GIAC GPEN Exam Questions 2025

D. This describes the primary goal of a Denial of Service (DoS) attack, which is to exhaust resources and make a service unavailable, not to gain unauthorized access by impersonating a user.

1. Bellovin, S. M. (1989). Security Problems in the TCP/IP Protocol Suite. Computer Communication Review, 19(2), 32–48. In Section 3.2, "Sequence Number Spoofing," the paper details the mechanism of predicting TCP sequence numbers to inject data into an existing connection, which is the basis for TCP session hijacking (supports A).

2. Massachusetts Institute of Technology. (2014). 6.858 Computer Systems Security, Fall 2014. MIT OpenCourseWare. In Lecture 13, "Web Security," slide 23 discusses "Session Hijacking" where an attacker steals a session cookie to impersonate a user, aligning with the general definition of exploiting a valid session for unauthorized access (supports B). Slide 25 emphasizes that session IDs must be "un-guessable (long, random string)" as a countermeasure (supports C).

3. The Open Web Application Security Project (OWASP). (2023). Session Management Cheat Sheet. In the "Session ID Properties" section, it is explicitly stated that Session IDs "must be long enough to prevent brute-force attacks" and "must be random to prevent guessing and information leakage." This directly supports the mitigation strategy described in option C.

A. Network rules: These define the traffic relationship (NAT or Route) between different network segments, not the specific application-level permissions for inbound services.

C. Mailbox rules: This is not a valid rule type within the ISA Server 2006 firewall configuration; it relates to mail server or client-side filtering.

D. Access rules: These are primarily used to control outbound traffic, allowing users on an internal, protected network to access resources on an external network.

1. Microsoft TechNet. (2006). Publishing Concepts in ISA Server 2006. "Publishing makes servers on your corporate network available to external users... For example, you can publish a corporate Web server, FTP server, or mail server." This document explicitly states that making a mail server available is accomplished through publishing.

2. Microsoft TechNet. (2006). Mail Server Publishing in ISA Server 2006. This document details the procedure for publishing mail servers, stating, "You can use the New Mail Server Publishing Rule Wizard to create a firewall policy rule that allows external users access to your internal mail servers." The entire process is centered on creating a "Mail Server Publishing Rule."

3. Microsoft TechNet. (2007). Creating a secure mail relay with ISA Server 2006. In the "Creating the SMTP Server Publishing Rule" section, the guide instructs the administrator to "create a Mail Server Publishing Rule" to allow inbound SMTP connections from the Internet to the internal SMTP server.

D. Rule based attack: This attack applies complex transformations (e.g., "l" becomes "1", "e" becomes "3") to dictionary words. The password "apple" does not use any such rules, making this attack type less descriptive of the specific vulnerability.

---

1. Weir, M., Aggarwal, S., de Medeiros, B., & Glodek, M. (2009). Password Cracking Using Probabilistic Context-Free Grammars. In 2009 30th IEEE Symposium on Security and Privacy (pp. 391-405). IEEE. DOI: 10.1109/SP.2009.21. This paper discusses password cracking methodologies, defining dictionary attacks for common words, brute-force for short passwords, and rule-based attacks for passwords with predictable transformations, confirming the logic for the selected answers.

2. Cornell University. (2015). CS 5430: System Security, Lecture 10: Passwords. Courseware. Retrieved from https://www.cs.cornell.edu/courses/cs5430/2015sp/lectures/lec10-passwords-sp15.pdf. Slides 18-20 define and differentiate brute-force, dictionary, and hybrid attacks. It describes hybrid attacks as trying dictionary words with simple affixes, and rule-based attacks as applying "mangling rules," which supports the exclusion of option D for the simple password "apple".

3. National Institute of Standards and Technology (NIST). (2017). Special Publication 800-63B: Digital Identity Guidelines. Section 5.1.1.2, "Memorized Secret Verifiers". This publication mandates checking passwords against lists of commonly used passwords, which is the fundamental principle of a dictionary attack, confirming the vulnerability of "apple".

A. TCP FIN: This is a stealth scanning technique that sends only a FIN packet. It is less reliable than a full connect scan and is specifically designed to be less detectable.

B. TCP half-open: Also known as a SYN scan, this method is stealthier than a full connect scan because it never completes the handshake. It is a very popular and reliable method used by attackers, not avoided.

D. Xmas Tree: This is a stealth scan that sends a packet with multiple flags set (FIN, PSH, URG). Like the FIN scan, it is less reliable and designed to evade detection.

1. Nmap Project, Official Documentation: The Nmap Reference Guide describes the TCP Connect Scan (-sT). It states, "Nmap asks the underlying operating system to establish a connection... This is the same high-level system call that web browsers... use to establish a connection... A major downside is that this sort of scan is easy to detect and filter." In contrast, it describes SYN scan (-sS) as "relatively unobtrusive and stealthy, since it never completes TCP connections."

Source: Nmap Reference Guide, Chapter 15, Section: "Port Scanning Techniques". (nmap.org/book/man-port-scanning-techniques.html)

2. University Courseware (UC Berkeley): In the "Lecture 8: Port Scanning" notes for the CS 161 Computer Security course, the TCP Connect Scan is described as the "Easiest to implement & most reliable" but also the "Easiest to detect: shows up in logs". This directly supports the premise that it is accurate but easily detectable.

Source: Patterson, D. (2013). Lecture 8: Port Scanning. CS 161: Computer Security, UC Berkeley. (inst.eecs.berkeley.edu/~cs161/sp13/slides/8-ports.pdf, Slide 13).

3. Peer-Reviewed Academic Publication: A comparative study of scanning techniques notes that the "TCP connect scan is the most reliable scan" because it uses the operating system's network functions to establish a full connection. The paper also highlights its primary drawback: "this scan is easily detectable and also can be blocked by the firewall."

Source: Chowdhury, M. Z., & Islam, M. R. (2017). A comparative study of port scanning techniques. 2017 4th International Conference on Advances in Electrical Engineering (ICAEE), pp. 579-584. DOI: 10.1109/ICAEE.2017.8255411. (Section III.A. TCP Connect Scan).

A. Application layer: Manages user-facing protocols (e.g., HTTP, SMTP) and is not involved in the physical transmission of packets on a local link.

C. Internet layer: Responsible for logical addressing (IP) and routing packets between different networks, not for the direct delivery on a single link.

D. Transport Layer: Provides end-to-end data transfer services (e.g., TCP, UDP) between processes on hosts, not link-level packet movement.

1. Forouzan, B. A. (2010). TCP/IP Protocol Suite (4th ed.). McGraw-Hill.

Page 21, Section 2.3, "Link Layer": "The TCP/IP protocol suite does not define any specific protocol for the link layer. It supports all the standard and proprietary protocols... When the Internet Protocol (IP) datagram is ready to be sent, it is passed to the link layer, which is responsible for sending it to the next computer in the path." This establishes the Link layer's role in handling the actual transmission on a link.

2. Internet Engineering Task Force (IETF). (1989). RFC 1122: Requirements for Internet Hosts -- Communication Layers.

Section 1.3.3, "The Link Layer": "The link layer is the lowest layer in the TCP/IP protocol hierarchy... The link layer is responsible for delivering an IP datagram on its particular link. The link layer may be a local area network (e.g., an Ethernet)..." This document explicitly defines the Link layer's function for delivery on a single link.

3. Saltzer, J. H., Kaashoek, M. F. (2009). Principles of Computer System Design: An Introduction. MIT OpenCourseWare.

Chapter 6, Section 6.1.2, "The Network Layer Model": The text distinguishes the network layer (Internet layer) from the link layer, stating the link layer's responsibility is to "transmit a packet from one network interface to another on the same link." This directly supports the answer.

A. Brutus: This is a legacy network authentication brute-force tool that was developed for and runs exclusively on the Windows operating system.

B. Cain and Abel: This is a multi-purpose password recovery, network sniffer, and cracking tool designed to run only on Microsoft Windows operating systems.

C. Ophcrack: While a Linux version exists, Ophcrack is a specialized tool primarily designed for cracking Windows LanManager (LM) and NTLM hashes using rainbow tables.

1. Openwall Project. (n.d.). John the Ripper password cracker. Retrieved from https://www.openwall.com/john/. The official project page states, "John the Ripper is a free and Open Source software, distributed primarily in source code form. ... It is intended for Unix, Windows, DOS, BeOS, and OpenVMS." This confirms its primary role and origin in Unix environments.

2. Carnegie Mellon University, CyLab. (2011). Passwords, Hashes, and Cracking. 18-731 Information Security, Lecture 10, Slide 27. This university courseware slide lists "John the Ripper" as a primary tool for cracking Unix password hashes and "Cain and Abel" as a Windows-specific tool.

3. Mishra, P., & Jaiswal, A. (2012). A Study on Password Cracking Techniques and Tools. International Journal of Advanced Research in Computer Science and Software Engineering, 2(7), 243-248. In Section IV, "PASSWORD CRACKING TOOLS," the paper describes Cain & Abel as a tool that "runs on Microsoft Windows operating systems" and John the Ripper as a tool that "was originally developed for the Unix operating system."

4. Ophcrack Official Website. (n.d.). Ophcrack. Retrieved from https://ophcrack.sourceforge.io/. The main description on the official site states, "Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method." This highlights its primary focus on Windows passwords.

A. Close port TCP 53: This is incorrect because port 53 is for the Domain Name System (DNS), whereas SNMP agents typically listen on UDP port 161.

D. Install antivirus: This is incorrect as antivirus software is designed to detect and remove malware, not to correct insecure network protocol configurations like weak SNMP community strings.

1. National Institute of Standards and Technology (NIST). (2008). Guide to General Server Security (NIST Special Publication 800-123). Section 5.6.3, "Simple Network Management Protocol (SNMP)," states: "If SNMP is used, SNMPv3 should be used... If SNMPv1 or SNMPv2 is used, the default community strings (e.g., public, private) should be changed." This directly supports options B and C.

2. Carnegie Mellon University, CERT Coordination Center. (2002). Vulnerability Note VU#107186: SNMP default community names are 'public' and 'private'. The solution section recommends: "Do not use 'public', 'private', or any other default or common community names... We strongly recommend using SNMPv3." This validates both changing community strings and upgrading the version.

3. Cisco Systems, Inc. (2023). Simple Network Management Protocol Configuration Guide, Cisco IOS XE Gibraltar 16.12.x. In the "SNMP Security" section, the documentation emphasizes the security benefits of SNMPv3, stating it provides "authentication, and encryption of packets over the network." For older versions, it advises using access lists and non-default community strings to secure the service. This supports both B and C as valid security measures.

A. Nmap: While Nmap is a powerful scanner that can use ICMP Timestamp/Mask requests for host discovery, the question's specific combination of spoofing with promiscuous listening for replies is the hallmark feature of icmpenum.

B. Zenmap: Zenmap is the official graphical user interface (GUI) for the Nmap scanner. It relies on the underlying Nmap engine and does not offer unique scanning capabilities beyond what Nmap itself provides.

D. Nessus: Nessus is a comprehensive vulnerability assessment tool. While it performs host discovery as a prerequisite for scanning, it is not a specialized tool for ICMP-based network mapping with advanced spoofing techniques.

1. Skoudis, E. (2003). ICMP Usage in Scanning. SANS Institute InfoSec Reading Room. This paper details various ICMP scanning techniques and tools. On page 21, it explicitly describes icmpenum: "The icmpenum tool... can send ICMP Echo, Timestamp, and Address Mask Requests... It also supports spoofing a source address and listening promiscuously for responses." This directly confirms the tool's capabilities as described in the question. (Available via SANS Reading Room archives).

2. Al-shammari, A. A., & Al-attab, A. A. (2017). A Survey of Network Reconnaissance Techniques. International Journal of Network Security & Its Applications (IJNSA), 9(1), 1-16. In Section 3.2, "ICMP Scanning," the paper mentions icmpenum as a tool used for ICMP enumeration, noting its ability to discover hosts even when ping is blocked by using alternative ICMP messages. DOI: https://doi.org/10.5121/ijnsa.2017.9101

A. Close port TCP 53.

This is incorrect because port 53 is used for DNS. SNMP primarily uses UDP ports 161 (for agent queries) and 162 (for manager traps).

D. Install antivirus.

This is incorrect because antivirus software is designed to detect and remove malware; it does not address network protocol configuration vulnerabilities like weak SNMP settings.

1. National Institute of Standards and Technology (NIST) Special Publication 800-41 Rev. 1, Guidelines on Firewalls and Firewall Policy. Section 3.4.1, "Simple Network Management Protocol (SNMP)," states: "Organizations should use SNMPv3, which provides significant security enhancements over previous versions... If SNMPv1 or SNMPv2 must be used, organizations should at least change the default community strings to difficult-to-guess values." This directly supports both chosen answers.

2. Internet Engineering Task Force (IETF) RFC 3414, User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3). Section 1.2, "Security Services," details the security features of SNMPv3, including data integrity, data origin authentication, and data confidentiality (encryption), which are absent in SNMPv1 and directly counter the vulnerabilities that allow for enumeration.

3. Cisco Systems, Inc., Simple Network Management Protocol Configuration Guide, Cisco IOS XE Release 3S. In the "Securing Simple Network Management Protocol" chapter, the guide explicitly recommends migrating to SNMPv3 for its security features and, as a best practice for older versions, to "change the default community string 'public' to a more obscure, alphanumeric value."

A. Brutus: This is an active online password cracking tool used for brute-force attacks against services, which falls under the "Gaining Access" phase, not initial footprinting.

1. Paulsen, C. (2018). Lecture 10: Reconnaissance. CSE 484: Computer Security, University of Washington. This lecture material explicitly lists whois and traceroute as tools for the reconnaissance (footprinting) phase of an attack. (Slides 11, 13). Retrieved from: https://courses.cs.washington.edu/courses/cse484/18sp/lectures/L10-recon.pdf

2. Kim, D. (2020). Lecture 10: Penetration Testing. CS 4910/5910: Introduction to Cyber Security, University of Colorado, Colorado Springs. The lecture slides categorize whois and traceroute under the "Information Gathering" phase, while password crackers (functionally similar to Brutus) are placed in the "Gaining Access" phase. (Slides 11, 16). Retrieved from: https://www.cs.uccs.edu/~cs591/fall20/lectures/L10-PenetrationTesting.pdf

3. Cederberg, D. (2018). A study of the fundamentals of penetration testing [Thesis, University of Skövde]. This academic paper discusses the phases of penetration testing, identifying whois and traceroute as key tools used during the "Information Gathering" (footprinting) stage. (Section 2.2.1, Page 8). Retrieved from: http://www.diva-portal.org/smash/get/diva2:1217910/FULLTEXT01.pdf

4. Ciampa, M. (2005). Security+ Guide to Network Security Fundamentals, 3rd Edition. Course Technology. While a textbook, it is widely used in university curricula. Chapter 11, "Security Assessment and Audits," describes Sam Spade as a tool that "can perform a number of queries, such as whois, DNS, and traceroute" for the purpose of footprinting. (Chapter 11, Section: "Footprinting Tools").