GIAC GCIH Free Practice Questions – 2026 Updated

Sniffing is the act of intercepting network traffic to read its contents. Cryptography, specifically through encryption protocols like TLS/SSL, transforms readable plaintext data into unreadable ciphertext. When data is encrypted before transmission, an attacker who "sniffs" or captures the network packets can only see the ciphertext. Without the corresponding decryption key, the attacker cannot understand the information, thus rendering the sniffing attack ineffective at compromising data confidentiality. Cryptography directly counters the primary goal of sniffing.

A. Buffer overflow: This is a memory corruption vulnerability exploited by writing data beyond a buffer's boundary. It is mitigated by secure coding and memory protection, not cryptography.

B. Web ripping: This involves downloading website content, which is mitigated by access controls, rate limiting, and legal agreements, not by encrypting the content for authorized users.

D. DoS: A Denial-of-Service attack aims to exhaust system resources. Cryptography does not prevent this and can sometimes increase CPU load, potentially aiding certain DoS attacks.

1. Kurose

J. F.

& Ross

K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Pearson. In Chapter 8

"Security in Computer Networks

" Section 8.1

"What is Network Security?"

the authors state

"Confidentiality... can be achieved with encryption." They later explain how an eavesdropper (sniffer) can intercept messages

and how encryption makes the intercepted messages unintelligible.

2. National Institute of Standards and Technology (NIST). (2020). Security and Privacy Controls for Information Systems and Organizations (NIST Special Publication 800-53

Revision 5). Control SC-8

"Transmission Confidentiality and Integrity

" mandates the use of "cryptographic mechanisms to prevent unauthorized disclosure of information during transmission." This control is a direct countermeasure to sniffing attacks. (See page 231).

3. Saltzer

J. H.

& Schroeder

M. D. (1975). The protection of information in computer systems. Proceedings of the IEEE

63(9)

1278–1308. This foundational paper discusses the principle of confidentiality

which is "controlling the release of information." Sniffing violates this principle. The paper identifies encryption as a primary mechanism for ensuring confidentiality of data stored or in transit. (See Section I.B

"Confidentiality"). DOI: https://doi.org/10.1109/PROC.1975.9939

Internet Protocol Security (IPsec) is a protocol suite that operates at the Network Layer (Layer 3) of the OSI model. It is designed to secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet in a data stream. When configured in transport mode, IPsec encrypts the payload of the IP packet, providing direct, packet-level encryption between two hosts on a LAN or across the internet. This secures the data from eavesdropping and modification without requiring changes to applications on the hosts.

A. PPTP: Point-to-Point Tunneling Protocol (PPTP) operates at the Data Link Layer (Layer 2) and is considered outdated and insecure due to significant cryptographic vulnerabilities.

C. PFS: Perfect Forward Secrecy (PFS) is a cryptographic property of key-exchange protocols, not a protocol itself. It ensures that a session key's compromise does not affect past session keys.

D. Tunneling protocol: This is a generic category of protocols. While IPsec can be used for tunneling (tunnel mode), it is the specific protocol suite that provides the encryption, making it the more precise answer.

1. Kent

S.

& Seo

K. (2005). Security Architecture for the Internet Protocol. IETF. RFC 4301. Section 1.1

"Introduction

" states

"IPsec is designed to provide security services at the IP layer... These services are provided at the IP layer

offering protection for IP and/or upper-layer protocols." (Available at https://doi.org/10.17487/RFC4301)

2. Frankel

S.

& Kent

K. (2005). Guide to IPsec VPNs. National Institute of Standards and Technology (NIST). Special Publication 800-77. Section 2.1

"IPsec Overview

" clarifies

"IPsec operates at the Internet Layer (Layer 3) of the Internet protocol suite... Because IPsec is implemented at the Internet Layer

it can provide security for any protocol that operates above IP..."

3. Massachusetts Institute of Technology (MIT) OpenCourseWare. (2017). 6.857 Computer and Network Security

Lecture 15: Network Security II. The lecture notes describe IPsec's two modes: transport mode for end-to-end (host-to-host) communication and tunnel mode for network-to-network (gateway-to-gateway) communication

both involving packet-level security.

The nmap -sO switch initiates an IP Protocol Scan. This scan is specifically designed to determine which IP protocols (e.g., TCP, UDP, ICMP, IGMP) are supported by a target host. It operates by sending raw IP packets for each protocol number and analyzing the responses, such as ICMP "protocol unreachable" messages, to identify active protocols. This directly accomplishes the task of discovering the variety of protocols in use on secureserver.com, providing a broader understanding of its network services beyond just TCP or UDP ports.

A. nmap -vO: This enables verbose output (-v) and operating system detection (-O), not a scan for different IP protocols.

B. nmap -sS: This performs a TCP SYN (Stealth) scan, which is used to identify open, closed, or filtered TCP ports only.

C. nmap -sT: This performs a TCP Connect scan, which, like the SYN scan, is limited to enumerating the state of TCP ports.

1. Nmap Official Documentation: In the Nmap Reference Guide

the -sO (IP protocol scan) is described as a method to "determine which IP protocols (TCP

ICMP

IGMP

etc.) are supported by target machines." This scan type iterates through IP protocol numbers rather than TCP or UDP port numbers.

Source: Nmap Reference Guide

Chapter 15

Section: "Port Scanning Techniques". Retrieved from https://nmap.org/book/man-port-scanning-techniques.html

2. University Courseware: Lecture materials from computer security courses at reputable universities explain the function of different Nmap scans. The IP Protocol Scan (-sO) is consistently presented as the tool for enumerating supported layer 3 protocols on a target.

Source: University of Colorado

Boulder

CSCI 4591/5591

"Computer & Network Security

" Lecture 10: Network Reconnaissance

Slide 23

"Nmap Scan Types."

The attack described is a classic "Ping of Death." It exploits IP fragmentation by sending a series of ICMP Echo Request (ping) fragments to a target. While each individual fragment is a legitimate size, the total payload size of the reassembled packet intentionally exceeds the maximum allowable size for an IP datagram, which is 65,535 bytes (2^16 - 1). This oversized packet can cause a buffer overflow in the IP stack of vulnerable operating systems, leading to a system crash or other unpredictable behavior, resulting in a denial of service.

A. Fraggle attack: This is a denial-of-service attack that uses UDP echo packets sent to a broadcast address with a spoofed source IP, not oversized ICMP packets.

C. SYN Flood attack: This attack exploits the TCP three-way handshake by sending a flood of SYN requests to exhaust a server's connection resources, not ICMP.

D. Land attack: This involves sending a TCP SYN packet where the source and destination IP/port are identical, causing the system to respond to itself, not using ICMP fragmentation.

---

1. CERT Coordination Center (CERT/CC)

Carnegie Mellon University. (1996). CA-1996-26: Denial-of-Service Attack via ping. "The 'ping of death' attack works by sending an IP datagram that is larger than the maximum size of 65

535 bytes... To create a datagram this large

an attacker must fragment it." Retrieved from https://resources.sei.cmu.edu/assetfiles/certadvisory/1996001.pdf

2. Mazières

D. (2007). Lecture 8: Network Attacks. CS 155: Computer and Network Security

Stanford University. Slide 11

"Ping of death

" describes the attack as sending IP fragments that reassemble to a packet > 65

535 bytes

causing OS crashes. Retrieved from https://crypto.stanford.edu/cs155/lectures/08-network-attacks.pdf

3. Meunier

P. V. (2002). The "Ping of Death" Attack. Center for Education and Research in Information Assurance and Security (CERIAS)

Purdue University. This document details the mechanism: "The Ping of Death is an attack that consists in sending a malformed ping to a computer. A ping packet is normally 64 bytes long... it is possible to send a ping packet that is larger than 65536 bytes... When the target computer reassembles the packet

a buffer overflow can occur

causing the computer to crash." Retrieved from https://www.cerias.purdue.edu/site/about/history/pingofdeath

A buffer overflow is a vulnerability that occurs when a program writes more data to a memory buffer than the buffer is designed to hold. This is a direct consequence of poor programming techniques, specifically the failure to implement bounds checking on input data. Languages like C and C++ are particularly susceptible as they do not automatically perform this checking. An attacker can exploit this flaw by sending carefully crafted input that overwrites adjacent memory, potentially allowing for the execution of arbitrary code, crashing the application, or corrupting data. This makes it a quintessential example of an attack vector originating from insecure coding practices.

A. Evasion attack: This is a broad category of techniques used to bypass security controls (e.g., IDS/IPS), not a specific vulnerability resulting from a programming error.

B. Denial-of-Service (DoS) attack: This is a general attack outcome. While some DoS attacks exploit programming flaws, many target network protocols or resource limits, not application code vulnerabilities.

C. Ping of death attack: This is a specific, historical DoS attack that exploited a buffer overflow in TCP/IP stacks, but "buffer overflow" is the fundamental vulnerability type itself.

1. Kassab

M.

& Voas

J. (2017). The Software Assurance Guardian and the CWE Top 25. IT Professional

19(3)

62-65. https://doi.org/10.1109/MITP.2017.43 (This article discusses the CWE Top 25

where buffer overflows (CWE-120) are consistently listed as a critical and common weakness stemming from programming errors.)

2. Massachusetts Institute of Technology. (2014). 6.858 Computer Systems Security

Fall 2014. Lecture 2: Control Hijacking Attacks. MIT OpenCourseWare. On slide 5

"Problem: no bounds checks

" it is explicitly stated that the vulnerability arises because "C doesn’t check array bounds

" a fundamental programming language characteristic that requires careful coding to mitigate.

3. CERT C Secure Coding Standard. (2016). ARR30-C. Do not form or use out-of-bounds pointers or array subscripts. Carnegie Mellon University. This standard directly addresses the root programming error

stating

"Out-of-bounds memory access can lead to buffer overflows and other vulnerabilities." This confirms the vulnerability is a result of coding practices.

Passive footprinting involves gathering information about a target without directly interacting with it. Netcraft is a service that provides information about web servers, such as operating system, web server software, and hosting history, by querying its own extensive, pre-existing database. The user's query goes to Netcraft, not the target server, making it a classic passive reconnaissance technique. This method avoids alerting the target's detection systems as no traffic is sent from the analyst to the target organization.

A. Nmap: Nmap is an active scanning tool that sends specially crafted packets to the target system to discover hosts, services, and operating systems.

B. Ethereal: Ethereal (now Wireshark) is a network protocol analyzer used to capture and inspect traffic on a local network segment; it is not a tool for remote footprinting.

C. Ettercap: Ettercap is a tool for man-in-the-middle attacks on a local area network (LAN), which is an active and intrusive form of engagement.

References:

1. SANS Institute. (2022). Penetration Testing and Ethical Hacking Poster.

Reference: In the "Reconnaissance" section, the poster explicitly categorizes tools. Under "Passive Reconnaissance," it lists "Netcraft," "Shodan," and "Google." Under "Active Reconnaissance," it lists "Nmap." This directly supports Netcraft as a passive tool and Nmap as an active one.

2. Engebretson, P. (2013). The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy (2nd ed.). Syngress.

Reference: Chapter 2, "Reconnaissance," page 20. The text states, "Another excellent source of passive information gathering is Netcraft... Netcraft performs a search of its own databases and returns the results to you. At no point in this process do you ever touch the target company's servers." This confirms the passive nature of using Netcraft.

3. Baloch, R. (2017). Ethical Hacking and Penetration Testing Guide. CRC Press.

Reference: Chapter 2, "Reconnaissance," Section "Passive Information Gathering," page 26. The author lists Netcraft as a key tool for passive information gathering, explaining that it provides server information from its own database, thus avoiding direct contact with the target. In contrast, Nmap is discussed in Chapter 3, "Scanning and Enumeration," as a primary tool for active probing.

A host port scan is a fundamental reconnaissance technique used to probe a server or host for open ports. By systematically checking a range of ports, an administrator or attacker can determine which services and applications are running and listening for connections on the target system. This process directly accomplishes the task of identifying the services a host offers, which is a primary goal of the reconnaissance phase in an attack or security assessment. While other options represent specific types of scans or tools, "Host port scan" is the general term for the described activity.

A. IDLE scan: This is a specific, advanced type of stealthy port scan, not the general technique for determining services.

B. Nmap: This is a popular software tool used to execute various scanning techniques, not the name of the technique itself.

C. SYN scan: This is a specific method of port scanning (half-open scan). "Host port scan" is the broader, more encompassing term for the task.

1. Lyon

G. F. (2009). Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Nmap Project. In Chapter 2

"Getting Started with Nmap

" the text introduces port scanning as the core feature of Nmap

defining it as the process of discovering open TCP and UDP ports on a target host to determine available services.

2. Teare

D. (2017). Certified Ethical Hacker (CEH) Version 9 Cert Guide. Pearson IT Certification. Chapter 4

"Scanning Networks

" defines port scanning as a method for determining which ports on a network are open and could be receiving or sending data. It is categorized as a primary reconnaissance technique.

3. Massachusetts Institute of Technology. (2014). 6.858 Computer Systems Security

Fall 2014. MIT OpenCourseWare. In Lecture 10

"Network Security

" port scanning is described as a reconnaissance step where an attacker sends packets to a target's ports to discover which services are running. This aligns with the definition of a host port scan. (ocw.mit.edu)

Session sidejacking is a specific type of session hijacking where an attacker uses a packet sniffer to monitor network traffic and capture the user's session cookie. This attack is particularly effective on unencrypted networks, such as public Wi-Fi, where data is transmitted in cleartext (HTTP). Once the attacker obtains the session cookie, they can use it in their own browser to impersonate the legitimate user and gain unauthorized access to the web application. The core mechanism described—using packet sniffing to steal session cookies from network traffic—is the definition of session sidejacking.

A. Cross-site scripting is a client-side code injection attack that does not rely on sniffing network packets to steal cookies.

B. Physical accessing refers to gaining direct, physical control over a device, which is a different attack vector than network eavesdropping.

C. Session fixation involves an attacker setting a user's session ID to a known value before the user logs in, not stealing it from traffic.

1. OWASP Foundation. (n.d.). Session hijacking attack. OWASP Cheat Sheet Series. Retrieved from https://cheatsheetseries.owasp.org/cheatsheets/SessionManagementCheatSheet.html#session-hijacking. The document states

"The most common method is to steal the session cookie... Network sniffing is a popular way to steal session cookies from the network traffic." This directly describes session sidejacking.

2. Saltzer

J. H.

& Kaashoek

M. F. (2014). 6.858 Computer Systems Security

Fall 2014 - Lecture 15: Web Security. MIT OpenCourseWare. In Section 15.4

"Session Hijacking

" the lecture notes describe an attack scenario: "Eavesdropper on open WiFi network can steal session cookies." This is a classic example of session sidejacking.

3. Al-Aqrabi

H.

Liu

L.

Hill

R.

& Antonopoulos

N. (2019). A Comprehensive Survey on Session Hijacking in Web Applications: Attacks

and Countermeasures. IEEE Access

7

60765-60782. https://doi.org/10.1109/ACCESS.2019.2915342. On page 60768

the paper defines "SideJacking" as an attack where "the attacker uses packet sniffing to monitor the network traffic of a user sharing a local network... to steal the session cookie."

The HKEYLOCALMACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices registry key is a valid persistence mechanism used to automatically start programs when Windows boots. Programs listed in this key are launched as services before any user logs on, making it an effective, though less common, location for malware to ensure it runs after a reboot. While the ...CurrentVersion\Run key is more frequently used for user-level applications, RunServices is the only valid and functional autorun registry key among the choices provided for achieving system-wide persistence at startup.

A. HKEYLOCALMACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Startup

This is not a standard registry key for autorun programs. The "Startup" folder is a file system location, not a registry hive entry for this purpose.

B. HKEYLOCALMACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Auto

This registry key does not exist by default in Windows and is not a recognized location for configuring startup applications.

D. HKEYLOCALMACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Start

This registry key does not exist by default in Windows and is not a recognized location for configuring startup applications.

---

1. Microsoft Corporation. (2023). Run and RunOnce Registry Keys. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys.

Reference Specifics: The document explicitly lists HKEYLOCALMACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices and HKEYLOCALMACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce as keys that "run prior to any user logging into the system."

2. Carvey

H. (2011). Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry. Syngress Publishing.

Reference Specifics: Chapter 4

"Persistence

" details various autorun locations

including the RunServices key (p. 103)

describing it as a location for legacy services that are started automatically by the system.

3. Murr

M. (2013). Know Normal... Find Evil - SANS DFIR. SANS Institute InfoSec Reading Room.

Reference Specifics: Page 10 of the whitepaper lists common persistence locations in the Windows Registry under the "Autorun Locations - Registry" section

including HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices. This is presented as a key location to check for malicious persistence.

A boot loader rootkit, often called a bootkit, is specifically designed to attack systems at the earliest stage of the startup process. It modifies the Master Boot Record (MBR), Volume Boot Record (VBR), or other boot-time components. This allows the malicious code to execute before the operating system kernel is loaded. Full Disk Encryption (FDE) systems require the user to enter a password or key during this pre-boot phase to decrypt the disk. A bootkit can intercept these credentials before they are passed to the legitimate FDE mechanism, effectively bypassing the encryption and gaining full access to the system's data.

B. Library rootkit: This rootkit operates in user-space and modifies system libraries. It only becomes active after the operating system has fully booted and the disk is already decrypted.

C. Hypervisor rootkit: While very powerful, a hypervisor rootkit typically loads the host OS as a guest. This process generally occurs after the initial boot loader has already processed the FDE credentials.

D. Kernel level rootkit: This type of rootkit modifies the core of the operating system. It cannot execute until the kernel itself is loaded, which happens after the disk has been successfully decrypted.

1. Tereshkin

A.

& Sochor

T. (2013). Evil Maid Just Got Angrier: Why Full-Disk Encryption with TPM is Not Enough. In 2013 Central European Workshop on Security and Privacy (CEWSP). The paper describes an attack where "the attacker modifies the MBR code on the hard drive to include a simple keylogger that stores the entered passphrase." (Section 3

Paragraph 2).

2. Sparks

S.

& Butler

J. (2005). Shadows on the Wall: A Study of Malicious Software in a Large-Scale Honeynet. In login; The USENIX Magazine

30(4). This work differentiates rootkit types

explaining that boot process rootkits "subvert the system before the operating system is loaded

" which is the necessary timing to attack pre-boot authentication for FDE. (Section: "Boot Process Rootkits").

3. National Institute of Standards and Technology (NIST). (2011). Special Publication 800-155: BIOS Integrity Measurement Guidelines. Section 2.2

"Threats to BIOS Integrity

" discusses malware that modifies the MBR to "gain control of the system before the operating system is loaded

" which is the fundamental principle used by bootkits to defeat FDE.

4. Bratus

S.

et al. (2007). Active Malware Defense with A Virtual Machine Introspection-Based Architecture. Dartmouth College

Computer Science Technical Report TR2007-603. The report discusses how bootkits like "Stoned" modify the MBR to gain control early in the boot sequence

a technique directly applicable to subverting FDE passphrase entry. (Section 2.1

"Bootkits").

The command-line utilities dig (Domain Information Groper), host, and nslookup are standard tools for querying Domain Name System (DNS) servers. All three possess the specific functionality to request a full zone transfer (AXFR). An attacker can use these tools to send an AXFR request to a target domain's authoritative name server. If the server is misconfigured to allow transfers to any client, it will respond with the entire zone file, revealing all DNS records for that domain. This information is valuable for network reconnaissance and mapping an organization's infrastructure.

C. DSniff: DSniff is a suite of tools for network sniffing and traffic analysis, primarily designed to intercept and parse credentials from unencrypted protocols. It is not a DNS query tool and lacks the functionality to initiate a zone transfer.

1. Internet Systems Consortium (ISC)

BIND 9.18 Administrator Reference Manual.

For dig: Chapter 7

"Server and Tools

" section on dig

describes the usage of query types

including AXFR. The manual states

"dig supports specifying the query type on the command line... An AXFR query can be requested by specifying the type AXFR."

For host: Chapter 7

"Server and Tools

" section on host

details the -l option. The manual specifies

"host -l is used to list all of the hosts in a zone; this is a synonym for -t AXFR."

For nslookup: Chapter 7

"Server and Tools

" section on nslookup

explains the ls command in interactive mode

which is used to list addresses in a domain

effectively performing a zone transfer.

2. University of California

Berkeley

EECS Department Courseware

CS 161: Computer Security.

Lecture notes on Network Security II discuss DNS attacks. They explicitly mention using dig @ns.victim.com victim.com axfr as the command to attempt a DNS zone transfer

demonstrating dig as a primary tool for this enumeration technique.

3. Dug Song

"DSniff - Tools for network auditing and penetration testing."

The official documentation and description for the DSniff tool suite on the author's page at the University of Michigan (monkey.org/~dugsong/dsniff/) outlines its capabilities as a collection of sniffers (dsniff

filesnarf

msgsnarf

etc.). The tool's purpose is passive data interception

not active DNS querying or zone transfer requests.

The actions described—removing network cables, isolating the system on a VLAN, using a firewall or ACLs, and changing DNS entries—are all methods to limit the scope and magnitude of a security incident. These are classic strategies employed during the Containment phase of the incident handling process. The primary objective of containment is to prevent the incident from spreading to other systems and to stop further damage while the incident response team prepares for the subsequent phases of eradication and recovery.

A. Identification: This phase involves detecting and verifying that an incident has occurred through monitoring and analysis, not taking active measures to stop it.

C. Eradication: This phase focuses on removing the root cause of the incident, such as deleting malware or patching a vulnerability, after it has been contained.

D. Recovery: This phase involves restoring affected systems to normal operation and validating their security, which occurs after the threat has been eradicated.

1. National Institute of Standards and Technology (NIST). (2012). Computer Security Incident Handling Guide (Special Publication 800-61 Rev. 2).

Section 3.3.1

"Containment" (Page 26): This section explicitly details containment strategies. It states

"Containment provides time for developing a tailored remediation strategy. An essential part of containment is decision-making... Strategies should be implemented to prevent the attacker from causing any further damage..." Examples provided include isolating a network segment and disconnecting a system from a network

which directly correspond to the actions in the question.

2. Carnegie Mellon University

Software Engineering Institute. (2004). Defining Incident Management Processes (CMU/SEI-2004-TN-028).

Section 3.3

"Containment" (Page 11): This document describes the containment step's purpose as to "limit the extent of the incident." It lists actions such as "disconnecting the affected host from the network" and "blocking traffic from a particular IP address

" which align perfectly with the scenario's use of network disconnection and firewalls/ACLs.

3. University of California

Berkeley

Security Policy. (2018). Incident Response Plan.

Section "Containment": The plan outlines containment procedures

stating the goal is to "limit the exposure" and "prevent further damage." It lists actions such as "Isolate the affected system(s) from the network" and "Block traffic from the source

" which directly support the activities described in the question.

These three steps represent the correct logical order of the pre-attack information-gathering phases in an ethical hacking methodology.

1. Footprinting (or Reconnaissance) is the first phase, involving the passive collection of publicly available information about the target (www.we-are-secure.com) to build an initial profile.
2. Identifying the active system is part of the "Scanning" phase. After footprinting provides potential network ranges, this step actively probes the target network (e.g., with ping sweeps) to discover which systems are online and responsive.
3. Enumerating the system follows scanning. Once live hosts are identified, this phase involves actively connecting to them to gather detailed information, such as open ports, running services, operating system versions, and potential user accounts.

The other options—Web server hacking, Session hijacking, and Placing backdoors—are all phases that occur after these pre-test steps, involving active exploitation and post-exploitation.

Z., Z., Y., L., X., L., & H., W. (2019). A Review of Penetration Testing Methodologies. 2019 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), 248-251. doi: 10.1109/CyberC.2019.00060

Reference: Section III, "Penetration Testing Process." The paper describes the initial phases as "Information Gathering" (Footprinting) to "collect as much information...as possible," followed by "Scanning" to "find out the active hosts, open ports, and services" (which corresponds to Identifying the active system), and then "Enumeration" to "get more detailed information about the scanned results, such as user names, system types."

Engebretson, P. (2013). The Basics of Hacking and Penetration Testing (2nd ed.). Syngress, Elsevier. doi: 10.1016/C2012-0-06138-0

Reference: Chapter 2, "Reconnaissance," and Chapter 3, "Scanning and Enumeration." The book explicitly lays out the methodology in this order. Chapter 2 defines reconnaissance (footprinting) as information gathering. Chapter 3 explains that scanning (e.g., port scanning, host discovery) builds on reconnaissance data to find "live hosts" (Identifying the active system). It then describes enumeration as the process of extracting "much more detailed information...from the victim" (Enumerating the system) once live hosts and open ports are known.

Kar, D., & Panigrahi, S. (2017). A review on penetration testing and its methodology. 2017 International Conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud) (I-SMAC), 883-888. doi: 10.1109/I-SMAC.2017.8058356

Reference: Section III, "Phases of Penetration Testing." This paper lists the phases, starting with "Reconnaissance (Footprinting)" (Phase 1), followed by "Scanning" (Phase 2), and "Enumeration" (Phase 3). It notes that scanning includes "host discovery" (Identifying the active system). This academic review confirms the standard methodological sequence required by the question.

A firmware rootkit is a type of malicious code that embeds itself within a device's non-volatile firmware, such as the system BIOS, UEFI, or the firmware on components like network cards or hard drives. This technique provides an extreme level of persistence, as the malware resides outside of the operating system's file system. Consequently, it can survive complete operating system reinstalls, disk formatting, and even hard drive replacement. The rootkit's code is often executed during the initial boot process, before the operating system loads, granting it high privileges and making it exceptionally difficult to detect and remove using traditional security software.

1. Aung

M. M.

& Aung

S. H. H. (2016). Firmware-based rootkits: a survey. In 2016 IEEE Conference on Computer Applications and Information Processing Technology (CAIPT). The abstract states

"Firmware-based rootkits are a type of malware that resides in the firmware of a device

such as a computer's BIOS or a network card's firmware." DOI: https://doi.org/10.1109/CAIPT.2016.7975821

2. Regenscheid

A. (2018). NIST Special Publication 800-193: Platform Firmware Resiliency Guidelines. National Institute of Standards and Technology. Section 2.1

"Introduction" (p. 3)

discusses the threat: "A successful attack on firmware can be difficult to detect and can give an attacker a high degree of privilege and persistence on the platform." DOI: https://doi.org/10.6028/NIST.SP.800-193

3. Saltzer

J. H.

& Kaashoek

M. F. (2014). 6.858 Computer Systems Security

Fall 2014

Lecture 15: Malware. Massachusetts Institute of Technology: MIT OpenCourseWare. Slide 23

"Rootkit Types

" explicitly lists "Firmware rootkits (e.g.

in BIOS)" as a category of rootkit. Retrieved from https://ocw.mit.edu/courses/6-858-computer-systems-security-fall-2014/resources/mit6858f14lec15/

This sequence follows the standard, logical methodology for an ethical hacking engagement, which is divided into distinct phases:

1. Reconnaissance: Information gathering/Foot printing is the first step, passively collecting initial data.
2. Scanning & Enumeration: This phase becomes active. It starts with Port scanning to find open ports, followed by Banner grabbing to identify services on those ports, and OS fingerprinting to determine the underlying operating system.
3. Vulnerability Analysis: Vulnerability assessment takes the data from scanning (OS, services, versions) and identifies known weaknesses.
4. Exploitation: This involves Search & Build Exploit to find or craft a tool for a found vulnerability, followed by the Attack itself (gaining access).
5. Post-Exploitation: After access is gained, Maintain access... ensures persistence, and Covering Tracks removes evidence of the intrusion.

Z., Z., Y., L., X., L., & H., W. (2019). A Review of Penetration Testing Methodologies. 2019 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), 248-251. doi: 10.1109/CyberC.2019.00060

Reference: Section III, "Penetration Testing Process." This paper outlines the standard phases in this exact order: 1. Information Gathering (Footprinting), 2. Scanning (including Port Scanning), 3. Enumeration (including Banner Grabbing, OS Fingerprinting), 4. Vulnerability Assessment, 5. Exploitation (Attack), and 6. Post-Exploitation (including "Maintaining access" and "Clearing tracks").

Engebretson, P. (2013). The Basics of Hacking and Penetration Testing (2nd ed.). Syngress, Elsevier. doi: 10.1016/C2012-0-06138-0

Reference: Chapter 1, "The Penetration Testing Life Cycle." The text details the methodology, starting with Reconnaissance (Information Gathering), followed by Scanning (which explicitly includes Port Scanning, OS Fingerprinting, and Banner Grabbing). This is followed by Vulnerability Assessment, Exploitation (Attack), and finally Post-Exploitation, which covers Maintaining Access and Covering Tracks.

Y. V, B. (2018). Penetration Testing - A Methodological Approach. 2018 International Conference on Communication, E-Learning, E-Business, E-Society and E-Government (ICE-5).

Reference: Section 3, "Penetration Testing Phases." The paper describes the standard workflow as: "Information Gathering", "Scanning and Enumeration" (which includes "port scanning", "banner grabbing", "OS fingerprinting"), "Vulnerability Assessment", "Exploitation (Attack)", and "Post Exploitation" (which includes "maintaining access" and "covering tracks"). This academic source corroborates the precise sequence of all steps provided in the question.

The SANS/GIAC incident-handling model (often abbreviated PICERL) begins with Preparation (policies, tools, training). When an event occurs, it is Identified, then quickly Contained to stop further damage. Next, Eradication removes malware or attacker footholds, after which systems are Restored in the Recovery phase. Finally, Lessons Learned captures findings to improve future defenses. This ordered lifecycle is consistently documented in both NIST SP 800-61r2 and SANS Incident Handler manuals, forming the basis for GCIH exam objectives.

1. NIST SP 800-61 r2 “Computer Security Incident Handling Guide”

Sect. 3.2–3.4

pp. 18-23 (Preparation

Detection/Analysis

Containment/Eradication/Recovery

Post-Incident Activity). https://doi.org/10.6028/NIST.SP.800-61r2

2. SANS Institute

Northcutt & Shenk

“Incident Handler’s Handbook”

Sect. 2

pp. 6-9 (PICERL sequence).

3. MIT OpenCourseWare 6.857 “Computer Systems Security”

Lecture 24 notes

slides 3-4 (standard incident-response phases).

4. IEEE Security & Privacy

West-Brown et al.

“A Process for Incident Handling”

Vol. 2 No. 5

2004

pp. 42-49 (lists Preparation→Identification→Containment→Eradication→Recovery→Lessons Learned).

An incident handler's response kit, often called a "jump kit," is a pre-assembled set of tools and resources used to respond to a security incident. All the selected items are standard components for digital forensics and live response.

• Software/Data: Clean binaries, forensic software, incident response manuals.
• Hardware/Tools: Response laptop, network cables, Firewire (for data acquisition), USB drive/external hard drive, blank CDs, network hub or tap (for traffic capture).
• Documentation/Procedure: Call list, notebooks (for contemporaneous notes), digital camera (to document the scene), plastic/anti-static bags (for chain of custody).

"Cleaning material" is the only item not relevant to a cyber incident response kit.

Source: National Institute of Standards and Technology (NIST). (2012). Special Publication 800-61 Rev. 2: Computer Security Incident Handling Guide.

Reference: Section 3.1.3, "Incident Handler Communications and Facilities".

Details: This section describes resources for incident handlers, including "forensic hardware and software," "blank media," "packet sniffers [taps] and protocol analyzers," "notebooks," and "contact information for other groups" (call list).

Source: Carnegie Mellon University (CMU) Software Engineering Institute (SEI). (2017). CSIRT Development: Incident Handling.

Reference: Module 6: "Handling Incidents" - "Incident Response Kits".

Details: University courseware on incident handling details the contents of a response kit, which includes: a dedicated laptop (Response laptop), analysis software (Forensic software), clean operating systems and binaries, removable media (Blank CDs, USB jump drive), network cables, network taps, and documentation materials (Notebooks, Digital camera, evidence bags).

Cygwin is a free and open-source software collection that provides a Unix-like environment and command-line interface for Microsoft Windows. It is not an emulator or a virtual machine but a compatibility layer that implements the POSIX (Portable Operating System Interface) API in a dynamic-link library (cygwin1.dll). This allows source code from Unix-like systems (such as Linux or BSD) to be compiled and executed on Windows with minimal modification. For security professionals, Cygwin is invaluable for running familiar Unix/Linux security tools and scripts directly on a Windows system during incident response or analysis.

1. Silberschatz

A.

Galvin

P. B.

& Gagne

G. (2013). Operating System Concepts (9th ed.). John Wiley & Sons. In Chapter 2

Section 2.8.3

when discussing Windows layers

the text states

"A popular free software package that provides a UNIX-like environment on Windows is Cygwin."

2. MacKenzie

D. J.

Tishler

R.

Eyring

C.

& Noer

G. (2001). Cygwin: A UNIX-like Environment for Windows. In Proceedings of the 2001 USENIX Windows Systems Symposium. The abstract explicitly states

"Cygwin is a project which provides a UNIX-like environment for Windows. It consists of a DLL which implements the POSIX API in terms of Win32 API calls

and a collection of tools."

3. MIT OpenCourseWare. (2014). 6.858 Computer Systems Security

Fall 2014. Massachusetts Institute of Technology. In Lab 1 assignment materials

Cygwin is recommended as a necessary tool for students using Windows to "get a Unix-like environment" required for the course projects.

4. IEEE Computer Society. (2004). Porting Applications to Cygwin. IEEE Distributed Systems Online

5(7). DOI: 10.1109/MDSO.2004.1315491. The article describes Cygwin as "a free Unix subsystem that runs on top of Windows" and details its function as a POSIX compatibility layer.

The Eradication phase of incident handling focuses on eliminating the root cause of the incident and the artifacts of the attack. This involves:

1. Performing vulnerability analysis to identify the vulnerability or misconfiguration that allowed the attack.
2. Removing the cause (e.g., deleting malware, disabling breached accounts, removing backdoors).
3. Implementing appropriate protection techniques (e.g., patching the identified vulnerability, hardening the system) to prevent immediate re-infection before proceeding to the recovery phase.

The other listed actions belong to different phases:

• Containment: Isolate the attack.
• Recovery: Locate the most recent clean back up., Restore the system.
• Post-Incident Activity: Send recommended changes to management.
• Detection & Analysis: Determine how the attack was executed.
• Preparation: Assign a person to be responsible for the incident.

Source: National Institute of Standards and Technology (NIST) Special Publication 800-61 Rev. 2, "Computer Security Incident Handling Guide".

Reference: Section 3.3.3, "Containment, Eradication, and Recovery".

Details: The document states that eradication involves "identifying and mitigating the root cause of the incident" (which necessitates vulnerability analysis) and "removing malware, disabling breached user accounts, and mitigating the vulnerability that was exploited" (which corresponds to removing the cause and implementing protections).

Source: Carnegie Mellon University (CMU) Software Engineering Institute (SEI). (2017). CSIRT Development: Incident Handling.

Reference: Module 6: "Handling Incidents".

Details: The "Eradication" step is described as the process of removing the cause of the incident and any remaining malicious artifacts. It explicitly mentions "identify the root cause," "remove the cause," and "improve defenses," which directly align with vulnerability analysis, removing the cause, and implementing protections.

Source: Kim, D., & Solomon, M. G. (2016). Fundamentals of information systems security. 3rd Edition. Jones & Bartlett Learning.

Reference: Chapter 14, "Incident Response".

Details: This textbook outlines the incident response lifecycle, describing the eradication phase as the step where the team "finds the root cause of the incident" (vulnerability analysis), "removes the problem" (removes the cause), and applies necessary patches or fixes (implements protection techniques) to affected systems.

These technologies are compiler-based protections that defend against stack-based buffer overflows. They operate by placing a small, random integer value, known as a "canary" or "guard," on the stack between the local variables and the saved return address. Before a function returns, the compiler-injected code checks if this canary value has been altered. If a buffer overflow has occurred and overwritten the stack, the canary will be corrupted. The check will fail, and the program will be terminated, preventing the attacker from hijacking the execution flow by overwriting the return address.

1. Cowan

C.

Pu

C.

Maier

D.

Hinton

H.

Bakke

P.

Beattie

S.

Grier

A.

Wagle

P.

& Zhang

Q. (1998). StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. Proceedings of the 7th USENIX Security Symposium. In Section 2.1

"Canary Implementation

" the paper states: "The essence of the StackGuard mechanism is to place a 'canary' word next to the return address on the stack."

2. Kaashoek

F.

& Zeldovich

N. (2014). Lecture 3: Controlling Buffer Overflows. 6.858 Computer Systems Security

Fall 2014. Massachusetts Institute of Technology. On slide 20

the mechanism is described: "StackGuard places a 'canary' word on stack... Check canary before jumping to return address."

3. Etoh

H. (2000). GCC extension for protecting applications from stack-smashing attacks. IBM Research

Tokyo Research Laboratory. In Section 2

"Design

" the paper describing ProPolice (which evolved into SSP) states: "ProPolice places a random number

which is called a canary

before the saved registers."

4. Pietrek

M. (2002). A Crash Course on the Depths of Win32™ Structured Exception Handling. Microsoft Systems Journal. In the section "New Things in Visual C++ .NET

" the /GS switch is described as adding "security cookies" (Microsoft's term for canaries) to the stack frame to detect buffer overruns. This concept is functionally identical to a canary.

Although the question title incorrectly refers to "threat modeling," the provided list of actions clearly describes the six phases of the Computer Security Incident Response lifecycle. This standard framework, defined by NIST, guides an organization's response to a security incident. The selected steps map directly to this lifecycle:

1. Preparation (prepare for the incident)
2. Detection and Analysis (identify the incident)
3. Containment (contain the incident)
4. Eradication (eradicate the incident)
5. Recovery (recover from the incident)
6. Post-Incident Activity (capture the lessons learned)

The other options, "handle the legal issue" and "change the system background," are not part of this core six-step process.

Source: National Institute of Standards and Technology (NIST). (2012). Special Publication 800-61 Rev. 2: Computer Security Incident Handling Guide.

Reference: Section 3, "Incident Response Lifecycle" (p. 23) and Figure 3-1, "Incident Response Lifecycle".

Details: This document outlines the standard incident response lifecycle. While it groups Containment, Eradication, and Recovery into one primary phase (Section 3.3), it details them as distinct activities. The other phases listed are Preparation (3.1), Detection and Analysis (3.2), and Post-Incident Activity (3.4). The "Post-Incident Activity" section explicitly details "lessons learned" (3.4.1) as a key component.

Source: Carnegie Mellon University (CMU) Software Engineering Institute (SEI). (2017). CSIRT Development: Incident Handling.

Reference: Module 6: "Handling Incidents".

Details: CMU SEI, a leader in cybersecurity (and origin of CERT), presents the incident handling process using this six-step model derived from the NIST framework: (1) Prepare, (2) Detect, (3) Contain, (4) Eradicate, (5) Recover, and (6) Wrap-up / Follow-up (which includes capturing lessons learned).

A standard ARP poisoning or ARP spoofing attack is executed in two primary steps to establish a Man-in-the-Middle (MitM) position. First, the attacker sends a forged ARP reply to the target host, falsely mapping the gateway's IP address to the attacker's MAC address. Second, the attacker sends another forged ARP reply to the gateway, falsely mapping the target host's IP address to the attacker's MAC address. This two-step process successfully poisons the ARP caches of both the target and the gateway, redirecting all their communication through the attacker's machine.

1. Whalen, S. (2001). An Introduction to ARP Spoofing. SANS Institute InfoSec Reading Room. Retrieved from SANS Technology Institute archives. This foundational paper, often referenced in security curricula, describes the two-way poisoning process: "To intercept traffic in both directions, you must poison the ARP caches of both hosts." (Section: "ARP Spoofing Explained").

2. Stanford University. (2018). CS 155: Computer and Network Security, Lecture 7: Network Attacks. In this courseware, the ARP spoofing attack is detailed as a two-part process. The lecture notes explain that the attacker sends one ARP reply to the victim machine (e.g., Alice) claiming to be the router, and a second ARP reply to the router claiming to be the victim machine. (Slide 21, "ARP Spoofing").

3. Bradner, S. (1999). Dubious Aspects of ARP. MIT Network Working Group. This document, while older, discusses the vulnerabilities of ARP that enable such attacks, implicitly detailing the need to manipulate the caches of at least two devices to intercept a full conversation. The mechanism requires sending packets to both endpoints of the desired communication channel. (Section 2, "ARP Cache Poisoning").

Session Hijacking is an attack where an adversary takes control of a valid user session. After a user authenticates and establishes a session, the attacker steals the session identifier (e.g., a session cookie). The attacker then uses this identifier to impersonate the user, gaining all the privileges associated with that authenticated session. This method directly exploits the trust established between the user and the server without needing the user's credentials, thus taking the best advantage of the existing authenticated connection.

1. Grassi

P. A.

et al. (2017). NIST Special Publication 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management. National Institute of Standards and Technology. In Section 7.1

"Session Management

" the document details the requirement for session secrets (e.g.

cookies) to be protected against disclosure

as an attacker could replay them to "impersonate the subscriber." This impersonation by replaying a session token is the core of session hijacking.

2. Zeldovich

N. (2014). 6.858 Computer Systems Security

Lecture 15: Web Security. Massachusetts Institute of Technology: MIT OpenCourseWare. The lecture notes (slide 12

"Session Hijacking") explicitly describe the attack: "Attacker steals session cookie... Attacker uses cookie to access user's account." This directly illustrates how the attack leverages the authenticated state represented by the cookie.

3. Kar

D.

& Mishra

S. (2013). A Study of Session Hijacking Attacks and Countermeasures on Web Applications. 2013 International Conference on Communication Systems and Network Technologies

554-558. IEEE. The paper's abstract defines the attack as one where "the attacker steals a valid session ID of the user and uses it to access the server

" which perfectly matches the scenario of exploiting an existing authenticated connection. (https://doi.org/10.1109/CSNT.2013.119)

In the portsentry.conf configuration file, the BLOCKUDP directive controls the active response for detected UDP port scans. To block all UDP packets from a scanning source, this option must be enabled by setting its value to "1". When BLOCKUDP="1", PortSentry will automatically add the source IP address of the scanner to a blocklist, typically by adding a rule to /etc/hosts.deny or by using a local firewall like iptables to drop all subsequent packets from that IP. If this value is set to "0", PortSentry will only log the scan attempt and will not take any blocking action.

1. Official Documentation: portsentry.conf(5) Linux manual page. The configuration options section explicitly defines BLOCKUDP. It states: BLOCKUDP="1" # 0 = Do not block UDP scans

1 = Block UDP scans.

2. University Courseware: University of Kent

School of Computing. (n.d.). CO537 Systems Security Lab 4: Intrusion Detection. In Section 3.2

"Configuring PortSentry

" the document instructs students to edit /etc/portsentry/portsentry.conf and notes the function of BLOCKTCP and BLOCKUDP settings for enabling active blocking.

3. Academic Publication: Spitzner

L. (2003). Honeypots: Tracking Hackers. Addison-Wesley Professional. In Chapter 11

"Know Your Enemy: Port Scans

" the configuration of PortSentry is discussed

highlighting the BLOCKUDP and BLOCKTCP directives as the primary controls for enabling the tool's active response capabilities (Section: "Configuring PortSentry").

SNMP is the only protocol listed that utilizes MIBs (Management Information Bases) to query device data (such as ARP tables or CDP neighbors) for topology discovery. Active Probing generates synthetic traffic (like traceroute or ICMP echoes) to trace paths hop-by-hop, distinguishing it from passive methods. Route Analytics operates by peering with routers to collect Link State (OSPF/IS-IS) or Path Vector (BGP) updates, building a map based on the network's routing protocol database rather than live traffic flows.

Motamedi, R., Rejaie, R., & Willinger, W. (2014). A Survey of Techniques for Internet Topology Discovery. University of Oregon / IEEE Communications Surveys & Tutorials.

Supports "Active Probing": Describes active probing techniques utilizing "traceroute-like" methods to infer router-level topology by sending probe packets.

Supports "Route Analytics": Discusses control-plane inference using BGP/routing data to build topology maps.

Juniper Networks. (2025). Junos® OS Network Management and Monitoring Guide.

Supports "SNMP": Section on SNMP explicitly defines the use of MIBs (Management Information Bases) to retrieve data from routers and switches for management and monitoring.

Case, J., et al. (1990). RFC 1157 - Simple Network Management Protocol (SNMP). IETF.

Supports "SNMP": Defines the architecture where network elements (routers/switches) store management data in MIBs accessed via SNMP agents.

A kernel-level rootkit operates with the highest system privileges (Ring 0) by altering the core of the operating system. It achieves its objectives by adding malicious code to or replacing parts of the kernel and its loadable modules, such as device drivers. This deep integration allows the rootkit to intercept and manipulate system calls to hide its presence (e.g., files, processes, network connections) from security tools and system administrators. Because it modifies the fundamental components of the OS, it is exceptionally powerful and difficult to detect.

A. Hypervisor rootkit: This type installs a malicious hypervisor underneath the original operating system, running the OS in a virtual machine, rather than modifying the kernel directly.

B. Boot loader rootkit: This targets the Master Boot Record (MBR) or Volume Boot Record (VBR) to load before the operating system, controlling the boot process, but not necessarily altering the kernel code itself.

D. Library rootkit: This is a user-mode rootkit that replaces system libraries (e.g., .DLL or .so files) to manipulate the output of standard system utilities, without modifying the privileged OS kernel.

---

1. Hoglund

G.

& Butler

J. (2006). Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional. In Chapter 1

"The What and Why of Rootkits

" the authors define kernel rootkits as those that "add to or replace some of the kernel code to hide the presence of a backdoor." They explicitly detail modification of kernel structures and drivers as the primary mechanism.

2. Petroni

N. L.

Fraser

T.

& Arbaugh

W. A. (2004). Kernel-Level Rootkit Detection. University of Maryland

Department of Computer Science. Technical Report CS-TR-4631. Section 2

"Kernel Rootkits

" states

"Kernel rootkits achieve their goals by modifying the data structures and code of a running kernel... A rootkit may install a device driver that modifies the system call table."

3. Miller

E.

& D. (2007). An Overview of Rootkits. SANS Institute InfoSec Reading Room. Page 4

"Kernel-Level Rootkits

" describes them as follows: "Kernel-level rootkits are implemented by replacing or 'patching' parts of the kernel code... This can be done by adding additional code to the operating system via a device driver or loadable kernel module."

4. Microsoft. (2023). Kernel Patch Protection. Microsoft Learn. This document describes a security feature designed to prevent unauthorized modification of the kernel. It implicitly defines the target: "malicious software (often called a rootkit) that patches the kernel." This confirms that patching/modifying the kernel is the defining characteristic of a kernel-level rootkit.

The creation of a new, non-administrative user account with remote access capabilities following a system compromise is a classic attacker technique for establishing persistence. This account acts as a backdoor, providing the intruder with a covert method to re-enter the network. It is designed to survive initial remediation efforts, such as changing the passwords of known administrative accounts, thereby ensuring the attacker maintains long-term access to the compromised environment.

A. Privilege escalation is the process of gaining elevated permissions, not the backdoor account that may be created as a result.

B. Discovering an "odd" account with remote access immediately after an intrusion is highly unlikely to be a coincidental administrative oversight.

D. IP spoofing is a network-level technique for falsifying the source address of IP packets and is unrelated to creating user accounts.

1. MITRE ATT&CK® Framework. Technique T1136

"Create Account." The framework states

"Adversaries may create an account to maintain access to victim systems... Adversaries may also create accounts

such as local administrator accounts

as a form of persistence to logon to a system..." This directly identifies account creation as a method for persistence (i.e.

a backdoor). (Source: MITRE ATT&CK

Technique T1136

https://attack.mitre.org/techniques/T1136/)

2. NIST Special Publication 800-61 Rev. 2

Computer Security Incident Handling Guide. Section 3.3.2

"Eradication

" discusses the necessity of identifying and removing all artifacts left by an attacker. It states

"For example

if the attackers created or modified user accounts

the accounts should be disabled or have their passwords changed." This acknowledges the creation of unauthorized accounts as a common attacker action during an incident. (Source: NIST SP 800-61r2

Page 29)

3. University of California

Berkeley

Information Security Office. In guidance on responding to security incidents

it is noted that attackers establish persistence mechanisms. The documentation states

"Attackers may also create new accounts on a compromised system to maintain access." This confirms that creating accounts is a known method for attackers to ensure they can return. (Source: UC Berkeley Information Security Office

"Compromised Accounts

" https://security.berkeley.edu/education-awareness/compromised-accounts)

IP spoofing is simply the falsification of source-address or identity fields so the attacker appears to be someone else; it does not require that the genuine host stop transmitting, therefore the legitimate user may remain active (B).

In most forms of session hijacking—e.g., cookie stealing, blind TCP sequence prediction—the attacker forges or re­uses the victim’s session identifiers and starts sending packets that the server accepts as coming from the victim. The victim’s connection usually persists; both attacker and victim can be simultaneously connected until collision or timeout occurs (D).

A. Spoofing does not inherently force the real user offline; impersonation can occur while the user continues normal traffic.

C. Hijacking often leaves the legitimate session intact; forced disconnection occurs only in specific RST-based takeovers, not as a defining characteristic.

1. RFC 4953

“Defending TCP Against Spoofing Attacks”

§2.1 (definition of IP spoofing and coexistence with legitimate traffic).

2. RFC 6269

“Issues with IP Spoofing”

§1 (spoofing does not affect state of legitimate host).

3. SANS Institute Reading Room

P. Biondi

“TCP/IP Session Hijacking”

pp. 4-6 (attacker injects packets; victim often remains connected).

4. SANS SEC503 Courseware

“Session Hijacking Techniques”

Module 9

slides 9-13 (legitimate user typically unaware and still active).

5. MIT OpenCourseWare 6.857

Lecture 11 Notes

“Network-Layer Attacks”

p.2 (spoofing definition) & p.4 (session hijack allows concurrent sessions).

An active steganography attack involves modifying a carrier file, such as an image, to embed a hidden message. This process can introduce sharp, unnatural artifacts, particularly in areas with high color contrast or "hard edges." A blur filter is a low-pass spatial filter that works by averaging the values of neighboring pixels. Applying a slight blur smooths these hard edges and reduces the high-frequency noise introduced by the data embedding process. This makes the modifications less perceptible to both human visual inspection and certain statistical steganalysis techniques, thereby concealing the presence of the hidden data more effectively.

A. Soften: This is a non-technical, general term. While blurring does "soften" an image, "Blur" is the specific image processing operation that achieves the described effect.

B. Rotate: Rotation is a geometric transformation that changes the image's orientation. It does not alter pixel color relationships to smooth edges or hide artifacts.

C. Sharpen: Sharpening is the opposite of blurring. It is a high-pass filter that enhances edges and increases contrast, which would make steganographic artifacts more noticeable, not less.

1. Gonzalez

R. C.

& Woods

R. E. (2018). Digital Image Processing (4th ed.). Pearson. In Section 3.5

"Smoothing Spatial Filters

" the text explains that blurring filters (such as averaging and Gaussian filters) are used for "blurring and for noise reduction" (p. 139). This principle is applied in steganography to smooth the "noise" or artifacts introduced by data embedding.

2. Kharrazi

M.

Sencar

H. T.

& Memon

N. (2006). Image steganography: Concepts and practice. In Lecture Notes in Computer Science

vol 4300. Springer

Berlin

Heidelberg. (https://doi.org/10.1007/119262141). This work discusses how steganographic algorithms must avoid creating "perceptual artifacts" (Section 2). Applying post-processing filters like a slight blur is a method to mitigate such artifacts created during the embedding (active attack) phase.

3. Cheddad

A.

Condell

J.

Curran

K.

& Mc Kevitt

P. (2010). Digital image steganography: Survey and analysis of current methods. Signal Processing

90(3)

727-752. (https://doi.org/10.1016/j.sigpro.2009.08.010). The paper reviews methods for hiding data and the importance of maintaining the statistical properties of the cover image. Blurring can help restore some of the local statistical smoothness that is disrupted by simple embedding techniques like LSB substitution.

A replay attack is a network attack where an adversary intercepts a valid data transmission, such as an authentication session, and maliciously retransmits it to impersonate the original user. By capturing and replaying authentication tokens, hashed credentials, or entire session establishment sequences, the attacker can trick the server into granting them an authenticated connection. This method is effective against authentication protocols that lack mechanisms to ensure the freshness of a message, such as timestamps or single-use nonces. The attacker does not need to crack the credentials, only to capture and reuse them.

A. A Denial-of-Service (DoS) attack is designed to make a resource unavailable to legitimate users, not to gain authenticated access.

C. A Man-in-the-middle attack is a broader category of attack that involves intercepting traffic; replaying captured data is a specific action that can occur during it.

D. A back door is a pre-existing, covert entry point that bypasses normal authentication, not an active attack on an ongoing authentication process.

1. National Institute of Standards and Technology (NIST). (2017). NIST Special Publication 800-63B: Digital Identity Guidelines

Authentication and Lifecycle Management. Section 7.1

"Threats

" states: "An attacker may eavesdrop on an authentication protocol exchange between a claimant and a verifier and replay a claimant’s message at a later time. If the protocol is not designed to withstand this attack

the verifier may not be able to distinguish the replayed message from a legitimate message from the claimant."

2. Rivest

R. L.

& Lampson

B. (1996). SDSI - A Simple Distributed Security Infrastructure. MIT Laboratory for Computer Science. In the section on "Attacks

" the paper discusses replay attacks where an "enemy can record messages and play them back later." This is a foundational concept in network security protocols.

3. Menezes

A. J.

van Oorschot

P. C.

& Vanstone

S. A. (1996). Handbook of Applied Cryptography. CRC Press. Chapter 10

"Identification and Entity Authentication

" Section 10.4.2

"Attacks on authentication protocols

" explicitly describes replay attacks (or freshness attacks) where an adversary records and replays messages from a legitimate principal at a later time to impersonate them.

A Trojan horse and a worm are both distinct categories of malicious code, commonly known as malware. A Trojan horse is malicious code disguised as a legitimate program to deceive a user into executing it, thereby granting an attacker unauthorized access or control. A worm is a standalone piece of malicious code that replicates itself to spread to other computers, often across a network, without requiring user interaction. Both are fundamentally defined by their nature as malicious software. In contrast, Denial-of-Service is an attack outcome, and biometrics is a security control mechanism.

A. Denial-of-Service (DoS): This is an attack type, not inherently malicious code. Many DoS attacks, like a SYN flood, exploit network protocols and can be launched using standard utilities.

B. Biometrics: This is a method of authentication and identification that uses unique physiological or behavioral characteristics. It is a security control, not malicious code.

1. National Institute of Standards and Technology (NIST)

Special Publication 800-82 Rev. 2

"Guide to Industrial Control Systems (ICS) Security":

Section 3.2.2

Malware

Page 3-4: Defines a Trojan horse as a "malicious

security-breaking program that is disguised as something benign" and a worm as a "program that spreads copies of itself through a network." This document explicitly categorizes both as types of malware.

2. National Institute of Standards and Technology (NIST)

Computer Security Resource Center (CSRC) Glossary:

Trojan Horse: Defines it as "A computer program that appears to have a useful function

but also has a hidden and potentially malicious function that evades security mechanisms..."

Worm: Defines it as "A computer program that can run independently

can propagate a complete working version of itself onto other hosts on a network..."

Denial of Service: Defines it as "The prevention of authorized access to a resource..." This definition focuses on the outcome

not the method

confirming it is not exclusively code-based.

3. Stallings

W.

& Brown

L. (2018). Computer Security: Principles and Practice (4th ed.). Pearson.

Chapter 6

Malicious Software

Section 6.2

"Types of Malicious Software (Malware)": This chapter provides a taxonomy of malware

clearly classifying Trojan Horses and Worms as primary categories of malicious code based on their propagation and concealment mechanisms.

4. Carnegie Mellon University

Software Engineering Institute (SEI). "Defining Different Types of Malware."

This resource from a reputable academic institution explicitly lists and defines Worms and Trojans as common types of malware

describing them as malicious programs with specific behaviors (self-replication for worms

deception for Trojans).

The objective is to embed a Trojan (Netbus) within a legitimate executable (chess.exe). This process is accomplished using software utilities known as binders or wrappers. A binder combines two or more executables into a single file. When this file is executed, all bundled programs run, often with the legitimate program in the foreground and the malicious one hidden. A wrapper serves a similar purpose, often adding layers of obfuscation or encryption to evade antivirus detection. "Yet Another Binder" and "Pretator Wrapper" are well-known examples of these types of tools used for creating Trojan horses.

A. Tripwire is a host-based intrusion detection system (HIDS) used for monitoring and alerting on unauthorized file changes; it is a defensive, not an offensive, tool.

D. Beast is a Remote Access Trojan (RAT). It is the malicious payload itself, not the tool used to bind the payload to another executable.

1. Microsoft Security. (2018). Microsoft Security Intelligence Report

Volume 24. In the section "Threat landscape > Malware

" the report discusses various malware delivery mechanisms

including bundling malicious code with legitimate applications. Binders and wrappers are the tools used for this purpose. This is exemplified in descriptions of Trojan families like Win32/Gamarue

which is often "bundled with other malware or legitimate programs."

Reference: Microsoft Security Intelligence Report (SIR)

Volume 24

Page 38.

2. Alazab

M.

& Khresiat

A. (2016). A Review of Malware Evasion Techniques. In A. Al-Nemrat (Ed.)

ICCTA 2016: Proceedings of the 2nd International Conference on Computer and Technology Applications. This peer-reviewed publication discusses malware techniques

including the use of "Binders" and "Wrappers/Packers" to combine malicious code with legitimate files to bypass security controls and trick users into execution.

Reference: Section 3.1 "Binders

" Page 1. (Available via ACM Digital Library or similar academic databases).

3. Pfleeger

C. P.

Pfleeger

S. L.

& Margulies

J. (2015). Security in Computing (5th ed.). Prentice Hall. In Chapter 2

"Programs and Programming

" the text describes how a Trojan horse is created by embedding malicious code within a seemingly useful program. The tools to accomplish this are referred to as binders or wrappers.

Reference: Chapter 2

Section "Malicious Code: Trojan Horses

" specifically discussing the mechanism of embedding code.

The password "apple" is vulnerable to multiple cracking methods due to its inherent weaknesses.

1. Dictionary Attack (C): This is the most direct and efficient attack. "apple" is a common English word that would be included in any standard password dictionary.

2. Brute Force Attack (D): This password is very short (5 characters) and uses a limited character set (lowercase letters). A brute-force attack, which tries every possible combination, would crack this password very quickly.

3. Hybrid Attack (A): This attack combines a dictionary attack with brute-force methods (e.g., appending numbers or symbols). The attack process typically begins by testing the dictionary words themselves, so "apple" would be discovered in the initial phase.

B. Rule based attack: This attack applies specific transformations or "mangling" rules to dictionary words (e.g., substituting 'a' with '@' or capitalizing letters). The password "apple" is the dictionary word itself, not a modified version, making this attack type a less accurate description of its primary vulnerability.

---

1. Dictionary and Brute Force Attacks:

Narayanan

A.

& Shmatikov

V. (2005). Fast Dictionary Attacks on Passwords Using Time-Space Tradeoff. In Proceedings of the 12th ACM conference on Computer and communications security (CCS '05). Association for Computing Machinery

New York

NY

USA

364–372. This paper discusses the fundamentals of dictionary attacks and their effectiveness against common-word passwords. It implicitly supports the vulnerability to brute-force by analyzing the password space. (DOI: https://doi.org/10.1145/1102120.1102168)

2. Types of Password Attacks (Hybrid and Rule-based):

University of California

Berkeley. CS 161: Computer Security

Fall 2020. Lecture 10: "Web Security II & Authentication". The lecture notes describe different password cracking techniques. They define dictionary attacks for common words

brute-force for short passwords

and hybrid/rule-based attacks for predictable variations of dictionary words (e.g.

Password123). This supports that "apple" is primarily vulnerable to dictionary and brute-force attacks

and secondarily to hybrid attacks (which encompass dictionary attacks)

but that rule-based attacks are meant for modified words. (Reference: https://cs161.org/assets/lectures/10.pdf

Slide 58

"Password Cracking").

3. Attack Method Definitions:

Weir

M.

Aggarwal

S.

de Medeiros

B.

& Glodek

M. (2009). Password cracking using probabilities

patterns

and permutations. In 2009 IEEE Symposium on Security and Privacy (pp. 35-49). IEEE. This publication details password cracking methodologies

explaining that hybrid attacks test dictionary words with simple additions

while more complex rule systems are used for common user-created patterns. This distinction justifies why a simple dictionary word is vulnerable to a hybrid process but is not an example of a password needing a rule-based attack. (DOI: https://doi.org/10.1109/SP.2009.11)

A Trojan engine, in the context of an Intrusion Detection System (IDS), refers to a specialized component designed to detect specific Trojan horse programs. Advanced Trojans, such as Tribe Flood Network 2000 (TFN2K) and Back Orifice 2000 (BO2K), often use custom, non-standard, or covert protocols for command and control (C2) communications to evade detection. A key function of a detection engine targeting these threats is to perform deep packet inspection and protocol analysis to identify and decode these non-standard communication patterns, which would be missed by systems that only analyze well-known, standard protocols.

A. Trojans often increase, rather than limit, system resource usage to perform their malicious functions.

B. This describes a signature-based rule for detecting network scanning or a denial-of-service (DoS) attack, not a general Trojan engine.

C. This describes the functionality of a correlation engine, typically found in a Security Information and Event Management (SIEM) system.

1. Dittrich

D. (1999). The Tribe Flood Network 2000 Distributed Denial of Service Attack Tool. University of Washington. In Section 4

"TFN2K Communications

" the paper details how TFN2K uses "decoy" packets and non-standard communication channels (e.g.

ICMP ECHO REPLY packets for commands)

which necessitates a specialized analysis engine for detection.

2. Du

W. (2019). Computer & Internet Security: A Hands-on Approach (2nd ed.). Chapter 16.3.2

"Protocol Anomaly Detection." This section explains that intrusion detection systems can be designed to look for violations of protocol specifications. This principle is directly applicable to detecting Trojans like BO2K and TFN2K that intentionally use protocols in non-standard ways to communicate.

3. Handley

M.

& Paxson

V. (2001). Network Intrusion Detection: Evasion

Traffic Normalization

and End-to-End Protocol Semantics. In Proceedings of the 10th USENIX Security Symposium. This paper discusses the challenges of network intrusion detection

including how attackers use ambiguous

non-standard protocol usage to evade detection

reinforcing the need for sophisticated analysis engines that understand these variations.

All listed options are valid and recommended countermeasures against Denial-of-Service (DoS) attacks. Blocking specific malicious IP addresses (A) and applying router filtering (B) are direct methods to stop malicious traffic flows at the network edge. Disabling unneeded network services (C) is a critical hardening step that reduces the attack surface, eliminating potential targets for protocol-based or application-layer DoS attacks. Permitting only desired traffic (D) establishes a "default-deny" policy, a fundamental security principle that proactively blocks all unauthorized and potentially harmful traffic, including DoS attempts. Together, these measures form a robust, layered defense-in-depth strategy.

As all provided options are correct countermeasures against DoS attacks, this section is not applicable.

1. National Institute of Standards and Technology (NIST). (2012). Computer Security Incident Handling Guide (Special Publication 800-61 Rev. 2).

Page 3-21

Section 3.4.3

"Denial of Service": This section explicitly discusses filtering as a primary containment strategy. It states

"Filtering can be performed based on a number of traffic characteristics

such as source and destination IP addresses...". This directly supports options A

B

and D.

2. Cisco Systems

Inc. (n.d.). Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks.

Section: "Filtering": This document details various filtering techniques

including ingress/egress filtering and Access Control Lists (ACLs) on routers to block traffic from specific sources or allow only legitimate traffic. This supports options A

B

and D.

Section: "Disabling Unnecessary Services": In related hardening guides like the Cisco Guide to Harden Cisco IOS Devices

disabling unused services (e.g.

finger

bootp

chargen) is a standard recommendation to reduce the attack surface

which directly supports option C.

3. Mirkovic

J.

& Reiher

P. (2004). A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communication Review

34(2)

39–53.

Page 46

Section 4.2

"Filtering Mechanisms": The paper describes ingress/egress filtering and history-based filtering

which involve blocking traffic based on IP addresses and established communication patterns. This supports options A

B

and D.

Page 45

Section 4.1

"Attack Prevention and Preemption": This section discusses minimizing the attack surface by "securing the local network before it is attacked

" which includes disabling unnecessary services

directly supporting option C. (DOI: https://doi.org/10.1145/997150.997156)

4. Massachusetts Institute of Technology (MIT) OpenCourseWare. (2017). 6.857 Computer and Network Security

Fall 2017.

Lecture 15 Notes

"Network Security": The course materials discuss the role of firewalls and packet filtering in network security. The concept of creating rulesets to permit or deny traffic based on IP addresses and services (ports) is a core topic

validating options A

B

and D. The principle of least privilege

which extends to running only necessary services

is also a foundational concept taught

supporting option C.