GIAC GCIH Exam Questions 2025

A. Internal attack: This describes the origin of an attacker (from within the network perimeter), not the objective or type of the attack itself.

B. Reconnaissance attack: This is a preliminary phase of an attack focused on gathering information about a target, not actively disrupting its services.

C. Land attack: This is a specific and now largely historical type of DoS attack. The general category "DoS attack" is the most accurate and encompassing description of the attacker's intent.

1. National Institute of Standards and Technology (NIST). (2012). Computer Security Incident Handling Guide (NIST Special Publication 800-61 Rev. 2). Section 2.3.4, "Denial of Service," states: "A denial of service (DoS) is an attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources..."

2. Massachusetts Institute of Technology (MIT) OpenCourseWare. (2014). 6.858 Computer Systems Security, Lecture 15: Network Security & Denial of Service. The lecture notes define a DoS attack as an "attack that prevents legitimate users from using a service."

3. Mirkovic, J., & Reiher, P. (2004). A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communication Review, 34(2), 39–53. The introduction (p. 39) defines a DoS attack as "an attempt to make a computer resource unavailable to its intended users." DOI: https://doi.org/10.1145/997150.997156

A. printf()

This function's primary vulnerability is related to format string bugs, not buffer overflows, as it writes to standard output, not a user-specified memory buffer.

D. strlength()

Assuming this is a typo for strlen(), this function only reads from a buffer to calculate its length; it does not write data and therefore cannot cause a buffer overflow.

1. Carnegie Mellon University, CERT Secure Coding Standards. The standard STR31-C, "Guarantee that storage for strings has sufficient space for character data and a null terminator," explicitly warns against the use of unbounded string functions. It states, "The strcpy() and strcat() functions are common sources of buffer overflow vulnerabilities." (See Noncompliant Code Example for STR31-C).

2. Microsoft Corporation, Official Vendor Documentation. In the documentation for the secure function strcpys, Microsoft explicitly states, "Because strcpy does not check for sufficient space in strDestination before copying strSource, it is a potential cause of buffer overruns." A similar warning is provided for strcat. (See "Security Remarks" section in the strcpy, wcscpy, mbscpy documentation on Microsoft Learn).

3. Aleph One (Elias Levy), "Smashing The Stack For Fun And Profit," Phrack Magazine, Volume 7, Issue 49, 1996. This foundational paper on buffer overflow exploitation identifies strcpy() as a primary example of a function that enables stack-based buffer overflows. It details how copying a long string into a fixed-size buffer using strcpy() can overwrite the return address on the stack. (See Section 4: "The Stack, Functions and Stack Frames" and Section 5: "Buffer Overflows").

B. Run consistency check.

A consistency check is a subsequent action performed after the VM is added back to a protection group (Step C) to synchronize the DPM replica. It is a sub-task of re-establishing protection, not a primary step in the migration process itself.

1. Microsoft Corporation. (2010). Data Protection Manager 2010 Documentation. In the DPM Operations Guide, the procedure for moving a protected data source consistently follows the pattern of stopping protection, moving the data, and then re-configuring the protection group for the new location. For example, in the section "Managing protected servers," it states, "If you move a data source that is a member of a protection group, DPM will raise an alert that the replica is inconsistent... You must then run a consistency check." This confirms the consistency check (B) is a consequence of re-protecting (C), not a primary migration step. The primary steps are stopping protection (A), moving the data (D), and re-protecting (C).

2. Microsoft TechNet Archives. (2012). How to move a DPM protected Hyper-V guest to another CSV. This official blog post, while specific to CSVs, outlines the general procedure. The administrator must first "Stop protection of the selected data" (related to step A), then "Migrate the virtual machine" (Step D), and finally "run the Modify Protection Group wizard" to update the VM's new location (related to step C).

3. Orin, T. (2013). Microsoft Virtualization with Hyper-V. Sybex. Chapter 11, "Hyper-V and System Center," discusses integration with DPM. The text describes that when a protected VM is moved, the DPM administrator must update the protection group to reflect the new host. This action corresponds to Step C, which follows the physical move (Step D) and is preceded by stopping the original protection job (Step A).

C. DSniff: DSniff is a suite of tools for network sniffing and traffic analysis, primarily designed to intercept and parse credentials from unencrypted protocols. It is not a DNS query tool and lacks the functionality to initiate a zone transfer.

1. Internet Systems Consortium (ISC), BIND 9.18 Administrator Reference Manual.

For dig: Chapter 7, "Server and Tools," section on dig, describes the usage of query types, including AXFR. The manual states, "dig supports specifying the query type on the command line... An AXFR query can be requested by specifying the type AXFR."

For host: Chapter 7, "Server and Tools," section on host, details the -l option. The manual specifies, "host -l is used to list all of the hosts in a zone; this is a synonym for -t AXFR."

For nslookup: Chapter 7, "Server and Tools," section on nslookup, explains the ls command in interactive mode, which is used to list addresses in a domain, effectively performing a zone transfer.

2. University of California, Berkeley, EECS Department Courseware, CS 161: Computer Security.

Lecture notes on Network Security II discuss DNS attacks. They explicitly mention using dig @ns.victim.com victim.com axfr as the command to attempt a DNS zone transfer, demonstrating dig as a primary tool for this enumeration technique.

3. Dug Song, "DSniff - Tools for network auditing and penetration testing."

The official documentation and description for the DSniff tool suite on the author's page at the University of Michigan (monkey.org/~dugsong/dsniff/) outlines its capabilities as a collection of sniffers (dsniff, filesnarf, msgsnarf, etc.). The tool's purpose is passive data interception, not active DNS querying or zone transfer requests.

C. Crimeware – Broad marketing term for toolkits (e.g., Zeus) that combine multiple malware elements; removal often needs specialized disinfection utilities beyond standard AV signatures.

E. Adware – Generally classed as potentially-unwanted software; many AV products ignore or just flag it, leaving full removal to dedicated anti-spyware/adware tools rather than core AV engines.

1. NIST SP 800-83 Rev.1 “Guide to Malware Incident Prevention & Handling”, §2.2.1-2.2.3 (pp. 2-5)—describes AV removal capabilities for viruses, worms, Trojans.

2. Microsoft KB 926079 “Detection and Removal of Rootkits”, para. 1–3—states up-to-date AV products incorporate anti-rootkit modules.

3. University of Maryland (UMUC) CYBR 620 Course Notes, Week 4: “Traditional AV is ineffective against adware/spyware; separate tools recommended.”

4. US-CERT Security Tip ST04-006 “Virus Basics”, lines 14-22—lists viruses, worms, Trojans as malware countered by antivirus software.

5. Symantec Security Response Whitepaper “Understanding Malware”, v1.0, p.6—AV engines target virus, worm, Trojan, rootkit signatures; crimeware defined as composite threat often requiring specialized remediation.

A. Attack phase: This phase involves actively exploiting the vulnerabilities identified during the pre-attack phase to gain unauthorized access, not the initial data gathering.

C. Post-attack phase: This phase occurs after a successful compromise and includes activities like maintaining access, covering tracks, and preparing the final report.

D. Out-attack phase: This is not a recognized or standard term within established penetration testing methodologies.

1. National Institute of Standards and Technology (NIST). (2008). Special Publication 800-115, Technical Guide to Information Security Testing and Assessment.

Reference: Section 3.2, "Discovery," page 3-2. The document outlines a four-phase methodology. The "Discovery" phase, which precedes the "Attack" phase, is described as the stage for information gathering and scanning. It states, "The discovery phase is used to discover and probe the target systems... It begins with reconnaissance to identify networks, systems, and potential vulnerabilities." This directly corresponds to the pre-attack phase.

2. Ahmed, Z. Z., Hossain, M. A., & Maleque, M. A. (2020). A Study on Penetration Testing Process and Tools. 2020 11th International Conference on Computing, Communication and Networking Technologies (ICCCNT), 1-6.

Reference: Section III, "Penetration Testing Process," subsection A, "Information Gathering (Reconnaissance)," page 2. This academic paper details the penetration testing process, identifying "Information Gathering (Reconnaissance)" as the first major step. The authors state, "In this phase, the tester tries to collect as much information as possible about a target of evaluation." This aligns with the purpose of the pre-attack phase.

DOI: https://doi.org/10.1109/ICCCNT49239.2020.9225553

3. The Penetration Testing Execution Standard (PTES). (2012). PTES Technical Guidelines.

Reference: Section "Intelligence Gathering." The PTES, a widely respected industry standard, defines "Intelligence Gathering" as a core phase that precedes vulnerability analysis and exploitation. The standard describes this phase as using "numerous techniques to learn as much as possible about the target." This phase is functionally identical to the pre-attack phase.

C. Preparation – concerns policies, training, and infrastructure readied before any incident; it does not fix an already discovered problem.

E. Identification – is the detection/analysis step that recognized the misuse; the question states the misuse has already been identified.

1. NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, §3.2–3.3, pp. 19–27, 44-48 – defines Containment, Eradication, Recovery stages used after detection.

2. Skoudis, E. & Zeltser, L., SANS Incident Handler’s Handbook, v2.6, §4 “Containment, Eradication & Recovery”, pp. 18-25 – describes limiting damage, eliminating root cause, restoring service.

3. SANS SEC504: Hacker Tools, Techniques, Exploits & Incident Handling (GIAC GCIH courseware), Day 5 notes, slides 37-46 – lists phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned and details actions in each.

1. Aung, M. M., & Aung, S. H. H. (2016). Firmware-based rootkits: a survey. In 2016 IEEE Conference on Computer Applications and Information Processing Technology (CAIPT). The abstract states, "Firmware-based rootkits are a type of malware that resides in the firmware of a device, such as a computer's BIOS or a network card's firmware." DOI: https://doi.org/10.1109/CAIPT.2016.7975821

2. Regenscheid, A. (2018). NIST Special Publication 800-193: Platform Firmware Resiliency Guidelines. National Institute of Standards and Technology. Section 2.1, "Introduction" (p. 3), discusses the threat: "A successful attack on firmware can be difficult to detect and can give an attacker a high degree of privilege and persistence on the platform." DOI: https://doi.org/10.6028/NIST.SP.800-193

3. Saltzer, J. H., & Kaashoek, M. F. (2014). 6.858 Computer Systems Security, Fall 2014, Lecture 15: Malware. Massachusetts Institute of Technology: MIT OpenCourseWare. Slide 23, "Rootkit Types," explicitly lists "Firmware rootkits (e.g., in BIOS)" as a category of rootkit. Retrieved from https://ocw.mit.edu/courses/6-858-computer-systems-security-fall-2014/resources/mit6858f14lec15/

1. Silberschatz, A., Galvin, P. B., & Gagne, G. (2013). Operating System Concepts (9th ed.). John Wiley & Sons. In Chapter 2, Section 2.8.3, when discussing Windows layers, the text states, "A popular free software package that provides a UNIX-like environment on Windows is Cygwin."

2. MacKenzie, D. J., Tishler, R., Eyring, C., & Noer, G. (2001). Cygwin: A UNIX-like Environment for Windows. In Proceedings of the 2001 USENIX Windows Systems Symposium. The abstract explicitly states, "Cygwin is a project which provides a UNIX-like environment for Windows. It consists of a DLL which implements the POSIX API in terms of Win32 API calls, and a collection of tools."

3. MIT OpenCourseWare. (2014). 6.858 Computer Systems Security, Fall 2014. Massachusetts Institute of Technology. In Lab 1 assignment materials, Cygwin is recommended as a necessary tool for students using Windows to "get a Unix-like environment" required for the course projects.

4. IEEE Computer Society. (2004). Porting Applications to Cygwin. IEEE Distributed Systems Online, 5(7). DOI: 10.1109/MDSO.2004.1315491. The article describes Cygwin as "a free Unix subsystem that runs on top of Windows" and details its function as a POSIX compatibility layer.

A. rkhunter: While also a script-based scanner, rkhunter performs more extensive checks, including comparing file hashes against known-good databases, checking for wrong file permissions, and looking for suspicious kernel modules, not just signature scanning with strings and grep.

B. OSSEC: This is a comprehensive Host-based Intrusion Detection System (HIDS). Its rootkit detection relies primarily on file integrity monitoring (comparing checksums over time) and log analysis, which is a different and broader methodology.

D. Blue Pill: Blue Pill is a proof-of-concept for a virtual machine-based rootkit (VMBR). It is a type of malware, not a tool used to detect rootkits.

1. Shmatikov, V. (2012). Lecture 15: Malware II: Viruses, Rootkits. CS 378 - Network Security and Privacy, University of Texas at Austin. On slide 29, chkrootkit is described as a script that "runs strings, grep, etc. on system binaries to find signatures of known rootkits." Available at: https://www.cs.utexas.edu/~shmat/courses/cs378/l15.pdf

2. chkrootkit Project. (n.d.). chkrootkit - locally checks for signs of a rootkit. The official project page describes its function as checking system binaries for modification. The tool's source code is a shell script that heavily utilizes commands like strings, grep, egrep, and awk for its checks. Retrieved from: http://www.chkrootkit.org/

3. Bace, R., & Mell, P. (2001). NIST Special Publication 800-31: Intrusion Detection Systems. National Institute of Standards and Technology. Section 4.2.2 discusses signature-based detection, the method employed by chkrootkit, which involves searching for specific patterns or strings within files.