GCIH GIAC Practice Test Questions and Exam Dumps


Question 1

Adam works as an Incident Handler for Umbrella Inc. He has been sent to the California unit to train the members of the incident response team. As a demo project he asked members of the incident response team to perform the following actions:
✑ Remove the network cable wires.
✑ Isolate the system on a separate VLAN
✑ Use a firewall or access lists to prevent communication into or out of the system.
✑ Change DNS entries to direct traffic away from compromised system

Which of the following steps of the incident handling process includes the above actions?

A. Identification
B. Containment
C. Eradication
D. Recovery

Correct Answer: B

Explanation:

The incident handling process generally consists of the following key phases:

  1. Preparation

  2. Identification

  3. Containment

  4. Eradication

  5. Recovery

  6. Lessons Learned

Let’s break down what each phase includes and why the correct answer is Containment.

Identification:

This phase focuses on detecting and confirming that a security incident has occurred. Activities include:

  • Monitoring alerts and logs

  • Analyzing unusual behavior

  • Determining scope and nature of the incident

While crucial, no mitigation or disruption actions are taken during this phase — it’s purely for detection and confirmation.

Containment:

The primary goal here is to limit the spread and impact of the incident before it causes further damage. This is where the actions described in the question fall:

  • Removing network cable wires – Immediately severs connectivity to isolate the affected system.

  • Isolating the system on a separate VLAN – Segregates the affected machine to prevent lateral movement across the network.

  • Using firewalls or ACLs to restrict communication – Ensures the attacker cannot control the system remotely or exfiltrate data.

  • Changing DNS entries to redirect traffic – Prevents traffic from reaching malicious destinations or compromised systems.

These are classic containment tactics. They are used to quickly minimize the risk and exposure, giving responders time to investigate and move to eradication and recovery without risking further damage.

Eradication:

After containment, the next step is to remove the root cause of the attack:

  • Deleting malware

  • Disabling compromised accounts

  • Applying patches

  • Removing backdoors

The key distinction is that eradication is about cleanup, not about stopping the attack from spreading — that's containment’s role.

Recovery:

This step involves restoring systems to normal operation, which includes:

  • Reconnecting systems to the network

  • Restoring from clean backups

  • Monitoring for residual malicious activity

It happens after containment and eradication and is focused on bringing business operations back online safely.

The actions listed in the scenario — isolating the system, cutting off communication, and redirecting traffic — are all intended to contain the incident and prevent it from causing further harm. These are not detection (identification), cleanup (eradication), or restoration (recovery) activities, but direct containment actions.

Question 2

Adam, a novice computer user, works primarily from home as a medical professional. He just bought a brand new Dual Core Pentium computer with over 3 GB of RAM. After about two months of working on his new computer, he notices that it is not running nearly as fast as it used to. Adam uses antivirus software, anti-spyware software, and keeps the computer up-to-date with Microsoft patches. After another month of working on the computer, Adam finds that his computer is even more noticeably slow. He also notices a window or two pop up on his screen, but they quickly disappear. He has seen these windows show up even when he has not been on the Internet. Adam notices that his computer only has about 10 GB of free space available. Since his hard drive is 200 GB, Adam thinks this is very odd.

Which of the following is most likely the cause of the problem?

A. Computer is infected with the stealth kernel level rootkit.
B. Computer is infected with stealth virus.
C. Computer is infected with the Stealth Trojan Virus.
D. Computer is infected with the Self-Replication Worm.

Correct Answer: A

Explanation:

Adam’s computer is showing multiple signs of deep-level infection, and while he is taking all the “standard” precautions like using antivirus, anti-spyware tools, and regularly applying patches, the symptoms indicate a much more stealthy and sophisticated threat. Let’s break down the symptoms and how they align with the given options.

Key Observations:

  1. System Slowing Down Significantly Over Time
    This is a classic sign of resource exhaustion — often caused by malicious processes running in the background, such as bots, worms, or rootkits.

  2. Pop-up Windows That Quickly Disappear
    Indicates the presence of processes that run GUI interfaces briefly — possibly command-and-control connections, malware update scripts, or malicious code executions.

  3. Pop-ups Occur Even When Not Online
    Suggests that the malware resides and operates at a system level, not just through the browser or online activity.

  4. Hard Drive Losing a Massive Amount of Free Space (only 10 GB free from 200 GB)
    This could be due to:

    • Log files being stored by malware.

    • Malicious scripts constantly duplicating files or creating fake data.

    • Rootkits or worms installing components that bloat the storage.

Option Analysis:

A. Computer is infected with the stealth kernel level rootkit

Correct.
A kernel-level rootkit operates at the core of the operating system, inside the kernel and its system files, making it extremely difficult to detect using normal antivirus or anti-spyware tools. These rootkits can:

  • Hide processes, files, registry keys, and network activity.

  • Maintain long-term persistence.

  • Give attackers full control over a system.

  • Be responsible for massive hidden file creation, resulting in lost hard drive space.

  • Launch background scripts and even GUI programs (brief windows popping up).

  • Operate without requiring the user to be actively connected to the internet.

All of Adam’s symptoms align with this.

B. Computer is infected with stealth virus

Incorrect.
A stealth virus typically hides the effects of file changes by intercepting system calls, but it's not as deeply integrated as a rootkit. It also usually doesn't result in heavy system degradation or drastic storage loss by itself.

C. Computer is infected with the Stealth Trojan Virus

Incorrect.
A Trojan, while dangerous, typically presents as a single malicious application, often used for data theft or access. It may not explain the file space depletion or undetectable behavior, unless paired with a rootkit.

D. Computer is infected with the Self-Replication Worm

Incorrect.
A worm might replicate and consume storage, but most self-replicating worms are easily detected by antivirus software. Adam is already using up-to-date protection, which suggests the malware is operating below that detection layer — again pointing to a rootkit.

The most plausible and technically accurate cause of all these symptoms — extreme system slowness, unexplained pop-ups, stealthy persistence, and storage consumption despite protective software — is a kernel-level rootkit, which is extremely dangerous, hard to detect, and well-aligned with the scenario.

Question 3

Which of the following types of attacks is only intended to make a computer resource unavailable to its users?

A. Denial of Service attack
B. Replay attack
C. Teardrop attack
D. Land attack

Correct Answer: A

Explanation:

Cyberattacks come in various forms, targeting different layers and functions of systems. Some aim to steal information, others to compromise security, and some are simply designed to disrupt normal operations. The question specifically asks about an attack intended only to make a resource unavailable to its users, which is a strong hint toward attacks that disrupt availability — one of the core principles of cybersecurity known as CIA: Confidentiality, Integrity, and Availability.

Let’s analyze the options:

A. Denial of Service attack

Correct.
A Denial of Service (DoS) attack is designed specifically to make a computer, network, or service unavailable to its intended users. It does so by overwhelming the system with an excessive amount of traffic or data, exhausting its resources (such as memory, bandwidth, or processing power), and preventing legitimate users from accessing it.

  • Common targets: Web servers, DNS servers, online services, and network devices.

  • Variants: Distributed Denial of Service (DDoS), where multiple systems coordinate to launch the attack simultaneously, making it harder to block or trace.

The intent behind DoS attacks is not to steal data, but simply to disrupt service — which fits the question exactly.

B. Replay attack

Incorrect.
A replay attack is a type of network attack where valid data transmission is intercepted and retransmitted maliciously to trick the receiver into doing something unauthorized, such as reusing a login token.

  • Replay attacks target authentication protocols and often aim to gain access or impersonate users.

  • They do not aim to make systems unavailable but rather to exploit sessions or gain unauthorized access.

C. Teardrop attack

Incorrect.
A teardrop attack is a type of DoS attack, but more specifically it exploits a vulnerability in the TCP/IP fragmentation reassembly process. Malformed or overlapping IP fragments are sent to a system, and older systems that cannot handle these correctly crash or become unstable.

While this does result in denial of service, the question asks for the type of attack, not a specific method — and "teardrop" is an example within the broader category of DoS. Therefore, Denial of Service attack is the better, more general answer.

D. Land attack

Incorrect.
A Land attack is also a subtype of DoS attack. In a land attack, the attacker sends a spoofed packet with the same source and destination IP address, tricking the system into replying to itself, leading to confusion or resource exhaustion. Like the teardrop, it falls under the broader DoS category.

Again, while it fits the scenario of unavailability, "Denial of Service attack" is the type, and "Land attack" is a specific example.

  • Denial of Service is the type of attack aimed at making a system unavailable.

  • Teardrop and Land are specific implementations or examples of DoS attacks.

  • Replay attack does not cause unavailability but rather aims to impersonate or hijack communication.


Question 4

Which of the following types of attack can guess a hashed password?

A. Brute force attack
B. Evasion attack
C. Denial of Service attack
D. Teardrop attack

Correct Answer: A

Explanation:

In cybersecurity, one of the common protective measures for user credentials is to hash passwords, which means converting the plain-text password into a fixed-length, one-way digest. However, hashes are not foolproof — especially if weak hashing algorithms or weak passwords are used. Certain types of attacks are specifically aimed at guessing or cracking hashed passwords.

Let’s break down each of the answer options:

A. Brute force attack

Correct.
A brute force attack is a method where an attacker tries every possible combination of characters until the correct password or hash is found. If the password is hashed, the attacker may use a brute-force method to try and generate hashes from guessed inputs and compare them with the stolen hashed password.

  • This method can be very time-consuming, especially for complex or long passwords.

  • It's often used in combination with dictionary attacks, where common passwords are tried first.

  • Brute force attacks can be highly effective if:

    • Weak passwords are used.

    • Weak hashing algorithms like MD5 or SHA-1 are in place.

    • No salt (random data added to the password before hashing) is used.

In cases where the attacker has obtained a database of hashed passwords, brute force attacks are a primary tool for cracking them.

B. Evasion attack

Incorrect.
An evasion attack is typically used to bypass intrusion detection systems (IDS) or intrusion prevention systems (IPS). It is focused on avoiding detection rather than attempting to guess credentials or hashes.

  • It might involve breaking a payload into fragments, encoding it, or sending it in a way that evades pattern-matching systems.

  • This attack does not involve password guessing or hashing mechanisms.

C. Denial of Service attack

Incorrect.
A Denial of Service (DoS) attack aims to disrupt the availability of services by overwhelming the system with traffic or resource requests.

  • It does not involve guessing or cracking hashed passwords.

  • It's focused on availability, not confidentiality or authentication.

D. Teardrop attack

Incorrect.
A Teardrop attack is a specific form of DoS attack where fragmented packets with overlapping payloads are sent to a system, causing crashes or instability.

  • Like option C, this attack type focuses on system disruption and does not involve password hashes or credential compromise.

Additional Note:

When brute force attacks are used against hashed passwords, attackers often employ tools such as:

  • John the Ripper

  • Hashcat

  • RainbowCrack (uses precomputed hash lookup tables known as rainbow tables)

Modern systems use salting to protect against such attacks by ensuring that the same password does not generate the same hash across different users.

  • Brute force attacks are specifically designed to guess or crack passwords, including hashed ones.

  • Evasion, DoS, and Teardrop attacks do not relate to password guessing or hashes.
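The following Python is an added example, not code from the page or from any of the tools it names. It contrasts the weak scheme the explanation warns about (a single fast, unsalted SHA-1 digest) with a per-user salt plus a slow key derivation function, and shows why a precomputed lookup table cracks the first store and not the second. The wordlist and user records are constructed for the demonstration.

```python
import hashlib
import os

# Constructed wordlist standing in for an attacker's dictionary of common passwords.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]

# Constructed user database: two users chose the same weak password, one did not.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "correct horse"}

ITERATIONS = 50_000  # PBKDF2 work factor; real deployments tune this much higher


def unsalted_hash(password: str) -> str:
    """Weak scheme from the explanation: a fast, unsalted SHA-1 digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """Precomputed digest -> password table (the idea behind rainbow tables):
    computed once, then reused against every stolen digest."""
    return {unsalted_hash(w): w for w in words}


def table_lookup(stored_digest: str, table: dict):
    """Cracking an unsalted digest is a single dictionary lookup if it is in the table."""
    return table.get(stored_digest)


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Hardened scheme: a random per-user salt plus PBKDF2-HMAC-SHA256.
    The salt is stored next to the digest as 'salt_hex$digest_hex'."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password: str, stored: str, iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt; the salt is not secret, only unique."""
    salt_hex, _ = stored.split("$", 1)
    return salted_hash(password, bytes.fromhex(salt_hex), iterations) == stored


def build_unsalted_store() -> dict:
    return {user: unsalted_hash(pw) for user, pw in USERS.items()}


def build_salted_store() -> dict:
    return {user: salted_hash(pw, os.urandom(16)) for user, pw in USERS.items()}


def duplicate_digests(store: dict) -> bool:
    """True when two users share a digest, which leaks that they share a password."""
    return len(set(store.values())) < len(store)


def compare_stores() -> tuple:
    """Returns (unsalted_hits, salted_hits): how many records the precomputed
    table cracks in each store. Against the salted store the table is useless
    and every guess must be recomputed per user with the user's own salt."""
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted_hits = sum(1 for d in build_unsalted_store().values() if table_lookup(d, table))
    salted_hits = sum(1 for s in build_salted_store().values()
                      if table_lookup(s.split("$", 1)[1], table))
    return unsalted_hits, salted_hits


if __name__ == "__main__":
    print("table hits (unsalted, salted):", compare_stores())
    print("unsalted store reveals shared passwords:", duplicate_digests(build_unsalted_store()))
    print("salted store reveals shared passwords:", duplicate_digests(build_salted_store()))
```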


Question 5

In which of the following DoS attacks does an attacker send an ICMP packet larger than 65,536 bytes to the target system?

A. Ping of death
B. Jolt
C. Fraggle
D. Teardrop

Correct Answer: A

Explanation:

Denial of Service (DoS) attacks are designed to disrupt the availability of systems or networks. One such method involves exploiting vulnerabilities in the way systems handle oversized or malformed packets. Let's review the options with focus on the attack that involves sending oversized ICMP packets.

A. Ping of death

Correct.
The Ping of Death is a classic type of DoS attack that involves sending malformed or oversized ICMP packets to a target system. Normally, ICMP packets — like those used in the ping utility — are much smaller, typically 32 or 64 bytes in size. However:

  • In this attack, an ICMP packet larger than the maximum allowable size of 65,535 bytes is constructed.

  • Due to the IP protocol limitations, IP packets cannot exceed 65,535 bytes. Attackers circumvent this by fragmenting the oversized packet into smaller packets, which appear legitimate to routers and firewalls.

  • When the receiving system reassembles the fragments, the total size exceeds the IP limit, which can cause buffer overflows, crashes, freezes, or system reboots.

  • This attack was particularly effective on older operating systems like Windows 95, Windows NT, and Linux kernels from the 1990s, before patches were introduced.

Hence, the Ping of Death attack directly matches the description: sending ICMP packets larger than 65,536 bytes.

B. Jolt

Incorrect.
Jolt is another form of DoS attack, but it uses ICMP fragments with invalid headers, targeting Windows systems. It exploits a vulnerability in how systems handle fragmented ICMP packets, but it does not involve sending packets larger than 65,536 bytes. Instead, Jolt is more about sending rapid ICMP traffic with malformed fields.

C. Fraggle

Incorrect.
The Fraggle attack is a variation of the Smurf attack, and it uses UDP rather than ICMP. In a Fraggle attack:

  • The attacker sends UDP packets (often to port 7 — echo) with a spoofed source IP address (that of the victim) to a broadcast address.

  • All the systems in the broadcast domain respond to the victim, flooding it with traffic.

  • This attack overwhelms the target, but it has nothing to do with oversized packets.

D. Teardrop

Incorrect.
The Teardrop attack exploits vulnerabilities in how an operating system reassembles fragmented IP packets with overlapping offset fields.

  • When the system tries to reassemble the fragments, it encounters invalid offset values and may crash or become unstable.

  • This is different from sending oversized ICMP packets.

  • The Ping of Death involves sending ICMP packets larger than 65,535 bytes, violating the IP specification limit, leading to system crashes.

  • The other options — Jolt, Fraggle, and Teardrop — involve malformed or spoofed packets, but do not involve ICMP packet sizes exceeding 65,536 bytes.
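As an added example (not from the page), the following Python models the receiver-side check that separates the two fragmentation attacks discussed above: a reassembler that refuses any fragment ending past the 65,535-byte IP limit (Ping of Death) and any fragment that starts inside data already received (Teardrop). Fragments are represented as (offset, more_fragments, data) tuples and the `fragment` helper is a constructed stand-in for a sender splitting a datagram for a 1500-byte MTU.

```python
MAX_DATAGRAM = 65535            # 16-bit IP Total Length field: the hard ceiling on the wire
MAX_OFFSET = (2 ** 13 - 1) * 8  # 13-bit Fragment Offset field in 8-byte units: 65528


def fragment(payload: bytes, chunk: int = 1480) -> list:
    """Split an IP payload into (offset, more_fragments, data) tuples the way a
    sender would for a 1500-byte MTU (1480 payload bytes after the 20-byte header).
    Constructed helper; a real attacker-built oversized ping is just more chunks."""
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + len(piece) < len(payload)   # MF flag clear only on the last piece
        frags.append((off, more, piece))
    return frags


def reassemble(fragments) -> tuple:
    """Defensive reassembly. Returns (status, data) where status is one of:
      'ok'         - all fragments present, contiguous, within 65,535 bytes
      'oversized'  - a fragment would end past 65,535 bytes (Ping of Death)
      'overlap'    - a fragment starts inside data already received (Teardrop)
      'incomplete' - a gap remains or the last fragment (MF=0) has not arrived
    Fragments may arrive in any order; they are sorted by offset first.
    (A stricter stack also subtracts the 20-byte IP header from the limit.)"""
    buf = bytearray()
    expected = 0      # next byte offset we are prepared to accept
    total = None      # datagram length learned from the MF=0 fragment
    for offset, more, data in sorted(fragments, key=lambda f: f[0]):
        end = offset + len(data)
        if offset > MAX_OFFSET or end > MAX_DATAGRAM:
            return "oversized", None      # would overflow a fixed-size reassembly buffer
        if offset < expected:
            return "overlap", None        # overlapping offsets: the Teardrop pattern
        if offset > expected:
            return "incomplete", None     # hole; keep waiting (or time the datagram out)
        buf += data
        expected = end
        if not more:
            total = end
    if total is None or total != expected:
        return "incomplete", None
    return "ok", bytes(buf)


if __name__ == "__main__":
    print("normal 2960-byte ping:", reassemble(fragment(b"A" * 2960))[0])
    print("65,600-byte ping:     ", reassemble(fragment(b"A" * 65600))[0])
    print("overlapping fragments:", reassemble([(0, True, b"x" * 36), (24, False, b"y" * 4)])[0])
```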


Question 6

Adam has installed and configured his wireless network. He has enabled numerous security features such as changing the default SSID, enabling WPA encryption, and enabling MAC filtering on his wireless router. Adam notices that when he uses his wireless connection, the speed is sometimes 16 Mbps and sometimes it is only 8 Mbps or less. Adam connects to the wireless router's management utility and finds out that a machine with an unfamiliar name is connected through his wireless connection. Paul checks the router's logs and notices that the unfamiliar machine has the same MAC address as his laptop.

Which of the following attacks has occurred on Adam's wireless network?

A. NAT spoofing
B. DNS cache poisoning
C. MAC spoofing
D. ARP spoofing

Correct Answer: C

Explanation:

Adam has taken several prudent steps to secure his wireless network—such as changing the SSID, enabling WPA encryption, and applying MAC address filtering. However, the issue he's facing—an unfamiliar device connected to the network using the same MAC address as his laptop—indicates that an attacker has bypassed MAC filtering. Let's break down how this occurred and why MAC spoofing is the correct answer.

What is MAC Spoofing?

MAC spoofing is an attack where the attacker fakes (spoofs) the MAC address of another legitimate device on the network. In this case:

  • The attacker observed the MAC address of Adam’s laptop (e.g., through passive sniffing or a brief unauthorized connection).

  • The attacker then configured their own device to use the same MAC address as Adam’s laptop.

  • Since MAC filtering only checks MAC addresses (not device names or IPs), the attacker’s device was mistaken for Adam’s by the router and granted access.

This explains:

  • The fluctuating connection speed (two devices competing on the same MAC).

  • The unfamiliar device name using Adam’s MAC address in the router’s logs.

This is a classic symptom of MAC spoofing, where two devices share the same MAC, often resulting in network instability or connectivity issues.

Why the Other Options Are Incorrect:

A. NAT spoofing
This involves an attacker manipulating or mimicking Network Address Translation, usually on a gateway, to intercept or reroute traffic. It does not directly relate to MAC address duplication or impersonation on a local Wi-Fi network.

B. DNS cache poisoning
This is an attack on the DNS resolution system, where an attacker inserts malicious DNS entries into a system’s cache, leading to domain redirection. It would cause websites to resolve incorrectly, not MAC address conflicts or multiple devices on the same MAC.

D. ARP spoofing
ARP spoofing is a local network attack where the attacker sends forged ARP responses to associate their MAC address with the IP address of another device, enabling man-in-the-middle attacks. While it's related to local address resolution, it doesn't explain why a foreign device shows up with the same MAC address as Adam’s.

  • MAC spoofing allows an attacker to masquerade as a trusted device by copying its MAC address.

  • This bypasses MAC filtering and leads to authentication issues, reduced speed, or connection instability due to MAC address conflicts.

  • Adam’s security measures are solid but insufficient to stop MAC spoofing, which is why additional protections like 802.1X authentication are often recommended.
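The router-log symptom in the question, one MAC address showing up under two hostnames and two IP addresses, can be checked mechanically. The following Python is an added example, not from the page; the log format and the entries in `SAMPLE_LOG` are constructed for it, so the regular expression would need adjusting to a real router's format.

```python
import re
from collections import defaultdict

# Constructed router log excerpt (the format is invented for this example).
SAMPLE_LOG = """\
2024-05-01 09:58:01 WLAN assoc mac=AA:BB:CC:DD:EE:01 host=adams-laptop ip=192.168.1.23
2024-05-01 10:02:13 DHCP lease mac=AA:BB:CC:DD:EE:02 host=adams-phone ip=192.168.1.24
2024-05-01 10:15:40 WLAN assoc mac=aa:bb:cc:dd:ee:01 host=DESKTOP-7Q2X ip=192.168.1.57
2024-05-01 10:15:41 DHCP lease mac=AA:BB:CC:DD:EE:01 host=DESKTOP-7Q2X ip=192.168.1.57
2024-05-01 10:20:05 WLAN assoc mac=AA:BB:CC:DD:EE:01 host=adams-laptop ip=192.168.1.23
"""

LINE_RE = re.compile(r"mac=(?P<mac>[0-9A-Fa-f:]{17})\s+host=(?P<host>\S+)\s+ip=(?P<ip>\S+)")


def parse(lines):
    """Yield (mac, hostname, ip) per matching line; MACs are normalised to lower case
    so that 'AA:BB:...' and 'aa:bb:...' are treated as the same address."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["mac"].lower(), m["host"], m["ip"]


def find_mac_conflicts(log_text: str) -> dict:
    """Map each MAC seen with more than one hostname or more than one IP to
    everything it was seen with. Two devices sharing a MAC (spoofing) will
    show up here; so will a legitimately renamed or dual-boot machine."""
    seen = defaultdict(lambda: {"hostnames": set(), "ips": set()})
    for mac, host, ip in parse(log_text.splitlines()):
        seen[mac]["hostnames"].add(host)
        seen[mac]["ips"].add(ip)
    return {mac: v for mac, v in seen.items()
            if len(v["hostnames"]) > 1 or len(v["ips"]) > 1}


def flap_count(log_text: str, mac: str) -> int:
    """How many times the hostname changed between consecutive entries for this MAC.
    A MAC that keeps alternating between two names is two devices fighting over
    one identity, which matches the fluctuating speed Adam observed."""
    hosts = [h for m, h, _ in parse(log_text.splitlines()) if m == mac.lower()]
    return sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)


if __name__ == "__main__":
    for mac, info in find_mac_conflicts(SAMPLE_LOG).items():
        print(mac, sorted(info["hostnames"]), sorted(info["ips"]),
              "flaps:", flap_count(SAMPLE_LOG, mac))
```

Treat a hit as a lead rather than proof: confirm on the device that owns the MAC, and note that MAC filtering cannot prevent this, only network-level authentication such as 802.1X can.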

Question 7

Which of the following is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, Bulletin board systems, and fax machines?

A. Demon dialing
B. Warkitting
C. War driving
D. Wardialing

Correct Answer: D. Wardialing

Explanation:

Wardialing is a technique used to search for computers, modems, bulletin board systems (BBS), fax machines, and other devices by dialing a list of telephone numbers automatically. The term originated from the movie WarGames (1983), where the protagonist used a modem to dial numbers in order to find potential systems to access.

Why the other answers are incorrect:

  • A. Demon dialing – This term isn't widely used in the context of hacking or scanning. It might be confused with "Wardialing" but is not the correct term in this case.

  • B. Warkitting – This refers to the act of using a computer or mobile device to search for wireless networks while driving, usually with tools like Wi-Fi scanners. It's not related to dialing telephone numbers.

  • C. War driving – This involves searching for Wi-Fi networks while moving around, typically in a car. It’s similar to "warkitting" but specifically related to Wi-Fi networks, not telephone dialing.

Wardialing is the correct term used for the process of dialing a series of phone numbers automatically to find and connect to different systems, like modems or BBS.

Question 8

Network mapping provides a security testing team with a blueprint of the organization. Which of the following steps is NOT a part of manual network mapping?

A. Gathering private and public IP addresses
B. Collecting employees information
C. Banner grabbing
D. Performing Neotracerouting

Correct Answer: B. Collecting employees information

Explanation:

Manual network mapping involves creating a diagram of the organization's network to understand the structure, vulnerabilities, and points of access. The steps in manual network mapping typically include identifying systems, IP addresses, and services, as well as discovering network topology.

Here is how each option fits:

  • A. Gathering private and public IP addresses – This is part of network mapping. Identifying both private and public IP addresses helps the security team understand the network layout and which systems are exposed to external networks.

  • C. Banner grabbing – This is a technique used during network mapping to gather information about services running on a remote system. It involves connecting to a service (like a web server or FTP server) and collecting its response banner, which often contains version numbers and other valuable details.

  • D. Performing Neotracerouting – This is a tool or technique that can be used to map network paths and measure latency, which is part of network mapping. It helps identify the routing and points of access between different network segments.

  • B. Collecting employees information – This is NOT typically part of network mapping. While employee information might be useful in social engineering or targeting specific personnel, it doesn’t directly relate to mapping out a network’s physical or logical structure.

Collecting employee information is not part of manual network mapping. The focus of network mapping is on identifying network components, such as IP addresses, systems, and services, rather than gathering personal information about employees.

Question 9

Which of the following statements are true about tcp wrappers? Each correct answer represents a complete solution. (Choose all that apply.)

A. tcp wrapper provides access control, host address spoofing, client username lookups, etc.
B. When a user uses a TCP wrapper, the inetd daemon runs the wrapper program tcpd instead of running the server program directly.
C. tcp wrapper allows host or subnetwork IP addresses, names and/or ident query replies, to be used as tokens to filter for access control purposes.
D. tcp wrapper protects a Linux server from IP address spoofing.

Correct Answers:

A. tcp wrapper provides access control, host address spoofing, client username lookups, etc.
B. When a user uses a TCP wrapper, the inetd daemon runs the wrapper program tcpd instead of running the server program directly.
C. tcp wrapper allows host or subnetwork IP addresses, names and/or ident query replies, to be used as tokens to filter for access control purposes.

Explanation:

  • A. tcp wrapper provides access control, host address spoofing, client username lookups, etc.

    • This is correct. tcp wrappers help with access control based on the client IP address, hostname, and usernames. They can also provide logging and allow filtering of access based on these criteria.

  • B. When a user uses a TCP wrapper, the inetd daemon runs the wrapper program tcpd instead of running the server program directly.

    • This is correct. The inetd (Internet Daemon) is responsible for starting network services on demand. When inetd is configured to use tcp wrappers, it invokes the tcpd wrapper program first, which checks the access control lists (ACLs) before invoking the actual server program. This adds an extra layer of security.

  • C. tcp wrapper allows host or subnetwork IP addresses, names and/or ident query replies, to be used as tokens to filter for access control purposes.

    • This is correct. tcp wrappers can filter access based on the IP address or hostname (using DNS lookups), and even the ident service, which returns information about the user trying to connect. This allows for flexible access control.

  • D. tcp wrapper protects a Linux server from IP address spoofing.

    • This is incorrect. tcp wrappers themselves do not specifically protect against IP address spoofing. They can filter access based on IP addresses, but they don’t provide protection against spoofing attacks. For IP spoofing prevention, other mechanisms like firewalls, anti-spoofing filters, and network intrusion detection systems (NIDS) would be necessary.

  • True Statements:

    • A, B, and C are correct.

    • D is incorrect because tcp wrappers do not prevent IP address spoofing directly.
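To make the token-matching behaviour in statements B and C concrete, the following Python is an added example that models how tcpd evaluates hosts.allow and hosts.deny (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise allow). It is a simplified model written for this page, not libwrap itself: the rule strings use the real daemon_list : client_list syntax, but the rule sets, hostnames and addresses are constructed. Note in the code why statement D is false: IP tokens trust the packet's source address and user@host tokens trust the client's own ident reply.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Client:
    ip: str
    hostname: str = ""     # "" when reverse DNS failed (tcpd's UNKNOWN)
    ident_user: str = ""   # "" when the client's ident service gave no reply


def match_host(token: str, c: Client) -> bool:
    """One host-style token from a client list, following hosts_access(5) conventions.
    Every branch trusts the source IP or the client's DNS name; none of them can
    tell a spoofed address from a real one (why statement D is false)."""
    if token == "ALL":
        return True
    if token == "LOCAL":                      # hostname with no dot in it
        return c.hostname != "" and "." not in c.hostname
    if token == "KNOWN":
        return c.hostname != ""
    if token == "UNKNOWN":
        return c.hostname == ""
    if token.startswith("."):                 # domain suffix, e.g. .example.com
        return c.hostname.lower().endswith(token.lower())
    if token.endswith("."):                   # network prefix, e.g. 192.168.1.
        return c.ip.startswith(token)
    if "/" in token:                          # net/mask, e.g. 192.168.1.0/255.255.255.0
        net, mask = token.split("/", 1)
        return ipaddress.ip_address(c.ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return token == c.ip or token.lower() == c.hostname.lower()


def match_client(token: str, c: Client) -> bool:
    """user@host consults the ident reply, which the client itself supplies."""
    if "@" in token:
        user, host = token.split("@", 1)
        return (user == "ALL" or user == c.ident_user) and match_host(host, c)
    return match_host(token, c)


def match_list(spec: str, subject, matcher) -> bool:
    """'a b EXCEPT c' matches when any of a, b matches and c does not."""
    if " EXCEPT " in spec:
        left, right = spec.split(" EXCEPT ", 1)
        return match_list(left, subject, matcher) and not match_list(right, subject, matcher)
    return any(matcher(tok, subject) for tok in spec.split())


def match_daemon(token: str, daemon: str) -> bool:
    return token == "ALL" or token == daemon


def rule_matches(rule: str, daemon: str, c: Client) -> bool:
    daemons, clients = [part.strip() for part in rule.split(":", 1)]
    return match_list(daemons, daemon, match_daemon) and match_list(clients, c, match_client)


def hosts_access(daemon: str, c: Client, allow: list, deny: list) -> tuple:
    """tcpd's decision order. Returns (granted, matching_rule_or_None)."""
    for rule in allow:
        if rule_matches(rule, daemon, c):
            return True, rule
    for rule in deny:
        if rule_matches(rule, daemon, c):
            return False, rule
    return True, None          # matches neither file: access is allowed


# Constructed rule sets in hosts.allow / hosts.deny syntax (daemon_list : client_list).
HOSTS_ALLOW = [
    "sshd : 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.99",
    "in.ftpd : .example.com",
    "in.telnetd : adam@LOCAL",
    "ALL : 127.0.0.1",
]
HOSTS_DENY = ["ALL : ALL"]     # the usual default-deny catch-all


def decide(daemon: str, ip: str, hostname: str = "", ident_user: str = "") -> tuple:
    return hosts_access(daemon, Client(ip, hostname, ident_user), HOSTS_ALLOW, HOSTS_DENY)


if __name__ == "__main__":
    print(decide("sshd", "192.168.1.10", "ws10"))
    print(decide("sshd", "192.168.1.99", "ws99"))
    print(decide("in.telnetd", "192.168.1.20", "ws20", "guest"))
```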


Question 10

Which of the following types of attacks is the result of vulnerabilities in a program due to poor programming techniques?

A. Evasion attack
B. Denial-of-Service (DoS) attack
C. Ping of death attack
D. Buffer overflow attack

Correct Answer: D. Buffer overflow attack

Explanation:

  • A. Evasion attack

    • Evasion attacks typically involve bypassing security measures or detection systems using techniques like encryption, obfuscation, or fragmentation. These attacks don't stem from poor programming techniques directly.

  • B. Denial-of-Service (DoS) attack

    • A DoS attack is designed to make a system or service unavailable by overwhelming it with excessive requests or traffic. While certain vulnerabilities may be exploited during a DoS attack, it’s not typically a result of poor programming techniques.

  • C. Ping of death attack

    • The Ping of Death is a DoS attack that involves sending a maliciously crafted ICMP (ping) packet that exceeds the allowed size, causing a system to crash. While it exploited buffer-related vulnerabilities, it's specifically a type of DoS attack, and not directly related to programming flaws in modern systems.

  • D. Buffer overflow attack

    • A buffer overflow attack occurs when a program allows more data to be written to a buffer (a temporary data storage area) than it can handle, causing the program to overwrite adjacent memory. This type of attack is the direct result of poor programming techniques, such as not properly validating input sizes, and it can be exploited to execute arbitrary code or gain unauthorized access to a system.

  • Buffer overflow attacks are typically caused by poor programming techniques where memory handling is not adequately controlled, making it the correct answer.

