GSNA GIAC Systems and Network Auditor Free Practice Exam Questions (2025 Updated)

Secure Sockets Layer (SSL) is a protocol used to transmit private documents via the Internet. SSL uses a combination of public key and symmetric encryption to provide communication privacy, authentication, and message integrity. Using the SSL protocol, clients and servers can communicate in a way that prevents eavesdropping and tampering of data on the Internet. Many Web sites use the SSL protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:. By default, SSL uses port 443 for secured communication. For a SSL connection between a Web browser and Web server, you must enter https, for example, "https://www.vzen.com ", instead of http as the protocol type in the URL. This will instruct the Web browser to use a different port for communication. SSL uses TCP port 443 for communication.

In the pre-attack phase, there are seven steps, which have been defined by the EC-Council, as follows: 1.Information gathering 2.Determining network range 3.Identifying active machines 4.Finding open ports and applications 5.OS fingerprinting 6.Fingerprinting services 7.Mapping the network Answer: C is incorrect. In the enumeration phase, the attacker gathers information such as the network user and group names, routing tables, and Simple Network Management Protocol (SNMP) data. The techniques used in this phase are as follows: 1.Obtaining Active Directory information and identifying vulnerable user accounts 2.Discovering NetBIOS names 3.Employing Windows DNS queries 4.Establishing NULL sessions and queries

David system is a network management system that allows a user to manage the resources and services through both Intranet and Internet. It provides auto-discovering and network topology building features to facilitate in keeping an intuitive view of the IT infrastructure. The resources, real-time monitoring, and accessibility of historical data facilitate reaction to failures. Configured interfaces for monitored devices permit a user to focus on the most important aspects of their work. Answer: B is incorrect. dopplerVUe is a network management tool that facilitates network discovery, mapping, alerts and alarm management, and bandwidth management system. It enables monitoring of Ping, SNMP, syslog, and WMI performance metrics. It can also be used to monitor IPv6 devices, as well as services such as DNS, http, and email. Answer: A is incorrect. eBox is an open source distribution and web development framework. This framework is used to manage server application configuration. It is based on Ubuntu Linux. It is projected to manage services in a computer network. The modular design of eBox allows a user to pick and choose the services. Answer: D is incorrect. EM7 is a network monitoring system that is used to measure IT infrastructure health and performance. It is an NMS integrated system. It is designed to help in optimizing the performance and availability of the networks, systems, and applications. It facilitates trouble-ticketing, event management, reporting, IP management, DNS, and monitoring.

The IDLE scan is initiated with the IP address of a third party. Hence, it becomes a stealth scan. Since the IDLE scan uses the IP address of a third party, it becomes quite impossible to detect the hacker. Answer: B is incorrect. The RPC (Remote Procedure Call) scan is used to find the RPC applications. After getting the RPC application port with the help of another port scanner, RPC port scanner sends a null RPC packet to all the RPC service ports, which are open into the target system. Answer: A is incorrect. In UDP port scanning, a UDP packet is sent to each port of the target system. If the remote port is closed, the server replies that the remote port is unreachable. If the remote Port is open, no such error is generated. Many firewalls block the TCP port scanning, at that time the UDP port scanning may be useful. Certain IDS and firewalls can detect UDP port scanning easily. Answer: D is incorrect. TCP SYN scanning is also known as half-open scanning because in this a full TCP connection is never opened. The steps of TCP SYN scanning are as follows:

1. The attacker sends SYN packet to the target port.

2. If the port is open, the attacker receives SYN/ACK message.

3. Now the attacker breaks the connection by sending an RST packet.

4. If the RST packet is received, it indicates that the port is closed. This type of scanning is hard to trace because the attacker never establishes a full 3-way handshake connection and most sites do not create a log of incomplete TCP connections.

Firewall logs will show all incoming and outgoing traffic. By examining those logs you can detect anomalous traffic, which can indicate the presence of malicious code such as rootkits. Answer: B is incorrect. While an IDS might be the most obvious solution in this scenario, it is not the only one. Answer: C is incorrect. It is very unlikely that anything in your domain controller logs will show the presence of a rootkit, unless that rootkit is on the domain controller itself. Answer: A is incorrect. A DMZ is an excellent firewall configuration but will not aid in detecting rootkits.

You took 3 seconds to establish a connection. During this time, the value of the Initial Sequence Number would become [24171311 + (1 * 64000) + (3 * 128000)], i.e., 24619311.

The MARGINHEIGHT and MARGINWIDTH attributes are used in the tag to adjust the top and left margins of a Web page to be displayed in Netscape Navigator. Specifying MARGINHEIGHT="0" and MARGINWIDTH="0" within the tag will create a borderless page structure when viewed in Netscape Navigator. Answer: D is incorrect. The TOPMARGIN and LEFTMARGIN attributes are used in the tag to adjust the top and left margins of a Web page to be displayed in Internet Explorer. Specifying TOPMARGIN="0" and LEFTMARGIN="0" within the tag will create a borderless page structure when viewed in Internet Explorer. Answer: C is incorrect. These attributes are used to adjust margins and not to delete text from margins.

A user can hide his identity using any firewall (such as IPChains), a proxy server, or an anonymizer.

According to the network diagram, the IP address range used on the network is from the class C private address range. The class C IP address uses the following default subnet mask: 255.255.255.0 The question specifies that the subnet mask used in Host B is 255.255.0.0, which is an incorrect subnet mask.

According to the scenario, you have enabled system message logging (syslog) service on all the routers that are currently working in the network. If you want to store all the repots, important error and notification messages sent by the routers, you can store all of these in the buffer, console, syslog server, and tty lines. You can use buffer, if you want to store syslog messages for later analysis of the network. Buffer is the memory of the router. The syslog messages that you have stored in the buffer are later available for the network analysis until the router is rebooted. You can use console port of the routers to send syslog messages to the attached terminal. You can also use vty and tty lines to send syslog messages to the remote terminal. However, the messages send through the console, vty, and tty lines are not later available for network analysis. You can use syslog server to store all the reports, and important error and notification messages. It is the best option to store all these because it is easy to configure a syslog server and you can store a large volume of logs. Note: If you have configured to run an SNMP agent, the routers send all the reports, and important error and messages in the form of SNMP traps to an SNMP server. Using this you can store the reports and messages for a long period of time. Answer: A is incorrect. You cannot store syslog messages in the auxiliary line.

A demilitarized zone (DMZ) is the most secure place to host a server that will be accessed publicly through the Internet. Demilitarized zone (DMZ) or perimeter network is a small network that lies in between the Internet and a private network. It is the boundary between the Internet and an internal network, usually a combination of firewalls and bastion hosts that are gateways between inside networks and outside networks. DMZ provides a large enterprise network or corporate network the ability to use the Internet while still maintaining its security. Answer: B is incorrect. Hosting a server on the intranet for public access will not be good from a security point of view.

The routing table displays various RIP and Connected routes. There is no routing entry for 10.10.100.0/24, but there is a default route in the routing table using 172.18.1.1 as the next hop router. Given that 10.10.100.0/24 does not have a direct entry in the routing table, RouterA will forward traffic to the default route next hop address of 172.18.1.1. Answer: A is incorrect. The address does not appear in the routing table as a next hop router, in addition to being an actual subnet number for 192.168.10.0/24. Answer: C is incorrect. 172.18.50.1 is the next hop for reaching 192.168.11.0. Answer: B is incorrect. 172.18.60.1 is the next hop for reaching 192.168.12.0.

MAC filtering is a security access control technique that allows specific network devices to access, or prevents them from accessing, the network. MAC filtering can also be used on a wireless network to prevent certain network devices from accessing the wireless network. MAC addresses are allocated only to hardware devices, not to persons.

With either encryption method (WEP or WPA) you can give the password to customers who need it, and even change it frequently (daily if you like). So this won't be an inconvenience for customers.

Whois queries are used to determine the IP address ranges associated with clients. A whois query can be run on most UNIX environments. In a Windows environment, the tools such as WsPingPro and Sam Spade can be used to perform whois queries. Whois queries can also be executed over the Web from www.arin.net and www.networksolutions.com. Answer: B is incorrect. A SQL injection attack is a process in which an attacker tries to execute unauthorized SQL statements. These statements can be used to delete data from a database, delete database objects such as tables, views, stored procedures, etc. An attacker can either directly enter the code into input variables or insert malicious code in strings that can be stored in a database. For example, the following line of code illustrates one form of SQL injection attack: query = "SELECT * FROM users WHERE name = '" + userName + "';" This SQL code is designed to fetch the records of any specified username from its table of users. However, if the "userName" variable is crafted in a specific way by a malicious hacker, the SQL statement may do more than the code author intended. For example, if the attacker puts the "userName" value as ' or ''=', the SQL statement will now be as follows: SELECT * FROM users WHERE name = '' OR ''=''; Answer: D is incorrect. Web ripping is a technique in which the attacker copies the whole structure of a Web site to the local disk and obtains all files of the Web site. Web ripping helps an attacker to trace the loopholes of the Web site. Answer: C is incorrect. Snooping is an activity of observing the content that appears on a computer monitor or watching what a user is typing. Snooping also occurs by using software programs to remotely monitor activity on a computer or network device. Hackers or attackers use snooping techniques and equipment such as keyloggers to monitor keystrokes, capture passwords and login information, and to intercept e-mail and other private communications. Sometimes, organizations also snoop their employees legitimately to monitor their use of organizations' computers and track Internet usage.

A Cisco router can have multiple connections to networks. These connections are known as interfaces for Cisco Routers. For naming each interface, Cisco generally uses the type of interface as part of the name. Following are some of the naming conventions of Cisco Router interfaces: An Ethernet interface that is fast always starts with an F. An interface connected to a serial connection always starts with an S. An interface connected to an Ethernet segment of the network always starts with an E. An interface connected to a Token Ring segment always starts with To.

The cat data.txt.* command will display both the splitted files, and the > command will redirect the output into a new data.txt file.

A null session is an anonymous connection to a freely accessible network share called IPC$ on Windows-based servers. It allows immediate read and write access with Windows NT/2000 and read-access with Windows XP and 2003. The command to be inserted at the DOS-prompt is as follows: net use \\IP address_or_host name\ipc$ "" "/user:" net use Port numbers 139 TCP and 445 UDP can be used to start a NULL session attack.

In Unix, the /etc/securetty file is used to identify the secure terminals from where the root can be allowed to log in. Answer: B is incorrect. In Unix, the /etc/ioports file shows which I/O ports are in use at the moment. Answer: A is incorrect. In Unix, the /etc/services file is the configuration file that lists the network services that the system supports. Answer: C is incorrect. In Unix, the /proc/interrupts file is the configuration file that shows the interrupts in use and how many of each there has been.