[GIAC] GIAC - GCIH Exam Dumps & Study Guide

Free [GIAC] GIAC - GCIH Practice Questions Preview

• Question 1

  Adam works as an Incident Handler for Umbrella Inc. He has been sent to the California unit to train the members of the incident response team. As a demo project he asked members of the incident response team to perform the following actions:
  ✑ Remove the network cable wires.
  ✑ Isolate the system on a separate VLAN
  ✑ Use a firewall or access lists to prevent communication into or out of the system.
  ✑ Change DNS entries to direct traffic away from compromised system
  Which of the following steps of the incident handling process includes the above actions?
  

  • A. Identification
  • B. Containment
  • C. Eradication
  • D. Recovery

  Correct Answer: B

  Explanation:

  I agree with the suggested answer B (Containment). The actions described are standard methods used to limit the scope and magnitude of an incident by preventing the spread of a threat or isolating a compromised system from the rest of the network.

  Reason

  The actions listed—physically disconnecting network cables, logically isolating via VLAN, implementing Firewall/ACL blocks, and rerouting DNS—are all classic strategies within the Containment phase of the SANS/GIAC Incident Handling methodology. The goal of this phase is to stop the bleeding and prevent the attacker from communicating with Command and Control (C2) servers or pivoting to other internal systems.

  Why the other options are not as suitable

  • Option A is incorrect because Identification involves detecting the incident, determining its scope, and confirming that an actual breach has occurred, rather than taking active steps to isolate systems.
  • Option C is incorrect because Eradication focuses on removing the root cause of the incident, such as deleting malware, disabling breached user accounts, and patching vulnerabilities after the system has already been contained.
  • Option D is incorrect because Recovery is the process of restoring systems to normal operation, verifying they are functional and secure, and returning them to the production environment.

  Citations

  • https://www.sans.org/white-papers/639/
  • https://www.giac.org/certifications/certified-incident-handler-gcih/

• Question 2

  Adam, a novice computer user, works primarily from home as a medical professional. He just bought a brand new Dual Core Pentium computer with over 3 GB of
  RAM. After about two months of working on his new computer, he notices that it is not running nearly as fast as it used to. Adam uses antivirus software, anti- spyware software, and keeps the computer up-to-date with Microsoft patches. After another month of working on the computer, Adam finds that his computer is even more noticeably slow. He also notices a window or two pop-up on his screen, but they quickly disappear. He has seen these windows show up, even when he has not been on the Internet. Adam notices that his computer only has about 10 GB of free space available. Since his hard drive is a 200 GB hard drive, Adam thinks this is very odd.
  Which of the following is the mostly likely the cause of the problem?
  

  • A. Computer is infected with the stealth kernel level rootkit.
  • B. Computer is infected with stealth virus.
  • C. Computer is infected with the Stealth Trojan Virus.
  • D. Computer is infected with the Self-Replication Worm.

  Correct Answer: A

  Explanation:

  I disagree with the community vote for Option D and agree with the suggested answer Option A. While self-replicating worms consume resources, the combination of stealth behavior (disappearing windows), persistence despite modern security patches and antivirus software, and the massive, unexplained consumption of 190 GB of hard drive space is a hallmark of a stealth kernel-level rootkit which can hide files and processes from the OS itself.

  Reason

  Option A is correct because a kernel-level rootkit operates with the highest privileges, allowing it to hide its presence from antivirus and anti-spyware software. The massive loss of disk space (190 GB) suggests the rootkit is hiding a large amount of data or a malicious payload that the operating system cannot 'see' or report correctly. The disappearing windows even when offline suggest a sophisticated local persistence mechanism designed to evade detection.

  Why the other options are not as suitable

  • Option B is incorrect because a stealth virus generally focuses on infecting files while hiding its size increase, but it rarely consumes hundreds of gigabytes of disk space or bypasses modern, fully patched antivirus suites as effectively as a rootkit.
  • Option C is incorrect because 'Stealth Trojan Virus' is a redundant and technically imprecise term; while a Trojan could be the delivery mechanism, the symptoms described (hiding massive disk usage and evading patches) point more specifically to rootkit functionality.
  • Option D is incorrect because while a Self-Replicating Worm can slow a system and fill a hard drive, its primary goal is network propagation; a worm would likely be detected by the antivirus software Adam uses, and it does not typically exhibit the 'stealth' behavior of disappearing windows associated with rootkit-level manipulation of the GUI.

  Citations

  • https://www.giac.org/certifications/certified-incident-handler-gcih
  • https://www.sans.org/white-papers/1149/

• Question 3

  Which of the following types of attacks is only intended to make a computer resource unavailable to its users?
  

  • A. Denial of Service attack
  • B. Replay attack
  • C. Teardrop attack
  • D. Land attack

  Correct Answer: A

  Explanation:

  I agree with the suggested answer A. A Denial of Service (DoS) attack is explicitly defined by its objective to exhaust resources and prevent legitimate users from accessing a service, whereas the other options describe specific technical methods that can lead to a DoS but are not the broad category requested by the question's definition.

  Reason

  Option A is correct because a Denial of Service attack is a general category of cyberattack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.

  Why the other options are not as suitable

  • Option B is incorrect because a Replay attack involves capturing a valid data transmission and retransmitting it later to gain unauthorized access or perform an unauthorized action, typically targeting authentication rather than availability.
  • Option C is incorrect because a Teardrop attack is a specific subtype of DoS that involves sending fragmented packets to a target machine; while it causes unavailability, it is a specific implementation rather than the general type defined in the prompt.
  • Option D is incorrect because a Land attack is a specific type of DoS where a spoofed TCP SYN packet is sent with the target's IP address as both source and destination, causing the machine to lock up; like Teardrop, it is a specific method rather than the broad definition of the attack's intent.

  Citations

  • https://www.giac.org/certifications/certified-incident-handler-gcih/
  • https://owasp.org/www-community/attacks/Denial_of_Service

• Question 4

  Which of the following types of attack can guess a hashed password?
  

  • A. Brute force attack
  • B. Evasion attack
  • C. Denial of Service attack
  • D. Teardrop attack

  Correct Answer: A

  Explanation:

  I agree with the suggested answer A. While specialized techniques like Rainbow Tables exist specifically for reversing hashes, Brute force attack is the only option provided that fundamentally functions by systematically guessing inputs to match a known hash.

  Reason

  Brute force attack is correct because it involves an attacker using automated tools to systematically guess every possible password combination, hashing each guess, and comparing it to the target hash until a match is found. In the context of GCIH and password cracking, this is a primary method for offline hash recovery.

  Why the other options are not as suitable

  • Option B is incorrect because an Evasion attack is a technique used to bypass security controls, such as Firewalls or IDS/IPS, rather than cracking password hashes.
  • Option C is incorrect because a Denial of Service (DoS) attack aims to disrupt the availability of a system or service by overwhelming it with traffic, not to steal or guess credentials.
  • Option D is incorrect because a Teardrop attack is a specific type of DoS attack that involves sending fragmented IP packets to a target machine to crash it, which has no relevance to password hashing or guessing.

  Citations

  • https://www.giac.org/certifications/certified-incident-handler-gcih/
  • https://www.sans.org/cyber-security-courses/hacker-tools-techniques-incident-handling/

• Question 5

  Which of the following is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, Bulletin board systems, and fax machines?
  

  • A. Demon dialing
  • B. Warkitting
  • C. War driving
  • D. Wardialing

  Correct Answer: D

  Explanation:

  I agree with the community choice of D. Wardialing. The question perfectly describes the classic reconnaissance technique of scanning phone lines to identify modems and remote access points.

  Reason

  Wardialing (Option D) is correct because it is the specific method of using a computer and a modem to dial a sequential or randomized list of telephone numbers to identify active data connections such as fax machines, BBS, or remote access servers. It was famously depicted in the film 'WarGames' and remains a foundational concept in legacy reconnaissance.

  Why the other options are not as suitable

  • Option A is incorrect because Demon dialing refers to repeatedly dialing a single busy phone number to get through as soon as it becomes available, rather than scanning a range of numbers.
  • Option B is incorrect because Warkitting is not a standard industry term, though it might be confused with rootkits or war-prefixing; it does not describe modem scanning.
  • Option C is incorrect because War driving involves searching for wireless (Wi-Fi) networks by moving around in a vehicle, using a computer and a wireless adapter rather than a modem and telephone lines.

  Citations

  • https://www.giac.org/certifications/certified-incident-handler-gcih/
  • https://www.sans.org/blog/what-is-wardialing/

• Question 6

  Network mapping provides a security testing team with a blueprint of the organization. Which of the following steps is NOT a part of manual network mapping?
  

  • A. Gathering private and public IP addresses
  • B. Collecting employees information
  • C. Banner grabbing
  • D. Performing Neotracerouting

  Correct Answer: B

  Explanation:

  I agree with the community and the suggested answer of Option B. Network mapping is specifically focused on identifying the technical topology, active hosts, and services within a network infrastructure; while collecting employee information is a critical part of Reconnaissance or Social Engineering, it does not constitute a technical mapping of the network itself.

  Reason

  Option B is correct because it is the only choice that does not involve discovering technical network infrastructure. Manual network mapping is the process of identifying nodes, connectivity, and protocols. Employee details (names, emails, titles) fall under organizational reconnaissance rather than the technical blueprinting of routers, switches, and IP address spaces.

  Why the other options are not as suitable

  • Option A is incorrect because gathering private and public IP addresses is a fundamental step in network mapping to identify the boundaries and internal addressing scheme of the target.
  • Option C is incorrect because Banner grabbing is a standard mapping technique used to identify the versions of services and operating systems running on discovered hosts.
  • Option D is incorrect because Neotracerouting (using tools like NeoTrace or advanced traceroute utilities) is used to visualize the path packets take through the network, which is essential for determining the logical layout and identifying gateway devices.

  Citations

  • https://www.giac.org/certifications/certified-incident-handler-gcih/
  • https://www.sans.org/cyber-security-courses/hacker-tools-techniques-incident-handling/

• Question 7

  Which of the following statements are true about tcp wrappers?
  Each correct answer represents a complete solution. (Choose all that apply.)
  

  • A. tcp wrapper provides access control, host address spoofing, client username lookups, etc.
  • B. When a user uses a TCP wrapper, the inetd daemon runs the wrapper program tcpd instead of running the server program directly.
  • C. tcp wrapper allows host or subnetwork IP addresses, names and/or ident query replies, to be used as tokens to filter for access control purposes.
  • D. tcp wrapper protects a Linux server from IP address spoofing.

  Correct Answer: ABC

  Explanation:

  I agree with the suggested answer ABC. TCP Wrappers (tcpd) provide host-based access control and logging for network services, but they operate at the application layer and cannot prevent low-level network attacks like IP spoofing.

  Reason

  Option A is correct because TCP Wrappers provide access control via hosts.allow and hosts.deny, log connection attempts (including basic protection against host address spoofing via DNS reverse lookups), and can perform ident lookups for client usernames. Option B is correct because in traditional configurations, the inetd or xinetd daemon is configured to execute tcpd, which then checks access permissions before handoff to the actual service daemon. Option C is correct because the tcpd logic allows for filtering based on specific IP addresses, subnetworks, hostnames, and ident query responses.

  Why the other options are not as suitable

  • Option D is incorrect because while TCP Wrappers can detect inconsistencies between a IP address and its DNS hostname (reverse lookup), they do not protect the server from IP address spoofing at the network layer; a sophisticated attacker can still bypass these checks if they control the routing or the source headers. Genuine protection against spoofing requires Ingress Filtering at the router level or iptables/nftables configurations.

  Citations

  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-tcp_wrappers_and_xinetd-tcp_wrappers
  • https://linux.die.net/man/8/tcpd

• Question 8

  John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He finds that the We-are- secure server is vulnerable to attacks. As a countermeasure, he suggests that the Network Administrator should remove the IPP printing capability from the server. He is suggesting this as a countermeasure against __________.
  

  • A. IIS buffer overflow
  • B. NetBIOS NULL session
  • C. SNMP enumeration
  • D. DNS zone transfer

  Correct Answer: A

  Explanation:

  I agree with the suggested answer A. The recommendation to remove Internet Printing Protocol (IPP) is a classic countermeasure for a specific IIS vulnerability (MS01-023) where the ISAPI extension used for printing was susceptible to a buffer overflow.

  Reason

  Option A is correct because the Internet Printing Protocol (IPP) implementation in Microsoft IIS 5.0 (msw3prt.dll) contained a critical buffer overflow vulnerability. An attacker could send a specially crafted HTTP request to the .printer extension to execute arbitrary code with SYSTEM privileges. Disabling or removing the IPP functionality is the primary countermeasure to eliminate this attack surface.

  Why the other options are not as suitable

  • Option B is incorrect because NetBIOS NULL sessions relate to anonymous access via TCP port 445 or 139 to enumerate shares and users; it is unrelated to IPP or web server printing extensions.
  • Option C is incorrect because SNMP enumeration involves querying network devices via UDP port 161 using community strings; while IPP might reveal printer status, 'removing capability' is specifically documented as a fix for the IIS overflow, not an SNMP mitigation.
  • Option D is incorrect because DNS zone transfers (AXFR) are used to replicate DNS databases between servers and are mitigated by restricting access to specific IP addresses, not by disabling web printing features.

  Citations

  • https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-023
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0241

• Question 9

  Which of the following applications is an example of a data-sending Trojan?
  

  • A. SubSeven
  • B. Senna Spy Generator
  • C. Firekiller 2000
  • D. eBlaster

  Correct Answer: D

  Explanation:

  I agree with the suggested answer D. In the context of the GCIH and general malware classification, eBlaster is specifically categorized as a data-sending Trojan because its primary function is to record user activity (keystrokes, emails, chats) and exfiltrate that data to a remote recipient via email.

  Reason

  eBlaster is the correct choice because it is a commercial-grade surveillance tool often classified as a Data-Sending Trojan. It operates by capturing sensitive information such as keystrokes, passwords, and screenshots, then automatically sending these logs to a pre-defined email address at regular intervals.

  Why the other options are not as suitable

  • Option A is incorrect because SubSeven is primarily classified as a Remote Access Trojan (RAT). While it can exfiltrate data, its core purpose is to provide full remote desktop control and administrative access to the attacker.
  • Option B is incorrect because Senna Spy Generator is a toolkit used to create or 'generate' Trojans rather than being the data-sending Trojan itself.
  • Option C is incorrect because Firekiller 2000 is a specialized utility designed to disable local security software, such as firewalls and antivirus programs, to pave the way for other malware; it does not function as a data-sending agent.

  Citations

  • https://www.giac.org/certifications/certified-incident-handler-gcih/
  • https://csrc.nist.gov/glossary/term/trojan_horse

• Question 10

  Which of the following are the primary goals of the incident handling team?
  Each correct answer represents a complete solution. (Choose all that apply.)
  

  • A. Freeze the scene.
  • B. Repair any damage caused by an incident.
  • C. Prevent any further damage.
  • D. Inform higher authorities.

  Correct Answer: ABC

  Explanation:

  I agree with the suggested answer ABC. According to GCIH and SANS methodology, the primary goals of incident handling are centered on containment, eradication, and recovery, which directly map to preventing further damage and repairing the environment. While forensic preservation (freezing the scene) is part of the process, informing higher authorities is a secondary communication task rather than a primary technical goal of the handling team.

  Reason

  Option A is correct because freezing the scene is a fundamental step in the Identification and Containment phases to ensure evidence is preserved for potential legal action or root cause analysis. Option B is correct because repairing damage is the core objective of the Recovery phase, where systems are restored to their original state. Option C is correct because preventing further damage is the primary definition of the Containment phase, which is critical to stop the 'bleeding' of data or system integrity.

  Why the other options are not as suitable

  • Option D is incorrect because informing higher authorities is considered a communication or reporting requirement rather than a primary goal of the incident handling process itself. While management must be kept in the loop, the team's immediate priority is the technical mitigation and restoration of the environment.

  Citations

  • https://www.sans.org/white-papers/639/
  • https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf