CompTIA Security+ Question L-67

The systems administrator notices that many employees are using passwords that can be easily guessed or are susceptible to brute force attacks. Which of the following would BEST mitigate this risk?

A. Enforce password rules requiring complexity.
B. Shorten the maximum life of account passwords.
C. Increase the minimum password length.
D. Enforce account lockout policies.

Answer: A

Explanation:
Password complexity rules typically require characters from at least three of the four standard character classes (uppercase letters, lowercase letters, digits and symbols). The larger the alphabet a password draws on, and the longer the password, the larger the keyspace an attacker has to search, so a long password with some character complexity is far more resistant to guessing and brute force attacks than a short single-class one.
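As an added example (not part of the original question set), the following Python checks a password against a three-of-four complexity rule and a minimum length, and sizes the keyspace an exhaustive attacker has to cover. The policy values MIN_LENGTH and MIN_CLASSES are assumptions for this example, not figures from the page; the keyspace figure assumes the attacker already knows which character classes are in use, which is the conservative case.

```python
import math
import string

# Constructed policy values, assumed for this example rather than taken from the page.
MIN_LENGTH = 12
MIN_CLASSES = 3  # characters from at least three of the four standard classes

CLASSES = {
    "upper": set(string.ascii_uppercase),   # 26 characters
    "lower": set(string.ascii_lowercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def character_classes(password: str) -> set:
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password: str) -> bool:
    """Length plus three-of-four complexity, as a password filter would enforce it."""
    return len(password) >= MIN_LENGTH and len(character_classes(password)) >= MIN_CLASSES


def brute_force_keyspace(password: str) -> int:
    """Number of guesses an exhaustive attacker who knows the classes in use must cover."""
    alphabet = sum(len(CLASSES[name]) for name in character_classes(password))
    return alphabet ** len(password) if alphabet else 0


def keyspace_bits(password: str) -> float:
    """Same keyspace expressed in bits, the usual way to compare password strength."""
    keyspace = brute_force_keyspace(password)
    return math.log2(keyspace) if keyspace else 0.0
```

Comparing keyspace_bits for a 16-character lowercase password with an 8-character all-class password shows why length belongs alongside complexity: 16 lowercase characters (about 75 bits) outweigh 8 characters drawn from all 94 (about 52 bits).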

CompTIA Security+ Question K-57

The information security team does a presentation on social media and advises the participants not to provide too much personal information on social media web sites. This advice would BEST protect people from which of the following?

A. Rainbow tables attacks
B. Brute force attacks
C. Birthday attacks
D. Cognitive passwords attacks

Answer: D

Explanation:
The dangers of social networking are amplified because social media platforms are designed to mass-distribute personal messages. If an employee reveals too much personal information, a malicious actor can mine those posts both for likely passwords and for the answers to cognitive (knowledge-based) password questions such as a pet's name, a first school or a mother's maiden name.

CompTIA Security+ Question J-52

Which of the following application security principles involves inputting random data into a program?

A. Brute force attack
B. Sniffing
C. Fuzzing
D. Buffer overflow

Answer: C

Explanation:
Fuzzing is a software testing technique that feeds invalid, unexpected or random data to a program as input. The program is then monitored for exceptions such as crashes, failing built-in code assertions or memory leaks, any of which points to an input-handling bug that an attacker could trigger deliberately.
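The following Python is an added example, not code from the question set, of a minimal mutation fuzzer. parse_record is a constructed target that is supposed to reject bad input with ValueError but carries a planted bounds bug; the fuzzer mutates valid seed inputs (overwrite, insert, delete, truncate), runs the target, treats ValueError as a clean rejection and records any other exception type as a finding together with the input that reproduces it. The record format, seeds and iteration count are assumptions for this example.

```python
import random


def parse_record(data: bytes) -> tuple:
    """Constructed target under test. Format: b'LEN:NAME=VALUE;' where LEN counts every
    byte after the colon. Malformed input should raise ValueError. The planted bug trusts
    the declared length without a bounds check, so an oversized LEN indexes past the end
    of the buffer and surfaces as an IndexError instead of a clean rejection."""
    if b":" not in data:
        raise ValueError("missing length prefix")
    length_str, rest = data.split(b":", 1)
    if not length_str.isdigit():
        raise ValueError("length prefix is not numeric")
    length = int(length_str)
    if rest[length - 1] != ord(";"):                  # planted bug: no check that length <= len(rest)
        raise ValueError("record not terminated")
    name, value = rest[: length - 1].split(b"=", 1)   # ValueError when '=' is missing (expected)
    return name, value


EXPECTED_REJECTIONS = (ValueError,)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to three random byte-level mutations to a seed input."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0 and buf:                                    # overwrite a byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 1:                                          # insert a byte
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == 2 and buf:                                  # delete a byte
            del buf[rng.randrange(len(buf))]
        elif op == 3 and buf:                                  # truncate
            del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def run_once(data: bytes):
    """None when the target accepts or cleanly rejects the input; otherwise the name of the
    unexpected exception type, which is what the fuzzer is hunting for."""
    try:
        parse_record(data)
    except EXPECTED_REJECTIONS:
        return None
    except Exception as exc:           # crash-equivalent: the target did not handle the input
        return type(exc).__name__
    return None


def fuzz(seeds, iterations=2000, seed=1):
    """Mutate the seeds repeatedly; keep the first reproducer for each crash type found."""
    rng = random.Random(seed)          # fixed seed so a run is reproducible
    findings = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        kind = run_once(candidate)
        if kind and kind not in findings:
            findings[kind] = candidate
    return findings


if __name__ == "__main__":
    for kind, reproducer in fuzz([b"9:name=val;", b"4:a=b;"]).items():
        print(kind, reproducer)
```

Truncating a seed after the colon, or inserting a digit in front of the length, is enough to reach the planted bug, so the fuzzer finds an IndexError within a handful of iterations; in a real harness the reproducer would be saved and the target run under a memory checker, since in native code the same class of bug is a memory read past the buffer rather than a Python exception.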

CompTIA Security+ Question H-18

Which of the following can be used by a security administrator to successfully recover a user’s forgotten password on a password protected file?

A. Cognitive password
B. Password sniffing
C. Brute force
D. Social engineering

Answer: C

Explanation:
One way to recover a user’s forgotten password on a password protected file is to guess it. A brute force attack is an automated attempt to open the file by using many different passwords.

A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization’s network security. A brute force attack may also be referred to as brute force cracking. For example, a form of brute force attack known as a dictionary attack might try all the words in a dictionary. Other forms of brute force attack might try commonly-used passwords or combinations of letters and numbers. An attack of this nature can be time- and resource-consuming. Hence the name “brute force attack;” success is usually based on computing power and the number of combinations tried rather than an ingenious algorithm.
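As an added example (not from the question set), the Python below runs the guessing strategies just described against a password-protected file, cheapest first: plain dictionary words, then hybrid variants with digits added to the words, then exhaustive brute force of digit PINs. The "file" is a constructed stand-in: it stores a salt and a PBKDF2 verifier and opens when a candidate password reproduces that verifier; the round count, salt and wordlist are assumptions for this example and do not describe any particular archive format.

```python
import hashlib
import hmac
import itertools
import string

# Constructed stand-in for a file format's password check: the "file" stores a salt and a
# PBKDF2 verifier and accepts a password that reproduces the verifier. ROUNDS is an
# assumption for this example; real formats use their own KDFs and costs.
ROUNDS = 1000


def make_verifier(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS, 32)


def password_opens_file(password: str, salt: bytes, verifier: bytes) -> bool:
    return hmac.compare_digest(make_verifier(password, salt), verifier)


def dictionary_candidates(words):
    """Plain wordlist entries, plus the capitalised form users habitually choose."""
    for w in words:
        yield w
        yield w.capitalize()


def hybrid_candidates(words):
    """Dictionary words with digits appended or prepended: admin0, 0admin, admin1, 1admin, ..."""
    for w in dictionary_candidates(words):
        for n in range(100):
            yield f"{w}{n}"
            yield f"{n}{w}"


def brute_force_candidates(alphabet, max_len):
    """Exhaustive enumeration, shortest first; each length costs len(alphabet) ** length guesses."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield "".join(combo)


def recover_password(salt, verifier, words, max_pin_len=4):
    """Try the cheap, high-yield phases first and fall back to exhaustive search of digit PINs.
    Returns (password, phase_that_found_it, guesses_tried), or None if every phase is exhausted."""
    phases = [
        ("dictionary", dictionary_candidates(words)),
        ("hybrid", hybrid_candidates(words)),
        ("brute-force", brute_force_candidates(string.digits, max_pin_len)),
    ]
    tried = 0
    for phase, candidates in phases:
        for candidate in candidates:
            tried += 1
            if password_opens_file(candidate, salt, verifier):
                return candidate, phase, tried
    return None


if __name__ == "__main__":
    salt = b"constructed-salt"                       # constructed sample values
    print(recover_password(salt, make_verifier("admin2", salt), ["password", "admin", "welcome"]))
```

The guess counter is the point of the ordering: a hybrid variant of a three-word list falls after a few hundred guesses, while a short numeric PIN costs thousands, and every guess pays the full KDF cost, which is exactly the lever a slow, salted password-protection scheme uses against this attack.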

CompTIA Security+ Question H-10

Which of the following wireless protocols could be vulnerable to a brute-force password attack? (Select TWO).

A. WPA2-PSK
B. WPA – EAP – TLS
C. WPA2-CCMP
D. WPA -CCMP
E. WPA – LEAP
F. WEP

Answer: A,E

Explanation:
A brute force attack tries candidate passwords until one works. WPA2-PSK authenticates every client with the same pre-shared passphrase; once an attacker captures a client's four-way handshake, candidate passphrases can be tested against it offline, so a weak passphrase falls to a dictionary or brute force search. LEAP (Cisco's Lightweight EAP) authenticates users with an MS-CHAP-style challenge/response, and a captured exchange likewise lets the attacker guess the user's password offline. EAP-TLS uses certificates rather than passwords, CCMP is the encryption cipher rather than an authentication method, and WEP is broken through its weak RC4 initialisation-vector scheme rather than by guessing a password, which is why the exam's answer is WPA2-PSK and LEAP.

CompTIA Security+ Question A-86

A malicious user is sniffing a busy encrypted wireless network waiting for an authorized client to connect to it. Only after an authorized client has connected and the hacker was able to capture the client handshake with the AP can the hacker begin a brute force attack to discover the encryption key. Which of the following attacks is taking place?

A. IV attack
B. WEP cracking
C. WPA cracking
D. Rogue AP

Answer: C

Explanation:
There are three steps to penetrating a WPA/WPA2-PSK protected network: sniffing (capture the four-way handshake between an authorised client and the AP), parsing (extract the SSID, the two MAC addresses, the two nonces and the MIC from the capture) and attacking (test candidate passphrases offline against the captured handshake until one reproduces the MIC). The scenario in the question, capturing the client handshake and then brute forcing the key, is WPA cracking.
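The following Python is an added example, not code from the question set, covering both the WPA2-PSK brute force attack named in the previous question and the WPA cracking scenario in this one. It derives the PMK from a passphrase with PBKDF2-HMAC-SHA1 as WPA-PSK does, expands it to the PTK with the 802.11 PRF, recomputes the EAPOL-Key MIC of handshake message 2 with the KCK, and runs a wordlist against a captured MIC. The SSID, MAC addresses, nonces and the handshake frame are constructed here rather than taken from a real capture, and the wordlist is an assumption for the example.

```python
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    These 4096 rounds are the whole per-guess cost of the offline attack."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11 PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(MACs) || max(MACs) || min(nonces) || max(nonces)).
    The first 16 bytes are the KCK that authenticates the EAPOL-Key frames."""
    data = min(ap_mac, client_mac) + max(ap_mac, client_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, frame_with_mic_zeroed: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1-128 over the EAPOL-Key frame."""
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]


def build_message2(snonce: bytes, key_data: bytes) -> bytes:
    """EAPOL-Key message 2 of 4 (client -> AP) with its MIC field zeroed, the form the attacker
    recomputes the MIC over. Key info 0x010A = MIC bit | pairwise key | descriptor version 2."""
    body = (struct.pack(">BHHQ", 2, 0x010A, 0, 1)   # descriptor type 2, key info, key length, replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, key IV, RSC, key ID
            + bytes(16)                                  # MIC field, zeroed for the computation
            + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL version 2, type 3 = EAPOL-Key


# Constructed handshake parameters; not from a real capture.
SSID = "CorpWiFi"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/PSK RSN element
MESSAGE2 = build_message2(SNONCE, RSN_IE)


def simulate_capture(true_passphrase: str) -> bytes:
    """The MIC a sniffer would see in message 2 when the client holds this passphrase."""
    pmk = pmk_from_passphrase(true_passphrase, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, MESSAGE2)


def crack(captured_mic: bytes, wordlist):
    """Offline attack: derive PMK -> PTK -> MIC per candidate and compare with the capture."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, SSID)
        kck = ptk_from_pmk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
        if hmac.compare_digest(eapol_mic(kck, MESSAGE2), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    print(crack(simulate_capture("dragon123"), ["password", "letmein", "dragon123", "hunter2"]))
```

Nothing in the attack touches the network after the capture, which is why lockout policies do not help against WPA2-PSK and only passphrase length and entropy do; the PBKDF2 round count is also why attackers precompute PMKs per SSID, since the derivation is salted with the network name and nothing else.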

CompTIA Security+ Question A-40

The system administrator is reviewing the following logs from the company web server:
12:34:56 GET /directory_listing.php?user=admin&pass=admin1
12:34:57 GET /directory_listing.php?user=admin&pass=admin2
12:34:58 GET /directory_listing.php?user=admin&pass=1admin
12:34:59 GET /directory_listing.php?user=admin&pass=2admin
Which of the following is this an example of?

A. Online rainbow table attack
B. Offline brute force attack
C. Offline dictionary attack
D. Online hybrid attack

Answer: D

Explanation:
This is an example of an online hybrid attack. It is online because the guesses are submitted to the live web server and therefore appear in its logs; an offline attack works against a captured password hash or file and leaves no trace on the target. A hybrid attack is a combination of attacks, here a dictionary attack and a brute force attack. A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN): automated software generates a large number of consecutive guesses at the value of the desired data. A dictionary attack tries each word from a list as the password. The combination, or hybrid, attack adds characters, numbers or even other words to the beginning or end of the dictionary guesses. In this example the dictionary word is 'admin', and the four logged guesses are hybrid variants of it: 'admin1', 'admin2', '1admin' and '2admin'.

CompTIA A+ Core 2 Question H-13

A technician has configured the ability to connect to a small office server using remote desktop from a workstation within the office. The technician has reviewed logs that show constant brute force attacks to that server from outside the network. Which of the following would prevent this from occurring?

A. Configure the server to use a static IP
B. Logically move the server to the DMZ
C. Reallocate the server to a different networking closet
D. Disable the remote desktop port