
Exam CS0-002 topic 1 question 9 discussion

Actual exam question from CompTIA's CS0-002
Question #: 9
Topic #: 1

While conducting a network infrastructure review, a security analyst discovers a laptop that is plugged into a core switch and hidden behind a desk. The analyst sees the following on the laptop's screen:
[*] [NBT-NS] Poisoned answer sent to 192.169.23.115 for name FILE-SHARE-A (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A
[*] [LLMNR] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A
[SMBv2] NTLMv2-SSP Client : 192.168.23.115
[SMBv2] NTLMv2-SSP Username : CORP\jsmith
[SMBv2] NTLMv2-SSP Hash : F5DBF769CFEA7...
[*] [NBT-NS] Poisoned answer sent to 192.169.23.24 for name FILE-SHARE-A (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.23.24 for name FILE-SHARE-A
[*] [LLMNR] Poisoned answer sent to 192.168.23.24 for name FILE-SHARE-A
[SMBv2] NTLMv2-SSP Client : 192.168.23.24
[SMBv2] NTLMv2-SSP Username : CORP\progers
[SMBv2] NTLMv2-SSP Hash : 6D093BE2FDD70A...
Which of the following is the BEST action for the security analyst to take?

  • A. Force all users in the domain to change their passwords at the next login.
  • B. Disconnect the laptop and ask the users jsmith and progers to log out.
  • C. Take the FILE-SHARE-A server offline and scan it for viruses.
  • D. Initiate a scan of devices on the network to find password-cracking tools.
Suggested Answer: B
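As an added triage example (not part of the exam question or of any commenter's post): a small parser for Responder-style output like the laptop's screen, which lists the clients that accepted poisoned answers, the names they were trying to resolve, and the accounts whose NTLMv2 responses were captured and therefore need a credential reset. The sample lines are constructed to mirror the question's screen; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the laptop screen in the question (not a real capture).
SAMPLE = """\
[*] [NBT-NS] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A
[SMBv2] NTLMv2-SSP Client : 192.168.23.115
[SMBv2] NTLMv2-SSP Username : CORP\\jsmith
[SMBv2] NTLMv2-SSP Hash : F5DBF769CFEA7...
[*] [LLMNR] Poisoned answer sent to 192.168.23.24 for name FILE-SHARE-A
[SMBv2] NTLMv2-SSP Client : 192.168.23.24
[SMBv2] NTLMv2-SSP Username : CORP\\progers
[SMBv2] NTLMv2-SSP Hash : 6D093BE2FDD70A...
"""

# One poisoned name-resolution answer: protocol, victim, and the name the victim asked for.
POISON_RE = re.compile(
    r"\[\*\] \[(?P<proto>NBT-NS|LLMNR|MDNS)\] Poisoned answer sent to (?P<ip>\S+) for name (?P<name>\S+)")
# One field of a captured authentication; Client / Username / Hash arrive as a triple.
CAPTURE_RE = re.compile(
    r"\[(?P<svc>\w+)\] (?P<auth>NTLMv[12](?:-SSP)?) (?P<field>Client|Username|Hash)\s*:\s*(?P<value>.+)")

def triage(text):
    """Summarise Responder-style output: who was poisoned, what they asked for, whose auth was captured."""
    poisoned = defaultdict(set)  # victim ip -> protocols on which it accepted a poisoned answer
    names = set()                # names the victims were trying to resolve
    captures = []                # one dict per captured authentication
    current = {}
    for line in text.splitlines():
        m = POISON_RE.search(line)
        if m:
            poisoned[m["ip"]].add(m["proto"])
            names.add(m["name"])
            continue
        m = CAPTURE_RE.search(line)
        if m:
            current[m["field"].lower()] = m["value"].strip()
            if m["field"] == "Hash":  # Hash is the last line of a triple: close the record
                captures.append(dict(current, service=m["svc"], auth=m["auth"]))
                current = {}
    return {"poisoned": dict(poisoned), "names": names, "captures": captures}

def accounts_to_reset(report):
    """Distinct accounts whose NTLMv2 response was captured and is therefore crackable offline."""
    return sorted({c["username"] for c in report["captures"] if "username" in c})

if __name__ == "__main__":
    print(accounts_to_reset(triage(SAMPLE)))  # ['CORP\\jsmith', 'CORP\\progers']
```

The reset list is what distinguishes option B's targeted response from option A's domain-wide reset: only accounts that actually appear in a captured triple need immediate action, while every poisoned client is a host to check.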

Comments

nonjabusiness
Highly Voted 2 years, 5 months ago
Selected Answer: B
The output on the laptop looks like the authentication service has been poisoned, and 2 accounts have been compromised. Requiring all users to change their passwords could be overkill if there isn't more to this output. Though taking the server offline and scanning for viruses may be a good idea, this answer does nothing to remediate the compromised accounts, which would be my main concern given the scenario. Disconnecting the laptop and remediating the compromised hashes would be the best course of action for this in my opinion, as this would stop the poisoning and prevent any unauthorized access from cracking the hashes.
upvoted 16 times
db97
2 years ago
Totally agree
upvoted 1 times
Xoomalla
1 year, 7 months ago
Agree on B. Was confused between A and B. But since nothing is mentioned about disconnecting the laptop and only a password reset is mentioned, this is not correct. Hmm, but asking the users to log out only, would this prevent their password from being cracked offline?
upvoted 1 times
Laudy
Highly Voted 2 years, 6 months ago
Selected Answer: B
Obviously scanning the file server would be good, but it doesn't stop the DNS poisoning... Feels more like the users have a better chance of being infected than the file server... Maybe I'm wrong, but I feel like disconnecting the known bad laptop, and having the two users who tried navigating to the "file server" log off, would be better than just scanning the file server.
upvoted 6 times
JimmyJams
Most Recent 1 year, 9 months ago
Selected Answer: B
Defo not A as the server itself isn't infected. The laptop is poisoning traffic, not a device.
upvoted 1 times
DerekM
1 year, 10 months ago
Selected Answer: B
Based on the provided information, the BEST action for the security analyst to take in this scenario is: B. Disconnect the laptop and ask the users jsmith and progers to log out. The analyst has discovered a suspicious laptop connected to the network infrastructure, and the screen displays indications of potentially malicious activity related to network poisoning and SMBv2 communication. To contain the potential threat and prevent further compromise, the immediate action should be to disconnect the laptop from the network. Asking the users "jsmith" and "progers" to log out from the laptop is also important to ensure that they do not continue any unauthorized activities. While other actions like changing passwords, scanning the FILE-SHARE-A server, or initiating network scans may be necessary as part of a broader incident response plan, the immediate focus should be on isolating the suspicious device and preventing any further potential harm.
upvoted 1 times
SimonR2
1 year, 11 months ago
This is an attack using the command-line Responder tool, which poisons responses to NetBIOS, LLMNR and mDNS name resolution requests. It basically performs a man-in-the-middle attack and allows retrieval of password hashes over a file sharing network. The simple answer here is to get the laptop off the network as soon as possible and prevent the MITM attack from occurring, so the answer is B.
upvoted 2 times
2Fish
2 years ago
Selected Answer: B
B. Stop the assumed threat and then have a look at the server.
upvoted 1 times
DrVoIP
2 years ago
B. Disconnect the laptop and ask the users jsmith and progers to log out is the best action for the security analyst to take. The laptop is using the responder tool to perform a man-in-the-middle attack, and the output on the screen indicates that it has successfully obtained NTLMv2-SSP hashes for two users on the network: jsmith and progers. This attack could be used to steal user credentials and gain access to sensitive information on the network. ChatGPT
upvoted 4 times
CL_QRT
2 years, 1 month ago
Another tricky CompTIA question again. Guys, after the analyst discovered the event, what is the BEST NEXT action to take? The answer is B, then from there do the other necessary steps.
upvoted 3 times
Sweety_Certified7
5 days, 2 hours ago
The question does not mention "next": Which of the following is the BEST action for the security analyst to take? If it says "best action to take" (without specifying order), then A is a better choice because it neutralizes the most critical risk (compromised credentials).
upvoted 1 times
Stiobhan
2 years, 1 month ago
The log output is a capture of traffic flow for said users as they have requested access to the file server and (in this case) the requests have been captured by a malicious tool such as Responder (available in Kali). The best answer here is B, but if I had the option to pick 2 then I would also pick D. Even at that, the choice of answers is poor because on their own this incident will not be resolved; have a wee read at this to help you understand what is really happening here: https://www.cynet.com/attack-techniques-hands-on/llmnr-nbt-ns-poisoning-and-credential-access-using-responder/ . On reading the scenario more in depth, I'd say the laptop is a plank with Responder installed and the threat is internal! So, disconnect the laptop (which only solves part of the issue, if it were real). The laptop should then be investigated, possibly forensically.
upvoted 1 times
sho123
2 years, 3 months ago
Selected Answer: B
No answer here yet. The correct answer should be disconnect the laptop and scan the file server for malicious input.
upvoted 1 times
Dcfc_Doc
2 years, 4 months ago
I feel like I would do all of these steps. The only thing that I would debate is the order in which I would do them. Voting B.
upvoted 2 times
Kelz56
2 years, 4 months ago
Selected Answer: C
Prevention is better than cure. The server is possibly compromised based on the logs, so we should check the server first. Resetting the users' passwords is a good option but will not remediate the possible server issue.
upvoted 1 times
Goat54
2 years, 2 months ago
Scanning the server will check for vulnerabilities but what about the compromised accounts of the 2 users? Answer B may be a better choice.
upvoted 1 times
amateurguy
2 years, 4 months ago
Selected Answer: B
B seems like the best answer.
upvoted 1 times
IT_Master_Tech
2 years, 4 months ago
What is the RIGHT answer?
upvoted 2 times
TeyMe
2 years, 4 months ago
A tool called Responder will generate such output; the tool can intercept LLMNR and NBT-NS requests, and an attacker can obtain password hashes in the process. I would say answer: D
upvoted 3 times
TeyMe
2 years, 3 months ago
B is correct
upvoted 2 times
AcidoNZ
2 years, 3 months ago
It's D for sure: https://0xdf.gitlab.io/2019/01/13/getting-net-ntlm-hases-from-windows.html
upvoted 1 times
A_core
2 years, 4 months ago
Selected Answer: C
Although not the best step, this is the only option that makes sense in the choices. B is close, but it talked about resetting an account, which does not constitute the best action. The best action is to take action on the source and the target.
upvoted 1 times
wico
2 years, 4 months ago
Selected Answer: A
A few things happening here. Big part is gathered credentials. We see two credentials on the screen, but who knows how many other credentials we don't see? What are our options? We can have the users immediately log out, but what will that protect? If the attacker has the user's credentials, we can spend time telling each user to log off and disconnect the laptop. Meanwhile the attacker will be using their credentials to steal DATA from the file server and do whatever else they want with the credentials. The only reasonable option here is to have all users change their passwords while also disconnecting the laptop.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other