Exam SY0-601
Question 828

A security analyst discovers that a large number of employee credentials had been stolen and were being sold on the dark web. The analyst investigates and discovers that some hourly employee credentials were compromised, but salaried employee credentials were not affected.

Most employees clocked in and out while they were inside the building using one of the kiosks connected to the network. However, some clocked out and recorded their time after leaving to go home. Only those who clocked in and out while inside the building had credentials stolen. Each of the kiosks is on a different floor, and there are multiple routers, since the business segments environments for certain business functions.

Hourly employees are required to use a website called acmetimekeeping.com to clock in and out. This website is accessible from the internet. Which of the following is the most likely reason for this compromise?

Correct Answer: C

The most likely reason for this compromise is that the internal DNS servers were poisoned, redirecting acmetimekeeping.com to a malicious domain that intercepted the credentials before passing them through to the real site. This aligns with the behavior described, where only credentials of employees clocking in and out from inside the building were affected, whereas those accessing the site from other networks (like at home) were not compromised. This suggests that the issue was specific to the internal network, indicating a probable DNS poisoning attack within the building's network.
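The defensive check that follows from this explanation is to compare what each internal resolver answers for the timekeeping hostname against the authoritative answer, and to flag any internal resolver that returns an address outside that set, or an RFC 1918 address for an internet-facing site. The script below is an added example written for this page, not code from the exam or from any vendor; the resolver names, the addresses and the captured `dig +short` outputs are constructed sample data, and the hostname acmetimekeeping.com is taken from the question.

```python
"""Flag internal DNS resolvers whose answer for a public hostname disagrees
with the authoritative answer or points into private address space.

Added example for this page. Resolver names, IP addresses and the captured
answers below are constructed sample data, not real records. In practice the
answers would come from querying each internal resolver, e.g. the output of
`dig +short acmetimekeeping.com @<resolver>`.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges plus loopback and link-local: a public SaaS hostname should
# never resolve to these from an internal resolver.
INTERNAL_RANGES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
    ip_network("169.254.0.0/16"),
]


@dataclass
class Finding:
    resolver: str
    hostname: str
    answers: tuple
    reason: str


def is_internal(ip: str) -> bool:
    """True if the address falls in RFC 1918, loopback or link-local space."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def parse_dig_short(output: str) -> list:
    """Parse `dig +short` style output into a list of IP addresses.

    CNAME lines (which end with a trailing dot) and blank lines are skipped.
    """
    ips = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.endswith("."):
            continue
        try:
            ip_address(line)
        except ValueError:
            continue
        ips.append(line)
    return ips


def check_resolvers(hostname: str, expected_ips, observed: dict) -> list:
    """Compare each resolver's answer set with the authoritative answer set.

    expected_ips: addresses the authoritative nameservers publish.
    observed: {resolver_name: [answer_ip, ...]} per internal resolver.
    Returns a list of Finding objects; empty means every resolver agrees.
    """
    expected = set(expected_ips)
    findings = []
    for resolver, answers in sorted(observed.items()):
        got = set(answers)
        if not got:
            findings.append(Finding(resolver, hostname, (),
                                    "no answer (possible outage or filtering)"))
            continue
        private = sorted(ip for ip in got if is_internal(ip))
        rogue = sorted(got - expected)
        if private:
            findings.append(Finding(resolver, hostname, tuple(answers),
                f"public hostname resolves to private address(es) {private}: "
                "likely internal redirect"))
        elif rogue:
            findings.append(Finding(resolver, hostname, tuple(answers),
                f"answer {rogue} not in authoritative set {sorted(expected)}"))
    return findings


HOSTNAME = "acmetimekeeping.com"          # hostname from the question
AUTHORITATIVE = {"203.0.113.10"}          # constructed placeholder address
# Constructed: `dig +short` output captured from each floor's internal resolver.
CAPTURED = {
    "dns-floor1": "timekeeping.cdn.example.\n203.0.113.10\n",  # clean: CNAME then real IP
    "dns-floor2": "10.20.30.40\n",         # poisoned: points at an internal host
    "dns-floor3": "198.51.100.77\n",       # poisoned: points at an unexpected external host
}


def audit(hostname=HOSTNAME, authoritative=AUTHORITATIVE, captured=CAPTURED) -> list:
    """Run the comparison over captured resolver output and return the findings."""
    observed = {name: parse_dig_short(out) for name, out in captured.items()}
    return check_resolvers(hostname, authoritative, observed)


if __name__ == "__main__":
    for f in audit():
        print(f"[!] {f.resolver}: {f.hostname} -> {f.answers}: {f.reason}")
```

Running this over the constructed data reports dns-floor2 and dns-floor3 and stays silent on dns-floor1. Because the question describes several routers and per-floor kiosks, querying every internal resolver rather than only the one your workstation uses is the point: a single poisoned cache on one segment is exactly the kind of partial, time-bounded discrepancy that a one-off `nslookup` from the security team's desk would miss.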

Discussion
sysics (Option: C)

C makes more sense to me. BTW the question is too long to read.

chizzuck

Some CompTIA questions are very long to read during the tests, I think... I hope this is worth a ton of points.

LinkinTheStinkin (Option: C)

The question says that multiple routers are in use within the building. This rules out ARP poisoning: since ARP is a layer 2 protocol and limited to a single broadcast domain, it would only affect a portion of the network. It says people at home were able to use the website and not have their credentials compromised, so the website itself has no issue. The only answer it can be is C.

mikzer

That's correct. DNS poisoning can occur for a brief period and return to normal allowing the people outside the building to later clock out without having their credentials stolen. ARP will stay poisoned because it involves storing the attacker's MAC in everyone’s cache.

Hs1208 (Option: C)

C. The internal DNS servers were poisoned and were redirecting acmetimekeeping.com to a malicious domain that intercepted the credentials and then passed them through to the real site.

Baba111222 (Option: C)

It can't be B. If the actual website was compromised, employees signing in after they left would also be affected. In this case only the ones using the kiosks connected to the same network were affected, so DNS poisoning is the only logical option here.

7308365 (Option: D)

ARP poisoning attacks can compromise systems and redirect network traffic to the threat actor, who leverages their position to insert malware and steal sensitive data. Only those who clocked in and out while inside the building had credentials stolen. D. ARP poisoning affected the machines in the building and caused the kiosks to send a copy of all the submitted credentials to a malicious machine.

[Removed]

"...Each of the kiosks are on different floors, and there are multiple routers..." Think about it: DNS poisoning is a better attack than ARP poisoning here, because you have different routers, so probably a different gateway on each floor, etc.

BD69

ARP poisoning would be the most difficult way of achieving this and require a lot more information about the internal network, not to mention would also require malware on all segments.

Rami1996 (Option: B)

There are some potential issues with option C:

Complexity: DNS poisoning attacks, while possible, typically require a significant level of access to internal systems. If internal DNS servers were compromised, it would likely have broader implications beyond just redirecting traffic to a single website.

Detection: DNS poisoning attacks are usually detectable, especially if employees were being redirected to a malicious domain. Such activities often trigger security alerts or anomalies that would prompt investigation.

While option C offers a plausible explanation, it may not be the most likely scenario given the complexity and detectability of DNS poisoning attacks.

Mehe323

B doesn't explain why only those with an hourly wage AND who used the kiosks inside the building to clock in and out were affected, and not the hourly paid who only clocked out. It can't be an attack on the website for the hourly salaried.

Gigi42

I agree with you 💯. The acmetimekeeping site is available on the internet, so why is it that only employees who clocked in and out inside the building are the only ones affected? Those who left the building and clocked out at home didn't get their credentials stolen. If a malicious actor did something to the website, wouldn't everyone, everywhere be affected? Option C seems like the BEST answer here.

Payu1994 (Option: D)

D. ARP poisoning affected the machines in the building and caused the kiosks to send a copy of all the submitted credentials to a malicious machine. Explanation: ARP Poisoning (Option D): ARP (Address Resolution Protocol) poisoning involves manipulating the ARP cache on a local network, leading to the association of incorrect MAC addresses with IP addresses. In this scenario, if ARP poisoning occurred, it could lead to the kiosks sending a copy of the submitted credentials to a malicious machine before reaching the legitimate server. This could happen if the ARP cache on the local network was manipulated to redirect traffic through a malicious machine.

BD69

True, but not the most likely way to do it, as the difficulty level is a bit higher. Many internal DNS servers are not secure, for starters, and will accept record changes from non-authoritative sources if not locked down.

licks0re (Option: C)

Clearly C, see comments below.

johnabayot (Option: B)

This option explains why only the hourly employees who used the kiosks inside the building were affected, and not the salaried employees or the hourly employees who clocked out from home. If the time-keeping website was compromised, then anyone who accessed it from the kiosks would have their credentials stolen by the malicious code. The other options do not account for this scenario.

johnabayot

DNS poisoning (option C) would affect anyone who tried to access the website from any device, not just the kiosks. DNS poisoning is a technique that alters the DNS records of a domain name, so that it points to a different IP address than the legitimate one. This would redirect users to a fake website that looks like the real one, but steals their credentials. This would also affect both hourly and salaried employees, and those who clocked out from home.

licks0re

"Internal DNS" was poisoned. Hence people from home arrived at the safe website while people inside arrived at a fake website. C is my choice.

Payu1994

DNS poisoning redirecting the time-keeping website to a malicious domain is less likely since employees would likely notice if they were redirected to a different website. Additionally, DNS poisoning would likely affect all users accessing the time-keeping website, not just those inside the building.

TM78

Not if it’s from a DNS cache.

BD69 (Option: C)

With so many internal DNS servers (especially Windows domains) having default settings that allow non-authoritative changes to DNS records, answer C is the most likely, via a MITM attack. Answer B is certainly possible; however, that would affect every company that uses that service (this was not mentioned), not just the company in question. Answer D would work too, but this requires a bit more work and non-locked-down switches, and would be identified quickly by security and network software (immediate conflict alerts).

MF757 (Option: B)

The fact that only hourly employees who clocked in and out while inside the building had their credentials stolen suggests that the compromise is likely related to the usage of the time-keeping website.

TM78 (Option: D)

D. DNS Poisoning. You can get a very basic explanation here (time stamp 5:50 if you don't care to watch the whole video): https://youtu.be/7MT1F0O3_Yw?si=K7Rung_UtsGcnX7Y If you don't feel the warm fuzzies about clicking some random link, go to YouTube and search "DNS Cache Poisoning - Computerphile". The reason why I don't think it is ARP is because of an assumption (yeah, bad word) that the time card website is HTTPS, meaning that the information intercepted by the bad actor should be encrypted and unusable.

TM78

Gosh. I mean C. DNS Poisoning.