CEH - Exam Review 3
Attempts by attackers to access Web sites that trust the Web browser user by stealing the user's authentication credentials
A company's security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?
The WAP does not recognize the client's MAC address
A new wireless client is configured to join a 802.11 network. This client uses the same hardware and software as many of the other clients on the network. The client can see the network, but cannot connect. A wireless packet sniffer shows that the Wireless Access Point (WAP) is not responding to the association requests being sent by the wireless client. What is a possible source of this problem?
[site:]
A penetration tester is performing the footprinting process and is reviewing publicly available information about an organization by using the Google search engine. Which of the following advanced operators would allow the pen tester to restrict the search to the organization's web domain?
Place a front-end web server in a demilitarized zone that only handles external web traffic
A regional bank hires your company to perform a security assessment on their network after a recent data breach. The attacker was able to steal financial data from the bank by compromising only a single server. Based on this information, what should be one of your key recommendations to the bank?
The gateway is not routing to a public IP address.
A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access point. The computer is able to transfer files locally to other machines but cannot successfully reach the Internet. When the technician examines the IP address and default gateway, they are both on the 192.168.1.0/24. Which of the following has occurred?
Dynamic ARP Inspection (DAI)
DHCP snooping is a great solution to prevent rogue DHCP servers on your network. Which security feature on switchers leverages the DHCP snooping database to help prevent man-in-the-middle attacks?
Dorian is signing the message with his private key, and Poly will verify that the message came from Dorian by using Dorian's public key.
Dorian is sending a digitally signed email to Poly. With which key is Dorian signing this message and how is Poly validating it?
Not informing the employees that they are going to be monitored could be an invasion of privacy.
Due to a slowdown of normal network operations, the IT department decided to monitor internet traffic for all of the employees. From a legal standpoint, what would be troublesome to take this kind of measure?
Stateful firewall
During a black-box pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded(not obstructed). What type of firewall is inspecting outbound traffic?
STARTTLS or SSL
Email is transmitted across the Internet using the Simple Mail Transport Protocol. SMTP does not encrypt email, leaving the information in the message vulnerable to being read by an unauthorized person. SMTP can upgrade a connection between two mail servers to use TLS. Email transmitted by SMTP over TLS is encrypted. What is the name of the command used by SMTP to transmit email over TLS?
Reconnaissance
Hackers often raise the trust level of a phishing message by modeling the email to look similar to the internal email used by the target company. This includes using logos, formatting, and names of the target company. The phishing message will often use the name of the company CEO, President, or Managers. The time a hacker spends performing research to locate this information about a company is known as?
Port 123
Identify the UDP port that Network Time Protocol (NTP) uses as its primary means of communication?
Cross-Site Scripting (XSS)
Identify the web application attack where the attackers exploit vulnerabilities in dynamically generated web pages to inject client-side script into web pages viewed by other users.
Hping
If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP?
-F
If you want to only scan fewer ports than the default scan using Nmap tool, which option would you use?
Privilege Escalation
In an internal security audit, the white hat hacker gains control over a user account and attempts to acquire access to another account's confidential files and information. How can he achieve this?
Extraction of cryptographic secrets through coercion or torture.
In the field of cryptanalysis, what is meant by a "rubber-hose" attack?
Gaining Access
Infecting a system with malware and using phishing to gain credentials to a system or web application are examples of which phase of the ethical hacking methodology?
Authenticate
Internet Protocol Security IPsec is actually a suite pf protocols. Each protocol within the suite provides different functionality. Collective IPsec does everything except. A. Protect the payload and the headers B. Encrypt C. Work at the Data Link Layer D. Authenticate
Evil Twin
Jane invites her friends Alice and John over for a LAN party. Alice and John access Jane's wireless network without a password. However, Jane has a long, complex password on her router. What attack has likely occurred?
Buffer overflow
John is investigating web-application firewall logs and observers that someone is attempting to inject the following: char buff[10]; buff[10] = 'a'; What type of attack is this?
Use Marie's public key to encrypt the message
John wants to send Marie an email that includes sensitive information, and he does not trust the network that he is connected to. Marie gives him the idea of using PGP. What should John do to communicate correctly using this type of encryption?
Elicitation
Johnson, an attacker, performed online research for the contact details of reputed cybersecurity firms. He found the contact number of sibertech.org and dialed the number, claiming himself to represent a technical support team from a vendor. He warned that a specific server is about to be compromised and requested sibertech.org to follow the provided instructions. Consequently, he prompted the victim to execute unusual commands and install malicious files, which were then used to collect and pass critical information to Johnson's machine. What is the social engineering technique Steve employed in the above scenario?
VPN Footprinting
Louis, a professional hacker, had used specialized tools or search engines to encrypt all his browsing activity and navigate anonymously to obtain sensitive/hidden information about official government or federal databases. After gathering the information, he successfully performed an attack on the target government organization without being traced. Which of the following techniques is described in the above scenario?
False positives
Mr. Omkar performed tool-based vulnerability assessment and found two vulnerabilities. During analysis, he found that these issues are not true vulnerabilities. What will you call these issues?
Public Key
PGP, SSL, and IKE are all examples of which type of cryptography?
Footprinting
Peter is surfing the internet looking for information about DX Company. Which hacking process is Peter doing?
WHOIS Footprinting
Richard, an attacker, targets an MNC. In this process, he uses a footprinting technique to gather as much information as possible. Using this technique, he gathers domain information such as the target domain name, contact details of its owner, expiry date, and creation date. With this information, he creates a map of the organization's network and misleads domain owners with social engineering to obtain internal details of its network. What type of footprinting technique is employed by Richard?
DROWN attack
Samuel, a security administrator, is assessing the configuration of a web server. He noticed that the server permits SSLv2 connections, and the same private key certificate is used on a different server that allows SSLv2 connections. This vulnerability makes the web server vulnerable to attacks as the SSLv2 server can leak key information. Which of the following attacks can be performed by exploiting the above vulnerability?
Clickjacking Attack
Scenario: 1. Victim opens the attacker's web site. 2. Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make $1000 in a day?'. 3. Victim clicks to the interesting and attractive content URL. 4. Attacker creates a transparent 'iframe' in front of the URL which the victim attempts to click, so the victim thinks that he/she clicks on the 'Do you want to make $1000 in a day?' URL but actually he/she clicks on the content or URL thatexists in the transparent 'iframe' which is setup by the attacker. What is the name of the attack which is mentioned in the scenario?
File-less Malware (resides and executes from memory)
Security administrator John Smith has noticed abnormal amounts of traffic coming from local computers at night. Upon reviewing, he finds that user data have been exfiltrated by an attacker. AV tools are unable to find any malicious software, and the IDS/IPS has not reported on any non-whitelisted programs. What type of malware did the attacker use to bypass the company's application whitelisting?
The use of DNSSEC
Some clients of TPNQM SA were redirected to a malicious site when they tried to access the TPNQM main site. Bob, a system administrator at TPNQM SA, found that they were victims of DNS Cache Poisoning. What should Bob recommend to deal with such a threat?
Open-source intelligence
The collection of potentially actionable, overt, and publicly available information is known as
The CFO can use a hash algorithm in the document once he approved the financial statements
The company ABC recently contracts a new accountant. The accountant will be working with the financial statements. Those financial statements need to be approved by the CFO and then they will be sent to the accountant but the CFO is worried because he wants to be sure that the information sent to the accountant was not modified once he approved it. Which of the following options can be useful to ensure the integrity of the data?
SYN
The establishment of a TCP connection involves a negotiation called three-way handshake. What type of message does the client send to the server in order to begin this negotiation?
Adware
The network users are complaining because their systems are slowing down. Further, every time they attempt to go to a website, they receive a series of pop-ups with advertisements. What type of malware have the systems been infected with?
Fuzzing
To determine if a software program properly handles a wide range of invalid input, a form of automated testing can be used to randomly generate invalid input in an attempt to crash the program. What term is commonly used when referring to this type of testing?
Presentation
User A is writing a sensitive email message to user B outside the local network. User A has chosen to use PKI to secure his message and ensure only user B can read the sensitive email. At what layer of the OSI layer does the encryption and decryption of the message take place?
Transport layer port numbers and application layer headers
What does a firewall check to prevent particular ports and applications from getting packets into an organization?
A digital signature cannot be moved from one signed document to another because it is the hash of the original document encrypted with the private key of the signing party.
What is correct about digital signatures?
Supporting both types of algorithms allows less-powerful devices such as mobile phones to use symmetric encryption instead.
What is one of the advantages of using both symmetric and asymmetric cryptography in SSL/TLS?
Bug bounty program
What is the common name for a vulnerability disclosure program opened by companies in platforms such as HackerOne? is a challenge hosted by organizations, websites, or software developers to tech-savvy individuals or ethical hackers to participate and break into their security to report the latest bugs and vulnerabilities This program focuses on identifying the latest security flaws in software or any web application that most security developers fail to detect
Port 48101
What is the port to block first in case you are suspicious that an IoT device has been compromised?
Firewalking
What is the way to decide how a packet will move from an untrusted outside host to a protected inside that is behind a firewall, which permits the hacker to determine which ports are open and if the packets can pass through the packetfiltering of the firewall?
Cloud Based
What kind of detection techniques is being used in antivirus software that identifies malware by collecting data from multiple protected systems and instead of analyzing files locally it's made on the provider's environment?
Has to be unforgeable, and has to be authentic.
What two conditions must a digital signature meet?
False positive
When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's Computer to update the router configuration. What type of an alert is this?
http-methods
When you are getting information about a web server, it is very important to know the HTTP Methods (GET, POST, HEAD, PUT, DELETE, TRACE) that are available because there are two critical methods (PUT and DELETE). PUT can upload a file to the server and DELETE can delete a file from the server. You can detect all these methods (GET, POST, HEAD, PUT, DELETE, TRACE) using NMAP script engine. What Nmap script will help you with this task?
Network-based intrusion detection system (NIDS)
Which Intrusion Detection System is best applicable for large environments where critical assets on the network need extra scrutiny and is ideal for observing sensitive network segments?
Checking if the remote host is alive
Which is the first step followed by Vulnerability Scanners for scanning a network?
Brute Force Attack
Which method of password cracking Technique is considered the most powerful and randomly generates passwords and the associated hash?
Brute Force
Which method of password cracking takes the most time and effort? A. Dictionary attack B. Shoulder surfing C. Rainbow tables D. Brute force
Bluesmacking
Which of the following Bluetooth hacking techniques refers to a DoS attack, which overflows Bluetooth-enabled devices with random packets, causes the devices to crash
Bluesnarfing
Which of the following Bluetooth hacking techniques refers to the theft of information from a wireless device through Bluetooth?
VRFY
Which of the following commands checks for valid users on an SMTP server?
Preparation phase
Which of the following incident handling process phases is responsible for defining rules, collaborating human workforce, creating a back-up plan, and testing the plans for an organization?
Social Engineering
Which of the following is a low-tech way of gaining unauthorized access to systems?
Unicode Characters
Which of the following is an extremely common IDS evasion technique in the web world?
Integrity
Which of the following is assured by the use of a hash?
Using encryption protocols to secure network communications
Which of the following is the BEST way to defend against network sniffing?
Keep some generation of off-lie backup
Which of the following is the best countermeasure to encrypting ransomwares?
PKI
Which of the following is the structure designed to verify and authenticate the identity of individuals within the enterprise taking part in a data exchange?
Multipartite Virus
Which of the following program infects the system boot sector and the executable files at the same time?
tcpdump
Which of the following tools can be used for passive OS fingerprinting?
tcptrace
Which of the following tools is used to analyze the files produced by several packet-capture programs such as tcpdump, WinDump, Wireshark, and EtherPeek?
Nikto
Which of the following tools performs comprehensive tests against web servers, including dangerous files and CGIs?
Stealth/Tunneling virus
Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run?
NIST-800-53
Which regulation defines security and privacy controls for Federal information systems and organizations?
Results matching "accounting" in domain target.com but not on the site Marketing.target.com
Which results will be returned with the following Google search query? site:target.com - site:Marketing.target.com accounting
CA
Which service in a PKI will vouch for the identity of an individual or company?
WHOIS
Which system consists of a publicly available set of databases that contain domain name registration contact information?
Stealth virus
Which type of virus can change its own code and then cipher itself multiple times as it replicates?
Cross-Site Request Forgery
While performing online banking using a Web browser, a user receives an email that contains a link to an interesting Web site. When the user clicks on the link, another Web browser session starts and displays a video of cats playing a piano. The next business day, the user receives what looks like an email from his bank, indicating that his bank account has been accessed from a foreign country. The email asks the user to call his bank and verify the authorization of a funds transfer that took place. What Web browser-based security vulnerability was exploited to compromise the user?
A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a vulnerability scan does not typically involve active exploitation.
Why is a penetration test considered to be more thorough than vulnerability scan?
Infoga
Wilson, a professional hacker, targets an organization for financial benefit and plans to compromise its systems by sending malicious emails. For this purpose, he uses a tool to track the emails of the target and extracts information such as sender identities, mail servers, sender IP addresses, and sender locations from different public sources. He also checks if an email address was leaked using the haveibeenpwned.com API. Which of the following tools is used by Wilson in the above scenario?
Evil Twin Attack
is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications. It is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider. This type of attack may be used to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there." Fill in the blank with appropriate choice.
Common Vulnerability Scoring System (CVSS)
it provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable accurate measurement, while enabling users to view the underlying vulnerability characteristics used to generate the scores. CVSS v3.0 Ratings - Severity Levels: None 0.0 Low 0.1-3.9 Medium 4.0-6.9 High 7.0-8.9 Critical 9.0-10
Domain Name System Security Extensions (DNSSEC)
provide a way to authenticate DNS response data and can secure information provided by DNS.
A sniffer
turns the NIC of a system to the promiscuous mode so that it listens to all the data transmitted on its segment.
.bash_history
By performing a penetration test, you gained access under a user account. During the test, you established a connection with your own machine via the SMB service and occasionally entered your login and password in plaintext. Which file do you have to clean to clear the password?
ARP ping scan
Andrew is an Ethical Hacker who was assigned the task of discovering all the active devices hidden by a restrictive firewall in the IPv4 range in a given target network. Which of the following host discovery techniques must he use to perform the given task?
Docker daemon
Annie, a cloud security engineer, uses the Docker architecture to employ a client/server model in the application she is working on. She utilizes a component that can process API requests and handle various Docker objects, such as containers, volumes, images, and networks. What is the component of the Docker architecture used by Annie in the above scenario
FCC ID Search
Bob, an attacker, has managed to access a target IoT device. He employed an online tool to gather information related to the model of the IoT device and the certifications granted to it. Which of the following tools did Bob employ to gather the above information?
Cloud Hopper attack
Alice, a professional hacker, targeted an organization's cloud services. She infiltrated the target's MSP(Managed service Provider) provider by sending spear-phishing emails and distributed custom-made malware to compromise user accounts and gain remote access to the cloud service. Further, she accessed the target customer profiles with her MSP account, compressed the customer data, and stored them in the MSP. Then, she used this information to launch further attacks on the target organization. Which of the following cloud attacks did Alice perform in the above scenario?
Ipsec
Although FTP traffic is not encrypted by default, which layer 3 protocol would allow for end-to-end encryption of the connection?
False Negative
An IDS technician is analyzing IDS logs when he realizes connections from the outside of the LAN have been sending packets where the Source IP address and Destination IP addresses are the same. The IDS however, did not send any alerts via email nor did it log anything. Which type of alert/situation is this?
Protocol analyzer
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?
Make sure that legitimate network routers are configured to run routing protocols with authentication.
An attacker attaches a rogue router in a network. He wants to redirect traffic to a LAN attached to his router as part of a man-in-the-middle attack. What measure on behalf of the legitimate admin can mitigate this attack?
Hosts
An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com", the user is directed to a phishing site. Which file does the attacker need to modify?
DNS spoofing
An attacker is trying to redirect the traffic of a small office. That office is using their own mail server, DNS server and NTP server because of the importance of their job. The attacker gain access to the DNS server and redirect the direction www.google.com to his own IP address. Now when the employees of the office want to go to Google they are being redirected to the attacker machine. What is the name of this kind of attack?
BetterCAP Ettercap dnsiff MITMf Arpoison
An attacker, using a rogue wireless AP, performed an MITM attack and injected an HTML code to embed a malicious applet in all HTTP connections. When users accessed any page, the applet ran and exploited many machines. Which one of the following tools the hacker probably used to inject HTML code?
The network devices are not all synchronized.
An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up. What is the most likely cause?
Inference-based assessment
An organization is performing a vulnerability assessment for mitigating threats. James, a pen tester, scanned the organization by building an inventory of the protocols found on the organization's machines to detect which ports are attached to services such as an email server, a web server, or a database server. After identifying the services, he selected the vulnerabilities on each machine and started executing only the relevant tests. What is the type of vulnerability assessment solution that James employed in the above scenario?
Exploitation
You are a penetration tester working to test the user awareness of the employees of the client XYZ. You harvested two employees' emails from some public sources and are creating a client-side backdoor to send it to the employees via email. Which stage of the cyber kill chain are you at?
nmap -sT -O -T0
You are attempting to run an Nmap port scan on a web server. Which of the following commands would result in a scan of common ports with the least amount of noise in order to evade IDS?
Social engineering
You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist's email, and you send her an email changing the source email to her boss's email (boss@company). In this email, you ask for a pdf with information. She reads your email and sends back a pdf with links. You exchange the pdf links with your malicious links (these links contain malware) and send back the modified pdf, saying that the links don't work. She reads your email, opens the links, and her machine gets infected. You now have access to the company network. What testing method did you use?
Traffic is Blocked on UDP Port 53
You are the Network Admin, and you get a complaint that some of the websites are no longer accessible. You try to ping the servers and find them to be reachable. Then you type the IP address and then you try on the browser, and find it to be accessible. But they are not accessible when you try using the URL. What may be the problem?
An Intrusion Detection System
You just set up a security system in your network. In what kind of system would you find the following string of characters used as a rule within its configuration? alert tcp any any -> 192.168.100.0/24 21 (msg: ""FTP on the network!"";)
A web server facing the Internet, an application server on the internal network, a database server on the internal network
You need to deploy a new web-based software package for your organization. The package requires three separate servers and needs to be available on the Internet. What is the recommended architecture in terms of server placement?
Use a scan tool like Nessus
Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer?
