CEH Oriyano Practice Tests
1.77. In a packet analyzer, where can you see where the FIN flag is set? a. tcp - header b. tcp - packet c. udp - flags d. tcp - flags
d. in a packet analyzer such as wireshark, the fin flag can be viewed under the tcp section and then the flags section.
1.92. Which RAID configuration is not viable or used anymore? a. raid-1 b. raid-3 c. raid-5 d. raid-2
d. raid2 uses hamming code, which does not provide any redundancy and requires using either 14 or 39 hard disks to implement. Because of the hard disk requirements, it is not fiscally acceptable due to other better and more capable raid configurations available. therefore, raid2 is primarily not used.
1.113. At what bandwidth does an 802.11a access point operate? a. 54 Mbps b. 1 Gbps c. 5 GHz d. 2.4 GHz
a. a wireless access point using an 802.11a standard will have an operating speed of 54 megabits per second (Mbps).
1.97. Which OS build provides a suite of tools for network defense purposes? a. kali linux b. windows server 2012 r2 c. freebsd d. security onion
d. security onion is a linux distribution based on ubuntu. It uses an array of sensors and applications that can be customized to monitor and defend the network environment.
1.91. Which of the following tools allows you to create certificates that are not officially signed by the CA? a. cain and abel b. nmap c. ettercap d. darkether
a. cain and abel allows the adversary or pentester to carefully craft their own certificates or have the application create its own, depending on the scenario. in either case, when prompted to accept the certificate from cain and abel, the browser will warn the user that this certificate has not been verified (trusted).
1.37 What is the main drawback to using Kerberos? a. symmetric keys can be compromised if not secured b. kerberos uses weak cryptography and keys can be easily cracked c. kerberos uses asymmetric cryptography and can be easily exploited d. the adversary can replay the ticket-granting ticket to gain access to a system or service
a. if the adversary can capture the symmetric key used in kerberos for an account, the adversary will have a wide array of access to network resources.
1.46. As a network admin, you see a familiar ip address pinging the broadcast address. What do you believe is happening? a. smurf attack b. dns poisoning c. mitm attack d. trojan virus infecting the gateway
a. in a smurf attack, the adversary spoofs a victim's ip address. the adversary will then ping the broadcast address and all the nodes on the lan respond back to the spoofed ip address of the victim. the result is a DoS attack on the victim's workstation.
1.96. Which of the following has no key associated with it? a. md5 b. aes c. skipjack d. pgp
a. md5 is a hashing algorithm. it has no key associated with it, and therefore, it can be used by anyone. The purpose of hashing data is to provide a way to verify integrity, not origin.
1.25 Out of the following, which is one of RSA's registered key strengths? a. 1,024 bits b. 256 bits c. 128 bits d. 512 bits
a. rsa uses 1,024 and 2,048 bit key strengths as asymmetric encryption algorithms.
1.71. Which exploitation was associated with the heart bleed attack? a. buffer overflow b. mitm c. fraggle attack d. smurf attack
a. the heart bleed attack leveraged a buffer overflow exploitation in order to push the service into replying with more payload data than designed. this results in data leakage.
1.57 You are the attacker that has successfully conducted a sql injection vulnerability assessment on a target site. Which keyword would you use to join the target db with your own malicious db as part of the sql injection? a. union b. add c. select d. join
a. the keyword UNION is a sql command that joins two databases. In this case, you are joining the target db with your own malicious db. you might do something like this to steal credentials from the db for later use.
1.33 Which scanning tool is more likely going to yield accurate results for the hacker? a. ncat b. nmap c. ping d. nslookup
a. within the ncat program, an adversary is able to conduct a sweeping array of scanning functions against a target system or range of hosts. it is more accurate than using nmap or netcat because ncat can fingerprint the os and other special and unique features. ncat is installed with most versions of the linux distributions.
1.88. When considering the risks of local storage vs. third-party cloud storage, which statement is most accurate? a. cloud storage is more secure because the commercial vendor has trained security professionals. b. when storage is local, you are responsible and accountable for the storage services c. you can sue the cloud provider for damages d. the cloud has more layers of security than traditional local storage infrastructures
b. although cloud computing is very versatile, it lacks the encompassing security posture one would think it may have. Because of the fact that you are depending on the commercial provider to enforce strict security practices and policies, you may actually never know what they are. One thing to keep in mind is that by using a free cloud solution, the contract that you agree to may very well provide cover for the provider from being sued by its customers for data loss, theft and damages, and other cyber incidents.
1.107. What type of attack best defines the following? An email contains a link with the subject line "congrats on your cruise". The email instructs the reader to click a hyperlink to claim the cruise. When the link is clicked, the reader is presented with a series of questions within an online form, such as name, ss# and date of birth. a. email phishing b. spear phishing c. social engineering d. identity theft
b. an example of spear phishing is an email soliciting the user to click a link or reply back with sensitive information. spear phishing targets individuals of high importance.
1.3. What tool is able to conduct a man in the middle attack on an 802.3 environment? a. ettercap b. cain and abel c. wireshark d. nmap
b. cain and abel provides a suite of tools for password cracking and arp poisoning, for example.
1.26 To provide nonrepudiation for email, which algorithm would you choose to implement? a. AES b. DSA c. 3DES d. Skipjack
b. digital signature authority (DSA) provides only nonrepudiation for emails. It does not provide confidentiality, integrity, or even authentication.
1.39. Which response would the adversary receive on closed ports if they conducted an XMAS scan? a. rst b. rst/ack c. no response d. fin/ack
b. during an xmas scan, the adversary would receive an rst/ack response from the port if it is closed because the scan sends the fin, urg, and psh flags.
1.28 Your end clients report that they cannot reach any website on the external network. As the network admin, you decide to conduct some fact finding. Upon your investigation, you determine that you are able to ping outside of the LAN to external websites using their IP address. Pinging websites with their domain name resolution does not work. What is most likely causing the issue? a. the firewall is blocking dns resolution b. the dns server is not functioning correctly c. the external websites are not responding d. http get request is being dropped at the firewall from going out
b. if you are able to ping and even visit an external website using its ip address and not its fully qualified domain name (fqdn), it is more probable that the dns server is having issues. Check the dns server for functionality.
1.69. What is patch management? a. deploying patches when they are available b. testing patches in a testing env before they are deployed to the production env c. deploying patches at the end of the month d. determining what vulnerabilities are currently on your network and deploying patches immediately to eliminate the threat
b. patch management is actively testing patches in a testing environment and then deploying them into production. it also includes a fallback or rollback plan that is associated with patch management in case there were side effects that were not identified during the testing phase.
1.35. Why would an attacker want to avoid tapping into a fiber-optic line? a. it costs a lot of money to tap b. if done wrong, it could cause the entire connection signal to drop, therefore bringing unwanted attention from the targeted organization. c. the network traffic would slow down significantly d. tapping the line could alert an IPS/IDS
b. tapping a fiber line is very complicated. unlike tapping into ethernet, tapping into a fiber line could potentially drop network traffic or even bring down the entire connection if too much light escapes the glass or plastic core.
1.17 What is the default TTL value for MS Win7 OS? a. 64 b. 128 c. 255 d. 256
b. the default ttl value for most ms os is 128.
1.76. In linux, what file allows you to see user information such as full name, phone number, and office information? a. shadow file b. passwd file c. userinfo file d. useraccount file
b. the passwd file stores general information about the users account such as name and location.
1.101. What is the max byte size for a udp packet? a. 65,535 b. 65,507 c. 1,500 d. 65,527
b. the total udp packet size is 65,535. the udp header (8 bytes) and the ip header together make up the 28 byte overhead. The total udp packet size is 65,535 bytes, so you subtract 28 bytes from the total size. This should give you a value of 65,507 for the total udp payload size.
1.66 What port number or numbers is/are associated with the ip protocol? a. 0 to 65535 b. no ports c. 53 d. 80
b. there are no port numbers associated with ip because it is a connectionless protocol.
1.94. "Something you are" is considered part of which authentication factor type? a. type 1 b. type 3 c. type 2 d. multifactor authentication
b. when implementing an identification process, "something you are" refers to biometric authentication. This is considered a type 3 authentication factor.
1.61. Where is the logfile that is associated with the activities of the last user that signed in within a linux system? a. /var/log/user_log b. /var/log/messages c. /var/log/lastlog d. /var/log/last_user
c. in linux, the lastlog file is located in the /var/log/ directory. this file contains the last user that was logged in, with all of their activity recorded.
1.93. This protocol is used for authentication purposes; it sends cleartext usernames and passwords with no forms of encryption or a means of challenging. What authentication protocol is this? a. chap b. pop c. pap d. mschap
c. password authentication protocol (pap) is a weak authentication protocol. it does not encrypt any data and the authentication credentials are sent in the clear. there is no method for challenging at either end; therefore it is very easy to intercept and masquerade as a legitimate user.
1.8 A hacker is conducting the following on the target workstation: nmap -sT 192.33.10.5. The attacker is in which phase? a. covering tracks b. enumeration c. scanning and enumeration d. gaining access
c. the attacker is using the nmap function to conduct a tcp connection scan on the target, which is part of the scanning and enumeration phase.
1.43. Which of the following allows the adversary to forge certificates for authentication? a. wireshark b. ettercap c. cain and abel d. ncat
c. with cain and abel, the adversary can forge certificates; however, the application lacks the ability to make the certificates look authentic. The user will be prompted, indicating that the certificate is not trusted.
1.81. Which of the following functions is no longer utilized within ipv6? a. multicast b. anycast c. unicast d. broadcast
d. broadcast is no longer used within ipv6 because of its inefficiency. ipv6 contains advanced protocols for host discovery.
1.115. What Transport layer protocol does DHCP operate with? a. ip b. tcp c. icmp d. udp
d. dhcp uses the udp protocol because it is a connectionless service.
1.83. Which application uses two ports? a. telnet b. icmp c. https d. ftp
d. ftp uses port 21 for commands and port 20 for data control.
1.42. Which of the following best describes dns poisoning? a. the adversary intercepts and replaces the victim's mac address with their own b. the adversary replaces their malicious ip address with the victim's ip address for the domain name c. the adversary replaces the legitimate domain name with the malicious domain name d. the adversary replaces the legitimate ip address that is mapped to the domain name with the malicious ip address
d. the adversary replaces the legitimate ip address for the domain name with the malicious ip address. the victim will not be aware of the switch because the domain name is being used and not the ip address.
1.49. Which regional internet registry is responsible for n. and s. america? a. ripe b. amernic c. lacnic d. arin
d. the american registry for internet numbers (ARIN) is one of the five domain name registrants and is responsible for north and south america.
1.13 What is the major vulnerability for an ARP request? a. it sends out an address request to all the hosts on the LAN b. the address is returned with a username and password in cleartext c. the address request can cause a DoS d. the address request can be spoofed with the attacker's MAC address
d. the arp request does not authenticate with the requested host; therefore, it is possible that the attacker can spoof the address of the victim with its own mac address.
1.78. Which type of packet does a fraggle attack use to create a DoS attack? a. tcp b. ip c. icmp d. udp
d. the fraggle attack uses a spoofed source ip and udp packets as its method of delivery because of speed and lack of error correction.
1.41 Which password is more secure? a. 19Apple b. pass123!! c. P@$$w0rD d. keepyourpasswordsecuretoyourself
d. the longer the password, the more it uses the advantage of the key space for encryption. Short complex passwords can be cracked within a reasonable amount of time. A password that is simple but longer will be exponentially harder to crack.
1.14 You are the CISO for a popular social website. You recently learned that your web servers have been compromised with the SSL heart bleed zero day exploit. What will be your most likely first course of action to defend against? a. patch all systems b. establish new cryptographic keys c. shut down internet facing web services d. restrict access to sensitive information
d. the most likely course of action is to restrict access to sensitive information. By doing so, you allow business services to continue while protecting user private data until a remediation can be performed.
1.80. What protocol would you use to conduct banner grabbing? a. ftp b. irc c. dns d. telnet
d. using telnet allows the adversary to enumerate services and versioning of a target system.