CEH Q&A


12. A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access point. The computer is able to transfer files locally to other machines, but cannot successfully reach the Internet. When the technician examines the IP address and default gateway they are both on the 192.168.1.0/24. Which of the following has occurred? A. The gateway is not routing to a public IP address. B. The computer is using an invalid IP address. C. The gateway and the computer are not on the same network. D. The computer is not using a private IP address.

Answer: A

13. Which of the following network attacks relies on sending an abnormally large packet size that exceeds TCP/IP specifications? A. Ping of death B. SYN flooding C. TCP hijacking D. Smurf attack

Answer: A

14. Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the network's IDS? A. Timing options to slow the speed that the port scan is conducted B. Fingerprinting to identify which operating systems are running on the network C. ICMP ping sweep to determine which hosts on the network are not available D. Traceroute to control the path of the packets sent during the scan

Answer: A

20. Which of the following can take an arbitrary length of input and produce a message digest output of 160 bit? A. SHA-1 B. MD5 C. HAVAL D. MD4

Answer: A

22. Which vital role does the U.S. Computer Security Incident Response Team (CSIRT) provide? A. Incident response services to any user, company, government agency, or organization in partnership with the Department of Homeland Security B. Maintenance of the nation's Internet infrastructure, builds out new Internet infrastructure, and decommissions old Internet infrastructure C. Registration of critical penetration testing for the Department of Homeland Security and public and private sectors D. Measurement of key vulnerability assessments on behalf of the Department of Defense (DOD) and State Department, as well as private sectors

Answer: A

26. When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing? A. At least once a year and after any significant upgrade or modification B. At least once every three years or after any significant upgrade or modification C. At least twice a year or after any significant upgrade or modification D. At least once every two years and after any significant upgrade or modification

Answer: A

27. Which United States legislation mandates that the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) must sign statements verifying the completeness and accuracy of financial reports? A. Sarbanes-Oxley Act (SOX) B. Gramm-Leach-Bliley Act (GLBA) C. Fair and Accurate Credit Transactions Act (FACTA) D. Federal Information Security Management Act (FISMA)

Answer: A

28. How can a policy help improve an employee's security awareness? A. By implementing written security procedures, enabling employee security training, and promoting the benefits of security B. By using informal networks of communication, establishing secret passing procedures, and immediately terminating employees C. By sharing security secrets with employees, enabling employees to share secrets, and establishing a consultative help line D. By decreasing an employee's vacation time, addressing ad-hoc employment clauses, and ensuring that managers know employee strengths

Answer: A

29. Which method can provide a better return on IT security investment and provide a thorough and comprehensive assessment of organizational security covering policy, procedure design, and implementation? A. Penetration testing B. Social engineering C. Vulnerability scanning D. Access control list reviews

Answer: A

31. International Organization for Standardization (ISO) standard 27002 provides guidance for compliance by outlining A. guidelines and practices for security controls. B. financial soundness and business viability metrics. C. standard best practice for configuration management. D. contract agreement writing standards.

Answer: A

38. A certified ethical hacker (CEH) is approached by a friend who believes her husband is cheating. She offers to pay to break into her husband's email account in order to find proof so she can take him to court. What is the ethical response? A. Say no; the friend is not the owner of the account. B. Say yes; the friend needs help to gather evidence. C. Say yes; do the job for free. D. Say no; make sure that the friend knows the risk she's asking the CEH to take.

Answer: A

40. As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the associated violations, and essentially protects both the organization's interest and your liabilities as a tester? A. Terms of Engagement B. Project Scope C. Non-Disclosure Agreement D. Service Level Agreement

Answer: A

6. Which of the following levels of algorithms does Public Key Infrastructure (PKI) use? A. RSA 1024 bit strength B. AES 1024 bit strength C. RSA 512 bit strength D. AES 512 bit strength

Answer: A

8. Which security strategy requires using several, varying methods to protect IT systems against attacks? A. Defense in depth B. Three-way handshake C. Covert channels D. Exponential backoff algorithm

Answer: A

After trying multiple exploits, you've gained root access to a Centos 6 server. To ensure you maintain access, what would you do first? A. Create User Account B. Disable Key Services C. Disable IPTables D. Download and Install Netcat

Answer: A

Your company performs penetration tests and security assessments for small and medium-sized businesses in the local area. During a routine security assessment, you discover information that suggests your client is involved with human trafficking. What should you do? A. Immediately stop work and contact the proper legal authorities. B. Copy the data to removable media and keep it in case you need it. C. Confront the client in a respectful manner and ask her about the data. D. Ignore the data and continue the assessment until completed as agreed.

Answer: A

A regional bank hires your company to perform a security assessment on their network after a recent data breach. The attacker was able to steal financial data from the bank by compromising only a single server. Based on this information, what should be one of your key recommendations to the bank? A. Place a front-end web server in a demilitarized zone that only handles external web traffic B. Require all employees to change their passwords immediately C. Move the financial data to another server on the same IP subnet D. Issue new certificates to the web servers from the root certificate authority

Answer: A Explanation: A DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external network node only has direct access to equipment in the DMZ, rather than any other part of the network. References: https://en.wikipedia.org/wiki/DMZ_(computing)

39. It is an entity or event with the potential to adversely impact a system through unauthorized access, destruction, disclosure, denial of service or modification of data. Which of the following terms best matches the definition? A. Threat B. Attack C. Vulnerability D. Risk

Answer: A Explanation: A threat is any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability. References: https://en.wikipedia.org/wiki/Threat_(computer)

Which of the following is the BEST way to defend against network sniffing? A. Using encryption protocols to secure network communications B. Register all machines MAC Address in a Centralized Database C. Restrict Physical Access to Server Rooms hosting Critical Servers D. Use Static IP Address

Answer: A Explanation: A way to protect your network traffic from being sniffed is to use encryption such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Encryption doesn't prevent packet sniffers from seeing source and destination information, but it does encrypt the data packet's payload so that all the sniffer sees is encrypted gibberish. References: http://netsecurity.about.com/od/informationresources/a/What-Is-A-Packet-Sniffer.htm

This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools. Which of the following tools is being described? A. Aircrack-ng B. Airguard C. WLAN-crack D. wificracker

Answer: A Explanation: Aircrack-ng is a complete suite of tools to assess WiFi network security. The default cracking method of Aircrack-ng is PTW, but Aircrack-ng can also use the FMS/KoreK method, which incorporates various statistical attacks to discover the WEP key and uses these in combination with brute forcing. References: http://www.aircrack-ng.org/doku.php?id=aircrack-ng

During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web-enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic? A. Application B. Circuit C. Stateful D. Packet Filtering

Answer: A Explanation: An application firewall is an enhanced firewall that limits access by applications to the operating system (OS) of a computer. Conventional firewalls merely control the flow of data to and from the central processing unit (CPU), examining each packet and determining whether or not to forward it toward a particular destination. An application firewall offers additional protection by controlling the execution of files or the handling of data by specific applications. References: http://searchsoftwarequality.techtarget.com/definition/application-firewall

Port scanning can be used as part of a technical assessment to determine network vulnerabilities. The TCP XMAS scan is used to identify listening ports on the targeted system. If a scanned port is open, what happens? A. The port will ignore the packets. B. The port will send an RST. C. The port will send an ACK. D. The port will send a SYN.

Answer: A Explanation: An attacker uses a TCP XMAS scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with all flags set in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. References: https://capec.mitre.org/data/definitions/303.html

43. It is a short-range wireless communication technology intended to replace the cables connecting portable or fixed devices while maintaining high levels of security. It allows mobile phones, computers and other devices to connect and communicate using a short-range wireless connection. Which of the following terms best matches the definition? A. Bluetooth B. Radio-Frequency Identification C. WLAN D. InfraRed

Answer: A Explanation: Bluetooth is a standard for the short-range wireless interconnection of mobile phones, computers, and other electronic devices. References: http://www.bbc.co.uk/webwise/guides/about-bluetooth

When you return to your desk after a lunch break, you notice a strange email in your inbox. The sender is someone you did business with recently, but the subject line has strange characters in it. What should you do? A. Forward the message to your company's security response team and permanently delete the message from your computer. B. Reply to the sender and ask them for more information about the message contents. C. Delete the email and pretend nothing happened D. Forward the message to your supervisor and ask for her opinion on how to handle the situation

Answer: A Explanation: By setting up an email address for your users to forward any suspicious email to, the emails can be automatically scanned and replied to, with security incidents created to follow up on any emails with attached malware or links to known bad websites. References: https://docs.servicenow.com/bundle/helsinki-security-management/page/product/threatintelligence/task/t_ConfigureScanEmailInboundAction.html

An attacker changes the profile information of a particular user (victim) on the target website. The attacker uses this string to update the victim's profile to a text file and then submit the data to the attacker's database. <iframe src="http://www.vulnweb.com/updateif.php" style="display:none"></iframe> What is this type of attack (that can use either HTTP GET or HTTP POST) called? A. Cross-Site Request Forgery B. Cross-Site Scripting C. SQL Injection D. Browser Hacking

Answer: A Explanation: Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Different HTTP request methods, such as GET and POST, have different levels of susceptibility to CSRF attacks and require different levels of protection due to their different handling by web browsers. References: https://en.wikipedia.org/wiki/Cross-site_request_forgery

45. You have compromised a server and successfully gained a root access. You want to pivot and pass traffic undetected over the network and evade any possible Intrusion Detection System. What is the best approach? A. Install Cryptcat and encrypt outgoing packets from this server. B. Install and use Telnet to encrypt all outgoing traffic from this server. C. Use Alternate Data Streams to hide the outgoing packets from this server. D. Use HTTP so that all traffic can be routed via a browser, thus evading the internal Intrusion Detection Systems.

Answer: A Explanation: Cryptcat enables us to communicate between two systems and encrypts the communication between them with twofish. References: http://null-byte.wonderhowto.com/how-to/hack-like-pro-create-nearly-undetectable-backdoor-with-cryptcat-0149264/

During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called? A. Split DNS B. DNSSEC C. DynDNS D. DNS Scheme

Answer: A Explanation: In a split DNS infrastructure, you create two zones for the same domain, one to be used by the internal network, the other used by the external network. Split DNS directs internal hosts to an internal domain name server for name resolution and external hosts are directed to an external domain name server for name resolution. References: http://www.webopedia.com/TERM/S/split_DNS.html

44. A hacker has successfully infected an internet-facing server which he will then use to send junk mail, take part in coordinated attacks, or host junk email content. Which sort of trojan infects this server? A. Botnet Trojan B. Turtle Trojans C. Banking Trojans D. Ransomware Trojans

Answer: A Explanation: In computer science, a zombie is a computer connected to the Internet that has been compromised by a hacker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam and launch denial-of-service attacks. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies. A coordinated DDoS attack by multiple botnet machines also resembles a zombie horde attack.

Jesse receives an email with an attachment labeled "Court_Notice_21206.zip". Inside the zip file is a file named "Court_Notice_21206.docx.exe" disguised as a Word document. Upon execution, a window appears stating, "This word document is corrupt." In the background, the file copies itself to Jesse's APPDATA\local directory and begins to beacon to a C2 server to download additional malicious binaries. What type of malware has Jesse encountered? A. Trojan B. Worm C. Macro Virus D. Key-Logger

Answer: A Explanation: In computing, a Trojan horse, or Trojan, is any malicious computer program which is used to hack into a computer by misleading users of its true intent. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller which can then have unauthorized access to the affected computer.

Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close. What just happened? A. Piggybacking B. Masquerading C. Phishing D. Whaling

Answer: A Explanation: In security, piggybacking refers to when a person tags along with another person who is authorized to gain entry into a restricted area, or pass a certain checkpoint. References: https://en.wikipedia.org/wiki/Piggybacking_(security)

Which tool allows analysts and pen testers to examine links between data using graphs and link analysis? A. Maltego B. Cain & Abel C. Metasploit D. Wireshark

Answer: A Explanation: Maltego is proprietary software used for open-source intelligence and forensics, developed by Paterva. Maltego focuses on providing a library of transforms for discovery of data from open sources, and visualizing that information in a graph format, suitable for link analysis and data mining. References: https://en.wikipedia.org/wiki/Maltego

Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer? A. Use a scan tool like Nessus B. Use the built-in Windows Update tool C. Check MITRE.org for the latest list of CVE findings D. Create a disk image of a clean Windows installation

Answer: A Explanation: Nessus is an open-source network vulnerability scanner that uses the Common Vulnerabilities and Exposures architecture for easy cross-linking between compliant security tools. The Nessus server is currently available for Unix, Linux and FreeBSD. The client is available for Unix- or Windows-based operating systems. Note: Significant capabilities of Nessus include: References: http://searchnetworking.techtarget.com/definition/Nessus

Prospective clients want to see sample reports from previous penetration tests. What should you do next? A. Decline, but provide references. B. Share full reports, not redacted. C. Share full reports with redactions. D. Share reports, after NDA is signed.

Answer: A Explanation: Penetration test data should not be disclosed to third parties.

46. It is a kind of malware (malicious software) that criminals install on your computer so they can lock it from a remote location. This malware generates a pop-up window, webpage, or email warning from what looks like an official authority. It explains that your computer has been locked because of possible illegal activities on it and demands payment before you can access your files and programs again. Which of the following terms best matches the definition? A. Ransomware B. Adware C. Spyware D. Riskware

Answer: A Explanation: Ransomware is a type of malware that can be covertly installed on a computer without knowledge or intention of the user that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction. Some forms of ransomware systematically encrypt files on the system's hard drive, which become difficult or impossible to decrypt without paying the ransom for the encryption key, while some may simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a Trojan. References: https://en.wikipedia.org/wiki/Ransomware

What is the benefit of performing an unannounced Penetration Testing? A. The tester will have an actual security posture visibility of the target network. B. Network security would be in a "best state" posture. C. It is best to catch critical infrastructure unpatched. D. The tester could not provide an honest analysis.

Answer: A Explanation: Real-life attacks will always come without expectation and they will often arrive in ways that are highly creative and very hard to plan for at all. This is, after all, exactly how hackers continue to succeed against network security systems, despite the billions invested in the data protection industry. A possible solution to this danger is to conduct intermittent "unannounced" penetration tests whose scheduling and occurrence is only known to the hired attackers and upper management staff instead of every security employee, as would be the case with "announced" penetration tests that everyone has planned for in advance. The former may be better at detecting realistic weaknesses. References: http://www.sitepronews.com/2013/03/20/the-pros-and-cons-of-penetration-testing/

Which of the following is a component of a risk assessment? A. Administrative safeguards B. Physical security C. DMZ D. Logical interface

Answer: A Explanation: A risk assessment includes: References: https://en.wikipedia.org/wiki/IT_risk_management#Risk_assessment

What is the best description of SQL Injection? A. It is an attack used to gain unauthorized access to a database. B. It is an attack used to modify code in an application. C. It is a Man-in-the-Middle attack between your SQL Server and Web App Server. D. It is a Denial of Service Attack.

Answer: A Explanation: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). References: https://en.wikipedia.org/wiki/SQL_injection

It is a vulnerability in GNU's bash shell, discovered in September of 2014, that gives attackers access to run remote commands on a vulnerable system. The malicious software can take control of an infected machine, launch denial-of-service attacks to disrupt websites, and scan for other vulnerable devices (including routers). Which of the following vulnerabilities is being described? A. Shellshock B. Rootshock C. Rootshell D. Shellbash

Answer: A Explanation: Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. References: https://en.wikipedia.org/wiki/Shellshock_(software_bug)

You just set up a security system in your network. In what kind of system would you find the following string of characters used as a rule within its configuration? alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";) A. An Intrusion Detection System B. A firewall IPTable C. A Router IPTable D. FTP Server rule

Answer: A Explanation: Snort is an open source network intrusion detection system (NIDS). Snort rule example: This example is a rule with a generator id of 1000001. alert tcp any any -> any 80 (content:"BOB"; gid:1000001; sid:1; rev:1;) References: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node31.html

Nation-state threat actors often discover vulnerabilities and hold on to them until they want to launch a sophisticated attack. The Stuxnet attack was an unprecedented style of attack because it used four types of vulnerability. What is this style of attack called? A. zero-day B. zero-hour C. zero-sum D. no-day

Answer: A Explanation: Stuxnet is a malicious computer worm believed to be a jointly built American-Israeli cyber weapon. Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. References: https://en.wikipedia.org/wiki/Stuxnet

33. An ethical hacker for a large security research firm performs penetration tests, vulnerability tests, and risk assessments. A friend recently started a company and asks the hacker to perform a penetration test and vulnerability assessment of the new company as a favor. What should the hacker's next step be before starting work on this job? A. Start by footprinting the network and mapping out a plan of attack. B. Ask the employer for authorization to perform the work outside the company. C. Begin the reconnaissance phase with passive information gathering and then move into active information gathering. D. Use social engineering techniques on the friend's employees to help identify areas that may be susceptible to attack.

Answer: B

It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing, and sharing any electronic medical data to keep patient data secure. Which of the following regulations best matches the description? A. HIPAA B. ISO/IEC 27002 C. COBIT D. FISMA

Answer: A Explanation: The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities" (generally, health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions). By regulation, the Department of Health and Human Services extended the HIPAA privacy rule to independent contractors of covered entities who fit within the definition of "business associates". References: https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#Privacy_Rule

49. Which of the following statements is TRUE? A. Sniffers operate on Layer 2 of the OSI model B. Sniffers operate on Layer 3 of the OSI model C. Sniffers operate on both Layer 2 & Layer 3 of the OSI model. D. Sniffers operate on the Layer 1 of the OSI model.

Answer: A Explanation: The OSI layer 2 is where packet sniffers collect their data. References: https://en.wikipedia.org/wiki/Ethernet_frame

This international organization regulates billions of transactions daily and provides security guidelines to protect personally identifiable information (PII). These security controls provide a baseline and prevent low-level hackers sometimes known as script kiddies from causing a data breach. Which of the following organizations is being described? A. Payment Card Industry (PCI) B. Center for Disease Control (CDC) C. Institute of Electrical and Electronics Engineers (IEEE) D. International Security Industry Organization (ISIO)

Answer: A Explanation: The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB. The PCI DSS standards are very explicit about the requirements for the back end storage and access of PII (personally identifiable information). References: https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

While using your bank's online servicing you notice the following string in the URL bar: "http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980&Camount=21" You observe that if you modify the Damount & Camount values and submit the request, that data on the web page reflect the changes. Which type of vulnerability is present on this site? A. Web Parameter Tampering B. Cookie Tampering C. XSS Reflection D. SQL injection

Answer: A Explanation: The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control. References: https://www.owasp.org/index.php/Web_Parameter_Tampering

The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE's Common Vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the OpenSSL implementation of the transport layer security (TLS) protocols defined in RFC6520. What type of key does this bug leave exposed to the Internet making exploitation of any compromised system very easy? A. Private B. Public C. Shared D. Root

Answer: A Explanation: The data obtained by a Heartbleed attack may include unencrypted exchanges between TLS parties likely to be confidential, including any form post data in users' requests. Moreover, the confidential data exposed could include authentication secrets such as session cookies and passwords, which might allow attackers to impersonate a user of the service. An attack may also reveal private keys of compromised parties. References: https://en.wikipedia.org/wiki/Heartbleed

42. You have successfully gained access to your client's internal network and successfully compromised a Linux server which is part of the internal IP network. You want to know which Microsoft Windows workstations have file sharing enabled. Which port would you see listening on these Windows machines in the network? A. 445 B. 3389 C. 161 D. 1433

Answer: A Explanation: The following ports are associated with file sharing and server message block (SMB) communications: References: https://support.microsoft.com/en-us/kb/298804

An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com", that the user is directed to a phishing site. Which file does the attacker need to modify? A. Hosts B. Sudoers C. Boot.ini D. Networks

Answer: A Explanation: The hosts file is a computer file used by an operating system to map hostnames to IP addresses. The hosts file contains lines of text consisting of an IP address in the first text field followed by one or more host names. References: https://en.wikipedia.org/wiki/Hosts_(file)

You have successfully compromised a machine on the network and found a server that is alive on the same network. You tried to ping it but you didn't get any response back. What is happening? A. ICMP could be disabled on the target server. B. The ARP is disabled on the target server. C. TCP/IP doesn't support ICMP. D. You need to run the ping command with root privileges.

Answer: A Explanation: The ping utility is implemented using the ICMP "Echo request" and "Echo reply" messages. Note: The Internet Control Message Protocol (ICMP) is one of the main protocols of the internet protocol suite. It is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached. References: https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

Under the "Post-attack Phase and Activities", it is the responsibility of the tester to restore the systems to a pre-test state. Which of the following activities should not be included in this phase? (see exhibit) Exhibit: A. I. Removing all files uploaded on the system B. II. Cleaning all registry entries C. III. Mapping of network state D. IV. Removing all tools and maintaining backdoor for reporting

Answer: A Explanation: The post-attack phase revolves around returning any modified system(s) to the pretest state. Examples of such activities: References: Computer and Information Security Handbook, John R. Vacca (2012), page 531

A medium-sized healthcare IT business decides to implement a risk management strategy. Which of the following is NOT one of the five basic responses to risk? A. Delegate B. Avoid C. Mitigate D. Accept

Answer: A Explanation: There are five main ways to manage risk: acceptance, avoidance, transference, mitigation or exploitation. References: http://www.dbpmanagement.com/15/5-ways-to-manage-risk

In 2007, this wireless security algorithm was rendered useless by capturing packets and discovering the passkey in a matter of seconds. This security flaw led to a network invasion of TJ Maxx and data theft through a technique known as wardriving. Which algorithm is this referring to? A. Wired Equivalent Privacy (WEP) B. Wi-Fi Protected Access (WPA) C. Wi-Fi Protected Access 2 (WPA2) D. Temporal Key Integrity Protocol (TKIP)

Answer: A Explanation: WEP is currently the most used protocol for securing 802.11 networks, also called wireless LANs or WLANs. In 2007, a new attack on WEP, the PTW attack, was discovered, which allows an attacker to recover the secret key in less than 60 seconds in some cases. Note: Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA). References: https://events.ccc.de/camp/2007/Fahrplan/events/1943.en.html

41. Initiating an attack against targeted businesses and organizations, threat actors compromise a carefully selected website by inserting an exploit resulting in malware infection. The attackers run exploits on well-known and trusted sites likely to be visited by their targeted victims. Aside from carefully choosing sites to compromise, these attacks are known to incorporate zero-day exploits that target unpatched vulnerabilities. Thus, the targeted entities are left with little or no defense against these exploits. What type of attack is outlined in the scenario? A. Watering Hole Attack B. Heartbleed Attack C. Shellshock Attack D. Spear Phishing Attack

Answer: A Explanation: Watering Hole is a computer attack strategy, in which the victim is a particular group (organization, industry, or region). In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with malware. Eventually, some member of the targeted group gets infected.

You have successfully gained access to a Linux server and would like to ensure that the succeeding outgoing traffic from this server will not be caught by a Network-Based Intrusion Detection System (NIDS). What is the best way to evade the NIDS? A. Encryption B. Protocol Isolation C. Alternate Data Streams D. Out of band signalling

Answer: A Explanation: When the NIDS encounters encrypted traffic, the only analysis it can perform is packet level analysis, since the application layer contents are inaccessible. Given that exploits against today's networks are primarily targeted against network services (application layer entities), packet level analysis ends up doing very little to protect our core business assets. References: http://www.techrepublic.com/article/avoid-these-five-common-ids-implementation-errors/

The network administrator contacts you and tells you that she noticed the temperature on the internal wireless router increases by more than 20% during weekend hours when the office was closed. She asks you to investigate the issue because she is busy dealing with a big conference and she doesn't have time to perform the task. What tool can you use to view the network traffic being sent and received by the wireless router? A. Wireshark B. Nessus C. Netcat D. Netstat

Answer: A Explanation: Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

48. You have compromised a server on a network and successfully opened a shell. You aimed to identify all operating systems running on the network. However, as you attempt to fingerprint all machines in the network using the nmap syntax below, it is not going through. invictus@victim_server:~$ nmap -T4 -O 10.10.0.0/24 TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING! What seems to be wrong? A. OS Scan requires root privileges. B. The nmap syntax is wrong. C. This is a common behavior for a corrupted nmap application. D. The outgoing TCP/IP fingerprinting is blocked by the host firewall.

Answer: A Explanation: You requested a scan type which requires root privileges. References: http://askubuntu.com/questions/433062/using-nmap-for-information-regarding-web-host

You've gained physical access to a Windows 2008 R2 server which has an accessible disc drive. When you attempt to boot the server and log in, you are unable to guess the password. In your tool kit you have an Ubuntu 9.10 Linux LiveCD. Which Linux-based tool has the ability to change any user's password or to activate disabled Windows accounts? A. CHNTPW B. Cain & Abel C. SET D. John the Ripper

Answer: A Explanation: chntpw is a software utility for resetting or blanking local passwords used by Windows NT, 2000, XP, Vista, 7, 8 and 8.1. It does this by editing the SAM database where Windows stores password hashes. References: https://en.wikipedia.org/wiki/Chntpw

47. You have successfully compromised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly. What is the best nmap command you will use? A. nmap -T4 -F 10.10.0.0/24 B. nmap -T4 -r 10.10.1.0/24 C. nmap -T4 -O 10.10.0.0/24 D. nmap -T4 -q 10.10.0.0/24

Answer: A Explanation: command = nmap -T4 -F description = This scan is faster than a normal scan because it uses the aggressive timing template and scans fewer ports. References: https://svn.nmap.org/nmap/zenmap/share/zenmap/config/scan_profile.usp

50. You are logged in as a local admin on a Windows 7 system and you need to launch the Computer Management Console from the command line. Which command would you use? A. c:\compmgmt.msc B. c:\services.msc C. c:\ncpa.cp D. c:\gpedit

Answer: A Explanation: To start the Computer Management Console from the command line, just type compmgmt.msc /computer:computername in your Run box or at the command line and it should automatically open the Computer Management console. References: http://www.waynezim.com/tag/compmgmtmsc/

16. Which Open Web Application Security Project (OWASP) implements a web application full of known vulnerabilities? A. WebBugs B. WebGoat C. VULN_HTML D. WebScarab

Answer: B

18. Which of the following algorithms provides better protection against brute force attacks by using a 160-bit message digest? A. MD5 B. SHA-1 C. RC4 D. MD4

Answer: B

3. Company A and Company B have just merged and each has its own Public Key Infrastructure (PKI). What must the Certificate Authorities (CAs) establish so that the private PKIs for Company A and Company B trust one another and each private PKI can validate digital certificates from the other company? A. Poly key exchange B. Cross certification C. Poly key reference D. Cross-site exchange

Answer: B

32. Which type of security document is written with specific step-by-step details? A. Process B. Procedure C. Policy D. Paradigm

Answer: B

34. A certified ethical hacker (CEH) completed a penetration test of the main headquarters of a company almost two months ago, but has yet to get paid. The customer is suffering from financial problems, and the CEH is worried that the company will go out of business and end up not paying. What actions should the CEH take? A. Threaten to publish the penetration test results if not paid. B. Follow proper legal procedures against the company to request payment. C. Tell other customers of the financial problems with payments from this company. D. Exploit some of the vulnerabilities found on the company webserver to deface it.

Answer: B

36. A consultant has been hired by the V.P. of a large financial organization to assess the company's security posture. During the security testing, the consultant comes across child pornography on the V.P.'s computer. What is the consultant's obligation to the financial organization? A. Say nothing and continue with the security testing. B. Stop work immediately and contact the authorities. C. Delete the pornography, say nothing, and continue security testing. D. Bring the discovery to the financial organization's human resource department.

Answer: B

7. Which of the following is a characteristic of Public Key Infrastructure (PKI)? A. Public-key cryptosystems are faster than symmetric-key cryptosystems. B. Public-key cryptosystems distribute public-keys within digital signatures. C. Public-key cryptosystems do not require a secure key distribution channel. D. Public-key cryptosystems do not provide technical non-repudiation via digital signatures.

Answer: B

10. Which statement best describes a server type under an N-tier architecture? A. A group of servers at a specific layer B. A single server with a specific role C. A group of servers with a unique role D. A single server at a specific layer

Answer: C

21. Which element of Public Key Infrastructure (PKI) verifies the applicant? A. Certificate authority B. Validation authority C. Registration authority D. Verification authority

Answer: C

24. Which of the following ensures that updates to policies, procedures, and configurations are made in a controlled and documented fashion? A. Regulatory compliance B. Peer review C. Change management D. Penetration testing

Answer: C

25. Which of the following tools would be the best choice for achieving compliance with PCI Requirement 11? A. Truecrypt B. Sub7 C. Nessus D. Clamwin

Answer: C

35. Which initial procedure should an ethical hacker perform after being brought into an organization? A. Begin security testing. B. Turn over deliverables. C. Sign a formal contract with non-disclosure. D. Assess what the organization is trying to protect.

Answer: C

4. Which of the following defines the role of a root Certificate Authority (CA) in a Public Key Infrastructure (PKI)? A. The root CA is the recovery agent used to encrypt data when a user's certificate is lost. B. The root CA stores the user's hash value for safekeeping. C. The CA is the trusted root that issues certificates. D. The root CA is used to encrypt email messages to prevent unintended disclosure of data.

Answer: C

5. A network security administrator is worried about potential man-in-the-middle attacks when users access a corporate web site from their workstations. Which of the following is the best remediation against this type of attack? A. Implementing server-side PKI certificates for all connections B. Mandating only client-side PKI certificates for all connections C. Requiring client and server PKI certificates for all connections D. Requiring strong authentication for all DNS queries

Answer: C

9. SOAP services use which technology to format information? A. SATA B. PCI C. XML D. ISDN

Answer: C

1. For messages sent through an insecure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. While using a digital signature, the message digest is encrypted with which key? A. Sender's public key B. Receiver's private key C. Receiver's public key D. Sender's private key

Answer: D

11. If an e-commerce site was put into a live environment and the programmers failed to remove the secret entry point that was used during the application development, what is this secret entry point known as? A. SDLC process B. Honey pot C. SQL injection D. Trap door

Answer: D

15. When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is A. OWASP is for web applications and OSSTMM does not include web applications. B. OSSTMM is gray box testing and OWASP is black box testing. C. OWASP addresses controls and OSSTMM does not. D. OSSTMM addresses controls and OWASP does not.

Answer: D

17. What are the three types of compliance that the Open Source Security Testing Methodology Manual (OSSTMM) recognizes? A. Legal, performance, audit B. Audit, standards based, regulatory C. Contractual, regulatory, industry D. Legislative, contractual, standards based

Answer: D

19. Which cipher encrypts the plain text digit (bit or byte) one by one? A. Classical cipher B. Block cipher C. Modern cipher D. Stream cipher

Answer: D

2. Some passwords are stored using specialized encryption algorithms known as hashes. Why is this an appropriate method? A. It is impossible to crack hashed user passwords unless the key used to encrypt them is obtained. B. If a user forgets the password, it can be easily retrieved using the hash key stored by administrators. C. Hashing is faster compared to more traditional encryption algorithms. D. Passwords stored using hashes are non-reversible, making finding the password much more difficult.

Answer: D

23. How do employers protect assets with security policies pertaining to employee surveillance activities? A. Employers promote monitoring activities of employees as long as the employees demonstrate trustworthiness. B. Employers use informal verbal communication channels to explain employee monitoring activities to employees. C. Employers use network surveillance to monitor employee email traffic, network access, and to record employee keystrokes. D. Employers provide employees written statements that clearly discuss the boundaries of monitoring activities and consequences.

Answer: D

30. Which of the following guidelines or standards is associated with the credit card industry? A. Control Objectives for Information and Related Technology (COBIT) B. Sarbanes-Oxley Act (SOX) C. Health Insurance Portability and Accountability Act (HIPAA) D. Payment Card Industry Data Security Standards (PCI DSS)

Answer: D

37. A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash. The technician researches the bug and discovers that no one else experienced the problem. What is the appropriate next step? A. Ignore the problem completely and let someone else deal with it. B. Create a document that will crash the computer when opened and send it to friends. C. Find an underground bulletin board and attempt to sell the bug to the highest bidder. D. Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.

Answer: D
