CEH ?s #3
Which protocol is used for setting up secure channels between two devices, typically in VPNs? A. PEM B. ppp C. IPSEC D. SET
IPSEC
What firewall evasion scanning technique makes use of a zombie system that has low network activity as well as its fragment identification numbers? A. Packet fragmentation scanning B. Spoof source address scanning C. Decoy scanning D. Idle scanning
Idle scanning
Attacker Lauren has gained the credentials of an organization's internal server system, and she was often logging in during irregular times to monitor the network activities. The organization was skeptical about the login times and appointed security professional Robert to determine the issue. Robert analyzed the compromised device to find incident details such as the type of attack, its severity, target, impact, method of propagation, and vulnerabilities exploited. What is the incident handling and response (IH&R) phase, in which Robert has determined these issues? A. Incident triage B. Preparation C. Incident recording and assignment D. Eradication
Incident triage
You have compromised a server and successfully gained root access. You want to pivot and pass traffic undetected over the network and evade any possible Intrusion Detection System. What is the best approach? A. Use Alternate Data Streams to hide the outgoing packets from this server. B. Use HTTP so that all traffic can be routed via a browser, thus evading the internal Intrusion Detection Systems. C. Install Cryptcat and encrypt outgoing packets from this server. D. Install and use Telnet to encrypt all outgoing traffic from this server.
Install Cryptcat and encrypt outgoing packets from this server.
You are a security officer of a company. You received an alert from the IDS indicating that one PC on your Intranet is connected to a blacklisted IP address (C2 Server) on the Internet. The IP address was blacklisted just before the alert. You are starting an investigation to roughly analyze the severity of the situation. Which of the following is appropriate to analyze? A. IDS log B. Event logs on domain controller C. Internet Firewall/Proxy log. D. Event logs on the PC
Internet Firewall/Proxy log
Which of the following is a passive wireless packet analyzer that works on Linux-based systems? A. Burp Suite B. OpenVAS C. tshark D. Kismet
Kismet
Garry is a network administrator in an organization. He uses SNMP to manage networked devices from a remote location. To manage nodes in the network, he uses a MIB, which contains formal descriptions of all network objects managed by SNMP. He accesses the contents of the MIB by using a web browser, either by entering the IP address and Lseries.mib or by entering the DNS library name and Lseries.mib. He is currently retrieving information from a MIB that contains object types for workstations and server services. Which of the following types of MIB is accessed by Garry in the above scenario? A. LNMIB2.MIB B. DHCP.MIB C. MIB_II.MIB D. WINS.MIB
LNMIB2.MIB
Larry, a security professional in an organization, has noticed some abnormalities in the user accounts on a web server. To thwart evolving attacks, he decided to harden the security of the web server by adopting a few countermeasures to secure the accounts on the web server. Which of the following countermeasures must Larry implement to secure the user accounts on the web server? A. Retain all unused modules and application extensions. B. Limit the administrator or root-level access to the minimum number of users. C. Enable all non-interactive accounts that should exist but do not require interactive login. D. Enable unused default user accounts created during the installation of an OS.
Limit the administrator or root-level access to the minimum number of users.
Which tier in the N-tier application architecture is responsible for moving and processing data between the tiers? A. Presentation tier B. Application Layer C. Logic tier D. Data tier
Logic tier
Which of the following is considered an exploit framework and has the ability to perform automated attacks on services, ports, applications and unpatched security flaws in a computer system? A. Maltego B. Wireshark C. Nessus D. Metasploit
Metasploit
When conducting a penetration test, it is crucial to use all means to get all available information about the target network. One of the ways to do that is by sniffing the network. Which of the following cannot be performed by passive network sniffing? A. Capturing network traffic for further analysis B. Collecting unencrypted information about usernames and passwords C. Modifying and replaying captured network traffic D. Identifying operating systems, services, protocols and devices
Modifying and replaying captured network traffic
Which of the following protocols can be used to secure an LDAP service against anonymous queries? A. NTLM B. RADIUS C. WPA D. SSO
NTLM
Bob, your senior colleague, has sent you a mail regarding a deal with one of the clients. You are requested to accept the offer and you oblige. After 2 days, Bob denies that he had ever sent a mail. What do you want to know to prove to yourself that it was Bob who had sent the mail? A. Non-Repudiation B. Integrity C. Authentication D. Confidentiality
Non-Repudiation
You have compromised a server on a network and successfully opened a shell. You aimed to identify all operating systems running on the network. However, as you attempt to fingerprint all machines in the network using the nmap syntax below, it is not going through. invictus@victim_server.~$ nmap -T4 -O 10.10.0.0/24 TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING! What seems to be wrong? A. The nmap syntax is wrong. B. This is a common behavior for a corrupted nmap application. C. The outgoing TCP/IP fingerprinting is blocked by the host firewall. D. OS Scan requires root privileges.
OS Scan requires root privileges.
Websites and web portals that provide web services commonly use the Simple Object Access Protocol (SOAP). Which of the following is an incorrect definition or characteristic of the protocol? A. Exchanges data between web services B. Only compatible with the application protocol HTTP C. Provides a structured model for messaging D. Based on XML
Only compatible with the application protocol HTTP
Which of the following statements is TRUE? A. Packet Sniffers operate on the Layer 1 of the OSI model. B. Packet Sniffers operate on Layer 2 of the OSI model. C. Packet Sniffers operate on both Layer 2 & Layer 3 of the OSI model. D. Packet Sniffers operate on Layer 3 of the OSI model.
Packet Sniffers operate on Layer 2 of the OSI model.
Morris, a professional hacker, performed a vulnerability scan on a target organization by sniffing the traffic on the network to identify the active systems, network services, applications, and vulnerabilities. He also obtained the list of the users who are currently accessing the network. What is the type of vulnerability assessment that Morris performed on the target organization? A. Credentialed assessment B. Internal assessment C. External assessment D. Passive assessment
Passive assessment
How can rainbow tables be defeated? A. Use of non-dictionary words B. All uppercase character passwords C. Password salting D. Lockout accounts under brute force password cracking attempts
Password salting
What would be the fastest way to perform content enumeration on a given web server by using the Gobuster tool? A. Performing content enumeration using the bruteforce mode and 10 threads B. Performing content enumeration using the bruteforce mode and random file extensions C. Skipping SSL certificate verification D. Performing content enumeration using a wordlist
Performing content enumeration using a wordlist
Attacker Steve targeted an organization's network with the aim of redirecting the company's web traffic to another malicious website. To achieve this goal, Steve performed DNS cache poisoning by exploiting the vulnerabilities in the DNS server software and modified the original IP address of the target website to that of a fake website. What is the technique employed by Steve to gather information for identity theft? A. Pharming B. Skimming C. Pretexting D. Wardriving
Pharming
Which of the following provides a security professional with the most information about the system's security posture? A. Phishing, spamming, sending trojans B. Social engineering, company site browsing, tailgating C. Wardriving, warchalking, social engineering D. Port scanning, banner grabbing, service identification
Port scanning, banner grabbing, service identification
During the process of encryption and decryption, what keys are shared? A. Public keys B. Private keys C. Public and private keys D. User passwords
Public and private keys
An Internet Service Provider (ISP) has a need to authenticate users connecting via analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay network. Which AAA protocol is the most likely able to handle this requirement? A. RADIUS B. Kerberos C. DIAMETER D. TACACS+
RADIUS
David is a security professional working in an organization, and he is implementing a vulnerability management program in the organization to evaluate and control the risks and vulnerabilities in its IT infrastructure. He is currently executing the process of applying fixes on vulnerable systems to reduce the impact and severity of vulnerabilities. Which phase of the vulnerability-management life cycle is David currently in? A. Remediation B. Verification C. Risk assessment D. Vulnerability scan
Remediation
A security analyst is performing an audit on the network to determine if there are any deviations from the security policies in place. The analyst discovers that a user from the IT department had a dial-out modem installed. Which security policy must the security analyst check to see if dial-out modems are allowed? A. Firewall-management policy B. Acceptable-use policy C. Permissive policy D. Remote-access policy
Remote-access policy
Richard, an attacker, aimed to hack IoT devices connected to a target network. In this process, Richard recorded the frequency required to share information between connected devices. After obtaining the frequency, he captured the original data when commands were initiated by the connected devices. Once the original data were collected, he used free tools such as URH to segregate the command sequence. Subsequently, he started injecting the segregated command sequence on the same frequency into the IoT network, which repeats the captured signals of the devices. What is the type of attack performed by Richard in the above scenario? A. Cryptanalysis attack B. Reconnaissance attack C. Side-channel attack D. Replay attack
Replay attack
Bill is a network administrator. He wants to eliminate unencrypted traffic inside his company's network. He decides to set up a SPAN port and capture all traffic to the datacenter. He immediately discovers unencrypted traffic on port UDP 161. What protocol is this port using and how can he secure that traffic? A. RPC and the best practice is to disable RPC completely. B. SNMP and he should change it to SNMP V3. C. SNMP and he should change it to SNMP V2, which is encrypted. D. It is not necessary to perform any actions, as SNMP is not carrying important information.
SNMP and he should change it to SNMP V3.
Widespread fraud at Enron, WorldCom, and Tyco led to the creation of a law that was designed to improve the accuracy and accountability of corporate disclosures. It covers accounting firms and third parties that provide financial services to some organizations and came into effect in 2002. This law is known by what acronym? A. SOX B. FedRAMP C. HIPAA D. PCI DSS
SOX
Robin, a professional hacker, targeted an organization's network to sniff all the traffic. During this process, Robin plugged a rogue switch into an unused port in the LAN with a priority lower than any other switch in the network so that he could make it a root bridge that will later allow him to sniff all the traffic in the network. What is the attack performed by Robin in the above scenario? A. ARP spoofing attack B. STP attack C. DNS poisoning attack D. VLAN hopping attack
STP attack
Which of the following scanning methods splits the TCP header into several packets and makes it difficult for packet filters to detect the purpose of the packet? A. ACK flag probe scanning B. ICMP Echo scanning C. SYN/FIN scanning using IP fragments D. IPID scanning
SYN/FIN scanning using IP fragments
During the enumeration phase, Lawrence performs banner grabbing to obtain information such as OS details and versions of services running. The service that he enumerated runs directly on TCP port 445. Which of the following services is enumerated by Lawrence in this scenario? A. Remote procedure call (RPC) B. Telnet C. Server Message Block (SMB) D. Network File System (NFS)
Server Message Block (SMB)
Jason, an attacker, targeted an organization to perform an attack on its Internet-facing web server with the intention of gaining access to backend servers, which are protected by a firewall. In this process, he used a URL https://xyz.com/feed.php?url=externalsite.com/feed/to to obtain a remote feed and altered the URL input to the local host to view all the local resources on the target server. What is the type of attack Jason performed in the above scenario? A. Web server misconfiguration B. Server-side request forgery (SSRF) attack C. Web cache poisoning attack D. Website defacement
Server-side request forgery (SSRF) attack
Which access control mechanism allows for multiple systems to use a central authentication server (CAS) that permits users to authenticate once and gain access to multiple systems? A. Role Based Access Control (RBAC) B. Discretionary Access Control (DAC) C. Single sign-on D. Windows authentication
Single sign-on
You need a tool that can do network intrusion prevention and intrusion detection, function as a network sniffer, and record network activity. What tool would you most likely select? A. Snort B. Cain & Abel C. Nessus D. Nmap
Snort
Sam, a professional hacker, targeted an organization with the intention of compromising AWS IAM credentials. He attempted to lure one of the employees of the organization by initiating fake calls while posing as a legitimate employee. Moreover, he sent phishing emails to steal the AWS IAM credentials and further compromise the employee's account. What is the technique used by Sam to compromise the AWS IAM credentials? A. Insider threat B. Social engineering C. Password reuse D. Reverse engineering
Social engineering
What piece of hardware on a computer's motherboard generates encryption keys and only releases a part of the key so that decrypting a disk on a new piece of hardware is not possible? A. CPU B. UEFI C. GPU D. TPM
TPM
An unauthorized individual enters a building following an employee through the employee entrance after the lunch rush. What type of breach has the individual just performed? A. Piggybacking B. Announced C. Tailgating D. Reverse Social Engineering
Tailgating
The security administrator of ABC needs to permit Internet traffic to the host 10.0.0.2 and UDP traffic to the host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration on the router, nobody can access FTP, and the permitted hosts cannot access the Internet. According to the following configuration, what is happening in the network? access-list 102 deny tcp any any access-list 104 permit udp host 10.0.0.3 any access-list 110 permit tcp host 10.0.0.2 eq www any access-list 108 permit tcp any eq ftp any A. The ACL 104 needs to be first because it is UDP B. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router C. The ACL for FTP must be before the ACL 110 D. The ACL 110 needs to be changed to port 80
The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
Firewalk has just completed the second phase (the scanning phase) and a technician receives the output shown below. What conclusions can be drawn based on these scan results? TCP port 21 no response - TCP port 22 no response - TCP port 23 Time-to-live exceeded A. The lack of response from ports 21 and 22 indicate that those services are not running on the destination server B. The scan on port 23 was able to make a connection to the destination host prompting the firewall to respond with a TTL error C. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall D. The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target host
The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall
After an audit, the auditors inform you that there is a critical finding that you must tackle immediately. You read the audit report, and the problem is the service running on port 389. Which service is this and how can you tackle the problem? A. The service is NTP, and you have to change it from UDP to TCP in order to encrypt it. B. The service is LDAP, and you must change it to 636, which is LDAPS. C. The findings do not require immediate actions and are only suggestions. D. The service is SMTP, and you must change it to S/MIME, which is an encrypted way to send emails.
The service is LDAP, and you must change it to 636, which is LDAPS
An attacker scans a host with the below command. Which three flags are set? # nmap -sX host.domain.com A. This is a SYN scan. The SYN flag is set. B. This is an Xmas scan. URG, PUSH and FIN are set. C. This is an ACK scan. The ACK flag is set. D. This is an Xmas scan. SYN and ACK flags are set.
This is an Xmas scan. URG, PUSH and FIN are set.
What is the most common method to exploit the Bash Bug or Shellshock vulnerability? A. SYN Flood B. SSH C. Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment variable to a vulnerable Web server D. Manipulate format strings in text fields
Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment variable to a vulnerable Web server
Which tool can be used to silently copy files from USB devices? A. USB Grabber B. USB Snoopy C. USB Sniffer D. USB Dumper
USB Dumper
Clark is a professional hacker. He created and configured multiple domains pointing to the same host to switch quickly between the domains and avoid detection. Identify the behavior of the adversary in the above scenario. A. Unspecified proxy activities B. Use of command-line interface C. Data staging D. Use of DNS tunneling
Unspecified proxy activities
Which iOS jailbreaking technique patches the kernel during the device boot so that it becomes jailbroken after each successive reboot? A. Tethered jailbreaking B. Semi-untethered jailbreaking C. Semi-tethered jailbreaking D. Untethered jailbreaking
Untethered jailbreaking
Consider the following Nmap output: Starting Nmap X.XX (http://nmap.org) at XXX-XX-XX XX:XX EDT Nmap scan report for 192.168.1.42 Host is up (0.00023s latency). Not shown: 932 filtered ports, 56 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 25/tcp open smtp 53/tcp open domain 80/tcp open http 110/tcp open pop3 143/tcp open imap 443/tcp open https 465/tcp open smtps 587/tcp open submission 993/tcp open imaps 995/tcp open pop3s Nmap done: 1 IP address (1 host up) scanned in 3.90 seconds What command-line parameter could you use to determine the type and version number of the web server? A. -sV B. -sS C. -Pn D. -V
-sV
You are tasked to configure the DHCP server to lease the last 100 usable IP addresses in subnet 10.1.4.0/23. Which of the following IP addresses could be leased as a result of the new configuration? A. 10.1.255.200 B. 10.1.4.156 C. 10.1.4.254 D. 10.1.5.200
10.1.5.200
Henry is a cyber security specialist hired by BlackEye Cyber Security Solutions. He was tasked with discovering the operating system (OS) of a host. He used the Unicornscan tool to discover the OS of the target system. As a result, he obtained a TTL value, which indicates that the target system is running a Windows OS. Identify the TTL value Henry obtained, which indicates that the target OS is Windows. A. 128 B. 255 C. 64 D. 138
128
From the following table, identify the wrong answer in terms of Range (ft). Standard Range (ft) 802.11a 150-150 802.11b 150-150 802.11g 150-150 802.16 (WiMax) 30 miles A. 802.16 (WiMax) B. 802.11g C. 802.11b D. 802.11a
802.16 (WiMax)
Allen, a professional pen tester, was hired by XpertTech Solutions to perform an attack simulation on the organization's network resources. To perform the attack, he took advantage of the NetBIOS API and targeted the NetBIOS service. By enumerating NetBIOS, he found that port 139 was open and could see the resources that could be accessed or viewed on a remote system. He came across many NetBIOS codes during enumeration. Which NetBIOS code identifies the messenger service running for the logged-in user? A. <00> B. <20> C. <03> D. <1B>
<03>
In both pharming and phishing attacks, an attacker can create websites that look similar to legitimate sites with the intent of collecting personally identifiable information from its victims. What is the difference between pharming and phishing attacks? A. In a pharming attack, a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack, an attacker provides the victim with a URL that is either misspelled or looks similar to the actual website's domain name B. In a phishing attack, a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a pharming attack, an attacker provides the victim with a URL that is either misspelled or looks very similar to the actual website's domain name C. Both pharming and phishing attacks are purely technical and are not considered forms of social engineering D. Both pharming and phishing attacks are identical
A
Cross-site request forgery involves: A. A request sent by a malicious user from a browser to a server B. A server making a request to another server without the user's knowledge C. Modification of a request by a proxy between client and server. D. A browser making a request to a server without the user's knowledge
A browser making a request to a server without the user's knowledge
What is the least important information when you analyze a public IP address in a security alert? A. DNS B. Whois C. Geolocation D. ARP
ARP
John, a professional hacker, performs a network attack on a renowned organization and gains unauthorized access to the target network. He remains in the network without being detected for a long time and obtains sensitive information without sabotaging the organization. Which of the following attack techniques is used by John? A. Insider threat B. Diversion theft C. Spear-phishing sites D. Advanced persistent threat
Advanced persistent threat
John, a disgruntled ex-employee of an organization, contacted a professional hacker to exploit the organization. In the attack process, the professional hacker installed a scanner on a machine belonging to one of the victims and scanned several machines on the same network to identify vulnerabilities to perform further exploitation. What is the type of vulnerability assessment tool employed by John in the above scenario? A. Agent-based scanner B. Network-based scanner C. Cluster scanner D. Proxy scanner
Agent-based scanner
Based on the below log, which of the following sentences are true? Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip A. Application is FTP and 10.240.250.23 is the client and 10.249.253.15 is the server. B. Application is SSH and 10.240.250.23 is the server and 10.249.253.15 is the client. C. SSH communications are encrypted; it's impossible to know who is the client or the server. D. Application is SSH and 10.240.250.23 is the client and 10.249.253.15 is the server.
Application is SSH and 10.240.250.23 is the client and 10.249.253.15 is the server.
A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much information can be obtained from the firm's public-facing web servers. The engineer decides to start by using netcat on port 80. The engineer receives this output: HTTP/1.1 200 OK - Server: Microsoft-IIS/6 - Expires: Tue, 17 Jan 2011 01:41:33 GMT Date: Mon, 16 Jan 2011 01:41:33 GMT Content-Type: text/html - Accept-Ranges: bytes - Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT ETag: "b0aac0542e25c31:89d" Content-Length: 7369 - Which of the following is an example of what the engineer performed? A. Banner grabbing B. SQL injection C. Whois database query D. Cross-site scripting
Banner grabbing
Attempting an injection attack on a web server based on responses to True/False questions is called which of the following? A. Compound SQLi B. Blind SQLi C. Classic SQLi D. DMS-specific SQLi
Blind SQLi
Which of the following Bluetooth hacking techniques refers to the theft of information from a wireless device through Bluetooth? A. Bluesmacking B. Bluesnarfing C. Bluejacking D. Bluebugging
Bluesnarfing
A hacker has successfully infected an internet-facing server which he will then use to send junk mail, take part in coordinated attacks, or host junk email content. Which sort of trojan infects this server? A. Botnet Trojan B. Banking Trojans C. Turtle Trojans D. Ransomware Trojans
Botnet Trojan
#!/usr/bin/python import socket buffer=['A'] counter=50 while len(buffer)<=100: buffer.append('A'*counter) counter=counter+50 commands=['HELP','STATS .','RTIME .','LTIME .','SRUN .','TRUN .','GMON .','GDOG .','KSTET .','GTER .','HTER .','LTER .','KSTAN .'] for command in commands: for buffstring in buffer: print 'Exploiting ' +command +':'+str(len(buffstring)) s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('127.0.0.1', 9999)) s.recv(50) s.send(command+buffstring) s.close() What is the code written for? A. Denial-of-service (DOS) B. Buffer Overflow C. Bruteforce D. Encryption
Buffer Overflow
On performing a risk assessment, you need to determine the potential impacts when some of the critical business processes of the company interrupt their service. What is the name of the process by which you can determine those critical business processes? A. Emergency Plan Response (EPR) B. Business Impact Analysis (BIA) C. Risk Mitigation D. Disaster Recovery Planning (DRP)
Business Impact Analysis (BIA)
When configuring wireless on his home router, Javik disables SSID broadcast. He leaves authentication open but sets the SSID to a 32-character string of random letters and numbers. What is an accurate assessment of this scenario from a security perspective? A. Since the SSID is required in order to connect, the 32-character string is sufficient to prevent brute-force attacks. B. Disabling SSID broadcast prevents 802.11 beacons from being transmitted from the access point, resulting in a valid setup leveraging security through obscurity C. It is still possible for a hacker to connect to the network after sniffing the SSID from a successful wireless association. D. Javik's router is still vulnerable to wireless hacking attempts because the SSID broadcast setting can be enabled using a specially crafted packet sent to the hardware address of the access point.
C
Which of the following options represents a conceptual characteristic of an anomaly-based IDS over a signature-based IDS? A. Cannot deal with encrypted network traffic B. Requires vendor updates for new threats C. Can identify unknown attacks D. Produces fewer false positives
Can identify unknown attacks
If executives are found liable for not properly protecting their company's assets and information systems, what type of law would apply in this situation? A. Criminal B. International C. Common D. Civil
Civil
Chandler works as a pen-tester in an IT firm in New York. As a part of detecting viruses in the systems, he uses a detection method where the antivirus executes the malicious code on a virtual machine to simulate CPU and memory activities. Which type of virus detection method did Chandler use in this context? A. Heuristic Analysis B. Code Emulation C. Scanning D. Integrity checking
Code Emulation
An attacker changes the profile information of a particular user (victim) on the target website. The attacker uses this string to update the victim's profile to a text file and then submit the data to the attacker's database. <iframe src="http://www.vulnweb.com/updateif.php" style="display:none"></iframe> What is this type of attack (that can use either HTTP GET or HTTP POST) called? A. Browser Hacking B. Cross-Site Scripting C. SQL Injection D. Cross-Site Request Forgery
Cross-Site Request Forgery
What type of a vulnerability/attack is it when the malicious person forces the user's browser to send an authenticated request to a server? A. Session hijacking B. Server side request forgery C. Cross-site request forgery D. Cross-site scripting
Cross-site request forgery
A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application. What kind of Web application vulnerability likely exists in their software? A. Cross-site scripting vulnerability B. SQL injection vulnerability C. Web site defacement vulnerability D. Cross-site Request Forgery vulnerability
Cross-site scripting vulnerability
Abel, a security professional, conducts penetration testing in his client organization to check for any security loopholes. He launched an attack on the DHCP servers by broadcasting forged DHCP requests and leased all the DHCP addresses available in the DHCP scope until the server could not issue any more IP addresses. This led to a DoS attack, and as a result, legitimate employees were unable to access the client's network. Which of the following attacks did Abel perform in the above scenario? A. Rogue DHCP server attack B. VLAN hopping C. STP attack D. DHCP starvation
DHCP starvation
Scenario: Joe turns on his home computer to access personal online banking. When he enters the URL www.bank.com, the website is displayed, but it prompts him to re-enter his credentials as if he has never visited the site before. When he examines the website URL closer, he finds that the site is not secure and the web address appears different. What type of attack is he experiencing? A. DHCP spoofing B. DoS attack C. ARP cache poisoning D. DNS hijacking
DNS hijacking
Ricardo has discovered the username for an application in his target's environment. As he has a limited amount of time, he decides to attempt to use a list of common passwords he found on the Internet. He compiles them into a list and then feeds that list as an argument into his password-cracking application. What type of attack is Ricardo performing? A. Brute force B. Known plaintext C. Dictionary D. Password spraying
Dictionary
A computer science student needs to fill some information into a secured Adobe PDF job application that was received from a prospective employer. Instead of requesting a new document that allowed the forms to be completed, the student decides to write a script that pulls passwords from a list of commonly used passwords to try against the secured PDF until the correct password is found or the list is exhausted. Which cryptography attack is the student attempting? A. Man-in-the-middle attack B. Brute-force attack C. Dictionary attack D. Session hijacking
Dictionary attack
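Added example for the two dictionary-attack questions above (this is illustrative code written for this page, not part of the CEH material): the three guessing strategies the options distinguish, run against a constructed credential store. The usernames, the wordlist and the unsalted SHA-256 storage are all assumptions made for the demo; a real system should store passwords with a slow, salted KDF such as bcrypt or Argon2, which is exactly what makes each guess below expensive.

```python
"""Dictionary attack vs. brute force vs. password spraying (added example)."""
import hashlib
import itertools
import string
from typing import Dict, Iterable, Optional, Tuple


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample "database": username -> unsalted SHA-256 of the password.
STORED_HASHES: Dict[str, str] = {
    "ricardo": sha256_hex("letmein"),     # weak, present in common-password lists
    "alice":   sha256_hex("Summer2024"),  # seasonal pattern, also in the list
    "bob":     sha256_hex("zq7"),         # short, but in no wordlist
}

# Constructed wordlist standing in for the list Ricardo found online.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2024", "admin"]

# Search space for the brute-force demo: lowercase letters and digits.
ALPHANUM = string.ascii_lowercase + string.digits


def dictionary_attack(target_hash: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try each candidate from a curated list: cheap, but only finds words that are in it."""
    tries = 0
    for candidate in wordlist:
        tries += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, tries
    return None, tries


def brute_force_attack(target_hash: str, alphabet: str, max_len: int) -> Tuple[Optional[str], int]:
    """Enumerate every string over `alphabet` up to `max_len`: exhaustive, cost grows as |alphabet|**len."""
    tries = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            tries += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, tries
    return None, tries


def password_spray(stored: Dict[str, str], passwords: Iterable[str]) -> Dict[str, str]:
    """One password against every account before moving to the next.
    The ordering is the point: each account sees few attempts, so per-account
    lockout thresholds are never reached."""
    cracked: Dict[str, str] = {}
    for pw in passwords:
        h = sha256_hex(pw)
        for user, stored_hash in stored.items():
            if user not in cracked and stored_hash == h:
                cracked[user] = pw
    return cracked


if __name__ == "__main__":
    print(dictionary_attack(STORED_HASHES["ricardo"], COMMON_PASSWORDS))
    print(brute_force_attack(STORED_HASHES["bob"], ALPHANUM, 3))
    print(password_spray(STORED_HASHES, COMMON_PASSWORDS))
```

The dictionary attack finds "letmein" in four hashes and gives up on "zq7" after six; the brute force finds "zq7" only after tens of thousands of hashes, which is the trade-off Ricardo made under time pressure. Password spraying is the same wordlist iterated in the opposite order (passwords outer, users inner), which is why it is a distinct answer choice.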
While testing a web application in development, you notice that the web server does not properly ignore the dot dot slash (../) character string and instead returns the file listing of a folder higher up in the folder structure of the server. What kind of attack is possible in this scenario? A. Cross-site scripting B. SQL injection C. Denial of service D. Directory traversal
Directory traversal
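Added example for the directory-traversal question (illustrative code written for this page, not from the CEH material): the vulnerable file-path construction described in the question beside a hardened resolver. The document root `/var/www/html` is an assumed value for the demo; paths are handled with `posixpath` so the result is the same on any platform.

```python
"""Path traversal: vulnerable resolver beside a hardened one (added example)."""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root for the demo


def resolve_unsafe(user_path: str) -> str:
    """Vulnerable: joins the request path under the web root without normalising.
    '../' segments survive, so the OS later resolves them above WEB_ROOT, and
    posixpath.join discards the root entirely when the request path is absolute."""
    return posixpath.join(WEB_ROOT, user_path)


def resolve_safe(user_path: str) -> Optional[str]:
    """Hardened: decode once, normalise, then require the result to stay inside WEB_ROOT.
    Returns None (the caller answers 403/404) for anything that escapes."""
    decoded = unquote(user_path)                   # catch %2e%2e%2f encodings of ../
    relative = decoded.lstrip("/")                 # an absolute request path must not replace the root
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, relative))
    root = posixpath.normpath(WEB_ROOT)
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for p in ["docs/index.html", "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"]:
        print(f"{p!r:40} unsafe={resolve_unsafe(p)!r:45} safe={resolve_safe(p)!r}")
```

On a real filesystem the check should run on `os.path.realpath()` of the candidate so that symbolic links under the web root cannot point outside it; `normpath` alone only reasons about the string.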
You are a penetration tester tasked with testing the wireless network of your client Brakeme SA. You are attempting to break into the wireless network with the SSID Brakeme-Internal. You realize that this network uses WPA3 encryption. Which of the following vulnerabilities is the most promising to exploit? A. Cross-site request forgery B. Dragonblood C. Key reinstallation attack D. AP misconfiguration
Dragonblood
Mary found a high-severity vulnerability during a vulnerability scan and notified her server team. After analysis, they sent her proof that a fix for that issue had already been applied. The finding that Mary reported is called what? A. False-negative B. False-positive C. Brute force attack D. Backdoor
False-positive
Insecure direct object reference is a type of vulnerability where the application does not verify whether the user is authorized to access the internal object referenced by its name or key. Suppose a malicious user Rob tries to get access to the account of a benign user Ned. Which of the following requests best illustrates an attempt to exploit an insecure direct object reference vulnerability? A. GET /restricted/goldtransfer?to=Rob&from=1 or 1=1 HTTP/1.1 Host: westbank.com B. GET restricted/\r\n\%00account%00Ned%00access HTTP/1.1 Host: westbank.com C. GET /restricted/accounts/?name=Ned HTTP/1.1 Host: westbank.com D. GET /restricted/ HTTP/1.1 Host: westbank.com
GET /restricted/accounts/?name=Ned HTTP/1.1 Host: westbank.com
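Added example for the IDOR question (illustrative code written for this page, not from the CEH material): the lookup behind `GET /restricted/accounts/?name=Ned` as a vulnerable handler, beside the two standard fixes. The account table, owners and balances are constructed for the demo; the `IndirectReferenceMap` follows the indirect-reference-map pattern from the OWASP guidance on IDOR, not any particular framework's API.

```python
"""Insecure direct object reference: vulnerable lookup and two fixes (added example)."""
import secrets
from typing import Dict, Optional

# Constructed account table: account name -> owner (the session user) and balance.
ACCOUNTS: Dict[str, dict] = {
    "Ned": {"owner": "ned", "balance": 5_000},
    "Rob": {"owner": "rob", "balance": 12},
}


def get_account_vulnerable(session_user: str, query: Dict[str, str]) -> Optional[dict]:
    """Mirrors option C: the `name` parameter is used directly as the key and
    nothing checks that session_user owns it, so Rob reads Ned's account."""
    return ACCOUNTS.get(query.get("name", ""))


def get_account_checked(session_user: str, query: Dict[str, str]) -> Optional[dict]:
    """Fix 1: keep the direct reference but enforce ownership on every access."""
    acct = ACCOUNTS.get(query.get("name", ""))
    if acct is None or acct["owner"] != session_user:
        return None  # respond 403/404 uniformly; do not reveal whether the account exists
    return acct


class IndirectReferenceMap:
    """Fix 2: one instance per session hands out random handles instead of real keys.
    The client only ever sees tokens minted for objects it is allowed to reach,
    so there is no guessable identifier to tamper with."""

    def __init__(self) -> None:
        self._token_to_key: Dict[str, str] = {}

    def mint(self, session_user: str) -> Dict[str, str]:
        """Issue tokens only for the objects this user owns; returns key -> token for rendering links."""
        issued: Dict[str, str] = {}
        for key, acct in ACCOUNTS.items():
            if acct["owner"] == session_user:
                token = secrets.token_urlsafe(16)
                self._token_to_key[token] = key
                issued[key] = token
        return issued

    def resolve(self, token: str) -> Optional[dict]:
        """Map a handle back to the object; unknown or foreign handles resolve to nothing."""
        key = self._token_to_key.get(token)
        return ACCOUNTS.get(key) if key else None


if __name__ == "__main__":
    attacker_query = {"name": "Ned"}
    print("vulnerable:", get_account_vulnerable("rob", attacker_query))
    print("checked:   ", get_account_checked("rob", attacker_query))
    session = IndirectReferenceMap()
    tokens = session.mint("rob")
    print("rob's handles:", tokens, "-> Ned by name:", session.resolve("Ned"))
```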
Bob was recently hired by a medical company after it experienced a major cyber security breach. Many patients are complaining that their personal medical records are fully exposed on the Internet and that anyone can find them with a simple Google search. Bob's boss is very worried because of the regulations that protect such data. Which of the following regulations is most likely violated? A. PCI DSS B. PII C. ISO 2002 D. HIPAA/PHI
HIPAA/PHI
The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192. In that network the servers are at the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124. An attacker is trying to find those servers but he cannot see them in his scan. The command he is using is: nmap 192.168.1.64/28. Why can't he see the servers? A. He needs to add the command ip address just before the IP address B. He needs to change the address to 192.168.1.0 with the same mask C. He is scanning only 192.168.1.64 to 192.168.1.79 because of the /28 mask, and the servers are not in that range D. The network must be down; the nmap command and IP address are correct
He is scanning only 192.168.1.64 to 192.168.1.79 because of the /28 mask, and the servers are not in that range
Emily, an extrovert obsessed with social media, posts a large amount of private information, photographs, and location tags of recently visited places. Realizing this, James, a professional hacker, targets Emily and her acquaintances, conducts a location search to detect their geolocation by using an automated tool, and gathers information to perform other sophisticated attacks. What is the tool employed by James in the above scenario? A. ophcrack B. VisualRoute C. Hootsuite D. HULK
Hootsuite
A newly joined employee, Janet, has been allocated an existing system used by a previous employee. Before issuing the system to Janet, it was assessed by Martin, the administrator. Martin found that there were possibilities of compromise through user directories, registries, and other system parameters. He also identified vulnerabilities such as native configuration tables, incorrect registry or file permissions, and software configuration errors. What is the type of vulnerability assessment performed by Martin? A. Database assessment B. Host-based assessment C. Credentialed assessment D. Distributed assessment
Host-based assessment
There have been concerns in your network that the wireless network component is not sufficiently secure. You perform a vulnerability scan of the wireless network and find that it is using an old encryption protocol that was designed to mimic wired encryption. What encryption protocol is being used? A. RADIUS B. WPA C. WEP D. WPA3
WEP
Which of these is capable of searching for and locating rogue access points? A. NIDS B. HIDS C. WISS D. WIPS
WIPS
This wireless security protocol allows 192-bit minimum-strength security protocols and cryptographic tools to protect sensitive data, such as GCMP-256, HMAC-SHA384, and ECDSA using a 384-bit elliptic curve. Which is this wireless security protocol? A. WPA3-Personal B. WPA3-Enterprise C. WPA2-Enterprise D. WPA2-Personal
WPA3-Enterprise
Firewalls are software or hardware systems that control and monitor the traffic coming in and out of the target network based on a predefined set of rules. Which of the following types of firewalls can protect against SQL injection attacks? A. Data-driven firewall B. Packet firewall C. Web application firewall D. Stateful firewall
Web application firewall
Susan, a software developer, wants her web API to update other applications with the latest information. For this purpose, she uses a user-defined HTTP callback or push APIs that are raised based on trigger events; when invoked, this feature supplies data to other applications so that users can instantly receive real-time information. Which of the following techniques is employed by Susan? A. Web shells B. Webhooks C. REST API D. SOAP API
Webhooks
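Added example for the webhook question (illustrative code written for this page, not from the CEH material): both halves of a webhook delivery. Susan's API signs each callback and the receiving application verifies it, because a webhook endpoint is a public URL that anyone can POST to. The header names `X-Hook-Timestamp` and `X-Hook-Signature`, the shared secret and the sample event are assumptions for the demo; the pattern (HMAC over timestamp plus raw body, constant-time compare, replay window) is the common one used by webhook providers.

```python
"""Webhook delivery with HMAC signing and verification (added example)."""
import hashlib
import hmac
import json
from typing import Dict, Tuple

SHARED_SECRET = b"example-webhook-secret"  # assumed: exchanged out of band when the hook is registered
MAX_SKEW_SECONDS = 300                     # replay window the receiver tolerates


def sign_delivery(payload: Dict, timestamp: int, secret: bytes = SHARED_SECRET) -> Tuple[bytes, Dict[str, str]]:
    """Sender side: serialise the event and MAC `timestamp.body`, so a captured
    delivery can neither be altered in transit nor replayed much later."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    headers = {"X-Hook-Timestamp": str(timestamp), "X-Hook-Signature": f"sha256={mac}"}
    return body, headers


def verify_delivery(body: bytes, headers: Dict[str, str], now: int, secret: bytes = SHARED_SECRET) -> bool:
    """Receiver side: recompute the MAC over the raw request bytes (before any JSON
    parsing) and compare in constant time; reject stale or unsigned deliveries."""
    try:
        ts = int(headers["X-Hook-Timestamp"])
        sig = headers["X-Hook-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, f"sha256={expected}")


if __name__ == "__main__":
    sent_at = 1_700_000_000  # constructed fixed clock for a reproducible run
    body, headers = sign_delivery({"event": "order.paid", "id": 42}, sent_at)
    print(headers)
    print("genuine:  ", verify_delivery(body, headers, sent_at + 10))
    print("tampered: ", verify_delivery(body.replace(b"42", b"43"), headers, sent_at + 10))
    print("replayed: ", verify_delivery(body, headers, sent_at + 3600))
```

Verifying against the raw bytes matters: re-serialising parsed JSON can change key order or whitespace and produce a different MAC, and parsing before verification hands untrusted input to the parser first.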
Nicolas just found a vulnerability on a public-facing system that is considered a zero-day vulnerability. He sent an email to the owner of the public system describing the problem and how the owner can protect themselves from that vulnerability. He also sent an email to Microsoft informing them of the problem that their systems are exposed to. What type of hacker is Nicolas? A. Black hat B. White hat C. Gray hat D. Red hat
White hat
You want to analyze packets on your wireless network. Which program would you use? A. Airsnort with Airpcap B. Wireshark with Airpcap C. Wireshark with Winpcap D. Ethereal with Winpcap
Wireshark with Airpcap
Which of the following antennas is commonly used in communications for a frequency band of 10 MHz to VHF and UHF? A. Yagi antenna B. Dipole antenna C. Parabolic grid antenna D. Omnidirectional antenna
Yagi antenna
George is a security professional working for iTech Solutions. He was tasked with securely transferring sensitive data of the organization between industrial systems. In this process, he used a short-range communication protocol based on the IEEE 802.15.4 standard. This protocol is used in devices that transfer data infrequently at a low rate in a restricted area, within a range of 10-100 m. What is the short-range wireless communication technology George employed in the above scenario? A. LPWAN B. MQTT C. NB-IoT D. Zigbee
Zigbee
Bobby, an attacker, targeted a user and decided to hijack and intercept all their wireless communications. He installed a fake communication tower between two authentic endpoints to mislead the victim. Bobby used this virtual tower to interrupt the data transmission between the user and real tower, attempting to hijack an active session. Upon receiving the user's request, Bobby manipulated the traffic with the virtual tower and redirected the victim to a malicious website. What is the attack performed by Bobby in the above scenario? A. aLTEr attack B. Jamming signal attack C. Wardriving D. KRACK attack
aLTEr attack
You are logged in as a local admin on a Windows 7 system, and you need to launch the Computer Management Console from the command line. Which command would you use? A. c:\compmgmt.msc B. c:\ncpa.cpl C. c:\gpedit D. c:\services.msc
c:\compmgmt.msc
You have been authorized to perform a penetration test against a website. You want to use Google dorks to footprint the site but only want results that show file extensions. What Google dork operator would you use? A. inurl B. site C. ext D. filetype
filetype
You want to do an ICMP scan on a remote computer using hping2. What is the proper syntax? A. hping2 -1 host.domain.com B. hping2 host.domain.com C. hping2 -l host.domain.com D. hping2 --set-ICMP host.domain.com
hping2 -1 host.domain.com
ping -* 6 192.168.0.101 Output: Pinging 192.168.0.101 with 32 bytes of data: Reply from 192.168.0.101: bytes=32 time<1ms TTL=128 Reply from 192.168.0.101: bytes=32 time<1ms TTL=128 Reply from 192.168.0.101: bytes=32 time<1ms TTL=128 Reply from 192.168.0.101: bytes=32 time<1ms TTL=128 Reply from 192.168.0.101: bytes=32 time<1ms TTL=128 Reply from 192.168.0.101: bytes=32 time<1ms TTL=128 Ping statistics for 192.168.0.101: Packets: Sent = 6, Received = 6, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms What does the option * indicate? A. t B. s C. a D. n
n
What would you enter if you wanted to perform a stealth scan using Nmap? A. nmap -sM B. nmap -sU C. nmap -sS D. nmap -sT
nmap -sS
What are common files on a web server that can be misconfigured and provide useful information for a hacker such as verbose error messages? A. httpd.conf B. administration.config C. php.ini D. idq.dll
php.ini