CEHv9 Questions 101-200

188 This kind of password cracking method uses word lists in combination with numbers and special characters: A. Hybrid B. Linear C. Symmetric D. Brute Force

A Explanation: A Hybrid (or Hybrid Dictionary) Attack uses a word list that it modifies slightly to find passwords that are almost from a dictionary (like St0pid)

165 Exhibit: 97 Study the following log extract and identify the attack. A. Hexcode Attack B. Cross Site Scripting C. Multiple Domain Traversal Attack D. Unicode Directory Traversal Attack

D Explanation: The "Get /msadc/....../....../....../winnt/system32/cmd.exe?" shows that a Unicode Directory Traversal Attack has been performed.

128 Which of the following nmap command in Linux procedures the above output? A. sudo nmap -sP 192.168.0.1/24 B. root nmap -sA 192.168.0.1/24 C. run nmap -TX 192.168.0.1/24 D. launch nmap -PP 192.168.0.1/24

A Explanation: This is an output from a ping scan. The option -sP will give you a ping scan of the 76 192.168.0.1/24 network. Topic 4, Enumeration

116 Samantha has been actively scanning the client network for which she is doing a vulnerability assessment test. While doing a port scan she notices ports open in the 135 to 139 range. What protocol is most likely to be listening on those ports? A. SMB B. FTP C. SAMBA D. FINGER 68

A Explanation: Port 135 is for RPC and 136-139 is for NetBIOS traffic. SMB is an upper layer service that runs on top of the Session Service and the Datagram service of NetBIOS.

127 While reviewing the results of a scan run against a target network you come across the following: What was used to obtain this output? A. An SNMP Walk B. Hping2 diagnosis C. A Bo2K System query D. Nmap protocol/port scan 75

A Explanation: The snmpwalk command is designed to perform a sequence of chained GETNEXT requests automatically, rather than having to issue the necessary snmpgetnext requests by hand. The command takes a single OID, and will display a list of all the results which lie within the subtree rooted on this OID.

109 Jenny a well known hacker scanning to remote host of 204.4.4.4 using nmap. She got the scanned output but she saw that 25 port states is filtered. What is the meaning of filtered port State? A. Can Accessible B. Filtered by firewall C. Closed D. None of above

B Explanation: The state is either open, filtered, closed, or unfiltered. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.

148 Sara is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records (delegation for child Domains), zone serial number, TimeToLive (TTL) records, etc) for a Domain. What do you think Sara is trying to accomplish? Select the best answer. A. A zone harvesting B. A zone transfer C. A zone update D. A zone estimate

B Explanation: The zone transfer is the method a secondary DNS server uses to update its information from the primary DNS server. DNS servers within a domain are organized using a master-slave method where the slaves get updated DNS information from the master DNS. One should configure the master DNS server to allow zone transfers only from secondary (slave) DNS servers but this is often not implemented. By connecting to a specific DNS server and successfully issuing the ls -d domain-name > file-name you have initiated a zone transfer.

133 Bob is acknowledged as a hacker of repute and is popular among visitors of "underground" sites. Bob is willing to share his knowledge with those who are willing to learn, and many have expressed their interest in learning from him. However, this knowledge has a risk associated with it, as it can be used for malevolent attacks as well. In this context, what would be the most affective method to bridge the knowledge gap between the "black" hats or crackers and the "white" hats or computer security professionals? (Choose the test answer) A. Educate everyone with books, articles and training on risk analysis, vulnerabilities and safeguards. B. Hire more computer security monitoring personnel to monitor computer systems and networks. C. Make obtaining either a computer security certification or accreditation easier to achieve so more individuals feel that they are a part of something larger than life. D. Train more National Guard and reservist in the art of computer security to help out in times of emergency or crises.

A 79 Explanation: Bridging the gap would consist of educating the white hats and the black hats equally so that their knowledge is relatively the same. Using books, articles, the internet, and professional training seminars is a way of completing this goal.

108 Your are trying the scan a machine located at ABC company's LAN named mail.abc.com. Actually that machine located behind the firewall. Which port is used by nmap to send the TCP synchronize frame to on mail.abc.com? A. 443 B. 80 C. 8080 D. 23

A Explanation: 64

159 Which of the following represents the initial two commands that an IRC client sends to join an IRC network? A. USER, NICK B. LOGIN, NICK C. USER, PASS D. LOGIN, USER

A Explanation: A "PASS" command is not required for either client or server connection to be registered, but it must precede the server message or the latter of the NICK/USER combination. (RFC 1459)

144 85 What is a NULL scan? A. A scan in which all flags are turned off B. A scan in which certain flags are off C. A scan in which all flags are on D. A scan in which the packet size is set to zero E. A scan with a illegal packet size

A Explanation: A null scan has all flags turned off.

114 Mark works as a contractor for the Department of Defense and is in charge of network security. He has spent the last month securing access to his network from all possible entry points. He has segmented his network into several subnets and has installed firewalls all over the network. He has placed very stringent rules on all the firewalls, blocking everything in and out except ports that must be used. He does need to have port 80 open since his company hosts a website that must be accessed from the Internet. Mark is fairly confident of his perimeter defense, but is still worried about programs like Hping2 that can get into a network through convert channels. How should mark protect his network from an attacker using Hping2 to scan his internal network? A. Blocking ICMP type 13 messages B. Block All Incoming traffic on port 53 C. Block All outgoing traffic on port 53 D. Use stateful inspection on the firewalls

A Explanation: An ICMP type 13 message is an ICMP timestamp request and waits for an ICMP timestamp reply. The remote node is right to do, still it would not be necessary as it is optional and thus many ip stacks ignore such packets. Nevertheless, nmap again achived to make its packets unique by setting the originating timestamp field in the packet to 0. 67

194 When discussing passwords, what is considered a brute force attack? A. You attempt every single possibility until you exhaust all possible combinations or discover the password B. You threaten to use the rubber hose on someone unless they reveal their password C. You load a dictionary of words into your cracking program D. You create hashes of a large number of words and compare it with the encrypted passwords E. You wait until the password expires

A Explanation: Brute force cracking is a time consuming process where you try every possible combination of letters, numbers, and characters until you discover a match.

178 Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weaknesses and key loggers. Which of the following options best represents the means that Bob can adopt to retrieve passwords from his clients hosts and servers. A. Hardware, Software, and Sniffing. B. Hardware and Software Keyloggers. C. Passwords are always best obtained using Hardware key loggers. D. Software only, they are the most effective.

A Explanation: Different types of keylogger planted into the environment would retrieve the passwords for Bob..

117 Paula works as the primary help desk contact for her company. Paula has just received a call from a user reporting that his computer just displayed a Blue Screen of Death screen and he ca no longer work. Paula walks over to the user's computer and sees the Blue Screen of Death screen. The user's computer is running Windows XP, but the Blue screen looks like a familiar one that Paula had seen a Windows 2000 Computers periodically. The user said he stepped away from his computer for only 15 minutes and when he got back, the Blue Screen was there. Paula also noticed that the hard drive activity light was flashing meaning that the computer was processing some thing. Paula knew this should not be the case since the computer should be completely frozen during a Blue screen. She checks the network IDS live log entries and notices numerous nmap scan alerts. What is Paula seeing happen on this computer? A. Paula's Network was scanned using FloppyScan B. Paula's Netwrok was scanned using Dumpsec C. There was IRQ conflict in Paula's PC D. Tool like Nessus will cause BSOD

A Explanation: Floppyscan is a dangerous hacking tool which can be used to portscan a system using a floppy disk Bootsup mini Linux Displays Blue screen of death screen Port scans the network using NMAP Send the results by e-mail to a remote server.

121 The FIN flag is set and sent from host A to host B when host A has no more data to transmit (Closing a TCP connection). This flag releases the connection resources. However, host A can continue to receive data as long as the SYN sequence number of transmitted packets from host B are lower than the packet segment containing the set FIN flag. A. True B. False 71

A Explanation: For sequence number purposes, the SYN is considered to occur before the first actual data octet of the segment in which it occurs, while the FIN is considered to occur after the last actual data octet in a segment in which it occurs. So packets receiving out of order will still be accepted.

115 Lori has just been tasked by her supervisor conduct vulnerability scan on the corporate network. She has been instructed to perform a very thorough test of the network to ensure that there are no security holes on any of the machines. Lori's company does not own any commercial scanning products, so she decides to download a free one off the Internet. Lori has never done a vulnerability scan before, so she is unsure of some of the settings available in the software she downloaded. One of the option is to choose which ports that can be scanned. Lori wants to do exactly what her boos has told her, but she does not know ports should be scanned. If Lori is supposed to scan all known TCP ports, how many ports should she select in the software? A. 65536 B. 1024 C. 1025 D. Lori should not scan TCP ports, only UDP ports

A Explanation: In both TCP and UDP, each packet header will specify a source port and a destination port, each of which is a 16-bit unsigned integer (i.e. ranging from 0 to 65535).

113 66 John has performed a scan of the web server with NMAP but did not gather enough information to accurately identify which operating system is running on the remote host. How could you use a web server to help in identifying the OS that is being used? A. Telnet to an Open port and grab the banner B. Connect to the web server with an FTP client C. Connect to the web server with a browser and look at the web page D. Telnet to port 8080 on the web server and look at the default page code

A Explanation: Most Web servers politely identify themselves and the OS to anyone who asks.

122 Which type of scan does not open a full TCP connection? A. Stealth Scan B. XMAS Scan C. Null Scan D. FIN Scan

A Explanation: Stealth Scan: Instead of completing the full TCP three-way-handshake a full connection is not made. A SYN packet is sent to the system and if a SYN/ACK packet is received it is assumed that the port on the system is active. In that case a RST/ACK will be sent which will determined the listening state the system is in. If a RST/ACK packet is received, it is assumed that the port on the system is not active.

175 SNMP is a connectionless protocol that uses UDP instead of TCP packets? (True or False) A. True B. False

A Explanation: TCP and UDP provide transport services. But UDP was preferred. This is due to TCP characteristics, it is a complicate protocol and it consume to many memory and CPU resources. Where as UDP is easy to build and run. Into devices (repeaters and modems) vendors have built simple version of IP and UDP. 105

160 What does FIN in TCP flag define? 94 A. Used to close a TCP connection B. Used to abort a TCP connection abruptly C. Used to indicate the beginning of a TCP connection D. Used to acknowledge receipt of a previous packet or transmission

A Explanation: The FIN flag stands for the word FINished. This flag is used to tear down the virtual connections created using the previous flag (SYN), so because of this reason, the FIN flag always appears when the last packets are exchanged between a connection.

125 Which of the following is a patch management utility that scans one or more computers on your network and alerts you if you important Microsoft Security patches are missing. It then provides links that enable those missing patches to be downloaded and installed. A. MBSA B. BSSA C. ASNB D. PMUS

A Explanation: The Microsoft Baseline Security Analyzer (MBSA) is a tool put out by Microsoft to help analyze security problems in Microsoft Windows. It does this by scanning the system for security problems in Windows, Windows components such as the IIS web server application, Microsoft SQL Server, and Microsoft Office. One example of an issue might be that permissions for one of the directories in the wwwroot folder of IIS could be set at too low a level, allowing unwanted modification of files from outsiders.

176 Maurine is working as a security consultant for Hinklemeir Associate. She has asked the Systems Administrator to create a group policy that would not allow null sessions on the network. The Systems Administrator is fresh out of college and has never heard of null sessions and does not know what they are used for. Maurine is trying to explain to the Systems Administrator that hackers will try to create a null session when footprinting the network. Why would an attacker try to create a null session with a computer on a network? A. Enumerate users shares B. Install a backdoor for later attacks C. Escalate his/her privileges on the target server D. To create a user with administrative privileges for later use

A Explanation: The Null Session is often referred to as the "Holy Grail" of Windows hacking. Listed as the number 5 windows vulnerability on the SANS/FBI Top 20 list, Null Sessions take advantage of flaws in the CIFS/SMB (Common Internet File System/Server Messaging Block) architecture. You can establish a Null Session with a Windows (NT/2000/XP) host by logging on with a null user name and password. Using these null connections allows you to gather the following information from the host: - List of users and groups - List of machines - List of shares - Users and host SID' (Security Identifiers) Topic 5, System Hacking

139 One of your team members has asked you to analyze the following SOA record. What is the version? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400. A. 200303028 B. 3600 C. 604800 D. 2400 E. 60 F. 4800

A Explanation: The SOA starts with the format of YYYYMMDDVV where VV is the version.

105 Bob is a Junior Administrator at ABC.com is searching the port number of POP3 in a file. The partial output of the file is look like: In which file he is searching? 62 A. services B. protocols C. hosts D. resolve.conf

A Explanation: The port numbers on which certain standard services are offered are defined in the RFC 1700 Assigned Numbers. The /etc/services file enables server and client programs to convert service names to these numbers -ports. The list is kept on each host and it is stored in the file /etc/services.

132 78 Jess the hacker runs L0phtCrack's built-in sniffer utility which grabs SMB password hashes and stores them for offline cracking. Once cracked, these passwords can provide easy access to whatever network resources the user account has access to. But Jess is not picking up hashed from the network. Why? A. The network protocol is configured to use SMB Signing. B. The physical network wire is on fibre optic cable. C. The network protocol is configured to use IPSEC. D. L0phtCrack SMB filtering only works through Switches and not Hubs.

A Explanation: To protect against SMB session hijacking, NT supports a cryptographic integrity mechanism, SMB Signing, to prevent active network taps from interjecting themselves into an already established session.

124 Gerald, the systems administrator for Hyped Enterprise, has just discovered that his network has been breached by an outside attacker. After performing routine maintenance on his servers, his discovers numerous remote tools were installed that no one claims to have knowledge of in his department. Gerald logs onto the management console for his IDS and discovers an unknown IP address that scanned his network constantly for a week and was able to access his network through a high-level port that was not closed. Gerald traces the IP address he found in the IDS log to proxy server in Brazil. Gerald calls the company that owns the proxy server and after searching through their logs, they trace the source to another proxy server in Switzerland. Gerald calls the company in Switzerland that owns the proxy server and after scanning through the logs again, they trace the source back to a proxy server in China. What tool Geralds's attacker used to cover their tracks? 73 A. Tor B. ISA C. IAS D. Cheops

A Explanation: Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs).

142 Under what conditions does a secondary name server request a zone transfer from a primary name server? 84 A. When a primary SOA is higher that a secondary SOA B. When a secondary SOA is higher that a primary SOA C. When a primary name server has had its service restarted D. When a secondary name server has had its service restarted E. When the TTL falls to zero

A Explanation: Understanding DNS is critical to meeting the requirements of the CEH. When the serial number that is within the SOA record of the primary server is higher than the Serial number within the SOA record of the secondary DNS server, a zone transfer will take place.

185 E-mail scams and mail fraud are regulated by which of the following? A. 18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers B. 18 U.S.C. par. 1029 Fraud and Related activity in connection with Access Devices C. 18 U.S.C. par. 1362 Communication Lines, Stations, or Systems D. 18 U.S.C. par. 2510 Wire and Electronic Communications Interception and Interception of Oral Communication

A Explanation: http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000- .html 111

171 A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network. What are some things he can do to prevent it? Select the best answers. A. Use port security on his switches. B. Use a tool like ARPwatch to monitor for strange ARP activity. C. Use a firewall between all LAN segments. D. If you have a small network, use static ARP entries. E. Use only static IP addresses on all PC's.

A,B,D Explanation: Explanations: By using port security on his switches, the switches will only allow the first MAC address that is connected to the switch to use that port, thus preventing ARP spoofing. ARPWatch is a tool that monitors for strange ARP activity. This may help identify ARP spoofing when it happens. Using firewalls between all LAN segments is possible and may help, but is usually pretty unrealistic. On a very small network, static ARP entries are a possibility. However, on a large network, this is not an realistic option. ARP spoofing doesn't have anything to do with static or dynamic IP addresses. Thus, this option won't help you.

172 Peter, a Network Administrator, has come to you looking for advice on a tool that would 103 help him perform SNMP enquires over the network. Which of these tools would do the SNMP enumeration he is looking for? Select the best answers. A. SNMPUtil B. SNScan C. SNMPScan D. Solarwinds IP Network Browser E. NMap

A,B,D Explanation: Explanations: SNMPUtil is a SNMP enumeration utility that is a part of the Windows 2000 resource kit. With SNMPUtil, you can retrieve all sort of valuable information through SNMP. SNScan is a SNMP network scanner by Foundstone. It does SNMP scanning to find open SNMP ports. Solarwinds IP Network Browser is a SNMP enumeration tool with a graphical tree-view of the remote machine's SNMP data.

198 Windows LAN Manager (LM) hashes are known to be weak. Which of the following are known weaknesses of LM? (Choose three) A. Converts passwords to uppercase. B. Hashes are sent in clear text over the network. C. Makes use of only 32 bit encryption. D. Effective length is 7 characters.

A,B,D Explanation: The LM hash is computed as follows.1. The user's password as an OEM string is converted to uppercase. 2. This password is either null-padded or truncated to 14 bytes. 3. The "fixed-length" password is split into two 7-byte halves. 4. These values are used to create two DES keys, one from each 7-byte half. 5. Each of these keys is used to DES-encrypt the constant ASCII string "KGS!@#$%", resulting in two 8-byte ciphertext values. 6. These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash. The hashes them self are sent in clear text over the network instead of sending the password in clear text. 118

141 Which of the following tools can be used to perform a zone transfer? A. NSLookup B. Finger C. Dig D. Sam Spade E. Host F. Netcat G. Neotrace

A,C,D,E Explanation: There are a number of tools that can be used to perform a zone transfer. Some of these include: NSLookup, Host, Dig, and Sam Spade.

107 What are the four steps is used by nmap scanning? A. DNS Lookup B. ICMP Message C. Ping D. Reverse DNS lookup E. TCP three way handshake F. The Actual nmap scan

A,C,D,F Explanation: Nmap performs four steps during a normal device scan. Some of these steps can be modified or disabled using options on the nmap command line.

146 86 Which of the following statements about a zone transfer correct?(Choose three. A. A zone transfer is accomplished with the DNS B. A zone transfer is accomplished with the nslookup service C. A zone transfer passes all zone information that a DNS server maintains D. A zone transfer passes all zone information that a nslookup server maintains E. A zone transfer can be prevented by blocking all inbound TCP port 53 connections F. Zone transfers cannot occur on the Internet

A,C,E Explanation: Securing DNS servers should be a priority of the organization. Hackers obtaining DNS information can discover a wealth of information about an organization. This information can be used to further exploit the network.

119 Jack is conducting a port scan of a target network. He knows that his target network has a web server and that a mail server is up and running. Jack has been sweeping the network but has not been able to get any responses from the remote target. Check all of the following that could be a likely cause of the lack of response? A. The host might be down B. UDP is filtered by a gateway C. ICMP is filtered by a gateway D. The TCP window Size does not match E. The destination network might be down F. The packet TTL value is too low and can't reach the target

A,C,E,F Explanation: Wrong answers is B and D as sweeping a network uses ICMP 70

173 SNMP is a protocol used to query hosts, servers and devices about performance or health status data. Hackers have used this protocol for a long time to gather great amount of information about remote hosts. Which of the following features makes this possible? A. It is susceptible to sniffing B. It uses TCP as the underlying protocol C. It is used by ALL devices on the market D. It uses a community string sent as clear text

A,D Explanation: SNMP uses UDP, not TCP, and even though many devices uses SNMP not ALL devices use it and it can be disabled on most of the devices that does use it. However SNMP is susceptible to sniffing and the community string (which can be said acts as a password) is sent in clear text. 104

195 Which of the following are well know password-cracking programs?(Choose all that apply. 116 A. L0phtcrack B. NetCat C. Jack the Ripper D. Netbus E. John the Ripper

A,E Explanation: L0phtcrack and John the Ripper are two well know password-cracking programs. Netcat is considered the Swiss-army knife of hacking tools, but is not used for password cracking

177 If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible? 106 A. Birthday B. Brute force C. Man-in-the-middle D. Smurf

B Explanation: Brute force attacks are performed with tools that cycle through many possible character, number, and symbol combinations to guess a password. Since the token allows offline checking of PIN, the cracker can keep trying PINS until it is cracked.

102 Which Type of scan sends a packets with no flags set ? Select the Answer A. Open Scan B. Null Scan C. Xmas Scan D. Half-Open Scan

B Explanation: The types of port connections supported are:

155 Which definition among those given below best describes a covert channel? A. A server program using a port that is not well known. B. Making use of a protocol in a way it is not intended to be used. C. It is the multiplexing taking place on a communication link. D. It is one of the weak channels used by WEP which makes it insecure.

B Explanation: A covert channel is described as: "any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy." Essentially, it is a method of communication that is not part of an actual computer system design, but can be used to transfer information to users or system processes that normally would not be allowed access to the information.

157 Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt to use these tools in his lab and is now ready for real world exploitation. He was able to effectively intercept communications between the two entities and establish credentials with both sides of the connections. The two remote ends of the communication never notice that Eric is relaying the information between the two. What would you call this attack? A. Interceptor B. Man-in-the-middle C. ARP Proxy D. Poisoning Attack

B Explanation: A man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised.

140 MX record priority increases as the number increases.(True/False. 83 A. True B. False

B Explanation: The highest priority MX record has the lowest number.

161 What port number is used by LDAP protocol? A. 110 B. 389 C. 445 D. 464

B Explanation: Active Directory and Exchange use LDAP via TCP port 389 for clients.

184 What is the algorithm used by LM for Windows2000 SAM ? A. MD4 B. DES C. SHA D. SSL

B Explanation: Explanation: Okay, this is a tricky question. We say B, DES, but it could be A "MD4" depending on what their asking - Windows 2000/XP keeps users passwords not "apparently", but as hashes, i.e. actually as "check sum" of the passwords. Let's go into the passwords keeping at large. The most interesting structure of the complex SAM-file building is so called V-block. It's size is 32 bytes and it includes hashes of the password for the local entering: NT Hash of 16-byte length, and hash used during the authentication of access to the common resources of other computers LanMan Hash, or simply LM Hash, of the same 16-byte length. Algorithms of the formation of these hashes are following: NT Hash formation: LM Hash formation:

111 Which FTP transfer mode is required for FTP bounce attack? A. Active Mode B. Passive Mode C. User Mode D. Anonymous Mode

B Explanation: FTP bounce attack needs the server the support passive connections and the client program needs to use PORT command instead of the PASV command.

166 Exhibit: 98 Based on the following extract from the log of a compromised machine, what is the hacker really trying to steal? A. har.txt B. SAM file C. wwwroot D. Repair file

B Explanation: He is actually trying to get the file har.txt but this file contains a copy of the SAM file. 99

126 74 You are conducting an idlescan manually using HPING2. During the scanning process, you notice that almost every query increments the IPID- regardless of the port being queried. One or two of the queries cause the IPID to increment by more than one value. Which of he following options would be a possible reason? A. Hping2 can't be used for idlescanning B. The Zombie you are using is not truly idle C. These ports are actually open on the target system D. A stateful inspection firewall is resetting your queries

B Explanation: If the IPID increments more than one value that means that there has been network traffic between the queries so the zombie is not idle.

181 A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging in. What do you think is the most likely reason behind this? A. There is a NIDS present on that segment. B. Kerberos is preventing it. C. Windows logons cannot be sniffed. D. L0phtcrack only sniffs logons to web servers.

B Explanation: In a Windows 2000 network using Kerberos you normally use pre-authentication and the user password never leaves the local machine so it is never exposed to the network so it should not be able to be sniffed.

104 While doing fast scan using -F option, which file is used to list the range of ports to scan by nmap? A. services B. nmap-services C. protocols D. ports

B Explanation: Nmap uses the nmap-services file to provide additional port detail for almost every scanning method. Every time a port is referenced, it's compared to an available description in this support file. If the nmap-services file isn't available, nmap reverts to the /etc/services file applicable for the current operating system.

196 Password cracking programs reverse the hashing process to recover passwords.(True/False. A. True B. False

B Explanation: Password cracking programs do not reverse the hashing process. Hashing is a one-way process. What these programs can do is to encrypt words, phrases, and characters using the same encryption process and compare them to the original password. A hashed match reveals the true password.

190 _________ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes. A. Trojan B. RootKit C. DoS tool D. Scanner E. Backdoor

B Explanation: Rootkits are tools that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes.

182 You are attempting to crack LM Manager hashed from Windows 2000 SAM file. You will be using LM Brute force hacking tool for decryption. What encryption algorithm will you be decrypting? 109 A. MD4 B. DES C. SHA D. SSL

B Explanation: The LM hash is computed as follows.1. The user's password as an OEM string is converted to uppercase. 2. This password is either null-padded or truncated to 14 bytes. 3. The "fixed-length" password is split into two 7-byte halves. 4. These values are used to create two DES keys, one from each 7-byte half. 5. Each of these keys is used to DES-encrypt the constant ASCII string "KGS!@#$%", resulting in two 8-byte ciphertext values. 6. These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.

151 Which DNS resource record can indicate how long any "DNS poisoning" could last? A. MX B. SOA C. NS D. TIMEOUT

B Explanation: The SOA contains information of secondary servers, update intervals and expiration times.

120 War dialing is one of the oldest methods of gaining unauthorized access to the target systems, it is one of the dangers most commonly forgotten by network engineers and system administrators. A hacker can sneak past all the expensive firewalls and IDS and connect easily into the network. Through wardialing an attacker searches for the devices located in the target network infrastructure that are also accessible through the telephone line. 'Dial backup' in routers is most frequently found in networks where redundancy is required. Dial-on-demand routing(DDR) is commonly used to establish connectivity as a backup. As a security testers, how would you discover what telephone numbers to dial-in to the router? A. Search the Internet for leakage for target company's telephone number to dial-in B. Run a war-dialing tool with range of phone numbers and look for CONNECT Response C. Connect using ISP's remote-dial in number since the company's router has a leased line connection established with them D. Brute force the company's PABX system to retrieve the range of telephone numbers to dial-in

B Explanation: Use a program like Toneloc to scan the company's range of phone numbers.

131 John is a keen administrator, and has followed all of the best practices as he could find on securing his Windows Server. He has renamed the Administrator account to a new name that he is sure cannot be easily guessed. However, there are people who already attempt to compromise his newly renamed administrator account. How is it possible for a remote attacker to decipher the name of the administrator account if it has been renamed? A. The attacker used the user2sid program. B. The attacker used the sid2user program. C. The attacker used nmap with the -V switch. D. The attacker guessed the new name.

B Explanation: User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) from the local or a remote machine Sid2user.exe can then be used to retrieve the names of all the user accounts and more. These utilities do not exploit a bug but call the functions LookupAccountName and LookupAccountSid respectively. What is more these can be called against a remote machine without providing logon credentials save those needed for a null session connection.

193 How can you determine if an LM hash you extracted contains a password that is less than 8 characters long? 115 A. There is no way to tell because a hash cannot be reversed B. The right most portion of the hash is always the same C. The hash always starts with AB923D D. The left most portion of the hash is always the same E. A portion of the hash will be all 0's

B Explanation: When looking at an extracted LM hash, you will sometimes observe that the right most portion is always the same. This is padding that has been added to a password that is less than 8 characters long.

130 SNMP is a protocol used to query hosts, servers, and devices about performance or health status data. This protocol has long been used by hackers to gather great amount of information about remote hosts. Which of the following features makes this possible? (Choose two) A. It used TCP as the underlying protocol. B. It uses community string that is transmitted in clear text. C. It is susceptible to sniffing. D. It is used by all network devices on the market. 77

B,C Explanation: Simple Network Management Protocol (SNMP) is a protocol which can be used by administrators to remotely manage a computer or network device. There are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE' (or PUBLIC and PRIVATE). If an attacker is able to guess a PUBLIC community string, they would be able to read SNMP data (depending on which MIBs are installed) from the remote device. This information might include system time, IP addresses, interfaces, processes running, etc. Version 1 of SNMP has been criticized for its poor security. Authentication of clients is performed only by a "community string", in effect a type of password, which is transmitted in cleartext.

168 As a securing consultant, what are some of the things you would recommend to a company to ensure DNS security? Select the best answers. A. Use the same machines for DNS and other applications B. Harden DNS servers C. Use split-horizon operation for DNS servers D. Restrict Zone transfers E. Have subnet diversity between DNS servers

B,C,D,E Explanation: Explanations: A is not a correct answer as it is never recommended to use a DNS server for any other application. Hardening of the DNS servers makes them less vulnerable to attack. It is recommended to split internal and external DNS servers (called split-horizon operation). Zone transfers should only be accepted from authorized DNS servers. By having DNS servers on different subnets, you may prevent both from going down, even if one of your networks goes down.

143 What ports should be blocked on the firewall to prevent NetBIOS traffic from not coming through the firewall if your network is comprised of Windows NT, 2000, and XP?(Choose all that apply. A. 110 B. 135 C. 139 D. 161 E. 445 F. 1024

B,C,E Explanation: NetBIOS traffic can quickly be used to enumerate and attack Windows computers. Ports 135, 139, and 445 should be blocked.

153 Which of the following tools are used for enumeration? (Choose three.) A. SolarWinds B. USER2SID C. Cheops D. SID2USER E. DumpSec

B,D,E Explanation: USER2SID, SID2USER, and DumpSec are three of the tools used for system enumeration. Others are tools such as NAT and Enum. Knowing which tools are used in each step of the hacking methodology is an important goal of the CEH exam. You should spend a portion of your time preparing for the test practicing with the tools and learning to understand their output.

186 Which of the following LM hashes represent a password of less than 8 characters? (Select 2) A. BA810DBA98995F1817306D272A9441BB B. 44EFCE164AB921CQAAD3B435B51404EE C. 0182BD0BD4444BF836077A718CCDF409 D. CEC52EB9C8E3455DC2265B23734E0DAC E. B757BF5C0D87772FAAD3B435B51404EE F. E52CAC67419A9A224A3B108F3FA6CB6D

B,E Explanation: Notice the last 8 characters are the same

180 Which of the following algorithms can be used to guarantee the integrity of messages being sent, in transit, or stored? (Choose the best answer) A. symmetric algorithms B. asymmetric algorithms C. hashing algorithms D. integrity algorithms

C 108 Explanation: In cryptography, a cryptographic hash function is a hash function with certain additional security properties to make it suitable for use as a primitive in various information security applications, such as authentication and message integrity. A hash function takes a long string (or 'message') of any length as input and produces a fixed length string as output, sometimes termed a message digest or a digital fingerprint.

103 You want to know whether a packet filter is in front of 192.168.1.10. Pings to 192.168.1.10 don't get answered. A basic nmap scan of 192.168.1.10 seems to hang without returning any information. What should you do next? A. Use NetScan Tools Pro to conduct the scan B. Run nmap XMAS scan against 192.168.1.10 61 C. Run NULL TCP hping2 against 192.168.1.10 D. The firewall is blocking all the scans to 192.168.1.10

C Explanation:

106 Exhibit: Please study the exhibit carefully. Which Protocol maintains the communication on that way? A. UDP B. IP C. TCP D. ARP E. RARP

C Explanation: A TCP connection is always initiated with the 3-way handshake, which establishes 63 and negotiates the actual connection over which data will be sent.

183 In the context of password security, a simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is. The brute force method is the most inclusive, although slow. It usually tries every possible letter and number combination in its automated exploration. If you would use both brute force and dictionary methods combined together to have variation of words, what would you call such an attack? A. Full Blown B. Thorough C. Hybrid D. BruteDics

C Explanation: A combination of Brute force and Dictionary attack is called a Hybrid attack or Hybrid dictionary attack. 110

156 Susan has attached to her company's network. She has managed to synchronize her boss's sessions with that of the file server. She then intercepted his traffic destined for the server, changed it the way she wanted to and then placed it on the server in his home directory. What kind of attack is Susan carrying on? 92 A. A sniffing attack B. A spoofing attack C. A man in the middle attack D. A denial of service attack

C Explanation: A man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised.

187 Which of the following is the primary objective of a rootkit? A. It opens a port to provide an unauthorized service B. It creates a buffer overflow C. It replaces legitimate programs D. It provides an undocumented opening in a program

C Explanation: Actually the objective of the rootkit is more to hide the fact that a system has been compromised and the normal way to do this is by exchanging, for example, ls to a version that doesn't show the files and process implanted by the attacker. 112

192 What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stracheldraht have in common? A. All are hacking tools developed by the legion of doom B. All are tools that can be used not only by hackers, but also security personnel C. All are DDOS tools D. All are tools that are only effective against Windows E. All are tools that are only effective against Linux

C Explanation: All are DDOS tools.

189 Exhibit You receive an e-mail with the message displayed in the exhibit. From this e-mail you suspect that this message was sent by some hacker since you have using their e-mail services for the last 2 years and they never sent out an e-mail as this. You also observe the URL in the message and confirm your suspicion about 340590649. You immediately enter the following at the Windows 2000 command prompt. ping 340590649 You get a response with a valid IP address. What is the obstructed IP address in the e-mail URL? 113 A. 192.34.5.9 B. 10.0.3.4 C. 203.2.4.5 D. 199.23.43.4

C Explanation: Convert the number in binary, then start from last 8 bits and convert them to decimal to get the last octet (in this case .5)

158 Eve is spending her day scanning the library computers. She notices that Alice is using a computer whose port 445 is active and listening. Eve uses the ENUM tool to enumerate 93 Alice machine. From the command prompt, she types the following command. For /f "tokens=1 %%a in (hackfile.txt) do net use * \\10.1.2.3\c$ /user:"Administrator" %%a What is Eve trying to do? A. Eve is trying to connect as an user with Administrator privileges B. Eve is trying to enumerate all users with Administrative privileges C. Eve is trying to carry out a password crack for user Administrator D. Eve is trying to escalate privilege of the null user to that of Administrator

C Explanation: Eve tries to get a successful login using the username Administrator and passwords from the file hackfile.txt.

150 Let's imagine three companies (A, B and C), all competing in a challenging global environment. Company A and B are working together in developing a product that will generate a major competitive advantage for them. Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing. With a spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails from company B. How do you prevent DNS spoofing? (Select the Best Answer.) A. Install DNS logger and track vulnerable packets B. Disable DNS timeouts C. Install DNS Anti-spoofing D. Disable DNS Zone Transfer

C Explanation: Explantion: Implement DNS Anit-Spoofing measures to prevent DNS Cache Pollution to occur.

152 Joseph was the Web site administrator for the Mason Insurance in New York, who's main Web site was located at www.masonins.com. Joseph uses his laptop computer regularly to administer the Web site. One night, Joseph received an urgent phone call from his friend, Smith. According to Smith, the main Mason Insurance web site had been vandalized! All of its normal content was removed and replaced with an attacker's message ''Hacker Message: You are dead! Freaks!'' From his office, which was directly connected to Mason Insurance's internal network, Joseph surfed to the Web site using his laptop. In his browser, the Web site looked completely intact. No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the problem. The Web site appeared defaced when his friend visited using his DSL connection. So, while Smith and his friend could see the defaced page, Joseph saw the intact Mason Insurance web site. To help make sense of this problem, Joseph decided to access the Web site using his dial-up ISP. He disconnected his laptop from the corporate internal network and used his modem to dial up the same ISP used by Smith. After his modem connected, he quickly typed www.masonins.com in his browser to reveal the following web page: H@cker Mess@ge: Y0u @re De@d! Fre@ks! After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the entire Web site, and determined that every system file and all the Web content on the server were intact. How did the attacker accomplish this hack? A. ARP spoofing B. SQL injection C. DNS poisoning D. Routing table injection

C Explanation: External calls for the Web site has been redirected to another server by a successful 90 DNS poisoning.

179 Study the snort rule given below: 107 From the options below, choose the exploit against which this rule applies. A. WebDav B. SQL Slammer C. MS Blaster D. MyDoom

C Explanation: MS Blaster scans the Internet for computers that are vulnerable to its attack. Once found, it tries to enter the system through the port 135 to create a buffer overflow. TCP ports 139 and 445 may also provide attack vectors.

147 You have the SOA presented below in your Zone. Your secondary servers have not been able to contact your primary server to synchronize information. How long will the secondary servers attempt to contact the primary server before it considers that zone is dead and stops responding to queries? collegae.edu.SOA,cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600) A. One day B. One hour C. One week D. One month

C Explanation: The numbers represents the following values: 200302028; se = serial number 3600; ref = refresh = 1h 3600; ret = update retry = 1h 604800; ex = expiry = 1w 87 3600; min = minimum TTL = 1h

174 Jonathan being a keen administrator has followed all of the best practices he could find on securing his Windows Server. He renamed the Administrator account to a new name that can't be easily guessed but there remain people who attempt to compromise his newly renamed administrator account. How can a remote attacker decipher the name of the administrator account if it has been renamed? A. The attacker guessed the new name B. The attacker used the user2sid program C. The attacker used to sid2user program D. The attacker used NMAP with the V option

C Explanation: User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) from the local or a remote machine Sid2user.exe can then be used to retrieve the names of all the user accounts and more. These utilities do not exploit a bug but call the functions LookupAccountName and LookupAccountSid respectively. What is more these can be called against a remote machine without providing logon credentials save those needed for a null session connection.

118 You are scanning the target network for the first time. You are able to detect few convention open ports. While attempting to perform conventional service identification by 69 connecting to the open ports, the scan yields either bad or no result. As you are unsure of the protocols in use, you want to discover as many different protocols as possible. Which of the following scan options can help you achieve this? A. Nessus sacn with TCP based pings B. Netcat scan with the switches C. Nmap scan with the P (ping scan) switch D. Nmap with the O (Raw IP Packets switch

D Explanation: -sO IP protocol scans: This method is used to determine which IP protocols are supported on a host. The technique is to send raw IP packets without any further protocol header to each specified protocol on the target machine. If we receive an ICMP protocol unreachable message, then the protocol is not in use. Otherwise we assume it is open. Note that some hosts (AIX, HPUX, Digital UNIX) and firewalls may not send protocol unreachable messages.

123 Study the log below and identify the scan type. tcpdump -w host 192.168.1.10 72 A. nmap R 192.168.1.10 B. nmap S 192.168.1.10 C. nmap V 192.168.1.10 D. nmap -sO -T 192.168.1.10

D Explanation: -sO: IP protocol scans: This method is used to determine which IP protocols are supported on a host. The technique is to send raw IP packets without any further protocol header to each specified protocol on the target machine.

199 You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters. With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results? A. Online Attack B. Dictionary Attack C. Brute Force Attack D. Hybrid Attack

D Explanation: A dictionary attack will not work as strong passwords are enforced, also the minimum length of 8 characters in the password makes a brute force attack time consuming. A hybrid attack where you take a word from a dictionary and exchange a number of letters with numbers and special characters will probably be the fastest way to crack the passwords.

164 Exhibit: 96 What type of attack is shown in the above diagram? A. SSL Spoofing Attack B. Identity Stealing Attack C. Session Hijacking Attack D. Man-in-the-Middle (MiTM) Attack

D Explanation: A man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised.

101 One of the ways to map a targeted network for live hosts is by sending an ICMP ECHO request to the broadcast or the network address. The request would be broadcasted to all hosts on the targeted network. The live hosts will send an ICMP ECHO Reply to the attacker source IP address. You send a ping request to the broadcast address 192.168.5.255. [root@ceh/root]# ping -b 192.168.5.255 WARNING: pinging broadcast address PING 192.168.5.255 (192.168.5.255) from 192.168.5.1 : 56(84) bytes of data. 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time=4.1 ms 64 bytes from 192.168.5.5: icmp_seq=0 ttl=255 time=5.7 ms --- --- --- There are 40 computers up and running on the target network. Only 13 hosts send a reply while others do not. Why? 60 A. You cannot ping a broadcast address. The above scenario is wrong. B. You should send a ping request with this command ping 192.168.5.0-255 C. Linux machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address. D. Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address.

D Explanation: As stated in the correct option, Microsoft Windows does not handle pings to a broadcast address correctly and therefore ignores them.

170 What tool can crack Windows SMB passwords simply by listening to network traffic? Select the best answer. A. This is not possible 102 B. Netbus C. NTFSDOS D. L0phtcrack

D Explanation: Explanations: This is possible with a SMB packet capture module for L0phtcrack and a known weaknesses in the LM hash algorithm.

135 Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing "server publishing"? A. Overloading Port Address Translation B. Dynamic Port Address Translation C. Dynamic Network Address Translation D. Static Network Address Translation

D Explanation: Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.

162 Null sessions are un-authenticated connections (not using a username or password.) to an NT or 2000 system. Which TCP and UDP ports must you filter to check null sessions on your network? A. 137 and 139 B. 137 and 443 C. 139 and 443 D. 139 and 445

D Explanation: NULL sessions take advantage of "features" in the SMB (Server Message Block) 95 protocol that exist primarily for trust relationships. You can establish a NULL session with a Windows host by logging on with a NULL user name and password. Primarily the following ports are vulnerable if they are accessible: 139 TCP NETBIOS Session Service 139 UDP NETBIOS Session Service 445 TCP SMB/CIFS

200 An attacker runs netcat tool to transfer a secret file between two hosts. Machine A: netcat -l -p 1234 < secretfile Machine B: netcat 192.168.3.4 > 1234 He is worried about information being sniffed on the network. How would the attacker use netcat to encrypt the information before transmitting onto the wire? 119 A. Machine A: netcat -l -p -s password 1234 < testfileMachine B: netcat <machine A IP> 1234 B. Machine A: netcat -l -e magickey -p 1234 < testfileMachine B: netcat <machine A IP> 1234 C. Machine A: netcat -l -p 1234 < testfile -pw passwordMachine B: netcat <machine A IP> 1234 - pw password D. Use cryptcat instead of netcat

D Explanation: Netcat cannot encrypt the file transfer itself but would need to use a third party application to encrypt/decrypt like openssl. Cryptcat is the standard netcat enhanced with twofish encryption.

154 What did the following commands determine? C : user2sid \earth guest S-1-5-21-343818398-789336058-1343024091-501 C:sid2user 5 21 343818398 789336058 1343024091 500 Name is Joe Domain is EARTH 91 A. That the Joe account has a SID of 500 B. These commands demonstrate that the guest account has NOT been disabled C. These commands demonstrate that the guest account has been disabled D. That the true administrator is Joe E. Issued alone, these commands prove nothing

D Explanation: One important goal of enumeration is to determine who the true administrator is. In the example above, the true administrator is Joe.

129 Sandra has been actively scanning the client network on which she is doing a vulnerability assessment test. While conducting a port scan she notices open ports in the range of 135 to 139. What protocol is most likely to be listening on those ports? A. Finger B. FTP C. Samba D. SMB

D Explanation: The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT / 2000. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NBT. For this they use TCP port 445.

138 One of your team members has asked you to analyze the following SOA record. What is the TTL? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400. A. 200303028 B. 3600 C. 604800 82 D. 2400 E. 60 F. 4800

D Explanation: The SOA includes a timeout value. This value can tell an attacker how long any DNS "poisoning" would last. It is the last set of numbers in the record.

112 Nathalie would like to perform a reliable scan against a remote target. She is not concerned about being stealth at this point. Which of the following type of scans would be the most accurate and reliable? A. A FIN Scan B. A Half Scan C. A UDP Scan D. The TCP Connect Scan

D Explanation: The connect() system call provided by your operating system is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed, otherwise the port isn't reachable. One strong advantage to this technique is that you don't need any special privileges. This is the fastest scanning method supported by nmap, and is available with the -t (TCP) option. The big downside is that this sort of scan is easily detectable and filterable.

136 What is the following command used for? net use \targetipc$ "" /u:"" A. Grabbing the etc/passwd file B. Grabbing the SAM C. Connecting to a Linux computer through Samba. D. This command is used to connect as a null session E. Enumeration of Cisco routers 81

D Explanation: The null session is one of the most debilitating vulnerabilities faced by Windows. Null sessions can be established through port 135, 139, and 445.

149 A zone file consists of which of the following Resource Records (RRs)? A. DNS, NS, AXFR, and MX records B. DNS, NS, PTR, and MX records C. SOA, NS, AXFR, and MX records D. SOA, NS, A, and MX records

D Explanation: The zone file typically contains the following records: 88 SOA - Start Of Authority NS - Name Server record MX - Mail eXchange record A - Address record

163 What sequence of packets is sent during the initial TCP three-way handshake? A. SYN, URG, ACK B. FIN, FIN-ACK, ACK C. SYN, ACK, SYN-ACK D. SYN, SYN-ACK, ACK

D Explanation: This is referred to as a "three way handshake." The "SYN" flags are requests by the TCP stack at one end of a socket to synchronize themselves to the sequence numbering for this new sessions. The ACK flags acknowlege earlier packets in this session. Obviously only the initial packet has no ACK flag, since there are no previous packets to acknowlege. Only the second packet (the first response from a server to a client) has both the SYN and the ACK bits set.

167 Exhibit: The following is an entry captured by a network IDS. You are assigned the task of analyzing this entry. You notice the value 0x90, which is the most common NOOP instruction for the Intel processor. You figure that the attacker is attempting a buffer overflow attack. You also notice "/bin/sh" in the ASCII part of the output. As an analyst what would you conclude about the attack? A. The buffer overflow attack has been neutralized by the IDS B. The attacker is creating a directory on the compromised machine C. The attacker is attempting a buffer overflow attack and has succeeded D. The attacker is attempting an exploit that launches a command-line shell

D Explanation: This log entry shows a hacker using a buffer overflow to fill the data buffer and trying to insert the execution of /bin/sh into the executable code part of the thread. It is probably an existing exploit that is used, or a directed attack with a custom built buffer overflow with the "payload" that launches the command shell. 100

197 While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an 117 attack or other wrong doing. However, you are concerned about affecting the normal functionality of the email server. From the following options choose how best you can achieve this objective? A. Block port 25 at the firewall. B. Shut off the SMTP service on the server. C. Force all connections to use a username and password. D. Switch from Windows Exchange to UNIX Sendmail. E. None of the above.

E Explanation: Blocking port 25 in the firewall or forcing all connections to use username and password would have the consequences that the server is unable to communicate with other SMTP servers. Turning of the SMTP service would disable the email function completely. All email servers use SMTP to communicate with other email servers and therefore changing email server will not help.

137 What is the proper response for a NULL scan if the port is closed? A. SYN B. ACK C. FIN D. PSH E. RST F. No response

E Explanation: Closed ports respond to a NULL scan with a reset.

191 What is the BEST alternative if you discover that a rootkit has been installed on one of your computers? 114 A. Copy the system files from a known good system B. Perform a trap and trace C. Delete the files and try to determine the source D. Reload from a previous backup E. Reload from known good media

E Explanation: If a rootkit is discovered, you will need to reload from known good media. This typically means performing a complete reinstall.

110 You want to scan the live machine on the LAN, what type of scan you should use? A. Connect B. SYN C. TCP D. UDP E. PING

E Explanation: The ping scan is one of the quickest scans that nmap performs, since no actual ports are queried. Unlike a port scan where thousands of packets are transferred between two stations, a ping scan requires only two frames. This scan is useful for locating active devices or determining if ICMP is passing through a firewall. 65

145 What is the proper response for a NULL scan if the port is open? A. SYN B. ACK C. FIN D. PSH E. RST F. No response

F Explanation: A NULL scan will have no response if the port is open.

134 Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool "SIDExtractor". Here is the output of the SIDs: s-1-5-21-1125394485-807628933-54978560-100Johns s-1-5-21-1125394485-807628933-54978560-652Rebecca s-1-5-21-1125394485-807628933-54978560-412Sheela s-1-5-21-1125394485-807628933-54978560-999Shawn s-1-5-21-1125394485-807628933-54978560-777Somia s-1-5-21-1125394485-807628933-54978560-500chang s-1-5-21-1125394485-807628933-54978560-555Micah From the above list identify the user account with System Administrator privileges. A. John B. Rebecca C. Sheela D. Shawn E. Somia F. Chang G. Micah

F Explanation: The SID of the built-in administrator will always follow this example: S-1-5-domain- 500 80