Ethical Hacking
Which of the following options of Sublist3r allows the user to specify a comma-separated list of search engines?
-e
Which of the following Nbtstat parameters is used to display the count of all names resolved by a broadcast or WINS server?
-r
Which of the following Nmap options is used by an attacker to perform an SCTP COOKIE ECHO scan?
-sZ
A hacker is attempting to check for all the systems alive in the network by performing a ping sweep. Which NMAP switch would the hacker use?
-sn
Which of the following NetBIOS service codes is used to obtain information related to the master browser name for the subnet?
<1D>
Which of the following types of DNS records points to a host's IP address?
A
What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes the received response?
Active
Which of the following protocols is widely used by Internet service providers (ISPs) to maintain huge routing tables and efficiently process Internet traffic?
BGP
Which of the following protocols uses TCP port 179 to enable routers for establishing sessions between them?
BGP
Which of the following activities of an organization on social networking sites helps an attacker footprint or collect information regarding the type of business handled by the organization?
Background checks to hire employees
Which of the following techniques helps the attacker in identifying the OS used on the target host in order to detect vulnerabilities on a target system?
Banner grabbing
In which of the following enumeration techniques does an attacker take advantage of different error messages generated during the service authentication process?
Brute-force active directory
Steve, an attacker, wants to track the most shared content that belongs to the target organization. For this purpose, he used an advanced social search engine that displayed shared activity across all major social networks including Twitter, Facebook, LinkedIn, Google Plus, and Pinterest. What is the tool employed by Steve in the above scenario?
BuzzSumo
Which of the following tools is used for gathering email account information from different public sources and checking whether an email was leaked using the haveibeenpwned.com API?
Infoga
Which of the following protocols uses the port number 88/TCP and can verify the identity of a user or host connected to a network?
Kerberos
Which of the following protocols uses TCP or UDP as its transport protocol over port 389?
LDAP
Which of the following countermeasure should be used to prevent a ping sweep?
Limiting ICMP traffic with access-control lists (ACLs) to the ISP's specific IP addresses
Which of the following operating systems can be identified when scan results show a TTL value of 64 and TCP window size of 5840?
Linux (Kernel 2.4 and 2.6)
Which of the following DNS record type helps in DNS footprinting to determine a domain's mail server?
MX
Which of the following open-source tools would be the best choice to scan a network for potential targets?
NMAP
Which of the following parameters enable NMAP's operating system detection feature?
NMAP -O
Which NMAP command combination would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection?
NMAP -PN -A -O -sS 192.168.2.0/24
Which of the following web services is a repository that contains a collection of user-submitted notes or messages on various subjects and topics?
NNTP Usenet newsgroups
An attacker identified that port 139 on the victim's Windows machine is open and he used that port to identify the resources that can be accessed or viewed on the remote system. What is the protocol that allowed the attacker to perform this enumeration?
NetBIOS
Smith, a professional hacker, has targeted an organization. He employed some footprinting tools to scan through all the domains, subdomains, reachable IP addresses, DNS records, and Whois records to perform further attacks. What is the type of information Smith has extracted through the footprinting attempt?
Network info
Which of the following information is collected using enumeration?
Network resources, network shares, and machine names
Which of the following tools supports the nbstat.nse script that allows attackers to retrieve the target's NetBIOS names and MAC addresses?
Nmap
Which of the following commands displays various options that a user can utilize to obtain a list of words from a target website?
ruby cewl.rb -help
Which of the following tools does an attacker use to perform a query on the platforms included in OSRFramework?
searchfy.py
Which Google search query will search for any files a target certifiedhacker.com may have?
site: certifiedhacker.com filetype:xml | filetype:conf | filetype:cnf | filetype:reg | filetype:inf | filetype:rdp | filetype:cfg | filetype:txt | filetype:ora | filetype:ini
Which Google search query can you use to find mail lists dumped on pastebin.com?
site:pastebin.com intext:*@*.com:*
Which of the following Google search queries allows an attacker to identify the FTP servers of the target organization and identify sensitive directories on FTP?
type:mil inurl:ftp ext:pdf | ps
Which of the following utilities is used by Recon-Dog to detect technologies existing in the target system?
wappalyzer.com
In which of the following scanning techniques does an attacker send a spoofed source address to a computer to determine the available services?
IDLE/IPID header scan
You are performing a port scan with Nmap. You are in a hurry and conducting the scans at the fastest possible speed. What type of scan should you run to get very reliable results?
Connect scan
Ronnie disguised himself as a salesperson, entered a target company, and managed to access phone bills, contact information, and financial information secretly from printer trash bins and user desks to perform further exploitation. What is the attack performed by Ronnie in the above scenario?
Dumpster diving
Which of the following types of techniques is used to prevent IP spoofing by blocking outgoing packets with a source address that is not inside?
Egress filtering
Which of the following tools allows an attacker to extract information such as sender identity, mail server, sender's IP address, location, and so on?
Email tracking tools
Which of the following should NOT be followed when securing an organization from footprinting attacks?
Enabling the geo-tagging functionality on cameras
Which of the following is the best practice to follow to secure a system or network against port scanning?
Ensure that the versions of services running on the ports are non-vulnerable
Which of the following deep and dark web searching tools helps an attacker obtain information about official government or federal databases and navigate anonymously without being traced?
ExonerTor
What type of information is gathered by an attacker through Whois database analysis and tracerouting?
DNS records and related info
Which of the following is NOT an objectives of network scanning?
Discover usernames and passwords
Which of the following countermeasure helps organizations to prevent information disclosure through banner grabbing?
Display false banners
Which of the following footprinting techniques allows an attacker to gather information passively about the target without direct interaction?
Extracting info using Internet archives
Which of the following TCP communication flags is set to "1" to announce that no more transmissions will be sent to the remote system and the connection established by the SYN flag is terminated?
FIN Flag
A pen tester was hired to perform penetration testing on an organization. The tester was asked to perform passive footprinting on the target organization. Which of the following techniques comes under passive footprinting?
Finding the top-level domains (TLDs) and sub-domains of a target through web services
Which of the following scanning tools is a mobile app for Android and iOS that provides complete network information, such as the IP address, MAC address, device vendor, and ISP location?
Fing
Which of the following footprinting techniques allows an attacker to gather information about a target with direct interaction?
Gathering website information using web spidering and mirroring tools
Which of the following techniques is used to create complex search engine queries?
Google hacking
Which of the following ping methods is effective in identifying active hosts similar to the ICMP timestamp ping, specifically when the administrator blocks the conventional ICMP ECHO ping?
ICMP address mask ping scan
Which of the following tools is not a NetBIOS enumeration tool?
OpUtils
Which of the following features in FOCA allows an attacker to find more servers in the same segment of a determined address?
PTR Scanning
A penetration tester was hired to perform a penetration test for a bank. The tester began searching for IP ranges owned by the bank, performing lookups on the bank's DNS servers, reading news articles online about the bank, watching the bank employees time in and out, searching the bank's job postings (paying special attention to IT-related jobs), and visiting the local dumpster for the bank's corporate office. What phase of the penetration test is the tester currently in?
Passive info gathering
What is the default port used by IPSEC IKE protocol?
Port 500
Which of the following types of scanning involves the process of checking the services running on a target computer by sending a sequence of messages to break in?
Port scanning
Which of the following IDS/firewall evasion techniques helps an attacker increase their Internet anonymity?
Proxy chaining
Which of the following command-line tools displays the CPU and memory information or thread statistics?
PsList
Passive reconnaissance involves collecting information through which of the following?
Publicly accessible sources
What information is gathered about the victim using email tracking tools?
Recipient's IP address, geolocation, proxy detection, operating system, and browser information
Which results will be returned with the following Google search query? site:target.com -site:Marketing.target.com accounting
Results matching "accounting" in domain target.com but not on the site Marketing.target.com
Which of the following DNS record types indicates the authority for a domain of the target DNS server?
SOA
You are doing research on SQL injection attacks. Which of the following combination of Google operators will you use to find all Wikipedia pages that contain information about SQL, injection attacks, or SQL injection techniques?
SQL injection site:Wikipedia.org
Which of the following scanning techniques is used by an attacker to check whether a machine is vulnerable to UPnP exploits?
SSDP scanning
Which of the following tools is a network scanner for iPhone and iPad that is used to scan LAN, Wi-Fi networks, websites, open ports, and network devices and can support several networking protocols?
Scany
Sean works as a professional ethical hacker and penetration tester. He is assigned a project for information gathering on a client's network. He started penetration testing and was trying to find out the company's internal URLs, looking for any information about the different departments and business units. Sean was unable find any information. What should Sean do to get the information he needs?
Sean should use Sublist3r tool
What is the output returned by search engines when extracting critical details about a target from the Internet?
Search engine results pages ("SERPs")
Which of the following activities of a user on social networking sites helps an attacker footprint or collect the identity of the user's family members, the user's interests, and related information?
Sharing photos and videos
Robert, an attacker, targeted a high-level executive of an organization and wanted to obtain information about the executive on the Internet. He employed a tool through which he discovered the target user on various social networking sites, along with the complete URL. What is the tool used by Robert in the above scenario?
Sherlock
Sean works as a penetration tester in ABC firm. He was asked to gather information about the target company. Sean begins with social engineering by following the steps: Secretly observes the target to gain critical information Looks at employee's password or PIN code with the help of binoculars or a low-power telescope Based on the above description, identify the social engineering technique.
Shoulder surfing
Smith works as a professional Ethical Hacker with a large MNC. He is a CEH certified professional and was following the CEH methodology to perform the penetration testing. He is assigned a project for information gathering on a client's network. He started penetration testing and was trying to find out the company's internal URLs, (mostly by trial and error), looking for any information about the different departments and business units. Smith was unable to find any information. What should Smith do to get the information he needs?
Smith should use online services such as netcraft.com to find the company's internal URLs
In which of the following footprinting threats does an attacker collect information directly and indirectly through persuasion without using any intrusion methods?
Social Engineering
Which of the following is the direct approach technique that serves as the primary source for attackers to gather competitive intelligence?
Social engineering
In website footprinting, which of the following information is acquired by the attacker when they examine the cookies set by the server?
Software in use and its behavior
A security engineer is attempting to perform scanning on acompany's internal network to verify security policies of their networks. The engineer uses the following NMAP command: nmap -n -sS -P0 -p 80 ***.***.**.**. What type of scan is this?
Stealth scan
Which of the following protocols provides reliable multiprocess communication service in a multinetwork environment?
TCP
Which of the following port numbers is used by the Windows NetBIOS session service for both null-session establishment as well as file and printer sharing?
TCP 139
Which of the following scans detects when a port is open after completing the three-way handshake, establishes a full connection, and closes the connection by sending an RST packet?
TCP connect scan
Which of the following is the active banner grabbing technique used by an attacker to determine the OS running on a remote target system?
TCP sequence ability test
Which of the following port number is used to exploit vulnerabilities within DNS servers to launch attacks?
TCP/UDP 53
Jake, an attacker, is performing an attack on a target organization to gather sensitive information. In this process, he exploited the protocol running on port 23 to perform banner grabbing on other protocols, such as SSH and SMTP, as well as brute-forcing attacks on login credentials. Which of the following protocols is running on port 23?
Telnet
A penetration tester is conducting a port scan on a specific host. The tester found several open ports that were confusing in concluding the operating system (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS? Starting NMAP 7.70 at 2018-03-15 11:06 NMAP scan report for 172.16.40.65 Host is up (1.00s latency). Not shown: 993 closed ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 80/tcp open http 139/tcp open netbios-ssn 515/tcp open 631/tcp open ipp 9100/tcp open MAC Address: 00:00:48:0D:EE:89
The host is likely a printer
Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the network's IDS?
Timing options to slow the speed that the port scan is conducted
Which of the following tools are useful in extracting information about the geographical location of routers, servers, and IP devices in a network?
Traceroute tools
InfoTech Security hired a penetration tester Sean to do physical penetration testing. On the first day of his assessment, Sean goes to the company posing as a repairman and starts checking trash bins to collect the sensitive information. What is Sean trying to do?
Trying to attempt social engineering by dumpster diving
Which of the following ports provides a name-resolution service for computers running NetBIOS that is also known as the Windows Internet Name Service (WINS)?
UDP 137
While performing a UDP scan of a subnet, you receive an ICMP reply of Code 3/Type 3 for all the pings you have sent out. What is the most likely cause of this?
UDP port is closed
Which of the following countermeasures is used to avoid banner grabbing attacks?
Use ServerMask tools to disable or change banner information
Which of the following is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system?
WHOIS lookup
Which of the following tools consists of a publicly available set of databases that contain personal information of domain owners?
WHOIS lookup tools
If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP?
hping
Which of the following Hping3 command is used to perform ACK scan?
hping3 -A <IP Address> -p 80
Which of the following hping commands is used by an attacker to collect the initial sequence number?
hping3 192.168.1.103 -Q -p 139 -s
An attacker is using the scanning tool Hping to scan and identify live hosts, open ports, and services running on a target network. He/she wants to collect all the TCP sequence numbers generated by the target host. Which of the following Hping commands he/she needs to use to gather the required information?
hping3 <Target IP> -Q -p 139 -s
Which of the following is the Google dork that helps an attacker find the configuration pages for online VoIP devices?
intitle:"Sipura.SPA.Configuration" -.pdf
Which one of the following is a Google search query used for VoIP footprinting to extract Cisco phone details?
inurl:"NetworkConfiguration" cisco
Robin, a professional hacker, targeted an organization for financial benefit. He initiated footprinting attacks on the target organization. In this process, he used an advanced Google search query that returns a list of FTP servers by IP address, which are mostly Windows NT servers with guest login capabilities. What is the advanced Google search query employed by Robin in the above scenario?
inurl:~/ftp://193 filetype:(php | txt | html | asp | xml | cnf | sh) ~'/html'
Which of the following web services provides useful information about a target company, such as the market value of the company's shares, company profile, and competitor details?
investing.com
Which of the following windows utilities allow an attacker to perform NetBIOS enumeration?
nbtstat
