CEH Ch. 5 Questions
You see the following command in a Linux history file review: someproc & Which of the following best describe the command result? (Choose two) A. The process "someproc" will stop when the user logs out. B. The process "someproc" will continue to run when the user logs out. C. The process "someproc" will run as a background task. D. The process "someproc" will prompt the user when logging off.
A, C. The ampersand (&) after the command dictates that the process should run in the background. When the user logs out, the shell's jobs receive SIGHUP, and a process that has not been told to ignore it dies with the session. Nothing here makes the process persistent; that requires starting it as nohup someproc & (nohup sets SIGHUP to "ignore" before launching the program), or detaching it from the session with setsid or disown.
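The behaviour the answer describes, as an added example that is not part of the original study guide: a child is started with the default SIGHUP disposition (what a plain someproc & job has) or with SIGHUP ignored (what nohup arranges before exec), then sent the hangup signal a logout delivers. The example assumes a Linux or other POSIX host with a sleep binary on the PATH.

```python
import signal
import subprocess


def spawn_sleeper(ignore_hangup: bool) -> subprocess.Popen:
    """Start a long-running child (sleep 60) in the background.

    With ignore_hangup=True the child sets SIGHUP to SIG_IGN before exec().
    An ignored disposition survives exec(), which is exactly how nohup(1)
    works. With False the disposition is forced to SIG_DFL (terminate),
    which is what a plain "someproc &" job inherits from an interactive shell.
    """

    def set_hup_disposition() -> None:
        # Runs in the child between fork() and exec().
        action = signal.SIG_IGN if ignore_hangup else signal.SIG_DFL
        signal.signal(signal.SIGHUP, action)

    return subprocess.Popen(
        ["sleep", "60"],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        preexec_fn=set_hup_disposition,
    )


def survives_hangup(proc: subprocess.Popen, grace: float = 1.0) -> bool:
    """Deliver SIGHUP, as a logout does, and report whether the child kept running.

    A surviving child is killed afterwards so the example leaves no stray process.
    """
    proc.send_signal(signal.SIGHUP)
    try:
        proc.wait(timeout=grace)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.wait()
        return True
    # Exited: for the plain child returncode is -SIGHUP, i.e. killed by the hangup.
    return False


def demo() -> dict:
    """Run both cases; on a normal POSIX box this is {'plain': False, 'nohup': True}."""
    return {
        "plain": survives_hangup(spawn_sleeper(ignore_hangup=False)),
        "nohup": survives_hangup(spawn_sleeper(ignore_hangup=True)),
    }


if __name__ == "__main__":
    for name, alive in demo().items():
        print(f"{name:5s}: {'survived' if alive else 'died'} after SIGHUP")
```

During a history review, the presence or absence of nohup (or setsid, disown, screen, tmux) in front of a suspicious command therefore tells you whether the attacker expected the process to outlive the session.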
Which of the following best describes steganography? A. Steganography is used to hide information within existing files. B. Steganography is used to create hash values of existing files. C. Steganography is used to encrypt data communications, allowing files to be passed unseen. D. Steganography is used to create multimedia communication files.
A. Steganography hides information inside a carrier file, where it lies unnoticed until the recipient extracts it. Information can be hidden in virtually any file, although image, audio, and video files are the traditional carriers because small changes to their samples are imperceptible. Note the contrast with option C: steganography conceals the existence of the data, whereas encryption conceals only its content; the two are often combined.
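The classic image technique, least-significant-bit (LSB) embedding, as an added example that is not part of the original study guide. Instead of a real image file it uses a constructed byte string standing in for raw 8-bit pixel samples; the layout (a 32-bit length prefix followed by the payload, one bit per sample) is an assumption of this example, not a standard format. The last function shows why the hiding works: no sample changes by more than one unit.

```python
import random

HEADER_BYTES = 4  # big-endian payload length, so the extractor knows where to stop


def make_cover(n: int, seed: int = 1) -> bytes:
    """Constructed stand-in for raw 8-bit pixel samples (not a real image file)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of successive cover bytes."""
    data = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    if len(data) * 8 > len(cover):
        raise ValueError(f"cover too small: need {len(data) * 8} samples, have {len(cover)}")
    out = bytearray(cover)
    pos = 0
    for byte in data:
        for shift in range(7, -1, -1):  # most significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def _read_bytes(stego: bytes, start: int, nbytes: int) -> bytes:
    """Reassemble nbytes from the LSBs of stego[start : start + nbytes * 8]."""
    result = bytearray()
    for i in range(nbytes):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[start + i * 8 + j] & 1)
        result.append(value)
    return bytes(result)


def extract_lsb(stego: bytes) -> bytes:
    """Recover the payload; rejects carriers whose length header cannot be right."""
    length = int.from_bytes(_read_bytes(stego, 0, HEADER_BYTES), "big")
    if (HEADER_BYTES + length) * 8 > len(stego):
        raise ValueError("length header does not fit the carrier: not embedded with this layout")
    return _read_bytes(stego, HEADER_BYTES * 8, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB embedding can never exceed 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover(4096)
    stego = embed_lsb(cover, b"meet at 0300, bring the drive")
    print(extract_lsb(stego), "max change:", max_sample_change(cover, stego))
```

A detection note follows from the last function: since the change is confined to the lowest bit, visual inspection is useless, and stego detection instead looks at the statistical distribution of LSBs, which natural images do not have perfectly random.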
Which of the following can migrate the machine's actual operating system into a virtual machine? A. Hypervisor-level rootkit B. Kernel-level rootkit C. Virtual rootkit D. Library-level rootkit
A. EC-Council (ECC) defines the hypervisor-level rootkit as one that loads itself beneath the running operating system as a hypervisor and migrates the original OS into a virtual machine, so the rootkit sits below everything the OS and its security tools can inspect.
After gaining access to a Windows machine, you see the last command executed on the box looks like this: net use F: \\MATTBOX\BankFiles /persistent:yes Assuming the user had appropriate credentials, which of the following are true? (Choose all that apply) A. In Windows Explorer, a folder will appear under the root directory named BankFiles. B. In Windows Explorer, a drive will appear denoted as BankFiles (\\MATTBOX) (F:). C. The mapped drive will remain mapped after a reboot. D. The mapped drive will not remain mapped after a reboot.
B, C. net use maps a remote share to a local drive letter. This command connects to the shared folder BankFiles on MATTBOX and presents it as drive F: on the local machine, so Windows Explorer shows it as BankFiles (\\MATTBOX) (F:); nothing appears under the local root directory. The /persistent:yes switch stores the mapping in the user's profile so it is reconnected at every logon, surviving reboots until it is removed with net use F: /delete.
Examining a database server during routine maintenance you discover an hour of time missing from the log file, during what would otherwise be normal operating hours. Further investigation reveals no user complaints on accessibility. Which of the following is the most likely explanation? A. The log file is simply corrupted. B. The server was compromised by an attacker. C. The server was rebooted. D. No activity occurred during the hour time frame.
B. A database server logs nothing for an hour in the middle of the business day, yet no one reported an outage, so the quiet period was not a reboot (which would itself leave traces) and almost certainly not a lack of activity. The most likely explanation is that someone cleared or disabled the log to cover their tracks. Treat it as a compromise: preserve the evidence and call the incident response team.
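The check a SOC would automate for this scenario, as an added example that is not part of the original study guide: scan a log for gaps between consecutive entries longer than a threshold, flagging only those that overlap business hours, since a quiet evening is normal and a quiet mid-morning is not. The log lines are constructed for the example (a syslog-style PostgreSQL log is assumed); the 08:00 to 18:00 window and the one-hour threshold are assumptions to tune per environment.

```python
from datetime import datetime, timedelta

# Constructed sample: one business day of database log lines with an hour-long
# hole in the middle of the morning and a quiet stretch after close of business.
SAMPLE_LOG = """\
2024-03-12 08:58:01 db1 postgres[4120]: connection authorized: user=app database=bank
2024-03-12 09:14:37 db1 postgres[4120]: statement: SELECT balance FROM accounts WHERE id = 17
2024-03-12 09:59:50 db1 postgres[4122]: connection authorized: user=app database=bank
2024-03-12 11:03:12 db1 postgres[4130]: connection authorized: user=app database=bank
2024-03-12 11:58:10 db1 postgres[4130]: statement: UPDATE accounts SET balance = 120 WHERE id = 17
2024-03-12 12:52:44 db1 postgres[4131]: connection authorized: user=app database=bank
2024-03-12 13:47:03 db1 postgres[4131]: statement: SELECT count(*) FROM transfers
2024-03-12 14:41:19 db1 postgres[4133]: connection authorized: user=app database=bank
2024-03-12 15:36:55 db1 postgres[4133]: statement: INSERT INTO transfers VALUES (901, 17, 42, 50)
2024-03-12 16:30:27 db1 postgres[4135]: connection authorized: user=app database=bank
2024-03-12 17:25:08 db1 postgres[4135]: disconnection: session time: 0:54:41 user=app
2024-03-12 18:20:00 db1 postgres[4100]: checkpoint complete
2024-03-12 21:45:00 db1 postgres[4100]: checkpoint complete
"""

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_timestamps(log_text: str) -> list:
    """Pull the leading timestamp from each non-empty line."""
    stamps = []
    for line in log_text.splitlines():
        if line.strip():
            stamps.append(datetime.strptime(line[:19], TIMESTAMP_FORMAT))
    return stamps


def overlaps_business_hours(start: datetime, end: datetime,
                            open_hour: int = 8, close_hour: int = 18) -> bool:
    """True if any part of [start, end) falls inside a day's business-hours window."""
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day <= end:  # walk each calendar day the interval touches
        window_start = day + timedelta(hours=open_hour)
        window_end = day + timedelta(hours=close_hour)
        if max(start, window_start) < min(end, window_end):
            return True
        day += timedelta(days=1)
    return False


def find_gaps(stamps: list, threshold: timedelta = timedelta(hours=1),
              business_only: bool = True) -> list:
    """Return (previous, next) pairs whose spacing is at least the threshold."""
    stamps = sorted(stamps)
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        if cur - prev < threshold:
            continue
        if business_only and not overlaps_business_hours(prev, cur):
            continue
        gaps.append((prev, cur))
    return gaps


if __name__ == "__main__":
    for prev, cur in find_gaps(parse_timestamps(SAMPLE_LOG)):
        print(f"suspicious silence: {prev} -> {cur} ({cur - prev})")
```

Run against the sample, the 09:59 to 11:03 hole is reported and the 18:20 to 21:45 stretch is not. In practice you would also correlate the flagged window with the log-shipping destination (a SIEM copy that still has the entries is strong evidence the local file was edited) and with the server's event log for a service restart.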
Which of the following would be considered a passive online password attack? A. Guessing passwords against an IPC$ share B. Sniffing subnet traffic to intercept a password C. Running John the Ripper on a stolen copy of the SAM D. Sending a specially crafted PDF to a user for that user to open
B. A passive online attack does not interact with the victim's authentication: the attacker sniffs traffic to capture passwords sent in clear text, or captures the whole authentication exchange in the hope of replaying it or mounting a man-in-the-middle attack. Options A and D are active online attacks, and C is an offline attack.
An attacker has hidden badfile.exe in the readme.txt file. Which of the following is the correct command to execute the file? A. start readme.txt>badfile.exe B. start readme.txt:badfile.exe C. start badfile.exe>readme.txt D. start badfile.exe | readme.txt
B. The command start readme.txt:badfile.exe says "Start the executable badfile.exe that is hidden in the NTFS alternate data stream (ADS) named badfile.exe of readme.txt." In other variants of this question, the attacker creates a link and executes it simply by typing the link name (for example, mklink innocent.exe readme.txt:badfile.exe creates a symbolic link, and the bad file can then be run just by typing innocent); newer Windows versions refuse to launch an executable stream directly with start, which is why the link trick is used. ADSs exist only on NTFS and do not show in a plain dir listing or in the file's size; dir /r (Vista and later) or PowerShell's Get-Item -Stream * lists them, and copying the file to a FAT volume silently drops the hidden stream.
A user on Joe's network does not need to remember a long password. Users on Joe's network log in using a token and a four-digit PIN. Which authentication measure best describes this? A. Multifactor authentication B. Three-factor authentication C. Two-factor authentication D. Token authentication
C. Joe's users authenticate with something they have (the token) and something they know (the PIN), so this is two-factor authentication. Multifactor (A) is the umbrella term rather than the best description, and a token plus a PIN is two factors, not three.
Which encryption standard is used by LM? A. MD5 B. SHA-1 C. DES D. SHA-2 E. 3DES
C. LAN Manager (LM), an old and long-deprecated authentication scheme, builds its password hash with DES: the password is converted to uppercase, padded with nulls to 14 bytes and split into two 7-byte halves, and each half is used as a DES key to encrypt the constant string KGS!@#$%. The two 8-byte ciphertexts concatenated form the 16-byte LM hash.
While pen-testing a client, you discover that LM hashing, with no salting, is still engaged for backward compatibility on most systems. One stolen password hash reads 9FAF6B755DC38E12AAD3B435B51404EE. Is this user following good password procedures? A. Yes, the hash shows a 14-character, complex password. B. No, the hash shows a 14-character password; however, it is not complex. C. No, the hash reveals a seven-character-or-less password has been used. D. It is impossible to determine simply by looking at the hash.
C. LM pads a password with nulls to 14 characters (after converting it to uppercase), splits it into two 7-character halves, and processes each half separately. Because the second half of the hash is the constant AAD3B435B51404EE whenever the upper seven characters are all padding, the hash shows that the user's password is seven characters or fewer. Since CEH recommends a minimum of eight characters, complexity, and a 30-day expiry, the user is not following good policy. Note also that LM hashes are unsalted, so the same password produces the same hash on every machine, which is what makes precomputed (rainbow) tables effective against them.
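The triage step a tester performs on a hash dump, as an added example that is not part of the original study guide: it reads the two-halves structure described above and classifies each LM hash without cracking it. The sample dump is constructed in pwdump style (user:rid:lm:nt:::); its first LM hash is the one from the question, the second is the empty-password value, and the third is the widely published LM hash of the word "password". The zeroed NT hashes are placeholders, not real values.

```python
import re

# Second half of an LM hash whose upper seven password characters are all
# padding: DES-encrypting "KGS!@#$%" under a key built from seven NUL bytes
# always yields this value, which is the tell-tale in the question.
EMPTY_HALF = "AAD3B435B51404EE"

# pwdump/secretsdump-style record: user:rid:lm_hash:nt_hash:::
DUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9A-Fa-f]{32}):(?P<nt>[0-9A-Fa-f]{32}):::$"
)

# Constructed sample dump (see lead-in). Zeroed NT hashes are placeholders.
SAMPLE_DUMP = """\
Administrator:500:9FAF6B755DC38E12AAD3B435B51404EE:00000000000000000000000000000000:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
svc_backup:1105:E52CAC67419A9A224A3B108F3FA6CB6D:00000000000000000000000000000000:::
"""


def classify_lm(lm_hex: str) -> str:
    """Describe what an LM hash reveals about the password without cracking it."""
    h = lm_hex.upper()
    if len(h) != 32 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError(f"not a 32-hex-digit LM hash: {lm_hex!r}")
    first, second = h[:16], h[16:]
    if first == EMPTY_HALF and second == EMPTY_HALF:
        return "empty password, or LM hash not stored (NoLMHash policy)"
    if first == EMPTY_HALF:
        # Lower seven characters blank while upper ones are set cannot come from LM.
        return "malformed: lower half blank but upper half set"
    if second == EMPTY_HALF:
        return "password is 1-7 characters; only the first DES block needs cracking"
    return "password is 8-14 characters; both halves must be cracked, but independently"


def triage_dump(dump_text: str) -> list:
    """Parse pwdump-style lines and return [(user, verdict), ...], skipping junk lines."""
    findings = []
    for line in dump_text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        findings.append((m.group("user"), classify_lm(m.group("lm"))))
    return findings


if __name__ == "__main__":
    for user, verdict in triage_dump(SAMPLE_DUMP):
        print(f"{user:15s} {verdict}")
```

Even the "8-14 characters" verdict is weak news for the defender: each half is an uppercase-only 7-character DES key, so the two halves are cracked separately and the effective search space never exceeds seven characters.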
Where is the SAM file stored on a Windows 7 system? A. \etc\ B. C:\Windows\System32\etc\ C. C:\Windows\System32\Config\ D. C:\Windows\System32\Drivers\Config
C. The SAM hive is stored in the same folder on most Windows machines: C:\Windows\System32\Config\ (the file is named SAM, with no extension). The kernel holds it open with an exclusive lock while Windows is running, so attackers copy it from a volume shadow copy or export it with reg save HKLM\SAM, together with the SYSTEM hive that holds the boot key needed to decrypt the hashes.
Which of the following best describes a hybrid attack? A. The attack uses a dictionary list, trying words from random locations in the file until the password is cracked. B. The attack tries random combinations of characters until the password is cracked. C. The attack uses a dictionary list, substituting letters, numbers, and characters in the words until the password is cracked. D. The attack uses rainbow tables, randomly attempting hash values throughout the list until the password is cracked.
C. A hybrid attack starts from a dictionary list and mangles it: it substitutes digits and symbols for letters, toggles case, and appends or prepends a character or two, trying every variant of each word in an attempt to crack passwords that are really just "a dictionary word plus a tweak". In cost it sits between a pure dictionary attack and brute force, and it defeats the common habit of satisfying a complexity rule with P4ssw0rd! rather than a genuinely random password.
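The mangling logic of a hybrid attack, as an added example that is not part of the original study guide. It expands each dictionary word into case, "leet" substitution and suffix variants and tests them against a target hash. SHA-256 is used as a stand-in target hash function purely so the example runs with the standard library (LM and NT hashes would need DES and MD4); the substitution table and suffix list are assumptions chosen for illustration, and real tools ship far larger rule sets.

```python
import hashlib
import itertools

# Common "leet" substitutions; every subset of the applicable positions is tried.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
# Things people bolt onto a dictionary word to satisfy a complexity rule.
SUFFIXES = ("", "1", "123", "!", "2024")


def sha256_hex(text: str) -> str:
    """Stand-in for the target hash function (assumption: SHA-256 instead of LM/NT)."""
    return hashlib.sha256(text.encode()).hexdigest()


def leet_variants(word: str):
    """Yield the word with every combination of LEET substitutions applied (2**k variants)."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    for n in range(len(positions) + 1):
        for combo in itertools.combinations(positions, n):
            chars = list(word)
            for i in combo:
                chars[i] = LEET[word[i].lower()]
            yield "".join(chars)


def hybrid_candidates(wordlist):
    """Expand each dictionary word into case, leet and suffix variants, without duplicates."""
    seen = set()
    for word in wordlist:
        for base in (word.lower(), word.capitalize(), word.upper()):
            for variant in leet_variants(base):
                for suffix in SUFFIXES:
                    candidate = variant + suffix
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate


def crack(target_hex: str, wordlist, hash_fn=sha256_hex):
    """Return the first candidate whose hash matches target_hex, or None if the list is exhausted."""
    for candidate in hybrid_candidates(wordlist):
        if hash_fn(candidate) == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed target: the hash of a "complex" password built from a dictionary word.
    target = sha256_hex("P4ssw0rd!")
    print("recovered:", crack(target, ["welcome", "password", "letmein"]))
```

The candidate generator is a plain generator so the attack streams rather than materialising the whole mangled list; with a 50,000-word dictionary, three case forms, up to 2**k leet variants per word and five suffixes, that list is easily tens of millions of entries.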