Study Guide
If you want your nmap scan to blend in the regular network traffic and scan in the slowest possible speed, what is the command line options to be used?
-T0
You are configuring a Wireshark filter and want to look at all NTP packets. Which port should you filter on?
123
Which port number is used by DNS for zone transfers?
53 TCP
Which DNS record type maps an IP address to a hostname and is used most often for DNS lookups?
A
A full-open scan means that the three-way handshake has been completed, what is the difference between this and a half-open scan?
A half-open removes the final ACK
What separates a suicide hacker from other attackers?
A lack of fear of being caught
What is an ICMP Echo scan?
A ping sweep
Which of the following best describes the role that the U.S. Computer Security Indient Response Team (CSIRT) provides?
A reliable and consistent point of contact for all incident response services for associates of the Department of Homeland Security
MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client?
A reverse ARP request maps to two hosts.
Which best describes a vulnerability scan?
A way to automate the discovery of vulnerabilities
An ethical hacker is hired to test the security of a business network. The CEH is given no prior knowledge of the network and has a specific framework in which to work, defining boundaries, nondisclosure agreements, and the completion date.
A white hat is attempting a black-box test
What is missing from a half-open scan?
ACK
What technique funnels all traffic back to a single client, allowing sniffing from all connected hosts?
ARP poisoning
Footprinting has two types:
Active and passive
What can be configured in most search engines to monitor and alert you of changes to content?
Alerts
There are 5 regional Internet registries, what are their functionalities?
Allocating IP addresses to different regions
An IDS installed on the network perimeter sees a spike in traffic during off-duty hours and begins logging and alerting. Which type of IDS is in place?
Anomaly-based
Which of the following intrusion detection tools generally generates more false alarms?
Anomaly-based IDS
How do you look for zero day threats?
As it is a threat without known fix, you mainly depend on exploit news or zero day outbreaks for this kind of threat
Why you may prefer tcpdump than Wireshark in certain situations?
As it is command line based tool, it is easier to dump result to a file or transferring result to a forensic workstation
a member of a pen test team newly hired to test a bank's security. She begins searching for IP addresses the bank may own by searching public records on the Internet. She also looks up news articles and job postings to discover information that may be valuable. What phase of the pen test is Sally working?
Assessment
What info you are looking for during footprinting of a target?
Business functions Network range Physical security measures
You have an FTP service and an HTTP site on a single server. Which DNS record allows you to alias both services to the same record (IP address)?
CNAME
What common tool can be used for launching an ARP-poisoning attack?
Cain and Abel
Which of the following is a passive footprinting method?
Checking DNS replies for network mapping purpose Collecting information through publicly accessible sources
You are examining the output of a recent SYN scan. You see a port from one machine has returned an RST/ACK. What is the state of the port?
Closed
You are running an IDLE scan and send the first packet to the target machine. Next, the SYN/ACK packet is sent to the zombie. The IPID on the return packet from the zombie is 36754. If the starting IPID was 36753, in what state is the port on the target machine?
Closed
A white box test means the tester has which of the following?
Complete knowledge
Which of the following forms are usually malicious?
Computer Viruses
What is DNS cache poisoning?
DNS server caches bogus IP addresses for certain domain names
An SOA record gathered from a zone transfer is shown here:IN SOA DNSRV1.anycomp.com. postmaster.anycomp.com. (4 ; serial number3600 ; refresh[1h]600; retry[10m]86400; expire[1d]3600 ); min TTL[1h]What is the name of the authoritative DNS server for the domain, and how often will secondary servers check in for updates?
DNSRV1.anycomp.com, 3,600 seconds
Which of the following is not a flag on a packet?
END
Port scanning can be used to discover open ports on one or a few boxes running on a network, but it cannot be used to scan the entire subnet.
False
Threat and Vulnerability are the same thing in cybersecurity
False
What is the purpose of social engineering?
Gain information from a human being
Which of the following protocol traffic can be easily sniffed?
HTTP, TFTP, SNMP
Which of the following describes an attacker who goes after a target to draw attention to a cause?
Hacktivist
An ethical hacker is sending TCP packets to a machine with the SYN flag set. None of the SYN/ACK responses on open ports is being answered. Which type of port scan is this?
Half-open
Elements of security include confidentiality, integrity, and availability. Which technique provides for integrity?
Hash
What device will not limit the abilities of a sniffer?
Hub
A banner can?
Identify a service
ICMP protocol is at ________ layer of TCP/IP model.
Internet
Which of the following best describes footprinting?
Investigation of a target
What is the purpose of "dig" command?
It does DNS query
What is ping sweep?
It is about finding out which boxes are running on a network
Every organization tries to achieve CIA (confidentiality, integrity, and availability). Here is the summary of an attack happened in 2020. What kind of attack is this? Twitter saw one of the most brazen online attacks to date when on July 15, 2020, hackers verified Twitter accounts of many high-profile figures and celebrities, everyone from Kim Kardashian and Kanye West to Barack Obama, Elon Musk, and Bill Gates. The successful attack targeted a small number of employees though a phone spear phishing campaign, granting hackers access to Twitter's internal support system which then enabled them to target additional employees. According to Twitter, using the acquired credentials, 130 Twitter accounts were targeted, with the hackers Tweeting from 45, accessing the direct messaging inbox of 36 and downloading the Twitter Data of 7. Twitter Support released a statement saying...
It is an attack on Confidentiality and Integrity
What is the presentation layer in OSI model about?
It is designed to put a message into a format all system can understand
In which operating system is OSI network model implemented?
It is not implemented in any operating system network stack
Which of the following is true for IDLE scan?
It is not noisy and can not be easily identified by IDS It is stealthy but you need to get one additional box as zombine/idle box for it to work
What does SYN segment mean?
It means the SYN bit in TCP segment is set to 1
What is a MX record in DNS?
It specifies the email server for a domain
If you send FIN scan to a closed port, what will happen?
It will return RST packet if the port is closed
Which of the following is the best for an attacker to use to determine the technology within an organization?
Job boards
You've been hired to test security for a business headquartered in Chile. Which regional registry would be the best place to go for network range determination?
LACNIC
MAC address is the address at which layer of TCP/IP model?
Layer 1 (Network Access)
What level of knowledge about hacking does a script kiddie have?
Low
Bob is attempting to sniff a wired network in his first pen test contract. He sees only traffic from the segment he is connected to. What can Bob do to gather all switch traffic?
MAC flooding
Which of the following are approriate active sniffing techniques against a switched network?
MAC flooding ARP poisoning
While footpriting a network, you successfully perform a zone transfer. Which DNS record in the zone transfer indicates the company's e-mail server?
MX
Which of the following types of attacks has no flags set?
NULL
Which of the following is used for identifying a web server OS?
Netcraft
Which of the following is used to perform network scans?
Nmap
Which of the following represents the broadcast address prefix for IPv6?
None of the above
If you send XMAS scan to an open port, what will happen?
Nothing will be returned
Footprinting can determine all of the following except:
Number of personnel
Which of the following is a method of manipulating search results?
Operators
As a pen test team member, you begin searching for IP ranges owned by the target organization and discover their network range. You also read job postings and news articles and visit the organization's website. Throughout the first week of the test, you also observe when employees come to and leave work and rumage through the trash outside the building for useful information. Which type of footprinting are you accomplishing?
Passive
Is Google hacking passive footprinting or active footprinting?
Passive footprinting
What is the difference between passive and active recon?
Passive recon gathers info without the knowledge of the organization targeted Active recon uses tools and techniques that may or may not be discovered but put your activities as a hacker at more risk of discovery
Which of the following does an ethical hacker require to start evaluating a system?
Permission
An nmap is required to perform what type of scan?
Port Scan
Which of the following cannot be used during footprinting?
Port scanning
What mode must be configured to allow an NIC to capture all traffic on the wire?
Promiscuous mode
Wireshark requires a network card to be able to enter which mode to sniff all network traffic?
Promiscuous mode
During a Xmas scan what indicates a port is closed?
RST
During an FIN scan, what indicates that a port is closed?
RST
Which flag forces a termination of communication in both direction?
RST
Which of the following nmap scan is stealthy?
SYN scan IDLE port scan
A pen tester configures this filter on a wireshark capture: tcp.flags == 0x18. Which TCP flags are being filtered on?
SYN+ACK
What flag or flags are sent in the segment during the second step of the TCP three-way handshake?
SYN/ACK
What is the difference between scanning and footprinting?
Scanning is a more targeted and detail oriented info gathering
Which attacks take advantage of the built-in code and scripts most off-the-shelf application come with?
Shrink-wrap
What is (are) IDS evasion techniques?
Slow down network scanning traffic Flood the network with tons of fake attacks along with true attacks
Which of the following is (are) activing sniffing?
Sniffing traffic using SPAN port Sniffing traffic using MAC Flooding
Which of the following the most widely deployed IDS?
Snort
Which of the following would be effective for social engineering?
Social Networking
Which of the following can help you determine business processes of your target?
Social engineering
Which of the following is correct regarding IP ID (used by IDLE scan)?
Some OS increments IP ID by 1 for the next packet generated IP ID is inside IP header
Which of the following methods of concealment involves a hacker spoofing an IP address to have packets returned directly to him regardless of the routers between sender and receiver?
Source routing
Which of the following can be used to assess physical security?
Street views
His company downsizes, and Joe discovers he will be laid off within a short amount of time. Joe plants viruses and sets about destroying data and settings throughout the network, with no regard to being caught. Which type of hacker is Joe considered to be?
Suicide hacker
Which network device can block sniffing to a single network collision domain?
Switch
An SYN attack uses which protocol?
TCP
Which of the following is correct for TCP connect scan?
TCP 3-way hand shake is finished during the scan when the port is open It is very noisy and can be identified by IDS
The command-line equivalent of Windump is known as?
TCPdump
Which of the following is active footprinting?
Talking to employees of a company
You want to perform banner grabbing against a machine (168.15.22.4) you suspect as being a web server. Assuming you have the correct tools installed, which of the following command-line entries will successfully perform a banner grab?
Telnet 168.15.22.4 80 nc -v -n 168.15.22.4 80
Machine A (with MAC address 00-01-02-AA-BB-CC) and Machine B (00-01-02-BB-CC-DD) are on the same subnet. Machine C, with address 00-01-02-CC-DD-EE, is on a different subnet. While sniffing on the fully switched network, Machine B sends a message to Machine C. If an attacker on Machine A wanted to receive a copy of this message, which of the following circumstances would be necessary?
The ARP cache of Machine B would need to be poisoned, changing the entry for the default gateway to 00-01-02-AA-BB-CC.
A security peer is confused about a recent incident. An attacker successfully accessed a machine in the organization and made off with some sensitive data. A full vulnerability scan was run immediately following the theft, and nothing was discovered. Which of the following best describes what may have happened?
The attacker took advantage of zero-day vulnerability on the machine
What is the three-way handshake?
The opening sequence of a TCP connection
An attacker has successfully connected a laptop to a switch port and turned on a sniffer. The NIC is running in promiscuous mode, and the laptop is left alone for a few hours to capture traffic. Which of the following statements are true?
The packet capture will provide the MAC addresses of other machines connected to the switch. The packet capture will display all traffic intended for the laptop
You are port scanning a system and begin sending TCP packets with the FIN flag set. A response from the host on a particular port comes back as RST/ACK. Which of the following is a true statement regarding the response?
The response indicates a closed port
What is Tor used for?
To hide a process of scanning
Which tool can trace the path of a packet?
Tracert
What is a piece of malware that relies on social engineering?
Trojan horse
A box can accept unsolicited ARP reply packet even if the box did not ask for it.
True
A router can have multiple IP addresses assigned to it
True
Attacks against availability fall into "Denial-of-Service" realm
True
DHCP starvation may cause a box not being able to get a IP address, thus causes denial of service.
True
Each switch port has its own collision domain.
True
Hub is like bus in a box. All machines connecting to it are on the same collision domain.
True
Which of the following is not part of EC-Council's CEH scanning methodology?
Try social engineering
Which of the following is not a defense against sniffing?
Using hubs within the network
The Wayback Machine is used to do which of the following?
View archived versions of websites
If you have been contracted to perform an attack against a target system, you are what type of hacker?
White hat
How is black box testing performed?
With no knowledge
What is self-replicating piece of malware?
Worm
Is it legal to gather competitive intelligence of a company through passive footprinting?
Yes
You are configuring rules for your Snort installation and want to have an alert message of "Attempted FTP" on any FTP packet coming from an outside address intended for one of your internal hosts. Which of the following rules are correct for this situation?
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Attempted FTP")
Which Google hack would display all pages that have the words "SQL" and "Version" in their titles?
allintitle:SQL version
As security in the enterprise increases,
functionality decreases and ease of use decreases.
When an attack by a hacker is politically motivated, the hacker is said to be participating in
hactivism
Which Wireshark filter displays only traffic from 192.168.1.1?
ip.addr==192.168.1.1
You are reviewing a packet capture in Wireshark but only need to see packets from IP address 198.162.15.17. Which of the following filters will provide the output you want to see?
ip.src==198.162.15.17
You're using Nmap to run port scans. What syntax will attempt a half-open scan as stealthily as possible?
nmap -sS 192.168.1.0/24 -T0
What is the generic syntax of a Wireshark filter?
protocol.field operator value
Which display filter for Wireshark shows all packets containing the word facebook?
tcp contains facebook
Jason is using TCPdump to capture traffic on his network. He would like to review a capture log gathered previously. What command can Jason use?
tcpdump -r capture.log
Jason is using TCPdump to capture traffic on his network. He would like to save the capture for later review. What command can Jason use?
tcpdump -w capture.log
What is the retry time in a DNS SOA record?
the amount of time a secondary server will wait to retry if the zone transfer fails
Which footprinting tool or technique can be used to find the names and addresses of employees or technical points of contact?
whois
A pen tester is configuring a Windows laptop for a test. In setting up Wireshark, what driver and library are required to allow the NIC to work in promiscuous mode?
winpcap