Study Guide

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

If you want your nmap scan to blend in the regular network traffic and scan in the slowest possible speed, what is the command line options to be used?

-T0

You are configuring a Wireshark filter and want to look at all NTP packets. Which port should you filter on?

123

Which port number is used by DNS for zone transfers?

53 TCP

Which DNS record type maps an IP address to a hostname and is used most often for DNS lookups?

A

A full-open scan means that the three-way handshake has been completed, what is the difference between this and a half-open scan?

A half-open removes the final ACK

What separates a suicide hacker from other attackers?

A lack of fear of being caught

What is an ICMP Echo scan?

A ping sweep

Which of the following best describes the role that the U.S. Computer Security Indient Response Team (CSIRT) provides?

A reliable and consistent point of contact for all incident response services for associates of the Department of Homeland Security

MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client?

A reverse ARP request maps to two hosts.

Which best describes a vulnerability scan?

A way to automate the discovery of vulnerabilities

An ethical hacker is hired to test the security of a business network. The CEH is given no prior knowledge of the network and has a specific framework in which to work, defining boundaries, nondisclosure agreements, and the completion date.

A white hat is attempting a black-box test

What is missing from a half-open scan?

ACK

What technique funnels all traffic back to a single client, allowing sniffing from all connected hosts?

ARP poisoning

Footprinting has two types:

Active and passive

What can be configured in most search engines to monitor and alert you of changes to content?

Alerts

There are 5 regional Internet registries, what are their functionalities?

Allocating IP addresses to different regions

An IDS installed on the network perimeter sees a spike in traffic during off-duty hours and begins logging and alerting. Which type of IDS is in place?

Anomaly-based

Which of the following intrusion detection tools generally generates more false alarms?

Anomaly-based IDS

How do you look for zero day threats?

As it is a threat without known fix, you mainly depend on exploit news or zero day outbreaks for this kind of threat

Why you may prefer tcpdump than Wireshark in certain situations?

As it is command line based tool, it is easier to dump result to a file or transferring result to a forensic workstation

a member of a pen test team newly hired to test a bank's security. She begins searching for IP addresses the bank may own by searching public records on the Internet. She also looks up news articles and job postings to discover information that may be valuable. What phase of the pen test is Sally working?

Assessment

What info you are looking for during footprinting of a target?

Business functions Network range Physical security measures

You have an FTP service and an HTTP site on a single server. Which DNS record allows you to alias both services to the same record (IP address)?

CNAME

What common tool can be used for launching an ARP-poisoning attack?

Cain and Abel

Which of the following is a passive footprinting method?

Checking DNS replies for network mapping purpose Collecting information through publicly accessible sources

You are examining the output of a recent SYN scan. You see a port from one machine has returned an RST/ACK. What is the state of the port?

Closed

You are running an IDLE scan and send the first packet to the target machine. Next, the SYN/ACK packet is sent to the zombie. The IPID on the return packet from the zombie is 36754. If the starting IPID was 36753, in what state is the port on the target machine?

Closed

A white box test means the tester has which of the following?

Complete knowledge

Which of the following forms are usually malicious?

Computer Viruses

What is DNS cache poisoning?

DNS server caches bogus IP addresses for certain domain names

An SOA record gathered from a zone transfer is shown here:IN SOA DNSRV1.anycomp.com. postmaster.anycomp.com. (4 ; serial number3600 ; refresh[1h]600; retry[10m]86400; expire[1d]3600 ); min TTL[1h]What is the name of the authoritative DNS server for the domain, and how often will secondary servers check in for updates?

DNSRV1.anycomp.com, 3,600 seconds

Which of the following is not a flag on a packet?

END

Port scanning can be used to discover open ports on one or a few boxes running on a network, but it cannot be used to scan the entire subnet.

False

Threat and Vulnerability are the same thing in cybersecurity

False

What is the purpose of social engineering?

Gain information from a human being

Which of the following protocol traffic can be easily sniffed?

HTTP, TFTP, SNMP

Which of the following describes an attacker who goes after a target to draw attention to a cause?

Hacktivist

An ethical hacker is sending TCP packets to a machine with the SYN flag set. None of the SYN/ACK responses on open ports is being answered. Which type of port scan is this?

Half-open

Elements of security include confidentiality, integrity, and availability. Which technique provides for integrity?

Hash

What device will not limit the abilities of a sniffer?

Hub

A banner can?

Identify a service

ICMP protocol is at ________ layer of TCP/IP model.

Internet

Which of the following best describes footprinting?

Investigation of a target

What is the purpose of "dig" command?

It does DNS query

What is ping sweep?

It is about finding out which boxes are running on a network

Every organization tries to achieve CIA (confidentiality, integrity, and availability). Here is the summary of an attack happened in 2020. What kind of attack is this? Twitter saw one of the most brazen online attacks to date when on July 15, 2020, hackers verified Twitter accounts of many high-profile figures and celebrities, everyone from Kim Kardashian and Kanye West to Barack Obama, Elon Musk, and Bill Gates. The successful attack targeted a small number of employees though a phone spear phishing campaign, granting hackers access to Twitter's internal support system which then enabled them to target additional employees. According to Twitter, using the acquired credentials, 130 Twitter accounts were targeted, with the hackers Tweeting from 45, accessing the direct messaging inbox of 36 and downloading the Twitter Data of 7. Twitter Support released a statement saying...

It is an attack on Confidentiality and Integrity

What is the presentation layer in OSI model about?

It is designed to put a message into a format all system can understand

In which operating system is OSI network model implemented?

It is not implemented in any operating system network stack

Which of the following is true for IDLE scan?

It is not noisy and can not be easily identified by IDS It is stealthy but you need to get one additional box as zombine/idle box for it to work

What does SYN segment mean?

It means the SYN bit in TCP segment is set to 1

What is a MX record in DNS?

It specifies the email server for a domain

If you send FIN scan to a closed port, what will happen?

It will return RST packet if the port is closed

Which of the following is the best for an attacker to use to determine the technology within an organization?

Job boards

You've been hired to test security for a business headquartered in Chile. Which regional registry would be the best place to go for network range determination?

LACNIC

MAC address is the address at which layer of TCP/IP model?

Layer 1 (Network Access)

What level of knowledge about hacking does a script kiddie have?

Low

Bob is attempting to sniff a wired network in his first pen test contract. He sees only traffic from the segment he is connected to. What can Bob do to gather all switch traffic?

MAC flooding

Which of the following are approriate active sniffing techniques against a switched network?

MAC flooding ARP poisoning

While footpriting a network, you successfully perform a zone transfer. Which DNS record in the zone transfer indicates the company's e-mail server?

MX

Which of the following types of attacks has no flags set?

NULL

Which of the following is used for identifying a web server OS?

Netcraft

Which of the following is used to perform network scans?

Nmap

Which of the following represents the broadcast address prefix for IPv6?

None of the above

If you send XMAS scan to an open port, what will happen?

Nothing will be returned

Footprinting can determine all of the following except:

Number of personnel

Which of the following is a method of manipulating search results?

Operators

As a pen test team member, you begin searching for IP ranges owned by the target organization and discover their network range. You also read job postings and news articles and visit the organization's website. Throughout the first week of the test, you also observe when employees come to and leave work and rumage through the trash outside the building for useful information. Which type of footprinting are you accomplishing?

Passive

Is Google hacking passive footprinting or active footprinting?

Passive footprinting

What is the difference between passive and active recon?

Passive recon gathers info without the knowledge of the organization targeted Active recon uses tools and techniques that may or may not be discovered but put your activities as a hacker at more risk of discovery

Which of the following does an ethical hacker require to start evaluating a system?

Permission

An nmap is required to perform what type of scan?

Port Scan

Which of the following cannot be used during footprinting?

Port scanning

What mode must be configured to allow an NIC to capture all traffic on the wire?

Promiscuous mode

Wireshark requires a network card to be able to enter which mode to sniff all network traffic?

Promiscuous mode

During a Xmas scan what indicates a port is closed?

RST

During an FIN scan, what indicates that a port is closed?

RST

Which flag forces a termination of communication in both direction?

RST

Which of the following nmap scan is stealthy?

SYN scan IDLE port scan

A pen tester configures this filter on a wireshark capture: tcp.flags == 0x18. Which TCP flags are being filtered on?

SYN+ACK

What flag or flags are sent in the segment during the second step of the TCP three-way handshake?

SYN/ACK

What is the difference between scanning and footprinting?

Scanning is a more targeted and detail oriented info gathering

Which attacks take advantage of the built-in code and scripts most off-the-shelf application come with?

Shrink-wrap

What is (are) IDS evasion techniques?

Slow down network scanning traffic Flood the network with tons of fake attacks along with true attacks

Which of the following is (are) activing sniffing?

Sniffing traffic using SPAN port Sniffing traffic using MAC Flooding

Which of the following the most widely deployed IDS?

Snort

Which of the following would be effective for social engineering?

Social Networking

Which of the following can help you determine business processes of your target?

Social engineering

Which of the following is correct regarding IP ID (used by IDLE scan)?

Some OS increments IP ID by 1 for the next packet generated IP ID is inside IP header

Which of the following methods of concealment involves a hacker spoofing an IP address to have packets returned directly to him regardless of the routers between sender and receiver?

Source routing

Which of the following can be used to assess physical security?

Street views

His company downsizes, and Joe discovers he will be laid off within a short amount of time. Joe plants viruses and sets about destroying data and settings throughout the network, with no regard to being caught. Which type of hacker is Joe considered to be?

Suicide hacker

Which network device can block sniffing to a single network collision domain?

Switch

An SYN attack uses which protocol?

TCP

Which of the following is correct for TCP connect scan?

TCP 3-way hand shake is finished during the scan when the port is open It is very noisy and can be identified by IDS

The command-line equivalent of Windump is known as?

TCPdump

Which of the following is active footprinting?

Talking to employees of a company

You want to perform banner grabbing against a machine (168.15.22.4) you suspect as being a web server. Assuming you have the correct tools installed, which of the following command-line entries will successfully perform a banner grab?

Telnet 168.15.22.4 80 nc -v -n 168.15.22.4 80

Machine A (with MAC address 00-01-02-AA-BB-CC) and Machine B (00-01-02-BB-CC-DD) are on the same subnet. Machine C, with address 00-01-02-CC-DD-EE, is on a different subnet. While sniffing on the fully switched network, Machine B sends a message to Machine C. If an attacker on Machine A wanted to receive a copy of this message, which of the following circumstances would be necessary?

The ARP cache of Machine B would need to be poisoned, changing the entry for the default gateway to 00-01-02-AA-BB-CC.

A security peer is confused about a recent incident. An attacker successfully accessed a machine in the organization and made off with some sensitive data. A full vulnerability scan was run immediately following the theft, and nothing was discovered. Which of the following best describes what may have happened?

The attacker took advantage of zero-day vulnerability on the machine

What is the three-way handshake?

The opening sequence of a TCP connection

An attacker has successfully connected a laptop to a switch port and turned on a sniffer. The NIC is running in promiscuous mode, and the laptop is left alone for a few hours to capture traffic. Which of the following statements are true?

The packet capture will provide the MAC addresses of other machines connected to the switch. The packet capture will display all traffic intended for the laptop

You are port scanning a system and begin sending TCP packets with the FIN flag set. A response from the host on a particular port comes back as RST/ACK. Which of the following is a true statement regarding the response?

The response indicates a closed port

What is Tor used for?

To hide a process of scanning

Which tool can trace the path of a packet?

Tracert

What is a piece of malware that relies on social engineering?

Trojan horse

A box can accept unsolicited ARP reply packet even if the box did not ask for it.

True

A router can have multiple IP addresses assigned to it

True

Attacks against availability fall into "Denial-of-Service" realm

True

DHCP starvation may cause a box not being able to get a IP address, thus causes denial of service.

True

Each switch port has its own collision domain.

True

Hub is like bus in a box. All machines connecting to it are on the same collision domain.

True

Which of the following is not part of EC-Council's CEH scanning methodology?

Try social engineering

Which of the following is not a defense against sniffing?

Using hubs within the network

The Wayback Machine is used to do which of the following?

View archived versions of websites

If you have been contracted to perform an attack against a target system, you are what type of hacker?

White hat

How is black box testing performed?

With no knowledge

What is self-replicating piece of malware?

Worm

Is it legal to gather competitive intelligence of a company through passive footprinting?

Yes

You are configuring rules for your Snort installation and want to have an alert message of "Attempted FTP" on any FTP packet coming from an outside address intended for one of your internal hosts. Which of the following rules are correct for this situation?

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Attempted FTP")

Which Google hack would display all pages that have the words "SQL" and "Version" in their titles?

allintitle:SQL version

As security in the enterprise increases,

functionality decreases and ease of use decreases.

When an attack by a hacker is politically motivated, the hacker is said to be participating in

hactivism

Which Wireshark filter displays only traffic from 192.168.1.1?

ip.addr==192.168.1.1

You are reviewing a packet capture in Wireshark but only need to see packets from IP address 198.162.15.17. Which of the following filters will provide the output you want to see?

ip.src==198.162.15.17

You're using Nmap to run port scans. What syntax will attempt a half-open scan as stealthily as possible?

nmap -sS 192.168.1.0/24 -T0

What is the generic syntax of a Wireshark filter?

protocol.field operator value

Which display filter for Wireshark shows all packets containing the word facebook?

tcp contains facebook

Jason is using TCPdump to capture traffic on his network. He would like to review a capture log gathered previously. What command can Jason use?

tcpdump -r capture.log

Jason is using TCPdump to capture traffic on his network. He would like to save the capture for later review. What command can Jason use?

tcpdump -w capture.log

What is the retry time in a DNS SOA record?

the amount of time a secondary server will wait to retry if the zone transfer fails

Which footprinting tool or technique can be used to find the names and addresses of employees or technical points of contact?

whois

A pen tester is configuring a Windows laptop for a test. In setting up Wireshark, what driver and library are required to allow the NIC to work in promiscuous mode?

winpcap


Kaugnay na mga set ng pag-aaral

peds endocrine/metabolic disorder ch 48

View Set

Information Systems: A manager's guide to harnessing technology: Chapter 6

View Set

Infection/Inflammation/Immunity (Med Surg)

View Set

Chapter 10 Head, Eyes, Ears, Nose and Throat

View Set

Baruch College - Financial Accounting 2101 Midterm EXAM - Spring 2018

View Set