CEH All Chapters Practice Questions

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

A homeowner accesses an app on his cell phone to set up a view list on his television. Which IoT communication model is in play here? A. Device-to-Gateway B. Back-End Data-Sharing C. Device-to-Cloud D. Device-to-Device

Which of the following methods should be used to check for the Heartbleed vulnerability? A. Use the ssl-heartbleed script in nmap. B. Connect via TLS to each system and examine the response handshake. C. Use ping -ssl and examine the responses. D. Use Tripwire.

Which of the following is true regarding cloud computing? A. Security in the cloud is the responsibility of the provider only. B. Security in the cloud is the responsibility of the consumer only. C. Security in the cloud is the responsibility of both the consumer and the provider. D. None of the above.

Which of the following should not be included in a security policy? A. Policy exceptions B. details on non-compliance disciplinary actions C. technical details and procedures D. supporting document references

Which of the following statements is not true? A. Private cloud is operated solely for a single organization. B. Public cloud makes use of virtualized servers. C. Public cloud is operated over an intranet. D. Private cloud makes use of virtualized servers.

Which of the following statements is true regarding cloud computing? A. In IaaS, applications, data, middleware, virtualization, and servers are part of the service provision. B. In PaaS, applications, data, middleware, virtualization, and servers are part of theservice provision. C. In SaaS, applications, data, middleware, virtualization, and servers are part of theservice provision. D. None of the above.

Which of the following statements is true regarding encryption algorithms? A. Symmetric algorithms are slower, are good for bulk encryption, and have no scalability problems. B. Symmetric algorithms are faster, are good for bulk encryption, and have no scalability problems. C. Symmetric algorithms are faster, are good for bulk encryption, but have scalability problems. D. Symmetric algorithms are faster but have scalability problems and are not suited for bulk encryption.

Which of the following is not a benefit of virtualization? A. Allows for more efficient backup, data protection, and disaster recovery B. Reduces system administration work C. Improves operational efficiency D. Locks individual hardware to each individual virtual machine

Which of the following is one of the most common methods for an attacker to exploit the Shellshock vulnerability? A. SSH brute force B. CSRF C. Form field entry manipulation D. Through web servers utilizing CGI (Common Gateway Interface)

Which of the following is the appropriate means to pivot within a Metasploit attack session? A. Use the pivot exploit outside meterpreter. B. Reconfigure network settings in meterpreter. C. Set the payload to propagate. D. Create a route statement in the meterpreter.

Which of the following is the best choice for performing a bluebugging attack? A. PhoneSnoop B. BBProxy C. btCrawler D. Blooover

Which of the following is true regarding n-tier architecture? A. Each tier must communicate openly with every other tier. B. N-tier always consists of presentation, logic, and data tiers. C. N-tier is usually implemented on one server. D. N-tier allows each tier to be configured and modified independently.

Which of the following is used by SOAP services to format information? A. Unicode B. HTML entities C. NTFS D. XML

Which of the following is used to distribute a public key within the PKI system, verifying the user's identity to the recipient? A. Digital signature B. Hash value C. Private key D. Digital certificate

Which of the following statements is true regarding Port scanning? A. Port scanning's primary goal is to identify live targets on a network. B. Port scanning is designed to overload the ports on a target in order to identify which are open and which are closed. C. Port scanning is designed as a method to view all traffic to and from a system D. Port scanning is used to identify potential vulnerabilities on a target system

Which of the following statements is true regarding digital signatures? A. Digital signatures are issued once per user, to be used on all documents until they expire. B. A digital signature is a plain hash of the document contents. C. Digital signatures are issued per file type, allowing each to be used on multiple files until they expire. D. A digital signature cannot be moved from one document to another.

(p113) The following HOSTS file was pulled during an incident response: Which of the following best describes the HOSTS file? A. A user on the machine attempting to go to check their bank account at mybank.com will be directed to a Chinese IP address instead. B. A user on the machine attempting to go to google.com will receive an HTTP return code of 400. C. A user on the machine attempting to go to gmail.com will redirect to the local host. D. Any DNS resolution to IP 220.181.0.16 will be redirected to one of the five sites listed in round-robin fashion.

(p266) A pen test team member uses the following entry at the command line: Which of the following is true regarding the intent of the command? A. The team member is attempting to see which HTTP methods are supported by somesystem.com. B. The team member is attempting XSS againstsomesystem.com. C. The team member is attempting HTTP response splitting against somesystem.com. D. The team member is attempting to site mirror somesystem.com.

(p65) A penetration tester is examining the following and map result: Which of the following is a true statement? A. The host is likely a printer B. the host is likely a Windows machine C. the host is likely a Linux machine D. the host is likely a router

(p87) Given the following Wireshark filter, what is the attacker attempting to view? A. SYN, SYN/ACK, ACK B. SYN, FIN, URG, and PSH C. ACK, ACK, SYN, URG D. SYN/ACK only

A WPA2 wireless network is discovered during a pen test. Which of the following methods is the best way to crack the network key? A. Capture the WPA2 authentication traffic and crack the key. B. Capture a large amount of initialization vectors and crack the key inside. C. Use a sniffer to capture the SSID. D. WPA2 cannot be cracked.

Which wireless encryption technology makes use of temporal keys? A. WAP B. WPA C. WEP D. EAP

A company relies solely on Google Docs, Google Sheets, and other provisions for their office documentation software needs. Which of the following cloud computing types best describes this? A. SaaS B. PaaS C. IaaS D. Public

A hacker feeds plain-text files into a hash, eventually finding two or more that create the same fixed-value hash result. This anomaly is known as what? A. Collision B. Chosen plain text C. Hash value compromise D. Known plain text

A Security administrator is attempting to lock down her network and block access from internal to external on all external firewall ports except for TCP 80 and TCP 443. an internal user wants to make use of other protocols to access services on remote systems ( FTP, as well as some non-standard port numbers). Which of the following is the most likely choice the user could attempt to communicate with the remote system over the protocol of her choice? A. Use HTTP tunnel length B. send all traffic over UDP instead of TCP C. crack the firewall and open the ports required for communication D. MAC flood the switch connected to the firewall

A system owner has implemented a retinal scanner at the entryway to the data floor. Which type of physical security measure is this? A. Technical B. Single factor C. Computer based D. Operational

A member of your team enters the following command: nmap -sV -sC - O -traceroute IPAddress which of the following nmap commands performs the same task? A. nmap -A IPAddress B. nmap -all IPAddress C. nmap -Os IPAddress D. nmap -aA IPAddress

A mobile device communication session using SSL fails, and data is available for viewing by an attacker. Which OWASP Top 10 Mobile Vulnerability category has been made available for exploit? A. M3 - Insecure communication B. M4 - Insufficient authentication C. M5 - Insufficient cryptography D. M10 - Extraneous Functionality

A pen test team member types the following command: nc 222.15.66.78 -p 8765 Which of the following is true regarding this attempt? A. The attacker is attempting to connect to an established listening port on a remote computer. B. The attacker is establishing a listening port on his machine for later use. C. The attacker is attempting a DoS against a remote computer. D. The attacker is attempting to kill a service on a remote machine.

A portion of a digital certificate is shown here: Version V3 Serial Number 26 43 03 62 e9 6b 39 a4 9e 15 00 c7 cc 21 a220 Signature Algorithm sha1RSA Signature Hash Algorithm sha1 Issuer VeriSign Class 3 Secure Server Valid From Monday, October 17, 2011 8:00 PM Valid To Wednesday, October 17, 2012 7:59:59 PM. Public Key RSA (2048). Which of the following statements is true? A. The hash created for the digital signature holds 160 bits. B. The hash created for the digital signature holds 2048 bits. C. RSA is the hash algorithm used for the digital signature. D. This certificate contains a private key.

A recent incident investigated by the local IR team involved a user receiving an e-mail that appeared to be from the U.S. Postal Service, notifying her of a package headed her way and providing a link for tracking the package. The link provided took the user to what appeared to be the USPS site, where she input her user information to learn about the latest shipment headed her way. Which attack did the user fall victim to? A. Phishing B. Internet level C. Reverse social engineering D. Impersonation

A subscriber purchases machine virtualization and hosting through Amazon EC2. Which of the following cloud computing types does this describe? A. IaaS B. PaaS C. SaaS D. Hybrid

A tester is attempting a CSPP attack. Which of the following is she most likely to use inconjunction with the attack? A. ; B. : C. ' D. " E. -- F. ~

A web application developer is discussing security flaws discovered in a new application prior to production release. He suggests to the team that they modify the software to ensure users are not allowed to enter HTML as input into the application. Which of thefollowing is most likely the vulnerability the developer is attempting to mitigate against? A. Cross-site scripting B. Cross-site request forgery C. Connection string parameter pollution D. Phishing

Amazon's EC2 provides virtual machines that can be controlled through a service API. Which of the following best defines this service? A. IaaS B. PaaS C. SaaS D. Public

An angry former employee of the organization discovers a web form vulnerable toSQL injection. Using the injection string SELECT * FROM Orders_Pend WHERE Location_City = 'Orlando', he is able to see all pending orders from Orlando. If he wanted to delete the Orders_Pend table altogether, which SQL injection string should be used? A. SELECT * FROM Orders_Pend WHERE Location_City = 'Orlando';DROP TABLE Orders_Pend; -- B. SELECT * FROM Orders_Pend WHERE 'Orlando';DROP_TABLE; -- C. DROP TABLE Orders_Pend WHERE ' Orlando = 1'; -- D. WHERE Location_City = Orlando'1 = 1': DROP_TABLE; --

An attacker is attempting to elevate privileges on a machine by using Java or other functions, through nonvalidated input, to cause the server to execute a malicious piece of code and provide command-line access. Which of the following best describes this action? A. Shell injection B. File injection C. SQL injection D. URL injection

An attacker leverages a vulnerability within Bluetooth on an IoT device and successfully shuts down the air conditioning to the data center floor. Which of the following best describes the attack type used? A. HVAC B. BlueAir C. Rolling code D. BlueBorne

An attacker makes use of the Beacon implant on a target system to hijack a browser session. Which of the following best describes this attack? A. Man in the browser B. Man in the middle C. Man in the pivot D. IE hijacking

An attacker performs a SQL injection attack but receives nothing in return. She then proceeds to send multiple SQL queries, soliciting TRUE or FALSE responses. Which attack is being carried out? A. Blind SQL injection B. SQL denial of service C. SQL code manipulation D. SQL replay

An attacker sets up a VM on the same physical cloud host as the target's VM. He then takes advantage of the shared physical resources to steal data. Which of the following describes this attack? A. Side channel B. VM flood C. Session riding D. Cybersquatting

An ethical hacker is ACK-Scanning against the network segment he knows is sitting behind a stateful firewall. If a scan packet receives no response, what does that indicate? A. the port is filtered at the firewall B. the port is not filtered at the firewall C. the firewall allows the packet, but the device has the port closed D. it is impossible to determine any port status from this response

An individual attempts to make a call using his cell phone; however, it seems unresponsive. After a few minutes of effort, he turns it off and turns it on again. During his next phone call, the phone disconnects and becomes unresponsive again. Which Bluetooth attack is underway? A. Bluesmacking B. Bluejacking C. Bluesniffing D. Bluesnarfing

An organization participates in a real-world exercise designed to test all facets of their security systems. An independent group is hired to assist the organization's security groups, assisting in the defense of assets against the attacks from the attacking group. Which of the following statements is true? A. The group assisting in the defense of the systems is referred to as a blue team. B. The group assisting in the defense of the systems is referred to as a red team. C. The group assisting in the defense of the systems is known as a white-hat group. D. The team attacking the systems must provide all details of any planned attack with the defense group before launching to ensure security measures are tested appropriately.

An organization requires an option to control network traffic and perform stateful inspection of traffic going into and out of the DMZ. Which built-in functionality ofLinux can achieve this? A. iptables B. ipchains C. ipsniffer D. ipfirewall

During a TCP data exchange, the client has offered a sequence number of 100, and the server has offered 500. During acknowledgments, the packet shows 101 and 501, respectively, as the agreed-upon sequence numbers. With a window size of 5, which sequence numbers would the server willingly accept as part of this session? A. 102 through 104 B. 102 through 501 C. 102 through 502 D. Anything above 501

Examine the partial command-line output listed here: Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:912 COMPUTER11:0 LISTENINGTCP 0.0.0.0:3460 COMPUTER11:0 LISTENINGTCP 0.0.0.0:3465 COMPUTER11:0 LISTENINGTCP 0.0.0.0:8288 COMPUTER11:0 LISTENINGTCP 0.0.0.0:16386 COMPUTER11:0 LISTENINGTCP 192.168.1.100:139 COMPUTER11:0 LISTENINGTCP 192.168.1.100:58191 173.194.44.81:https ESTABLISHEDTCP 192.168.1.100:58192 173.194.44.81:https TIME_WAITTCP 192.168.1.100:58193 173.194.44.81:https TIME_WAITTCP 192.168.1.100:58194 173.194.44.81:httpsESTABLISHEDTCP 192.168.1.100:58200 bk-in-f138:http TIME_WAIT Which of the following is a true statement regarding the output? A. This is output from a netstat -an command. B. This is output from a netstat -b command. C. This is output from a netstat -e command. D. This is output from a netstat -r command.

IPSec is an effective preventative measure against session hijacking. Which IPSec mode encrypts only the data payload? A. Transport B. Tunnel C. Protected D. Spoofed

In "NIST Cloud Computing Reference Architecture", which entity manages cloud services and maintains the relationship between cloud providers and subscribers? A. Cloud broker B. Cloud auditor C. Cloud carrier D. Cloud consumer

In nmap, the http-methods script can be used to test for potentially risky HTTP options supported by a target. Which of the following methods would be considered risky per the script? A. CONNECT B. GET C. POST D. HEAD

In which phase of a pen test is scanning performed? A. Pre-attack B. Attack C. Post-attack D. Reconnaissance

In which phase of a penetration test is scanning performed? A. Pre-attack B. Attack C. Post-attack D. Reconnaissance

Lighting, locks, fences, and guards are all examples of __________ measures within physical security. A. physical B. technical C. operational D. exterior

Matty is examining malware as part of a security effort. She performs analysis of the malware executable without running or installing it. Instead, she examines source and binary code to find data structures, function calls, and other indicators of malicious behavior. Which of the following best describes the type of malware analysis Matty is performing? A. Static B. Dynamic C. File fingerprinting D. Code emulation

NIST SP 800-30 defines steps for conducting a risk assessment. Which of the following statements is true regarding the process? A. Threats are identified before vulnerabilities. B. Determining the magnitude of impact is the first step. C. Likelihood is determined after the risk assessment is complete. D. Risk assessment is not a recurring process.

SOAP is used to package and exchange information for web services. What does SOAP use to format this information? A. XML B. HTML C. HTTP D. Unicode

The accounting department of a business notices several orders that seem to have been made erroneously. In researching the concern, you discover it appears the prices of items on several web orders do not match the listed prices on the public site. You verify the web server and the ordering database do not seem to have been compromised. Additionally, no alerts have displayed in the Snort logs concerning a possible attack on the web application. Which of the following might explain the attack in play? A. The attacker has copied the source code to his machine and altered hidden fields to modify the purchase price of the items. B. The attacker has used SQL injection to update the database to reflect new prices for the items. C. The attacker has taken advantage of a server-side include that altered the price. D. The attacker used Metasploit to take control of the web application.

What frequency does Bluetooth operate in? A. 2.4-2.48 GHz B. 2.5 GHz C. 2.5-5 GHz D. 5 GHz

What is the integrity check mechanism for WPA2? A. CBC-MAC B. CCMP C. RC4 D. TKIP

What occurs when an IDS does not properly identify a malicious packet entering the network? A. False negative B. False positive C. True negative D. True positive

Which ICMP message type flash code indicates the packet could not arrive at the recipient due to exceeding it's time to live? A. Type 11 B. Type 3, Code 1 C. Type 0 D. Type 8

Which Port scanning method presents the most risk of Discovery but provides the most reliable results? A. full-connect B. half-open C. null scan D. XMAS scan

Which flag forces a termination of Communications in both directions? A. RST B. FIN C. ACK D. PSH

Which folder in Linux holds administrative commands and daemons? A. /sbin B. /bin C. /dev D. /mnt E. /usr

Which hash algorithm produces a 160-bit output value? A. SHA-1 B. SHA-2 C. Diffie-Hellmann D. MD5

Which of the following attacks acts as a man-in-the-middle, exploiting fallback mechanisms in TLS clients? A. POODLE B. Heartbleed C. FREAK D. DROWN

Which of the following attacks occurs during the translation of SOAP messages? A. Wrapping attack B. Cross-guest VM C. Side channel D. Session riding

Which of the following best defines steganography? A. Steganography is used to hide information within existing files. B. Steganography is used to create hash values of data files. C. Steganography is used to encrypt data communications, allowing files to be passed unseen. D. Steganography is used to create multimedia communication files.

Which of the following best describes Cygwin? A. Cygwin is a Unix subsystem running on Windows. B. Cygwin is a Windows subsystem running on top of Unix. C. Cygwin is a C++ compiler. D. Cygwin is a password-cracking tool.

Which of the following is not a method used to control or mitigate against static electricity in a computer room? A. Positive pressure B. Proper electrical grounding C. Anti-static wrist straps D. A humidity control system

Which of the following best describes a DRDoS? A. Multiple intermediary machines send the attack at the behest of the attacker. B. The attacker sends thousands upon thousands of SYN packets to the machine with a false source IP address. C. The attacker sends thousands of SYN packets to the target but never responds to any of the return SYN/ACK packets. D. The attack involves sending a large number of garbled IP fragments with overlapping, oversized payloads to the target machine.

Which of the following best describes a blue team? A. Security team members defending a network B. Security team members attacking a network C. Security team members with full knowledge of the internal network D. A performance group at Universal Studios in Orlando

Which of the following can migrate the machine's actual operating system into a virtual machine? A. Hypervisor-level rootkit B. Kernel-level rootkit C. Virtual rootkit D. Library-level rootkit

Which of the following cloud computing attacks can be best described as a CSRF attack? A. Session riding B. Side channel C. Cross-guest VM breach D. Hypervisor attack

Which of the following describes risk that remains after all security controls have been implemented to the best of one's ability? A. Residual B. Inherent C. Deferred D. Remaining

Which of the following has a database containing thousands of signatures used to detect vulnerabilities in multiple operating systems? A. Nessus B. Hping C. LOIC D. SNMPUtil

Which of the following is a group of Internet computers set up to forward transmissions to other computers on the Internet without the owner's knowledge or permission? A. Botnet B. Zombie C. Honeypot D. DDoS

Which of the following is a legitimate communication path for the transfer of data? A. Overt B. Covert C. Authentic D. Imitation E. Actual

Which of the following is a pairing mode in Bluetooth that rejects every pairing request? A. Non-pairing B. Non-discoverable C. Promiscuous D. Bluejack

Which of the following is a software application used to asymmetrically encrypt and digitally sign e-mail? A. PGP B. SSL C. PPTP D. HTTPS

Which of the following is a true statement regarding biometric systems? A. The lower the CER, the better the biometric system. B. The higher the CER, the better the biometric system. C. The higher the FRR, the better the biometric system. D. The higher the FAR, the better the biometric system.

Which of the following is a true statement regarding wireless security? A. WPA2 is a better encryption choice than WEP. B. WEP is a better encryption choice than WPA2. C. Cloaking the SSID and implementing MAC filtering eliminate the need forencryption. D. Increasing the length of the SSID to its maximum increases security for the system.

Which of the following is a true statement? A. Sequence prediction attacks are specific to TCP. B. Using a protocol in a way it is not intended to be used is an example of an overt channel. C. All DoS and DDoS attacks are specific to TCP. D. Fraggle is a TCP-based attack.

Which of the following is best defined as an encryption protocol commonly used fore-mail security? A. PGP B. Keyczar C. RSA D. MD5

Which of the following protects against man-in-the-middle attacks in WPA? A. MIC B. CCMP C. EAP D. AES

Which of the following takes advantage of weaknesses in the fragment reassembly functionality of TCP/IP? A. Teardrop B. SYN flood C. Smurf attack D. Ping of death

Which of the following tools is a vulnerability scanner for Android devices? A. X-ray B. evasi0n7 C. Pangu D. DroidSheep Guard

Which of the following will extract an executable file from NTFS streaming? A. c:\> cat file1.txt:hidden.exe > visible.exe B. c:\> more file1.txt | hidden.exe > visible.exe C. c:\> type notepad.exe > file1.txt:hidden.exe D. c:\> list file1.txt$hidden.exe > visible.exe

Which security assessment is designed to check policies and procedures within an organization? A. Security audit B. Vulnerability assessment C. Pen test D. None of the above

Which type of security assessment notifies the customer of vulnerabilities but does not actively or intentionally exploit them? A. Vulnerability assessment B. Scanning assessment C. Penetration test D. None of the above

Which virus type is only executed when a specific condition is met? A. Sparse infector B. Multipartite C. Metamorphic D. Cavity

Within a PKI, which of the following verifies the applicant? A. Registration authority B. User authority C. Revocation authority D. Primary authority

Within the Attify Zigbee Framework, which of the following is used to discover target devices within range? A. zbstumbler B. zbdump C. zbreplay D. zbassoc/flood

You are Port scanning a system and begin sending TCP packets with the ACK flag set. Examining the return packets, you see a return packet for one port has the RST flag set and the TTL is less than 64. Which of the following is true? A. The response indicates an open port B. B response indicates a closed for it C. the response indicates a Windows machine with a non standard TCP/IP stack D. ICMP is filtered on the machine

You are enumerating a subnet. While examining messages traffic, you discover SNMP is enabled on multiple targets. If you assume default settings in setting up enumeration tools to use SNMP, which community string should you use? A. Public (read only) and Private (read/write) B. Private (read only) and Public (read/write) C. Read (read-only) and Write (read/write) D. Default (both read and read/write)

You have a large packet capture file in Wireshark to review. You want to filter traffic to show all packets with an IP address of 192.168.22.5 that contains the string HR_admin. Which of the following filters would accomplish this pack? A. ip.addr==192.168.22.5 &&tcp contains HR_admin B. ip.addr 192.168.22.5 && "HR_admin" C. ip.addr 192.168.22.5 &&tcp string ==HR_admin D. ip.addr==192.168.22.5 +tcp contains tide

You need to put the NIC into listening mode on your Linux box, capture packets, and write the results to a log file named my.log. How do you accomplish this with tcpdump? A. tcpdump -1 eth0 -w my.log B. tcpdump -l eth0 -c my.log C. tcpdump /i eth0 /w my.log D. tcpdump /l eth0 /c my.log

You've decided to begin scanning against a Target organization but want to keep your efforts as quiet as possible. Which IDS evasion techniques splits the TCP header among multiple packets? A. Fragmenting B. IP spoofing C. proxy scanning D. anonymizer

Your client tells you they know beyond a doubt an attacker is sending messages back and forth from their network, yet the IDS doesn't appear to be alerting on the traffic. Which of the following is most likely true? A. The attacker is sending messages over an SSL tunnel. B. The attacker has corrupted ACLs on every router in the network. C. The attacker has set up port security on network switches. D. The attacker has configured a trunk port on a switch

Which of the following is an open source project produced by OISSG (Open Information Systems Security Group) intended to provide security testing assistance? A. OSSTMM B. OWASP C. COBIT D. ISSAF

What information is required in order to attempt to crack a WEP AP? (Choose two.) A. Network SSID B. MAC address of the AP C. IP address of the AP D. Starting sequence number in the first initialization vector

A, B

Which of the following are appropriate active sniffing techniques against a switched network? (Choose all that apply.) A. ARP poisoning B. MAC flooding C. SYN flooding D. Birthday attack E. Firewalking

A, B

A pen test member has configured a wireless access point with the same SSID as the target organization's SSID and has set it up inside a closet in the building. After some time, clients begin connecting to his access point. Which of the following statements aretrue regarding this attack?(Choose all that apply.) A. The rogue access point may be discovered by security personnel using NetStumbler. B. The rogue access point may be discovered by security personnel using NetSurveyor. C. The rogue access point may be discovered by security personnel using Kismet. D. The rogue access point may be discovered by security personnel using Aircrack. E. The rogue access point may be discovered by security personnel using ToneLoc.

A, B, C

In which of the following would you find in a final report from a full penetration test? (Choose all that apply.) A. Executive summary B. A list of findings from the test C. The names of all the participants D. A list of vulnerabilities patched or otherwise mitigated by the team

A, B, C

Phishing e-mail attacks have caused severe harm to a company. The security office decides to provide training to all users in phishing prevention. Which of the following are true statements regarding identification of phishing attempts? (Choose all that apply.) A. Ensure e-mail is from a trusted, legitimate e-mail address source. B. Verify spelling and grammar is correct. C. Verify all links before clicking them. D. Ensure the last line includes a known salutation and copyright entry (if required).

A, B, C

Which of the following are considered offline password attacks? (Choose all that apply.) A. Using a hardware keylogger B. Brute-force cracking with Cain and Abel on a stolen SAM file C. Using John the Ripper on a stolen passwd file D. Shoulder surfing

A, B, C

Which of the following tools can assist in discovering the use of NTFS file streams?(Choose all that apply.) A. LADS B. ADS Spy C. Sfind D. Snow

A, B, C

Which of the following are indicators of a phishing e-mail? (Choose all that apply.) A. It does not reference you by name. B. It contains misspelled words or grammatical errors. C. It contains spoofed links. D. It comes from an unverified source.

A, B, C, D

Which of the following are valid countermeasures in the prevention of IoT hacking? (Choose all that apply.) A. Disable guest and demo accounts. B. Enable lockout features for excessive login attempts. C. Disable telnet. D. Implement patch management and ensure device firmware is up to date.

A, B, C, D

Which of the following may be effective countermeasures against an inside attacker? (Choose all that apply.) A. Enforce elevated privilege control. B. Secure all dumpsters and shred collection boxes. C. Enforce good physical security practice and policy. D. Perform background checks on all employees.

A, B, C, D

Which of the following should be in place to assist as a social engineering countermeasure? (Choose all that apply.) A. Classification of information B. Strong security policy C. User education D. Strong change management process

A, B, C, D

Which of the following statements are true concerning Kerberos? (Choose all that apply.) A. Kerberos uses symmetric encryption. B. Kerberos uses asymmetric encryption. C. Clients ask for authentication tickets from the KDC in clear text. D. KDC responses to clients never include a password. E. Clients decrypt a TGT from the server.

A, B, C, D

You are discussing malware with a new pen test member who asks about restarting executables. Which registry keys within Windows automatically run executables and instructions?(Choose all that apply.) A. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce B. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices C. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce D. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

A, B, C, D

Which of the following may be effective countermeasures against social engineering? (Choose all that apply.) A. Security policies B. Operational guidelines C. Appropriately configured IDS D. User education and training E. Strong firewall configuration

A, B, D

Which of the following tools can assist with IDS evasion? (choose all that apply) A. whisker B. fragroute C. capsa D. wireshark E. ADMmutate F. inundator

A, B, E, F

An attacker has successfully connected a laptop to a switch port and turned on a sniffer. The NIC is running in promiscuous mode, and the laptop is left alone for a few hours to capture traffic. Which of the following statements are true? (Choose all that apply.) A. The packet capture will provide the MAC addresses of other machines connected to the switch. B. The packet capture will provide only the MAC addresses of the laptop and the default gateway. C. The packet capture will display all traffic intended for the laptop. D. The packet capture will display all traffic intended for the default gateway.

A, C

Which of the following Wireshark filters would display all traffic sent from, or destined to, systems on the 172.17.15.0/24 subnet? (Choose all that apply.) A. ip.addr == 172.17.15.0/24 B. ip.src == 172.17.15.0/24 and ip.dst == 172.17.15.0/24 C. ip.src == 172.17.15.0/24 or ip.dst == 172.17.15.0/24 D. ip.src == 172.17.15.0/24 and ip.dst == 172.17.15.0/24

A, C

You see the following command in a Linux history file review: someproc & Which of the following best describe the command result? (Choose two.) A. The process "someproc" will stop when the user logs out. B. The process "someproc" will continue to run when the user logs out. C. The process "someproc" will run as a background task. D. The process "someproc" will prompt the user when logging off.

A, C

You want to perform Banner grabbing Against the Machine you suspect as being a web server. Assuming you have the correct tools installed, which of the following command line entries will successfully perform a banner grab? (choose all that apply) A. telnet 168.15.22.4 80 B. telnet 80 168.15.22.4 C. nc -v -n 168.15.22.4 80 D. nc -v -n 80 168.15.22.4

A, C

Claire's Windows system at work begins displaying strange activity, and she places a call to the IT staff. On investigation, it appears Claire's system is infected with several viruses. The IT staff removes the viruses, deleting several file and folder locations and using an AV tool, and the machine is reconnected to the network. Later in the day, Claire's system again displays strange activity, and the IT staff is called once again. Which of the following are likely causes of the re-infection? (Choose all that apply.) A. Claire revisits a malicious website. B. Claire opens her Microsoft Outlook e-mail client and newly received e-mail is loaded to her local folder (.pst file). C. Claire uses a system restore point to regain access to deleted files and folders. D. Claire uses the organization's backup application to restore files and folders.

A, C, D

Which of the following could provide useful defense against ARP spoofing? (choose all that apply) A. use ARP wall B. set all NICs to promiscuous mode C. used private VLANs D. use static ARP entries

A, C, D

Which of the following provide automated pen test-like results for an organization?(Choose all that apply.) A. Metasploit B. Nessus C. Core Impact D. CANVAS E. SAINT F. GFI Languard

A, C, D

A team member is using nmap and asks about the scripting engine in the tool. Which options switches can be used to invoke the nmap scripting engine? (choose two) A. --script B. -z C. -sA D. -sC

A, D

Which of the following don't use ICMP in the attack? (Choose two.) A. SYN flood B. Ping of Death C. Smurf D. Peer to peer

A, D

Which of the following statements are true regarding TKIP? (Choose all that apply.) A. Temporal Key Integrity Protocol forces a key change every 10,000 packets. B. Temporal Key Integrity Protocol ensures keys do not change during a session. C. Temporal Key Integrity Protocol is an integral part of WEP. D. Temporal Key Integrity Protocol is an integral part of WPA.

A, D

You are examining a packet capture of all traffic from a host on the subnet. The host sends the segment with the SYN flag set in order to set up a TCP Communications Channel. The destination port is 80, and the sequence number is set to 10. Which of the following statements are not true regarding this Communications Channel? (choose all that apply) A. The host will be attempting to retrieve an HTML file B. the source port field on this packet can be any number between 1024 and 65535 C. the first packet from the destination in response to this host will have the SYN and ACK flags set D. the packet returned in answer to this SYN request will acknowledge the sequence number by returning 10.

A, D

(p 117) Examine the following portion of a log file, captured during a hacking attempt: What was the attacker attempting to do? A. Copy files for later examination B. Cover his tracks C. Change the shell to lock out other users D. Upload a rootkit

(p144)An attacker is viewing a blog entry showing a news story and asking for comments. In the comment field, the attacker enters the following: What is the attacker attempting to perform? A. A SQL injection attack against the blog's underlying database B. A cross-site scripting attack C. A buffer overflow DoS attack D. A file injection DoS attack

(p60) A pentester is performing banner grabbing and executes the following command: Which of the following is a true statement? A. Nmap can't perform Banner grabbing, as it cannot retrieve the version number of any running remote service B. the pen tester was successful in Banner grabbing C. using nmap -O host.domain.com would have been a better choice for banner grabbing D. Banner grabbing failed because the result did not return the version of the Apache web server

(p63) Considering the ports shown in the nmap output returned on an IP scans during footprinting: Which of the following is true regarding the output? A. The host is most likely a router or has routing enabled B. the host is most likely a printer or has a printer installed C. B host is definitely a Windows server D. the host is definitely a Linux server

(p90) Examine the snort output shown here: Which of the following statements is true regarding the packet capture? A. The capture indicates a NOP sled attack B. the capture show step 2 of a TCP handshake C. the packet source is 213.132.44.56 D. the packet capture shows an SSH session attempt

A colleague enters the following command: root@mybox: #hping3 -A 192.168.2.x -p 80 What is being attempted here? A. An ACK scan using hping3 on port 80 for a single address B. An ACK scan using hping3 on port 80 for a group of addresses C. Address validation using hping3 on port 80 for a single address D. Address validation using hping3 on port 80 for a group of addresses

A hacker has gained access to several files. Many are encrypted, but one is not, and it happens to be an unencrypted version of an encrypted file. Which of the following is the best choice for possibly providing a successful break into the encrypted files? A. Cipher text only B. Known plain text C. Chosen cipher text D. Replay

A network and Security administrator installs an NIDS. After a few weeks, a successful intrusion into the network occurs and a check for the NIDS during the time frame of the attack shows no alerts. An investigation shows the NIDS was not configured correctly and therefore did not trigger on what should have been attack alert signatures. Which of the following best describes the actions of the NIDS? A. False positives B. false negatives C. true positives D. true negatives

A security admin has a control in place that embeds a unique image into e-mails on specific topics, which verifies the message as authentic and trusted. Which anti-phishing method is being used? A. Steganography B. Sign-in seal C. PKI D. CAPTCHA

A security administrator monitoring logs comes across a user login attempt that reads UserJoe)(&). What can you infer from this username login attempt? A. The attacker is attempting SQL injection. B. The attacker is attempting LDAP injection. C. The attacker is attempting SOAP injection. D. The attacker is attempting directory traversal.

A software company has decided to build and test web applications in a cloud computing environment. Which of the following cloud computing types best describes this effort? A. IaaS B. PaaS C. SaaS D. Community

A software company puts an application through stringent testing and, on the date of release, is confident the software is free of known vulnerabilities. An organization named BigBiz purchases the software at a premium cost, with a guarantee of service, maintenance, and liability. Which risk management method is in use by the BigBiz organization? A. Accept B. Transfer C. Avoid D. Mitigate

A target machine (MAC of 12:34:56:AB:CD:EF) is connected to a switch port. An attacker (MAC of 78:91:00:ED:BC:A1) is attached to a separate port on the same switch with a packet capture running. There is no spanning of ports or port security in place. Two packets leave the target machine. Message 1 has a destination MAC of E1:22:BA:87:AC:12. Message 2 has a destination MAC of FF:FF:FF:FF:FF:FF. Which of the following statements is true regarding the messages being sent? A. The attacker will seed message 1 B. the attacker will see message 2 C. the attacker will see both messages D. the attacker will see neither message

A team member issues the command. Which of the following best represents the intent of the command? A. It displays the IP route table for the machine B. it displays the NetBIOS name cash C. it displays active and inactive services D. it puts in a NIC into promiscuous mode for sniffing

An attacker creates a fake ID badge and waits next to an entry door to a secured facility. An authorized user swipes a key card and opens the door. Jim follows the user inside. Which social engineering attack is in play here? A. Piggybacking B. Tailgating C. Phishing D. Shoulder surfing

An attacker discovers a legitimate username (user1) and enters the following into a webform authentication window: username > user1)(&))password > meh Which of the following is most likely the attack being attempted? A. SQL injection B. LDAP injection C. URL tampering D. DHCP amplification

An attacker has gained access to an internal system. Using Metasploit, he accesses and attacks other internal systems. Which of the following terms best describe the action taken? A. Attack splitting B. Pivoting C. Attack swinging D. Hinging

An attacker has hidden badfile.exe in the readme.txt file. Which of the following is the correct command to execute the file? A. start readme.txt>badfile.exe B. start readme.txt:badfile.exe C. start badfile.exe > readme.txt D. start badfile.exe | readme.txt

An attacker identifies a potential target and spends some time profiling her. After gaining some information, the attacker sends a text to the target's cell phone. The text appears to be from her bank and advises her to call a provided phone number immediately regarding her account information. She dials the number and provides sensitive information to the attacker, who is posing as a bank employee. Which of the following best defines this attack? A. Vishing B. Smishing C. Phishing D. Tishing

An attacker is attempting to crack a WEP code to gain access to the network. After enabling monitor mode on wlan0 and creating a monitoring interface (mon 0), she types this command: aireplay -ng -0 0 -a 0A:00:2B:40:70:80 -c mon0 What is she trying to accomplish? A. To gain access to the WEP access code by examining the response to deauthenticationpackets, which contain the WEP code B. To use deauthentication packets to generate lots of network traffic C. To determine the BSSID of the access point D. To discover the cloaked SSID of the network

An attacker is looking at a target website and is viewing an account from the store on URL http://www.anybiz.com/store.php?id=2. He next enters the following URL: http://www.anybiz.com/store.php?id=2 and 1=1The web page loads normally. He then enters the following URL: http://www.anybiz.com/store.php?id=2 and 1=2A generic page noting "An error has occurred" appears. Which of the following is a correct statement concerning these actions? A. The site is vulnerable to cross-site scripting. B. The site is vulnerable to blind SQL injection. C. The site is vulnerable to buffer overflows. D. The site is not vulnerable to SQL injection.

An attacker is successful in using a cookie, stolen during an XSS attack, during an invalid session on the server by forcing a web application to act on the cookie's contents. How is this possible? A. A cookie can be replayed at any time, no matter the circumstances. B. Encryption was accomplished using a single key. C. Authentication was accomplished using XML. D. Encryption was accomplished at the network layer.

An attacker uses a Metasploit auxiliary exploit to send a series of small messages to a server at regular intervals. The server responds with 64 bytes of data from its memory. Which of the following best describes the attack being used? A. POODLE B. Heartbleed C. FREAK D. DROWN

An attacker waits outside the entry to a secured facility. After a few minutes an authorized user appears with an entry badge displayed. He swipes a key card and unlocks the door. The attacker, with no display badge, follows him inside. Which social engineering attack just occurred? A. Tailgating B. Piggybacking C. Identity theft D. Impersonation

An organization is concerned about corporate espionage and has evidence suggesting an internal employee has been communicating trade secrets to a competitor. After some investigation, the employee trading secrets was identified. Monitoring of the employee's previous communications outside the company revealed nothing out of the ordinary, save for some large unencrypted e-mails containing image files of humorous pictures to external addresses. Which of the following is the most logical conclusion based on these facts? A. E-mail encryption allowed the user to hide files. B. The user hid information in the image files using steganography. C. Logical watermarking of images and e-mails fed the sensitive files piece by piece to the competitor. D. SMTP transport fuzzing was used.

As a pen test on a major international business moves along, a colleague discovers an IIs server and a Mail Exchange Server on the DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the Ping. Which is the most likely reason for the lack of response? A. The hosts might be turned off or disconnected B. ICMP is being filtered C. the destination Network might be down D. the servers are linux-based and do not respond to Ping requests

Claire is surfing the Web and, after some time, a message pops up stating her system has been infected by malware, and offers a button to click for removal of the virus. After she clicks the button, another message window appears stating the system has been quarantined due to the nature of the infection and provides a link with instructions to pay in order to regain control and to clear the virus. Which of the following best describes this infection? A. Spyware B. Ransomware C. Trojan D. Adware

Examining a database server during routine maintenance you discover an hour of time missing from the log file, during what would otherwise be normal operating hours. Further investigation reveals no user complaints on accessibility. Which of the following is the most likely explanation? A. The log file is simply corrupted. B. The server was compromised by an attacker. C. The server was rebooted. D. No activity occurred during the hour time frame.

In "NIST Cloud Computing Reference Architecture", which of the following is the intermediary for providing connectivity between the cloud and the subscriber? A. Cloud provider B. Cloud carrier C. Cloud broker D. Cloud auditor

In May of 2017, this ransomware took advantage of a Windows SMB vulnerability known as the Eternal Blue exploit and spread worldwide in a matter of hours. A hidden kill switch inside the coding was quickly discovered, halting its spread. Which of the following best fits this description? A. Petya B. WannaCry C. Zeus D. Botnet

In examining the About Us link in the menu of a target organization's website, an attacker discovers several different individual contacts within the company. To one of these contacts, she crafts an e-mail asking for information that appears to come from an individual within the company who would be expected to make such a request. The e-mail provides a link to click, which then prompts for the contact's user ID and password. Which of the following best describes this attack? A. Trojan e-mailing B. Spear phishing C. Social networking D. Operational engineering

In regard to Trojans, which of the following best describes a wrapper? A. The legitimate file the Trojan is attached to B. A program used to bind the Trojan to a legitimate file C. A method of obfuscation using compression D. A software tool that uses encryption and code manipulation to hide malware

In the NIST Cloud Computing Reference Architecture, which of the following has the responsibility of transmitting the data? A. Cloud provider B. Cloud carrier C. Cloud broker D. Cloud consumer

In the trusted computing model, what is a set of functions called that's always trusted by the computer's operating system? A. SOA B. RoT C. TCG D. VM

In what layer of the OSI reference model is session hijacking carried out? A. Data link layer B. Transport layer C. Network layer D. Physical layer

In which phase of a pen test will the team penetrate the perimeter and acquire targets? A. Pre-attack B. Attack C. Post-attack D. None of the above

In which phase of the IoT hacking methodology would the Shodan search engine most likely be used? A. Vulnerability scanning B. Information gathering C. Launching attacks D. Gaining access

Jack receives a text message on his phone advising him of a major attack at his bank. The message includes a link to check his accounts. After clicking the link, an attacker takes control of his accounts in the background. Which of the following attacks is Jack facing? A. Phishing B. Smishing C. Vishing D. App sandboxing

Joe and Bob are both ethical hackers and have gained access to a folder. Joe has several encrypted files from the folder, and Bob has found one of them unencrypted. Which of the following is the best attack vector for them to follow? A. Cipher text only B. Known plain text C. Chosen cipher text D. Replay

Which encryption algorithm uses variable block sizes (from 32 to 128 bits)? A. SHA-1 B. RC5 C. 3DES D. AES

Machine A (with MAC address 00-01-02-AA-BB-CC) and Machine B (00-01-02-BB-CC-DD) are on the same subnet. Machine C, with address 00-01-02-CC-DD-EE, is on a different subnet. While the attacker is sniffing on the fully switched network, Machine B sends a message to Machine C. If an attacker on Machine A wanted to receive a copy of this message, which of the following circumstances would be necessary? A. The ARP cache of the router would need to be poisoned, changing the entry for Machine A to 00-01-02-CC-DD-EE. B. The ARP cache of Machine B would need to be poisoned, changing the entry for the default gateway to 00-01-02- AA-BB-CC. C. The ARP cache of Machine C would need to be poisoned, changing the entry for the default gateway to 00-01-02- AA-BB-CC. D. The ARP cache of Machine A would need to be poisoned, changing the entry for Machine C to 00-01-02-BB-CCDD.

OWASP, an international organization focused on improving the security of software, produced a "Top Ten Security Priorities" for web applications. Which item is the primary concern on the list? A. XSS B. Injection flaws C. insufficient logging and monitoring D. Broken authentication and session management

Of the tools listed, which is the best choice for quickly discovering IP addresses of IoT devices on your network? A. IoTInspector B. MultiPing C. Z-Wave Sniffer D. beSTORM

One of your team members is analyzing tll fields and TCP window sizes in order to fingerprint the OS of a Target. Which of the following is most likely being attempted? A. Online OS fingerprinting B. passive OS fingerprinting C. aggressive OS fingerprinting D. active OS fingerprinting

RC4 is a simple, fast encryption cipher. Which of the following is not true regarding RC4? A. RC4 can be used for web encryption. B. RC4 uses block encryption. C. RC4 is a symmetric encryption cipher. D. RC4 can be used for file encryption.

The source code of software used by your client seems to have a large number of gets() alongside sparsely used fgets(). What kind of attack is this software potentially susceptible to? A. SQL injection B. Buffer overflow C. Parameter tampering D. Cookie manipulation

Which MSFconsole command allows you to connect to a host from within the console? A. pivot B. connect C. get D. route

Which Metasploit payload type operates via DLL injection and is difficult for antivirus software to pick up? A. Inline B. Meterpreter C. Staged D. Remote

Which OWASP Top 10 IoT vulnerability category deals with poorly protected passwords? A. I1 - Insecure Web Interface B. I2 - Insufficient Authentication/Authorization C. I8 - Insufficient Security Configurability D. I9 - Insecure Software/Firmware

Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data? A. URG B. PSH C. RST D. BUF

Which cloud computing model is geared toward software development? A. IaaS B. PaaS C. SaaS D. Private

Which denial-of-service attack involves using multiple intermediary and secondary machines to contribute to the DoS effort? A. SYN flood B. DRDoS C. Application-level flood D. LOIC

Which display filter for Wireshark shows all packets containing the word facebook? A. content==facebook B. tcp contains facebook C. display==facebook D. tcp.all contains ==facebook

Which of the following DoS categories consume all available bandwidth for the system or service? A. Fragmentation attacks B. Volumetric attacks C. Application attacks D. TCP state-exhaustion attacks

Which of the following allows an Android user to attain privileged control of the device? A. DroidSheep B. SuperOneClick C. Faceniff D. ZitMo

Which of the following best describes a honeypot? A. It is used to filter traffic from screened subnets. B. It is used to gather information about potential network attackers. C. It is used to analyze traffic for detection signatures. D. Its primary function involves malware and virus protection.

Which of the following best describes a red team? A. Security team members defending a network B. Security team members attacking a network C. Security team members with full knowledge of the internal network D. Security team members dedicated to policy audit review

Which of the following best describes a teardrop attack? A. The attacker sends a packet with the same source and destination address. B. The attacker sends several overlapping, extremely large IP fragments. C. The attacker sends UDP Echo packets with a spoofed address. D. The attacker uses ICMP broadcast to DoS targets.

Which of the following best describes pharming? A. An attacker redirects victims to a malicious website by sending an e-mail that provides a URL that appears to be legitimate. B. An attacker redirects victims to a malicious website by modifying their host configuration file or by exploiting vulnerabilities in DNS. C. An attacker targets specific members of an organization based on their duties, roles, or responsibilities. D. An attacker inserts malicious code and malware into sites employees visit on a regular basis.

Which of the following causes a potential security breach? A. Vulnerability B. Threat C. Exploit D. Zero day

Which of the following is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services? A. NIST Cloud Architecture B. FedRAMP C. PCI DSS Cloud Special Interest Group D. Cloud Security Alliance

Which of the following is a symmetric encryption method that transforms a fixed length amount of plain text into an encrypted version of the same length? A. Stream B. Block C. Bit D. Hash

Which of the following is a true statement? A. Symmetric encryption scales easily and provides for nonrepudiation. B. Symmetric encryption does not scale easily and does not provide for nonrepudiation. C. Symmetric encryption is not suited for bulk encryption. D. Symmetric encryption is slower than asymmetric encryption.

Which of the following is an architectural pattern in computer software design in which application components provide services to other components via a communications protocol, typically over a network? A. API B. SOA C. EC2 D. IaaS

Which type of social engineering attack uses phishing, pop-ups, and IRC? A. Technical B. Computer based C. Human based D. Physical

Which of the following is not a recommended step in recovering from a malwareinfection? A. Delete system restore points. B. Back up the hard drive. C. Remove the system from the network. D. Reinstall from original media.

Which of the following is not true regarding WebGoat? A. WebGoat is maintained and made available by OWASP. B. WebGoat can be installed on Windows systems only. C. WebGoat is based on a black-box testing mentality. D. WebGoat can use Java or .NET.

Which of the following is not true regarding steganography? A. Steganography can use least significant bit insertion, masking, and filtering as techniques to hide messaging. B. Steganography only works on color images. C. Image files embedded with steganography may be larger in size and display strange color palettes. D. Character positioning, text patterns, unusual blank spaces, and language anomalies can all be symptoms of a text file embedded with steganography.

Which of the following is the best representation of a technical control? A. Air conditioning B. Security tokens C. Automated humidity control D. Fire alarms E. Security policy

Which of the following is the most popular short-range communication technology for IoT devices? A. RFID B. Zigbee C. QR codes D. LiFi

Which of the following jailbreaking techniques will leave the phone in a jailbroken state even after a reboot? A. Tethered B. Untethered C. Semi-tethered D. Rooted

Which of the following opens the Computer Management MMC in a Windows command line? A. compmgmt.mmc B. compmgmt.msc C. compmgmt.exe D. computermgmt.exe

Which of the following propagates without human interaction? A. Trojan B. Worm C. Virus D. MITM

Which of the following provides for integrity in WPA2? A. AES B. CCMP C. TKIP D. RADIUS

Which of the following would be considered a passive online password attack? A. Guessing passwords against an IPC$ share B. Sniffing subnet traffic to intercept a password C. Running John the Ripper on a stolen copy of the SAM D. Sending a specially crafted PDF to a user for that user to open

Which of the tools listed here is a passive discovery tool? A. Aircrack B. Kismet C. NetStumbler D. Netsniff

While on vacation, Joe receives a phone call from his identity alert service notifying him that two of his accounts have been accessed in the past hour. Earlier in the day, he did connect a laptop to a wireless hotspot at McDonald's and accessed the two accounts in question. Which of the following is the most likely attack used against Joe? A. Unauthorized association B. Honeyspot access point C. Rogue access point D. Jamming signal

Within IoT architecture, which of the following carries out message routing and identification? A. Edge Technology layer B. Access Gateway layer C. Internet layer D. Middleware layer

You are examining history logs on a Linux machine and note the attacker added an ampersand (&) after a few process commands. Which of the following is true regarding this? A. The & symbol has no effect on the process command. B. The & symbol runs the process as a background task and closes it when the user logs off. C. The & symbol ensures the process continues to run after the user logs off. D. The & symbol concatenates the process to subsequent commands.

You are examining log files and come across this URL:http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63%2f%70%61%73%73%77%64 Which of the following best describes this potential attack? A. This is not an attack but a return of SSL handshakes. B. An attacker appears to be using Unicode. C. This appears to be a buffer overflow attempt. D. This appears to be an XSS attempt.

You are told to monitor a packet capture from any attempted DNS Zone transfer. Which Port should you focus your search on? A. TCP 22 B. TCP 53 C. UDP 22 D. UDP 53

You have discovered an access point using WEP for encryption purposes. Which of the following is the best choice for uncovering the network key? A. NetStumbler B. Aircrack C. John the Ripper D. Kismet

You have tapped into a network subnet of your target organization. You begin an attack by learning all significant MAC addresses on the subnet. After some time, you decide to interpret messages between two hosts. You begin by sending broadcast messages to Host A showing your MAC address as belonging to Host B, while also sending messages to Host B showing your MAC address as belonging to Host A. What is being accomplished here? A. ARP poisoning to allow you to see all messages from either host without interrupting their communication process B. ARP poisoning to allow you to see messages from host A to host B C. ARP poisoning to allow you to see messages from host B to host A D. ARP poisoning to allow you to see messages from host A destined to any address E. ARP poisoning to allow you to see messages from host B destined to any address

You receive a RST-ACK from a port during a SYN scam. What is the state of the port? A. open B. close d C. filtered D. unknown

You wish to gain administrative privileges over your Android device. Which of the following tools is the best option for rooting the device? A. Pangu B. SuperOneClick C. Cydia D. evasi0n7

You're running an idle scan and send the first packet to the Target machine. Next the SYN/ACK packet is sent to the zombie. The IPID on the return packet from the zombie is 36754. If the starting IPID was 36753, in what state is the port on the open target machine? A. open B. closed C. unknown D. none of the above

Your organization installs mantraps in the entranceway. Which of the following attacks is it attempting to protect against? A. Shoulder surfing B. Tailgating C. Dumpster diving D. Eavesdropping

Your organization is planning for the future and is identifying the systems and processes critical for their continued operation. Which of the following best describes this effort? A. BCP B. BIA C. DRP D. ALE

an administrator enters the following command on a Linux system: iptables -t nat -L Which of the following best describes the intent of the command entered? A. The administrator is attempting a port scan B. the administrator is configuring IP masquerading C. the administrator is preparing to flood switch D. the administrator is preparing a DOS attack

Which of the following techniques can be used to gather information from a fully switched Network or to disable some of the traffic isolation features of a switch? (choose two) A. DHCP starvation B. MAC flooding C. promiscuous mode D. ARP spoofing

B, D

Which IoT communication model makes use of a component adding a collective before sending data to the cloud, which adds a measure of security control to the application? A. Device to device B. Device to cloud C. Device to gateway D. Device to security

Which of the following are true statements regarding a pen test?(Choose all that apply.) A. Pen tests do not include social engineering. B. Pen tests may include unannounced attacks against the network. C. During a pen test, the security professionals can carry out any attack they choose. D. Pen tests always have a scope. E. A list of all personnel involved in the test is not included in the final report.

B, D

Which of the following are true statements? (Choose all that apply.) A. WEP uses shared key encryption with TKIP. B. WEP uses shared key encryption with RC4. C. WPA2 uses shared key encryption with RC4. D. WPA2 uses TKIP and AES encryption.

B, D

Which of the following best describes active sniffing? (Choose all that apply.) A. Active sniffing is usually required when hubs are in place. B. Active sniffing is usually required when switches are in place. C. Active sniffing is harder to detect than passive sniffing. D. Active sniffing is easier to detect than passive sniffing.

B, D

Which of the following statements are true regarding a PKI system? (Choose two.) A. The CA encrypts all messages. B. The CA is the trusted root that issues certificates. C. The CA is the recovery agent for lost certificates. D. The RA verifies an applicant to the system0. E. The RA issues all certificates. F. The RA encrypt all messages.

B, D

Regarding SSIDs, which of the following are true statements? (Choose all that apply.) A. SSIDs are always 32 characters in length. B. SSIDs can be up to 32 characters in length. C. Turning off broadcasting prevents discovery of the SSID. D. SSIDs are part of every packet header from the AP. E. SSIDs provide important security for the network. F. Multiple SSIDs are needed to move between APs within an ESS.

B, D

(p223) After gaining access to a Windows machine, you see the last command executed on the box looks like this: Assuming the user had appropriate credentials, which of the following are true? (Choose all that apply.) A. In Windows Explorer, a folder will appear under the root directory named BankFiles. B. In Windows Explorer, a drive will appear denoted as BankFiles (\\MATTBOX) (F:). C. The mapped drive will remain mapped after a reboot. D. The mapped drive will not remained mapped after a reboot.

B, C

Which of the following are the best preventative measures to take against DHCP starvation attacks? (choose two) A. block all UDP Port 67 and 68 traffic B. enable DHCP snooping on the switch C. use port Security on the switch D. configure DHCP filters on the switch

B, C

Which of the following are true statements? (Choose two.) A. WebGoat is maintained by the IETF. B. WebGoat is maintained by OWASP. C. WebGoat can be installed on Windows or Linux. D. WebGoat is designed for Apache systems only.

B, C

Which of the following resources can assist in combating phishing in your organization? (Choose all that apply.) A. Phishkill B. Netcraft C. Phishtank D. IDA Pro

B, C

Which of the following use a 48-bit initialization vector? (Choose all that apply.) A. WEP B. WPA C. WPA2 D. WEP2

B, C

Which of the following statements are true regarding OSSTMM?(Choose all that apply.) A. OSSTMM is a non-profit, international research initiative dedicated to defining standards in security testing and business integrity testing. B. OSSTMM recognizes ten types of controls, which are divided into two classes C. ISECOM maintains the OSSTMM. D. OSSTMM defines three types of compliance.

B, C, D

You are discussing WEP cracking with a junior pen test team member. Which of the following are true statements regarding the initialization vectors? (Choose all that apply.) A. IVs are 32 bits in length. B. IVs are 24 bits in length. C. IVs get reused frequently. D. IVs are sent in clear text. E. IVs are encrypted during transmission. F. IVs are used once per encryption session.

B, C, D

(p60) You are examining traffic between hosts and note the following exchange: Which of the following statements are true regarding this traffic? (choose all that apply) A. It appears to be part of an ACK scan B. it appears to be part of an XMAS scan C. it appears Port 4083 is open D. it appears Port 4083 is closed

B, D

(p89) Examine the following snort rule: Which of the following statements are true regarding the rule? (choose all that apply) A. this rule will alert on package coming from the designated home network B. this rule will alert on packets coming from outside the designated home address C. this rule will alert on packets designated for any port, from Port 23, containing the "admin" string D. this rule will alert on packets designated on Port 23, from any port, containing the "admin" string

B, D

(p114) Examine the following passwd file: Which of the following statements are true regarding this passwd file? (Choose all that apply.) A. None of the user accounts has passwords assigned. B. The system makes use of the shadow file. C. The root account password is root. D. The root account has a shadowed password. E. Files created by Alecia will initially be viewable by Jason.

B, D, E

Which of the following is a recommendation to protect against session hijacking?(Choose two.) A. Use only nonroutable protocols. B. Use unpredictable sequence numbers. C. Use a file verification application, such as Tripwire. D. Use a good password policy. E. Implement IPSec throughout the environment.

B, E

(p113) You are examining test logs from the day's pen test activities and note the following entries on a Windows 8 machine: Which of the following is true regarding the code listing? A. The team member added a user account. B. The team member switched his login to that of a different user. C. The team member changed the password of a user. D. The team member renamed a user account.

(p266) You are examining log files and notice several connection attempts to a hosted web server. Many attempts appear as such: What type of attack is in use? A. SQL injection B. Unicode parameter tampering C. Directory traversal D. Cross-site scripting

Which authentication method uses DES for encryption and forces 14-character passwords for hash storage? A. NTLMv1 B. NTLMv2 C. LAN Manager D. Kerberos

Which encryption standard is used by LM? A. MD5 B. SHA-1 C. DES D. SHA-2 E. 3DES

If a rootkit is discovered on the system, which of the following is the best alternative for recovery? A. Replacing all data files from a good backup B. Installing Tripwire C. Reloading the entire system from known-good media D. Deleting all data files and reboot

Which flag or flags are sent in the segment during the second step of the TCP three-way handshake? A. SYN B. ACK C. SYN/ACK D. ACK/FIN

A business owner is advised that inventory, storage, sales, and backup online services can be provided cheaper and more securely via a cloud service. After investigating the options, the business owner determines the best cloud service provider for his needs also happens to be the provider for several of his competitors. Should he decide to engage the same provider, which cloud service deployment model will be used? A. Private B. IaaS C. Community D. Public

A company hires you as part of their security team. They are implementing new policies and procedures regarding mobile devices in the network. Which of the following would not be a recommended practice? A. Create a BYOD policy and ensure all employees are educated and aware of it. B. Whitelist applications and ensure all employees are educated and aware of them. C. Allow jailbroken and rooted devices on the network, as long as the employee has signed the policy. D. Implement MDM.

A company relies on a private cloud solution for most of its internal computing needs. After expanding into more online retailing, they rely on a portion of a public cloud for external sales and e-commerce offerings. Which of the following best describes the cloud deployment type in use? A. Private B. Public C. Hybrid D. Community

A man receives a text message on his phone purporting to be from Technical Services. The text advises of a security breach and provides a web link and phone number to follow up on. When the man calls the number, he turns over sensitive information. Which social engineering attack was this? A. Phishing B. Vishing C. Smishing D. Man in the middle

A pen test colleague is attempting to use a wireless connection inside the target's building. On his Linux laptop he types the following commands: ifconfig wlan0 downifconfig wlan0 hw ether 0A:0B:0C:1A:1B:1Cifconfig wlan0 up What is the most likely reason for this action? A. Port security is enabled on the access point. B. The SSID is cloaked from the access point. C. MAC filtering is enabled on the access point. D. Weak signaling is frustrating connectivity to the access point.

A pen test member has gained access to a building and is observing activity as he wanders around. In one room of the building, he stands just outside a cubicle wall opening and watches the onscreen activity of a user. Which social engineering attack is in use here? A. Eavesdropping B. Tailgating C. Shoulder surfing D. Piggybacking

A pen tester is configuring a Windows laptop for a test. In setting up Wireshark, what driver and library are required to allow the NIC to work in promiscuous mode? A. libpcap B. winprom C. winpcap D. promsw

A person approaches a network administrator and wants advice on how to send encrypted e-mail from home. The end user does not want to have to pay for any license fees or manage server services. Which of the following offers a method for sending encrypted e-mail without having to pay for license fees or manage a server? A. IP Security (IPSec) B. Multipurpose Internet Mail Extensions (MIME) C. Pretty Good Privacy (PGP) D. Hypertext Transfer Protocol with Secure Socket Layer (HTTPS)

A security administrator sets the HttpOnly flag in cookies. Which of the following is he most likely attempting to mitigate against? A. CSRF B. CSSP C. XSS D. Buffer overflow E. SQL injection

A user on Joe's network does not need to remember a long password. Users on Joe's network log in using a token and a four-digit PIN. Which authentication measure best describes this? A. Multifactor authentication B. Three-factor authentication C. Two-factor authentication D. Token authentication

Pen test team member Amy attempts to guess the ISN for a TCP session. Which attack is she most likely carrying out? A. XSS B. Session splicing C. Session hijacking D. Multipartite attack

Which hash algorithm was developed by the NSA and produces output values up to 512 bits? A. MD5 B. SHA-1 C. SHA-2 D. SSL

Amanda works as a security administrator for a large organization. She discovers some remote tools installed on a server and has no record of a change request asking for them. After some investigation, she discovers an unknown IP address connection that was able to access the network through a high-level port that was not closed. The IP address is first traced to a proxy server in Mexico. Further investigation shows the connection bounced between several proxy servers in many locations. Which of the following is the most likely proxy tool used by the attacker to cover his tracks? A. ISA proxy B. IAS proxy C. TOR proxy D. Netcat

An IDS installed on the network perimeter sees a spike in traffic during off-duty hours and begins logging and alerting. Which type of IDS is in place? A. Stateful B. Signature based C. Anomaly based D. Packet filtering

An attacker employs a Metasploit auxiliary module that exploits a built-in feature of OpenSSL. In the effort, the attacker's system sends a single byte of data representing it has received 64KB. The target responds by sending back 64KB of data from its memory. Which of the following describes this attack? A. POODLE B. FREAK C. Heartbleed D. DROWN

An attacker has physical access to a building and wants to attain access credentials to the network using nontechnical means. Which of the following social engineering attacks is the best option? A. Tailgating B. Piggybacking C. Shoulder surfing D. Sniffing

An attacker performs a Whois search against a target organization and discovers the technical point of contact (POC) and site ownership e-mail addresses. He then crafts an e-mail to the owner from the technical POC, with instructions to click a link to see web statistics for the site. Instead, the link goes to a fake site where credentials are stolen. Which attack has taken place? A. Phishing B. Man in the middle C. Spear phishing D. Human based

An attacker tricks a user into visiting a malicious website via a phishing email. The user clicks the email link and visits the malicious website while maintaining an active, authenticated session with his bank. The attacker, through the malicious website, then instructs the user's web browser to send requests to the bank website. Which of the following best describes this attack? A. CSPP B. XSS C. CSRF D. Hidden form field

An attacker wishes to make his malware as stealthy and undetectable as possible. He employs an effort that uses compression to reduce the file size of the malware. Which of the following best describes this? A. Crypter B. Wrapper C. Packer D. Compressor

An ethical hacker is sending TCP packets to a machine with the SYN flag set. None of the SYN/ACK responses on open ports is being answered. Which type of port scan is this? A. ping sweep B. XMAS C. Stealth D. full

An organization has decided upon AES with a 256-bit key to secure data exchange. What is the primary consideration for this? A. AES is slow. B. The key size makes data exchange bulky and complex. C. It uses a shared key for encryption. D. AES is a weak cypher.

Background checks on employees, risk assessments on devices, and policies regarding key management and storage are examples of __________ measures within physical security. A. physical B. technical C. operational D. None of the above

Bart receives an e-mail that appears to be from his lawyer containing a zip file namedCourtdoc.zip. Bart double-clicks the zip file to open it and a message stating "This word document is corrupt" appears. In the background, a file named Courtdoc.doc.exe runs and copies itself to the local APPDATA directory. It then begins beaconing to an external server. Which of the following best describes the malware Bart installed? A. Worm B. Virus C. Trojan D. Macro

Efforts to gain information from a target website have produced the following error message: Microsoft OLE DB Provider for ODBC Drivers error '80040e08' [Microsoft]{OBDC SQL Server Driver} Which of the following best describes the error message? A. The site may be vulnerable to XSS. B. The site may be vulnerable to buffer overflow. C. The site may be vulnerable to SQL injection. D. The site may be vulnerable to a malware injection.

Examine the wireshark filter shown here: ip.src -- 192.168.1.1 &&tcp.srcport == 80 Which of the following correctly describes the capture filter? A. The results will display all traffic from 192.168.1.1 Dustin for Port 80 B. the results will display all HTTP traffic to 192.168.1.1 C. the results will display all HTTP traffic from 192.168.1.1 D. no results will display because of invalid syntax

Google Docs and Salesforce CRM are two examples of which cloud computing model? A. IaaS B. PaaS C. SaaS D. Public

HTML forms include several methods for transferring data back and forth. Inside a form, which of the following encodes the input into the Uniform Resource Identifier (URI)? A. HEAD B. PUT C. GET D. POST

In a discussion on symmetric encryption, a friend mentions that one of the drawbacks with this system is scalability. He goes on to say that for every person you add to the mix, the number of keys increases dramatically. If seven people are in a symmetric encryption pool, how many keys are necessary? A. 7 B. 14 C. 21 D. 28

In the NIST Cloud Computing Reference Architecture, which component acts to manage use, performance, and delivery of cloud services, as well as the relationships between providers and subscribers? A. Cloud provider B. Cloud carrier C. Cloud broker D. Cloud consumer

In what situation would you employ a proxy server? (Choose the best answer.) A. You wish to share files inside the corporate network. B. You want to allow outside customers into a corporate website. C. You want to filter Internet traffic for internal systems. D. You want to provide IP addresses to internal hosts.

In which phase of a penetration test would you compile a list of vulnerabilities found? A. Pre-attack B. Attack C. Post-attack D. Reconciliation

In your social engineering efforts, you call the company help desk and pose as a user who has forgotten a password. You ask the technician to help you reset your password, which they happily comply with. Which social engineering attack is in use here? A. Piggybacking B. Reverse social engineering C. Technical support D. Halo effect

Incident response (IR) is an important part of organizational security. In what step of the incident-handling process would IR team members disable or delete user accounts and change firewall rules? A. Detection and Analysis B. Classification and Prioritization C. Containment D. Forensic Investigation

Operations promotes the use of mobile devices in the enterprise. Security disagrees, noting multiple risks involved in adding mobile devices to the network. Which of the following provides some protections against the risks security is concerned about? A. Implement WPA. B. Add MAC filtering to all WAPs. C. Implement MDM. D. Ensure all WAPs are from a single vendor.

The PKI system you are auditing has a certificate authority (CA) at the top that creates and issues certificates. Users trust each other based on the CA. Which trust model is in use here? A. Stand-alone CA B. Web of trust C. Single authority D. Hierarchical trust

Tim is part of a pen test team and is attempting to gain access to a secured area of the campus. He stands outside a badged entry gate and pretends to be engaged in a contentious cell phone conversation. An organization employee walks past and badges the gate open. Tim asks the employee to hold the gate while flashing a fake ID badge and continuing his phone conversation. He then follows the employee through the gate. Which of the following best defines this effort? A. Shoulder surfing B. Piggybacking C. Tailgating D. Drafting

What is being attempted with the following command? nc -u -v -w2 192.168.1.100 1-1024 A. a full connect scan on ports 1-1024 for a single address B. a full connect scan on ports 1-1024 for a subnet C. a UDP port scan on ports 1-1024 on a single address D. a UDP scan of ports 1-1024 on a subnet

What is the XOR output of 01010101 and 11001100? A. 01100110 B. 10101010 C. 10011001 D. 00110011

What is the difference between a dictionary attack and a hybrid attack? A. Dictionary attacks are based solely on word lists, whereas hybrid attacks make use of both word lists and rainbow tables. B. Dictionary attacks are based solely on whole word lists, whereas hybrid attacks can use a variety of letters, numbers, and special characters. C. Dictionary attacks use predefined word lists, whereas hybrid attacks substitute numbers and symbols within those words. D. Hybrid and dictionary attacks are the same.

What is the second step in the TCP three-way handshake? A. SYN B. ACK C. SYN/ACK D. ACK-SYN E. FIN

When is session hijacking performed? A. Before the three-step handshake B. During the three-step handshake C. After the three-step handshake D. After a FIN packet

Where is the SAM file stored on a Windows 7 system? A. /etc/ B. C:\Windows\System32\etc\ C. C:\Windows\System32\Config\ D. C:\Windows\System32\Drivers\Config

Which of the following SIDs indicates the true administrator account? A. S-1-5-21-1388762127-2960977290-773940301-1100 B. S-1-5-21-1388762127-2960977290-773940301-1101 C. S-1-5-21-1388762127-2960977290-773940301-500 D. S-1-5-21-1388762127-2960977290-773940301-501

Which of the following attacks an already-authenticated connection? A. Smurf B. Denial of service C. Session hijacking D. Phishing

Which of the following best defines a hybrid attack? A. The attack uses a dictionary list, trying words from random locations in the file until the password is cracked. B. The attack tries random combinations of characters until the password is cracked. C. The attack uses a dictionary list, substituting letters, numbers, and characters in the words until the password is cracked. D. The attack use rainbow tables, randomly attempting hash values throughout the list until the password is cracked

Which of the following best describes a wrapping attack? A. CSRF-type attack against cloud computing resources. B. An attack involving leveraging a new or existing VM on a physical device against another VM. C. A SOAP message is intercepted, data in the envelope is changed, and then the data is sent/replayed. D. The virtual machine management system on the physical machine is corrupted oradministrative control is gained over it.

Which of the following best describes an assessment against a network segment that tests for existing vulnerabilities but does not attempt to exploit any of them? A. Penetration test B. Partial penetration test C. Vulnerability assessment D. Security audit

Which of the following best describes the comparison between spoofing and session hijacking? A. Spoofing and session hijacking are the same thing. B. Spoofing interrupts a client's communication, whereas hijacking does not. C. Hijacking interrupts a client's communication, whereas spoofing does not. D. Hijacking emulates a foreign IP address, whereas spoofing refers to MAC addresses.

Which of the following best represents SOA? A. File server B. An application containing both the user interface and the code allowing access to the data C. An API that allows different components to communicate D. A single database accessed by multiple sources

Which of the following contains a listing of port numbers for well-known services defined by IANA? A. %windir%\etc\lists B. %windir%\system32\drivers\etc\lmhosts C. %windir%\system32\drivers\etc\services D. %windir%\system32\drivers\etc\hosts

Which of the following is a common SOA vulnerability? A. SQL injection B. XSS C. XML denial of service D. CGI manipulation

Which of the following is a standard method for web servers to pass a user's request to an application and receive data back to forward to the user? A. SSI B. SSL C. CGI D. CSI

Which of the following is a true statement? A. SOAP cannot bypass a firewall. B. SOAP encrypts messages using HTTP methods. C. SOAP is compatible with HTTP and SMTP. D. SOAP messages are usually bidirectional.

Which of the following is an advanced hardware- and software-designed radio used for security testing in IoT? A. Fluke B. Raspberry pi C. HackRF One D. Alfa AWUS036NH

Which of the following is the best choice in setting an NIDS tap? A. connect directly to a server inside the DMZ B. connect directly to a server in the intranet C. connect to a span port on a switch D. connect to the console port of a router

Which of the following is the proper syntax on Windows systems for spawning a command shell on port 56 using Netcat? A. nc -r 56 -c cmd.exe B. nc -p 56 -o cmd.exe C. nc -L 56 -t -e cmd.exe D. nc -port 56 -s -o cmd.exe

Which of the following tools can be used to extract application layer data from TCP connections captured in a log file into separate files? A. snort B. Netcat C. TCPflow D. Tcpdump

Which of the following tools is the best choice for sniffing IoT traffic? A. Firmalyzer B. beSTORM C. Foren6 D. Shodan

Which of the following tools is the best choice to assist in evading an IDS? A. Nessus B. Nikto C. Libwhisker D. Snort

Which of the following tools would be used in a blackjacking attack? A. Aircrack B. BBCrack C. BBProxy D. Paros Proxy

Which of the following works at Layer 5 of the OSI model? A. Stateful firewall B. Packet-filtering firewall C. Circuit-level firewall D. Application-level firewall

Which of the following would be the best choice in the prevention of XSS? A. Challenge tokens B. Memory use controls C. HttpOnly flag in cookies D. Removing hidden form fields

Which of the following would be the best protection against XSS attacks? A. Invest in top-of-the-line firewalls. B. Perform vulnerability scans against your systems. C. Configure input validation on your systems. D. Have a pen test performed against your systems.

Which symmetric algorithm uses variable block sizes (from 32 to 128 bits)? A. DES B. 3DES C. RC D. MD5

Which threat presents the highest risk to a target network or resource? A. Script kiddies B. Phishing C. A disgruntled employee D. A white-hat attacker

Which tool offers penetration-test-like services for Amazon EC2 customers? A. CloudPassage Halo B. Core Cloud C. CloudInspect D. Panda Cloud Office Protection

Which type of jailbreaking allows user-level access but does not allow iBoot-level access? A. iBoot B. Bootrom C. Userland D. iRoot

Which type of social engineering makes use of impersonation, dumpster diving, shoulder surfing, and tailgating? A. Physical B. Technical C. Human based D. Computer based

Which wireless standard is designed to work at 54 Mbps on a frequency range of 2.4 GHz? A. 802.11a B. 802.11b C. 802.11g D. 802.11n

Which wireless technology uses RC4 for encryption? A. WAP B. WPA C. WEP D. WPA2 E. All of the above

While pen-testing a client, you discover that LM hashing, with no salting, is still engaged for backward compatibility on most systems. One stolen password hash reads 9FAF6B755DC38E12AAD3B435B51404EE. Is this user following good password procedures? A. Yes, the hash shows a 14-character, complex password. B. No, the hash shows a 14-character password; however, it is not complex. C. No, the hash reveals a seven-character-or-less password has been used. D. It is impossible to determine simply by looking at the hash.

Within a TCP packet dump, a packet is noted with the SYN flag set and a sequence number set at A13F. What should the acknowledgment number in the return SYN/ACK packet be? A. A131 B. A130 C. A140 D. A14F

You are a member of a pen test team conducting tests. Your team has all necessary scope, terms of engagement, and nondisclosure and service-level agreements in place. You gain access to an employee's system and during further testing discover child pornography on a hidden drive folder. Which of the following is the best course of action for the ethical hacker? A. Continue testing without notification to anyone, but ensure the information is included in the final out-brief report. B. Continue testing without interruption, but completely remove all hidden files and the folder containing the pornography. C. Stop testing and notify law enforcement authorities immediately. D. Stop testing and remove all evidence of intrusion into the machine.

You are configuring rules for your Snort installation and want to have an alert message of "Attempted FTP" on any FTP packet coming from an outside address intended for one of your internal hosts. Which of the following rules are correct for this situation? A. alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:″Attempted FTP″) B. alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:″Attempted FTP″) C. alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:″Attempted FTP″) D. alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:″Attempted FTP″).

You are discussing physical security measures and are covering background checks on employees and policies regarding key management and storage. Which type of physical security measure is being discussed? A. Physical B. Technical C. Operational D. Practical

You are discussing wireless security with your client. He tells you he feels safe with his network as he has implemented MAC filtering on all access points, allowing only MAC addresses from clients he personally configures in each list. You explain this step will not prevent a determined attacker from connecting to his network. Which of the following explains why the APs are still vulnerable? A. WEP keys are easier to crack when MAC filtering is in place. B. MAC addresses are dynamic and can be sent via DHCP. C. An attacker could sniff an existing MAC address and spoof it. D. An attacker could send a MAC flood, effectively turning the AP into a hub.

You are performing an ACK scan against a target subnet. You previously verified connectivity to several hosts within the subnet but want to verify all live hosts on the subnet. Your scan, however, is not receiving any replies. What type of firewall is most likely in use at your location? A. Packet filtering B. IPS C. thankful D. active

You are reviewing security plans and policies, and you wish to provide protection to organization laptops. Which effort listed protects system folders, files, and MBR until valid credentials are provided at pre-boot? A. Cloud computing B. SSL/TLS C. Full disk encryption D. AES

You want to begin sniffing, and you have a Windows 7 laptop. You download and install Wireshark but quickly discover your nice needs to be in "promiscuous mode". What allows you to put your NIC into promiscuous mode? A. installing lmpcap B. installing npcap C. installing WinPcap D. installing libPcap E. Manipulating the NIC properties through control panel | network and internet | change adapter settings

You want to perform a ping sweep of a subnet within your target organization. Which of the following nmap command lines is your best option? A. nmap 192.168.1.0/24 B. nmap -sT 192.168.1.0/24 C. nmap -sP 192.168.1.0/24 D. nmap -P0 192.168.1.0/24

You want to run a scan against a target network. You're concerned about it being a reliable scan, with legitimate results, but want to take steps to ensure it is as stealthy as possible. Which scan type is best in this situation? A. nmap -sN targetIPaddress B. nmap -sO targetIPaddress C. nmap -sS targetIPaddress D. nmap -sT targetIPaddress

Your pen test team is discussing services with a potential client. The client indicates they do not see the value in penetration testing. Which of the following is the correct response from your team? A. Run a few tests and display the results to the client to prove the value of penetration testing. B. Provide detailed results from other customers you've tested, displaying the value of planned testing and security deficiency discovery. C. Provide information and statistics regarding pen testing and security vulnerabilities from reliable sources. D. Perform the penetration test anyway in case they change their mind.

Which of the following commands would you use to quickly identify live Targets on a subnet? (choose all that apply) A. nmap -A 172.17.24.17 B. nmap -O 172.17.24.0/24 C. nmap -sn 172.17.24.0/24 D. nmap -PI 172.17.24.0/24

C, D

Which of the following would be a good choice for an automated penetration test?(Choose all that apply.) A. nmap B. Netcat C. Core Impact D. CANVAS

C, D

You are attempting to hack a Windows machine and want to gain a copy of the SAM file. Where can you find it? (Choose all that apply.) A. /etc/passwd B. /etc/shadow C. c:\windows\system32\config D. c:\winnt\configE. c:\windows\repair

C, E

The team has discovered an access point configured with WEP encryption. What is needed to perform a fake authentication to the AP in an effort to crack WEP? (Choose all that apply.) A. A replay of a captured authentication packet B. The IP address of the AP C. The MAC address of the AP D. The SSID

C, D

(p267) You are examining IDS logs and come across the following entry: What can you infer from this log entry? A. The attacker, using address 192.168.119.56, is attempting to connect to 64.118.55.64 using a DNS port. B. The attacker, using address 64.118.55.64, is attempting a directory traversal attack. C. The attacker is attempting a known SQL attack against 192.168.119.56. D. The attacker is attempting a buffer overflow against 192.168.119.56.

(p268) An attacker inputs the following into the Search text box on an entry form: The attacker then clicks the Search button and a pop-up appears stating, "It Worked." What can you infer from this? A. The site is vulnerable to buffer overflow. B. The site is vulnerable to SQL injection. C. The site is vulnerable to parameter tampering. D. The site is vulnerable to XSS.

Four terms make up the common criteria process. Which of the following contains seven levels used to rate the target? A. TOE B. ST C. PP D. EAL

A company acquires a cloud environment for much of its business IT needs. The environment is used and operated solely for the single organization. Which of the following represents the cloud deployment model in question? A. Public B. IaaS C. Sole-source D. Private

A pen test member has gained access to an open switch port. He configures his NIC for promiscuous mode and sets up a sniffer, plugging his laptop directly into the switch port. He watches traffic as it arrives at the system, looking for specific information to possibly use later. What type of sniffing is being practiced? A. Active B. promiscuous C. blind D. passive E. session

A pen test member is running the Airsnarf tool from a Linux laptop. What is she attempting? A. MAC flooding against an AP on the network B. Denial-of-service attacks against APs on the network C. Cracking network encryption codes from the WEP AP D. Stealing usernames and passwords from an AP

A pen tester sends an unsolicited e-mail to several users on the target organization. The e-mail is well crafted and appears to be from the company's help desk, advising users of potential network problems. The e-mail provides a contact number to call in the event a user is adversely affected. The pen tester then performs a denial of service on several systems and receives phone calls from users asking for assistance. Which social engineering practice is in play here? A. Technical support B. Impersonation C. Phishing D. Reverse social engineering

A review of the command history on a Linux box shows the following command entered: Which of the following is the best description of what the attacker is attemptingto accomplish? A. Add a user to the system. B. Elevate current login privileges. C. Change passwords for users. D. Display password file contents.

A security staff is preparing for a security audit and wants to know if additional security training for the end user would be beneficial. Which of the following methods would be the best option for testing the effectiveness of user training in the environment? A. Vulnerability scanning B. Application code reviews C. Sniffing D. Social engineering

A systems administrator is applying digital certificates for authentication and verification services inside his network. He creates public and private key pairs using Apple's Keychain and uses the public key to sign documents that are used throughout the network. Which of the following certificate types is in use? A. Public B. Private C. Signed D. Self-signed

A web application developer wishes to test a new application for security flaws. Which of the following is a method of testing input variations by using randomly generated invalid input in an attempt to crash the program? A. Insploit B. Finglonger C. Metasplation D. Fuzzing

After TLS had largely replaced SSL for secure communications, many browsers retained backward compatibility to SSL 3.0. Which vulnerability takes advantage of the degradation of service down to SSL 3.0 in the TLS handshake? A. Heartbleed B. FREAK C. DROWN D. POODLE

After observing a target organization for several days, you discover that finance and HR records are bagged up and placed in an outside storage bin for later shredding/recycling. One day you simply walk to the bin and place one of the bags in your vehicle, with plans to rifle through it later. Which social engineering attack was used here? A. Offline B. Physical C. Piggybacking D. Dumpster diving

Amy and Claire work in an organization that has a PKI system in place for securing messaging. Amy encrypts a message for Claire and sends it on. Claire receives the message and decrypts it. Within a PKI system, which of the following statements is true? A. Amy encrypts with her private key. Claire decrypts with her private key. B. Amy encrypts with her public key. Claire decrypts with her public key. C. Amy encrypts with Claire's private key. Claire decrypts with her public key. D. Amy encrypts with Claire's public key. Claire decrypts with her private key.

An SSL session requires a client and a server to pass information between each other via a handshake and agree on a secured channel. Which of the following best describes the session key creation during the setup of an SSL session? A. The server creates the key after verifying the client's identity. B. The server creates the key immediately on the client connection. C. The client creates the key using the server's public key. D. The client creates the key after verifying the server's identity.

An attacker is attempting a DoS attack against a machine. She first spoofs the target's IP address and then begins sending large amounts of ICMP packets containing the MAC address FF:FF:FF:FF:FF:FF. What attack is underway? A. ICMP flood B. Ping of death C. SYN flood D. Smurf E. Fraggle

An attacker is using Shodan to search for devices on a target. She types the following as the search string: webcam geo:"-85.97,31.81". Which of the following correctly describes this action? A. The search string syntax is incorrect. B. The attacker is searching for webcams with serial numbers starting between 3181 and 8597. C. The attacker is searching for webcam manufacturers starting with "geo." D. The attacker is searching for webcams in the geographic location -31.80, 85.95 (longitude and latitude).

An attacker targets a specific group inside the organization. After some time profiling the group, she notes several websites the individual members of the group all visit on a regular basis. She spends time inserting various malware and malicious codes into some of the more susceptible websites. Within a matter of days, one of the group member's system installs the malware from an infected site, and the attacker uses the infected machine as a pivot point inside the network. Which of the following best defines this attack? A. Spear phishing B. Whaling C. Web-ishing D. Watering hole attack

An ethical hacker is assigned to scan a server and wants to avoid IDs detection. She uses a tactic wherein the TCP header is split into many packets, making it difficult to detect what packets are intended for. Which of the following best describes the technique employed? A. TCP scanning B. IP fragment scanning C. ACK scanning D. Inverse TCP scanning

Bit streams are run through an XOR operation. Which of the following is a true statement for each bit pair regarding this function? A. If the first value is 0 and the second value is 1, then the output is 0. B. If the first value is 1 and the second value is 0, then the output is 0. C. If the first value is 0 and the second value is 0, then the output is 1. D. If the first value is 1 and the second value is 1, then the output is 0.

Cleaning registry entries and removing uploaded files and tools are part of which phase of a pen test? A. Covering tracks B. Pre-attack C. Attack D. Post-attack

Cloud computing would be best suited for which of the following businesses? A. A medical practice B. An established rural general sales store C. A law enforcement agency D. A Christmas supply store

Hope works on a security team, and her laptop contains many confidential files. Which of the following is the best choice for protection of those files from loss or theft of the laptop? A. Set a BIOS password B. Create hidden folders to store the files in C. Password protect the files D. Install Full Disk Encryption

How does Tripwire (and programs like it) help against Trojan attacks? A. Tripwire is an AV application that quarantines and removes malware immediately. B. Tripwire is an AV application that quarantines and removes malware after a scan. C. Tripwire is a file-integrity-checking application that rejects malware packets intended for the kernel. D. Tripwire is a file-integrity-checking application that notifies you when a system file has been altered, potentially indicating malware.

Implementing cloud computing provides many benefits. Which of the following is the best choice of a security principle applicable to implementing cloud security? A. Need to know B. Least privilege C. Job rotation D. Separation of duties

In October of 2016, a DDoS attack involving millions of IoT devices caused a disruption of service to large numbers of users in North America and Europe. Which of the following malware was used in the attack? A. WannaCry B. Cryptolocker C. Locky D. Mirai

In the NIST Cloud Computing Reference Architecture, which component acquires and uses cloud products and services? A. Cloud provider B. Cloud carrier C. Cloud broker D. Cloud consumer

In this attack on VANET, vehicles appear to be in multiple places at once, causing congestion and severely impairing the use of data. Which of the following best describes this attack? A. Rolling code B. BlueBorne C. Side channel D. Sybil

In which step of EC-Council's system hacking methodology would you find steganography? A. Cracking passwords B. Escalating privileges C. Executing applications D. Hiding files E. Covering tracks

Joe is part of a penetration test team and is starting a test. The client has provided him a system on one of their subnets but did not provide any authentication information, network diagrams, or other notable data concerning the systems. Which type of test is Joe performing? A. External, white box B. External, black box C. Internal, white box D. Internal, black box

Joe uses a user ID and password to log into the system every day. Jill uses a PIV card and a PIN. Which of the following are true? A. Joe and Jill are using single-factor authentication. B. Joe and Jill are using two-factor authentication. C. Joe is using two-factor authentication. D. Jill is using two-factor authentication.

Metasploit is a framework allowing for the development and execution of exploit code against a remote host and is designed for use in pen testing. The framework consists of several libraries, each performing a specific task and set of functions. Which library is considered the most fundamental component of the Metasploit framework? A. MSF Core B. MSF Base C. MSF interfaces D. Rex

Nmap is a powerful scanning and enumeration tool. What does the following end map command attempt to accomplish? nmap -sA -T4 192.168.15. 0/24 A. A serial, slow operating system discovery scan of a Class C subnet B. a parallel, fast operating system discovery scan of a Class C subnet C. a serial, slow ACK scan of a Class C subnet D. a parallel, fast ACKscan of a Class C subnet

Sally is part of a penetration test team and is starting a test. The client has provided a network drop on one of their subnets for Sally to launch her attacks from. However, they did not provide any authentication information, network diagrams, or other notable data concerning the systems. Which type of test is Sally performing? A. External, white box B. External, black box C. Internal, white box D. Internal, black box

The following results are from an nmap scan: Which of the following is the best option to assist in identifying the operating system? A. Attempt an ACK scan B. traceroute to the system C. run the same nmap scan with the -vv option D. attempt banner grabbing

Two different organizations have their own public key infrastructure up and running. When the two companies merged, security personnel wanted both PKIs to validate certificates from each other. What must the CAs for both companies establish to accomplish this? A. Key exchange portal B. Key revocation portal C. Cross-site exchange D. Cross-certification

What marks the major difference between a hacker and an ethical hacker (pen test team member)? A. Nothing. B. Ethical hackers never exploit vulnerabilities; they only point out their existence. C. The tools they use. D. The predefined scope and agreement made with the system owner.

What provides for both authentication and confidentiality in IPSec? A. AH B. IKE C. OAKLEY D. ESP

Which character is the best choice to start a SQL injection attempt? A. Colon B. Semicolon C. Double quote D. Single quote

Which character is your best option in testing for SQL injection vulnerability? A. The @ symbol B. A double dash C. The + sign D. A single quote

Which command is used to allow all privileges to the user, read-only to the group, and read-only for all others to a particular file, on a Linux machine? A. chmod 411 file1 B. chmod 114 file1 C. chmod 117 file1 D. chmod 711 file1 E. chmod 744 file1

Which mode of IPSec is most often chosen for internal communications? A. AH B. ESP C. Tunnel D. Transport

Which of the following attacks attempts to re-send a portion of a cryptographic exchange in hopes of setting up a communications channel? A. Known plain text B. Chosen plain text C. Man in the middle D. Replay

Which of the following best describes the difference between a professional pen test team member and a hacker? A. Ethical hackers are paid for their time. B. Ethical hackers never exploit vulnerabilities; they only point out their existence. C. Ethical hackers do not use the same tools and actions as hackers. D. Ethical hackers hold a predefined scope and agreement from the system owner.

Which of the following commands is the best choice to use on a Linux machine when attempting to list processes and the UIDs associated with them in a reliable manner? A. ls B. chmod C. pwd D. lsof

Which of the following common criteria processes refers to the system or product being tested? A. ST B. PP C. EAL D. TOE

Which of the following constitutes the highest risk to the organization? A. Black-hat hacker B. White-hat hacker C. Gray-hat hacker D. Disgruntled employee

Which of the following doesn't define a method of transmitting data that violates a security policy? A. Backdoor channel B. Session hijacking C. Covert channel D. Overt channel

Which of the following is a true statement? A. Kismet can be installed on Windows, but not on Linux. B. NetStumbler can be installed on Linux, but not on Windows. C. Kismet cannot monitor traffic on 802.11n networks. D. NetStumbler cannot monitor traffic on 802.11n networks.

Which of the following is a true statement? A. Configuring a strong SSID is a vital step in securing your network. B. An SSID should always be more than eight characters in length. C. An SSID should never be a dictionary word or anything easily guessed. D. SSIDs are important for identifying networks but do little to nothing for security

Which of the following is a true statement? A. Configuring the web server to send random challenge tokens is the best mitigation for XSS attacks. B. Configuring the web server to send random challenge tokens is the best mitigation for buffer overflow attacks. C. Configuring the web server to send random challenge tokens is the best mitigation for parameter-manipulation attacks. D. Configuring the web server to send random challenge tokens is the best mitigation for CSRF attacks.

Which of the following is an effective deterrent against TCP session hijacking? A. Install and use an HIDS on the system. B. Install and use Tripwire on the system. C. Enforce good password policy. D. Use unpredictable sequence numbers.

Which of the following is an iOS jailbreaking type that cannot be patched by Apple, as the failure is within the hardware itself, and provides admin-level access after successful completion? A. iBoot B. Userland C. Untethered D. BootROM

Which of the following statements is true regarding the discovery of sniffers on a network? A. To discover the sniffer, ping all addresses and examine latency and responses B. to discover the sniffer, send ARP messages to all systems and watch for NOARP responses C. to discover the sniffer, configure the IDS to watch for NICs in promiscuous mode D. it is almost impossible to discover the sniffer on a network

Which of the following tests is generally faster and costs less but is susceptible to more false reporting and contract violation? A. Internal B. External C. Manual D. Automatic

Which port number is used by default for syslog? A. 21 B. 23 C. 69 D. 514

While observing a target organization's building, you note the lone entrance to the building has a guard posted just inside the door. After entering the external door, you note the lobby of the building is separated from the external door by a small glass-paneled room, with a closed door facing the exterior and a closed door to the interior. There appears to be an RFID scanning device and a small keyboard with video display in the room. Which of the following best defines this physical security control? A. Guard shack B. Turnstile C. Man shack D. Man trap

Within a PKI system, Julia encrypts a message for Heidi and sends it. Heidi receives the message and decrypts the message using what? A. Julia's public key B. Julia's private key C. Heidi's public key D. Heidi's private key

Within a PKI system, which of the following is an accurate statement? A. Bill can be sure a message came from Sue by using his public key to decrypt it. B. Bill can be sure a message came from Sue by using his private key to decrypt it. C. Bill can be sure a message came from Sue by using her private key to decrypt the digital signature. D. Bill can be sure a message came from Sue by using her public key to decrypt the digital signature.

You are concerned about protecting data on organization laptops from loss or theft. Which of the following technologies best accomplishes this goal? A. Single sign-on B. Cloud computing C. IPSec tunnel mode D. Full Disk Encryption

You're describing a basic PKI system to a new member of the team. He asks how the public key can be distributed within the system in an orderly, controlled fashion so that the users can be sure of the sender's identity. Which of the following would be your answer? A. Digital signature B. Hash value C. Private key D. Digital certificate E. Nonrepudiation

You are discussing wireless security with your client. He tells you he feels safe with his network because he has turned off SSID broadcasting. Which of the following is a true statement regarding his attempt at security? A. Unauthorized users will not be able to associate because they must know the SSID in order to connect. B. Unauthorized users will not be able to connect because DHCP is tied to SSID broadcast. C. Unauthorized users will still be able to connect because nonbroadcast SSID puts the AP in ad hoc mode. D. Unauthorized users will still be able to connect because the SSID is still sent in all packets, and a sniffer can easily discern the string.

You are examining LM password hashes and see the following: 3A02DF5289CF6EEFAAD3B435B51404EE Which of the following passwords is most likely to have created the hash? A. 123456789 B. CEHISHARD C. c3HisH@RD! D. CEHhard

You are examining a host with an IP address of 52.93.24.42/20 and want to determine the broadcast address for the subnet. Which of the following is the correct broadcast address for the subnet? A. 52.93.24.255 B. 52.93.0.255 C. 52.93.32.255 D. 52.93.31.255 E. 52.93.255.255

You are examining traffic and notice on ICMP type 3, code 13 response. What does this normally indicate? A. The network is unreachable B. the host is unknown C. congestion control is enacted for traffic to the tow D. a firewall is prohibiting connection

You are examining website files and find the following text file: # robots.txt for http://www.anybiz.com/ User-agent: GooglebotDisallow: /tmp/ User-agent: * Disallow: / Disallow: /private.php Disallow: /listing.html Which of the following is a true statement concerning this file? A. All web crawlers are prevented from indexing the listing.html page. B. All web crawlers are prevented from indexing all pages on the site. C. The Googlebot crawler is allowed to index pages starting with /tmp/. D. The Googlebot crawler can access and index everything on the site except for pagesstarting with /tmp/.

You are separated from your target subnet by a firewall. The firewall is correctly configured and allows requests only to ports open by the administrator. In firewalking the device, you find that Port 80 is open. Which technique could you employ to send data and commands to or from the target system? A. Encrypt the data to hide it from the firewall B. used session splicing C. used Mac flooding D. use HTTP tunneling

You have established a Netcat connection to a target machine. Which flag can be used to launch a program? A. -p B. -a C. -l D. -e

You suspect a hack has occurred against your Linux machine. Which command will display all running processes for you to review? A. ls -d B. ls -l C. su D. ps -ef E. ifconfig

You want to display active and inactive services on a Windows Server machine. Which of the following commands best performs this service? A. sc query B. sc query type=all C. sc query type=service D. sc query state=all

Your target subnet is protected by a firewalled DMZ. Reconnaissance shows the external firewall passes some traffic from external to internal, but blocks most communications. HTTP traffic to a web server in the DMZ, which answers to www.somebiz.org, is allowed, along with standard traffic such as DNS queries. Which of the following may provide a method to evade the firewall protection? A. an ACK scan B. Fire-walking C. false positive flooding D. TCP over DNS

Which of the following activities are not considered passive footprinting? (choose two) A. Dumpster diving B. reviewing financials sites for company information C. clicking links within the company's public website D. calling the company's help desk line E. employing passive sniffing

D, E

Cloud computing faces many of the same security concerns as traditional network implementations. Which of the following are considered threats to cloud computing? A. Data breach or loss B. Abuse of services C. Insecure interfaces D. Malicious insiders E. All of the above

You are examining files on a Windows machine and note one file's attributes include "h."What does this indicate? A. The file is flagged for backup. B. The file is part of the help function. C. The file is fragmented because of size. D. The file has been quarantined by an antivirus program. E. The file is hidden.

You are examining traffic to see if there are any network enabled printers on the subnet. Which of the following ports should you be monitoring for? A. 53 B. 88 C. 445 D. 514 E. 631

Your IDS sits on the network perimeter and has been analyzing traffic for a couple of weeks. On arrival one morning, you find the IDS has alerted on a spike in network traffic late the previous evening. What type of IDS are you using? A. stateful B. snort C. passive D. signature based E. anomaly based

12. Which technology can provide protection against session hijacking? a. ipsec b. udp c. tcp d. ids

a. ipsec can protect against session hijacking.

9. Jennifer has captured the following URL; ww.snaz22enu.com/&w25/session=22525. She realizes that she can perform a session hijack. Which utility would she use? a. shark b. droidsheep c. airmon d. droid

b. droidsheep is used to perform session hijacks.

8. What utility could be used to avoid sniffing of traffic? a. sandroproxy b. proxify c. psiphon d. shark

c psiphon is essetially a vpn technology that would thwart sniffing of traffic.

(p80) An SOA record gathered from a zone transfer is shown here: What is the name of the authoritative DNS server for the domain, and how often will secondary servers check in for updates? A. DNSRV1.anycomp.com, every 3600 seconds B. DNSRV1.anycomp.com, every 600 seconds C. DNSRV1.anycomp.com, every 4 seconds D. postmaster.anycomp.com, every 600 seconds

As part of the preparation phase for a pen test you are participating in, the client relays their intent to discover security flaws and possible remediation. They seem particularly concerned about internal threats from the user base. Which of the following best describes the test type the client is looking for? A. Grey box B. Black Box C. white hat D. black hat

Which footprinting tool or technique can be used to find the names and addresses of employees or technical points of contact? A. whois B. nslookup C. dig D. traceroute

Brad is auditing an organization and is asked to provide suggestions on improving DNS security. Which of the following would be valid options to recommend? (choose all that apply.) A. Implementing a split horizon operation B. restricting zone transfers C. obfuscating DNS by using the same server for other applications and functions D. blocking all access to the server on Port 53

A, B

An ethical hacker searches for IP ranges owned by the client, reads news articles, observes when bank employees arrive and leave from work, searches the clients job postings, and visits the client's dumpster. Which of the following is a true statement? A. All of the actions are active footprinting B. all of the actions are passive footprinting C. the ethical hacker is in the system attack face D. the ethical hacker is acting as a black hat attacker

As a pentest team member, you begin searching for IP ranges owned by the target organization and discover their network range. You also read job postings and news articles and visit the organization's website. Throughout the first week of the test, you also observe when employees come to and leave work, and you rummage through the trash outside the building for useful information. Which type of footprinting are you accomplishing? A. Active B. passive C. reconnaissance D. none of the above

Which type of attack is generally conducted as an inside attacker with elevated privileges on the resources? A. Grey box B. White box C. black box D. active reconnaissance

While performing a pen test, you find success in exploiting a machine. Your attack sector took advantage of a common mistake the Windows 7 installer script you still load the machine left the administrative account with a default password. Which attacks did you successfully execute? A. Application Level B. operating system C. shrink wrap D. social engineering E. Misconfiguration

You are looking for pages with the terms CEH and V10 in their title. Which Google Hack is the appropriate one? A. inurl:CEHinurl:V10 B. allintitle:CEH V10 C. intitle:CEHintitle:V10 D. allinurl: CEH V10

A Certified Ethical Hacker (CEH) follows a specific methodology for testing a system. Which step comes after footprinting in the CEH methodology? A. Scanning B. Enumeration C. Reconnaissance D. Application attack

A pen test team member sends an email to an address that she knows is not valid inside an organization. Which of the following is the best explanation for why she took this action? A. To possibly gather information about internal hosts used in the organization's email system B. to start a denial-of-service attack C. to determine an email administrators contact information D. to gather information about how email systems deal with invalidity addressed messages

A security team is implementing various security controls across the organization. After several configurations and applications, a final agreed on set of security controls are put into place; however, not all risks are mitigated by the controls. Of the following, which is the next best step? A. Continue applying controls until all risk is eliminated B. Ignore any remaining risks as "best effort controlled" C. Ensure that any remaining risk is residual or low and accept the risk D. Remove all controls

An organization has a DNS server located in the DMZ and other DNS servers located on the internet. What is this implementation commonly called? A. Dynamic DNS B. DNSSEC C. split DNS D. Auto DNS

Which of the following was created to protect shareholders and the general public from corporate accounting errors and fraudulent practices, and to improve the accuracy of corporate disclosures? A. GLBA B. HIPAA C. SOX D. FITARA

Which of the following would be the best choice for footprinting restricted URLs and OS information from a target? A. www.archive.org B. www.alexa.org C. Netcraft D. Yesware

Which of the following would be the best example of a deterrent control? A. A log aggregation system B. hidden cameras on site C. a guard posted outside the door D. backup recovery systems

Which protocol and port number combination is used by default for DNS Zone transfer? A. UDP 53 B. UDP 161 C. TCP 53 D. TCP 22

One way to mitigate against DNS poisoning is to restrict or limit the amount of time records can stay in cache before they're updated. Which DNS record type allows you to set this restriction? A. NS B. PTR C. MX D. CNAME E. SOA

You are setting up DNS for your Enterprise. Server A is both a web server and an FTP server. You want to advertise both services for this machine as name references your customers can't use. Which DNS record type would you use to accomplish this? A. NS B. SOA C. MX D. PTR E. CNAME

20. NetCut is used to do what? (choose two) a. test firewalls b. craft packets c. take over a session d. scan a network

a, b. netcut can test a firewall and craft packets.

11. What option would you use to install software thats not from the Google Play store a. install from unknown sources b install unsigned sources c. install from unknown locations d install from unsigned services

a. if install from unknown sources is enabled on android devices, unsafe or unprotected applications could compromise a device, but still will be installed.

16. A man-in-the-browser attack delivered by a piece of malware can be prevented by which of the following? a. anti-virus b. anti-spyware c. using firefox d. rooting a device

a. much like desktop systems, installing an antivirus can prevent this type of malware based attack.

15. A denial of service application for Android is ______. a. blaster b LOIC c. evil d. pryfi

b. LOIC is software used to perform denial of service attacks.

1. What is the benefit of encryption on mobile devices? a. protection against stolen devices b. protection of data on lost or stolen devices c. prevention of malware d. protection of data being sent to website

b. encryption safeguards data on devices that have been lost or stolen.

5. iOS is based on which operating system? a. windows b. os x c. unix d linux

b. ios is based on os X

10. Jennifer is concerned about her scans being tracked back to her tablet. What could she use to hide the source of the scans? a. sniffing b. sandroproxy c. faceniff d. blind scanning

b. sandroproxy would be ueful to disguise the soure of a scan.

13. When a device is rooted, what is the effect on security? a. improved b. lowered c. stays the same d. hardened

b. security is lowered on a device when rooting is performed.

7. A utility for auditing WordPress from Android is _____? a. droidsheep b. firesheep c. wpscan d. nmap

c wpscan is used to look for weaknesses in wordpress sites.

2. Jailbreaking a phone refers to what? a. removing DRM from the system b. removing a device from a network c. acquiring root access on a device d. removing ransomware from a system

c. jail braking refers to gaining root access on a mobile device specifically iOS devices.

4. Android is based on which operating system? a. windows b. os x c. unix d. linux

d. android is based on linux

An ethical hacker is given no prior knowledge of the network and has a specific framework in which to work. The agreement specifies boundaries, non-disclosure agreements, and a completion date definition. Which of the following statements is true? A. A white hat is attempting a black box test B. a white hat is attempting a white box test C. a black hat is attempting a black box test D. a black hat is attempting a grey box test

An ethical hacker is hired to test the security of a business network. The CEH is given no prior knowledge of the network and has a specific framework in which to work, defining boundaries, non-disclosure agreements, and the completion date. Which of the following is a true statement? A. A white hat is attempting a black box test B. a white hat is attempting a white box test C. a black hat is attempting a black box test D. a black hat is attempting a grey box test

Enacted in 2002, this US law requires every Federal agency to implement Information Security Programs, including significant reporting on compliance and accreditation. Which of the following is the best choice for this definition? A. FISMA B. HIPAA C. NIST 800-53 D. OSSTMM

Examine the following command sequence: C:\> nslookup Default Server: nsl.anybiz.com Address: 188.87.99.6 > set type=HINFO > someserver Server: resolver.anybiz.com Address: 188.87.100.5 Someserver.anybiz.com CPU=Intel Quad Chip OS=Linux 2.8 Which of the following statements best describes the intent of the command sequence? A. The operator is enumerating a system named someserver B. the operator is attempting DNS poisoning C. the operator is attempting a Zone transfer D. the operator is attempting to find a name server

Which OSRF application checks to see if a username has been registered in up to 22 different email providers? A. mailfy.py B. usufy.py C. entify.py D. searchfy.py

As part of a pen test on a U.S. government system, you discover files containing Social Security numbers and other sensitive personally identifiable information (PII). You are asked about controls placed on the dissemination of this information. Which of the following acts should you check? A. FISMA B. Privacy Act C. Patriot Act D. Freedom of Information Act

Which of the following best defines a logical or technical control? A. Air conditioning B. security tokens C. fire alarms D. security policy

Which of the following statements is true regarding the p0f tool? A. It is an active OS fingerprinting tool B. it is a passive OS fingerprinting tool C. it is designed to extract metadata for Microsoft files D. it is designed for remote access

You've been hired as part of a pen test team. During the brief, you learn that the client wants the pen test attack to simulate a normal user who finds ways to elevate privileges and create attacks. Which type of test does the client want? A. White box B. grey box C. Black Box D. hybrid

Examine the following command line entry: C:\>nslookup Default Server: ns1.somewhere.com Address: 128.189.72.5 >set q=mx >mailhost Which statements are true regarding this command sequence? (choose two) A. nslookup is in non-interactive mode B. nslookup is an interactive mode C. the output will show all mail servers in the zone somewhere.com D. The output will show all name servers in the zone somewhere.com

B, C

A machine and your environment uses an open X server to allow remote access. The X server access control is disabled, allowing for connections from almost anywhere and with little to no authentication method measures. Which of the following are true statements regarding this situation? (choose all that apply) A. an external vulnerability can take advantage of the misconfigured X-server threat. B. An external threat can take advantage of the misconfigured X-server vulnerability. C. an internal vulnerability can take advantage of the misconfigured X-server threat. D. An internal threat can take advantage of the misconfigured X-server vulnerability.

B, D

A security peer is confused about a recent incident. An attacker successfully accessed the machine in the organization and made off with some sensitive data. A full vulnerability scan was run immediately following the theft, and nothing was discovered. Which of the following best describes what may have happened? A. The attacker took advantage of a zero-day vulnerability on the machine B. the attacker performed a full rebuild of the machine after he was done C. the attacker performed a denial-of-service attack D. security measures on the device were completely disabled before the attack began

Joe accesses the company website, www.anybusi.com, from his home computer and is presented with a defaced site containing disturbing images. He calls the IT department to report the website hack and is told that they do not see any problem with the site - no files have been changed, and when access from their terminals (inside the company), the site appears normally. Joe connects over VPN into the company website and notices the site appears normally. Which of the following might explain this issue? A. DNS poisoning B. route poisoning C. SQL injection D. ARP poisoning

Which incident response phase is responsible for setting rules, identifying the workforce and rolls, and creating back up and test plans for the organization? A. Preparation B. Identification C. Containment D. Recovery

Which of the following best describes an intranet zone? A. It has few heavy security restrictions. B. A highly secured zone, usually employing VLANs and encrypted communication channels. C. A controlled buffer network between public and private networks. D. A very restricted zone with no users.

Which of the following is a detective control? A. Audit Trail B. CONOPS C. procedure D. smart card Authentication E. process

A company has a public-facing web application. It's internal internet-facing servers are separated and protected by a firewall. Which of the following choices would be helpful in protecting against unwanted enumeration? A. Allowing zone transfers to ANY B. ensuring there are no a records for internal hosts on the public-facing name server C. change the preference number on all MX records to zero D. not allowing any DNS query to the public-facing name server

Brad has done some research and determined a certain set of systems on his network fail once every 10 years. The purchase price for each of these systems is $1,200. Additionally, Brad discovers the administrators on staff, who earn $50 an hour, estimate 5 hours to replace the machine. Five employees, earning $25 an hour, depend on each system and will be completely unproductive while it is down. If you were to ask Brad for an ALE on these devices, what should he answer with? A. $2075 B. $207.50 C. $120 D. $1200

Examine the following SOA record: If a secondary server in the Enterprise is unable to check in for a zone update within an hour, what happens to the zone copy on the secondary? A. The zone copy is dumped B. the zone copy is unchanged C. the serial number of the zone copy is decremented D. the serial number of the zone copy is incremented

In which phase of the ethical hacking methodology would a hacker be expected to discover available targets on a network? A. Reconnaissance B. scanning and enumeration C. gaining access D. maintaining access E. covering tracks

In which stage of an ethical hack would the attacker actively apply tools and techniques to gather more in-depth information on targets? A. Active reconnaissance B. scanning and enumeration C. gaining D. Passive reconnaissance

Joe is a security engineer for a firm. His company downsizes, and Joe discovers he will be laid off within a short amount of time. Joe plants viruses and sets about destroying data and settings throughout the network, with no regard to being caught. What type of hacker is Joe considered to be? A. Hacktivist B. Suicide Hacker C. black hat D. script kiddie

Sally is a member of a pen test team newly hired to test a bank security. She begins searching for IP addresses the bank may own by searching public records on the internet. She also looks up news articles and job postings to discover information that may be valuable. In what phase of the pen test is Sally working? A. Preparation B. assessment C. conclusion D. reconnaissance

Which of the following best describes an effort to identify systems that are critical for continuation of operation for the organization? A. BCP B. BIA C. MTD D. DRP

Which of the following best describes the role that the U.S. Computer Security Incident Response Team (CSIRT) provides? A. Vulnerability measurement and assessments for the US Department of Defense B. a reliable and consistent point of contact for all incident response services for associates of the Department of Homeland Security C. incident response services for all internet providers D. pen test registration for public and private sector

Which of the following is a good foot printing tool for discovering information on a publicly traded companies founding, history, and financial status? A. Spiderfoot B. Edgar database C. Sam Spade D. Pipl.com

Which of the following may be a security concern for an organization? A. The internal Network uses private IP addresses registered to an active directory integrated DNS server. B. An external DNS server is active directory integrated. C. All external name resolution requests are accomplished by an ISP. D. None of the above.

(p32) From the partial email header provided, which of the following represents the true originator of the email message? A. 220.15.10.254 B. 158.190.50.254 C. 217.88.53.154 D. The email header does not show this information

An organization's leadership is concerned about social engineering and hires a company to provide training for all employees. How is the organization handling the risk associated with social engineering? A. They are accepting the risk B. they are avoiding the risk C. they are mitigating the risk D. they are transferring the risk

Elements of security include confidentiality, integrity, and availability. Which technique provides for integrity? A. Encryption B. UPS C. hashing D. passwords

What method does traceroute use to map routes traveled by a packet? A. By carrying a hello packet in the payload, forcing the host to respond B. by using DNS queries at each hop C. by manipulating the time-to-live (TTL) parameter D. by using icmp type 5, code 0 packages

Which of the following consists of a publicly-available set of databases that contain domain name registration contact information? A. IETF B. IANA C. Whois D. OSRF

Which of the following statements is true regarding the TCP three-way handshake? A. The recipient sets the initial sequence number in the second step B. The sender sets the initial sequence number in the third step C. When accepting the communications request, the recipient responds with an acknowledgement and a randomly generated sequence number in the second step D. When accepting the communications request, the recipient responds with an acknowledgement and a randomly generated sequence number in the third step

You have an FTP Service and an HTTP site on a single server. Which DNS record allows you to alias both services to the same record (IP address)? A. NS B. SOA C. CNAME D. PTR

18 Remote wipes do what (choose two). a. wipe all data off a device b. remove sensitive information such as contacts from a remote system c. factory reset a device d. insert cookies and devices

a, b. remote wipes remove data and other sensitive information from a device.

6. What could a company do to protect itself from a loss of data when a phone is stolen? (choose all that apply) a. passwords b. patching c. encryption d. remote wipe

a, c, d, A company should proactively set passwords and use encryption, as well as employ remote wipe on a mobile device in the event that it is lost or stolen.

19 A session hijack can be used against a mobile device using all of the following except? a. emails b browsers c. worms d. cookies

c worms do not cause session hijacks.

17. An attack that can be performed using FaceNiff is _____. a. infecting the client system b. infecting the server system c. inserting oneself into an active session d. inserting oneself into a web application

c. faceniff is used to take over active sessions.

3. What does rooting a device do? a. removes updates from a system b. removes access to a user c. provides root-level access to a user on a system d. increases security on a device

c. rooting is the process of increasing the amount of access a user has on an android device.

14. Session hijacking can be thwarted with which of the following? a. sandroproxy b. droidsheep c. faceniff d. psiphon

d. psiphon would provide some protection against sniffing and session hijacking.

Which of the following is a primary service of the US computer security incident response team (CSIRT)? A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide B. CSIRT provides a computer security surveillance service to supply the government with important intelligence information on individuals traveling abroad C. CSIRT provides a penetration testing service to support exception reporting on incidence worldwide by individuals and multinational corporations D. CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling and individuals property or company asset E. CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling an individual's property or company asset

Which of the following is best described as a set of processes used to identify, analyze, prioritize, and resolve security incidents? A. Incident Management B. vulnerability management C. change management D. patch management

Which of the following is defined as ensuring the enforcement of organizational security policy does not rely on voluntary user compliance by assigning sensitivity labels on information and comparing this to the level of security a user is operating at? A. Mandatory Access Control B. Authorized Access Control C. Role-based Access Control D. Discretionary Access Control

You are attempting to find out the operating system and CPU type of systems in your target organization. The DNS server you want to use for lookup is named ADNS_Server and the target machine you want the information on is the ATARGET_SYSTEM. Which of the following nslookup command series is the best choice for discovering this information? A. >server ADNS_SERVER ... >set type=HINFO >ATARGET_SYSTEM B. >server ATARGET_SYSTEM ... >set type=HINFO >ADNS_SERVER C. >server ADNS_SERVER ... >set ATARGET_SYSTEM >type=HINFO D. >server type=HINFO ... >set ADNS_SERVER >ATARGET_SYSTEM

You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that fragment identification numbers gleaned from the zombie machine or incrementing randomly. What does this mean? A. Your IDLE scan results will not be useful to you B. the zombie system is a Honeypot C. there is a misbehaving firewall between you and the zombie machine D. this is an expected result during an IDLE scan

Your client's business is headquartered in Japan. Which Regional registry would be the best place to look for footprinting information? A. APNIC B. RIPE C. ASIANIC D. ARIN E. LACNIC

Your company has a document that spells out exactly what employees are allowed to do on their computer systems. It also defines what is prohibited and what consequences await those who break the rules. A copy of this document is fine by all employees prior to their network access. Which of the following best describes this policy? A. Information security policy B. special access policy C. information audit policy D. network connection policy

Which of the following are passive footprinting methods? (choose all that apply) A. checking DNS replies for Network mapping purposes B. collecting information through publicly-accessible sources C. performing a ping sweep against the network range D. sniffing Network traffic through a network tap

A, B

A zone file consists of which records? (choose all that apply) A. PTR B. MX C. SN D. SOA E. DNS F. A G. AX

A, B, D, F

Your team is hired to test a business named Matt's Bait 'n' Tackle Shop (domain name mattsBTshop.com). A team member runs into the following command: metagoofil -d mattsBTshop.com -t doc,docx -1 50 -n 20 -f results.html Which of the following best describes what the team member is attempting to do? A. Extracting metadata info from web pages in mattsBTshop.com, outputting results in Microsoft Word format B. Extracting metadata info from the results.html page in mattsBTshop.com, outputting results in Microsoft Word format C. extracting metadata info from Microsoft Word documents found in masttsBTshop.com, outputting results in an HTML file D. uploading results.html as a macro attachment to any Microsoft Word documents found in mattsBTshop.com

A colleague enters the following into a Google search string: intitle:intranet inurl:intranet intext:"finance" Which of the following statements is most correct concerning this attempt? A. The search engine will not respond with any result because you cannot combine Google hacks in one line. B. The search engine will respond with all pages having the word intranet in their title and Finance in the URL C. the search engine will respond with all pages having the word intranet in the title and in the URL D. the search engine will respond with only those pages having the word internet in the title and URL and with Finance in the text

A pen tester is attempting to use nslookup and has the tool in interactive mode for the search. Which command should be used to request the appropriate records? A.request type=ns B. transfer type=ns C. locate type=ns D. set type=ns

Amanda works as a senior security analyst and overhears a colleague discussing confidential corporate information being posted on an external website. When questioned on it, he claims about a month ago he tried random URLs on the company's website and found confidential information. Amanda visits the same URLs but finds nothing. Where can a man go to see past versions and pages of a website? A. Search.com B. Google cache C. pasthash.com D. archive.org

During an assessment, your pen test team discovered child porn on a system. Which of the following is the appropriate response? A. Continue testing and report findings at the outbrief. B. Continue testing but report findings to the business owners. C. Cease testing immediately and refused to continue to work for the client. D. Cease testing immediately and contact authorities.

In which phase of the attack would a hacker set up and configure "zombie" machines? A. Reconnaissance B. covering tracks C. gaining access D. maintaining access

Two hackers attempt to crack a company's network resource security. One is considered an ethical hacker, whereas the other is not. What distinguishes the ethical hacker from the cracker? A. The cracker always attempts white-box testing B. the ethical hacker always attempts Black Box testing C. the cracker posts results to the internet D. the ethical hacker always obtains written permission before testing

When an attack by a hacker is politically motivated, the hacker is said to be participating in which of the following? A. Black hat hacking B. grey box attacks C. gray hat attack D. hacktivism

Which Google Hack would display all pages that have the words SQL and Version in their titles? A. inurl:SQL inurl:version B. allinurl:SQL version C. intitle:SQL inurl:version D. allintitle: SQL version

Which of the following was created to protect credit card data at rest and in transit in an effort to reduce fraud? A. TCSEC B. common criteria C. ISO 27002 D. PCI-DSS

Within the OSRframework, which tool verifies if a username/profile exists in up to 306 different platforms? A. domainfy.py B. mailfy.py C. searchfy.py D. usufy.py

You are on a Cisco router and want to identify the path a packet travels to a specific IP. Which of the following is the best command choice for this? A. ping B. ifconfig C. tracert D. traceroute

Your network contains certain servers that typically fail once every five years. The total cost of one of these servers is $1,000. Server technicians are paid $40 per hour, and a typical replacement requires two hours. 10 employees, earning an average of $20 per hour, rely on the servers, and even one of them going down puts the whole group in a wait state until it's brought back up. Which of the following represents the ARO for the server? A. $296 B. $1,480 C. $1,000 D. 0.20

CEH All Chapters Practice Questions

Ensembles d'études connexes

Science Topic 3 Lesson 3

Classroom management

MGMT

Chapter 3

chem review quiz 6

Chapter 19 section 1 - Europeans Explore the East

Project Management Exam 1 practice

SPM Speaking - Pros and Cons of Working Part Time as a Student

NUR415 Remediation Qs (Session 1- Bleeding & Cardiovascular)

French Final Exam study guide

MGMT 3080 Test 2

Macroeconomics 1040 Final Exam pt.2

THE SPECIAL SENSES

Hematology & Immunology Peds NCLEX ?'s

Chapter 14: Perioperative Care

Musculoskeletal Trauma and Orthopedic Surgery

Ch. 27: Restoring ADLs

MGT4000 Exam 2 Prep

Astro 20 Chapter 11

Energetics