CEH - Part 1
Scanning
A Certified Ethical Hacker (CEH) follows a specific methodology for testing a system. Which step comes after footprinting in the CEH methodology?
A multihomed firewall
A DMZ is created with which of the following?
Synchronize server information
A DNS zone transfer is used to do which of the following?
SSL
A POODLE attack targets what exactly?
RAT
A Trojan can include which of the following?
Social engineering
A Trojan relies on __________ to be activated.
Capture the WPA2 authentication traffic and crack the key.
A WPA2 wireless network is discovered during a pen test. Which of the following methods is the best way to crack the network key?
SAM
A __________ is a file used to store passwords.
Rainbow attack
A __________ is a type of offline attack.
NULL session
A __________ is used to connect to a remote system using NetBIOS.
Hash
A __________ is used to represent a password.
Bollard
A ____________ is used to prevent cars from ramming a building.
Identify a service
A banner can do what?
Error messages are not available.
A blind SQL injection attack is used when which of the following is true?
Private network
A closed network is typically which of the following?
LaaS
A cloud environment can be in which of the following configurations except?
Networks
A cloud-based firewall is used to separate which of the following?
Buffer overflow
A common attack against web servers and web applications is __________.
Gives proof
A contract is important because it does what?
An SDK
A covert channel or backdoor may be detected using all of the following except __________.
LOIC
A denial of service application for Android is __________.
Networks
A firewall is used to separate which of the following?
A half-open does not include the final ACK.
A full-open scan means that the three-way handshake has been completed. What is the difference between this and a half-open scan?
Complex passwords
A good defense against password guessing is __________.
Collision
A hacker feeds plain-text files into a hash, eventually finding two or more that create the same fixed-value hash result. This anomaly is known as what?
Attract victims to connect to it.
A honeyspot is designed to do what?
Two
A logic bomb has how many parts, typically?
Time and date Actions Events
A logic bomb is activated by which of the following?
An external threat can take advantage of the misconfigured X-server vulnerability. An internal threat can take advantage of the misconfigured X-server vulnerability.
A machine in your environment uses an open X-server to allow remote access. The X-server access control is disabled, allowing connections from almost anywhere and with little to no authentication measures. Which of the following are true statements regarding this situation? (Choose all that apply.)
Smishing
A man receives a text message on his phone purporting to be from Technical Services. The text advises of a security breach and provides a web link and phone number to follow up on. When the man calls the number, he turns over sensitive information. Which social engineering attack was this?
Anti-virus
A man-in-the-browser attack delivered by a piece of malware can be prevented by which of the following?
Trojans
A man-in-the-browser attack is typically enabled by using which mechanism?
Insert themselves into an active session
A man-in-the-middle attack is an attack where the attacking party does which of the following?
nmap -A IPAddress
A member of your team enters the following command: nmap -sV -sC -O -traceroute IPAddress Which of the following nmap commands performs the same task?
Hashing
A message digest is a product of which kind of algorithm?
Insertion
A method for overwhelming an IDS using packets with incorrect TTL values or flags is known as what?
winpcap
A pen tester is configuring a Windows laptop for a test. In setting up Wireshark, what driver and library are required to allow the NIC to work in promiscuous mode?
Gaining access
A penetration test usually has three phases: preparation, conducting, and conclusion. The most crucial phase of a penetration test, the phase in which you conduct the test, consists of five stages. What is the third stage?
Evades detection through rewriting itself
A polymorphic virus __________.
URL embedding
A public use workstation contains the browsing history of multiple users who logged in during the last seven days. While digging through the history, a user runs across the following web address: www.snaz22enu.com/&w25/session=22525. What kind of embedding are you seeing?
Security examination
A quantitative risk analysis involves the measurement and statistical evaluation of all the elements of risk analysis. What step is usually performed before conducting a quantitative risk analysis? Choose the best option(s) from those listed below.
Sniff traffic
A remote access Trojan would be used to do all of the following except __________.
The attacker is attempting LDAP injection.
A security administrator monitoring logs comes across a user login attempt that reads UserJoe)(&). What can you infer from this username login attempt?
XSS
A security administrator sets the HttpOnly flag in cookies. Which of the following is he most likely attempting to mitigate against?
Tailgating
A security camera picks up someone who doesn't work at the company following closely behind an employee while they enter the building. What type of attack is taking place?
The attacker took advantage of a zero-day vulnerability on the machine.
A security peer is confused about a recent incident. An attacker successfully accessed a machine in the organization and made off with some sensitive data. A full vulnerability scan was run immediately following the theft, and nothing was discovered. Which of the following best describes what may have happened?
Social engineering
A security staff is preparing for a security audit and wants to know if additional security training for the end user would be beneficial. Which of the following methods would be the best option for testing the effectiveness of user training in the environment?
Ensure that any remaining risk is residual or low and accept the risk.
A security team is implementing various security controls across the organization. After several configurations and applications, a final agreed-on set of security controls are put into place; however, not all risks are mitigated by the controls. Of the following, which is the next best step?
Cookies and devices
A session hijack can be initiated from all of the following except which one?
Worms
A session hijack can be used against a mobile device using all of the following except?
Networks and applications
A session hijack can happen with which of the following?
Infects files selectively
A sparse infector virus __________.
Two-factor authentication
A user on Joe's network does not need to remember a long password. Users on Joe's network log in using a token and a four-digit PIN. Which authentication measure best describes this?
WPScan
A utility for auditing WordPress from Android is __________.
Display pop-ups
A virus does not do which of the following?
Find open ports Find weaknesses
A vulnerability scan is a good way to do what?
Complete knowledge
A white-box test means the tester has which of the following?
NTFS
ADS requires what to be present?
Mandatory access control
Access control models are used as part of the overall security model to specify how users access objects. Each access control model is designed to be used in a specific environment and is administered based on the needs of that environment. Which access control model is designed to be used by organizations that work with highly classified data?
Push and pop
Adding to and removing from a program stack are known as what?
Assist in the sniffing of wireless traffic.
AirPcap is used to do which of the following?
Evade an NIDS
Altering a checksum of a packet can be used to do what?
Evade an NIDS.
Altering a checksum of a packet can be used to do what?
NTFS
Alternate Data Streams are supported in which file systems?
IaaS
Amazon's EC2 provides virtual machines that can be controlled through a service API. Which of the following best defines this service?
Host
An HIDS is used to monitor activity on which of the following?
Anomaly based
An IDS installed on the network perimeter sees a spike in traffic during off-duty hours and begins logging and alerting. Which type of IDS is in place?
Packet sniffing
An NIDS is based on technology similar to which of the following?
Identify a network.
An SSID is used to do which of the following?
IDS
An administrator has just been notified of irregular network activity; what appliance functions in this manner?
Deviations from known traffic patterns
An anomaly-based NIDS is designed to look for what?
PaaS
An application would be developed on what type of cloud service?
Inserting oneself into an active session
An attack that can be performed using FaceNiff is __________.
NetBIOS
An attacker can use __________ to enumerate users on a system.
Backdoor
An attacker can use a(n) __________ to return to a system.
Name-dropping
An attacker can use which technique to influence a victim?
Tailgating
An attacker creates a fake ID badge and waits next to an entry door to a secured facility. An authorized user swipes a key card and opens the door. Jim follows the user inside. Which social engineering attack is in play here?
start readme.txt:badfile.exe
An attacker has hidden badfile.exe in the readme.txt file. Which of the following is the correct command to execute the file?
Shoulder surfing
An attacker has physical access to a building and wants to attain access credentials to the network using nontechnical means. Which of the following social engineering attacks is the best option?
The packet capture will provide the MAC addresses of other machines connected to the switch. The packet capture will display all traffic intended for the laptop.
An attacker has successfully connected a laptop to a switch port and turned on a sniffer. The NIC is running in promiscuous mode, and the laptop is left alone for a few hours to capture traffic. Which of the following statements are true? (Choose all that apply.)
Spear phishing
An attacker performs a Whois search against a target organization and discovers the technical point of contact (POC) and site ownership e-mail addresses. He then crafts an e-mail to the owner from the technical POC, with instructions to click a link to see web statistics for the site. Instead, the link goes to a fake site where credentials are stolen. Which attack has taken place?
Heartbleed
An attacker uses a Metasploit auxiliary exploit to send a series of small messages to a server at regular intervals. The server responds with 64 bytes of data from its memory. Which of the following best describes the attack being used?
The port is filtered at the firewall.
An ethical hacker is ACK-scanning against a network segment he knows is sitting behind a stateful firewall. If a scan packet receives no response, what does that indicate?
A white hat is attempting a black-box test.
An ethical hacker is given no prior knowledge of the network and has a specific framework in which to work. The agreement specifies boundaries, nondisclosure agreements, and a completion date definition. Which of the following statements is true?
A white hat is attempting a black-box test.
An ethical hacker is hired to test the security of a business network. The CEH is given no prior knowledge of the network and has a specific framework in which to work, defining boundaries, nondisclosure agreements, and the completion date. Which of the following is a true statement?
Stealth
An ethical hacker is sending TCP packets to a machine with the SYN flag set. None of the SYN/ACK responses on open ports is being answered. Which type of port scan is this?
Source routing
An ethical hacker sends a packet with a deliberate and specific path to its destination. What technique is the hacker using?
It uses a shared key for encryption.
An organization has decided upon AES with a 256-bit key to secure data exchange. What is the primary consideration for this?
An obvious method of using a system
An overt channel is __________.
Linux
Android is based on which operating system?
Passive
As a pen test team member, you begin searching for IP ranges owned by the target organization and discover their network range. You also read job postings and news articles and visit the organization's website. Throughout the first week of the test, you also observe when employees come to and leave work, and you rummage through the trash outside the building for useful information. Which type of footprinting are you accomplishing?
Ensure the company specifies what areas you are required to test. Do not reveal any company information to a third party.
As an ethical hacker, you are required to breach a system's security and attempt to access sensitive data. Although these actions are performed with a company's knowledge, you need to ensure that you will not be held liable for any actions you perform as part of your duties. This would also include any consequences, such as damage to a system, that result from testing. In which ways can you protect yourself when performing ethical hacking?
Privacy Act
As part of a pen test on a U.S. government system, you discover files containing Social Security numbers and other sensitive personally identifiable information (PII) information. You are asked about controls placed on the dissemination of this information. Which of the following acts should you check?
Gray box
As part of the preparation phase for a pen test you are participating in, the client relays their intent to discover security flaws and possible remediation. They seem particularly concerned about internal threats from the user base. Which of the following best describes the test type the client is looking for?
Layer 3
At which layer of the OSI model does a packet-filtering firewall work?
Application
At which layer of the OSI model does a proxy operate?
Layer 3 Layer 4
At which layer of the OSI model would you expect a cloud based solution to operate at?
operational
Background checks on employees, risk assessments on devices, and policies regarding key management and storage are examples of __________ measures within physical security.
Sending unsolicited messages
Bluejacking is a means of which of the following?
Read information from a device.
Bluesnarfing is used to perform what type of attack?
Reverse social engineering
Bob decides to employ social engineering during part of his pen test. He sends an unsolicited e-mail to several users on the network advising them of potential network problems and provides a phone number to call. Later that day, Bob performs a DoS on a network segment and then receives phone calls from users asking for assistance. Which social engineering practice is in play here?
MAC flooding
Bob is attempting to sniff a wired network in his first pen test contract. He sees only traffic from the segment he is connected to. What can Bob do to gather all switch traffic?
$207.50
Brad has done some research and determined a certain set of systems on his network fail once every ten years. The purchase price for each of these systems is $1200. Additionally, Brad discovers the administrators on staff, who earn $50 an hour, estimate five hours to replace a machine. Five employees, earning $25 an hour, depend on each system and will be completely unproductive while it is down. If you were to ask Brad for an ALE on these devices, what should he answer with?
Hidden fields
Browsers do not display __________.
They are effective risk management tools.
Business intelligence tools can be used to collect and analyze data and present information in a way that allows business to easily process information and data. This enables a more informed decision-making capability within the organization. How can business intelligence tools be used to enhance an organization's information security?
Application firewall
Choosing a protective network appliance, you want a device that will inspect packets at the most granular level possible while providing improved traffic efficiency. What appliance would satisfy these requirements?
Increase management options Offload operations onto a third party Cut costs
Cloud technologies are used to accomplish which of the following?
Legal reasons Regulatory reasons To perform an audit
Companies may require a penetration test for which of the following reasons?
Chosen plaintext attack
Consider an attack in which the attacker already has access to the encryption algorithm. Using the algorithm, they encrypt plaintext and then examine the resulting ciphertext to see how it was encrypted. This is an example of which type of cryptanalytic attack?
Integrity Authentication
Cryptography is the conversion of data into a scrambled code that can be decrypted by the intended recipient. This allows data to remain confidential when sent across a private or public network. Cryptography can be used to protect confidential data such as email messages, chat sessions, web transactions, personal data, and corporate data. In addition to confidentiality, what other objectives can cryptography meet?
Configuration
Databases can be a victim of code exploits depending on which of the following?
Employ robust key management Deploy IPS
Defense in depth is a philosophy that is used to help protect information systems in complex environments. Which of the following are defense in depth principles? Choose the best option(s) from those listed below.
102 through 104
During a TCP data exchange, the client has offered a sequence number of 100, and the server has offered 500. During acknowledgments, the packet shows 101 and 501, respectively, as the agreed-upon sequence numbers. With a window size of 5, which sequence numbers would the server willingly accept as part of this session?
RST
During a Xmas tree scan what indicates a port is closed?
RST
During an FIN scan, what indicates that a port is closed?
The phone number is publicly available.
During an assessment you discovered that the target company was using a fax machine. Which of the following is the least important?
Cease testing immediately and contact authorities.
During an assessment, your pen test team discovers child porn on a system. Which of the following is the appropriate response?
Hashing
Elements of security include confidentiality, integrity, and availability. Which technique provides for integrity?
FISMA
Enacted in 2002, this U.S. law requires every Federal agency to implement information security programs, including significant reporting on compliance and accreditation. Which of the following is the best choice for this definition?
Ports
Enumeration does not uncover which of the following pieces of information?
Passwords Usernames
Enumeration is useful to system hacking because it provides __________.
Usernames
Enumeration is useful to system hacking because it provides which of the following?
The server was compromised by an attacker.
Examining a database server during routine maintenance you discover an hour of time missing from the log file, during what would otherwise be normal operating hours. Further investigation reveals no user complaints on accessibility. Which of the following is the most likely explanation?
Analyze a firewall.
Firewalking is done to accomplish which of the following?
Distribution and number of personnel
Footprinting can determine all of the following except __________?
Active and passive
Footprinting has two phases. What are they?
8
For a fence to deter a determined intruder, it should be at least how many feet tall?
EAL
Four terms make up the Common Criteria process. Which of the following contains seven levels used to rate the target?
False rejection rate
Frequency of type 2 errors is also known as what?
SaaS
Google Docs and Salesforce CRM are two examples of which cloud computing model?
Hacktivists
Groups and individuals who hack systems based on principle or personal beliefs are known as ___________.
Hacktivists
Groups and individuals who may hack a web server or web application based on principle or personal beliefs are known as __________.
80
HTTP is typically open on which port in a firewall?
443
HTTPS is typically open on which port in a cloud based firewall?
Tripwire is a file-integrity-checking application that notifies you when a system file has been altered, potentially indicating malware.
How does Tripwire (and programs like it) help against Trojan attacks?
By exhausting memory by caching the fragments
How does a fragmentation attack, which takes a packet, breaks it into fragments, and sends only some of the fragments to the target, cause a DoS?
By trying all possible combinations of characters
How is a brute-force attack performed?
With no knowledge
How is black-box testing performed?
nc -l -p 192.168.1.1
How would you use Netcat to set up a server on a system?
Layer 1
Hubs operate at what layer of the OSI model?
Habits
Human beings tend to follow set patterns and behaviors known as __________.
Anti-replay
IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides encryption and authentication services while creating VPN services through an IP network. Why does IPSec read packet sequence numbers?
AH/ESP
IPsec uses which two modes?
Layer 2
If a device is using node MAC addresses to funnel traffic, what layer of the OSI model is this device working in?
NTLMv2
If a domain controller is not present, what can be used instead?
Competitive analysis
If you can't gain enough information directly from a target, what is another option?
White hat
If you have been contracted to perform an attack against a target system, you are what type of hacker?
Separation of duties
Implementing cloud computing provides many benefits. Which of the following is the best choice of a security principle applicable to implementing cloud security?
Level 3
In IPsec, encryption and other processes happen at which layer of the OSI model?
Authentication services
In IPsec, what does Authentication Header (AH) provide?
Data security
In IPsec, what does Encapsulating Security Payload (ESP) provide?
Internet Relay Chat (IRC)
In a DDoS attack, what communications channel is commonly used to orchestrate the attack?
Hierarchical
In addition to relational databases, there is also what kind of database?
As a duplicate of a real system
In practice a honeypot will be configured how?
Keep an attacker's origin hidden
In social engineering a proxy is used to __________.
Cloud consumer
In the NIST Cloud Computing Reference Architecture, which component acquires and uses cloud products and services?
Cloud broker
In the NIST Cloud Computing Reference Architecture, which component acts to manage use, performance, and delivery of cloud services, as well as the relationships between providers and subscribers?
Cloud carrier
In the NIST Cloud Computing Reference Architecture, which of the following has the responsibility of transmitting the data?
To provide better protection
In the field of IT security, the concept of defense in depth is layering more than one control on another. Why would this be helpful in the defense of a system of session-hijacking?
To provide better protection
In the field of IT security, the concept of defense in depth is the layering of more than one control on another. Why is this?
You want to filter Internet traffic for internal systems.
In what situation would you employ a proxy server? (Choose the best answer.)
Executive summary A list of findings from the test The names of all the participants
In which of the following would you find in a final report from a full penetration test? (Choose all that apply.)
Pre-attack
In which phase of a penetration test is scanning performed?
Maintaining access
In which phase of the attack would a hacker set up and configure "zombie" machines?
Scanning and enumeration
In which phase of the ethical hacking methodology would a hacker be expected to discover available targets on a network?
Scanning and enumeration
In which stage of an ethical hack would the attacker actively apply tools and techniques to gather more in-depth information on the targets?
Bad input SQL injection
Input validation is used to prevent which of the following?
/sbin
It is important to understand the directory structure for the Linux operating system. This information will provide some insight as to where important files are stored. Which directory in the Linux file system would most likely contain executable files that run at root-level?
Acquiring root access on a device
Jailbreaking a phone refers to what?
Phishing
Janet receives an email enticing her to click a link. But when she clicks this link she is taken to a website for her bank, asking her to reset her account info. However, Janet noticed that the bank is not hers and the website is not for her bank. What type of attack is this?
Implement ingress filtering.
Jason is the local network administrator who has been tasked with securing the network from possible DoS attacks. Within the last few weeks, some traffic logs appear to have internal clients making requests from outside the internal LAN. Based on the traffic Jason has been seeing, what action should he take?
Identity theft
Jason notices that he is receiving mail, phone calls, and other requests for information. He has also noticed some problems with his credit checks such as bad debts and loans he did not participate in. What type of attack did Jason become a victim of?
Identity theft
Jason receives notices that he has unauthorized charges on his credit card account. What type of attack is Jason a victim of?
Passive
Jennifer has been working with sniffing and session-hijacking tools on her company network. Since she wants to stay white hat—that is, ethical—she has gotten permission to undertake these activities. What would Jennifer's activities be categorized as?
DroidSheep
Jennifer has captured the following URL: www.snaz22enu.com/&w25/session=22525. She realizes that she can perform a session hijack. Which utility would she use?
ARP poisoning
Jennifer is a junior system administrator for a small firm of 50 employees. For the last week a few users have been complaining of losing connectivity intermittently with no suspect behavior on their part such as large downloads or intensive processes. Jennifer runs Wireshark on Monday morning to investigate. She sees a large amount of ARP broadcasts being sent at a fairly constant rate. What is Jennifer most likely seeing?
SSH
Jennifer is a system administrator who is researching a technology that will secure network traffic from potential sniffing by unauthorized machines. Jennifer is not concerned with the future impact on legitimate troubleshooting. What technology can Jennifer implement?
SandroProxy
Jennifer is concerned about her scans being tracked back to her tablet. What could she use to hide the source of the scans?
tcpdump -r capture.log
Jennifer is using tcpdump to capture traffic on her network. She would like to review a capture log gathered previously. What command can Jennifer use?
tcpdump -w capture.log
Jennifer is using tcpdump to capture traffic on her network. She would like to save the capture for later review. What command can Jennifer use?
Phishing
Jennifer receives an email claiming that her bank account information has been lost and that she needs to click a link to update the bank's database. However, she doesn't recognize the bank, because it is not one she does business with. What type of attack is she being presented with?
Known plain text
Joe and Bob are both ethical hackers and have gained access to a folder. Joe has several encrypted files from the folder, and Bob has found one of them unencrypted. Which of the following is the best attack vector for them to follow?
Suicide hacker
Joe is a security engineer for a firm. His company downsizes, and Joe discovers he will be laid off within a short amount of time. Joe plants viruses and sets about destroying data and settings throughout the network, with no regard to being caught. Which type of hacker is Joe considered to be?
internal, black box
Joe is part of a penetration test team and is starting a test. The client has provided him a system on one of their subnets but did not provide any authentication information, network diagrams, or other notable data concerning the systems. Which type of test is Joe performing?
Blind hijacking
Julie has sniffed an ample amount of traffic between the targeted victim and an authenticated resource. She has been able to correctly guess the packet sequence numbers and inject packets, but she is unable to receive any of the responses. What does this scenario define?
Query a database
LDAP is used to perform which function?
physical
Lighting, locks, fences, and guards are all examples of __________ measures within physical security.
A pick and a tension wrench
Lock-pick sets typically contain which of the following at a minimum?
A reverse ARP request maps to two hosts.
MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client?
The ARP cache of Machine B would need to be poisoned, changing the entry for the default gateway to 00-01-02-AA-BB-CC.
Machine A (with MAC address 00-01-02-AA-BB-CC) and Machine B (00-01-02-BB-CC-DD) are on the same subnet. Machine C, with address 00-01-02-CC-DD-EE, is on a different subnet. While the attacker is sniffing on the fully switched network, Machine B sends a message to Machine C. If an attacker on Machine A wanted to receive a copy of this message, which of the following circumstances would be necessary?
Capture information about wireless networks.
Monitor mode is used by wireless cards to do what?
Three
Multihomed firewall has a minimum of how many network connections?
Security
NTLM provides what benefit versus LM?
Test firewalls. Craft packets.
NetCut is used to do what? (Choose two.)
Stealing session IDs
Network-level hijacking focuses on the mechanics of a connection such as the manipulation of packet sequencing. What is the main focus of web app session hijacking?
Collision domain
On a switch, each switchport represents a ____________.
LM
On newer Windows systems, what hashing mechanism is disabled?
Risk mitigation
Once a risk analysis has been completed, the organization must decide how to handle the risk. Total and residual risk may be handled in one of four ways. Which response is a company taking if it uses strong access controls to protect its trade secrets? Choose the best option(s) from those listed below.
Passive OS fingerprinting
One of your team members is analyzing TTL fields and TCP window sizes in order to fingerprint the OS of a target. Which of the following is most likely being attempted?
Implement MDM.
Operations promotes the use of mobile devices in the enterprise. Security disagrees, noting multiple risks involved in adding mobile devices to the network. Which of the following provides some protections against the risks security is concerned about?
They are mitigating the risk.
Organization leadership is concerned about social engineering and hires a company to provide training for all employees. How is the organization handling the risk associated with social engineering?
Deadman doors
Organizations should have proper physical controls in place to safeguard against physical access exposures. One such exposure is the entry point to the information processing facility. Which physical controls would provide the best protection against piggybacking? Choose the best option(s) from those listed below.
Footprinting
Penetration testing entails scanning, footprinting, enumerating, and fingerprinting. Each of these activities focuses on obtaining different information that can be used to attack a target. What is considered to be a passive activity that hackers employ to gather as much information about a target network as possible, including locating the IP address range in use?
Spam filtering Education
Phishing can be mitigated through the use of __________.
Ensure e-mail is from a trusted, legitimate e-mail address source. Verify spelling and grammar is correct. Verify all links before clicking them.
Phishing e-mail attacks have caused severe harm to a company. The security office decides to provide training to all users in phishing prevention. Which of the following are true statements regarding identification of phishing attempts? (Choose all that apply.)
Phishing takes place using __________.
Computer based
Phishing, pop-ups, and IRC channel use are all examples of which type of social engineering attack?
Tailgating
Physical security can prevent which of the following?
53 TCP
Port number __________ is used by DNS for zone transfers.
25
Port number __________ is used for SMTP
Operating system exploits
Proper input validation can prevent what from occurring?
RC4 uses block encryption.
RC4 is a simple, fast encryption cipher. Which of the following is not true regarding RC4?
RC4
RSA is a widely used Internet encryption and authentication system that is considered one of the de-facto encryption standards. It provides encryption by using modular arithmetic and elementary number theories to perform computations using two large prime numbers. Which encryption algorithm used by RSA uses a variable key-size stream cipher to accomplish this?
Wipe all data off a device. Remove sensitive information such as contacts from a remote system.
Remote wipes do what? (Choose two.)
Send email messages
SMTP is used to perform which function?
Monitor network devices
SNMP is used to do which of the following?
Trap messages
SNMP is used to perform which function in relation to hardware?
SMNP
SNScan is used to access information for which protocol?
XML
SOAP is used to package and exchange information for web services. What does SOAP use to format this information?
Enable communication between applications
SOAP is used to perform what function?
Databases
SQL injection attacks are aimed at which of the following?
Securing transmitted data
SSL is a mechanism for which of the following?
Software hosting
SaaS is a cloud hosting environment that offers what?
Assessment
Sally is a member of a pen test team newly hired to test a bank's security. She begins searching for IP addresses the bank may own by searching public records on the Internet. She also looks up news articles and job postings to discover information that may be valuable. What phase of the pen test is Sally working?
Web applications
Session fixation is a vulnerability in which of the following?
IPsec
Session hijacking can be performed on all of the following protocols except which one?
Authentication
Session hijacking can be thwarted with which of the following?
Psiphon
Session hijacking can be thwarted with which of the following?
Place a cookie on a server
Session hijacking can do all of the following except which one?
SSL
Several cryptography techniques are available to help protect information that is being sent across an unsecure network, such as the Internet. Many of the techniques available provide different security functions, and therefore, they are best suited for certain aspects of protecting information. Which cryptography technique is designed to provide a means of transmitting individual messages securely across the Internet?
Biometrics Smartcards
Several methods can be used to guess user passwords, such as dictionary, hybrid, and brute-force attacks. Therefore, it is important to put measures in place to prevent password guessing attacks from allowing an attacker to access user accounts. This helps prevent attackers from compromising user accounts and accessing sensitive data. What technical access control methods can be added to defend against password guessing?
Graham-Denning model
Several security models have been created over the years to address the different security needs of organizations. While there are some similarities within the models, each of them focuses on different aspects of protecting resources. Which security model focuses on controlling how a subject can access and manipulate objects, such as how they can create and delete an object?
Technical Administrative Physical
Social engineering can be thwarted using what kinds of controls?
Phishing
Social engineering can be used to carry out email campaigns known as __________.
Viruses
Social engineering can use all the following except __________.
Manipulate human behavior
Social engineering is designed to __________.
Technology People Human nature Physical
Social engineering preys on many weaknesses, including __________.
14
Subnetting is used to logically divide an IP network range into multiple smaller networks. It is important to know how many hosts are contained within subnets when creating a network map. How many hosts can be contained in the 192.168.0.0/28 subnet?
Shared key cryptography
Symmetric cryptography is also known as __________.
Number of keys
Symmetric key systems have key distribution problems due to __________.
SOA
The Domain Name Service (DNS) is used to resolve domain names to IP addresses. An attacker can gather DNS information to determine key information about network hosts. For example, this information can be used to identify the location and type of servers in use. Which DNS resource record type can be used by a hacker to identify the primary name server for the DNS zone?
A medical record containing a patient's Social Security Number. A birth date, requested verbally from a patient, to confirm the individual's identity. Medical record numbers used in place of patient names on treatment histories
The Health Insurance Portability and Accountability Act (HIPAA) impose strict standards related to the privacy of individually identifiable health information. Specifically, these standards are contained in the HIPAA Privacy Rule. Under the HIPAA Privacy Rule, which examples of information would be considered protected health information (PHI)? Choose the best option(s) from those listed below.
View archived versions of websites
The Wayback Machine is used to do which of the following?
Archived versions of websites
The Wayback Machine would be useful in viewing what type of information relating to a web application?
The attacker has copied the source code to his machine and altered hidden fields to modify the purchase price of the items.
The accounting department of a business notices several orders that seem to have been made erroneously. In researching the concern, you discover it appears the prices of items on several web orders do not match the listed prices on the public site. You verify the web server and the ordering database do not seem to have been compromised. Additionally, no alerts have displayed in the Snort logs concerning a possible attack on the web application. Which of the following might explain the attack in play?
Tcpdump
The command-line equivalent of WinDump is known as what?
OCTAVE
The first step in performing a risk assessment is to identify vulnerabilities. Several methods have been developed to be used as the basis for assessing an organization's security posture. Which information security risk assessment methodology is made up of a suite of tools and focuses on the principle of self-direction? Choose the best option(s) from those listed below.
Keys are automatically destroyed when subject to forcible disclosure Key integrity can be protected by the integrity of the storage mechanism
The keys in a public key infrastructure (PKI) need to be protected to maintain the authenticity of data. The keys can be modified, corrupted, or given away to unauthorized people. For this reason, PKI has to address various security issues related to confidentiality, integrity, authentication, and nonrepudiation. In which ways can storage mechanisms safeguard key integrity?
LIFO
The stack operates on _______ a basis.
Locating wireless networks
The wardriving process involves which of the following?
Three
There are how many different types of cloud hosting environments?
To contain the incident and repair the damage as quickly as possible
There are many types of threats that face a computer network and a variety of different ways to deal with each threat. One method of handling threats is to implement and define an incident handling process. What is the primary goal of the incident handling process? Choose the best option(s) from those listed below.
Nmap
There are several tools available that can be used to help test network security. Scanning the network to identify unnecessary open ports is essential to ensure hackers are not able to use them to their advantage. Which tool can be used for port scanning?
Vulnerability assessment Security audit
There are various types of tests that you can use to assess an information system's security. Which tests are least likely to disrupt business operations?
139
Tiffany is analyzing a capture from a client's network. She is particularly interested in NetBIOS traffic. What port does Tiffany filter for?
Phishing Tailgating/piggybacking
Training and education of end users can be used to prevent __________.
Cross-certification
Two different organizations have their own public key infrastructure up and running. When the two companies merged, security personnel wanted both PKIs to validate certificates from each other. What must the CAs for both companies establish to accomplish this?
The ethical hacker always obtains written permission before testing.
Two hackers attempt to crack a company's network resource security. One is considered an ethical hacker, whereas the other is not. What distinguishes the ethical hacker from the "cracker"?
Validate an email address
VRFY is used to do which of the following?
Retina
Vulnerabilities are weaknesses in operating systems, and applications running on them, that make them susceptible to attacks. As such, locating vulnerabilities on devices attached to the network is a very important part of securing the network environment. Which tool can be used to scan the hosts on a network for vulnerabilities?
Passively uncovering vulnerabilities
Vulnerability research deals with which of the following?
Wired networks
WEP is designed to offer security comparable to which of the following?
Make others aware of a wireless network.
Warchalking is used to do which of the following?
Provide dynamic content
Web applications are used to __________.
Rapid replication
What are worms typically known for?
Success of an attack Failure of an attack Structure of a database
What can an error message tell an attacker?
IP address
What can be used instead of a URL to evade some firewalls used to protect a cloud based web application?
IP address
What can be used instead of a URL to evade some firewalls?
netstat -an
What command is used to listen to open ports with netstat?
hping3
What command-line utility can you use to craft custom packets with specific flags set?
Cain & Abel
What common tool can be used for launching an ARP poisoning attack?
Passwords Encryption Remote wipe
What could a company do to protect itself from a loss of data when a phone is stolen? (Choose all that apply.)
Logs
What could be used to monitor application errors and violations on a web server or application?
Hub
What device will neither limit the flow of traffic nor have an impact on the effectiveness of sniffing?
Target of evaluation
What does TOE stand for?
Integrity
What does hashing preserve in relation to data?
Provides root-level access to a user on a system
What does rooting a device do?
Ports
What does the enumeration phase not discover?
SYN/ACK
What flag or flags are sent in the segment during the second step of the TCP three-way handshake?
Network SSID MAC address of the AP
What information is required in order to attempt to crack a WEP AP? (Choose two.)
Check financial filings
What is EDGAR used to do?
To hide the process of scanning
What is Tor used for?
A key entered into each client
What is a PSK?
Ad hoc
What is a client-to-client wireless connection called?
A backdoor
What is a covert channel?
A false ceiling
What is a drop ceiling?
An access point not managed by a company
What is a rogue access point?
LOIC
What is a single-button DDoS tool suspected to be used by groups such as Anonymous?
Bastion host
What is a system used as a chokepoint for traffic?
Cipher lock
What is a type of combination lock?
A way to reveal vulnerabilities
What is a vulnerability scan designed to provide to those executing it?
Identify a user
What is an SID used to do?
Targa
What is an eight-in-one DoS tool that can launch such attacks as land and teardrop?
Mantraps
What is another word for portals?
Difficult to install
What is not a benefit of hardware keyloggers?
Protection of data on lost or stolen devices
What is the benefit of encryption on mobile devices?
Training
What is the best option for thwarting social-engineering attacks?
telnet <website name> 80
What is the command to retrieve header information from a web server using Telnet?
Fences
What is the first defense that a physical intruder typically encounters?
protocol.field operator value
What is the generic syntax of a Wireshark filter?
0x90
What is the hexadecimal value of a NOP instruction in an Intel system?
TCP vs. UDP
What is the key difference between a smurf and a fraggle attack?
Number of attackers
What is the main difference between DoS and DDoS?
Slow performance
What is the most common sign of a DoS attack?
Heap
What is the name for the dynamic memory space that, unlike the stack, doesn't rely on sequential ordering or organization?
Cookie
What is used to store session information?
The predefined scope and agreement made with the system owner.
What marks the major difference between a hacker and an ethical hacker (pen test team member)?
Encryption
What may be helpful in protecting the content on a web server from being viewed by unauthorized personnel?
Encryption
What mechanism is intended to deter theft of hard drives?
Promiscuous mode
What mode must be configured to allow an NIC to capture all traffic on the wire?
False negative
What occurs when an IDS does not properly identify a malicious packet entering the network?
Install from unknown sources.
What option would you use to install software that's not from the Google Play store?
UDP
What protocol is used to carry out a fraggle attack?
ACK
What response is missing in a SYN flood attack?
Bastion host
What system is used as a choke point for traffic and could be offered through IaaS?
ARP poisoning
What technique funnels all traffic back to a single client, allowing sniffing from all connected hosts?
SaaS
What type of cloud service would provide email hosting and associated security services?
Distributed
What type of database has its information spread across many disparate systems?
Relational
What type of database uses multiple tables linked together in complex relationships?
Stateful inspection
What type of firewall analyzes the status of traffic and would be part of a IaaS solution?
Stateful inspection
What type of firewall analyzes the status of traffic?
Psiphon
What utility could be used to avoid sniffing of traffic?
Auditpol
What utility may be used to stop auditing or logging of events?
Lowered
When a device is rooted, what is the effect on security?
Infrastructure
When a wireless client is attached to an access point, it is known as which of the following?
Hactivism
When an attack by a hacker is politically motivated, the hacker is said to be participating in which of the following?
Keywords
When talking to a victim, using __________ can make an attack easier.
C:\Windows\System32\Config\
Where is the SAM file stored on a Windows 7 system?
A
Which DNS record type maps an IP address to a hostname and is used most often for DNS lookups?
Land
Which DoS attack sends traffic to the target with a spoofed IP of the target itself?
allintitle:SQL version
Which Google hack would display all pages that have the words SQL and Version in their titles?
Type 11
Which ICMP message type/code indicates the packet could not arrive at the recipient due to exceeding its time to live?
ip.addr == 192.168.1.1
Which Wireshark filter displays only traffic from 192.168.1.1?
MitM
Which attack alters data in transit within the cloud?
Session hijacking
Which attack can be used to take over a previous session?
Single quote
Which character is the best choice to start a SQL injection attempt?
PaaS
Which cloud computing model is geared toward software development?
xp_cmdshell
Which command can be used to access the command prompt in SQL Server?
nbtstat
Which command can be used to view NetBIOS information?
WHERE SELECT from
Which command is used to query data in SQL Server?
drop table
Which command is used to remove a table from a database?
tshark
Which command launches a CLI version of Wireshark?
nc 192.168.10.27 80
Which command would retrieve banner information from a website at port 80?
tcp contains facebook
Which display filter for Wireshark shows all packets containing the word facebook?
DES
Which encryption standard is used by LM?
WPS support
Which feature makes WPA easy to defeat?
RST
Which flag forces a termination of communications in both directions?
whois
Which footprinting tool or technique can be used to find the names and addresses of employees or technical points of contact?
gets() strcpy() scanf() strcat()
Which function(s) are considered dangerous because they don't check memory bounds? (Choose all that apply.)
SHA-1
Which hash algorithm produces a 160-bit output value?
Bollards
Which intrusion prevention system can be used in conjunction with fences?
A virus is malware. A virus replicates with user interaction.
Which is/are a characteristic of a virus?
Null
Which kind of values is injected into a connection to the host machine in an effort to increment the sequence number in a predictable fashion?
Means of dress or appearance
Which mechanism can be used to influence a targeted individual?
Switch
Which network device can block sniffing to a single network collision domain, create VLANs, and make use of SPAN ports and port mirroring?
TOE
Which of the following Common Criteria processes refers to the system or product being tested?
Volumetric attacks
Which of the following DoS categories consume all available bandwidth for the system or service?
ip.addr == 172.17.15.0/24 ip.src == 172.17.15.0/24 or ip.dst == 172.17.15.0/24
Which of the following Wireshark filters would display all traffic sent from, or destined to, systems on the 172.17.15.0/24 subnet? (Choose all that apply.)
ARP poisoning MAC flooding
Which of the following are appropriate active sniffing techniques against a switched network? (Choose all that apply.)
POODLE
Which of the following attacks acts as a man-in-the-middle, exploiting fallback mechanisms in TLS clients?
Session hijacking
Which of the following attacks an already-authenticated connection?
The attack uses a dictionary list, substituting letters, numbers, and characters in the words until the password is cracked.
Which of the following best defines a hybrid attack?
Security tokens
Which of the following best defines a logical or technical control?
Steganography is used to hide information within existing files.
Which of the following best defines steganography?
The attacker sends thousands upon thousands of SYN packets to the machine with a false source IP address.
Which of the following best describes a DRDoS?
Security team members defending a network
Which of the following best describes a blue team?
It is used to gather information about potential network attackers.
Which of the following best describes a honeypot?
Security team members attacking a network
Which of the following best describes a red team?
The attacker sends several overlapping, extremely large IP fragments.
Which of the following best describes a teardrop attack?
Code designed to be run on the server
Which of the following best describes a web application?
A SOAP message is intercepted, data in the envelope is changed, and then the data is sent/replayed.
Which of the following best describes a wrapping attack?
Active sniffing is usually required when switches are in place. Active sniffing is easier to detect than passive sniffing.
Which of the following best describes active sniffing? (Choose all that apply.)
BIA
Which of the following best describes an effort to identify systems that are critical for continuation of operation for the organization?
It has few heavy security restrictions.
Which of the following best describes an intranet zone?
A reliable and consistent point of contact for all incident response services for associates of the Department of Homeland Security
Which of the following best describes the role that the U.S. Computer Security Incident Response Team (CSIRT) provides?
An API that allows different components to communicate
Which of the following best represents SOA?
Encryption
Which of the following can be used to evade an IDS?
Port scanning
Which of the following can be used to identify a firewall?
Drive encryption
Which of the following can be used to protect data stored in the cloud?
Hypervisor-level rootkit
Which of the following can migrate the machine's actual operating system into a virtual machine?
Input validation
Which of the following can prevent bad input from being presented to an application through a form?
Protection against scanning
Which of the following challenges can be solved by firewalls?
Session riding
Which of the following cloud computing attacks can be best described as a CSRF attack?
nmap -sn 172.17.24.0/24 nmap -PI 172.17.24.0/24
Which of the following commands would you use to quickly identify live targets on a subnet? (Choose all that apply.)
A visual alerting method An audio alerting method
Which of the following could be considered required components of an alarm system?
Blue team
Which of the following describes security personnel who act in defense of the network during attack simulations?
Overt channel
Which of the following doesn't define a method of transmitting data that violates a security policy?
SYN flood Peer to peer
Which of the following don't use ICMP in the attack? (Choose two.)
Easily hidden
Which of the following is a characteristic of USB flash drives that makes security a problem?
Alarms
Which of the following is a detective control when not used in real time?
Audit trail
Which of the following is a detective control?
Wi-Fi jammer
Which of the following is a device used to perform a DoS on a wireless network?
Mantraps
Which of the following is a good defense against tailgating and piggybacking?
Checking DNS replies for network mapping purposes Collecting information through publicly accessible sources
Which of the following is a passive footprinting method? (Choose all that apply.)
Use unpredictable sequence numbers Implement ICMP throughout the environment.
Which of the following is a recommendation to protect against session hijacking? (Choose two.)
CGI
Which of the following is a scripting language?
PGP
Which of the following is a software application used to asymmetrically encrypt and digitally sign e-mail?
Block
Which of the following is a symmetric encryption method that transforms a fixed-length amount of plain text into an encrypted version of the same length?
Configuring the web server to send random challenge tokens is the best mitigation for CSRF attacks.
Which of the following is a true statement?
TRK
Which of the following is a utility used to reset passwords?
False wall
Which of the following is a wall that is less than full height?
Secure HttpOnly Domain
Which of the following is an attribute used to secure a cookie?
PHP
Which of the following is an example of a server-side scripting language?
Row
Which of the following is another name for a record in a database?
Incident management
Which of the following is best defined as a set of processes used to identify, analyze, prioritize, and resolve security incidents?
Netcat
Which of the following is capable of port redirection?
Mandatory access control
Which of the following is defined as ensuring the enforcement of organizational security policy does not rely on voluntary user compliance by assigning sensitivity labels on information and comparing this to the level of security a user is operating at?
Site survey
Which of the following is designed to locate wireless access points?
TCPTROJAN
Which of the following is not a Trojan?
Positive pressure
Which of the following is not a method used to control or mitigate against static electricity in a computer room?
Back up the hard drive.
Which of the following is not a recommended step in recovering from a malware infection?
Anonymous login
Which of the following is not a source of session IDs?
Blooover
Which of the following is the best choice for performing a bluebugging attack?
nc -L 56 -t -e cmd.exe
Which of the following is the proper syntax on Windows systems for spawning a command shell on port 56 using Netcat?
N-tier allows each tier to be configured and modified independently.
Which of the following is true regarding n-tier architecture?
Directory traversal
Which of the following is used to access content outside the root of a website?
Digital certificate
Which of the following is used to distribute a public key within the PKI system, verifying the user's identity to the recipient?
ACL
Which of the following is used to set permissions on content in a website?
A worm is malware. A worm replicates on its own.
Which of the following is/are true of a worm?
Reduced costs Improved performance Increased redundancy
Which of the following issues would be a good reason for moving to a cloud based environment?
Untethered
Which of the following jailbreaking techniques will leave the phone in a jailbroken state even after a reboot?
802.11a
Which of the following operates at 5 GHz?
WPA2, WPA, WEP, Open
Which of the following options shows the protocols in order from strongest to weakest?
IP DHCP Snooping
Which of the following prevents ARP poisoning?
Worm
Which of the following propagates without human interaction?
MIC
Which of the following protects against man-in-the-middle attacks in WPA?
CCMP
Which of the following provides for integrity in WPA2?
Technical details and procedures
Which of the following should not be included in a security policy?
802.11i
Which of the following specifies security standards for wireless?
Symmetric algorithms are faster, are good for bulk encryption, but have scalability problems.
Which of the following statements is true regarding encryption algorithms?
Port scanning is used to identify potential vulnerabilities on a target system.
Which of the following statements is true regarding port scanning?
When accepting the communications request, the recipient responds with an acknowledgement and a randomly generated sequence number in the second step.
Which of the following statements is true regarding the TCP three-way handshake?
Automatic
Which of the following tests is generally faster and costs less but is susceptible to more false reporting and contract violation?
Signature file
Which of the following uses a database of known attacks?
PCI DSS
Which of the following was created to protect credit card data at rest and in transit in an effort to reduce fraud?
SOX
Which of the following was created to protect shareholders and the general public from corporate accounting errors and fraudulent practices, and to improve the accuracy of corporate disclosures?
Circuit-level firewall
Which of the following works at Layer 5 of the OSI model?
Core Impact CANVAS
Which of the following would be a good choice for an automated penetration test? (Choose all that apply.)
Sniffing subnet traffic to intercept a password
Which of the following would be considered a passive online password attack?
Which of the following would be hosted as SaaS?
Netcraft
Which of the following would be the best choice for footprinting restricted URLs and OS information from a target?
A guard posted outside the door
Which of the following would be the best example of a deterrent control?
Configure input validation on your systems.
Which of the following would be the best protection against XSS attacks?
vrfy chell
Which of the following would confirm a user named chell in SMTP?
EIP
Which pointer in a program stack gets shifted or overwritten during a successful overflow attack?
514
Which port number is used by default for syslog?
443
Which port uses SSL to secure web traffic?
161 and 162
Which ports does SNMP use to function?
Security audit
Which security assessment is designed to check policies and procedures within an organization?
Session hijacking is an attack that aims at stealing a legitimate session and posing as that user while communicating with the web resource or host machine.
Which statement defines session hijacking most accurately?
WHERE
Which statement is used to limit data in SQL Server?
Trojans are malware. Malware covers all malicious software.
Which statement(s) defines malware most accurately?
RC
Which symmetric algorithm uses variable block sizes (from 32 to 128 bits)?
Kerberos
Which system should be used instead of LM or NTLM?
NAT
Which technology allows the use of a single public address to support many internal clients while also preventing exposure of internal IP addresses to the outside world?
IPsec
Which technology can provide protection against session hijacking?
A disgruntled employee
Which threat presents the highest risk to a target network or resource?
Netcraft
Which tool can be used to view web server information?
Tracert
Which tool can trace the path of a packet?
Mesh
Which topology has built-in redundancy because of its many client connections?
White box
Which type of attack is generally conducted as an inside attacker with elevated privileges on the resources?
Fingerprint
Which type of biometric system is frequently found on laptops but can be used on entryways as well?
Vulnerability assessment
Which type of security assessment notifies the customer of vulnerabilities but does not actively or intentionally exploit them?
TCPView
Which utility will tell you in real time which ports are listening or in another state?
Sparse infector
Which virus type is only executed when a specific condition is met?
WPA
Which wireless encryption technology makes use of temporal keys?
WEP
Which wireless technology uses RC4 for encryption?
MX
While footprinting a network, you successfully perform a zone transfer. Which DNS record in the zone transfer indicates the company's e-mail server?
Liability
While guards and dogs are both good for physical security, which of the following is a concern with dogs?
No, the hash reveals a seven-character-or-less password has been used.
While pen-testing a client, you discover that LM hashing, with no salting, is still engaged for backward compatibility on most systems. One stolen password hash reads 9FAF6B755DC38E12AAD3B435B51404EE. Is this user following good password procedures?
Operating system
While performing a pen test, you find success in exploiting a machine. Your attack vector took advantage of a common mistake—the Windows 7 installer script used to load the machine left the administrative account with a default password. Which attack did you successfully execute?
The client
Who has legal responsibility for data hosted in the cloud?
To reduce costs
Why wouldn't someone create a private cloud?
Hub
Wireless access points function as a ____________.
Promiscuous mode
Wireshark requires a network card to be able to enter which mode to sniff all network traffic?
Bob's private key
Within a PKI system, Joe encrypts a message for Bob and sends it. Bob receives the message and decrypts the message using what?
Registration authority
Within a PKI, which of the following verifies the applicant?
Web browsers
XSS is typically targeted toward which of the following?
Performing a qualitative risk analysis
You are conducting risk assessment in your organization because there have been incidents of information loss. You are currently estimating the dollar value associated with implementing security controls to protect the organization's information assets. What best describes what you are doing? Choose the best option(s) from those listed below.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:″Attempted FTP″)
You are configuring rules for your Snort installation and want to have an alert message of "Attempted FTP" on any FTP packet coming from an outside address intended for one of your internal hosts. Which of the following rules are correct for this situation?
An attacker could sniff an existing MAC address and spoof it.
You are discussing wireless security with your client. He tells you he feels safe with his network as he has implemented MAC filtering on all access points, allowing only MAC addresses from clients he personally configures in each list. You explain this step will not prevent a determined attacker from connecting to his network. Which of the following explains why the APs are still vulnerable?
Unauthorized users will still be able to connect because the SSID is still sent in all packets, and a sniffer can easily discern the string.
You are discussing wireless security with your client. He tells you he feels safe with his network because he has turned off SSID broadcasting. Which of the following is a true statement regarding his attempt at security?
Due care
You are drawing up a security policy document for your company and have included a section on identifying and assessing security risks to client information. Which section of the security policy is used to identify and assign security risks to client information? Choose the best option(s) from those listed below.
52.93.31.255
You are examining a host with an IP address of 52.93.24.42/20 and want to determine the broadcast address for the subnet. Which of the following is the correct broadcast address for the subnet?
The response indicates an open port.
You are port scanning a system and begin sending TCP packets with the ACK flag set. Examining the return packets, you see a return packet for one port has the RST flag set and the TTL is less than 64. Which of the following is true?
Full disk encryption
You are reviewing security plans and policies, and you wish to provide protection to organization laptops. Which effort listed protects system folders, files, and MBR until valid credentials are provided at pre-boot?
CNAME
You have an FTP service and an HTTP site on a single server. Which DNS record allows you to alias both services to the same record (IP address)?
Mantrap
You need to ensure that only authorized individuals are able to gain access to a restricted section of your facility. You need to implement an automated system that makes sure that every person is individually identified and authorized before they are permitted to enter. Which authentication method would best suit your needs?
Telnet 168.15.22.4 80 nc -v -n 168.15.22.4 80
You want to perform banner grabbing against a machine (168.15.22.4) you suspect as being a web server. Assuming you have the correct tools installed, which of the following command-line entries will successfully perform a banner grab? (Choose all that apply.)
SuperOneClick
You wish to gain administrative privileges over your Android device. Which of the following tools is the best option for rooting the device?
Closed
You're running an IDLE scan and send the first packet to the target machine. Next, the SYN/ACK packet is sent to the zombie. The IPID on the return packet from the zombie is 36754. If the starting IPID was 36753, in what state is the port on the target machine?
Gray box
You've been hired as part of a pen test team. During the brief, you learn the client wants the pen test attack to simulate a normal user who finds ways to elevate privileges and create attacks. Which test type does the client want?
Fragmenting
You've decided to begin scanning against a target organization but want to keep your efforts as quiet as possible. Which IDS evasion technique splits the TCP header among multiple packets?
The attacker is sending messages over an SSL tunnel.
Your client tells you they know beyond a doubt an attacker is sending messages back and forth from their network, yet the IDS doesn't appear to be alerting on the traffic. Which of the following is most likely true?
Information Security Policy
Your company has a document that spells out exactly what employees are allowed to do on their computer systems. It also defines what is prohibited and what consequences await those who break the rules. A copy of this document is signed by all employees prior to their network access. Which of the following best describes this policy?
0.20
Your network contains certain servers that typically fail once every five years. The total cost of one of these servers is $1000. Server technicians are paid $40 per hour, and a typical replacement requires two hours. Ten employees, earning an average of $20 per hour, rely on these servers, and even one of them going down puts the whole group in a wait state until it's brought back up. Which of the following represents the ARO for a server?
Tailgating
Your organization installs mantraps in the entranceway. Which of the following attacks is it attempting to protect against?
BIA
Your organization is planning for the future and is identifying the systems and processes critical for their continued operation. Which of the following best describes this effort?
Reverse proxy
Zombies Inc. is looking for ways to better protect their web servers from potential DoS attacks. Their web admin proposes the use of a network appliance that receives all incoming web requests and forwards them to the web server. He says it will prevent direct customer contact with the server and reduce the risk of DoS attacks. What appliance is he proposing?
SQL injection
__________ can be used to attack databases.
Banner grab
__________ can be used to identify a web server.
Zone transfer
__________ involves grabbing a copy of a zone file.
JavaScript
__________ is a client-side scripting language.
LM
__________ is a hash used to store passwords in older Windows systems.
EXPN
__________ is a method for expanding an email list.
System hacking
__________ is the process of exploiting services on a system.
SQLPing
__________ is used to audit databases.
SYSKEY
__________ is used to partially encrypt the SAM.
NTP
__________ is used to synchronize clocks on a network.
OS X
iOS is based on which operating system?
Port scan
nmap is required to perform what type of scan?
Telnet
A scan of a network client shows that port 23 is open; what protocol is this aligned with?
TCP
An SYN attack uses which protocol?
Public key
Asymmetric encryption is also referred to as which of the following?
During transmission
At what point can SSL be used to protect data?
Alerts
What can be configured in most search engines to monitor and alert you of changes to content?
Proxy
What device acts as an intermediary between an internal client and a web resource?
A description of expected behavior
What is a code of ethics?
A ping sweep
What is an ICMP echo scan?
ACK
What is missing from a half-open scan?
SYN, SYN-ACK, ACK
What is the proper sequence of the TCP three-way-handshake?
To keep a scan hidden
What is the purpose of a proxy?
Gain information from a human being through face-to-face or electronic means
What is the purpose of social engineering?
To gain information from human beings
What is the role of social engineering?
SYN, SYN-ACK, ACK
What is the sequence of the three-way handshake?
The opening sequence of a TCP connection
What is the three-way handshake?
Collision domain
What kind of domain resides on a single switchport?
Low
What level of knowledge about hacking does a script kiddie have?
IPS
What network appliance senses irregularities and plays an active role in stopping that irregular activity from continuing?
Scanning
What phase comes after footprinting?
49152 to 65535
What port range is an obscure third-party application most likely to use?
A lack of fear of being caught
What separates a suicide hacker from other attackers?
Get permission
What should a pentester do prior to initiating a new penetration test?
All nodes attached to the same port
When scanning a network via a hardline connection to a wired-switch NIC in promiscuous mode, what would be the extent of network traffic you would expect to see?
Windows
Which OS holds 90 percent of the desktop market and is one of our largest attack surfaces?
A way to automate the discovery of vulnerabilities
Which best describes a vulnerability scan?
Packet
Which category of firewall filters is based on packet header data only?
Ring
Which network topology uses a token-based access methodology?
A way of encrypting data in a reversible method
Which of the following best describes PGP?
A weakness
Which of the following best describes a vulnerability?
Investigation of a target
Which of the following best describes footprinting?
Nonreversible
Which of the following best describes hashing?
Hacks for political reasons
Which of the following best describes what a hacktivist does?
Hacks without stealth
Which of the following best describes what a suicide hacker does?
Job boards
Which of the following can an attacker use to determine the technology and structure within an organization?
Street views
Which of the following can be used to assess physical security?
Operators
Which of the following can be used to tweak or fine-tune search results?
Social engineering
Which of the following can help you determine business processes of your target through human interaction?
Suicide hacker
Which of the following describes a hacker who attacks without regard for being caught or punished?
Hacktivist
Which of the following describes an attacker who goes after a target to draw attention to a cause?
PKI
Which of the following does IPsec use?
Permission
Which of the following does an ethical hacker require to start evaluating a system?
MD5
Which of the following is a common hashing protocol?
END
Which of the following is not a flag on a packet?
Port scanning
Which of the following is not typically used during footprinting?
Telnet
Which of the following is used for banner grabbing?
Netcraft
Which of the following is used for identifying a web server OS?
nmap
Which of the following is used to perform customized network scans?
Certificate authority
Which of the following manages digital certificates?
NULL
Which of the following types of attack has no flags set?
Social networking
Which of the following would be a very effective source of information as it relates to social engineering?
White hat
Which of the following would most likely engage in the pursuit of vulnerability research?
TCP
Which of these protocols is a connection-oriented protocol?
MX
Which record will reveal information about a mail server for a domain?
PKI
Which system does SSL use to function?
Gray hat
Which type of hacker may use their skills for both benign and malicious goals at different times?
Netscape
Who first developed SSL?
To fine-tune search results
Why use Google hacking?
To enhance anonymity
Why would you need to use a proxy to perform scanning?
Two keys
A public and private key system differs from symmetric because it uses which of the following?
PKI system
A public key is stored on the local computer by its owner in a __________.
Hacktivists
The group Anonymous is an example of what?
SMTP
You have selected the option in your IDS to notify you via email if it senses any network irregularities. Checking the logs, you notice a few incidents but you didn't receive any alerts. What protocol needs to be configured on the IDS?
