CEH Quiz 1
It is vulnerability in GNU's bash shell, discovered in September of 2014 that gives attackers access to run remote commands on a vulnerable system. The malicious software can take control of an infected machine, launch denial-of-service attacks to disrupt websites, and scan for other vulnerable devices (including routers). Which of the following vulnerabilities is being described? A. Shellshock B. Rootshell C. Rootshock D. Shellbash
A. Shellshock
Which of the following incident handling process phases is responsible for defining rules, collaborating human workforce, creating a back-up plan, and testing the plans for an organization? A. Containment phase B. Recovery phase C. Identification phase D. Preparation phase
D. Preparation phase
This asymmetry cipher is based on factoring the product of two large prime numbers. What cipher is described above? A. RC5 B. SHA C. MD5 D. RSA
D. RSA
Which of the following is the structure designed to verify and authenticate the identity of individuals within the enterprise taking part in a data exchange? A. PKI B. SOA C. biometrics D. single sign on
A. PKI
A medium-sized healthcare IT business decides to implement a risk management strategy. Which of the following is NOT one of the five basic responses to risk? A. Delegate B. Mitigate C. Accept D. Avoid
A. Delegate
Which of the following is assured by the use of a hash? A. Integrity B. Confidentiality C. Availability D. Authentication
A. Integrity
You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder that has the administrator's bank account password and login information for the administrators bitcoin account. What should you do? A. Do not report it and continue the penetration test. B. Do not transfer the money but steal the bitcoins. C. Report immediately to the administrator. D. Transfer money from the administrator's account to another account.
A. Do not report it and continue the penetration test.
The security concept of "separation of duties" is most similar to the operation of which type of security device? A. Firewall B. Bastion host C. Intrusion Detection System D. Honeypot
A. Firewall
A penetration tester is conducting a port scan on a specific host. The tester found several ports opened that were confusing in concluding the Operating System (OS) version installed Considering the NMAP result below which of the following is likely to be installed on the target machine by the OS? Starting NMAP 5.21 at 2011-03-15 11:06 NMAP scan report for 172.16.40.65 Host is up (1.00s latency). Not shown: 993 closed ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 80/tcp open http 139/tcp open netbios-ssn 515/tcp open 631/tcp open ipp 9100/tcp open MAC Address: 00:00:4B:0D:EE:08 A. The host is likely a printer. B. The host is likely a router. C. The host is likely a Windows machine. D. The host is likely a Linux machine.
A. The host is likely a printer.
Which of the following is the BEST way to defend against network sniffing? A. Using encryption protocols to secure network communications B. Use Static IP Address C. Register all machines MAC Address in a Centralized Database D. Restrict Physical Access to Server Rooms hosting Critical Servers
A. Using encryption protocols to secure network communications
While using your bank's online servicing you notice the following string in the URL bar: "http://www.MyPersonalBank.com/account?id=36894091102B3B9&Damount=10980&Camount=21" You observe that if you modify the Damount & Camount values and submit the request, that data on the web page reject the changes. Which type of vulnerability is present on this site? A. Web Parameter Tampering B. SQL injection C. Cookie Tampering D. XSS Rejection
A. Web Parameter Tampering
When you return to your desk after a lunch break, you notice a strange email in your inbox. The sender is someone you did business with recently, but the subject line has strange characters in it. What should you do? A. Forward the message to your supervisor and ask for her opinion on how to handle the situation B. Forward the message to your company's security response team and permanently delete the message from your computer. C. Delete the email and pretend nothing happened D. Reply to the sender and ask them for more information about the message contents
B. Forward the message to your company's security response team and permanently delete the message from your computer.
Which of the following is the least-likely physical characteristic to be used in biometric control that supports a large company? A. Fingerprints B. Height and Weight C. Voice D. Iris patterns
B. Height and Weight
During a security audit of IT processes, an IS auditor found that there were no documented security procedures. What should the IS auditor do? A. Conduct compliance testing B. Identify and evaluate existing practices C. Terminate the audit D. Create a procedures document
B. Identify and evaluate existing practices
Which of the following is a low-tech way of gaining unauthorized access to systems? A. Scanning B. Social Engineering C. Sniffing D. Eavesdropping
B. Social Engineering
During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called? A. DNSSEC B. Split DNS C. DNS Scheme D. DynDNS
B. Split DNS
Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, smallsized packets to the target computer, making it very difficult for an IDS to detect the attack signatures. Which tool can be used to perform session splicing attacks? A. Burp B. Whisker C. Hydra D. tcpsplice
B. Whisker
Which of the following is a command line packet analyzer similar to GUI-based Wireshark? A. etherea B. tcpdump C. nessus D. Jack the ripper
B. tcpdump
WPA2 uses AES for wireless data encryption at which of the following encryption levels? A. 128 bit and TKIP B. 128 bit and CRC C. 128 bit and CCMP D. 64 bit and CCMP
C. 128 bit and CCMP
Which of the following is a component of a risk assessment? A. Physical security B. DMZ C. Administrative safeguards D. Logical interface
C. Administrative safeguards
A hacker has successfully infected an internet-facing server which he will then use to send junk mail, take part in coordinated attacks, or host junk email content. Which sort of trojan infects this server? A. Banking Trojans B. Ransomware Trojans C. Botnet Trojan D. Turtle Trojans
C. Botnet Trojan
You have successfully compromised a machine on the network and found a server that is alive on the same network. You tried to ping it but you didn't get any response back. What is happening? A. You need to run the ping command with root privileges. B. The ARP is disabled on the target server. C. ICMP could be disabled on the target server. D. TCP/IP doesn't support ICMP.
C. ICMP could be disabled on the target server.
What is the process of logging, recording, and resolving events that take place in an organization? A. Metrics B. Internal Procedure C. Incident Management Process D. Security Policy
C. Incident Management Process
How does the Address Resolution Protocol (ARP) work? A. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP. B. It sends a request packet to all the network elements, asking for the domain name from a specific IP. C. It sends a request packet to all the network elements, asking for the MAC address from a specific IP. D. It sends a reply packet for a specific IP, asking for the MAC address.
C. It sends a request packet to all the network elements, asking for the MAC address from a specific IP.
In Risk Management, how is the term "likelihood" related to the concept of "threat"? A. Likelihood is a possible threat-source that may exploit a vulnerability. B. Likelihood is the probability that a vulnerability is a threat-source. C. Likelihood is the probability that a threat-source will exploit a vulnerability. D. Likelihood is the likely source of a threat that could exploit a vulnerability.
C. Likelihood is the probability that a threat-source will exploit a vulnerability.
The "black box testing" methodology enforces which kind of restriction? A. The internal operation of a system is only partly accessible to the tester. B. Only the internal operation of a system is known to the tester. C. Only the external operation of a system is accessible to the tester. D. The internal operation of a system is completely known to the tester.
C. Only the external operation of a system is accessible to the tester.
You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist's email, and you send her an email changing the source email to her boss's email( boss@company ). In this email, you ask for a pdf with information. She reads your email and sends back a pdf with links. You exchange the pdf links with your malicious links (these links contain malware) and send back the modified pdf, saying that the links don't work. She reads your email, opens the links, and her machine gets infected. You now have access to the company network. What testing method did you use? A. Tailgating B. Piggybacking C. Social engineering D. Eavesdropping
C. Social engineering
Which of the following is the successor of SSL? A. GRE B. RSA C. TLS D. IPSec
C. TLS
Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer? A. Use the built-in Windows Update tool B. Check MITRE.org for the latest list of CVE findings C. Use a scan tool like Nessus D. Create a disk image of a clean Windows installation
C. Use a scan tool like Nessus
When you are getting information about a web server, it is very important to know the HTTP Methods (GET, POST, HEAD, PUT, DELETE, TRACE) that are available because there are two critical methods (PUT and DELETE). PUT can upload a file to the server and DELETE can delete a file from the server. You can detect all these methods (GET, POST, HEAD, PUT, DELETE, TRACE) using NMAP script engine. What nmap script will help you with this task? A. http-git B. http-headers C. http-methods D. http enum
C. http-methods
A common cryptographical tool is the use of XOR. XOR the following binary values: 10110001 00111010 A. 10011101 B. 11011000 C. 10111100 D. 10001011
D. 10001011
Which of the following is the greatest threat posed by backups? A. A backup is unavailable during disaster recovery. B. A backup is the source of Malware or illicit information. C. A backup is incomplete because no verification was performed. D. An un-encrypted backup can be misplaced or stolen.
D. An un-encrypted backup can be misplaced or stolen.
Which method of password cracking takes the most time and effort? A. Rainbow tables B. Shoulder surfing C. Dictionary attack D. Brute force
D. Brute force
When you are testing a web application, it is very useful to employ a proxy tool to save every request and response. You can manually test every request and analyze the response to find vulnerabilities. You can test parameter and headers manually to get more precise results than if using web vulnerability scanners. What proxy tool will help you find web vulnerabilities? A. Proxychains B. Maskgen C. Dimitry D. Burpsuite
D. Burpsuite
You work as a Security Analyst for a retail organization. In securing the company's network, you set up a firewall and an IDS. However, hackers are able to attack the network. After investigating, you discover that your IDS is not configured properly and therefore is unable to trigger alarms when needed. What type of alert is the IDS giving? A. False Positive B. True Negative C. True Positive D. False Negative
D. False Negative
Which of the following parameters describe LM Hash: I - The maximum password length is 14 characters. II - There are no distinctions between uppercase and lowercase. III - It's a simple algorithm, so 10,000,000 hashes can be generated per second A. II B. I, II, and III C. I D. I and II
D. I and II
An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up. What is the most likely cause? A. The attacker altered or erased events from the logs. B. The security breach was a false positive. C. Proper chain of custody was not observed while collecting the logs. D. The network devices are not all synchronized.
D. The network devices are not all synchronized.
Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS) flaws in software applications? A. Use digital certificates to authenticate a server prior to sending data B. Verify access right before allowing access to protected information and UI controls C. Use security policies and procedures to define and implement proper security settings D. Validate and escape all information sent to a server
D. Validate and escape all information sent to a server
To maintain compliance with regulatory requirements, a security audit of the systems on a network must be performed to determine their compliance with security policies. Which one of the following tools would most likely be used in such an audit? A. Port scanner B. Protocol analyzer C. Intrusion Detection System D. Vulnerability scanner
D. Vulnerability scanner
The purpose of a [blank] is to deny network access to local area networks and other information assets by unauthorized wireless devices. A. Wireless Access Point B. Wireless Access Control List C. Wireless Analyzer D. Wireless Intrusion Prevention System
D. Wireless Intrusion Prevention System