CEH Quiz 4
The Snort management console consists of:
ACID analyst console MySQL database Apache web server
Data at rest can be protected by which of the following:
AES
In the context of the Microsoft Windows NT, which Security Identifier (SID) represents the administrator account?
S-1-5- and end with -500
You have selected the option in your IDS to notify you via email if it discovers any network irregularities. Checking the logs, you notice a few incidents, but you didn't receive any alerts. What protocol needs to be configured on the IDS?
SMTP
MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client?
a reverse arp request maps to two hosts
Which of the following may be an indication that a system may be compromised?
a system log showing telnet starting a network link running in promiscous mode scheduled tasks that runs as admin or root
A new member of the pen test team has discovered a WAP that is using WEP for encryption. He wants a fast tool that can crack the encryption. Which of the following is his best choice?
aircrack-ng
Secure Data Deletion, Overwriting metadata, steganography are techniques used for ___________
anti-forensics
What performs attack recognition and sends relevant alerts for the network?
NIDS
In terms of Order of Volatility (OOV) for forensic investigation, which of the following needs to be investigated first?
OOV does not distinguish between these types of storage
What is the role of test automation in security testing?
it can accelerate benchmark tests and repeat them with a consistent test setup. but cannot replace manual testing completely
Which of the following are functions of Arpwatch?
keeping track of ethernet/IP address pairing
If the IDS cannot keep up with the amount of traffic, it will:
let them all pass
What type of rootkits will patch, hook, or replace the version of system call in order to hide information?
library level rootkits
A hierarchical data model uses a tree structure and a parent/child relationship. You can find this model also used in the Windows Registry structure and different file systems, but it is not commonly used in newer database products. What is the name of the model?
lightweight directory access protocol (LDAP)
What is the first step in a form based SQL injection attack?
locate a user input field on a web page
Rebecca commonly sees an error on her Windows system that states that a Data Execution Prevention (DEP) error has taken place. Which of the following is most likely taking place?
malicious code is attempting to execute instruction in a non-executable memory region
In Unix, the concept of 'salting' is implemented to __________________________
mix random string in password hash
Penetration testers hide Metasploit shellcode to evade Windows Defender by using which of the following Metasploit framework tools?
msfencode
Which tool performs comprehensive tests against web servers, including dangerous files and CGI's?
nikto
Which of these web vulnerability scanners involve an IDS evasion technique?
nikto whisker sandcat
From a security perspective, containers are the Wild West - full of exciting possibilities, but also unfamiliar dangers. What two security issues are related to containers as compared to VMs?
open network traffic across servies sharing the OS kernel
OpenSSL comes with a client tool that you can use to connect to a secure server. What is the correct syntax to connect an SSL server?
openssl s_client -connect www.fiestyduck.com:443
Jimmy is standing outside a secure entrance to a facility. He is pretending to be having a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close. What just happened?
piggybacking
In order to evade signature-based IDS, a(n) ____ code would ensure a unique attack pattern that cannot be detected on signature basis.
polymorphic
What should every IT administrator know about downtime of an alternate site? [Select all risks that apply]
power/network outages flood/fire/hurricanes/tornadoes/riots human error/virus attack/data leakage
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?
protocol analyzer
Which of the following are AAA (Authentication, Authorization and Accounting) implementations? (Select all that apply.)
radius tacacs+
An attack method which uses rainbow tables and specialized computing architectures would be which type of attack?
rainbow table attack
What attack is used to crack passwords by using a precomputed table of hashed passwords?
rainbow table attack
Which of the following tactics is used in social engineering attacks? [Select all that apply]
reciprocity social validation authority
A big concern in distributed environments is the ______, in which an attacker captures some type of data and resubmits it with the hopes of fooling the receiving device into thinking it is legitimate information.
replay attack
A system is compromised and is able to spawn a connection back to the adversary. What is the common term used to describe this activity?
reverse shellcode
Which of the following is a random string of data which is used to modify a password hash?
salt
Which of the following techniques could be used to test the strength of firewall rules?
send specifically crafted packets by manipulating TCP headers and flags
Bluejacking is an attack that does which of the following to a compromised Bluetooth device?
sending unsolicited messages
Which of the following is a honeypot detection tool?
sobek
Which of the following is a true statement regarding SSIDs?
ssids are more important for identifying networks, by do little to nothing for security
Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run?
stealth virus
What is the main reason the use of stored biometrics are vulnerable to attacks?
stored information could be stolen and used by an attacker to impersonate the individual identified by the biometric
Mike is a black hat hacker and forges an identification badge and dresses in clothes associated with a maintenance worker. He attempts to follow other maintenance personnel as they enter the power grid facility. What is he attempting to do?
tailgating
The company ABC recently contracted a new accountant. The accountant will be working with the financial statements. Those financial statements need to be approved by the CFO and then they will be sent to the accountant but the CFO is worried because he wants to be sure that the information sent to the account was not modified once he approved it. What of the following options can be useful to ensure the integrity of the data?
the CFO can use a hash algorithm in the document once he approved the financial statments
When purchasing a biometric system, one of the considerations that should be reviewed is the processing speed. Which of the following best describes what is meant by processing?
the amount of time it takes to be either accepted or rejected from when an individual provides identification and authentication information
An organization has just experienced a breach. When the investigator/incident handler attempts to correlate the information in all of the logs, the sequence of many of the logged events doesn't match up or line up properly. What is likely the cause?
the attacker altered or erased events from the logs
The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the host 10.0.0.3. Also he needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration in the router, nobody can access to the ftp and the permitted hosts cannot access to the Internet. According to the next configuration what is happening in the network? access-list 102 deny tcp any any access-list 104 permit udp host 10.0.0.3 any access-list 110 permit tcp host 10.0.0.2 eq www any access-list 108 permit tcp any eq ftp any access-list 102 deny tcp any any
the first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
You identify a WAP network that you are going to attack. You discover that the WAP is using WEP. Which method will you utilize in order to exploit the WAP?
the initialization vector (IV)
Why are many programs vulnerable to SQL injection and buffer overflow attacks?
the programs are written quickly and use poor programming techniques
What are some of the techniques hackers utilize to frustrate forensic investigators?
the system refuses to run when debugging mode is enabled
Data hiding is provided by encapsulation. (T or F)
true
Digital Forensics can be decomposed into computer forensics, network forensics, forensic data analysis, mobile device forensics and Database forensics. (T or F)
true
The following rule is a valid rule in a Snort IDS: alert tcp any any -> any any (msg:"alert"; sid:1000000;) (T or F)
true
What authentication factor is based on the location of the user?
type 4
Which of the following is true about cloud based malware detection?
typically examines metadata rather than the actual file
Which of the following is an extremely common IDS evasion technique in the web world?
using unicode characters
Which of the following is an extended version of Nikto designed for Windows and is a tool that can examine web servers and probe for vulnerabilities?
wikto
Shellshock had the potential for an unauthorized user to gain access to a server. It affected many internet- facing services, which OS did it not directly affect?
windows
Keatron calls you and tells you that his wireless router increases in temperature noticeably after 7 PM every night. What tool could you use to view network traffic being sent and received by Keatron's wireless router?
wireshark
When discussing password attacks, what is considered a rubber hose attack?
you threaten someone with physical harm unless they reveal their password
During a blackbox pentest you attempt to pass IRC traffic over port 80/tcp from a compromised web enabled host. The traffic gets blocked; however outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic?
application
What is the First Step required in preparing a computer for forensics investigation
do not turn the computer off or on, run any programs, or attempt to access data on a computer
After trying multiple exploits, you've gained root access to a CentOS server. To ensure you maintain access, what would you do first?
download and install netcat
What is a type of code that can be utilized to circumvent a signature-based IDS?
encrypted code
What's the birthday attack?
exploiting a collision on a hashing algorithm
A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of the files is a tarball, two are shell script files and one is a binary file named nc (netcat). The logs show the user logged in anonymously, uploaded the files, extracted the contents and ran the script using a function provided by the ftp server's software. The ps command shows that the nc file is running as process, and the netstat command shows the nc process is listening on a network port. What kind of vulnerability had to have existed to make this remote attack possible?
file system permissions
Which of the following is an attribute in one relation that has values matching the primary key in other relation?
foreign key
There are some programs that can be used to provide unexpected or random inputs to computer programs. This is referred to as:
fuzzing
The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192. In the network the servers are in the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124. An attacker is trying to find those servers but he cannot see them in his scanning. The command he is using is: nmap 192.168.1.64/28. Why he cannot see the servers?
he is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that range
In wireshark, the packet bytes pane shows the data of the current packet in which of the following format styles?
hex dump
An attacker has installed a RAT trojan on a host. The attacker now has control of the machine through the RAT (remote access trojan). The attacker wants to now ensure that if the user attempts to go to www.mybank.com that the user is directed to a phishing site. Which file does the attacker need to modify to make this happen?
host
SSIDs serve many functions, but the primary goal is which of the following?
identify the network to clients or potential clients
An enterprise recently moved to a new office and the new neighborhood is a little risky. The CEO wants to monitor the physical perimeter and the entrance doors 24 hours. What is the best option to do this job?
install a CCTV with cameras pointing to the entrance doors and the street
Which biometric parameters are best suited for authentication use for a longer time period?
iris patterns
Which device is typically used with software such as Wireshark to aid in wireless network traffic analysis?
AirPcap
A large company intends to use Blackberry for corporate mobile phones and a security analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking attack method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the corporate network. What tool should the analyst use to perform a Blackjacking attack?
BBProxy
Which of the following commands could a hacker enter in a web form field to obtain a directory listing?
Blah';exec master..xp_cmdshell"dir c:\\*.*/s>c:\directory.txt"--
What is the most common method to exploit the shellshock vulnerability?
Common Gateway Interface (CGI)
Which of these protocols is also known as X.500-lite?
LDAP
The IDS cannot recognize attack patterns from encrypted packets. (T or F)
False
LDAPS is:
LDAP over SSL
Snort can be used in which of the following modes?
IDS packet sniffer packet logger
What is a modification made to attacks called that prevents detection by an Intrusion Detection System?
IDS evasion technique
A penetration test is underway in Natasha's office as per directive from their CISO. Natasha has been receiving alerts from Symantec Endpoint Protection that seems confusing and she can't tell if she has an infection or not. The IPS Alert Name is "Attack: an intrusion attempt was blocked." Is Natasha really being attacked by a hacker?
IPS is alarming her on port block events due to pretesting exercise
Botnet masters typically employ ______ protocol to "herd" their bots.
IRC
If session hijacking is a concern on a network, the administrator can implement a protocol, such as: [Select any two best answers]
VPN IPSEC
A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much information can be obtained from the firm's public facing web servers. The engineer decides to start using netcat to port 80. The engineer receives this output: HTTP/1.1 200 OK Server: Microsoft-IIS/6 Expires: Tue, 17 Jan 2011 01:41:33 GMT Date: Mon, 16 Jan 2011 01:41:33 GMT Content-Type:text/html Accept-Ranges: bytes Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT ETag: "b0aac0542e25c31:89d" Content-Length: 7369 Which of the following is an example of what the engineer performed?
banner grabbing
Which of the following is a denial-of-service attack against a Bluetooth device?
bluesmacking
Possible methods to hide data include
both slack space and steganography
A hacker has successfully infected an internet facing server which he will then use to send junk mail, take part in the coordinated attacks, or host junk email content. Which sort of trojan infects this server?
botnet trojan
Mike is performing an activity of guessing every possible password combination of an account? What activity is he performing?
brute force
Pentest results indicate voice over IP traffic is traversing the network. Which of the following tools will decode a packet capture and extract the voice conversations?
cain
An ethical hacker is doing a pentest and he is testing to see if it's possible to obtain login credentials. Server scanning shows that all servers are patched and physical access is denied. The only access is through RDP (Remote Desktop Protocol). Which technique could be used to obtain login credentials?
capture administrators RDP traffic and decode it with Cain and Able
ARP poisoning alters ARP table mappings to align all traffic to the attacker's interface before traveling to the proper destination. What does this allow to an attacker? [Select two]
capture all traffic on the network jumping off point for future attacks
ARP poisoning alters ARP table mappings to align all traffic to the attacker's interface before traveling to the proper destination. What does this allow to an attacker? [Select two]
capture all traffic on the network jumping-off point for future attacks
During the Evidence Gathering and Collection phases of incident response, the investigator collecting the evidence (and all others who have custody of the items) must maintain positive control of the evidence at all times. This requires at minimum the following: [Select multiple answers]
case number and evidence tag number with a brief description of the items date and time the evidence was collected a means to store and transport any evidence in a manner that protects the evidence and prevents unauthorized access
During forensic investigation, all the tasks such as collecting evidence, seizing the equipment, and locking down the perimeter, all need to follow ______ for keeping the integrity of the task.
chain of custody
What command is used to launch the computer management console in Windows 7?
compmgmt.msc
A company's CEO wants the perimeter of the building monitored 24/7 by CCTV. This security control addresses which of the following goals? [Select best answer]
crime and disruption detection
A background program that resides on a computer and services requests is called a(n):
daemon
Data hiding analysis can be useful in
detecting and recovering data that may indicate knowledge, ownership or intent
A computer science student needs to fill some information into a secured Adobe PDF job application that was received from a prospective employer. Instead of requesting a new document that allowed the forms to be completed, the student decides to write a script that pulls passwords from a list of commonly used passwords to try against the secured PDF until the correct password is found or the list is exhausted. Which cryptography attack is the student attempting?
dictionary attack
