CEH Test 3

59. On which port does a standard DNS zone transfer operate? A. 53 B. 80 C. 8080 D. 25

A - 53

7. Prior to deploying an anomaly-based detection system on a network, what must be achieved? A. Baseline B. Updated file definition C. Updated network infrastructure D. Patches pushed to clients before installation

A - A baseline must be set in order for an anomaly detection system to run optimally. If not, the IDS will not be able to monitor network traffic accurately and may alert due to false positives.

81. What must a signature-based IDS have in order to be effective? A. An up-to-date set of rules B. A baseline C. Active rules D. Access to update user profiles

A - A signature-based IDS must have an up-to-date signature list, which is a set of rules used to accurately alert and defend against attacks.

114. What does stateful inspection provide to the network administrator? A. It tracks all communications streams, and packets are inspected. B. It provides the administrator with a slower network response. C. It ensures that communications are terminated. D. It provides the administrator with reduced admin work.

A - A stateful firewall keeps track of all communications and inspects the packets. This can help protect against things like spoofed packets, where header fields are used to try to fake a connection state.

31. Software that creates pop-up advertisement messages while visiting websites is known as what? A. Adware B. Malware C. Pop-up blocker D. Freeware

A - Adware is a type of malware that creates pop-up windows on the desktop to advertise for commercial products.

41. Which of the following scanners provides ping sweeps and at times can be very noisy if not properly configured? A. Angry IP B. Cain & Abel C. nmap -sT -T0 D. Nslookup

A - Angry IP is an application that provides an array of tools for ping sweeping. Depending on the configuration, there is a good chance an IPS/IDS appliance will detect your presence conducting ping sweeps.

60. What is the process of sending data to a device over Bluetooth without having to go through the pairing process called? A. Bluejacking B. Blueboxing C. Bluesnarfing D. Bluebugging

A - Bluejacking is the technique used by attackers to send data to a device without going through the pairing typically necessary for Bluetooth devices.

42. Which of the following is an application that provides ARP spoofing? A. Cain & Abel B. Evercrack C. Kismet D. John the Ripper

A - Cain & Abel is an application that provides an array of tools to the user, such as tools for password cracking, ARP spoofing, and conducting man-in-the-middle attacks. Kismet is used for wireless sniffing.

23. What strategy does a local, caching DNS server use to look up records when asked? A. Recursive B. Iterative C. Combinatorics D. Bistromathics

A - DNS requests are commonly sent to a local caching server, which looks in its cache. A failure there causes a request to root servers and then subsequent servers, always getting closer to the final destination. This process of asking a question, getting an answer, and asking again using the new information is called recursion.

12. The SAM log file entry is located in what part of a Windows Registry system? A. HKEY_LOCAL_MACHINE\SAM B. HKEY_LOCAL_SAM C. HKEY_LOCAL_MACHINE\WINDOWS D. HKEY_SYSTEM_MACHINE\SAME.L

A - HKEY_LOCAL_MACHINE\SAM is the Registry entry where the SAM and SAM.log parameters can be found.

27. Which standard advocates the Plan, Do, Check, Act process for implementation and validation of security controls? A. ISO 27001 B. ISO 27002 C. NIST 800-53 D. NIST 800-161

A - ISO 27001 is a standard for managing information security, including a set of controls and how to manage those controls. This includes the cycle Plan, Do, Check, Act.

45. Which Linux distribution is best suited to support an attacker by providing the necessary preinstalled tools? A. Kali B. Security Onion C. Mint D. Ubuntu

A - Kali

35. Which of the following tools can be used to DDoS a target system? A. LOIC B. SIMM C. Cain & Abel D. AOL Punter

A - LOIC, Low Orbit Ion Cannon, is an application that can be used to conduct a DDoS on a system by using TCP, UDP, or HTTP requests. Cain & Abel is used for cracking passwords.

16. A system is compromised and is able to spawn a connection back to the adversary. What do you call the system or infrastructure the adversary is using to connect back to? A. Command and control B. Command processor C. Shellcode manager D. Command manager

A - Malware often communicates with a command-and-control (C2) infrastructure managed by the attacker.

110. What three services are usually included with the NetBIOS protocol? A. NBT, NetBIOS session, and NetBIOS datagram B. NBT, asymmetric session, and NetBIOS datagram C. NetBIOS datagram, NBT, and NetBIOS AD D. NetBIOS datagram, NBT, and NetBIOS SCP

A - NBT (NetBIOS over TCP/IP) uses UDP 137; NetBIOS session uses TCP 139; NetBIOS datagram uses UDP 138.

10. What technique might you be able to use to get around older intrusion detection systems when sending traffic into a network? A. Fragmentation B. ARP spoofing C. DNS hijacking D. Phishing

A - Older intrusion detection systems may have had a harder time reconstructing packets that had been fragmented. With extreme fragmentation, it may have been harder for these systems to reconstruct and identify issues fast enough.

95. As the security administrator, you are tasked with implementing an access control strategy that will assign permissions to users based on the roles they will be hired to fill. What type of access control are you being asked to implement for your organization? A. RBAC B. MAC C. DAC D. UAC

A - Role-based access control, or RBAC, is an access control model that is developed around a job position. For example, if you worked at a bank as a teller, your login resources are tailored to what a bank teller would have access to. It is a cookie-cutter type of profile that aids in controlling employee access and limits capabilities to do one and only one job.

63. What does the TTL value mean? A. The number of hops remaining until the packet times out B. The number of hops to the destination C. The number of the packets left D. The number of routing loops that are permitted

A - TTL is a header that defines the lifetime of a packet on the network. A value such as 64 is assigned, and every time the packet reaches a layer 3 device (router), the value decrements by 1. When it reaches 0, the router will drop the packet and send back an ICMP error message indicating the time was exceeded in transit.

75. Which of the following malware achieved a historical first by causing physical damage to a nuclear reactor facility? A. Stuxnet B. Blue's Revenge C. ILOVEYOU virus D. BackOrifice

A - The Iran nuclear centrifuges were infected with the Stuxnet viruses. It caused the centrifuges to spin out of control, causing irrecoverable physical damage.

112. What do wireless access points use to advertise their presence? A. Beacon frame B. Homing beacon C. Homing broadcast D. Broadcast frame

A - The WAP will send out a beacon frame advertising its SSID to wireless devices.

26. Which of the following must be conducted first in order to hijack a session? A. Track the session. B. Desynchronize the session. C. Inject the adversary's packet into the stream. D. Disrupt the stream first and then inject the adversary's packet information.

A - The adversary must first track the session before making a successful attempt at hijacking it.

49. When you are attacking a web application, what server would you typically need to go through first to get to any programmatic content if the application is designed using a typical n-tier architecture? A. Web server B. Database server C. Logic server D. Application server

A - The first server you are likely to pass through is the web server. You would be looking to get the application server, but the first server would be the web server.

92. Due to the ILOVEYOU virus, Microsoft implemented a new business practice in its software to prevent such attacks from occurring again. What was it? A. Disabling the macro features in Microsoft Office by default B. Disabling the CD-ROM autorun feature C. Setting user profiles to disabled D. Removing HEKY_LOCAL_MACHINE\USER

A - The macro feature that was once enabled by default when you installed Microsoft Office is now disabled. The ILOVEYOU virus took advantage of that capability by capturing contacts in the users' email address books and sending out mass copies of itself to those recipients.

25. What would you use the program packETH for? A. Packet crafting B. Ethernet testing C. Man-in-the-middle attack D. IP analysis

A - The tool packETH can be used to craft packets with data in both the headers and payload set to whatever you want.

18. What type of attack would the following code be vulnerable to? char[5] attacker; strcpy (attacker, "cat /etc/passwd");? scanf(&attacker); A. Buffer overflow B. SQL injection C. Command injection D. Heap spraying

A - The variable attacker is used to store a character string that is 5 bytes long. The first strcpy will overflow that buffer, but it may cause no problem aside from potentially crashing the program.

98. What prevents IP packets from circulating throughout the Internet forever? A. TTL B. Spanning tree C. Broadcast domains D. NAT

A - Time to live (TTL) is a value set on IP packets that decrements each and every time they pass through a router. Some operating systems, such as Linux and Microsoft, will set the TTL value. When the TTL value of a packet reaches 0, that packet will be dropped, and an ICMP destination not found message will be returned to the source.

71. What tool can be used to spoof a MAC address? A. MAC and Cheese B. Cheesy MAC C. GodSMAC D. arpspoof

A - arpspoof is a tool that allows you to temporarily spoof the MAC address on a network interface card.

11. You are a security administrator for an online dating website. Your logs are showing a lot of obfuscated PowerShell script execution. What do you think may be happening? A. Attacker is living off the land. B. Normal maintenance on servers. C. PowerShell is supposed to be encrypted. D. PowerShell is being updated.

A - Attackers are moving to using tools available on Windows systems, just as they have used existing scripting languages on Unix-like systems. When attackers use existing tools, it's called living off the land.

101. When a layer 2 switch is flooded, what mode does it default to? A. Fail open mode, where it mimics a hub. B. Fail closed, where nothing is passed anymore. C. Layer 2 switches process IP packets and not datagrams. D. Layer 2 switches cannot be flooded because they are collision domains.

A - If a switch receives too many sets of instructions and it cannot keep up with demand, it fails open.

116. What security property would you be addressing through the use of AES? A. Confidentiality B. Integrity C. Availability D. Non-repudiation

A. Confidentiality

111. What social networking site would likely be most useful for performing reconnaissance against a target? A. LinkedIn B. WhatsApp C. Facebook D. Friendster

A. LinkedIn

53. What is an advantage of a phone call over a phishing email? A. You are able to go into more detail with pretexting using a conversation. B. Phishing attacks are rarely successful. C. Not everyone has email, but everyone has a phone. D. Pretexting requires the use of a phone.

A. You are able to go into more detail with pretexting using a conversation.

43. Which of these attacks targets the client in a web application? A. XML external entity B. Cross-site scripting C. SQL injection D. Command injection

B - A cross-site scripting attack targets the client side since the script runs in the user's browser.

55. Your biometric system at the entrance to your facility is having issues with a false failure rate. What is the most likely result of that? A. People having to change their password. B. Authorized people not being allowed in. C. The mantrap needs to be replaced. D. People stop using biometrics.

B - A false failure rate, also called a false reject rate, is an indication of the number of legitimate users whose authentication attempts result in failure. This means, in the case of building entry, a number of people are not being allowed access.

64. Which of the following indicates the authoritative DNS server for the zone being requested? A. EX B. NS C. EM D. PTR

B - An NS record indicates the name server associated with a domain. This may include sub-domains, which is why sometimes the term zone is used since 'domain' can be ambiguous. Domains and subdomains each have their own zone and require an NS record to indicate the name server used for that zone. A PTR record is used to provide a hostname mapping to an IP address.

103. What sort of an attack might you suspect if you had found an access point with the same name as an enterprise SSID? A. SSID scanning B. Evil twin C. Deauthentication D. Injection

B - An evil twin is a rogue access point masquerading as a legitimate AP to gather authentication data.

2. Which of the following is part of a DMZ but bridges access from organization to organization? A. Internet B. Extranet C. Intranet D. Outernet

B - An extranet is a subnet that functions like a DMZ, but it allows two businesses that depend on one another to share resources.

32. The ability for information or services that must be accessible at a moment's notice is called what? A. Survivability B. Availability C. CIA D. Redundancy

B - Availability ensures that data is readily available to the customer.

19. What is the issue when there is no boundary being checked or validated in programming? A. The program will assign its own values. B. The program does not validate if the input values can be stored without overwriting the next memory segment. C. The program executes without checking what other programs are open. D. Memory allocation has already been reserved for a program.

B - Boundary checking is validating all input. If a user inputs a value that is greater than the memory allocated for it, the program will return with an invalid operation. It will continue to do so until the user inputs a value that is within the specific container value.

58. If you were to see the subnet mask 255.255.254.0, what would be the CIDR designation for that network? A. /24 B. /23 C. /22 D. /25

B - Each full octet is 8 bits, which means 255.255.255.0 is 3 bytes of 8 bits, or a total of 24 bits. With CIDR, we count the number of bits in the subnet mask. Since 255.255.255.0 is 24 bits, 255.255.254.0 is one bit less. The last bit would make the value of that third octet 255. That means instead of /24, we have a CIDR designation of /23.

56. Why would you be most likely to use REST when developing a web application? A. HTML is stateless. B. HTTP is stateless. C. HTML is stateful. D. HTTP is stateful.

B - HTTP is a stateless protocol, which requires the application to perform some sort of state transfer. REST is Representational State Transfer, which allows the client and server to communicate information about the state of the client and the application between them.

44. Which option describes an adversary pretending to be someone else in order to obtain credit or attempt fraud? A. Impersonation B. Identity theft C. Masquerading D. Cloning

B - Identity theft is the process in which the adversary impersonates the victim in order to gain some type of access to the victim's financial resources or other critical resources.

14. In Linux, what command is used to search for information inside files? A. ser B. grep C. info > D. ls -l

B - In the command line, when searching for a particular string, you use the grep command to search for contents. Most often, admins would pipe the string into another command or to an output format such as a text document.

115. As a white hat, you're tasked to identify all vulnerabilities possible on a network segment that your customer provided to you. You are provided nothing but a network identification, including an IP address and subnet mask. What type of assessment are you conducting? A. White box B. Gray box C. Black box D. Crystal box

B - In this scenario, you are conducting a gray box test. Because you are given a network mask to go on, you now know how big the network you are testing is. This is your only clue, but it's still partial knowledge.

38. Of the following, which allows you to conduct password cracking? A. LOIC B. John the Ripper C. CPU Dump D. Wireshark

B - John the Ripper is a program that allows an individual to crack an account.

47. Which of the following organizations provides government-backed standards? A. EC-Council B. NIST C. CAIN D. NITS

B - NIST, or National Institute of Standards and Technology, is a government organization that provides standards to an array of industries, including standards for information systems management and cryptology.

88. Why might you use Metasploit for a port scan over Nmap? A. Metasploit supports more port scan types. B. Metasploit stores results. C. Metasploit is scriptable. D. Nmap doesn't support port scanning

B - Nmap does support port scanning. Both Nmap and Metasploit support scripting interfaces. Metasploit is unlikely to be any faster when it does port scans. It does, though, store results in a database so the results can be looked up later.

78. What type of attack does POODLE invoke? A. Denial of service B. Man in the middle C. Distributed denial of service D. Credential harvesting

B - POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption, exploits the SSL 3.0 requests. After the last request, the attacker will be able to retrieve 1 byte of data that is between the client and server.

91. Which of the following is the most common network access translation type used? A. S-NAT B. PAT C. Basic NAT D. Public NAT

B - Port address translation (PAT) uses the source computer's port number as a unique web session when the packet leaves the local network.

22. What is the region in memory that is assigned to a process or a program when it is initiated? A. Cluster B. Stack C. Heap D. Pointer

B - Programs that are initially executed have a segment in memory allocated called a stack. A stack has a fixed allocation of memory when it is created. The heap is where dynamic memory is allocated. A pointer is a variable that points at a memory location.

73. Which of the following encrypts community strings and provides authentication? A. ICMP B. SNMPv3 C. SNMP D. IMAP

B - SNMPv3 is the most recent version of SNMP for network device management. It adds encryption and user authentication in order to allow management messaging and polling to be sent to devices.

68. How does ARP spoofing work? A. Sending gratuitous ARP requests B. Sending gratuitous ARP responses C. Filling up the ARP cache D. Flooding a switch

B - Sending gratuitous ARP responses mapping an IP address to an attacker's ARP address can get frames sent to the attacker. A gratuitous response is a response in the absence of a request.

6. What encryption algorithm is used within TLS for the handshake and key negotiation? A. AES B. RSA C. PGP D. ECE

B - TLS uses RSA 1024 or the 2048-bit key strength during key negotiation. In most web browsers, you are able to view this information in the Security tab in the preferences panel.

65. Which of the following switches enables an idle scan within the Nmap tool? A. -Si B. -sI C. -Is D. None, because Nmap does not support idle scans

B - The -sI switch allows the user to conduct an idle scan. It is used to gather the IP address of the target system by crafting special packets that are bounced off a zombie machine.

40. What flag is used to order a connection to terminate? A. SYN B. FIN C. PSH D. RST

B - The FIN flag set informs the distant end to terminate its connection with the sender. No action will be taken after it is set. The PSH flag is used to get data sent immediately to the application rather than being held in a buffer.

107. IPv6 uses IPSec. Which of the following establishes the key agreement? A. IKE B. ISAKMP C. Diffie-Hellman D. TLS

B - The Internet Security Association and Key Management Protocol (ISAKMP) is responsible for negotiating and conducting the key agreement.

39. In the TCP/IP model, what is the equivalent of the OSI Network layer? A. Network B. Internet C. Transport D. Network Access

B - The Internet segment is the 3rd layer in the TCP/IP model, which is equivalent to the Network layer in the OSI model.

67. What layer of the OSI model is the Network layer? A. 2 B. 3 C. 4 D. 1

B - The layers of the OSI model from the bottom are Physical, Data Link, Network, Transport, Session, Presentation, and Application. Network is number 3.

99. As a white hat, you are conducting an audit of your customer's security policies. You notice that the policies the organization published do not conform to its actual practices. You also note that the security administrators are implementing different corrective actions than what is supposed to be happening according to the policies. What is the correct action to take here? A. Inform the security administrators that they need to follow the security policies published by the organization. B. Recommend a once-a-month meeting that evaluates and make changes to the security policies. C. Allow the security administrators to tailor their practices as they see fit. D. Shred the old policies

B - When the security admins are no longer following the security policies set in place by the organization, it is a telltale sign that the policies are not up-to-date. Policies should be evaluated often because the operational tempo and working environment can be and will be dynamic.

4. In a Linux system, where is the password file stored? A. /etc/passwd B. /etc/shadow C. /etc/user/password D. /shadow/etc

B - The file location is /etc/shadow, and it contains a list of passwords that are hashed. I

94. Which of the following denotes the root directory in a Linux system? A. root/ B. / C. home\ D. \home\

B. /

79. What is another name for Tor? A. The other router B. The onion router C. TLS open router D. Tunnel open router

B. The onion router

106. If you wanted to use a browser plugin to identify technologies used in a website, what might you use? A. TamperData B. WappAlyzer C. GreaseMonkey D. Nova

B. WappAlyzer

77. In a SQL injection attack, where does the attack actually execute? A. Web server B. Application server C. Database server D. Browser

C - A SQL injection attack sends SQL code into the web app. This is a language that runs in relational database servers to perform functions on the data stored there. It executes on a database server.

37. What type of attack would be used to collect authentication data between a station and an access point by forcing reauthentication? A. WEP cracking B. Rogue access point C. Deauthentication D. Handshaking attack

C - A deauthentication attack sends a deauthentication message to the station, causing it to send a new authentication message. This will allow the attacker to collect this authentication information for cracking later.

69. A key that has to be known ahead of time to be able to encrypt data between two parties is known as what? A. Asymmetric encryption B. Symmetric encryption C. Pre-shared key D. Secret key

C - A pre-shared key is one that has to be known ahead of time in order to encrypt data.

80. In Kerberos, which of the following grants access to a service? A. Ticket-granting ticket B. Ticket authentication service C. Ticket-granting service D. Ticket granted access

C - A ticket-granting service provides access to a subject for a certain resource or object.

9. What technique might you use if you had access to a local (physical) network but the network used switches and you wanted to see all the traffic? A. DNS poisoning B. Phishing C. ARP spoofing D. Packet fragmentation

C - With ARP spoofing, you tell every system on the network that your MAC address maps to all of the IP addresses.

85. Which report would be best given to a client's senior leadership team? A. Analysis report B. Project summary report C. Executive summary report D. Chapter summary report

C - An executive report is a high-level view of the overall penetration testing result. It is geared towards senior officials and managers.

122. What Bluetooth attack would allow you to make a call after gaining access to a device for the purpose of surveillance? A. BlueSnarf B. BlueSurveill C. BlueBug D. BlueBang

C - BlueBug is a way of gaining access to a Bluetooth device and getting it to place a phone call. Once the call has been completed, the called party can listen in on anything happening in the vicinity of the phone.

50. What does the Clark-Wilson model use to refer to objects when it is looking at integrity? A. UTC and CDI B. CDI and CTI C. UDI and CDI D. UTI and UDI

C - Clark-Wilson uses unconstrained data items (UDIs) and constrained data items (CDIs) to talk about the integrity of data objects.

29. Within SNMP, which of the following is used for authentication? A. PIN B. Asymmetric strings C. Community strings D. Cryptographic strings

C - Community strings contain data that provides authentication. Depending on the type of string, it will provide the user with a certain level of privileges. For example, the public community string derives only a read-only privilege.

90. As a CISO, you published a security policy to your organization that a cross-shred shredder must be used to destroy classified documents in a secure manner. What type of security control did you implement? A. Technical B. Physical C. Administrative D. Controlled destruction

C - Even though using a shredder is a physical control to prevent info from being leaked, a mandatory policy was used to get the organization to conform.

87. What tactic are you using if you are using the keyword filename:? A. Footprinting B. Doxing C. Google Hacking D. IoT device lookup

C - Google Hacking uses sets of keywords to be able to narrow the results provided by Google.

105. Once the three-way handshake has been completed, in what state would a stateful firewall consider the communication flow to be? A. NEW B. RELATED C. ESTABLISHED D. STATELESS

C - Once a SYN message has been sent, the communication is considered to be NEW. If the traffic is a different stream that has an association with an existing stream, it would be considered RELATED. There is no STATELESS state. Once the three-way handshake has been completed, the communication is considered to be ESTABLISHED.

34. Which of these programming protocols passes objects between systems? A. SunRPC B. Portmapper C. RMI D. Nma

C - RMI is a way to implement interprocess communications using Java. Since Java is an object-oriented programming language, it would transmit objects. SMB is the Server Message Block protocol. Portmapper is a program that is used for remote procedure calls.

93. If you needed to generate a message authentication code (MAC), what would you use? A. AES B. PGP C. SHA D. MB4

C - SHA is the secure hashing algorithm, which could be used to generate a cryptographic hash that is used for message authentication codes.

100. As an attacker, you are trying to prevent an IDS from alerting your presence to the network administrators. You determine that the rules that are set in place by the firewall are pretty effective and you dare not risk any more attempts to get past the security appliances. What is one method that may defeat the security policies set in place by the IDS and other security appliances? A. Firewalking B. Conducting a reverse shell exploit C. Session splicing D. Using HTTP

C - Session splicing is the process of breaking up a payload among different packets that the IDS may ignore. When the host gets all of the packets and processes them, the exploit may trigger the arbitrary payload the adversary has sent, such as installing malware or providing a reverse command shell.

54. Which form of biometrics scans a pattern in the area of the eye around the pupil? A. Retinal scanning B. Fingerprint scanning C. Iris scanning D. Uvea scanning

C - The iris is the pattern in the area around the pupil. This is the colored part of the eye, and it has a distinct pattern, which is different from everyone else. The retina is a layer at the back of the eye, which is also distinct.

97. In Snort, which part of the rule dictates the source, destination, rule type, and direction? A. Rule body B. Rule action C. Rule header D. Rule connection

C - The rule header defines the rule type, the protocol, the source IP and port, the direction, and then the destination IP address and the port.

84. How many fields are there in a UDP header? A. Two B. Three C. Four D. Six

C - There are four fields in a UDP header: source and destination port as well as checksum and length.

51. Which wireless mode is used when there is a point-to-point connection but no wireless access point involved? A. One to one B. Synchronization setting C. Ad hoc D. Clients must access a WAP

C - When clients communicate directly with one another without aid of a wireless access point, they are communicating in ad hoc mode.

13. Under which auxiliary in Metasploit can you scan for SNMP configurations? A. auxiliary/snmp/scanner B. auxiliary/snmp/version C. auxiliary/scanner/snmp D. auxiliary/scan/snmp

C - When scanning for SNMP using Metasploit, the command is 'use auxiliary/scanner/snmp/<device name>'. Once that is set, you will set your listening and receiving host information and then execute the scan by entering run into the command line.

72. Why might you use a phone call for a social engineering attack over a phishing message? A. Phishing attacks don't guarantee success. B. Pretexting only works over the phone. C. Pretexting is more detailed on the phone. D. More people have phones than email.

C - You can get access to more people with the phone than with email, and the people you access may be less sophisticated in recognizing these types of attacks.

30. What is the function of a CNAME record? A. Provides authentication to a website B. Encrypts DNS zone transfers C. Supplements an alias to a domain name D. Replaces the MX for security transactions

C - A canonical name (CNAME) record provides an alias to a domain name. This maps a hostname to another hostname. While you may have multiple aliases, at some point there needs to be an A record to map a hostname to an IP address.

20. When writing a program, what is one of the fundamental tasks that should be done when declaring a variable? A. Assign a random value to it. B. Do not assign a value because it can corrupt data. C. Initialize the variable. D. A variable does not need to be initialized.

C - It is highly recommended to initialize variables with a value that is pertinent to their function. If you don't initialize the variable, data residue may still be present, and when it comes time to execute a set of instructions, the data output may not be accurate.

28. Which of the following is used for recording key strokes at a terminal or keyboard using malicious software? A. Spyware B. Malware C. Key logger D. Recordware

C. Key logger

61. What UDP flag forces a connection to terminate at both ends of the circuit? A. RST B. FIN C. None D. URG and RST

C - None. UDP does not use any flags.

113. As a security administrator, you notice that your users are writing down their login credentials and sticking them on their monitors. What is an effective way of combating this security issue? A. Implement a PKI solution. B. Mandate password changes every 30 days. C. Set up a user and security awareness training session. D. Inform users that they need to memorize their credentials.

C. Set up a user and security awareness training session.

104. If we send an ACK message to a system and there is no response, what can we determine from the port? A. ACK does not use a port. B. The port is open and ready to receive a SYN packet. C. The port is filtered. D. A SYN/ACK is returned.

C. The port is filtered.

3. How many subnets can be provided using a /26 Classless Inter-Domain Routing (CIDR) from a /24 allocation? A. 1 B. 2 C. 3 D. 4

D - A Class C subnet has 256 bits. Subtracting 192 bits from 256 bits results in 64 hosts per subnet. Dividing 256 by 64 provides 4 usable networks.

82. What type of attack is a Fraggle attack? A. XML entity B. False error C. Fragmentation D. Amplification

D - A Smurf attack is one where ICMP messages are used to get large volumes of responses sent to a target. Similarly, a Fraggle attack uses UDP messages to cause the same effect. As the goal is to get large volumes of messages sent to a victim, this is an amplification attack.

74. A wireless access point that looks like a known and legitimate wireless network may actually be what? A. Rogue AP B. Man in the middle C. Ad hoc solution D. Evil twin

D - An evil twin is a wireless access point that is made to look like an actual legitimate WAP. The adversary is tempting users to reconnect to it by having the victims send their credentials.

89. As a network administrator, your manager instructs you to reduce the organization's accessibility to the file server. She claims that doing so will aid in preventing company trade secrets from being leaked to the public; however, you understand that doing so will have a negative impact on productivity and aggravate employees. Which part of the confidentiality, integrity, and availability triad is being impacted here? A. Integrity B. Confidentiality C. Least privilege/need to know D. Availability

D - Availability is part of the triad that deals with how easy or hard it is to use resources or data. The easier it is to access data, the less secure it may be, but it's also true that the harder it is to access, the less likely it will be compromised and the more likely work production will be slowed down.

83. Who were the first ones to discover the POODLE vulnerability? A. Phil Zimmerman B. Akodo Toturi C. Urza and Mishra D. Moller, Duong, and Kotowicz

D - Bodo Möller, Thai Duong, and Krzysztof Kotowicz published the vulnerability to the public domain on Oct. 14, 2014.

46. If you were looking up information about a company in Brazil, which RIR would you be looking in for data? A. AFRINIC B. RIPE C. APNIC D. LACNIC

D - Brazil is in South America, which is considered to be in Latin America. This means it falls under the Latin America and Caribbean Network Information Center (LACNIC).

21. What is a heap? A. A static allocation of memory B. A memory segment located within the CPU C. Memory that is swapped to the hard drive D. Memory allocation of a size and location that is assigned dynamically

D - Heaps are used during the execution of a program. Because a program can have dynamic processes, heaps are used to allocate the amount of memory for it. Registers are memory that is stored in the CPU. Swap files are where data is stored that is swapped out of memory. Static allocation of memory is done on the stack.

108. What ICMP type denotes a "Time Exceeded" response? A. Type 3 B. Type 0 C. Type 5 D. Type 11

D - ICMP Type 11 provides the source with a "Time Exceeded" response. Time exceeded is more prevalent if satellite communications are involved and an IP booster is not in use.

52. To sniff wireless traffic at layer 2, what must you have set on your wireless adapter? A. Transport mode B. Promiscuous mode C. Transparency mode D. Monitor mode

D - Monitor mode allows the wireless adapter to receive the packets, read them, and then forward them to the sniffer. This allows traffic at the radio layer to be captured. While promiscuous mode is used to capture network traffic usually, it is not enough to capture wireless traffic, meaning down to layer 2.

96. As a black hat, you are conducting a reconnaissance operation on a potential target. You gather intelligence by using publicly available information, conducting stakeouts of the facility, and observing workers as they enter and leave the premises from across the street. What phase of the hacking methodologies are you operating within? A. Footprinting B. Fingerprinting C. Enumeration D. Passive reconnaissance

D - Passive reconnaissance is the act of gathering as much knowledge and intelligence as you can without directly impacting operations of the target. Although it is much harder to gather information through this phase, it almost guarantees that as a black hat, you and your operation will not be compromised.

86. What is the security principle that might result in requiring two people to perform a single task? A. Least privilege B. Two-man source C. Biba Model D. Separation of duties

D - Separation of duties is the principle that requires two or more people to perform a task. These tasks are usually tied to a sensitive action such as making a large deposit in a bank or even launching nukes. It stops one person or entity from having total control.

102. Using Nmap, which switches allow us to fingerprint an operating system and conduct a port scan? A. -sS -sO B. -sSO C. -O -Ss D. -O -sS

D - The -sS conducts a SYN scan, and the -O scans the system and fingerprints for an OS type.

109. Which of the following is a lightweight Cisco proprietary protocol for building security tunnels? A. EAP B. PEAP C. CHAP D. LEAP

D - The Lightweight Extensible Authentication Protocol (LEAP) is a Cisco proprietary protocol and can be used in place of TKIP.

8. Which of the following records determines a mail server in your domain? A. SOA B. CNAME C. A D. MX

D - The MX, or mail exchange record is the record that is used in a DNS server to identify the actual mail server. The SOA record is the start of authority record and is used to provide information about the domain itself. An A record is an IPv4 address, used to map a hostname with an IP address. A CNAME is a canonical name, or an alias, allowing a hostname to be mapped to another hostname, which may have an IP address associated with it.

36. In SQL, which of the following allows an individual to update a table? A. DROP B. ADD C. COPY D. UPDATE

D - The UPDATE command is used to update data in a record in a table. Depending on the situation, the adversary can add, create, or even change an admin's password in a SQL database.

48. You are performing an assessment on a cloud service that is the backend for a mobile application. What are you most likely to spend time testing? A. NoSQL database B. Data bus C. Microservices D. RESTful API

D - The interface to the backend of a mobile application is likely to be RESTful API.

24. What tool could be used to collect information like email addresses from PGP servers, Bing, Google, or LinkedIn? A. MegaPing B. nbtstat C. dig D. theHarvester

D - TheHarvester is used to collect information like email addresses from PGP servers, Bing, Google and LinkedIn.

62. What information does the traceroute tool provide? A. Username of the person logged in B. What links are encrypted on the network C. Layer 3 protocol details D. Route path information and hop count

D - Traceroute is a useful tool because it will tell the admin what path the packets are taking and possibly inform the admin of firewalls within its path.

15. Which of the following tools is used to encode your payload in Metasploit? A. msfconsole B. msfpayload C. encodesploit D. msfencode

D - When you're using msfencode in Metasploit, the payload will be converted into a raw output format. Encoding the payload allows the signature of your malware to be changed, greatly decreasing your ability to be detected by signature-based technology.

66. If you needed to enumerate data across multiple services and also store the data for retrieval later, what tool would you use? A. MegaPing B. Nmap C. Nessus D. Metasploit

D - While Nmap is an excellent program in its own right and can be used to enumerate data across multiple services, it doesn't store data in a database for retrieval later without some additional help. Metasploit can also be used to enumerate data across multiple services and also uses a database on the back end to store data to be retrieved later. Nessus is used to scan for vulnerabilities, and Masscan can be used to perform rapid port scans on large networks.

76. You have found an SMTP server open. What SMTP command might you be able to use to identify users on that SMTP server? A. EXPN B. EHLO C. VRML D. VRFY

D - You may be able to use VRFY (verify) to check an email address. EXPN is used to expand mailing lists. EHLO is how you would greet an extended SMTP server. VRML is not a command used for SMTP.

33. What do you call a device that facilitates connections and acts as a middleman between user workstations and servers they communicate with, commonly outside the network? A. Firewall B. Man in the middle C. Gateway D. Proxy server

D - A proxy server is a device that acts as a buffer between user workstations, which are trusted, and servers commonly outside the enterprise, which are untrusted. Connections originated from the user system will pass through the proxy, which will originate the message to the server.

57. What steps does the TCP handshake follow as described by the flags that are set? A. FIN, ACK, FIN B. SYN, SYN, ACK C. SYN, ACK, FIN D. SYN, SYN/ACK, ACK

D. SYN, SYN/ACK, ACK

1. Which protocol is used for network management and can gather statistics and derive a current status from the node that it is operating on? A. NTP B. SMNP C. SSH D. SNMP

D. The Simple Network Management Protocol is a protocol that is used with network appliances and nodes. You can gather statistical, performance, and status updates from your devices with this protocol.

5. What command can you use to switch to a different user in Linux? A. swu B. user C. sudo D. su

D. su
