CEHv9 Questions 601-700
601 Curt has successfully compromised a web server sitting behind a firewall using a vulnerability in the web server program. He would now like to install a backdoor program but knows that all ports are not open inbound on the firewall. Which port in the list below will most likely be open and allowed to reach the server that Curt has just compromised? (Select the Best Answer) A. 53 B. 25 C. 110 363 D. 69
A Explanation:
614 The following script shows a simple SQL injection. The script builds an SQL query by concatenating hard-coded strings together with a string entered by the user: The user is prompted to enter the name of a city on a Web form. If she enters Chicago, the query assembled by the script looks similar to the following: SELECT * FROM OrdersTable WHERE ShipCity = 'Chicago' How will you delete the OrdersTable from the database using SQL Injection? A. Chicago'; drop table OrdersTable -- B. Delete table'blah'; OrdersTable -- C. EXEC; SELECT * OrdersTable > DROP -- D. cmdshell'; 'del c:\sql\mydb\OrdersTable' //
A Explanation:
659 One of the effective DoS/DDoS countermeasures is 'Throttling'. Which statement correctly defines this term? A. Set up routers that access a server with logic to adjust incoming traffic to levels that will be safe for the server to process B. Providers can increase the bandwidth on critical connections to prevent them from going down in the event of an attack C. Replicating servers that can provide additional failsafe protection D. Load balance each server in a multiple-server architecture
A Explanation:
674 In this type of Man-in-the-Middle attack, packets and authentication tokens are captured using a 407 sniffer. Once the relevant information is extracted, the tokens are placed back on the network to gain access. A. Token Injection Replay attacks B. Shoulder surfing attack C. Rainbow and Hash generation attack D. Dumpster diving attack
A Explanation:
675 Jason is the network administrator of Spears Technology. He has enabled SNORT IDS to detect attacks going through his network. He receives Snort SMS alerts on his iPhone whenever there is an attempted intrusion to his network. He receives the following SMS message during the weekend. An attacker Chew Siew sitting in Beijing, China had just launched a remote scan on Jason's network with the hping command. Which of the following hping2 command is responsible for the above snort alert? A. chenrocks:/home/siew # hping -S -R -P -A -F -U 192.168.2.56 -p 22 -c 5 -t 118 B. chenrocks:/home/siew # hping -F -Q -J -A -C -W 192.168.2.56 -p 22 -c 5 -t 118 408 C. chenrocks:/home/siew # hping -D -V -R -S -Z -Y 192.168.2.56 -p 22 -c 5 -t 118 D. chenrocks:/home/siew # hping -G -T -H -S -L -W 192.168.2.56 -p 22 -c 5 -t 118
A Explanation:
685 Your company has blocked all the ports via external firewall and only allows port 80/443 to connect to the Internet. You want to use FTP to connect to some remote server on the Internet. How would you accomplish this? A. Use HTTP Tunneling B. Use Proxy Chaining C. Use TOR Network D. Use Reverse Chaining
A Explanation:
688 In which location, SAM hash passwords are stored in Windows 7? A. c:\windows\system32\config\SAM B. c:\winnt\system32\machine\SAM C. c:\windows\etc\drivers\SAM D. c:\windows\config\etc\SAM
A Explanation:
660 Attackers footprint target Websites using Google Hacking techniques. Google hacking is a term that refers to the art of creating complex search engine queries. It detects websites that are vulnerable to numerous exploits and vulnerabilities. Google operators are used to locate specific strings of text within the search results. The configuration file contains both a username and a password for an SQL database. Most sites with forums run a PHP message base. This file gives you the keys to that forum, including FULL ADMIN access to the database. WordPress uses config.php that stores the database Username and Password. 399 Which of the below Google search string brings up sites with "config.php" files? A. Search:index config/php B. Wordpress:index config.php C. intitle:index.of config.php D. Config.php:index list
C Explanation:
634 Your computer is infected by E-mail tracking and spying Trojan. This Trojan infects the computer with a single file - emos.sys Which step would you perform to detect this type of Trojan? 382 A. Scan for suspicious startup programs using msconfig B. Scan for suspicious network activities using Wireshark C. Scan for suspicious device drivers in c:\windows\system32\drivers D. Scan for suspicious open ports using netstat
C Explanation:
644 You want to capture Facebook website traffic in Wireshark. What display filter should you use that shows all TCP packets that contain the word 'facebook'? A. display==facebook B. traffic.content==facebook C. tcp contains facebook D. list.display.facebook 388
C Explanation:
648 What type of Trojan is this? A. RAT Trojan B. E-Mail Trojan C. Defacement Trojan D. Destructing Trojan E. Denial of Service Trojan
C Explanation:
680 E-mail tracking is a method to monitor and spy the delivered e-mails to the intended recipient. Select a feature, which you will NOT be able to accomplish with this probe? A. When the e-mail was received and read B. Send destructive e-mails C. GPS location and map of the recipient D. Time spent on reading the e-mails E. Whether or not the recipient visited any links sent to them F. Track PDF and other types of attachments G. Set messages to expire after specified time H. Remote control the User's E-mail client application and hijack the traffic
H Explanation:
696 What is the IV key size used in WPA2? A. 32 B. 24 C. 16 418 D. 48 E. 128
D Explanation:
618 An attacker finds a web page for a target organization that supplies contact information for the company. Using available details to make the message seem authentic, the attacker drafts e-mail to an employee on the contact page that appears to come from an individual who might reasonably request confidential information, such as a network administrator. The email asks the employee to log into a bogus page that requests the employee's user name and password or click on a link that will download spyware or other malicious programming. Google's Gmail was hacked using this technique and attackers stole source code and sensitive data from Google servers. This is highly sophisticated attack using zero-day exploit vectors, social engineering and malware websites that focused on targeted individuals working for the company. 373 What is this deadly attack called? A. Spear phishing attack B. Trojan server attack C. Javelin attack D. Social networking attack
A Explanation:
627 Google uses a unique cookie for each browser used by an individual user on a computer. This cookie contains information that allows Google to identify records about that user on its database. This cookie is submitted every time a user launches a Google search, visits a site using AdSense etc. The information stored in Google's database, identified by the cookie, includes Everything you search for using Google Every web page you visit that has Google Adsense ads How would you prevent Google from storing your search keywords? 378 A. Block Google Cookie by applying Privacy and Security settings in your web browser B. Disable the Google cookie using Google Advanced Search settings on Google Search page C. Do not use Google but use another search engine Bing which will not collect and store your search keywords D. Use MAC OS X instead of Windows 7. Mac OS has higher level of privacy controls by default.
A Explanation:
635 Shayla is an IT security consultant, specializing in social engineering and external penetration tests. Shayla has been hired on by Treks Avionics, a subcontractor for the Department of Defense. Shayla has been given authority to perform any and all tests necessary to audit the company's network security. No employees for the company, other than the IT director, know about Shayla's work she will be doing. Shayla's first step is to obtain a list of employees through company website contact pages. Then she befriends a female employee of the company through an online chat website. After meeting with the female employee numerous times, Shayla is able to gain her trust and they become friends. One day, Shayla steals the employee's access badge and uses it to gain unauthorized access to the Treks Avionics offices. What type of insider threat would Shayla be considered? A. She would be considered an Insider Affiliate B. Because she does not have any legal access herself, Shayla would be considered an Outside 383 Affiliate C. Shayla is an Insider Associate since she has befriended an actual employee D. Since Shayla obtained access with a legitimate company badge; she would be considered a Pure Insider
A Explanation:
637 A common technique for luring e-mail users into opening virus-launching attachments is to send messages that would appear to be relevant or important to many of their potential recipients. One way of accomplishing this feat is to make the virus-carrying messages appear to come from some type of business entity retailing sites, UPS, FEDEX, CITIBANK or a major provider of a common service. Here is a fraudulent e-mail claiming to be from FedEx regarding a package that could not be delivered. This mail asks the receiver to open an attachment in order to obtain the FEDEX tracking number for picking up the package. The attachment contained in this type of e-mail activates a virus. 384 Vendors send e-mails like this to their customers advising them not to open any files attached with the mail, as they do not include attachments. Fraudulent e-mail and legit e-mail that arrives in your inbox contain the fedex.com as the sender of the mail. How do you ensure if the e-mail is authentic and sent from fedex.com? A. Verify the digital signature attached with the mail, the fake mail will not have Digital ID at all B. Check the Sender ID against the National Spam Database (NSD) C. Fake mail will have spelling/grammatical errors D. Fake mail uses extensive images, animation and flash content
A Explanation:
641 Which Steganography technique uses Whitespace to hide secret messages? A. snow B. beetle C. magnet D. cat
A Explanation:
650 Web servers often contain directories that do not need to be indexed. You create a text file with search engine indexing restrictions and place it on the root directory of the Web Server. User-agent: * Disallow: /images/ Disallow: /banners/ Disallow: /Forms/ Disallow: /Dictionary/ Disallow: /_borders/ Disallow: /_fpclass/ Disallow: /_overlay/ Disallow: /_private/ Disallow: /_themes/ 393 What is the name of this file? A. robots.txt B. search.txt C. blocklist.txt D. spf.txt
A Explanation:
651 Attackers target HINFO record types stored on a DNS server to enumerate information. These are information records and potential source for reconnaissance. A network administrator has the option of entering host information specifically the CPU type and operating system when creating a new DNS record. An attacker can extract this type of information easily from a DNS server. Which of the following commands extracts the HINFO record? 394 A. Option A B. Option B C. Option C D. Option D
A Explanation:
652 What is War Dialing? A. War dialing involves the use of a program in conjunction with a modem to penetrate the modem/PBX-based systems B. War dialing is a vulnerability scanning technique that penetrates Firewalls C. It is a social engineering technique that uses Phone calls to trick victims D. Involves IDS Scanning Fragments to bypass Internet filters and stateful Firewalls
A Explanation:
656 This tool is widely used for ARP Poisoning attack. Name the tool. 396 A. Cain and Able B. Beat Infector C. Poison Ivy D. Webarp Infector
A Explanation:
658 You receive an e-mail with the following text message. "Microsoft and HP today warned all customers that a new, highly dangerous virus has been discovered which will erase all your files at midnight. If there's a file called hidserv.exe on your computer, you have been infected and your computer is now running a hidden server that allows hackers to access your computer. Delete the file immediately. Please also pass this message to all your friends and colleagues as soon as possible." 398 You launch your antivirus software and scan the suspicious looking file hidserv.exe located in c:\windows directory and the AV comes out clean meaning the file is not infected. You view the file signature and confirm that it is a legitimate Windows system file "Human Interface Device Service". What category of virus is this? A. Virus hoax B. Spooky Virus C. Stealth Virus D. Polymorphic Virus
A Explanation:
691 One of the ways to map a targeted network for live hosts is by sending an ICMP ECHO request to the broadcast or the network address. The request would be broadcasted to all hosts on the targeted network. The live hosts will send an ICMP ECHO Reply to the attacker's source IP address. You send a ping request to the broadcast address 192.168.5.255. There are 40 computers up and running on the target network. Only 13 hosts send a reply while others do not. Why? A. Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO 416 request aimed at the broadcast address or at the network address. B. Linux machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address. C. You should send a ping request with this command ping ? 192.168.5.0-255 D. You cannot ping a broadcast address. The above scenario is wrong.
A Explanation:
692 Charlie is the network administrator for his company. Charlie just received a new Cisco router and wants to test its capabilities out and to see if it might be susceptible to a DoS attack resulting in its locking up. The IP address of the Cisco switch is 172.16.0.45. What command can Charlie use to attempt this task? A. Charlie can use the command: ping -l 56550 172.16.0.45 -t. B. Charlie can try using the command: ping 56550 172.16.0.45. C. By using the command ping 172.16.0.45 Charlie would be able to lockup the router D. He could use the command: ping -4 56550 172.16.0.45.
A Explanation:
697 What type of session hijacking attack is shown in the exhibit? A. Session Sniffing Attack B. Cross-site scripting Attack C. SQL Injection Attack D. Token sniffing Attack
A Explanation:
699 Frederickson Security Consultants is currently conducting a security audit on the networks of Hawthorn Enterprises, a contractor for the Department of Defense. Since Hawthorn Enterprises conducts business daily with the federal government, they must abide by very stringent security policies. Frederickson is testing all of Hawthorn's physical and logical security measures including biometrics, passwords, and permissions. The federal government requires that all users must utilize random, non-dictionary passwords that must take at least 30 days to crack. Frederickson has confirmed that all Hawthorn employees use a random password generator for their network passwords. The Frederickson consultants have saved off numerous SAM files from Hawthorn's servers using Pwdump6 and are going to try and crack the network passwords. What method of attack is best suited to crack these passwords in the shortest amount of time? A. Brute force attack B. Birthday attack C. Dictionary attack D. Brute service attack
A Explanation:
604 Which of the following countermeasure can specifically protect against both the MAC Flood and MAC Spoofing attacks? A. Configure Port Security on the switch B. Configure Port Recon on the switch C. Configure Switch Mapping D. Configure Multiple Recognition on the switch
A Explanation: 365
611 How do you defend against Privilege Escalation? 369 A. Use encryption to protect sensitive data B. Restrict the interactive logon privileges C. Run services as unprivileged accounts D. Allow security settings of IE to zero or Low E. Run users and applications on the least privileges
A,B,C,E Explanation:
673 What techniques would you use to evade IDS during a Port Scan? (Select 4 answers) A. Use fragmented IP packets B. Spoof your IP address when launching attacks and sniff responses from the server C. Overload the IDS with Junk traffic to mask your scan D. Use source routing (if possible) E. Connect to proxy servers or compromised Trojaned machines to launch attacks
A,B,D,E Explanation:
615 371 What are the limitations of Vulnerability scanners? (Select 2 answers) A. There are often better at detecting well-known vulnerabilities than more esoteric ones B. The scanning speed of their scanners are extremely high C. It is impossible for any, one scanning product to incorporate all known vulnerabilities in a timely manner D. The more vulnerabilities detected, the more tests required E. They are highly expensive and require per host scan license
A,C Explanation:
606 This type of Port Scanning technique splits TCP header into several packets so that the packet filters are not able to detect what the packets intends to do. A. UDP Scanning B. IP Fragment Scanning C. Inverse TCP flag scanning D. ACK flag scanning
B Explanation:
608 TCP SYN Flood attack uses the three-way handshake mechanism. 1. An attacker at system A sends a SYN packet to victim at system B. 2. System B sends a SYN/ACK packet to victim A. 3. As a normal three-way handshake mechanism system A should send an ACK packet to system B, however, system A does not send an ACK packet to system B. In this case client B is waiting for an ACK packet from client A. This status of client B is called _________________ A. "half-closed" B. "half open" C. "full-open" D. "xmas-open"
B Explanation:
620 How does traceroute map the route a packet travels from point A to point B? A. Uses a TCP timestamp packet that will elicit a time exceeded in transit message B. Manipulates the value of the time to live (TTL) within packet to elicit a time exceeded in transit message C. Uses a protocol that will be rejected by gateways on its way to the destination D. Manipulates the flags within packets to force gateways into generating error messages
B Explanation:
621 How do you defend against DHCP Starvation attack? A. Enable ARP-Block on the switch B. Enable DHCP snooping on the switch C. Configure DHCP-BLOCK to 1 on the switch D. Install DHCP filters on the switch to block this attack 375
B Explanation:
624 In TCP communications there are 8 flags; FIN, SYN, RST, PSH, ACK, URG, ECE, CWR. These flags have decimal numbers assigned to them: FIN = 1 SYN = 2 RST = 4 PSH = 8 ACK = 16 URG = 32 ECE = 64 CWR = 128 Jason is the security administrator of ASPEN Communications. He analyzes some traffic using Wireshark and has enabled the following filters. What is Jason trying to accomplish here? A. SYN, FIN, URG and PSH B. SYN, SYN/ACK, ACK C. RST, PSH/URG, FIN D. ACK, ACK, SYN, URG
B Explanation:
632 In which part of OSI layer, ARP Poisoning occurs? 381 A. Transport Layer B. Datalink Layer C. Physical Layer D. Application layer
B Explanation:
633 You want to hide a secret.txt document inside c:\windows\system32\tcpip.dll kernel library using ADS streams. How will you accomplish this? A. copy secret.txt c:\windows\system32\tcpip.dll kernel>secret.txt B. copy secret.txt c:\windows\system32\tcpip.dll:secret.txt C. copy secret.txt c:\windows\system32\tcpip.dll |secret.txt D. copy secret.txt >< c:\windows\system32\tcpip.dll kernel secret.txt
B Explanation:
636 This attack technique is used when a Web application is vulnerable to an SQL Injection but the results of the Injection are not visible to the attacker. A. Unique SQL Injection B. Blind SQL Injection C. Generic SQL Injection D. Double SQL Injection
B Explanation:
653 Steven the hacker realizes the network administrator of Acme Corporation is using syskey in Windows 2008 Server to protect his resources in the organization. Syskey independently encrypts the hashes so that physical access to the server, tapes, or ERDs is only first step to cracking the passwords. Steven must break through the encryption used by syskey before he can attempt to use brute force dictionary attacks on the hashes. Steven runs a program called "SysCracker" targeting the Windows 2008 Server machine in attempting to crack the hash used by Syskey. He needs to configure the encryption level before he can launch the attack. How many bits does Syskey use for encryption? A. 40-bit encryption B. 128-bit encryption C. 256-bit encryption D. 64-bit encryption
B Explanation:
654 Ursula is a college student at a University in Amsterdam. Ursula originally went to college to study 395 engineering but later changed to marine biology after spending a month at sea with her friends. These friends frequently go out to sea to follow and harass fishing fleets that illegally fish in foreign waters. Ursula eventually wants to put companies practicing illegal fishing out of business. Ursula decides to hack into the parent company's computers and destroy critical data knowing fully well that, if caught, she probably would be sent to jail for a very long time. What would Ursula be considered? A. Ursula would be considered a gray hat since she is performing an act against illegal activities. B. She would be considered a suicide hacker. C. She would be called a cracker. D. Ursula would be considered a black hat.
B Explanation:
671 TCP packets transmitted in either direction after the initial three-way handshake will have which of the following bit set? A. SYN flag B. ACK flag C. FIN flag D. XMAS flag
B Explanation:
672 What framework architecture is shown in this exhibit? 406 A. Core Impact B. Metasploit C. Immunity Canvas D. Nessus
B Explanation:
630 This attack uses social engineering techniques to trick users into accessing a fake Web site and divulging personal information. Attackers send a legitimate-looking e-mail asking users to update their information on the company's Web site, but the URLs in the e-mail actually point to a false Web site. A. Wiresharp attack 380 B. Switch and bait attack C. Phishing attack D. Man-in-the-Middle attack
C Explanation:
677 Hampton is the senior security analyst for the city of Columbus in Ohio. His primary responsibility is to ensure that all physical and logical aspects of the city's computer network are secure from all angles. Bill is an IT technician that works with Hampton in the same IT department. Bill's primary responsibility is to keep PC's and servers up to date and to keep track of all the agency laptops that the company owns and lends out to its employees. After Bill setup a wireless network for the agency, Hampton made sure that everything was secure. He instituted encryption, rotating keys, turned off SSID broadcasting, and enabled MAC filtering. According to agency policy, only company laptops are allowed to use the wireless network, so Hampton entered all the MAC addresses for those laptops into the wireless security utility so that only those laptops should be able to access the wireless network. Hampton does not keep track of all the laptops, but he is pretty certain that the agency only purchases Dell laptops. Hampton is curious about this because he notices Bill working on a Toshiba laptop one day and saw that he was on the Internet. Instead of jumping to conclusions, 409 Hampton decides to talk to Bill's boss and see if they had purchased a Toshiba laptop instead of the usual Dell. Bill's boss said no, so now Hampton is very curious to see how Bill is accessing the Internet. Hampton does site surveys every couple of days, and has yet to see any outside wireless network signals inside the company's building. How was Bill able to get Internet access without using an agency laptop? A. Bill spoofed the MAC address of Dell laptop B. Bill connected to a Rogue access point C. Toshiba and Dell laptops share the same hardware address D. Bill brute forced the Mac address ACLs
B Explanation:
682 What type of Virus is shown here? A. Macro Virus B. Cavity Virus C. Boot Sector Virus D. Metamorphic Virus E. Sparse Infector Virus
B Explanation:
689 File extensions provide information regarding the underlying server technology. Attackers can use this information to search vulnerabilities and launch attacks. How would you disable file extensions in Apache servers? 415 A. Use disable-eXchange B. Use mod_negotiation C. Use Stop_Files D. Use Lib_exchanges
B Explanation:
693 What type of encryption does WPA2 use? A. DES 64 bit B. AES-CCMP 128 bit C. MD5 48 bit D. SHA 160 bit
B Explanation:
623 Neil is a network administrator working in Istanbul. Neil wants to setup a protocol analyzer on his network that will receive a copy of every packet that passes through the main office switch. What type of port will Neil need to setup in order to accomplish this? A. Neil will have to configure a Bridged port that will copy all packets to the protocol analyzer. B. Neil will need to setup SPAN port that will copy all network traffic to the protocol analyzer. C. He will have to setup an Ether channel port to get a copy of all network traffic to the analyzer. D. He should setup a MODS port which will copy all network traffic.
B Explanation: 376
647 Fake Anti-Virus, is one of the most frequently encountered and persistent threats on the web. This 390 malware uses social engineering to lure users into infected websites with a technique called Search Engine Optimization. Once the Fake AV is downloaded into the user's computer, the software will scare them into believing their system is infected with threats that do not really exist, and then push users to purchase services to clean up the non-existent threats. The Fake AntiVirus will continue to send these annoying and intrusive alerts until a payment is made. What is the risk of installing Fake AntiVirus? A. Victim's Operating System versions, services running and applications installed will be published on Blogs and Forums B. Victim's personally identifiable information such as billing address and credit card details, may be extracted and exploited by the attacker C. Once infected, the computer will be unable to boot and the Trojan will attempt to format the hard disk D. Denial of Service attack will be launched against the infected computer crashing other machines on the connected network
B Explanation: 391
669 This method is used to determine the Operating system and version running on a remote target system. What is it called? A. Service Degradation B. OS Fingerprinting C. Manual Target System D. Identification Scanning
B Explanation: 405
683 John is using a special tool on his Linux platform that has a database containing signatures to be able to detect hundreds of vulnerabilities in UNIX, Windows, and commonly used web CGI/ASPX scripts. Moreover, the database detects DDoS zombies and Trojans as well. What would be the name of this tool? A. hping2 B. nessus C. nmap D. make
B Explanation: 413
646 Most cases of insider abuse can be traced to individuals who are introverted, incapable of dealing with stress or conflict, and frustrated with their job, office politics, and lack of respect or promotion. Disgruntled employees may pass company secrets and intellectual property to competitors for monitory benefits. Here are some of the symptoms of a disgruntled employee: a. Frequently leaves work early, arrive late or call in sick b. Spends time surfing the Internet or on the phone c. Responds in a confrontational, angry, or overly aggressive way to simple requests or comments d. Always negative; finds fault with everything These disgruntled employees are the biggest threat to enterprise security. How do you deal with these threats? (Select 2 answers) A. Limit access to the applications they can run on their desktop computers and enforce strict work hour rules B. By implementing Virtualization technology from the desktop to the data centre, organizations can isolate different environments with varying levels of access and security to various employees C. Organizations must ensure that their corporate data is centrally managed and delivered to users just and when needed D. Limit Internet access, e-mail communications, access to social networking sites and job hunting portals
B,C Explanation:
616 Stephanie works as senior security analyst for a manufacturing company in Detroit. Stephanie manages network security throughout the organization. Her colleague Jason told her in confidence that he was able to see confidential corporate information posted on the external website http://www.jeansclothesman.com. He tries random URLs on the company's website and finds confidential information leaked over the web. Jason says this happened about a month ago. Stephanie visits the said URLs, but she finds nothing. She is very concerned about this, since someone should be held accountable if there was sensitive information posted on the website. Where can Stephanie go to see past versions and pages of a website? A. She should go to the web page Samspade.org to see web pages that might no longer be on the website B. If Stephanie navigates to Search.com; she will see old versions of the company website C. Stephanie can go to Archive.org to see past versions of the company website D. AddressPast.com would have any web pages that are no longer hosted on the company's website
C Explanation:
607 Anonymizer sites access the Internet on your behalf, protecting your personal information from disclosure. An anonymizer protects all of your computer's identifying information while it surfs for you, enabling you to remain at least one step removed from the sites you visit. You can visit Web sites without allowing anyone to gather information on sites visited by you. Services that provide anonymity disable pop-up windows and cookies, and conceal visitor's IP address. These services typically use a proxy server to process each HTTP request. When the user requests a Web page by clicking a hyperlink or typing a URL into their browser, the service retrieves and displays the information using its own server. The remote server (where the requested Web page resides) receives information on the anonymous Web surfing service in place of your information. In which situations would you want to use anonymizer? (Select 3 answers) A. Increase your Web browsing bandwidth speed by using Anonymizer B. To protect your privacy and Identity on the Internet C. To bypass blocking applications that would prevent access to Web sites or parts of sites that you want to visit. D. Post negative entries in blogs without revealing your IP identity
B,C,D Explanation: 367
666 A Trojan horse is a destructive program that masquerades as a benign application. The software initially appears to perform a desirable function for the user prior to installation and/or execution, but in addition to the expected function steals information or harms the system. The challenge for an attacker is to send a convincing file attachment to the victim, which gets easily executed on the victim machine without raising any suspicion. Today's end users are quite knowledgeable about malwares and viruses. Instead of sending games and fun executables, Hackers today are quite successful in spreading the Trojans using Rogue security software. What is Rogue security software? A. A flash file extension to Firefox that gets automatically installed when a victim visits rogue software disabling websites B. A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software. C. A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software. D. A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software. E. Rogue security software is based on social engineering technique in which the attackers lures victim to visit spear phishing websites F. This software disables firewalls and establishes reverse connecting tunnel between the victim's machine and that of the attacker
B,C,D Explanation: 404
663 Which of the following statement correctly defines ICMP Flood Attack? (Select 2 answers) 401 A. Bogus ECHO reply packets are flooded on the network spoofing the IP and MAC address B. The ICMP packets signal the victim system to reply and the combination of traffic saturates the bandwidth of the victim's network C. ECHO packets are flooded on the network saturating the bandwidth of the subnet causing denial of service D. A DDoS ICMP flood attack occurs when the zombies send large volumes of ICMP_ECHO_REPLY packets to the victim system.
B,D Explanation:
605 If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization. How would you prevent such type of attacks? A. It is impossible to block these attacks B. Hire the people through third-party job agencies who will vet them for you C. Conduct thorough background checks before you engage them D. Investigate their social networking profiles
C 366 Explanation:
609 Lori is a Certified Ethical Hacker as well as a Certified Hacking Forensics Investigator working as an IT security consultant. Lori has been hired on by Kiley Innovators, a large marketing firm that recently underwent a string of thefts and corporate espionage incidents. Lori is told that a rival marketing company came out with an exact duplicate product right before Kiley Innovators was about to release it. The executive team believes that an employee is leaking information to the rival company. Lori questions all employees, reviews server logs, and firewall logs; after which she finds nothing. Lori is then given permission to search through the corporate email system. She searches by email being sent to and sent from the rival marketing company. She finds one employee that appears to be sending very large email to this other marketing company, even though they should have no reason to be communicating with them. Lori tracks down the actual emails sent and upon opening them, only finds picture files attached to them. These files seem perfectly harmless, usually containing some kind of joke. Lori decides to use some special software to further examine the pictures and finds that each one had hidden text that was stored in each picture. What technique was used by the Kiley Innovators employee to send information to the rival 368 marketing company? A. The Kiley Innovators employee used cryptography to hide the information in the emails sent B. The method used by the employee to hide the information was logical watermarking C. The employee used steganography to hide information in the picture attachments D. By using the pictures to hide information, the employee utilized picture fuzzing
C Explanation:
610 You run nmap port Scan on 10.0.0.5 and attempt to gain banner/server information from services running on ports 21, 110 and 123. Here is the output of your scan results: Which of the following nmap command did you run? A. nmap -A -sV -p21,110,123 10.0.0.5 B. nmap -F -sV -p21,110,123 10.0.0.5 C. nmap -O -sV -p21,110,123 10.0.0.5 D. nmap -T -sV -p21,110,123 10.0.0.5
C Explanation:
628 In Trojan terminology, what is required to create the executable file chess.exe as shown below? A. Mixer 379 B. Converter C. Wrapper D. Zipper
C Explanation:
662 Bob has set up three web servers on Windows Server 2008 IIS 7.0. Bob has followed all the recommendations for securing the operating system and IIS. These servers are going to run numerous e-commerce websites that are projected to bring in thousands of dollars a day. Bob is still concerned about the security of these servers because of the potential for financial loss. Bob has asked his company's firewall administrator to set the firewall to inspect all incoming traffic on ports 80 and 443 to ensure that no malicious data is getting into the network. Why will this not be possible? A. Firewalls cannot inspect traffic coming through port 443 B. Firewalls can only inspect outbound traffic C. Firewalls cannot inspect traffic at all, they can only block or allow certain ports D. Firewalls cannot inspect traffic coming through port 80
C Explanation:
664 Lori was performing an audit of her company's internal Sharepoint pages when she came across the following code: What is the purpose of this code? 402 A. This JavaScript code will use a Web Bug to send information back to another server. B. This code snippet will send a message to a server at 192.154.124.55 whenever the "escape" key is pressed. C. This code will log all keystrokes. D. This bit of JavaScript code will place a specific image on every page of the RSS feed.
C Explanation:
668 Lee is using Wireshark to log traffic on his network. He notices a number of packets being directed to an internal IP from an outside IP where the packets are ICMP and their size is around 65,536 bytes. What is Lee seeing here? A. Lee is seeing activity indicative of a Smurf attack. B. Most likely, the ICMP packets are being sent in this manner to attempt IP spoofing. C. Lee is seeing a Ping of death attack. D. This is not unusual traffic, ICMP packets can be of any size.
C Explanation:
676 Leesa is the senior security analyst for a publicly traded company. The IT department recently rolled out an intranet for company use only with information ranging from training, to holiday schedules, to human resources data. Leesa wants to make sure the site is not accessible from outside and she also wants to ensure the site is Sarbanes-Oxley (SOX) compliant. Leesa goes to a public library as she wants to do some Google searching to verify whether the company's intranet is accessible from outside and has been indexed by Google. Leesa wants to search for a website title of "intranet" with part of the URL containing the word "intranet" and the words "human resources" somewhere in the webpage. What Google search will accomplish this? A. related:intranet allinurl:intranet:"human resources" B. cache:"human resources" inurl:intranet(SharePoint) C. intitle:intranet inurl:intranet+intext:"human resources" D. site:"human resources"+intext:intranet intitle:intranet
C Explanation:
681 Which of the following Trojans would be considered 'Botnet Command Control Center'? A. YouKill DOOM B. Damen Rock C. Poison Ivy 412 D. Matten Kit
C Explanation:
695 Which port, when configured on a switch receives a copy of every packet that passes through it? A. R-DUPE Port B. MIRROR port C. SPAN port D. PORTMON
C Explanation:
643 David is a security administrator working in Boston. David has been asked by the office's manager to block all POP3 traffic at the firewall because he believes employees are spending too much time reading personal email. How can David block POP3 at the firewall? A. David can block port 125 at the firewall. B. David can block all EHLO requests that originate from inside the office. C. David can stop POP3 traffic by blocking all HELO requests that originate from inside the office. D. David can block port 110 to block all POP3 traffic.
D Explanation:
602 You are the chief information officer for your company, a shipping company based out of Oklahoma City. You are responsible for network security throughout the home office and all branch offices. You have implemented numerous layers of security from logical to physical. As part of your procedures, you perform a yearly network assessment which includes vulnerability analysis, internal network scanning, and external penetration tests. Your main concern currently is the server in the DMZ which hosts a number of company websites. To see how the server appears to external users, you log onto a laptop at a Wi-Fi hot spot. Since you already know the IP address of the web server, you create a telnet session to that server and type in the command: HEAD /HTTP/1.0 After typing in this command, you are presented with the following screen: What are you trying to do here? A. You are attempting to send an html file over port 25 to the web server. B. By typing in the HEAD command, you are attempting to create a buffer overflow on the web server. C. You are trying to open a remote shell to the web server. D. You are trying to grab the banner of the web server. *
D Explanation:
613 Which of the following type of scanning utilizes automated process of proactively identifying vulnerabilities of the computing systems present on a network? A. Port Scanning B. Single Scanning C. External Scanning D. Vulnerability Scanning
D Explanation:
619 Vulnerability scanners are automated tools that are used to identify vulnerabilities and misconfigurations of hosts. They also provide information regarding mitigating discovered vulnerabilities. Which of the following statements is incorrect? A. Vulnerability scanners attempt to identify vulnerabilities in the hosts scanned. B. Vulnerability scanners can help identify out-of-date software versions, missing patches, or system upgrades C. They can validate compliance with or deviations from the organization's security policy D. Vulnerability scanners can identify weakness and automatically fix and patch the vulnerabilities 374 without user intervention
D Explanation:
622 What type of session hijacking attack is shown in the exhibit? A. Cross-site scripting Attack B. SQL Injection Attack C. Token sniffing Attack D. Session Fixation Attack
D Explanation:
625 Jayden is a network administrator for her company. Jayden wants to prevent MAC spoofing on all the Cisco switches in the network. How can she accomplish this? A. Jayden can use the command: ip binding set. B. Jayden can use the command: no ip spoofing. C. She should use the command: no dhcp spoofing. 377 - - D. She can use the command: ip dhcp snooping binding.
D Explanation:
629 Syslog is a standard for logging program messages. It allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. It also provides devices, which would otherwise be unable to communicate a means to notify administrators of problems or performance. What default port Syslog daemon listens on? A. 242 B. 312 C. 416 D. 514
D Explanation:
631 What is the correct command to run Netcat on a server using port 56 that spawns command shell when connected? A. nc -port 56 -s cmd.exe B. nc -p 56 -p -e shell.exe C. nc -r 56 -c cmd.exe D. nc -L 56 -t -e cmd.exe
D Explanation:
639 What is a sniffing performed on a switched network called? A. Spoofed sniffing B. Passive sniffing C. Direct sniffing D. Active sniffing
D Explanation:
640 A rootkit is a collection of tools (programs) that enable administrator-level access to a computer. This program hides itself deep into an operating system for malicious activity and is extremely difficult to detect. The malicious software operates in a stealth fashion by hiding its files, processes and registry keys and may be used to create a hidden directory or folder designed to keep out of view from a user's operating system and security software. 386 What privilege level does a rootkit require to infect successfully on a Victim's machine? A. User level privileges B. Ring 3 Privileges C. System level privileges D. Kernel level privileges
D Explanation:
642 Cyber Criminals have long employed the tactic of masking their true identity. In IP spoofing, an 387 attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine, by "spoofing" the IP address of that machine. How would you detect IP spoofing? A. Check the IPID of the spoofed packet and compare it with TLC checksum. If the numbers match then it is spoofed packet B. Probe a SYN Scan on the claimed host and look for a response SYN/FIN packet, if the connection completes then it is a spoofed packet C. Turn on 'Enable Spoofed IP Detection' in Wireshark, you will see a flag tick if the packet is spoofed D. Sending a packet to the claimed host will result in a reply. If the TTL in the reply is not the same as the packet being checked then it is a spoofed packet
D Explanation:
645 XSS attacks occur on Web pages that do not perform appropriate bounds checking on data entered by users. Characters like < > that mark the beginning/end of a tag should be converted into HTML entities. What is the correct code when converted to html entities? 389 A. Option A B. Option B C. Option C D. Option D
D Explanation:
649 Maintaining a secure Web server requires constant effort, resources, and vigilance from an organization. Securely administering a Web server on a daily basis is an essential aspect of Web server security. Maintaining the security of a Web server will usually involve the following steps: 1. Configuring, protecting, and analyzing log files 392 2. Backing up critical information frequently 3. Maintaining a protected authoritative copy of the organization's Web content 4. Establishing and following procedures for recovering from compromise 5. Testing and applying patches in a timely manner 6. Testing security periodically. In which step would you engage a forensic investigator? A. 1 B. 2 C. 3 D. 4 E. 5 F. 6
D Explanation:
655 Attacking well-known system defaults is one of the most common hacker attacks. Most software is shipped with a default configuration that makes it easy to install and setup the application. You should change the default settings to secure the system. Which of the following is NOT an example of default installation? A. Many systems come with default user accounts with well-known passwords that administrators forget to change B. Often, the default location of installation files can be exploited which allows a hacker to retrieve a file from the system C. Many software packages come with "samples" that can be exploited, such as the sample programs on IIS web services D. Enabling firewall and anti-virus software on the local system
D Explanation:
661 Which of the following tool would be considered as Signature Integrity Verifier (SIV)? 400 A. Nmap B. SNORT C. VirusSCAN D. Tripwire
D Explanation:
665 You are the CIO for Avantes Finance International, a global finance company based in Geneva. You are responsible for network functions and logical security throughout the entire corporation. Your company has over 250 servers running Windows Server, 5000 workstations running Windows Vista, and 200 mobile users working from laptops on Windows 7. Last week, 10 of your company's laptops were stolen from salesmen while at a conference in Amsterdam. These laptops contained proprietary company information. While doing damage assessment on the possible public relations nightmare this may become, a news story leaks about the stolen laptops and also that sensitive information from those computers was posted to a blog online. What built-in Windows feature could you have implemented to protect the sensitive information on these laptops? A. You should have used 3DES which is built into Windows B. If you would have implemented Pretty Good Privacy (PGP) which is built into Windows, the sensitive information on the laptops would not have leaked out C. You should have utilized the built-in feature of Distributed File System (DFS) to protect the sensitive information on the laptops D. You could have implemented Encrypted File System (EFS) to encrypt the sensitive files on the laptops 403
D Explanation:
670 You are gathering competitive intelligence on an organization. You notice that they have jobs listed on a few Internet job-hunting sites. There are two jobs for network and system administrators. How can this help you in foot printing the organization? A. To learn about the IP range used by the target network B. To identify the number of employees working for the company C. To test the limits of the corporate security policy enforced in the company D. To learn about the operating systems, services and applications used on the network
D Explanation:
678 Harold works for Jacobson Unlimited in the IT department as the security manager. Harold has created a security policy requiring all employees to use complex 14 character passwords. Unfortunately, the members of management do not want to have to use such long complicated passwords so they tell Harold's boss this new password policy should not apply to them. To comply with the management's wishes, the IT department creates another Windows domain and moves all the management users to that domain. This new domain has a password policy only requiring 8 characters. Harold is concerned about having to accommodate the managers, but cannot do anything about it. Harold is also concerned about using LanManager security on his network instead of NTLM or NTLMv2, but the many legacy applications on the network prevent using the more secure NTLM and NTLMv2. Harold pulls the SAM files from the DC's on the original domain and the new domain using Pwdump6. Harold uses the password cracking software John the Ripper to crack users' passwords to make sure they are strong enough. Harold expects that the users' passwords in the original domain will take much longer to crack than the management's passwords in the new domain. After running the software, Harold discovers that the 14 character passwords only took a short time longer to crack than the 8 character passwords. Why did the 14 character passwords not take much longer to crack than the 8 character passwords? A. Harold should have used Dumpsec instead of Pwdump6 B. Harold's dictionary file was not large enough 410 - - - - - - C. Harold should use LC4 instead of John the Ripper D. LanManger hashes are broken up into two 7 character fields
D Explanation:
679 You establish a new Web browser connection to Google. Since a 3-way handshake is required for any TCP connection, the following actions will take place. DNS query is sent to the DNS server to resolve www.google.com DNS server replies with the IP address for Google? SYN packet is sent to Google. Google sends back a SYN/ACK packet Your computer completes the handshake by sending an ACK The connection is established and the transfer of data commences Which of the following packets represent completion of the 3-way handshake? A. 4th packet B. 3rdpacket C. 6th packet 411 D. 5th packet
D Explanation:
684 Fred is scanning his network to ensure it is as secure as possible. Fred sends a TCP probe packet to a host with a FIN flag and he receives a RST/ACK response. What does this mean? A. This response means the port he is scanning is open. B. The RST/ACK response means the port Fred is scanning is disabled. C. This means the port he is scanning is half open. D. This means that the port he is scanning on the host is closed.
D Explanation:
687 How do you defend against MAC attacks on a switch? A. Disable SPAN port on the switch B. Enable SNMP Trap on the switch C. Configure IP security on the switch D. Enable Port Security on the switch
D Explanation:
690 NetBIOS over TCP/IP allows files and/or printers to be shared over the network. You are trying to intercept the traffic from a victim machine to a corporate network printer. You are attempting to hijack the printer network connection from your laptop by sniffing the wire. Which port does SMB over TCP/IP use? A. 443 B. 139 C. 179 D. 445
D Explanation:
694 Attackers send an ACK probe packet with random sequence number, no response means port is filtered (Stateful firewall is present) and RST response means the port is not filtered. What type of Port Scanning is this? 417 A. RST flag scanning B. FIN flag scanning C. SYN flag scanning D. ACK flag scanning
D Explanation:
700 An Attacker creates a zuckerjournals.com website by copying and mirroring HACKERJOURNALS.COM site to spread the news that Hollywood actor Jason Jenkins died in a car accident. The attacker then submits his fake site for indexing in major search engines. When users search for "Jason Jenkins", attacker's fake site shows up and dupes victims by the fake news. 420 This is another great example that some people do not know what URL's are. Real website: Fake website: http://www.zuckerjournals.com 421 The website is clearly not WWW.HACKERJOURNALS.COM. It is obvious for many, but unfortunately some people still do not know what an URL is. It's the address that you enter into the address bar at the top your browser and this is clearly not legit site, its www.zuckerjournals.com How would you verify if a website is authentic or not? A. Visit the site using secure HTTPS protocol and check the SSL certificate for authenticity B. Navigate to the site by visiting various blogs and forums for authentic links C. Enable Cache on your browser and lookout for error message warning on the screen D. Visit the site by clicking on a link from Google search engine
D Explanation:
612 You are the security administrator of Jaco Banking Systems located in Boston. You are setting up e-banking website (http://www.ejacobank.com) authentication system. Instead of issuing banking customer with a single password, you give them a printed list of 100 unique passwords. Each time the customer needs to log into the e-banking system website, the customer enters the next password on the list. If someone sees them type the password using shoulder surfing, MiTM or keyloggers, then no damage is done because the password will not be accepted a second time. Once the list of 100 passwords is almost finished, the system automatically sends out a new password list by encrypted e-mail to the customer. You are confident that this security implementation will protect the customer from password abuse. Two months later, a group of hackers called "HackJihad" found a way to access the one-time password list issued to customers of Jaco Banking Systems. The hackers set up a fake website (http://www.e-jacobank.com) and used phishing attacks to direct ignorant customers to it. The fake website asked users for their e-banking username and password, and the next unused entry from their one-time password sheet. The hackers collected 200 customer's username/passwords this way. They transferred money from the customer's bank account to various offshore accounts. Your decision of password policy implementation has cost the bank with USD 925,000 to hackers. You immediately shut down the e-banking website while figuring out the next best security solution What effective security solution will you recommend in this case? A. Implement Biometrics based password authentication system. Record the customers face image to the authentication database B. Configure your firewall to block logon attempts of more than three wrong tries C. Enable a complex password policy of 20 characters and ask the user to change the password immediately after they logon and do not store password histories D. Implement RSA SecureID based authentication system
D Explanation: 370
686 You have successfully gained access to a victim's computer using Windows 2003 Server SMB Vulnerability. Which command will you run to disable auditing from the cmd? A. stoplog stoplog ? B. EnterPol /nolog C. EventViewer o service D. auditpol.exe /disable
D Explanation: 414
698 What is the default Password Hash Algorithm used by NTLMv2? A. MD4 B. DES C. SHA-1 D. MD5
D Explanation: 419
603 Josh is the network administrator for Consultants Galore, an IT consulting firm based in Kansas City. Josh is responsible for the company's entire network which consists of one Windows Server 2003 Active Directory domain. Almost all employees have Remote Desktop access to the servers so they can perform their work duties. Josh has created a security group in Active Directory called "RDP Deny" which contains all the user accounts that should not have Remote Desktop permission to any of the servers. What Group Policy change can Jayson make to ensure that all users in the "RDP Deny" group cannot access the company servers through Remote Desktop? 364 A. Josh should add the "RDP Deny" group into the list of Restricted Groups to prevent the users from accessing servers remotely. B. By adding the "RDP Deny" group to the "Deny logon as a service" policy, the users in that security group will not be able to establish remote connections to any of the servers. C. He should add the "RDP Deny" group to the "Deny RDP connections to member servers" policy. D. Josh needs to add the "RDP Deny" group to the "Deny logon through Terminal Services" policy. *
D Explanation: New questions
626 Peter extracts the SID list from Windows 2008 Server machine using the hacking tool "SIDExtracter". Here is the output of the SIDs: From the above list identify the user account with System Administrator privileges? A. John B. Rebecca C. Sheela D. Shawn E. Somia F. Chang G. Micah
F Explanation:
617 What type of Virus is shown here? 372 A. Cavity Virus B. Macro Virus C. Boot Sector Virus D. Metamorphic Virus E. Sparse Infector Virus
E Explanation:
638 In what stage of Virus life does a stealth virus gets activated with the user performing certain actions such as running an infected program? 385 A. Design B. Elimination C. Incorporation D. Replication E. Launch F. Detection
E Explanation:
657 BankerFox is a Trojan that is designed to steal users' banking data related to certain banking entities. When they access any website of the affected banks through the vulnerable Firefox 3.5 browser, the Trojan is activated and logs the information entered by the user. All the information entered in that website will be logged by the Trojan and transmitted to the attacker's machine using covert channel. BankerFox does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. 397 What is the most efficient way an attacker located in remote location to infect this banking Trojan on a victim's machine? A. Physical access - the attacker can simply copy a Trojan horse to a victim's hard disk infecting the machine via Firefox add-on extensions B. Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program that is unique to that particular computer C. Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program that is unique to that particular computer D. Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program that is unique to that particular computer E. Downloading software from a website? An attacker can offer free software, such as shareware programs and pirated mp3 files
E Explanation:
667 Which of the following is NOT part of CEH Scanning Methodology? A. Check for Live systems B. Check for Open Ports C. Banner Grabbing D. Prepare Proxies E. Social Engineering attacks F. Scan for Vulnerabilities G. Draw Network Diagrams
E Explanation:
