CEH 1-7 Review Questions

"You are discussing wireless security with your client. He tells you he feels safe with his network because he has turned off SSID broadcasting. Which of the following is a true statement regarding his attempt at security? A. Unauthorized users will not be able to associate because they must know the SSID in order to connect. B. Unauthorized users will not be able to connect because DHCP is tied to SSID broadcast. C. Unauthorized users will still be able to connect because nonbroadcast SSID puts the AP in ad hoc mode. D. Unauthorized users will still be able to connect because the SSID is still sent in all packets, and a sniffer can easily discern the string." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"D. Turning off the broadcast of an SSID is a good step, but SSIDs do nothing in regard to security. The SSID is included in every packet, regardless of whether it's broadcast from the AP.

"Which of the following is true regarding n-tier architecture? A. Each tier must communicate openly with every other tier. B. N-tier always consists of presentation, logic, and data tiers. C. N-tier is usually implemented on one server. D. N-tier allows each tier to be configured and modified independently." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"D. While usually implemented in three tiers, n-tier simply means you have three or more independently monitored, managed, and maintained servers, each providing a specific service or tasking." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

While pen testing a client, you discover that LM hashing, with no salting, is still engaged for backward compatibility on most systems. One stolen password hash reads 9FAF6B755DC38E12AAD3B435B51404EE. Is this user following good password procedures?" "A. Yes, the hash shows a 14-character, complex password. B. No, the hash shows a 14-character password; however, it is not complex. C. No, the hash reveals a 7-character-or-less password has been used. D. It is impossible to determine simply by looking at the hash.

C. LM hashes pad a password with blank spaces to reach 14 characters, split it into two 7-character sections, and then hash both separately. Because the LM hash of seven blank characters is always AAD3B435B51404EE, you can tell from the hash that the user has used only seven or fewer characters in the password. Because CEH recommends that a password be a minimum of eight characters, be complex, and expire after 30 days, the user is not following good policy.

"You see the following command in a Linux history file review: someproc & Which of the following best describe the command result? (Choose two.) A. The process someproc will stop when the user logs out. B. The process someproc will continue to run when the user logs out. C. The process someproc will run as a background task. D. The process someproc will prompt the user when logging off." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

" A, C. The ampersand (&) after the command dictates that the process should run in the background. Without anything indicating a persistent process (that is, adding nohup before the process name), it will die when the user logs out." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following best describes a honeypot? A. It is used to filter traffic from screened subnets. B. It is used to gather information about potential network attackers. C. It is used to analyze traffic for detection signatures. D. Its primary function involves malware and virus protection." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

" B. A honeypot is designed to draw attackers in so you can watch what they do, how they do it, and where they do it from." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following would be the best protection against XSS attacks? A. Invest in top-of-the-line firewalls. B. Perform vulnerability scans against your systems. C. Configure input validation on your systems. D. Have a pen test performed against your systems." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

" C. "Best" is always a tricky word in an exam question. In this case, configuring server-side operations to validate what's being put in the input field is by far the best mitigation. Could vulnerability scans and pen tests tell you something is wrong? Sure, but by themselves they don't do anything to protect you." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"You are examining log files and notice several connection attempts to a hosted web server. Many attempts appear as such: http://www.example.com/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows\ system32\cmd.exe What type of attack is in use? A. SQL injection B. Unicode parameter tampering C. Directory traversal D. Cross-site scripting

" C. This connection is attempting to traverse the directory from the Inetpub folders (in MS IIS servers) to a command shell for the attacker. Instead of dot-dot-slash, Unicode is used in this example to bypass potential IDS signatures." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Two hackers attempt to crack a company's network resource security. One is considered an ethical hacker, whereas the other is not. What distinguishes the ethical hacker from the "cracker"? A. The cracker always attempts white-box testing. B. The ethical hacker always attempts black-box testing. C. The cracker posts results to the Internet. D. The ethical hacker always obtains written permission before testing.

" D. The ethical hacker always obtains written permission before testing and never performs a test without it!

"Configuring the web server to send random challenge tokens is the best mitigation for which of the following? A. XSS attacks B. Buffer overflow attacks C. Parameter manipulation attacks D. CSRF attacks" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

" D. The requests from the bad guy masquerading with your session ID through your browser (cross-site request forgery, CSRF) can be largely stopped by making sure each request has a challenge token—if the server gets one without a token, it's deemed bad and dropped." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following are appropriate active sniffing techniques against a switched network? (Choose all that apply.) A. ARP poisoning B. MAC flooding C. SYN flooding D. Birthday attack E. Firewalking" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"A, B. ARP poisoning can be used to trick a system into sending packets to your machine instead of recipients (including the default gateway). MAC flooding is an older attack used to fill a CAM table and make a switch behave like a hub." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following are passive footprinting methods? (Choose all that apply.) A. Checking DNS replies for network mapping purposes B. Collecting information through publicly accessible sources C. Performing a ping sweep against the network range D. Sniffing network traffic through a network tap

"A, B. Passive footprinting is all about publicly accessible sources." Excerpt From: Matt Walker.

"What information is required in order to attempt to crack a WEP AP? (Choose two.) A. Network SSID" B. MAC address of the AP C. IP address of the AP D. Starting sequence number in the first initialization vector" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"A, B. The network SSID and the MAC address of the AP are required for attempting a WEP crack." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"You want to perform banner grabbing against a machine (168.15.22.4) you suspect as being a web server. Assuming you have the correct tools installed, which of the following command-line entries will successfully perform a banner grab? (Choose all that apply.) A. telnet 168.15.22.4 80 B. telnet 80 168.15.22.4 C. nc -v -n 168.15.22.4 80 D. nc -v -n 80 168.15.22.4

"A, C. Both Telnet and Netcat, among others, can be used for banner grabbing. The correct syntax for both has the port number last.

"Which of the following Wireshark filters would display all traffic sent from, or destined to, systems on the 172.17.15.0/24 subnet? (Choose all that apply.) A. ip.addr == 172.17.15.0/24 B. ip.src == 172.17.15.0/24 and ip.dst == 172.17.15.0/24 C. ip.src == 172.17.15.0/24 or ip.dst == 172.17.15.0/24 D. ip.src == 172.17.15.0/24 and ip.dst == 172.17.15.0/24" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"A, C. In Wireshark filter questions, always pay attention to the operators. While answer A shows any packet with the correct IP address in it, anywhere, the or operator in answer C shows packets meeting both options." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"An attacker has successfully connected a laptop to a switch port and turned on a sniffer. The NIC is running in promiscuous mode, and the laptop is left alone for a few hours to capture traffic. Which of the following statements are true? (Choose all that apply.) A. The packet capture will provide the MAC addresses of other machines connected to the switch. B. The packet capture will provide only the MAC addresses of the laptop and the default gateway. C. The packet capture will display all traffic intended for the laptop. D. The packet capture will display all traffic intended for the default gateway." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"A, C. Switches filter or flood traffic based on the address. Broadcast traffic, such as ARP requests and answers, is flooded to all ports. Unicast traffic, such as traffic intended for the laptop itself or the default gateway, is sent only to the port on which the machine rests." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following protects against man-in-the-middle attacks in WPA? A. MIC B. CCMP C. EAP D. AES" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"A. A MIC (message integrity code) provides integrity checking in WPA, verifying frames are authentic and have not been tampered with. Part of how it accomplishes this is a sequence number—if any frames arrive out of sequence, the whole session is dropped." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which ICMP message type/code indicates the packet could not arrive at the recipient due to"exceeding its time to live?" A. Type 11 B. Type 3, Code 1 C. Type 0 D. Type 8

"A. A Type 11 ICMP packet indicates the TTL for the packet has reached 0; therefore, it must take the Carrousel (from the movie Logan's Run) and disappear to a better place.

"A security peer is confused about a recent incident. An attacker successfully accessed a machine in the organization and made off with some sensitive data. A full vulnerability scan was run immediately following the theft, and nothing was discovered. Which of the following best describes what may have happened? A. The attacker took advantage of a zero-day vulnerability on the machine. B. The attacker performed a full rebuild of the machine after he was done. C. The attacker performed a denial-of-service attack. D. Security measures on the device were completely disabled before the attack began.

"A. A zero-day vulnerability is one that security personnel, vendors, and even vulnerability scanners simply don't know about yet. It's more likely the attacker is using an attack vector unknown to the security personnel than he somehow managed to turn off all security measures without alerting anyone.

"You are port scanning a system and begin sending TCP packets with the ACK flag set. Examining the return packets, you see a return packet for one port has the RST flag set and the TTL is less than 64. Which of the following is true? A. The response indicates an open port. B. The response indicates a closed port. C. The response indicates a Windows machine with a nonstandard TCP/IP stack. D. ICMP is filtered on the machine.

"A. According to ECC, if the TTL of the returned RST packet is less than 64, the port is open.

"An ethical hacker is ACK-scanning against a network segment he knows is sitting behind a stateful firewall. If a scan packet receives no response, what does that indicate? A. The port is filtered at the firewall. B. The port is not filtered at the firewall. C. The firewall allows the packet, but the device has the port closed. D. It is impossible to determine any port status from this response.

"A. An ACK packet received by a stateful firewall will not be allowed to pass unless it was "sourced" from inside the network. No response indicates the firewall filtered that port packet and did not allow it passage

" Your client tells you they know beyond a doubt an attacker is sending messages back and forth from their network, yet the IDS doesn't appear to be alerting on the traffic. Which of the following is most likely true? A. The attacker is sending messages over an SSL tunnel. B. The attacker has corrupted ACLs on every router in the network. C. The attacker has set up port security on network switches. D. The attacker has configured a trunk port on a switch." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"A. Encryption is the bane of an IDS's existence. If traffic is encrypted, the IDS is blind as a bat." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

Enacted in 2002, this U.S. law requires every federal agency to implement information security programs, including significant reporting on compliance and accreditation. Which of the following is the best choice for this definition? A. FISMA B. HIPAA C. NIST 800-53 D. OSSTMM

"A. FISMA has been around since 2002 and was updated in 2014. It gave certain information security responsibilities to NIST, OMB, and other government agencies, and declared the Department of Homeland Security (DHS) as the operational lead for budgets and guidelines on security matters."

" You've decided to begin scanning against a target organization but want to keep your efforts as quiet as possible. Which IDS evasion technique splits the TCP header among multiple packets? A. Fragmenting B. IP spoofing C. Proxy scanning D. Anonymizer

"A. Fragmenting packets is a great way to evade an IDS, for any purpose. Sometimes referred to as IP fragments, splitting a TCP header across "multiple packets can serve to keep you hidden while scanning.

"The accounting department of an online business notices several orders that seem to have been made erroneously. In researching the issue, you discover that the prices of items on several web orders do not match the listed prices on the business's public website. You verify that the web server and the ordering database do not seem to have been compromised. Additionally, no alerts have displayed in the Snort logs concerning a possible attack on the web application. Which of the following might explain the attack in play? A. The attacker has copied the source code to his machine and altered hidden fields to modify the purchase price of the items. B. The attacker has used SQL injection to update the database to reflect new prices for the items. C. The attacker has taken advantage of a server-side include that altered the price. D. The attacker used Metasploit to take control of the web application." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"A. In this case, because the logs and IDSs show no direct attack, it's most likely the attacker has copied the source code directly to his machine and altered the hidden "price" fields on the order form. All other types of attack would have, in some form or fashion, shown themselves easily." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"An ethical hacker is hired to test the security of a business network. The CEH is given no prior knowledge of the network and has a specific framework in which to work, defining boundaries, nondisclosure agreements, and the completion date. Which of the following is a true statement? A. A white hat is attempting a black-box test. B. A white hat is attempting a white-box test. C. A black hat is attempting a black-box test. D. A black hat is attempting a gray-box test.

"A. In this example, an ethical hacker was hired under a specific agreement, making him a white hat. The test he was hired to perform is a no-knowledge attack, making it a black-box test.

"Which of the following is the best choice for detecting wireless LANs using the 802.11a/b/g/n WLAN standards on a Linux platform? A. Kismet B. Nessus C. NetStumbler D. Cain and Abel" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"A. Kismet is your best option here, as the other tools simply don't fit the bill." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"SOAP is used to package and exchange information for web services. What does SOAP use to format this information? A. XML B. HTML C. HTTP D. Unicode" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"A. SOAP formats its information exchange in XML." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following best defines steganography? A. Steganography is used to hide information within existing files. B. Steganography is used to create hash values of data files. C. Steganography is used to encrypt data communications, allowing files to be passed unseen. D. Steganography is used to create multimedia communication files.

"A. Steganography is designed to place information in files where it will lay hidden until needed. Information can be hidden in virtually any file, although image and video files are traditionally associated with steganography.

"A member of your team enters the following command: nmap -sV -sC -O -traceroute IPAddress Which of the following Nmap commands performs the same task? A. nmap -A IPAddress B. nmap -all IPAddress C. nmap -Os IPAddress D. nmap -aA IPAddress

"A. The -A switch turns on OS detection, version detection, script scanning, and traceroute, just as the -O, -sV, -sC, and -traceroute switches do in conjunction with each other.

" Which flag forces a termination of communications in both directions? A. RST B. FIN" "C. ACK D. PSH

"A. The RST flag forces both sides of the communications channel to stop. A FIN flag signifies an ordered close to the communications.

"An SOA record gathered from a zone transfer is shown here: @ IN SOA DNSRV1.anycomp.com. postmaster.anycomp.com. ( 4 ; serial number 3600 ; refresh [1h] 600 ; retry [10m] 86400 ; expire [1d] 3600 ) ; min TTL [1h] What is the name of the authoritative DNS server for the domain, and how often will secondary servers check in for updates? A. DNSRV1.anycomp.com, every 3600 seconds B. DNSRV1.anycomp.com, every 600 seconds C. DNSRV1.anycomp.com, every 4 seconds D. postmaster.anycomp.com, every 600 seconds

"A. The SOA record always starts by defining the authoritative server—in this case, DNSRV1—followed by e-mail contact and a host of other entries. Refresh time defines the interval in which secondary servers will check for updates—in this case, every 3600 seconds (1 hour).

"A pen test team member uses the following entry at the command line: nmap --script http-methods --script-args somesystem.com Which of the following is true regarding the intent of the team member? A. The team member is attempting to see which HTTP methods are supported by somesystem.com. B. The team member is attempting XSS against somesystem.com. C. The team member is attempting HTTP response splitting against somesystem.com. D. The team member is attempting to site-mirror somesystem.com.

"A. The http-methods script tests a target to see what HTTP methods are supported (by sending an HTTP OPTIONS request). Why would an attacker do this? If you know what GET, POST, and PUT do, then you know the answer to this question already." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following can migrate the machine's actual operating system into a virtual machine? A. Hypervisor-level rootkit B. Kernel-level rootkit C. Virtual rootkit D. Library-level rootkit" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"A. The hypervisor-level rootkit is defined by ECC as one that basically replaces your physical OS with a virtual one.

"Your company has a document that spells out exactly what employees are allowed to do on their computer systems. It also defines what is prohibited and what consequences await those who break the rules. A copy of this document is signed by all employees prior to their network access. Which of the following best describes this policy? A. Information security policy B. Special access policy C. Information audit policy D. Network connection policy

"A. The information security policy defines what is allowed and not allowed, and what the consequences are for misbehavior in regard to resources on the corporate network. Generally this is signed by employees prior to their account creation.

"Which OSRF application checks to see if a username has been registered in up to 22 different e-mail providers? A. mailfy.py B. usufy.py C. entify.py D. searchfy.py

"A. The tool mailfy.py checks if a user name (e-mail) has been registered in up to 22 different e-mail providers. The choices usufy.py (verifies if a user name/profile exists in up to 306 different platforms), entify.py (looks for regular expressions), and searchfy.py (looks for profiles using full names and other info in seven platforms) are incorrect.

"A WPA2 wireless network is discovered during a pen test. Which of the following methods is the best way to crack the network key? A. Capture the WPA2 authentication traffic and crack the key. B. Capture a large amount of initialization vectors and crack the key inside. C. Use a sniffer to capture the SSID. D. WPA2 cannot be cracked." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"A. WPA2 is a strong encryption method, but almost everything can be hacked, given enough time. Capturing the password pairwise master key (PMK) during the handshake is the best way to do it, and even then it's virtually impossible if it's a complicated password." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"What occurs when an IDS does not properly identify a malicious packet entering the network? A. False negative B. False positive C. True negative D. True positive" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"A. When traffic gets to the IDS, is examined, and is still let through even though it's malicious, a false negative has occurred. And a false negative is really, really bad." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

" Which footprinting tool or technique can be used to find the names and addresses of employees or technical points of contact? A. whois B. nslookup C. dig D. traceroute

"A. Whois provides information on the domain registration, including technical and business POCs' addresses and e-mails.

"After gaining access to a Windows machine, you see the last command executed on the box looks like this: net use F: \\MATTBOX\BankFiles /persistent:yes""Assuming the user had appropriate credentials, which of the following are true? (Choose all that apply.) A. In Windows Explorer, a folder appears under the root directory named BankFiles. B. In Windows Explorer, a drive appears denoted as BankFiles (\\MATTBOX) (F:). C. The mapped drive will remain mapped after a reboot. D. The mapped drive will not remain mapped after a reboot.

"B, C. net use commands were the rage back in the day. This command connects to a shared folder on MATTBOX. The shared folder is named BankFiles, and the mapping will display as a drive (F:) on the local machine. The persistent:yes portion means it will remain mapped forever, until you turn it off." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following best describes active sniffing? (Choose all that apply.) A. Active sniffing is usually required when hubs are in place. B. Active sniffing is usually required when switches are in place. C. Active sniffing is harder to detect than passive sniffing. D. Active sniffing is easier to detect than passive sniffing.

"B, D. If you're on a hub, why bother with active sniffing techniques? You're already seeing everything. Also, active sniffing is much more likely to get you caught than simply plugging in a wire and sitting back" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Joe is a security engineer for a firm. His company downsizes, and Joe discovers he will be laid off within a short amount of time. Joe plants viruses and sets about destroying data and settings throughout the network, with no regard to being caught. Which type of hacker is Joe considered to be? A. Hacktivist B. Suicide hacker C. Black hat D. Script kiddie

"B. A suicide hacker doesn't care about being caught. Jail time and punishment mean nothing to these guys. While sometimes they are tied to a political or religious group or function, sometimes they're just angry folks looking to make an entity pay for some perceived wrongdoing.

". Which type of attack is generally conducted as an inside attacker with elevated privileges on the resources? A. Gray box B. White box C. Black box D. Active reconnaissance

"B. A white-box attack is intended to simulate an internal attacker with elevated privileges, such as a network administrator.

"Brad has done some research and determined a certain set of systems on his network fail once every ten years. The purchase price for each of these systems is $1200. Additionally, Brad discovers the administrators on staff, who earn $50 an hour, estimate five hours to replace a machine. Five employees, earning $25 an hour, depend on each system and will be completely unproductive while it is down. If you were to ask Brad for an ALE on these devices, what should be his answer? A. $2075 B. $207.50 C. $120 D. $1200

"B. ALE = ARO × SLE. To determine ARO, divide the number of occurrences by the number of years (1 occurrence/10 years = 0.1). To determine SLE, add the purchase cost (1200) plus the amount of time to replace (5 × 50 = 250) plus the amount of lost work (5 hours × 5 employees × 25 = 625). In this case, it all adds up to $2075. ALE = 0.1 × 2075, or $207.50.

"Machine A (with MAC address 00-01-02-AA-BB-CC) and Machine B (00-01-02-BB-CC-DD) are on the same subnet. Machine C, with address 00-01-02-CC-DD-EE, is on a different subnet. While the attacker is sniffing on the fully switched network, Machine B sends a message to Machine C. If an attacker on Machine A wanted to receive a copy of this message, which of the following circumstances would be necessary? A. The ARP cache of the router would need to be poisoned, changing the entry for Machine A to 00-01-02-CC-DD-EE. B. The ARP cache of Machine B would need to be poisoned, changing the entry for the default gateway to 00-01-02-AA-BB-CC. C. The ARP cache of Machine C would need to be poisoned, changing the entry for the default gateway to 00-01-02-AA-BB-CC. D. The ARP cache of Machine A would need to be poisoned, changing the entry for Machine C to 00-01-02-BB-CC-DD" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"B. ARP poisoning is done on the machine creating the frame—the sender. Changing the default gateway entry on the sending machine results in all frames intended for an IP out of"the subnet being delivered to the attacker. Changing the ARP cache on the other machine or the router is pointless.

"As a pen test team member, you begin searching for IP ranges owned by the target organization and discover their network range. You also read job postings and news articles and visit the organization's website. Throughout the first week of the test, you also observe when employees come to and leave work, and you rummage through the trash outside the building for useful information. Which type of footprinting are you accomplishing? A. Active B. Passive C. Reconnaissance D. None of the above

"B. All the methods discussed are passive in nature, per EC-Council's definition.

"Which of the following provides for integrity in WPA2? A. AES B. CCMP C. TKIP D. RADIUS" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"B. Cipher Block Chaining Message Authentication Code Protocol uses message integrity codes (MICs) for integrity purposes" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"One of your team members is analyzing TTL fields and TCP window sizes in order to fingerprint the OS of a target. Which of the following is most likely being attempted? A. Online OS fingerprinting B. Passive OS fingerprinting C. Aggressive OS fingerprinting D. Active OS fingerprinting

"B. Generally, any activity noted in a question that does not explicitly state you are crafting packets and injecting them toward a system indicates you are passively observing traffic—in this case, most likely with a sniffed traffic log.

" Examining a database server during routine maintenance, you discover an hour of time missing from the log file, during what would otherwise be normal operating hours. Further investigation reveals no user complaints on accessibility. Which of the following is the most likely explanation? A. The log file is simply corrupted. B. The server was compromised by an attacker. C. The server was rebooted. D. No activity occurred during the hour time frame." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"B. It's a database server during normal business hours and there's nothing in the log? Forget the fact a reboot would've showed up somewhere—none of the users complained about it being down at all. No, this one is going to require some forensics work. Call the IR team." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

" Which of the following would be considered a passive online password attack? A. Guessing passwords against an IPC$ share B. Sniffing subnet traffic to intercept a password C. Running John the Ripper on a stolen copy of the SAM D. Sending a specially crafted PDF to a user for that user to open" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"B. Passive online attacks simply involve stealing passwords passed in clear text or copying the entire password exchange in the hopes of pulling off a reply or man-in-the-middle attack." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"You're running an IDLE scan and send the first packet to the target machine. Next, the SYN/ACK packet is sent to the zombie. The IPID on the return packet from the zombie is 36754. If the starting IPID was 36753, in what state is the port on the target machine? A. Open B. Closed C. Unknown D. None of the above

"B. Since the IPID incremented by only one, this means the zombie hasn't sent anything since your original SYN/ACK to figure out the starting IPID. If the IPID had increased by two, then the port would be open because the zombie would have responded to the target machine's SYN/ACK.

" A security administrator monitoring logs comes across a user login attempt that reads UserJoe)(&). What can you infer from this user name login attempt? "A. The attacker is attempting SQL injection. B. The attacker is attempting LDAP injection. C. The attacker is attempting SOAP injection. D. The attacker is attempting directory traversal." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"B. The )(&) indicates an LDAP injection attempt." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which display filter for Wireshark shows all TCP packets containing the word facebook? A. content==facebook B. tcp contains facebook C. display==facebook D. tcp.all contains ==facebook" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"B. The appropriate Wireshark display filter is the following: tcp contains search-string" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

" Sally is a member of a pen test team newly hired to test a bank's security. She begins searching for IP addresses the bank may own by searching public records on the Internet. She also looks up news articles and job postings to discover information that may be valuable. In what phase of the pen test is Sally working? A. Preparation B. Assessment C. Conclusion D. Reconnaissance

"B. The assessment phase, which EC-Council also likes to interchangeably denote as the "conduct" phase sometimes, is where all the activity takes place—including the passive information gathering performed by Sally in this example.

"Which of the following best describes an effort to identify systems that are critical for continuation of operation for the organization? A. BCP B. BIA C. MTD D. DRP

"B. The business impact analysis best matches this description. Although maximum tolerable downtime is part of the process, and a continuity plan certainly addresses it, a BIA is the actual process to identify those critical systems.

"An attacker has hidden badfile.exe in the readme.txt file. Which of the following is the correct command to execute the file? A. start readme.txt>badfile.exe B. start readme.txt:badfile.exe C. start badfile.exe > readme.txt D. start badfile.exe | readme.txt" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"B. The command start readme.txt:badfile.exe says "Start the executable badfile.exe that is hidden in the readme.txt file." In other variants of this question, the bad guy could create a link and execute it simply by typing the link name (for example, mklink innocent.exe readme.txt:badfile.exe would create a link, and the bad file could be executed simply by typing innocent)" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"In which stage of an ethical hack would the attacker actively apply tools and techniques to gather more in-depth information on the targets? A. Active reconnaissance B. Scanning and enumeration C. Gaining access D. Passive reconnaissance

"B. The second of the five phases of an ethical hack attempt, scanning and enumeration, is the step where ethical hackers take the information they gathered in recon and actively apply tools and techniques to gather more in-depth information on the targets

"Which wireless encryption technology makes use of temporal keys? A. WAP B. WPA C. WEP D. EAP" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"B. WPA uses temporal keys, making it a much stronger encryption choice than WEP." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following is not recommended as a security measure for your web servers? A. Ensure there is a backout plan for any patch or hotfix. B. Block only those ports known as relating to malicious tools and techniques. C. Avoid mapping virtual directories between servers across the network. D. Allow remote access only with properly secured encryption/tunneling" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"B. You should block or disable every port and/or service that is not in use. A "known malicious port" means nothing to an adversary, as they'll just as likely highjack your open but unused syslog port." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following commands would you use to quickly identify live targets on a subnet? (Choose all that apply.) A. nmap -A 172.17.24.17 B. nmap -O 172.17.24.0/24 C. nmap -sn 172.17.24.0/24 D. nmap -PI 172.17.24.0/24

"C, D. Both the -sn and -PI switches will accomplish the task quickly and efficiently.

" Elements of security include confidentiality, integrity, and availability. Which technique provides for integrity? A. Encryption B. UPS C. Hashing D. Passwords

"C. A hash is a unique numerical string, created by a hashing algorithm on a given piece of data, used to verify data integrity. Generally, hashes are used to verify the integrity of files after download (comparison to the hash value on the site before download) and/or to store password values. Hashes are created by a one-way algorithm.

"What flag or flags are sent in the segment during the second step of the TCP three-way handshake? A. SYN B. ACK C. SYN/ACK D. ACK/FIN

"C. A three-way TCP handshake has the originator forward a SYN. The recipient, in step 2, sends a SYN and an ACK. In step 3, the originator responds with an ACK. The steps are referred to as SYN, SYN/ACK, ACK.

"A user on Joe's network does not need to remember a long password. Users on Joe's network log in using a token and a four-digit PIN. Which authentication measure best describes this? A. Multifactor authentication B. Three-factor authentication C. Two-factor authentication D. Token authentication" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"C. Because Joe's users need something they have (a token) and something they know (the PIN), this is considered two-factor authentication." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"You have an FTP service and an HTTP site on a single server. Which DNS record allows you to alias both services to the same record (IP address)? A. NS B. SOA C. CNAME D. PTR

"C. CNAME records provide for domain name aliases within the zone.

"An ethical hacker is sending TCP packets to a machine with the SYN flag set. None of the SYN/ACK responses on open ports is being answered. Which type of port scan is this? A. Ping sweep B. XMAS C. Stealth D. Full" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"C. ECC defines as a stealth scan what most of us used to call a half-open scan (although I suppose it would actually make more sense mathematically to call it a two-thirds scan, since it's a three-way handshake and only two are used). This is also known as a SYN scan." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following works at Layer 5 of the OSI model? A. Stateful firewall B. Packet-filtering firewall C. Circuit-level firewall D. Application-level firewall" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"C. I admit, this one is tricky. Yes, circuit-level firewalls work at Layer 5. Stateful firewalls can be said to work at Layer 5, but they're focused on Layers 3 and 4. Application-level firewalls work at Layer 7." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"An IDS installed on the network perimeter sees a spike in traffic during off-duty hours and begins logging and alerting. Which type of IDS is in place? A. Stateful B. Signature based C. Anomaly based D. Packet filtering" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"C. IDSs can be signature or anomaly based. Anomaly-based systems build a baseline of normal traffic patterns over time, and anything that appears outside of the baseline is flagged." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following would be the best example of a deterrent control? A. A log aggregation system B. Hidden cameras onsite C. A guard posted outside the door D. Backup recovery systems

"C. If you're doing something as a deterrent, you're trying to prevent an attack in the first place. In this physical security deterrent control, a guard visible outside the door could help prevent physical attacks.

"Which encryption standard is used by LM? A. MD5 B. SHA-1 C. DES D. SHA-2 E. 3DES" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"C. LAN Manager (LM), an old and outdated authentication system, used DES, an old and outdated means for hashing files (in this case, passwords)." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"You are discussing wireless security with your client. She tells you she feels safe with her network because she has implemented MAC filtering on all access points, allowing only MAC addresses from clients she personally configures in each list. You explain this step will not prevent a determined attacker from connecting to her network. Which of the following explains why the APs are still vulnerable? A. WEP keys are easier to crack when MAC filtering is in place. B. MAC addresses are dynamic and can be sent via DHCP. C. An attacker could sniff an existing MAC address and spoof it. D. An attacker could send a MAC flood, effectively turning the AP into a hub." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"C. MAC filtering is easily hacked by sniffing the network for a valid MAC and then spoofing it, using any number of options available." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following would be the best choice for footprinting restricted URLs and OS information from a target? A. www.archive.org B. www.alexa.com C. Netcraft D. Yesware

"C. Netcraft is the best choice here, as it is the only choice allowing for restricted URL and OS information footprinting.

". A security administrator sets the HttpOnly flag in cookies. Which of the following is she most likely attempting to mitigate against? A. CSRF B. CSSP C. XSS D. Buffer overflow E. SQL injection" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"C. Of the answers provided, XSS is the only one that makes sense. The HttpOnly flag setting prevents cookies from being accessible by a client-side script." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Your organization is deploying a new web-based software package requiring application and database support. The department has agreed on a three-server approach to make the service accessible from the Internet. Of the following choices, which would be the best option for server placement? A. A web, application, and database server on the internal network only B. A web, application, and database server facing the Internet C. A web server facing the Internet and an application and database server on the internal network D. An application and database server facing the Internet, with a web server internal" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"C. Of the choices provided and with no other data, C is the best option. You have to have the web server available for clients to access, but your "back-end" processes should be internal if at all possible." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following is a true statement? A. SOAP cannot bypass a firewall. B. SOAP encrypts messages using HTTP methods. C. SOAP is compatible with HTTP and SMTP. D. SOAP messages are usually bidirectional." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"C. SOAP is compatible with HTTP and SMTP, and usually the messages are "one-way" in nature." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"You are configuring rules for your Snort installation and want to have an alert message of "Attempted FTP" on any FTP packet coming from an outside address intended for one of your internal hosts. Which of the following rules is correct for this situation? A. alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Attempted FTP") B. alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Attempted FTP") C. alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Attempted FTP") D. alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"Attempted FTP")" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"C. Snort rules follow the same syntax: action protocol src address src port -> dest address port (options)" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Where is the SAM file stored on a Windows 7 system? A. /etc/ B. C:\Windows\System32\etc\ C. C:\Windows\System32\Config\ D. C:\Windows\System32\Drivers\Config" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"C. The SAM file is stored in the same folder on most Windows machines: C:\Windows\System32\Config\." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following best defines a hybrid attack? A. The attack uses a dictionary list, trying words from random locations in the file until the password is cracked. B. The attack tries random combinations of characters until the password is cracked. C. The attack uses a dictionary list, substituting letters, numbers, and characters in the words until the password is cracked. D. The attack uses rainbow tables, randomly attempting hash values throughout the list until the password is cracked." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"C. The hybrid attack takes any old dictionary list and juices it up a little. It substitutes numbers for letters, injects a character or two, and runs numerous hybrid versions of your word list in an attempt to crack passwords." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"In what situation would you employ a proxy server? (Choose the best answer.)" A. You want to share files inside the corporate network. B. You want to allow outside customers into a corporate website. C. You want to filter Internet traffic for internal systems. D. You want to provide IP addresses to internal hosts." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"C. There are a bunch of reasons for having a proxy. In this case, you're using it to filter traffic between internal hosts and the rest of the world. Generally, proxies don't act as file servers, websites, or DHCP servers." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"A user calls with a problem. Her laptop uses the same hardware and software as many of the other clients on the network, and she can see the wireless network but cannot connect. You run a sniffer, and results show the WAP is not responding to the association requests being sent by the wireless client. Of the following choices, which is the most likely source of the problem? A. The wireless client does not use DHCP. B. The wireless client is on the wrong wireless channel. C. The WAP has MAC filtering engaged and does not recognize the MAC. D. SSID security is preventing the connection." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"C. There may be more to the story, but given everything in the scenario, MAC filtering is probably the culprit here. Given the same hardware and software setup, it's unlikely it's a channel issue, and the other options make no sense at all." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which wireless technology uses RC4 for encryption? A. WAP B. WPA C. WEP D. WPA2 E. All of the above" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"C. WEP uses RC4, which is part of the reason it's so easily hacked and not considered a secure option." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following consists of a publicly available set of databases that contain domain name registration contact information? A. IETF B. IANA" C. Whois D. OSRF

"C. Whois is a great resource to scour public information regarding your target. Registration databases contain data points that may be useful, such as domain registration, points of contacts, and IP ranges.

"A pen tester is configuring a Windows laptop for a test. In setting up Wireshark, what driver and library are required to allow the NIC to work in promiscuous mode? A. Libpcap B. WinProm" C. WinPcap D. Promsw" Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"C. WinPcap is the library used for Windows devices. Libpcap is used on Linux devices for the same purpose." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which of the following is a true statement? A. Configuring a strong SSID is a vital step in securing your network. B. An SSID should always be more than eight characters in length. C. An SSID should never be a dictionary word or anything easily guessed. D. SSIDs are important for identifying networks but do little to nothing for security." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"D. An SSID is used for nothing more than identifying the network. It is not designed as a security measure." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

When an attack by a hacker is politically motivated, the hacker is said to be participating in which of the following? A. Black-hat hacking B. Gray-box attacks C. Gray-hat attacks D. Hacktivism

"D. Hackers who use their skills and talents to forward a cause or a political agenda are practicing hacktivism

"You are examining a host with an IP address of 52.93.24.42/20 and want to determine the broadcast address for the subnet. Which of the following is the correct broadcast address for the subnet? A. 52.93.24.255 B. 52.93.0.255 C. 52.93.32.255 D. 52.93.31.255 E. 52.93.255.255

"D. If you look at the address 52.93.24.42 in binary, it looks like this: 00110100.01011101.00011000.00101010. The subnet mask given, /20, tells us only the first 20 bits count as the network ID (which cannot change if we are to stay in the same subnet), and the remaining 12 bits belong to the host. Turning off all the host bits (after the 20th) gives us our network ID: 00110100.01011101.00010000.00000000 (52.93.16.0/20). Turning on all the host bits gives us our broadcast address: 00110100.01011101.00011111.11111111 (52.93.31.255/20).

"Which of the following statements is true regarding port scanning? A. Port scanning's primary goal is to identify live targets on a network. B. Port scanning is designed to overload the ports on a target in order to identify which are open and which are closed. C. Port scanning is designed as a method to view all traffic to and from a system. D. Port scanning is used to identify potential vulnerabilities on a target system." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"D. Port scanning has a singular purpose—to knock on ports and see if they're open (listening). Does an open port necessarily mean something is wrong? No, but it does represent a potential vulnerability you can exploit later." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"Which port number is used by default for syslog? A. 21 B. 23 C. 69 D. 514"

"D. Syslog uses 514 by default. Even if you had no idea, the other answers provided are very well-known default ports (FTP, Telnet, TFTP), so you can eliminate them as possible answers.

"Which Google hack would display all pages that have the words SQL and Version in their titles? A. inurl:SQL inurl:version B. allinurl:SQL version C. intitle:SQL inurl:version D. allintitle:SQL version

"D. The Google search operator allintitle: allows for the combination of strings in the title. The operator inurl: looks only in the URL of the site.

"Which character is the best choice to start a SQL injection attempt? A. Colon B. Semicolon C. Double quote D. Single quote " Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"D. The single quote should begin SQL injection attempts, even though in many database systems it's not always an absolute." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"A pen tester is attempting to use nslookup and has the tool in interactive mode for the search. Which command should be used to request the appropriate records? A. request type=ns B. transfer type=ns C. locate type=ns D. set type=ns

"D. The syntax for the other commands listed is incorrect.

"Which of the following Common Criteria processes refers to the system or product being tested? A. ST B. PP C. EAL D. TOE

"D. The target of evaluation (TOE) is the system or product being tested." Excerpt From: Matt Walker.

chapter 6 question 10 "The attacker then clicks the Search button and a pop-up appears stating, "It Worked." What can you infer from this? A. The site is vulnerable to buffer overflow. B. The site is vulnerable to SQL injection. C. The site is vulnerable to parameter tampering. D. The site is vulnerable to XSS." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.

"D. This indicates a cross-site scripting vulnerability." Excerpt From: Matt Walker. "CEH Certified Ethical Hacker All-in-One Exam Guide." iBooks.