CEH Flashcards Set 1

Performed when the attacker can't use the same channel to launch an SQLi attack and gather information, or when a server is too slow or unstable for these actions to be performed. Primarily used as an alternative to the in-band and inferential SQLi techniques.

Out-of-band SQLi

What does the flag "-oX" mean in an nmap scan?

Output the results in XML format to a file.

This type of networking creates a distributed network among multiple docker daemon hosts, sitting on top of the host-specific networks, allowing containers connected to it to communicate securely when encryption is enabled.

Overlay networking.

A man-in-the-middle exploit which takes advantage of Internet and Security software clients fallback to SSL 3.0.

POODLE (Padding Oracle On Downgraded Legacy Encryption)

You analyze the logs and see the following output of logs from the machine with the IP address of 192.168.0.132: Time August 21 11:22:06 Port:20 Source:192.168.0.30 Destination:192.168.0.132 Protocol:TCP Time August 21 11:22:08 Port:21 Source:192.168.0.30 Destination:192.168.0.132 Protocol:TCP Time August 21 11:22:11 Port:22 Source:192.168.0.30 Destination:192.168.0.132 Protocol:TCP Time August 21 11:22:14 Port:23 Source:192.168.0.30 Destination:192.168.0.132 Protocol:TCP Time August 21 11:22:15 Port:25 Source:192.168.0.30 Destination:192.168.0.132 Protocol:TCP Time August 21 11:22:19 Port:80 Source:192.168.0.30 Destination:192.168.0.132 Protocol:TCP Time August 21 11:22:21 Port:443 Source:192.168.0.30 Destination:192.168.0.132 Protocol:TCP What conclusion can you make based on this output?

Port scan targeting 192.168.0.30

What is the social engineering practice of presenting oneself as someone else to obtain private information? This usually involves creating a fake identity and using it to manipulate the receipt of information.

Pretexting

Often, for a successful attack, hackers very skillfully simulate phishing messages. To do this, they collect the maximum information about the company that they will attack: emails of real employees (including information about the hierarchy in the company), information about the appearance of the message (formatting, logos), etc. What is the name of this stage of the hacker's work?

Reconnaissance stage

A non-persistent attack, occurring when a malicious script is reflected off a web application to the victim's browser. Activated through a link, which sends a request to a website with a vulnerability that enables malicious scripts' execution.

Reflected Cross-Site Scripting

What is the risk that remains (amount left over) after natural or inherent risks have been reduced?

Residual risk

What is a person-to-person attack in which the attacker convinces the target that he or she has a problem or might have a certain problem in the future that he, the attacker, is ready to help solve.

Reverse social engineering.

A risk mitigation technique that does not reduce any effects of an action, or risk, and is commonly employed when the cost of avoidance or limitation outweighs the cost of the risk itself.

Risk Acceptance

What are the four types of Risk Mitigation?

Risk Acceptance, Risk Avoidance, Risk Transfer, and Risk Reduction.

The most common risk mitigation strategy where a company limit's it's exposure by taking some action. Employs a little bit of risk acceptance and avoidance.

Risk Limitation.

The process of taking steps to reduce adverse effects of an action (risk)

Risk Mitigation

The opposite of risk acceptance, where it is the action that an organization takes to completely remove themselves from risk exposure whatsoever by distancing themselves from the risk.

Risk avoidance.

The involvement of handing risk off to a willing third party.

Risk transference

A vulnerability with the renegotiation feature, which allows one part of an encrypted connection (the one taking place before renegotiation) to be controlled by one party with the other part (the one taking place after renegotiation) to be controlled by another. Used in MITM attacks

SSL/TLS Renegotiation Vulnerability

John, a pentester, received an order to conduct an internal audit in the company. One of its tasks is to search for open ports on servers. Which of the following methods is the best solution for this task?

Scan servers with Nmap

A cryptographic protocol designed to provide communications security over a computer network. Replaced the Transport Layer Security (TLS) protocol

Secure Sockets Layer (SSL)

What IDS evasion technique involves splitting attack traffic into many packets such that no single packet triggers the IDS?

Session Splicing

An attack that exploits a valid computer session to gain unauthorized access to information or services in a computer system. Refers to the theft of a magic cookie used to authenticate a user to a remote server.

Session hijacking

A family of security bugs in the UNIX Bash shell, where it could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

Shellshock (aka Bashdoor).

An attack based on information gained from the implementation of a computer system, rather than weakness in the implemented algorithm itself (e.g. cryptanalysis and software bugs.)

Side-Channel Attack

Ivan, a black hat hacker, sends partial HTTP requests to the target webserver to exhaust the target server's maximum concurrent connection pool. He wants to ensure that all additional connection attempts are rejected. What type of attack does Ivan implement?

Slowloris

What best describes two-factor authentication for a credit card (using a card and pin)?

Something you have and something you know

Part of the incident response plan which involves determining whether or not an organization has been breached.

Stage 2: Identification

Part of the incident response plan which involves that, should a breach be discovered, an organization work fast to contain the event.

Step 3: Containment

Part of the incident response plan, considered to be one of the most crucial phases, which requires the intelligence gathered throughout the previous stages to coordinate a shutdown of impacted systems.

Step 4: Neutralization.

Part of the incident response plan that involves restoring all affected systems and devices to allow for normal operations to continue.

Step 5: Recovery

Final step in incident response plan that occurs after the incident has been solved and all details have been properly documented so that the information can be used to prevent similar breaches in the future.

Step 6: Review

The evil hacker Antonio is trying to attack the IoT device. He will use several fake identities to create a strong illusion of traffic congestion, affecting communication between neighboring nodes and networks. What kind of attack does Antonio perform?

Sybil Attack

Which of the following is the type of violation when an unauthorized individual enters a building following an employee through the employee entrance?

Tailgating

Michael, a technical specialist, discovered that the laptop of one of the employees connecting to a wireless point couldn't access the Internet, but at the same time, it can transfer files locally. He checked the IP address and the default gateway. They are both on 192.168.1.0/24. Which of the following caused the problem?

The gateway is not routing to a public IP address

An attacker sends and SQL query to the database, which makes the database wait (for a period in seconds) before it can react. The attacker can see the time the database takes to respond, whether a query is true or false. Based on the result, an HTTP response will generate instantly or after a waiting period, allowing the attacker to work out if the message they used returned true or false without relying on the data from the database. What attack is this?

Time-based Blind SQLi attack.

When an application is vulnerable to SQL injection and the results of the query are returned within the application's responses, the _________ keyword can be used to retrieve data from other tables within the database, allowing the attacker to execute one or more additional SELECT queries and append the results to the original query

UNION, UNION SQLi

An attack where each character has a unique value regardless of the platform, program, or language, making it n effective way to evade an IDS.

Unicode Invasion

Rajesh, a system administrator, noticed that some clients of his company were victims of DNS Cache Poisoning. They were redirected to a malicious site when they tried to access Rajesh's company site. What is the best recommendation to deal with such a threat?

Use Domain Name System Security Extensions (DNSSEC)

Identify the type of jailbreaking which allows user-level access and does not allow iboot-level access?

Userland Exploit

You have been assigned the task of defending the company from network sniffing. Which of the following is the best option for this task?

Using encryption protocols to secure network communications.

How can you influence the intensity of an nmap scan?

Using the "-T" command. List 0-6 after -T for intensity: paranoid, sneaky, polite, normal, aggressive, insane

What is the protocol that is used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system?

WHOIS

While using your bank's online servicing you notice the following string in the URL bar: http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980&Camount=21 You observe that if you modify the Damount & Camount values and submit the request, that data on the web page reflect the changes. Which type of vulnerability is present on this site?

Web Parameter Tampering

When do code injection vulnerabilities occur?

When an application sends untrusted data to an interpreter. Injection flaws are most often found in SQL, LDAP, XPath, or NoSQL queries

Session splicing is an IDS evasion technique that exploits how some IDSs do not reconstruct sessions before performing pattern matching on the data. The idea behind session splicing is to split data between several packets, ensuring that no single packet matches any patterns within an IDS signature. Which tool can be used to perform session splicing attacks?

Whisker

Which command will help you launch the Computer Management Console from "RUN" windows as a local administrator in windows 7?

compmgmt.msc

You managed to compromise a server with an IP address of 10.10.0.5, and you want to get fast a list of all the machines in this network. Which Nmap command will you need?

nmap -T4 -F 10.10.0.0/24 The -F flag is for fast (limited port) scanning.

What nmap command allows you to reduce the probability of detection by IDS when scanning common ports?

nmap -sT -O -T0

What actions should you take if you find that the company that hired you is involved with human trafficking?

stop work and contact the proper legal authorities.

An attacker tries to take advantage of a vulnerability where the application does not verify if the user is authorized to access the internal object via its name or key. What query best describes an attempt to exploit an insecure direct object using the name of the valid account "User 1"?

"GET/restricted/accounts/?name=User1 HTTP/1.1 Host:westbank.com"

What are the three major characteristics of SOAP?

- Extensibility: Security and WS-Addressing are among the extensions that are under development - Neutrality: Soap can operate over any protocol (HTTP, SMTP, TCP, UDP, etc.) - Independence: SOAP allows for any programming model.

How do you run an express scan in nmap?

-F (Fast (limited) port scan)

How do you run an Xmas scan in nmap?

-sX command

What are three possible authentication factors for 2FA?

1) something the user knows (eg. Password) 2) something the user has (eg. PIN card) 3) something the user is (eg. Biometric data)

Vulnerability scanning solutions perform vulnerability penetration tests on the organizational network in three steps:

1. Locating nodes (live hosts) 2. Performing service and OS discovery on them 3. Testing those services and OS for known vulnerabilities

What best describes code injection?

A form of attack in which a malicious user inserts text into a data field interpreted as code.

When data is transmitted across networks and the packets are not encrypted, the data within the network packet can be read using what method?

A network sniffer (sniffing)

Which of the following characteristics is not true about the Simple Object Access Protocol? A) Only compatible with the application protocol HTTP B) Exchanges data between web services C) Using Extensible Markup Language D) Allows for any programming model

A) Only compatible with application protocol HTTP. SOAP can be used with any application-level protocol: SMTP, FTP, HTTP, HTTPS, etc.

Your company has a risk assessment, and according to its results, the risk of a breach in the main company application is 40%. Your cybersecurity department has made changes to the application and requested a re-assessment of the risks. The assessment showed that the risk fell to 12%, with a risk threshold of 20%. Which of the following options would be the best from a business point of view?

Accept the Risk

John performs black-box testing. It tries to pass IRC traffic over port 80/TCP from a compromised web-enabled host during the test. Traffic is blocked, but outbound HTTP traffic does not meet any obstacles. What type of firewall checks outbound traffic?

Application Firewall

The firewall prevents packets from entering the organization through certain ports and applications. What does this firewall check?

Application layer port numbers and the transport layer headers.

Define Metasploit module used to perform arbitrary, one-off actions such as port scanning, denial of service, SQL injection and fuzzing?

Auxiliary Module

Ivan, an evil hacker, is preparing to attack the network of a financial company. To do this, he wants to collect information about the operating systems used on the company's computers. What technique will Ivan use to achieve the desired result?

Banner grabbing

A detection process that observes you the program executes, rather than merely emulating its execution, to identify malware.

Behavioral-based detection.

You know that the application you are attacking is vulnerable to an SQL injection, but you cannot see the result of the injection. You send a SQL query to the database, which makes the database wait before it can react. You can see from the time the database takes to respond, whether a query is true or false. What type of SQL injection did you use?

Blind SQLi

What is the SQLi attack where the attacker sends data payloads to the server and observes the response behavior, but the data is not transferred from the website database to the attacker, meaning they cannot see the information about the attack in-band?

Blind SQLi attack.

An SQLi attack where the attacker sends an SQL query to the database, prompting the application to return a result. The result varies based on whether the query is true or false. Based on the result, the information within the HTTP response will modify or stay unchanged, allowing the attacker to work out if the message generated is a true or false result. What kind of attack is this?

Boolean-based Blind SQLi attack

Jailbreaking which allows user-level access and iboot-level access.

Bootrom Exploit

In Docker, this type of network uses a software bridge which allows containers connected to the same bridge network to communicate, while providing isolation from containers which are not connected to that bridge network.

Bridge networking.

A password recovery tool for Microsoft Windows, suing recovery methods such as network packet sniffing, cracking various password hashes by using dictionary attacks, brute force, cryptanalysis, etc.

Cain and Abel (abb. Cain).

Which represents a conceptual characteristic of an anomaly-based IDS over a signature-based IDS?

Can identify unknown attacks. Anomaly-based IDS uses heuristics or rules and attempts to detect any type of misuse that falls outside of normal system operations

What actions should be performed before using a Vulnerability Scanner for scanning a network?

Checking if the remote host is alive.

What identifies malware by collecting data from protected computers while analyzing it on the provider's infrastructure instead of locally?

Cloud-based detection

What is a "Collision attack"?

Collision attack on a hash tries to find two inputs producing the same hash value.

A hybrid software verification technique that performs symbolic execution, a classical technique that treats program variables as symbolic variables along a concrete execution path.

Concolic testing

A web application vulnerability that permits the attacker to inject code (Typically HTML or JavaScript) into an outside website's contents. When a victim views an infected page on the website, the victim's browser executes the injected code.

Cross-site scripting (XSS)

Which of the following incident handling process phases is responsible for defining rules, employees training, creating a back-up, and preparing software and hardware resources before an incident occurs? A) Containment B) Recovery C) Identification D) Preparation

D) Preparation

What is a set of extensions to DNS that provide to DNS clients (resolvers) origin authentication, authenticated denial of existence and data integrity, but not availability or confidentiality?

DNSSEC

The company "Usual company" asked a cybersecurity specialist to check their perimeter email gateway security. To do this, the specialist creates a specially formatted email message: From: [email protected] To: [email protected] Subject: Test message Date: 5/8/2021 11:22 He sends this message over the Internet, and a "Usual company " employee receives it. This means that the gateway of this company doesn't prevent _____.

Email Spoofing

An SQLi attack where an attacker tries to insert malicious query in input fields and get some error which is regarding SQL syntax or database. The error message, in turn, gives information abut the database used and where the syntax error occurred in the query.

Error-based SQLi

Rajesh, the system administrator analyzed the IDS logs and noticed that when accessing the external router from the administrator's computer to update the router configuration, IDS registered alerts. What type of an alert is this?

False positive.

Which of the following is the method of determining the movement of a data packet from an untrusted external host to a protected internal host through a firewall?

Firewalking

A Denial of Service (DoS) attack where attackers send a very high volume of traffic to a system so that it cannot examine and allow permitted network traffic. (Ex: When a system receives too many ICMP ping commands, and does not have enough resources to reply to these commands).

Flooding

What is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program?

Fuzz testing

Identify a vulnerability in OpenSSL that allows stealing the information protected under normal conditions by the SSL/TLS encryption used to secure the Internet?

Heartbleed bug

A detection system that aims at generically detecting new malware by statically examining files for suspicious characteristics without an exact signature match.

Heuristics-based detection.

Wireshark is one of the most important tools for a cybersecurity specialist. It is used for network troubleshooting, analysis, software, etc. And you often have to work with a packet bytes pane. In what format is the data presented in this pane?

Hexadecimal

This type of networking does not isolate Docker's network container stack from the docker host (sharing the host's networking namespace) and the container does not get its own IP-address allocated.

Host networking.

TCP port scanning method that consists of sending spoofed packets to a computer to find out what services are available. Impersonates another computer whose network traffic is very slow or nonexistent (i.e. a "zombie" computer).

IDLE/IDIP scanning

Which of the following protocols is used in a VPN for setting up a secure channel between two devices? - PPP - SET - IPSEC - PEM

IPSEC

Which layer 3 protocol allows for end-to-end encryption of the connection?

IPSec

Which of the following tools is packet sniffer, network detector and IDS for 802.11(a, b, g, n) wireless LANs? - Kismet - Abel - Nmap - Nessus

Kismet

Attacks which are spread out across a long period of time or a large number of source IPs, such as nmap's slow scan, often hidden in the background of benign traffic.

Low-bandwidth attacks.

John, a system administrator, is learning how to work with new technology: Docker. He will use it to create a network connection between the container interfaces and its parent host interface. Which of the following network drivers is suitable for John?

Macvlan networking

You can use this type of network driver to assign a MAC address to each Docker container's virtual network interface, making it appear to be a physical network.

Macvlan networking

A cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.

Man-in-the-middle (MITM) attacks.

Andrew is conducting a penetration test. He is now embarking on sniffing the target network. What is not available for Andrew when sniffing the network?

Modifying and replaying captured network traffic. Sniffing is a passive attack, so it does not involve modification or interacting completely with target.

How does the mechanism of a Boot Sector virus work?

Moves the Master Boot Record (MBR) to another location on the hard disk and copies itself to the original location of the MBR.

Which regulation defines security and privacy controls for all U.S. federal information systems except those related to national security?

NIST-800-53

What is a remote security scanning tool that scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to access any computer you have connected to a network?

Nessus

A free and open-source network scanner used to discover hosts and services on a computer network by sending packets and analyzing responses.

Nmap