CEH Retake
Which of the following Google dorks is used by an attacker to find Cisco VPN client passwords?
"[main]" "enc_GroupPwd=" ext:txt
Which of the following operators is used for string concatenation in an Oracle database?
''||'
Which of the following options in the finger command-line utility is used for preventing the matching of usernames?
-m: Prevents the matching of usernames.
Which Nmap scan is used to differentiate between stateful and stateless firewalls?
-sA TCP ACK Scan
Which of the following Nmap options is used by an attacker to perform an SCTP COOKIE ECHO scan?
-sZ
A hacker is attempting to check for all the systems alive in the network by performing a ping sweep. Which NMAP switch would the hacker use?
-sn - (all lowercase)This option tells Nmap not to do a port scan after host discovery and only print out the available hosts that responded to the host discovery probes.
In which of the following enumeration techniques does an attacker take advantage of different error messages generated during the service authentication process?
Brute force Active Directory: This is a design error in the Microsoft Active Directory implementation. If a user enables the "logon hours" feature, then all the attempts at service authentication result in different error messages.
John is investing web-application firewall logs and observers that someone is attempting to inject the following : char buff[10]; buff[10] = a What type of attack?
Buffer Overflow
Which of the following tools is employed by a pen tester to find vulnerabilities in an organization's web server and evaluate its security posture by using the same techniques as those currently employed by cybercriminals?
CORE Impact
Which of the following techniques is used by an attacker to connect a fake account on the provider with a victim's account on the client side?
CSRF on Authorization Response: The attacker performs a CSRF attack to exploit a third request related to authorization code grant.
In which of the following attacks does an attacker load the target website inside a low-opacity iframe?
Clickjacking Attack: The attacker designs a page such that all the clickable items such as buttons are positioned exactly as on the selected target website. When the victim clicks on the invisible elements, the attacker performs various malicious actions
An attacker exploits a web application by tampering with the form and parameter of the web application and he is successful in exploiting the web application and gaining access. Which type of vulnerability did the attacker exploit?
Misconfiguration: vulnerabilities such as un-validated inputs, parameter/form tampering, improper error handling, insufficient transport layer protection, and so on, attackers gain unauthorized accesses to default accounts, read unused pages, read/write unprotected files and directories, and so on.
Which of the following tools does an attacker use to perform SQL injection exploitation through techniques such as union and blind SQL exploitation and bypass certain IPS/IDS rules with generic filters?
Mole: Mole is an automatic SQL injection exploitation tool.
Which of the following is not a webserver security tool?
Netcraft - an information gathering tool.
Which of the following IoC categories is useful for command and control, malware delivery, and identifying details about the operating system, browser type, and other computer-specific information?
Network Indicators
Which of the following enumeration tools allows an attacker to fetch the IPv6 address of a machine through SNMP?
Enyx
In which of the following hacking stages does an attacker use Trojans, spyware, backdoors, and keyloggers to create and maintain remote access to a system?
Escalating privileges: The attacker exploits known system vulnerabilities to escalate user privileges.
Which of the following tools helps attackers find the details and certification granted to IoT devices?
FCC ID Search
What is a tool used mainly to find metadata and hidden information in the documents it scans?
FOCA (Fingerprinting Organizations with Collected Archives)
Which of the following DB2 queries allows an attacker to perform column enumeration on a target database?
SELECT*FROM syscat.columns WHERE tabname= 'tablename'
Which of the following web-service APIs is programmed to generate, recover, modify, and erase different logs such as profiles, credentials, and business leads?
SOAP API: A web-based communication protocol that enables interactions between applications running on different platforms such as Windows, macOS, Linux, etc., via XML and HTTP.
Which of the following parameters defines the level of access to an application to redirect a user agent to the authorization server?
Scope: Defines the level of access to the application
Which of the following tools does an attacker use to perform a query on the platforms included in OSRFramework?
Searchfy.py
If an attacker wants to gather information such as IP address, hostname, ISP, device's location, and the banner of the target IoT device, which of the following tools should he use to do so?
Shodan
Which of the following is an operation in the web service architecture that involves obtaining the service interface description at the time of development as well as the binding and location description calls at run time?
Find - During this operation, the requester tries to obtain the service descriptions. This operation can be processed in two different phases: obtaining the service interface description at development time and obtain the binding and location description calls at run time.
In which of the following hacking phases does an attacker create a profile of the target organization and obtain information such as its IP address range, namespace, and employees?
Footprinting
Which of the following tools uses sniffers to capture 6LoWPAN traffic and RPL-related information and identify abnormal behaviors in IoT traffic?
Foren6
Which of the following footprinting techniques allows an attacker to gather information about a target with direct interaction?
Gathering website information using web spidering and mirroring tools
What is a technical standard which defines the operation of a low-rate wireless personal area network which focuses on low-cost, low-speed, ubiquitous communication between devices that includes protocols such as Zigbee & 6LoWPAN?
IEEE 802.15.4
Which of the following techniques is also a type of network protocol for PNAC that is used to defend against MAC address spoofing and to enforce access control at the point where a user joins the network?
IEEE 802.1X suites
What is 6LoWPAN?
IPv6 Low-power wireless Personal Area Network. It is intended to bring the benefits of standard IP networking to low-power mesh and sensor networks, which, in the past, often used proprietary technologies. Allows IPv6 to operate over IEEE 802.15.4 based networks.
Which of the following database management systems contains the system table called "MsysObjects"?
MS Access
Which of the following types of payload modules in the Metasploit framework is self-contained and completely stand-alone?
Singles: Self-contained and completely standalone
Henry, a professional hacker, united with a disgruntled employee of an organization to launch a few attacks on the organization internally. To communicate with the employee, Henry used a tool that hides data in a text file by appending sequences of up to seven spaces interspersed with tabs. Which of the following tools did Henry use to communicate with the disgruntled employee?
Snow: Snow is a program for concealing messages in text files by appending tabs and spaces to the ends of lines, and for extracting messages from files containing hidden messages.
Which of the following is the direct approach technique that serves as the primary source for attackers to gather competitive intelligence?
Social Engineering - The direct approach serves as the primary source for competitive intelligence gathering. Direct approach techniques include gathering information from trade shows, social engineering of employees and customers, and so on.
Which of the following techniques is used by an attacker to connect a rogue switch to the network by tricking a legitimate switch and thereby creating a trunk link between them?
Switch Spoofing: Attackers connect a rogue switch onto the network by tricking a legitimate switch and thereby creating a trunk link between them
You are performing a port scan with Nmap. You are in a hurry and conducting the scans at the fastest possible speed. What type of scan should you run to get very reliable results?
TCP Connect/Full Open Scan
Which of the following is the ACTIVE banner grabbing technique used by an attacker to determine the OS running on a remote target system?
TCP Sequence Ability Test
Which of the following online tools allows attackers to collect real-time IoT data across dozens of verticals, including weather, environment, smart cities, energy, and transport?
Thingful
You are doing research on SQL injection attacks. Which of the following combination of Google operators will you use to find all Wikipedia pages that contain information about SQL, injection attacks, or SQL injection techniques?
[SQL Injection site:Wikipedia.org]
Which of the following queries is used to create a database account in Microsoft SQL Server?
exec sp_addlogin 'victor','Pass123' exec sp_addsrvolemember 'victor','sysadmin'
Which of the following hping commands is used by an attacker to collect the initial sequence number?
hping3 192.168.1.103 -Q -p 139 -s
A type of footprinting attack on the target organization using an advanced Google search query that returns a list of FTP servers by IP address, which are mostly Windows NT servers with guest login capabilities
inurl:~/ftp://193 filetype:(php | txt | html | asp | xml | cnf | sh) ~'/html'
Which of the following web services provides useful information about a target company, such as the market value of the company's shares, company profile, and competitor details?
investing.com
Which of the following Cisco IOS global commands is used to enable or disable DHCP snooping on one or more VLANs?
ip dhcp snooping vlan 4,104
Which of the following Nmap commands does an attacker use to enumerate common web applications?
nmap --script http-enum -p80 <host>
Which of the following Nmap commands is used by an attacker to identify the IPv6 capabilities of a target IoT device?
nmap -6 -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX <Name> <IP>
Which of the following Nmap commands helps attackers identify the HMI systems in a target OT network?
nmap -Pn -sT -p 46824 <Target IP>
Which of the following Nmap commands helps attackers scan ethernet/IP devices?
nmap -Pn -sU -p 44818 --script enip-info <Target IP>
Which of the following Nmap commands is used by an attacker to enumerate the SMB service running on the target IP address?
nmap -p 445 -A <target IP>
Which of the following Nmap commands is used by an attacker to enumerate the TFTP service running on the target domain?
nmap -p 69 <target domain>
Which of the following commands does an attacker use to detect HTTP Trace?
nmap -p80 --script http-trace <host>
Out of the following RFCrack commands, which command is used by an attacker to perform jamming?
python RFCrack.py -j -F 314000000
Which of the following types of DNS records points to a host's IP address?
A Record
Which of the following TCP communication flags confirms the receipt of a transmission and identifies the NEXT (not new) expected sequence number?
ACK (Acknowledgement) Flag
A tester is attempting to capture and analyze the traffic on a given network and realizes that the network has several switches. What could be used to successfully sniff the traffic on this switched network?
ARP spoofing MAC duplication MAC flooding
Which of the following DHCPv6 messages is sent by a server to a client in response to DHCPDiscover with the offer of configuration parameters?
Advertise
In which of the following cookie exploitation attacks does an attacker modify the cookie contents to obtain unauthorized information about a user and thereby perform identity theft?
Cookie Poisoning
Which of the following is a clickjacking technique that overlays only the selected controls from a transparent page and involves masking buttons with hyperlinks and text labels containing false information?
Cropping: May involve masking buttons with hyperlinks and text labels with false information, changing the button labels with wrong commands, and completely covering the legitimate page with misleading information while exposing only one original button.
Which of the following are the correct steps for automated patch management process?
Detect -> Assess -> Acquire -> Test -> Deploy ->
In one of the following methods, an attacker attempts to replicate error-free navigation by injecting simple inputs such as ' and '1' = '1 or ' and '1' = '2 and forces and application to generate application errors that reveal information such as table names, column names, and data types. Which is this method?
Determining a SELECT query structure
Which of the following is an attack performed by measuring the approximate time taken by a server to process a POST request so that the existence of a username can be deduced?
Direct Timing Attack
Which of the following countermeasure helps organizations to prevent information disclosure through banner grabbing?
Display false banners.
In which of the following steganography techniques does a user implement a sequence of modifications to the cover to obtain a stego-object?
Distortion Techniques
Which of the following steganography techniques allows the user to add white spaces and tabs at the end of the lines?
Document Steganography
Which of the following tools is a simple Internet server identification utility that is capable of performing reverse DNS lookup and HTTP server identification?
ID Serve: A simple Internet server identification utility.
If you are responsible for securing a network from any type of attack and if you have found that one of your employees is able to access any website that may lead to clickjacking attacks, what would you do to avoid the attacks?
Harden browser permission rules
If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP?
Hping
During a penetration test, a tester finds that the web application being analyzed is vulnerable to XSS. Which of the following conditions must be met to exploit this vulnerability?
HttpOnly flag is not set: A web server can defend against such attacks by setting the HttpOnly flag on a cookie it creates which is not accessible to the client.
Which of the following are valid types of rootkits?
Hypervisor-level rootkit: Kernel-level rootkit: Application-level rootkit:
Which of the following ping methods is effective in identifying active hosts similar to the ICMP timestamp ping, specifically when the administrator blocks the conventional ICMP ECHO ping?
ICMP Address Mask Ping - This type of ping method is also effective in identifying the active hosts similarly to the ICMP timestamp ping, specifically when the administrator blocks the traditional ICMP Echo ping
An attacker is sending spoofed router advertisement messages so that all the data packets travel through his system. Then the attacker is trying to sniff the traffic to collect valuable information from the data packets to launch further attacks such as man-in-the-middle, denial-of-service, and passive sniffing attacks on the target network. What is this attack?
IRDP Spoofing: The IRDP Router Discovery Protocol (IRDP) is a routing protocol that allows a host to discover the IP addresses of active routers on its subnet by listening to router advertisement and solicitation messages on its network. An attacker can use this to send spoofed router advertisement messages so that all the data packets travel through the attacker's system.
Which of the following protocols provides a flexible framework for addressing and mitigating current and future security vulnerabilities in industrial automation and control systems?
ISA/IEC 62443
An attacker wants to exploit a webpage. From which of the following points does he start his attack process?
Identify entry points for user inputs
Which of the following tools is used for gathering email account information from different public sources and checking whether an email was leaked using the haveibeenpwned.com API?
Infoga - a tool gathering email accounts informations (ip, hostname, country,...) from different public source (search engines, pgp key servers and shodan) and check if emails was leaked using haveibeenpwned.com API.
Which of the following protocols uses the port number 88/TCP and can verify the identity of a user or host connected to a network?
Kerberos
In which layer of the web-application vulnerability stack does an attacker scan an operating system to find open ports and vulnerabilities and develop viruses/backdoors to exploit them
Layer 3: Attackers scan an operating system to find open ports and vulnerabilities, and they develop viruses/backdoors to exploit them.
In which layer of the web application vulnerability stack does an attacker exploit business-logic flaws and technical vulnerabilities to perform input validation attacks such as XSS?
Layer 7: If an attacker finds vulnerabilities in the business logic (implemented using languages such as .NET and Java), he/she can exploit these vulnerabilities by performing input validation attacks such as XSS.
Whic statement is true pertaining to Firewalls preventing web application attacks?
Network firewalls cannot prevent attacks because ports 80 and 443 must be kept opened
Which of the following API vulnerabilities allows attackers to gain unauthorized access to API objects or perform actions such as viewing, updating, or deleting?
No ABAC (Attribute Based Access Contorls)
Which of the following conditions must be given to allow a tester to exploit a cross-site request forgery (CSRF) vulnerable web application?
No Random Tokens: In order to exploit a CSRF vulnerable web application, the web application should not use random tokens
Which of the following functions can be used by an attacker to link a target SQL server's database to the attacker's own machine and retrieve data from the target SQL server database?
OPENROWSET(): An SQL Server can be linked back to an attacker's DB via OPENROWSET.
Which of the following features in FOCA allows an attacker to find more servers in the same segment of a determined address?
PTR Scanning
A penetration tester was hired to perform a penetration test for a bank. The tester began searching for IP ranges owned by the bank, performing lookups on the bank's DNS servers, reading news articles online about the bank, watching the bank employees time in and out, searching the bank's job postings (paying special attention to IT-related jobs), and visiting the local dumpster for the bank's corporate office. What phase of the penetration test is the tester currently in?
Passive information gathering
Which of the following protocols is used to enable fast and seamless interaction with nearby IoT devices and reveals the list of URLs being broadcasted by nearby devices with BLE beacons?
Physical Web
Which of the following HTTP service port numbers is used for connecting to a remote network server system?
Port 384
In which type of fuzz testing does the protocol fuzzer send forged packets to the target application that is to be tested?
Protocol based
Which of the following issues can be detected when testers send long strings of junk data, similar to strings for detecting buffer overruns that throw SQL errors on a page?
Truncation: To detect issues, testers send long strings of junk data, similar to strings to detect buffer overruns; this action might throw SQL errors on the page.
Which of the following techniques enables devices to detect the existence of unidirectional links and disable the affected interfaces in the network, in addition to causing STP topology loops?
UDLD (Unidirectional Link Detection): UDLD enables devices to detect the existence of unidirectional links and further disable the affected interfaces in the network. These unidirectional links in the network can cause STP topology loops.
Which of the following technique defends servers against blind server side response forgery, where an application can be induced to issue a back-end HTTP request to a supplied URL, but the response from the back-end request is not returned in the application's front-end response?
UDP source port randomization
Which of the following countermeasures should be followed to protect web applications from command injection attacks?
Use modular shell disassociation from the kernel
While performing data validation of web content, a security technician is required to restrict malicious input. Which of the following processes is an efficient way of restricting malicious input?
Validate web content input for, type length, and range
In which of the following evasion techniques does an attacker use WHERE statement that is always evaluated as "true" so that any mathematical or string comparison can be used, such as ' or '1'='1'?
Variations: Uses the WHERE statement that always evaluates to 'true'
Which of the following components of the web service architecture is an extension of SOAP and can be used to maintain the integrity and confidentiality of SOAP messages?
WS-Security: It is an extension of SOAP and aims to maintain the integrity and confidentiality of SOAP messages as well as to authenticate users
Which of the following APIs is a user-defined HTTP callback or push API that is raised based on events triggered, such as receiving a comment on a post or pushing code to the registry?
Webhooks: Webhooks allow applications to update other applications with the latest information
In the options given below; identify the nature of a library-level rootkit?
Works higher up in the OS and they usually patch, hook, or supplant system calls with backdoor versions to keep the attacker unknown.
Which of the following technologies is a short-range communication protocol based on the IEEE 802.15.4 standard and is used in devices that transfer data infrequently at a low rate in a restricted area, within a range of 10-100 m?
Zigbee
Billy, an employee in an organization, received an image file in his email. As he was suspicious about the email and attachment, he reached out to the organization's IT team. The IT team used a tool to detect a hidden secret message in the image file. Which of the following tools did the IT team use to find the hidden text?
Zsteg: A tool used to detect stegano-hidden data in PNG and BMP image files.
Which of the following Cisco switch port configuration commands is used to enter a secure MAC address for the interface and the maximum number of secure MAC addresses?
switchport port-security mac-address mac_address
Which of the following IOS switch commands is used to drop packets with unknown source addresses until a sufficient number of secure MAC addresses are removed?
switchport port-security violation restrict
