Multiple choice Certified Ethical Hacker Book
What is the sequence of the three-way handshake? A. SYN, SYN-ACK, ACK B. SYN, SYN-ACK C. SYN, ACK, SYN-ACK D. SYN, ACK, ACK
A. A three-way handshake is part of every TCP connection and happens at the beginning of every connection. It includes the sequence SYN, SYN-ACK, and ACK to be fully completed.
If you have been contracted to perform an attack against a target system, you are what type of hacker? A. White hat B. Gray hat C. Black hat D. Red hat
A. A white hat hacker always has permission to perform pen testing against a target system.
What is a self-replicating piece of malware? A. A worm B. A virus C. A Trojan horse D. A rootkit
A. A worm is a self-replicating piece of malware that does not require user interaction to proceed.
What is an ICMP Echo scan? A. A ping sweep B. A SYN scan C. A Xmas scan D. Part of a UDP scan
A. An ICMP echo scan is a ping sweep type scan.
How is black box testing performed? A. With no knowledge B. With full knowledge C. With partial knowledge D. By a black hat
A. Black box testing is performed with no knowledge to simulate an actual view of what a hacker would have.
In IPSec, what does Encapsulating Security Payload (ESP) provide? A. Data security B. Header security C. Authentication services D. Encryption
A. Data security services are provided by ESP.
What does hashing preserve in relation to data? A. Integrity B. Confidentiality C. Availability D. Repudiation
A. Hashing is intended to verify and preserve the integrity of data, but it cannot preserve confidentiality of that data.
Hubs operate at what layer of the OSI model? A. Layer 1 B. Layer 2 C. Layer 3 D. Layer 4
A. Hubs operate at layer 1, the physical layer of the OSI model. Hubs simply forward the data they receive. There is no filtering or directing of traffic; thus they are categorized at layer 1.
IPSec uses which two modes? A. AH/ESP B. AES/DES C. EH/ASP D. AES/ESP
A. IPSec uses two modes: Authentication Header (AH) and Encapsulating Security Payload (ESP). Both modes offer protection to data, but do so in different ways.
Which of the following can an attacker use to determine the technology within an organization? A. Job boards B. Archives C. Google hacking D. Social engineering
A. Job boards are useful in getting an idea of the technology within an organization. By looking at job requirements, you can get a good idea of the technology present. While the other options here may provide technical data, job boards tend to have the best chance of providing it.
Which of the following is a common hashing protocol? A. MD5 B. AES C. DES D. RSA
A. MD5 is the most widely used hashing algorithm, followed very closely by SHA1 and the SHA family of protocols.
Who first developed SSL? A. Netscape B. Microsoft C. Sun D. Oracle
A. Netscape originally developed SSL, but since its introduction the technology has spread to become a standard supported by many clients such as e-mail, web browsers, VPNs, and other systems.
Nmap is required to perform what type of scan? A. Port scan B. Vulnerability scan C. Service scan D. Threat scan
A. Nmap is designed to perform scans against ports on a system or group of systems, but it is by far the most popular tool in many categories.
A scan of a network client shows that port 23 is open; what protocol is this aligned with? A. Telnet B. NetBIOS C. DNS D. SMTP
A. Port 23 is used for telnet traffic.
Which port uses SSL to secure web traffic? A. 443 B. 25 C. 23 D. 80
A. Port 443 is used for HTTPS traffic, which is secured by SSL.
Which port number is used by DNS for zone transfers? A. 53 TCP B. 53 UDP C. 25 TCP D. 25 UDP
A. Port 53 TCP is used for DNS zone transfers.
What level of knowledge about hacking does a script kiddie have? A. Low B. Average C. High D. Advanced
A. Script kiddies have low or no knowledge of the hacking process but should still be treated as dangerous.
Which of the following can help you determine business processes of your target? A. Social engineering B. E-mail C. Website D. Job boards
A. Social engineering can reveal how a company works.
Which of the following would be effective for social engineering? A. Social networking B. Port scanning C. Websites D. Job boards
A. Social networking has proven especially effective for social engineering purposes. Due to the amount of information people tend to reveal on these sites, they make prime targets for information gathering.
Symmetric cryptography is also known as: A. Shared key cryptography B. Public key cryptography C. Hashing D. Steganography
A. Symmetric cryptography is also known as shared key cryptography.
A SYN attack uses which protocol? A. TCP B. UDP C. HTTP D. Telnet
A. SYN flags are seen only on TCP-based transmissions and not in UDP transmissions of any kind.
Which of the following is the process of exploiting services on a system? A. System hacking B. Privilege escalation C. Enumeration D. Backdoor
A. System hacking is concerned with several items, including exploiting services on a system.
What does TOE stand for? A. Target of evaluation B. Time of evaluation C. Type of evaluation D. Term of evaluation
A. TOE stands for target of evaluation and represents the target being tested.
Which of the following is used for banner grabbing? A. Telnet B. FTP C. SSH D. Wireshark
A. Telnet is used to perform banner grabs against a system. However, other tools are available to do this as well.
Symmetric key systems have key distribution problems due to: A. Number of keys B. Generation of key pairs C. Amount of data D. Type of data
A. The number of keys increases dramatically as more and more parties use symmetric encryption; hence it does not scale well.
Which of the following would most likely engage in the pursuit of vulnerability research? A. White Hat B. Gray Hat C. Black Hat D. Suicide
A. White hat hackers are the most likely to engage in research activities. Though grey and black hats may engage in these activities, they are not typical.
Which OS holds 90 percent of the desktop market and is one of our largest attack surfaces? A. Windows B. Linux C. Mac OS D. iOS
A. Windows remains king for sheer volume and presence on desktop and servers.
Why would you need to use a proxy to perform scanning? A. To enhance anonymity B. To fool firewalls C. Perform half-open scans D. To perform full-open scans
A. You do not need to use a proxy to perform scanning, but using one will hide the process of scanning and make it more difficult to monitor by the victim or other parties.
Which of the following types of attacks has no flags set? A. SYN B. NULL C. Xmas tree D. FIN
B. A NULL scan has no flags configured on its packets.
If a device is using node MAC addresses to funnel traffic, what layer of the OSI model is this device working in? A. Layer 1 B. Layer 2 C. Layer 3 D. Layer 4
B. A network device that uses MAC addresses for directing traffic resides on layer 2 of the OSI model. Devices that direct traffic via IP addresses, such as routers, work at layer 3.
A public key is stored on the local computer by its owner in a: A. Hash B. PKI system C. Smart card D. Private key
B. A public key is not necessarily stored on the local system, but a private key will always be present if the user is enrolled.
Which of the following best describes what a suicide hacker does? A. Hacks with permission B. Hacks without stealth C. Hacks without permission D. Hacks with stealth
B. A suicide hacker does not worry about stealth or otherwise concealing their activities but is more concerned with forwarding an agenda.
What is missing from a half-open scan? A. SYN B. ACK C. SYN-ACK D. FIN
B. An ACK flag is part of the last part of the three-way handshake, and this part never happens in a half-open scan.
During an FIN scan, what indicates that a port is closed? A. No return response B. RST C. ACK D. SYN
B. An RST indicates that the port is closed.
During a Xmas scan what indicates a port is closed? A. No return response B. RST C. ACK D. SYN
B. An RST indicates the port is closed in many of the TCP scan types. The RST is sent in response to a connection request and the RST indicates that the port is not available.
Which of the following does an ethical hacker require to start evaluating a system? A. Training B. Permission C. Planning D. Nothing
B. An ethical hacker never performs their services against a target without explicit permission of the owner of that system.
Asymmetric encryption is also referred to as which of the following? A. Shared key B. Public key C. Hashing D. Block
B. Asymmetric encryption uses two separate keys and is referred to as public key cryptography. Symmetric algorithms use only one key that is used by both the sender and receiver.
What is EDGAR used to do? A. Validate personnel B. Check financial filings C. Verify a website D. Gain technical details
B. EDGAR can be used to verify the financial filings of a company.
Footprinting has two phases: A. Active and pseudonymous B. Active and passive C. Social and anonymous D. Scanning and enumerating
B. Footprinting is typically broken into active and passive phases, which are characterized by how aggressive the process actually is. Active phases are much more aggressive than their passive counterparts.
Which type of hacker may use their skills for both benign and malicious goals at different times? A. White Hat B. Gray Hat C. Black Hat D. Suicide Attackers
B. Grey hat hackers are typically thought of as those that were formerly black hats but have reformed. However, they have been known to use their skills for both benign and malicious purposes.
Which tool can be used to view web server information? A. Netstat B. Netcraft C. Warcraft D. Packetcraft
B. Netcraft can be used to view many details about a web server, including IP address, netblock, last views, OS information, and web server version.
Which of the following is used for identifying a web server OS? A. Telnet B. Netcraft C. Nmap D. Wireshark
B. Netcraft is used to gather information about many aspects of a system, including operating system, IP address, and even country of origin.
Which of the following is a method of manipulating search results? A. Archiving B. Operators C. Hacking D. Refining
B. Operators such as filetype are used to manipulate search results for some search engines such as Google.
What is the proper sequence of the TCP three-way-handshake? A. SYN-ACK, ACK, ACK B. SYN, SYN-ACK, ACK C. SYN-SYN, SYN-ACK, SYN D. ACK, SYN-ACK, SYN
B. Remember this three-way handshake sequence; you will see it quite a bit in packet captures when sniffing the network. Being able to identify the handshake process allows you to quickly find the beginning of a data transfer.
SSL is a mechanism for which of the following? A. Securing stored data B. Securing transmitted data C. Verifying data D. Authenticating data
B. SSL is used to secure data when it is being transmitted from client to server and back. The system is supported by most clients, including web browsers and e-mail clients.
What is Tor used for? A. To hide web browsing B. To hide a process of scanning C. To automate scanning D. To hide the banner on a system
B. Tor is designed to hide the process of scanning as well as the origin of a scan. Additionally, it can provide encryption services to hide the traffic itself.
Which tool can trace the path of a packet? A. ping B. Tracert C. whois D. DNS
B. Tracert is a tool used to trace the path of a packet from source to ultimate destination.
Vulnerability research deals with which of the following? A. Actively uncovering vulnerabilities B. Passively uncovering vulnerabilities C. Testing theories D. Applying security guidance
B. Vulnerability research is a way of passively uncovering weaknesses.
A vulnerability scan is a good way to? A. Find open ports B. Find weaknesses C. Find operating systems D. Identify hardware
B. Vulnerability scanners are necessary for a security person to use in order to assist them in strengthening their systems by finding weaknesses before an attacker does.
What is a piece of malware that relies on social engineering? A. A worm B. A virus C. A Trojan horse D. A rootkit
C. A Trojan horse relies more on social engineering than on technology to be successful.
A contract is important because it does what? A. Gives permission B. Gives test parameters C. Gives proof D. Gives a mission
C. A contract gives proof that permission and parameters were established.
Which of the following best describes what a hacktivist does? A. Defaces websites B. Performs social engineering C. Hacks for political reasons D. Hacks with basic skills
C. A hacktivist engages in mischief for political reasons.
Which of the following describes an attacker who goes after a target to draw attention to a cause? A. Terrorist B. Criminal C. Hacktivist D. Script kiddie
C. A hacktivist is an individual or group that performs hacking and other disruptive activities with the intention of drawing attention to a particular cause or message.
A message digest is a product of which kind of algorithm? A. Symmetric B. Asymmetric C. Hashing D. Steganography
C. A message digest is a product of a hashing algorithm, which may also be called a message digest function.
What is the purpose of a proxy? A. To assist in scanning B. To perform a scan C. To keep a scan hidden D. To automate the discovery of vulnerabilities
C. A proxy is used to hide the party launching a scan.
A public and private key system differs from symmetric because it uses which of the following? A. One key B. One algorithm C. Two keys D. Two algorithms
C. A public and private key are mathematically related keys, but they are not identical. In symmetric systems only one key is used at a time.
A full-open scan means that the three-way handshake has been completed. What is the difference between this and a half-open scan? A. A half-open uses TCP B. A half-open uses UDP C. A half-open removes the final ACK D. A half-open includes the final ACK
C. A three-way handshake is part of every TCP connection and happens at the beginning of every connection. In the case of a half-open scan, however, a final ACK is not sent, therefore leaving the connection halfway complete.
Which of the following best describes a vulnerability? A. A worm B. A virus C. A weakness D. A rootkit
C. A vulnerability is a weakness. Worms, viruses, and rootkits are forms of malware.
What can be configured in most search engines to monitor and alert you of changes to content? A. Notifications B. Schedules C. Alerts D. HTTP
C. Alerts can be set up with Google as well as other search engines to monitor changes on a given website or URL. When a change is detected, the alert is sent to the requestor.
When scanning a network via a hardline connection to a wired-switch NIC in promiscuous mode, what would be the extent of network traffic you would expect to see? A. Entire network B. VLAN you are attached to C. All nodes attached to the same port D. None
C. Because each switchport is its own collision domain, only nodes that reside on the same switchport will be seen during a scan.
In IPSec, encryption and other processes happen at which layer of the OSI model? A. Level 1 B. Level 2 C. Level 3 D. Level 4
C. IPSec operates at the Network layer, or layer 3, of the OSI model, unlike many previous techniques.
An administrator has just been notified of irregular network activity; what appliance functions in this manner? A. IPS B. Stateful packet filtering C. IDS D. Firewall
C. Intrusion detection systems (IDSs) react to irregular network activity by notifying support staff of the incident; however, unlike IPSs, they do not proactively take steps to prevent further activity from occurring.
What network appliance senses irregularities and plays an active role in stopping that irregular activity from continuing? A. System Administrator B. Firewall C. IPS D. IDP
C. Intrusion prevention systems (IPSs) play an active role in preventing further suspicious activity after it is detected.
Which of the following best describes PGP? A. A symmetric algorithm B. A type of key C. A way of encrypting data in a reversible method D. A key escrow system
C. PGP is a method of encrypting stored data to include e-mails, stored data, and other similar information. It is a form of public and private key encryption.
Which category of firewall filters is based on packet header data only? A. Stateful B. Application C. Packet D. Proxy
C. Packet filtering firewalls inspect solely the packet header information.
Which of the following cannot be used during footprinting? A. Search engines B. E-mail C. Port scanning D. Google hacking
C. Port scanning is typically reserved for later stages of the attack process.
What phase comes after footprinting? A. System hacking B. Enumeration C. Scanning D. Transfer files
C. Scanning comes after the footprinting phase. Footprinting is used to get a better idea of the target.
Which of the following can be used to assess physical security? A. Web cams B. Satellite photos C. Street views D. Interviews
C. Street-level views using technology such as Google Street View can give you a picture of what types of security and access points may be present in a location.
In IPSec, what does Authentication Header (AH) provide? A. Data security B. Header security C. Authentication services D. Encryption
C. The Authentication Header provides authentication services to data, meaning that the sender of the data can be authenticated by the receiver of the data.
The Wayback Machine is used to do which of the following? A. Get job postings B. View websites C. View archived versions of websites D. Back up copies of websites
C. The Wayback Machine is used to view archived versions of websites if available (not all websites are archived via the Wayback Machine).
Which of the following forms are usually malicious? A. Software applications B. Scripts C. Viruses D. Grayware
C. Viruses are the oldest and best known form of malicious code or malware.
A white box test means the tester has which of the following? A. No knowledge B. Some knowledge C. Complete knowledge D. Permission
C. White box testers have complete knowledge of the environment they have been tasked with attacking.
A banner can? A. Identify an OS B. Help during scanning C. Identify weaknesses D. Identify a service
D. A banner can be changed on many services keeping them from being easily identified. However, if this is not done it is possible to use tools such as telnet to gain information about a service and use that information to fine-tune an attack.
Which of the following manages digital certificates? A. Hub B. Key C. Public key D. Certification authority
D. A certification authority is responsible for issuing and managing digital certificates as well as keys.
What separates a suicide hacker from other attackers? A. A disregard for the law B. A desire to be helpful C. The intent to reform D. A lack of fear of being caught
D. A suicide hacker's main difference from other hackers is their complete and utter lack of concern about being caught.
Which topology has built-in redundancy because of its many client connections? A. Token ring B. Bus C. Hybrid D. Mesh
D. A true mesh topology creates a natural amount of redundancy due to the number of connections used to establish connectivity.
If you can't gain enough information directly from a target, what is another option? A. EDGAR B. Social engineering C. Scanning D. Competitive analysis
D. Competitive analysis can prove very effective when you're trying to gain more detailed information about a target. Competitive analysis relies on looking at a target's competitors in an effort to find out more about the target.
At what point can SSL be used to protect data? A. On a hard drive B. On a flash drive C. On Bluetooth D. During transmission
D. Data can be protected using SSL during transmission. If data is being stored on a hard drive or flash drive, SSL is not effective at providing cryptographic services.
Which of the following is not a flag on a packet? A. URG B. PSH C. RST D. END
D. END is not a type of flag. Valid flags are ACK, FIN, SYN, and PSH.
What kind of domain resides on a single switchport? A. Windows domain B. Broadcast domain C. Secure domain D. Collision domain
D. Each port on a switch represents a collision domain.
Footprinting can determine all of the following except: A. Hardware types B. Software types C. Business processes D. Number of personnel
D. Footprinting is not very effective at gaining information about number of personnel.
Which of the following best describes footprinting? A. Enumeration of services B. Discovery of services C. Discussion with people D. Investigation of a target
D. Footprinting is the gathering of information relating to an intended target. The idea is to gather as much information about the target as possible before starting an attack.
Which of the following is the purpose of the footprinting process? A. Entering a system B. Covering tracks C. Escalating privileges D. Gathering information
D. Footprinting is used to gather information about a target environment.
Which of the following describes a hacker who attacks without regard for being caught or punished? A. Hacktivist B. Terrorist C. Criminal D. Suicide hacker
D. Much like suicide bombers in the real world, suicide hackers do not worry about getting caught; they are concerned with their mission first.
Which technology allows the use of a single public address to support many internal clients while also preventing exposure of internal IP addresses to the outside world? A. VPN B. Tunneling C. NTP D. NAT
D. Network Address Translation (NAT) is a technology that funnels all internal traffic through a single public connection. NAT is implemented for both cost savings and network security.
Which of the following is used to perform network scans? A. Nessus B. Wireshark C. AirPcap D. Nmap
D. Nmap is a utility used to scan networks and systems and for other types of custom scans.
Which system does SSL use to function? A. AES B. DES C. 3DES D. PKI
D. PKI is used in the process of making SSL function. While it is true that AES, DES, and 3DES can be used in SSL connections, PKI is the only one used consistently in all situations.
Which of the following does IPSec use? A. SSL B. AES C. DES D. PKI
D. PKI is used with IPSec to allow it to function in environments of any size. IPSec is also capable of using Preshared Keys if desired by the system owner.
What port range is an obscure third-party application most likely to use? A. 1 to 1024 B. 1024 to 32767 C. 32767 to 49151 D. 49151 to 65535
D. Ports 49152 to 65535 are known as the dynamic ports and are used by applications that are neither well known nor registered. The dynamic range is essentially reserved for those applications that are not what we would consider mainstream. Although obscure in terms of port usage, repeated showings of the same obscure port during pen testing or assessment may be indicative of something strange going on.
What device acts as an intermediary between an internal client and a web resource? A. Router B. PBX C. VTC D. Proxy
D. Proxies act as intermediaries between internal host computers and the outside world.
At which layer of the OSI model does a proxy operate? A. Physical B. Network C. Data link D. Application
D. Proxies operate at layer 7, the application layer of the OSI model. Proxies are capable of filtering network traffic based on content such as keywords and phrases. Because of this, a proxy digs down further than a packet's header and reviews the data within the packet as well.
You have selected the option in your IDS to notify you via e-mail if it senses any network irregularities. Checking the logs, you notice a few incidents but you didn't receive any alerts. What protocol needs to be configured on the IDS? A. NTP B. SNMP C. POP3 D. SMTP
D. Simple Mail Transfer Protocol (SMTP) operates on port 25 and is used for outgoing mail traffic. In this scenario, the IDS SMTP configuration needs to be updated.
What is the purpose of social engineering? A. Gain information from a computer B. Gain information from the Web C. Gain information from a job site D. Gain information from a human being
D. While a computer, e-mail, or phone may be used, social engineering ultimately uses other items as tools to gain information from a human being.
Choosing a protective network appliance, you want a device that will inspect packets at the most granular level possible while providing improved traffic efficiency. What appliance would satisfy these requirements? A. Layer 3 switch B. NAT-enabled router C. Proxy firewall D. Packet filtering firewall
D. Packet filtering firewalls operate at layer 7 of the OSI model and thus filter traffic at a highly granular level.
Which of the following is used to increase access to a system? A. System hacking B. Privilege escalation C. Enumeration D. Backdoor
A. The purpose of system hacking is to gain access to a system with the intention of making it available for later attacks and interaction.
What is the three-way handshake? A. The opening sequence of a TCP connection B. A type of half-open scan C. A Xmas scan D. Part of a UDP scan
A. The three-way handshake happens at the beginning of every TCP connection.
Which of the following best describes hashing? A. An algorithm B. A cipher C. Nonreversible D. A cryptosystem
C. Hashing is referred to as a cipher or algorithm or even a cryptosystem, but it can be uniquely referred to as a nonreversible mechanism for verifying the integrity of data. Remember that hashing doesn't enforce confidentiality.
Which network topology uses a token-based access methodology? A. Ethernet B. Star C. Bus D. Ring
D. Token ring networks use a token-based access methodology. Each node connected to the network must wait for possession of the token before it can send traffic via the ring.
Which of these protocols is a connection-oriented protocol? A. FTP B. UDP C. POP3 D. TCP
D. Transmission Control Protocol (TCP) is a connection-oriented protocol that uses the three-way-handshake to confirm a connection is established. FTP and POP3 use connections, but they are not connection-oriented protocols.
Which best describes a vulnerability scan? A. A way to find open ports B. A way to diagram a network C. A proxy attack D. A way to automate the discovery of vulnerabilities
D. Vulnerability scans are designed to pick up weaknesses in a system. They are typically automated.