CEH
What attack is used to crack passwords by using a precomputed table of hashed passwords?
A rainbow table attack
You have successfully gained access to your client's internal network and successfully compromised a Linux server which is part of the internal IP network. You want to know which Microsoft Windows workstations have file sharing enabled. Which port would you see listening on these Windows machines in the network? A. 445 B. 3389 C. 161 D. 1433
A. 445
A hacker has successfully infected an internet-facing server which he will then use to send junk mail, take part in coordinated attacks, or host junk email content. Which sort of trojan infects this server? A. Botnet Trojan B. Banking Trojans C. Turtle Trojans D. Ransomware Trojans
A. Botnet Trojan
Which method of password cracking takes the most time and effort? A. Brute force B. Rainbow tables C. Dictionary attack D. Shoulder surfing
A. Brute force
After trying multiple exploits, you've gained root access to a Centos 6 server. To ensure you maintain access, what would you do first? A. Create User Account B. Disable Key Services C. Disable IPTables D. Download and Install Netcat
A. Create User Account
________ is a set of extensions to DNS that provide to DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack types. A. DNSSEC B. Zone transfer C. Resource transfer D. Resource records
A. DNSSEC
A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of the files is a tarball, two are shell script files, and the third is a binary file named `nc`. The FTP server's access logs show that the anonymous user account logged in to the server, uploaded the files, extracted the contents of the tarball, and ran the script using a function provided by the FTP server's software. The ps command shows that the nc file is running as a process, and the netstat command shows the nc process is listening on a network port. What kind of vulnerability must be present to make this remote attack possible? A. File system permissions B. Privilege escalation C. Directory traversal D. Brute force login
A. File system permissions
It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing, and sharing any electronic medical data to keep patient data secure. Which of the following regulations best matches the description? A. HIPAA B. COBIT C. FISMA D. ISO/IEC 27002
A. HIPAA
An attacker with access to the inside network of a small company launches a successful STP manipulation attack. What will he do next? A. He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer. B. He will activate OSPF on the spoofed root bridge. C. He will repeat this action so that it escalates to a DoS attack. D. He will repeat the same attack against all L2 switches of the network.
A. He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer.
What is the process of logging, recording, and resolving events that take place in an organization? A. Incident Management Process B. Metrics C. Internal Procedures D. Security Policy
A. Incident Management Process
An enterprise recently moved to a new office and the new neighborhood is a little risky. The CEO wants to monitor the physical perimeter and the entrance doors 24 hours. What is the best option to do this job? A. Install a CCTV with cameras pointing to the entrance doors and the street. B. Use an IDS in the entrance doors and install some of them near the corners. C. Use lights in all the entrance doors and along the company's perimeter. D. Use fences in the entrance doors.
A. Install a CCTV with cameras pointing to the entrance doors and the street.
What is the role of test automation in security testing? A. It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace manual testing completely. B. It is an option but it tends to be very expensive. C. It should be used exclusively. Manual testing is outdated because of low speed and possible test setup inconsistencies. D. Test automation is not usable in security due to the complexity of the tests.
A. It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace manual testing completely.
An attacker attaches a rogue router in a network. He wants to redirect traffic to a LAN attached to his router as part of a man-in-the-middle attack. What measure on behalf of the legitimate admin can mitigate this attack? A. Make sure that legitimate network routers are configured to run routing protocols with authentication. B. Disable all routing protocols and only use static routes C. Only using OSPFv3 will mitigate this risk. D. Redirection of the traffic cannot happen unless the admin allows it explicitly.
A. Make sure that legitimate network routers are configured to run routing protocols with authentication.
Which tool allows analysts and pen testers to examine links between data using graphs and link analysis? A. Maltego B. Cain & Abel C. Metasploit D. Wireshark
A. Maltego
You are performing information gathering for an important penetration test. You have found pdf, doc, and images in your objective. You decide to extract metadata from these files and analyze it. What tool will help you with the task? A. Metagoofil B. Armitage C. Dimitry D. cdpsnarf
A. Metagoofil
Using Windows CMD, how would an attacker list all the shares to which the current user context has access? A. NET USE B. NET CONFIG C. NET FILE D. NET VIEW
A. NET USE
You have compromised a server on a network and successfully opened a shell. You aimed to identify all operating systems running on the network. However, as you attempt to fingerprint all machines in the network using the nmap syntax below, it is not going through. invictus@victim_server:~$ nmap -T4 -O 10.10.0.0/24 TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING! What seems to be wrong? A. OS Scan requires root privileges. B. The nmap syntax is wrong. C. This is a common behavior for a corrupted nmap application. D. The outgoing TCP/IP fingerprinting is blocked by the host firewall.
A. OS Scan requires root privileges.
How can rainbow tables be defeated? A. Password salting B. Use of non-dictionary words C. All uppercase character passwords D. Lockout accounts under brute force password cracking attempts
A. Password salting
A regional bank hires your company to perform a security assessment on their network after a recent data breach. The attacker was able to steal financial data from the bank by compromising only a single server. Based on this information, what should be one of your key recommendations to the bank? A. Place a front-end web server in a demilitarized zone that only handles external web traffic B. Move the financial data to another server on the same IP subnet C. Require all employees to change their passwords immediately D. Issue new certificates to the web servers from the root certificate authority
A. Place a front-end web server in a demilitarized zone that only handles external web traffic
Which of the following incident handling process phases is responsible for defining rules, collaborating human workforce, creating a backup plan, and testing plans for an organization? A. Preparation Phase B. Identification Phase C. Recovery Phase D. Containment Phase
A. Preparation Phase
Your team has won a contract to infiltrate an organization. The company wants to have the attack be as realistic as possible; therefore, they did not provide any information besides the company name. What should be the first step in security testing the client? A. Reconnaissance B. Enumeration C. Scanning D. Escalation
A. Reconnaissance
Which of the following security operations is used for determining the attack surface of an organization? A. Running a network scan to detect network services in the corporate DMZ B. Training employees on the security policy regarding social engineering C. Reviewing the need for a security clearance for each employee D. Using configuration management to determine when and where to apply security patches
A. Running a network scan to detect network services in the corporate DMZ
You're doing an internal security audit and you want to find out what ports are open on all the servers. What is the best way to find out? A. Scan servers with Nmap B. Physically go to each server C. Scan servers with MBSA D. Telnet to every port on each server
A. Scan servers with Nmap
By using a smart card and pin, you are using a two-factor authentication that satisfies A. Something you have and something you know B. Something you are and something you remember C. Something you know and something you are D. Something you have and something you are
A. Something you have and something you know
During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called? A. Split DNS B. DNSSEC C. DynDNS D. DNS Scheme
A. Split DNS
Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run? A. Stealth/ Tunneling virus B. Macro virus C. Cavity virus D. Polymorphic virus
A. Stealth/ Tunneling virus
If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP? A. TCP ping B. Hping C. Traceroute D. Broadcast ping
A. TCP ping
A hacker has managed to gain access to a Linux host and stolen the password file from /etc/passwd. How can he use it? A. The password file does not contain the passwords themselves. B. He can open it and read the user ids and corresponding passwords. C. The file reveals the passwords to the root user only. D. He cannot read it because it is encrypted.
A. The password file does not contain the passwords themselves.
Port scanning can be used as part of a technical assessment to determine network vulnerabilities. The TCP XMAS scan is used to identify listening ports on the targeted system. If a scanned port is open, what happens? A. The port will ignore the packets. B. The port will send an RST. C. The port will send an ACK. D. The port will send a SYN.
A. The port will ignore the packets.
Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer? A. Use a scan tool like Nessus B. Use the built-in Windows Update tool C. Check MITRE.org for the latest list of CVE findings D. Create a disk image of a clean Windows installation
A. Use a scan tool like Nessus
Which of the following is the BEST way to defend against network sniffing? A. Using encryption protocols to secure network communications B. Register all machines MAC Address in a Centralized Database C. Restrict Physical Access to Server Rooms hosting Critical Servers D. Use Static IP Address
A. Using encryption protocols to secure network communications
Which system consists of a publicly available set of databases that contain domain name registration contact information? A. WHOIS B. IANA C. CAPTCHA D. IETF
A. WHOIS
The network administrator contacts you and tells you that she noticed the temperature on the internal wireless router increases by more than 20% during weekend hours when the office was closed. She asks you to investigate the issue because she is busy dealing with a big conference and she doesn't have time to perform the task. What tool can you use to view the network traffic being sent and received by the wireless router? A. Wireshark B. Nessus C. Netcat D. Netstat
A. Wireshark
You want to do an ICMP scan on a remote computer using hping2. What is the proper syntax? A. hping2 -1 host.domain.com B. hping2 host.domain.com C. hping2 -l host.domain.com D. hping2 --set-ICMP host.domain.com
A. hping2 -1 host.domain.com
You have successfully compromised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly. What is the best nmap command you will use? A. nmap -T4 -F 10.10.0.0/24 B. nmap -T4 -r 10.10.1.0/24 C. nmap -T4 -O 10.10.0.0/24 D. nmap -T4 -q 10.10.0.0/24
A. nmap -T4 -F 10.10.0.0/24
When you are collecting information to perform a data analysis, Google commands are very useful to find sensitive information and files. These files may contain information about passwords, system functions, or documentation. What command will help you to search files using Google as a search engine? A. site: target.com filetype:xls username password email B. domain: target.com archieve:xls username password email C. inurl: target.com filename:xls username password email D. site: target.com file:xls username password email
A. site: target.com filetype:xls username password email
You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has snort installed, and the second machine (192.168.0.150) has kiwi syslog installed. You perform a syn scan in your network, and you notice that kiwi syslog is not receiving the alert message from snort. You decide to run wireshark in the snort machine to check if the messages are going to the kiwi syslog machine. What wireshark filter will show the connections from the snort machine to kiwi syslog machine? A. tcp.dstport==514 && ip.dst==192.168.0.150 B. tcp.srcport==514 && ip.src==192.168.0.99 C. tcp.dstport==514 && ip.dst==192.168.0.0/16 D. tcp.srcport==514 && ip.src==192.168.150
A. tcp.dstport==514 && ip.dst==192.168.0.150
Which of the following is a command line packet analyzer similar to GUI-based Wireshark? A. tcpdump B. nessus C. etherea D. Jack the ripper
A. tcpdump
Which of the following tools is used to analyze the files produced by several packet-capture programs such as tcpdump, WinDump, Wireshark, and EtherPeek? A. tcptrace B. Nessus C. OpenVAS D. tcptraceroute
A. tcptrace
The establishment of a TCP connection involves a negotiation called the three-way handshake. What type of message does the client send to the server in order to begin this negotiation? A. ACK B. SYN C. RST D. SYN-ACK
B. SYN
A newly discovered flaw in a software application would be considered which kind of security vulnerability? A. Input validation flaw B. 0-day vulnerability C. Time-to-check to time-to-use flaw D. HTTP header injection vulnerability
B. 0-day vulnerability
What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes the received response? A. Passive B. Active C. Reflective D. Distributive
B. Active
A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much information can be obtained from the firm's public facing web servers. The engineer decides to start by using netcat to port 80. The engineer receives this output: HTTP/1.1 200 OK; Server: Microsoft-IIS/6; Expires: Tue, 17 Jan 2011 01:41:33 GMT; Date: Mon, 16 Jan 2011 01:41:33 GMT; Content-Type: text/html; Accept-Ranges: bytes; Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT; ETag: "b0aac0542e25c31:89d"; Content-Length: 7369. Which of the following is an example of what the engineer performed? A. Cross-site scripting B. Banner grabbing C. SQL injection D. Whois database query
B. Banner grabbing
Which type of security feature stops vehicles from crashing through the doors of a building? A. Turnstile B. Bollards C. Mantrap D. Receptionist
B. Bollards
An attacker is trying to redirect the traffic of a small office. That office is using their own mail server, DNS server and NTP server because of the importance of their job. The attacker gains access to the DNS server and redirects the direction www.google.com to his own IP address. Now when the employees of the office want to go to Google they are being redirected to the attacker machine. What is the name of this kind of attack? A. MAC Flooding B. DNS spoofing C. ARP Poisoning D. Smurf Attack
B. DNS spoofing
What mechanism in Windows prevents a user from accidentally executing a potentially malicious batch (.bat) or PowerShell (.ps1) script? A. User Access Control (UAC) B. Data Execution Prevention (DEP) C. Address Space Layout Randomization (ASLR) D. Windows firewall
B. Data Execution Prevention (DEP)
A computer science student needs to fill some information into a secured Adobe PDF job application that was received from a prospective employer. Instead of requesting a new document that allowed the forms to be completed, the student decides to write a script that pulls passwords from a list of commonly used passwords to try against the secured PDF until the correct password is found or the list is exhausted. Which cryptography attack is the student attempting? A. Session hijacking B. Dictionary-attack C. Brute-force attack D. Man-in-the-middle attack
B. Dictionary-attack
Emil uses nmap to scan two hosts using this command: nmap -sS -T4 -O 192.168.99.1 192.168.99.7 He receives this output: Nmap scan report for 192.168.99.1 Host is up (0.00082s latency). Not shown: 994 filtered ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 53/tcp open domain 80/tcp open http 161/tcp closed snmp MAC Address: B0:75:D5:33:57:74 (ZTE) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 - 2.6.33 Network Distance: 1 hop Nmap scan report for 192.168.99.7 Host is up (0.000047s latency). All 1000 scanned ports on 192.168.99.7 are closed Too many fingerprints match this host to give specific OS details Network Distance: 0 hops What is his conclusion? A. Host 192.168.99.7 is an iPad. B. He performed a SYN scan and OS scan on hosts 192.168.99.1 and 192.168.99.7. C. Host 192.168.99.1 is the host that he launched the scan from. D. Host 192.168.99.7 is down.
B. He performed a SYN scan and OS scan on hosts 192.168.99.1 and 192.168.99.7.
Which of the following parameters describe the LM Hash? I- The maximum password length is 14 characters. II- There are no distinctions between uppercase and lowercase. III- It's a simple algorithm, so 10,000,000 hashes can be generated per second. A. I B. I, II, and III C. II D. I and II
B. I, II, and III
You have gained physical access to a Windows 2008 R2 server which has an accessible disc drive. When you attempt to boot the server and log in, you are unable to guess the password. In your toolkit, you have an Ubuntu 9.10 Linux LiveCD. Which Linux-based tool can change any user's password or activate disabled Windows accounts? A. John the Ripper B. SET C. CHNTPW D. Cain & Abel
C. CHNTPW. chntpw is a software utility for resetting or blanking local passwords used by Windows NT, 2000, XP, Vista, 7, 8 and 8.1. It does this by editing the SAM database, where Windows stores password hashes.
The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106: Time:Mar 13 17:30:15 Port:20 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:17 Port:21 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:19 Port:22 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:21 Port:23 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:22 Port:25 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:23 Port:80 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:30 Port:443 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP What type of activity has been logged? A. Port scan targeting 192.168.1.103 B. Port scan targeting 192.168.1.106 C. Denial of service attack targeting 192.168.1.103 D. Teardrop attack targeting 192.168.1.106
B. Port scan targeting 192.168.1.106
The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the Central Processing Unit (CPU), rather than passing only the frames that the controller is intended to receive. Which of the following is being described? A. Multi-cast mode B. Promiscuous mode C. WEM D. Port forwarding
B. Promiscuous mode
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive? A. Intrusion Prevention System (IPS) B. Protocol analyzer C. Network sniffer D. Vulnerability scanner
B. Protocol analyzer
Which results will be returned with the following Google search query? site:target.com -site:Marketing.target.com accounting A. Results matching all words in the query B. Results matching "accounting" in domain target.com but not on the site Marketing.target.com C. Results from matches on the site marketing.target.com that are in the domain target.com but do not include the word accounting D. Results for matches on target.com and Marketing.target.com that include the word "accounting"
B. Results matching "accounting" in domain target.com but not on the site Marketing.target.com
An attacker tries to do banner grabbing on a remote web server and executes the following command. $ nmap -sV host.domain.com -p 80 He gets the following output. Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-08 19:10 EST Nmap scan report for host.domain.com (108.61.158.211) Host is up (0.032s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd Service detection performed. Please report any incorrect results at http://nmap.org/submit/. Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds What did the hacker accomplish? A. nmap can't retrieve the version number of any running remote service. B. The hacker successfully completed the banner grabbing. C. The hacker should've used nmap -O host.domain.com. D. The hacker failed to do banner grabbing as he didn't get the version of the Apache web server.
B. The hacker successfully completed the banner grabbing.
A penetration tester is conducting a port scan on a specific host. The tester found several open ports that made it hard to conclude which Operating System (OS) version is installed. Considering the NMAP result below, which of the following is most likely installed on the target machine? Starting NMAP 5.21 at 2011-03-15 11:06 NMAP scan report for 172.16.40.65 Host is up (1.00s latency). Not shown: 993 closed ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 80/tcp open http 139/tcp open netbios-ssn 515/tcp open 631/tcp open ipp 9100/tcp open MAC Address: 00:00:48:0D:EE:8 A. The host is likely a Linux machine. B. The host is likely a printer. C. The host is likely a router. D. The host is likely a Windows machine.
B. The host is likely a printer.
What is the benefit of performing an unannounced Penetration Test? A. It is the best way to catch critical infrastructure unpatched B. The tester will have actual visibility of the security posture of the target network C. Network security would be in a "best state" posture D. The tester could not provide an honest analysis
B. The tester will have actual visibility of the security posture of the target network
In IPv6, what is the major difference concerning application layer vulnerabilities compared to IPv4? A. Implementing IPv4 security in a dual-stack network offers protection from IPv6 attacks too. B. Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation techniques are almost identical. C. Due to the extensive security measures built in IPv6, application layer vulnerabilities need not be addressed. D. Vulnerabilities in the application layer are greatly different from IPv4.
B. Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation techniques are almost identical.
Which of the following tools can be used for passive OS fingerprinting? A. nmap B. tcpdump C. tracert D. ping
B. tcpdump
Which of the following security policies defines the use of VPN for gaining access to an internal corporate network? A. Network security policy B. Access control policy C. Remote access policy D. Information protection policy
C. Remote access policy
Todd has been asked by the security officer to purchase a counter-based authentication system. Which of the following best describes this type of system? A. A biometric system that bases authentication decisions on behavioral attributes. B. A biometric system that bases authentication decisions on physical attributes. C. An authentication system that creates one-time passwords that are encrypted with secret keys. D. An authentication system that uses passphrases that are converted into virtual passwords.
C. An authentication system that creates one-time passwords that are encrypted with secret keys.
It has been reported to you that someone has caused an information spillage on their computer. You go to the computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What step in incident handling did you just complete? A. Discovery B. Eradication C. Containment D. Recovery
C. Containment
What network security concept requires multiple layers of security controls to be placed throughout an IT infrastructure, which improves the security posture of an organization to defend against malicious attacks or potential vulnerabilities? A. Security through obscurity B. Host-Based Intrusion Detection System C. Defense in depth D. Network-Based Intrusion Detection System
C. Defense in depth
An attacker is using nmap to do a ping sweep and a port scan in a subnet of 254 addresses. In which order should he perform these steps? A. The sequence does not matter. Both steps have to be performed against all hosts. B. First the port scan to identify interesting services and then the ping sweep to find hosts responding to icmp echo requests. C. First the ping sweep to identify live hosts and then the port scan on the live hosts. This way he saves time. D. The port scan alone is adequate. This way he saves time.
C. First the ping sweep to identify live hosts and then the port scan on the live hosts. This way he saves time.
You have successfully compromised a machine on the network and found a server that is alive on the same network. You tried to ping it but you didn't get any response back. What is happening? A. You need to run the ping command with root privileges. B. The ARP is disabled on the target server. C. ICMP could be disabled on the target server. D. TCP/IP doesn't support ICMP.
C. ICMP could be disabled on the target server.
Under the "Post-attack Phase and Activities", it is the responsibility of the tester to restore the systems to a pre-test state. Which of the following activities should not be included in this phase? I. Removing all files uploaded on the system. II. Cleaning all registry entries III. Mapping of network state IV. Removing all tools and maintaining backdoor for reporting. A. III B. IV C. III and IV D. All
C. III and IV
Seth is starting a penetration test from inside the network. He hasn't been given any information about the network. What type of test is he conducting? A. Internal Whitebox B. External, Whitebox C. Internal, Blackbox D. External, Blackbox
C. Internal, Blackbox
How does the Address Resolution Protocol (ARP) work? A. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP. B. It sends a reply packet for a specific IP, asking for the MAC address. C. It sends a request packet to all the network elements, asking for the MAC address from a specific IP. D. It sends a request packet to all the network elements, asking for the domain name from a specific IP.
C. It sends a request packet to all the network elements, asking for the MAC address from a specific IP.
In cryptanalysis and computer security, 'pass the hash' is a hacking technique that allows an attacker to authenticate to a remote server/service by using the underlying NTLM and/or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. Metasploit Framework has a module for this technique: psexec. The psexec module is often used by penetration testers to obtain access to a given system for which you already know the credentials. It was written by Sysinternals and has been integrated within the framework. Often, penetration testers successfully gain access to a system through some exploit, use meterpreter to grab the passwords, or use other methods like fgdump, pwdump, or cachedump, and then utilize rainbow tables to crack those hash values. Which of the following is the correct hash type and order used in the psexec module's 'smbpass' option? A. NT:LM B. LM:NT C. LM:NTLM D. NTLM:LM
C. LM:NTLM
Which of the following programs is usually targeted at Microsoft Office products? A. Stealth virus B. Polymorphic virus C. Macro virus D. Multipart virus
C. Macro virus
Which of the following describes the characteristics of a Boot Sector Virus? A. Modifies directory table entries so that directory entries point to the virus code instead of the actual program. B. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR. C. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR. D. Overwrites the original MBR and only executes the new virus code.
C. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.
The "black box testing" methodology enforces what kind of restriction? A. Only the internal operation of a system is known to the tester B. The internal operation of a system is completely known to the tester C. Only the external operation of a system is accessible to the tester D. The internal operation of a system is only partly accessible to the tester
C. Only the external operation of a system is accessible to the tester
This international organization regulates billions of transactions daily and provides security guidelines to protect personally identifiable information (PII). These security controls provide a baseline and prevent low-level hackers sometimes known as script kiddies from causing a data breach. Which of the following organizations is being described? A. International Security Industry Organization (ISIO) B. Center for Disease Control (CDC) C. Payment Card Industry (PCI) D. Institute of Electrical and Electronics Engineers (IEEE)
C. Payment Card Industry (PCI)
In which phase of the ethical hacking process can Google hacking be employed? This is a technique that involves manipulating a search string with specific operators to search for vulnerabilities. Example: allintitle: root passwd A. Maintaining Access B. Scanning and Enumeration C. Reconnaissance D. Gaining Access
C. Reconnaissance
John the Ripper is a technical assessment tool used to test the weakness of which of the following? A. Usernames B. File permissions C. Firewall rulesets D. Passwords
D. Passwords
A security analyst is performing an audit on the network to determine if there are any deviations from the security policies in place. The analyst discovers that a user from the IT department had a dial-out modem installed. Which security policy must the security analyst check to see if dial-out modems are allowed? A. Firewall-management policy B. Permissive policy C. Remote-access policy D. Acceptable-use policy
C. Remote-access policy
If there is an Intrusion Detection System (IDS) on the intranet, which port scanning technique cannot be used? A. Spoof Scan B. TCP Connect scan C. TCP SYN D. Idle Scan
C. TCP SYN
The "gray box testing" methodology enforces what kind of restriction? A. Only the external operation of a system is accessible to the tester B. The internal operation of a system is completely known to the tester C. The internal operation of a system is only partly accessible to the tester D. Only the internal operation of a system is known to the tester
C. The internal operation of a system is only partly accessible to the tester
Jesse receives an email with an attachment labeled "Court_Notice_21206.zip". Inside the zip file is a file named "Court_Notice_21206.docx.exe" disguised as a Word document. Upon execution, a window appears stating, "This word document is corrupt." In the background, the file copies itself to Jesse's APPDATA\Local directory and begins to beacon to a C2 server to download additional malicious binaries. What type of malware has Jesse encountered? A. Macro Virus B. Worm C. Trojan D. Key-Logger
C. Trojan
To browse the Internet anonymously, which of the following is the best choice? A. Use shared WiFi B. Use SSL sites when entering personal information C. Use Tor network with multi-node D. Use public VPN
C. Use Tor network with multi-node
Craig received a report of all the computers on the network that showed all the missing patches and weak passwords. What type of software generated this report? A. a port scanner B. a malware scanner C. a vulnerability scanner D. a virus scanner
C. a vulnerability scanner
Which of the following will perform an Xmas scan using NMAP? A. nmap -sA 192.168.1.254 B. nmap -sP 192.168.1.254 C. nmap -sX 192.168.1.254 D. nmap -sV 192.168.1.254
C. nmap -sX 192.168.1.254
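What "-sX" actually puts on the wire, as an added example that is not part of the original question: a bare TCP segment with the FIN, PSH and URG bits set, plus the rule set Nmap applies to whatever comes back. The source/destination addresses, ports and the sample replies in the test are constructed; the code only builds and inspects byte strings, it does not send anything.

```python
"""Added example (not from the original page): build an Nmap-style Xmas probe
(-sX) by hand and classify the reply the way the scanner does.
Addresses and ports used with it are constructed for illustration."""
import struct

# TCP flag bits, low six bits of the flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS_FLAGS = FIN | PSH | URG   # 0x29: the "lit up" header that gives the scan its name


def _ip(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def _checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0):
    """20-byte TCP header, no options, no payload, checksummed over the IPv4 pseudo-header."""
    offset_flags = (5 << 12) | flags          # data offset = 5 words
    header = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, 1024, 0, 0)
    pseudo = struct.pack("!4s4sBBH", _ip(src_ip), _ip(dst_ip), 0, 6, len(header))
    csum = _checksum(pseudo + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    pseudo = struct.pack("!4s4sBBH", _ip(src_ip), _ip(dst_ip), 0, 6, len(segment))
    return _checksum(pseudo + segment) == 0


def xmas_probe(src_ip, dst_ip, sport, dport) -> bytes:
    """The probe nmap -sX sends to each target port."""
    return build_tcp_segment(src_ip, dst_ip, sport, dport, XMAS_FLAGS)


def tcp_flags(segment: bytes) -> int:
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


def classify_xmas_reply(reply):
    """Nmap's -sX interpretation: no reply -> open|filtered, RST -> closed,
    ICMP unreachable (modelled here as the string 'icmp-unreach') -> filtered.
    Stacks that ignore RFC 793 (Windows, many Cisco/IBM devices) send RST for
    every port, so every port looks closed; that is the scan's known blind spot."""
    if reply is None:
        return "open|filtered"
    if reply == "icmp-unreach":
        return "filtered"
    if tcp_flags(reply) & RST:
        return "closed"
    return "unexpected"
```

The point for a tester: because the probe never completes a handshake, a silent port and a firewalled port are indistinguishable, which is why the result column says open|filtered rather than open.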
As an Ethical Hacker you are capturing traffic from your customer's network with Wireshark and you need to find and verify just SMTP traffic. Which Wireshark display filter will show only this kind of traffic? A. tcp.contains port 25 B. request smtp 25 C. tcp.port eq 25 D. smtp port
C. tcp.port eq 25
Nation-state threat actors often discover vulnerabilities and hold on to them until they want to launch a sophisticated attack. The Stuxnet attack was an unprecedented style of attack because it exploited four previously unknown vulnerabilities at once. What is this style of attack called? A. zero-hour B. no-day C. zero-day D. zero-sum
C. zero-day
In an internal security audit, the white hat hacker gains control over a user account and attempts to acquire access to another account's confidential files and information. How can he achieve this? A. Hacking Active Directory B. Port Scanning C. Shoulder-Surfing D. Privilege Escalation
D. Privilege Escalation
Bob learned that his username and password for a popular game have been compromised. He contacts the company and resets all the information. The company suggests he use two-factor authentication. Which option below offers that? A. A new username and password B. Disable his username and use just a fingerprint scanner. C. His username and a stronger password. D. A fingerprint scanner and his username and password.
D. A fingerprint scanner and his username and password.
What is the correct process for the TCP three-way handshake connection establishment and connection termination? A. Connection Establishment: FIN, ACK-FIN, ACK Connection Termination: SYN, SYN-ACK, ACK B. Connection Establishment: SYN, SYN-ACK, ACK Connection Termination: ACK, ACK-SYN, SYN C. Connection Establishment: ACK, ACK-SYN, SYN Connection Termination: FIN, ACK-FIN, ACK D. Connection Establishment: SYN, SYN-ACK, ACK Connection Termination: FIN, ACK-FIN, ACK
D. Connection Establishment: SYN, SYN-ACK, ACK Connection Termination: FIN, ACK-FIN, ACK
The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192. In the network the servers are at the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124. An attacker is trying to find those servers but he cannot see them in his scanning. The command he is using is: nmap 192.168.1.64/28. Why can't he see the servers? A. He needs to add the command 'ip address' just before the IP address. B. He needs to change the address to 192.168.1.0 with the same mask. C. The network must be down and the nmap command and IP address are ok. D. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that range.
D. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that range.
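The range arithmetic behind that answer, as an added example that is not part of the original question. It uses the addresses from the question and Python's standard ipaddress module; nothing is scanned.

```python
"""Added example (not from the original page): check whether an Nmap CIDR target
actually covers the hosts you expect, using the addresses from the question."""
import ipaddress

SERVERS = ["192.168.1.122", "192.168.1.123", "192.168.1.124"]


def scan_range(target: str):
    """Every address Nmap will probe for a CIDR target. Nmap does not skip the
    network or broadcast address, so /28 is 16 addresses, not 14."""
    net = ipaddress.ip_network(target, strict=False)
    return [str(a) for a in net]


def missed_servers(target: str, servers):
    """Hosts that lie outside the scan target and therefore can never show up."""
    net = ipaddress.ip_network(target, strict=False)
    return [s for s in servers if ipaddress.ip_address(s) not in net]


def network_for(address: str, netmask: str) -> str:
    """Translate the dotted mask the network really uses into the CIDR Nmap needs."""
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    return str(iface.network)


if __name__ == "__main__":
    print("mistaken target covers", scan_range("192.168.1.64/28")[0],
          "to", scan_range("192.168.1.64/28")[-1])
    print("missed:", missed_servers("192.168.1.64/28", SERVERS))
    right = network_for("192.168.1.64", "255.255.255.192")
    print("correct target:", right, "missed:", missed_servers(right, SERVERS))
```

The mask 255.255.255.192 is /26, so the real block is 192.168.1.64/26 (.64 through .127). The /28 typed into nmap covers .64 through .79 (.79 being the block's broadcast address, which is why the answer text counts usable hosts only up to .78). The three servers sit in the .112-.127 quarter of the /26 and are simply never probed.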
An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com", the user is directed to a phishing site. Which file does the attacker need to modify? A. Networks B. Sudoers C. Boot.ini D. Hosts
D. Hosts
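A check for that kind of tampering, as an added example that is not part of the original question. The hosts-file content below is constructed (the bank domain is the one from the question, the documentation address 192.0.2.77 stands in for the phishing host); on a real system read C:\Windows\System32\drivers\etc\hosts or /etc/hosts instead.

```python
"""Added example (not from the original page): detect hosts-file entries that
redirect well-known names. SAMPLE_HOSTS is constructed for illustration."""
import ipaddress
import re

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       dev.internal   # developer alias, harmless
192.0.2.77      www.MyPersonalBank.com
"""

# Names a stock hosts file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (ip, [names]) per effective line; comments and blanks are ignored."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                      # malformed line, not a mapping
        yield ip, names


def suspicious_entries(text, watchlist=()):
    """Flag (a) any name pinned to a non-loopback address and (b) any watch-listed
    domain pinned at all: a bank's site has no business being in a hosts file."""
    watch = {w.lower() for w in watchlist}
    hits = []
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        for name in names:
            n = name.lower()
            if n in watch or (not addr.is_loopback and n not in LOCAL_NAMES):
                hits.append((ip, name))
    return hits


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS, ["www.mypersonalbank.com"]):
        print(f"hosts file pins {name} -> {ip}")
```

Rule (a) will also flag legitimate non-loopback pins (a developer mapping an internal service to 10.x), so in practice it is a review list rather than an alert; rule (b) against a list of your own high-value domains is the one worth alerting on.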
Rebecca commonly sees an error on her Windows system that states that a Data Execution Prevention (DEP) error has taken place. Which of the following is most likely taking place? A. Malware is executing in either ROM or a cache memory area. B. A page fault is occurring, which forces the operating system to write data from the hard drive. C. A race condition is being exploited, and the operating system is containing the malicious process. D. Malicious code is attempting to execute instruction in a non-executable memory region.
D. Malicious code is attempting to execute instruction in a non-executable memory region.
Eve stole a file named secret.txt, transferred it to her computer and she just entered these commands: [eve@localhost ~]$ john secret.txt Loaded 2 password hashes with no different salts (LM [DES 128/128 SSE2-16]) Press 'q' or Ctrl-C to abort. almost any other key for status What is she trying to achieve? A. She is encrypting the file. B. She is using John the Ripper to view the contents of the file. C. She is using ftp to transfer the file to another hacker named John. D. She is using John the Ripper to crack the passwords in the secret.txt file.
D. She is using John the Ripper to crack the passwords in the secret.txt file.
Which of the following statements is TRUE? A. Sniffers operate on the Layer 1 of the OSI model. B. Sniffers operate on Layer 3 of the OSI model C. Sniffers operate on both Layer 2 & Layer 3 of the OSI model. D. Sniffers operate on Layer 2 of the OSI model
D. Sniffers operate on Layer 2 of the OSI model
Ricardo wants to send secret messages to a competitor company. To secure these messages, he uses a technique of hiding a secret message within an ordinary message. The technique provides 'security through obscurity'. What technique is Ricardo using? A. Public-key cryptography B. Encryption C. RSA algorithm D. Steganography
D. Steganography
Look at the following output. What did the hacker accomplish?
  ; <<>> DiG 9.7-P1 <<>> axfr domain.com @192.168.1.105
  ;; global options: +cmd
  domain.com 3600 IN SOA srv1.domain.com hostsrv1.domain.com 131 900 600 86400 3600
  domain.com 600 IN A 192.168.1.102
  domain.com 600 IN A 192.168.1.105
  domain.com 3600 IN NS srv1.domain.com
  domain.com 3600 IN NS srv2.domain.com
  vpn.domain.com 3600 IN A 192.168.1.1
  server.domain.com 3600 IN A 192.168.1.3
  office.domain.com 3600 IN A 192.168.1.4
  remote.domain.com 3600 IN A 192.168.1.48
  support.domain.com 3600 IN A 192.168.1.47
  ns1.domain.com 3600 IN A 192.168.1.41
  ns2.domain.com 3600 IN A 192.168.1.42
  ns3.domain.com 3600 IN A 192.168.1.34
  ns4.domain.com 3600 IN A 192.168.1.45
  srv1.domain.com 3600 IN A 192.168.1.102
  srv2.domain.com 1200 IN A 192.168.1.105
  domain.com 3600 IN SOA srv1.domain.com hostsrv1.domain.com 131 900 600 86400 3600
A. The hacker used whois to gather publicly available records for the domain. B. The hacker used the "fierce" tool to brute force the list of available domains. C. The hacker listed DNS records on his own domain. D. The hacker successfully transferred the zone and enumerated the hosts.
D. The hacker successfully transferred the zone and enumerated the hosts.
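Turning that transcript into the host inventory the answer refers to, as an added example that is not part of the original question. AXFR_OUTPUT is a constructed copy of the records shown above (written with the trailing dots dig normally prints); the parser is generic dig-output handling, not a tool from the page.

```python
"""Added example (not from the original page): parse `dig axfr` output into
records, verify the transfer completed, and build a host inventory.
AXFR_OUTPUT is a constructed copy of the transcript in the question."""
import re
from collections import defaultdict

AXFR_OUTPUT = """\
; <<>> DiG 9.7-P1 <<>> axfr domain.com @192.168.1.105
;; global options: +cmd
domain.com.         3600  IN  SOA  srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600
domain.com.         600   IN  A    192.168.1.102
domain.com.         600   IN  A    192.168.1.105
domain.com.         3600  IN  NS   srv1.domain.com.
domain.com.         3600  IN  NS   srv2.domain.com.
vpn.domain.com.     3600  IN  A    192.168.1.1
server.domain.com.  3600  IN  A    192.168.1.3
office.domain.com.  3600  IN  A    192.168.1.4
remote.domain.com.  3600  IN  A    192.168.1.48
support.domain.com. 3600  IN  A    192.168.1.47
ns1.domain.com.     3600  IN  A    192.168.1.41
ns2.domain.com.     3600  IN  A    192.168.1.42
ns3.domain.com.     3600  IN  A    192.168.1.34
ns4.domain.com.     3600  IN  A    192.168.1.45
srv1.domain.com.    3600  IN  A    192.168.1.102
srv2.domain.com.    1200  IN  A    192.168.1.105
domain.com.         3600  IN  SOA  srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600
"""

# owner  ttl  IN  type  rdata   (rdata may contain spaces, e.g. SOA)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_axfr(text):
    """Return (name, ttl, type, rdata) tuples; ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line.strip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name.rstrip("."), int(ttl), rtype, rdata.strip()))
    return records


def transfer_complete(records):
    """A full AXFR is bracketed by the zone's SOA: first record and last record.
    Without the closing SOA the server refused or cut the transfer, and any
    inventory built from it is partial."""
    return (len(records) >= 2 and records[0][2] == "SOA"
            and records[-1][2] == "SOA")


def host_inventory(records):
    """Map each IPv4 address to the names that point at it (the 'enumerated hosts')."""
    inv = defaultdict(list)
    for name, _ttl, rtype, rdata in records:
        if rtype == "A":
            inv[rdata].append(name)
    return dict(inv)


if __name__ == "__main__":
    recs = parse_axfr(AXFR_OUTPUT)
    print("complete transfer:", transfer_complete(recs))
    for ip, names in sorted(host_inventory(recs).items()):
        print(ip, ", ".join(names))
```

The defensive reading of the same output: the server at 192.168.1.105 answered AXFR for an unauthenticated client. Zone transfers should be restricted to the secondary's address (BIND allow-transfer, Windows DNS "Allow zone transfers only to..."), or better, TSIG-signed.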
The "white box testing" methodology enforces what kind of restriction? A. The internal operation of a system is only partly accessible to the tester B. Only the external operation of a system is accessible to the tester C. Only the internal operation of a system is known to the tester D. The internal operation of a system is completely known to the tester
D. The internal operation of a system is completely known to the tester
Which tool can be used to silently copy files from USB devices? A. USB Grabber B. USB Snoopy C. USB Sniffer D. USB Dumper
D. USB Dumper
Shellshock allowed an unauthorized user to gain access to a server. It affected many Internet-facing services. Which OS did it not directly affect? A. Linux B. Unix C. OS X D. Windows
D. Windows
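The standard self-test for Shellshock (CVE-2014-6271), driven from Python as an added example that is not part of the original question. It exercises the actual mechanism the bug abused: bash importing a function definition from an environment variable and, when unpatched, also executing the trailing command. The variable name x and the command are the classic test payload; a host with no bash at all (the reason Windows was not directly affected) reports no-bash.

```python
"""Added example (not from the original page): local Shellshock check via the
environment-variable function import that CVE-2014-6271 abused."""
import shutil
import subprocess

# Classic test string: a function body followed by a trailing command that an
# unpatched bash executes while importing the function.
PAYLOAD = "() { :;}; echo vulnerable"


def check_shellshock(bash=None) -> str:
    """Return 'no-bash', 'vulnerable' or 'patched' for the given bash binary
    (default: the first bash on PATH)."""
    path = shutil.which(bash or "bash")
    if not path:
        return "no-bash"
    env = {"PATH": "/usr/bin:/bin", "x": PAYLOAD}   # minimal, controlled environment
    proc = subprocess.run([path, "-c", "echo test"], env=env,
                          capture_output=True, text=True, timeout=10)
    return "vulnerable" if "vulnerable" in proc.stdout else "patched"


if __name__ == "__main__":
    print(check_shellshock())
```

Exposure came from anything that copied attacker-controlled input into environment variables before spawning bash: CGI scripts (HTTP headers become HTTP_* variables), some DHCP clients, and sshd ForceCommand setups. Patched bash only imports functions from specially named BASH_FUNC_* variables and stops parsing at the end of the function body.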
This phase will increase the odds of success in later phases of the penetration test. It is also the very first step in information gathering and it will tell you what the "landscape" looks like. What is the most important phase of ethical hacking, in which you need to spend a considerable amount of time? A. network mapping B. escalating privileges C. gaining access D. footprinting
D. footprinting
Which of the following Nmap commands will produce the following output?
  Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-26 12:50 EDT
  Nmap scan report for 192.168.1.1
  Host is up (0.00042s latency).
  Not shown: 65530 open|filtered ports, 65529 filtered ports
  PORT       STATE          SERVICE
  111/tcp    open           rpcbind
  999/tcp    open           garcon
  1017/tcp   open           unknown
  1021/tcp   open           exp1
  1023/tcp   open           netvenuechat
  2049/tcp   open           nfs
  17501/tcp  open           unknown
  111/udp    open           rpcbind
  123/udp    open           ntp
  137/udp    open           netbios-ns
  2049/udp   open           nfs
  5353/udp   open           zeroconf
  17501/udp  open|filtered  unknown
  51857/udp  open|filtered  unknown
  54358/udp  open|filtered  unknown
  56228/udp  open|filtered  unknown
  57598/udp  open|filtered  unknown
  59488/udp  open|filtered  unknown
  60027/udp  open|filtered  unknown
A. nmap -sN -Ps -T4 192.168.1.1 B. nmap -sT -sX -Pn -p 1-65535 192.168.1.1 C. nmap -sS -Pn 192.168.1.1 D. nmap -sS -sU -Pn -p 1-65535 192.168.1.1
D. nmap -sS -sU -Pn -p 1-65535 192.168.1.1
It is a kind of malware (malicious software) that criminals install on your computer so they can lock it from a remote location. This malware generates a pop-up window, webpage, or email warning from what looks like an official authority. It explains that your computer has been locked because of possible illegal activities on it and demands payment before you can access your files and programs again. Which of the following terms best matches the definition? A. Ransomware B. Adware C. Spyware D. Riskware
A. Ransomware