CEH quiz ISM4220
What is it called when a hacker pretends to be a valid user on the system?
Impersonation
What is privilege escalation?
Increasing privileges on a user account
What is a countermeasure for SNMP enumeration?
Remove the SNMP agent from the device
In which type of attack are passwords never cracked?
Replay attacks involve capturing passwords, most likely encrytped, and playing them back to fake authentication.
Which step in the framework of a security audit is critical to protect the ethical hacker from legal liability?
Sign an ethical hacking agreement and NDA with the client prior to the testing
Why would an attacker want to perform a scan on port 137?
To discover a target system with the NetBIOS null session vulnerability
Which of the following command-line switches would you use for OS detection in Nmap?
-0
Windows is dangerously insecure when unpacked from the box; which of the following must you do before you use it? (Choose all that apply.)
-Make sure a new installation of Windows is patched by installing the latest service packs. -Install the latest security patches for applications such as Adobe Acrobat, Macromedia Flash, Java, and WinZip. -Install a personal firewall and lock down unused ports from connecting to your computer -Install the latest signatures for antivirus software Installing service packs, personal firewall software, and antivirus signatures should all be done prior to using a new computer on the network
What filter in Ethereal will you use to view Hotmail messages?
. (http contains "hotmail") && (http contains "Reply-To"). A way of locating Hotmail messages in Ethereal is to use a filter of email and Reply-to to find actual email messages
SNMP is a protocol used to manage network infrastructure devices. What is the SNMP read/write community name used for?
. Changing the configuration information
What is the best way to prevent a social-engineering attack?
. Employee training and education
What information-gathering tool will give you information regarding the operating system of a web server?
. Netcraft
Where are passwords kept in Linux?
. Passwords are stored in the /shadow file in Linux.
A packet with all flags set is which type of scan?
. XMAS
What is the proper command to perform an nmap SYN scan every 5 minutes?
. nmap -sS -paranoid
. Snort is a Linux-based intrusion detection system. Which command enables Snort to use network intrusion detection (NIDS) mode assuming snort.conf is the name of your rules file and the IP address is 192.168.1.0 with Subnet Mask:255.255.255.0?
./snort -c snort.conf 192.168.1.0/24
To prevent a hacker from using SMB session hijacking, which TCP and UDP ports would you block at the firewall?
139 and 445
Which term best describes a hacker who uses their hacking skills for destructive purposes?
A cracker is a hacker who uses their hacking skills for destructive purposes.
Which of the following is the best example of reverse social engineering?
A hacker pretends to be a person of authority in order to get a user to give them information.
Which are the four regional Internet registries?
APNIC, LACNIC, ARIN, RIPE NCC
What is footprinting?
Accumulation of data by gathering information on a target
If the password is 7 characters or less, then the second half of the LM is always:
An LM hash splits a password into two sections. If the password is 7 characters or less, then the blank portion of the password will always be a hex value of AAD3B435B51404EE. 0x preceding the value indicates it is in Hex.
When a hacker attempts to attack a host via the Internet, it is known as what type of attack?
An attack from the Internet is known as a remote attack
What is a rootkit?
An invasive program that affects the system files, including the kernel and libraries
The security, functionality, and ease of use triangle illustrates which concept?
As security increases, it makes it more difficult to use and less functional.
MAC address spoofing is which type of attack?
Authentication
Which is an example of social engineering?
Calling a help desk and convincing them to reset a password for a user account
Faking a website for the purpose of getting a user's password and username is which type of social-engineering attack?
Computer-based
Using pop-up windows to get a user to give out information is which type of social-engineering attack?
Computer-based
What is a null session?
Connecting to a system with no username and password
Which step comes after enumerating users in the CEH hacking cycle
Crack password
What types of attacks target DNS servers directly?
DNS reflector and amplification attack. The DNS reflector and amplification type attacks DNS servers directly. By adding amplification to the attack, many hosts send the attack and results in a denial-of-service to the DNS servers
LM authentication is not as strong as Windows NT authentication so you may want to disable its use, because an attacker eavesdropping on network traffic will attack the weaker protocol. A successful attack can compromise the user's password. How do you disable LM authentication in Windows XP?
Disable LM authentication in the Registry.
Which type of person poses the most threat to an organization's security?
Disgruntled employee
Which type of hacker represents the highest risk to your network?
Disgruntled employees
Which tool will only work on publicly traded companies?
EDGAR. EDGAR is the SEC database of filings and will only work on publicly traded firms
How would you prevent a user from connecting to the corporate network via their home computer and attempting to use a VPN to gain access to corporate LAN?
Enforce Machine Authentication and disable VPN access to all your employee accounts from any machine other than corporate-issued PCs. Machine Authentication would require the host system to have a domain account that would only be valid for corporate PCs.
What port number does FTP use?
FTP uses TCP port 21. This is a well-known port number and can be found in the Windows Services file.
Which of the following should be included in an ethical hacking report? (Choose all that apply.)
Findings of the test, risk analysis.
Which law allows for gathering of information on targets?
Freedom of Information Act. The Freedom of Information Act ensures public release of many documents and records and can be a rich source of information on potential targets.
What port number does HTTPS use?
HTTPS uses TCP port 443. This is a well-known port number and can be found in the Windows Services file.
Hacking for a cause is called
Hacktivism is performed by individuals who claim to be hacking for a political or social cause.
NSlookup can be used to gather information regarding which of the following?
Hostnames and IP addresses
. Dumpster diving can be considered which type of social-engineering attack?
Human-based
What of the following is an IDS defeating technique?
IP fragmentation or session splicing
Who are the primary victims of SMURF attacks on the Internet?
IRC servers. In a Smurf attack a large amount of ICMP echo request (ping) traffic is send to an IP broadcast address, with a spoofed source IP address of the intended victim. IRC servers are commonly used to perpetuate this attack so they are considered primary victims
Every company needs which of the following documents?
ISP- Information Security Policy
What is enumeration?
Identifying users and machine names
How would you compromise a system that relies on cookie-based security?
Intercept the communication between the client and the server and change the cookie to make the server believe that there is a user with higher privileges. Privilege escalation can be done through capturing and modifying cookies
How does a polymorphic shellcode work?
It encrypts the shellcode by XORing values over the shellcode, using loader code to decrypt the shellcode, and then executing the decrypted shellcode. Polymorphic shellcode changes by using the XOR process to encrypt and decrypt the shellcode
What is the best reason to implement a security policy?
It removes the employee's responsibility to make judgments.
Which of these is a patch management and security utility?
MBSA. Microsoft Baseline Security Analyzer is a patch management utility built into Windows for analyzing security
Which tool can be used to perform a DNS zone transfer on Windows?
NSlookup
What are two methods used to hide files? (Choose all that apply.)
NTFS file streaming, attrib command
What does the hacking tool Netcat do?
Netcat is called the TCP/IP Swiss army knife. It is a simple Unix utility that reads and writes data across network connections using the TCP or UDP protocol. Netcat is a multiuse Unix utility for reading and writing across network connections.
____ is a Cisco IOS mechanism that examines packets on layer 4-7.
Network-based application recognition is a Cisco IOS mechanism for controlling traffic through network ingress points.
What defensive measures will you take to rotect your network from password brute-force attacks? (select all).
Never leave a default password, never use a password that can be found in a dictionary Never use a password related to the hostname,domain name, or anything else that can be found with Whois.
Which are good sources of information about a company or its employees? (Choose all that apply.)
Newsgroups, job postings, company websites, and press releases are all good sources for information gathering.
Which of the following is a type of social engineering?
Of the choices listed here, shoulder surfing is considered a type of social engineering.
Banner grabbing is an example of what?
Passive operating system fingerprinting. Banner grabbing is not detectible; therefore it is considered passive OS fingerprinting
Which law gives authority to intercept voice communications in computer hacking attempts?
Patriot Act
What type of ethical hack tests access to the physical infrastructure?
Physical access tests access to the physical infrastructure.
What are the three types of scanning?
Port, network, and vulnerability are the three types of scanning.
What is the first phase of hacking?
Reconnaissance is gathering information necessary to perform the attack.
What is the countermeasure against XSS scripting?
Replace < and > characters with < and > using server scripts. A protecting against cross-site scripting is to secure the server scripts.
How do you secure a GET method in web page posts?
Replace GET with the POST method when sending data. POST should be used instead of GET for web page posts
What is a command-line tool used to look up a username from a SID?
SID2User
Why would the network security team be concerned about ports 135-139 being open on a system?
SMB is enabled, and the system is susceptible to null sessions.
What is the proper sequence of a TCP connection?
SYN-SYN-ACK-ACK
What is the next immediate step to be performed after footprinting?
Scanning. According to CEH methodology, scanning occurs after footprinting. Enumeration and system hacking are performed after footprinting. Bypassing an IDS would occur later in the hacking cycle.
Which of the following statements best describes a white-hat hacker?
Security professional,White-hat hackers are "good" guys who use their skills for defensive purposes
The Securely Protect Yourself Against Cyber Trespass Act prohibits which of the following? (Choose all that apply.)
Sending spam, installing and using keystroke loggers, and implementing pop-up windows are all prohibited by the SPY ACT.
What are the two types of buffer overflow?
Stack-based buffer overflow, Heap-based buffer overflow
What is the process of hiding text within an image called?
Steganography is the process of hiding text within an image
What is the main problem with using only ICMP queries for scanning?
Systems may not respond because of a firewall. Systems may not respond to ICMP because they have firewall software installed that blocks the responses.
Which of the following is a system, program, or network that is the subject of a security analysis?
Target of evaluation
What is war dialing used for?
Testing remote access system security. War dialing involves placing calls to a series of numbers in hopes that a modem will answer the call. It can be used to test the security of a remote-access system.
Which items should be included in an ethical hacking report? (Choose all that apply.)
Testing type, vulnerabilities discovered, suggested countermeasures.
Which act was intended to prevent spam mails?
The CANSPAM Act is an acronym for Controlling the Assault of Non-Solicited Pornography and Marketing Act; the act attempts to prevent unsolicited spam. For more information
What does FIN in a TCP flag define?
The FIN flag is used to close a TCP/IP connection.
What does the TCP RST command do?
The TCP RST command resets the TCP connection.
How do you prevent SMB hijacking in Windows operating systems?
The only effective way to block SMB hijacking is to use SMB signing.
What are the three phases of a security evaluation plan? (Choose three answers.)
The three phases of a security evaluation plan are preparation, security evaluation, and conclusion.
What does ICMP (type 11, code 0) denote?
Time exceeded.
Which federal law is most commonly used to prosecute hackers?
Title 18 of the US Code is most commonly used to prosecute hackers
Why would hackers want to cover their tracks?
To prevent detection or discovery
How does traceroute work?
Traceroute uses the TTL values to determine how many hops the router is from the sender. Each router decrements the TTL by one under normal conditions.
TCP/IP session hijacking is carried out in which OSI layer?
Transport Layer. TCP operates at the Transport layer, or Layer 4 of the OSI model, and consequently a TCP/IP session hijack occurs at the Transport layer
Which tool is a file and directory integrity checker that aids system administrators and users in monitoring a designated set of files for any changes?
Tripwire is a file and directory integrity checker
T/F. Data is sent over the network as a cleartext ( unencrypted) when basic authentication is configured on web servers.
True, Basic authentication uses cleartext passwords.
True or False: A digital signature is simply a message that is encrypted with the public key instead of the private key.
True. A message is encrypted with a user's private key so that only the user's public key can decrypt the signature and the user's identity can be verified.
What is the term used in serving different types of web pages based on the user's IP address?
Website Cloaking. Website cloaking is serving different web pages based on the source IP address of the user
A security audit performed on the internal network of an organization by the network administration is also known as
White-box testing
What tool is a good source of information for employee's names and addresses?
Whois
Which of the following is a tool for performing footprinting undetected?
Whois search. Whois is the only tool listed that won't trigger an IDS alert or otherwise be detected by an organization.
Which of the following tools are used for footprinting? (Choose 3.)
Whois, Sam Spade, and NSlookup are all used to passively gather information about a target
You have captured some packets in Ethereal. You want to view only packets sent from 10.0.0.22. What filter will you apply?
ip.src== is the syntax to filter on a source IP address.
Which of the following Nmap commands launches a stealth SYN scan against each machine in a class C address space where target.example.com resides and tries to determine what operating system is running on each host that is up and running?
nmap -sS -O target.example.com/24. nmap -sS creates a stealth scan and the -O switch performs operating system detection.
Buffer overflow vulnerabilities are due to applications that do not perform bound checks in the code. Which of the following C/C++ functions do not perform bound checks?
strcat()
