CEH test 1


108. What is a network of zombie computers used to execute a DDoS on a target system called? A. Botnet B. Whaling C. Social engineering D. DoS

A - A botnet is a collection of zombie computers that are used in concert to conduct a distributed denial of service (DDoS) on a target system.

59. Of the following methods, which one acts as a middleman between an external network and the private network by initiating and establishing the connection? A. Proxy server B. Firewall C. Router D. Switch

A - A proxy server is a middleman between the private internal network and the untrusted network. By initiating the connection, it can provide core protections associated with web exploits.

50. Which of the following actions is the last step in scanning a target? A. Scan for vulnerabilities B. Identify live systems C. Discover open ports D. Identify the OS and servers

A - After identifying live systems, detecting open ports, and detecting the OS and IT services, you will then begin to scan for vulnerabilities. This will give you a list of potential targets you can exploit to gain access or gather additional essential information.

91. Which of the following tools allows you to create certificates that are not officially signed by a CA? A. Cain & Abel B. Nmap C. Ettercap D. Darkether

A - Cain & Abel allows the adversary or pen tester to carefully craft their own certificates or have the application create its own, depending on the scenario.

74. Which option describes a server-side attack targeting web applications? A. SQL injection B. Cross-site malware injection C. Cross-site scripting D. SQL site scripting

A - Cross-site scripting attacks the client side. SQL injection is a server-side attack. The other answers are not real things.

112. What process would you use to help ensure only the right people got access to sensitive information? A. Data classification B. Data masking C. Data encryption D. Data processing

A - Data classification is used to identify sensitivity levels of information. Once data has been classified, it can be tagged in some way to ensure only the right people get access to it.

22. You are part of the help desk team. You receive a ticket from one of your users that their computer is periodically slow. The user also states that from time to time, documents have either disappeared or have been moved from their original location to another. You remote desktop to the user's computer and investigate. Where is the most likely place to see if any new processes have started? A. The Processes tab in Task Manager B. C:\Temp C. The Logs tab in Task Manager D. C:\Windows\System32\User

A - If there is a question whether a Windows PC has been compromised, a sure way to see what processes are being executed can be found within the processes tab of Task Manager. Programs such as iexplore.exe are legitimate; however, some programs such as !explore.exe and explore.exe attempt to look legitimate to avoid detection.

48. In the Windows SAM file, what security identifier would indicate to the adversary that a given account is an administrator account? A. 500 B. 1001 C. ADM D. ADMIN_500

A - If you look in the SAM file, after the username, the next value will be numerical. If it is a 500, this is the security identifier for the admin account. The same security identifier is used on all Windows-based systems, just as 0 is used as the user id for the root user on Unix-based OSs.

58. Which option describes the concept of injecting code into a portion of data in memory that allows for arbitrary commands to be executed? A. Buffer overflow B. Crash C. Heap spraying D. Format string

A - In a buffer overflow, data is written over memory that has been allocated for a function on the stack. This could cause several outcomes, including data corruption, system crashing, freezing, and other untold consequences. While the program may crash from a buffer overflow, a crash won't allow for arbitrary commands to be executed. Heap spraying and format string attacks are different types of attacks and may not allow for remote code execution.

98. Which operating system build provides a suite of tools for network offensive (attack your target) purposes? A. Kali Linux B. Windows Server 2012 R2 C. FreeBSD D. Security Onion

A - Kali Linux (formerly known as BackTrack) is an operating system that is widely used by hackers and pen testers alike.

37. What is a common attack type of the Kerberos protocol that can look like legitimate traffic? A. Kerberoasting B. Javaroasting C. Man-in-the-middle D. Ticket granting compromise

A - Kerberoasting can be used to send requests using Kerberos with the intent of gathering information about accounts that could be used offline. This information would allow the attacker to gain subsequent access to those services. A man-in-the-middle attack is not a common attack type against Kerberos.

96. Which of the following has no key associated with it? A. MD5 B. AES C. Skipjack D. PGP

A - MD5 is a hashing algorithm. It has no key associated with it, and therefore, it can be used by anyone.

109. Cipher locks, mantraps, and bollards are considered what? A. Physical controls B. Technical controls C. Crime prevention through environmental design D. Physical barriers

A - Physical controls are measures put in place to physically prevent someone from gaining access and entrance to a resource or a location.

52. Which of the following port ranges will show you the ports requiring administrative access? A. 0 to 1023 B. 0 to 255 C. 1024 to 49151 D. 1 to 128

A - Ports 0 - 1023 are considered admin ports because they require administrator level access to listen on them. Higher-numbered ports are typically used as ephemeral, meaning they are used to assign source port numbers, which the server would respond to.

25. Out of the following, which is one of RSA's registered key strengths? A. 1,024 bits B. 256 bits C. 128 bits D. 512 bits

A - RSA, an asymmetric encryption algorithm, uses 1,024- and 2,048-bit key strengths.

10. What is the most important part of conducting a penetration test? A. Receiving a formal written agreement B. Documenting all actions and activities C. Remediating serious threats immediately D. Maintaining proper handoff with the information assurance team

A - Receiving a formal written agreement is critical because it sets the legal limit of what is allowed and not allowed to be conducted. It protects the pentester from legal action if they stay within the agreed work performance statement.

19. What is the advantage of using SSH for command-line traffic? A. SSH encrypts the traffic and credentials. B. You cannot see what the adversary is doing. C. Data is sent in the clear. D. A and B.

A - SSH encrypts all traffic. If an attacker is using SSH, you wouldn't be able to see what they are doing; that's an advantage only to the attacker.

1. Which of the following is considered a passive reconnaissance action? A. Searching through the local paper B. Calling Human Resources C. Using the nmap -sT command D. Conducting a man-in-the-middle attack

A - Searching through the local paper is considered passive because it does not directly impact, alert, or establish any type of connection between the victim and the adversary. All the other answers involve directly connecting with the company or its network.

92. What type of social engineering attack uses SMS (text) messages to communicate with the victim? A. Smishing B. Vishing C. Phishing D. Kishing

A - Smishing uses SMS (text) messages to initiate a social engineering attack against a victim.

54. Which of the following switches for the Nmap command does nothing but fingerprint an operating system? A. -O B. -sFRU C. -sA D. -sX

A - The -O switch invokes Nmap's analysis of the target that is used to identify the OS.

62. What default TCP port does SSH utilize? A. Port 22 B. Port 21 C. Port 443 D. Port 25

A - The secure shell (SSH) application utilizes port 22 to establish a connection by default. Port 21 is an FTP port, port 25 is for SMTP, and port 443 is the port used for encrypted web communication.

113. What do we call the model used to determine who has to handle patching of systems at a cloud services provider? A. Shared responsibility B. Bell-LaPadula C. Carnegie Mellon Maturity D. Ford model

A - The shared responsibility model determines who has responsibility for what aspects of a service with a cloud services provider. Bell-LaPadula is used for data classification and management. Carnegie Mellon Maturity Model is an old name for the Capability Maturity Model, used to assess maturity, especially within software development organizations.

85. Which of the following is part of the account management lifecycle? A. Account provisioning B. Access denied C. User authentication D. None of the above

A - User account provisioning is a lifecycle program in which users are reviewed and granted need-to-know and least-privilege access, and accounts are disabled or deleted. User accounts should be reviewed every 30 - 45 days to identify stale accounts.

16. What method of exploitation might allow the adversary to pass arbitrary SQL queries within the URL? A. SQL injection B. XSS C. Spear phishing D. Ruby on Rails injection method

A - Using SQL queries such as ' or 1=1 is a way to get more information than should be provided through the application. This technique is used to test for SQL injection vulnerabilities.

72. Which switch in Nmap invokes the XMAS scan? A. -sX B. -sS C. -xS D. -sT

A - Using the -sX switch causes Nmap to send packets with the FIN, PSH, and URG flags set. -sS is a SYN scan. -sT is a TCP scan, sometimes called a full connect scan.

27. Which of the following describes a race condition? A. Where two conditions occur at the same time and there is a chance that arbitrary commands can be executed with a user's elevated permissions, which can then be used by the adversary B. Where two conditions cancel one another out and arbitrary commands can be used based on the user privilege level C. Where two conditions are executed under the same user account D. Where two conditions are executed simultaneously with elevated user privileges

A - When a race condition occurs, either process may occur. If the timing is right, arbitrary commands may be executed with the current user-level privileges until the next process begins.

30. Which method would be targeting the client in a web-based communication? A. Cross-site scripting (XSS) B. SQL injection C. XML external entity D. Command injection

A - XSS is the only one of these attack types that targets a client, the user's browser, in a web-based communication. The script in question executes within the browser (client). The other types of attacks target the server.

82. What are you creating when you set up a server with certain configurations and document step-by-step instructions? A. Baseline B. Procedure C. Technical advisory D. Guideline

B - A procedure is a step-by-step document that instructs the users to configure or set up a certain task or function. The result may be a baseline to build additional services on top of, but the step-by-step instructions are not a baseline. A technical advisory is a note that provides technical information but would not necessarily have step-by-step instructions in it. A guideline is a piece of info that should be followed but again doesn't have step-by-step instructions.

107. An email contains a link with the subject line "Congratulations on your cruise!" and is sent to the finance person at a company. The email instructs the reader to click a hyperlink to claim the cruise. When the link is clicked, the reader is presented with a series of questions within an online form, such as name, Social Security number, and date of birth. What type of attack would this be considered? A. Email phishing B. Spear phishing C. Social engineering D. Identity theft

B - An example of spear phishing is an email soliciting the user to click a link or reply with sensitive information. Spear phishing targets specific individuals. Email phishing attacks would be sent to a large number of people, potentially. While it is a type of social engineering, that doesn't capture the specific type of attack in use. While the final result of this might be identity theft, the information provided here doesn't guarantee that's the case.

99. What is a major drawback of most antivirus software? A. It can be extremely slow. B. It must have the latest virus definitions. C. It can take up a lot of host resources. D. It requires a lot of effort to administer.

B - Antivirus software must be loaded with the latest virus definitions. Virus definitions are considered the DNA, or "signature," of known viruses. Without an updated virus signature in its database, the antivirus software does not know what new viruses are out in the wild.

26. To provide non-repudiation for email, which algorithm would you choose to implement? A. AES B. DSA C. 3DES D. Skipjack

B - The Digital Signature Algorithm (DSA) provides non-repudiation for emails. The others are encryption algorithms, which would not be used for non-repudiation but would be used for confidentiality.

39. Which response would the adversary receive on closed ports if they conducted an XMAS scan? A. RST B. RST/ACK C. No Response D. FIN/ACK

B - During an XMAS scan, the adversary would receive an RST/ACK response from the port if it is closed because the scan sends the FIN, URG, and PSH flags, which is not a valid request according to the TCP RFC.

114. What is the governing council of the CEH exam? A. (ISC)2 B. EC-Council C. CompTIA D. Microsoft

B - EC-Council

70. At which layer of the OSI model does FTP reside? A. Session B. Application C. Network D. Transport

B - FTP operates at the Application layer along with Telnet and other application services. The Network layer includes IP, while the Transport layer includes TCP and UDP. PPTP and RPC are commonly considered to be at the Session layer.

53. What is the length of an IPv6 address? A. 64 bits B. 128 bits C. 256 bits D. 32 bits

B - IPv4 used 32 bits for the address length, which was determined to be insufficient for the expected number of addresses of network-connected devices. As a result, IPv6 uses 128 bits, which is generally considered to be enough address space, as it allows 3.4 x 10^38 addresses.

8. Your end clients report that they cannot reach any website on the external network. As the network administrator, you decide to conduct some fact finding. Upon your investigation, you determine that you are able to ping outside of the LAN to external websites using their IP address. Pinging websites with their domain name resolution does not work. What is most likely causing the issue? A. The firewall is blocking DNS resolution. B. The DNS server is not functioning correctly. C. The external websites are not responding. D. An HTTP GET request is being dropped at the firewall, preventing it from going out.

B - If you are able to ping and even visit an external website using its IP address and not its fully qualified domain name (FQDN), it is more probable that the DNS server is having issues. While it's possible the firewall is blocking DNS requests, it's much less likely. Firewalls don't typically drop specific web requests, and it doesn't explain why you can ping an IP address but not its FQDN.

100. What is the value of using the four-way handshake in WPA2? A. Encrypts traffic B. Prevents replay attacks C. Ensures multifactor authentication is in use D. Performs host checking

B - In the four-way handshake, a replay counter is used. This helps to protect against replay attacks, which could be used to allow an attacker to gain access to a wireless network.

46. If a web application is using a RESTful API, NoSQL databases, and microservices in containers, what style of design is it likely using? A. Model-view-controller B. Cloud-native design C. Traditional architecture D. NoSQL design

B - Model-view-controller is a common approach to developing applications for Apple devices. Microservices are not commonly used in a traditional application design. There is no such thing as NoSQL design. A RESTful API, NoSQL database, and microservices, especially if they are implemented in containers, suggest a cloud-native design.

33. Which scanning tool is more likely going to yield accurate and useful results during reconnaissance and enumeration? A. ncat B. Nmap C. ping D. nslookup

B - Nmap is the most useful.

69. What is patch management? A. Deploying patches when they are available B. Making determinations about patch disposition for business systems C. Deploying patches at the end of the month D. Determining what vulnerabilities are currently on your network and deploying patches immediately to eliminate the threat

B - Patch management requires understanding what the vulnerabilities are and then evaluating the patch for applicability before deciding whether to deploy the patch.

87. What are two common ports used to connect to a web server? A. 80 and 25 B. 80 and 8080 C. 443 and 53 D. 20 and 21

B - Ports 80 and 8080 are ports that are commonly used to connect to a web server. Port 80 is the well-known port for HTTP (web). Port 8080 is considered an alternate port and is used for web servers where the user does not have admin privileges to listen on the lower-numbered port.

12. What does a SYN scan accomplish? A. It establishes a full TCP connection. B. It establishes only a "half open" connection. C. It opens an ACK connection with the target. D. It detects all closed ports on the target system.

B - The SYN scan is used to detect open ports but does not complete the full three-way handshake. It is considered a "half-open" connection.

17. What is the default TTL value for Microsoft Windows 10 OS? A. 64 B. 128 C. 255 D. 256

B - The default TTL value for most Microsoft OSs is 128.

56. You are a passenger in an airport terminal. You glance across the terminal and notice a man peering over the shoulder of a young woman as she uses her tablet. What do you think he is doing? A. Wardriving B. Shoulder surfing C. War shouldering D. Shoulder jacking

B - The man is conducting a shoulder surfing attack. By looking over her shoulder, the man is able to pick up passwords and any other sensitive information that she is using on her tablet without her knowledge or approval.

76. In Linux, what file allows you to see user information such as full name, phone number, and office information? A. Shadow file B. Passwd file C. Userinfo file D. Useraccount file

B - The passwd file stores information about the user's account such as name and location.

45. You are sitting inside of your office, and you notice a strange person in the parking lot with what appears to be a tall antenna connected to a laptop. What is the stranger most likely doing? A. Brute-forcing their personal electronic device B. Wardriving C. Warflying D. Bluesnarfing

B - The stranger is wardriving. Wardriving is the act of traveling with a high-powered antenna to pick up and use free or compromising weak Wi-Fi access points.

101. What is the maximum byte size for a UDP datagram payload? A. 65,535 B. 65,507 C. 1,500 D. 65,527

B - The total UDP packet size is 65,535. You subtract 8 bytes for the UDP header size and 20 bytes for the IP header size, which is 28 bytes total. Subtract 28 bytes from the total size of 65,535. This should give you a value of 65,507 for the max UDP payload size.

71. What open-source tool could you use to gather information about email addresses from various search providers? A. Nmap B. theHarvester C. Netcat D. John the Ripper

B - theHarvester is a tool that can gather email addresses during recon.

66. What port number or numbers is/are associated with the IP protocol? A. 0 to 65535 B. No ports C. 53 D. 80

B - There are no port numbers associated with IP because the addressing mechanism used there is the IP address. UDP and TCP both use port numbers as the way to address applications using those protocols.

88. When considering the risks of local storage vs. third-party cloud storage, which statement is most accurate? A. Cloud storage is more secure because the commercial vendor has trained security professionals. B. When storage is local, you are responsible and accountable for the storage services. C. You can sue the cloud provider for damages. D. The cloud has more layers of security than traditional local storage infrastructures.

B - When storage is local, you are responsible and accountable for the storage services.

103. When sending a packet with a FIN flag set, what will the target respond with if the port is open? A. RST is returned. B. No response is returned. C. RST/ACK is returned. D. SYN/ACK is returned.

B - When the target has an open port and receives a packet with the FIN flag set, the target will not respond with anything. That is because the target knows that the sender has finished communicating. A RST is sent back from a SYN message on a closed port. A SYN/ACK is sent back from a SYN message on an open port. A RST/ACK is sent back to an ACK message that is not part of an existing connection.

95. When two or more authentication methods are used, what is it called? A. Multitiered authentication factor B. Multifactor authentication C. Multicommon factor authentication D. Multiauthentication factor

B - Whenever you are implementing more than one authentication factor, it is considered multifactor authentication.

36. You are an attacker who has successfully infiltrated your target's web server. You performed a web defacement on the targeted organization's website, and you were able to create your own credential with administrative privileges. Before conducting data exfiltration, what is the next move? A. Log into the new user account that you created. B. Go back and delete or edit the logs. C. Ensure that you log out of the session. D. Ensure that you migrate to a different session and log out.

B - Whenever you infiltrate a system, you would always want to cover your tracks by either editing or deleting your logs. This is important so the security admins and investigators cannot trace your accounts, your location, and the method you used to exploit the system.

5. What is one of the advantages of IPv6 over IPv4 from a security perspective? A. IPv4 has a smaller address space. B. IPv6 allows for header authentication. C. IPv6 is more flexible about extensions. D. IPv6 is typically represented in hexadecimal.

B - While all of the answers are true, the only answer that relates to security is option B, that IPv6 allows for header authentication. This ensures that packets have not been tampered with. This feature, Authentication Headers, is commonly thought of as part of IPsec.

89. Which packet sniffing tool allows you to specify the individual fields you want printed in the output? A. Nmap B. tshark C. tcpdump D. Snoop

B - While snoop and tcpdump are packet sniffers, they don't allow you to specify the fields out of a packet you want printed when a packet is seen on the network interface.

24. What does a checksum indicate? A. That the data has made it to its destination B. That the three-way TCP/IP handshake finished C. That there were changes to the data during transit or at rest D. The size of the data after storage

C - A checksum is a small-size datum that is computed against the message itself and creates its own fingerprint. It is a means of detecting any changes in the message itself for integrity purposes. If the two checksums of the original message and the received message do not match, the message has been compromised. A checksum serves as a validation that no errors occurred.

60. As an attacker, you successfully exploited your target using a service that should have been disabled. The service had vulnerabilities that you were able to exploit with ease. There appeared to be a large cache of readily accessible information. What may be the issue here? A. The administrator did not apply the correct patches. B. The web server was improperly configured. C. You are dealing with a honeypot. D. The firewall was not configured correctly.

C - A honeypot is a server that is made to look like a legitimate target; however, it is configured to be vulnerable to an adversary's attack. The purpose is to learn about the adversary's methodologies of attack.

15. What is the purpose of a man-in-the-middle attack? A. Gaining access B. Maintaining access C. Hijacking a session D. Covering tracks

C - A man-in-the-middle attack is typically used to hijack a network conversation.

64. Which type of firewall would you use if you wanted to have the firewall check for malware as it passed through the firewall? A. Web application firewall B. Stateful firewall C. Next-generation firewall D. Stateless firewall

C - A next-generation firewall, sometimes called a unified threat management device, often includes multiple capabilities to prevent bad actors from getting into the network. One of these capabilities is malware scanning. A stateful firewall just keeps track of client state to make determinations about whether to allow traffic through. A stateless firewall can't keep track of state, and a web application firewall is used to identify attacks like SQL injection and cross-site scripting. It does not scan for malware.

11. You are a CISO for a giant tech company. You are charged with implementing an encryption cipher for your new mobile devices that will be introduced in 2022. What encryption standard will you most likely choose? A. RC4 B. MD5 C. AES D. Skipjack

C - AES remains the best encryption algorithm to use. It is flexible in its key size and economical in the computational power required. RC4 is a bad choice since it's known to be vulnerable to attack. MD5 is a hashing algorithm. Skipjack is an older algorithm.

51. Which of the following best describes the ICMP Type 8 code? A. Device is being filtered B. Network route is incorrect or missing C. Echo request D. Destination unreachable

C - An ICMP Type 8 code is an echo request that is used within the Ping application. ICMP Type 0 is used for an echo response code. Destination unreachable is an ICMP type 3 message.

90. A classification label is associated with which of the following? A. A subject B. A file C. An object D. A folder

C - An object such as a file will have a classification level appended to it depending on its value and sensitivity level.

67. Which two protocols are connectionless? A. IP and TCP B. IP and FTP C. IP and UDP D. TCP and UDP

C - Both IP and UDP are connectionless protocols. They do not form a connection-oriented bond between two ends.

75. What port is used by DNS? A. 80 B. 8080 C. 53 D. 25

C - DNS, or Domain Name Server, is an IP-to-name resolution service that utilizes port 53.

111. Which of the following best describes steganography? A. A symmetric encryption algorithm B. Allowing the public to use your private key C. Hiding information within a picture or concealing it in an audio format D. Encrypting data using transposition and substitution

C - Hiding information within a picture or concealing it in an audio format

61. Where is the log file that is associated with the activities of the last user that signed in within a Linux system? A. /var/log/user_log B. /var/log/messages C. /var/log/lastlog D. /var/log/last_user

C - In Linux, the lastlog file is located in the /var/log/ directory. This file contains information about users that have logged in. None of the other logs referenced here exist.

84. Which of the following capabilities does the MegaPing tool not support? A. Vulnerability detection B. Scanning C. Vulnerability exploitation D. DNS name lookup

C - MegaPing is a tool that has a lot of capabilities, including the ability to detect vulnerabilities as well as network scanning and DNS name lookup. It does not exploit vulnerabilities, however.

73. Which of the following best describes fingerprinting? A. Scanning for vulnerabilities B. Using the -sX switch for Nmap C. Matching OS characteristics from a scan to a database in Nmap D. Checking to see what ports are open by firewalking

C - Nmap uses a database of known characteristics that best matches the target to determine the operating system. The fingerprint scan, in this case, is looking for the OS fingerprint, based on lots of information gathered by Nmap while performing port scans.

93. This protocol is used for authentication purposes; it sends cleartext usernames and passwords with no forms of encryption or a means of challenging. What authentication protocol is this? A. CHAP B. POP C. PAP D. MSCHAP

C - Password Authentication Protocol (PAP) is a weak authentication protocol. It does not encrypt any data, and the credentials are sent in the clear. There is no method for challenging at either end; therefore, it is very easy to intercept and masquerade as a legitimate user.

21. Which type of malware is likely the most impactful? A. Worm B. Dropper C. Ransomware D. Virus

C - Ransomware is the most impactful. It has cost businesses billions of dollars in recovery costs as well as lost productivity.

106. Which of the following denial-of-service attacks would be most likely to be successful today? A. Fraggle B. Smurf C. Slowloris D. None of the above

C - Smurf attacks make use of a broadcast address to send ICMP echo requests, relying on large numbers of replies to overwhelm the victim. There are no longer any large smurf amplifiers, and most directed broadcast traffic using ICMP is blocked on the Internet. Fraggle is similar to a smurf attack, except it uses UDP. This is another attack that has been rendered mostly obsolete. A slowloris attack, though, may be successful against web servers since it relies on particular configurations and no protections in place in front of the web server. Many web servers may be vulnerable to this type of attack.

3. What cloud service would you be most likely to use if you wanted to share documents with another person? A. Software as a Service B. Platform as a Service C. Storage as a Service D. Infrastructure as a Service

C - Storage as a Service offers the ability to store documents or other unstructured data which could then be shared with others. Software as a Service keeps the data in the application, generally, and doesn't allow document sharing. Platform as a Service or Infrastructure as a Service could be used, but they would require additional work to allow files to be uploaded and shared. Storage as a Service would be the easiest and most likely.

8. An attacker is conducting the following on the target workstation: nmap -sT 192.33.10.5. The attacker is in which phase? A. Covering tracks B. Enumeration C. Scanning and enumeration D. Gaining access

C - The attacker is using the nmap function to conduct a TCP connection scan on the target, which is part of the scanning and enumeration phase.

9. Which encryption algorithm is a symmetric stream cipher? A. AES B. ECC C. RC4 D. PGP

C - Unlike RC5 and RC6, RC4 is a stream cipher - it is the only symmetric cipher listed that uses streams. PGP is not an encryption algorithm. AES is a block cipher. ECC is an approach to encryption, allowing more computational challenge to key creation, but not an encryption algorithm itself.

102. As an attacker, which of the following resources would be the best place to begin reconnaissance of your target? A. Nmap using the -sO switch B. Suricata C. LinkedIn D. Calling the help desk masquerading as an authorized user

C - Using LinkedIn can be a very good way to gather information about a target. Often, jobs are posted on LinkedIn, and they can include information about the target environment. Additionally, job responsibilities posted by the employees will provide similar information.

55. What command would the adversary use to show all the systems within the domain using the command-line interface in Windows? A. netstat -R /domain B. net view /<domain_name>:domain C. net view /domain:<domain_name> D. netstat /domain:<domain_name>

C - net view /domain:<domain_name> lists the computers that are members of that domain (it relies on the NetBIOS/SMB browser service, so it may return nothing on a hardened network). netstat reports network connections and, with netstat -r, the routing table; it has no /domain option, so both netstat answers are wrong. The correct net view syntax is /domain:<domain_name>, not /<domain_name>:domain.

97. What type of authentication is used in WPA2 to ensure the validity of both the client and the access point? A. Two-way handshake B. Three-way handshake C. Four-way handshake D. Five-way handshake

C - WPA2 uses the EAPOL 4-way handshake. It proves that both the client (supplicant) and the access point (authenticator) hold the same pairwise master key (PMK) without ever sending the PMK, and derives the session keys (PTK) that protect the connection. Because the handshake messages themselves are sent in the clear, capturing one is the basis of offline dictionary attacks against WPA2-PSK.

31. As a penetration tester, only you and a few key selected individuals from the company will know of the targeted network that will be tested. You also have zero knowledge of your target other than the name and location of the company. What type of assessment is this called? A. Gray box testing B. White box testing C. Black box testing D. Blue box testing

C - In black box testing only the penetration testing team and a few selected individuals at the company know the test is happening, and the testers start with no knowledge of the target beyond what is public. This simulates a real-world attacker and exercises the company's incident response posture. White box testing gives the tester full knowledge of the network; gray box testing is a mix of the two.

68. Into which phase of the MITRE ATT&CK framework does transmitting files found in an enterprise network by tunneling through DNS requests fall? A. Privilege escalation B. Persistence C. Exfiltration D. Defense evasion

C - Data leaving the corporate network under the attacker's control is exfiltration; tunneling files out through DNS queries maps to the ATT&CK Exfiltration tactic (technique Exfiltration Over Alternative Protocol, T1048). Defenders look for it in DNS logs: long, high-entropy subdomains, unusual record types such as TXT, and many unique queries to one domain from a single host.
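The detection side of the answer above, as an added example that is not part of the original flashcard set: a small Python detector that groups DNS queries by (client, registered domain) and flags pairs whose leftmost labels are numerous, long and high-entropy, which is what encoded file chunks look like compared with real hostnames. The log format and every line in SAMPLE_DNS_LOG are constructed for the example; the thresholds are assumptions to tune against your own baseline.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, one query per line in a hypothetical
# "<timestamp> <client_ip> <qtype> <qname>" format. Not from a real network.
SAMPLE_DNS_LOG = """\
2024-03-01T10:00:01 10.0.0.12 A www.example.com
2024-03-01T10:00:02 10.0.0.12 A cdn.example.com
2024-03-01T10:00:03 10.0.0.12 A mail.example.com
2024-03-01T10:00:04 10.0.0.12 AAAA api.example.com
2024-03-01T10:00:05 10.0.0.45 TXT mfrggzdfmztwq2lknnwg23tpobyxe43u.data-out.test
2024-03-01T10:00:05 10.0.0.45 TXT ge2dgnbvgy3tqojqgaydcmrtgq2tmnzx.data-out.test
2024-03-01T10:00:06 10.0.0.45 TXT nbswy3dpfqqhi2djomqho33snrsa3tln.data-out.test
2024-03-01T10:00:06 10.0.0.45 TXT krugkidrovuwg2zamjzg653oebzgaylx.data-out.test
2024-03-01T10:00:07 10.0.0.45 A www.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded/encrypted data scores high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive: last two labels. Production code should use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text: str):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype, "qname": qname.lower()})
    return records


def find_dns_tunneling(log_text: str, min_unique=3, min_label_len=24, min_entropy=3.0):
    """Flag (client, domain) pairs whose queries look like encoded data, not hostnames.

    Each indicator alone is weak (CDNs also use long labels), so all three must hold:
    many unique leftmost labels, labels that are long on average, and high entropy.
    """
    by_pair = defaultdict(list)
    for rec in parse_dns_log(log_text):
        by_pair[(rec["client"], registered_domain(rec["qname"]))].append(rec)

    findings = []
    for (client, domain), recs in by_pair.items():
        labels = {rec["qname"].split(".")[0] for rec in recs}
        avg_len = sum(len(lab) for lab in labels) / len(labels)
        avg_entropy = sum(shannon_entropy(lab) for lab in labels) / len(labels)
        txt_ratio = sum(rec["qtype"] in ("TXT", "NULL", "CNAME") for rec in recs) / len(recs)
        if len(labels) >= min_unique and avg_len >= min_label_len and avg_entropy >= min_entropy:
            findings.append({
                "client": client, "domain": domain, "queries": len(recs),
                "unique_labels": len(labels), "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2), "txt_ratio": round(txt_ratio, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_dns_tunneling(SAMPLE_DNS_LOG):
        print(finding)
```

On the sample, the workstation querying four short hostnames under example.com is not flagged even though it has more than three unique labels, while the host sending 32-character TXT lookups to data-out.test is. The record-type ratio is reported rather than used as a hard condition because legitimate tunnels over A records exist.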

63. As a pen tester, you are hired to conduct an assessment on a group of systems for your client. You are provided with a list of critical assets, a list of domain controllers, and a list of virtual share drives. Nothing else was provided. What type of test are you conducting? A. White hat testing B. Gray hat testing C. Gray box testing D. Red hat testing

C - In gray box testing the tester has partial knowledge of the target, such as the asset, domain controller and share lists provided here. White hat, gray hat and red hat describe the ethics of the person doing the hacking, not the scope of a test.

43. Which of the following allows the adversary to forge certificates for authentication? A. Wireshark B. Ettercap C. Cain & Abel D. Ncat

C - With Cain & Abel the adversary can generate self-signed certificates for man-in-the-middle attacks; because they are not signed by a CA the victim's browser trusts, the application cannot make them look authentic and the user will be prompted that the certificate is not trusted.

104. What is the result of conducting a MAC flood on a switch? A. The switch would fail to respond. B. It would create a DoS. C. The switch would operate as if it were a hub. D. The switch would continue to operate as normal.

C - A MAC flood sends frames with thousands of random source MAC addresses until the switch's CAM (MAC address) table is full. With no room to learn new addresses the switch fails open and floods unicast frames out every port, behaving like a hub, so an attacker on any port can sniff traffic meant for others. Port security (limiting the MAC addresses learned per port) mitigates it.

14. You are the CISO for a popular social website. Your engineers are telling you they are seeing multiple authentication failures but with multiple usernames, none of them ever repeated. What type of attack are you seeing? A. Brute force password attack B. Authentication failure attack C. Denial-of-service attack D. Credential stuffing attack

D - A brute-force attack tries many passwords against the same username. There is no evidence of any service being degraded, so it is not a denial of service, and "authentication failure attack" is not a real category. Many different usernames, each tried once, indicates credential stuffing, where the attacker replays username/password pairs leaked from other breaches hoping for password reuse. From the failure log alone the pattern also resembles password spraying (one password against many accounts); the difference is what the attacker supplies, not what the failure counts show.
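The distinction in the answer above, as an added example that is not part of the original flashcard set: a Python classifier that groups authentication failures by source address and labels the shape of each burst. One username hammered repeatedly is brute force; many usernames each tried once or twice is the credential stuffing (or spraying) pattern. The log format and all lines in SAMPLE_AUTH_LOG are constructed, and the thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample authentication log in a hypothetical
# "<timestamp> <src_ip> <username> <result>" format. Not from a real system.
SAMPLE_AUTH_LOG = """\
2024-03-01T09:00:00 203.0.113.7 alice FAIL
2024-03-01T09:00:00 203.0.113.7 bob FAIL
2024-03-01T09:00:01 203.0.113.7 carol FAIL
2024-03-01T09:00:01 203.0.113.7 dave FAIL
2024-03-01T09:00:02 203.0.113.7 erin FAIL
2024-03-01T09:00:02 203.0.113.7 frank OK
2024-03-01T09:00:03 203.0.113.7 grace FAIL
2024-03-01T09:01:00 198.51.100.9 admin FAIL
2024-03-01T09:01:01 198.51.100.9 admin FAIL
2024-03-01T09:01:02 198.51.100.9 admin FAIL
2024-03-01T09:01:03 198.51.100.9 admin FAIL
2024-03-01T09:01:04 198.51.100.9 admin FAIL
2024-03-01T09:01:05 198.51.100.9 admin FAIL
2024-03-01T09:02:00 192.0.2.5 heidi FAIL
2024-03-01T09:02:10 192.0.2.5 heidi OK
"""


def parse_auth_log(text: str):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines
        ts, src, user, result = parts
        records.append({"ts": ts, "src": src, "user": user, "result": result})
    return records


def classify_sources(records, min_failures=5, max_per_user=2):
    """Label each source IP by the shape of its failures.

    brute_force:      many failures against one username (password guessing)
    credential_reuse: failures spread one-or-two-per-username, which is what
                      credential stuffing (leaked pairs) and password spraying
                      (one password, many users) both look like from this side
    mixed:            several usernames, some of them hammered repeatedly
    Sources below min_failures are ignored: a real user's typo is not an attack.
    """
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        failures = [r for r in recs if r["result"] == "FAIL"]
        if len(failures) < min_failures:
            continue
        per_user = Counter(r["user"] for r in failures)
        if len(per_user) == 1:
            label = "brute_force"
        elif max(per_user.values()) <= max_per_user:
            label = "credential_reuse"
        else:
            label = "mixed"
        # A success inside a burst of failures from the same source is the alert
        # that matters most: for credential stuffing it means a leaked pair was valid.
        successes = sorted({r["user"] for r in recs if r["result"] == "OK"})
        findings[src] = {
            "label": label,
            "failures": len(failures),
            "distinct_users": len(per_user),
            "max_attempts_per_user": max(per_user.values()),
            "successful_users": successes,
        }
    return findings


if __name__ == "__main__":
    for src, info in classify_sources(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(src, info)
```

The successful_users field is the actionable part: in the sample, 203.0.113.7 fails against six accounts and succeeds on one, which is exactly the account whose password should be reset and whose sessions should be revoked.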

32. As an attacker, you are searching social media sites as well as job listings. What phase of the attack are you in? A. Casing the target B. Gaining access C. Maintaining access D. Reconnaissance

D - Although casing the target sounds right, the correct term is reconnaissance. In this phase the attacker gathers every fact they can about the target from public sources (social media, job listings, DNS and WHOIS records) and confirms or corrects their assumptions before any packets are sent at the target. Gathering information is neither gaining nor maintaining access.

4. What is the difference between a traditional firewall and an IPS? A. Firewalls don't generate logs. B. An IPS cannot drop packets. C. An IPS does not follow rules. D. An IPS can inspect and drop packets.

D - An IPS sits inline, inspects packets against rules written to match malicious traffic, and can drop them. That is what differentiates it from a passive IDS, which only alerts, and from a traditional firewall, which filters on addresses, ports and connection state rather than packet content. Both an IPS and a firewall generate logs, and an IPS certainly follows rules.

23. Your security team notifies you that they are seeing the same SSID being advertised in your vicinity, but the BSSID is different from ones they are aware of. What type of attack is this? A. Deauthentication attack B. Wardriving C. MAC spoofing D. Evil twin

D - An evil twin is a rogue access point broadcasting the same SSID as a legitimate network; the unfamiliar BSSID (the access point's MAC address) is the tell. Clients that associate with it can be shown a fake login portal or have their traffic intercepted, giving the attacker credentials to use against the real network. A deauthentication attack is often used alongside it to push clients off the legitimate access point.

81. Which of the following functions is no longer utilized within IPv6? A. Multicast B. Anycast C. Unicast D. Broadcast

D - Broadcast is no longer used with IPv6 because of its inefficiency. IPv6 uses multicast instead of broadcast.

40. Why would the adversary encode their payload before sending it to the target victim? A. Encoding the payload will not provide any additional benefit. B. By encoding the payload, the adversary actually encrypts the payload. C. The encoded payload can bypass the firewall because there is no port associated with the payload. D. Encoding the payload may bypass IPS/IDS detection because it changes the signature.

D - By encoding the payload (Base64, hex, URL encoding, or a Metasploit encoder such as shikata_ga_nai) the adversary changes the byte pattern a signature-based IDS/IPS would match, so a signature written for the original form no longer fires. Encoding is not encryption: it uses no key and anyone can reverse it. Modern inspection engines normalize common encodings before matching, so this evades weak signatures rather than guaranteeing a bypass. A firewall decides on ports and addresses, so whether the payload is encoded is irrelevant to it.

115. What Transport layer protocol does DHCP operate with? A. IP B. TCP C. ICMP D. UDP

D - DHCP runs over UDP (client port 68, server port 67). A client requesting an address has no IP address yet and must broadcast its discovery, which a connection-oriented protocol such as TCP cannot do; UDP's lack of a handshake also keeps the exchange fast. IP and ICMP are Network layer protocols, not Transport layer.

86. Which of the following activities describes the act of a person rummaging through a trash container looking for sensitive information? A. Trash jumping B. Dumpster party C. Trash diving D. Dumpster diving

D - Dumpster Diving

83. Which application uses two ports? A. Telnet B. ICMP C. HTTPS D. FTP

D - FTP uses two ports: TCP 21 for the control (command) channel and, in active mode, TCP 20 as the server's source port for the data channel. In passive mode the server opens a random high port for data instead. Telnet uses only TCP 23, HTTPS only TCP 443, and ICMP has no ports at all.

6. You are the senior manager in the IT department for your company. What is the most cost-effective way to prevent social engineering attacks? A. Install HIDS. B. Ensure that all patches are up-to-date. C. Monitor and control all email activity. D. Implement security awareness training.

D - Security awareness training focused on social engineering (phishing, pretexting, tailgating) is the most cost-effective control because social engineering targets people rather than systems; HIDS and patching do nothing against an employee who hands over a password. Training should be regular (at least annual, reinforced with phishing simulations) and can be run by the information assurance group together with the IT department.

94. What would you use "something you are" for? A. Challenge-response authentication B. Token-based authentication C. Single-factor authentication D. Multi Factor authentication

D - "Something you are" is the inherence factor: a biometric such as a fingerprint, face or iris. Combined with something you know (a password) or something you have (a token), it forms multi-factor authentication, which is how the exam expects it to be used. A biometric used on its own is single-factor, and a token on its own is "something you have", not "something you are".

65. Which tool can be used to conduct layer 4 scanning and enumeration? A. Cain & Abel B. John the Ripper C. Ping-eater D. Nmap

D - Nmap is the tool for scanning and enumeration. It determines which ports and services are reachable and, to a certain degree, which operating system a host runs. Cain & Abel is used to gather and crack passwords, John the Ripper cracks password hashes, and ping-eater doesn't exist.

38. Where is the password file located on a Windows system? A. C:\Windows\temp B. C:\Win\system\config C. C:\Windows\accounts\config D. C:\Windows\system32\config

D - Windows stores local account password hashes (not plaintext passwords) in the Security Account Manager (SAM) hive at C:\Windows\System32\config\SAM; the SYSTEM hive in the same folder holds the key needed to decrypt them. The file is locked while Windows is running, so attackers read it from a backup or volume shadow copy, export it with reg save HKLM\SAM, or dump the hashes from memory. On older versions a backup copy could also be found under C:\Windows\repair.

35. Why would an attacker want to avoid tapping into a fiber-optic line? A. It costs a lot of money to tap into a fiber line. B. If done wrong, it could cause the entire connection signal to drop, therefore bringing unwanted attention from the targeted organization. C. The network traffic would slow down significantly. D. Tapping the line could alert an IPS/IDS.

B - Tapping a fiber line is delicate. Unlike tapping copper Ethernet, bending or splicing fiber to leak light from the glass or plastic core can attenuate the signal enough to degrade traffic or drop the entire link, which draws exactly the attention an attacker wants to avoid. An IDS/IPS inspects traffic, not the physical medium, so a passive tap would not alert it; the explanation here matches option B, not D.

80. What tool would you use to conduct banner grabbing? A. aescrypt B. Ettercap C. netstat D. Telnet

D - Telnet. Connecting with telnet <host> <port> to a service such as SSH, FTP or SMTP returns the banner the service sends on connect; for HTTP you type a request such as HEAD / HTTP/1.0 and the Server header comes back. Netcat (nc) and Nmap's -sV do the same more conveniently. Ettercap is a MITM tool, netstat shows local connections, and aescrypt is a file-encryption utility.

79. Which instruction value is used to invoke a NOP (non-operating procedure)? A. 0x99 B. 0x91 C. 0xGH D. 0x90

D - 0x90 is the single-byte x86 NOP (no operation): the CPU does nothing and moves on to the next instruction. Attackers pad exploits with a run of 0x90 bytes (a NOP sled) so that an imprecise jump still slides into the shellcode. 0xGH is not valid hexadecimal. 0x99 and 0x91 are real but different x86 opcodes (CDQ and XCHG EAX,ECX respectively), not NOPs. The name stands for no operation, not "non-operating procedure".

13. What is the major vulnerability for an ARP request? A. It sends out an address request to all the hosts on the LAN. B. The address is returned with a username and password in cleartext. C. The address request can cause a DoS. D. The address request can be spoofed with the attacker's MAC address.

D - ARP has no authentication: any host can answer an ARP request (or send unsolicited replies) claiming that the victim's IP address maps to the attacker's MAC address, which poisons the other hosts' ARP caches and lets the attacker intercept traffic (ARP spoofing). ARP carries no usernames or passwords, the request itself does not cause a DoS, and sending it to every host on the LAN is how ARP is designed to work, not a flaw. Dynamic ARP inspection on switches and static ARP entries for critical hosts are the usual defences.

49. Which regional Internet registry is responsible for North and South America? A. RIPE B. AMERNIC C. LACNIC D. ARIN

D - The American Registry for Internet Numbers (ARIN) is one of the five regional Internet registries (RIRs), which allocate IP address blocks and AS numbers; they are not domain name registrars. ARIN covers the United States, Canada and parts of the Caribbean; strictly, South America falls under LACNIC (Latin America and the Caribbean), but ARIN is the answer the question expects. RIPE NCC covers Europe, the Middle East and Central Asia, and AMERNIC does not exist. WHOIS lookups against the right RIR are a standard reconnaissance step for finding an organization's address ranges.

2. Which encryption was selected by NIST as the principal method for providing confidentiality after the DES algorithm? A. 3DES B. Twofish C. RC4 D. AES

D - The Rijndael cipher won the NIST competition and was standardised as the Advanced Encryption Standard (AES) in 2001. 3DES was a stopgap that applied DES three times to extend its effective key length while a replacement was selected. Twofish was an AES finalist but was not chosen; RC4 is a stream cipher and was never a candidate.

78. Which type of packet does a Fraggle attack use to create a DoS attack? A. TCP B. IP C. ICMP D. UDP

D - A Fraggle attack is the UDP variant of a Smurf attack: the attacker sends UDP packets (typically to the echo or chargen ports, 7 and 19) with the victim's address spoofed as the source to a network's broadcast address, so every responding host floods the victim with replies. The amplification comes from the broadcast; UDP is used because it is connectionless, so the replies need no handshake.

20. What year did the Ping of Death first appear? A. 1992 B. 1989 C. 1990 D. 1996

D - The Ping of Death first appeared in 1996. A fragmented ICMP echo request whose reassembled size exceeded the 65,535-byte IP maximum overflowed the reassembly buffer in many IP stacks of the time, crashing or rebooting the target. Modern operating systems reject such packets.

44. Which encryption standard is used in WEP? A. AES B. RC5 C. MD5 D. RC4

D - WEP uses the RC4 stream cipher. The problem is less RC4 itself (though RC4 is now deprecated, RFC 7465) than how WEP uses it: the 24-bit initialization vector is sent in the clear and prepended to the shared key to form the per-packet key, so IVs repeat after a few thousand frames on a busy network, keystreams are reused, and the FMS and related attacks recover the key from captured traffic. WPA2 replaced RC4 with AES-CCMP.
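The two RC4 answers above (question 9 on stream ciphers and question 44 on WEP), as one added example that is not part of the original flashcard set: a Python implementation of the standard RC4 algorithm, checked against published test vectors, plus a simplified WEP frame builder that shows why a short, cleartext IV is fatal for a stream cipher. The WEP frame here omits the CRC-32 ICV and key-ID byte (an assumption for brevity); the key and IV values are constructed.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) then pseudo-random generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP frame body: IV || RC4(IV || key, plaintext).

    Real WEP also appends a CRC-32 ICV and a key-ID byte after the IV; both are
    omitted here (assumption) because they do not affect the keystream-reuse problem.
    """
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + wep_key, plaintext)


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes):
    """Two frames under the same IV share a keystream, so C1 ^ C2 == P1 ^ P2.
    Returns None when the IVs differ (no direct leak from this pair)."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return bytes(x ^ y for x, y in zip(frame_a[3:], frame_b[3:]))


def keystream_from_known_plaintext(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext for one frame yields the keystream for that IV, which then
    decrypts every other frame sent under the same IV without knowing the key."""
    return bytes(c ^ p for c, p in zip(frame[3:], known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    return bytes(c ^ k for c, k in zip(frame[3:], keystream))


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least two of `frames` random IVs collide."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\xaa\xbb\xcc"   # constructed 40-bit key and IV
    f1 = wep_encrypt(key, iv, b"hello world")
    f2 = wep_encrypt(key, iv, b"HELLO WORLD")
    ks = keystream_from_known_plaintext(f1, b"hello world")
    print(decrypt_with_keystream(f2, ks))
    print(round(iv_collision_probability(5000), 3))
```

With random IVs the birthday bound puts a repeat above 50% after about 5,000 frames, and many WEP cards simply counted IVs up from zero after reset, so collisions were routine. One known plaintext (a DHCP request, an ARP frame) under a reused IV is enough to read every other frame with that IV, independent of the key-recovery attacks.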

110. Which of the following describes the X.509 standard? A. It defines the LDAP structure. B. It is a symmetric encryption algorithm. C. It uses a sandbox method for security. D. It describes the standard for creating a digital certificate.

D - X.509 is the standard that defines the format of public-key certificates: version, serial number, signature algorithm, issuer, validity period, subject, the subject's public key, and extensions such as key usage and subject alternative names, all signed by the issuing CA. It is not an encryption algorithm. LDAP is a lightweight protocol for accessing X.500-style directories; X.509 originally grew out of the same X.500 family, which is the only connection.

42. Which of the following best describes DNS poisoning? A. The adversary intercepts and replaces the victim's MAC address with their own. B. The adversary replaces their malicious IP address with the victim's IP address for the domain name. C. The adversary replaces the legitimate domain name with the malicious domain name. D. The adversary replaces the legitimate IP address that is mapped to the fully qualified domain name with the malicious IP address.

D - DNS poisoning (cache poisoning) replaces the legitimate IP address mapped to a fully qualified domain name with an attacker-controlled address, so every client trusting that resolver is sent to the attacker's host. DNS does not deal in MAC addresses (that is ARP spoofing), and answering with a different domain name would not match the question the resolver asked, so the response would be discarded.

7. In which phase within the ethical hacking framework do you alter or delete log information? A. Scanning and enumeration B. Gaining access C. Reconnaissance D. Covering tracks

D - Altering or deleting logs happens in the covering tracks phase, the last phase of the attack. Reconnaissance and scanning/enumeration come early in the process, followed by gaining access and maintaining access.

105. Which of the following is the correct way to search for a specific IP address in Wireshark using a display filter? A. ip.addr = 192.168.1.100 B. ip == 192.168.1.100 C. ip = 192.168.1.199 D. ip.addr == 192.168.1.100

D - Wireshark display filters use == for comparison (a single = is a syntax error), and ip.addr matches the address in either the source or the destination field. Use ip.src == 192.168.1.100 or ip.dst == 192.168.1.100 to restrict the match to one direction.

41. Which password is more secure? A. keepyourpasswordsecuretoyourself B. pass123!! C. P@$$w0rD D. KeepY0urPasswordSafe!D

D - The longer the password, the larger the key space an attacker has to search. Short complex passwords such as P@$$w0rD fall quickly to dictionary rules that substitute symbols for letters, and pass123!! is a dictionary word with a common suffix. A long but simple passphrase (option A) is far harder to brute-force, and adding mixed case, digits and symbols on top of that length, as in option D, enlarges the search space further and defeats plain wordlist attacks. Length matters most; complexity helps after that.

29. You are the security administration for your local city. You just installed a new IPS. Other than plugging it in and applying some basic IPS rules, no other configuration has been made. You come in the next morning, and you discover that there was so much activity generated by the IPS in the logs that it is too time-consuming to view. What most likely caused the huge influx of logs from the IPS? A. The clipping level was established. B. A developer had local admin rights. C. The LAN experienced a switching loop. D. The new rules were poorly designed.

D - The most likely cause is that the new rules were poorly designed or left at vendor defaults without tuning, so ordinary traffic matched them and generated alerts. A new IPS should run in monitor-only mode against a traffic baseline first, with noisy rules tuned or disabled, before it is allowed to block. A clipping level is a threshold below which events are not reported, so establishing one would reduce log volume, not increase it.

18. Which input value would you utilize in order to evaluate and test for SQL injection vulnerabilities? A. SQL test B. admin and password C. || or |! D. 1=1'

D - Supplying a condition that is always true, classically a single quote followed by OR 1=1 (for example ' OR 1=1 -- ), in a form field or URL parameter tests whether the input is being concatenated into the query. If the application returns all rows, logs you in, or behaves differently for 1=1 than for 1=2, the input reaches the database as SQL and the attacker can assume more complex statements can be executed the same way. The fix is parameterised (prepared) statements, not input filtering alone.
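The test described in the answer above, as an added example that is not part of the original flashcard set: a Python/SQLite login routine written the vulnerable way (string concatenation) beside the parameterised fix, and the 1=1 versus 1=2 differential probe run against both. The database, the two user rows and the credentials are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two users (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "S3cret!"), ("alice", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Deliberately vulnerable: user input is pasted into the SQL text, so a quote
    in the input ends the string literal and the rest is parsed as SQL."""
    query = ("SELECT id, username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return sorted(conn.execute(query).fetchall())


def login_safe(conn, username: str, password: str):
    """Fixed: parameterised query. The driver sends values separately from the
    statement, so input is only ever data, never syntax."""
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return sorted(conn.execute(query, (username, password)).fetchall())


def boolean_sqli_probe(login_fn, conn) -> bool:
    """The 1=1 test from the question done as a differential: a true and a false
    condition in the same position must produce different results if the input
    is reaching the SQL engine as code. The trailing -- comments out the rest."""
    true_case = login_fn(conn, "x' OR 1=1 --", "irrelevant")
    false_case = login_fn(conn, "x' OR 1=2 --", "irrelevant")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, admin' --   :", login_vulnerable(db, "admin' --", "wrong"))
    print("vulnerable, ' OR '1'='1 :", login_vulnerable(db, "", "' OR '1'='1"))
    print("safe,       admin' --   :", login_safe(db, "admin' --", "wrong"))
    print("probe vulnerable:", boolean_sqli_probe(login_vulnerable, db))
    print("probe safe      :", boolean_sqli_probe(login_safe, db))
```

Two injection shapes are shown on purpose: admin' -- comments out the password check and logs in as a chosen user, while ' OR '1'='1 in the password field needs no comment because AND binds tighter than OR, so the final OR makes the whole WHERE clause true for every row. Both return nothing against login_safe, and the probe reports False for it.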

47. Which is the best example of a denial-of-service (DoS) attack? A. A victim's computer is infected with a virus. B. A misconfigured switch is in a switching loop. C. An adversary is forging a certificate. D. An adversary is consuming all available memory of a target system by opening as many "half-open" connections on a web server as possible.

D - This describes a SYN flood. Each half-open connection holds an entry in the server's connection backlog and its associated memory until it times out; with enough of them the server can no longer accept legitimate connections and may exhaust memory, freeze or crash, so none of the users can reach its resources. A virus infection, a switching loop and a forged certificate are real problems but are not denial-of-service attacks against the target service in this sense.

34. Why would an attacker conduct an open TCP connection scan using Nmap? A. The attacker does not want to attack the system. B. The attacker made a mistake by not selecting a SYN scan function. C. The attacker is trying to connect to network services. D. The attacker is trying to make the scan look like normal traffic.

D - A connect scan (-sT) completes the full three-way handshake, so each probe looks like an ordinary client connection and appears in the service's own logs the way legitimate traffic does. A SYN scan (-sS) never completes the handshake, and a burst of half-open connections is a classic scanner signature. Nmap itself does not exploit systems or provide access; a connect scan is also the only choice when the scanner lacks the raw-socket privileges a SYN scan needs.
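The connect scan discussed in questions 8 and 34, together with the banner grabbing from question 80, as one added example that is not part of the original flashcard set: a Python scanner that does what nmap -sT does (a full connect() per port, i.e. the complete three-way handshake) and then reads whatever the service says first. To keep it runnable offline it also starts two throwaway listeners on 127.0.0.1, one that announces a constructed SSH-style banner and one that stays silent, and picks an unused port to show the closed case; those targets are constructed for the example, not real services.

```python
import socket
import threading


def start_local_service(banner: bytes) -> int:
    """Constructed target for the example: a TCP listener on 127.0.0.1 that sends
    `banner` to every client (an empty banner models a service that waits for the
    client to speak first, as HTTP does). Returns the port the OS assigned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if banner:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_local_port() -> int:
    """Pick a port nothing is listening on, to show what a closed port looks like."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host: str, ports, timeout: float = 1.0, probe: bytes = b""):
    """TCP connect scan (nmap -sT): complete the three-way handshake on each port,
    then read the banner the service sends. `probe` is optional data to send first
    for services that wait for the client (e.g. b"HEAD / HTTP/1.0\\r\\n\\r\\n").
    A SYN scan (nmap -sS) would instead send a bare SYN from a raw socket and never
    finish the handshake; that needs root and is not shown here."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # RST back => closed, no answer => filtered
        except (ConnectionRefusedError, socket.timeout, OSError):
            results[port] = {"state": "closed", "banner": b""}
            s.close()
            continue
        banner = b""
        try:
            if probe:
                s.sendall(probe)
            banner = s.recv(1024)
        except (socket.timeout, OSError):
            pass                              # open but silent within the timeout
        finally:
            s.close()
        results[port] = {"state": "open", "banner": banner}
    return results


if __name__ == "__main__":
    ssh_like = start_local_service(b"SSH-2.0-OpenSSH_9.6\r\n")   # constructed banner
    silent = start_local_service(b"")
    targets = [ssh_like, silent, unused_local_port()]
    for port, info in connect_scan("127.0.0.1", targets).items():
        print(port, info["state"], info["banner"])
```

Because every probe finishes the handshake, each one shows up on the target exactly like a client session: the SSH-style listener here would log a connection with no authentication attempt, which is the footprint the answer to question 34 refers to. The scanner lumps refused and timed-out ports together as closed for simplicity; Nmap distinguishes a RST (closed) from silence (filtered).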

77. What tool could you use to check flag settings in a TCP segment? A. Nmap B. SuperPing C. Ettercap D. Wireshark

D - Wireshark captures and decodes every TCP segment and shows the individual flag bits (SYN, ACK, FIN, RST, PSH, URG) for each one; display filters such as tcp.flags.syn == 1 && tcp.flags.ack == 0 isolate segments with a given flag combination. Nmap sets flags in the probes it sends but is not a packet analyser, Ettercap is a MITM tool, and SuperPing is not a flag-inspection tool.

