CEH - Tools/Systems/Programs/Background
ICMP Type 3 Code 13
Communication administratively prohibited
hping3 -8 50-60 -S <IP Address> -V
SYN scan on port 50-60
Sub7
a Trojan horse program.
Netcat
a networking utility that reads and writes data across network connections, using the TCP/IP protocol.
eMailTrackerPro
analyzes email headers and reveals information such as sender's geographical location, IP address and so on.
Which of the following Hping3 command is used to perform ACK scan? hping3 -1 <IP Address> -p 80 hping3 -A <IP Address> -p 80 hping3 -2 <IP Address> -p 80 hping3 -8 50-60 -S <IP Address> -V
hping3 -A <IP Address> -p 80 : ACK scan on port 80
What is BeEF?
is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
On a Linux device, which of the following commands will start the Nessus client in the background so that the Nessus server can be configured? nessus + nessus *s nessus & nessus -d
nessus &
LDAP
(Lightweight Directory Access Protocol), with links to more information. LDAP is the Internet standard for providing "white pages" (phone book-like) service to organizations, workgroups, or the public.
netbios port
139
LDAP Port Number
389
Kerberos Port
88
Which element in a vulnerability scanning report allows the system administrator to obtain additional information about the scanning such as the origin of the scan? Scan information Target information Services Classification
? Classification: This subtopic allows the system administrator to obtain additional information about the scanning such as origin of the scan.
Fraggle Attack
A Fraggle Attack is a denial-of-service (DoS) attack that involves sending a large amount of spoofed UDP traffic to a router's broadcast address within a network. It is very similar to a Smurf Attack, which uses spoofed ICMP traffic rather than UDP traffic to achieve the same goal.
Metasploit
A penetration-testing tool that combines known scanning techniques and exploits to explore potentially new types of exploits.
You want to carry out session hijacking on a remote server. The server and the client are communicating via TCP after a successful TCP three-way handshake. The server has just received packet #120 from the client. The client has a receive window of 200 and the server has a receive window of 250. What is the range of packet sequence numbers that would be accepted by the server? A. 121-371 B. 120-370 C. 200-250 D. 121-231 E. 120-321
A. 121-371 Package number 120 have already been received by the server and the window is 250 packets, so any package number from 121 (next in sequence) to 371 (121+250).
Steve scans the network for SNMP enabled devices. Which port number Steve should scan? A. 161 B. 169 C. 150 D. 69
A. 161 The default SNMP port is 161. Port 69 is for TFTP, Port 150 is for SQL-NET and 169 is for SEND.
Which type of scan does not open a full TCP connection? A. Stealth Scan B. XMAS Scan C. Null Scan D. FIN Scan
A. A stealth scan. Instead of completing the full TCP three-way-handshake a full connection is not made. A SYN packet is sent to the system and if a SYN/ACK packet is received it is assumed that the port on the system is active. In that case a RST/ACK will be sent which will determined the listening state the system is in. If a RST/ACK packet is received, it is assumed that the port on the system is not active.
Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers. A. True B. False
A. True. Using HTTP basic authentication will result in your PW being sent over the internet as clear-text. Don't use this technique unless you understand what the ramifications of this are.
An NMAP scan of a server shows port 25 is open. What risk could this pose? Open printer sharing Web portal data leak Clear text authentication Active mail relay
Active mail relay is an SMTP server configured in such a way that it allows anyone on the Internet to send email through it, not just mail destined to or originating from known users. Simple Mail Transfer Protocol (SMTP) uses port 25 for email routing between mail servers. In the above scenario, Nmap scan shows port 25 is open; it is vulnerable to active mail relay.
SNMP is a protocol used to query hosts, servers, and devices about performance or health status data. Hackers have used this protocol for a long time to gather great amount of information about remote hosts. Which of the following features makes this possible? A. It uses TCP as the underlying protocol B. It uses a community string sent as clear text C. It is susceptible to sniffing D. It is used by ALL devices on the market
B. It uses a community string sent as cleartext C. It is susceptible to sniffing. SNMP uses UDP, not TCP, and even though many devices use SNMP, not all devices use it and it can be disabled on most of the devices that do use it. However, SNMP is susceptible to sniffing and the community string (which can be said to act as a password) is sent in cleartext.
Bryce the bad boy is purposely sending fragmented ICMP packets to a remote target. The total size of this ICMP packet once reconstructed is over 65,536 bytes. From the information given, what type of attack is Bryce attempting to perform? A. Smurf B. Ping of Death C. Fraggle D. SYN Flood
B. Ping of Death
Matthew re-injects a captured wireless packet back onto the network. He does this hundreds of times within a second. The packet is correctly encrypted and Matthew assumes it is an ARP request packet. The wireless host responds with a stream of responses, all individually encrypted with different IVs. What is this attack most appropriately called?
B. Replay attack. A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack.)
A program that defends against a port scanner will attempt to: A. Log a violation and recommend use of security-auditing tools B. Update a firewall rule in real time to prevent the port scan from being completed C. Sends back bogus data to the port scanner D. Limit access by the scanning system to publicly available ports only
B. Update a firewall rule in realtime to prevent the port scan from being completed.
While doing web application testing, you might be required to look through multiple web pages online which can take a long time. Which process below would be a more efficient way of doing this type of validation? A. Useget utility to download all pages locally for further inspection B. Use wget utility to download all pages locally for further inspection C. Use mget utility to download all pages locally for further inspection D. Use get * utility to download all pages locally for further inspection
B. Use wget utility to download all pages locally for further inspection. Wget is a utility used for mirroring websites, get* doesn't work, as for the actual FTP command to work there needs to be a space between get and *. get( ); is just bogus, that's a C function that's written 100% wrong. mget dis a command used from "within" ftp itself, ruling out A. Which leaves B use wget which is designed for mirroring and download files, especially webpages if used with the -R option (i.e. wget -R) it could mirror a site, all except the protected portions, of course. GNU Wget is a free network utility to retrieve files from teh Web using FTP and HTTP, and can be used to make mirrors of archives and home pages, thus enabling work in the background after logging off.
Windump is a Windows port of the famous TCPDump packet sniffer available on a variety of platforms. In order to use this tool on the Windows platform you must install a packet capture library. What is the name of this library? A. NTPCAP B. WinPCAP C. PCAP D. LibPCAP
B. WinPCAP Win PCAP is the industry standard tool for link-layer network access in Windows environments. It allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine, and support for remote packet capture.
Which of the following is an sh-compatible shell that stores command history in a file? BASH Tcsh/Csh Zsh ksh
BASH: is an sh-compatible shell which stores command history in a file called bash history. You can view the saved command history using more ~/.bash_history command. This feature of BASH is a problem for hackers as the bash_history file could be used by investigators in order to track the origin of an attack and the exact commands used by an intruder in order to compromise a system.
Which of the following commands will you run in Linux to check for the presence of rootkits? A. $ sudo runvirus B. $ sudo avcheck C. $ sudo chrootkit D. $ sudo rootvirus
C. $ sudochrootkit
ARP poisoning is achieved in _____ steps A. 1 B. 3 C. 2 D. 4
C. 2 The hacker begins by sending a malicious ARP reply (for which there was no previous request) to your router, associating his computer's MAC address with your IP address. Now, your router thinks the hacker's computer is your computer. Next, the hacker sends a malicious ARP reply to your computer, associating his MAC address with the router's IP address. Now, your machine thinks the hacker's computer is your router. The hacker has now used ARP poisoning to accomplish a MITM attack.
What is Cygwin? A. Cygwin isa X Windows GUI subsytem that runs on top of Linux GNOME environment B. Cygwin is a free C++ compiler that runs on Windows C. Cygwin is a freeUnix subsystem that runs on top of Windows D. Cygwin is a free Windows subsystem that runs on top of Linux
C. Cygwin is a free Unix subsystem that runs on top of windows. Cygwin is a Linux-like environment for Windows. It consists of two parts: A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing substantial Linux API functionality, and a collection of tools which provide Linux look and feel.
What is the command used by an attacker to establish a null session with the target machine? C :\>auditpol \\<ip address of target> /disable C:\>auditpol \\<ip address of target> auditpol /get /category:* C:\clearlogs.exe -app
C:\>auditpol \\<ip address of target> Auditpol.exe is the command-line utility tool to change Audit Security settings at the category and sub-category levels. Attackers can use AuditPol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events.
Which among the following is not a metric for measuring vulnerabilities in common vulnerability scoring system (CVSS)? Base Metrics Active Metrics Temporal Metrics Environmental Metrics
CVSS assessment consists of three metrics for measuring vulnerabilities: ? Base metrics: It represents the inherent qualities of a vulnerability. ? Temporal metrics: It represents the features that keep on changing during the lifetime of a vulnerability. ? Environmental metrics: It represents the vulnerabilities that are based on a particular environment or implementation.
DNS footprinting: CNAME
Canonical naming allows aliases to a host
filetype: "cisco" "GroupPwd"
Cisco VPN with Group Passwords for remote access
ClamWin
ClamWin is a free and open-source antivirus tool for Windows.
What type of port scan is shown below? Scan directed at open port: ClientServer 192.5.2.92:4079 ---------FIN--------->192.5.2.110:23 192.5.2.92:4079 <----NO RESPONSE------192.5.2.110:23 Scan directed at closed port: ClientServer 192.5.2.92:4079 ---------FIN--------->192.5.2.110:23 192.5.2.92:4079<-----RST/ACK----------192.5.2.110:23
D. FIN scan
What is the command used to create a binary log file using tcpdump? A. tcpdump -r log B. tcpdump -l /var/log/ C. tcpdump -vde log D. tcpdump -w ./log
D. tcpdump -w ./log
Which type of assessment tools are used to find and identify previously unknown vulnerabilities in a system? Depth assessment tools Scope assessment tools Application-layer vulnerability assessment tools Active Scanning Tools
Depth Assessment Tools Depth assessment tools are used to find and identify previously unknown vulnerabilities in a system. Generally, these tools are used to identify vulnerabilities to an unstable degree of depth. Such types of tools include fuzzers that give arbitrary input to a system's interface. Many of these tools use a set of vulnerability signatures for testing that the product is resistant to a known vulnerability or not.
ICMP Type 3 Code 6
Destination network unknown
ICMP Type 3 Code 0
Destination network unreachable
"Config" intitle:"Index of" intext:vpn
Directory with keys of VPN servers
ICMP Type 8
Echo Request
FOCA
FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans.
"[Main]" "enc_GroupPwd=" ext:txt
Finds Cisco VPN client passwords (encrypted but easily cracked!)
inurl"/remote/login?lang=en
Finds FortiGate Firewall's SSL-VPN login portal
!Host=*.*intext:enc_UserPassword=*ext:pcf
Finds Sonicwall Global VPN Client files containing sensitive information and login
filetype:pcf vpn OR Group
Finds publicly accessible profile configuration files (.pcf) used by VPN clients
Which of the following registry entry you will delete to clear Most Recently Used (MRU) list? HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey - stores the hotkeys. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts - is responsible for file extension association. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs - key maintains a list of recently opened or saved files via Windows Explorer-style dialog boxes. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 - stores the network locations.
Which type of rootkit is created by attackers by exploiting hardware features such as Intel VT and AMD-V? Hypervisor Level Rootkit Hardware/Firmware Rootkit Kernel Level Rootkit Boot Loader Level Rootkit
Hypervisor Level Rootkit
Which of the following are valid types of rootkits? (Choose three.) Hypervisor level Network level Kernel level Application level Physical level Data access level
Hypervisor level Kernel level Application level
hping3 -1 <IP Address> -p 80
ICMP ping
Which of the following steps in enumeration penetration testing extracts information about encryption and hashing algorithms, authentication type, key distribution algorithms, SA LifeDuration, etc.? Perform SMTP enumeration Perform DNS enumeration Perform IPsec enumeration Perform NTP enumeration
IPsec provides data security by employing various components like ESP (Encapsulation Security Payload), AH (Authentication Header), and IKE (Internet Key Exchange) to secure communication between VPN end-points. Attacker can perform a simple direct scanning for ISAKMP at UDP port 500 with tools like Nmap, etc. to acquire the information related to the presence of a VPN gateway.
DNS footprinting: SOA
Indicate authority for domain
HTTrack
It downloads a Website from the Internet to a local directory, building all directories recursively, getting HTML, images, and other files from the server.
Kerberos
Kerberos is a network protocol that uses secret-key cryptography to authenticate client-server applications. Kerberos requests an encrypted ticket via an authenticated server sequence to use services.
In the options given below; identify the nature of a library-level rootkit? Operates inside the victim's computer by replacing the standard application files Functions either by replacing or modifying the legitimate bootloader with another one Works higher up in the OS and usually patches, hooks, or supplants system calls with backdoor versions Uses devices or platform firmware to create a persistent malware image in hardware
Library Level Rootkits: Library level rootkits work higher up in the OS and they usually patch, hook, or supplant system calls with backdoor versions to keep the attacker unknown. They replace original system calls with fake ones to hide information about the attacker.
Which of the following DNS record type helps in DNS footprinting to determine domain's mail server? -A -NS -CNAME -MX
MX
DNS footprinting: PTR
Maps IP address to a hostname
Which of the following vulnerabilities is found in all the Intel processors and ARM processors deployed by Apple (and others) and leads to tricking a process to access out of bounds memory by exploiting CPU optimization mechanisms such as speculative execution? Privilege escalation Dylib Hijacking Meltdown DLL Hijacking
Meltdown: Meltdown vulnerability is found in all the Intel processors and ARM processors deployed by Apple. This vulnerability leads to tricking a process to access out of bounds memory by exploiting CPU optimization mechanisms such as speculative execution.
meterpreter
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime.
What is the outcome of the command "nc -l -p 2222 | nc 10.1.0.43 1234"?
Netcat will listen on port 2222 and output anything received to a remote connection on 10.1.0.43 port 1234.
microdot
Photographs reduced to the size of a printed period, and used to transmit secret messages, photographs, and drawings.
Ping of Death
Ping of Death (PoD) is a type of network attack in which an attacker sends a network packet that is larger than what the target computer can handle. This can crash the computer, or freeze or degrade computer service.
DNS footprinting: A
Points to a host's IP address
DNS footprinting: MX
Points to domain's mail server
DNS footprinting: NS
Points to host's name server
Recon-ng
Recon-ng is a full-featured Web Reconnaissance framework written in Python
Which of the following settings enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity? Netstat WMI Scan Silent Dependencies Consider unscanned ports as closed Reduce parallel connections on congestion
Reduce parallel connections on congestion The Netstat WMI scan finds open ports in the Windows system. Silent dependencies limit the amount of plugin data. According to Nessus Network Auditing, edited by Russ Rogers, 'Consider unscanned ports as closed' will tell Nessus that all other ports not included in the port range scan to be considered as closed. This prevents ports that are targeted against ports outside that range from running."
Which of the following term refers to the process of reducing the severity of vulnerabilities in vulnerability management life cycle? Remediation Vulnerability Assessment Verification Risk Assessment
Remediation Remediation is the process of reducing the severity of vulnerabilities. This phase is initiated after the successful implementation of the baseline and assessment steps.
Which of the following tools provides comprehensive vulnerability management for mobile devices, smartphones, and tablets? zANTI FaceNiff Retina CS for Mobile Pamn IP Scanner
Retina CS for Mobile is the industry's innovative approach to security, policy, and health management for mobile devices. It provides comprehensive vulnerability management for mobile devices, smartphones, and tablets. It integrates mobile device assessment and vulnerability management for proactively discovering, prioritizing, and fixing smartphone security weaknesses. zANTI, FaceNiff, and Pamn IP Scanner are the scanning tools for mobile devices used to identify all active machines and Internet devices on the network.
Scope Assessment Tools
Scope assessment tools provides assessment of the security by testing vulnerabilities in the applications and operating system. These tools provide a standard control and a reporting interface that allows the user to select a suitable scan.
DNS footprinting: SRV
Service records
SNMP
Simple network management protocol (SNMP) is widely used in network management systems to monitor network-attached devices such as routers, switches, firewalls, printers, servers, and so on.
An engineer is learning to write exploits in C++ and is using Kali Linux. The engineer wants to compile the newest C++ exploit and name it calc.exe. Which command would the engineer use to accomplish this? g++ hackersExploit.cpp -o calc.exe g++ hackersExploit.py -o calc.exe g++ -i hackersExploit.pl -o calc.exe g++ --compile -i hackersExploit.cpp -o calc.exe
Since the engineer is writing exploit in C++, the command should be g++ hackersExploit.cpp -o calc.exe g++ hackersExploit.py -o calc.exe is for python exploit g++ -i hackersExploit.pl -o calc.exe is for perl exploit. In g++ --compile -i hackersExploit.cpp -o calc.exe, the command should be --c and not --compile. So the answer is "g++ hackersExploit.cpp -o calc.exe."
nslookup: NS
Specifies a DNS name server for the named zone
Which of the following vulnerabilities allows attackers to trick a processor to exploit speculative execution to read restricted data? Meltdown Dylib Hijacking Spectre DLL Hijacking
Spectre vulnerability is found in many modern processors such as AMD, ARM, Intel, Samsung, and Qualcomm processors. This vulnerability leads to tricking a processor to exploit speculative execution to read restricted data.
Sublist3r
Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT
IRDP
The ICMP Router Discovery Protocol (IRDP) is a routing protocol that allows a host to discover the IP addresses of active routers on its subnet by listening to router advertisement and solicitation messages on its network. The attacker can add default route entries on a system remotely by spoofing router advertisement messages. Since IRDP does not require any authentication, the target host will prefer the default route defined by the attacker to the default route provided by the DHCP server. The attacker accomplishes this by setting the preference level and the lifetime of the route at high values to ensure that the target hosts will choose it as the preferred route.
Which of the following techniques do attackers use to escalate privileges in the Windows operating system? Launch Daemon Plist Modification Setuid and Setgid Application Shimming
The Windows operating system uses Windows application compatibility framework called Shim to provide compatibility between the older and newer versions of Windows. An attacker can use these shims to perform different attacks such as disabling Windows defender, privilege escalation, installing backdoors, and so on.
Which command lets a tester enumerate live systems in a class C network via ICMP using native Windows tools? ping 192.168.2. ping 192.168.2.255 for %V in (1 1 255) do PING 192.168.2.%V for /L %V in (1 1 254) do PING -n 1 192.168.2.%V | FIND /I "Reply"
The command below will ping all IP addresses on the 192.168.2.0 network and help the tester to determine live systems in the network along with replies. for /L %V in (1 1 254) do PING -n 1 192.168.2.%V | FIND /I "Reply" Ping 192.168.2. and ping 192.168.2.255 will just ping the target IPs for %V in (1 1 255) do PING 192.168.2.%V command does not consist of reply from the host machines
What is port 515 used for?
The protocols TCP and UDP uses port 515 to interact with the printer. As port 515 is open in the above Nmap output, probably the host is a printer.?
Dylib hijacking
This allows an attacker to inject a malicious dylib in one of the primary directories and simply load the malicious dylib at runtime.
Which of the following tools are useful in extracting information about the geographical location of routers, servers and IP devices in a network?
Traceroute Tools
Which of the following protocols provides reliable multiprocess communication service in a multinetwork environment? UDP TCP SMTP SNMP
Transmission control protocol (TCP) is a connection-oriented protocol. It is capable of carrying messages or e-mail over the Internet. It provides reliable multiprocess communication service in a multinetwork environment.
An NMAP scan of a server shows port 69 is open. What risk could this pose? Unauthenticated access Weak SSL version Cleartext login Web portal data leak
Trivial File Transfer Protocol (TFTP) is a File Transfer Protocol that allows a client to get a file from or put a file onto a remote host. This protocol includes no login or access control mechanisms, and therefore it is recommended to take care when using this protocol for file transfers where authentication, access control, confidentiality, or integrity checking are needed. Otherwise, it may result in unauthorized access to remote host.
Which of the following hping command performs UDP scan on port 80? hping3 -2 <IP Address> -p 80 hping3 -1 <IP Address> -p 80 hping3 -A <IP Address> -p 80 hping3 -F -P -U <IP Address> -p 80
UDP scan on port 80: hping3 -2 <IP Address> -p 80 - Hping uses TCP as its default protocol. Using the argument -2 in the command line specifies that Hping operates in UDP mode.
A pen tester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pen tester pivot using Metasploit? Issue the pivot exploit and set the meterpreter. Reconfigure the network settings in the meterpreter. Set the payload to propagate through the meterpreter. Create a route statement in the meterpreter.
When malicious activities are performed on the system with Metasploit Framework, the Logs of the target system can be wiped out by launching meterpreter shell prompt of the Metasploit Framework and typing clearev command in meterpreter shell prompt followed by typing Enter.
How does the SAM database in Windows operating system store the user accounts and passwords? The operating system performs a one-way hash of the passwords. The operating system stores the passwords in a secret file that users cannot find. The operating system uses key distribution center (KDC) for storing all user passwords. The operating system stores all passwords in a protected segment of volatile memory.
Windows uses the security accounts manager (SAM) database or active directory database to manage user accounts and passwords in the hashed format (one-way hash).
Wayback Machine
a digital archive of the World Wide Web and other information on the Internet.
TrueCrypt
a discontinued source-available freeware utility used for on-the-fly encryption.
nslookup
a network administration command-line tool available for many computer operating systems for querying the Domain Name System to obtain domain name or IP address mapping or for any other specific DNS record.
Authentication Header (AH)
a protocol and part of the Internet Protocol Security (IPsec) protocol suite, which authenticates the origin of IP packets (datagrams) and guarantees the integrity of the data.
OpenVAS
a software framework of several services and tools offering vulnerability scanning and vulnerability management.
Havij
a tool that automates SQL injections (blind SQL, SQL errors, UNION) to reverse-engineer a database and gather relevant data on a server.
Nikto
an Open Source web server scanner which performs comprehensive tests against web servers for multiple items,
Netcraft
provides internet security services including anti-fraud and anti-phishing services, application testing and PCI scanning.
DNS Lookup
reveals information about DNS zone data. DNS zone data include DNS domain names, computer names, IP addresses, and much more about a particular network.
At a Windows server command prompt, which command could be used to list the running services? Sc query type= running Sc query \\servername Sc query Sc config
sc query: Obtains and displays information about the specified service, driver, type of service, or type of driver.
hashcat
the self-proclaimed world's fastest password recovery tool. It had a proprietary code base until 2015, but is now released as free software.
Traceroute
traceroute is a computer network diagnostic tool for displaying the route and measuring transit delays of packets across an Internet Protocol network.