CEH Ch 1 - Ch 5


1-18 Which of the following code lines would set a variable in a PowerShell script? Choose the best response.

$total_weight = $product_weight + $product_quantity

1-21 What characters would you use to encode an open parenthesis ( in a URL string? Choose the best response.

%28

3-5 You also want the previous script to generate output files that can be fed into two separate tools. One generates XML-based reports, and the other uses Perl to filter and single out specific results for further testing. Which additional option would most likely generate output useful to both tools? Choose the best response.

-oA

1-16 Match the script file formats with their scripting environments.

.bat - Windows Command prompt; .js - JavaScript; .ps1 - Windows Powershell; .py - Python Interpreter; .sh - Unix shell; .rb - Ruby interpreter

1-15 You're preparing for a white box test and the client sends you some WADL files that need to go with the existing target documentation. Since the message wasn't entirely clear, you have to guess which target they go with. Which of the following does it best match?

A RESTful inventory tracking application

4-4 You're reviewing discovered vulnerabilities. Which of the following are an example of privilege escalation?

A container security misconfiguration allows processes in a container to affect the host operating system.; The guest Wi-Fi network allows access to services that should only be available to authenticated users.; A web application allows users to navigate into any non-administrator user folder.

1-1 Your client wants to find missing or misconfigured security controls on a network that is full of critical services fragile enough to have problems when they receive non-standard traffic. You must use the least intrusive method possible. Which of the following would you recommend? Choose the best response.

A credentialed vulnerability scan

2-6 You're reviewing logs from a DNS server, and filtered for requests from outside addresses. Which of the following single query types against your domain name is most likely to indicate a DNS harvesting attempt? Choose the best response.

AXFR

1-14 You're writing a testing agreement for a new client. Which of the following is not an example of a comprehensiveness disclaimer? Choose the best response.

Any future changes in the network's status will change the validity of the test results.

2-3 You've discovered a server with an open Telnet service, and you suspect an administrator uses it for remote login. Since Telnet uses cleartext credentials, you placed a packet sniffer capturing traffic to the server to target that administrator's passwords. Your first attempt generated a massive log filled with irrelevant traffic, and the only login you've been able to find was for a non-privileged user. It's still useful, but what can you do to more efficiently achieve your goal next time? Choose the best response.

Apply a capture filter on the port number

1-4 While conducting a vulnerability assessment, you're given a set of documents representing the network's intended security configuration along with current network performance data. Which type of review are you most likely to perform? Choose the best response.

Baseline review

1-22 You're planning to make a script with a conditional structure leading to one of three outcomes. Match each scripting language with the right syntax.

Bash - if-elif-fi; PowerShell - if-elseif-else; Python - if-elif-else; Ruby - if-elsif-else-end

1-7 Once a third-party penetration test begins, it's your job to secure the network and stop attacks before the penetration testers achieve their goal. What team are you on? Choose the best response.

Blue team

2-7 You've identified some specific vulnerabilities in software the target organization uses. What public database could you use to find useful attacks against them? Choose the best response.

CAPEC

3-8 Your SCAP-compliant vulnerability feed includes a long list of uniquely defined vulnerabilities. Which SCAP component is used to actually identify each vulnerability? Choose the best response.

CVE

3-4 A team member asked you to modify a scanning script for the target network so that it would "run less aggressively" and "work from a non-privileged account". The current command line in the script is "nmap -sS -sV -p 1-10000 -T4 -PA " $target. What changes could you make to meet the request? Choose all that apply.

Change -T4 to -T2; Change -sS to -sT

3-18 Which of the following statements is not true of container virtualization? Choose the best response.

Containers are more isolated from each other than VMs.

1-8 You perform the following steps to exfiltrate data from a secure network. Match each to a step of the Cyber Kill Chain.

Discover a code injection vulnerability on a web server - Reconnaissance; Create an exploitation script - Weaponization; Send the script in a web form request - Delivery; Inject malware code onto the server with the script - Exploitation; Deploy a backdoor as a system service on the server - Installation; Connect to the backdoor - Command and Control; Download sensitive files from the server - Actions on Target

5-6 A teammate steps up to the locked server room and sprays compressed air through the gap of the door. The door unlocks automatically, and you both step inside. What kind of vulnerability was exploited? Choose the most likely answer.

Egress sensor

5-3 A teammate just used social engineering to get the name of a particular network administrator in a black box test. Acting like a fellow employee, the teammate struck up a conversation with someone on the way into the building and shared some light-hearted complaints about IT. By the end of the conversation, the real employee was talked into volunteering the administrator's name to a stranger without really thinking about it. What technique did he use?

Elicitation

4-8 You found a Metasploit exploit which targets a discovered vulnerability, but the target's network IDS recognizes and blocks it. What kind of module could you use to evade detection? Choose the best response.

Encoder

1-12 Which of the following are you likely to find in a SOW rather than some other supporting document? Choose all that apply.

Engagement timeline; Project deliverables

4-6 You found a published exploit to access a target application server, but it requires you to first exploit a browser in a Windows client, then an embedded NAS device. What attack technique is this an example of?

Exploit chaining

1-9 Your team is performing reconnaissance. Match each of the following tasks with the most appropriate tool.

Extracting metadata from HTML and PDF files on the target website - FOCA; Capturing Wi-Fi traffic from inside the building - Kismet; Finding vulnerabilities on a target web server - Nikto; Finding internet-accessible servers and devices in the target network - Shodan; Finding vulnerabilities on an internal domain controller - Nessus; Enumerating employee names and email addresses - The Harvester

4-2 After performing a vulnerability scan on a database server, you manually verify that each reported vulnerability actually exists on the server. What are you looking for? Choose the best response.

False positives

1-10 You've found a hard disk thrown away by an employee at the target organization. It seems to have been quickly wiped, but it might have hidden files with credentials or other information. You want to try extracting deleted data from the disk. Your team organizes software tools by use case, so which of the following categories would you look in first? Choose the best answer.

Forensics

1-2 You've been charged with conducting a vulnerability scan. Which of the following actions are you likely to perform? Choose all that apply.

Identifying vulnerabilities; Passively testing security controls; Finding open ports

2-10 While examining your target's public-facing web servers, you find one with an expired SSL certificate. Which of the following suggestions from your teammates is most relevant to later exploitation?

If the certificate is expired, maybe the server isn't being actively maintained.

3-6 You're trying to perform an SNMP walk through a target network. Which of the following guidelines should you keep in mind? Choose all that apply.

If you don't receive a reply from a device it can be hard to figure out why.; The default community string is public.; Tools like snmpwalk can easily retrieve a device's entire SNMP database

3-1 Someone just did a Zenmap scan on the 192.168.1.0 subnet using the Quick scan profile, but some expected hosts don't appear at all. You're pretty sure they're running and on the target subnet. What scan profile would be the quickest way to make sure you're scanning those hosts if they're there? Choose the best response.

Intense scan, no ping

3-16 You want to test a web application, but your browser limits your ability to tailor the precise input you send to the server. What kind of tool would allow you to create specific HTTP requests the browser will not? Choose the best response.

Interception proxy

1-17 You're not really familiar with this scripting language, but one variable was defined as a "string" data type. What does that mean? Choose the best response.

It can be any combination of alphanumeric characters

3-7 Your manager wants you to plan a vulnerability scanning program using agent-based credentialed scanning. What does that likely mean, compared to the alternatives? Choose the best response.

It will be hard to set up and maintain, generate little network traffic, and find many vulnerabilities.

4-1 You researched an authentication system vulnerability last month, and while it had serious impact in theory, there was no demonstrated code that could exploit it. Last week a security researcher demonstrated such code. How will this affect the vulnerability's CVSS score? Choose the best response.

It will change the Temporal metrics.

1-11 Your organization is providing several security assessments for the same client. They all cover different personnel, locations, and types of work, but there's a single contract that governs payment terms and dispute resolution for all tests with that client. What kind of document is that contract?

MSA

3-10 After running a vulnerability scan you learn that a number of the identified vulnerabilities don't actually exist on the system. What should you do? Choose the best response.

Mark them as false positives

5-8 The target building has individual locks for each room, so you've been copying individual keys as you get a chance. You were able to get good photos of the keys for rooms 210, 211, and 214, but you really want into room 215. A teammate compares the photos, and designs a new key that works for 215. What kind of tool is it? Choose the best answer.

Master key

4-7 What Metasploit component runs on a compromised target machine and allows you to control it? Choose the best response.

Meterpreter

2-1 You want to perform packet sniffing on a Wi-Fi network which uses strong WPA2 encryption. You hope to find the key, but even if you don't, what can you still learn? Choose all valid responses.

Most active hosts; MAC addresses; SSIDs

1-3 You're performing a compliance-based assessment for a system subject to PCI DSS 3.0 regulations. Which of the following findings would fail the assessment? Choose all that apply.

Passwords are required to be six characters with a mix of letters and numbers.; User workstations automatically lock after 30 minutes idle time.

2-2 As a penetration tester you want to get a user name and password for an important server, but lockout and monitoring systems mean you'll be detected if you try brute force guessing. What techniques might directly find the credentials you need? Choose all that apply.

Phishing; Packet capture

1-23 Identify the most likely scripting language for the following statement: if $length -ge 20 -and $weight -ge 40

PowerShell

2-4 You're preparing to conduct active scans of a network in order to enumerate internal services. The network's firewall and IDS block scans from your current network location, but you arranged to bounce the scan off a server on a trusted subnet to hide its real origin. What kind of tool will that intermediate server need to have?

Proxy

5-7 You need to get into a room protected by a passive infrared motion sensor. Which of the following techniques might allow you to bypass it? Choose all that apply.

Put on insulated clothing just before moving through the field of view; Turn the thermostat up much higher than usual and wait for the room to warm; Hold a pane of glass between you and the sensor

3-9 You're performing vulnerability scans on a network with fragile systems and limited bandwidth. What option should you choose to make sure you don't cause any service interruptions? Choose the best response.

Query throttling

4-9 You have a large number of captured hashes, and you want to crack them all in parallel rather than one at a time. What tool might be the quickest way to do so?

RainbowCrack

2-9 You're used to how Metasploit is a broad spectrum tool for the exploitation phase, and you'd like a similar modular program that performs all sorts of reconnaissance gathering. What tool should you try?

Recon-NG

3-14 You've just rebuilt the back end of an application to boost server performance, and you're ready to test the new version. What kind of test would discover if the changes caused any problems with existing security features? Choose the best response.

Regression test

1-6 While conducting a penetration test you've exploited an application flaw to get temporary access on a proxy server. Part of your goal is to use that server as a pivot. Which of the following steps directly achieve that goal? Choose all that apply.

Running a network scan from that server; Creating a tunnel through the proxy server to the internal network

5-1 You're performing a test with a heavy social engineering component. You'd like to create phishing emails, USB key drops, and an evil twin WAP. What tool would be focused on your needs?

SET

3-12 You're performing a white box penetration test against a network running several web applications. You have vulnerability scan results for the hosts, server software and web application software, but not for the underlying database servers holding the target data. What scanner would likely focus on what you need? Choose the best response.

SQLmap

4-5 You're performing part of a penetration test from inside a secure facility with no outside network access. What tool can you use as a portable vulnerability database? Choose the best response.

Searchsploit

2-5 For business reasons, your company isn't at all secretive about its WHOIS information. What reconnaissance type does this make easier for attackers? Choose the best response.

Social engineering

5-2 You receive an email from the department manager saying a lot of people in the company have been using this new email app you've never heard of and it might be useful to you. You quickly determine the message wasn't really sent by her, and the download link would install malware. What motivation did the attacker try to use? Choose the best response.

Social proof

3-17 You want to perform source code analysis of applications written under a variety of languages, but you'd rather not learn multiple program interfaces. Which application might fit your needs? Choose the best response.

SonarQube

5-4 You want to gain access to the target's CRM web application, but the vulnerability you found requires an authenticated user to click a malicious link. You send the link in an email, and specifically target sales department members you think have limited technical experience and won't notice anything strange. Which technique are you using?

Spear phishing

3-13 The development team has just created a control flow graph for a new application. What stage of development are they in? Choose the best response.

Static code analysis

5-5 You want to get into a secure facility, but the main entrance is monitored and even the back door has a card reader you can't easily bypass. When the janitor took the trash out the back, you acted like you were hurrying from the rear parking lot. It seems your professional dress and the apparent badge on your lanyard convinced the janitor to hold the door for you. What kind of attack did you perform? Choose the best answer.

Tailgating

3-15 Which of the following statements are true of both decompilers and debuggers? Choose all that apply.

They are DAST tools; You can use them when you don't have source code access

4-3 You're reviewing vulnerabilities in a server you want to exploit. Since you plan to attack it while it's being unused over a long weekend, you need a vulnerability that doesn't require any user action to exploit. You can gain access to the same L2 segment as the server, but you can't enter the physical room it's in. Which of the following metrics would immediately disqualify a particular vulnerability for your purposes? Choose all that apply.

UI:R; AV:P

1-5 As an IT technician, you're instructed to assist outside penetration testers by giving them complete documentation on your network and its configuration. What kind of test are they performing? Choose the best response.

White box

1-13 Which of the following is true regardless of where your penetration test is taking place? Choose the best response.

You should have explicit written authorization from the owner of the system being tested.

3-11 Which of the following tools would be most appropriate to perform a vulnerability scan on a web application? Choose the best response.

ZAP

1-19 You want to make a bash script named ConnectScript executable for all users. What command should you use?

chmod +x ConnectScript

2-8 You want to perform a zone transfer from ns1.javatucana.com. Which of the following would be part of a valid command sequence for it? Choose the best response.

dig axfr javatucana.com @ns1.javatucana.com

1-24 You want to insert a loop in a Python script. Which of the following would be appropriate syntax? Choose the best response.

for host in range(1..255):

3-2 Which of the following Nmap command line options match the correct answer to the previous question? Choose the best response.

nmap -T4 -A -v -Pn 192.168.1.0/24

1-20 You want to print the address variable inside of a string in Ruby. Which of the following methods will work? Choose the best response.

puts 'Error: #{address} is not responding'
