CEH FINAL EXAM P2

You are configuring your corporate firewall. You must prevent anyone from outside the network from using traceroute to gather information about your network while still allowing the use of the tool within the network. Which actions can you take? (Choose all that apply.)

*Add a rule to only allow ICMP Echo-Request and Echo Reply messages for connections originating from within the network. *Add a rule to allow TTL-Exceed and Port-Unreachable messages to only enter the network, not to leave it. *Add a rule to allow ICMP Fragmentation-DF-Set messages to enter the network, but not to leave it.

You are running a high-level vulnerability scan using the Nmap utility. The network systems include Windows machines running Internet Information Service (IIS). Which switch should you use to automate and customize vulnerability scanning for different Windows OS and SSL vulnerabilities?

-sC

Due to the need to support legacy systems, you have been forced to rely on LAN Manager password security. To ensure that users' passwords are strong enough, you plan to use John the Ripper to crack the passwords after obtaining the SAM files from the domain controllers. One of the domains requires 14 characters in the password, while another domain requires only 8. Which of the following statements is true?

14-character passwords will take only slightly longer to crack than the 8-character passwords

You are concerned about an employee's use of Telnet when connecting to routers and switches to administer these devices. You would like to perform a port scan on all of these devices to identify any that are still enabled for Telnet. Which open port number(s) are you looking for in the results?

23

Your company wants to use symmetric key cryptography in an application it is developing. Which of the following algorithms could be used?

3DES

Your company has several wireless networks implemented on its large campus. 802.1x authentication is deployed for all wireless network through a RADIUS server. Recently, you discovered that one of the wireless networks was the victim of an Extensible AP Replay attack. What occurs during this attack?

802.1x EAP packets are captured for later replay.

Using tcpdump, you acquire the TCP handshake and capture several packets sent between two devices in your network. The last packet you capture contains the following values: Based on this information, which sequence number will be used in the reply to this packet?

87698415

You have been asked to perform a thorough vulnerability assessment for your company's file server. You must ensure that you complete all of the appropriate steps for the assessment. What is the first step or phase?

Acquisition

Which of the following does a security audit evaluate?

Adherence of a company to its security policy

Obtained a valid session ID token via an XSS vulnerability Confirmed that the session ID manager validates the source IP address as well Spoofed the required IP address Replayed the session ID What will be the result?

Allan will be unable to establish an interactive session

During vulnerability assessment, you rank the public-facing website as an integral asset to the company's continued reputation and revenue. But there are several potential threats to the Apache HTTP Server that hosts the website. The static webpages in particular could be vulnerable to defacement. Which security control should you implement?

Assign read-only permission to all HTML files and folders for the www-data group

Which of the following does NOT occur during risk assessment?

Attack profile

Which of the following security tools should be examined before implementation to gauge its effects on performance?

Auditing

Which of the following are acceptable methods for handling risk? (Choose all that apply.)

Avoid/ Mitigate/ Accept

You are concerned about external hackers gaining control of a new web application. With that threat actor in mind, which of the following tests would be appropriate?

Black box

You are a security administrator working in Chicago. The Chicago office currently has a policy in place that users should not read personal email on corporate devices. However, you have recently noticed a lot of POP3 traffic over your network even though your company's email service uses SMTP and IMAP. The office manager requests that you block POP3 traffic at the firewall. What should you do?

Block all traffic over port 110.

What information is measured in a retina scan?

Blood vessels

Which trait differentiates a DoS attack from a DDoS attack?

Botnet zombies

Your company implemented both symmetric and asymmetric cryptography on its network. As a security professional, you must protect against all types of cryptography attacks. Which attack affects both types of cryptography that are implemented?

Brute-force attack

Which component in the PKI issues the certificate?

CA

hrough a company website, customers use a standard HTML form to submit service requests to the web server. The web server in turn creates an SMTP email and sends it on to a customer support email address.: Which type of attack is being attempted?

CRLF injection

You have been hired as an ethical hacker by your company. You are currently involved in footprinting from outside your company's network. During the most recent analysis, you obtain SNMP information, user, computer and group names and user passwords. Which footprinting objective are you completing?

Collecting system information

Which of the following security actions is intended to validate existing systems?

Conducting security assessments on network resources

Which of the following is NOT a threat on a Windows file server because of a missing security patch vulnerability?

Copying sensitive data to a USB drive

In which step of the CEH Hacking Methodology (CHM) do you recover the credentials for a system account?

Cracking passwords

What should the company do to prevent this shoulder surfing attack?

Create and enforce a physical security policy for remote employees.

As a security professional for your company, you must perform routine network analysis. Today you must perform a traffic capture using tcpdump. You run the tcpdump -w /log command. What does this command do?

Creates a binary log file in a specific folder.

A programmer from your company contacts you regarding a possible security breach. During the discussion, he asks you to identify and investigate unauthorized transactions. What should you use to provide him with this information?

Data-mining techniques

What is the purpose of the WebGoat application?

Demonstrates common server-side security flaws

Your network just suffered an attack. Nothing was stolen or deleted, but a key file server was unresponsive to users for about 8 hours. What kind of attack did you suffer?

Denial of service

You must design physical security for a new building your company is building. You need to select the appropriate physical control for the building itself, for the network wiring closets, and for the data center located in the building. You have been given the funds to implement smart cards and biometrics. You need to keep the cost of these systems as low as possible. Where should you deploy these systems?

Deploy the smart cards to control building access and the biometrics to control data center access.

Which threat poses the highest impact to the organization by a disgruntled employee?

Disclosure of sensitive data

What does the command netsh firewall show config do?

Displays current firewall settings at a high level

Which is true of PGP?

Does not require managing server services

You have conducted a technical assessment of the network by attempting a number of different social engineering attacks on the network. Which of the following processes is MOST LIKELY to be altered as a result?

End-user security training

An IT technician reports that he has discovered an unauthorized wireless access point attached to the company network. An employee has used the wireless access point to connect several of his personal devices to the network. Employees are not allowed to connect any personal devices to the network without prior consent from their supervisor and the IT department head. The employee explains that he used the wireless access point because he needed company data on his personal devices. What should you do?

Enforce the company security policy.

Why would an attacker work very slowly when performing a ping scan of the network?

Evade detection by the IDS

To attack a wireless network, an attacker sets up a wireless access point that is configured to look exactly like a company's valid wireless access point by using the same SSID. What kind of attack is this?

Evil twin

Which step involves removing additional user accounts created for the attack phase of a penetration test?

Execute, implant, retract

Your company has hired a third party to identify vulnerabilities on the network. Recently, one of the contractors performed a vulnerability scan over the Internet that identified the vulnerabilities on the internal Web server. Which type of vulnerability scan occurred?

External, host-based vulnerability scan

What is the term for the process of determining two numbers that can be multiplied together to equal a given starting value?

Factorization

The new NIDS (Network Intrusion Detection System) recently prevented a user from accessing resources remotely to which he should have access. Which type of alert does this represent?

False positive

Which of the following can NOT be prevented by the security and privacy settings on a client's web browser?

Filtering network packets

Given this command: telnet 192.168.5.5 443 What will it do?

Generate a banner that describes what service is running on port 443 if it is open

An employee has been found to be in direct violation of the company's security policy. When you inform him of the policy, he claims to know nothing about it. You need to find out if he was made aware of the security policy. Which entity should be able to confirm this?

HR department

Which of the following is a possible mitigation to the use of fragroute by an attacker?

Host-based IDS on the exposed system

Of the listed physical security controls, which is usually only deployed in the data center?

Hot and cold aisles

During a routine ping test later in the week, you receive a reply packet from the IP address 192.168.10.1, but the TTL value is now 40. What is the most likely reason for this discrepancy?

IP spoofing

You have been hired as a consultant for a company. You have been asked to provide guidance on establishing, implementing, maintaining, and improving their information security management system. They ask that you provide recommendations based on industry standards. Which of the following standard should you use?

ISO/IEC 27001:2013

During a risk assessment, which of the following roles is responsible for providing the security architecture to the risk assessor?

IT security analyst

When handling residual risk, which of the following is NOT an acceptable approach?

Ignore the risk

Recently, your organization was the victim of a social engineering attack. Security guards allowed a power company repairman into the company to supposedly perform some tests. The repairman actually installed a network sniffer on the network. Which type of social engineering attack occurred?

Impersonation

After successfully executing a buffer overflow attack on a Windows machine, which of the following actions is NOT allowed in the security context of the LOCAL_SYSTEM account?

Installing a driver

Which biometric scan focuses on the colored portion of the user's eye?

Iris

Which of the following statements are true of the program ipfwadm? (Choose all that apply.)

It controls the packet filter or firewall capabilities

Which of the following statements is NOT true about RSA SecurID?

It is a form of mutual authentication.

Which of the following technical assessment tools is used to test passwords for weakness?

John the Ripper

*Encryption for sensitive company data *Services run as unprivileged accounts *Multi-factor authentication and authorization Which additional countermeasure would BEST enhance the current defense?

Limit interactive logon privileges

An administrator is configuring a network intrusion detection system (IDS). Audit rules need to be configured so that only malicious activities and policy violations are detected and logged. Which of these scenarios should you NOT add as an audit rule?

Local configuration of an internal router by an internal administrative workstation

Which of the following WLAN security measures could be easily defeated with the use of a wireless sniffer? (Choose all that apply.)

MAC address filters and hidden SSID

Which of the following attacks can be mitigated by using port security on a switch? (Choose all that apply.)

MAC flooding

Which of the following would be an appropriate mitigation for tailgating?

Mantrap

The MBSA vulnerability tool is specifically designed to locate potential exploits in which operating systems?

Microsoft Windows

What file system is the alternate data streams (ADS) vulnerability designed to exploit?

NTFS

Which tool(s) are used to discover a nearby Wi-Fi network or device? (Choose all that apply.)

NetStumbler and WirelessMon

Which of the following settings can be specified in the Snort configuration file? (Choose all that apply.)

Network range of protected IP addresses

The security team has been analyzing several vulnerabilities found in the Linux kernel they are using. Any upgrades that can be delayed must be pushed to the next fiscal year. Which of the following describes a vulnerability that would require an immediate kernel upgrade?

No known workaround exists

Which of the following action does vulnerability scanning NOT perform?

Notifies of threats based on active attack signatures

Joe, who does not work for your company, was able to steal an employee badge from a car in the parking lot and use it to enter the facility. What type of threat does Joe present?

Outside affiliate

What can network vulnerability scanners NOT do?

Perform testing through a firewall

Which of the following statements BEST describes disgruntled employees?

Pose no threat to the organization

Which class of control is smart card authentication?

Preventative

*Sensitive data is encrypted *Interactive logon privileges are restricted *Services run as unprivileged accounts *Users and applications operate with the least privileges Which of the following vulnerabilities are these controls designed to mitigate?

Privilege escalation

Which two of the following are key components of the Common Criteria evaluation system?

Protection profiles

During the presentation of bids for penetration testing work, which of the following additions to a proposal would be unethical to submit?

Results of past audits as examples of previous work

*Source IP addresses *Protocol and port number Which type of security tool will use only these criteria to deny access?

Router ACL

When you are performing ACK flag scanning, what does it mean if you receive a response of RST?

Scanned port is not filtered

Which of the following is NOT a component of risk assessment?

Security awareness training

Which of the following actions becomes possible using HTTP tunneling?

Sending FTP traffic through a firewall that blocks ports 20 and 21

Which IDS technique helps to mitigate session splicing attacks?

Session reconstruction

Which of the following is the process of analyzing suspect files for viruses and other malware?

Sheep dipping

Which kind of security mechanism would require a retina scan and a fingerprint scan as logon credentials?

Single factor authentication

A customer receives an unsolicited call from a known software company. The person on the other end requires the customer to verify their user credentials over the phone. Which term describes this type of hacking?

Social engineering

Your company needs to implement a firewall. It must be able to discard TCP segments arriving at an open port when they have the header flag of FIN enabled, provided they are the first packet received from the source. Which type of firewall should be implemented?

Stateful inspection firewall

Which of the following is an example of a symmetric encryption?

Static WEP key

Which device is susceptible to MAC flood attacks?

Switches

Which of the following is an attack on physical security?

Tailgating

While researching specific security issues for your company, you want to use an anonymizer to ensure that your privacy is protected. Which of the following is NOT an anonymizer?

Tails

Which of the following tasks cannot be performed using cacls.exe, but is supported by xacls.exe?

Take ownership of a file

Which of the following statements are FALSE with regard to Whitfield Diffie and Martin Hellman? (Choose all that apply.)

The algorithm named after them performs encryption

Which scenario demonstrates a phishing attack?

The attacker sends personnel an email that appears to come from an individual with the authority to request confidential information, but the email includes a bogus link.

Which one of the following statements best describes symmetric encryption?

The same key is used to encrypt and decrypt data.

Which of the following attacks can NOT be effectively mitigated by file permissions?

Theft of a password by a coworker or remote contractor

You are responding to an active hacking attack and need to verify whether an insider suspect is involved. Which type of data analysis should you use?

Time-frame analysis

Which of the following tools is a System Integrity Verifier?

Tripwire

Which protocols are used by default when executing a traceroute in UNIX/Linux and Windows? (Choose all that apply.)

UDP/ ICMP

Which of the following combinations does NOT represent multi-factor authentication?

Username and password

Which of the following best describes a weakness or error that can lead to a security compromise?

Vulnerability

*Identify all resources on a target system. *identify the potential threats to each resource on the system. *Determine a mitigation strategy to handle serious and likely threats. What is the name of this process?

Vulnerability assessment

Which wireless encryption mechanism uses AES?

WPA2

Which of the following information can be gathered by a network vulnerability scanner? (Choose all that apply.)

application configuration errors and network topology weaknesses.

You are identifying system vulnerabilities on a NTFS system. Which of the following command-line statements is an example of alternate data streams (ADS)?

echo bad stuff > good.txt:shh

You are your company's security administrator. Your company has recently opened a new division. The division head explains to you the Privacy Rule for HIPAA. Which type of record is affected by this?

healthcare records.

Which of the following versions of the Linux firewall is required for Linux kernel versions 2.4x and above?

ipchains

An administrator has configured SMTP and HTTP services running on a FreeBSD server. She wants to allow standard email and web traffic across registered ports 25, 80, and 443. However, any unauthorized access should be logged and denied. Which daemon should you use for logging and simple access control?

tcpd

As your company's ethical hacker, you often perform routine penetration tests to check the security for your company's network. Last week, an attacker posted details obtained through operating system fingerprinting about your company's servers. You need to perform the same type of check to verify what information is available. Which tool should you use?

www.netcraft.com