CEH: Test 9


On a backdoored Linux box there is a possibility that legitimate programs are modified or trojaned. How is it possible to list processes and uids associated with them in a more reliable manner? a. Use "ls" b. Use "netstat" c. Use "lsof" d. Use "echo"

c. Use "lsof"

What is a primary advantage a hacker gains by using encryption or programs such as Loki? a. It allows an easy way to gain administrator rights b. It is effective against Windows computers c. Traffic will not be modified in transit d. It slows down the effective response of an IDS e. IDS systems are unable to decrypt it

e. IDS systems are unable to decrypt it

Which of the following are potential attacks on cryptography? (Select 3) a. Known-Ciphertext Attack b. Man-in-the-Middle Attack c. Chosen-Ciphertext Attack d. Replay Attack e. One-Time-Pad Attack

b. Man-in-the-Middle Attack c. Chosen-Ciphertext Attack d. Replay Attack

Eric notices repeated probes to port 1080. He learns that the protocol being used is designed to allow a host outside of a firewall to connect transparently and securely through the firewall. He wonders if his firewall has been breached. What would be your inference? a. The attacker is using the ICMP protocol to have a covert channel b. Somebody is using SOCKS on the network to communicate through the firewall c. Eric has a Wingate package providing FTP redirection on his network d. Eric's network has been penetrated by a firewall breach

b. Somebody is using SOCKS on the network to communicate through the firewall

Statistics from cert.org and other leading security organizations have clearly shown a steady rise in the number of hacking incidents perpetrated against companies. What do you think is the main reason behind the significant increase in hacking attempts over the past years? a. It is getting more challenging and harder to hack for non-technical people. b. The ease with which hacker tools are available on the Internet. c. There is a phenomenal increase in processing power. d. New TCP/IP stack features are constantly being added.

b. The ease with which hacker tools are available on the Internet.

During the intelligence gathering phase of a penetration test, you come across a press release by a security products vendor stating that they have signed a multi-million dollar agreement with the company you are targeting. The contract was for vulnerability assessment tools and network based IDS systems. While researching that particular brand of IDS you notice that its default installation allows it to perform sniffing and attack analysis on one NIC and caters to its management and reporting on another NIC. The sniffing interface is completely unbound from the TCP/IP stack by default. Assuming the defaults were used, how can you detect these sniffing interfaces? a. Send your attack traffic and look for it to be dropped by the IDS. b. The sniffing interface cannot be detected. c. Use a ping flood against the IP of the sniffing NIC and look for latency in the responses. d. Set your IP to that of the IDS and look for it as it attempts to knock your computer off the network.

b. The sniffing interface cannot be detected.

What makes web application vulnerabilities so aggravating? (Choose two) a. They exist only on the Linux platform. b. They can be launched through an authorized port. c. A firewall will not stop them. d. They are detectable by most leading antivirus software.

b. They can be launched through an authorized port. c. A firewall will not stop them.

What is the tool Firewalk used for? a. To test the webserver configuration b. To determine what rules are in place for a firewall c. Firewalk is a firewall auto configuration tool d. To test a firewall for proper operation e. To test the IDS for proper operation

b. To determine what rules are in place for a firewall

John has a proxy server on his network which caches and filters web access. He shuts down all unnecessary ports and services. Additionally, he has installed a firewall (Cisco PIX) that will not allow users to connect to any outbound ports. Jack, a network user has successfully connected to a remote server on port 80 using netcat. He could in turn drop a shell from the remote machine. Assuming an attacker wants to penetrate John's network, which of the following options is he likely to choose? a. Use Monkey shell b. Use HTTPTunnel or Stunnel on port 80 and 443 c. Use reverse shell using FTP protocol d. Use ClosedVPN

b. Use HTTPTunnel or Stunnel on port 80 and 443

Bob, an Administrator at XYZ, was furious when he discovered that his buddy Trent has launched a session hijack attack against his network and sniffed his communication, including administrative tasks such as configuring routers, firewalls and IDS via Telnet. Bob, being an unhappy administrator, seeks your help in ensuring that attackers such as Trent will not be able to launch a session hijack in XYZ. Based on the above scenario, please choose which would be your corrective measures. (Choose two) a. Implement FAT32 filesystem for faster indexing and improved performance. b. Use encrypted protocols, like those found in the OpenSSH suite. c. Monitor for CRP caches, by using IDS products. d. Configure the appropriate spoof rules on gateways (internal and external).

b. Use encrypted protocols, like those found in the OpenSSH suite. d. Configure the appropriate spoof rules on gateways (internal and external).

While examining a log report you find out that an intrusion has been attempted by a machine whose IP address is displayed as 0xde.0xad.0xbe.0xef. It looks to you like a hexadecimal number. You perform a ping 0xde.0xad.0xbe.0xef. Which of the following IP addresses will respond to the ping and hence will likely be responsible for the intrusion? a. 203.20.4.5 b. 192.10.25.9 c. 222.273.290.239 d. 10.0.3.4

c. 222.273.290.239

Carl has successfully compromised a web server from behind a firewall by exploiting a vulnerability in the web server program. He wants to proceed by installing a backdoor program. However, he is aware that not all inbound ports on the firewall are in the open state. From the list given below, identify the port that is most likely to be open and allowed to reach the server that Carl has just compromised. a. 110 b. 69 c. 53 d. 25

c. 53

Picture: (Test 9 #48) http://blendedlearning.infotecpro.com/file.php/5/2014_CEH/414-846.gif You perform the above traceroute and notice that hops 19 and 20 both show the same IP address. This probably indicates what? a. A Honeypot b. A host based IDS c. A stateful inspection firewall d. An application proxying firewall

c. A stateful inspection firewall

What is Cygwin? a. Cygwin is a free Unix subsystem that runs on top of Windows b. Cygwin is a free C++ compiler that runs on Windows c. Cygwin is a free Windows subsystem that runs on top of Linux d. Cygwin is an X Windows GUI subsystem that runs on top of the Linux GNOME environment

a. Cygwin is a free Unix subsystem that runs on top of Windows

An Evil Cracker is attempting to penetrate your private network security. To do this, he must not be seen by your IDS, as it may take action to stop him. What tool might he use to bypass the IDS? Select the best answer. a. Fragrouter b. Manhunt c. Firewalk d. Fragids

a. Fragrouter

What is a sheepdip? a. It is the process of checking physical media for viruses before they are used in a computer b. It is a machine used to coordinate honeynets c. It is another name for Honeynet d. None of the answers apply

a. It is the process of checking physical media for viruses before they are used in a computer

You are doing IP spoofing while you scan your target. You find that the target has port 23 open. However, you are unable to connect. Why? a. A firewall is blocking port 23 b. The OS does not reply to telnet even if port 23 is open c. You need an automated telnet tool d. You cannot spoof + TCP

a. A firewall is blocking port 23

If you come across a sheepdip machine at your client site, what would you infer? a. A sheepdip computer is used only for virus checking. b. A sheepdip computer is another name for honeypot. c. A sheepdip computer defers a denial of service attack. d. A sheepdip coordinates several honeypots.

a. A sheepdip computer is used only for virus checking.

Which one of the following attacks will pass through a network layer intrusion detection system undetected? a. A test.cgi attack b. A DNS spoofing attack c. A SYN flood attack d. A teardrop attack

a. A test.cgi attack

In the context of using PKI, when Sven wishes to send a secret message to Bob, he looks up Bob's public key in a directory and uses it to encrypt the message before sending it off. Bob then uses his private key to decrypt the message and reads it. No one listening in can decrypt the message. Anyone can send an encrypted message to Bob but only Bob can read it. Thus, although many people may know Bob's public key and use it to verify Bob's signature, they cannot discover Bob's private key and use it to forge digital signatures. What does this principle refer to? a. Asymmetry b. Symmetry c. Non-repudiation d. Irreversibility

a. Asymmetry

After studying the following log entries, what is the attacker ultimately trying to achieve as inferred from the log sequence?
1. mkdir -p /etc/X11/applnk/Internet/.etc
2. mkdir -p /etc/X11/applnk/Internet/.etcpasswd
3. touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd
4. touch -acmr /etc /etc/X11/applnk/Internet/.etc
5. passwd nobody -d
6. /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash
7. passwd dns -d
8. touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd
9. touch -acmr /etc/X11/applnk/Internet/.etc /etc
a. Change the files' Modification, Access and Creation times b. Download rootkits and passwords into a new directory c. Extract information from a local directory d. Change password of user nobody

a. Change the files' Modification, Access and Creation times

Rebecca has noted multiple entries in her logs about users attempting to connect on ports that are either not opened or ports that are not for public usage. How can she restrict this type of abuse by limiting access to only specific IP addresses that are trusted, using one of the built-in Linux Operating System tools? a. Configure rules using ipchains. b. Install an intrusion detection system on her computer such as Snort. c. Ensure all files have at least a 755 or more restrictive permissions. d. Configure and enable portsentry on her server.

a. Configure rules using ipchains.

Several of your co-workers are having a discussion over the /etc/passwd file. They are at odds over what types of encryption are used to secure Linux passwords. (Choose all that apply.) a. Linux passwords can be encrypted with DES b. Linux passwords can be encrypted with MD5 c. Linux passwords are encrypted with asymmetric algorithms d. Linux passwords can be encrypted with Blowfish e. Linux passwords can be encrypted with SHA

a. Linux passwords can be encrypted with DES b. Linux passwords can be encrypted with MD5 d. Linux passwords can be encrypted with Blowfish

Which of the following should be performed first in any penetration test? a. Passive information gathering b. Intrusion Detection System testing c. System identification d. Firewall testing

a. Passive information gathering

There is some dispute between two network administrators at your company. Your boss asks you to come and meet with the administrators to set the record straight. Which of these are true about PKI and encryption? Select the best answers. a. RSA is a type of encryption. b. Public-key encryption was invented in 1976 by Whitfield Diffie and Martin Hellman. c. When it comes to eCommerce, as long as you have authenticity, and authenticity, you do not need encryption. d. PKI provides data with encryption, compression, and restorability.

a. RSA is a type of encryption. b. Public-key encryption was invented in 1976 by Whitfield Diffie and Martin Hellman.

There are two types of honeypots: high and low interaction. Which of these describes a low interaction honeypot? Select the best answers. a. Tend to be used for production b. Tend to be used for research c. More likely to be penetrated d. More detectable e. Emulators of vulnerable programs f. Easier to deploy and maintain

a. Tend to be used for production d. More detectable e. Emulators of vulnerable programs f. Easier to deploy and maintain

Bill has successfully executed a buffer overflow against a Windows IIS web server. He has been able to spawn an interactive shell and plans to deface the main web page. He first attempts to use the "Echo" command to simply overwrite index.html and remains unsuccessful. He then attempts to delete the page and achieves no progress. Finally, he tries to overwrite it with another page, again in vain. What is the probable cause of Bill's problem? a. The HTML file has permissions of read only. b. There is a problem with the shell and he needs to run the attack again. c. You cannot use a buffer overflow to deface a web page. d. The system is a honeypot.

a. The HTML file has permissions of read only.

All the web servers in the DMZ respond to an ACK scan on port 80. Why is this happening? a. The company is not using a stateful firewall b. They are all Windows-based web servers c. The company is not using an IDS d. They are all Unix-based web servers

a. The company is not using a stateful firewall

What is the advantage in encrypting the communication between the agent and the monitor in an Intrusion Detection System? a. The monitor will know if counterfeit messages are being generated because they will not be encrypted b. Encryption of agent communications will conceal the presence of the agents c. An intruder could intercept and delete data or alerts and the intrusion can go undetected d. Alerts are sent to the monitor when a potential intrusion is detected

a. The monitor will know if counterfeit messages are being generated because they will not be encrypted

Which of the following snort rules look for FTP root login attempts? a. alert tcp any any -> any any 21 (content:"user root";) b. alert tcp -> any port 21 (message:"user root";) c. alert ftp -> ftp (content:"user password root";) d. alert tcp -> any port 21 (msg:"user root";)

a. alert tcp any any -> any any 21 (content:"user root";)

How many bits does SYSKEY use for encryption? a. 256 b. 128 c. 40 d. 64

b. 128

A client has approached you with penetration test requirements. They are concerned with the possibility of external threat, and have invested considerable resources in protecting their Internet exposure. However, their main concern is the possibility of an employee elevating his/her privileges and gaining access to information outside of their respective department. What kind of penetration test would you recommend that would best address the client's concern? a. A Black Hat test b. A Grey Box test c. A Black Box test d. A White Box test e. A White Hat test f. A Grey Hat test

b. A Grey Box test

If you come across a sheepdip machine at your client's site, what should you do? a. A sheepdip coordinates several honeypots. b. A sheepdip computer is used only for virus-checking. c. A sheepdip computer is another name for a honeypot. d. A sheepdip computer defers a denial of service attack.

b. A sheepdip computer is used only for virus-checking.

Exhibit Picture: (Test 9 #5) http://blendedlearning.infotecpro.com/file.php/5/2014_CEH/414-818.gif Study the log given in the exhibit. Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate? a. Disallow UDP 53 in from outside to DNS server b. Allow UDP 53 in from DNS server to outside c. Disallow TCP 53 in from secondaries or ISP server to DNS server d. Block all UDP traffic

b. Allow UDP 53 in from DNS server to outside

Vulnerability mapping occurs after which phase of a penetration test? a. Host scanning b. Analysis of host scanning c. Passive information gathering d. Network level discovery

b. Analysis of host scanning

StackGuard (as used by Immunix), ssp/ProPolice (as used by OpenBSD), and Microsoft's /GS option use _____ defense against buffer overflow attacks. a. Non-executing stack b. Canary c. Hex editing d. Format checking

b. Canary

Basically, there are two approaches to network intrusion detection: signature detection and anomaly detection. The signature detection approach utilizes well-known signatures for network traffic to identify potentially malicious traffic. The anomaly detection approach utilizes a previous history of network traffic to search for patterns that are abnormal, which would indicate an intrusion. How can an attacker disguise his buffer overflow attack signature such that there is a greater probability of his attack going undetected by the IDS? a. He can chain NOOP instructions into a NOOP "sled" that advances the processor's instruction pointer to a random place of choice b. He can use polymorphic shellcode, with a tool such as ADMmutate, to change the signature of his exploit as seen by a network IDS c. He can use a shellcode that will perform a reverse telnet back to his machine d. He can use a dynamic return address to overwrite the correct value in the target machine's memory

b. He can use polymorphic shellcode, with a tool such as ADMmutate, to change the signature of his exploit as seen by a network IDS

Symmetric encryption algorithms are known to be fast but present great challenges on the key management side. Asymmetric encryption algorithms are slow but allow communication with a remote host without having to transfer a key out of band or in person. If we combine the strength of both crypto systems where we use the symmetric algorithm to encrypt the bulk of the data and then use the asymmetric encryption system to encrypt the symmetric key, what would this type of usage be known as? a. Combined system b. Hybrid system c. Symmetric system d. Asymmetric system

b. Hybrid system

Jim's organization has just completed a major Linux roll out and now all of the organization's systems are running the Linux 2.5 kernel. The roll out expenses have posed constraints on purchasing other essential security equipment and software. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ. Which built-in functionality of Linux can achieve this? a. IP Chains b. IP Tables c. IP ICMP d. IP Sniffer

b. IP Tables

Which of the following is NOT true of cryptography? a. Method of storing and transmitting data in a form that only those it is intended for can read and process b. Science of protecting information by encoding it into an unreadable format c. An effective way of protecting sensitive information in storage but not in transit d. Most (if not all) algorithms can be broken by both technical and non-technical means

c. An effective way of protecting sensitive information in storage but not in transit

A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. What is the most common cause of buffer overflows in software today? a. High bandwidth and large number of users. b. Usage of non-standard programming languages. c. Bad quality assurance on software produced. d. Bad permissions on files.

c. Bad quality assurance on software produced.

An employee wants to defeat detection by a network-based IDS application. He does not want to attack the system containing the IDS application. Which of the following strategies can be used to defeat detection by a network-based IDS application? a. Create a ping flood b. Create multiple false positives c. Create a network tunnel d. Create a SYN flood

c. Create a network tunnel

You may be able to identify the IP addresses and machine names for the firewall, and the names of internal mail servers by: a. Sending a mail message to an invalid address on the target network, and examining the header information generated by the POP servers b. Examining the SMTP header information generated by using the -mx command parameter of DIG c. Examining the SMTP header information generated in response to an e-mail message sent to an invalid address d. Sending a mail message to a valid address on the target network, and examining the header information generated by the IMAP servers

c. Examining the SMTP header information generated in response to an e-mail message sent to an invalid address

Most NIDS systems operate in layer 2 of the OSI model. These systems feed raw traffic into a detection engine and rely on the pattern matching and/or statistical analysis to determine what is malicious. Packets are not processed by the host's TCP/IP stack allowing the NIDS to analyze traffic the host would otherwise discard. Which of the following tools allows an attacker to intentionally craft packets to confuse pattern-matching NIDS systems, while still being correctly assembled by the host TCP/IP stack to render the attack payload? a. Defrag b. Tcpfrag c. Fragroute d. Tcpdump

c. Fragroute

When referring to the Domain Name Service, what is denoted by a 'zone'? a. It is a collection of domains. b. It is the first resource record type in the SOA. c. It is a collection of resource records. d. It is the first domain that belongs to a company.

c. It is a collection of resource records.

John is discussing security with Jane. Jane had mentioned to John earlier that she suspects an LKM has been installed on her server. She believes this is the reason that the server has been acting erratically lately. LKM stands for Loadable Kernel Module. What does this mean in the context of Linux Security? a. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel after it has been recompiled and the system rebooted. b. Loadable Kernel Modules are a mechanism for adding functionality to a file system without requiring a kernel recompilation. c. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel without requiring a kernel recompilation. d. Loadable Kernel Modules are a mechanism for adding auditing to an operating-system kernel without requiring a kernel recompilation.

c. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel without requiring a kernel recompilation.

Rebecca is a security analyst and knows of a local root exploit that has the ability to enable local users to use available exploits to gain root privileges. This vulnerability exploits a condition in the Linux kernel within the execve() system call. There is no known workaround that exists for this vulnerability. What is the correct action to be taken by Rebecca in this situation as a recommendation to management? a. Rebecca should make a recommendation to set all child-process to sleep within the execve() b. Rebecca should make a recommendation to hire more system administrators to monitor all child processes to ensure that each child process can't elevate privilege c. Rebecca should make a recommendation to upgrade the Linux kernel promptly d. Rebecca should make a recommendation to disable the() system call

c. Rebecca should make a recommendation to upgrade the Linux kernel promptly

Joe the Hacker breaks into XYZ's Linux system and plants a wiretap program in order to sniff passwords and user accounts off the wire. The wiretap program is embedded as a Trojan horse in one of the network utilities. Joe is worried that the network administrator might detect the wiretap program by querying the interfaces to see if they are running in promiscuous mode. Picture: (Test 9 #13) What can Joe do to hide the wiretap program from being detected by the ifconfig command? a. You cannot disable Promiscuous mode detection on Linux systems. b. Run the wiretap program in stealth mode to avoid being detected by the ifconfig command. c. Replace the original ifconfig utility with the rootkit version of ifconfig, hiding Promiscuous information from being displayed on the console. d. Block output to the console whenever the user runs the ifconfig command by running a screen capture utility

c. Replace the original ifconfig utility with the rootkit version of ifconfig, hiding Promiscuous information from being displayed on the console.

Which of the following is not an effective countermeasure against replay attacks? a. Digital signatures b. Sequence numbers c. System identification d. Time Stamps

c. System identification

While scanning a network you observe that all of the web servers in the DMZ are responding to ACK packets on port 80. What can you infer from this observation? a. They are using UNIX based web servers. b. They are using Windows based web servers. c. They are not using a stateful inspection firewall. d. They are not using an intrusion detection system.

c. They are not using a stateful inspection firewall.

A program that defends against a port scanner will attempt to: a. Send back bogus data to the port scanner b. Limit access by the scanning system to publicly available ports only c. Update a firewall rule in real time to prevent the port scan from being completed d. Log a violation and recommend use of security-auditing tools

c. Update a firewall rule in real time to prevent the port scan from being completed

To scan a host downstream from a security gateway, Firewalking: a. Assesses the security rules that relate to the target system before it sends packets to any hops on the route to the gateway b. Sends a UDP-based packet that it knows will be blocked by the firewall to determine how specifically the firewall responds to such packets c. Uses the TTL function to send packets with a TTL value set to expire one hop past the identified security gateway d. Sends an ICMP ''administratively prohibited'' packet to determine if the gateway will drop the packet without comment.

c. Uses the TTL function to send packets with a TTL value set to expire one hop past the identified security gateway

Steven the hacker realizes that the network administrator of XYZ is using syskey to protect organization resources in the Windows 2000 Server. Syskey independently encrypts the hashes so that physical access to the server, tapes, or ERDs is only the first step to cracking the passwords. Steven must break through the encryption used by syskey before he can attempt brute force or dictionary attacks on the hashes. Steven runs a program called "SysCracker" targeting the Windows 2000 Server machine in an attempt to crack the hash used by Syskey. He needs to configure the encryption level before he can launch the attack. How many bits does Syskey use for encryption? a. 64 bit b. 40 bit c. 256 bit d. 128 bit

d. 128 bit

How many bits of encryption does SHA-1 use? a. 256 bits b. 64 bits c. 128 bits d. 160 bits

d. 160 bits

Ron has configured his network to provide strong perimeter security. As part of his network architecture, he has included a host that is fully exposed to attack. The system is on the public side of the demilitarized zone, unprotected by a firewall or filtering router. What would you call such a host? a. DMZ host b. DWZ host c. Honeypot d. Bastion Host

d. Bastion Host

The programmers on your team are analyzing the free, open source software being used to run FTP services on a server. They notice that there is an excessive number of fgets() and gets() calls in the source code. These C++ functions do not check bounds. What kind of attack is this program susceptible to? a. Denial of Service b. Shatter Attack c. Password Attack d. Buffer Overflow

d. Buffer Overflow

An employee wants to defeat detection by a network-based IDS application. He does not want to attack the system containing the IDS application. Which of the following strategies can be used to defeat detection by a network-based IDS application? (Choose the best answer) a. Create a SYN flood. b. Create a ping flood. c. Create multiple false positives. d. Create a network tunnel.

d. Create a network tunnel.

You are attempting to map out the firewall policy for an organization. You discover your target system is one hop beyond the firewall. Using hping2, you send SYN packets with the exact TTL of the target system starting at port 1 and going up to port 1024. What is this process known as? a. Enumeration b. Footprinting c. Idle scanning d. Firewalking

d. Firewalking

Network Intrusion Detection systems can monitor traffic in real time on networks. Which one of the following techniques can be very effective at avoiding proper detection? a. Use of only TCP based protocols. b. Use of fragmented ICMP traffic only. c. Use of only UDP based protocols. d. Fragmentation of packets.

d. Fragmentation of packets.

Once an intruder has gained access to a remote system with a valid username and password, the attacker will attempt to increase his privileges by escalating the used account to one that has increased privileges, such as that of an administrator. What would be the best countermeasure to protect against escalation of privileges? a. Give users tokens b. Give users a strong policy document c. Give users two passwords d. Give users the least amount of privileges

d. Give users the least amount of privileges

Snort is an open source Intrusion Detection system. However, it can also be used for a few other purposes as well. Which of the choices below indicate the other features offered by Snort? a. IDS, Sniffer, Proxy b. IDS, Sniffer, content inspector c. IDS, Firewall, Sniffer d. IDS, Packet Logger, Sniffer

d. IDS, Packet Logger, Sniffer

Peter is a Linux network admin. As a knowledgeable security consultant, he turns to you to look for help on a firewall. He wants to use Linux as his firewall and use the latest freely available version that is offered. What do you recommend? Select the best answer. a. Ipchains b. Checkpoint FW for Linux c. Ipfwadm d. Iptables

d. Iptables

Why would an ethical hacker use the technique of firewalking? a. It is a technique used to map routers on a network link. b. It is a technique used to discover interfaces in promiscuous mode. c. It is a technique used to discover wireless network on foot. d. It is a technique used to discover the nature of rules configured on a gateway.

d. It is a technique used to discover the nature of rules configured on a gateway.

Which of the following best describes session key creation in SSL? a. It is created by the server after verifying the user's identity b. It is created by the server upon connection by the client c. It is created by the client from the server's public key d. It is created by the client after verifying the server's identity

d. It is created by the client after verifying the server's identity

What is the expected result of the following exploit? Picture: (Test 9 #14) http://blendedlearning.infotecpro.com/file.php/5/2014_CEH/414-802.gif a. Creates a share called "sasfile" on the target system. b. Creates an account with a user name of Anonymous and a password of [email protected]. c. Create a FTP server with write permissions enabled. d. Opens up a telnet listener that requires no username or password.

d. Opens up a telnet listener that requires no username or password.

What type of attack changes its signature and/or payload to avoid detection by antivirus programs? a. Rootkit b. Boot sector c. File infecting d. Polymorphic

d. Polymorphic

You have just installed a new Linux file server at your office. This server is going to be used by several individuals in the organization, and unauthorized personnel must not be able to modify any data. What kind of program can you use to track changes to files on the server? a. Personal Firewall b. Network Based IDS (NIDS) c. Linux IP Chains d. System Integrity Verifier (SIV)

d. System Integrity Verifier (SIV)

Study the following exploit code taken from a Linux machine and answer the questions below:
echo "ingreslock stream tcp nowait root /bin/sh sh -I" > /tmp/x; /usr/sbin/inetd -s /tmp/x; sleep 10; /bin/rm -f /tmp/x
AAAA...AAA
In the above exploit code, the command "/bin/sh sh -I" is given. What is the purpose, and why is 'sh' shown twice? a. It is a giveaway by the attacker that he is a script kiddy. b. The length of such a buffer overflow exploit makes it prohibitive for a user to enter manually. The second 'sh' automates this function. c. It checks for the presence of a codeword (setting the environment variable) among the environment variables. d. The command /bin/sh sh -i appearing in the exploit code is actually part of an inetd configuration file.

d. The command /bin/sh sh -i appearing in the exploit code is actually part of an inetd configuration file.

Clive is conducting a pen-test and has just port-scanned a system on the network. He has identified the operating system as Linux and has been able to elicit responses from ports 23, 25 and 53. He infers that port 23 is running a Telnet service, port 25 an SMTP service and port 53 a DNS service. The client confirms these findings and attests to the current availability of the services. When he tries to telnet to port 23 or 25, he gets a blank screen in response. On typing other commands, he sees only blank spaces or underscore symbols on the screen. What are you most likely to infer from this? a. This indicates that the telnet and SMTP servers have crashed b. An attacker has replaced the services with trojaned ones c. There is a honeypot running on the scanned machine d. The services are protected by TCP wrappers

d. The services are protected by TCP wrappers

What do you conclude from the nmap results below?
Starting nmap V. 3.10ALPHA0 (www.insecure.org/map/)
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
80/tcp open http
443/tcp open https
Remote operating system guess: Too many signatures match to reliably guess the OS.
Nmap run completed - 1 IP address (1 host up) scanned in 91.66 seconds
a. The system is a Windows Domain Controller. b. The system is not running Linux or Solaris. c. The system is not properly patched. d. The system is not firewalled.

d. The system is not firewalled.

You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discovering the internal structure of the publicly accessible areas of the network. How can you achieve this? a. Block UDP at the firewall. b. Block ICMP at the firewall. c. Both A and B d. There is no way to completely block doing a trace route into this area.

d. There is no way to completely block doing a trace route into this area.

Neil is closely monitoring his firewall rules and logs on a regular basis. Some of the users have complained to Neil that a few employees are visiting offensive web sites during work hours, without any consideration for others. Neil knows that he has an up-to-date content filtering system and that such access should not be authorized. What type of technique might be used by these offenders to access the Internet without restriction? a. They have been able to compromise the firewall, modify the rules, and give themselves proper access b. They are using an older version of Internet Explorer that allows them to bypass the proxy server c. They are using UDP that is always authorized at the firewall d. They are using tunneling software that allows them to communicate with protocols in a way it was not intended

d. They are using tunneling software that allows them to communicate with protocols in a way it was not intended

WinDump is a popular sniffer that resulted from porting the Linux tool TcpDump to Windows. What library does it use? a. LibPcap b. None of the answers apply c. Wincap d. WinPcap

d. WinPcap

After studying the following log entries, how many user IDs can you identify that the attacker has tampered with?
1. mkdir -p /etc/X11/applnk/Internet/.etc
2. mkdir -p /etc/X11/applnk/Internet/.etcpasswd
3. touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd
4. touch -acmr /etc /etc/X11/applnk/Internet/.etc
5. passwd nobody -d
6. /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash
7. passwd dns -d
8. touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd
9. touch -acmr /etc/X11/applnk/Internet/.etc /etc
a. acmr,dns b. nobody,IUSR_ c. IUSR_ d. nobody,dns

d. nobody,dns
