CEH TEST1


55. What command would the adversary use to show all the systems within the domain using the command line interface in Windows? A. netstat -R /domain B. net view /<domain_name>:domain C. net view /domain:<domain_name> D. netstat /domain:<domain_name>

C

60. As an attacker, you successfully exploited your target using a service that should have been disabled. The service had vulnerabilities that you were able to exploit with ease. What may be the issue here? A. The administrator did not apply the correct patches. B. The web server was improperly configured. C. You are dealing with a honeypot. D. The firewall was not configured correctly.

C

61. Where is the logfile that is associated with the activities of the last user that signed in within a Linux system? A. /var/log/user_log B. /var/log/messages C. /var/log/lastlog D. /var/log/last_user

C

20. What year did the Ping of Death first appear? A. 1992 B. 1989 C. 1990 D. 1996

D

1. Which of the following is considered a passive reconnaissance action? A. Searching through the local paper B. Calling Human Resources C. Using the nmap -sT command D. Conducting a man-in-the-middle attack E. Setting up a rogue hot spot

1. A. Searching through the local paper is considered passive because it does not directly impact, alert, or establish any type of connection between the victim and the adversary.

19. What is the downside of using SSH with Telnet when it comes to security? A. SSH encrypts the traffic and credentials. B. You cannot see what the adversary is doing. C. Data is sent in the clear. D. You do not know what keys you are using.

B

26. To provide nonrepudiation for email, which algorithm would you choose to implement? A. AES B. DSA C. 3DES D. Skipjack

B

39. Which response would the adversary receive on closed ports if they conducted an XMAS scan? A. RST B. RST/ACK C. No Response D. FIN/ACK

B

23. As a network engineer, you received the task of bridging two corporate facilities by way of wireless communication. These facilities are more than 20 miles apart, contain more than 400 employees at each site, and have a $20,000 budget. Each site has a single-mode fiber connection. Which antenna would you use to bridge the gap? A. Multimode fiber B. Very small aperture terminal (VSAT) C. Omni direction antenna D. Directional antenna

D

56. You are a passenger in an airport terminal. You glance across the terminal and notice a man peering over the shoulder of a young woman as she uses her tablet. What do you think he is doing? A. Wardriving B. Shoulder surfing C. War shouldering D. Shoulder jacking

B

24. What does a checksum indicate? A. That the data has made it to its destination B. That the three-way TCP/IP handshake finished C. That there were changes to the data during transit or at rest D. The size of the data after storage

C

43. Which of the following allows the adversary to forge certificates for authentication? A. Wireshark B. Ettercap C. Cain & Abel D. Ncat

C

5. Why is it important to scan your target network slowly? A. To avoid alerting the IDS B. It is not necessary to scan the network slowly. C. To evade the firewall D. Services may not have started, so starting slowly ensures that you capture services that started late.

5. A. Scanning the target network slowly prevents an IDS from alerting because the traffic may not be considered an anomaly. If the sensor sees a huge amount of traffic being generated, it may cause the sensor to alert; therefore, it is best practice to scan slowly.

6. You are the senior manager in the IT department for your company. What is the most cost effective way to prevent social engineering attacks? A. Install HIDS. B. Ensure that all patches are up-to-date. C. Monitor and control all email activity. D. Implement user awareness training.

6. D. Implementing an annual awareness training with the focus on social engineering will raise awareness in the organization. The training can be conducted by the information assurance section within the IT department.

7. In which phase within the ethical hacking framework do you alter or delete log information? A. Scanning and enumeration B. Gaining access C. Reconnaissance D. Covering tracks

7. D. The attacker would edit and/or delete log information during the covering tracks phase, which is the last phase during the attack.

8. A hacker is conducting the following on the target workstation: nmap -sT 192.33.10.5. The attacker is in which phase? A. Covering tracks B. Enumeration C. Scanning and enumeration D. Gaining access

8. C. The attacker is using the Nmap function to conduct a TCP connection scan on the target, which is part of the scanning and enumeration phase.

9. Which encryption algorithm is a symmetric stream cipher? A. AES B. ECC C. RC4 D. PGP

9. C. Unlike RC5 and RC6, which are block ciphers, RC4 is a stream cipher: it generates a keystream that is XORed with the plaintext byte by byte. It is the only stream cipher among the options; AES is a symmetric block cipher, ECC is asymmetric, and PGP is an application rather than a cipher.

21. Which of the following viruses was the most infectious? A. The Melissa virus B. I Love You Virus C. Blue Cross virus punter D. Stuxnet

A

22. You are part of the help desk team. You receive a ticket from one of your users that their computer is periodically slow. The user also states that from time to time, documents have either disappeared or have been moved from their original location to another. You remote desktop to the user's computer and investigate. Where is the most likely place to see if any new processes have started? A. The Processes tab in Task Manager B. C:\Temp C. The Logs tab in Task Manager D. C:\Windows\System32\User

A

25. Out of the following, which is one of RSA's registered key strengths? A. 1,024 bits B. 256 bits C. 128 bits D. 512 bits

A

27. Which of the following describes a race condition? A. Where two conditions occur at the same time and there is a chance that arbitrary commands can be executed with a user's elevated permissions, which can then be used by the adversary B. Where two conditions cancel one another out and arbitrary commands can be used based on the user privilege level C. Where two conditions are executed under the same user account D. Where two conditions are executed simultaneously with elevated user privileges

A

30. Which method would be considered a client-side attack? A. Cross-site scripting (XSS) B. Man-in-the-middle attack C. Watering hole attack D. Denial of service (DoS)

A

33. Which scanning tool is more likely going to yield accurate results for the hacker? A. Ncat B. Nmap C. Ping D. Nslookup

A

37. What is the main drawback to using Kerberos? A. Symmetric keys can be compromised if not secured. B. Kerberos uses weak cryptography and keys can be easily cracked. C. Kerberos uses asymmetric cryptography and can be easily exploited. D. The adversary can replay the ticket-granting ticket to gain access to a system or service.

A

46. As a network administrator, you see a familiar IP address pinging the broadcast address. What do you believe is happening? A. Smurf attack B. DNS poisoning C. Man-in-the-middle attack D. Trojan virus infecting the gateway

A

48. In the Windows SAM file, what attributes would indicate to the adversary that a given account is an administrator account? A. 500 B. 1001 C. ADM D. ADMIN_500

A

50. Which of following actions is the last step in scanning a target? A. Scan for vulnerabilities. B. Identify live systems. C. Discover open ports. D. Identify the OS and servers.

A

52. Which of the following options shows the well-known ports? A. 0 to 1023 B. 0 to 255 C. 1024 to 49151 D. 1 to 128

A

54. Which of the following switches for the Nmap command fingerprints an operating system? A. -sO B. -sFRU C. -sA D. -sX

A

57. You are the attacker that has successfully conducted a SQL injection vulnerability assessment on a target site. Which keyword would you use to join the target database with your own malicious database as part of the SQL injection? A. UNION B. ADD C. SELECT D. JOIN

A

59. Of the following methods, which one acts as a middleman between an external network and the private network by initiating and establishing the connection? A. Proxy server B. Firewall C. Router D. Switch

A

62. What default port does SSH utilize? A. Port 22 B. Port 21 C. Port 443 D. Port 25

A

31. As a penetration tester, only you and a few key selected individuals from the company will know of the targeted network that will be tested. You also have zero knowledge of your target other than the name and location of the company. What type of assessment is this called? A. Gray box testing B. White box testing C. Black box testing D. Blue box testing

C

51. Which of the following best describes the ICMP Type 8 code? A. Device is being filtered B. Network route is incorrect or missing C. Echo request D. Destination unreachable

C
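Questions 24 and 51 above concern the checksum and the ICMP echo request (type 8, code 0). The following is an added example, not part of the original study set: it builds an ICMP echo request in Python with the RFC 1071 one's-complement checksum, verifies it, and shows that flipping a single bit in transit makes the check fail. Identifier and sequence values and the payload are constructed for the demo.

```python
import struct

ICMP_ECHO_REQUEST = 8   # ICMP type 8, code 0: echo request ("ping")
ICMP_ECHO_REPLY = 0     # ICMP type 0: echo reply


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"                 # pad odd-length data with a zero byte
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
    while total >> 16:                  # fold any carry back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP echo request with the checksum field filled in."""
    # Checksum is computed with the checksum field itself set to zero.
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def checksum_is_valid(packet: bytes) -> bool:
    """A packet carrying a correct checksum sums to 0xFFFF, so the complement is 0."""
    return internet_checksum(packet) == 0


def parse_type_code(packet: bytes) -> tuple[int, int]:
    """Return the (type, code) pair from the first two bytes of an ICMP message."""
    return packet[0], packet[1]


def flip_bit(packet: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate corruption in transit by flipping one bit."""
    buf = bytearray(packet)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


if __name__ == "__main__":
    pkt = build_echo_request(0x1234, 1, b"ab")        # constructed sample values
    print(pkt.hex(), parse_type_code(pkt), checksum_is_valid(pkt))
    damaged = flip_bit(pkt, len(pkt) - 1, 0)
    print(damaged.hex(), checksum_is_valid(damaged))
```

The checksum only detects accidental changes; an attacker who alters the data simply recomputes it, which is why integrity against tampering needs a MAC or signature rather than a checksum.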

63. As a pentester, you are hired to conduct an assessment on a group of systems for your client. You are provided with a list of critical assets, a list of domain controllers, and a list of virtual share drives. Nothing else was provided. What type of test are you conducting? A. White hat testing B. Gray hat testing C. Gray box testing D. Red hat testing

C

11. You are a CISO for a giant tech company. You are charged with implementing an encryption cipher for your new mobile devices that will be introduced in 2017. What encryption standard will you most likely choose? A. RC4 B. MD5 C. ECC D. Skipjack

11. C. Elliptic Curve Cryptography requires less computational resources because it uses shorter keys compared with other asymmetric methods. It is often used in lower-power devices for this reason.

12. What does a SYN scan accomplish? A. It establishes a full TCP connection. B. It establishes only a "half open" connection. C. It opens an ACK connection with the target. D. It detects all closed ports on a target system.

12. B. The SYN scan is used to detect open ports but does not complete the full three-way handshake. It is considered a "half open" connection.

13. What is the major vulnerability for an ARP request? A. It sends out an address request to all the hosts on the LAN. B. The address is returned with a username and password in cleartext. C. The address request can cause a DoS. D. The address request can be spoofed with the attacker's MAC address.

13. D. The ARP request does not authenticate with the requested host; therefore, it is possible that the attacker can spoof the address of the victim with its own MAC address.

14. You are the CISO for a popular social website. You recently learned that your web servers have been compromised with the SSL Heartbleed zero-day exploit. What will be your most likely first course of action to defend against it? A. Patch all systems. B. Establish new cryptographic keys. C. Shut down Internet-facing web services. D. Restrict access to sensitive information.

14. D. The most likely course of action is to restrict access to sensitive information. By doing so, you allow business services to continue while protecting user private data until a remediation can be performed.

15. In what phase is an attacker who is currently conducting a successful man-in-the-middle attack? A. Gaining access B. Maintaining access C. Reconnaissance D. Covering tracks

15. B. If the attacker is successfully conducting a man-in-the-middle attack, he is currently maintaining access to the victim's network traffic.

16. What method of exploitation allows the adversary to test for SQL queries within the URL? A. SQL injection B. XSS C. Spear phishing D. Ruby on Rails injection method

16. A. Submitting SQL fragments such as ' or 1=1 in the URL is a form of fuzzing. This technique is used to test for SQL injection vulnerabilities.

17. What is the default TTL values for Microsoft Windows 7 OS? A. 64 B. 128 C. 255 D. 256

17. B. The default TTL value for most Microsoft operating systems is 128.

4. What is the difference between a traditional firewall and an IPS? A. Firewalls do not generate logs. B. IPS cannot drop packets. C. IPS does not follow rules. D. IPS can dissect packets.

4. D. An IPS can have rules set that can dissect a packet to, for example, inspect the contents in hex or binary format.

10. What is the most important aspect when conducting a penetration test? A. Receiving a formal written agreement B. Documenting all actions and activities C. Remediating serious threats immediately D. Maintaining proper handoff with the information assurance team

10. A. Receiving a formal written agreement is critical because it sets the legal limit of what is allowed and not allowed to be conducted. It protects the pentesters from legal action if they stay within the agreed work performance statement.

2. Which encryption was selected by NIST as the principal method for providing confidentiality after the DES algorithm? A. 3DES B. Twofish C. RC4 D. AES

2. D. The Rijndael cipher was selected and then named the Advanced Encryption Standard (AES).

3. What tool is able to conduct a man-in-the-middle attack on an 802.3 environment? A. Ettercap B. Cain & Abel C. Wireshark D. Nmap

3. B. Cain & Abel provides a suite of tools for password cracking and ARP poisoning, for example.

28. Your end clients report that they cannot reach any website on the external network. As the network administrator, you decide to conduct some fact finding. Upon your investigation, you determine that you are able to ping outside of the LAN to external websites using their IP address. Pinging websites with their domain name resolution does not work. What is most likely causing the issue? A. The firewall is blocking DNS resolution. B. The DNS server is not functioning correctly. C. The external websites are not responding. D. HTTP GET request is being dropped at the firewall from going out.

B

35. Why would an attacker want to avoid tapping into a fiber-optic line? A. It costs a lot of money to tap into a fiber line. B. If done wrong, it could cause the entire connection signal to drop, therefore bringing unwanted attention from the targeted organization. C. The network traffic would slow down significantly. D. Tapping the line could alert an IPS/IDS.

B

36. You are an attacker who has successfully infiltrated your target's web server. You performed a web defacement on the targeted organization's website, and you were able to create your own credential with administrative privileges. Before conducting data exfiltration, what is the next move? A. Log in to the new user account that you created. B. Go back and delete or edit the logs. C. Ensure that you log out of the session. D. Ensure that you migrate to a different session and log out.

B

45. You are sitting inside of your office and you notice a strange person in the parking lot with what appears to be a tall antenna connected to a laptop. What is the stranger most likely doing? A. Brute-forcing their personal electronic device B. Wardriving C. Warflying D. Bluesnarfing

B

53. What is war dialing? A. An adversary conducting a DoS on a modem B. An adversary dialing to see what modems are open C. An adversary using a modem as an evil twin D. An adversary verifying closed modems

B

29. You are the security administrator for your local city. You just installed a new IPS. Other than plugging it in and applying some basic IPS rules, no other configuration has been made. You come in the next morning and you discover that there was so much activity generated by the IPS in the logs that it is too time consuming to view. What most likely caused the huge influx of logs from the IPS? A. The clipping level was established. B. There was a DoS attack on the network. C. The LAN experienced a switching loop. D. There was no baseline established.

D

32. As an attacker, you found your target. You spend the next two weeks observing and watching personnel move in and move out of the facility. You also observe how the front desk handles large packages that are delivered as well as people who do not have access badges. You finally come up with a solid schedule of security patrols that you see being conducted. What is it that you are doing? A. Casing the target B. Gaining access C. Maintaining access D. Reconnaissance

D

34. Why would an attacker conduct an open TCP connection scan using Ncat? A. The attacker does not want to attack the system. B. The attacker made a mistake using the nmap function. C. The attacker is trying to connect to network services. D. The attacker is trying to see what ports are open for connection.

D

38. Where is the password file located on a Windows system? A. C:\Windows\temp B. C:\Win\system\config C. C:\Windows\accounts\config D. C:\Windows\system32\config

D

40. Why would the adversary encode their payload before sending it to the target victim? A. Encoding the payload will not provide any additional benefit. B. By encoding the payload, the adversary actually encrypts the payload. C. The encoded payload can bypass the firewall because there is no port associated with the payload. D. Encoding the payload can bypass IPS/IDS detection because it changes the signature.

D

41. Which password is more secure? A. !9Apple B. pass123!! C. P@$$w0rD D. keepyourpasswordsecuretoyourself

D

42. Which of the following best describes DNS poisoning? A. The adversary intercepts and replaces the victim's MAC address with their own. B. The adversary replaces their malicious IP address with the victim's IP address for the domain name. C. The adversary replaces the legitimate domain name with the malicious domain name. D. The adversary replaces the legitimate IP address that is mapped to the domain name with the malicious IP address.

D

44. Which encryption standard is used in WEP? A. AES B. RC5 C. MD5 D. RC4

D
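Questions 9 and 44 above both turn on RC4, the stream cipher that WEP used. As an added example (not from the original study set), here is a compact RC4 in Python followed by the WEP per-frame keying mistake: WEP prepends a 24-bit IV to the shared key without mixing, and when an IV repeats, two frames are encrypted with the same keystream, so XORing the two ciphertexts cancels the keystream and anyone who knows one plaintext recovers the other. The shared key, IV and frame contents are constructed for the demo; the RC4 test vectors used in the check are the well-known public ones.

```python
def rc4_ksa(key: bytes) -> list[int]:
    """RC4 key-scheduling algorithm: permute the 256-byte state S using the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, length: int):
    """RC4 pseudo-random generation algorithm: yield `length` keystream bytes."""
    S = rc4_ksa(key)
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Stream cipher: XOR the data with the keystream. The same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def wep_frame_key(iv: bytes, shared_key: bytes) -> bytes:
    """WEP per-frame RC4 key: the 24-bit IV simply prepended to the shared key."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + shared_key


def recover_from_iv_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two frames under one IV share a keystream K: c1 ^ c2 = p1 ^ p2, so p2 = c1 ^ c2 ^ p1."""
    n = min(len(c1), len(c2), len(known_p1))
    return bytes(c1[k] ^ c2[k] ^ known_p1[k] for k in range(n))


if __name__ == "__main__":
    shared = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    iv = b"\x0a\x0b\x0c"                      # constructed IV, reused for both frames
    p1 = b"GET /index.html"                   # plaintext the attacker can guess
    p2 = b"PASS hunter2!!!"                   # plaintext the attacker wants
    c1 = rc4_crypt(wep_frame_key(iv, shared), p1)
    c2 = rc4_crypt(wep_frame_key(iv, shared), p2)
    print(recover_from_iv_reuse(c1, c2, p1))  # prints p2 without knowing the key
```

The recovery never touches the key: keystream reuse alone breaks confidentiality, which is one reason a 24-bit IV space (exhausted in hours on a busy network) made WEP unsafe regardless of key length.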

47. Which best describes a denial of service (DoS)? A. Victim's computer is infected with a virus. B. A misconfigured switch is in a switching loop. C. An adversary is forging a certificate. D. An adversary is consuming all available memory of a target system by opening as many "half-open" connections on a web server as possible.

D

49. Which regional Internet registry is responsible for North and South America? A. RIPE B. AMERNIC C. LACNIC D. ARIN

D

18. Which input value would you utilize in order to evaluate and test for SQL injection vulnerabilities? A. SQL test B. admin and password C. || or |! D. 1'or'1'='1

D
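Questions 16, 18 and 57 above cover the same technique from three angles: probing with a payload such as 1'or'1'='1, and using UNION to read rows from a table the query was never meant to touch. The following is an added example, not part of the original study set, written against an in-memory SQLite database with constructed sample users and a constructed secrets table. It shows the vulnerable string-built query beside the parameterized version, so the same payloads can be run against both.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demo; not taken from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'correct horse');
        INSERT INTO users VALUES (2, 'bob', 'battery staple');
        CREATE TABLE secrets (id INTEGER, note TEXT);
        INSERT INTO secrets VALUES (1, 'flag{union-based-read}');
    """)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list[tuple]:
    """Vulnerable on purpose: user input is concatenated into the SQL text,
    so quotes in the input change the query structure."""
    sql = (f"SELECT id, username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list[tuple]:
    """Hardened: placeholders bind the input as data, never as SQL."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Payloads from the questions above (constructed strings, no real target).
TAUTOLOGY = "1'or'1'='1"                                  # Q18: always-true WHERE clause
UNION_READ = "x' UNION SELECT id, note FROM secrets -- "  # Q57: append a second SELECT

if __name__ == "__main__":
    conn = make_db()
    # The AND binds before the OR, so the tautology must land in the password field.
    print(login_vulnerable(conn, "alice", TAUTOLOGY))     # every user, no password known
    print(login_vulnerable(conn, UNION_READ, "irrelevant"))  # row from the secrets table
    print(login_safe(conn, "alice", TAUTOLOGY))           # [] : input treated as a literal
    print(login_safe(conn, UNION_READ, "irrelevant"))     # []
    print(login_safe(conn, "alice", "correct horse"))     # [(1, 'alice')]
```

The UNION payload works only because both SELECTs return two columns; in practice the attacker discovers the column count first (for example with ORDER BY n or UNION SELECT NULL, NULL, ...), which is the "vulnerability assessment" step question 57 presupposes.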
