CEH
Who do these WHOIS belong to? A) ARIN B) AFRINIC C) RIPENCC D) LACNIC E) APNIC
A) ARIN: US B) AFRINIC: Africa C) RIPENCC: Europe, Middle East, Central Asia D) LACNIC: South America (Latin America, Caribbean) E) APNIC: Asia Pacific
What is WinARP Attacker? A) ARP Poisoning Tool B) ARP Poisoning Defender C) ARP Spoofer
A) ARP Poisoning Tool
How does Traceroute work? A) By increasing the TTL field in the header of ICMP packets to discover routers on the path to a target host B) By modifying the TTL field in the header of UDP packets to discover switches on the path to a target host. C) By decreasing the checksum in a TCP packet to bypass an IDS.
A) By increasing the TTL field in the header of ICMP packets to discover routers on the path to a target host
Netcat Command Shell Trojan: A) Command run on Attacker's machine - B) Command run on Victim's machine -
A) C:> <ip> <port> B) C:> nc -L -p <port> -t -e cmd.exe
What does CAM stand for? A) Content Addressable Memory Table B) Camera C) Current Accessible Memory Table
A) Content Addressable Memory Table
What are DHCPStarv and Yersinia? A) DHCP Starvation Attack Tools B) DDOS Attack Tools C) DHCP Defense Tools
A) DHCP Starvation Attack Tools
Rootkits are kernel programs that have the ability to hide themselves and cover their traces. It replaces certain OS calls and utilities with its own modified versions of those routines. Which of the following rootkits modifies the boot sequence of the machine to load themselves instead of the original virtual machine monitor or OS? A) Hypervisor Rootkit B) Kernel Rootkit C) Boot Loader Rootkit D) Library Rootkit
A) Hypervisor Rootkit
How do computer worms work? A) Independently, without human interaction B) Requires human interaction C) Requires internet access D) Nothing, it just sits there
A) Independently, without human interaction
What does a packet sniffer do? A) Lists packets B) Analyzes Packets C) Tells you what the packets smell like
A) Lists packets
Which of the following scans only work if the operating system's TCP/IP implementation is based on RFC 793? A) NULL Scan B) IDLE Scan C) TCP Connection Scan D) FTP Bounce Scan
A) NULL Scan
Enumeration is defined as the process of extracting usernames, machine names, network resources, shares, and services from a system. Which of the following enumerations does an attacker use to obtain a list of PCs that belong to a domain? A) Netbios B) SNMP C) NTP D) SMTP
A) Netbios
What layer does the Packet filtering Firewall work at? A) Network B) Data Link C) Application D) Session
A) Network
What are TCPDump and WinDump? A) Packet Sniffing Tools B) Packet Capture Tools C) Packet Analyzer Tools
A) Packet Sniffing Tools
What is the correct order of the OSI model? A) Physical, Data Link, Network, Transport, Session, Presentation, Application B) Physical, Transport, Session, Data Link, Network, Presentation, Application C) Application, Physical, Transport, Session, Data Link, Network, Presentation
A) Physical, Data Link, Network, Transport, Session, Presentation, Application
Attackers craft malicious probe packets and scan for services such as HTTP over SSL (HTTPS) to detect honeypots in a network. Which of the following conditions shows the presence of a honeypot? A) Ports show a particular service running but deny a three-way handshake connection B) Ports show a particular service running and allow a three-way handshake C) Ports do not show any particular service running D) Scan shows that no scanned ports are live on the network
A) Ports show a particular service running but deny a three-way handshake connection
What are the 8 steps of Incident Management in order? A) Preparation for Handling and Response, Detection and Analysis, Classification and Prioritization, Notification, Containment, Forensic Investigation, Eradication and Recovery, Post-Incident Activities B) Preparation for Handling and Response, Forensic Investigation, Detection and Analysis, Classification and Prioritization, Notification, Containment, Eradication and Recovery, Post-Incident Activities C) Preparation for Handling and Response, Eradication and Recovery, Forensic Investigation, Detection and Analysis, Classification and Prioritization, Notification, Containment, Post-Incident Activities
A) Preparation for Handling and Response, Detection and Analysis, Classification and Prioritization, Notification, Containment, Forensic Investigation, Eradication and Recovery, Post-Incident Activities
What are the three places to change your MAC address? A) SMAC, Registry, Ethernet Properties B) NIC, Registry, Router C) Ipconfig, FMAC, Switch
A) SMAC, Registry, Ethernet Properties
What does Currports do? A) Same as netstat -ano but also kills processes within program B) shows all current processes C) kills all current processes
A) Same as netstat -ano but also kills processes within program
At what point in the session hijacking process do you start predicting session information? A) Session ID Prediction B) Monitor C) Sniff
A) Session ID Prediction
A sniffer turns the NIC to promiscuous mode to listen to all of the data transmitted on its segment. It can constantly read all the information entering the PC through the NIC by decoding the information encapsulated in the data packet. Passive sniffing is one of the types of sniffing. Passive sniffing refers to: A) Sniffing through a hub B) Sniffing through a router C) Sniffing through a switch D) Sniffing through a bridge
A) Sniffing through a hub
Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a physical machine address that is recognized on the local network. ARP spoofing involves constructing a large number of forged ARP requests and reply packets to overload: A) Switch B) Router C) Hub D) Bridge
A) Switch
What are the differences in the types of modes for IPSEC? A) Tunnel - B) Transport -
A) Tunnel - Encapsulates packets being transferred, has option to encrypt data, not compatible with NAT B) Transport - authenticates 2 connected computers, option to encrypt data, compatible with NAT
Network Time Protocol (NTP) is designed to sync clocks of networked computers. Which of the following ports does NTP use as its primary means of communication? A) UDP 123 B) UDP 113 C) UDP 161 D) UDP 320
A) UDP 123
If someone wants to gain access to another mailbox on the same mailbox server, what would you do? A) Use SQL Injection and change the mailbox number to the other person's in the URL B) Use Session Hijacking C) Use Social Engineering to get their password
A) Use SQL Injection and change the mailbox number to the other person's in the URL
What wireless security protocol was designed to be just as secure as wired? A) WEP B) WPA C) WPA-TKIP
A) WEP
What does WIPS stand for? A) Wireless Intrusion Protection System B) Wireless Information Protection System C) Wireless Identification Prediction System
A) Wireless Intrusion Protection System
Is WPA2 FIPS compliant? A) Yes B) No
A) Yes
What do the following nbtstat options do? A) nbtstat.exe -c B) nbtstat.exe -a <Target IP>
A) nbtstat.exe -c: Get contents of NetBIOS name cache, table of NetBIOS names, and resolved IP addresses B) nbtstat.exe -a <Target IP>: Get NetBIOS name table of a remote computer
What does each Nmap scan do? A) nmap -sP B) nmap -sS C) nmap -sT D) nmap -sU E) nmap -sO
A) nmap -sP: Ping Scan B) nmap -sS: Syn(Half Open) Scan C) nmap -sT: Connect(TCP) scan D) nmap -sU: UDP Scan E) nmap -sO: Protocol Scan
Which of the following UNIX commands can be used to enumerate the shared directories on a machine? A) showmount B) finger C) rpcinfo D) rpcclient
A) showmount
What do each of these Wireshark filters do? A) tcp.port==125 B) ip.addr=192.168.5.53 && tcp.port==80 C) tcp contains facebook D) !
A) tcp.port==125 - Search TCP packets for port 125 B) ip.addr=192.168.5.53 && tcp.port==80 - Search that IP address for HTTP packets on port 80 C) tcp contains facebook - Search for Facebook packets on TCP D) ! - Disregard or do not include something in the search.
What is the size of the WEP initialization vector (IV)? A) 8-bit B) 16-bit C) 24-bit D) 32-bit
C) 24-bit
What is considered the admin account? A) 501 B) 1000 C) 500 D) 2000
C) 500
How many packets are needed to crack WEP with Aircrack-ng? A) 5000 B) 100000 C) 50000 D) 10000
C) 50000
What is a Cavity Virus? A) A tooth virus B) A virus that infects the empty fragments in your hard drive C) A virus that is sent in an empty PDF file
C) A virus that is sent in an empty PDF file
What are the different types of firewall architectures? A) Screened Bastion, Multi-homed Subnet, Firewall Host B) Screened Subnet, Single, Bastion Server C) Bastion Host, Screened Subnet, Multi-homed Firewall
C) Bastion Host, Screened Subnet, Multi-homed Firewall
What does FF:FF:FF:FF:FF:FF mean? A) Someone didn't set up a MAC address correctly B) Random MAC address that matches C) Broadcast address sniffing
C) Broadcast address sniffing
What does CCMP stand for? A) Computer Countermeasure Message Protocol B) Control Countermeasure Management Protection C) Counter Mode Cipher Block Chaining Message Authentication Code Protocol
C) Counter Mode Cipher Block Chaining Message Authentication Code Protocol
What is ReadNotify? A) Hotmail Utility B) File tracking tool C) E-mail tracking tool D) Notifies when someone looks at your files
C) E-mail Tracking Tool
What does FCIV stand for? A) Fancy Chihuahuas Imminently Vomiting B) File Computer Information Verifier C) File Checker Integrity Verifier
C) File Checker Integrity Verifier
What is a protocol analyzer? A) Another type of packet sniffer B) Analyzes ports on a network C) Functions as a packet sniffer but analyzes each frame and details data inside it.
C) Functions as a packet sniffer but analyzes each frame and details data inside it.
Which of the following IDS evasion technique relies on TTL in TCP/IP packets? A) DoS Attack B) Obfuscation C) Insertion Attack D) Unicode Evasion
C) Insertion Attack
What does ISAKMP stand for? A) Information Security Key Mission Protection B) Internet Security Key Mapping Protocol C) Internet Security Key Management Protocol
C) Internet Security Key Management Protocol
What are Ollydbg and IDAPro? A) Debugging Tools B) Website Copying Tools C) Malware Analysis Tools D) Pentesting Tools
C) Malware Analysis Tools
What are BinTXT and UPX? A) Debugging Tools B) Website Copying Tools C) Malware Analysis and Pattern Matching Tools D) Pentesting Tools
C) Malware Analysis and pattern matching tools
In what order is Malware created? A) Dropper>Wrapper>Malware>Execute B) Malware>Execute>Dropper>Wrapper C) Malware>Dropper>Wrapper>Execute
C) Malware>Dropper>Wrapper>Execute
What is Ettercap? A) Packet Injection Tool B) Packet Capturing Tool C) Packet Sniffer
C) Packet Sniffer
What is the order of Social Engineering Attack Phases? A) Select Victim>Research Target>Develop Relationship>Exploit Relationship B) Select Victim>Develop Relationship>Research Target>Exploit Relationship C) Research Target>Select Victim>Develop Relationship>Exploit Relationship
C) Research Target>Select Victim>Develop Relationship>Exploit Relationship
How can you secure SNMP? A) Use an IDS B) Run antivirus C) Run SNMP Version 3 D) Run SNMP Version 4
C) Run SNMP Version 3 - has encryption between endpoints
What is admin on SQL? A) Admin B) Root C) SA
C) SA
How can you monitor for MAC floods? A) Turn on DHCP Snooping - ip snooping B) Turn on DHCP Snooping - dhcp snooping C) Turn on DHCP Snooping - ip dhcp snooping
C) Turn on DHCP Snooping - ip dhcp snooping
What is Blackwidow? A) Website Copier B) Archiver C) Website Mirror D) Penetration Testing Utility
C) Website Mirror
What does MSCONFIG do?
Shows startup/autorun programs. Can enable/disable from here.
What is Zeus?
Steals bank and credit card information via web browsers and protected storage.
What does LDAP stand for?
Lightweight Directory Access Protocol
Differences in Source Routing: A) Loose Routing - B) Strict Routing -
Loose: Part of the path is set in advance. Strict: Most or All of the path is designated in advance.
Which wireless standard has bandwidth up to 54 Mbps and signals in a regulated frequency spectrum around 5 GHz? A) 802.11a B) 802.11b C) 802.11g D) 802.11i
A) 802.11a
What is a macro virus? A) A virus that infects files created by Microsoft Word or Excel B) A virus that infects Visual Basic C) A virus that is really small D) A virus that infects macros in video games
A) A virus that infects files created by Microsoft Word or Excel
What does each nmap option do? A) -p1-145 B) -T[0-5] C) -n D) -O E) -A F) -sV G) -PN H) -6 I) -f
A) -p1-145: Scan port range B) -T[0-5]: TTL C) -n: No DNS Resolution D) -O: Operating System E) -A: Aggressive Scan F) -sV: Version Detection G) -PN: No Ping H) -6: IPv6 I) -f: Fragment packets (firewall evasion)
What speed do you have to drive to Wardrive? A) 35mph or below B) 55mph or below C) 15mph or above
A) 35mph or below
What does each valid record do? A, MX, NS, CNAME, SOA, SRV, PTR, RP, HINFO, TXT
A: Points to Host IP address
MX: Points to Domain Mail Server
NS: Points to Host's Name Server
CNAME: Canonical naming allows aliases to a host
SOA: Indicates authority for domain
SRV: Service Records
PTR: Maps IP addresses to a hostname
RP: Responsible Person
HINFO: Host Information Record indicates CPU types and OS (LEGACY, DO NOT USE ANYMORE)
TXT: Unstructured Text Records
What is SplitDNS?
Allows the hostname to resolve one IP on the internal network and one on the external network.
How often are temporal keys changed? A) 5000 B) 10000 C) 1000 D) 100000
B) 10000
What are the stats of Bluetooth? A) 1GHz, 1Mbps, 10ft range B) 2.4GHz, 1-3Mbps, 25ft range C) 5GHz, 5Mbps, 50ft range
B) 2.4GHz, 1-3Mbps, 25ft range
Secure Hashing Algorithm (SHA)-512 uses what size word block? A) 32 B) 64 C) 128 D) 256
B) 64
What is Tripwire? A) IDS B) A system integrity verifier C) File integrity verifier
B) A system integrity verifier
What is not true about SQL and servers? A) Anything in single quotes is read as literal on SQL side B) Anything in double quotes is read as literal on both SQL and server side C) Anything in double quotes is read as literal on server side
B) Anything in double quotes is read as literal on both SQL and server side
What is true about IPSEC? A) Is less secure than SSL B) Can be run as a packet filter C) Does not have Authentication Headers (AH) and Encapsulating Security Payloads (ESP)
B) Can be run as a packet filter
Some viruses affect PCs as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met. Identify the virus that modifies the directory table so that the directory entries point to the virus code instead of the actual program: A) Macro B) Cluster C) Encryption D) Boot Sector
B) Cluster
What is the difference between Dynamic and Static Cache? A) You should always use dynamic cache B) Dynamic cache is overwritten by static cache C) Static cache is overwritten by dynamic cache
B) Dynamic cache is overwritten by static cache
Lawful intercept is a process that enables a Law Enforcement Agency (LEA) to perform electronic surveillance on a target as authorized by a judicial or administrative order. Which of the following is true for lawful intercept? A) Affects the subscriber's services on the router B) Hides information about lawful intercept from all but the most privileged users C) Does not allow multiple LEAs to run a lawful intercept on the same target without each other's knowledge D) Allows wiretaps only for outgoing communication
B) Hides information about lawful intercept from all but the most privileged users
RSA is a public-key cryptosystem. Identify the statement that is true for the RC6 algorithm: A) Is a variable key-size stream cipher with byte-oriented operations and is based on the use of random permutation B) Includes integer multiplication and the use of four 4-bit working registers C) Is a parameterized algorithm, with variable block size, key size, and a variable number of rounds. D) Is a 64-bit block cipher that uses key length that can vary between 32 and 448 bits.
B) Includes integer multiplication and the use of four 4-bit working registers
What is a Sparse Infector Virus? A) Has a low rate of infection due to sucking B) Infects in a narrow date/range of infection C) Only infects certain things D) Has a short lifespan
B) Infects in a narrow date/range of infection
What does PRISM Stand for? A) Protocol Resource Information Segmentation Management B) Planning Tool for Resource Integration, Synchronization, and Management C) Primary Resource Integration Station Manager
B) Planning Tool for Resource Integration, Synchronization, and Management
Which of the following is a mutation technique used for writing buffer overflow exploits in order to avoid IDS and other filtering mechanisms? A) Assuming that a string function is exploited, send a long string as the input B) Randomly replace the NOPs with functionally equivalent segments of the code (e.g.: x++; x--; -> NOP NOP) C) Pad the beginning of the intended buffer overflow with a longer run of NOP instructions (a NOP slide or sled) so the CPU will do nothing until it gets to the "main event" D) Makes a buffer overflow on the lower part of the heap, overwriting other dynamic variables which can have unexpected and unwanted effects.
B) Randomly replace the NOPs with functionally equivalent segments of the code (e.g.: x++; x--; -> NOP NOP)
How do viruses work? A) Independently, without human interaction B) Requires human interaction C) Requires internet access D) Nothing, it just sits there
B) Requires human interaction
What is fuzzing? A) Rubbing fuzz on the screen B) Sending a bunch of things to see what breaks C) Type of DoS attack
B) Sending a bunch of things to see what breaks
Steganography is the technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data. Which of the following steganography techniques embeds the secret message in the frequency domain of a signal? A) Substitution B) Transform Domain C) Spread Spectrum D) Domain Distortion
B) Transform Domain
What is HTTrack? A) IDS B) Website Copier C) Cookie Tracker D) Archiver
B) Website Copier
What is the correct NetView command? A) net view //see/<computername> B) net view \\<computername> C) netview \computername D) netview //<computername>
B) net view \\<computername>
What does the Netstat -ano scan option do? A) scans for analog number options B) scans for suspicious ports, PID, Local IPs, Foreign IPs, and State C) scans for ports open, operating systems, and IPs
B) scans for suspicious ports, PID, Local IPs, Foreign IPs, and State
OS Fingerprinting is the method used to determine the OS running on a remote target system. Active stack fingerprinting is one of the types of OS Fingerprinting. Which of the following is true about active stack fingerprinting? A) Uses password crackers to escalate system privileges B) Is based on the fact that various vendors of OS implement the TCP stack differently C) TCP Connect Scan
B) Is based on the fact that various vendors of OS implement the TCP stack differently
Define the different types of bluetooth hacking: Bluejacking - Bluesnarfing - Bluesniffing - Bluesmacking -
Bluejacking - Sending unsolicited messages over bluetooth to bluetooth-enabled devices
Bluesnarfing - Theft of info from a wireless device through a bluetooth connection
Bluesniffing - Proof of concept code for a bluetooth wardriving utility
Bluesmacking - DoS attack which overflows bluetooth-enabled devices with random packets causing the device to crash
What is a Metamorphic Virus?
Changes so antivirus cannot detect it.
What is CCTT?
Covert Channel Tunneling Tool Trojan - creates arbitrary data transfer channels in data streams to gain an external shell from within an internal network, and vice-versa.
What is the timeframe within which NTP can maintain time? A) 10000 seconds B) 10 seconds C) 100 seconds D) 10 milliseconds
D) 10 milliseconds - 1/100 seconds
What is DIG? A) Data Incident Gatherer B) Data Insurance Group C) Domain Information Gatherer D) Domain Information Grouper
D) Domain Information Grouper
What layer does the Circuit Level Gateway Firewall work at? A) Network B) Data Link C) Application D) Session
D) Session
What does each of these DHCP Request/Reply messages do? DHCP Discover: DHCP Offer: DHCP Request: DHCP ACK:
DHCP Discover: Solicit - Client broadcast to locate available DHCP servers
DHCP Offer: Advertise - Server to client in response to DHCPDISCOVER with offer of config parameters
DHCP Request: Request, Confirm, Renew, Rebind - Client message to servers either requesting offered parameters, confirming correctness of previously allocated address, or extending lease period
DHCP ACK: Reply - Server to client with config parameters, including committed network addresses
What is HijackThis?
Generates a log file of the current state of your PC to help find malware and rootkits.
How do you do a DNS zone transfer with nslookup?
Inside the program:
nslookup - start the program
server <name> - change to another server, like 8.8.8.8
set <option> - e.g. to see all MX records: set querytype=mx
ls -d <domainname>
If an ACK probe is sent and no response is received, what does that mean?
It is being filtered by a firewall.
What is Servermask?
Masks information in headers so attackers cannot see things like file extensions that could give away the type of system that you are using (e.g. aspx = Microsoft).
What does MBSA stand for?
Microsoft Baseline Security Analyzer
What does OWASP stand for?
Open Web Application Security Platform/Program
What is PoisonIvy?
Remote Administration Tool (RAT) good for Botnet DDOS
What does SATAN stand for?
Security Administration Tool for Analyzing Networks
What does SAINT stand for?
Security Administrators Integrated Network Tool
