CEHv9
What does the enumeration phase not discover? A. Services B. User accounts C. Ports D. Shares
Ports Ports are usually uncovered during the scanning phase and not the enumeration phase.
What is a PSK?
Pre-Shared Key (PSK) is a key entered into each client A PSK is entered into each client that is going to access the wireless network. It is commonly found in WEP, WPA, and WPA2 deployments. PSKs represent a security risk because they can be extracted from a compromised client and then allow a malicious party to access the network.
A closed network is typically which of the following? A. Public network B. Private network C. Hot spot D. Kiosk location
Private network A closed network is typically considered a private network and not meant for public use. The network is usually not visible, and you can locate and connect to it only if you already know the SSID.
What mode must be configured to allow an NIC to capture all traffic on the wire?
Promiscuous mode An NIC must be configured to operate in promiscuous mode to capture all traffic on the network. More specifically, it allows the interface to capture both traffic that is intended for the host and traffic that is intended for other clients.
Wireshark requires a network card to be able to enter which mode to sniff all network traffic?
Promiscuous mode To sniff all traffic on a network segment, promiscuous mode is required, which allows all network traffic to be captured.
Which of the following challenges can be solved by firewalls? A. Protection against buffer overflows B. Protection against scanning C. Enforcement of privileges D. Ability to use nonstandard ports
Protection against scanning Firewalls can prevent the scanning of systems and the probing or discovery of a database.
What is the benefit of encryption on mobile devices? A. Protection against stolen devices B. Protection of data on lost or stolen devices C. Prevention of malware D. Protection of data being sent to websites
Protection of data on lost or stolen devices Encryption safeguards data on devices that have been lost or stolen.
Web applications are used to _______. A. Provide dynamic content B. Stream video C. Apply scripting D. Implement security controls
Provide dynamic content Web applications are ideally suited for providing dynamic content of all types. Although some of this can be done on the client side, there is much more power and capability on the server side.
What does rooting a device do?
Provides root-level access to a user on a system Rooting is the process of increasing the amount of access a user has on an Android device.
What utility could be used to avoid sniffing of traffic?
Psiphon Psiphon is essentially a VPN technology that would thwart sniffing of traffic.
Session hijacking can be thwarted with which of the following? A. SandroProxy B. DroidSheep C. FaceNiff D. Psiphon
Psiphon Psiphon would provide some protection against sniffing and session hijacking.
Which of the following does IPsec use? A. SSL B. AES C. DES D. PKI
Public Key Infrastructure (PKI) PKI is used with IPsec to allow it to function in environments of any size. IPsec is also capable of using a Pre-Shared Key (PSK) if desired by the system owner.
A public key is stored on the local computer by its owner in a _____________.
Public Key Infrastructure (PKI) system A public key is not necessarily stored on the local system, but a private key will always be present if the user is enrolled.
Asymmetric encryption is also referred to as which of the following? A. Shared key B. Public key C. Hashing D. Block
Public key Asymmetric encryption uses two separate keys and is referred to as public key cryptography. Symmetric algorithms use only one key that is used by both the sender and receiver.
Adding to and removing from a program stack are known as what?
Push and pop Adding an item to the stack is known as pushing, and removing an item from the stack is known as popping. Remember that adding and removing occur only at the top.
LDAP is used to perform which function? A. Query a network B. Query a database C. Query a directory D. Query a file system
Query a database LDAP is used to query and structure databases; this database could include a directory service, but it is not necessarily one.
A Trojan can include which of the following? A. RAT B. TCP C. Nmap D. Loki
RAT A remote access Trojan (RAT) is a common payload to include in a Trojan.
During an FIN scan, what indicates that a port is closed?
RST An RST indicates that the port is closed.
During a Xmas tree scan what indicates a port is closed?
RST An RST indicates the port is closed in many of the TCP scan types. The RST is sent in response to a connection request and indicates that the port is not available.
Port number ______ is used by DNS for zone transfers.
53 TCP Port 53 TCP is used by DNS for zone transfers.
For a fence to deter a determined intruder, it should be at least how many feet tall? A. 4 B. 6 C. 8 D. 10
8 A fence should be at least 8 feet tall to deter a determined intruder from entering a facility.
HTTP is typically open on which port in a firewall?
80 Port 80 is associated with HTTP and will usually allow traffic to pass through firewalls unimpeded.
Which of the following operates at 5 GHz? A. 802.11a B. 802.11b C. 802.11g D. 802.11i
802.11a 802.11a operates exclusively at the 5 GHz frequency range, whereas 802.11b and 802.11g operate at the 2.54 GHz range. The newer 802.11n standard can operate at both frequency ranges.
Which of the following specifies security standards for wireless? A. 802.11a B. 802.11b C. 802.11g D. 802.11i
802.11i 802.11i specifies security standards for wireless and is not concerned with specifying new network standards for communication. WPA and WPA2 are designed to be compatible with this standard.
What is a covert channel?
A backdoor A covert channel is a backdoor or unintended vulnerability on a system that may or may not be created through the use of a Trojan.
What is a drop ceiling?
A false ceiling A drop ceiling is a false ceiling.
A DMZ is created with which of the following?
A multihomed firewall A multihomed firewall can be used to create a DMZ as can two separate firewalls. In either case, a buffer zone between public and private networks is created.
MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client? A. The MAC address doesn't map to a manufacturer. B. The MAC address is two digits too long. C. A reverse ARP request maps to two hosts. D. The host is receiving its own traffic.
A reverse ARP request maps to two hosts. MAC spoofing results in duplicate MAC addresses on a network unless the compromised client has been bumped from its connection. Two IP addresses mapping to one MAC indicates a bogus client.
What is a vulnerability scan designed to provide to those executing it?
A way to reveal vulnerabilities A vulnerability scan is designed to pick up weaknesses in a system. Such scans are typically automated.
What is missing from a half-open scan?
ACK An ACK flag belongs to the last part of the three-way handshake, and this part never happens in a half-open scan.
What response is missing in a SYN flood attack?
ACK During a SYN flood, the last step of the three-way handshake is missing, which means that after the SYN and SYN-ACK are performed, the final ACK is not received.
Which of the following is used to set permissions on content in a website? A. HIDS B. ACE C. ACL D. ALS
ACL Access Control Lists (ACLs) are used to set permissions on web content and prevent or control certain levels of interaction by users.
IPsec uses which two modes?
AH/ESP IPsec uses two modes: Authentication Header (AH) and Encapsulating Security Payload (ESP). Both modes offer protection to data but do so in different ways.
What technique funnels all traffic back to a single client, allowing sniffing from all connected hosts?
ARP poisoning ARP poisoning alters ARP table mappings to align all traffic to the attacker's interface before traveling to the proper destination. This allows the attacker to capture all traffic on the network and provides a jumping-off point for future attacks.
Jennifer is a junior system administrator for a small firm of 50 employees. For the last week a few users have been complaining of losing connectivity intermittently with no suspect behavior on their part such as large downloads or intensive processes. Jennifer runs Wireshark on Monday morning to investigate. She sees a large amount of ARP broadcasts being sent at a fairly constant rate. What is Jennifer most likely seeing?
ARP poisoning An excessive number of ARP broadcasts would indicate an ARP poisoning attack. The users' reporting loss of connectivity may indicate an attempted session hijacking with a possible DoS attack.
Jailbreaking a phone refers to what?
Acquiring root access on a device Jailbreaking refers to gaining root access on a mobile device, specifically iOS devices.
What is a client‐to‐client wireless connection called?
Ad hoc When two clients attach to each other in a wireless setting, it is known as an ad hoc network.
Which of the following is a detective control when not used in real time? A. Fences B. Alarms C. CCTV D. Locks
Alarms Alarms are a detective control in that they can detect and react to an action but not prevent an intrusion.
A covert channel or backdoor may be detected using all of the following except _____. A. Nmap B. Sniffers C. An SDK D. Netcat
An SDK A software development kit (SDK) is used to develop software but not to detect a covert channel.
What is a rogue access point?
An access point not managed by a company A rogue access point is one not managed by the organization and may be set up by an attacker or may even be set up by an employee trying to circumvent the rules.
An overt channel is ______.
An obvious method or legitimate use of a system An overt channel is a mechanism on a system or process that is typically put in place by design and intended to be used in a specific way.
Firewalking is done to accomplish which of the following?
Analyze a firewall. Firewalking can be used to analyze the configuration and rules on a firewall.
The group Anonymous is an example of what?
Anonymous is an example of hacktivists.
Which of the following is not a source of session IDs? A. URL B. Cookie C. Anonymous login D. Hidden login
Anonymous login URLs, cookies, and hidden logins are all sources of session IDs.
A man-in-the-browser attack delivered by a piece of malware can be prevented by which of the following? A. Anti-virus B. Anti-spyware C. Using Firefox D. Rooting a device
Anti-virus Much like desktop systems, installing an anti-virus can prevent this type of malware-based attack.
Choosing a protective network appliance, you want a device that will inspect packets at the most granular level possible while providing improved traffic efficiency. What appliance would satisfy these requirements?
Application firewall Application firewalls operate at Layer 7 (and all layers) of the OSI model and thus filter traffic at a highly granular level.
The Wayback Machine would be useful in viewing what type of information relating to a web application?
Archived versions of websites The Wayback Machine is used to view archived versions of websites if available. Not all websites are archived on the Wayback Machine, however.
In practice a honeypot will be configured how? A. As an unpatched system B. As a decoy server C. As a duplicate of a real system D. As an analysis tool
As a duplicate of a real system Honeypots are configured identically to a legitimate counterpart such as a web server. When the honeypot is placed near the real web server, it should be subject to the same type of good and bad traffic that the real server would. Because the honeypot has no reason to have legitimate traffic on it, any activity would indicate that something malicious is occurring.
AirPcap is used to do which of the following? A. Assist in the sniffing of wireless traffic. B. Allow network traffic to be analyzed. C. Allow the identification of wireless networks. D. Attack a victim.
Assist in the sniffing of wireless traffic. AirPcap is a device designed to allow in-depth analysis of traffic on wireless networks. The device is typically used with software such as Wireshark.
A honeyspot is designed to do what?
Attract victims to connect to it. A honeyspot is intended to attract victims to attach to it with the intention of gathering information.
What utility may be used to stop auditing or logging of events?
Auditpol Auditpol is used to stop the logging of events on a Windows system.
Session hijacking can be thwarted with which of the following? A. SSH B. FTP C. Authentication D. Sniffing
Authentication Authentication mechanisms such as Kerberos can provide protection against session hijacking. Authentication provides verification of the party or parties involved in the communication.
In IPsec, what does Authentication Header (AH) provide?
Authentication services The Authentication Header provides authentication services to data, meaning that the sender of the data can be authenticated by the receiver of the data.
An attacker can use a(n) _______ to return to a system.
Backdoor A backdoor gives an attacker a means to come back to the system later for further attacks.
_________ can be used to identify a web server. A. Session hijacking B. Banner grab C. Traversal D. Header analysis
Banner grab A banner grab can be used to connect to a service and extract information about it.
What is a system used as a chokepoint for traffic?
Bastion host A bastion host is a hardened dedicated system that traffic is filtered through prior to entering or exiting the network.
What system is used as a choke point for traffic and could be offered through IaaS? A. IDS B. DMZ C. Bastion host D. SNMP host
Bastion host A bastion host is used as a choke point.
Julie has sniffed an ample amount of traffic between the targeted victim and an authenticated resource. She has been able to correctly guess the packet sequence numbers and inject packets, but she is unable to receive any of the responses. What does this scenario define?
Blind hijacking The key portion of the question is that Julie is not receiving a response to her injected packets and commands. Although the sequence prediction does relate to TCP hijacking, the best answer is blind hijacking.
A ____________ is used to prevent cars from ramming a building.
Bollard A bollard is a barrier that prevents cars and trucks from passing it to enter a facility.
Which intrusion prevention system can be used in conjunction with fences? A. Infrared wave pattern B. Bollards C. Audio D. PIDAS
Bollards Bollards can be used with fences to block a vehicle from crashing through a fence and making an easy-to-use entrance.
Which of the following could be considered required components of an alarm system? A. A visual alerting method B. An audio alerting method C. Automatic dialup D. Both A and B
Both A and B Audio and visual components are both vital.
How is a brute-force attack performed?
Brute-force attacks are carried out by trying all possible combinations of characters in an attempt to uncover the correct one.
A common attack against web servers and web applications is ____________. A. Banner grab B. Input validation C. Buffer validations D. Buffer overflow
Buffer overflow Buffer overflows are a common flaw in software that typically can be fixed only by a software engineer.
How does a fragmentation attack, which takes a packet, breaks it into fragments, and sends only some of the fragments to the target, cause a DoS?
By exhausting memory by caching the fragments When a packet is fragmented and directed at an IDS, but only part of the fragments are sent or received, the fragments will continue to consume memory on some IDSs. The reason is that a less-capable or less-intelligent IDS will hold onto the fragments while they wait for the remainder, thus consuming memory.
How is a brute‐force attack performed?
By trying all possible combinations of characters Brute-force attacks are carried out by trying all possible combinations of characters in an attempt to uncover the correct one.
What common tool can be used for launching an ARP poisoning attack? A. Cain & Abel B. Nmap C. Scooter D. Tcpdump
Cain & Abel Cain & Abel is a well-known suite of tools used for various pen-testing functions such as sniffing, password cracking, and ARP poisoning.
Monitor mode is used by wireless cards to do what? A. Capture traffic from an associated wireless access point. B. Capture information from ad hoc networks. C. Capture information about wireless networks. D. Capture traffic from access points.
Capture information about wireless networks. Monitor mode is a feature supported by wireless network cards that allows the capturing of wireless traffic from unassociated wireless networks.
What is a type of combination lock? A. Key lock B. Card lock C. Cipher lock D. Trucker lock
Cipher lock A cipher lock is a form of combination lock that requires a code to be entered in order to open the door.
Which of the following best describes a web application?
Code designed to be run on the server A web application is code designed to be run on the server with the results sent to the client for presentation.
On a switch, each switchport represents a _________.
Collision domain Each switchport represents a collision domain, thereby limiting sniffing to only the clients residing on that port.
A good defense against password guessing is _______.
Complex passwords Complex passwords are a great defense against password guessing.
Databases can be a victim of code exploits depending on which of the following?
Configuration Databases can be a victim of source code exploits, depending on their configuration and design.
What is used to store session information?
Cookie A cookie is used to store session information about browsing sessions and is a file that resides on a client.
A session hijack can be initiated from all of the following except which one? A. Emails B. Browsers C. Web applications D. Cookies and devices
Cookies and devices Cookies can be used during a session hijack and indeed the information contained therein may be the goal of the attack, but devices alone cannot initiate an attack.
In IPsec, what does Encapsulating Security Payload (ESP) provide?
Data security Data security services are provided by ESP.
SQL injection attacks are aimed at which of the following? A. Web applications B. Web servers C. Databases D. Database engines
Databases SQL injection operates at the database layer and attacks databases directly.
Which of the following best describes what a hacktivist does? A. Defaces websites B. Performs social engineering C. Hacks for political reasons D. Hacks with basic skills
Defaces websites A hacktivist engages in mischief for political reasons.
An anomaly-based NIDS is designed to look for what? A. Patterns of known attacks B. Deviations from known traffic patterns C. Log alterations D. False positives
Deviations from known traffic patterns An anomaly-based NIDS is designed to look for deviations from known traffic patterns and behaviors on the network. Such NIDSs need to be tuned to the network they are connected to.
What is not a benefit of hardware keyloggers? A. Easy to hide B. Difficult to install C. Difficult to detect D. Difficult to log
Difficult to install Hardware keyloggers are not difficult to install on a target system.
Which of the following is used to access content outside the root of a website?
Directory traversal Directory traversals are used to browse outside the root of the site or location and access files or directories that should otherwise be hidden.
A virus does not do which of the following? A. Replicate with user interaction B. Change configuration settings C. Exploit vulnerabilities D. Display pop-ups
Display pop-ups Typically a virus does not display pop-ups. That is a characteristic of adware.
What type of database has its information spread across many disparate systems? A. Hierarchical B. Relational C. Distributed D. Flat
Distributed A distributed database is one that has its information spread across many different systems that are networked together and linked via code.
Which of the following can be used to protect data stored in the cloud?
Drive encryption Drive encryption or its equivalent would be useful in protecting data stored in the cloud.
Jennifer has captured the following URL: www.snaz22enu.com/&w25/session=22525. She realizes that she can perform a session hijack. Which utility would she use? A. Shark B. DroidSheep C. Airmon D. Droid
DroidSheep DroidSheep is used to perform session hijacks.
At what point can SSL be used to protect data?
During transmission Data can be protected using SSL during transmission. If data is being stored on a hard drive or flash drive, SSL is not effective at providing cryptographic services.
Which pointer in a program stack gets shifted or overwritten during a successful overflow attack? A. ESP B. ECP C. EIP D. EBP
EIP A successful overflow attack can change the value of an Extended Instruction Pointer (EIP) saved on the stack.
Which of the following is not a flag on a packet? A. URG B. PSH C. RST D. END
END END is not a type of flag. Valid flags are ACK, FIN, SYN, URG, RST, and PSH.
___________ is a method for expanding an email list. A. VRFY B. EXPN C. RCPT TO D. SMTP
EXPN The EXPN command will display the recipients of an email list.
Which of the following is a characteristic of USB flash drives that makes security a problem?
Easily hidden Flash drives offer several advantages, including their size, speed, and portability. A disadvantage for security personnel is that they can hold a lot of data and be very easily hidden.
Which of the following would be hosted as SaaS?
Email Email would be a prime example of SaaS as would hosting office suites and other types of software.
Phishing takes place using ________.
Email Phishing is performed using email to entice the target to provide information of a sensitive nature.
Simple Object Access Protocol (SOAP) is used to perform what function?
Enable communication between applications SOAP is used to enable protocol-independent communication between applications.
Which of the following can be used to evade an IDS? A. Packet sniffing B. Port scanning C. Enumeration D. Encryption
Encryption Encryption can be used to avoid specific types of firewalls because of their inability to decrypt the traffic.
What mechanism is intended to deter theft of hard drives?
Encryption Encryption of an entire drive dilutes the value of the data if the drive is subject to theft; however, it will not keep the drive from being physically stolen.
What may be helpful in protecting the content on a web server from being viewed by unauthorized personnel? A. Encryption B. Permissions C. Redirection D. Firewalls
Encryption Encryption offers the ability to prevent content from being viewed by anyone not specifically authorized to view it.
A blind SQL injection attack is used when which of the following is true? A. Error messages are not available. B. The database is not SQL compatible. C. The database is relational. D. All of the above.
Error messages are not available. When error messages are not descriptive or not available, a blind SQL injection attack can be used to ascertain information from performance or indirect observations.
Altering a checksum of a packet can be used to do what?
Evade an NIDS If an NIDS is employed within a cloud environment, attacks such as altering checksums of a packet can be used to avoid detection.
Altering a checksum of a packet can be used to do what?
Evade an NIDS. You can evade an NIDS by altering a checksum because some systems cannot handle the differences in checksums on a packet when encountered.
A polymorphic virus _______.
Evades detection through rewriting itself
Frequency of type 2 errors is also known as what? A. False rejection rate B. Failure rate C. Crossover error rate D. False acceptance rate
False rejection rate A type 2 error is also known as a false rejection error, where someone who should have had access was denied it.
Which of the following is a wall that is less than full height?
False wall A false wall is one that extends only to a drop ceiling and not to the actual ceiling. These types of walls can easily be climbed over to allow access to a previously inaccessible room.
What is the first defense that a physical intruder typically encounters?
Fences Fences in many cases are the first line of defense that an intruder would encounter.
Which type of biometric system is frequently found on laptops but can be used on entryways as well?
Fingerprint Fingerprint systems are becoming more common on laptops and portable devices. They can also be used to authenticate individuals for access to facilities.
What is the purpose of social engineering?
Gain information from a human being through face-to-face or electronic means While a computer, email, or phone may be used, social engineering ultimately uses other items as tools to gain information from a human being.
What should a pentester do prior to initiating a new penetration test? A. Plan B. Study the environment C. Get permission D. Study the code of ethics
Get permission It is absolutely essential to obtain permission prior to performing any sort of test against a system you don't own. Permission should also be in writing and never verbal.
A contract is important because it does what?
Gives proof A contract gives proof that permission and parameters were established.
Which type of hacker may use their skills for both benign and malicious goals at different times?
Gray-hat Gray-hat hackers are typically thought of as those that were formerly black hats but have reformed. However, they have been known to use their skills for both benign and malicious purposes.
The tendency of human beings to follow set patterns and behaviors is known as __________.
Habits Habits are set patterns of behavior that individuals tend to follow or revert to frequently.
Groups and individuals who hack systems based on principle or personal beliefs are known as _____.
Hacktivists Hacktivists get their title from the paradigm of hacktivism. These hackers launch attacks against targets because they believe those targets violate the attackers' morals, ethics, or principles.
Groups and individuals who may hack a web server or web application based on principle or personal beliefs are known as _______.
Hacktivists Hacktivists get their title from the paradigm of hacktivism. These hackers launch attacks against targets because they believe those targets violate the attackers' morals, ethics, or principles.
A _______ is used to represent a password.
Hash A password hash is commonly used to represent a password in an encrypted format that is not reversible in locations such as the SAM database.
What is the name for the dynamic memory space that, unlike the stack, doesn't rely on sequential ordering or organization?
Heap Along with the stack, the heap provides a program with a dynamic memory space that can serve as a non-sequential storage location for variables and program items.
Browsers do not display ____.
Hidden fields Browsers do not render hidden fields, but these fields can be viewed if you use the browser's ability to view source code.
In addition to relational databases, there is also what kind of database? A. Hierarchical B. SQL C. ODBC D. Structured
Hierarchical A hierarchical database is an alternative to the popular relational database structure.
An HIDS is used to monitor activity on which of the following? A. Network B. Application C. Log file D. Host
Host An HIDS (host-based intrusion detection system) is used to monitor security violations on a particular host.
What device will neither limit the flow of traffic nor have an impact on the effectiveness of sniffing? A. Hub B. Router C. Switch D. Gateway
Hub A hub cannot limit the flow of traffic in any way, meaning that all traffic flowing through the hub can be viewed and analyzed.
Wireless access points function as a ________.
Hub All wireless access points are essentially hubs in that they do not segregate traffic the way a traditional wired switch does.
What is the key difference between a smurf and a fraggle attack?
ICMP vs. UDP A smurf attack uses ICMP to carry out its action, whereas UDP is used during fraggle attacks. TCP is not used in either attack.
Which of the following prevents ARP poisoning?
IP DHCP Snooping IP DHCP Snooping can be used on Cisco devices to prevent ARP poisoning by validating IP-to-MAC mappings based on a saved database.
What can be used instead of a URL to evade some firewalls used to protect a cloud based web application?
IP address An IP address can be used instead of a URL to evade some firewalls. Much like standard web applications, ones based in the cloud could still be exploited in the same way.
What can be used instead of a URL to evade some firewalls?
IP address An IP address will in some cases allow a website to be accessed through a firewall, whereas a URL would not.
What network appliance senses irregularities and plays an active role in stopping that irregular activity from continuing? A. System administrator B. Firewall C. IPS D. IDP
IPS An intrusion prevention system (IPS) plays an active role in preventing further suspicious activity after it is detected.
Session hijacking can be performed on all of the following protocols except which one? A. FTP B. SMTP C. HTTP D. IPsec
IPsec IPsec is designed with many goals in mind; one of them is that it is not as vulnerable to session hijacking as the other protocols and services listed here.
Which technology can provide protection against session hijacking? A. JavaScript B. ASP C. ASP.NET D. PHP
IPsec IPsec can protect against session hijacking.
Which technology can provide protection against session hijacking? A. IPsec B. UDP C. TCP D. IDS
IPsec IPsec provides encryption and other related services that can thwart the threat of session hijacking.
An SSID is used to do which of the following? A. Identify a network. B. Identify clients. C. Prioritize traffic. D. Mask a network.
Identify a network. SSIDs serve many functions, but the primary goal is to identify the network to clients or potential clients. SSIDs are configurable by the owner of the network and should be changed from their defaults in every case.
What is an SID used to do?
Identify a user An SID is used to identify a user.
Jason notices that he is receiving mail, phone calls, and other requests for information. He has also noticed some problems with his credit checks such as bad debts and loans he did not participate in. What type of attack did Jason become a victim of?
Identity theft This attack is most likely a result of identity theft. The information to carry out this attack may have been obtained through the use of techniques such as phishing or social engineering. However, those techniques can be used for other attacks as well and not just identity theft.
Jason receives notices that he has unauthorized charges on his credit card account. What type of attack is Jason a victim of?
Identity theft This attack is most likely the result of identity theft, and while we don't know exactly how it was stolen, candidates include phishing, social engineering, keyloggers, or Trojan horses.
Jason is the local network administrator who has been tasked with securing the network from possible DoS attacks. Within the last few weeks, some traffic logs appear to have internal clients making requests from outside the internal LAN. Based on the traffic Jason has been seeing, what action should he take?
Implement ingress filtering. Throttling network traffic will slow down a potential DoS attack; however, an ingress filter will check for internal addresses coming in from the public side. This is a good indicator of a spoofed IP.
A sparse infector virus ________. A. Creates backdoors B. Infects data and executables C. Infects files selectively D. Rewrites itself
Infects files selectively A sparse infector virus evades detection by infecting only a handful or selection of files instead of all of them.
When a wireless client is attached to an access point, it is known as which of the following? A. Infrastructure B. Client‐server C. Peer‐to‐peer D. Ad hoc
Infrastructure In an infrastructure network the client attaches directly to an access point instead of another client.
Which of the following can prevent bad input from being presented to an application through a form?
Input validation Input validation is the process of checking input for correctness prior to its being accepted by an application. Unlike filtering, which works on the server side, validation works on the client side and prevents bad input from making it to the server.
A man-in-the-middle attack is an attack where the attacking party does which of the following? A. Infect the client system B. Infect the server system C. Insert themselves into an active session D. Insert themselves into a web application
Insert themselves into an active session A man-in-the-middle attack occurs when the attacking party inserts themselves into the communication between two different parties.
An attack that can be performed using FaceNiff is ______.
Inserting oneself into an active session FaceNiff is used to take over active sessions.
A method for overwhelming an IDS using packets with incorrect TTL values or flags is known as what? A. Session splicing B. Insertion C. Fragmenting D. ACK scanning
Insertion An insertion attack is one where packets that would be dropped by an end system are accepted by the IDS. Because the IDS accepts packets, it results in a denial of service with some IDSs.
What option would you use to install software that's not from the Google Play store? A. Install from unknown sources. B. Install unsigned sources. C. Install from unknown locations. D. Install from unsigned services.
Install from unknown sources. If Install From Unknown Sources is enabled on Android devices, unsafe or unprotected applications could compromise a device, but still will be installed.
In a DDoS attack, what communications channel is commonly used to orchestrate the attack?
Internet Relay Chat (IRC) A DDoS attacker commonly uses IRC to communicate with handlers, which in turn send the attack signal to the infected clients (zombies).
_________ is a client‐side scripting language. A. JavaScript B. ASP C. ASP.NET D. PHP
JavaScript JavaScript is a client-side scripting language as opposed to languages such as ASP and ASP.NET.
In social engineering a proxy is used to _________.
Keep an attacker's origin hidden An attacker could keep their activities masked and covered up to prevent themselves from being discovered.
Which system should be used instead of LM or NTLM?
Kerberos Kerberos is the authentication mechanism preferred over LM and NTLM (all versions).
When talking to a victim, using _________ can make an attack easier. A. Eye contact B. Keywords C. Jargon D. Threats
Keywords Using keywords or buzzwords can make a victim believe the attacker is in the know about how a company works.
On newer Windows systems, what hashing mechanism is disabled?
LAN Manager (LM) LM hashing is disabled on newer Windows systems, but it can be re-enabled for legacy support.
________ is a hash used to store passwords in older Windows systems.
LAN Manager (LM) LM is a hashing format used to store passwords.
The stack operates on a _________.
LIFO The stack uses a last-in, first-out scheme. Items are pushed onto or popped from the top, so at any time the only accessible item on the stack is the last one pushed there.
What is a single-button DDoS tool suspected to be used by groups such as Anonymous?
LOIC The DDoS tool Low Orbit Ion Cannon (LOIC) is a single-button utility that is suspected of being used in large-scale DDoS attacks.
A cloud environment can be in which of the following configurations except? A. IaaS B. PaaS C. SaaS D. LaaS
LaaS There is no officially recognized environment referred to as LaaS.
Which DoS attack sends traffic to the target with a spoofed IP of the target itself?
Land A land attack fits this description. Smurf attacks deal with ICMP echo requests going back to a spoofed target address. SYN floods use custom packets that barrage a target with requests. Teardrop attacks use custom fragmented packets that have overlapping offsets.
While guards and dogs are both good for physical security, which of the following is a concern with dogs?
Liability Liability is a huge issue for dogs and security considering the fact that they may attack and cannot discern attackers without human intervention.
Android is based on which operating system?
Linux Android is based on Linux.
The wardriving process involves which of the following? A. Locating wireless networks B. Breaking into wireless networks C. Sniffing traffic D. Performing spectrum analysis
Locating wireless networks Wardriving is used to locate wireless networks when using a mobile device as you are traveling around a city or neighborhood. Typically a GPS is also included to pinpoint networks.
What could be used to monitor application errors and violations on a web server or application?
Logs Logs can be used to monitor activity on a system, including web applications or web servers.
A denial of service application for Android is _______.
Low Orbit Ion Cannon (LOIC) LOIC is software used to perform denial of service attacks.
When a device is rooted, what is the effect on security?
Lowered Security is lowered on a device when rooting is performed.
Bob is attempting to sniff a wired network in his first pen test contract. He sees only traffic from the segment he is connected to. What can Bob do to gather all switch traffic?
MAC flooding Bob can launch a MAC flooding attack against the switch, thereby converting the switch into a large hub. If successful, this will allow Bob to sniff all traffic passing through the switch.
Based on the diagram, what attack is occurring?
MITM Man-in-the-middle (MITM) attacks are an exam favorite; just remember that the broader category of session hijacking encompasses MITM attacks. Anytime you see a computer placed in the middle, you should immediately suspect MITM or session hijacking.
Warchalking is used to do which of the following?
Make others aware of a wireless network. Warchalking is used specifically to draw others' attention to the presence of a wireless network. The practice consists of drawing chalk symbols in the area of a detected wireless network that indicates the name, channel, and other information about the network.
Social engineering is designed to ________. A. Manipulate human behavior B. Make people distrustful C. Infect a system D. Gain a physical advantage
Manipulate human behavior Social engineering is designed to exploit human nature with the intention of gaining information.
Which of the following is a good defense against tailgating and piggybacking?
Mantraps Mantraps are intended to control access and thus stop the occurrence of physical breaches as a result of piggybacking and tailgating.
What is another word for portals? A. Doors B. Mantraps C. GlaDOS D. Booths
Mantraps Portals are more commonly referred to by the term mantrap.
Which mechanism can be used to influence a targeted individual? A. Means of dress or appearance B. Technological controls C. Physical controls D. Training
Means of dress or appearance Appearance can easily impact the opinion that an individual or a group has about someone. The other options here are types of countermeasures used to stop physical attacks.
Which attack alters data in transit within the cloud? A. Packet sniffing B. Port scanning C. MitM D. Encryption
MitM Man-in-the-middle attacks are effective at altering data in transit between applications and the cloud.
SNMP is used to do which of the following? A. Transfer files B. Synchronize clocks C. Monitor network devices D. Retrieve mail from a server
Monitor network devices SNMP is used to monitor and send messages to network devices.
Alternate Data Streams are supported in which file systems?
NTFS Alternate Data Streams are only supported on NTFS. None of the other file systems available in Windows currently support the ADS feature.
If a domain controller is not present, what can be used instead?
NTLMv2 NTLMv2 should be used if a domain controller is not present.
______ is used to synchronize clocks on a network.
NTP NTP (Network Time Protocol) is used to synchronize clocks on a network.
A _____ is used to connect to a remote system using NetBIOS.
NULL session A NULL session can be used to connect to a remote system via the ipc$ share.
An attacker can use which technique to influence a victim? A. Tailgating B. Piggybacking C. Name-dropping D. Acting like tech support
Name-dropping Name-dropping can be used by an attacker to make a victim believe the attacker has power or knows people who are in power.
An attacker can use ____ to enumerate users on a system. (Windows)
NetBIOS NetBIOS can be used to enumerate the users on a system.
Which of the following is capable of port redirection?
Netcat Netcat can do port redirection.
Which tool can be used to view web server information? A. Netstat B. Netcraft C. Warcraft D. Packetcraft
Netcraft Netcraft can be used to view many details about a web server, including IP address, netblock, last views, OS information, and web server version.
At which layer of the OSI model does a packet-filtering firewall work?
Network Layer (Layer 3) A packet-filtering firewall works at the Network Layer (Layer 3) of the OSI model.
A cloud-based firewall is used to separate which of the following? A. Networks B. Hosts C. Permissions D. ACL
Networks Cloud-based firewalls are used to separate networks with different security ratings.
A firewall is used to separate which of the following? A. Networks B. Hosts C. Permissions D. ACL
Networks Networks are separated into different zones of trust through the use of firewalls, with the most typical setup being public and private networks on either side.
A session hijack can happen with which of the following? A. Networks and applications B. Networks and physical devices C. Browsers and applications D. Cookies and devices
Networks and applications Session hijacks can occur with both network and application traffic, depending on the attacker's desired goals.
ADS requires what to be present?
New Technology File System (NTFS) NTFS is required in order to use ADS.
Which kind of value is injected into a connection to the host machine in an effort to increment the sequence number in a predictable fashion?
Null Null values are used to increment the sequence numbers of packets between the victim and the host. The null packets are sent to the host machine in an effort to prepare for desynchronizing the client.
What is the main difference between DoS and DDoS?
Number of attackers The main difference between the two types of attacks is the number of attackers. The goal is the same and the scale is different but hard to define.
Which is/are a characteristic of a virus? A. A virus is malware. B. A virus replicates on its own. C. A virus replicates with user interaction. D. A virus is an item that runs silently.
(A) A virus is malware & (C) A virus replicates with user interaction. Unlike a worm, a virus requires that a user interact with it or initiate replication in some manner.
Which of the following is/are true of a worm? A. A worm is malware. B. A worm replicates on its own. C. A worm replicates with user interaction. D. A worm is an item that runs silently.
(A) A worm is malware & (B) replicates on its own. A worm replicates without user interaction.
Input validation is used to prevent which of the following? A. Bad input B. Formatting issues C. Language issues D. SQL injection
(A) Bad input and (D) SQL injection Input validation is intended to prevent the submission of bad input into an application, which could allow SQL injection to take place.
Cloud technologies are used to accomplish which of the following? A. Increase management options B. Offload operations onto a third party C. Transfer legal responsibility of data to a third party D. Cut costs
(A) Increase management options, (B) Offload operations onto a third party, and (D) Cut costs Cloud technologies can be used for many reasons, but legal responsibility cannot ever be transferred to a third party.
What could a company do to protect itself from a loss of data when a phone is stolen? (Choose all that apply.) A. Passwords B. Patching C. Encryption D. Remote wipe
(A) Passwords, (C) Encryption, and (D) Remote wipe A company should proactively set passwords and use encryption, as well as employ remote wipe on a mobile device in the event that it is lost or stolen.
Training and education of end users can be used to prevent _________. A. Phishing B. Tailgating/piggybacking C. Session hijacking D. Wireshark
(A) Phishing & (B) Tailgating/piggybacking Training and education are specifically used to prevent the practice of tailgating or piggybacking. Attacks such as session hijacking can't be prevented through training and education of end users.
Which of the following issues would be a good reason for moving to a cloud based environment? A. Reduced costs B. Improved performance C. Easier forensics D. Increased redundancy
(A) Reduced costs, (B) Improved performance, and (D) Increased redundancy Forensics would not be easier in the cloud; in fact, it may be harder if not impossible to perform.
What can an error message tell an attacker? A. Success of an attack B. Failure of an attack C. Structure of a database D. All of the above
(A) Success of an attack, (B) Failure of an attack, and (C) Structure of a database Error messages can reveal success of an attack, failure of an attack, structure of a database, as well as configuration and other information.
iOS is based on which operating system?
OS X iOS is based on OS X.
Proper input validation can prevent what from occurring?
Operating system exploits SQL injection attacks are made possible through improper input validation, thus allowing bogus commands to be issued to a database and processed.
Which of the following is an example of a server‐side scripting language? A. JavaScript B. PHP C. SQL D. HTML
PHP PHP is a server-side language that has its actions handled by the server before delivering the results to the requester.
Which system does SSL use to function? A. AES B. DES C. 3DES D. PKI
PKI PKI is used in the process of making SSL function. While it is true that AES, DES, and 3DES can be used in SSL connections, PKI is the only one used consistently in all situations.
An application would be developed on what type of cloud service? A. BaaS B. SaaS C. IaaS D. PaaS
PaaS Platform as a service is ideally suited for development and deployment of custom applications.
An NIDS is based on technology similar to which of the following? A. Packet sniffing B. Privilege escalation C. Enumeration D. Backdoor
Packet sniffing An NIDS includes extra features not found in programs such as Wireshark, but at its core it functions in a similar way to a packet sniffer.
Jennifer has been working with sniffing and session-hijacking tools on her company network. Since she wants to stay white hat—that is, ethical—she has gotten permission to undertake these activities. What would Jennifer's activities be categorized as? A. Passive B. Monitoring C. Active D. Sniffing
Passive Julie is operating in the passive sense in this scenario. Sniffing traffic is a passive activity.
Social engineering can be thwarted using what kinds of controls? A. Technical B. Administrative C. Physical D. Proactive controls
(A) Technical, (B) Administrative, and (C) Physical Technology alone cannot stop the impact of social engineering and must be accompanied by other mechanisms as well, such as education. The strongest defense against social engineering tends to be proper training and education.
Social engineering preys on many weaknesses, including __________. A. Technology B. People C. Human nature D. Physical
(A) Technology, (B) People, (C) Human nature, and (D) Physical The targets of social engineering are people and the weaknesses present in human beings.
NetCut is used to do what? (Choose two.) A. Test firewalls. B. Craft packets. C. Take over a session. D. Scan a network.
(A) Test firewalls and (B) Craft packets NetCut can test a firewall and craft packets.
A logic bomb is activated by which of the following? A. Time and date B. Vulnerability C. Actions D. Events
(A) Time and date, (C) Actions, and (D) Events A logic bomb may be activated by any of these options except the presence of a vulnerability.
Remote wipes do what? (Choose two.) A. Wipe all data off a device. B. Remove sensitive information such as contacts from a remote system. C. Factory reset a device. D. Insert cookies and devices.
(A) Wipe all data off a device and (B) Remove sensitive information such as contacts from a remote system. Remote wipes remove data and other sensitive information from a device.
Which of the following is an attribute used to secure a cookie? A. Encrypt B. Secure C. HttpOnly D. Domain
(B) Secure, (C) HttpOnly, and (D) Domain Each of these flags can be used to provide security for a cookie, which wouldn't otherwise be provided.
Which statement(s) defines malware most accurately? A. Malware is a form of virus. B. Trojans are malware. C. Malware covers all malicious software. D. Malware only covers spyware.
(B) Trojans are malware & (C) Malware covers all malicious software. Malware covers all types of malicious software, including viruses, worms, Trojans, spyware, adware, and other similar items.
Which command is used to query data in SQL Server? A. cmdshell B. WHERE C. SELECT D. from
(B) WHERE, (C) SELECT, and (D) from The SELECT command is used to craft SQL queries, whereas WHERE and FROM are used to customize queries to get more desirable results.
At which layer of the OSI model would you expect a cloud based solution to operate at? A. Layer 1 B. Layer 2 C. Layer 3 D. Layer 4
(C) Layer 3 and (D) Layer 4 Since one of the goals of a cloud based solution is to abstract the hardware from the client, Layers 3 and above would likely be the only layers that the user would interact with.
Social engineering can be used to carry out email campaigns known as __________.
Phishing Phishing is a social engineering attack designed to gather information from victims using email.
Janet receives an email enticing her to click a link. But when she clicks this link she is taken to a website for her bank, asking her to reset her account info. However, Janet noticed that the bank is not hers and the website is not for her bank. What type of attack is this?
Phishing This is an example of phishing because it involves enticing the user to click a link and presumably provide information.
Jennifer receives an email claiming that her bank account information has been lost and that she needs to click a link to update the bank's database. However, she doesn't recognize the bank, because it is not one she does business with. What type of attack is she being presented with?
Phishing This type of attack is a clear example of phishing: An attacker crafts an attractive-looking email with the intention of enticing the victim to perform an action.
Lock-pick sets typically contain which of the following at a minimum? A. Tension wrenches and screwdrivers B. A pick C. A pick and a driver D. A pick and a tension wrench
Pick and a tension wrench A pick and a tension wrench are the minimum equipment included in a lock-pick kit.
Session hijacking can do all of the following except which one? A. Take over an authenticated session B. Be used to steal cookies C. Take over a session D. Place a cookie on a server
Place a cookie on a server A session hijack can be used to read cookies on a client but not place a cookie on a server.
Which of the following can be used to identify a firewall? A. Search engines B. Email C. Port scanning D. Google hacking
Port scanning Port scanning can be used to identify certain firewalls because specific ports are known to be open and available on some firewalls.
Enumeration does not uncover which of the following pieces of information? A. Services B. User accounts C. Ports D. Shares
Ports Ports are usually uncovered during the scanning phase and not the enumeration phase.
A public use workstation contains the browsing history of multiple users who logged in during the last seven days. While digging through the history, a user runs across the following web address: www.snaz22enu.com/&w25/session=22525. What kind of embedding are you seeing?
URL embedding A session ID coded directly into a URL is categorized as a URL-embedded session ID. Remnant session information left in a browser's history can potentially lead to another user or attacker attempting to reuse an abandoned session.
Enumeration is useful to system hacking because it provides which of the following? A. Passwords B. IP ranges C. Configurations D. Usernames
Usernames Usernames are especially useful in the system hacking process because they allow you to target accounts for password cracking.
Enumeration is useful to system hacking because it provides ____. A. Passwords B. IP ranges C. Configurations D. Usernames
Usernames Usernames are especially useful in the system-hacking process because they let you target accounts for password cracking. Enumeration can provide information regarding usernames and accounts.
VRFY is used to do which of the following? A. Validate an email address B. Expand a mailing list C. Validate an email server D. Test a connection
Validate an email address VRFY validates an email address in SMTP.
Social engineering can use all the following except __________. A. Mobile phones B. Instant messaging C. Trojan horses D. Viruses
Viruses Social engineering takes advantage of many mechanisms, including Trojan horses, but it does not use viruses. However, instant messaging, mobile phones, and Trojan horses are all effective tools for social engineering.
Which statement is used to limit data in SQL Server? A. cmdshell B. WHERE C. SELECT D. to
WHERE The WHERE statement limits the results of a SQL query.
Which of the following options shows the protocols in order from strongest to weakest? A. WPA, WEP, WPA2, Open B. WEP, WPA2, WPA, Open C. Open, WPA, WPA2, WEP D. WPA2, WPA, WEP, Open
WPA2, WPA, WEP, Open WEP is by far the weakest of the protocols here; WPA is the next stronger, and WPA2 is the strongest of the group. Open implies little or no protection at all.
Which feature makes WPA easy to defeat? A. AES encryption B. WPS support C. TKIP support D. RC4 support
WPS support WPS support is a feature of WPA and later networks that allows push-button association of wireless clients to access points.
A utility for auditing WordPress from Android is ____.
WPScan WPScan is used to look for weaknesses in WordPress sites.
Session fixation is a vulnerability in which of the following? A. Web applications B. Networks C. Software applications D. Protocols
Web applications Web applications can be vulnerable to session fixation if the right conditions exist. Typically, this means that session IDs are not regenerated often enough or can be easily ascertained.
XSS is typically targeted toward which of the following?
Web browsers XSS is targeted toward web browsers and can take advantage of defects in web applications and browsers.
WEP is designed to offer security comparable to which of the following?
Wired networks WEP is intended to offer security comparable to that experienced on traditional wired networks. In practice the security has been less than intended.
How is black‐box testing performed?
With no knowledge Black-box testing is performed with no knowledge to simulate an actual view of what a hacker would have.
Which of the following is a device used to perform a DoS on a wireless network? A. WPA jammer B. WPA2 jammer C. WEP jammer D. Wi‐Fi jammer
Wi‐Fi jammer A Wi-Fi jammer can be used to shut down a wireless network while it is running.
A session hijack can be used against a mobile device using all of the following except? A. Emails B. Browsers C. Worms D. Cookies
Worms Worms do not cause session hijacks.
_______ involves grabbing a copy of a zone file.
Zone transfer Zone transfers are used to retrieve a copy of the zone file from the server and store it in another location.
Which command is used to remove a table from a database?
drop table The drop table command is used to remove a table from a database. This command deletes a table from the database.
Which function(s) are considered dangerous because they don't check memory bounds? (Choose all that apply.)
gets(), strcpy(), scanf(), and strcat() All of these C functions are considered dangerous because they do not check memory bounds. Thus, code containing any of these can be part of a buffer overflow attack.
What command-line utility can you use to craft custom packets with specific flags set? A. Nmap B. Zenmap C. Ping D. hping3
hping3 Although the Nmap and Zenmap utilities can activate specific TCP flags based on the custom scan desired, the hping3 utility was designed for creating custom packets and manipulating TCP flags.
Which Wireshark filter displays only traffic from 192.168.1.1?
ip.addr == 192.168.1.1 The Wireshark operator == means equal to. In this scenario, using the == operator filters down to 192.168.1.1 as the specific host to be displayed.
Which command can be used to view NetBIOS information?
nbtstat nbtstat lets you view information about NetBIOS.
How would you use Netcat to set up a server on a system? A. nc -l -p 192.168.1.1 B. nc -l -p 1000 C. nc -p -u 1000 D. nc -l -p -t 192.168.1.1
nc -l -p 192.168.1.1 Netcat uses the syntax nc -l -p to listen on a specific port, with the port number being specified as a number following the -p. For example, nc -l -p 1000 would tell the server to listen on port 1000 for incoming connections.
Which command would retrieve banner information from a website at port 80? A. nc 192.168.10.27 80 B. nc 192.168.19.27 443 C. nc 192.168.10.27 -p 80 D. nc 192.168.10.27 -p -l 80
nc 192.168.10.27 80 The command nc <target ip address> <port number> would allow a banner grab. Once the connection is established, you would issue the command HEAD / HTTP/1.0 to retrieve HTTP headers.
What command is used to listen to open ports with netstat?
netstat -an Netstat -a or -an lists ports on a system that are listening in Windows.
Which of the following is used to perform customized network scans? A. Nessus B. Wireshark C. AirPcap D. nmap
nmap Nmap is a utility used to scan networks and systems and for other types of custom scans.
What is the generic syntax of a Wireshark filter?
protocol.field operator value Wireshark filters use the basic syntax of putting the protocol first followed by the field of interest, the operator to be used, and finally the value to look for (tcp.port == 23).
Jennifer is using tcpdump to capture traffic on her network. She would like to review a capture log gathered previously. What command can Jennifer use?
tcpdump -r capture.log The option -r is used to read the capture file, or the capture can be opened in a GUI-based sniffer such as Wireshark.
Jennifer is using tcpdump to capture traffic on her network. She would like to save the capture for later review. What command can Jennifer use? A. tcpdump -r capture.log B. tcpdump -l capture.log C. tcpdump -t capture.log D. tcpdump -w capture.log
tcpdump -w capture.log Tcpdump uses the option -w to write a capture to a log file for later review. The option -r is used to read the capture file, or the capture can be opened in a GUI-based sniffer such as Wireshark.
What is the command to retrieve header information from a web server using Telnet?
telnet <website name> 80 The correct command for retrieving header information from a website is telnet <website name> 80.
Which command launches a CLI version of Wireshark?
tshark The command for the CLI version of Wireshark is tshark.
Which of the following would confirm a user named chell in SMTP?
vrfy chell vrfy chell, the verify command, is used within SMTP to verify that the object provided is legitimate.
Which command can be used to access the command prompt in SQL Server? A. WHERE B. SELECT C. xp_cmdshell D. cmdshell
xp_cmdshell The xp_cmdshell command is available in all versions of SQL Server and can be used to open a command shell. The command has been disabled in current versions of the product, though it is still available to be enabled.
A ______ is a type of off-line attack.
Rainbow attack A rainbow attack or rainbow table is designed to generate the hashes necessary to perform an off-line attack against an extracted hash.
What are worms typically known for? A. Rapid replication B. Configuration changes C. Identity theft D. DDoS
Rapid replication Worms are typically known for extremely rapid replication rates once they are released into the wild.
Bluesnarfing is used to perform what type of attack?
Read information from a device. Bluesnarfing is used to read information from a Bluetooth-enabled device.
What type of database uses multiple tables linked together in complex relationships?
Relational A relational database uses complex relationships between tables to describe data in an understandable format.
Zombies Inc. is looking for ways to better protect their web servers from potential DoS attacks. Their web admin proposes the use of a network appliance that receives all incoming web requests and forwards them to the web server. He says it will prevent direct customer contact with the server and reduce the risk of DoS attacks. What appliance is he proposing?
Reverse proxy Reverse proxies are implemented to protect the destination resource, not the client or user. In this scenario, a reverse proxy will field all outside requests, thereby preventing direct traffic to the web server and reducing the risk of a DoS attack.
Which of the following is another name for a record in a database? A. Row B. Column C. Cell D. Label
Row A row is a name for a line in a database typically associated with a record.
A _______ is a file used to store passwords? (Windows Operating system)
SAM The SAM database is used to store credential information on a local system.
_____ can be used to attack databases. A. Buffer overflows B. SQL injection C. Buffer injection D. Input validation
SQL injection SQL injection can be used to attack databases.
_____ is used to audit databases. A. Ping B. Ipconfig C. SQLPing D. Traceroute
SQLPing SQLPing is used to audit databases and help identify issues that may be of concern or problematic.
Jennifer is a system administrator who is researching a technology that will secure network traffic from potential sniffing by unauthorized machines. Jennifer is not concerned with the future impact on legitimate troubleshooting. What technology can Jennifer implement?
SSH Jennifer can implement a form of encryption for the traffic that she wants to protect from sniffing. Secure Shell traffic would not be readable if captured by a sniffer; however, any legitimate network troubleshooting efforts would also prove more challenging because of packet encryption.
A POODLE attack targets what exactly?
SSL SSL, specifically SSL 3.0, is targeted in this attack. This attack is possible when a browser cannot use TLS and so instead switches to SSL 3.0, which has been deprecated.
While monitoring traffic on the network, Jason captures the following traffic. What is he seeing occur?
SYN flood Looking at the amount of SYN flags without a full handshake, it appears a SYN flood is occurring.
What is the proper sequence of the TCP three‐way‐handshake?
SYN, SYN‐ACK, ACK Remember this three-way handshake sequence; you will see it quite a bit in packet captures when sniffing the network. Being able to identify the handshake process allows you to quickly find the beginning of a data transfer.
_________ is used to partially encrypt the SAM.
SYSKEY SYSKEY is used to partially encrypt the SAM database in Windows versions from NT 4 onward.
What type of cloud service would provide email hosting and associated security services? A. PaaS B. SaaS C. IaaS D. SSaS
SaaS SaaS is the platform type that hosts email services as well as security services in most cases.
Jennifer is concerned about her scans being tracked back to her tablet. What could she use to hide the source of the scans? A. Sniffing B. SandroProxy C. FaceNiff D. Blind scanning
SandroProxy SandroProxy would be useful to disguise the source of a scan.
What phase comes after footprinting?
Scanning Scanning comes after the footprinting phase. Footprinting is used to get a better idea of the target.
NTLM provides what benefit versus LM?
Security NTLM is a more secure protocol than LM. A little stronger still is NTLMv2, which provides additional features such as mutual authentication and stronger encryption.
SMTP is used to perform which function? A. Monitor network equipment B. Transmit status information C. Send email messages D. Transfer files
Send email messages SMTP is primarily intended to transfer email messages from email servers and clients.
Bluejacking is a means of which of the following? A. Tracking a device B. Breaking into a device C. Sending unsolicited messages D. Crashing a device
Sending unsolicited messages Bluejacking is a means of sending unsolicited messages to a Bluetooth-enabled device.
Which attack can be used to take over a previous session? A. Cookie snooping B. Session hijacking C. Cookie hijacking D. Session sniffing
Session hijacking Session hijacking can be used to take over an existing session that has been authenticated or to forge a valid session.
Which statement defines session hijacking most accurately? A. Session hijacking involves stealing a user's login information and using that information to pose as the user later. B. Session hijacking involves assuming the role of a user through the compromise of physical tokens such as common access cards. C. Session hijacking is an attack that aims at stealing a legitimate session and posing as that user while communicating with the web resource or host machine. D. Session hijacking involves only web applications and is specific to stealing session IDs from compromised cookies.
Session hijacking is an attack that aims at stealing a legitimate session and posing as that user while communicating with the web resource or host machine. Session hijacking focuses on the victim's session. There are different ways of accomplishing this task, but the basic concept is the same. Be sure to know what constitutes a session hijack; the exam will expect you to be able to recognize one at first glance.
Which of the following uses a database of known attacks?
Signature file Signature files are used by IDSs to match traffic against known attacks to determine if an attack has been found or if normal traffic is present.
SNScan is used to access information for which protocol?
Simple Network Management Protocol (SNMP) SNScan is designed to access and display information for SNMP.
Which of the following is designed to locate wireless access points? A. Site survey B. Traffic analysis C. Pattern recognition D. Cracking
Site survey The purpose of a site survey is to map out a site and locate access points and other wireless-enabled devices.
What is the most common sign of a DoS attack?
Slow performance Although any of these options could be symptomatic of a DoS attack, the most common is slow performance.
A remote access Trojan would be used to do all of the following except? A. Steal information B. Remotely control a system C. Sniff traffic D. Attack another system
Sniff traffic Typically, a RAT is not used to sniff traffic, but it may be used to install software to perform this function.
A Trojan relies on ________to be activated. A. Vulnerabilities B. Trickery and deception C. Social engineering D. Port redirection
Social engineering A Trojan relies on social engineering to entice the victim to open or activate the payload.
Which of the following can help you determine business processes of your target through human interaction? A. Social engineering B. Email C. Website D. Job boards
Social engineering Social engineering can reveal how a company works.
SaaS is a cloud hosting environment that offers what?
Software hosting SaaS, or Software as a Service, is an environment used to host software services offsite and possibly license just what a company needs and only for as long as they need it.
Based on the packet capture shown in the graphic, what is contained in the highlighted section of the packet?
Source and destination IP addresses This question may seem unfair, but the exam will expect you to take what looks like unrelated data and extrapolate those parts that make sense. Remember, catching only the first octet of an IPv4 address is enough to give you a firm indication of what the question is asking.
An ethical hacker sends a packet with a deliberate and specific path to its destination. What technique is the hacker using?
Source routing Source routing specifies the path the packet will take to its destination. Source routing can give an attacker the flexibility to direct traffic around areas that may prevent traffic flow or redirect traffic in an undesired fashion.
Phishing can be mitigated through the use of _________.
Spam filtering and Education Education and spam filtering are tremendously helpful at lessening the impact of phishing. Pure antivirus and anti-malware typically do not include this functionality unless they are part of a larger suite.
What type of firewall analyzes the status of traffic and would be part of an IaaS solution?
Stateful inspection A firewall with stateful inspection analyzes the status of traffic.
What type of firewall analyzes the status of traffic? A. Circuit level B. Packet filtering C. Stateful inspection D. NIDS
Stateful inspection Stateful inspection firewalls analyze the status of traffic.
Network-level hijacking focuses on the mechanics of a connection such as the manipulation of packet sequencing. What is the main focus of web app session hijacking? A. Breaking user logins B. Stealing session IDs C. Traffic redirection D. Resource DoS
Stealing session IDs Stealing session IDs is the main objective in web session hijacking. Session IDs allow the attacker to assume the role of the legitimate client without the time-consuming task of brute-forcing user logins or sniffing out authentication information.
Which network device can block sniffing to a single network collision domain, create VLANs, and make use of SPAN ports and port mirroring?
Switch A switch can limit sniffing to a single collision domain, unlike a lesser device such as a hub.
A DNS zone transfer is used to do which of the following?
Synchronize server information A zone transfer is used to synchronize information, namely records, between two or more DNS servers.
_____ is the process of exploiting services on a system.
System hacking System hacking is intended to increase access to a system.
Which of the following is not a Trojan? A. BO2K B. LOKI C. Subseven D. TCPTROJAN
TCPTROJAN TCPTROJAN is not a Trojan. All the other utilities on this list are different forms of Trojans.
Which utility will tell you in real time which ports are listening or in another state? A. Netstat B. TCPView C. Nmap D. Loki
TCPView TCPView lists ports and their statuses in real time.
Which of the following is a utility used to reset passwords?
TRK Trinity Rescue Kit (TRK) is a Linux distribution used to reset passwords.
Physical security can prevent which of the following? A. DDoS B. FTP C. Tailgating D. Cracking
Tailgating Tailgating is an attack where an intruder follows an approved individual into a facility. Devices such as mantraps can thwart this attack.
A security camera picks up someone who doesn't work at the company following closely behind an employee while they enter the building. What type of attack is taking place?
Tailgating This attack is called tailgating and involves a person being closely followed by another individual through a door or entrance.
What is an eight-in-one DoS tool that can launch such attacks as land and teardrop?
Targa Targa has eight different DoS attacks included in its capabilities. TFN2K and Trinoo are designed to carry out DDoS attacks and be a part of a botnet.
The command-line equivalent of WinDump is known as what?
Tcpdump Tcpdump is a command-line equivalent of WinDump, which allows the sniffing of network traffic.
Who has legal responsibility for data hosted in the cloud? A. The Cloud Service Provider B. The IT department of the client C. The client D. The consumer
The client The client who pays the cloud service provider to host their data still has legal responsibility for its safety.
During an assessment you discovered that the target company was using a fax machine. Which of the following is the least important? A. The phone number is publicly available. B. The fax machine is in an open, unsecured area. C. Faxes frequently sit in the printer tray. D. The fax machine uses a ribbon.
The phone number is publicly available. A publicly available phone number is not a security risk in many cases because the machine may be one that can be sent information from anywhere.
Multihomed firewall has a minimum of how many network connections?
Three Multihomed firewalls are defined typically as having three or more network connections.
There are how many different types of cloud hosting environments?
Three Three forms of cloud-hosting environments are currently recognized: Software as a service (SaaS), Platform as a service (PaaS), and Infrastructure as a service (IaaS).
Why use Google hacking?
To fine-tune search results Google hacking is used to produce more targeted and useful search results than would be possible using normal searches.
What is the role of social engineering?
To gain information from human beings. Social engineering can gain information about computers and other items, but it does so by interacting with people to extract that information.
What is the purpose of a proxy? A. To assist in scanning B. To perform a scan C. To keep a scan hidden D. To automate the discovery of vulnerabilities
To keep a scan hidden A proxy is used to hide the party launching the scan.
In the field of IT security, the concept of defense in depth is layering more than one control on another. Why would this be helpful in the defense of a system of session‐hijacking? A. To provide better protection B. To build dependency among layers C. To increase logging ability D. To satisfy auditors
To provide better protection Defense in depth provides much better protection than a single layer. It also provides a means of slowing down and frustrating an attacker.
In the field of IT security, the concept of defense in depth is the layering of more than one control on another. Why is this?
To provide better protection Defense in depth provides much better protection than a single layer. It also provides a means to slow down and frustrate an attacker.
Why wouldn't someone create a private cloud?
To reduce costs You would not create a private cloud to reduce costs as most likely it would increase costs due to the need to acquire and maintain expensive hardware and software.
Which network topology uses a token‐based access methodology?
Token ring Token ring networks use a token-based access methodology. Each node connected to the network must wait for possession of the token before it can send traffic via the ring.
Which tool can trace the path of a packet? A. Ping B. Tracert C. Whois D. DNS
Tracert Tracert is a tool used to trace the path of a packet from source to ultimate destination.
What is the best option for thwarting social-engineering attacks?
Training Training is the best and most effective method of blunting the impact of social engineering. Addressing the problem through education can lessen the need for some countermeasures.
SNMP is used to perform which function in relation to hardware?
Trap messages SNMP is designed to aid in the management of devices by transmitting and receiving messages known as traps.
A man-in-the-browser attack is typically enabled by using which mechanism? A. Virus B. Worms C. Logic bombs D. Trojans
Trojans Trojans are commonly used to deploy malware onto a client system, which can be used to perform a session hijack.
A logic bomb has how many parts, typically? A. One B. Two C. Three D. Four
Two A logic bomb comes in two parts: a trigger and a payload. The payload stays dormant until the trigger wakes up.
A public and private key system differs from symmetric because it uses which of the following? A. One Key B. One Algorithm C. Two Keys D. Two Algorithms
Two keys A public and private key are mathematically related keys, but they are not identical. In symmetric systems, only one key is used at a time.
What protocol is used to carry out a fraggle attack?
UDP UDP is the protocol that is used to carry out a Fraggle Attack. ICMP plays a role in ping floods, which are a different type of attack. TCP and IPX do not play any role in this type of attack.
Which port uses SSL to secure web traffic?
443 Port 443 is used for HTTPS traffic, which is secured by SSL.
Which ports does SNMP use to function?
161 and 162 Ports 161 and 162 are used by SNMP and can be verified via a banner grab if the service is running and present.
Which ports does SNMP use to function?
161 and 162 Ports 161 and 162 are used by SNMP.
Port number _____ is used for SMTP.
25 Port 25 is for SMTP.
HTTPS is typically open on which port in a cloud based firewall?
443 Even though it would be a cloud based solution, the same ports would be used for common services and endpoints.
What is the hexadecimal value of a NOP instruction in an Intel system?
0x90 0x90 is the hexadecimal value of a NOP instruction for Intel-based systems. Remember to keep an eye out for this value; it indicates a NOP and possibly a NOP sled, which could indicate a buffer overflow condition in progress.
Tiffany is analyzing a capture from a client's network. She is particularly interested in NetBIOS traffic. What port does Tiffany filter for?
139 Tiffany looks for NetBIOS traffic on port 139. She can use the filter string tcp.port eq 139.
Which of the following is a scripting language? A. ActiveX B. Java C. CGI D. ASP.NET
CGI CGI is a scripting language that is designed to be processed on the server side before the results are provided to the client.
Which best describes a vulnerability scan?
A way to automate the discovery of vulnerabilities Vulnerability scans are designed to pick up weaknesses in a system. They are typically automated.
Which of the following best describes a vulnerability? A. A worm B. A virus C. A weakness D. A rootkit
A weakness A vulnerability is a weakness. Worms, viruses, and rootkits are forms of malware.
Footprinting has two phases. What are they?
Active and passive Footprinting is typically broken into active and passive phases, which are characterized by how aggressive the process actually is. Active phases are much more aggressive than their passive counterparts.
What can be configured in most search engines to monitor and alert you of changes to content?
Alerts Alerts can be set up with Google as well as other search engines to monitor changes on a given website or URL. When a change is detected, the alert is sent to the requestor.
When scanning a network via a hardline connection to a wired‐switch NIC in promiscuous mode, what would be the extent of network traffic you would expect to see?
All nodes attached to the same port Because each switchport is its own collision domain, only nodes that reside on the same switchport will be seen during a scan.
At which layer of the OSI model does a proxy operate?
Application Proxies operate at Layer 7, the Application layer of the OSI model. Proxies are capable of filtering network traffic based on content such as keywords and phrases. Because of this, a proxy digs down farther than a packet's header and reviews the data within the packet as well.
Which of the following manages digital certificates? A. Hub B. Key C. Public key D. Certificate authority
Certificate Authority (CA) A certificate authority is responsible for issuing and managing digital certificates as well as keys.
What is EDGAR used to do?
Check financial filings EDGAR can be used to verify the financial filings of a company.
What kind of domain resides on a single switchport?
Collision domain Each port on a switch represents a collision domain.
If you can't gain enough information directly from a target, what is another option?
Competitive analysis Competitive analysis can prove very effective when you're trying to gain more detailed information about a target. Competitive analysis relies on looking at a target's competitors in an effort to find out more about the target.
A white‐box test means the tester has which of the following? A. No knowledge B. Some knowledge C. Complete knowledge D. Permission
Complete knowledge White-box testers have complete knowledge of the environment they have been tasked with attacking.
Footprinting can determine all of the following except _____________? A. Hardware types B. Software types C. Business processes D. Distribution and number of personnel
Distribution and number of personnel Footprinting is not very effective at gaining information about the number of personnel.
Which of the following best describes what a suicide hacker does? A. Hacks with permission B. Hacks without stealth C. Hacks without permission D. Hacks with stealth
Hacks without stealth A suicide hacker does not worry about stealth or otherwise concealing their activities but is more concerned with forwarding an agenda.
A message digest is a product of which kind of algorithm?
Hashing algorithm A message digest is a product of a hashing algorithm, which may also be called a message digest function.
An administrator has just been notified of irregular network activity; what appliance functions in this manner? A. IPS B. Stateful packet filtering C. IDS D. Firewall
IDS Intrusion detection systems (IDSs) react to irregular network activity by notifying support staff of the incident; however, unlike IPSs, they do not proactively take steps to prevent further activity from occurring.
A banner can do what? A. Identify an OS B. Help during scanning C. Identify weaknesses D. Identify a service
Identify a service A banner can be changed on many services, keeping them from being easily identified. If this is not done, it is possible to use tools such as Telnet to gain information about a service and use that information to fine-tune an attack.
What does hashing preserve in relation to data?
Integrity Hashing is intended to verify and preserve the integrity of data, but it cannot preserve the confidentiality of the data.
Which of the following best describes footprinting?
Investigation of a target Footprinting is the gathering of information relating to an intended target. The idea is to gather as much information about the target as possible before starting an attack.
Which of the following can an attacker use to determine the technology and structure within an organization? A. Job boards B. Archives C. Google hacking D. Social engineering
Job boards Job boards are useful in getting an idea of the technology within an organization. By looking at job requirements, you can get a good idea of the technology present. While the other options here may provide technical data, job boards tend to have the best chance of providing it.
Hubs operate at what layer of the OSI model?
Layer 1 Hubs operate at Layer 1, the Physical layer of the OSI model. Hubs simply forward the data they receive. There is no filtering or directing of traffic; thus, they are categorized at Layer 1.
If a device is using node MAC addresses to funnel traffic, what layer of the OSI model is this device working in?
Layer 2 A network device that uses MAC addresses for directing traffic resides on Layer 2 of the OSI model. Devices that direct traffic via IP addresses, such as routers, work at Layer 3.
What level of knowledge about hacking does a script kiddie have?
Low Script kiddies have low or no knowledge of the hacking process but should still be treated as dangerous.
Which of the following is a common hashing protocol? A. MD5 B. AES C. DES D. RSA
MD5 is the most widely used hashing algorithm, followed very closely by SHA1 and the SHA family of protocols.
Which record will reveal information about a mail server for a domain?
MX MX records are DNS records used to locate the mail server for a domain.
Which topology has built‐in redundancy because of its many client connections?
Mesh A true mesh topology creates a natural amount of redundancy due to the number of connections used to establish connectivity.
Which technology allows the use of a single public address to support many internal clients while also preventing exposure of internal IP addresses to the outside world? A. VPN B. Tunneling C. NTP D. NAT
NAT Network Address Translation (NAT) is a technology that funnels all internal traffic through a single public connection. NAT is implemented for both cost savings and network security.
Which of the following types of attack has no flags set?
NULL A NULL scan has no flags configured on its packets.
Which of the following is used for identifying a web server OS? A. Telnet B. Netcraft C. Fragroute D. Wireshark
Netcraft Netcraft is used to gather information about many aspects of a system, including operating system, IP address, and even country of origin.
Who first developed SSL?
Netscape originally developed SSL, but since its introduction the technology has spread to become a standard supported by many clients such as email, web browsers, VPNs and other systems.
In IPsec, encryption and other processes happen at which layer of the OSI model?
Network layer (Layer 3) IPsec operates at the Network layer (Layer 3) of the OSI model, unlike many previous techniques.
Which of the following best describes hashing? A. An algorithm B. A cipher C. Nonreversible D. A cryptosystem
Nonreversible Hashing is referred to as a cipher or algorithm or even a cryptosystem, but it can be uniquely referred to as a nonreversible mechanism for verifying the integrity of data. Remember that hashing doesn't enforce confidentiality.
Symmetric key systems have key distribution problems due to _____________. A. Number of keys B. Generation of key pairs C. Amount of data D. Type of data
Number of keys The number of keys increases dramatically with more and more parties using the symmetric encryption; hence it does not scale well.
Which of the following can be used to tweak or fine-tune search results?
Operators Operators such as filetype are used to manipulate search results for some search engines such as Google.
Which category of firewall filters is based on packet header data only? A. Stateful B. Application C. Packet D. Proxy
Packet Packet-filtering firewalls inspect solely the packet header information.
Vulnerability research deals with which of the following? A. Actively uncovering vulnerabilities B. Passively uncovering vulnerabilities C. Testing theories D. Applying security guidance
Passively uncovering vulnerabilities Vulnerability research is a way of passively uncovering weakness.
Which of the following does an ethical hacker require to start evaluating a system? A. Training B. Permission C. Planning D. Nothing
Permission An ethical hacker never performs their services against a target without the explicit permission of the owner of that system.
Nmap is required to perform what type of scan?
Port scan Nmap is designed to perform scans against ports on a system or group of systems, but it is by far the most popular tool in many categories.
Which of the following is not typically used during footprinting? A. Search engines B. Email C. Port scanning D. Google hacking
Port scanning Port scanning is typically reserved for later stages of the attack process.
What device acts as an intermediary between an internal client and a web resource?
Proxy A proxy acts as an intermediary between internal host computers and the outside world.
What is the sequence of the three-way handshake?
SYN, SYN-ACK, ACK A three-way handshake is part of every TCP connection and happens at the beginning of every connection. It includes the sequence SYN, SYN-ACK, ACK to be fully completed.
SSL is a mechanism for which of the following? A. Securing stored data B. Securing transmitted data C. Verifying data D. Authenticating data
Securing transmitted data SSL is used to secure data when it is being transmitted from the client to server and back. The system is supported by most clients, including web browsers and email clients.
Symmetric cryptography is also known as _____________.
Shared key cryptography Symmetric cryptography is also known as shared key cryptography.
You have selected the option in your IDS to notify you via email if it senses any network irregularities. Checking the logs, you notice a few incidents but you didn't receive any alerts. What protocol needs to be configured on the IDS?
Simple Mail Transfer Protocol (SMTP) SMTP operates on port 25 and is used for outgoing mail traffic. In this scenario, the IDS SMTP configuration needs to be updated.
Which of the following would be a very effective source of information as it relates to social engineering? A. Social networking B. Port scanning C. Websites D. Job boards
Social networking Social networking has proven especially effective for social engineering purposes. Due to the amount of information people tend to reveal on these sites, they make prime targets for information gathering.
Which of the following can be used to assess physical security? A. Web cams B. Satellite photos C. Street views D. Interviews
Street views Street-level views using technology such as Google Street View can give you a picture of what types of security and access points may be present in a location.
Which of the following describes a hacker who attacks without regard for being caught or punished? A. Hacktivist B. Terrorist C. Criminal D. Suicide hacker
Suicide hacker Much like suicide bombers in the real world, suicide hackers do not worry about getting caught; they are only concerned with their mission.
An SYN attack uses which protocol?
TCP SYN flags are seen only on TCP-based transmissions and not in UDP transmissions of any kind.
Which of these protocols is a connection‐oriented protocol? A. FTP B. UDP C. POP3 D. TCP
TCP Transmission Control Protocol (TCP) is a connection-oriented protocol that uses the three-way-handshake to confirm that a connection is established. FTP and POP3 use connections, but they are not connection-oriented protocols.
What does TOE stand for?
Target of evaluation TOE stands for target of evaluation and represents the target being tested.
A scan of a network client shows that port 23 is open; what protocol is this aligned with?
Telnet Port 23 is used for Telnet traffic.
Which of the following is used for banner grabbing? A. Telnet B. FTP C. SSH D. Wireshark
Telnet Telnet is used to perform banner grabs against a system. However, other tools are available to do this as well.
What is the three-way handshake?
The opening sequence of a TCP connection The three-way handshake happens at the beginning of every TCP connection.
Why would you need to use a proxy to perform scanning?
To enhance anonymity You do not need to use a proxy to perform scanning, but using one will hide the process of scanning and make it more difficult to monitor by the victim or other parties.
What is Tor used for?
To hide the process of scanning Tor is designed to hide the process of scanning as well as the origin of a scan. In addition, it can provide encryption services to hide the traffic itself.
The Wayback Machine is used to do which of the following?
View archived versions of websites The Wayback Machine is used to view archived versions of websites if available (not all websites are archived via the Wayback Machine).
If you have been contracted to perform an attack against a target system, you are what type of hacker?
White hat A white-hat hacker always has permission to perform pen testing against a target system.
Which of the following would most likely engage in the pursuit of vulnerability research? A. White hat B. Gray hat C. Black hat D. Suicide hacker
White hats White hats are the most likely to engage in research activities, and although gray and black hats may engage in these activities, they are not typical.
Which OS holds 90 percent of the desktop market and is one of our largest attack surfaces?
Windows Windows remains king for sheer volume and presence on desktop and servers.
A vulnerability scan is a good way to do what? A. Find open ports B. Find weaknesses C. Find operating systems D. Identify hardware
(A) Find open ports & (B) Find weaknesses Vulnerability scanners are necessary for a security person to use to strengthen their systems by finding weaknesses before an attacker does.
Companies may require a penetration test for which of the following reasons? A. Legal reasons B. Regulatory reasons C. To perform an audit D. To monitor network performance
(A) Legal reasons, (B) Regulatory reasons, and (C) to perform an Audit Network performance is not the goal of security audits or penetration tests.
What port range is an obscure third‐party application most likely to use?
49152 to 65535 Ports 49152 to 65535 are known as the dynamic ports and are used by applications that are neither well known nor registered. The dynamic range is essentially reserved for those applications that are not what we would consider mainstream. Although obscure in terms of port usage, repeated showings of the same obscure port during pen testing or assessment may be indicative of something strange going on.
What is a code of ethics?
A description of expected behavior A code of ethics is a description of expected behavior. While not adhering to ethics typically does not result in legal action, it can result in expulsion from certain organizations such as EC-Council certification.
Which of the following describes an attacker who goes after a target to draw attention to a cause? A. Terrorist B. Criminal C. Hacktivist D. Script kiddie
A hacktivist is an individual or group that performs hacking and other disruptive activities with the intention of drawing attention to a particular cause or message.
A full-open scan means that the three-way handshake has been completed. What is the difference between this and a half-open scan?
A half-open does not include the final ACK. A three-way handshake is part of every TCP connection and happens at the beginning of every connection. In the case of a half-open scan, however, a final ACK is not sent, therefore leaving the connection halfway complete.
What separates a suicide hacker from other attackers? A. A disregard for the law B. A desire to be helpful C. The intent to reform D. A lack of fear of being caught
A lack of fear of being caught A suicide hacker's main difference from other hackers is their complete and utter lack of concern in regard to being caught.
What is an ICMP echo scan? A. A ping sweep B. A SYN scan C. A Xmas tree scan D. Part of a UDP scanning
A ping sweep An ICMP echo scan is a ping sweep-type scan.
Which of the following best describes PGP? A. A symmetric algorithm B. A type of key C. A way of encrypting data in a reversible method D. A key escrow system
A way of encrypting data in a reversible method PGP is a method of encrypting stored data to include emails, stored data, and other similar information. It is a form of public and private key encryption.