Certified Ethical Hacker Exam prep
What kind of a scan delivers specially designed packets to a system (remote) and then analyzes the output? a. Active b. Bounce c. Passive d. Directive
a. Active
Detective controls help administrators find problems within an organization's processes. Choose the two options below that represent this kind of control. a. Audits b. DRP c. CCTV d. Encryption e. Two-factor or multi-factor authentication
a. Audits d. Encryption
What is the process of identifying hosts or services by sending packets into the network perimeter to see which ones get through? a. Firewalking b. Enumerating c. Trace-configuring d. Banner Grabbing
a. Firewalking
Routing protocols are used to show how computers communicate. From the below options, select the two routing protocols. a. TCP or SMTP b. BGP c. UDP d. RIP
b. BGP d. RIP
Which of the below is not a packet capturing utility? a. Cain b. AiroPeek c. Wireshark d. Aircrack-ng
d. Aircrack-ng
When determining which services are active on a target machine as well as possible entry points to attack, which of the below would you use? a. Nmap scan b. Ping c. Traceroute d. Banner grabbing
a. Nmap scan
Which of the below netcat command switches will you use to telnet a remote host? a. nc -t b. nc -z c. nc -g d. nc -l -p
a. nc -t
Which of the below is a passive, non-direct information-gathering tool? a. Ettercap b. Whois c. Nmap d. Snort
b. Whois
Robert hopes to start a career in computer security. As a new college-level student, he has just learned the term ethical hacking, which is a key part of secure information systems. Of the below options, choose which will be key areas of expertise for Robert's future career. Answer is complete. Select more than one answer if applicable. a. Robert needs to gain a large body of knowledge about how computers function, with special regard to networking and programming. b. Operating systems are very important to Robert's career. Because companies utilize varying operating systems, including Windows (multiple versions), Mac (multiple versions), UNIX, and Linux, he must develop an advanced understanding of each of the major operating systems. c. Robert should gain familiarity with computing and hardware platforms, which are key to software development. d. Robert should be able to write reports related to his field and have great expertise in communication relating to computer security.
All of the above are correct
Background: Anonymizers are used to mask a user's web surfing. Anonymizers work by removing all identifying information from a computer throughout the time the user is surfing online. Internet users seeking privacy will use an anonymizer. Once they have enabled online access anonymization, each link they open for the remainder of the session will also be accessed anonymously, with no extra actions on the part of the user. However, anonymizers do have limitations. Which of the below represent examples of such limitations? Answer is complete. Select more than one answer if applicable. a. Secure protocols b. Plugins c. ActiveX controls d. Java applications e. JavaScript
All of the above are correct. Breakdown: These are the limitations of anonymizers: Secure protocols including HTTPS will not be anonymized correctly by an anonymizer, because a browser must be able to access the site directly in order to maintain truly secure encryption. Third-party plugins accessed by websites cannot be properly anonymized. There is simply no way to ensure that any independent direct connection between the user's machine and a remote site will remain established. When a Java application is accessed via an anonymizer, it cannot circumvent a Java security wall. ActiveX applications will have nearly unlimited access to the computer system of the user. The JavaScript language will be disabled with anonymizers that are URL-based.
Security, which is a measurement of how safe a system or network is for individuals and organizations, is the condition of well-being of information and infrastructure. With a secure system, theft (particularly undetected), tampering, and/or disruption (through Denial of Service Attacks) of services and information are limited to low or tolerable levels. Select the elements of security from the list below. a. Integrity b. Availability c. Non-Repudiation d. Authenticity e. Confidentiality
All of the above.
What is the definition of a script kiddie? a. A script kiddie utilizes hacking programs found online and developed by someone else to hack into information systems and deface websites. They are not independently knowledgeable about hacking. b. A script kiddie has lost the respect of others in an organization. Their integrity is suspect. c. A script kiddie focuses their attacks on communication systems. d. A script kiddie has been working with various computer systems from a young age. They are experts in many computer fields and operating systems, in addition to being knowledgeable in networks, frameworks, software and hardware. They love to root out vulnerabilities and threats on a server to boost its security.
a. A script kiddie utilizes hacking programs found online and developed by someone else to hack into information systems and deface websites. They are not independently knowledgeable about hacking.
If two unique corporations or companies go through a merger, what should they do to make sure that the Certificate of one company would trust the Certificate generated by the other? a. Cross-certification b. Public Key Exchange Authorization c. Federated Identity d. Must start from scratch - unique PKI system required.
a. Cross-certification
How can an attacker discover what rules have been set up on a specific gateway? a. Firewalking b. Firewalling c. OS Fingerprinting d. Ping Scan
a. Firewalking Breakdown: The Firewalking technique can help a hacker learn which rules have been set up on a gateway. Packets are ordinarily sent to a remote host with the exact TTL of a target. Hping2 can be used for firewalking as well.
You want to access and pull password files from various websites. These passwords are stored within the index directory of a website's server. What could you use from the below options that would allow you to do this? a. Google b. Nmap c. Whois d. Sam Spade
a. Google Breakdown: Google hacking is a way to find and retrieve password files (which have been indexed within a web server's directory) from specified websites. Search queries on Google will potentially discover information from a web server's index directory.
There are many credos within the computer security world. Which of the below groups believes that a hacker's purpose is to make social change, regardless of whether it involves breaking laws and/or defacing webpages? a. Hacktivists b. Script kiddies c. Crackers d. Phreakers
a. Hacktivists
Erik is a System Administrator. He has the responsibility to ensure network security for an organization. Erik is currently working with the advanced features of a Windows firewall in order to block/prevent a client machine from responding to any pings. Which of the below advanced setting types will require modification? a. ICMP b. SMTP c. SNMP d. UDP
a. ICMP
The attacker works through a spoofed IP address to send a SYN packet to a target. Which of the below methods did the attacker choose? a. IDLE b. NULL c. TCP FIN d. XMAS
a. IDLE Breakdown: In the IDLE scan method, an attacker delegates sending the SYN packet (to a target) to a spoofed IP address. The IDLE scan is initiated with a third party's IP address and therefore this is the only totally stealthy scan technique. This makes it very difficult to detect the hacker, since the IDLE scan uses a different address from the attacker's own.
Molly is employed as an Ethical Hacker. Her newest project involves testing the security of a website. Which of the below are the three pre-testing phases of an attack used in measuring the security of this website? a. Identifying the active system b. Web server hacking c. Enumerating the system d. Session hijacking e. Placing backdoors f. Footprinting
a. Identifying the active system c. Enumerating the system f. Footprinting
Wireshark will excel in which one of the below situations you might face as an Ethical Hacker? a. If you need to target networks using switches or so-called "full-duplex" hubs (which are actually switches). b. If you need to target networks utilizing repeaters/hubs. c. If your target is a Windows-based network. d. If your target is a Linux-based network.
a. If you need to target networks using switches or so-called "full-duplex" hubs (which are actually switches). Breakdown: When a device is a hub, it is convenient for capturing through Wireshark. A hub based on switches will only transmit 'clean' packets—whereas a real hub will simply act as a repeater with no verification of packets. Network hubs do not manage network traffic. Therefore, each packet that enters a port is repeated on every other port. A switch learns and maintains a table of MAC addresses. A switch does not simply forward all packets to all other ports, but rather uses a bridge to determine which packets are forwarded to which ports.
While performing a security assessment of a web server, Erin realizes she needs to identify a cross-site scripting vulnerability. Which of the below suggestions would correct the vulnerability? a. Inform the Web Administrator that all Web application data inputs must be validated before they are processed. b. Add a warning to users that cookies can be transferred only via a secure connection. c. Disable ActiveX support within all Web browsers. d. Disable Java applet support within all Web browsers.
a. Inform the Web Administrator that all Web application data inputs must be validated before they are processed.
Markus works as an Ethical Hacker. His main project is to test the security of his client's website. He starts by performing footprinting and scanning. What does this entail? Answer is complete. Select more than one answer if applicable. a. Information-gathering b. Determining the network range c. Identifying all active machines d. Finding any open ports and/or applications e. Enumeration through a four-step process
a. Information-gathering b. Determining the network range c. Identifying all active machines d. Finding any open ports and/or applications
Which of the below scans can measure facial and other features through the use of a webcam or other digital camera capable of taking videos? a. Iris scan b. Facial recognition scan c. Signature dynamics scan d. Retina scan
a. Iris scan b. Facial recognition scan
Which information can an attacker get after tracerouting any network? Answer is complete. Select more than one answer if applicable. a. Network topology b. Web administrator email address c. Firewall locations d. Trusted routers
a. Network topology c. Firewall locations d. Trusted routers
What core principle states that an individual or party cannot deny a role it had in an action or event (including document transmission)? a. Non-repudiation b. Perjury c. Confidentiality d. Secrecy and Privacy
a. Non-repudiation
What method is the most widespread method for an attacker to find victims for social engineering strikes? a. Phone b. War driving c. Session hijacking d. Email
a. Phone
While browsing an online job board, you come across a job posting for tech professionals. You visit the company's website and analyze its contents and conclude that they are looking for professionals who possess a strong knowledge of Windows Server 2003 and Windows active directory installations. Which of the below hacking phase(s) does this fall under? a. Reconnaissance b. Gaining access c. Covering tracks d. Scanning
a. Reconnaissance
Which is the correct sequence of packets needed to perform the 3-way handshake method? a. SYN, SYN/ACK, ACK b. SYN, ACK, SYN/ACK c. SYN, ACK, ACK d. SYN, SYN, ACK
a. SYN, SYN/ACK, ACK
Nick needs to send a file to an FTP server. It will be segmented into several packets, sent to the server and reassembled upon reaching the destination target (the FTP server). In order to maintain the integrity of the packets, which information will help Nick accomplish his task? a. Sequence number b. TTL c. Checksum d. Acknowledgement number
a. Sequence number
Which of the below techniques cannot be used to perform active OS fingerprinting? Answer is complete. Select more than one answer if applicable. a. Sniffing and analyzing packets b. ICMP error message quoting c. Sending FIN packets to open ports on a remote system. d. Analyzing the email headers.
a. Sniffing and analyzing packets d. Analyzing the email headers.
In which of the below scanning methods do Windows operating systems send only RST packets irrespective of whether the port is open or closed? a. TCP FIN b. TCP SYN c. FTP bounce d. UDP port
a. TCP FIN
An attacker sends a FIN packet to a target port. What type of stealth scanning did the attacker likely use? a. TCP FIN scanning b. TCP FTP proxy scanning c. TCP SYN scanning d. UDP port scanning
a. TCP FIN scanning Breakdown: Port scanning is a process of connecting to TCP and UDP ports to discover services and applications active on a target system. Data packets are sent to each port to collect information.
Which of the below scanning methods is most accurate and reliable, with the downside being that it is also incredibly easy to detect? a. TCP SYN/ACK b. TCP FIN c. TCP half-open d. Xmas Tree
a. TCP SYN/ACK
The use of alert thresholding in an intrusion detection system (IDS) can reduce the repeated alerts. However, it will introduce one of the below vulnerabilities. Which one? a. The IDS does not distinguish among packets originating from different sources. b. An attacker, working slowly enough, may be able to evade detection by the IDS. c. Network packets will be dropped once the volume exceeds the threshold. d. Thresholding disables the IDS' ability to reassemble fragmented packets.
a. The IDS does not distinguish among packets originating from different sources.
Fred is an Ethical Hacker. His newest assignment is to test the security of his company's website. Once he performs a Teardrop attack on the web server, it crashes. Why did this happen? a. The server is not capable of handling overlapping data fragments. b. Ping requests at its server level are too high. c. The ICMP packet is too large. It cannot be larger than 65,536 bytes. d. The spoofed TCP SYN packet that contains the target's IP address has been filled in at both source and destination fields.
a. The server is not capable of handling overlapping data fragments. Breakdown: In performing a Teardrop attack, Fred sent a series of data packets with overlapping offset field values to the web server. The server was unable to reassemble the packets correctly and is therefore forced to crash, hang, or reboot.
Which of the below is true about the TCP/IP model? Answer is complete. Select more than one answer if applicable. a. This model sets forth design guidelines and implementations for different networking protocols, enabling computers to interface through a network. b. This model allows end-to-end connectivity, delineating the format of data as well as the way it is addressed, transmitted and/or routed, and even how it will be received. c. This data model has five (5) separate layers of abstraction. d. Each layer of this model contains several different protocols.
a. This model sets forth design guidelines and implementations for different networking protocols, enabling computers to interface through a network. b. This model allows end-to-end connectivity, delineating the format of data as well as the way it is addressed, transmitted and/or routed, and even how it will be received. d. Each layer of this model contains several different protocols.
What is true about vulnerability in computer security? a. This security weak spot is discovered and possibly exploited in a Target of Evaluation and results from failed analysis, design and implementation, or an operation. b. It is caused by the incompetence of humans, natural disasters, or other indefensible situations. c. This agent can take advantage of a weakness in an information system or network. d. It is the threat or potential threat of a security violation and occurs only where there is a situation, action, or event that has the potential to break through security and damage a network or information system.
a. This security weak spot is discovered and possibly exploited in a Target of Evaluation and results from failed analysis, design and implementation, or an operation.
War dialers are used to scan thousands of phone numbers to detect any modems that have vulnerabilities. This provides an attacker with unauthorized access to a target computer. Which of the below utilities would work for war dialing? Each correct answer represents a complete solution. Choose two. a. ToneLoc b. THC-Scan c. Wingate d. NetStumbler
a. ToneLoc b. THC-Scan
As Database Manager for a local company, Mick has a lot of responsibilities. He decides to set up remote control software on his work machine so that he will be able to log in from home or elsewhere. After installing the software, he connects a modem to an otherwise-unused fax line. With no authentication enabling him to set a password for a host connection to the remote connection, Mick's remote connection will be accessible for anyone to connect to his host system. Which of the below attacks can be performed on Mick's remote connection? a. War dialing b. Zero-day c. War driving d. Warchalking
a. War dialing
Which of the below techniques uses a modem in order to automatically scan a list of telephone numbers? a. War dialing b. Warkitting c. Warchalking d. War driving
a. War dialing
Background: In her career as an Ethical Hacker, Diane has been assigned to a new project. She must test the security of a website. The only information that she is provided about the network infrastructure is as follows: diagrams of the network infrastructure; names and source code for necessary security tools; details about the IP addresses of the network. Based on the information provided above, what testing methodology is being implemented by the website? a. White-box testing b. Black-box testing c. Gray-box testing d. Alpha or simulated testing
a. White-box testing
Background: Google hacking is a method of utilizing the Google search engine and other Google apps to discover security holes in the configuration and/or computer code that websites use. Keying in advanced operators in the Google search engine enables a hacker to pinpoint specific strings of text in a search result. Which of the below terms is a valid Google search operator that can be used in searching for a specific file type? a. filetype b. inurl c. file type d. intitle
a. filetype Breakdown: The filetype Google search query operator can be utilized to search for a specific file type. If you wanted to search all pdf files with the word hacking in their filenames, you could key in the search query filetype:pdf pdf hacking. inurl is used to search for specified text within a URL of websites. file type, with a space between words, is not a valid search operator. intitle can be used to search for specified text in website titles.
You need to obtain the default security report from Nessus. Which of the below Google search queries could you use? a. filetype:pdf "Assessment Report" nessus b. link:pdf nessus "Assessment report" c. filetype:pdf nessus d. site:pdf nessus "Assessment report"
a. filetype:pdf "Assessment Report" nessus
Background: TCP/IP stack fingerprinting involves passive collecting of configuration attributes from remote devices during standard layer 4 network communications. These combinations could then be used to infer the remote operating system or to incorporate the information into a device fingerprint. Which of the below Nmap switches can be utilized to perform TCP/IP stack fingerprinting? a. nmap -O -p b. nmap -sU -p c. nmap -sS d. nmap -sT
a. nmap -O -p
Which Nmap switch would you use to retrieve as many different protocols as possible that are being used by a remote host? a. nmap -sO b. nmap -sS c. nmap -sT d. nmap -vO
a. nmap -sO Breakdown: The nmap -sO switch performs an IP protocol scan. To search for additional IP protocols, you can utilize the IP protocol scan. Such protocols include ICMP, TCP and UDP. This scan will unearth uncommon IP protocols that could be active on a system. Nmap will not allow you to combine the verbose and OS scanning options into a single switch. It will display the below error message: Invalid argument to -v: "O" The nmap -sT switch performs a TCP full scan. The nmap -sS switch performs a TCP half-open scan. Here an attacker will send a SYN packet to a target port.
Steve is a black hat and wishes to run a port scan on a machine he is attacking to try to find some open ports and other valuable information. He decides to use the nmap command to execute his scan. Because he is worried that the admin may be running PortSentry in order to block any scans, he will slow the scans down so that they are less suspicious. What nmap options can he use to do this? a. nmap -sS -PT -PI -O -T1 ip address b. nmap -sF -P0 -O ip address c. nmap -sO -PT -O -C5 ip address d. nmap -sF -PT -PI -O ip address
a. nmap -sS -PT -PI -O -T1 ip address
Which of the below Nmap commands is used to perform a UDP port scan? a. nmap -sU b. nmap -sS c. nmap -sF d. nmap -sN
a. nmap -sU Breakdown: The nmap -sU command performs a UDP port scan. The nmap -sS command performs stealth scanning. The nmap -sF command performs FIN scanning. The nmap -sN command performs TCP NULL port scanning.
As a contracted Ethical Hacker, Al has recently taken on a project to do security checking on a website. He wants to find out which operating system is used by the web server. Which of the below commands can he use to complete this task? Each correct answer represents a complete solution. Choose two. a. nmap -v -O 208.100.2.25 b. nc -v -n 208.100.2.25 80 c. nc 208.100.2.25 23 d. nmap -v -O [www.website.com]
a. nmap -v -O 208.100.2.25 d. nmap -v -O [www.website.com] Breakdown: According to the scenario, Al will probably choose "nmap -v -O 208.100.2.25" to uncover the OS used by the server. -v = verbose / -O = TCP/IP fingerprinting (to guess the remote OS). Al could also use the DNS name of the website instead of its server IP address. In this case, he would use the nmap command "nmap -v -O www.website.com".
The PCI-DSS requires organizations to perform external pentests. How often will this need to be done? a. Once a quarter b. At least once a year and after a major change or update c. Every two years d. Once a year
b. At least once a year and after a major change or update
Administrators use Remote Desktop to gain access to their servers from different locations. In which of the below ways could a hacker exploit Remote Desktop to gain access? a. Capture any LANMAN (or LM) hashes and crack each of them with Cain and Abel. b. Capture the RDP traffic and then decode it with Cain and Abel. c. Utilize a social engineering tool to capture the domain name of the remote server. d. Scan the server to see what ports are open.
b. Capture the RDP traffic and then decode it with Cain and Abel.
Which of the below statements are true about N-tier architecture? (Choose two). a. N-tier architecture requires at least one logical layer. b. Each layer should exchange information only with the layers above and below it. c. When any layer is modified or updated, the other layers must also be updated so that they agree. d. Each layer must be able to function on a physically independent system.
b. Each layer should exchange information only with the layers above and below it. d. Each layer must be able to function on a physically independent system.
If a hacker wanted to modify prices on a website, which of the below methods would they use? As an aside, there are no alerts shown through IDS. a. XSS b. Hidden form fields c. SQL injection d. Port scanning
b. Hidden form fields
Ian must analyze the results of an internal vulnerability scan to be run on website hosting servers. The code is written in Java and his team lead wants to scan it for buffer overflow vulnerabilities using the SAINT scanning tool. Why should Ian discourage his team lead from this avenue? a. SAINT, as an automated vulnerability assessment tool, is too resource-heavy. b. Java is not vulnerable to buffer overflow attacks. c. All vulnerability signatures will need to be manually updated before SAINT runs a scan. d. The SAINT scanner fails to incorporate the new OWASP Top 10 web application scanning policies and procedures.
b. Java is not vulnerable to buffer overflow attacks. Breakdown: Because Java uses a sandbox to isolate code, it is not vulnerable to buffer overflow attacks. Most web servers, application servers and web application environments are actually susceptible to buffer overflows. However, environments written in interpreted languages such as Java or Python are a notable exception. They are immune to these attacks (except for overflows within the interpreter itself).
Which of the below are password-cracking utilities? (Choose 3.) a. Nmap b. John the Ripper c. Cain and Abel d. KerbCrack e. Wireshark f. WebGoat
b. John the Ripper c. Cain and Abel d. KerbCrack
You need to obtain a packet capture for a network. Which of the below devices would allow you to capture a total picture of the traffic on the wire through Wireshark? a. Network tap b. Layer 3 switch c. Network bridge d. Router
b. Layer 3 switch
Which of the below ways could be used to defeat a multi-level security solution? a. Leak data via asymmetric routing b. Leak data via a covert channel c. Leak data via steganography d. Leak data via an overt channel
b. Leak data via a covert channel
IPSec offers which of the below? a. DDOS protection b. Non-repudiation c. Anti-virus protection d. Availability
b. Non-repudiation
Which of the below can be used to determine which range of IP addresses is mapped to live hosts? a. TRACERT utility b. Ping sweep c. PATHPING d. KisMAC
b. Ping sweep
Grace has made a career as an Ethical Hacker. Her company asks her to test the security of their server against potential Denial of Service (DoS) attacks. In order to accomplish this, she sends ICMP ECHO packets en masse to a set computer. She is employing which of the below techniques against DoS attacks? a. Smurf Denial of Service (DoS) attack b. Ping Flood Denial of Service (DoS) attack c. Teardrop Denial of Service (DoS) attack d. Land Denial of Service (DoS) attack
b. Ping Flood Denial of Service (DoS) attack
Background: Placing backdoors, web server hacking and session hijacking are among the phases of executing attacks. From the below list, which, if any, of these tools can be used to obscure identity? Answer is complete. Select more than one answer if applicable. a. War dialer b. Proxy server c. IPChain d. Anonymizer e. Rootkit
b. Proxy server c. IPChain d. Anonymizer
Which authority of PKI will verify an applicant? a. Certificate Authority b. Registration Authority c. Root Central Authority d. Validation Authority
b. Registration Authority
Various devices, in the form of hardware and software, can emulate key computer services, such as browsers and email. Through these tools, system administrators can determine what vulnerabilities are enabling a hacker to break into a system. What is another name for this kind of device? a. Honeypot b. Router c. Port Scanner d. Core Switch
b. Router
Which of the below tools can be used for footprinting? Answer is complete. Select more than one answer if applicable. a. Brutus b. Sam spade c. Traceroute d. Whois
b. Sam spade c. Traceroute d. Whois
A tester detects an access point via WPA2 during a routine wireless penetration test. Which of the below attacks would be useful in obtaining a key? a. First she needs to reset the MAC address of the wireless network card. Next, she should utilize the AirCrack tool to capture the key. b. She should capture the WPA2 authentication handshake and then work to crack the handshake. c. She should try the key cracking tool airodump-ng [airocrack-ng] through the network ESSID. d. She must reset the network and start from scratch because WPA2 simply cannot be cracked.
b. She should capture the WPA2 authentication handshake and then work to crack the handshake.
Rodger, a security administrator, is very worried about his system becoming infected with a virus. He decides to implement a multi-layered strategy involving anti-virus software on each of his client machines as well as an e-mail gateway. What form of attack will this defend against? a. Scanning attack b. Social engineering attack c. ARP spoofing attack d. Forensic attack
b. Social engineering attack
When scanning the DMZ interface of a firewall, Nmap reports that port 80 is unfiltered. Which of the below represents the type of packet inspection used by the firewall? a. Deep b. Stateless c. Proxy d. Stateful
b. Stateless
Which of the below network scanning utilities is a TCP/UDP port scanner that can also operate as a ping sweeper and/or hostname resolver? a. Netstat b. SuperScan c. Hping d. Nmap
b. SuperScan Breakdown: SuperScan is a TCP/UDP port scanner that works as a ping sweeper and hostname resolver as well. Given a range to ping, it will resolve the host name of a remote system.
What is the chief reason that using a stored biometric opens an individual up to an attack? a. This kind of authorization runs a comparison on the original to the copy rather than the other way around. b. The symbols used to represent a stored biometric might not be original in a digital or stored format. c. An attacker can use the stored biometric data to easily masquerade as the individual identified by that data. d. A stored biometric is no longer "something you have" and instead becomes "something you are."
c. An attacker can use the stored biometric data to easily masquerade as the individual identified by that data.
Nessus is a proprietary vulnerability scanner utilized by many organizations. Which of the below is a technique used by vulnerability scanners? a. Banner grabbing b. Port Scanning c. Analyzing service responses d. Malware analysis
c. Analyzing service responses
Which type of hacker uses their computer knowledge to invade the privacy of others, thereby breaking security laws and rendering the security of information systems weak? a. Security Providing Organization b. Gray Hat c. Black Hat d. White Hat
c. Black Hat
How can you establish that policies, configurations and procedural changes/updates are made in a controlled and well-documented environment? a. Vulnerability scanning b. Compliance c. Change management d. Peer review
c. Change management
When a match for an alert rule is found in Snort, the intrusion detection system carries out which of the below actions? a. Blocks a connection with the source IP address in the packet b. Halts rule query, sends a network alert, and freezes the packet c. Continues to analyze the packet until each rule has been checked d. Drops the packet and selects the next packet detection option
c. Continues to analyze the packet until each rule has been checked
Which of the below methods would succeed in protecting a router from prospective smurf attacks? a. Disabling the ability to forward ports on the router b. Placing the router into broadcast-only mode for a full cycle c. Disabling the router from accepting any broadcast ping messages d. Installing a new router in the DMZ
c. Disabling the router from accepting any broadcast ping messages
You need to find out which protocols a router or firewall blocks as well as which protocols a router or firewall will simply pass on to downstream hosts. You are going to map out any intermediate routers or hops between a scanning host and your target host. After viewing the results, you need to identify which ports are open. The tool displays "A!" when it determines that the metric host is directly behind the target gateway. Which tool are you using for the scan? a. Firewalk b. NMAP c. HPing d. Traceroute
c. HPing Breakdown: Hping is a TCP/IP packet crafter that can be used to create IP packets containing TCP, UDP, or ICMP payloads. Every header field can be modified and controlled from the command line. A good understanding of IP and TCP/UDP is mandatory to use and understand the utility, which was in fact used to implement the idle scan technique, devised by the same developer.
Security teams should do which of the below to reduce attack surface? a. Harvesting b. Scanning c. Hardening d. Windowing
c. Hardening
Which of the below items is a straightforward example of two-factor authentication? a. Fingerprint and smartcard b. Username/login and password c. ID and token or pin d. Iris scanning and fingerprinting
c. ID and token or pin
What are some end objectives of an effective pentesting attempt? a. Verify whether certain data can still be restored with a regular backup in the event of hardware damage. b. Examine the IT infrastructure in terms of its compliance, efficiency, effectiveness, etc. c. Identify vulnerabilities and flaws and improve security of technical systems. d. Catalog the assets and resources in a system.
c. Identify vulnerabilities and flaws and improve security of technical systems.
Which of the below will record everything a user types using a keyboard connected to the machine it is installed within? a. Firewall b. Port scanner c. Keystroke logger d. Line conditioner
c. Keystroke logger
Microsoft's print and file servers are among the more common targets for hackers. Which of the below is a common—but potentially harmful—vulnerability? a. XSS b. SQLinfraction c. Missing patches d. Poor IV standards
c. Missing patches
Background: Luke is an Ethical Hacker. In scanning his company's wireless network, he utilizes a free, open-source tool. The tool analyzes raw IP packets to discover the following: • Which ports are open on the network systems? • Which hosts are available on the network? • Are there unauthorized wireless access points? • Which services (application name, version) are the available hosts providing? • Which operating systems (and OS versions) are the hosts running? • Which types of packet filters/firewalls are being utilized? Based on the above information, which of the below tools is Luke using? a. Nessus b. Kismet c. Nmap d. Sniffer
c. Nmap Breakdown: Nmap is an active data collection tool. The port-scanning ability of the nmap utility can be used to find the open ports on a Linux machine. Administrators can employ this tool to discover which services are accessible to external users.
Scott, a professional Ethical Hacker, has been assigned to do security and vulnerability testing for an organization. In order to find out whether certain computers are connected to the server or not, he will need to ping about 500 computers. Which of the below techniques would save him time and energy? a. PING b. NETSTAT c. Ping sweeping d. TRACEROUTE
c. Ping sweeping Breakdown: The ping sweeping technique allows you to ping a batch of devices and get the list of active devices. Because it is tedious to ping every address on the network one at a time, the ping sweeping technique is highly recommended. The ping command-line utility tests connectivity with a host on a TCP/IP-based network by sending a series of packets to a destination host.
You are starting a new Nessus policy and need to turn on (or enable) Global Variable Settings. Where should you go to enable them? a. Plugins b. General c. Preferences d. Credentials
c. Preferences
Which of the policies listed below is a valid set of rules regarding connecting a system to an internal network while physically in a different location? a. Computer Security Policy b. User Account Policy c. Remote Access Policy d. Network Security Policy
c. Remote Access Policy
Which of the below options represents the best defense against a privilege escalation vulnerability (exploitation of a bug)? a. Patch all computers and servers immediately after the release of any updates. b. Run apps without administrator privileges and download a content registry tool for storage of tracking cookies. c. Run services with your least privileged account(s) and then implement multi-factor authentication, or MFA. d. Monthly reviews of user and administrator roles.
c. Run services with your least privileged account(s) and then implement multi-factor authentication, or MFA.
A pentester (otherwise known as a penetration tester) keys in the below command. What kind of scan is this? nmap -N -sS -PO -p 123 192.168.2.25 a. Idle scan b. Intense scan c. Stealth scan d. Fin scan
c. Stealth scan
In which of the below methods does a hacker send SYN packets followed by a RST packet? a. XMAS scan b. TCP FIN scan c. TCP SYN scan d. IDLE scan
c. TCP SYN scan
How is a penetration tester different from an attacker? a. A penetration tester uses various vulnerability assessment tools. b. A penetration tester does not test the physical security. c. A penetration tester does not perform a sniffing attack. d. A penetration tester differs from an attacker by his lack of malicious intent.
d. A penetration tester differs from an attacker by his lack of malicious intent.
Which of the below tools (based in Linux) can be used for penetration testing? a. JPlag b. Vedit c. Ettercap d. BackTrack (now KALI)
d. BackTrack (now KALI)
Background: You run the following command in the command prompt: Telnet IP Address Port 80 HEAD / HTTP/1.0 Return Return Which of the below information collection methods did you use? a. Port scanning b. Dumpster diving c. OS fingerprinting d. Banner grabbing
d. Banner grabbing
Adam is a malicious hacker who attacks a company's server. Once he has gotten in, he sets up a backdoor on the company's server and modifies the log files. Which of the above-discussed phases includes that modification? a. Reconnaissance b. Maintaining access c. Gaining access d. Covering/Clearing tracks
d. Covering/Clearing tracks
Which of the below types of privacy invasion involves modifying data or information before or during input into a computer system with the intent to steal or commit fraud? a. Spoofing b. Wiretapping c. Eavesdropping d. Data diddling
d. Data diddling
Which of the below kinds of machines do security teams often use for attracting potential intruders? a. Bastion host b. Data pot c. Files pot d. Honeypot
d. Honeypot Breakdown: A honeypot is a machine/computer that can be used to draw in potential intruders or attackers. A honeypot has intentionally low security permissions and is useful in collecting intelligence about attackers and their tactics.
How can gray box testing be distinguished from black box testing? a. In white box testing, the tester has no knowledge of the target. He was given only the company's name. b. In black box testing, the tester has complete knowledge of the internal company network. c. In gray box testing, the tester has to try to gain access into a system using commercially available tools only. d. In gray box testing, the attacker performs attacks with a normal user account to see if he can escalate privileges.
d. In gray box testing, the attacker performs attacks with a normal user account to see if he can escalate privileges.
Phil needs to procure information related to a server whose IP address falls within the address range used in Brazil. There are many registries available online for discovering the details of web server IP addresses, or for reverse Domain Name Service (DNS) lookup. Which of the below registries will be most useful to him? a. RIPE NCC b. APNIC c. ARIN d. LACNIC
d. LACNIC Breakdown: Phil needs to obtain information about a web server situated in Brazil. Registries are available throughout the world, most often broken up by geographic region. The Latin American and Caribbean Internet Addresses Registry, or LACNIC, is the Regional Internet Registry for the Latin American and Caribbean regions and is therefore the best registry for doing a DNS lookup. LACNIC is one of five (5) regional Internet registries worldwide. Its chief purpose is to assign and administer IP addresses for the region of Latin America and parts of the Caribbean. The Réseaux IP Européens Network Coordination Centre, or RIPE NCC, is the Regional Internet Registry (RIR) for Europe, the Middle East, and certain parts of Central Asia. The Asia Pacific Network Information Centre (APNIC), the Regional Internet Registry for the Asia Pacific region, assigns and administers numerical resource allocation as well as registration services to support the global operation of the Internet. The American Registry for Internet Numbers (ARIN) is the Regional Internet Registry (RIR) for Canada, parts of the Caribbean, some North Atlantic islands, and the United States.
Chuck needs to perform a basic vulnerability scan using Nmap. When dealing with protocols like FTP and HTTP, what key engine does Nmap utilize? a. SAINT b. Metasploit c. NESSUS d. Nmap
d. Nmap
What is the first thing an ethical hacker must do before running a pentest? a. Perform an nmap scan. b. Uncover social engineering metadata. c. Print a findings report. d. Obtain a signed document from senior management
d. Obtain a signed document from senior management
Penetration tests occur in phases. Recall from a previous question the terms 'data gathering' and 'reconnaissance'. During which phase(s) do these two actions occur? a. Out-attack phase b. Post-attack phase c. Attack phase d. Pre-attack phase
d. Pre-attack phase
In his profession as an Ethical Hacker, Chistov is often assigned jobs where he needs to test the security of a website. In this case, he is assigned to check the security of a new website. He can't remember what the first step is in malicious hacking, but he needs to know it in order to protect against hackers. What is the first step? a. Maintaining Access b. Scanning c. Covering/Clearing Tracks d. Reconnaissance e. Gaining Access
d. Reconnaissance
Background: When data that did not originate from an authentic source (in other words, an authoritative DNS source) is provided to a caching name server, this is called DNS cache poisoning. Once a DNS server receives this non-authentic data and caches it for future performance gains, it is considered "poisoned" because it will thereafter supply its clients with that non-authentic data. In order to determine the end-time for DNS cache poisoning, which of the below DNS records should you examine? a. MX b. NS c. PTR d. SOA
d. SOA Breakdown: A start of authority (SOA) record contains information about the DNS zone in which it is stored and about other DNS records. A DNS zone is the area of a domain that is within the responsibility of a specific DNS server. There is only one SOA record for each DNS zone. As stated above, when data is provided to a DNS server that did not originate from authoritative Domain Name System (DNS) sources (whether intentionally or unintentionally), it is called DNS cache poisoning. To perform such an attack, the attacker discovers and takes advantage of a flaw in the DNS software. A server must correctly validate that DNS responses have originated from an authentic source, or the server may end up caching incorrect entries locally and inevitably deliver them to users who make identical requests. Also called a "mail exchanger record," an MX is likewise stored in the zone file of a Domain Name Server (DNS). The MX record associates a domain name with another domain name that is stored in an address record (an "A" record). A name server record, or NS record, establishes the server that is considered the authoritative server for the DNS zone. The pointer record (PTR) is housed in the Domain Name System (DNS) database and is responsible for mapping an IP address to a specific host name in the in-addr.arpa domain. These records are used when performing reverse DNS lookups.
As the Security Consultant for a firm, Ingrid must check security for her client's network. Her client informs her that of his many concerns, the security of the firm's Web applications hosted on its Web server is the most important to him. With this in mind, which of the below should be Ingrid's highest priority? a. Setting up an intrusion detection system (IDS). b. Configuring a believable honeypot. c. Scanning for open ports. d. Scanning and removing vulnerabilities.
d. Scanning and removing vulnerabilities.
While running an Nmap scan for filtered ports, you send an ACK flag and receive a RST packet for open and closed ports. What kind of Nmap scan did you run? a. Null Scan - sN b. Fin Scan - sF c. XMAS Scan -sX d. TCP ACK scan - sA
d. TCP ACK scan - sA Breakdown: The TCP ACK scan will not discover open and closed ports—it will determine whether or not a port is filtered or unfiltered. When an ACK flag is sent, open and closed ports will return RST. Any ports that do not respond are considered filtered. Conversely, with a NULL scan, no flags are set on the packet. The target must follow RFC 793, the TCP specification. If the port is open or filtered, it will receive no response. If the port is closed, it will receive RST. In a FIN scan, the FIN flag is set on the packet. Again, the target must follow RFC 793. If a port is open or filtered, it will receive no response; yet it will receive RST if a port is actually closed. In an XMAS scan, the FIN, URG, and PSH flags are set on the packet. The target must still follow RFC 793. It will receive no response if a port is open or filtered and will receive RST if a port is closed.
Which of the below is a good definition of the principle of least privilege? a. A manager should have all the access and privileges of his or her employees. b. People at the bottom of an organization's hierarchy should have lower privileges than the highest members of the hierarchy. c. All users should need to input a unique password before being given any access. d. Users should have access only to the data and services that are necessary and important to perform their job(s).
d. Users should have access only to the data and services that are necessary and important to perform their job(s).
Which of the below utilities is a protocol analyzer with the ability to capture packet traffic as it comes into the network ("in real time")? a. NetWitness b. Netresident c. Snort d. Wireshark
d. Wireshark Breakdown: Wireshark is a protocol analyzer with the ability to capture packet traffic as it comes into the network ("in real time"). It is free and open source, and will act as a packet sniffer, capturing network traffic for purposes of troubleshooting, development of software/communications protocol, analysis, and as a teaching tool. It was originally called Ethereal. Wireshark will work on Windows, Mac, Linux, or Unix machines.
Jay is using Facebook, Twitter, and other social networking sites to gather information on his targets. What sort of methods is he employing? (Select 2.) a. Distributed denial of service attack b. MiTM attack c. Teardrop attack d. SQL injection attack e. Phishing attack f. Social engineering attack
e. Phishing attack f. Social engineering attack