Certified Ethical Hacker v13
What are the phases of the ethical hacking framework?
1. Reconnaissance 2. Vulnerability scanning 3. Gaining access 4. Maintaining access 5. Clearing tracks
Which Nmap command combination would let a tester scan every TCP port on a class C network that is blocking ICMP, with OS fingerprinting and service detection? A. NMAP -Pn -A -O -sS -p1-65535 192.168.2.0/24 B. NMAP -P0 -A -sT -p0-65535 192.168.0/16 C. NMAP -Pn -O -sS -p 1-1024 192.168.0/8 D. NMAP -P0 -A -O -p1-65535 192.168.0/24
A.
Which of the following protocols uses TCP port 179 to enable routers to establish sessions between them? A. BGP B. LDAP C. SIP D. SNMP
A. BGP
Which of the following tools allows an attacker to extract information such as sender identity, mail server, sender's IP address, location, and so on?
A. Email tracking tools B. Web updates monitoring tools C. Metadata extraction tools D. Website mirroring tools
Maya, a security analyst, was tasked with assessing the security of smart devices within an organization's network. While performing security scanning, Maya identified an insecure placement of some smart devices and made the necessary amendments to the network. Which of the following types of scanning did Maya perform in the above scenario? A. Host-based scanning B. Database scanning C. IoT device vulnerability scanning D. Distributed scanning
C
Which of the following Nmap options is used by an attacker to perform an SCTP COOKIE ECHO scan? A. -sL B. -sU C. -sZ D. -sY
C
When a client's computer is infected with malicious software that connects to a remote computer to receive commands, the remote computer is called ___________. A. Botnet B. Server C. Bot D. C&C
C&C
Which of the following protocols uses TCP port 179 to enable routers to establish sessions between them? A. LDAP B. SIP C. BGP D. SNMP
C. BGP
Which of the following ping methods is effective in identifying active hosts, similar to the ICMP timestamp ping, specifically when the administrator blocks the conventional ICMP ECHO ping? A. ICMP address mask ping scan B. UDP ping scan C. ICMP ECHO ping sweep D. ICMP ECHO ping scan
A. ICMP address mask ping scan. ICMP Address Mask Ping Scan: this ping method is also effective in identifying active hosts, similar to the ICMP timestamp ping, specifically when the administrator blocks the traditional ICMP Echo ping.
Identify the metric group within CVSS that reflects the potential or direct consequence of a successful exploit on the confidentiality, integrity, and availability of the information. A. Impact metrics B. Environmental metrics C. Supplemental metrics D. Threat metrics
A. Impact metrics
Which of the following protocols uses TCP or UDP as its transport protocol over port 389? A. LDAP B. SIP C. SMTP D. SNMP
A. LDAP
Jude, a professional hacker, targeted an organization's web server. Jude wanted to extract the information removed from older copies or archived links of the target website. For this purpose, he employed an exploration tool that assisted him in retrieving the archived URLs of the target website. Identify the tool employed by Jude in the above scenario. A. Photon B. Gephi C. Burp Suite D. Netcraft
A. Photon
In which of the following scanning techniques does an attacker send a spoofed source address to a computer to determine the available services? A. Inverse TCP flag scan B. IDLE/IPID header scan C. TCP Maimon scan D. ACK flag probe scan
B. IDLE/IPID header scan
Which of the following intrusion detection techniques involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision? A. Protocol anomaly detection B. Anomaly detection C. Obfuscating D. Signature recognition
Signature recognition
Cryptographic method used to verify integrity by creating a unique fixed-size string from a message
Hashing
Elements of Information Security
1. Confidentiality 2. Integrity 3. Availability 4. Authenticity 5. Non-repudiation
Categories of Information Warfare
1. Hacker warfare 2. Psychological warfare 3. Electronic warfare 4. C2 warfare 5. Intelligence-based warfare 6. Cyber warfare 7. Economic warfare
NTP (Network Time Protocol)
123/tcp
Which of the following TCP communication flags confirms the receipt of a transmission and identifies the next expected sequence number? 1. FIN flag 2. ACK flag 3. SYN flag 4. RST flag
2. ACK
TFTP (Trivial File Transfer Protocol)
69/tcp
finger
79/tcp
Kerberos
88/tcp
Sean, who works as a network administrator, has just deployed an IDS in his organization's network. The IDS generates four types of alerts: true positive, false positive, false negative, and true negative. In which of the following conditions does the IDS generate a true positive alert? A. A true positive is a condition occurring when an event triggers an alarm when no actual attack is in progress. B. A true positive is a condition occurring when an IDS fails to react to an actual attack event. C. A true positive is a condition occurring when an IDS identifies an activity as acceptable behavior and the activity is acceptable. D. A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress.
A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress.
Alex, a professional hacker, plans to gather detailed information about a target network's infrastructure and performance metrics. For this purpose, he needs a tool that can trace network routes, monitor packet loss, and visualize latency over time. Which of the following tools would help Alex achieve his goal? A. PingPlotter B. Sherlock C. Shodan D. IP2LOCATION's Email Header Tracer
A. PingPlotter. PingPlotter allows attackers to collect traceroute data for target hosts using ICMP, UDP, and TCP packets. It automatically discovers the network hops and tracks latency and packet loss over time. Using this tool, attackers can visualize the traceroute data in readable graphs, which aids in identifying bandwidth bottlenecks, Wi-Fi interference, or hardware faults on the target network.
Which of the following protocols typically uses port 22 to ensure secure data exchange over a single Internet connection? A. SFTP B. BGP C. SMB D. SMTP
A. SFTP. TCP 22: Secure Shell (SSH) / Secure File Transfer Protocol (SFTP). SFTP, by default, uses port 22, facilitating the secure exchange of data over a single Internet connection. Using a single designated port enhances its security and simplicity compared to protocols like FTP/S that require multiple ports for operation.
Which of the following is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system?
A. Traceroute B. Whois lookup C. DNS lookup D. TCP/IP
Which of the following ports provides a name-resolution service for computers running NetBIOS that is also known as the Windows Internet Name Service (WINS)? A. UDP 137 B. TCP 22 C. UDP 161 D. TCP 135
A. UDP 137. NBNS, also known as the Windows Internet Name Service (WINS), provides a name-resolution service for computers running NetBIOS.
Which Google search query will search for any files that the target certifiedhacker.com may have exposed?
A. allinurl: certifiedhacker.com ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini B. site: certifiedhacker.com filetype:xml | filetype:conf | filetype:cnf | filetype:reg | filetype:inf | filetype:rdp | filetype:cfg | filetype:txt | filetype:ora | filetype:ini C. site: certifiedhacker.com ext:xml || ext:conf || ext:cnf || ext:reg || ext:inf || ext:rdp || ext:cfg || ext:txt || ext:ora || ext:ini D. site: certifiedhacker.com intext:xml | intext:conf | intext:cnf | intext:reg | intext:inf | intext:rdp | intext:cfg | intext:txt | intext:ora | intext:ini
What is the formula for information security attacks?
Attacks = Motive (Goal) x Method (TTP) x Vulnerability
IPsec protocol that provides data integrity and origin authentication but does NOT provide confidentiality (encryption)
Authentication Header
Identify the AI-powered vulnerability assessment tool that uses machine-learning algorithms for vulnerability detection and API protection. A) NetScanTools Pro B) Equixly C) SnmpWalk D) thc-hydra
B
Which of the following tools are useful in extracting information about the geographical location of routers, servers, and IP devices in a network? A. Web spidering tools B. Traceroute tools C. Website mirroring tools D. Email tracking tools
B
Identify the tool that uses AI and ML to detect a wide range of vulnerabilities, including the top 10 OWASP application security risks. A) DNSQuerySniffer B) Beagle Security C) inSSIDer D) HawkEye
B Beagle Security is a comprehensive web application security testing platform that combines automated scanning and manual penetration testing. It uses AI and ML to detect a wide range of vulnerabilities, including the top 10 OWASP risks, and provides detailed reports to help organizations improve their application security.
Mark, an attacker, aimed to identify active hosts on a target network without drawing significant attention. To streamline his reconnaissance efforts, he used ShellGPT to generate the appropriate Nmap command. By providing a prompt via ShellGPT, Mark was able to perform an ICMP ECHO ping sweep on the target network. Which of the following commands did ShellGPT generate for Mark in the above scenario? A. nmap -sM -v 10.10.1.10 B. nmap -sn -PE 10.10.1.0/24 C. ping -c 1 10.10.1.9 | grep "ttl" D. nmap -sX 10.10.1.11
B.
In which of the following enumeration techniques does an attacker take advantage of different error messages generated during the service authentication process? A. Extracting usernames using email IDs B. Brute-force Active Directory C. Extracting usernames using SNMP D. Extracting information using default passwords
B. Brute-force Active Directory
Which of the following types of software vulnerability occurs due to coding errors and allows attackers to gain access to the target system? A. Unpatched servers B. Buffer overflow C. Misconfiguration D. Open services
B. Buffer Overflow
Which of the following tools is specifically used for scanning and enumerating subdomains and identifying non-contiguous IP spaces associated with a target domain? A. BuzzSumo B. Fierce C. IP2Location D. Sherlock
B. Fierce
Peter, a professional hacker, targeted an organization's network to gather as much information as possible to perform future attacks. For this purpose, he employed a reconnaissance framework that helped him gather confidential information such as private Secure Shell (SSH) and Secure Sockets Layer (SSL) keys as well as dynamic libraries from an online third-party repository. Identify the online third-party repository targeted by Peter in the above scenario. A. Sublist3r B. GitLab C. BeRoot D. MITRE ATT&CK framework
B. GitLab (the only option that is a repository). Source-code repositories: these are online services or tools available on internal servers or hosted on third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Such sites contain sensitive data related to configuration files, private Secure Shell (SSH) and Secure Sockets Layer (SSL) keys, source-code files, dynamic libraries, and software tools developed by contributors, which can be leveraged by attackers to launch attacks on the target organization.
Which of the following terms refers to an undesirable incident that occurs when software or a system program depends on the execution of processes in a sequence and on the timing of the programs? A. Memory leaks B. Race condition C. Integer overflows D. Null pointer/object dereference
B. Race condition. A race condition is an undesirable incident that occurs when software or a system program depends on the execution of processes in a sequence and on the timing of the programs. This condition occurs when a system that handles events in a sequential format is coerced into performing multiple operations simultaneously.
Jacob, a professional hacker, targeted an organization's website to find a way into its network. To achieve his goal, he employed a footprinting tool that helped him in gathering confidential files and other relevant information related to the target website from public source-code repositories. Identify the footprinting tool employed by Jacob in the above scenario. A. ShellPhish B. Recon-ng C. Reverse Lookup D. Netcraft
B. Recon-ng
A security engineer is attempting to perform scanning on a company's internal network to verify the security policies of their networks. The engineer uses the following Nmap command: nmap -n -sS -P0 -p 80 ***.***.**.**. What type of scan is this? A. Intense scan B. Stealth scan C. Comprehensive scan D. Quick scan
B. Stealth scan
Which protocol and port number might be needed to send log messages to a log analysis tool that resides behind a firewall? A. UDP 415 B. UDP 514 C. UDP 541 D. UDP 123
B. UDP 514
Tom, an ethical hacker, was tasked with evaluating the security posture of his organization's network. As part of his job, Tom used an AI tool to automate network scanning tasks. He executed an hping3 scan on port 80 of a target IP address and determined the port status. Identify the command that assisted Tom in the above scenario. A. hping3 -S 72.14.207.99 -p 80 --tcp-timestamp B. hping3 --ack -p 80 10.10.1.11 C. hping3 -F -P -U 10.0.0.25 -p 80 D. hping3 --icmp --count 10 10.10.1.11
B. hping3 --ack -p 80 10.10.1.11. `hping3`: invokes the Hping3 tool, a network scanning and testing utility. `--ack`: specifies the TCP ACK scan mode, in which Hping3 sends TCP packets with the ACK flag set. `-p 80`: specifies the destination port to which the TCP packets will be sent; here it is port 80, which is commonly used for HTTP (web) traffic. `10.10.1.11`: the target IP address to which the TCP packets will be sent.
Which of the following protocols provides a reliable multiprocess communication service in a multinetwork environment? A. SMTP B. TCP C. SNMP D. UDP
B. TCP
Which of the following information is collected using enumeration? A. Email recipient's system IP address and geolocation B. Network resources, network shares, and machine names C. Open ports and services D. Operating systems, location of web servers, users, and passwords
B. Network resources, network shares, and machine names
Which of the following elements in the firewall architecture is a computer system designed and configured to protect network resources from attacks and acts as a mediator between inside and outside networks? A. Multi-homed firewall B. Demilitarized zone C. Bastion host D. Screened subnet
Bastion Host
Steve, an attacker, wants to track the most shared content that belongs to the target organization. For this purpose, he used an advanced social search engine that displayed shared activity across all major social networks including Twitter, Facebook, LinkedIn, Google Plus, and Pinterest. What is the tool employed by Steve in the above scenario?
BuzzSumo
In which of the following enumeration techniques does an attacker take advantage of different error messages generated during the service authentication process? A. Extracting usernames using email IDs B. Extracting information using default passwords C. Brute-force Active Directory D. Extracting usernames using SNMP
C. Brute-force Active Directory. This is a design error in the Microsoft Active Directory implementation: if a user enables the "logon hours" feature, then all attempts at service authentication result in different error messages.
If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP? A. Broadcast ping B. Traceroute C. Hping D. TCP ping
C. Hping
Which of the following tools is a command-line search tool for Exploit-DB that allows taking a copy of the Exploit database for remote use? A. Spyse B. DroidSniff C. SearchSploit D. Spokeo
C. SearchSploit
Which of the following tools allows attackers to search for people belonging to the target organization? A. Netcraft B. GFI LanGuard C. Spokeo D. OpenVAS
C. Spokeo
Jake, an attacker, is performing an attack on a target organization to gather sensitive information. In this process, he exploited the protocol running on port 23 to perform banner grabbing on other protocols, such as SSH and SMTP, as well as brute-forcing attacks on login credentials. Which of the following protocols is running on port 23? A. File Transfer Protocol B. Border Gateway Protocol C. Telnet D. Secure Shell
C. Telnet
Which of the following vulnerabilities occurs in software due to a lack of proper certificate validation, or an expired certificate, that could allow attackers to embed malicious code and trick users into installing it? A. Improper input handling B. Race conditions C. Code signing weakness D. Time of check/time of use
C. Code signing weakness
Which of the following location and data examination tools allows ethical hackers to perform two or more scans on different machines in the network? A) Agent-based scanner B) Network-based scanner C) Cluster scanner D) Proxy scanner
Cluster scanner
An attacker is using the scanning tool Hping to scan and identify live hosts, open ports, and services running on a target network. He/she wants to collect all the TCP sequence numbers generated by the target host. Which of the following Hping commands does he/she need to use to gather the required information? A. hping3 -S <Target IP> -p 80 --tcp-timestamp B. hping3 -A <Target IP> -p 80 C. hping3 -F -P -U 10.0.0.25 -p 80 D. hping3 <Target IP> -Q -p 139 -s
D
Which of the following hping commands is used by an attacker to collect the initial sequence number? A. hping3 -A 10.0.0.25 -p 80 B. hping3 -2 10.0.0.25 -p 80 C. hping3 -S 72.14.207.99 -p 80 --tcp-timestamp D. hping3 192.168.1.103 -Q -p 139 -s
D
Jim, an ethical hacker, was hired to perform a vulnerability assessment on an organization to check its security posture and its vulnerabilities. Jim used a tool that helped him continuously identify threats and monitor unexpected changes in the network before they turn into breaches. Which of the following tools did Jim employ in the above scenario? A) Octoparse B) theHarvester C) Sherlock D) Qualys VM
D. Qualys VM is a cloud-based service that gives immediate, global visibility into where IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps to continuously identify threats and monitor unexpected changes in a network before they turn into breaches.
Given below is the command generated by ShellGPT to gather email accounts associated with the target organization: `theHarvester -d microsoft.com -l 200 -b Baidu -f Microsoft_emails.xml`. Which of the following parameters from the above command is used to specify the data source for gathering email accounts? A. -l 200 B. -d microsoft.com C. theHarvester D. -b Baidu
D. -b Baidu
Which of the following protocols is widely used by Internet service providers (ISPs) to maintain huge routing tables and efficiently process Internet traffic? A. TFTP B. FTP C. SIP D. BGP
D. BGP. Border Gateway Protocol (BGP) is widely used by Internet service providers (ISPs) to maintain huge routing tables and to process Internet traffic efficiently. BGP routers establish sessions on TCP port 179. Misconfiguration of BGP may lead to various attacks such as dictionary attacks, resource-exhaustion attacks, flooding attacks, and hijacking attacks.
Which of the following protocols uses port number 88/TCP and can verify the identity of a user or host connected to a network? A. TFTP B. Finger C. NTP D. Kerberos
D. Kerberos
Which of the following features in FOCA allows an attacker to find more servers in the same segment of a determined address? A. IP resolution B. Web search C. DNS search D. PTR scanning
D. PTR scanning. PTR scanning finds more servers in the same network segment as a given IP address; FOCA performs a PTR scan of that range.
Which of the following types of scanning involves the process of checking the services running on a target computer by sending a sequence of messages to break in? A. Banner grabbing B. Vulnerability scanning C. Network scanning D. Port scanning
D. Port Scanning
Henry, an employee of an organization, faced issues with a newly allocated system, which was purchased from a refurbished market. When he raised a complaint, the security team analyzed the system components and identified that the vendor did not properly sanitize the system's drive. Identify the third-party risk demonstrated in the above scenario. A. Design flaws B. Unpatched firmware C. Data storage D. Supply-chain risk
D. Supply-chain risk
Which of the following scans detects when a port is open after completing the three-way handshake, establishes a full connection, and closes the connection by sending an RST packet? A. ACK flag probe scan B. IDLE/IPID header scan C. Stealth scan D. TCP connect scan
D. TCP connect scan. A TCP connect scan detects when a port is open after completing the three-way handshake; it establishes a full connection and then closes the connection by sending an RST packet.
Which of the following port numbers is used to exploit vulnerabilities within DNS servers to launch attacks? A. TCP/UDP 135 B. UDP 137 C. TCP 139 D. TCP/UDP 53
D. Port 53
Jack, a professional hacker, searched for Fortinet VPN login pages using an AI-based automated tool. After accessing the search results, Jack wants to filter out the lines containing a specific string from the output. Which command would help Jack achieve this objective? A. `| cut -d "=" -f2>` B. `recon1.txt| grep -o` C. `"http[^&]*"` D. `| grep "http"`
D. | grep "http"
Which of the following protocols provides a reliable multiprocess communication service in a multinetwork environment? A. SMTP B. UDP C. SNMP D. TCP
D. TCP
Robert, a professional hacker, launched a reflection attack on the target organization's Microsoft Azure environment to degrade its network capacity. For this purpose, he sent a large number of spoofed UDP packets, with fake source IP addresses resembling those of the targets, to an intermediary server. The intermediary server started responding to all the source IP addresses at once, causing legitimate users to wait to receive the resources. Which of the following types of attacks did Robert launch in the above scenario? A. MarioNet attack B. IRDP spoofing C. DNS server hijacking D. DDoS attack
DDoS attack
Electronic document that binds a public key to an identity, used to establish authenticity (e.g., in SSL/TLS)
Digital Certificate
Technology that provides non-repudiation by proving a message originated from a specific sender's private key
Digital Signatures
Primary technical control used to ensure confidentiality for data at rest and in transit
Encryption
Which of the following TCP communication flags is set to "1" to announce that no more transmissions will be sent to the remote system and that the connection established by the SYN flag is terminated? A. ACK flag B. SYN flag C. FIN flag D. RST flag
FIN flag
Which of the following attributes of a packet can be used to check whether the packet originated from an unreliable zone? A. Source IP address B. Direction C. Interface D. TCP flag bits
Interface: Used to check whether the packet is coming from an unreliable zone.
Classification of Attacks
Passive Attacks, Active Attacks, Close-in Attacks, Insider Attacks, Distribution Attacks
Attribution
The process of identifying and tracing the origins of cyberattacks to specific threat actors
Based on an Nmap result, what does an open port 515/tcp indicate about what is installed on the target machine?
Port 515 (TCP and UDP) is used to interact with printers. Since port 515 is open in the Nmap output, the host is probably a printer.
Information Warfare
Use of information and communication technologies (ICT) to gain competitive advantages over an opponent
