Ethical Hacking - C701 CEH Certified Ethical Hacker Practice Exams, Fourth Edition 1/2


What is being attempted with the following command? nc -u -v -w2 192.168.1.100 1-1024

A UDP port scan of ports 1-1024 on a single address. In this example, netcat is being used to run a scan on UDP ports (the -u switch gives this away) from 1 to 1024. The address provided is a single address, not a subnet. Other switches in use here are -v (for verbose) and -w2 (defines the two-second timeout for connection, where netcat will wait for a response).

A team member is using nmap and asks about the "scripting engine" in the tool. Which option switches can be used to invoke the nmap scripting engine? (Choose two.)

-sC and --script. Nmap is a great scanning tool, providing numerous options, and you'll need to know the syntax very well. The NSE (Nmap Scripting Engine) is a portion of the tool that allows the use of scripts in scanning. Directly from nmap's site (https://nmap.org/book/nse.html), "NSE is activated with the -sC option (or --script if you wish to specify a custom set of scripts) and results are integrated into Nmap normal and XML output."

Your network contains certain servers that typically fail once every five years. The total cost of one of these servers is $1000. Server technicians are paid $40 per hour, and a typical replacement requires two hours. Ten employees, earning an average of $20 per hour, rely on these servers, and even one of them going down puts the whole group in a wait state until it's brought back up. Which of the following represents the ARO for a server?

0.20. When performing business impact analysis (or any other value analysis for that matter), the annualized loss expectancy (ALE) is an important measurement for every asset. To compute the ALE, multiply the annualized rate of occurrence (ARO) by the single loss expectancy (SLE). The ARO is the frequency at which a failure occurs on an annual basis. In this example, servers fail once every five years, so the ARO would be 1 failure / 5 years = 20 percent.

From the partial e-mail header provided, which of the following represents the true originator of the e-mail message?

Return-path: <[email protected]>
Delivery-date: Tue, 12 Mar 2019 00:31:13 +0200
Received: from mailexchanger.anotherbiz.com ([220.15.10.254]) by mailserver.anotherbiz.com running ExIM with esmtp id xxxxxx-xxxxxx-xxx; Tue, 12 Mar 2019 01:39:23 +0200
Received: from mailserver.anybiz.com ([158.190.50.254] helo=mailserver.anybiz.com) by mailexchanger.anotherbiz.com with esmtp id xxxxxx-xxxxxx-xx for [email protected]; Tue, 12 Mar 2019 01:39:23 +0200
Received: from SOMEONEComputer [217.88.53.154] (helo=[SOMEONEcomputer]) by mailserver.anybiz.com with esmtpa (Exim x.xx) (envelope-from <[email protected]>) id xxxxx-xxxxxx-xxxx for [email protected]; Mon, 11 Mar 2019 20:36:08 -0100
Message-ID: <[email protected]>
Date: Mon, 11 Mar 2019 20:36:01 -0100
X-Mailer: Mail Client
From: SOMEONE Name <[email protected]>
To: USERJOE Name <[email protected]>
Subject: Something to consider

217.88.53.154. E-mail headers are packed with information showing the entire route the message has taken, and I can guarantee you'll see at least one question on your exam about them. You'll most likely be asked to identify the true originator—the machine (person) who sent the e-mail in the first place (even though in the real world with proxies and whatnot to hide behind, it may be impossible). This is clearly shown in the last Received header (line 9 of the original listing): Received: from SOMEONEComputer [217.88.53.154] (helo=[SOMEONEcomputer]). But don't just study and rely on that one section. Watch the entire trek the message takes and make note of the IPs along the way.

You are examining traffic to see if there are any network-enabled printers on the subnet. Which of the following ports should you be monitoring for?

631. You will probably see three to five questions on port numbering alone. So just exactly how do you commit 1024 port numbers (0-1023 is the well-known range) to memory when you have all this other stuff to keep track of? You probably won't, and maybe you can't. The best advice I can give you is to memorize the really important ones—the ones you know beyond a shadow of a doubt you'll see on the exam somewhere—and then use the process of elimination to get to the right answer.

You are attempting to find out the operating system and CPU type of systems in your target organization. The DNS server you want to use for lookup is named ADNS_Server, and the target machine you want the information on is ATARGET_SYSTEM. Which of the following nslookup command series is the best choice for discovering this information? (The output of the commands is redacted.)

> server ADNS_SERVER
...
> set type=HINFO
> ATARGET_SYSTEM
...

This question gets you on two fronts. One regards knowledge on HINFO, and the other is nslookup use. First, the DNS record HINFO (per RFC 1035) is a resource type that identifies values for CPU type and operating system. Are you absolutely required to include an HINFO record for each host in your network? No, not at all. Should you? I'm sure there's some reason, somewhere and sometime, that adding HINFO makes sense, but I certainly can't think of one. In other words, this is a great record type to remember for your exam, but your chances of seeing it in use in the real world rank somewhere between seeing Lobster on the menu at McDonald's and catching a Leprechaun riding a unicorn through your backyard.

You are examining traffic and notice an ICMP Type 3, Code 13 response. What does this normally indicate?

A firewall is prohibiting connection. ICMP types will be covered in depth on your exam, so know them well. Type 3 messages are all about "destination unreachable," and the code in each packet tells you why it's unreachable. Code 13 indicates "communication administratively prohibited," which indicates a firewall filtering traffic. Granted, this occurs only when a network designer is nice enough to configure the device to respond in such a way, and you'll probably never get that nicety in the real world, but the definitions of what the "type" and "code" mean are relevant here.

Nmap is a powerful scanning and enumeration tool. What does the following nmap command attempt to accomplish? nmap -sA -T4 192.168.15.0/24

A parallel, fast ACK scan of a Class C subnet. You are going to need to know nmap switches well for your exam. In this example, the -sA switch indicates an ACK scan, and the -T4 switch indicates an "aggressive" timing template, which runs fast and in parallel.

An ethical hacker is given no prior knowledge of the network and has a specific framework in which to work. The agreement specifies boundaries, nondisclosure agreements, and a completion date definition. Which of the following statements is true?

A white hat is attempting a black-box test. I love these types of questions. Not only is this a two-for-one question, but it involves identical but confusing descriptors, causing all sorts of havoc. The answer to attacking such questions—and you will see them, by the way—is to take each section one at a time. Start with what kind of hacker he is. He's hired under a specific agreement, with full knowledge and consent of the target, thus making him a white hat. That eliminates C and D right off the bat. Second, to address what kind of test he's performing, simply look at what he knows about the system. In this instance, he has no prior knowledge at all (apart from the agreement), thus making it a black-box test.

Your client's business is headquartered in Japan. Which regional registry would be the best place to look for footprinting information?

APNIC. This one is easy as pie and should be a freebie if you see it on the test. There are five regional Internet registries that provide overall management of the public IP address space within a given geographic region. APNIC handles the Asia and Pacific realms.

You have tapped into a network subnet of your target organization. You begin an attack by learning all significant MAC addresses on the subnet. After some time, you decide to intercept messages between two hosts. You begin by sending broadcast messages to Host A showing your MAC address as belonging to Host B, while also sending messages to Host B showing your MAC address as belonging to Host A. What is being accomplished here?

ARP poisoning to allow you to see messages from Host A to Host B. ARP poisoning is a relatively simple way to place yourself as the "man in the middle" and spy on traffic (by the way, be careful with the term man in the middle because it usually refers to a position where you are not interrupting traffic). The ARP cache is updated whenever your machine does a name lookup or when ARP (a broadcast protocol) receives an unsolicited message advertising a MAC-to-IP match. In this example, you've told Host A that you hold the MAC address for Host B. Host A will update its cache, and when a message is being crafted by the OS, it will happily put the spoofed address in its place. Just remember that ARP poisoning is oftentimes noisy and may be easy to discover if port security is enabled: depending on implementation, the port will lock (or amber in nerd terminology) when an incorrect MAC tries to use it or when multiple broadcasts claiming different MACs are seen. Additionally, watch out for denial-of-service side effects of attempting ARP poisoning—you may well bring down a target without even trying to, not to mention Host B is eventually going to find out it's not receiving anything from Host A. As a side note, detection of ARP poisoning can be done with a tool called xAR

An ethical hacker searches for IP ranges owned by the client, reads news articles, observes when bank employees arrive and leave from work, searches the client's job postings, and visits the client's dumpster. Which of the following is a true statement?

All of the actions are passive footprinting. I know, I know—I can hear you professional test takers screaming at me already: "Any answer that starts with 'all' can be eliminated!" And, normally, I'd agree with you, but it's precisely why I added it here. Each and every example in this question happens to be an example of passive footprinting.

A colleague enters the following command: root@mybox: # hping3 -A 192.168.2.x -p 80 What is being attempted here?

An ACK scan using hping3 on port 80 for a group of addresses. Hping is a great tool that provides a variety of options. You can craft packets with it, audit and test firewalls, and do all sorts of crazy man-in-the-middle stuff with it. In this example, you're simply performing a basic ACK scan (the -A switch) using port 80 (-p 80) on an entire Class C subnet (the x in the address runs through all 254 possibilities). Hping3, the latest version, is scriptable (TCL language) and implements an engine that allows a human-readable description of TCP/IP packets.

Which of the following may be a security concern for an organization?

An external DNS server is Active Directory integrated. If you have a Windows Active Directory (AD) network, having AD-integrated DNS servers has some great advantages. For example (and directly from Microsoft, I might add), "with directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model. In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain." Zones are also replicated and synchronized to new domain controllers automatically whenever a new one is added to an Active Directory domain, and directory replication is faster and more efficient than standard DNS replication. But having an Active Directory server facing externally is a horrible idea.

A machine in your environment uses an open X-server to allow remote access. The X-server access control is disabled, allowing connections from almost anywhere and with little to no authentication measures. Which of the following are true statements regarding this situation? (Choose all that apply.)

An internal threat can take advantage of the misconfigured X-server vulnerability. An external threat can take advantage of the misconfigured X-server vulnerability. This is an easy one because all you have to understand are the definitions of threat and vulnerability. A threat is any agent, circumstance, or situation that could potentially cause harm or loss to an IT asset. In this case, the implication is the threat is an individual (hacker) either inside or outside the network. A vulnerability is any weakness, such as a software flaw or logic design, that could be exploited by a threat to cause damage to an asset. In both these answers, the vulnerability—the access controls on the X-server are not in place—can be exploited by the threat, whether internal or external.

Your IDS sits on the network perimeter and has been analyzing traffic for a couple of weeks. On arrival one morning, you find the IDS has alerted on a spike in network traffic late the previous evening. Which type of IDS are you using?

Anomaly based. The scenario described here is precisely what an anomaly- or behavior-based system is designed for. The system watches traffic and, over time, develops an idea of what "normal" traffic looks like—everything from sources and destinations, ports in use, and times of higher data flows. In one sense, it's better than a plain signature-based system because it can find things heuristically based on behavior; however, anomaly-based systems are notorious for the number of false positives they spin off—especially early on.

Amanda works as a senior security analyst and overhears a colleague discussing confidential corporate information being posted on an external website. When questioned on it, he claims about a month ago he tried random URLs on the company's website and found confidential information. Amanda visits the same URLs but finds nothing. Where can Amanda go to see past versions and pages of a website?

Archive.org. The Internet Archive (http://archive.org) is a nonprofit organization "dedicated to build an Internet library. Its purposes include offering permanent access for researchers, historians, scholars, people with disabilities, and the general public to historical collections that exist in digital format." The good-old Wayback Machine has been used for a long time to pull up old copies of websites, for good and maybe not-so-good purposes. Archive.org includes "snapshots of the World Wide Web," which are archived copies of pages taken at various points in time dating back to 1996. As an additional note, Archive.org is only going to pull and store pages that were linked, shared, or commonly available, so don't assume every page ever put up by anyone anywhere will always be available.

The following results are from an nmap scan:

Starting nmap V. 3.10A ( www.insecure.org/nmap/ )
Interesting ports on 192.168.15.12:
(The 1592 ports scanned but not shown below are in state: filtered)
Port State Service
21/tcp open ftp
25/tcp open smtp
53/tcp closed domain
80/tcp open http
443/tcp open https
Remote operating system guess: Too many signatures match to reliably guess the OS.
Nmap run completed -- 1 IP address (1 host up) scanned in 263.47 seconds

Which of the following is the best option to assist in identifying the operating system?

Attempt banner grabbing. Of the options presented, banner grabbing is probably your best bet. In fact, it's a good start for operating system fingerprinting. You can telnet to any of these active ports or run an nmap banner grab. Either way, the returning banner may help in identifying the OS.

Which of the following is a detective control?

Audit trail. A detective control is an effort used to identify problems, errors, or (in the case of post-attack discovery) cause or evidence of an exploited vulnerability—and an audit log or trail is a perfect example. Ideally, detective controls should be in place and working such that errors can be corrected as quickly as possible. Many compliance laws and standards (the Sarbanes-Oxley Act of 2002 is one example) mandate the use of detective controls.

Your organization is planning for the future and is identifying the systems and processes critical for their continued operation. Which of the following best describes this effort?

BIA. A business impact analysis (BIA) best matches this description. In a BIA, the organization looks at all the systems and processes in use and determines which ones are absolutely critical to continued operation. Additionally, the assessor (the person or company conducting the analysis) will look at all the existing security architecture and make an evaluation on the likelihood of any system or resource being compromised. Part of this is assigning values to systems and services, determining the maximum tolerable downtime (MTD) for any, and identifying any overlooked vulnerabilities.

What method does traceroute use to map routes traveled by a packet?

By manipulating the Time-To-Live (TTL) parameter. Traceroute (at least on Windows machines) tracks a packet across the Internet by incrementing the TTL by one on each successive packet it sends, so that each hop in turn expires the packet and responds, ensuring the response comes back explicitly from that hop and reveals its name and IP address. This provides the route path and transit times. Windows accomplishes this using ICMP ECHO packets to report information on each "hop" (router) from the source to the destination. As an aside, Linux machines use a series of UDP packets by default to carry out the same function in traceroute.

You are setting up DNS for your enterprise. Server A is both a web server and an FTP server. You want to advertise both services for this machine as name references your customers can use. Which DNS record type would you use to accomplish this?

CNAME. We all know—or should know by now—that a hostname can be mapped to an IP using an A record within DNS. CNAME records provide for aliases within the zone on that name. For instance, your server might be named mattserver1.matt.com. A sample DNS zone entry to provide HTTP and FTP access might look like this:

Which of the following is a primary service of the U.S. Computer Security Incident Response Team (CSIRT)?

CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide. EC-Council loves CSIRT, and I promise you'll see it mentioned somewhere on the exam. Per its website (www.csirt.org/), the Computer Security Incident Response Team (CSIRT) "provides 24x7 Computer Security Incident Response Services to any user, company, government agency or organization. CSIRT provides a reliable and trusted single point of contact for reporting computer security incidents worldwide. CSIRT provides the means for reporting incidents and for disseminating important incident-related information." A privately held company that started in 2001, CSIRT seeks "to raise awareness among its customers of computer security issues, and provides information for secure protection of critical computing infrastructure and equipment against potential organized computer attacks."

Which of the following activities are not considered passive footprinting? (Choose two.)

Calling the company's help desk line. Employing passive sniffing. This one may be a little tricky, but only because we live and work in the real world and this is an exam question. EC-Council has several questionable takes on things regarding real-world application and what they say you should remember for your exam, and this is one of those examples. Just remember ECC wants you to know active and passive footprinting can be defined by two things: what you touch and how much discovery risk you put yourself in. Social engineering in and of itself is not all passive or active in nature. In the case of dumpster diving, it's also considered passive (despite the real-world risk of discovery and the action you have to take to pull it off) according to EC

You receive a RST-ACK from a port during a SYN scan. What is the state of the port?

Closed. Remember, a SYN scan occurs when you send a SYN packet to each port you are scanning. If the port is open, you'll obviously get a SYN/ACK back. However, if the port is closed, you'll get a RST-ACK.

Which of the following is the best choice in setting an NIDS tap?

Connect to a SPAN port on a switch. A network intrusion detection system (NIDS) only works well if it can see all the network traffic, and placement obviously makes a huge difference. One common implementation is to connect via a SPAN (Switched Port Analyzer) port on a switch. The configuration for a SPAN port ensures all traffic from a defined range of ports is also sent to the SPAN port. This makes the best option for your NIDS tap, at least as far as this question goes: in the real world, you would most likely set up a passive tap, positioned in the correct location to see everything coming across the wire.

Joe accesses the company website, www.anybusi.com, from his home computer and is presented with a defaced site containing disturbing images. He calls the IT department to report the website hack and is told they do not see any problem with the site—no files have been changed, and when accessed from their terminals (inside the company), the site appears normally. Joe connects over VPN into the company website and notices the site appears normally. Which of the following might explain the issue?

DNS poisoning. DNS poisoning makes the most sense here. In many cases (such as mine right here in my own work-from-home office), a VPN connection back to the company forces you to use the company DNS instead of your local resolution. In this example, Joe's connection from home uses a different DNS server for lookups than that of the business network. It's entirely possible someone has changed the cache entries in his local server to point to a different IP than the one hosting the real website—one that the hackers have set up to provide the defaced version. The fact the web files haven't changed and it seems to be displaying just fine from inside the network also bears this out. If it turns out Joe's DNS modification is the only one in place, there is a strong likelihood that Joe is being specifically targeted for exploitation—something Joe should take very seriously. Lastly, the HOSTS and LMHOSTS files can also play a big role in this kind of scenario—however, if an attacker already has that kind of access to Joe's computer, he has bigger problems than the corporate website.

Four terms make up the Common Criteria process. Which of the following contains seven levels used to rate the target?

EAL. Common Criteria is an international standard of evaluation of Information Technology (IT) products. Per the website (https://www.commoncriteriaportal.org/), Common Criteria ensures evaluations and ratings "are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles." Four terms within Common Criteria make up the process. The EAL (Evaluation Assurance Level) is made up of seven levels, which are used to rate a product after it has been tested. The current EAL levels are as follows:

Which of the following is a good footprinting tool for discovering information on a publicly traded company's founding, history, and financial status?

EDGAR Database. The EDGAR Database—https://www.sec.gov/edgar.shtml—holds various competitive intelligence information on businesses and is an old favorite of EC-Council. Per the website, "All companies, foreign and domestic, are required to file registration statements, periodic reports, and other forms electronically through EDGAR. Anyone can access and download this information for free. Here you'll find links to a complete list of filings available through EDGAR and instructions for searching the EDGAR database." Finally, one more note on EDGAR and the SEC: They have purview only over publicly traded companies. Privately held companies are not regulated or obligated to put information in EDGAR. Additionally, even publicly traded companies might not provide information about privately owned subsidiaries, so be careful and diligent.

Which of the following are the best preventive measures to take against DHCP starvation attacks? (Choose two.)

Enable DHCP snooping on the switch. Use port security on the switch. DHCP starvation is a denial-of-service attack EC-Council somehow slipped into the sniffing section. The attack is pretty straightforward: the attacker requests all available DHCP addresses from the server, so legitimate users cannot pull an address and connect or communicate with the network subnet. DHCP snooping on a Cisco switch (using the ip dhcp snooping command) creates a whitelist of machines that are allowed to pull a DHCP address. Anything attempting otherwise can be filtered. Port security, while not necessarily directly related to the attack, can be a means of defense as well. By limiting the number of MACs associated with a port, as well as whitelisting which specific MACs can address it, you could certainly reduce an attacker's ability to drain all DHCP addresses.

A security team is implementing various security controls across the organization. After several configurations and applications, a final agreed-on set of security controls is put into place; however, not all risks are mitigated by the controls. Of the following, which is the next best step?

Ensure that any remaining risk is residual or low and accept the risk.

A company has a public-facing web application. Its internal intranet-facing servers are separated and protected by a firewall. Which of the following choices would be helpful in protecting against unwanted enumeration?

Ensuring there are no A records for internal hosts on the public-facing name server. If your company has a publicly facing website, it follows that a name server somewhere has to answer lookups in order for your customers to find the site. That name server, however, does not need to provide lookup information to internal machines. Of the choices provided, as silly as it seems to point out, ensuring there are no A records (those used to map hostnames to an IP address) for internal hosts on the external name server is a good start.

You've been hired as part of a pen test team. During the brief, you learn the client wants the pen test attack to simulate a normal user who finds ways to elevate privileges and create attacks. Which test type does the client want?

Gray box. A gray-box test is designed to replicate an inside attacker. Otherwise known as the partial knowledge attack (don't forget this term), the idea is to simulate a user on the inside who might know a little about the network, directory structure, and other resources in your enterprise. You'll probably find this one to be the most enlightening attack in out-briefing your clients in the real world—it's amazing what you can get to when you're a trusted, inside user. As an aside, you'll often find in the real world that gray-box testing can also refer to a test where any inside information is given to a pen tester—you don't necessarily need to be a fully knowledgeable inside user. In other words, if you have usable information handed to you about your client, you're performing gray-box testing.

Your team is hired to test a business named Matt's Bait'n' Tackle Shop (domain name mattsBTshop.com). A team member runs the following command: metagoofil -d mattsBTshop.com -t doc,docx -l 50 -n 20 -f results.html Which of the following best describes what the team member is attempting to do?

Extracting metadata info from Microsoft Word documents found in mattsBTshop.com, outputting results in an HTML file. This is an example of good tool knowledge and use. Metagoofil, per www.edge-security.com/metagoofil.php, "is an information gathering tool designed for extracting metadata of public documents (.pdf, .doc, .xls, .ppt, .docx, .pptx, .xlsx) belonging to a target company. It performs a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfMiner and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help Penetration testers in the information gathering phase." In the syntax given, metagoofil will search mattsBTshop.com for up to 50 results (the -l switch determines the number of results) of any Microsoft Word documents (in both .doc and .docx format) it can find. It will then attempt to download the first 20 found (the -n switch handles that), and the -f switch will send the results where you want (in this case, to an HTML file).

A network and security administrator installs an NIDS. After a few weeks, a successful intrusion into the network occurs and a check of the NIDS during the timeframe of the attack shows no alerts. An investigation shows the NIDS was not configured correctly and therefore did not trigger on what should have been attack alert signatures. Which of the following best describes the actions of the NIDS?

False negatives. When it comes to alerting systems, false negatives are much more concerning than false positives. A false negative occurs when there is traffic and circumstances in place for an attack signature, but the IDS does not trigger an alert. In other words, if your system is firing a lot of false negatives, the security staff may feel like they're secure when, in reality, they're really under successful attack. Keep in mind a false negative is different from your IDS simply not seeing the traffic. For example, if you tell your IDS to send an alert for Telnet traffic and it simply didn't see those packets (for whatever reason), that may be a false negative for exam purposes but in the real world is probably more of a configuration issue. A better example of a false negative in the real world would be for the attacker to encrypt a portion of payload so that the IDS doesn't recognize it as suspicious. In other words, the IDS sees the traffic, it just doesn't recognize anything bad about it.

Which port-scanning method presents the most risk of discovery but provides the most reliable results?

Full-connect. A full-connect scan runs through an entire TCP three-way handshake on all ports you aim at. It's loud and easy to see happening, but the results are indisputable. As an aside, the -sT switch in nmap runs a full-connect scan (you should go ahead and memorize that one).

As part of the preparation phase for a pen test you are participating in, the client relays their intent to discover security flaws and possible remediation. They seem particularly concerned about internal threats from the user base. Which of the following best describes the test type the client is looking for?

Gray box. Once again, this is a play on words the exam will throw at you. Note the question is asking about a test type, not the attacker. Reviewing CEH documentation, you'll see there are three types of tests—white, black, and gray—with each designed to test a specific threat. White tests the internal threat of a knowledgeable systems administrator or an otherwise elevated privilege level user. Black tests external threats with no knowledge of the target. Gray tests the average internal user threat to expose potential security problems inside the network.

As a pen test on a major international business moves along, a colleague discovers an IIS server and a mail exchange server on a DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the ping. What is the most likely reason for the lack of response?

ICMP is being filtered. Admittedly, this one is a little tricky, and, yes, I purposefully wrote it this way (mainly because I've seen questions like this before). The key here is the "most likely" designator. It's entirely possible—dare I say, even expected—that the systems administrator for those two important machines would turn off ICMP. Of the choices provided, this one is the most likely explanation.

Brad is auditing an organization and is asked to provide suggestions on improving DNS security. Which of the following would be valid options to recommend? (Choose all that apply.)

Implementing a split-horizon operation Restricting zone transfers Split-horizon DNS (also known as split-view or split DNS) is a method of providing different answers to DNS queries based on the source address of the DNS request. It can be accomplished with hardware or software solutions and provides one more step of separation between you and the bad guys. Restricting zone transfers to only those systems you desire to have them is always a good idea. If you leave it open for anyone to grab, you're just asking for trouble. DNSSEC should also be included, but isn't an option listed.

Which of the following is best defined as a set of processes used to identify, analyze, prioritize, and resolve security incidents?

Incident management Admittedly, this one is fairly easy—or at least it should be. Incident management is the process of dealing with incidents and generally has the same features/steps: identify the problem or root cause, analyze and research the issue, contain the malicious effort, eradicate the effort, and resolve any damage caused. ECC defines the process as having eight steps: 1. Preparation, 2. Detection and Analysis, 3. Classification/Prioritization, 4. Notification, 5. Containment, 6. Forensic Investigation, 7. Eradication and Recovery, and 8. Post-incident Activities. The incident response team (IRT) is charged with handling this process.

You want to begin sniffing, and you have a Windows 7 laptop. You download and install Wireshark but quickly discover your NIC needs to be in "promiscuous mode." What allows you to put your NIC into promiscuous mode?

Installing WinPcap To understand this, you have to know how a NIC is designed to work. The NIC "sees" lots of traffic but pulls in only the traffic it knows belongs to you. It does this by comparing the destination MAC address of each frame against its own: if they match, it pulls the frame in and works on it; if they don't match, the frame is ignored. If you plug a sniffer into a NIC that looks only at traffic designated for the machine you're on, you've kind of missed the point, wouldn't you say? Promiscuous mode tells the NIC to pull in everything. This allows you to see all those packets moving to and fro inside your collision domain. WinPcap is a library that allows NICs on Windows machines to operate in promiscuous mo

Which of the following best describes an intranet zone?

It has few heavy security restrictions. An intranet can be thought of, for testing purposes, as your own happy little networking safe space. It's protected from outside attacks and interference by the DMZ and all the layers of security on the outside. Internally, you don't assign loads of heavy security restrictions, because, as explained in the security versus usability discussion in the CEH All-in-One Exam Guide, Fourth Edition, as security increases, usability and functionality decrease. If your organization's users are on the intranet, you want them as productive as possible, right?

Which of the following statements is true regarding the p0f tool?

It is a passive OS fingerprinting tool. p0f, per http://lcamtuf.coredump.cx/p0f3/, "is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. The tool can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to. Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellaneous forensics."

Which of the following statements is true regarding the discovery of sniffers on a network?

It is almost impossible to discover the sniffer on the network This question is more about active versus passive sniffing than anything else. I'm not saying it's impossible, because almost nothing is, but discovering a passive sniffer on your network is very difficult. When a NIC is set to promiscuous mode, it just blindly accepts any packet coming by and sends it up the layers for further processing (which is what allows Wireshark and other sniffers to analyze the traffic). Because sniffers are sitting there pulling traffic and not sending anything in order to get it, they're difficult to detect. Active sniffing is another thing altogether. If a machine is ARP spoofing or MAC flooding in order to pull off sniffing, it's much easier to spot it.

Which of the following tools is the best choice to assist in evading an IDS?

Libwhisker It's a hallmark of EC-Council certification exams to have a few off-the-wall, tool-specific questions, and this is a great example. Libwhisker (https://sourceforge.net/projects/whisker/) is a full-featured Perl library used for a number of things, including HTTP-related functions, vulnerability scanning, exploitation, and IDS evasion. In fact, some scanners actually use libwhisker for session splicing in order to scan without being seen.

Which of the following techniques can be used to gather information from a fully switched network or to disable some of the traffic isolation features of a switch? (Choose two.)

MAC flooding ARP spoofing Switches filter all traffic, unless you tell them otherwise, make them behave differently, or the traffic is broadcast or multicast. If you can gain administrative access to the switch's operating system (Cisco IOS, for example), you can tell it to behave otherwise by configuring a SPAN (mirror) port, which sends copies of frames from other ports to yours. Legitimate SPAN ports are designed for things such as network IDS sensors. To make the switch behave differently (at least on older switches, because newer ones with port security don't allow this much anymore), send more source MAC addresses to the switch than it can hold. This fills the CAM table; unable to learn where hosts are, the switch floods unknown unicast frames out every port and effectively becomes a hub (sometimes called a fail-open state). Using a tool such as macof or Yersinia, you can send thousands and thousands of fake MAC addresses at the switch's CAM table. ARP spoofing doesn't really involve the switch much at all; it continues to filter traffic just as it was designed to do. The difference is that you've lied to the hosts by answering ARP requests with your own MAC address for someone else's IP. The victims, believing those happy little ARP messages, address their frames to your MAC, and the switch dutifully forwards them to your port instead of the intended recipient. How fun!

In which phase of the attack would a hacker set up and configure "zombie" machines?

Maintaining access Zombies are basically machines the hacker has commandeered to do his work for him. If the attacker is really good, the owners of the zombie machines don't even know their machines have been drafted into the war. There are a bajillion methods for maintaining access on a machine you've already compromised, and maintaining that access does not necessarily mean the system will be used as a zombie—you could, for example, simply want to check in from time to time to see what new juicy information the user has decided to leave in a file or folder for you, or to check on new logins, credentials, and so on. However, configuring zombie systems definitely belongs in this phase.

Which of the following is defined as ensuring that the enforcement of organizational security policy does not rely on voluntary user compliance by assigning sensitivity labels on information and comparing this to the level of security a user is operating at?

Mandatory access control Access control is defined as the selective restraint of access to a resource, and there are several overall mechanisms to accomplish this goal. Mandatory access control (MAC) is one type that constrains the ability of a subject to access or perform an operation on an object by assigning and comparing "sensitivity labels." Suppose a person (or a process) attempts to access or edit a file. With MAC, a label is placed on the file indicating its security level. If the entity attempting to access it does not have that level, or higher, then access is denied. With mandatory access control, security is centrally controlled by a security policy administrator, and users do not have the ability to override security settings.
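The label comparison described above, worked through in code. This is an added example for the question, not code from the CEH book: the classification levels and the compartment name are constructed, and it implements both Bell-LaPadula rules (no read up and no write down), which goes one step beyond the single read check the explanation describes.

```python
"""Mandatory access control as a label comparison.

Added example for the question above; this is not code from the CEH book.
The classification levels and compartment names are constructed, and the
two rules implemented are the Bell-LaPadula simple security property
("no read up") and *-property ("no write down").
"""
from dataclasses import dataclass
from typing import FrozenSet

# Ordered sensitivity levels; the policy administrator sets these, not the users.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a level plus zero or more need-to-know compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self dominates other when its level is at least as high and it holds
        every compartment the other label has."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """No read up: the subject's clearance must dominate the object's label."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """No write down: the object's label must dominate the subject's clearance,
    so a SECRET session cannot copy data into a CONFIDENTIAL file."""
    return obj.dominates(subject)


def check_access(subject: Label, obj: Label, mode: str) -> str:
    """Decide one access request; the subject has no way to override the outcome."""
    allowed = {"read": can_read, "write": can_write}[mode](subject, obj)
    return "PERMIT" if allowed else "DENY"
```

Note that compartments make the comparison a lattice rather than a simple ladder: a SECRET clearance without the NUKE compartment is denied a SECRET//NUKE file even though the levels match.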

Examine the following command-line entry:
C:\>nslookup
Default Server: ns1.somewhere.com
Address: 128.189.72.5
> set q=mx
> mailhost
Which statements are true regarding this command sequence? (Choose two.)

Nslookup is in interactive mode. The output will show all mail servers in the zone somewhere.com. Nslookup runs in one of two modes: interactive and noninteractive. Noninteractive mode is simply the command followed by a name; for example, nslookup www.google.com returns the IP address your resolver can find for Google. Interactive mode is started by typing nslookup and pressing ENTER. Your default server name and its IP address are displayed, and a > prompt waits for your next command. In this scenario we've entered interactive mode, set the query type to MX (mail exchange), and asked about mailhost, which asks the server for the mail exchange records it holds, that is, the hosts that accept mail and their preference values.

While performing a pen test, you find success in exploiting a machine. Your attack vector took advantage of a common mistake—the Windows 7 installer script used to load the machine left the administrative account with a default password. Which attack did you successfully execute?

Operating system Operating system (OS) attacks target common mistakes many people make when installing operating systems (for instance, accepting and leaving all the defaults). Examples usually include things such as administrator accounts with no passwords, ports left open, and guest accounts left behind. Another OS attack you may be asked about deals with versioning. Operating systems are never released fully secure and are consistently upgraded with hotfixes, security patches, and full releases. The potential for an old vulnerability within the enterprise is always high.

Which of the following was created to protect credit card data at rest and in transit in an effort to reduce fraud?

PCI-DSS Payment Card Industry Data Security Standard (PCI-DSS) is a security standard for organizations that handle credit cards. A council including American Express, JCB, Discover, MasterCard, and Visa developed standards for the protection and transmission of card data to reduce credit card fraud. It's administered by the Payment Card Industry Security Standards Council. Validation of compliance is performed annually. The standard is composed of 12 requirements.

Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?

PSH This answer normally gets mixed up with the URG flag because we all read it as urgent. However, just remember the key word with PSH is "buffering." In TCP, buffering is used to maintain a steady, harmonious flow of traffic. Every so often, though, the buffer itself becomes a problem, slowing things down. A PSH flag tells the recipient stack that the data should be pushed up to the receiving application immediately.

A zone file consists of which records? (Choose all that apply.)

PTR MX SOA A SRV
SRV (Service): defines the hostname and port number of servers providing a specific service, such as a directory services server.
SOA (Start of Authority): identifies the primary name server for the zone. The SOA record names the server responsible for all DNS records within the namespace, the zone contact, and the zone's basic properties (serial number and timers).
PTR (Pointer): maps an IP address to a hostname (providing for reverse DNS lookups). You don't absolutely need a PTR record for every entry in your DNS namespace, but PTR records are usually associated with e-mail server records.
NS (Name Server): defines the name servers within your namespace. These servers are the ones that respond to requests for name resolution.
MX (Mail Exchange): identifies the e-mail servers within your domain.
CNAME (Canonical Name): provides for hostname aliases within your zone. For example, you may have an FTP server and a web service running on the same IP address; CNAME records let you list both in DNS.
A (Address): maps a hostname to an IPv4 address and is the record type used most often in DNS lookups.

A pen test member has gained access to an open switch port. He configures his NIC for promiscuous mode and sets up a sniffer, plugging his laptop directly into the switch port. He watches traffic as it arrives at the system, looking for specific information to possibly use later. What type of sniffing is being practiced?

Passive This is one of those weird CEH definitions that drive us all crazy on the exam. Knowing the definition of passive versus active isn't really going to make you a better pen tester, but it may save you a question on the test. When it comes to sniffing, if you are not injecting packets into the stream, it's a passive exercise. Tools such as Wireshark are passive in nature. A tool such as Ettercap, though, has built-in features to trick switches into sending all traffic its way, and other sniffing hilarity. This type of sniffing, where you use packet injection to force a response, is active in nature. As a quick aside here, for you real-world preppers out there, true passive sniffing with a laptop is pretty difficult to pull off. As soon as you attach a Windows machine, it'll start broadcasting all kinds of stuff (ARP and so on), which is, technically, putting packets on the wire. The real point is that passive sniffing is a mindset where you are not intentionally putting packets on a wire.

Which incident response (IR) phase is responsible for setting rules, identifying the workforce and roles, and creating backup and test plans for the organization?

Preparation So even if you weren't aware of incident response phases, this one should've been a rather easy guess. In the preparation phase, your IR (incident response) team should be preparing for an incident. Preparation includes lots of things—some of which are mentioned here. But virtually anything you can think of that does not involve actions taken during the incident belongs here. Training, exercises, and policies are all examples.

As part of a pen test on a U.S. government system, you discover files containing Social Security numbers and other sensitive personally identifiable information (PII). You are asked about controls placed on the dissemination of this information. Which of the following acts should you check?

Privacy Act The Privacy Act of 1974 protects information of a personal nature, including Social Security numbers. The Privacy Act defines exactly what "personal information" is, and it states that government agencies cannot disclose any personal information about an individual without that person's consent. It also lists 12 exemptions for the release of this information (for example, information that is part of a law enforcement issue may be released). In other questions you see, keep in mind that the Privacy Act generally will define the information that is not available to you in and after a test. Dissemination and storage of privacy information needs to be closely controlled to keep you out of hot water. As a side note, how you obtain PII is oftentimes just as important as how you protect it once discovered. In your real-world adventures, keep the Wiretap Act (18 U.S. Code Chapter 119—Wire and Electronic Communications Interception and Interception of Oral Communications) and others li

You are enumerating a subnet. While examining message traffic, you discover SNMP is enabled on multiple targets. If you assume default settings in setting up enumeration tools to use SNMP, which community strings should you use?

Public (read-only) and Private (read/write) SNMP (versions 1 and 2c) uses a community string as a form of password. The read-only community string lets a requester read virtually anything SNMP can drag out of the device (GET requests), whereas the read/write string also permits SET requests that change the device's configuration. The conventional defaults are public for read-only and private for read/write; community strings are case sensitive, and on real devices the defaults are lowercase. If you happen upon a network segment using SNMPv3, keep in mind that it replaces community strings with per-user authentication (an HMAC over the message rather than a clear-text password) and optional encryption of the payload.

One way to mitigate against DNS poisoning is to restrict or limit the amount of time records can stay in cache before they're updated. Which DNS record type allows you to set this restriction?

SOA The SOA record holds all sorts of information, and when it comes to cache lifetime the TTL values are of primary interest. The zone's default TTL is set by the $TTL directive at the top of the zone file (historically by the SOA minimum field, which today holds the negative-caching TTL), and any record can carry its own TTL. The shorter the TTL, the less time a record stays in a resolver's cache before it must be fetched again. While it won't prevent DNS poisoning altogether, it limits how long a successfully poisoned entry keeps misdirecting clients.
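To make the record types from the zone-file question and the TTL values from this one concrete, here is a small zone-file parser. It is an added example, not code from the book: the zone text is constructed (example.com with made-up hosts and RFC 5737 test addresses), and the parser handles only the common single-line and parenthesized multi-line forms.

```python
"""Parse a BIND-style zone file, group its records by type, and read the SOA timers.

Added example, not code from the CEH book. The zone below is constructed for
illustration (example.com with made-up hosts and RFC 5737 test addresses);
it covers the record types in the zone-file question plus the TTL values the
DNS-poisoning question refers to.
"""
import re
from collections import defaultdict

ZONE = """\
$TTL 3600                      ; default TTL for records without their own
@           IN  SOA  ns1.example.com. hostmaster.example.com. (
                         2024010101 ; serial
                         7200       ; refresh
                         900        ; retry
                         1209600    ; expire
                         300 )      ; minimum (negative-caching TTL, RFC 2308)
@           IN  NS   ns1.example.com.
@           IN  NS   ns2.example.com.
@           IN  MX   10 mail.example.com.
ns1         IN  A    192.0.2.1
ns2         IN  A    192.0.2.2
mail   600  IN  A    192.0.2.10      ; explicit per-record TTL
www         IN  A    192.0.2.20
ftp         IN  CNAME www
_ldap._tcp  IN  SRV  0 5 389 ldap.example.com.
ldap        IN  A    192.0.2.30
10.2.0.192.in-addr.arpa. IN PTR mail.example.com.
"""

RECORD_TYPES = ("SOA", "NS", "MX", "A", "CNAME", "PTR", "SRV", "HINFO")


def _strip_comments(text):
    """Drop ';' comments; everything after the semicolon is ignored by DNS servers."""
    return [re.sub(r";.*", "", line).rstrip() for line in text.splitlines()]


def _join_parens(lines):
    """Merge records continued across lines inside ( ... ) into one logical line."""
    out, buf = [], []
    for line in lines:
        buf.append(line)
        joined = " ".join(buf)
        if joined.count("(") == joined.count(")"):
            out.append(joined)
            buf = []
    return out


def parse_zone(text):
    """Return (default_ttl, {rtype: [(owner, ttl_or_None, [rdata tokens]), ...]})."""
    default_ttl = None
    records = defaultdict(list)
    for line in _join_parens(_strip_comments(text)):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not tokens:
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        # owner [ttl] [class] type rdata...
        for i in range(1, len(tokens)):
            if tokens[i] in RECORD_TYPES:
                middle = tokens[1:i]                      # optional ttl and/or class
                ttl = next((int(t) for t in middle if t.isdigit()), None)
                records[tokens[i]].append((tokens[0], ttl, tokens[i + 1:]))
                break
    return default_ttl, records


def soa_timers(records):
    """Name the seven SOA rdata fields; 'minimum' is the negative-caching TTL."""
    _, _, rdata = records["SOA"][0]
    names = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
    return dict(zip(names, rdata[:2] + [int(x) for x in rdata[2:7]]))


def effective_ttl(default_ttl, record):
    """The TTL a resolver will cache this record for."""
    _, ttl, _ = record
    return ttl if ttl is not None else default_ttl
```

Lowering the $TTL (or a per-record TTL, as on the mail host above) is the knob the DNS-poisoning question is asking about; the SOA refresh/retry/expire timers govern secondary servers, not resolver caches.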

Which of the following was created to protect shareholders and the general public from corporate accounting errors and fraudulent practices, and to improve the accuracy of corporate disclosures?

SOX The Sarbanes-Oxley Act (SOX; https://www.sec.gov/about/laws.shtml#sox2002) introduced major changes to the regulation of financial practice and corporate governance in 2002 and is arranged into 11 titles. SOX mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures, and combat corporate and accounting fraud, and it created the "Public Company Accounting Oversight Board," also known as the PCAOB, to oversee the activities of the auditing profession.

Given the following Wireshark filter, what is the attacker attempting to view? ((tcp.flags == 0x02) || (tcp.flags == 0x12) ) || ((tcp.flags == 0x10) && (tcp.ack==1) && (tcp.len==0) )

SYN, SYN/ACK, ACK You'll see bunches of Wireshark questions on your exam (it's probably the subject EC-Council loves the most regarding this chapter), and syntax will be the key to answering all of them. For this particular question, remember that Wireshark's tcp.flags field is the flags byte of the TCP header, so it can be compared against a number. Each flag is one bit: FIN = 1 (0x01), SYN = 2 (0x02), RST = 4 (0x04), PSH = 8 (0x08), ACK = 16 (0x10), and URG = 32 (0x20). Adding the values of the set flags together gives the number to filter on; for example, SYN + ACK = 18, which is 0x12 in hex. Be careful not to mix the two notations: tcp.flags == 0x02 matches SYN-only segments, tcp.flags == 0x10 (decimal 16) matches ACK-only segments, and tcp.flags == 0x12 (decimal 18) matches SYN/ACK. The filter in the question uses the hex values: the first clause catches SYN segments, the second catches SYN/ACK, and the third catches ACK segments carrying no data (tcp.len == 0), which is what the third step of the handshake looks like. The tcp.ack == 1 term compares the acknowledgment number, which with Wireshark's default relative sequence numbers is 1 in that third segment. Put together, the attacker sees every TCP three-way handshake on the wire.

What is the second step in the TCP three-way handshake?

SYN/ACK Admittedly, this is an easy one, but I'd bet dollars to doughnuts you will see it in some form on your exam. It's such an important part of scanning and enumeration because, without understanding this basic principle of communication channel setup, you're almost doomed to failure. A three-way TCP handshake has the originator forward a SYN. The recipient, in step 2, sends a SYN and an ACK. In step 3, the originator responds with an ACK. The steps are referred to as SYN, SYN/ACK, ACK.

A Certified Ethical Hacker (CEH) follows a specific methodology for testing a system. Which step comes after footprinting in the CEH methodology?

Scanning CEH methodology is laid out this way: reconnaissance (footprinting), scanning and enumeration, gaining access, escalating privileges, maintaining access, and covering tracks. While you may be groaning about scanning and enumeration both appearing as answers, they're placed here in this way on purpose. This exam is not only testing your rote memorization of the methodology but also how the methodology actually works. Remember, after scoping out the recon on your target, your next step is to scan it. After all, you have to know what targets are there first before enumerating information about them.

In which phase of the ethical hacking methodology would a hacker be expected to discover available targets on a network?

Scanning and enumeration The scanning and enumeration phase is where you'll use things such as ping sweeps to discover available targets on the network. This step occurs after reconnaissance. In this step, tools and techniques are actively applied to information gathered during recon to obtain more in-depth information on the targets. For example, reconnaissance may show a network subnet to have 500 or so machines connected inside a single building, whereas scanning and enumeration would discover which ones are Windows machines and which ones are running FTP.

Which of the following best defines a logical or technical control?

Security tokens A logical (or technical) control is one used for identification, authentication, and authorization. It can be embedded inside an operating system, application, or database management system. A security token (such as RSA's SecurID) can provide a number that changes on a recurring basis that a user must supply during authentication, or it may be a USB device with a built-in identifier that must be attached during authentication. A physical control is something, well, physical in nature, such as a lock, a key, or maybe a guard.

You are performing an ACK scan against a target subnet. You previously verified connectivity to several hosts within the subnet but want to verify all live hosts on the subnet. Your scan, however, is not receiving any replies. Which type of firewall is most likely in use at your location?

Stateful Most people think of a firewall as a simple packet filter, examining packets as they come in against an access list: if the port is allowed, let the packet through. A stateless filter like that would let an ACK through to any host whose port it allows, and that host would answer with a RST, which is exactly what an ACK scan (nmap -sA) relies on to tell filtered from unfiltered ports. The stateful inspection firewall, however, has the ability to examine the session details regarding the packet and make a determination on its state. For a common (dare I say, textbook) example, if a stateful firewall receives an ACK packet, it's smart enough to know whether there is an associated SYN packet that originated from inside the network to go along with it. If there isn't—that is, if communications did not start from inside the subnet—it'll drop the packet silently, which is why the scan receives no replies at all.

You are told to monitor a packet capture for any attempted DNS zone transfer. Which port should you focus your search on?

TCP 53 DNS uses port 53 over both UDP and TCP. Port 53 over UDP is used for ordinary lookups. Zone transfers (AXFR) are carried over port 53 on TCP, as are any responses too large to fit in a single UDP datagram. Considering the reliability and error correction available with TCP, this makes perfect sense.

Which protocol and port number combination is used by default for DNS zone transfers?

TCP 53 TCP 53 is the default protocol and port number for zone transfers. DNS actually uses both TCP and UDP to get its job done, and if you think about what it's doing, they make sense in particular circumstances. A name resolution request and reply? Small and quick, so use port 53 on UDP. A zone transfer, which could potentially be large and requires some insurance it all gets there? Port 53 on TCP is the answer.

Your target subnet is protected by a firewalled DMZ. Reconnaissance shows the external firewall passes some traffic from external to internal, but blocks most communications. HTTP traffic to a web server in the DMZ, which answers to www.somebiz.com, is allowed, along with standard traffic such as DNS queries. Which of the following may provide a method to evade the firewall's protection?

TCP over DNS Of the choices provided, TCP over DNS is the only one that makes any sense. TCP over DNS is exactly what it sounds like—sending TCP traffic that would otherwise use a different port number in packets using port 53. Because the firewall usually allows DNS requests to pass, hiding traffic under port 53 is convenient and fairly easy. The whole thing does require a special DNS server and DNS client setup, but the steps to pull it off aren't rocket science. While TCP over DNS will allow you to evade the firewall and send traffic internally, it will not provide you instant access to machines or anything like that—it simply allows you to send traffic unnoticed through a firewall. TCP over DNS tools include Iodine (http://code.kryo.se/iodine/), DNS Tunnel (http://dnstunnel.de), and Netcross (https://soureforge.net/projects/netcross).

Which of the following tools can be used to extract application layer data from TCP connections captured in a log file into separate files?

TCPflow TCPflow (https://github.com/simsong/tcpflow/wiki/tcpflow-%E2%80%94-A-tcp-ip-session-reassembler) is "a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored 'tcpdump' packet flows. tcpflow is similar to 'tcpdump', in that both process packets from the wire or from a stored file. But it's different in that it reconstructs the actual data streams and stores each flow in a separate file for later analysis."

An administrator enters the following command on a Linux system: iptables -t nat -L Which of the following best describes the intent of the command entered?

The administrator is configuring IP masquerading Do you remember network address translation? It's a neat little technology that lets lots of internal hosts, using nonroutable private addressing, reach the Internet by borrowing a single address (or a group of addresses) managed by a router or other system. IP masquerading is the Linux name for much the same thing: source NAT behind whatever address the outgoing interface currently has. The iptables nat table is where those rules live, and -L lists the rules in its chains (PREROUTING, INPUT, OUTPUT, POSTROUTING), so the command shown is reviewing the NAT configuration; the masquerade rule itself is a MASQUERADE target in the POSTROUTING chain. In short, a Linux machine can act as a NAT translator by enabling IP forwarding, using one NIC for the internal network and one for the external, and masquerading the outbound traffic.

A target machine (with a MAC of 12:34:56:AB:CD:EF) is connected to a switch port. An attacker (with a MAC of 78:91:00:ED:BC:A1) is attached to a separate port on the same switch with a packet capture running. There is no spanning of ports or port security in place. Two packets leave the target machine. Message 1 has a destination MAC of E1:22:BA:87:AC:12. Message 2 has a destination MAC of FF:FF:FF:FF:FF:FF. Which of the following statements is true regarding the messages being sent?

The attacker will see message 2 This question is all about how a switch works, with a little MAC knowledge thrown in. Remember that switches are designed to filter unicast messages but to flood multicast and broadcast messages (filtering goes to only one port, whereas flooding sends to all). Broadcast MAC addresses in the frame are easy to spot—they're always all Fs, indicating all 48 bits turned on in the address. In this case, message 1 is a unicast address and went off to its destination, whereas message 2 is clearly a broadcast message, which the switch will gladly flood to all ports, including the attacker's.

Examine the Snort output shown here:
08/28-12:23:13.014491 01:10:BB:17:E3:C5 -> A5:12:B7:55:57:AB type:0x800 len:0x3C
190.168.5.12:33541 -> 213.132.44.56:23 TCP TTL:128 TOS:0x0 ID:12365 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xA153BD Ack: 0xA01657 Win: 0x2000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
0x0000: 00 02 B3 87 84 25 00 10 5A 01 0D 5B 08 00 45 00 .%..Z..[..E.
0x0010: 00 30 98 43 40 00 80 06 DE EC C0 A8 01 04 C0 A8 .0.C@...
0x0020: 01 43 04 DC 01 BB 00 A1 8B BD 00 00 00 00 70 02 .C....p.
0x0030: 20 00 4C 92 00 00 02 04 05 B4 01 01 04 02 .L.....
Which of the following statements is true regarding the packet capture?

The capture shows step 2 of a TCP handshake. You'll probably see at least one or two Snort capture logs on the exam, and most of them are just this easy. The log shows a TCP segment from 190.168.5.12:33541 to 213.132.44.56:23. The TCP flags are clearly shown in the flags column as ***A**S*, meaning the ACK and SYN flags are set (Snort's eight positions are 1 2 U A P R S F). Because the three-way handshake is SYN, SYN/ACK, ACK, a SYN/ACK is step 2, and we've solved another one!
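The flag arithmetic from the Wireshark filter question and the Snort flag column from this one come from the same six bits, so one added example covers both. This is not code from the book; the sample segments at the bottom are constructed, and nothing here reads a real capture.

```python
"""TCP flag arithmetic behind Wireshark's tcp.flags filters and Snort's flag column.

Added example, not from the CEH book. The sample segments at the bottom are
constructed; nothing here reads a real capture.
"""
# Bit value of each flag in the TCP flags byte (FIN is the low bit).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_value(*names):
    """Combine flag names into the integer that tcp.flags is compared against."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name.upper()]
    return value


def flags_from_value(value):
    """Inverse of flags_value: which flags are set in a tcp.flags byte."""
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def flags_from_snort(column):
    """Decode Snort's eight-character flag column, e.g. '***A**S*'.
    Positions are 1 2 U A P R S F (reserved, reserved, URG, ACK, PSH, RST, SYN, FIN)."""
    positions = "12UAPRSF"
    names = {"U": "URG", "A": "ACK", "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}
    return [names[p] for p, c in zip(positions, column) if c != "*" and p in names]


def handshake_step(flags, payload_len):
    """1, 2 or 3 for the three handshake segments, None for anything else.
    Step 3 is a bare ACK with no data; an ACK carrying data is ordinary traffic."""
    present = set(flags)
    if present == {"SYN"}:
        return 1
    if present == {"SYN", "ACK"}:
        return 2
    if present == {"ACK"} and payload_len == 0:
        return 3
    return None


def wireshark_filter():
    """The question's filter rebuilt from the flag values, in hex as Wireshark shows it."""
    return (f"(tcp.flags == {flags_value('SYN'):#04x}) || "
            f"(tcp.flags == {flags_value('SYN', 'ACK'):#04x}) || "
            f"((tcp.flags == {flags_value('ACK'):#04x}) && (tcp.len == 0))")


# Constructed sample: (tcp.flags byte, payload length) for a handshake and one data segment.
SAMPLE = [(0x02, 0), (0x12, 0), (0x10, 0), (0x18, 120)]


def classify(sample=SAMPLE):
    """Map each sample segment to its handshake step (None = not part of the handshake)."""
    return [handshake_step(flags_from_value(value), length) for value, length in sample]
```

The last sample segment (0x18, PSH+ACK with data) is deliberately excluded: it is what most of an HTTP session looks like, and it is why the filter's third clause also requires tcp.len == 0.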

A penetration tester is examining the following NMAP result:
Starting NMAP 5.21 at 2011-03-15 11:06
NMAP scan report for 172.16.40.65
Host is up (1.00s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
515/tcp open
631/tcp open ipp
9100/tcp open
MAC Address: 00:00:48:0D:EE:8
Which of the following is a true statement?

The host is likely a printer. Honestly there's not a lot to go on here, so we take a look at the port numbers: 21, 23, and 80 don't really tell us much, because loads of hosts run FTP, Telnet, and HTTP, but 515 and 631? Those have printer written all over them: 515 is the well-known LPD/LPR print spooler port (and one that malware has been known to squat on), 631 is the Internet Printing Protocol (IPP) port, and 9100, the raw JetDirect printing port, is a third strong hint.

Consider the ports shown in the nmap output returned on an IP scanned during footprinting:
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
515/tcp open
631/tcp open ipp
9100/tcp open
MAC Address: 01:2A:48:0B:AA:81
Which of the following is true regarding the output?

The host is most likely a printer or has a printer installed. So this output is pretty interesting, huh? There's some FTP, Telnet, and HTTP open, and a little NetBIOS action going on there, too. The TCP ports 515 and 631, however, are the ones to note here. 515 corresponds to the Line Printer Daemon protocol/Line Printer Remote protocol (LPD/LPR), which is used for submitting print jobs to a remote printer. Port 631 corresponds to the Internet Printing Protocol (IPP). Both point to printing, and 9100 (raw JetDirect printing) makes it three. A final note on this: in our modern world the definition of what constitutes a server and what does not is a blurred line. If your printer allows Telnet access to a terminal, is it really just a printer? For that matter, many printers actually work off of an embedded operating system. In other words, in real-world testing, your printer may actually be a Linux server of sorts. Your exam will stick with the academic memorization and evaluation of port numbers, but things are much more entangled in the real world.

An organization has a DNS server located in the DMZ and other DNS servers located on the intranet. What is this implementation commonly called? (Options: Dynamic DNS, DNSSEC, Split DNS, Auto DNS)

Split DNS The idea behind split DNS is pretty simple: create two zones for the same domain, one served only to the internal network and the other to any external network. Internal hosts are directed to the internal name server, which can hold the full set of internal names; the DMZ server answers outsiders with only the public names. Separating the two greatly restricts the footprinting an attacker can perform from the outside.

Examine the following command sequence:
C:\> nslookup
Default Server: ns1.anybiz.com
Address: 188.87.99.6
> set type=HINFO
> someserver
Server: resolver.anybiz.com
Address: 188.87.100.5
Someserver.anybiz.com CPU=Intel Quad Chip OS=Linux 2.8
Which of the following statements best describes the intent of the command sequence?

The operator is enumerating a system named someserver. The HINFO record type is one of those really great ideas that was designed to make life easier on everyone yet turned out to be a horrible idea. Defined in RFC 1035, Host Information (HINFO) DNS records were originally intended to provide the type of computer and operating system a host uses (back in the day, you could also put things like room numbers and other descriptions in the record). However, to avoid publicly advertising that information (for obvious reasons), this record type simply is not used much anymore. And if you find one on a public-facing machine, it's a sure sign of incompetence on the part of the server administrators. In this example, the type is set to HINFO, and a machine name—someserver—is provided. The attacker can use the information contained in the record as an enumeration source.

You are examining a packet capture of all traffic from a host on the subnet. The host sends a segment with the SYN flag set in order to set up a TCP communications channel. The destination port is 80, and the sequence number is set to 10. Which of the following statements are not true regarding this communications channel? (Choose all that apply.)

The packet returned in answer to this SYN request will acknowledge the sequence number by returning 10. The host will be attempting to retrieve an HTML file. Yes, it is true that port 80 traffic is generally HTTP; however, there are two problems with this statement. The first is all that is happening here is an arbitrary connection to something on port 80. For all we know, it's a listener, Telnet connection, or anything at all. Second, assuming it's actually an HTTP server, the sequence described here would do nothing but make a connection—not necessarily transfer anything. Sure, this is picky, but it's the truth. Next, sequence numbers are acknowledged between systems during the three-way handshake by incrementing by 1. In this example, the source sent an opening sequence number of 10 to the recipient. The recipient, in crafting the SYN/ACK response, will first acknowledge the opening sequence number by incrementing it to 11. After this, it will add its own sequence number to the packet (a random number it will pick) and send both off.

A pen tester is performing banner grabbing and executes the following command:
$ nmap -sV host.domain.com -p 80
He gets the following output:
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-08 19:10 EST
Nmap scan report for host.domain.com (108.61.158.211)
Host is up (0.032s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd
Service detection performed. Please report any incorrect results at http://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds
Which of the following is a true statement?

The pen tester was successful in banner grabbing. You can expect a few versions of this type of question on your exam. Not only are there bunches of ways to do banner grabbing, but the outputs of each method are different. In this case, the nmap attempt was successful in identifying it as an Apache server.

Examine the Wireshark filter shown here:
ip.src == 192.168.1.1 && tcp.srcport == 80
Which of the following correctly describes the capture filter?

The results will display all HTTP traffic from 192.168.1.1. Wireshark filters will be covered quite a bit on your exam, and, as stated earlier, these are easy questions for you. The preceding syntax designates the source IP and combines it with a source TCP port. This is effectively looking at answers to port 80 requests by 192.168.1.1. As another important study tip, watch for the period (.) between "ip" and "src" on the exam because they'll drop it or change it to a dash (-) to trick you. And lastly, for real-world application, it's important to note that Wireshark considers certain friendly terms such as HTTP as simple placeholders for the actual port. This means in Wireshark (at least as far as CEH is concerned), HTTP and 80 are more or less identical. As a budding ethical hacker, you should know by now that even though something is traveling on port 80, it may or may not be HTTP traffic. A is incorrect because port 80 is defined as the source port, not the destination; 192.168.1.1 is answering a request for an HTML page. B is incorrect because 192.168.1.1 is defined as the source address, not the destination. D is incorrect because the syntax is indeed correct.

A colleague enters the following into a Google search string:
intitle:intranet inurl:intranet intext:"finance"
Which of the following statements is most correct concerning this attempt?

The search engine will respond with only those pages having the word intranet in the title and URL and with finance in the text. This is a great Google hack that's listed on several websites providing Google hacking examples. Think about what you're looking for here—an internal page (intranet in title and URL) possibly containing finance data. Don't you think that would be valuable? This example shows the beauty of combining Google hacks to really burrow down to what you want to grab. Granted, an intranet being available from the Internet, indexed by Google and open enough for you to touch it, is unlikely, but these are questions concerning syntax, not reality.

Examine the following SOA record:
@ IN SOA RTDNSRV1.somebiz.com. postmaster.somebiz.com. (
    200408097 ; serial number
    3600      ; refresh [1h]
    600       ; retry [10m]
    86400     ; expire [1d]
    7200 )    ; min TTL [2h]
If a secondary server in the enterprise is unable to check in for a zone update within an hour, what happens to the zone copy on the secondary?

The zone copy is unchanged. You will definitely see questions about the SOA record. In this question, the key portion you're looking for is the TTL (Time-To-Live) value at the bottom, which is currently two hours (7200 seconds). This sets the time a secondary server has to verify its records are good. If it can't check in, this TTL for zone records will expire, and they'll all be dumped. Considering, though, this TTL is set to two hours and the question states it has been only one hour since update, the zone copy on the secondary will remain unchanged.

An organization's leadership is concerned about social engineering and hires a company to provide training for all employees. How is the organization handling the risk associated with social engineering?

They are mitigating the risk. When it comes to risks, there are four different methods of attempting to deal with them. In risk mitigation, steps are taken to reduce the chance that the risk will even occur, and in this example that's exactly what's happening. Training on social engineering should help reduce the likelihood an employee will fall victim (real-life concerns on this notwithstanding—we are talking about test questions here).

Examine the following Snort rule:
alert tcp !$HOME_NET any -> $HOME_NET 23 (content:"admin"; msg:"Telnet attempt..admin access";)
Which of the following statements are true regarding the rule? (Choose all that apply.)

This rule will alert on packets designated on port 23, from any port, containing the "admin" string. This rule will alert on packets coming from outside the designated home address. Snort rules, logs, entries, and configuration files will definitely be part of your exam. This particular rule takes into account a lot of things you'll see. First, note the exclamation mark (!) just before the HOME_NET variable. Any time you see this, it indicates the opposite of the following variable—in this case, any packet from an address not in the home network and using any source port number, intended for any address that is within the home network. Following that variable is a spot for a port number, and the word any indicates we don't care what the source port is. Next, we spell out the destination information: anything in the home network and destined for port 23. Lastly, we add one more little search before spelling out the message we want to receive: the "content" designator allows us to spell out strings we're looking for.

A pen test team member sends an e-mail to an address that she knows is not valid inside an organization. Which of the following is the best explanation for why she took this action?

To possibly gather information about internal hosts used in the organization's e-mail system The thought process behind this is a lot like banner grabbing or any of a hundred different forced-error situations in hacking: lots of information can be gleaned from responses to an error situation. A bogus internal address has the potential to provide more information about the internal servers used in the organization, including IP addresses and other pertinent details.

Which of the following could provide useful defense against ARP spoofing? (Choose all that apply.)

Use ARPWALL. Use private VLANs. Use static ARP entries. ARPWALL is an application available for download from SourceForge (http://sourceforge.net/projects/arpwall/). It gives an early warning when an ARP attack occurs and simply blocks the connection. Virtual LANs (VLANs) provide a means to create multiple broadcast domains within a single network. Machines on the same switch are in different networks, and their traffic is isolated. Since ARP works on broadcast, this can help prevent large-scale ARP spoofing. Per courseware, static ARP entries are a good idea and at least one way to fix ARP poisoning, since no matter what is banging around out on the network, the system uses the static mapping you configured. An IDS may also be helpful in spotting ARP shenanigans, but wouldn't necessarily do anything about it.

You are separated from your target subnet by a firewall. The firewall is correctly configured and allows requests only to ports opened by the administrator. In firewalking the device, you find that port 80 is open. Which technique could you employ to send data and commands to or from the target system?

Use HTTP tunneling. HTTP tunneling is a successful "hacking" technique. (Microsoft makes use of HTTP tunneling for lots of things, and it has been doing so for years.) The tactic is fairly simple: because port 80 is almost never filtered by a firewall, you can craft port 80 segments to carry a payload for protocols the firewall may have otherwise blocked. Of course, you'll need something on the other end to pull the payload out of all those port 80 packets that IIS is desperately wanting to answer, but that's not altogether difficult.

Which of the following statements is true regarding the TCP three-way handshake?

When accepting the communications request, the recipient responds with an acknowledgement and a randomly generated sequence number in the second step. The three-way handshake will definitely show up on your exam, and in much trickier wording than this. It's easy enough to memorize "SYN, SYN/ACK, ACK," but you'll need more than that for the exam. In step 1, the host sends a segment to the server, indicating it wants to open a communications session. Inside this segment, the host turns on the SYN flag and sets an initial sequence number (any random 32-bit number). When the recipient gets the segment, it crafts a segment in response to let the host know it's open and ready for the communications session. It does this by turning on the SYN and ACK flags, acknowledging the initial sequence number by incrementing it, and adding its own unique sequence number. Lastly, when the host gets this response back, it sends one more segment before the comm channel opens. In this segment, it sets the ACK flag and acknowledges the other's sequence number by incrementing it.

You want to perform a ping sweep of a subnet within your target organization. Which of the following nmap command lines is your best option?

nmap -sP 192.168.1.0/24 The -sP switch within nmap is designed for a ping sweep. Nmap syntax is fairly straightforward: nmap <scan options> <target>. If you don't define a switch, nmap performs a basic enumeration scan of the targets. The switches, though, provide the real power with this tool.

You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean?

Your IDLE scan results will not be useful to you. An IDLE scan makes use of a zombie machine and IP's knack for incrementing fragment identifiers (IPIDs). However, it is absolutely essential the zombie remain idle to all other traffic during the scan. The attacker will send packets to the target with the (spoofed) source address of the zombie. If the port is open, the target will respond to the SYN packet with a SYN/ACK, but this will be sent to the zombie. The zombie system will then craft a RST packet in answer to the unsolicited SYN/ACK, and the IPID will increase. If this occurs randomly, then it's probable your zombie is not, in fact, idle, and your results are moot. See, if it's not idle, it's going to increment haphazardly because communications from the device will be shooting hither and yon with wild abandon. You're banking on the fact the machine is quietly doing your bidding—and nothing else.

You are looking for pages with the terms CEH and V10 in their title. Which Google hack is the appropriate one?

allintitle:CEH V10 The Google search operator allintitle searches for pages that contain the string, or strings, you specify. It also allows for the combination of strings in the title, so you can search for more than one term within the title of a page.

You are examining traffic between hosts and note the following exchange:
Source        Prot  Port  Flag         Destination
192.168.5.12  TCP   4082  FIN/URG/PSH  192.168.5.50
192.168.5.12  TCP   4083  FIN/URG/PSH  192.168.5.50
192.168.5.12  TCP   4084  FIN/URG/PSH  192.168.5.50
192.168.5.50  TCP   4083  RST/ACK      192.168.5.12
192.168.5.12  TCP   4085  FIN/URG/PSH  192.168.5.50
Which of the following statements are true regarding this traffic? (Choose all that apply.)

It appears port 4083 is closed. It appears to be part of an XMAS scan. The exam will ask you to define scan types in many, many ways. It may be a simple definition match; sometimes it'll be some crazy Wireshark or tcpdump listing. In this example, you see a cleaned-up traffic exchange showing packets from one host being sent one after another to the second host, indicating a scan attempt. The packets have the FIN, URG, and PSH flags all set, which tells you it's an XMAS scan. If the destination port is open, you won't receive anything back; if it's closed, you'll see a RST/ACK. This tells you port 4083 looks like it's open. As an addendum, did you know there are two reasons why it's called an XMAS scan? The first is because it lights up an IDS like a Christmas tree, and the second is because the flags themselves are all lit. As an aside, you probably won't see this much out in the real world because it just really doesn't have much applicability. But on your exam? Oh yes—it'll be there.

Which of the following should not be included in a security policy?

Technical details and procedures The whole policy/standard/procedure/guideline thing can get confusing sometimes. Policy is a high-level document that doesn't get down and dirty into technical details/specifications and is intended to improve awareness. Policies are mandatory, generally short, and easy to understand, providing everyone with the rules of the road. Standards are mandatory rules designed to support a policy, and they must include one or more specifications for hardware, software, or behavior. Procedures are step-by-step instructions for completing a task. Guidelines are not mandatory, but rather are recommendations for accomplishing a goal or on how to act in a given situation.

You have a large packet capture file in Wireshark to review. You want to filter traffic to show all packets with an IP address of 192.168.22.5 that contain the string HR_admin. Which of the following filters would accomplish this task?
ip.addr==192.168.22.5 && tcp contains HR_admin
ip.addr 192.168.22.5 && "HR_admin"
ip.addr 192.168.22.5 && tcp string ==HR_admin
ip.addr==192.168.22.5 + tcp contains tide

ip.addr==192.168.22.5 && tcp contains HR_admin This is a perfect example of a typical question on your exam regarding Wireshark syntax. Answer A is the only one that sticks to Wireshark filter syntax. Definitely know the ip.addr, ip.src, and ip.dst filters; the "tcp contains" filter is another favorite of test question writers. When you combine filters in one search, use the && designator, and don't forget the use of double equals signs. Another fun version of this same question involves reading the output from Wireshark. A tool that can help you out with the raw files—including output from other tools like tcpdump—is tcptrace.

Which of the following commands is the best choice to use on a Linux machine when attempting to list processes and the UIDs associated with them in a reliable manner?

lsof Supported in most Unix-like flavors, the "list open files" command (lsof) provides a list of all open files and the processes that opened them. The lsof command describes, among other things, the identification number of the process (PID) that has opened the file, the command the process is executing, and the owner of the process. With optional switches, you can also receive all kinds of additional information. As an aside, the command ps (for process status) is probably an even better choice for the task listed.

You want to run a scan against a target network. You're concerned about it being a reliable scan, with legitimate results, but want to take steps to ensure it is as stealthy as possible. Which scan type is best in this situation?

nmap -sS targetIPaddress A half-open scan, as defined by this nmap command line, is the best option in this case. The SYN scan was created with stealth in mind because the full connect scan was simply too noisy (or created more entries in an application-level logging system, whichever your preference). As far as the real world is concerned, it's a fact that most IDSs can pick up a SYN scan just as easily as a full connect, but if you go slow enough, both a SYN and a full connect can be almost invisible. A connect scan is indistinguishable from a real connection, whereas a SYN scan can be. In other words, the full connect will look like any other conversation—just bunches of them all at once—where a SYN scan will show a lot of systems answering a conversation starter only to be met with rude silence. The lesson is any scan can and probably will be seen in the real world by a monitoring IDS; however, the slower you go, the less chance you'll have of being seen, all things being e

You want to display active and inactive services on a Windows Server machine. Which of the following commands best performs this service?

sc query state= all The sc command will definitely make an appearance or two somewhere on the exam. Per Microsoft, SC.exe retrieves and sets control information about services. You can use SC.exe for testing and debugging service programs. Service properties stored in the registry can be set to control how service applications are started at boot time and run as background processes. SC.exe parameters can configure a specific service, retrieve the current status of a service, as well as stop and start a service.

A team member issues the nbtstat.exe -c command. Which of the following best represents the intent of the command?

It displays the NetBIOS name cache.

You need to put the NIC into listening mode on your Linux box, capture packets, and write the results to a log file named my.log. How do you accomplish this with tcpdump?

tcpdump -i eth0 -w my.log Tcpdump syntax is simple: tcpdump flag(s) interface. The -i flag specifies the interface (in this example, eth0) for tcpdump to listen on, and the -w flag defines where you want your packet log to go. For your own study, be aware that many study references—including EC-Council's official reference books—state that the -i flag "puts the interface into listening mode." It doesn't actually modify the interface at all, so this is a little bit of a misnomer—it just identifies to tcpdump which interface to listen on for traffic. Lastly, be aware that the -w flag dumps traffic in binary format. If you want the traffic to be readable, you'll need to have it display onscreen. Better yet, you can dump it to a file using the | designator and a filename.

You are on a Cisco router and want to identify the path a packet travels to a specific IP. Which of the following is the best command choice for this?

traceroute You probably knew, right up front, this was a traceroute question, but the kicker comes when deciding which traceroute command to use. Traceroute, of course, uses ICMP packets and the TTL (Time-To-Live) value to map out a path between originator and destination. The first packet sent uses a TTL of 1, to show the first hop. The next packet sets it to 2, and so on, and so on, until the destination is found. Each ICMP response provides information on the current hop (unless ICMP is being filtered). On a Windows machine, you'd use the command tracert. On Linux (and Cisco for that matter), you'd use traceroute.

Within the OSRFramework, which tool verifies if a username/profile exists in up to 306 different platforms?

usufy.py The OSRFramework (https://github.com/i3visio/osrframework) is an open source research framework in Python that helps you in the task of user profiling by making use of different open source intelligence (OSINT) tools. The framework design itself is reminiscent of the Metasploit framework. It also has a web-based GUI that does the work for you if you like to work without the command line. In other words, it's a set of libraries used to perform OSINT tasks, helping you gather more, and more accurate, data using multiple applications in one easy-to-use package. Usufy.py is but one of the tools in the framework, and it verifies if a username/profile exists in up to 306 different platforms.

