New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70special

GAQM CEH-001 Certified Ethical Hacker (CEH) Exam Practice Test

Page: 1 / 88
Total 878 questions

Certified Ethical Hacker (CEH) Questions and Answers

Testing Engine

  • Product Type: Testing Engine
$37.5  $124.99

PDF Study Guide

  • Product Type: PDF Study Guide
$33  $109.99
Question 1

A security consultant is trying to bid on a large contract that involves penetration testing and reporting. The company accepting bids wants proof of work so the consultant prints out several audits that have been performed. Which of the following is likely to occur as a result?

Options:

A.

The consultant will ask for money on the bid because of great work.

B.

The consultant may expose vulnerabilities of other companies.

C.

The company accepting bids will want the same type of format of testing.

D.

The company accepting bids will hire the consultant because of the great work performed.

Question 2

Which initial procedure should an ethical hacker perform after being brought into an organization?

Options:

A.

Begin security testing.

B.

Turn over deliverables.

C.

Sign a formal contract with non-disclosure.

D.

Assess what the organization is trying to protect.

Question 3

Which NMAP command combination would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection?

Options:

A.

NMAP -PN -A -O -sS 192.168.2.0/24

B.

NMAP -P0 -A -O -p1-65535 192.168.0/24

C.

NMAP -P0 -A -sT -p0-65535 192.168.0/16

D.

NMAP -PN -O -sS -p 1-1024 192.168.0/8

Question 4

To send a PGP encrypted message, which piece of information from the recipient must the sender have before encrypting the message?

Options:

A.

Recipient's private key

B.

Recipient's public key

C.

Master encryption key

D.

Sender's public key

Question 5

What is the correct PCAP filter to capture all TCP traffic going to or from host 192.168.0.125 on port 25?

Options:

A.

tcp.src == 25 and ip.host == 192.168.0.125

B.

host 192.168.0.125:25

C.

port 25 and host 192.168.0.125

D.

tcp.port == 25 and ip.host == 192.168.0.125

Question 6

When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is

Options:

A.

OWASP is for web applications and OSSTMM does not include web applications.

B.

OSSTMM is gray box testing and OWASP is black box testing.

C.

OWASP addresses controls and OSSTMM does not.

D.

OSSTMM addresses controls and OWASP does not.

Question 7

Which type of access control is used on a router or firewall to limit network activity?

Options:

A.

Mandatory

B.

Discretionary

C.

Rule-based

D.

Role-based

Question 8

Which command lets a tester enumerate alive systems in a class C network via ICMP using native Windows tools?

Options:

A.

ping 192.168.2.

B.

ping 192.168.2.255

C.

for %V in (1 1 255) do PING 192.168.2.%V

D.

for /L %V in (1 1 254) do PING -n 1 192.168.2.%V | FIND /I "Reply"

Question 9

A bank stores and processes sensitive privacy information related to home loans. However, auditing has never been enabled on the system. What is the first step that the bank should take before enabling the audit feature?

Options:

A.

Perform a vulnerability scan of the system.

B.

Determine the impact of enabling the audit feature.

C.

Perform a cost/benefit analysis of the audit feature.

D.

Allocate funds for staffing of audit log review.

Question 10

If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP?

Options:

A.

Hping

B.

Traceroute

C.

TCP ping

D.

Broadcast ping

Question 11

A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. Which is the most efficient technique should the tester consider using?

Options:

A.

Spoofing an IP address

B.

Tunneling scan over SSH

C.

Tunneling over high port numbers

D.

Scanning using fragmented IP packets

Question 12

A hacker is attempting to use nslookup to query Domain Name Service (DNS). The hacker uses the nslookup interactive mode for the search. Which command should the hacker type into the command shell to request the appropriate records?

Options:

A.

Locate type=ns

B.

Request type=ns

C.

Set type=ns

D.

Transfer type=ns

Question 13

How does an operating system protect the passwords used for account logins?

Options:

A.

The operating system performs a one-way hash of the passwords.

B.

The operating system stores the passwords in a secret file that users cannot find.

C.

The operating system encrypts the passwords, and decrypts them when needed.

D.

The operating system stores all passwords in a protected segment of non-volatile memory.

Question 14

Which of the following is an example of IP spoofing?

Options:

A.

SQL injections

B.

Man-in-the-middle

C.

Cross-site scripting

D.

ARP poisoning

Question 15

A developer for a company is tasked with creating a program that will allow customers to update their billing and shipping information. The billing address field used is limited to 50 characters. What pseudo code would the developer use to avoid a buffer overflow attack on the billing address field?

Options:

A.

if (billingAddress = 50) {update field} else exit

B.

if (billingAddress != 50) {update field} else exit

C.

if (billingAddress >= 50) {update field} else exit

D.

if (billingAddress <= 50) {update field} else exit

Question 16

Which of the following is an application that requires a host application for replication?

Options:

A.

Micro

B.

Worm

C.

Trojan

D.

Virus

Question 17

Which of the statements concerning proxy firewalls is correct?

Options:

A.

Proxy firewalls increase the speed and functionality of a network.

B.

Firewall proxy servers decentralize all activity for an application.

C.

Proxy firewalls block network packets from passing to and from a protected network.

D.

Computers establish a connection with a proxy firewall which initiates a new network connection for the client.

Question 18

How do you defend against Privilege Escalation?

Options:

A.

Use encryption to protect sensitive data

B.

Restrict the interactive logon privileges

C.

Run services as unprivileged accounts

D.

Allow security settings of IE to zero or Low

E.

Run users and applications on the least privileges

Question 19

Consider the following code:

text=

If an attacker can trick a victim user to click a link like this, and the Web application does not validate input, then the victim's browser will pop up an alert showing the users current set of cookies. An attacker can do much more damage, including stealing passwords, resetting your home page, or redirecting the user to another Web site.

What is the countermeasure against XSS scripting?

Options:

A.

Create an IP access list and restrict connections based on port number

B.

Replace "<" and ">" characters with "& l t;" and "& g t;" using server scripts

C.

Disable Javascript in IE and Firefox browsers

D.

Connect to the server using HTTPS protocol instead of HTTP

Question 20

Jason works in the sales and marketing department for a very large advertising agency located in Atlanta. Jason is working on a very important marketing campaign for his company's largest client. Before the project could be completed and implemented, a competing advertising company comes out with the exact same marketing materials and advertising, thus rendering all the work done for Jason's client unusable. Jason is questioned about this and says he has no idea how all the material ended up in the hands of a competitor.

Without any proof, Jason's company cannot do anything except move on. After working on another high profile client for about a month, all the marketing and sales material again ends up in the hands of another competitor and is released to the public before Jason's company can finish the project. Once again, Jason says that he had nothing to do with it and does not know how this could have happened. Jason is given leave with pay until they can figure out what is going on.

Jason's supervisor decides to go through his email and finds a number of emails that were sent to the competitors that ended up with the marketing material. The only items in the emails were attached jpg files, but nothing else. Jason's supervisor opens the picture files, but cannot find anything out of the ordinary with them.

What technique has Jason most likely used?

Options:

A.

Stealth Rootkit Technique

B.

ADS Streams Technique

C.

Snow Hiding Technique

D.

Image Steganography Technique

Question 21

You want to hide a secret.txt document inside c:\windows\system32\tcpip.dll kernel library using ADS streams. How will you accomplish this?

Options:

A.

copy secret.txt c:\windows\system32\tcpip.dll kernel>secret.txt

B.

copy secret.txt c:\windows\system32\tcpip.dll:secret.txt

C.

copy secret.txt c:\windows\system32\tcpip.dll |secret.txt

D.

copy secret.txt >< c:\windows\system32\tcpip.dll kernel secret.txt

Question 22

This attack uses social engineering techniques to trick users into accessing a fake Web site and divulging personal information. Attackers send a legitimate-looking e-mail asking users to update their information on the company's Web site, but the URLs in the e-mail actually point to a false Web site.

Options:

A.

Wiresharp attack

B.

Switch and bait attack

C.

Phishing attack

D.

Man-in-the-Middle attack

Question 23

The following script shows a simple SQL injection. The script builds an SQL query by concatenating hard-coded strings together with a string entered by the user:

The user is prompted to enter the name of a city on a Web form. If she enters Chicago, the query assembled by the script looks similar to the following:

SELECT * FROM OrdersTable WHERE ShipCity = 'Chicago'

How will you delete the OrdersTable from the database using SQL Injection?

Options:

A.

Chicago'; drop table OrdersTable --

B.

Delete table'blah'; OrdersTable --

C.

EXEC; SELECT * OrdersTable > DROP --

D.

cmdshell'; 'del c:\sql\mydb\OrdersTable' //

Question 24

Cyber Criminals have long employed the tactic of masking their true identity. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine, by "spoofing" the IP address of that machine.

How would you detect IP spoofing?

Options:

A.

Check the IPID of the spoofed packet and compare it with TLC checksum. If the numbers match then it is spoofed packet

B.

Probe a SYN Scan on the claimed host and look for a response SYN/FIN packet, if the connection completes then it is a spoofed packet

C.

Turn on 'Enable Spoofed IP Detection' in Wireshark, you will see a flag tick if the packet is spoofed

D.

Sending a packet to the claimed host will result in a reply. If the TTL in the reply is not the same as the packet being checked then it is a spoofed packet

Question 25

How many bits encryption does SHA-1 use?

Options:

A.

64 bits

B.

128 bits

C.

256 bits

D.

160 bits

Question 26

In the context of password security: a simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is. The brute force method is the most inclusive - though slow. Usually, it tries every possible letter and number combination in its automated exploration. If you would use both brute force and dictionary combined together to have variations of words, what would you call such an attack?

Options:

A.

Full Blown Attack

B.

Thorough Attack

C.

Hybrid Attack

D.

BruteDict Attack

Question 27

Lori is a Certified Ethical Hacker as well as a Certified Hacking Forensics Investigator working as an IT security consultant. Lori has been hired on by Kiley Innovators, a large marketing firm that recently underwent a string of thefts and corporate espionage incidents. Lori is told that a rival marketing company came out with an exact duplicate product right before Kiley Innovators was about to release it. The executive team believes that an employee is leaking information to the rival company. Lori questions all employees, reviews server logs, and firewall logs; after which she finds nothing. Lori is then given permission to search through the corporate email system. She searches by email being sent to and sent from the rival marketing company.

She finds one employee that appears to be sending very large email to this other marketing company, even though they should have no reason to be communicating with them. Lori tracks down the actual emails sent and upon opening them, only finds picture files attached to them. These files seem perfectly harmless, usually containing some kind of joke. Lori decides to use some special software to further examine the pictures and finds that each one had hidden text that was stored in each picture.

What technique was used by the Kiley Innovators employee to send information to the rival marketing company?

Options:

A.

The Kiley Innovators employee used cryptography to hide the information in the emails sent

B.

The method used by the employee to hide the information was logical watermarking

C.

The employee used steganography to hide information in the picture attachments

D.

By using the pictures to hide information, the employee utilized picture fuzzing

Question 28

How do you defend against DHCP Starvation attack?

Options:

A.

Enable ARP-Block on the switch

B.

Enable DHCP snooping on the switch

C.

Configure DHCP-BLOCK to 1 on the switch

D.

Install DHCP filters on the switch to block this attack

Question 29

In which part of OSI layer, ARP Poisoning occurs?

Options:

A.

Transport Layer

B.

Datalink Layer

C.

Physical Layer

D.

Application layer

Question 30

Maintaining a secure Web server requires constant effort, resources, and vigilance from an organization. Securely administering a Web server on a daily basis is an essential aspect of Web server security.

Maintaining the security of a Web server will usually involve the following steps:

1. Configuring, protecting, and analyzing log files

2. Backing up critical information frequently

3. Maintaining a protected authoritative copy of the organization's Web content

4. Establishing and following procedures for recovering from compromise

5. Testing and applying patches in a timely manner

6. Testing security periodically.

In which step would you engage a forensic investigator?

Options:

A.

1

B.

2

C.

3

D.

4

E.

5

F.

6

Question 31

SYN Flood is a DOS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. The signature of attack for SYN Flood contains:

Options:

A.

The source and destination address having the same value

B.

A large number of SYN packets appearing on a network without the corresponding reply packets

C.

The source and destination port numbers having the same value

D.

A large number of SYN packets appearing on a network with the corresponding reply packets

Question 32

One of the effective DoS/DDoS countermeasures is 'Throttling'. Which statement correctly defines this term?

Options:

A.

Set up routers that access a server with logic to adjust incoming traffic to levels that will be safe for the server to process

B.

Providers can increase the bandwidth on critical connections to prevent them from going down in the event of an attack

C.

Replicating servers that can provide additional failsafe protection

D.

Load balance each server in a multiple-server architecture

Question 33

TCP SYN Flood attack uses the three-way handshake mechanism.

1. An attacker at system A sends a SYN packet to victim at system B.

2. System B sends a SYN/ACK packet to victim A.

3. As a normal three-way handshake mechanism system A should send an ACK packet to system B, however, system A does not send an ACK packet to system B. In this case client B is waiting for an ACK packet from client A.

This status of client B is called _________________

Options:

A.

"half-closed"

B.

"half open"

C.

"full-open"

D.

"xmas-open"

Question 34

Jack Hacker wants to break into Brown Co.'s computers and obtain their secret double fudge cookie recipe. Jack calls Jane, an accountant at Brown Co., pretending to be an administrator from Brown Co. Jack tells Jane that there has been a problem with some accounts and asks her to verify her password with him ''just to double check our records.'' Jane does not suspect anything amiss, and parts with her password. Jack can now access Brown Co.'s computers with a valid user name and password, to steal the cookie recipe. What kind of attack is being illustrated here?

Options:

A.

Reverse Psychology

B.

Reverse Engineering

C.

Social Engineering

D.

Spoofing Identity

E.

Faking Identity

Question 35

What is the name of the international standard that establishes a baseline level of confidence in the security functionality of IT products by providing a set of requirements for evaluation?

Options:

A.

Blue Book

B.

ISO 26029

C.

Common Criteria

D.

The Wassenaar Agreement

Question 36

If an e-commerce site was put into a live environment and the programmers failed to remove the secret entry point that was used during the application development, what is this secret entry point known as?

Options:

A.

SDLC process

B.

Honey pot

C.

SQL injection

D.

Trap door

Question 37

A recently hired network security associate at a local bank was given the responsibility to perform daily scans of the internal network to look for unauthorized devices. The employee decides to write a script that will scan the network for unauthorized devices every morning at 5:00 am.

Which of the following programming languages would most likely be used?

Options:

A.

PHP

B.

C#

C.

Python

D.

ASP.NET

Question 38

A Network Administrator was recently promoted to Chief Security Officer at a local university. One of employee's new responsibilities is to manage the implementation of an RFID card access system to a new server room on campus. The server room will house student enrollment information that is securely backed up to an off-site location.

During a meeting with an outside consultant, the Chief Security Officer explains that he is concerned that the existing security controls have not been designed properly. Currently, the Network Administrator is responsible for approving and issuing RFID card access to the server room, as well as reviewing the electronic access logs on a weekly basis.

Which of the following is an issue with the situation?

Options:

A.

Segregation of duties

B.

Undue influence

C.

Lack of experience

D.

Inadequate disaster recovery plan

Question 39

Which of the following levels of algorithms does Public Key Infrastructure (PKI) use?

Options:

A.

RSA 1024 bit strength

B.

AES 1024 bit strength

C.

RSA 512 bit strength

D.

AES 512 bit strength

Question 40

The network administrator for a company is setting up a website with e-commerce capabilities. Packet sniffing is a concern because credit card information will be sent electronically over the Internet. Customers visiting the site will need to encrypt the data with HTTPS. Which type of certificate is used to encrypt and decrypt the data?

Options:

A.

Asymmetric

B.

Confidential

C.

Symmetric

D.

Non-confidential

Question 41

Which statement is TRUE regarding network firewalls preventing Web Application attacks?

Options:

A.

Network firewalls can prevent attacks because they can detect malicious HTTP traffic.

B.

Network firewalls cannot prevent attacks because ports 80 and 443 must be opened.

C.

Network firewalls can prevent attacks if they are properly configured.

D.

Network firewalls cannot prevent attacks because they are too complex to configure.

Question 42

How can a policy help improve an employee's security awareness?

Options:

A.

By implementing written security procedures, enabling employee security training, and promoting the benefits of security

B.

By using informal networks of communication, establishing secret passing procedures, and immediately terminating employees

C.

By sharing security secrets with employees, enabling employees to share secrets, and establishing a consultative help line

D.

By decreasing an employee's vacation time, addressing ad-hoc employment clauses, and ensuring that managers know employee strengths

Question 43

A pentester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pentester pivot using Metasploit?

Options:

A.

Issue the pivot exploit and set the meterpreter.

B.

Reconfigure the network settings in the meterpreter.

C.

Set the payload to propagate through the meterpreter.

D.

Create a route statement in the meterpreter.

Question 44

A Certificate Authority (CA) generates a key pair that will be used for encryption and decryption of email. The integrity of the encrypted email is dependent on the security of which of the following?

Options:

A.

Public key

B.

Private key

C.

Modulus length

D.

Email server certificate

Question 45

In the OSI model, where does PPTP encryption take place?

Options:

A.

Transport layer

B.

Application layer

C.

Data link layer

D.

Network layer

Question 46

Which of the following is a client-server tool utilized to evade firewall inspection?

Options:

A.

tcp-over-dns

B.

kismet

C.

nikto

D.

hping

Question 47

Which of the following network attacks relies on sending an abnormally large packet size that exceeds TCP/IP specifications?

Options:

A.

Ping of death

B.

SYN flooding

C.

TCP hijacking

D.

Smurf attack

Question 48

When setting up a wireless network, an administrator enters a pre-shared key for security. Which of the following is true?

Options:

A.

The key entered is a symmetric key used to encrypt the wireless data.

B.

The key entered is a hash that is used to prove the integrity of the wireless data.

C.

The key entered is based on the Diffie-Hellman method.

D.

The key is an RSA key used to encrypt the wireless data.

Question 49

WPA2 uses AES for wireless data encryption at which of the following encryption levels?

Options:

A.

64 bit and CCMP

B.

128 bit and CRC

C.

128 bit and CCMP

D.

128 bit and TKIP

Question 50

Which of the following is a preventive control?

Options:

A.

Smart card authentication

B.

Security policy

C.

Audit trail

D.

Continuity of operations plan

Question 51

Which of the following techniques will identify if computer files have been changed?

Options:

A.

Network sniffing

B.

Permission sets

C.

Integrity checking hashes

D.

Firewall alerts

Question 52

Identify SQL injection attack from the HTTP requests shown below:

Options:

A.

http://www.myserver.c0m/search.asp?

lname=smith%27%3bupdate%20usertable%20set%20passwd%3d%27hAx0r%27%3b--%00

B.

http://www.myserver.c0m/script.php?mydata=%3cscript%20src=%22

C.

http%3a%2f%2fwww.yourserver.c0m%2fbadscript.js%22%3e%3c%2fscript%3e

D.

http://www.victim.com/example accountnumber=67891 &creditamount=999999999

Question 53

Johnny is a member of the hacking group Orpheus1. He is currently working on breaking into the Department of Defense's front end Exchange Server. He was able to get into the server, located in a DMZ, by using an unused service account that had a very weak password that he was able to guess. Johnny wants to crack the administrator password, but does not have a lot of time to crack it. He wants to use a tool that already has the LM hashes computed for all possible permutations of the administrator password.

What tool would be best used to accomplish this?

Options:

A.

SMBCrack

B.

SmurfCrack

C.

PSCrack

D.

RainbowTables

Question 54

You are footprinting an organization and gathering competitive intelligence. You visit the company's website for contact information and telephone numbers but do not find them listed there. You know they had the entire staff directory listed on their website 12 months ago but now it is not there. Is there any way you can retrieve information from a website that is outdated?

Options:

A.

Visit Google's search engine and view the cached copy

B.

Crawl the entire website and store them into your computer

C.

Visit Archive.org web site to retrieve the Internet archive of the company's website

D.

Visit the company's partners and customers website for this information

Question 55

In this type of Man-in-the-Middle attack, packets and authentication tokens are captured using a sniffer. Once the relevant information is extracted, the tokens are placed back on the network to gain access.

Options:

A.

Token Injection Replay attacks

B.

Shoulder surfing attack

C.

Rainbow and Hash generation attack

D.

Dumpster diving attack

Question 56

Bob has been hired to do a web application security test. Bob notices that the site is dynamic and must make use of a back end database. Bob wants to see if SQL Injection would be possible. What is the first character that Bob should use to attempt breaking valid SQL request?

Options:

A.

Semi Column

B.

Double Quote

C.

Single Quote

D.

Exclamation Mark

Question 57

You went to great lengths to install all the necessary technologies to prevent hacking attacks, such as expensive firewalls, antivirus software, anti-spam systems and intrusion detection/prevention tools in your company's network. You have configured the most secure policies and tightened every device on your network. You are confident that hackers will never be able to gain access to your network with complex security system in place. Your peer, Peter Smith who works at the same department disagrees with you. He says even the best network security technologies cannot prevent hackers gaining access to the network because of presence of "weakest link" in the security chain. What is Peter Smith talking about?

Options:

A.

Untrained staff or ignorant computer users who inadvertently become the weakest link in your security chain

B.

"zero-day" exploits are the weakest link in the security chain since the IDS will not be able to detect these attacks

C.

"Polymorphic viruses" are the weakest link in the security chain since the Anti-Virus scanners will not be able to detect these attacks

D.

Continuous Spam e-mails cannot be blocked by your security system since spammers use different techniques to bypass the filters in your gateway

Question 58

The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below:

You are hired to conduct security testing on their network. You successfully brute-force the SNMP community string using a SNMP crack tool. The access-list configured at the router prevents you from establishing a successful connection. You want to retrieve the Cisco configuration from the router. How would you proceed?

Options:

A.

Use the Cisco's TFTP default password to connect and download the configuration file

B.

Run a network sniffer and capture the returned traffic with the configuration file from the router

C.

Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address

D.

Send a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0

Question 59

A simple compiler technique used by programmers is to add a terminator 'canary word' containing four letters NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff) so that most string operations are terminated. If the canary word has been altered when the function returns, and the program responds by emitting an intruder alert into syslog, and then halts what does it indicate?

Options:

A.

A buffer overflow attack has been attempted

B.

A buffer overflow attack has already occurred

C.

A firewall has been breached and this is logged

D.

An intrusion detection system has been triggered

E.

The system has crashed

Question 60

How does a denial-of-service attack work?

Options:

A.

A hacker prevents a legitimate user (or group of users) from accessing a service

B.

A hacker uses every character, word, or letter he or she can think of to defeat authentication

C.

A hacker tries to decipher a password by using a system, which subsequently crashes the network

D.

A hacker attempts to imitate a legitimate user by confusing a computer or even another person

Question 61

What type of attack is shown here?

Options:

A.

Bandwidth exhaust Attack

B.

Denial of Service Attack

C.

Cluster Service Attack

D.

Distributed Denial of Service Attack

Question 62

This method is used to determine the Operating system and version running on a remote target system. What is it called?

Options:

A.

Service Degradation

B.

OS Fingerprinting

C.

Manual Target System

D.

Identification Scanning

Question 63

Yancey is a network security administrator for a large electric company. This company provides power for over 100, 000 people in Las Vegas. Yancey has worked for his company for over 15 years and has become very successful. One day, Yancey comes in to work and finds out that the company will be downsizing and he will be out of a job in two weeks. Yancey is very angry and decides to place logic bombs, viruses, Trojans, and backdoors all over the network to take down the company once he has left. Yancey does not care if his actions land him in jail for 30 or more years, he just wants the company to pay for what they are doing to him. What would Yancey be considered?

Options:

A.

Yancey would be considered a Suicide Hacker

B.

Since he does not care about going to jail, he would be considered a Black Hat

C.

Because Yancey works for the company currently; he would be a White Hat

D.

Yancey is a Hacktivist Hacker since he is standing up to a company that is downsizing

Question 64

What is the correct order of steps in CEH System Hacking Cycle?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 65

This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes un-sanitized user-provided data.

">See foobar

What is this attack?

Options:

A.

Cross-site-scripting attack

B.

SQL Injection

C.

URL Traversal attack

D.

Buffer Overflow attack

Question 66

Gerald, the Systems Administrator for Hyped Enterprises, has just discovered that his network has been breached by an outside attacker. After performing routine maintenance on his servers, he discovers numerous remote tools were installed that no one claims to have knowledge of in his department. Gerald logs onto the management console for his IDS and discovers an unknown IP address that scanned his network constantly for a week and was able to access his network through a high-level port that was not closed. Gerald traces the IP address he found in the IDS log to a proxy server in Brazil. Gerald calls the company that owns the proxy server and after searching through their logs, they trace the source to another proxy server in Switzerland. Gerald calls the company in Switzerland that owns the proxy server and after scanning through the logs again, they trace the source back to a proxy server in China. What proxy tool has Gerald's attacker used to cover their tracks?

Options:

A.

ISA proxy

B.

IAS proxy

C.

TOR proxy

D.

Cheops proxy

Question 67

Fred is scanning his network to ensure it is as secure as possible. Fred sends a TCP probe packet to a host with a FIN flag and he receives a RST/ACK response. What does this mean?

Options:

A.

This response means the port he is scanning is open.

B.

The RST/ACK response means the port Fred is scanning is disabled.

C.

This means the port he is scanning is half open.

D.

This means that the port he is scanning on the host is closed.

Question 68

What is the IV key size used in WPA2?

Options:

A.

32

B.

24

C.

16

D.

48

E.

128

Question 69

A hacker, who posed as a heating and air conditioning specialist, was able to install a sniffer program in a switched environment network. Which attack could the hacker use to sniff all of the packets in the network?

Options:

A.

Fraggle

B.

MAC Flood

C.

Smurf

D.

Tear Drop

Question 70

To see how some of the hosts on your network react, Winston sends out SYN packets to an IP range. A number of IPs respond with a SYN/ACK response. Before the connection is established he sends RST packets to those hosts to stop the session. Winston has done this to see how his intrusion detection system will log the traffic. What type of scan is Winston attempting here?

Options:

A.

Winston is attempting to find live hosts on your company's network by using an XMAS scan.

B.

He is utilizing a SYN scan to find live hosts that are listening on your network.

C.

This type of scan he is using is called a NULL scan.

D.

He is using a half-open scan to find live hosts on your network.

Question 71

During a wireless penetration test, a tester detects an access point using WPA2 encryption. Which of the following attacks should be used to obtain the key?

Options:

A.

The tester must capture the WPA2 authentication handshake and then crack it.

B.

The tester must use the tool inSSIDer to crack it using the ESSID of the network.

C.

The tester cannot crack WPA2 because it is in full compliance with the IEEE 802.11i standard.

D.

The tester must change the MAC address of the wireless network card and then use the AirTraf tool to obtain the key.

Question 72

Which of the following conditions must be given to allow a tester to exploit a Cross-Site Request Forgery (CSRF) vulnerable web application?

Options:

A.

The victim user must open the malicious link with an Internet Explorer prior to version 8.

B.

The session cookies generated by the application do not have the HttpOnly flag set.

C.

The victim user must open the malicious link with a Firefox prior to version 3.

D.

The web application should not use random tokens.

Question 73

If an attacker's computer sends an IPID of 31400 to a zombie (Idle Scanning) computer on an open port, what will be the response?

Options:

A.

31400

B.

31402

C.

The zombie will not send a response

D.

31401

Question 74

Passive reconnaissance involves collecting information through which of the following?

Options:

A.

Social engineering

B.

Network traffic sniffing

C.

Man in the middle attacks

D.

Publicly accessible sources

Question 75

Which vital role does the U.S. Computer Security Incident Response Team (CSIRT) provide?

Options:

A.

Incident response services to any user, company, government agency, or organization in partnership with the Department of Homeland Security

B.

Maintenance of the nation’s Internet infrastructure, builds out new Internet infrastructure, and decommissions old Internet infrastructure

C.

Registration of critical penetration testing for the Department of Homeland Security and public and private sectors

D.

Measurement of key vulnerability assessments on behalf of the Department of Defense (DOD) and State Department, as well as private sectors

Question 76

Least privilege is a security concept that requires that a user is

Options:

A.

limited to those functions required to do the job.

B.

given root or administrative privileges.

C.

trusted to keep all data and access to that data under their sole control.

D.

given privileges equal to everyone else in the department.

Question 77

Jake is a network administrator who needs to get reports from all the computer and network devices on his network. Jake wants to use SNMP but is afraid that won't be secure since passwords and messages are in clear text. How can Jake gather network information in a secure manner?

Options:

A.

He can use SNMPv3

B.

Jake can use SNMPrev5

C.

He can use SecWMI

D.

Jake can use SecSNMP

Question 78

June, a security analyst, understands that a polymorphic virus has the ability to mutate and can change its known viral signature and hide from signature-based antivirus programs. Can June use an antivirus program in this case and would it be effective against a polymorphic virus?

Options:

A.

Yes. June can use an antivirus program since it compares the parity bit of executable files to the database of known check sum counts and it is effective on a polymorphic virus

B.

Yes. June can use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and it is very effective against a polymorphic virus

C.

No. June can't use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and in the case the polymorphic viruses cannot be detected by a signature-based anti-virus program

D.

No. June can't use an antivirus program since it compares the size of executable files to the database of known viral signatures and it is effective on a polymorphic virus

Question 79

When utilizing technical assessment methods to assess the security posture of a network, which of the following techniques would be most effective in determining whether end-user security training would be beneficial?

Options:

A.

Vulnerability scanning

B.

Social engineering

C.

Application security testing

D.

Network sniffing

Question 80

When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following?

Options:

A.

Drops the packet and moves on to the next one

B.

Continues to evaluate the packet until all rules are checked

C.

Stops checking rules, sends an alert, and lets the packet continue

D.

Blocks the connection with the source IP address in the packet

Question 81

Perimeter testing means determining exactly what your firewall blocks and what it allows. To conduct a good test, you can spoof source IP addresses and source ports. Which of the following command results in packets that will appear to originate from the system at 10.8.8.8? Such a packet is useful for determining whether the firewall is allowing random packets in or out of your network.

Options:

A.

hping3 -T 10.8.8.8 -S netbios -c 2 -p 80

B.

hping3 -Y 10.8.8.8 -S windows -c 2 -p 80

C.

hping3 -O 10.8.8.8 -S server -c 2 -p 80

D.

hping3 -a 10.8.8.8 -S springfield -c 2 -p 80

Question 82

What type of port scan is shown below?

Options:

A.

Idle Scan

B.

Windows Scan

C.

XMAS Scan

D.

SYN Stealth Scan

Question 83

Which type of scan measures a person's external features through a digital video camera?

Options:

A.

Iris scan

B.

Retinal scan

C.

Facial recognition scan

D.

Signature kinetics scan

Question 84

What type of port scan is represented here.

Options:

A.

Stealth Scan

B.

Full Scan

C.

XMAS Scan

D.

FIN Scan

Question 85

Keystroke logging is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.

How will you defend against hardware keyloggers when using public computers and Internet Kiosks? (Select 4 answers)

Options:

A.

Alternate between typing the login credentials and typing characters somewhere else in the focus window

B.

Type a wrong password first, later type the correct password on the login page defeating the keylogger recording

C.

Type a password beginning with the last letter and then using the mouse to move the cursor for each subsequent letter.

D.

The next key typed replaces selected text portion. E.g. if the password is "secret", one could type "s", then some dummy keys "asdfsd".

Then these dummies could be selected with mouse, and next character from the password "e" is typed, which replaces the dummies

"asdfsd"

E.

The next key typed replaces selected text portion. E.g. if the password is "secret", one could type "s", then some dummy keys "asdfsd".

Then these dummies could be selected with mouse, and next character from the password "e" is typed, which replaces the dummies

"asdfsd"

Question 86

Which of the following Nmap commands would be used to perform a stack fingerprinting?

Options:

A.

Nmap -O -p80

B.

Nmap -hU -Q

C.

Nmap -sT -p

D.

Nmap -u -o -w2

E.

Nmap -sS -0p target

Question 87

Bob has been hired to perform a penetration test on XYZ.com. He begins by looking at IP address ranges owned by the company and details of domain name registration. He then goes to News Groups and financial web sites to see if they are leaking any sensitive information of have any technical details online.

Within the context of penetration testing methodology, what phase is Bob involved with?

Options:

A.

Passive information gathering

B.

Active information gathering

C.

Attack phase

D.

Vulnerability Mapping

Question 88

NSLookup is a good tool to use to gain additional information about a target network. What does the following command accomplish?

nslookup

> server

> set type =any

> ls -d

Options:

A.

Enables DNS spoofing

B.

Loads bogus entries into the DNS table

C.

Verifies zone security

D.

Performs a zone transfer

E.

Resets the DNS cache

Question 89

A very useful resource for passively gathering information about a target company is:

Options:

A.

Host scanning

B.

Whois search

C.

Traceroute

D.

Ping sweep

Question 90

You are scanning into the target network for the first time. You find very few conventional ports open. When you attempt to perform traditional service identification by connecting to the open ports, it yields either unreliable or no results. You are unsure of which protocols are being used. You need to discover as many different protocols as possible.

Which kind of scan would you use to achieve this? (Choose the best answer)

Options:

A.

Nessus scan with TCP based pings.

B.

Nmap scan with the –sP (Ping scan) switch.

C.

Netcat scan with the –u –e switches.

D.

Nmap with the –sO (Raw IP packets) switch.

Question 91

An nmap command that includes the host specification of 202.176.56-57.* will scan _______ number of hosts.

Options:

A.

2

B.

256

C.

512

D.

Over 10, 000

Question 92

A distributed port scan operates by:

Options:

A.

Blocking access to the scanning clients by the targeted host

B.

Using denial-of-service software against a range of TCP ports

C.

Blocking access to the targeted host by each of the distributed scanning clients

D.

Having multiple computers each scan a small number of ports, then correlating the results

Question 93

What is the disadvantage of an automated vulnerability assessment tool?

Options:

A.

Ineffective

B.

Slow

C.

Prone to false positives

D.

Prone to false negatives

E.

Noisy

Question 94

Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing "server publishing"?

Options:

A.

Overloading Port Address Translation

B.

Dynamic Port Address Translation

C.

Dynamic Network Address Translation

D.

Static Network Address Translation

Question 95

You receive an email with the following message:

Hello Steve,

We are having technical difficulty in restoring user database record after the recent blackout. Your account data is corrupted. Please logon to the SuperEmailServices.com and change your password.

If you do not reset your password within 7 days, your account will be permanently disabled locking you out from our e-mail services.

Sincerely,

Technical Support

SuperEmailServices

From this e-mail you suspect that this message was sent by some hacker since you have been using their e-mail services for the last 2 years and they have never sent out an e-mail such as this. You also observe the URL in the message and confirm your suspicion about 0xde.0xad.0xbde.0xef which looks like hexadecimal numbers. You immediately enter the following at Windows 2000 command prompt:

Ping 0xde.0xad.0xbe.0xef

You get a response with a valid IP address.

What is the obstructed IP address in the e-mail URL?

Options:

A.

222.173.190.239

B.

233.34.45.64

C.

54.23.56.55

D.

199.223.23.45

Question 96

What is the proper response for a NULL scan if the port is closed?

Options:

A.

SYN

B.

ACK

C.

FIN

D.

PSH

E.

RST

F.

No response

Question 97

Which of the following is considered an acceptable option when managing a risk?

Options:

A.

Reject the risk.

B.

Deny the risk.

C.

Mitigate the risk.

D.

Initiate the risk.

Question 98

MX record priority increases as the number increases. (True/False.

Options:

A.

True

B.

False

Question 99

What does an ICMP (Code 13) message normally indicates?

Options:

A.

It indicates that the destination host is unreachable

B.

It indicates to the host that the datagram which triggered the source quench message will need to be re-sent

C.

It indicates that the packet has been administratively dropped in transit

D.

It is a request to the host to cut back the rate at which it is sending traffic to the Internet destination

Question 100

What flags are set in a X-MAS scan?(Choose all that apply.

Options:

A.

SYN

B.

ACK

C.

FIN

D.

PSH

E.

RST

F.

URG

Question 101

To what does “message repudiation” refer to what concept in the realm of email security?

Options:

A.

Message repudiation means a user can validate which mail server or servers a message was passed through.

B.

Message repudiation means a user can claim damages for a mail message that damaged their reputation.

C.

Message repudiation means a recipient can be sure that a message was sent from a particular person.

D.

Message repudiation means a recipient can be sure that a message was sent from a certain host.

E.

Message repudiation means a sender can claim they did not actually send a particular message.

Question 102

Which of the following LM hashes represents a password of less than 8 characters?

Options:

A.

0182BD0BD4444BF836077A718CCDF409

B.

44EFCE164AB921CQAAD3B435B51404EE

C.

BA810DBA98995F1817306D272A9441BB

D.

CEC52EB9C8E3455DC2265B23734E0DAC

E.

B757BF5C0D87772FAAD3B435B51404EE

F.

E52CAC67419A9A224A3B108F3FA6CB6D

Question 103

In the context of password security, a simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is. The brute force method is the most inclusive, although slow. It usually tries every possible letter and number combination in its automated exploration.

If you would use both brute force and dictionary methods combined together to have variation of words, what would you call such an attack?

Options:

A.

Full Blown

B.

Thorough

C.

Hybrid

D.

BruteDics

Question 104

Which of the following LM hashes represent a password of less than 8 characters? (Select 2)

Options:

A.

BA810DBA98995F1817306D272A9441BB

B.

44EFCE164AB921CQAAD3B435B51404EE

C.

0182BD0BD4444BF836077A718CCDF409

D.

CEC52EB9C8E3455DC2265B23734E0DAC

E.

B757BF5C0D87772FAAD3B435B51404EE

F.

E52CAC67419A9A224A3B108F3FA6CB6D

Question 105

Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weaknesses and key loggers.

Which of the following options best represents the means that Bob can adopt to retrieve passwords from his clients hosts and servers?

Options:

A.

Hardware, Software, and Sniffing.

B.

Hardware and Software Keyloggers.

C.

Passwords are always best obtained using Hardware key loggers.

D.

Software only, they are the most effective.

Question 106

Exhibit:

You have captured some packets in Ethereal. You want to view only packets sent from 10.0.0.22. What filter will you apply?

Options:

A.

ip = 10.0.0.22

B.

ip.src == 10.0.0.22

C.

ip.equals 10.0.0.22

D.

ip.address = 10.0.0.22

Question 107

What hacking attack is challenge/response authentication used to prevent?

Options:

A.

Replay attacks

B.

Scanning attacks

C.

Session hijacking attacks

D.

Password cracking attacks

Question 108

_________ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes.

Options:

A.

Trojan

B.

RootKit

C.

DoS tool

D.

Scanner

E.

Backdoor

Question 109

You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters.

With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results?

Options:

A.

Online Attack

B.

Dictionary Attack

C.

Brute Force Attack

D.

Hybrid Attack

Question 110

What is the term 8 to describe an attack that falsifies a broadcast ICMP echo request and includes a primary and secondary victim?

Options:

A.

Fraggle Attack

B.

Man in the Middle Attack

C.

Trojan Horse Attack

D.

Smurf Attack

E.

Back Orifice Attack

Question 111

What ports should be blocked on the firewall to prevent NetBIOS traffic from not coming through the firewall if your network is comprised of Windows NT, 2000, and XP?(Choose all that apply.

Options:

A.

110

B.

135

C.

139

D.

161

E.

445

F.

1024

Question 112

A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging in.

What do you think is the most likely reason behind this?

Options:

A.

There is a NIDS present on that segment.

B.

Kerberos is preventing it.

C.

Windows logons cannot be sniffed.

D.

L0phtcrack only sniffs logons to web servers.

Question 113

A POP3 client contacts the POP3 server:

Options:

A.

To send mail

B.

To receive mail

C.

to send and receive mail

D.

to get the address to send mail to

E.

initiate a UDP SMTP connection to read mail

Question 114

Which of the following is not considered to be a part of active sniffing?

Options:

A.

MAC Flooding

B.

ARP Spoofing

C.

SMAC Fueling

D.

MAC Duplicating

Question 115

In the context of Windows Security, what is a 'null' user?

Options:

A.

A user that has no skills

B.

An account that has been suspended by the admin

C.

A pseudo account that has no username and password

D.

A pseudo account that was created for security administration purpose

Question 116

E-mail scams and mail fraud are regulated by which of the following?

Options:

A.

18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers

B.

18 U.S.C. par. 1029 Fraud and Related activity in connection with Access Devices

C.

18 U.S.C. par. 1362 Communication Lines, Stations, or Systems

D.

18 U.S.C. par. 2510 Wire and Electronic Communications Interception and Interception of Oral Communication

Question 117

LM authentication is not as strong as Windows NT authentication so you may want to disable its use, because an attacker eavesdropping on network traffic will attack the weaker protocol. A successful attack can compromise the user's password. How do you disable LM authentication in Windows XP?

Options:

A.

Stop the LM service in Windows XP

B.

Disable LSASS service in Windows XP

C.

Disable LM authentication in the registry

D.

Download and install LMSHUT.EXE tool from Microsoft website

Question 118

What is the proper response for a NULL scan if the port is open?

Options:

A.

SYN

B.

ACK

C.

FIN

D.

PSH

E.

RST

F.

No response

Question 119

The follows is an email header. What address is that of the true originator of the message?

Options:

A.

19.25.19.10

B.

51.32.123.21

C.

168.150.84.123

D.

215.52.220.122

E.

8.10.2/8.10.2

Question 120

What are the main drawbacks for anti-virus software?

Options:

A.

AV software is difficult to keep up to the current revisions.

B.

AV software can detect viruses but can take no action.

C.

AV software is signature driven so new exploits are not detected.

D.

It’s relatively easy for an attacker to change the anatomy of an attack to bypass AV systems

E.

AV software isn’t available on all major operating systems platforms.

F.

AV software is very machine (hardware) dependent.

Question 121

Jim’s organization has just completed a major Linux roll out and now all of the organization’s systems are running the Linux 2.5 kernel. The roll out expenses has posed constraints on purchasing other essential security equipment and software. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ.

Which built-in functionality of Linux can achieve this?

Options:

A.

IP Tables

B.

IP Chains

C.

IP Sniffer

D.

IP ICMP

Question 122

Peter is a Network Admin. He is concerned that his network is vulnerable to a smurf attack. What should Peter do to prevent a smurf attack?

Select the best answer.

Options:

A.

He should disable unicast on all routers

B.

Disable multicast on the router

C.

Turn off fragmentation on his router

D.

Make sure all anti-virus protection is updated on all systems

E.

Make sure his router won't take a directed broadcast

Question 123

What is Hunt used for?

Options:

A.

Hunt is used to footprint networks

B.

Hunt is used to sniff traffic

C.

Hunt is used to hack web servers

D.

Hunt is used to intercept traffic i.e. man-in-the-middle traffic

E.

Hunt is used for password cracking

Question 124

Which of the following is true of the wireless Service Set ID (SSID)? (Select all that apply.)

Options:

A.

Identifies the wireless network

B.

Acts as a password for network access

C.

Should be left at the factory default setting

D.

Not broadcasting the SSID defeats NetStumbler and other wireless discovery tools

Question 125

Joe Hacker is going wardriving. He is going to use PrismStumbler and wants it to go to a GPS mapping software application. What is the recommended and well-known GPS mapping package that would interface with PrismStumbler?

Select the best answer.

Options:

A.

GPSDrive

B.

GPSMap

C.

WinPcap

D.

Microsoft Mappoint

Question 126

Most NIDS systems operate in layer 2 of the OSI model. These systems feed raw traffic into a detection engine and rely on the pattern matching and/or statistical analysis to determine what is malicious. Packets are not processed by the host's TCP/IP stack allowing the NIDS to analyze traffic the host would otherwise discard. Which of the following tools allows an attacker to intentionally craft packets to confuse pattern-matching NIDS systems, while still being correctly assembled by the host TCP/IP stack to render the attack payload?

Options:

A.

Defrag

B.

Tcpfrag

C.

Tcpdump

D.

Fragroute

Question 127

How many bits encryption does SHA-1 use?

Options:

A.

64 bits

B.

128 bits

C.

160 bits

D.

256 bits

Question 128

You wish to determine the operating system and type of web server being used. At the same time you wish to arouse no suspicion within the target organization.

While some of the methods listed below work, which holds the least risk of detection?

Options:

A.

Make some phone calls and attempt to retrieve the information using social engineering.

B.

Use nmap in paranoid mode and scan the web server.

C.

Telnet to the web server and issue commands to illicit a response.

D.

Use the netcraft web site look for the target organization’s web site.

Question 129

Which of the following wireless technologies can be detected by NetStumbler? (Select all that apply)

Options:

A.

802.11b

B.

802.11e

C.

802.11a

D.

802.11g

E.

802.11

Question 130

What is a sheepdip?

Options:

A.

It is another name for Honeynet

B.

It is a machine used to coordinate honeynets

C.

It is the process of checking physical media for virus before they are used in a computer

D.

None of the above

Question 131

Why do you need to capture five to ten million packets in order to crack WEP with AirSnort?

Options:

A.

All IVs are vulnerable to attack

B.

Air Snort uses a cache of packets

C.

Air Snort implements the FMS attack and only encrypted packets are counted

D.

A majority of weak IVs transmitted by access points and wireless cards are not filtered by contemporary wireless manufacturers

Page: 1 / 88
Total 878 questions