CEH Prep Guide

Date post: 28-Oct-2015
Upload: yrwright
Page 1: CEH Prep Guide

CEH Study Guide

The Certified Ethical Hacker certification exam is a standalone certification from EC-Council with the exam code 312-50v8. The certification is targeted at Ethical Hacking professionals involved with hacking fundamentals, footprinting, and scanning. The exam covers hacking skills, Linux System Security, Trojans, Web server hacking, and Wireless hacking.

© 2013 TrainACE / Advanced Security.

www.trainace.com/security © 2012-2013 TrainACE / Advanced Security.

Mike wants to use NMAP to do basic vulnerability scanning. What does NMAP use for protocols such as FTP and HTTP?

a. NESSUS scripting engine
b. Metasploit scripting engine
c. SAINT scripting engine
d. NMAP scripting engine

Answer: D

39. Q: John is a college student. He is interested in computer security. He wants to gain knowledge about ethical hacking so that he can make information systems secure. In which of the following areas should John acquire expertise in order to fulfill his dream?

Each correct answer represents a complete solution. Choose all that apply.

a. John should have excellent knowledge of computers and their functioning, including programming and networking.
b. Since organizations have a variety of operating systems, such as UNIX, Linux, Windows, and Macintosh, John must be an expert in dealing with these operating systems.
c. John should be familiar with a number of hardware platforms.
d. John should be an expert in security-related communication and report writing.

Explanation: Answer options A, B, C, and D are correct.

According to the scenario, John should have expertise in all the areas listed in the above options. An ethical hacker should have an excellent knowledge of computers and their functioning, including programming and networking. Since organizations have a variety of operating systems, such as UNIX, Linux, Windows, and Macintosh, an ethical hacker must be an expert in dealing with these operating systems. Ethical hackers should also be familiar with a number of hardware platforms. They should be knowledgeable about security areas and related issues as well.

Routers use "routing" protocols. Which of the following would a router use? (Choose 2)

a. UDP
b. RIP
c. TCP
d. BGP
e. SMTP

Answer: B and D

39. Q: Which of the following classes of hackers describes an individual who uses his computer knowledge for breaking security laws, invading privacy, and making information systems insecure?

a. Black Hat
b. White Hat
c. Gray Hat
d. Security providing organizations

Explanation: Answer option A is correct.

A Black Hat Hacker is an individual who uses his computer knowledge for breaking security laws, invading privacy, and making information systems insecure.

Hackers are categorized into the following classes:

Black Hat Hackers (Crackers): These are persons who are computer specialists and use their hacking skills to carry out malicious attacks on information systems.

Gray Hat Hackers: These are persons who sometimes do not break laws and help to defend a network, but sometimes act as Black Hat Hackers.

White Hat Hackers (Ethical Hackers): These are persons who have excellent computer skills and use their knowledge to secure information systems.

Security Providing Organizations: Some organizations and communities also provide security to information systems.

39. Q: Which of the following statements is true of vulnerability?

a. It is a security weakness in a Target of Evaluation due to failures in analysis, design, implementation, or operation.
b. It refers to a situation in which humans or natural occurrences can cause an undesirable outcome.
c. It is an agent that can take advantage of a weakness.
d. It is a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.

Explanation: Answer option A is correct.

Vulnerability is a weakness or lack of safeguard that can be exploited by a threat, thus causing harm to the information systems or networks. It can exist in hardware, operating systems, firmware, applications, and configuration files.

Answer options B, C, and D are incorrect. A threat is an indication of a potential undesirable event. It refers to a situation in which humans or natural occurrences can cause an undesirable outcome. Vulnerability is an agent that can take advantage of the weakness.

5. Q: Maria works as a professional Ethical Hacker. She recently has been assigned a project to test the security of www.we-are-secure.com. The company has provided the following information about the infrastructure of its network:

Network diagrams of the we-are-secure infrastructure
Source code of the security tools
IP addressing information of the we-are-secure network

Which of the following testing methodologies is we-are-secure.com using to test the security of its network?

a. Whitebox
b. Blackbox
c. Graybox
d. Alpha testing

Explanation: Answer option A is correct.

According to the scenario, we-are-secure.com is using the whitebox testing technique. Whitebox testing is a testing technique in which an organization provides full knowledge about the infrastructure to the testing team.

Answer option B is incorrect. Blackbox testing is a technique in which the testing team has no knowledge about the infrastructure of the organization. This testing technique is costly and time consuming.

Answer option C is incorrect. Graybox testing is a combination of whitebox testing and blackbox testing. In graybox testing, the test engineer is equipped with the knowledge of the system and designs test cases or test data based on system knowledge.

What is the principle that a party cannot deny its role (i.e. sending a document) in an activity?

a. Non-repudiation
b. Availability
c. Privacy
d. Confidentiality

Answer: A

Microsoft servers (file and print) are often a target of attackers. What are common vulnerabilities?

a. XSS
b. SQL injection
c. missing patches
d. weak IVs

Answer: C

6. Q: Samantha works as an Ethical Hacker for we-are-secure Inc. She wants to test the security of the we-are-secure server for DoS attacks. She sends a large number of ICMP ECHO packets to the target computer. Which of the following DoS attacking techniques is she using to accomplish her task?

a. Smurf DoS attack
b. Ping flood attack
c. Teardrop attack
d. Land attack

Explanation: Answer option B is correct.

According to the scenario, Samantha is using the ping flood attack. In a ping flood attack, an attacker sends a large number of ICMP packets to the target computer.

Answer option A is incorrect. In a smurf DoS attack, the attacker sends a large amount of ICMP echo request traffic to the IP broadcast addresses. These ICMP requests have a spoofed source address of the intended victim.

Answer option C is incorrect. In a teardrop attack, a series of data packets are sent to the target system with overlapping offset field values. As a result, the target system is unable to reassemble these packets and is forced to crash, hang, or reboot.

Answer option D is incorrect. In a land attack, the attacker sends a spoofed TCP SYN packet in which the IP address of the target host is filled in both the source and destination fields.

Q: Which individuals believe that hacking and defacing web sites can promote social changes?

a. Hacktivists
b. Crackers
c. Script kiddies
d. Phreakers

Explanation: Answer option A is correct.

Hacktivists are individuals who believe that hacking and defacing web sites can promote social changes.

Hacktivism is the act of hacking or breaking into a computer system for a politically or socially motivated purpose. The person who performs the act of hacktivism is known as a hacktivist. A hacktivist uses the same tools and techniques as those used by a hacker.

Answer option B is incorrect. Crackers are individuals who use their skill and knowledge for harmful activities.

Answer option C is incorrect. Script kiddies are individuals who have little or no programming skills and use freely available hacking software.

Answer option D is incorrect. Phreakers are individuals who focus on communication systems to steal information.

To limit the possibility of a system being compromised, also referred to as reducing the attack surface, what should your security team do?

a. Harvesting
b. Hardening
c. Scanning
d. Windowing

Answer: B

7. Q: Which of the following statements are true about threats?

Each correct answer represents a complete solution. Choose all that apply.

a. A threat is a sequence of circumstances and events that allows a human or other agent to cause an information-related misfortune by exploiting a vulnerability in an IT product.
b. A threat is a potential for violation of security which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
c. A threat is a weakness or lack of safeguard that can be exploited by vulnerability, thus causing harm to the information systems or networks.
d. A threat is any circumstance or event with the potential of causing harm to a system in the form of destruction, disclosure, modification of data, or denial of service.

Explanation: Answer options A, B, and D are correct.

A threat is an indication of a potential undesirable event. It refers to a situation in which humans or natural occurrences can cause an undesirable outcome.

8. Q: John works as a professional Ethical Hacker. He is assigned a project to test the security of www.we-are-secure.com. He knows the steps taken by a malicious hacker to perform hacking. What steps are performed in malicious hacking?

a. Step 1: Reconnaissance: In this phase, the attacker gathers information about the victim.
b. Step 2: Scanning: In this phase, the attacker begins to probe the target for vulnerabilities that can be exploited.
c. Step 3: Gaining Access: In this phase, the attacker exploits a vulnerability to gain access into the system.
d. Step 4: Maintaining Access: In this phase, the attacker maintains access to fulfill his purpose of entering into the network.
e. Step 5: Covering\Clearing Tracks: In this phase, the attacker attempts to cover his tracks so that he cannot be detected or penalized under criminal law.

Explanation: The following are the phases of malicious hacking:

When using Wireshark to acquire packet capture on a network, which device would enable the capture of all traffic on the wire?

A. Layer 3 switch
B. Network tap
C. Network bridge
D. router

Answer: B

Q: John is a malicious attacker. He illegally accesses the server of We-are-secure Inc. He then places a backdoor in the We-are-secure server and alters its log files. Which of the following steps of malicious hacking includes altering the server log files?

f. Reconnaissance
g. Maintaining access
h. Gaining access
i. Covering\Clearing tracks

Explanation: Answer option i. is correct.

According to the scenario, John has installed a backdoor on the We-are-secure server so that he can have access whenever he wants to log in. This process comes under the Maintaining access phase of malicious hacking. Further, John alters the server's log files, which could give a clue about his malicious intent to the Network Administrator. This process comes under the Covering tracks phase of malicious hacking.

If two companies merge, what must be done so that each company's Certificate Authority will trust the certificates generated by the other company?

a. Cross-certification
b. Federated Identity
c. Public Key Exchange Authorization
d. It cannot be done; a new PKI system will need to be created

Answer: A

Which system of PKI verifies the applicant?

a. Certificate Authority
b. Registration Authority
c. Root CA
d. Validation Authority

Answer: B

9. Q: Which of the following statements correctly defines a script kiddie?

a. He is an individual who uses hacking programs developed by others to attack information systems and spoil websites.
b. He is an individual who has lost respect and integrity as an employee in any organization.
c. He is an individual who breaks communication systems to perform hacking.
d. He is an individual who is an expert in various computer fields, such as operating systems, networking, hardware, software, etc. and enjoys the mental challenge of decoding computer programs, solving network vulnerabilities and security threats, etc.

Explanation: Answer option A is correct.

Answer option B is incorrect. This option defines a disgruntled employee. A disgruntled employee is an individual who has lost respect and integrity as an employee in an organization. Most of the time, he/she has more knowledge than a script kiddie.

10. Q: Which of the following penetration testing phases involves reconnaissance or data gathering?

a. Pre-attack phase
b. Attack phase
c. Post-attack phase
d. Out-attack phase

Explanation: Answer option A is correct.

The pre-attack phase is the first step for a penetration tester. The pre-attack phase involves reconnaissance or data gathering. It also includes gathering data from Whois, DNS, and network scanning, which help in mapping a target network and provide valuable information regarding the operating system and applications running on the systems.

Q: Which of the following policies defines the acceptable methods of remotely connecting a system to the internal network?

a. Remote access policy
b. Network security policy
c. Computer security policy
d. User Account Policy

Explanation: Answer option A is correct.

A remote access policy is a document which outlines and defines acceptable methods of remotely connecting to the internal network.

Answer option B is incorrect. A network security policy is a generic document that outlines rules for computer network access. It also determines how policies are enforced and lays out some of the basic architecture of the company security/network security environment.

Answer option C is incorrect. A computer security policy defines the goals and elements of the computer systems of an organization. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms.

Answer option D is incorrect. The User Account Policy is a type of document which focuses on the requirements for requesting and maintaining an account on computer systems or networks within an organization.

Q: Security is a state of well-being of information and infrastructure in which the possibilities of successful yet undetected theft, tampering, and/or disruption of information and services are kept low or tolerable. Which of the following are the elements of security?

Each correct answer represents a complete solution. Choose all that apply.

a. Confidentiality
b. Authenticity
c. Availability
d. Integrity
e. Non-Repudiation

Explanation: Answer options A, B, C, and D are correct.

The elements of security are as follows:

1. Confidentiality: It is the concealment of information or resources.
2. Authenticity: It is the identification and assurance of the origin of information.
3. Integrity: It refers to the trustworthiness of data or resources in terms of preventing improper and unauthorized changes.
4. Availability: It refers to the ability to use the information or resources as desired.
5. Non-Repudiation: It refers to the inability of a sender to disassociate him/herself from a message.

Explanation: Answer options B and C are correct.

5. Q: Which of the following is the most common way of performing social engineering attacks?

a. Phone
b. Email
c. War driving
d. Session hijacking

Explanation: Answer option A is correct.

The phone is the most common way of performing social engineering attacks. Social engineering is the art of convincing people and making them disclose useful information such as account names and passwords.

Answer option C is incorrect. War driving, also called access point mapping, is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere.

Answer option D is incorrect. Session hijacking refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine.

During a wireless penetration test, a tester detects an access point using WPA2. Which of the following attacks should she use to obtain the key?

A. The tester must use the tool airodump-ng to crack it using the ESSID of the network.
B. The tester must capture the WPA2 authentication handshake and then crack it.
C. The tester must change the MAC address of the wireless network card and then use the AirCrack tool to obtain the key.
D. WPA2 cannot be cracked

Answer: B

What is the main reason the use of a stored biometric is vulnerable to an attack?

A. The stored biometric data can be stolen and used by an attacker to impersonate the individual identified by the biometric.

B. A stored biometric is no longer "something you have" and instead becomes "something you are".
C. Authentication using a stored biometric compares the original to a copy instead of the original to a copy
D. The digital representation of the biometric might not be unique

Answer: A

Which type of scan measures a person's external features through a digital video camera?

A. Facial recognition scan
B. Retina scan
C. Signature dynamics scan
D. Iris scan

Answer: A

When creating a new Nessus policy, where would you enable Global Variable Settings?

a. Plugins
b. General
c. Preferences
d. Credentials

Answer: C

A pentester enters the following command. What type of scan is this?

    nmap -N -sS -PO -p 123 192.168.2.25

a. Stealth scan
b. intense scan
c. idle scan
d. Fin scan

Answer: A

A hacker has been successfully modifying the purchase price of several items on your client's web site. What is she using to do this? (The IDS shows no signs of alerts)

a. sql injection
b. hidden form fields
c. XSS
d. port scanning

Answer: B

If you are sending specially designed packets to a remote system and analyzing the results, what type of scan would this be considered?

a. active
b. passive
c. directive
d. bounce

Answer: A

6. Q: You run the following command in the command prompt:

    Telnet <IP Address> <Port 80>
    HEAD / HTTP/1.0
    <Return>
    <Return>

Which of the following types of information gathering techniques are you using?

a. Banner grabbing
b. OS fingerprinting
c. Dumpster diving
d. Port scanning

Explanation: Answer option A is correct.

Banner grabbing is an enumeration technique used to glean information about computer systems on a network and the services running on their open ports. Administrators can use this to take inventory of the systems and services on their network.

Answer option B is incorrect. OS Fingerprinting is the easiest way to detect the Operating System (OS) of a remote system. OS detection is important because, after knowing the target system's OS, it becomes easier to hack the system. Fingerprinting compares the data packets that are sent by the target system. The analysis of data packets gives the attacker a hint as to which operating system is being used by the remote system. There are two types of fingerprinting techniques, as follows:

1. Active fingerprinting
2. Passive fingerprinting

In active fingerprinting, ICMP messages are sent to the target system and the response message of the target system shows which OS is being used by the remote system. In passive fingerprinting, the number of hops reveals the OS of the remote system.

Answer option C is incorrect. Dumpster diving is a term that refers to going through someone's trash in an attempt to find useful or confidential information.

Answer option D is incorrect. Port scanning is the first basic step to get the details of open ports on the target system. Port scanning is used to find a hackable server with a hole or vulnerability. A port is a medium of communication between two computers. Every service on a host is identified by a unique 16-bit number called a port.

Q: Which of the following involves changing data prior to or during input to a computer in an effort to commit fraud?

a. Eavesdropping
b. Spoofing
c. Wiretapping
d. Data diddling

Explanation: Answer option D is correct.

Data diddling involves changing data prior to or during input to a computer in an effort to commit fraud. It also refers to the act of intentionally modifying information, programs, or documentation.

Answer option A is incorrect. Eavesdropping is the process of listening to private conversations. It also includes attackers listening to the network traffic.

Answer option B is incorrect. Spoofing is a technique that makes a transmission appear to have come from an authentic source by forging the IP address, email address, caller ID, etc. In IP spoofing, a hacker modifies packet headers by using someone else's IP address to hide his identity. However, spoofing cannot be used while surfing the Internet, chatting on-line, etc. because forging the source IP address causes the responses to be misdirected.

Answer option C is incorrect. Wiretapping is an act of monitoring telephone and Internet conversations by a third party. It is only legal with prior consent. Legalized wiretapping is generally practiced by the police or any other recognized governmental authority.

Q: Maria works as a professional Ethical Hacker. She recently got a project to test the security of www.we-are-secure.com. What are three pre-test phases of the attack to test the security of we-are-secure?

Identifying the active system
Web server hacking
Enumerating the system
Session hijacking
Placing backdoors
Footprinting

Explanation: Following are the three pretest phases of the attack:

Footprinting
Identifying the active system
Enumerating the system

Placing backdoors, Web server hacking, and session hijacking are the phases of executing attacks.

Q: Which of the following tools can a user use to hide his identity?

Each correct answer represents a complete solution. Choose all that apply.

a. War dialer
b. Proxy server
c. IPchains
d. Anonymizer

e. Rootkit

Explanation: Answer options B, C, and D are correct.

A user can hide his identity using any firewall (such as IPChains), a proxy server, or an anonymizer.

A proxy server hides the identity of a user's system from the outside world. Instead of creating a connection directly with the remote host, the user's system creates a direct connection with the proxy server, and the proxy server establishes a connection with the remote host to which the user wants to connect.

Anonymizers are services that help make a user's own Web surfing anonymous. An anonymizer removes all the identifying information from a user's computer while the user surfs the Internet. In this manner, it ensures the privacy of the user.

IPChains is a Linux packet filtering firewall that allows a Network Administrator to ACCEPT, DENY, MASQ, or REDIRECT packets. There are three built-in chains in the IPChains firewall: input, output, and forward.

Note: Each packet passing through the forward chain also passes through both the input and output chains.

Answer option A is incorrect. A war dialer is a tool that is used to scan thousands of telephone numbers to detect vulnerable modems that could provide unauthorized access to the system. THC-Scan, ToneLoc, and PhoneSweep are some good examples of war dialer tools. Other war dialing tools include TeleSweep Secure, iWar, ShokDial, and Visual NetTools.

Answer option E is incorrect. A rootkit is a set of tools that take Administrative control of a computer system without authorization by the computer owners and/or legitimate managers. A rootkit requires root access to be installed in the Linux operating system, but once installed, the attacker can get root access at any time.

1. Q: John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He begins to perform footprinting and scanning. Which of the following steps do footprinting and scanning include?

Each correct answer represents a complete solution. Choose all that apply.

a. Information gathering
b. Determining network range
c. Identifying active machines
d. Finding open ports and applications
e. Enumeration

Explanation: Answer options A, B, C, and D are correct.

Fingerprinting services
1. Mapping the network

Answer option E is incorrect. In the enumeration phase, the attacker gathers information, such as the network user and group names, routing tables, and Simple Network Management Protocol (SNMP) data. The techniques used in this phase are as follows:

1. Obtaining Active Directory information and identifying vulnerable user accounts
2. Discovering NetBIOS names
3. Employing Windows DNS queries
4. Establishing NULL sessions and queries

4. Q: Which of the following is a passive information gathering tool?

a. Nmap
b. Whois
c. Snort
d. Ettercap

Explanation: Answer option B is correct.

The whois tool is a passive information gathering tool. Whois queries are used to determine the IP address ranges associated with clients. A whois query can be run on most UNIX environments. In a Windows environment, tools such as WsPingPro and Sam Spade can be used to perform whois queries. Whois queries can also be executed over the Web from www.arin.net and www.networksolutions.com.

Answer option A is incorrect. Nmap is an active information gathering tool. The nmap utility, also commonly known as a port scanner, is used to view the open ports on a Linux computer. It is used by administrators to determine which services are available to external users.

Answer option C is incorrect. Snort is an active information gathering tool. Snort is an open source network intrusion prevention and detection system that operates as a network sniffer. It logs network activity that matches predefined signatures.

The three main modes in which Snort can be configured are as follows:

Sniffer mode: It reads the packets of the network and displays them in a continuous stream on the console.

Packet logger mode: It logs the packets to the disk.

Network intrusion detection mode: It is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user-defined rule set.

Answer option D is incorrect. Ettercap is an active information gathering tool. Ettercap is a UNIX and Windows tool for computer network protocol analysis and security auditing. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols.

Q: You want to retrieve password files (stored in the Web server's index directory) from various Web sites. Which of the following tools can you use to accomplish the task?

e. Google
f. Whois
g. Sam spade
h. Nmap

Explanation: Answer option E is correct.

You can use Google to retrieve password files (stored in the Web server's index directory) from various Web sites. Google supports search queries that can find information in the Web server's index directory. This search technique is known as Google hacking.

Q: You see the career section of a company's Web site and analyze the job profile requirements. You conclude that the company wants professionals who have a sharp knowledge of Windows Server 2003 and Windows Active Directory installation and placement. Which of the following steps are you using to perform hacking?

a. Reconnaissance
b. Scanning
c. Gaining access
d. Covering tracks

Explanation: Answer option A is correct.

When an alert rule is matched in snort, the IDS does which of the following?

A. Blocks the connection with the source IP address in the packet
B. Stops checking rules, sends an alert, and drops the packet
C. Continues to evaluate the packet until all rules are checked
D. Drops the packet and moves on to the next one

Answer: C

7. Q: Anonymizers are the services that help make a user's own Web surfing anonymous. An anonymizer removes all the identifying information from a user's computer while the user surfs the Internet. It ensures the privacy of the user in this manner. After the user anonymizes a Web access with an anonymizer prefix, every subsequent link selected is also automatically accessed anonymously. Which of the following are limitations of anonymizers?

Each correct answer represents a complete solution. Choose all that apply.

a. Secure protocols
b. Plugins
c. ActiveX controls
d. Java applications
e. JavaScript

Explanation: Answer options A, B, C, D, and E are correct.

Anonymizers have the following limitations:

1. HTTPS: Secure protocols such as 'https:' cannot be properly anonymized, as the browser needs to access the site directly to properly maintain secure encryption.
2. Plugins: If an accessed site invokes a third-party plugin, there is no guarantee of an established independent direct connection from the user computer to a remote site.
3. Java: Any Java application accessed through an anonymizer will not be able to bypass the Java security wall.
4. ActiveX: ActiveX applications have almost unlimited access to the user's computer system.
5. JavaScript: The JavaScript scripting language is disabled with URL-based anonymizers.

8. Q: Which of the following statements are true of the TCP/IP model?

Each correct answer represents a complete solution. Choose all that apply.

a. It describes a set of general design guidelines and implementations of specific

networking protocols to enable computers to communicate over a network.

b. It provides end-to-end connectivity specifying how data should be formatted,

addressed, transmitted, routed, and received at the destination.

c. It is generally described as having five abstraction layers.

d. It consists of various protocols present in each layer.

Explanation: Answer options A, B, and D are correct.

The TCP/IP model is a description framework for computer network protocols. It describes a set of

general design guidelines and implementations of specific networking protocols to enable computers

to communicate over a network. TCP/IP provides end-to-end connectivity specifying how data

should be formatted, addressed, transmitted, routed, and received at the destination. Protocols exist

for a variety of different types of communication services between computers. The TCP/IP model is

sometimes called the Internet Model or the DoD Model.

The TCP/IP model has four unique layers as shown in the image. This layer architecture is often

compared with the seven-layer OSI Reference Model. The TCP/IP model and related protocols are

maintained by the Internet Engineering Task Force (IETF).

Layer 4 Application

The application layer is where programs communicate. Sometimes called the user interface layer

because it is an easy way to think about its purpose. This is where web browsers, file sharing

software, email, and other user facing software interacts. Encryption and session details are also

handled in this layer.

Layer 3 Transport

In the transport layer, devices negotiate and decide how they will communicate over the network.

The devices will decide on communication type (e.g., UDP or TCP), window size, port, error

handling, and sequencing. This layer does a large portion of the work in device communications.

Layer 2 Internet

IP addressing, internetworking, and path determination happen in the internet layer. Routers

communicate at this layer to determine the path that a packet will take through a network. Given

multiple possibilities, the protocols at this layer will determine the best way for one host to connect to

another.

Layer 1 Link

Based on the type of network in use, the link layer encapsulates the data. For testing purposes this

may be in the form of Ethernet, Frame Relay, PPP, HDLC or CDP encapsulation protocols. The

protocol selected depends on the physical connection of the devices and the network topology.

Answer option C is incorrect. This option is invalid, as the TCP/IP model consists of four abstraction

layers NOT five.

9. Q: You want to obtain information of a Web server whose IP address range comes in the IP

address range used in Brazil. Which of the following registries can be used to get information

about Web server IP addresses, reverse DNS, etc?

a. RIPE NCC

b. APNIC

c. ARIN

d. LACNIC

Explanation: Answer option D is correct.

According to the scenario, you have to get information about Web server IP addresses, reverse

DNS, etc. of a Web server situated in Brazil. For this, you will search information in Latin American

and Caribbean Internet Addresses Registry (LACNIC). LACNIC is the Regional Internet Registry for

the Latin American and Caribbean regions. LACNIC provides number resource allocation and

registration services that support the global operation of the Internet.

Answer option A is incorrect. The Reseaux IP Europeens Network Coordination Centre (RIPE NCC)

is the Regional Internet Registry (RIR) for Europe, the Middle East and parts of Central Asia.

Answer option B is incorrect. The Asia Pacific Network Information Centre (APNIC) is the Regional

Internet Registry for the Asia Pacific region. APNIC provides number resource allocation and

registration services that support the global operation of the Internet.

Answer option C is incorrect. The American Registry for Internet Numbers (ARIN) is the Regional

Internet Registry (RIR) for Canada, many Caribbean and North Atlantic islands, and the United

States.

What best defines the principle of least privilege?

A. At a minimum, a manager should have all the privileges of his or her employees.

B. People lower in the organization’s hierarchy should have fewer privileges than people higher in

the hierarchy.

C. At a minimum, all users should supply a password before accessing a service.

D. One should have access only to the data and services that are required to perform one’s job.

answer: D

10. Q: John works as a System Administrator for uCertify Inc. He is responsible for securing the

network of the organization. He is configuring some of the advanced features of the Windows

firewall so that he can block a client machine from responding to pings. Which of the

following advanced setting types should John change for accomplishing the task?

a. ICMP

b. SMTP

c. SNMP

d. UDP

Explanation: Answer option A is correct.

According to the scenario, John should change ICMP because it is a protocol that is used when a

PING command is issued, received, and responded to. Internet Control Message Protocol (ICMP) is

an integral part of IP. It is used to report an error in datagram processing.

Answer option B is incorrect. Simple Mail Transfer Protocol (SMTP-25) is a protocol for sending e-mail

messages between servers.

Answer option C is incorrect. The Simple Network Management Protocol (SNMP-161) allows a

monitored device (for example, a router or a switch) to run an SNMP agent. This protocol is used for

managing many network devices remotely.

Answer option D is incorrect. User Datagram Protocol (UDP) is often used for one-to-many

communications, using broadcast or multicast IP datagrams. UDP is a connectionless and unreliable

communication protocol. It does not guarantee delivery or verify sequencing for any datagram. UDP

provides faster transportation of data between TCP/IP hosts than TCP.

Q: DNS cache poisoning is a maliciously created or unintended situation that provides data to a

caching name server that did not originate from authoritative Domain Name System (DNS) sources.

Once a DNS server has received such non-authentic data and caches it for future performance

increase, it is considered poisoned, supplying the non-authentic data to the clients of the server.

Which of the following DNS records can indicate the time up to which DNS cache poisoning will be

effective?

a. MX

b. NS

c. PTR

d. SOA

Explanation: Answer option D is correct.

What is a start of authority (SOA) record?

A start of authority (SOA) record is information stored in a domain name system (DNS) zone about

that zone and about other DNS records. A DNS zone is the part of a domain for which an individual

DNS server is responsible. Each zone contains a single SOA record.

DNS cache poisoning attack

DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching

name server that did not originate from authoritative Domain Name System (DNS) sources. Once a

DNS server has received such non-authentic data and caches it for future performance increase, it is

considered poisoned, supplying the non-authentic data to the clients of the server. To perform a

cache poisoning attack, the attacker exploits a flaw in the DNS software. If the server does not

correctly validate DNS responses to ensure that they are from an authoritative source, the server will

end up caching the incorrect entries locally and serve them to other users that make the same

request.

Answer option A is incorrect. An MX record is also known as mail exchanger record in the zone file

of Domain Name Server (DNS). MX record associates the domain name to a domain name

classified in an address record (A record).

Answer option B is incorrect. An NS record or name server record is used to denote the server that

is authoritative for a DNS zone.

Answer option C is incorrect. PTR record, also known as pointer record, is a record in the Domain

Name System (DNS) database that maps an Internet Protocol (IP) address to a host name in the

in-addr.arpa domain. PTR records are used to perform reverse DNS lookups.

Which of the following is an example of two-factor authentication?

a. fingerprint and smartcard

b. username and password

c. ID and token

d. Iris scan and fingerprint

answer: A

What is a successful method for protecting a router from potential smurf attacks?

A. Disabling port forwarding on the router

B. Placing the router in broadcast-only mode

C. Disabling the router from accepting broadcast ping messages

D. Installing the router in the DMZ

answer: C

11. Q: Which of the following tools are used for footprinting?

Each correct answer represents a complete solution. Choose all that apply.

a. Traceroute

b. Sam Spade

c. Brutus

d. Whois

Explanation: Answer options A, B, and D are correct.

The traceroute, Sam Spade, and whois tools are used for footprinting.

What is TRACEROUTE utility?

TRACEROUTE is a route-tracing utility that displays the path an IP packet takes to reach its

destination. It uses Internet Control Message Protocol (ICMP) echo packets to display the Fully

Qualified Domain Name (FQDN) and the IP address of each gateway along the route to the remote

host.

Q: Which information can an attacker get after tracerouting any network?

Each correct answer represents a complete solution. Choose all that apply.

a. Network topology

b. Trusted routers

c. Firewall locations

d. Web administrator email address

Explanation: Answer options A, B, and C are correct.

What is Google hacking?

Google hacking is a computer hacking technique that uses Google search and other Google

applications to find security holes in the configuration and computer code that Web sites use. Google

hacking involves using advanced operators in the Google search engine to locate specific strings of

text within search results.

Q: Which of the following is a valid Google searching operator that is used to search a specified file

type?

a. filetype

b. inurl

c. file type

d. intitle

Explanation: Answer option A is correct.

The filetype Google search query operator is used to search for a specified file type. For example, if you

want to search all PDF files containing the word hacking, you will use the search query filetype:pdf pdf

hacking.

Answer option B is incorrect. inurl is used to search a specified text in the URL of Web sites.

Answer option C is incorrect. file type is not a valid search operator.

Answer option D is incorrect. intitle is used to search a specified text in the title of Web sites.

12. Q: You want to retrieve the default security report of nessus. Which of the following Google

search queries will you use?

a. filetype:pdf "Assessment Report" nessus

b. filetype:pdf nessus

c. site:pdf nessus "Assessment report"

d. link:pdf nessus "Assessment report"

Explanation: Answer option A is correct.

Nessus is a vulnerability scanner. What techniques do vulnerability scanners use?

a. Port Scanning

b. banner grabbing

c. analyzing service responses

d. malware analysis

answer: C

One way to defeat a multi-level security solution is to leak data via

A. asymmetric routing

B. a covert channel.

C. steganography.

D. an overt channel

answer: B

Administrators access their servers through Remote Desktop. How could a hacker exploit this to

gain access?

a. Capture the LANMAN hashes and crack them with Cain and Abel

b. capture the RDP traffic and decode it with Cain and Abel

c. Use social engineering to get the domain name of the server

d. scan the server to see what ports are open

answer: B

What is the best defense against privilege escalation vulnerability?

A. Require all computers and servers to be patched immediately upon release of new updates.

B. Run administrator and applications on least privileges and use a content registry for tracking.

C. Run services with least privileged accounts and implement multi-factor authentication

D. Periodically review user roles and administrator

answer: C

Hardware and software devices have been created to emulate computer services, such as web and

mail. These can also be used to capture various information. What is being described?

a. Core Switch

b. Honeypot

c. Port Scanner

d. Router

answer: B

1. Q: You are the Security Consultant and have been hired to check security for a client's

network. Your client has stated that he has many concerns but the most critical is the

security of Web applications on their Web server. What should be your highest priority now in

checking his network?

a. Port scanning

b. Setting up IDS

c. Setting up a honey pot

d. Vulnerability scanning

Explanation: Answer option D is correct.

Q: If you want to know what services are running on a target and the possible entry points to launch

an attack, what will you do?

a. Nmap scan

b. Ping

c. Traceroute

d. Banner grabbing

Explanation: Answer option A is correct.

In scanning the DMZ interface on a firewall, Nmap reports that port 80 is unfiltered. What type of

packet inspection is the firewall using?

a. Stateless

b. Proxy

c. Deep

d. Stateful

answer: A

Which of the following are detective controls? (Choose 2)

a. audits

b. encryption

c. DRP

d. CCTV

e. two-factor authentication

answer: A and D

IPSec can provide for which of the following?

a. availability

b. non-repudiation

c. anti-virus protection

d. DDOS protection

answer: B

The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces

which of the following vulnerabilities?

A. The IDS will not distinguish among packets originating from different sources.

B. An attacker, working slowly enough, may be able to evade detection by the IDS.

C. Network packets will be dropped once the volume exceeds the threshold.

D. Thresholding disables the IDS’ ability to reassemble fragmented packets.

answer: A

Q: Which of the following netcat command switches will you use to telnet a remote host?

a. nc -t

b. nc -z

c. nc -g

d. nc -l -p

Explanation: Answer option A is correct.

Netcat is a freely available networking utility that reads and writes data across network connections

using the TCP/IP protocol. Netcat has the following features:

It provides outbound and inbound connections for TCP and UDP ports.

It provides special tunneling, such as UDP to TCP, with the possibility of specifying all network

parameters.

It is a good port scanner.

It contains advanced usage options, such as buffered send-mode (one line every N seconds),

and hexdump (to stderr or to a specified file) of transmitted and received data.

It is an optional RFC854 telnet code parser and responder.

The common Netcat switches are as follows:

Command            Description

nc -d              Detaches Netcat from the console.

nc -l -p [port]    Creates a simple listening TCP port; adding -u puts it in UDP mode.

nc -e [program]    Redirects stdin/stdout from a program.

nc -z              Used for port scanning.

nc -g or nc -G     Specifies source routing flags.

nc -t              Used for Telnet negotiation.

nc -w [timeout]    Sets a timeout before Netcat automatically quits.

nc -v              Puts Netcat into verbose mode.

Q: You are brought in as an external consultant to review the results of an internal vulnerability

scan to be run on website hosting servers. All code has been developed in Java and the team wants

to test the code for buffer overflow vulnerabilities with the SAINT scanning tool. When the internal

team asks for your opinion, you discourage them from starting this exercise. What is the probable

reason for your recommendation?

a. An automated vulnerability assessment tool like SAINT is too noisy.

b. Java is not vulnerable to buffer overflow attacks.

c. The vulnerability signatures have to be updated prior to running the scan.

d. The SAINT scanner does not incorporate the new OWASP Top 10 web application

scanning policy.

Explanation: Answer option B is correct.

Java uses a sandbox to isolate code and is therefore not vulnerable to buffer overflow attacks.

Almost all known web servers, application servers, and web application environments are

susceptible to buffer overflows, the notable exception being environments written in interpreted

languages like Java or Python, which are immune to these attacks (except for overflows in the

Interpreter itself).

Q: John works as a professional Ethical Hacker. He is assigned a project to test the security of

www.we-are-secure.com. He has to ping 500 computers to find out whether these computers are

connected to the server or not. Which of the following will he use to ping these computers?

a. PING

b. TRACEROUTE

c. Ping sweeping

d. NETSTAT

Explanation: Answer option C is correct.

The Ping sweeping technique is used to ping a batch of devices and to get the list of active devices.

Since it is a time-consuming and tedious task to ping every address on the network individually, the ping sweeping

technique is used by the attacker.

Answer option A is incorrect. The ping command-line utility is used to test connectivity with a host on

a TCP/IP-based network. This is achieved by sending out a series of packets to a specified

destination host.

2. Q: During the attack process, what method is used to discover what rules are configured on

a gateway?

a. Firewalking

b. Firewalling

c. OS Fingerprinting

d. Ping Scan

Explanation: Answer option A is correct.

Firewalking is a technique used to discover what rules are configured on a gateway. Usually

packets are sent to the remote host with the exact TTL of the target. Hping2 can also be used for

firewalking.

What is the process of identifying hosts or services by sending packets into the network perimeter to

see which ones get through?

A. firewalking

B. Banner Grabbing

C. Enumerating

D. Trace-configuring

answer: A

Answer option B is incorrect. There is no separate term called Firewalling.

Which of the following statements are true regarding N-tier architecture? (Choose two.)

A. The N-tier architecture must have at least one logical layer

B. Each layer should exchange information only with the layers above and below it.

C. When a layer is changed or updated, the other layers must also be changed

D. Each layer must be able to exist on a physically independent system.

ANSWER: B, D

Q: Which of the following is a technique used to determine which range of IP addresses is mapped

to live hosts?

a. TRACERT utility

b. Ping sweep

c. KisMAC

d. PATHPING

Explanation: Answer option B is correct.

Q: You want to determine which protocols a router or firewall will block and which they will pass on

to downstream hosts. You want to map out all intermediate routers or hops between a scanning host

and the target host. Based upon the results of the scans, you are going to identify which ports are

open. The tool displays "A!" when it determines that the metric host is directly behind the target

gateway. Which tool are you using for the scan?

a. Firewalk

b. nmap

c. hping

d. traceroute

Explanation: Answer option A is correct.

Answer option C is incorrect. hping is a free packet generator and analyzer for the TCP/IP protocol.

Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was

used to carry out the idle scan technique.

9. Q: You are running an nmap scan to determine which ports are filtered. You send an ACK

flag and receive a RST packet for open and closed ports. What kind of nmap scan are you

running?

a. Null Scan -sN

b. Fin Scan -sF

c. XMAS Scan -sX

d. TCP ACK scan -sA

Explanation: Answer option D is correct.

TCP ACK Scan does not determine open/closed ports; instead it determines which ports are

filtered/unfiltered. When ACK flag is sent, Open/Closed ports will send RST. Ports that do not send a

response are considered Filtered.

Answer option A is incorrect. In a NULL scan, no flags are set on the packet. The target must follow

RFC 793. The scanner receives no response if the port is open or filtered, and an RST if the port is

closed.

Answer option B is incorrect. In a FIN scan, the FIN flag is set on the packet. The target must follow RFC

793. The scanner receives no response if the port is open or filtered, and an RST if the port is closed.

Answer option C is incorrect. In an XMAS scan, the FIN, URG, and PSH flags are set on the packet.

The target must follow RFC 793. The scanner receives no response if the port is open or filtered, and an

RST if the port is closed.

Reference: http://nmap.org/

11. Q: A war dialer is a tool that is used to scan thousands of telephone numbers to detect

vulnerable modems. It provides an attacker unauthorized access to a computer. Which of the

following tools can an attacker use to perform war dialing?

Each correct answer represents a complete solution. Choose two.

a. THC-Scan

b. ToneLoc

c. NetStumbler

d. Wingate

Explanation: Answer options A and B are correct.

THC-Scan and ToneLoc are tools used for war dialing. A war dialer is a tool that is used to scan

thousands of telephone numbers to detect vulnerable modems. It provides the attacker unauthorized

access to a computer.

Q: Which of the following network scanning tools is a TCP/UDP port scanner that works as a ping

sweeper and hostname resolver?

a. SuperScan

b. Nmap

c. Netstat

d. Hping

Explanation: Answer option A is correct.

SuperScan is a TCP/UDP port scanner. It also works as a ping sweeper and hostname resolver. It

can ping a given range of IP addresses and resolve the host name of the remote system.

Q: Which of the following is the correct sequence of packets to perform the 3-way handshake

method?

a. SYN, SYN/ACK, ACK

b. SYN, ACK, SYN/ACK

c. SYN, ACK, ACK

d. SYN, SYN, ACK

Explanation: Answer option A is correct.

The TCP/IP 3-way handshake method is used by the TCP protocol to establish a connection

between a client and the server. It involves three steps:

1. In the first step of the three-way handshake method, a SYN message is sent from a client to the

server.

2. In the second step of the three-way handshake method, SYN/ACK is sent from the server to the

client.

3. In the third step of the three-way handshake method, ACK (usually called SYN-ACK-ACK) is

sent from the client to the server. At this point, both the client and server have received an

acknowledgment of the TCP connection.

13. Q: In which of the following scanning methods do Windows operating systems send only RST

packets irrespective of whether the port is open or closed?

a. TCP FIN

b. FTP bounce

c. UDP port

d. TCP SYN

Explanation: Answer option A is correct.

In the TCP FIN scanning method, Windows operating systems send only RST packets irrespective

of whether the port is open or closed. TCP FIN scanning is a type of stealth scanning through which

the attacker sends a FIN packet to the target port. If the port is closed, the victim assumes that this

packet was sent mistakenly by the attacker and sends an RST packet back to the attacker.

Q: Which of the following Nmap commands is used to perform a UDP port scan?

a. nmap -sU

b. nmap -sS

c. nmap -sF

d. nmap -sN

Explanation: Answer option A is correct.

The nmap -sU command is used to perform a UDP port scan.

Answer option B is incorrect. The nmap -sS command is used to perform stealth scanning.

Answer option C is incorrect. The nmap -sF command is used to perform FIN scanning.

Answer option D is incorrect. The nmap -sN command is used to perform TCP NULL port scanning.

14. Q: In which of the following scanning methods does an attacker send SYN packets and then a

RST packet?

a. TCP FIN scan

b. IDLE scan

c. TCP SYN scan

d. XMAS scan

Explanation: Answer option C is correct.

In a TCP SYN scan, an attacker sends SYN packets and then a RST packet. TCP SYN scanning is

also known as half-open scanning because in this type of scanning, a full TCP connection is never

opened. The steps of TCP SYN scanning are as follows:

1. The attacker sends a SYN packet to the target port.

2. If the port is open, the attacker receives the SYN/ACK message.

3. Now the attacker breaks the connection by sending an RST packet.

4. If the RST packet is received, it indicates that the port is closed.
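The three-way handshake steps above and the SYN-scan steps just listed differ only in the third packet: an ACK completes the connection, an RST tears it down half-open. That difference is what a defender looks for in a capture. The following Python detector is an added example, not code from the prep guide or from any IDS: it reconstructs conversations from a constructed packet log (format, addresses and threshold are all assumptions made for this example) and reports sources that leave several half-open conversations to distinct ports on one server.

```python
"""Recognise half-open (SYN) scanning in a packet log.

Added example; it is not code from the prep guide. It reconstructs each
client-to-server conversation from a constructed packet list and labels it:

  complete   SYN, SYN/ACK, ACK   (the three-way handshake)
  half_open  SYN, SYN/ACK, RST   (the SYN-scan sequence: never completes)
  closed     SYN, RST            (server port closed)
  no_reply   SYN, nothing back   (filtered, or host down)

A source that leaves several half-open conversations to distinct ports on
one server is reported. The packet format and the threshold are assumptions
made for this example, not a real IDS rule syntax.
"""
from collections import defaultdict

# Constructed sample log. Each entry is (client, server, server_port, direction, flags);
# direction "->" is client to server, "<-" is server to client.
SAMPLE_PACKETS = [
    # 10.0.0.5 is an ordinary client completing a handshake on 443
    ("10.0.0.5", "10.0.0.80", 443, "->", "SYN"),
    ("10.0.0.5", "10.0.0.80", 443, "<-", "SYN/ACK"),
    ("10.0.0.5", "10.0.0.80", 443, "->", "ACK"),
    # 10.0.0.9 probes 22, 25, 80 and 443: SYN, SYN/ACK, then RST (half-open)
    ("10.0.0.9", "10.0.0.80", 22, "->", "SYN"),
    ("10.0.0.9", "10.0.0.80", 22, "<-", "SYN/ACK"),
    ("10.0.0.9", "10.0.0.80", 22, "->", "RST"),
    ("10.0.0.9", "10.0.0.80", 25, "->", "SYN"),
    ("10.0.0.9", "10.0.0.80", 25, "<-", "SYN/ACK"),
    ("10.0.0.9", "10.0.0.80", 25, "->", "RST"),
    ("10.0.0.9", "10.0.0.80", 80, "->", "SYN"),
    ("10.0.0.9", "10.0.0.80", 80, "<-", "SYN/ACK"),
    ("10.0.0.9", "10.0.0.80", 80, "->", "RST"),
    ("10.0.0.9", "10.0.0.80", 443, "->", "SYN"),
    ("10.0.0.9", "10.0.0.80", 443, "<-", "SYN/ACK"),
    ("10.0.0.9", "10.0.0.80", 443, "->", "RST"),
    # the same source hits closed port 21: the server answers RST directly
    ("10.0.0.9", "10.0.0.80", 21, "->", "SYN"),
    ("10.0.0.9", "10.0.0.80", 21, "<-", "RST"),
    # a probe to a filtered port gets nothing back
    ("10.0.0.9", "10.0.0.80", 8080, "->", "SYN"),
]


def reconstruct(packets):
    """Group packets into conversations keyed by (client, server, port)."""
    conversations = defaultdict(list)
    for client, server, port, direction, flags in packets:
        conversations[(client, server, port)].append((direction, flags))
    return conversations


def classify(sequence):
    """Label one conversation from its ordered (direction, flags) pairs."""
    if not sequence or sequence[0] != ("->", "SYN"):
        return "other"
    if len(sequence) == 1:
        return "no_reply"
    if sequence[1] == ("<-", "RST"):
        return "closed"
    if sequence[1] == ("<-", "SYN/ACK"):
        third = sequence[2] if len(sequence) > 2 else None
        if third == ("->", "ACK"):
            return "complete"
        if third == ("->", "RST"):
            return "half_open"
        return "abandoned"  # SYN/ACK never answered: the client went away
    return "other"


def find_syn_scanners(packets, min_half_open=3):
    """Return {"client->server": [ports]} for sources with at least
    min_half_open half-open conversations to distinct ports. Only the
    SYN, SYN/ACK, RST signature is counted: a SYN answered by RST also
    occurs for ordinary refused connections, so it is not evidence alone."""
    half_open_ports = defaultdict(set)
    for (client, server, port), seq in reconstruct(packets).items():
        if classify(seq) == "half_open":
            half_open_ports[(client, server)].add(port)
    return {
        f"{client}->{server}": sorted(ports)
        for (client, server), ports in half_open_ports.items()
        if len(ports) >= min_half_open
    }


def conversation_summary(packets):
    """Count conversations by label, a quick triage view of the log."""
    counts = defaultdict(int)
    for seq in reconstruct(packets).values():
        counts[classify(seq)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(conversation_summary(SAMPLE_PACKETS))
    print(find_syn_scanners(SAMPLE_PACKETS))
```

On the sample log the summary shows one complete handshake, four half-open conversations, one closed port and one unanswered probe, and 10.0.0.9 is reported against 10.0.0.80 for ports 22, 25, 80 and 443. The detector deliberately ignores SYN/RST pairs because a closed port answers any connection attempt that way; a real IDS additionally applies a rate threshold, which is exactly the trade-off the alert-thresholding question above describes.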


Answer option D is incorrect. Xmas scanning is the opposite of null scanning. In Xmas Tree

scanning, multiple flags (at least FIN, URG, and PSH) are turned on. If the target port is open, the

service running on the target port discards the packets without any reply. According to RFC 793,

if the port is closed, the remote system replies with an RST packet.
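The NULL, FIN, XMAS and ACK rules given with the ACK-scan question, the SYN-scan steps, and the Windows behaviour described with the TCP FIN question all reduce to one small set of response rules. The following Python model is an added example, not code from the prep guide or from Nmap: it encodes those rules exactly as this page states them, so an analyst can see what each scan type produces on the wire and why a FIN, NULL or XMAS scan misreports open ports on a Windows target. The function names and the three port states are my own choices for the illustration.

```python
"""Model the TCP probe/response rules behind the scan types discussed above.

Added illustration, not code from the prep guide or from Nmap. It simulates
how a target port answers a crafted probe under two stack behaviours:
RFC 793-compliant, and the Windows behaviour described above (RST to a
FIN/NULL/XMAS probe regardless of port state). From the response it derives
what a scanner can legitimately conclude, which is also what a defender
should expect to see in a capture of each scan type.
"""

# Flag sets for each scan type named in the questions (nmap -sN/-sF/-sX/-sS/-sA).
PROBES = {
    "NULL": frozenset(),
    "FIN": frozenset({"FIN"}),
    "XMAS": frozenset({"FIN", "URG", "PSH"}),
    "SYN": frozenset({"SYN"}),
    "ACK": frozenset({"ACK"}),
}


def target_response(flags, port_state, windows=False):
    """Return what the target sends back for a probe carrying `flags`.

    port_state is "open", "closed" or "filtered" (a filter silently drops).
    The result is "SYN/ACK", "RST" or None (no response at all).
    """
    if port_state == "filtered":
        return None  # a packet filter drops the probe before the stack sees it
    if "ACK" in flags and "SYN" not in flags:
        # An unexpected ACK reaching an unfiltered port gets RST, open or closed.
        return "RST"
    if "SYN" in flags:
        return "SYN/ACK" if port_state == "open" else "RST"
    # NULL / FIN / XMAS probe: no SYN and no ACK set
    if windows:
        # Windows, per the explanation above, answers RST irrespective of state.
        return "RST"
    # RFC 793: an open port silently drops the probe, a closed port answers RST.
    return None if port_state == "open" else "RST"


def infer_state(scan, response):
    """What the scanner concludes from `response` to a probe of type `scan`."""
    if scan == "ACK":
        return "unfiltered" if response == "RST" else "filtered"
    if scan == "SYN":
        return {"SYN/ACK": "open", "RST": "closed"}.get(response, "filtered")
    # NULL / FIN / XMAS: silence is ambiguous between open and filtered
    return "closed" if response == "RST" else "open|filtered"


def scan_port(scan, true_state, windows=False):
    """Run one probe of type `scan` against a port in `true_state`."""
    return infer_state(scan, target_response(PROBES[scan], true_state, windows))


def misreported_open_ports(windows):
    """Scan types that report an OPEN port as closed on the given stack."""
    return sorted(scan for scan in PROBES
                  if scan_port(scan, "open", windows) == "closed")


if __name__ == "__main__":
    for scan in PROBES:
        for state in ("open", "closed", "filtered"):
            print(f"{scan:5} vs {state:9}: RFC 793 -> {scan_port(scan, state):14}"
                  f" Windows -> {scan_port(scan, state, windows=True)}")
    print("misreported on Windows:", misreported_open_ports(windows=True))
```

Against an RFC 793 stack no scan type turns an open port into "closed", but on the Windows model FIN, NULL and XMAS all do, which is the practical reason those questions stress the RFC 793 precondition. The ACK row also shows why the earlier firewall question reads an "unfiltered" result as evidence of stateless filtering: the answer says nothing about whether the port is open.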

16. Q: In which of the following scanning methods does an attacker send the spoofed IP address to

send a SYN packet to the target?

a. IDLE

b. NULL

c. TCP FIN

d. XMAS

Explanation: Answer option A is correct.

In the IDLE scan method, an attacker sends the spoofed IP address to send a SYN packet to the

target. The IDLE scan is initiated with the IP address of a third party; hence, the scan is the only

totally stealth scan. Since the IDLE scan uses the IP address of a third party, it becomes difficult to

detect the hacker.

What is a sequence number?

A sequence number is a 32-bit number ranging from 1 to 4,294,967,295. When data is sent over the

network, it is broken into fragments (packets) at the source and reassembled at the destination

system. Each packet contains a sequence number that is used by the destination system to

reassemble the data packets in the correct order. Each time a system boots, it has an initial

sequence number (ISN), e.g. 1. After every second, the ISN is incremented by 128,000. When the

system connects to another system and establishes a connection, the ISN is incremented by 64,000.

For example, if a host has the ISN 1,254,332,454 and the host sends one SYN packet, the ISN

value will be incremented by 1, i.e., the new ISN will be 1,254,332,455.

Condition                          Increment in the ISN value

Transfer of SYN packet             1

Transfer of FIN packet             1

Transfer of ACK packet             0

Transfer of SYN/ACK packet         1

Transfer of FIN/ACK packet         1

Passage of 1 second                128,000

Establishment of one connection    64,000

17. Q: Which of the following scanning methods is most accurate and reliable, although it is easily

detectable and hence avoided by a hacker?

a. TCP SYN/ACK

b. TCP half-open

c. TCP FIN

d. Xmas Tree

Explanation: Answer option A is correct.

Although the TCP SYN/ACK connection method is the most reliable, it can be easily detected. A hacker

should avoid this scanning method.

Q: Which nmap switch have you used to retrieve as many different protocols as possible being used

by the remote host?

a. nmap -sO

b. nmap -vO

c. nmap -sT

d. nmap -sS

Explanation: Answer option A is correct.

You have used the nmap -sO switch, which performs an IP protocol scan. The IP protocol scan is used for searching

additional IP protocols, such as ICMP, TCP, and UDP. It locates uncommon IP protocols that may

be in use on a system.

Answer option B is incorrect. Nmap doesn't permit you to combine the verbose and OS scanning

options. It produces this error:

Invalid argument to -v: "O"

Answer option C is incorrect. The nmap -sT switch is used to perform a TCP full scan.

Answer option D is incorrect. The nmap -sS switch is used to perform a TCP half-open scan. The attacker sends

a SYN packet to the target port.


19. Q: Mark is performing a security assessment of a Web server. He wants to identify a cross-site

scripting vulnerability also. Which of the following recommendations can Mark give to correct the

vulnerability?

a. Inform the Web Administrator to validate all Web application data inputs before

processing.

b. Inform Website users to ensure that cookies are transferred only over secure

connections.

c. Disable ActiveX support within Web browsers.

d. Disable Java applet support within Web browsers.

Explanation: Answer option A is correct.

The best way to address cross-site scripting vulnerabilities is to validate data input. It will fix

occurrences of cross-site scripting on ActiveX controls and Java applets that are downloaded to the

client and any vulnerability located on server-side code within the application.

Answer option B is incorrect. Disabling cookies is not a countermeasure against cross-site scripting.

Answer options C and D are incorrect. XSS vulnerabilities can exist within downloaded Java applets

or ActiveX controls, but these controls are executed on the client and will not address the server-side

cross-site scripting vulnerability.

Q: Which of the following are packet capturing tools?

Each correct answer represents a complete solution. Choose all that apply.

a. AiroPeek

b. Cain

c. Wireshark

d. Aircrack-ng

Explanation: Answer options A, B, and C are correct.

Q: Which of the following is a type of stealth scanning through which the attacker sends a FIN

packet to the target port?

a. TCP FIN scanning

b. TCP FTP proxy scanning

c. UDP port scanning

d. TCP SYN scanning

Explanation: Answer option A is correct. Port scanning is the process by which an attacker

connects to TCP and UDP ports to find the services and applications running on the target system.

In port scanning, data packets are sent to a port to gather information about it. The following are

Q: You are sending a file to an FTP server. The file will be broken into several pieces of information

packets (segments) and will be sent to the server. The file will again be reassembled and

reconstructed once the packets reach the FTP server. Which of the following information should be

used to maintain the correct order of information packets during the reconstruction of the file?

e. Sequence number

f. Acknowledge number

g. Checksum

h. TTL

Explanation: Answer option A is correct.

29. Q: John works as a professional Ethical Hacker. He has been assigned the project of testing

the security of www.we-are-secure.com. He performs a Teardrop attack on the we-are-

secure server and observes that the server has crashed. Which of the following is the most

likely cause of this?

a. The we-are-secure server cannot handle the overlapping data fragments.

b. Ping requests at the server are too high.

c. The ICMP packet is larger than 65,536 bytes.

d. The spoofed TCP SYN packet containing the IP address of the target is filled in both

the source and destination fields.

Explanation: Answer option A is correct.

In such a situation, while performing a Teardrop attack, John sends a series of data packets with

overlapping offset field values to the we-are-secure server. As a result, the server is unable to

reassemble these packets and is forced to crash, hang, or reboot.
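The two preceding questions are two sides of the same mechanism: a receiver orders segments by sequence number, and a receiver that trusts overlapping offsets is what the Teardrop attack breaks. The following is an added example, not code from the study guide: a small reassembler that places segments by sequence number and rejects overlapping or missing offsets instead of crashing. All segment data is constructed.

```python
"""Segment reassembly by sequence number, with overlap detection.

Added example (not code from the study guide): a receiver that places each
segment by its sequence number rather than its arrival order, and rejects
overlapping offsets instead of trusting them, which is the failure mode
the Teardrop attack relies on. All segment data below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


class OverlapError(ValueError):
    """Two segments claim the same byte offsets."""


def reassemble(segments: Iterable[Segment], initial_seq: int = 0) -> bytes:
    """Rebuild the byte stream from segments in any arrival order.

    Raises OverlapError when a segment starts before the byte offset that has
    already been filled, and ValueError when a segment leaves a gap.
    """
    out = bytearray()
    expected = initial_seq
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq < expected:
            raise OverlapError(
                f"segment seq={seg.seq} overlaps {expected - seg.seq} byte(s) "
                f"already placed (stream filled up to {expected})")
        if seg.seq > expected:
            raise ValueError(f"gap: expected seq={expected}, got seq={seg.seq}")
        out += seg.payload
        expected += len(seg.payload)
    return bytes(out)


def classify(segments: Iterable[Segment], initial_seq: int = 0) -> str:
    """Receiver-side verdict for a set of segments: 'ok', 'overlap' or 'gap'."""
    try:
        reassemble(segments, initial_seq)
    except OverlapError:
        return "overlap"
    except ValueError:
        return "gap"
    return "ok"


# Constructed sample 1: a file sent as three segments that arrive out of order.
FILE_SEGMENTS: List[Segment] = [
    Segment(seq=9, payload=b"payload"),
    Segment(seq=0, payload=b"FTP "),
    Segment(seq=4, payload=b"file "),
]

# Constructed sample 2: Teardrop-style fragments whose offsets overlap.
TEARDROP_SEGMENTS: List[Segment] = [
    Segment(seq=0, payload=b"A" * 20),
    Segment(seq=12, payload=b"B" * 20),   # claims bytes 12..31, but 12..19 are already placed
]

# Constructed sample 3: one segment went missing, leaving a hole.
GAP_SEGMENTS: List[Segment] = [
    Segment(seq=0, payload=b"abc"),
    Segment(seq=5, payload=b"def"),
]

if __name__ == "__main__":
    print(reassemble(FILE_SEGMENTS))                 # b'FTP file payload'
    for name, segs in [("file", FILE_SEGMENTS), ("teardrop", TEARDROP_SEGMENTS),
                       ("gap", GAP_SEGMENTS)]:
        print(f"{name}: {classify(segs)}")
```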

Q: Which of the following techniques uses a modem in order to automatically scan a list of telephone

numbers?

a. War dialing

b. Warchalking

c. War driving

d. Warkitting

Explanation: Answer option A is correct. War dialing is a technique of using a modem to

automatically scan a list of telephone numbers, usually dialing every number in a local area code to

search for computers, BBS systems, and fax machines. Hackers use the resulting lists for various

purposes, hobbyists for exploration, and crackers (hackers that specialize in computer security) for

password guessing.


Answer option B is incorrect. Warchalking is the drawing of symbols in public places to advertise an

open Wi-Fi wireless network. Having found a Wi-Fi node, the warchalker draws a special symbol on

a nearby object, such as a wall, the pavement, or a lamp post. The name warchalking is derived

from the cracker terms war dialing and war driving.

Q: You work as a Database Manager for uCertify Inc. Due to a lot of pending work, you decide to

install remote control software on your desktop at work, so that you can work from anywhere in the

organization. After installing the remote desktop connection, you connect a modem to a fax line that

is not being used yet. As you have no authentication to configure a password for host connection of

the remote connection, the remote connection is open for anyone to connect to the remotely

controlled host system. Which of the following types of attacks can be performed by an attacker on

the remote connection?

a. War dialing

b. Warchalking

c. War driving

d. Zero-day

Explanation: Answer option A is correct.

Q: John works as a contract Ethical Hacker. He has recently got a project to do security checking for

www.we-are-secure.com. He wants to find out the operating system of the we-are-secure server in

the information gathering step. Which of the following commands will he use to accomplish the task?

Each correct answer represents a complete solution. Choose two.

a. nmap -v -O 208.100.2.25

b. nc -v -n 208.100.2.25 80

c. nc 208.100.2.25 23

d. nmap -v -O www.we-are-secure.com

Explanation: Answer options A and D are correct.

According to the scenario, John will use "nmap -v -O 208.100.2.25" to detect the operating system of the we-are-secure server. Here, -v is used for verbose output and -O is used for TCP/IP fingerprinting to guess the remote operating system. John may also use the DNS name of we-are-secure instead of the IP address of the we-are-secure server, so he can also use the nmap command "nmap -v -O www.we-are-secure.com".

Q: Which of the following techniques are NOT used to perform active OS fingerprinting?


Each correct answer represents a complete solution. Choose all that apply.

a. ICMP error message quoting

b. Sniffing and analyzing packets

c. Sending FIN packets to open ports on the remote system

d. Analyzing email headers

Explanation: Answer options B and D are correct.

Sniffing and analyzing packets and analyzing email headers are some of the techniques used to

perform passive OS fingerprinting.

What is email header passive OS fingerprinting?

Email header passive OS fingerprinting is a method by which an attacker can use the email

header for remote OS detection. The email header is analyzed to get information about the remote

OS. Email headers usually give information about the mail daemon of a remote computer. Since a

specific mail daemon is usually used for a particular OS, an attacker can easily guess the OS of the

remote computer with the help of the mail daemon information.

Answer options A and C are incorrect. ICMP error message quoting and sending FIN packets to open ports on the remote system are techniques used to perform active OS fingerprinting.

29. Q: You have received a file named new.com in your email as an attachment. When you

execute this file in your laptop, you get the following message:

'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!'

When you open the file in Notepad, you get the following string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

What step will you take as a countermeasure against this attack?

a. Clean up your laptop with antivirus.

b. Do nothing.

c. Traverse to all of your drives, search new.com files, and delete them.

d. Immediately shut down your laptop.

Explanation: Answer option B is correct.


When you get the new.com file and execute it, the following error message is displayed:

'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!'

This indicates it might be the EICAR virus, which is a test virus to check whether an antivirus is

working or not. The EICAR (EICAR Standard Anti-Virus Test File) virus is a file that is used to test

the response of computer antivirus (AV) programs. The rationale behind it is to allow people,

companies, and antivirus programmers to test their software without having to use a real computer

virus that could cause actual damage should the antivirus not respond correctly.
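The string quoted in the question is the published 68-byte EICAR test string, and an antivirus recognises it by exact match. The following is an added example, not code from the study guide: a check that tells the EICAR test file apart from an arbitrary attachment, including the trailing-whitespace rule from the EICAR definition. All sample inputs are constructed.

```python
"""Recognise the EICAR anti-virus test file.

Added example, not from the study guide. It compares an attachment against
the published EICAR test string (the one quoted in the question) so that a
harmless test file can be told apart from an unknown executable.
"""

# The 68-byte EICAR test string; a raw bytes literal keeps the backslash as-is.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# The EICAR definition allows the string to be followed only by whitespace
# (space, tab, LF, CR, CTRL-Z), with the whole file at most 128 bytes.
ALLOWED_TRAILER = b" \t\r\n\x1a"
MAX_LEN = 128


def is_eicar_test_file(data: bytes) -> bool:
    """True only for the exact test string plus an optional whitespace tail."""
    if len(data) < len(EICAR) or len(data) > MAX_LEN:
        return False
    if not data.startswith(EICAR):
        return False
    # Iterating bytes yields ints; `int in bytes` checks for that byte value.
    return all(b in ALLOWED_TRAILER for b in data[len(EICAR):])


def classify_attachment(data: bytes) -> str:
    """Triage verdict: the test file needs no clean-up (the 'do nothing'
    answer above); anything else goes to the real anti-virus engine."""
    return "eicar-test-file" if is_eicar_test_file(data) else "scan-with-av"


# Constructed samples.
SAMPLES = {
    "exact": EICAR,
    "crlf_tail": EICAR + b"\r\n",                      # allowed whitespace tail
    "appended_byte": EICAR + b"\x90",                  # non-whitespace byte: not the test file
    "too_long": EICAR + b" " * (MAX_LEN - len(EICAR) + 1),   # 129 bytes: over the limit
    "other_bytes": b"\xb8\x00\x4c\xcd\x21",            # constructed unrelated content
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14} -> {classify_attachment(data)}")
```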

30. Q: TCP/IP stack fingerprinting is the passive collection of configuration attributes from a

remote device during standard layer 4 network communications. The combination of

parameters may then be used to infer the remote operating system (OS fingerprinting), or

incorporated into a device fingerprint. Which of the following Nmap switches can be used to

perform TCP/IP stack fingerprinting?

a. nmap -O -p

b. nmap -sU -p

c. nmap -sS

d. nmap -sT

Explanation: Answer option A is correct.

Q: Which of the following tools allow you to perform HTTP tunneling?

Each correct answer represents a complete solution. Choose all that apply.

a. HTTPort

b. Tunneled

c. BackStealth

d. Nikto

Explanation: Answer options A, B, and C are correct.

The HTTPort, Tunneled, and BackStealth tools are used to perform HTTP tunneling.

Answer option D is incorrect. Nikto is a Web scanner.


Q: Your company has blocked all the ports via an external firewall and only allows port 80/443 to

connect to the Internet. You want to use FTP to connect to some remote server on the Internet.

Which of the following tools will you use to accomplish the task?

Each correct answer represents a complete solution. Choose all that apply.

a. HTTPort

b. Backstealth

c. Nmap

d. BiDiBLAH

Explanation: Answer options A and B are correct.

HTTP tunneling is a technique by which communications performed using various network protocols are encapsulated using the HTTP protocol. The HTTP protocol therefore acts as a wrapper for a covert channel that the network protocol being tunneled uses to communicate.

HTTPort: The HTTPort tool is used to create a transparent tunnel through a proxy server or a firewall. It allows a user to use all sorts of Internet software from behind the proxy. This tool bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls.

29. Q: You have been called in as a security consultant to investigate the case of an internal employee who is suspected of transferring sensitive corporate data by FTP to a competitor's remote FTP server. The system and network administrators confirm that the FTP protocol and ports are disallowed by the firewall. You suspect that the employee is bypassing the firewall by using which of the following techniques?

a. IP spoofing

b. Tor Proxy Chaining software

c. HTTP tunneling

Explanation: Answer option C is correct.

Answer option A is incorrect. IP-spoofing is when an attacker changes his source address. By

forging the header to contain a different address, an attacker can make it appear that the packet was

sent by a different machine. The machine that receives spoofed packets will send a response back

to the forged source address.

Answer option B is incorrect. Tor is a network of virtual tunnels connected together and works like a

big chained proxy. It masks the identity of the originating computer from the Internet and uses a

random set of intermediary nodes to reach the target system.


30. Q: You configure a rule on your gateway device to block packets from outside of the network

that have a source address from inside the network. Which attacks are you trying to protect

your network from?

a. ARP spoofing

b. IP spoofing

c. Egress filtering

d. DOS attack

Explanation: Answer option B is correct.

Packet filtering is one defense against IP spoofing attacks. The gateway to a network usually performs ingress filtering, which is the blocking of packets from outside the network that carry a source address inside the network. This prevents an outside attacker from spoofing the address of an internal machine.

Answer option A is incorrect. ARP spoofing, also known as ARP cache poisoning or ARP poison

routing, is a technique used to attack a local-area network. ARP spoofing may allow an attacker to

intercept data frames on a LAN, modify the traffic, or stop the traffic altogether. The attack can only

be used on local networks.

Answer option C is incorrect. Egress filtering is performed on outgoing packets: it blocks packets from inside the network whose source address is not inside the network. This prevents an attacker within the filtering network from launching IP spoofing attacks against external machines.
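The two rules just described (ingress: drop outside packets with an inside source; egress: drop inside packets with an outside source) are the whole of anti-spoofing filtering at a gateway. The following is an added example, not code from the study guide, that implements both rules and runs them over constructed gateway log lines; the 10.0.0.0/8 internal prefix and the log format are assumptions.

```python
"""Anti-spoofing ingress and egress rules at a network gateway.

Added example, not from the study guide. The internal prefix 10.0.0.0/8,
the log line format and the sample addresses are constructed.
"""
import ipaddress
from typing import List, Optional, Sequence

IPNetwork = ipaddress.IPv4Network  # kept IPv4-only to match the examples

# Constructed: address space the gateway considers "inside".
INTERNAL_PREFIXES: List[IPNetwork] = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr: str, prefixes: Optional[Sequence[IPNetwork]] = None) -> bool:
    """True if addr falls inside one of the internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in (prefixes or INTERNAL_PREFIXES))


def filter_packet(direction: str, src: str,
                  prefixes: Optional[Sequence[IPNetwork]] = None) -> str:
    """Return 'allow' or 'drop' for a packet seen at the gateway.

    ingress: arriving from outside. A packet claiming an internal source
             address cannot legitimately come from outside, so drop it.
    egress:  leaving the network. A packet whose source is not internal
             is an inside host spoofing an outside address, so drop it.
    """
    if direction not in ("ingress", "egress"):
        raise ValueError(f"unknown direction {direction!r}")
    internal_src = is_internal(src, prefixes)
    if direction == "ingress" and internal_src:
        return "drop"
    if direction == "egress" and not internal_src:
        return "drop"
    return "allow"


def audit(log_lines: Sequence[str]) -> List[str]:
    """Run both rules over constructed gateway log lines of the form
    '<direction> <src> -> <dst>' and return the lines that would be dropped."""
    dropped = []
    for line in log_lines:
        direction, src, _arrow, _dst = line.split()
        if filter_packet(direction, src) == "drop":
            dropped.append(line)
    return dropped


# Constructed sample traffic. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges standing in for arbitrary Internet hosts.
SAMPLE_LOG = [
    "ingress 198.51.100.7 -> 10.1.2.3",     # ordinary inbound connection
    "ingress 10.1.2.250 -> 10.1.2.3",       # outside packet with inside source: spoofed
    "egress 10.1.2.3 -> 198.51.100.7",      # ordinary outbound connection
    "egress 203.0.113.9 -> 198.51.100.7",   # inside host spoofing an outside source
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        direction, src, *_ = line.split()
        print(f"{filter_packet(direction, src):5}  {line}")
```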

1. Q: Brutus is a password cracking tool that can be used to crack the following

authentications:

HTTP (Basic Authentication)

HTTP (HTML Form/CGI)

POP3 (Post Office Protocol v3)

FTP (File Transfer Protocol)

SMB (Server Message Block)

Telnet

Which of the following attacks can be performed by Brutus for password cracking?

Each correct answer represents a complete solution. Choose three.


a. Brute force attack

b. Dictionary attack

c. Hybrid attack

d. Man-in-the-middle attack

e. Replay attack

Explanation: Answer options A, B, and C are correct.

Brutus can be used to perform brute force attacks, dictionary attacks, or hybrid attacks.

Brute force attack

In a brute force attack, the attacker uses software that tries a large number of key combinations in

order to get a password. To prevent such attacks, users should create passwords more difficult to

guess, e.g., using a minimum of six characters, alphanumeric combinations, lower-upper case

combinations, etc.

2. Q: You are a Network Administrator of a TCP/IP network. You are facing DNS resolution

problems. Which of the following utilities will you use to diagnose the problem?

a. NSLOOKUP

b. PING

c. TRACERT

d. IPCONFIG

Explanation: Answer option A is correct.

NSLOOKUP is a tool for diagnosing and troubleshooting Domain Name System (DNS) problems. It

performs its function by sending queries to the DNS server and obtaining detailed responses at the

command prompt. This information can be useful for diagnosing and resolving name resolution

issues, verifying whether or not the resource records are added or updated correctly in a zone, and

debugging other server-related problems.

Q: Which of the following tools can be used to perform tasks such as Windows password cracking,

Windows enumeration, and VoIP session sniffing?

a. Cain

b. L0phtcrack

c. John the Ripper

d. Obiwan


Explanation: Answer option A is correct.

Cain and Abel is a multipurpose tool that can be used to perform many tasks, such as Windows

password cracking, Windows enumeration, and VoIP session sniffing. This password-cracking

program can perform the following types of password cracking attacks:

Dictionary attack

Brute force attack

Rainbow attack

Hybrid attack

Answer option B is incorrect. L0phtcrack is a tool that identifies and remediates security

vulnerabilities that result from the use of weak or easily guessed passwords. It recovers Windows

and Unix account passwords to access user and administrator accounts.

Answer option C is incorrect. John the Ripper is a fast password-cracking tool that is available for

most versions of UNIX, Windows, DOS, BeOS, and Open VMS. It also supports Kerberos, AFS, and

Windows NT/2000/XP/2003 LM hashes.

An attacker has captured VoIP traffic on your network. What tool can he use to recreate the conversation from these captured packets?

a. HPing

b. NMAP

c. Cain and Abel

d. VOIP-killer

answer: C

You have been instructed to open ports on your firewall to allow web and email services. Which ports must you open? (choose 4)

a. 80

b. 53

c. 25


d. 139

e. 443

f. 21

3. Q: John works as a professional Ethical Hacker. He has been assigned the project of testing

the security of www.we-are-secure.com. He notices that UDP port 137 of the We-are-secure

server is open. Assuming that the Network Administrator of We-are-secure Inc. has not

changed the default port values of the services, which of the following services is running on

UDP port 137?

a. NetBIOS

b. HTTP

c. HTTPS

d. TELNET

Explanation: Answer option A is correct.

NetBIOS is a Microsoft service that enables applications on different computers to communicate

within a LAN. The default port value of NetBIOS Name Resolution Service is 137/UDP.

Q: In the DNS Zone transfer enumeration, an attacker attempts to retrieve a copy of the entire zone

file for a domain from a DNS server. The information provided by the DNS zone can help an attacker

gather user names, passwords, and other valuable information. To attempt a zone transfer, an

attacker must be connected to a DNS server that is the authoritative server for that zone. Besides

this, an attacker can launch a Denial of Service attack against the zone's DNS servers by flooding

them with a lot of requests. Which of the following tools can an attacker use to perform a DNS zone

transfer?

Each correct answer represents a complete solution. Choose all that apply.

a. Host

b. Dig

c. NSLookup

d. DSniff

Explanation: Answer options A, B, and C are correct.

An attacker can use Host, Dig, and NSLookup to perform a DNS zone transfer.


Answer option D is incorrect. DSniff is a sniffer that can be used to record network traffic.

4. Q: John works as a Security Professional. He is assigned a project to test the security of

www.we-are-secure.com. John wants to get information of all network connections and

listening ports in numerical form. Which of the following commands will he use?

a. netstat -an

b. netstat -e

c. netstat -r

d. netstat -s

Explanation: Answer option A is correct.

According to the scenario, John will use the netstat -an command to accomplish the task. The

netstat -an command is used to get information of all network connections and listening ports in

numerical form.

Answer option B is incorrect. The netstat -e command displays Ethernet information.

Answer option C is incorrect. The netstat -r command displays routing table information.

Answer option D is incorrect. The netstat -s command displays per-protocol statistics. By default,

statistics are shown for TCP, UDP, and IP.

5. Q: Which of the following can be the countermeasures to prevent NetBIOS NULL session

enumeration in Windows 2000 operating systems?

Each correct answer represents a complete solution. Choose all that apply.

a. Disabling TCP port 139/445

b. Disabling SMB services entirely on individual hosts by unbinding WINS Client TCP/IP

from the interface

c. Editing the registry key HKLM\SYSTEM\CurrentControlSet\LSA and adding the value

RestrictAnonymous

d. Denying all unauthorized inbound connections to TCP port 53

Explanation: Answer options A, B, and C are correct.

NetBIOS NULL session vulnerabilities are hard to prevent, especially if NetBIOS is needed as part of

the infrastructure. One or more of the following steps can be taken to limit NetBIOS NULL session

vulnerabilities:


1. Null sessions require access to the TCP 139 or TCP 445 port, which can be disabled by a

Network Administrator.

2. A Network Administrator can also disable SMB services entirely on individual hosts by unbinding

WINS Client TCP/IP from the interface.

3. A Network Administrator can also restrict the anonymous user by editing the registry values:

a. Open regedit32, and go to HKLM\SYSTEM\CurrentControlSet\LSA.

b. Choose edit > add value.

Value name: RestrictAnonymous

Data Type: REG_DWORD

Value: 2

Answer option D is incorrect. TCP port 53 is the default port for DNS zone transfer. Although

disabling it can help restrict DNS zone transfer enumeration, it is not useful as a countermeasure

against NetBIOS NULL session enumeration.


6. Q: You have just installed a Windows 2003 server. What action should you take regarding

the default shares?

a. Disable them.

b. Disable them only if this is a domain server.

c. Make them hidden shares.

d. Leave them, as they are needed for Windows Server operations.

Explanation: Answer option A is correct.

Default shares should be disabled, unless they are absolutely needed. They pose a significant

security risk by providing a way for an intruder to enter your machine.

Q: Which of the following is an attempt to give false information or to deny that a real event or

transaction should have occurred?

a. A DDoS attack

b. A repudiation attack

c. A reply attack

d. A dictionary attack

Explanation: Answer option B is correct.

A repudiation attack is an attempt to give false information or to deny that a real event or

transaction should have occurred.

Answer option A is incorrect. In a distributed denial of service (DDOS) attack, the attacker uses

multiple computers throughout the network that it has previously infected. Such computers act as

zombies and work together to send out bogus messages, thereby increasing the amount of phony

traffic. The major advantages to an attacker of using a distributed denial-of-service attack are that

multiple machines can generate more attack traffic than one machine, multiple attack machines are

harder to turn off than one attack machine, and that the behavior of each attack machine can be

stealthier, making it harder to track down and shut down.

Answer option C is incorrect. A replay attack is a type of attack in which attackers capture packets

containing passwords or digital signatures whenever packets pass between two hosts on a network.

In an attempt to obtain an authenticated connection, the attackers then resend the captured packet

to the system.

Answer option D is incorrect. A dictionary attack is a type of password guessing attack. This type of


attack uses a dictionary of common words to find out the password of a user. It can also use

common words in either upper or lower case to find a password.

7. Q: You work as a Network Administrator for Infonet Inc. The company's network has an FTP

server. You want to secure the server so that only authorized users can access it. What will

you do to accomplish this?

a. Disable anonymous authentication.

b. Enable anonymous authentication.

c. Stop the FTP service on the server.

d. Disable the network adapter on the server.

Explanation: Answer option A is correct.

You will have to disable anonymous authentication. This will prevent unauthorized users from accessing the FTP server. With anonymous authentication enabled, a user can establish a Web connection to the IIS server without providing a username and password.

Q: You work as a Network Administrator for NetTech Inc. Your computer has the Windows 2000

Server operating system. You want to harden the security of the server. Which of the following

changes are required to accomplish this?

Each correct answer represents a complete solution. Choose two.

a. Enable the Guest account.

b. Remove the Administrator account.

c. Rename the Administrator account.

d. Disable the Guest account.

Explanation: Answer options C and D are correct.

A company has publicly hosted web applications and an internal Intranet protected by a firewall.

Which technique will help protect against enumeration?

A. Enable null session pipes

B. Remove A records for internal hosts.

C. Allow full DNS zone transfers to non-authoritative servers

D. Reject all email received via POP3


answer: B

Q: John works as a professional Ethical Hacker. He has been assigned a project for testing the

security of www.we-are-secure.com. He runs an SNMP scanner named snmpbulkwalk to send

SNMP requests to multiple IP addresses. He tries different community strings and waits for a reply.

However, he does not get any response. Which of the following statements may be valid reasons for

getting no response?

Each correct answer represents a complete solution. Choose all that apply.

a. The target system is unreachable due to low Internet connectivity.

b. The target system has stopped SNMP services.

c. John is searching for Public and Private community strings, but the Network

administrator has changed their default names.

d. The target system is using SNMP version 2, which cannot be scanned by

snmpbulkwalk.

Explanation: Answer options A, B, and C are correct.

What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?

A. Injecting parameters into a connection string using semicolons as a separator

B. Adding multiple parameters with the same name in HTTP requests

C. Inserting malicious Javascript code into input parameters

D. Adding a single quote after a URL

answer: A

What is snmpwalk?

The SNMP application snmpwalk uses SNMP GETNEXT requests to query a network entity for a tree of information. The command syntax is as follows:

Q: Which of the following statements are true about SNMPv1 and SNMPv3 enumeration?

Each correct answer represents a complete solution. Choose all that apply.

a. All the versions of SNMP protocols use community strings in clear text format, which

is easily recognizable.

b. Simple Network Management Protocol (SNMP) is a TCP/IP standard protocol that is

used for remote monitoring and managing hosts, routers, and devices on a network.


c. Gathering information about host, routers, devices etc. with the help of SNMP is

known as SNMP enumeration.

d. Implementing Access control list filtering to allow only access to the read-write

community from approved stations or subnets can be a valid countermeasure against

SNMP enumeration.

Explanation: Answer options B, C, and D are correct.

Although SNMP version 3 provides data encryption, the more widely used SNMP version 1 is a clear text protocol that offers limited security by using community strings. The names of the default community strings are public and private, which are transmitted in clear text.

22. Q: John works as a professional Ethical Hacker. He has been assigned a project for testing

the security of www.we-are-secure.com. He wants to perform an SNMP enumeration of the

We-are-secure server so that he can gather information about the hosts, routers, devices,

etc. of We-are-secure Inc. However, he is unable to perform an SNMP scan until he gives

the password for the SNMP service. Now, he thinks that it may be possible that the Network

Administrator of We-are-secure Inc. has not changed the default password of the SNMP

service. He enters the default password and gets the SNMP service details. Which of the

following passwords does SNMP use as a default password?

Each correct answer represents a complete solution. Choose all that apply.

a. Password

b. Administrator

c. Public

d. Private

Explanation: Answer options C and D are correct.

Public and Private are the default passwords that are used by SNMP.

Q: Which of the following SNMP versions does not send passwords and messages in clear text

format?

a. SNMPv3

b. SNMPv2

c. SNMPv1

d. SNMPv2c


Explanation: Answer option A is correct.

Q: IP Network Browser scans an IP subnet and shows what devices are responding on that subnet.

Each of the responding devices is then queried via SNMP. Which of the following ports is used by IP

Network Browser to scan SNMP enabled devices?

a. 80

b. 161

c. 22

d. 21

Explanation: Answer option B is correct.

Q: Which of the following are countermeasures against SNMP enumeration?

Each correct answer represents a complete solution. Choose all that apply.

a. Removing the SNMP agent or disabling the SNMP service

b. Changing the default PUBLIC community name when 'shutting off SNMP' is not an

option

c. Implementing the Group Policy security option called Additional restrictions for

anonymous connections

d. Allowing access to NULL session pipes and NULL session shares

Explanation: Answer options A, B, and C are correct.

Following are the countermeasures against SNMP enumeration:

1. Removing the SNMP agent or disabling the SNMP service

2. Changing the default PUBLIC community name when 'shutting off SNMP' is not an option

3. Implementing the Group Policy security option called Additional restrictions for anonymous

connections

4. Restricting access to NULL session pipes and NULL session shares

5. Upgrading SNMP Version 1 with the latest version

6. Implementing Access control list filtering to allow only access to the read-write community from

approved stations or subnets
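Countermeasures 2 and 6 above (change the default PUBLIC community name; restrict the read-write community to approved stations or subnets) can be checked directly against an agent's configuration. The following is an added example, not code from the study guide: an audit of constructed net-snmp style snmpd.conf text that flags default community names and read-write communities reachable from any source; the directive syntax (rocommunity/rwcommunity COMMUNITY [SOURCE]) is net-snmp's, and the community names and subnets are made up.

```python
"""Audit a net-snmp style snmpd.conf against the SNMP enumeration
countermeasures listed above: default community names, and read-write
access that is not restricted to approved stations or subnets.

Added example, not from the study guide. The configuration text is
constructed; directive syntax follows net-snmp's snmpd.conf
(rocommunity|rwcommunity COMMUNITY [SOURCE ...]). SNMPv3 user
directives (rouser/rwuser) are out of scope here.
"""
import re
from typing import Iterator, List, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}

# rocommunity / rwcommunity (and their IPv6 forms) followed by the community
# name and an optional source restriction (host, CIDR, or the word 'default').
_COMMUNITY_RE = re.compile(r"^(ro|rw)community6?\s+(\S+)(?:\s+(\S+))?")


def parse_communities(conf_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (access, community, source) for each community directive.
    source is 'default' (net-snmp's any-source keyword) when omitted."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        m = _COMMUNITY_RE.match(line)
        if not m:
            continue
        access = "read-only" if m.group(1) == "ro" else "read-write"
        yield access, m.group(2), m.group(3) or "default"


def audit_snmpd_conf(conf_text: str) -> List[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    for access, community, source in parse_communities(conf_text):
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{access} community uses default name {community!r}")
        if access == "read-write" and source == "default":
            findings.append(
                f"read-write community {community!r} is reachable from any source")
    return findings


# Constructed: the weak configuration the questions above warn about.
WEAK_CONF = """\
# snmpd.conf (constructed sample)
rocommunity public
rwcommunity private
"""

# Constructed: the same agent after applying countermeasures 2 and 6.
HARDENED_CONF = """\
# snmpd.conf (constructed sample)
rocommunity Gx9-monitor-ro   10.0.5.0/24      # read-only from the NMS subnet only
rwcommunity Qz4-manage-rw    10.0.5.10        # read-write from one management station
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_snmpd_conf(conf) or ["no findings"])
```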

22. Q: SNMP is not usually audited, and may pose a significant threat if it is not configured

properly. SNMP can be used to enumerate user accounts and devices on a target system.

SNMP has two passwords to access and configure the SNMP agent from the management


station: read and read-write community string. What tool or utility would you use for SNMP

enumeration?

Each correct answer represents a complete solution. Choose two.

a. SNMP Util

b. SNMP Agent

c. SNMP Manager

d. SNMPEnum

Explanation: Answer option A is correct.

Which Open Web Application Security Project (OWASP) implements a web application with known

vulnerabilities?

A. WebVuln

B. Hackme.com

C. BackTrack

D. WebGoat

answer: D

Which of the following best dictates whether or not a certain behavior is allowed?

a. Network Firewall

b. Data Loss Prevention Policy

c. Acceptable Use Policy

d. Information Security Policy

answer: D

WebScarab

SNMPUtil is a command-line tool which gathers Windows user accounts information via SNMP in

Windows system. Information such as routing tables, ARP tables, IP Addresses, MAC Addresses,

TCP/UDP open ports, user accounts and shares can be obtained using this tool.

What risk could this pose? A server shows port 25 is open.


A. Web portal data leak

B. Active mail relay

C. Clear text authentication

D. Open printer sharing

answer: B

Which of the following is an example of an asymmetric encryption implementation? (choose 2)

A. PGP

B. 3DES

C. RSA

D. SHA1

E. 3DES

answer: A and C

1. Q: John works as a Network Security Professional. He is assigned a project of testing the

security of www.we-are-secure.com. He analyzes that the company has blocked all ports

except port 80. Which of the following attacking methods can he use to send insecure

software protocols?

a. HTTP tunneling

b. MAC spoofing

c. URL obfuscation

d. Banner grabbing

Explanation: Answer option A is correct.

According to the scenario, the company has blocked all ports except port 80. Hence, John can use

HTTP tunneling to send insecure software protocols.

Answer option B is incorrect. MAC spoofing is a hacking technique of changing an assigned Media

Access Control (MAC) address of a networked device to a different one.


Answer option C is incorrect. URL obfuscation is a technique through which an attacker changes

the format of URLs so that they can bypass filters or other application defenses that have been put

in place to block specific IP addresses.

The Advanced Encryption Standard (AES) is primarily used for?

A. key exchange

B. bulk data encryption

C. key creation

D. IPSec

answer: B

1. Q: Which of the following password cracking attacks is based on a pre-calculated hash table

to retrieve plain text passwords?

a. Dictionary attack

b. Rainbow attack

c. Hybrid attack

d. Brute Force attack

Explanation: Answer option B is correct.

A rainbow attack uses a pre-calculated hash table to retrieve plain text passwords. A rainbow attack is one of the fastest methods of password cracking. This method of password cracking is implemented by calculating all the possible hashes for a set of characters and then storing them in a table known as the rainbow table.

Q: Which of the following password cracking tools can work on UNIX and Linux environments?

a. Cain and Abel

b. Brutus

c. John the Ripper

d. Ophcrack

Explanation: Answer option C is correct.

John the Ripper (JTR) is a password cracking tool that works successfully on UNIX, Linux, and

Windows environments. JTR implements the dictionary and brute force attacks.


4. Q: Which of the following attacks allow the bypassing of access control lists on servers or

routers, and help an attacker to hide?

Each correct answer represents a complete solution. Choose two.

a. MAC spoofing attack

b. DNS cache poisoning attack

c. DDoS attack

d. IP spoofing attack

Explanation: Answer options A and D are correct.

Either an IP spoofing attack or a MAC spoofing attack can be used to hide a host's identity on the network. MAC spoofing changes the Media Access Control (MAC) address a networked device presents to a different one. Because many access control lists on switches, wireless access points, servers and routers key on the MAC or IP address, spoofing either one may bypass them, hiding a computer on the network or letting it impersonate another computer.

Answer option B is incorrect. DNS cache poisoning is a maliciously created or unintended situation in which a caching name server accepts data that did not originate from an authoritative Domain Name System (DNS) source. Once the server caches such non-authentic data to speed up future lookups, it is considered poisoned and serves the bogus data to its clients. It redirects clients; it does not hide the attacker from an access control list. Option C, a DDoS attack, denies service and does nothing to evade access controls either.

Q: Fill in the blank with the appropriate attack name.

It is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name System (DNS) sources. To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software. Such type of attack is known as ______ attack.

Correct Answer: DNS cache poisoning


Q: Which of the following statements are true of session hijacking?

Each correct answer represents a complete solution. Choose all that apply.

a. It is the exploitation of a valid computer session to gain unauthorized access to

information or services in a computer system.

b. TCP session hijacking occurs when a hacker takes over a TCP session between two

machines.

c. Using a long random number or string as the session key reduces session hijacking.

d. It is used to slow down the working of the victim's network resources.

Explanation: Answer options A, B, and C are correct.

Session hijacking refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. In particular, it refers to the theft of the session cookie (the "magic cookie") used to authenticate a user to a remote server. Option D describes denial of service, not hijacking.

How do operating systems protect login passwords?

A. The operating system stores all passwords in a protected segment of non-volatile memory.

B. The operating system encrypts the passwords, and decrypts them when needed.

C. The operating system stores the passwords in a secret file that users cannot find.

D. The operating system performs a one-way hash of the passwords.

answer: D. A one-way hash cannot be reversed to recover the password; at login the system hashes what the user typed and compares the result with the stored value. Good implementations also add a per-user salt and a deliberately slow hash function so that precomputed tables and brute force are expensive (see the rainbow-table and LAN Manager hash questions in this chapter).

Which of the following are password cracking tools? (choose 3)

A. NMAP

B. John the Ripper

C. WebGoat

D. KerbCrack

E. Wireshark

F. Cain and Abel

answer: B, D and F. Nmap is a port scanner, WebGoat is a deliberately vulnerable training web application and Wireshark is a protocol analyzer; none of them cracks passwords. John the Ripper, KerbCrack and Cain and Abel do.

Q: In which of the following attacks does an attacker use packet sniffing to read network traffic

between two parties to steal the session cookie?

a. Session sidejacking

b. Session fixation

c. Cross-site scripting

d. ARP spoofing


Explanation: Answer option A is correct.

In session sidejacking, the attacker sniffs the network traffic between two parties and steals the session cookie. Many web sites used SSL only for the login page, to hide the password, and served the rest of the site over plain HTTP once the user was authenticated. Anyone able to read the network traffic can then capture everything the client submits or views, including the session cookie, and impersonate the victim without ever learning the password. The countermeasure is TLS for the whole session together with the Secure flag on the session cookie.

Answer option B is incorrect. In session fixation, the attacker sets the user's session ID to one the attacker already knows, for example by sending the user an e-mail with a link that contains that session ID, and then simply waits for the user to log in; a server that issues a fresh session ID at login is immune.

Answer option C is incorrect. In cross-site scripting, the attacker gets the victim's browser to run script that is treated as trustworthy because it appears to come from the server; the script can read the cookie (unless it carries the HttpOnly flag) or perform other actions as the user. Option D, ARP spoofing, is one way to get into a position to sniff, but it is not itself the cookie theft.

Q: Which of the following statements are true of firewalking?

Each correct answer represents a complete solution. Choose all that apply.

a. A malicious attacker can use firewalking to determine the types of ports/protocols that

can bypass the firewall.

b. To use firewalking, the attacker needs the IP address of the last known gateway

before the firewall and the IP address of a host located behind the firewall.

c. Firewalking works on UDP packets.

d. In this technique, the attacker sends a crafted packet with a TTL value that is set to

expire one hop past the firewall.

Explanation: Answer options A, B, and D are correct. Firewalking is a traceroute-style technique: knowing the hop count to the last gateway before the firewall, the attacker sends probes to a host behind it with the TTL set to expire one hop past the filtering device. A port or protocol the firewall permits produces an ICMP time-exceeded reply from the next hop; a filtered one produces nothing. The original Firewalk tool probes with either TCP or UDP, so option C is not a defining property of the technique, which is why the exam treats it as incorrect.

Q: Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which

Alice dutifully provides (possibly after some transformation like a hash function); meanwhile, Eve is

eavesdropping the conversation and keeps the password. After the interchange is over, Eve

connects to Bob posing as Alice; when asked for a proof of identity, Eve sends Alice's password

read from the last session, which Bob accepts. Which of the following attacks is being performed by

Eve?


a. Replay

b. Cross-site scripting

c. Firewalking

d. Session fixation

Explanation: Answer option A is correct. Eve replays the authenticator she captured from Alice's session. Per-session nonces, timestamps, or a challenge from Bob that the proof of identity must incorporate make a captured response useless the second time.

Q: Which of the following commands can be used for port scanning?

a. nc -z

b. nc -g

c. nc -t

d. nc -w

Explanation: Answer option A is correct.

The -z option puts netcat into zero-I/O (scan) mode: it attempts a connection to each port in the given range, reports whether the connection succeeded and sends no data; -v is usually added so that the result is printed per port. Netcat is a freely available networking utility that reads and writes data across TCP or UDP connections.

protocol. Netcat has the following features:

Q: John works as a Security Administrator for Enet Inc. He uses a 4-digit personal identification

number (PIN) to access his laptop, and a token to perform offline checking whether he has entered

the correct PIN or not. Which of the following attacks is possible on John's computer?

a. Brute force

b. Man-in-the-middle

c. Smurf

d. Replay

Explanation: Answer option A is correct.

A brute force attack is possible on John's laptop. A 4-digit PIN has only 10,000 possible values, and because the token verifies the PIN offline there is no server-side lockout or rate limit to slow the guessing down. A lockout after a small number of failed attempts, or a longer PIN, is the countermeasure.

Answer option B is incorrect. Since the token is checking the PIN offline, it is not possible to perform

a man-in-the-middle attack. Man-in-the-middle attacks occur when an attacker successfully inserts

an intermediary software or program between two communicating hosts. The intermediary software


or program allows attackers to listen to and modify the communication packets passing between the

two hosts. The software intercepts the communication packets and then sends the information to the

receiving host. The receiving host responds to the software, presuming it to be the legitimate client.

Q: John works as a contract Ethical Hacker. He recently got a project to do a security check for

www.we-are-secure.com. While performing the security check, he successfully steals the SAM file

from the server of we-are-secure. The output of the SAM file is given below:

Mark:501:D4DCC2975DC76FB2AAD3B435B51404EE

James:500:5351CF62FC930923AAD3B435B51404EE

Administrator:1002:8AD7EAA34F1A9A31DA5A59A9D0150C17

Samantha:1001:F1402A82F3AB3A2EBA12F405D7E7327B

Which of the following user accounts, given in the above list, will John break to get administrative

privileges?

a. Administrator

b. Samantha

c. James

d. Mark

Explanation: Answer option C is correct.

RID 500 always identifies the built-in Administrator account, whatever it has been renamed to. In the given scenario the account named James has RID 500, while the account named Administrator has RID 1002 and is therefore an ordinary account, most likely renamed as a decoy. John should crack James's hash to get administrative privileges. The hashes give a second hint: the LM hashes of Mark and James end in AAD3B435B51404EE, which is the LM value of an empty second half, so both passwords are at most 7 characters long.
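A small parser for the listing in this question, as an added example that is not part of the guide and not a real dumping tool: it assumes the user:RID:LMhash format shown above (a real pwdump line also carries the NT hash as a fourth field, which is ignored if present) and applies the two checks the explanation relies on, the RID and the empty LM second half.

```python
"""Triage of a pwdump-style SAM listing (added example, not a tool from the guide)."""

# Assumed line format, matching the listing in the question: user:RID:LMhash.
# pwdump output normally also carries the NT hash as a fourth field; it is ignored if present.
EMPTY_LM_HALF = "AAD3B435B51404EE"      # LM value of a 7-byte all-zero (empty) half
HEX = set("0123456789ABCDEF")

# Constructed sample: the four entries quoted in the question.
SAMPLE = """\
Mark:501:D4DCC2975DC76FB2AAD3B435B51404EE
James:500:5351CF62FC930923AAD3B435B51404EE
Administrator:1002:8AD7EAA34F1A9A31DA5A59A9D0150C17
Samantha:1001:F1402A82F3AB3A2EBA12F405D7E7327B
"""


def parse_sam(text):
    """Parse user:RID:LMhash[:NThash] lines into dicts; reject malformed hashes."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed line: {line!r}")
        user, rid, lm = fields[0], int(fields[1]), fields[2].upper()
        if len(lm) != 32 or not set(lm) <= HEX:
            raise ValueError(f"{user}: LM hash must be 32 hex digits")
        entries.append({"user": user, "rid": rid, "lm": lm})
    return entries


def triage(entries):
    """Findings per user that decide what to crack first and how."""
    findings = {}
    for e in entries:
        notes = []
        if e["rid"] == 500:
            notes.append("built-in Administrator (RID 500), whatever its current name")
        elif e["rid"] == 501:
            notes.append("built-in Guest (RID 501)")
        elif e["user"].lower() == "administrator":
            notes.append("named Administrator but not RID 500: an ordinary account, likely a decoy")
        if e["lm"] == EMPTY_LM_HALF * 2:
            notes.append("empty LM hash: blank password, LM storage disabled, or password longer than 14")
        elif e["lm"].endswith(EMPTY_LM_HALF):
            notes.append("second half empty: password is 7 characters or fewer, crack the first half only")
        else:
            notes.append("both halves set: 8 to 14 characters, each half cracked independently")
        findings[e["user"]] = notes
    return findings


def admin_account(entries):
    """The account to crack for administrative rights: RID 500, not the name."""
    for e in entries:
        if e["rid"] == 500:
            return e["user"]
    return None


if __name__ == "__main__":
    parsed = parse_sam(SAMPLE)
    print("crack first:", admin_account(parsed))
    for user, notes in triage(parsed).items():
        print(f"{user}: " + "; ".join(notes))
```

Run against the four lines from the question it names James as the RID 500 account, flags Mark as the built-in Guest, and notes that both of them have passwords of 7 characters or fewer.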

Q: Which of the following tools can be used for cracking the password of Server Message Block

(SMB)?

Each correct answer represents a complete solution. Choose all that apply.

a. L0phtCrack

b. KerbCrack

c. SMBRelay

d. pwdump2

Explanation: Answer options A and C are correct.

L0phtCrack is a Windows password auditing and recovery tool that performs dictionary, brute-force and hybrid cracking attacks. It can also sniff SMB authentication traffic on the local network segment and capture the challenge/response of individual logon sessions for offline cracking. SMBRelay is a rogue SMB server that


captures usernames and password hashes from incoming SMB traffic.

Answer option B is incorrect. KerbCrack is a Kerberos password cracker and sniffer, not an SMB tool.

Answer option D is incorrect. pwdump2 extracts the password hashes from the SAM of a Windows system; it dumps hashes rather than cracking them.

Q: You want to connect to your friend's computer and run a Trojan on it. Which of the

following tools will you use to accomplish the task?

a. PSExec

b. Remoxec

c. GetAdmin.exe

d. Hk.exe

Explanation: Answer option A is correct.

You will use the PsExec tool to accomplish the task. PsExec, from the Sysinternals suite, is a light-weight telnet replacement that executes processes on remote Windows computers with full interactivity for console applications. Nothing has to be installed by hand on the remote machine: PsExec copies its service executable to the ADMIN$ share and starts it, which is also why it needs administrative credentials on the target and why the PSEXESVC service and its installation events are a good detection point for defenders.

Q: You are auditing the security of a client company. You find that their password policy only

requires a minimum of 5 characters with letters and numbers. What, if anything, is wrong with

this policy?

e. Nothing, this is a strong password policy.

f. The only flaw is that the password policy should require symbols as well.

g. The password policy is too weak for multiple reasons.

h. The only flaw is that the password policy should require a minimum of 6 characters.

Explanation: Answer option G is correct.

Five characters drawn from letters and digits give a search space any cracker exhausts quickly, so the minimum length is far too short, not merely one character short. Beyond length and required character classes, a good password policy also sets how often passwords are changed, how many previous passwords are remembered so they cannot be reused, and a lockout after repeated failures. Answer A is incorrect: this password policy is very weak.

Q: LAN Manager hash is the primary hash used by Microsoft LAN Manager and Microsoft

Windows versions prior to Windows NT to store user passwords. It is very much vulnerable

to various types of password cracking attacks. Which of the following are known weaknesses

of LAN Manager hash?


Each correct answer represents a complete solution. Choose all that apply.

a. It converts passwords to uppercase.

b. Hashes are sent in clear text over the network.

c. Its effective length is 7 characters.

d. It does not use cryptographic salt.

e. It uses only 16-bit encryption.

Explanation: Answer options A, B, C, and D are correct.

The LAN Manager hash upper-cases the password, pads or truncates it to 14 bytes, splits it into two 7-byte halves, and uses each half as a DES key to encrypt the constant string KGS!@#$%; the two 8-byte results are concatenated. That construction explains each weakness: case information is lost, so the attacker never has to try lower-case letters; the effective length is 7 characters, because each half is attacked independently and a password of 7 or fewer characters leaves the constant second half AAD3B435B51404EE; there is no salt, so identical passwords produce identical hashes and precomputed tables apply; and the LM challenge/response used on the network is derived directly from the hash, is easy to capture, and is cracked offline. Option E is wrong: LM uses DES with 56-bit keys, not 16-bit encryption.

Q: Passwords are the most common access control methods used by system

administers to manage the usage of network resources and applications. Password

stealing is used by hackers to exploit user credentials and may cause serious data

loss in the system. Which of these is NOT a type of password attack?

a. Social engineering

b. Phishing

c. Password hashing

d. Shoulder surfing

Explanation: Answer option C is correct.

Password hashing is not an attack; it is a defensive measure. A one-way hash (also called a message digest, the digital fingerprint of a piece of data) is stored instead of the password itself, so that a stolen database does not directly reveal the passwords. Hashing is not encryption: there is no key and nothing to decrypt.

Answer option A is incorrect. Social engineering is the human side of breaking into a corporate

network to get personal information. In a typical example, an unknown person gets hold of user

credentials from the victim by manipulating him or her into believing a contrived situation.


Answer option B is incorrect. Phishing is an example of social engineering techniques used to

deceive users, and exploits the poor usability of current web security technologies. Phishing is

typically carried out by e-mail spoofing and it often directs users to enter details at a fake website

whose look and feel are almost identical to the legitimate one.

Answer option D is incorrect. Shoulder surfing uses direct observation, such as looking over someone's shoulder while they enter a password or PIN code.
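The rainbow-table question earlier in this chapter and the password-hashing explanation above describe the two sides of one trade: an attacker precomputes a table against an unsalted hash, and a defender stores a salted, slow hash so that no precomputed table applies. The following Python is an added example written for this guide, not a tool or code from the guide or from EC-Council. It builds a small rainbow table (chains of hash and reduction steps, storing only the endpoints) for a constructed keyspace of 4-digit PINs hashed with unsalted MD5, recovers PINs from their hashes, and shows that a salted PBKDF2 hash gives different values for the same password. The chain length, the number of chains and the reduction function are arbitrary choices made for the demonstration.

```python
"""Rainbow-table lookup versus salted hashing (added example, not from the guide)."""
import hashlib
import os
import string

# Constructed toy keyspace: 4-digit PINs hashed with unsalted MD5 (10,000 values).
ALPHABET = string.digits
PLAIN_LEN = 4
SPACE = len(ALPHABET) ** PLAIN_LEN
CHAIN_LEN = 50          # hashes per chain; storage shrinks by roughly this factor


def h(plain: str) -> bytes:
    """The unsalted hash under attack."""
    return hashlib.md5(plain.encode()).digest()


def reduce_(digest: bytes, column: int) -> str:
    """Map a digest back into the keyspace. Mixing in the column index gives
    every column its own reduction function, which is what makes the table a
    rainbow table rather than a plain Hellman table (collisions in different
    columns do not merge)."""
    n = (int.from_bytes(digest[:8], "big") + column) % SPACE
    out = []
    for _ in range(PLAIN_LEN):
        out.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(reversed(out))


def build_table(starts):
    """Walk each chain and store only endpoint -> start. Chains that merge
    (same endpoint) keep the first start; the rest is dropped, so coverage is
    never 100% for a single table."""
    table = {}
    for start in starts:
        p = start
        for col in range(CHAIN_LEN):
            p = reduce_(h(p), col)
        table.setdefault(p, start)
    return table


def lookup(table, target: bytes):
    """Recover the plaintext for `target` if a stored chain covers it."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Assume target sits at `col`; finish the chain from there.
        p = reduce_(target, col)
        for later in range(col + 1, CHAIN_LEN):
            p = reduce_(h(p), later)
        if p in table:
            # Candidate chain: regenerate it from its start and check each step.
            p = table[p]
            for again in range(CHAIN_LEN):
                if h(p) == target:
                    return p
                p = reduce_(h(p), again)
            # False alarm caused by a chain merge: try the other columns.
    return None


STARTS = [f"{i:04d}" for i in range(0, SPACE, 10)]   # 1,000 chains
TABLE = build_table(STARTS)


def coverage(sample) -> float:
    """Fraction of the given PINs the table can recover."""
    hits = sum(1 for pin in sample if lookup(TABLE, h(pin)) == pin)
    return hits / len(sample)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """What the system should store instead: a salted, slow one-way hash.
    The per-user salt means no table built in advance matches, and the
    iteration count makes every guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


if __name__ == "__main__":
    print("stored chains:", len(TABLE), "for a keyspace of", SPACE)
    print("coverage on 200 PINs:", coverage([f"{i:04d}" for i in range(0, SPACE, 50)]))
    print("lookup of md5('4242'):", lookup(TABLE, h("4242")))
    s1, s2 = os.urandom(16), os.urandom(16)
    print("same password, different salts, equal hashes?",
          salted_hash("4242", s1) == salted_hash("4242", s2))
```

With 1,000 chains of 50 steps the table holds a few hundred entries yet recovers well over half of the 10,000 PINs; real attacks use several tables to push coverage up. Against salted_hash the table is useless because the function it was built for, md5(pin), is no longer the function that was stored.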

Q: Which of the following is generally practiced by the police or any other recognized

governmental authority?

a. SMB signing

b. Wiretapping

c. Spoofing

d. Phishing

Explanation: Answer option B is correct. Wiretapping, in the sense of lawful interception, is the monitoring of communications by the police or another recognized authority under legal authorization; the same act without authorization is simply eavesdropping.

Answer option A is incorrect. Server Message Block (SMB) signing is a security feature of

Windows operating systems. SMB signing ensures that the transmission and reception of files

across a network are not altered in any way.

Note: Enabling SMB signing on the network reduces the performance of the network because of the

increased processing and network traffic required to digitally sign each SMB packet.

Q: Which of the following records everything a person types using the keyboard?

e. Line conditioner

f. Port scanner

g. Keystroke logger

h. Firewall

Explanation: Answer option G is correct.

A keystroke logger records everything a person types using the keyboard. Keystroke logging is a

method of logging and recording user keystrokes. It can be performed with software or hardware

devices.


Answer option B is incorrect. A port scanner is a software tool that is designed to search a network

host for open ports. This tool is often used by administrators to check the security of their networks.

It is also used by hackers to compromise the network and systems.

Answer option D is incorrect. A firewall is a tool to provide security to a network. It is used to protect

an internal network or intranet against unauthorized access from the Internet or other outside

networks. It restricts inbound and outbound access and can analyze all traffic between an internal

network and the Internet.

Q: Which of the following user authentications are supported by the SSH-1 protocol but not

by the SSH-2 protocol?

Each correct answer represents a complete solution. Choose all that apply.

a. Rhosts (rsh-style) authentication

b. TIS authentication

c. Password-based authentication

d. Kerberos authentication

Explanation: Answer options A, B, and D are correct.

The SSH-2 protocol defines public key (DSA, RSA and OpenPGP keys), host-based, and password authentication. SSH-1 offered a wider and weaker set: RSA public key, RhostsRSA, password, Rhosts (rsh-style), TIS, and Kerberos authentication. Note that modern SSH-2 implementations add Kerberos through the GSSAPI extension (RFC 4462); the question concerns the base protocol. SSH-1 itself should no longer be enabled anywhere: it has known weaknesses and OpenSSH has removed support for it.

Q: Which of the following are the drawbacks of the NTLM Web authentication scheme?

Each correct answer represents a complete solution. Choose all that apply.

e. It can be brute forced easily.

f. It works only with Microsoft Internet Explorer.

g. The password is sent in clear text format to the Web server.

h. The password is sent in hashed format to the Web server.


Explanation: Answer options E and F are correct.

The following are drawbacks of the NTLM Web authentication scheme. NTLM is not entirely safe because captured NTLM challenge/response pairs can be cracked offline by brute-force password guessing: the cracking program hashes each candidate password, computes the response for the captured challenge and compares it with the one observed. The scheme was originally usable only from Microsoft Internet Explorer (other browsers added support later), which is the limitation the exam has in mind. Option H is not a drawback of NTLM as such: the hash is never sent; the response derived from it is.

Q: Which of the following statements is true of the Digest Authentication scheme?

a. It uses the base64 encoding encryption scheme.

b. The password is sent over the network in clear text format.

c. In this authentication scheme, the username and password are passed with every

request, not just when the user first types them.

d. A valid response from the client contains a checksum of the username, the

password, the given random value, the HTTP method, and the requested URL.

Explanation: Answer option D is correct.

Digest authentication (RFC 2617) replaced Basic authentication, which merely base64-encodes username:password (encoding, not encryption, so option A is wrong). Digest is a challenge-response scheme: the server sends a random nonce, and the client returns an MD5 checksum computed over the username, realm, password, nonce, HTTP method and requested URI (plus a client nonce and a request counter when qop=auth is used). The password itself never crosses the network in clear text. Because MD5 is fast and the exchange contains everything except the password, however, a captured exchange can still be brute-forced offline, so Digest is no substitute for TLS.
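To make the checksum concrete, here is the Digest computation on both sides, as an added example that is not code from the guide. It uses the worked values from RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com, password "Circle Of Life"), which the RFC lists as producing the response 6629fae49393a05397450978507c4ef1, and adds a server-side nonce-count check, the part of the scheme that stops the replay attack from Eve's question earlier in this chapter; the DigestVerifier class and the rfc_check helper are names chosen here.

```python
"""HTTP Digest authentication, client and server side (added example; not from the guide)."""
import hashlib
import hmac


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Client side: the RFC 2617 response value.
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2), or MD5(HA1:nonce:HA2)
    in the older RFC 2069 form when no qop is negotiated."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: recompute the response from the stored password and
    reject replays by requiring the nonce count to increase per nonce."""

    def __init__(self, passwords):
        self.passwords = passwords        # username -> password (real servers store HA1)
        self.last_nc = {}                 # nonce -> highest nc accepted so far

    def verify(self, params, method):
        pw = self.passwords.get(params["username"])
        if pw is None:
            return False
        expected = digest_response(params["username"], params["realm"], pw, method,
                                   params["uri"], params["nonce"], params.get("qop"),
                                   params.get("nc"), params.get("cnonce"))
        if not hmac.compare_digest(expected, params["response"]):
            return False
        if params.get("qop"):
            nc = int(params["nc"], 16)
            if nc <= self.last_nc.get(params["nonce"], 0):
                return False              # same or older counter: a replayed request
            self.last_nc[params["nonce"]] = nc
        return True


# The worked example from RFC 2617 section 3.5 (taken from the RFC, not constructed here).
RFC_EXAMPLE = dict(username="Mufasa", realm="testrealm@host.com", uri="/dir/index.html",
                   nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", qop="auth",
                   nc="00000001", cnonce="0a4f113b")
RFC_PASSWORD = "Circle Of Life"


def rfc_check():
    """Run the RFC vector through both halves; returns (response, accepted, replay_accepted)."""
    resp = digest_response(RFC_EXAMPLE["username"], RFC_EXAMPLE["realm"], RFC_PASSWORD, "GET",
                           RFC_EXAMPLE["uri"], RFC_EXAMPLE["nonce"], RFC_EXAMPLE["qop"],
                           RFC_EXAMPLE["nc"], RFC_EXAMPLE["cnonce"])
    server = DigestVerifier({"Mufasa": RFC_PASSWORD})
    request = dict(RFC_EXAMPLE, response=resp)
    first = server.verify(request, "GET")
    replay = server.verify(request, "GET")     # identical request captured and resent
    return resp, first, replay


if __name__ == "__main__":
    print(rfc_check())   # ('6629fae49393a05397450978507c4ef1', True, False)
```

The second verify call fails only because of the nonce-count bookkeeping: the checksum itself is still valid, which is exactly what Eve exploited in the replay question. A server must also expire nonces, otherwise an attacker who captures one exchange has unlimited time to guess the password offline.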

Q: Which of the following Web authentication techniques uses a single sign-on scheme?

a. Basic authentication

b. Digest authentication

c. NTLM authentication

d. Microsoft Passport authentication

Explanation: Answer option D is correct.

Microsoft Passport authentication is based on single sign-on authentication in which a user needs to

remember only one username and password to be authenticated for multiple services

Q: What is L0phtcrack (LC4) used for?

a. Launch Denial of service attacks through cracks in the network


b. Run lofty port scans for open services in a network

c. Windows password cracking tool

d. Network traffic sniffing tool

Explanation: Answer option C is correct.

Q: According to a password policy, which of the following rules should be followed by a user

while creating a password?

Each correct answer represents a complete solution. Choose all that apply.

e. Use of both upper- and lower-case letters (case sensitivity)

f. Inclusion of one or more numerical digits

g. Inclusion of special characters

h. Inclusion of words found in a dictionary or the user's personal information

Explanation: Answer options E, F and G are correct.

A password policy is a set of rules designed to enhance computer security by encouraging users to

employ strong passwords and use them properly

Q: You work as a professional Ethical Hacker. You are assigned a project to test the security

of www.we-are-secure.com. You are working on the Windows Server 2003 operating system.

You suspect that your friend has installed the keyghost keylogger onto your computer.

Which of the following countermeasures would you employ in such a situation?

Each correct answer represents a complete solution. Choose all that apply.

a. Monitor the processes running on the server to see whether any new process has appeared.

b. Use an on-screen keyboard or speech-to-text software, which defeats keystroke capture because no typing is involved.

c. Use a commercially available anti-keylogger such as PrivacyKeyboard.

d. Remove the SNMP agent or disable the SNMP service.

Explanation: Answer options A, B, and C are countermeasures against keyloggers; option D concerns SNMP and has nothing to do with keystroke capture. Note that KeyGhost is a hardware keylogger that sits inline with the keyboard cable, so a process list will not reveal it; check the physical keyboard connection as well.

Q: In which of the following malicious hacking steps does email tracking come under?

a. Reconnaissance

b. Scanning

c. Gaining access

d. Maintaining Access


Explanation: Answer option A is correct.

Email tracking comes under the reconnaissance step of malicious hacking.

Q: In which of the following attacks does an attacker create the IP packets with a forged

(spoofed) source IP address with the purpose of concealing the identity of the sender or

impersonating another computing system?

a. IP address spoofing

b. Rainbow attack

c. Cross-site request forgery

d. Polymorphic shell code attack

Explanation: Answer option A is correct.

Answer option C is incorrect. Cross-site request forgery, also known as one-click attack or session

riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted

from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user

has for a particular site, CSRF exploits the trust that a site has in a user's browser. The attack works

by including a link or script in a page that accesses a site to which the user is known to have

authenticated.

Q: Which of the following tools can be used for anti-phishing?

e. Netcraft

f. Legion

g. eblaster

h. Spector

Explanation: Answer option E is correct.

The Netcraft toolbar checks the site being visited against Netcraft's database of reported phishing sites and shows the site's hosting history, so a freshly registered site posing as an established bank stands out.

Netcraft is also known for periodically polling web servers to determine the operating system and web-server software in use, and it publishes web server and hosting market-share analysis based on that data. eBlaster and Spector are monitoring (spyware-style) products, and Legion scans for open Windows file shares; none of them is an anti-phishing tool.


Q: John works as a Network Administrator for We-are-secure Inc. The We-are-secure server

is Linux-based. John wants to install a tool that can be used to filter packets according to the

MAC address and TCP header flag values. Which of the following tools will he use to

accomplish his task?

a. Chkrootkit

b. PsLogList

c. PsExec

d. IPTables

Explanation: Answer option D is correct.

iptables is the packet-filtering front end for the Linux netfilter framework and replaced ipchains from the 2.4 kernel onward. It matches on TCP header flags with --tcp-flags and on the source MAC address through the mac match module (-m mac --mac-source), which is exactly what John needs.

Q: John works as a professional Ethical Hacker. He is assigned a project to test the

security of www.we-are-secure.com. He installs a rootkit on the Linux server of the

We-are-secure network. Which of the following statements are true about rootkits?

Each correct answer represents a complete solution. Choose all that apply.

a. They allow an attacker to run packet sniffers secretly to capture passwords.

b. They allow an attacker to conduct a buffer overflow.

c. They allow an attacker to set a Trojan in the operating system and thus open a

backdoor for anytime access.

d. They allow an attacker to replace utility programs that can be used to detect the

attacker's activity.

Explanation: Answer options A, C, and D are correct.

Q: You have placed a Trojan file trojan.exe inside another text file readme.txt using

NTFS streaming. Which of the following commands will you execute to extract the

Trojan from the readme.txt file?

a. c:\> cat readme.txt:trojan.exe > trojan.exe

b. c:\> cat trojan.exe > readme.txt > trojan.exe

c. c:\> cat readme.txt > trojan.exe

d. c:\> cat trojan.exe


Explanation: Answer option A is correct.

The syntax filename:streamname addresses an alternate stream, so cat readme.txt:trojan.exe > trojan.exe copies the hidden stream back out into an ordinary file. The cat used here comes from a UNIX toolkit installed on Windows; the native equivalents are type trojan.exe > readme.txt:trojan.exe to hide the file and more < readme.txt:trojan.exe > trojan.exe to extract it. Alternate Data Streams (ADS) are a feature of the NTFS file system that allows more than one data stream to be associated with a filename. Alternate streams are not listed in Windows Explorer and their size is not included in the file size, which gives an attacker a place to hide rootkits or tools, but they are not invisible: dir /r (Windows Vista and later) and the Sysinternals streams utility list them.

Q: You work as a Network Security Administrator for we-are-secure Inc. You feel that

someone has accessed your computer and used your e-mail account. To check

whether there is any virus installed on your computer, you scan your computer but do

not find any illegal software. Which of the following types of security attacks generally

runs behind the scenes on your computer?

a. Rootkit

b. Zero-day

c. Hybrid

d. Replay

Explanation: Answer option A is correct.

Answer option B is incorrect. A zero-day attack, also known as zero-hour attack, is a computer

threat that tries to exploit computer application vulnerabilities which are unknown to others,

undisclosed to the software vendor, or for which no security fix is available.

Q: Victor works as a professional Ethical Hacker for SecureNet Inc. He wants to use the

Steganographic file system method to encrypt and hide some secret information. Which of

the following disk spaces will he use to store this secret information?

Each correct answer represents a complete solution. Choose three.

e. Unused sectors

f. Dumb space

g. Hidden partition

h. Slack space

Explanation: Answer options E , G and H are correct.

The Steganographic file system is a technique of storing files in such a manner that it encrypts data

and hides it in an efficient way so that it cannot be traced. There are three basic methods of hiding

data in disk space:


Unused sectors

Slack space

Hidden partition

Q: John used to work as a Network Administrator for We-are-secure Inc. Now he has

resigned from the company for personal reasons. He wants to send out some secret

information of the company. To do so, he takes an image file and simply uses a tool

image hide and embeds the secret file within an image file of the famous actress,

Jennifer Lopez, and sends it to his Yahoo mail id. Since he is using the image file to

send the data, the mail server of his company is unable to filter this mail. Which of the

following techniques is he performing to accomplish his task?

a. Web ripping

b. Social engineering

c. Email spoofing

d. Steganography

Explanation: Answer option D is correct.

According to the scenario, John is using steganography to smuggle the data out. Steganography is the art and science of hiding information by embedding a message inside another, seemingly harmless carrier such as an image, so that the very existence of the message is concealed. A mail filter that inspects only text passes the image unchanged; detecting this requires tooling that inspects or strips attachments.

Q: Which of the following tools is used to hide secret data in text files and is based on

the concept that spaces and tabs are generally not visible in text viewers, and

therefore a message can be effectively hidden without affecting the text's visual

representation for the casual observer?

a. Image hide

b. Snow.exe

c. SARA

d. Fpipe

Explanation: Answer option B is correct.

Snow.exe is a Steganography tool that is used to hide secret data in text files. It is based on the

concept that spaces and tabs are generally not visible in text viewers and therefore a message can

be effectively hidden without affecting the text's visual representation for the casual observer


Watermarking is the irreversible process of embedding information into digital media. The purpose

of digital watermarks is to provide copyright protection for intellectual property that is in digital form.

Watermarking is basically divided into two main sections

Q: You have physical access to Maria's laptop. You have downloaded a keylogger and

installed there with password protection. Now, in the covering tracks step, what will you

perform before leaving the laptop?

Each correct answer represents a complete solution. Choose all that apply.

a. Clear recent docs from registry

b. Clear caches

c. Delete cookies

d. Disabling auditing

e. Changing OS password

Explanation: Answer options A, B, C, and D are correct; changing the OS password would alert the owner rather than hide the intrusion.

Covering tracks is the last step of an intrusion and consists of removing the evidence the earlier steps left behind. On Linux or UNIX that means the logs under /var/log (and the shell history); on Windows it means the Security, System and Application event logs. Attackers either clear those logs afterwards or disable auditing beforehand so that nothing is written in the first place. From the defender's side, forwarding logs to a separate collector as they are written defeats both, because the copy that matters is no longer on the compromised host.

Q: A hacker broke into an application but forgot to cover his tracks within the enterprise systems. You have been called in as a forensics investigator and were easily able to trace back the activities of the hacker. What should the hacker have done to cover his tracks and make himself difficult to identify?

Each correct answer represents a complete solution. Choose all that apply.

a. Disable auditing

b. Clear the event log

c. Run Traceless

d. Use Armor Tools

Explanation: Answer options A and B are correct. As the previous explanation notes, an intruder either disables auditing so that nothing is recorded or clears the event logs afterwards.

Q: A Windows server has been hacked and you have been brought in to investigate how the


incident may have occurred. You look for malicious activity traces in the event logs to

investigate the hacker's attack pattern. Which of the following is a tool that system

administrators often use to enable auditing on Windows systems to capture such events?

a. Auditpol

b. WinZapper

c. Evidence Eliminator

d. ELSave

Explanation: Answer option A is correct.

Auditpol shipped in the Windows NT Resource Kit and, since Windows Vista and Server 2008, is built into Windows as auditpol.exe. It can enable or disable auditing from the command line and also displays the current audit policy (for example auditpol /get /category:*), which an investigator checks first to learn whether the events of interest were being recorded at all. WinZapper, Evidence Eliminator and ELSave are tools for deleting or trimming event logs, that is, for covering tracks rather than enabling auditing.

The EC-Council group has divided Trojans into seven primary types:

1. Remote Access Trojans: They allow attackers to gain full control over computer systems.

Remote access Trojans are usually set up as client/server programs, so that an attacker can

connect to the infected system and control it remotely.

2. Data Sending Trojans: They are used to capture and redirect data. eBlaster is an example of

this type of Trojan. It can capture keystrokes, passwords, or any other type of information and

send them back to the attacker via email.

3. Destructive Trojans: They are used to destroy files or operating systems.

4. DoS Attack Trojans: They are designed to cause a DoS attack.

5. Proxy Trojans: They are designed to work as proxies. These programs can help a hacker hide

and perform activities from the victim's computer.

6. FTP Trojans: They are specifically designed to work on port 21. These Trojans allow a hacker to

upload, download, or move files on the victim's computer.

7. Security Software Disabler Trojans: They are designed to attack and kill antivirus or software

firewalls. The goal of disabling these programs is to make it easier for the hacker to control the

system.

A Trojan horse is malicious code that masquerades as a legitimate program. When it is run, its hidden payload executes, which may mean anything from opening a backdoor to destroying or scrambling data on the hard disk.


Q: Ralph wants to provide a demo to his team of an attack type that cannot be

detected by regular firewall and IDS systems. The attack can be detected only with

tcpdump used to capture all packets entering and leaving the server machine. He

initiates a TCP connection with the server on port 80. Two separate hosts on two

separate networks were used - one machine served as a server and the other as a

client. The latest version of Snort with all the current rule sets was installed and kept

running, yet could not identify the attacks. What method of attack is Ralph planning to

use?

a. Covert channel attack

b. Tor attacks

c. Inside-Out Attack

d. White-listing attack

Explanation: Answer option A is correct.

A Covert Channel is a communication channel that allows a process to transfer information in a

manner that violates the system's security policy without alerting any firewalls and IDS's on the

network.

5. Q: Which of the following are uses of the covert channel?

Each correct answer represents a complete solution. Choose all that apply.

a. Transferring a file from the victim's computer to the hacker's computer and vice-versa
b. Launching applications on the victim's computer
c. Interactive remote control access from the hacker's computer to the victim's computer
d. Vigilance of any corporate filtered firewall rules

Explanation: Answer options A, B, and C are correct.

Q: A company suspects that a disgruntled employee or a malicious insider is sending information to an accomplice outside the corporate network. You are brought in as a security consultant to test for insider attacks which are initiated from inside the corporate network. What are some of the tests that you perform?

Each correct answer represents a complete solution. Choose two.

a. Reverse Engineering
b. Bypass corporate filter firewall rules from inside-out
c. DNS Tunneling
d. Social Engineering

Explanation: Answer options B and C are correct.

Q: You check your Snort log and get the following suspicious part:

What type of attack might it be?

a. Back Orifice
b. Netbus
c. SubSeven
d. BoBo

Explanation: Answer option A is correct.

In the log used in the question, you can see that packets are coming from 31337,

Q: Which of the following parameters of the NETSTAT command is used to display all active connections and the TCP and UDP ports on which the computer is listening?

a. -a
b. -b
c. -e
d. -f

Explanation: Answer option A is correct.

-a: It is used to display all active connections and the TCP and UDP ports on which the computer is listening.
-b: It is used to display the binary program's name involved in creating each connection or listening port.
-e: It is used to display Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
-f: It is used to display fully qualified domain names (FQDN) for foreign addresses.
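As an added illustration for the netstat and Back Orifice questions above (this is not code from the study guide), the following script parses the table printed by netstat -an and flags sockets bound to ports associated with the remote access Trojans named in these questions. The sample output is constructed; the port-to-tool watchlist is an assumption built from the widely documented defaults of those tools (31337 for Back Orifice is the value the guide itself mentions).

```python
from typing import NamedTuple

# Assumed watchlist: local port -> Trojan commonly associated with it.
# 31337 (Back Orifice) is the port referred to in the Snort-log question;
# the NetBus and SubSeven entries are their widely documented defaults.
TROJAN_PORTS = {
    31337: "Back Orifice",
    12345: "NetBus",
    27374: "SubSeven",
}


class Socket(NamedTuple):
    proto: str        # "TCP" or "UDP"
    local_addr: str
    local_port: int
    foreign: str      # foreign address:port column, "*:*" for UDP
    state: str        # e.g. LISTENING, ESTABLISHED; empty for UDP rows


def parse_netstat(text: str) -> list:
    """Parse the table printed by Windows `netstat -an` (or `-a`) into Socket records.

    Rows that do not start with TCP/UDP (the banner and the column header) are skipped.
    UDP rows have no State column, so state is left empty for them.
    """
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        addr, port = local.rsplit(":", 1)     # rsplit keeps IPv6 addresses intact
        sockets.append(Socket(proto, addr, int(port), foreign, state))
    return sockets


def suspicious_sockets(sockets) -> list:
    """Return (socket, tool name) pairs whose local port is on the watchlist."""
    return [(s, TROJAN_PORTS[s.local_port]) for s in sockets if s.local_port in TROJAN_PORTS]


# Constructed sample output, in the format netstat -an prints on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49731     203.0.113.5:80         ESTABLISHED
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:31337          *:*
"""


def review(text: str = SAMPLE_NETSTAT) -> list:
    """Parse netstat output and return the watchlist hits as (proto, port, tool, state)."""
    return [(s.proto, s.local_port, tool, s.state)
            for s, tool in suspicious_sockets(parse_netstat(text))]


if __name__ == "__main__":
    for proto, port, tool, state in review():
        print(f"{proto} port {port} ({state or 'no state'}): associated with {tool}")
```

A hit on a watchlist port is a lead, not proof: confirm it with netstat -b (the owning binary) before acting on it.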

5. Q: Which of the following parameters of the NETSTAT command is used to display the contents of the IP routing table?

a. -r
b. -p
c. -s
d. -t

Explanation: Answer option A is correct.

Q: You have placed a Trojan in the we-are-secure.com server, which is transmitting data from the server to the attacker. In the meantime, the attacker runs the following command:

nc -l -u -p 22222 < /etc/passwd

What does this command do?

a. It loads the /etc/passwd file on the server.
b. It downloads the /etc/password from the server.
c. It deletes the /etc/password from the server.
d. It updates the /etc/password of the server.

Explanation: Answer option B is correct.

Q: Which of the following statements are true about ICMP tunneling?

Each correct answer represents a complete solution. Choose all that apply.

a. It is a method in which ICMP packets are sent in encrypted form via the HTTP port.
b. It is a method in which tunneling of another protocol through ICMP is performed.
c. An example of this technique is tunneling complete TCP traffic over ping requests and replies.
d. ICMP tunneling is used to bypass firewalls, which do not block ICMP packets.

Explanation: Answer options B, C, and D are correct.
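An added illustration for the ICMP tunneling question above (not the guide's code): a heuristic that inspects a capture of ICMP echo packets and flags the traits a tunnel leaves behind. The packets are constructed in-line; the assumptions are that a legitimate echo reply mirrors the request payload byte for byte, and that ordinary ping payloads are small and low-entropy (the 64-byte ceiling and the 6.0 bits/byte entropy bar are tunable guesses, not standards).

```python
import math
from collections import Counter

ECHO_REPLY, ECHO_REQUEST = 0, 8          # ICMP type values
MAX_NORMAL_PAYLOAD = 64                  # assumed ceiling: stock pings send 32 or 56 data bytes
HIGH_ENTROPY = 6.0                       # assumed bar, in bits per byte


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; repetitive ping filler scores well below 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze_icmp(packets) -> list:
    """Scan echo packets (dicts with type, id, seq, payload); return (finding, (id, seq)) tuples.

    Three heuristics: a reply whose payload differs from its request (a tunnel carries
    different data in each direction), an oversized payload, and a high-entropy payload
    (encapsulated or encrypted traffic rather than ping filler).
    """
    findings = []
    pending = {}                         # (id, seq) -> request payload awaiting its reply
    for p in packets:
        key = (p["id"], p["seq"])
        if p["type"] == ECHO_REQUEST:
            pending[key] = p["payload"]
        elif p["type"] == ECHO_REPLY:
            request_payload = pending.pop(key, None)
            if request_payload is not None and request_payload != p["payload"]:
                findings.append(("reply_payload_mismatch", key))
        if len(p["payload"]) > MAX_NORMAL_PAYLOAD:
            findings.append(("oversized_payload", key))
        if len(p["payload"]) >= 16 and entropy(p["payload"]) > HIGH_ENTROPY:
            findings.append(("high_entropy_payload", key))
    return findings


# Constructed capture: one ordinary Windows-style ping exchange, then one exchange
# that carries unrelated data in each direction, standing in for a tunnelled TCP stream.
PING_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"        # the 32-byte Windows ping payload
TUNNEL_UP = bytes(range(128))                            # stand-in for an encapsulated segment
TUNNEL_DOWN = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"

SAMPLE_CAPTURE = [
    {"type": ECHO_REQUEST, "id": 0x0001, "seq": 1, "payload": PING_FILLER},
    {"type": ECHO_REPLY,   "id": 0x0001, "seq": 1, "payload": PING_FILLER},
    {"type": ECHO_REQUEST, "id": 0x2222, "seq": 1, "payload": TUNNEL_UP},
    {"type": ECHO_REPLY,   "id": 0x2222, "seq": 1, "payload": TUNNEL_DOWN},
]

if __name__ == "__main__":
    for finding, (ident, seq) in analyze_icmp(SAMPLE_CAPTURE):
        print(f"id={ident:#06x} seq={seq}: {finding}")
```

The same idea applies to the firewall question in option d: a policy that must allow ICMP can still limit echo payload size and alert on the mismatch and entropy signals.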

A wrapper is a program that is used to combine a harmful executable file with a harmless executable file.

Q: You want to add a netbus Trojan in the chess.exe game program so that you can gain remote access to a friend's computer. Which of the following tools will you use to accomplish the task?

Each correct answer represents a complete solution. Choose all that apply.

a. Wrapper
b. Yet Another Binder
c. Beast
d. Tripwire

Explanation: Answer option A is correct.

Q: Mark works as a Network Security Administrator for uCertify Inc. He is responsible for securing and analyzing the network of the organization. Mark is concerned about the current network security, as individuals can access the network by bypassing authentication, thus allowing them to get more permissions than allotted. Which of the following is responsible for this type of privilege escalation?

a. Backdoor
b. Rootkit
c. Boot sector
d. Master Boot Record

Explanation: Answer option A is correct.

According to the scenario, a backdoor is responsible for this type of privilege escalation. A backdoor is a program or account that allows access to a system by skipping the security checks. Many vendors and developers implement backdoors to save time and effort by skipping the security checks while troubleshooting. A backdoor is considered to be a security threat and should be treated with the utmost seriousness. If a backdoor becomes known to attackers and malicious users, they can use it to exploit the system.

Q: Which of the following are symptoms of a virus attack on your computer?

Each correct answer represents a complete solution. Choose two.

a. Faster read/write access of the CD-ROM drive
b. Sudden reduction in system resources
c. Corrupted or missing files
d. Unclear monitor display

Explanation: Answer options B and C are correct.

Q: Your Web server crashes at exactly the point where it reaches 1 million total visits. You discover the cause of the server crash is malicious code. Which description best fits this code?

a. Virus
b. Polymorphic Virus
c. Worm
d. Logic Bomb

Explanation: Answer option D is correct.

A logic bomb is malware that executes its malicious activity when a certain condition is met, often when a certain date/time is reached. In this case it waited for the Web server to pass a certain threshold.

Worms are programs that replicate themselves from system to system without the use of a host file.

5. Q: John works as a Marketing Manager for we-are-secure Inc. Today, when he opens his email account, he gets an email with the subject "security issue". In the email, he gets the following message:

Remove the Boot.ini file because it is harmful for operating system.

When John reads about the Boot.ini file on the Internet, he discovers that it is a system file that is used to load the operating system on the computer. Which of the following types of virus has attacked John's computer?

a. Hoax
b. Polymorphic
c. Macro
d. Multipartite

Explanation: Answer option A is correct.

According to the scenario, John's computer has been attacked by a virus hoax. A computer virus hoax is a message warning the recipient of a non-existent computer virus threat.

6. Q: Which of the following statements is true about the difference between worms and Trojan horses?

a. Trojan horses are a form of malicious code, while worms are not.
b. Trojan horses are harmful to computers while worms are not.
c. Worms replicate themselves while Trojan horses do not.
d. Worms can be distributed through emails while Trojan horses cannot.

Explanation: Answer option C is correct.

Worms replicate themselves while Trojan horses do not. A worm is a software program that uses computer networks and security holes to replicate itself from one computer to another.

Q: Which of the following is used to describe the type of FTP access in which a user does not have permissions to list the contents of directories, but can access the contents if he knows the path and file name?

a. Blind FTP
b. Secure FTP
c. Passive FTP
d. Hidden FTP

Explanation: Answer option A is correct.

Blind FTP (sometimes called anonymous FTP) gives a user the ability to go directly to specific directories if the user knows the path and file name. However, they cannot peruse items. This is a more secure way of allowing FTP.

Q: Which of the following tasks can be performed by a malicious bot/botnet?

Each correct answer represents a complete solution. Choose all that apply.

a. Performing DDoS attacks
b. Harvesting email addresses from contact forms or guestbook pages
c. Downloading an entire Web site to consume the bandwidth of a target
d. Stealing information like credit card numbers, login IDs, etc.
e. Performing a spoofing attack

Explanation: Answer options A, B, C, and D are correct.

A malicious bot is automated software that is used for various unethical activities. A bot/botnet can be used to perform any or all of the following malicious activities:

Q: A user has opened a Web site that automatically starts downloading malicious code onto his computer. What should he do to prevent this?

Each correct answer represents a complete solution. Choose two.

a. Configure Security Logs
b. Disable ActiveX Controls
c. Implement File Integrity Auditing
d. Disable Active Scripting

Explanation: Answer options B and D are correct.

In order to prevent malicious code from being downloaded from the Internet onto a computer, you will have to disable unauthorized ActiveX Controls and Active Scripting on the Web browser. Disabling Active Scripting and ActiveX controls makes browsers safer for browsing the Web.

4. Q: John works as a professional Ethical Hacker. He has been assigned a project to test the security of www.we-are-secure.com. He wants to test the effect of a virus on the We-are-secure server. He injects the virus on the server and, as a result, the server becomes infected with the virus even though an established antivirus program is installed on the server. Which of the following do you think are the reasons why the antivirus installed on the server did not detect the virus injected by John?

Each correct answer represents a complete solution. Choose all that apply.

a. John has changed the signature of the virus.
b. John has created a new virus.
c. The virus, used by John, is not in the database of the antivirus program installed on the server.
d. The mutation engine of the virus is generating a new encrypted code.

Explanation: Answer options A, B, C, and D are correct.

Not every virus can be detected by a signature-based antivirus, largely for the following reasons:

If an attacker has changed the signature of a virus, any signature-based antivirus will not be able to find the virus.

Any new virus will not be captured by the antivirus, as it will not be on the list in the antivirus database.

If the virus is not in the database of a signature-based antivirus, it will be virtually impossible for the antivirus to detect that virus.

If the mutation engine of a polymorphic virus is generating new encrypted code, this changes the signature of the virus. Therefore, polymorphic viruses cannot be detected by a signature-based antivirus.

Promiscuous mode is a configuration of a network card that makes the card pass all traffic it receives to the central processing unit rather than just the packets addressed to it.

Q: Which of the following tools is an open source protocol analyzer that can capture traffic in real time?

a. Snort
b. NetWitness
c. Netresident
d. Wireshark

Explanation: Answer option D is correct.

Wireshark is an open source protocol analyzer that can capture traffic in real time. Wireshark is a free packet sniffer application. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Q: Which of the following is a network maintenance protocol of the TCP/IP protocol suite that is responsible for the resolution of IP addresses to media access control (MAC) addresses of a network interface card (NIC)?

a. ARP
b. DHCP
c. RARP
d. PIM

Explanation: Answer option A is correct.

Address Resolution Protocol (ARP) is a network maintenance protocol of the TCP/IP protocol suite. It is responsible for the resolution of IP addresses to media access control (MAC) addresses.

2. Q: Which of the following is the Windows GUI tool that can perform MITM attacks, along with sniffing and ARP poisoning?

a. CAIN
b. Ettercap
c. wsniff
d. Airjack

Explanation: Answer option A is correct.

3. Q: In which of the following attacks does an attacker change the MAC address on the sniffer to one that is the same as in another system on the local subnet?

a. MAC duplicating
b. MAC flooding
c. ARP spoofing
d. IP spoofing

Explanation: Answer option A is correct.

In a MAC duplicating attack, the attacker confuses the switch and the switch begins to think that two ports have the same MAC address. To perform a MAC duplicating attack, the attacker changes the MAC address on the sniffer to one that is the same as in another system on the local subnet. This differs from ARP Spoofing because, in ARP Spoofing, the attacker confuses the host by poisoning its ARP cache.

Q: Which of the following tools can be used for an ARP poisoning attack?

Each correct answer represents a complete solution. Choose all that apply.

a. Arpspoof
b. Cain and Abel
c. Ettercap
d. Brutus

Explanation: Answer options A, B, and C are correct.

Arpspoof (part of the DSniff suite of tools), Cain and Abel, and Ettercap are the tools that can be used to carry out ARP poisoning attacks.

4. Q: Which of the following attacks allows an attacker to sniff data frames on a local area network (LAN) or stop the traffic altogether?

a. ARP spoofing
b. Port scanning
c. Man-in-the-middle
d. Session hijacking

Explanation: Answer option A is correct.

Q: As a security consultant, you are investigating a possible attack scenario where corporate employees within a corporation get redirected to an unknown website page when entering a public email site address in the browser. This new site requests their user id and password to validate credentials, before forwarding the request to the email site. As a consultant, you want to validate this website change, and when you access this site from your iPhone, you directly go to the original webpage of the email site. What possible attack has the company been subjected to?

a. DNS cache poisoning attack
b. DNS zone transfer attack
c. Webcache poisoning attack of the email server
d. Directory traversal attack

Explanation: Answer option A is correct.

Q: You want to install Windump, the Windows substitute of the TCPDump packet sniffer, which is Linux-based. For this, you need to install a library. Which of the following is the name of the library?

a. WinPCAP
b. idconfig
c. Winconf
d. WinTCP

Explanation: Answer option A is correct.

WinDump is the Windows version of tcpdump that is used to view, diagnose, and save to disk network traffic as defined in the various rules. It is used in Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows 2003, and Windows Vista. WinDump uses the WinPcap library and drivers for packet capturing. It also uses the 802.11b/g wireless capturing technique and the CACE Technologies AirPcap adapter.

WinPcap is the tool that is used for link-layer network access in Windows environments. It allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, which include kernel-level packet filtering, a network statistics engine and support for remote packet capture.

2. Q: In which of the following conditions does Ethereal (Wireshark) work best?

a. When you are targeting networks using hubs
b. When you are targeting switched networks
c. When you are targeting Windows-based networks
d. When you are targeting Linux-based networks

Explanation: Answer option A is correct.

Q: Which of the following attacks can be performed by attacking the CAM switches?

a. MAC flooding
b. ARP spoofing
c. IP address spoofing
d. DNS cache poisoning

Explanation: Answer option A is correct.

MAC flooding is an attack that can be performed by attacking the CAM table of switches. MAC flooding is a technique employed to compromise the security of network switches. In a typical MAC flooding attack, a switch is flooded with packets, each containing a different source MAC address. The intention is to consume the limited memory set aside in the switch to store the MAC address-to-physical port translation table. This attack causes the switch to enter a state called fail-open mode, in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as in normal operation.
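As an added example for the MAC duplicating and MAC flooding questions (not from the guide), this monitor consumes (switch port, source MAC) observations, as a switch would learn them into its CAM table, and raises the two anomalies those attacks produce: one port sourcing far more MACs than an access port should, and one MAC appearing on more than one port. The observations are constructed; the 50-MAC threshold and the port names are assumptions, and because uplink ports legitimately carry many MACs they are exempted from the flood check.

```python
from collections import defaultdict

FLOOD_THRESHOLD = 50   # assumed: an access port normally sources a handful of MACs, not dozens


def analyze_cam(observations, uplink_ports=frozenset(), flood_threshold=FLOOD_THRESHOLD) -> list:
    """Return alerts from a sequence of (port, source_mac) learning events.

    ("mac_flooding", port, distinct_mac_count): more distinct source MACs than the
        threshold on a non-uplink port, the symptom of an attempt to exhaust the CAM table.
    ("mac_duplicating", mac, ports): the same MAC learned on two or more ports, which is
        what the switch sees when a sniffer assumes another host's MAC address.
    """
    macs_by_port = defaultdict(set)
    ports_by_mac = defaultdict(set)
    for port, mac in observations:
        mac = mac.lower()                 # normalise case so AA:BB and aa:bb compare equal
        macs_by_port[port].add(mac)
        ports_by_mac[mac].add(port)

    alerts = []
    for port in sorted(macs_by_port):
        if port not in uplink_ports and len(macs_by_port[port]) > flood_threshold:
            alerts.append(("mac_flooding", port, len(macs_by_port[port])))
    for mac in sorted(ports_by_mac):
        if len(ports_by_mac[mac]) > 1:
            alerts.append(("mac_duplicating", mac, tuple(sorted(ports_by_mac[mac]))))
    return alerts


def sample_observations() -> list:
    """Constructed learning events: a flooded access port, a duplicated MAC, a busy uplink."""
    events = []
    # Gi1/0/3: 200 different source MACs in quick succession (flooding pattern).
    events += [("Gi1/0/3", f"00:11:22:33:{i // 256:02x}:{i % 256:02x}") for i in range(200)]
    # Gi1/0/5 is the real owner of 00:50:56:aa:bb:cc; Gi1/0/7 later claims the same MAC.
    events += [("Gi1/0/5", "00:50:56:aa:bb:cc"), ("Gi1/0/7", "00:50:56:AA:BB:CC")]
    # Gi1/0/24 is the uplink and legitimately sees many MACs from the rest of the network.
    events += [("Gi1/0/24", f"00:0c:29:00:00:{i:02x}") for i in range(120)]
    return events


if __name__ == "__main__":
    for alert in analyze_cam(sample_observations(), uplink_ports={"Gi1/0/24"}):
        print(alert)
```

On real switches the same two conditions are what port security (a per-port MAC limit) and MAC-move notifications enforce and log.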

Q: Which of the following statements are true of spoofing and session hijacking?

Each correct answer represents a complete solution. Choose all that apply.

e. Spoofing is an attack in which an attacker can spoof the IP address or other identity of the target but the valid user can be active.
f. Session hijacking is an attack in which the attacker takes over the session, and the valid user's session is disconnected.
g. Session hijacking is an attack in which the attacker takes over the session, and the valid user's session is not disconnected.
h. Spoofing is an attack in which the attacker can spoof the IP address or other identity of the target, and the valid user cannot be active.

Explanation: Answer options E and G are correct.

Q: Which of the following options is used by hackers to control a malicious bot?

a. IRC channels
b. IM tools
c. Websites
d. FTP servers

Explanation: Answer option A is correct.

Because IRC connections are usually unencrypted and typically span long time periods, they are an attractive target for malicious crackers.

Q: Against which of the following does SSH provide protection?

Each correct answer represents a complete solution. Choose two.

a. IP spoofing
b. Broadcast storm
c. DoS attack
d. Password sniffing

Explanation: Answer options A and D are correct.

Secure Shell (SSH) is a protocol that provides strong authentication and secure communications over insecure channels. It uses public key encryption as the main method for user authentication. SSH secures connections over the Internet by encrypting passwords and other data. It also protects networks against IP spoofing, packet spoofing, password sniffing, and eavesdropping. SSH uses TCP port 22 as the default port and operates at the application layer.

Q: Which of the following are the parts of active sniffing?

Each correct answer represents a complete solution. Choose all that apply.

a. MAC flooding
b. ARP spoofing
c. MAC duplicating
d. OS fingerprinting

Explanation: Answer options A, B, and C are correct.

Q: Which Snort mode reads the packets of the network and displays them in a continuous stream on the console?

a. Sniffer
b. Packet logger
c. Network intrusion detection
d. Output module

Explanation: Answer option A is correct.

Q: Which of the following steps can be taken as countermeasures against sniffer attacks?

Each correct answer represents a complete solution. Choose all that apply.

a. Use encrypted protocols for all communications.
b. Use switches instead of hubs since they switch communications, which means that information is delivered only to the predefined host.
c. Use tools such as StackGuard and Immunix System to avoid attacks.
d. Reduce the range of the network to avoid attacks into wireless networks.

Explanation: Answer options A, B, and D are correct.

1. Q: John works as a claims processor for an Insurance company. He gets an email marked urgent from a customer who says she uploaded all her accident pictures online and that John could click on the link to view pictures of the damaged vehicle. John understands that this is not the usual process to review accident claims, but clicks on the link out of curiosity. It takes him to a website which he does not recognize, and after a few moments, he closes his browser. Later on, John notices that his workstation has become slower and documents are taking significantly longer to open. What could be a probable cause for this slowness?

a. The system has been subjected to a pharming attack.
b. John has been subjected to a vishing attack.
c. John has been subjected to a phishing attack.
d. The system slowness is due to inadequate capacity planning.

Explanation: Answer option C is correct.

Phishing involves sending emails that appear to come from reliable sources and that try to get users to click on a link to a spoofed web page.

2. Q: Please identify from the scenario described what kind of hacking attack it is - A coworker hacker renames or moves a file so that the target thinks that it no longer exists. The hacker speculates that they can get the file back. The target, keen to get on with their work, or concerned that the loss of the information could be their own fault, leaps at this offer. The hacker states that this could only be done if they were to log on as the target. He or she may even say company policy prohibits this. The target will beg the hacker to log on as them and try to reinstate the file. Grudgingly, the hacker agrees, reinstates the original file, and steals the target's user ID and password. He or she has even embellished their reputation such that they receive requests to assist other coworkers. This approach can bypass the regular IT support channels and make it easier for the hacker to remain unnoticed.

a. Tailgating
b. Piggybacking
c. Reverse social engineering
d. Dumpster diving

Explanation: Answer option B is correct.

Answer option A is incorrect. In tailgating, an unauthorized person wearing a fake ID badge enters a secured area by closely following an authorized person through a door requiring key access. An authorized person may not be aware of having provided an unauthorized person access to a secured area.

Answer option B is incorrect. Piggybacking occurs when an authorized person allows the hacker to pass through a secure door either intentionally or unintentionally. The attacker may fabricate a story of having forgotten the ID or badge and the victim may fall for it. Sometimes piggybacking can happen without awareness or intention.

4. Q: John works as an IT Technician for uCertify Inc. One morning, John receives an e-mail from the company's Manager asking him to provide his logon ID and password, but the company policy restricts users from disclosing their logon IDs and passwords. Which type of possible attack is this?

a. DoS
b. Replay attack
c. Social engineering
d. Trojan horse

Explanation: Answer option C is correct.

Q: You work as an IT Technician for BlueBell Inc. Your work includes implementing security for the company's network to protect users against social engineering attacks. Which of the following are most commonly used by a social engineering hacker?

Each correct answer represents a complete solution. Choose all that apply.

a. E-mail
b. Telephone
c. Personal approaches
d. Brute force
e. Trojan horse

Explanation: Answer options A, B, and C are correct.

Q: Which of the following are examples of passive attacks?

Each correct answer represents a complete solution. Choose all that apply.

a. Eavesdropping
b. Dumpster diving
c. Shoulder surfing
d. Placing a backdoor

Explanation: Answer options A, B, and C are correct.

Q: John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He is using dumpster diving to gather information about We-are-secure, Inc. Under which of the following steps of malicious hacking does dumpster diving fall?

a. Reconnaissance
b. Scanning
c. Gaining access
d. Maintaining access

Explanation: Answer option A is correct.

According to the scenario, John is performing dumpster diving, which comes under the Reconnaissance step of malicious hacking. Reconnaissance is the first step in malicious hacking, in which the attacker gathers information about the victim.

5. Q: John works as a Programmer for We-are-secure Inc. On one of his routine visits to the company, he noted down the passwords of some employees while they were typing them on their computer screens. Which of the following social engineering attacks did he just perform?

a. Dumpster diving
b. Shoulder surfing
c. Important user posing
d. Authorization by third party

Explanation: Answer option B is correct.

In the given scenario, John was performing a shoulder surfing attack. Shoulder surfing is a type of in-person attack in which the attacker gathers information about the premises of an organization. This attack is often performed by looking surreptitiously at the keyboard of an employee's computer while he is typing in his password at any access point such as a terminal/Web site.

Q: In which of the following social engineering attacks does an attacker first damage any part of the target's equipment and then advertise himself as an authorized person who can help fix the problem?

a. Reverse social engineering attack
b. Impersonation attack
c. Important user posing attack
d. In person attack

Explanation: Answer option A is correct.

A reverse social engineering attack is a person-to-person attack in which the attacker convinces the target that he or she has a problem or might have a certain problem in the future and that he, the attacker, is ready to help solve the problem.

6. Q: You are the Network Administrator for a bank. In addition to the usual security issues, you are concerned that your customers could be the victim of phishing attacks that use fake bank Web sites. Which of the following would protect against this?

a. Mutual authentication
b. Two factor authentication
c. Three factor authentication
d. MAC

Explanation: Answer option A is correct.

In mutual authentication, not only does the server (in this case, the bank's Web server) authenticate the client, but the client authenticates the server.

7. Q: Which of the following statements are true about a phishing attack?

a. It is a way of attempting to obtain sensitive information, such as usernames, passwords, and credit card details.
b. It is usually carried out by e-mail spoofing or instant messaging.
c. It frequently directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
d. In a phishing attack, an attacker sends multiple SYN packets to the target computer.

Explanation: Answer options A, B, and C are correct.

Q: Which of the following is a technique through which an attacker changes the format of URLs so that they can bypass filters or other application defenses that have been put in place to block specific IP addresses?

a. URL obfuscation
b. Reverse social engineering
c. Dumpster diving
d. Shoulder surfing

Explanation: Answer option A is correct.

Q: Into which two primary categories can all social engineering attacks be divided?

a. Human-based and computer-based attacks
b. Fear-based and persuasion-based attacks
c. Phishing-based and spear-phishing based attacks
d. Insider-based attacks and outsider-based attacks

Explanation: Answer option A is correct.

Q: A social engineer is someone who uses deception, persuasion, and influence to get information that would otherwise be unavailable. Please order as per sequence the general methodology used by a hacker to complete a social engineering attack.

a. Select victim, Research, Develop relationship, Exploit relationship
b. Research, Develop relationship, Select victim, Exploit relationship
c. Research, Select victim, Develop relationship, Exploit relationship
d. Select victim, Develop relationship, Research, Exploit relationship

Explanation: Answer option C is correct.

5. Q: What are some of the possible countermeasures for social engineering attacks?

Each correct answer represents a complete solution. Choose all that apply.

a. Use relevant firewalls and updated tools.
b. Enforce appropriate security policies.
c. Have an open-minded corporate culture.
d. Implement relevant security training and awareness methods.

Explanation: Answer option B is correct.

Appropriate security policies around passwords, auditability, separation of duties and accountability will make the employees less susceptible to social engineering attacks. Specify that the service desk is the single point of contact for reporting user issues.

1. Q: In which of the following DoS attacks does an attacker send an ICMP packet larger than 65,536 bytes to the target system?

a. Jolt
b. Ping of death
c. Teardrop
d. Fraggle

Explanation: Answer option B is correct.

In the ping of death attack, the attacker sends an ICMP packet larger than 65,536 bytes.

Answer option C is incorrect. In a teardrop attack, a series of data packets are sent to the target system with overlapping offset field values. As a result, the target system is unable to reassemble these packets and is forced to crash, hang, or reboot.

Answer option D is incorrect. In a fraggle DoS attack, an attacker sends a large amount of UDP echo request traffic to the IP broadcast addresses. These UDP requests have a spoofed source address of the intended victim.

Q: Maria works as a professional Ethical Hacker. She has been assigned a project to test the security of www.we-are-secure.com. She wants to test a DoS attack on the We-are-secure server. She finds that the firewall of the server is blocking the ICMP messages, but it is not checking the UDP packets. Therefore, she sends a large amount of UDP echo request traffic to the IP broadcast addresses. These UDP requests have a spoofed source address of the We-are-secure server. Which of the following DoS attacks is Maria using to accomplish her task?

a. Fraggle DoS attack
b. Smurf DoS attack
c. Ping flood attack
d. Teardrop attack

Explanation: Answer option A is correct.

A honeypot is a computer that is used to attract potential intruders or attackers. It is for this reason that a honeypot has low security permissions. A honeypot is used to gain information about the intruders and their attack strategies.

2. Q: John works as a professional Ethical Hacker. He has been assigned the project of

testing the security of www.we-are-secure.com. He is using the TFN and Trin00 tools

to test the security of the We-are-secure server, so that he can check whether the

server is vulnerable or not. Using these tools, which of the following attacks can John

perform to test the security of the We-are-secure server?

e. DDoS attack

f. Replay attack

g. Brute force attack

h. Cross site scripting attack

Explanation: Answer option E is correct.

DDoS attack

In a distributed denial-of-service (DDoS) attack, the attacker uses multiple computers throughout the network that he has previously infected. Such computers act as zombies and work together to send out bogus messages, thereby increasing the amount of phony traffic. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and the behavior of each attack machine can be stealthier, making it harder to track down and shut down. TFN, Trin00, etc. are tools used for DDoS attacks.

4. Q: In which of the following attacks does an attacker send a spoofed TCP SYN packet

in which the IP address of the target is filled in both source and destination fields?

a. Land attack

b. Jolt DoS attack

c. Smurf DoS attack

d. Fraggle DoS attack

Explanation: Answer option A is correct.

In a land attack, the attacker sends the spoofed TCP SYN packet in which the IP address of the

target host is filled in both the source and destination fields.

Q: Which of the following can be applied as countermeasures against DDoS attacks?

Each correct answer represents a complete solution. Choose all that apply.

a. Using Intrusion detection systems

b. Limiting the amount of network bandwidth

c. Using network-ingress filtering

d. Blocking the IP address

e. Using LM hashes for passwords

Explanation: Answer options A, B, C, and D are correct.

The techniques to prevent DDoS attacks are as follows:

Applying router filtering

Blocking undesired IP addresses

Permitting network access only to desired traffic

Disabling unneeded network services

Updating antivirus software regularly

Establishing and maintaining appropriate password policies, especially for access to highly

privileged accounts such as UNIX root or Microsoft Windows NT Administrator

Limiting the amount of network bandwidth

Using network-ingress filtering

Using automated network-tracing tools

5. Q: John works as a professional Ethical Hacker. He has been assigned the project of

testing the security of www.we-are-secure.com. He observes that the We-are-secure

server is vulnerable to a special type of DoS attack and he makes the following

suggestions to the security authority to protect the server from this DoS attack. The

countermeasures against this type of DoS attack are as follows:

Disabling IP-directed broadcasts at the We-are-secure router

Configuring local computers so as not to respond to such ICMP packets that are configured to

be sent to IP broadcast addresses

Which of the following DoS attacks has John discovered as a vulnerability for the We-are-secure

security network?

a. Teardrop attack

b. Smurf attack

c. Fraggle attack

d. Jolt attack

Explanation: Answer option B is correct.

According to the countermeasures, John has discovered that the We-are-secure server is vulnerable

to a smurf DoS attack. In a smurf DoS attack, the attacker sends a large amount of ICMP echo

request traffic to the IP broadcast addresses. These ICMP requests have a spoofed source address

of the intended victim.

6. Q: Which of the following are malicious activities performed by a bot/botnet?

Each correct answer represents a complete solution. Choose three.

a. It can work as spambots that harvest email addresses from contact forms or

guestbook pages.

b. It can be a malicious downloader program that sucks bandwidth by downloading

entire Web sites.

c. It can work as a virus or as a worm.

d. It can detect honeypots.

Explanation: Answer options A, B, and C are correct.

A malicious bot is automated software that is used for various unethical activities. A bot/botnet can

be used to perform any or all of the following malicious activities:

It can work as spambots, which harvest email addresses from contact forms or guestbook

pages.

It can be a malicious downloader program that sucks bandwidth by downloading entire Web

sites.

It can be Web site scrapers that grab the content of Web sites and re-use it without permission

on automatically generated doorway pages.

It can work as a virus or as a worm.

It can perform DDoS attacks.

It can be malicious File-name modifiers on peer-to-peer file-sharing networks. These change the

names of files (often containing malware) to match user search queries.

A bot is a type of malware that allows an attacker to take control of an infected computer; bots are also known as Web robots. A botnet is a network of such infected machines, typically made up of victim machines spread across the globe.

7. Q: As part of a forensic investigation done on a hacked network, the investigator

discovered that the password of the administrator account had been discovered

locally, despite preventative measures like anti-virus and anti-spyware software being

installed on the domain controller servers. What technique did the attacker possibly

use?

a. Stealth anonymizer

b. Hardware keylogger

c. SNMP community strings

d. SMB signing

Explanation: Answer option B is correct.

A hardware keylogger cannot be detected by anti-virus or anti-spyware products, because it is a physical device rather than software running on the host.

Q: You suspect that your server is being subjected to SYN flooding attacks, as the server is becoming unresponsive and the listen queue is filling up very quickly. This attack works by filling up the table reserved for half-open TCP connections in the operating system's TCP/IP stack. In a three-way TCP handshake, which missing step is contributing to this attack?

a. SYN

b. SYN-ACK

c. ACK-SYN

d. ACK

Explanation: Answer option D is correct.

1. Q: Which of the following are methods to prevent session hijacking?

Each correct answer represents a complete solution. Choose all that apply.

a. Regenerating the session id after a successful login

b. Using a short straight number or string as the session key

c. Encrypting data passed between the parties, in particular the session key

d. Changing the value of the cookie with each and every request

Explanation: Answer options A, C, and D are correct.

Following are the methods to prevent session hijacking:

Use a long random number or string as the session key. This reduces the risk that an attacker

could simply guess a valid session key through trial and error or brute force attacks.

Regenerate the session id after a successful login. This prevents session fixation because the

attacker does not know the session id of the user after he has logged in.

Encrypt the data passed between the parties, in particular the session key. This technique is

widely relied-upon by Web-based banks and other e-commerce services, because it completely

prevents sniffing-style attacks. However, it could still be possible to perform some other kind of

session hijack.

Some services make secondary checks against the identity of the user. For example, a Web

server could check with each request made that the IP address of the user matched the one last

used during that session. This does not prevent attacks by somebody who shares the same IP

address, however, and could be frustrating for users whose IP address is liable to change during

a browsing session.

Alternatively, some services will change the value of the cookie with each and every request.

This dramatically reduces the window in which an attacker can operate and makes it easy to

identify whether an attack has taken place, but can cause other technical problems (for example,

preventing the back button from working properly on the Web).
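The controls in the list above (a long random session key, regenerating the id at login, and a bounded lifetime) can be seen working together in a few lines of code. The following Python session store is an added example written for this guide; it is not code from the CEH material or from any particular web framework, and the SessionStore class and fixation_attempt_fails function are hypothetical names chosen here.

```python
import secrets
import time

# 32 random bytes = 256 bits; token_urlsafe encodes this as a 43-character string.
# A short or sequential id (the "short straight number" in option b) can be guessed.
SESSION_ID_BYTES = 32


class SessionStore:
    """In-memory session store (hypothetical; for illustration only) that applies
    three of the controls listed above: long random session keys, regeneration of
    the session id at login, and a bounded session lifetime."""

    def __init__(self, max_age_seconds=900):
        self._sessions = {}            # session id -> {"user": ..., "created": ...}
        self.max_age = max_age_seconds

    def _new_id(self):
        return secrets.token_urlsafe(SESSION_ID_BYTES)   # CSPRNG, not random.random()

    def create(self):
        """Start an anonymous (pre-login) session and return its id."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def get(self, sid):
        """Return the session data, or None if the id is unknown or has expired."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        if time.time() - data["created"] > self.max_age:
            del self._sessions[sid]    # expired: shrinks the window for a stolen id
            return None
        return data

    def login(self, presented_sid, username):
        """Bind the session to the user under a fresh id. The id that was
        presented before login is discarded, so an id planted by an attacker
        (session fixation) never becomes an authenticated session."""
        self._sessions.pop(presented_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": username, "created": time.time()}
        return sid


def fixation_attempt_fails(store):
    """Simulate a fixation attempt: the attacker obtains a pre-login id, the
    victim logs in while carrying that id, and the attacker then replays it.
    Returns True when the planted id is dead and only the regenerated id
    carries the login."""
    planted = store.create()                     # id the attacker knows
    victim_sid = store.login(planted, "alice")   # victim logs in with the planted id
    attacker_view = store.get(planted)           # attacker replays the planted id
    victim_view = store.get(victim_sid)
    return (attacker_view is None
            and victim_view is not None
            and victim_view["user"] == "alice"
            and victim_sid != planted)


if __name__ == "__main__":
    print("fixation blocked:", fixation_attempt_fails(SessionStore()))
```

The pop in login() is the whole fixation defence: whatever id the browser presented before authentication stops resolving the moment a user logs in, so it does not matter who chose it.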

1. Q: You are in the process of recommending mitigations against possible session hijacking threats. You advise the development team to use a long random number as the session key. Which session hijacking attack are you trying to mitigate?

a. Brute force

b. Misdirected Trust

c. Blind Hijacking

d. IP Spoofing

Explanation: Answer option A is correct.

2. Q: John works as a professional Ethical Hacker. He has been assigned the project of testing

the security of www.we-are-secure.com. John notices that the We-are-secure network is

vulnerable to the man-in-the-middle attack since the key exchange process of the

cryptographic algorithm does not authenticate participants. Which cryptographic algorithm is

being used by the We-are-secure server?

a. RSA

b. Diffie-Hellman

c. Blowfish

d. Twofish

Explanation: Answer option B is correct.

Diffie-Hellman is a key agreement protocol. On its own it does not authenticate the participants in the exchange, which is why an unauthenticated Diffie-Hellman exchange is exposed to a man-in-the-middle attack.

Cryptography

Cryptography is the technique of encrypting and decrypting messages. When text is encrypted, it is unreadable by humans; when it is decrypted, it is readable again. The terms used in cryptography are as follows:

Plaintext: The original text, which can be read by a user.

Ciphertext: Text that has been converted into a non-readable format.

Encryption: The process of creating ciphertext from plaintext.

Decryption: The process of converting ciphertext back to plaintext.

Cipher: An algorithm that is used to encrypt and decrypt text.

Key: The secret value supplied to the cipher that controls how the text is encrypted and decrypted.

Q: Which type of attack is the Man in the middle attack?

e. Active

f. Passive

g. Both active and passive

h. Neither active nor passive.

Explanation: Answer option E is correct.

Q: Which of the following can be used to perform session hijacking?

Each correct answer represents a complete solution. Choose all that apply.

i. Session fixation

j. Session sidejacking

k. Cross-site scripting

l. ARP spoofing

Explanation: Answer options A, B, and C are correct.

3. Q: Which of the following types of attack techniques forces a user's session ID to an explicit

value?

a. Session Fixation attack

b. FMS attack

c. Zero-day attack

d. Max Age attack

Explanation: Answer option A is correct.

Q: In this particular mode of hijacking, the authentication check is performed only when the session

is open. A hijacker who successfully launches this attack is able to take control of the connection

throughout the duration of the session. If an attacker is able to steal the session cookie, he can

pretend to be the same user, or hijack the session during its lifetime. What countermeasures can the

developer implement to prevent this kind of hijacking?

Each correct answer represents a complete solution. Choose two.

a. Ignore or report unknown or suspicious links forwarded through mails or IM's.

b. Clear cookie after browser session is closed.

c. Reduce the life span of a session or a cookie.

d. Regenerate the session id after a successful login.

Explanation: Answer option C is correct.

Reducing the lifespan of a session or cookie increases security, although the expiration of the cookie after a certain time will interrupt application usage.

Q: You have been tasked with finding vulnerabilities in a web application. You run a sniffer, try to predict the session ID number, and then try to establish a connection impersonating another user. What vulnerability are you checking for?

a. Session hijacking

b. Cross site scripting

c. SQL injection

d. Insecure direct object reference

Explanation: Answer option A is correct.

4. Q: Which of the following consists of exploiting insufficient security validation/sanitization of

user-supplied input file names?

a. Directory traversal

b. Dictionary

c. Hybrid

d. Smart Force

Explanation: Answer option A is correct

Directory traversal (or path traversal) is an attack technique that exploits insufficient security validation/sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.

Q: Jack was provided a pre-installed Apache server. The server came with default and sample files,

including applications, configuration files, scripts, and web pages. In addition, it also had content

management and remote administration services enabled. Debugging functions were enabled and

administrative functions were made accessible to anonymous users. When Jack's manager takes a

look at the server, what does he recommend?

a. Appreciate Jack's willingness to leave the default features enabled, so that the server

functionalities can be leveraged.

b. Alerts Jack that this opens up the possibility that server misconfiguration attacks

exploit configuration weaknesses found in web servers and application servers.

c. Runs a performance test on the server to check CPU utilization with default files and

passwords.

d. Gives a go ahead to deploy the server for production applications.

Explanation: Answer option B is correct.

Q: Jill is a senior developer who is aware of security threats. She writes her code so that when a malicious user makes a URI request for a file/directory, it builds the full path to the file/directory if it exists and normalizes all characters (e.g., %20 converted to spaces). Which web application vulnerability is Jill securing the application against?

a. SQL injection

b. Cross site scripting

c. Security misconfiguration

d. Directory traversal attacks

Explanation: Answer option D is correct.

Q: You are trying to test your webserver security and try navigating to web pages such as

http://target.tgt/../../etc/password or http://target.tgt/../../etc/shadown in an effort to pull the files

containing user accounts and hashed passwords. What kind of attack are you initially performing?

a. Rainbow table attack

b. Brute force attack

c. Dictionary-based attack

d. Directory traversal attack

Explanation: Answer option D is correct.
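The three directory traversal questions above (the definition, Jill's "build the full path and normalize" defence, and the ../../etc requests) describe one check. The Python helper below is an added example for this guide, not code from the CEH material or from any web server: resolve_under_root and is_safe_request are hypothetical names, and the web root /var/www used in the demo is a constructed path that need not exist on disk.

```python
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the web root."""


def resolve_under_root(web_root, requested_path):
    """Map a URI path to a filesystem path and refuse anything that escapes web_root.

    The steps mirror the defence described above: decode percent-encoding, build
    the full path, normalize it, and only then decide whether to serve it.
    (Hypothetical helper written for this example; web_root need not exist.)"""
    decoded = unquote(requested_path)            # %2e%2e%2f -> ../ , %20 -> space
    if "%" in decoded:
        # A '%' surviving one decode usually means double encoding (%252e -> %2e).
        # Conservative choice: reject rather than decode again and again.
        raise PathTraversalError("double-encoded input rejected: %r" % requested_path)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")        # truncates paths in C file APIs

    root = os.path.abspath(web_root)
    # Strip leading slashes so the request is joined under root, not treated as absolute.
    full = os.path.abspath(os.path.join(root, decoded.lstrip("/")))
    # abspath collapses '..' lexically. For files that exist, also compare
    # os.path.realpath() so a symlink inside the root cannot point outside it.
    if os.path.commonpath([root, full]) != root:
        raise PathTraversalError("escapes web root: %r -> %s" % (requested_path, full))
    return full


def is_safe_request(web_root, requested_path):
    """Boolean wrapper, convenient for logging decisions or for tests."""
    try:
        resolve_under_root(web_root, requested_path)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    for req in ("docs/guide%20v2.txt", "../../etc/passwd", "%2e%2e/%2e%2e/etc/shadow"):
        verdict = "served" if is_safe_request("/var/www", req) else "REJECTED"
        print("%-32s -> %s" % (req, verdict))
```

Note the order: decode first, then join and normalize, then compare against the root. Comparing before decoding is the classic mistake, because "%2e%2e" contains no literal dots for a naive filter to see.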

Q: You have come to know that your online store page has changed. However, you have not

performed any Website update. Which of the following attacks can be the cause of this?

e. Session hijacking

f. DoS

g. DNS cache poisoning

h. Social engineering

Explanation: Answer option G is correct.

This situation is caused by a DNS cache poisoning attack. DNS cache poisoning is a maliciously

created or unintended situation that provides data to a caching name server that did not originate

from authoritative Domain Name System (DNS) sources.

Q: Mark is hardening his application so that user-supplied parameters placed into HTTP headers are checked for illegal characters such as carriage returns (%0d) and newlines (%0a). Which web vulnerability is Mark securing his application against?

a. SQL injection

b. HTTP response splitting attacks

c. Broken authentication and session management

d. Security misconfiguration

Explanation: Answer option B is correct.
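What Mark's check prevents is easiest to see by building the same redirect response with and without it. The Python functions below are an added example for this guide, not code from the CEH material or from any web framework; checked_header_value, redirect_headers_unchecked and redirect_headers_checked are hypothetical names, and the injected header X-Injected in the demo is a constructed, harmless marker.

```python
from urllib.parse import unquote

# Characters that must never appear in a header value: CR, LF and NUL.
FORBIDDEN_HEADER_CHARS = ("\r", "\n", "\x00")


class HeaderInjectionError(ValueError):
    """Raised when user input would inject a line break into a response header."""


def checked_header_value(value):
    """Validate a user-supplied value before it is placed in an HTTP header.

    Frameworks normally hand the application an already-decoded parameter; this
    helper decodes once more so that %0d / %0a (and %00) cannot slip through when
    the raw query string is used. Hypothetical helper written for this example."""
    decoded = unquote(value)
    if any(c in decoded for c in FORBIDDEN_HEADER_CHARS):
        raise HeaderInjectionError("CR/LF/NUL in header value: %r" % value)
    return decoded


def is_safe_header_value(value):
    try:
        checked_header_value(value)
        return True
    except HeaderInjectionError:
        return False


RESPONSE_TEMPLATE = "HTTP/1.1 302 Found\r\nLocation: %s\r\nContent-Length: 0\r\n\r\n"


def redirect_headers_unchecked(location):
    """The weak version: the parameter goes straight into the Location header."""
    return RESPONSE_TEMPLATE % unquote(location)


def redirect_headers_checked(location):
    """The hardened version: the same response, but the value is validated first."""
    return RESPONSE_TEMPLATE % checked_header_value(location)


def header_names(raw_response):
    """Return the header names a client would parse from the response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]              # drop the status line
    return [line.split(":", 1)[0] for line in lines if ":" in line]


if __name__ == "__main__":
    tampered = "/account%0d%0aX-Injected:%201"   # constructed input carrying CR LF
    print("unchecked:", header_names(redirect_headers_unchecked(tampered)))
    print("checked  :", is_safe_header_value(tampered))
```

The unchecked response parses as three headers instead of two: the CR LF pair inside the parameter ends the Location line and starts a new header that the attacker controls. Rejecting the request (rather than silently stripping the characters) also gives the operations team a log entry to alert on.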

5. Q: On which port is an SSH brute force attack usually executed and what is the purpose of

the attack?

a. On port 22 to try to do remote login to guess passwords on user accounts

b. On port 25 to send emails from the open port

c. On port 80 to send multiple TCP handshake attacks

d. On port 21 to check for ftp accounts

Explanation: Answer option A is correct.

Q: You are investigating SSH logs and notice different patterns of attack. In one instance, you see a single user ID tried with password1, password2, password3, etc. Another log file showed that instead of the password changing, the user ID was changed: a single password is picked and tried with userid1, userid2, userid3, etc. Quite a few IP addresses showed up in the different logs examined. The most common user IDs were root, admin, administrator, mysql, oracle, and nagios. What kind of attack are you seeing?

Each correct answer represents a complete solution. Choose two.

a. Replay attack

b. Bit flipping attack

c. Dictionary attack

d. Brute force attack

Explanation: Answer options C and D are correct.
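The two patterns in the question (many passwords against one user ID, and one password against many user IDs) can be told apart automatically from the failed-login lines. The Python below is an added example for this guide, not code from the CEH material or from any SIEM product: classify_sources is a hypothetical name, the log lines are constructed in the style of an OpenSSH auth log, and the source addresses are RFC 5737 documentation addresses rather than real hosts.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of an OpenSSH auth log; the IPs are
# documentation addresses (RFC 5737), not real sources.
SAMPLE_LOG = """\
Mar  3 02:10:01 bastion sshd[4011]: Failed password for root from 203.0.113.5 port 50210 ssh2
Mar  3 02:10:03 bastion sshd[4011]: Failed password for root from 203.0.113.5 port 50210 ssh2
Mar  3 02:10:05 bastion sshd[4011]: Failed password for root from 203.0.113.5 port 50210 ssh2
Mar  3 02:10:07 bastion sshd[4013]: Failed password for root from 203.0.113.5 port 50211 ssh2
Mar  3 02:10:09 bastion sshd[4013]: Failed password for root from 203.0.113.5 port 50211 ssh2
Mar  3 02:10:11 bastion sshd[4013]: Failed password for root from 203.0.113.5 port 50211 ssh2
Mar  3 02:12:40 bastion sshd[4020]: Failed password for root from 198.51.100.7 port 41822 ssh2
Mar  3 02:12:44 bastion sshd[4021]: Failed password for invalid user admin from 198.51.100.7 port 41823 ssh2
Mar  3 02:12:48 bastion sshd[4022]: Failed password for invalid user administrator from 198.51.100.7 port 41824 ssh2
Mar  3 02:12:52 bastion sshd[4023]: Failed password for invalid user mysql from 198.51.100.7 port 41825 ssh2
Mar  3 02:12:56 bastion sshd[4024]: Failed password for invalid user oracle from 198.51.100.7 port 41826 ssh2
Mar  3 02:13:00 bastion sshd[4025]: Failed password for invalid user nagios from 198.51.100.7 port 41827 ssh2
Mar  3 02:15:12 bastion sshd[4030]: Failed password for bob from 192.0.2.9 port 36000 ssh2
Mar  3 02:15:20 bastion sshd[4031]: Accepted password for bob from 192.0.2.9 port 36001 ssh2
"""

# "invalid user" is present when the account does not exist; the user name follows either way.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

ATTEMPT_THRESHOLD = 5   # failures from one source before we call it an attack


def classify_sources(log_text, threshold=ATTEMPT_THRESHOLD):
    """Group failed logins by source IP and label the guessing pattern.

    Returns {ip: {"attempts": n, "users": sorted list, "pattern": label}}."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))

    report = {}
    for ip, users in failures.items():
        distinct = sorted(set(users))
        if len(users) < threshold:
            pattern = "below threshold"
        elif len(distinct) == 1:
            # Same user id, many passwords: dictionary / brute-force guessing.
            pattern = "single-account guessing"
        elif len(distinct) == len(users):
            # As many user ids as attempts: one password tried across many ids.
            pattern = "user-id rotation (password spraying)"
        else:
            pattern = "mixed guessing"
        report[ip] = {"attempts": len(users), "users": distinct, "pattern": pattern}
    return report


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_LOG).items():
        print("%-15s %3d attempts  %-38s users=%s"
              % (ip, info["attempts"], info["pattern"], info["users"]))
```

The user-id rotation case matters operationally because per-account lockout thresholds never trigger on it (each account sees a single failure); the signal is the number of distinct user IDs per source address, which is what the report exposes.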

5. Q: Which of the following types of attacks occurs when an attacker successfully inserts an

intermediary program between two communicating hosts?

a. Denial-of-service attack

b. Password guessing attack

c. Dictionary attack

d. Man-in-the-middle attack

Explanation: Answer option D is correct.

Q: In which of the following processes would a DNS server return an incorrect IP address, diverting

traffic to another computer?

e. TCP FIN scanning

f. DNS poisoning

g. TCP SYN scanning

h. Snooping

Explanation: Answer option B is correct.

6. Q: Encrypted viruses use cryptographic techniques to avoid detection. Which of the following

statements are true of encrypted viruses?

Each correct answer represents a complete solution. Choose all that apply.

a. Encrypted viruses are quite similar to polymorphic viruses in their outward

appearance.

b. Each infected system has a virus with a different signature.

c. Encrypted viruses protect Internet clients from forged DNS data, such as DNS cache

poisoning.

d. Encrypted viruses facilitate slave DNS servers to transfer records from the master

server to a slave server.

Explanation: Answer options A and B are correct.

Q: Which of the following is designed to protect the Internet resolvers (clients) from forged DNS data

created by DNS cache poisoning?

e. Domain Name System Extension (DNSSEC)

f. Split-horizon DNS

g. Stub resolver

h. BINDER

Explanation: Answer option A is correct.

Domain Name System Security Extension (DNSSEC) was designed to protect Internet resolvers

(clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in

DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if

the information is identical (correct and complete) to the information on the authoritative DNS server.

What is DNSSEC?

Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force

(IETF) specifications for securing certain kinds of information provided by the Domain Name System

(DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to

DNS clients origin authentication of DNS data, authenticated denial of existence, and data integrity,

but not availability or confidentiality.

1. Q: Which of the following protocols is designed to secure a wireless network and can be

considered equivalent to the security of a wired network?

a. WPA2

b. WTLS

c. WEP

d. WAP

Explanation: Answer option A is correct.

WPA2 is an updated version of WPA. This standard is also known as IEEE 802.11i. WPA2 offers stronger protection for wireless networks than the WPA and WEP standards. It is also available as WPA2-PSK and WPA2-EAP for home and enterprise environments respectively.

Answer option B is incorrect. Wireless Transport Layer Security (WTLS) is a security layer of WAP which is specifically designed for a wireless environment. It provides privacy, data integrity, and authentication for client-server communications over a wireless network.

3. Q: A developer assigns the value of a watch as $500. A hacker alters the value of the watch

using an HTML Editor and changes it from $500 to $20. He submits the slightly altered

HTML page and concludes a transaction of the item. What kind of attack has the website

been subjected to?

a. Buffer overflow

b. Hidden field manipulation

c. Cross site scripting

d. SQL injection

Explanation: Answer option B is correct.

Sometimes developers working under tight timelines may take the help of hidden fields to store

information. Sensitive information should not be made available in the client code where a malicious

user can change it. In this case, even though the hidden fields are beyond the reach of usual users,

a curious hacker with the knowledge of programming can unearth the fields and data and exploit

them. Hidden field manipulation attacks can expose crucial business information of a website and

make the online store face huge losses.

Q: An attacker posts a message that contains malicious code to any newsgroup site. When another

user views this message, the browser interprets this code and executes it and, as a result, the

attacker takes control of the user's system. Which of the following attacks has the attacker

performed?

a. Cross-site scripting attack

b. Code injection attack

c. Replay attack

d. Buffer-overflow attack

Explanation: Answer option A is correct.

A cross-site scripting attack is one in which an attacker enters malicious data into a Website, which is then executed by the browsers of other users who view it.

Q: John works as a Network Security Administrator for uCertify Inc. An employee of the company

meets John and tells him that a few months ago, he had filled an online bank form for some account

related work. Today, when he revisits the same site, he finds that some of his personal information is

still being displayed on the web page. Which of the following types of cookies should John disable to

resolve the issue?

a. Persistent

b. Temporary

c. Session

d. Secure

Explanation: Answer option A is correct.

According to the scenario, John should disable persistent cookies. Persistent cookies are those that remain on a computer even when Internet Explorer is closed.

Q: You visit a malicious website soon after visiting your bank website. Your session on the previous

site might still be valid. The malicious website causes a form post to the previous website. Your

browser sends the authentication cookie back to that site and appears to be making a request on

your behalf, even though you did not authorize it. What kind of attack have you been exposed to?

a. CSRF attack

b. Stored cross site scripting attack

c. Reflected cross site scripting attack

d. Dom based cross-site scripting attack

Explanation: Answer option A is correct.

CSRF exploits the trust that a site has in a user's browser. The attack works by including a script in

a malicious site that accesses a site to which the user is known to have been authenticated. CSRF

exploits vulnerable web applications that perform actions based on input from trusted and

authenticated users without requiring the user to authorize the specific action.
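The standard countermeasure to what this explanation describes is to require something the forging site cannot supply: a per-session token that is embedded in the legitimate form rather than carried in a cookie. The Python below is an added example for this guide, not code from the CEH material or from any web framework; CsrfTokens, handle_transfer and demo are hypothetical names, and the session id and form values are constructed.

```python
import hmac
import secrets


class CsrfTokens:
    """Per-session synchronizer tokens (hypothetical store written for this example).

    The browser attaches the session cookie to any request, including one a
    malicious page forges. The token is not a cookie: it is embedded in the
    legitimate form, so a cross-site form post cannot include it."""

    def __init__(self):
        self._by_session = {}

    def issue(self, session_id):
        """Called when rendering a state-changing form; returns the token to embed."""
        token = secrets.token_hex(32)
        self._by_session[session_id] = token
        return token

    def verify(self, session_id, submitted):
        expected = self._by_session.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)   # constant-time comparison


def handle_transfer(tokens, session_id, form):
    """A state-changing POST handler. session_id comes from the cookie the
    browser sent automatically; the token must come from the form body.
    Returns (status, message)."""
    if not tokens.verify(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    amount = int(form["amount"])
    return 200, "transferred %d to %s" % (amount, form["to"])


def demo():
    """Legitimate form post vs. a forged cross-site post riding on the same cookie."""
    tokens = CsrfTokens()
    session = "sess-victim"                  # constructed session id carried by the cookie
    token = tokens.issue(session)            # rendered into the bank's own form
    legit = {"to": "alice", "amount": "50", "csrf_token": token}
    forged = {"to": "attacker", "amount": "5000"}   # the malicious page cannot read the token
    return handle_transfer(tokens, session, legit), handle_transfer(tokens, session, forged)


if __name__ == "__main__":
    print(demo())
```

Setting the session cookie with the SameSite attribute (Lax or Strict) is a second, independent layer: the browser then withholds the cookie from cross-site form posts, so even a handler that forgets the token check is not reached with the victim's session.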

Q: Which of the following is a proxy server for security testing of Web applications?

e. BURP

f. BlackWidow

g. cURL

h. Instant Source

Explanation: Answer option A is correct.

BURP: Burp Proxy is a proxy server for security testing of Web applications, which operates as

a man-in-the-middle between the browser and the target application.

4. Q: You have been invited as a web application security architect to recommend important

countermeasures to the development team that will protect web application against common

attacks. What is one of the most basic checks that you would recommend developers

implement in their code for malicious user entries?

a. Input validation

b. ESAPI locators

c. Security Misconfiguration

d. Randomizers

Explanation: Answer option A is correct.

A malicious user may enter scripts where data or numerical variables are expected. Input validation

can be done by sanitizing, encoding or replacing user inputs.

5. Q: You are an application security architect who is designing a defense in depth security for

common website vulnerabilities like cross-site scripting, SQL injection etc. You ensure that

secure coding practices are followed by developers and the network team deploys IDS/IPS

appliances. Personal firewalls and anti-virus systems are deployed. What else do you

configure to counter web application attacks?

a. Honeypot

b. Web application firewalls

c. VPN

d. RBAC

Explanation: Answer option B is correct.

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules

to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting

(XSS) and SQL Injection.

Answer option A is incorrect. A honeypot is a trap set to detect, deflect, or in some manner

counteract attempts at unauthorized use of information systems. Generally, it consists of a

computer, data, or a network site that appears to be part of a network, but is actually isolated and

monitored, and which seems to contain information or a resource of value to attackers.

Chapter 14

SQL Injection

1. Q: John works as a professional Ethical Hacker. He is assigned a project to test the security

of www.we-are-secure.com. He enters a single quote in the input field of the login page of

the We-are-secure Web site and receives the following error message:

Microsoft OLE DB Provider for ODBC Drivers error '0x80040E14'

This error message shows that the We-are-secure Website is vulnerable to __________.

a. An XSS attack

b. A Denial-of-Service attack

c. A buffer overflow

d. A SQL injection attack

Explanation: Answer option D is correct.

3. Q: You work as a Network Penetration tester in Secure Inc. Your company takes the projects

to test the security of various companies. Recently, Secure Inc. has assigned you a project

to test the security of a Web site. You go to the Web site login page and you run the

following SQL query:

SELECT email, passwd, login_id, full_name FROM members WHERE email = '[email protected]'; DROP TABLE members;--'

What task will the above SQL query perform?

a. Deletes the entire members table.

b. Deletes the rows of members table where email id is '[email protected]'

given.

c. Deletes the database in which members table resides.

d. Performs the XSS attacks.

Explanation: Answer option A is correct.

4. Q: Which of the following characters will you use to check whether an application is

vulnerable to a SQL injection attack?

a. Single quote (')

b. Double quote (")

c. Semi colon (;)

d. Dash (-)

Explanation: Answer option A is correct.

A single quote (') can be used to explore a SQL injection attack. A SQL injection attack is a process

in which an attacker tries to execute unauthorized SQL statements.

5. Q: The security department of a financial company has mandated that developers secure

applications against SQL injection. Developers must never allow client supplied data to

modify the syntax of the SQL statements. All SQL statements required by the applications

should be in stored procedures and kept on a database server. However, the organization is

worried about the increasing number of attacks, and asks you if any additional defensive

security scanning tools should be deployed. What would you recommend?

a. Acunetix

b. sqlninja

c. SQLIer

d. sqlmap

Explanation: Answer option A is correct.

Acunetix Web Vulnerability Scanner automatically checks web applications for SQL Injection,

XSS, and other web vulnerabilities.
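The three points made in this chapter so far (the single-quote probe that produces a database error, the stacked DROP TABLE query, and the mandate that client data must never modify the syntax of a SQL statement) come together in one comparison of a concatenated query with a parameterized one. The Python below is an added example for this guide, not code from the CEH material or from any product; it uses the standard sqlite3 module with an in-memory database, the members rows are constructed sample data, and lookup_vulnerable, lookup_safe, table_exists and probe_raises_error are hypothetical names.

```python
import sqlite3


def make_db():
    """Create an in-memory database with a members table of constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT);
        INSERT INTO members VALUES ('alice@example.com', 'hash1', 'alice', 'Alice Adams');
        INSERT INTO members VALUES ('bob@example.com',   'hash2', 'bob',   'Bob Brown');
    """)
    return conn


def lookup_vulnerable(conn, email):
    """The weak pattern: the input is concatenated into the SQL text, so a quote
    or ';' in it changes the statement. executescript() is used because, like the
    ODBC driver in the question, it will run stacked statements. Returns the SQL
    actually sent, so the effect of the input on the syntax can be inspected."""
    query = ("SELECT email, passwd, login_id, full_name FROM members "
             "WHERE email = '%s'" % email)
    conn.executescript(query)          # a lone quote makes this raise a database error
    return query


def lookup_safe(conn, email):
    """The hardened pattern: a parameterized query. The value is bound separately
    from the SQL text, so it can never alter the statement's syntax. Returns rows."""
    cur = conn.execute(
        "SELECT email, passwd, login_id, full_name FROM members WHERE email = ?",
        (email,))
    return cur.fetchall()


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)).fetchone()
    return row is not None


def probe_raises_error(conn, func, value="'"):
    """True if func(conn, value) fails with a database error, which is the symptom
    the question's single-quote test looks for."""
    try:
        func(conn, value)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    # Constructed input with the same shape as the query quoted above.
    payload = "x@example.com'; DROP TABLE members;--"
    conn = make_db()
    print("probe errors (vulnerable):", probe_raises_error(conn, lookup_vulnerable))
    print("probe errors (safe):      ", probe_raises_error(conn, lookup_safe))
    print("safe lookup of payload:   ", lookup_safe(conn, payload),
          "| table kept:", table_exists(conn, "members"))
    lookup_vulnerable(conn, payload)
    print("after vulnerable lookup, table kept:", table_exists(conn, "members"))
```

The parameterized version returns no rows for the payload because the whole string, quote and semicolon included, is compared against the email column as data; the same input handed to the concatenating version removes the table. Stored procedures called with bound parameters give the same guarantee, which is why the policy in the question requires them.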

6. Q: The Voyager worm is a computer worm that was posted on the Internet on October 31,

2005, and is designed to target Oracle databases. If activated, it will grant DBA to PUBLIC.

What methodology does the Voyager worm use to attack Oracle servers?

a. SQL Injection

b. Buffer Overflow

c. Code Injection attack

d. By using default accounts and passwords

Explanation: Answer option D is correct.

Chapter 15

Hacking Wireless Networks

1. Q: Every network device contains a unique built-in Media Access Control (MAC) address,

which is used to identify the authentic device to limit network access. Which of the following

addresses is a valid MAC address?

a. 1011-0011-1010-1110-1100-0001

b. A3-07-B9-E3-BC-F9

c. 132.298.1.23

d. F936.28A1.5BCD.DEFA

Explanation: Answer option B is correct.

The general format for writing MAC addresses is to use six groups of two hexadecimal digits, each separated by a hyphen (a colon is also commonly used as the separator).

Q: Which of the following wireless security features provides the best wireless security mechanism?

a. WEP

b. WPA with Pre Shared Key

c. WPA with 802.1X authentication

d. WAP

Explanation: Answer option C is correct.

WPA with 802.1X authentication provides the best wireless security mechanism. 802.1X

authentication, also known as WPA-Enterprise, is a security mechanism for wireless networks.

802.1X provides port-based authentication, which involves communications between a supplicant,

authenticator, and authentication server.

What is an Initialization Vector (IV)?

An initialization vector (IV) is a block of bits that is required to allow a stream cipher or a block cipher

to be executed in any of several streaming modes of operation to produce a unique stream

independent from other streams produced by the same encryption key, without having to go through

a re-keying process. The size of the IV depends on the encryption algorithm and on the

cryptographic protocol in use and is normally as large as the block size of the cipher or as large as

the encryption key. The IV must be known to the recipient of the encrypted information to be able to

decrypt it.

2. Q: Victor works as a professional Ethical Hacker for SecureEnet Inc. He wants to scan the

wireless network of the company. He uses a tool that is a free open-source utility for network

exploration. The tool uses raw IP packets to determine the following:

To determine what ports are open on network systems

To determine what hosts are available on the network

To identify unauthorized wireless access points

To determine what services (application name and version) those hosts are offering

To determine what operating systems (and OS versions) they are running

To determine what type of packet filters/firewalls are in use

Which of the following tools is Victor using?

a. Kismet

b. Nessus

c. Nmap

d. Sniffer

Explanation: Answer option C is correct.

Nmap is an active information gathering tool. The nmap utility, commonly described as a port scanner, is used to view the open ports on a host. It is used by administrators to determine which services are reachable by external users.

5. Q: Victor works as a network administrator for DataSecu Inc. He uses a dual firewall

Demilitarized Zone (DMZ) to insulate the rest of the network from the portions that are

available to the Internet. Which of the following security threats may occur if DMZ protocol

attacks are performed?

Each correct answer represents a complete solution. Choose three.

a. The attacker can gain access to the Web server in a DMZ and exploit the database.

b. The attacker can exploit any protocol used to go into the internal network or intranet

of the company.

c. The attacker can perform a Zero Day attack by delivering a malicious payload that is

not a part of the intrusion detection/prevention systems guarding the network.

d. The attacker managing to break the first firewall defense can access the internal

network without breaking the second firewall if it is different.

Explanation: Answer options A, B, and C are correct.

Q: Which of the following statements are true about SSIDs?

Each correct answer represents a complete solution. Choose three.

a. An SSID is used to identify a wireless network.

b. SSIDs are case insensitive text strings and have a maximum length of 64 characters.

c. All wireless devices on a wireless network must have the same SSID in order to

communicate with one another.

d. Configuring the same SSID as that of the other Wireless Access Points (WAPs) of

other networks will create a conflict.

Explanation: Answer options A, C, and D are correct.

SSID stands for Service Set Identifier. It is used to identify a wireless network. SSIDs are case

sensitive text strings and have a maximum length of 32 characters.

What is the main advantage that a network-based IDS/IPS system has over a host-based solution?

A. They will slow down the interfaces on the user's machine

B. They are easier to install and configure.

C. They do not use the host system's resources.

D. They are placed at the boundary

answer: C

Which security strategy requires using several, varying methods to protect IT systems

against attacks?

A. Data Loss Prevention

B. Overt channels

C. Three-way handshake

D. Defense in depth

answer: D

6. Q: Which of the following statements are true for WPA?

Each correct answer represents a complete solution. Choose all that apply.

a. WPA provides better security than WEP.

b. WPA-PSK requires that a user enter an 8-character to 63-character passphrase into

a wireless client.

c. WPA-PSK converts the passphrase into a 256-bit key.

d. Shared-key WPA is vulnerable to password cracking attacks if a weak passphrase is

used.

Explanation: Answer options A, B, C, and D are correct.

WPA stands for Wi-Fi Protected Access. It is a wireless security standard. It provides better security

than WEP (Wired Equivalent Privacy). Windows Vista supports both WPA-PSK and WPA-EAP.
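Added Python example (not part of the original guide) showing how WPA-PSK turns the passphrase of option b into the 256-bit key of option c. IEEE 802.11i defines the pre-shared key as PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as the salt, 4096 iterations and 32 bytes of output; the function names wpa_psk and passphrase_accepted are this example's own. Because the derivation is fixed and the SSID is public, the strength of the resulting key rests entirely on the passphrase, which is why option d holds.

```python
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key from a passphrase and the network SSID.

    IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The passphrase must be 8 to 63 printable ASCII characters (the range the question quotes).
    The standard's own test vector, passphrase "password" with SSID "IEEE", gives
    f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def passphrase_accepted(passphrase: str) -> bool:
    """True if the passphrase satisfies the WPA-PSK length and character rules."""
    try:
        wpa_psk(passphrase, "example")   # constructed SSID; only the validation matters here
        return True
    except ValueError:
        return False
```

Note that the same passphrase on two networks with different SSIDs produces two different keys, so the SSID acts as a per-network salt, but it is broadcast and offers no secrecy of its own.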

7. Q: You are concerned about attackers simply passing by your office, discovering your

wireless network, and getting into your network via the wireless connection. Which of the

following are NOT the steps involved in securing your wireless connection?

Each correct answer represents a complete solution. Choose two.

a. Using either WEP or WPA encryption

b. MAC filtering on the router

c. Hardening the server OS

d. Not broadcasting SSID

e. Using strong password policies on workstations

Explanation: Answer options C and E are correct.

Both hardening the server OS and using strong password policies on workstations are good ideas,

but neither has anything to do with securing your wireless connection.

Q: A Web developer with your company wants to have wireless access for contractors that come in

to work on various projects. The process of getting this approved takes time. So rather than wait, he

has put his own wireless router attached to one of the network ports in his department. What security

risk does this present?

a. None, adding a wireless access point is a common task and not a security risk.

b. It is likely to increase network traffic and slow down network performance.

c. An unauthorized WAP is one way for hackers to get into a network.

d. This circumvents network intrusion detection.

Explanation: Answer option C is correct.

What is WAP?

Wireless Access Point (WAP) is a communication device that is capable of both transmitting and

receiving signals in a wireless LAN. This unit is connected to servers or directly to a network and

other devices using a standard cabled network protocol.

Q: You are concerned about rogue wireless access points being connected to your network. What is

the best way to detect and prevent these?

a. Network anti-virus software

b. Network anti-spyware software

c. Site surveys

d. Protocol analyzers

Explanation: Answer option C is correct.

Q: You have detected what appears to be an unauthorized wireless access point on your network.

However, this access point has the same MAC address as one of your real access points and is

broadcasting with a stronger signal. What is this called?

a. The evil twin attack

b. Bluesnarfing

c. DOS

d. WAP cloning

Explanation: Answer option A is correct.

In the evil twin attack, a rogue wireless access point is set up that has the same MAC address as

one of your legitimate access points. That rogue WAP will often then initiate a denial of service

attack on your legitimate access point, making it unable to respond to users, so they are redirected

to the 'evil twin'.

Q: You are concerned about war driving bringing the hacker's attention to your wireless network.

What is the most basic step you can take to mitigate this risk?

a. Don't broadcast SSID

b. Implement WEP

c. Implement WPA

d. Implement MAC filtering

Explanation: Answer option A is correct.

Q: Which of the following statements are true about locating rogue access points using WLAN

discovery software such as NetStumbler, Kismet, or MacStumbler if you are using a Laptop

integrated with Wi-Fi compliant MiniPCI card?

Each correct answer represents a complete solution. Choose all that apply.

a. These tools cannot detect rogue access points if the victim is using data encryption.

b. These tools detect rogue access points if the victim is using IEEE 802.11 frequency

bands.

c. These tools can determine the rogue access point even when it is attached to a

wired network.

d. These tools can determine the authorization status of an access point.

Explanation: Answer options B and D are correct.

Q: Which of the following tools monitors the radio spectrum for the presence of unauthorized,

rogue access points and the use of wireless attack tools?

a. WIPS

b. IDS

c. Snort

d. Firewall

Explanation: Answer option A is correct.

Wireless intrusion prevention system (WIPS) monitors the radio spectrum for the presence of

unauthorized, rogue access points and the use of wireless attack tools. The system monitors the

radio spectrum used by wireless LANs, and immediately alerts a systems administrator whenever a

rogue access point is detected.

Q: You work as an Administrator for Bluesky Inc. The company has 145 Windows XP Professional

client computers and eighty Windows 2003 Server computers. You want to install a security layer of

WAP specifically designed for a wireless environment. You also want to ensure that the security

layer provides privacy, data integrity, and authentication for client-server communications over a

wireless network. Moreover, you want a client and server to be authenticated so that wireless

transactions remain secure and the connection is encrypted. Which of the following options will you

use to accomplish the task?

a. Wireless Transport Layer Security (WTLS)

b. Recovery Console

c. Wired Equivalent Privacy (WEP)

d. Virtual Private Network (VPN)

Explanation: Answer option A is correct.

Wireless Transport Layer Security (WTLS) is a security layer of WAP which is specifically

designed for a wireless environment. It provides privacy, data integrity, and authentication for client-

server communications over a wireless network.

Q: Ryan wants to create an ad hoc wireless network so that he can share some important files with

another employee of his company. Which of the following wireless security protocols should he

choose for setting up an ad hoc wireless network?

Each correct answer represents a complete solution. Choose two.

e. WEP

f. WPA2 -EAP

g. WPA-PSK

h. WPA-EAP

Explanation: Answer options E and G are correct.

6. Q: An executive in your company reports odd behavior on her PDA. After investigation, you

discover that a trusted device is actually copying data of the PDA. The executive tells you

that the behavior started shortly after accepting an e-business card from an unknown person.

What type of attack is this?

a. Bluesnarfing

b. PDA hijacking

c. Session hijacking

d. Privilege escalation

Explanation: Answer option A is correct.

Bluesnarfing is a rare attack in which an attacker takes control of a Bluetooth-enabled device. One

way to do this is to get your PDA to accept the attacker's device as a trusted device.

7. Q: One of the sales people in your company complains that sometimes he gets a lot of

unsolicited messages on his PDA. After asking a few questions, you determine that the issue

only occurs in crowded areas such as airports. What is the most likely problem?

a. Bluesnarfing

b. Bluejacking

c. A virus

d. Spam

Explanation: Answer option B is correct.

Bluejacking is the process of using another Bluetooth device that is within range (about 30' or less)

and sending unsolicited messages to the target.

Q: Mark works as a project engineer in Tech Perfect Inc. His office is configured with Windows XP-

based computers. The computer that he uses is not configured with a default gateway. He is able to

access the Internet, but is not able to use e-mail services via the Internet. However, he is able to

access e-mail services via the intranet of the company. Which of the following could be the reason for

his not being able to access e-mail services via the Internet?

a. Protocols other than TCP/IP

b. IP packet filter

c. Router

d. Proxy server

Explanation: Answer option D is correct.

A proxy server exists between a client's Web-browsing program and a real Internet server.

1. Q: When no anomaly is present in an Intrusion Detection, but an alarm is generated, the

response is known as __________.

a. False positive

b. False negative

c. True positive

d. True negative

Explanation: Answer option A is correct.

The following are the types of responses generated by an IDS:

1. True Positive: A valid anomaly is detected, and an alarm is generated.

2. True Negative: No anomaly is present, and no alarm is generated.

3. False Positive: No anomaly is present, but an alarm is generated. This is the worst case

scenario. If any IDS generates a false positive response at a high rate, the IDS is ignored and

not used.

4. False Negative: A valid anomaly is present, and no alarm is generated.
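Added Python example (not part of the original guide) that puts the four response types to work: a toy signature-based detector is run over a handful of constructed web-server log lines that carry a ground-truth label, each outcome is classified as a true/false positive/negative, and the false positive rate is computed, since a high rate is what the explanation says gets an IDS ignored. The signature names, the log lines and the function names detect, classify, evaluate and false_positive_rate are all constructed for this illustration.

```python
import re
from collections import Counter
from typing import Optional

# Constructed signatures for a toy signature-based IDS over web-server request logs.
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
    "windows_shell": re.compile(r"cmd\.exe", re.IGNORECASE),
}

# Constructed sample log lines with ground truth: True means a real attack is present.
SAMPLE_LOG = [
    ("GET /index.html HTTP/1.1", False),
    ("GET /login?user=admin' OR 1=1-- HTTP/1.1", True),
    ("GET /download?file=../../etc/passwd HTTP/1.1", True),
    ("GET /static/../css/site.css HTTP/1.1", False),       # harmless relative path that trips a signature
    ("POST /upload?name=quarterly-report.docx HTTP/1.1", False),
    ("GET /search?q=%3Cscript%3E HTTP/1.1", True),         # encoded payload with no matching signature
]


def detect(line: str) -> Optional[str]:
    """Return the name of the first matching signature, or None if no alarm is raised."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(line):
            return name
    return None


def classify(alarm: bool, anomaly_present: bool) -> str:
    """Map (alarm raised?, anomaly really present?) onto the four IDS response types."""
    if anomaly_present and alarm:
        return "true positive"
    if not anomaly_present and not alarm:
        return "true negative"
    if alarm:
        return "false positive"
    return "false negative"


def evaluate(log=SAMPLE_LOG) -> Counter:
    """Count how many of each response type the detector produces on the labelled log."""
    return Counter(classify(detect(line) is not None, present) for line, present in log)


def false_positive_rate(counts: Counter) -> float:
    """Share of benign events that raised an alarm; a high value is what gets an IDS ignored."""
    benign = counts["false positive"] + counts["true negative"]
    return counts["false positive"] / benign if benign else 0.0
```

On the sample log the detector scores two true positives, two true negatives, one false positive (the benign relative path) and one false negative (the URL-encoded payload no signature covers), so a third of the benign traffic would page an analyst.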

2. Q: Host-based IDS (HIDS) is an Intrusion Detection System that runs on the system to

be monitored. HIDS monitors only the data that is directed to, or originates from, the

system on which HIDS is installed. Besides monitoring network traffic for detecting

attacks, it can also monitor other parameters of the system such as running

processes, file system access and integrity, and user logins for identifying malicious

activities. Which of the following tools are examples of HIDS?

Each correct answer represents a complete solution. Choose all that apply.

a. Tripwire

b. BlackIce Defender

c. HPing

d. Legion

Explanation: Answer options A and B are correct.

Tripwire and BlackIce Defender are examples of HIDS. Tripwire is a HIDS tool that automatically

calculates the cryptographic hashes of all system files as well as any other files that a Network

Administrator wants to monitor for modifications. It then periodically scans all monitored files and

recalculates the hashes to see whether the files have been modified.

Q: You work as a Network Administrator for Tech2tech Inc. You have configured a network-

based IDS for your company. You have physically installed sensors at all key positions

throughout the network such that they all report to the command console. What will be the

key functions of the sensors in such a physical layout?

Each correct answer represents a complete solution. Choose all that apply.

a. To analyze for known signatures

b. To collect data from operating system logs

c. To collect data from Web servers

d. To notify the console with an alert if any intrusion is detected

Explanation: Answer options A and D are correct.

In a network-based IDS, when sensors are installed at key positions throughout the network, they

work as full detection engines. In such a case, they have the ability to sniff packets, analyze them

for known signatures, and notify the console as soon as an intrusion is detected.

Q: You work as a Network Administrator for Tech Perfect Inc. The company has a TCP/IP-

based routed network. You have recently come to know about the Slammer worm, which

attacked computers in 2003 and doubled the number of infected hosts every 9 seconds or so.

Slammer infected 75000 hosts in the first 10 minutes of the attack. To mitigate such security

threats, you want to configure security tools on the network. Which of the following tools will

you use?

a. Intrusion Detection Systems

b. Intrusion Prevention Systems

c. Anti-x

d. Firewall

Explanation: Answer option B is correct.

Intrusion Prevention System (IPS) is a tool that is used to prevent sophisticated attacks on the

network. The IPS tool detects such attacks by keeping an eye on the trends, looking for attacks that

use particular patterns of messages, and other factors.

6. Q: John works as a Network Security Administrator for uCertify Inc. He has been

assigned the task of installing a MySQL server. John wants to monitor only the data

that is directed to or originating from the server. He also wants to monitor running

processes, file system access and integrity, and user logins for identifying malicious

activities. Which of the following intrusion detection techniques will John use to

accomplish the task?

a. Host-based

b. Network-based

c. Anomaly-based

d. Signature-based

Explanation: Answer option A is correct.

A host-based IDS (HIDS) is an Intrusion Detection System that runs on the system that is to be

monitored. HIDS monitors only the data that is directed to or originating from the system on which

HIDS is installed. Besides relying on network traffic for detecting attacks,

Q: Adam works as a Security Analyst for Umbrella Inc. He is retrieving a large amount

of log data from various resources such as Apache log files, IIS logs, streaming

servers, and some FTP servers. He is facing difficulties in analyzing the logs that he

has retrieved. To solve this problem, Adam decides to use the AWStats application.

Which of the following statements are true of AWStats?

Each correct answer represents a complete solution. Choose all that apply.

a. It generates advanced Web, streaming, or mail server statistics graphically.

b. It works only as a CGI and shows all possible information contained in the log.

c. It can analyze log files from server tools such as Apache log files, WebStar, IIS and other

Web, proxy, and some ftp servers.

d. It can work with all Web hosting providers, which allow Perl, CGI, and log access.

Explanation: Answer options A, C, and D are correct.

AWStats is a free, powerful tool used to generate Web, streaming, and mail server statistics

graphically. It works as a CGI or from the command line. AWStats shows all possible information

contained in a log. It can analyze log files from almost all server tools such as Apache log files,

WebStar, IIS (W3C log format) and various other Web, proxy, wap, streaming servers, mail servers

and some ftp servers. AWStats can work with all Web hosting providers, which allow Perl, CGI and

log access.

Answer option B is incorrect. AWStats works as a CGI or from command line.

Reference: EC-Council Certified Security Analyst Course Manual, Contents: "Log Analysis"

7. Q: You work as a Network Administrator for NetTech Inc. Employees in remote

locations connect to the company's network using Remote Access Service (RAS).

Which of the following will you use to pass or block packets from specific IP

addresses and ports?

a. Firewall

b. Bridge

c. Gateway

d. Antivirus software

Explanation: Answer option A is correct.

A firewall is a tool to provide security to a network. It is used to protect an internal network or

intranet against unauthorized access from the Internet or other outside networks. It restricts inbound

and outbound access and can analyze all traffic between an internal network and the Internet. Users

can configure a firewall to pass or block packets from specific IP addresses and ports. An

administrator can configure the following settings for a firewall:

Q: Which of the following statements about packet filtering is true?

a. It allows or restricts the flow of specific types of packets to provide security.

b. It is used to send confidential data on the public network.

c. It allows or restricts the flow of encrypted packets to provide security.

d. It is used to store information about confidential data.

Explanation: Answer option A is correct.

Packet filtering is a method that allows or restricts the flow of specific types of packets to provide

security. It analyzes the incoming and outgoing packets and lets them pass or stops them at a

network interface based on the source and destination addresses, ports, or protocols.
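Added Python example (not part of the original guide) of the packet-filtering logic the explanation describes: a rule is a tuple of source network, destination network, protocol and destination port, rules are evaluated top to bottom, the first match decides, and anything unmatched is dropped. It also shows the classic ordering mistake, a broad allow placed above a specific deny, so the deny can never fire. The Packet and Rule classes, the rule sets, the addresses (documentation ranges) and the helper unexercised_rules are all constructed for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network in CIDR form
    dst: str = "0.0.0.0/0"       # destination network in CIDR form
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Evaluate rules top to bottom; the first match decides, and an unmatched packet is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed rule set for a DMZ web server at 203.0.113.10: HTTP/HTTPS from anywhere,
# SSH only from the admin subnet 192.0.2.0/24, and everything else dropped by default.
DMZ_RULES = [
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("allow", src="192.0.2.0/24", dst="203.0.113.10/32", proto="tcp", dport=22),
]

# The same server with a common mistake: a broad allow placed above the specific deny,
# so the deny for telnet (tcp/23) can never be reached.
MISORDERED_RULES = [
    Rule("allow", dst="203.0.113.10/32", proto="tcp"),
    Rule("deny", dst="203.0.113.10/32", proto="tcp", dport=23),
]


def unexercised_rules(rules: List[Rule], samples: List[Packet]) -> List[int]:
    """Indexes of rules that never win on any sample packet; a cheap check for ordering bugs."""
    winners = set()
    for p in samples:
        for i, rule in enumerate(rules):
            if rule.matches(p):
                winners.add(i)
                break
    return [i for i in range(len(rules)) if i not in winners]
```

Running representative packets through unexercised_rules is a quick review step: a deny rule that never wins on traffic it was written for is almost always shadowed by an earlier, broader allow.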

Q: Which of the following areas of a network contains DNS servers and Web servers for

Internet users?

a. VLAN

b. VPN

c. MMZ

d. DMZ

Explanation: Answer option D is correct.

The DMZ is an IP network segment that contains resources available to Internet users such as Web

servers, FTP servers, e-mail servers, and DNS servers. DMZ provides a large enterprise network or

corporate network the ability to use the Internet while still maintaining its security.

7. Q: Which of the following types of computers is used for attracting potential intruders?

a. Files pot

b. Honeypot

c. Bastion host

d. Data pot

Explanation: Answer option B is correct.

A honeypot is a computer that is used to attract potential intruders or attackers. It is for this reason

that a honeypot has low security permissions. A honeypot is used to gain information about

intruders and their attack strategies.

8. Q: Which of the following two cryptography methods are used by the NTFS

Encrypting File System (EFS) to encrypt data stored on a disk on a file-by-file basis?

Each correct answer represents a complete solution. Choose all that apply.

a. Public key

b. Twofish

c. RSA

d. Digital certificates

Explanation: Answer options A and D are correct.

EFS uses public key cryptography and digital certificates to encrypt data stored on a disk on a file-

by-file basis.

Q: Which of the following tools is based on Linux and used to carry out the Penetration

Testing?

a. Ettercap

b. JPlag

c. Vedit

d. BackTrack (now KALI)

Explanation: Answer option D is correct.

46. Q: You want to create a binary log file using tcpdump. Which of the following

commands will you use?

a. tcpdump -w

b. tcpdump -B

c. tcpdump -d

d. tcpdump -dd

Explanation: Answer option A is correct.

The term tcpdump refers to a common packet sniffer that runs under the command line.

54. Q: Which of the following protocols is used by Internet Relay Chat (IRC) for its proper

working?

a. TCP

b. ICMP

c. SMTP

d. IMAP

Explanation: Answer option A is correct.

Q: Adam works as a Network Administrator. He discovers that the wireless AP transmits 128

bytes of plaintext, and the station responds by encrypting the plaintext. It then transmits the

resulting ciphertext using the same key and cipher that are used by WEP to encrypt

subsequent network traffic. Which of the following types of authentication mechanism is

used here?

a. Single key authentication

b. Open system authentication

c. Pre-shared key authentication

d. Shared key authentication

Explanation: Answer option D is correct.

57. Q: Adam works as a professional Ethical Hacker. A project has been assigned to him

to test the security of www.adam-forgenet.com. He starts a port scan, which gives the

following result:

Scan directed at open port:

Client                                    Server
192.168.1.90:4079 -----FIN/URG/PSH-----> 192.168.1.120:23 (adam-forgenet.com)
192.168.1.90:4079 <----NO RESPONSE------ 192.168.1.120:23

Scan directed at the closed port:

Client                                    Server
192.168.1.90:4079 -----FIN/URG/PSH-----> 192.168.1.120:23
192.168.1.90:4079 <-----RST/ACK--------- 192.168.1.120:23

Which of the following types of scans is Adam implementing?

a. XMAS scan

b. SYN scan

c. RPC scan

d. IDLE scan

Explanation: Answer option A is correct.

59. Q: Adam works as a sales manager for Umbrella Inc. He wants to download software

from the Internet. As the software comes from a site in his untrusted zone, Adam

wants to ensure that the downloaded software has not been Trojaned. Which of the

following options would indicate the best course of action for Adam?

a. Compare the file's virus signature with the one published on the distribution.

b. Compare the file size of the software with the one given on the Website.

c. Compare the version of the software with the one published on the distribution

media.

d. Compare the file's MD5 signature with the one published on the distribution media.

Explanation: Answer option D is correct.

The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit

"fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to

produce two messages having the same message digest, or to produce any message having a

given pre-specified target message digest.

Q: Which of the following tools is described in the statement given below?

"It has a database containing signatures to be able to detect hundreds of vulnerabilities in UNIX,

Windows, and commonly used web CGI scripts. Moreover, the database detects DDoS zombies and

Trojans as well."

a. Nmap

b. Nessus

c. SARA

d. Anti-x

Explanation: Answer option B is correct.

Nessus is a proprietary, comprehensive vulnerability scanning product. It is free of charge for

personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on tested

systems. It is capable of checking various types of vulnerabilities, some of which are as follows:

63. Q: Which of the following attacks can be overcome by applying cryptography?

a. Buffer overflow

b. Sniffing

c. Web ripping

d. DoS

Explanation: Answer option B is correct.

where the hostlist.txt file contains the list of IP addresses and request.txt is the output file. Which of

the following tasks do you want to perform by running this script?

a. You want to perform banner grabbing to the hosts given in the IP address list.

b. You want to perform port scanning to the hosts given in the IP address list.

c. You want to put nmap in the listen mode to the hosts given in the IP address list.

d. You want to transfer the hostlist.txt file to the hosts given in the IP address list.

Explanation: Answer option A is correct.

Each correct answer represents a complete solution. Choose all that apply.

a. Firewall testing

b. Port scanning and service identification

c. Creating a Backdoor

d. Checking file integrity

Explanation: Answer options A, B, and C are correct.

NetCat can be used to perform various tasks, such as firewall testing, port scanning and service

identification, creating a backdoor, etc.

Q: Adam works as a Security Administrator for Umbrella Inc. While monitoring his IDS, Adam

discovers that there are a large number of ICMP Echo Reply packets being received on the

external gateway interface. On further inspection, he notices that the ICMP Echo Reply

packets are coming from the Internet without any request from the internal host. Which of the

following is the most likely cause of this issue?

a. A smurf attack has occurred on the company's network.

b. A land attack has occurred on the company's network.

c. A DoS attack has occurred on the company's network.

d. A fraggle attack has occurred on the company's network.

Explanation: Answer option A is correct.

What are common signs that a system has been compromised or hacked? (Choose three.)

A. Server hard drives become fragmented

B. Partitions are encrypted

C. Consistency in usage baselines

D. Patterns in time gaps in system and/or event logs

E. New user accounts created

F. Increased amount of failed logon events

answer: b, c and f

Which of the following is the BEST option when dealing with risk?

a. ignore the risk

b. mitigate the risk

c. deny the risk

d. exploit the risk

answer: B

72. Q: Adam works as a professional Penetration tester. A project has been assigned to

him to employ penetration testing on the network of Umbrella Inc. He is running the

test from home and had downloaded every security scanner from the Internet. Despite

knowing the IP range of all of the systems and the exact network configuration, Adam

is unable to get any useful results. Which of the following is the most likely cause of

this problem?

Each correct answer represents a complete solution. Choose all that apply.

a. Security scanners are not designed to do testing through a firewall.

b. Security scanners cannot perform vulnerability linkage.

c. Security scanners are only as smart as their database and cannot find unpublished

vulnerabilities.

d. Security scanners are as smart as their database and can find unpublished

vulnerabilities.

Explanation: Answer options A, B, and C are correct.

Your manager has asked you to develop something that will show improvement of the state

of security of your network over time. What must you develop?

a. reports

b. metrics

c. standards

d. testing policy

answer: B

7. Q: John works as a C programmer. He develops the following C program:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Copies the caller's string into a fixed 10-byte stack buffer. */
int buffer(char *str) {
    char buffer1[10];
    strcpy(buffer1, str);   /* no length check: input longer than 10 bytes overruns buffer1 */
    return 1;
}

int main(int argc, char *argv[]) {
    buffer(argv[1]);        /* argv[1] is attacker-controlled and of arbitrary length */
    printf("Executed\n");
    return 1;
}

His program is vulnerable to a __________ attack.

a. Buffer overflow

b. Denial-of-Service

c. SQL injection

d. Cross site scripting

Explanation: Answer option A is correct.

This program takes a user-supplied string and copies it into 'buffer1', which can hold up to 10 bytes

of data. If a user sends more than 10 bytes, it would result in a buffer overflow.

Buffer Overflow

Buffer overflow is a condition in which an application receives more data than it is configured to

accept. It helps an attacker not only to execute a malicious code on the target system but also to

install backdoors on the target system for further attacks.

Q: Which of the following is a term that refers to unsolicited e-mails sent to a large number of

e-mail users?

a. Buffer overflow

b. Biometrics

c. Hotfix

d. Spam

Explanation: Answer option D is correct.

Spam is a term that refers to the unsolicited e-mails sent to a large number of e-mail users.

Q: Which of the following languages are vulnerable to a buffer overflow attack?

Each correct answer represents a complete solution. Choose all that apply.

a. C

b. C++

c. Java

d. Action script

Explanation: Answer options A and B are correct.

C and C++ are the languages that are vulnerable to a buffer overflow attack.

1. Q: Which of the following algorithms can be used to check the integrity of a file?

Each correct answer represents a complete solution. Choose two.

a. md5

b. sha

c. rsa

d. blowfish

Explanation: Answer options A and B are correct.

Any hashing algorithm can be used to determine whether a file has changed. In this process, the

sender calculates the hash value of the file and sends that hash value along with the file. The

receiver then recalculates the hash value of the received file and checks whether the two hashes

match. Since md5 and sha are hashing algorithms, they can be used to check the integrity of a file.
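Added Python example (not part of the original guide) of the sender/receiver integrity check described above, which is also the procedure behind question 59's answer (comparing a download's MD5 against the digest published on the distribution media). The file contents, the one-byte tampering and the function names file_digest, verify_download and demo are constructed for this illustration. Two caveats a practitioner would add: MD5's collision resistance is broken in practice, so publish SHA-256 digests where you can; and the published digest only helps if it is obtained over a channel the attacker cannot also alter, since an attacker who can replace the file on a site can usually replace the digest beside it.

```python
import hashlib
import hmac


def file_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of the file contents, fed to the hash in chunks as one would for a large file."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for i in range(0, len(view), 4096):
        h.update(view[i:i + 4096])
    return h.hexdigest()


def verify_download(data: bytes, published_digest: str, algorithm: str = "sha256") -> bool:
    """Receiver side: recompute the digest and compare it with the published value.

    compare_digest does a constant-time comparison; case and surrounding whitespace in the
    published value are normalised because digests are usually copied from a web page.
    """
    actual = file_digest(data, algorithm)
    return hmac.compare_digest(actual.lower(), published_digest.strip().lower())


def demo() -> dict:
    # Constructed "software" payload, large enough to span several hash chunks.
    original = b"#!/bin/sh\necho installing\n" * 200
    # The distributor publishes digests of the genuine file.
    published = {"md5": file_digest(original, "md5"), "sha256": file_digest(original, "sha256")}
    # A single-byte change (lower-case l to upper-case I) is enough to fail the check.
    tampered = original.replace(b"installing", b"instaIling", 1)
    return {
        "md5_ok": verify_download(original, published["md5"], "md5"),
        "sha256_ok": verify_download(original, published["sha256"]),
        "tampered_md5": verify_download(tampered, published["md5"], "md5"),
        "tampered_sha256": verify_download(tampered, published["sha256"]),
    }
```

A digest detects accidental and opportunistic modification; it does not by itself authenticate the publisher. For that the digest list must be signed, which is the role of the digital signatures covered later in this guide.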

Functions of SSL

Secure Sockets Layer (SSL) is used to secure Web communications between clients and Web

servers. The SSL protocol provides communications privacy, authentication, and message integrity.

This protocol enables clients and servers to communicate in a manner that prevents eavesdropping

and tampering.

Internet Protocol Security (IPSec) is a standard-based protocol that provides the highest level of

VPN security. IPSec can encrypt virtually everything above the networking layer. It is used for VPN

connections that use the L2TP protocol. It secures both data and password. IPSec cannot be used

with Point-to-Point Tunneling Protocol (PPTP).

Which property ensures that a hash function will not produce the same hashed value for two

different messages?

A. Entropy

B. Key length

C. Bit strength

D. Collision resistance

answer: D

5. Q: You work as a Network Administrator for Tech Perfect Inc. The company has a

Linux-based network. You have configured a VPN server for remote users to connect

to the company's network. Which of the following encryption types will Linux use?

a. RC2

b. MSCHAP

c. CHAP

d. 3DES

Explanation: Answer option D is correct.

For VPN connections, Linux uses 3DES encryption.

8. Q: Andrew works as a Software Developer for Mansoft Inc. The company's network

has a Web server that hosts the company's Web site. Andrew wants to enhance the

security of the Web site by implementing Secure Sockets Layer (SSL). Which of the

following types of encryption does SSL use?

Each correct answer represents a complete solution. Choose two.

a. Secret

b. IPSec

c. Asymmetric

d. Symmetric

Explanation: Answer options C and D are correct.

SSL uses asymmetric and symmetric encryption to accomplish the task. Secure Sockets Layer

(SSL) is a protocol used to transmit private documents via the Internet. SSL uses a combination of

public key and symmetric encryption to provide communication privacy, authentication, and

message integrity.

Q: Which of the following encryption algorithms are based on stream ciphers?

Each correct answer represents a complete solution. Choose all that apply.

a. Blowfish

b. FISH

c. Twofish

d. RC4

Explanation: Answer options B and D are correct.

FISH and RC4 encryption algorithms are based on stream ciphers.

Q: Which of the following cryptographic algorithms is a hashing algorithm that is vulnerable to collision and rainbow attacks?

a. MD5

b. RC5

c. AES

d. RSA

Explanation: Answer option A is correct.

Q: Which of the following cryptographic algorithms is easiest to crack?

a. AES

b. DES

c. SHA-1

d. RC5

Explanation: Answer option B is correct.

Each correct answer represents a complete solution. Choose all that apply.

a. RC4

b. MD5

c. SHA

d. AES

Explanation: Answer options B and C are correct.

MD5 and SHA are hashing algorithms.

Q: Which of the following protocols provides a framework for the negotiation and management of security associations between peers and traverses the UDP/500 port?

a. ISAKMP

b. IKE

c. ESP

d. AH

Explanation: Answer option A is correct.

Q: Which of the following statements is true of a digital signature?

a. A digital signature verifies the identity of the person who applies it to a document.

b. A digital signature is required for an e-mail message to get through a firewall.

c. A digital signature compresses the message to which it is applied.

d. A digital signature decrypts the contents of documents.

Explanation: Answer option A is correct.

A digital signature is a personal authentication method based on encryption and authorization codes. It is used for signing electronic documents. A digital signature not only validates the sender's identity, but also ensures that the document's content has not been altered.

20. Q: Mark is implementing security on his e-commerce site. He wants to ensure that a customer sending a message is really the one he claims to be. Which of the following techniques will he use to ensure this?

a. Digital signature

b. Authentication

c. Packet filtering

d. Firewall

Explanation: Answer option A is correct.

Q: In which of the following cryptographic attacking techniques does an attacker obtain encrypted messages that have been encrypted using the same encryption algorithm?

a. Known plaintext attack

b. Ciphertext only attack

c. Chosen plaintext attack

d. Chosen ciphertext attack

Explanation: Answer option B is correct.

In a ciphertext only attack, the attacker obtains encrypted messages that have been encrypted using the same encryption algorithm.

Known plaintext attack: In a known plaintext attack, the attacker has both the plaintext and the ciphertext of one or more messages. These two items are used to extract the cryptographic key and recover the encrypted text.

Ciphertext only attack: In this attack, the attacker obtains encrypted messages that have been encrypted using the same encryption algorithm. For example, the original version of WEP used RC4, and if sniffed long enough, the repetitions would allow a hacker to extract the WEP key. Such attacks do not require the attacker to have the plaintext, because statistical analysis of the sniffed traffic is enough.

Chosen plaintext attack: In a chosen plaintext attack, the attacker chooses the information to be encrypted and obtains a copy of it together with the encrypted data. This is used to find patterns in the cryptographic output that might uncover a vulnerability or reveal a cryptographic key.

Chosen ciphertext attack: In this type of attack, the attacker can choose the ciphertext to be decrypted and can then analyze the resulting plaintext. The early versions of RSA used in SSL were actually vulnerable to this attack.

2. Q: How is gray box testing different from black box testing?

a. In white box testing, the tester has no knowledge of the target. He has been given only the name of the company.

b. In black box testing, the tester has complete knowledge of the internal company network.

c. In gray box testing, the tester has to try to gain access to a system using commercially available tools only.

d. In gray box testing, the attacker performs attacks with a normal user account to see if he can escalate privileges.

Explanation: Answer option D is correct.

In gray box testing, the attacker performs attacks with a normal user account to see if he can escalate privileges.

Answer option A is incorrect. White box testing is a security testing method that can be used to validate whether the application implementation follows the intended design, to validate implemented security functionality, and to uncover exploitable vulnerabilities.

Answer option B is incorrect. Black box testing assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis.

Q: As a security consultant, you have been brought in to run a vulnerability assessment on a large entertainment organization. Company management wants to know how long it will take before you can break in and get access to sensitive financial data. How would you respond to them?

a. You would try your best, and should be able to get access within 2-3 weeks.

b. You politely point out to them that you are running a vulnerability assessment, and that this does not involve pentesting, which is what includes getting access to sensitive data.

c. You let them know that it is directly dependent on the security posture of the organization, and how well controls have been implemented.

d. You let them know that it depends on the contract, on whether white-box testing is allowed or a black-box testing approach has to be taken.

Explanation: Answer option B is correct.

Q: What are some of the end goals of a successful pentesting effort?

a. Verifying whether, in the event of hardware damage, certain data could be restored with a regular backup

b. Generally examining the IT infrastructure in terms of its compliance, efficiency, effectiveness, etc.

c. Identifying vulnerabilities and improving security of technical systems

d. Cataloging assets and resources in a system

Explanation: Answer option C is correct. For a successful penetration test that meets the client's expectations, the clear definition of goals is absolutely essential. If goals cannot be attained or cannot be achieved efficiently, the tester should notify the client in the preparation phase and recommend alternative procedures such as an IT audit or IT security consulting services.

Q: Which of the following statements differentiates a penetration tester from an attacker?

a. A penetration tester uses various vulnerability assessment tools.

b. A penetration tester does not test the physical security.

c. A penetration tester does not perform a sniffing attack.

d. A penetration tester differs from an attacker by his intent and lack of malice.

Explanation: Answer option D is correct.

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.

7. Q: Which of the following principal steps of risk management includes identification of vulnerabilities, assessment of losses caused by materialized threats, cost-benefit examination of countermeasures, and assessment of attacks?

a. Risk assessment

b. Vulnerability management

c. Assessment, monitoring, and assurance

d. Adherence to security standards and policies for development and deployment

Explanation: Answer option A is correct.

Risk assessment includes identification of vulnerabilities, assessment of losses caused by materialized threats, cost-benefit examination of countermeasures, and assessment of attacks.

9. Q: If you are trying to find domain name related records for a given organization, which tool would you use first?

a. NSLookup

b. Nmap

c. Neotrace

d. Traceroute

Explanation: Answer option A is correct. NSLookup is used to query Internet domain name servers. It is used to display DNS records for the IP addresses and host names of important servers.

10. Q: What command will you use to grab a password file through Netcat?

a. pwdump > file.txt

b. nc -l -p <port number> -e cmd.exe -d

c. nc -l -u -p 1111 < /etc/passwd

d. nc <ip address> <port number> <passwd>

Explanation: Answer option C is correct. You can use netcat to grab a password file. This command listens on UDP port 1111 (the -u flag selects UDP) and serves the contents of /etc/passwd to the client that connects.

Q: A fast food chain is planning to tighten the security posture of its IT infrastructure. For the initial period, a lower security budget has been approved, and the company is planning to run the tests via tools with an internal team in a concurrent fashion that will replicate the attacks from external intruders. When an increased budget gets approved, the new assessments will take into account other areas such as security architecture and policy. What testing sequence should the company follow?

a. Black box testing followed by white box testing

b. Automated testing followed by manual testing

c. Grey box testing all through

d. Manual testing followed by automated testing

Explanation: Answer option B is correct.

Q: Mark, a malicious hacker, hides a hacking tool from a system administrator of his company by using Alternate Data Streams (ADS). Which of the following statements is true in this situation?

a. Mark is using the NTFS file system.

b. Mark is using the FAT file system.

c. Alternate Data Streams is a feature of the Linux operating system.

d. Mark's computer runs on the Microsoft Windows 98 operating system.

answer: A

13. Q: Mark works as a backup administrator for uCertify Inc. He is responsible for taking backups of important data, and so he is only authorized to access this data for backing it up. However, sometimes users with different roles need to access the same resources. By which of the following can this situation be handled?

a. Role-Based Access Control (RBAC)

b. Mandatory Access Control (MAC)

c. Discretionary Access Control (DAC)

d. Access Control List (ACL)

Explanation: Answer option A is correct. Role-based access control (RBAC) is an access control model. In this model, a user can access resources according to his role in the organization. For example, a backup administrator is responsible for taking backups of important data. Therefore, he is only authorized to access this data for backing it up. However, sometimes users with different roles need to access the same resources. This situation can also be handled using the RBAC model.

Answer option B is incorrect. Mandatory Access Control (MAC) is a model that uses a predefined set of access privileges for an object of the system. Access to an object is restricted on the basis of the sensitivity of the object and granted through authorization. Sensitivity of an object is defined by the label assigned to it. For example, if a user receives a copy of an object that is marked as "secret", he cannot grant permission to other users to see this object unless they have the appropriate permission.

Answer option C is incorrect. Discretionary access control (DAC) is an access policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have. Two important concepts in DAC are as follows:

14. Q: You are a malicious hacker and want to run a port scan on a system to investigate open ports and other valuable information. You are using the nmap command for this purpose. As you are concerned that someone running PortSentry could block your scans, you decide to slow the scans so that no one can detect them. Which nmap command will you use to accomplish the task?

a. nmap -sS -PT -PI -O -T1 <ip address>

b. nmap -sO -PT -O -C5 <ip address>

c. nmap -sF -P0 -O <ip address>

d. nmap -sF -PT -PI -O <ip address>

Explanation: Answer option A is correct.

Q: You work as a security administrator for uCertify Inc. Mark, a manager of the sales department, is currently away on urgent work. He has asked that you send some very sensitive data to him on a USB flash drive. You are concerned about the security of the data. For security reasons, you initially think of encrypting these files, but decide against it out of fear that the encryption keys could eventually be broken. Which software application will you use to hide the data on the USB flash drive?

a. Snow

b. EFS

c. File Sniff

d. File Sneaker

Explanation: Answer option A is correct.

Q: You work as a security administrator for uCertify Inc. You discover that there are a large number of ICMP Echo Reply packets being received on the external gateway interface while monitoring your IDS. After further investigation, you notice that the ICMP Echo Reply packets are coming from the Internet without any request from an internal host. Which of the following types of attacks can be the reason for this issue?

a. Smurf attack

b. Land attack

c. DoS attack

d. Fraggle attack

Explanation: Answer option A is correct.

Q: Which of the following are the effects of a DoS attack?

Each correct answer represents a complete solution. Choose all that apply.

a. Saturates network resources

b. Helps services to a specific computer

c. Causes failure to access a Web site

d. Results in an increase in the amount of spam

Explanation: Answer options A, C, and D are correct.

Q: You work as a professional ethical hacker. You have been assigned the project of testing the security of www.ucertify.com. You want to perform a stealth scan to discover open ports and applications running on the uCertify server. For this purpose, you want to initiate the scan with the IP address of a third party. Which of the following scanning techniques will you use to accomplish the task?

a. IDLE

b. RPC

c. UDP

d. TCP SYN/ACK

Explanation: Answer option A is correct.

The IDLE scan is initiated with the IP address of a third party. Hence, it becomes a stealth scan. Since the IDLE scan uses the IP address of a third party, it is very difficult to trace the scan back to the attacker.

Q: Mark works as a security administrator for uCertify Inc. He wants to perform an active session hijack against Secure Inc. He has found a target that allows a Telnet session. He has also found an active session because of the high level of traffic on the network. What should be the next step taken by Mark?

a. Guess the sequence numbers.

b. Use Brutus to crack the telnet password.

c. Use a sniffer to listen to the network traffic.

d. Use macof to change the MAC address.

Explanation: Answer option A is correct.

Q: Your client has given you permission to execute exploit code on the corporate network to test if the IDS/IPS is able to identify and prevent the attacks. What mechanism can you potentially employ to bypass the security mechanisms of the network?

a. Payload

b. Meterpreter

c. Exploit

d. Encoder

Explanation: Answer option D is correct.

An encoder scrambles the payload to hide the exploit. Most encoders use an algorithm to change parts of the payload. The encoded payload includes a decoder so that when the payload reaches its target, the machine can recover what it really needs to do after it runs the decoder.

13. Q: When users access a certain popular news site, they are being redirected to a similar-looking site that contains malicious software. You suspect that your router has been attacked. What kind of attack has the hacker launched?

a. Route table poisoning

b. Black hole attack

c. Hit and Run Attacks

d. Persistent Attacks

Explanation: Answer option A is correct.

Routing table poisoning is considered one of the most effective and prominent types of attacks, and consists of the unauthorized altering, or poisoning, of routing tables. Wrong entries in the routing table lead to a false destination address and several other defects.

Q: As a new pentester, you are developing your arsenal of tools. Name a bootable open source live-CD Linux distribution with a huge variety of security and forensics tools that is a must-have in your toolkit.

a. BackTrack (now Kali)

b. Bidiblah

c. VMware

d. botnets

Explanation: Answer option A is correct.

Which protocol and port number is needed to allow log messages through a firewall?

a. SNMP - 161

b. SMTP - 25

c. Syslog - 514

d. POP3 - 110

answer: C

In PGP, what is used to encrypt a message before it is sent?

a. receiver's private key

b. sender's private key

c. receiver's public key

d. sender's public key

answer: C

Which of the following is a preventative control?

a. audits

b. smart cards

c. disaster recovery plan

d. digital signatures

answer: B

The main difference between symmetric and asymmetric encryption is that symmetric encryption...

a. uses multiple keys to encrypt and decrypt data

b. uses session keys generated from each party's private key

c. uses the same key to encrypt and decrypt data

d. creates a one-way hash that cannot be reversed

answer: C

As the security engineer, you have been tasked with creating a secure remote access solution that minimizes the chance of a MiTM attack. What should you use?

a. SSL

b. IPSec

c. TLS

d. HTTP over DNS

answer: B

If, after applying all of your security controls, you still have not eliminated all risk, what now?

a. cancel the project (go in a different direction)

b. deny to management that there is remaining risk

c. accept the risk if it is low enough (to management)

d. continue to apply additional controls until all risk is eliminated

answer: C

Information gathered from social networking websites such as Facebook, Twitter and LinkedIn can be used to launch which of the following types of attacks? (Choose two.)

A. Distributed denial of service attack

B. MiTM attack

C. Teardrop attack

D. SQL injection attack

E. Phishing attack

F. Social engineering attack

answer: E and F

Which of the following is true about proxy firewalls?

A. Proxy firewalls block network packets from passing to and from a protected network.

B. Proxy firewalls increase the speed and functionality of a network.

C. Systems establish a connection with a proxy firewall, which then creates a new network connection for that device.

D. Firewall proxy servers decentralize all activity for an application.

answer: C

Which of the following provides protection against brute force attacks by using a 160-bit hash?

a. PGP

b. MD5

c. SHA-1

d. RSA

answer: C

A security administrator has decided to use multiple layers of anti-virus defense, such as end user desktop anti-virus and an e-mail gateway. This will mitigate which kind of attack?

A. Scanning attack

B. Social engineering attack

C. ARP spoofing attack

D. Forensic attack

answer: B

Which would be most effective in determining whether additional end user training is needed?

a. sql injection

b. social engineering

c. vulnerability scanning

d. application hardening

answer: B

Which type of access control is used on firewalls and routers?

a. mandatory

b. rule-based

c. discretionary

d. role-based

answer: B

Which type of detection system can monitor, log and alert but will not stop an attack?

a. active

b. passive

c. reactive

d. detective

answer: D

How can we defeat rainbow tables?

a. salt

b. pepper

c. cinnamon

d. juju beans

answer: A

How often does the PCI-DSS require an organization to perform an external pentest?

a. once a quarter

b. once a year

c. every two years

d. at least once a year and after a major change or update

answer: D

Which of the following is used to ensure that policy, configuration and procedural modifications are made in a controlled manner and are documented?

a. peer review

b. compliance

c. change management

d. vulnerability scanning

answer: C

What is the name of the international standard for the functionality of IT systems?

a. ISO 18011

b. Orange Book

c. Common Criteria

d. ITSec

answer: C

What should an ethical hacker first get before starting a pentest?

a. report on findings

b. nmap scan

c. social engineering

d. get a signed document from senior management

answer: D