CEH Flashcards
What is the nmap parameter for aggressive scanning?
-A
What is the nmap parameter for enabling the script engine?
-sC
What is the nmap parameter used for OS fingerprinting?
-O
What is the nmap parameter used to identify the path taken by a packet as it travels toward the destination?
--traceroute
What nmap parameter is used to disable ICMP pings?
-P0 or -PN (old)
-Pn (new)
What nmap parameter configures nmap to perform a stealth scan, also known as a SYN scan or half-open scan?
-sS
What nmap parameter configures nmap to disable DNS?
-n
What nmap parameter configures nmap to always perform DNS?
-R
What nmap command is equivalent to nmap -A?
nmap -sV -sC -O --traceroute
What is JXplorer?
Java-based LDAP browser
What is Luma?
Python-based LDAP browser
What is Coral Directory?
LDAP browser specific to Windows 2000 or later
What are Cloudborne attacks?
How can they be mitigated?
A firmware backdoor is installed on a cloud server that is later repurposed for another client
Reflash the firmware on a server before repurposing it
What was Operation Cloud Hopper?
Spear phishing was used to infiltrate cloud provider networks, enabling attackers to compromise target data stored in the cloud
Which MIB stores information about TCP/IP on network hosts as well as information about SNMP configuration itself?
MIB_II
Which MIB contains information about the network traffic between hosts and DHCP servers?
DHCP.MIB
Which MIB contains information about workstation and server services?
LMMIB2.MIB
Which MIB contains information about the Windows Internet Name Service, a name resolution service for NetBIOS?
WINS.MIB
Which MIB contains information about managing and monitoring resources on hosts on the network, such as the host’s date and time, users, processes, memory, physical storage, etc.?
HOSTMIB.MIB
What is KoreK chopchop?
An attack that can decrypt a WEP packet without requiring the key
What is KRACK?
Key Reinstallation Attack. Replay attack that exploits WPA2’s four-way handshake process.
The attacker captures the shared secret and tricks the victim into reinstalling a key that is already in use.
What type of information is included in a WHOIS query?
information about the IP network range from which the IP address was allocated
technical, administrative, and billing contact information for the parties associated with a particular domain name
Which DNS records contain information about the OSs implemented and the hardware platforms in an organization?
HINFO
Which nmap parameter configures nmap to perform an ACK scan?
-sA
What is a DROWN attack?
a vulnerability in servers that support SSLv2 related to its handling of the cipher text in an RSA certificate during the initial handshake
What is a linear cryptanalysis attack?
using both the plain text and corresponding cipher text to extract an encryption key. Also known as a known plaintext attack
Describe blowfish
A symmetric 64-bit block cipher that uses a variable-length key ranging from 32 to 448 bits
Describe Twofish
A symmetric 128-bit block cipher that uses a key length of 128 or 256 bits
Describe IDEA
A symmetric 64-bit block cipher that uses a 128-bit key. It uses a series of eight rounds of 64-bit block encryption
Describe AES
A symmetric block cipher with 128 bit block size that uses a key length of 128, 192, or 256 bits
Describe 3DES
A 64-bit block symmetric encryption algorithm that uses multiple 56-bit passes to encrypt data, resulting in a 168-bit key
Describe RSA
An asymmetric encryption algorithm that uses prime numbers to generate keys, recommended at least 2048 bits long.
Describe SHA1
A hashing algorithm that creates a 160-bit hash
Which key is created when a TPM is manufactured?
endorsement key
Which key is created when a user takes ownership of a TPM?
storage root key
What is an STP attack?
A rogue switch is added to the network and advertises the lowest bridge priority value, making it the root bridge
What is switch spoofing?
a VLAN hopping attack in which an attacker configures their system to act like a switch with a trunk port and uses DTP (dynamic trunking protocol) to negotiate a trunk link with a switch port
What is a MITC attack?
Attacker uses malware to steal synchronization tokens used to authenticate and synchronize data with cloud providers
How can MITC attacks be mitigated?
Educating users about social engineering
Installing a CASB
What is HULK?
HTTP Unbearable Load King tool
A tool that can initiate an HTTP flood and can evade IDSs
What is MEDUSA?
Tool used to gather open-source intelligence (OSINT) from social media platforms
What is hootsuite?
A social media management platform
What is VisualRoute?
a suite of networking tools that can visualize networking issues
Which port does SMB use?
445
Which port does SNMP use?
161 and 162
What algorithms do the different wireless protocols use to encrypt communications?
WEP: RC4
WPA: TKIP
WPA2: AES-CCMP
WPA3: AES-GCMP
What is dnsenum?
a Perl script used to enumerate DNS information
What is Bluto?
a python script that can query a target domain for MX and NS records and can perform an AXFR query to discover subdomains. Can also brute force using Alexa Top 1 Million subdomains list
What is SubBrute?
a python script used for DNS enumeration that recursively crawls enumerated DNS records similar to how a search engine spider crawls a website. Can enumerate any DNS record type
What is InstaRecon?
A python-based DNS enumeration tool which adds the ability to use Shodan for performing queries and can perform reverse DNS lookups on an entire IP range
What do the various error directives in a php.ini file do?
error_log: configures the error log itself
log_errors: whether or not to write errors to log
display_errors: whether or not to display errors on browser
error_reporting: determines the level at which the PHP process will produce error messages
What is DGA?
Domain Generation Algorithm. Attack relying on domains that have not yet been categorized or classified by a reputation-based security system.
Commonly used to ensure that C2 systems remain accessible.
Malware dynamically generates predicable list of domain names that can be used to contact C2 server
What is fast fluxing?
Using a network of compromised hosts to proxy services for an attacker. The attacker’s communications are dynamically proxied through the botnet, making it difficult for the security team to blacklist the IPs of the botnet hosts
Can be mitigated by taking down the domain server that corresponds to the malicious domain
What is double fluxing?
similar to fast fluxing, but a separate botnet is used to proxy the DNS services for the attacker, protecting the attacker’s DNS server from takedown efforts
Can be mitigated by contacting the appropriate Top Level Domain (TLD) registrar to take down the domain
What does the mod_negotiation module do on an Apache server?
Disables file extensions on the server. The file extensions are not revealed in the URL, and the extension of the file returned by the server is based on the browser’s preferences
Which parameter should be used to silence error messages when using the curl command to scrape hyperlinks from a webpage?
-s
What is a DNS DDoS?
Flooding TCP port 53 of a DNS server with illegitimate traffic to deny access to the server
What is a DNS amplification attack?
A DRDoS attack in which attackers send a flood of DNS queries from their own servers, but the queries contain spoofed source addresses that are sent to the address of the target
What is DNS tunneling?
data exfiltration technique in which nonstandard traffic is sent over TCP port 53 in order to bypass firewall protections
What does the NSE smb-os-discovery script return?
OS
Computer name
Domain name
Forest name
FQDN
NetBIOS name
NetBIOS domain name
Workgroup
System time
What does the NSE enip-info script return?
If the target device is listening on port 44818:
Device type
Vendor ID
Product name
Serial number
Product code
Revision number
Status
State
IP address
What does the netbus-info NSE script return?
Uses port 12345 to return:
Applications
Installation path
Restart persistence
User login ID
Number of connected clients
Log settings
Password
Email address
SMTP server
Sound volume settings
What does the http-enum NSE script return?
exposed applications, directories, and files on web servers
What does a passive aLTEr attack do?
Uses OSI Layer 2 meta-information to determine which sites a user visits
What is an active aLTEr attack?
Attacker simulates a legitimate cell tower to redirect connections
What is Maltego?
Software used for OSINT and forensics. Specializes in displaying info in graph format. Permits creating custom entities, allowing it to represent any type of information.
What was the previous name for Wireshark?
Ethereal
What is Nessus?
A proprietary vulnerability scanner
What TTL value indicates a Windows OS?
128
Describe the four iOS jailbreaking techniques
Tethered: Computer is required to boot and maintain jailbreak after restart
Untethered: Device remains jailbroken after restarting
Semi-tethered: Rebooting returns device to non-jailbroken status. Must use a computer to re-jailbreak
Semi-untethered: Device reboots to normal state, but can be re-jailbroken using an app installed on the device
What are the common NetBIOS suffixes (also called NetBIOS End Character)?
Unique names:
00: Workstation name
03: Messenger service
06: Remote access service
20: File service
21: Remote access service client
1B: Domain master browser
1D: Master browser
Group names:
00: Workstation service (workgroup/domain name)
1C: domain controllers
1E: browser service elections
What is RADIUS?
Remote Authentication Dial In User Service. AAA protocol for users who connect to and use a network service. Runs in the application layer and can use TCP or UDP. Provides 802.1X authentication.
What are the different modes for Hping2?
Default: TCP
-1: ICMP
What port do compromised IoT devices typically use to spread malware?
48101
What type of web-service API uses HTTP methods such as PUT, POST, GET, and DELETE?
RESTful API
What is Burp Suite?
A Java-based web penetration testing framework. Industry-standard suite of tools. Helps identify vulnerabilities and verify attack vectors affecting web apps
Can be classified as an interception proxy. Pen tester can configure their internet browser to route traffic through Burp Suite proxy server, which then acts as sort of a man in the middle, capturing and analyzing each request to and from the web app
What SMTP command is used to verify a user ID on a mail domain?
VRFY
Which SMTP command asks for confirmation about the ID of a mailing list?
EXPN
What is an encryption virus?
Ransomware. Encrypts the victim’s data and demands a ransom to decrypt it
What is a tunneling virus?
attempts to intercept anti-virus software before it can detect malicious code
What is a teardrop attack?
DoS attack in which an attacker sends several large overlapping IP fragments. When the victim system tries to reassemble the packets, the system will sometimes crash
Which nmap parameter is used to perform a TCP ACK Ping scan?
-PA
Which nmap parameter is used to indicate that nmap should not perform a port scan after performing host discovery?
-sn
Which nmap parameter is used to perform a TCP SYN ping scan?
-PS
Which nmap parameter is used to perform a UDP ping scan?
-PU
What is Flowmon?
A company that provides network flow-based monitoring solutions
What is Robotium?
An open-source test automation framework for Android apps
What is URLFuzzer?
An app that uses fuzzing to seek out hidden files, directories, and other resources on a web server
What is IntentFuzzer
a fuzzing framework which targets the Inter-process communication (IPC) mechanisms of Android apps
Which type of nmap scan is most appropriate for scanning large IP ranges?
-PR ARP scan because it’s faster and more accurate than IP-based scans
Which MSFVenom option is used to specify the output format?
-f or --format
What file is a rich target to discover the structure of a website during web-server footprinting?
robots.txt, which is used to control crawling access
What is the folder where the website files for a domain name are stored, such as index.php, index.html, default.html, etc.?
Document root
What was Operation Cloud Hopper?
Attackers used MSPs as intermediaries to acquire assets and trade secrets from MSP clients. Malware was delivered through spear-phishing emails. Stolen data was then compressed and exfiltrated from the MSP’s network
What is ZoomInfo?
Vancouver-based software company providing subscription-based SaaS services
What is Factiva?
Business information and research tool which aggregates content from more than 32,000 news sources such as newspapers, journals, magazines, etc.
What is Infoga?
Tool for gathering email account information from different public sources and checks to see if emails were leaked
What is Netcraft?
Internet services company from England. Provides cybercrime disruption services.
What is cryptcat?
a tool that enables communication between two systems and encrypts the communication with twofish in order to evade IDS
What is a webhook?
a method of augmenting or altering the behaviour of a web page or web app with custom callbacks
This is usually done with HTTP POST requests
What is a TCP Maimon scan?
-sM
nmap scan using the FIN/ACK flags. An RST packet should be generated whether the port is open or closed. However, BSD-derived systems often drop the packet if the port is open
What is a CRIME attack?
Compression Ratio Info-leak Made Easy. A security exploit against secret web cookies over connections using HTTPS and SPDY protocols. Can be used to perform session hijacking
What is a slowloris attack?
DoS attack which allows single machine to take down another machine’s web server by keeping as many connections to the target server open, maxing out the concurrent connection pool
What is Phlashing?
permanent DoS attack that exploits a vulnerability in network-based firmware updates. Currently theoretical.
What is ike-scan?
a command-line IPSec VPN scanner and testing tool used to discover, fingerprint, and test IPSEC VPN systems
What type of SQLi makes use of DNS to pass data to an attacker?
out-of-band
What MSFVenom option can be used to manually specify the architecture for the output payload?
-a or --arch
Which MSFVenom option can be used to specify characters which should not be included in the shellcode?
-b or --bad-chars
Which MSFVenom option can be used to specify the payload?
-p or --payload
Which techniques does Aircrack-ng use to crack WEP keys?
Dictionary
Pyshkin, Tews, Weinmann (PTW)
Fluhrer, Mantin, Shamir (FMS)
KoreK
Which type of rootkit can migrate the OS into a VM?
hypervisor-level
They install themselves between the hardware layer and the OS
What is the difference between DNS spoofing and DNS hijacking?
DNS spoofing is the same as poisoning. Malicious DNS data is inserted into a DNS server.
DNS hijacking is the same as DNS redirection. Malware is used to hijack DNS services and place them under the control of the attacker.
Rather than injecting data into a legitimate DNS server, DNS hijacking reconfigures the TCP/IP stack to point at a malicious server
What is domain hijacking?
Registrar-level attack in which name servers assigned to resolve a target’s top-level domain are modified, redirecting requests for those domains to malicious servers
If a computer’s data is protected with BitLocker and then Windows fails to start, how do you access the data?
Use the BitLocker recovery password
What is the GNU Bash Shellshock vulnerability?
A vulnerability in GNU Bash versions 4.3 and earlier that enables an attacker to send trailing information in an environment variable and execute arbitrary commands on the remote host
Which Bash shell file is parsed when Bash shell starts, automatically executing any config commands contained in the file?
.bashrc
Typically sets display coloring, command aliases, command history configurations, etc.
Which Bash shell file contains a limited amount of the user’s command history?
.bash_history
Which Bash shell file contains configuration commands that are executed when a user logs in and are only executed once regardless of the number of shells the user opens?
.bash_profile
typically configured to search for a .bashrc file in order to configure command aliases and other info
Which Bash shell file is executed when a user logs out of a session and contains cleanup routines?
.bash_logout
Which cURL option is used to prevent errors from displaying in the output?
-s
Which cURL option is used to specify a delimiter instead of the default delimiter?
-d
Which cURL option is used to specify which field’s parsed input line will be included in the output line?
-f
Thus, -f 2 specifies that the second field will be in the output: if a line is delimited into two parts, only the second part is output
What is the purpose of the classes.dex file in android apps?
It includes the Java libraries that the app requires
What is the RIR for China, India, Japan, and Australia?
APNIC
What is the RIR for Africa and parts of the Indian Ocean?
AFRINIC
What is the RIR for North America, including Canada and the US?
ARIN
What is the RIR for Europe, the Middle East, and Central Asia?
RIPE NCC
What is the RIR for Mexico, Central America, South America, and portions of the Caribbean?
LACNIC
Where do network and agent-based vulnerability scanners operate from?
Network runs on a dedicated host such as an appliance or VM
Agent requires a small amount of code on each host to be scanned
What is Zigbee?
Wireless communications protocol used in electronics such as switches, timers, remote controls, and sensors.
Low-cost alternative to other wireless PANs, but has a short range
What is NB-IoT?
Narrowband-IoT. A cellular WAN tech used to power cellular services that do not operate on LTE. Can be considered a cellular implementation of LPWAN
What is MQTT?
Message Queuing Telemetry Transport. A TCP/IP publish/subscribe protocol used to send messages between devices. Intended for use in remote environments with limited bandwidth. Involves message brokers (servers) and clients.
What is LPWAN?
Low-Power Wide Area Network. A wireless comm protocol used to communicate over long distances at a low bit rate. Low cost to implement and maintain
What is juice jacking?
A type of malware attack that exploits USB power delivery systems to inject malware into a phone or tablet
What is XML-RPC?
an HTTP-based call method which returns a single result in XML format
What year was XML-RPC first developed?
1998
What is NSTX?
A tool that is used to tunnel IP traffic within DNS packets
What is Bitvise?
A Windows-based tool used to tunnel packets over SSH
What is Loki?
A tool used to tunnel traffic over ICMP
What is Super Network Tunnel?
A tool used to tunnel packets over HTTP
What is a Mirai attack?
Very pervasive IoT malware. Spreads by scanning for vulnerable IoT devices, typically through port 48101
What is a Heartbleed attack?
An OpenSSL vulnerability that allows an attacker to obtain approximately 65kb of information from a server’s memory at regular intervals. Allows attackers to obtain a server’s private key, enabling the decryption of communications
What is a Gobuster attack?
a command line tool that can be used to enumerate applications, directories, and files, including hidden ones, on internet connected web servers
What is a Dragonblood attack?
a vulnerability in WPA3 that allows attackers to steal passwords and crash WAPs. Caused by design flaws in the Dragonfly key exchange mechanism used by WPA3
What are the 4 components of a risk assessment?
Technical, Organizational, Physical, and Administrative safeguards
Describe a counter-based authentication system
Authentication system which creates one time passwords that are encrypted with secret keys. A counter value kept on the authenticating server is also used to generate the OTP
What is blackjacking?
hijacking a blackberry connection, usually with the BBProxy tool
What are the names of two vulnerabilities in modern processors such as Intel, AMD, and ARM using speculative execution?
Spectre and Meltdown
Which nmap parameter is used to change the scan speed?
-Tx
x is replaced with numbers 0-5
What is tcpdump?
A command-line packet analyzer that can be used for OS fingerprinting
What is hping?
An open-source packet generator and analyzer for the TCP/IP protocol suite. Inspired by the Unix ping command, but not limited to ICMP echo
Which SMTP command is used to transmit email over TLS?
STARTTLS
What is nessus?
a vulnerability scanner
What is code emulation?
a virus detection technique in which a virtual machine is implemented to simulate CPU and memory management to mimic code execution. Malicious code is simulated in the virtual machine and no virus code is executed by the real processor
What is a Markov Chain?
A password cracking technique in which attackers assemble a password database, split each password, and calculate the probability of character placement in a quasi-brute-force attack
What is PRINCE?
Probability Infinite Chained Elements. Uses an algorithm to try the most likely password candidates with a refined combinator attack. Creates chains of combined words using a single dictionary
At which layer do sniffers operate?
Layer 2
Which open port indicates a network device is likely a printer?
515
Which IPSec mode should be used to ensure integrity and confidentiality of data on the same LAN?
ESP Transport
Which IPSec mode should be used to ensure the integrity of LAN data?
AH transport
Which IPSec mode should be used to ensure integrity and confidentiality of data between networks?
ESP tunnel mode
Which IPSec mode should be used to ensure integrity of data between networks?
AH tunnel
Which linux command is used to resolve a domain name into an IP address?
host -t a
What is a crypter?
a type of software that can encrypt, obfuscate, and manipulate malware to make it harder to detect by security programs
What is a dropper?
a program that secretly installs malicious programs
What is global deduction?
attacker discovers a functionally equivalent algorithm for encryption and decryption, without learning the key
What is instance (local) deduction?
attacker discovers additional plaintexts (or ciphertexts) not previously known
What is information deduction?
attacker gains some Shannon information about plaintexts or ciphertexts not previously known
What is ettercap?
a free and open source network security tool for MITM attacks on a LAN
Where does active sniffing occur vs passive sniffing?
Active sniffing is performed on a switch; passive sniffing is performed on a hub
What is the min number of network connections in a multihomed firewall?
2
What is nikto?
a free software command-line vulnerability scanner for webservers
What is chntpw?
a Linux-based software utility for resetting or blanking local passwords on Windows
Which nmap parameter can be used to help evade IDS systems?
-T (timing options 0 and 1)