CEH Flashcards

1
Q

What protocol does traceroute use by default when sending a test message to a target host on Unix/Linux systems?

A

UDP is used in a traceroute request on Unix/Linux systems while ICMP is used in a tracert command on Windows systems.

2
Q

Wireless standard 802.11a has an operating speed of how many Mbps?

A

54 Mbps

3
Q

Wireless standard 802.11g has an operating speed of how many Mbps?

A

54 Mbps

4
Q

Wireless standard 802.11a has a maximum range of how many feet indoors?

A

75 feet

5
Q

Wireless standard 802.11b has an operating speed of how many Mbps?

A

11 Mbps

6
Q

Which wireless standard has a range of 25 to 75 feet indoors?

A

802.11a

7
Q

Which 802.11 wireless standards use the OFDM modulation type?

A

802.11a, 802.11g, and 802.11n wireless standards use the OFDM modulation type.

8
Q

The wireless standards 802.11b and 802.11g both use what wireless frequency?

A

2.4 GHz

9
Q

The wireless standard 802.11n has a range of how many feet indoors?

A

175+ feet

10
Q

What is the correct order of scanning methodology?

A

Check for live systems, check for open ports, scan beyond IDS, perform banner grabbing, scan for vulnerabilities, draw network diagrams, prepare proxies

11
Q

What are the steps in the vulnerability life cycle according to ECC?

A

Creating a baseline, vulnerability assessment, risk assessment, remediation, verification, monitor

12
Q

Fingerprinting VPN firewalls is possible with which of the following tools?

A

Ike-scan

13
Q

What is a client-server tool utilized to evade firewall inspection?

A

tcp-over-dns

14
Q

Pentest results indicate that voice over IP traffic is traversing a network. Which tool will decode a packet capture and extract the voice conversations?

A

Cain

15
Q

A large company intends to use Blackberry for corporate mobile phones and a security analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking attack method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the corporate network. What tool should the analyst use to perform a Blackjacking attack?

A

BBProxy

16
Q

Which protocol and port number might be needed in order to send log messages to a log analysis tool that resides behind a firewall?

A

UDP 514

17
Q

Which Windows system tool checks the integrity of critical files that have been digitally signed by Microsoft?

A

sigverif.exe

18
Q

What tool can crack Windows SMB passwords simply by listening to network traffic?

A

L0phtcrack. This is possible with an SMB packet capture module for L0phtcrack and known weaknesses in the LM hash algorithm.

19
Q

What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stacheldraht have in common?

A

All are DDOS tools.

20
Q

Jacob would like your advice on using a wireless hacking tool that can save him time and get him better results with fewer packets. You would like to recommend a tool that uses KoreK’s implementation. Which tool would you recommend from the list below?

A

Aircrack. Implementing KoreK’s attacks as well as improved FMS, aircrack provides the fastest and most effective statistical attacks available.

21
Q

What is the tool Firewalk used for?

A

To determine what rules are in place for a firewall. Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device “firewall” will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets and no response will be returned.

22
Q

You gained a copy of both the plain-text and corresponding cipher-text messages and want to use this information to figure out the key that has been used. What kind of cryptographic attack are you conducting?

A

Known plain-text attack. In a known plain-text attack, you use a copy of both the plain-text and corresponding cipher-text messages and want to use this information to figure out the key that has been used.

23
Q

You decide to conduct a chosen cipher attack. How would you go about conducting this attack?

A

Choose a cipher-text message and use comparative analysis with multiple keys and a plain-text version to figure out the correct key. In a chosen cipher attack, an attacker would typically choose a single cipher-text message and then use comparative analysis with multiple keys and a plain-text version of the chosen message. The overall goal is to use comparative analysis on these two versions of the message, along with multiple keys, to discover the correct key.

24
Q

You are on a pen test assignment and just launched a chosen plain-text attack and gained access to the key. What did you do during this attack to gain the key?

A

Encrypted various plain-text copies yourself. During a chosen plain-text attack, an attacker encrypts various plain-text copies on their own in order to gain a key.

25
Q

A penetration tester is performing a vulnerability assessment. They started by building an inventory of protocols found in the system and have started to determine what services are attached to those ports. After finding those services, the pen tester will determine the vulnerabilities that most affect each machine in order to execute the relevant tests. This approach to vulnerability assessments is called what?

A

Inference-based assessment. Inference-based assessments start with the auditor investigating the system or network they are working on and scanning it to build an inventory of the protocols in use. From this information, they can determine which services are using the ports and what applications/functionality may be at work. After determining the services and applications, the pen tester can tailor the testing strategy to those specific items to ensure a more efficient assessment.

26
Q

You just finished conducting your risk assessment. What is the next step that you would take in the vulnerability assessment life cycle?

A

Remediation. After conducting a risk assessment, you would typically begin to remediate vulnerabilities based on their severity.

27
Q

Which vulnerability assessment would start by building an inventory of the protocols found and then develop a profile in order to execute only the relevant tests?

A

Inference-based. In an inference-based assessment, scanning begins with developing an inventory of the protocols found on the machine. After locating the protocols, the scanning process determines what ports are attached to the discovered services, such as whether it is a web, email, or database server. After isolating the services, it then selects the vulnerabilities on each machine and executes only the relevant tests.

28
Q

Which is a U.S. government repository of standards-based vulnerability management data?

A

NVD. The National Vulnerability Database (NVD) is a repository owned by the U.S. government which houses standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). It provides the ability to automate vulnerability management, security measurement, and compliance. It holds troves of information in various databases, such as security checklist references, software flaws, potential misconfigurations, product names, and impact metrics.

29
Q

Which of the following would not be in the post-assessment phase of the vulnerability management life cycle?

A

Baseline. After completing the vulnerability assessment, it is important to properly analyze the results, remedy any discovered vulnerabilities appropriately, ensure they are resolved, and then continue to monitor. The post-assessment phase in the vulnerability management life cycle contains the following:
- Risk Assessment
- Remediation
- Verification
- Monitoring

30
Q

What is an example of an application layer attack?

A

Slowloris. In a slowloris attack, the attacker sends a large number of partial HTTP requests to the target web server or application. In response, the target server opens a connection for each request and waits for it to complete. However, the connections are never completed and closed, so the server reaches its maximum concurrent connection pool and additional connection attempts are denied.

31
Q

A malicious actor is looking to take down a competitor's website. He has attempted a ping of death attack on the server, and the web server has frozen. What would be the appropriate mitigation technique?

A

Add a check to the packet reassembly process to verify the packet size is not over the maximum. A ping of death (PoD) attack is where an attacker sends an oversized packet via the ping command. For example, if an attacker sends a packet with a size of 65,536 bytes, it might cause the system to crash during reassembly, since the packet size limit prescribed by RFC 791 (IP) is 65,535 bytes. To mitigate this attack, an administrator would configure hosts to check the packet size before reassembly.

32
Q

A pen tester is looking to verify that the firewalls of Acme Inc. can handle potential protocol-based DoS attacks directed at them and at other devices like load balancers and application servers. Which of the following would not be a protocol-based DoS attack that the tester would conduct?

A

ICMP flood. An ICMP flood is considered a volumetric attack that seeks to consume the bandwidth of the target network or service. In contrast, a protocol attack such as a SYN flood, ACK flood, or TCP state exhaustion looks to consume other types of resources, such as the connection state tables present in infrastructure components on the network, including firewalls, load balancers, and application servers.

33
Q

A network administrator determines that the organization's public web store is receiving a slowloris attack, making it unavailable to legitimate customers. Which of the following methods would be an appropriate mitigation technique?

A

Implement a timeout for open connections. In a slowloris attack, an attacker sends a multitude of HTTP requests to the target web server but never completes the connection. As the connection stays open, with the server awaiting communications, the attacker then sends another HTTP request and another. The server responds to each request by opening a connection, but since they are never closed, the server reaches its concurrent connection limit and starts rejecting all connections.

34
Q

How does a SYN flood work?

A

It utilizes a flaw in the TCP three-way handshake. A SYN flood takes advantage of the way SYN requests are handled. When a computer receives a SYN request, it must hold the connection in the "listen queue" for at least 75 seconds. So, if an attacker sends many SYN requests, the target's queue will quickly fill up, leaving it unable to accept legitimate connections.

35
Q

Which is the second leading IoT vulnerability according to OWASP?

A

Insufficient authentication/authorization

36
Q

What are the top 4 OWASP IoT vulnerabilities?

A

1. Insecure web interface
2. Insufficient authentication/authorization
3. Insecure network services
4. Lack of transport encryption/integrity verification

37
Q

You want to launch attacks against a vulnerable IoT device. What is an example of a tool that would achieve this?

A

Firmalyzer. Firmalyzer is a useful tool that allows you to conduct active security assessments on IoT devices. A few other tools for launching attacks include KillerBee, JTAGulator, and Attify Zigbee Framework.

38
Q

Clear-text credentials, third-party encryption, and encryption keys affect which IoT attack surface area?

A

Device Memory

39
Q

What are the layers in the IoT architecture according to the EC-Council?

A

The Internet of Things (IoT) refers to the network of Internet-connected devices with embedded sensors and processors. The architecture on which they function typically consists of 5 layers according to the EC-Council:
- Application Layer
- Middleware Layer
- Internet Layer
- Access Gateway Layer
- Edge Technology Layer

40
Q

What are the IoT communication models as described by the EC-Council?

A

There are 4 typical IoT Communication Models:
- Device-to-Device Model: An example would be a light switch wirelessly connected to a WiFi light bulb.
- Device-to-Cloud Model: An example could be a temperature sensor connected to an Application Service Provider's cloud.
- Device-to-Gateway Model: An example would be an IoT device that transfers its data to a gateway, which may or may not pass that data on to a cloud for additional access.
- Back-end Data-Sharing Model: An example would be an IoT light sensor connected to a readily available Application Service Provider #1, who enables other service providers to access and utilize Application Service Provider #1's data.

41
Q

A utility provider has a hardware sensor that detects humidity, temperature, and UV exposure for its own utility poles, but it also allows this data to be accessed by third-party service providers for their own purposes. This is an example of which IoT Communication model?

A

Back-end Data-Sharing model

42
Q

Which Nmap switch performs an IP protocol scan?

A

-sO

43
Q

What is the function of the Nmap command -Pn 10.0.0.8/24?

A

Tells Nmap to skip the discovery stage entirely and just test all IPs within 10.0.0.8/24 (i.e. no ping scan).

44
Q

What is the function of the Nmap command -sn 10.0.0.8/24?

A

Runs a discovery scan and no port scan on the target network of 10.0.0.8/24.

45
Q

Which Nmap switch is for NO ping?

A

-Pn

46
Q

What is the correct switch for Nmap to perform a TCP NULL scan?

A

-sN

47
Q

Which Nmap switch is for TCP SYN pinging?

A

-PS

48
Q

What is the function of the command nmap -sL 10.0.0.8/24?

A

Runs a DNS scan on the target subnet 10.0.0.8/24.

49
Q

Which Nmap switch performs a TCP ACK scan?

A

-sA

50
Q

Which switch tells Nmap to perform a TCP FIN scan?

A

-sF

51
Q

Which command line switch tells Nmap to perform a TCP XMAS scan?

A

-sX