Certified Ethical Hacker, CEH Practice Test - Results (Solomon) Flashcards

1
Q
Which security standard was created by a council concerned with the protection of credit card data?
A.PCI DSS
B.TCSEC
C.OSSTMM
D.HIPAA
A

A.PCI DSS

Explanation

Correct Answer: The Payment Card Industry Data Security Standard (PCI DSS) is a security standard created by the Payment Card Industry Security Standards Council (PCI SSC). It’s designed to protect consumer credit card data in transit and in storage. PCI DSS consists of 12 requirements: for example, Requirement 1 compels the use of firewalls to protect data, Requirement 4 necessitates encryption for data in transit, and Requirement 11 mandates quarterly external vulnerability scans and annual penetration tests.

Incorrect Answers: HIPAA deals with the protection of private health information.

Trusted Computer System Evaluation Criteria (TCSEC) was created by the DoD (and is also known as the Orange Book).

OSSTMM (Open Source Security Testing Methodology Manual) is a peer-reviewed manual of penetration and security testing and analysis.

2
Q
Which of the following is a legitimate use for tcp-over-dns?
A.Packet crafting
B.Firewall evasion
C.Network Sniffing
D.OS Fingerprint
A

B.Firewall evasion

Explanation

Correct Answer: Tunneling through a firewall is a great evasion technique, and the tcp-over-dns tool accomplishes this by tunneling over the Domain Name System (DNS). Port 53 is usually open on firewalls because…well, everything uses and needs DNS. The tcp-over-dns tool takes advantage of that. As an aside, it also requires Java runtime environment 6.0 or later and is supported on Windows, Linux, and Solaris.

Incorrect Answers: These are not uses for the tcp-over-dns tool.

3
Q

What is the primary difference between PGP and S/MIME?
A.PGP uses SHA-1 for integrity
B.S/MIME uses RSA for digital signatures
C.S/MIME can encrypt email, but PGP can't
D.PGP can be used to encrypt hard drives, but S/MIME cannot

A

D.PGP can be used to encrypt hard drives, but S/MIME cannot

Explanation

Correct Answer: Pretty Good Privacy (PGP) can handle a lot more than e-mail, and that is one of the primary differences between it and S/MIME (Secure/Multipurpose Internet Mail Extensions). PGP is an application, whereas S/MIME is a protocol.

Incorrect Answers: The remaining choices are not true regarding either PGP or S/MIME.

4
Q
Which nmap script can be used to show potentially risky HTTP methods?
A.http-risk
B.http-headers
C.http-get
D.http-methods
A

D.http-methods

Explanation

Correct Answer: Per nmap’s site (https://nmap.org/nsedoc/scripts/http-methods.html), the http-methods script “finds out what options are supported by an HTTP server by sending an OPTIONS request and lists potentially risky methods. Any output other than 501/405 suggests that the method is if not in the range 400 to 600. If the response falls under that range then it is compared to the response from a randomly generated method. In this script, ‘potentially risky’ methods are anything except GET, HEAD, POST, and OPTIONS.”

Incorrect Answers: These are not valid nmap scripts.

5
Q
An attacker installs malicious software on a Blackberry device without the user's knowledge, and then leverages the Blackberry as a proxy into the private network. Which of the following attacks matches this description?
A.Blackjacking
B.Bluesmacking
C.Bluescarfing
D.Bluejacking
A

A.Blackjacking

Explanation

Correct Answer: Blackjacking involves leveraging a user’s Blackberry device as a proxy, allowing the attacker to come in from the Internet and gain access into the internal, private network. This attack can be carried out using a tool called BBProxy, which is included in the Blackberry Attack Toolkit (https://sourceforge.net/projects/bbat/).

Incorrect Answers: Bluejacking is an attack centering on Bluetooth vectors, bluesmacking is a DoS attack, and blackscarfing is not a real term.

6
Q

Your team is testing a server that serves PHP pages for the Shellshock vulnerability. Which of the following actions should you take?
A.Send specially created environment variables and trailing commands
B.Create special HTML entries for web forms
C.Modify the URL parameters
D.Craft specific SQL entries to attack the vulnerability

A

A.Send specially created environment variables and trailing commands

Explanation

Correct Answer: Shellshock allows an attacker to add trailing information in environment variables.

Incorrect Answers: These answers do not match the Shellshock vulnerability.

7
Q
Which character is the best choice to start a SQL injection attempt?
A.Colon
B.Double quote
C.Single quote
D.Semicolon
A

C.Single quote

Explanation

Correct Answer: The single quote starts many SQL attacks.

Incorrect Answers: The other choices do not start SQL injection attacks.

8
Q
Which of the following tools can be used for remote password cracking of web servers? (Choose two.)
A.Brutus
B.THC-Hydra
C.Nikto
D.BlackWidow
A

A.Brutus
B.THC-Hydra

Explanation

Correct Answer: Brutus is a fast, flexible remote password cracker. It was originally invented to help its creator check routers and network devices for default and common passwords, but has since grown and evolved into much more, and it’s among the more popular security tools available for remote password cracking. THC-Hydra is another remote password cracker. It’s a “parallelized login cracker” that provides the ability to attack over multiple protocols.

Incorrect Answers: Nikto is not a remote password cracker. It’s an open source web-server-centric vulnerability scanner that performs comprehensive tests against web servers for multiple items.

BlackWidow is a web cloning tool, allowing you to copy an entire website for later review.

9
Q
An attacker calls the help desk and asks for a password reset on a user ID he has obtained information on. Which type of social engineering attack is this?
A.Impersonation
B.Reverse engineering
C.Spoofing
D.Technical support
A

D.Technical support

Explanation

Correct Answer: A technical support attack is one in which the attacker calls a support desk in an effort to gain a password reset or other useful information. This is a very valuable method because if you get the right help desk person (that is, someone susceptible to a smooth-talking social engineer), you can get the keys to the kingdom.

Incorrect Answers: Impersonation occurs when an attacker pretends to be a person of authority.

Reverse social engineering occurs when the user calls the attacker for assistance.

Spoofing is not a social engineering attack.

10
Q
What presents the highest risk to a target network or resource?
A.A disgruntled employee
B.Phishing
C.Script kiddies
D.A white-hat attacker
A

A.A disgruntled employee

Explanation

Correct Answer: Everyone recognizes insider threats as the worst type of threat, and a disgruntled employee on the inside is the single biggest threat for security professionals to plan for and deal with.

Incorrect Answers: Script kiddies usually don’t pose much threat–defenses are aligned against them.

Phishing is a definite threat, but again defenses are in place.

White-hat attackers are hired by the organization, so they’re not an intentional threat.

11
Q
A user calls the help desk complaining about large amounts of unsolicited messages being received on her Bluetooth-enabled device. Which Bluetooth attack may be in play here?
A.Bluesmacking
B.Bluesniffing
C.Bluejacking
D.Bluescaffing
A

C.Bluejacking

Explanation

Correct Answer: Bluejacking is a Bluetooth attack where the attacker sends unsolicited messages to the target. In many cases, this is done as part of social engineering in an effort to get the user to do something beneficial for the attacker.

Incorrect Answers: Bluesmacking is a DoS attack.

Bluesniffing is an effort to sniff data from Bluetooth exchanges.

Bluescarfing is the actual theft of data from a Bluetooth device.

12
Q

A standard ping sweep using ICMP over TCP attempts to identify live hosts on the network. Which of the following provides an explanation for no response from a ping request?
A.The hosts might be turned off or disconnected
B.TTL value is too low
C.The destination network might be down
D.All of the answers are correct
E.ICMP is being filtered

A

D.All of the answers are correct

Explanation

Correct Answer: Ping basically asks a host to return the packet sent. It’s used mainly to identify live hosts and to help in troubleshooting.

If the host isn’t available–because it’s turned off or ICMP is being filtered by an external (or internal) device–then it cannot respond (almost like yelling to your kids who can’t hear you due to the loud music in the room).

The TTL value tells the ping packet when to “die” and is decremented after passing through a router (hop). If it isn’t high enough to reach the host system, there will be no reply.

Incorrect Answers: Because all these are correct responses, “All of the answers are correct.” is the only appropriate choice.

13
Q
Which of the following is defined as a process of evaluating assets to determine the amount of vulnerability each represents to the organization?
A.Vulnerability scanning
B.Pen test
C.Security analysis
D.Risk assessment
A

D.Risk assessment

Explanation

Correct Answer: A risk assessment, part of overall risk management, is an evaluation process whereby everything is looked at through the prism of “what vulnerabilities does this asset add to my environment?” Risk assessors should consider security and administrative safeguards in place and evaluate how likely each system is to be compromised. From this analysis, companies can decide to accept, mitigate, transfer, or avoid the risk.

Incorrect Answers: The remaining answers do not reflect the definition provided.

14
Q
You have network anomaly-based IPS set up, along with multiple other tools for security controls. This morning on the way to work, you receive an e-mail alert on your phone regarding possible malicious traffic. In investigating, you see that the IPS saw the anomalous traffic coming into the network and leaving, with the alert based on the unexpected behavior. The traffic turned out to be a user coming into work very early to get a project finished. Which of the following best describes what the IPS noted?
A.False positive
B.True negative
C.False negative
D.True positive
A

A.False positive

Explanation

Correct Answer: The IPS saw the traffic, obviously, but made a decision it was bad traffic based on previous noted behavior, when it was, indeed, normal traffic (just at an abnormal time). The traffic was flagged as malicious even though it wasn’t, which is the definition of a false positive.

Incorrect Answers: A false negative occurs when the IPS sees traffic as good when it is actually malicious. The other two answers are distractors.

15
Q
ICMP packets do not work in identifying targets on a particular subnet. Which of the following is the best option in this situation?
A.TCP Ping
B.Nslookup
C.Traceroute
D.Broadcast ping
A

A.TCP Ping

Explanation

Correct Answer: A single target not responding doesn’t necessarily mean it’s not “awake”–there could be several reasons why it’s not providing any answer. If you suspect ICMP is blocked, try a TCP ping. The integrated Windows ping utility can’t ping over TCP, so you may have to use tcping.exe (or another comparable tool).

Incorrect Answers: Traceroute does use UDP packets (tracert, on the Windows side, uses TCP and the TTL count), so it wouldn’t be blocked. However, it’s designed to display path information, not to necessarily identify targets.

Nslookup might work in a zone transfer to tell you what systems DNS knows about, but it can’t tell you what’s necessarily alive.

A broadcast ping is simply ICMP sent to the broadcast address in the subnet.

16
Q
Which of the following allow for Bluetooth device discovery? (Choose two.)
A.BT Browser
B.PhoneSnoop
C.BBProxy
D.BlueScanner
A

A.BT Browser
D.BlueScanner

Explanation

Correct Answer: BlueScanner (from SourceForge) does a great job of finding devices around you, and can also try to extract and display as much information as possible. BT Browser is another great, and well-known, tool for finding and enumerating nearby devices.

Incorrect Answers: BBProxy is a BlackBerry-centric tool that’s useful in an attack called blackjacking.

PhoneSnoop is good for spyware on a BlackBerry.

17
Q
You are performing tests from a Cisco device. Which of the following commands should be used to help identify a packet's path to its destination?
A.Ping
B.Traceroute
C.tracert
D.ipconfig
A

B.Traceroute

Explanation

Correct Answer: Traceroute is a good tool to show a packet’s path to its destination. On a Windows machine, the command is tracert, and the tool uses TTL to map each hop along the way. On virtually everything else (including Linux and most Cisco devices), the command is traceroute, and the tool uses UDP instead.

Incorrect Answers: These are not the correct tools to use. Ping sends an echo request, and ipconfig displays NIC information.

18
Q
Which of the following laws protects the confidentiality and integrity of personal information collected by financial institutions?
A.PCI DSS
B.GLBA
C.HIPAA
D.Sarbanes-Oxley
A

B.GLBA

Explanation

Correct Answer: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to take steps to protect customer information. It also forces them to provide their privacy practices to the public.

Incorrect Answers: HIPAA deals with the protection of personal data in the medical realm.

SOX deals with publicly traded companies, forcing them to allow independent audits and to post financial findings.

PCI DSS is in place to secure data used in credit card transactions and storage.

19
Q
You are performing reconnaissance on a target and want to see domain name registration contact information. Which of the following is your best choice?
A.Whois
B.IETF
C.CAPTCHA
D.IANA
A

A.Whois

Explanation

Correct Answer: Whois provides all sorts of information on registrants–technical POCs, who registered the domain, contact numbers, and so on.

Incorrect Answers: CAPTCHA is a means to distinguish human from machine input, where a text entry or a picture identification requires a real human to click or enter it. IANA regulates IP allocation, and IETF is a standards organization.

20
Q
Which of the following nmap scans would be the least likely to be detectable?
A.nmap -sS -PT -PI -O -T1
B.nmap -sF -P0 -O
C.nmap -sF -PT -PI -O
D.nmap -sO -PT -O -C5
A

A.nmap -sS -PT -PI -O -T1

Explanation

Correct Answer: The T1 switch slows the scan down tremendously.

Incorrect Answers: The remaining scans either have poor syntax (C5 switch) or do not address speed/stealth.

21
Q
A security tester wants to see what can be found from the company's public-facing web servers. He enters the command nc 187.55.66.77 80. The returned output reads as follows:

HTTP/1.1 200 OK
Server: Microsoft-IIS/6
Expires: Tue, 17 Apr 2016 01:41:33 GMT
Date: Mon, 16 Apr 2016 01:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 28 Dec 2015 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369

Which of the following is an example of what the engineer performed?
A.Cross-site scripting
B.SQL Injection
C.Banner Grabbing
D.Whois database query
A

C.Banner Grabbing

Explanation

Correct Answer: You can perform banner grabbing with netcat easily.

Incorrect Answers: Netcat isn’t used to query Whois (registration information) or to perform SQL injection or XSS.

22
Q

Examine the following command:

nmap -d -script ssl-heartbleed -script-args vulns.showall -sV [host]

Which of the following would you expect to see returned?
A.A list of SSL versions within the scan scope
B.A return of “State: NOT VULNERABLE” on systems protected against Heartbleed
C.An error response because the syntax and script are invalid
D.None of the answers are correct

A

B.A return of “State: NOT VULNERABLE” on systems protected against Heartbleed

Explanation

Correct Answer: You can use the nmap command “nmap -d -script ssl-heartbleed -script-args vulns.showall -sV [host]” to search for the vulnerability; the return will say “State: NOT VULNERABLE” if you’re good to go.

Incorrect Answers: The other answers do not match the command provided. “None of the answers are correct.” is not correct because there is a correct answer.

23
Q
You have network IPS set up, along with multiple other tools for security controls. This morning before you came to work, hackers successfully attacked the network. In investigating, you see that the IPS saw the traffic coming into the network and leaving, but did not alert on it. Which of the following best describes what the IPS noted?
A.False positive
B.False negative
C.True negative
D.True positive
A

B.False negative

Explanation

Correct Answer: The IPS saw the traffic, obviously, but made a decision it was good traffic when it was, indeed, naughty. It should have triggered as a positive hit, but instead allowed it to pass with no action. This is known as a “false negative.”

Incorrect Answers: A false positive occurs when the IPS sees traffic as naughty when it is actually okay. The other two answers are distractors.

24
Q

Operations promotes the use of mobile devices in the enterprise. Security disagrees, noting multiple risks involved in adding mobile devices to the network. Which of the following provides some protections against the risks security is concerned about?
A.Ensure all WAPs are from a single vendor
B.Implement MDM
C.Add MAC filtering to all WAPs
D.Implement WPA

A

B.Implement MDM

Explanation

Correct Answer: Mobile Device Management (MDM) won’t mitigate all the risks associated with unending use of mobile devices on your network, but it’s a step in the right direction.

Incorrect Answers: WPA is an encryption algorithm. MAC filtering is a great idea, but it’s a nightmare to keep up with and it doesn’t address the problems BYOD introduces to the environment. WAPs being from a single vendor or multiple vendors is irrelevant.

25
Q
Amazon's EC2 provides virtual machines that can be controlled through a service API. Which of the following best defines this service?
A.Public
B.PaaS
C.IaaS
D.SaaS
A

C.IaaS

Explanation

Correct Answer: Amazon’s EC2 provides resizable compute capacity in the cloud via VMs that can be controlled via an API, thus fitting the definition of IaaS.

Incorrect Answers: These do not match the Amazon EC2 service description.

26
Q

You are offering your team’s pen test services to a potential client. The customer reviews things and seems unconvinced a manual pen test will be helpful in securing their systems. Which of the following should you do as an ethical hacker and representative of your team?
A.Bring statistical information to the table, showing the risks of poor network security as well as the use of pen testing by industry and government agencies alike
B.Perform a partial pen test and show the customer what you've found with minimal effort
C.Find a single security vulnerability and exploit it, thus proving pen testing is necessary
D.Show pen test results from other assessments and explain the value those customers received

A

A.Bring statistical information to the table, showing the risks of poor network security as well as the use of pen testing by industry and government agencies alike

Explanation

Correct Answer: Ethically, this is the only choice that makes any sense. You can’t do anything without an agreement in place first, and it’s your job to convince them they need it.

Incorrect Answers: Each of these answers–although funny and providing some satisfaction for the “See, I told you so!” crowd among us–is highly unethical.

27
Q

Which of the following is the best choice for protection against privilege escalation vulnerabilities?
A.Set admin accounts to run on least privilege
B.Ensure drivers are appropriately signed
C.Make maximum use of automated services
D.Ensure services run with least privileges

A

D.Ensure services run with least privileges

Explanation

Correct Answer: Ensuring your services run with least privilege (instead of having all services run at admin level) can help in slowing down privilege escalation.

Incorrect Answers: Ensuring drivers are in good shape is good practice but doesn’t have a lot to do with privilege escalation prevention.

Admin accounts don’t run with least privilege; they’re admin accounts for a reason.

Automating services may save time but doesn’t slow down hacking efforts.

28
Q
You have an FTP service and an HTTP site on a single server. Which DNS record allows you to alias both services to the same record (IP address)?
A.PTR
B.SOA
C.NS
D.CNAME
A

D.CNAME

Explanation

Correct Answer: CNAME (Canonical Name) records provide for aliases within the zone.

Incorrect Answers: NS records represent name servers.

SOA is the Start of Authority record.

PTR records map an IP address to a host name (providing for reverse DNS lookups).

29
Q
Background checks on employees, risk assessments on devices, and policies regarding key management and storage are examples of \_\_\_\_\_\_\_\_\_\_\_ measures within physical security.
A.Physical
B.None of the answers are correct
C.Technical
D.Operational
A

D.Operational

Explanation

Correct Answer: Operational measures are the policies and procedures you set up to enforce a security-minded operation.

Incorrect Answers: Physical controls include all the things you can touch, taste, smell, or get shocked by.

Technical controls are measures taken with technology in mind to protect explicitly at the physical level.

“None of the answers are correct.” is not correct because there is a correct answer.

30
Q
Which of the following is an example of a logical control?
A.Security tokens
B.Guards
C.Fire alarms
D.Security policy
A

A.Security tokens

Explanation

Correct Answer: Of the answers provided, security tokens are the only example of a logical (technical) control.

Incorrect Answers: The remaining answers are not technical controls.

31
Q

Which of the following is the best way to defend against network sniffing?
A.Use MAC controls on switches
B.Implement encryption throughout the environment
C.Use static IP addressing throughout the network
D.Implement strong physical security control measures

A

B.Implement encryption throughout the environment

Explanation

Correct Answer: Encryption is the enemy of sniffing (and IDS). After all, if it’s encrypted at point A and decrypted only at point B, any effort to examine it in between is pointless. Of the choices, this is the best available option.

Incorrect Answers: Physical security and static IP addressing won’t do a thing about sniffing.

MAC access control can provide some protection, but not at the level encryption could.

32
Q
Your organization leadership wants security to monitor all traffic coming into and out of your network for malicious intent. Which of the following should you implement?
A.Proxy
B.Network-based IDS
C.Firewall
D.Host-based IDS
A

B.Network-based IDS

Explanation

Correct Answer: An intrusion detection system is what’s being called for here, and an NIDS (network IDS) will watch all network traffic. The network tap location is very important in setting up an NIDS–if not tapped at a location (or in locations) where all network traffic flows through, the tool won’t see everything.

Incorrect Answers: Host-based IDS gets the IDS part right, but misses out with “host” (a HIDS only monitors a single system, not an entire subnet).

Firewalls aren’t used for this purpose–they’re designed to block and allow specific traffic.

A proxy is used either to hide behind when you’re on the outside trying to get in, as an anonymizer-type front from internal to external, or as a repository for information internal machines can hit instead of going outside the subnet.

33
Q
A team member advises that sometimes metadata in publicly available documents can provide valuable intelligence on a target. Which of the following tools can perform a metadata search for you?
A.Google Matrix
B.netcat
C.metagoofil
D.nmap
A

C.metagoofil

Explanation

Correct Answer: Metagoofil (http://www.edge-security.com/metagoofil.php) is an information-gathering tool designed for extracting metadata of public documents belonging to a target company. It performs Google searches to identify and download documents to a local disk and then extract the metadata (using different libraries such as Hachoir, PdfMiner, and others). With the results, it will generate a report with usernames, software versions, and servers or machine names that will help penetration testers in the information-gathering phase.

Incorrect Answers: nmap is a great scanner, and netcat can do wonders in setting up a backdoor and other tasks, but neither is designed for this task. Google Matrix does not exist.

34
Q

A web application in your organization provides significant benefit to the accounting team. However, after a vulnerability scan and a risk assessment, it is determined the application presents significant risk if exposed to external attackers. The server hosting the application is moved inside the DMZ and strong access controls are put into place allowing only the accounting team to use it. Which of the following best describes the risk method used here?
A.The organization is transferring the risk
B.The organization is mitigating the risk
C.The organization is avoiding the risk
D.The organization is accepting the risk

A

B.The organization is mitigating the risk

Explanation

Correct Answer: The actions taken and controls put in place are designed to mitigate the risk–reducing greatly the likelihood it will ever happen.

Incorrect Answers: Accepting the risk equates to not doing anything at all.

Transferring the risk occurs when a company shifts the risk to another party.

Avoiding the risk is removing it altogether.

35
Q
Which of the following provides specific services to untrusted networks or hosts?
A.Proxy Firewall
B.Stateful firewall
C.Packet-filtering firewall
D.Bastion host
A

D.Bastion host

Explanation

Correct Answer: Bastion hosts are deliberately placed on the edge of the network–publicly facing–to handle external requests for . They must be hardened and protected, for obvious reasons, but are designed to protect the internal network.

Incorrect Answers: Proxy firewalls are designed primarily to hide networks. Packet filtering is exactly what it sounds like, and stateful is used to ensure traffic is legitimate based on source, direction, and session information (that is, internally sourced is allowed, externally sourced is not).

36
Q
This security assessment notifies the client of potential vulnerabilities but does not actually exploit them.
A.Security assessment
B.None of the answers are correct
C.Vulnerability assessment
D.Penetration test
A

C.Vulnerability assessment

Explanation

Correct Answer: A vulnerability assessment only points out potential problems to the client.

Incorrect Answers: The other choices do not comply with what the question is asking. Pen testers will definitely take advantage of open vulnerabilities (provided they’re within the boundaries of the test scope).

Scanning assessment is not a valid term.

“None of the answers are correct.” is not correct because there is a correct answer.

37
Q
Which of the following best describes a biometric passport?
A.Something you have
B.Something you require
C.Something you are
D.Something you know
A

A.Something you have

Explanation

Correct Answer: There are three main types of authentication: something you know, something you have, and something you are. When we see “biometric,” we instantly want to click “something you are” and move on. But in this case it’s asking about a biometric passport, which is actually biometric information stored on a chip. The biometric passport is a physical object; therefore, this is something you have.

Incorrect Answers: These do not match the authentication type.

38
Q
Which of the following refers to monitoring security configuration changes over time?
A.Patch management
B.Baselining
C.Vulnerability management
D.Change management
A

B.Baselining

Explanation

Correct Answer: To develop a baseline, you take a snapshot of the current system’s security controls and configuration settings. This can be compared to future states (monitored over time) to see what security and configuration changes have been made. Those that are valid go into the new baseline, and those that aren’t are cut.

Incorrect Answers: Patch and vulnerability management supervise patching and the tracking of vulnerabilities, respectively. Change management deals with controlling changes to systems in the environment.

39
Q
A team member enters the following nmap command:

nmap --script http-methods --script-args one.two.sample.com

When the command executes, the following appears:

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-methods:
|_  Supported Methods: GET PUT HEAD POST OPTIONS

Based on the output, which HTTP methods will the script consider potentially risky?
A.PUT
B.GET
C.POST
D.HEAD
A

A.PUT

Explanation

Correct Answer: The http-methods script will report whether the HTTP GET, PUT, HEAD, POST, and OPTIONS methods are supported by the target system. Of the available options, however, PUT will most likely be marked as potentially risky. HTTP PUT permits HTTP clients to update files on a target system, which could allow naughty uploads. Other HTTP methods that the http-methods script will consider potentially risky are DELETE, CONNECT, and TRACE.

Incorrect Answers: GET, HEAD, and POST are not considered risky by the script.

40
Q

Which of the following statements is true regarding the use of a proxy server on your network?
A.Proxy servers can filter Internet traffic for internal hosts
B.Proxy servers automate IP addressing on your network
C.Proxy servers monitor unauthorized access to the network
D.Proxy servers allow outside customers access to the organization

A

A.Proxy servers can filter Internet traffic for internal hosts

Explanation

Correct Answer: Proxy servers stand in the stead of internal hosts. You can have them go out of the network and do all the dirty work for you, or have them “host” services for you. Providing controlled access to Internet traffic with a proxy is an excellent example–browsers point to a proxy that then handles the work of grabbing and returning requested data.

Incorrect Answers: IDS monitors traffic, and DHCP servers automate addressing. A web server would be used to host a website, not a proxy.

41
Q
An attacker sends SMS text messages crafted to appear as legitimate security notifications, with a phone number provided. The user unwittingly calls the number and provides sensitive data in response. Which of the following correctly describes this attack?
A.Smishing
B.Phishing
C.Vishing
D.Text attack
A

A.Smishing

Explanation

Correct Answer: Smishing refers to an attack using SMS text messages crafted to appear as legitimate security notifications, with a phone number provided. The user unwittingly calls the number and provides sensitive data in response.

Incorrect Answers: Vishing refers to using a phone in social engineering, and phishing uses e-mail. Text attack is not a valid term.

42
Q
An attacker sees guard dogs inside the perimeter. Which of the following best describes this control effort?
A.Technical corrective control
B.Technical preventive control
C.Physical deterrent control
D.Physical detective control
A

C.Physical deterrent control

Explanation

Correct Answer: What can deter you more than the sight of a dog patrolling an area, just waiting for an intruder to chew on? Note the terminology here, though: “preventive” could just as easily have been used as a descriptor; however, “deterrent” is usually found with the physical descriptor.

Incorrect Answers: Dogs aren’t technical. Even smart ones. And while you can use a bloodhound as a means to track down an escapee, dogs are not detective controls.

43
Q
In which phase of the Security Development Lifecycle is "fuzz" testing performed?
A.Implementation
B.Design
C.Release
D.Verification
A

D.Verification

Explanation

Correct Answer: The Security Development Lifecycle (SDL) phases include Training, Requirements, Design, Implementation, Verification, Release, and Response, and each phase holds specific actions. For example, in the Training phase, core security training for developers is performed. In the Requirements phase, the level of security desired is set. In the Verification phase, dynamic analysis, fuzz testing, and attack surface reviews are performed.

Incorrect Answers: The Implementation phase includes using approved tools and static analysis and turning off unsafe functions.

Design includes requirements, attack surface analysis, and threat modeling.

Release includes an incident response plan, final security review, and certification.

44
Q
A security staff implements a network IDS and a host-based IDS. Which security control role is being implemented?
A.Detective
B.Defensive
C.Preventive
D.Corrective
A

A.Detective

Explanation

Correct Answer: Controls fall into three categories: preventive, detective, and corrective. Detective controls are designed to watch for security breaches and detect when they occur, and you can’t get much more detective than an intrusion detection system.

Incorrect Answers: Preventive controls (such as encryption) are in place to prevent a successful attack in the first place.

Corrective controls are designed to fix things after an attack has been discovered and stopped.

Defensive is not a legitimate security control role.

45
Q
In Amazon's EC2, virtual machines are provided and can be controlled through a service API. Which of the following best defines this service?
A.Public
B.PaaS
C.IaaS
D.SaaS
A

C.IaaS

Explanation

Correct Answer: Amazon’s EC2 provides resizable compute capacity in the cloud via VMs that can be controlled via API, thus fitting the definition of IaaS.

Incorrect Answers: These do not match the Amazon EC2 service description.

46
Q
In categorizing risk, which of the following refers to choosing not to use a technology or service due to the risk?
A.Risk transfer
B.Risk mitigation
C.Risk avoidance
D.Risk acceptance
A

C.Risk avoidance

Explanation

Correct Answer: Of the four main methods of dealing with risk, if you choose not to engage in or use the technology or service, you are avoiding risk.

Incorrect Answers: Risk acceptance occurs when you are aware of the risk, but decide to continue using the technology.

Risk mitigation (also known as risk reduction) occurs when you take every measure possible to remove or mitigate the risk.

Risk transfer occurs when another party assumes the risk for you.

47
Q
Which of the following is a password-cracking tool?
A.Hping
B.Wireshark
C.THC Hydra
D.PackETH
A

C.THC Hydra

Explanation

Correct Answer: THC Hydra (http://sectools.org/tool/hydra/) uses dictionary methods for password cracking. Per the site, “When you need to brute force crack a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more.”

Incorrect Answers: Hping is a powerful network scanner, and Wireshark is a standard in sniffing traffic.

PackETH is a packet crafter.

48
Q
NIST SP 800-30 defines this as the step that determines whether any weaknesses exist in an organization's systems, policies, or procedures. Which of the following best matches this definition?
A.Threat identification
B.Impact analysis
C.Vulnerability identification
D.Risk determination
A

C.Vulnerability identification

Explanation

Correct Answer: NIST SP 800-30 defines nine steps in risk assessments:

1. Purpose, scope, and source identification, or system characterization
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Communicating and sharing risk assessment information
9. Maintaining the risk assessment

Step 3 (vulnerability identification) determines whether any flaws or weaknesses might exist in a company’s systems, policies, or procedures.

Incorrect Answers: In risk determination, assessors assign values to risk probabilities. In impact analysis, a determination of the extent of loss or degradation due to an exploited risk is made. Threat identification identifies sources that could cause harm to the environment.

49
Q

Which of the following best describes a red team?
A.Security team members with full knowledge of the internal network
B.Security team members attacking a network
C.Security team members dedicated to policy audit review
D.Security team members defending a network

A

B.Security team members attacking a network

Explanation

Correct Answer: Red teams are on offense. They are employed to go on the attack, simulating the bad guys out in the world trying to exploit anything they can find. They typically have little to no knowledge of the target to start.

Incorrect Answers: Blue teams work on the defensive side and have internal knowledge of the environment.

50
Q

Which of the following best describes a hybrid password-cracking attack?
A.It substitutes numbers and characters in words to discover a password
B.It uses a combination of letters, numbers and special characters in random order to crack the password
C.It uses a rainbow table to crack the password
D.It uses a dictionary file to crack the password

A

A.It substitutes numbers and characters in words to discover a password

Explanation

Correct Answer: Usually a hybrid attack involves a list of passwords that get altered along the way in order to guess the password. For example, if your list contained the word “Fishing,” a hybrid attack would start substituting numbers and characters: f1$hing, Fi$H1n6, and so on.

Incorrect Answers: These do not describe a hybrid attack.