Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CEH Practice Exam from Marcus > Day 4 1-38 > Flashcards

Day 4 1-38 Flashcards

1
Q

4.1 When using Wireshark to acquire packet capture on a network, which device would enable the capture of all traffic on the wire?

A. Network tap
B. Layer 3 switch
C. Network bridge
D. Application firewall

A

A. Network tap

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

4.2 SSL has been seen as the solution to a lot of common security problems. Administrator will often make use of SSL to encrypt communications from point A to point B. Why do you think this could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic between point A and B?

A. SSL is redundant if you already have IDS’s in place
B. SSL will trigger rules at regular interval and force the administrator to turn them off
C. SSL will slow down the IDS while it is breaking the encryption to see the packet content
D. SSL will hide the content of the packets and Intrusion Detection Systems will not be able to detect them

A

D. SSL will hide the content of the packets and Intrusion Detection Systems will not be able to detect them

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

4.3 Which TWO types of detection methods are employed by Network Intrusion Detection Systems (NIDS)?

A. Signature
B. Anomaly
C. Passive
D. Reactive

A

A. Signature

B. Anomaly

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

4.4 Which of the following problems can be solved by using Wireshark?

A. Tracking version changes of source code
B. Checking creation dates on all webpages on a server
C. Resetting the administrator password on multiple systems
D. Troubleshooting communication resets between two systems

A

D. Troubleshooting communication resets between two systems

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

4.5 Your IDS generated an alert because there was a lot of traffic hitting your SQL server. You investigate the server, but there is no indication of an attack and everything looks fine. How then should you classify the IDS alert?

A. True negatives
B. False negatives
C. True positives
D. False positives

A

D. False positives

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

4.6 You logged in to your corporate firewall to do some work, but the IDS logged your activity as an attack. How would you categorize the alert?

A. False positive
B. False negative
C. True positive
D. True negative

A

A. False positive

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

4.7 What hardware requirement should your IDS, IPS, or proxy server have as a best-practice?

A. Fast processor to help with network traffic analysis
B. They should be dual-homed
C. Similar RAM requirements
D. Fast network interface cards

A

B. They should be dual-homed

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

4.8 A hacker has been attacking your network. You find that your IDS wasn’t configured correctly and couldn’t notify you about the attacks. Which type of alert is the IDS giving?

A. True positives
B. True negatives
C. False positives
D. False negatives

A

D. False negatives

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

4.9 A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. Which is the most efficient technique that the tester should consider using?

A. Spoofing an IP address
B. Tunneling scan over SSH
C. Tunneling over high port numbers
D. Scanning using fragmented IP packets

A

B. Tunneling scan over SSH

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

4.10 This IDS defeating technique works by splitting a datagram (or packet) into a continuous stream of multiple (small) fragments and the IDS will not spot the true nature of the fully assembled datagram. The datagram is not reassembled until it reaches its final destination. It would be a processor-intensive task for IDS to reassemble all fragments itself, and on a busy system the packet will slip through the IDS onto the network.
What is this technique called?

A. IP Routing or Packet Dropping
B. IDS Spoofing or Session Assembly
C. IP Fragmentation or Session Splicing
D. IP Splicing or Packet Reassembly

A

C. IP Fragmentation or Session Splicing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

4.11 In keeping with the best practices of layered security, where are the best places to place intrusion detection/intrusion prevention systems? (Choose two.)

A. HID/HIP (Host-based Intrusion Detection/Host-based Intrusion Prevention)

B. NID/NIP (Node-based Intrusion Detection/Node-based Intrusion Prevention)

C. NID/NIP (Network-based Intrusion Detection/Network-based Intrusion Prevention)

D. CID/CIP (Computer-based Intrusion Detection/Computer-based Intrusion Prevention)

A

A. HID/HIP (Host-based Intrusion Detection/Host-based Intrusion Prevention)

C. NID/NIP (Network-based Intrusion Detection/Network-based Intrusion Prevention)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

4.12 Which FOUR of these techniques could you use to evade an IDS, or at least protect yourself, during a port scan?

A. Use fragmented IP packets
B. Spoof your IP address when launching attacks and sniff responses from the server
C. Overload the IDS with Junk traffic to mask your scan
D. Use source routing (if possible)
E. Connect to proxy servers or compromised Trojan’d machines to launch attacks

A

A. Use fragmented IP packets
B. Spoof your IP address when launching attacks and sniff responses from the server
D. Use source routing (if possible)
E. Connect to proxy servers or compromised Trojan’d machines to launch attacks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

4.13 Which of these will recognize attempts to penetrate the network?

A. Router
B. Firewall
C. Proxy
D. Intrusion Detection System

A

D. Intrusion Detection System

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

4.14 Which of these would be the best way to evade the NIDS?

A. Encryption
B. Out of band signaling
C. Protocol Isolation
D. Alternate Data Streams

A

A. Encryption

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

4.15 How can telnet be used to fingerprint a web server?

A. telnet webserverAddress 80
HEAD / HTTP/1.0
B. telnet webserverAddress 80
PUT / HTTP/1.0
C. telnet webserverAddress 80
HEAD / HTTP/2.0
D. telnet webserverAddress 80
PUT / HTTP/2.0
A

A. telnet webserverAddress 80

HEAD / HTTP/1.0

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

4.16 On a Linux device, which of the following commands will start the Nessus client in the background so that the Nessus server can be configured?

A. nessus +
B. nessus *s
C. nessus &
D. nessus -d

A

C. nessus &

17
Q

4.17 What is it called when an IDS can discover attacks but not stop them?

A. Detective
B. Passive
C. Intuitive
D. Reactive

A

B. Passive

18
Q

4.18 A Security Engineer has been tasked with discovering how much information can be obtained from the firm’s public facing web servers. The engineer decides to start by using netcat to port 80. The engineer receives this output:

HTTP/1.1 200 OK
Server: Microsoft-IIS/6
Expires: Tue, 17 Jan 2011 01:41:33 GMT
DatE. Mon, 16 Jan 2011 01:41:33 GMT
Content-TypE. text/html
Accept-Ranges: bytes
Last-ModifieD. Wed, 28 Dec 2010 15:32:21 GMT

Which of the following is an example of what the engineer performed?

A. Cross-site scripting
B. Banner grabbing
C. SQL injection
D. Whois database query

A

B. Banner grabbing

19
Q

4.19 What’s the best approach to tuning security alerts?

A. Raise false positives and raise false negatives.
B. Decrease false negatives.
C. Tune to avoid false positives and false negatives.
D. Decrease false positives

A

C. Tune to avoid false positives and false negatives.

20
Q

4.20 Which type of scanning technique splits the TCP header into many packets so that it becomes hard for network monitoring devices to figure out what the packets are meant for?

A. Ack flag scanning
B. IP fragment scanning
C. TCP scanning
D. Inverse TCP flag scanning

A

B. IP fragment scanning

21
Q

4.21 What’s it called when someone sends a large amount of traffic, in order generate a large amount of alerts on the IDS, in an attempt to hide the real traffic?

A. Insertion attack
B. Denial-of-Service
C. Obfuscating
D. False Positive Generation

A

D. False Positive Generation

An Obfuscation Technique will encode the payload in such a way that the IDS can’t understand it, but the target can understand. A False Positive Generation Attack attempts to hide the attack traffic in a large volume of false positive alerts.

22
Q

4.22 Which technical characteristic do Ethereal/Wireshark, TCPDump, and Snort have in common?

A. They are written in Java.
B. They send alerts to security monitors.
C. They use the same packet analysis engine.
D. They use the same packet capture utility.

A

D. They use the same packet capture utility.

23
Q

4.23 Which of the following does proper basic configuration of snort as a network intrusion detection system require?

A. Limit the packets captured to the /var/log/snort directory
B. Capture every packet on the network segment
C. Limit the packets captured to a single segment
D. Limit the packets captured to the snort configuration file

A

D. Limit the packets captured to the snort configuration file

24
Q

4.24 When discussing trojans, what is a wrapper?

A. An encryption tool to protect the Trojan
B. A tool used to bind the Trojan with a legitimate file
C. A tool used to calculate bandwidth and CPU cycles wasted by the Trojan
D. A tool used to encapsulate packets within a new header and footer

A

B. A tool used to bind the Trojan with a legitimate file

25
4.25 What is the problem with low humidity in a data-center? A. Heat B. Corrosion C. Static electricity D. Airborne contamination
C. Static electricity
26
4.26 The use of technologies like IPsec can help guarantee the following: authenticity, integrity, confidentiality and A. Operability B. Security C. Non-repudiation D. Usability
C. Non-repudiation IPSec offers many functions for security, including confirmation of the data’s origin (non-repudiation/signing)
27
4.27 Company a and Company B have just merged and each has its own public key infrastructure (PKI). What must the certificate authority establish so that the private PKIs for company A and company B trust one another and each private PKI can validate digital certificates from the other company? A. Poly key reference B. Cross certification C. Cross exchange D. poly key exchange
B. Cross certification They must exchange certificates with each other so that they can validate any future certificates issued by the other company’s CA.
28
4.28 On a Windows 2008 server, how many bits does Syskey use to encrypt password hashes? A. 40-bit encryption B. 128-bit encryption C. 256-bit encryption D. 64-bit encryption
B. 128-bit encryption
29
4.29 Study the snort rule given below and interpret the rule. When would an alert be generated? alert tcp any any --> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg "mountd access";) A. When a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111 B. When any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet C. When a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet D. When a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111
D. When a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111
30
4.30 What is the correct command to run Netcat on a server using port 56 that spawns command shell when connected? A. nc -port 56 -s cmd.exe B. nc -p 56 -p -e shell.exe C. nc -r 56 -c cmd.exe D. nc -l 56 -t -e cmd.exe
D. nc -l 56 -t -e cmd.exe
31
4.31 A corporation hired an ethical hacker to test if it is possible to obtain users' login credentials using methods other than social engineering. Access to offices and to a network node is granted. Results from server scanning indicate all are adequately patched and physical access is denied, thus, administrators have access only through Remote Desktop. Which technique could be used to obtain login credentials? A. Capture every users' traffic with Ettercap. B. Capture LANMAN Hashes and crack them with LC6. C. Guess passwords using Medusa or Hydra against a network service. D. Capture administrators RDP traffic and decode it with Cain and Abel.
D. Capture administrators RDP traffic and decode it with Cain and Abel.
32
4.32 What is the correct PCAP filter to capture all TCP traffic going to or from host 192.168.0.125 on port 25? A. tcp.src == 25 and ip.host == 192.168.0.125 B. host 192.168.0.125:25 C. port 25 and host 192.168.0.125 D. tcp.port == 25 and ip.host == 192.168.0.125
C. port 25 and host 192.168.0.125
33
4.33 What file system vulnerability does the following command take advantage of? type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe A. HFS B. Backdoor access C. XFS D. ADS
D. ADS
34
4.34 When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following? A. Drops the packet and moves on to the next one B. Continues to evaluate the packet until all rules are checked C. Stops checking rules, sends an alert, and lets the packet continue D. Blocks the connection with the source IP address in the packet
B. Continues to evaluate the packet until all rules are checked
35
4.35 What is the main advantage that a network-based IDS/IPS system has over a host-based solution? A. They are placed at the boundary, allowing them to inspect all traffic B. They are easier to install and configure C. They do not use host system resources D. They will not interfere with user interfaces
C. They do not use host system resources A is out because your IDS is not necessarily at your boundary. Also, they can’t inspect “all” traffic as there could be a threat within your company already and that traffic wouldn’t pass through the boundary devices.
36
4.36 Which of the following identifies the three modes in which Snort can be configured to run? A. Sniffer, Packet Logger, and Network Intrusion Detection System B. Sniffer, Network Intrusion Detection System, and Host Intrusion Detection System C. Sniffer, Host Intrusion Prevention System, and Network Intrusion Prevention System D. Sniffer, Packet Logger, and Host Intrusion Prevention System
A. Sniffer, Packet Logger, and Network Intrusion Detection System
37
4.37 Tom is writing signatures for a Snort node he placed internally that captures all mirrored traffic from his border firewall. From the following signature, what will Snort look for in the payload of the suspected packets? alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msG. "BACKDOOR SIG – SubSseven 22";flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids, 485;) alert A. The payload of 485 is what this Snort signature will look for. B. Snort will look for 0d0a5b52504c5d3030320d0a in the payload. C. Packets that contain the payload of BACKDOOR SIG - SubSseven 22 will be flagged. D. From this snort signature, packets with HOME_NET 27374 in the payload will be flagged.
B. Snort will look for 0d0a5b52504c5d3030320d0a in the payload.
38
4.38 Your IDS suddenly alerts you to multiple attacks against several different company servers and devices. In which order should you investigate? A. Investigate based on the maintenance schedule of the affected systems. B. Investigate based on the service level agreements of the systems. C. Investigate based on the potential effect of the incident. D. Investigate based on the order that the alerts arrived in.
C. Investigate based on the potential effect of the incident.

CEH Practice Exam from Marcus (15 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions