ethical hacking exam Flashcards

1
Q

1 (a) List four attributes/skills which a security tester should possess. (4 marks)

A

Programming skills, knowledge of OS, Problem-solving, technical expertise, analytical mindset, attention to detail, communication skills, ethics, teamwork, time management.

2
Q

(b) Define the following terms:
i. Hacker (3 marks)
ii. Penetration Tester (3 marks)
iii. Penetration Tests
iv. vulnerability assessment
v. security tests.

A

i. Hacker (3 marks)
is a person that uses their skills to gain unauthorized access to networks for malicious purposes or for personal gain.
ii. Penetration Tester (3 marks)
a security professional that simulates an attack on networks to identify vulnerabilities and exploits.
iii. Penetration Tests
Penetration tests are a type of testing in which a security professional simulates an attack on networks to identify vulnerabilities in the system.
iv. vulnerability assessment
is a process of identifying and assessing vulnerabilities in a system or networks to determine potential security risks.
v. security tests.
A set of tests that are performed to identify and evaluate the security controls of a network to ensure that they are effective in protecting against potential threats.

3
Q

(c) What is the main difference between an ethical hacker and a hacker?

A

The ethical hacker works with permission to identify vulnerabilities and improve a system's or network's security, while a hacker uses their skills to gain unauthorized access for personal gain or to cause harm.

4
Q

(d) Why should a security professional or student learning hacking techniques be aware of the country’s laws that apply to their field of study?

A

To avoid legal implications, ensure ethical considerations, protect their professional reputation, and comply with organizational requirements.

5
Q

(e) Why are Ethical hackers employed or contracted by a company to conduct vulnerability assessments, penetration tests, and security tests?

A

They are employed for many reasons: to identify vulnerabilities in the system or network, to enhance security measures, for compliance requirements, and as a cost-effective solution (it is cheaper to hire an ethical hacker than to recover from security breaches).

6
Q

(f) Describe 2 actions which security testers cannot perform legally. [10]

A

Performing tests without authorization, accessing unauthorized systems, stealing data, breaching confidentiality, interfering with system performance.

7
Q

(g) Why are employees sometimes not told that the company's computer systems are being monitored?

A

To ensure the employees do not act differently than they normally would, and also it can help companies detect and prevent any insider threats or malicious activities that may put the company data and assets at risk.

8
Q

a) Define the following terms: "ethical hacking" and "security testing", making clear the distinction between them. (8 marks)

A

Ethical hacking is identifying vulnerabilities or security threats with permission, while security testing is a broader range of techniques used to evaluate the effectiveness of security measures in a network.

9
Q

(b) Describe the three models used by penetration or security testers to conduct tests.

A

Black-box: is a testing model in which the tester has no prior knowledge of the system or network being tested.
White-box: is a testing model in which the tester has full knowledge of the system being tested, including source code, network architecture, and security controls.
Grey-box: falls somewhere in between black-box and white-box. The tester has some, but not all, knowledge of the system or network.

10
Q

2 (a) What are TCP flags and why are they used? (3 marks)

A

SYN is used to initiate a TCP connection.
ACK is used to confirm that data has been received and accepted by the receiver.
FIN is used to terminate a TCP connection.
RST is used to reset a connection in the event of an error.
PSH is used to request that data is sent to the receiver.
URG is used to identify urgent data that needs to be processed before any other data.

11
Q

(b) What is session hijacking and how is it achieved? (3 marks)

A

Session hijacking is a type of attack where the attacker takes control of a valid session between a user and a server to perform unauthorized actions or gain access to sensitive data. This can be achieved through session prediction, session sniffing, XSS, or man-in-the-middle attacks.

12
Q

(c) What is ICMP used for? How do network professionals troubleshoot network connectivity problems with ICMP? Explain with an example.

A

ICMP is a network protocol used for diagnostic purposes. Network professionals use ICMP tools like ping and traceroute to test network connectivity and track the path of packets. ICMP is also used to send error messages to notify network admins of network problems.

13
Q

(d) What is the use of DNS? Where can DNS servers be located?

A

DNS translates human-readable domain names into machine-readable IP addresses. DNS servers can be located in a company's data center.

14
Q

(e) What steps are involved in TCP’s three-way handshake?

A

It involves a client sending a SYN packet to a server to initiate a connection. The server then responds with a SYN-ACK packet to acknowledge the client's request and establish a connection. The client then sends a final ACK to confirm that the connection has been established.

15
Q

(f) List 4 critical components of a TCP header.

A

Source port – the port number on the sender’s device.
Destination port – the port number on the receiver’s device.
Sequence number (ISN) – the sequence number of the first data byte.
Acknowledgement number – contains the value of the next expected sequence number.

16
Q

(g) Why should security testers be concerned with TCP header components? Give an example. (8 marks)

A

Because the header plays a crucial role in establishing and maintaining a secure and reliable connection between two endpoints. For example, a security tester can analyse a TCP header and identify that the source and destination ports are well-known port numbers associated with a vulnerable service; these ports can be the target of an exploit in an attack. Similarly, if an unexpected sequence number or acknowledgement number is identified, it could indicate a man-in-the-middle attack.

17
Q

3 (a) What is the difference between spyware and adware? (4 marks)

A

Spyware collects sensitive information without permission, and adware displays unwanted ads.

18
Q

(b) Describe the following terms:
i. Denial of Service (DoS) (3 marks)
ii. Botnet (or Zombies) (3 marks)
iii. DDoS Attack, how it works, example
iv. Trojan programs operate
v. Ping of death

A

i. Denial of Service (DoS) (3 marks)
A type of attack that aims to make a website or network unavailable to users by overwhelming that service with traffic.
ii. Botnet (or Zombies) (3 marks)
Botnet is the term used to describe a network of compromised computers (zombies) that are controlled by a command server to carry out malicious activities such as DDoS.
iii. DDoS Attack, how it works, example
Distributed Denial of Service is a type of DoS attack that uses a botnet, a network of compromised computers, to flood a system with traffic requests and make the service unavailable to legitimate users.
iv. Trojan programs operate
A type of malware that appears to be legitimate software but actually contains malicious code to damage or steal data from computer systems.
v. Ping of death
A type of network attack that sends a malicious ping packet to a target device, causing it to crash or become unresponsive.

19
Q

(c) Explain how a basic computer virus operates and how it uses other host programs.

A

A basic virus infects a host program or file and replicates itself to spread to other files or systems.
It can modify the host program's code to include the virus code. When this infected program is executed, the virus is also executed, allowing it to replicate itself and infect other programs or systems.

20
Q

(d) How do buffer overflow attacks work? Explain with an example.

A

A buffer overflow occurs when a program writes more data to a buffer than it can hold, causing the extra data to overflow into adjacent memory regions.

21
Q

(e) What is the difference between a computer virus and worm? Your answer should explain how each replicates itself and propagates through a network. (8 marks)

A

A computer virus infects a host (file/software) and requires these hosts to spread, while worms are standalone viruses that can spread independently.

22
Q

4 (a) Social engineers use many different tactics in their attempt to gain information from unsuspecting people. Using suitable examples, describe each of the following common tactics:
i. Urgency (2 marks)
ii. Quid pro quo (2 marks)
iii. Status quo (2 marks)
iv. Kindness (2 marks)
v. Position (2 marks)

A

i. Urgency (2 marks)
They use a sense of urgency to pressure the victims into making quick and bad decisions without thinking. An attacker may impersonate a technical support agent and tell a victim that their computer has a critical security issue that needs to be fixed, and the attacker may ask for login details.
ii. Quid pro quo (2 marks)
Social engineers offer something in exchange for information like login credentials or access to a victim's system. An attacker may offer a free service or program in exchange for their login details.
iii. Status quo (2 marks)
Social engineers use the status quo bias to convince victims to maintain the current state of affairs. An attacker may send a phishing email that appears to be from a legitimate source and instructs the victim to confirm their account details to prevent it from being suspended.
iv. Kindness (2 marks)
They use kindness to gain a victim's trust and compliance. An attacker may pose as a charity worker and ask for donations or personal information.
v. Position (2 marks)
They use their perceived authority or position to convince victims to comply with their request. An attacker may impersonate a police officer or a senior executive and ask a victim to provide sensitive information or access to a system.

23
Q

(b) What type of information is usually gathered by social engineering? Give 2 examples.

A

Usernames and passwords. Attackers may convince their victim to give them login details.
Personal information. Attackers may ask for personal information such as name, date of birth, or national insurance number.
Financial information. Attackers may request credit card information, bank account details and more.

24
Q

(c) List 4 techniques used by social engineers in their attempts to gain information from unsuspecting people. Describe each with an example. [4]

A

Phishing: attackers may use email, text or phone calls that appear to be from a legitimate source such as bank or online service to trick victims into giving their personal information or login details.
Tailgating: attackers gain physical access to a building by following an authorized person without proper identification or authorization. For example, they can ask an employee to hold the door open, pretending to be a new employee without an ID card.
Dumpster diving: a physical form of attack that involves searching through trash or recycling bins to find sensitive information, such as discarded hard drives.
Impersonation: an attacker may pretend to be someone else, such as a colleague or a supplier, or even law enforcement such as the police, to gain the victim's trust.

25
Q

(d) A simple process like dumpster diving can be very effective when gathering information utilising social engineering. Explain with 2 examples.

A

Gathering confidential documents: an attacker can search through a company's trash to find unshredded documents containing sensitive data, such as financial records, employee details, or customer information.
Discarded hard drives: an attacker may find discarded hard drives, memory sticks or other computer equipment that contain sensitive information such as emails, documents or financial records.

26
Q

(e) How can a company prevent social engineers gaining information from unsuspecting employees? Describe with an example. [5]

A

One effective way to prevent social engineering attacks is to implement a comprehensive security awareness program that educates employees about social engineering tactics and encourages them to follow best practices for information security.

27
Q

(f) What is Piggybacking? How does it work?

A

Piggybacking or tailgating is a social engineering technique where an unauthorized person gains physical access to a restricted area or system by following an authorized person without proper identification. For example, an "attacker" may ask an employee to hold the door, claiming to be a "new" employee who forgot his or her identification.

28
Q

5 (a) Using suitable examples distinguish between open ports, closed ports and filtered ports, which are reported by scanning programs. (6 marks)

A

Open ports are actively accepting incoming connections from other devices.
Closed ports are not active, and not accepting connections.
Filtered ports are closed ports as they are not responding to incoming connection requests due to a firewall or other security measure.
Scanning programs will report open ports, and this information is used to identify potential vulnerabilities in a system.

29
Q

(b) What is the best method of preventing NetBIOS attacks? (2 marks)

A

The best method of preventing NetBIOS attacks is to disable NetBIOS over TCP/IP on systems that do not require it.

30
Q

(c) Give one reason why security testers conduct enumeration. (2 marks)

A

To gather information about the target system or network that can be used to identify vulnerabilities and plan a targeted attack.

31
Q

(d) Which ports should security professionals scan when doing a test? Why? [3]

A

Security professionals should scan all ports when conducting a test to ensure that all potential entry points are covered. However, certain ports may be more commonly targeted by attackers, such as ports 21 (FTP), 22 (SSH), 23 (Telnet), 80 (HTTP), 139 (SMB), 443 (HTTPS) and 445.

32
Q

(e) Why is it important for a security tester to be able to use Nmap? [2]

A

Nmap is a powerful network scanning tool that allows testers to discover hosts and services on a network, identify potential vulnerabilities and gather other critical information that can be used to assess the security of a target system.

33
Q

(f) Why is port scanning useful for hackers? What does an open, closed and filtered port indicate?

A

It is useful because it allows them to identify possible vulnerabilities in a system. An open port means a port is actively accepting connections, and a hacker may find some kind of vulnerability to exploit. A closed port is the safest it can be, as the port is not accepting any connections. A filtered port is also a closed port that is being blocked by a firewall and is being protected by security measures.

34
Q

(g) Name and briefly describe 5 types of port scans

A

SYN scan: this is the stealthiest scan; it sends SYN packets to each port on a system. If a port responds, it is considered open. No full handshake is made.
Connect scan: the most basic of the port scans. It attempts to connect to each port using a full handshake. It is easily tracked.
FIN scan: this is another stealthy port scan, performed by sending FIN packets to each port. If there is no response, the port is considered closed.
XMAS scan: this is a more aggressive approach that sends packets with the FIN, PSH, and URG flags set. If there is no response, the port is considered closed.
UDP scan: this works by sending UDP packets; a closed port will respond with an ICMP port unreachable message, which means the port is closed.

35
Q

(h) What does crafting IP packets involve? Give an example. (10 marks)

A

It involves creating or modifying IP packets to include specific data or payloads that can be used to exploit vulnerabilities in target systems. Hping and Fping tools are used for this.

36
Q

(i) How does port scanning aid an attacker? (10 marks)

A

By allowing them to identify potential entry points to a targeted system and to identify services or applications that may be running on those systems.

37
Q

6 (a) Why are rootkits that infect a device’s firmware considered the biggest threat to any OS (embedded or general-purpose)? (6 marks)

A

They are considered the biggest threat because they can persist even after the OS has been reinstalled or replaced. Once a rootkit infects firmware, it can take control of the system at a lower level, making it difficult to detect and remove.

38
Q

(b) Specify two best practices for password protection. (4 marks)

A

Use strong complex passwords that are difficult to guess or crack.
Use unique passwords for each account or service rather than the same password for every account.
Use multi-factor authentication wherever possible.
Regularly change your passwords.

39
Q

7 (a) What type of information can be gathered by wardriving? Provide three examples. (6 marks)

A

Wardriving involves driving around and looking for available wireless networks in the area.
Information that can be gathered includes:
SSIDs – identifying the names of wireless networks that are available in the area.
Encryption types – can also detect whether a wireless network is encrypted and what type of encryption is being used.
GPS coordinates - can log the coordinates of wireless networks. This can be useful to map out the locations of potential targets.
Signal Strength: By measuring the signal strength at different locations, wardriving can determine the approximate range of a wireless network.

40
Q

(b) Describe two main purposes of a firewall. (4 marks)

A

Network Security: firewalls are used to protect networks from unauthorized access and potential threats by blocking incoming traffic.
Access Control: can also be used to control access to specific resources or services within a network.
Packet Filtering
Network Monitoring

41
Q

8 (a) Give three reasons why embedded OSs are more likely to have unpatched security vulnerabilities than general-purpose OSs? (6 marks)

A

Limited resources: they are often designed to run on devices with limited resources, such as memory or processing power.
Customizations: they are often customized for specific devices or applications, which makes it more difficult to apply general-purpose security patches and updates.
Lack of encryption: some embedded devices may not use encryption or other security measures to protect sensitive data.

42
Q

(b) Describe two common Web application vulnerabilities. (4 marks)

A

Cross-site scripting or XSS is a vulnerability where the attacker injects a malicious script into a web page using some kind of form or text entry field.
SQL injection is a vulnerability where the attacker is able to inject malicious SQL code into a website's database by exploiting poorly configured SQL queries or input validation mechanisms.

43
Q

9 (a) What is competitive intelligence? Why is it important to a company that engages an ethical hacker? [2]

A

Competitive intelligence is gathering information about competitors, customers or markets that may affect a company's operations. It is important to engage an ethical hacker as the hacker can identify vulnerabilities or weaknesses in the company's own systems or in their competitors' and help the company strengthen its system security.

44
Q

(b) How can DNS be used for foot printing? [2]

A

DNS can be used for footprinting by gathering information through DNS queries and DNS zone transfers to obtain information about the target's domain names, IP addresses and other network infrastructure.

45
Q

(c) What is the purpose of a Web bug, and how do they relate to or differ from spyware? Why do security professionals need to be aware of Web bugs?

A

A Web bug is a small and often invisible image embedded in a web page or email used to track user behaviour, such as when a user opens an email or webpage. Web bugs and spyware are related as they can both be used to track user behaviour without consent. Security professionals need to be aware of web bugs as they can be used to gather sensitive information.

46
Q

(d) Describe the Whois utility. How can computer criminals use the Whois utility for their purposes?

A

Whois is used to look up domain name registration information. Attackers can use it to launch targeted attacks or identify potential vulnerabilities.

47
Q

(e) Define and briefly explain footprinting methods

A

Footprinting is a technique to gather information about a network or company. These methods can be passive, active, DNS, web, and email. Attackers use these methods to identify potential vulnerabilities in a system.

48
Q

(f) How can an attacker use HTTP methods before running an exploit on a server? (8 marks)

A

Attackers can use HTTP methods as part of reconnaissance to gather information about the server or website. They can use the HEAD method to retrieve information about the server, such as the server type and version as well as the existence of custom headers.

49
Q

(g) Briefly, how can a cookie be used in an attack? (2 marks)

A

Cookies can be used in attacks such as cookie poisoning or session hijacking to gain unauthorized access to a user's account. Cookie poisoning is modifying the cookie value to impersonate a user and perform actions on their behalf. Session hijacking is similar to poisoning, but the attacker steals the user's session ID, which is stored in the cookie, and uses it to impersonate that user.

50
Q

10 (a) Why is enumeration a more intrusive process than port scanning or footprinting? Give an example. [2]

A

Enumeration involves actively querying a target system for information, potentially exposing sensitive data and triggering alarms. For example, user enumeration involves sending login requests with different usernames or passwords to determine if a valid account exists on the system.

51
Q

(b) What is the primary purpose of enumeration, and give 3 examples of information that can be acquired through enumeration? [4]

A

The primary purpose is to gather as much information as needed. Some examples below:
Usernames can be acquired using enumeration, which can then be used in password brute-force or spear-phishing attacks.
Network resources can be found, like shares, printers, and other resources that may be vulnerable.
Software and services can be found, i.e. which types of software and services are running on a system's network.

52
Q

(c) What version of Windows Server has completely eliminated the option for telnet server? [2]

A

Windows Server 2008 no longer has a telnet server component; instead Microsoft recommends using PowerShell or Remote Desktop Protocol (RDP).

53
Q

(d) Why do hackers pay attention to NetBIOS computer name suffixes?

A

Because they can be used to determine the OS running on a target system. For example, the suffix _NT indicates Windows NT, while _XP indicates Windows XP. By identifying the OS, a hacker can easily find a vulnerability to exploit.

54
Q

(e) What is a "null session" and how does it relate to Windows systems? [10]

A

A null session is a type of connection to a Windows system where the user does not need any credentials to connect. This allows a user to obtain basic information about the system and its resources.

55
Q

(f) Why is understanding the protocol “Simple Network Management Protocol” important for security professionals?

A

It is important to understand SNMP as it is a very widely used protocol for managing and monitoring network devices such as routers, switches and servers.

56
Q

11 (a) Why is a comprehensive password policy critical? What should a password policy include?

A

It is critical because weak or easily guessable passwords are targets for attackers to gain unauthorized access to a system. A password policy should include password complexity, length, and expiration date, as well as rules regarding password reuse and sharing.

57
Q

(b) Which Windows OS is designed for use on tablets and traditional PCs and only allows trusted applications by default through Device Guard?

A

Windows 10 Enterprise and Education editions come with Device Guard included, which is designed for tablets and traditional PCs.

58
Q

(c) What is Server Message Block (SMB) used for in Windows and can a hacker still damage a network using SMB?

A

SMB is used for file sharing. SMB is designed to be secure, but a hacker can easily damage a network if the administrator does not implement the correct security measures.

59
Q

(d) What is the purpose of a file system?

A

A file system manages and organizes data stored on a computer or hard drive. It provides a hierarchical structure for storing, organizing and retrieving files and directories, as well as managing access permissions and security settings.

60
Q

(e) The file system organizes information that users create as well as the OS files needed to boot the system, so the file system is the most vital part of any OS. Why should a systems administrator disable unused services and filtering ports? Discuss with an example.

A

They should disable these services and ports to prevent any potential security breach. Unused services and ports can provide a point of entry for hackers. For example, if a system admin leaves an FTP service running but not in use, it can be exploited by an attacker who gains access to the system through that open port.

61
Q

(f) Why should you review logs regularly, and how should you manage this task?

A

It is important to identify security breaches or suspicious activities on the system. This allows a timely response to any security issues.
To manage this task, an admin should have a log management plan in place, which includes setting up automated log reviews and alerts.

62
Q

12 (a) What is GDPR? [5]

A

General Data Protection Regulation. It is a set of data protection and privacy regulations implemented by the European Union (EU) to safeguard the personal data of individuals within the EU.

63
Q

(b) List the technical term that matches the following descriptions. [5]
a. Network of robot computers:
b. A program that usually hides in the OS tools, so it’s almost impossible to detect:
c. A program that disguises itself as a useful program and can install a backdoor or a rootkit on a computer:
d. An attack that uses a large ICMP packet to cause the victim computer to freeze and malfunction:
e. An attack that prevents legitimate users from accessing network resources:

A

Botnet
Rootkit
Trojan
Ping of Death
Denial of Service