Exam 4 Flashcards

1
Q

Which of the following is the BEST approach to prevent Cross-site Scripting (XSS) flaws?
A. Use digital certificates to authenticate a server prior to sending data.
B. Verify access right before allowing access to protected information and UI controls.
C. Verify access right before allowing access to protected information and UI controls.
D. Validate and escape all information sent to a server.

A

D. Validate and escape all information sent to a server.

2
Q
Which of the following is a preventive control?
A. Smart card authentication
B. Security policy
C. Audit trail
D. Continuity of operations plan
A

A. Smart card authentication

3
Q

To determine if a software program properly handles a wide range of invalid input, a form of automated testing can be used to randomly generate invalid input in an attempt to crash the program.
What term is commonly used when referring to this type of testing?
A. Fuzzing
B. Randomizing
C. Mutating
D. Bounding

A

A. Fuzzing

4
Q
What is the broadcast address for the subnet 190.86.168.0/22?
A. 190.86.168.255
B. 190.86.255.255
C. 190.86.171.255
D. 190.86.169.255
A

C. 190.86.171.255

5
Q

Which of the following security operations is used for determining the attack surface of an organization?
A. Running a network scan to detect network services in the corporate DMZ
B. Training employees on the security policy regarding social engineering
C. Reviewing the need for a security clearance for each employee
D. Using configuration management to determine when and where to apply security patches

A

A. Running a network scan to detect network services in the corporate DMZ

6
Q
Which tier in the N-tier application architecture is responsible for moving and processing data between the tiers?
A. Application Layer
B. Data tier
C. Presentation tier
D. Logic tier
A

D. Logic tier

7
Q

The security administrator of ABC needs to permit Internet traffic to the host 10.0.0.2 and UDP traffic to the host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration on the router, nobody can access FTP, and the permitted hosts cannot access the Internet. According to the following configuration, what is happening in the network?
A. The ACL 104 needs to be first because it is UDP
B. The ACL 110 needs to be changed to port 80
C. The ACL for FTP must be before the ACL 110
D. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router

A

D. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router

8
Q

How can a policy help improve an employee’s security awareness?
A. By implementing written security procedures, enabling employee security training, and promoting the benefits of security
B. By using informal networks of communication, establishing secret passing procedures, and immediately terminating employees
C. By sharing security secrets with employees, enabling employees to share secrets, and establishing a consultative help line
D. By decreasing an employee’s vacation time, addressing ad-hoc employment clauses, and ensuring that managers know employee strengths

A

A. By implementing written security procedures, enabling employee security training, and promoting the benefits of security

9
Q
Company A and Company B have just merged and each has its own Public Key Infrastructure (PKI). What must the Certificate Authorities (CAs) establish so that the private PKIs for Company A and Company B trust one another and each private PKI can validate digital certificates from the other company?
A. Poly key exchange
B. Cross certification
C. Poly key reference
D. Cross-site exchange
A

B. Cross certification

10
Q
Risks = Threats x Vulnerabilities is referred to as the:
A. Risk equation
B. Threat assessment
C. BIA equation
D. Disaster recovery formula
A

A. Risk equation

11
Q

In 2007, this wireless security algorithm was rendered useless by capturing packets and discovering the passkey in a matter of seconds. This security flaw led to a network invasion of TJ Maxx and data theft through a technique known as wardriving.
Which Algorithm is this referring to?
A. Wired Equivalent Privacy (WEP)
B. Wi-Fi Protected Access (WPA)
C. Wi-Fi Protected Access 2 (WPA2)
D. Temporal Key Integrity Protocol (TKIP)

A

A. Wired Equivalent Privacy (WEP)

12
Q
This kind of password cracking method uses word lists in combination with numbers and special characters:
A. Hybrid
B. Linear
C. Symmetric
D. Brute Force
A

A. Hybrid

13
Q
Which of the following security policies defines the use of VPN for gaining access to an internal corporate network?
A. Network security policy
B. Remote access policy
C. Information protection policy
D. Access control policy
A

B. Remote access policy

14
Q
Which of the following ensures that updates to policies, procedures, and configurations are made in a controlled and documented fashion?
A. Regulatory compliance
B. Peer review
C. Change management
D. Penetration testing
A

C. Change management

15
Q

Within the context of Computer Security, which of the following statements describes Social Engineering best?
A. Social Engineering is the act of publicly disclosing information
B. Social Engineering is the means put in place by human resource to perform time accounting
C. Social Engineering is the act of getting needed information from a person rather than breaking into a system
D. Social Engineering is a training program within sociology studies

A

C. Social Engineering is the act of getting needed information from a person rather than breaking into a system

16
Q

What is a successful method for protecting a router from potential smurf attacks?
A. Placing the router in broadcast mode
B. Enabling port forwarding on the router
C. Installing the router outside of the network’s firewall
D. Disabling the router from accepting broadcast ping messages

A

D. Disabling the router from accepting broadcast ping messages

17
Q
Attempting an injection attack on a web server based on responses to True/False questions is called which of the following?
A. Blind SQLi
B. DMS-specific SQLi
C. Classic SQLi
D. Compound SQLi
A

A. Blind SQLi

18
Q

Your company performs penetration tests and security assessments for small and medium-sized businesses in the local area. During a routine security assessment, you discover information that suggests your client is involved with human trafficking.
What should you do?
A. Immediately stop work and contact the proper legal authorities.
B. Copy the data to removable media and keep it in case you need it.
C. Confront the client in a respectful manner and ask her about the data.
D. Ignore the data and continue the assessment until completed as agreed.

A

A. Immediately stop work and contact the proper legal authorities.

19
Q

Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library? This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
A. Heartbleed Bug
B. POODLE
C. SSL/TLS Renegotiation Vulnerability
D. Shellshock

A

A. Heartbleed Bug

20
Q
Which of the following is not a Bluetooth attack?
A. Bluedriving
B. Bluejacking
C. Bluesmacking
D. Bluesnarfing
A

A. Bluedriving

21
Q

Bob learned that his username and password for a popular game have been compromised. He contacts the company and resets all the information. The company suggests he use two-factor authentication; which option below offers that?
A. A new username and password
B. A fingerprint scanner and his username and password.
C. Disable his username and use just a fingerprint scanner.
D. His username and a stronger password.

A

B. A fingerprint scanner and his username and password.

22
Q
Which of the following is considered an acceptable option when managing a risk?
A. Reject the risk.
B. Deny the risk.
C. Mitigate the risk.
D. Initiate the risk.
A

C. Mitigate the risk.

23
Q
Which of the following examples best represents a logical or technical control?
A. Security tokens
B. Heating and air conditioning
C. Smoke and fire alarms
D. Corporate security policy
A

A. Security tokens

24
Q

A developer for a company is tasked with creating a program that will allow customers to update their billing and shipping information. The billing address field used is limited to 50 characters. What pseudo code would the developer use to avoid a buffer overflow attack on the billing address field?
A. if (billingAddress = 50) {update field} else exit
B. if (billingAddress != 50) {update field} else exit
C. if (billingAddress >= 50) {update field} else exit
D. if (billingAddress <= 50) {update field} else exit

A

D. if (billingAddress <= 50) {update field} else exit

25
Q

A distributed port scan operates by:
A. Blocking access to the scanning clients by the targeted host
B. Using denial-of-service software against a range of TCP ports
C. Blocking access to the targeted host by each of the distributed scanning clients
D. Having multiple computers each scan a small number of ports, then correlating the results

A

D. Having multiple computers each scan a small number of ports, then correlating the results

26
Q

The network team has well-established procedures to follow for creating new rules on the firewall. This includes having approval from a manager prior to implementing any new rules. While reviewing the firewall configuration, you notice a recently implemented rule but cannot locate manager approval for it. What would be a good step to have in the procedures for a situation like this?
A. Have the network team document the reason why the rule was implemented without prior manager approval.
B. Monitor all traffic using the firewall rule until a manager can approve it.
C. Do not roll back the firewall rule as the business may be relying upon it but try to get manager approval as soon as possible.
D. Immediately roll back the firewall rule until a manager can approve it

A

D. Immediately roll back the firewall rule until a manager can approve it

27
Q

Sam is working as a pen-tester in an organization in Houston. He performs penetration testing on an IDS in order to find the different ways an attacker could use to evade the IDS. Sam sends a large number of packets to the target IDS that generate alerts, which enables Sam to hide the real traffic. What type of method is Sam using to evade the IDS?
A. Denial-of-Service
B. False Positive Generation
C. Insertion Attack
D. Obfuscating

A

B. False Positive Generation

28
Q

What is the best defense against a privilege escalation vulnerability?
A. Patch systems regularly and upgrade interactive login privileges at the system administrator level.
B. Run administrator and applications on least privileges and use a content registry for tracking.
C. Run services with least privileged accounts and implement multi-factor authentication and authorization.
D. Review user roles and administrator privileges for maximum utilization of automation services.

A

C. Run services with least privileged accounts and implement multi-factor authentication and authorization.

29
Q
A botnet can be managed through which of the following?
A. IRC
B. E-Mail
C. Linkedin and Facebook
D. A vulnerable FTP server
A

A. IRC

30
Q

Under the “Post-attack Phase and Activities”, it is the responsibility of the tester to restore the systems to a pre-test state.
Which of the following activities should not be included in this phase?
I. Removing all files uploaded on the system
II. Cleaning all registry entries
III. Mapping of network state
IV. Removing all tools and maintaining backdoor for reporting
A. III
B. IV
C. III and IV
D. All should be included.

A

A. III

III. Mapping of network state

31
Q

The practical realities facing organizations today make risk response strategies essential.
Which of the following is NOT one of the five basic responses to risk?
A. Accept
B. Mitigate
C. Delegate
D. Avoid

A

C. Delegate

32
Q
Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within the suite provides different functionality. Collectively, IPSec does everything except:
A. Protect the payload and the headers
B. Authenticate
C. Encrypt
D. Work at the Data Link Layer
A

D. Work at the Data Link Layer

33
Q

A penetration test was done at a company. After the test, a report was written and given to the company’s IT authorities. A section from the report is shown below:
According to the section from the report, which of the following choices is true?
A. MAC Spoof attacks cannot be performed.
B. Possibility of SQL Injection attack is eliminated.
C. A stateful firewall can be used between intranet (LAN) and DMZ.
D. There is access control policy between VLANs.

A

C. A stateful firewall can be used between intranet (LAN) and DMZ.

34
Q
You want to analyze packets on your wireless network. Which program would you use?
A. Wireshark with Airpcap
B. Airsnort with Airpcap
C. Wireshark with Winpcap
D. Ethereal with Winpcap
A

A. Wireshark with Airpcap

35
Q
Bluetooth uses which digital modulation technique to exchange information between paired devices?
A. PSK (phase-shift keying)
B. FSK (frequency-shift keying)
C. ASK (amplitude-shift keying)
D. QAM (quadrature amplitude modulation)
A

A. PSK (phase-shift keying)

36
Q
Which of these is capable of searching for and locating rogue access points?
A. HIDS
B. WISS
C. WIPS
D. NIDS
A

C. WIPS

37
Q

Study the Snort rule given below and interpret the rule.
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
A. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111
B. An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet
C. An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet
D. An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111

A

D. An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111

38
Q
Which type of antenna is used in wireless communication?
A. Omnidirectional
B. Parabolic
C. Uni-directional
D. Bi-directional
A

A. Omnidirectional

39
Q

You are the Network Admin, and you get a complaint that some of the websites are no longer accessible. You try to ping the servers and find them to be reachable. Then you type the IP address into the browser and find the site to be accessible. But the sites are not accessible when you try using the URL.
What may be the problem?
A. Traffic is Blocked on UDP Port 53
B. Traffic is Blocked on UDP Port 80
C. Traffic is Blocked on UDP Port 54
D. Traffic is Blocked on UDP Port 80

A

A. Traffic is Blocked on UDP Port 53

40
Q
How is the public key distributed in an orderly, controlled fashion so that the users can be sure of the sender's identity?
A. Hash value
B. Private key
C. Digital signature
D. Digital certificate
A

D. Digital certificate

41
Q

What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?
A. Copy the system files from a known good system
B. Perform a trap and trace
C. Delete the files and try to determine the source
D. Reload from a previous backup
E. Reload from known good media

A

E. Reload from known good media

42
Q
Which of the following is optimized for confidential communications, such as bidirectional voice and video?
A. RC4
B. RC5
C. MD4
D. MD5
A

A. RC4

43
Q

In the context of Windows Security, what is a ‘null’ user?
A. A user that has no skills
B. An account that has been suspended by the admin
C. A pseudo account that has no username and password
D. A pseudo account that was created for security administration purpose

A

C. A pseudo account that has no username and password

44
Q
A hacker is attempting to see which IP addresses are currently active on a network. Which NMAP switch would the hacker use?
A. -sO
B. -sP
C. -sS
D. -sU
A

B. -sP

45
Q

In Risk Management, how is the term “likelihood” related to the concept of “threat?”
A. Likelihood is the probability that a threat-source will exploit a vulnerability.
B. Likelihood is a possible threat-source that may exploit a vulnerability.
C. Likelihood is the likely source of a threat that could exploit a vulnerability.
D. Likelihood is the probability that a vulnerability is a threat-source.

A

A. Likelihood is the probability that a threat-source will exploit a vulnerability.

46
Q

During a wireless penetration test, a tester detects an access point using WPA2 encryption. Which of the following attacks should be used to obtain the key?
A. The tester must capture the WPA2 authentication handshake and then crack it.
B. The tester must use the tool inSSIDer to crack it using the ESSID of the network.
C. The tester cannot crack WPA2 because it is in full compliance with the IEEE 802.11i standard.
D. The tester must change the MAC address of the wireless network card and then use the AirTraf tool to obtain the key.

A

A. The tester must capture the WPA2 authentication handshake and then crack it.

47
Q

What is the main disadvantage of scripting languages as opposed to compiled programming languages?
A. Scripting languages are hard to learn.
B. Scripting languages are not object-oriented.
C. Scripting languages cannot be used to create graphical user interfaces.
D. Scripting languages are slower because they require an interpreter to run the code.

A

D. Scripting languages are slower because they require an interpreter to run the code.

48
Q
A consultant is hired to do physical penetration testing at a large financial company. On the first day of his assessment, the consultant goes to the company's building dressed like an electrician and waits in the lobby for an employee to pass through the main access gate, then the consultant follows closely behind the employee to get into the restricted area. Which type of attack did the consultant perform?
A. Man trap
B. Tailgating
C. Shoulder surfing
D. Social engineering
A

B. Tailgating

49
Q
You are about to be hired by a well-known Bank to perform penetration tests. Which of the following documents describes the specifics of the testing, the associated violations, and essentially protects both the bank's interest and your liabilities as a tester?
A. Service Level Agreement
B. Non-Disclosure Agreement
C. Terms of Engagement
D. Project Scope
A

C. Terms of Engagement

50
Q

A person approaches a network administrator and wants advice on how to send encrypted email from home.
The end user does not want to have to pay for any license fees or manage server services. Which of the following is the most secure encryption protocol that the network administrator should recommend?
A. IP Security (IPSEC)
B. Multipurpose Internet Mail Extensions (MIME)
C. Pretty Good Privacy (PGP)
D. Hyper Text Transfer Protocol with Secure Socket Layer (HTTPS)

A

C. Pretty Good Privacy (PGP)

51
Q

MX record priority increases as the number increases. (True/False.)
A. True
B. False

A

B. False

52
Q
Which of the following is a low-tech way of gaining unauthorized access to systems?
A. Social Engineering
B. Sniffing
C. Eavesdropping
D. Scanning
A

A. Social Engineering

53
Q

Bob is acknowledged as a hacker of repute and is popular among visitors of “underground” sites.
Bob is willing to share his knowledge with those who are willing to learn, and many have expressed their interest in learning from him. However, this knowledge has a risk associated with it, as it can be used for malevolent attacks as well.
In this context, what would be the most effective method to bridge the knowledge gap between the "black" hats or crackers and the "white" hats or computer security professionals? (Choose the best answer.)
A. Educate everyone with books, articles and training on risk analysis, vulnerabilities and safeguards.
B. Hire more computer security monitoring personnel to monitor computer systems and networks.
C. Make obtaining either a computer security certification or accreditation easier to achieve so more individuals feel that they are a part of something larger than life.
D. Train more National Guard and reservists in the art of computer security to help out in times of emergency or crises.

A

A. Educate everyone with books, articles and training on risk analysis, vulnerabilities and safeguards.

54
Q

What statement is true regarding LM hashes?
A. LM hashes consist of 48 hexadecimal characters.
B. LM hashes are based on AES128 cryptographic standard.
C. Uppercase characters in the password are converted to lowercase.
D. LM hashes are not generated when the password length exceeds 15 characters.

A

D. LM hashes are not generated when the password length exceeds 15 characters.

55
Q
What information should an IT system analysis provide to the risk assessor?
A. Management buy-in
B. Threat statement
C. Security architecture
D. Impact analysis
A

C. Security architecture

56
Q
An attacker has captured a target file that is encrypted with public key cryptography. Which of the attacks below is likely to be used to crack the target file?
A. Timing attack
B. Replay attack
C. Memory trade-off attack
D. Chosen plain-text attack
A

D. Chosen plain-text attack

57
Q

International Organization for Standardization (ISO) standard 27002 provides guidance for compliance by outlining
A. guidelines and practices for security controls.
B. financial soundness and business viability metrics.
C. standard best practice for configuration management.
D. contract agreement writing standards.

A

A. guidelines and practices for security controls.

58
Q

Which of the following is the primary objective of a rootkit?
A. It opens a port to provide an unauthorized service
B. It creates a buffer overflow
C. It replaces legitimate programs
D. It provides an undocumented opening in a program

A

C. It replaces legitimate programs

59
Q

The “gray box testing” methodology enforces what kind of restriction?
A. The internal operation of a system is only partly accessible to the tester.
B. The internal operation of a system is completely known to the tester.
C. Only the external operation of a system is accessible to the tester.
D. Only the internal operation of a system is known to the tester.

A

A. The internal operation of a system is only partly accessible to the tester.

60
Q

An attacker changes the profile information of a particular user (victim) on the target website. The attacker uses this string to update the victim's profile to a text file and then submits the data to the attacker's database.
<iframe src="http://www.vulnweb.com/updateif.php" style="display:none"> What is this type of attack (that can use either HTTP GET or HTTP POST) called?
A. Cross-Site Request Forgery
B. Cross-Site Scripting
C. SQL Injection
D. Browser Hacking

A

A. Cross-Site Request Forgery

61
Q
Which of the following tools are used for enumeration? (Choose three.)
A. SolarWinds
B. USER2SID
C. Cheops
D. SID2USER
E. DumpSec
A

B. USER2SID
D. SID2USER
E. DumpSec

62
Q

A pentester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pentester pivot using Metasploit?
A. Issue the pivot exploit and set the meterpreter.
B. Reconfigure the network settings in the meterpreter.
C. Set the payload to propagate through the meterpreter.
D. Create a route statement in the meterpreter.

A

D. Create a route statement in the meterpreter.

63
Q

Which of the following describes the characteristics of a Boot Sector Virus?
A. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR
B. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
C. Modifies directory table entries so that directory entries point to the virus code instead of the actual program
D. Overwrites the original MBR and only executes the new virus code

A

A. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR

64
Q

In order to surf the Internet anonymously, which of the following is the best choice?
A. Use SSL sites when entering personal information
B. Use Tor network with multi-node
C. Use shared WiFi
D. Use public VPN

A

B. Use Tor network with multi-node

65
Q

A security analyst in an insurance company is assigned to test a new web application that will be used by clients to help them choose and apply for an insurance plan. The analyst discovers that the application is developed in ASP scripting language and it uses MSSQL as a database backend. The analyst locates the application’s search form and introduces the following code in the search input field:
IMG SRC=vbscript:msgbox("Vulnerable");> originalAttribute="SRC" originalPath="vbscript;msgbox ("Vulnerable");>"
When the analyst submits the form, the browser returns a pop-up window that says “Vulnerable”.
Which web applications vulnerability did the analyst discover?
A. Cross-site request forgery
B. Command injection
C. Cross-site scripting
D. SQL injection

A

C. Cross-site scripting

66
Q
You have several plain-text firewall logs that you must review to evaluate network traffic. You know that in order to do fast, efficient searches of the logs you must use regular expressions. Which command-line utility are you most likely to use?
A. Grep
B. Notepad
C. MS Excel
D. Relational Database
A

A. Grep

67
Q

A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash. The technician researches the bug and discovers that no one else experienced the problem. What is the appropriate next step?
A. Ignore the problem completely and let someone else deal with it.
B. Create a document that will crash the computer when opened and send it to friends.
C. Find an underground bulletin board and attempt to sell the bug to the highest bidder.
D. Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.

A

D. Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.

68
Q
Which of the following is an application that requires a host application for replication?
A. Micro
B. Worm
C. Trojan
D. Virus
A

D. Virus

69
Q

An organization hires a tester to do a wireless penetration test. Previous reports indicate that the last test did not contain management or control packets in the submitted traces. Which of the following is the most likely reason for lack of management or control packets?
A. The wireless card was not turned on.
B. The wrong network card drivers were in use by Wireshark.
C. On Linux and Mac OS X, only 802.11 headers are received in promiscuous mode.
D. Certain operating systems and adapters do not collect the management or control packets.

A

D. Certain operating systems and adapters do not collect the management or control packets.

70
Q

An attacker scans a host with the below command. Which three flags are set? (Choose three.)
#nmap -sX host.domain.com
A. This is ACK scan. ACK flag is set
B. This is Xmas scan. SYN and ACK flags are set
C. This is Xmas scan. URG, PUSH and FIN are set
D. This is SYN scan. SYN flag is set

A

C. This is Xmas scan. URG, PUSH and FIN are set

71
Q

You work for Acme Corporation as Sales Manager. The company has tight network security restrictions. You are trying to steal data from the company’s Sales database (Sales.xls) and transfer them to your home computer. Your company filters and monitors traffic that leaves from the internal network to the Internet. How will you achieve this without raising suspicion?
A. Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account
B. Package the Sales.xls using Trojan wrappers and telnet them back your home computer
C. You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent looking email or file transfer using Steganography techniques
D. Change the extension of Sales.xls to sales.txt and upload them as attachment to your hotmail account

A

C. You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent looking email or file transfer using Steganography techniques

72
Q
A penetration tester is attempting to scan an internal corporate network from the Internet without alerting the border sensor. Which is the most efficient technique the tester should consider using?
A. Spoofing an IP address
B. Tunneling scan over SSH
C. Tunneling over high port numbers
D. Scanning using fragmented IP packets
A

B. Tunneling scan over SSH

73
Q
A hacker searches in Google for filetype:pcf to find Cisco VPN config files. Those files may contain connectivity passwords that can be decoded with which of the following?
A. Cupp
B. Nessus
C. Cain and Abel
D. John The Ripper Pro
A

C. Cain and Abel

74
Q
Which of the following is an example of IP spoofing?
A. SQL injections
B. Man-in-the-middle
C. Cross-site scripting
D. ARP poisoning
A

B. Man-in-the-middle

75
Q

A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access point. The computer is able to transfer files locally to other machines, but cannot successfully reach the Internet. When the technician examines the IP address and default gateway, they are both on the 192.168.1.0/24 network. Which of the following has occurred?
A. The gateway is not routing to a public IP address.
B. The computer is using an invalid IP address.
C. The gateway and the computer are not on the same network.
D. The computer is not using a private IP address.

A

A. The gateway is not routing to a public IP address.

76
Q

A certified ethical hacker (CEH) is approached by a friend who believes her husband is cheating. She offers to pay to break into her husband’s email account in order to find proof so she can take him to court. What is the ethical response?
A. Say no; the friend is not the owner of the account.
B. Say yes; the friend needs help to gather evidence.
C. Say yes; do the job for free.
D. Say no; make sure that the friend knows the risk she’s asking the CEH to take.

A

A. Say no; the friend is not the owner of the account.

77
Q

env x='() { :;}; echo exploit' bash -c 'cat /etc/passwd'
What is the Shellshock bash vulnerability attempting to do on a vulnerable Linux host?
A. Display passwd content to prompt
B. Removes the passwd file
C. Changes all passwords in passwd
D. Add new user to the passwd file

A

A. Display passwd content to prompt

78
Q

As a security consultant, what are some of the things you would recommend to a company to ensure DNS security?
A. Use the same machines for DNS and other applications
B. Harden DNS servers
C. Use split-horizon operation for DNS servers
D. Restrict Zone transfers
E. Have subnet diversity between DNS servers

A

B. Harden DNS servers
C. Use split-horizon operation for DNS servers
D. Restrict Zone transfers
E. Have subnet diversity between DNS servers

79
Q

Some passwords are stored using specialized encryption algorithms known as hashes. Why is this an appropriate method?
A. It is impossible to crack hashed user passwords unless the key used to encrypt them is obtained.
B. If a user forgets the password, it can be easily retrieved using the hash key stored by administrators.
C. Hashing is faster compared to more traditional encryption algorithms.
D. Passwords stored using hashes are non-reversible, making finding the password much more difficult.

A

D. Passwords stored using hashes are non-reversible, making finding the password much more difficult.

80
Q

A company has publicly hosted web applications and an internal Intranet protected by a firewall. Which technique will help protect against enumeration?
A. Reject all invalid email received via SMTP.
B. Allow full DNS zone transfers.
C. Remove A records for internal hosts.
D. Enable null session pipes.

A

C. Remove A records for internal hosts.

81
Q
Which of the following incident handling process phases is responsible for defining rules, organizing the human workforce, creating a back-up plan, and testing the plans for an organization?
A. Preparation phase
B. Containment phase
C. Identification phase
D. Recovery phase
A

A. Preparation phase

82
Q

In both pharming and phishing attacks an attacker can create websites that look similar to legitimate sites with the intent of collecting personal identifiable information from its victims. What is the difference between pharming and phishing attacks?
A. In a pharming attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that is either misspelled or looks similar to the actual website's domain name.
B. Both pharming and phishing attacks are purely technical and are not considered forms of social engineering.
C. Both pharming and phishing attacks are identical.
D. In a phishing attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a pharming attack an attacker provides the victim with a URL that is either misspelled or looks very similar to the actual website's domain name.

A

A. In a pharming attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that is either misspelled or looks similar to the actual website's domain name.

83
Q

While you were gathering information as part of security assessments for one of your clients, you were able to gather data that show your client is involved with fraudulent activities. What should you do?
A. Immediately stop work and contact the proper legal authorities
B. Ignore the data and continue the assessment until completed as agreed
C. Confront the client in a respectful manner and ask her about the data
D. Copy the data to removable media and keep it in case you need it

A

A. Immediately stop work and contact the proper legal authorities

84
Q
A tester has been hired to do a web application security test. The tester notices that the site is dynamic and must make use of a back end database. In order for the tester to see if SQL injection is possible, what is the first character that the tester should use to attempt breaking a valid SQL request?
A. Semicolon
B. Single quote
C. Exclamation mark
D. Double quote
A

B. Single quote

85
Q

While using your bank’s online service you notice the following string in the URL bar:
“http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980&Camount=21”
You observe that if you modify the Damount and Camount values and submit the request, the data on the web page reflect the changes.
Which type of vulnerability is present on this site?
A. Web Parameter Tampering
B. Cookie Tampering
C. XSS Reflection
D. SQL injection

A

A. Web Parameter Tampering

86
Q

When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing?
A. At least once a year and after any significant upgrade or modification
B. At least once every three years or after any significant upgrade or modification
C. At least twice a year or after any significant upgrade or modification
D. At least once every two years and after any significant upgrade or modification

A

A. At least once a year and after any significant upgrade or modification

87
Q

A covert channel is a channel that
A. transfers information over, within a computer system, or network that is outside of the security policy.
B. transfers information over, within a computer system, or network that is within the security policy.
C. transfers information via a communication path within a computer system, or network for transfer of data.
D. transfers information over, within a computer system, or network that is encrypted.

A

A. transfers information over, within a computer system, or network that is outside of the security policy.

88
Q
Which of the following scanning methods splits the TCP header into several packets and makes it difficult for packet filters to detect the purpose of the packet?
A. ICMP Echo scanning
B. SYN/FIN scanning using IP fragments
C. ACK flag probe scanning
D. IPID scanning
A

B. SYN/FIN scanning using IP fragments

89
Q

Which of the following parameters describe LM Hash?
I The maximum password length is 14 characters
II There are no distinctions between uppercase and lowercase
III It’s a simple algorithm, so 10,000,000 hashes can be generated per second
A. I, II, and III
B. I
C. II
D. I and II

A

A. I, II, and III

90
Q
A hacker was able to sniff packets on a company's wireless network. The following information was discovered:
Key: 10110010 01001011
Ciphertext: 01100101 01011010
Using the Exclusive OR, what was the original message?
A. 00101000 11101110
B. 11010111 00010001
C. 00001101 10100100
D. 11110010 01011011
A

B. 11010111 00010001

91
Q
Which of the following is a form of penetration testing that relies heavily on human interaction and often involves tricking people into breaking normal security procedures?
A. Social Engineering
B. Piggybacking
C. Tailgating
D. Eavesdropping
A

A. Social Engineering

92
Q
This asymmetric cipher is based on factoring the product of two large prime numbers.
What cipher is described above?
A. RSA
B. SHA
C. RC5
D. MD5
A

A. RSA

93
Q
Which property ensures that a hash function will not produce the same hashed value for two different messages?
A. Collision resistance
B. Bit length
C. Key strength
D. Entropy
A

A. Collision resistance

94
Q

Assume a business-critical website of some company that is used to sell handsets to customers worldwide.
All the developed components are reviewed by the security team on a monthly basis. In order to drive business further, the website developers decided to add some third-party marketing tools to it. The tools are written in JavaScript and can track the customer’s activity on the site. These tools are located on the servers of the marketing company.
What is the main security risk associated with this scenario?
A. External script contents could be maliciously modified without the security team's knowledge
B. External scripts have direct access to the company servers and can steal the data from there
C. There is no risk at all as the marketing services are trustworthy
D. External scripts increase the outbound company data traffic, which leads to greater financial losses

A

A. External script contents could be maliciously modified without the security team's knowledge

95
Q
What attack is used to crack passwords by using a precomputed table of hashed passwords?
A. Brute Force Attack
B. Hybrid Attack
C. Rainbow Table Attack
D. Dictionary Attack
A

C. Rainbow Table Attack

96
Q

A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much information can be obtained from the firm’s public facing web servers. The engineer decides to start by connecting with netcat to port 80.
The engineer receives this output:
Which of the following is an example of what the engineer performed?
A. Cross-site scripting
B. Banner grabbing
C. SQL injection
D. Whois database query

A

B. Banner grabbing

97
Q

Which of the following is an adaptive SQL Injection testing technique used to discover coding errors by inputting massive amounts of random data and observing the changes in the output?
A. Function Testing
B. Dynamic Testing
C. Static Testing
D. Fuzzing Testing

A

D. Fuzzing Testing

98
Q

What two conditions must a digital signature meet?
A. Has to be unforgeable, and has to be authentic.
B. Has to be legible and neat.
C. Must be unique and have special characters.
D. Has to be the same number of characters as a physical signature and must be unique.

A

A. Has to be unforgeable, and has to be authentic.

99
Q
Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close.
What just happened?
A. Piggybacking
B. Masquerading
C. Phishing
D. Whaling
A

A. Piggybacking

100
Q

You have the SOA presented below in your Zone.
Your secondary servers have not been able to contact your primary server to synchronize information. How long will the secondary servers attempt to contact the primary server before they consider that the zone is dead and stop responding to queries?
collegae.edu.SOA, cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600)
A. One day
B. One hour
C. One week
D. One month

A

C. One week

101
Q
Study the log below and identify the scan type.
A. nmap -sR 192.168.1.10
B. nmap -sS 192.168.1.10
C. nmap -sV 192.168.1.10
D. nmap -sO -T 192.168.1.10
A

D. nmap -sO -T 192.168.1.10

102
Q

Which technical characteristic do Ethereal/Wireshark, TCPDump, and Snort have in common?
A. They are written in Java.
B. They send alerts to security monitors.
C. They use the same packet analysis engine.
D. They use the same packet capture utility.

A

D. They use the same packet capture utility.

103
Q
Which of the following is a component of a risk assessment?
A. Administrative safeguards
B. Physical security
C. DMZ
D. Logical interface
A

A. Administrative safeguards

104
Q

What is the outcome of the command “nc -l -p 2222 | nc 10.1.0.43 1234”?
A. Netcat will listen on the 10.1.0.43 interface for 1234 seconds on port 2222.
B. Netcat will listen on port 2222 and output anything received to a remote connection on 10.1.0.43 port 1234.
C. Netcat will listen for a connection from 10.1.0.43 on port 1234 and output anything received to port 2222.
D. Netcat will listen on port 2222 and then output anything received to local interface 10.1.0.43.

A

B. Netcat will listen on port 2222 and output anything received to a remote connection on 10.1.0.43 port 1234.

105
Q
Which type of cryptography do SSL, IKE and PGP belong to?
A. Secret Key
B. Hash Algorithm
C. Digest
D. Public Key
A

D. Public Key

106
Q

A regional bank hires your company to perform a security assessment on their network after a recent data breach. The attacker was able to steal financial data from the bank by compromising only a single server.
Based on this information, what should be one of your key recommendations to the bank?
A. Place a front-end web server in a demilitarized zone that only handles external web traffic
B. Require all employees to change their passwords immediately
C. Move the financial data to another server on the same IP subnet
D. Issue new certificates to the web servers from the root certificate authority

A

A. Place a front-end web server in a demilitarized zone that only handles external web traffic

107
Q
What ports should be blocked on the firewall to prevent NetBIOS traffic from coming through the firewall if your network is comprised of Windows NT, 2000, and XP?
A. 110
B. 135
C. 139
D. 161
E. 445
F. 1024
A

B. 135
C. 139
E. 445

108
Q

In Trojan terminology, what is a covert channel?
A. A channel that transfers information within a computer system or network in a way that violates the security policy
B. A legitimate communication path within a computer system or network for transfer of data
C. It is a kernel operation that hides boot processes and services to mask detection
D. It is Reverse tunneling technique that uses HTTPS protocol instead of HTTP protocol to establish connections

A

A. A channel that transfers information within a computer system or network in a way that violates the security policy

109
Q

To reduce the attack surface of a system, administrators should perform which of the following processes to remove unnecessary software, services, and insecure configuration settings?
A. Harvesting
B. Windowing
C. Hardening
D. Stealthing

A

C. Hardening

110
Q
What tool should you use when you need to analyze metadata extracted from files you collected during the initial stage of a penetration test (information gathering)?
A. Armitage
B. Dimitry
C. Metagoofil
D. cdpsnarf
A

C. Metagoofil

111
Q
While checking the settings on the internet browser, a technician finds that the proxy server settings have been checked and a computer is trying to use itself as a proxy server. What specific octet within the subnet does the technician see?
A. 10.10.10.10
B. 127.0.0.1
C. 192.168.1.1
D. 192.168.168.168
A

B. 127.0.0.1

112
Q
Which of the following is NOT an ideal choice for biometric controls?
A. Iris patterns
B. Fingerprints
C. Height and weight
D. Voice
A

C. Height and weight

113
Q
In an internal security audit, the white hat hacker gains control over a user account and attempts to acquire access to another account's confidential files and information. How can he achieve this?
A. Port Scanning
B. Hacking Active Directory
C. Privilege Escalation
D. Shoulder-Surfing
A

C. Privilege Escalation

114
Q
Which of the following is designed to verify and authenticate individuals taking part in a data exchange within an enterprise?
A. SOA
B. Single-Sign On
C. PKI
D. Biometrics
A

C. PKI

115
Q
One of your team members has asked you to analyze the following SOA record.
What is the TTL? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)
A. 200303028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800
A

D. 2400

116
Q
Which one of the following Google advanced search operators allows an attacker to restrict the results to those websites in the given domain?
A. [cache:]
B. [site:]
C. [inurl:]
D. [link:]
A

B. [site:]

117
Q

Which of the following is a primary service of the U.S. Computer Security Incident Response Team (CSIRT)?
A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide.
B. CSIRT provides a computer security surveillance service to supply a government with important intelligence information on individuals travelling abroad.
C. CSIRT provides a penetration testing service to support exception reporting on incidents worldwide by individuals and multi-national corporations.
D. CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling an individual’s property or company’s asset.

A

A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide.

118
Q
Which specific element of security testing is being assured by using a hash?
A. Authentication
B. Integrity
C. Confidentiality
D. Availability
A

B. Integrity

119
Q
Which of the following Bluetooth hacking techniques does an attacker use to send messages to users without the recipient's consent, similar to email spamming?
A. Bluesmacking
B. Bluesniffing
C. Bluesnarfing
D. Bluejacking
A

D. Bluejacking

120
Q
While performing online banking using a Web browser, Kyle receives an email that contains a well-crafted image. Upon clicking the image, a new tab in the web browser opens and shows an animated GIF of bills and coins being swallowed by a crocodile. After several days, Kyle notices that all his funds in the bank are gone. What Web browser-based security vulnerability got exploited by the hacker?
A. Clickjacking
B. Web Form Input Validation
C. Cross-Site Request Forgery
D. Cross-Site Scripting
A

C. Cross-Site Request Forgery

121
Q
Which of the following is the most important phase of ethical hacking, in which you need to spend a considerable amount of time?
A. Gaining access
B. Escalating privileges
C. Network mapping
D. Footprinting
A

D. Footprinting

122
Q

Vlady works in a fishing company where the majority of the employees have very little understanding of IT, let alone IT security. Several information security issues that Vlady often found include employees sharing passwords, writing their password on a post-it note and sticking it to their desk, leaving the computer unlocked, not logging out from email or other social media accounts, etc. After discussing with his boss, Vlady decided to make some changes to improve the security environment in his company. The first thing that Vlady wanted to do is to make the employees understand the importance of keeping confidential information, such as passwords, secret and not sharing it with other persons.
Which of the following steps should be the first thing that Vlady should do to make the employees in his company understand the importance of keeping confidential information a secret?
A. Warning to those who write password on a post it note and put it on his/her desk
B. Developing a strict information security policy
C. Information security awareness training
D. Conducting a one to one discussion with the other employees about the importance of information security

A

A. Warning to those who write password on a post it note and put it on his/her desk

123
Q

A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites.
77 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets had an ICMP ID:0 and Seq:0. What can you infer from this information?
A. The packets were sent by a worm spoofing the IP addresses of 47 infected sites
B. ICMP ID and Seq numbers were most likely set by a tool and not by the operating system
C. All 77 packets came from the same LAN segment and hence had the same ICMP ID and Seq number
D. 13 packets were from an external network and probably behind a NAT, as they had an ICMP ID 0 and Seq 0

A

B. ICMP ID and Seq numbers were most likely set by a tool and not by the operating system

124
Q
XOR is a common cryptographic tool. What is 10110001 XOR 00111010?
A. 10111100
B. 11011000
C. 10011101
D. 10001011
A

D. 10001011

125
Q

During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this vulnerability?
A. The web application does not have the secure flag set.
B. The session cookies do not have the HttpOnly flag set.
C. The victim user should not have an endpoint security solution.
D. The victim’s browser must have ActiveX technology enabled.

A

B. The session cookies do not have the HttpOnly flag set.