Module 12 - Evading IDS, Firewalls, and Honeypots (EC Mode Part 01) Flashcards

2
Q

Which of the following attributes in a packet can be used to check whether the packet originated from an unreliable zone?

A. TCP flag bits
B. Direction
C. Interface
D. Source IP address

A

Correct Answer: C. Interface

3
Q

Which of the following types of firewall inspects only header information in network traffic?

A. Application-level gateway
B. Stateful inspection
C. Packet filter
D. Circuit-level gateway

A

Correct Answer: C. Packet filter

4
Q

Which of the following intrusion detection techniques involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision?

A. Anomaly Detection
B. Signature Recognition
C. Protocol Anomaly Detection
D. Obfuscating

A

Correct Answer: B. Signature Recognition

5
Q

Which of the following statements concerning proxy firewalls is correct?

A. Proxy firewalls block network packets from passing to and from a protected network
B. Firewall proxy servers decentralize all activity for an application
C. Computers establish a connection with a proxy firewall that initiates a new network connection for the client
D. Proxy firewalls increase the speed and functionality of a network

A

Correct Answer: C. Computers establish a connection with a proxy firewall that initiates a new network connection for the client

6
Q

Which solution can be used to emulate computer services, such as mail and ftp, and to capture information related to logins or actions?

A. Honeypot
B. Intrusion detection system (IDS)
C. DeMilitarized zone (DMZ)
D. Firewall

A

Correct Answer: A. Honeypot

7
Q

In which of the following conditions does the IDS generate a true positive alert?

A. A true positive is a condition occurring when an IDS fails to react to an actual attack event
B. A true positive is a condition occurring when an IDS identifies an activity as acceptable behavior and the activity is acceptable
C. A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress
D. A true positive is a condition occurring when an event triggers an alarm when no actual attack is in progress

A

Correct Answer: C. A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress

8
Q

What is the main advantage that a network-based IDS/IPS system has over a host-based solution?

A. They are easier to install and configure
B. They will not interfere with user interfaces
C. They are placed at the boundary, allowing them to inspect all traffic
D. They do not use host system resources

A

Correct Answer: D. They do not use host system resources

9
Q

Which of the following indicators identifies a network intrusion?

A. Repeated probes of the available services on your machines
B. Sudden decrease in bandwidth consumption is an indication of intrusion
C. Connection requests from IPs from those systems within the network range
D. Rare login attempts from remote hosts

A

Correct Answer: A. Repeated probes of the available services on your machines

10
Q

At which two traffic layers do most commercial IDSes generate signatures? (Select Two)

A. Application layer
B. Network layer
C. Session layer
D. Transport layer

A

Correct Answer: B. Network layer and D. Transport layer

11
Q

Jamie has purchased and deployed an application firewall to protect his company infrastructure which includes various email servers, file server shares, and applications. Also, all the systems in his company share the same onsite physical datacenter. Jamie has positioned the newly purchased firewall nearest to the application systems so as to protect the applications from attackers. This positioning does not protect the complete network.

What can be done to address the security issues created by this deployment for Jamie?

A. Jamie will need to add at least three additional firewalls at the DMZ, internet, and intranet
B. Jamie will need to add at least three additional firewalls at the untrusted network, router side, and application side
C. Jamie will need to replace the application firewall with a packet filtering firewall at the network edge
D. Jamie will need to add at least one additional firewall at the network edge

A

Correct Answer: D. Jamie will need to add at least one additional firewall at the network edge

12
Q

Jamie was asked by their director to make new additions to the firewall in order to allow traffic for a new software package. After the firewall changes, Jamie receives calls from users that they cannot access other services, such as email and file shares, that they were able to access earlier.

What was the problem in the latest changes that is denying existing users from accessing network resources?

A. Jamie’s additional entries were processed first
B. Jamie needs to restart the firewall to make the changes effective
C. Jamie should exit privileged mode to allow the settings to be effective
D. Jamie needs to have the users restart their computers in order to make settings effective

A

Correct Answer: A. Jamie’s additional entries were processed first

13
Q

When analyzing the IDS logs, the system administrator notices connections from outside of the LAN have been sending packets where the source IP address and destination IP address are the same. However, no alerts have been sent via email or logged in the IDS. Which type of alert is this?

A. False negative
B. True negative
C. False positive
D. True positive

A

Correct Answer: A. False negative

14
Q

When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator’s computer to update the router configuration. What type of alert is this?

A. True-negative
B. True-positive
C. False-negative
D. False-positive

A

Correct Answer: D. False-positive

15
Q

A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over ports 20 and 21. During analysis, there were no signs of attack on the FTP servers. How should the administrator understand this situation?

A. False negatives
B. True positives
C. True negatives
D. False positives

A

Correct Answer: D. False positives

16
Q

Which of the following methods detects an intrusion based on the fixed behavioral characteristics of the users and components of a computer system?

A. Signature recognition
B. Bastion host
C. Anomaly detection
D. Protocol anomaly detection

A

Answer: C. Anomaly detection

17
Q

The general indicators of which of the following types of intrusions are repeated login attempts from remote hosts, a sudden influx of log data, and a sudden increase in bandwidth consumption?

A. System intrusion
B. File-system intrusion
C. Signature recognition
D. Network intrusion

A

Answer: D. Network intrusion

18
Q

Which of the following types of honeypots is very effective in determining the entire capabilities of adversaries and is mostly deployed in an isolated virtual environment along with a combination of vulnerable servers?

A. Honeynets
B. Spider honeypots
C. Spam honeypots
D. Malware honeypots

A

Correct Answer: A. Honeynets

19
Q

Which of the following attributes in a packet can be used to check whether the packet originated from an unreliable zone?

A. Source IP address
B. Interface
C. Direction
D. TCP flag bits

A

Correct Answer: B. Interface

20
Q

In which of the following conditions does the IDS generate a true positive alert?

A. A true positive is a condition occurring when an IDS identifies an activity as acceptable behavior and the activity is acceptable
B. A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress
C. A true positive is a condition occurring when an event triggers an alarm when no actual attack is in progress
D. A true positive is a condition occurring when an IDS fails to react to an actual attack event

A

Correct Answer: B. A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress

21
Q

What is the main advantage that a network-based IDS/IPS system has over a host-based solution?

A. They are easier to install and configure
B. They do not use host system resources
C. They are placed at the boundary, allowing them to inspect all traffic
D. They will not interfere with user interfaces

A

Correct Answer: B. They do not use host system resources

22
Q

Which of the following is a hardware requirement that either an IDS/IPS system or a proxy server must have in order to properly function?

A. Similar RAM requirements
B. They must be dual-homed
C. Fast processor to help with network traffic analysis
D. Fast network interface cards

A

Correct Answer: B. They must be dual-homed

23
Q

Which type of intrusion detection system can monitor and alert on attacks, but cannot stop them?

A. Detective
B. Passive
C. Intuitive
D. Reactive

A

Correct Answer: B. Passive

24
Q

An advantage of an application-level firewall is the ability to

A. Filter packets at the network level
B. Monitor TCP handshaking
C. Filter specific commands, such as http:post
D. Retain state information for each packet

A

Correct Answer: C. Filter specific commands, such as http:post

25
Q

Teyla is a security analyst for BAYARA Company. She is responsible for the firewall, antivirus, IPS, and web filtering security controls. She wants to protect the employees from a new phishing attack. What should Teyla do?

A. Use the web filtering application to prevent the employees from accessing the phishing webpage
B. Use IPS to block phishing
C. Block the phishing via antivirus
D. Block outbound traffic to the ports 80 and 443 in the firewall

A

Correct Answer: A. Use the web filtering application to prevent the employees from accessing the phishing webpage

26
Q

When analyzing the IDS logs, the system administrator notices connections from outside of the LAN have been sending packets where the source IP address and destination IP address are the same. However, no alerts have been sent via email or logged in the IDS. Which type of alert is this?

A. True negative
B. False positive
C. False negative
D. True positive

A

Correct Answer: C. False negative

27
Q

Which of the following is a mobile intrusion detection tool that allows users to find all the devices connected to a network and provides relevant data such as the IP addresses, manufacturer names, device names, and MAC addresses of the connected devices?

A. Wifiphisher
B. Wifi Inspector
C. WIBR+
D. Reaver

A

Correct Answer: B. Wifi Inspector

28
Q

Which of the following commands is an example of a Snort rule using a bidirectional operator?

A. log tcp any any -> 192.168.1.0/24 !6000:6010
B. alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111
C. 192.168.1.0/24 1:1024
D. log !192.168.1.0/24 any <> 192.168.1.0/24 23

A

Correct Answer: D. log !192.168.1.0/24 any <> 192.168.1.0/24 23

29
Q

Which of the following is a security solution for mobile devices that can reduce a mobile device’s network traffic and battery consumption as well as allow users to create network rules based on apps, IP addresses, and domain names?

A. Bitvise
B. NetPatch Firewall
C. KFSensor
D. Snort

A

Correct Answer: B. NetPatch Firewall

30
Q

When an alert rule is matched in a network-based IDS like Snort, the IDS does which of the following:

A. Blocks the connection with the source IP address in the packet
B. Continues to evaluate the packet until all rules are checked
C. Stops checking rules, sends an alert, and lets the packet continue
D. Drops the packet and moves on to the next one

A

Correct Answer: B. Continues to evaluate the packet until all rules are checked

31
Q

Which of the following is not an action present in Snort IDS?

A. Alert
B. Pass
C. Audit
D. Log

A

Correct Answer: C. Audit

32
Q

Which of the following firewalls is used to secure mobile devices?

A. NetPatch firewall
B. Glasswire
C. TinyWall
D. Comodo firewall

A

Correct Answer: A. NetPatch firewall

33
Q

Manav wants to simulate a complete system and provide an appealing target to push hackers away from the production systems of his organization. Can you identify the tool?

A. PeerBlock
B. TinyWall
C. SPECTER
D. Glasswire

A

Correct Answer: C. SPECTER

34
Q

Which of the following firewall solution tools has the following features:

Two-way firewall that monitors and blocks inbound as well as outbound traffic
Allows users to browse the web privately
Identity protection services help to prevent identity theft by guarding crucial data of the users. It also offers PC protection and data encryption
Through Do Not Track, it stops data-collecting companies from tracking the online users
Online Backup backs up files and restores the data in the event of loss, theft, accidental deletion or disk failure

A. Vanguard Enforcer
B. zIPS
C. Wifi Inspector
D. ZoneAlarm Free Firewall

A

Correct Answer: D. ZoneAlarm Free Firewall

35
Q

Which of the following is a malware research tool that allows security analysts to detect and classify malware or other malicious codes through a rule-based approach?

A. Hping3
B. Nmap
C. YARA
D. Fing

A

Correct Answer: C. YARA

36
Q

Which of the following tools helps security professionals in generating YARA rules from strings identified in malware files?

A. yarGen
B. Weevely
C. Tamper Chrome
D. HoneyBOT

A

Correct Answer: A. yarGen

37
Q

Which of the following is an IDS evasion technique used by an attacker to confuse the IDS by forcing it to read invalid packets as well as blindly trust and accept a packet that an end system rejects?

A. Insertion attack
B. Fragmentation attack
C. Obfuscation
D. Invalid RST packets

A

Correct Answer: A. Insertion attack

38
Q

Which of the following is an IDS evasion technique used by an attacker to send a huge amount of unnecessary traffic to produce noise or fake traffic, so that if the IDS does not analyze the noise traffic, the true attack traffic goes undetected?

A. Flooding
B. Encryption
C. Overlapping fragments
D. Denial-of-service attack

A

Correct Answer: A. Flooding

39
Q

In which of the following IDS evasion techniques does an attacker use an existing buffer-overflow exploit and set the “return” memory address on the overflowed stack to the entrance point of the decryption code?

A. Urgency flag
B. Polymorphic shellcode
C. Invalid RST packets
D. Overlapping fragments

A

Correct Answer: B. Polymorphic shellcode

40
Q

Which of the following techniques is used by an attacker to exploit a host computer and results in the IDS discarding packets while the host that must receive the packets accepts them?

A. Fragmentation attack
B. Obfuscation
C. Evasion
D. Session splicing

A

Correct Answer: C. Evasion

41
Q

In which of the following IDS evasion techniques does an attacker split the attack traffic into an excessive number of packets such that no single packet triggers the IDS?

A. Evasion
B. Session splicing
C. Insertion attack
D. Denial-of-service attack (DoS)

A

Correct Answer: B. Session splicing

42
Q

The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities?

A. Network packets are dropped if the volume exceeds the threshold
B. Thresholding interferes with the IDS’ ability to reassemble fragmented packets
C. The IDS will not distinguish among packets originating from different sources
D. An attacker, working slowly enough, can evade detection by the IDS

A

Correct Answer: D. An attacker, working slowly enough, can evade detection by the IDS

43
Q

Which evasion technique is used by attackers to encode the attack packet payload in such a way that the destination host can only decode the packet but not the IDS?

A. Unicode evasion
B. Obfuscation
C. Session splicing
D. Fragmentation attack

A

Correct Answer: B. Obfuscation

44
Q

How many bits long is the checksum used by the TCP protocol for error checking of the header and data and to ensure that communication is reliable?

A. 14-bit
B. 16-bit
C. 15-bit
D. 13-bit

A

Correct Answer: B. 16-bit

45
Q

An attacker hides the shellcode by encrypting it with an unknown encryption algorithm and by including the decryption code as part of the attack packet. He encodes the payload and then places a decoder before the payload. Identify the type of attack executed by the attacker.

A. Polymorphic shellcode
B. Preconnection SYN
C. Postconnection SYN
D. ASCII shellcode

A

Correct Answer: A. Polymorphic shellcode

46
Q

Which network-level evasion method is used to bypass an IDS, where an attacker splits the attack traffic into too many packets so that no single packet triggers the IDS?

A. Unicode evasion
B. Overlapping fragments
C. Fragmentation attack
D. Session splicing

A

Correct Answer: D. Session splicing

47
Q

Which of the following is an IDS evasion technique used by an attacker to confuse the IDS by forcing it to read invalid packets as well as blindly trust and accept a packet that an end system rejects?

A. Invalid RST packets
B. Obfuscation
C. Insertion attack
D. Fragmentation attack

A

Correct Answer: C. Insertion attack

48
Q

Which network-level evasion method is used to bypass an IDS, where an attacker splits the attack traffic into too many packets so that no single packet triggers the IDS?

A. Fragmentation attack
B. Overlapping fragments
C. Session splicing
D. Unicode evasion

A

Correct Answer: C. Session splicing

49
Q

Which of the following is a technique used by an attacker masquerading as a trusted host to conceal their identity for hijacking browsers or gaining unauthorized access to a network?

A. Port scanning
B. IP address spoofing
C. Firewalking
D. Banner grabbing

A

Correct Answer: B. IP address spoofing

50
Q

Which of the following techniques routes all traffic through an encrypted tunnel directly from a laptop to secure and harden servers and networks?

A. Tiny fragments
B. Source routing
C. ACK tunneling method
D. Anonymizer

A

Correct Answer: D. Anonymizer

51
Q

Which of the following attack techniques is used by an attacker to exploit the vulnerabilities that occur while processing the input parameters of end users and the server responses in a web application?

A. Denial-of-service attack
B. XSS attack
C. MITM attack
D. Social engineering attack

A

Correct Answer: B. XSS attack

52
Q

Which of the following techniques is used by attackers for collecting information about remote networks behind firewalls, where the TTL value is used to determine ACL gateway filters and map networks by analyzing the IP packet response?

A. Firewalking
B. Banner grabbing
C. Tiny fragments
D. Source routing

A

Correct Answer: A. Firewalking

53
Q

Firewalk has just completed the second phase (the scanning phase) and a technician receives the output shown below.

What conclusions can be drawn based on these scan results?

TCP port 21—no response
TCP port 22—no response
TCP port 23—Time-to-live exceeded

A. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall.
B. The scan on port 23 was able to make a connection to the destination host prompting the firewall to respond with a TTL error.
C. The lack of response from ports 21 and 22 indicate that those services are not running on the destination server.
D. The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target host.

A

Correct Answer: A. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall.

54
Q

Check Point’s FireWall-1 listens to which of the following TCP ports?

A. 1745
B. 1080
C. 259
D. 1072

A

Correct Answer: C. 259

55
Q

Which of the following is a two-way HTTP tunneling software tool that allows HTTP, HTTPS, and SOCKS tunneling of any TCP communication between any client–server systems?

A. Super network tunnel
B. Bitvise
C. Loki
D. Secure Pipes

A

Correct Answer: B. Loki

56
Q

Which of the following tools is used to execute commands of choice by tunneling them inside the payload of ICMP echo packets if ICMP is allowed through a firewall?

A. Anonymizer
B. Loki
C. HTTPTunnel
D. AckCmd

A

Correct Answer: D. AckCmd

57
Q

Which feature of the Secure Pipes tool opens application communication ports to remote servers without opening those ports to public networks?

A. Remote backwards
B. SOCKS proxies
C. Local forwards
D. Remote forwards

A

Correct Answer: C. Local forwards

58
Q

Which of the following is a hijacking technique where an attacker masquerades as a trusted host to conceal his identity, hijack browsers or websites, or gain unauthorized access to a network?

A. IP address spoofing
B. Port scanning
C. Firewalking
D. Source routing

A

Correct Answer: A. IP address spoofing

59
Q

An organization’s web application firewall (WAF) allows specific queries and syntaxes that originate from their internal addresses. Jack, a professional hacker, exploited this functionality to send spoofed requests to trick the target WAF and server into believing that the request originated from their internal network. Jack also appended various extensions such as X-Originating-IP, X-Forwarded-For, X-Remote-IP, and X-Remote-Addr to the spoofed requests to bypass the target WAF.

Identify the technique employed by Jack to bypass the target WAF.

A. HTTP header spoofing
B. VLAN hopping
C. MAC spoofing
D. ARP spoofing

A

Correct Answer: A. HTTP header spoofing

60
Q

In which of the following techniques do attackers first send payloads to the WAF connected to their local network to identify the payloads that can be used for evasion and then send those payloads to the target WAF for evasion?

A. Fuzzing/brute-forcing
B. Code emulation
C. Function testing
D. Runtime execution path profiling

A

Correct Answer: A. Fuzzing/brute-forcing

61
Q

In which of the following attacks does an attacker create a malicious link by developing a JavaScript-based blob with a compatible MIME that is set to automatically download the malware on the victim’s machine?

A. URL encoding
B. Pre-connection SYN
C. HTML smuggling
D. Polymorphic shellcode

A

Correct Answer: C. HTML smuggling

62
Q

Which of the following practices helps security professionals in defending against HTML smuggling attacks?

A. Recommend user to access web browser activated with Microsoft Defender SmartScreen
B. Disable cloud delivery-based protection
C. Never block auto-execution of .js and .jse files
D. Never verify the perimeter operation of security devices

A

Correct Answer: A. Recommend user to access web browser activated with Microsoft Defender SmartScreen

63
Q

Mark, a professional hacker, has targeted an organization’s employee to create a backdoor on his system. To achieve his goal, Mark exploited a standard service of Microsoft-based OS that distributes automatic updates to its global users. The administrators often disregard monitoring this service as it delivers continuous updates.

Which of the following features did Mark abuse in the above scenario?

A. ICMP protocol
B. SSH tunneling
C. Windows BITS
D. HTTP tunneling

A

Correct Answer: C. Windows BITS

64
Q

Which of the following tools audits and validates the behavior of security devices and is generally used by security personnel for assessing, auditing, and testing the behavioral characteristics of a non-proxy packet filtering device?

A. Colasoft Packet Builder
B. AckCmd
C. SPECTER
D. Traffic IQ Professional

A

Correct Answer: D. Traffic IQ Professional

65
Q

In which of the following attacks does an attacker create a malicious link by developing a JavaScript-based blob with a compatible MIME that is set to automatically download the malware on the victim’s machine?

A. Polymorphic shellcode
B. URL encoding
C. Pre-connection SYN
D. HTML smuggling

A

Correct Answer: D. HTML smuggling

66
Q

Mark, a professional hacker, has targeted an organization’s employee to create a backdoor on his system. To achieve his goal, Mark exploited a standard service of Microsoft-based OS that distributes automatic updates to its global users. The administrators often disregard monitoring this service as it delivers continuous updates.

Which of the following features did Mark abuse in the above scenario?

A. Windows BITS
B. HTTP tunneling
C. SSH tunneling
D. ICMP protocol

A

Correct Answer: A. Windows BITS

67
Q

Which of the following tools is used by attackers to bypass antivirus software by utilizing binary deconstruction, insertion of arbitrary assembly code, and reconstruction?

A. Ghostwriting.sh
B. FaceNiff
C. Colasoft Packet Builder
D. KFSensor

A

Correct Answer: A. Ghostwriting.sh

68
Q

Identify the evasion technique in which attackers perform DLL hijacking to place a malicious DLL with a legitimate name that the application is looking for in the same directory where the executable resides, so that the malicious DLL gets executed along with the application to disable the endpoint security.

A. Application whitelisting
B. Using blacklist detection
C. Fake security applications
D. Overlapping fragments

A

Correct Answer: A. Application whitelisting

69
Q

Identify the technique in which attackers abuse Microsoft Excel macro sheets to bypass endpoint protection and execute a malicious payload on a target system.

A. Fuzzing/brute-forcing
B. Fast flux DNS method
C. XLM weaponization
D. Password grabbing

A

Correct Answer: C. XLM weaponization

70
Q

Which of the following tools allows an attacker to identify the hooked syscalls that are stored in the memory during execution?

A. USM Anywhere
B. X64dbg debugger
C. Censys
D. WIBR+-WIfi BRuteforce

A

Correct Answer: B. X64dbg debugger

71
Q

Which of the following is a cyber defense software suite with antivirus, anti-malware, and intrusion detection capabilities?

A. Mention
B. Euromonitor
C. Symantec Endpoint Protection
D. Followerwonk

A

Correct Answer: C. Symantec Endpoint Protection

72
Q

Which of the following tools allows attackers to create a malicious payload or launcher to bypass endpoint protection?

A. Covenant C2 Framework
B. Metagoofil
C. Sherlock
D. Octoparse

A

Correct Answer: A. Covenant C2 Framework

73
Q

Identify the bypass technique in which attackers use hex-format encryption to ping different IP addresses for evading detection mechanisms.

A. Heuristic analysis
B. Passing encoded commands
C. Website defacement
D. Honey trap

A

Correct Answer: B. Passing encoded commands

74
Q

Which of the following techniques helps an attacker circumvent blacklists and hide the C&C server behind the compromised systems operating as reverse proxies?

A. Web application fuzz testing
B. Reverse DNS lookup
C. Fast flux DNS method
D. WHOIS lookup

A

Correct Answer: C. Fast flux DNS method

75
Q

James, a professional hacker, set out to bypass endpoint security and gain access to the internal systems connected to a corporate network. For this purpose, he employed a technique through which malware is executed when a victim performs specific actions such as opening a particular window and clicking it; as a result, the malware gets activated after the system reboots.

Identify the technique employed by James to evade endpoint security.

A. Timing-based evasion
B. Unicode evasion
C. Flooding
D. IP address spoofing

A

Correct Answer: A. Timing-based evasion

76
Q

Which of the following techniques allows attackers to leverage trusted in-built utilities for the execution of malicious codes to evade EDR solutions?

A. Distortion techniques
B. Signed binary proxy execution
C. Masking and filtering
D. Spawning using XMLDOM

A

Correct Answer: B. Signed binary proxy execution

77
Q

Identify the evasion technique used by attackers to bypass endpoint detection and response (EDR) to infect the devices with potential malware and establish command and control to maintain a foothold without being detected.

A. Dark web footprinting
B. Website mirroring
C. Banner grabbing
D. XLM weaponization

A

Correct Answer: D. XLM weaponization

78
Q

Which of the following is a simple VLAN enumeration and hopping script that sniffs out CDP packets and extracts the VTP domain name, VLAN management address, native VLAN ID, and IOS version of Cisco devices?

A. Nikto
B. got-responded
C. Frogger
D. Maltego

A

Correct Answer: C. Frogger

79
Q

Which of the following tools allows attackers to place their device between a network switch and an authenticated device to ensure that the traffic flows through their device?

A. InSpectre
B. nac_bypass_setup.sh
C. Dependency Walker
D. OmniPeek

A

Correct Answer: B. nac_bypass_setup.sh

80
Q

Identify the evasion technique in which attackers perform DLL hijacking to place a malicious DLL with a legitimate name that the application is looking for in the same directory where the executable resides, so that the malicious DLL gets executed along with the application to disable the endpoint security.

A. Using blacklist detection
B. Application whitelisting
C. Overlapping fragments
D. Fake security applications

A

Correct Answer: B. Application whitelisting

81
Q

Which of the following tools allows attackers to analyze the detection rate of a malicious file that is being propagated to bypass the antivirus solution?

A. Zsteg
B. VirusTotal
C. BeRoot
D. Robber

A

Correct Answer: B. VirusTotal

82
Q

Which of the following is a cyber defense software suite with antivirus, anti-malware, and intrusion detection capabilities?

A. Euromonitor
B. Symantec Endpoint Protection
C. Mention
D. Followerwonk

A

Correct Answer: B. Symantec Endpoint Protection

83
Q

Which of the following tools allows attackers to create malicious payload or launcher to bypass endpoint protection?

A. Metagoofil
B. Octoparse
C. Covenant C2 Framework
D. Sherlock

A

Correct Answer: C. Covenant C2 Framework

84
Q

Which of the following commands allows attackers to transform a malicious payload created using Covenant C2 Framework into a position-independent shellcode?

A. Get-ObjectAcl -SamAccountName “users” -ResolveGUIDs
B. mimikatz “lsadump::dcsync /domain:(domain name) /user:Administrator”
C. ntdsutil “ac in ntds” “ifm” “cr fu c:\temp” q
D. ./donut -c GruntStager -a 3 -b 2 -z 2 -x -e 3 GruntHTTP.exe -o gruntloader.bin

A

Correct Answer: D. ./donut -c GruntStager -a 3 -b 2 -z 2 -x -e 3 GruntHTTP.exe -o gruntloader.bin

85
Q

Identify the bypass technique in which attackers use hex-format encryption to ping different IP addresses for evading detection mechanisms.

A. Passing encoded commands
B. Heuristic analysis
C. Website defacement
D. Honey trap

A

Correct Answer: A. Passing encoded commands

86
Q

Which of the following techniques helps an attacker circumvent blacklists and hide the C&C server behind the compromised systems operating as reverse proxies?

A. WHOIS lookup
B. Web application fuzz testing
C. Reverse DNS lookup
D. Fast flux DNS method

A

Correct Answer: D. Fast flux DNS method

87
Q

Which of the following is a simple VLAN enumeration and hopping script that sniffs out CDP packets and extracts the VTP domain name, VLAN management address, native VLAN ID, and IOS version of Cisco devices?

A. Frogger
B. Nikto
C. got-responded
D. Maltego

A

Correct Answer: A. Frogger

88
Q

Which of the following techniques manipulates the TCP/IP stack and is effectively employed to slow down the spread of worms and backdoors?

A. Layer 4 tar pits
B. Layer 2 tar pits
C. Layer 7 tar pits
D. Honeyd honeypot

A

Correct Answer: A. Layer 4 tar pits

89
Q

One of the following techniques redirects all malicious network traffic to a honeypot after any intrusion attempt is detected. Attackers can identify such honeypots by examining specific TCP/IP parameters such as the round-trip time (RTT), time to live (TTL), and TCP timestamp. Which technique is this?

A. User-Mode Linux (UML)
B. Fake AP
C. Snort_inline
D. Bait and switch

A

Correct Answer: D. Bait and switch

90
Q

Which honeypot detection tool has the following features?

Checks lists of HTTPS, SOCKS4, and SOCKS5 proxies with any ports
Checks several remote or local proxylists at once
Can upload “Valid proxies” and “All except honeypots” files to FTP
Can process proxylists automatically every specified period
May be used for usual proxylist validating as well

A. WAN Killer
B. Send-Safe Honeypot Hunter
C. Ostinato
D. WireEdit

A

Correct Answer: B. Send-Safe Honeypot Hunter

91
Q

Which of the following methods is NOT a countermeasure to defend against IDS evasions?

A. Regularly update the antivirus signature database
B. Never define the DNS server for client resolver in routers
C. Shut down switch ports associated with known attack hosts
D. Train users to identify attack patterns

A

Correct Answer: B. Never define the DNS server for client resolver in routers

92
Q

Which of the following countermeasures allows security professionals to defend against IDS evasion?

A. Always open switch ports associated with known attack hosts
B. Never store the attack information for future analysis
C. Avoiding traffic normalization solutions at the IDS to protect the system from evasions
D. Use the TCP FIN or Reset (RST) packet to terminate malicious TCP sessions

A

Correct Answer: D. Use the TCP FIN or Reset (RST) packet to terminate malicious TCP sessions

93
Q

Riya wants to defend against the polymorphic shellcode problem. What countermeasure should she take against this IDS evasion technique?

A. Configure a remote syslog server and apply strict measures to protect it from malicious users
B. Look for the nop opcode other than 0x90
C. Catalog and review all inbound and outbound traffic
D. Disable all FTP connections to or from the network

A

Correct Answer: B. Look for the nop opcode other than 0x90

94
Q

Which of the following practices makes an organization’s network susceptible to IDS evasion attempts?

A. Perform an in-depth analysis of ambiguous network traffic for all possible threats
B. Allow malicious script injection in snort rules directory
C. Use TCP FIN or Reset (RST) packet to terminate malicious TCP sessions
D. Look for the nop opcode other than 0x90 to defend against the polymorphic shellcode problem

A

Correct Answer: B. Allow malicious script injection in snort rules directory

95
Q

Which of the following practices helps security professionals defend their organizational network against IDS evasion attempts?

A. Ensure that the packets are arriving from a path secured with IDS
B. Do not store the attack information for future analysis
C. Look for 0x90 other than nop opcode to defend against the polymorphic shellcode problem
D. Never use a traffic normalizer to remove potential ambiguity from the packet stream

A

Correct Answer: A. Ensure that the packets are arriving from a path secured with IDS

96
Q

Which of the following practices helps security professionals defend their network against firewall bypass attempts?

A. By default, enable all FTP connections to or from the network
B. Never configure a remote syslog server
C. Use HTTP Evader to run automated testing for suspected firewall evasions
D. The firewall should be configured such that the IP address of an intruder should not be filtered out

A

Correct Answer: C. Use HTTP Evader to run automated testing for suspected firewall evasions

97
Q

Which of the following practices makes an organization’s network susceptible to firewall evasion attempts?

A. Specify the source and destination IP addresses as well as the ports
B. Do not use HTTP Evader to run automated testing for suspected firewall evasions
C. Run regular risk queries to identify vulnerable firewall rules
D. Monitor user access to firewalls and control who can modify the firewall configuration

A

Correct Answer: B. Do not use HTTP Evader to run automated testing for suspected firewall evasions

98
Q

Which of the following is a honeypot application that captures rootkits and other malware that hijack the read() system call?

A. Sebek
B. Bait and switch
C. Tar pits
D. Fake AP

A

Correct Answer: A. Sebek

99
Q

How do attackers identify the presence of layer 7 tar pits?

A. By looking at the IEEE standards for the current range of MAC addresses
B. By looking at the latency of the response from the service
C. By analyzing the TCP window size
D. By looking at the responses with unique MAC address 0:0:f:ff:ff:ff

A

Correct Answer: B. By looking at the latency of the response from the service