Module 5 All Possible Questions Flashcards

1
Q

Which of the following best describes steganography?
A. Steganography is used to hide information within existing files.
B. Steganography is used to create hash values of existing files.
C. Steganography is used to encrypt data communications, allowing files to be passed unseen.
D. Steganography is used to create multimedia communication files.

A

A. Steganography is designed to place information in files where it will lie hidden until needed. Information can be hidden in virtually any file, although image and video files are traditionally associated with steganography. Option C describes encryption, which scrambles content rather than concealing its existence.

2
Q
Which encryption standard is used by LM?
A. MD5
B. SHA-1
C. DES
D. SHA-2
E. 3DES
A

C. LAN Manager (LM), an old and outdated authentication system, used DES. DES is a block cipher rather than a hash function: LM builds its password "hash" by uppercasing the password, padding it with null bytes to 14 characters, and using each 7-character half as a DES key to encrypt a fixed constant. The two results are concatenated to form the stored value.

3
Q

Which of the following would be considered a passive online password attack?
A. Guessing passwords against an IPC$ share
B. Sniffing subnet traffic to intercept a password
C. Running John the Ripper on a stolen copy of the SAM
D. Sending a specially crafted PDF to a user for that user to open

A

B. Passive online attacks simply involve sniffing passwords passed in clear text, or capturing the entire authentication exchange in the hope of pulling off a replay or man-in-the-middle attack. The attacker sends nothing to the target; guessing against a share (A) is an active online attack, cracking a stolen SAM (C) is offline, and a malicious PDF (D) is a client-side attack.

4
Q
A user on Joe's network does not need to remember a long password. Users on Joe's network log in using a token and a four-digit PIN. Which authentication measure best describes this?
A. Multifactor authentication
B. Three-factor authentication
C. Two-factor authentication
D. Token authentication
A

C. Because Joe's users need something they have (a token) and something they know (the PIN), this is considered two-factor authentication.

5
Q

Which of the following best describes a hybrid attack?
A. The attack uses a dictionary list, trying words from random locations in the file until the password is cracked.
B. The attack tries random combinations of characters until the password is cracked.
C. The attack uses a dictionary list, substituting letters, numbers, and characters in the words until the password is cracked.
D. The attack uses rainbow tables, randomly attempting hash values throughout the list until the password is cracked.

A

C. The hybrid attack takes any old dictionary list and juices it up a little. It will substitute numbers for letters, inject a character or two, and run all sorts of hybrid versions of your word list in an attempt to crack passwords.

6
Q

While pen-testing a client, you discover that LM hashing, with no salting, is still engaged for backward compatibility on most systems. One stolen password hash reads 9FAF6B755DC38E12AAD3B435B51404EE. Is this user following good password procedures?
A. Yes, the hash shows a 14-character, complex password.
B. No, the hash shows a 14-character password; however, it is not complex.
C. No, the hash reveals a seven-character-or-less password has been used.
D. It is impossible to determine simply by looking at the hash.

A

C. LM uppercases the password, pads it with null bytes to reach 14 characters, splits it into two 7-character halves, and uses each half as a DES key to encrypt a fixed constant; the two results are concatenated. Because the value produced by seven null bytes is always AAD3B435B51404EE, a hash whose second half is AAD3B435B51404EE tells you the user has used only seven or fewer characters in the password (and a hash of AAD3B435B51404EEAAD3B435B51404EE means the password is empty or LM storage is disabled). Because CEH has recommended that a password be a minimum of eight characters, be complex, and expire after 30 days, the user is not following good policy.

7
Q
Where is the SAM file stored on a Windows 7 system?
A. \etc\
B. C:\Windows\System32\etc\
C. C:\Windows\System32\Config\
D. C:\Windows\System32\Drivers\Config
A

C. The SAM file is stored in the same folder on most Windows machines: C:\Windows\System32\Config. The running system keeps the file locked, so copying it requires administrator privileges and a technique such as saving the registry hive (reg save HKLM\SAM) or reading the file from a volume shadow copy.

8
Q

Examining a database server during routine maintenance you discover an hour of time missing from the log file, during what would otherwise be normal operating hours. Further investigation reveals no user complaints on accessibility. Which of the following is the most likely explanation?
A. The log file is simply corrupted.
B. The server was compromised by an attacker.
C. The server was rebooted.
D. No activity occurred during the hour time frame.

A

B. It’s a database server during normal business hours and there’s nothing in the log? Forget the fact a reboot would’ve shown up somewhere–none of the users complained about it being down at all. No, we think this one is going to require some forensics work. Call the IR team.

9
Q
Which of the following can migrate the machine's actual operating system into a virtual machine?
A. Hypervisor-level rootkit
B. Kernel-level rootkit
C. Virtual rootkit
D. Library-level rootkit
A

A. The hypervisor-level rootkit is defined by ECC as one that basically replaces your physical OS with a virtual one.

10
Q

After gaining access to a Windows machine, you see the last command executed on the box looks like this:

net use F: \\MATTBOX\BankFiles /persistent:yes

Assuming the user had appropriate credentials, which of the following are true? (Choose all that apply)
A. In Windows Explorer, a folder will appear under the root directory named BankFiles.
B. In Windows Explorer, a drive will appear denoted as BankFiles (\\MATTBOX) (F:).
C. The mapped drive will remain mapped after a reboot.
D. The mapped drive will not remain mapped after a reboot

A

B, C. Net use commands were the rage back in the day. This command connects to the shared folder BankFiles on MATTBOX and maps it as drive F: on the local machine. The /persistent:yes portion saves the mapping in the user's profile so it is reconnected at every logon, including after a reboot, until it is removed with net use F: /delete.

11
Q
An attacker has hidden badfile.exe in the readme.txt file. Which of the following is the correct command to execute the file?
A. start readme.txt>badfile.exe
B. start readme.txt:badfile.exe
C. start badfile.exe>readme.txt
D. start badfile.exe | readme.txt
A

B. The command start readme.txt:badfile.exe says "Start the executable badfile.exe that is hidden in the alternate data stream of readme.txt." In other variants of this question, the bad guy could create a link and execute it simply by typing the link name (for example, mklink innocent.exe readme.txt:badfile.exe would create a link and the bad file could be executed simply by typing innocent; mklink requires the create-symbolic-link privilege, which by default only administrators hold). Newer Windows versions refuse to launch an executable directly from a stream with start, but this is still the answer the CEH material expects.

12
Q

You see the following command in a Linux history file review: someproc &

Which of the following best describes the command result? (Choose two)
A. The process “someproc” will stop when the user logs out.
B. The process “someproc” will continue to run when the user logs out.
C. The process “someproc” will run as a background task.
D. The process “someproc” will prompt the user when logging off

A

A, C. The ampersand (&) after the command tells the shell to run the process as a background job. Without something that detaches it from the login session (for example, prefixing the command with nohup, or using disown or setsid), the shell's hangup signal (SIGHUP) at logout terminates it.

13
Q

You are examining test logs from the day’s pen test activities and note the following entries on a Windows 8 machine:
Which of the following is true regarding the code listing?

A. The team member added a user account.
B. The team member switched his login to that of a different user.
C. The team member changed the password of a user.
D. The team member renamed a user account.

A

C. The team member changed the password of a user.

14
Q

Amanda works as a security administrator for a large organization. She discovers some remote tools installed on a server and has no record of a change request asking for them. After some investigation, she discovers an unknown IP address connection that was able to access the network through a high-level port that was not closed. The IP address is first traced to a proxy server in Mexico. Further investigation shows the connection bounced between several proxy servers in many locations. Which of the following is the most likely proxy tool used by the attacker to cover his tracks?

A. ISA proxy
B. IAS proxy
C. TOR proxy
D. Netcat

A

C. Tor routes a connection through a chain of volunteer relays, so the source address the victim sees belongs to an exit node rather than to the attacker, which matches the hop-by-hop trace described. ISA (a Microsoft firewall/proxy product) and IAS (Microsoft's RADIUS server) are not anonymizing proxies, and netcat is a raw TCP/UDP connection tool.

15
Q
The following HOSTS file was pulled during an incident response:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#

Which of the following best describes the HOSTS file?

A. A user on the machine attempting to go to check their bank account at mybank.com will be directed to a Chinese IP address instead.
B. A user on the machine attempting to go to google.com will receive an HTTP return code of 400.
C. A user on the machine attempting to go to gmail.com will redirect to the local host.
D. Any DNS resolution to IP 220.181.0.16 will be redirected to one of the five sites listed in round-robin fashion.

A

A
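The entries of the HOSTS file from this question are not reproduced on this page, only its comment header. The following is an added example (not part of the original flashcards) of the check an incident responder would run over a pulled HOSTS file: it parses the file, ignores the loopback and ::1 mappings for localhost, and flags names that are black-holed to loopback or 0.0.0.0 or pinned to an address outside the organisation's own ranges. The sample file, the ORG_NETS ranges and the WATCH_SUFFIXES list are constructed for the example and would come from the organisation's own inventory in practice.

```python
import ipaddress

# Constructed sample HOSTS file for this example; the file pulled during the
# incident is not reproduced on this page.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.16    www.mybank.com         # constructed: bank domain pinned to an outside address
203.0.113.16    mybank.com
127.0.0.1       www.google.com         # constructed: search engine black-holed to loopback
0.0.0.0         update.example-av.com  # constructed: AV update server null-routed
192.168.1.20    intranet.corp.local
"""

# Address space the organisation controls (hypothetical); internal names mapped
# into these ranges are expected and not reported.
ORG_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# External names a hijacked HOSTS file typically targets (hypothetical watch list).
WATCH_SUFFIXES = ("mybank.com", "google.com", "gmail.com", "example-av.com")


def parse_hosts(text):
    """Yield (ip, [hostnames], comment) for each non-comment line of a HOSTS file."""
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        parts = line.split()
        if not parts:
            continue
        yield parts[0], parts[1:], comment.strip()


def classify(ip_text, host):
    """Return a finding label for one ip/host pair, or None when it looks benign."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed-ip"
    if host.lower() in ("localhost", "localhost.localdomain"):
        return None
    if ip.is_loopback or ip.is_unspecified:
        return "blackholed"        # name resolves to 127/8, ::1 or 0.0.0.0: site unreachable
    if any(ip in net for net in ORG_NETS):
        return None                # internal name mapped into the org's own space
    if host.lower().endswith(WATCH_SUFFIXES):
        return "hijacked"          # public name pinned to an address the org does not control
    return "pinned-public"         # not on the watch list, but still worth a look


def audit_hosts(text):
    """Return [(label, hostname, ip)] for every suspicious mapping in the file."""
    findings = []
    for ip, hosts, _ in parse_hosts(text):
        for host in hosts:
            label = classify(ip, host)
            if label:
                findings.append((label, host, ip))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("%-14s %-24s -> %s" % finding)
```

Run against the sample, the two mybank.com names come back as hijacked and the google and AV-update names as blackholed; the localhost and intranet lines are silent. The org ranges are checked explicitly rather than with ipaddress's is_private, because that property also treats documentation ranges such as 203.0.113.0/24 as non-global.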

16
Q
Which of the following opens the Computer Management MMC in a Windows command line?
A. compmgmt.mmc
B. compmgmt.msc
C. compmgmt.exe
D. computermgmt.exe
A

B. Management consoles are .msc snap-in files that mmc.exe loads; compmgmt.msc opens Computer Management.

17
Q

Which of the following will extract an executable file from NTFS streaming?
A. c:> cat file1.txt:hidden.exe > visible.exe
B. c:> more file1.txt | hidden.exe > visible.exe
C. c:> type notepad.exe > file1.txt:hidden.exe
D. c:> list file1.txt$hidden.exe > visible.exe

A

A. Redirecting the stream's contents into an ordinary file recovers the hidden executable. Note that cat is not a native cmd.exe command (it comes with Cygwin or a Unix toolkit for Windows); the commonly cited native equivalent is more < file1.txt:hidden.exe > visible.exe, where the shell's redirection opens the stream.

18
Q
Which command is used to allow all privileges to the user, read-only to the group, and read-only for all others to a particular file, on a Linux machine?
A. chmod 411 file1
B. chmod 114 file1
C. chmod 117 file1
D. chmod 711 file1
E. chmod 744 file1
A

E. The octal digits are owner, group, others: read is 4, write is 2, execute is 1. All privileges for the owner is 7, read-only for the group is 4, and read-only for others is 4, so the command is chmod 744 file1. Option D (711) would give the group and others execute-only access, not read.

19
Q

Examine the following passwd file:

Which of the following statements are true regarding this passwd file? (Choose all that apply.)

A. None of the user accounts has passwords assigned.
B. The system makes use of the shadow file.
C. The root account password is root.
D. The root account has a shadowed password.
E. Files created by Alecia will initially be viewable by Jason.

A

B, D, E. An x in the second field of an entry means the password hash lives in /etc/shadow, so the system uses the shadow file and the root password is shadowed (and option C cannot be read from this file). E is true when Alecia and Jason share a primary group (GID), because with the usual default umask of 022 a newly created file is group-readable.
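The passwd file from this question is not reproduced on the page. As an added example (not from the original flashcards), here is the audit a reviewer would run over such a file: it parses the seven colon-separated fields, reports empty password fields, hashes stored in passwd instead of shadow, extra UID 0 accounts, and users who share a primary group and therefore can read each other's new files under the default umask. The sample file is constructed for the example, including the placeholder hash on the legacy account.

```python
from collections import defaultdict

# Constructed sample /etc/passwd for this example; the file from the question
# is not reproduced on this page. The legacy hash is a made-up placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jason:x:1001:100:Jason:/home/jason:/bin/bash
alecia:x:1002:100:Alecia:/home/alecia:/bin/bash
backdoor:x:0:0::/tmp:/bin/sh
legacy:$1$saltsalt$Q3Wv0bG8z2ZJ1kN7pY4rT/:1003:1003:old box:/home/legacy:/bin/sh
guest::1004:1004:no password:/home/guest:/bin/sh
"""


def parse_passwd(text):
    """Parse passwd lines into dicts; raises on a line that does not have 7 fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def password_field_status(pw):
    """Interpret the second field: '' is no password, 'x' means shadowed,
    '*' or '!' prefixes mean locked, anything else is a hash exposed in passwd."""
    if pw == "":
        return "empty-password"
    if pw == "x":
        return "shadowed"
    if pw.startswith(("*", "!")):
        return "locked"
    return "hash-in-passwd"


def uses_shadow(entries):
    return any(e["pw"] == "x" for e in entries)


def same_primary_group(entries, user_a, user_b):
    """True when two users have the same primary GID, so with umask 022 a file
    created by one is readable by the other."""
    gids = {e["name"]: e["gid"] for e in entries}
    return gids[user_a] == gids[user_b]


def audit_passwd(entries):
    """Return a list of findings; each is a tuple starting with a label."""
    findings = []
    for e in entries:
        status = password_field_status(e["pw"])
        if status in ("empty-password", "hash-in-passwd"):
            findings.append((status, e["name"]))
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("extra-uid0", e["name"]))
    # Group human accounts (UID >= 1000 on most distributions) by primary GID.
    by_gid = defaultdict(list)
    for e in entries:
        if e["uid"] >= 1000:
            by_gid[e["gid"]].append(e["name"])
    for gid, names in sorted(by_gid.items()):
        if len(names) > 1:
            findings.append(("shared-primary-group", gid, names))
    return findings


if __name__ == "__main__":
    rows = parse_passwd(SAMPLE_PASSWD)
    print("shadow in use:", uses_shadow(rows))
    for finding in audit_passwd(rows):
        print(finding)
```

On the sample this reports guest (empty password field), legacy (hash readable by everyone in passwd), backdoor (a second UID 0 account) and the shared group 100 between jason and alecia.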

20
Q
You are attempting to hack a Windows machine and want to gain a copy of the SAM file. Where can you find it? (Choose all that apply.)
A. /etc/passwd
B. /etc/shadow
C. c:\windows\system32\config
D. c:\winnt\config
E. c:\windows\repair
A

C, E. The live hive is at c:\windows\system32\config, and the repair folder may hold an unlocked backup copy written by older Windows repair tools. Options A and B are Linux password files, and c:\winnt\config is not a real path (Windows NT 4 kept its hives under c:\winnt\system32\config).

21
Q

Which of the following statements are true concerning Kerberos? (Choose all that apply.)
A. Kerberos uses symmetric encryption.
B. Kerberos uses asymmetric encryption.
C. Clients ask for authentication tickets from the KDC in clear text.
D. KDC responses to clients never include a password.
E. Clients decrypt a TGT from the server.

A

A, B, C, D, E. Kerberos uses symmetric keys for its tickets and session keys and can use public-key cryptography for the initial authentication (PKINIT); the client's first request to the KDC is sent in clear text, and the KDC never returns a password, only keys and tickets. Strictly, what the client decrypts is the part of the KDC's reply encrypted under the client's own key, which yields the TGS session key; the TGT itself is encrypted under the KDC's key and stays opaque to the client.

22
Q

What is the difference between a dictionary attack and a hybrid attack?
A. Dictionary attacks are based solely on word lists, whereas hybrid attacks make use of both word lists and rainbow tables.
B. Dictionary attacks are based solely on whole word lists, whereas hybrid attacks can use a variety of letters, numbers, and special characters.
C. Dictionary attacks use predefined word lists, whereas hybrid attacks substitute numbers and symbols within those words.
D. Hybrid and dictionary attacks are the same.

A

C

23
Q

Which of the following contains a listing of port numbers for well-known services defined by IANA?
A. %windir%\etc\lists
B. %windir%\system32\drivers\etc\lmhosts
C. %windir%\system32\drivers\etc\services
D. %windir%\system32\drivers\etc\hosts

A

C

24
Q

Which of the following SIDs indicates the true administrator account?
A. S-1-5-21-1388762127-2960977290-773940301-1100
B. S-1-5-21-1388762127-2960977290-773940301-1101
C. S-1-5-21-1388762127-2960977290-773940301-500
D. S-1-5-21-1388762127-2960977290-773940301-501

A

C. In a Windows system, the built-in administrator account always has a relative identifier (RID) of 500, the last field of the SID, and renaming the account does not change it. RID 501 is the built-in Guest account, and user-created accounts receive RIDs of 1000 and higher.

25
Q
In which step of EC-Council's system hacking methodology would you find steganography?
A. Cracking passwords
B. Escalating privileges
C. Executing applications
D. Hiding files
E. Covering tracks
A

D

26
Q

A review of the command history on a Linux box shows the following command entered:

env x='() { :;}; echo exploit' bash -c 'cat /etc/passwd'

Which of the following is the best description of what the attacker is attempting to accomplish?

A. Add a user to the system.

B. Elevate current login privileges.

C. Change passwords for users.

D. Display password file contents.

A

D. The assignment x='() { :;}; echo exploit' is a Shellshock (CVE-2014-6271) probe: a vulnerable bash imports the exported function and also runs the trailing echo. The program env then launches is bash -c 'cat /etc/passwd', whose purpose is to display the password file.
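Added example (not from the original flashcards): detection logic for the pattern in the command above. A Shellshock payload is an environment value that begins with the function-export marker () { and carries a command after the closing brace. The code extracts that trailing command from a shell command line like the one in the question (parsed with shlex, so the quoting is handled the same way the shell would) and from HTTP request headers, which were the common remote delivery path. The header lines are constructed samples.

```python
import re
import shlex

# A value that starts with the function-export marker and has a command after the
# closing brace; the trailing command is what a vulnerable bash executed.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{.*?\}\s*;\s*(\S.*)$")


def shellshock_payload(value):
    """Return the injected command if `value` is a Shellshock payload, else None."""
    m = SHELLSHOCK_RE.match(value)
    return m.group(1).strip() if m else None


def scan_env_command(cmdline):
    """For a command line of the form `env VAR=value ... program`, return
    [(var, payload)] for every assignment that carries a Shellshock payload."""
    argv = shlex.split(cmdline)
    hits = []
    if not argv or argv[0] != "env":
        return hits
    for arg in argv[1:]:
        if arg.startswith("-"):
            continue                    # an env option such as -i
        if "=" not in arg:
            break                       # first non-assignment is the program env runs
        var, _, value = arg.partition("=")
        payload = shellshock_payload(value)
        if payload:
            hits.append((var, payload))
    return hits


def scan_headers(lines):
    """Return [(header, payload)] for request header lines carrying a payload."""
    hits = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        payload = shellshock_payload(value.strip())
        if payload:
            hits.append((name.strip(), payload))
    return hits


# Constructed sample request headers for the example.
SAMPLE_HEADERS = [
    "Host: www.example.com",
    "User-Agent: () { :; }; /bin/bash -c 'cat /etc/passwd'",
    "Referer: () { :; }; /usr/bin/id",
    "Accept: */*",
    "Cookie: session=() { not at the start of the value, so not a payload }",
]

if __name__ == "__main__":
    print(scan_env_command("env x='() { :;}; echo exploit' bash -c 'cat /etc/passwd'"))
    print(scan_headers(SAMPLE_HEADERS))
```

A legitimately exported function such as () { echo hi; } has nothing after its closing brace and is not reported, which is the same distinction the bash fix draws.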

27
Q

You are examining LM password hashes and see the following:

3A02DF5289CF6EEFAAD3B435B51404EE

Which of the following passwords is most likely to have created the hash?

A. 123456789

B. CEHISHARD

C. c3HisH@RD!

D. CEHhard

A

D. The second half of the hash is AAD3B435B51404EE, the LM value for seven null bytes of padding, so the password is seven characters or fewer; CEHhard is the only option of that length. LM uppercases its input before hashing, so the mixed case of CEHhard makes no difference to the result.
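Added example (not from the original flashcards) covering the checks from the LM-hash questions (6 and 27) and the RID question (24) in one pass: it reads pwdump-style lines (user:RID:LM hash:NT hash:::), identifies the true administrator and guest accounts by RID rather than by name, classifies each LM hash by whether its second half is the null-padding constant, flags empty NT passwords, and reports NT hashes shared between accounts. The sample dump is constructed; the two LM hashes from the questions are reused as-is and the NT hashes are placeholders, except the empty-password NT hash, which is a well-known constant.

```python
from collections import defaultdict

EMPTY_LM_HALF = "aad3b435b51404ee"                 # LM result for seven null bytes of padding
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"      # NT hash of an empty password

# Constructed pwdump-style sample. NT hashes other than EMPTY_NT are placeholders.
# Note the renamed true administrator (RID 500) and a decoy named Administrator.
SAMPLE_PWDUMP = """\
Administrator:1100:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
sysadmin:500:9faf6b755dc38e12aad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jsmith:1101:3a02df5289cf6eefaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
svc_backup:1102:1c4a4d8f0c2e6b7a9d3e5f6071829304:2b3c4d5e6f708192a3b4c5d6e7f80911:::
"""


def rid_of(sid):
    """Relative identifier: the last dash-separated field of a SID."""
    return int(sid.rsplit("-", 1)[1])


def is_builtin_admin(sid):
    return rid_of(sid) == 500


def parse_pwdump(text):
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError("malformed pwdump line: %r" % line)
        rows.append({"name": parts[0], "rid": int(parts[1]),
                     "lm": parts[2].lower(), "nt": parts[3].lower()})
    return rows


def lm_status(lm):
    """Classify an LM hash from its two 16-hex-digit halves."""
    lm = lm.lower()
    if len(lm) != 32:
        return "lm-malformed"
    first, second = lm[:16], lm[16:]
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        return "lm-not-stored"         # LM disabled, or the password is empty
    if second == EMPTY_LM_HALF:
        return "lm-short-password"     # seven characters or fewer
    return "lm-long-password"          # 8 to 14 characters, still two 7-char DES halves


def audit_pwdump(rows):
    findings = []
    by_nt = defaultdict(list)
    for r in rows:
        if r["rid"] == 500:
            findings.append(("rid-500-true-admin", r["name"]))
        elif r["rid"] == 501:
            findings.append(("rid-501-guest", r["name"]))
        if r["name"].lower() == "administrator" and r["rid"] != 500:
            findings.append(("named-admin-not-rid-500", r["name"]))
        findings.append((lm_status(r["lm"]), r["name"]))
        if r["nt"] == EMPTY_NT:
            findings.append(("empty-password", r["name"]))
        by_nt[r["nt"]].append(r["name"])
    for nt, names in by_nt.items():
        if len(names) > 1 and nt != EMPTY_NT:
            findings.append(("password-reuse", names))   # same NT hash, same password
    return findings


if __name__ == "__main__":
    for finding in audit_pwdump(parse_pwdump(SAMPLE_PWDUMP)):
        print(finding)
```

The RID check is the point of question 24: the account named Administrator here has RID 1100 and is a decoy, while sysadmin carries RID 500 and is the real built-in administrator. The LM classification does not need DES at all, because only the padding constant in the second half is being tested.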

28
Q

You are examining history logs on a Linux machine and note the attacker added an ampersand (&) after a few process commands. Which of the following is true regarding this?

A. The & symbol has no effect on the process command.

B. The & symbol runs the process as a background task and closes it when the user logs off.

C. The & symbol ensures the process continues to run after the user logs off.

D. The & symbol concatenates the process to subsequent commands.

A

B. A backgrounded job still belongs to the login shell's session; when the user logs off the shell sends it a hangup signal (SIGHUP) and it terminates, unless it was started with nohup or detached with disown or setsid.

29
Q

Which of the following are considered offline password attacks? (Choose all that apply.)

A. Using a hardware keylogger

B. Brute-force cracking with Cain and Abel on a stolen SAM file

C. Using John the Ripper on a stolen passwd file

D. Shoulder surfing

A

A, B, C

30
Q

Examine the following portion of a log file, captured during a hacking attempt:


What was the attacker attempting to do?

A. Copy files for later examination

B. Cover his tracks

C. Change the shell to lock out other users

D. Upload a rootkit

A

B

31
Q

You suspect a hack has occurred against your Linux machine. Which command will display all running processes for you to review?

A. ls -d

B. ls -l

C. su

D. ps -ef

E. ifconfig

A

D. The ps command is used in Linux to display processes. The -e switch selects all processes, running or not, and the -f switch provides a full listing.

32
Q

An organization wants to control network traffic and perform stateful inspection of traffic going into and out of their DMZ. Which built-in functionality of Linux can achieve this?

A. iptables

B. ipchains

C. ipsniffer

D. ipfirewall

A

A. iptables is a user-space program shipped with Linux for configuring the packet-filtering tables of the kernel's netfilter firewall, including stateful rules based on connection tracking. ipchains is its predecessor from the 2.2 kernel era; on current distributions the iptables command is often a compatibility front end to nftables.

33
Q

Which of the following best describes Cygwin?

A. Cygwin is a Unix subsystem running on top of Windows.

B. Cygwin is a Windows subsystem running on top of Unix.

C. Cygwin is a C++ compiler.

D. Cygwin is a password-cracking tool.

A

A. Cygwin (http://www.cygwin.com/) provides a Linux-like environment for Windows.

34
Q

Which folder in Linux holds administrative commands and daemons?

A. /sbin

B. /bin

C. /dev

D. /mnt

E. /usr

A

A. The system binaries folder, /sbin, holds commands meant for the administrator (such as fsck and ifconfig) along with many of the background services Linux runs (daemons); /usr/sbin holds more of them. /bin holds commands for all users, and /etc holds configuration files rather than commands.

35
Q

Which of the following is the appropriate means to pivot within a Metasploit attack session?

A. Use the pivot exploit outside meterpreter.

B. Reconfigure network settings in meterpreter.

C. Set the payload to propagate.

D. Create a route statement in the meterpreter.

A

D. Pivoting is the technique of using a compromised host (also referred to as a plant or foothold) to reach other systems inside a network. In Metasploit this is done with a route entry that sends traffic for the internal subnet through the existing session: run autoroute -s <subnet> from the meterpreter session, or route add <subnet> <netmask> <session id> from the msfconsole prompt.

36
Q

You are examining files on a Windows machine and note one file’s attributes include “h.” What does this indicate?

A. The file is flagged for backup.

B. The file is part of the help function.

C. The file is fragmented because of size.

D. The file has been quarantined by an antivirus program.

E. The file is hidden.

A

E. The hidden attribute can be set on any file to keep it out of a normal directory listing. dir /a:h lists hidden files, and attrib shows or changes the flag (attrib -h file removes it).

37
Q

An attacker has gained access to an internal system. Using Metasploit, he accesses and attacks other internal systems. Which of the following terms best describe the action taken?

A. Attack splitting

B. Pivoting

C. Attack swinging

D. Hinging

A

B

38
Q

Which of the following tools can assist in discovering the use of NTFS file streams? (Choose all that apply.)

A. LADS

B. ADS Spy

C. Sfind

D. Snow

A

A, B, C.

39
Q

Which authentication method uses DES for encryption and forces 14-character passwords for hash storage?

A. NTLMv1

B. NTLMv2

C. LAN Manager

D. Kerberos

A

C. LAN Manager is the oldest of the Windows authentication models; it originated with OS/2 LAN Manager in the late 1980s and was still used by Windows 9x. NTLMv1 and NTLMv2 replaced it, but LM hashes were still stored by default through Windows XP and Server 2003 for backward compatibility, which is why they still turn up in password dumps.