Practice Exam 2 Flashcards
PE2.1 You are attempting to find out the operating system and CPU type of systems in your target organization. The DNS server you want to use for lookup is named ADNS_Server, and the target machine you want the information on is ATARGET_SYSTEM.
Which of the following nslookup command series is the best choice for discovering this information? (The output of the commands is redacted.)
A. > server ADNS_SERVER ... > set type=HINFO > ATARGET_SYSTEM ...
B. > server ATARGET_SYSTEM ... > set type=HINFO > ADNS_SERVER ...
C. > server ADNS_SERVER ... > set ATARGET_SYSTEM > type=HINFO ...
D. > server type=HINFO ... > set ADNS_SERVER > ATARGET_SYSTEM ...
A
A. This question gets you on two fronts. One regards knowledge of HINFO, and the other is nslookup use. First, the DNS record HINFO (per RFC 1035) is a resource type that identifies values for CPU type and operating system. Are you absolutely required to include an HINFO record for each host in your network? No, not at all. Should you? I’m sure there’s some reason, somewhere and sometime, that adding HINFO makes sense, but I certainly can’t think of one. In other words, this is a great record type to remember for your exam, but your chances of seeing it in use in the real world rank somewhere between seeing lobster on the menu at McDonald’s and catching a leprechaun riding a unicorn through your backyard.
Nslookup syntax is the second portion of this question, and you’ll definitely need to know it. The syntax for the tool is fairly simple:
nslookup [-options] {hostname | [-server]}
The command can be run as a single instance, providing information based on the options you choose, or you can run it in interactive mode, where the command runs as a tool, awaiting input from you. For example, on a Microsoft Windows machine, if you simply type nslookup at the prompt, you’ll see a display showing your default DNS server and its associated IP address. From there, nslookup sits patiently, waiting for you to ask whatever you want (as an aside, this is known as interactive mode). Typing a question mark shows all the options and switches you have available.
B, C, and D are incorrect because the syntax does not match.
PE2.2 A pen test team member sends an e-mail to an address that she knows is not valid inside an organization. Which of the following is the best explanation for why she took this action?
A. To possibly gather information about internal hosts used in the organization’s e-mail system
B. To start a denial-of-service attack
C. To determine an e-mail administrator’s contact information
D. To gather information about how e-mail systems deal with invalidly addressed messages
A
A. The thought process behind this is a lot like banner grabbing or any of a hundred different forced-error situations in hacking: lots of information can be gleaned from responses to an error situation. A bogus internal address has the potential to provide more information about the internal servers used in the organization, including IP addresses and other pertinent details.
B is incorrect because a bogus e-mail doesn’t necessarily indicate the beginning of a DoS attack.
C is incorrect because the e-mail administrator’s contact information is not sent on invalid e-mail responses.
D is incorrect because the pen tester would already know how systems deal with bogus e-mail addresses—what she wouldn’t know is what servers inside this particular organization carry out those steps.
PE2.3 From the partial e-mail header provided, which of the following represents the true originator of the e-mail message?
Return-path:
Delivery-date: Tue, 12 Mar 2019 00:31:13 +0200
Received: from mailexchanger.anotherbiz.com([220.15.10.254])
by mailserver.anotherbiz.com running ExIM with esmtp
id xxxxxx-xxxxxx-xxx; Tue, 12 Mar 2019 01:39:23 +0200
Received: from mailserver.anybiz.com ([158.190.50.254] helo=mailserver.anybiz.com)
by mailexchanger.anotherbiz.com with esmtp id xxxxxx-xxxxxx-xx for USERJOE@anotherbiz.com; Tue, 12 Mar 2019 01:39:23 +0200
Received: from SOMEONEComputer [217.88.53.154] (helo=[SOMEONEcomputer]) by mailserver.anybiz.com with esmtpa (Exim x.xx) (envelope-from
Date: Mon, 11 Mar 2019 20:36:01 -0100
X-Mailer: Mail Client
From: SOMEONE Name
To: USERJOE Name
Subject: Something to consider …
A. 220.15.10.254
B. 158.190.50.254
C. 217.88.53.154
D. The e-mail header does not show this information.
Ch 3.3
C. E-mail headers are packed with information showing the entire route the message has taken, and I can guarantee you’ll see at least one question on your exam about them. You’ll most likely be asked to identify the true originator—the machine (person) who sent the e-mail in the first place (even though in the real world with proxies and whatnot to hide behind, it may be impossible). This is clearly shown in line 9: Received: from SOMEONEComputer [217.88.53.154] (helo=[SOMEONEcomputer]). But don’t just study and rely on that one section. Watch the entire trek the message takes and make note of the IPs along the way.
A and B are incorrect because these IPs do not represent the true originator of the message. They show e-mail servers that are passing/handling the message.
D is incorrect because the e-mail header definitely shows the true originator.
PE2.4 You are looking for pages with the terms CEH and V10 in their title. Which Google hack is the appropriate one?
A. inurl:CEH inurl:V10
B. allintitle:CEH V10
C. intitle:CEH inurl:V10
D. allinurl:CEH V10
Ch 3.4
B. The Google search operator allintitle searches for pages that contain the string, or strings, you specify. It also allows for the combination of strings in the title, so you can search for more than one term within the title of a page.
A is incorrect because the operator inurl looks only in the URL of the site, not the page title. In this example, the search might bring you to a page like this: http://anyplace.com/apache_Version/pdfs.html.
C is incorrect because the inurl operator isn’t looking in the page title. Yes, you can combine operators, but these two just won’t get this job done.
D is incorrect because allinurl does not look at page titles; it’s concerned only with the URL itself. As with the title searches, this allinurl operator allows you to combine search strings.
PE2.5 You are on a Cisco router and want to identify the path a packet travels to a specific IP. Which of the following is the best command choice for this?
A. ping
B. ifconfig
C. tracert
D. traceroute
Ch 2.5
D. You probably knew, right up front, this was a traceroute question, but the kicker comes when deciding which traceroute command to use. Traceroute, of course, uses ICMP packets and the TTL (Time-To-Live) value to map out a path between originator and destination. The first packet sent uses a TTL of 1, to show the first hop. The next packet sets it to 2, and so on, and so on, until the destination is found. Each ICMP response provides information on the current hop (unless ICMP is being filtered). On a Windows machine, you’d use the command tracert. On Linux (and Cisco for that matter), you’d use traceroute.
A is incorrect because the ping command simply tests for connectivity and to see if the system is “live.” ICMP Echo Request packets are sent to the destination, and ICMP Echo Reply packets are returned with information on the system. Of course, ICMP is often filtered at the host (or firewall) level, so a negative ping response doesn’t necessarily mean the system is down.
B is incorrect because the ifconfig command is used in Linux systems to display information about the system’s network interfaces. Ifconfig allows for configuring, controlling, and querying TCP/IP network interface parameters—for example, setting the IP address and subnet mask (netmask) on a NIC.
C is incorrect because the tracert command will work on a Windows system, but not on a Cisco device.
PE2.6 Which of the following activities are not considered passive footprinting? (Choose two.)
A. Dumpster diving
B. Reviewing financial sites for company information
C. Clicking links within the company’s public website
D. Calling the company’s help desk line
E. Employing passive sniffing
Ch 2.6
D, E. This one may be a little tricky, but only because we live and work in the real world and this is an exam question. EC-Council has several questionable takes on things regarding real-world application and what they say you should remember for your exam, and this is one of those examples. Just remember ECC wants you to know active and passive footprinting can be defined by two things: what you touch and how much discovery risk you put yourself in. Social engineering in and of itself is not all passive or active in nature. In the case of dumpster diving, it’s also considered passive (despite the real-world risk of discovery and the action you have to take to pull it off) according to ECC. However, pick up a phone and call someone inside the company or talk to people in the parking lot, and you’ve exposed yourself to discovery and are now practicing active footprinting. As far as “passive” sniffing goes, sniffing isn’t a footprinting action at all. The term “passive sniffing” concerns the act of simply plugging in and watching what comes by, without any packet interjection or other action required on your part.
A, B, and C are incorrect because these are all examples of passive reconnaissance. Other examples might include checking out DNS records (DNS is publicly available and, per ECC, you can passively footprint an organization by using freely available DNS records) and checking job listings for the company.
PE2.7 Examine the following command sequence:
C:\> nslookup
Default Server: ns1.anybiz.com
Address: 188.87.99.6
> set type=HINFO
> someserver
Server: resolver.anybiz.com
Address: 188.87.100.5
Someserver.anybiz.com CPU=Intel Quad Chip OS=Linux 2.8
Which of the following statements best describes the intent of the command sequence?
A. The operator is enumerating a system named someserver.
B. The operator is attempting DNS poisoning.
C. The operator is attempting a zone transfer.
D. The operator is attempting to find a name server.
A
A. The HINFO record type is one of those really great ideas that was designed to make life easier on everyone yet turned out to be a horrible idea. Defined in RFC 1035, Host Information (HINFO) DNS records were originally intended to provide the type of computer and operating system a host uses (back in the day, you could also put things like room numbers and other descriptions in the record). However, to avoid publicly advertising that information (for obvious reasons), this record type simply is not used much anymore. And if you find one on a public-facing machine, it’s a sure sign of incompetence on the part of the server administrators. In this example, the type is set to HINFO, and a machine name—someserver—is provided. The attacker can use the information contained in the record as an enumeration source.
B is incorrect because DNS poisoning is not carried out this way. In this command sequence, the operator is asking for information, not pushing up false entries to a name server.
C is incorrect because this is not how nslookup is used to perform a zone transfer. To do that, you would use the set type=any command and then ls -d anybiz.com. You’ll more than likely see that on your exam, too.
D is incorrect because checking for name servers in the domain would require the set type=NS command.
PE2.8 An organization has a DNS server located in the DMZ and other DNS servers located on the intranet. What is this implementation commonly called?
A. Dynamic DNS
B. DNSSEC
C. Split DNS
D. Auto DNS
C
C. The idea behind split DNS is pretty simple: create two zones for the same domain, with one just for the internal network while the other is used by any external networks. Internal hosts are directed to the internal domain name server. Separating the domain servers greatly restricts the footprinting an attacker can perform from the outside.
A is incorrect because dynamic DNS doesn’t work this way. In “regular” DNS, a name is tied to a static IP address; however, for any number of reasons, a hosted device may need to change its IP address often. In dynamic DNS, a service provider uses a program that runs on the system, contacting the DNS service each time the IP address changes and subsequently updating the DNS database to reflect the change in IP address. That way, even though a domain name’s IP address changes, users don’t have to do anything out of the ordinary to continue service—the dynamic DNS service will ensure they’re pointed in the right direction.
B is incorrect because Domain Name System Security Extensions (DNSSEC) is a suite of IETF specifications for securing certain kinds of information provided by DNS. Dan Kaminsky made DNS vulnerabilities widely known back around 2010, and most service providers roll this out to ensure that DNS results are cryptographically protected. It’s designed to provide origin authentication of DNS data and data integrity.
D is incorrect because this term simply doesn’t exist. It’s here purely as a distractor.
PE2.9 You are setting up DNS for your enterprise. Server A is both a web server and an FTP server. You want to advertise both services for this machine as name references your customers can use. Which DNS record type would you use to accomplish this?
A. NS
B. SOA
C. MX
D. PTR
E. CNAME
E
E. We all know—or should know by now—that a hostname can be mapped to an IP using an A record within DNS. CNAME records provide for aliases within the zone on that name. For instance, your server might be named mattserver1.matt.com. A sample DNS zone entry to provide HTTP and FTP access might look like this:
ftp.matt.com CNAME mattserver1.matt.com
www.matt.com CNAME mattserver1.matt.com
mattserver1.matt.com A 202.17.77.5
A is incorrect because a Name Server (NS) record shows the name servers within your zone. These servers are the ones that respond to your client’s requests for name resolution.
B is incorrect because the Start of Authority (SOA) entry identifies the primary name server for the zone. The SOA record contains the hostname of the server responsible for all DNS records within the namespace, as well as the basic properties of the domain.
C is incorrect because the Mail Exchange (MX) record identifies the e-mail servers within your domain.
D is incorrect because a Pointer (PTR) record works the opposite to an A record. The pointer maps an IP address to a hostname and is generally used for reverse lookups.
PE2.10 A company has a public-facing web application. Its internal intranet-facing servers are separated and protected by a firewall. Which of the following choices would be helpful in protecting against unwanted enumeration?
A. Allowing zone transfers to ANY
B. Ensuring there are no A records for internal hosts on the public-facing name server
C. Changing the preference number on all MX records to zero
D. Not allowing any DNS query to the public-facing name server
B. If your company has a publicly facing website, it follows that a name server somewhere has to answer lookups in order for your customers to find the site. That name server, however, does not need to provide lookup information to internal machines. Of the choices provided, as silly as it seems to point out, ensuring there are no A records (those used to map hostnames to an IP address) on the external name server is a good start.
A is incorrect because allowing a zone transfer to anyone asking for it is just plain dumb. It may or may not help an attacker enumerate your internal network (maybe you don’t have anything in there to worry about), but it’s just a horrendously bad idea.
C is incorrect because changing the preference number on an MX record doesn’t have a thing to do with enumeration. The preference number (a lower number means first used) determines only which server handles e-mail first.
D is incorrect because if your customers can’t query for the IP associated with the hostname, how are they supposed to find your website?
PE2.11 An ethical hacker searches for IP ranges owned by the client, reads news articles, observes when bank employees arrive and leave from work, searches the client’s job postings, and visits the client’s dumpster. Which of the following is a true statement?
A. All of the actions are active footprinting.
B. All of the actions are passive footprinting.
C. The ethical hacker is in the system attack phase.
D. The ethical hacker is acting as a black-hat attacker.
B
B. I know, I know—I can hear you professional test takers screaming at me already: “Any answer that starts with ‘all’ can be eliminated!” And, normally, I’d agree with you, but it’s precisely why I added it here. Each and every example in this question happens to be an example of passive footprinting.
A is incorrect because none of these actions are active footprinting. An active footprinting effort is one that requires the attacker to touch the device, network, or resource, whereas passive footprinting refers to measures to collect information from publicly accessible sources.
C is incorrect because the attacker is in the reconnaissance phase.
D is incorrect because there is no indication which “hat” the attacker is acting as, although as an ethical hacker, it should be as a white hat.
PE2.12 Examine the following SOA record:
@ IN SOA RTDNSRV1.somebiz.com postmaster.somebiz.com (
200408097 ; serial number
3600 ; refresh [1h]
600 ; retry [10m]
86400 ; expire [1d]
7200 ; min TTL [2h] )
If a secondary server in the enterprise is unable to check in for a zone update within an hour, what happens to the zone copy on the secondary?
A. The zone copy is dumped.
B. The zone copy is unchanged.
C. The serial number of the zone copy is decremented.
D. The serial number of the zone copy is incremented.
B
B. You will definitely see questions about the SOA record. In this question, the key portion you’re looking for is the TTL (Time-To-Live) value at the bottom, which is currently two hours (7200 seconds). This sets the time a secondary server has to verify its records are good. If it can’t check in, this TTL for zone records will expire, and they’ll all be dumped. Considering, though, this TTL is set to two hours and the question states it has been only one hour since update, the zone copy on the secondary will remain unchanged.
A is incorrect because the secondary is still well within its window for verifying the zone copy it holds. It dumps the records only when TTL is exceeded.
C is incorrect because, first, serial numbers are never decremented; they’re always incremented. Second, the serial number of the zone copy is changed only when a connection to the primary occurs and a copy is updated.
D is incorrect because while serial numbers are incremented on changes (the secondary copies the number from the primary’s copy when transferring records), the serial number of the zone copy is changed only when a connection to the primary occurs and a copy is updated. That has not occurred here.
PE2.13 Which protocol and port number combination is used by default for DNS zone transfers?
A. UDP 53
B. UDP 161
C. TCP 53
D. TCP 22
C. TCP 53 is the default protocol and port number for zone transfers. DNS actually uses both TCP and UDP to get its job done, and if you think about what it’s doing, they make sense in particular circumstances. A name resolution request and reply? Small and quick, so use port 53 on UDP. A zone transfer, which could potentially be large and requires some insurance it all gets there? Port 53 on TCP is the answer.
A, B, and D are incorrect because they do not represent the default port and protocol combination for a zone transfer.
PE2.14 Examine the following command-line entry:
c:\>nslookup
Default Server: ns1.somewhere.com
Address: 128.189.72.5
> set q=mx
> mailhost
Which statements are true regarding this command sequence? (Choose two.)
A. Nslookup is in noninteractive mode.
B. Nslookup is in interactive mode.
C. The output will show all mail servers in the zone somewhere.com.
D. The output will show all name servers in the zone somewhere.com.
B, C. Nslookup runs in one of two modes—interactive and noninteractive. Noninteractive mode is simply the use of the command followed by an output. For example, nslookup www.google.com will return the IP address your server can find for Google. Interactive mode is started by simply typing nslookup and pressing ENTER. Your default server name will display, along with its IP address, and a caret (>) will await entry of your next command. In this scenario, we’ve entered interactive mode and set the type to MX, which we all know means “Please provide me with all the mail exchange servers you know about.”
A is incorrect because we are definitely in interactive mode.
D is incorrect because type was set to MX, not NS.
PE2.15 Joe accesses the company website, www.anybusi.com, from his home computer and is presented with a defaced site containing disturbing images. He calls the IT department to report the website hack and is told they do not see any problem with the site—no files have been changed, and when accessed from their terminals (inside the company), the site appears normally. Joe connects over VPN into the company website and notices the site appears normally. Which of the following might explain the issue?
A. DNS poisoning
B. Route poisoning
C. SQL injection
D. ARP poisoning
A. DNS poisoning makes the most sense here. In many cases (such as mine right here in my own work-from-home office), a VPN connection back to the company forces you to use the company DNS instead of your local resolution. In this example, Joe’s connection from home uses a different DNS server for lookups than that of the business network. It’s entirely possible someone has changed the cache entries in his local server to point to a different IP than the one hosting the real website—one that the hackers have set up to provide the defaced version. The fact the web files haven’t changed and it seems to be displaying just fine from inside the network also bears this out. If it turns out Joe’s DNS modification is the only one in place, there is a strong likelihood that Joe is being specifically targeted for exploitation—something Joe should take very seriously. Lastly, the HOSTS and LMHOSTS files can also play a big role in this kind of scenario—however, if an attacker already has that kind of access to Joe’s computer, he has bigger problems than the corporate website.
B is incorrect because route poisoning has nothing to do with this. Route poisoning is used in distance vector routing protocols to prevent route loops in routing tables.
C is incorrect because although SQL injection is, indeed, a hacking attack, it’s not relevant here. The fact the website files remain intact and unchanged proves that access to the site through an SQL weakness isn’t what occurred here.
D is incorrect because ARP poisoning is relevant inside a particular subnet, not outside it (granted, you can have ARP forwarded by a router configured to do so, but it simply isn’t the case for this question). ARP poisoning will redirect a request from one machine to another inside the same subnet and has little to do with the scenario described here.