Practice Exam 8 Flashcards

1
Q

PE8.1 A company hires you as part of its security team. The company is implementing new policies and procedures regarding mobile devices in the network. Which of the following would not be a recommended practice?

A.Create a BYOD policy and ensure all employees are educated about and made aware of it.
B.Whitelist applications and ensure all employees are educated about and made aware of them.
C.Allow jailbroken and rooted devices on the network, as long as employees have signed the policy.
D. Implement MDM.

A

C
C. Bring Your Own Device (BYOD) and Mobile Device Management (MDM) are becoming more and more of a headache for security administrators. BYOD is the idea that employees can bring their own smartphones, tablets, and mobile devices to the workplace and use them as part of the enterprise network. MDM (often implemented with a third-party product that provides management features across mobile device vendors) is an effort to administer and secure mobile device use within the organization. Obviously, having mobile devices roaming in and out of a network can cause a variety of security issues, and there are lots of commonsense steps that can be taken. Allowing rooted and jailbroken devices, which have had their platform protections removed and may carry any number of issues (installed knowingly or not), is not among the good steps to take: a signed policy does nothing to restore the device's security controls.

A, B, and D are incorrect choices because these are all good ideas regarding mobile device use and management. Other good ideas include ensuring all devices have a screen lockout code enabled, using encryption (in transit and for data-at-rest concerns), making sure there are clear delineations between business and personal data, implementing antivirus, and making sure the OS and patching are up to date.

2
Q

PE8.2 Which of the following tools would be used in a blackjacking attack?

A. Aircrack
B. BBCrack
C. BBProxy
D. Paros Proxy

A

C
C. This is another tool-specific question, but one that should be relatively easy. Blackjacking and BBProxy were presented at DEF CON several years ago, so this isn't anything new in terms of an attack. In short, a BlackBerry device is, in effect, part of the internal network (its traffic rides the BlackBerry Enterprise Server connection through the perimeter), and an attacker who can run code on the handset can use it to reach resources on the internal network. BBProxy is the tool that turns the handset into that proxy, and you can see the whole thing pulled off at the following link from the original presentation in 2006: www.praetoriang.net/presentations/blackjack.html

A, B, and D are incorrect because these tools aren’t used in blackjacking attempts. Aircrack is used in wireless network encryption cracking, and Paros is a proxy service, but neither is used in blackjacking. BBCrack doesn’t exist.

3
Q
PE8.3 Which of the following tools is a vulnerability scanner for Android devices? 
A.   X-ray 
B.   evasi0n7 
C.   Pangu 
D.   DroidSheep Guard
A

A. Mobile tools will pop up all over the place on your exam, so do your best to get as much exposure to as many of them as possible. X-ray is an Android vulnerability scanner explicitly called out by EC-Council. It searches out unpatched vulnerabilities and automatically updates for new vulnerability signatures as they are discovered.

B and C are incorrect because both are jailbreaking applications for iOS devices.

D is incorrect because DroidSheep Guard is a tool that monitors the ARP table on your phone, alerting on suspicious entries and disabling shady Wi-Fi connections.

4
Q
PE8.4 Which type of jailbreaking allows user-level access but does not allow iBoot-level access? 
A.   iBoot 
B.   Bootrom 
C.   userland 
D.   iRoot
A

C. I don’t own an iPhone, iPod, or iAnything, and have no desire to. However, since iOS is one of the most popular mobile device operating systems, I have to have at least some working knowledge of it. And you do, too, if you want to be a CEH. Jailbreaking an iPhone is the process of removing the software restrictions imposed by Apple so you can install a modified set of kernel patches, thereby allowing you to run whatever software or updates you want. EC-Council lists three main methods of jailbreaking, two of which (iBoot and Bootrom) allow something called iBoot access. iBoot access basically refers to the ability to affect the firmware itself. Userland is a term referring to the software running on the iOS device after the kernel has loaded. Therefore, a userland jailbreak, being entirely software based, can be patched by Apple after the effort. Userland jailbreaks include JailbreakMe Star, Saffron, Spirit, Absinthe, evasi0n, and Pangu.

A and B are incorrect because both of those jailbreak types allow iBoot-level access. In other words, each method reaches below userland and into the boot chain of trust, so it can affect firmware loading rather than only the software running after the kernel starts.

D is incorrect because this is not a type of jailbreaking.

5
Q

PE8.5 Jack receives a text message on his phone advising him of a major attack at his bank. The message includes a link to check his accounts. After he clicks the link, an attacker takes control of his accounts in the background. Which of the following attacks is Jack facing?

A. Phishing
B. Smishing
C. Vishing
D. App sandboxing

A

B. Smishing is the term given to a mobile device attack whereby an attacker sends an SMS text message to a target with an embedded link. If the user clicks the malicious link, the attacker gains valuable information and control. These attacks are successful for largely the same reasons phishing is so effective in the e-mail world—people just click through sometimes without pausing to think about it. Users who would otherwise ignore an e-mail with a link in it from an unknown (or even known) source sometimes don’t think twice when the link is in a text message.

A is incorrect because the term phishing refers to e-mail messaging and works in much the same way as smishing.

C is incorrect because vishing is a term referring to the use of phone calls and voice messaging to carry out an attack.

D is incorrect because app sandboxing is not an attack on its own: it’s a security measure designed to limit resources an application can access on a mobile device.
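The smishing pattern described above (a text message, a link, a lookalike or shortened destination) is easy to triage automatically. The following is an added example written for this page, not code from the exam guide: a small filter that extracts URLs from an SMS body and flags the signals a responder checks first. The bank name, its allowlisted domain, the shortener list and the sample messages are all constructed assumptions for the example; a production version would use the public suffix list for registered-domain extraction and a real threat-intel feed for lookalikes.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: the registered domain the (hypothetical) bank really links to.
TRUSTED_DOMAINS = {"examplebank.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
URGENCY = ("attack", "suspended", "locked", "verify", "immediately", "urgent")
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registered_domain(host: str) -> str:
    """'secure.examplebank.com' -> 'examplebank.com'. Last two labels is enough
    for the example; production code should consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_urls(text: str) -> list:
    """Pull http(s):// and bare www. links out of the message body."""
    urls = []
    for m in URL_RE.finditer(text):
        u = m.group(0).rstrip(".,;:!?)")
        if not u.lower().startswith("http"):
            u = "http://" + u  # normalise bare www. links so urlparse sees a host
        urls.append(u)
    return urls


def score_sms(text: str) -> dict:
    """Explain why a message looks like smishing; the verdict is driven by the links,
    urgency wording is only reported as supporting context."""
    link_flags, context = [], []
    urls = extract_urls(text)
    brand = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        reg = registered_domain(host)
        if IPV4_RE.fullmatch(host):
            link_flags.append(f"{host}: link to a bare IP address")
        elif reg in SHORTENERS:
            link_flags.append(f"{host}: URL shortener hides the real destination")
        elif reg in TRUSTED_DOMAINS:
            continue
        elif any(b in host.replace("-", "") for b in brand):
            link_flags.append(f"{host}: lookalike, bank name inside an untrusted domain")
        else:
            link_flags.append(f"{host}: untrusted domain")
    if urls and any(k in text.lower() for k in URGENCY):
        context.append("urgency wording combined with a link")
    return {"urls": urls, "reasons": link_flags + context,
            "verdict": "smishing" if link_flags else "benign"}


def is_smishing(text: str) -> bool:
    return score_sms(text)["verdict"] == "smishing"


# Constructed sample messages (not real traffic).
SAMPLES = [
    "ALERT: ExampleBank was hit by a major attack. Verify your accounts now: http://examplebank-secure.net/login",
    "Your ExampleBank statement is ready. View it at https://secure.examplebank.com/statements",
    "Account locked. Restore access immediately: http://bit.ly/3xyzAbc",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = score_sms(s)
        print(r["verdict"], "-", "; ".join(r["reasons"]) or "no findings")
```

The first and third samples are flagged on the link alone (a lookalike domain and a shortener); the second passes because its host resolves to the allowlisted registered domain, which is the only check a user cannot be talked out of by urgent wording.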

6
Q
PE8.6 Which of the following allows an Android user to attain privileged control of the device? 
A.   DroidSheep 
B.   SuperOneClick 
C.   Faceniff 
D.   ZitMo
A

B. Rooting an Android device is the same idea as jailbreaking an iOS one: giving the user total control over the device to add applications, modify system files and actions, and (in some cases, usually at the cost of security) improve performance. Rooting can be done by a variety of methods, but some tools you can use are SuperOneClick, Superboot, One Click Root, and Kingo. In SuperOneClick, you simply connect the phone to a system over USB (ensuring it's in charge-only mode), enable USB Debugging, and run the application.

A is incorrect because DroidSheep is a tool used for session hijacking on Android devices. It can extract session IDs and sidejack on WEP, WPA, and WPA2 networks.

C is incorrect because Faceniff is a sniffer for Android, designed to sniff and intercept web profiles.

D is incorrect because ZitMo (Zeus-in-the-Mobile) is a banking Trojan. ZitMo can even enable bot-like command and control for attackers over the infected device.

7
Q

PE8.7 An individual attempts to make a call using his cell phone; however, it seems unresponsive. After a few minutes of effort, he turns it off and turns it on again. During his next phone call, the phone disconnects and becomes unresponsive again. Which Bluetooth attack is underway?

A. Bluesmacking
B. Bluejacking
C. Bluesniffing
D. Bluesnarfing

A

A. From the description, it appears the phone is either defective or, since it's spelled out so nicely in the question for you, under a denial-of-service attack. Bluesmacking is a denial-of-service attack on a Bluetooth device: the classic form floods the target with oversized L2CAP echo requests (l2ping with a large packet size) until the Bluetooth stack, and often the whole handset, stops responding. An attacker somewhere nearby (within ten meters or, for the real bad guys, farther away using a big enough transmitter, amplifier, and antenna) is using something like the Linux BlueZ packages (www.bluez.org) to carry out the DoS against the phone.

B is incorrect because Bluejacking involves sending unsolicited messages—much like spam—to a Bluetooth device.

C is incorrect because Bluesniffing is a basic sniffing attempt, where the device’s transmissions are sniffed for useful information.

D is incorrect because Bluesnarfing refers to the actual theft of data directly from the device. This takes advantage of the “pairing” feature of most Bluetooth devices, willingly seeking out other devices to link up with.

8
Q

PE8.8 Which of the following is a pairing mode in Bluetooth that rejects every pairing request?

A. Non-pairing
B. Non-discoverable
C. Promiscuous
D. Bluejack

A

A. When you get a simple question on the exam, celebrate. Bluetooth has two pairing modes and three discovery modes. Pairing—the decision to pair with another device requesting it—is either turned on (pairing mode, where every request is accepted) or off (non-pairing mode, where every request is rejected). Discovery—the decision to respond to search requests and let the inquiry know the device is live and available—can be fully on (discoverable mode, responding to everything from everyone), partially on (limited-discoverable mode, responding only during a short time span), or off altogether (non-discoverable mode, never answering an inquiry).

B is incorrect because non-discoverable is a discovery mode, not a pairing one.

C is incorrect because promiscuous has no meaning in this context.

D is incorrect because Bluejack refers to a Bluetooth attack where an attacker abuses the contact (vCard) exchange feature, sending a contact whose name field carries the message, resulting in anonymous, unsolicited message delivery to targets.

9
Q

PE8.9 An attacker is using Shodan to search for devices on a target. She types the following as the search string: webcam geo:"-85.97,31.81". Which of the following correctly describes this action?

A. The search string syntax is incorrect.
B.The attacker is searching for webcams with serial numbers starting between 3181 and 8597.
C.The attacker is searching for webcam manufacturers starting with “geo.”
D.The attacker is searching for webcams in the geographic location -31.80, 85.95 (longitude and latitude).

A

D
D. While Google and other search engines index the web, Shodan (https://www.shodan.io) indexes everything connected to the Internet. It’s an incredible search engine tool for, well, everything. Want to find Samsung wearables in a specific city? Grab a model number and use the city: argument. How about IIS servers on a specific subnet? Try iis net:xxx.xxx.xxx.xxx/yy (where the x’s are your subnet and yy is your CIDR notation). If you want to get really specific on your location, you can use the geo: argument, along with latitude and longitude coordinates. The Shodan geo: argument actually accepts between two and four coordinate parameters. The example used two, showing a latitude/longitude pair. If the example used three coordinates, they would represent latitude, longitude, and range. Add a fourth argument, and you create a geographic box to search in: top-left latitude, top-left longitude, bottom-right latitude, bottom-right longitude.

A is incorrect because there’s nothing wrong with the syntax. As a matter of fact, Shodan will accept almost anything you type as a search string, which can sometimes get you some really weird responses.

B is incorrect because this syntax has nothing to do with serial numbers.

C is incorrect because this syntax has nothing to do with manufacturer names.
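The explanation above gives the three shapes a geo: value can take and the net: CIDR form. As an added example (written for this page, not part of the exam guide and not Shodan's own code, whose query parser is not public), the following Python splits a Shodan-style query into free-text terms and filters and validates the two filters the text describes before the query is sent. The filter grammar is an assumption that mirrors the documented behaviour: two numbers are a point, three are a point plus radius, four are a bounding box, and anything else is rejected.

```python
import ipaddress
import re

# A token is either  name:value  (value may be quoted and contain commas) or a bare word.
FILTER_RE = re.compile(r'(\w+):(["\u201c][^"\u201d]*["\u201d]|\S+)|(\S+)')


def parse_query(query: str) -> dict:
    """Split a Shodan-style query into free-text terms and a {filter: value} map.
    Quoted values such as geo:"-85.97,31.81" keep their commas; quotes are stripped."""
    terms, filters = [], {}
    for name, value, word in FILTER_RE.findall(query):
        if name:
            filters[name.lower()] = value.strip('"\u201c\u201d')
        else:
            terms.append(word)
    return {"terms": terms, "filters": filters}


def describe_geo(value: str) -> dict:
    """Interpret a geo: value: 2 numbers = point, 3 = point + radius,
    4 = box (top-left lat, top-left lon, bottom-right lat, bottom-right lon)."""
    try:
        nums = [float(p) for p in value.split(",")]
    except ValueError:
        raise ValueError(f"geo: expects numbers, got {value!r}")
    if len(nums) not in (2, 3, 4):
        raise ValueError("geo: takes two, three or four comma-separated values")
    pairs = [(nums[0], nums[1])] + ([(nums[2], nums[3])] if len(nums) == 4 else [])
    for lat, lon in pairs:
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            raise ValueError(f"coordinate out of range: {lat},{lon}")
    if len(nums) == 2:
        return {"kind": "point", "lat": nums[0], "lon": nums[1]}
    if len(nums) == 3:
        if nums[2] <= 0:
            raise ValueError("radius must be positive")
        return {"kind": "radius", "lat": nums[0], "lon": nums[1], "radius": nums[2]}
    return {"kind": "box", "top_left": pairs[0], "bottom_right": pairs[1]}


def validate(query: str) -> dict:
    """Parse a query and validate the filters this example understands.
    net: must be a CIDR block; unknown filters are passed through untouched."""
    parsed = parse_query(query)
    checked = {}
    for name, value in parsed["filters"].items():
        if name == "geo":
            checked[name] = describe_geo(value)
        elif name == "net":
            checked[name] = str(ipaddress.ip_network(value, strict=False))
        else:
            checked[name] = value
    return {"terms": parsed["terms"], "filters": checked}


if __name__ == "__main__":
    print(validate('webcam geo:"-85.97,31.81"'))
    print(validate("iis net:203.0.113.0/24"))
    print(validate('camera geo:"34.0,-84.5,33.5,-84.2"'))
```

Running it on the question's search string yields one free-text term, webcam, and a point filter with latitude -85.97 and longitude 31.81, which is the reading behind answer D. The range check is the practical part: Shodan itself will accept nearly anything, so a typo in the coordinates silently returns nothing rather than an error.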

10
Q
PE8.10 Which of the following is the most popular short-range communication technology for IoT devices? 
A.RFID 
B.Zigbee 
C.QR codes 
D.LiFi 
A

B
B. IoT devices make use of many wireless communications technologies, and some of them have fairly weird names. Zigbee (https://www.zigbee.org/what-is-zigbee/) is, according to EC-Council, the world's most popular IoT device communication technology. As a result, you should know that it is based on the IEEE 802.15.4 standard, and you can use tools like KillerBee to attack devices using it. Yes, I know this is a weird thing to ask a question about. No, I didn't do it because I'm a sadist. Know Zigbee. Learn it well. You'll thank me later.

A, C, and D are all incorrect for the same reason—they’re not the most popular communication technology for IoT devices according to CEH material. But I thought I’d include some information on each of them for your study purposes, in case you see something weird on the exam about them.

RFID is probably the most familiar to everyone, as it has been around and in the public eye longer than most everything else. I mean, who hasn’t heard of an RFID-blocking wallet? QR codes are those scannable, readable tags that hold information about a device, product, or item. If you’ve flown anywhere lately, I’m sure you’ve seen folks using their phone as their boarding pass, scanning the QR code to go sit in a metal tube as soon as possible.

LiFi is possibly the weirdest item on this list, and one I had honestly never heard of until prepping for this edition. LiFi is sort of like Wi-Fi in the same sense that a Lamborghini is like a Chevy Uplander minivan. Sure, packets are encoded and used much the same way, but LiFi uses light from LED bulbs to get it done. Because it uses light, speeds are incredible —up to 224 Gbps—and the interference you deal with in wireless signal communications is nonexistent, but for now it’s simply in its infancy. That said, invest in LED bulbs for your home soon—LiFi may be your next big networking adventure.

11
Q

PE8.11 Within IoT architecture, which of the following carries out message routing and identification?

A.Edge Technology layer
B.Access Gateway layer
C.Internet layer
D.Middleware layer

A

B
B. IoT architecture, as laid out by EC-Council, includes the Edge Technology, Access Gateway, Internet, Middleware, and Application layers. Each of these has information worth remembering for your exam, and in this case we're talking about the Access Gateway layer. This layer bridges the gap between the device and the client, and the first data handling occurs here. Message routing, identification, and subscribing all occur in this layer.

A, C, and D are all incorrect for the same reason—these layers provide different services than what is being asked about. The Edge Technology layer holds technologies like RFID tags and other readers that monitor, sense, and report on the environment. The main function of this layer is data collection and connection of devices within the network. The Internet layer is probably the one that tripped you up here, but there’s a very good explanation—or at least an explanation. The question is asking about IoT architecture, not what you know to be real-world…

12
Q

PE8.12 A homeowner accesses an app on his cell phone to set up a view list on his television. Which IoT communication model is in play here?

A.Device-to-Gateway
B.Back-End Data-Sharing
C.Device-to-Cloud
D.Device-to-Device

A

A.
A. IoT communication models seem pretty straightforward, but there are some weird one-off comparisons here and there. In this case, the smartphone—more appropriately, the app on the smartphone used by the owner—acts as the gateway and the TV is the device. In Device-to-Gateway, the IoT device communicates with an intermediary—a gateway—which in turn communicates with the cloud service. As an aside, and a good study/memorization tip, the gateway is almost always an app on a smartphone.
B is incorrect because this does not describe the Back-End Data-Sharing communications model. Back-End Data Sharing extends the connectivity of the cloud (from the device or a gateway) to a third party.

C is incorrect because this does not describe Device-to-Cloud. IoT devices communicate directly with the cloud instead of with the client in this model. A prime example of this would be a security camera you access remotely. The camera, which is the IoT device, doesn’t communicate directly with you, the client. It instead uploads to the cloud and you interact there for the data—after…

13
Q

PE8.13 In this attack on VANET, vehicles appear to be in multiple places at once, causing congestion and severely impairing the use of data. Which of the following best describes this attack?

A.Rolling code
B.BlueBorne
C.Side channel
D.Sybil

A

D. As with every other area in computing, IoT has loads of attacks and vulnerabilities to talk about. In this particular example, called the Sybil Attack, a thing (the vehicle or device) creates the illusion of another identity (in this example, being in more than one place at a time), causing congestion and the associated insanity that goes along with it. When it comes to VANET (vehicular ad-hoc network), this could be particularly dangerous. On a standard network, it can cause numerous DDoS problems.

A is incorrect because this does not describe the rolling code attack. In rolling code, the attacker jams the signal and then sniffs the code used to lock and unlock a vehicle.

B is incorrect because this does not describe the BlueBorne attack. BlueBorne refers to an effort that attacks nearby…
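The Sybil answer above describes the symptom (one identity reported in several places at once, or several identities following one track) without showing how a receiving node would notice. The following is an added example written for this page, not code from the exam guide or from any VANET standard: a position-plausibility check over broadcast beacons. Each beacon is (vehicle_id, time, x, y); an identity is flagged when consecutive reports would require an impossible speed or two positions at the same instant, and two identities are flagged when their reports coincide repeatedly. The beacon records, the coordinate units (metres, seconds) and the speed ceiling are constructed assumptions.

```python
import math
from collections import defaultdict

MAX_SPEED_MPS = 60.0  # assumed physical ceiling for a vehicle (~216 km/h)

# Constructed beacons: (vehicle_id, t_seconds, x_metres, y_metres)
BEACONS = [
    ("V1", 0, 0.0, 0.0), ("V1", 1, 25.0, 0.0), ("V1", 2, 50.0, 0.0),
    ("V2", 0, 0.0, 100.0), ("V2", 1, 20.0, 100.0), ("V2", 2, 40.0, 100.0),
    # Sybil symptom 1: V3 is reported 870 m apart within the same second.
    ("V3", 0, 0.0, 200.0), ("V3", 1, 30.0, 200.0), ("V3", 1, 900.0, 200.0), ("V3", 2, 60.0, 200.0),
    # Sybil symptom 2: V4 and V5 are fabricated identities riding one real track.
    ("V4", 0, 500.0, 0.0), ("V4", 1, 525.0, 0.0), ("V4", 2, 550.0, 0.0),
    ("V5", 0, 500.0, 0.0), ("V5", 1, 525.0, 0.0), ("V5", 2, 550.0, 0.0),
]


def impossible_moves(beacons, max_speed=MAX_SPEED_MPS):
    """Map identity -> reason for identities whose consecutive reports imply a
    speed above max_speed, or two different positions at the same instant."""
    by_id = defaultdict(list)
    for vid, t, x, y in beacons:
        by_id[vid].append((t, x, y))
    flagged = {}
    for vid, pts in by_id.items():
        pts.sort()
        for (t0, x0, y0), (t1, x1, y1) in zip(pts, pts[1:]):
            dist = math.hypot(x1 - x0, y1 - y0)
            dt = t1 - t0
            if dt == 0 and dist > 0:
                flagged[vid] = f"two positions at t={t0}, {dist:.0f} m apart"
                break
            if dt > 0 and dist / dt > max_speed:
                flagged[vid] = f"{dist / dt:.0f} m/s between t={t0} and t={t1}"
                break
    return flagged


def cloned_tracks(beacons, min_shared=3):
    """Pairs of identities whose (t, x, y) reports coincide at least min_shared times."""
    by_point = defaultdict(set)
    for vid, t, x, y in beacons:
        by_point[(t, x, y)].add(vid)
    pair_counts = defaultdict(int)
    for ids in by_point.values():
        ids = sorted(ids)
        for i in range(len(ids)):
            for j in range(i + 1, len(ids)):
                pair_counts[(ids[i], ids[j])] += 1
    return sorted(p for p, n in pair_counts.items() if n >= min_shared)


def detect_sybil(beacons):
    """Combine both checks into one report keyed by suspect identity."""
    report = {vid: [why] for vid, why in impossible_moves(beacons).items()}
    for a, b in cloned_tracks(beacons):
        report.setdefault(a, []).append(f"track identical to {b}")
        report.setdefault(b, []).append(f"track identical to {a}")
    return report


if __name__ == "__main__":
    for vid, reasons in sorted(detect_sybil(BEACONS).items()):
        print(vid, "->", "; ".join(reasons))
```

Against the constructed data V3, V4 and V5 are reported and V1 and V2 are not. A heuristic like this only raises the bar: it is the reason real vehicle-to-vehicle designs also sign beacons with pseudonym certificates issued by a trusted authority, so that fabricating identities costs the attacker more than a forged field.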

14
Q
PE8.14 Of the tools listed, which is the best choice for quickly discovering IP addresses of IoT devices on your network? 

A.IoTInspector 
B.MultiPing 
C.Z-Wave Sniffer 
D.beSTORM 
A

B
B. Many of the tools you already know about will work just as well in IoT land, and MultiPing (https://www.multiping.com/) is a good example. MultiPing has been around for a while and is a quick-and-dirty way to discover systems hanging out on your network; even those pesky IoT devices can be found using it, as long as they answer ICMP echo requests. Is MultiPing the absolute best way to discover your IoT devices? Probably not. Will it work quickly, as described in this question? Absolutely.

15
Q

PE8.15 In October of 2016, a DDoS attack involving millions of IoT devices caused a disruption of service to large numbers of users in North America and Europe. Which of the following malware was used in the attack?

A.WannaCry
B.Cryptolocker
C.Locky
D.Mirai

A

D
D. It’s hard to believe something as simple as a baby monitor can be leveraged as an attack platform, but in the fall of 2016 that’s exactly what happened. The Mirai malware, created to deliberately find IoT devices to infect, created a botnet of immense proportions. This was then leveraged in a series of distributed denial-of-service attacks against systems operated by the DNS provider Dyn (since acquired by Oracle). The attack caused major disruptions across North America and Europe and serves as a lasting reminder that security for IoT is sorely lacking. A, B, and C are all incorrect because none of these had…

16
Q

PE8.16 Which of the following are valid countermeasures in the prevention of IoT hacking? (Choose all that apply.)
A.Disable guest and demo accounts.
B.Enable lockout features for excessive login attempts.
C.Disable telnet.
D.Implement patch management and ensure device firmware is up to date.

A

A, B, C, D. I was going to say that securing IoT is the same as securing everything else, but that wouldn't be wholly true. It's not that the same countermeasures shouldn't be used; of course the same basic-level approach applies across the board. Disabling unused services, ports, and built-in accounts (telnet and guest/demo accounts being the classic offenders), changing default passwords, enabling lockout mechanisms, and making sure your patch levels and firmware are current are basic security measures no matter what you're talking about. It's not the measures themselves that make securing IoT so difficult; the rub is keeping up with them. As discussed in the companion book, CEH Certified Ethical Hacker All-in-One Exam Guide, Fourth Edition, IoT is expanding by the day, and a semi-secured network today might be blown wide open by the addition of someone's BYOD Internet-enabled underwear tomorrow (don't laugh, it's actually a thing now). Countermeasures for securing IoT are the same as you'd see anywhere else, with a few additional CEH items thrown in for good measure (for example, ECC…
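Two of the four countermeasures above (disabled built-in accounts and lockout on excessive failures) are logic a device's login path has to implement, and the reason they matter is the default-credential dictionary an IoT botnet carries. The following is an added example for this page, not code from the exam guide or from any device vendor: a minimal credential checker with both rules, run against a constructed dictionary attack. The account database, the password hashing (a bare SHA-256, illustration only), the thresholds and the attempt log are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_FAILURES = 5        # assumed: failed attempts before a source is locked out
LOCKOUT_SECONDS = 600   # assumed: lockout duration


def pw_hash(pw: str) -> str:
    # Illustration only; a real device should use a salted KDF such as scrypt or PBKDF2.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed device account database; guest and demo are disabled (countermeasure A).
ACCOUNTS = {
    "admin": {"hash": pw_hash("Correct-Horse-Battery-9"), "enabled": True},
    "guest": {"hash": pw_hash("guest"), "enabled": False},
    "demo":  {"hash": pw_hash("demo"),  "enabled": False},
}

# Constructed default-credential list of the kind IoT botnets carry.
BOTNET_DICTIONARY = [
    ("root", "root"), ("admin", "admin"), ("root", "12345"), ("admin", "1234"),
    ("guest", "guest"), ("demo", "demo"), ("root", "password"), ("admin", ""),
]


class LoginGuard:
    """Credential check with per-source lockout (countermeasure B). Keying the
    lockout on the source rather than the account keeps a botnet from locking
    the legitimate administrator out of the device."""

    def __init__(self, accounts, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.accounts = accounts
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, src: str, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad-credentials' or 'locked'. Unknown and disabled accounts
        get the same answer as a wrong password so usernames cannot be enumerated."""
        if now < self.locked_until.get(src, 0):
            return "locked"
        acct = self.accounts.get(user)
        ok = (acct is not None and acct["enabled"]
              and hmac.compare_digest(acct["hash"], pw_hash(password)))
        if ok:
            self.failures[src] = 0
            return "ok"
        self.failures[src] += 1
        if self.failures[src] >= self.max_failures:
            self.locked_until[src] = now + self.lockout
            self.failures[src] = 0
        return "bad-credentials"


def run_dictionary(guard, src, candidates, start=0.0):
    """Try each (user, password) one second apart and return the outcomes in order."""
    return [guard.attempt(src, u, p, start + i) for i, (u, p) in enumerate(candidates)]


if __name__ == "__main__":
    g = LoginGuard(ACCOUNTS)
    print(run_dictionary(g, "198.51.100.7", BOTNET_DICTIONARY))
    print(g.attempt("203.0.113.5", "admin", "Correct-Horse-Battery-9", 4))
```

The dictionary run never yields an "ok": guest/guest and demo/demo match their stored hashes but the accounts are disabled, and after five failures the source is locked for the rest of the run while the administrator, coming from another address, still logs in. Countermeasure C (disable telnet) is what keeps this login path off an unencrypted, easily scanned port in the first place.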

17
Q
PE8.17 Within the Attify Zigbee Framework, which of the following is used to discover target devices within range? 
A.zbstumbler 
B.zbdump 
C.zbreplay 
D.zbassoc/flood 
A

A. Let’s play a little Q&A game, shall we? I’ll introduce you to a collection of tools, presented by Attify in its Zigbee Framework, and then ask you to identify what each does without you ever seeing the tool, based solely on the knowledge you have from studying the rest of your CEH material. Ready? Here we go: Identify zbstumbler. Identify zbdump. Now identify zbreplay. See a pattern yet? These are all the same names and functions you’ve seen in other toolsets, except these start with zb. In this case, zbstumbler is a lot like NetStumbler, allowing you to ID devices within range.

Now before anyone gets all preachy on me, I am not advising you to ignore the framework and just memorize terms for an exam. Indeed, it's quite the opposite: I want you to actually know how to use these tools, so when you pass your exam the certification will matter. Go grab the framework (https://github.com/attify/Attify-Zigbee-Framework) and practice. Find a light bulb in your house and attack it (you can watch someone do it here https://www.youtube.com/watch?v=uivlSdqWS48). When you see identification questions like this on the exam, just use common sense.

B is incorrect because zbdump acts as the packet capture tool for the framework.

C is incorrect because zbreplay allows you to replay portions of a packet capture to force the device to do your bidding.

D is incorrect because zbassoc/flood (zbassocflood) is the framework's denial-of-service function: it floods a Zigbee coordinator with association requests rather than discovering devices.

18
Q

PE8.18 Which of the following is an advanced hardware- and software-designed radio used for security testing in IoT?

A.Fluke
B.Raspberry Pi
C.HackRF One
D.Alfa AWUS036NH

A

C. There are few certainties in life—the rising and setting of the sun every day, lovebugs making life miserable for a couple months each year in the South, and ever-increasing taxes on everything from income to gas. One you can add to your list is HackRF One being on your CEH exam. This handy little piece of hardware exploded onto the scene in a Kickstarter campaign in 2013. Its creator, Michael Ossmann, called the prototype HackRF Jawbreaker back then, and its open source nature attracted a lot of attention. On the good side, information security folks saw a great tool to help in testing their wireless offerings. On the bad side, hackers immediately saw a quick and easy way to jam, disrupt, and hack IoT devices everywhere.

For just under $300, you too can own a HackRF One device (https://greatscottgadgets.com/hackrf/). According to the website, HackRF One was “designed to enable test and development of modern and next generation radio technologies…and is an open source hardware platform that can be used as a USB peripheral or programmed for stand-alone operation.” What's really interesting (and quite humorous to me), however, is the very next statement: “HackRF One is test equipment for RF systems. It has not been tested for compliance with regulations governing transmission of radio signals. You are responsible for using your HackRF One legally.” HackRF One is capable of receiving and transmitting on a frequency range of 1 MHz to 6 GHz, and it transmits and receives half-duplex. It has become a valuable and prized hacking tool due to its ease of use. Just be careful, though. Remember, you are responsible for its legal use.

A, B, and D are all incorrect because these hardware devices and terms do not match the capability noted in the question. Fluke is a manufacturer that creates, among other things, spectrum analyzers and network analysis devices. Raspberry Pi is a small, single-board computer originally designed to teach programming and computer science concepts. The Alfa AWUS036NH is a high-power USB Wi-Fi adapter (with a detachable antenna) popular for wireless hacking, not a software-defined radio.