Questions Flashcards

1
Q

Which element of security ensures a data message arrives at its destination with no alteration?

A

Integrity ensures data stays in the form it was originally intended, during transit and at rest.

2
Q

A hacker grows frustrated in his attempts against a network server and performs a successful denial of service attack. Which security element is being compromised?

A

Availability- Ensures communication systems and data are ready for use when legitimate users need them.

3
Q

As security in the enterprise increases:

A

Security triad: as security increases, functionality and ease of use decrease.

4
Q

An ethical hacker is hired to test the security of a business network. The CEH is given no prior knowledge of the network and has a specific framework in which to work, defining boundaries, non-disclosure agreements, and the completion date. Which of the following is a true statement?
Who is attempting what type of test?

A

An ethical hacker was hired under a specific agreement, making him a white hat.
The test he was hired to perform is a no-knowledge attack, making it a black box test.

5
Q

When an attack by a hacker is politically motivated, the hacker is said to be participating in:

A

Hackers who use their skills and talents to forward a cause or a political agenda are practicing hacktivism.

6
Q

Two hackers attempt to crack a company’s network resource security. One is considered an ethical hacker, whereas the other is not. What distinguishes the ethical hacker from the cracker?

A

The ethical hacker always obtains written permission before testing, and never performs a test without it.

7
Q

In which stage of an ethical hack would the attacker actively apply tools and techniques to gather more in-depth information on the targets?

A

The second of the five phases of an ethical hack attempt, scanning and enumeration.

8
Q

What type of attack is generally conducted as an inside attacker with elevated privileges on the resources?

A

A white box attack is intended to simulate an internal attacker with elevated privileges, such as a network administrator.

9
Q

Which attacks take advantage of the built-in code and scripts most off-the-shelf applications come with?

A

Most software inevitably comes with built-in code and script vulnerabilities, and attacks taking advantage of this are known as shrink-wrap attacks.

10
Q

A number of laws are relevant to ethical hacking. Within the United States, which federal statute specifically addresses hacking under US Law?

A

United States Code, Title 18 defines most of the US law concerning hacking and computer crime.

11
Q

Which act attempts to ensure a standard level of security in US federal systems?

A

The Federal Information Security Management Act provides a green light to an ethical hacker with regard to a lot of information, because it makes this information readily available to the public.

12
Q

As part of a pen test, an ethical hacker discovers a file listing government workers' Social Security numbers. His dissemination of this document is best governed by which act?

A

The Privacy Act protects information of a personal nature, including Social Security numbers.

13
Q

Cade ran a scan on a system and could not identify the operating system. There does seem to be a web server running. How can that fact help Cade figure out the rest of the system?

A

Banner grabbing is a basic activity on a pentest. Each protocol requires different commands; therefore, this is also a good way to verify services on the open ports.

14
Q

You are conducting a test and get caught. What document will ensure that you are protected from negative consequences within the target company?

A

Make sure the person who issues your get-out-of-jail-free card actually has the authority to do so. The penetration test should be sponsored by senior management, who should also issue the other legal documents.

15
Q

Sara has been asked to perform a port scan on a number of servers to check for access points that should not be running but would have elevated privileges. She is not familiar with port numbers and isn’t sure how to scan only those that we know meet the scanning criteria. What advice would you give her?

A

She should scan 0-1023. The key words are 'elevated privileges' and 'known ports'.

16
Q

During a pentest, you retrieve a USB key from a box of discarded hardware that was just sitting by a number of other items. You check the key for files and it turns out to have a number of .pdf documents that could have sensitive information. If this information were to get leaked it would be a great risk to your client. In your report you point this out, but the customer doesn't see the problem, as all the documents were password protected. Why isn't this enough to prevent the information leakage?

A

The password must be stored in the file, but a strong key can be generated from it to protect the data from being visible to other readers. It is possible, however, to brute-force the file, and tools such as those from Elcomsoft make short work of most file formats.

17
Q

A business manager is arguing with a compliance officer that a pentest would never be needed for this company since they use single sign-on authentication throughout. You are asked for your opinion and say, "If I can access a network physically, I can own it."
This sounds a little extreme, but what is true about this assertion?

A

If packets can be sent and received, there are countless forms of attack that can be attempted. This is true regardless of the type of network, wired or wireless.

18
Q

During an internal pentest, you set up a fake website built from some documentation and useful resources you obtained. You create a link and send it via email to a few key people. When they visit, code is run on their machines that compromises their systems.
What form of attack is taking place?

A

The key words in this attack are "runs code on their own machines".
The pentesters created a website with deliberate vulnerabilities and then placed the attack in the page. Links on those pages could include a variety of attacks, from XSS to malware embedded within media files. Although social engineering is involved in making this attack convincing, a browser drive-by is more specific to this technique.

19
Q

During a pentest, you notice the organization uses different domains for various internal departments. In what phase of the test would this have been discovered?

A

Passive information gathering. Project scoping and rules of engagement happen before the test actually begins. The vulnerability analysis comes later in the test, after as much information has been gathered as possible.

20
Q

Knowing ports is important for attackers, pentesters and analysts. On a Windows system, what are the port numbers for the following protocols? (in order)
Kerberos, WINS, RPC, SMB, CIFS

A
Kerberos - 88
WINS - 42
RPC - 135
SMB - 139
CIFS - 445

21
Q

Using netcat, cryptcat, or ncat to transfer files across a network is a common practice for a pentester because any port that will pass through the filters between the target and tiger box can be used. What command will transfer a binary file on a commonly unfiltered web port?

A

nc -l -u -p 8080

22
Q

During the network footprinting phase it is often helpful to get information from the DNS that can reveal hosts, which in turn reveal network segments, and traceroute can reveal even more. Obtaining records like CNAME, MX, and A is an example of this. With those examples, what is the attacker looking for?

A

Zone Transfer

Using tools like nslookup, dig, and host, full transfers might be possible. They likely will not be; however, since the command only takes 5 seconds and could save you hours, it could be worth a try. Be aware that it is a TCP transfer, and attempts to obtain zones all at once can be detected and logged. The alternative is to attempt to get the records in a way that looks like a simple client request, one at a time.

23
Q

There are three phases to a penetration test: the pre-attack phase, the attack phase and the post-attack phase. What will automated tools never replace?

A

Automated tools are very sophisticated, there is no question about that. They can integrate quality scanning tools, include evasion techniques, and reduce the trial-and-error time significantly.
But there is no substitute for creativity when it is needed. Taking an organized approach is the professional way to conduct the test and maintain the trust of your client.

24
Q

Milo is trying to learn all he can about a network. He is looking for easy things he can do that might reveal information. Eventually, he can collect all of that data and, after analysis, learn perhaps enough to have a complete picture. One technique is to send email to email addresses with different statuses, such as valid users, non-existent addresses, users on vacation, employees that no longer work there and commonly named email groups.
What would be the reason for doing this?

A

Sending email to non-existent addresses might reveal addresses of internal mail relays, but it also tells the attacker about policies for handling such mail, including how to handle bounces, full inboxes, vacations, ex-employees, undeliverable mail and, of course, spam.

25
Q

Gary is using an email system that allows web based access and is popular among employees of the company he is attacking. He is testing this system to see if there is a way to gain access to other accounts. He signs up for an account and begins to use it. He notices in the URL that information about his account name is present:
http://mail.exampleco.com/inbox.aspx?lang=en&mailbox=Gary+Tennenbaum
He replaces his name with someone else’s name in the target company that he gathered from a job posting site.
What attack is he attempting?

A

Query String parameter manipulation attack

If the system authenticated the client via the browser, then changing the name being passed to the account might allow the attacker to assume the identity of the target account. If the parameters are not in the query string, they could be in the HTTP header, and Paros could be used to change and resubmit them. Instead of something simple like names, session ID values are commonly used in these attacks.

26
Q

Maureen returns from lunch and notices her PC has a BSOD but the hard drive activity light is still flashing. What tool is possibly being used?

A

Floppyscan
It's a tool that can be configured to automatically footprint a network and email the results to a predetermined address. While it is scanning, it presents the BSOD so that the computer looks busy. This tool could be adapted to a modern high-capacity floppy disc (USB drive).

27
Q

Hosts can often be attacked in layers. If the target service is not vulnerable, then what else should the attacker try?

A

Get the user to accept a malicious file on the host.
Attack a service on one of the other open ports.
It is best to begin attacking from the lowest layer of the OSI model that can be accessed. If possible, a physical attack is always best. Remote attacks against enabled services might allow access to the OS. The applications can be attacked either as a remote client or from within the host by using social engineering to plant malicious code. There are many ways to get in.

28
Q

What ISO standard provides best practice recommendations for implementing security controls?

A

ISO 27001 is a certifiable standard. ISO 27002 is a set of guidelines that will be interpreted according to unique situations.

29
Q

When finished footprinting the network, the next step the attacker would use is:

A

A vulnerability scanner is too noisy to use in most cases. Even though common tools such as Nessus will do most of the footprinting work for the attacker, it is safer to pick the interesting machines one by one and try to find out as much as possible about them, as it might be possible to choose an attack strategy without a vulnerability scan at all.

30
Q

Resources that an attacker can use to research or monitor vulnerabilities for a particular target include:

A

The Full Disclosure mailing list
The CVE list at Mitre.org
The OSVDB
The Bugtraq mailing list

31
Q

Nick wants to protect data as it moves across a network by using a tunnel, but he cannot implement a full VPN solution. Which of the following is his best option?

A

Secure Shell is a common choice for establishing secure tunnels for protocols such as Telnet and FTP. It is not considered to provide a full VPN solution.

32
Q

You were conducting a white box test, and the customer has a dispute over one of the items that was reported as a critical vulnerability. He wants you to verify that it is a true weakness and has very open rules of engagement for the process. This would be an example of a:

A

In a grey box test you have limited knowledge of the situation. In this case you have an objective but can pull from all of your resources to verify the vulnerability.