Sample CEH Questions Flashcards

1
Q

Which of the following can the administrator do to verify that a tape backup can be recovered in
its entirety?

A. Read the first 512 bytes of the tape
B. Perform a full restore
C. Read the last 512 bytes of the tape
D. Restore a random file

A

B. Perform a full restore

2
Q

A company’s security policy states that all Web browsers must automatically delete their HTTP
browser cookies upon terminating. What sort of security breach is this policy attempting to
mitigate?

A. Attempts by attackers to access the user and password information stored in the company’s SQL
database.
B. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user’s
authentication credentials.
C. Attempts by attackers to access password stored on the user’s computer without the user’s
knowledge.
D. Attempts by attackers to determine the user’s Web browser usage patterns, including when sites
were visited and for how long.

A

B. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user’s
authentication credentials.

3
Q

To maintain compliance with regulatory requirements, a security audit of the systems on a
network must be performed to determine their compliance with security policies. Which one of the
following tools would most likely be used in such an audit?

A. Protocol analyzer
B. Intrusion Detection System
C. Port scanner
D. Vulnerability scanner

A

D. Vulnerability scanner

4
Q

You are tasked to perform a penetration test. While you are performing information gathering, you
find an employee list in Google. You find the receptionist’s email, and you send her an email
changing the source email to her boss’s email (boss@company). In this email, you ask for a pdf
with information. She reads your email and sends back a pdf with links. You exchange the pdf
links with your malicious links (these links contain malware) and send back the modified pdf,
saying that the links don’t work. She reads your email, opens the links, and her machine gets
infected. You now have access to the company network.
What testing method did you use?

A. Social engineering
B. Piggybacking
C. Tailgating
D. Eavesdropping

A

A. Social engineering

5
Q

Your team has won a contract to infiltrate an organization. The company wants to have the attack
be as realistic as possible; therefore, they did not provide any information besides the company
name. What should be the first step in security testing the client?

A. Reconnaissance
B. Escalation
C. Scanning
D. Enumeration

A

A. Reconnaissance

6
Q

A medium-sized healthcare IT business decides to implement a risk management strategy. Which
of the following is NOT one of the five basic responses to risk?
A. Accept
B. Delegate
C. Mitigate
D. Avoid

A

B. Delegate

7
Q

OpenSSL on Linux servers includes a command line tool for testing TLS. What is the name of the
tool and the correct syntax to connect to a web server?

A. openssl s_client -site www.website.com:443
B. openssl_client -site www.website.com:443
C. openssl_client -connect www.website.com:443
D. openssl s_client -connect www.website.com:443

A

D. openssl s_client -connect www.website.com:443

8
Q

Which of the following describes the characteristics of a Boot Sector Virus?
A. Modifies directory table entries so that directory entries point to the virus code instead of the actual
program.
B. Moves the MBR to another location on the RAM and copies itself to the original location of the
MBR.
C. Moves the MBR to another location on the hard disk and copies itself to the original location of the
MBR.
D. Overwrites the original MBR and only executes the new virus code.

A

C. Moves the MBR to another location on the hard disk and copies itself to the original location of the
MBR.

9
Q

John is an incident handler at a financial institution. His steps in a recent incident are not up to the
standards of the company. John frequently forgets some steps and procedures while handling
responses as they are very stressful to perform. Which of the following actions should John take
to overcome this problem with the least administrative effort?

A. Increase his technical skills
B. Read the incident manual every time it occurs
C. Select someone else to check the procedures
D. Create an incident checklist

A

D. Create an incident checklist

10
Q

Which of the following is the least-likely physical characteristic to be used in biometric control that
supports a large company?

A. Voice
B. Fingerprints
C. Iris patterns
D. Height and Weight

A

D. Height and Weight

11
Q

While using your bank’s online servicing you notice the following string in the URL bar:
http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980&Camount=21
You observe that if you modify the Damount and Camount values and submit the request, the data on
the web page reflects the changes.
Which type of vulnerability is present on this site?

A. Cookie Tampering
B. SQL Injection
C. Web Parameter Tampering
D. XSS Reflection

A

C. Web Parameter Tampering

12
Q

It is an entity or event with the potential to adversely impact a system through unauthorized
access, destruction, disclosure, denial of service or modification of data. Which of the following
terms best matches the definition?
A. Attack
B. Vulnerability
C. Threat
D. Risk

A

C. Threat

13
Q

Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS)
flaws in software applications?
A. Use security policies and procedures to define and implement proper security settings.
B. Use digital certificates to authenticate a server prior to sending data.
C. Validate and escape all information sent to a server.
D. Verify access rights before allowing access to protected information and UI controls

A

C. Validate and escape all information sent to a server. (In practice: validate on input, and encode on output for the context in which the data is rendered, since XSS is a failure to encode what the browser receives.)
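As an added example (not part of the flashcard deck), the Python below shows why the encoding has to match the output context: the same html.escape that neutralises a payload in an HTML text node or a quoted attribute does nothing useful inside a script block, where a JSON literal with '<' escaped is the right tool. The payloads and function names are constructed for illustration.

```python
import html
import json

# Constructed payloads, one per output context.
BODY_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'
JS_PAYLOAD = "</script><script>alert(1)</script>"


def render_unsafe(name):
    """Vulnerable: untrusted input pasted straight into the HTML body."""
    return f"<p>Hello {name}</p>"


def render_body(name):
    """Hardened for a text node: HTML-encode; quote=True also covers ' and "."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def render_attr(value):
    """Hardened for an attribute: the attribute is quoted AND the value is
    encoded, so a stray quote cannot close it and start a new attribute."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def render_js(value):
    """Hardened for a script context: JSON gives a valid JS string literal and
    escaping '<' keeps a '</script>' inside the data from ending the block.
    html.escape would be wrong here: '&lt;' is not a JavaScript escape."""
    literal = json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var name = {literal};</script>"


def tag_count(markup, tag):
    """Count opening tags of `tag` in rendered markup (a crude test oracle)."""
    return markup.lower().count(f"<{tag}")


if __name__ == "__main__":
    print(render_unsafe(BODY_PAYLOAD))
    print(render_body(BODY_PAYLOAD))
    print(render_attr(ATTR_PAYLOAD))
    print(render_js(JS_PAYLOAD))
```

Run it and compare the four lines: only the first still contains an executable script element; the last contains exactly one closing tag, the real one.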

14
Q

Gavin owns a white-hat firm and is performing a website security audit for one of his clients. He
begins by running a scan which looks for common misconfigurations and outdated software
versions. Which of the following tools is he most likely using?

A. Armitage
B. Nikto
C. Metasploit
D. Nmap

A

B. Nikto

15
Q

Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp’s lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824-861252104-501. What needs to happen before Matthew has full administrator access?
A. He needs to gain physical access.
B. He must perform privilege escalation.
C. He already has admin privileges, as shown by the “501” at the end of the SID.
D. He needs to disable antivirus protection.

A

B. He must perform privilege escalation. (The RID 501 at the end of the SID is the built-in Guest account; the built-in Administrator is RID 500.)

16
Q

Elliot is in the process of exploiting a web application that uses SQL as a back-end database. He
has determined that the application is vulnerable to SQL injection and has introduced conditional
timing delays into injected queries to determine whether they are successful. What type of SQL
injection is Elliot most likely performing?

A. NoSQL injection
B. Blind SQL injection
C. Union-based SQL injection
D. Error-based SQL injection

A

B. Blind SQL injection
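As an added example, not part of the deck, here is the injection Elliot's technique relies on, reduced to a runnable Python/SQLite script: an injectable login next to its parameterised form, and a blind extraction loop that recovers a secret one byte at a time using only the login's yes/no answer. SQLite has no SLEEP(), so the oracle here is boolean rather than time-based; a time-based variant only swaps the comparison for a conditional delay such as MySQL's IF(cond, SLEEP(5), 0). The schema, user and secret are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for the application's back end."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('elliot', 's3cr3t!')")
    con.commit()
    return con


def vulnerable_login(con, name):
    """Injectable: the username is concatenated into the SQL text."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchone() is not None


def safe_login(con, name):
    """Hardened: a bound parameter, so quotes in the input remain data."""
    sql = "SELECT 1 FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchone() is not None


def blind_extract(con, login, column="password", who="elliot", max_len=32):
    """Boolean-based blind extraction: one true/false question per candidate
    byte. `login` is the oracle and returns True when the injected condition
    holds. coalesce(..., 0) turns 'past the end of the string' into a miss,
    which is how the loop knows it has recovered the whole value."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):  # printable ASCII
            condition = (f"(SELECT coalesce(unicode(substr({column},{pos},1)),0) "
                         f"FROM users WHERE name='{who}') = {code}")
            payload = f"x' OR {condition} -- "
            if login(con, payload):
                recovered += chr(code)
                break
        else:
            break  # no printable byte matched: end of value reached
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("tautology login:", vulnerable_login(db, "x' OR 1=1 -- "))
    print("recovered via injectable query:", blind_extract(db, vulnerable_login))
    print("recovered via parameterised query:", repr(blind_extract(db, safe_login)))
```

Against the parameterised login the same payloads are just an unknown username, so the extraction loop returns an empty string: the fix is the query shape, not a filter on the input.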

17
Q

You have successfully logged on a Linux system. You want to now cover your track. Your login
attempt may be logged on several files located in /var/log. Which file does NOT belong to the list:
A. wtmp
B. user.log
C. btmp
D. auth.log

A

B. user.log
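Added example (not from the deck): wtmp and btmp are not text but arrays of fixed-size struct utmp records, which is why grep cannot search them and why both log wipers and forensic tools handle them record by record. The Python below packs a few constructed records in the 384-byte glibc x86_64 layout (an assumption; other libcs and architectures differ), parses them back, and lists the sessions a given user left behind. Field names follow utmp.h.

```python
import struct
from datetime import datetime, timezone

# glibc x86_64 `struct utmp`, 384 bytes, little-endian (assumed target layout):
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit{e_termination, e_exit}, ut_session, ut_tv{tv_sec, tv_usec},
# ut_addr_v6[4], __unused[20]
UTMP_FMT = "<hhi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8        # ut_type values from utmp.h


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def make_record(ut_type, pid, line, user, host, ts):
    """Pack one record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, 0, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")


def parse_utmp(blob):
    """Split a wtmp/btmp/utmp blob into dicts, one per record."""
    records = []
    for off in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        records.append({"type": f[0], "pid": f[2], "line": _cstr(f[3]),
                        "user": _cstr(f[5]), "host": _cstr(f[6]), "time": f[10]})
    return records


def sessions_for(records, user):
    """Pair each USER_PROCESS entry for `user` with the DEAD_PROCESS entry that
    closes the same tty line; a still-open session has logout None."""
    out = []
    for i, r in enumerate(records):
        if r["type"] != USER_PROCESS or r["user"] != user:
            continue
        logout = next((d["time"] for d in records[i + 1:]
                       if d["type"] == DEAD_PROCESS and d["line"] == r["line"]), None)
        out.append({"line": r["line"], "host": r["host"],
                    "login": r["time"], "logout": logout})
    return out


# Constructed sample wtmp: one completed SSH session and one still open.
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "203.0.113.9", 1700000000)
    + make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1700003600)
    + make_record(USER_PROCESS, 5151, "pts/1", "alice", "198.51.100.7", 1700007200)
)

if __name__ == "__main__":
    for s in sessions_for(parse_utmp(SAMPLE_WTMP), "alice"):
        start = datetime.fromtimestamp(s["login"], timezone.utc).isoformat()
        print(s["line"], s["host"], start, "open" if s["logout"] is None else "closed")
```

On a real host the same parser can be pointed at /var/log/wtmp or /var/log/btmp; the takeaway for defenders is that these files are trivially editable by root, so they belong on a remote log collector, not only on the box being investigated.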

18
Q

When you return to your desk after a lunch break, you notice a strange email in your inbox. The
sender is someone you did business with recently, but the subject line has strange characters in
it. What should you do?
A. Forward the message to your company’s security response team and permanently delete the
message from your computer.
B. Reply to the sender and ask them for more information about the message contents.
C. Delete the email and pretend nothing happened.
D. Forward the message to your supervisor and ask for her opinion on how to handle the situation.

A

A. Forward the message to your company’s security response team and permanently delete the
message from your computer.

19
Q

The “gray box testing” methodology enforces what kind of restriction?
A. Only the internal operation of a system is known to the tester.
B. The internal operation of a system is completely known to the tester.
C. The internal operation of a system is only partly accessible to the tester.
D. Only the external operation of a system is accessible to the tester.

A

C. The internal operation of a system is only partly accessible to the tester.

20
Q

Log monitoring tools performing behavioral analysis have alerted on several suspicious logins on a
Linux server occurring during non-business hours. After further examination of all login activities, it
is noticed that none of the logins have occurred during typical work hours. A Linux administrator
who is investigating this problem realizes the system time on the Linux server is wrong by more
than twelve hours. Which protocol, used on Linux servers to synchronize the time, has stopped
working?
A. NTP
B. TimeKeeper
C. OSPF
D. PPP

A

A. NTP

21
Q

The “black box testing” methodology enforces what kind of restriction?
A. Only the internal operation of a system is known to the tester.
B. The internal operation of a system is completely known to the tester.
C. The internal operation of a system is only partly accessible to the tester.
D. Only the external operation of a system is accessible to the tester.

A

D. Only the external operation of a system is accessible to the tester.

22
Q

nmap -sn 192.168.11.200-215
The Nmap command above performs which of the following?
A. A port scan
B. A ping scan
C. An operating system detection
D. A trace sweep

A

B. A ping scan (-sn disables port scanning and performs host discovery only; older releases called it -sP)

23
Q

An LDAP directory can be used to store information similar to a SQL database. LDAP uses a
____ database structure instead of SQL’s ______ structure. Because of this, LDAP has difficulty
representing many-to-one relationships.
A. Strict, Abstract
B. Simple, Complex
C. Relational, Hierarchical
D. Hierarchical, Relational

A

D. Hierarchical, Relational

24
Q
What is the purpose of DNS AAAA record?
A. Address prefix record
B. Address database record
C. Authorization, Authentication and Auditing record
D. IPv6 address resolution record
A

D. IPv6 address resolution record

25
Q

Which of the following statements is FALSE with respect to Intrusion Detection Systems?
A. Intrusion Detection Systems can easily distinguish a malicious payload in an encrypted traffic
B. Intrusion Detection Systems can examine the contents of the data in context of the network
protocol
C. Intrusion Detection Systems can be configured to distinguish specific content in network packets
D. Intrusion Detection Systems require constant update of the signature library

A

A. Intrusion Detection Systems can easily distinguish a malicious payload in an encrypted traffic

26
Q

You are performing a penetration test for a client and have gained shell access to a Windows
machine on the internal network. You intend to retrieve all DNS records for the internal domain. If
the DNS server is at 192.168.10.2 and the domain name is abccorp.local, what command would
you type at the nslookup prompt to attempt a zone transfer?
A. list domain=abccorp.local type=zone
B. ls -d abccorp.local
C. list server=192.168.10.2 type=all
D. lserver 192.168.10.2 -t all

A

B. ls -d abccorp.local (after pointing nslookup at the server with "server 192.168.10.2". The ls command exists only in the Windows nslookup; on Linux the equivalent is "dig @192.168.10.2 abccorp.local AXFR".)

27
Q
Which command can be used to show the current TCP/IP connections?
A. Netsh
B. Net use connection
C. Netstat
D. Net use
A

C. Netstat

28
Q

You are performing information gathering for an important penetration test. You have found pdf,
doc, and images in your objective. You decide to extract metadata from these files and analyze it.
What tool will help you with the task?
A. Armitage
B. Dmitry
C. Metagoofil
D. cdpsnarf

A

C. Metagoofil

29
Q

You have several plain-text firewall logs that you must review to evaluate network traffic. You
know that in order to do fast, efficient searches of the logs you must use regular expressions.
Which command-line utility are you most likely to use?
A. Relational Database
B. MS Excel
C. Notepad
D. Grep

A

D. Grep

30
Q

This phase will increase the odds of success in later phases of the penetration test. It is also the
very first step in information gathering and it will tell you what the “landscape” looks like. What is the
most important phase of ethical hacking, in which you need to spend a considerable amount of
time?
A. network mapping
B. footprinting
C. escalating privileges
D. gaining access

A

B. footprinting

31
Q

When you are collecting information to perform a data analysis, Google commands are very
useful to find sensitive information and files. These files may contain information about
passwords, system functions, or documentation. What command will help you to search files
using Google as a search engine?
A. site: target.com filetype:xls username password email
B. domain: target.com archieve:xls username password email
C. inurl: target.com filename:xls username password email
D. site: target.com file:xls username password email

A

A. site: target.com filetype:xls username password email

32
Q

You have successfully gained access to your client’s internal network and successfully compromised
a Linux server which is part of the internal IP network. You want to know which Microsoft
Windows workstations have file sharing enabled. Which port would you see listening on these
Windows machines in the network?
A. 161
B. 3389
C. 445
D. 1433

A

C. 445

33
Q
Which of the following is assured by the use of a hash?
A. Authentication
B. Confidentiality
C. Availability
D. Integrity
A

D. Integrity

34
Q
Risks=Threats x Vulnerabilities is referred to as the:
A. BIA equation
B. Disaster recovery formula
C. Risk equation
D. Threat assessment
A

C. Risk equation

35
Q

The tools which receive event logs from servers, network equipment, and applications, and
perform analysis and correlation on those logs, and can generate alarms for security relevant
issues, are known as what?
A. Network Sniffer
B. Vulnerability Scanner
C. Intrusion Prevention Server
D. Security Incident and Event Monitoring

A

D. Security Incident and Event Monitoring (SIEM, more commonly expanded as Security Information and Event Management)

36
Q

You have just been hired to perform a pen test on an organization that has been subjected to a
large-scale attack. The CIO is concerned with mitigating threats and vulnerabilities to totally
eliminate risk. What is one of the first things you should do when given the job?
A. Establish attribution to suspected attackers
B. Interview all employees in the company to rule out possible insider threats
C. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to
acceptable levels.
D. Start the wireshark application to start sniffing network traffic.

A

C. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to
acceptable levels.

37
Q
The purpose of a _______ is to deny network access to local area networks and other information
assets by unauthorized wireless devices.
A. Wireless Analyzer
B. Wireless Jammer
C. Wireless Access Point
D. Wireless Access Control List
A

D. Wireless Access Control List

38
Q

What does the -oX flag do in an Nmap scan?
A. Perform an Xmas scan
B. Perform an eXpress scan
C. Output the results in truncated format to the screen
D. Output the results in XML format to a file

A

D. Output the results in XML format to a file

39
Q
During an Xmas scan, what indicates a port is closed?
A. RST
B. SYN
C. ACK
D. No return response
A

A. RST (a closed port answers the FIN/PSH/URG probe with RST; no response means open|filtered. Windows and some other stacks send RST for every port, so the scan is only informative against RFC 793-compliant stacks.)

40
Q

While performing online banking using a Web browser, a user receives an email that contains a
link to an interesting Web site. When the user clicks on the link, another Web browser session
starts and displays a video of cats playing a piano. The next business day, the user receives what
looks like an email from his bank, indicating that his bank account has been accessed from a
foreign country. The email asks the user to call his bank and verify the authorization of a funds
transfer that took place. What Web browser-based security vulnerability was exploited to
compromise the user?
A. Clickjacking
B. Cross-Site Scripting
C. Cross-Site Request Forgery
D. Web form input validation

A

C. Cross-Site Request Forgery

41
Q

Tremp is an IT Security Manager, and he is planning to deploy an IDS in his small company. He
is looking for an IDS with the following characteristics:
- Verifies success or failure of an attack
- Monitors system activities
- Detects attacks that a network-based IDS fails to detect
- Near real-time detection and response
- Does not require additional hardware
- Lower entry cost
Which type of IDS is best suited for Tremp’s requirements?
A. Network-based IDS
B. Open source-based IDS
C. Host-based IDS
D. Gateway-based IDS

A

C. Host-based IDS

42
Q

Which of the following parameters describe LM Hash:
I - The maximum password length is 14 characters
II - There are no distinctions between uppercase and lowercase
III - The password is split into two 7-byte halves
A. II
B. I
C. I, II, and III
D. I and II

A

C. I, II, and III

43
Q
Which of the following is not a Bluetooth attack?
A. Bluesnarfing
B. Bluedriving
C. Bluesmacking
D. Bluejacking
A

B. Bluedriving

44
Q

The Open Web Application Security Project (OWASP) is the worldwide not-for-profit charitable
organization focused on improving the security of software. What item is the primary concern on
OWASP’s Top Ten Project Most Critical Web Application Security Risks?
A. Cross Site Scripting
B. Injection
C. Path disclosure
D. Cross Site Request Forgery

A

B. Injection (top of the 2010, 2013 and 2017 lists; in the 2021 edition Broken Access Control took first place and Injection moved to third)

45
Q

A pen-tester is configuring a Windows laptop for a test. In setting up Wireshark, what driver and
library are required to allow the NIC to work in promiscuous mode?
A. Winprom
B. Libpcap
C. Winpsw
D. Winpcap

A

D. Winpcap (WinPcap is no longer maintained; current Wireshark builds ship Npcap, its successor)

46
Q

An analyst is investigating proxy logs and finds that one of the internal users visited a website
hosting suspicious JavaScript. After opening one of the scripts, he notices that the code is very hard
to understand and differs from typical JavaScript. What is the name of this
technique to hide the code and extend analysis time?
A. Steganography
B. Code encoding
C. Obfuscation
D. Encryption

A

C. Obfuscation

47
Q

During the security audit of IT processes, an IS auditor found that there were no documented
security procedures. What should the IS auditor do?
A. Create a procedures document
B. Terminate the audit
C. Conduct compliance testing
D. Identify and evaluate existing practices

A

D. Identify and evaluate existing practices

48
Q

You just set up a security system in your network. In what kind of system would you find the
following string of characters used as a rule within its configuration?
alert tcp any any -> 192.168.100.0/24 21 (msg:"FTP on the network!";)
A. a firewall IPTable
B. FTP Server rule
C. A Router IPTable
D. An Intrusion Detection System

A

D. An Intrusion Detection System
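Added example (not part of the deck): a small parser and matcher for Snort-style rules such as the one in the question, written to show what each header field means. It handles any/CIDR/negated addresses, single ports and ranges, both directions, and quoted option values; real Snort syntax is larger (variables like $HOME_NET, port lists, content matching) and is not covered. The packets it is tested against are constructed 5-tuples.

```python
import ipaddress
import re

# Header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def _split_options(text):
    """Split 'key:value; key; ...' on ';' while honouring double-quoted values."""
    items, cur, in_quote = [], "", False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        items.append(cur.strip())
    return items


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort-style rule header")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    opts = {}
    for item in _split_options(m.group("opts")):
        key, _, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"') if value else True
    rule["options"] = opts
    return rule


def _addr_match(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _port_match(spec, port):
    """'any', '21', '1:1024', ':1024' (0..1024), '1024:' (1024..65535), '!...'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    lo, sep, hi = spec.lstrip("!").partition(":")
    lo = int(lo) if lo else 0
    hi = int(hi) if (sep and hi) else (65535 if sep else lo)
    return (lo <= port <= hi) != negate


def matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport (a constructed 5-tuple)."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    fwd = (_addr_match(rule["src"], pkt["src"]) and _port_match(rule["sport"], pkt["sport"])
           and _addr_match(rule["dst"], pkt["dst"]) and _port_match(rule["dport"], pkt["dport"]))
    if rule["dir"] == "->":
        return fwd
    rev = (_addr_match(rule["src"], pkt["dst"]) and _port_match(rule["sport"], pkt["dport"])
           and _addr_match(rule["dst"], pkt["src"]) and _port_match(rule["dport"], pkt["sport"]))
    return fwd or rev


RULE = 'alert tcp any any -> 192.168.100.0/24 21 (msg:"FTP on the network!";)'

if __name__ == "__main__":
    r = parse_rule(RULE)
    pkt = {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "192.168.100.7", "dport": 21}
    print(r["options"]["msg"] if matches(r, pkt) else "no alert")
```

Note what the deck's rule does not do: it has no content or flow options, so it fires on any TCP packet to port 21 in that /24, including SYNs to closed ports, which is why a production rule would at least carry a sid and a flow:to_server,established qualifier.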

49
Q

While scanning with Nmap, Patin found several hosts which have incremental IP ID
sequences. He then decided to run:
nmap -Pn -p- -sI kiosk.adobe.com www.riaa.com
kiosk.adobe.com is the host with the incremental IP ID sequence. What is the purpose of using “-sI”
with Nmap?
A. Conduct stealth scan
B. Conduct ICMP scan
C. Conduct IDLE scan
D. Conduct silent scan

A

C. Conduct IDLE scan

50
Q
What is the process of logging, recording, and resolving events that take place in an
organization?
A. Incident Management Process
B. Security Policy
C. Internal Procedure
D. Metrics
A

A. Incident Management Process

51
Q

During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised
web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What
type of firewall is inspecting outbound traffic?
A. Circuit
B. Stateful
C. Application
D. Packet Filtering

A

C. Application

52
Q

The chance of a hard drive failure is once every three years. The cost to buy a new hard drive is
$300. It will require 10 hours to restore the OS and software to the new hard disk. It will require a
further 4 hours to restore the database from the last backup to the new hard disk. The recovery
person earns $10/hour. Calculate the SLE, ARO, and ALE. Assume the EF = 1(100%). What is
the closest approximate cost of this replacement and recovery operation per year?
A. $1320
B. $440
C. $100
D. $146

A

D. $146 (SLE = $300 + 14 h x $10/h = $440; ARO = 1/3 per year; ALE = SLE x ARO = $146.67, about $146 per year)

53
Q

An IT employee got a call from one our best customers. The caller wanted to know about the
company’s network infrastructure, systems, and team. New opportunities of integration are in
sight for both company and customer. What should this employee do?
A. The employee cannot provide any information, but will provide the name of the person in charge
B. Since the company’s policy is all about customer service, he/she will provide the information
C. The employee should not provide any information without prior management authorization
D. Disregarding the call, the employee should hang up

A

C. The employee should not provide any information without prior management authorization

54
Q
You are attempting to man-in-the-middle a session. Which protocol will allow you to guess a
sequence number?
A. ICMP
B. TCP
C. UPX
D. UDP
A

B. TCP

55
Q

What is a “Collision attack” in cryptography?
A. Collision attacks try to get the public key
B. Collision attacks try to break the hash into three parts to get the plaintext value
C. Collision attacks try to break the hash into two parts, with the same bytes in each part to get the
private key
D. Collision attacks try to find two inputs producing the same hash

A

D. Collision attacks try to find two inputs producing the same hash
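As an added example (not from the deck), the script below runs a birthday search against a deliberately shortened digest (SHA-256 truncated to 24 bits, a stand-in for any hash with a small output) and finds two distinct inputs with the same hash after roughly sqrt(pi/2 * 2^24), about five thousand, trials rather than the 2^24 a second-preimage search would need. The inputs are counter bytes, so the run is deterministic; the truncation is the assumption, SHA-256 itself is not being broken.

```python
import hashlib
import math


def short_hash(data, nbits):
    """SHA-256 truncated to its top nbits: a stand-in for a hash with a small
    digest. nbits=256 returns the full digest as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - nbits)


def expected_birthday_trials(nbits):
    """Mean number of random inputs until the first collision: sqrt(pi/2 * 2^n)."""
    return math.sqrt(math.pi / 2 * (1 << nbits))


def find_collision(nbits, max_trials=1 << 22):
    """Birthday search: hash distinct inputs until a digest repeats.
    Returns (input_a, input_b, trials) or None if max_trials is exhausted."""
    seen = {}
    for i in range(max_trials):
        msg = i.to_bytes(8, "big")
        h = short_hash(msg, nbits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


if __name__ == "__main__":
    n = 24
    a, b, trials = find_collision(n)
    print(f"{n}-bit digest: collision after {trials} inputs "
          f"(birthday estimate {expected_birthday_trials(n):.0f}, brute force 2^{n} = {1 << n})")
    print(a.hex(), b.hex(), hex(short_hash(a, n)))
```

Change n to 32 and the search needs around 80,000 hashes and a few hundred megabytes for the table; the cost grows as 2^(n/2), which is why a 128-bit digest (MD5) is considered to offer only 64-bit collision resistance even before its structural weaknesses.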

56
Q
Which of the following is the successor of SSL?
A. GRE
B. IPSec
C. RSA
D. TLS
A

D. TLS

57
Q

This international organization regulates billions of transactions daily and provides security
guidelines to protect personally identifiable information (PII). These security controls provide a
baseline and prevent low-level hackers sometimes known as script kiddies from causing a data
breach. Which of the following organizations is being described?
A. Institute of Electrical and Electronics Engineers(IEEE)
B. International Security Industry Organization (ISIO)
C. Center for Disease Control (CDC)
D. Payment Card Industry (PCI)

A

D. Payment Card Industry (PCI)

58
Q

Which of the following DoS tools is used to attack target web applications by starvation of
available sessions on the web server? The tool keeps sessions at halt using never-ending POST
transmissions and sending an arbitrarily large content-length header value.
A. Stacheldraht
B. LOIC
C. R-U-Dead-Yet? (RUDY)
D. MyDoom

A

C. R-U-Dead-Yet? (RUDY)

59
Q
WPA2 uses AES for wireless data encryption at which of the following encryption levels?
A. 64 bit and CCMP
B. 128 bit and CRC
C. 128 bit and CCMP
D. 128 bit and TKIP
A

C. 128 bit and CCMP

60
Q

You are tasked to configure the DHCP server to lease the last 100 usable IP addresses in subnet
10.1.4.0/23.
Which of the following IP addresses could be leased as a result of the new configuration?
A. 10.1.4.254
B. 10.1.255.200
C. 10.1.5.200
D. 10.1.4.156

A

C. 10.1.5.200 (10.1.4.0/23 spans 10.1.4.0 to 10.1.5.255; the usable range is 10.1.4.1 to 10.1.5.254 and its last 100 addresses are 10.1.5.155 to 10.1.5.254)
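Added example, not part of the deck: the arithmetic behind that answer in general form, using Python's ipaddress module so it works for any prefix length. It excludes the network and broadcast addresses (except for /31 and /32, which reserve none), checks that the pool fits, and tests each of the question's candidate addresses against the resulting pool.

```python
import ipaddress


def usable_range(cidr):
    """First and last host address of a subnet, network and broadcast excluded.
    /31 and /32 reserve no addresses, so every address in them is usable."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen >= net.max_prefixlen - 1:
        return net[0], net[-1]
    return net[1], net[-2]


def last_usable(cidr, count):
    """The last `count` usable addresses of `cidr` as an inclusive (first, last) pair."""
    first, last = usable_range(cidr)
    total = int(last) - int(first) + 1
    if count > total:
        raise ValueError(f"{cidr} has only {total} usable addresses")
    return last - (count - 1), last


def in_pool(cidr, count, addr):
    """Could `addr` be leased from a DHCP pool built with last_usable()?"""
    lo, hi = last_usable(cidr, count)
    return lo <= ipaddress.ip_address(addr) <= hi


if __name__ == "__main__":
    lo, hi = last_usable("10.1.4.0/23", 100)
    print(f"pool: {lo} - {hi}")
    for cand in ("10.1.4.254", "10.1.255.200", "10.1.5.200", "10.1.4.156"):
        print(cand, "leased" if in_pool("10.1.4.0/23", 100, cand) else "not in pool")
```

The same two functions answer the mirror-image exam question (first N usable addresses) by taking `first, first + (count - 1)` instead.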

61
Q

Your company was hired by a small healthcare provider to perform a technical assessment on
the network. What is the best approach for discovering vulnerabilities on a Windows-based
computer?
A. Create a disk image of a clean Windows installation
B. Use the built-in Windows Update tool
C. Use a scan tool like Nessus
D. Check MITRE.org for the latest of CVE findings

A

C. Use a scan tool like Nessus

62
Q

You are analyzing traffic on the network with Wireshark. You want to routinely run a cron job
which will capture only traffic involving a specific set of IPs, 192.168.8.0/24. Which command
would you use?
A. tshark -net 192.255.255.255 mask 192.168.8.0
B. wireshark -capture -local -masked 192.168.8.0 -range 24
C. sudo tshark -f “net 192.168.8.0/24”
D. wireshark -fetch “192.168.8/*”

A

C. sudo tshark -f “net 192.168.8.0/24” (tshark is Wireshark’s command-line capture tool and -f sets a libpcap capture filter; none of the other flags exist)

63
Q

Initiating an attack against targeted business and organizations, threat actors compromise a
carefully selected website by inserting an exploit resulting in malware infection. The attackers run
exploits on well- known and trusted sites likely to be visited by their targeted victims. Aside from
carefully choosing sites to compromise, these attacks are known to incorporate zero-day exploits
that target unpatched vulnerabilities. Thus, the targeted entities are left with little or no defense
against these exploits. What type of attack is outlined in the scenario?
A. Heartbeat Attack
B. Spear Phishing Attack
C. Shellshock Attack
D. Watering Hole Attack

A

D. Watering Hole Attack

64
Q

What kind of detection technique is used by antivirus software that identifies malware by
collecting data from multiple protected systems and, instead of analyzing files locally, performs the
analysis in the provider’s environment?
A. Behavioral based
B. Heuristics based
C. Honeypot based
D. Cloud based

A

D. Cloud based

65
Q

Which of these options is the most secure procedure for storing backup tapes?
A. In a climate controlled facility offsite
B. In a cool dry environment
C. On a different floor in the same building
D. Inside the data center for faster retrieval in a fireproof safe

A

A. In a climate controlled facility offsite

66
Q
Which security strategy requires using several, varying methods to protect IT systems against
attacks?
A. Defense in depth
B. Covert channels
C. Exponential backoff algorithm
D. Three-way handshake
A

A. Defense in depth

67
Q
Which utility will tell you in real time which ports are listening or in another state?
A. Netstat
B. Loki
C. Nmap
D. TCPView
A

D. TCPView

68
Q

Which of the following statements regarding ethical hacking is incorrect?
A. An organization should use ethical hackers who do not sell vendor hardware/software or other
consulting services
B. Ethical hackers should never use tools or methods that have the potential of exploiting
vulnerabilities in an organization’s systems
C. Ethical hacking should not involve writing to or modifying the target systems.
D. Testing should be remotely performed offsite.

A

B. Ethical hackers should never use tools or methods that have the potential of exploiting
vulnerabilities in an organization’s systems

69
Q

A common cryptographical tool is the use of XOR. XOR the following binary values: 10110001
00111010

A. 10011101
B. 10001011
C. 10111100
D. 11011000

A

B. 10001011

70
Q

Why are containers less secure than virtual machines?
A. The host OS under containers has a larger attack surface.
B. Containers are attached to the same virtual network.
C. Containers may fill up the host’s disk space.
D. A compromised container may cause CPU starvation on the host.

A

A. The host OS under containers has a larger attack surface. (All containers share the host kernel, so a kernel escape from one container compromises the host and every other container; a VM exposes only the narrower hypervisor interface. Disk and CPU exhaustion are real but are resource-limit problems, not the isolation difference.)

71
Q
Which of the following is a component of a risk assessment?
A. Administrative safeguards
B. Physical security
C. Logical interface
D. DMZ
A

A. Administrative safeguards

72
Q

Which of the following is the structure designed to verify and authenticate the identity of
individuals within the enterprise taking part in a data exchange?
A. PKI
B. SOA
C. biometrics
D. single sign on

A

A. PKI

73
Q

You are monitoring the network of your organizations. You notice that:

  1. There are huge outbound connections from your Internal Network to External IPs
  2. On further investigation, you see that the external IPs are blacklisted
  3. Some connections are accepted, and some are dropped
  4. You find that it is a CnC communication

Which of the following solutions will you suggest?

A. Block the blacklisted IPs at the firewall
B. Update the latest signatures on your IDS/IPS
C. Clean the malware that is trying to communicate with the external blacklisted IPs
D. Block the blacklisted IPs at the firewall and clean the malware that is trying to communicate with them

A

D. Block the blacklisted IPs at the firewall and clean the malware that is trying to communicate with them

74
Q

A company has five different subnets: 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and
192.168.5.0. How can NMAP be used to scan these adjacent Class C networks?
A. NMAP -P 192.168.1-5.
B. NMAP -P 192.168.0.0/16
C. NMAP -P 192.168.1.0,2.0,3.0,4.0,5.0
D. NMAP -P 192.168.1/17

A

A. NMAP -P 192.168.1-5.

75
Q

A penetration tester is attempting to scan an internal corporate network from the internet without
alerting the border sensor. Which is the most efficient technique the tester should consider using?
A. Spoofing an IP address
B. Tunneling scan over SSH
C. Tunneling over high port numbers
D. Scanning using fragmented IP packets

A

B. Tunneling scan over SSH

76
Q
A hacker is attempting to see which ports have been left open on a network. Which NMAP switch
would the hacker use?
A. -sO
B. -sP
C. -sS
D. -sU
A

A. -sO

77
Q

ICMP ping and ping sweeps are used to check for active systems and to check
A. if ICMP ping traverses a firewall.
B. the route that the ICMP ping took.
C. the location of the switchport in relation to the ICMP ping.
D. the number of hops an ICMP ping takes to reach a destination.

A

A. if ICMP ping traverses a firewall.

78
Q
Which command line switch would be used in NMAP to perform operating system detection?
A. -OS
B. -sO
C. -sP
D. -O
A

D. -O

79
Q

A hacker is attempting to use nslookup to query Domain Name Service (DNS). The hacker uses
the nslookup interactive mode for the search. Which command should the hacker type into the
command shell to request the appropriate records?
A. Locate type=ns
B. Request type=ns
C. Set type=ns
D. Transfer type=ns

A

C. Set type=ns

80
Q

A hacker searches in Google for filetype:pcf to find Cisco VPN config files. Those files may
contain connectivity passwords that can be decoded with which of the following?
A. Cupp
B. Nessus
C. Cain and Abel
D. John The Ripper Pro

A

C. Cain and Abel

81
Q
An NMAP scan of a server shows port 25 is open. What risk could this pose?
A. Open printer sharing
B. Web portal data leak
C. Clear text authentication
D. Active mail relay
A

D. Active mail relay

82
Q

When utilizing technical assessment methods to assess the security posture of a network, which
of the following techniques would be most effective in determining whether end-user security
training would be beneficial?
A. Vulnerability scanning
B. Social engineering
C. Application security testing
D. Network sniffing

A

B. Social engineering

83
Q

A company has publicly hosted web applications and an internal Intranet protected by a firewall.
Which technique will help protect against enumeration?

A. Reject all invalid email received via SMTP.
B. Allow full DNS zone transfers.
C. Remove A records for internal hosts.
D. Enable null session pipes.

A

C. Remove A records for internal hosts.

84
Q
Which of the following techniques will identify if computer files have been changed?
A. Network sniffing
B. Permission sets
C. Integrity checking hashes
D. Firewall alerts
A

C. Integrity checking hashes

85
Q

What are two things that are possible when scanning UDP ports? (Choose two)
A. A reset will be returned
B. An ICMP message will be returned
C. The four-way handshake will not be completed
D. An RFC 1294 message will be returned
E. Nothing

A

B. An ICMP message will be returned
C. The four-way handshake will not be completed

E. Nothing

86
Q
What does a type 3 code 13 represent? (Choose two.)
A. Echo request
B. Destination unreachable
C. Network unreachable
D. Administratively prohibited
E. Port unreachable
F. Time exceeded
A

B. Destination unreachable

D. Administratively prohibited

87
Q

Destination unreachable administratively prohibited messages can inform the hacker to what?
A. That a circuit level proxy has been installed and is filtering traffic
B. That his/her scans are being blocked by a honeypot or jail
C. That the packets are being malformed by the scanning software
D. That a router or other packet-filtering device is blocking traffic
E. That the network is functioning normally

A

D. That a router or other packet-filtering device is blocking traffic

88
Q
Which of the following Nmap commands would be used to perform stack fingerprinting?
A. Nmap -O -p80 
B. Nmap -hU -Q
C. Nmap -sT -p 
D. Nmap -u -o -w2 
E. Nmap -sS -0p target
A

A. Nmap -O -p80

89
Q

(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic
TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort
has been used to capture packets on the network. On studying the packets, the penetration tester
finds it to be abnormal. If you were the penetration tester, why would you find this abnormal?
What is odd about this attack? Choose the best answer.

A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
B. This is Back Orifice activity as the scan comes from port 31337.
C. The attacker wants to avoid creating a sub-carries connection that is not normally valid.
D. These packets were crafted by a tool, they were not created by a standard IP stack.

A

B. This is Back Orifice activity as the scan comes from port 31337.

90
Q
Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up
by an IDS?
A. SYN scan
B. ACK scan
C. RST scan
D. Connect scan
E. FIN scan
A

D. Connect scan

91
Q
Name two software tools used for OS guessing. (Choose two.)
A. Nmap
B. Snadboy
C. Queso
D. UserInfo
E. NetBus
A

A. Nmap

C. Queso

92
Q

Sandra is the security administrator of XYZ.com. One day she notices that the XYZ.com Oracle
database server has been compromised and customer information along with financial data has
been stolen. The financial loss will be estimated in millions of dollars if the database gets into the
hands of competitors. Sandra wants to report this crime to the law enforcement agencies
immediately. Which organization coordinates computer crime investigations throughout the
United States?

A. NDCA
B. NICP
C. CIRP
D. NPC
E. CIA
A

D. NPC

93
Q

Which among the following can be used to get this output?

A. A Bo2k system query.
B. nmap protocol scan
C. A sniffer
D. An SNMP walk

A

D. An SNMP walk

94
Q

You are manually conducting Idle Scanning using Hping2. During your scanning you notice that
almost every query increments the IPID regardless of the port being queried. One or two of the
queries cause the IPID to increment by more than one value. Why do you think this occurs?

A. The zombie you are using is not truly idle.
B. A stateful inspection firewall is resetting your queries.
C. Hping2 cannot be used for idle scanning.
D. These ports are actually open on the target system.

A

A. The zombie you are using is not truly idle.

95
Q

While performing ping scans into a target network you get a frantic call from the organization’s
security team. They report that they are under a denial of service attack. When you stop your
scan, the smurf attack event stops showing up on the organization’s IDS monitor. How can you
modify your scan to prevent triggering this event in the IDS?
A. Scan more slowly.
B. Do not scan the broadcast IP.
C. Spoof the source IP address.
D. Only scan the Windows systems.

A

B. Do not scan the broadcast IP.

96
Q

Neil notices that a single address is generating traffic from its port 500 to port 500 of several other
machines on the network. This scan is eating up most of the network bandwidth and Neil is
concerned. As a security professional, what would you infer from this scan?
A. It is a network fault and the originating machine is in a network loop
B. It is a worm that is malfunctioning or hardcoded to scan on port 500
C. The attacker is trying to detect machines on the network which have SSL enabled
D. The attacker is trying to determine the type of VPN implementation and checking for IPSec

A

D. The attacker is trying to determine the type of VPN implementation and checking for IPSec

97
Q

A distributed port scan operates by:

A. Blocking access to the scanning clients by the targeted host
B. Using denial-of-service software against a range of TCP ports
C. Blocking access to the targeted host by each of the distributed scanning clients
D. Having multiple computers each scan a small number of ports, then correlating the results

A

D. Having multiple computers each scan a small number of ports, then correlating the results

98
Q
An nmap command that includes the host specification of 202.176.56-57.* will scan _______
number of hosts.
A. 2
B. 256
C. 512
D. Over 10,000
A

C. 512

99
Q

A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites. 77 of
the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO
packets had an ICMP ID:0 and Seq:0. What can you infer from this information?
A. The packets were sent by a worm spoofing the IP addresses of 47 infected sites
B. ICMP ID and Seq numbers were most likely set by a tool and not by the operating system
C. All 77 packets came from the same LAN segment and hence had the same ICMP ID and Seq
number
D. 13 packets were from an external network and probably behind a NAT, as they had an ICMP ID 0
and Seq 0

A

B. ICMP ID and Seq numbers were most likely set by a tool and not by the operating system

100
Q
Which of the following commands runs snort in packet logger mode?
A. ./snort -dev -h ./log
B. ./snort -dev -l ./log
C. ./snort -dev -o ./log
D. ./snort -dev -p ./log
A

B. ./snort -dev -l ./log

101
Q
What operating system is the target host running based on the open ports shown above?
A. Windows XP
B. Windows 98 SE
C. Windows NT4 Server
D. Windows 2000 Server
A

D. Windows 2000 Server

102
Q
Which of the following command line switches would you use for OS detection in Nmap?
A. -D
B. -O
C. -P
D. -X
A

B. -O

103
Q

Why would an attacker want to perform a scan on port 137?

A. To discover proxy servers on a network
B. To disrupt the NetBIOS SMB service on the target host
C. To check for file and print sharing on Windows systems
D. To discover information about a target host using NBTSTAT

A

D. To discover information about a target host using NBTSTAT

104
Q
Which type of scan sends packets with no flags set? Select the answer.
A. Open Scan
B. Null Scan
C. Xmas Scan
D. Half-Open Scan
A

B. Null Scan

105
Q

Sandra has been actively scanning the client network on which she is doing a vulnerability
assessment test. While conducting a port scan she notices open ports in the range of 135 to 139.
What protocol is most likely to be listening on those ports?
A. Finger
B. FTP
C. Samba
D. SMB

A

D. SMB

106
Q

SNMP is a protocol used to query hosts, servers, and devices about performance or health status
data. This protocol has long been used by hackers to gather a great amount of information about
remote hosts. Which of the following features makes this possible? (Choose two)
A. It uses TCP as the underlying protocol.
B. It uses a community string that is transmitted in clear text.
C. It is susceptible to sniffing.
D. It is used by all network devices on the market.

A

B. It uses a community string that is transmitted in clear text.

D. It is used by all network devices on the market.

107
Q

Bob is acknowledged as a hacker of repute and is popular among visitors of “underground” sites.
Bob is willing to share his knowledge with those who are willing to learn, and many have
expressed their interest in learning from him. However, this knowledge has a risk associated with
it, as it can be used for malevolent attacks as well.
In this context, what would be the most effective method to bridge the knowledge gap between
the “black” hats or crackers and the “white” hats or computer security professionals? (Choose the
best answer)

A. Educate everyone with books, articles and training on risk analysis, vulnerabilities and
safeguards.
B. Hire more computer security monitoring personnel to monitor computer systems and networks.
C. Make obtaining either a computer security certification or accreditation easier to achieve so more
individuals feel that they are a part of something larger than life.
D. Train more National Guard and reservists in the art of computer security to help out in times of
emergency or crises.

A

A. Educate everyone with books, articles and training on risk analysis, vulnerabilities and
safeguards.

108
Q

Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool
“SIDExtractor”. Here is the output of the SIDs:

From the above list identify the user account with System Administrator privileges.

A. John
B. Rebecca
C. Sheela
D. Shawn
E. Somia
F. Chang
G. Micah
A

F. Chang

109
Q

Which address translation scheme would allow a single public IP address to always correspond
to a single machine on an internal network, allowing “server publishing”?
A. Overloading Port Address Translation
B. Dynamic Port Address Translation
C. Dynamic Network Address Translation
D. Static Network Address Translation

A

D. Static Network Address Translation

110
Q

What is the following command used for?
net use \\target\ipc$ "" /u:""
A. Grabbing the etc/passwd file
B. Grabbing the SAM
C. Connecting to a Linux computer through Samba.
D. This command is used to connect as a null session
E. Enumeration of Cisco routers

A

D. This command is used to connect as a null session

111
Q

One of your team members has asked you to analyze the following SOA record.
What is the TTL?
Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600
604800 2400)

A. 200303028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800
A

D. 2400

112
Q

MX record priority increases as the number increases. (True/False)

A. True
B. False

A

B. False

113
Q
Which of the following tools can be used to perform a zone transfer?
A. NSLookup
B. Finger
C. Dig
D. Sam Spade
E. Host
F. Netcat
G. Neotrace
A

A. NSLookup
C. Dig
D. Sam Spade
E. Host

114
Q

Under what conditions does a secondary name server request a zone transfer from a primary
name server?

A. When a primary SOA is higher than a secondary SOA
B. When a secondary SOA is higher than a primary SOA
C. When a primary name server has had its service restarted
D. When a secondary name server has had its service restarted
E. When the TTL falls to zero

A

A. When a primary SOA is higher than a secondary SOA

115
Q
What ports should be blocked on the firewall to prevent NetBIOS traffic from coming through
the firewall if your network is comprised of Windows NT, 2000, and XP? (Choose all that apply.)
A. 110
B. 135
C. 139
D. 161
E. 445
F. 1024
A

B. 135
C. 139
E. 445

116
Q

Joseph was the Web site administrator for Mason Insurance in New York, whose main Web
site was located at www.masonins.com. Joseph uses his laptop computer regularly to administer
the Web site. One night, Joseph received an urgent phone call from his friend, Smith. According
to Smith, the main Mason Insurance web site had been vandalized! All of its normal content was
removed and replaced with an attacker’s message “Hacker Message: You are dead! Freaks!”
From his office, which was directly connected to Mason Insurance’s internal network, Joseph
surfed to the Web site using his laptop. In his browser, the Web site looked completely intact. No
changes were apparent. Joseph called a friend of his at his home to help troubleshoot the
problem. The Web site appeared defaced when his friend visited using his DSL connection. So,
while Smith and his friend could see the defaced page, Joseph saw the intact Mason Insurance
web site. To help make sense of this problem, Joseph decided to access the Web site using his
dial-up ISP. He disconnected his laptop from the corporate internal network and used his modem
to dial up the same ISP used by Smith. After his modem connected, he quickly typed
www.masonins.com in his browser to reveal the following web page:
H@cker Mess@ge:
Y0u @re De@d! Fre@ks!
After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal
network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire
against the entire Web site, and determined that every system file and all the Web content on the
server were intact. How did the attacker accomplish this hack?

A. ARP spoofing
B. SQL injection
C. DNS poisoning
D. Routing table injection

A

C. DNS poisoning

117
Q
Which of the following tools are used for enumeration? (Choose three.)
A. SolarWinds
B. USER2SID
C. Cheops
D. SID2USER
E. DumpSec
A

B. USER2SID
D. SID2USER
E. DumpSec

118
Q

What did the following commands determine?
C:\>user2sid \\earth guest
S-1-5-21-343818398-789336058-1343024091-501
C:\>sid2user 5 21 343818398 789336058 1343024091 500
Name is Joe
Domain is EARTH
A. That the Joe account has a SID of 500
B. These commands demonstrate that the guest account has NOT been disabled
C. These commands demonstrate that the guest account has been disabled
D. That the true administrator is Joe
E. Issued alone, these commands prove nothing

A

D. That the true administrator is Joe

119
Q

Which definition among those given below best describes a covert channel?
A. A server program using a port that is not well known.
B. Making use of a protocol in a way it is not intended to be used.
C. It is the multiplexing taking place on a communication link.
D. It is one of the weak channels used by WEP which makes it insecure.

A

B. Making use of a protocol in a way it is not intended to be used.

120
Q

Susan has attached to her company’s network. She has managed to synchronize her boss’s
sessions with that of the file server. She then intercepted his traffic destined for the server,
changed it the way she wanted to and then placed it on the server in his home directory.
What kind of attack is Susan carrying out?
A. A sniffing attack
B. A spoofing attack
C. A man in the middle attack
D. A denial of service attack

A

C. A man in the middle attack

121
Q

Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt to
use these tools in his lab and is now ready for real world exploitation. He was able to effectively
intercept communications between the two entities and establish credentials with both sides of
the connections. The two remote ends of the communication never notice that Eric is relaying the
information between the two. What would you call this attack?

A. Interceptor
B. Man-in-the-middle
C. ARP Proxy
D. Poisoning Attack

A

B. Man-in-the-middle

122
Q

Eve is spending her day scanning the library computers. She notices that Alice is using a
computer whose port 445 is active and listening. Eve uses the ENUM tool to enumerate Alice’s
machine. From the command prompt, she types the following command.
for /f "tokens=1" %%a in (hackfile.txt) do net use * \\10.1.2.3\c$ /user:"Administrator" %%a
What is Eve trying to do?
A. Eve is trying to connect as a user with Administrator privileges
B. Eve is trying to enumerate all users with Administrative privileges
C. Eve is trying to carry out a password crack for user Administrator
D. Eve is trying to escalate privilege of the null user to that of Administrator

A

C. Eve is trying to carry out a password crack for user Administrator

123
Q

Which of the following represents the initial two commands that an IRC client sends to join an IRC
network?

A. USER, NICK
B. LOGIN, NICK
C. USER, PASS
D. LOGIN, USER

A

A. USER, NICK

124
Q

Null sessions are unauthenticated connections (not using a username or password) to an NT or
2000 system. Which TCP and UDP ports must you filter to check null sessions on your network?

A. 137 and 139
B. 137 and 443
C. 139 and 443
D. 139 and 445

A

D. 139 and 445

125
Q

The following is an entry captured by a network IDS. You are assigned the task of analyzing this
entry. You notice the value 0x90, which is the most common NOP (no-op) instruction for the Intel
processor. You figure that the attacker is attempting a buffer overflow attack. You also notice
“/bin/sh” in the ASCII part of the output. As an analyst what would you conclude about the attack?

A. The buffer overflow attack has been neutralized by the IDS
B. The attacker is creating a directory on the compromised machine
C. The attacker is attempting a buffer overflow attack and has succeeded
D. The attacker is attempting an exploit that launches a command-line shell

A

D. The attacker is attempting an exploit that launches a command-line shell

126
Q
Based on the following extract from the log of a compromised machine, what is the hacker really
trying to steal?
A. har.txt
B. SAM file
C. wwwroot
D. Repair file
A

B. SAM file

127
Q

As a security consultant, what are some of the things you would recommend to a company to
ensure DNS security? Select the best answers.

A. Use the same machines for DNS and other applications
B. Harden DNS servers
C. Use split-horizon operation for DNS servers
D. Restrict Zone transfers
E. Have subnet diversity between DNS servers

A

B. Harden DNS servers
C. Use split-horizon operation for DNS servers
D. Restrict Zone transfers
E. Have subnet diversity between DNS servers

128
Q

Why would you consider sending an email to an address that you know does not exist within the
company you are performing a Penetration Test for?
A. To determine who is the holder of the root account
B. To perform a DoS
C. To create needless SPAM
D. To elicit a response back that will reveal information about email servers and how they treat
undeliverable mail
E. To test for virus protection

A

D. To elicit a response back that will reveal information about email servers and how they treat
undeliverable mail

129
Q
What tool can crack Windows SMB passwords simply by listening to network traffic? Select the
best answer.
A. This is not possible
B. Netbus
C. NTFSDOS
D. L0phtcrack
A

D. L0phtcrack

130
Q

A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on
his network. What are some things he can do to prevent it? Select the best answers.
A. Use port security on his switches.
B. Use a tool like ARPwatch to monitor for strange ARP activity.
C. Use a firewall between all LAN segments.
D. If you have a small network, use static ARP entries.
E. Use only static IP addresses on all PCs.

A

A. Use port security on his switches.

B. Use a tool like ARPwatch to monitor for strange ARP activity.

D. If you have a small network, use static ARP entries.

131
Q
Peter, a Network Administrator, has come to you looking for advice on a tool that would help him
perform SNMP enquiries over the network.
Which of these tools would do the SNMP enumeration he is looking for? Select the best answers.
A. SNMPUtil
B. SNScan
C. SNMPScan
D. Solarwinds IP Network Browser
E. NMap
A

A. SNMPUtil

B. SNScan

D. Solarwinds IP Network Browser

132
Q

Bob is doing a password assessment for one of his clients. Bob suspects that security policies
are not in place. He also suspects that weak passwords are probably the norm throughout the
company he is evaluating. Bob is familiar with password weaknesses and key loggers. Which of
the following options best represents the means that Bob can adopt to retrieve passwords from
his client’s hosts and servers?

A. Hardware, Software, and Sniffing.
B. Hardware and Software Keyloggers.
C. Passwords are always best obtained using Hardware key loggers.
D. Software only, they are the most effective.

A

A. Hardware, Software, and Sniffing.

133
Q

Which of the following algorithms can be used to guarantee the integrity of messages being sent,
in transit, or stored? (Choose the best answer)

A. symmetric algorithms
B. asymmetric algorithms
C. hashing algorithms
D. integrity algorithms

A

C. hashing algorithms

134
Q

A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the
SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems.
However, he is unable to capture any logons though he knows that other users are logging in.
What do you think is the most likely reason behind this?

A. There is a NIDS present on that segment.
B. Kerberos is preventing it.
C. Windows logons cannot be sniffed.
D. L0phtcrack only sniffs logons to web servers.

A

B. Kerberos is preventing it.

135
Q

You are attempting to crack LAN Manager (LM) hashes from a Windows 2000 SAM file. You will be using
an LM brute-force cracking tool for decryption.
What encryption algorithm will you be decrypting?

A. MD4
B. DES
C. SHA
D. SSL

A

B. DES

136
Q

In the context of password security, a simple dictionary attack involves loading a dictionary file (a
text file full of dictionary words) into a cracking application such as L0phtCrack or John the
Ripper, and running it against user accounts located by the application. The larger the word and
word fragment selection, the more effective the dictionary attack is. The brute force method is the
most inclusive, although slow. It usually tries every possible letter and number combination in its
automated exploration. If you would use both brute force and dictionary methods combined
together to have variation of words, what would you call such an attack?

A. Full Blown
B. Thorough
C. Hybrid
D. BruteDics

A

C. Hybrid

137
Q

What is the algorithm used by LM for the Windows 2000 SAM?

A. MD4
B. DES
C. SHA
D. SSL

A

B. DES

138
Q

E-mail scams and mail fraud are regulated by which of the following?
A. 18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers
B. 18 U.S.C. par. 1029 Fraud and Related activity in connection with Access Devices
C. 18 U.S.C. par. 1362 Communication Lines, Stations, or Systems
D. 18 U.S.C. par. 2510 Wire and Electronic Communications Interception and Interception of Oral
Communication

A

A. 18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers

139
Q

Which of the following LM hashes represent a password of less than 8 characters? (Select 2)

A. BA810DBA98995F1817306D272A9441BB
B. 44EFCE164AB921CQAAD3B435B51404EE
C. 0182BD0BD4444BF836077A718CCDF409
D. CEC52EB9C8E3455DC2265B23734E0DAC
E. B757BF5C0D87772FAAD3B435B51404EE
F. E52CAC67419A9A224A3B108F3FA6CB6D
A

B. 44EFCE164AB921CQAAD3B435B51404EE

E. B757BF5C0D87772FAAD3B435B51404EE

140
Q

Which of the following is the primary objective of a rootkit?

A. It opens a port to provide an unauthorized service
B. It creates a buffer overflow
C. It replaces legitimate programs
D. It provides an undocumented opening in a program

A

C. It replaces legitimate programs

141
Q

This kind of password cracking method uses word lists in combination with numbers and special
characters:

A. Hybrid
B. Linear
C. Symmetric
D. Brute Force

A

A. Hybrid

142
Q

_________ is a tool that can hide processes from the process list, can hide files, registry entries,
and intercept keystrokes.

A. Trojan
B. RootKit
C. DoS tool
D. Scanner
E. Backdoor
A

B. RootKit

143
Q

What is the BEST alternative if you discover that a rootkit has been installed on one of your
computers?

A. Copy the system files from a known good system
B. Perform a trap and trace
C. Delete the files and try to determine the source
D. Reload from a previous backup
E. Reload from known good media

A

E. Reload from known good media

144
Q

What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stacheldraht have in common?

A. All are hacking tools developed by the legion of doom
B. All are tools that can be used not only by hackers, but also security personnel
C. All are DDOS tools
D. All are tools that are only effective against Windows
E. All are tools that are only effective against Linux

A

C. All are DDOS tools

145
Q

How can you determine if an LM hash you extracted contains a password that is less than 8
characters long?

A. There is no way to tell because a hash cannot be reversed
B. The right most portion of the hash is always the same
C. The hash always starts with AB923D
D. The left most portion of the hash is always the same
E. A portion of the hash will be all 0’s

A

B. The right most portion of the hash is always the same

146
Q

When discussing passwords, what is considered a brute force attack?

A. You attempt every single possibility until you exhaust all possible combinations or discover the
password
B. You threaten to use the rubber hose on someone unless they reveal their password
C. You load a dictionary of words into your cracking program
D. You create hashes of a large number of words and compare it with the encrypted passwords
E. You wait until the password expires

A

A. You attempt every single possibility until you exhaust all possible combinations or discover the
password

147
Q

Which of the following are well-known password-cracking programs? (Choose all that apply.)

A. L0phtcrack
B. NetCat
C. Jack the Ripper
D. Netbus
E. John the Ripper
A

A. L0phtcrack

E. John the Ripper

148
Q

Password cracking programs reverse the hashing process to recover passwords. (True/False)

A. True
B. False

A

B. False

149
Q

What is GINA?

A. Gateway Interface Network Application
B. GUI Installed Network Application CLASS
C. Global Internet National Authority (G-USA)
D. Graphical Identification and Authentication DLL

A

D. Graphical Identification and Authentication DLL

150
Q

Every company needs a formal written document which spells out to employees precisely what
they are allowed to use the company’s systems for, what is prohibited, and what will happen to
them if they break the rules. Two printed copies of the policy should be given to every employee
as soon as possible after they join the organization. The employee should be asked to sign one
copy, which should be safely filed by the company. No one should be allowed to use the
company’s computer systems until they have signed the policy in acceptance of its terms.
What is this document called?

A. Information Audit Policy (IAP)
B. Information Security Policy (ISP)
C. Penetration Testing Policy (PTP)
D. Company Compliance Policy (CCP)

A

B. Information Security Policy (ISP)

151
Q

Which type of sniffing technique is generally referred to as a MiTM attack?

A. Password Sniffing
B. ARP Poisoning
C. Mac Flooding
D. DHCP Sniffing

A

B. ARP Poisoning

152
Q

This is an attack that takes advantage of a web site vulnerability in which the site displays content
that includes unsanitized user-provided data.
See foobar
What is this attack?

A. Cross-site-scripting attack
B. SQL Injection
C. URL Traversal attack
D. Buffer Overflow attack

A

A. Cross-site-scripting attack