Second 100 Flashcards
In which part of OSI layer, ARP Poisoning occurs?
A.
Transport Layer
B.
Datalink Layer
C.
Physical Layer
D.
Application layer
B
What ICMP message types are used by the ping command?
A. Timestamp request (13) and timestamp reply (14)
B. Echo request (8) and Echo reply (0)
C. Echo request (0) and Echo reply (1)
D. Ping request (1) and Ping reply (2)
B
You want to hide a secret.txt document inside c:\windows\system32\tcpip.dll kernel library using
ADS streams. How will you accomplish this?
A.
copy secret.txt c:\windows\system32\tcpip.dll kernel>secret.txt
B.
copy secret.txt c:\windows\system32\tcpip.dll:secret.txt
C.
copy secret.txt c:\windows\system32\tcpip.dll |secret.txt
D.
copy secret.txt >
B
Which of the following systems would not respond correctly to an nmap XMAS scan?
A.
Windows 2000 Server running IIS 5
B.
Any Solaris version running SAMBA Server
C.
Any version of IRIX
D.
RedHat Linux 8.0 running Apache Web Server
A
You just purchased the latest DELL computer, which comes pre-installed with Windows 7,
McAfee antivirus software and a host of other applications. You want to connect Ethernet wire to
your cable modem and start using the computer immediately. Windows is dangerously insecure
when unpacked from the box, and there are a few things that you must do before you use it.
A.
New installation of Windows should be patched by installing the latest service packs and
hotfixes
B.
Key applications such as Adobe Acrobat,Macromedia Flash,Java,Winzip etc.,must have the
latest security patches installed
C.
Install a personal firewall and lock down unused ports from connecting to your computer
D.
Install the latest signatures for Antivirus software
E.
Configure “Windows Update” to automatic
F.
Create a non-admin user with a complex password and logon to this account
G.
You can start using your computer as vendors such as DELL,HP and IBM would have already
installed the latest service packs.
A,C,D,E,F
In the context of Trojans, what is the definition of a Wrapper?
A.
An encryption tool to protect the Trojan
B.
A tool used to bind the Trojan with a legitimate file
C.
A tool used to calculate bandwidth and CPU cycles wasted by the Trojan
D.
A tool used to encapsulate packets within a new header and footer
B
Wrapper does not change header or footer of any packets but it mix between legitimate file and
Trojan file.
Your computer is infected by E-mail tracking and spying Trojan. This Trojan infects the computer
with a single file – emos.sys
Which step would you perform to detect this type of Trojan?
A.
Scan for suspicious startup programs using msconfig
B.
Scan for suspicious network activities using Wireshark
C.
Scan for suspicious device drivers in c:\windows\system32\drivers
D.
Scan for suspicious open ports using netstat
C
When Nmap performs a ping sweep, which of the following sets of requests does it send to the
target device?
A.
ICMP ECHO_REQUEST & TCP SYN
B.
ICMP ECHO_REQUEST & TCP ACK
C.
ICMP ECHO_REPLY & TFP RST
D.
ICMP ECHO_REPLY & TCP FIN
B
Which type of hacker represents the highest risk to your network?
A.
black hat hackers
B.
grey hat hackers
C.
disgruntled employees
D.
script kiddies
C
________ is one of the programs used to wardial.
A.
DialIT
B.
Netstumbler
C.
TooPac
D.
Kismet
E.
ToneLoc
E
Shayla is an IT security consultant, specializing in social engineering and external penetration
tests. Shayla has been hired on by Treks Avionics, a subcontractor for the Department of Defense.
Shayla has been given authority to perform any and all tests necessary to audit the company’s
network security.
No employees for the company, other than the IT director, know about Shayla’s work she will be
doing. Shayla’s first step is to obtain a list of employees through company website contact pages.
Then she befriends a female employee of the company through an online chat website. After
meeting with the female employee numerous times, Shayla is able to gain her trust and they
become friends. One day, Shayla steals the employee’s access badge and uses it to gain
unauthorized access to the Treks Avionics offices.
What type of insider threat would Shayla be considered?
A.
She would be considered an Insider Affiliate
B.
Because she does not have any legal access herself,Shayla would be considered an Outside
Affiliate
C.
Shayla is an Insider Associate since she has befriended an actual employee
D.
Since Shayla obtained access with a legitimate company badge; she would be considered a
Pure Insider
A
What are the default passwords used by SNMP? (Choose two.)
A.
Password
B.
SA
C.
Private
D.
Administrator
E.
Public
F.
Blank
C,E
What port number is used by Kerberos protocol?
A.
88
B.
44
C.
487
D.
419
A
Which of the following ICMP message types are used for destinations unreachables?
A.
0
B.
3
C.
11
D.
13
E.
17
B
What does FIN in TCP flag define?
A.
Used to abort a TCP connection abruptly
B.
Used to close a TCP connection
C.
Used to acknowledge receipt of a previous packet or transmission
D.
Used to indicate the beginning of a TCP connection
B
What is the proper response for a FIN scan if the port is closed?
A.
SYN
B.
ACK
C.
FIN
D.
PSH
E.
RST
E
Annie has just succeeded in stealing a secure cookie via a XSS attack. She is able to replay the
cookie even while the session is invalid on the server. Why do you think this is possible?
A.
It works because encryption is performed at the application layer (single encryption key)
B.
The scenario is invalid as a secure cookie cannot be replayed
C.
It works because encryption is performed at the network layer (layer 1 encryption)
D.
Any cookie can be replayed irrespective of the session status
A
What is the proper response for a X-MAS scan if the port is closed?
A.
SYN
B.
ACK
C.
FIN
D.
PSH
E.
RST
F.
No response
E
This attack technique is used when a Web application is vulnerable to an SQL Injection but the
results of the Injection are not visible to the attacker.
A.
Unique SQL Injection
B.
Blind SQL Injection
C.
Generic SQL Injection
D.
Double SQL Injection
B
What flags are set in a X-MAS scan?(Choose all that apply.
A.
SYN
B.
ACK
C.
FIN
D.
PSH
E.
RST
F.
URG
C,D,F
Which of the following is an automated vulnerability assessment tool?
A.
Whack a Mole
B.
Nmap
C.
Nessus
D.
Kismet
E.
Jill32
C
What file system vulnerability does the following command take advantage of?
type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe
A.
HFS
B.
Backdoor access
C.
XFS
D.
ADS
D
John is using a special tool on his Linux platform that has a signature database and is therefore
able to detect hundred of vulnerabilities in UNIX, Windows, and commonly-used web CGI scripts.
Additionally, the database detects DDoS zombies and Trojans. What would be the name of this
multifunctional tool?
A.
nmap
B.
hping
C.
nessus
D.
make
C
Nessus is the world’s most popular vulnerability scanner,estimated to be used by over 75,000
organizations world-wide. Nmap is mostly used for scanning,not for detecting vulnerabilities. Hping
is a free packet generator and analyzer for the TCP/IP protocol and make is used to automatically
build large applications on the *nix plattform.
You are the Security Administrator of Xtrinity, Inc. You write security policies and conduct
assessments to protect the company’s network. During one of your periodic checks to see how
well policy is being observed by the employees, you discover an employee has attached cell
phone 3G modem to his telephone line and workstation. He has used this cell phone 3G modem
to dial in to his workstation, thereby bypassing your firewall. A security breach has occurred as a
direct result of this activity. The employee explains that he used the modem because he had to
download software for a department project. How would you resolve this situation?
A.
Reconfigure the firewall
B.
Enforce the corporate security policy
C.
Install a network-based IDS
D.
Conduct a needs analysis
B
What is the disadvantage of an automated vulnerability assessment tool?
A.
Ineffective
B.
Slow
C.
Prone to false positives
D.
Prone to false negatives
E.
Noisy
E
In what stage of Virus life does a stealth virus gets activated with the user performing certain
actions such as running an infected program?
A.
Design
B.
Elimination
C.
Incorporation
D.
Replication
E.
Launch
F.
Detection
E
In what stage of Virus life does a stealth virus gets activated with the user performing certain
actions such as running an infected program?
A.
Design
B.
Elimination
C.
Incorporation
D.
Replication
E.
Launch
F.
Detection
E
What are two things that are possible when scanning UDP ports? (Choose two.
A.
A reset will be returned
B.
An ICMP message will be returned
C.
The four-way handshake will not be completed
D.
An RFC 1294 message will be returned
E.
Nothing
B,E
What is a sniffing performed on a switched network called?
A.
Spoofed sniffing
B.
Passive sniffing
C.
Direct sniffing
D.
Active sniffing
D
What does a type 3 code 13 represent?(Choose two.
A.
Echo request
B.
Destination unreachable
C.
Network unreachable
D.
Administratively prohibited
E.
Port unreachable
F.
Time exceeded
B,D
Type 3 code 13 is destination unreachable administratively prohibited. This type of message is
typically returned from a device blocking a port.
A rootkit is a collection of tools (programs) that enable administrator-level access to a computer.
This program hides itself deep into an operating system for malicious activity and is extremely
difficult to detect. The malicious software operates in a stealth fashion by hiding its files,
processes and registry keys and may be used to create a hidden directory or folder designed to
keep out of view from a user’s operating system and security software.
What privilege level does a rootkit require to infect successfully on a Victim’s machine?
A. User level privileges B. Ring 3 Privileges C. System level privileges D. Kernel level privileges
D
Destination unreachable administratively prohibited messages can inform the hacker to what?
A.
That a circuit level proxy has been installed and is filtering traffic
B.
That his/her scans are being blocked by a honeypot or jail
C.
That the packets are being malformed by the scanning software
D.
That a router or other packet-filtering device is blocking traffic
E.
That the network is functioning normally
D
Destination unreachable administratively prohibited messages are a good way to
discover that a router or other low-level packet device is filtering traffic. Analysis of the ICMP
message will reveal the IP address of the blocking device and the filtered port. This further adds
the to the network map and information being discovered about the network and hosts.
Which of the following Nmap commands would be used to perform a stack fingerprinting?
A.
Nmap -O -p80
B.
Nmap -hU -Q
C.
Nmap -sT -p
D.
Nmap -u -o -w2
E.
Nmap -sS -0p target
A
Which Steganography technique uses Whitespace to hide secret messages?
A.
snow
B.
beetle
C.
magnet
D.
cat
A
Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic
TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.)
Snort has been used to capture packets on the network. On studying the packets, the penetration
tester finds it to be abnormal. If you were the penetration tester, why would you find this
abnormal?
What is odd about this attack? Choose the best answer.
A.
This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
B.
This is back orifice activity as the scan comes form port 31337.
C.
The attacker wants to avoid creating a sub-carries connection that is not normally valid.
D.
These packets were crafted by a tool,they were not created by a standard IP stack.
B
Port 31337 is normally used by Back Orifice. Note that 31337 is hackers spelling of ‘elite’,meaning
‘elite hackers’.
Cyber Criminals have long employed the tactic of masking their true identity. In IP spoofing, an
attacker gains unauthorized access to a computer or a network by making it appear that a
malicious message has come from a trusted machine, by “spoofing” the IP address of that
machine.
How would you detect IP spoofing?
A.
Check the IPID of the spoofed packet and compare it with TLC checksum. If the numbers
match then it is spoofed packet
B.
Probe a SYN Scan on the claimed host and look for a response SYN/FIN packet,if the
connection completes then it is a spoofed packet
C.
Turn on ‘Enable Spoofed IP Detection’ in Wireshark,you will see a flag tick if the packet is
spoofed
D.
Sending a packet to the claimed host will result in a reply. If the TTL in the reply is not the same
as the packet being checked then it is a spoofed packet
D
Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up
by and IDS?
A.
SYN scan
B.
ACK scan
C.
RST scan
D.
Connect scan
E.
FIN scan
D
The TCP full connect (-sT) scan is the most reliable
David is a security administrator working in Boston. David has been asked by the office’s manager
to block all POP3 traffic at the firewall because he believes employees are spending too much
time reading personal email. How can David block POP3 at the firewall?
A.
David can block port 125 at the firewall.
B.
David can block all EHLO requests that originate from inside the office.
C.
David can stop POP3 traffic by blocking all HELO requests that originate from inside the office.
D.
David can block port 110 to block all POP3 traffic.
D
Name two software tools used for OS guessing? (Choose two.
A.
Nmap
B.
Snadboy
C.
Queso
D.
UserInfo
E.
NetBus
A,C
You want to capture Facebook website traffic in Wireshark. What display filter should you use that
shows all TCP packets that contain the word ‘facebook’?
A.
display==facebook
B.
traffic.content==facebook
C.
tcp contains facebook
D.
list.display.facebook
C
Sandra is the security administrator of XYZ.com. One day she notices that the XYZ.com Oracle
database server has been compromised and customer information along with financial data has
been stolen. The financial loss will be estimated in millions of dollars if the database gets into the
hands of competitors. Sandra wants to report this crime to the law enforcement agencies
immediately.
Which organization coordinates computer crime investigations throughout the United States?
A.
NDCA
B.
NICP
C.
CIRP
D.
NPC
E.
CIA
D
Most cases of insider abuse can be traced to individuals who are introverted, incapable of dealing
with stress or conflict, and frustrated with their job, office politics, and lack of respect or promotion.
Disgruntled employees may pass company secrets and intellectual property to competitors for
monitory benefits.
Here are some of the symptoms of a disgruntled employee:
A.
Frequently leaves work early, arrive late or call in sick
Limit access to the applications they can run on their desktop computers and enforce strict work
hour rules
B.
Spends time surfing the Internet or on the phone
By implementing Virtualization technology from the desktop to the data centre,organizations
can isolate different environments with varying levels of access and security to various employees
C.
Responds in a confrontational, angry, or overly aggressive way to simple requests or comments
Organizations must ensure that their corporate data is centrally managed and delivered to
users just and when needed
D.
Always negative; finds fault with everything
These disgruntled employees are the biggest threat to enterprise security. How do you deal with
these threats? (Select 2 answers)
Limit Internet access,e-mail communications,access to social networking sites and job hunting
portals
B,C
You are manually conducting Idle Scanning using Hping2. During your scanning you notice that
almost every query increments the IPID regardless of the port being queried. One or two of the
queries cause the IPID to increment by more than one value. Why do you think this occurs?
A.
The zombie you are using is not truly idle.
B.
A stateful inspection firewall is resetting your queries.
C.
Hping2 cannot be used for idle scanning.
D.
These ports are actually open on the target system.
A
Fake Anti-Virus, is one of the most frequently encountered and persistent threats on the web. This
malware uses social engineering to lure users into infected websites with a technique called
Search Engine Optimization.
Once the Fake AV is downloaded into the user’s computer, the software will scare them into
believing their system is infected with threats that do not really exist, and then push users to
purchase services to clean up the non-existent threats.
The Fake AntiVirus will continue to send these annoying and intrusive alerts until a payment is
made.
What is the risk of installing Fake AntiVirus?
A.
Victim’s Operating System versions,services running and applications installed will be
published on Blogs and Forums
B.
Victim’s personally identifiable information such as billing address and credit card details,may
be extracted and exploited by the attacker
C.
Once infected,the computer will be unable to boot and the Trojan will attempt to format the hard
disk
D.
Denial of Service attack will be launched against the infected computer crashing other
machines on the connected network
B
While performing ping scans into a target network you get a frantic call from the organization’s
security team. They report that they are under a denial of service attack. When you stop your
scan, the smurf attack event stops showing up on the organization’s IDS monitor. How can you
modify your scan to prevent triggering this event in the IDS?
A.
Scan more slowly.
B.
Do not scan the broadcast IP.
C.
Spoof the source IP address.
D.
Only scan the Windows systems.
B
How would you describe an attack where an attacker attempts to deliver the payload over multiple
packets over long periods of time with the purpose of defeating simple pattern matching in IDS
systems without session reconstruction? A characteristic of this attack would be a continuous
stream of small packets.
A.
Session Hijacking
B.
Session Stealing
C.
Session Splicing
D.
Session Fragmentation
C
Jake works as a system administrator at Acme Corp. Jason, an accountant of the firm befriends
him at the canteen and tags along with him on the pretext of appraising him about potential tax
benefits. Jason waits for Jake to swipe his access card and follows him through the open door into
the secure systems area. How would you describe Jason’s behavior within a security context?
A.
Smooth Talking
B.
Swipe Gating
C.
Tailgating
D.
Trailing
C
Neil notices that a single address is generating traffic from its port 500 to port 500 of several other
machines on the network. This scan is eating up most of the network bandwidth and Neil is
concerned. As a security professional, what would you infer from this scan?
A.
It is a network fault and the originating machine is in a network loop
B.
It is a worm that is malfunctioning or hardcoded to scan on port 500
C.
The attacker is trying to detect machines on the network which have SSL enabled
D.
The attacker is trying to determine the type of VPN implementation and checking for IPSec
D
Port 500 is used by IKE (Internet Key Exchange). This is typically used for IPSECbased VPN software,such as Freeswan,PGPnet,and various vendors of in-a-box VPN solutions
such as Cisco. IKE is used to set up the session keys. The actual session is usually sent with ESP
(Encapsulated Security Payload) packets,IP protocol 50 (but some in-a-box VPN’s such as Cisco
are capable of negotiating to send the encrypted tunnel over a UDP channel,which is useful for
use across firewalls that block IP protocols other than TCP or UDP).
While performing a ping sweep of a local subnet you receive an ICMP reply of Code 3/Type 13 for
all the pings you have sent out. What is the most likely cause of this?
A.
The firewall is dropping the packets
B.
An in-line IDS is dropping the packets
C.
A router is blocking ICMP
D.
The host does not respond to ICMP packets
C
A distributed port scan operates by:
A.
Blocking access to the scanning clients by the targeted host
B.
Using denial-of-service software against a range of TCP ports
C.
Blocking access to the targeted host by each of the distributed scanning clients
D.
Having multiple computers each scan a small number of ports,then correlating the results
D
Think of dDoS (distributed Denial of Service) where you use a large number of
computers to create simultaneous traffic against a victim in order to shut them down.
Consider the following code:
URL:http://www.certified.com/search.pl?
text=alert(document.cookie)
If an attacker can trick a victim user to click a link like this, and the Web application does not
validate input, then the victim’s browser will pop up an alert showing the users current set of
cookies. An attacker can do much more damage, including stealing passwords, resetting your
home page, or redirecting the user to another Web site.
What is the countermeasure against XSS scripting?
A.
Create an IP access list and restrict connections based on port number
B.
Replace “” characters with “& l t;” and “& g t;” using server scripts
C.
Disable Javascript in IE and Firefox browsers
D.
Connect to the server using HTTPS protocol instead of HTTP
B
Samuel is the network administrator of DataX Communications, Inc. He is trying to configure his
firewall to block password brute force attempts on his network. He enables blocking the intruder’s
IP address for a period of 24 hours’ time after more than three unsuccessful attempts. He is
confident that this rule will secure his network from hackers on the Internet.
But he still receives hundreds of thousands brute-force attempts generated from various IP
addresses around the world. After some investigation he realizes that the intruders are using a
proxy somewhere else on the Internet which has been scripted to enable the random usage of
various proxies on each request so as not to get caught by the firewall rule.
Later he adds another rule to his firewall and enables small sleep on the password attempt so that
if the password is incorrect, it would take 45 seconds to return to the user to begin another
attempt. Since an intruder may use multiple machines to brute force the password, he also
throttles the number of connections that will be prepared to accept from a particular IP address.
This action will slow the intruder’s attempts.
Samuel wants to completely block hackers brute force attempts on his network.
What are the alternatives to defending against possible brute-force password attacks on his site?
A.
Enforce a password policy and use account lockouts after three wrong logon attempts even
though this might lock out legit users
B.
Enable the IDS to monitor the intrusion attempts and alert you by e-mail about the IP address of
the intruder so that you can block them at the
Firewall manually
C.
Enforce complex password policy on your network so that passwords are more difficult to brute
force
D.
You cannot completely block the intruders attempt if they constantly switch proxies
D
An nmap command that includes the host specification of 202.176.56-57.* will scan _______
number of hosts.
A.
2
B.
256
C.
512
D.
Over 10,000
C
A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites. 77 of
the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets
had an ICMP ID:0 and Seq:0. What can you infer from this information?
A.
The packets were sent by a worm spoofing the IP addresses of 47 infected sites
B.
ICMP ID and Seq numbers were most likely set by a tool and not by the operating system
C.
All 77 packets came from the same LAN segment and hence had the same ICMP ID and Seq
number
D.
13 packets were from an external network and probably behind a NAT,as they had an ICMP ID
0 and Seq 0
B
Maintaining a secure Web server requires constant effort, resources, and vigilance from an
organization. Securely administering a Web server on a daily basis is an essential aspect of Web
server security.
Maintaining the security of a Web server will usually involve the following steps:
1. Configuring, protecting, and analyzing log files
2. Backing up critical information frequently
3. Maintaining a protected authoritative copy of the organization’s Web content
4. Establishing and following procedures for recovering from compromise
5. Testing and applying patches in a timely manner
6. Testing security periodically.
In which step would you engage a forensic investigator?
A.
1
B.
2
C.
3
D.
4
E.
5
F.
6
D
Which of the following commands runs snort in packet logger mode?
A.
./snort -dev -h ./log
B.
./snort -dev -l ./log
C.
./snort -dev -o ./log
D.
./snort -dev -p ./log
B
In Buffer Overflow exploit, which of the following registers gets overwritten with return address of
the exploit code?
A.
EEP
B.
ESP
C.
EAP
D.
EIP
D
Which of the following command line switch would you use for OS detection in Nmap?
A.
-D
B.
-O
C.
-P
D.
-X
B
Web servers often contain directories that do not need to be indexed. You create a text file with search engine indexing restrictions and place it on the root directory of the Web Server. User-agent: * Disallow: /images/ Disallow: /banners/ Disallow: /Forms/ Disallow: /Dictionary/ Disallow: /_borders/ Disallow: /_fpclass/ Disallow: /_overlay/ Disallow: /_private/ Disallow: /_themes/ What is the name of this file?
A.
robots.txt
B.
search.txt
C.
blocklist.txt
D.
spf.txt
A
An attacker has successfully compromised a remote computer. Which of the following comes as
one of the last steps that should be taken to ensure that the compromise cannot be traced back to
the source of the problem?
A.
Install patches
B.
Setup a backdoor
C.
Install a zombie for DDOS
D.
Cover your tracks
D
Why would an attacker want to perform a scan on port 137?
A.
To discover proxy servers on a network
B.
To disrupt the NetBIOS SMB service on the target host
C.
To check for file and print sharing on Windows systems
D.
To discover information about a target host using NBTSTAT
D
Which Type of scan sends a packets with no flags set? Select the Answer
A.
Open Scan
B.
Null Scan
C.
Xmas Scan
D.
Half-Open Scan
B
Bret is a web application administrator and has just read that there are a number of surprisingly
common web application vulnerabilities that can be exploited by unsophisticated attackers with
easily available tools on the Internet. He has also read that when an organization deploys a web
application, they invite the world to send HTTP requests. Attacks buried in these requests sail past
firewalls, filters, platform hardening, SSL, and IDS without notice because they are inside legal
HTTP requests. Bret is determined to weed out vulnerabilities.
What are some of the common vulnerabilities in web applications that he should be concerned
about?
A.
Non-validated parameters,broken access control,broken account and session
management,cross-site scripting and buffer overflows are just a few common vulnerabilities
B.
Visible clear text passwords,anonymous user account set as default,missing latest security
patch,no firewall filters set and no SSL configured are just a few common vulnerabilities
C.
No SSL configured,anonymous user account set as default,missing latest security patch,no
firewall filters set and an inattentive system administrator are just a few common vulnerabilities
D.
No IDS configured,anonymous user account set as default,missing latest security patch,no
firewall filters set and visible clear text passwords are just a few common vulnerabilities
A
Sandra has been actively scanning the client network on which she is doing a vulnerability
assessment test. While conducting a port scan she notices open ports in the range of 135 to 139.
What protocol is most likely to be listening on those ports?
A.
Finger
B.
FTP
C.
Samba
D.
SMB
D
What is War Dialing?
A.
War dialing involves the use of a program in conjunction with a modem to penetrate the
modem/PBX-based systems
B.
War dialing is a vulnerability scanning technique that penetrates Firewalls
C.
It is a social engineering technique that uses Phone calls to trick victims
D.
Involves IDS Scanning Fragments to bypass Internet filters and stateful Firewalls
A
SNMP is a protocol used to query hosts, servers, and devices about performance or health status
data. This protocol has long been used by hackers to gather great amount of information about
remote hosts.
Which of the following features makes this possible? (Choose two)
A.
It used TCP as the underlying protocol.
B.
It uses community string that is transmitted in clear text.
C.
It is susceptible to sniffing.
D.
It is used by all network devices on the market.
B,D
Steven the hacker realizes the network administrator of Acme Corporation is using syskey in
Windows 2008 Server to protect his resources in the organization. Syskey independently encrypts
the hashes so that physical access to the server, tapes, or ERDs is only first step to cracking the
passwords. Steven must break through the encryption used by syskey before he can attempt to
use brute force dictionary attacks on the hashes. Steven runs a program called “SysCracker”
targeting the Windows 2008 Server machine in attempting to crack the hash used by Syskey. He
needs to configure the encryption level before he can launch the attack. How many bits does
Syskey use for encryption?
A.
40-bit encryption
B.
128-bit encryption
C.
256-bit encryption
D.
64-bit encryption
B
Bob is acknowledged as a hacker of repute and is popular among visitors of “underground” sites.
Bob is willing to share his knowledge with those who are willing to learn, and many have
expressed their interest in learning from him. However, this knowledge has a risk associated with
it, as it can be used for malevolent attacks as well.
In this context, what would be the most affective method to bridge the knowledge gap between the
“black” hats or crackers and the “white” hats or computer security professionals? (Choose the test
answer)
A.
Educate everyone with books,articles and training on risk analysis,vulnerabilities and
safeguards.
B.
Hire more computer security monitoring personnel to monitor computer systems and networks.
C.
Make obtaining either a computer security certification or accreditation easier to achieve so
more individuals feel that they are a part of something larger than life.
D.
Train more National Guard and reservist in the art of computer security to help out in times of
emergency or crises.
A
Bridging the gap would consist of educating the white hats and the black hats equally so that their
knowledge is relatively the same. Using books,articles,the internet,and professional training
seminars is a way of completing this goal.
Bob waits near a secured door, holding a box. He waits until an employee walks up to the secured
door and uses the special card in order to access the restricted area of the target company. Just
as the employee opens the door, Bob walks up to the employee (still holding the box) and asks the
employee to hold the door open so that he can enter. What is the best way to undermine the social
engineering activity of tailgating?
A.
Issue special cards to access secure doors at the company and provide a one-time only brief
description of use of the special card
B.
Educate and enforce physical security policies of the company to all the employees on a
regular basis
C.
Setup a mock video camera next to the special card reader adjacent to the secure door
D.
Post a sign that states,”no tailgating” next to the special card reader adjacent to the secure
door
B
Ursula is a college student at a University in Amsterdam. Ursula originally went to college to study
engineering but later changed to marine biology after spending a month at sea with her friends.
These friends frequently go out to sea to follow and harass fishing fleets that illegally fish in foreign
waters. Ursula eventually wants to put companies practicing illegal fishing out of business. Ursula
decides to hack into the parent company’s computers and destroy critical data knowing fully well
that, if caught, she probably would be sent to jail for a very long time. What would Ursula be
considered?
A.
Ursula would be considered a gray hat since she is performing an act against illegal activities.
B.
She would be considered a suicide hacker.
C.
She would be called a cracker.
D.
Ursula would be considered a black hat.
B
Which address translation scheme would allow a single public IP address to always correspond to
a single machine on an internal network, allowing “server publishing”?
A.
Overloading Port Address Translation
B.
Dynamic Port Address Translation
C.
Dynamic Network Address Translation
D.
Static Network Address Translation
D
Mapping an unregistered IP address to a registered IP address on a one-to-one
basis. Particularly useful when a device needs to be accessible from outside the network.
What is the following command used for?
net use \targetipc$ “” /u:””
A.
Grabbing the etc/passwd file
B.
Grabbing the SAM
C.
Connecting to a Linux computer through Samba.
D.
This command is used to connect as a null session
E.
Enumeration of Cisco routers
D
The null session is one of the most debilitating vulnerabilities faced by Windows.
Null sessions can be established through port 135,139,and 445.
Attacking well-known system defaults is one of the most common hacker attacks. Most software is
shipped with a default configuration that makes it easy to install and setup the application. You
should change the default settings to secure the system.
Which of the following is NOT an example of default installation?
A.
Many systems come with default user accounts with well-known passwords that administrators
forget to change
B.
Often,the default location of installation files can be exploited which allows a hacker to retrieve
a file from the system
C.
Many software packages come with “samples” that can be exploited,such as the sample
programs on IIS web services
D.
Enabling firewall and anti-virus software on the local system
D
What is the proper response for a NULL scan if the port is closed?
A.
SYN
B.
ACK
C.
FIN
D.
PSH
E.
RST
F.
No response
E
BankerFox is a Trojan that is designed to steal users’ banking data related to certain banking
entities.
When they access any website of the affected banks through the vulnerable Firefox 3.5 browser,
the Trojan is activated and logs the information entered by the user. All the information entered in
that website will be logged by the Trojan and transmitted to the attacker’s machine using covert
channel.
BankerFox does not spread automatically using its own means. It needs an attacking user’s
intervention in order to reach the affected computer.
What is the most efficient way an attacker located in remote location to infect this banking Trojan
on a victim’s machine?
A.
Physical access – the attacker can simply copy a Trojan horse to a victim’s hard disk infecting
the machine via Firefox add-on extensions
B.
Custom packaging – the attacker can create a custom Trojan horse that mimics the appearance
of a program that is unique to that particular computer
C.
Custom packaging – the attacker can create a custom Trojan horse that mimics the appearance
of a program that is unique to that particular computer
D.
Custom packaging – the attacker can create a custom Trojan horse that mimics the appearance
of a program that is unique to that particular computer
E.
Downloading software from a website? An attacker can offer free software,such as shareware
programs and pirated mp3 files
E
One of your team members has asked you to analyze the following SOA record. What is the TTL?
Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600
3600 604800 2400.
A.
200303028
B.
3600
C.
604800
D.
2400
E.
60
F.
4800
D
The SOA includes a timeout value. This value can tell an attacker how long any
DNS “poisoning” would last. It is the last set of numbers in the record.
In the context of password security: a simple dictionary attack involves loading a dictionary file (a
text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper,
and running it against user accounts located by the application. The larger the word and word
fragment selection, the more effective the dictionary attack is. The brute force method is the most
inclusive – though slow. Usually, it tries every possible letter and number combination in its
automated exploration. If you would use both brute force and dictionary combined together to have
variations of words, what would you call such an attack?
A.
Full Blown Attack
B.
Thorough Attack
C.
Hybrid Attack
D.
BruteDict Attack
C
One of your team members has asked you to analyze the following SOA record. What is the
version?
Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600
3600 604800 2400.
A.
200303028
B.
3600
C.
604800
D.
2400
E.
60
F.
4800
A
The SOA starts with the format of YYYYMMDDVV where VV is the version.
You receive an e-mail with the following text message.
“Microsoft and HP today warned all customers that a new, highly dangerous virus has been
discovered which will erase all your files at midnight. If there’s a file called hidserv.exe on your
computer, you have been infected and your computer is now running a hidden server that allows
hackers to access your computer. Delete the file immediately. Please also pass this message to
all your friends and colleagues as soon as possible.”
You launch your antivirus software and scan the suspicious looking file hidserv.exe located in
c:\windows directory and the AV comes out clean meaning the file is not infected. You view the file
signature and confirm that it is a legitimate Windows system file “Human Interface Device
Service”.
What category of virus is this?
A.
Virus hoax
B.
Spooky Virus
C.
Stealth Virus
D.
Polymorphic Virus
A
MX record priority increases as the number increases. (True/False.
A.
True
B.
False
B
Choose one of the following pseudo codes to describe this statement:
“If we have written 200 characters to the buffer variable, the stack should stop because it cannot
hold any more data.”
A.
If (I > 200) then exit (1)
B.
If (I = 200) then exit (1)
D
One of the effective DoS/DDoS countermeasures is ‘Throttling’. Which statement correctly defines
this term?
A.
Set up routers that access a server with logic to adjust incoming traffic to levels that will be safe
for the server to process
B.
Providers can increase the bandwidth on critical connections to prevent them from going down
in the event of an attack
C.
Replicating servers that can provide additional failsafe protection
D.
Load balance each server in a multiple-server architecture
A
Which of the following tools can be used to perform a zone transfer?
A.
NSLookup
B.
Finger
C.
Dig
D.
Sam Spade
E.
Host
F.
Netcat
G.
Neotrace
A,C,D,E
Attackers footprint target Websites using Google Hacking techniques. Google hacking is a term
that refers to the art of creating complex search engine queries. It detects websites that are
vulnerable to numerous exploits and vulnerabilities. Google operators are used to locate specific
strings of text within the search results.
The configuration file contains both a username and a password for an SQL database. Most sites
with forums run a PHP message base. This file gives you the keys to that forum, including FULL
ADMIN access to the database. WordPress uses config.php that stores the database Username
and Password.
Which of the below Google search string brings up sites with “config.php” files?
C
Under what conditions does a secondary name server request a zone transfer from a primary
name server?
A.
When a primary SOA is higher that a secondary SOA
B.
When a secondary SOA is higher that a primary SOA
C.
When a primary name server has had its service restarted
D.
When a secondary name server has had its service restarted
E.
When the TTL falls to zero
A
Understanding DNS is critical to meeting the requirements of the CEH. When the
serial number that is within the SOA record of the primary server is higher than the Serial number
within the SOA record of the secondary DNS server,a zone transfer will take place.
Which of the following tool would be considered as Signature Integrity Verifier (SIV)?
A.
Nmap
B.
SNORT
C.
VirusSCAN
D.
Tripwire
D
What ports should be blocked on the firewall to prevent NetBIOS traffic from not coming through
the firewall if your network is comprised of Windows NT, 2000, and XP?(Choose all that apply.
A.
110
B.
135
C.
139
D.
161
E.
445
F.
1024
B,C,E
Bob has set up three web servers on Windows Server 2008 IIS 7.0. Bob has followed all the
recommendations for securing the operating system and IIS. These servers are going to run
numerous e-commerce websites that are projected to bring in thousands of dollars a day. Bob is
still concerned about the security of these servers because of the potential for financial loss. Bob
has asked his company’s firewall administrator to set the firewall to inspect all incoming traffic on
ports 80 and 443 to ensure that no malicious data is getting into the network.
Why will this not be possible?
A.
Firewalls cannot inspect traffic coming through port 443
B.
Firewalls can only inspect outbound traffic
C.
Firewalls cannot inspect traffic at all,they can only block or allow certain ports
D.
Firewalls cannot inspect traffic coming through port 80
C
What is a NULL scan?
A.
A scan in which all flags are turned off
B.
A scan in which certain flags are off
C.
A scan in which all flags are on
D.
A scan in which the packet size is set to zero
E.
A scan with a illegal packet size
A
A null scan has all flags turned off.
Which of the following statement correctly defines ICMP Flood Attack? (Select 2 answers)
A.
Bogus ECHO reply packets are flooded on the network spoofing the IP and MAC address
B.
The ICMP packets signal the victim system to reply and the combination of traffic saturates the
bandwidth of the victim’s network
C.
ECHO packets are flooded on the network saturating the bandwidth of the subnet causing
denial of service
D.
A DDoS ICMP flood attack occurs when the zombies send large volumes of
ICMP_ECHO_REPLY packets to the victim system.
B,D
