Download Certified Ethical Hacker Exam with Correct Answers and more Exams Cybercrime, Cybersecurity and Data Privacy in PDF only on Docsity!
CEH Certified Ethical Hacker
- A Certified Ethical Hacker follows a specific methodology for testing a system. Which step comes after foot printing in the CEH methodology? - Scanning
- You've been hired as part of a pen test team. During the in brief, you learn the client wants the pen test attack to simulate a normal user who finds ways to elevate privileges and create attacks. Which test type does the client want? - Gray box
- Which of the following is true regarding an ethical hacker? - The ethical hacker has authorization to proceed from the target owner.
- You begin your first pen-test assignment by checking out IP address ranges owned by the target as well as details of their domain name registration. Additionally, you visit job boards and financial websites to gather any technical information online. What activity are you performing? - Passive foot printing
- You send a message across a network and are primarily concerned that it is not altered during transit. Which security element ensures a message arrives at its destination with no alteration? - Integrity
- An ethical hacker is given no prior knowledge of the network and has a specific framework in which to work. The agreement specifies boundaries, nondisclosure agreements, and a completion date definition. Which of the following statements are true? - A white hat is attempting a black box test.
- Which of the following attacks is considered an integrity attack, where the attacker is not concerned with deciphering the entirety of a plaintext message? - Bit flipping
- As part of a pen test on a U.S. Government system, you discover files containing social security numbers and other PII (Personally Identifiable Information) sensitive information. You are asked about controls placed on dissemination of this information. Which of the following acts should you check? - Privacy Act
- Joe has spent a large amount of time learning hacking tools and techniques, and has even passed certification exams to promote himself in the ethical hacking
field. Joe uses his talents during the election season to deface websites and launch denial of service attacks against opponents of his candidate. Which answer most closely correlates with Joe's actions? - Hactivism
- A hacker is attempting to gain access to a target inside a business. After trying several methods, he gets frustrated and starts a denial of service attack against a server attached to the target. Which security control is the hacker affecting? - Availability
- The security, functionality, and ease of use (SFE) triangle states which of the following as true? - As security increases, ease of use decreases and functionality decreases.
- In which phase of the ethical hacking methodology would a hacker discover available targets on a network? - Scanning and enumeration
- Which of the following are potential drawbacks to a black box test? (Choose all that apply.) - The client does not get a full picture of an internal attacker focused on their systems. ; This test takes the longest amount of time to complete.
- In which phase of a penetration test would an ethical hacker perform footprinting? - Assessment
- Which of the following would not be considered passive reconnaissance? - Ping sweeping a range of IP addresses found through a DNS lookup
- As part of the preparation phase for a pen test that you are participating in, the client relays their intent to discover security flaws and possible remediation. They seem particularly concerned about external threats and do not mention internal threats at all. When defining scope, the threat of internal users is not added as part of the test. Which test is this client ignoring? - Gray box
- In which phase of an attack would vulnerability mapping occur? - Scanning and enumeration
- While performing a pen test, you find success in exploiting a machine. Your attack vector took advantage of a common mistake—the Windows 7 installer script used to load the machine left the administrative account with a default password. Which attack did you successfully execute? - Operating system
- You're describing a basic PKI system to a new member of the team. He asks how the public key can be distributed within the system in an orderly, controlled fashion so that the users can be sure of the sender's identity. Which of the following would be your answer? - Digital certificate You are discussing hash values with a CEH instructor. Immediately after telling you the hash is a one-way algorithm and cannot be reversed, he explains that you can still discover the value entered into the hash, given enough time and resources. Which of the following hash anomalies might allow this? - Collision What is the standard format for digital certificates? - X. You're discussing cryptography and determine you need to ensure messages are safe from unauthorized observation. Also, you want to provide a way to ensure the identity of the sender and receiver during the communications process. Which of the following best suits your needs? - Asymmetric encryption A hacker has gained access to several files. Many are encrypted, but one is not. Which of the following is the best choice for possibly providing a successful break into the encrypted files? - Known plaintext You are discussing a steganography tool that takes advantage of the nature of "white space" to conceal information. Which tool are you discussing? - Snow At the basic core of encryption approaches, two main methods are in play: substitution and transposition. Which of the following best describes transposition? - The order of bits is changed. Jack and Jill work in an organization that has a PKI system in place for securing messaging. Jack encrypts a message for Jill and sends it on. Jill receives the message and decrypts it. Within a PKI system, which of the following statements is true? - Jack encrypts with Jill's public key. Jill decrypts with her private key. Which of the following would you find in an X.509 digital certificate? (Choose all that apply.) - Version, Algorithm ID, Public Key, and Key Usage Which of the following is a secure substitute for telnet? - SSH
An SSL session requires a client and a server to handshake information between each other and agree on a secured channel. Which of the following best describes the session key creation during the setup of an SSL session? - The client creates the key after verifying the server's identity. Which encryption algorithm uses variable block sizes (from 32 to 128 bits)? - RC Which hash algorithm was developed by the NSA and produces output values up to 512 bits? - SHA- A hacker is attempting to uncover the key used in a cryptographic encryption scheme. Which attack vector is the most resource intensive and usually takes the longest amount of time? - Brute force In a discussion on symmetric encryption, a friend mentions that one of the drawbacks with this system is scalability. He goes on to say that for every person you add to the mix, the number of keys goes up exponentially. If seven people are in a symmetric encryption pool, how many keys are necessary? - 21 Which of the following is a true statement? - Symmetric encryption does not scale easily and does not provide for nonrepudiation. The PKI system you are auditing has a Certificate Authority (CA) at the top that creates and issues certificates. Users trust each other based on the CA itself. Which trust model is in use here? - Single Authority Two bit strings are run through an XOR operation. Which of the following is a true statement for each bit pair regarding this function? - If the first value is 1 and the second value is 1, then the output is 0. Which of the following attacks attempts to re-send a portion of a cryptographic exchange in hopes of setting up a communications channel? - Replay Within a PKI system, which of the following is an accurate statement? - Bill can be sure a message came from Sue by using her public key to decrypt the digital signature. One use of hash algorithms is for the secure storage of passwords: The password is run through a one-way hash, and the value is stored instead of the plaintext version. If a
updates. If updates have occurred, they will ask for a zone transfer to update their own copies. Under what conditions will a secondary name server request a zone transfer from a primary? - When the primary SOA record serial number is higher that the secondary's Which of the following footprinting tools uses ICMP to provide information on network pathways? - Traceroute Joe accesses the company website, www.anybusi.com, from his home computer and is presented with a defaced site contained disturbing images. He calls the IT department to report the website hack and is told they do not see any problem with the site: No files have been changed, and when the site is accessed from their terminals (inside the company) it appears normally. Joe connects over VPN into the company website and notices the site appears normally. Which of the following might explain the issue? - DNS poisoning One way to mitigate against DNS poisoning is to restrict or limit the amount of time records can stay in cache before they're updated. Which DNS record type allows you to set this restriction? - SOA You are gathering reconnaissance on your target organization whose website has a .com extension. With no other information to go on, which regional Internet registry would be the best place to begin your search? - ARIN Which of the following is a good footprinting tool for discovering information on a company's founding, history, and financial status? - EDGAR database How does traceroute map the routes traveled by a packet? - By manipulating the time to live (TTL) parameter You are footprinting a target headquartered in the Dominican Republic. You have gathered some competitive intelligence and have engaged in both passive and active reconnaissance. Your next step is to define the network range this organization uses. What is the best way to accomplish this? - Use LACNIC to look up the company range A zone file consists of which types of records? (Choose all that apply.) - PTR, MX, SOA, A A good footprinting method is to track e-mail messages and see what kind of information you can pull back. Which tool is useful in this scenario? - eMailTrackerPro
You are footprinting DNS information using dig. What command syntax should be used to discover all name servers listed by DNS server 202.55.77.12 in the anybiz.com namespace? - dig @202.55.77.12 www.anybiz.com NS What is the second step in the TCP three-way handshake? - SYN/ACK You wish to perform a ping sweep of a subnet within your target organization. Which of the following nmap command lines is your best option? - nmap -sP 192.168.1.0/ Which of the following TCP flags is used to reset a connection? - RST You are examining traffic and notice an ICMP type 3, code 13 response. What does this normally indicate? - A firewall is prohibiting connection You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean? - Your IDLE scan results will not be useful to you. As a pen test on a major international business moves along, a colleague discovers an IIS server and a mail exchange server on a DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the ping. What is the most likely reason for the lack of response? - ICMP is being filtered. Which of the following tools is not a good choice for determining possible vulnerabilities on live targets you have identified? - Nmap Which of the following tools can be used for operating system prediction? (Choose all that apply.) - Nmap and Queso You are in training for your new pen test assignment. Your trainer enters the following command: telnet 192.168.12.5 80 After typing the command, he hits ENTER a few times. What is being attempted? - Banner grabbing
Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data? - PSH You receive a RST-ACK from a port during a SYN scan. What is the state of the port? - Closed Which port-scanning method presents the most risk of discovery, but provides the most reliable results? - Full-connect A target machine (with a MAC of 12:34:56:AB:CD:EF) is connected to a switch port. An attacker (with a MAC of 78:91:00:ED:BC:A1) is attached to a separate port on the same switch with a packet capture running. There is no spanning of ports or port security in place. Two packets leave the target machine. Message 1 has a destination MAC of E1:22:BA:87:AC:12. Message 2 has a destination MAC of FF: FF: FF: FF: FF: FF. Which of the following statements is true regarding the messages being sent? - The attacker will see message 2. You have successfully tapped into a network subnet of your target organization. You begin an attack by learning all significant MAC addresses on the subnet. After some time, you decide to intercept messages between two hosts. You begin by sending broadcast messages to Host A showing your MAC address as belonging to Host B. Simultaneously, you send messages to Host B showing your MAC address as belonging to Host A. What is being accomplished here? - ARP poisoning to allow you to see messages from Host A to Host B, and vice versa Sniffing network traffic can sometimes be a function of an investigation run by a law enforcement agency (LEA). Within the confines of the lawful intercept, what provides most of the processing of the information and is usually provided by a third party? - Mediation device An attacker has successfully tapped into a network segment and has configured port spanning for his connection, which allows him to see all traffic passing through the switch. Which of the following protocols protects any sensitive data from being seen by this attacker? - SSH You have a large packet capture file in Wireshark to review. You wish to filter traffic to show all packets with an IP address of 192.168.22.5 that contain the string HR_admin. Which of the following filters would accomplish this task? - ip.addr==192.168.22.5 &&tcp contains HR_admin Which of the following is a tool used for MAC spoofing? - SMAC
You are attempting to sniff traffic on a switch. Which of the following is a good method to ensure you are successful? (Choose all that apply.) - Configure a span port; Use MAC flooding Which of the following are modes Snort can operate in? (Choose all that apply.) - Sniffer, Packet Logger, and Network IDS You wish to begin sniffing, and you have a Windows 7 laptop. You download and install Wireshark, but quickly discover your NIC needs to be in "promiscuous mode." What allows you to put your NIC into promiscuous mode? - Installing winPcap You are attempting to deliver a payload to a target inside the organization; however, it is behind an IDS. You are concerned about successfully accomplishing your task without alerting the IDS monitoring team. Which of the following methods are possible options? (Choose all that apply.) - Encrypt the traffic between you and the host; Session splicing A pen test member has gained access to an open switch port. He configures his NIC for promiscuous mode and sets up a sniffer, plugging his laptop directly into the switch port. He watches traffic as it arrives at the system, looking for specific information to possibly use later. What type of sniffing is being practiced? - Session What does this line from the Snort configuration file indicate? var RULE_PATH c:\etc\snort\rules - It defines the location of the Snort rules. As part of a security monitoring team, Joe is reacting to an incursion into the network. The attacker successfully exploited a vulnerability on an internal machine, and Joe is examining how the attacker succeeded. He reviews the IDS logs but sees no alerts for the time period; however, there is definitive proof of the attack. Which IDS shortcoming does this refer to? - False negative Your IDS sits on the network perimeter and has been analyzing traffic for a couple of weeks. On arrival one morning, you find the IDS has alerted on a spike in network traffic late the previous evening. Which type of IDS are you using? - Anomaly based You are performing an ACK scan against a target subnet. You previously verified connectivity to several hosts within the subnet, but want to verify all live hosts on the subnet. Your scan, however, is not receiving any replies. Which type of firewall is most likely in use at your location? -
Attempt all possible combinations of letters, numbers, and special characters in succession. Which password theft method is almost always successful, requires little technical knowledge, and is nearly impossible to detect? - Install a hardware keylogger. Which of the following will extract an executable file from NTFS streaming? - c:> cat file1.txt:hidden.exe > visible.exe Which command is used to allow all privileges to the user, read-only to the group and read-only for all others to a particular file, on a Linux machine? - chmod 711 file You are attempting to hack a Windows machine and wish to gain a copy of the SAM file. Where can you find it? (Choose all that apply.) - c:\windows\system32\config, or c:\windows\repair Which of the following statements are true concerning Kerberos? (Choose all that apply.) - Kerberos uses symmetric encryption; Kerberos uses asymmetric encryption; Clients ask for authentication tickets from the KDC in clear text; KDC responses to clients never include a password; Clients decrypt a TGT from the server; What is the difference between a dictionary attack and a hybrid attack? - Dictionary attacks use predefined word lists, whereas hybrid attacks substitute numbers and symbols within those words. Which of the following SIDs indicates the true administrator account? - S-1-5-21-1388762127-2960977290-773940301- You have obtained a password hash and wish to quickly determine the associated plaintext password. Which of the following is the best choice? - Use a rainbow table. You are monitoring traffic between two systems communicating over SSL. Which of the following techniques is your best bet in gaining access? - Sidejacking Which password would be considered the most secure? - C3HisH@rd Your client makes use of Sigverif on his servers. What functionality does this tool provide? -
Displays a list of unsigned drivers. Which of the following are considered offline password attacks? (Choose all that apply.)
- Using a hardware keylogger, Brute-force cracking with Cain and Abel on a stolen SAM file, and Using John the Ripper on a stolen passwd file You suspect a hack has occurred against your Linux machine. Which command will display all running processes for you to review? - ps -ef Which rootkit type makes use of system-level calls to hide their existence? - Library level Which folder in Linux holds administrative commands and daemons? - /sbin What are the three commands necessary to install an application in Linux? - make, make install, ./configure You are examining files on a Windows machine and note one file's attributes include "h." What does this indicate? - The file is hidden. You have gained access to a SAM file from an older Windows machine and are preparing to run a Syskey cracker against it. How many bits are used for Syskey encryption? - 128 Which of the following tools can assist in discovering the use of NTFS file streams? (Choose all that apply.) - LADS, ADS Spy, and Sfind Which authentication method uses DES for encryption and forces 14-character passwords for hash storage? - LAN Manager You are testing physical security measures as part of a pen test team. Upon entering the lobby of the building, you see the entrance has a guard posted at the lone entrance. A door leads into a smaller room with a second door heading into the interior of the building. Which physical security measure is in place? - Man trap In your social engineering efforts you call the company help desk and pose as a user who has forgotten a password. You ask the technician to help you reset your password, which they happily comply with. Which social engineering attack is in use here? -
Dumpster diving An attacker waits outside the entry to a secured facility. After a few minutes an authorized user appears with an entry badge displayed. He swipes a key card and unlocks the door. The attacker, with no display badge, follows him inside. Which social engineering attack just occurred? - Piggybacking Which threat presents the highest risk to an organization's resources? - Disgruntled employees Which of the following may be effective countermeasures against social engineering? (Choose all that apply.) - Security policies, Operational guidelines, Strong firewall configuration Which of the following are indicators of a phishing e-mail? (Choose all that apply.) - It does not reference you by name; It contains misspelled words or grammatical errors; It contains spoofed links; It comes from an unverified source; You are discussing physical security measures and are covering background checks on employees and policies regarding key management and storage. Which type of physical security measure is being discussed? - Operational Which of the following resources can assist in combating phishing in your organization? (Choose all that apply.) - Netcraft and Phishtank In order, what are the three steps in a reverse social engineering attack? - Marketing, sabotage, technical support Which type of social engineering makes use of impersonation, dumpster diving, shoulder surfing, and tailgating? - Human based What is considered the best defense against social engineering? - User education and training Which anti-phishing method makes use of a secret message or image referenced on the communication? - Sign-in seal Which of the following should be in place to assist as a social engineering countermeasure? (Choose all that apply.) -
Classification of information; Strong security policy; User Education; Strong change management process; Joe uses a user ID and password to log into the system every day. Jill uses a PIV card and a pin number. Which of the following are true? - Jill is using two-factor authentication. A system owner has implemented a retinal scanner at the entryway to the data floor. Which type of physical security measure is this? - Technical Physical security also includes the maintenance of the environment and equipment for your data floor. Which of the following are true statements regarding this equipment? (Choose all that apply.) - The higher the MTBF, the better; The lower the MTTR, the better; Which fire extinguisher type is the best choice for an electrical system fire? - An extinguisher marked "C" You are examining connection logs from a client machine and come across this entry: http://www.business123.com/../../../../../Windows/system.ini. Which attack does this most likely indicate? - Directory traversal A hacker is looking at a publicly facing web front end. One of the pages provides an entry box with the heading "Forgot password? Enter your email address." In the entry, he types anything' OR '1'='1. A message appears stating, "Your login information has been sent to a_username@emailaddress.target.com." Which of the following is true? - The SQL injection attempt has succeeded.
