CEH Certification Study Guide for CEH Exam

The Certified Ethical Hacker (CEH) certification exam is a long exam that requires a good deal of preparation, and given the price of the exam, I’m sure you don’t want to fail. This CEH exam prep study guide will help prepare you for the exam, and it will help you to understand the material you learned in our free class. Although going through this study guide will take some time, it should be well worth it. The CEH certification is still a leading penetration testing certification and is highly sought after by employers. As you embark on your study, it is recommended that you have already completed the Ethical Hacking Course on Cybrary and that you have plenty of time to devote to this study guide.

Key Parts of Secure Information Systems

Robert hopes to start a career in computer security. As a new college-level student, he has just learned the term ethical hacking, which is a key part of secure information systems. Of the below options, choose which will be key areas of expertise for Robert’s future career. Answer is complete. Select more than one answer if applicable.

  1. Robert needs to gain a large body of knowledge about how computers function, with special regard to networking and programming.
  2. Operating systems are very important to Robert’s career. Because companies utilize varying operating systems, including Windows (multiple versions), Mac (multiple versions), UNIX, and Linux, he must develop an advanced understanding of each of the major operating systems.
  3. Robert should gain familiarity with computing and hardware platforms, which are key to software development.
  4. Robert should be able to write reports related to his field and have great expertise in communication relating to computer security.

Answer: All of the above are correct.

Breakdown: Each of the above areas is important for Robert’s future career. In order to be an ethical hacker, he must understand how computers work, be able to work with any operating systems (Windows, Mac, UNIX, and Linux), understand the underlying hardware platforms required, and be able to communicate with laypersons and other computer security professionals through correspondence and reports.

Hacker Classifications

Which type of hacker uses their computer knowledge to invade the privacy of others, thereby breaking security laws and rendering the security of information systems weak?

  1. Security Providing Organization
  2. Gray Hat
  3. Black Hat
  4. White Hat

Answer: The correct answer is 3.

Breakdown: Black Hat hackers have no qualms about breaking the law and exploiting security systems to access private and sensitive files. They build their knowledge base in computer security to break security laws and weaken the security of information systems. Hacker classifications are as follows:

Black Hat Hackers (Crackers): As previously mentioned, these hackers seek to gain access to private files and information by attacking information systems.

Gray Hat Hackers: This is the ‘gray area’ crowd. Sometimes they choose to defend an information system or network, and other times they put on their Black Hat and break laws to achieve their goals.

White Hat Hackers (Ethical Hackers): These hackers have built their knowledge base in order to defend information systems. They use their computer skills to increase, rather than decrease, the security of networks.

Security Providing Organizations: An organization or community that delivers computer security to networks and security systems.

What Causes Security Vulnerabilities?

What is true about vulnerability in computer security?

  1. This security weak spot is discovered and possibly exploited in a Target of Evaluation and results from failed analysis, design and implementation, or an operation.
  2. It is caused by the incompetence of humans, natural disasters, or other indefensible situations.
  3. This agent can take advantage of a weakness in an information system or network.
  4. It is the threat or potential threat of a security violation and occurs only where there is a situation, action, or event that has the potential to break through security and damage a network or information system.

Answer: The correct answer is 1.

Breakdown: Vulnerability is defined as a weak spot or lack of safeguarding procedure(s) that could likely be exploited by one or more threats, causing damage to a network and/or information system. Vulnerabilities can be found in hardware, firmware, software, applications, system utility and configuration settings/files, and operating systems. A threat is simply the sign or indication of a possible negative event. A threat can be caused by a computer user or even through a natural occurrence. Unlike a threat, vulnerability is the agent that can or does exploit a weak point.

Security Policy Rules

Which of the policies listed below is a valid set of rules regarding connecting a system to an internal network while physically in a different location?

  1. Computer Security Policy
  2. User Account Policy
  3. Remote Access Policy
  4. Network Security Policy

Answer: The correct answer is 3.

Breakdown: A company’s remote access policy sets forth rules for connecting to an internal network remotely. A network security policy, conversely, is more general. It lays out the basic rules for accessing the computer network, describes how the rules will be enforced, and outlines the architecture of the network environment, including the security structure. A computer security policy delivers a definition of various aspects of a company’s computer system and gives an outline of its goals. This ranges from a highly professional and formal document, to a relaxed and informal one. Security policies are enforced by organizational policies or security mechanisms. The user account policy document is one that lays out the means for someone to request an account and/or maintain an account on the computer systems or networks of an organization.

Verifying Security Updates and Changes

How can you establish that policies, configurations and procedural changes/updates are made in a controlled and well-documented environment?

  1. Vulnerability scanning
  2. Compliance
  3. Change management
  4. Peer review

Answer: The correct answer is 3.

Elements of Security

Security, which is a measurement of how safe a system or network is for individuals and organizations, is the condition of well-being of information and infrastructure. With a secure system, theft (particularly undetected), tampering, and/or disruption (through Denial of Service Attacks) of services and information are limited to low or tolerable levels. Select the elements of security from the list below.

  1. Integrity
  2. Availability
  3. Non-Repudiation
  4. Authenticity
  5. Confidentiality

Answer: All of the above.

Breakdown: The elements of security are as follows:

Confidentiality: A bond of trust that involves refusing to reveal details about a company, product, resource, or any other sensitive and/or proprietary information.

Authenticity: Proof of identity and origination of information.

Integrity: The level of credibility, reliability and reputation of data and/or resources, particularly with regard to stopping unapproved or unauthorized alterations.

Availability: The accessibility and ability to utilize information or resources when desired.

Non-Repudiation: The inability of a sender to separate or disconnect him/herself from a message.

Testing Methodologies

Background: In her career as an Ethical Hacker, Diane has been assigned to a new project. She must test the security of a website. The only information that she is provided about the network infrastructure is as follows: diagrams from the network infrastructure; names and source code for necessary security tools; and details about the IP addresses of the network.

Based on the information provided above, what testing methodology is being implemented by the website?

  1. White-box testing
  2. Black-box testing
  3. Gray-box testing
  4. Alpha or simulated testing

Answer: The correct answer is 1.

Breakdown: With the information Diane has been given, she determines that their website is using the white-box testing method. It’s a technique whereby an organization delivers a complete picture of the infrastructure to the team testing its website. The testing technique known as “black-box” is a blind situation where the team is given no information about the infrastructure of the website or organization. This is the least desirable of techniques because it is a high-cost, time-consuming and low-ROI process. Gray-box testing is a mix between white-box and black-box techniques. In this methodology, the testing team is given some background on the system and can design/implement their security systems based on at least some knowledge of the system.

Gray Box vs. Black Box Testing

How can gray box testing be distinguished from black box testing?

  1. In white box testing, the tester has no knowledge of the target. He was given only the company’s name.
  2. In black box testing, the tester has complete knowledge of the internal company network.
  3. In gray box testing, the tester has to try to gain access into a system using commercially available tools only.
  4. In gray box testing, the attacker performs attacks with a normal user account to see if he can escalate privileges.

Answer: The correct answer is 4.

Breakdown: In gray box testing, the attacker carries out attacks using just a normal user account to see if he can escalate privileges. White box testing is a security testing method that helps a security team to validate whether application implementation actually follows the intended design and security functionality. Additionally, the security team is responsible for uncovering exploitable vulnerabilities in white-box testing. Black box testing assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis.

Core Principles of Ethical Hacking

What core principle states that an individual or party cannot deny a role it had in an action or event (including document transmission)?

  1. Non-repudiation
  2. Perjury
  3. Confidentiality
  4. Secrecy and Privacy

Answer: The correct answer is 1.

Common Microsoft Vulnerabilities

Microsoft’s print and file servers are among the more common targets for hackers. Which of the below is a common—but potentially harmful—vulnerability?

  1. XSS
  2. SQL infraction
  3. Missing patches
  4. Poor IV standards

Answer: The correct answer is 3.

Testing Security with DoS

Grace has made a career as an Ethical Hacker. Her company asks her to test the security of their server against potential Denial of Service (DoS) attacks. In order to accomplish this, she sends ICMP ECHO packets en masse to a set computer. She is employing which of the below techniques against DoS attacks?

  1. Smurf Denial of Service (DoS) attack
  2. Ping Flood Denial of Service (DoS) attack
  3. Teardrop Denial of Service (DoS) attack
  4. Land Denial of Service (DoS) attack

Answer: The correct answer is 2.

Breakdown: In testing the security, Grace utilized the Ping Flood style of attack. Here, the attacker delivers a mass quantity of ICMP packets, bombarding a target computer. The definitions for a Smurf DoS attack, a teardrop attack, and a land attack are as follows.

A Smurf DoS attack is arranged when the attacker delivers a large quantity of ICMP “Echo requests” to an IP broadcast address or addresses. A spoofed address is used so as to mask the ICMP requests.

A teardrop DoS attack involves a sequence of data packets that are directed to a target system or computer with overlapping, offset field values and over-sized payloads. The target computer or system will then not be able to reassemble the packets and must therefore hang, crash or reboot.

A land DoS attack requires the attacker to send a hoax/spoofed TCP SYN packet where the target host’s IP address is filled in in two places: the source field and the destination field.

Ethical Hacking Groups

There are many credos within the computer security world. Which of the below groups believes that a hacker’s purpose is to make social change, regardless of whether it involves breaking laws and/or defacing webpages?

  1. Hacktivists
  2. Script kiddies
  3. Crackers
  4. Phreakers

Answer: The correct answer is 1.

Breakdown: Online hacktivism has seen a great deal of growth lately. Hacktivists believe that they can change society through their attacks. The act itself is called “Hacktivism,” which is motivated by a political or social purpose. Hacktivists hack into a computer network or system for a “cause”—defacing or bringing down a website as a statement for their beliefs. A hacktivist uses the same tools and methods as any other hacker. Script kiddies have very limited hacking skills and/or programming experience and use open source and free hacking software to perform elementary attacks. Crackers use their expertise in hacking and programming to carry out damaging and usually illegal activities. Phreakers only rip off information from communication systems.

Reducing Attack Surface

Security teams should do which of the below to reduce attack surface?

  1. Harvesting
  2. Scanning
  3. Hardening
  4. Windowing

Answer: The correct answer is 3.

Phases of Malicious Hacking

In his profession as an Ethical Hacker, Chistov is often assigned jobs where he needs to test the security of a website. In this case, he is assigned to check the security of a new website. He can’t remember what the first step is in malicious hacking, but he needs to know it in order to protect against hackers. What is the first step?

  1. Maintaining Access
  2. Scanning
  3. Covering/Clearing Tracks
  4. Reconnaissance
  5. Gaining Access

Answer: The correct answer is 4.

Breakdown: Here is the breakdown of phases in malicious hacking:

Reconnaissance: Attacker collects details about their intended victim.

Scanning: Attacker seeks out vulnerabilities, which they will later exploit.

Gaining Access: Attacker uses the above-discovered vulnerability in order to access the network or system.

Maintaining Access: Attacker keeps their system access long enough to complete the attack.

Covering/Clearing Tracks: Attacker takes steps to avoid being discovered or penalized under the crimes code.

Black Hat Hacker Tactics

Adam is a malicious hacker who attacks a company’s server. Once he has gotten in, he sets up a backdoor on the company’s server and modifies the log files. Which of the above-discussed phases includes that modification?

  1. Reconnaissance
  2. Maintaining access
  3. Gaining access
  4. Covering/Clearing tracks

Answer: The correct answer is 4.

Breakdown: Adam placed a backdoor on a company’s server in order to ensure he has total at-will access. He maintains his access to the server in this manner. But Adam wasn’t finished. After he placed the backdoor, he carefully modified the log files on the server to avoid detection. This malicious act could actually clue the Network Administrator into the hacker’s intentions and falls within the last step of the hacker’s process—covering his tracks.

Securing Certificates

If two unique corporations or companies go through a merger, what should they do to make sure that the Certificate of one company would trust the Certificate generated by the other?

  1. Cross-certification
  2. Public Key Exchange Authorization
  3. Federated Identity
  4. Must start from scratch – unique PKI system required.

Answer: The correct answer is 1.

Public Key Infrastructure

Which authority of PKI will verify an applicant?

  1. Certificate Authority
  2. Registration Authority
  3. Root Central Authority
  4. Validation Authority

Answer: The correct answer is 2.

Definition of Script Kiddie

What is the definition of a script kiddie?

  1. A script kiddie utilizes hacking programs found online and developed by someone else to hack into information systems and deface websites. They are not independently knowledgeable about hacking.
  2. A script kiddie has lost the respect of others in an organization. Their integrity is suspect.
  3. A script kiddie focuses their attacks on communication systems.
  4. A script kiddie has been working with various computer systems from a young age. They are experts in many computer fields and operating systems, in addition to being knowledgeable in networks, frameworks, software and hardware. They love to root out vulnerabilities and threats on a server to boost its security.

Answer: The correct answer is 1.

Breakdown: Option 2 is actually the definition of a disgruntled employee. This kind of employee has lost the respect of his superiors and coworkers, and can be untrustworthy. Still, this kind of employee is often more educated and skilled than a script kiddie.

Pen Testers vs. Attackers

How is a penetration tester different from an attacker?

  1. A penetration tester uses various vulnerability assessment tools.
  2. A penetration tester does not test the physical security.
  3. A penetration tester does not perform a sniffing attack.
  4. A penetration tester differs from an attacker by his lack of malicious intent.

Answer: The correct answer is 4.

Breakdown: A penetration test is a technique of evaluating security of a system or network by simulating attacks. This process requires an active analysis of the system/network for potential vulnerabilities resulting from poor or improper system configurations, known and/or unknown hardware or software flaws, and/or operational weaknesses in process or technical countermeasures.

First Step in Ethical Hacking

What is the first thing an ethical hacker must do before running a pentest?

  1. Perform an nmap scan.
  2. Uncover social engineering metadata.
  3. Print a findings report.
  4. Obtain a signed document from senior management.

Answer: The correct answer is 4.

Objectives of Pentesting

What are some end objectives of an effective pentesting attempt?

  1. Verify whether certain data can still be restored with a regular backup in the event of hardware damage.
  2. Examine the IT infrastructure in terms of its compliance, efficiency, effectiveness, etc.
  3. Identify vulnerabilities and flaws and improve security of technical systems.
  4. Catalog the assets and resources in a system.

Answer: The correct answer is 3.

Breakdown: For a successful penetration test that meets a client’s expectations, a clear definition of goals is absolutely essential. If goals are not easily attainable, the tester should notify his client in the preparation phase and recommend alternative procedures (IT audit or IT security consulting services).

Data Gathering and Reconnaissance

Penetration tests occur in phases. Recall from a previous question the terms ‘data gathering’ and reconnaissance. During which phase(s) do these two actions occur?

  1. Out-attack phase
  2. Post-attack phase
  3. Attack phase
  4. Pre-attack phase

Answer: The correct answer is 4.

Breakdown: The first step is the pre-attack phase, where the penetration tester seeks out data about their target. Otherwise known as reconnaissance, the data collection stage is important because it is the foundation on which the rest of the attack is built. The attacker then gathers all of the data, from scanning Whois, DNS, and any and all networks they can discover. The attacker maps out the network and soon has in front of him a total picture, including the operating system and what applications are currently running on any one of the systems.

Linux Pentesting Tools

Which of the below tools (based in Linux) can be used for penetration testing?

  1. JPlag
  2. Vedit
  3. Ettercap
  4. BackTrack (now KALI)

Answer: The correct answer is 4.

PCI-DSS

The PCI-DSS requires organizations to perform external pentests. How often will these need to be done?

  1. Once a quarter
  2. At least once a year and after a major change or update
  3. Every two years
  4. Once a year

Answer: The correct answer is 2.

Social Engineering Methods

Which method is the most widespread for an attacker to find victims for social engineering strikes?

  1. Phone
  2. War driving
  3. Session hijacking
  4. Email

Answer: The correct answer is 1.

Breakdown: Surprisingly enough, phone attacks are one of the most common social engineering attacks. What exactly is social engineering? It’s a way of conning people into divulging their personal and financial information, account logins, PIN numbers and passwords by earning their trust.

Sometimes war driving is referred to as access point mapping. This is when a hacker undertakes to find exploitable connections through locating wireless networks while driving.

Session hijacking refers to the abuse/unauthorized use of a computer session in search of private and/or proprietary information available on a computer system. This word is most often used to refer to the illicit theft of a ‘magic cookie’ used to allow a user to log in via a remote server. TCP session hijacking occurs when a hacker seizes a TCP session between two machines that have already connected. This allows the hacker to skip past the initial authentication checks and achieve access to a computer system or network.

Gathering Information

Jay is using Facebook, Twitter, and other social networking sites to gather information on his targets. What sort of methods is he employing? (Select 2.)

  1. Distributed denial of service attack
  2. MiTM attack
  3. Teardrop attack
  4. SQL injection attack
  5. Phishing attack
  6. Social engineering attack

Answer: The correct answers are 5 and 6.

Obtaining Network Keys

A tester detects an access point using WPA2 during a routine wireless penetration test. Which of the below attacks would be useful in obtaining a key?

  1. First she needs to reset the MAC address of the wireless network card. Next, she should utilize the AirCrack tool to capture the key.
  2. She should capture the WPA2 authentication handshake and then work to crack the handshake.
  3. She should try the key cracking tool airodump-ng [airocrack-ng] through the network ESSID.
  4. She must reset the network and start from scratch because WPA2 simply cannot be cracked.

Answer: The correct answer is 2.

Biometric Attacks

What is the chief reason that using a stored biometric opens an individual up to an attack?

  1. This kind of authorization runs a comparison on the original to the copy rather than the other way around.
  2. The symbols used to represent a stored biometric might not be original in a digital or stored format.
  3. An attacker can use the stored biometric data to easily masquerade as the individual identified by that data.
  4. A stored biometric is no longer “something you have” and instead becomes “something you are.”

Answer: The correct answer is 3.

Measuring Facial Features

Which of the below scans can measure facial and other features through the use of a webcam or other digital camera capable of taking videos?

  1. Iris scan
  2. Facial recognition scan
  3. Signature dynamics scan
  4. Retina scan

Answer: The correct answers are 1 and 2.

Nessus Policies

You are starting a new Nessus policy and need to turn on (or enable) Global Variable Settings. Where should you go to enable them?

  1. Plugins
  2. General
  3. Preferences
  4. Credentials

Answer: The correct answer is 3.

Nmap Scanning

A pentester (otherwise known as a penetration tester) keys in the below command. What kind of scan is this?

nmap -n -sS -PO -p 123 192.168.2.25

  1. Idle scan
  2. Intense scan
  3. Stealth scan
  4. Fin scan

Answer: The correct answer is 3.

If a hacker wanted to modify prices on a website, which of the below methods would they use? As an aside, there are no alerts shown through IDS.

  1. XSS
  2. Hidden form fields
  3. SQL injection
  4. Port scanning

Answer: The correct answer is 2.

Types of Scans

What kind of a scan delivers specially designed packets to a system (remote) and then analyzes the output?

  1. Active
  2. Bounce
  3. Passive
  4. Directive

Answer: The correct answer is 1.

Information Collection Methods

Background: You run the following command in the command prompt:

telnet <IP address> 80
HEAD / HTTP/1.0
(press Return twice)

Which of the below information collection methods did you use?

  1. Port scanning
  2. Dumpster diving
  3. OS fingerprinting
  4. Banner grabbing

Answer: The correct answer is 4.

Breakdown: Banner grabbing is a type of enumeration/inventory technique utilized by hackers to extract information about computers and/or hosts on a network and determine which services are active on their open ports. A port is a medium of communication between two separate systems. A port, a unique 16-bit code/number, distinguishes each service on any host. This can be used by hackers or by an administrator to perform an inventory check for their network.

OS Fingerprinting is the simplest and most straightforward way to discover which operating system is being used on a remote system. This kind of detection makes it much easier to hack a system. Fingerprinting compares data packets, which are sent by a target system. There are two categories of fingerprinting methods: active fingerprinting and passive fingerprinting. With active fingerprinting, ICMP (Internet Control Message Protocol) messages are pushed to the target system. Ordinarily, the remote system’s response message will reveal the operating system. In passive fingerprinting, the hacker uses a ‘sniffer’ such as Wireshark to capture traffic, analyzing the number of hops to discover the operating system. In passive fingerprinting, no traffic is sent—it is only collected.

Dumpster diving refers to rummaging through an individual’s waste/trash, including discarded mail, in an attempt to discover important or private information.

The first step in learning the specifics of the open ports on any system is port scanning. Hackers utilize port scanning to locate a “hackable” network or server with an easily detectable weakness, hole, or vulnerability.

Active OS Fingerprinting

Which of the below techniques cannot be used to perform active OS fingerprinting?

Answer is complete. Select more than one answer if applicable.

  1. Sniffing and analyzing packets
  2. ICMP error message quoting
  3. Sending FIN packets to open ports on a remote system.
  4. Analyzing the email headers.

Answer: Answers 1 and 4 are correct. These are the ways to perform passive OS fingerprinting. Email header passive OS fingerprinting: In this method, an attacker uses the e-mail header to detect the remote OS. The header is analyzed and gives information about the mail daemon of the remote computer. Each OS uses a special mail daemon, so an attacker can then figure out the OS. The other options, ICMP error message quoting and sending FIN packets to open ports on a remote system, are active forms of fingerprinting for the OS.

Types of Privacy Invasion

Which of the below types of privacy invasion involves modifying data or information before or during input into a computer system with the intent to steal or commit fraud?

  1. Spoofing
  2. Wiretapping
  3. Eavesdropping
  4. Data diddling

Answer: The correct answer is 4.

Breakdown: Data diddling involves altering data prior to or during input to a computer in an attempt to commit fraud. It also is used to describe the act of deliberately changing information, programs, and/or documentation.

Eavesdropping is the act of snooping/listening in on private conversations. This is also the term used to describe attackers watching and analyzing network traffic.

Spoofing is a method used by hackers to make a transmission seem to have originated from a familiar or authentic source by faking IP addresses, email addresses, and caller ID. In IP spoofing, a hacker will tweak packet headers by inserting someone else’s IP address to mask their identity. However, spoofing is not functional for surfing the web or chatting online because the responses will be misdirected by the false IP address.

Hackers use wiretapping to monitor phone and Internet communications where they are not a party. Wiretapping is actually legal, but ONLY with prior consent. Police officials and governmental authorities regularly utilize “legalized wiretapping” in relation to investigations, whether public or secret.

Pre-Testing Phases of Pentesting

Molly is employed as an Ethical Hacker. Her newest project involves testing the security of a website. Which of the below are the three pre-testing phases of an attack used in measuring the security of this website?

  1. Identifying the active system
  2. Web server hacking
  3. Enumerating the system
  4. Session hijacking
  5. Placing backdoors
  6. Footprinting

Answer: The correct answers are 6, 1 and 3.

Breakdown: These are the three pre-testing phases used in the attack: (6) Footprinting; (1) Identifying an active system; (3) Enumerating a system.

Recording Keyboard Inputs

Which of the below will record everything a user types using a keyboard connected to the machine it is installed within?

  1. Firewall
  2. Port scanner
  3. Keystroke logger
  4. Line conditioner

Answer: The correct answer is 3.

Breakdown: A firewall is a utility that is used to protect an internal network or intranet against unauthorized access via the Internet or other external networks. A firewall sets restrictions on access (inbound and outbound) and performs analysis on traffic (between the network and the Internet). If installed, a keystroke logger or keylogger will log and record everything a person types using their keyboard. Both hardware and software forms of keyloggers exist. A port scanner is a software utility designed to search a network host for any open ports. It is useful to security teams performing security checks on their networks. However, it is also very useful to hackers targeting a network and its systems.

How to Hide your Identity

Background: Placing backdoors, web server hacking and session hijacking are among the phases of executing attacks.

From the below list, which, if any, of these tools can be used to obscure identity?

Answer is complete. Select more than one answer if applicable.

  1. War dialer
  2. Proxy server
  3. IPChain
  4. Anonymizer
  5. Rootkit

Answer: Answers 2, 3 and 4 are correct.

Breakdown: It is possible to mask your identity using firewalls (such as IPChains), a proxy server, or through an anonymizer.

A proxy server conceals the identity-related details of a user’s machine, network, or system from others. The user’s system first establishes a direct connection with a proxy server, and that server then creates a connection with a remote host of the user’s choice.

Anonymizers help make a user’s web surfing anonymous by removing any identifying details/information from a user’s computer system while the user browses the Internet. This helps to secure the user’s privacy.

Linux IPChains is free software that controls the filter and firewall capabilities on a Linux operating system. Network Administrators use it to ACCEPT, DENY, MASQ, or REDIRECT packets. The kernel starts with three sets of rules, or chains, in the firewall as follows: input, output, and forward. Note: Each packet (which may come from an Ethernet card or otherwise) that passes through the forward chain will also pass through the input and output chains.

A war dialer is a utility used by hackers to detect vulnerable modems; war dialers scan hundreds or thousands of phone numbers looking to discover an unauthorized way into the system. The tools available for this act are innumerable: a few include PhoneSweep, THC-Scan, and ToneLoc.

A rootkit is a toolkit or group of tools that can allow a hacker to seize administrative control of a computer system with no authorization. A rootkit does require root access to be installed onto the Linux operating system, but once it has been installed, the hacker has unlimited at-will root access.

Footprinting Tools

Which of the below tools can be used for footprinting?

Answer is complete. Select more than one answer if applicable.

  1. Brutus
  2. Sam Spade
  3. Traceroute
  4. Whois

Answer: The correct answers are 2, 3 and 4.

Breakdown: The traceroute, Sam Spade, and whois utilities are useful for footprinting.

What is the Sam Spade utility? Sam Spade is a software tool for discovering sources of email spam. It is named after a fictional private detective who unflinchingly sought out justice. The tool itself can request a DNS server to send back details about a domain, scan IP addresses for open ports, find the route of a packet transmitting between a machine and a remote system, and guess the origin of emails from their headers. It can also decode masked URLs.

What is the traceroute utility? The traceroute utility will display the path of a specific IP packet. Traceroute uses ICMP (Internet Control Message Protocol) echo packets, displaying the Fully Qualified Domain Name (FQDN) as well as the IP address for any gateway along the route to its remote host.

Stages of Ethical Hacking

Markus works as an Ethical Hacker. His main project is to test the security of his client’s website. He starts by performing footprinting and scanning. What does this entail?

Answer is complete. Select more than one answer if applicable.

  1. Information-gathering
  2. Determining the network range
  3. Identifying all active machines
  4. Finding any open ports and/or applications
  5. Enumeration through a four-step process

Answer: 1, 2, 3 and 4 are correct.

Breakdown: In the enumeration phase, an attacker collects information and data, including the network user and group names, routing tables, and Simple Network Management Protocol (SNMP) data. The methods utilized in this phase are listed below:

  • Obtaining Active Directory details and identifying vulnerable accounts
  • Discovering NetBIOS names
  • Employing Windows DNS queries
  • Establishing NULL sessions and queries

Scanning Telephone Numbers

Which of the below techniques uses a modem in order to automatically scan a list of telephone numbers?

  1. War dialing
  2. Warkitting
  3. Warchalking
  4. War driving

Answer: The correct answer is 1.

Breakdown: War dialing uses a modem to auto-scan a list of phone numbers, often dialing each number in a local area code to search for computers, BBS systems and fax machines. Hobbyists can use this technique for exploration, and crackers (hackers specializing in computer security) can use it to guess passwords.

Warchalking is the drawing of symbols in public places to guerrilla-advertise an open Wi-Fi wireless network. The warchalker finds a Wi-Fi node and then draws a special symbol somewhere nearby. This is a portmanteau of the cracker terms war dialing + war driving.

Remote Connection Attacks

As Database Manager for a local company, Mick has a lot of responsibilities. He decides to set up remote control software on his work machine so that he will be able to log in from home or elsewhere. After installing the connection, he connects a modem to an otherwise-unused fax line. With no authentication or password set for the host connection, Mick’s remote connection will be accessible to anyone who connects to his host system. Which of the below attacks can be performed on Mick’s remote connection?

  1. War dialing
  2. Zero-day
  3. War driving
  4. Warchalking

Answer: The correct answer is 1.

Passive Information Gathering Tools

Which of the below is a passive, non-direct information-gathering tool?

  1. Ettercap
  2. Whois
  3. Nmap
  4. Snort

Answer: The correct answer is 2.

Breakdown: The whois tool is a so-called “passive” information-gathering utility. These kinds of queries can be used to discover the IP address ranges linked to a client or clients. A whois query can be run in most UNIX environments. With Windows, whois tools, including WsPingPro and/or Sam Spade, will do whois queries. Whois queries can be executed online via www.arin.net or at www.networksolutions.com.

Nmap is an active information-gathering tool. The nmap utility, or port scanner, is used to directly view open ports on a Linux system. Administrators can determine which of the services are currently available for external users.

Snort is more than just a character in a P.D. Eastman book. This tool is an active information-gathering utility. Snort is open source and designed for network intrusion prevention, as well as detection; Snort’s system also operates as a network sniffer and records network activity matched with predefined signatures. Three primary Snort modes are listed below:

  • Sniffer mode: In this mode, Snort will find the packets throughout the network and display them on the console in a continuous stream.
  • Packet logger mode: This is the mode where packets are logged to the disk.
  • Network intrusion detection mode: This mode offers the most options for configuration, and it also allows users to filter network traffic using their own sets of rules.

Like nmap and Snort, Ettercap is an active information-gathering tool. Ettercap, a UNIX and Windows-based tool for computer network protocol analysis and security audits, can intercept traffic on a network subnet/segment, thereby capturing user passwords and conducting active surveillance against

Determining Active Services on Target Machines

When determining which services are active on a target machine as well as possible entry points to attack, which of the below would you use?

  1. Nmap scan
  2. Ping
  3. Traceroute
  4. Banner grabbing

Answer: The correct answer is 1.

Nmap Vulnerability Scan

Chuck needs to perform a basic vulnerability scan using Nmap. When dealing with protocols like FTP and HTTP, what key engine does Nmap utilize?

  1. SAINT
  2. Metasploit
  3. NESSUS
  4. Nmap

Answer: The correct answer is 4.

Types of Nmap Scans

While running an Nmap scan for filtered ports, you send an ACK flag and receive a RST packet for open and closed ports. What kind of Nmap scan did you run?

  1. Null Scan -sN
  2. Fin Scan -sF
  3. XMAS Scan -sX
  4. TCP ACK scan -sA

Answer: The correct answer is 4.

Breakdown: The TCP ACK Scan will not discover whether ports are open or closed; it will determine whether a port is filtered or unfiltered. When an ACK flag is sent, open and closed ports will both return RST. Any ports that do not respond are considered filtered.

Conversely, with a NULL Scan, no flags are set on a packet. The target must follow RFC 793, a TCP specification. If the port is open or filtered, the scanner will receive no response. If the port is closed, it will receive RST.

In a FIN Scan, the FIN flag is set on a packet. Again, the target must follow RFC 793. If a port is open or filtered, the scanner will receive no response; it will receive RST if a port is actually closed.

In an XMAS Scan, the FIN, URG, and PSH flags are set on a packet. The target must still follow RFC 793. The scanner will receive no response if a port is open or filtered and will receive RST if a port is closed.

Reference: http://nmap.org/
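The flag combinations in the breakdown above are also what a defender looks for in captured traffic. The following is an added example, not part of the original study guide: it parses raw TCP headers, labels NULL, FIN, XMAS and unsolicited ACK probes, and maps a response to the port state the breakdown describes. The sample packets, addresses, the `min_ports` threshold and all function names are constructed for illustration.

```python
import struct
from collections import defaultdict

# TCP flag bits as laid out in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp(sport, dport, flags):
    """Build a minimal 20-byte TCP header (constructed sample data, checksum 0)."""
    return struct.pack("!HHLLBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def parse_tcp(segment):
    """Return (source port, destination port, flag bits) from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", segment[:4])
    return sport, dport, segment[13] & 0x3F


def classify_probe(flags, flow_known):
    """Name the scan type whose probe matches these flags, or None."""
    if flags == 0:
        return "NULL"                  # no flags set at all
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flow_known:
        return None                    # FIN or ACK inside a tracked connection
    if flags == FIN:
        return "FIN"
    if flags == ACK:
        return "ACK"                   # ACK with no handshake before it
    return None


def expected_state(scan, got_rst):
    """Port state the scanner infers, following the rules in the breakdown."""
    if scan == "ACK":
        return "unfiltered" if got_rst else "filtered"
    return "closed" if got_rst else "open|filtered"


def detect_scans(packets, min_ports=3):
    """Report sources that sent one probe type to at least min_ports ports.

    packets: iterable of (src_ip, dst_ip, raw_tcp_header) in arrival order.
    Returns {(src_ip, scan_type): sorted list of destination ports}.
    min_ports is an assumed threshold, not a value from the study guide.
    """
    flows = set()                      # connections opened with a SYN
    probes = defaultdict(set)
    for src, dst, raw in packets:
        sport, dport, flags = parse_tcp(raw)
        if flags in (SYN, SYN | ACK):  # handshake: remember both directions
            flows.add((src, sport, dst, dport))
            flows.add((dst, dport, src, sport))
            continue
        kind = classify_probe(flags, (src, sport, dst, dport) in flows)
        if kind:
            probes[(src, kind)].add(dport)
    return {k: sorted(v) for k, v in probes.items() if len(v) >= min_ports}


# Constructed traffic: one normal HTTPS session followed by three probing sources.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.80", build_tcp(50000, 443, SYN)),
    ("10.0.0.80", "10.0.0.5", build_tcp(443, 50000, SYN | ACK)),
    ("10.0.0.5", "10.0.0.80", build_tcp(50000, 443, ACK)),
    ("10.0.0.5", "10.0.0.80", build_tcp(50000, 443, PSH | ACK)),
    ("10.0.0.5", "10.0.0.80", build_tcp(50000, 443, FIN | ACK)),
]
SAMPLE_PACKETS += [("192.0.2.10", "10.0.0.80", build_tcp(40000 + p, p, ACK))
                   for p in (22, 80, 443)]
SAMPLE_PACKETS += [("192.0.2.20", "10.0.0.80", build_tcp(41000 + p, p, FIN | PSH | URG))
                   for p in (21, 23, 25)]
SAMPLE_PACKETS += [("192.0.2.30", "10.0.0.80", build_tcp(42000 + p, p, 0))
                   for p in (80, 443)]   # only two ports: below the threshold

if __name__ == "__main__":
    for (src, kind), ports in detect_scans(SAMPLE_PACKETS).items():
        print(f"{src}: {kind} scan probes to ports {ports}")
```

Tracking the handshake is what lets the detector tell an unsolicited ACK from the ACKs of an established session, which is the same distinction a stateful firewall makes and a stateless one cannot.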

UDP Port Scan

Which of the below Nmap commands is used to perform a UDP port scan?

  1. nmap -sU
  2. nmap -sS
  3. nmap -sF
  4. nmap -sN

Answer: The correct answer is 1.

Breakdown: The nmap -sU command performs a UDP port scan. The nmap -sS command performs stealth scanning. The nmap -sF command performs FIN scanning. The nmap -sN command performs TCP NULL port scanning.

Retrieving Different Protocols with Nmap

Which Nmap switch would you use to retrieve as many different protocols as possible that are being used by a remote host?

  1. nmap -sO
  2. nmap -sS
  3. nmap -sT
  4. nmap -vO

Answer: The correct answer is 1.

Breakdown: The nmap -sO switch is used to scan IPs. To search additional IP protocols, you can utilize the IP protocol scan. Such protocols include ICMP, TCP and UDP. This scan will unearth uncommon IP protocols that could be active on a system.

Nmap will not allow you to combine the verbose and OS scanning options. It will display the below error message: Invalid argument to -v: “O”

The nmap -sT switch performs a TCP full scan. The nmap -sS switch performs a TCP half scan. Here an attacker will send a SYN packet to a target port.

Firewall Packet Inspections

When scanning the DMZ interface on a firewall, Nmap reports that port 80 is unfiltered. Which of the below represents the type of packet inspection used by the firewall?

  1. Deep
  2. Stateless
  3. Proxy
  4. Stateful

Answer: The correct answer is 2.

Nmap OS Detection

Al, an Ethical Hacker, has recently been contracted to complete a project to do security checking on a website. He wants to find out which operating system is used by the web server. Which of the below commands can he use to complete this task?

Each correct answer represents a complete solution. Choose two.

  1. nmap -v -O 208.100.2.25
  2. nc -v -n 208.100.2.25 80
  3. nc 208.100.2.25 23
  4. nmap -v -O www.website.com

Answer: The correct answers are 1 and 4.

Breakdown: According to the scenario, Al will probably choose “nmap -v -O 208.100.2.25” to uncover the OS used by the server. Here -v means verbose and -O means TCP/IP fingerprinting (to guess the remote OS). Al could also use the DNS name of the website instead of using its server IP address. In this case, he would use the nmap command “nmap -v -O www.website.com”.

TCP/IP Fingerprinting

Background: TCP/IP stack fingerprinting involves the passive collection of configuration attributes from remote devices during standard layer 4 network communications. These combinations could then be used to infer the remote operating system or to incorporate the information into a device fingerprint.

Which of the below Nmap switches can be utilized to perform TCP/IP stack fingerprinting?

  1. nmap -O -p
  2. nmap -sU -p
  3. nmap -sS
  4. nmap -sT

Answer: The correct answer is 1.

Attracting Data Intruders

Which of the below kinds of machines do security teams often use for attracting potential intruders?

  1. Bastion host
  2. Data pot
  3. Files pot
  4. Honeypot

Answer: The correct answer is 4.

Breakdown: A honeypot is a machine/computer that can be used to draw in potential intruders or attackers. A honeypot has intentionally low security permissions and is useful in collecting intelligence about attackers and their tactics.

Password Cracking Utilities

Which of the below are password-cracking utilities? (Choose 3.)

  1. Nmap
  2. John the Ripper
  3. Cain and Abel
  4. KerbCrack
  5. Wireshark
  6. WebGoat

Answer: The correct answers are 2, 3 and 4.

Using Tools to Analyze Raw IP Packets

Background: Luke is an Ethical Hacker. In scanning his company’s wireless network, he utilizes a free, open-source tool. The tool analyzes raw IP packets to discover the following:

  • Which ports are open on the network systems?
  • Which hosts are available on the network?
  • Are there unauthorized wireless access points?
  • Which services (application name, version) are the available hosts providing?
  • Which operating systems (and OS versions) are the hosts running?
  • Which types of packet filters/firewalls are being utilized?

Based on the above information, which of the below tools is Luke using?

  1. Nessus
  2. Kismet
  3. Nmap
  4. Sniffer

Answer: The correct answer is 3.

Breakdown: Nmap is an active data collection tool. The port-scanning ability of the nmap utility can be used to view the open ports on a Linux machine. Administrators can employ this tool to discover which services are accessible to external users.

Capturing Network Traffic in Real Time

Which of the below utilities is a protocol analyzer with the ability to capture packet traffic as it comes into the network (“in real time”)?

  1. NetWitness
  2. Netresident
  3. Snort
  4. Wireshark

Answer: The correct answer is 4.

Breakdown: Wireshark is a protocol analyzer with the ability to capture packet traffic as it comes into the network (“in real time”). It is free and open source, and will act as a packet sniffer, capturing network traffic for troubleshooting, analysis, software and communications protocol development, and teaching. It was originally called Ethereal. Wireshark will work on Windows, Mac, Linux, or Unix machines.

Wireshark Best Uses

Wireshark will excel in which one of the below situations you might face as an Ethical Hacker?

  1. If you need to target networks using switches or so-called “full-duplex” hubs (which are actually switches).
  2. If you need to target networks utilizing repeaters/hubs.
  3. If your target is a Windows-based network.
  4. If your target is a Linux-based network.

Answer: The correct answer is 1.

Breakdown: When a device is a hub, it is convenient for capturing through Wireshark. A hub based on switches will only transmit ‘clean’ packets—whereas a real hub will simply act as a repeater with no verification of packets. Network hubs do not manage network traffic. Therefore, each packet that enters a port is repeated on every other port. A switch learns and maintains a table of MAC addresses. A switch does not simply forward all packets to all other ports, but rather uses a bridge to determine which packets are forwarded to which ports.

Obtaining Packet Captures

You need to obtain a packet capture for a network. Which of the below devices would allow you to capture a total picture of the traffic on the wire through Wireshark?

  1. Network tap
  2. Layer 3 switch
  3. Network bridge
  4. Router

Answer: The correct answer is 2.

Timing Nmap Scans to Prevent Detection

Steve is a black hat and wishes to run a port scan on a machine he is attacking to try to find some open ports and other valuable information. He decides to use the nmap command to execute his scan. Because he is worried that the admin may be running PortSentry in order to block any scans, he will slow the scans down so that they are less suspicious. What nmap options can he use to do this?

  1. nmap -sS -PT -PI -O -T1 ip address
  2. nmap -sF -P0 -O ip address
  3. nmap -sO -PT -O -C5 ip address
  4. nmap -sF -PT -PI -O ip address

Answer: The correct answer is 1.

Web Password Hacking

You want to access and pull password files from various websites. These passwords are stored within the index directory of a website’s server. What could you use from the below options that would allow you to do this?

  1. Google
  2. Nmap
  3. Whois
  4. Sam Spade

Answer: The correct answer is 1.

Breakdown: Google hacking is a way to find and retrieve password files (which have been indexed within a web server’s directory) from specified websites. Search queries on Google will potentially discover information from a web server’s index directory.

Ethical Hacking Skills in the Workplace

While browsing an online job board, you come across a job posting for tech professionals. You visit the company’s website, analyze its contents, and conclude that they are looking for professionals who possess a strong knowledge of Windows Server 2003 and Windows Active Directory installations. Which of the below hacking phase(s) does this fall under?

  1. Reconnaissance
  2. Gaining access
  3. Covering tracks
  4. Scanning

Answer: The correct answer is 1.

Snort IDS

When a match for an alert rule is found in Snort, the intrusion detection system carries out which of the below actions?

  1. Blocks a connection with the source IP address in the packet
  2. Halts rule query, sends a network alert, and freezes the packet
  3. Continues to analyze the packet until each rule has been checked
  4. Drops the packet and selects the next packet detection option

Answer: The correct answer is 3.

Limitations of Anonymizers

Background: Anonymizers are used to mask a user’s web surfing. Anonymizers work by removing all identifying information from a computer throughout the time the user is surfing online. Internet users seeking privacy will use an anonymizer. Once they have enabled online access anonymization, each link they open for the remainder of the session will also be accessed anonymously, with no extra actions on the part of the user. However, anonymizers do have limitations. Which of the below represent examples of such limitations?

Answer is complete. Select more than one answer if applicable.

  1. Secure protocols
  2. Plugins
  3. ActiveX controls
  4. Java applications
  5. JavaScript

Answer: All of the above are correct.

Breakdown: These are the limitations of anonymizers:

  • Secure protocols, including HTTPS, will not be anonymized correctly by an anonymizer because a browser must be able to access the site directly in order to maintain truly secure encryption.
  • Third-party plugins accessed by websites cannot be properly anonymized. There is simply no way to ensure that any independent direct connection between the user’s machine and a remote site will remain established.
  • When a Java application is accessed via an anonymizer, it cannot circumvent a Java security wall.
  • ActiveX applications will have nearly unlimited access to the computer system of the user.
  • The JavaScript language will be disabled with anonymizers that are URL-based.

Facts about the TCP/IP Model

Which of the below is true about the TCP/IP model?

Answer is complete. Select more than one answer if applicable.

  1. This model sets forth design guidelines and implementations for different networking protocols, enabling computers to interface through a network.
  2. This model allows end-to-end connectivity, delineating the format of data as well as the way it is addressed, transmitted and/or routed, and even how it will be received.
  3. This data model has five (5) separate layers of abstraction.
  4. Each layer of this model contains several different protocols.

Answer: The correct answers are 1, 2 and 4.

Breakdown: As a description framework used in computer network protocols, the TCP/IP model sets forth the design guidelines in a general sense as well as the specific networking protocol implementation. This creates a way for computers to interface via network connections. TCP/IP does provide end-to-end connectivity, and also delineates the way in which data must be formatted, as well as addressed, transmitted and routed, and even the way it will be received. There are various protocols for communication services to and from computers. Another name used for this model is the Internet model or the DoD model (this is because it was created by the Department of Defense). There are four unique layers in the TCP/IP model. This is represented in the below image. The Internet Engineering Task Force (IETF) maintains the TCP/IP model and other related protocols. In another model, the OSI Reference Model, there are actually seven (7) layers. The TCP/IP model has fewer steps because it allows applications to manage actions past a certain layer.

The Application Layer (or Layer 4): Programs communicate through application layers. Think of it as a “user interface layer.” Through application layers, browsers, file-sharing software, email software, and other user-facing software (software the user interacts with directly) can interact. Other aspects handled in this layer include encryption and session details.

The Transport Layer (or Layer 3): In the transport layer, devices will negotiate to determine how to talk to each other over a network. This involves such decisions as communication type (e.g., User Datagram Protocol or Transmission Control Protocol), the window size, which port, how to deal with errors, as well as sequencing. Most work done in device communications is completed through this layer.

The Internet Layer (or Layer 2): The Internet Layer is where IP addressing, internetworking (connecting one network with others through gateways), and path determination occur. The path that a packet will take through a network is handled in this layer through routers. The protocols in this layer will examine multiple avenues to determine the most efficient way for one host to connect to the other.

The Link Layer (or Layer 1): The link layer is responsible for encapsulating the data. The network type will determine how this layer accomplishes its task, that is, which encapsulation protocol is appropriate. Some of them include Ethernet, Frame Relay, PPP, HDLC or CDP. The physical connection between the devices (as well as the topology of the network) plays a major part in the selection.

Regarding answer 3 above: this option is invalid, as the TCP/IP model consists of not five (5) or seven (7) abstraction layers, but a total of four (4).

Locating Server Details with IP Addresses

Phil needs to procure information related to a server with an IP address range that is within the IP address range that is used in Brazil. There are many registries available online for discovering the details of web server IP addresses, or reverse Domain Name Service (DNS) lookup. Which of the below registries will be most useful to him?

  1. RIPE NCC
  2. APNIC
  3. ARIN
  4. LACNIC

Answer: The correct answer is 4.

Breakdown: Phil needs to obtain information about a web server situated in Brazil. Registries are available throughout the world, most often broken up into geographic locations. So the Latin American and Caribbean Internet Addresses Registry, or LACNIC, is the Regional Internet Registry for the Latin American and Caribbean regions and is therefore the best registry for doing a DNS lookup. LACNIC is one of five (5) regional Internet registries available worldwide. Its chief purpose is to assign and administrate IP addresses for the region of Latin America and parts of the Caribbean.

The Réseaux IP Européens Network Coordination Centre, or RIPE NCC, is the Regional Internet Registry (RIR) for Europe, the Middle East, and certain parts of Central Asia.

The Asia Pacific Network Information Centre (APNIC), the Regional Internet Registry for the Asia Pacific region, assigns and administers numerical resource allocation as well as registration services to support the global operation of the Internet.

The American Registry for Internet Numbers (ARIN) is the Regional Internet Registry (RIR) for Canada, parts of the Caribbean, some North Atlantic islands, and the United States.

Routing Protocols

Routing protocols are used to show how computers communicate. From the below options, select the two routing protocols.

  1. TCP or SMTP
  2. BGP
  3. UDP
  4. RIP

Answer: The correct answers are 2 and 4.

Definition of the Principle of Least Privilege

Which of the below is a good definition of the principle of least privilege?

  1. A manager should have all the access and privileges of his or her employees.
  2. People at the bottom of an organization’s hierarchy should have lower privileges than the highest members of the hierarchy.
  3. All users should need to input a unique password before being given any access.
  4. Users should have access only to the data and services that are necessary and important to perform their job(s).

Answer: The correct answer is 4.

Modifying Settings for Security

Erik is a System Administrator. He has the responsibility to ensure network security for an organization. Erik is currently working with the advanced features of a Windows firewall in order to block/prevent a client machine from responding to any pings. Which of the below advanced setting types will require modification?

  1. ICMP
  2. SMTP
  3. SNMP
  4. UDP

Answer: The correct answer is 1.

Breakdown: According to the scenario, Erik must modify the settings related to the Internet Control Message Protocol, or ICMP. ICMP is a protocol used when PING commands are issued and received, as well as when a ping is being responded to. This is an important part of IP that is used to report errors in datagram processing. A datagram is a basic transfer unit that is associated with packet-switched networks, an independent entity of data that carries enough information to be routed from its source to a destination computer. Simple Mail Transfer Protocol (SMTP-25) is a protocol that sends e-mail messages between servers. The Simple Network Management Protocol (SNMP-161) allows a router, switch, or other monitored device to run an SNMP agent. This protocol enables the management of multiple network devices from a remote workspace. User Datagram Protocol (UDP) is generally used for “one-to-many” communications, through broadcast and/or multicast IP datagrams. This protocol does not guarantee delivery or verify sequencing for any datagram because it is a connection-less and often unreliable communication protocol. However, UDP provides faster transmission of data between TCP/IP hosts than TCP.

DNS Cache Poisoning

Background: When data is provided to a caching name server that has not originated from an authentic source (in other words, an authoritative DNS source), this is called DNS cache poisoning. Once a DNS server receives this non-authentic data and caches it for future performance increases, it will be considered “poisoned” because it will thereafter supply server clients with that non-authentic data.

In order to determine the end-time for DNS cache poisoning, which of the below DNS records should you examine?

  1. MX
  2. NS
  3. PTR
  4. SOA

Answer: The correct answer is 4.

Breakdown: A start of authority (SOA) record contains information about the DNS zone on which it is stored and about other DNS records. A DNS zone is the area of a domain that is within the responsibility of a specific DNS server. There is only one SOA record for each DNS zone.

As stated above, when data is provided to a DNS server that did not originate from authoritative Domain Name System (DNS) sources (whether due to intentional or unintentional circumstances), it is called DNS cache poisoning. To perform such an attack, the attacker discovers and takes advantage of a flaw in the DNS software. A server must correctly validate that DNS responses have originated from an authentic source, or the server may end up caching incorrect entries locally and inevitably deliver them to users who key in identical requests.

Also called a “mail exchanger record,” an MX record is also stored in the zone file of a Domain Name Server (DNS). The MX record associates a domain name with another domain name sorted within an address record (an “A” record).

A name server record, or NS record, establishes the server that is considered an authoritative server for the DNS zone.

The pointer record (PTR) is housed in the Domain Name System (DNS) database and is responsible for mapping an IP address to a specific host name in the in-addr.arpa domain. These records are used when performing reverse DNS lookups.

Two-Factor Authentication

Which of the below items is a straightforward example of two-factor authentication?

  1. Fingerprint and smartcard
  2. Username/login and password
  3. ID and token or pin
  4. Iris scanning and fingerprinting

Answer: The correct answer is 1.

Smurf Attacks

Which of the below methods would succeed in protecting a router from prospective smurf attacks?

  1. Disabling the ability to forward ports on the router
  2. Placing the router into broadcast-only mode for a full cycle
  3. Disabling the router from accepting any broadcast ping messages
  4. Installing a new router in the DMZ

Answer: The correct answer is 3.

Tracerouting a Network

Which information can an attacker get after tracerouting any network?

Answer is complete. Select more than one answer if applicable.

  1. Network topology
  2. Web administrator email address
  3. Firewall locations
  4. Trusted routers

Answer: The correct answers are 1, 3, and 4.

Google Hacking

Background: Google hacking is a method of utilizing the Google search engine and other Google apps to discover security holes in the configuration and/or computer code that websites use. Keying in advanced operators in the Google search engine enables a hacker to pinpoint specific strings of text in a search result.

Which of the below terms is a valid Google search operator that can be used in searching for a specific file type?

  1. filetype
  2. inurl
  3. file type
  4. Intitle

Answer: The correct answer is 1.

Breakdown: The filetype Google search query operator can be utilized to search for a specific file type. If you wanted to search all pdf files with the word hacking in their filenames, you could key in the search query filetype:pdf pdf hacking.

  • inurl is used to search for specified text within the URL of websites.
  • file type, with a space between words, is not a valid search operator.
  • intitle can be used to search for specified text in website titles.

Nessus Security Reports

You need to obtain the default security report from Nessus. Which of the below Google search queries could you use?

  1. filetype:pdf “Assessment Report” nessus
  2. link:pdf nessus “Assessment report”
  3. filetype:pdf nessus
  4. site:pdf nessus “Assessment report”

Answer: The correct answer is 1.

Vulnerability Scanners Techniques

Nessus is a proprietary vulnerability scanner utilized by many organizations. Which of the below is a technique used by vulnerability scanners?

  1. Banner grabbing
  2. Port Scanning
  3. Analyzing service responses
  4. Malware analysis

Answer: The correct answer is 3.

Hacking Multi-Level Security Systems

Which of the below ways could be used to defeat a multi-level security solution?

  1. Leak data via asymmetric routing
  2. Leak data via a covert channel
  3. Leak data via steganography
  4. Leak data via an overt channel

Answer: The correct answer is 2.

Exploiting Remote Desktop

Administrators use Remote Desktop to gain access to their servers from different locations. In which of the below ways could a hacker exploit Remote Desktop to gain access?

  1. Capture any LANMAN (or LM) hashes and crack each of them with Cain and Abel.
  2. Capture the RDP traffic and then decode with Cain and Abel.
  3. Utilize a social engineering tool to capture the domain name of the remote server.
  4. Scan the server to see what ports are open.

Answer: The correct answer is 2.

Breakdown: RDP is an acronym for Remote Desktop Protocol.

Privilege Escalation Defenses

Which of the below options represents the best defense against privilege escalation (exploitation of a bug) vulnerability?

  1. Patch all computers and servers immediately after the release of any updates.
  2. Run apps without administrator privileges and download a content registry tool for storage of tracking cookies.
  3. Run services with your least privileged account(s) and then implement multi-factor authentication, or MFA.
  4. Monthly reviews of user and administrator roles.

Answer: The correct answer is 3.

Hacking Devices

Various devices, in the form of hardware and software, can emulate key computer services, such as browsers and email. Through these tools, system administrators can determine what vulnerabilities are enabling a hacker to break into a system. What is another name for this kind of device?

  1. Honeypot
  2. Router
  3. Port Scanner
  4. Core Switch

Show answer and Breakdown

Answer: The correct answer is 2.

Securing Web Servers

As the Security Consultant for a firm, Ingrid must check security for her client’s network. Her client informs her that of his many concerns, the security of the firm’s Web applications hosted on its Web server is the most important to him. With this in mind, which of the below should be Ingrid’s highest priority?

  1. Setting up an intrusion detection system (IDS).
  2. Configuring a believable honeypot.
  3. Scanning for open ports.
  4. Scanning and removing vulnerabilities.

Show answer and Breakdown

Answer: The correct answer is 4.

Detective Controls

Detective controls help administrators find problems within an organization’s processes. Choose the two options below that represent this kind of control.

  1. Audits
  2. DRP
  3. CCTV
  4. Encryption
  5. Two-factor or multi-factor authentication

Show answer and Breakdown

Answer: The correct answers are 1 and 4.

IPSec

IPSec offers which of the below?

  1. DDOS protection
  2. Non-repudiation
  3. Anti-virus protection
  4. Availability

Show answer and Breakdown

Answer: The correct answer is 2.

Protection Against Threats

Rodger, a security administrator, is very worried about his system becoming infected with a virus. He decides to implement a multi-layered strategy involving anti-virus software on each of his client machines as well as an e-mail gateway. What form of attack will this defend against?

  1. Scanning attack
  2. Social engineering attack
  3. ARP spoofing attack
  4. Forensic attack

Show answer and Breakdown

Answer: The correct answer is 2.

Alert Thresholding

The use of alert thresholding in an intrusion detection system (IDS) can reduce repeated alerts. However, it will introduce one of the below vulnerabilities. Which one?

  1. The IDS does not distinguish among packets originating from different sources.
  2. An attacker, working slowly enough, may be able to evade detection by the IDS.
  3. Network packets will be dropped once the volume exceeds the threshold.
  4. Thresholding disables the IDS’ ability to reassemble fragmented packets.

Show answer and Breakdown

Answer: The correct answer is 1.

Netcat Command Switches

Which of the below netcat command switches will you use to telnet a remote host?

  1. nc -t
  2. nc -z
  3. nc -g
  4. nc -l -p

Show answer and Breakdown

Answer: The correct answer is 1.

Breakdown: A free networking utility called Netcat will read and write data across network connections through the TCP/IP protocol. Netcat will provide outbound and inbound connections for TCP and UDP ports; special tunneling, such as UDP to TCP, where users can specify all network parameters; quality scanning of ports; advanced configurations and options, such as the buffered send-mode (one line every N seconds) and hexdump (to stderr or any specified file) of data (sent or received); and an optional RFC854 telnet code parser and responder.

Command            Description
nc -d              Detach Netcat from the console.
nc -l -p [port]    Create a simple listening TCP port. Adding ‘u’ will put it into UDP mode.
nc -e [program]    Redirect stdin/stdout from a program.
nc -z              Port scanning.
nc -g or nc -G     Specify source routing flags.
nc -t              Telnet negotiation.
nc -w [timeout]    Set a timeout before Netcat automatically quits.
nc -v              Put Netcat into verbose mode.

Analyzing Internal Vulnerability Scans

Ian must analyze the results of an internal vulnerability scan to be run on website hosting servers. The code is written in Java and his team lead wants to test it for buffer overflow vulnerabilities using the SAINT scanning tool. Why should Ian discourage his team lead from this avenue?

  1. SAINT, as an automated vulnerability assessment tool, is too resource-heavy.
  2. Java is not vulnerable to buffer overflow attacks.
  3. All vulnerability signatures will need to be manually updated before SAINT runs a scan.
  4. The SAINT scanner fails to incorporate the new OWASP Top 10 web application scanning policies and procedures.

Show answer and Breakdown

Answer: The correct answer is 2.

Breakdown: Because Java uses a sandbox to isolate code, it is not vulnerable to buffer overflow attacks. Most web servers, application servers, and web application environments are actually susceptible to buffer overflows. However, environments written in interpreted languages such as Java or Python are a notable exception. They are immune to these attacks (except for overflows within an interpreter).

Ping Testing for Vulnerabilities

Scott, a professional Ethical Hacker, has been assigned to do security and vulnerability testing for an organization. In order to find out whether certain computers are connected to the server or not, he will need to ping about 500 computers. Which of the below techniques would save him time and energy?

  1. PING
  2. NETSTAT
  3. Ping sweeping
  4. TRACEROUTE

Show answer and Breakdown

Answer: The correct answer is 3.

Breakdown: The ping sweeping technique allows you to ping a batch of devices and get the list of active devices. Because it is a tedious task to ping every address on the network one by one, the ping sweeping technique is highly recommended. The ping command-line utility tests connectivity with a host on a TCP/IP-based network by sending a series of packets to a destination host.

Discovering Rules on a Gateway

How can an attacker discover what rules have been set up on a specific gateway?

  1. Firewalking
  2. Firewalling
  3. OS Fingerprinting
  4. Ping Scan

Show answer and Breakdown

Answer: The correct answer is 1.

Breakdown: The Firewalking technique can help a hacker learn which rules have been set up on a gateway. Packets are ordinarily sent to a remote host with the exact TTL of a target. Hping2 can be used for firewalking as well.

Sending Packets to Identify Hosts

What is the process of identifying hosts or services by sending packets into the network perimeter to see which ones get through?

  1. Firewalking
  2. Enumerating
  3. Trace-configuring
  4. Banner Grabbing

Show answer and Breakdown

Answer: The correct answer is 1.

N-tier architecture

Which of the below statements are true about N-tier architecture? (Choose two).

  1. N-tier architecture requires at least one logical layer.
  2. Each layer should exchange information only with the layers above and below it.
  3. When any layer is modified or updated, the other layers must also be updated so that they agree.
  4. Each layer must be able to function on a physically independent system.

Show answer and Breakdown

Answer: The correct answers are 2 and 4.

Mapping IP Addresses to Live Hosts

Which of the below can be used to determine which range of IP addresses is mapped to live hosts?

  1. TRACERT utility
  2. Ping sweep
  3. PATHPING
  4. KisMAC

Show answer and Breakdown

Answer: The correct answer is 2.

Router and Firewall Protocols

You need to find out which protocols a router or firewall blocks as well as which protocols a router or firewall will simply pass onto downstream hosts. You are going to map out any intermediate routers or hops between a scanning host and your target host. After viewing the results, you need to identify which ports are open. The tool displays “A!” when it determines that the metric host is directly behind the target gateway. Which tool are you using for the scan?

  1. Firewalk
  2. NMAP
  3. HPing
  4. Traceroute

Show answer and Breakdown

Answer: The correct answer is 3.

Breakdown: Hping is a TCP/IP packet crafter that can be utilized to create IP packets containing TCP, UDP, or ICMP payloads. All header fields can be modified and controlled using the command line. A good understanding of IP and TCP/UDP is mandatory to use and understand the utility, which was actually used to exploit the idle scan technique from another utility by the same developer.

War Dialers

War dialers are used to scan thousands of phone numbers to detect any modems that have vulnerabilities. This provides an attacker with unauthorized access to a target computer. Which of the below utilities would work for war dialing?

Each correct answer represents a complete solution. Choose two.

  1. ToneLoc
  2. THC-Scan
  3. Wingate
  4. NetStumbler

Show answer and Breakdown

Answer: The correct answers are 1 and 2.

Breakdown: Both the THC-Scan and ToneLoc tools can be used for war dialing.

TCP/UDP Port Scanners

Which of the below network scanning utilities is a TCP/UDP port scanner that can also operate as a ping sweeper and/or hostname resolver?

  1. Netstat
  2. SuperScan
  3. Hping
  4. Nmap

Show answer and Breakdown

Answer: The correct answer is 2.

Breakdown: SuperScan is a TCP/UDP port scanner that works as a ping sweeper and hostname resolver as well. Given a range to ping, it will resolve the host name of a remote system.

3-Way Handshake Method

Which is the correct sequence of packets needed to perform the 3-way handshake method?

  1. SYN, SYN/ACK, ACK
  2. SYN, ACK, SYN/ACK
  3. SYN, ACK, ACK
  4. SYN, SYN, ACK

Show answer and Breakdown

Answer: The correct answer is 1.

Breakdown: The TCP/IP 3-way handshake method is used by the TCP protocol to establish a connection between a client and the server. It involves three steps:

  1. In the first step of the three-way handshake method, a SYN message is sent from a client to the server.
  2. In the second step of the three-way handshake method, SYN/ACK is sent from the server to the client.
  3. In the third step of the three-way handshake method, ACK (usually called SYN-ACK-ACK) is sent from the client to the server.

At this point, both the client and server have received an acknowledgment of the TCP

RST Packets

In which of the below scanning methods do Windows operating systems send only RST packets irrespective of whether the port is open or closed?

  1. TCP FIN
  2. TCP SYN
  3. FTP bounce
  4. UDP port

Show answer and Breakdown

Answer: The correct answer is 1.

Breakdown: In the TCP FIN scanning method, Windows sends only RST packets whether or not the port is open. TCP FIN scanning is a type of stealth scanning where the attacker sends a FIN packet to the target port. If the port is closed, the victim assumes that this packet was sent mistakenly by the attacker and sends the RST packet to the attacker.

Replying to SYN with RST

In which of the below methods does a hacker send SYN packets followed by a RST packet?

  1. XMAS scan
  2. TCP FIN scan
  3. TCP SYN scan
  4. IDLE scan

Show answer and Breakdown

Answer: The correct answer is 3.

Breakdown: In a TCP SYN scan, an attacker will send SYN packets followed by a RST packet. This is also known as half-open scanning because a full TCP connection is never opened. Steps of TCP SYN scanning:

  1. Send a SYN packet to a target port.
  2. If it is open, you will receive a SYN/ACK.
  3. Send an RST packet to break the connection.
  4. If an RST packet has been received, it indicates that a port is closed.

Xmas scans: In Xmas Tree scanning, multiple flags (at least FIN, URG and PSH) will be added. If a target port is open, the service running on that target port will discard the packets without sending a reply. According to specification RFC 793, when a port is closed, a remote system will reply with the RST packet.
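From the monitoring side, the flag patterns described in these breakdowns (SYN followed by RST, FIN alone, FIN+URG+PSH) are what a sensor keys on. The sketch below is an added example, not part of the original study guide; the packet tuples, the addresses and the `min_ports` threshold are constructed assumptions, and the NULL (no flags) label generalises beyond the text.

```python
"""Label TCP probes seen at a monitored server by their flag patterns."""
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
BENIGN = {"full-connect", "other"}   # labels that never count toward an alert


def classify_first_segment(flags):
    """Name the probe type implied by the first segment a client sends."""
    if flags == SYN:
        return "syn"
    if flags & (SYN | ACK | RST):
        return "other"
    if flags == 0:
        return "null"                # no flags set at all
    if flags == FIN:
        return "fin"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "xmas"
    return "other"


def classify_flow(segments):
    """segments: time-ordered (from_client, flags) pairs for one connection."""
    from_client, flags = segments[0]
    if not from_client:
        return "other"
    kind = classify_first_segment(flags)
    if kind != "syn":
        return kind
    synack_seen = False
    for from_client, flags in segments[1:]:
        if not from_client:
            if flags & RST:
                return "syn-to-closed-port"
            if flags & SYN and flags & ACK:
                synack_seen = True
        elif synack_seen:
            if flags & RST:
                return "half-open"       # SYN, SYN/ACK, RST: never completed
            if flags & ACK:
                return "full-connect"    # SYN, SYN/ACK, ACK: normal handshake
    return "syn-incomplete"


def summarise(packets, server_ip, min_ports=3):
    """Return {client: {label: [ports]}} for clients probing >= min_ports ports."""
    flows = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        if dst == server_ip:
            flows[(src, sport, dport)].append((True, flags))
        elif src == server_ip:
            flows[(dst, dport, sport)].append((False, flags))
    per_source = defaultdict(lambda: defaultdict(set))
    for (client, _client_port, server_port), segments in flows.items():
        per_source[client][classify_flow(segments)].add(server_port)
    report = {}
    for client, labels in per_source.items():
        suspicious = {name: sorted(ports) for name, ports in labels.items()
                      if name not in BENIGN}
        if len(set().union(*suspicious.values())) >= min_ports:
            report[client] = suspicious
    return report


# Constructed capture: (src, sport, dst, dport, flags), documentation addresses.
SERVER = "192.0.2.10"
SAMPLE = [
    ("198.51.100.7", 40001, SERVER, 22, SYN),
    (SERVER, 22, "198.51.100.7", 40001, SYN | ACK),
    ("198.51.100.7", 40001, SERVER, 22, RST),
    ("198.51.100.7", 40002, SERVER, 23, SYN),
    (SERVER, 23, "198.51.100.7", 40002, RST | ACK),
    ("198.51.100.7", 40003, SERVER, 80, SYN),
    (SERVER, 80, "198.51.100.7", 40003, SYN | ACK),
    ("198.51.100.7", 40003, SERVER, 80, RST),
    ("198.51.100.7", 40004, SERVER, 443, SYN),
    (SERVER, 443, "198.51.100.7", 40004, SYN | ACK),
    ("198.51.100.7", 40004, SERVER, 443, RST),
    ("198.51.100.9", 41001, SERVER, 21, FIN | PSH | URG),
    (SERVER, 21, "198.51.100.9", 41001, RST | ACK),
    ("198.51.100.9", 41002, SERVER, 25, FIN | PSH | URG),
    ("198.51.100.9", 41003, SERVER, 110, FIN | PSH | URG),
    ("203.0.113.5", 52000, SERVER, 443, SYN),
    (SERVER, 443, "203.0.113.5", 52000, SYN | ACK),
    ("203.0.113.5", 52000, SERVER, 443, ACK),
]

if __name__ == "__main__":
    for client, labels in summarise(SAMPLE, SERVER).items():
        print(client, labels)
```

The client that completes the handshake on port 443 is not reported; the two sources that never complete a connection are, with the ports grouped by probe type.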

SYN Spoofing

The attacker works through a spoofed IP address to send a SYN packet to a target. Which of the below methods did the attacker choose?

  1. IDLE
  2. NULL
  3. TCP FIN
  4. XMAS

Show answer and Breakdown

Answer: The correct answer is 1.

Breakdown: In the IDLE scan method, an attacker delegates sending the SYN packet (to a target) to a spoofed IP address. The IDLE scan is initiated with a third party’s IP address and therefore this is the only totally stealth scan technique. This makes it very difficult to detect the hacker, since the IDLE scan uses a different address from the attacker’s own.

What is a sequence number? A sequence number is a 32-bit number ranging from 1 to 4,294,967,295. Data sent over a network is broken into packets at the source and then reassembled at a destination system once it arrives. Each packet includes a sequence number used by the destination system to reassemble the data packets correctly upon arrival. When a system boots, it has an initial sequence number (ISN). As each second passes, the ISN will be incremented by 128,000. When the system connects and establishes a connection with another system, the ISN will be incremented by 64,000. For example, if a host has an ISN of 1,254,332,454 and the host sends one SYN packet, the ISN value will be incremented by 1. Therefore, the new ISN will be 1,254,332,455.

Conditions                         Increment in the ISN Value
Transfer of SYN packet             1
Transfer of FIN packet             1
Transfer of ACK packet             0
Transfer of SYN/ACK packet         1
Transfer of FIN/ACK packet         1
Passage of 1 second                128,000
Establishment of one connection    64,000

Easily Detectable Scanning Methods

Which of the below scanning methods is most accurate and reliable, with the downside being that it is also incredibly easy to detect?

  1. TCP SYN/ACK
  2. TCP FIN
  3. TCP half-open
  4. Xmas Tree

Show answer and Breakdown

Answer: The correct answer is 1.

Breakdown: Although the TCP SYN/ACK connection method is very reliable, it is easy to discover. A hacker should avoid this scanning method.

Cross-Scripting Vulnerability

While performing a security assessment of a web server, Erin realizes she needs to identify a cross-site scripting vulnerability. Which of the below suggestions would correct the vulnerability?

  1. Inform the Web Administrator that all Web application data inputs must be validated before they are processed.
  2. Add a warning to users that cookies can be transferred only via a secure connection.
  3. Disable ActiveX support within all Web browsers.
  4. Disable Java applet support within all Web browsers.

Show answer and Breakdown

Answer: The correct answer is 1.

Breakdown: Validating data input is the most efficient and secure method of fixing cross-site scripting vulnerabilities because this will address cross-site scripting on ActiveX controls and Java applets downloaded to the client as well as vulnerabilities within server-side code for an application. Disabling cookies will do nothing to counter cross-site scripting. XSS vulnerabilities do exist in downloaded Java applets and/or ActiveX controls, but such controls will be executed on the client and do nothing to solve the server-side vulnerability due to cross-site scripting.

Packet Capturing Utilities

Which of the below is not a packet capturing utility?

  1. Cain
  2. AiroPeek
  3. Wireshark
  4. Aircrack-ng

Show answer and Breakdown

Answer: The correct answer is 4.

Stealth Scanning

An attacker sends a FIN packet to a target port. What type of stealth scanning did the attacker likely use?

  1. TCP FIN scanning
  2. TCP FTP proxy scanning
  3. TCP SYN scanning
  4. UDP port scanning

Show answer and Breakdown

Answer: The correct answer is 1.

Breakdown: Port scanning is a process of connecting to TCP and UDP ports to discover services and applications active on a target system. Data packets are sent to each port to collect information.

Sending Files to FTP Servers

Nick needs to send a file to an FTP server. It will be segmented into several packets, sent to the server and reassembled upon reaching the destination target (the FTP server). In order to maintain the integrity of the packets, which information will help Nick accomplish his task?

  1. Sequence number
  2. TTL
  3. Checksum
  4. Acknowledgement number

Show answer and Breakdown

Answer: The correct answer is 1.

Teardrop Attacks

Fred is an Ethical Hacker. His newest assignment is to test the security of his company’s website. Once he performs a Teardrop attack on the web server, it crashes. Why did this happen?

  1. The server is not capable of handling overlapping data fragments.
  2. Ping requests at its server level are too high.
  3. The ICMP packet is too large. It cannot be larger than 65,536 bytes.
  4. The spoofed TCP SYN packet that contains the target’s IP address has been filled in at both source and destination fields.

Show answer and Breakdown

Answer: The correct answer is 1.

Breakdown: In performing a Teardrop attack, Fred sent a series of data packets with overlapping offset field values to the web server. The server was unable to reassemble the packets correctly and was therefore forced to crash, hang, or reboot.

Countermeasures Against Viruses

Background: When you receive e-mail with an attachment and execute the file on your machine, you get this message:

‘EICAR-STANDARD-ANTIVIRUS-TEST-FILE!’

In Notepad or TextEdit, you see the below string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Which countermeasure should you take?

  1. Run your antivirus program.
  2. No action necessary.
  3. Search for files that match the name of the attachment and remove them from your drives.
  4. Shut down or restart your system and check to see what processes are running.

Show answer and Breakdown

Answer: The correct answer is 2.

Breakdown: The message displayed upon execution indicates that the attachment might be the EICAR virus, which checks to see whether an antivirus is effective. The EICAR (EICAR Standard Anti-Virus Test File) virus file tests the response of AV programs. It allows you to discover whether your system is protected without causing actual damage to your system.

HTTP Tunneling

Which of the below would you use to perform HTTP tunneling?

Answer is complete. Select more than one answer if applicable.

  1. HTTPort
  2. Tunneled
  3. BackStealth
  4. Nikto

Show answer and Breakdown

Answer: The correct answers are 1, 2 and 3.

Breakdown: HTTPort, Tunneled and BackStealth will perform HTTP tunneling. Nikto is a Web scanner.

Bypassing Firewalls

A company blocked all ports through an external firewall and will only allow port 80/443 to connect. You want to use FTP to connect to a remote server online. How will you get around the firewall?

Answer is complete. Select more than one answer if applicable.

  1. HTTPort
  2. BackStealth
  3. Nmap
  4. BiDiBLAH

Show answer and Breakdown

Answer: Answers 1 and 2 are correct.

Breakdown: HTTP tunneling refers to the technique of using various network protocols to perform communications, which are then encapsulated using the HTTP protocol. The HTTP protocol then acts as the wrapper for a specific covert channel that the tunneled network protocol uses to communicate. The HTTPort tool is used to create a transparent tunnel via proxy server or firewall. This enables the user to operate Internet software from behind the proxy. It will bypass HTTPS and HTTP proxies, transparent accelerators, and even firewalls.

Using FTP to Download Sensitive Data

An employee in your company is suspected of transferring sensitive and proprietary data via FTP onto a competitor’s remote FTP server. FTP and its ports are not allowed by the company’s firewall. Which technique might the employee be using?

  1. Tor Proxy Chaining software
  2. IP spoofing
  3. HTTP tunneling

Show answer and Breakdown

Answer: The correct answer is 3.

Breakdown: IP-spoofing is when an attacker masks his source address by forging the header to contain a different address. Then he can make it seem like a packet was sent via another machine. A response will be sent back to a forged/spoofed source address by the target machine. Tor is a network of virtual tunnels that work like a big chain proxy. The identity of the originating computer is hidden and a random set of intermediary nodes is used to reach a target system.

Defending Against False IP Addresses

You configured a rule on a gateway device that blocks external packets with source addresses from inside the network. Which type of attack are you attempting to protect your network against?

  1. DOS attack
  2. IP spoofing
  3. Egress filtering
  4. ARP spoofing

Show answer and Breakdown

Answer: The correct answer is 2.

Breakdown: Packet filtering is a defense against IP spoofing attacks. The gateway to a network usually performs ingress filtering, or blocking packets from outside the network that use an internal source address. As a result, attackers cannot spoof the address of an internal machine and trick the network into trusting the connection.

ARP spoofing is also called ARP cache poisoning or ARP poison routing. It is a technique used to attack a local area network, or LAN. ARP spoofing can enable an attacker to intercept data frames on a LAN, modify its traffic, or even stop the traffic. However, the attack can only be used on local networks.

Egress filtering works on outgoing packets, by blocking the packets from inside the network with a source address that is not internal. This prevents an attacker within a network from launching IP spoofing attacks against external machines.
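The two filtering rules in this breakdown reduce to a check on which side of the gateway a packet arrived and whether its source address is internal. The following is an added example, not from the original guide; the internal prefixes, the sample packets and the function names are constructed assumptions. It also shows the case neither rule catches: a forged external source arriving from outside.

```python
"""Ingress and egress anti-spoofing decisions at a gateway."""
import ipaddress

# Assumed internal address space for the example (IPv4 and IPv6).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "fd00:20::/32")]


def is_internal(address):
    """True when the address falls inside any internal prefix."""
    ip = ipaddress.ip_address(address)
    # Membership tests across IP versions simply return False.
    return any(ip in net for net in INTERNAL_NETS)


def gateway_decision(arrival_side, src):
    """Decide on a packet given the interface it arrived on and its source.

    arrival_side is 'external' (from outside) or 'internal' (from the LAN).
    """
    if arrival_side not in ("external", "internal"):
        raise ValueError("arrival_side must be 'external' or 'internal'")
    inside = is_internal(src)
    if arrival_side == "external" and inside:
        return "drop-ingress"   # outside packet claiming an internal source
    if arrival_side == "internal" and not inside:
        return "drop-egress"    # inside packet claiming a non-internal source
    return "forward"


def audit(packets):
    """Group (src, dst) pairs by the decision the gateway would take."""
    results = {"forward": [], "drop-ingress": [], "drop-egress": []}
    for arrival_side, src, dst in packets:
        results[gateway_decision(arrival_side, src)].append((src, dst))
    return results


# Constructed packets: (arrival_side, source, destination).
SAMPLE = [
    ("external", "203.0.113.8", "10.20.1.5"),      # ordinary inbound traffic
    ("external", "10.20.1.77", "10.20.1.5"),       # spoofed internal source
    ("internal", "10.20.3.4", "198.51.100.20"),    # ordinary outbound traffic
    ("internal", "198.51.100.99", "203.0.113.8"),  # internal host forging a source
    ("external", "198.51.100.99", "10.20.1.5"),    # forged external source: passes
    ("external", "fd00:20::15", "fd00:20::1"),     # spoofed internal IPv6 source
]

if __name__ == "__main__":
    for decision, pairs in audit(SAMPLE).items():
        print(decision, pairs)
```

The fifth packet is forwarded even if its source is forged, because an external address arriving on the external interface looks legitimate to both rules; only the upstream network's own egress filtering can stop it.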

Using Brutus to Crack Passwords

Background: Brutus is a password-cracking tool used to crack the below authentications:

FTP (File Transfer Protocol), HTTP (Basic Authentication), HTTP (HTML Form/CGI), POP3 (Post Office Protocol v3), SMB (Server Message Block), Telnet

Which of the below attacks can Brutus perform to crack a password?

Each correct answer represents a complete solution. Choose three.

  1. Dictionary attack
  2. Brute force attack
  3. Replay attack
  4. Hybrid attack

Show answer and Breakdown

Answer: The correct answers are 1, 2 and 4.

Breakdown: In a brute force attack, the attacker will work through software that attempts a large number of different key combinations to guess passwords. To prevent such attacks, users should create passwords that are complex and therefore more difficult to guess. Server Message Block (SMB) signing is a security feature of Windows operating systems. SMB signing ensures that the transmission and reception of files across a network are not altered in any way. Note: Enabling SMB signing on the network reduces the performance of the network because of the increased processing and network traffic required to digitally sign each SMB packet.

Preventing Brute Force Attacks

What uses a 160-bit hash to protect against brute force attacks?

  1. PGP
  2. MD5
  3. SHA-1
  4. RSA

Show answer and Breakdown

Answer: The correct answer is 3.

Attacks using Hash Tables

Which of the below attacks uses a pre-calculated hash table, a structure that maps keys to values, to retrieve plain text passwords?

  1. Dictionary attack
  2. Rainbow attack
  3. Hybrid attack
  4. Brute Force attack

Show answer and Breakdown

Answer: The correct answer is 2.

Breakdown: A rainbow attack uses a hash table, also called a hash map, to retrieve plain text passwords. This kind of attack is one of the fastest methods of password cracking. Through it, the hacker calculates all possible hashes for a set of characters, which are then stored in a table, known as the Rainbow table.

Rainbow Tables

A rainbow table is rendered useless with the use of which of the below?

  1. Uju beans
  2. Pepper
  3. Salt
  4. Cinnamon

Show answer and Breakdown

Answer: The correct answer is 3.
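Why a salt defeats the precomputed table described in the rainbow attack breakdown, shown as an added example that is not part of the original guide. It uses a plain hash-to-password lookup table, as that breakdown describes it; the candidate list, the function names and the PBKDF2 iteration count are constructed assumptions.

```python
"""Precomputed hash lookups succeed on unsalted hashes and fail on salted ones."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # example value chosen for this sketch
CANDIDATES = ["123456", "password", "letmein", "qwerty"]   # constructed list


def unsalted_sha1(password):
    """Weak storage: the same password always yields the same hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password, salt):
    """Same hash function, but a per-user random salt is mixed in first."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once; reusable against every unsalted hash."""
    return {unsalted_sha1(p): p for p in candidates}


def lookup(table, stored_hash):
    """Return the password for a stored hash, or None when it is not in the table."""
    return table.get(stored_hash)


def store_password(password):
    """Recommended form: random salt plus a deliberately slow key derivation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def demo():
    """Compare what the table recovers from unsalted and salted stored hashes."""
    table = build_lookup_table(CANDIDATES)
    salt_alice, salt_bob = os.urandom(16), os.urandom(16)
    return {
        # Two users with the same password share one unsalted hash.
        "unsalted_identical": unsalted_sha1("letmein") == unsalted_sha1("letmein"),
        "unsalted_recovered": lookup(table, unsalted_sha1("letmein")),
        # With salts, the stored values differ and the table has no entry.
        "salted_identical": salted_sha1("letmein", salt_alice)
        == salted_sha1("letmein", salt_bob),
        "salted_recovered": lookup(table, salted_sha1("letmein", salt_alice)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
    record = store_password("letmein")
    print("verify ok:", verify_password("letmein", record))
```

The salt does not need to be secret; it only has to be unique per account so that one precomputed table cannot be reused across every stored hash.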

DNS Resolution Issues

Bryant is a Network Administrator of a TCP/IP network. There are DNS resolution issues with the network. Which of the following utilities could be used to diagnose the problem?

  1. NSLOOKUP
  2. PING
  3. TRACERT
  4. IPCONFIG

Show answer and Breakdown

Answer: The correct answer is 1.

Breakdown: NSLOOKUP is a diagnostic tool for catching and troubleshooting Domain Name System (DNS) issues. NSLOOKUP will send queries to a DNS server and obtain detailed responses at the command prompt. This is useful for verifying that resource records have been added or updated correctly within a zone, as well as debugging other server-related problems.

Windows Password Cracking

Which of the below tools could potentially be used for Windows password cracking, Windows enumeration, and/or VoIP session sniffing?

  1. Cain
  2. L0phtcrack
  3. John the Ripper
  4. Obiwan

Show answer and Breakdown

Answer: The correct answer is 1.

Breakdown: Cain and Abel is a multipurpose tool that will assist with Windows password cracking, VoIP session sniffing, and Windows enumeration. It is capable of performing the following types of attacks to crack passwords: dictionary attack, brute force attack, rainbow attack, and hybrid attack.

L0phtcrack will identify and resolve security vulnerabilities that resulted from the use of weak passwords. This tool will recover account passwords of Windows and Unix accounts to access user and administrator accounts.

John the Ripper is a speedy password-cracking tool for most versions of UNIX, Windows, DOS, BeOS, and OpenVMS. It also supports Kerberos, AFS, and Windows NT/2000/XP/2003 LM hashes.

Capturing VOIP Traffic on a Network

An attacker who captures the VoIP traffic on a network can use which of the following tools to recreate a conversation from the captured packets?

  1. HPing
  2. NMAP
  3. Cain and Abel
  4. VoIP-killer

Show answer and Breakdown

Answer: The correct answer is 3.

UDP Port 137

Scott is a professional Ethical Hacker and is responsible for security testing of a company’s website. He realizes that UDP port 137 of the company’s web server is open. Assuming that the Network Administrator of the company did not modify the default port values of any services, which of the below services will be found to be running on UDP 137?

  1. NetBIOS
  2. HTTP
  3. HTTPS
  4. TELNET

Show answer and Breakdown

Answer: The correct answer is 1.

Breakdown: NetBIOS is a Microsoft service that will enable applications on different machines to communicate within a LAN. The default port value of NetBIOS Name Resolution Service is 137/UDP.

DNS Zone Transfer Enumeration

In DNS Zone transfer enumeration, an attacker tries to get a copy of the entire zone file for a domain from its DNS server. The information gleaned from the DNS zone can be used to collect usernames, passwords, and other sensitive and valuable information. An attacker must first connect to the authoritative DNS server for the target zone. In addition, the attacker may launch a DoS attack against the zone’s DNS servers by flooding them with a high volume of requests. Which of the below tools can this attacker use to perform the DNS zone transfer?

Answer is complete. Select more than one answer if applicable.

  1. NSLookup
  2. Dig
  3. Host
  4. DSniff

Show answer and Breakdown

Answer: The correct answers are 1, 2, and 3.

Breakdown: An attacker can choose Host, Dig, or NSLookup for this DNS zone transfer. DSniff is a sniffer that can be used to record network traffic.

Testing Security Using netstat

Scott works as a Security Professional testing the security of a web server. He needs to find information about all network connections and listening ports, listing them in numerical form. Which of the below commands will he use?

  1. netstat -an
  2. netstat -e
  3. netstat -r
  4. netstat -s

Show answer and Breakdown

Answer: The correct answer is 1.

Breakdown: According to the scenario, Scott will use the netstat -an command to accomplish the task. The netstat -an command is used to get information of all network connections and listening ports in numerical form. netstat -e will display Ethernet information. netstat -r will display routing table information. netstat -s will display per-protocol statistics. The default setting is for statistics to be displayed for TCP, UDP, and IP.

NetBIOS NULL

Which of the below options could represent countermeasures against NetBIOS NULL session enumeration on Windows 2000?

  1. Disable TCP port 139/445
  2. Disable all SMB services on individual hosts by unbinding WINS Client TCP/IP from the server’s control panel/interface.
  3. Edit registry key HKLM\SYSTEM\CurrentControlSet\LSA and input the value RestrictAnonymous.
  4. Deny any and all unauthorized inbound connections from connecting to TCP port 53.

Show answer and Breakdown

Answer: The correct answers are 1, 2, and 3.

Breakdown: NetBIOS NULL session vulnerabilities are difficult to protect against, particularly if NetBIOS is an integral part of the infrastructure. Take the below steps to reduce NetBIOS NULL session vulnerabilities:

  1. You can disable access to the TCP 139 or TCP 445 ports, blocking NULL sessions, which require this access.
  2. You could also ostensibly disable SMB services completely on individual hosts by unbinding the WINS Client TCP/IP from the server’s interface.
  3. You can also block/restrict anonymous users by modifying the registry values in the below manner: open regedt32, go to HKLM\SYSTEM\CurrentControlSet\LSA, and choose edit > add value.
       Value name: RestrictAnonymous
       Data Type: REG_DWORD
       Value: 2

TCP port 53 is the default port for a DNS zone transfer. Disabling it will restrict DNS zone transfer enumeration, but will not be an effective countermeasure against NetBIOS NULL session enumeration.

Default Shares

You have just installed a Windows 2003 server. What action should you take regarding the default shares?

  1. You should disable them.
  2. You should disable them only if it is a domain server.
  3. Modify the values so that they are hidden shares.
  4. Windows Server operations/services require these default shares, so they should be left as-is.

Show answer and Breakdown

Answer: The correct answer is 1.

Breakdown: Unless they are absolutely necessary to system function, default shares should be disabled, as they pose a significant security risk. These kinds of shares give intruders the means to hack into your server.

Masquerading Attacks

Masquerading (attempting to impersonate a person or another machine), providing false information, or denying the existence of a transaction or event is classified as which of the below forms of attack?

  1. A dictionary attack
  2. A repudiation attack
  3. A DDoS attack
  4. A replay attack

Show answer and Breakdown

Answer: The correct answer is 2.

Breakdown: Through a faked digital signature, email spoofing, and/or taking on the IP address of another machine, an attacker performs a repudiation attack. The attack may also involve an attempt to give misleading and incorrect information or the denial that a real event or transaction occurred.

For a distributed denial of service (DDoS) attack, an attacker would act through multiple computers in the network that were previously infected. These ‘distributed’ computers will act together to send out fake messages on behalf of the hidden attacker to increase the volume of phony traffic. In a distributed denial-of-service attack, multiple machines can generate more attack traffic than just one machine and they are more difficult to turn off than one attack machine. In addition, each attack machine can be stealthier, making it harder for network administrators to stop the attack.

In a replay attack, attackers will capture packets containing passwords or digital signatures as the packets transmit between two distinct hosts. The attackers will then resend that captured packet to the target system in order to try to force an authenticated connection.

In a dictionary attack, a ‘dictionary’ of common words is used to discover user passwords. It can also use common words in both upper and lower case to discover a password.

Securing FTP Servers

As a network administrator, you want to secure your company’s FTP server so that no non-authorized users can gain access to it. How can you do this?

  1. Disable anonymous authentication.
  2. Enable anonymous authentication.
  3. Stop FTP service on the server.
  4. Disable the network adapter on the server.

Show answer and Breakdown

Answer: The correct answer is 1.

Breakdown: Anonymous authentication allows access to an FTP site without a user account and password. So you will need to disable anonymous authentication to prevent unauthorized users from accessing the FTP server. You can do this through the IIS (Internet Information Services) Manager.

Windows 2000 Server Security

Your computer uses the Windows 2000 Server OS. You need to improve the security of the server. Which of the below changes are required to accomplish this?

Answer is complete. Select two answers from the below choices.

  1. Remove the Administrator account.
  2. Enable the Guest account.
  3. Rename the Administrator account.
  4. Disable the Guest account.

Answer: Answers 3 and 4 are correct.

Protecting Against Enumeration

Your company has developed publicly hosted web apps and uses an internal Intranet protected by a firewall. Which of the below techniques would provide some protection against enumeration?

  1. Reject all email received via POP3.
  2. Remove “A records” for internal hosts.
  3. Allow full DNS zone transfers to non-authoritative servers.
  4. Enable null session pipes.

Answer: The correct answer is 2.

Testing Security with snmpbulkwalk

Scott, an Ethical Hacker, is responsible for testing the security of his company’s website. First, he runs an SNMP scanner, snmpbulkwalk, to send SNMP requests to several IP addresses. Though he attempts multiple community strings, he gets no response. Which of the below options could be a cause for this situation?

Answer is complete. Select more than one answer if applicable.

  1. The target system is using SNMP version 2, which cannot be scanned by snmpbulkwalk.
  2. The target system has halted SNMP services.
  3. Scott was searching for the Public and Private community strings, but the company’s previous team had altered the default names.
  4. The target system is unreachable due to low Internet connectivity.

Answer: The correct answers are 2, 3, and 4.

Connection String Parameter Pollution

Which of the following techniques will perform a Connection String Parameter Pollution (CSPP) attack?

  1. Adding a single quote after a URL with no resolving quote.
  2. Inserting malicious JavaScript code into the input parameters.
  3. Adding several parameters with the same name in HTTP requests.
  4. Injecting parameters into the connection string, using semicolons as a separator.

Answer: The correct answer is 4.

SNMP Enumeration

Which of the following statements are true about SNMPv1 and SNMPv3 enumeration?

Answer is complete. Select more than one answer if applicable.

  1. Every version of SNMP protocols uses community strings in a clear text format, and is therefore easily recognizable.
  2. Simple Network Management Protocol (SNMP) is a TCP/IP standard protocol used to monitor and manage hosts, routers, and other devices within a network.
  3. SNMP enumeration involves gathering information about hosts, routers, devices, etc. with the help of SNMP.
  4. Implementing Access control list filtering to allow only access to the read-write community from approved stations or subnets can be an effective countermeasure against unauthorized SNMP enumeration.

Answer: Answers 2, 3 and 4 are correct.

Breakdown: SNMP version 3 does provide data encryption; however, SNMP version 1 utilizes a clear text protocol—which offers limited security via community strings. Therefore, SNMP v1 is actually used more commonly than v3. By default, the names of the community strings are public and private and will be transmitted in clear text format.

Default Passwords for SNMP

Background: Jacob works as a professional Ethical Hacker. His latest project is testing the security of a company. He first wants to execute an SNMP enumeration of the web server to collect information about the hosts, routers, and other devices in the network. Unfortunately, without entering a password for the SNMP service, he cannot perform the SNMP scan. He has a theory that the default names may still be in use. He enters the default password and gets the SNMP service details. Which of the below are the default passwords for SNMP?

Answer is complete. Select more than one answer if applicable.

  1. Administrator
  2. Password
  3. Public
  4. Private

Answer: The correct answers are 3 and 4.

Versions of SNMP

What version of SNMP will not send passwords and messages in clear text format?

  1. SNMPv3
  2. SNMPv1
  3. SNMPv2c
  4. SNMPv2

Answer: The correct answer is 1.

Scanning Devices Using the IP Network Browser

The IP Network Browser will scan a specific IP subnet and display the devices that are actively responding on that subnet. It will then query the devices that responded through SNMP. Which of the below ports would be used by IP Network Browser to scan devices with SNMP enabled?

  1. 22
  2. 161
  3. 21
  4. 80

Answer: The correct answer is 2.

Countermeasures Against SNMP Enumeration

Which of the below choices would be effective countermeasures against SNMP enumeration?

Answer is complete. Select more than one answer if applicable.

  1. Disabling the SNMP service or simply removing the SNMP agent.
  2. Where disabling SNMP is not possible, changing the default PUBLIC community name to something else.
  3. Enable the Group Policy security setting, “Additional restrictions for anonymous connections.”
  4. Allowing reasonable or even unrestricted access to NULL session pipes and shares.

Answer: The correct answers are 1, 2 and 3.

Breakdown: The following are effective countermeasures against SNMP enumeration: answers 1, 2, and 3 above. Restrict access to NULL session pipes and shares. Upgrade SNMP version 1 to the most recent version. Use access control list filters that only allow entry and use of the read-write community from specifically authorized stations and/or subnets.

Tools for SNMP Enumeration

Because SNMP is not generally audited it can pose a significant threat, particularly if it has not been configured properly. Attackers are likely aware that SNMP can be used for account and device enumeration. SNMP has two passwords to access and adjust the configuration of the SNMP agent from a management station: the read-only community string and the read-write community string. Which of the below tools/utilities would be useful for SNMP enumeration?

  1. SNMPEnum
  2. SNMP Agent
  3. SNMP Util
  4. SNMP Manager

Answer: The correct answer is 3.

Breakdown: SNMPUtil is a command-line tool that gathers Windows user account information via SNMP on Windows systems. Using this tool you can gather information such as routing tables, ARP tables, IP addresses, MAC addresses, open TCP/UDP ports, user accounts and shares.

OWASP Web Application for Pen Testing

This web application from Open Web Application Security Project (OWASP) has well-known vulnerabilities (this app was deliberately developed as a way to teach ethical hackers how such vulnerabilities could be exploited).

  1. BackTrack
  2. WebVuln
  3. Hackme.com
  4. WebGoat

Answer: The correct answer is 4.

Breakdown: OWASP created another web security application that serves as an excellent testing tool for students and professionals, WebScarab. This app will intercept HTTP and HTTPS requests from a user agent and edit them before they are sent to the destination server.

Computer Policies

Which of the following best dictates if certain behaviors are allowed on a system or server?

  1. Data Loss Prevention Policy
  2. Acceptable Use Policy
  3. Network Firewall
  4. Information Security Policy

Answer: The correct answer is 4.

Dangers of an Open Port 25

What risk could be posed by having an open port 25 on a server?

  1. Unrestricted sharing of printers
  2. Active mail relay
  3. Clear text authentication could easily be faked.
  4. Web portal data leak

Answer: The correct answer is 2.

Asymmetric Encryption

In an asymmetric encryption scheme, any user may create an encrypted message, but only an administrator with a private key can decrypt messages. Which of the below are examples of asymmetric encryption, a scheme in which any user could encrypt messages through a public key? (Choose 2.)

  1. PGP (Pretty Good Privacy)
  2. 3DES, or Triple DES
  3. RSA, an algorithm for public-key cryptology
  4. SHA1, or secure hash algorithm (designed by the U.S. National Security Agency)

Answer: The correct answers are 1 and 3.

Insecure Software Protocols

Arnold is working as a Network Security Professional. His project is testing the security of his company’s website. He determines that the company has blocked all ports except port 80. Which of the below attacks could he use to send insecure software protocols?

  1. URL obfuscation
  2. Banner grabbing
  3. HTTP tunneling
  4. MAC spoofing

Answer: The correct answer is 3.

Breakdown: The organization had blocked all ports outside of port 80. Therefore, Arnold can use HTTP tunneling to send insecure software protocols. MAC spoofing is a technique that involves the modification of the assigned Media Access Control (MAC) address of one machine, exchanging it instead with a MAC address accepted by the target system. Using the URL obfuscation technique, an attacker can bypass filters or other defenses put in place to block specific IP addresses by altering the format of URLs.

Advanced Encryption Standard (AES)

What is the Advanced Encryption Standard (AES) primarily used for?

  1. Key exchange
  2. Bulk data encryption
  3. Key creation
  4. IPSec

Answer: The correct answer is 2.

Password Cracking in a Linux Environment

Which of the below password-cracking tools will work within the UNIX or Linux environment?

  1. Brutus
  2. Cain and Abel
  3. John the Ripper
  4. Ophcrack

Answer: The correct answer is 3.

Breakdown: John the Ripper (JTR) is a password-cracking utility that can be used within UNIX, Linux, and Windows environments. JTR is capable of both dictionary (entering hundreds—or millions of words to attempt decryption) and brute force attacks. Brute force attacks are also known as exhaustive key searches. Both dictionary and brute force attacks are most often mounted when an account lockout policy is not in place—in other words, a security team should simply lock out an account when too many failed password attempts have been made.

Bypassing Access Control Lists on Servers

Which of the below hacking assaults allow you to bypass an access control list on servers or routers, helping you to mask your presence?

Each correct answer represents a complete solution. Choose two.

  1. DNS cache poisoning attack
  2. DDoS attack
  3. MAC spoofing attack
  4. IP spoofing attack

Answer: Answers 3 and 4 are correct.

Breakdown: Either the IP spoofing attack or the MAC spoofing attack will mask an identity within the network. MAC spoofing is a hacking technique where an assigned Media Access Control (MAC) address is changed to another system’s MAC address—in the attempt to be accepted on the system, which may allow the bypassing of access control lists (ACLs) on servers or routers (either masking the presence of a computer on a network, or allowing the system to successfully impersonate an authorized machine). DNS cache poisoning occurs when non-authoritative information (not from accepted DNS sources) is dumped or placed onto a DNS server, rendering it ‘poisoned,’ as the information can no longer be proven safe. User clients are then supplied with this non-authentic data, which may or may not be malicious.

Session Hijacking

Which of the below assertions are accurate with regard to session hijacking?

Answer is complete. Select more than one answer if applicable.

  1. It involves the exploiting of a valid computer session, or a session key, to gain unauthorized access to information and/or services in a target system.
  2. To accomplish TCP session hijacking, a hacker will take control of a TCP session between two machines.
  3. It can be accomplished through IP spoofing and is possible because authentication usually occurs only at the start of a TCP session.
  4. It is used to slow down the functioning of network resources within a target system.

Answer: The correct answers are 1, 2 and 3.

Breakdown: Session hijacking occurs when a hacker gains unauthorized access to a TCP session when it has already started. It takes control of the session when it is between two machines, utilizing a valid computer session. That session is also referred to as a ‘session key.’ This process often involves the theft of a so-called magic cookie used to prove the authenticity of a user to a remote server.

How Operating Systems Protect Login Passwords

How does an operating system protect login passwords?

  1. It stores all passwords in a protected segment using non-volatile memory.
  2. It encrypts the passwords using an encoder, and decrypts them as necessary.
  3. It stores all passwords within a secret file that is hidden from its users.
  4. It performs a one-way hash of the passwords.

Answer: The correct answer is 4.

Breakdown: A one-way hash is also known as a fingerprint or compression function. Some possible algorithms include MD4, MD5, SHA and SHA256. The one-way hash involves a mathematical function of a variable-length string. It can also be used to create digital signatures and/or file identification.

Stealing Session Cookies

In which of the below attacks will an attacker use packet sniffing to access and analyze network traffic between two parties, thereby stealing the session cookie?

  1. Session sidejacking
  2. Session fixation
  3. Cross-site scripting
  4. ARP spoofing

Answer: The correct answer is 1.

Breakdown: In Session sidejacking, an attacker will perform packet sniffing to access and analyze network traffic between two parties in an attempt to rip off the session cookie. Many websites use SSL encryption for their login pages to prevent attackers from viewing the password, but for the remainder of the session do not use any encryption. This allows attackers a chance to intercept data submitted to the server post-login, as well as any webpages viewed by the client after they have logged in. Unfortunately, this data includes the session cookie, making it easy for the attacker to impersonate the victim—even when the victim’s password has never been revealed. In Session fixation, the attacker exploits a system’s vulnerability to fixate or set a target user’s session identifier (SID). This method of attack requires a user to adopt the SID, ordinarily through a link sent in an e-mail containing the SID chosen by the attacker. From that point, the hacker can access the site through the SID, posing as the victim. In cross-site scripting, the attacker fools the user’s computer into executing malicious code, which is treated as trustworthy since it appears to belong to the server. The attacker can use this opportunity to grab a copy of the cookie or implement other operations.
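The exposure described in this breakdown (a login protected by SSL, followed by session traffic that is not) can be spotted from response headers alone. The following Python check is an added example, not part of the original study guide; the host shop.example, the cookie values and the list of session-cookie names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: response headers observed during and after a login.
SAMPLE_RESPONSES = [
    ("https://shop.example/login", [
        ("Set-Cookie", "SESSIONID=6f1c2a; Path=/; HttpOnly"),
        ("Location", "http://shop.example/account"),
    ]),
    ("http://shop.example/account", [
        ("Set-Cookie", "cart=3; Path=/"),
    ]),
    ("https://shop.example/settings", [
        ("Set-Cookie", "csrf=9b7e; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ]),
    ("https://shop.example/api", [
        ("Set-Cookie", "PHPSESSID=aa11; Path=/; Secure"),
    ]),
]

# Assumption: cookie names this (hypothetical) site uses for sessions.
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid"}


def parse_set_cookie(value):
    """Return (cookie_name, set_of_lowercased_attribute_names)."""
    parts = [part.strip() for part in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {part.partition("=")[0].strip().lower() for part in parts[1:] if part}
    return name, attrs


def audit_responses(responses):
    """List (url, item, issue) tuples for header settings that leave a
    session cookie readable by someone sniffing or scripting the page."""
    findings = []
    for url, headers in responses:
        scheme = urlsplit(url).scheme.lower()
        for header_name, header_value in headers:
            header = header_name.lower()
            if header == "set-cookie":
                cookie, attrs = parse_set_cookie(header_value)
                if "secure" not in attrs:
                    # Browser will also send this cookie on plain-HTTP
                    # requests, where a sniffer can read it (sidejacking).
                    findings.append((url, cookie, "no-secure-flag"))
                if cookie.lower() in SESSION_COOKIE_NAMES and "httponly" not in attrs:
                    # Script injected through XSS can read the cookie.
                    findings.append((url, cookie, "session-cookie-no-httponly"))
                if scheme == "http":
                    # The cookie value itself crossed the network in clear.
                    findings.append((url, cookie, "set-over-http"))
            elif header == "location":
                if scheme == "https" and header_value.lower().startswith("http://"):
                    # Encrypted login page hands the user to an
                    # unencrypted page for the rest of the session.
                    findings.append((url, "Location", "https-to-http-redirect"))
    return findings


if __name__ == "__main__":
    for url, item, issue in audit_responses(SAMPLE_RESPONSES):
        print(f"{issue:28} {item:10} {url}")
```
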

Firewalking

Which of the below statements is not true about firewalking?

Answer is complete. Select more than one answer if applicable.

  1. It can be useful in discovering the types of ports or protocols capable of bypassing a specific firewall.
  2. In order to perform firewalking, an attacker must have an address accepted as secure by the firewall as well as one that is not accepted by the firewall.
  3. Firewalking works on UDP packets.
  4. In this technique, the attacker will transmit a crafted packet with a TTL (time-to-live) value that will expire after one hop past the firewall.

Answer: The correct answer is 3.

Breakdown: Firewalking is a way to determine how a packet will move from an untrusted external host to a protected internal host through a firewall. This will allow the attacker to discover which ports are open and whether these packets can pass through the packet-filtering devices of the firewall.

Intercepting Data

Alice wants to prove her identity to Robert. Robert asks Alice to provide him with her password, which Alice dutifully provides (possibly after some transformation with a hash function). During this time, a woman named Eve observes the conversation between Robert and Alice and records the password. Later, Eve connects to Robert posing as Alice, providing the password read from the previous session. Robert accepts it, unaware that Eve is not Alice. What kind of attack does this describe?

  1. Replay
  2. Session fixation
  3. Cross-site scripting
  4. Firewalking

Answer: The correct answer is 1.

Using Commands to Scan Ports

Which of the below commands can be used to scan ports?

  1. nc -z
  2. nc -g
  3. nc -t
  4. nc -w

Answer: The correct answer is 1.

Breakdown: The nc -z command will switch the netcat command into port scanning mode. Netcat is a free networking tool that will read and write data via network connections using the TCP/IP protocol.

Password Vulnerabilities

Kyrie is a Security Administrator. To access his laptop, he only needs to enter a 4-digit personal identification number (PIN). He also set a token to check offline whether he has entered the right PIN. Which of the below attacks is a foreseeable result of Kyrie’s folly?

  1. Brute force
  2. Replay
  3. Smurf
  4. Man-in-the-middle

Answer: The correct answer is 1.

Breakdown: A brute force attack is conceivable and possibly even likely to occur on Kyrie’s laptop. Since his PIN contains merely 4 digits, it is highly vulnerable to a brute force attack. However, because the token checks the PIN offline, a man-in-the-middle attack is not feasible. Man-in-the-middle attacks involve an attacker successfully inserting an intermediary program between two interacting hosts. The intermediary software or program will make it possible for attackers to observe and even alter communication packets as they pass between the hosts. Once the communication packets sent from one host have been intercepted, the altered packet can be sent to the receiving host, so it seems legitimate.

Preventing Man-in-the-Middle Attacks

Jacob is his company’s security engineer and several employees are requesting that they have remote access to their work machines. What will he use to limit the risks of an MiTM attack?

  1. IPSec
  2. SSL
  3. TLS
  4. HTTP over DNS

Answer: The correct answer is 1.

How to Obtain Administrator Privileges

Background: Yuri works as a full-time contracted Ethical Hacker. He recently was hired to complete a security check for a website. In his security check, he is able to steal the Security Accounts Manager (SAM) file from the server he was testing. Here is the output:

  Dick:501:D4DCC2975DC76FB2AAD3B435B51404EE
  Bruce:500:5351CF62FC930923AAD3B435B51404EE
  Administrator:1002:8AD7EAA34F1A9A31DA5A59A9D0150C17
  Alfred:1001:F1402A82F3AB3A2EBA12F405D7E7327B

Given the above list, whose account will Yuri attack and break into in order to obtain administrator privileges?

  1. Administrator
  2. Alfred
  3. Bruce
  4. Dick

Answer: The correct answer is 3.

Breakdown: RID 500 is used for the Administrator account. In the given scenario, the RID code of Mr. Wayne is 500. Therefore, Yuri will break Mr. Wayne’s account to obtain administrative privileges.

Cracking SMB Passwords

In attempting to crack the password of Server Message Block (SMB), which of the following tools would prove useful?

Answer is complete. Select more than one answer if applicable.

  1. L0phtCrack
  2. Pwddump2
  3. SMBRelay
  4. KrbCrack

Answer: Answers 1 and 3 are correct.

Breakdown: L0phtCrack is a Windows password recovery tool that will assist hackers with dictionary, brute force, and hybrid password-cracking attacks. In addition, L0phtCrack is capable of capturing SMB packets on a local network segment as well as capturing the login sessions of separate users. SMBRelay is an SMB server used to grab usernames and password hashes from inbound SMB traffic. Pwddump2 will extract password hashes from a Security Accounts Manager file—on Windows systems. KrbCrack is a Kerberos (a computer authentication protocol which works through tickets) password cracker and sniffer.

How to Execute a Trojan Using a Remote Connection

Which of the below tools would be useful for achieving connection to a remote computer and then executing a Trojan on it?

  1. PsExec
  2. Remoxec
  3. GetAdmin.exe
  4. Hk.exe

Answer: The correct answer is 1.

Breakdown: The PsExec tool is a lightweight telnet-replacement utility that will execute a process or processes on remote machines; it allows complete interactivity for console applications. With PsExec, there is no need to manually install software on a remote machine in order to execute remote processes.

Weak Password Policies

In performing a security audit, you discover that the password policy only requires 5 characters with letters and numbers (no special characters). Why might this method be problematic?

  1. It isn’t; this is a strong password policy.
  2. The policy ought to also require special characters.
  3. This password policy is too weak for several reasons.
  4. The password policy should require a minimum of 6 characters.

Answer: The correct answer is 3.

Breakdown: A good password policy would involve a minimum of 6 characters, and require letters and numbers. However, a good policy would also set how often passwords must be changed, and determine for how long a history should be kept. This is a very weak password policy.

Which of the below are the well-known weaknesses/downsides of LAN Manager hash?

Answer is complete. Select more than one answer if applicable.

  1. LM hash will convert any lowercase passwords to uppercase.
  2. Hashes in LM hash are transmitted in clear text via the network.
  3. Passwords longer than 7 characters are split up into 2 sections, with a max of 14 characters.
  4. It does not use cryptographic salt.
  5. It uses only 16-bit encryption.
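The RID rule from the "How to Obtain Administrator Privileges" breakdown and the LM hash split described above can both be checked mechanically, which is how a defender finds the accounts to fix first. The following Python audit is an added example, not part of the original study guide; it assumes the name:RID:hash layout of the SAM output shown in that question and that the hash field is an LM hash, and the function names and issue labels are hypothetical.

```python
from collections import namedtuple

Account = namedtuple("Account", "name rid lm_hash")

# LM hashes each 7-character half separately; an empty half always
# produces this value (it appears twice in the guide's own output).
EMPTY_LM_HALF = "AAD3B435B51404EE"

# RIDs that Windows fixes for built-in accounts; renaming does not change them.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

# The four entries from the guide's SAM question, separated by spaces or newlines.
PAGE_DUMP = (
    "Dick:501:D4DCC2975DC76FB2AAD3B435B51404EE "
    "Bruce:500:5351CF62FC930923AAD3B435B51404EE "
    "Administrator:1002:8AD7EAA34F1A9A31DA5A59A9D0150C17 "
    "Alfred:1001:F1402A82F3AB3A2EBA12F405D7E7327B"
)


def parse_dump(text):
    """Parse whitespace-separated name:RID:hash entries, rejecting bad ones."""
    accounts = []
    for entry in text.split():
        fields = entry.split(":")
        if len(fields) != 3:
            raise ValueError(f"expected name:RID:hash, got {entry!r}")
        name, rid, lm_hash = fields[0], fields[1], fields[2].upper()
        is_hex = all(ch in "0123456789ABCDEF" for ch in lm_hash)
        if not rid.isdigit() or len(lm_hash) != 32 or not is_hex:
            raise ValueError(f"malformed RID or hash in {entry!r}")
        accounts.append(Account(name, int(rid), lm_hash))
    return accounts


def audit(accounts):
    """Return (account_name, issue) findings for an administrator to fix."""
    findings = []
    for acct in accounts:
        builtin = WELL_KNOWN_RIDS.get(acct.rid)
        if builtin and acct.name.lower() != builtin.lower():
            # Renaming hides the name, not the RID that identifies the role.
            findings.append((acct.name, f"renamed-builtin-{builtin.lower()}"))
        if acct.name.lower() == "administrator" and acct.rid != 500:
            # An ordinary account that only carries the well-known name.
            findings.append((acct.name, "name-without-rid-500"))
        first, second = acct.lm_hash[:16], acct.lm_hash[16:]
        if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
            findings.append((acct.name, "blank-or-no-lm-hash"))
        elif second == EMPTY_LM_HALF:
            # Only the first 7-character half carries any password material.
            findings.append((acct.name, "lm-password-7-or-fewer"))
    return findings


def builtin_administrator(accounts):
    """Name of the account holding RID 500, whatever it has been renamed to."""
    for acct in accounts:
        if acct.rid == 500:
            return acct.name
    return None


if __name__ == "__main__":
    parsed = parse_dump(PAGE_DUMP)
    print("RID 500 is held by:", builtin_administrator(parsed))
    for name, issue in audit(parsed):
        print(f"{name:15} {issue}")
```
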

False Password Attacks

Because system administrators, in managing use of their network, universally use passwords for access control, password-hacking techniques continue to crop up and advance. Password stealing allows hackers to utilize user credentials and could potentially be the cause of significant data losses from the system. Which of these is NOT a type of password attack?

  1. Phishing
  2. Shoulder surfing
  3. Password hashing
  4. Social engineering

Answer: The correct answer is 3.

Breakdown: Password hashing is a method of password encryption prior to its storage so that system password databases cannot easily be decrypted. Password hashing is effective in limiting damage, so long as the proper method of hashing is utilized. Other terms that are used in place of password hashing include message digests and data fingerprinting.

The human side: social engineering is when an unknown person manipulates a victim into divulging information or taking the action that the attacker wants. This often involves contrived circumstances, such as fooling a user into believing they are someone familiar. It could also involve ‘tailgating’ behind a person they recognize on the network. Social engineering exploits the ‘human factor,’ where people respond differently to the human element. This may also involve information gathering, whether through ‘dumpster diving,’ or some other method. This is one of the methods hackers use to infiltrate a corporate network, and a large gap in the security of most companies.

Phishing, a social engineering method, is used to swindle users into providing information about themselves and their machines. Phishing relies heavily on the low usability of current security methods to protect against these kinds of attacks. Email spoofing is particularly common in phishing attacks, where an email will request details and information from a user, hooking them by providing a spoofed address of a recognizable and trustworthy website. Often the website is practically a copy of the legitimate website, fooling users into trusting it.

In addition to the above, shoulder surfing is another social engineering trick. It uses the direct observation technique. The obvious example is peering over someone’s shoulder when they input a password or PIN.

How Government Officials Locate Information

Which of the below methods of information discovery is used by governmental authorities and the police?

  1. Spoofing
  2. Wiretapping
  3. Phishing
  4. SMB signing

Answer: The correct answer is 2.

SSH-1 Protocol vs. SSH-2 Protocol

Which of the below account authentications are supported by SSH-1 protocol but not SSH-2 protocol?

Answer is complete. Select more than one answer if applicable.

  1. Kerberos authentication
  2. Rhosts (RSH-style) authentication
  3. Password-based authentication
  4. TIS authentication

Answer: The correct answers are 1, 2 and 4.

Breakdown: The SSH-2 protocol supports Publickey (including DSA, RSA, and OpenPGP), Hostbased, and Password-based authentication types. Note: SSH-1 supports a wider range of account authentication types, including the above and RSA only, RhostsRSA, Rhosts (RSH-style), TIS, and Kerberos authentication types.

Disadvantages to NTLM Web Authentication Scheme

What are the disadvantages of the successor to the NTLM (NT LAN Manager) Web authentication scheme?

Answer is complete. Select more than one answer if applicable.

  1. It is vulnerable to brute force attacks.
  2. It will only work with Microsoft Internet Explorer.
  3. Passwords will be sent in clear text format to a Web server.
  4. Passwords will be sent in hashed format to a Web server.

Answer: Answers 1 and 2 are correct.

Breakdown: The following are the downsides of the NTLM Web authentication scheme. NTLM Web authentication is not entirely safe because NTLM hashes (or challenge/response pairs) can be cracked with the help of brute force password guessing. The “cracking” program would repeatedly try all possible passwords, hashing each and comparing the result to the hash that the malicious user has obtained. Another major downside is that this authentication technique only functions on one browser, Microsoft Internet Explorer, forcing all users to log in through IE.

Digest Access Authentication

Which of the below statements is accurate regarding the Digest Access Authentication scheme?

  1. It often uses the base64 encoding encryption scheme.
  2. A password will be sent over a network in clear text format.
  3. A username and password are required for each request, not only when the user initially logs in.
  4. A valid response from the user will include a checksum of the username, the password, the given random value, the HTTP method, and the requested URL.

Answer: The correct answer is 4.

Breakdown: The Digest Authentication scheme replaces the Basic Authentication scheme. Based on the challenge response model, digest authentication never sends a password in clear text format. Instead, passwords are transmitted as an MD5 digest.
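The challenge-response exchange described above, with both sides shown, as an added Python example that is not part of the original study guide. It uses the basic Digest form without the optional qop field (the realm is hashed in alongside the items the answer lists); the user, realm, paths and the one-use-per-nonce server policy are constructed assumptions.

```python
import hashlib
import hmac
import secrets


def md5_hex(text):
    """Hex MD5 of a string; Digest authentication uses it for every hash."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def client_response(username, realm, password, nonce, method, uri):
    """Value the client sends in place of the password."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # who is asking
    ha2 = md5_hex(f"{method}:{uri}")                 # what is being asked for
    return md5_hex(f"{ha1}:{nonce}:{ha2}")           # tied to the server's nonce


class DigestServer:
    """Server side: issues nonces and checks responses.

    Assumption for this example: each nonce is accepted once only, so a
    captured response cannot be replayed."""

    def __init__(self, realm, users):
        self.realm = realm
        # Only HA1 is stored, so the server never needs the clear password.
        self.ha1 = {name: md5_hex(f"{name}:{realm}:{pw}") for name, pw in users.items()}
        self.open_nonces = set()

    def challenge(self):
        """Random value sent with the 401 response."""
        nonce = secrets.token_hex(16)
        self.open_nonces.add(nonce)
        return nonce

    def verify(self, username, nonce, method, uri, response):
        if nonce not in self.open_nonces:
            return False                      # unknown or already used nonce
        self.open_nonces.remove(nonce)
        ha1 = self.ha1.get(username)
        if ha1 is None:
            return False                      # unknown user
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
        return hmac.compare_digest(expected, response)


def run_exchange():
    """One legitimate request followed by three misuse attempts."""
    server = DigestServer("example-realm", {"alice": "correct horse"})
    creds = ("alice", "example-realm", "correct horse")
    results = {}

    nonce = server.challenge()
    response = client_response(*creds, nonce, "GET", "/reports")
    results["password_on_wire"] = "correct horse" in response
    results["first_use"] = server.verify("alice", nonce, "GET", "/reports", response)

    # An eavesdropper resends exactly what was captured.
    results["replayed"] = server.verify("alice", nonce, "GET", "/reports", response)

    # The captured response offered against a fresh challenge.
    fresh = server.challenge()
    results["old_response_new_nonce"] = server.verify(
        "alice", fresh, "GET", "/reports", response)

    # A valid response moved onto a different method and URL.
    third = server.challenge()
    moved = client_response(*creds, third, "GET", "/reports")
    results["other_request"] = server.verify("alice", third, "POST", "/admin", moved)
    return results


if __name__ == "__main__":
    for check, outcome in run_exchange().items():
        print(f"{check:24} {outcome}")
```
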

Single Sign-On Schemes

Which of the below Web authentication techniques uses a single sign-on scheme?

  1. Basic
  2. Digest
  3. NTLM
  4. Microsoft Passport authentication

Answer: The correct answer is 4.

Breakdown: Microsoft Passport authentication uses single sign-on authentication. Users only remember one username and password to be authenticated for the use of multiple services. Microsoft Passport was formerly known as Microsoft Wallet or .NET Password, Microsoft Password, Windows Live ID, and more recently, “Microsoft account.” The service has a history of security vulnerabilities and a trail of patches and fixes that were reported by ethical hackers around the globe.

Uses of L0phtcrack (LC4)

What is L0phtcrack (LC4) used for?

  1. To launch DDoS attacks using cracks in the network.
  2. To run lofty port scans for all open services on a target network.
  3. It is a Windows password-cracking utility.
  4. It is an effective network traffic-sniffing tool.

Answer: The correct answer is 3.

Rules Common to Password Policies

Which of the below rules are common to password policies?

Answer is complete. Select more than one answer if applicable.

  1. Users must use only words found in a dictionary or including their street address or other personal information.
  2. Users must include one or more special characters.
  3. Users must include one or more numerical digits.
  4. Users must make use of both upper- and lower-case letters (case sensitivity).

Answer: The correct answers are 2, 3 and 4.

Breakdown: A password policy encourages users to use strong passwords and update them properly in order to enhance a web server’s security.

Locating Keyghost Keylogger on a Computer

Fred is a professional Ethical Hacker. One of his responsibilities includes security testing the web server of his company. His machine is using Windows Server 2003. If Fred suspects that a friend of his installed the keyghost keylogger onto his machine, which of the following solutions should he execute?

Answer is complete. Select more than one answer if applicable.

  1. Use a network monitor, which will alert him when an application attempts to make an unauthorized network connection (to send the data with the typed information).
  2. Use on-screen keyboards and speech-to-text conversion software that can also be useful against keyloggers, as no typing or mouse movements are involved.
  3. Use commercially available anti-keyloggers such as PrivacyKeyboard.
  4. Remove the SNMP agent or disable the SNMP service.

Answer: The correct answers are 1, 2 and 3.

Breakdown: Network monitors (also known as reverse-firewalls) can be used to alert the user whenever an application attempts to make a network connection. This gives the user the chance to prevent the keylogger from “phoning home” with his or her typed information. On-screen keyboards and other accessibility tools will defeat some keyloggers, but are not an effective solution against all keyloggers, because many of these tools still send keyboard signals. In addition, screenshots can accomplish the same purpose. Using them is still recommended, but not as the only measure. PrivacyKeyboard, or another anti-keylogger, will be an effective countermeasure, as these applications have been built specifically to protect against keylogging software. If run frequently, they can limit the amount of information delivered to a hidden keylogger before it’s discovered.

Email Tracking

Email tracking comes under which of the below hacking phase(s)?

  1. Scanning
  2. Maintaining Access
  3. Gaining access
  4. Reconnaissance

Answer: The correct answer is 4.

Masking Identity Using a Faked Source IP Address

Which of the below attacks involves an attacker creating IP packets with a faked source IP address with the intent of masking his identity or impersonating another system?

  1. Cross-site request forgery
  2. Polymorphic shell code attack
  3. Rainbow attack
  4. IP address spoofing

Answer: The correct answer is 4.

Breakdown: Cross-site request forgery, which is also known as a one-click attack or session riding, occurs when a hacker sends unauthorized commands from a user that a website already trusts. Unlike cross-site scripting (XSS), CSRF works through exploitation of the trust that a website has in a user’s web browser. This method often uses social engineering—for example, the hacker will send a link via message or email—and the user will be tricked into opening a link that contains a malicious request. Through this link, the attacker can force the victim to execute a command, such as a funds transfer, information modification or logout.

Tools for Anti-Phishing

Which of the below tools are used for anti-phishing?

  1. Netcraft
  2. eBlaster
  3. Spector
  4. Legion

Answer: The correct answer is 1.

Breakdown: The Netcraft website stores the data of phishing websites and offers a toolbar that analyzes website authentication. Periodically, Netcraft will poll web servers to discover the OS version as well as the server’s software version. Netcraft offers anti-fraud/anti-phishing services, application testing, and PCI (Payment Card Industry) scanning. In addition, Netcraft can be used for analysis in the following areas: market share of web servers, operating systems, hosting providers and Secure Sockets Layer (SSL) authorities.

Filtering Packets by MAC Address and TCP Header Flags

Aaron’s server is Linux-based, and he wants to use a tool to filter packets by MAC address and TCP header flags. One of the below tools will work for this task. Which one?

  1. PsExec
  2. Chkrootkit
  3. PsLogList
  4. IPTables

Answer: The correct answer is 4.

Breakdown: IPTables is the replacement, in the Linux 2.4 kernel and later versions, for the IPChains firewall used by earlier versions of Linux.

Hacking Capabilities via Rootkit

Rueben has been given the task of testing security for his employer’s website. He first installs a rootkit on the Linux server of the network. Once a rootkit has been installed, what capabilities will an attacker have on a system or network?

Answer is complete. Select more than one answer if applicable.

  1. Attackers can secretly execute packet sniffers in order to grab passwords.
  2. Attackers can conduct a buffer overflow or overrun.
  3. Attackers will be able to input a Trojan in the OS to gain anytime access (also known as backdoor access).
  4. Attackers are able to replace utility programs that otherwise might be used to detect their activity on the system.

Answer: The correct answers are 1, 3, and 4.

Breakdown: A rootkit is a set of tools or utilities that enable an unauthorized user to take over a system free from detection. A packet sniffer or network analyzer intercepts traffic passing over a network or a part of a network, recording the information (called a packet capture). A buffer overflow or overrun is accomplished when an attacker sends input to a web application that forces the application to put more data in a buffer than it is capable of storing, potentially crashing the application, corrupting data, or allowing the execution of the attacker’s code. Attackers will often utilize buffer overflows in order to corrupt the execution stack of a web application. They cause the web server to execute code, possibly attempting to take control of the machine.

Extracting Trojans from a readme.txt File

After placing a Trojan file trojan.exe within a text file readme.txt via NTFS streaming, how can the Trojan be extracted from the readme.txt file?

  1. c:> cat trojan.exe
  2. c:> cat readme.txt > trojan.exe
  3. c:> cat trojan.exe > readme.txt > trojan.exe
  4. c:> cat readme.txt:trojan.exe > trojan.exe

Answer: The correct answer is 4.

Undetected Viruses

You work as a network security administrator. You suspect that someone has gained access to your machine and used your e-mail account. To uncover potential viruses installed on your computer, you run a full scan. However, you do not find any illegal software. Which of the below security attack types often run in the background on a machine?

  1. Rootkit
  2. Hybrid
  3. Replay
  4. Zero-day

Answer: The correct answer is 4.

Breakdown: A zero-day attack (or zero-hour attack) exploits a vulnerability that currently does not have a fix or solution. Often, the security team is unaware of the vulnerability until “day zero.”

Using the Steganographic File System for Encryption

Peter wishes to use the Steganographic file system method for encryption of data and to hide private information. Which of the below are potential storage locations for him?

Each correct answer represents a complete solution. Choose three.

  1. Unused sectors
  2. Flow space
  3. Hidden partition
  4. Slack space

Answer: Answers 1, 3 and 4 are correct.

Breakdown: In the Steganographic file system, files are stored to encrypt data in an efficient, untraceable way. There are 3 methods/places for hiding this data within disk space:

  1. Unused sectors
  2. Slack space
  3. Hidden partition

Concealing Data in an Image

Alan is resigning from a company for personal reasons and now wants to send out proprietary and secret information about the company. So he edits an image file, using the tool Image Hide to embed the damaging file within his image, and then sends it to his private email account. The mail server doesn’t recognize the file within his image file, and does not filter it. What is his technique called?

  1. Web ripping
  2. Social engineering
  3. Email spoofing
  4. Steganography

Answer: The correct answer is 4.

Breakdown: Alan utilized the Steganography technique to transmit malicious data. Steganography is the art/science of concealing data/information by embedding one harmful message within another seemingly innocuous message.

Tools to Hide Secret Data Within a Text File

Which of the below tools can be used to hide secret data within a text file?

  1. Image hide
  2. Snow.exe
  3. SARA
  4. Fpipe

Answer: The correct answer is 2.

Breakdown: Snow.exe is a steganography tool that can be used to embed and mask secret data within simple text files. Since spaces and tabs are usually not visible in text viewers, where the file will likely be opened, messages can be effectively sneaked in without cluing in an unguarded observer. Watermarking is an irreversible process wherein information is permanently embedded into digital media. While steganography attempts to conceal the existence of the code, watermarking is primarily about robustness: does the mark still show up properly after the media has been modified? The purpose of digital watermarks is to provide copyright protection for intellectual property that is in digital form. Unlike metadata, watermarking does not modify the size of the carrier signal. This protection method is considered a passive protection, because it doesn’t degrade the data or restrict access.
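A defender's view of the whitespace carrier described in the Breakdown above, as an added example that is not part of the original study guide and not code from Snow: it flags lines that end in runs of spaces and tabs and shows that stripping them removes the carrier. The thresholds, function names and sample text are assumptions constructed for this illustration.

```python
import re

# A run of spaces/tabs at the very end of a line: invisible in most text viewers.
TRAILING_WS = re.compile(r"[ \t]+$")

# Thresholds are assumptions chosen for this example, not values from any tool.
MIN_LINES = 3   # lines that carry trailing whitespace
MIN_BYTES = 16  # total trailing whitespace bytes across the file

# Constructed samples. CLEAN has one stray trailing space (an ordinary typo);
# CARRIER has long mixed space/tab runs on several lines. Neither was produced
# by a steganography tool.
CLEAN = "Quarterly notes\n" + "All systems nominal." + " " + "\n" + "See attached report.\n"
CARRIER = (
    "Quarterly notes" + " \t" * 3 + "\n"
    + "All systems nominal." + "\t " * 4 + "\n"
    + "See attached report." + "\t\t " * 2 + "\n"
    + "Regards\n"
)


def scan(text):
    """Return one finding per line that ends in spaces and/or tabs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = TRAILING_WS.search(line)
        if match:
            run = match.group(0)
            findings.append({
                "line": lineno,
                "length": len(run),
                "mixed": " " in run and "\t" in run,
            })
    return findings


def assess(text):
    """Summarise the findings and decide whether the file deserves a closer look."""
    findings = scan(text)
    total = sum(f["length"] for f in findings)
    mixed = sum(1 for f in findings if f["mixed"])
    # Many padded lines, or repeated mixed space/tab runs, are unusual in plain text.
    suspicious = (len(findings) >= MIN_LINES and total >= MIN_BYTES) or mixed >= 2
    return {
        "lines_flagged": len(findings),
        "hidden_bytes": total,
        "mixed_runs": mixed,
        "suspicious": suspicious,
    }


def sanitize(text):
    """Strip trailing whitespace from every line, which destroys the carrier."""
    return "\n".join(TRAILING_WS.sub("", line) for line in text.splitlines()) + "\n"


if __name__ == "__main__":
    for name, sample in (("CLEAN", CLEAN), ("CARRIER", CARRIER)):
        print(name, assess(sample))
    print("after sanitize:", assess(sanitize(CARRIER)))
```

A mail gateway or file-transfer filter could apply the same normalisation to plain-text attachments, since legitimate text rarely depends on trailing whitespace.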

Covering Your Tracks

You have installed a keylogger on Margaret’s computer, complete with password protection. In the final step, or the covering tracks step, which of the following actions would you perform before walking away?

Answer is complete. Select more than one answer if applicable.

  1. Clear the recent docs from her registry.
  2. Clear all caches.
  3. Delete the cookies.
  4. Disable auditing.
  5. Change the user account password for the operating system.

Answer: The correct answers are 1, 2, 3 and 4.

Breakdown: Covering Tracks is the final and very important step in remote hacking. All logs should be removed from the target system. When the target system is Linux or UNIX, all entries of the /var folder must be removed. On Windows, it is important to delete all events and logs, an action that keeps the hacker’s identity hidden. In addition, security events or error messages logged during the process should be removed to avoid detection. Hackers will therefore either clear those event logs or disable auditing altogether.

Preventing Discovery When Hacking

A hacker successfully broke into an application, but then failed to cover his tracks in the enterprise systems. The forensics investigator found it quite simple to follow the hacker’s actions back to the source. What action could a hacker take to prevent being discovered and/or identified?

Answer is complete. Select more than one answer if applicable.

  1. Use Armor Tools.
  2. Disable auditing.
  3. Run Traceless.
  4. Clear the event log.

Answer: The correct answer is 2.

Tools for Tracking Activity

In order to determine how a Windows server has been attacked, you decide to check the event logs for traces of the hacker’s activity. You look for patterns in the hacker’s behavior that might later lead to identifying the responsible party. Luckily, one of the below tools has been used on the system that will capture these events. Which is the correct tool?

  1. Auditpol
  2. WinZapper
  3. Evidence Eliminator
  4. ELSave

Answer: The correct answer is 1.

Breakdown: Through Auditpol a systems administrator can enable or disable system auditing (from the command line). It is also useful in discovering what quality of logging a security team previously implemented. Auditpol is incorporated into the Windows NT Resource Kit.
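What an investigator can look for when event logs were cleared or auditing was disabled, as discussed in the Covering Your Tracks breakdown and in the Auditpol breakdown above. This is an added example, not part of the original study guide. Event IDs 1102 and 4719 are the Windows Security-log events for "audit log was cleared" and "system audit policy was changed"; the record layout, field names, accounts and sample events are constructed, and the record-gap rule assumes record IDs in one exported log increase by one.

```python
# Windows Security-log event IDs relevant to the two actions named above.
AUDIT_LOG_CLEARED = 1102     # "The audit log was cleared"
AUDIT_POLICY_CHANGED = 4719  # "System audit policy was changed"

# Constructed sample export (not from a real host). The dict layout is an
# assumption of this example, not the format of any particular export tool.
EVENTS = [
    {"record_id": 5001, "event_id": 4624, "user": "alice", "changes": ""},
    {"record_id": 5002, "event_id": 4719, "user": "svc-backup",
     "changes": "Success removed, Failure removed"},
    {"record_id": 5003, "event_id": 4719, "user": "admin",
     "changes": "Success added"},
    # Records 5004-5006 are absent from the export.
    {"record_id": 5007, "event_id": 4624, "user": "alice", "changes": ""},
    {"record_id": 5008, "event_id": 1102, "user": "svc-backup", "changes": ""},
]


def find_tampering(events):
    """Return findings that suggest someone reduced or removed audit evidence.

    Each finding is a tuple:
      ("auditing_reduced", record_id, user)  audit policy had a setting removed
      ("log_cleared", record_id, user)       the Security log was cleared
      ("record_gap", first_missing, last_missing)  records absent from the export
    """
    findings = []
    previous_id = None
    for event in sorted(events, key=lambda e: e["record_id"]):
        record_id = event["record_id"]

        # Assumption: record IDs are consecutive, so a jump means missing records.
        if previous_id is not None and record_id > previous_id + 1:
            findings.append(("record_gap", previous_id + 1, record_id - 1))
        previous_id = record_id

        if event["event_id"] == AUDIT_LOG_CLEARED:
            findings.append(("log_cleared", record_id, event["user"]))
        elif event["event_id"] == AUDIT_POLICY_CHANGED:
            # Only a removal weakens auditing; "added" strengthens it.
            if "removed" in event.get("changes", "").lower():
                findings.append(("auditing_reduced", record_id, event["user"]))
    return findings


def accounts_involved(findings):
    """Accounts named in policy-change or log-clear findings, for follow-up."""
    return sorted({f[2] for f in findings if f[0] in ("log_cleared", "auditing_reduced")})


if __name__ == "__main__":
    results = find_tampering(EVENTS)
    for finding in results:
        print(finding)
    print("accounts to review:", accounts_involved(results))
```

Forwarding Security events to a separate collector as they are written keeps this evidence available even after the local log is cleared.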

Attacking Without Detection

Ralph needs to demonstrate a type of attack that an ordinary firewall and IDS system would not detect. It should only be able to be discovered through tcpdump, which captures each packet that enters or leaves a server machine. Ralph therefore initiates his TCP connection with a server using port 80. He uses two distinct hosts on two distinct networks; one network acted as server while the other acted as a client. Even with the most current version of Snort, updated to include the latest rule sets, installed and running throughout the demonstration, Snort did not raise an alarm about any attack. Which of the below attack types does Ralph’s demonstration explore?

  1. Inside-Out Attack
  2. White-listing attack
  3. Covert channel attack
  4. Tor attack

Answer: The correct answer is 3.

Breakdown: A Covert Channel is a channel utilized for unauthorized and policy-breaking communication that allows information to be moved through a network without being noticed by any firewalls or intrusion detection systems. Thus the attacker is able to send information in and out without detection. The technique is effective because it sends information through ports that the firewall expects to be trustworthy.

Zero Day Attacks can be prevented with something called “Application Whitelisting,” which blocks unauthorized applications from running on a system. The systems administrator keeps a list of acceptable/authorized applications, and any other application will not be allowed to initiate/run. Applications are checked against the whitelist when they attempt to load—an added security step is to include a hashing prevention method. White listing is more secure than black listing, which is a list comprised of all the disallowed applications.

Inside-Out Attacks, otherwise known as firewall piercing, rely on the principle that a firewall cannot and should not try to protect a network against internal users. So the attacker tries to attack from the internal network by establishing a connection from a trusted machine inside a network to an outside, untrusted machine.

Tor (formerly an acronym for “The Onion Router”) is an anonymizing “virtual circuit” system with a bit of a dicey history. Although Tor advertises itself as an anonymity tool for “ordinary people who want to follow the law,” in reality it is often used for carrying out attacks without giving away your identity—defamation, fraud, and identity theft. The tool gives hacktivists and malicious hackers alike the chance to dodge surveillance and/or traffic analysis on a network. Tor has, however, many weaknesses.

How to Utilize a Covert Channel

How can a covert channel be utilized (select all that apply)?

  1. To transfer files between the hacker’s system and a target system, or from the target system to the hacker’s machine.
  2. To execute/launch applications and processes on the target system.
  3. To avail the hacker of an interactive, remote control from the hacker’s machine to the target machine.
  4. To securely and secretly detect any violations of any corporate firewall rules, and observe any hacking patterns without frightening off the hacker.

Answer: The correct answers are 1, 2, and 3.

Security Testing to Reveal Internal Attacks

After a series of confusing and frustrating attacks, a company decides to hire you to do a security audit of its network. The company is suspicious that the attacks, which seem to have no clear purpose, might be the folly of a malicious insider or a disgruntled employee. Therefore, they direct you to perform security tests that will reveal any inside attacks initiated from within their corporate network. Which of the tests below would prove useful under these circumstances?

Each correct answer represents a complete solution. Choose two.

  1. Social Engineering
  2. DNS Tunneling
  3. Bypass corporate filter firewall rules from inside-out
  4. Reverse Engineering

Answer: Answers 2 and 3 are correct.

Breakdown: Several utilities have been developed to accomplish DNS Tunneling. One example is DNScapy, which was designed to allow security teams to detect holes in their security. These utilities allow hackers to gain access to a website or connect to a hotspot that they otherwise would be prevented from accessing due to HTTP proxies. As described above, an inside-out attack allows an ethical hacker or malicious hacker to bypass firewall rules by initiating the connection from inside a network.

Determining Types of Attacks

Background: After checking a log from Snort, you notice the following:

Your systems administrator needs to report back to the company with details about the network. What kind of attack has most likely occurred according to the information given in the log above?

  1. Back orifice
  2. BoBo
  3. Netbus
  4. SubSeven

Answer: The correct answer is 1.

Breakdown: Port 31337, where the packets initiate from, is often the port used by Back Orifice. An attacker uses Back Orifice (BO) to install an inconspicuously sized program on a machine, using another machine to remotely control that server program through a graphical interface. Then communication can flow through TCP or UDP network protocols between the two components. Netbus is a program used to remotely control (and is often used by hackers to attack) Microsoft Windows systems. Netbus also utilizes two components. Before Back Orifice, Netbus was widely used—now they are often used in conjunction with each other. Some of the capabilities of Netbus include tunneling protocol, keystroke logging and injection, screen captures, launching applications, searching files, forcing shutdown, and tunneling. SubSeven functions in much the same way as the above-mentioned tools, but has more features than Netbus, including webcam capture and a user-friendly registry editor. However, it cannot log activity. Antivirus programs ordinarily detect it.

netstat Command Parameters

Which of the below netstat command parameters would display all active TCP connections as well as the TCP and UDP ports in a listening state?

  1. -a
  2. -b
  3. -e
  4. -f

Answer: The correct answer is 1.

Breakdown:

  -a: Displays all active TCP connections as well as the TCP and UDP ports in a listening state.
  -b: Displays the binary program’s process file name associated with every connection and/or listening port. Time-consuming.
  -e: Displays statistics, including packets (sent, received) and more. This can be combined with -s.
  -f: Displays (in Windows Vista or newer versions of Windows only) fully qualified domain names for foreign addresses.

netstat and IP Routing Tables

Which of the below netstat command parameters would display an IP routing table?

  1. -p
  2. -r
  3. -s
  4. -t

Answer: The correct answer is 2.

Using Trojans in Hacking

Background: A Trojan virus has been placed onto your server. It is sending data from your server to the attacker’s machine. Then you see the hacker has entered the below command:

nc -l -u -p 22222 < /etc/passwd

What will this command do?

  1. It will securely delete the /etc/passwd file from your server.
  2. It will download the /etc/passwd file from your server to the attacker’s machine.
  3. It will load or restore the /etc/passwd file on your server.
  4. It will run an update on the /etc/passwd file of your server.

Answer: The correct answer is 2.

ICMP Tunneling

William is learning about ICMP tunneling and needs to know which of the below statements does not represent a fact about this covert connection technique. Which of the below does not apply to ICMP tunneling?

  1. You can use ping requests and replies in order to tunnel complete TCP traffic.
  2. You can use it to tunnel another protocol via ICMP (Internet Control Message Protocol).
  3. You can use it to bypass firewalls because they will not restrict ICMP packets.
  4. You can use it to send ICMP packets in an encrypted form over an HTTP port.

Answer: The correct answer is 4. All other statements are true.

netbus Trojans

A hacker wishes to use a netbus Trojan on the Windows program, chess.exe. He will use his program to break into the target machine. Which of the below tools should he choose to do this?

Answer is complete. Select more than one answer if applicable.

  1. Beast
  2. Tripwire
  3. Wrapper
  4. Yet Another Binder

Answer: The correct answer is 3.

Breakdown: A wrapper is a program that is used to combine a harmful executable file with a harmless executable file.

Privilege Escalation

In his Network Security Administrator position, Vernard has the responsibility to observe, secure and analyze the network of his company. At the moment, Vernard is most concerned to learn that it is possible for others to bypass authentication in order to access his company’s network. This gives them more permissions than they were intended to have, and creates a vulnerability that could compromise his company’s data, secrets and client list. What is the name used for this activity, which is often called privilege escalation?

  1. Rootkit
  2. Boot sector
  3. Master Boot Record
  4. Backdoor

Answer: The correct answer is 4.

Breakdown: A backdoor would be to blame for this kind of privilege escalation. A backdoor is a software application, program, or account created or modified to gain access to the target system by bypassing security checks. Security professionals and vendors save time by using backdoors to bypass the security checks during the troubleshooting phases of a project. However, backdoors are also a threat that allows attackers to break in undetected and should be taken seriously to prevent their exploitation.

Signs of a Virus Attack

Which of the below could be signs of a virus attack on a machine?

Each correct answer represents a complete solution. Choose two.

  1. Unclear monitor display
  2. Corrupted or missing files
  3. Sudden reduction in system resources
  4. Faster read/write access of the CD-ROM drive

Answer: The correct answers are 2 and 3.

Causes of Website Crashes

A web server you are working with hits 100,000,000 total visits and immediately crashes. What kind of malicious code may have been used to cause this sudden crash?

  1. Polymorphic Virus
  2. Worm
  3. Virus
  4. Logic Bomb

Answer: The correct answer is 4.

Breakdown: A type of malware, a logic bomb will execute a malicious action or function once a specific condition has been met, such as a specific date/time being reached. In this situation, the logic bomb lay dormant until the web server hit 100,000,000 total visits. A logic bomb can be set to delete files, shut down a system, or perform a multitude of other functions. Worms are standalone applications/programs that copy themselves from system to system, often through networks. They do not require a host file to replicate themselves. Even a worm that has no function other than to replicate itself can prove problematic, as it causes an uptick in network traffic and consumes bandwidth. There may also be payload/malicious code embedded within the worm.

Scam Attacks

Background: Troy is the Marketing Manager for a company. Because he often deals with the public, his email account is routinely subject to various scams and other attacks. Upon arriving at work today, Troy notices an email with the subject “Urgent Security Message.” In the body of the e-mail, it says, “User must remove Boot.ini file due to corrupted data. This file is potentially harmful to user’s operating system.” Troy is not easily scammed. After puzzling it over, he does a quick online search about the Boot.ini file, which turns out to be a vital system file. In fact, it is what loads the OS! Which attack type was carried out (but ultimately unsuccessful) against Troy?

  1. Multipartite
  2. Hoax
  3. Polymorphic
  4. Macro

Answer: The correct answer is 2.

Breakdown: A virus hoax falsely warns an attacker’s victim that a threat is imminent where none is actually present. Troy’s many years of experience have taught him to always research where his expertise runs short.

Worms Vs. Trojans

Which of the below statements is accurate regarding the distinction between computer worms and Trojan horses?

  1. Trojan horses are harmful to computers and networks while worms are not.
  2. Trojan horses are a form of malicious code, while worms are not (worms lay dormant until other code executes itself to complete a malicious act).
  3. Worms replicate themselves while Trojan horses do not.
  4. Worms can be sent through emails while Trojan horses can only be installed directly or remotely onto a system through a network.

Answer: The correct answer is 3.

Breakdown: A Trojan horse is malicious program code that masks itself as an ordinary and safe program. When a Trojan horse program is running, its hidden code will begin to destroy or scramble information, files, and data on the target hard disk. Worms, unlike Trojan horses, are able to replicate themselves using computer networks and security holes. Worms may either cause an increase in bandwidth or come with a payload, that is, malicious code that has been attached to the worm.

Types of FTP Access

A user lacks permissions to list directory contents, yet can still access the directory and its contents through FTP, so long as he uses the correct path and filename. What is this kind of FTP access called?

  1. Hidden FTP
  2. Blind FTP
  3. Passive FTP
  4. Secure FTP

Answer: The correct answer is 2.

Breakdown: Blind FTP (also called anonymous FTP) allows users to go directly to a specific directory so long as they use the correct path and file name. One limitation is that these users may not peruse other items without first entering their path and filenames. Blind FTP is considered more secure.

Malicious Bots

Which of the below tasks would a malicious bot or botnet be capable of performing?

Select the best answer.

  1. Launching DDoS attacks
  2. Collecting email addresses from within contact forms and/or guestbooks.
  3. Downloading an entire website to drain a target’s bandwidth
  4. Stealing confidential and/or financial information, including credit card account numbers, logins, etc.
  5. All of the above.

Answer: The correct answer is 5. All of the above answers are accurate.

Breakdown: An Internet robot, or malicious bot, runs different automated tasks, often simple and repetitive—but at a much faster rate than an individual could manually complete. Here are some activities that can be performed by one of these bots:

  1. Launching DDoS attacks.
  2. Collecting email addresses from within contact forms and/or guestbooks.
  3. Downloader bots will drain a target’s bandwidth by actually downloading the entire website.
  4. Stealing confidential and/or financial information, including credit card account numbers, logins, etc.
  5. Scraping of websites to steal and plagiarize website content.
  6. Purchase of tickets in order to resell.
  7. Resource farming on many online games is accomplished via bots.

How to Prevent Malicious Downloads

Eric is always struggling with computer issues. When Eric opens a website, it starts an automatic download containing harmful code onto his machine. What should he do to prevent this from occurring in the future?

Each correct answer represents a complete solution. Choose two.

  1. Implement File Integrity Auditing
  2. Disable Active Scripting
  3. Configure Security Logs
  4. Disable ActiveX Controls

Answer: Answers 2 and 4 are correct.

Breakdown: Eric could disable certain ActiveX Controls—disallow unauthorized controls and/or active scripts through the web browser. This would improve the protection of his computer during browsing sessions, but would not completely shield it.

Hidden Viruses

Veronica is an Ethical Hacker. Her newest assignment is website security testing before the company’s website is relaunched. In order to determine how viruses might affect the server, she places one on the system. With no alerts raised by the antiviruses, which were installed and running at the time, the virus infects the system. Which of the below could serve as explanations for this situation?

Answer is complete. Select more than one answer if applicable.

  1. Veronica modified the unique hash/signature identifying the virus.
  2. Veronica developed a completely new virus.
  3. Veronica installed a virus that was not incorporated in the database of the antiviral program that was running on the server.
  4. The virus has a mutation engine, which has provided further encrypted code in addition to the current code of the virus.

Answer: The correct answers are 1, 2, 3, and 4.

Breakdown: A signature-based anti-virus program will not be able to detect all computer viruses. Signature-based anti-virus applications search for recognizable patterns of data/information within executable code:

  1. If the attacker has altered the virus signature, any signature-based antivirus software will be unable to identify and locate the virus.
  2. If a new virus arrives on the scene and an antivirus database has not been updated to include it, the new virus will not be discovered by the antivirus.
  3. A polymorphic virus mutates itself through encryption and modification, preventing an antivirus from discovering the file/virus.

Generic signatures can discover new viruses (or their variants) by detecting recognizable malicious code in files. Sandboxing and analyzing files can help an antivirus capture malicious executable code. Promiscuous mode, which often requires administrative access, is enabled by setting a network card up in such a way that all traffic received by the network will be sent to the CPU (rather than packets specifically coded to be received by the CPU). This is useful for packet sniffing, logging traffic and decoding it for information.

Matching an IP Address to a MAC Address

The Internet Protocol Suite includes several dozen distinct protocols all utilized to accomplish different tasks. Which of the below protocols will match an IP address to MAC addresses on a network interface card?

  1. ARP
  2. RARP
  3. PIM
  4. DHCP

Answer: The correct answer is 1.

Breakdown: Address Resolution Protocol (ARP) is one protocol of the TCP/IP protocol suite used for maintenance of networks. ARP is used to resolve an IP address to its matching media access control (MAC) address.

Using a GUI Utility to Perform Man-in-the-Middle

An attacker is searching for a GUI utility (for a Windows machine) that will allow him to accomplish Man-in-the-Middle attacks, ARP “poisoning” and sniffing. Which of the below would allow the attacker to launch those attack types?

  1. wsniff
  2. CAIN
  3. Airjack
  4. Ettercap

Answer: The correct answer is 2.

Breakdown: ARP Spoofing works by poisoning the Address Resolution Protocol’s cache by sending phony replies from one node—claiming to be another, authorized node—tricking the network into sending data to the attacker when it believes it is sending it to an authorized node within the subnet. This requires the authorized node to have sent a more general request that the attacker can intercept and utilize in creating a false reply.
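How a monitoring host can notice the phony replies described in the Breakdown above, as an added example that is not part of the original study guide. It goes slightly beyond the text by checking three signs at once: a reply nobody asked for, an IP address that changes MAC address, and one MAC address claiming several IP addresses. The frame layout, the time window, and the addresses (documentation-range IPs and locally administered MACs) are constructed assumptions.

```python
from collections import defaultdict

REQUEST_WINDOW = 2.0  # seconds a request counts as "open" (assumed value)

# Constructed ARP observations, oldest first (not captured traffic).
FRAMES = [
    {"t": 0.0, "op": "request", "sender_ip": "192.0.2.10",
     "sender_mac": "02:00:00:00:00:0a", "target_ip": "192.0.2.1"},
    {"t": 0.1, "op": "reply", "sender_ip": "192.0.2.1",
     "sender_mac": "02:00:00:00:00:01", "target_ip": "192.0.2.10"},
    {"t": 5.0, "op": "request", "sender_ip": "192.0.2.66",
     "sender_mac": "02:00:00:00:00:66", "target_ip": "192.0.2.1"},
    {"t": 5.1, "op": "reply", "sender_ip": "192.0.2.1",
     "sender_mac": "02:00:00:00:00:01", "target_ip": "192.0.2.66"},
    # A reply for the gateway's IP arriving from a different MAC, unrequested.
    {"t": 30.0, "op": "reply", "sender_ip": "192.0.2.1",
     "sender_mac": "02:00:00:00:00:66", "target_ip": "192.0.2.10"},
]


def detect_arp_anomalies(frames):
    """Return alerts as (time, kind, ip, mac) tuples, in the order observed."""
    bindings = {}                   # ip -> first MAC seen claiming it
    ips_by_mac = defaultdict(set)   # mac -> IPs it has claimed
    pending = {}                    # requested ip -> time of the latest request
    alerts = []

    for frame in frames:
        t = frame["t"]
        ip = frame["sender_ip"]
        mac = frame["sender_mac"].lower()

        if frame["op"] == "request":
            pending[frame["target_ip"]] = t
        elif frame["op"] == "reply":
            asked = pending.get(ip)
            # Legitimate gratuitous ARP also lands here, so treat this as a lead.
            if asked is None or t - asked > REQUEST_WINDOW:
                alerts.append((t, "unsolicited_reply", ip, mac))

        # The first binding seen is kept as the reference; later conflicts alert.
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            alerts.append((t, "binding_change", ip, mac))

        # Alert once when a MAC starts answering for an additional IP.
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append((t, "mac_claims_multiple_ips", ip, mac))

    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(FRAMES):
        print(alert)
```

The three signals are strongest together; a single unsolicited reply on its own is common on healthy networks.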

Basic Network Components

Which of the following is a component that provides resources over a network?

  1. Client
  2. LAN
  3. Router
  4. Server

Answer: The correct answer is 4.

Breakdown: A server provides or “serves” up resources to a network. Examples of resources are access to email, pages on a web server, or files on a file server.
