New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

ECCouncil EC0-350 Ethical Hacking and Countermeasures V8 Exam Practice Test

Demo: 131 questions
Total 878 questions

Ethical Hacking and Countermeasures V8 Questions and Answers

Question 1

What is the command used to create a binary log file using tcpdump?

Options:

A.

tcpdump -w ./log

B.

tcpdump -r log

C.

tcpdump -vde logtcpdump -vde ? log

D.

tcpdump -l /var/log/

Question 2

Bob was frustrated with his competitor, Brownies Inc., and decided to launch an attack that would result in serious financial losses. He planned the attack carefully and carried out the attack at the appropriate moment.

Meanwhile, Trent, an administrator at Brownies Inc., realized that their main financial transaction server had been attacked. As a result of the attack, the server crashed and Trent needed to reboot the system, as no one was able to access the resources of the company. This process involves human interaction to fix it.

What kind of Denial of Service attack was best illustrated in the scenario above?

Options:

A.

Simple DDoS attack

B.

DoS attacks which involves flooding a network or system

C.

DoS attacks which involves crashing a network or system

D.

DoS attacks which is done accidentally or deliberately

Question 3

Joseph has just been hired on to a contractor company of the Department of Defense as their Senior Security Analyst. Joseph has been instructed on the company's strict security policies that have been implemented, and the policies that have yet to be put in place. Per the Department of Defense, all DoD users and the users of their contractors must use two-factor authentication to access their networks. Joseph has been delegated the task of researching and implementing the best two-factor authentication method for his company. Joseph's supervisor has told him that they would like to use some type of hardware device in tandem with a security or identifying pin number. Joseph's company has already researched using smart cards and all the resources needed to implement them, but found the smart cards to not be cost effective. What type of device should Joseph use for two-factor authentication?

Options:

A.

Biometric device

B.

OTP

C.

Proximity cards

D.

Security token

Question 4

What type of attack is shown here?

Options:

A.

Bandwidth exhaust Attack

B.

Denial of Service Attack

C.

Cluster Service Attack

D.

Distributed Denial of Service Attack

Question 5

What port number is used by LDAP protocol?

Options:

A.

110

B.

389

C.

464

D.

445

Question 6

Lee is using Wireshark to log traffic on his network. He notices a number of packets being directed to an internal IP from an outside IP where the packets are ICMP and their size is around 65, 536 bytes. What is Lee seeing here?

Options:

A.

Lee is seeing activity indicative of a Smurf attack.

B.

Most likely, the ICMP packets are being sent in this manner to attempt IP spoofing.

C.

Lee is seeing a Ping of death attack.

D.

This is not unusual traffic, ICMP packets can be of any size.

Question 7

In which step Steganography fits in CEH System Hacking Cycle (SHC)

Options:

A.

Step 2: Crack the password

B.

Step 1: Enumerate users

C.

Step 3: Escalate privileges

D.

Step 4: Execute applications

E.

Step 5: Hide files

F.

Step 6: Cover your tracks

Question 8

John the hacker is sniffing the network to inject ARP packets. He injects broadcast frames onto the wire to conduct MiTM attack. What is the destination MAC address of a broadcast frame?

Options:

A.

0xFFFFFFFFFFFF

B.

0xDDDDDDDDDDDD

C.

0xAAAAAAAAAAAA

D.

0xBBBBBBBBBBBB

Question 9

What sequence of packets is sent during the initial TCP three-way handshake?

Options:

A.

SYN, SYN-ACK, ACK

B.

SYN, URG, ACK

C.

SYN, ACK, SYN-ACK

D.

FIN, FIN-ACK, ACK

Question 10

What type of Virus is shown here?

Options:

A.

Macro Virus

B.

Cavity Virus

C.

Boot Sector Virus

D.

Metamorphic Virus

E.

Sparse Infector Virus

Question 11

Neil is closely monitoring his firewall rules and logs on a regular basis. Some of the users have complained to Neil that there are a few employees who are visiting offensive web site during work hours, without any consideration for others. Neil knows that he has an up-to-date content filtering system and such access should not be authorized. What type of technique might be used by these offenders to access the Internet without restriction?

Options:

A.

They are using UDP that is always authorized at the firewall

B.

They are using HTTP tunneling software that allows them to communicate with protocols in a way it was not intended

C.

They have been able to compromise the firewall, modify the rules, and give themselves proper access

D.

They are using an older version of Internet Explorer that allow them to bypass the proxy server

Question 12

Identify SQL injection attack from the HTTP requests shown below:

Options:

A.

http://www.myserver.c0m/search.asp?

lname=smith%27%3bupdate%20usertable%20set%20passwd%3d%27hAx0r%27%3b--%00

B.

http://www.myserver.c0m/script.php?mydata=%3cscript%20src=%22

C.

http%3a%2f%2fwww.yourserver.c0m%2fbadscript.js%22%3e%3c%2fscript%3e

D.

http://www.victim.com/example accountnumber=67891 &creditamount=999999999

Question 13

E-mail tracking is a method to monitor and spy the delivered e-mails to the intended recipient.

Select a feature, which you will NOT be able to accomplish with this probe?

Options:

A.

When the e-mail was received and read

B.

Send destructive e-mails

C.

GPS location and map of the recipient

D.

Time spent on reading the e-mails

E.

Whether or not the recipient visited any links sent to them

F.

Track PDF and other types of attachments

G.

Set messages to expire after specified time

Question 14

Jess the hacker runs L0phtCrack's built-in sniffer utility that grabs SMB password hashes and stores them for offline cracking. Once cracked, these passwords can provide easy access to whatever network resources the user account has access to. But Jess is not picking up hashes from the network. Why?

Options:

A.

The network protocol is configured to use SMB Signing

B.

The physical network wire is on fibre optic cable

C.

The network protocol is configured to use IPSEC

D.

L0phtCrack SMB sniffing only works through Switches and not Hubs

Question 15

A Trojan horse is a destructive program that masquerades as a benign application. The software initially appears to perform a desirable function for the user prior to installation and/or execution, but in addition to the expected function steals information or harms the system.

The challenge for an attacker is to send a convincing file attachment to the victim, which gets easily executed on the victim machine without raising any suspicion. Today's end users are quite knowledgeable about malwares and viruses. Instead of sending games and fun executables, Hackers today are quite successful in spreading the Trojans using Rogue security software.

What is Rogue security software?

Options:

A.

A flash file extension to Firefox that gets automatically installed when a victim visits rogue software disabling websites

B.

A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software.

C.

Rogue security software is based on social engineering technique in which the attackers lures victim to visit spear phishing websites

D.

This software disables firewalls and establishes reverse connecting tunnel between the victim's machine and that of the attacker

Question 16

The FIN flag is set and sent from host A to host B when host A has no more data to transmit (Closing a TCP connection). This flag releases the connection resources. However, host A can continue to receive data as long as the SYN sequence numbers of transmitted packets from host B are lower than the packet segment containing the set FIN flag.

Options:

A.

false

B.

true

Question 17

You went to great lengths to install all the necessary technologies to prevent hacking attacks, such as expensive firewalls, antivirus software, anti-spam systems and intrusion detection/prevention tools in your company's network. You have configured the most secure policies and tightened every device on your network. You are confident that hackers will never be able to gain access to your network with complex security system in place. Your peer, Peter Smith who works at the same department disagrees with you. He says even the best network security technologies cannot prevent hackers gaining access to the network because of presence of "weakest link" in the security chain. What is Peter Smith talking about?

Options:

A.

Untrained staff or ignorant computer users who inadvertently become the weakest link in your security chain

B.

"zero-day" exploits are the weakest link in the security chain since the IDS will not be able to detect these attacks

C.

"Polymorphic viruses" are the weakest link in the security chain since the Anti-Virus scanners will not be able to detect these attacks

D.

Continuous Spam e-mails cannot be blocked by your security system since spammers use different techniques to bypass the filters in your gateway

Question 18

Which of the following describes the characteristics of a Boot Sector Virus?

Options:

A.

Moves the MBR to another location on the RAM and copies itself to the original location of the MBR

B.

Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR

C.

Modifies directory table entries so that directory entries point to the virus code instead of the actual program

D.

Overwrites the original MBR and only executes the new virus code

Question 19

Which protocol and port number might be needed in order to send log messages to a log analysis tool that resides behind a firewall?

Options:

A.

UDP 123

B.

UDP 541

C.

UDP 514

D.

UDP 415

Question 20

Which of the following techniques does a vulnerability scanner use in order to detect a vulnerability on a target service?

Options:

A.

Port scanning

B.

Banner grabbing

C.

Injecting arbitrary data

D.

Analyzing service response

Question 21

Which of the following defines the role of a root Certificate Authority (CA) in a Public Key Infrastructure (PKI)?

Options:

A.

The root CA is the recovery agent used to encrypt data when a user's certificate is lost.

B.

The root CA stores the user's hash value for safekeeping.

C.

The CA is the trusted root that issues certificates.

D.

The root CA is used to encrypt email messages to prevent unintended disclosure of data.

Question 22

A pentester gains acess to a Windows application server and needs to determine the settings of the built-in Windows firewall. Which command would be used?

Options:

A.

Netsh firewall show config

B.

WMIC firewall show config

C.

Net firewall show config

D.

Ipconfig firewall show config

Question 23

A certified ethical hacker (CEH) is approached by a friend who believes her husband is cheating. She offers to pay to break into her husband's email account in order to find proof so she can take him to court.  What is the ethical response?

Options:

A.

Say no; the friend is not the owner of the account.

B.

Say yes; the friend needs help to gather evidence.

C.

Say yes; do the job for free.

D.

Say no; make sure that the friend knows the risk she’s asking the CEH to take.

Question 24

Which security strategy requires using several, varying methods to protect IT systems against attacks?

Options:

A.

Defense in depth

B.

Three-way handshake

C.

Covert channels

D.

Exponential backoff algorithm

Question 25

Which set of access control solutions implements two-factor authentication?

Options:

A.

USB token and PIN

B.

Fingerprint scanner and retina scanner

C.

Password and PIN

D.

Account and password

Question 26

What results will the following command yielD. 'NMAP -sS -O -p 123-153 192.168.100.3'?

Options:

A.

A stealth scan, opening port 123 and 153

B.

A stealth scan, checking open ports 123 to 153

C.

A stealth scan, checking all open ports excluding ports 123 to 153

D.

A stealth scan, determine operating system, and scanning ports 123 to 153

Question 27

A botnet can be managed through which of the following?

Options:

A.

IRC

B.

E-Mail

C.

Linkedin and Facebook

D.

A vulnerable FTP server

Question 28

Which of the following is a preventive control?

Options:

A.

Smart card authentication

B.

Security policy

C.

Audit trail

D.

Continuity of operations plan

Question 29

Which of the following is a component of a risk assessment?

Options:

A.

Physical security

B.

Administrative safeguards

C.

DMZ

D.

Logical interface

Question 30

What are the three types of compliance that the Open Source Security Testing Methodology Manual (OSSTMM) recognizes?

Options:

A.

Legal, performance, audit

B.

Audit, standards based, regulatory

C.

Contractual, regulatory, industry

D.

Legislative, contractual, standards based

Question 31

Which of the following open source tools would be the best choice to scan a network for potential targets?

Options:

A.

NMAP

B.

NIKTO

C.

CAIN

D.

John the Ripper

Question 32

What is the main advantage that a network-based IDS/IPS system has over a host-based solution?

Options:

A.

They do not use host system resources.

B.

They are placed at the boundary, allowing them to inspect all traffic.

C.

They are easier to install and configure.

D.

They will not interfere with user interfaces.

Question 33

Which of the following is used to indicate a single-line comment in structured query language (SQL)?

Options:

A.

--

B.

||

C.

%%

D.

''

Question 34

What is the name of the international standard that establishes a baseline level of confidence in the security functionality of IT products by providing a set of requirements for evaluation?

Options:

A.

Blue Book

B.

ISO 26029

C.

Common Criteria

D.

The Wassenaar Agreement

Question 35

How can a rootkit bypass Windows 7 operating system’s kernel mode, code signing policy?

Options:

A.

Defeating the scanner from detecting any code change at the kernel

B.

Replacing patch system calls with its own version that hides the rootkit (attacker's) actions

C.

Performing common services for the application process and replacing real applications with fake ones

D.

Attaching itself to the master boot record in a hard drive and changing the machine's boot sequence/options

Question 36

The fundamental difference between symmetric and asymmetric key cryptographic systems is that symmetric key cryptography uses which of the following?

Options:

A.

Multiple keys for non-repudiation of bulk data

B.

Different keys on both ends of the transport medium

C.

Bulk encryption for data transmission over fiber

D.

The same key on each end of the transmission medium

Question 37

What is the purpose of conducting security assessments on network resources?

Options:

A.

Documentation

B.

Validation

C.

Implementation

D.

Management

Question 38

A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much information can be obtained from the firm's public facing web servers. The engineer decides to start by using netcat to port 80.

The engineer receives this output:

HTTP/1.1 200 OK

Server: Microsoft-IIS/6

Expires: Tue, 17 Jan 2011 01:41:33 GMT

DatE. Mon, 16 Jan 2011 01:41:33 GMT

Content-TypE. text/html

Accept-Ranges: bytes

Last-ModifieD. Wed, 28 Dec 2010 15:32:21 GMT

ETaG. "b0aac0542e25c31:89d"

Content-Length: 7369

Which of the following is an example of what the engineer performed?

Options:

A.

Cross-site scripting

B.

Banner grabbing

C.

SQL injection

D.

Whois database query

Question 39

An engineer is learning to write exploits in C++ and is using the exploit tool Backtrack. The engineer wants to compile the newest C++ exploit and name it calc.exe. Which command would the engineer use to accomplish this?

Options:

A.

g++ hackersExploit.cpp -o calc.exe

B.

g++ hackersExploit.py -o calc.exe

C.

g++ -i hackersExploit.pl -o calc.exe

D.

g++ --compile –i hackersExploit.cpp -o calc.exe

Question 40

Which of the following lists are valid data-gathering activities associated with a risk assessment?

Options:

A.

Threat identification, vulnerability identification, control analysis

B.

Threat identification, response identification, mitigation identification

C.

Attack profile, defense profile, loss profile

D.

System profile, vulnerability identification, security determination

Question 41

Which command lets a tester enumerate alive systems in a class C network via ICMP using native Windows tools?

Options:

A.

ping 192.168.2.

B.

ping 192.168.2.255

C.

for %V in (1 1 255) do PING 192.168.2.%V

D.

for /L %V in (1 1 254) do PING -n 1 192.168.2.%V | FIND /I "Reply"

Question 42

A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash.  The technician researches the bug and discovers that no one else experienced the problem.  What is the appropriate next step?

Options:

A.

Ignore the problem completely and let someone else deal with it.

B.

Create a document that will crash the computer when opened and send it to friends.

C.

Find an underground bulletin board and attempt to sell the bug to the highest bidder.

D.

Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.

Question 43

A security administrator notices that the log file of the company`s webserver contains suspicious entries:

Based on source code analysis, the analyst concludes that the login.php script is vulnerable to

Options:

A.

command injection.

B.

SQL injection.

C.

directory traversal.

D.

LDAP injection.

Question 44

The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106:

Time:Mar 13 17:30:15 Port:20 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

Time:Mar 13 17:30:17 Port:21 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

Time:Mar 13 17:30:19 Port:22 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

Time:Mar 13 17:30:21 Port:23 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

Time:Mar 13 17:30:22 Port:25 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

Time:Mar 13 17:30:23 Port:80 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

Time:Mar 13 17:30:30 Port:443 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

What type of activity has been logged?

Options:

A.

Port scan targeting 192.168.1.103

B.

Teardrop attack targeting 192.168.1.106

C.

Denial of service attack targeting 192.168.1.103

D.

Port scan targeting 192.168.1.106

Question 45

A network security administrator is worried about potential man-in-the-middle attacks when users access a corporate web site from their workstations. Which of the following is the best remediation against this type of attack?

Options:

A.

Implementing server-side PKI certificates for all connections

B.

Mandating only client-side PKI certificates for all connections

C.

Requiring client and server PKI certificates for all connections

D.

Requiring strong authentication for all DNS queries

Question 46

What is the correct PCAP filter to capture all TCP traffic going to or from host 192.168.0.125 on port 25?

Options:

A.

tcp.src == 25 and ip.host == 192.168.0.125

B.

host 192.168.0.125:25

C.

port 25 and host 192.168.0.125

D.

tcp.port == 25 and ip.host == 192.168.0.125

Question 47

Which of the following guidelines or standards is associated with the credit card industry?

Options:

A.

Control Objectives for Information and Related Technology (COBIT)

B.

Sarbanes-Oxley Act (SOX)

C.

Health Insurance Portability and Accountability Act (HIPAA)

D.

Payment Card Industry Data Security Standards (PCI DSS)

Question 48

Which Open Web Application Security Project (OWASP) implements a web application full of known vulnerabilities?

Options:

A.

WebBugs

B.

WebGoat

C.

VULN_HTML

D.

WebScarab

Question 49

Which of the following processes of PKI (Public Key Infrastructure) ensures that a trust relationship exists and that a certificate is still valid for specific operations?

Options:

A.

Certificate issuance

B.

Certificate validation

C.

Certificate cryptography

D.

Certificate revocation

Question 50

Data hiding analysis can be useful in

Options:

A.

determining the level of encryption used to encrypt the data.

B.

detecting and recovering data that may indicate knowledge, ownership or intent.

C.

identifying the amount of central processing unit (cpu) usage over time to process the data.

D.

preventing a denial of service attack on a set of enterprise servers to prevent users from accessing the data.

Question 51

Which type of intrusion detection system can monitor and alert on attacks, but cannot stop them?

Options:

A.

Detective

B.

Passive

C.

Intuitive

D.

Reactive

Question 52

When Jason moves a file via NFS over the company's network, you want to grab a copy of it by sniffing. Which of the following tool accomplishes this?

Options:

A.

macof

B.

webspy

C.

filesnarf

D.

nfscopy

Question 53

In the context of Windows Security, what is a 'null' user?

Options:

A.

A user that has no skills

B.

An account that has been suspended by the admin

C.

A pseudo account that has no username and password

D.

A pseudo account that was created for security administration purpose

Question 54

How would you describe a simple yet very effective mechanism for sending and receiving unauthorized information or data between machines without alerting any firewalls and IDS's on a network?

Options:

A.

Covert Channel

B.

Crafted Channel

C.

Bounce Channel

D.

Deceptive Channel

Question 55

What happens when one experiences a ping of death?

Options:

A.

This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the “type” field in the ICMP header is set to 18 (Address Mask Reply).

B.

This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset ‘ 8) + (IP data length) >65535.

In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.

C.

This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the source equal to destination address.

D.

This is when an the IP header is set to 1 (ICMP) and the “type” field in the ICMP header is set to 5 (Redirect).

Question 56

Exhibit:

ettercap –NCLzs --quiet

What does the command in the exhibit do in “Ettercap”?

Options:

A.

This command will provide you the entire list of hosts in the LAN

B.

This command will check if someone is poisoning you and will report its IP.

C.

This command will detach from console and log all the collected passwords from the network to a file.

D.

This command broadcasts ping to scan the LAN instead of ARP request of all the subnet IPs.

Question 57

Ethereal works best on ____________.

Options:

A.

Switched networks

B.

Linux platforms

C.

Networks using hubs

D.

Windows platforms

E.

LAN's

Question 58

In Linux, the three most common commands that hackers usually attempt to Trojan are:

Options:

A.

car, xterm, grep

B.

netstat, ps, top

C.

vmware, sed, less

D.

xterm, ps, nc

Question 59

Which of the following display filters will you enable in Ethereal to view the three-way handshake for a connection from host 192.168.0.1?

Options:

A.

ip == 192.168.0.1 and tcp.syn

B.

ip.addr = 192.168.0.1 and syn = 1

C.

ip.addr==192.168.0.1 and tcp.flags.syn

D.

ip.equals 192.168.0.1 and syn.equals on

Question 60

You are attempting to crack LM Manager hashed from Windows 2000 SAM file. You will be using LM Brute force hacking tool for decryption.

What encryption algorithm will you be decrypting?

Options:

A.

MD4

B.

DES

C.

SHA

D.

SSL

Question 61

Susan has attached to her company’s network. She has managed to synchronize her boss’s sessions with that of the file server. She then intercepted his traffic destined for the server, changed it the way she wanted to and then placed it on the server in his home directory. What kind of attack is Susan carrying on?

Options:

A.

A sniffing attack

B.

A spoofing attack

C.

A man in the middle attack

D.

A denial of service attack

Question 62

Which DNS resource record can indicate how long any "DNS poisoning" could last?

Options:

A.

MX

B.

SOA

C.

NS

D.

TIMEOUT

Question 63

Which of the following represents the initial two commands that an IRC client sends to join an IRC network?

Options:

A.

USER, NICK

B.

LOGIN, NICK

C.

USER, PASS

D.

LOGIN, USER

Question 64

You are a Administrator of Windows server. You want to find the port number for POP3. What file would you find the information in and where?

Select the best answer.

Options:

A.

%windir%\\etc\\services

B.

system32\\drivers\\etc\\services

C.

%windir%\\system32\\drivers\\etc\\services

D.

/etc/services

E.

%windir%/system32/drivers/etc/services

Question 65

What is a NULL scan?

Options:

A.

A scan in which all flags are turned off

B.

A scan in which certain flags are off

C.

A scan in which all flags are on

D.

A scan in which the packet size is set to zero

E.

A scan with a illegal packet size

Question 66

A file integrity program such as Tripwire protects against Trojan horse attacks by:

Options:

A.

Automatically deleting Trojan horse programs

B.

Rejecting packets generated by Trojan horse programs

C.

Using programming hooks to inform the kernel of Trojan horse behavior

D.

Helping you catch unexpected changes to a system utility file that might indicate it had been replaced by a Trojan horse

Question 67

What does the following command in netcat do?

nc -l -u -p55555 < /etc/passwd

Options:

A.

logs the incoming connections to /etc/passwd file

B.

loads the /etc/passwd file to the UDP port 55555

C.

grabs the /etc/passwd file when connected to UDP port 55555

D.

deletes the /etc/passwd file when connected to the UDP port 55555

Question 68

One of your junior administrator is concerned with Windows LM hashes and password cracking. In your discussion with them, which of the following are true statements that you would point out?

Select the best answers.

Options:

A.

John the Ripper can be used to crack a variety of passwords, but one limitation is that the output doesn't show if the password is upper or lower case.

B.

BY using NTLMV1, you have implemented an effective countermeasure to password cracking.

C.

SYSKEY is an effective countermeasure.

D.

If a Windows LM password is 7 characters or less, the hash will be passed with the following characters, in HEX- 00112233445566778899.

E.

Enforcing Windows complex passwords is an effective countermeasure.

Question 69

A company is using Windows Server 2003 for its Active Directory (AD). What is the most efficient way to crack the passwords for the AD users?

Options:

A.

Perform a dictionary attack.

B.

Perform a brute force attack.

C.

Perform an attack with a rainbow table.

D.

Perform a hybrid attack.

Question 70

You generate MD5 128-bit hash on all files and folders on your computer to keep a baseline check for security reasons?

What is the length of the MD5 hash?

Options:

A.

32 character

B.

64 byte

C.

48 char

D.

128 kb

Question 71

Which of the following describes a component of Public Key Infrastructure (PKI) where a copy of a private key is stored to provide third-party access and to facilitate recovery operations?

Options:

A.

Key registry

B.

Recovery agent

C.

Directory

D.

Key escrow

Question 72

Which of the following statements are true regarding N-tier architecture? (Choose two.)

Options:

A.

Each layer must be able to exist on a physically independent system.

B.

The N-tier architecture must have at least one logical layer.

C.

Each layer should exchange information only with the layers above and below it. 

D.

When a layer is changed or updated, the other layers must also be recompiled or modified.

Question 73

In order to show improvement of security over time, what must be developed?

Options:

A.

Reports

B.

Testing tools

C.

Metrics

D.

Taxonomy of vulnerabilities

Question 74

John the Ripper is a technical assessment tool used to test the weakness of which of the following?

Options:

A.

Usernames

B.

File permissions

C.

Firewall rulesets

D.

Passwords

Question 75

Which of the following represent weak password? (Select 2 answers)

Options:

A.

Passwords that contain letters, special characters, and numbers ExamplE. ap1$%##f@52

B.

Passwords that contain only numbers ExamplE. 23698217

C.

Passwords that contain only special characters ExamplE. &*#@!(%)

D.

Passwords that contain letters and numbers ExamplE. meerdfget123

E.

Passwords that contain only letters ExamplE. QWERTYKLRTY

F.

Passwords that contain only special characters and numbers ExamplE. 123@$45

G.

Passwords that contain only letters and special characters ExamplE. bob@&ba

Question 76

One way to defeat a multi-level security solution is to leak data via

Options:

A.

a bypass regulator.

B.

steganography.

C.

a covert channel.

D.

asymmetric routing.

Question 77

A security engineer is attempting to map a company’s internal network. The engineer enters in the following NMAP commanD.

NMAP –n –sS –P0 –p 80 ***.***.**.**

What type of scan is this?

Options:

A.

Quick scan

B.

Intense scan

C.

Stealth scan

D.

Comprehensive scan

Question 78

Simon is security analyst writing signatures for a Snort node he placed internally that captures all mirrored traffic from his border firewall. From the following signature, what will Snort look for in the payload of the suspected packets?

alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msG. "BACKDOOR SIG - SubSseven 22";flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids, 485;) alert

Options:

A.

The payload of 485 is what this Snort signature will look for.

B.

Snort will look for 0d0a5b52504c5d3030320d0a in the payload.

C.

Packets that contain the payload of BACKDOOR SIG - SubSseven 22 will be flagged.

D.

From this snort signature, packets with HOME_NET 27374 in the payload will be flagged.

Question 79

On a Linux device, which of the following commands will start the Nessus client in the background so that the Nessus server can be configured?

Options:

A.

nessus +

B.

nessus *s

C.

nessus &

D.

nessus -d

Question 80

Which of the following is a hashing algorithm?

Options:

A.

MD5

B.

PGP

C.

DES

D.

ROT13

Question 81

Which type of antenna is used in wireless communication?

Options:

A.

Omnidirectional

B.

Parabolic

C.

Uni-directional

D.

Bi-directional

Question 82

SOAP services use which technology to format information?

Options:

A.

SATA

B.

PCI

C.

XML

D.

ISDN

Question 83

What is the broadcast address for the subnet 190.86.168.0/22?

Options:

A.

190.86.168.255

B.

190.86.255.255

C.

190.86.171.255

D.

190.86.169.255

Question 84

Which type of scan measures a person's external features through a digital video camera?

Options:

A.

Iris scan

B.

Retinal scan

C.

Facial recognition scan

D.

Signature kinetics scan

Question 85

Lauren is performing a network audit for her entire company. The entire network is comprised of around 500 computers. Lauren starts an ICMP ping sweep by sending one IP packet to the broadcast address of the network, but only receives responses from around five hosts. Why did this ping sweep only produce a few responses?

Options:

A.

Only Windows systems will reply to this scan.

B.

A switched network will not respond to packets sent to the broadcast address.

C.

Only Linux and Unix-like (Non-Windows) systems will reply to this scan.

D.

Only servers will reply to this scan.

Question 86

How does traceroute map the route a packet travels from point A to point B?

Options:

A.

Uses a TCP timestamp packet that will elicit a time exceeded in transit message

B.

Manipulates the value of the time to live (TTL) within packet to elicit a time exceeded in transit message

C.

Uses a protocol that will be rejected by gateways on its way to the destination

D.

Manipulates the flags within packets to force gateways into generating error messages

Question 87

Peter extracts the SID list from Windows 2008 Server machine using the hacking tool "SIDExtracter". Here is the output of the SIDs:

From the above list identify the user account with System Administrator privileges?

Options:

A.

John

B.

Rebecca

C.

Sheela

D.

Shawn

E.

Somia

F.

Chang

G.

Micah

Question 88

If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization.

How would you prevent such type of attacks?

Options:

A.

It is impossible to block these attacks

B.

Hire the people through third-party job agencies who will vet them for you

C.

Conduct thorough background checks before you engage them

D.

Investigate their social networking profiles

Question 89

While performing a ping sweep of a local subnet you receive an ICMP reply of Code 3/Type 13 for all the pings you have sent out. What is the most likely cause of this?

Options:

A.

The firewall is dropping the packets

B.

An in-line IDS is dropping the packets

C.

A router is blocking ICMP

D.

The host does not respond to ICMP packets

Question 90

Stephanie works as senior security analyst for a manufacturing company in Detroit. Stephanie manages network security throughout the organization. Her colleague Jason told her in confidence that he was able to see confidential corporate information posted on the external website http://www.jeansclothesman.com. He tries random URLs on the company 's website and finds confidential information leaked over the web. Jason says this happened about a month ago. Stephanie visits the said URLs, but she finds nothing. She is very concerned about this, since someone should be held accountable if there was sensitive information posted on the website.

Where can Stephanie go to see past versions and pages of a website?

Options:

A.

She should go to the web page Samspade.org to see web pages that might no longer be on the website

B.

If Stephanie navigates to Search.com; she will see old versions of the company website

C.

Stephanie can go to Archive.org to see past versions of the company website

D.

AddressPast.com would have any web pages that are no longer hosted on the company's website

Question 91

What does FIN in TCP flag define?

Options:

A.

Used to abort a TCP connection abruptly

B.

Used to close a TCP connection

C.

Used to acknowledge receipt of a previous packet or transmission

D.

Used to indicate the beginning of a TCP connection

Question 92

Which Steganography technique uses Whitespace to hide secret messages?

Options:

A.

snow

B.

beetle

C.

magnet

D.

cat

Question 93

XSS attacks occur on Web pages that do not perform appropriate bounds checking on data entered by users. Characters like < > that mark the beginning/end of a tag should be converted into HTML entities.

What is the correct code when converted to html entities?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 94

Which type of hacker represents the highest risk to your network?

Options:

A.

black hat hackers

B.

grey hat hackers

C.

disgruntled employees

D.

script kiddies

Question 95

TCP/IP Session Hijacking is carried out in which OSI layer?

Options:

A.

Datalink layer

B.

Transport layer

C.

Network layer

D.

Physical layer

Question 96

The SYN flood attack sends TCP connections requests faster than a machine can process them.

  • Attacker creates a random source address for each packet
  • SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP address
  • Victim responds to spoofed IP address, then waits for confirmation that never arrives (timeout wait is about 3 minutes)
  • Victim's connection table fills up waiting for replies and ignores new connections
  • Legitimate users are ignored and will not be able to access the server

How do you protect your network against SYN Flood attacks?

Options:

A.

SYN cookies. Instead of allocating a record, send a SYN-ACK with a carefully constructed sequence number generated as a hash of the clients IP address, port number, and other information. When the client responds with a normal ACK, that special sequence number will be included, which the server then verifies. Thus, the server first allocates memory on the third packet of the handshake, not the first.

B.

RST cookies - The server sends a wrong SYN/ACK back to the client. The client should then generate a RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally

C.

Check the incoming packet's IP address with the SPAM database on the Internet and enable the filter using ACLs at the Firewall

D.

Stack Tweaking. TCP stacks can be tweaked in order to reduce the effect of SYN floods. Reduce the timeout before a stack frees up the memory allocated for a connection

E.

Micro Blocks. Instead of allocating a complete connection, simply allocate a micro record of 16-bytes for the incoming SYN object

Question 97

How do you defend against Privilege Escalation?

Options:

A.

Use encryption to protect sensitive data

B.

Restrict the interactive logon privileges

C.

Run services as unprivileged accounts

D.

Allow security settings of IE to zero or Low

E.

Run users and applications on the least privileges

Question 98

In TCP communications there are 8 flags; FIN, SYN, RST, PSH, ACK, URG, ECE, CWR. These flags have decimal numbers assigned to them:

FIN = 1

SYN = 2

RST = 4

PSH = 8

ACK = 16

URG = 32

ECE = 64

CWR = 128

Jason is the security administrator of ASPEN Communications. He analyzes some traffic using Wireshark and has enabled the following filters.

What is Jason trying to accomplish here?

Options:

A.

SYN, FIN, URG and PSH

B.

SYN, SYN/ACK, ACK

C.

RST, PSH/URG, FIN

D.

ACK, ACK, SYN, URG

Question 99

Syslog is a standard for logging program messages. It allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. It also provides devices, which would otherwise be unable to communicate a means to notify administrators of problems or performance.

What default port Syslog daemon listens on?

Options:

A.

242

B.

312

C.

416

D.

514

Question 100

Which of the following tool would be considered as Signature Integrity Verifier (SIV)?

Options:

A.

Nmap

B.

SNORT

C.

VirusSCAN

D.

Tripwire

Question 101

You receive an e-mail with the following text message.

"Microsoft and HP today warned all customers that a new, highly dangerous virus has been discovered which will erase all your files at midnight. If there's a file called hidserv.exe on your computer, you have been infected and your computer is now running a hidden server that allows hackers to access your computer. Delete the file immediately. Please also pass this message to all your friends and colleagues as soon as possible."

You launch your antivirus software and scan the suspicious looking file hidserv.exe located in c:\windows directory and the AV comes out clean meaning the file is not infected. You view the file signature and confirm that it is a legitimate Windows system file "Human Interface Device Service".

What category of virus is this?

Options:

A.

Virus hoax

B.

Spooky Virus

C.

Stealth Virus

D.

Polymorphic Virus

Question 102

Maintaining a secure Web server requires constant effort, resources, and vigilance from an organization. Securely administering a Web server on a daily basis is an essential aspect of Web server security.

Maintaining the security of a Web server will usually involve the following steps:

1. Configuring, protecting, and analyzing log files

2. Backing up critical information frequently

3. Maintaining a protected authoritative copy of the organization's Web content

4. Establishing and following procedures for recovering from compromise

5. Testing and applying patches in a timely manner

6. Testing security periodically.

In which step would you engage a forensic investigator?

Options:

A.

1

B.

2

C.

3

D.

4

E.

5

F.

6

Question 103

Which is the right sequence of packets sent during the initial TCP three way handshake?

Options:

A.

FIN, FIN-ACK, ACK

B.

SYN, URG, ACK

C.

SYN, ACK, SYN-ACK

D.

SYN, SYN-ACK, ACK

Question 104

ETHER: Destination address : 0000BA5EBA11 ETHER: Source address :

An employee wants to defeat detection by a network-based IDS application. He does not want to attack the system containing the IDS application. Which of the following strategies can be used to defeat detection by a network-based IDS application?

Options:

A.

Create a SYN flood

B.

Create a network tunnel

C.

Create multiple false positives

D.

Create a ping flood

Question 105

If you perform a port scan with a TCP ACK packet, what should an OPEN port return?

Options:

A.

RST

B.

No Reply

C.

SYN/ACK

D.

FIN

Question 106

If you send a SYN to an open port, what is the correct response?(Choose all correct answers.

Options:

A.

SYN

B.

ACK

C.

FIN

D.

PSH

Question 107

Which of the following is the best way an attacker can passively learn about technologies used in an organization?

Options:

A.

By sending web bugs to key personnel

B.

By webcrawling the organization web site

C.

By searching regional newspapers and job databases for skill sets technology hires need to possess in the organization

D.

By performing a port scan on the organization's web site

Question 108

What do you call a system where users need to remember only one username and password, and be authenticated for multiple services?

Options:

A.

Simple Sign-on

B.

Unique Sign-on

C.

Single Sign-on

D.

Digital Certificate

Question 109

Eve decides to get her hands dirty and tries out a Denial of Service attack that is relatively new to her. This time she envisages using a different kind of method to attack Brownies Inc. Eve tries to forge the packets and uses the broadcast address. She launches an attack similar to that of fraggle. What is the technique that Eve used in the case above?

Options:

A.

Smurf

B.

Bubonic

C.

SYN Flood

D.

Ping of Death

Question 110

802.11b is considered a ____________ protocol.

Options:

A.

Connectionless

B.

Secure

C.

Unsecure

D.

Token ring based

E.

Unreliable

Question 111

Look at the following SQL query.

SELECT * FROM product WHERE PCategory='computers' or 1=1--'

What will it return? Select the best answer.

Options:

A.

All computers and all 1's

B.

All computers

C.

All computers and everything else

D.

Everything except computers

Question 112

Steven the hacker realizes that the network administrator of XYZ is using syskey to protect organization resources in the Windows 2000 Server. Syskey independently encrypts the hashes so that physical access to the server, tapes, or ERDs is only first step to cracking the passwords. Steven must break through the encryption used by syskey before he can attempt to brute force dictionary attacks on the hashes. Steven runs a program called “SysCracker” targeting the Windows 2000 Server machine in attempting to crack the hash used by Syskey. He needs to configure the encryption level before he can launch attach.

How many bits does Syskey use for encryption?

Options:

A.

40 bit

B.

64 bit

C.

256 bit

D.

128 bit

Question 113

Bob reads an article about how insecure wireless networks can be. He gets approval from his management to implement a policy of not allowing any wireless devices on the network. What other steps does Bob have to take in order to successfully implement this? (Select 2 answer.)

Options:

A.

Train users in the new policy.

B.

Disable all wireless protocols at the firewall.

C.

Disable SNMP on the network so that wireless devices cannot be configured.

D.

Continuously survey the area for wireless devices.

Question 114

Which of the following is most effective against passwords?

Select the Answer:

Options:

A.

Dictionary Attack

B.

BruteForce attack

C.

Targeted Attack

D.

Manual password Attack

Question 115

You have successfully run a buffer overflow attack against a default IIS installation running on a Windows 2000 Server. The server allows you to spawn a shell. In order to perform the actions you intend to do, you need elevated permission. You need to know what your current privileges are within the shell. Which of the following options would be your current privileges?

Options:

A.

Administrator

B.

IUSR_COMPUTERNAME

C.

LOCAL_SYSTEM

D.

Whatever account IIS was installed with

Question 116

What type of attack changes its signature and/or payload to avoid detection by antivirus programs?

Options:

A.

Polymorphic

B.

Rootkit

C.

Boot sector

D.

File infecting

Question 117

Virus Scrubbers and other malware detection program can only detect items that they are aware of. Which of the following tools would allow you to detect unauthorized changes or modifications of binary files on your system by unknown malware?

Options:

A.

System integrity verification tools

B.

Anti-Virus Software

C.

A properly configured gateway

D.

There is no way of finding out until a new updated signature file is released

Question 118

The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The file Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.

He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below:

What can you infer from the exploit given?

Options:

A.

It is a local exploit where the attacker logs in using username johna2k.

B.

There are two attackers on the system – johna2k and haxedj00.

C.

The attack is a remote exploit and the hacker downloads three files.

D.

The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port.

Question 119

What is a sheepdip?

Options:

A.

It is another name for Honeynet

B.

It is a machine used to coordinate honeynets

C.

It is the process of checking physical media for virus before they are used in a computer

D.

None of the above

Question 120

Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool “SIDExtractor”. Here is the output of the SIDs:

From the above list identify the user account with System Administrator privileges.

Options:

A.

John

B.

Rebecca

C.

Sheela

D.

Shawn

E.

Somia

F.

Chang

G.

Micah

Question 121

According to the CEH methodology, what is the next step to be performed after footprinting?

Options:

A.

Enumeration

B.

Scanning

C.

System Hacking

D.

Social Engineering

E.

Expanding Influence

Question 122

What are two things that are possible when scanning UDP ports? (Choose two.

Options:

A.

A reset will be returned

B.

An ICMP message will be returned

C.

The four-way handshake will not be completed

D.

An RFC 1294 message will be returned

E.

Nothing

Question 123

John has scanned the web server with NMAP. However, he could not gather enough information to help him identify the operating system running on the remote host accurately.

What would you suggest to John to help identify the OS that is being used on the remote web server?

Options:

A.

Connect to the web server with a browser and look at the web page.

B.

Connect to the web server with an FTP client.

C.

Telnet to port 8080 on the web server and look at the default page code.

D.

Telnet to an open port and grab the banner.

Question 124

While performing a ping sweep of a subnet you receive an ICMP reply of Code 3/Type 13 for all the pings sent out.

What is the most likely cause behind this response?

Options:

A.

The firewall is dropping the packets.

B.

An in-line IDS is dropping the packets.

C.

A router is blocking ICMP.

D.

The host does not respond to ICMP packets.

Question 125

SNMP is a protocol used to query hosts, servers, and devices about performance or health status data. This protocol has long been used by hackers to gather great amount of information about remote hosts.

Which of the following features makes this possible? (Choose two)

Options:

A.

It used TCP as the underlying protocol.

B.

It uses community string that is transmitted in clear text.

C.

It is susceptible to sniffing.

D.

It is used by all network devices on the market.

Question 126

What is the proper response for a X-MAS scan if the port is closed?

Options:

A.

SYN

B.

ACK

C.

FIN

D.

PSH

E.

RST

F.

No response

Question 127

What is the proper response for a NULL scan if the port is closed?

Options:

A.

SYN

B.

ACK

C.

FIN

D.

PSH

E.

RST

F.

No response

Question 128

Which of the following LM hashes represents a password of less than 8 characters?

Options:

A.

0182BD0BD4444BF836077A718CCDF409

B.

44EFCE164AB921CQAAD3B435B51404EE

C.

BA810DBA98995F1817306D272A9441BB

D.

CEC52EB9C8E3455DC2265B23734E0DAC

E.

B757BF5C0D87772FAAD3B435B51404EE

F.

E52CAC67419A9A224A3B108F3FA6CB6D

Question 129

What type of port scan is shown below?

Options:

A.

Idle Scan

B.

Windows Scan

C.

XMAS Scan

D.

SYN Stealth Scan

Question 130

Use the traceroute results shown above to answer the following question:

The perimeter security at targetcorp.com does not permit ICMP TTL-expired packets out.

Options:

A.

True

B.

False

Question 131

Which Type of scan sends a packets with no flags set? Select the Answer

Options:

A.

Open Scan

B.

Null Scan

C.

Xmas Scan

D.

Half-Open Scan

Demo: 131 questions
Total 878 questions