
Ethical Hacking and Countermeasures V8 Questions and Answers

Last Update Jul 15, 2024
Total Questions : 878

Questions 1

Study the log below and identify the scan type.

Options:

A.  

nmap -sR 192.168.1.10

B.  

nmap -sS 192.168.1.10

C.  

nmap -sV 192.168.1.10

D.  

nmap -sO -T 192.168.1.10

Questions 2

One of your team members has asked you to analyze the following SOA record. What is the version?

Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.

Options:

A.  

200303028

B.  

3600

C.  

604800

D.  

2400

E.  

60

F.  

4800

Questions 3

You are having problems retrieving results after performing port scanning during internal testing. You verify that there are no security devices between you and the target system. When both stealth and connect scanning do not work, you decide to perform a NULL scan with NMAP. The first few systems scanned show all ports open.

Which one of the following statements is probably true?

Options:

A.  

The systems have all ports open.

B.  

The systems are running a host based IDS.

C.  

The systems are web servers.

D.  

The systems are running Windows.

Questions 4

Which definition among those given below best describes a covert channel?

Options:

A.  

A server program using a port that is not well known.

B.  

Making use of a protocol in a way it is not intended to be used.

C.  

It is the multiplexing taking place on a communication link.

D.  

It is one of the weak channels used by WEP which makes it insecure.

Questions 5

A file integrity program such as Tripwire protects against Trojan horse attacks by:

Options:

A.  

Automatically deleting Trojan horse programs

B.  

Rejecting packets generated by Trojan horse programs

C.  

Using programming hooks to inform the kernel of Trojan horse behavior

D.  

Helping you catch unexpected changes to a system utility file that might indicate it had been replaced by a Trojan horse

Questions 6

You suspect that your Windows machine has been compromised with a Trojan virus. When you run anti-virus software, it does not pick up the Trojan. Next you run the netstat command to look for open ports and you notice a strange port 6666 open.

What is the next step you would do?

Options:

A.  

Re-install the operating system.

B.  

Re-run anti-virus software.

C.  

Install and run Trojan removal software.

D.  

Run utility fport and look for the application executable that listens on port 6666.

Questions 7

Harold is the senior security analyst for a small state agency in New York. He has no other security professionals that work under him, so he has to do all the security-related tasks for the agency. Coming from a computer hardware background, Harold does not have a lot of experience with security methodologies and technologies, but he was the only one who applied for the position. Harold is currently trying to run a Sniffer on the agency's network to get an idea of what kind of traffic is being passed around, but the program he is using does not seem to be capturing anything. He pores through the Sniffer's manual, but cannot find anything that directly relates to his problem. Harold decides to ask the network administrator if he has any thoughts on the problem. Harold is told that the Sniffer was not working because the agency's network is a switched network, which cannot be sniffed by some programs without some tweaking. What technique could Harold use to sniff his agency's switched network?

Options:

A.  

ARP spoof the default gateway

B.  

Conduct MiTM against the switch

C.  

Launch smurf attack against the switch

D.  

Flood the switch with ICMP packets

Questions 8

A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites. 77 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets had an ICMP ID:0 and Seq:0. What can you infer from this information?

Options:

A.  

The packets were sent by a worm spoofing the IP addresses of 47 infected sites

B.  

ICMP ID and Seq numbers were most likely set by a tool and not by the operating system

C.  

All 77 packets came from the same LAN segment and hence had the same ICMP ID and Seq number

D.  

13 packets were from an external network and probably behind a NAT, as they had an ICMP ID 0 and Seq 0

Questions 9

Doug is conducting a port scan of a target network. He knows that his client target network has a web server and that there is a mail server also which is up and running. Doug has been sweeping the network but has not been able to elicit any response from the remote target. Which of the following could be the most likely cause behind this lack of response? Select 4.

Options:

A.  

UDP is filtered by a gateway

B.  

The packet TTL value is too low and cannot reach the target

C.  

The host might be down

D.  

The destination network might be down

E.  

The TCP windows size does not match

F.  

ICMP is filtered by a gateway

Questions 10

Ann would like to perform a reliable scan against a remote target. She is not concerned about being stealthy at this point.

Which of the following types of scans would be the most accurate and reliable option?

Options:

A.  

A half-scan

B.  

A UDP scan

C.  

A TCP Connect scan

D.  

A FIN scan

Questions 11

According to the CEH methodology, what is the next step to be performed after footprinting?

Options:

A.  

Enumeration

B.  

Scanning

C.  

System Hacking

D.  

Social Engineering

E.  

Expanding Influence

Questions 12

Why would an attacker want to perform a scan on port 137?

Options:

A.  

To discover proxy servers on a network

B.  

To disrupt the NetBIOS SMB service on the target host

C.  

To check for file and print sharing on Windows systems

D.  

To discover information about a target host using NBTSTAT

Questions 13

Network Administrator Patricia is doing an audit of the network. Below are some of her findings concerning DNS. Which of these would be a cause for alarm?

Select the best answer.

Options:

A.  

There are two external DNS Servers for Internet domains. Both are AD integrated.

B.  

All external DNS is done by an ISP.

C.  

Internal AD Integrated DNS servers are using private DNS names that are unregistered.

D.  

Private IP addresses are used on the internal network and are registered with the internal AD integrated DNS server.

Questions 14

You have initiated an active operating system fingerprinting attempt with nmap against a target system:

What operating system is the target host running based on the open ports shown above?

Options:

A.  

Windows XP

B.  

Windows 98 SE

C.  

Windows NT4 Server

D.  

Windows 2000 Server

Questions 15

What is "Hacktivism"?

Options:

A.  

Hacking for a cause

B.  

Hacking ruthlessly

C.  

An association which groups activists

D.  

None of the above

Questions 16

Where should a security tester be looking for information that could be used by an attacker against an organization? (Select all that apply)

Options:

A.  

CHAT rooms

B.  

WHOIS database

C.  

News groups

D.  

Web sites

E.  

Search engines

F.  

Organization’s own web site

Questions 17

What type of session hijacking attack is shown in the exhibit?

Options:

A.  

Cross-site scripting Attack

B.  

SQL Injection Attack

C.  

Token sniffing Attack

D.  

Session Fixation Attack

Questions 18

TCP SYN Flood attack uses the three-way handshake mechanism.

1. An attacker at system A sends a SYN packet to victim at system B.

2. System B sends a SYN/ACK packet to victim A.

3. As a normal three-way handshake mechanism system A should send an ACK packet to system B, however, system A does not send an ACK packet to system B. In this case client B is waiting for an ACK packet from client A.

This status of client B is called _________________

Options:

A.  

"half-closed"

B.  

"half open"

C.  

"full-open"

D.  

"xmas-open"

Questions 19

Tess King is making use of Digest Authentication for her Web site. Why is this considered to be more secure than Basic authentication?

Options:

A.  

Basic authentication is broken

B.  

The password is never sent in clear text over the network

C.  

The password sent in clear text over the network is never reused.

D.  

It is based on Kerberos authentication protocol

Questions 20

Once an intruder has gained access to a remote system with a valid username and password, the attacker will attempt to increase his privileges by escalating the used account to one that has increased privileges, such as that of an administrator. What would be the best countermeasure to protect against escalation of privileges?

Options:

A.  

Give users tokens

B.  

Give user the least amount of privileges

C.  

Give users two passwords

D.  

Give users a strong policy document

Questions 21

An Evil Cracker is attempting to penetrate your private network security. To do this, he must not be seen by your IDS, as it may take action to stop him. What tool might he use to bypass the IDS?

Select the best answer.

Options:

A.  

Firewalk

B.  

Manhunt

C.  

Fragrouter

D.  

Fragids

Questions 22

Which of the following should be performed first in any penetration test?

Options:

A.  

System identification

B.  

Intrusion Detection System testing

C.  

Passive information gathering

D.  

Firewall testing

Questions 23

Bob reads an article about how insecure wireless networks can be. He gets approval from his management to implement a policy of not allowing any wireless devices on the network. What other steps does Bob have to take in order to successfully implement this? (Select 2 answers.)

Options:

A.  

Train users in the new policy.

B.  

Disable all wireless protocols at the firewall.

C.  

Disable SNMP on the network so that wireless devices cannot be configured.

D.  

Continuously survey the area for wireless devices.

Questions 24

What is a primary advantage a hacker gains by using encryption or programs such as Loki?

Options:

A.  

It allows an easy way to gain administrator rights

B.  

It is effective against Windows computers

C.  

It slows down the effective response of an IDS

D.  

IDS systems are unable to decrypt it

E.  

Traffic will not be modified in transit

Questions 25

You are attempting to map out the firewall policy for an organization. You discover your target system is one hop beyond the firewall. Using hping2, you send SYN packets with the exact TTL of the target system starting at port 1 and going up to port 1024. What is this process known as?

Options:

A.  

Footprinting

B.  

Firewalking

C.  

Enumeration

D.  

Idle scanning

Questions 26

Exhibit

Study the log given in the exhibit,

Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate?

Options:

A.  

Disallow UDP 53 in from outside to DNS server

B.  

Allow UDP 53 in from DNS server to outside

C.  

Disallow TCP 53 in from secondaries or ISP server to DNS server

D.  

Block all UDP traffic

Questions 27

Henry is an attacker and wants to gain control of a system and use it to flood a target system with requests, so as to prevent legitimate users from gaining access. What type of attack is Henry using?

Options:

A.  

Henry is executing commands or viewing data outside the intended target path

B.  

Henry is using a denial of service attack which is a valid threat used by an attacker

C.  

Henry is taking advantage of an incorrect configuration that leads to access with higher-than-expected privilege

D.  

Henry uses poorly designed input validation routines to create or alter commands to gain access to unintended data or execute commands

Questions 28

If you come across a sheepdip machine at your client site, what would you infer?

Options:

A.  

A sheepdip computer is used only for virus checking.

B.  

A sheepdip computer is another name for honeypot.

C.  

A sheepdip coordinates several honeypots.

D.  

A sheepdip computer defers a denial of service attack.

Questions 29

Pandora is used to attack __________ network operating systems.

Options:

A.  

Windows

B.  

UNIX

C.  

Linux

D.  

Netware

E.  

MAC OS

Questions 30

John is using tokens for the purpose of strong authentication. He is not confident that his security is considerably strong.

In the context of Session hijacking why would you consider this as a false sense of security?

Options:

A.  

The token based security cannot be easily defeated.

B.  

The connection can be taken over after authentication.

C.  

A token is not considered strong authentication.

D.  

Token security is not widely used in the industry.

Questions 31

Samantha was hired to perform an internal security test of XYZ. She quickly realized that all networks are making use of switches instead of traditional hubs. This greatly limits her ability to gather information through network sniffing.

Which of the following techniques can she use to gather information from the switched network or to disable some of the traffic isolation features of the switch? (Choose two)

Options:

A.  

Ethernet Zapping

B.  

MAC Flooding

C.  

Sniffing in promiscuous mode

D.  

ARP Spoofing

Questions 32

You have hidden a Trojan file virus.exe inside another file readme.txt using NTFS streaming.

Which command would you execute to extract the Trojan to a standalone file?

Options:

A.  

c:\> type readme.txt:virus.exe > virus.exe

B.  

c:\> more readme.txt | virus.exe > virus.exe

C.  

c:\> cat readme.txt:virus.exe > virus.exe

D.  

c:\> list redme.txt$virus.exe > virus.exe

Questions 33

After an attacker has successfully compromised a remote computer, what would be one of the last steps that would be taken to ensure that the compromise is not traced back to the source of the problem?

Options:

A.  

Install patches

B.  

Setup a backdoor

C.  

Cover your tracks

D.  

Install a zombie for DDOS

Questions 34

Joseph was the Web site administrator for the Mason Insurance in New York, whose main Web site was located at www.masonins.com. Joseph uses his laptop computer regularly to administer the Web site.

One night, Joseph received an urgent phone call from his friend, Smith. According to Smith, the main Mason Insurance web site had been vandalized! All of its normal content was removed and replaced with an attacker's message "Hacker Message: You are dead! Freaks!"

From his office, which was directly connected to Mason Insurance's internal network, Joseph surfed to the Web site using his laptop. In his browser, the Web site looked completely intact. No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the problem. The Web site appeared defaced when his friend visited using his DSL connection. So, while Smith and his friend could see the defaced page, Joseph saw the intact Mason Insurance web site. To help make sense of this problem, Joseph decided to access the Web site using his dial-up ISP. He disconnected his laptop from the corporate internal network and used his modem to dial up the same ISP used by Smith.

After his modem connected, he quickly typed www.masonins.com in his browser to reveal the following web page:

H@cker Mess@ge:

Y0u @re De@d! Fre@ks!

After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the entire Web site, and determined that every system file and all the Web content on the server were intact.

How did the attacker accomplish this hack?

Options:

A.  

ARP spoofing

B.  

SQL injection

C.  

DNS poisoning

D.  

Routing table injection

Questions 35

What is GINA?

Options:

A.  

Gateway Interface Network Application

B.  

GUI Installed Network Application CLASS

C.  

Global Internet National Authority (G-USA)

D.  

Graphical Identification and Authentication DLL

Questions 36

You are attempting to crack LM Manager hashes from a Windows 2000 SAM file. You will be using an LM brute-force hacking tool for decryption.

What encryption algorithm will you be decrypting?

Options:

A.  

MD4

B.  

DES

C.  

SHA

D.  

SSL

Questions 37

Eve is spending her day scanning the library computers. She notices that Alice is using a computer whose port 445 is active and listening. Eve uses the ENUM tool to enumerate Alice's machine. From the command prompt, she types the following command.

For /f "tokens=1" %%a in (hackfile.txt) do net use * \\10.1.2.3\c$ /user:"Administrator" %%a

What is Eve trying to do?

Options:

A.  

Eve is trying to connect as a user with Administrator privileges

B.  

Eve is trying to enumerate all users with Administrative privileges

C.  

Eve is trying to carry out a password crack for user Administrator

D.  

Eve is trying to escalate privilege of the null user to that of Administrator

Questions 38

Bank of Timbuktu is a medium-sized, regional financial institution in Timbuktu. The bank has deployed a new Internet-accessible Web application recently. Customers can access their account balances, transfer money between accounts, pay bills and conduct online financial business using a Web browser.

John Stevens is in charge of information security at Bank of Timbuktu. After one month in production, several customers have complained about the Internet enabled banking application. Strangely, the account balances of many of the bank's customers had been changed! However, money hasn't been removed from the bank; instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries:

What kind of attack did the Hacker attempt to carry out at the bank?

Options:

A.  

Brute force attack in which the Hacker attempted guessing login ID and password from password cracking tools.

B.  

The Hacker attempted Session hijacking, in which the Hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session.

C.  

The Hacker used a generator module to pass results to the Web server and exploited Web application CGI vulnerability.

D.  

The Hacker first attempted logins with suspected user names, then used SQL Injection to gain access to valid bank login IDs.

Questions 39

SOAP services use which technology to format information?

Options:

A.  

SATA

B.  

PCI

C.  

XML

D.  

ISDN

Questions 40

During a penetration test, the tester conducts an ACK scan using NMAP against the external interface of the DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which type of packet inspection is the firewall conducting?

Options:

A.  

Host

B.  

Stateful

C.  

Stateless

D.  

Application

Questions 41

A company has made the decision to host their own email and basic web services. The administrator needs to set up the external firewall to limit what protocols should be allowed to get to the public part of the company's network. Which ports should the administrator open? (Choose three.)

Options:

A.  

Port 22

B.  

Port 23

C.  

Port 25

D.  

Port 53

E.  

Port 80

F.  

Port 139

G.  

Port 445

Questions 42

What do you call a pre-computed hash?

Options:

A.  

Sun tables

B.  

Apple tables

C.  

Rainbow tables

D.  

Moon tables

Questions 43

You are trying to hijack a telnet session from a victim machine with IP address 10.0.0.5 to Cisco router at 10.0.0.1. You sniff the traffic and attempt to predict the sequence and acknowledgement numbers to successfully hijack the telnet session.

Here is the captured data in tcpdump.

What are the next sequence and acknowledgement numbers that the router will send to the victim machine?

Options:

A.  

Sequence number: 82980070 Acknowledgement number: 17768885

B.  

Sequence number: 17768729 Acknowledgement number: 82980070

C.  

Sequence number: 87000070 Acknowledgement number: 85320085

D.  

Sequence number: 82980010 Acknowledgement number: 17768885

Questions 44

John is the network administrator of XSECURITY systems. His network was recently compromised. He analyzes the log files to investigate the attack. Take a look at the following Linux log file snippet. The hacker compromised and "owned" a Linux machine. What is the hacker trying to accomplish here?

Options:

A.  

The hacker is attempting to compromise more machines on the network

B.  

The hacker is planting a rootkit

C.  

The hacker is running a buffer overflow exploit to lock down the system

D.  

The hacker is trying to cover his tracks

Questions 45

Which of the following identifies the three modes in which Snort can be configured to run?

Options:

A.  

Sniffer, Packet Logger, and Network Intrusion Detection System

B.  

Sniffer, Network Intrusion Detection System, and Host Intrusion Detection System

C.  

Sniffer, Host Intrusion Prevention System, and Network Intrusion Prevention System

D.  

Sniffer, Packet Logger, and Host Intrusion Prevention System

Questions 46

Which tool would be used to collect wireless packet data?

Options:

A.  

NetStumbler

B.  

John the Ripper

C.  

Nessus

D.  

Netcat

Questions 47

A covert channel is a channel that

Options:

A.  

transfers information over, within a computer system, or network that is outside of the security policy.

B.  

transfers information over, within a computer system, or network that is within the security policy.

C.  

transfers information via a communication path within a computer system, or network for transfer of data.

D.  

transfers information over, within a computer system, or network that is encrypted.

Questions 48

The GET method should never be used when sensitive data such as credit card information is being sent to a CGI program. This is because any GET command will appear in the URL, and will be logged by any servers. For example, let's say that you've entered your credit card information into a form that uses the GET method. The URL may appear like this:

https://www.xsecurity-bank.com/creditcard.asp?cardnumber=453453433532234

The GET method appends the credit card number to the URL. This means that anyone with access to a server log will be able to obtain this information. How would you protect from this type of attack?

Options:

A.  

Never include sensitive information in a script

B.  

Use HTTPS SSLv3 to send the data instead of plain HTTPS

C.  

Replace the GET with POST method when sending data

D.  

Encrypt the data before you send using GET method

Questions 49

To which of the following Registry locations does a Trojan add entries to make itself persistent on Windows 7? (Select 2 answers)

Options:

A.  

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

B.  

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\System32\CurrentVersion\Run

C.  

HKEY_CURRENT_USER\Software\Microsoft\Windows\System32\CurrentVersion\Run

D.  

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Questions 50

Jeremy is web security consultant for Information Securitas. Jeremy has just been hired to perform contract work for a large state agency in Michigan. Jeremy's first task is to scan all the company's external websites. Jeremy comes upon a login page which appears to allow employees access to sensitive areas on the website. James types in the following statement in the username field:

SELECT * from Users where username='admin' AND password='' AND email like '%@testers.com%'

What will the SQL statement accomplish?

Options:

A.  

If the page is susceptible to SQL injection, it will look in the Users table for usernames of admin

B.  

This statement will look for users with the name of admin, blank passwords, and email addresses that end in @testers.com

C.  

This Select SQL statement will log James in if there are any users with NULL passwords

D.  

James will be able to see if there are any default user accounts in the SQL database

Questions 51

What command would you type to OS fingerprint a server using the command line?

Options:

A.  

Option A

B.  

Option B

C.  

Option C

D.  

Option D

Questions 52

Kevin is an IT security analyst working for Emerson Time Makers, a watch manufacturing company in Miami. Kevin and his girlfriend Katy recently broke up after a big fight. Kevin believes that she was seeing another person. Kevin, who has an online email account that he uses for most of his mail, knows that Katy has an account with that same company. Kevin logs into his email account online and gets the following URL after successfully logging in: http://www.youremailhere.com/mail.asp?mailbox=Kevin &Smith=121%22 Kevin changes the URL to: http://www.youremailhere.com/mail.asp?mailbox=Katy &Sanchez=121%22 Kevin is trying to access her email account to see if he can find out any information. What is Kevin attempting here to gain access to Katy's mailbox?

Options:

A.  

This type of attempt is called URL obfuscation when someone manually changes a URL to try and gain unauthorized access

B.  

By changing the mailbox's name in the URL, Kevin is attempting directory traversal

C.  

Kevin is trying to utilize query string manipulation to gain access to her email account

D.  

He is attempting a path-string attack to gain access to her mailbox

Questions 53

What type of port scan is shown below?

Options:

A.  

Idle Scan

B.  

Windows Scan

C.  

XMAS Scan

D.  

SYN Stealth Scan

Questions 54

What will the following command produce on a website's login page if executed successfully? SELECT email, passwd, login_id, full_name FROM members WHERE email = 'someone@somewhere.com'; DROP TABLE members; --'

Options:

A.  

This code will insert the someone@somewhere.com email address into the members table.

B.  

This command will delete the entire members table.

C.  

It retrieves the password for the first user in the members table.

D.  

This command will not produce anything since the syntax is incorrect.

Questions 55

Within the context of Computer Security, which of the following statements describes Social Engineering best?

Options:

A.  

Social Engineering is the act of publicly disclosing information

B.  

Social Engineering is the means put in place by human resources to perform time accounting

C.  

Social Engineering is the act of getting needed information from a person rather than breaking into a system

D.  

Social Engineering is a training program within sociology studies

Questions 56

The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below:

You are hired to conduct security testing on their network. You successfully brute-force the SNMP community string using a SNMP crack tool. The access-list configured at the router prevents you from establishing a successful connection. You want to retrieve the Cisco configuration from the router. How would you proceed?

Options:

A.  

Use the Cisco's TFTP default password to connect and download the configuration file

B.  

Run a network sniffer and capture the returned traffic with the configuration file from the router

C.  

Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address

D.  

Send a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0

Questions 57

When writing shellcodes, you must avoid ____________ because these will end the string.

Options:

A.  

Root bytes

B.  

Null bytes

C.  

Char bytes

D.  

Unicode bytes

Questions 58

Gerald, the Systems Administrator for Hyped Enterprises, has just discovered that his network has been breached by an outside attacker. After performing routine maintenance on his servers, he discovers numerous remote tools were installed that no one claims to have knowledge of in his department. Gerald logs onto the management console for his IDS and discovers an unknown IP address that scanned his network constantly for a week and was able to access his network through a high-level port that was not closed. Gerald traces the IP address he found in the IDS log to a proxy server in Brazil. Gerald calls the company that owns the proxy server and after searching through their logs, they trace the source to another proxy server in Switzerland. Gerald calls the company in Switzerland that owns the proxy server and after scanning through the logs again, they trace the source back to a proxy server in China. What proxy tool has Gerald's attacker used to cover their tracks?

Options:

A.  

ISA proxy

B.  

IAS proxy

C.  

TOR proxy

D.  

Cheops proxy

Questions 59

Study the snort rule given below and interpret the rule.

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

Options:

A.  

An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111

B.  

An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet

C.  

An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet

D.  

An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111

Questions 60

Which of the following is NOT part of CEH Scanning Methodology?

Options:

A.  

Check for Live systems

B.  

Check for Open Ports

C.  

Banner Grabbing

D.  

Prepare Proxies

E.  

Social Engineering attacks

F.  

Scan for Vulnerabilities

G.  

Draw Network Diagrams

Questions 61

The FIN flag is set and sent from host A to host B when host A has no more data to transmit (Closing a TCP connection). This flag releases the connection resources. However, host A can continue to receive data as long as the SYN sequence numbers of transmitted packets from host B are lower than the packet segment containing the set FIN flag.

Options:

A.  

false

B.  

true

Questions 62

In this type of Man-in-the-Middle attack, packets and authentication tokens are captured using a sniffer. Once the relevant information is extracted, the tokens are placed back on the network to gain access.

Options:

A.  

Token Injection Replay attacks

B.  

Shoulder surfing attack

C.  

Rainbow and Hash generation attack

D.  

Dumpster diving attack

Questions 63

What type of session hijacking attack is shown in the exhibit?

Options:

A.  

Session Sniffing Attack

B.  

Cross-site scripting Attack

C.  

SQL Injection Attack

D.  

Token sniffing Attack

Questions 64

When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established. This is referred to as the "TCP three-way handshake." While waiting for the ACK to the SYN/ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN/ACK. How would an attacker exploit this design by launching a TCP SYN attack?

Options:

A.  

Attacker generates TCP SYN packets with random destination addresses towards a victim host

B.  

Attacker floods TCP SYN packets with random source addresses towards a victim host

C.  

Attacker generates TCP ACK packets with random source addresses towards a victim host

D.  

Attacker generates TCP RST packets with random source addresses towards a victim host

Questions 65

You establish a new Web browser connection to Google. Since a 3-way handshake is required for any TCP connection, the following actions will take place.

  • DNS query is sent to the DNS server to resolve www.google.com
  • DNS server replies with the IP address for Google
  • SYN packet is sent to Google.
  • Google sends back a SYN/ACK packet
  • Your computer completes the handshake by sending an ACK
  • The connection is established and the transfer of data commences

Which of the following packets represent completion of the 3-way handshake?

Options:

A.  

4th packet

B.  

3rd packet

C.  

6th packet

D.  

5th packet

Questions 66

Take a look at the following attack on a Web Server using obstructed URL:

How would you protect from these attacks?

Options:

A.  

Configure the Web Server to deny requests involving "hex encoded" characters

B.  

Create rules in IDS to alert on strange Unicode requests

C.  

Use SSL authentication on Web Servers

D.  

Enable Active Scripts Detection at the firewall and routers

Questions 67

LAN Manager passwords are concatenated to 14 bytes and split in half. The two halves are hashed individually. If the password is 7 characters or less, then the second half of the hash is always:

Options:

A.  

0xAAD3B435B51404EE

B.  

0xAAD3B435B51404AA

C.  

0xAAD3B435B51404BB

D.  

0xAAD3B435B51404CC

Questions 68

Hampton is the senior security analyst for the city of Columbus in Ohio. His primary responsibility is to ensure that all physical and logical aspects of the city's computer network are secure from all angles. Bill is an IT technician who works with Hampton in the same IT department. Bill's primary responsibility is to keep PCs and servers up to date and to keep track of all the agency laptops that the company owns and lends out to its employees. After Bill set up a wireless network for the agency, Hampton made sure that everything was secure. He instituted encryption, rotating keys, turned off SSID broadcasting, and enabled MAC filtering. According to agency policy, only company laptops are allowed to use the wireless network, so Hampton entered all the MAC addresses for those laptops into the wireless security utility so that only those laptops should be able to access the wireless network.

Hampton does not keep track of all the laptops, but he is pretty certain that the agency only purchases Dell laptops. Hampton is curious about this because he notices Bill working on a Toshiba laptop one day and saw that he was on the Internet. Instead of jumping to conclusions, Hampton decides to talk to Bill's boss and see if they had purchased a Toshiba laptop instead of the usual Dell. Bill's boss said no, so now Hampton is very curious to see how Bill is accessing the Internet. Hampton does site surveys every couple of days, and has yet to see any outside wireless network signals inside the company's building.

How was Bill able to get Internet access without using an agency laptop?

Options:

A.  

Bill spoofed the MAC address of Dell laptop

B.  

Bill connected to a Rogue access point

C.  

Toshiba and Dell laptops share the same hardware address

D.  

Bill brute forced the Mac address ACLs

Questions 69

E-mail tracking is a method to monitor and spy on the e-mails delivered to the intended recipient.

Select a feature, which you will NOT be able to accomplish with this probe?

Options:

A.  

When the e-mail was received and read

B.  

Send destructive e-mails

C.  

GPS location and map of the recipient

D.  

Time spent on reading the e-mails

E.  

Whether or not the recipient visited any links sent to them

F.  

Track PDF and other types of attachments

G.  

Set messages to expire after specified time

Questions 70

You want to know whether a packet filter is in front of 192.168.1.10. Pings to 192.168.1.10 don't get answered. A basic nmap scan of 192.168.1.10 seems to hang without returning any information. What should you do next?

Options:

A.  

Run NULL TCP hping2 against 192.168.1.10

B.  

Run nmap XMAS scan against 192.168.1.10

C.  

The firewall is blocking all the scans to 192.168.1.10

D.  

Use NetScan Tools Pro to conduct the scan

Questions 71

A Trojan horse is a destructive program that masquerades as a benign application. The software initially appears to perform a desirable function for the user prior to installation and/or execution, but in addition to the expected function steals information or harms the system.

The challenge for an attacker is to send a convincing file attachment to the victim, which gets easily executed on the victim machine without raising any suspicion. Today's end users are quite knowledgeable about malware and viruses. Instead of sending games and fun executables, hackers today are quite successful in spreading Trojans using Rogue security software.

What is Rogue security software?

Options:

A.  

A flash file extension to Firefox that gets automatically installed when a victim visits rogue software disabling websites

B.  

A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software.

C.  

Rogue security software is based on a social engineering technique in which the attacker lures the victim to visit spear phishing websites

D.  

This software disables firewalls and establishes reverse connecting tunnel between the victim's machine and that of the attacker

Questions 72

The use of technologies like IPSec can help guarantee the following: authenticity, integrity, confidentiality and

Options:

A.  

non-repudiation.

B.  

operability.

C.  

security.

D.  

usability.

Questions 73

Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the network’s IDS?

Options:

A.  

Timing options to slow the speed that the port scan is conducted

B.  

Fingerprinting to identify which operating systems are running on the network

C.  

ICMP ping sweep to determine which hosts on the network are not available

D.  

Traceroute to control the path of the packets sent during the scan

Questions 74

Which of the following problems can be solved by using Wireshark?

Options:

A.  

Tracking version changes of source code

B.  

Checking creation dates on all webpages on a server

C.  

Resetting the administrator password on multiple systems

D.  

Troubleshooting communication resets between two systems

Questions 75

A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over ports 20 and 21. During analysis, there were no signs of attack on the FTP servers. How should the administrator classify this situation?

Options:

A.  

True negatives

B.  

False negatives

C.  

True positives

D.  

False positives

Questions 76

Employees in a company are no longer able to access Internet web sites on their computers. The network administrator is able to successfully ping IP address of web servers on the Internet and is able to open web sites by using an IP address in place of the URL. The administrator runs the nslookup command for www.eccouncil.org and receives an error message stating there is no response from the server. What should the administrator do next?

Options:

A.  

Configure the firewall to allow traffic on TCP ports 53 and UDP port 53.

B.  

Configure the firewall to allow traffic on TCP ports 80 and UDP port 443.

C.  

Configure the firewall to allow traffic on TCP port 53.

D.  

Configure the firewall to allow traffic on TCP port 8080.

Questions 77

An attacker has captured a target file that is encrypted with public key cryptography. Which of the attacks below is likely to be used to crack the target file?

Options:

A.  

Timing attack

B.  

Replay attack

C.  

Memory trade-off attack

D.  

Chosen plain-text attack

Questions 78

The fundamental difference between symmetric and asymmetric key cryptographic systems is that symmetric key cryptography uses which of the following?

Options:

A.  

Multiple keys for non-repudiation of bulk data

B.  

Different keys on both ends of the transport medium

C.  

Bulk encryption for data transmission over fiber

D.  

The same key on each end of the transmission medium

Questions 79

A penetration tester is conducting a port scan on a specific host. The tester found several ports opened that were confusing in concluding the Operating System (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS?

Starting NMAP 5.21 at 2011-03-15 11:06

NMAP scan report for 172.16.40.65

Host is up (1.00s latency).

Not shown: 993 closed ports

PORT STATE SERVICE

21/tcp open ftp

23/tcp open telnet

80/tcp open http

139/tcp open netbios-ssn

515/tcp open

631/tcp open  ipp

9100/tcp open

MAC Address: 00:00:48:0D:EE:89

Options:

A.  

The host is likely a Windows machine.

B.  

The host is likely a Linux machine.

C.  

The host is likely a router.

D.  

The host is likely a printer.

Questions 80

A security administrator notices that the log file of the company's webserver contains suspicious entries:

Based on source code analysis, the analyst concludes that the login.php script is vulnerable to

Options:

A.  

command injection.

B.  

SQL injection.

C.  

directory traversal.

D.  

LDAP injection.

Questions 81

Which of the following settings enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity?

Options:

A.  

Netstat WMI Scan

B.  

Silent Dependencies

C.  

Consider unscanned ports as closed

D.  

Reduce parallel connections on congestion

Questions 82

Which of the following scanning tools is specifically designed to find potential exploits in Microsoft Windows products?

Options:

A.  

Microsoft Security Baseline Analyzer

B.  

Retina  

C.  

Core Impact

D.  

Microsoft Baseline Security Analyzer

Questions 83

A common technique for luring e-mail users into opening virus-launching attachments is to send messages that would appear to be relevant or important to many of their potential recipients. One way of accomplishing this feat is to make the virus-carrying messages appear to come from some type of business entity retailing sites, UPS, FEDEX, CITIBANK or a major provider of a common service.

Here is a fraudulent e-mail claiming to be from FedEx regarding a package that could not be delivered. This mail asks the receiver to open an attachment in order to obtain the FEDEX tracking number for picking up the package. The attachment contained in this type of e-mail activates a virus.

Vendors send e-mails like this to their customers advising them not to open any files attached with the mail, as they do not include attachments.

Both the fraudulent e-mail and the legitimate e-mail that arrive in your inbox show fedex.com as the sender of the mail.

How do you verify that the e-mail is authentic and sent from fedex.com?

Options:

A.  

Verify the digital signature attached with the mail, the fake mail will not have Digital ID at all

B.  

Check the Sender ID against the National Spam Database (NSD)

C.  

Fake mail will have spelling/grammatical errors

D.  

Fake mail uses extensive images, animation and flash content

Questions 84

More sophisticated IDSs look for common shellcode signatures. But even these systems can be bypassed by using polymorphic shellcode. This is a technique common among virus writers: it basically hides the true nature of the shellcode in different disguises.

How does a polymorphic shellcode work?

Options:

A.  

They encrypt the shellcode by XORing values over the shellcode, using loader code to decrypt the shellcode, and then executing the decrypted shellcode

B.  

They convert the shellcode into Unicode, using loader to convert back to machine code then executing them

C.  

They reverse the working instructions into opposite order by masking the IDS signatures

D.  

They compress shellcode into normal instructions, uncompress the shellcode using loader code and then executing the shellcode

Questions 85

Lori is a Certified Ethical Hacker as well as a Certified Hacking Forensics Investigator working as an IT security consultant. Lori has been hired on by Kiley Innovators, a large marketing firm that recently underwent a string of thefts and corporate espionage incidents. Lori is told that a rival marketing company came out with an exact duplicate product right before Kiley Innovators was about to release it. The executive team believes that an employee is leaking information to the rival company. Lori questions all employees, reviews server logs, and firewall logs; after which she finds nothing. Lori is then given permission to search through the corporate email system. She searches by email being sent to and sent from the rival marketing company.

She finds one employee that appears to be sending very large email to this other marketing company, even though they should have no reason to be communicating with them. Lori tracks down the actual emails sent and upon opening them, only finds picture files attached to them. These files seem perfectly harmless, usually containing some kind of joke. Lori decides to use some special software to further examine the pictures and finds that each one had hidden text that was stored in each picture.

What technique was used by the Kiley Innovators employee to send information to the rival marketing company?

Options:

A.  

The Kiley Innovators employee used cryptography to hide the information in the emails sent

B.  

The method used by the employee to hide the information was logical watermarking

C.  

The employee used steganography to hide information in the picture attachments

D.  

By using the pictures to hide information, the employee utilized picture fuzzing

Questions 86

Jayden is a network administrator for her company. Jayden wants to prevent MAC spoofing on all the Cisco switches in the network. How can she accomplish this?

Options:

A.  

Jayden can use the command: ip binding set.

B.  

Jayden can use the command: no ip spoofing.

C.  

She should use the command: no dhcp spoofing.

D.  

She can use the command: ip dhcp snooping binding.

Questions 87

What does ICMP (type 11, code 0) denote?

Options:

A.  

Source Quench

B.  

Destination Unreachable

C.  

Time Exceeded

D.  

Unknown Type

Questions 88

What is the problem with this ASP script (login.asp)?

Options:

A.  

The ASP script is vulnerable to Cross Site Scripting attack

B.  

The ASP script is vulnerable to Session Splice attack

C.  

The ASP script is vulnerable to XSS attack

D.  

The ASP script is vulnerable to SQL Injection attack

Questions 89

In Trojan terminology, what is required to create the executable file chess.exe as shown below?

Options:

A.  

Mixer

B.  

Converter

C.  

Wrapper

D.  

Zipper

Questions 90

This attack uses social engineering techniques to trick users into accessing a fake Web site and divulging personal information. Attackers send a legitimate-looking e-mail asking users to update their information on the company's Web site, but the URLs in the e-mail actually point to a false Web site.

Options:

A.  

Wiresharp attack

B.  

Switch and bait attack

C.  

Phishing attack

D.  

Man-in-the-Middle attack

Questions 91

Consider the following code:

URL:http://www.certified.com/search.pl?

text=

If an attacker can trick a victim user into clicking a link like this, and the Web application does not validate input, then the victim's browser will pop up an alert showing the user's current set of cookies. An attacker can do much more damage, including stealing passwords, resetting your home page, or redirecting the user to another Web site.

What is the countermeasure against XSS scripting?

Options:

A.  

Create an IP access list and restrict connections based on port number

B.  

Replace "<" and ">" characters with "&lt;" and "&gt;" using server scripts

C.  

Disable Javascript in IE and Firefox browsers

D.  

Connect to the server using HTTPS protocol instead of HTTP

Questions 92

SYN Flood is a DoS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. The signature of attack for SYN Flood contains:

Options:

A.  

The source and destination address having the same value

B.  

A large number of SYN packets appearing on a network without the corresponding reply packets

C.  

The source and destination port numbers having the same value

D.  

A large number of SYN packets appearing on a network with the corresponding reply packets

Questions 93

Maintaining a secure Web server requires constant effort, resources, and vigilance from an organization. Securely administering a Web server on a daily basis is an essential aspect of Web server security.

Maintaining the security of a Web server will usually involve the following steps:

1. Configuring, protecting, and analyzing log files

2. Backing up critical information frequently

3. Maintaining a protected authoritative copy of the organization's Web content

4. Establishing and following procedures for recovering from compromise

5. Testing and applying patches in a timely manner

6. Testing security periodically.

In which step would you engage a forensic investigator?

Options:

A.  

1

B.  

2

C.  

3

D.  

4

E.  

5

F.  

6

Questions 94

Shayla is an IT security consultant, specializing in social engineering and external penetration tests. Shayla has been hired on by Treks Avionics, a subcontractor for the Department of Defense. Shayla has been given authority to perform any and all tests necessary to audit the company's network security.

No employees of the company, other than the IT director, know about the work Shayla will be doing. Shayla's first step is to obtain a list of employees through company website contact pages. Then she befriends a female employee of the company through an online chat website. After meeting with the female employee numerous times, Shayla is able to gain her trust and they become friends. One day, Shayla steals the employee's access badge and uses it to gain unauthorized access to the Treks Avionics offices.

What type of insider threat would Shayla be considered?

Options:

A.  

She would be considered an Insider Affiliate

B.  

Because she does not have any legal access herself, Shayla would be considered an Outside Affiliate

C.  

Shayla is an Insider Associate since she has befriended an actual employee

D.  

Since Shayla obtained access with a legitimate company badge; she would be considered a Pure Insider

Questions 95

Which of the following types of scanning utilizes an automated process of proactively identifying vulnerabilities of the computing systems present on a network?

Options:

A.  

Port Scanning

B.  

Single Scanning

C.  

External Scanning

D.  

Vulnerability Scanning

Questions 96

What type of Trojan is this?

Options:

A.  

RAT Trojan

B.  

E-Mail Trojan

C.  

Defacement Trojan

D.  

Destructing Trojan

E.  

Denial of Service Trojan

Questions 97

What is the correct command to run Netcat on a server using port 56 that spawns command shell when connected?

Options:

A.  

nc -port 56 -s cmd.exe

B.  

nc -p 56 -p -e shell.exe

C.  

nc -r 56 -c cmd.exe

D.  

nc -L 56 -t -e cmd.exe

Questions 98

Which of the following statements best describes the term Vulnerability?

Options:

A.  

A weakness or error that can lead to a compromise

B.  

An agent that has the potential to take advantage of a weakness

C.  

An action or event that might prejudice security

D.  

The loss potential of a threat.

Questions 99

To scan a host downstream from a security gateway, Firewalking:

Options:

A.  

Sends a UDP-based packet that it knows will be blocked by the firewall to determine how specifically the firewall responds to such packets

B.  

Uses the TTL function to send packets with a TTL value set to expire one hop past the identified security gateway

C.  

Sends an ICMP ''administratively prohibited'' packet to determine if the gateway will drop the packet without comment.

D.  

Assesses the security rules that relate to the target system before it sends packets to any hops on the route to the gateway

Questions 100

You are gathering competitive intelligence on XYZ.com. You notice that they have jobs listed on a few Internet job-hunting sites. There are two job postings for network and system administrators. How can this help you in footprinting the organization?

Options:

A.  

The IP range used by the target network

B.  

An understanding of the number of employees in the company

C.  

How strong the corporate security policy is

D.  

The types of operating systems and applications being used.

Questions 101

When referring to the Domain Name Service, what is denoted by a ‘zone’?

Options:

A.  

It is the first domain that belongs to a company.

B.  

It is a collection of resource records.

C.  

It is the first resource record type in the SOA.

D.  

It is a collection of domains.

Questions 102

Neil is closely monitoring his firewall rules and logs on a regular basis. Some of the users have complained to Neil that there are a few employees who are visiting offensive web sites during work hours, without any consideration for others. Neil knows that he has an up-to-date content filtering system and such access should not be authorized. What type of technique might be used by these offenders to access the Internet without restriction?

Options:

A.  

They are using UDP that is always authorized at the firewall

B.  

They are using an older version of Internet Explorer that allows them to bypass the proxy server

C.  

They have been able to compromise the firewall, modify the rules, and give themselves proper access

D.  

They are using tunneling software that allows them to communicate with protocols in a way it was not intended

Questions 103

Which element of Public Key Infrastructure (PKI) verifies the applicant?

Options:

A.  

Certificate authority

B.  

Validation authority

C.  

Registration authority

D.  

Verification authority

Questions 104

Which NMAP command combination would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection?

Options:

A.  

NMAP -PN -A -O -sS 192.168.2.0/24

B.  

NMAP -P0 -A -O -p1-65535 192.168.0/24

C.  

NMAP -P0 -A -sT -p0-65535 192.168.0/16

D.  

NMAP -PN -O -sS -p 1-1024 192.168.0/8

Questions 105

A network security administrator is worried about potential man-in-the-middle attacks when users access a corporate web site from their workstations. Which of the following is the best remediation against this type of attack?

Options:

A.  

Implementing server-side PKI certificates for all connections

B.  

Mandating only client-side PKI certificates for all connections

C.  

Requiring client and server PKI certificates for all connections

D.  

Requiring strong authentication for all DNS queries

Questions 106

Which type of scan is used on the eye to measure the layer of blood vessels?

Options:

A.  

Facial recognition scan

B.  

Retinal scan

C.  

Iris scan

D.  

Signature kinetics scan

Questions 107

A developer for a company is tasked with creating a program that will allow customers to update their billing and shipping information. The billing address field used is limited to 50 characters.  What pseudo code would the developer use to avoid a buffer overflow attack on the billing address field?

Options:

A.  

if (billingAddress = 50) {update field} else exit

B.  

if (billingAddress != 50) {update field} else exit

C.  

if (billingAddress >= 50) {update field} else exit

D.  

if (billingAddress <= 50) {update field} else exit

Questions 108

When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's computer to update the router configuration. What type of an alert is this?

Options:

A.  

False positive 

B.  

False negative

C.  

True positive

D.  

True negative

Questions 109

A denial of Service (DoS) attack works on the following principle:

Options:

A.  

MS-DOS and PC-DOS operating systems utilize a weakness that can be compromised and permit them to launch an attack easily.

B.  

All CLIENT systems have a TCP/IP stack implementation weakness that can be compromised and permit them to launch an attack easily.

C.  

Overloaded buffer systems can easily address error conditions and respond appropriately.

D.  

Host systems cannot respond to real traffic, if they have an overwhelming number of incomplete connections (SYN/RCVD State).

E.  

A server stops accepting connections from certain networks once those networks become flooded.

Questions 110

Which of the following is the primary objective of a rootkit?

Options:

A.  

It opens a port to provide an unauthorized service

B.  

It creates a buffer overflow

C.  

It replaces legitimate programs

D.  

It provides an undocumented opening in a program

Questions 111

Exhibit:

Study the following log extract and identify the attack.

Options:

A.  

Hexcode Attack

B.  

Cross Site Scripting

C.  

Multiple Domain Traversal Attack

D.  

Unicode Directory Traversal Attack

Questions 112

Which of the following tools are used for enumeration? (Choose three.)

Options:

A.  

SolarWinds

B.  

USER2SID

C.  

Cheops

D.  

SID2USER

E.  

DumpSec

Questions 113

What tool can crack Windows SMB passwords simply by listening to network traffic?

Select the best answer.

Options:

A.  

This is not possible

B.  

Netbus

C.  

NTFSDOS

D.  

L0phtcrack

Questions 114

What did the following commands determine?

C:\> user2sid \\earth guest

S-1-5-21-343818398-789336058-1343024091-501

C:\> sid2user 5 21 343818398 789336058 1343024091 500

Name is Joe

Domain is EARTH

Options:

A.  

That the Joe account has a SID of 500

B.  

These commands demonstrate that the guest account has NOT been disabled

C.  

These commands demonstrate that the guest account has been disabled

D.  

That the true administrator is Joe

E.  

Issued alone, these commands prove nothing

Questions 115

John wishes to install a new application onto his Windows 2000 server.

He wants to ensure that any application he uses has not been Trojaned.

What can he do to help ensure this?

Options:

A.  

Compare the file's MD5 signature with the one published on the distribution media

B.  

Obtain the application via SSL

C.  

Compare the file's virus signature with the one published on the distribution media

D.  

Obtain the application from a CD-ROM disc

Questions 116

Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up by an IDS?

Options:

A.  

SYN scan

B.  

ACK scan

C.  

RST scan

D.  

Connect scan

E.  

FIN scan

Questions 117

Your lab partner is trying to find out more information about a competitor's web site. The site has a .com extension. She has decided to use some online whois tools and look in one of the regional Internet registries. Which one would you suggest she looks in first?

Options:

A.  

LACNIC

B.  

ARIN

C.  

APNIC

D.  

RIPE

E.  

AfriNIC

Questions 118

Which of the following ICMP message types is used for destination unreachable?

Options:

A.  

0

B.  

3

C.  

11

D.  

13

E.  

17

Questions 119

Name two software tools used for OS guessing. (Choose two.)

Options:

A.  

Nmap

B.  

Snadboy

C.  

Queso

D.  

UserInfo

E.  

NetBus

Questions 120

While checking the settings on the internet browser, a technician finds that the proxy server settings have been checked and a computer is trying to use itself as a proxy server.  What specific octet within the subnet does the technician see?

Options:

A.  

10.10.10.10

B.  

127.0.0.1

C.  

192.168.1.1

D.  

192.168.168.168

Questions 121

Which of the following is a client-server tool utilized to evade firewall inspection?

Options:

A.  

tcp-over-dns

B.  

kismet

C.  

nikto

D.  

hping

Questions 122

Which of the following techniques will identify if computer files have been changed?

Options:

A.  

Network sniffing

B.  

Permission sets

C.  

Integrity checking hashes

D.  

Firewall alerts

Questions 123

Which of the following is a hardware requirement that either an IDS/IPS system or a proxy server must have in order to properly function?

Options:

A.  

Fast processor to help with network traffic analysis

B.  

They must be dual-homed

C.  

Similar RAM requirements

D.  

Fast network interface cards

Questions 124

Which of the following is a primary service of the U.S. Computer Security Incident Response Team (CSIRT)?

Options:

A.  

CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide.

B.  

CSIRT provides a computer security surveillance service to supply a government with important intelligence information on individuals travelling abroad.

C.  

CSIRT provides a penetration testing service to support exception reporting on incidents worldwide by individuals and multi-national corporations.

D.  

CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling an individual's property or company's asset.

Questions 125

Which property ensures that a hash function will not produce the same hashed value for two different messages?

Options:

A.  

Collision resistance

B.  

Bit length

C.  

Key strength

D.  

Entropy

Questions 126

Which of the following does proper basic configuration of snort as a network intrusion detection system require?

Options:

A.  

Limit the packets captured to the snort configuration file.

B.  

Capture every packet on the network segment.

C.  

Limit the packets captured to a single segment.

D.  

Limit the packets captured to the /var/log/snort directory.

Questions 127

Which of the following is a strong post designed to stop a car?

Options:

A.  

Gate

B.  

Fence

C.  

Bollard

D.  

Reinforced rebar

Questions 128

Pentest results indicate that voice over IP traffic is traversing a network. Which of the following tools will decode a packet capture and extract the voice conversations?

Options:

A.  

Cain

B.  

John the Ripper

C.  

Nikto

D.  

Hping

Questions 129

A Network Administrator was recently promoted to Chief Security Officer at a local university. One of the employee's new responsibilities is to manage the implementation of an RFID card access system to a new server room on campus. The server room will house student enrollment information that is securely backed up to an off-site location.

During a meeting with an outside consultant, the Chief Security Officer explains that he is concerned that the existing security controls have not been designed properly. Currently, the Network Administrator is responsible for approving and issuing RFID card access to the server room, as well as reviewing the electronic access logs on a weekly basis.

Which of the following is an issue with the situation?

Options:

A.  

Segregation of duties

B.  

Undue influence

C.  

Lack of experience

D.  

Inadequate disaster recovery plan

Questions 130

Which of the following algorithms provides better protection against brute force attacks by using a 160-bit message digest?

Options:

A.  

MD5

B.  

SHA-1

C.  

RC4

D.  

MD4

Questions 131

Which of the following resources does NMAP need to be used as a basic vulnerability scanner covering several vectors like SMB, HTTP and FTP?

Options:

A.  

Metasploit scripting engine

B.  

Nessus scripting engine

C.  

NMAP scripting engine

D.  

SAINT scripting engine
