  1.  A Certified Ethical Hacker follows a specific methodology for testing a system. Which step comes after footprinting in the CEH methodology?
A.  Scanning
B.  Enumeration
C.  Reconnaissance
D.  Application attack
A. CEH methodology is laid out this way: reconnaissance (footprinting), scanning and enumeration, gaining access, escalating privileges, maintaining access, and covering tracks. While you may be groaning about scanning and enumeration both appearing as answers, they’re placed here this way on purpose. This exam is not only testing your rote memorization of the methodology, but how the methodology actually works. Remember, after scoping out the recon on your target, your very next step is to scan it. After all, you have to know what targets are there first before enumerating information about them.
B is incorrect because, although it is mentioned as part of step 2, it’s actually secondary to scanning. Enumerating is used to gather more in-depth information about a target you already discovered by scanning. Things you might discover in scanning are IPs that respond to a ping. In enumerating each “live” IP, you might find open shares, user account information, and other goodies.
C is incorrect because reconnaissance and footprinting are interchangeable in CEH parlance. An argument can be made that footprinting is a specific portion of an overall recon effort; however, in all CEH documentation these terms are used interchangeably.
D is incorrect because it references an attack. As usual, there’s almost always one answer you can throw out right away, and this is a prime example. We’re talking about step 2 in the methodology, where we’re still figuring out what targets are there and what vulnerabilities they may have. Attacking, at this point, is folly.
  2.  You’ve been hired as part of a pen test team. During the in-brief, you learn the client wants the pen test attack to simulate a normal user who finds ways to elevate privileges and create attacks. Which test type does the client want?
A.  White box
B.  Gray box
C.  Black box
D.  Hybrid
B. A gray box test is designed to replicate an inside attacker. Otherwise known as the partial knowledge attack (don’t forget this term), the idea is to simulate a user on the inside who might know a little about the network, directory structure, and other goodies in your enterprise. You’ll probably find this one to be the most enlightening attack in out-briefing your clients in the real world—it’s amazing what you can get to when you’re a trusted, inside user. As an aside, you’ll often find in the real world that “gray box” testing can also refer to a test where any inside information is given to a pen tester—you don’t necessarily need to be a fully knowledgeable inside user. In other words, if you have usable information handed to you about your client, you’re gray box testing.
A is incorrect because a white box test provides all knowledge to the pen tester up front, and is designed to simulate an admin on your network who, for whatever reason, decides to go on the attack. For most pen testers, this test is really just unfair. It’s tantamount to sending him into the Roman Coliseum armed with a .50 caliber automatic weapon to battle a gladiator who is holding a knife.
C is incorrect because black box testing indicates no knowledge at all. And if you think about it, the name is easy to correlate and remember: black = no light. Therefore, you can’t “see” anything. This is the test most people think about when it comes to hacking. You know nothing and are (usually) attacking from the outside.
D is incorrect because, as far as I can tell from the EC-Council’s documentation, there is no terminology for a “hybrid box” test. This is a little tricky because the term hybrid is used elsewhere—for attacks and other things. If you apply a little common sense here, this answer is easy to throw out. If you know everything about the target, it’s white. If you know nothing, it’s black. If you’re in the middle, it’s gray. See?
  3.  Which of the following is true regarding an ethical hacker?
A.  The ethical hacker points out vulnerabilities, but does not exploit them.
B.  The ethical hacker has authorization to proceed from the target owner.
C.  The ethical hacker does not use the same tools as unauthorized attackers in the wild.
D.  The ethical hacker provides reports on vulnerabilities publicly.
B. This question will be asked multiple times and in numerous ways to reinforce a simple concept: The main difference between a CEH and a cracker is permission. Ethical hackers will take advantage of every tool and technique in the book to break into a target. They’ll be just as ruthless and cunning as the people trying to break in illegally. They’ll lie, cheat, steal, sneak around, and try to use every opportunity available to get in. The only difference is, they don’t do any of it without the owner of the target(s) knowing about and approving everything up front.
A is incorrect because an ethical hacker on a pen test team is paid to exploit vulnerabilities—unless, of course, the scope of the test prevents this in the first place. Usually speaking, if a pen tester can find a way in, he’ll exploit it all the way up to the line drawn in the scope agreement, to prove security problems exist. Do not fall into the trap that pen testers are nice people during a test. We’re not, and we’re not paid to be.
C is incorrect because pen testers are merciless, cold-blooded mercenaries paid to use every single tool and technique the bad guys have at their disposal. The only thing keeping them at bay is a signed agreement allowing them to go forth and conquer, within an agreed-upon scope. If, as a pen tester, you do not avail yourself of everything the bad guy might be using, you’re doing yourself and your client a disservice. The point of an ethical hacker is to show what a bad guy can do so that preventative measures can be put in place, and you can’t do that by playing nice.
D is incorrect because the statement is blatantly silly. The thought that any business owner would want a group of professional digital ninjas to come into his network and then post everything that’s wrong about it on Yahoo! News is preposterous. Yes, the team will out-brief the client to let him know what they found, but trust me, this info won’t leave the room for anyone else to know. It is okay, however, for you to post details of how you succeeded in any given attack, so long as the information on who you attacked and when you attacked them as part of the pen test is removed. For example, if you used a tactic against ACME, Inc., and are giving a presentation at a conference, it’s okay to mention details of how that attack was successful, so long as no one can tie it to that particular pen test or client.
  4.  You begin your first pen-test assignment by checking out IP address ranges owned by the target as well as details of their domain name registration. Additionally, you visit job boards and financial websites to gather any technical information online. What activity are you performing?
A.  Security assessments
B.  Vulnerability assessment
C.  Active footprinting
D.  Passive footprinting
D. This question is another potential stumbling block on the test. The desire is to look at the question and think, “Wow, I’m typing things and using the Internet to gather information, so I’m actively working on the target.” The key when it comes to active versus passive recon is to think of your probability of being caught doing it. For example, the activities of checking Internet pages, performing Google searches, and looking up DNS entries aren’t going to alert anyone. These are things everyone does every day anyway. Walking into the offices and checking locked doors, or trying to elicit information from people out in the parking lot, probably will get you caught. Two other things on this topic you’ll need to keep in mind are social engineering and what you’re actually touching during your information gathering.
Social engineering can be tricky, because it can be both passive and active recon. Dumpster diving is considered passive, whereas walking in and talking to users can be considered active. Pay attention to the circumstances on these types of questions.
What’s more, when it comes to active and passive recon, sometimes a question can be answered based on the target network itself: If you touch it, you’re active; if you don’t, you’re passive. Think of it this way: Imagine the network you’re paid to examine is actually a big wire that’s electrified with 10,000 volts. If you walk around it, look over the fence, and take pictures, you’re passively gathering information. Touch that wire, though, and you become active. Real active. Active footprinting involves touching the target network, and it can bleed over into the scanning and enumeration phase.
A is incorrect because “security assessment” is a broad term that can indicate actual pen tests or basic security audits. Pen tests are designed to discover, exploit, and report on security vulnerabilities within a target. A security audit doesn’t necessarily intentionally exploit any vulnerability—it just finds them and points them out.
B is incorrect because it has nothing to do with what is being described in the question. A vulnerability assessment lists potential vulnerabilities and considers the potential impact of loss from a successful attack against any of them. In CEH parlance—and on your test—this term is more often than not used as a distractor. If you do see it on an exam, remember it is designed as more of a measurement technique and not an attack vector.
C is incorrect because active footprinting indicates you’re touching the target network itself. In the question, you (as the attacker) never actually touch the target. You are availing yourself of all that competitive intelligence lying around. Remember, competitive intelligence is freely available for anyone to get, and is often used by competitors seeking an advantage in the marketplace. It’s not only legal to pull and analyze this information, it’s expected, and it does not require any active reconnaissance at all to acquire.
  5.  You send a message across a network and are primarily concerned that it is not altered during transit. Which security element ensures a message arrives at its destination with no alteration?
A.  Confidentiality
B.  Authentication
C.  Integrity
D.  Availability
C. You have to think about the security triad very carefully for your exam. Remember, integrity refers to the methods and actions taken to protect the information from unauthorized alteration or revision—regardless of whether the data is at rest or in transit. The key words in any question on your exam involving integrity will be alter, change, and so on. Another thing to look for is the use of a hash for verification, because this is primarily an integrity control method. The good news is, when it comes to the triad, integrity questions are usually pretty easy to discern.
A is incorrect because confidentiality keeps the wrong eyes from seeing the data. Confidentiality addresses the secrecy and privacy of information, and refers to the measures taken to prevent disclosure of information or data to unauthorized individuals or systems. Your key words on this are usually secrecy, privacy, and authentication. Additionally, remember the use of passwords as an authentication/confidentiality control—authentication is the measure; confidentiality is the control.
B is incorrect for a couple of reasons. First, authentication is used as a distractor here because it’s not a control listed in the security triad (confidentiality, integrity, and availability). Second, the question does not refer to any method of determining who the sender or recipient is—only that the data is protected from tampering during transit. That’s the type of pseudo-critical thinking you’ll need for these types of questions. Remember, identifying who the recipient is (authentication) doesn’t have anything to do with whether or not the data arrives unaltered.
D is incorrect because availability refers to the communications systems and data being ready for use when legitimate users need them, and has nothing to do with the actual data itself. Availability is all about maintaining the access channels to the data, not what state the data is in. For example, I can boastfully proclaim my availability is covered by providing plenty of bandwidth and an open, unrestricted path to the data share for you; however, if I don’t have integrity measures in place, the data sitting there may be useless.
  6.  An ethical hacker is given no prior knowledge of the network and has a specific framework in which to work. The agreement specifies boundaries, nondisclosure agreements, and a completion date definition. Which of the following statements are true?
A.  A white hat is attempting a black box test.
B.  A white hat is attempting a white box test.
C.  A black hat is attempting a black box test.
D.  A black hat is attempting a gray box test.
A. I love these types of questions. Not only is this a two-for-one question, but it involves identical, but confusing, descriptors, causing all sorts of havoc. The answer to attacking such questions—and you will see them, by the way—is to take each section one at a time. Start with what kind of hacker he is. He’s hired under a specific agreement, with full knowledge and consent of the target, thus making him a white hat. That eliminates C and D right off the bat. Second, to address what kind of test he’s performing, simply look at what he knows about the system. In this instance, he has no prior knowledge at all, thus making it a black box test.
B is incorrect because although the attacker is one of the good guys (a white hat, proceeding with permission and an agreement in place), he is not provided with full knowledge of the system. In fact, it’s quite the opposite—according to the question he knows absolutely nothing about it, making this particular “box” as black as it can be. A white box target indicates one that the attacker already knows everything about. It’s lit up and wide open.
C is incorrect right off the bat because it references a black hat. Black hat attackers are the bad guys—the ones proceeding without the target’s knowledge or permission. They usually don’t have inside knowledge of their target, so their attacks often start “black box.”
D is incorrect for the same reason just listed—this attacker has permission to proceed and is operating under an agreement; therefore, he can’t be a black hat attacker. Additionally, this answer went the extra mile to convince you it was wrong—and missed on both swings. Not only is this a white hat attacker, but the attack itself is black box. A gray box attack indicates at least some inside knowledge of the target.
  7.  Which of the following attacks is considered an integrity attack, where the attacker is not concerned with deciphering the entirety of a plaintext message?
A.  Social engineering
B.  Denial of service
C.  Shrink wrap
D.  Bit flipping
E.  Spoofing
D. This one is cut and dry, and right out of the book (not just mine, by the way). Integrity attacks are designed to alter or change data at rest or in transit. They’re normally not necessarily designed to make all the data readable to the attacker (although it’s very easy to surmise that in order to change the price of the doodad you ordered from $300 to $3, you’d need to first be able to read the price column, or at least know where it is). Of the choices listed, only bit flipping matches this definition. In bit flipping, the attacker isn’t interested in learning the entirety of the plaintext message. Instead, bits are manipulated in the ciphertext itself to generate a predictable outcome in the plaintext once it is decrypted.
A is incorrect because social engineering in and of itself is not considered an integrity attack. Sure, you can affect data as a by-product of a successful social engineering attack, but that’s not what it’s designed for. Social engineering refers to that joyful portion of nontechnical hacking involving actual human interaction—the art of simply asking people for and getting their security credentials without hardly any effort at all.
B is incorrect because any denial of service attack (DoS) is all about affecting availability, not integrity. DoS attacks are designed either to take the resource itself down or to restrict or close all access to it. The integrity of the data isn’t the point of these attacks—it’s the availability they’re out to affect.
C is incorrect because shrink-wrap attacks aren’t necessarily related to data integrity. A shrink-wrap attack takes advantage of the built-in code and scripts that most off-the-shelf applications come with. These portions of shrink-wrapped scripts and code pieces are designed to make installation and administration easier, but can lead to vulnerabilities if not managed appropriately.
E is incorrect because spoofing doesn’t refer to data integrity at all. Spoofing is all about pretending to be something you’re not. Spoofing a MAC address to get past switch port access controls, for instance, or spoofing an IP to convince other machines you’re the server doesn’t have anything to do with data integrity, but it has lots to do with affecting confidentiality and availability.
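The bit-flipping point from question 7 and the hash-as-integrity-control point from question 5, worked through in code. This is an added example, not from the CEH material: it uses a constructed message, fixed keys, and a stdlib stand-in for a counter-mode stream cipher, and shows that flipping ciphertext bits changes the decrypted price from 300 to 3 without the key, while an encrypt-then-MAC check catches the alteration before the order is accepted.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from SHA-256 (stdlib stand-in for AES-CTR).
    Any stream/CTR cipher has the same malleability shown below."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


# XOR with the keystream is its own inverse, so decryption is the same operation.
decrypt = encrypt


def flip_bits(ciphertext: bytes, offset: int, mask: bytes) -> bytes:
    """Apply an XOR mask to ciphertext bytes at offset. Each flipped ciphertext
    bit flips the same plaintext bit after decryption; no key is needed."""
    ct = bytearray(ciphertext)
    for i, m in enumerate(mask):
        ct[offset + i] ^= m
    return bytes(ct)


def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity control: HMAC over nonce and ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def decrypt_and_verify(key: bytes, mac_key: bytes, nonce: bytes,
                       ciphertext: bytes, received_tag: bytes) -> bytes:
    """Reject anything whose tag does not match before decrypting it."""
    if not hmac.compare_digest(tag(mac_key, nonce, ciphertext), received_tag):
        raise ValueError("integrity check failed: ciphertext was altered in transit")
    return decrypt(key, nonce, ciphertext)


def demo() -> dict:
    # Constructed, fixed keys and nonce so the run is reproducible.
    key = b"\x11" * 32
    mac_key = b"\x22" * 32
    nonce = b"\x00" * 8
    plaintext = b"ITEM=DOODAD;PRICE=300"

    ct = encrypt(key, nonce, plaintext)
    t = tag(mac_key, nonce, ct)

    # The tamperer is assumed to know only the message layout (where the
    # price sits), not the key or the rest of the plaintext.
    offset = len(b"ITEM=DOODAD;PRICE=")
    mask = xor_bytes(b"300", b"003")          # which bits turn "300" into "003"
    tampered = flip_bits(ct, offset, mask)

    # Without an integrity control, the receiver decrypts the altered order.
    naive = decrypt(key, nonce, tampered)

    # With the HMAC in place, the same altered ciphertext is refused.
    try:
        decrypt_and_verify(key, mac_key, nonce, tampered, t)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "original": decrypt_and_verify(key, mac_key, nonce, ct, t),
        "naive": naive,
        "rejected": rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Encryption alone only addresses confidentiality; the exam's "hash for verification" key word is the HMAC step here, which is what turns a silently accepted $3 order into a rejected message.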
  8.  As part of a pen test on a U.S. Government system, you discover files containing social security numbers and other PII sensitive information. You are asked about controls placed on dissemination of this information. Which of the following acts should you check?
A.  FISMA
B.  Privacy Act
C.  PATRIOT Act
D.  Freedom of Information Act
B. The Privacy Act protects information of a personal nature, including social security numbers. The Privacy Act defines exactly what “personal information” is, and it states that government agencies cannot disclose any personal information about an individual without that person’s consent. It also lists 12 exemptions for the release of this information (for example, information that is part of a law enforcement issue may be released). In other questions you see, keep in mind that the Privacy Act generally will define the information that is not available to you in and after a test. Dissemination and storage of privacy information need to be very closely controlled to keep you out of hot water.
A is incorrect because FISMA isn’t designed to control dissemination of PII or sensitive data. Its primary goal is to ensure the security of government systems by promoting a standardized approach to security controls, implementation, and testing. The act requires government agencies to create a security plan for their systems and to have it “accredited” at least once every three years.
C is incorrect because the USA PATRIOT Act is not an effort to control personal information. Its purpose is to aid the United States government in preventing terrorism by increasing the government’s ability to monitor, intercept, and maintain records on almost every imaginable form of communication. As a side effect, it has also served to increase observation and prevention of hacking attempts on many systems.
D is incorrect because the Freedom of Information Act wasn’t designed to tell you what to do with information. Its goal is to define how you can get information—specifically information regarding how your government works. It doesn’t necessarily help you in hacking, but it does provide a cover for a lot of information. Anything you uncover that could have been gathered through FOIA is considered legal, and should be part of your overall test.
  9.  Joe has spent a large amount of time learning hacking tools and techniques, and has even passed certification exams to promote himself in the ethical hacking field. Joe uses his talents during the election season to deface websites and launch denial of service attacks against opponents of his candidate. Which answer most closely correlates with Joe’s actions?
A.  Hacktivism
B.  Black box attacks
C.  Black hat hacking
D.  Cracking
A. So-called “hacktivists” are hackers who use their skills and talents to forward a cause or a political agenda. The key in hacktivism is that it doesn’t really matter if you feel like the political cause or the hacker himself is attempting to do good. If the attacks in question forward a political agenda, it’s hacktivism.
B is incorrect because, although the attacks carried out by Joe may very well have come from black box efforts (that is, Joe knows nothing about his target to start with), his efforts are all due to a political agenda. The key here isn’t the methods or what he actually did, it’s why he did it.
C is incorrect, but just barely so. Without question, what Joe is doing can be categorized as “black hat.” He’s not operating under any agreed-upon scope, and isn’t paid to share security shortcomings with the owners of his targets. He’s attacking from the outside, without permission, in an attempt to do harm. However, the reason behind his actions is political in nature and represents a cause or ideology, thus making this a “less correct” response.
D is incorrect; however, just like answer C, it’s not incorrect by much. Although it is true Joe fits the definition of a cracker (using his skills, tools, and techniques for either personal gain or destructive purposes, or to achieve a goal outside the interest of the system owner), again we have to fall back on the reason why he’s doing this.
10.  A hacker is attempting to gain access to a target inside a business. After trying several methods, he gets frustrated and starts a denial of service attack against a server attached to the target. Which security control is the hacker affecting?
A.  Confidentiality
B.  Integrity
C.  Availability
D.  Authentication
C. Denial of service attacks are always attacks against the availability of the system. Regardless of whatever else the hacker has tried to accomplish against the machine, a successful DoS attack removes the availability of the machine. Remember, availability refers to the communications systems and data being ready for use when legitimate users need them. Many methods are used for availability, depending on whether the discussion is about a system, network resource, or the data itself. However, they all attempt to ensure one thing: When the system or data is needed, it can be accessed by the appropriate personnel. Attacks against availability always fall into the denial of service realm.
A is incorrect because the attacker is not affecting the machine’s ability to discern his true identity. As a matter of fact, it seems the confidentiality controls in place on the machine are working well. Remember, confidentiality addresses the secrecy and privacy of information, and refers to the measures taken to prevent disclosure of information or data to unauthorized individuals or systems.
B is incorrect because the attacker didn’t get frustrated and attempt to change or alter any data—he simply decided to cut off access to it. Remember, integrity refers to the methods and actions taken to protect the information from unauthorized alteration or revision—whether the data is at rest or in transit.
D is incorrect because the hacker appears to be having problems authenticating at the machine—which bodes well for the security personnel devoted to protecting it. Authentication is a subset of the larger confidentiality factor.
11.  The security, functionality, and ease of use (SFE) triangle states which of the following as true?
A.  As security increases, ease of use decreases and functionality decreases.
B.  As security increases, ease of use increases and functionality increases.
C.  A decrease of security has no effect on ease of use or functionality.
D.  An increase of security has no effect on ease of use or functionality.
A. The SFE triangle is a simple line chart depicting something that should be common sense for most people: As you apply more security controls, the system gets harder to use and has less functionality. If you’ve worked in security for any length of time, you know this to be true. Machines and networks that are wide open allow users to do all sorts of productive (and not so productive) things. The drawback is that the system is more open to attack as well. The key is to find a good balance between implementing controls to protect your resources and personnel, and leaving the system usable enough for people to get their jobs done.
B is incorrect because increasing security on a system decreases ease of use. Don’t believe me? If you have kids, try this at home: Open Tools, Internet Options in Internet Explorer on your Windows machine, and go to Content. Enable the Content Advisor and set a password access control on websites you know your kids go to. A security measure is in place, and your kids will definitely notice IE is not as easy to use now.
C is incorrect because decreasing security directly increases the ease of use and functionality of the system. Security, functionality, and ease of use are all connected. Most security practitioners think of these on a line instead of in a triangle—as you move along the line away from security, you move closer to usability.
D is incorrect because increasing security directly decreases the ease of use and functionality of the system. As stated previously, security, functionality, and ease of use are all connected. If you move along the line closer to security, you move further away from usability.
12.  In which phase of the ethical hacking methodology would a hacker discover available targets on a network?
A.  Reconnaissance
B.  Scanning and enumeration
C.  Gaining access
D.  Maintaining access
E.  Covering tracks
B. The scanning and enumeration phase is where you’ll use things such as ping sweeps to discover available targets on the network. This step occurs after reconnaissance. In this step, tools and techniques are actively applied to information gathered during recon to gather more in-depth information on the targets. For example, reconnaissance may show a network subnet to have 500 or so machines connected inside a single building, whereas scanning and enumeration would discover which ones are Windows machines and which ones are running FTP.
A is incorrect because the reconnaissance phase is nothing more than the steps taken to gather evidence and information on the targets you wish to attack. Activities that occur in this phase include dumpster diving and social engineering. Another valuable tool in recon is the Internet. Look for any of these items as key words in answers on your exam.
C is incorrect because the gaining access phase is all about attacking the machines themselves. You’ve already figured out background information on the client and have enumerated the potential vulnerabilities and security flaws on each target. In this phase, you break out the big guns and start firing away. Key words you’re looking for here are the attacks themselves: Accessing an open and nonsecured wireless access point, manipulating network devices, writing and delivering a buffer overflow, and performing SQL injection against a web application are all examples.
D is incorrect because this phase is all about back doors and the steps taken to ensure you have a way back in. For the savvy readers out there who noticed we skipped a step here (escalating privileges), well done. Key words you’ll look for on this phase (maintaining access) are back doors, zombies, and rootkits.
E is incorrect because this phase is all about cleaning up when you’re done and making sure no one can see where you’ve been. Clearing tracks involves steps to conceal success and avoid detection by security professionals. Steps taken here consist of removing or altering log files, hiding files with hidden attributes or directories, and even using tunneling protocols to communicate with the system.
13.  Which of the following are potential drawbacks to a black box test? (Choose all that apply.)
A.  The client does not get a focused picture of an external attacker focused on their systems.
B.  The client does not get a focused picture of an internal attacker focused on their systems.
C.  This test takes the longest amount of time to complete.
D.  This test takes the shortest amount of time to complete.
B and C. Black box tests are conducted to simulate an outside attacker. The problem with this test, if done solely on its own, is two-fold. First, it concentrates solely on what most people think of as the biggest threat—an outside attacker. You know—some guy in a dark room surrounded by green-tinted monitors who has decided to break into the enterprise network. This totally ignores one of the biggest threats to the network in the first place—the disgruntled insider. Additionally, because of its very nature, a black box test takes longer than any other type to complete. If you think about it, this makes sense.
A is incorrect because the point of the black box test is to simulate the external attacker. It’s designed to simulate an outside, unknown attacker, takes the most amount of time to complete, and is usually (by far) the most expensive option.
D is incorrect because black box testing takes the longest amount of time to complete. The reason for this is obvious: With white or gray box testing, you’ve already got a leg up on your black box brethren, in that you already have some insider information. With black box testing, you need to go through all the phases of the CEH methodology.
14.  In which phase of a penetration test would an ethical hacker perform footprinting?
A.  Preparation
B.  Assessment
C.  Conclusion
D.  Reconnaissance
E.  Scanning and enumeration
B. Oh, I can hear you all the way from down here in Florida, screaming and hollering that footprinting occurs as part of reconnaissance. And I absolutely agree with you—it certainly does. However, this question asked what stage of a penetration test it occurs in. In the CEH world, pen tests have three phases—preparation, assessment, and conclusion. Reconnaissance is one of the five stages of an actual attack. Be sure to keep the two separate in your head, or you’ll miss this easy question on the test.
A is incorrect because the preparation phase of a pen test is where all the agreements are hammered out. The preparation phase defines that time period where you meet with clients and agree upon the actual contract. The scope of the test, the types of attacks allowed, and the individuals assigned to perform the activity are all agreed upon in this phase.
C is incorrect because the conclusion phase happens after all the activity and tests are complete. The conclusion phase constitutes the time when final reports are prepared for the customer. These reports detail the findings of the tests (including the types of tests performed) and sometimes even provide recommendations to improve security. This phase is sometimes referred to as the post-assessment phase, but you’ll probably see it as the conclusion phase on the test.
D is incorrect because reconnaissance is one of the attack phases. Although it’s certainly true that footprinting occurs here, you’re going to have to be very careful about understanding what the question is asking you for. Pen tests have three phases, and during the assessment phase are the five steps in the attack.
E is incorrect because scanning and enumeration is an attack step, not a phase of the penetration test. Savvy test takers will have picked this out quickly and eliminated it as an answer right off the bat. If, however, you missed the pen-test-versus-attack-phase link, you should note that this answer is also wrong because footprinting doesn’t occur in the scanning and enumeration phase. This answer is incorrect on both fronts.
15.  Which of the following would not be considered passive reconnaissance?
A.  Dumpster diving for valuable, discarded information
B.  Thoroughly examining financial sites for clues on target inventory and other useful information
C.  Ping sweeping a range of IP addresses found through a DNS lookup
D.  Using a search engine to discover competitive intelligence on the organization
C. When it comes to active versus passive recon, remember the two golden rules. First rule: if it's something that exposes you to more risk of being caught, the recon is active. Second rule: if you touch the target, the recon is active. For example, walking up to locked doors and checking them, or going into the building to attempt social engineering on a user, are both active measures. Dumpster diving, "quiet" social engineering, and using Google to find information on the target are all examples of passive reconnaissance (a.k.a. passive footprinting). A ping sweep sends packets to the target's own address space, so by the second rule it is active; on top of that, ping sweeping belongs to the scanning and enumeration stage, not reconnaissance, so this answer should have been an easy one for you to eliminate.
A is incorrect because dumpster diving is one of the prime examples of passive recon. It's simple, easy, and doesn't expose you to much risk of being caught. It also doesn't require you to interact with your target at all.
B is incorrect because examining competitive intelligence is free, readily available, and should be gathered as part of your passive reconnaissance. Other avenues for this type of recon include job boards, social networking sites, and the company's own website. Pull a copy down and explore it. You'll be amazed what you can find passively.
D is incorrect because this is also a prime example of passive reconnaissance. During passive recon, you are expected to use every avenue the Internet offers to find information on your target. In addition to the other avenues mentioned here, don't neglect the blogosphere, that wonderful world of blogging that has sprung up over the past few years. Sometimes people post the strangest stuff on their blogs, and sometimes that posted material is just the ticket you need to successfully complete your task.
16.  As part of the preparation phase for a pen test that you are participating in, the client relays their intent to discover security flaws and possible remediation. They seem particularly concerned about external threats and do not mention internal threats at all. When defining scope, the threat of internal users is not added as part of the test. Which test is this client ignoring?
A.  Gray box
B.  Black box
C.  White hat
D.  Black hat
A. Once again, this is a play on words the exam will throw at you. Note the question is asking about a test type, not the attacker. Reviewing CEH documentation, you'll see there are three test types (white box, black box, and gray box), each designed to simulate a specific threat. White box tests the internal threat of a knowledgeable systems administrator or another user with elevated privileges. Black box tests the external threat with no knowledge of the target. Gray box tests the average internal user, to expose potential security problems inside the network. The client here scoped out internal users entirely, so the gray box test is the one being ignored.
B is incorrect because black box testing is designed to simulate the external threat, which is exactly what this client is asking for. Black box testing takes the most time to complete because it means a thorough romp through all the stages of an attack (and removes any preconceived notions of what to look for), and it is usually the most expensive option. Another drawback is that it focuses solely on the threat outside the organization and does not take into account any trusted users on the inside.
C is incorrect because a hat color refers to the attacker, not the test. True, the client is hiring a white hat in this instance to perform the test; however, the hat does not equate to the test. White hats are the "good guys": ethical hackers hired by a customer for the specific goal of testing and improving security. White hats don't use their knowledge and skills without prior consent.
D is incorrect because this question refers to the test itself, not the type of attacker. Black hats are the "bad guys," otherwise known as crackers. They illegally use their skills for personal gain or malicious intent, seeking to steal or destroy data or to deny access to resources and systems. Black hats do not ask for permission or consent.
17.  In which phase of an attack would vulnerability mapping occur?
A.  Assessment
B.  Active reconnaissance
C.  Scanning and enumeration
D.  Fingerprinting
C. This is a textbook description of an activity in the scanning and enumeration stage. Sure, this would also occur in the assessment phase of the pen test, but the question did not reference that: it specifically asked about the attack phase. Attack stages are reconnaissance, scanning and enumeration, gaining access, elevating privileges, maintaining access, and covering tracks. Commit this to memory for your exam.
A is incorrect because, although this activity definitely occurs in the assessment phase of a pen test, the question is referencing the attack stages themselves. Remember that all the attack stages occur during the assessment portion of the pen test. The preparation phase gets you an agreement and a scope, and the conclusion phase is your chance to present all your findings to the client. The assessment phase is where all the action happens.
B is incorrect because active reconnaissance occurs before scanning and enumeration. During reconnaissance, you're gathering the high-level information you're going to need to make the rest of your test easy and smooth. Mapping individual devices to their vulnerabilities is far removed from this.
D is incorrect because fingerprinting is a specific activity within scanning and enumeration, not a stage of the attack cycle in its own right. Most people associate the term with the operating system on the device: figuring out what the box is running and what ports are open on the machine, usually by comparing its responses against a database of known signatures. Several tools have been developed for fingerprinting, including Queso, Cheops, the nmap -O option, and the SolarWinds toolset.
18.  While performing a pen test, you find success in exploiting a machine. Your attack vector took advantage of a common mistake—the Windows 7 installer script used to load the machine left the administrative account with a default password. Which attack did you successfully execute?
A.  Application level
B.  Operating system
C.  Shrink wrap
D.  Social engineering
E.  Misconfiguration
B. Operating system (OS) attacks target a common mistake many people make when installing operating systems: accepting and leaving all the defaults. Examples usually include administrator accounts with no password or a well-known default password, ports left open, and guest accounts left enabled. Another OS attack you may be asked about deals with versioning. Operating systems are never released fully secure and are continually updated with hotfixes, security patches, and full releases, so the odds of an old, unpatched vulnerability lingering somewhere in the enterprise are always high.
A is incorrect because application-level attacks are centered on the actual code of an application. These attacks are usually very successful in an overall pen test because many people simply discount the applications running on their OS and network, preferring to spend their time hardening the OSs and network devices. Many applications on a network aren't tested for vulnerabilities as part of their development and, as such, ship with vulnerabilities built in.
C is incorrect because shrink-wrap attacks take advantage of the built-in code and scripts most off-the-shelf applications come with. These attacks let hackers exploit the very things designed to make installation and administration easier. Those shrink-wrapped snippets make life easier for installation and administration, but they also make it easier for attackers to get in.
D is incorrect because social engineering isn't relevant at all in this question. There is no human element here, so this one can be thrown out.
E is incorrect because misconfiguration attacks take advantage of systems that are, on purpose or by accident, not configured appropriately for security. For example, suppose an administrator wants to make things as easy as possible for the users and, with security and usability sitting at opposite ends of the spectrum, leaves security settings at the lowest possible level, enabling services, opening firewall ports, and granting administrative privileges to all users. It's easier for the users, but it creates a target-rich environment for the hacker. Leaving an installer's default administrative password in place is closer to the OS attack category on the exam, even though a practitioner would reasonably call it a misconfiguration too.
19.  A machine in your environment uses an open X-server to allow remote access. The X-server access control is disabled, allowing connections from almost anywhere and with little to no authentication measures. Which of the following are true statements regarding this situation? (Choose all that apply.)
A.  An external vulnerability can take advantage of the misconfigured X-server threat.
B.  An external threat can take advantage of the misconfigured X-server vulnerability.
C.  An internal vulnerability can take advantage of the misconfigured X-server threat.
D.  An internal threat can take advantage of the misconfigured X-server vulnerability.
B and D. This is an easy one because all you have to understand are the definitions of threat and vulnerability. A threat is any agent, circumstance, or situation that could potentially cause harm or loss to an IT asset. In this case, the implication is that the threat is an individual (hacker) either inside or outside the network. A vulnerability is any weakness, such as a software flaw or a logic design error, that a threat could exploit to damage an asset. In both correct answers, the vulnerability (the X server's access controls are not in place) can be exploited by the threat, whether internal or external. In practice, this is what happens when an X server is started with the -ac option or an administrator runs xhost + to disable host-based access control: any client that can reach the server's listening port (TCP 6000 for display :0) can open windows, read keystrokes, and capture the screen.
A and C are both incorrect because they use the terms backward. Threats take advantage of vulnerabilities and exploit them, not the other way around.
20.  You are examining security logs snapshotted during a prior attack against the target. The target’s IP address is 135.17.22.15, and the attack originated from 216.88.76.5. Which of the following correctly characterizes this attack?
A.  Inside attack
B.  Outside attack
C.  Black box attack
D.  Spoofing
B. This is an example of one of those little definition questions you'll see on the exam and be thankful for. An inside attack originates from inside the network boundary, whereas an outside attack comes from outside the border. Granted, anyone with any networking knowledge knows it's impossible to tell, solely from an IP address, whether one is inside or outside a company's network boundary. All sorts of things, such as VPNs, multiple networks, and subsidiaries, can make it miserable to figure out where the inside-versus-outside line is, and a source address in a log is only what the packet claimed, not proof of where it came from. When faced with this on the exam, though, just take it at face value. Simple and easy.
A is incorrect because the attack came from a different network, fully outside the enterprise's virtual walls. The only time this becomes a tricky question is when subnetting is involved, in which case the question will have to point out where the enterprise network footprint stops.
C is incorrect because we simply have no idea what type of test (black, gray, or white box) this is. True, it's starting from outside the network, leading us to suspect a black box attack, but that's not necessarily so, and there certainly isn't enough information here to make that call.
D is incorrect because spoofing refers to an attempt to fake a machine's identity (usually through its MAC or IP address). The question doesn't specify whether that is in play, so it can't be the answer we're looking for.
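The caveat above (the boundary has to be declared before a log entry can be called inside or outside) is easy to make concrete. The following is an added example and not code from the book: it takes a list of enterprise address ranges, parses a few constructed log lines in a simple src/dst format, and labels each event inside, outside, or unknown. The ranges, the log format, and the log lines are all assumptions made for the illustration; the book's two addresses are reused so the exam question's answer falls out of the code.

```python
"""Classify attack sources as inside or outside a declared enterprise boundary.

Added example, not part of the original book. The enterprise ranges, the
log format and the log lines below are constructed for illustration. The
source address in a log line is only what the packet claimed (it may be
spoofed), so this is the same face-value reading the exam expects.
"""
import ipaddress
import re

# Constructed: address space the hypothetical enterprise considers "inside".
# The book's target 135.17.22.15 is assumed to live in 135.17.22.0/24.
ENTERPRISE_NETS = [
    ipaddress.ip_network("135.17.22.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),   # constructed RFC 1918 internal range
]

# Constructed sample log lines. The first one mirrors the exam question.
SAMPLE_LOG = """\
2024-03-01T10:00:01 src=216.88.76.5 dst=135.17.22.15 proto=tcp dport=445
2024-03-01T10:00:07 src=135.17.22.40 dst=135.17.22.15 proto=tcp dport=3389
2024-03-01T10:00:09 src=10.2.3.4 dst=135.17.22.15 proto=tcp dport=22
2024-03-01T10:00:12 src=192.0.2.77 dst=135.17.22.15 proto=tcp dport=80
"""

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def is_inside(addr, nets=ENTERPRISE_NETS):
    """True if addr falls within any declared enterprise network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def classify(src, dst, nets=ENTERPRISE_NETS):
    """Return 'inside', 'outside' or 'unknown' for an attack from src on dst.

    'unknown' is the subnetting caveat from the text: if the target itself is
    not in the declared enterprise space, the boundary cannot be placed from
    the log alone and no verdict should be given.
    """
    if not is_inside(dst, nets):
        return "unknown"
    return "inside" if is_inside(src, nets) else "outside"


def classify_log(text, nets=ENTERPRISE_NETS):
    """Parse each log line and return a list of (src, dst, verdict) tuples.

    Lines that do not carry a src/dst pair are skipped rather than guessed at.
    """
    results = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst = m.group("src"), m.group("dst")
        results.append((src, dst, classify(src, dst, nets)))
    return results


if __name__ == "__main__":
    for src, dst, verdict in classify_log(SAMPLE_LOG):
        print(f"{src:>15} -> {dst:<15} {verdict}")
```

The "unknown" verdict is the part worth copying into real tooling: a classifier that silently calls everything it cannot place "outside" will mislabel traffic between two subsidiaries or across a VPN, which is exactly the situation the explanation warns about.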
21.  An ethical hacker needs to be aware of a variety of laws. What do Sections 1029 and 1030 of United States Code Title 18 specify?
A.  They criminalize the collection of personal information.
B.  They provide guidance on the right to obtain information from governmental agencies.
C.  They increase the government’s ability to monitor communications.
D.  They define most of the U.S. laws concerning hacking and computer crime.
D. Title 18, "Crimes and Criminal Procedure," Part 1, "Crimes," Chapter 47, "Fraud and false statements," Sections 1029 and 1030 address hacking and hacking-related criminal activity within the U.S. Section 1029 is titled "Fraud and related activity in connection with access devices," and Section 1030, better known as the Computer Fraud and Abuse Act, is titled "Fraud and related activity in connection with computers." You'll need to know these.
A is incorrect because this refers to the Spy Act (2007), which makes it unlawful for "any person who is not the owner, or authorized user, of a computer used for a financial institution, the U.S. Government, or in any interstate or foreign commerce or communication to engage in unfair or deceptive acts."
B is incorrect because this refers to the Freedom of Information Act (1966), which doesn't actually state what information an individual is allowed to get, but rather lists the nine exemptions under which a request can be refused. These generally cover things such as military, law enforcement, and classified secrets, as well as trade secrets and certain interagency records.
C is incorrect because this refers to the USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism), which is designed to aid the United States government in preventing terrorism by increasing its ability to monitor, intercept, and maintain records on almost every imaginable form of communication (telephone, networking, and e-mail, as well as medical and financial records, are all addressed).
22.  Which of the following should a security professional use as a possible means to verify the integrity of a data message from sender to receiver?
A.  Strong password requirements for encryption of the file
B.  Access controls on all network devices
C.  Hash algorithm
D.  Strong password requirements on operating system login
C. A hash is the standard way to verify the integrity of a file or message. Before you send the file, you run it through a hash algorithm that produces a fixed-size digest (MD5 and SHA-1 are the names you'll see on the exam; in practice, use SHA-256 or stronger, because MD5 and SHA-1 are no longer collision resistant). When the file is received, the recipient does the same and compares the two digests. If they match, voilà! One caveat the exam glosses over: a bare hash only catches accidental changes. An attacker who can alter the message in transit can just as easily recompute the hash, so against an adversary the digest itself has to be protected, either by sending it over a separate trusted channel, by keying it (an HMAC), or by signing it.
A is incorrect because it references confidentiality controls. Almost every time you see "password," you should think confidentiality, not integrity.
B is incorrect because it also references confidentiality controls. Access controls are exactly what they sound like: controls put in place to govern access to something. In the context of network devices, they govern things such as administrative access to a router's IOS.
D is incorrect because it also references confidentiality controls. Once again, passwords equate to confidentiality controls.
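The hash-versus-keyed-hash distinction above is worth seeing in code. The following is an added example, not code from the book: it computes a plain SHA-256 digest and an HMAC-SHA256 tag over a constructed message, then models an attacker who swaps the message and recomputes the check value. The message, the altered message, and the shared key are constructed for the illustration; everything uses only the Python standard library.

```python
"""Integrity check with a bare hash versus a keyed hash (HMAC).

Added example, not part of the original book. MESSAGE, TAMPERED and
SHARED_KEY are constructed for illustration; a real key must come from a
CSPRNG (see new_key) and be shared out of band.
"""
import hashlib
import hmac
import secrets

# Constructed sample data.
MESSAGE = b"transfer 100.00 to account 4471"
TAMPERED = b"transfer 900.00 to account 4471"
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # demo only


def new_key(nbytes=32):
    """Generate a fresh HMAC key from the OS CSPRNG (what SHARED_KEY should be)."""
    return secrets.token_bytes(nbytes)


def digest(data, algorithm="sha256"):
    """Hex digest of data. Sender and receiver must agree on the algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_digest(data, expected_hex, algorithm="sha256"):
    """Unkeyed check. Detects accidental corruption, but anyone who can
    replace the message can also replace the digest sent with it."""
    return hmac.compare_digest(digest(data, algorithm), expected_hex)


def tag(data, key):
    """Keyed check (HMAC-SHA256): only a holder of key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data, expected_hex, key):
    """Constant-time comparison; a plain == would leak timing information."""
    return hmac.compare_digest(tag(data, key), expected_hex)


def forge(new_message, guessed_key):
    """Model an in-path attacker replacing the message and its check values.
    They can recompute the bare hash exactly, but without SHARED_KEY the
    best they can do for the HMAC is a tag under a guessed key."""
    return new_message, digest(new_message), tag(new_message, guessed_key)


if __name__ == "__main__":
    # Sender side: compute both check values over the honest message.
    d, t = digest(MESSAGE), tag(MESSAGE, SHARED_KEY)
    print("honest delivery :", verify_digest(MESSAGE, d), verify_tag(MESSAGE, t, SHARED_KEY))

    # Bit flip in transit, check values untouched: both mechanisms catch it.
    print("corruption      :", verify_digest(TAMPERED, d), verify_tag(TAMPERED, t, SHARED_KEY))

    # Active attacker swaps message AND check values: only the HMAC holds up.
    m2, d2, t2 = forge(TAMPERED, b"wrong key")
    print("active attacker :", verify_digest(m2, d2), verify_tag(m2, t2, SHARED_KEY))
```

Run it and the third line prints True False: the recomputed bare hash verifies fine, which is the whole point of the caveat, while the HMAC rejects the forged message because the attacker never held the key.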
23.  Which of the following describes activities taken in the conclusion phase of a penetration test?
A.  Reports are prepared detailing security deficiencies.
B.  Vulnerability assessment is conducted.
C.  Security control audits are performed.
D.  Contract and scope agreement is created.
A. Pen tests consist of three major phases: preparation, assessment, and conclusion. The conclusion phase is where you wrap everything up and present your findings to the customer. The only tricky thing about this question is overthinking it. While you're testing and discovering things, you're documenting everything that happens, so you could easily argue that, in a way, you're preparing reports during the assessment phase. Don't overthink this one: reports are done in the conclusion phase.
B is incorrect because vulnerability assessment, along with all attacks and audits, occurs during the assessment phase of a pen test.
C is incorrect because security control audits occur during the assessment phase of a pen test. Remember, all the action occurs in the middle, surrounded by planning for the action (preparation phase) and presenting it to the customer (conclusion phase).
D is incorrect because the contract and scope agreement are hammered out in the preparation phase. This is where you determine how far you can go, what the client actually wants to find out, and where they don't want you to be.
24.  Which of the following best describes an ethical hacker?
A.  An ethical hacker never knowingly or unknowingly exceeds the boundaries of the scope agreement.
B.  An ethical hacker never performs a denial of service attack on a target machine.
C.  An ethical hacker never proceeds with an audit or test without written permission.
D.  An ethical hacker never performs social engineering on unsuspecting members of the target organization.
C. I know you're tired of seeing this question. I'm tired of asking it. But you get the point now, right? This is important and you will see it on the exam. The only real difference between the bad-guy crackers out there and us, the ethical hackers, is written permission. Bad guys want to steal and destroy stuff. They don't care about rules and don't bother to ask for permission. They will ruthlessly attack every avenue they can possibly think of in order to break into the target, and they don't care how far down the rabbit hole it takes them. The only difference between them and us is that we agree to do it only under certain controlled circumstances and guidelines. If, for one second, you think an ethical hacker won't take advantage of every single tool, loophole, loose lip, or technique available, regardless of how bad it makes someone in the target organization feel, you are in the wrong field. We're just as dirty as the other guys; we just do it with permission.
A is incorrect because, although the ethical hacker should never knowingly exceed the scope or boundaries of his test, it sometimes happens unknowingly. Heck, sometimes there's almost no way around it, and it often occurs without the tester knowing about it until later. In several well-known cases a pen test has gone awry and hit systems outside the target organization. This doesn't mean the tester was unethical; it just happens, which is why scope and emergency contacts are settled in writing beforehand.
B is incorrect because your client may specifically ask you to perform a DoS attack. Often they'll explicitly ask you not to, but the point is the same either way: we test everything we're told to, just as a bad guy would in trying to disrupt or gain access to a resource.
D is incorrect because social engineering is a big part of a true pen test. After all, the users are the weakest link in the chain, right? If you don't test them, you're not performing a full test. Because social engineering is on the table for the bad guys, it's on the table for us, too.
25.  In which phase of the attack would a hacker set up and configure “zombie” machines?
A.  Reconnaissance
B.  Covering tracks
C.  Gaining access
D.  Maintaining access
D. Zombies are machines the hacker has commandeered to do his work for him, typically by planting an agent that keeps reporting back to the attacker. Because the attacker has to keep a foothold on each of them, CEH files setting up and configuring zombies under maintaining access. If the attacker is really good, the owners of the zombie machines don't even know their machines have been drafted into the war.
A is incorrect because the reconnaissance stage is all about gaining knowledge and information on a target. In reconnaissance you're learning about the target itself: what system types they may have in use, what hours they operate, whether or not they use a shredder, and what personal information about their employees is available. Think of reconnaissance as the background information on a good character in a novel; it may not be strictly necessary to know before you read the action scenes, but it sure makes it easier to understand why the character behaves a certain way during the conflict. Setting up zombie systems goes far beyond the boundaries of gathering information.
B is incorrect because this stage is where attackers attempt to conceal their success and avoid detection by security professionals. This can involve removing or altering log files, hiding files with hidden attributes or directories, and using tunneling protocols to communicate with the system.
C is incorrect because in this stage attacks are leveled against the targets enumerated during scanning and enumeration. Key words to look for in identifying this stage are the attacks themselves (such as buffer overflows and SQL injection). Finally, be careful about questions relating to elevating privileges. Sometimes this is counted as its own stage, so pay very close attention to the question's wording in choosing your answer.