  1.  The result of a “whois” search on a target is listed here:
[Figure: whois output for anybusiness.com, not reproduced]
Which of the following is a true statement regarding this output?
A.  Anybusiness.com was registered using GoDaddy.com.
B.  The technical contact for this website may have entered personal information at registration.
C.  There is no information within this output useful for a zone transfer.
D.  The administrative and technical contacts are the same.
B. The Technical Contact listing displays the technical contact’s name as well as what may be their personal phone number. The address? Probably where they work, but you never know. This could turn out to be nothing, but it might provide you with an “in” for social engineering efforts later.
A is incorrect because the registrant is clearly listed as anybusiness.com. You’ll find these whois searches to be hit and miss sometimes. Every once in a while you’ll find tons of information. Other times, it’s bare-bones basics. Had this site been registered with GoDaddy.com, it would look something like this:
[Figure: sample whois output for a domain registered through GoDaddy.com, not reproduced]
C is incorrect because the target’s DNS servers are listed right at the bottom. If you’re going to pull a zone transfer, you’ll need to know the DNS servers holding the proper information.
D is incorrect because these two contacts are clearly different. The administrative contact is listed as a business name (smart idea). The technical contact, however, may be personal in nature.
  2.  Your client’s business is headquartered in Japan. Which regional registry would be the best place to look for footprinting information?
A.  APNIC
B.  RIPE
C.  ASIANIC
D.  ARIN
E.  LACNIC
A. This one is easy as pie, and should be a freebie if you see it on the test. Five regional Internet registries provide overall management of public IP address space within a given geographic region. APNIC handles the Asia and Pacific realms.
B is incorrect because RIPE handles Europe, Middle East, and parts of Central Asia/Northern Africa. If you’re wondering, the name is French and stands for Réseaux IP Européens.
C is incorrect because ASIANIC is not a regional registry. It’s purely a distractor in this case.
D is incorrect because the ARIN service region includes Canada, many Caribbean and North Atlantic islands, and the United States. Caribbean islands falling under ARIN include Puerto Rico, the Bahamas, Antigua, American and British Virgin Islands, Turks and Caicos Islands, and the Cayman Islands (among others).
E is incorrect because LACNIC handles Latin America and some of the Caribbean. It stands for Latin America and Caribbean Network Information Center. LACNIC coverage includes most of South America, Guatemala, French Guiana, the Dominican Republic, and Cuba (among others). This one and ARIN most often get confused.
  3.  Which of the following are footprinting tools? (Choose all that apply.)
A.  Sam Spade
B.  Nslookup
C.  Traceroute
D.  NetCraft
E.  Nessus
A, B, C, and D. Although Sam Spade is, for all intents and purposes, defunct, it’s still listed as a DNS footprinting tool within the CEH exam. Nslookup is a command that’s part of virtually every operating system in the world, and provides a means to query DNS servers for information. NetCraft is one of those neat little tools to help you find internal links within a site, which may provide information on employees and business partners. Traceroute (the Windows syntax is tracert hostname) is a command-line tool that tracks a packet across the Internet and provides a route path and transit times. Speaking of traceroute, it’s important for you to remember that the Windows and Linux versions are different animals. The Windows version is ICMP based, whereas the Linux/UNIX version is, by default, a UDP-based tool that manipulates TTL to elicit an ICMP response. This makes the Linux/UNIX version a valuable tool in trying to get into places that might block all external-to-internal ICMP.
E is incorrect because Nessus isn’t considered a part of footprinting, per se. It is an integral part of vulnerability management, but we’re not talking about finding a vulnerability on the target you’ve already footprinted and enumerated in this scenario. That comes much later in the phases of hacking. Don’t confuse vulnerability research (gaining knowledge on what vulnerabilities exist by using hackerstorm, secunia, and so on) with footprinting tools. Yes, you need to keep up to speed with what vulnerabilities are present in the networking world, but using Nessus to discover which ones are present on a particular machine isn’t footprinting.
  4.  You are looking for files with the terms “Apache” and “Version” in their titles. Which Google hack is the appropriate one?
A.  inurl:apacheinurl:version
B.  allintitle:apache version
C.  intitle:apacheinurl:version
D.  allinurl:apache version
B. The Google search operator allintitle searches for pages that contain the string, or strings, you specify. It also allows for the combination of strings in the title, so you can search for more than one term within the title of a page.
A is incorrect because the operator inurl only looks in the URL of the site, not the page title. In this example, the search might bring you to a page such as http://anyplace.com/apache_Version/pdfs.html.
C is incorrect because the apacheinurl operator doesn’t exist. The legitimate operator for searching in a URL would be “inurl”. Yes, you can combine operators, but the two used here just won’t get the job done—even if the correct version of URL lookup was used.
D is incorrect because allinurl does not look at page titles—it’s only concerned with the URL itself. As with the title searches, the allinurl operator allows you to combine search strings.
  5.  You’ve just kicked off a penetration test against a target organization and have decided to perform a little passive footprinting. Among the first sites you visit are job boards, where the company has listed various openings. What is the primary useful footprinting information to be gained through this particular search?
A.  Insight into the HR processes of the company
B.  Insight into the operating systems, hardware, and applications in use
C.  Insight into corporate security policy
D.  None of the above
B. Job boards are great sources of information. You probably wouldn’t get much of a response if you called the business up and said, “Hi! I’ll be attempting a hack into your network. Would you be so kind as to tell me your server infrastructure and whether you’re using Microsoft Exchange for your e-mail?” However, go out to a job board, and the listing will provide all that information for you anyway. If they’re asking for system administrator experience on Linux RHEL 8, you’re already ahead of the game. Job postings list the set of skills, technical knowledge, and system experience required, so why not use them in preparation?
A is incorrect because although the HR processes may be useable in a long-term attack—for social engineering purposes—you’re probably not going to get too much actual policy/process information here. And, frankly, that’s not what you’d be looking for.
C is incorrect because corporate security policy information simply isn’t provided in a job listing. If it is, they’ve got serious problems a pen test isn’t going to fix.
D is incorrect because ignoring job listings as part of your reconnaissance efforts is folly. Why ignore such a gold mine of easily obtainable information? Depending on how deeply they go into describing job duties and knowledge requirements, you might be able to build a pretty good picture of your attack before you even leave the living room (or wherever you do your recon from).
  6.  Which of the following activities is not considered passive footprinting?
A.  Dumpster diving
B.  Reviewing financial sites for company information
C.  Clicking links within the company’s public website
D.  Calling the company’s help desk line
D. So this one may be a little tricky, but it’s really pretty easy when you think about it. Remember, active and passive footprinting can be defined by two things: what you touch and how much discovery risk you put yourself in. Social engineering in and of itself is not all passive or active in nature. Dumpster diving, for example, is considered passive. Pick up a phone and call someone inside the company, or talk to people in the parking lot, however, and you’ve exposed yourself to discovery and are now practicing active footprinting.
A is incorrect because digging through the trash for useful information is passive footprinting defined: According to the EC Council and this exam, your discovery risk is negligible and you’re not touching the company’s network or personnel. Now, in the real world rummaging through someone’s trash on private property with no authorization and in full view of security personnel is probably going to get you caught, and is about as passive as a Tasmanian Devil; however, for your exam, ditch your hold on the real world and please remember that dumpster diving is passive.
B is incorrect because reviewing financial sites for company information is a method of gaining competitive intelligence. As you know, competitive intelligence refers to the information gathered by a business entity about their competitor’s customers, products, and marketing. Most of this information is readily available and can be acquired through a host of different means.
C is incorrect because although you are actively participating in moving around inside the company’s website, you are not necessarily putting yourself at discovery risk, nor are you touching anything the company doesn’t want you to. The public website is put in place for people to use, and the odds of someone picking up your click-throughs out of the thousands they receive every day are minimal. Granted, if you keep digging through their site and get deep enough (for example, you dig your way to an admin portal on a SAP site), you can, and should, be detected.
  7.  As fate would have it, you are contracted to pen test an organization you are already familiar with. You start your passive reconnaissance by perusing the company website. Several months ago, the public-facing website had a listing of all staff members, including phone numbers, e-mail addresses, and other useful information. Since that time, the listing has been removed from the website. Which of the following is the best option to provide access to the listing?
A.  Use a tool such as BlackWidow or Wget.
B.  Perform Google hack incache:staff.
C.  Use whois to discover the information.
D.  Use Google Cache.
E.  Use www.archive.org.
E. Archive.org keeps archival copies of web pages. If information relevant to your efforts was posted on the site at some point in the past but has since been updated or removed, and the change was not recent, using Archive.org is your best option.
A is incorrect because BlackWidow and Wget are tools used to pull a full copy of the current version of the site to your machine for analysis. Sure, this provides great insight into buried links and other hidden information, but it’s not going to pull any information that has been removed.
B is incorrect because although a Google hack may be a good option to locate this information (maybe search for the company name+staff+listing and so on), it’s not apropos in this scenario. The question clearly points to an archival copy of the site. Additionally, “incache” is not a Google hack operator that I’m aware of.
C is incorrect because whois doesn’t provide this type of information. If you want registration information on the site, whois is your vector, but it’s not going to help in this scenario.
D is incorrect because although Google Cache does provide an archival copy of the site, it’s not a very old copy. From Google’s description, “Google takes a snapshot of each page it examines and caches (stores) that version as a back-up. The cached version is what Google uses to judge if a page is a good match for your query.” In other words, a cache of the page is taken repeatedly throughout the day, not stored for months on end.
  8.  You are footprinting information for a pen test. Social engineering is part of your reconnaissance efforts, and some of it will be active in nature. You take steps to ensure that if the social engineering efforts are discovered at this early stage, any trace efforts point to another organization. Which of the following terms best describes what you are participating in?
A.  Anonymous footprinting
B.  Pseudonymous footprinting
C.  Passive footprinting
D.  Redirective footprinting
B. Pseudonymous footprinting is a relatively new term in the CEH realm, so you’ll probably see it on your exam. It refers to obfuscating your footprinting efforts in such a way that anyone trying to trace things back to you would instead be pointed to a different person (usually to look like a competitor’s business). I understand there’s probably a large segment of readers (like my tech editor) screaming that this term sounds fabricated and shouldn’t be here. I won’t argue for or against it. All I’ll say is that this term is on your exam, so you better memorize it. As a side note for those of you getting ready for a real-world job in pen testing, the scenario presented here may sound like a great idea, but you better be very, very careful in practicing it. In many ways, this could be illegal: pointing to another organization without authorization could make you liable both criminally and civilly.
A is incorrect because anonymous footprinting refers to footprinting efforts that can’t be traced back to you. These don’t redirect a search to someone else; they’re just efforts to hide your footprinting in the first place.
C is incorrect because passive footprinting is generally gathering competitive intelligence and doesn’t put you at risk of discovery anyway.
D is incorrect because the term redirective footprinting is made up. It’s here purely as a distractor.
  9.  You are setting up DNS for your enterprise. Server A is both a web server and an FTP server. You wish to advertise both services for this machine. Which DNS record type would you use to accomplish this?
A.  CNAME
B.  SOA
C.  MX
D.  PTR
E.  NS
A. You know—or should know by now—that a host name can be mapped to an IP using an “A” record within DNS. CNAME records provide for aliases within the zone on that name. For instance, your server might be named mattserver1.matt.com. A sample DNS zone entry to provide HTTP and FTP access might look like this:
[Figure: sample A and CNAME zone entries for mattserver1.matt.com, not reproduced]
B is incorrect because the SOA (Start of Authority) entry identifies the primary name server for the zone. The SOA record contains the host name of the server responsible for all DNS records within the namespace, as well as the basic properties of the domain.
C is incorrect because the MX (Mail Exchange) record identifies the e-mail servers within your domain.
D is incorrect because a PTR (Pointer Record) works the opposite of an A record. The pointer maps an IP address to a host name, and is generally used for reverse lookups.
E is incorrect because an NS (Name Server) record shows the name servers within your zone. These servers are the ones that respond to your client’s requests for name resolution.
10.  You are shoulder-surfing one of your team members. You see him type in the following:
[Figure: nslookup command sequence typed by the team member, not reproduced]
What is being accomplished here?
A.  He is attempting DNS poisoning.
B.  He is attempting DNS spoofing.
C.  He is attempting a zone transfer.
D.  He is resetting the DNS cache.
C. DNS records are maintained and managed by the authoritative server for your namespace (the SOA), which shares them with your other DNS servers (name servers) so your clients can perform lookups and name resolutions. The process of replicating all these records is known as a zone transfer. Nslookup is a really cool tool that lets you peruse the DNS system, and sometimes ask for a zone transfer to you—even though you’re not a name server within the zone. This effectively gives you a map of the network. A quick note, to dash the hopes of those who think this stuff is going to be super easy: Zone transfers are rarely, if ever, successful from outside of an organization. Also, there has been at least one court case where the judge ruled that a zone transfer constituted hacking. So although nslookup can be used for all sorts of things, including sometimes asking a server for a zone transfer, don’t sit at home and try it on a whim—you may find yourself in hot water.
A is incorrect because DNS poisoning is not accomplished with this command string. DNS poisoning refers to information introduced into a name server’s cache to purposefully reroute a request. This causes the NS to return an incorrect IP address, which diverts traffic to another system—usually the hacker’s machine.
B is incorrect for the same reason. DNS spoofing is another term used interchangeably with DNS poisoning, although they can sometimes refer to different attacks. In general, DNS poisoning refers to server attacks—altering the cache on a name server and such—whereas DNS spoofing can refer to all sorts of shenanigans involving the clients.
D is incorrect because there is no alteration of any records here. Your team member is simply using nslookup to ask for all records in the zone to be dumped here, so he can go through them and plan out an attack.
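From the defender’s side of questions 10 and 14, the thing to watch for is transfer requests arriving from hosts that are not your own secondaries. The following is an added example, not from the book: it scans constructed BIND-style query-log lines (the log format, the zone name somewhere.com, and the authorized secondary address are all assumptions) and reports AXFR/IXFR requests from unexpected clients.

```python
import re

# Constructed BIND query-log lines (not from the original page). The layout
# mirrors BIND's "query" logging channel, which is an assumption here.
SAMPLE_LOG = """\
10-Mar-2024 09:12:01.334 client @0x7f1a 192.0.2.53#41002 (somewhere.com): query: somewhere.com IN SOA -E (192.0.2.10)
10-Mar-2024 09:12:01.401 client @0x7f1a 192.0.2.53#41003 (somewhere.com): query: somewhere.com IN AXFR -E (192.0.2.10)
10-Mar-2024 09:15:22.017 client @0x7f2b 198.51.100.77#53211 (somewhere.com): query: somewhere.com IN AXFR + (192.0.2.10)
10-Mar-2024 09:15:40.500 client @0x7f2b 198.51.100.77#53212 (somewhere.com): query: somewhere.com IN MX + (192.0.2.10)
10-Mar-2024 09:16:03.812 client @0x7f3c 203.0.113.9#60001 (somewhere.com): query: somewhere.com IN IXFR + (192.0.2.10)
"""

# The zone's own secondaries, i.e. the only hosts expected to request transfers
# (constructed address). In BIND the same list belongs in the zone statement:
#   allow-transfer { 192.0.2.53; };
AUTHORIZED_SECONDARIES = {"192.0.2.53"}

# One regex for both older (no "@0x...") and newer BIND query-log layouts.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_line(line):
    """Return the parsed fields of one query-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unauthorized_transfers(log_text, authorized):
    """Return (client_ip, zone, qtype, timestamp) for every AXFR or IXFR request
    made by a client that is not an authorized secondary."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None:
            continue  # not a query line (or a layout this regex does not know)
        if rec["qtype"] in ("AXFR", "IXFR") and rec["ip"] not in authorized:
            findings.append((rec["ip"], rec["name"], rec["qtype"], rec["ts"]))
    return findings


def summarize_by_client(findings):
    """Count suspicious transfer requests per client address."""
    counts = {}
    for ip, _zone, _qtype, _ts in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unauthorized_transfers(SAMPLE_LOG, AUTHORIZED_SECONDARIES)
    for ip, zone, qtype, ts in hits:
        print(f"{ts}  {qtype:4} for {zone} requested by unexpected client {ip}")
    print(summarize_by_client(hits))
```

A logged request only shows that a transfer was asked for; whether it succeeded depends on the server’s allow-transfer policy, so pair this with a check of that configuration.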
11.  Within the DNS system, a primary server (SOA) holds and maintains all records for the zone. Secondary servers will periodically ask the primary whether there have been any updates. If updates have occurred, they will ask for a zone transfer to update their own copies. Under what conditions will a secondary name server request a zone transfer from a primary?
A.  When the primary SOA record serial number is higher than the secondary’s
B.  When the secondary SOA record serial number is higher than the primary’s
C.  Only when the secondary reboots or restarts services
D.  Only when manually prompted to do so
A. Occasionally you’ll get a question that’s not necessarily hacking in nature, but more about how the DNS system works in general. The serial number on an SOA is incremented each time the zone file is changed. So, when the secondary checks in with the primary, if the serial number is higher than its own, the secondary knows there has been a change and asks for a full zone transfer.
B is incorrect because the serial number increments with each change, not decrements. If the secondary checked in and the numbers were reversed—that is, the secondary had a serial number higher than the primary—it would either leave its own record unchanged or most likely dump the zone altogether.
C is incorrect because a zone transfer does not occur on startup. Additionally—and this is a free test-taking tip here—any time you see the word only in an answer, that answer is usually wrong. In this case, that’s definitely true, because the servers are configured to check in with each other on occasion to ensure the zone is consistent across the enterprise.
D is incorrect because this is just a ridiculous answer. Could you imagine having to manually update every DNS server? I can think of worse jobs, but this one would definitely stink.
12.  Examine the following SOA record:
[Figure: SOA record with a 2-hour (7,200-second) TTL, not reproduced]
If a secondary server in the enterprise is unable to check in for a zone update within an hour, what happens to the zone copy on the secondary?
A.  The zone copy is dumped.
B.  The zone copy is unchanged.
C.  The serial number of the zone copy is decremented.
D.  The serial number of the zone copy is incremented.
B. You will definitely see questions about the SOA record. In this question, the key portion you’re looking for is the TTL at the bottom, currently set to 2 hours (7,200 seconds). This sets the time a secondary server has to verify its records are good. If it can’t check in, this Time to Live for zone records will expire, and they’ll all be dumped. Considering, though, that this TTL is set to 2 hours and the question states it has only been 1 hour since the update, the zone copy on the secondary will remain unchanged.
A is incorrect because the secondary is still well within its window for verifying the zone copy it holds. It only dumps the records when TTL is exceeded.
C is incorrect because serial numbers are never decremented; they’re always incremented. Also, the serial number of the zone copy is only changed when a connection to the primary occurs and a copy is updated.
D is incorrect because although serial numbers are incremented upon changes (secondary copies number from the primary’s copy when records are transferred), the serial number of the zone copy is only changed when a connection to the primary occurs and a copy is updated. That has not occurred in this case.
13.  Which of the following footprinting tools uses ICMP to provide information on network pathways?
A.  Whois
B.  Sam Spade
C.  Nmap
D.  Traceroute
E.  AngryIP
D. Traceroute is a command-line tool that tracks a packet across the Internet and provides route path and transit times. It accomplishes this by using ICMP ECHO packets to report information on each “hop” (router) from the source to destination. The TTL on each successive packet is incremented by one, so that each packet expires one hop further along the path; this ensures the response comes back explicitly from that hop, which returns its name and IP address.
A is incorrect because this tool doesn’t work that way and isn’t used for that purpose. Whois originally started in Unix, but has become ubiquitous in operating systems everywhere. It has generated any number of websites set up specifically for the purpose of gathering registration information. It queries the registries and returns all sorts of information, including domain ownership, addresses, locations, and phone numbers.
B is incorrect because Sam Spade is a DNS enumeration tool—not a path-determination tool.
C is incorrect because nmap is a scanning and enumeration tool. It isn’t used in the same manner as traceroute. It is one of the more widely used tools that CEH covers, so you’ll need to know it very well.
E is incorrect because although AngryIP does use ICMP, it’s not used for path determination. It provides a very quick method to scan a subnet and see what hosts are “alive.”
14.  Examine the following command-line entry:
[Figure: nslookup command-line entry for the zone somewhere.com, not reproduced]
Which two statements are true regarding this command sequence?
A.  Nslookup is in noninteractive mode.
B.  Nslookup is in interactive mode.
C.  The output will show all mail servers in the zone somewhere.com.
D.  The output will show all name servers in the zone somewhere.com.
B and C. Nslookup runs in one of two modes: interactive or noninteractive. Noninteractive mode is simply the use of the command followed by an output: For example, nslookup will return the IP address your server can find for Google. Interactive mode is started by simply typing nslookup and pressing ENTER. Your default server name will display, along with its IP address, and a > prompt will await entry of your next command. In this scenario, we’ve entered interactive mode and set the type to MX, which we all know means, “Please provide me with all the mail exchange servers you know about.”
A is incorrect because we are definitely in interactive mode.
D is incorrect because the type was set to MX, not NS.
15.  Joe accesses the company website, www.anybusi.com, from his home computer and is presented with a defaced site containing disturbing images. He calls the IT department to report the website hack and is told they do not see any problem with the site: No files have been changed, and when the site is accessed from their terminals (inside the company) it appears normally. Joe connects over VPN into the company website and notices the site appears normally. Which of the following might explain the issue?
A.  DNS poisoning
B.  Route poisoning
C.  SQL injection
D.  ARP poisoning
A. DNS poisoning makes the most sense here. Joe’s connection from home uses a different DNS server for lookups than that of the business network. It’s entirely possible someone has changed the cache entries in his local server to point to a different IP than the one hosting the real website—one that the hackers have set up to provide the defaced version. The fact the web files haven’t changed and the site seems to be displaying just fine from inside the network also bears this out. What’s more, for those of you paying close attention, in a case like this, it’s important to note VPN access. If it turns out Joe’s DNS modification is the only one in place, there is a strong likelihood that Joe is being specifically targeted for exploitation—something Joe should take very seriously.
B is incorrect because route poisoning has nothing to do with this scenario. Route poisoning is used in distance vector routing protocols to prevent route loops in routing tables.
C is incorrect because although SQL injection is indeed a hacking attack, it’s not relevant here. The fact the website files remain intact and unchanged proves that access to the site through a SQL weakness isn’t what occurred here.
D is incorrect because ARP poisoning is relevant inside a particular subnet, not outside it (granted, you can have ARP forwarded by a router configured to do so, but that simply isn’t the case for this question). ARP poisoning will redirect a request from one machine to another inside the same subnet, and has little to do with the scenario described here.
16.  One way to mitigate against DNS poisoning is to restrict or limit the amount of time records can stay in cache before they’re updated. Which DNS record type allows you to set this restriction?
A.  NS
B.  PTR
C.  MX
D.  CNAME
E.  SOA
E. The SOA record holds all sorts of information, and when it comes to DNS poisoning, the TTL is of primary interest. The shorter the TTL, the less time records are held in cache. Although it won’t prevent DNS poisoning altogether, it can limit the problems a successful cache poisoning attack causes.
A is incorrect because an NS record shows the name server(s) found in the domain.
B is incorrect because a PTR record provides for reverse lookup capability—an IP-address-to-host-name mapping.
C is incorrect because an MX record shows the mail exchange server(s) in the zone.
D is incorrect because a CNAME record is used to provide alias entries for your zone (usually for multiple services or sites on one IP address).
17.  You are gathering reconnaissance on your target organization whose website has a .com extension. With no other information to go on, which regional Internet registry would be the best place to begin your search?
A.  ARIN
B.  APNIC
C.  LACNIC
D.  RIPE
E.  AfriNIC
A. I knew as soon as I typed this that it would be the one question in this chapter you would all lose your minds over. And trust me, I do understand it may seem totally without merit. But I promise you it’s legitimate. Most (not all, but most) .com registries occur in North America. For loads of reasons, registrations from other areas of the world tend to use their country designator. Because this one is a .com, we can reasonably assume it was registered in North America and, as we all know, ARIN takes care of registries for North America. In some instances a site will show “com.au” or something similar, but the country designator should be a dead giveaway in such a case. In short, .com without the country designator is ARIN controlled.
B is incorrect because APNIC handles registries for Asia and Pacific areas.
C is incorrect because LACNIC handles registries for Latin America and some of the Caribbean.
D is incorrect because RIPE handles registries for Europe (and some of central Asia).
E is incorrect because AfriNIC handles registries for Africa.
18.  Which of the following is a good footprinting tool for discovering information on a company’s founding, history, and financial status?
A.  SpiderFoot
B.  EDGAR database
C.  Sam Spade
D.  Pipl.com
B. The EDGAR database—www.sec.gov/edgar.shtml—holds all sorts of competitive intelligence information on businesses. The following is from the website: “All companies, foreign and domestic, are required to file registration statements, periodic reports, and other forms electronically through EDGAR. Anyone can access and download this information for free. Here you’ll find links to a complete list of filings available through EDGAR and instructions for searching the EDGAR database.” Note that EDGAR and the SEC only have purview over publicly traded companies. Privately held companies are not regulated or obligated to put information in EDGAR. Additionally, even publicly traded companies might not provide information about privately owned subsidiaries, so be careful and diligent.
A is incorrect because SpiderFoot is a free, open-source, domain-footprinting tool. According to the SpiderFoot website, SpiderFoot scrapes the websites on a domain, as well as searches Google, NetCraft, whois, and DNS, to collect information.
C is incorrect because Sam Spade is a DNS footprinting tool.
D is incorrect because pipl.com is a site used for “people search.” When footprinting, pipl.com can employ so-called “deep web searching” for loads of information you can use. According to the website, the term deep web (or invisible web) “refers to a vast repository of underlying content, such as documents in online databases, that general-purpose web crawlers cannot reach. The deep web content is estimated at 500 times that of the surface web, yet has remained mostly untapped due to the limitations of traditional search engines.”
19.  How does traceroute map the routes traveled by a packet?
A.  By carrying a hello packet in the payload, forcing the host to respond
B.  By using DNS queries at each hop
C.  By manipulating the time to live (TTL) parameter
D.  Using ICMP type 5, code 0 packets
C. Traceroute tracks a packet across the Internet by incrementing the TTL on each successive packet it sends by one, so that each packet expires one hop further along the path; this ensures the response comes back explicitly from that hop, which returns its name and IP address. This provides route path and transit times. It accomplishes this by using ICMP ECHO packets to report information on each hop (router) from the source to destination.
A is incorrect because ICMP simply doesn’t work that way. A hello packet is generally used between clients and servers as a check-in/health mechanism—not a route-tracing method.
B is incorrect because a DNS lookup at each hop is pointless and does you no good. DNS isn’t for route tracing; it’s for matching host names and IP addresses.
D is incorrect because an ICMP type 5, code 0 packet is all about message redirection and not about a ping request (type 8).
20.  You are footprinting a target headquartered in the Dominican Republic. You have gathered some competitive intelligence and have engaged in both passive and active reconnaissance. Your next step is to define the network range this organization uses. What is the best way to accomplish this?
A.  Call the company help desk and ask them
B.  Use the EDGAR database
C.  Use LACNIC to look up the company range
D.  Use ARIN to look up the company range
image  C. LACNIC covers Latin America, Cuba, and some Caribbean islands. The regional registry can provide all sorts of information, and chief among all that data is the IP address range owned by the organization.
image  A is incorrect, but only because LACNIC can provide the information passively. Otherwise, you’d be surprised what kind of information you can get by simply calling and asking. I’d like to say the technician on the other end of the line would either hang up or alert security to try and catch you, but I’d bet at least some technicians would go try and look it up for you.
image  B is incorrect because the EDGAR database, managed by the Securities and Exchange Commission (SEC), doesn't hold this information. It's great for all sorts of other competitive intelligence (financial filings, company data, and so on), but it doesn't provide network ranges.
image  D is incorrect because ARIN doesn’t cover the Dominican Republic—it covers North America and several Caribbean islands.
21.  A zone file consists of which types of records? (Choose all that apply.)
A.  PTR
B.  MX
C.  SN
D.  SOA
E.  DNS
F.  A
G.  AX
image  A, B, D, and F. A zone file contains a list of all the resource records in the namespace zone. Here are the valid resource records:
image
image  C, E, and G are incorrect because SN, DNS, and AX are not valid DNS resource record types. They only resemble real ones: NS is the name server record, SOA is the start of authority, and AXFR is the query type used to request a full zone transfer, not a record stored in the zone.
22.  Examine the following SOA record:
image
How long will the secondary server wait before asking for an update to the zone file?
A.  One hour
B.  Two hours
C.  Ten minutes
D.  One day
image  A. The refresh interval defines the amount of time a secondary will wait before checking in to see if it needs a zone update.
image  B is incorrect because the refresh interval is set to 3,600 seconds (one hour). If you chose this answer because the TTL (minimum) field appealed to you, note that this field historically set the default time to live for records in the zone; since RFC 2308 it defines the negative-caching TTL, how long a resolver may cache a "no such name" answer. Either way, it has nothing to do with when the secondary checks in.
image  C is incorrect because the refresh interval is set to 3,600 seconds (one hour). If you chose this answer because the retry interval appealed to you, note that the retry interval is the amount of time a secondary server waits before trying again after a refresh check fails (for example, because the primary was unreachable).
image  D is incorrect because the refresh interval is set to 3,600 seconds (one hour). If you chose this answer because the expire interval appealed to you, note that the expire interval is the maximum amount of time a secondary will keep serving the zone without having successfully contacted the primary; once it passes, the secondary stops answering authoritatively for the zone.
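As an added example (not the book's code), the following Python parses a constructed zone file, lists the record types it holds, rejecting names such as SN that are not real record types, and reads the SOA timers by position so the refresh, retry, expire and minimum values in a question like this one can be read off directly. The zone anybiz.example and its addresses are made up for the example.

```python
"""Parse a small zone file, list the resource-record types it holds, and
decode the SOA timers that drive a secondary server's refresh behaviour.

Added example, not code from the book. ZONE is a constructed zone in BIND
master-file format; anybiz.example and its addresses are not real.
"""
import re
from typing import Dict, List

# Constructed zone. The parenthesised block after SOA is, in order:
# serial, refresh, retry, expire, minimum.
ZONE = """\
$TTL 86400
@       IN  SOA  ns1.anybiz.example. hostmaster.anybiz.example. (
                 2024010101 ; serial
                 3600       ; refresh: secondary checks for updates hourly
                 600        ; retry:   wait 10 min after a failed check
                 604800     ; expire:  stop serving after 7 days of no contact
                 86400 )    ; minimum: negative-caching TTL (RFC 2308)
@       IN  NS   ns1.anybiz.example.
@       IN  MX   10 mail.anybiz.example.
ns1     IN  A    203.0.113.5
mail    IN  A    203.0.113.6
www     IN  CNAME anybiz.example.
"""

# Record types a zone file may legitimately contain (a subset of the IANA list).
VALID_TYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "PTR", "SRV", "TXT"}


def records(text: str) -> List[List[str]]:
    """Split zone text into token lists, one per record.

    Strips ';' comments, skips $-directives, and joins lines that belong
    to a parenthesised record such as the multi-line SOA."""
    out: List[List[str]] = []
    buf: List[str] = []
    depth = 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)
        if not line.strip() or line.startswith("$"):
            continue
        depth += line.count("(") - line.count(")")
        buf.extend(line.replace("(", " ").replace(")", " ").split())
        if depth == 0:
            out.append(buf)
            buf = []
    return out


def record_type(tokens: List[str]) -> str:
    """The record type is the token following the class (IN)."""
    return tokens[tokens.index("IN") + 1] if "IN" in tokens else tokens[1]


def zone_types(text: str) -> List[str]:
    """Return the type of every record, rejecting names that are not real
    DNS resource-record types (for example SN, DNS or AX)."""
    types: List[str] = []
    for tokens in records(text):
        rtype = record_type(tokens)
        if rtype not in VALID_TYPES:
            raise ValueError(f"not a DNS resource record type: {rtype}")
        types.append(rtype)
    return types


def soa_timers(text: str) -> Dict[str, int]:
    """Extract the five numeric SOA fields by position."""
    for tokens in records(text):
        if record_type(tokens) == "SOA":
            i = tokens.index("SOA") + 3          # skip MNAME and RNAME
            names = ("serial", "refresh", "retry", "expire", "minimum")
            return dict(zip(names, (int(v) for v in tokens[i:i + 5])))
    raise ValueError("zone has no SOA record")


def human(seconds: int) -> str:
    """Render a timer as whole days/hours/minutes where it divides evenly."""
    for unit, size in (("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size and seconds % size == 0:
            return f"{seconds // size}{unit}"
    return f"{seconds}s"


if __name__ == "__main__":
    print("record types:", zone_types(ZONE))
    t = soa_timers(ZONE)
    print(f"secondary asks for an update every {human(t['refresh'])}, "
          f"retries after {human(t['retry'])} on failure, and stops "
          f"answering after {human(t['expire'])} without contact")
```

The same positional reading applies to an SOA pulled with dig: the answer section lists MNAME, RNAME and then the five numbers in exactly this order, so the second number after the serial is always the refresh interval the question is asking about.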
23.  A colleague enters the following into a Google search string:
image
Which of the following statements is most correct concerning this attempt?
A.  The search engine will not respond with any result because you cannot combine Google hacks on one line.
B.  The search engine will respond with all pages having “intranet” in their title and “human resources” in the URL.
C.  The search engine will respond with all pages having “intranet” in the title and in the URL.
D.  The search engine will respond with only pages having “intranet” in the title and URL and with “human resources” in the text.
image  D. This is a great Google hack that's listed on several websites providing Google hacking examples. Think about what your colleague is looking for here: an internal page (intranet in the title and URL) that mentions human resources, which could hold personnel or organizational data. Don't you think that would be valuable? This example shows the beauty of combining Google hacks to really burrow down to what you want to grab. Granted, an intranet being reachable from the Internet, indexed by Google, and open enough for your colleague to touch it is unlikely, but these are questions concerning syntax, not reality.
image  A is incorrect because Google hack operators can be combined. As a matter of fact, once you get used to them, you’ll spend more time combining them to narrow an attack than launching them one by one.
image  B is incorrect because the operator does not say to look for “human resources” in the URL. It specifically states this should be looked for in the text of the page.
image  C is incorrect because there is more to the operation string than just “intranet” in the URL and title. Don’t just glaze over the intext:“human resources” operator—it makes answer D more correct.
24.  A good footprinting method is to track e-mail messages and see what kind of information you can pull back. Which tool is useful in this scenario?
A.  Nmap
B.  BlackWidow
C.  Snow
D.  eMailTrackerPro
E.  MailMan
image  D. eMailTrackerPro, from Visualware, is an e-mail-tracking application that displays all sorts of information on where an e-mail originated, where it's going, and how it will get there. It reports the message's origin, detects misdirection, pulls whois and IP data on the sending host, and provides abuse-reporting details.
image  A is incorrect because nmap is not an e-mail-tracking tool. However, it’s a tool you’ll really need to know well for the scanning and enumeration phase.
image  B is incorrect because BlackWidow is a website-copying tool designed to pull a full copy of a site to your machine so you can analyze it at your leisure.
image  C is incorrect because snow is a steganography tool.
image  E is incorrect because MailMan isn’t an e-mail-tracking tool. It is included here solely as a distractor.
25.  You are footprinting DNS information using dig. What command syntax should be used to discover all name servers listed by DNS server 202.55.77.12 in the anybiz.com namespace?
A.  dig @www.anybiz.com NS 202.55.77.12
B.  dig NS @www.anybiz.com 202.55.77.12
C.  dig NS @202.55.77.12 www.anybiz.com
D.  dig @202.55.77.12 www.anybiz.com NS
image  D. Dig syntax is dig @server name type (where server is the name or IP of the DNS name server to query, name is the name you're asking about, and type is the type of record you wish to pull). In this case, the server IP is 202.55.77.12, the name is www.anybiz.com, and the type is NS. One practical caveat: NS records live at the zone apex, so in real life you would query dig @202.55.77.12 anybiz.com NS; asking for NS on www.anybiz.com will usually return no answer records and only the zone's SOA in the authority section. The exam question tests the argument order, not that detail.
image  A, B, and C are incorrect because the syntax does not match the command usage. dig does accept its arguments in other orders, but none of these options puts the @server, name, and type where dig expects them for this query.