  1.  What would you expect to find in a final report from a full penetration test? (Choose all that apply.)
A.  Names of all the participants
B.  A list of findings from the assessment(s)
C.  An executive summary of the assessment(s)
D.  A list of vulnerabilities that were patched by the team
A, B, and C. It seems fairly obvious that if you hire someone to perform a security audit of your organization, you would expect a report at the end of it. Pen tests vary from company to company, and test to test, but some basics are part of every pen test final report to the customer. The basics that are part of every report are listed here:
•  An executive summary of the organization’s overall security posture (if testing under the auspices of FISMA, DIACAP, HIPAA, or other standard, this will be tailored to the standard)
•  Names of all participants as well as dates of all tests
•  A list of findings, usually presented in order of highest risk
•  An analysis of each finding as well as recommended mitigation steps (if available)
•  Log files and other evidence from your toolset
D is incorrect because a pen test is not designed to repair or mitigate security problems as they are discovered. The point of a pen test is to identify these potential security shortcomings so the organization can make a determination on repair or mitigation: There may be an acceptable level of risk versus the cost to fix for certain findings that the customer is perfectly comfortable with. Something that may seem to you, the pen tester, like a glaring security hole dooming the organization to certain virtual death simply may not matter to the client—no matter how clearly and forcefully you try to stress that point.
  2.  A team is starting a security assessment. The target organization has provided a system on an internal subnet, but no other previous knowledge of any pertinent information has been given. Which type of test will the team be performing?
A.  Internal, white box
B.  Internal, black box
C.  External, white box
D.  External, black box
B. EC Council defines two types of penetration tests: external and internal. An external assessment analyzes publicly available information and conducts network scanning, enumeration, and testing from the network perimeter—usually from the Internet. An internal assessment, as you might imagine, is performed from within the organization, from various network access points. On your exam, just as it is here, this pure definition term may be combined with the white, gray, and black box testing terms you’re already familiar with.
A is incorrect because although the test is indeed internal, it is not a white box test—where the team would be provided with all knowledge of the inner workings of the system.
C and D are incorrect because this is not an external test.
  3.  Which of the following provide automated pen test–like results for an organization? (Choose all that apply.)
A.  Metasploit
B.  Nessus
C.  Core Impact
D.  CANVAS
E.  SAINT
F.  GFI Languard
A, C, and D. Automated tool suites for pen testing can be viewed as a means to save time and money by the client’s management, but (in my opinion, at least) these do not provide the same quality results as a test performed by security professionals. Automated tools can provide a lot of genuinely good information, but are also susceptible to false positives and false negatives, and don’t necessarily care what your agreed-upon scope says is your stopping point. Metasploit has a free, open source version and an insanely expensive “Pro” version for developing and executing exploit code against a remote target machine. Metasploit offers a module called “autopwn,” which can automate the exploitation phase of a penetration test.
Core Impact is probably the best-known, all-inclusive automated testing framework. From their website (www.coresecurity.com/content/core-impact-overview), Core Impact “takes security testing to the next level by safely replicating a broad range of threats to the organization’s sensitive data and mission-critical infrastructure—providing extensive visibility into the cause, effect and prevention of data breaches.” Core Impact tests everything from web applications and individual systems to network devices and wireless.
Per the Immunity Security website (www.immunitysec.com), CANVAS “makes available hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development framework to penetration testers and security professionals.” Additionally, the company claims CANVAS’s Reference Implementation (CRI) is “the industry’s first open platform for IDS and IPS testing.”
For the real-world purists out there, of the three, only Core Impact provides an actual, true, one-step automated pen-test result feature. Metasploit offers “autopwn,” and CANVAS has a similar “run everything” mode; however, both lack the true, solid result and report features of IMPACT. In the true sense of “automated pen test,” only IMPACT does this, but for your exam stick with all of them.
B, E, and F are incorrect for the same reason: These are all vulnerability assessment tool suites, not automated pen test frameworks. Nessus is probably the most recognizable of the three, but SAINT and GFI Languard are both still listed as top vulnerability assessment applications.
  4.  An assessment against a network segment tests for existing vulnerabilities, but does not attempt to exploit any of them. What is this called?
A.  Penetration test
B.  Partial penetration test
C.  Vulnerability assessment
D.  Security scan
C. A vulnerability assessment is exactly what it sounds like: the search for, and identification of, potentially exploitable vulnerabilities on a system or network. These vulnerabilities can be poor security configurations, missing patches, or any number of other weaknesses a bad guy might exploit. The two keys to a vulnerability assessment are that the vulnerabilities are identified, not exploited, and that the report is simply a snapshot in time. The organization will need to determine how often it wants to run a vulnerability assessment.
A is incorrect because team members on a pen test not only discover vulnerabilities, they actively exploit them (within the scope of their prearranged agreement, of course).
B and D are incorrect because they are not valid terms associated with assessment types, and are included as distractors.
  5.  You are reviewing recent security breaches against an organization. In one case, a spouse of an employee illegally used the employee’s credentials to gain access and then carried out an attack. Which of the following best defines the attacker?
A.  Outside affiliate
B.  Outside associate
C.  Insider affiliate
D.  Insider associate
C. There are few truisms in life, but this is one of them: You will need to memorize certain terms that are very important for the exam you are taking, but probably don’t amount to a hill of skittles in the real world (and this memorization will infuriate and frustrate you to no end). This is a prime example. In the CEH world, you can define attackers by a lot of different criteria (for example, white hat versus black hat). When it comes to these terms, you differentiate attackers by who they are in relation to the company, and how they gain access.
Defining inside versus outside may seem simple, but you’ve got to be careful. It has nothing to do with where the attack is coming from, but everything to do with the person’s relationship to the company. All company employees (including contractors) are considered “inside.” Anyone who is not an employee is considered “outside,” with one notable exception: an inside affiliate is a spouse, friend, or acquaintance of an employee who makes use of the employee’s credentials to gain access and cause havoc. It’s a tricky little differentiation that you’ll definitely see on your test somewhere. For memorization purposes:
•  Insiders are employees and contractors of the organization.
•  Outsiders are everyone else attempting to get in (hackers and so on).
•  Affiliate deals with the credentials used in the attack: insider affiliate is the employee’s credentials (most often used by a spouse, friend, or client) and outsider affiliate is the use of open access (such as open wireless).
•  Insider associates are contractors, janitors, and so on, who may have limited access to resources. This authorized access isn’t necessarily to IT resources, but it does allow the attacker to roam freely into and out of organization offices and buildings—which makes things such as social engineering attacks easier.
A is incorrect because an outside affiliate is someone who is not employed with the company in any way (a hacker or maybe a corporate spy) and makes use of open access to the organization’s network. For example, a corporate spy may park his car close to a building and tie in to an unsecured WAP to look for information on the network.
B is incorrect because “outside associate” isn’t a term EC Council defines.
D is incorrect because an insider associate is someone who has limited access to resources, such as a guard or a contractor.
  6.  In which phase of a pen test is scanning performed?
A.  Pre-attack
B.  Attack
C.  Post-attack
D.  Reconnaissance
A. I know you’re sick of CEH definitions, terms, and phases of attacks, but this is another one you’ll just need to commit to memory. Per EC Council, there are three phases of a pen test: pre-attack, attack, and post-attack. The pre-attack phase is where you’d find scanning and other reconnaissance (competitive intelligence, website crawling, and so on).
B is incorrect because scanning is completed in the pre-attack phase. The attack phase holds four areas of work: penetrate the perimeter, acquire targets, execute attack, and escalate privileges.
C is incorrect because scanning is completed long before the post-attack phase. Actions accomplished in post-attack include removal of all uploaded files and tools, restoration (if needed) to original state, analyzing results, and preparing reports for the customer.
D is incorrect because reconnaissance is not a phase of pen testing.
  7.  An organization wants a security test but is concerned about time and cost. Which of the following tests is generally faster and costs less than a manual pen test?
A.  Automatic
B.  Internal
C.  Black box
D.  External
A. Automated tests—using tools such as CANVAS and Core Impact—are generally faster and cheaper than manual pen testing, which involves a professional team and a predefined scope/agreement. These automated tests are more susceptible to false positives and false negatives. Perhaps more importantly, though, they also don’t necessarily care about any scope or test boundary. With a manual pen test, you have a predetermined scope and agreement in place. With an automated tool, you run a risk of it running past the boundary of your test. It’s difficult to negotiate with a piece of software. Additionally, automated pen tests suffer the same flaw as most virus scanners: They rarely find anything a real hacker would use. Automated tools are dependent on the same signature-based mindset of most of the AVs out there, so if you really want to know whether your custom application, your complex architecture, your websites, and your users are vulnerable, you should hire a professional.
B is incorrect because this definition doesn’t match an internal test. Internal testing is performed from inside the organization’s network boundary. Internal testing can be announced (IT staff know it’s going on) or unannounced (IT staff is kept in the dark and only management knows the test is being performed).
C is incorrect because black box doesn’t necessarily have anything to do with cost. It generally takes longer than, say, white box testing, but it doesn’t fit this question.
D is incorrect because this definition doesn’t match external testing. External testing is all about publicly available information, and attempts to enumerate targets and other goodies from outside the network boundary.
  8.  The most dangerous threat to an organization is a disgruntled insider. Which of the following best defines a disgruntled employee’s (a normal user inside the network) attack against the organization?
A.  External black box
B.  Internal gray box
C.  Internal announced
D.  External white box
B. I understand some of you are going to try arguing semantics with me on this one, but trust me, the “best” designator in this question covers me here. Most employees are going to have at least some idea of internal networks or operations within the company—even if it’s just the domain to log into, password policy, or lockout policy. The internal gray box test best describes this: an attack inside the network by someone who has some information or knowledge about the network and resources being attacked.
A is incorrect because a disgruntled employee would not need to perform an external test—much less a black box (no knowledge) one. Is it possible a disgruntled employee wouldn’t take advantage of his internal knowledge? Is it possible he would ignore the built-in advantage of already being on the network and having login credentials there? Sure it is—it’s just not likely.
C is incorrect because the attack most certainly will not be announced (that is, the IT Security staff notified it is being conducted). It’s highly unlikely the disgruntled employee will want to assist the IT Security team in noting and patching security problems within the network.
D is incorrect, but just barely so. It is possible that this particular employee has all knowledge of the network segment he’s attacking. And it’s plausible he may even decide to run an attack externally. However, ignoring the advantage of being inside the network to launch an attack—even if it’s simply to set up a listening port to be used from a remote location—is highly unlikely. This choice simply isn’t the best description of the disgruntled employee attack.
  9.  Joe is part of an environmental group protesting AnyBiz, Inc., for the company’s stance on a variety of issues. Frustrated by the failure of multiple attempts to raise awareness of his cause, Joe launches sophisticated web defacement and denial of service attacks against the company, without attempting to hide the attack source and with no regard to being caught. Which of the following best defines Joe?
A.  Hacktivism
B.  Ethical hacker
C.  Script kiddie
D.  Suicide hacker
D. This is another definition term from EC Council you’ll see on your exam. And, much like in this question, you’ll almost always see it paired with “hacktivism” as an answer. A suicide hacker is an attacker who is so wrapped up in promoting their cause they do not care about the consequences of their actions. If defacing a website or blowing up a company server results in 30 years of prison time, so be it: as long as the cause has been promoted. In some instances (I’ve seen this in practice test exams before) the suicide hacker even wants to be caught—to serve as a martyr for the cause.
A is incorrect because hacktivism refers to the act, not the attacker. Hacktivism is the act of hacking for a cause, but those participating may very well want to avoid jail time. Suicide hackers don’t care.
B is incorrect for obvious reasons. As a matter of fact, if you chose this answer, stop right now and go back to page one—you need to start the whole thing over again. An ethical hacker is employed as part of a team of security professionals, and works under strict guidelines and agreed-upon scope.
C is incorrect because a script kiddie is a point-and-shoot type of “hacker” who simply pulls information off the Internet and fires away.
10.  A security team has been hired by upper management to assess the organization’s security. The assessment is designed to emulate an Internet hacker and to test the behavior of the security devices and policies in place as well as the IT Security staff. Which of the following best describes this test? (Choose all that apply.)
A.  Internal
B.  External
C.  Announced
D.  Unannounced
B and D. An external test is designed to mirror steps a hacker might take from outside the company perimeter. The team will start, of course, with publicly available information and ratchet up attempts from there. Because the question states it’s testing security devices, policies, and the IT staff, the indication is this is an unannounced test. After all, if the IT staff knew the attack was going to occur in advance, it wouldn’t be a true test of their ability to detect and react to an actual, real attack.
A and C are incorrect because this attack is not internal to the organization’s network perimeter, nor has it been announced to the IT staff.
11.  In which phase of a pen test will the team penetrate the perimeter and acquire targets?
A.  Pre-attack
B.  Attack
C.  Post-attack
D.  None of the above
B. EC Council splits a pen test into three different phases: pre-attack, attack, and post-attack. In the attack phase, the team will attempt to penetrate the network perimeter, acquire targets, execute attacks, and elevate privileges. Getting past the perimeter might take into account things such as verifying ACLs by crafting packets as well as checking the use of any covert tunnels inside the organization. Attacks such as XSS, buffer overflows, and SQL injections will be used on web-facing applications and sites. After acquiring specific targets, password cracking, privilege escalation, and a host of other attacks will be carried out.
A is incorrect because these actions do not occur in the pre-attack phase. Per EC Council, pre-attack includes planning, reconnaissance, scanning, and gathering competitive intelligence.
C is incorrect because these actions do not occur in the post-attack phase. Per EC Council, post-attack includes removing all files, uploaded tools, registry entries, and other items installed during testing from the target(s). Additionally, your analysis of findings and creation of the pen test report will occur here.
D is incorrect because there is an answer for the question listed.
12.  Which of the following test types presents a higher probability of encountering problems and takes the most amount of time?
A.  Black box
B.  Gray box
C.  White box
D.  Internal
A. Tests can be internal or external, announced or unannounced, and can be classified by the knowledge the team has before the test occurs. A black box test, whether internal or external, is designed to simulate a hacker’s attempts at gaining entry into the organization. Obviously this usually starts as an external test, but can become internal as time progresses (depending on the pen test team’s scope and agreement). Because it’s a test with no prior knowledge to simulate that true outsider threat, black box testing provides more opportunity for problems along the way and takes the most amount of time. External, black box testing takes the longest because the tester has to plan higher-risk activities.
B and C are incorrect for the same reason: In both cases, the information provided to the team greatly reduces the amount of time and effort needed to gain entry.
D is incorrect because there is no reference in the question to where this attack is actually taking place. As an aside, an internal test, where the team is given a network access point inside the network to start with, should obviously provide a leg up in both time and effort compared to an external one.
13.  Which of the following best describes the difference between a professional pen test team member and a hacker?
A.  Ethical hackers are paid for their time.
B.  Ethical hackers never exploit vulnerabilities; they only point out their existence.
C.  Ethical hackers do not use the same tools and actions as hackers.
D.  Ethical hackers hold a predefined scope and agreement from the system owner.
D. This one is a blast from the book’s past, and will pop up a couple of times on your exam. The only true difference between a professional pen test team member (an ethical hacker) and the hackers of the world is the existence of the formally approved, agreed-upon scope and contract before any attacks begin.
A is incorrect because although professional ethical hackers are paid for their efforts during the pen test, it’s not necessarily a delineation between the two (ethical and non-ethical). Some hackers may be paid for a variety of illicit activities. For one example, maybe a company wants to cause harm to a competitor, so they hire a hacker to perform attacks.
B and C are incorrect for the same reason. If a pen test team member did not ever exploit an opportunity and refused to use the same tools and techniques that the hackers of the world have at their collective fingertips, what would be the point of an assessment? A pen test is designed to show true security weaknesses and flaws, and the only way to do that is to attack it just as a hacker would.
14.  Sally is part of a penetration test team and is starting a test. The client has provided a network drop on one of their subnets for Sally to launch her attacks from. However, they did not provide any authentication information, network diagrams, or other notable data concerning the system(s). Which type of test is Sally performing?
A.  External, white box
B.  External, black box
C.  Internal, white box
D.  Internal, black box
D. Sally was provided a network drop inside the organization’s network, so we know it’s an internal test. Additionally, no information of any sort was provided—from what we can gather she knows nothing of the inner workings, logins, network design, and so on. Therefore, this is a black box test—an internal, black box test.
A and B are incorrect because this is an internal test, not an external one.
C is incorrect because a white box test would have included all the information Sally wanted about the network—designed to simulate a disgruntled internal network or system administrator.
15.  Joe is part of a pen test team that has been hired by AnyBiz to perform testing under a contract. As part of the defined scope and activities, no IT employees within AnyBiz know about the test. After some initial information gathering, Joe strikes up a conversation with an employee in the cafeteria and steals the employee’s access badge. Joe then uses this badge to gain entry to secured areas of AnyBiz’s office space. Which of the following best defines Joe in this scenario?
A.  Outside affiliate
B.  Outside associate
C.  Insider affiliate
D.  Insider associate
C. You had to know I would check to see if you’re paying attention, right? Otherwise there would be no explanation for asking nearly the same question twice within one chapter. Unless, of course, I was trying to make a point about how important these definitions are. Remember, an insider affiliate is someone—a spouse, friend, or acquaintance—who uses the employee’s access credentials to further their attack.
A is incorrect because an outside affiliate is someone who is not employed with the company and who makes use of open access (such as unsecured wireless) to the organization’s network.
B is incorrect because “outside associate” isn’t a term within CEH study.
D is incorrect because an insider associate is a member of the organization—such as a guard or a subcontractor—who has limited access to resources.
16.  In which phase of a penetration test would you compile a list of vulnerabilities found?
A.  Pre-attack
B.  Attack
C.  Post-attack
D.  Reconciliation
C. Another simple definition question you’re sure to see covered on the exam. You compile the results of all testing in the post-attack phase of a pen test, so you can create and deliver the final report to the customer.
A and B are incorrect because this action does not occur in the pre-attack or attack phase.
D is incorrect because “reconciliation” is not a phase of a pen test, as defined by EC Council.
17.  Which of the following has a database containing thousands of signatures used to detect vulnerabilities in multiple operating systems?
A.  Nessus
B.  Hping
C.  LOIC
D.  SNMPUtil
A. Nessus is probably the best-known, most-utilized vulnerability assessment tool on the planet—even though it’s not necessarily free anymore. Nessus works on a server/client basis and provides “plug-ins” to test everything from Cisco devices, Mac OS, and Windows machines to SCADA devices, SNMP, and VMware ESX (you can find a list of plug-in families here: www.tenable.com/plugins/index.php?view=all). It’s a part of virtually every security team’s portfolio, and you should definitely spend some time learning how to use it.
As an aside—not necessarily because it has anything to do with your test, but because I am all about informing you to become a good pen tester—OpenVAS (www.openvas.org) is the open source community’s attempt to have a free vulnerability scanner. Nessus was a free scanner for the longest time. However, once purchased by Tenable Network Security, it, for lack of a better term, angered a lot of people in the security community because it became a for-profit entity instead of a for-security one. Don’t get me wrong, Nessus is outstanding in what it does—it just costs you money. OpenVAS is attempting to do the same thing for free, because the community wants security over profit.
B is incorrect because Hping is not a vulnerability assessment tool. Per Hping’s website (www.hping.org), it is “a command-line-oriented TCP/IP packet assembler/analyzer” used to test firewalls, fingerprint operating systems, and even to perform MITM (man-in-the-middle) attacks.
C is incorrect because LOIC (Low Orbit Ion Cannon) is a network stress testing and denial of service tool. It’s open source and can be used, supposedly legitimately, to test “network stress levels.”
D is incorrect because SNMPUtil is an SNMP security verification and assessment tool.
18.  Cleaning registry entries and removing uploaded files and tools are part of which phase of a pen test?
A.  Covering tracks
B.  Pre-attack
C.  Attack
D.  Post-attack
D. Cleanup of all your efforts occurs in the post-attack phase, alongside analysis of findings and generation of the final report. The goal is to put things back exactly how they were before the assessment.
A is incorrect because covering tracks is part of the phases defining a hacking attack, not a phase of a pen test.
B and C are incorrect because these steps do not occur in the pre-attack or attack phase.
19.  Jake, an employee of AnyBiz, Inc., parks his vehicle outside the corporate offices of SomeBiz, Inc. He turns on a laptop and connects to an open wireless access point internal to SomeBiz’s network. Which of the following best defines Jake?
A.  Outside affiliate
B.  Outside associate
C.  Insider affiliate
D.  Insider associate
A. Here we are again, back at a pure memorization question you’re sure to see on your exam. EC Council defines four different types of attackers in this scenario: a pure insider (easy enough to figure out), an insider associate, an insider affiliate, and an outside affiliate. In this example, Jake best fits outside affiliate. He is a nontrusted outsider: He’s not an employee or employed contractor, and he’s not using credentials stolen from one. His access is from an unsecured, open access point (usually wireless, but doesn’t have to be).
B is incorrect because EC Council does not define an “outside associate.”
C is incorrect because an insider affiliate is someone who does not have actual, authorized, direct access to the company’s network, but they use credentials they’ve stolen from a pure insider to gain entry and launch attacks.
D is incorrect because an insider associate is defined as someone who has limited access (to the network or to the facility itself) and uses that access to elevate privileges and launch attacks. The most common examples of this you’ll see are subcontractors, janitors, and guards.
20.  Which of the following are true regarding a pen test? (Choose all that apply.)
A.  Pen tests do not include social engineering.
B.  Pen tests may include unannounced attacks against the network.
C.  During a pen test, the security professionals can carry out any attack they choose.
D.  Pen tests always have a scope.
E.  A list of all personnel involved in the test is not included in the final report.
B and D. Pen tests are carried out by security professionals who are bound by a specific scope and rules of engagement, which must be carefully crafted, reviewed, and agreed on before the assessment begins. This agreement can allow for unannounced testing, should upper management of the organization decide to test their IT Security staff’s reaction times and methods.
A, C, and E are incorrect because these are false statements concerning a pen test. Unless expressly forbidden in the scope agreement, social engineering is a big part of any true pen test. The scope agreement usually defines how far a pen tester can go—for example, no intentional denial of service attacks and so on. Clients are provided a list of discovered vulnerabilities after the test, even if the team did not exploit them: There’s not always time to crack into every security flaw during an assessment, but that’s no reason to hide it from the customer. Lastly, the final report does include a list of all personnel taking part in the test.
21.  Which of the following is a potential cause of a security breach?
A.  Vulnerability
B.  Threat
C.  Exploit
D.  Zero day
B. A threat is something that could potentially take advantage of an existing vulnerability. Threats can be intentional, accidental, human, or even an “act of God.” A hacker is a threat to take advantage of an open port on a system and/or poor password policy. A thunderstorm is a threat to exploit a tear in the roof, leaking down to your systems. Heck, a rhinoceros is a threat to bust down the door and destroy all the equipment in the room. Whether those threats have intent, are viable, and are willing/able to take up the vulnerability is a matter for risk assessment to decide; they’ll probably beef up password policy and fix the roof, but I doubt much will be done on the rhino front.
A is incorrect because a vulnerability is a weakness in security. A vulnerability may or may not be a problem. For example, your system may have horribly weak password policy, or even a missing security patch, but if it’s never on the network and is locked in a guarded room accessible by only three people who must navigate a biometric system to even open the door, the existence of those vulnerabilities is moot.
C is incorrect because an exploit is what is or actually can be done by a threat agent to utilize the vulnerability. Exploits can be local or remote, a piece of software, a series of commands, or anything that actually uses the vulnerability to gain access to, or otherwise affect, the target.
D is incorrect because a zero-day exploit is simply an exploit that most of us don’t really know much about at the time of its use. For instance, a couple years back some bad guys discovered a flaw in Adobe Reader and developed an exploit for it. From the time the exploit was created to the time Adobe finally recognized its existence and built a fix action to mitigate against it, the exploit was referred to as zero day.
22.  Which Metasploit payload type operates via DLL injection and is very difficult for AV software to pick up?
A.  Inline
B.  Meterpreter
C.  Staged
D.  Remote
image  B. For those of you panicking over this question, relax—it’s not that bad. You do not have to know all the inner workings of Metasploit, but it does appear—from the variety of study materials available for the version 7 exam—that EC Council does want you to know some basics, and this question falls in that category. There are a bunch of different payload types within Metasploit, and meterpreter (short for Meta-Interpreter) is one of them. The following is from Metasploit’s website: “Meterpreter is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard anti-virus detection.”
image  A is incorrect because inline (single) payloads contain the complete shellcode for the designed task in one self-contained unit, with no second stage to fetch. They tend to be more stable than staged payloads, but they are easier to detect and, because of their size, may not fit in the space an exploit has available. Metasploit names singles with an underscore (for example, windows/shell_reverse_tcp) and staged payloads with a slash (windows/shell/reverse_tcp).
image  C is incorrect because staged payloads are split in two: a small stager that the exploit delivers, whose only job is to establish a connection between the victim and the attacking machine, and a larger stage (meterpreter, for instance) that the stager then reads in over that connection and executes in memory on the remote machine.
image  D is incorrect because “remote” isn’t a recognized payload type.
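To make the inline-versus-staged distinction concrete, here is an added Python model of what a stager actually does; it is not code from this book or from Metasploit. It assumes the classic reverse_tcp stager framing (a 4-byte little-endian length followed by the stage bytes), nothing is executed, and the “stage” is a constructed filler string standing in for something large like meterpreter. It also shows the failure mode a real stager must handle: a stage that arrives truncated.

```python
"""Model of the inline-versus-staged payload split (added example; not code
from the page or from Metasploit). Assumption: the handler-to-stager exchange
is reduced to the classic reverse_tcp stager framing, a 4-byte little-endian
length followed by the stage bytes. Nothing is executed; the "stage" is an
opaque byte string that is only read into memory."""
import socket
import struct
import threading

# Constructed stand-in for a large stage such as meterpreter: filler bytes,
# not shellcode.
SAMPLE_STAGE = b"STAGE:" + b"\x90" * 4000


def inline_payload(shellcode: bytes) -> bytes:
    """Single/inline payload: the exploit carries the whole task in one blob,
    so the size of the blob is the size the exploit must deliver."""
    return shellcode


def _recv_exact(conn: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or fail; a short read means a truncated stage."""
    buf = bytearray()
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError(
                "connection closed with %d of %d stage bytes" % (len(buf), n))
        buf.extend(chunk)
    return bytes(buf)


def handler_send_stage(conn: socket.socket, stage: bytes) -> None:
    """Attacker side: once the stager connects back, push the length-prefixed stage."""
    conn.sendall(struct.pack("<I", len(stage)) + stage)


def stager_receive_stage(conn: socket.socket) -> bytes:
    """Victim side: the small first-stage code connects, reads the 4-byte
    length, then pulls exactly that many bytes into memory (never to disk)."""
    (length,) = struct.unpack("<I", _recv_exact(conn, 4))
    return _recv_exact(conn, length)


def simulate_staged_delivery(stage: bytes = SAMPLE_STAGE) -> dict:
    """Run both ends over an in-process socket pair and report what arrived."""
    handler_end, stager_end = socket.socketpair()
    sender = threading.Thread(target=handler_send_stage, args=(handler_end, stage))
    sender.start()
    try:
        received = stager_receive_stage(stager_end)
    finally:
        sender.join()
        handler_end.close()
        stager_end.close()
    return {"stage_bytes": len(received), "matches": received == stage}


def simulate_truncated_delivery() -> str:
    """Failure mode: the handler advertises 100 bytes but the link drops
    after 10. A correct stager must refuse to run a partial stage."""
    handler_end, stager_end = socket.socketpair()
    handler_end.sendall(struct.pack("<I", 100) + b"A" * 10)
    handler_end.close()
    try:
        stager_receive_stage(stager_end)
        return "ran partial stage (bug)"
    except ConnectionError as exc:
        return "rejected: %s" % exc
    finally:
        stager_end.close()


if __name__ == "__main__":
    print("inline:", len(inline_payload(SAMPLE_STAGE)), "bytes must ride inside the exploit")
    print("staged:", simulate_staged_delivery())
    print("truncated:", simulate_truncated_delivery())
```

The point of the split is visible in the sizes: with the inline payload, every byte of SAMPLE_STAGE has to fit wherever the exploit can place it, whereas the staged version only needs the few instructions of the stager to fit there and fetches the rest afterwards. The same in-memory delivery is what lets meterpreter and its extensions avoid touching disk.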
23.  Metasploit is a framework allowing for the development and execution of exploit code against a remote host, and is designed for use in pen testing. The framework is made of several libraries, each performing a specific task and set of functions. Which library is considered the most fundamental component of the Metasploit framework?
A.  MSF Core
B.  MSF Base
C.  MSF interfaces
D.  Rex
image  D. Once again, this is another one of those weird questions you may see (involving any of the framework components) on your exam. It’s included here so you’re not caught off guard in the actual exam room and freak out over not hearing it before. Don’t worry about learning all the nuances of Metasploit and its architecture before the exam—just concentrate on memorizing the basics of the framework (key words for each area will assist with this) and you’ll be fine.
image
Metasploit, as you know, is an open source framework allowing all sorts of automated (point-and-shoot) pen test methods. The framework is designed in a modular fashion, with each library and component responsible for its own function. The following is from Metasploit’s development guide (http://dev.metasploit.com/redmine/projects/framework/wiki/DeveloperGuide#12-Design-and-Architecture): “The most fundamental piece of the architecture is the Rex library, which is short for the Ruby Extension Library. Some of the components provided by Rex include a wrapper socket subsystem, implementations of protocol clients and servers, a logging subsystem, exploitation utility classes, and a number of other useful classes.” Rex provides critical services to the entire framework.
image  A is incorrect because the MSF Core “is responsible for implementing all of the required interfaces that allow for interacting with exploit modules, sessions, and plugins.” It interfaces directly with Rex.
image  B is incorrect because the MSF Base “is designed to provide simpler wrapper routines for dealing with the framework core as well as providing utility classes for dealing with different aspects of the framework, such as serializing module state to different output formats.” The Base is an extension of the Core.
image  C is incorrect because the MSF interfaces are the means by which you (the user) interact with the framework. Interfaces for Metasploit include Console, CLI, Web, and GUI.
24.  EC Council defines six stages of scanning methodology. Which of the following correctly lists the six steps?
A.  Scan for vulnerabilities, check for live systems, check for open ports, banner grabbing, draw network diagrams, prepare proxies.
B.  Banner grabbing, check for live systems, check for open ports, scan for vulnerabilities, draw network diagrams, prepare proxies.
C.  Check for live systems, check for open ports, banner grabbing, scan for vulnerabilities, draw network diagrams, prepare proxies.
D.  Prepare proxies, check for live systems, check for open ports, banner grabbing, scan for vulnerabilities, draw network diagrams.
image  C. I can hear the complaints now: “You mean to tell me I have yet another list of steps to remember? Another methodology I’ve got to commit to memory?” Unfortunately, the answer to that question is yes, dear reader. I would apologize, but you’re probably used to at least a little bit of CEH madness by now.
EC Council defines the process of scanning by splitting it into six steps. First, you determine which hosts are alive on the network, followed by a check to see which ports they may have open. Next, a little banner grabbing will help in identifying operating systems and such. In step four, you’ll turn your attention to vulnerabilities which may be present on these systems.
Next (and the step I, personally, find very humorous to be involved in this particular methodology), you’ll put all this together in a neat little network drawing, for future reference. Lastly (in another step I find, personally, to be a weird addition), you’ll start preparing proxies from which you will launch attacks later.
These six steps are outlined in EC Council’s official study preparation for the exam. Get to know them, because you’ll see a question like this somewhere on your exam.
image  A, B, and D are all incorrect because they do not list the correct steps in order.
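The first three steps of that sequence are mechanical enough to show in code. The following is an added Python example, not part of the CEH material, that runs a live check, an open-port check, and a banner grab against a fake service it starts in-process on a loopback port; the service, its port and its “SSH-2.0-OpenSSH_7.4” banner are all constructed here. It uses full TCP connects rather than ICMP or SYN scans, so it needs no raw sockets or root.

```python
"""First three steps of the CEH scanning sequence (live check, open-port
check, banner grab) run against a fake service started in-process. Added
example, not the page's own material; the service, its port and its banner
are constructed here. Uses full TCP connects, so no raw sockets or root."""
import errno
import socket
import threading
from typing import Dict, List, Optional, Tuple

# Constructed banner; real SSH/SMTP/FTP daemons volunteer strings like this.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


def start_fake_service(banner: bytes = FAKE_BANNER) -> Tuple[int, socket.socket]:
    """Listen on an ephemeral loopback port; each client gets the banner then
    a close. Returns (port, listening socket) so the caller can shut it down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


def closed_port() -> int:
    """Pick a loopback port with nothing listening (bind, note the number, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def _probe(host: str, port: int, timeout: float) -> int:
    """connect_ex() result: 0 = open, ECONNREFUSED = closed, anything else = filtered/unreachable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        return s.connect_ex((host, port))
    finally:
        s.close()


def is_live(host: str, ports: List[int], timeout: float = 0.5) -> bool:
    """Step 1: any port that answers at all (SYN/ACK or RST) proves the host is up.
    ICMP ping is the textbook probe, but it needs raw sockets and is often
    blocked, so a TCP probe is the usual fallback."""
    return any(_probe(host, p, timeout) in (0, errno.ECONNREFUSED) for p in ports)


def scan_ports(host: str, ports: List[int], timeout: float = 0.5) -> Dict[int, str]:
    """Step 2: classify each port from the connect() result (a full-connect scan)."""
    state = {}
    for port in ports:
        rc = _probe(host, port, timeout)
        state[port] = "open" if rc == 0 else "closed" if rc == errno.ECONNREFUSED else "filtered"
    return state


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Step 3: connect and read whatever the service announces; None if it is silent."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        data = s.recv(1024)
    except OSError:
        return None
    finally:
        s.close()
    text = data.decode("ascii", errors="replace").strip()
    return text or None


def run_scan(host: str, ports: List[int]) -> dict:
    """Steps 1 to 3 in the order the methodology lists them; the later steps
    (vulnerability scan, network diagram, proxies) consume this output."""
    if not is_live(host, ports):
        return {"live": False, "ports": {}, "banners": {}}
    ports_state = scan_ports(host, ports)
    banners = {p: grab_banner(host, p) for p, st in ports_state.items() if st == "open"}
    return {"live": True, "ports": ports_state, "banners": banners}


if __name__ == "__main__":
    port, srv = start_fake_service()
    print(run_scan("127.0.0.1", [port, closed_port()]))
    srv.close()
```

Notice that the three steps feed each other in exactly the order the methodology gives: there is no point grabbing banners from a host that is not live, and no point trying ports that did not answer. Against a real target, replace the loopback address and port list; the logic is unchanged.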
25.  Which of the following may be effective countermeasures against an inside attacker? (Choose all that apply.)
A.  Enforce elevated privilege control.
B.  Secure all dumpsters and shred collection boxes.
C.  Enforce good physical security practice and policy.
D.  Perform background checks on all employees.
image  A, B, C, and D. All of the answers are correct. Admittedly there’s nothing you can really do to completely prevent an inside attack. There’s simply no way to ensure every single employee is going to remain happy and satisfied, just as there’s no way to tell when somebody might just up and decide to turn to crime. It happens all the time, in and out of Corporate America, so the best you can do is, of course, the best you can do.
Enforcing elevated privilege control (that is, least privilege: ensuring users have only the access, rights, and privileges needed to get their job done, and no more) seems like a common-sense thing, but it’s amazing how many enterprise networks simply ignore this, and a disgruntled employee with administrator rights on his machine can certainly do more damage than one with plain user rights. Securing dumpsters and practicing good physical security should help protect against an insider who wants to come back after hours and snoop around. And background checks on employees, although by no means a silver bullet in this situation, can certainly help to ensure you’re hiring the right people in the first place (in many companies a background check is a requirement of law). Other steps include, but are not limited to, the following:
•  Monitor user network behavior.
•  Monitor user computer behavior.
•  Disable remote access.
•  Disable removable drive use on all systems (USB drives and so on).
•  Shred all discarded paperwork.
•  Conduct user education and training programs.