Questions
1. Which of the following correctly lists the CEH hacking methodology?
A. Reconnaissance (footprinting), scanning and enumeration, gaining access, escalating privileges, maintaining access, and covering tracks
B. Scanning and enumeration, reconnaissance (footprinting), gaining access, escalating privileges, maintaining access, and covering tracks
C. Reconnaissance (footprinting), scanning and enumeration, escalating privileges, gaining access, maintaining access, and covering tracks
D. Reconnaissance (footprinting), gaining access, scanning and enumeration, escalating privileges, maintaining access, and covering tracks
Hint: Everything has an order. This one is easy if you think about the steps you’ll need to take.
Objective: Five stages of ethical hacking
2. Hacker Joe performs a DoS against a network resource. Which security element is being compromised?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication
Hint: Key words will help you on CIA triangle questions.
Objective: Identifying basic elements of information security
3. Per the Security, Functionality, and Ease of Use Triangle, as security in the enterprise decreases, which of the following is expected to occur?
A. Ease of use increases and functionality decreases
B. Functionality increases and ease of use decreases
C. Ease of use increases and functionality increases
D. Functionality decreases and ease of use decreases
Hint: Security, functionality, and ease of use are displayed in a triangle, so moving away from the center will give you your answer.
Objective: Understanding security, functionality, and ease of use
4. A client wishes the pen-test attack to simulate an inside user who finds ways to elevate privileges and create attacks. Which test type does the client want?
A. White box
B. Gray box
C. Black box
D. Hybrid
Hint: If you think about what an average user knows about their system and network, this one is easy.
Objective: Defining classifications of hackers and terms associated with hacking
5. Which of the following best defines an ethical hacker?
A. The ethical hacker does not exploit vulnerabilities.
B. The ethical hacker proceeds only with authorization from the target owner.
C. The ethical hacker does not use the same tools as unauthorized attackers.
D. The ethical hacker will never perform a DoS against a target.
Hint: You’ve got to know what makes us ethical hackers.
Objective: Defining classifications of hackers and terms associated with hacking
6. A pen-test member verifies the entire IP address range owned by the target, discovers details of their domain name registration, and visits job boards and financial websites regarding the target. What activity is being performed?
A. Passive footprinting
B. Vulnerability assessment
C. Active footprinting
D. Security assessment
Hint: Is the attacker actually touching anything that anyone else couldn’t get to?
Objective: The five stages of ethical hacking
7. Which security element is of primary concern when you wish to ensure a message is not altered during transit?
A. Confidentiality
B. Integrity
C. Authentication
D. Availability
Hint: Basic CIA definition you should know, given the key words in the question.
Objective: Identifying basic elements of information security
8. IDS picks up an attack against a target that originates from an unrecognized address: 212.77.88.54. The network range owned by the organization is a class C: 194.55.6.X. Which of the following best categorizes this attack?
A. Inside attack
B. Outside attack
C. White hat attack
D. Black box attack
E. Announced
Hint: Sometimes these terms need to be taken at face value.
Objective: Defining the types of system attacks
9. Which of the following is the best means to verify the integrity of a message?
A. The use of a digital signature
B. The enforcement of good password policy
C. Strong authentication methods for access control
D. The use of a hash algorithm
Hint: If you know integrity, and what it means, this is an easy one.
Objective: Identifying basic elements of information security
10. In which attack phase would an attacker set up and make use of a zombie machine?
A. Covering tracks
B. Gaining access
C. Maintaining access
D. Reconnaissance
Hint: Zombie systems sit and wait for your bidding.
Objective: The five stages of ethical hacking
11. Which of the following are considered passive reconnaissance? (Choose all that apply.)
A. Dumpster diving
B. Crawling financial sites associated with the target
C. Ping sweeping a network range found through a DNS lookup
D. Searching for competitive intelligence on the organization using an Internet search engine
Hint: Which action(s) put you at risk of discovery?
Objective: Defining classifications of hackers and terms associated with hacking
12. A client wants the pen test to best simulate an outside attacker who takes an interest in the organization. Which of the following best describes the test they want?
A. Gray box
B. Black box
C. Announced
D. Security assessment
Hint: This test is simulating an external attacker who has nothing to go on.
Objective: Defining classifications of hackers and terms associated with hacking
13. During which phase of an attack would vulnerability mapping occur?
A. Scanning and enumeration
B. Fingerprinting
C. Active reconnaissance
D. Pre-attack
Hint: First, make sure you’re considering the right set of steps—these are “attack” phases, not pen test phases.
Objective: The five stages of ethical hacking
14. Which attacks take advantage of built-in code and scripts that most off-the-shelf applications come with?
A. Bit-flipping
B. Cavity
C. Shrink wrap
D. Misconfiguration
Hint: Built-in code and scripts are already nicely packaged up for us, wouldn’t you say?
Objective: Defining the types of system attacks
15. Which of the following is a true statement regarding encryption?
A. Symmetric encryption scales easily and provides for nonrepudiation.
B. Symmetric encryption does not scale easily and does not provide for nonrepudiation.
C. Symmetric encryption is not suited for bulk encryption.
D. Symmetric encryption is slower than asymmetric encryption.
Hint: You’ll need to be able to read an SOA record.
Objective: Overview of cryptography and encryption techniques
16. What is the length of a DES encryption key?
A. 32 bits
B. 56 bits
C. 128 bits
D. 256 bits
Hint: You must know the key lengths for major algorithms.
Objective: Overview of MD5, SHA, RC4, RC5, and Blowfish algorithms
17. Which of the following best describes substitution?
A. Changing the order of bits
B. Replacing or changing bits
C. Replacing the algorithm
D. Man in the middle
Hint: This is exactly what it sounds like.
Objective: Overview of cryptography and encryption techniques
18. Which tool takes advantage of white space within files in order to hide messages?
A. Snow
B. GifIt
C. ImageHide
D. Cavity
Hint: White spaces, white spaces, white spaces
Objective: Describe steganography tools and techniques
19. Which trust model prescribes a CA at the top that creates and issues certificates that users rely on to trust each other with?
A. Single authority
B. Web of trust
C. Hierarchical trust
D. Standalone CA
Hint: Remember there are three valid trust models for PKI.
Objective: Understand public key infrastructure (PKI)
20. Two bits are set at 1 and 0, respectively, and are then run through an XOR operation. Which of the following will be the output?
A. 0
B. 1
C. Depends on the encryption algorithm used
D. None of the above
Hint: Think about the port number you’d use for a web server.
Objective: Overview of cryptography and encryption techniques
21. Which of the following is a true statement?
A. Jack can be sure a message came from Jill by using his public key to decrypt it.
B. Jack can be sure a message came from Jill by using his private key to decrypt it.
C. Jack can be sure a message is from Jill by using her private key to decrypt the digital signature.
D. Jack can be sure a message is from Jill by using her public key to decrypt the digital signature.
Hint: Usually this key isn’t used this way.
Objective: Method and application of digital signature technology
22. Which is the best choice for fast, strong, bulk encryption?
A. MD5
B. RSA
C. AES
D. ECC
Hint: Symmetric vs. asymmetric
Objective: Identify encryption algorithms
23. Which of the following provides for the distribution of public keys in an orderly, controlled fashion, so the users can be sure of the sender’s identity?
A. Encryption algorithm
B. Hash value
C. Digital certificate
D. Private key
E. Digital signature
Hint: You just have to remember what happens within the PKI system and which of these applies.
Objective: Understand public key infrastructure (PKI)
24. When two or more plaintext entries are found to produce the same fixed-value result, what has occurred?
A. Collision
B. Replay attack
C. Compromise
D. Chosen plaintext
Hint: How does a modem work?
Objective: Understand hashing algorithms
25. What is the standard format for a digital certificate?
A. X.25
B. XOR
C. X.500
D. X.509
Hint: Think about the packets having to be routed to the same destination
Objective: Understand public key infrastructure (PKI)
26. Which of the following best describes the session key creation during the setup of an SSL session?
A. The server creates the key after verifying the client’s identity.
B. The server creates the key immediately upon client connection.
C. The client creates the key using the server’s public key.
D. The client creates the key after verifying the server’s identity.
Hint: There are six steps in the SSL process—know them and this is a piece of cake.
Objective: Describe SSL (Secure Sockets Layer)
27. Which hash algorithm was developed by the NSA and produces output values up to 512 bits?
A. MD5
B. SHA-1
C. SHA-2
D. SSL
Hint: You simply must memorize the basics of each algorithm.
Objective: Understand encryption algorithms
28. If you are using pure symmetric encryption with seven clients, how many keys are required?
A. 28
B. 21
C. 14
D. 7
E. 49
Hint: There is an easy formula for calculating this; remember, each person will need a key for every other person.
Objective: Overview of cryptography and encryption techniques
29. Which regional registry would be the best option to begin looking for information on a website ending with .com?
A. AfriNIC
B. LACNIC
C. ARIN
D. RIPE NCC
Hint: The extension is very recognizable here.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Understanding the use of whois, ARIN, and nslookup
30. Which of the following are tools used in footprinting? (Choose all that apply.)
A. NeoTrace
B. Nmap
C. Netcat
D. Dig
E. Google
F. Nslookup
Hint: SSID and security?
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Identify wireless network architecture and terminology
31. Which of the following are good choices in footprinting using e-mail? (Choose all that apply.)
A. BlackWidow
B. eMailTrackerPro
C. Whois
D. Mailtracking
E. SMTP_Util
Hint: COTS applications, but referenced within EC Council’s guides.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Describing information gathering methodology
32. What command syntax should be used in dig to discover all name servers listed by DNS server 177.15.22.174 in the anybiz.com namespace?
Hint: Dig syntax will be referenced somewhere on the exam.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Describing information gathering methodology
33. Examine the following command-line entry:
nslookup
> server 135.16.205.22
> set type = any
> ls -d AnyBiz.com
What is the attacker attempting?
A. DNS route poisoning
B. Planting a Linux rootkit
C. DNS zone transfer
D. DNS cache poisoning
Hint: Nslookup syntax is fairly easy, and you should already know what the tool is used for.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Describing information gathering methodology
34. Examine the SOA record:
@ IN SOA RTDNSRV1.anybiz.com. postmaster.anybiz.com. (
200408097 ; serial number
3600 ; refresh [1h]
600 ; retry [10m]
86400 ; expire [1d]
7200 ; min TTL [2h] )
If a zone transfer fails, how long will the secondary server wait before attempting another one?
A. One hour
B. Ten minutes
C. One day
D. Two hours
Hint: SOA records include TTL, retry, refresh, and expire information for secondary servers. You just have to know what each of them means.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Learn different types of DNS records
35. Which of the following record types may appear in a zone file? (Choose all that apply.)
A. MX
B. SOA
C. DNS
D. AX
E. SRV
F. SA
G. PTR
Hint: A zone file is a copy of all records from the server, so any valid DNS record types may appear.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Learn different types of DNS records
36. You start traceroute from your system to a remote machine. Which of the following is true regarding your attempt?
A. The first ICMP packet leaving your machine has a hop count of 0.
B. The first ICMP packet leaving your machine has a hop count of 1.
C. The first ICMP packet leaving your machine has an unlimited hop count.
D. The first ICMP packet leaving your machine carries a hello packet in the payload.
Hint: Traceroute stops at each hop along the way to gather information and bring it back.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Understand how traceroute is used in footprinting
37. A user accesses the company website www.somebiz.com from his home computer and is presented with a defaced site containing disturbing images. He calls the IT department to report the website hack and is told they do not see any problem with the site—no files have been changed and when accessed from their terminals (inside the company) the site appears normally. The user connects over VPN into the company website and notices the site appears normally. Which of the following might explain the issue?
A. Web poisoning
B. SQL injection
C. ARP poisoning
D. DNS poisoning
Hint: When the user is at home and types the URL, how does his system gather the IP address to the site in order to pass the request on?
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Learn the areas and information that hackers seek
38. When will a secondary server within a namespace ask for a zone transfer from the primary?
A. Once every hour
B. Only when the secondary reboots
C. Only when manually prompted to do so
D. When its serial number is lower than the primary’s
E. When its serial number is higher than the primary’s
Hint: Secondaries must keep an up-to-date copy of the zone; otherwise, DNS fails internally by sending false information.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Understand DNS enumeration
39. Which of the following are examples of passive footprinting? (Choose all that apply.)
A. Crawling the company website
B. Checking job sites for IT listings from the target
C. Calling the reception desk to inquire about employees
D. Sending DNS requests to discover target systems
Hint: Passive versus active comes down to two things: what you are connecting to and what the chances are you’re going to be caught in the act.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Understand competitive intelligence and its need
40. What does the Google hack “intitle:login” attempt to accomplish?
A. Display all login file types.
B. Display all pages with “login” in the title of the page.
C. Display all pages with “login” in the URL.
D. None of the above.
Hint: Google hack operators generally do exactly what they say.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Understand Google hacking and its tools
41. Which Google operator will display pages for a specific website or domain holding the search term?
A. inurl:<string>
B. intitle:<string>
C. related:<webpagename>
D. site:<domain string>
Hint: Once again, don’t read too much into a Google hack.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Understand Google hacking and its tools
42. An attacker enters the following into a Google search window: cache:www.anybiz.com. What will this result in?
A. The result will display Google’s cache version of the website.
B. The result will provide a copy of the website for download to your machine.
C. The result will provide display cached visitor lists for the website.
D. None of the above. The syntax is incorrect.
Hint: Google hacks are straightforward.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Understand Google hacking and its tools
43. Which port is used for DNS zone transfers?
A. 161
B. 22
C. 53 UDP
D. 53 TCP
Hint: Port number knowledge is essential.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Understand DNS enumeration
44. Which DNS record type indicates the organization’s dedicated DNS servers, used to answer DNS lookup requests from clients?
A. PTR
B. SOA
C. MX
D. NS
Hint: Memorize the DNS record types.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Describe DNS record types
45. You are footprinting information on an organization located in Brazil. Which regional Internet registry would you go to for information?
A. APNIC
B. LACNIC
C. ARIN
D. RIPE NCC
Hint: The registries tell you where they are located.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Understanding the use of whois, ARIN, and nslookup
46. What are the four regional Internet registries?
A. APNIC, PICNIC, ARIN, LACNIC
B. RIPE NCC, NANIC, ARIN, APNIC
C. RIPE NCC, ARIN, APNIC, LATNIC
D. RIPE NCC, LACNIC, ARIN, APNIC
Hint: Basic memorization is all that’s required here.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Understanding the use of whois, ARIN, and nslookup
47. You have an FTP service and an HTTP site on a single server. Which DNS record allows you to alias both services to the same record (IP address)?
A. NS
B. SOA
C. CNAME
D. PTR
Hint: You’re trying to get a name for two services at one location, so something has to be aliased.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Understand DNS record types
48. Which footprinting tool or technique can be used to find names and addresses of employees or technical points of contact?
A. Whois
B. Nslookup
C. Dig
D. Traceroute
Hint: An RID is part of an SID and identifies user accounts.
Reference: Chapter 3: Reconnaissance: Information Gathering for the Ethical Hacker
Objective: Gain knowledge on information-gathering tools and methodology
49. What does no response on a port during a null scan indicate?
A. The port is open.
B. The port is closed.
C. The scan has failed to reach the target.
D. None of the above.
Hint: Port responses on scans are pure memorization.
Reference: Chapter 4: Scanning and Enumeration
Objective: Understand the scan types, such as ping sweep, SYN, Stealth, XMAS, NULL, IDLE, FIN, ICMP Echo, List, TCP Connect, Full Open, and UDP
50. What does no response from a port during a FIN scan indicate?
A. The port is open.
B. The port is closed.
C. The scan has failed to reach the target.
D. None of the above.
Hint: A FIN scan sends a FIN packet to each port.
Reference: Chapter 4: Scanning and Enumeration
Objective: Understand the scan types, such as ping sweep, SYN, Stealth, XMAS, NULL, IDLE, FIN, ICMP Echo, List, TCP Connect, Full Open, and UDP
51. Which of the following best describes a null user?
A. In Windows, a pseudo account with no username or password
B. In Windows, a pseudo account manually created for administrative purposes
C. In Windows, a suspended account
D. In Windows, a locked account
Hint: The establishment steps for a null session may be helpful.
Reference: Chapter 4: Scanning and Enumeration
Objective: Understand port-scanning methods
52. What does ICMP Type 11, Code 0 indicate?
A. Redirect
B. Time exceeded
C. ECHO request
D. ECHO return
Hint: You must know the ICMP message types and codes.
Reference: Chapter 4: Scanning and Enumeration
Objective: Understand ICMP messaging
53. What is the MAC address in broadcast frames?
A. AA:AA:AA:AA:AA:AA
B. 11:11:11:11:11:11
C. FF:FF:FF:FF:FF:FF
D. 99:99:99:99:99:99
Hint: Turn everything on to scream at everyone.
Reference: Chapter 4: Scanning and Enumeration
Objective: Understand network communication
54. Which of the following nmap scans would be the least detectable?
A. nmap -sF -P0 -O <ip address>
B. nmap -sF -PT -PI -O <ip address>
C. nmap -sO -PT -O -C5 <ip address>
D. nmap -sS -PT -PI -O -T1 <ip address>
Hint: Flags in nmap syntax tell the story.
Reference: Chapter 4: Scanning and Enumeration
Objective: Describe the use of various scanning and enumeration tools
55. Which of the following are true statements regarding SNMPv2? (Choose all that apply.)
A. SNMP uses TCP for transport.
B. SNMP uses UDP for transport.
C. SNMP is susceptible to sniffing.
D. SNMP is not susceptible to sniffing.
E. SNMP sends community strings in plaintext.
F. SNMP encrypts community strings.
Hint: SNMP is a great tool, but is easily hacked.
Reference: Chapter 4: Scanning and Enumeration
Objective: Understand TCP communication
56. You are scanning a network subnet with nmap and want the most reliable results possible, regardless of stealth or speed concerns. Which scan type should you choose?
A. XMAS
B. Stealth
C. Connect
D. T5
Hint: Usually the most reliable results will come from a polite, complete connection attempt.
Reference: Chapter 4: Scanning and Enumeration
Objective: Understand the scan types, such as ping sweep, SYN, Stealth, XMAS, NULL, IDLE, FIN, ICMP Echo, List, TCP Connect, Full Open, and UDP
57. What does the following command attempt to accomplish?
root@mybox: # hping3 -A 192.168.2.x -p 80
A. An ACK scan using hping3 on port 80 for a single address
B. An ACK scan using hping3 on port 80 for a group of addresses
C. Address validation using hping3 on port 80 for a single address
D. Address validation using hping3 on port 80 for a group of addresses
Hint: Hping syntax will be tested, so learn it well.
Reference: Chapter 4: Trojans and Other Attacks
Objective: Understand scanning tools
58. Which tool would be a good choice in banner grabbing?
A. Nslookup
B. Traceroute
C. AngryIP
D. Telnet
E. Silica
Hint: Banners are easy to grab—they’re supposed to be there.
Reference: Chapter 4: Scanning and Enumeration
Objective: Describe OS fingerprinting through banner grabbing
59. What can be assumed when a response from a port on an XMAS scan is RST/ACK?
A. The port is open.
B. The port is closed.
C. The port is listening.
D. None of the above.
Hint: Port scan responses are crucial to this exam—you just have to memorize them.
Reference: Chapter 4: Scanning and Enumeration
Objective: Understand scanning tools
60. You run a null scan against two active machines. Machine A returns RST/ACK on some ports, and no response from others. Machine B returns no response for any port. Which of the following statements are true? (Choose all that apply.)
A. Ports on machine A returning RST/ACK are open.
B. Ports on machine A with no response are open.
C. Machine B is most likely a Unix/Linux system.
D. Machine B is most likely a Windows system.
Hint: Null scans don’t work against one type of OS.
Reference: Chapter 4: Scanning and Enumeration
Objective: Describe scan types, such as ping sweep, SYN, Stealth, XMAS, and NULL
61. A standard ping sweep using ICMP over TCP attempts to identify live hosts on the network. Which of the following provides an explanation for no response from a ping request?
A. The hosts might be turned off or disconnected.
B. ICMP is being filtered.
C. TTL value is too low.
D. The destination network might be down.
E. All of the above.
Hint: A ping request asks a host to return a packet or two to signify it’s alive.
Reference: Chapter 4: Scanning and Enumeration
Objective: Understand TCP communication
62. Which of the following best describes the ToneLoc tool?
A. It is a password cracker.
B. It is used for sniffing traffic.
C. It is a wireless discovery tool.
D. It is a war-dialing tool.
Hint: As far as tool knowledge questions go, the tone of this one should give it away.
Reference: Chapter 4: Scanning and Enumeration
Objective: Gain knowledge on war-dialing techniques
63. An ACK scan from an external location produces responses from machines inside the target network. Which of the following best describes the circumstances?
A. The IDS is not functioning for the DMZ subnet.
B. The systems are Unix machines.
C. The systems are Windows based.
D. The external firewall is not performing stateful inspection.
Hint: If you know the three-step handshake, this one is easy.
Objective: Understand firewall types, use, and placement
64. A pen tester connects a laptop to a switch port and enables promiscuous mode on the NIC. He then turns on Wireshark and leaves for the day, hoping to catch interesting traffic over the next few hours. Which of the following is true regarding this scenario? (Choose all that apply.)
A. The packet capture will provide the MAC addresses of other machines connected to the switch.
B. The packet capture will only provide the MAC addresses of the laptop and the default gateway.
C. The packet capture will display all traffic intended for the laptop.
D. The packet capture will display all traffic intended for the default gateway.
Hint: Switches behave differently than hubs.
Objective: Understand sniffing and protocols vulnerable to it
65. You receive an alert from an IDS on a spike in network traffic. Which type of IDS is in place?
A. Stateful
B. Signature based
C. Anomaly based
D. Packet filtering
Hint: Identifying an IDS type comes down to what it looks at.
Objective: Understand intrusion detection systems (IDS)
A. Driving around looking for wireless access points.
B. Walking around looking for wireless access points.
C. Scanning to map the location of all firewalls in the network.
D. A technique to discern the rules configured on a firewall.
Hint: This has nothing to do with hot coals, Hawaiian music, and daredevils.
Objective: Describe firewall-hacking tools and techniques
67. Which Wireshark filter is the best choice for examining all three-way handshakes originating from 202.99.58.3?
A. ip == 202.99.58.3 and tcp.syn
B. ip.addr = 202.99.58.3 and syn = 1
C. ip.addr==202.99.58.3 and tcp.flags.syn
D. ip.equals 202.99.58.3 and syn.equals on
Hint: Wireshark uses double equals signs.
Objective: Know various sniffing tools
68. In what modes can Snort operate? (Choose all that apply.)
A. IDS
B. Packet sniffer
C. Packet analyzer
D. Packet logger
Hint: Snort operates in one of three modes.
Objective: Understand intrusion detection system types, uses, and placement
69. All communication between two subnets is encrypted via SSL. The security staff is concerned about possible nefarious activity and places an IDS between the two segments. Which of the following is most correct, given the circumstances?
A. The IDS is blind to SSL traffic.
B. SSL generates too many false negatives for IDS to be effective.
C. SSL generates too many false positives for IDS to be effective.
D. The IDS breaks SSL communication and will prevent traffic flow.
Hint: IDS systems are passive and only watch what they see.
Objective: Understand intrusion detection system types, uses, and placement
70. A client you are advising is concerned about intrusion detection. They don’t want a system that simply matches predefined patterns in packets. Rather, they desire a system that dynamically learns traffic patterns over time and develops alerts on abnormal traffic. Which IDS would you recommend?
A. Anomaly based
B. Traffic based
C. Signature based
D. Pattern based
Hint: This IDS takes a while to learn what is normal and what is not.
Objective: Understand intrusion detection system types, uses, and placement
71. Within a full Wireshark capture file, you want to filter traffic to show packets with an IP address of 202.32.5.88 that contain the string “admin.” Which of the following filters would accomplish this task?
A. ip.addr==64.83.15.18 202.32.5.88 && tcp contains HR_admin
B. ip.addr 202.32.5.88 64.83.15.18 && “HR_admin”
C. ip.addr 202.32.5.88 64.83.15.18 && tcp string ==HR_admin
D. ip.addr==202.32.5.88 64.83.15.18 + tcp contains tide
Hint: When you combine filters in one search, use the && designator.
Objective: Know various sniffing tools
72. Which of the following protocols are considered susceptible to sniffing? (Choose all that apply.)
A. FTP
B. IMAP
C. Telnet
D. POP
E. SMTP
F. SSH
Hint: Some protocols transfer data in cleartext.
Objective: Understand sniffing and protocols vulnerable to it
73. Within the confines of the lawful intercept, what is defined by EC Council as a third-party provision accomplishing most of the processing of the information?
A. IAP
B. Collection function
C. Wiretap
D. Mediation device
Hint: EC Council defines several terms and options as a part of a lawful intercept, and you’ll have to memorize them.
Objective: Identify sniffing detection and defensive techniques
74. A pen tester sends broadcast messages to Host A showing the pen tester’s MAC address as belonging to Host B. Simultaneously, he also sends messages to Host B showing the same MAC address as belonging to Host A. What is being accomplished here?
A. ARP poisoning, allowing all messages from both sides to be seen by the tester without interrupting their communications process
B. ARP poisoning, allowing the tester to see all messages sent between Host A and Host B
C. ARP poisoning, allowing the tester to see all messages from Host A destined to any address
D. ARP poisoning, allowing the tester to see all messages from Host B destined to any address
Hint: MAC addresses are used inside your subnet for frame delivery.
Objective: Understand ARP poisoning
75. What does the following Snort rule accomplish?
alert tcp any any -> any 23 (msg:"Telnet Connection Attempt";)
A. The rule logs any Telnet attempt over port 23 to any internal client.
B. The rule logs any Telnet attempt over port 23 leaving the internal network.
C. The rule alerts the monitor of any Telnet attempt to an internal client.
D. The rule alerts the monitor of any Telnet attempt leaving the internal network.
Hint: If you follow the rule from start to finish, this one should be easy.
Objective: Describe signature analysis within Snort
76. If you are attempting to install and use a network sniffer, such as Wireshark, on a Windows machine, which of the following is required to be installed first?
A. LibPcap
B. WinPcap
C. Promiscuous mode
D. Sniffing mode
Hint: NICs usually only bring in traffic addressed for them.
Objective: Identify sniffing detection and defensive techniques
77. Which of the following nmap syntax entries is in the correct format and would be the least detectable?
A. nmap -sF -P0 -O <ip address>
B. nmap -sF -PT -PI -O <ip address>
C. nmap -sO -PT -O -C5 <ip address>
D. nmap -sS -PT -PI -O -T1 <ip address>
Hint: Nmap syntax is very important. Pay attention to the switches.
Objective: Describe the use of various scanning and enumeration tools
78. Snort can perform as an:
A. IDS, sniffer, and proxy
B. IDS, firewall, and sniffer
C. IDS, packet logger, and sniffer
D. IDS, sniffer, and forensic packet analyzer
Hint: Think about what Snort does and where it sits.
Objective: Understand intrusion detection system types, uses, and placement
79. What file-hiding technique is found in NTFS-formatted disks?
A. ADS
B. NetBIOS
C. EFS
D. Steganography
Hint: This provides the ability to fork file data into other existing files without affecting functionality or size.
Objective: Describe file-hiding methods, alternate data streams, and evidence erasure
80. Which type of keylogger is most likely undetectable by antivirus software?
A. Polymorphic
B. Heuristic
C. Hardware
D. Software
Hint: AV software checks system files based on a signature file.
Objective: Identify keylogger types
81. How many bits does Syskey use for encryption?
A. 40
B. 64
C. 128
D. 256
Hint: Simple memorization is required for this one.
Objective: Understand Windows architecture
82. Which of the following tools would be a good choice to clear Windows logs after an attack?
A. Cain
B. Elsave
C. Auditpol
D. Pwdump
Hint: Check the tool listings for evasion and hiding evidence.
Objective: Describe file-hiding methods, alternate data streams, and evidence erasure
83. The result of a user2sid \\202.15.6.33 3 "domain users" command reveals SIDs. A sid2user \\201.15.6.33 5 21 334913988 132044091 500 command is then run, and the result displays a name of Joe and Domain of NETHER. Which of the following is true?
A. The NETHER account is the true administrator account.
B. The Joe account is the true administrator account.
C. The administrator account has been disabled.
D. The Joe account is not an administrator on the machine.
Hint: An RID is part of an SID and identifies user accounts.
Objective: Understand Windows architecture
84. Which of the following is true regarding LM hashes?
A. If the left side of the hash begins with 1404EE, the password is less than eight characters.
B. If the right side of the hash ends with 1404EE, the password is less than eight characters.
C. There is no way to tell if passwords are less than eight characters, because hashes are not reversible.
D. There is no way to tell if passwords are less than eight characters, because each hash is always 32 characters long.
Hint: LM hashing splits into two sections before hashing.
Objective: Understand Microsoft Authentication mechanisms
85. Which of the following is the best choice for quickly cracking a password hash?
A. Use a rainbow table.
B. Reverse the hash algorithm.
C. Use User2SID.
D. Use SID2User.
E. Use John the Ripper.
Hint: All password cracking takes time—this method makes use of someone else’s work, though.
Objective: Identify the different types of password attacks
86. Which scan or attack produces output similar to the output listed here?
….
system.sysUpTime.0 : Timesticks: (136589017) 13 days, 14:47:30
system.sysContact.0 : DISPLAY STRING- (ascii) :
system.sysName.0 : DISPLAY STRING- (ascii): Router1
system.sysLocation.0 : DISPLAY STRING- (ascii) :
…
A. SNMP Walk
B. Hping session hijacking
C. SID2User
D. MIP Walk
Hint: Pay attention to the code listing. It appears to be asking questions about the device itself—one question at a time.
Objective: Understand system enumeration
87. Which of the following is considered the most secure password?
A. Ireallyhateshortpasswords
B. Apassword123
C. CEHPassw)rd
D. Ap@ssw0rd123
Hint: Go with what EC Council says, not with reality or your opinion.
Objective: Understand the different types of passwords
88. Which of the following are required for compiling and installing most Linux applications? (Choose all that apply.)
A. ./gcc
B. ./configure
C. make
D. make install
E. install
Hint: Compiling Linux applications usually requires three steps.
Objective: Describe how to install, configure, and compile a Linux kernel, kernel patches, and LKM modules
89. In a Linux system, the following command is entered: chmod 464 file1. What does this command accomplish?
A. Sets file1 permissions to: -w-rw--w-.
B. Sets file1 permissions to: --xrw---x.
C. Sets file1 permissions to: rwxr--rwx.
D. Sets file1 permissions to: r--rw-r--.
Hint: Linux uses binary to represent file permissions (read, write, and execute).
Objective: Understand basic Linux file structure, directories, and commands
90. Which of the following are components of a Kerberos system? (Choose all that apply.)
A. KDC
B. AS
C. PKI
D. TGS
E. TGT
F. ADS
G. EFS
Hint: You won’t need detailed information about Kerberos to pass this exam, but you should be able to pick out which acronyms don’t belong in the system.
Objective: Understand Microsoft Authentication mechanism
Q91: Location Is Everything
91. You are attempting an attack on a Windows XP machine. Where would you find the SAM file?
A. /etc/passwd
B. /etc/shadow
C. c:\windows\system32\config
D. c:\winnt\config
Hint: Whereas two of these are easy to throw out (or should be), the remaining two come down to your knowledge of Windows system folder structure.
Objective: Understand Microsoft Authentication mechanisms
92. A pen-test team member pulls a list of popular passwords and begins randomly attempting them against network resources. What kind of attack is in progress?
A. Active online
B. Passive online
C. Offline
D. Non-electronic
Hint: This is pure CEH definition time, and has to do with what is being touched and what isn’t.
Objective: Understand the different types of passwords, password attacks, and password-cracking techniques
93. What does the following command attempt to accomplish?
net use \\200.221.34.89\IPC$ "" /u:""
A. Create a listening port on 200.221.34.89
B. A denial-of-service attack on 200.221.34.89
C. Establish a null session for 200.221.34.89
D. Establish a share on a Linux machine
Hint: This is a basic question: You should have this command syntax already memorized.
Objective: Understand Microsoft Authentication mechanisms
Q94: Physical Security Measures
94. Which of the following represent measures taken to ensure physical security? (Choose all that apply.)
A. Technical
B. Computer based
C. Physical
D. Human based
E. Operational
F. Policy based
Hint: There are three categories of measures taken to implement physical security.
Reference: Chapter 7: Social Engineering and Physical Security
Objective: Describe physical security measures
95. Which of the following represents the highest risk to an organization?
A. Government-sponsored hackers
B. Social engineering
C. Disgruntled employee
D. Script kiddies
Hint: Every organization has these, at some point.
Reference: Chapter 7: Social Engineering and Physical Security
Objective: Understand security threats and risks
Q96: Physical security terms
96. Which of the following are true regarding the security concerns of environment and equipment maintenance? (Choose all that apply.)
A. The higher the MTBF, the better.
B. The lower the MTBF, the better.
C. The higher the MTTR, the better.
D. The lower the MTTR, the better.
Hint: Mean time between failure and mean time to repair are definitely considerations for an organization and its equipment maintenance planning.
Reference: Chapter 7: Social Engineering and Physical Security
Objective: Describe physical security measures
97. Jack uses a PIV card to log into his machine every morning. He inserts the card, types in his PIN, and is granted access to the OS. Which of the following is true regarding Jack’s authentication measures?
A. Jack is using single-factor authentication.
B. Jack is using dual-factor authentication.
C. Jack is using multifactor authentication.
D. None of the above.
Hint: Single means one, dual means two, and multi means more.
Reference: Chapter 7: Social Engineering and Physical Security
Objective: Understand authentication measures
Q98: Transmission Channels
98. Which of the following describes a transmission channel that is being used in a manner in which it was not intended?
A. Hidden channel
B. Covert channel
C. Overt channel
D. Wrappers
Hint: A pure definition term that sounds like something out of a Bond movie.
Objective: Describe file-hiding techniques
99. In the Search box of a web application, an attacker inserts <script>alert('It Worked!')</script>. After entering this, the attacker clicks the Search button, and a pop-up appears stating “It Worked!” Which attack took place?
A. SQL injection
B. XSS
C. Buffer overflow
D. Directory traversal
Hint: There’s a dead giveaway between the brackets.
Reference: Chapter 8: Web-Based Hacking: Servers and Applications
Objective: Describe web server and web application attacks
100. Which of the following represents knowledge given to a pen-test team prior to a black box test?
A. Internal network mapping and diagrams
B. IP address range(s)
C. Operating systems and patch levels
D. Organization’s name
Hint: Boxes are boxes, but I wonder what you can see from a black one?
Reference: Chapter 11: The Pen Test: Putting It All Together
Objective: Understand basic terminology about penetration testing
101. An attacker has successfully grabbed copies of an organization’s password policies. Through additional means, the attacker also understands the user naming convention within the organization is last name, followed by first name and middle initials. Which of the following tests would be the best choice for the quickest results?
A. Brute force
B. Dictionary
C. Encryption
D. Hybrid
Hint: Sometimes two are better than one.
Objective: Understand password attacks
Q102: Reverse Social Engineering Steps
102. What are the three steps in reverse social engineering?
A. Technical support, marketing, sabotage
B. Sabotage, marketing, technical support
C. Marketing, technical support, sabotage
D. Marketing, sabotage, technical support
Hint: In this attack, you want to get the user to call you.
Reference: Chapter 7: Social Engineering and Physical Security
Q103: Vulnerability Scanning
103. Which tool has a database containing thousands of signatures used to detect hundreds of vulnerabilities in multiple operating systems?
A. Nmap
B. Nessus
C. Hping
D. Netcat
Hint: This would be a vulnerability assessment tool.
Reference: Chapter 11: The Pen Test: Putting It All Together
Objective: Describe vulnerability assessments
Q104: Social Engineering Attacks
104. Which type of social engineering attack uses phishing, pop-ups, and IRC channel?
A. Human based
B. Computer based
C. Technical
D. Physical
Hint: There are two types of social engineering, and they’re blatant.
Reference: Chapter 7: Social Engineering and Physical Security
Objective: Describe the different types of social-engineering attacks
105. An attacker drives around the organization’s campus with a high gain antenna attached to a laptop searching for open wireless network hotspots. What attack is she performing?
A. War chalking
B. War driving
C. War stalking
D. War sighting
Hint: Sometimes wireless hacking is really just this easy.
Reference: Chapter 9: Wireless Network Hacking
Objective: Identify wireless hacking methods and tools
106. Which of the following defines the percentage of time a biometric authentication system incorrectly identifies an unauthorized user and grants them access?
A. False acceptance rate (FAR)
B. False rejection rate (FRR)
C. Crossover error rate (CER)
D. None of the above
Hint: The system is identifying an unknown person as a known entity, allowing them access.
Reference: Chapter 7: Social Engineering and Physical Security
Objective: Describe physical security measures
Q107: Wireless Architecture
107. Which of the following are true regarding wireless security? (Choose all that apply.)
A. WPA-2 is the best available encryption security for the system.
B. WEP is the best encryption security for the system.
C. Regardless of encryption, turning off SSID broadcast protects the system.
D. SSIDs do not provide any effective security measures for a wireless network.
Hint: Knowing the wireless encryption standards is the key here.
Reference: Chapter 9: Wireless Network Hacking
Objective: Identify wireless network types and forms of authentication
108. A user receives an e-mail that appears to be from an online shopping site. A link inside the e-mail is provided to allow the user to log into the site again, to view current orders and shipments. The user entered authentication information; however, the site presented a “failed to load” error. Which attack did the user fall victim to?
A. Impersonation
B. Phishing
C. SQL injection
D. None of the above
Hint: This is a special attack using e-mail.
Reference: Chapter 7: Social Engineering and Physical Security
Objective: Describe the different types of social engineering attacks
109. Which social engineering attack is in use when a pen tester stands just outside a cubicle wall opening and watches the onscreen activity of a user?
A. Eavesdropping
B. Tailgating
C. Shoulder surfing
D. Piggybacking
Hint: This is an old term that’s not always associated with pen testing or “hacking.”
Reference: Chapter 7: Social Engineering and Physical Security
Objective: Describe the different types of social engineering attacks
110. The entry to a facility requires personnel to enter through a one-way door, which closes behind, sealing them in an interior room. The person must then validate their identity using a smart card and a password to open the door to the inside. What is this physical security measure known as?
A. Turnstile
B. Piggyback
C. Impersonation
D. Mantrap
Hint: Physical security methods
Reference: Chapter 7: Social Engineering and Physical Security
Objective: Describe physical security measures
111. You are attempting attacks on a machine verified to be running SMTP services and Telnet. You attempt to telnet to a system on port 25 and receive no response. You then attempt to telnet to port 23 and again, get a blank screen in response. What is the most likely explanation?
A. Telnet and SMTP have crashed due to the Telnet request.
B. The target is a honeypot.
C. The target has been unknowingly affected with malware.
D. The target’s services are protected by TCP wrappers.
Hint: Assuming some sort of gray box test, and that you can be 100-percent sure it is running the services mentioned, one of these answers is the only one that makes sense.
Reference: Chapter 8: Web-Based Hacking: Servers and Applications
Objective: Understand covert channels
112. An attacker calls the help desk and asks for a password reset on a user ID he has obtained information on. Which type of social engineering attack is this?
A. Impersonation
B. Technical support
C. Spoofing
D. Reverse engineering
Hint: Sometimes the blatantly obvious answer causes you to pause, but don’t worry about that on this one.
Reference: Chapter 7: Social Engineering and Physical Security
Objective: Describe the different types of social engineering attacks
113. What is considered the best defense against social engineering?
A. User education and training
B. Strong security policy and procedure
C. Clear operational guidelines
D. Proper classification of information and individuals’ access to that information
Hint: Social engineering requires little-to-no technical skill and relies on the targets being susceptible.
Reference: Chapter 7: Social Engineering and Physical Security
Objective: Identify social engineering countermeasures
114. Which of the following may be effective countermeasures against an inside attacker?
A. Enforce elevated privilege control.
B. Secure all dumpsters and shred collection boxes.
C. Enforce good physical security practice and policy.
D. Perform background checks on all employees.
E. All of the above.
F. None of the above.
Hint: There’s no foolproof method to prevent damage from an insider, but there are steps you can take.
Reference: Chapter 11: The Pen Test: Putting It All Together
Objective: Describe penetration testing, security assessments, and risk management
115. The purchase prices of items listed for sale on an organization’s website appear to have been altered to be much lower, based on a review of sales over the past month. Site administrators verify that the server and SQL database do not appear to have been compromised directly. What is the most likely method used by the attacker to modify prices?
A. SQL tampering
B. Cross-site scripting
C. Changing hidden form values from a downloaded page and submitting them back to the website
D. Directory traversal
Hint: This is very easy, and very prevalent.
Reference: Chapter 8: Web-Based Hacking: Servers and Applications
Objective: Identify web server and application vulnerabilities
116. The price of an item for sale on a website is listed at $150. The sales receipt shows an order paying only $15. Which attack may be inferred from the following URL?
A. A parameter-manipulation attack attempt
B. A cross-site scripting attack attempt
C. A SQL injection attempt
D. A directory traversal attempt
Hint: The syntax of the URL can usually provide the answer—in this case, it’s quite literally right in front of you.
Reference: Chapter 8: Web-Based Hacking: Servers and Applications
Objective: Describe web server and web application attacks
Which attack was used?
A. An offline attack attempt
B. A cross-site scripting attack attempt
C. A SQL injection attempt
D. A directory traversal attempt
Hint: Pay attention to the URL syntax. The answer is easy to see.
Reference: Chapter 8: Web-Based Hacking: Servers and Applications
Objective: Describe web server and web application attacks
118. An employee’s cell phone begins receiving unsolicited messages. Which Bluetooth attack is being exploited?
A. BlueSmacking
B. Bluejacking
C. BlueSniffing
D. BlueScarfing
Hint: Know the “Blue” attacks.
Reference: Chapter 9: Wireless Network Hacking
Objective: Define Bluetooth hacking methods
119. A senior pen-test member explains that the fgets() and gets() calls in the source code of a network application do not check input bounds. What kind of attack would this software potentially be susceptible to?
A. DoS
B. Active online
C. Hybrid
D. Buffer overflow
Hint: Bounds define stopping points for input.
Reference: Chapter 8: Web-Based Hacking: Servers and Applications
Objective: Identify web server and application vulnerabilities
120. Which Bluetooth attack is used in an attempt to steal data from the device?
A. BlueSmacking
B. Bluejacking
C. BlueSniffing
D. BlueScarfing
Hint: The “Blue” attacks are fairly straightforward.
Reference: Chapter 9: Wireless Network Hacking
Objective: Define Bluetooth hacking methods
121. What OSI layer does SSL work in?
A. Layer 7
B. Layer 4
C. Layer 3
D. Layer 2
Hint: SSL is used across Internet links and is negotiated up front.
Reference: Chapter 8: Web-Based Hacking: Servers and Applications
Objective: Identify features of common web server architecture
122. Which of the following is a passive wireless discovery tool?
A. NetStumbler
B. Aircrack
C. Kismet
D. Netsniff
Hint: Tool knowledge is essential, and this tool doesn’t need to interject packets.
Reference: Chapter 9: Wireless Network Hacking
Objective: Identify wireless hacking methods and tools
123. There are many different types of viruses. Which type was the Melissa virus?
A. Macro
B. Named
C. Stealth
D. Multipartite
Hint: Melissa spread through Microsoft Excel spreadsheets, mostly.
Objective: Define common DoS attack types
124. Which port does BackOrifice use by default?
A. 666
B. 777
C. 31337
D. 31338
Hint: BackOrifice was elite during its day.
Objective: Identify common Trojan ports
125. Which of the following are session hijack tools? (Choose all that apply.)
A. Paros
B. Tini
C. Hunt
D. T-sight
Hint: Session hijacking is fairly complicated, but tools make it a lot easier.
Objective: Describe session hijacking and sequence prediction
126. What is considered the best option against session hijacking?
A. Use only nonroutable protocols.
B. Use unpredictable sequence numbers.
C. Use a file-verification application such as Tripwire.
D. Use good password policy.
Hint: The mitigation is as tough as the attack.
Objective: Describe session hijacking and sequence prediction
127. When is session hijacking carried out?
A. Before the three-step handshake
B. During the three-step handshake
C. After the three-step handshake
D. After a FIN packet
Hint: If you think about what session hijacking is and how it’s carried out, the answer is obvious.
Objective: Describe session hijacking and sequence prediction
128. In regard to Trojans, what is a wrapper?
A. The legitimate file the Trojan is attached to.
B. A program used to bind the Trojan to a legitimate file.
C. Encryption methods used for a Trojan.
D. Polymorphic code used to avoid detection by an antivirus program.
Hint: Something has to hide the Trojan.
Objective: Identify Trojan deployment methods
129. During a TCP data exchange, the client has offered a sequence number of 200, and the server has offered 700. During acknowledgements, the packet shows 201 and 701, respectively, as the agreed-upon sequence numbers. With a window size of 5, which sequence numbers would the server willingly accept as part of this session?
A. 202 through 204
B. 202 through 501
C. 202 through 502
D. Anything above 501
Hint: Remember sequence numbers follow in line and are predictable.
Objective: Describe session hijacking and sequence prediction
130. Which of the following is true regarding WEP cracking?
A. Initialization Vectors are small, get reused frequently, and are sent in cleartext.
B. Initialization Vectors are small, get reused frequently, but are encrypted during transmission.
C. Initialization Vectors are large, get reused frequently, and are sent in cleartext.
D. Initialization Vectors are large, get reused frequently, but are encrypted during transmission.
Hint: WEP knowledge is essential to this exam.
Reference: Chapter 9: Wireless Network Hacking
Objective: Describe WEP and WPA wireless encryption
131. Which of the following tools can be used for remote password cracking of web servers? (Choose all that apply.)
A. Brutus
B. Nikto
C. THC-Hydra
D. BlackWidow
Hint: These tools are designed for offline cracking purposes.
Reference: Chapter 8: Web-Based Hacking: Servers and Applications
Objective: Describe web server and web application attacks
132. What assessment against a network segment tests for existing vulnerabilities but does not attempt to exploit any of them?
A. Penetration test
B. Partial penetration test
C. Vulnerability assessment
D. Security scan
Hint: There are more security assessments than just a pen test.
Reference: Chapter 11: The Pen Test: Putting It All Together
Objective: Describe penetration testing, security assessments, and risk management
133. A friend of an employee illegally uses the employee’s credentials to gain access and then carries out an attack. Which of the following best defines the attacker?
A. Outside affiliate
B. Outside associate
C. Insider affiliate
D. Insider associate
Hint: Affiliates aren’t employees.
Reference: Chapter 11: The Pen Test: Putting It All Together
Objective: Describe penetration testing, security assessments, and risk management
134. Which character is the best choice to start a SQL injection attempt?
A. Colon
B. Semicolon
C. Double quote
D. Single quote
Hint: SQL injection can run through many commands, but this single character is the best test to see if everything is working in the first place.
Reference: Chapter 11: The Pen Test: Putting It All Together
Objective: Describe penetration testing, security assessments, and risk management
135. An organization has hired a pen-test team and provides a system on an internal subnet. No other previous knowledge of any pertinent information has been given. Which type of test will the team be performing?
A. Internal, white box
B. Internal, black box
C. External, white box
D. External, black box
Hint: Remember where this test is taking place and that it requires the team to put the most time and effort into it, given what they have to start with.
Reference: Chapter 11: The Pen Test: Putting It All Together
Objective: Describe penetration testing, security assessments, and risk management
136. What are the three phases of a pen test? (Choose all that apply.)
A. Pre-attack
B. Attack
C. Post-attack
D. Reconnaissance
E. Footprinting
F. Covering tracks
Hint: Pen-test steps are different from the five hacking steps.
Reference: Chapter 11: The Pen Test: Putting It All Together
Objective: Describe penetration testing, security assessments, and risk management
137. Scanning is performed in which phase of a pen test?
A. Pre-attack
B. Attack
C. Post-attack
D. Reconnaissance
Hint: There are only three phases in a pen test.
Reference: Chapter 11: The Pen Test: Putting It All Together
Objective: Describe penetration testing, security assessments, and risk management
138. This security assessment notifies the client of potential vulnerabilities but does not actually exploit them.
A. Vulnerability assessment
B. Scanning assessment
C. Penetration test
D. None of the above
Hint: Basically, there are two types of security assessments.
Reference: Chapter 11: The Pen Test: Putting It All Together
Objective: Describe penetration testing, security assessments, and risk management
139. An organization wishes to save on time and decides to go with an automated approach to pen testing. Which of the following tools provide pen-test-like results for organizations? (Choose two.)
A. Core Impact
B. Netcat
C. Cheops
D. CANVAS
E. Nmap
Hint: Know the tools and what they are used for.
Reference: Chapter 11: The Pen Test: Putting It All Together
Objective: Describe penetration testing, security assessments, and risk management
140. Which pen-test phase encompasses penetrating the perimeter and acquiring targets?
A. Pre-attack
B. Attack
C. Post-attack
D. None of the above
Hint: This one should be clear as day—it’s that obvious.
Reference: Chapter 11: The Pen Test: Putting It All Together
Objective: Describe penetration testing, security assessments, and risk management
141. What would you expect to find in a final report from a full penetration test? (Choose all that apply.)
A. Names of all the participants
B. A list of findings from the assessment(s)
C. An executive summary of the assessment(s)
D. A list of vulnerabilities that were patched by the team
Hint: The final report is a complete, conclusive wrap-up of all the events.
Reference: Chapter 11: The Pen Test: Putting It All Together
Objective: Describe penetration testing, security assessments, and risk management
142. Which of the following is the best choice for discovering potential vulnerabilities on a web server?
A. BlackWidow
B. Httrack
C. BurpSuite
D. Nessus
Hint: Knowledge of tools in every facet of pen testing is vital.
Reference: Chapter 8: Web-Based Hacking: Servers and Applications
Objective: Identify web server and application vulnerabilities
143. You are assaulting a web front end with a variety of tools and techniques. Using the cookie editor plug-in on an older version of Firefox, you find this inside a cookie from the site:
lang=en-us; ADMIN=no; y=1; time=13:27GMT
Based solely on the information provided, which of the following statements is most likely to be true?
A. The site is most likely vulnerable to SQL injection.
B. The site is not likely to be vulnerable to SQL injection.
C. The site is vulnerable to parameter tampering.
D. None of the above.
Hint: The details of the cookie provide all you need.
Reference: Chapter 8: Web-Based Hacking: Servers and Applications
Objective: Identify web server and application vulnerabilities
144. You are examining an ongoing attack against a subnet. An IP address in the subnet has been sending large amounts of ICMP packets containing the MAC address FF:FF:FF:FF:FF:FF. What attack is underway?
A. ICMP flood
B. Ping of death
C. SYN flood
D. Smurf
E. Fraggle
Hint: This attack may be an older one, but it’s still important to know.
Objective: Define common DoS attack types
145. While gathering information on a web target, you receive the following error message:
Microsoft OLE DB Provider for ODBC Drivers error '80040e08' [Microsoft]{OBDC SQL Server Driver}
Which of the following best describes the error message?
A. The site may be vulnerable to XSS.
B. The site may be vulnerable to buffer overflow.
C. The site may be vulnerable to SQL injection.
D. This site may be vulnerable to a malware injection.
Hint: Every once in a while the answer is really this obvious.
Reference: Chapter 8: Web Based Hacking: Servers and Applications
Objective: Identify web server and application vulnerabilities
146. Which of the following are true regarding a pen test? (Choose all that apply.)
A. Pen tests do not include social engineering.
B. Pen tests may include unannounced attacks against the network.
C. During a pen test, the security professionals can carry out any attack they choose.
D. Pen tests always have a scope.
E. The client is not notified of the vulnerabilities the team chooses to exploit.
Hint: Pen tests are carried out by ethical hackers, following a specific agreement with the target.
Reference: Chapter 4: Scanning and Enumeration
Objective: Understand the scan types, such as ping sweep, SYN, Stealth, XMAS, NULL, IDLE, FIN, ICMP Echo, List, TCP Connect, Full Open, and UDP
147. A pen tester types the following commands into a Linux console:
ifconfig wlan0 down
ifconfig wlan0 hw ether 00:AB:CD:1A:2B:3C
ifconfig wlan0 up
What is the most likely reason for this action?
A. Port security is enabled on the access point.
B. The SSID is cloaked from the access point.
C. MAC filtering is enabled on the access point.
D. Weak signaling is frustrating connectivity to the access point.
Hint: Simple Linux commands that should point to the obvious answer.
Reference: Chapter 9: Wireless Network Hacking
Objective: Identify wireless hacking methods and tools
148. Metasploit operates with multiple payload types. Which Metasploit payload type operates via DLL injection and is very difficult for AV software to pick up?
A. Inline
B. Meterpreter
C. Staged
D. Remote
Hint: Metasploit payloads contain the actual executable(s) for the attack.
Reference: Chapter 11: The Pen Test: Putting It All Together
Objective: Define automatic and manual testing
149. A pen test team member wishes to clone a website to an offline copy, for further screening and examination later. Which of the following tools is the best choice for this purpose?
A. BurpSuite
B. NetCraft
C. HttpRecon
D. BlackWidow
Hint: This is a tool Sir Walter Scott would be proud of.
Reference: Chapter 8: Web-Based Hacking: Servers and Applications
Objective: Identify web application hacking tools
150. Which buffer overflow attacks memory that remains in use while a program is running?
A. Stack
B. Heap
C. Active
D. Permanent
Hint: Buffer overflows take advantage of the buffer area, but exactly where they attack is key—top or bottom is important here.
Reference: Chapter 8: Web-Based Hacking: Servers and Applications
Objective: Identify web server and application vulnerabilities