Answers
    1.  A. CEH methodology is laid out this way: reconnaissance (footprinting), scanning and enumeration, gaining access, escalating privileges, maintaining access, and covering tracks.
B, C, and D are incorrect. These answers have the methodology in incorrect order.
    2.  C. The security element of availability, obviously, is all about maintaining the availability of the resource to authorized individuals.
A, B, and D are incorrect. Confidentiality keeps the wrong eyes from seeing the data, and integrity ensures message data is not changed. Authentication is a distractor.
    3.  C. Using the Security, Functionality, and Ease of Use triangle, if you move from the middle of the triangle toward any one of the points, you are moving away from the other two. Therefore, as one increases, the other two decrease.
A, B, and D are incorrect. Each part of the triangle increases as the others decrease.
    4.  B. Gray box tests are those in which the tester is given some knowledge of the target; they are designed to replicate an inside attacker with limited privileges.
A, C, and D are incorrect. A white box test provides full knowledge of the target and replicates an inside system administrator or IT employee. Black box simulates an external attacker, with no knowledge provided. Hybrid is included as a distractor.
    5.  B. Ethical hackers proceed only after an agreement is in place—to protect both parties.
A, C, and D are incorrect. Ethical hackers perform the same functions and activities, and use the same methods, as their unethical brethren—they just do it under an agreement.
    6.  A. Passive footprinting is all about things that are publicly available, and that don’t expose you to great risk of discovery.
B, C, and D are incorrect. A vulnerability assessment touches each system looking for open vulnerabilities that can be exploited. Active footprinting puts you at greater risk of discovery (network sniffing and social engineering, for example). Security assessment is a term associated with an overall penetration test.
    7.  B. Integrity is all about ensuring the message is received at the remote destination exactly as it left—with no changes.
A, C, and D are incorrect. Confidentiality is protecting the message from unauthorized access. Availability is all about making sure authorized users can get to it when they need it. Authentication is included as a distractor.
    8.  B. Outside attacks originate outside the target’s network boundaries.
A, C, D, and E are incorrect, because none of these answer correctly describe the origination of the attack.
    9.  D. Any time you see the word “hash,” you can immediately equate it with integrity. The one-way hash algorithm provides a way to prove the message hasn’t been changed.
A, B, and C are incorrect. A digital signature is built on a hash (the hash is what actually gets signed), so it carries integrity along with it, but its defining purpose is nonrepudiation; the hash itself is the integrity control. Password policy and authentication methods have nothing to do with integrity controls (confidentiality and authentication, perhaps).
  10.  C. Zombie computers are set up to be used at a later date when needed. They are created in an effort to maintain access.
A, B, and D are incorrect. Creation of zombie systems does not make sense in the other phases.
  11.  A, B, and D. These are all examples of low-risk activities against information that is readily available for the public to view anyway.
C is incorrect. A ping sweep definitely touches clients on the target and opens you up for discovery.
  12.  B. Black box means no information is provided, and it simulates an Internet attacker.
A, C, and D are incorrect. Gray box simulates an inside user. Announced is an attack the IT staff is made aware of beforehand. Security assessment is included as a distractor.
  13.  A. The scanning and enumeration phase takes vulnerability assessment into its fold.
B, C, and D are incorrect. Fingerprinting refers to discovering the operating system and open ports. Active reconnaissance and pre-attack are included as distractors.
  14.  C. The entire reason it’s referred to as a “shrink wrap” attack is because the code used to pull it off is already packaged neatly for you by the COTS developer.
A, B, and D are incorrect. These do not describe attacks using built-in code and scripts.
  15.  B. The simplicity of symmetric encryption is its greatest asset: The use of one key makes things very easy, very fast, and well suited for bulk encryption. However, key distribution and management in this type of system is difficult, so scalability suffers.
A, C, and D are incorrect. Symmetric works well for bulk encryption, is faster than asymmetric, and does not provide for nonrepudiation (both parties hold the same key, so neither can prove which one produced a message).
   16.  B. DES uses a 56-bit effective key: the key block is 64 bits long, but 8 of those bits are reserved for parity.
A, C, and D are incorrect. None of these key lengths match DES.
  17.  B. In cryptography, encryption of bits takes one of two different forms: Substitution is replacing or changing bits, whereas transposition changes their order altogether.
A, C, and D are incorrect. Transposition would be changing the order of the bits. Changing an algorithm isn’t relevant, and man in the middle refers to an attack, not an encryption method.
  18.  A. Steganography is the practice of concealing a message inside another medium (such as another file or an image) in such a way that only the sender and recipient even know of its existence. Snow is one steganography tool that hides information in the “white space” of a file.
B, C, and D are incorrect. GifIt and ImageHide are steganography tools that make use of image files. Cavity refers to a virus type that hides in empty spaces within a file.
  19.  A. A single authority system has a CA at the top that creates and issues certs. Users trust each other based on the CA itself.
B, C, and D are incorrect. A hierarchical trust system also has a CA at the top (known as the root CA), but makes use of one or more intermediate (subordinate) CAs underneath it to issue and manage certificates; registration authorities (RAs) verify requesters' identities but do not sign certificates. A web of trust has multiple entities sign certificates for one another. Standalone CA is a distractor.
  20.  B. An XOR operation requires two inputs. If the bits match, the output is a 0; if they don’t, it’s a 1.
A, C, and D are incorrect. The output is a 0 only when the bits match. The other answers are distractors.
   21.  D. In general, public keys encrypt and private keys decrypt. A digital signature, used to prove who sent a message, works the other way: a hash of the message is encrypted (signed) with the sender’s private key, so anyone verifying it with the sender’s public key knows that the holder of that private key produced it and that the message has not changed since.
A, B, and C are incorrect. These are not proper descriptions of the use of public and private keys within a PKI system using digital certificates.
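Worked example for questions 15 and 21 (added here; it is not from the practice exam or its author): textbook RSA on two fixed primes, showing that encryption uses the public key and decryption the private key, while signing transforms a hash with the private key and anyone holding the public key verifies it. The primes, the use of a SHA-256 digest reduced into the modulus, and the absence of padding are assumptions made for illustration only; this is not a usable cryptosystem.

```python
# Added example: textbook RSA to show the direction of key use.
# Assumptions: fixed Mersenne primes, no padding, SHA-256 reduced mod n.
# Illustration only; never use this construction for real data.
import hashlib

P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                    # public exponent (coprime to PHI for these primes)
D = pow(E, -1, PHI)          # private exponent (modular inverse, Python 3.8+)

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def _digest_int(message: bytes, n: int) -> int:
    """Hash the message and reduce the digest into the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def encrypt(plaintext_int: int, public_key=PUBLIC_KEY) -> int:
    """Confidentiality: anyone can encrypt with the public key..."""
    n, e = public_key
    return pow(plaintext_int, e, n)


def decrypt(ciphertext_int: int, private_key=PRIVATE_KEY) -> int:
    """...and only the private-key holder can decrypt."""
    n, d = private_key
    return pow(ciphertext_int, d, n)


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Signature: the HASH of the message is transformed with the private key."""
    n, d = private_key
    return pow(_digest_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Anyone with the public key recovers the signed hash and compares it to a
    fresh hash of the received message: origin and integrity in one check."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"          # constructed sample message
    sig = sign(msg)
    print("verifies:", verify(msg, sig))                              # True
    print("tampered:", verify(b"transfer 900 to account 42", sig))   # False
    print("round trip:", decrypt(encrypt(123456789)) == 123456789)   # True
```

Note that a symmetric system cannot offer this: both parties hold the same key, so a message authenticated with it could have come from either of them.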
  22.  C. Of the choices available, AES is the only symmetric algorithm listed.
A, B, and D are incorrect. MD5 is a hash algorithm. RSA and ECC are asymmetric.
  23.  C. A digital certificate holds all sorts of entries, including the sender’s public key. Other entries include Version, Serial, Subject, Algorithm, Issuer, Valid Dates, and Key Usage.
A, B, D, and E are incorrect. These do not provide for the issuance of public keys.
  24.  A. A collision occurs when two or more files fed into a hash algorithm create the same output.
B, C, and D are incorrect. An attacker resending authentication information is an example of a replay attack. Chosen plaintext is an encryption attack where the attacker encrypts multiple plaintext copies himself in order to gain the key. Compromise is a distractor.
  25.  D. X.509 is an ITU-T standard for digital certificates.
A, B, and C are incorrect. X.25 is an ITU-T standard for packet-switched WAN communication. XOR is a commonly used mathematical operation. X.500 is a standard for directory services.
   26.  D. SSL steps are Client Hello; Server Hello and certificate; Server Hello Done; the client verifies the server’s identity and sends a Client Key Exchange message; the client sends Change Cipher Spec and Finished; and the server responds with Change Cipher Spec and Finished. The client generates the premaster secret only after it verifies the server’s identity (using the certificate provided in step 2) and sends it, encrypted with the server’s public key, in the Client Key Exchange; both sides then derive the session keys from it.
A, B, and C are incorrect. In SSL, the client generates the key material and must verify the identity of the server before determining that it can be trusted.
  27.  C. SHA-2 was developed to rectify shortcomings of its predecessor and is capable of producing outputs of 224, 256, 384, and 512 bits.
A, B, and D are incorrect. MD5 produces a 128-bit output, and SHA-1 a 160-bit output. SSL is not a hashing algorithm.
   28.  B. The formula for the number of keys needed in a symmetric system is N(N–1)/2, one shared key per pair of communicating parties. Plugging in 7, you get 7(6)/2, which equals 21.
A, C, and D are incorrect. These answers do not match the formula for the number of keys within symmetric systems.
  29.  C. A .com namespace indicates that ARIN (North America’s registry) is a good place to start.
A, B, and D are incorrect. Most dot-com addresses are located in North America, so the remaining choices would not be valid.
   30.  A, D, E, and F. NeoTrace is a graphical path-tracing application (like traceroute with pictures). Dig and nslookup are DNS tools. And anyone looking up information on a target who doesn’t use Google should probably take up a different career.
B and C are incorrect. Nmap is a scanning tool, and netcat is a general-purpose network utility (among other things, it sets up listening ports on a target machine, which is why many AV products flag it as a backdoor).
  31.  B and D. eMailTracker Pro and Mailtracking are both methods used to track how an email gets from sender to recipient.
A, C, and E are incorrect. BlackWidow is used for cloning a copy of a website for your perusal. Whois is a method for looking up all sorts of registry information about a site. SMTP_Util is not a tool and is included as a distractor.
  32.  D. Dig syntax is dig @<server> <name> <type> (where <server> is the name or IP of the DNS name server, <name> is the name of the resource you’re looking for, and <type> is the type of record you wish to pull).
A, B, and C are incorrect. The syntax in these answers is incorrect.
  33.  C. Nslookup is a tool that is designed to provide lookups and other functions with DNS. If the servers are designed to allow it, nslookup can be used to pull a copy of “all” records from the namespace, which is known as a zone transfer.
A, B, and D are incorrect. This is clearly nslookup syntax used for a zone transfer.
  34.  B. The retry interval determines how long a secondary will wait to try again, should a zone transfer not work. In this SOA record, it is set to 600 seconds (10 minutes).
A, C, and D are incorrect. Refresh interval defines the amount of time a secondary will wait before checking in to see if it needs a zone update. Expire determines the maximum amount of time a secondary server will keep serving the zone without a successful refresh from the primary. The last field is the minimum TTL for records in the zone (in modern DNS it is the negative-caching TTL, but the exam uses the older meaning).
  35.  A, B, E, and G. A zone file contains a list of all the resource records in the namespace zone. Valid records you may see are SOA, SRV, PTR, NS, MX, CNAME, and A.
C, D, and F are incorrect. These are not valid DNS records.
   36.  B. Traceroute works by sending packets with the TTL set to 1 for the first round, 2 for the next, and so on. Each router that decrements the TTL to zero discards the packet and returns an ICMP Time Exceeded message, so the response for each round comes back explicitly from that hop and reveals its IP address (and name).
A, C, and D are incorrect. These answers do not represent how traceroute works.
   37.  D. This is a good example of DNS poisoning: the DNS server answering the user’s home computer has been poisoned and is sending him to a fake site. The fact that others can see the site cleanly from inside the corporate network proves it wasn’t defaced and points to DNS poisoning as the explanation.
A, B, and C are incorrect. Web poisoning is included as a distractor (not a valid term), ARP poisoning wouldn’t be relevant outside the subnet, and SQL injection has nothing to do with this scenario.
  38.  D. Every time the primary updates the zone, it increments the serial number. When the secondary checks in, if its serial number is lower than the primary’s, then it knows a change has occurred and asks for a zone transfer.
A, B, and C are incorrect. Zone transfers aren’t accomplished on a given timeframe (although the SOA can define check-in times for this, the zone transfer won’t occur every time) or only when the server reboots. If the serial number of the secondary is higher, it does nothing.
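Worked example for questions 34, 35, and 38 (added here; not from the practice exam): a small zone-file parser that pulls the SOA timers, lists the record types present, and applies the serial-number rule a secondary uses to decide whether to request a zone transfer. The zone text is constructed for the example (example.test with RFC 5737 documentation addresses); the parser handles the common single-line and parenthesised forms only.

```python
# Added example: parse a constructed zone file and apply the SOA rules.
from dataclasses import dataclass

# Constructed sample zone (not from any real server).
SAMPLE_ZONE = """\
$TTL 3600
example.test.  IN SOA ns1.example.test. admin.example.test. (
                2024031501 ; serial
                7200       ; refresh
                600        ; retry
                1209600    ; expire
                86400 )    ; minimum
example.test.            IN NS    ns1.example.test.
example.test.            IN MX 10 mail.example.test.
ns1.example.test.        IN A     192.0.2.1
mail.example.test.       IN A     192.0.2.25
www.example.test.        IN CNAME mail.example.test.
_sip._tcp.example.test.  IN SRV 10 60 5060 mail.example.test.
25.2.0.192.in-addr.arpa. IN PTR   mail.example.test.
"""

RECORD_TYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "PTR", "SRV", "TXT"}


@dataclass
class SOA:
    mname: str      # primary name server
    rname: str      # responsible mailbox (the first '.' stands for '@')
    serial: int     # bumped by the primary on every zone change
    refresh: int    # how often a secondary checks the primary's serial
    retry: int      # wait before trying again after a failed check/transfer
    expire: int     # how long the zone is served without a successful refresh
    minimum: int    # negative-caching TTL (the exam's "minimum TTL")


def _logical_lines(zone_text: str):
    """Strip ';' comments and fold parenthesised multi-line records."""
    folded, buffer, depth = [], [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        depth += line.count("(") - line.count(")")
        buffer.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            folded.append(" ".join(buffer))
            buffer = []
    return folded


def parse_zone(zone_text: str):
    """Return (SOA, [(owner, type, rdata tokens), ...])."""
    soa, records = None, []
    for line in _logical_lines(zone_text):
        if line.startswith("$"):             # directives such as $TTL
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in RECORD_TYPES), None)
        if idx is None:
            raise ValueError("unrecognised record: " + line)
        owner, rtype, rdata = tokens[0], tokens[idx], tokens[idx + 1:]
        records.append((owner, rtype, rdata))
        if rtype == "SOA":
            mname, rname, *numbers = rdata
            soa = SOA(mname, rname, *map(int, numbers[:5]))
    return soa, records


def record_types(records):
    return sorted({rtype for _, rtype, _ in records})


def secondary_needs_transfer(primary_serial: int, secondary_serial: int) -> bool:
    """A secondary asks for a zone transfer only when the primary's serial is higher."""
    return primary_serial > secondary_serial


if __name__ == "__main__":
    soa, records = parse_zone(SAMPLE_ZONE)
    print(soa)                                   # retry=600, refresh=7200, ...
    print(record_types(records))
    print(secondary_needs_transfer(soa.serial, soa.serial - 1))   # True
```

The serial comparison is the whole of question 38: the secondary wakes up every refresh seconds, compares serials, and only then asks for a transfer; a secondary whose serial is equal or higher does nothing until the next check.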
  39.  A, B, and D. Passive footprinting is activity that won’t get you caught. Gathering competitive intelligence—information freely available to the world, but that could be used against the company—is considered passive. Crawling websites, checking job listings, and checking DNS records are all examples.
C is incorrect. Calling a reception desk and inquiring about employee records most definitely puts you at risk of discovery.
   40.  B. The “intitle:<string>” Google hack operator searches for any page with the string listed in the title of the page.
A, C, and D are incorrect. File type lookups are done with the “filetype:<type>” operator. URL lookups are done with the “inurl:<string>” operator.
   41.  D. The site operator lets you specify a domain (or a website) and pull pages matching a given string. For example, “site:anywhere.com passwds” would display all pages with the text “passwds” in the site anywhere.com.
A, B, and C are incorrect. The inurl operator looks in the URL only, and the intitle operator only looks at page titles. The related operator shows web pages similar to “webpagename.”
   42.  A. The cache operator will display a link to Google’s cached version of the website. This is very useful for earlier “mistakes” a web admin may have left on the site but has since removed.
B, C, and D are incorrect. Tools such as BlackWidow are used to clone a copy of the website for your machine. This operator does not provide a visitors list to a site.
  43.  D. TCP port 53 is used for DNS zone transfers, and is usually open on firewalls (although not for that purpose, necessarily).
A, B, and C are incorrect. UDP port 53 is used for DNS lookups—not zone transfers. 161 is an SNMP port, and 22 is for SSH.
  44.  D. Name servers answer DNS requests about the namespace (NS).
A, B, and C are incorrect. PTR is a pointer record (reverse lookups), SOA is the Start of Authority record, and MX stands for Mail Exchanger.
  45.  B. LACNIC serves the Latin America region.
A, C, and D are incorrect. APNIC is Asia-Pacific, ARIN is North America, and RIPE NCC handles Europe.
   46.  D. The four regional Internet registries the exam recognizes are RIPE NCC, LACNIC, ARIN, and APNIC. (A fifth, AfriNIC, has served Africa since 2005, but it isn’t among the choices.)
A, B, and C are incorrect. PICNIC, NANIC, and LATNIC are not regional registries.
  47.  C. CNAME (Canonical Name) records provide for aliases within the zone.
A, B, and D are incorrect. NS records represent Name Servers. SOA is the Start of Authority record. PTR records map an IP address to a host name (providing for reverse DNS lookups).
  48.  A. A whois lookup can provide all sorts of information about the registration of the site.
B, C, and D are incorrect. None of the remaining tools can provide this output.
   49.  A. No response from a port during a null scan indicates an open port (or one whose probe a firewall silently dropped, which is why nmap reports such ports as open|filtered).
B, C, and D are incorrect. An RST/ACK would indicate a closed port.
  50.  A. No response from a port during a FIN scan indicates it is open.
B, C, and D are incorrect. An RST/ACK would indicate a closed port.
  51.  A. During a so-called “null” session, no username or password is in use. The “account” being used has no user ID and password in Windows, but can still be used to access resources.
B, C, and D are incorrect. Null accounts are not suspended, locked, or manually created.
  52.  B. Type 11, Code 0 is used for “time exceeded” messages. These are usually generated by a gateway along the way to let the sender know the time to live field has reached zero.
A, C, and D are incorrect. ECHO request and ECHO return are 8 and 0, respectively. Redirect is a Type 5.
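Worked example for question 52 (added here; not from the practice exam): building and parsing ICMP headers, including the RFC 1071 checksum, so you can see where Type 11 / Code 0 sits on the wire and confirm a captured message is intact. All packet contents below are constructed; the placeholder payload stands in for the expired datagram’s IP header and first 8 bytes that a real Time Exceeded message carries.

```python
# Added example: ICMP header construction and parsing with checksum check.
import struct

ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
}


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest_of_header: int = 0,
               payload: bytes = b"") -> bytes:
    """8-byte ICMP header (type, code, checksum, 4-byte 'rest') plus payload."""
    draft = struct.pack("!BBHI", icmp_type, code, 0, rest_of_header) + payload
    checksum = icmp_checksum(draft)
    return struct.pack("!BBHI", icmp_type, code, checksum, rest_of_header) + payload


def parse_icmp(packet: bytes) -> dict:
    if len(packet) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    icmp_type, code, _, rest = struct.unpack("!BBHI", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "name": ICMP_TYPES.get(icmp_type, "other"),
        # Summing an intact packet, checksum field included, yields 0.
        "checksum_ok": icmp_checksum(packet) == 0,
        "rest_of_header": rest,
        "payload": packet[8:],
    }


if __name__ == "__main__":
    # Constructed Time Exceeded reply, as a router would send when TTL hits 0.
    time_exceeded = build_icmp(11, 0, payload=b"<IP header + 8 bytes of the expired datagram>")
    print(parse_icmp(time_exceeded))
    # Constructed echo request: identifier 0x1234, sequence 1 in the 'rest' field.
    echo = build_icmp(8, 0, rest_of_header=(0x1234 << 16) | 1, payload=b"ping")
    print(parse_icmp(echo)["name"])
```

The same Time Exceeded message is what traceroute relies on (question 36): each hop that expires the probe’s TTL answers with Type 11, and the source address of that reply is the hop’s address.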
  53.  C. The MAC address for broadcast frames is made up of all F’s. If you’re wondering, the F in hex code is all 1’s turned on: 1111.
A, B, and D are incorrect. None of the remaining MAC addresses fit the question.
  54.  D. The T switch indicates the speed at which the scan runs—higher is faster. The T1 switch slows the scan down tremendously.
A, B, and C are incorrect. The remaining scans either have poor syntax (C5 switch) or do not address speed/stealth.
  55.  B, C, and E. SNMP uses UDP for transport, is susceptible to sniffing, and sends community strings in plaintext.
A, D, and F are incorrect. SNMP (v1 and v2c) runs over UDP, not TCP, and does nothing to protect its community strings; only SNMPv3 adds authentication and encryption.
  56.  C. A Connect (TCP Connect or Full Connect) scan runs through the entire three-way handshake on each port. It’s slow and noisy, but gets you the best results.
A, B, and D are incorrect. Neither XMAS nor Stealth scans produce results more reliably than a Connect scan. T5 is an nmap switch for speed (Insane).
   57.  B. Hping here is performing a basic ACK scan (the -A switch) using port 80 (-p 80) on an entire Class C subnet (the “x” in the address runs through all 254 possibilities).
A, C, and D are incorrect. The hping syntax doesn’t match these answers.
   58.  D. Banner grabbing is one of the easiest enumeration methods to use and involves sending an unsolicited request to an open port to see what, if any, default message (banner) is returned. Telnet provides a very easy way to accomplish this. Most other scanning tools (netcat, nmap, and so on) can also provide banner grabbing.
A, B, C, and E are incorrect. Nslookup is for DNS queries, traceroute is for path mapping, AngryIP is a host discovery tool, and Silica is used for wireless discovery.
  59.  B. A RST/ACK on an XMAS scan indicates a closed port.
A, C, and D are incorrect. There is no response from an open port.
   60.  B and D. A Null scan sends a packet with no flags set. Although responses vary on some OSs, a standards-compliant stack will respond with an RST/ACK on a closed port and send nothing for an open one. Null scans do not work against Windows machines: the Windows stack answers RST to the probe regardless of port state, so every port appears closed.
A and C are incorrect. RST/ACK responses indicate a closed port. Null scans were created for Unix boxes.
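Worked example for questions 49, 50, 59, and 60 (added here; not from the practice exam): what the null, FIN, and XMAS probes look like on the wire and how their responses, or lack of one, are read. The target is a simplified model that is an assumption of the example: an RFC 793 stack (RST/ACK for closed, silence for open) versus a Windows-style stack that answers RST to every such probe, which is exactly why the scan misreports open Windows ports as closed.

```python
# Added example: flag-only TCP probes and how their (non-)responses are read.
import struct

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
PROBES = {"null": [], "fin": ["FIN"], "xmas": ["FIN", "PSH", "URG"]}


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Minimal 20-byte TCP header: data offset 5 words, no options,
    checksum and urgent pointer left zero (enough to inspect the flags)."""
    offset_flags = (5 << 12) | sum(FLAGS[f] for f in flags)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)


def parse_flags(header: bytes) -> set:
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return {name for name, bit in FLAGS.items() if offset_flags & bit}


def build_probe(scan: str, dst_port: int, src_port: int = 40000) -> bytes:
    return build_tcp_header(src_port, dst_port, PROBES[scan])


def simulate_target(probe: bytes, port_open: bool, rfc793_compliant: bool = True):
    """Assumed model of the target's reply to a probe carrying no SYN.
    RFC 793 stack: RST/ACK when the port is closed, silence when open.
    Windows-style stack: RST/ACK no matter what (the question 60 caveat)."""
    src, dst = struct.unpack("!HH", probe[:4])
    if not port_open or not rfc793_compliant:
        return build_tcp_header(dst, src, ["RST", "ACK"])
    return None


def classify_port(scan: str, response) -> str:
    """Read a null/FIN/XMAS result: silence is 'open|filtered' (a firewall
    dropping the probe looks identical to an open port), RST means closed."""
    if scan not in PROBES:
        raise ValueError(f"unknown scan type: {scan}")
    if response is None:
        return "open|filtered"
    if "RST" in parse_flags(response):
        return "closed"
    return "unexpected"


if __name__ == "__main__":
    probe = build_probe("xmas", 80)
    print(sorted(parse_flags(probe)))                                        # FIN, PSH, URG
    print(classify_port("xmas", simulate_target(probe, port_open=False)))    # closed
    print(classify_port("xmas", simulate_target(probe, port_open=True)))     # open|filtered
    print(classify_port("xmas", simulate_target(probe, port_open=True,
                                                rfc793_compliant=False)))   # closed (misread)
```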
  61.  E. Ping basically asks a host to return the packet sent. It’s used mainly to identify live hosts and to help in troubleshooting. If the host isn’t available—because it’s turned off or ICMP is being filtered by an external (or internal) device—then it cannot respond (almost like yelling to your kids who can’t hear you due to the loud music in the room). The TTL value tells the ping packet when to “die” and is decremented after passing through a router (hop). If it isn’t high enough to reach the host system, there will be no reply.
A, B, C, and D are all correct responses, thus making E the appropriate choice.
  62.  D. The “tone” portion of the ToneLoc tool gives this one away—it refers to a dial tone. Along with THC-Scan and WarVox, ToneLoc is used as a war-dialing application.
A, B, and C are incorrect. The remaining answers do not describe ToneLoc.
  63.  D. A stateful inspection firewall would notice the ACK coming unsolicited and from the wrong side of the fence.
A, B, and C are incorrect. IDS is passive and reactive, so it would not prevent the packet flow. There is no way to tell, from the information provided, what OS the systems are.
   64.  A and C. Switches are designed to filter traffic; that is, they send traffic intended for a destination MAC only to the port that holds the MAC address as an attached host. The exception, however, is broadcast and multicast traffic, which gets sent out every port. Because ARP is broadcast in nature, every machine’s ARP requests would be viewable.
B and D are incorrect. The switch will filter traffic to the laptop, and MAC addresses will be available from the broadcast ARPs.
   65.  C. Anomaly-based IDSs study traffic patterns and, over time, can determine what is normal and what is malicious.
A, B, and D are incorrect. Stateful and packet filtering are firewall types. A signature-based IDS only compares traffic to a signature file, and would not care about the amount of traffic passing at any given point.
   66.  D. Firewalking is the process of testing, port by port, which ports the firewall allows to pass and which it filters (it uses traceroute-style TTL manipulation so that the answers come from the hop just past the firewall).
A, B, and C are incorrect. Answer A is known as war driving. Answers B and C are irrelevant.
  67.  C. Wireshark syntax uses double equals signs. Before the test, review the syntax items in Wireshark—it’ll pay off.
A, B, and D are incorrect. These answers are not in correct syntax.
  68.  A, B, and D. Snort can operate as an IDS, a sniffer, or a logger.
C is incorrect. Snort is not a forensics packet analyzer. Yes, you can see some details in the logs, but that is not the design of the product or one of the operating modes of Snort.
  69.  A. An IDS doesn’t have any means to break encryption on the fly. As a matter of fact, encrypted traffic presents one of the best ways to defeat an IDS. Encryption is the nemesis of an IDS because it cannot see the traffic.
B, C, and D are incorrect. SSL does not affect false positives or negatives, and does not fail due to passive sniffing.
  70.  A. Anomaly-based (also known as behavior-based) systems learn what is considered “normal” traffic over time. Once enough time has passed for a good sampling of what “normal” traffic is discovered to be, the system will alert on anything falling outside the determined norm.
B, C, and D are incorrect. Signature-based systems match traffic patterns to signatures. The other two answers are not IDS types.
  71.  A. This is the only answer in Wireshark syntax. Definitely know the ip.addr, ip.src, and ip.dst filters—and the tcp contains filter is another favorite of test question writers.
B, C, and D are incorrect. These answers are incorrect syntax for Wireshark filters. A good way to learn the syntax of these filters is to use the expression builder directly beside the filter entry box.
  72.  A, B, C, D and E. All the protocols listed here transfer data—including passwords—in cleartext.
F is incorrect. SSH can be thought of as an encrypted version of Telnet.
   73.  D. This is a question right out of EC Council. A lawful intercept is a process allowing a law enforcement agency (LEA) to sniff traffic based on a judicial order. A lawful intercept needs a judicial order allowing it, a tap (usually the service provider allows a port opening for this), something to process all the data (the mediation device), and a collection area where everything is stored and parsed/processed further. A helpful hint in this craziness is the key word “third party”: a mediation device is usually provided by a third party, whereas the tap and the collection are not.
A, B, and C are incorrect. IAP (intercept access point) is the device providing all the raw data (the tap), and the collection function is an application that stores and parses the information gleaned from the tap and mediation devices.
  74.  B. In this example, Host A and Host B have been given bogus MAC addresses for each other: The pen tester sent his own MAC to each of them. Now when either crafts a message for the other, it will erroneously address the message to the pen tester’s machine.
A, C, and D are incorrect. This ARP poisoning only affects traffic between the two hosts.
  75.  C. This rule alerts on Telnet in only one direction—into the internal network. It states that any IP address on any port attempting to connect to an internal client will generate the message “Telnet Connection Attempt.”
A, B, and D are incorrect. A and B are incorrect because they reference log-only rules. D is incorrect because the arrow is only in one direction.
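Worked example for question 75 (added here; not from the practice exam or the Snort project): a small parser for the header portion of a Snort rule plus a matcher that shows why a `->` rule fires on inbound Telnet only, while `<>` would also match the return traffic and a `log` action would record rather than alert. The rule text, the `$HOME_NET` value, and the packets are constructed for the example; option parsing is simplified (a semicolon inside a quoted value is not handled).

```python
# Added example: parse a constructed Snort rule and test packets against it.
import ipaddress
import re

RULE_HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Constructed rule of the shape the question describes.
TELNET_RULE = 'alert tcp any any -> $HOME_NET 23 (msg:"Telnet Connection Attempt"; sid:1000001; rev:1;)'
VARIABLES = {"$HOME_NET": "10.0.0.0/8"}   # assumed snort.conf variable


def parse_rule(rule: str) -> dict:
    m = RULE_HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: " + rule)
    parsed = m.groupdict()
    options = {}
    for opt in (o.strip() for o in parsed.pop("opts").split(";")):
        if opt:
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    parsed["options"] = options
    parsed["bidirectional"] = parsed["dir"] == "<>"
    return parsed


def _ip_ok(pattern, ip, variables):
    pattern = variables.get(pattern, pattern)       # expand $HOME_NET-style variables
    if pattern.startswith("!"):                     # negation, e.g. !$HOME_NET
        return not _ip_ok(pattern[1:], ip, variables)
    return pattern == "any" or \
        ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _port_ok(pattern, port, variables):
    pattern = variables.get(pattern, pattern)
    if pattern.startswith("!"):
        return not _port_ok(pattern[1:], port, variables)
    if pattern == "any":
        return True
    if ":" in pattern:                              # range such as 1:1024 or 1024:
        lo, _, hi = pattern.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(pattern) == port


def rule_fires(rule: dict, pkt: dict, variables=VARIABLES):
    """Return the rule's action if the packet matches its header, else None."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return None

    def side(ip_pat, port_pat, ip, port):
        return _ip_ok(ip_pat, ip, variables) and _port_ok(port_pat, port, variables)

    forward = side(rule["src"], rule["sport"], pkt["src"], pkt["sport"]) and \
        side(rule["dst"], rule["dport"], pkt["dst"], pkt["dport"])
    reverse = rule["bidirectional"] and \
        side(rule["src"], rule["sport"], pkt["dst"], pkt["dport"]) and \
        side(rule["dst"], rule["dport"], pkt["src"], pkt["sport"])
    return rule["action"] if (forward or reverse) else None


if __name__ == "__main__":
    rule = parse_rule(TELNET_RULE)
    inbound = {"proto": "tcp", "src": "203.0.113.9", "sport": 51000, "dst": "10.1.2.3", "dport": 23}
    reply = {"proto": "tcp", "src": "10.1.2.3", "sport": 23, "dst": "203.0.113.9", "dport": 51000}
    print(rule["options"]["msg"], rule_fires(rule, inbound))            # alert
    print(rule_fires(rule, reply))                                       # None: arrow is one-way
    print(rule_fires(parse_rule(TELNET_RULE.replace("->", "<>")), reply))  # alert: both directions
```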
  76.  B. A NIC must be put into promiscuous mode in order to bring in all packets passing by and not just those addressed for the host’s MAC address. WinPcap allows for the capture of data on a NIC (promiscuous mode).
A, C, and D are incorrect. LibPcap is for Unix/Linux machines, and the “mode” answers are pure distractors.
  77.  D. The T1 switch slows the scan down tremendously.
A, B, and C are incorrect. The remaining scans either have poor syntax (C5 switch) or do not address speed/stealth.
  78.  C. Snort can act as a packet sniffer, packet logger, and an IDS.
A, B, and D are incorrect. Snort is not a firewall, proxy, or forensic analyzer.
   79.  A. Alternate Data Streams (ADS), also known as NTFS file streaming, is a feature of the Windows-native NTFS file system. It has been around ever since the NT days and works on every NTFS-based Windows release. NTFS file streaming allows you to hide virtually any file behind any other file, rendering it invisible to ordinary directory listings (dir /r lists the streams).
B, C, and D are incorrect. NetBIOS provides session-layer services over (usually) a TCP/IP intranet. Encrypting File System (EFS) is a feature introduced in NTFS that provides file-level encryption. Steganography is included as a distractor.
   80.  C. Hardware keyloggers are the highest risk, because they are almost impossible to detect from software running on the host.
A, B, and D are incorrect. AV systems easily catch most software-based keyloggers. Polymorphic is not a keylogger type. Heuristic refers to the method by which an AV functions, not how a keylogger works.
  81.  C. Syskey uses 128-bit encryption.
A, B, and D are incorrect. Syskey does not use 40-, 64-, or 256-bit encryption.
  82.  B. Elsave is a “public domain” executable that can be used to clear Windows logs.
A, C, and D are incorrect. Cain is a password cracker/sniffer, Auditpol is used to disable auditing, and Pwdump is used to extract password hash values.
  83.  B. As you should know by now, the RID ending in 500 represents the true administrator account for the device. After seeing the list displayed by User2SID, running SID2User on the one ending in 500 will reveal the admin account.
A, C, and D are incorrect. NETHER is the domain name. The other two answers are simply false.
   84.  B. Whenever a password is seven characters or shorter, the right half of its LM hash is the constant AAD3B435B51404EE (ending in 1404EE), because LM pads the password to 14 characters, splits it into two 7-character halves, and hashes each half separately; an empty half always produces that value.
A, C, and D are incorrect. The left half of each hash will differ and indicates nothing by itself. Answers C and D are incorrect because the hash value can tell you something about password length.
   85.  A. Rainbow tables were created specifically for this purpose. If you have a password hash offline, running it against rainbow tables can be a very quick way to obtain the password that created it.
B, C, and D are incorrect. You cannot reverse a hash: It’s one-way. User2SID and SID2User are used for enumeration purposes. John the Ripper is a password-cracking tool, but it computes every candidate hash on the fly (dictionary and brute force), so it takes time to complete.
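Worked example for question 85 (added here; not from the practice exam or any real rainbow-table tool): a toy rainbow table over 4-digit PINs hashed with MD5. It shows the time-memory trade-off the answer relies on: the table stores only the two ends of each precomputed chain, and a lookup regenerates just enough of a chain to recover the preimage. The keyspace, chain length, number of chains, and reduction function are assumptions chosen to keep the example fast.

```python
# Added example: toy rainbow table (4-digit PINs, MD5). Illustration only.
import hashlib

KEYSPACE = 10_000        # PINs "0000".."9999"
CHAIN_LEN = 50           # hash/reduce steps per chain
START_POINTS = 600       # chains built; only their two ends are stored


def H(pin: str) -> str:
    """The one-way function being attacked (MD5 of the PIN, hex)."""
    return hashlib.md5(pin.encode()).hexdigest()


def R(digest: str, column: int) -> str:
    """Reduction function: map a digest back INTO the PIN keyspace.
    Mixing in the column index gives each column its own reduction, which
    is what makes this a rainbow table rather than a plain Hellman chain."""
    return f"{(int(digest, 16) + column) % KEYSPACE:04d}"


def build_table() -> dict:
    """Precomputation, done once offline: endpoint -> start point."""
    table = {}
    for i in range(START_POINTS):
        start = f"{(i * 16) % KEYSPACE:04d}"
        p = start
        for column in range(CHAIN_LEN):
            p = R(H(p), column)
        table.setdefault(p, start)   # merged chains keep the first start point
    return table


def lookup(target: str, table: dict):
    """Recover the PIN behind `target` (a digest) using the table, or None."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target sits in this column; walk it to a chain end.
        p = R(target, column)
        for later in range(column + 1, CHAIN_LEN):
            p = R(H(p), later)
        start = table.get(p)
        if start is None:
            continue
        # Candidate chain found: regenerate it and check for the true
        # preimage (a matching endpoint can be a false alarm from a merge).
        p = start
        for col in range(CHAIN_LEN):
            if H(p) == target:
                return p
            p = R(H(p), col)
    return None


TABLE = build_table()

if __name__ == "__main__":
    print(lookup(H("0000"), TABLE))   # "0000": a stored start point is always found
    print(lookup(H("4242"), TABLE))   # "4242" if its chain survived merges, else None
    print(lookup(H("hello"), TABLE))  # None: "hello" is outside the keyspace
```

The table holds 600 entries yet can answer for far more than 600 PINs; coverage is partial because chains merge, which is why real tables are generated with many more chains than the keyspace-over-chain-length minimum. Salted hashes defeat the whole approach, since a table would be needed per salt.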
   86.  A. Even though this is just a small sample of the overall results, you can plainly see MIB entries (sysDescr, sysName, and the like) being queried one at a time. This indicates snmpwalk as the appropriate choice.
B, C and D are incorrect. None of the remaining answers fit the result listing.
  87.  D. EC Council cares nothing about the actual length of the password. On this exam, complexity trumps all.
A, B, and C are incorrect. These passwords do not hold all three elements of complexity.
   88.  B, C, and D. Most Linux source installations require ./configure, make, and make install.
A and E are incorrect. These are not part of the standard build sequence.
   89.  A. The chmod command uses octal digits built from the bit values for read (4), write (2), and execute (1), one digit each for the owner, then the group, and then everyone else. When rights are combined, the values add (read + write = 6, for example). In this case, 464 means the owner gets read, the group gets read and write, and everyone else gets read.
B, C, and D are incorrect. These answers do not reflect the 4-6-4 stipulation.
   90.  A, B, D, and E. Kerberos makes use of symmetric encryption (and, with the PKINIT extension, asymmetric keys as well) to securely transmit tickets and session keys across a network; the password itself never crosses the wire. The entire process is made up of a Key Distribution Center (KDC), an Authentication Service (AS), a Ticket Granting Service (TGS), and the Ticket Granting Ticket (TGT).
C, F, and G are incorrect. PKI should be obvious because it represents a key/certificate exchange encryption system. ADS is Alternative Data Streaming and EFS is Encrypting File Services.
   91.  C. Knowing what the SAM is and what you can do with it, given the right toolset, is irrelevant if you can’t find it on the system. On an XP machine, you can find the SAM file in C:\Windows\System32\config. And if for some reason you can’t find it there, try the backup copy in the C:\Windows\repair folder.
A, B, and D are incorrect. The /etc answers are obviously Linux folders. C:\Winnt\config is not a correct location for the SAM.
  92.  A. Active online attacks occur when the attacker begins simply trying passwords. Active online attacks take a much longer time than passive attacks, and are also much easier to detect. These attacks try to take advantage of bad passwords and security practices by individuals on a network. Not very efficient, but they work sometimes.
B, C, and D are incorrect. A passive online attack amounts to sniffing a wire in hopes of intercepting a password. Offline attacks occur on a copy of the hash offline. Non-electronic occurs offline.
  93.  C. This syntax is used to establish a null session—most likely for enumeration purposes. Combined with tools such as NetBIOS Auditing Tool (NAT) and Legion, you can automate the testing of user IDs and passwords, along with all sorts of other naughtiness.
A, B, and D are incorrect. These answers do not match the syntax for this command.
   94.  A, C, and E. Physical measures are all the things you can touch, taste, smell, or get shocked by. Technical measures use technology (alarms, badge readers, cameras, and the like) to enforce protection at the physical level. Operational measures are the policies and procedures you set up to enforce a security-minded operation.
B, D, and F are incorrect. Computer based and human based are social engineering attack types, and policy based is a distractor.
  95.  C. A disgruntled employee can cause all sorts of havoc for your security team. The main reason is location: The employee is already inside the network. Inside attacks are generally easier to launch, are more successful, and are harder to prevent.
A, B, and D are incorrect. Although these very well may represent clear threats willing to take advantage of your organization, they all pale in comparison to an internal, knowledgeable user with an axe to grind.
  96.  A and D. Mean time between failure references the amount of time a piece of equipment can be expected to last. The higher this number, the longer the equipment is expected to perform. The mean time to repair is an estimate of how long it will take to fix a potential problem with the equipment: The lower the time it takes to repair, the better.
B and C are incorrect. These are the opposite of where you want the numbers to be.
  97.  B. Jack is using something he “knows” (a PIN) along with something he “has” (a PIV card).
A, C, and D are incorrect. Single factor would use only one of the three categories. Using all three (adding something Jack “is”) would be three-factor authentication; two-factor is the precise description of a PIN plus a card.
  98.  B. A covert channel is a transmission method used in a way for which it was not intended—generally for the purposes of hiding data transmissions and/or violating security policy.
A, C, and D are incorrect. An overt channel is used as designed and within policy. A wrapper refers to the application used to hide a Trojan (bind to a legitimate file). Hidden is included as a distractor.
  99.  B. This is a classic (albeit simple) demonstration of a cross-site scripting (XSS) attack.
A, C, and D are incorrect. The actions taken do not indicate SQL injection (which would have shown query language), buffer overflow (which would be blatantly obvious from the entry field), or directory traversal (which uses the URL and the “dot-slash” method).
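Worked example for question 99 (added here; not from the practice exam): the reflected-input bug behind a cross-site scripting demonstration, beside its fix. The page fragment, the parameter name, and the payload are constructed for illustration; the only real defense shown is output encoding for the HTML element-text context.

```python
# Added example: reflected XSS, vulnerable rendering beside the hardened one.
import html
from urllib.parse import parse_qs


def _search_term(query_string: str) -> str:
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflects the user's input straight into the HTML: the browser will
    run any <script> the attacker placed in the parameter."""
    return f"<p>You searched for: {_search_term(query_string)}</p>"


def render_hardened(query_string: str) -> str:
    """Same page, but the input is HTML-encoded for element-text context
    before it is reflected, so '<' reaches the browser as '&lt;'."""
    return f"<p>You searched for: {html.escape(_search_term(query_string), quote=True)}</p>"


def looks_like_script_injection(rendered_html: str) -> bool:
    """Crude check used by the demo: did a raw <script tag survive into the output?"""
    return "<script" in rendered_html.lower()


# Constructed attacker input of the classic alert-box kind.
XSS_PAYLOAD = "q=<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    print(render_vulnerable(XSS_PAYLOAD))   # script tag reflected intact
    print(render_hardened(XSS_PAYLOAD))     # &lt;script&gt;... rendered as text
```

Encoding is context-specific: the same value placed inside an attribute, a URL, or a script block needs the encoder for that context, and input validation alone does not replace output encoding.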
100.  D. A black box test simulates an outsider attack with no previous knowledge of the organization. After agreeing on scope (and so on) before the test, all the tester is given is the organization’s name.
A, B, and C are incorrect. This information would be reserved for white box testers.
101.  D. The problem with password cracking is always time, and the longer the password length you have to work with, the longer cracking it takes. If you know information up front, though, in general the hybrid attack is always fastest.
A, B, and C are incorrect. Brute force is always the longest, and dictionary would not be beneficial in this scenario. Encryption is not a password-cracking technique.
102.  D. In reverse social engineering, the attacker first markets his skills, position, and an impending problem. Next, the attacker performs sabotage against the user or network segment. Lastly, the attacker provides “technical support” to the users calling in for assistance.
A, B, and C are incorrect. If not carried out in the correct manner, this attack wouldn’t (shouldn’t) work.
103.  B. This is a straightforward question with a straightforward answer. Nessus is a well-known vulnerability scanner.
A, C, and D are incorrect. Nmap is a port scanner, netcat is used for a variety of other purposes, and hping is used for session hijacking.
104.  B. There are two types of social engineering attacks: human based and computer based. All of the mentioned attacks make use of computers; therefore, the answer is computer based.
A, C, and D are incorrect. Human-based social engineering uses face-to-face or telephone contact. Technical and physical are distracters.
105.  B. When it comes to attacks, there are several “war” variants: war dialing, war walking, and war driving. War driving involves driving around looking for open access points.
A, C, and D are incorrect. War chalking involves drawing symbols to notify others of access point availability and information. The other two answers are invalid.
106.  A. The false acceptance rate is the term for the percentage of time an unauthorized user is granted access by the biometric system. Obviously the lower this number, the better.
B, C, and D are incorrect. The false rejection rate is the percentage of time an authorized user will be rejected by a biometric system. The crossover error rate is the intersection of the FAR and FRR—the lower the score, the better.
107.  A and D. WPA-2 is the latest encryption standard for wireless. SSIDs do nothing for security other than frustrate casual (lazy) attackers. It’s not the intent of an SSID to do anything other than identify a network.
B and C are incorrect. WEP is poor encryption (and never the correct answer on this exam for security purposes) and SSID broadcast is nearly irrelevant to security.
108.  B. A phishing attack is an e-mail crafted to appear legitimate, but in fact contains links to fake websites or to downloadable malicious content. The e-mail can appear to come from a bank, credit card company, utility company, or any number of legitimate business interests a person might work with. The links contained within the e-mail lead the user to a fake web form in which the information entered is saved off for the hacker’s use.
A, C, and D are incorrect. Impersonation occurs when an attacker pretends to be a person of authority. SQL injection is not a social engineering attack.
109.  C. Shoulder surfing doesn’t necessarily require you to actually be on the victim’s shoulder—you just have to be able to watch their onscreen activity.
A, B, and D are incorrect. Eavesdropping refers to overhearing sensitive information from employee conversations. Tailgating and piggybacking are methods to gain entry to a facility.
110.  D. A mantrap is created by two doors, which seal simultaneously. The door to the controlled area is only opened when proper authentication is met. A mantrap room is usually a glass- (or clear plastic-) walled room that locks the exterior door as soon as you enter, releasing it only when proper authentication is presented, or when a guard comes to haul you away.
A, B, and C are incorrect. None of these answers matches the description.
111.  D. TCP wrappers work like a host-based IDS or filtering system. They’re used for controlling network access to TCP services (such as Telnet) on Linux. TCP wrappers would definitely display this type of response. If you are assured the services are available and running, this is the most likely answer.
A, B, and C are incorrect. Because both services are verified to be running (maybe the client is providing this information?), answer A is incorrect. A honeypot system generally lures an attacker in, so it’s unlikely to show no response. Although it’s possible malware is involved, it’s unlikely to be affecting both services—possible, but unlikely. TCP wrappers is the most likely explanation.
112.  B. A technical support attack is one in which the attacker calls a support desk in an effort to gain a password reset or other useful information. This is a very valuable method because if you get the right help desk person (that is, someone susceptible to a smooth-talking social engineer), you can get the keys to the kingdom.
A, C, and D are incorrect. Impersonation occurs when an attacker pretends to be a person of authority. Reverse social engineering occurs when the user calls the attacker for assistance. Spoofing is not a social-engineering attack.
113.  A. Of the answers provided, user education makes the most sense. An educated user should be able to spot social engineering attempts—of any form.
B, C, and D are incorrect. Proper security policies and procedures are great, but only if the user is educated on why they’re in place, what they mean, and how to abide by them. Classification of information is also an effective social engineering defense, limiting (hopefully) any loss or destruction, but on its own won’t do much.
114.  E. Enforcing elevated privilege control is a common-sense step because a disgruntled employee with administrator rights on his machine can certainly do more damage than one with just plain user rights. Securing dumpsters and practicing good physical security should help protect against an insider who wants to come back after hours and snoop around. Background checks on employees are by no means a silver bullet, but can certainly help to ensure you’re hiring the right people in the first place.
A, B, C, D, and F are incorrect. Answers A, B, C, and D are all valid; therefore, all the above is the correct choice. Answer F is incorrect because there is a valid answer.
115.  C. On some websites, you can simply copy the source code to the local machine. Then open it up in a text editor and navigate to the hidden fields (noted with a <hidden> tag) and update the pricing. Then simply reload the page with the local HTML copy and voilà!
A, B, and D are incorrect. The fact there was no direct compromise of the server or SQL DB indicates neither SQL tampering nor cross-site scripting was used. Directory traversal is used to maneuver to different folder locations on the target machine.
116.  A. Parameter tampering or parameter manipulation (a.k.a. URL tampering) is an attack where the hacker searches a URL string for parameters that can be adjusted. These entries are then manipulated within the URL string in hopes of modifying data, such as permissions and elevation of privilege, prices and quantities of goods, and credentials. On your exam, this will show when an attacker simply changes some of the entries on the URL itself, and will most often be a price or an account. In this example, it appears the attacker may be attempting to change a price.
B, C, and D are incorrect. There is no indication of cross-site scripting (which would be inside the form, anyway) or SQL injection (no query language). No directory traversal appears either (the dot-slash would be a giveaway).
117.  D. The “dot-dot-slash” is a dead giveaway on directory traversal (in this case, attempting to view the system.ini file). The idea in this attack is to travel the directory structure back to the root, then on to a location known to contain an executable of use to the attacker.
A, B, and C are incorrect. The URL does not indicate XSS or SQL injection. Offline attacks deal with the theft of passwords and the attempt to crack them offline.
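Answers 99, 115, 116 and 117 all turn on the same tell-tale indicators in a request: the “dot-dot-slash” for directory traversal, quote characters and query keywords for SQL injection, script markup for cross-site scripting, and an edited price for parameter tampering. The following Python is an added example, not code from the book or from EC-Council, that applies those indicators to a handful of constructed web-server request lines; the sample requests, the `KNOWN_PRICES` baseline and the function names are all assumptions for illustration. It also shows the caveat that matters in practice: the indicators are usually percent-encoded (sometimes twice), so the request must be decoded before the patterns are checked.

```python
"""Triage request lines for the indicators named in the answer key.

Added example (not from the book). Sample requests and the price
catalogue are constructed for illustration only.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample request lines, as a web-server access log might record them.
SAMPLE_REQUESTS = [
    "GET /shop/view.php?item=42&price=1999 HTTP/1.1",          # legitimate
    "GET /shop/view.php?item=42&price=1 HTTP/1.1",             # price edited in the URL
    "GET /download.php?file=..%2F..%2F..%2Fwindows%2Fsystem.ini HTTP/1.1",
    "GET /login.php?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1",
    "GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
    "GET /about.html HTTP/1.1",
]

# Constructed catalogue: the server-side price for each item id.
KNOWN_PRICES = {"42": 1999}

TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")                      # the dot-dot-slash giveaway
SQLI_RE = re.compile(r"'\s*(or|and|union|select)\b|\bunion\s+select\b|--", re.I)
XSS_RE = re.compile(r"<\s*script|javascript:", re.I)


def decode_fully(s, rounds=3):
    """Undo percent-encoding until it stops changing, so %252e%252e%252f
    (double-encoded ../) is caught as well as %2e%2e%2f."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(line):
    """Return the set of indicator labels present in one request line."""
    parts = line.split(" ")
    if len(parts) < 2:
        return set()
    target = decode_fully(parts[1])
    labels = set()
    if TRAVERSAL_RE.search(target):
        labels.add("directory_traversal")
    if SQLI_RE.search(target):
        labels.add("sql_injection")
    if XSS_RE.search(target):
        labels.add("xss")
    # Parameter tampering is only visible against a baseline: compare the
    # price in the URL with the server's own catalogue entry.
    params = parse_qs(urlparse(target).query)
    item = params.get("item", [None])[0]
    price = params.get("price", [None])[0]
    if item in KNOWN_PRICES and price is not None and price != str(KNOWN_PRICES[item]):
        labels.add("parameter_tampering")
    return labels


def triage(lines):
    """Map each request line to its sorted list of indicator labels."""
    return {line: sorted(classify_request(line)) for line in lines}


if __name__ == "__main__":
    for request, found in triage(SAMPLE_REQUESTS).items():
        print(f"{found or ['-']!s:>40}  {request}")
```

The regular expressions are deliberately narrow (a quote followed by a SQL keyword, a script tag, a literal `../`) to keep false positives down; a production filter would add context such as the parameter name and a per-site allow-list. The tampering check is the important design point: a changed price cannot be recognised from the URL alone, only by comparing against what the server knows the price to be.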
118.  B. Bluejacking is a Bluetooth attack where the attacker sends unsolicited messages to the target.
A, C, and D are incorrect. BlueSmacking is a DoS attack. BlueSniffing is an effort to sniff data from Bluetooth exchanges. BlueScarfing is the actual theft of data from a Bluetooth device.
119.  D. The source code does not check bounds on its input, making the application vulnerable to buffer overflow. A buffer overflow simply takes advantage of that weakness by overfilling a buffer to inject new code.
A, B, and C are incorrect. These answers are false choices for this scenario.
120.  C. BlueSniffing is an effort to sniff data from Bluetooth exchanges.
A, B, and D are incorrect. BlueSmacking is a DoS attack. BlueScarfing is the actual theft of data from a Bluetooth device. Bluejacking is a Bluetooth attack where the attacker sends unsolicited messages to the target.
121.  B. SSL is a transport layer (layer 4) encryption method/protocol.
A, C, and D are incorrect. SSL does not work in these layers.
122.  C. Per EC Council, Kismet works as a true passive network discovery tool, with no packet injection whatsoever. Kismet will work with any wireless card that supports raw monitoring (rfmon) mode, and (with appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also works by “channel hopping” to discover as many networks as possible and also has the ability to sniff packets and save them to a log file, readable by Wireshark or TCPDump.
A, B, and D are incorrect. NetStumbler is an Active Discovery tool. Aircrack is a WEP cracking program. Netsniff is a false choice.
123.  A. Melissa (a famous virus attacking Microsoft Excel 1997) is a classic example of a macro virus.
B, C, and D are incorrect. Melissa was a macro virus, not any of the other choices.
124.  C. 31337 is the default port for BackOrifice (“elite” spelled out in numbers), although it has been used on many other ports. In the real world, you’ll almost never see this port used—for this or anything else.
A, B, and D are incorrect. 666 is the default port for several different malware applications. Doom, Cain and Abel, NokNok and Attack FTP are all examples. The other ports do not match BackOrifice.
125.  A, C, and D. Hunt and T-sight are probably the two best known MITM tools, and the two you’ll probably see referenced on the exam, but they’re by no means your only options. Hunt can sniff, hijack, and reset connections at will whereas T-sight (commercially available) can easily hijack sessions as well as monitor additional network connections. Paros is a well-known proxy MITM session hijacking tool, and includes such goodies as vulnerability scanning and spidering.
B is incorrect. Tini is a backdoor tool.
126.  B. Session hijacking requires the attacker to guess the proper upcoming sequence number(s) to pull off the attack, pushing the original client out of the session. Using unpredictable session IDs in the first place protects against this. Other countermeasures for session hijacking are fairly common sense: Use encryption to protect the channel, limit incoming connections, minimize remote access, and regenerate the session key after authentication is complete.
A, C, and D are incorrect. These choices would do nothing to stop session hijacking.
127.  C. Session hijacking occurs after the three-step handshake. As a matter of fact, you’ll probably need to wait quite a bit after the three-way handshake so that everything on the session can be set up—authentication and all that nonsense should be taken care of before you jump in and take over.
A, B, and D are incorrect. Session hijacking occurs after a session is already established, and the three-step handshake must obviously occur first for this to be true. The FIN packet brings an orderly “close” to the TCP session.
128.  B. Wrappers are programs that allow you to bind an executable of your choice (Trojan) to an innocent file your target won’t mind opening. For example, you might use a program such as EliteWrap.
A, C, and D are incorrect. The wrapper is used to bind the Trojan to the legitimate file, and has nothing to do with encryption of the Trojan itself. Polymorphic code deals with a type of virus that changes its code to avoid detection by signature-based antivirus programs.
129.  B. Starting with the acknowledged sequence number of 201, the server will accept packets between 202 and 206 before sending an acknowledgement. The window size is at 5, so the five outstanding, before an ACK required, are 202, 203, 204, 205, and 206.
A, C, and D are incorrect. These answers do not fit with the window size or sequence numbers.
130.  A. An Initialization Vector (IV) provides for confidentiality and integrity. Wireless encryption algorithms use it to calculate an integrity check value (ICV), appending it to the end of the data payload. The IV is then combined with a key to be input into an algorithm (RC4 for WEP, AES for WPA-2). Initialization vectors in WEP are small, get reused frequently, and are sent in cleartext.
B, C, and D are incorrect. The other answers do not match the truth regarding IVs.
131.  A and C. Brutus is a fast, flexible remote password cracker. It was originally invented to help its creator check routers and network devices for default and common passwords, but has since grown and evolved into much more, and it’s among the more popular security tools available for remote password cracking. THC-Hydra is another remote password cracker. It’s a “parallelized login cracker” that provides the ability to attack over multiple protocols.
B and D are incorrect. Nikto is not a remote password cracker. It’s an open source web-server-centric vulnerability scanner that performs comprehensive tests against web servers for multiple items. BlackWidow is a web cloning tool, allowing you to copy an entire website for later review.
132.  C. A vulnerability assessment is exactly what it sounds like: the search for, and identification of, potentially exploitable vulnerabilities on a system or network. The two keys to a vulnerability assessment are that the vulnerabilities are identified, not exploited, and the report is simply a snapshot in time.
A, B, and D are incorrect. Pen-test team members definitely exploit vulnerabilities as they find them—that’s their job. The other answers are distractors.
133.  C. EC Council differentiates attackers by who they are in relation to the company and how they gain access. Defining inside versus outside has nothing to do with where the attack is coming from, but everything to do with the person’s relationship to the company. All company employees (including contractors) are considered “inside.” Anyone who is not an employee is considered “outside,” with one notable exception: an inside affiliate is a spouse, friend, or acquaintance of an employee who makes use of the employee’s credentials to gain access and cause havoc.
A, B, and D are incorrect. The attacker is not “outside,” as the credentials used are internal, and the attacker is not an employee.
134.  D. In SQL, a single quote is used to indicate an upcoming character string. Once SQL sees that open quote, it starts parsing everything behind it as string input. If there’s no close quote, an error occurs because SQL doesn’t know what to do with the input. If configured poorly, that error will return to you and let you know it’s time to start injecting SQL commands.
A, B, and C are incorrect. The other choices do not start SQL injection attacks.
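Answer 134 describes the mechanism (an unterminated string literal makes the database throw an error) and answer 145 the symptom (that error leaking back to the client). The following Python is an added example, not from the book, that reproduces both with an in-memory SQLite table and puts the vulnerable string-concatenated query next to its parameterized replacement; the table, its rows and the function names are constructed for illustration.

```python
"""A lone single quote against a concatenated query versus a parameterized one.

Added example (not from the book). The in-memory table and rows are
constructed for illustration.
"""
import sqlite3


def make_db():
    """Build a tiny users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the input is spliced into the SQL text.
    A stray quote leaves the literal unterminated, SQLite raises an error,
    and an application that echoes that error to the browser has just told
    the sender the field is injectable."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        # Returned here so the demo can show it; a real app should log it
        # server-side and send the client a generic error instead.
        return "ERROR: " + str(exc)


def lookup_param(conn, name):
    """Hardened: the driver passes the input as data, never as SQL text.
    The quote is just a character in the name, so it matches no row and
    cannot change the shape of the query."""
    return [row[0] for row in conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    db = make_db()
    for probe in ["alice", "'"]:
        print(f"{probe!r:10} concat -> {lookup_concat(db, probe)!r}")
        print(f"{probe!r:10} param  -> {lookup_param(db, probe)!r}")
```

The hardened version is not input filtering; it changes how the input reaches the database, which is why it works regardless of what characters the probe contains. Suppressing the error text closes the reconnaissance channel answer 145 describes, but only parameterization removes the underlying defect.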
135.  B. EC Council defines two types of penetration tests: external and internal. An external assessment analyzes publicly available information and conducts network scanning, enumeration, and testing from the network perimeter. An internal assessment is performed from within the organization, from various network access points. Black box testing assumes no prior knowledge.
A, C, and D are incorrect. White box testers have knowledge of the internal workings and have a generally easier task, and this is obviously occurring inside the network boundary.
136.  A, B, and C. Sometimes questions just involve easy memorization: The pen-test phases are pre-attack, attack, and post-attack.
D, E, and F are incorrect. These are all steps of ethical hacking.
137.  A. The pre-attack phase is where you’d find scanning and other reconnaissance (competitive intelligence, website crawling, and so on).
B, C, and D are incorrect. Scanning does not take place in attack or post-attack. The Attack phase holds four areas of work: penetrate the perimeter, acquire targets, execute attack, and escalate privileges. Actions accomplished in post-attack include removal of all uploaded files and tools, restoration (if needed) to original state, analyzing results, and preparing reports for the customer.
138.  A. A vulnerability assessment only points out potential problems to the client.
B, C, and D are incorrect. These choices do not comply with what the question is asking. Pen testers will definitely take advantage of open vulnerabilities (provided they’re within the boundaries of the test scope). Scanning assessment is not a valid term.
139.  A and D. Both Core Impact and CANVAS are automated pen-test application suites. Automated tests—using a tool such as CANVAS or Core Impact—are generally faster and cheaper than manual pen testing, which involves a professional team and a predefined scope/agreement. They are more susceptible to false positives and false negatives, and they also don’t necessarily care about any scope or test boundary.
B, C, and E are incorrect. Netcat is a multipurpose scanner and backdoor (sometimes labeled as a Trojan). Nmap is a port scanner. Cheops is an older tool used for network mapping.
140.  B. In the attack phase, the team will attempt to penetrate the network perimeter, acquire targets, execute attacks, and elevate privileges. Getting past the perimeter might take into account things such as verifying ACLs by crafting packets and checking the use of any covert tunnels inside the organization. Attacks such as XSS, buffer overflows, and SQL injections will be used on web-facing applications and sites. After acquiring specific targets, password cracking, privilege escalation, and a host of other attacks will be carried out.
A, C, and D are incorrect. These phases do not include the attacks listed.
141.  A, B, and C. Final reports include an executive summary of the organization’s overall security posture (if testing under the auspices of FISMA, DIACAP, HIPAA, or some other standard, this will be tailored to the standard), names of all participants, dates of all tests, a list of findings (usually presented in order of highest risk), an analysis of each finding, recommended mitigation steps (if available), and log files and other evidence from your toolset.
D is incorrect. Pen tests do not fix vulnerabilities discovered. A pen test is not designed to repair or mitigate security problems as they are discovered.
142.  D. Nessus is perhaps the best-known vulnerability assessment tool available. It is highly customizable and can check for everything from missing patches and misconfiguration settings to default or overly common passwords in use.
A, B, and C are incorrect. BlackWidow is a web assessment/copying tool but is not the best choice here. Httrack and BurpSuite are not vulnerability assessment tools.
143.  C. Cookie manipulation is, sometimes, an easy and overlooked method of gaining access or elevating privileges. In this example, the parameter “ADMIN=no” is an obvious candidate.
A, B, and D are incorrect. This cookie does not indicate anything about SQL injection.
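The “ADMIN=no” cookie in answer 143 is only exploitable because the server trusts whatever the client sends back. The following Python is an added example, not from the book, of the usual defense: the server attaches an HMAC tag to the cookie and refuses any cookie whose tag no longer matches its contents. The secret key, cookie fields and function names are constructed for illustration.

```python
"""Tamper-evident cookies with an HMAC tag.

Added example (not from the book). The key and cookie contents are
constructed for illustration; a real deployment loads the key from a secret
store and rotates it.
"""
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key-do-not-reuse"


def _tag(payload: str, key: bytes) -> str:
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def sign_cookie(payload: str, key: bytes = SECRET) -> str:
    """Server side: emit 'payload|tag'. The payload stays readable; the tag
    is what makes edits detectable."""
    return f"{payload}|{_tag(payload, key)}"


def verify_cookie(cookie: str, key: bytes = SECRET):
    """Return the payload if the tag matches, else None.
    compare_digest keeps the comparison constant-time."""
    payload, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    return payload if hmac.compare_digest(tag, _tag(payload, key)) else None


def is_admin(cookie: str, key: bytes = SECRET) -> bool:
    """Only honour the ADMIN field if the cookie is intact."""
    payload = verify_cookie(cookie, key)
    if payload is None:
        return False
    fields = dict(kv.split("=", 1) for kv in payload.split(";") if "=" in kv)
    return fields.get("ADMIN") == "yes"


if __name__ == "__main__":
    issued = sign_cookie("USER=jack;ADMIN=no")
    edited = issued.replace("ADMIN=no", "ADMIN=yes")   # the attack from answer 143
    print("issued :", issued, "->", is_admin(issued))
    print("edited :", edited, "->", is_admin(edited))
```

Signing stops the client from changing the flag, but it does not stop the client from reading it, and it still puts an authorization decision inside something the client holds. The stronger design keeps only an opaque session identifier in the cookie and looks up the role server-side, so there is nothing in the cookie worth editing in the first place.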
144.  D. A Smurf attack is a generic denial of service (DoS) attack against a target machine. The idea is simple: Have so many ICMP requests going to the target that all its resources are taken up. To accomplish this, the attacker spoofs the target’s IP address and then sends thousands of ping requests from that spoofed IP to the subnet’s broadcast address. This, in effect, pings every machine on the subnet. Assuming they’re configured to do so, each and every one of the machines will respond to the request, effectively crushing the target’s network resources.
A, B, and C are incorrect. An ICMP flood occurs when the hacker sends ICMP ECHO packets to the target with a spoofed (fake) source address. The target continues to respond to an address that doesn’t exist and eventually reaches a limit of packets per second sent. A Ping of Death fragments an ICMP message to send to a target. When the fragments are reassembled, the resulting ICMP packet is larger than the maximum size and crashes the system. A SYN flood takes place when an attacker sends multiple SYN packets to a target without providing an acknowledgement to the returned SYN/ACK. This is an attack that does not necessarily work on modern systems. A Fraggle attack uses UDP packets.
145.  C. The error message clearly displays a SQL error, showing there’s an underlying SQL database to contend with and it’s most likely not configured correctly.
A, B, and D are incorrect. The error message doesn’t provide enough information to indicate cross-site scripting or buffer overflow. Malware may be a possibility, but that can’t be determined from this output.
146.  B and D. The pen test agreement can allow for unannounced testing, should upper management of the organization decide to test their IT Security staff’s reaction times and methods. Additionally, pen tests always have a scope, defining the beginning and end of the test—both in time and where the team is allowed to go (not to mention which attacks they’re allowed to use along the way).
A, C, and E are incorrect. Unless expressly forbidden in the scope agreement, social engineering is a big part of any true pen test. The scope agreement usually defines how far a pen tester can go (that is, no intentional denial of service attacks and so on). Clients are provided a list of discovered vulnerabilities after the test, even if the team did not exploit them.
147.  C. The sequence of commands indicates the MAC address is being changed on the interface (WLAN 0). The attacker brings down the wireless interface, changes its hardware address, and then brings it back up. The most likely reason for this is MAC filtering is enabled on the AP, restricting access to only those machines the administrator wants connecting to the wireless network. The attacker simply sniffs traffic to find an allowed user and spoofs their address.
A, B, and D are incorrect. Port security isn’t an option on wireless access points. SSID cloaking has nothing to do with this scenario. Weak signal strength has nothing to do with this scenario either.
148.  B. Meterpreter, short for Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that allow developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard antivirus detection.
A, C, and D are incorrect. Inline payloads are single payloads that contain the full exploit and shell code for the designed task. They are easier to detect and, because of their size, may not be viable for many attacks. Staged payloads establish a connection between the attacking machine and the victim. They then read in a payload to execute on the remote machine. Finally, “remote” isn’t a recognized payload type.
149.  D. BlackWidow can download a clone of a website for scanning and vulnerability discovery at your leisure. It can download an entire website or download portions of a site, and it can build a site structure.
A, B, and C are incorrect. BurpSuite isn’t designed to pull an entire copy of a website externally and run through tests. It is an integrated platform for performing security testing of web applications. NetCraft isn’t a tool to be used for this purpose. It provides all sorts of security tools aimed at the web sector—among them, phishing protection and identification. HttpRecon isn’t used in this manner. It is known as a web server fingerprinting tool.
150.  B. Buffer overflows input more information into a buffer area in order to write code to a different area of memory so it can be executed. A “heap” buffer attack takes advantage of the memory space set aside for the program itself. Heap is the memory area immediately “on top of” the program and is not temporary. Pages in the heap can be read from and written to, which is what the attacker will be trying to exploit.
A, C, and D are incorrect. Whereas heap is memory set aside in the application and is not “temporary,” the stack is designed where each task is added on top of the previous tasks and is executed in order. The other answers are added as distractors.