Chapter 17: CEH Exam Practice Questions

In this chapter, I have provided some questions to help you further prepare for the Certified Ethical Hacker (CEH) exam. These questions will help you prepare and test your knowledge of the necessary skills to be an effective information technology (IT) security professional and ethical hacker.

Exam questions

Please choose the best answer to the following questions. Some questions may have more than one possible answer, as indicated in the question:

  1. When is it appropriate to test another person's system?
    1. If you've been given permission or have been invited to do so
    2. If you believe the system has been hacked
    3. When you've discovered a vulnerability in the system
    4. If you believe the system is valuable
  2. If you were using the Shodan web service, which type of device would you be searching for?
    1. Web servers
    2. IoT
    3. Mobile
    4. Cloud storage servers
  3. Which type of scan sends a packet with all flags set?
    1. SYN scan
    2. TCP connect
    3. Full open scan
    4. XMAS scan
  4. Which of the following best describes enumeration?
    1. User and machine name identification
    2. Identifying the network's active systems
    3. Password cracking
    4. Router and firewall identification
  5. To find a vulnerability, an attacker sends probes and forged requests to a target. Which kind of scan is being performed?
    1. Active
    2. Passive
    3. Flooding
    4. MiTM
  6. Which hashing mechanism is disabled on newer versions of Windows?
    1. NTLM
    2. Kerberos
    3. NTLMv2
    4. LM
  7. All of the following can be used in social engineering except __________.
    1. Mobile phones
    2. Viruses
    3. Instant messaging
    4. Trojan horses
  8. Which of the following propagates without human interaction?
    1. Trojan
    2. Worm
    3. MITM
    4. Virus
  9. A switch port is connected to a target system (with a media access control (MAC) address of 12:34:56:AB:CD:EF). An attacker (with a MAC address of 78:91:00:ED:BC:A1) is connected to a different port on the same switch and is capturing packets. There are no port spanning or port security measures in effect. The target machine sends out two packets. The destination MAC address for message 1 is E1:22:BA:87:AC:12. Message 2's target MAC address is FF:FF:FF:FF:FF:FF. Which of the following claims about the communications being sent is correct?
    1. The attacker will see neither message.
    2. The attacker will see message 1.
    3. The attacker will see message 2.
    4. The attacker will see both messages.
  10. Which of the following statements is correct? (Select all options that apply)
    1. WPA2 encrypts with TKIP and the AES.
    2. WEP employs RC4-based shared key encryption.
    3. WEP employs TKIP's shared key encryption.
    4. WPA2 employs RC4-based shared key encryption.
  11. Which kind of access does rooting an Android device give you?
    1. Domain-level access
    2. Admin/root access with privileges
    3. Root access at the lowest level 
    4. Root access at the highest level 
  12. Which kind of attack can be used to hijack an existing session?
    1. Session hijacking
    2. Cookie snooping
    3. Session sniffing
    4. Cookie hijacking
  13. An attacker determines that a company's facility controls such as temperature monitors are somewhat insecure and manages to break into the system, enabling them to attack the local network remotely. Which of the following attacks would this be regarded as?
    1. Exploiting the HVAC
    2. BlueBorne attack
    3. DDoS attack
    4. Rolling code attack
  14. Which of the following can be used to secure cloud-based data?
    1. SSL
    2. Harvesting
    3. Drive encryption
    4. Transport encryption
  15. _________ is another name for symmetric cryptography.
    1. Steganography
    2. Hashing
    3. Shared key cryptography
    4. Public key cryptography
  16. Regarding digital certificates, which of the following manages them?
    1. Hub
    2. CA
    3. Key
    4. Public key
  17. What is the purpose of Simple Object Access Protocol (SOAP)?
    1. Transports data
    2. Makes it possible for applications to communicate with one another
    3. Encrypts information
    4. Wraps data
  18. Which of the following technologies is the most widely used short-range communication in IoT devices?
    1. RFID
    2. LiFi
    3. Zigbee
    4. QR code
  19. What is a method for storing session data?
    1. Directory
    2. Cookie
    3. File
    4. Snoop
  20. Which of the following is the most accurate description of a web application?
    1. Code that's intended to be run on a client
    2. Targets web services
    3. Code that's intended to be run on a server
    4. SQL code for databases
  21. What is the purpose of rooting a device?
    1. Updates are removed from a system
    2. Removes a user's access
    3. Allows a user on a system to have root access
    4. Increases the device's security
  22. SSID broadcasting has been disabled, MAC filtering has been activated, and wireless encryption has been implemented by Alan. He spots someone using an HP laptop, although the company only buys Dell computers. Alan decides that there are no rogue access points after reviewing access logs and site survey data, and all wireless connection attempts appear to be valid. With an HP laptop, how did the user gain access to the network?
    1. It doesn't matter whose laptop you use if the OUI is the same.
    2. Encryption has been brute-forced by the employee.
    3. An attack by an evil twin is underway.
    4. A legitimate MAC address has been faked by the employee.
  23. You make the decision to intercept communications between two hosts. You start by broadcasting messages to Host A, indicating that your MAC address belongs to Host B. You send messages to Host B at the same time, indicating that your MAC address belongs to Host A. What exactly is going on here?
    1. ARP poisoning, which allows you to see all messages from both sides without interfering with their communications
    2. ARP poisoning, which allows you to view messages from Host A destined for any address
    3. ARP poisoning, which allows you to see messages from Host A to Host B and vice versa
    4. Failed ARP poisoning, which prevents you from seeing any traffic
    5. ARP poisoning, which allows you to see messages from Host B destined for any address
  24. Which of the following is a legal and common mode of communication?
    1. Session hijacking
    2. Covert channel
    3. Overt channel
    4. Backdoor channel
  25. The goal of social engineering is to __________.
    1. Infect a system
    2. Manipulate human behavior
    3. Get a physical advantage
    4. Create distrustful people
  26. Phishing can be mitigated using __________.
    1. Anti-malware
    2. A spam filter
    3. Education
    4. Anti-virus
  27. What benefit does NTLM provide over LM?
    1. SSL
    2. Performance
    3. Mutual authentication
    4. Security
  28. How is a brute-force attack performed?
    1. By trying all possible characters and combinations
    2. By comparing hashes
    3. By trying dictionary lists
    4. By capturing hashes and trying those against a rainbow table
  29. Which metric on a CVSS score covers elements that change over the course of a vulnerability's lifetime?
    1. Follow the white rabbit
    2. Base
    3. Temporal
    4. Environmental
  30. To find hosts and vulnerabilities, which assessment type would you use?
    1. Automated
    2. Passive
    3. Active
    4. Distributed
  31. Which of the following is a command-line tool used to look up a username from an SID?
    1. UsertoSID
    2. PsGetSid
    3. GetAcct
    4. Userenum
  32. Which tool can be used to perform a DNS zone transfer on Windows?
    1. NSlookup
    2. Whois
    3. DNSlookup
    4. Ipconfig
  33. Why would you be concerned about a system with ports 135 to 139 being open?
    1. The system is vulnerable to null sessions since SMB is enabled.
    2. Windows RPC is turned on, and the machine is vulnerable to remote Windows DCOM sessions.
    3. For unauthenticated connections, a secure FTP service is enabled.
    4. SMB is disabled, making the system vulnerable to null sessions.
  34. Which tool is used to conduct passive reconnaissance?
    1. Host scanning
    2. A ping sweep
    3. WHOIS
    4. Traceroute
  35. You stumble across a vulnerability on a network beyond the scope of the engagement while testing. What should you do?
    1. Notify your company right away.
    2. Determine the extent to which you can penetrate the network.
    3. Analyze IDS logs to identify misconfigurations.
    4. Return to your task and add the vulnerability to your discovery work.
  36. Which kind of hacker works for the general good?
    1. White hat
    2. Black hat
    3. Grey hat
    4. Red hat
  37. What is the correct command to run a 5-minute nmap SYN scan?
    1. nmap -sS -sneaky
    2. nmap -ss -t5000
    3. nmap -sS -paranoid
    4. nmap -sS -fast
  38. What is an SNMP enumeration countermeasure?
    1. Ports 135 and 139 shut down at the firewall.
    2. Ports 80 and 443 shut down at the firewall.
    3. Remove the SNMP agent from the device.
    4. SNMP read-only security on the agent device is enabled.
  39. SNMP is a protocol for controlling network infrastructure devices. What is the role of the read/write SNMP community?
    1. Changing configuration information
    2. Managing the SNMP management station
    3. Viewing configuration information
    4. Checking for problems on devices
  40. Which assessment method is described as evaluating both client and server applications at the same time?
    1. Distributed
    2. Active
    3. Automated
    4. Passive
  41. Which of the following would be considered an offline attack?
    1. Cracking
    2. Rainbow attack
    3. PtH
    4. Birthday attack
  42. When targeting an individual, which influencing technique can be used?
    1. Training
    2. Means of dress or appearance
    3. Physical controls
    4. Technological controls
  43. Which of the following steps in recovering from a malware infection is not recommended?
    1. Make a backup of your hard drive.
    2. Reinstall from the original installation media.
    3. Disconnect the computer from the network.
    4. Remove any system restore points that have been created.
  44. In IPv6, which of the following is a loopback address?
    1. fe80::/10
    2. ::1
    3. fc00::/7
    4. fec0::/10
  45. To obtain access to the network, an attacker is attempting to crack the WEP code. They type aireplay-ng -0 0 -a after enabling monitor mode on wlan0 and create a monitoring interface (mon 0) by typing -c mon0 0A:00:2B:15:22:AC 0A:00:2B:15:22:AC 0A:00:2B:15:22:AC. What is the attacker's goal?
    1. To examine the answer to deauthentication packets that contain the WEP code, to obtain the WEP access code
    2. To determine the access point's BSSID
    3. To generate a lot of network traffic with deauthentication packets
    4. To determine the network's disguised SSID
  46. What can a business do to protect itself against data loss if a phone is stolen? (Select all options that apply)
    1. Use passwords.
    2. Deploy patching.
    3. Perform a remote wipe.
    4. Use encryption.
  47. A client-side scripting language is __________.
    1. ASP.NET
    2. PHP
    3. JavaScript
    4. ASP
  48. A server-side scripting language is defined as which of the following?
    1. PHP
    2. JavaScript
    3. HTML
    4. SQL
  49. Which of the following is used to access content that is not located in a website's root directory?
    1. Port scanning
    2. Brute force
    3. Directory traversal
    4. SQL injection
  50. Which of the following is a radio with advanced hardware and software that is used for IoT security testing?
    1. Fluke
    2. Alfa AWUS036NH
    3. Raspberry Pi
    4. HackRF One
  51. To set up a view list on their television, a homeowner uses an app on their phone. In this case, which IoT communication model is in use?
    1. Device-to-cloud
    2. Device-to-gateway
    3. Backend data sharing
    4. Device-to-device
  52. Which attack modifies data as it travels through the cloud?
    1. MITM
    2. Packet sniffing
    3. Port scanning
    4. Encryption
  53. What can changing a packet's checksum be used for?
    1. Sending URG
    2. Sending RST
    3. Evading NIDS
    4. Resetting a connection
  54. Which of the following is another name for asymmetric encryption?
    1. Public key
    2. Shared key
    3. Block
    4. Hash
  55. Which of the following is the most accurate description of hashing?
    1. Non-reversible
    2. An algorithm
    3. A cryptosystem
    4. A cipher
  56. Which kind of algorithm produces a message digest?
    1. Steganography
    2. Symmetric
    3. Asymmetric
    4. Hashing
  57. What is the main goal of the DMCA?
    1. To provide guidance for security control systems
    2. To secure credit card processing transmission
    3. To prevent technology protections from being circumvented
    4. To develop a framework for purpose limitations
  58. Which Act improves the accuracy and dependability of company disclosures, thereby protecting the public and investors?
    1. DPA
    2. DMCA
    3. GDPR
    4. SOX
  59. Which form of social engineering attack can be classified as dumpster diving?
    1. Physical-based
    2. Paper-based
    3. Computer-based
    4. Human-based
  60. Why is it not a good idea to scan using ICMP queries?
    1. Firewalls may prevent a response.
    2. The ICMP protocol is unreliable.
    3. The port may or may not be available at any given time.
    4. ICMP may not be running on the system.
  61. TCP provides all but which of the following functions?
    1. In-order delivery
    2. Error detection
    3. Delivery acknowledgments
    4. Connectionless delivery
  62. FTP uses which port number?
    1. 23
    2. 21
    3. 25
    4. 80
  63. Which kind of assessment is described as determining the likelihood of network attacks?
    1. Credentialed
    2. Network-based
    3. Automated
    4. Host-based
  64. An attacker uses what to return to a target system?
    1. Spyware
    2. Cracker
    3. Backdoor
    4. Service
  65. Which file contains usernames and passwords in a domain environment?
    1. ntds.dit
    2. SAM
    3. Passwd
    4. Shadow
  66. Abby receives an email claiming that her bank account has been compromised and that she needs to click a link and change her password for security purposes. Which type of attack is she being targeted with?
    1. Spam
    2. Phishing
    3. Vishing
    4. Whaling
  67. To prevent potential social engineering attacks, which of the following options would help the most?
    1. Training
    2. Technology
    3. Physical controls
    4. Policies
  68. Which kind of virus is only executed when a specific condition is met?
    1. Multipartite
    2. Metamorphic
    3. Cavity
    4. Sparse infector
  69. Bill's credit card statement shows some questionable charges. Which kind of attack has Bill been subjected to?
    1. Phishing
    2. Social engineering
    3. Bad luck
    4. Identity theft
  70. A security camera captures a non-company employee trailing closely behind an employee as they approach the premises. Which kind of attack is going on?
    1. Walking
    2. Phishing
    3. Tailgating
    4. Gate running
  71. Which of the following malware components is a piece of software that prevents malware from being reverse engineered or analyzed, making it difficult for security systems to detect?
    1. Dropper
    2. Payload
    3. Obfuscator
    4. Crypter
  72. Which of the following could be a good way to protect yourself from ARP spoofing? (Select all options that apply)
    1. Set all NICs to promiscuous mode.
    2. Use ARPWALL.
    3. Use private VLANs.
    4. Use static ARP entries.
  73. You have a Windows laptop and want to start sniffing. You download and install Wireshark, but soon realize that your NIC must be set to promiscuous mode. What gives you the ability to set your NIC to promiscuous mode?
    1. Installing lmpcap
    2. Installing libPcap
    3. Installing winPcap
    4. Installing npcap
  74. Which of the following claims about TKIP is correct? (Select all options that apply)
    1. WEP includes TKIP.
    2. Every 10,000 packets, TKIP mandates a key change.
    3. WPA includes TKIP.
    4. TKIP prevents keys from changing during a session.
  75. Which of the following statements about wireless network architecture is correct?
    1. A BSSID is a service area supplied by a single access point.
    2. An ESS is a service area supplied by a single AP.
    3. An ESS is a service area offered by many APs functioning within the same network.
    4. An ESSID is a service area supplied by numerous APs acting within the same network.
  76. Which method would you use to install software that isn't available on Google Play?
    1. Install sources that are not signed.
    2. Install from an unidentified source.
    3. Install from a service that isn't signed.
    4. Install from unidentified sources.
  77. Which technology can prevent session hijacking?
    1. UDP
    2. IPsec
    3. IDS
    4. TCP
  78. Which of the following can prevent bad data from being entered into a form and being presented to an application?
    1. Directory traversing
    2. Input validation
    3. Request filtering
    4. Input scanning
  79. A web server can be identified using __________.
    1. A banner grab
    2. Session hijacking
    3. Header analysis
    4. Traversal
  80. The notion of DiD in the world of IT security refers to layering multiple controls on top of each other. Why would this be useful in defending against a session hijacking system?
    1. To improve logging capacity
    2. To satisfy auditors
    3. To give a superior defense
    4. To create interdependence between layers
  81. Vehicles appear to be in numerous places at once in this VANET attack, generating traffic congestion and severely limiting data usage. Which of the following statements most accurately describes this attack?
    1. Rolling code
    2. Sybil
    3. BlueBorne
    4. Side-channel
  82. Cloud technologies are used to accomplish which of the following?
    1. Increase management options
    2. Transfer legal responsibility of data to a third party
    3. Offload operations onto a third party
    4. Cut costs
  83. Which kind of cloud service would host email and provide related security services?
    1. SaaS
    2. PaaS
    3. SSaS
    4. IaaS
  84. Who is legally liable for data stored on the cloud?
    1. The CSP
    2. The client
    3. The IT department of the client
    4. The consumer
  85. Why would someone not develop their own private cloud?
    1. To maintain universal access
    2. To offload technical support
    3. To increase availability
    4. To reduce costs
  86. Which of the following services would be offered as a SaaS?
    1. Firewalls
    2. Email
    3. Applications
    4. AD
  87. Which kind of algorithm produces a message digest?
    1. Steganography
    2. Symmetric
    3. Asymmetric
    4. Hashing
  88. The owner of a public key keeps it in a _________ on their local computer.
    1. Private key
    2. Hash
    3. PKI system
    4. Smart card
  89. Because of __________, symmetric key systems face key distribution issues.
    1. The type of data
    2. The number of keys
    3. Generation of key pairs
    4. The amount of data
  90. Which of the following is the most accurate description of PGP?
    1. A symmetric algorithm
    2. A way of encrypting data in a reversible method
    3. A type of key
    4. A key escrow system
  91. Which kind of cloud service might be used to create an application?
    1. BaaS
    2. PaaS
    3. SaaS
    4. IaaS
  92. Which of the following would be a compelling incentive to migrate to a cloud-based environment?
    1. Reduced costs
    2. Improved performance
    3. Easier forensics
    4. Increased redundancy
  93. To set permissions on content on a website, which of the following is used?
    1. HIDS
    2. ACE
    3. ALS
    4. ACL
  94. On a web server or application, what could be utilized to monitor application problems and violations?
    1. NIDS
    2. HIDS
    3. HIPS
    4. Logs
  95. Which of the following is a cookie security attribute?
    1. Encrypt
    2. Secure
    3. HttpOnly
    4. Domain
  96. What does a POODLE attack target?
    1. TLS
    2. SSL
    3. AES
    4. VPN
  97. What is the purpose of remote wipes?
    1. To reset a device to its factory settings
    2. To wipe a device's data completely
    3. To remove sensitive information from a remote system, such as contacts
    4. To place cookies and gadgets on your computer
  98. You're looking at the physical configuration of a target's wireless network. On the site survey, you observe omnidirectional antenna access points in the building's corners. Which of the following statements about this setup is correct? (Select all options that apply)
    1. The deployment of dipole antennas could increase the site's security.
    2. Sniffing from outside the building could make the place vulnerable.
    3. The usage of directional antennas may help to increase the site's security.
    4. Sniffing from outside the building does not pose a threat to the site.
  99. You're attempting to deliver a payload to an internal target, but it's protected by an IDS. You're concerned about completing your assignment without arousing the attention of the IDS monitoring crew. Which of the following methods could be used? (Select two)
    1. Session splicing
    2. Overwhelming the network with bogus attacks
    3. Session hijacking
    4. Ensuring that traffic between you and the host is encrypted
  100. Which malware evolves with each infection?
    1. Cavity
    2. Metamorphic
    3. Polymorphic
    4. Stealth
  101. What benefits does a vulnerability scan aim to deliver to people who run it?
    1. A process to expose vulnerabilities
    2. An opportunity to find open ports
    3. A means to diagram a network
    4. A proxy attack
  102. A proxy is used to __________ in social engineering.
    1. Assist in scanning
    2. Perform a scan
    3. Keep an attacker's origin concealed
    4. Automate the detection of vulnerabilities
  103. Email campaigns known as _________ can be carried out using social engineering.
    1. Splashing
    2. Spamming
    3. Phishing
    4. Vishing
  104. If you were trying to locate where the SAM database was stored, where would you locate it?
    1. C:\ProgramData\SAM
    2. C:\Windows\System32\Config
    3. C:\Windows\SAM
    4. ./root/shadow
  105. What is the term for hiding secret information within (or even on top of) a non-secret document or another medium to prevent detection?
    1. Symbolic links
    2. Rootkit
    3. Steganography
    4. Hidden attributes
  106. If you use precomputed hashes to make an attack, what is the attack called?
    1. Rainbow tables
    2. PtH
    3. NetBIOS
    4. ADS
  107. Which vulnerability assessment solution is said to be installed in the resources of the organization?
    1. Product-based
    2. Inference-based
    3. Service-based
    4. Tree-based
  108. Which vulnerability assessment method is provided by third parties?
    1. Service-based
    2. Internal-based
    3. Tree-based
    4. External-based
  109. Which kind of tool for assessment is used to focus on web servers and databases?
    1. Host-based
    2. Application layer-based
    3. Scope-based
    4. Depth-based
  110. For SNMP to function, which ports does it use?
    1. 389 and 160
    2. 160 and 161
    3. 161 and 162
    4. 160 and 162
  111. Which function is performed by SMTP?
    1. File transfers
    2. Monitoring network equipment
    3. Sending email messages
    4. Status information transmission
  112. To view NetBIOS information, which command should you use?
    1. nbtstat
    2. netstat
    3. nmap
    4. telnet
  113. A network's clocks are synchronized using __________.
    1. FTP
    2. NetBIOS
    3. SAM
    4. NTP
  114. When using the nmap -sP command, what does it mean?
    1. The most popular ports are scanned.
    2. A port redirect attack is being simulated.
    3. A ping sweep is being used to scan.
    4. Private IP addresses are scanned.
  115. If a target responds with an RST flag to a half-open scan, then...
    1. A Linux system is the target.
    2. A Windows system is the target.
    3. An open port is the target.
    4. A closed port is the target.
  116. Which law mandates the use of a common national number by all providers, plans, and employees?
    1. The FISMA
    2. The HIPAA
    3. DPA
    4. GDPR
  117. Which hacking step or phase follows reconnaissance?
    1. Maintaining access
    2. Gaining access
    3. Clearing tracks
    4. Scanning
  118. Which kind of hacker is regarded as one who hacks without fear of legal repercussions?
    1. Suicide hacker
    2. Black hat
    3. Gray hat
    4. Script kiddie
  119. Which form of attack was the 2021 SolarWinds attack, in which attackers were able to infect software that was then sold to customers?
    1. Insider
    2. Close-in
    3. Passive
    4. Active
    5. Distributed
  120. Which answer best describes how Traceroute works?
    1. It determines the location of said router using a protocol that is refused by the gateway.
    2. It determines the number of hops from the sender to the router using the TTL value in an ICMP message.
    3. It sends a specially constructed IP packet to a router to find out how many hops there are between the sender and the destination network.
    4. It learns the name of a router and OS by sending an ICMP destination unreachable message.
  121. Which are the four regional internet registries?
    1. APNIC, MOSTNIC, ARIN, RIPE NCC
    2. APNIC, LACNIC, ARIN, RIPE NCC
    3. APNIC, PICNIC, NANIC, ARIN
    4. APNIC, PICNIC, NANIC, RIPE NCC
  122. What kind of assessment tool is focused on OSs and apps?
    1. Application layer-based
    2. Host-based
    3. Depth-based
    4. Scope-based
  123. Which type of scanner is used when the location and data from a scan are stored on a single system?
    1. Cluster-based
    2. Agent-based
    3. Network-based
    4. Proxy-based
  124. Within your infrastructure, you install a new switch. What should be your initial step in securing this system?
    1. Uplink port disabled
    2. Broadcast storm protection enabled
    3. Default password changed
    4. Serial port disabled
  125. You create a password based on an Avengers character. It has been discovered that your account has been hacked. Which kind of attack did you most likely face?
    1. Rule-based
    2. Brute-force
    3. Syllable
    4. Dictionary
  126. The tendency of humans to behave in set patterns is known as __________.
    1. Habits
    2. Repetition
    3. Piggybacking
    4. Primacy
  127. Using _________ when speaking with a victim can make an attack simpler.
    1. Keywords
    2. Eye contact
    3. Threats
    4. Jargon
  128. Which tactic might an attacker employ to sway a victim?
    1. Tailgating
    2. Acting as tech support
    3. Piggybacking
    4. Name-dropping
  129. The following Wireshark filter is used: tcp.srcport == 80 &&ipc.src == 192.168.1.1 Which of the following statements about the capture filter is correct?
    1. All traffic from 192.168.1.1 intended for port 80 will be displayed in the results.
    2. All HTTP traffic to 192.168.1.1 will be displayed in the results.
    3. All HTTP traffic from 192.168.1.1 will be displayed in the results.
    4. Because of the incorrect syntax, no results will be displayed.
  130. Lois tries to make a phone call on her cell phone, but it is unresponsive. She switches it off and on again after a few minutes of effort. The phone disconnects and becomes unresponsive again during her next call. Which Bluetooth attack is currently active?
    1. Bluejacking
    2. Bluesniffing
    3. Bluesmacking
    4. Bluesnarfing
  131. Which of the following can be used to thwart a malware-delivered MITB attack?
    1. Rooting a device
    2. Anti-spyware
    3. Anti-virus
    4. Using Firefox
  132. Which command would you use to get banner data from a website on port 80?
    1. nc 192.168.10.27 -p -l 80
    2. nc 192.168.10.27 80
    3. nc 192.168.19.27 443
    4. nc 192.168.10.27 -p 80
  133. How does a brute-force attack work?
    1. Uses hashes as a comparison
    2. Attempts all possible character combinations
    3. Attempts words from the dictionary
    4. Captures hashes
  134. What is the Telnet command for retrieving header information from a web server?
    1. telnet <website name> -port:443
    2. telnet <website name> 80
    3. telnet <website name> 443
    4. telnet <website name> -port:80
  135. What kind of information about a web application could be viewed using the Wayback Machine?
    1. Where you can find job posts
    2. Websites
    3. Websites that have been archived
    4. Websites' backup copies
  136. What may be useful in preventing unauthorized personnel from viewing content on a web server?
    1. Redirection
    2. Encryption
    3. Permissions
    4. Firewalls
  137. _________ is a popular attack against web servers and web applications.
    1. Input validation
    2. Banner grab
    3. Buffer overflow
    4. Buffer validations
  138. In a cloud-based firewall, which port is normally open for HTTPS?
    1. 110
    2. 25
    3. 80
    4. 443
  139. Which system is employed as a traffic bottleneck and may be offered as IaaS?
    1. Bastion host
    2. IDS
    3. SNMP host
    4. DMZ
  140. At which layer of the OSI model do you think a cloud-based solution would work?
    1. Layer 1
    2. Layer 2
    3. Layer 3
    4. Layer 4
  141. Which kind of firewall analyzes traffic and would be included in an IaaS solution?
    1. Circuit-level
    2. Packet filtering
    3. Stateful inspection
    4. NIDS
  142. What may be used in place of a URL to get around some of the firewalls that protect cloud-based online applications?
    1. Encryption
    2. Stateful inspection
    3. NIDS
    4. IP address
  143. In which phase of the Cyber Kill Chain methodology do attackers construct a path through which they can connect and send data back and forth?
    1. Command and control (C&C)
    2. Delivery
    3. Weaponization
    4. Actions on objectives
  144. Which OS does SSL rely on?
    1. AES
    2. PKI
    3. Data Encryption Standard (DES)
    4. Triple DES (3DES)
  145. Encryption and other procedures in IPsec take place at which layer of the OSI model?
    1. Level 1
    2. Level 2
    3. Level 3
    4. Level 4
  146. What does the AH protocol perform in IPsec?
    1. Encryption
    2. Data security
    3. Authentication services
    4. Header security
  147. When should SSL be used to secure data?
    1. On a flash drive
    2. On a hard drive
    3. On Bluetooth
    4. During transmission
  148. IPsec employs which of the following?
    1. PKI
    2. SSL
    3. AES
    4. DES

Answer key

This answer key has been provided to help you confirm the answers to the test questions:

  1. A – If you've been given permission or have been invited to do so
  2. B – IoT
  3. D – XMAS scan
  4. A – User and machine name identification
  5. A – Active
  6. D – LM
  7. B – Viruses
  8. B – Worm
  9. C – The attacker will see message 2
  10. A; D – WPA2 encrypts with TKIP and AES; WEP employs RC4-based shared key encryption
  11. B – Admin/root access with privileges
  12. A – Session hijacking
  13. A – Exploiting the HVAC
  14. C – Drive encryption
  15. C – Shared key cryptography
  16. B – CA
  17. B – Makes it possible for applications to communicate with one another
  18. B – Li-Fi
  19. B – Cookie
  20. C – Code that's intended to be run on a server
  21. C – Allows a user on a system to have root access
  22. D – A legitimate MAC address has been faked by the employee
  23. C – ARP poisoning to allow you to see messages from Host A to Host B and vice versa
  24. C – Overt channel
  25. B – Manipulate human behavior
  26. B – A spam filter
  27. D – Security
  28. A – By trying all possible characters and combinations
  29. C – Temporal
  30. C – Active
  31. B – PsGetSid
  32. A – NSlookup
  33. A – The system is vulnerable to null sessions since SMB is enabled
  34. C – WHOIS
  35. A – Notify your company right away
  36. A – White hat
  37. C – nmap -sS -paranoid
  38. C – Remove the SNMP agent from the device
  39. A – Changing the configuration information
  40. A – Distributed
  41. B – Rainbow attack
  42. B – Means of dress or appearance
  43. A – Make a backup of your hard drive
  44. B – ::1
  45. C – To generate a lot of network traffic with deauthentication packets
  46. A; C; D – Use passwords; Perform a remote wipe; Use encryption
  47. C – JavaScript
  48. A – PHP
  49. C – Directory traversal
  50. D – HackRF One
  51. B – Device-to-gateway
  52. A – MITM
  53. C – Evading an NIDS
  54. A – Public key
  55. A – Non-reversible
  56. D – Hashing
  57. C – Prevent technology protections from being circumvented
  58. D – SOX
  59. D – Human-based
  60. B – The ICMP protocol is unreliable
  61. D – Connectionless delivery
  62. B – 21
  63. B – Network-based
  64. C – Backdoor
  65. A – ntds.dit
  66. B – Phishing
  67. A – Training
  68. D – Sparse infector
  69. D – Identity theft
  70. C – Tailgating
  71. A – Dropper
  72. B; C; D – Use ARPWALL; Use Private VLANs; Use static ARP entries
  73. C – Installing winPcap
  74. A – WEP includes TKIP
  75. B; D – An ESS is a service area supplied by a single AP; An ESSID is a service area supplied by numerous APs acting within the same network
  76. B – Install from an unidentified source
  77. B – IPsec
  78. B – Input validation
  79. A – A banner grab
  80. C – To give a superior defense
  81. B – Sybil
  82. A; C; D – Increase management options; Offload operations onto a third party; Cut costs
  83. A – SaaS
  84. B – The client
  85. D – To reduce costs
  86. B – Email
  87. D – Hashing
  88. C – PKI system
  89. B – The number of keys
  90. B – A way of encrypting data in a reversible method
  91. B – PaaS
  92. A; B; D – Reduced costs; Improved performance; Increased redundancy
  93. D – ACL
  94. D – Logs
  95. B; C; D – Secure; HttpOnly; Domain
  96. B – SSL
  97. B – Wipe a device's data completely
  98. A – The deployment of dipole antennas could increase the site's security
  99. A; D – Session splicing; Ensuring that traffic between you and the host is encrypted
  100. B – Metamorphic
  101. A – A process to expose vulnerabilities
  102. C – Keep an attacker's origin concealed
  103. C – Phishing
  104. B – C:\Windows\System32\Config
  105. C – Steganography
  106. A – Rainbow tables
  107. A – Product-based
  108. A – Service-based
  109. B – Application layer-based
  110. C – 161 and 162
  111. C – Sending email messages
  112. A – nbtstat
  113. D – NTP
  114. C – A ping sweep is being used to scan
  115. D – A closed port is the target
  116. B – HIPAA
  117. D – Scanning
  118. A – Suicide hacker
  119. E – Distributed
  120. B – It determines the number of hops from the sender to the router using the TTL value in an ICMP message
  121. B – APNIC, LACNIC, ARIN, RIPE NCC
  122. D – Scope-based
  123. B – Agent-based
  124. C – Default password changed
  125. D – Dictionary
  126. A – Habits
  127. A – Keywords
  128. D – Name-dropping
  129. C – All HTTP traffic from 192.168.1.1 will be displayed in the results
  130. C; D – Bluesmacking; Bluesnarfing
  131. C – Anti-virus
  132. B – nc 192.168.10.27 80
  133. B – Attempts all possible character combinations
  134. B – telnet < website name > 80
  135. C – Websites that have been archived
  136. B – Encryption
  137. C – Buffer overflow
  138. D – 443
  139. A – Bastion host
  140. C; D – Layer 3; Layer 4
  141. C – Stateful inspection
  142. D – IP address
  143. A – C&C
  144. B – PKI
  145. C – Level 3
  146. C – Authentication services
  147. D – During transmission
  148. A – PKI

I hope you feel more prepared for the CEH exam now that you have worked through all these questions. Review the ones you may have missed and use them as a launching point for further study so that you understand the concepts being taught.
