  1.  What is the second step in the TCP three-way handshake?
A.  SYN
B.  ACK
C.  SYN/ACK
D.  ACK-SYN
E.  FIN
C. Admittedly, this is an easy one, but I’d bet dollars to doughnuts you see it in some form on your exam. It’s such an important part of scanning and enumeration because, without understanding this basic principle of communication channel setup, you’re almost doomed to failure. A three-way TCP handshake has the originator forward a SYN. The recipient, in step 2, sends a SYN and an ACK. In step 3, the originator responds with an ACK. The steps are referred to as SYN, SYN/ACK, ACK.
A is incorrect because SYN is the first step (flag set) in the three-way handshake.
B is incorrect because ACK is the last step (flag set) in the three-way handshake.
D is incorrect because of the order listed. True, both of these flags are set in the three-way handshake. However, in discussing this step-by-step process, it’s SYN/ACK, not the other way around. And, yes, this distractor, in some form, will most likely be on your exam.
E is incorrect because the FIN flag brings an orderly close to a communication session.
  2.  You wish to perform a ping sweep of a subnet within your target organization. Which of the following nmap command lines is your best option?
A.  nmap 192.168.1.0/24
B.  nmap -sT 192.168.1.0/24
C.  nmap -sP 192.168.1.0/24
D.  nmap -P0 192.168.1.0/24
C. The -sP switch within nmap is designed for a ping sweep. Nmap syntax is fairly straightforward: nmap <scan options> <target>. If you don’t define a switch, nmap performs a basic enumeration scan of the target(s). The switches, though, provide the real power with this tool.
A is incorrect because this syntax will not perform a ping sweep. This syntax will run a basic scan against the entire subnet.
B is incorrect because the -sT switch does not run a ping sweep. It stands for a TCP Connect scan, which is the slowest—but most productive and loud—scan option.
D is incorrect because this syntax will not perform a ping sweep. The -P0 switch actually runs the scan without ping (ICMP). This is a good switch to use when you don’t seem to be getting responses from your target(s). It forces nmap to start the scan even if it thinks that the target doesn’t exist (useful if the computer is blocked by a firewall).
  3.  Which of the following TCP flags is used to reset a connection?
A.  SYN
B.  ACK
C.  PSH
D.  URG
E.  FIN
F.  RST
F. The RST flag, when set, indicates to both parties that communications need to be closed and restarted. It forces a termination of communications in both directions, and is used to reset a connection.
A is incorrect because the SYN flag is used to initiate a connection between hosts. The synchronize flag is set during initial communication establishment and indicates negotiation of parameters and sequence numbers.
B is incorrect because the ACK flag is used to acknowledge receipt of a packet. It is set as an acknowledgement to SYN flags, and is set on all segments after the initial SYN flag.
C is incorrect because the PSH flag is used to instruct the sender to immediately send all buffered data: it forces delivery of data without concern for any buffering.
D is incorrect because the URG flag is used to indicate a packet that needs to be processed immediately. When this flag is set, it indicates the data inside is being sent out of band.
E is incorrect because the FIN flag is used to tell the recipient there will be no more traffic. It signifies an ordered close to communications.
  4.  A pen test team member is attempting to enumerate a Windows machine and uses a tool called enum to enumerate user accounts on the device. Doubtful this can be done, a junior team member is shocked to see the local users enumerated. The output of his enum use is provided here:
[enum output screenshot not reproduced]
The junior team member asks what type of connection is used by this tool to accomplish its task and is told it requires a “null session” to be established first. If the machine allows null connections, which of the following command strings will successfully connect?
A.  net use "" /u: \\192.169.5.12\share ""
B.  net use \\192.168.5.12\c$ /u:""
C.  net use \\192.168.5.12\share "" /u:""
D.  net use \\192.168.5.12\c$ /u:""
C. You will definitely be asked about null sessions on the exam, and will need to know the syntax very well. A null session occurs when you log into a system with no user ID and password at all. This type of connection can’t be made to a regular share, but it can be done to the Interprocess Communication (IPC) administrative share, which Windows processes use, under the SYSTEM username, to communicate with other processes across the network. Some tools that make use of the null session are enum, SuperScan, User2SID, and SID2User. net use \\IPAddress\share "" /u:"" is the correct syntax for establishing a null session.
A is incorrect because the correct syntax is not used.
B is incorrect because the correct syntax is not used. Additionally, see the C$ entry there? That’s a dead giveaway, and CEH test question writers love using it to confuse you—especially if the question has something about “a null session to exploit an administrative share.” This, of course, is referencing the IPC$, but some candidates immediately see that term and go for C$ every time. Don’t fall for it—remember, null sessions = IPC$ share.
D is incorrect because the correct syntax is not used.
  5.  A colleague enters the following command:
[command screenshot not reproduced]
What is being attempted here?
A.  An ACK scan using hping3 on port 80 for a single address
B.  An ACK scan using hping3 on port 80 for a group of addresses
C.  Address validation using hping3 on port 80 for a single address
D.  Address validation using hping3 on port 80 for a group of addresses
B. Hping is a great tool providing all sorts of options. You can craft packets with it, audit and test firewalls, and do all sorts of crazy man-in-the-middle stuff with it. In this example, you’re simply performing a basic ACK scan (the -A switch) using port 80 (-p 80) on an entire Class C subnet (the “x” in the address runs through all 254 possibilities). Hping3, the latest version, is scriptable (TCL language) and implements an engine that allows human-readable description of TCP/IP packets.
A is incorrect because the syntax is for an entire subnet (or, I guess to be technically specific, all 254 addresses that start with 192.168.2). The “x” in the last octet tells hping to fire away at all those available addresses.
C and D are both incorrect because “address validation” is not a scan type.
  6.  You are examining traffic between hosts and note the following exchange:
[packet capture listing not reproduced]
Which of the following statements are true regarding this traffic? (Choose all that apply.)
A.  It appears to be part of an ACK scan.
B.  It appears to be part of an XMAS scan.
C.  It appears port 4083 is open.
D.  It appears port 4083 is closed.
B and C. The exam will ask you to define scan types in many, many ways. It may be a simple definition match; sometimes it’ll be some crazy Wireshark or tcpdump listing. In this example, you see a cleaned-up traffic exchange showing packets from one host being sent one after another to the second host, indicating a scan attempt. The packets have the FIN, URG, and PSH flags all set, which tells you it’s an XMAS scan. If the destination port is open, you should receive an RST/ACK response—if it’s closed, we get nothing. This tells us port 4083 looks like it’s open. As an addendum, did you know there are two reasons why it’s called an XMAS scan? The first is because it lights up an IDS like a Christmas tree, and the second is because the flags themselves are all lit.
A is incorrect because there is no indication this is an ACK scan. An ACK scan has only the ACK flag set, and is generally used in firewall filter tests: no response means a firewall is present, and RST means the firewall is not there (or the port is not filtered).
D is incorrect because you did receive an answer from the port (a RST/ACK was sent in the fourth line of the capture).
  7.  You are examining traffic and notice an ICMP type 3, code 13 response. What does this normally indicate?
A.  The network is unreachable.
B.  The host is unknown.
C.  Congestion control is enacted for traffic to this host.
D.  A firewall is prohibiting connection.
D. ICMP types will be covered in depth on your exam, so know them well. Type 3 messages are all about “destination unreachable,” and the code in each packet tells you why it’s unreachable. A code 13 indicates “communication administratively prohibited,” which indicates a firewall filtering traffic. Granted, this only occurs when a network designer is nice enough to configure the device to respond in such a way, and you’ll probably never get that nicety in the real world, but the definitions of what the “type” and “code” mean are relevant here.
A is incorrect because “network unreachable” is type 3, code 0. It’s generated by a router to inform the source that the destination address is unreachable, that is, it does not have an entry in the route table to send the message to.
B is incorrect because “host unknown” is type 3, code 7. There’s a route to the network the router knows about, but that host is not there (this sometimes refers to a naming or DNS issue).
C is incorrect because “congestion control” ICMP messaging is type 4.
  8.  You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean?
A.  Your IDLE scan results will not be useful to you.
B.  The zombie system is a honeypot.
C.  There is a misbehaving firewall between you and the zombie machine.
D.  This is an expected result during an IDLE scan.
A. An IDLE scan makes use of a zombie machine and IP’s knack for incrementing fragment identifiers (IPIDs). However, it is absolutely essential the zombie remain idle to all other traffic during the scan. The attacker will send packets to the target with the (spoofed) source address of the zombie. If the port is open, the target will respond to the SYN packet with a SYN/ACK, but this will be sent to the zombie. The zombie system will then craft a RST packet in answer to the unsolicited SYN/ACK, and the IPID will increase. If this occurs randomly, then it’s very probable your zombie is not, in fact, idle, and your results are moot. See, if it’s not idle, it’s going to increment haphazardly, as communications from the device will be shooting hither and yon with wild abandon. You’re banking on the fact the machine is quietly doing your bidding—and nothing else.
B is incorrect because there is not enough information here to identify the zombie machine as anything at all—much less a machine set up as a “honeypot.”
C is incorrect because a firewall between you and the zombie won’t have any effect at all on the zombie’s IPIDs.
D is incorrect because this is definitely not expected behavior during an IDLE scan. Expected behavior is for the IPID to increase regularly, once with each discovered open port, not randomly as it does with traffic on an active system.
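The whole IDLE scan rests on a host whose IPID is a predictable global counter, so from the defender's side the useful check is the inverse one: sample your own hosts' IPIDs and find the ones that still count up (and so could be borrowed as zombies, and leak their traffic volume). The following is an added example, not code from the book; the sample IPID sequences are constructed, and the thresholds that separate "quiet counter" from "busy counter" are my assumptions.

```python
"""Judge whether a host's IP identification field is predictable.

Added example for the IDLE-scan answer above; not code from the book.
The IPID sequences are constructed for the demonstration.
"""
from typing import List


def ipid_deltas(ids: List[int]) -> List[int]:
    """Differences between consecutive IPIDs, modulo the 16-bit field."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]


def classify_ipid(ids: List[int]) -> str:
    """Classify IPIDs sampled by sending the host one probe at a time.

    'incremental'      global counter stepping by exactly 1: what an IDLE
                       scan needs from its zombie, and a sign the host
                       leaks how many packets it sends
    'incremental-busy' a counter, but other traffic is interleaved
    'byte-swapped'     counter stored little-endian, so it steps by 256
    'zero' / 'constant' field not used
    'random'           no usable pattern (the modern default)
    """
    if len(ids) < 4:
        raise ValueError("need at least four samples")
    if all(i == 0 for i in ids):
        return "zero"
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(d == 1 for d in deltas):
        return "incremental"
    if all(d % 256 == 0 and 256 <= d <= 5 * 256 for d in deltas):
        return "byte-swapped"
    if all(1 <= d <= 32 for d in deltas):       # assumed ceiling for a busy host
        return "incremental-busy"
    return "random"


def zombie_is_idle(ids: List[int]) -> bool:
    """Question 8's test: every delta must be exactly 1, meaning nothing
    else left the host between our probes."""
    return classify_ipid(ids) == "incremental"


# Constructed samples
QUIET_COUNTER = [31337 + i for i in range(8)]
BUSY_COUNTER = [31337, 31339, 31346, 31347, 31355, 31370, 31371, 31380]
RANDOMISED = [19271, 50012, 4461, 61230, 12849, 39014, 2201, 47730]
LITTLE_ENDIAN = [256 * i for i in range(1, 9)]


if __name__ == "__main__":
    for label, sample in (("quiet", QUIET_COUNTER), ("busy", BUSY_COUNTER),
                          ("random", RANDOMISED), ("byte-swapped", LITTLE_ENDIAN)):
        print(f"{label:12s} {classify_ipid(sample):17s} idle zombie: {zombie_is_idle(sample)}")
```

Anything other than "random" on a host you own is worth a ticket: every mainstream operating system can randomise the field today, and doing so removes the host from the zombie pool entirely.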
  9.  As a pen test on a major international business moves along, a colleague discovers an IIS server and a mail exchange server on a DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the ping. What is the most likely reason for the lack of response?
A.  The hosts might be turned off or disconnected.
B.  ICMP is being filtered.
C.  The destination network might be down.
D.  The servers are Linux based and do not respond to ping requests.
B. Admittedly, this one is a little tricky, and, yes, I purposefully wrote it this way (mainly because I’ve seen questions like this before). The key here is the “most likely” designator. It’s entirely possible—dare I say, even expected—that the Systems Administrator on those two very important machines would turn off ICMP. Of the choices provided, this one is the most likely explanation.
A is incorrect, but only because there is a better answer. This is a major firm that undoubtedly does business at all times of day and with customers and employees around the world (the question did state it was an international business). Is it possible that both these servers are down? Sure, you might have timed your ping sweep so poorly that you happened to hit a maintenance window or something, but it’s highly unlikely.
C is incorrect because, frankly, the odds of an entire DMZ subnet being down while you’re pen testing are very slim. And I can promise you if the subnet did drop while you were testing, your test is over.
D is incorrect because this is simply not true.
10.  Which of the following tools is not a good choice for determining possible vulnerabilities on live targets you have identified?
A.  SAINT
B.  Nmap
C.  Nessus
D.  Retina
B. Nmap is a great scanning tool, providing all sorts of options for you. It can do a great job of identifying “live” machines and letting you know what ports a machine has open—not to mention helping you to identify the operating system in use on the machine. But when it comes to identifying actual vulnerabilities the machine may be open to, other tools are designed for that purpose.
A is incorrect because SAINT (Security Administrator’s Integrated Network Tool) is a vulnerability-scanning tool. It’s now commercially available (used to be free and open source, but no longer) and runs on Linux and Mac OS X. SAINT is one of the few scanners that doesn’t provide a Windows version at all.
C is incorrect because Nessus is a very well-known and popular vulnerability assessment scanner. Also once free and open source, Nessus can now be purchased commercially. It is continually updated and has thousands of “plug-ins” available for almost any usage you can think of.
D is incorrect because Retina is a vulnerability-scanning application. Owned by eEye, Retina is a popular choice on Department of Defense (DoD) and government networks.
11.  Which of the following tools can be used for operating system prediction? (Choose all that apply.)
A.  Nmap
B.  Whois
C.  Queso
D.  ToneLoc
E.  MBSA
A and C. Operating system guessing—also known as fingerprinting, or if you’re really trying to impress someone, stack fingerprinting—can be accomplished by either nmap or Queso. Granted, Queso is an older tool, but it’s still a staple of this certification.
B is incorrect because whois is used to look up registrar information for a web registration.
D is incorrect because ToneLoc is a war dialing tool used to look for open modems on an enterprise.
E is incorrect because MBSA (Microsoft Baseline Security Advisor) is a tool for examining the security posture of a Windows machine. MBSA can provide vulnerability information on the host, locally or remotely.
12.  You are in training for your new pen test assignment. Your trainer enters the following command:
[command screenshot not reproduced]
After typing the command, he hits ENTER a few times. What is being attempted?
A.  A DoS attack against a web server
B.  A zone transfer
C.  Banner grabbing
D.  Configuring a port to “listening” state
C. Banner grabbing is a great enumeration method. The tactic involves sending an unsolicited request to an open port to see what, if any, default message is returned. The returned banner can provide all sorts of details, depending on what application is actually on the port. Things such as error messages, HTTP headers, and login messages can indicate potential vulnerabilities. There are lots of ways to accomplish this. For example, with netcat you can use the following command:
[netcat command not reproduced]
However, telnet (to a port other than 23) is one of the easiest methods for accomplishing the task.
A is incorrect because the worst that can happen on this attempt is a closed session with no banner return. Nothing about this will create or bolster a DoS attack.
B is incorrect because this attempt is clearly not a zone transfer (accomplished on the command line using nslookup or dig).
D is incorrect because telnet is not used in this fashion.
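What telnet or netcat does in that answer is nothing more than "connect, send a few bytes, print what comes back." The following is an added example, not code from the book, that does the same thing in a script, which is how an administrator would inventory their own hosts for version disclosure in banners. To keep it runnable offline it starts a throw-away service on 127.0.0.1 that answers with a constructed `Server:` header; the product name and version in that header are invented, and nothing here contacts a real host.

```python
"""Grab a service banner the way the telnet/netcat answer above describes.

Added example for the banner-grabbing answer; not code from the book.
A loopback stand-in with a constructed "Server:" header plays the target
so the script runs offline.
"""
import socket
import socketserver
import threading
from typing import Optional, Tuple

# Constructed response; product name and version are invented.
CONSTRUCTED_BANNER = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: ExampleHTTPd/1.2.3 (Unix)\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


class _FakeService(socketserver.BaseRequestHandler):
    """Answers whatever it receives (or a silent connect) with the fixed banner."""

    def handle(self) -> None:
        self.request.settimeout(1.0)
        try:
            self.request.recv(1024)        # swallow the client's probe, if any
        except socket.timeout:
            pass
        self.request.sendall(CONSTRUCTED_BANNER)


def start_fake_service() -> Tuple[socketserver.TCPServer, int]:
    """Bind an ephemeral loopback port and serve from a background thread."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _FakeService)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def grab_banner(host: str, port: int,
                probe: bytes = b"HEAD / HTTP/1.0\r\n\r\n",
                timeout: float = 3.0) -> bytes:
    """Connect, send an unsolicited request (the 'hit ENTER a few times' step)
    and return whatever the service volunteers up to the first blank line."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        if probe:
            sock.sendall(probe)
        try:
            while b"\r\n\r\n" not in buf:
                chunk = sock.recv(4096)
                if not chunk:              # service closed the connection
                    break
                buf += chunk
        except socket.timeout:
            pass                           # a quiet port yields whatever we have
    return buf


def server_header(banner: bytes) -> Optional[str]:
    """Pull the product/version string out of an HTTP-style banner."""
    for line in banner.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            return line.split(b":", 1)[1].strip().decode("latin-1")
    return None


def demo() -> Optional[str]:
    """Run the exchange against the loopback stand-in and return its Server value."""
    server, port = start_fake_service()
    try:
        return server_header(grab_banner("127.0.0.1", port))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("Disclosed server software:", demo())
```

The read loop stops at the first blank line or on a timeout, so a port that says nothing (the "closed session with no banner" case in answer A) simply returns empty bytes rather than hanging the script.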
13.  What is being attempted with the following command:
[command screenshot not reproduced]
A.  A full connect scan on ports 1-1024 for a single address
B.  A full connect scan on ports 1-1024 for a subnet
C.  A UDP port scan of ports 1-1024 on a single address
D.  A UDP scan of ports 1-1024 on a subnet
C. In this example, netcat is being used to run a scan on UDP ports (the -u switch gives this away) from 1 to 1024. The address provided is a single address, not a subnet. Other switches in use here are -v (for verbose) and -w2 (defines the two-second timeout for connection, where netcat will wait for a response).
A is incorrect because the -u switch shows this as a UDP scan. By default (that is, no switch in place), netcat runs in TCP.
B is incorrect because the -u switch shows this as a UDP scan. Additionally, this is aimed at a single address, not a subnet.
D is incorrect because this is aimed at a single address, not a subnet.
14.  You are told to monitor a packet capture for any attempted DNS zone transfer. Which port should you key your search on?
A.  TCP 22
B.  TCP 53
C.  UDP 22
D.  UDP 53
B. DNS uses port 53 in both UDP and TCP. Port 53 over UDP is used for DNS lookups. Zone transfers are accomplished using port 53 over TCP. Considering the reliability and error correction available with TCP, this makes perfect sense.
A is incorrect because TCP port 22 is for SSH, not DNS.
C is incorrect because UDP port 22 simply doesn’t exist (SSH is TCP based).
D is incorrect because UDP port 53 is used for DNS lookups. Because lookups are generally a packet or two, and we’re concerned with speed on a lookup, UDP’s fire-and-forget speed advantage is put to use here.
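Keying on TCP/53 narrows the search, but ordinary lookups also fall back to TCP, so the monitor described in the question still has to look inside the stream for the AXFR (or IXFR) question type. The following is an added example, not code from the book: it builds DNS-over-TCP queries (two-byte length prefix, then the message) and inspects them, alerting on any transfer request that does not come from a known secondary. The zone name, addresses and the list of allowed secondaries are constructed for the demonstration.

```python
"""Spot zone-transfer requests inside TCP/53 traffic.

Added example for the DNS answer above; not code from the book. The query
bytes are constructed in build_tcp_query so the detector runs offline; the
zone names and addresses are invented.
"""
import struct
from typing import FrozenSet, List, Optional, Tuple

QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 28: "AAAA", 251: "IXFR", 252: "AXFR"}
TRANSFER_QTYPES = (251, 252)


def encode_name(name: str) -> bytes:
    """DNS wire form: length-prefixed labels ending in a zero byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_tcp_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed DNS query as carried over TCP: two-byte length, then the message."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    message = header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(message)) + message


def parse_question(message: bytes) -> Tuple[str, int]:
    """Return (qname, qtype) from the first question of a raw DNS message."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", message[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = message[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(message[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", message[pos:pos + 2])[0]
    return ".".join(labels), qtype


def inspect_tcp53(payload: bytes, src: str,
                  allowed_secondaries: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Given the start of a client-to-server TCP/53 stream, return an alert for
    an AXFR/IXFR request from any host that is not a known secondary."""
    if len(payload) < 2:
        return None
    (length,) = struct.unpack("!H", payload[:2])
    message = payload[2:2 + length]
    if len(message) < length:
        return None                        # wait for more of the stream
    qname, qtype = parse_question(message)
    if qtype in TRANSFER_QTYPES and src not in allowed_secondaries:
        return f"{QTYPE_NAMES[qtype]} request for {qname} from {src}"
    return None


# Constructed flows: (protocol, source, destination port, payload).
KNOWN_SECONDARIES = frozenset({"10.0.0.53"})
SAMPLE_FLOWS = [
    ("udp", "10.0.0.7", 53, None),                                     # ordinary lookup
    ("tcp", "10.0.0.53", 53, build_tcp_query("corp.example", 252)),    # legitimate secondary
    ("tcp", "10.0.0.9", 53, build_tcp_query("corp.example", 252)),     # anyone else asking
    ("tcp", "10.0.0.9", 53, build_tcp_query("www.corp.example", 1)),   # a lookup over TCP
]


def alerts_for(flows) -> List[str]:
    """Apply the TCP/53 filter from the question, then the AXFR check."""
    out = []
    for proto, src, dport, payload in flows:
        if proto == "tcp" and dport == 53 and payload:
            alert = inspect_tcp53(payload, src, KNOWN_SECONDARIES)
            if alert:
                out.append(alert)
    return out


if __name__ == "__main__":
    for line in alerts_for(SAMPLE_FLOWS):
        print("ALERT:", line)
```

The authoritative server's own `allow-transfer` restriction is the real control; this monitor is the second layer that tells you when somebody tried anyway, and that the UDP lookups can be ignored for this purpose.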
15.  In the scanning and enumeration phase of your attack, you put tools such as ToneLoc, THC-Scan, and WarVox to use. What are you attempting to accomplish?
A.  War dialing
B.  War driving
C.  Proxy discovery
D.  Ping sweeping
A. ToneLoc, THC-Scan, and WarVox are all war-dialing applications. In war dialing, the attacker dials an entire set of phone numbers looking for an open modem. Modems are designed to answer the call, and despite the fact they are for the most part outdated, they can easily provide backdoor access to a system otherwise completely secured from attack.
B is incorrect because war driving refers to a method of discovering wireless access points. Although you may not need a vehicle any longer to do so, war driving used to refer to, quite literally, driving around in a car looking for open access points. In the ethical hacking realm, it still indicates a search for open WAPs.
C is incorrect because the tools listed here have nothing to do with locating and identifying proxies.
D is incorrect because the tools listed here have nothing to do with ping sweeping. Tools such as Angry IP, nmap, Solar Winds, and PingScannerPro are ping sweepers.
16.  Which of the following are SNMP enumeration tools? (Choose all that apply.)
A.  Nmap
B.  SNMPUtil
C.  ToneLoc
D.  OpUtils
E.  Solar Winds
F.  NSAuditor
B, D, E, and F. SNMP (in all its versions) is a great protocol designed to help network managers get the most out of their devices and nets. Unfortunately, it’s so powerful and easy to use that hackers abuse it frequently, leading to many administrators simply turning it off. Enumerating a device using SNMP—crawling the Management Information Base (MIB) for the device—is relatively easy. SNMPUtil, Solar Winds, and OpUtils are probably the most well-known of this group. NSAuditor is probably better known for its vulnerability-scanning features, but it is listed by CEH as an SNMP enumerator.
A is incorrect because nmap is not an SNMP enumerator—it’s a scanning tool.
C is incorrect because ToneLoc is a war-dialing tool used for discovering open modems.
17.  The following results are from an nmap scan:
[nmap scan output not reproduced]
Which of the following is the best option to assist in identifying the operating system?
A.  Attempt an ACK scan
B.  Traceroute to the system
C.  Run the same nmap scan with the -vv option
D.  Attempt banner grabbing
D. Of the options presented, banner grabbing is probably your best bet. In fact, it’s a good start for operating system fingerprinting. You can telnet to any of these active ports or run an nmap banner grab. Either way, the returning banner may help in identifying the OS.
A is incorrect because an ACK scan isn’t necessarily going to help here. For that matter, it may have already been run.
B is incorrect because traceroute does not provide any information on fingerprinting. It will show you a network map, hop by hop, to the target, but it won’t help tell you whether it’s a Windows machine.
C is incorrect because the -vv switch only provides more (verbose) information on what nmap already has. Note that the original run presented this message on the OS fingerprinting effort: “Remote operating system guess: Too many signatures match to reliably guess the OS.”
18.  You wish to run a scan against a target network. You’re concerned about it being a reliable scan, with legitimate results, but want to take steps to ensure it is as stealthy as possible. Which scan type is best in this situation?
A.  nmap -sN targetIPaddress
B.  nmap -sO targetIPaddress
C.  nmap -sS targetIPaddress
D.  nmap -sT targetIPaddress
C. A half-open scan, as defined by this nmap command line, is the best option in this case. The SYN scan was created with stealth in mind, because the full connect scan was simply too noisy (or created more entries in an application-level logging system, whichever your preference). Granted, most IDSs can pick it up; however, if you go slow enough, it is almost invisible.
A is incorrect because a null scan may not provide the reliability you’re looking for. Remember, this scan won’t work on a Windows host at all.
B is incorrect because the -sO switch tells you this is an operating system scan. Fingerprinting scans are not stealthy by anyone’s imagination, and they won’t provide the full information you’re looking for here.
D is incorrect because the -sT option indicates a full connect scan. Although this is very reliable, it is very noisy, and you will most likely be discovered during the scan.
19.  Which of the following ports are required for a null session connection? (Choose all that apply.)
A.  135
B.  137
C.  139
D.  161
E.  443
F.  445
A, B, C, and F. Null sessions have been virtually eliminated from the hacking arsenal since Windows XP was released; however, many machines are still vulnerable to this attack and—more importantly to you—the CEH test loves covering it. Null session connections make use of TCP ports 135, 137, 139, and 445.
D is incorrect because port 161 is used for SNMP, which has nothing to do with null session connections.
E is incorrect because port 443 is used for SSL connections, and has nothing to do with null sessions.
20.  You are enumerating a subnet. Examining message traffic you discover SNMP is enabled on multiple targets. If you assume default settings in setting up enumeration tools to use SNMP, which community strings should you use?
A.  Public (read-only) and Private (read/write)
B.  Private (read-only) and Public (read/write)
C.  Read (read-only) and Write (read/write)
D.  Default (both read and read/write)
A. SNMP uses a community string as a form of a password. The read-only version of the community string allows a requester to read virtually anything SNMP can drag out of the device, whereas the read/write version is used to control access for the SNMP SET requests. The read-only default community string is public, whereas the read/write string is private. If you happen upon a network segment using SNMPv3, though, keep in mind that SNMPv3 can use a hashed form of the password in transit versus the clear text.
B is incorrect because the community strings are listed in reverse here.
C is incorrect because “Read” and “Write” are not community strings.
D is incorrect because “Default” is not a community string in SNMP.
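Because SNMPv1 and v2c carry the community string in the clear, the same property that lets an enumeration tool try "public" and "private" lets a defender see those defaults going by. The following is an added example, not code from the book: a minimal BER decoder that pulls the version, community string and PDU type out of an SNMP message and raises an alert when a factory-default community is used, with read/write ("private") called out. It also builds the constructed request packets it parses, so it runs offline; the source addresses are invented, and SNMPv3 messages (which have no community field) are passed through without an alert.

```python
"""Detect default SNMP community strings on the wire.

Added example for the SNMP community-string answer above; not code from
the book. build_request constructs the v1/v2c packets the parser reads, so
everything runs offline; the source addresses are invented.
"""
from typing import Optional, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}


def _tlv(tag: int, value: bytes) -> bytes:
    """BER-encode one element (short-form length is enough for these sizes)."""
    if len(value) >= 128:
        raise ValueError("long-form length not needed for these packets")
    return bytes([tag, len(value)]) + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER element, long-form lengths included; return (tag, value, next)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_request(community: str, pdu_tag: int = 0xA0, version: int = 0) -> bytes:
    """Constructed SNMP request for sysDescr.0 (1.3.6.1.2.1.1.1.0); version 0 = v1, 1 = v2c."""
    oid = bytes.fromhex("2b06010201010100")
    varbind = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))
    pdu = _tlv(pdu_tag,
               _tlv(0x02, b"\x01")          # request-id
               + _tlv(0x02, b"\x00")        # error-status
               + _tlv(0x02, b"\x00")        # error-index
               + _tlv(0x30, varbind))       # variable bindings
    return _tlv(0x30,
                _tlv(0x02, bytes([version]))
                + _tlv(0x04, community.encode("latin-1"))
                + pdu)


def parse_snmp_header(packet: bytes) -> Tuple[int, Optional[str], Optional[int]]:
    """Return (version, community, pdu_tag). SNMPv3 has no community, so those are None."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(ver, "big")
    if version not in (0, 1):
        return version, None, None
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    return version, community.decode("latin-1"), body[pos]


def audit(packet: bytes, src: str) -> Optional[str]:
    """Alert when a v1/v2c message uses a factory-default community string."""
    version, community, pdu = parse_snmp_header(packet)
    if community is None or community.lower() not in DEFAULT_COMMUNITIES:
        return None
    access = "read/write" if community.lower() == "private" else "read-only"
    return (f"default {access} community '{community}' in "
            f"{PDU_NAMES.get(pdu, hex(pdu))} from {src} "
            f"(SNMPv{'1' if version == 0 else '2c'})")


if __name__ == "__main__":
    # Constructed traffic: a default read-only poll, a default read/write SET, a non-default poll.
    for pkt, src in ((build_request("public"), "10.0.0.9"),
                     (build_request("private", pdu_tag=0xA3), "10.0.0.9"),
                     (build_request("Xq7-rotated-string"), "10.0.0.12")):
        print(audit(pkt, src) or f"no finding for {src}")
```

The `private` SetRequest is the one to page on: it is the read/write string the answer describes, and on a device that still honours it a single SET can change configuration, not just read it.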
21.  Nmap is a powerful scanning and enumeration tool. What does this nmap command attempt to accomplish?
[nmap command not reproduced]
A.  A serial, slow operating system discovery scan of a Class C subnet
B.  A parallel, fast operating system discovery scan of a Class C subnet
C.  A serial, slow ACK scan of a Class C subnet
D.  A parallel, fast ACK scan of a Class C subnet
D. You are going to need to know nmap switches very well for your exam. In this example, the -A switch indicates an ACK scan (the only scan that returns no response on a closed port), and the -T4 switch indicates an “aggressive” scan, which runs fast and in parallel.
A is incorrect because a slow, serial scan would use the -T0 or -T1 switch. Additionally, the OS detection switch is -O, not -A.
B is incorrect because although this answer got the speed of the scan correct, the operating system detection portion is off.
C is incorrect because although this answer correctly identified the ACK scan switch, the -T4 switch was incorrectly identified.
22.  You are examining a packet capture of all traffic from a host on the subnet. The host sends a segment with the SYN flag set, in order to set up a TCP communications channel. The destination port is 80, and the sequence number is set to 10. Which of the following statements are not true regarding this communications channel? (Choose all that apply.)
A.  The host will be attempting to retrieve an HTML file.
B.  The source port field on this packet can be any number between 1023 and 65535.
C.  The first packet from the destination in answer back to this host will have the SYN and ACK flags set.
D.  The packet returned in answer to this SYN request will acknowledge the sequence number by returning “10.”
A and D. Yes, it is true that port 80 traffic is HTTP; however, there are two problems with this statement. The first is that all that is happening here is an arbitrary connection to something on port 80. For all we know, it’s a listener, telnet connection, or anything at all. Second, assuming it’s actually an HTTP server, the sequence described here would do nothing but make a connection—not necessarily transfer anything. Sure, this is picky, but it’s the truth. Next, sequence numbers are acknowledged between systems during the three-way handshake by incrementing by 1. In this example, the source sent an opening sequence number of “10” to the recipient. The recipient, in crafting the SYN/ACK response, will first acknowledge the opening sequence number by incrementing it to 11. After this, it will add its own sequence number to the packet (a random number it will pick) and send both off.
B is incorrect because it’s a true statement. Source port fields are dynamically assigned using anything other than the “well-known” port range (0–1023). IANA has defined the following port number ranges: ports 1024 to 49151 are the registered ports (assigned by IANA for specific service upon application by a requesting entity) and ports 49152 to 65535 are dynamic or private ports that cannot be registered with IANA.
C is incorrect because it’s a true statement. The requesting machine has sent the first packet in the three-way handshake exchange—a SYN packet. The recipient will respond with a SYN/ACK and wait patiently for the last step—the ACK packet.
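The handshake rules spread across questions 1, 3 and 22 (SYN, then SYN/ACK, then ACK; the reply acknowledges the client's sequence number plus one; the source port comes from outside the well-known range) can be checked mechanically against a capture. The following is an added example, not code from the book: it decodes the fixed 20-byte TCP header, names the flags, and validates three segments as a handshake, reporting every rule they break. The headers are constructed in `build_tcp_header` with invented ports and sequence numbers; the client ISN of 10 and destination port 80 mirror question 22, and the second capture is the false statement D (the server echoing 10 instead of 11).

```python
"""Decode TCP headers and check a captured three-way handshake.

Added example tying together the handshake, flag and sequence-number
answers above (questions 1, 3 and 22); not code from the book. Headers
are constructed in build_tcp_header with invented ports and ISNs.
"""
import struct
from typing import Iterable, List, NamedTuple

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


class TcpSegment(NamedTuple):
    sport: int
    dport: int
    seq: int
    ack: int
    flags: frozenset


def parse_tcp_header(raw: bytes) -> TcpSegment:
    """Decode the fixed 20-byte TCP header; the flags sit in the low bits of
    the data-offset/flags word."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    flags = frozenset(name for name, bit in FLAG_BITS.items() if off_flags & bit)
    return TcpSegment(sport, dport, seq, ack, flags)


def build_tcp_header(sport: int, dport: int, seq: int, ack: int,
                     flags: Iterable[str], window: int = 65535) -> bytes:
    """Constructed header for the demo: data offset 5 words, checksum left zero."""
    bits = sum(FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, window, 0, 0)


def check_handshake(segments: List[TcpSegment]) -> List[str]:
    """Validate three captured segments as SYN, SYN/ACK, ACK.
    Returns the rule violations; an empty list means a textbook handshake."""
    if len(segments) != 3:
        return ["expected exactly three segments"]
    syn, synack, ack = segments
    problems = []
    if syn.flags != {"SYN"}:
        problems.append("step 1 should carry only SYN")
    if syn.sport < 1024:
        problems.append("client source port falls in the well-known range")
    if synack.flags != {"SYN", "ACK"}:
        problems.append("step 2 should carry SYN and ACK")
    if (synack.sport, synack.dport) != (syn.dport, syn.sport):
        problems.append("step 2 ports are not the reverse of step 1")
    if synack.ack != (syn.seq + 1) & 0xFFFFFFFF:
        problems.append("step 2 must acknowledge the client ISN + 1")
    if ack.flags != {"ACK"}:
        problems.append("step 3 should carry only ACK")
    if ack.seq != synack.ack:
        problems.append("step 3 sequence number should equal the acknowledged ISN + 1")
    if ack.ack != (synack.seq + 1) & 0xFFFFFFFF:
        problems.append("step 3 must acknowledge the server ISN + 1")
    return problems


def check_raw(headers: List[bytes]) -> List[str]:
    """Parse raw headers, then apply check_handshake."""
    return check_handshake([parse_tcp_header(h) for h in headers])


# Constructed capture matching question 22: client ISN 10, destination port 80.
CLIENT_ISN, SERVER_ISN = 10, 2_000_000
GOOD_HANDSHAKE = [
    build_tcp_header(50512, 80, CLIENT_ISN, 0, ["SYN"]),
    build_tcp_header(80, 50512, SERVER_ISN, CLIENT_ISN + 1, ["SYN", "ACK"]),
    build_tcp_header(50512, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ["ACK"]),
]
# Same exchange, but the server echoes 10 instead of 11 (statement D).
BAD_ACK_HANDSHAKE = [
    GOOD_HANDSHAKE[0],
    build_tcp_header(80, 50512, SERVER_ISN, CLIENT_ISN, ["SYN", "ACK"]),
    GOOD_HANDSHAKE[2],
]


if __name__ == "__main__":
    for name, capture in (("good", GOOD_HANDSHAKE), ("bad ack", BAD_ACK_HANDSHAKE)):
        print(name, "->", check_raw(capture) or "valid three-way handshake")
```

The masking with `0xFFFFFFFF` matters in a real capture: a client ISN of 0xFFFFFFFF is legitimately acknowledged with 0, and a checker that forgets the wrap will flag every such connection as broken.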
23.  Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?
A.  URG
B.  PSH
C.  RST
D.  BUF
B. This answer normally gets mixed up with the URG flag, because we all read it as urgent. However, just remember the key word with PSH is “buffering.” In TCP, buffering is used to maintain a steady, harmonious flow of traffic. Every so often, though, the buffer itself becomes a problem, slowing things down. A PSH flag tells the recipient stack that the data should be pushed up to the receiving application immediately.
A is incorrect because the URG flag is used to inform the receiving stack that certain data within a segment is urgent and should be prioritized. As an aside, URG isn’t used very much by modern protocols.
C is incorrect because the RST flag forces a termination of communications (in both directions).
D is incorrect because BUF isn’t a TCP flag at all.
24.  You receive a RST-ACK from a port during a SYN scan. What is the state of the port?
A.  Open
B.  Closed
C.  Filtered
D.  Unknown
B. Remember, a SYN scan occurs when you send a SYN packet to each port you’re probing. If the port is open, you’ll obviously get a SYN/ACK back. However, if the port is closed, you’ll get a RST-ACK.
A is incorrect because an open port would respond differently (SYN/ACK).
C is incorrect because a filtered port would likely not respond at all. (The firewall wouldn’t allow the packet through, so no response would be generated.)
D is incorrect because you know exactly what state the port is in, due to the RST-ACK response.
25.  Which port-scanning method presents the most risk of discovery, but provides the most reliable results?
A.  Full-connect
B.  Half-open
C.  Null scan
D.  XMAS scan
A. Full-connect scan runs through an entire TCP three-way handshake on all ports you aim at. It’s loud and easy to see happening, but the results are indisputable. As an aside, the -sT switch in nmap runs a full-connect scan (you should go ahead and memorize that one).
B is incorrect because a half-open scan involves sending only the SYN packet and watching for responses. It is designed for stealth, but may be picked up on IDS sensors (both network and most host-based IDSs).
C is incorrect because a null scan sends packets with no flags set at all. Responses will vary, depending on the OS and version, so reliability is spotty. As an aside, null scans are designed for UNIX/Linux machines and don’t work on Windows systems.
D is incorrect because although an XMAS scan is very easily detectable (as our celebrated technical editor put it, “a fairly well-trained monkey would see it”), the results are oftentimes sketchy. The XMAS scan is great for test questions, but won’t result in much more than a derisive snort and an immediate disconnection in the real world.