Midterm Ethical Hacking Ch 1-6


81 Terms

1

Which of the following would be the best example of a deterrent control?

A. A log aggregation system

B. Hidden cameras onsite

C. A guard posted outside the door

D. Backup recovery systems

C

2

Enacted in 2002, this U.S. law requires every federal agency to implement information security programs, including significant reporting on compliance and accreditation. Which of the following is the best choice for this definition?

A. FISMA

B. HIPAA

C. NIST 800-53

D. OSSTMM

A

3

Brad has done some research and determined a certain set of systems on his network fail once every ten years. The purchase price for each of these systems is $1200. Additionally, Brad discovers the administrators on staff, who earn $50 an hour, estimate five hours to replace a machine. Five employees, earning $25 an hour, depend on each system and will be completely unproductive while it is down. If you were to ask Brad for an ALE on these devices, what should he answer with?

A. $2075

B. $207.50

C. $120

D. $1200

B

4

An ethical hacker is hired to test the security of a business network. The CEH is given no prior knowledge of the network and has a specific framework in which to work, defining boundaries, nondisclosure agreements, and the completion date. Which of the following is a true statement?

A. A white hat is attempting a black-box test.

B. A white hat is attempting a white-box test.

C. A black hat is attempting a black-box test.

D. A black hat is attempting a gray-box test.

A

5

When an attack by a hacker is politically motivated, the hacker is said to be participating in which of the following?

A. Black-hat hacking

B. Gray-box attacks

C. Gray-hat attacks

D. Hacktivism

D

6

Two hackers attempt to crack a company's network resource security. One is considered an ethical hacker, whereas the other is not. What distinguishes the ethical hacker from the "cracker"?

A. The cracker always attempts white-box testing.

B. The ethical hacker always attempts black-box testing.

C. The cracker posts results to the Internet.

D. The ethical hacker always obtains written permission before testing.

D

7

In which stage of an ethical hack would the attacker actively apply tools and techniques to gather more in-depth information on the targets?

A. Active reconnaissance

B. Scanning and enumeration

C. Gaining access

D. Passive reconnaissance

B

8

Which type of attack is generally conducted as an inside attacker with elevated privileges on the resources?

A. Gray box

B. White box

C. Black box

D. Active reconnaissance

B

9

Which of the following Common Criteria processes refers to the system or product being tested?

A. ST

B. PP

C. EAL

D. TOE

D

10

Your company has a document that spells out exactly what employees are allowed to do on their computer systems. It also defines what is prohibited and what consequences await those who break the rules. A copy of this document is signed by all employees prior to their network access. Which of the following best describes this policy?

A. Information Security Policy

B. Special Access Policy

C. Information Audit Policy

D. Network Connection Policy

A

11

Sally is a member of a pen test team newly hired to test a bank's security. She begins searching for IP addresses the bank may own by searching public records on the Internet. She also looks up news articles and job postings to discover information that may be valuable. In what phase of the pen test is Sally working?

A. Preparation

B. Assessment

C. Conclusion

D. Reconnaissance

B

12

Joe is a security engineer for a firm. His company downsizes, and Joe discovers he will be laid off within a short amount of time. Joe plants viruses and sets about destroying data and settings throughout the network, with no regard to being caught. Which type of hacker is Joe considered to be?

A. Hacktivist

B. Suicide hacker

C. Black hat

D. Script kiddie

B

13

Elements of security include confidentiality, integrity, and availability. Which technique provides for integrity?

A. Encryption

B. UPS

C. Hashing

D. Passwords

C

14

Which of the following best describes an effort to identify systems that are critical for continuation of operation for the organization?

A. BCP

B. BIA

C. MTD

D. DRP

B

15

Which of the following would be the best choice for footprinting restricted URLs and OS information from a target?

A. www.archive.org

B. www.alexa.com

C. Netcraft

D. Yesware

C

16

Which of the following consists of a publicly available set of databases that contain domain name registration contact information?

A. IETF

B. IANA

C. Whois

D. OSRF

C

17

Which of the following best describes the role that the U.S. Computer Security Incident Response Team (CSIRT) provides?

A. Vulnerability measurement and assessments for the U.S. Department of Defense

B. A reliable and consistent point of contact for all incident response services for associates of the Department of Homeland Security

C. Incident response services for all Internet providers

D. Pen test registration for public and private sector

B

18

An SOA record gathered from a zone transfer is shown here: What is the name of the authoritative DNS server for the domain, and how often will secondary servers check in for updates?

A. DNSRV1.anycomp.com, every 3600 seconds

B. DNSRV1.anycomp.com, every 600 seconds

C. DNSRV1.anycomp.com, every 4 seconds

D. postmaster.anycomp.com, every 600 seconds

A
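
The SOA record itself did not survive on this card, so here is an added example (not part of the deck) that parses an SOA line the way you would read one out of a zone transfer or an nslookup `set type=soa` query. The server and mailbox names follow the card; the serial and timer values in SAMPLE_SOA are constructed for the example. The card's answer depends on two fields: MNAME (the primary, authoritative server) and REFRESH (how often secondaries poll for a new serial).

```python
import re

# Constructed sample: an SOA line as dig/nslookup or a zone transfer prints it.
# DNSRV1.anycomp.com and postmaster.anycomp.com come from the card; the numbers
# are assumed values for this example.
SAMPLE_SOA = (
    "anycomp.com. 3600 IN SOA DNSRV1.anycomp.com. postmaster.anycomp.com. "
    "( 2024031501 3600 600 86400 300 )"
)

# RDATA order fixed by RFC 1035: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
NUMERIC_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def parse_soa(record: str) -> dict:
    """Split an SOA record into named fields.

    MNAME is the primary (authoritative) master for the zone; RNAME is the
    responsible mailbox with its '@' written as '.'; REFRESH is how many
    seconds secondaries wait between checks for a new serial."""
    tokens = record.replace("(", " ").replace(")", " ").split()
    upper = [t.upper() for t in tokens]
    if "SOA" not in upper:
        raise ValueError("not an SOA record")
    rdata = tokens[upper.index("SOA") + 1:]
    if len(rdata) < 7:
        raise ValueError("truncated SOA RDATA")
    mname = rdata[0].rstrip(".")
    local, _, domain = rdata[1].rstrip(".").partition(".")
    info = {"primary_ns": mname, "contact": f"{local}@{domain}"}
    info.update(zip(NUMERIC_FIELDS, (int(x) for x in rdata[2:7])))
    return info


def soa_findings(soa: dict) -> list:
    """Sanity checks worth noting in a report (RFC 1912 guidance)."""
    findings = []
    if soa["retry"] >= soa["refresh"]:
        findings.append("retry is not shorter than refresh")
    if soa["expire"] < soa["refresh"] + soa["retry"]:
        findings.append("expire too short: secondaries drop the zone after one missed refresh")
    if not re.fullmatch(r"(19|20)\d{6}\d{2}", str(soa["serial"])):
        findings.append("serial not in YYYYMMDDnn form (zone age cannot be inferred)")
    return findings


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(soa["primary_ns"], "refresh every", soa["refresh"], "seconds")
    print(soa_findings(soa) or "no SOA timer findings")
```

The contact mailbox is worth recording too: it is a real address at the target that tends to be monitored by DNS staff, which makes it a footprinting find in its own right.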

19

A security peer is confused about a recent incident. An attacker successfully accessed a machine in the organization and made off with some sensitive data. A full vulnerability scan was run immediately following the theft, and nothing was discovered. Which of the following best describes what may have happened?

A. The attacker took advantage of a zero-day vulnerability on the machine.

B. The attacker performed a full rebuild of the machine after he was done.

C. The attacker performed a denial-of-service attack.

D. Security measures on the device were completely disabled before the attack began.

A

20

Which footprinting tool or technique can be used to find the names and addresses of employees or technical points of contact?

A. whois

B. nslookup

C. dig

D. traceroute

A

21

Which of the following are passive footprinting methods? (Choose all that apply.)

A. Checking DNS replies for network mapping purposes

B. Collecting information through publicly accessible sources

C. Performing a ping sweep against the network range

D. Sniffing network traffic through a network tap

A,B

22

Which OSRF application checks to see if a username has been registered in up to 22 different e-mail providers?

A. mailfy.py

B. usufy.py

C. entify.py

D. searchfy.py

A

23

You have an FTP service and an HTTP site on a single server. Which DNS record allows you to alias both services to the same record (IP address)?

A. NS

B. SOA

C. CNAME

D. PTR

C

24

A pen tester is attempting to use nslookup and has the tool in interactive mode for the search. Which command should be used to request the appropriate records?

A. request type=ns

B. transfer type=ns

C. locate type=ns

D. set type=ns

D

25

Which Google hack would display all pages that have the words SQL and Version in their titles?

A. inurl:SQL inurl:version

B. allinurl:SQL version

C. intitle:SQL inurl:version

D. allintitle:SQL version

D

26

As a pen test team member, you begin searching for IP ranges owned by the target organization and discover their network range. You also read job postings and news articles and visit the organization's website. Throughout the first week of the test, you also observe when employees come to and leave work, and you rummage through the trash outside the building for useful information. Which type of footprinting are you accomplishing?

A. Active

B. Passive

C. Reconnaissance

D. None of the above

B

27

A member of your team enters the following command: Which of the following Nmap commands performs the same task?

nmap -sV -sC -O --traceroute IPAddress

A. nmap -A IPAddress

B. nmap -all IPAddress

C. nmap -Os IPAddress

D. nmap -aA IPAddress

A

28

You want to perform banner grabbing against a machine (168.15.22.4) you suspect as being a web server. Assuming you have the correct tools installed, which of the following command-line entries will successfully perform a banner grab? (Choose all that apply.)

A. telnet 168.15.22.4 80

B. telnet 80 168.15.22.4

C. nc -v -n 168.15.22.4 80

D. nc -v -n 80 168.15.22.4

A,C
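
Both correct answers put the host before the port, which is the argument order telnet and netcat expect. The following added example (written for this page, not taken from the deck) does the same banner grab in Python: connect, send a minimal request, read the response, and pull out the Server header. So that it runs offline, it starts a fake web server on a loopback port that returns a constructed banner; the Apache version string is made up for the example.

```python
import socket
import threading

# Constructed banner, shaped like a real server's answer to a bare HEAD request.
FAKE_BANNER = (
    b"HTTP/1.0 400 Bad Request\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def start_fake_web_server() -> int:
    """Listen on an ephemeral loopback port; answer one connection with FAKE_BANNER."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve_once() -> None:
        conn, _ = listener.accept()
        with conn:
            conn.settimeout(2)
            try:
                conn.recv(1024)          # read whatever the client sends
            except socket.timeout:
                pass
            conn.sendall(FAKE_BANNER)
        listener.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return listener.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 3.0) -> dict:
    """Do by hand what 'telnet HOST 80' or 'nc -v -n HOST 80' does: connect,
    send a minimal request, read the response and pull out the Server header."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
    head = buf.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {
        "status_line": lines[0],
        "headers": headers,
        "server": headers.get("server", "(not disclosed)"),
    }


if __name__ == "__main__":
    port = start_fake_web_server()
    print(grab_banner("127.0.0.1", port))
```

A hardened server answers with no Server header at all or a generic one, which is why the function reports "(not disclosed)" rather than failing: the absence of a banner is itself a finding.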

29

You've decided to begin scanning against a target organization but want to keep your efforts as quiet as possible. Which IDS evasion technique splits the TCP header among multiple packets?

A. Fragmenting

B. IP spoofing

C. Proxy scanning

D. Anonymizer

A

30

One of your team members is analyzing TTL fields and TCP window sizes in order to fingerprint the OS of a target. Which of the following is most likely being attempted?

A. Online OS fingerprinting

B. Passive OS fingerprinting

C. Aggressive OS fingerprinting

D. Active OS fingerprinting

B

31

What flag or flags are sent in the segment during the second step of the TCP three-way handshake?

A. SYN

B. ACK

C. SYN/ACK

D. ACK/FIN

C

32

You are port scanning a system and begin sending TCP packets with the ACK flag set. Examining the return packets, you see a return packet for one port has the RST flag set and the TTL is less than 64. Which of the following is true?

A. The response indicates an open port.

B. The response indicates a closed port.

C. The response indicates a Windows machine with a nonstandard TCP/IP stack.

D. ICMP is filtered on the machine.

A

33

An ethical hacker is ACK-scanning against a network segment he knows is sitting behind a stateful firewall. If a scan packet receives no response, what does that indicate?

A. The port is filtered at the firewall.

B. The port is not filtered at the firewall.

C. The firewall allows the packet, but the device has the port closed.

D. It is impossible to determine any port status from this response.

A

34

Which flag forces a termination of communications in both directions?

A. RST

B. FIN

C. ACK

D. PSH

A

35

You are examining a host with an IP address of 52.93.24.42/20 and want to determine the broadcast address for the subnet. Which of the following is the correct broadcast address for the subnet?

A. 52.93.24.255

B. 52.93.0.255

C. 52.93.32.255

D. 52.93.31.255

E. 52.93.255.255

D
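
Working: /20 keeps the first four bits of the third octet, so 24 (00011000) masks to 16 (00010000); the network is 52.93.16.0, the mask 255.255.240.0, and the broadcast fills the remaining host bits with ones, 52.93.31.255. The added example below (not part of the deck) does that bit arithmetic in code, cross-checks it against the standard library, and adds the check a tester actually needs: is a given address inside the authorized range before it gets scanned.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def _to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_info(cidr: str) -> dict:
    """Derive network, broadcast and usable host range from HOST/PREFIX with bit
    arithmetic, the same way you would on paper for the exam."""
    host, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = _to_int(host) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    if prefix >= 31:          # RFC 3021: /31 and /32 reserve no addresses
        first, last, usable = network, broadcast, 2 ** (32 - prefix)
    else:
        first, last, usable = network + 1, broadcast - 1, 2 ** (32 - prefix) - 2
    return {
        "mask": _to_dotted(mask),
        "network": _to_dotted(network),
        "broadcast": _to_dotted(broadcast),
        "first_host": _to_dotted(first),
        "last_host": _to_dotted(last),
        "usable_hosts": usable,
    }


def in_scope(ip: str, cidr: str) -> bool:
    """True when ip lies inside the subnet of cidr: run this on every target
    before scanning so nothing outside the engagement's range gets touched."""
    info = subnet_info(cidr)
    return _to_int(info["network"]) <= _to_int(ip) <= _to_int(info["broadcast"])


def cross_check(cidr: str) -> bool:
    """Compare the hand calculation with the standard library's answer."""
    net = ipaddress.ip_network(cidr, strict=False)
    info = subnet_info(cidr)
    return (info["network"], info["broadcast"]) == (
        str(net.network_address), str(net.broadcast_address))


if __name__ == "__main__":
    print(subnet_info("52.93.24.42/20"))
```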

36

Which port number is used by default for syslog?

A. 21

B. 23

C. 69

D. 514

D

37

Which of the following commands would you use to quickly identify live targets on a subnet? (Choose all that apply.)

A. nmap -A 172.17.24.17

B. nmap -O 172.17.24.0/24

C. nmap -sn 172.17.24.0/24

D. nmap -PI 172.17.24.0/24

C,D

38

You're running an IDLE scan and send the first packet to the target machine. Next, the SYN/ACK packet is sent to the zombie. The IPID on the return packet from the zombie is 36754. If the starting IPID was 36753, in what state is the port on the target machine?

A. Open

B. Closed

C. Unknown

D. None of the above

B
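
The reasoning: the zombie's IP ID goes up by one for every packet it sends. The attacker's first probe makes it answer with RST (IP ID n). If the target port is open, the target sends a SYN/ACK to the zombie, which answers it with another RST (n+1), and the attacker's second probe then sees n+2. A closed port draws a RST from the target, which the zombie ignores, so the second probe sees n+1. An increment of 1 from 36753 to 36754 therefore means closed (or filtered). The added simulation below (not from the deck) models the three parties and the IP ID bookkeeping, including 16-bit wraparound and the "zombie not idle" case.

```python
class Zombie:
    """Host with a globally incrementing 16-bit IP ID; every packet it sends bumps the counter."""

    def __init__(self, ipid: int) -> None:
        self.ipid = ipid & 0xFFFF

    def _send(self) -> int:
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def receive(self, flags: str):
        # An unsolicited SYN/ACK is answered with RST (one packet out); a RST is ignored.
        return self._send() if flags == "SYN/ACK" else None


class Target:
    def __init__(self, open_ports) -> None:
        self.open_ports = set(open_ports)

    def receive_syn(self, port: int) -> str:
        return "SYN/ACK" if port in self.open_ports else "RST"


def infer_port_state(ipid_before: int, ipid_after: int) -> str:
    delta = (ipid_after - ipid_before) & 0xFFFF     # tolerate wrap at 65535
    return {1: "closed or filtered", 2: "open"}.get(delta, "unknown (zombie not idle)")


def idle_scan(zombie: Zombie, target: Target, port: int) -> dict:
    before = zombie.receive("SYN/ACK")   # 1. attacker probes zombie; its RST carries IP ID n
    reply = target.receive_syn(port)     # 2. SYN to target, spoofed from the zombie's address
    zombie.receive(reply)                # target answers the zombie: SYN/ACK -> zombie RSTs (n+1)
    after = zombie.receive("SYN/ACK")    # 3. attacker probes zombie again
    return {"port": port, "ipid_before": before, "ipid_after": after,
            "state": infer_port_state(before, after)}


if __name__ == "__main__":
    zombie, target = Zombie(36752), Target({80})
    for p in (22, 80):
        print(idle_scan(zombie, target, p))
```

The "unknown" branch is the practical caveat: a zombie that is talking to anyone else during the scan pushes the counter by more than the scan does, which is why nmap's `-sI` first tests whether a candidate zombie's IP ID sequence is both incremental and quiet.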

39

Which ICMP message type/code indicates the packet could not arrive at the recipient due to exceeding its time to live?

A. Type 11

B. Type 3, Code 1

C. Type 0

D. Type 8

A

40

An ethical hacker is sending TCP packets to a machine with the SYN flag set. None of the SYN/ACK responses on open ports is being answered. Which type of port scan is this?

A. Ping sweep

B. XMAS

C. Stealth

D. Full

C

41

Which of the following statements is true regarding port scanning?

A. Port scanning's primary goal is to identify live targets on a network.

B. Port scanning is designed to overload the ports on a target in order to identify which are open and which are closed.

C. Port scanning is designed as a method to view all traffic to and from a system.

D. Port scanning is used to identify potential vulnerabilities on a target system.

D

42

Which of the following best describes a honeypot?

A. It is used to filter traffic from screened subnets.

B. It is used to gather information about potential network attackers.

C. It is used to analyze traffic for detection signatures.

D. Its primary function involves malware and virus protection.

B

43

Which of the following Wireshark filters would display all traffic sent from, or destined to, systems on the 172.17.15.0/24 subnet? (Choose all that apply.)

A. ip.addr == 172.17.15.0/24

B. ip.src == 172.17.15.0/24 and ip.dst == 172.17.15.0/24

C. ip.src == 172.17.15.0/24 or ip.dst == 172.17.15.0/24

D. ip.src == 172.17.15.0/24 and ip.dst == 172.17.15.0/24

A,C

44

Which of the following best describes active sniffing? (Choose all that apply.)

A. Active sniffing is usually required when hubs are in place.

B. Active sniffing is usually required when switches are in place.

C. Active sniffing is harder to detect than passive sniffing.

D. Active sniffing is easier to detect than passive sniffing.

B,D

45

Your client tells you they know beyond a doubt an attacker is sending messages back and forth from their network, yet the IDS doesn't appear to be alerting on the traffic. Which of the following is most likely true?

A. The attacker is sending messages over an SSL tunnel.

B. The attacker has corrupted ACLs on every router in the network.

C. The attacker has set up port security on network switches.

D. The attacker has configured a trunk port on a switch.

A

46

Which display filter for Wireshark shows all TCP packets containing the word facebook?

A. content==facebook

B. tcp contains facebook

C. display==facebook

D. tcp.all contains ==facebook

B

47

You are configuring rules for your Snort installation and want to have an alert message of "Attempted FTP" on any FTP packet coming from an outside address intended for one of your internal hosts. Which of the following rules are correct for this situation?

A. alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Attempted FTP")

B. alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Attempted FTP")

C. alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Attempted FTP")

D. alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"Attempted FTP")

C
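
Rule C is right because FTP control traffic goes to port 21 and the direction arrow points from outside in; A (23) is telnet, B (25) is SMTP, and D watches the server's replies going out. The added example below (written for this page, not from the deck or from Snort itself) parses the four candidate rule headers and evaluates them against constructed packets, so you can see which one fires on an inbound FTP connection and which on the reply. The `$HOME_NET` value is an assumption; `$EXTERNAL_NET` is defined as its negation, as a typical snort.conf does.

```python
import ipaddress
import re

# Variables a snort.conf would define; the HOME_NET value is assumed for this example.
VARS = {"HOME_NET": ["192.168.119.0/24"], "EXTERNAL_NET": ["!$HOME_NET"]}

HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text: str) -> dict:
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        key, sep, value = item.partition(":")
        if sep:
            opts[key.strip()] = value.strip().strip('"')
    rule["opts"] = opts
    return rule


def addr_matches(spec: str, ip: str) -> bool:
    """Handle 'any', CIDR, $VARIABLE and '!' negation (recursively, so !$HOME_NET works)."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec.startswith("$"):
        hit = any(addr_matches(s, ip) for s in VARS[spec[1:]])
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                      # Snort range syntax lo:hi, either side optional
        lo, hi = spec.split(":", 1)
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def rule_matches(rule: dict, pkt: dict) -> bool:
    if rule["proto"] != pkt["proto"]:
        return False

    def one_way(s, sp, d, dp):
        return (addr_matches(rule["src"], s) and port_matches(rule["sport"], sp)
                and addr_matches(rule["dst"], d) and port_matches(rule["dport"], dp))

    forward = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "->":
        return forward
    return forward or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


def alerts_for(rules, pkt) -> list:
    return [r["opts"].get("msg", "") for r in rules if rule_matches(r, pkt)]


# The four candidate rules from the card (with the ';' Snort requires after each option).
CANDIDATES = {
    "A": 'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Attempted FTP";)',
    "B": 'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Attempted FTP";)',
    "C": 'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Attempted FTP";)',
    "D": 'alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"Attempted FTP";)',
}


def which_candidates_fire(pkt: dict) -> list:
    return [label for label, text in CANDIDATES.items()
            if rule_matches(parse_rule(text), pkt)]


# Constructed packet: an outside host opening an FTP control connection inward.
INBOUND_FTP = {"proto": "tcp", "src": "64.118.55.64", "sport": 51514,
               "dst": "192.168.119.56", "dport": 21}

if __name__ == "__main__":
    print("fires on inbound FTP:", which_candidates_fire(INBOUND_FTP))
```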

48

What occurs when an IDS does not properly identify a malicious packet entering the network?

A. False negative

B. False positive

C. True negative

D. True positive

A

49

Machine A (with MAC address 00-01-02-AA-BB-CC) and Machine B (00-01-02-BB-CC-DD) are on the same subnet. Machine C, with address 00-01-02-CC-DD-EE, is on a different subnet. While the attacker is sniffing on the fully switched network, Machine B sends a message to Machine C. If an attacker on Machine A wanted to receive a copy of this message, which of the following circumstances would be necessary?

A. The ARP cache of the router would need to be poisoned, changing the entry for Machine A to 00-01-02-CC-DD-EE.

B. The ARP cache of Machine B would need to be poisoned, changing the entry for the default gateway to 00-01-02-AA-BB-CC.

C. The ARP cache of Machine C would need to be poisoned, changing the entry for the default gateway to 00-01-02-AA-BB-CC.

D. The ARP cache of Machine A would need to be poisoned, changing the entry for Machine C to 00-01-02-BB-CC-DD.

B

50

An IDS installed on the network perimeter sees a spike in traffic during off-duty hours and begins logging and alerting. Which type of IDS is in place?

A. Stateful

B. Signature based

C. Anomaly based

D. Packet filtering

C

51

In what situation would you employ a proxy server? (Choose the best answer.)

A. You wish to share files inside the corporate network.

B. You want to allow outside customers into a corporate website.

C. You want to filter Internet traffic for internal systems.

D. You want to provide IP addresses to internal hosts.

C

52

An attacker has successfully connected a laptop to a switch port and turned on a sniffer. The NIC is running in promiscuous mode, and the laptop is left alone for a few hours to capture traffic. Which of the following statements are true? (Choose all that apply.)

A. The packet capture will provide the MAC addresses of other machines connected to the switch.

B. The packet capture will provide only the MAC addresses of the laptop and the default gateway.

C. The packet capture will display all traffic intended for the laptop.

D. The packet capture will display all traffic intended for the default gateway.

A,C

53

Which of the following are appropriate active sniffing techniques against a switched network? (Choose all that apply.)

A. ARP poisoning

B. MAC flooding

C. SYN flooding

D. Birthday attack

E. Firewalking

A,B

54

A pen tester is configuring a Windows laptop for a test. In setting up Wireshark, what driver and library are required to allow the NIC to work in promiscuous mode?

A. promsw

B. libpcap

C. winprom

D. winpcap

D

55

Which of the following works at Layer 5 of the OSI model?

A. Application-level firewall

B. Stateful firewall

C. Packet-filtering firewall

D. Circuit-level firewall

D

56

Which of the following best defines steganography?

A. Steganography is used to hide information within existing files.

B. Steganography is used to create hash values of data files.

C. Steganography is used to encrypt data communications, allowing files to be passed unseen.

D. Steganography is used to create multimedia communication files.

A

57

Which encryption standard is used by LM?

A. MD5

B. SHA-1

C. DES

D. SHA-2

E. 3DES

C

58

Which of the following would be considered a passive online password attack?

A. Guessing passwords against an IPC$ share

B. Sniffing subnet traffic to intercept a password

C. Running John the Ripper on a stolen copy of the SAM

D. Sending a specially crafted PDF to a user for that user to open

B

59

A user on Joe's network does not need to remember a long password. Users on Joe's network log in using a token and a four-digit PIN. Which authentication measure best describes this?

A. Multifactor authentication

B. Three-factor authentication

C. Two-factor authentication

D. Token authentication

C

60

Which of the following best defines a hybrid attack?

A. The attack uses a dictionary list, trying words from random locations in the file until the password is cracked.

B. The attack tries random combinations of characters until the password is cracked.

C. The attack uses a dictionary list, substituting letters, numbers, and characters in the words until the password is cracked.

D. The attack use rainbow tables, randomly attempting hash values throughout the list until the password is cracked.

C

61

While pen-testing a client, you discover that LM hashing, with no salting, is still engaged for backward compatibility on most systems. One stolen password hash reads 9FAF6B755DC38E12AAD3B435B51404EE. Is this user following good password procedures?

A. Yes, the hash shows a 14-character, complex password.

B. No, the hash shows a 14-character password; however, it is not complex.

C. No, the hash reveals a 7-character-or-less password has been used.

D. It is impossible to determine simply by looking at the hash.

C
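
Why C: LM uppercases the password, pads it to 14 bytes with nulls, splits it into two 7-byte halves and DES-encrypts a fixed constant with each half independently. Seven null bytes always produce AAD3B435B51404EE, so a hash whose second half is that value came from a password of at most 7 characters, and a hash that is AAD3B435B51404EE twice is an empty password (or LM storage disabled). The added example below (not from the deck) applies that check across a pwdump-style dump, which is how you would triage a stolen SAM before cracking anything. The dump is constructed; only the first LM hash is the card's, and the other hex strings are made up rather than real credentials. Computing LM from a plaintext needs DES, which is not in the standard library, so the example relies on the well-known constants instead.

```python
# Well-known fixed values: LM hash of the empty string (also stored when LM is
# disabled) and the NT hash of the empty string.
LM_EMPTY_HALF = "AAD3B435B51404EE"
LM_EMPTY = LM_EMPTY_HALF * 2
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Constructed pwdump-style sample (user:rid:lmhash:nthash:::). The first LM hash is
# the one from the card; every other hash here is made-up hex, not a real credential.
SAMPLE_PWDUMP = """\
jsmith:1001:9FAF6B755DC38E12AAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
svc_backup:1002:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
admin:500:A1B2C3D4E5F60718293A4B5C6D7E8F90:FEDCBA9876543210FEDCBA9876543210:::
disabledlm:1003:AAD3B435B51404EEAAD3B435B51404EE:ABCDEF0123456789ABCDEF0123456789:::
"""


def classify_lm(lm_hex: str) -> str:
    """LM hashes the password in two independent 7-byte halves (uppercased, null
    padded). A second half equal to LM_EMPTY_HALF means those 7 bytes were all padding."""
    lm = lm_hex.upper()
    if len(lm) != 32:
        raise ValueError("LM hash must be 32 hex characters")
    if lm == LM_EMPTY:
        return "no LM hash (empty password or LM storage disabled)"
    if lm[16:] == LM_EMPTY_HALF:
        return "password is 7 characters or fewer"
    return "password is 8-14 characters (two crackable 7-char halves)"


def audit_pwdump(dump: str) -> list:
    """One row per account with the findings a report would list."""
    rows = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        findings = []
        lm_class = classify_lm(lm)
        if lm.upper() != LM_EMPTY:
            findings.append("LM hash present: " + lm_class)
        if nt.upper() == NT_EMPTY:
            findings.append("blank password (empty NT hash)")
        rows.append({"user": user, "rid": int(rid), "lm": lm_class, "findings": findings})
    return rows


if __name__ == "__main__":
    for row in audit_pwdump(SAMPLE_PWDUMP):
        print(row["user"], row["findings"] or "ok")
```

Any account with an LM hash at all is a finding regardless of length: the 7-character halves, uppercase-only charset and absence of salt mean each half falls to a rainbow table in seconds, which is why the fix is to disable LM storage (NoLMHash) rather than to lengthen passwords.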

62

Where is the SAM file stored on a Windows 7 system?

A. /etc/

B. C:\Windows\System32\etc\

C. C:\Windows\System32\Config\

D. C:\Windows\System32\Drivers\Config

C

63

Examining a database server during routine maintenance, you discover an hour of time missing from the log file, during what would otherwise be normal operating hours. Further investigation reveals no user complaints on accessibility. Which of the following is the most likely explanation?

A. The log file is simply corrupted.

B. The server was compromised by an attacker.

C. The server was rebooted.

D. No activity occurred during the hour time frame

B

64

Which of the following can migrate the machine's actual operating system into a virtual machine?

A. Hypervisor-level rootkit

B. Kernel-level rootkit

C. Virtual rootkit

D. Library-level rootkit

A

65

After gaining access to a Windows machine, you see the last command executed on the box looks like this: Assuming the user had appropriate credentials, which of the following are true? (Choose all that apply.)

net use F: \\MATTBOX\BankFiles /persistent:yes

A. In Windows Explorer, a folder will appear under the root directory named BankFiles.

B. In Windows Explorer, a drive will appear denoted as BankFiles (\\MATTBOX) (F:).

C. The mapped drive will remain mapped after a reboot.

D. The mapped drive will not remain mapped after a reboot.

B,C

66

An attacker has hidden badfile.exe in the readme.txt file. Which of the following is the correct command to execute the file?

A. start readme.txt>badfile.exe

B. start readme.txt:badfile.exe

C. start badfile.exe > readme.txt

D. start badfile.exe | readme.txt

B

67

You see the following command in a Linux history file review: Which of the following best describe the command result? (Choose two.)

someproc &

A. The process "someproc" will stop when the user logs out.

B. The process "someproc" will continue to run when the user logs out.

C. The process "someproc" will run as a background task.

D. The process "someproc" will prompt the user when logging off.

A,C

68

You are examining log files and notice several connection attempts to a hosted web server. Many attempts appear as such: What type of attack is in use?

http://www.example.com/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows\system32\cmd.exe

A. SQL injection

B. Unicode parameter tampering

C. Directory traversal

D. Cross-site scripting

C
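
`%2e` is the URL encoding of `.`, so each `%2e%2e/` is a `../` climbing one directory; five of them followed by `windows\system32\cmd.exe` is a classic IIS-era directory traversal. The added example below (written for this page, not from the deck) does the review the question describes in code: it pulls the request target out of each access-log line, percent-decodes until the string stops changing (which also catches double encoding such as `%252e`), treats backslashes as separators, and flags only requests whose `..` sequences would actually climb above the web root. The log lines are constructed; the first one carries the card's URL.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Common Log Format). The first request is the card's.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Mar/2024:10:31:07 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows\\system32\\cmd.exe HTTP/1.1" 404 0
10.0.0.6 - - [30/Mar/2024:10:31:09 +0000] "GET /images/../css/site.css HTTP/1.1" 200 812
10.0.0.7 - - [30/Mar/2024:10:31:11 +0000] "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1313
10.0.0.8 - - [30/Mar/2024:10:31:12 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding like %252e) and treat
    backslashes as path separators, as IIS does."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def escapes_web_root(path: str) -> bool:
    """Walk the segments; the request escapes the root if '..' ever takes depth below zero."""
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def scan_log(log_text: str) -> list:
    """Return one hit per log line whose path or any query-string value climbs out of the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        path, _, query = target.partition("?")
        values = [kv.partition("=")[2] for kv in query.split("&") if kv]
        for candidate in [path] + values:
            norm = normalize(candidate)
            if escapes_web_root(norm):
                hits.append({"client": line.split()[0], "raw": target, "decoded": norm})
                break
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], "->", hit["decoded"])
```

The second line shows why counting `..` alone gives false positives: `/images/../css/site.css` never leaves the root. The third line shows why one decoding pass is not enough: a filter that decodes once sees `%2e%2e%2f`, which contains no literal `../`, and passes it to a back end that decodes again.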

69

The accounting department of a business notices several orders that seem to have been made erroneously. In researching the concern, you discover it appears the prices of items on several web orders do not match the listed prices on the public site. You verify the web server and the ordering database do not seem to have been compromised. Additionally, no alerts have displayed in the Snort logs concerning a possible attack on the web application. Which of the following might explain the attack in play?

A. The attacker has copied the source code to his machine and altered hidden fields to modify the purchase price of the items.

B. The attacker has used SQL injection to update the database to reflect new prices for the items.

C. The attacker has taken advantage of a serverside include that altered the price.

D. The attacker used Metasploit to take control of the web application

A

70

A pen test team member uses the following entry at the command line: Which of the following is true regarding the intent of the command?

nmap --script http-methods --script-args somesystem.com

A. The team member is attempting to see which HTTP methods are supported by somesystem.com.

B. The team member is attempting XSS against somesystem.com.

C. The team member is attempting HTTP response splitting against somesystem.com.

D. The team member is attempting to site-mirror somesystem.com.

A

71

You are examining IDS logs and come across the following entry: What can you infer from this log entry?

Mar 30 10:31:07 [1123]: IDS1661/NOPS-x86: 64.118.55.64:1146->192.168.119.56:33

A. The attacker, using address 192.168.119.56, is attempting to connect to 64.118.55.64 using a DNS port.

B. The attacker, using address 64.118.55.64, is attempting a directory traversal attack.

C. The attacker is attempting a known SQL attack against 192.168.119.56.

D. The attacker is attempting a buffer overflow against 192.168.119.56.

D

72

Which of the following would be the best protection against XSS attacks?

A. Invest in top-of-the-line firewalls.

B. Perform vulnerability scans against your systems.

C. Configure input validation on your systems.

D. Have a pen test performed against your systems.

C

73

Which of the following is true regarding n-tier architecture?

A. Each tier must communicate openly with every other tier.

B. N-tier always consists of presentation, logic, and data tiers.

C. N-tier is usually implemented on one server.

D. N-tier allows each tier to be configured and modified independently.

D

74

Which character is the best choice to start a SQL injection attempt?

A. Colon

B. Semicolon

C. Double quote

D. Single quote

D

75

Which of the following is a true statement?

A. Configuring the web server to send random challenge tokens is the best mitigation for XSS attacks.

B. Configuring the web server to send random challenge tokens is the best mitigation for buffer overflow attacks.

C. Configuring the web server to send random challenge tokens is the best mitigation for parameter manipulation attacks.

D. Configuring the web server to send random challenge tokens is the best mitigation for CSRF attacks.

D
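
A CSRF attack works because the browser attaches the victim's session cookie to any request, including one a hostile page triggers; the server cannot tell that request from a legitimate one. A random challenge token that is tied to the session and carried in the form body (not in a cookie) fixes that: the attacker's page cannot read the token, so it cannot forge the request. The added example below (written for this page, not from the deck) implements a stateless version using an HMAC over the session ID and an issue timestamp, checked with a constant-time comparison. The server secret and the transfer handler are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side secret loaded from configuration; generated here for the example.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, issued_at=None) -> str:
    """Token = issued_at '.' HMAC-SHA256(secret, session_id ':' issued_at).
    Bound to the session, so a token lifted from another user's page is useless,
    and unforgeable without SERVER_SECRET."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{issued_at}".encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_csrf_token(token: str, session_id: str, max_age: int = 3600, now=None) -> bool:
    now = int(time.time()) if now is None else now
    issued_text, _, mac = token.partition(".")
    if not issued_text.isdigit():
        return False
    issued_at = int(issued_text)
    if now - issued_at > max_age or issued_at > now + 60:   # expired or from the future
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{issued_at}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)               # constant-time compare


def handle_transfer(form: dict, session_id: str) -> str:
    """Assumed request handler: a state-changing POST is refused unless the token
    in the form body matches the session that the cookie identifies."""
    if not verify_csrf_token(form.get("csrf_token", ""), session_id):
        return "403 forbidden: missing or invalid CSRF token"
    return f"200 transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    token = issue_csrf_token("sess-A")
    print(handle_transfer({"csrf_token": token, "amount": "10", "to": "bob"}, "sess-A"))
    print(handle_transfer({"amount": "10", "to": "bob"}, "sess-A"))
```

The token must be checked on every state-changing request, not just login, and it does nothing against XSS: script running in the page can read the token from the form and submit it, which is why option A is wrong and input validation (question 72) remains the XSS defence.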

76

Which of the following is a true statement?

A. SOAP cannot bypass a firewall.

B. SOAP encrypts messages using HTTP methods.

C. SOAP is compatible with HTTP and SMTP.

D. SOAP messages are usually bidirectional.

C

77

An attacker inputs the following into the Search text box on an entry form: The attacker then clicks the Search button and a pop-up appears stating, "It Worked." What can you infer from this?

Javascripting

A. The site is vulnerable to buffer overflow.

B. The site is vulnerable to SQL injection.

C. The site is vulnerable to parameter tampering.

D. The site is vulnerable to XSS.

D

78

SOAP is used to package and exchange information for web services. What does SOAP use to format this information?

A. XML

B. HTML

C. HTTP

D. Unicode

A

79

A security administrator monitoring logs comes across a user login attempt that reads UserJoe) (&). What can you infer from this username login attempt?

A. The attacker is attempting SQL injection.

B. The attacker is attempting LDAP injection.

C. The attacker is attempting SOAP injection.

D. The attacker is attempting directory traversal.

B
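
The parentheses and `&` are LDAP search-filter syntax: if the application builds its login filter by concatenation, `UserJoe)(&)` closes the `uid=` clause early and appends an always-true `(&)` clause, so the password clause that follows is left dangling and is ignored by a lenient parser. The added example below (not from the deck) shows the vulnerable concatenation beside the fixed version, which escapes the RFC 4515 metacharacters before interpolating, plus a balance check that reveals how the injected value changes the filter's structure and the cheap heuristic a log reviewer can apply to usernames.

```python
# RFC 4515: characters with meaning inside a search filter are written as
# a backslash followed by two hex digits.
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str, password: str) -> str:
    """What the vulnerable application does: plain string concatenation."""
    return f"(&(uid={username})(userPassword={password}))"


def build_login_filter_safe(username: str, password: str) -> str:
    """Same filter, with every attacker-controlled value escaped first."""
    return (f"(&(uid={escape_filter_value(username)})"
            f"(userPassword={escape_filter_value(password)}))")


def filter_is_well_formed(ldap_filter: str) -> bool:
    """A filter is exactly one balanced parenthesised expression. Anything left
    over after the first complete expression means the structure was altered."""
    depth = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0:
                return i == len(ldap_filter) - 1
    return False


def looks_like_ldap_injection(username: str) -> bool:
    """Log-review heuristic: a login name carrying filter metacharacters."""
    return any(ch in username for ch in "()*\\|&")


if __name__ == "__main__":
    attempt = "UserJoe)(&)"
    print("unsafe:", build_login_filter_unsafe(attempt, "x"))
    print("safe:  ", build_login_filter_safe(attempt, "x"))
```

Note that `&` by itself is not escaped: once the parentheses are encoded as `\28` and `\29` it is just a character in the value and cannot open a new clause. Escaping is the fix for the filter; the DN used in a bind needs the separate RFC 4514 escaping rules.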

80

A security administrator sets the HttpOnly flag in cookies. Which of the following is he most likely attempting to mitigate against?

A. CSRF

B. CSSP

C. XSS

D. Buffer overflow

E. SQL injection

C

81

Your organization is deploying a new web-based software package requiring application and database support. The department has agreed on a three-server approach to make the service accessible from the Internet. Of the following choices, which would be the best option for server placement?

A. A web, application, and database server on the internal network only

B. A web, application, and database server facing the Internet

C. A web server facing the Internet, and application and database server on the internal network

D. An application and database server facing the Internet, with a web server internal

C