CEH Quiz (201 - 261)

Approved & Edited by ProProfs Editorial Team

The editorial team at ProProfs Quizzes consists of a select group of subject experts, trivia writers, and quiz masters who have authored over 10,000 quizzes taken by more than 100 million users. This team includes our in-house seasoned quiz moderators and subject matter experts. Our editorial experts, spread across the world, are rigorously trained using our comprehensive guidelines to ensure that you receive the highest quality quizzes.

Learn about Our Editorial Process

| By Porterwb

Porterwb

Community Contributor

Quizzes Created: 2 | Total Attempts: 1,084

Questions: 61 | Attempts: 446 | Updated: Mar 21, 2023

Questions

Settings

Feedback

During the Quiz End of Quiz

Play as

Quiz Flashcard

Create your own Quiz

This is your description.

Questions and Answers

1.

Jane wishes to forward X-Windows traffic to a remote host as well as POP3 traffic. She is worried that adversaries might be monitoring the communication link and could inspect captured traffic. She would like to tunnel the information to the remote end but does not have VPN capabilities to do so. Which of the following tools can she use to protect the link?
- A.
  
  MD5
- B.
  
  PGP
- C.
  
  RSA
- D.
  
  SSH
Correct Answer
D. SSH

Explanation
SSH (Secure Shell) can be used to protect the link. SSH is a cryptographic network protocol that provides secure communication over an insecure network. It encrypts the data being transmitted, preventing adversaries from intercepting and inspecting the traffic. By using SSH, Jane can tunnel the X-Windows and POP3 traffic to the remote host securely, even without VPN capabilities.

Rate this question:
2.

Type question hereNTP allows you to set the clocks on your systems very accurately, to within 100ms and sometimes-even 10ms. Knowing the exact time is extremely important for enterprise security. Various security protocols depend on an accurate source of time information in order to prevent "playback" attacks. These protocols tag their communications with the current time, to prevent attackers from replaying the same communications, e.g., a login/password interaction or even an entire communication, at a later date. One can circumvent this tagging, if the clock can be set back to the time the communication was recorded. An attacker attempts to try corrupting the clocks on devices on your network. You run Wireshark to detect the NTP traffic to see if there are any irregularities on the network. What port number you should enable in Wireshark display filter to view NTP packets?
- A.
  
  TCP Port 124
- B.
  
  UDP Port 125
- C.
  
  UDP Port 123
- D.
  
  TCP Port 126
Correct Answer
C. UDP Port 123

Explanation
NTP (Network Time Protocol) is used to synchronize the clocks on systems accurately. In this scenario, the user is running Wireshark to detect any irregularities in NTP traffic on the network. To view NTP packets, they should enable UDP Port 123 in the Wireshark display filter. NTP uses UDP (User Datagram Protocol) as its transport protocol, and Port 123 is the designated port for NTP traffic. By enabling this port in Wireshark, the user will be able to capture and analyze NTP packets for any signs of irregularities or attacks on the network.

Rate this question:
3.

Bill is a security analyst for his company. All the switches used in the company's office are Cisco switches. Bill wants to make sure all switches are safe from ARP poisoning. How can Bill accomplish this?
- A.
  
  Bill can use the command: ip dhcp snooping.
- B.
  
  Bill can use the command:no ip snoop.
- C.
  
  Bill could use the command: ip arp no flood.
- D.
  
  He could use the command: ip arp no snoop.
Correct Answer
A. Bill can use the command: ip dhcp snooping.

Explanation
Bill can use the command "ip dhcp snooping" to ensure that all switches are safe from ARP poisoning. This command enables the switch to validate DHCP messages received from untrusted sources and ensure that only valid DHCP messages are allowed. By enabling DHCP snooping, Bill can prevent unauthorized DHCP servers from distributing incorrect IP addresses and protect against ARP poisoning attacks.

Rate this question:
4.

You generate MD5 128-bit hash on all files and folders on your computer to keep a baseline check for security reasons? What is the length of the MD5 hash?
- A.
  
  32 char
- B.
  
  64 byte
- C.
  
  48 char
- D.
  
  128 byte
Correct Answer(s)
A. 32 char
D. 128 byte

Explanation
The length of the MD5 hash is 32 characters or 128 bytes. The MD5 algorithm generates a fixed-length hash value of 128 bits, which is then represented as a string of 32 hexadecimal characters. Each character in the hash represents 4 bits, resulting in a total of 32 characters. Alternatively, since each hexadecimal character represents 4 bits, multiplying 32 characters by 4 gives a total of 128 bits or 16 bytes.

Rate this question:
5.

Which type of password cracking technique works like dictionary attack but adds some numbers and symbols to the words from the dictionary and tries to crack the password?
- A.
  
  Dictionary attack
- B.
  
  Brute forcing attack
- C.
  
  Hybrid attack
- D.
  
  Syllable attack
- E.
  
  Rule-based attack
Correct Answer
C. Hybrid attack

Explanation
A hybrid attack is a type of password cracking technique that combines elements of a dictionary attack and a brute force attack. It starts with a dictionary of common words and then adds numbers and symbols to those words to create variations. These variations are then used to try and crack the password. This technique is effective because it takes advantage of the fact that many people use common words as their passwords, but also adds complexity by incorporating numbers and symbols.

Rate this question:
6.

What command would you type to OS fingerprint a server using the command line?
- A.
  
  Option A
- B.
  
  Option B
- C.
  
  Option C
- D.
  
  Option D
Correct Answer
C. Option C

Explanation
To OS fingerprint a server using the command line, you would type the command specified in Option C.

Rate this question:
7.

What do you call a pre-computed hash?
- A.
  
  Sun tables
- B.
  
  Apple tables
- C.
  
  Rainbow tables
- D.
  
  Moon tables
Correct Answer
C. Rainbow tables

Explanation
A pre-computed hash is commonly referred to as a "Rainbow table". Rainbow tables are used in cryptography to speed up the process of cracking hashed passwords by storing pre-computed hash chains. These tables contain a list of possible plaintext passwords and their corresponding hash values, allowing for quick lookup and comparison to the target hash. By using rainbow tables, attackers can significantly reduce the time and computational resources required to crack hashed passwords.

Rate this question:
8.

Why attackers use proxy servers?
- A.
  
  To ensure theexploits used in the attacks always flip reverse vectors
- B.
  
  Faster bandwidth performance and increase in attack speed
- C.
  
  Interrupt the remote victim's network traffic and reroute the packets to attackers machine
- D.
  
  To hide the source IP address so that anattacker can hack without any legal corollary
Correct Answer
D. To hide the source IP address so that anattacker can hack without any legal corollary

Explanation
Attackers use proxy servers to hide their source IP address so that they can carry out their hacking activities without facing any legal consequences. By routing their network traffic through a proxy server, the attacker's true IP address is masked, making it difficult for authorities to trace back the attack to its source. This anonymity provides a layer of protection for the attacker and allows them to operate without being easily identified or held accountable for their actions.

Rate this question:
9.

The SNMP Read-Only Community String is like a password. The string is sent along with each SNMP Get-Request and allows (or denies) access to a device. Most network vendors ship their equipment with a default password of "public". This is the so-called "default public community string". How would you keep intruders from getting sensitive information regarding the network devices using SNMP? (Select 2 answers)
- A.
  
  Enable SNMPv3 whichencrypts username/password authentication
- B.
  
  Use your company name as the public community string replacing the default 'public'
- C.
  
  Enable IP filtering to limit access to SNMP device
- D.
  
  The default configuration provided by device vendors is highly secureand you don't need to change anything
Correct Answer(s)
A. Enable SNMPv3 whichencrypts username/password authentication
C. Enable IP filtering to limit access to SNMP device

Explanation
To keep intruders from getting sensitive information regarding the network devices using SNMP, enabling SNMPv3 which encrypts username/password authentication is important. SNMPv3 provides secure access to devices by encrypting the authentication credentials. Additionally, enabling IP filtering to limit access to SNMP devices adds an extra layer of security by allowing only specific IP addresses to access the devices. This helps to prevent unauthorized access and protect sensitive information.

Rate this question:
10.

You are writing security policy that hardens and prevents Footprinting attempt by Hackers. Which of the following countermeasures will NOT be effective against this attack?
- A.
  
  Configure routers to restrict the responses to Footprinting requests
- B.
  
  Configure Web Servers to avoid information leakage and disable unwanted protocols
- C.
  
  Lock the ports with suitable Firewall configuration
- D.
  
  Use an IDS that can be configured to refusesuspicious traffic and pick up Footprinting patterns
- E.
  
  Evaluate the information before publishing it on the Website/Intranet
- F.
  
  Monitor every employee computer with Spy cameras, keyloggers and spy on them
- G.
  
  Perform Footprinting techniques and remove anysensitive information found on DMZ sites
- H.
  
  Prevent search engines from caching a Webpage and use anonymous registration services
- I.
  
  Disable directory and use split-DNS
Correct Answer
F. Monitor every employee computer with Spy cameras, keyloggers and spy on them
11.

Bank of Timbuktu is a medium-sized, regional financial institution in Timbuktu. The bank has deployed a new Internet-accessible Web application recently. Customers can access their account balances, transfer money between accounts, pay bills and conduct online financial business using a Web browser. John Stevens is in charge of information security at Bank of Timbuktu. After one month in production, several customers have complained about the Internet enabled banking application. Strangely, the account balances of many of the bank's customers had been changed! However, money hasn't been removed from the bank; instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries: What kind of attack did the Hacker attempt to carry out at the bank?
- A.
  
  Brute force attack in which the Hacker attempted guessing login ID and password from password cracking tools.
- B.
  
  The Hacker attempted Session hijacking, in which the Hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session.
- C.
  
  The Hacker used a generator module to pass results to the Web server and exploited Web application CGI vulnerability.
- D.
  
  The Hacker first attempted logins with suspected user names, then used SQL Injection to gain access to valid bank login IDs.
Correct Answer
D. The Hacker first attempted logins with suspected user names, then used SQL Injection to gain access to valid bank login IDs.

Explanation
The correct answer is that the hacker first attempted logins with suspected usernames, then used SQL injection to gain access to valid bank login IDs. This is evident from the statement that the account balances of many customers were changed and money was transferred between accounts. SQL injection is a common attack technique where malicious SQL statements are inserted into an entry field, allowing the attacker to manipulate the database. In this case, the hacker likely used SQL injection to bypass the login system and gain access to valid login IDs, which they then used to transfer money between accounts.

Rate this question:
12.

WWW wanderers or spiders are programs that traverse many pages in the World Wide Web by recursively retrieving linked pages. Search engines like Google, frequently spider web pages for indexing. How will you stop web spiders from crawling certain directories on your website?
- A.
  
  Place robots.txt file in the root of your website with listing of directories that you don't want to be crawled
- B.
  
  Place authentication on root directories that will prevent crawling from these spiders
- C.
  
  Nable SSL on the restricted directories which will block these spiders from crawling
- D.
  
  Place "HTTP:NO CRAWL" on the html pages that you don't want the crawlers to index
Correct Answer
A. Place robots.txt file in the root of your website with listing of directories that you don't want to be crawled
13.

You are trying to hijack a telnet session from a victim machine with IP address 10.0.0.5 to Cisco router at 10.0.0.1. You sniff the traffic and attempt to predict the sequence and acknowledgement numbers to successfully hijack the telnet session. Here is the captured data in tcpdump. What are the next sequence and acknowledgement numbers that the router will send to the victim machine?
- A.
  
  Sequence number: 82980070 Acknowledgement number: 17768885A.
- B.
  
  Sequence number: 17768729 Acknowledgement number: 82980070B.
- C.
  
  Sequence number: 87000070 Acknowledgement number: 85320085C.
- D.
  
  Sequence number: 82980010 Acknowledgement number: 17768885D.
Correct Answer
A. Sequence number: 82980070 Acknowledgement number: 17768885A.
14.

Hayden is the network security administrator for her company, a large finance firm based in Miami. Hayden just returned from a security conference in Las Vegas where they talked about all kinds of old and new security threats; many of which she did not know of. Hayden is worried about the current security state of her company's network so she decides to start scanning the network from an external IP address. To see how some of the hosts on her network react, she sends out SYN packets to an IP range. A number of IPs responds with a SYN/ACK response. Before the connection is established she sends RST packets to those hosts to stop the session. She does this to see how her intrusion detection system will log the traffic. What type of scan is Hayden attempting here?
- A.
  
  Hayden is attempting to find live hosts on her company's network byusing an XMAS scan
- B.
  
  She is utilizing a SYN scan to find live hosts that are listening on her network
- C.
  
  The type of scan, she is using is called a NULL scan
- D.
  
  Hayden is using a half-open scan to find live hosts on her network
Correct Answer
D. Hayden is using a half-open scan to find live hosts on her network

Explanation
Hayden is using a half-open scan to find live hosts on her network. In a half-open scan, Hayden sends SYN packets to an IP range and receives SYN/ACK responses from the hosts that are listening. However, before the connection is fully established, she sends RST packets to stop the session. This allows her to see how her intrusion detection system will log the traffic and identify any potential security vulnerabilities or threats on the network.

Rate this question:
15.

Web servers are often the most targeted and attacked hosts on organizations' networks. Attackers may exploit software bugs in the Web server, underlying operating system, or active content to gain unauthorized access. Identify the correct statement related to the above Web Server installation?
- A.
  
  Lack of proper security policy, procedures and maintenance
- B.
  
  Bugs in server software, OS and web applications
- C.
  
  Installing the server with default settings
- D.
  
  Unpatched security flaws in the server software, OS and applications
Correct Answer
C. Installing the server with default settings

Explanation
Installing the server with default settings can be a correct statement related to the above web server installation. This is because using default settings may leave the server vulnerable to attacks as it may not have the necessary security configurations in place. It is important to customize the server settings and apply security measures to protect against potential exploits.

Rate this question:
16.

If an attacker's computer sends an IPID of 24333 to a zombie (Idle Scanning) computer on a closed port, what will be the response?
- A.
  
  The zombie computer will respond with an IPID of 24334.
- B.
  
  The zombie computer will respond with an IPID of 24333.
- C.
  
  The zombie computer will notsend a response.
- D.
  
  The zombie computer will respond with an IPID of 24335.
Correct Answer
A. The zombie computer will respond with an IPID of 24334.

Explanation
When an attacker's computer sends an IPID of 24333 to a zombie computer on a closed port using Idle Scanning, the zombie computer will respond with an IPID of 24334. This is because Idle Scanning involves sending a spoofed packet to the zombie computer, which then sends a response to the victim's IP address. The IPID of the response packet is typically incremented by 1 compared to the IPID of the packet sent by the attacker. Therefore, the correct answer is that the zombie computer will respond with an IPID of 24334.

Rate this question:
17.

Jacob is looking through a traffic log that was captured using Wireshark. Jacob has come across what appears to be SYN requests to an internal computer from a spoofed IP address. What is Jacob seeing here?
- A.
  
  Jacob is seeing a Smurf attack.
- B.
  
  Jacob is seeing a SYN flood.
- C.
  
  He is seeing a SYN/ACK attack.
- D.
  
  He has found evidence of an ACK flood.
Correct Answer
B. Jacob is seeing a SYN flood.

Explanation
Jacob is seeing a SYN flood. A SYN flood is a type of denial-of-service (DoS) attack where an attacker sends a large number of SYN requests to a target computer in order to overwhelm its resources and make it unable to respond to legitimate requests. In this case, Jacob has identified that the SYN requests are coming from a spoofed IP address, indicating that the attacker is disguising their identity.

Rate this question:
18.

Which of the following Registry location does a Trojan add entries to make it persistent on Windows 7? (Select 2 answers)
- A.
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- B.
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\System32\CurrentVersion\ Run
- C.
  
  HKEY_CURRENT_USER\Software\Microsoft\Windows\System32\CurrentVersion\Run
- D.
  
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Correct Answer(s)
A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
D. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Explanation
A Trojan adds entries to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry location to make it persistent on Windows 7. This registry location contains a list of programs that are automatically executed when the computer starts up. By adding an entry to this location, the Trojan ensures that it will be launched every time the computer is turned on. Additionally, the Trojan may also add entries to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry location, which contains a list of programs that are automatically executed when a user logs into their account. By adding an entry to this location, the Trojan ensures that it will be launched every time the user logs in.

Rate this question:
19.

Perimeter testing means determining exactly what your firewall blocks and what it allows. To conduct a good test, you can spoof source IP addresses and source ports. Which of the following command results in packets that will appear to originate from the system at 10.8.8.8? Such a packet is useful for determining whether the firewall is allowing random packets in or out of your network.
- A.
  
  Hping3 -T 10.8.8.8 -S netbios -c 2 -p 80
- B.
  
  Hping3 -Y 10.8.8.8 -S windows -c 2 -p 80
- C.
  
  Hping3 -O 10.8.8.8 -S server -c 2 -p 80
- D.
  
  Hping3 -a 10.8.8.8 -S springfield -c 2 -p 80
Correct Answer
D. Hping3 -a 10.8.8.8 -S springfield -c 2 -p 80

Explanation
The correct answer is hping3 -a 10.8.8.8 -S springfield -c 2 -p 80. This command will spoof the source IP address as 10.8.8.8 and the source port as "springfield". By sending packets with these spoofed values, it will appear as if the packets are originating from the system at 10.8.8.8. This allows for testing whether the firewall is allowing or blocking these packets, helping to determine if random packets are being allowed in or out of the network.

Rate this question:
20.

The GET method should never be used when sensitive data such as credit card is being sent to a CGI program. This is because any GET command will appear in the URL, and will be logged by any servers. For example, let's say that you've entered your credit card information into a form that uses the GET method. The URL may appear like this: https://www.xsecurity-bank.com/creditcard.asp?cardnumber=453453433532234 The GET method appends the credit card number to the URL. This means that anyone with access to a server log will be able to obtain this information. How would you protect from this type of attack?
- A.
  
  Never include sensitive information in a script
- B.
  
  Use HTTPS SSLv3 to send the data instead of plain HTTPS
- C.
  
  Replace the GET with POST method when sending data
- D.
  
  Encrypt the data before you send using GET method
Correct Answer
C. Replace the GET with POST method when sending data

Explanation
Using the GET method to send sensitive data such as credit card information is not secure because the data is appended to the URL and can be logged by servers. To protect against this type of attack, the best approach is to replace the GET method with the POST method when sending data. Unlike GET, the POST method sends data in the body of the HTTP request rather than appending it to the URL, making it more secure and less prone to interception or logging.

Rate this question:
21.

Keystroke logging is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. Keystroke logging is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. How will you defend against hardware keyloggers when using public computers and Internet Kiosks? (Select 4 answers)
- A.
  
  Alternate between typing the login credentials and typing characters somewhere else in the focus window
- B.
  
  Type a wrong password first, later type the correct password on the login page defeating the keylogger recording
- C.
  
  Type a password beginning with the last letter and then using the mouse to move the cursor for each subsequent letter.
- D.
  
  The next key typed replaces selected text portion. E.g. if the password is "secret", one could type "s", then some dummy keys "asdfsd". Then these dummies could be selected with mouse, and next character from the password "e" is typed, which replaces the dummies "asdfsd"
- E.
  
  The next key typed replaces selected text portion. E.g. if the password is "secret", one could type "s", then some dummy keys "asdfsd". Then these dummies could be selected with mouse, and next character from the password "e" is typed, which replaces the dummies "asdfsd"
Correct Answer(s)
A. Alternate between typing the login credentials and typing characters somewhere else in the focus window
C. Type a password beginning with the last letter and then using the mouse to move the cursor for each subsequent letter.
D. The next key typed replaces selected text portion. E.g. if the password is "secret", one could type "s", then some dummy keys "asdfsd". Then these dummies could be selected with mouse, and next character from the password "e" is typed, which replaces the dummies "asdfsd"
E. The next key typed replaces selected text portion. E.g. if the password is "secret", one could type "s", then some dummy keys "asdfsd". Then these dummies could be selected with mouse, and next character from the password "e" is typed, which replaces the dummies "asdfsd"

Explanation
The correct answers provide strategies to defend against hardware keyloggers when using public computers and Internet kiosks. Alternating between typing the login credentials and typing characters somewhere else in the focus window can confuse the keylogger by mixing the actual password with random keystrokes. Typing a password beginning with the last letter and using the mouse to move the cursor for each subsequent letter can also confuse the keylogger as the recorded keystrokes will not match the actual password. Additionally, the technique of replacing selected text with dummy keys and then typing the actual password can further confuse the keylogger by recording incorrect information.

Rate this question:
22.

Lauren is performing a network audit for her entire company. The entire network is comprised of around 500 computers. Lauren starts an ICMP ping sweep by sending one IP packet to the broadcast address of the network, but only receives responses from around five hosts. Why did this ping sweep only produce a few responses?
- A.
  
  Only Windows systems will reply to this scan.
- B.
  
  A switched network will not respond to packets sent tothe broadcast address.
- C.
  
  Only Linux and Unix-like (Non-Windows) systems will reply to this scan.
- D.
  
  Only servers will reply to this scan.
Correct Answer
C. Only Linux and Unix-like (Non-Windows) systems will reply to this scan.

Explanation
This ping sweep only produced a few responses because only Linux and Unix-like systems will reply to this scan. Windows systems and servers will not respond, and a switched network will also not respond to packets sent to the broadcast address. Therefore, the majority of the 500 computers in the network are likely running Windows or are servers, which is why only a few hosts responded to the ping sweep.

Rate this question:
23.

Wayne is the senior security analyst for his company. Wayne is examining some traffic logs on a server and came across some inconsistencies. Wayne finds some IP packets from a computer purporting to be on the internal network. The packets originate from 192.168.12.35 with a TTL of 15. The server replied to this computer and received a response from 192.168.12.35 with a TTL of 21. What can Wayne infer from this traffic log?
- A.
  
  The initial traffic from 192.168.12.35 was being spoofed.
- B.
  
  The traffic from 192.168.12.25 is from a Linux computer.
- C.
  
  The TTL of 21 means that the client computer ison wireless.
- D.
  
  The client computer at 192.168.12.35 is a zombie computer.
Correct Answer
A. The initial traffic from 192.168.12.35 was being spoofed.

Explanation
Wayne can infer that the initial traffic from 192.168.12.35 was being spoofed. This is because the TTL (Time to Live) value of the packets originating from 192.168.12.35 is lower (15) than the TTL value of the response received from the same IP address (21). A lower TTL value indicates that the packets have traveled a shorter distance, suggesting that the source IP address was likely forged or spoofed to make it appear as if it originated from the internal network.

Rate this question:
24.

What type of port scan is shown below?
- A.
  
  Idle Scan
- B.
  
  Windows Scan
- C.
  
  XMAS Scan
- D.
  
  SYN Stealth Scan
Correct Answer
C. XMAS Scan

Explanation
The correct answer is XMAS Scan. An XMAS Scan is a type of port scan where a packet with the FIN, URG, and PSH flags set is sent to the target system. This scan is used to determine if a port is open, closed, or filtered by the firewall. If the target system responds with a RST packet, the port is closed. If there is no response, the port is open. This scan is called XMAS Scan because the combination of the FIN, URG, and PSH flags resembles the blinking lights of a Christmas tree.

Rate this question:
25.

Here is the ASCII Sheet. You want to guess the DBO username juggyboy (8 characters) using Blind SQL Injection technique. What is the correct syntax?
- A.
  
  Option A
- B.
  
  Option B
- C.
  
  Option C
- D.
  
  Option D
Correct Answer
A. Option A
26.

How do you defend against ARP Poisoning attack? (Select 2 answers)
- A.
  
  Enable DHCP Snooping Binding Table
- B.
  
  Restrict ARP Duplicates
- C.
  
  Enable Dynamic ARP Inspection
- D.
  
  Enable MAC snooping Table
Correct Answer(s)
A. Enable DHCP Snooping Binding Table
C. Enable Dynamic ARP Inspection

Explanation
To defend against ARP Poisoning attacks, enabling DHCP Snooping Binding Table and Dynamic ARP Inspection are effective measures. Enabling DHCP Snooping Binding Table allows the network to verify the legitimacy of DHCP messages, preventing attackers from spoofing IP addresses. Dynamic ARP Inspection, on the other hand, validates ARP packets by comparing them with the DHCP Snooping Binding Table, ensuring that only legitimate ARP requests are allowed. These two measures combined help in mitigating the risk of ARP Poisoning attacks by securing the network against unauthorized IP and MAC address spoofing.

Rate this question:
27.

You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discovering the internal structure of publicly accessible areas of the network. How can you achieve this?
- A.
  
  There is no way to completely block tracerouting into this area
- B.
  
  Block UDP at the firewall
- C.
  
  Block TCP at the firewall
- D.
  
  Block ICMP at the firewall
Correct Answer
A. There is no way to completely block tracerouting into this area

Explanation
Blocking UDP, TCP, or ICMP at the firewall can help to prevent traceroute to some extent, but it cannot completely block tracerouting into the DMZ area. Traceroute uses a combination of ICMP, UDP, and TCP packets to determine the network path to a destination. By blocking these protocols, the firewall can make it more difficult for attackers to perform traceroute, but determined attackers may still find ways to bypass these restrictions. Therefore, there is no foolproof way to completely block tracerouting into the DMZ area.

Rate this question:
28.

Neil is an IT security consultant working on contract for Davidson Avionics. Neil has been hired to audit the network of Davidson Avionics. He has been given permission to perform any tests necessary. Neil has created a fake company ID badge and uniform. Neil waits by one of the company's entrance doors and follows an employee into the office after they use their valid access card to gain entrance. What type of social engineering attack has Neil employed here?
- A.
  
  Neil has used a tailgating social engineering attack to gain access to the offices
- B.
  
  He has used a piggybacking technique to gain unauthorized access
- C.
  
  This type of social engineering attack is called man trapping
- D.
  
  Neil is using the technique of reverse social engineering to gain access to the offices of Davidson Avionics
Correct Answer
A. Neil has used a tailgating social engineering attack to gain access to the offices

Explanation
Neil has used a tailgating social engineering attack to gain access to the offices. Tailgating refers to the act of following someone who has legitimate access into a secure area without proper authorization. In this case, Neil used a fake company ID badge and uniform to blend in and gain entry by following an employee who used their valid access card. This type of attack exploits the trust and natural tendency of people to hold doors open for others, allowing unauthorized individuals to gain entry.

Rate this question:
29.

After a client sends a connection request (SYN) packet to the server, the server will respond (SYN-ACK) with a sequence number of its choosing, which then must be acknowledged (ACK) by the client. This sequence number is predictable; the attack connects to a service first with its own IP address, records the sequence number chosen, and then opens a second connection from a forged IP address. The attack doesn't see the SYN-ACK (or any other packet) from the server, but can guess the correct responses. If the source IP address is used for authentication, then the attacker can use the one-sided communication to break into the server. What attacks can you successfully launch against a server using the above technique?
- A.
  
  Denial of Service attacks
- B.
  
  Session Hijacking attacks
- C.
  
  Web page defacement attacks
- D.
  
  IP spoofing attacks
Correct Answer
B. Session Hijacking attacks

Explanation
By recording the sequence number chosen by the server and then opening a second connection from a forged IP address, an attacker can successfully launch Session Hijacking attacks. In this type of attack, the attacker can impersonate the legitimate client by guessing the correct responses and gain unauthorized access to the server. This allows the attacker to hijack the established session and potentially perform malicious actions on behalf of the legitimate client.

Rate this question:
30.

Harold just got home from working at Henderson LLC where he works as an IT technician. He was able to get off early because they were not too busy. When he walks into his home office, he notices his teenage daughter on the computer, apparently chatting with someone online. As soon as she hears Harold enter the room, she closes all her windows and tries to act like she was playing a game. When Harold asks her what she was doing, she acts very nervous and does not give him a straight answer. Harold is very concerned because he does not want his daughter to fall victim to online predators and the sort. Harold doesn't necessarily want to install any programs that will restrict the sites his daughter goes to, because he doesn't want to alert her to his trying to figure out what she is doing. Harold wants to use some kind of program that will track her activities online, and send Harold an email of her activity once a day so he can see what she has been up to. What kind of software could Harold use to accomplish this?
- A.
  
  Install hardware Keylogger on her computer
- B.
  
  Install screen capturing Spyware on her computer
- C.
  
  Enable Remote Desktop on her computer
- D.
  
  Install VNC on her computer
Correct Answer
B. Install screen capturing Spyware on her computer

Explanation
Harold can use screen capturing spyware to track his daughter's online activities. This software will capture screenshots of her computer screen at regular intervals, allowing Harold to see what she has been doing online. By installing this spyware, Harold can monitor his daughter's activities without her knowledge or alerting her to his intentions. This will help him ensure her safety and protect her from potential online predators.

Rate this question:
31.

You are performing a port scan with nmap. You are in hurry and conducting the scans at the fastest possible speed. However, you don't want to sacrifice reliability for speed. If stealth is not an issue, what type of scan should you run to get very reliable results?
- A.
  
  Stealth scan
- B.
  
  Connect scan
- C.
  
  Fragmented packet scan
- D.
  
  XMAS scan
Correct Answer
B. Connect scan

Explanation
A connect scan is the most reliable type of scan to use in this scenario. It establishes a full TCP connection with the target host, which allows for more accurate results. This scan sends a SYN packet to the target host and waits for a response. If the target responds with a SYN/ACK packet, it means the port is open. If the target responds with a RST packet, it means the port is closed. This method is more reliable because it completes the full TCP handshake, ensuring that the results are accurate.

Rate this question:
32.

Blane is a security analyst for a law firm. One of the lawyers needs to send out an email to a client but he wants to know if the email is forwarded on to any other recipients. The client is explicitly asked not to re-send the email since that would be a violation of the lawyer's and client's agreement for this particular case. What can Blane use to accomplish this?
- A.
  
  He can use a split-DNS service to ensure the email is not forwarded on.
- B.
  
  A service such as HTTrack would accomplish this.
- C.
  
  Blanecould use MetaGoofil tracking tool.
- D.
  
  Blane can use a service such as ReadNotify tracking tool.
Correct Answer
D. Blane can use a service such as ReadNotify tracking tool.

Explanation
Blane can use a service such as ReadNotify tracking tool to accomplish this. This tool allows the sender to track the email and receive notifications when it is opened, forwarded, or printed. By using ReadNotify, Blane can monitor if the email is forwarded to any other recipients, ensuring compliance with the lawyer's and client's agreement.

Rate this question:
33.

You ping a target IP to check if the host is up. You do not get a response. You suspect ICMP is blocked at the firewall. Next you use hping2 tool to ping the target host and you get a response. Why does the host respond to hping2 and not ping packet?
- A.
  
  Ping packets cannot bypass firewalls
- B.
  
  You must use ping 10.2.3.4 switch
- C.
  
  Hping2 uses stealth TCP packets to connect
- D.
  
  Hping2 uses TCP instead of ICMP by default
Correct Answer
D. Hping2 uses TCP instead of ICMP by default

Explanation
Hping2 uses TCP instead of ICMP by default, which allows it to bypass the firewall that may be blocking ICMP packets. While ping packets use ICMP, which can be blocked by firewalls, hping2's use of TCP packets enables it to establish a connection with the target host and receive a response even if ICMP is blocked.

Rate this question:
34.

John is the network administrator of XSECURITY systems. His network was recently compromised. He analyzes the log files to investigate the attack. Take a look at the following Linux log file snippet. The hacker compromised and "owned" a Linux machine. What is the hacker trying to accomplish here?
- A.
  
  The hacker is attempting to compromise more machines on the network
- B.
  
  The hacker is planting a rootkit
- C.
  
  The hacker is running a buffer overflow exploit to lock down the system
- D.
  
  The hacker is trying to cover his tracks
Correct Answer
D. The hacker is trying to cover his tracks

Explanation
The given log file snippet suggests that the hacker is trying to cover his tracks. This can be inferred from the fact that the hacker has compromised a Linux machine and is likely attempting to erase any evidence of their presence or actions on the compromised system.

Rate this question:
35.

Blake is in charge of securing all 20 of his company's servers. He has enabled hardware and software firewalls, hardened the operating systems, and disabled all unnecessary services on all the servers. Unfortunately, there is proprietary AS400 emulation software that must run on one of the servers that requires the telnet service to function properly. Blake is especially concerned about this since telnet can be a very large security risk in an organization. Blake is concerned about how this particular server might look to an outside attacker so he decides to perform some footprinting, scanning, and penetration tests on the server. Blake telnets into the server using Port 80 and types in the following command: HEAD / HTTP/1.0 After pressing enter twice, Blake gets the following results: What has Blake just accomplished?
- A.
  
  Downloaded a file to his local computer
- B.
  
  Submitted a remote command to crash the server
- C.
  
  Poisoned the local DNS cache of the server
- D.
  
  Grabbed the Operating System banner
Correct Answer
D. Grabbed the Operating System banner

Explanation
By typing the command "HEAD / HTTP/1.0" and receiving the results, Blake has successfully grabbed the Operating System banner. The command is commonly used to retrieve information about the web server, including the version and type of operating system it is running on. This information can be useful for an attacker to identify vulnerabilities and plan further attacks.

Rate this question:
36.

You want to perform advanced SQL Injection attack against a vulnerable website. You are unable to perform command shell hacks on this server. What must be enabled in SQL Server to launch these attacks?
- A.
  
  System services
- B.
  
  EXEC master access
- C.
  
  Xp_cmdshell
- D.
  
  RDC
Correct Answer
C. Xp_cmdshell

Explanation
In order to perform advanced SQL Injection attacks on a vulnerable website without being able to perform command shell hacks on the server, the xp_cmdshell feature must be enabled in SQL Server. This feature allows the execution of command shell commands from within SQL Server, providing the attacker with the ability to execute arbitrary commands on the server. By enabling xp_cmdshell, the attacker can gain further control and exploit the vulnerabilities in the website.

Rate this question:
37.

Kevin is an IT security analyst working for Emerson Time Makers, a watch manufacturing company in Miami. Kevin and his girlfriend Katy recently broke up after a big fight. Kevin believes that she was seeing another person. Kevin, who has an online email account that he uses for most of his mail, knows that Katy has an account with that same company. Kevin logs into his email account online and gets the following URL after successfully logged in: http://www.youremailhere.com/mail.asp?mailbox=Kevin&Smith=121%22 Kevin changes the URL to: http://www.youremailhere.com/mail.asp?mailbox=Katy&Sanchez=121%22 Kevin is trying to access her email account to see if he can find out any information. What is Kevin attempting here to gain access to Katy's mailbox?
- A.
  
  This type of attempt is called URL obfuscation when someone manually changes aURL to try and gain unauthorized access
- B.
  
  By changing the mailbox's name in the URL, Kevin is attempting directory transversal
- C.
  
  Kevin is trying to utilize query string manipulation to gain access to her email account
- D.
  
  He is attempting a path-string attack to gain access to her mailbox
Correct Answer
C. Kevin is trying to utilize query string manipulation to gain access to her email account

Explanation
Kevin is attempting to gain unauthorized access to Katy's email account by manipulating the query string in the URL. The query string manipulation involves changing the parameters in the URL to try and bypass authentication and gain access to the desired mailbox. This type of attack is known as query string manipulation and is a common method used by attackers to exploit vulnerabilities in web applications.

Rate this question:
38.

A majority of attacks come from insiders, people who have direct access to a company's computer system as part of their job function or a business relationship. Who is considered an insider?
- A.
  
  A competitor to the company because they can directly benefit from the publicity generated by making such an attack
- B.
  
  Disgruntled employee, customers, suppliers, vendors, business partners, contractors, temps, and consultants
- C.
  
  The CEO of the company because he has access to all of the computer systems
- D.
  
  A government agency since they know the company's computer system strengths and weaknesses
Correct Answer
B. Disgruntled employee, customers, suppliers, vendors, business partners, contractors, temps, and consultants

Explanation
Insiders refer to individuals who have direct access to a company's computer system as part of their job function or a business relationship. This includes disgruntled employees, customers, suppliers, vendors, business partners, contractors, temps, and consultants. These individuals have the potential to carry out attacks due to their knowledge of the system and their proximity to sensitive information.

Rate this question:
39.

Jeremy is web security consultant for Information Securitas. Jeremy has just been hired to perform contract work for a large state agency in Michigan. Jeremy's first task is to scan all the company's external websites. Jeremy comes upon a login page which appears to allow employees access to sensitive areas on the website. James types in the following statement in the username field: SELECT * from Users where username='admin' ?AND password='' AND email like '%@testers.com%' What will the SQL statement accomplish?
- A.
  
  If the page is susceptible to SQL injection, it will look in theUsers table for usernames of admin
- B.
  
  This statement will look for users with the name of admin, blank passwords, and email addresses that end in @testers.com
- C.
  
  This Select SQL statement will log James in if there are any users with NULL passwords
- D.
  
  James will be able to see if there are any default user accounts in the SQL database
Correct Answer
B. This statement will look for users with the name of admin, blank passwords, and email addresses that end in @testers.com

Explanation
The SQL statement will look for users with the name of admin, blank passwords, and email addresses that end in @testers.com. This implies that James is attempting to exploit a potential vulnerability in the login page by using SQL injection. By inputting this statement, James is trying to retrieve information from the Users table that matches the specified conditions.

Rate this question:
40.

An attacker is attempting to telnet into a corporation's system in the DMZ. The attacker doesn't want to get caught and is spoofing his IP address. After numerous tries he remains unsuccessful in connecting to the system. The attacker rechecks that the target system is actually listening on Port 23 and he verifies it with both nmap and hping2. He is still unable to connect to the target system. What could be the reason?
- A.
  
  The firewall is blocking port 23 to that system
- B.
  
  He needs to use an automated tool to telnet in
- C.
  
  He cannot spoof hisIP and successfully use TCP
- D.
  
  He is attacking an operating system that does not reply to telnet even when open
Correct Answer
C. He cannot spoof hisIP and successfully use TCP

Explanation
The reason could be that he cannot successfully spoof his IP and use TCP. Spoofing his IP address means that he is altering the source IP address in the packets he sends to make it appear as if they are coming from a different IP address. However, TCP uses a three-way handshake process, which requires the attacker to receive a response from the target system in order to establish a connection. Since the attacker is spoofing his IP, the response from the target system will be sent to the spoofed IP address, not to the attacker's actual IP address. This means that the attacker will not receive the response and the connection will not be established.

Rate this question:
41.

If an attacker's computer sends an IPID of 31400 to a zombie (Idle Scanning) computer on an open port, what will be the response?
- A.
  
  31400
- B.
  
  31402
- C.
  
  The zombie will not send a response
- D.
  
  31401
Correct Answer
B. 31402

Explanation
When an attacker's computer sends an IPID of 31400 to a zombie computer on an open port using Idle Scanning technique, the response from the zombie computer will be 31402.

Rate this question:
42.

Trojan horse attacks pose one of the most serious threats to computer security. The image below shows different ways a Trojan can get into a system. Which are the easiest and most convincing ways to infect a computer?
- A.
  
  IRC (Internet Relay Chat)
- B.
  
  Legitimate "shrink-wrapped" software packaged by a disgruntled employee
- C.
  
  NetBIOS (File Sharing)
- D.
  
  Downloading files, games and screensavers from Internet sites
Correct Answer
B. Legitimate "shrink-wrapped" software packaged by a disgruntled employee

Explanation
The easiest and most convincing way to infect a computer with a Trojan horse is through legitimate "shrink-wrapped" software packaged by a disgruntled employee. This method is effective because the software appears legitimate and trustworthy, making it easier to convince users to install it on their systems. Once installed, the Trojan can execute its malicious activities without the user suspecting any foul play.

Rate this question:
43.

SSL has been seen as the solution to a lot of common security problems. Administrator will often time make use of SSL to encrypt communications from points A to point B. Why do you think this could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic between point A and B?
- A.
  
  SSL is redundant if you already have IDS's in place
- B.
  
  SSL will trigger rules at regular interval and force the administrator to turn them off
- C.
  
  SSL will slow down the IDS while it is breaking the encryption to see the packet content
- D.
  
  SSL will blind the content of the packet and Intrusion Detection Systems will not be able to detect them
Correct Answer
D. SSL will blind the content of the packet and Intrusion Detection Systems will not be able to detect them

Explanation
SSL encrypts the communication between point A and B, making it difficult for an Intrusion Detection System (IDS) to analyze the packet content. The IDS relies on inspecting the packet content to detect any malicious activity or potential threats. However, when SSL is used, the content of the packets becomes obscured, and the IDS is unable to effectively analyze them. This can result in the IDS failing to detect any intrusions or security threats, making SSL a bad idea in this scenario.

Rate this question:
44.

June, a security analyst, understands that a polymorphic virus has the ability to mutate and can change its known viral signature and hide from signature-based antivirus programs. Can June use an antivirus program in this case and would it be effective against a polymorphic virus?
- A.
  
  Yes. June can use an antivirus program since it compares the parity bitof executable files to the database of known check sum counts and it is effective on a polymorphic virus
- B.
  
  Yes. June can use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and it is very effective against a polymorphic virus
- C.
  
  No. June can't use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and in the case the polymorphic viruses cannot be detected by a signature-based anti-virus program
- D.
  
  No. June can't use an antivirus program since it compares the size of executable files to the database of known viral signatures and it is effective on a polymorphic virus
Correct Answer
C. No. June can't use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and in the case the polymorphic viruses cannot be detected by a signature-based anti-virus program

Explanation
The correct answer states that June cannot use an antivirus program because it compares the signatures of executable files to the database of known viral signatures, and in the case of polymorphic viruses, they cannot be detected by a signature-based antivirus program. Polymorphic viruses have the ability to mutate and change their known viral signature, making it difficult for signature-based antivirus programs to identify and detect them. Therefore, using an antivirus program that relies on signature matching would not be effective against polymorphic viruses.

Rate this question:
45.

Which of the following Exclusive OR transforms bits is NOT correct?
- A.
  
  0 xor 0 = 0
- B.
  
  1 xor 0 = 1
- C.
  
  1 xor 1 = 1
- D.
  
  0 xor 1 = 1
Correct Answer
C. 1 xor 1 = 1

Explanation
The given XOR transforms for bits are all correct except for "1 xor 1 = 1". The XOR operation returns 1 only when the two input bits are different, but in the case of "1 xor 1", both bits are the same (both are 1), so the correct result should be 0.

Rate this question:
46.

The traditional traceroute sends out ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets take to reach the destination. The problem is that with the widespread use of firewalls on the Internet today, many of the packets that traceroute sends out end up being filtered, making it impossible to completely trace the path to the destination. How would you overcome the Firewall restriction on ICMP ECHO packets?
- A.
  
  Firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.
- B.
  
  Firewalls will permit inbound UDP packets to specific ports that hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.
- C.
  
  Firewalls will permit inbound UDP packets to specific portsthat hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.
- D.
  
  Do not use traceroute command to determine the path packets taketo reach the destination instead use the custom hacking tool JOHNTHETRACER and run with the command
- E.
  
  \> JOHNTHETRACER www.eccouncil.org -F -evade
Correct Answer
A. Firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.

Explanation
By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters. Firewalls typically permit inbound TCP packets to specific ports that hosts behind the firewall are listening for connections. Therefore, by using TCP SYN packets, which are typically used to establish a TCP connection, traceroute can mimic legitimate traffic and bypass the firewall restrictions on ICMP ECHO packets. This allows traceroute to successfully trace the path packets take to reach the destination, even in the presence of firewalls.

Rate this question:
47.

Simon is security analyst writing signatures for a Snort node he placed internally that captures all mirrored traffic from his border firewall. From the following signature, what will Snort look for in the payload of the suspected packets? alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "BACKDOOR SIG - SubSseven 22";flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;) alert
- A.
  
  The payload of 485 is what this Snort signature will look for.
- B.
  
  Snort will look for 0d0a5b52504c5d3030320d0a in the payload.
- C.
  
  Packets that contain the payload of BACKDOOR SIG -SubSseven 22 will be flagged.
- D.
  
  From this snort signature, packets with HOME_NET 27374 in the payload will be flagged.
Correct Answer
B. Snort will look for 0d0a5b52504c5d3030320d0a in the payload.

Explanation
This Snort signature is designed to look for the hexadecimal string "0d0a5b52504c5d3030320d0a" in the payload of the suspected packets. If this string is found in the payload, Snort will flag the packets as potentially containing the "BACKDOOR SIG - SubSseven 22" backdoor signature.

Rate this question:
48.

You are trying to package a RAT Trojan so that Anti-Virus software will not detect it. Which of the listed technique will NOT be effective in evading Anti-Virus scanner?
- A.
  
  Convert the Trojan.exe file extension to Trojan.txt disguising as text file
- B.
  
  Break the Trojan into multiple smaller files and zip the individual pieces
- C.
  
  Change the content of the Trojan using hex editor and modify the checksum
- D.
  
  Encrypt the Trojan using multiple hashing algorithms like MD5 and SHA-1
Correct Answer
A. Convert the Trojan.exe file extension to Trojan.txt disguising as text file

Explanation
Converting the Trojan.exe file extension to Trojan.txt will not be effective in evading the Anti-Virus scanner. Although changing the file extension may make it appear as a text file, Anti-Virus software is designed to analyze the content of the file rather than just relying on the file extension. The scanner will still be able to detect the malicious code within the file, regardless of the file extension.

Rate this question:
49.

What will the following command produce on a website's login page if executed successfully? SELECT email, passwd, login_id, full_name FROM members WHERE email = '[email protected]'; DROP TABLE members; --'
- A.
  
  This code will insert the [email protected] email address into the members table.
- B.
  
  This command will delete the entire members table.
- C.
  
  It retrieves the password for the first user in the members table.
- D.
  
  This command will not produce anything since the syntax is incorrect.
Correct Answer
B. This command will delete the entire members table.

Explanation
The given command is a SQL injection attack that aims to delete the entire members table. The command starts with a SELECT statement to retrieve the email, password, login ID, and full name from the members table where the email is equal to '[email protected]'. However, the command is maliciously crafted to include a DROP TABLE statement, which will delete the members table. The semicolon and double hyphen at the end are used to comment out the rest of the command, making it effective in deleting the table.

Rate this question:
50.

Oregon Corp is fighting a litigation suit with Scamster Inc. Oregon has assigned a private investigative agency to go through garbage, recycled paper, and other rubbish at Scamster's office site in order to find relevant information. What would you call this kind of activity?
- A.
  
  CI Gathering
- B.
  
  Scanning
- C.
  
  Dumpster Diving
- D.
  
  Garbage Scooping
Correct Answer
C. Dumpster Diving

Explanation
Dumpster diving refers to the activity of searching through someone's trash or garbage in order to find useful or valuable information. In this case, Oregon Corp has hired a private investigative agency to search through Scamster Inc's garbage and other rubbish at their office site to gather relevant information for their litigation suit. Dumpster diving is a common practice used by investigators to obtain evidence or gather intelligence.

Rate this question:

Quiz Review Timeline +

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

Current Version
Mar 21, 2023

Quiz Edited by
ProProfs Editorial Team
Oct 28, 2013

Quiz Created by
Porterwb

CEH Quiz (201 - 261)

Bill is a security analyst for his company. All the switches used in the company's office are Cisco switches. Bill wants to make sure all switches are safe from ARP poisoning. How can Bill accomplish this?

You generate MD5 128-bit hash on all files and folders on your computer to keep a baseline check for security reasons? What is the length of the MD5 hash?

Which type of password cracking technique works like dictionary attack but adds some numbers and symbols to the words from the dictionary and tries to crack the password?

What command would you type to OS fingerprint a server using the command line?

What do you call a pre-computed hash?

Why attackers use proxy servers?

You are writing security policy that hardens and prevents Footprinting attempt by Hackers. Which of the following countermeasures will NOT be effective against this attack?

WWW wanderers or spiders are programs that traverse many pages in the World Wide Web by recursively retrieving linked pages. Search engines like Google, frequently spider web pages for indexing. How will you stop web spiders from crawling certain directories on your website?

Web servers are often the most targeted and attacked hosts on organizations' networks. Attackers may exploit software bugs in the Web server, underlying operating system, or active content to gain unauthorized access. Identify the correct statement related to the above Web Server installation?

If an attacker's computer sends an IPID of 24333 to a zombie (Idle Scanning) computer on a closed port, what will be the response?

Jacob is looking through a traffic log that was captured using Wireshark. Jacob has come across what appears to be SYN requests to an internal computer from a spoofed IP address. What is Jacob seeing here?

Which of the following Registry location does a Trojan add entries to make it persistent on Windows 7? (Select 2 answers)

What type of port scan is shown below?

Here is the ASCII Sheet. You want to guess the DBO username juggyboy (8 characters) using Blind SQL Injection technique. What is the correct syntax?

How do you defend against ARP Poisoning attack? (Select 2 answers)

You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discovering the internal structure of publicly accessible areas of the network. How can you achieve this?

You are performing a port scan with nmap. You are in hurry and conducting the scans at the fastest possible speed. However, you don't want to sacrifice reliability for speed. If stealth is not an issue, what type of scan should you run to get very reliable results?

You ping a target IP to check if the host is up. You do not get a response. You suspect ICMP is blocked at the firewall. Next you use hping2 tool to ping the target host and you get a response. Why does the host respond to hping2 and not ping packet?

John is the network administrator of XSECURITY systems. His network was recently compromised. He analyzes the log files to investigate the attack. Take a look at the following Linux log file snippet. The hacker compromised and "owned" a Linux machine. What is the hacker trying to accomplish here?

You want to perform advanced SQL Injection attack against a vulnerable website. You are unable to perform command shell hacks on this server. What must be enabled in SQL Server to launch these attacks?

A majority of attacks come from insiders, people who have direct access to a company's computer system as part of their job function or a business relationship. Who is considered an insider?

If an attacker's computer sends an IPID of 31400 to a zombie (Idle Scanning) computer on an open port, what will be the response?

Trojan horse attacks pose one of the most serious threats to computer security. The image below shows different ways a Trojan can get into a system. Which are the easiest and most convincing ways to infect a computer?

June, a security analyst, understands that a polymorphic virus has the ability to mutate and can change its known viral signature and hide from signature-based antivirus programs. Can June use an antivirus program in this case and would it be effective against a polymorphic virus?

Which of the following Exclusive OR transforms bits is NOT correct?

You are trying to package a RAT Trojan so that Anti-Virus software will not detect it. Which of the listed technique will NOT be effective in evading Anti-Virus scanner?

What will the following command produce on a website's login page if executed successfully? SELECT email, passwd, login_id, full_name FROM members WHERE email = '[email protected]'; DROP TABLE members; --'

Oregon Corp is fighting a litigation suit with Scamster Inc. Oregon has assigned a private investigative agency to go through garbage, recycled paper, and other rubbish at Scamster's office site in order to find relevant information. What would you call this kind of activity?