CEH Quiz (101-200) Take This Quiz

Approved & Edited by ProProfs Editorial Team

The editorial team at ProProfs Quizzes consists of a select group of subject experts, trivia writers, and quiz masters who have authored over 10,000 quizzes taken by more than 100 million users. This team includes our in-house seasoned quiz moderators and subject matter experts. Our editorial experts, spread across the world, are rigorously trained using our comprehensive guidelines to ensure that you receive the highest quality quizzes.

Learn about Our Editorial Process

| By Porterwb

Porterwb

Community Contributor

Quizzes Created: 2 | Total Attempts: 1,084

Questions: 100 | Attempts: 657 | Updated: Mar 22, 2023

Questions

Settings

Feedback

During the Quiz End of Quiz

Play as

Quiz Flashcard

Create your own Quiz

CEH Quiz (101-200) Take This Quiz - Quiz

This is your description.

Questions and Answers

1.

You are footprinting an organization and gathering competitive intelligence. You visit the company's website for contact information and telephone numbers but do not find them listed there. You know they had the entire staff directory listed on their website 12 months ago but now it is not there. Is there any way you can retrieve information from a website that is outdated?
- A.
  
  Visit Google's search engine and view the cached copy
- B.
  
  Crawl the entire website and store them into your computer
- C.
  
  Visit Archive.org web site to retrieve the Internet archive of the company's website
- D.
  
  Visit the company's partners and customers website for this information
Correct Answer
C. Visit Archive.org web site to retrieve the Internet archive of the company's website

Explanation
The Archive.org website is known for its Wayback Machine feature, which allows users to view archived versions of websites from the past. By visiting the Archive.org website, you can access the Internet archive of the company's website and retrieve the information that was previously listed, including the staff directory and contact information. This can be a useful method to retrieve outdated information from a website that no longer has it listed.

Rate this question:
2.

You are the CIO for Avantes Finance International, a global finance company based in Geneva. You are responsible for network functions and logical security throughout the entire corporation. Your company has over 250 servers running Windows Server, 5000 workstations running Windows Vista, and 200 mobile users working from laptops on Windows 7. Last week, 10 of your company's laptops were stolen from salesmen while at a conference in Amsterdam. These laptops contained proprietary company information. While doing damage assessment on the possible public relations nightmare this may become, a news story leaks about the stolen laptops and also that sensitive information from those computers was posted to a blog online. What built-in Windows feature could you have implemented to protect the sensitive information on these laptops?
- A.
  
  You should have used 3DES which is built into Windows
- B.
  
  If you would have implemented Pretty Good Privacy (PGP) which is built into Windows, the sensitive information on the laptops would not have leaked out
- C.
  
  You should have utilized the built-in feature of Distributed File System (DFS) to protect the sensitive information on the laptops
- D.
  
  You could have implemented Encrypted File System (EFS) to encrypt the sensitive files on the laptops
Correct Answer
D. You could have implemented Encrypted File System (EFS) to encrypt the sensitive files on the laptops

Explanation
The correct answer suggests that implementing Encrypted File System (EFS) could have protected the sensitive information on the stolen laptops. EFS is a built-in Windows feature that allows users to encrypt individual files and folders, providing an additional layer of security. By encrypting the sensitive files on the laptops, even if the laptops are stolen, the information would remain encrypted and inaccessible to unauthorized users. This would help prevent the leakage of sensitive information in case of theft or unauthorized access to the laptops.

Rate this question:
3.

A Trojan horse is a destructive program that masquerades as a benign application. The software initially appears to perform a desirable function for the user prior to installation and/or execution, but in addition to the expected function steals information or harms the system. The challenge for an attacker is to send a convincing file attachment to the victim, which gets easily executed on the victim machine without raising any suspicion. Today's end users are quite knowledgeable about malwares and viruses. Instead of sending games and fun executables, Hackers today are quite successful in spreading the Trojans using Rogue security software. What is Rogue security software?
- A.
  
  A flash file extension to Firefox that gets automatically installed when a victim visits rogue software disabling websites
- B.
  
  A Fake AV program that claims to rid a computer of malware, but instead installsspyware or other malware onto the computer. This kind of software is known as rogue security software.
- C.
  
  Rogue security software is basedon social engineering technique in which the attackers lures victim to visit spear phishing websites
- D.
  
  This software disables firewalls and establishes reverse connecting tunnel between the victim's machine and that of the attacker
Correct Answer
C. Rogue security software is basedon social engineering technique in which the attackers lures victim to visit spear phishing websites
4.

Which of the following is NOT part of CEH Scanning Methodology?
- A.
  
  Check for Live systems
- B.
  
  Check for Open Ports
- C.
  
  Banner Grabbing
- D.
  
  Prepare Proxies
- E.
  
  Social Engineering attacks
- F.
  
  Scan for Vulnerabilities
- G.
  
  Draw Network Diagrams
Correct Answer
E. Social Engineering attacks

Explanation
Social Engineering attacks are not part of CEH Scanning Methodology. CEH Scanning Methodology involves checking for live systems, checking for open ports, banner grabbing, preparing proxies, scanning for vulnerabilities, and drawing network diagrams. Social Engineering attacks, on the other hand, involve manipulating individuals to gain unauthorized access to systems or information, which is not directly related to scanning networks for vulnerabilities.

Rate this question:
5.

Lee is using Wireshark to log traffic on his network. He notices a number of packets being directed to an internal IP from an outside IP where the packets are ICMP and their size is around 65,536 bytes. What is Lee seeing here?
- A.
  
  Lee is seeing activity indicative of a Smurf attack.
- B.
  
  Most likely, the ICMP packets are being sent in this manner to attempt IP spoofing.
- C.
  
  Lee is seeing a Ping of death attack.
- D.
  
  This is not unusual traffic, ICMP packets can be of any size.
Correct Answer
C. Lee is seeing a Ping of death attack.

Explanation
Lee is seeing a Ping of death attack. This is indicated by the large size of the ICMP packets, which are around 65,536 bytes. A Ping of death attack involves sending oversized ICMP packets to a target's IP address, causing the target system to crash or become unresponsive.

Rate this question:
6.

This method is used to determine the Operating system and version running on a remote target system. What is it called?
- A.
  
  Service Degradation
- B.
  
  OS Fingerprinting
- C.
  
  Manual Target System
- D.
  
  Identification Scanning
Correct Answer
B. OS Fingerprinting

Explanation
OS fingerprinting is a method used to determine the operating system and version running on a remote target system. This technique involves analyzing network packets or responses from the target system to identify specific characteristics or behaviors that are unique to different operating systems. By analyzing these fingerprints, security professionals can gain valuable information about the target system, which can be used for vulnerability assessment or penetration testing purposes.

Rate this question:
7.

William has received a Chess game from someone in his computer programming class through email. William does not really know the person who sent the game very well, but decides to install the game anyway because he really likes Chess. After William installs the game, he plays it for a couple of hours. The next day, William plays the Chess game again and notices that his machine has begun to slow down. He brings up his Task Manager and sees the following programs running:
- A.
  
  Zombie Zapper (ZoZ)
- B.
  
  Remote Access Trojan (RAT)
- C.
  
  Bot IRC Tunnel (BIT)
- D.
  
  Root Digger (RD)
Correct Answer
B. Remote Access Trojan (RAT)

Explanation
The correct answer is Remote Access Trojan (RAT). A RAT is a type of malware that allows an attacker to remotely control a victim's computer. In this scenario, William's computer has been infected with a RAT after installing the Chess game. This explains why his machine has started to slow down and why he sees the RAT program running in his Task Manager. The RAT is likely responsible for the decrease in performance and may also be compromising William's privacy and security by allowing the attacker to access and control his computer remotely.

Rate this question:
8.

John the hacker is sniffing the network to inject ARP packets. He injects broadcast frames onto the wire to conduct MiTM attack. What is the destination MAC address of a broadcast frame?
- A.
  
  0xFFFFFFFFFFFF
- B.
  
  0xDDDDDDDDDDDD
- C.
  
  0xAAAAAAAAAAAA
- D.
  
  0xBBBBBBBBBBBB
Correct Answer
A. 0xFFFFFFFFFFFF

Explanation
The destination MAC address of a broadcast frame is 0xFFFFFFFFFFFF. In Ethernet, a broadcast frame is sent to all devices on the network, so the destination MAC address is set to the broadcast address, which is represented by all Fs in hexadecimal notation.

Rate this question:
9.

You are gathering competitive intelligence on an organization. You notice that they have jobs listed on a few Internet job-hunting sites. There are two jobs for network and system administrators. How can this help you in foot printing the organization?
- A.
  
  To learn about the IP range used by the target network
- B.
  
  To identify thenumber of employees working for the company
- C.
  
  To test the limits of the corporate security policy enforced in the company
- D.
  
  To learn about the operating systems, services and applications used on the network
Correct Answer
D. To learn about the operating systems, services and applications used on the network

Explanation
By observing the job listings for network and system administrators, one can infer the specific operating systems, services, and applications that are being used by the organization. This information can be valuable for foot printing the organization as it provides insight into the technology infrastructure and potential vulnerabilities that may exist.

Rate this question:
10.

TCP packets transmitted in either direction after the initial three-way handshake will have which of the following bit set?
- A.
  
  SYN flag
- B.
  
  ACK flag
- C.
  
  FIN flag
- D.
  
  XMAS flag
Correct Answer
B. ACK flag

Explanation
After the initial three-way handshake in TCP, the ACK flag is set in the packets transmitted in either direction. The ACK flag is used to acknowledge the receipt of data and to confirm that the previous segment was received successfully. It is important for ensuring reliable data transmission and flow control in TCP.

Rate this question:
11.

The programmers on your team are analyzing the free, open source software being used to run FTP services on a server in your organization. They notice that there is excessive number of functions in the source code that might lead to buffer overflow. These C++ functions do not check bounds. Identify the line in the source code that might lead to buffer overflow?
- A.
  
  9
- B.
  
  17
- C.
  
  20
- D.
  
  32
- E.
  
  35
Correct Answer
B. 17

Explanation
Line 17 in the source code might lead to buffer overflow because the C++ functions at that line do not check bounds, which means that they do not verify if the data being written to the buffer exceeds its allocated size. This can result in writing data beyond the buffer's boundaries, causing a buffer overflow vulnerability.

Rate this question:
12.

What framework architecture is shown in this exhibit?
- A.
  
  Core Impact
- B.
  
  Metaspolit
- C.
  
  Immunity Canvas
- D.
  
  Nessus
Correct Answer
B. Metaspolit

Explanation
The correct answer is Metasploit. Metasploit is a framework that provides information about security vulnerabilities and aids in penetration testing. It allows users to exploit vulnerabilities in systems and gain unauthorized access. The exhibit likely shows the architecture of the Metasploit framework, which includes various components and modules used for scanning, exploiting, and post-exploitation activities.

Rate this question:
13.

Which of the following steganography utilities exploits the nature of white space and allows the user to conceal information in these white spaces?
- A.
  
  Image Hide
- B.
  
  Snow
- C.
  
  Gif-it-up
- D.
  
  NiceText
Correct Answer
B. Snow

Explanation
Snow is a steganography utility that exploits the nature of white space and allows the user to conceal information in these white spaces.

Rate this question:
14.

You have chosen a 22 character word from the dictionary as your password. How long will it take to crack the password by an attacker?
- A.
  
  16 million years
- B.
  
  5 minutes
- C.
  
  23 days
- D.
  
  200 years
Correct Answer
B. 5 minutes

Explanation
The given answer suggests that it will take an attacker only 5 minutes to crack a 22 character word password. This implies that the password is not strong enough and can be easily guessed or hacked using various methods such as brute force attacks or dictionary attacks. A strong password should ideally be longer and include a combination of uppercase and lowercase letters, numbers, and special characters to make it more secure and difficult to crack.

Rate this question:
15.

While testing web applications, you attempt to insert the following test script into the search area on the company's web site: <script>alert('Testing Testing Testing')</script> Later, when you press the search button, a pop up box appears on your screen with the text "Testing Testing Testing". What vulnerability is detected in the web application here?
- A.
  
  Cross Site Scripting
- B.
  
  Password attacks
- C.
  
  A Buffer Overflow
- D.
  
  A hybrid attack
Correct Answer
A. Cross Site Scripting

Explanation
The vulnerability detected in the web application in this scenario is Cross Site Scripting (XSS). This is evident from the fact that when the test script is inserted into the search area and the search button is pressed, a pop-up box appears on the screen with the text "Testing Testing Testing". This indicates that the web application is not properly sanitizing or validating user input, allowing the execution of malicious scripts.

Rate this question:
16.

What techniques would you use to evade IDS during a Port Scan? (Select 4 answers)
- A.
  
  Use fragmented IP packets
- B.
  
  Spoof your IP address when launching attacks and sniff responses from the server
- C.
  
  Overload the IDS with Junk traffic to mask your scan
- D.
  
  Use source routing (if possible)
- E.
  
  Connect to proxy servers or compromised Trojaned machines to launch attacks
Correct Answer(s)
A. Use fragmented IP packets
B. Spoof your IP address when launching attacks and sniff responses from the server
D. Use source routing (if possible)
E. Connect to proxy servers or compromised Trojaned machines to launch attacks

Explanation
To evade IDS during a Port Scan, one can use the following techniques:
- Using fragmented IP packets: By splitting the packets, it becomes difficult for the IDS to detect the malicious activity.
- Spoofing IP address and sniffing responses: By disguising the source IP address, it becomes challenging for the IDS to track the attacker. Sniffing responses allows the attacker to gather information without being detected.
- Overloading IDS with junk traffic: By flooding the IDS with irrelevant traffic, the actual scan can be masked.
- Using source routing: If available, source routing can be used to bypass the IDS and hide the true source of the attack.
- Connecting to proxy servers or compromised machines: By using these intermediaries, the attacker can launch the scan without being directly traced.

Rate this question:
17.

Bob was frustrated with his competitor, Brownies Inc., and decided to launch an attack that would result in serious financial losses. He planned the attack carefully and carried out the attack at the appropriate moment. Meanwhile, Trent, an administrator at Brownies Inc., realized that their main financial transaction server had been attacked. As a result of the attack, the server crashed and Trent needed to reboot the system, as no one was able to access the resources of the company. This process involves human interaction to fix it. What kind of Denial of Service attack was best illustrated in the scenario above?
- A.
  
  Simple DDoS attack
- B.
  
  DoS attacks which involves flooding a network or system
- C.
  
  DoS attacks which involves crashing a network or system
- D.
  
  DoS attacks which is done accidentally or deliberately
Correct Answer
C. DoS attacks which involves crashing a network or system

Explanation
The scenario described in the question involves Bob launching an attack that results in serious financial losses for Brownies Inc. The attack causes their main financial transaction server to crash, requiring human interaction to fix it and rendering the company's resources inaccessible. This aligns with the definition of a Denial of Service (DoS) attack, specifically one that involves crashing a network or system.

Rate this question:
18.

Johnny is a member of the hacking group Orpheus1. He is currently working on breaking into the Department of Defense's front end Exchange Server. He was able to get into the server, located in a DMZ, by using an unused service account that had a very weak password that he was able to guess. Johnny wants to crack the administrator password, but does not have a lot of time to crack it. He wants to use a tool that already has the LM hashes computed for all possible permutations of the administrator password. What tool would be best used to accomplish this?
- A.
  
  SMBCrack
- B.
  
  SmurfCrack
- C.
  
  PSCrack
- D.
  
  RainbowTables
Correct Answer
D. RainbowTables

Explanation
RainbowTables would be the best tool to accomplish this task because it already has the precomputed LM hashes for all possible permutations of the administrator password. This means that Johnny can quickly compare the LM hash of the target password with the precomputed hashes in the RainbowTables to find a match, significantly reducing the time required to crack the password.

Rate this question:
19.

In this type of Man-in-the-Middle attack, packets and authentication tokens are captured using a sniffer. Once the relevant information is extracted, the tokens are placed back on the network to gain access.
- A.
  
  Token Injection Replay attacks
- B.
  
  Shoulder surfing attack
- C.
  
  Rainbow and Hash generation attack
- D.
  
  Dumpster diving attack
Correct Answer
A. Token Injection Replay attacks

Explanation
In a Token Injection Replay attack, the attacker captures packets and authentication tokens using a sniffer. They then extract the relevant information and place the tokens back on the network to gain access. This allows the attacker to impersonate a legitimate user and bypass authentication measures.

Rate this question:
20.

The FIN flag is set and sent from host A to host B when host A has no more data to transmit (Closing a TCP connection). This flag releases the connection resources. However, host A can continue to receive data as long as the SYN sequence numbers of transmitted packets from host B are lower than the packet segment containing the set FIN flag.
- A.
  
  False
- B.
  
  True
Correct Answer
B. True

Explanation
The explanation for the given correct answer is that the FIN flag is indeed set and sent from host A to host B when host A has no more data to transmit and wants to close the TCP connection. This flag is used to release the connection resources. However, even after sending the FIN flag, host A can still receive data as long as the SYN sequence numbers of the transmitted packets from host B are lower than the packet segment containing the set FIN flag. Therefore, the statement is true.

Rate this question:
21.

Jason is the network administrator of Spears Technology. He has enabled SNORT IDS to detect attacks going through his network. He receives Snort SMS alerts on his iPhone whenever there is an attempted intrusion to his network. He receives the following SMS message during the weekend. An attacker Chew Siew sitting in Beijing, China had just launched a remote scan on Jason's network with the hping command. Which of the following hping2 command is responsible for the above snort alert?
- A.
  
  Chenrocks:/home/siew # hping -S -R -P -A -F -U 192.168.2.56 -p 22 -c 5 -t 118
- B.
  
  Chenrocks:/home/siew # hping -F -Q -J -A -C -W 192.168.2.56 -p 22 -c 5 -t 118
- C.
  
  Chenrocks:/home/siew # hping -D -V -R -S -Z -Y 192.168.2.56 -p 22 -c 5 -t 118
- D.
  
  Chenrocks:/home/siew # hping -G -T -H -S -L -W 192.168.2.56 -p 22 -c 5 -t 118
Correct Answer
A. Chenrocks:/home/siew # hping -S -R -P -A -F -U 192.168.2.56 -p 22 -c 5 -t 118

Explanation
The hping2 command responsible for the above snort alert is "hping -S -R -P -A -F -U 192.168.2.56 -p 22 -c 5 -t 118". This command includes various flags that indicate different types of TCP/IP packets being sent to the target IP address and port. The flags -S, -R, -P, -A, -F, and -U represent SYN, RST, PUSH, ACK, FIN, and UDP packets respectively. The fact that these flags are included in the command indicates that the attacker is attempting to perform a remote scan on Jason's network.

Rate this question:
22.

Leesa is the senior security analyst for a publicly traded company. The IT department recently rolled out an intranet for company use only with information ranging from training, to holiday schedules, to human resources data. Leesa wants to make sure the site is not accessible from outside and she also wants to ensure the site is Sarbanes-Oxley (SOX) compliant. Leesa goes to a public library as she wants to do some Google searching to verify whether the company's intranet is accessible from outside and has been indexed by Google. Leesa wants to search for a website title of "intranet" with part of the URL containing the word "intranet" and the words "human resources" somewhere in the webpage. What Google search will accomplish this?
- A.
  
  Related:intranet allinurl:intranet:"human resources"
- B.
  
  Cache:"human resources" inurl:intranet(SharePoint)
- C.
  
  Intitle:intranet inurl:intranet+intext:"human resources"
- D.
  
  Site:"human resources"+intext:intranet intitle:intranet
Correct Answer
C. Intitle:intranet inurl:intranet+intext:"human resources"

Explanation
The correct answer, "intitle:intranet inurl:intranet+intext:"human resources"", will accomplish the desired Google search. This search uses the "intitle" operator to search for webpages with "intranet" in the title, the "inurl" operator to search for webpages with "intranet" in the URL, and the "intext" operator to search for webpages with "human resources" in the page content. This combination of operators will help Leesa find webpages that contain the desired keywords and meet her requirements for the company's intranet.

Rate this question:
23.

Bob has been hired to do a web application security test. Bob notices that the site is dynamic and must make use of a back end database. Bob wants to see if SQL Injection would be possible. What is the first character that Bob should use to attempt breaking valid SQL request?
- A.
  
  Semi Column
- B.
  
  Double Quote
- C.
  
  Single Quote
- D.
  
  Exclamation Mark
Correct Answer
C. Single Quote

Explanation
Bob should use the single quote character to attempt breaking a valid SQL request because it is commonly used in SQL injection attacks to manipulate the structure of the SQL query and potentially gain unauthorized access to the database. By injecting a single quote, Bob can test if the application is vulnerable to SQL injection by observing any error messages or unexpected behavior from the application.

Rate this question:
24.

Hampton is the senior security analyst for the city of Columbus in Ohio. His primary responsibility is to ensure that all physical and logical aspects of the city's computer network are secure from all angles. Bill is an IT technician that works with Hampton in the same IT department. Bill's primary responsibility is to keep PC's and servers up to date and to keep track of all the agency laptops that the company owns and lends out to its employees. After Bill setup a wireless network for the agency, Hampton made sure that everything was secure. He instituted encryption, rotating keys, turned off SSID broadcasting, and enabled MAC filtering. According to agency policy, only company laptops are allowed to use the wireless network, so Hampton entered all the MAC addresses for those laptops into the wireless security utility so that only those laptops should be able to access the wireless network. Hampton does not keep track of all the laptops, but he is pretty certain that the agency only purchases Dell laptops. Hampton is curious about this because he notices Bill working on a Toshiba laptop one day and saw that he was on the Internet. Instead of jumping to conclusions, Hampton decides to talk to Bill's boss and see if they had purchased a Toshiba laptop instead of the usual Dell. Bill's boss said no, so now Hampton is very curious to see how Bill is accessing the Internet. Hampton does site surveys every couple of days, and has yet to see any outside wireless network signals inside the company's building. How was Bill able to get Internet access without using an agency laptop?
- A.
  
  Bill spoofed the MAC address of Dell laptop
- B.
  
  Bill connected to a Rogue access point
- C.
  
  Toshiba and Dell laptops share the same hardware address
- D.
  
  Bill brute forced the Mac address ACLs
Correct Answer
A. Bill spoofed the MAC address of Dell laptop

Explanation
Bill was able to get Internet access without using an agency laptop because he spoofed the MAC address of a Dell laptop. This means that he changed the MAC address of his Toshiba laptop to match the MAC address of a Dell laptop that was allowed to access the wireless network. By doing this, Bill was able to bypass the MAC address filtering implemented by Hampton and gain unauthorized access to the network.

Rate this question:
25.

LAN Manager Passwords are concatenated to 14 bytes, and split in half. The two halves are hashed individually. If the password is 7 characters or less, than the second half of the hash is always:
- A.
  
  0xAAD3B435B51404EE
- B.
  
  0xAAD3B435B51404AA
- C.
  
  0xAAD3B435B51404BB
- D.
  
  0xAAD3B435B51404CC
Correct Answer
A. 0xAAD3B435B51404EE

Explanation
The given answer, 0xAAD3B435B51404EE, is the second half of the hash when the password is 7 characters or less. This suggests that the password provided is 7 characters or less, and the second half of the hash is always the same for such passwords. The first half of the hash is not provided, but it can be assumed that it would be different for each password.

Rate this question:
26.

When writing shellcodes, you must avoid ____________ because these will end the string.
- A.
  
  Root bytes
- B.
  
  Null bytes
- C.
  
  Char bytes
- D.
  
  Unicode bytes
Correct Answer
B. Null bytes

Explanation
When writing shellcodes, null bytes must be avoided because they act as string terminators. This means that any characters or instructions after a null byte will not be processed or executed. Therefore, including null bytes in a shellcode can cause it to be truncated or rendered ineffective.

Rate this question:
27.

Jess the hacker runs L0phtCrack's built-in sniffer utility that grabs SMB password hashes and stores them for offline cracking. Once cracked, these passwords can provide easy access to whatever network resources the user account has access to. But Jess is not picking up hashes from the network. Why?
- A.
  
  The network protocol is configured to use SMB Signing
- B.
  
  The physical network wire is on fibre optic cable
- C.
  
  The network protocol is configured to use IPSEC
- D.
  
  L0phtCrack SMB sniffing only works through Switches andnot Hubs
Correct Answer
A. The network protocol is configured to use SMB Signing

Explanation
When SMB signing is enabled, it adds a digital signature to the SMB packets, ensuring the integrity and authenticity of the data being transmitted. This prevents unauthorized access or tampering with the data, including password hashes. Therefore, Jess is not able to pick up the hashes from the network because they are protected by SMB signing.

Rate this question:
28.

Harold works for Jacobson Unlimited in the IT department as the security manager. Harold has created a security policy requiring all employees to use complex 14 character passwords. Unfortunately, the members of management do not want to have to use such long complicated passwords so they tell Harold's boss this new password policy should not apply to them. To comply with the management's wishes, the IT department creates another Windows domain and moves all the management users to that domain. This new domain has a password policy only requiring 8 characters. Harold is concerned about having to accommodate the managers, but cannot do anything about it. Harold is also concerned about using LanManager security on his network instead of NTLM or NTLMv2, but the many legacy applications on the network prevent using the more secure NTLM and NTLMv2. Harold pulls the SAM files from the DC's on the original domain and the new domain using Pwdump6. Harold uses the password cracking software John the Ripper to crack users' passwords to make sure they are strong enough. Harold expects that the users' passwords in the original domain will take much longer to crack than the management's passwords in the new domain. After running the software, Harold discovers that the 14 character passwords only took a short time longer to crack than the 8 character passwords. Why did the 14 character passwords not take much longer to crack than the 8 character passwords?
- A.
  
  Harold should have used Dumpsec instead of Pwdump6
- B.
  
  Harold's dictionary file was not large enough
- C.
  
  Harold should use LC4 instead of John the Ripper
- D.
  
  LanManger hashes are broken up into two 7 character fields
Correct Answer
D. LanManger hashes are broken up into two 7 character fields

Explanation
The reason why the 14 character passwords did not take much longer to crack than the 8 character passwords is because LanManager hashes, which are used in the original domain, are broken up into two 7 character fields. This means that even though the passwords are longer, they are still split into two parts, making it easier for password cracking software like John the Ripper to crack them. Therefore, the length of the password does not significantly increase the time it takes to crack it in this case.

Rate this question:
29.

You establish a new Web browser connection to Google. Since a 3-way handshake is required for any TCP connection, the following actions will take place. - DNS query is sent to the DNS server to resolve www.google.com - DNS server replies with the IP address for Google? - SYN packet is sentto Google. - Google sends back a SYN/ACK packet - Your computer completes the handshake by sending an ACK - The connection is established and the transfer of data commences Which of the following packets represent completion of the 3-way handshake?
- A.
  
  4th packet
- B.
  
  3rd packet
- C.
  
  6th packet
- D.
  
  5th packet
Correct Answer
D. 5th packet

Explanation
The 5th packet represents the completion of the 3-way handshake. This is because the 3rd packet is the SYN packet sent by the client, the 4th packet is the SYN/ACK packet sent by the server, and the 5th packet is the ACK packet sent by the client to acknowledge the SYN/ACK packet. The ACK packet completes the handshake and establishes the connection.

Rate this question:
30.

E-mail tracking is a method to monitor and spy the delivered e-mails to the intended recipient. Select a feature, which you will NOT be able to accomplish with this probe?
- A.
  
  When the e-mail was received and read
- B.
  
  Send destructive e-mails
- C.
  
  GPS location and map of the recipient
- D.
  
  Time spent on reading the e-mails
- E.
  
  Whether or not the recipient visited any links sent to them
- F.
  
  Track PDF and other types of attachments
- G.
  
  Set messages to expire after specified time
- H.
  
  Remote control the User's E-mail client application and hijack the traffic
Correct Answer
H. Remote control the User's E-mail client application and hijack the traffic

Explanation
E-mail tracking allows monitoring and spying on delivered e-mails, but it does not provide the capability to remotely control the user's e-mail client application and hijack the traffic. This feature goes beyond the scope of e-mail tracking and involves unauthorized access and control of the recipient's device.

Rate this question:
31.

Which of the following Trojans would be considered 'Botnet Command Control Center'?
- A.
  
  YouKill DOOM
- B.
  
  Damen Rock
- C.
  
  Poison Ivy
- D.
  
  Matten Kit
Correct Answer
C. Poison Ivy

Explanation
Poison Ivy is considered a 'Botnet Command Control Center' because it is a remote administration tool (RAT) that allows an attacker to control compromised computers remotely. It provides full control over the infected machines, allowing the attacker to execute commands, steal information, and monitor activities. This makes Poison Ivy a powerful tool for managing a botnet, which is a network of compromised computers controlled by a central command center.

Rate this question:
32.

What type of Virus is shown here?
- A.
  
  Macro Virus
- B.
  
  Cavity Virus
- C.
  
  Boot Sector Virus
- D.
  
  Metamorphic Virus
- E.
  
  Sparse Infector Virus
Correct Answer
B. Cavity Virus

Explanation
A cavity virus is a type of virus that infects executable files by inserting its code into empty spaces within the file. This allows the virus to hide and avoid detection. In this case, the given answer suggests that the virus shown is a cavity virus, indicating that it infects files by occupying empty spaces within them.

Rate this question:
33.

John is using a special tool on his Linux platform that has a database containing signatures to be able to detect hundreds of vulnerabilities in UNIX, Windows, and commonly used web CGI/ASPX scripts. Moreover, the database detects DDoS zombies and Trojans as well. What would be the name of this tool?
- A.
  
  Hping2
- B.
  
  Nessus
- C.
  
  Nmap
- D.
  
  Make
Correct Answer
B. Nessus

Explanation
Nessus is the correct answer because it is a popular and widely used vulnerability scanning tool for Linux platforms. It has a comprehensive database of signatures that can detect various vulnerabilities in UNIX, Windows, and commonly used web CGI/ASPX scripts. Additionally, Nessus is capable of detecting DDoS zombies and Trojans, making it a versatile tool for security professionals.

Rate this question:
34.

Fred is scanning his network to ensure it is as secure as possible. Fred sends a TCP probe packet to a host with a FIN flag and he receives a RST/ACK response. What does this mean?
- A.
  
  This response means the port he is scanning is open.
- B.
  
  The RST/ACK response means the port Fred is scanning is disabled.
- C.
  
  This means the port he is scanning is half open.
- D.
  
  This means that the port he is scanning on the host is closed.
Correct Answer
D. This means that the port he is scanning on the host is closed.

Explanation
The RST/ACK response indicates that the port Fred is scanning on the host is closed. When Fred sends a TCP probe packet with a FIN flag, he expects to receive a response indicating whether the port is open or closed. In this case, the RST/ACK response indicates that the port is closed and not accepting any incoming connections. This suggests that the network is secure because the closed port is not vulnerable to unauthorized access or attacks.

Rate this question:
35.

_____________ is a type of symmetric-key encryption algorithm that transforms a fixed-length block of plaintext (unencrypted text) data into a block of ciphertext (encrypted text) data of the same length.
- A.
  
  Stream Cipher
- B.
  
  Block Cipher
- C.
  
  Bit Cipher
- D.
  
  Hash Cipher
Correct Answer
B. Block Cipher

Explanation
A block cipher is a type of symmetric-key encryption algorithm that operates on fixed-length blocks of plaintext data. It transforms each block of plaintext into a block of ciphertext of the same length using a specific encryption algorithm and a secret key. Unlike stream ciphers that encrypt data bit by bit or byte by byte, block ciphers encrypt data in fixed-sized blocks, providing a higher level of security. The ciphertext produced by a block cipher is also of the same length as the plaintext, making it suitable for applications that require fixed-length data encryption.

Rate this question:
36.

Your company has blocked all the ports via external firewall and only allows port 80/443 to connect to the Internet. You want to use FTP to connect to some remote server on the Internet. How would you accomplish this?
- A.
  
  Use HTTP Tunneling
- B.
  
  Use Proxy Chaining
- C.
  
  Use TOR Network
- D.
  
  Use Reverse Chaining
Correct Answer
A. Use HTTP Tunneling

Explanation
HTTP Tunneling allows you to encapsulate FTP traffic within HTTP requests, which are allowed through the firewall via port 80/443. This enables you to bypass the port restrictions and establish an FTP connection to the remote server.

Rate this question:
37.

You have successfully gained access to a victim's computer using Windows 2003 Server SMB Vulnerability. Which command will you run to disable auditing from the cmd?
- A.
  
  Stoplog stoplog ?
- B.
  
  EnterPol /nolog
- C.
  
  EventViewer o service
- D.
  
  Auditpol.exe /disable
Correct Answer
D. Auditpol.exe /disable

Explanation
To disable auditing from the command prompt after gaining access to a victim's computer using the Windows 2003 Server SMB Vulnerability, the command that should be run is "auditpol.exe /disable". This command will disable auditing on the system, preventing any further logging or tracking of activities.

Rate this question:
38.

How do you defend against MAC attacks on a switch?
- A.
  
  Disable SPAN port on the switch
- B.
  
  Enable SNMP Trap on the switch
- C.
  
  Configure IP security on the switch
- D.
  
  Enable Port Security on the switch
Correct Answer
D. Enable Port Security on the switch

Explanation
Enabling port security on a switch is an effective way to defend against MAC attacks. Port security allows the switch to restrict the number of MAC addresses that can be learned on a specific port. This prevents attackers from flooding the switch with fake MAC addresses or attempting to overload the switch's MAC address table. By limiting the number of MAC addresses, port security ensures that only trusted devices are allowed to connect to the network, thereby protecting against unauthorized access and MAC attacks.

Rate this question:
39.

In which location, SAM hash passwords are stored in Windows 7?
- A.
  
  C:\windows\system32\config\SAM
- B.
  
  C:\winnt\system32\machine\SAM
- C.
  
  C:\windows\etc\drivers\SAM
- D.
  
  C:\windows\config\etc\SAM
Correct Answer
A. C:\windows\system32\config\SAM

Explanation
SAM hash passwords in Windows 7 are stored in the c:\windows\system32\config\SAM location.

Rate this question:
40.

File extensions provide information regarding the underlying server technology. Attackers can use this information to search vulnerabilities and launch attacks. How would you disable file extensions in Apache servers?
- A.
  
  Use disable-eXchange
- B.
  
  Use mod_negotiation
- C.
  
  Use Stop_Files
- D.
  
  Use Lib_exchanges
Correct Answer
B. Use mod_negotiation

Explanation
To disable file extensions in Apache servers, you would use mod_negotiation. This module allows you to control the content negotiation process, which includes handling file extensions. By disabling file extensions, you can prevent attackers from gathering information about the server technology and reduce the risk of vulnerability searches and attacks.

Rate this question:
41.

Bob has a good understanding of cryptography, having worked with it for many years. Cryptography is used to secure data from specific threats, but it does not secure the application from coding errors. It can provide data privacy; integrity and enable strong authentication but it cannot mitigate programming errors. What is a good example of a programming error that Bob can use to explain to the management how encryption will not address all their security concerns?
- A.
  
  Bob can explain that using a weak key management technique is a form of programming error
- B.
  
  Bob can explain that using passwords to derive cryptographic keys is a form of a programming error
- C.
  
  Bob can explain that a buffer overflow is an example of programming error and it is a common mistake associated with poor programming technique
- D.
  
  Bob can explain that a random number generator can be used to derive cryptographic keys but it uses a weak seed value and this is a form of a programming error
Correct Answer
A. Bob can explain that using a weak key management technique is a form of programming error

Explanation
Using a weak key management technique is a form of programming error because it can compromise the security of the encryption. Even if encryption is implemented correctly, if the keys used for encryption are weak or easily guessable, it can be exploited by attackers. Weak key management techniques include using short or common passwords, not regularly changing encryption keys, or storing keys insecurely. These practices can undermine the effectiveness of encryption and leave the data vulnerable to unauthorized access. Therefore, Bob can explain to the management that encryption alone cannot address all security concerns if weak key management techniques are used.

Rate this question:
42.

Finding tools to run dictionary and brute forcing attacks against FTP and Web servers is an easy task for hackers. They use tools such as arhontus or brutus to break into remote servers. A command such as this, will attack a given 10.0.0.34 FTP and Telnet servers simultaneously with a list of passwords and a single login name: linksys. Many FTP-specific password-guessing tools are also available from major security sites. What defensive measures will you take to protect your network from these attacks?
- A.
  
  Never leave a default password
- B.
  
  Never use a password that can be found in a dictionary
- C.
  
  Never use a password related to your hobbies, pets, relatives, or date of birth.
- D.
  
  Use a word that has more than 21 characters from a dictionary as the password
- E.
  
  Never use a password related to the hostname, domain name, or anything else that can be found with whois
Correct Answer(s)
A. Never leave a default password
B. Never use a password that can be found in a dictionary
C. Never use a password related to your hobbies, pets, relatives, or date of birth.
E. Never use a password related to the hostname, domain name, or anything else that can be found with whois

Explanation
The correct answer is a combination of several defensive measures to protect the network from dictionary and brute force attacks. By never leaving a default password, the network eliminates the risk of hackers easily guessing the password. Additionally, by avoiding passwords that can be found in a dictionary and ones related to personal information such as hobbies, pets, relatives, or date of birth, the network increases the complexity of the password, making it harder to crack. Furthermore, using a password that is not related to the hostname, domain name, or any other information that can be found with whois adds another layer of security. By implementing these measures, the network reduces the vulnerability to dictionary and brute force attacks.

Rate this question:
43.

One of the most common and the best way of cracking RSA encryption is to begin to derive the two prime numbers, which are used in the RSA PKI mathematical process. If the two numbers p and q are discovered through a _____________ process, then the private key can be derived.
- A.
  
  Factorization
- B.
  
  Prime Detection
- C.
  
  Hashing
- D.
  
  Brute-forcing
Correct Answer
A. Factorization

Explanation
Factorization is the process of finding the prime factors of a number. In the context of RSA encryption, if an attacker is able to factorize the modulus (which is the product of the two prime numbers p and q), they can easily calculate the private key. This is because the private key is derived from the prime factors of the modulus. Therefore, factorization is the most common and effective way to crack RSA encryption.

Rate this question:
44.

Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers.
- A.
  
  True
- B.
  
  False
Correct Answer
A. True

Explanation
When Basic Authentication is configured on web servers, data is sent over the network as clear text, meaning it is not encrypted. This means that anyone who intercepts the data can easily read and understand its contents. This lack of encryption can pose a security risk, as sensitive information such as passwords or personal data can be easily accessed by unauthorized individuals. Therefore, it is important to use additional security measures, such as SSL/TLS encryption, to protect data when Basic Authentication is used.

Rate this question:
45.

NetBIOS over TCP/IP allows files and/or printers to be shared over the network. You are trying to intercept the traffic from a victim machine to a corporate network printer. You are attempting to hijack the printer network connection from your laptop by sniffing the wire. Which port does SMB over TCP/IP use?
- A.
  
  443
- B.
  
  139
- C.
  
  179
- D.
  
  445
Correct Answer
D. 445

Explanation
SMB (Server Message Block) over TCP/IP uses port 445. By sniffing the wire, the attacker can intercept the traffic between the victim machine and the corporate network printer. Port 445 is the correct answer because it is the port used by SMB, which is responsible for file and printer sharing over the network.

Rate this question:
46.

One of the ways to map a targeted network for live hosts is by sending an ICMP ECHO request to the broadcast or the network address. The request would be broadcasted to all hosts on the targeted network. The live hosts will send an ICMP ECHO Reply to the attacker's source IP address. You send a ping request to the broadcast address 192.168.5.255. There are 40 computers up and running on the target network. Only 13 hosts send a reply while others do not. Why?
- A.
  
  Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address.
- B.
  
  Linux machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address.
- C.
  
  You should send a ping request with this command ping ? 192.168.5.0-255
- D.
  
  You cannot ping a broadcast address. The above scenario is wrong.
Correct Answer
A. Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address.

Explanation
Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address. This is why only 13 hosts out of the 40 computers on the target network send a reply, while the others do not.

Rate this question:
47.

Charlie is the network administrator for his company. Charlie just received a new Cisco router and wants to test its capabilities out and to see if it might be susceptible to a DoS attack resulting in its locking up. The IP address of the Cisco switch is 172.16.0.45. What command can Charlie use to attempt this task?
- A.
  
  Charlie can use the command: ping -l 56550 172.16.0.45 -t.
- B.
  
  Charlie can try using the command: ping 56550 172.16.0.45.
- C.
  
  By using the command ping 172.16.0.45 Charlie would be able to lockup the router
- D.
  
  He could use the command: ping -4 56550 172.16.0.45.
Correct Answer
A. Charlie can use the command: ping -l 56550 172.16.0.45 -t.

Explanation
Charlie can use the command "ping -l 56550 172.16.0.45 -t" to attempt to test the capabilities of the new Cisco router and see if it is susceptible to a DoS attack resulting in its locking up.

Rate this question:
48.

What type of encryption does WPA2 use?
- A.
  
  DES 64 bit
- B.
  
  AES-CCMP 128 bit
- C.
  
  MD5 48 bit
- D.
  
  SHA 160 bit
Correct Answer
B. AES-CCMP 128 bit

Explanation
WPA2 (Wi-Fi Protected Access 2) uses AES-CCMP (Advanced Encryption Standard - Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) with a key length of 128 bits. AES is a symmetric encryption algorithm widely used for securing sensitive data. CCMP is a cryptographic protocol that provides data confidentiality, integrity, and authentication. The combination of AES and CCMP ensures a high level of security for wireless networks.

Rate this question:
49.

Attackers send an ACK probe packet with random sequence number, no response means port is filtered (Stateful firewall is present) and RST response means the port is not filtered. What type of Port Scanning is this?
- A.
  
  RST flag scanning
- B.
  
  FIN flag scanning
- C.
  
  SYN flag scanning
- D.
  
  ACK flag scanning
Correct Answer
D. ACK flag scanning

Explanation
This type of port scanning is called ACK flag scanning. In this method, the attacker sends an ACK probe packet with a random sequence number. If there is no response, it indicates that the port is filtered, which means a stateful firewall is present. If a RST (reset) response is received, it means the port is not filtered.

Rate this question:
50.

What is the command used to create a binary log file using tcpdump?
- A.
  
  Tcpdump -w ./log
- B.
  
  Tcpdump -r log
- C.
  
  Tcpdump -vde logtcpdump -vde ? log
- D.
  
  Tcpdump -l /var/log/
Correct Answer
A. Tcpdump -w ./log

Explanation
The command "tcpdump -w ./log" is used to create a binary log file using tcpdump. The "-w" option specifies the file name and location for the log file. In this case, the log file will be created in the current directory with the name "log".

Rate this question:

Quiz Review Timeline +

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

Current Version
Mar 22, 2023

Quiz Edited by
ProProfs Editorial Team
Oct 27, 2013

Quiz Created by
Porterwb

CEH Quiz (101-200) Take This Quiz

Which of the following is NOT part of CEH Scanning Methodology?

Lee is using Wireshark to log traffic on his network. He notices a number of packets being directed to an internal IP from an outside IP where the packets are ICMP and their size is around 65,536 bytes. What is Lee seeing here?

This method is used to determine the Operating system and version running on a remote target system. What is it called?

John the hacker is sniffing the network to inject ARP packets. He injects broadcast frames onto the wire to conduct MiTM attack. What is the destination MAC address of a broadcast frame?

You are gathering competitive intelligence on an organization. You notice that they have jobs listed on a few Internet job-hunting sites. There are two jobs for network and system administrators. How can this help you in foot printing the organization?

TCP packets transmitted in either direction after the initial three-way handshake will have which of the following bit set?

What framework architecture is shown in this exhibit?

Which of the following steganography utilities exploits the nature of white space and allows the user to conceal information in these white spaces?

You have chosen a 22 character word from the dictionary as your password. How long will it take to crack the password by an attacker?

What techniques would you use to evade IDS during a Port Scan? (Select 4 answers)

In this type of Man-in-the-Middle attack, packets and authentication tokens are captured using a sniffer. Once the relevant information is extracted, the tokens are placed back on the network to gain access.

Bob has been hired to do a web application security test. Bob notices that the site is dynamic and must make use of a back end database. Bob wants to see if SQL Injection would be possible. What is the first character that Bob should use to attempt breaking valid SQL request?

LAN Manager Passwords are concatenated to 14 bytes, and split in half. The two halves are hashed individually. If the password is 7 characters or less, than the second half of the hash is always:

When writing shellcodes, you must avoid ____________ because these will end the string.

E-mail tracking is a method to monitor and spy the delivered e-mails to the intended recipient. Select a feature, which you will NOT be able to accomplish with this probe?

Which of the following Trojans would be considered 'Botnet Command Control Center'?

What type of Virus is shown here?

Fred is scanning his network to ensure it is as secure as possible. Fred sends a TCP probe packet to a host with a FIN flag and he receives a RST/ACK response. What does this mean?

_____________ is a type of symmetric-key encryption algorithm that transforms a fixed-length block of plaintext (unencrypted text) data into a block of ciphertext (encrypted text) data of the same length.

Your company has blocked all the ports via external firewall and only allows port 80/443 to connect to the Internet. You want to use FTP to connect to some remote server on the Internet. How would you accomplish this?

You have successfully gained access to a victim's computer using Windows 2003 Server SMB Vulnerability. Which command will you run to disable auditing from the cmd?

How do you defend against MAC attacks on a switch?

In which location, SAM hash passwords are stored in Windows 7?

File extensions provide information regarding the underlying server technology. Attackers can use this information to search vulnerabilities and launch attacks. How would you disable file extensions in Apache servers?

One of the most common and the best way of cracking RSA encryption is to begin to derive the two prime numbers, which are used in the RSA PKI mathematical process. If the two numbers p and q are discovered through a _____________ process, then the private key can be derived.

Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers.

What type of encryption does WPA2 use?

Attackers send an ACK probe packet with random sequence number, no response means port is filtered (Stateful firewall is present) and RST response means the port is not filtered. What type of Port Scanning is this?

What is the command used to create a binary log file using tcpdump?