CEH Quiz (201 - 261)

61 Questions | Attempts: 414


Questions and Answers
  • 1. 
    Jane wishes to forward X-Windows traffic to a remote host as well as POP3 traffic. She is worried that adversaries might be monitoring the communication link and could inspect captured traffic. She would like to tunnel the information to the remote end but does not have VPN capabilities to do so. Which of the following tools can she use to protect the link?
    • A. 

      MD5

    • B. 

      PGP

    • C. 

      RSA

    • D. 

      SSH

  • 2. 
    NTP allows you to set the clocks on your systems very accurately, to within 100ms and sometimes even 10ms. Knowing the exact time is extremely important for enterprise security. Various security protocols depend on an accurate source of time information in order to prevent "playback" attacks. These protocols tag their communications with the current time, to prevent attackers from replaying the same communications, e.g., a login/password interaction or even an entire communication, at a later date. One can circumvent this tagging if the clock can be set back to the time the communication was recorded. An attacker attempts to corrupt the clocks on devices on your network. You run Wireshark to detect the NTP traffic to see if there are any irregularities on the network. What port number should you enable in the Wireshark display filter to view NTP packets?
    • A. 

      TCP Port 124

    • B. 

      UDP Port 125

    • C. 

      UDP Port 123

    • D. 

      TCP Port 126

  • 3. 
    Bill is a security analyst for his company. All the switches used in the company's office are Cisco switches. Bill wants to make sure all switches are safe from ARP poisoning. How can Bill accomplish this?
    • A. 

      Bill can use the command: ip dhcp snooping.

    • B. 

      Bill can use the command: no ip snoop.

    • C. 

      Bill could use the command: ip arp no flood.

    • D. 

      He could use the command: ip arp no snoop.

  • 4. 
    You generate an MD5 128-bit hash on all files and folders on your computer to keep a baseline check for security reasons. What is the length of the MD5 hash?
    • A. 

      32 char

    • B. 

      64 byte

    • C. 

      48 char

    • D. 

      128 byte

  • 5. 
    Which type of password cracking technique works like a dictionary attack but adds some numbers and symbols to the words from the dictionary and tries to crack the password?
    • A. 

      Dictionary attack

    • B. 

      Brute forcing attack

    • C. 

      Hybrid attack

    • D. 

      Syllable attack

    • E. 

      Rule-based attack

  • 6. 
    What command would you type to OS fingerprint a server using the command line?  
    • A. 

      Option A

    • B. 

      Option B

    • C. 

      Option C

    • D. 

      Option D

  • 7. 
    What do you call a pre-computed hash?
    • A. 

      Sun tables

    • B. 

      Apple tables

    • C. 

      Rainbow tables

    • D. 

      Moon tables

  • 8. 
    Why do attackers use proxy servers?
    • A. 

      To ensure the exploits used in the attacks always flip reverse vectors

    • B. 

      Faster bandwidth performance and increase in attack speed

    • C. 

      Interrupt the remote victim's network traffic and reroute the packets to the attacker's machine

    • D. 

      To hide the source IP address so that an attacker can hack without any legal corollary

  • 9. 
    The SNMP Read-Only Community String is like a password. The string is sent along with each SNMP Get-Request and allows (or denies) access to a device. Most network vendors ship their equipment with a default password of "public". This is the so-called "default public community string". How would you keep intruders from getting sensitive information regarding the network devices using SNMP? (Select 2 answers)
    • A. 

      Enable SNMPv3 which encrypts username/password authentication

    • B. 

      Use your company name as the public community string replacing the default 'public'

    • C. 

      Enable IP filtering to limit access to SNMP device

    • D. 

      The default configuration provided by device vendors is highly secure and you don't need to change anything

  • 10. 
    You are writing a security policy that hardens against and prevents Footprinting attempts by Hackers. Which of the following countermeasures will NOT be effective against this attack?
    • A. 

      Configure routers to restrict the responses to Footprinting requests

    • B. 

      Configure Web Servers to avoid information leakage and disable unwanted protocols

    • C. 

      Lock the ports with suitable Firewall configuration

    • D. 

      Use an IDS that can be configured to refuse suspicious traffic and pick up Footprinting patterns

    • E. 

      Evaluate the information before publishing it on the Website/Intranet

    • F. 

      Monitor every employee computer with Spy cameras, keyloggers and spy on them

    • G. 

      Perform Footprinting techniques and remove any sensitive information found on DMZ sites

    • H. 

      Prevent search engines from caching a Webpage and use anonymous registration services

    • I. 

      Disable directory and use split-DNS

  • 11. 
    Bank of Timbuktu is a medium-sized, regional financial institution in Timbuktu. The bank has deployed a new Internet-accessible Web application recently. Customers can access their account balances, transfer money between accounts, pay bills and conduct online financial business using a Web browser.   John Stevens is in charge of information security at Bank of Timbuktu. After one month in production, several customers have complained about the Internet enabled banking application. Strangely, the account balances of many of the bank's customers had been changed! However, money hasn't been removed from the bank; instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries: What kind of attack did the Hacker attempt to carry out at the bank?
    • A. 

      Brute force attack in which the Hacker attempted guessing login ID and password from password cracking tools.

    • B. 

      The Hacker attempted Session hijacking, in which the Hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session.

    • C. 

      The Hacker used a generator module to pass results to the Web server and exploited Web application CGI vulnerability.

    • D. 

      The Hacker first attempted logins with suspected user names, then used SQL Injection to gain access to valid bank login IDs.

  • 12. 
    WWW wanderers or spiders are programs that traverse many pages in the World Wide Web by recursively retrieving linked pages. Search engines like Google frequently spider web pages for indexing. How will you stop web spiders from crawling certain directories on your website?
    • A. 

      Place a robots.txt file in the root of your website with a listing of the directories that you don't want to be crawled

    • B. 

      Place authentication on root directories that will prevent crawling from these spiders

    • C. 

      Enable SSL on the restricted directories which will block these spiders from crawling

    • D. 

      Place "HTTP:NO CRAWL" on the html pages that you don't want the crawlers to index

  • 13. 
    You are trying to hijack a telnet session from a victim machine with IP address 10.0.0.5 to Cisco router at 10.0.0.1. You sniff the traffic and attempt to predict the sequence and acknowledgement numbers to successfully hijack the telnet session.  Here is the captured data in tcpdump. What are the next sequence and acknowledgement numbers that the router will send to the victim machine?
    • A. 

      Sequence number: 82980070 Acknowledgement number: 17768885

    • B. 

      Sequence number: 17768729 Acknowledgement number: 82980070

    • C. 

      Sequence number: 87000070 Acknowledgement number: 85320085

    • D. 

      Sequence number: 82980010 Acknowledgement number: 17768885

  • 14. 
    Hayden is the network security administrator for her company, a large finance firm based in Miami. Hayden just returned from a security conference in Las Vegas where they talked about all kinds of old and new security threats, many of which she did not know of. Hayden is worried about the current security state of her company's network so she decides to start scanning the network from an external IP address. To see how some of the hosts on her network react, she sends out SYN packets to an IP range. A number of IPs respond with a SYN/ACK response. Before the connection is established she sends RST packets to those hosts to stop the session. She does this to see how her intrusion detection system will log the traffic. What type of scan is Hayden attempting here?
    • A. 

      Hayden is attempting to find live hosts on her company's network by using an XMAS scan

    • B. 

      She is utilizing a SYN scan to find live hosts that are listening on her network

    • C. 

      The type of scan she is using is called a NULL scan

    • D. 

      Hayden is using a half-open scan to find live hosts on her network

  • 15. 
    Web servers are often the most targeted and attacked hosts on organizations' networks. Attackers may exploit software bugs in the Web server, underlying operating system, or active content to gain unauthorized access. Identify the correct statement related to the above Web Server installation?
    • A. 

      Lack of proper security policy, procedures and maintenance

    • B. 

      Bugs in server software, OS and web applications

    • C. 

      Installing the server with default settings

    • D. 

      Unpatched security flaws in the server software, OS and applications

  • 16. 
    If an attacker's computer sends an IPID of 24333 to a zombie (Idle Scanning) computer on a closed port, what will be the response?
    • A. 

      The zombie computer will respond with an IPID of 24334.

    • B. 

      The zombie computer will respond with an IPID of 24333.

    • C. 

      The zombie computer will not send a response.

    • D. 

      The zombie computer will respond with an IPID of 24335.

  • 17. 
    Jacob is looking through a traffic log that was captured using Wireshark. Jacob has come across what appears to be SYN requests to an internal computer from a spoofed IP address. What is Jacob seeing here?
    • A. 

      Jacob is seeing a Smurf attack.

    • B. 

      Jacob is seeing a SYN flood.

    • C. 

      He is seeing a SYN/ACK attack.

    • D. 

      He has found evidence of an ACK flood.

  • 18. 
    To which of the following Registry locations does a Trojan add entries to make itself persistent on Windows 7? (Select 2 answers)
    • A. 

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    • B. 

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\System32\CurrentVersion\ Run

    • C. 

      HKEY_CURRENT_USER\Software\Microsoft\Windows\System32\CurrentVersion\Run

    • D. 

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  • 19. 
    Perimeter testing means determining exactly what your firewall blocks and what it allows. To conduct a good test, you can spoof source IP addresses and source ports. Which of the following commands results in packets that will appear to originate from the system at 10.8.8.8? Such a packet is useful for determining whether the firewall is allowing random packets in or out of your network.
    • A. 

      Hping3 -T 10.8.8.8 -S netbios -c 2 -p 80

    • B. 

      Hping3 -Y 10.8.8.8 -S windows -c 2 -p 80

    • C. 

      Hping3 -O 10.8.8.8 -S server -c 2 -p 80

    • D. 

      Hping3 -a 10.8.8.8 -S springfield -c 2 -p 80

  • 20. 
    The GET method should never be used when sensitive data such as credit card information is being sent to a CGI program. This is because any GET command will appear in the URL, and will be logged by any servers. For example, let's say that you've entered your credit card information into a form that uses the GET method. The URL may appear like this: https://www.xsecurity-bank.com/creditcard.asp?cardnumber=453453433532234 The GET method appends the credit card number to the URL. This means that anyone with access to a server log will be able to obtain this information. How would you protect from this type of attack?
    • A. 

      Never include sensitive information in a script

    • B. 

      Use HTTPS SSLv3 to send the data instead of plain HTTPS

    • C. 

      Replace the GET with POST method when sending data

    • D. 

      Encrypt the data before you send using GET method

  • 21. 
    Keystroke logging is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. How will you defend against hardware keyloggers when using public computers and Internet Kiosks? (Select 4 answers)
    • A. 

      Alternate between typing the login credentials and typing characters somewhere else in the focus window

    • B. 

      Type a wrong password first, later type the correct password on the login page defeating the keylogger recording

    • C. 

      Type a password beginning with the last letter and then using the mouse to move the cursor for each subsequent letter.

    • D. 

      The next key typed replaces selected text portion. E.g. if the password is "secret", one could type "s", then some dummy keys "asdfsd". Then these dummies could be selected with mouse, and next character from the password "e" is typed, which replaces the dummies "asdfsd"

    • E. 

      The next key typed replaces selected text portion. E.g. if the password is "secret", one could type "s", then some dummy keys "asdfsd". Then these dummies could be selected with mouse, and next character from the password "e" is typed, which replaces the dummies "asdfsd"

  • 22. 
    Lauren is performing a network audit for her entire company. The entire network is comprised of around 500 computers. Lauren starts an ICMP ping sweep by sending one IP packet to the broadcast address of the network, but only receives responses from around five hosts. Why did this ping sweep only produce a few responses?
    • A. 

      Only Windows systems will reply to this scan.

    • B. 

      A switched network will not respond to packets sent to the broadcast address.

    • C. 

      Only Linux and Unix-like (Non-Windows) systems will reply to this scan.

    • D. 

      Only servers will reply to this scan.

  • 23. 
    Wayne is the senior security analyst for his company. Wayne is examining some traffic logs on a server and came across some inconsistencies. Wayne finds some IP packets from a computer purporting to be on the internal network. The packets originate from 192.168.12.35 with a TTL of 15. The server replied to this computer and received a response from 192.168.12.35 with a TTL of 21. What can Wayne infer from this traffic log?
    • A. 

      The initial traffic from 192.168.12.35 was being spoofed.

    • B. 

      The traffic from 192.168.12.25 is from a Linux computer.

    • C. 

      The TTL of 21 means that the client computer is on wireless.

    • D. 

      The client computer at 192.168.12.35 is a zombie computer.

  • 24. 
    What type of port scan is shown below?
    • A. 

      Idle Scan

    • B. 

      Windows Scan

    • C. 

      XMAS Scan

    • D. 

      SYN Stealth Scan

  • 25. 
    Here is the ASCII Sheet. You want to guess the DBO username juggyboy (8 characters) using Blind SQL Injection technique.  What is the correct syntax?
    • A. 

      Option A

    • B. 

      Option B

    • C. 

      Option C

    • D. 

      Option D
