CEH Quiz (201 - 261)

Reviewed by Editorial Team
The ProProfs editorial team is comprised of experienced subject matter experts. They've collectively created over 10,000 quizzes and lessons, serving over 100 million users. Our team includes in-house content moderators and subject matter experts, as well as a global network of rigorously trained contributors. All adhere to our comprehensive editorial guidelines, ensuring the delivery of high-quality content.
Learn about Our Editorial Process
| By Porterwb
P
Porterwb
Community Contributor
Quizzes Created: 2 | Total Attempts: 1,173
| Attempts: 466
Quiz Flashcard
SettingsSettings
Please wait...
  • 1/61 Questions

    A majority of attacks come from insiders, people who have direct access to a company's computer system as part of their job function or a business relationship. Who is considered an insider?

    • A competitor to the company because they can directly benefit from the publicity generated by making such an attack
    • Disgruntled employee, customers, suppliers, vendors, business partners, contractors, temps, and consultants
    • The CEO of the company because he has access to all of the computer systems
    • A government agency since they know the company's computer system strengths and weaknesses
Please wait...
CEH Quiz (201 - 261) - Quiz
About This Quiz

This CEH Quiz (201-261) assesses knowledge on securing network communications, handling cryptographic protocols, and preventing common cyber attacks. It is designed for professionals aiming to validate their ethical hacking skills and improve security measures.

Quiz Preview

  • 2. 

    What do you call a pre-computed hash?

    • Sun tables

    • Apple tables

    • Rainbow tables

    • Moon tables

    Correct Answer
    A. Rainbow tables
    Explanation
    A pre-computed hash is commonly referred to as a "Rainbow table". Rainbow tables are used in cryptography to speed up the process of cracking hashed passwords by storing pre-computed hash chains. These tables contain a list of possible plaintext passwords and their corresponding hash values, allowing for quick lookup and comparison to the target hash. By using rainbow tables, attackers can significantly reduce the time and computational resources required to crack hashed passwords.

    Rate this question:

  • 3. 

    Oregon Corp is fighting a litigation suit with Scamster Inc. Oregon has assigned a private investigative agency to go through garbage, recycled paper, and other rubbish at Scamster's office site in order to find relevant information. What would you call this kind of activity?

    • CI Gathering

    • Scanning

    • Dumpster Diving

    • Garbage Scooping

    Correct Answer
    A. Dumpster Diving
    Explanation
    Dumpster diving refers to the activity of searching through someone's trash or garbage in order to find useful or valuable information. In this case, Oregon Corp has hired a private investigative agency to search through Scamster Inc's garbage and other rubbish at their office site to gather relevant information for their litigation suit. Dumpster diving is a common practice used by investigators to obtain evidence or gather intelligence.

    Rate this question:

  • 4. 

    Why attackers use proxy servers?

    • To ensure theexploits used in the attacks always flip reverse vectors

    • Faster bandwidth performance and increase in attack speed

    • Interrupt the remote victim's network traffic and reroute the packets to attackers machine

    • To hide the source IP address so that anattacker can hack without any legal corollary

    Correct Answer
    A. To hide the source IP address so that anattacker can hack without any legal corollary
    Explanation
    Attackers use proxy servers to hide their source IP address so that they can carry out their hacking activities without facing any legal consequences. By routing their network traffic through a proxy server, the attacker's true IP address is masked, making it difficult for authorities to trace back the attack to its source. This anonymity provides a layer of protection for the attacker and allows them to operate without being easily identified or held accountable for their actions.

    Rate this question:

  • 5. 

    Paul has just finished setting up his wireless network. He has enabled numerous security features such as changing the default SSID, enabling WPA encryption, and enabling MAC filtering on his wireless router. Paul notices that when he uses his wireless connection, the speed is sometimes 54 Mbps and sometimes it is only 24Mbps or less. Paul connects to his wireless router's management utility and notices that a machine with an unfamiliar name is connected through his wireless connection. Paul checks the router's logs and notices that the unfamiliar machine has the same MAC address as his laptop. What is Paul seeing here?

    • MAC spoofing

    • Macof

    • ARP spoofing

    • DNS spoofing

    Correct Answer
    A. MAC spoofing
    Explanation
    Paul is experiencing MAC spoofing. MAC spoofing is a technique where an attacker changes their device's MAC address to match the MAC address of another device on the network, in this case, Paul's laptop. This allows the attacker to impersonate Paul's laptop and gain unauthorized access to the network. This can explain why Paul is seeing a machine with an unfamiliar name connected to his wireless network and why the speed of his connection varies.

    Rate this question:

  • 6. 

    Jane wishes to forward X-Windows traffic to a remote host as well as POP3 traffic. She is worried that adversaries might be monitoring the communication link and could inspect captured traffic. She would like to tunnel the information to the remote end but does not have VPN capabilities to do so. Which of the following tools can she use to protect the link?

    • MD5

    • PGP

    • RSA

    • SSH

    Correct Answer
    A. SSH
    Explanation
    SSH (Secure Shell) can be used to protect the link. SSH is a cryptographic network protocol that provides secure communication over an insecure network. It encrypts the data being transmitted, preventing adversaries from intercepting and inspecting the traffic. By using SSH, Jane can tunnel the X-Windows and POP3 traffic to the remote host securely, even without VPN capabilities.

    Rate this question:

  • 7. 

    You are trying to package a RAT Trojan so that Anti-Virus software will not detect it. Which of the listed technique will NOT be effective in evading Anti-Virus scanner?

    • Convert the Trojan.exe file extension to Trojan.txt disguising as text file

    • Break the Trojan into multiple smaller files and zip the individual pieces

    • Change the content of the Trojan using hex editor and modify the checksum

    • Encrypt the Trojan using multiple hashing algorithms like MD5 and SHA-1

    Correct Answer
    A. Convert the Trojan.exe file extension to Trojan.txt disguising as text file
    Explanation
    Converting the Trojan.exe file extension to Trojan.txt will not be effective in evading the Anti-Virus scanner. Although changing the file extension may make it appear as a text file, Anti-Virus software is designed to analyze the content of the file rather than just relying on the file extension. The scanner will still be able to detect the malicious code within the file, regardless of the file extension.

    Rate this question:

  • 8. 

    Type question hereNTP allows you to set the clocks on your systems very accurately, to within 100ms and sometimes-even 10ms.  Knowing the exact time is extremely important for enterprise security. Various security protocols depend on an accurate source of time information in order to prevent "playback" attacks. These protocols tag their communications with the current time, to prevent attackers from replaying the same communications, e.g., a login/password interaction or even an entire communication, at a later date. One can circumvent this tagging, if the clock can be set back to the time the communication was recorded. An attacker attempts to try corrupting the clocks on devices on your network. You run Wireshark to detect the NTP traffic to see if there are any irregularities on the network. What port number you should enable in Wireshark display filter to view NTP packets?

    • TCP Port 124

    • UDP Port 125

    • UDP Port 123

    • TCP Port 126

    Correct Answer
    A. UDP Port 123
    Explanation
    NTP (Network Time Protocol) is used to synchronize the clocks on systems accurately. In this scenario, the user is running Wireshark to detect any irregularities in NTP traffic on the network. To view NTP packets, they should enable UDP Port 123 in the Wireshark display filter. NTP uses UDP (User Datagram Protocol) as its transport protocol, and Port 123 is the designated port for NTP traffic. By enabling this port in Wireshark, the user will be able to capture and analyze NTP packets for any signs of irregularities or attacks on the network.

    Rate this question:

  • 9. 

    The SNMP Read-Only Community String is like a password. The string is sent along with each SNMP Get-Request and allows (or denies) access to a device. Most network vendors ship their equipment with a default password of "public". This is the so-called "default public community string". How would you keep intruders from getting sensitive information regarding the network devices using SNMP? (Select 2 answers)

    • Enable SNMPv3 whichencrypts username/password authentication

    • Use your company name as the public community string replacing the default 'public'

    • Enable IP filtering to limit access to SNMP device

    • The default configuration provided by device vendors is highly secureand you don't need to change anything

    Correct Answer(s)
    A. Enable SNMPv3 whichencrypts username/password authentication
    A. Enable IP filtering to limit access to SNMP device
    Explanation
    To keep intruders from getting sensitive information regarding the network devices using SNMP, enabling SNMPv3 which encrypts username/password authentication is important. SNMPv3 provides secure access to devices by encrypting the authentication credentials. Additionally, enabling IP filtering to limit access to SNMP devices adds an extra layer of security by allowing only specific IP addresses to access the devices. This helps to prevent unauthorized access and protect sensitive information.

    Rate this question:

  • 10. 

    Neil is an IT security consultant working on contract for Davidson Avionics. Neil has been hired to audit the network of Davidson Avionics. He has been given permission to perform any tests necessary. Neil has created a fake company ID badge and uniform. Neil waits by one of the company's entrance doors and follows an employee into the office after they use their valid access card to gain entrance. What type of social engineering attack has Neil employed here?

    • Neil has used a tailgating social engineering attack to gain access to the offices

    • He has used a piggybacking technique to gain unauthorized access

    • This type of social engineering attack is called man trapping

    • Neil is using the technique of reverse social engineering to gain access to the offices of Davidson Avionics

    Correct Answer
    A. Neil has used a tailgating social engineering attack to gain access to the offices
    Explanation
    Neil has used a tailgating social engineering attack to gain access to the offices. Tailgating refers to the act of following someone who has legitimate access into a secure area without proper authorization. In this case, Neil used a fake company ID badge and uniform to blend in and gain entry by following an employee who used their valid access card. This type of attack exploits the trust and natural tendency of people to hold doors open for others, allowing unauthorized individuals to gain entry.

    Rate this question:

  • 11. 
    What command would you type to OS fingerprint a server using the command line?   - ProProfs

    What command would you type to OS fingerprint a server using the command line?  

    • Option A

    • Option B

    • Option C

    • Option D

    Correct Answer
    A. Option C
    Explanation
    To OS fingerprint a server using the command line, you would type the command specified in Option C.

    Rate this question:

  • 12. 

    WWW wanderers or spiders are programs that traverse many pages in the World Wide Web by recursively retrieving linked pages. Search engines like Google, frequently spider web pages for indexing. How will you stop web spiders from crawling certain directories on your website?

    • Place robots.txt file in the root of your website with listing of directories that you don't want to be crawled

    • Place authentication on root directories that will prevent crawling from these spiders

    • Nable SSL on the restricted directories which will block these spiders from crawling

    • Place "HTTP:NO CRAWL" on the html pages that you don't want the crawlers to index

    Correct Answer
    A. Place robots.txt file in the root of your website with listing of directories that you don't want to be crawled
  • 13. 

    Jeremy is web security consultant for Information Securitas. Jeremy has just been hired to perform contract work for a large state agency in Michigan. Jeremy's first task is to scan all the company's external websites.  Jeremy comes upon a login page which appears to allow employees access to sensitive areas on the website.  James types in the following statement in the username field: SELECT * from Users where username='admin' ?AND password='' AND email like '%@testers.com%' What will the SQL statement accomplish?

    • If the page is susceptible to SQL injection, it will look in theUsers table for usernames of admin

    • This statement will look for users with the name of admin, blank passwords, and email addresses that end in @testers.com

    • This Select SQL statement will log James in if there are any users with NULL passwords

    • James will be able to see if there are any default user accounts in the SQL database

    Correct Answer
    A. This statement will look for users with the name of admin, blank passwords, and email addresses that end in @testers.com
    Explanation
    The SQL statement will look for users with the name of admin, blank passwords, and email addresses that end in @testers.com. This implies that James is attempting to exploit a potential vulnerability in the login page by using SQL injection. By inputting this statement, James is trying to retrieve information from the Users table that matches the specified conditions.

    Rate this question:

  • 14. 

    Wayne is the senior security analyst for his company. Wayne is examining some traffic logs on a server and came across some inconsistencies. Wayne finds some IP packets from a computer purporting to be on the internal network. The packets originate from 192.168.12.35 with a TTL of 15. The server replied to this computer and received a response from 192.168.12.35 with a TTL of 21. What can Wayne infer from this traffic log?

    • The initial traffic from 192.168.12.35 was being spoofed.

    • The traffic from 192.168.12.25 is from a Linux computer.

    • The TTL of 21 means that the client computer ison wireless.

    • The client computer at 192.168.12.35 is a zombie computer.

    Correct Answer
    A. The initial traffic from 192.168.12.35 was being spoofed.
    Explanation
    Wayne can infer that the initial traffic from 192.168.12.35 was being spoofed. This is because the TTL (Time to Live) value of the packets originating from 192.168.12.35 is lower (15) than the TTL value of the response received from the same IP address (21). A lower TTL value indicates that the packets have traveled a shorter distance, suggesting that the source IP address was likely forged or spoofed to make it appear as if it originated from the internal network.

    Rate this question:

  • 15. 

    After a client sends a connection request (SYN) packet to the server, the server will respond (SYN-ACK) with a sequence number of its choosing, which then must be acknowledged (ACK) by the client. This sequence number is predictable; the attack connects to a service first with its own IP address, records the sequence number chosen, and then opens a second connection from a forged IP address. The attack doesn't see the SYN-ACK (or any other packet) from the server, but can guess the correct responses. If the source IP address is used for authentication, then the attacker can use the one-sided communication to break into the server.  What attacks can you successfully launch against a server using the above technique?

    • Denial of Service attacks

    • Session Hijacking attacks

    • Web page defacement attacks

    • IP spoofing attacks

    Correct Answer
    A. Session Hijacking attacks
    Explanation
    By recording the sequence number chosen by the server and then opening a second connection from a forged IP address, an attacker can successfully launch Session Hijacking attacks. In this type of attack, the attacker can impersonate the legitimate client by guessing the correct responses and gain unauthorized access to the server. This allows the attacker to hijack the established session and potentially perform malicious actions on behalf of the legitimate client.

    Rate this question:

  • 16. 

    You want to perform advanced SQL Injection attack against a vulnerable website. You are unable to perform command shell hacks on this server. What must be enabled in SQL Server to launch these attacks?

    • System services

    • EXEC master access

    • Xp_cmdshell

    • RDC

    Correct Answer
    A. Xp_cmdshell
    Explanation
    In order to perform advanced SQL Injection attacks on a vulnerable website without being able to perform command shell hacks on the server, the xp_cmdshell feature must be enabled in SQL Server. This feature allows the execution of command shell commands from within SQL Server, providing the attacker with the ability to execute arbitrary commands on the server. By enabling xp_cmdshell, the attacker can gain further control and exploit the vulnerabilities in the website.

    Rate this question:

  • 17. 

    The traditional traceroute sends out ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets take to reach the destination.  The problem is that with the widespread use of firewalls on the Internet today, many of the packets that traceroute sends out end up being filtered, making it impossible to completely trace the path to the destination. How would you overcome the Firewall restriction on ICMP ECHO packets?

    • Firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.

    • Firewalls will permit inbound UDP packets to specific ports that hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.

    • Firewalls will permit inbound UDP packets to specific portsthat hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.

    • Do not use traceroute command to determine the path packets taketo reach the destination instead use the custom hacking tool JOHNTHETRACER and run with the command

    • \> JOHNTHETRACER www.eccouncil.org -F -evade

    Correct Answer
    A. Firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.
    Explanation
    By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters. Firewalls typically permit inbound TCP packets to specific ports that hosts behind the firewall are listening for connections. Therefore, by using TCP SYN packets, which are typically used to establish a TCP connection, traceroute can mimic legitimate traffic and bypass the firewall restrictions on ICMP ECHO packets. This allows traceroute to successfully trace the path packets take to reach the destination, even in the presence of firewalls.

    Rate this question:

  • 18. 

    A company is legally liable for the content of email that is sent from its systems, regardless of whether the message was sent for private or business-related purposes. This could lead to prosecution for the sender and for the company's directors if, for example, outgoing email was found to contain material that was pornographic, racist, or likely to incite someone to commit an act of terrorism. You can always defend yourself by "ignorance of the law" clause.

    • True

    • False

    Correct Answer
    A. False
    Explanation
    A company is not legally liable for the content of email that is sent from its systems, regardless of whether the message was sent for private or business-related purposes. However, if outgoing email was found to contain material that was pornographic, racist, or likely to incite someone to commit an act of terrorism, the sender and the company's directors could still face prosecution. The "ignorance of the law" clause cannot be used as a defense in this situation. Therefore, the statement is false.

    Rate this question:

  • 19. 

    What will the following command produce on a website's login page if executed successfully? SELECT email, passwd, login_id, full_name FROM members WHERE email = '[email protected]'; DROP TABLE members; --'

    • This code will insert the [email protected] email address into the members table.

    • This command will delete the entire members table.

    • It retrieves the password for the first user in the members table.

    • This command will not produce anything since the syntax is incorrect.

    Correct Answer
    A. This command will delete the entire members table.
    Explanation
    The given command is a SQL injection attack that aims to delete the entire members table. The command starts with a SELECT statement to retrieve the email, password, login ID, and full name from the members table where the email is equal to '[email protected]'. However, the command is maliciously crafted to include a DROP TABLE statement, which will delete the members table. The semicolon and double hyphen at the end are used to comment out the rest of the command, making it effective in deleting the table.

    Rate this question:

  • 20. 

    Which type of password cracking technique works like dictionary attack but adds some numbers and symbols to the words from the dictionary and tries to crack the password?

    • Dictionary attack

    • Brute forcing attack

    • Hybrid attack

    • Syllable attack

    • Rule-based attack

    Correct Answer
    A. Hybrid attack
    Explanation
    A hybrid attack is a type of password cracking technique that combines elements of a dictionary attack and a brute force attack. It starts with a dictionary of common words and then adds numbers and symbols to those words to create variations. These variations are then used to try and crack the password. This technique is effective because it takes advantage of the fact that many people use common words as their passwords, but also adds complexity by incorporating numbers and symbols.

    Rate this question:

  • 21. 
    Web servers are often the most targeted and attacked hosts on organizations' networks. Attackers may exploit software bugs in the Web server, underlying operating system, or active content to gain unauthorized access. Identify the correct statement related to the above Web Server installation? - ProProfs

    Web servers are often the most targeted and attacked hosts on organizations' networks. Attackers may exploit software bugs in the Web server, underlying operating system, or active content to gain unauthorized access. Identify the correct statement related to the above Web Server installation?

    • Lack of proper security policy, procedures and maintenance

    • Bugs in server software, OS and web applications

    • Installing the server with default settings

    • Unpatched security flaws in the server software, OS and applications

    Correct Answer
    A. Installing the server with default settings
    Explanation
    Installing the server with default settings can be a correct statement related to the above web server installation. This is because using default settings may leave the server vulnerable to attacks as it may not have the necessary security configurations in place. It is important to customize the server settings and apply security measures to protect against potential exploits.

    Rate this question:

  • 22. 
    John is the network administrator of XSECURITY systems. His network was recently compromised. He analyzes the log files to investigate the attack. Take a look at the following Linux log file snippet. The hacker compromised and "owned" a Linux machine. What is the hacker trying to accomplish here? - ProProfs

    John is the network administrator of XSECURITY systems. His network was recently compromised. He analyzes the log files to investigate the attack. Take a look at the following Linux log file snippet. The hacker compromised and "owned" a Linux machine. What is the hacker trying to accomplish here?

    • The hacker is attempting to compromise more machines on the network

    • The hacker is planting a rootkit

    • The hacker is running a buffer overflow exploit to lock down the system

    • The hacker is trying to cover his tracks

    Correct Answer
    A. The hacker is trying to cover his tracks
    Explanation
    The given log file snippet suggests that the hacker is trying to cover his tracks. This can be inferred from the fact that the hacker has compromised a Linux machine and is likely attempting to erase any evidence of their presence or actions on the compromised system.

    Rate this question:

  • 23. 
    Blake is in charge of securing all 20 of his company's servers. He has enabled hardware and software firewalls, hardened the operating systems, and disabled all unnecessary services on all the servers. Unfortunately, there is proprietary AS400 emulation software that must run on one of the servers that requires the telnet service to function properly. Blake is especially concerned about this since telnet can be a very large security risk in an organization. Blake is concerned about how this particular server might look to an outside attacker so he decides to perform some footprinting, scanning, and penetration tests on the server. Blake telnets into the server using Port 80 and types in the following command: HEAD / HTTP/1.0 After pressing enter twice, Blake gets the following results: What has Blake just accomplished? - ProProfs

    Blake is in charge of securing all 20 of his company's servers. He has enabled hardware and software firewalls, hardened the operating systems, and disabled all unnecessary services on all the servers. Unfortunately, there is proprietary AS400 emulation software that must run on one of the servers that requires the telnet service to function properly. Blake is especially concerned about this since telnet can be a very large security risk in an organization. Blake is concerned about how this particular server might look to an outside attacker so he decides to perform some footprinting, scanning, and penetration tests on the server. Blake telnets into the server using Port 80 and types in the following command: HEAD / HTTP/1.0 After pressing enter twice, Blake gets the following results: What has Blake just accomplished?

    • Downloaded a file to his local computer

    • Submitted a remote command to crash the server

    • Poisoned the local DNS cache of the server

    • Grabbed the Operating System banner

    Correct Answer
    A. Grabbed the Operating System banner
    Explanation
    By typing the command "HEAD / HTTP/1.0" and receiving the results, Blake has successfully grabbed the Operating System banner. The command is commonly used to retrieve information about the web server, including the version and type of operating system it is running on. This information can be useful for an attacker to identify vulnerabilities and plan further attacks.

    Rate this question:

  • 24. 

    Which of the following Exclusive OR transforms bits is NOT correct?

    • 0 xor 0 = 0

    • 1 xor 0 = 1

    • 1 xor 1 = 1

    • 0 xor 1 = 1

    Correct Answer
    A. 1 xor 1 = 1
    Explanation
    The given XOR transforms for bits are all correct except for "1 xor 1 = 1". The XOR operation returns 1 only when the two input bits are different, but in the case of "1 xor 1", both bits are the same (both are 1), so the correct result should be 0.

    Rate this question:

  • 25. 
    Bank of Timbuktu is a medium-sized, regional financial institution in Timbuktu. The bank has deployed a new Internet-accessible Web application recently. Customers can access their account balances, transfer money between accounts, pay bills and conduct online financial business using a Web browser.   John Stevens is in charge of information security at Bank of Timbuktu. After one month in production, several customers have complained about the Internet enabled banking application. Strangely, the account balances of many of the bank's customers had been changed! However, money hasn't been removed from the bank; instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries: What kind of attack did the Hacker attempt to carry out at the bank? - ProProfs

    Bank of Timbuktu is a medium-sized, regional financial institution in Timbuktu. The bank has deployed a new Internet-accessible Web application recently. Customers can access their account balances, transfer money between accounts, pay bills and conduct online financial business using a Web browser.   John Stevens is in charge of information security at Bank of Timbuktu. After one month in production, several customers have complained about the Internet enabled banking application. Strangely, the account balances of many of the bank's customers had been changed! However, money hasn't been removed from the bank; instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries: What kind of attack did the Hacker attempt to carry out at the bank?

    • Brute force attack in which the Hacker attempted guessing login ID and password from password cracking tools.

    • The Hacker attempted Session hijacking, in which the Hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session.

    • The Hacker used a generator module to pass results to the Web server and exploited Web application CGI vulnerability.

    • The Hacker first attempted logins with suspected user names, then used SQL Injection to gain access to valid bank login IDs.

    Correct Answer
    A. The Hacker first attempted logins with suspected user names, then used SQL Injection to gain access to valid bank login IDs.
    Explanation
    The correct answer is that the hacker first attempted logins with suspected usernames, then used SQL injection to gain access to valid bank login IDs. This is evident from the statement that the account balances of many customers were changed and money was transferred between accounts. SQL injection is a common attack technique where malicious SQL statements are inserted into an entry field, allowing the attacker to manipulate the database. In this case, the hacker likely used SQL injection to bypass the login system and gain access to valid login IDs, which they then used to transfer money between accounts.

    Rate this question:

  • 26. 

    June, a security analyst, understands that a polymorphic virus has the ability to mutate and can change its known viral signature and hide from signature-based antivirus programs. Can June use an antivirus program in this case and would it be effective against a polymorphic virus?

    • Yes. June can use an antivirus program since it compares the parity bitof executable files to the database of known check sum counts and it is effective on a polymorphic virus

    • Yes. June can use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and it is very effective against a polymorphic virus

    • No. June can't use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and in the case the polymorphic viruses cannot be detected by a signature-based anti-virus program

    • No. June can't use an antivirus program since it compares the size of executable files to the database of known viral signatures and it is effective on a polymorphic virus

    Correct Answer
    A. No. June can't use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and in the case the polymorphic viruses cannot be detected by a signature-based anti-virus program
    Explanation
    The correct answer states that June cannot use an antivirus program because it compares the signatures of executable files to the database of known viral signatures, and in the case of polymorphic viruses, they cannot be detected by a signature-based antivirus program. Polymorphic viruses have the ability to mutate and change their known viral signature, making it difficult for signature-based antivirus programs to identify and detect them. Therefore, using an antivirus program that relies on signature matching would not be effective against polymorphic viruses.

    Rate this question:

  • 27. 
    What type of port scan is represented here? - ProProfs

    What type of port scan is represented here?

    • Stealth Scan

    • Full Scan

    • XMAS Scan

    • FIN Scan

    Correct Answer
    A. Stealth Scan
    Explanation
    A stealth scan is a type of port scan where the attacker tries to hide their presence and avoid detection. They do this by sending packets to the target system without completing the full TCP handshake. In a stealth scan, the attacker sends SYN packets to the target, but does not send the final ACK packet to complete the handshake. This allows them to gather information about open ports without alerting the target system's security measures.

    Rate this question:

  • 28. 

    Blane is a security analyst for a law firm. One of the lawyers needs to send out an email to a client but he wants to know if the email is forwarded on to any other recipients. The client is explicitly asked not to re-send the email since that would be a violation of the lawyer's and client's agreement for this particular case. What can Blane use to accomplish this?

    • He can use a split-DNS service to ensure the email is not forwarded on.

    • A service such as HTTrack would accomplish this.

    • Blanecould use MetaGoofil tracking tool.

    • Blane can use a service such as ReadNotify tracking tool.

    Correct Answer
    A. Blane can use a service such as ReadNotify tracking tool.
    Explanation
    Blane can use a service such as ReadNotify tracking tool to accomplish this. This tool allows the sender to track the email and receive notifications when it is opened, forwarded, or printed. By using ReadNotify, Blane can monitor if the email is forwarded to any other recipients, ensuring compliance with the lawyer's and client's agreement.

    Rate this question:

  • 29. 

    Which of the following LM hashes represents a password of less than 8 characters?

    • 0182BD0BD4444BF836077A718CCDF409

    • 44EFCE164AB921CQAAD3B435B51404EE

    • BA810DBA98995F1817306D272A9441BB

    • CEC52EB9C8E3455DC2265B23734E0DAC

    • B757BF5C0D87772FAAD3B435B51404EE

    • E52CAC67419A9A224A3B108F3FA6CB6D

    Correct Answer(s)
    A. 44EFCE164AB921CQAAD3B435B51404EE
    A. B757BF5C0D87772FAAD3B435B51404EE
    Explanation
    The LM hash is a password hashing algorithm used in older versions of Windows operating systems. It breaks the password into two 7-character halves and hashes them separately. Therefore, any LM hash that has less than 8 characters represents a password of less than 8 characters. In this case, the hashes "44EFCE164AB921CQAAD3B435B51404EE" and "B757BF5C0D87772FAAD3B435B51404EE" both have 7 characters, indicating passwords of less than 8 characters.

    Rate this question:

  • 30. 

    Harold is the senior security analyst for a small state agency in New York. He has no other security professionals that work under him, so he has to do all the security-related tasks for the agency. Coming from a computer hardware background, Harold does not have a lot of experience with security methodologies and technologies, but he was the only one who applied for the position. Harold is currently trying to run a Sniffer on the agency's network to get an idea of what kind of traffic is being passed around, but the program he is using does not seem to be capturing anything. He pours through the Sniffer's manual, but cannot find anything that directly relates to his problem. Harold decides to ask the network administrator if he has any thoughts on the problem. Harold is told that the Sniffer was not working because the agency's network is a switched network, which cannot be sniffed by some programs without some tweaking. What technique could Harold use to sniff his agency's switched network?

    • ARP spoof the default gateway

    • Conduct MiTM against the switch

    • Launch smurf attack against the switch

    • Flood the switch with ICMP packets

    Correct Answer
    A. ARP spoof the default gateway
    Explanation
    Harold can use the technique of ARP spoofing the default gateway to sniff his agency's switched network. By ARP spoofing, Harold can trick the network into sending all the traffic to his machine instead of the actual default gateway. This way, he can capture and analyze the network traffic using the Sniffer program. ARP spoofing involves manipulating the ARP (Address Resolution Protocol) tables to associate his machine's MAC address with the IP address of the default gateway. This allows Harold to intercept and analyze the network traffic passing through the switched network.

    Rate this question:

  • 31. 

    Jacob is looking through a traffic log that was captured using Wireshark. Jacob has come across what appears to be SYN requests to an internal computer from a spoofed IP address. What is Jacob seeing here?

    • Jacob is seeing a Smurf attack.

    • Jacob is seeing a SYN flood.

    • He is seeing a SYN/ACK attack.

    • He has found evidence of an ACK flood.

    Correct Answer
    A. Jacob is seeing a SYN flood.
    Explanation
    Jacob is seeing a SYN flood. A SYN flood is a type of denial-of-service (DoS) attack where an attacker sends a large number of SYN requests to a target computer in order to overwhelm its resources and make it unable to respond to legitimate requests. In this case, Jacob has identified that the SYN requests are coming from a spoofed IP address, indicating that the attacker is disguising their identity.

    Rate this question:

  • 32. 

    The GET method should never be used when sensitive data such as credit card is being sent to a CGI program. This is because any GET command will appear in the URL, and will be logged by any servers. For example, let's say that you've entered your credit card information into a form that uses the GET method. The URL may appear like this: https://www.xsecurity-bank.com/creditcard.asp?cardnumber=453453433532234 The GET method appends the credit card number to the URL. This means that anyone with access to a server log will be able to obtain this information. How would you protect from this type of attack?

    • Never include sensitive information in a script

    • Use HTTPS SSLv3 to send the data instead of plain HTTPS

    • Replace the GET with POST method when sending data

    • Encrypt the data before you send using GET method

    Correct Answer
    A. Replace the GET with POST method when sending data
    Explanation
    Using the GET method to send sensitive data such as credit card information is not secure because the data is appended to the URL and can be logged by servers. To protect against this type of attack, the best approach is to replace the GET method with the POST method when sending data. Unlike GET, the POST method sends data in the body of the HTTP request rather than appending it to the URL, making it more secure and less prone to interception or logging.

    Rate this question:

  • 33. 

    You ping a target IP to check if the host is up. You do not get a response. You suspect ICMP is blocked at the firewall. Next you use hping2 tool to ping the target host and you get a response. Why does the host respond to hping2 and not ping packet?

    • Ping packets cannot bypass firewalls

    • You must use ping 10.2.3.4 switch

    • Hping2 uses stealth TCP packets to connect

    • Hping2 uses TCP instead of ICMP by default

    Correct Answer
    A. Hping2 uses TCP instead of ICMP by default
    Explanation
    Hping2 uses TCP instead of ICMP by default, which allows it to bypass the firewall that may be blocking ICMP packets. While ping packets use ICMP, which can be blocked by firewalls, hping2's use of TCP packets enables it to establish a connection with the target host and receive a response even if ICMP is blocked.

    Rate this question:

  • 34. 

    Bill is a security analyst for his company. All the switches used in the company's office are Cisco switches. Bill wants to make sure all switches are safe from ARP poisoning. How can Bill accomplish this?

    • Bill can use the command: ip dhcp snooping.

    • Bill can use the command:no ip snoop.

    • Bill could use the command: ip arp no flood.

    • He could use the command: ip arp no snoop.

    Correct Answer
    A. Bill can use the command: ip dhcp snooping.
    Explanation
    Bill can use the command "ip dhcp snooping" to ensure that all switches are safe from ARP poisoning. This command enables the switch to validate DHCP messages received from untrusted sources and ensure that only valid DHCP messages are allowed. By enabling DHCP snooping, Bill can prevent unauthorized DHCP servers from distributing incorrect IP addresses and protect against ARP poisoning attacks.

    Rate this question:

  • 35. 

    You are performing a port scan with nmap. You are in hurry and conducting the scans at the fastest possible speed. However, you don't want to sacrifice reliability for speed. If stealth is not an issue, what type of scan should you run to get very reliable results?

    • Stealth scan

    • Connect scan

    • Fragmented packet scan

    • XMAS scan

    Correct Answer
    A. Connect scan
    Explanation
    A connect scan is the most reliable type of scan to use in this scenario. It establishes a full TCP connection with the target host, which allows for more accurate results. This scan sends a SYN packet to the target host and waits for a response. If the target responds with a SYN/ACK packet, it means the port is open. If the target responds with a RST packet, it means the port is closed. This method is more reliable because it completes the full TCP handshake, ensuring that the results are accurate.

    Rate this question:

  • 36. 

    SSL has been seen as the solution to a lot of common security problems. Administrator will often time make use of SSL to encrypt communications from points A to point B. Why do you think this could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic between point A and B?

    • SSL is redundant if you already have IDS's in place

    • SSL will trigger rules at regular interval and force the administrator to turn them off

    • SSL will slow down the IDS while it is breaking the encryption to see the packet content

    • SSL will blind the content of the packet and Intrusion Detection Systems will not be able to detect them

    Correct Answer
    A. SSL will blind the content of the packet and Intrusion Detection Systems will not be able to detect them
    Explanation
    SSL encrypts the communication between point A and B, making it difficult for an Intrusion Detection System (IDS) to analyze the packet content. The IDS relies on inspecting the packet content to detect any malicious activity or potential threats. However, when SSL is used, the content of the packets becomes obscured, and the IDS is unable to effectively analyze them. This can result in the IDS failing to detect any intrusions or security threats, making SSL a bad idea in this scenario.

    Rate this question:

  • 37. 

    Botnets are networks of compromised computers that are controlled remotely and surreptitiously by one or more cyber criminals. How do cyber criminals infect a victim's computer with bots? (Select 4 answers)

    • Attackers physically visit every victim's computer to infect them with malicious software

    • Home computers that have security vulnerabilities are prime targets for botnets

    • Spammers scan the Internet looking for computers that are unprotected and use these "open- doors" to install malicious software

    • Attackers use phishing or spam emails that contain links or attachments

    • Attackers use websites to host the bots utilizing Web Browser vulnerabilities

    Correct Answer(s)
    A. Home computers that have security vulnerabilities are prime targets for botnets
    A. Spammers scan the Internet looking for computers that are unprotected and use these "open- doors" to install malicious software
    A. Attackers use phishing or spam emails that contain links or attachments
    A. Attackers use websites to host the bots utilizing Web Browser vulnerabilities
    Explanation
    Cyber criminals infect a victim's computer with bots by targeting home computers that have security vulnerabilities, scanning the internet for unprotected computers and using them as entry points to install malicious software. They also use phishing or spam emails that contain links or attachments to trick users into downloading malware. Additionally, attackers exploit web browser vulnerabilities by hosting the bots on websites, allowing them to infect computers when users visit these compromised sites.

    Rate this question:

  • 38. 
    What type of port scan is shown below? - ProProfs

    What type of port scan is shown below?

    • Idle Scan

    • Windows Scan

    • XMAS Scan

    • SYN Stealth Scan

    Correct Answer
    A. XMAS Scan
    Explanation
    The correct answer is XMAS Scan. An XMAS Scan is a type of port scan where a packet with the FIN, URG, and PSH flags set is sent to the target system. This scan is used to determine if a port is open, closed, or filtered by the firewall. If the target system responds with a RST packet, the port is closed. If there is no response, the port is open. This scan is called XMAS Scan because the combination of the FIN, URG, and PSH flags resembles the blinking lights of a Christmas tree.

    Rate this question:

  • 39. 
    Here is the ASCII Sheet. You want to guess the DBO username juggyboy (8 characters) using Blind SQL Injection technique.  What is the correct syntax? - ProProfs

    Here is the ASCII Sheet. You want to guess the DBO username juggyboy (8 characters) using Blind SQL Injection technique.  What is the correct syntax?

    • Option A

    • Option B

    • Option C

    • Option D

    Correct Answer
    A. Option A
  • 40. 

    Harold just got home from working at Henderson LLC where he works as an IT technician. He was able to get off early because they were not too busy. When he walks into his home office, he notices his teenage daughter on the computer, apparently chatting with someone online. As soon as she hears Harold enter the room, she closes all her windows and tries to act like she was playing a game. When Harold asks her what she was doing, she acts very nervous and does not give him a straight answer. Harold is very concerned because he does not want his daughter to fall victim to online predators and the sort. Harold doesn't necessarily want to install any programs that will restrict the sites his daughter goes to, because he doesn't want to alert her to his trying to figure out what she is doing. Harold wants to use some kind of program that will track her activities online, and send Harold an email of her activity once a day so he can see what she has been up to. What kind of software could Harold use to accomplish this?

    • Install hardware Keylogger on her computer

    • Install screen capturing Spyware on her computer

    • Enable Remote Desktop on her computer

    • Install VNC on her computer

    Correct Answer
    A. Install screen capturing Spyware on her computer
    Explanation
    Harold can use screen capturing spyware to track his daughter's online activities. This software will capture screenshots of her computer screen at regular intervals, allowing Harold to see what she has been doing online. By installing this spyware, Harold can monitor his daughter's activities without her knowledge or alerting her to his intentions. This will help him ensure her safety and protect her from potential online predators.

    Rate this question:

  • 41. 

    Hayden is the network security administrator for her company, a large finance firm based in Miami. Hayden just returned from a security conference in Las Vegas where they talked about all kinds of old and new security threats; many of which she did not know of. Hayden is worried about the current security state of her company's network so she decides to start scanning the network from an external IP address. To see how some of the hosts on her network react, she sends out SYN packets to an IP range. A number of IPs responds with a SYN/ACK response. Before the connection is established she sends RST packets to those hosts to stop the session.  She does this to see how her intrusion detection system will log the traffic. What type of scan is Hayden attempting here?

    • Hayden is attempting to find live hosts on her company's network byusing an XMAS scan

    • She is utilizing a SYN scan to find live hosts that are listening on her network

    • The type of scan, she is using is called a NULL scan

    • Hayden is using a half-open scan to find live hosts on her network

    Correct Answer
    A. Hayden is using a half-open scan to find live hosts on her network
    Explanation
    Hayden is using a half-open scan to find live hosts on her network. In a half-open scan, Hayden sends SYN packets to an IP range and receives SYN/ACK responses from the hosts that are listening. However, before the connection is fully established, she sends RST packets to stop the session. This allows her to see how her intrusion detection system will log the traffic and identify any potential security vulnerabilities or threats on the network.

    Rate this question:

  • 42. 
    While investigating a claim of a user downloading illegal material, the investigator goes through the files on the suspect's workstation. He comes across a file that is just called "file.txt" but when he opens it, he finds the following: What can he infer from this file? - ProProfs

    While investigating a claim of a user downloading illegal material, the investigator goes through the files on the suspect's workstation. He comes across a file that is just called "file.txt" but when he opens it, he finds the following: What can he infer from this file?

    • A picture that has been renamed with a .txt extension

    • An encrypted file

    • An encoded file

    • A buffer overflow

    Correct Answer
    A. A buffer overflow
    Explanation
    The investigator can infer that the file is a buffer overflow. This is because a buffer overflow occurs when a program or process tries to store more data in a buffer than it can hold, causing the excess data to overflow into adjacent memory. In this case, the file may have been given a .txt extension to make it appear as a harmless text file, but its contents are actually causing a buffer overflow. This suggests that the suspect may be attempting to exploit a vulnerability in a program or system.

    Rate this question:

  • 43. 
    You are trying to hijack a telnet session from a victim machine with IP address 10.0.0.5 to Cisco router at 10.0.0.1. You sniff the traffic and attempt to predict the sequence and acknowledgement numbers to successfully hijack the telnet session.  Here is the captured data in tcpdump. What are the next sequence and acknowledgement numbers that the router will send to the victim machine? - ProProfs

    You are trying to hijack a telnet session from a victim machine with IP address 10.0.0.5 to Cisco router at 10.0.0.1. You sniff the traffic and attempt to predict the sequence and acknowledgement numbers to successfully hijack the telnet session.  Here is the captured data in tcpdump. What are the next sequence and acknowledgement numbers that the router will send to the victim machine?

    • Sequence number: 82980070 Acknowledgement number: 17768885A.

    • Sequence number: 17768729 Acknowledgement number: 82980070B.

    • Sequence number: 87000070 Acknowledgement number: 85320085C.

    • Sequence number: 82980010 Acknowledgement number: 17768885D.

    Correct Answer
    A. Sequence number: 82980070 Acknowledgement number: 17768885A.
  • 44. 

    You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discovering the internal structure of publicly accessible areas of the network. How can you achieve this?

    • There is no way to completely block tracerouting into this area

    • Block UDP at the firewall

    • Block TCP at the firewall

    • Block ICMP at the firewall

    Correct Answer
    A. There is no way to completely block tracerouting into this area
    Explanation
    Blocking UDP, TCP, or ICMP at the firewall can help to prevent traceroute to some extent, but it cannot completely block tracerouting into the DMZ area. Traceroute uses a combination of ICMP, UDP, and TCP packets to determine the network path to a destination. By blocking these protocols, the firewall can make it more difficult for attackers to perform traceroute, but determined attackers may still find ways to bypass these restrictions. Therefore, there is no foolproof way to completely block tracerouting into the DMZ area.

    Rate this question:

  • 45. 

    Kevin is an IT security analyst working for Emerson Time Makers, a watch manufacturing company in Miami.  Kevin and his girlfriend Katy recently broke up after a big fight. Kevin believes that she was seeing another person. Kevin, who has an online email account that he uses for most of his mail, knows that Katy has an account with that same company. Kevin logs into his email account online and gets the following URL after successfully logged in: http://www.youremailhere.com/mail.asp?mailbox=Kevin&Smith=121%22  Kevin changes the URL to: http://www.youremailhere.com/mail.asp?mailbox=Katy&Sanchez=121%22 Kevin is trying to access her email account to see if he can find out any information. What is Kevin attempting here to gain access to Katy's mailbox?

    • This type of attempt is called URL obfuscation when someone manually changes aURL to try and gain unauthorized access

    • By changing the mailbox's name in the URL, Kevin is attempting directory transversal

    • Kevin is trying to utilize query string manipulation to gain access to her email account

    • He is attempting a path-string attack to gain access to her mailbox

    Correct Answer
    A. Kevin is trying to utilize query string manipulation to gain access to her email account
    Explanation
    Kevin is attempting to gain unauthorized access to Katy's email account by manipulating the query string in the URL. The query string manipulation involves changing the parameters in the URL to try and bypass authentication and gain access to the desired mailbox. This type of attack is known as query string manipulation and is a common method used by attackers to exploit vulnerabilities in web applications.

    Rate this question:

  • 46. 

    Simon is security analyst writing signatures for a Snort node he placed internally that captures all mirrored traffic from his border firewall. From the following signature, what will Snort look for in the payload of the suspected packets? alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "BACKDOOR SIG - SubSseven 22";flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;) alert

    • The payload of 485 is what this Snort signature will look for.

    • Snort will look for 0d0a5b52504c5d3030320d0a in the payload.

    • Packets that contain the payload of BACKDOOR SIG -SubSseven 22 will be flagged.

    • From this snort signature, packets with HOME_NET 27374 in the payload will be flagged.

    Correct Answer
    A. Snort will look for 0d0a5b52504c5d3030320d0a in the payload.
    Explanation
    This Snort signature is designed to look for the hexadecimal string "0d0a5b52504c5d3030320d0a" in the payload of the suspected packets. If this string is found in the payload, Snort will flag the packets as potentially containing the "BACKDOOR SIG - SubSseven 22" backdoor signature.

    Rate this question:

  • 47. 

    __________ is found in all versions of NTFS and is described as the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer.

    • Alternate Data Streams

    • Merge Streams

    • Steganography

    • NetBIOS vulnerability

    Correct Answer
    A. Alternate Data Streams
    Explanation
    Alternate Data Streams is a feature found in all versions of NTFS that allows file data to be forked into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer. This means that additional data can be stored within a file without altering its appearance or behavior, making it a useful tool for hiding information or adding metadata to files.

    Rate this question:

  • 48. 

    Which Windows system tool checks integrity of critical files that has been digitally signed by Microsoft?

    • Signverif.exe

    • Sigverif.exe

    • Msverif.exe

    • Verifier.exe

    Correct Answer
    A. Sigverif.exe
    Explanation
    Sigverif.exe is a Windows system tool that checks the integrity of critical files that have been digitally signed by Microsoft. It verifies the digital signatures of these files to ensure that they have not been tampered with or modified in any way, providing an added layer of security and ensuring the trustworthiness of these files. This tool is commonly used to detect any unauthorized changes to system files, helping to maintain the overall stability and security of the Windows operating system.

    Rate this question:

  • 49. 

    If an attacker's computer sends an IPID of 24333 to a zombie (Idle Scanning) computer on a closed port, what will be the response?

    • The zombie computer will respond with an IPID of 24334.

    • The zombie computer will respond with an IPID of 24333.

    • The zombie computer will notsend a response.

    • The zombie computer will respond with an IPID of 24335.

    Correct Answer
    A. The zombie computer will respond with an IPID of 24334.
    Explanation
    When an attacker's computer sends an IPID of 24333 to a zombie computer on a closed port using Idle Scanning, the zombie computer will respond with an IPID of 24334. This is because Idle Scanning involves sending a spoofed packet to the zombie computer, which then sends a response to the victim's IP address. The IPID of the response packet is typically incremented by 1 compared to the IPID of the packet sent by the attacker. Therefore, the correct answer is that the zombie computer will respond with an IPID of 24334.

    Rate this question:

Quiz Review Timeline (Updated): Mar 21, 2023 +

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

  • Current Version
  • Mar 21, 2023
    Quiz Edited by
    ProProfs Editorial Team
  • Oct 28, 2013
    Quiz Created by
    Porterwb

Recent Quizzes

CEH Quiz (101-200) Take this quiz CEH Quiz (101-200) Take this quiz
CEH and Countermeasures v7 Version 4.2 CEH and Countermeasures v7 Version 4.2
CEH quick pop quiz CEH quick pop quiz
Advertisement
×

Wait!
Here's an interesting quiz for you.

We have other quizzes matching your interest.