CEH Preperation test

During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this vulnerability?

 
 
 
 

An attacker, using a rogue wireless AP, performed an MITM attack and injected an HTML code to embed a malicious applet in all HTTP connections. When users accessed any page, the applet ran and exploited many machines. Which one of the following tools the hacker probably used to inject HTML code?

 
 
 
 

Which Open Web Application Security Project (OWASP) implements a web application full of known vulnerabilities?

 
 
 
 

Look at the following output. What did the hacker accomplish?

 
 
 
 

Which of the following guidelines or standards is associated with the credit card industry?

 
 
 
 

Jack was attempting to fingerprint all machines in the network using the following Nmap syntax: invictus@victim_server:~$ nmap -T4 -0 10.10.0.0/24 TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING! Obviously, it is not going through. What is the issue here?

 
 
 
 

What is the purpose of a demilitarized zone on a network?

 
 
 
 

A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network. What are some things he can do to prevent it? Select the best answers.

 
 
 
 
 

What mechanism in Windows prevents a user from accidentally executing a potentially malicious batch (.bat) or PowerShell (.ps1) script?

 
 
 
 

When utilizing technical assessment methods to assess the security posture of a network, which of the following techniques would be most effective in determining whether end-user security training would be beneficial?

 
 
 
 

An organization hires a tester to do a wireless penetration test. Previous reports indicate that the last test did not contain management or control packets in the submitted traces. Which of the following is the most likely reason for lack ofmanagement or control packets?

 
 
 
 

In which of the following cryptography attack methods, the attacker makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions?

 
 
 
 

A company has five different subnets: 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and 192.168.5.0. How can NMAP be used to scan these adjacent Class C networks?

 
 
 
 

A consultant is hired to do physical penetration testing at a large financial company. In the first day of his assessment, the consultant goes to the company`s building dressed like an electrician and waits in the lobby for an employee to pass through the main access gate, then the consultant follows the employee behind to get into the restricted area. Which type of attack did the consultant perform?

 
 
 
 

Which of the following is a hardware requirement that either an IDS/IPS system or a proxy server must have in order to properly function?

 
 
 
 

SNMP is a protocol used to query hosts, servers, and devices about performance or health status data. This protocol has long been used by hackers to gather great amount of information about remote hosts. Which of the following features makes this possible? (Choose two.)

 
 
 
 

Chandler works as a pen-tester in an IT-firm in New York. As a part of detecting viruses in the systems, he uses a detection method where the anti-virus executes the malicious codes on a virtual machine to simulate CPU and memory activities. Which type of virus detection method did Chandler use in this context?

 
 
 
 

Sam is working as s pen-tester in an organization in Houston. He performs penetration testing on IDS in order to find the different ways an attacker uses to evade the IDS. Sam sends a large amount of packets to the target IDS that generates alerts, which enable Sam to hide the real traffic. What type of method is Sam using to evade IDS?

 
 
 
 

_________ is a set of extensions to DNS that provide to DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attacks types.

 
 
 
 

Risks = Threats x Vulnerabilities is referred to as the:

 
 
 
 

Low humidity in a data center can cause which of the following problems?

 
 
 
 

The intrusion detection system at a software development company suddenly generates multiple alerts regarding attacks against the company’s external webserver, VPN concentrator, and DNS servers. What should the security team do to determine which alerts to check first?

 
 
 
 

Which of the statements concerning proxy firewalls is correct? client.

 
 
 
 

Which of the following Nmap commands would be used to perform a stack fingerprinting?

 
 
 
 
 

An attacker has been successfully modifying the purchase price of items purchased on the company’s web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the Intrusion Detection System (IDS) logs and found no attacks that could have caused this. What is the mostly likely way the attacker has been able to modify the purchase price?

 
 
 
 

A penetration tester is hired to do a risk assessment of a company’s DMZ. The rules of engagement states that the penetration test be done from an external IP address with no prior knowledge of the internal IT systems. What kind of test is being performed?

 
 
 
 

It is a short-range wireless communication technology intended to replace the cables connecting portable of fixed devices while maintaining high levels of security. It allows mobile phones, computers and other devices to connect and communicate using a short-range wireless connection. Which of the following terms best matches the definition?

 
 
 
 

If an e-commerce site was put into a live environment and the programmers failed to remove the secret entry point that was used during the application development, what is this secret entry point known as?

 
 
 
 

Which of the following is considered an acceptable option when managing a risk?

 
 
 
 

Which of the following is a design pattern based on distinct pieces of software providing application functionality as services to other applications?

 
 
 
 

A penetration tester is conducting a port scan on a specific host. The tester found several ports opened that were confusing in concluding the Operating System (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS?

 
 
 
 

In Trojan terminology, what is a covert channel? policy connections

 
 
 
 

What type of malware is it that restricts access to a computer system that it infects and demands that the user pay a certain amount of money, cryptocurrency, etc. to the operators of the malware to remove the restriction?

 
 
 
 

Why should the security analyst disable/remove unnecessary ISAPI filters?

 
 
 
 

This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes unsanitized user-provided data. What is this attack?

 
 
 
 
 

Employees in a company are no longer able to access Internet web sites on their computers. The network administrator is able to successfully ping IP address of web servers on the Internet and is able to open web sites by using an IP address in place of the URL. The administrator runs the nslookup command for www.eccouncil.org and receives an error message stating there is no response from the server. What should the administrator do next?

 
 
 
 

Some passwords are stored using specialized encryption algorithms known as hashes. Why is this an appropriate method?

 
 
 
 

Study the log below and identify the scan type.

 
 
 
 

E-mail scams and mail fraud are regulated by which of the following? Communication

 
 
 
 
 

Which type of intrusion detection system can monitor and alert on attacks, but cannot stop them?

 
 
 
 

One of your team members has asked you to analyze the following SOA record. What is the TTL? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)

 
 
 
 
 
 

Which specific element of security testing is being assured by using hash?

 
 
 
 

What is not a PCI compliance recommendation?

 
 
 
 

Which United States legislation mandates that the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) must sign statements verifying the completeness and accuracy of financial reports?

 
 
 
 

When you are getting information about a web server, it is very important to know the HTTP Methods (GET, POST, HEAD, PUT, DELETE, TRACE) that are available because there are two critical methods (PUT and DELETE). PUT can upload a file to the server and DELETE can delete a file from the server. You can detect all these methods (GET, POST, HEAD, PUT, DELETE, TRACE) using NMAP script engine. What nmap script will help you with this task?

 
 
 
 

A hacker, who posed as a heating and air conditioning specialist, was able to install a sniffer program in a switched environment network. Which attack could the hacker use to sniff all of the packets in the network?

 
 
 
 

Which of the following program infects the system boot sector and the executable files at the same time?

 
 
 
 

For messages sent through an insecure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. While using a digital signature, the message digest is encrypted with which key?

 
 
 
 

A server has been infected by a certain type of Trojan. The hacker intended to utilize it to send and host junk mails. What type of Trojan did the hacker use?

 
 
 
 

What is the benefit of performing an unannounced Penetration Testing?

 
 
 
 

Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test for? mail

 
 
 
 
 

The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE’s Common Vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the OpenSSL implementation of the transport layer security (TLS) protocols defined in RFC6520. What type of key does this bug leave exposed to the Internet making exploitation of any compromised system very easy?

 
 
 
 

Which of the following examples best represents a logical or technical control?

 
 
 
 

Which of the following cryptography attack is an understatement for the extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by a coercion or torture?

 
 
 
 

You work for Acme Corporation as Sales Manager. The company has tight network security restrictions. You are trying to steal data from the company’s Sales database (Sales.xls) and transfer them to your home computer. Your company filters and monitors traffic that leaves from the internal network to the Internet. How will you achieve this without raising suspicion? innocent looking email or file transfer using Steganography techniques

 
 
 
 

Which of the following resources does NMAP need to be used as a basic vulnerability scanner covering several vectors like SMB, HTTP and FTP?

 
 
 
 

Which of the following tools would be the best choice for achieving compliance with PCI Requirement 11?

 
 
 
 

Which vital role does the U.S. Computer Security Incident Response Team (CSIRT) provide? the Department of Homeland Security decommissions old Internet infrastructure sectors Department, as well as private sectors

 
 
 
 

Insecure direct object reference is a type of vulnerability where the application does not verify if the user is authorized to access the internal object via its name or key. Suppose a malicious user Rob tries to get access to the account of a benign user Ned. Which of the following requests best illustrates an attempt to exploit an insecure direct object reference vulnerability?

 
 
 
 

Company XYZ has asked you to assess the security of their perimeter email gateway. From your office in New York, you craft a specially formatted email message and send it across the Internet to an employee of Company XYZ. The employee of Company XYZ is aware of your test. Your email message looks like this: From: jim_miller@companyxyz.com To: michelle_saunders@companyxyz.com Subject: Test message Date: 4/3/2017 14:37 The employee of Company XYZ receives your email message. This proves that Company XYZ’s email gateway doesn’t prevent what?

 
 
 
 

What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?

 
 
 
 
 

Defining rules, collaborating human workforce, creating a backup plan, and testing the plans are within what phase of the Incident Handling Process?

 
 
 
 

Using Windows CMD, how would an attacker list all the shares to which the current user context has access?

 
 
 
 

You have the SOA presented below in your Zone. Your secondary servers have not been able to contact your primary server to synchronize information. How long will the secondary servers attempt to contact the primary server before it considers that zone is dead and stops responding to queries? collegae.edu.SOA, cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600)

 
 
 
 

Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing “server publishing”?

 
 
 
 

Which solution can be used to emulate computer services, such as mail and ftp, and to capture information related to logins or actions?

 
 
 
 

One of your team members has asked you to analyze the following SOA record. What is the version? Rutgers. edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.) (Choose four.)

 
 
 
 
 
 

Emil uses nmap to scan two hosts using this command. nmap -sS -T4 -O 192.168.99.1 192.168.99.7 He receives this output: What is his conclusion?

 
 
 
 

Nation-state threat actors often discover vulnerabilities and hold on to them until they want to launch a sophisticated attack. The Stuxnet attack was an unprecedented style of attack because it used four types of vulnerability. What is this style of attack called?

 
 
 
 

Which of the following is a client-server tool utilized to evade firewall inspection?

 
 
 
 

A security analyst in an insurance company is assigned to test a new web application that will be used by clients to help them choose and apply for an insurance plan. The analyst discovers that the application is developed in ASP scripting language and it uses MSSQL as a database backend. The analyst locates the application’s search form and introduces the following code in the search input field: When the analyst submits the form, the browser returns a pop-up window that says “Vulnerable”. Which web applications vulnerability did the analyst discover?

 
 
 
 

A security analyst is performing an audit on the network to determine if there are any deviations from the security policies in place. The analyst discovers that a user from the IT department had a dial-out modem installed. Which security policy must the security analyst check to see if dial-out modems are allowed?

 
 
 
 

Nathan is testing some of his network devices. Nathan is using Macof to try and flood the ARP cache of these switches. If these switches’ ARP cache is successfully flooded, what will be the result? packets to the nearest switch.

 
 
 
 

When security and confidentiality of data within the same LAN is of utmost priority, which IPSec mode should you implement?

 
 
 
 

The fundamental difference between symmetric and asymmetric key cryptographic systems is that symmetric key cryptography uses which of the following?

 
 
 
 

It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing, and sharing any electronic medical data to keep patient data secure. Which of the following regulations best matches the description?

 
 
 
 

If the final set of security controls does not eliminate all risk in a system, what could be done next?

 
 
 
 

Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up by and IDS?

 
 
 
 
 

When discussing passwords, what is considered a brute force attack?

 
 
 
 
 

Which of the following areas is considered a strength of symmetric key cryptography when compared with asymmetric algorithms?

 
 
 
 

Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt to use these tools in his lab and is now ready for real world exploitation. He was able to effectively intercept communications between the two entities and establish credentials with both sides of the connections. The two remote ends of the communication never notice that Eric is relaying the information between the two. What would you call this attack?

 
 
 
 

Which of the following attacks exploits web age vulnerabilities that allow an attacker to force an unsuspecting user’s browser to send malicious requests they did not intend?

 
 
 
 

Vlady works in a fishing company where the majority of the employees have very little understanding of IT let alone IT Security. Several information security issues that Vlady often found includes, employees sharing password, writing his/her password on a post it note and stick it to his/her desk, leaving the computer unlocked, didn’t log out from emails or other social media accounts, and etc. After discussing with his boss, Vlady decided to make some changes to improve the security environment in his company. The first thing that Vlady wanted to do is to make the employees understand the importance of keeping confidential information, such as password, a secret and they should not share it with other persons. Which of the following steps should be the first thing that Vlady should do to make the employees in his company understand to importance of keeping confidential information a secret?

 
 
 
 

An attacker sniffs encrypted traffic from the network and is subsequently able to decrypt it. The attacker can now use which cryptanalytic technique to attempt to discover the encryption key?

 
 
 
 

You perform a scan of your company’s network and discover that TCP port 123 is open. What services by default run on TCP port 123?

 
 
 
 

During the process of encryption and decryption, what keys are shared? During the process of encryption and decryption, what keys are shared?

 
 
 
 

Which tier in the N-tier application architecture is responsible for moving and processing data between the tiers?

 
 
 
 

During a penetration test, the tester conducts an ACK scan using NMAP against the external interface of the DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which type of packet inspection is the firewall conducting?

 
 
 
 

The company ABC recently discovered that their new product was released by the opposition before their premiere. They contract an investigator who discovered that the maid threw away papers with confidential information about the new product and the opposition found it in the garbage. What is the name of the technique used by the opposition?

 
 
 
 

Sophia travels a lot and worries that her laptop containing confidential documents might be stolen. What is the best protection that will work for her?

 
 
 
 

Which of the following is a passive wireless packet analyzer that works on Linux-based systems?

 
 
 
 

A new wireless client is configured to join a 802.11 network. This client uses the same hardware and software as many of the other clients on the network. The client can see the network, but cannot connect. A wireless packet sniffer shows that the Wireless Access Point (WAP) is not responding to the association requests being sent by the wireless client. What is a possible source of this problem?

 
 
 
 

During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called?

 
 
 
 

You have compromised a server and successfully gained a root access. You want to pivot and pass traffic undetected over the network and evade any possible Intrusion Detection System. What is the best approach? Systems.

 
 
 
 

The Open Web Application Security Project (OWASP) is the worldwide not-for-profit charitable organization focused on improving the security of software. What item is the primary concern on OWASP’s Top Ten Project Most Critical Web Application Security Risks?

 
 
 
 

What is the main security service a cryptographic hash provides?

 
 
 
 

You are attempting to crack LM Manager hashed from Windows 2000 SAM file. You will be using LM Brute force hacking tool for decryption. What encryption algorithm will you be decrypting?

 
 
 
 

Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close. What just happened?

 
 
 
 

An attacker is trying to redirect the traffic of a small office. That office is using their own mail server, DNS server and NTP server because of the importance of their job. The attacker gains access to the DNS server and redirects the direction www.google.com to his own IP address. Now when the employees of the office want to go to Google they are being redirected to the attacker machine. What is the name of this kind of attack?

 
 
 
 

It is a widely used standard for message logging. It permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. This protocol is specifically designed for transporting event messages. Which of the following is being described?

 
 
 
 

A person approaches a network administrator and wants advice on how to send encrypted email from home. The end user does not want to have to pay for any license fees or manage server services. Which of the following is the most secure encryption protocol that the network administrator should recommend?

 
 
 
 

WPA2 uses AES for wireless data encryption at which of the following encryption levels?

 
 
 
 

An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network’s external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?

 
 
 
 

You went to great lengths to install all the necessary technologies to prevent hacking attacks, such as expensive firewalls, antivirus software, anti-spam systems and intrusion detection/prevention tools in your company’s network. You have configured the most secure policies and tightened every device on your network. You are confident that hackers will never be able to gain access to your network with complex security system in place. Your peer, Peter Smith who works at the same department disagrees with you. He says even the best network security technologies cannot prevent hackers gaining access to the network because of presence of “weakest link” in the security chain. What is Peter Smith talking about? attacks to detect these attacks techniques to bypass the filters in your gateway

 
 
 
 

Which of these is capable of searching for and locating rogue access points?

 
 
 
 

What is the best defense against privilege escalation vulnerability?

 
 
 
 

While doing a Black box pen test via the TCP port (80), you noticed that the traffic gets blocked when you tried to pass IRC traffic from a web enabled host. However, you also noticed that outbound HTTP traffic is being allowed. What type of firewall is being utilized for the outbound traffic?

 
 
 
 

A hacker has managed to gain access to a Linux host and stolen the password file from /etc/passwd. How can he use it?

 
 
 
 

A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should he do?

 
 
 
 

What information should an IT system analysis provide to the risk assessor?

 
 
 
 

While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an attack or other wrong doing. However, you are concerned about affecting the normal functionality of the email server. From the following options choose how best you can achieve this objective?

 
 
 
 
 

Destination unreachable administratively prohibited messages can inform the hacker to what?

 
 
 
 
 

The establishment of a TCP connection involves a negotiation called 3 way handshake. What type of message sends the client to the server in order to begin this negotiation?

 
 
 
 

The Payment Card Industry Data Security Standard (PCI DSS) contains six different categories of control bjectives. Each objective contains one or more requirements, which must be followed in order to achieve compliance.Which of the following requirements would best fit under the objective, “Implement strong access control measures”?

 
 
 
 

Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool “SIDExtractor”. Here is the output of the SIDs: From the above list identify the user account with System Administrator privileges. G. Micah

 
 
 
 
 

A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash. The technician researches the bug and discovers that no one else experienced the problem. What is the appropriate next step?

 
 
 
 

Knowing the nature of backup tapes, which of the following is the MOST RECOMMENDED way of storing backup tapes?

 
 
 
 

Email is transmitted across the Internet using the Simple Mail Transport Protocol. SMTP does not encrypt email, leaving the information in the message vulnerable to being read by an unauthorized person. SMTP can upgrade a connection between two mail servers to use TLS. Email transmitted by SMTP over TLS is encrypted. What is the name of the command used by SMTP to transmit email over TLS?

 
 
 

If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?

 
 
 
 

An attacker scans a host with the below command. Which three flags are set? (Choose three.) #nmap sX host.domain.com

 
 
 
 

During a wireless penetration test, a tester detects an access point using WPA2 encryption. Which of the following attacks should be used to obtain the key? obtain the key.

 
 
 
 

When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established. This is referred to as the “TCP three-way handshake.” While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK. How would an attacker exploit this design by launching TCP SYN attack?

 
 
 
 

Which of the following programming languages is most vulnerable to buffer overflow attacks?

 
 
 
 

Nedved is an IT Security Manager of a bank in his country. One day. he found out that there is a security breach to his company’s email server based on analysis of a suspicious connection from the email server to an unknown IP Address. What is the first thing that Nedved needs to do before contacting the incident response team?

 
 
 
 

Under the “Post-attack Phase and Activities”, it is the responsibility of the tester to restore the systems to a pretest state. Which of the following activities should not be included in this phase? (see exhibit) Exhibit: