CEH Certification Exam Questions

Community-sourced. Answers may be wrong or out of date. Always verify with your official training portal before submitting. Not affiliated with any branch, agency, or vendor.

QUESTION 1

A Certified Ethical Hacker follows a specific methodology for testing a system. Which step comes after footprinting in the CEH methodology?

ANSWER

Scanning

QUESTION 2

You've been hired as part of a pen test team. During the in-brief, you learn the client wants the pen test attack to simulate a normal user who finds ways to elevate privileges and create attacks. Which test type does the client want?

ANSWER

Gray box

QUESTION 3

Which of the following is true regarding an ethical hacker?

ANSWER

The ethical hacker has authorization to proceed from the target owner.

QUESTION 4

You begin your first pen-test assignment by checking out IP address ranges owned by the target as well as details of their domain name registration. Additionally, you visit job boards and financial websites to gather any technical information online. What activity are you performing?

ANSWER

Passive footprinting

QUESTION 5

You send a message across a network and are primarily concerned that it is not altered during transit. Which security element ensures a message arrives at its destination with no alteration?

ANSWER

Integrity

QUESTION 6

An ethical hacker is given no prior knowledge of the network and has a specific framework in which to work. The agreement specifies boundaries, nondisclosure agreements, and a completion date definition. Which of the following statements are true?

ANSWER

A white hat is attempting a black box test.

QUESTION 7

Which of the following attacks is considered an integrity attack, where the attacker is not concerned with deciphering the entirety of a plaintext message?

ANSWER

Bit flipping

QUESTION 8

As part of a pen test on a U.S. Government system, you discover files containing social security numbers and other sensitive PII (personally identifiable information). You are asked about controls placed on dissemination of this information. Which of the following acts should you check?

ANSWER

Privacy Act

QUESTION 9

Joe has spent a large amount of time learning hacking tools and techniques, and has even passed certification exams to promote himself in the ethical hacking field. Joe uses his talents during the election season to deface websites and launch denial of service attacks against opponents of his candidate. Which answer most closely correlates with Joe's actions?

ANSWER

Hacktivism

QUESTION 10

A hacker is attempting to gain access to a target inside a business. After trying several methods, he gets frustrated and starts a denial of service attack against a server attached to the target. Which security control is the hacker affecting?

ANSWER

Availability

QUESTION 11

The security, functionality, and ease of use (SFE) triangle states which of the following as true?

ANSWER

As security increases, ease of use decreases and functionality decreases.

QUESTION 12

In which phase of the ethical hacking methodology would a hacker discover available targets on a network?

ANSWER

Scanning and enumeration

QUESTION 13

Which of the following are potential drawbacks to a black box test? (Choose all that apply.)

ANSWER

The client does not get a full picture of an internal attacker focused on their systems; This test takes the longest amount of time to complete.

QUESTION 14

In which phase of a penetration test would an ethical hacker perform footprinting?

ANSWER

Assessment

QUESTION 15

Which of the following would not be considered passive reconnaissance?

ANSWER

Ping sweeping a range of IP addresses found through a DNS lookup

QUESTION 16

As part of the preparation phase for a pen test that you are participating in, the client relays their intent to discover security flaws and possible remediation. They seem particularly concerned about external threats and do not mention internal threats at all. When defining scope, the threat of internal users is not added as part of the test. Which test is this client ignoring?

ANSWER

Gray box

QUESTION 17

In which phase of an attack would vulnerability mapping occur?

ANSWER

Scanning and enumeration

QUESTION 18

While performing a pen test, you find success in exploiting a machine. Your attack vector took advantage of a common mistake—the Windows 7 installer script used to load the machine left the administrative account with a default password. Which attack did you successfully execute?

ANSWER

Operating system

QUESTION 19

A machine in your environment uses an open X-server to allow remote access. The X-server access control is disabled, allowing connections from almost anywhere and with little to no authentication measures. Which of the following are true statements regarding this situation? (Choose all that apply.)

ANSWER

An external threat can take advantage of the misconfigured X-server vulnerability; An internal threat can take advantage of the misconfigured X-server vulnerability.

QUESTION 20

You are examining security logs snapshotted during a prior attack against the target. The target's IP address is 135.17.22.15, and the attack originated from 216.88.76.5. Which of the following correctly characterizes this attack?

ANSWER

Outside attack

QUESTION 21

An ethical hacker needs to be aware of a variety of laws. What do Sections 1029 and 1030 of United States Code Title 18 specify?

ANSWER

They define most of the U.S. laws concerning hacking and computer crime.

QUESTION 22

Which of the following should a security professional use as a possible means to verify the integrity of a data message from sender to receiver?

ANSWER

Hash algorithm

QUESTION 23

Which of the following describes activities taken in the conclusion phase of a penetration test?

ANSWER

Reports are prepared detailing security deficiencies.

QUESTION 24

Which of the following best describes an ethical hacker?

ANSWER

An ethical hacker never proceeds with an audit or test without written permission.

QUESTION 25

In which phase of the attack would a hacker set up and configure "zombie" machines?

ANSWER

Maintaining access

QUESTION 26

Which of the following is a true statement concerning cryptography?

ANSWER

Converts plaintext to ciphertext for protection during transit or in storage.

QUESTION 27

Which of the following would be the best choice to guarantee the integrity of messages in transit or storage?

ANSWER

Hash algorithm

QUESTION 28

Which of the following encryption algorithms is your best choice if your primary need is bulk encryption, and you need fast, strong encryption?

ANSWER

AES

QUESTION 29

You're describing a basic PKI system to a new member of the team. He asks how the public key can be distributed within the system in an orderly, controlled fashion so that the users can be sure of the sender's identity. Which of the following would be your answer?

ANSWER

Digital certificate

QUESTION 30

You are discussing hash values with a CEH instructor. Immediately after telling you the hash is a one-way algorithm and cannot be reversed, he explains that you can still discover the value entered into the hash, given enough time and resources. Which of the following hash anomalies might allow this?

ANSWER

Collision

QUESTION 31

What is the standard format for digital certificates?

ANSWER

X.509

QUESTION 32

You're discussing cryptography and determine you need to ensure messages are safe from unauthorized observation. Also, you want to provide a way to ensure the identity of the sender and receiver during the communications process. Which of the following best suits your needs?

ANSWER

Asymmetric encryption

QUESTION 33

A hacker has gained access to several files. Many are encrypted, but one is not. Which of the following is the best choice for possibly providing a successful break into the encrypted files?

ANSWER

Known plaintext

QUESTION 34

You are discussing a steganography tool that takes advantage of the nature of "white space" to conceal information. Which tool are you discussing?

ANSWER

Snow

QUESTION 35

At the basic core of encryption approaches, two main methods are in play: substitution and transposition. Which of the following best describes transposition?

ANSWER

The order of bits is changed.

QUESTION 36

Jack and Jill work in an organization that has a PKI system in place for securing messaging. Jack encrypts a message for Jill and sends it on. Jill receives the message and decrypts it. Within a PKI system, which of the following statements is true?

ANSWER

Jack encrypts with Jill's public key. Jill decrypts with her private key.

QUESTION 37

Which of the following would you find in an X.509 digital certificate? (Choose all that apply.)

ANSWER

Version, Algorithm ID, Public Key, and Key Usage

QUESTION 38

Which of the following is a secure substitute for telnet?

ANSWER

SSH

QUESTION 39

An SSL session requires a client and a server to handshake information between each other and agree on a secured channel. Which of the following best describes the session key creation during the setup of an SSL session?

ANSWER

The client creates the key after verifying the server's identity.

QUESTION 40

Which encryption algorithm uses variable block sizes (from 32 to 128 bits)?

ANSWER

RC5

QUESTION 41

Which hash algorithm was developed by the NSA and produces output values up to 512 bits?

ANSWER

SHA-2

QUESTION 42

A hacker is attempting to uncover the key used in a cryptographic encryption scheme. Which attack vector is the most resource intensive and usually takes the longest amount of time?

ANSWER

Brute force

QUESTION 43

In a discussion on symmetric encryption, a friend mentions that one of the drawbacks with this system is scalability. He goes on to say that for every person you add to the mix, the number of keys goes up exponentially. If seven people are in a symmetric encryption pool, how many keys are necessary?

ANSWER

21

QUESTION 44

Which of the following is a true statement?

ANSWER

Symmetric encryption does not scale easily and does not provide for nonrepudiation.

QUESTION 45

The PKI system you are auditing has a Certificate Authority (CA) at the top that creates and issues certificates. Users trust each other based on the CA itself. Which trust model is in use here?

ANSWER

Single Authority

QUESTION 46

Two bit strings are run through an XOR operation. Which of the following is a true statement for each bit pair regarding this function?

ANSWER

If the first value is 1 and the second value is 1, then the output is 0.

QUESTION 47

Which of the following attacks attempts to re-send a portion of a cryptographic exchange in hopes of setting up a communications channel?

ANSWER

Replay

QUESTION 48

Within a PKI system, which of the following is an accurate statement?

ANSWER

Bill can be sure a message came from Sue by using her public key to decrypt the digital signature.

QUESTION 49

One use of hash algorithms is for the secure storage of passwords: The password is run through a one-way hash, and the value is stored instead of the plaintext version. If a hacker gains access to these hash values, and knows the hash algorithm used to create them, which of the following could be used to speed up his effort in cracking them?

ANSWER

Rainbow tables

QUESTION 50

Your client's business is headquartered in Japan. Which regional registry would be the best place to look for footprinting information?

ANSWER

APNIC

QUESTION 51

Which of the following are footprinting tools? (Choose all that apply.)

ANSWER

Sam Spade, Nslookup, Traceroute, and NetCraft

QUESTION 52

You are looking for files with the terms "Apache" and "Version" in their titles. Which Google hack is the appropriate one?

ANSWER

allintitle:apache version

QUESTION 53

You've just kicked off a penetration test against a target organization and have decided to perform a little passive footprinting. Among the first sites you visit are job boards, where the company has listed various openings. What is the primary useful footprinting information to be gained through this particular search?

ANSWER

Insight into the operating systems, hardware, and applications in use

QUESTION 54

Which of the following activities is not considered passive footprinting?

ANSWER

Calling the company's help desk line

QUESTION 55

As fate would have it, you are contracted to pen test an organization you are already familiar with. You start your passive reconnaissance by perusing the company website. Several months ago, the public-facing website had a listing of all staff members, including phone numbers, e-mail addresses, and other useful information. Since that time, the listing has been removed from the website. Which of the following is the best option to provide access to the listing?

ANSWER

Use www.archive.org.

QUESTION 56

You are footprinting information for a pen test. Social engineering is part of your reconnaissance efforts, and some of it will be active in nature. You take steps to ensure that if the social engineering efforts are discovered at this early stage, any trace efforts point to another organization. Which of the following terms best describes what you are participating in?

ANSWER

Pseudonymous footprinting

QUESTION 57

You are setting up DNS for your enterprise. Server A is both a web server and an FTP server. You wish to advertise both services for this machine. Which DNS record type would you use to accomplish this?

ANSWER

CNAME

QUESTION 58

Within the DNS system, a primary server (SOA) holds and maintains all records for the zone. Secondary servers will periodically ask the primary whether there have been any updates. If updates have occurred, they will ask for a zone transfer to update their own copies. Under what conditions will a secondary name server request a zone transfer from a primary?

ANSWER

When the primary SOA record serial number is higher than the secondary's

QUESTION 59

Which of the following footprinting tools uses ICMP to provide information on network pathways?

ANSWER

Traceroute

QUESTION 60

Joe accesses the company website, www.anybusi.com, from his home computer and is presented with a defaced site containing disturbing images. He calls the IT department to report the website hack and is told they do not see any problem with the site: No files have been changed, and when the site is accessed from their terminals (inside the company) it appears normally. Joe connects over VPN into the company website and notices the site appears normally. Which of the following might explain the issue?

ANSWER

DNS poisoning

QUESTION 61

One way to mitigate against DNS poisoning is to restrict or limit the amount of time records can stay in cache before they're updated. Which DNS record type allows you to set this restriction?

ANSWER

SOA

QUESTION 62

You are gathering reconnaissance on your target organization whose website has a .com extension. With no other information to go on, which regional Internet registry would be the best place to begin your search?

ANSWER

ARIN

QUESTION 63

Which of the following is a good footprinting tool for discovering information on a company's founding, history, and financial status?

ANSWER

EDGAR database

QUESTION 64

How does traceroute map the routes traveled by a packet?

ANSWER

By manipulating the time to live (TTL) parameter

QUESTION 65

You are footprinting a target headquartered in the Dominican Republic. You have gathered some competitive intelligence and have engaged in both passive and active reconnaissance. Your next step is to define the network range this organization uses. What is the best way to accomplish this?

ANSWER

Use LACNIC to look up the company range

QUESTION 66

A zone file consists of which types of records? (Choose all that apply.)

ANSWER

PTR, MX, SOA, A

QUESTION 67

A good footprinting method is to track e-mail messages and see what kind of information you can pull back. Which tool is useful in this scenario?

ANSWER

eMailTrackerPro

QUESTION 68

You are footprinting DNS information using dig. What command syntax should be used to discover all name servers listed by DNS server 202.55.77.12 in the anybiz.com namespace?

ANSWER

dig @202.55.77.12 www.anybiz.com NS

QUESTION 69

What is the second step in the TCP three-way handshake?

ANSWER

SYN/ACK

QUESTION 70

You wish to perform a ping sweep of a subnet within your target organization. Which of the following nmap command lines is your best option?

ANSWER

nmap -sP 192.168.1.0/24

QUESTION 71

Which of the following TCP flags is used to reset a connection?

ANSWER

RST

QUESTION 72

You are examining traffic and notice an ICMP type 3, code 13 response. What does this normally indicate?

ANSWER

A firewall is prohibiting connection

QUESTION 73

You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean?

ANSWER

Your IDLE scan results will not be useful to you.

QUESTION 74

As a pen test on a major international business moves along, a colleague discovers an IIS server and a mail exchange server on a DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the ping. What is the most likely reason for the lack of response?

ANSWER

ICMP is being filtered.

QUESTION 75

Which of the following tools is not a good choice for determining possible vulnerabilities on live targets you have identified?

ANSWER

Nmap

QUESTION 76

Which of the following tools can be used for operating system prediction? (Choose all that apply.)

ANSWER

Nmap and Queso

QUESTION 77

You are in training for your new pen test assignment. Your trainer enters the following command:

telnet 192.168.12.5 80

After typing the command, he hits ENTER a few times. What is being attempted?

ANSWER

Banner grabbing

QUESTION 78

What is being attempted with the following command?

nc -u -v -w2 192.168.1.100 1-1024

ANSWER

A UDP port scan of ports 1-1024 on a single address

QUESTION 79

You are told to monitor a packet capture for any attempted DNS zone transfer. Which port should you key your search on?

ANSWER

TCP 53

QUESTION 80

In the scanning and enumeration phase of your attack, you put tools such as ToneLoc, THC-Scan, and WarVox to use. What are you attempting to accomplish?

ANSWER

War dialing

QUESTION 81

Which of the following are SNMP enumeration tools? (Choose all that apply.)

ANSWER

SNMPUtil, OpUtils, SolarWinds, and NSAuditor

QUESTION 82

You wish to run a scan against a target network. You're concerned about it being a reliable scan, with legitimate results, but want to take steps to ensure it is as stealthy as possible. Which scan type is best in this situation?

ANSWER

nmap -sS targetIPaddress

QUESTION 83

Which of the following ports are required for a null session connection? (Choose all that apply.)

ANSWER

135, 137, 139, 445

QUESTION 84

You are enumerating a subnet. Examining message traffic you discover SNMP is enabled on multiple targets. If you assume default settings in setting up enumeration tools to use SNMP, which community strings should you use?

ANSWER

Public (read-only) and Private (read/write)

QUESTION 85

Nmap is a powerful scanning and enumeration tool. What does this nmap command attempt to accomplish?

nmap -sA -T4 192.168.15.0/24

ANSWER

A parallel, fast ACK scan of a Class C subnet

QUESTION 86

You are examining a packet capture of all traffic from a host on the subnet. The host sends a segment with the SYN flag set, in order to set up a TCP communications channel. The destination port is 80, and the sequence number is set to 10. Which of the following statements are not true regarding this communications channel? (Choose all that apply.)

ANSWER

The host will be attempting to retrieve an HTML file; The packet returned in answer to this SYN request will acknowledge the sequence number by returning "10."

QUESTION 87

Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?

ANSWER

PSH

QUESTION 88

You receive a RST-ACK from a port during a SYN scan. What is the state of the port?

ANSWER

Closed

QUESTION 89

Which port-scanning method presents the most risk of discovery, but provides the most reliable results?

ANSWER

Full-connect

QUESTION 90

A target machine (with a MAC of 12:34:56:AB:CD:EF) is connected to a switch port. An attacker (with a MAC of 78:91:00:ED:BC:A1) is attached to a separate port on the same switch with a packet capture running. There is no spanning of ports or port security in place. Two packets leave the target machine. Message 1 has a destination MAC of E1:22:BA:87:AC:12. Message 2 has a destination MAC of FF:FF:FF:FF:FF:FF. Which of the following statements is true regarding the messages being sent?

ANSWER

The attacker will see message 2.

QUESTION 91

You have successfully tapped into a network subnet of your target organization. You begin an attack by learning all significant MAC addresses on the subnet. After some time, you decide to intercept messages between two hosts. You begin by sending broadcast messages to Host A showing your MAC address as belonging to Host B. Simultaneously, you send messages to Host B showing your MAC address as belonging to Host A. What is being accomplished here?

ANSWER

ARP poisoning to allow you to see messages from Host A to Host B, and vice versa

QUESTION 92

Sniffing network traffic can sometimes be a function of an investigation run by a law enforcement agency (LEA). Within the confines of the lawful intercept, what provides most of the processing of the information and is usually provided by a third party?

ANSWER

Mediation device

QUESTION 93

An attacker has successfully tapped into a network segment and has configured port spanning for his connection, which allows him to see all traffic passing through the switch. Which of the following protocols protects any sensitive data from being seen by this attacker?

ANSWER

SSH

QUESTION 94

You have a large packet capture file in Wireshark to review. You wish to filter traffic to show all packets with an IP address of 192.168.22.5 that contain the string HR_admin. Which of the following filters would accomplish this task?

ANSWER

ip.addr==192.168.22.5 && tcp contains HR_admin

QUESTION 95

Which of the following is a tool used for MAC spoofing?

ANSWER

SMAC

QUESTION 96

You are attempting to sniff traffic on a switch. Which of the following is a good method to ensure you are successful? (Choose all that apply.)

ANSWER

Configure a span port; Use MAC flooding

QUESTION 97

Which of the following are modes Snort can operate in? (Choose all that apply.)

ANSWER

Sniffer, Packet Logger, and Network IDS

QUESTION 98

You wish to begin sniffing, and you have a Windows 7 laptop. You download and install Wireshark, but quickly discover your NIC needs to be in "promiscuous mode." What allows you to put your NIC into promiscuous mode?

ANSWER

Installing WinPcap

QUESTION 99

You are attempting to deliver a payload to a target inside the organization; however, it is behind an IDS. You are concerned about successfully accomplishing your task without alerting the IDS monitoring team. Which of the following methods are possible options? (Choose all that apply.)

ANSWER

Encrypt the traffic between you and the host; Session splicing

QUESTION 100

A pen test member has gained access to an open switch port. He configures his NIC for promiscuous mode and sets up a sniffer, plugging his laptop directly into the switch port. He watches traffic as it arrives at the system, looking for specific information to possibly use later. What type of sniffing is being practiced?

ANSWER

Session

QUESTION 101

What does this line from the Snort configuration file indicate?

var RULE_PATH c:\etc\snort\rules

ANSWER

It defines the location of the Snort rules.

QUESTION 102

As part of a security monitoring team, Joe is reacting to an incursion into the network. The attacker successfully exploited a vulnerability on an internal machine, and Joe is examining how the attacker succeeded. He reviews the IDS logs but sees no alerts for the time period; however, there is definitive proof of the attack. Which IDS shortcoming does this refer to?

ANSWER

False negative

QUESTION 103

Your IDS sits on the network perimeter and has been analyzing traffic for a couple of weeks. On arrival one morning, you find the IDS has alerted on a spike in network traffic late the previous evening. Which type of IDS are you using?

ANSWER

Anomaly based

QUESTION 104

You are performing an ACK scan against a target subnet. You previously verified connectivity to several hosts within the subnet, but want to verify all live hosts on the subnet. Your scan, however, is not receiving any replies. Which type of firewall is most likely in use at your location?

ANSWER

Stateful

QUESTION 105

You are separated from your target subnet by a firewall. The firewall is correctly configured and only allows requests through to ports opened by the administrator. In firewalking the device, you find that port 80 is open. Which technique could you employ to send data and commands to or from the target system?

ANSWER

Use HTTP tunneling.

QUESTION 106

Which of the following tools are useful in identifying potential honeypots on a subnet? (Choose all that apply.)

ANSWER

Nessus and Send-Safe HH

QUESTION 107

Examine the Wireshark filter shown here:

ip.src == 192.168.1.1 && tcp.srcport == 80

Which of the following correctly describes the capture filter?

ANSWER

The results will display all HTTP traffic from 192.168.1.1.

QUESTION 108

You need to put the NIC into listening mode on your Linux box, capture packets, and write the results to a log file named my.log. How do you accomplish this with tcpdump?

ANSWER

tcpdump -i eth0 -w my.log

QUESTION 109

Which of the following tools can assist with IDS evasion? (Choose all that apply.)

ANSWER

Whisker, Fragroute, ADMmutate, and Inundator

QUESTION 110

Which command puts Snort into packet logger mode?

ANSWER

./snort -dev -l ./log

QUESTION 111

Examine the following password hashes obtained from a Windows XP machine using LM hashing:

B757BF5C0D87772FAAD3B435B51404EE
BA810DBA98995F1817306D272A9441BB
E52CAC67419A9A224A3B108F3FA6CB6D
0182BD0BD4444BF836077A718CCDF409
CEC52EB9C8E3455DC2265B23734E0DAC

Which of the following is true regarding the hashes listed?

ANSWER

The first hash listed is from a password of seven characters or less.

QUESTION 112

Which of the following correctly describes brute-force password attacks?

ANSWER

Attempt all possible combinations of letters, numbers, and special characters in succession.

QUESTION 113

Which password theft method is almost always successful, requires little technical knowledge, and is nearly impossible to detect?

ANSWER

Install a hardware keylogger.

QUESTION 114

Which of the following will extract an executable file from NTFS streaming?

ANSWER

c:\> cat file1.txt:hidden.exe > visible.exe

QUESTION 115

Which command is used to allow all privileges to the user, read-only to the group and read-only for all others to a particular file, on a Linux machine?

ANSWER

chmod 711 file1

QUESTION 116

You are attempting to hack a Windows machine and wish to gain a copy of the SAM file. Where can you find it? (Choose all that apply.)

ANSWER

c:\windows\system32\config, or c:\windows\repair

QUESTION 117

Which of the following statements are true concerning Kerberos? (Choose all that apply.)

ANSWER

Kerberos uses symmetric encryption; Kerberos uses asymmetric encryption; Clients ask for authentication tickets from the KDC in clear text; KDC responses to clients never include a password; Clients decrypt a TGT from the server

QUESTION 118

What is the difference between a dictionary attack and a hybrid attack?

ANSWER

Dictionary attacks use predefined word lists, whereas hybrid attacks substitute numbers and symbols within those words.

QUESTION 119

Which of the following SIDs indicates the true administrator account?

ANSWER

S-1-5-21-1388762127-2960977290-773940301-500

QUESTION 120

You have obtained a password hash and wish to quickly determine the associated plaintext password. Which of the following is the best choice?

ANSWER

Use a rainbow table.

QUESTION 121

You are monitoring traffic between two systems communicating over SSL. Which of the following techniques is your best bet in gaining access?

ANSWER

Sidejacking

QUESTION 122

Which password would be considered the most secure?

ANSWER

C3HisH@rd

QUESTION 123

Your client makes use of Sigverif on his servers. What functionality does this tool provide?

ANSWER

Displays a list of unsigned drivers.

QUESTION 124

Which of the following are considered offline password attacks? (Choose all that apply.)

ANSWER

Using a hardware keylogger, Brute-force cracking with Cain and Abel on a stolen SAM file, and Using John the Ripper on a stolen passwd file

QUESTION 125

You suspect a hack has occurred against your Linux machine. Which command will display all running processes for you to review?

ANSWER

ps -ef

QUESTION 126

Which rootkit type makes use of system-level calls to hide its existence?

ANSWER

Library level

QUESTION 127

Which folder in Linux holds administrative commands and daemons?

ANSWER

/sbin

QUESTION 128

What are the three commands necessary to install an application in Linux?

ANSWER

make, make install, ./configure

QUESTION 129

You are examining files on a Windows machine and note one file's attributes include "h." What does this indicate?

ANSWER

The file is hidden.

QUESTION 130

You have gained access to a SAM file from an older Windows machine and are preparing to run a Syskey cracker against it. How many bits are used for Syskey encryption?

ANSWER

128

QUESTION 131

Which of the following tools can assist in discovering the use of NTFS file streams? (Choose all that apply.)

ANSWER

LADS, ADS Spy, and Sfind

QUESTION 132

Which authentication method uses DES for encryption and forces 14-character passwords for hash storage?

ANSWER

LAN Manager

QUESTION 133

You are testing physical security measures as part of a pen test team. Upon entering the lobby of the building, you see the entrance has a guard posted at the lone entrance. A door leads into a smaller room with a second door heading into the interior of the building. Which physical security measure is in place?

ANSWER

Man trap

QUESTION 134

In your social engineering efforts you call the company help desk and pose as a user who has forgotten a password. You ask the technician to help you reset your password, which they happily comply with. Which social engineering attack is in use here?

ANSWER

Technical support

QUESTION 135

Your client is considering a biometric system for access to a controlled location. Which of the following is a true statement regarding his decision?

ANSWER

The lower the CER, the better the biometric system.

QUESTION 136

A pen tester sends an unsolicited e-mail to several users in the target organization. The e-mail is well crafted and appears to be from the company's help desk, advising users of potential network problems. The e-mail provides a contact number to call in the event they are adversely affected. The pen tester then performs a denial of service on several systems and receives phone calls from users asking for assistance. Which social engineering practice is in play here?

ANSWER

Reverse social engineering

QUESTION 137

A pen test member has gained access to a building and is observing activity as he wanders around. In one room of the building, he stands just outside a cubicle wall opening and watches the onscreen activity of a user. Which social engineering attack is in use here?

ANSWER

Shoulder surfing

QUESTION 138

You are interviewing an incident response team member of an organization you're working with. He relates an incident where a user received an e-mail that appeared to be from the U.S. Postal Service, notifying her of a package headed her way and providing a link for tracking the package. The link provided took the user to what appeared to be the USPS site, where she input her user information to learn about the latest shipment headed her way. Which attack did the user fall victim to?

ANSWER

Phishing

QUESTION 139

Which type of social engineering attack uses phishing, pop-ups, and IRC?

ANSWER

Computer based

QUESTION 140

An e-mail sent from an attacker to a known hacking group contains a reference stating, "Rebecca works for the finance department at _business-name_ and is the administrative assistant to the chief. She can be reached at _phone-number_." What is most likely being communicated here?

ANSWER

The administrative assistant for the chief of the finance department at this business is easily swayed by social engineering efforts.

QUESTION 141

What are the three categories of measures taken to ensure physical security?

ANSWER

Technical, Physical, and Operational

QUESTION 142

After observing a target organization for several days, you discover that finance and HR records are bagged up and placed in an outside storage bin for later shredding/recycling. One day you simply walk to the bin and place one of the bags in your vehicle, with plans to rifle through it later. Which social engineering attack was used here?

ANSWER

Dumpster diving

QUESTION 143

An attacker waits outside the entry to a secured facility. After a few minutes an authorized user appears with an entry badge displayed. He swipes a key card and unlocks the door. The attacker, with no display badge, follows him inside. Which social engineering attack just occurred?

ANSWER

Piggybacking

QUESTION 144

Which threat presents the highest risk to an organization's resources?

ANSWER

Disgruntled employees

QUESTION 145

Which of the following may be effective countermeasures against social engineering? (Choose all that apply.)

ANSWER

Security policies, Operational guidelines, Strong firewall configuration

QUESTION 146

Which of the following are indicators of a phishing e-mail? (Choose all that apply.)

ANSWER

It does not reference you by name; It contains misspelled words or grammatical errors; It contains spoofed links; It comes from an unverified source;

QUESTION 147

You are discussing physical security measures and are covering background checks on employees and policies regarding key management and storage. Which type of physical security measure is being discussed?

ANSWER

Operational

QUESTION 148

Which of the following resources can assist in combating phishing in your organization? (Choose all that apply.)

ANSWER

Netcraft and Phishtank

QUESTION 149

In order, what are the three steps in a reverse social engineering attack?

ANSWER

Marketing, sabotage, technical support

QUESTION 150

Which type of social engineering makes use of impersonation, dumpster diving, shoulder surfing, and tailgating?

ANSWER

Human based

QUESTION 151

What is considered the best defense against social engineering?

ANSWER

User education and training

QUESTION 152

Which anti-phishing method makes use of a secret message or image referenced on the communication?

ANSWER

Sign-in seal

QUESTION 153

Which of the following should be in place to assist as a social engineering countermeasure? (Choose all that apply.)

ANSWER

Classification of information; Strong security policy; User Education; Strong change management process;

QUESTION 154

Joe uses a user ID and password to log into the system every day. Jill uses a PIV card and a PIN. Which of the following are true?

ANSWER

Jill is using two-factor authentication.

QUESTION 155

A system owner has implemented a retinal scanner at the entryway to the data floor. Which type of physical security measure is this?

ANSWER

Technical

QUESTION 156

Physical security also includes the maintenance of the environment and equipment for your data floor. Which of the following are true statements regarding this equipment? (Choose all that apply.)

ANSWER

The higher the MTBF, the better; The lower the MTTR, the better;

QUESTION 157

Which fire extinguisher type is the best choice for an electrical system fire?

ANSWER

An extinguisher marked "C"

QUESTION 158

You are examining connection logs from a client machine and come across this entry: http://www.business123.com/../../../../../Windows/system.ini. Which attack does this most likely indicate?

ANSWER

Directory traversal

QUESTION 159

A hacker is looking at a publicly facing web front end. One of the pages provides an entry box with the heading "Forgot password? Enter your email address." In the entry, he types anything' OR '1'='1. A message appears stating, "Your login information has been sent to a_username@emailaddress.target.com." Which of the following is true?

ANSWER

The SQL injection attempt has succeeded.
