CPEH-001 Certified Professional Ethical Hacker Exam Free Questions

11. Jack was attempting to fingerprint all machines in the network using the following Nmap syntax:

invictus@victim_server:~$ nmap -T4 -0 10.10.0.0/24

TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING!

Obviously, it is not going through.

What is the issue here?

12. While performing online banking using a Web browser, Kyle receives an email that contains an image of a well-crafted art. Upon clicking the image, a new tab on the web browser opens and shows an animated GIF of bills and coins being swallowed by a crocodile. After several days, Kyle noticed that all his funds on the bank was gone.

What Web browser-based security vulnerability got exploited by the hacker?

13. A hacker was able to easily gain access to a website. He was able to log in via the frontend user login form of the website using default or commonly used credentials.

This exploitation is an example of what Software design flaw?

14. Supposed you are the Chief Network Engineer of a certain Telco. Your company is planning for a big business expansion and it requires that your network authenticate users connecting using analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay network.

Which AAA protocol would you implement?

15. Which type of cryptography does SSL, IKE and PGP belongs to?

16. A recent security audit revealed that there were indeed several occasions that the company’s network was breached. After investigating, you discover that your IDS is not configured properly and therefore is unable to trigger alarms when needed.

What type of alert is the IDS giving?

17. What are two things that are possible when scanning UDP ports? (Choose two.)

18. What does a type 3 code 13 represent? (Choose two.)

19. Destination unreachable administratively prohibited messages can inform the hacker to what?

20. Which of the following Nmap commands would be used to perform a stack fingerprinting?

21. (Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort has been used to capture packets on the network.

On studying the packets, the penetration tester finds it to be abnormal. If you were the penetration tester, why would you find this abnormal?

What is odd about this attack? Choose the best answer.

22. Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up by and IDS?

23. Name two software tools used for OS guessing? (Choose two.)

24. Sandra is the security administrator of XYZ.com. One day she notices that the XYZ.com Oracle database server has been compromised and customer information along with financial data has been stolen. The financial loss will be estimated in millions of dollars if the database gets into the hands of competitors. Sandra wants to report this crime to the law enforcement agencies immediately.

Which organization coordinates computer crime investigations throughout the United States?

25. While reviewing the result of scanning run against a target network you come across the following:





Which among the following can be used to get this output?

26. You are manually conducting Idle Scanning using Hping2. During your scanning you notice that almost every query increments the IPID regardless of the port being queried. One or two of the queries cause the IPID to increment by more than one value.

Why do you think this occurs?

27. While performing ping scans into a target network you get a frantic call from the organization's security team. They report that they are under a denial of service attack. When you stop your scan, the smurf attack event stops showing up on the organization's IDS monitor.

How can you modify your scan to prevent triggering this event in the IDS?

28. Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan?

29. A distributed port scan operates by:

30. An nmap command that includes the host specification of 202.176.56-57.* will scan _______ number of hosts.

31. A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites.

77 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets had an ICMP ID:0 and Seq:0.

What can you infer from this information?

32. Which of the following commands runs snort in packet logger mode?

33. You have initiated an active operating system fingerprinting attempt with nmap against a target system:





What operating system is the target host running based on the open ports shown above?

34. Study the log below and identify the scan type.

35. Which of the following command line switch would you use for OS detection in Nmap?

36. Why would an attacker want to perform a scan on port 137?

37. Which Type of scan sends a packets with no flags set?

38. Sandra has been actively scanning the client network on which she is doing a vulnerability assessment test.

While conducting a port scan she notices open ports in the range of 135 to 139.

What protocol is most likely to be listening on those ports?

39. SNMP is a protocol used to query hosts, servers, and devices about performance or health status data. This protocol has long been used by hackers to gather great amount of information about remote hosts.

Which of the following features makes this possible? (Choose two.)

40. Bob is acknowledged as a hacker of repute and is popular among visitors of "underground" sites.

Bob is willing to share his knowledge with those who are willing to learn, and many have expressed their interest in learning from him. However, this knowledge has a risk associated with it, as it can be used for malevolent attacks as well.

In this context, what would be the most effective method to bridge the knowledge gap between the "black" hats or crackers and the "white" hats or computer security professionals? (Choose the test answer.)

41. Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool "SIDExtractor".

Here is the output of the SIDs:





From the above list identify the user account with System Administrator privileges.

42. Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing "server publishing"?

43. What is the following command used for?

net use targetipc$ "" /u:""

44. What is the proper response for a NULL scan if the port is closed?

45. One of your team members has asked you to analyze the following SOA record.

What is the TTL? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)

46. One of your team members has asked you to analyze the following SOA record.

What is the version?

Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.) (Choose four.)

47. MX record priority increases as the number increases. (True/False.)

48. Which of the following tools can be used to perform a zone transfer?

49. Under what conditions does a secondary name server request a zone transfer from a primary name server?

50. What ports should be blocked on the firewall to prevent NetBIOS traffic from not coming through the firewall if your network is comprised of Windows NT, 2000, and XP?

51. What is a NULL scan?

52. What is the proper response for a NULL scan if the port is open?

53. Which of the following statements about a zone transfer is correct? (Choose three.)

54. You have the SOA presented below in your Zone.

Your secondary servers have not been able to contact your primary server to synchronize information.

How long will the secondary servers attempt to contact the primary server before it considers that zone is dead and stops responding to queries?

collegae.edu.SOA, cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600)

55. Tess King is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records (delegation for child Domains), zone serial number, TimeToLive (TTL) records, etc) for a Domain.

What do you think Tess King is trying to accomplish? Select the best answer.

56. A zone file consists of which of the following Resource Records (RRs)?

57. Let's imagine three companies (A, B and C), all competing in a challenging global environment. Company A and B are working together in developing a product that will generate a major competitive advantage for them. Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing. With a spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails from company B.

How do you prevent DNS spoofing?

58. Which DNS resource record can indicate how long any "DNS poisoning" could last?

59. Joseph was the Web site administrator for the Mason Insurance in New York, who's main Web site was located at www.masonins.com. Joseph uses his laptop computer regularly to administer the Web site. One night, Joseph received an urgent phone call from his friend, Smith. According to Smith, the main Mason Insurance web site had been vandalized! All of its normal content was removed and replaced with an attacker's message ''Hacker Message: You are dead! Freaks!” From his office, which was directly connected to Mason Insurance's internal network, Joseph surfed to the Web site using his laptop. In his browser, the Web site looked completely intact.

No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the problem. The Web site appeared defaced when his friend visited using his DSL connection. So, while Smith and his friend could see the defaced page, Joseph saw the intact Mason Insurance web site. To help make sense of this problem, Joseph decided to access the Web site using hisdial-up ISP. He disconnected his laptop from the corporate internal network and used his modem to dial up the same ISP used by Smith.

After his modem connected, he quickly typed www.masonins.com in his browser to reveal the following web page:





After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the entire Web site, and determined that every system file and all the Web content on the server were intact.

How did the attacker accomplish this hack?

60. Which of the following tools are used for enumeration? (Choose three.)

61. What did the following commands determine?

62. Which definition among those given below best describes a covert channel?

63. Susan has attached to her company's network. She has managed to synchronize her boss's sessions with that of the file server. She then intercepted his traffic destined for the server, changed it the way she wanted to and then placed it on the server in his home directory.

What kind of attack is Susan carrying on?

64. Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt to use these tools in his lab and is now ready for real world exploitation. He was able to effectively intercept communications between the two entities and establish credentials with both sides of the connections. The two remote ends of the communication never notice that Eric is relaying the information between the two.

What would you call this attack?

65. Eve is spending her day scanning the library computers. She notices that Alice is using a computer whose port 445 is active and listening. Eve uses the ENUM tool to enumerate Alice machine. From the command prompt, she types the following command.





What is Eve trying to do?

66. Which of the following represents the initial two commands that an IRC client sends to join an IRC network?

67. Study the following log extract and identify the attack.

68. Null sessions are un-authenticated connections (not using a username or password.) to an NT or 2000 system.

Which TCP and UDP ports must you filter to check null sessions on your network?

69. The following is an entry captured by a network IDS. You are assigned the task of analyzing this entry. You notice the value 0x90, which is the most common NOOP instruction for the Intel processor. You figure that the attacker is attempting a buffer overflow attack.

You also notice "/bin/sh" in the ASCII part of the output.

As an analyst what would you conclude about the attack?

70. Based on the following extract from the log of a compromised machine, what is the hacker really trying to steal?

71. As a securing consultant, what are some of the things you would recommend to a company to ensure DNS security?

72. Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test for?

73. What tool can crack Windows SMB passwords simply by listening to network traffic?

74. A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network.

What are some things he can do to prevent it? Select the best answers.

75. Peter, a Network Administrator, has come to you looking for advice on a tool that would help him perform SNMP enquires over the network.

Which of these tools would do the SNMP enumeration he is looking for? Select the best answers.

76. If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?

77. Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weaknesses and key loggers.

Which of the following options best represents the means that Bob can adopt to retrieve passwords from his clients hosts and servers?

78. Study the snort rule given below:





From the options below, choose the exploit against which this rule applies.

79. Which of the following algorithms can be used to guarantee the integrity of messages being sent, in transit, or stored?

80. A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems.

However, he is unable to capture any logons though he knows that other users are logging in.

What do you think is the most likely reason behind this?

81. You are attempting to crack LM Manager hashed from Windows 2000 SAM file. You will be using LM Brute force hacking tool for decryption.

What encryption algorithm will you be decrypting?

82. In the context of password security, a simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is. The brute force method is the most inclusive, although slow. It usually tries every possible letter and number combination in its automated exploration. If you would use both brute force and dictionary methods combined together to have variation of words, what would you call such an attack?

83. What is the algorithm used by LM for Windows2000 SAM?

84. E-mail scams and mail fraud are regulated by which of the following?

85. Which of the following LM hashes represent a password of less than 8 characters? (Choose two.)

86. Which of the following is the primary objective of a rootkit?

87. This kind of password cracking method uses word lists in combination with numbers and special characters:

88. _________ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes.

89. What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?

90. What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stracheldraht have in common?

91. How can you determine if an LM hash you extracted contains a password that is less than 8 characters long?

92. When discussing passwords, what is considered a brute force attack?

93. Which of the following are well known password-cracking programs?

94. Password cracking programs reverse the hashing process to recover passwords. (True/False.)

95. While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an attack or other wrong doing. However, you are concerned about affecting the normal functionality of the email server. From the following options choose how best you can achieve this objective?

96. Windows LAN Manager (LM) hashes are known to be weak.

Which of the following are known weaknesses of LM? (Choose three.)

97. You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters. With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results?

98. An attacker runs netcat tool to transfer a secret file between two hosts.





He is worried about information being sniffed on the network.

How would the attacker use netcat to encrypt the information before transmitting onto the wire?

99. What is GINA?

100. Fingerprinting an Operating System helps a cracker because:

101. In the context of Windows Security, what is a 'null' user?

102. What does the following command in netcat do?

nc -l -u -p55555 < /etc/passwd

103. What hacking attack is challenge/response authentication used to prevent?

104. In this attack, a victim receives an e-mail claiming from PayPal stating that their account has been disabled and confirmation is required before activation. The attackers then scam to collect not one but two credit card numbers, ATM PIN number and other personal details. Ignorant users usually fall prey to this scam.

Which of the following statement is incorrect related to this attack?

105. Bob is going to perform an active session hijack against Brownies Inc. He has found a target that allows session oriented connections (Telnet) and performs the sequence prediction on the target operating system. He manages to find an active session due to the high level of traffic on the network.

What is Bob supposed to do next?

106. ViruXine.W32 virus hides their presence by changing the underlying executable code.

This Virus code mutates while keeping the original algorithm intact, the code changes itself each time it runs, but the function of the code (its semantics) will not change at all.





Here is a section of the Virus code:





What is this technique called?

107. Identify the correct terminology that defines the above statement.

108. Nathan is testing some of his network devices. Nathan is using Macof to try and flood the ARP cache of these switches.

If these switches' ARP cache is successfully flooded, what will be the result?

109. You are programming a buffer overflow exploit and you want to create a NOP sled of 200 bytes in the program exploit.c





What is the hexadecimal value of NOP instruction?

110. This TCP flag instructs the sending system to transmit all buffered data immediately.

111. The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below:

You are hired to conduct security testing on their network.

You successfully brute-force the SNMP community string using a SNMP crack tool.

The access-list configured at the router prevents you from establishing a successful connection.

You want to retrieve the Cisco configuration from the router.

How would you proceed?

112. You work for Acme Corporation as Sales Manager. The company has tight network security restrictions. You are trying to steal data from the company's Sales database (Sales.xls) and transfer them to your home computer. Your company filters and monitors traffic that leaves from the internal network to the Internet.

How will you achieve this without raising suspicion?

113. Study the snort rule given below and interpret the rule. alert tcp any any --> 192.168.1.0/24 111

(content:"|00 01 86 a5|"; msG. "mountd access";)

114. What port number is used by LDAP protocol?

115. Fred is the network administrator for his company. Fred is testing an internal switch.

From an external IP address, Fred wants to try and trick this switch into thinking it already has established a session with his computer.

How can Fred accomplish this?

116. Within the context of Computer Security, which of the following statements describes Social Engineering best?

117. In Trojan terminology, what is a covert channel?

118. When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established. This is referred to as the "TCP three-way handshake." While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK.

How would an attacker exploit this design by launching TCP SYN attack?

119. Yancey is a network security administrator for a large electric company. This company provides power for over 100, 000 people in Las Vegas. Yancey has worked for his company for over 15 years and has become very successful. One day, Yancey comes in to work and finds out that the company will be downsizing and he will be out of a job in two weeks. Yancey is very angry and decides to place logic bombs, viruses, Trojans, and backdoors all over the network to take down the company once he has left. Yancey does not care if his actions land him in jail for 30 or more years, he just wants the company to pay for what they are doing to him.

What would Yancey be considered?

120. You receive an e-mail like the one shown below. When you click on the link contained in the mail, you are redirected to a website seeking you to download free Anti-Virus software.

Dear valued customers,

We are pleased to announce the newest version of Antivirus 2010 for Windows which will probe you with total security against the latest spyware, malware, viruses, Trojans and other online threats.

Simply visit the link below and enter your antivirus code:





or you may contact us at the following address:

Media Internet Consultants, Edif. Neptuno, Planta

Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a Panama

How will you determine if this is Real Anti-Virus or Fake Anti-Virus website?

121. Every company needs a formal written document which spells out to employees precisely what they are allowed to use the company's systems for, what is prohibited, and what will happen to them if they break the rules. Two printed copies of the policy should be given to every employee as soon as possible after they join the organization. The employee should be asked to sign one copy, which should be safely filed by the company. No one should be allowed to use the company's computer systems until they have signed the policy in acceptance of its terms.

What is this document called?

122. Take a look at the following attack on a Web Server using obstructed URL:





How would you protect from these attacks?

123. Which type of sniffing technique is generally referred as MiTM attack?

124. Switches maintain a CAM Table that maps individual MAC addresses on the network to physical ports on the switch.





In MAC flooding attack, a switch is fed with many Ethernet frames, each containing different source MAC addresses, by the attacker. Switches have a limited memory for mapping various MAC addresses to physical ports.

What happens when the CAM table becomes full?

125. You went to great lengths to install all the necessary technologies to prevent hacking attacks, such as expensive firewalls, antivirus software, anti-spam systems and intrusion detection/prevention tools in your company's network. You have configured the most secure policies and tightened every device on your network. You are confident that hackers will never be able to gain access to your network with complex security system in place.

Your peer, Peter Smith who works at the same department disagrees with you.

He says even the best network security technologies cannot prevent hackers gaining access to the network because of presence of "weakest link" in the security chain.

What is Peter Smith talking about?

126. How does a denial-of-service attack work?

127. You are trying to break into a highly classified top-secret mainframe computer with highest security system in place at Merclyn Barley Bank located in Los Angeles.

You know that conventional hacking doesn't work in this case, because organizations such as banks are generally tight and secure when it comes to protecting their systems.

In other words, you are trying to penetrate an otherwise impenetrable system.

How would you proceed?

128. This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes un-sanitized user-provided data.





What is this attack?

129. Which utility will tell you in real time which ports are listening or in another state?

130. During an Xmas scan what indicates a port is closed?

131. Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp’s lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824-861252104-501.

What needs to happen before Matthew has full administrator access?

132. An LDAP directory can be used to store information similar to a SQL database. LDAP uses a _____ database structure instead of SQL’s _____ structure. Because of this, LDAP has difficulty representing many-to-one relationships.

133. Elliot is in the process of exploiting a web application that uses SQL as a back-end database. He’s determined that the application is vulnerable to SQL injection, and has introduced conditional timing delays into injected queries to determine whether they are successful.

What type of SQL injection is Elliot most likely performing?

134. John is an incident handler at a financial institution. His steps in a recent incident are not up to the standards of the company. John frequently forgets some steps and procedures while handling responses as they are very stressful to perform.

Which of the following actions should John take to overcome this problem with the least administrative effort?

135. You are performing a penetration test for a client and have gained shell access to a Windows machine on the internal network.

You intend to retrieve all DNS records for the internal domain, if the DNS server is at 192.168.10.2 and the domain name is abccorp.local, what command would you type at the nslookup prompt to attempt a zone transfer?

136. OpenSSL on Linux servers includes a command line tool for testing TLS.

What is the name of the tool and the correct syntax to connect to a web server?

137. What is the purpose of DNS AAAA record?

138. Tremp is an IT Security Manager, and he is planning to deploy an IDS in his small company.

He is looking for an IDS with the following characteristics:

- Verifies success or failure of an attack

- Monitors system activities Detects attacks that a network-based IDS fails to detect

- Near real-time detection and response

- Does not require additional hardware

- Lower entry cost

Which type of IDS is best suited for Tremp's requirements?

139. What kind of detection techniques is being used in antivirus softwares that identifies malware by collecting data from multiple protected systems and instead of analyzing files locally it's made on the premiers environment-

140. Gavin owns a white-hat firm and is performing a website security audit for one of his clients. He begins by running a scan which looks for common misconfigurations and outdated software versions.

Which of the following tools is he most likely using?

141. Which of the following statements is FALSE with respect to Intrusion Detection Systems?

142. While scanning with Nmap, Patin found several hosts which have the IP ID of incremental sequences. He then decided to conduct: nmap -Pn -p- -si kiosk.adobe.com www.riaa.com. kiosk.adobe.com is the host with incremental IP ID sequence.

What is the purpose of using "-si" with Nmap?

143. Which command can be used to show the current TCP/IP connections?

144. You are analysing traffic on the network with Wireshark. You want to routinely run a cron job which will run the capture against a specific set of IPs - 192.168.8.0/24.

What command you would use?

145. You are tasked to configure the DHCP server to lease the last 100 usable IP addresses in subnet to. 1.4.0/23.

Which of the following IP addresses could be teased as a result of the new configuration?

146. You have successfully logged on a Linux system. You want to now cover your trade Your login attempt may be logged on several files located in /var/log.

Which file does NOT belongs to the list:

147. The tools which receive event logs from servers, network equipment, and applications, and perform analysis and correlation on those logs, and can generate alarms for security relevant issues, are known as what?

148. Email is transmitted across the Internet using the Simple Mail Transport Protocol. SMTP does not encrypt email, leaving the information in the message vulnerable to being read by an unauthorized person. SMTP can upgrade a connection between two mail servers to use TLS. Email transmitted by SMTP over TLS is encrypted.

What is the name of the command used by SMTP to transmit email over TLS?

149. Developers at your company are creating a web application which will be available for use by anyone on the Internet, the developers have taken the approach of implementing a Three-Tier Architecture for the web application.

The developers are now asking you which network should the Presentation Tier (front- end web server) be placed in?

150. Your business has decided to add credit card numbers to the data it backs up to tape.

Which of the following represents the best practice your business should observe?

151. What is the main security service a cryptographic hash provides?

152. A pen tester is configuring a Windows laptop for a test. In setting up Wireshark, what river and library are required to allow the NIC to work in promiscuous mode?

153. What is one of the advantages of using both symmetric and asymmetric cryptography in SSL/TLS?

154. When a security analyst prepares for the formal security assessment - what of the following should be done in order to determine inconsistencies in the secure assets database and verify that system is compliant to the minimum security baseline?

155. Why containers are less secure that virtual machines?

156. These hackers have limited or no training and know how to use only basic techniques or tools.

What kind of hackers are we talking about?

157. Bob, your senior colleague, has sent you a mail regarding a deal with one of the clients. You are requested to accept the offer and you oblige. After 2 days. Bob denies that he had ever sent a mail.

What do you want to ""know"" to prove yourself that it was Bob who had send a mail?

158. In the field of cryptanalysis, what is meant by a “rubber-hose" attack?

159. What type of analysis is performed when an attacker has partial knowledge of inner-workings of the application?

160. Which of the following steps for risk assessment methodology refers to vulnerability identification?

161. Log monitoring tools performing behavioral analysis have alerted several suspicious logins on a Linux server occurring during non-business hours. After further examination of all login activities, it is noticed that none of the logins have occurred during typical work hours. A Linux administrator who is investigating this problem realizes the system time on the Linux server is wrong by more than twelve hours.

What protocol used on Linux servers to synchronize the time has stopped working?

162. What is the minimum number of network connections in a multi homed firewall?

163. Which of the following DoS tools is used to attack target web applications by starvation of available sessions on the web server?

The tool keeps sessions at halt using never-ending POST transmissions and sending an arbitrarily large content-length header value.

164. During the process of encryption and decryption, what keys are shared?

165. You need a tool that can do network intrusion prevention and intrusion detection, function as a network sniffer, and record network activity, what tool would you most likely select?

166. How is the public key distributed in an orderly, controlled fashion so that the users can be sure of the sender’s identity?

167. The network team has well-established procedures to follow for creating new rules on the firewall. This includes having approval from a manager prior to implementing any new rules. While reviewing the firewall configuration, you notice a recently implemented rule but cannot locate manager approval for it.

What would be a good step to have in the procedures for a situation like this?

168. The Payment Card Industry Data Security Standard (PCI DSS) contains six different categories of control objectives. Each objective contains one or more requirements, which must be followed in order to achieve compliance.

Which of the following requirements would best fit under the objective, "Implement strong access control measures"?

169. Nedved is an IT Security Manager of a bank in his country. One day. he found out that there is a security breach to his company's email server based on analysis of a suspicious connection from the email server to an unknown IP Address.

What is the first thing that Nedved needs to do before contacting the incident response team?

170. Vlady works in a fishing company where the majority of the employees have very little understanding of IT let alone IT Security. Several information security issues that Vlady often found includes, employees sharing password, writing his/her password on a post it note and stick it to his/her desk, leaving the computer unlocked, didn’t log out from emails or other social media accounts, and etc.

After discussing with his boss, Vlady decided to make some changes to improve the security environment in his company. The first thing that Vlady wanted to do is to make the employees understand the importance of keeping confidential information, such as password, a secret and they should not share it with other persons.

Which of the following steps should be the first thing that Vlady should do to make the employees in his company understand to importance of keeping confidential information a secret?

171. A company's policy requires employees to perform file transfers using protocols which encrypt traffic. You suspect some employees are still performing file transfers using unencrypted protocols because the employees do not like changes. You have positioned a network sniffer to capture traffic from the laptops used by employees in the data ingest department.

Using Wire shark to examine the captured traffic, which command can be used as a display filter to find unencrypted file transfers?

172. DHCP snooping is a great solution to prevent rogue DHCP servers on your network.

Which security feature on switches leverages the DHCP snooping database to help prevent man-in-the-middle attacks?

173. Analyst is investigating proxy logs and found out that one of the internal user visited website storing suspicious Java scripts. After opening one of them, he noticed that it is very hard to understand the code and that all codes differ from the typical Java script.

What is the name of this technique to hide the code and extend analysis time?

174. What does the -oX flag do in an Nmap scan?

175. Company XYZ has asked you to assess the security of their perimeter email gateway. From your office in New York, you craft a specially formatted email message and send it across the Internet to an employee of Company XYZ. The employee of Company XYZ is aware of your test.

Your email message looks like this:

From: jim_miller@companyxyz.com

To: michelle_saunders@companyxyz.com

Subject: Test message

Date: 4/3/2017 14:37

The employee of Company XYZ receives your email message.

This proves that Company XYZ's email gateway doesn't prevent what?

176. Darius is analysing logs from IDS. He want to understand what have triggered one alert and verify if it's true positive or false positive.

Looking at the logs he copy and paste basic details like below:

source IP: 192.168.21.100

source port: 80

destination IP: 192.168.10.23

destination port: 63221

What is the most proper answer?

177. Darius is analysing IDS logs. During the investigation, he noticed that there was nothing suspicious found and an alert was triggered on normal web application traffic.

He can mark this alert as:

178. Trinity needs to scan all hosts on a /16 network for TCP port 445 only.

What is the fastest way she can accomplish this with Nmap? Stealth is not a concern.

179. You are working as a Security Analyst in a company XYZ that owns the whole subnet range of 23.0.0.0/8 and 192.168.0.0/8.

While monitoring the data, you find a high number of outbound connections. You see that IP’s owned by XYZ (Internal) and private IP’s are communicating to a Single Public IP. Therefore, the Internal IP’s are sending data to the Public IP.

After further analysis, you find out that this Public IP is a blacklisted IP, and the internal communicating devices are compromised.

What kind of attack does the above scenario depict?

180. A hacker is an intelligent individual with excellent computer skills and the ability to explore a computer's software and hardware without the owner’s permission. Their intention can either be to simply gain knowledge or to illegally make changes.

Which of the following class of hacker refers to an individual who works both offensively and defensively at various times?

181. Which of the below hashing functions are not recommended for use?

182. An unauthorized individual enters a building following an employee through the employee entrance after the lunch rush.

What type of breach has the individual just performed?

183. Which of the following is the best countermeasure to encrypting ransomwares?

184. If an attacker uses the command SELECT*FROM user WHERE name = ‘x’ AND userid IS NULL; --‘; which type of SQL injection attack is the attacker performing?

185. Which of the following options represents a conceptual characteristic of an anomaly-based IDS over a signature-based IDS?

186. Which of the following act requires employer’s standard national numbers to identify them on standard transactions?

187. In Wireshark, the packet bytes panes show the data of the current packet in which format?

188. Which of the following is considered as one of the most reliable forms of TCP scanning?

189. Which of the following scanning method splits the TCP header into several packets and makes it difficult for packet filters to detect the purpose of the packet?

190. What is the purpose of a demilitarized zone on a network?

191. You need to deploy a ned needs to be available on the Internet.

What is the recommended architecture in terms of server placement?

192. The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration in the router, nobody can access to the ftp, and the permitted hosts cannot access the Internet.

According to the next configuration, what is happening in the network?

193. When conducting a penetration test, it is crucial to use all means to get all available information about the target network. One of the ways to do that is by sniffing the network.

Which of the following cannot be performed by the passive network sniffing?

194. Insecure direct object reference is a type of vulnerability where the application does not verify if the user is authorized to access the internal object via its name or key.

Suppose a malicious user Rob tries to get access to the account of a benign user Ned.

Which of the following requests best illustrates an attempt to exploit an insecure direct object reference vulnerability?

195. What type of vulnerability/attack is it when the malicious person forces the user’s browser to send an authenticated request to a server?

196. From the following table, identify the wrong answer in terms of Range (ft).

197. What would you enter, if you wanted to perform a stealth scan using Nmap?

198. Steve, a scientist who works in a governmental security agency, developed a technological solution to identify people based on walking patterns and implemented this approach to a physical control access.

A camera captures people walking and identifies the individuals using Steve’s approach.

After that, people must approximate their RFID badges. Both the identifications are required to open the door.

In this case, we can say:

199. Which protocol is used for setting up secure channels between two devices, typically in VPNs?

200. Which of the following Secure Hashing Algorithm (SHA) produces a 160-bit digest from a message with a maximum length of (264-1) bits and resembles the MD5 algorithm?

201. Which of the following types of jailbreaking allows user-level access but does not allow iboot-level access?

202. Identify the web application attack where the attackers exploit vulnerabilities in dynamically generated web pages to inject client-side script into web pages viewed by other users.

203. You are attempting to run an Nmap port scan on a web server.

Which of the following commands would result in a scan of common ports with the least amount of noise in order to evade IDS?

204. Code injection is a form of attack in which a malicious user:

205. The collection of potentially actionable, overt, and publicly available information is known as

206. Which one of the following Google advanced search operators allows an attacker to restrict the results to those websites in the given domain?

207. Firewalls are the software or hardware systems that are able to control and monitor the traffic coming in and out the target network based on pre-defined set of rules.

Which of the following types of firewalls can protect against SQL injection attacks?

208. In which of the following cryptography attack methods, the attacker makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions?

209. Which of the following attacks exploits web age vulnerabilities that allow an attacker to force an unsuspecting user’s browser to send malicious requests they did not intend?

210. Which is the first step followed by Vulnerability Scanners for scanning a network?

211. Alice encrypts her data using her public key PK and stores the encrypted data in the cloud.

Which of the following attack scenarios will compromise the privacy of her data?

212. A hacker named Jack is trying to compromise a bank’s computer system. He needs to know the operating system of that computer to launch further attacks.

What process would help him?

213. Bob, a network administrator at BigUniversity, realized that some students are connecting their notebooks in the wired network to have Internet access. In the university campus, there are many Ethernet ports available for professors and authorized visitors but not for students.

He identified this when the IDS alerted for malware activities in the network.

What should Bob do to avoid this problem?

214. Which of the following Bluetooth hacking techniques does an attacker use to send messages to users without the recipient’s consent, similar to email spamming?

215. Which of the following program infects the system boot sector and the executable files at the same time?

216. You are a Penetration Tester and are assigned to scan a server. You need to use a scanning technique wherein the TCP Header is split into many packets so that it becomes difficult to detect what the packets are meant for.

Which of the below scanning technique will you use?

217. You perform a scan of your company’s network and discover that TCP port 123 is open.

What services by default run on TCP port 123?

218. Based on the below log, which of the following sentences are true?

Mar 1, 2016, 7:33:28 AM 10.240.250.23 C 54373 10.249.253.15 C 22 tcp_ip

219. DNS cache snooping is a process of determining if the specified resource address is present in the DNS cache records. It may be useful during the examination of the network to determine what software update resources are used, thus discovering what software is installed.

What command is used to determine if the entry is present in DNS cache?

220. Which of the following is an adaptive SQL Injection testing technique used to discover coding errors by inputting massive amounts of random data and observing the changes in the output?

221. Some clients of TPNQM SA were redirected to a malicious site when they tried to access the TPNQM main site. Bob, a system administrator at TPNQM SA, found that they were victims of DNS Cache Poisoning.

What should Bob recommend to deal with such a threat?

222. In which of the following password protection technique, random strings of characters are added to the password before calculating their hashes?

223. Which Nmap option would you use if you were not concerned about being detected and wanted to perform a very fast scan?

224. Which of the following provides a security professional with most information about the system’s security posture?

225. Chandler works as a pen-tester in an IT-firm in New York. As a part of detecting viruses in the systems, he uses a detection method where the anti-virus executes the malicious codes on a virtual machine to simulate CPU and memory activities.

Which type of virus detection method did Chandler use in this context?

226. An attacker scans a host with the below command.

Which three flags are set? (Choose three.)

#nmap CsX host.domain.com

227. Which component of IPsec performs protocol-level functions that are required to encrypt and decrypt the packets?

228. An attacker, using a rogue wireless AP, performed an MITM attack and injected an HTML code to embed a malicious applet in all HTTP connections.

When users accessed any page, the applet ran and exploited many machines.

Which one of the following tools the hacker probably used to inject HTML code?

229. You find that it is a CnC communication.

Which of the following solution will you suggest?

230. Security Policy is a definition of what it means to be secure for a system, organization or other entity. For Information Technologies, there are sub-policies like Computer Security Policy, Information Protection Policy, Information Security Policy, network Security Policy, Physical Security Policy, Remote Access Policy, and User Account Policy.

What is the main theme of the sub-policies for Information Technologies?

231. Which of the following antennas is commonly used in communications for a frequency band of 10 MHz to VHF and UHF?

232. Why should the security analyst disable/remove unnecessary ISAPI filters?

233. If you want only to scan fewer ports than the default scan using Nmap tool, which option would you use?

234. Which of the following statements is TRUE?

235. What is the least important information when you analyze a public IP address in a security alert?

236. You are the Network Admin, and you get a compliant that some of the websites are no longer accessible. You try to ping the servers and find them to be reachable. Then you type the IP address and then you try on the browser, and find it to be accessible. But they are not accessible when you try using the URL.

What may be the problem?

237. On performing a risk assessment, you need to determine the potential impacts when some of the critical business process of the company interrupt its service.

What is the name of the process by which you can determine those critical business?

238. Assume a business-crucial web-site of some company that is used to sell handsets to the customers worldwide. All the developed components are reviewed by the security team on a monthly basis. In order to drive business further, the web-site developers decided to add some 3rd party marketing tools on it. The tools are written in JavaScript and can track the customer’s activity on the site. These tools are located on the servers of the marketing company.

What is the main security risk associated with this scenario?

239. Bob finished a C programming course and created a small C application to monitor the network traffic and produce alerts when any origin sends “many” IP packets, based on the average number of packets sent by all origins and using some thresholds.

In concept, the solution developed by Bob is actually:

240. When tuning security alerts, what is the best approach?

241. You are a security officer of a company. You had an alert from IDS that indicates that one PC on your Intranet is connected to a blacklisted IP address (C2 Server) on the Internet. The IP address was blacklisted just before the alert. You are staring an investigation to roughly analyze the severity of the situation.

Which of the following is appropriate to analyze?