Massive Summer Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: netdisc

ECCouncil EC0-350 Ethical Hacking and Countermeasures V8 Exam Practice Test

Demo: 131 questions
Total 878 questions

Ethical Hacking and Countermeasures V8 Questions and Answers

Question 1

Which of the following problems can be solved by using Wireshark?

Options:

A.

Tracking version changes of source code

B.

Checking creation dates on all webpages on a server

C.

Resetting the administrator password on multiple systems

D.

Troubleshooting communication resets between two systems

Question 2

Which of the following programs is usually targeted at Microsoft Office products?

Options:

A.

Polymorphic virus

B.

Multipart virus

C.

Macro virus

D.

Stealth virus

Question 3

Which command line switch would be used in NMAP to perform operating system detection?

Options:

A.

-OS

B.

-sO

C.

-sP

D.

-O

Question 4

Which of the following is an example of two factor authentication?

Options:

A.

PIN Number and Birth Date

B.

Username and Password

C.

Digital Certificate and Hardware Token

D.

Fingerprint and Smartcard ID

Question 5

Which method can provide a better return on IT security investment and provide a thorough and comprehensive assessment of organizational security covering policy, procedure design, and implementation?

Options:

A.

Penetration testing

B.

Social engineering

C.

Vulnerability scanning

D.

Access control list reviews

Question 6

A penetration tester is conducting a port scan on a specific host. The tester found several ports opened that were confusing in concluding the Operating System (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS?

Starting NMAP 5.21 at 2011-03-15 11:06

NMAP scan report for 172.16.40.65

Host is up (1.00s latency).

Not shown: 993 closed ports

PORT STATE SERVICE

21/tcp open ftp

23/tcp open telnet

80/tcp open http

139/tcp open netbios-ssn

515/tcp open

631/tcp open  ipp

9100/tcp open

MAC Address: 00:00:48:0D:EE:89

Options:

A.

The host is likely a Windows machine.

B.

The host is likely a Linux machine.

C.

The host is likely a router.

D.

The host is likely a printer.

Question 7

A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash.  The technician researches the bug and discovers that no one else experienced the problem.  What is the appropriate next step?

Options:

A.

Ignore the problem completely and let someone else deal with it.

B.

Create a document that will crash the computer when opened and send it to friends.

C.

Find an underground bulletin board and attempt to sell the bug to the highest bidder.

D.

Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.

Question 8

Which of the following processes of PKI (Public Key Infrastructure) ensures that a trust relationship exists and that a certificate is still valid for specific operations?

Options:

A.

Certificate issuance

B.

Certificate validation

C.

Certificate cryptography

D.

Certificate revocation

Question 9

Which of the following is an example of an asymmetric encryption implementation?

Options:

A.

SHA1

B.

PGP

C.

3DES

D.

MD5

Question 10

There is a WEP encrypted wireless access point (AP) with no clients connected. In order to crack the WEP key, a fake authentication needs to be performed. What information is needed when performing fake authentication to an AP? (Choose two.)

Options:

A.

The IP address of the AP

B.

The MAC address of the AP

C.

The SSID of the wireless network

D.

A failed authentication packet

Question 11

When using Wireshark to acquire packet capture on a network, which device would enable the capture of all traffic on the wire?

Options:

A.

Network tap

B.

Layer 3 switch

C.

Network bridge

D.

Application firewall

Question 12

A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over ports 20 and 21. During analysis, there were no signs of attack on the FTP servers. How should the administrator classify this situation?

Options:

A.

True negatives

B.

False negatives

C.

True positives

D.

False positives

Question 13

Which of the following is an advantage of utilizing security testing methodologies to conduct a security audit?

Options:

A.

They provide a repeatable framework.

B.

Anyone can run the command line scripts.

C.

They are available at low cost.

D.

They are subject to government regulation.

Question 14

Which of the following guidelines or standards is associated with the credit card industry?

Options:

A.

Control Objectives for Information and Related Technology (COBIT)

B.

Sarbanes-Oxley Act (SOX)

C.

Health Insurance Portability and Accountability Act (HIPAA)

D.

Payment Card Industry Data Security Standards (PCI DSS)

Question 15

What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes the received response?

Options:

A.

 Passive

B.

 Reflective

C.

Active

D.

Distributive

Question 16

Which NMAP command combination would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection?

Options:

A.

NMAP -PN -A -O -sS 192.168.2.0/24

B.

NMAP -P0 -A -O -p1-65535 192.168.0/24

C.

NMAP -P0 -A -sT -p0-65535 192.168.0/16

D.

NMAP -PN -O -sS -p 1-1024 192.168.0/8

Question 17

An attacker has captured a target file that is encrypted with public key cryptography. Which of the attacks below is likely to be used to crack the target file?

Options:

A.

Timing attack

B.

Replay attack

C.

Memory trade-off attack

D.

Chosen plain-text attack

Question 18

Which set of access control solutions implements two-factor authentication?

Options:

A.

USB token and PIN

B.

Fingerprint scanner and retina scanner

C.

Password and PIN

D.

Account and password

Question 19

A consultant is hired to do physical penetration testing at a large financial company. In the first day of his assessment, the consultant goes to the company`s building dressed like an electrician and waits in the lobby for an employee to pass through the main access gate, then the consultant follows the employee behind to get into the restricted area. Which type of attack did the consultant perform?

Options:

A.

Man trap

B.

Tailgating

C.

Shoulder surfing

D.

Social engineering

Question 20

An NMAP scan of a server shows port 25 is open.  What risk could this pose?

Options:

A.

Open printer sharing

B.

Web portal data leak

C.

Clear text authentication

D.

Active mail relay

Question 21

What is the primary drawback to using advanced encryption standard (AES) algorithm with a 256 bit key to share sensitive data?

Options:

A.

Due to the key size, the time it will take to encrypt and decrypt the message hinders efficient communication.

B.

To get messaging programs to function with this algorithm requires complex configurations.

C.

It has been proven to be a weak cipher; therefore, should not be trusted to protect sensitive data.

D.

It is a symmetric key algorithm, meaning each recipient must receive the key through a different channel than the message.

Question 22

Which of the following is a preventive control?

Options:

A.

Smart card authentication

B.

Security policy

C.

Audit trail

D.

Continuity of operations plan

Question 23

What is the best defense against privilege escalation vulnerability?

Options:

A.

Patch systems regularly and upgrade interactive login privileges at the system administrator level.

B.

Run administrator and applications on least privileges and use a content registry for tracking.

C.

Run services with least privileged accounts and implement multi-factor authentication and authorization.

D.

Review user roles and administrator privileges for maximum utilization of automation services.

Question 24

What are common signs that a system has been compromised or hacked? (Choose three.)

Options:

A.

Increased amount of failed logon events

B.

Patterns in time gaps in system and/or event logs

C.

New user accounts created

D.

Consistency in usage baselines

E.

Partitions are encrypted

F.

Server hard drives become fragmented

Question 25

Which of the following is a component of a risk assessment?

Options:

A.

Physical security

B.

Administrative safeguards

C.

DMZ

D.

Logical interface

Question 26

Which of the following tools would be the best choice for achieving compliance with PCI Requirement 11?

Options:

A.

Truecrypt

B.

Sub7

C.

Nessus

D.

Clamwin

Question 27

A large company intends to use Blackberry for corporate mobile phones and a security analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking attack method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the corporate network. What tool should the analyst use to perform a Blackjacking attack?

Options:

A.

Paros Proxy

B.

BBProxy

C.

BBCrack

D.

Blooover

Question 28

An organization hires a tester to do a wireless penetration test. Previous reports indicate that the last test did not contain management or control packets in the submitted traces. Which of the following is the most likely reason for lack of management or control packets?

Options:

A.

The wireless card was not turned on.

B.

The wrong network card drivers were in use by Wireshark.

C.

On Linux and Mac OS X, only 802.11 headers are received in promiscuous mode.

D.

Certain operating systems and adapters do not collect the management or control packets.

Question 29

Which of the following network attacks takes advantage of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack?

Options:

A.

Teardrop

B.

SYN flood

C.

Smurf attack

D.

Ping of death

Question 30

A penetration tester is hired to do a risk assessment of a company's DMZ.  The rules of engagement states that the penetration test be done from an external IP address with no prior knowledge of the internal IT systems.  What kind of test is being performed?

Options:

A.

white box

B.

grey box

C.

red box

D.

black box

Question 31

Which system consists of a publicly available set of databases that contain domain name registration contact information?

Options:

A.

WHOIS

B.

IANA 

C.

CAPTCHA

D.

IETF

Question 32

Which statement is TRUE regarding network firewalls preventing Web Application attacks?

Options:

A.

Network firewalls can prevent attacks because they can detect malicious HTTP traffic.

B.

Network firewalls cannot prevent attacks because ports 80 and 443 must be opened.

C.

Network firewalls can prevent attacks if they are properly configured.

D.

Network firewalls cannot prevent attacks because they are too complex to configure.

Question 33

Which of the following open source tools would be the best choice to scan a network for potential targets?

Options:

A.

NMAP

B.

NIKTO

C.

CAIN

D.

John the Ripper

Question 34

Which of the following techniques will identify if computer files have been changed?

Options:

A.

Network sniffing

B.

Permission sets

C.

Integrity checking hashes

D.

Firewall alerts

Question 35

Jacob is looking through a traffic log that was captured using Wireshark. Jacob has come across what appears to be SYN requests to an internal computer from a spoofed IP address. What is Jacob seeing here?

Options:

A.

Jacob is seeing a Smurf attack.

B.

Jacob is seeing a SYN flood.

C.

He is seeing a SYN/ACK attack.

D.

He has found evidence of an ACK flood.

Question 36

Which of the following are password cracking tools? (Choose three.)

Options:

A.

BTCrack

B.

John the Ripper

C.

KerbCrack

D.

Nikto

E.

Cain and Abel

F.

Havij

Question 37

A company has made the decision to host their own email and basic web services. The administrator needs to set up the external firewall to limit what protocols should be allowed to get to the public part of the company's network. Which ports should the administrator open? (Choose three.)

Options:

A.

Port 22

B.

Port 23

C.

Port 25

D.

Port 53

E.

Port 80

F.

Port 139

G.

Port 445

Question 38

When utilizing technical assessment methods to assess the security posture of a network, which of the following techniques would be most effective in determining whether end-user security training would be beneficial?

Options:

A.

Vulnerability scanning

B.

Social engineering

C.

Application security testing

D.

Network sniffing

Question 39

Which of the following describes a component of Public Key Infrastructure (PKI) where a copy of a private key is stored to provide third-party access and to facilitate recovery operations?

Options:

A.

Key registry

B.

Recovery agent

C.

Directory

D.

Key escrow

Question 40

What is the main disadvantage of the scripting languages as opposed to compiled programming languages?

Options:

A.

Scripting languages are hard to learn.

B.

Scripting languages are not object-oriented.

C.

Scripting languages cannot be used to create graphical user interfaces.

D.

Scripting languages are slower because they require an interpreter to run the code.

Question 41

When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following?

Options:

A.

Drops the packet and moves on to the next one

B.

Continues to evaluate the packet until all rules are checked

C.

Stops checking rules, sends an alert, and lets the packet continue

D.

Blocks the connection with the source IP address in the packet

Question 42

Least privilege is a security concept that requires that a user is

Options:

A.

limited to those functions required to do the job.

B.

given root or administrative privileges.

C.

trusted to keep all data and access to that data under their sole control.

D.

given privileges equal to everyone else in the department.

Question 43

Jane wishes to forward X-Windows traffic to a remote host as well as POP3 traffic. She is worried that adversaries might be monitoring the communication link and could inspect captured traffic. She would like to tunnel the information to the remote end but does not have VPN capabilities to do so. Which of the following tools can she use to protect the link?

Options:

A.

MD5

B.

PGP

C.

RSA

D.

SSH

Question 44

SOAP services use which technology to format information?

Options:

A.

SATA

B.

PCI

C.

XML

D.

ISDN

Question 45

What is the main reason the use of a stored biometric is vulnerable to an attack?

Options:

A.

The digital representation of the biometric might not be unique, even if the physical characteristic is unique.

B.

Authentication using a stored biometric compares a copy to a copy instead of the original to a copy.

C.

A stored biometric is no longer "something you are" and instead becomes "something you have".

D.

A stored biometric can be stolen and used by an attacker to impersonate the individual identified by the biometric.

Question 46

Blane is a security analyst for a law firm. One of the lawyers needs to send out an email to a client but he wants to know if the email is forwarded on to any other recipients. The client is explicitly asked not to re-send the email since that would be a violation of the lawyer's and client's agreement for this particular case. What can Blane use to accomplish this?

Options:

A.

He can use a split-DNS service to ensure the email is not forwarded on.

B.

A service such as HTTrack would accomplish this.

C.

Blane could use MetaGoofil tracking tool.

D.

Blane can use a service such as ReadNotify tracking tool.

Question 47

An attacker sniffs encrypted traffic from the network and is subsequently able to decrypt it. The attacker can now use which cryptanalytic technique to attempt to discover the encryption key?

Options:

A.

Birthday attack

B.

Plaintext attack

C.

Meet in the middle attack

D.

Chosen ciphertext attack

Question 48

A majority of attacks come from insiders, people who have direct access to a company's computer system as part of their job function or a business relationship. Who is considered an insider?

Options:

A.

A competitor to the company because they can directly benefit from the publicity generated by making such an attack

B.

Disgruntled employee, customers, suppliers, vendors, business partners, contractors, temps, and consultants

C.

The CEO of the company because he has access to all of the computer systems

D.

A government agency since they know the company's computer system strengths and weaknesses

Question 49

Which of the following can take an arbitrary length of input and produce a message digest output of 160 bit?

Options:

A.

SHA-1

B.

MD5

C.

HAVAL

D.

MD4

Question 50

Which type of antenna is used in wireless communication?

Options:

A.

Omnidirectional

B.

Parabolic

C.

Uni-directional

D.

Bi-directional

Question 51

Which of the following is a common Service Oriented Architecture (SOA) vulnerability?

Options:

A.

Cross-site scripting

B.

SQL injection

C.

VPath injection

D.

XML denial of service issues

Question 52

Which of the following steganography utilities exploits the nature of white space and allows the user to conceal information in these white spaces?

Options:

A.

Image Hide

B.

Snow

C.

Gif-It-Up

D.

NiceText

Question 53

You work for Acme Corporation as Sales Manager. The company has tight network security restrictions. You are trying to steal data from the company's Sales database (Sales.xls) and transfer them to your home computer. Your company filters and monitors traffic that leaves from the internal network to the Internet. How will you achieve this without raising suspicion?

Options:

A.

Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account

B.

Package the Sales.xls using Trojan wrappers and telnet them back your home computer

C.

You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent looking email or file transfer using Steganography techniques

D.

Change the extension of Sales.xls to sales.txt and upload them as attachment to your hotmail account

Question 54

While testing web applications, you attempt to insert the following test script into the search area on the company's web site:

Later, when you press the search button, a pop up box appears on your screen with the text "Testing Testing Testing". What vulnerability is detected in the web application here?

Options:

A.

Cross Site Scripting

B.

Password attacks

C.

A Buffer Overflow

D.

A hybrid attack

Question 55

You are footprinting an organization and gathering competitive intelligence. You visit the company's website for contact information and telephone numbers but do not find them listed there. You know they had the entire staff directory listed on their website 12 months ago but now it is not there. Is there any way you can retrieve information from a website that is outdated?

Options:

A.

Visit Google's search engine and view the cached copy

B.

Crawl the entire website and store them into your computer

C.

Visit Archive.org web site to retrieve the Internet archive of the company's website

D.

Visit the company's partners and customers website for this information

Question 56

You receive an e-mail like the one shown below. When you click on the link contained in the mail, you are redirected to a website seeking you to download free Anti-Virus software.

Dear valued customers,

We are pleased to announce the newest version of Antivirus 2010 for Windows which will probe you with total security against the latest spyware, malware, viruses, Trojans and other online threats. Simply visit the link below and enter your antivirus code:

Antivirus code: 5014

http://www.juggyboy/virus/virus.html

Thank you for choosing us, the worldwide leader Antivirus solutions.

Mike Robertson

PDF Reader Support

Copyright Antivirus 2010 ?All rights reserved

If you want to stop receiving mail, please go to:

http://www.juggyboy.com

or you may contact us at the following address: Media Internet Consultants, Edif. Neptuno, Planta Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a Panama

How will you determine if this is Real Anti-Virus or Fake Anti-Virus website?

Options:

A.

Look at the website design, if it looks professional then it is a Real Anti-Virus website

B.

Connect to the site using SSL, if you are successful then the website is genuine

C.

Search using the URL and Anti-Virus product name into Google and lookout for suspicious warnings against this site

D.

Download and install Anti-Virus software from this suspicious looking site, your Windows 7 will prompt you and stop the installation if the downloaded file is a malware

E.

Download and install Anti-Virus software from this suspicious looking site, your Windows 7 will prompt you and stop the installation if the downloaded file is a malware

Question 57

Steve scans the network for SNMP enabled devices. Which port number Steve should scan?

Options:

A.

150

B.

161

C.

169

D.

69

Question 58

Finding tools to run dictionary and brute forcing attacks against FTP and Web servers is an easy task for hackers. They use tools such as arhontus or brutus to break into remote servers.

A command such as this, will attack a given 10.0.0.34 FTP and Telnet servers simultaneously with a list of passwords and a single login namE. linksys. Many FTP-specific password-guessing tools are also available from major security sites.

What defensive measures will you take to protect your network from these attacks?

Options:

A.

Never leave a default password

B.

Never use a password that can be found in a dictionary

C.

Never use a password related to your hobbies, pets, relatives, or date of birth.

D.

Use a word that has more than 21 characters from a dictionary as the password

E.

Never use a password related to the hostname, domain name, or anything else that can be found with whois

Question 59

This method is used to determine the Operating system and version running on a remote target system. What is it called?

Options:

A.

Service Degradation

B.

OS Fingerprinting

C.

Manual Target System

D.

Identification Scanning

Question 60

John the hacker is sniffing the network to inject ARP packets. He injects broadcast frames onto the wire to conduct MiTM attack. What is the destination MAC address of a broadcast frame?

Options:

A.

0xFFFFFFFFFFFF

B.

0xDDDDDDDDDDDD

C.

0xAAAAAAAAAAAA

D.

0xBBBBBBBBBBBB

Question 61

Jason is the network administrator of Spears Technology. He has enabled SNORT IDS to detect attacks going through his network. He receives Snort SMS alerts on his iPhone whenever there is an attempted intrusion to his network.

He receives the following SMS message during the weekend.

An attacker Chew Siew sitting in Beijing, China had just launched a remote scan on Jason's network with the hping command.

Which of the following hping2 command is responsible for the above snort alert?

Options:

A.

chenrocks:/home/siew # hping -S -R -P -A -F -U 192.168.2.56 -p 22 -c 5 -t 118

B.

chenrocks:/home/siew # hping -F -Q -J -A -C -W 192.168.2.56 -p 22 -c 5 -t 118

C.

chenrocks:/home/siew # hping -D -V -R -S -Z -Y 192.168.2.56 -p 22 -c 5 -t 118

D.

chenrocks:/home/siew # hping -G -T -H -S -L -W 192.168.2.56 -p 22 -c 5 -t 118

Question 62

In which location, SAM hash passwords are stored in Windows 7?

Options:

A.

c:\windows\system32\config\SAM

B.

c:\winnt\system32\machine\SAM

C.

c:\windows\etc\drivers\SAM

D.

c:\windows\config\etc\SAM

Question 63

Blane is a network security analyst for his company. From an outside IP, Blane performs an XMAS scan using Nmap. Almost every port scanned does not illicit a response. What can he infer from this kind of response?

Options:

A.

These ports are open because they do not illicit a response.

B.

He can tell that these ports are in stealth mode.

C.

If a port does not respond to an XMAS scan using NMAP, that port is closed.

D.

The scan was not performed correctly using NMAP since all ports, no matter what their state, will illicit some sort of response from an XMAS scan.

Question 64

This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes un-sanitized user-provided data.

http://foobar.com/index.html?id=%3Cscript%20src=%22http://baddomain.com/badscript.js%22%3E%3C/script%3E ">See foobar

What is this attack?

Options:

A.

Cross-site-scripting attack

B.

SQL Injection

C.

URL Traversal attack

D.

Buffer Overflow attack

Question 65

TCP packets transmitted in either direction after the initial three-way handshake will have which of the following bit set?

Options:

A.

SYN flag

B.

ACK flag

C.

FIN flag

D.

XMAS flag

Question 66

Bob has been hired to do a web application security test. Bob notices that the site is dynamic and must make use of a back end database. Bob wants to see if SQL Injection would be possible. What is the first character that Bob should use to attempt breaking valid SQL request?

Options:

A.

Semi Column

B.

Double Quote

C.

Single Quote

D.

Exclamation Mark

Question 67

William has received a Chess game from someone in his computer programming class through email. William does not really know the person who sent the game very well, but decides to install the game anyway because he really likes Chess.

After William installs the game, he plays it for a couple of hours. The next day, William plays the Chess game again and notices that his machine has begun to slow down. He brings up his Task Manager and sees the following programs running:

What has William just installed?

Options:

A.

Zombie Zapper (ZoZ)

B.

Remote Access Trojan (RAT)

C.

Bot IRC Tunnel (BIT)

D.

Root Digger (RD)

Question 68

In which step Steganography fits in CEH System Hacking Cycle (SHC)

Options:

A.

Step 2: Crack the password

B.

Step 1: Enumerate users

C.

Step 3: Escalate privileges

D.

Step 4: Execute applications

E.

Step 5: Hide files

F.

Step 6: Cover your tracks

Question 69

A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging in.

What do you think is the most likely reason behind this?

Options:

A.

There is a NIDS present on that segment.

B.

Kerberos is preventing it.

C.

Windows logons cannot be sniffed.

D.

L0phtcrack only sniffs logons to web servers.

Question 70

Erik notices a big increase in UDP packets sent to port 1026 and 1027 occasionally. He enters the following at the command prompt.

$ nc -l -p 1026 -u -v

In response, he sees the following message.

cell(?(c)????STOPALERT77STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.

Windows has found 47 Critical Errors.

To fix the errors please do the following:

1. Download Registry Repair from: www.reg-patch.com

2. Install Registry Repair

3. Run Registry Repair

4. Reboot your computer

FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!

What would you infer from this alert?

Options:

A.

The machine is redirecting traffic to www.reg-patch.com using adware

B.

It is a genuine fault of windows registry and the registry needs to be backed up

C.

An attacker has compromised the machine and backdoored ports 1026 and 1027

D.

It is a messenger spam. Windows creates a listener on one of the low dynamic ports from 1026 to 1029 and the message usually promotes malware disguised as legitimate utilities

Question 71

You are a Administrator of Windows server. You want to find the port number for POP3. What file would you find the information in and where?

Select the best answer.

Options:

A.

%windir%\\etc\\services

B.

system32\\drivers\\etc\\services

C.

%windir%\\system32\\drivers\\etc\\services

D.

/etc/services

E.

%windir%/system32/drivers/etc/services

Question 72

Susan has attached to her company’s network. She has managed to synchronize her boss’s sessions with that of the file server. She then intercepted his traffic destined for the server, changed it the way she wanted to and then placed it on the server in his home directory. What kind of attack is Susan carrying on?

Options:

A.

A sniffing attack

B.

A spoofing attack

C.

A man in the middle attack

D.

A denial of service attack

Question 73

In the following example, which of these is the "exploit"?

Today, Microsoft Corporation released a security notice. It detailed how a person could bring down the Windows 2003 Server operating system, by sending malformed packets to it. They detailed how this malicious process had been automated using basic scripting. Even worse, the new automated method for bringing down the server has already been used to perform denial of service attacks on many large commercial websites.

Select the best answer.

Options:

A.

Microsoft Corporation is the exploit.

B.

The security "hole" in the product is the exploit.

C.

Windows 2003 Server

D.

The exploit is the hacker that would use this vulnerability.

E.

The documented method of how to use the vulnerability to gain unprivileged access.

Question 74

What hacking attack is challenge/response authentication used to prevent?

Options:

A.

Replay attacks

B.

Scanning attacks

C.

Session hijacking attacks

D.

Password cracking attacks

Question 75

Peter, a Network Administrator, has come to you looking for advice on a tool that would help him perform SNMP enquires over the network. Which of these tools would do the SNMP enumeration he is looking for?

Select the best answers.

Options:

A.

SNMPUtil

B.

SNScan

C.

SNMPScan

D.

Solarwinds IP Network Browser

E.

NMap

Question 76

What is the goal of a Denial of Service Attack?

Options:

A.

Capture files from a remote computer.

B.

Render a network or computer incapable of providing normal service.

C.

Exploit a weakness in the TCP stack.

D.

Execute service at PS 1009.

Question 77

What is GINA?

Options:

A.

Gateway Interface Network Application

B.

GUI Installed Network Application CLASS

C.

Global Internet National Authority (G-USA)

D.

Graphical Identification and Authentication DLL

Question 78

Tess King is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records (delegation for child Domains), zone serial number, TimeToLive (TTL) records, etc) for a Domain. What do you think Tess King is trying to accomplish? Select the best answer.

Options:

A.

A zone harvesting

B.

A zone transfer

C.

A zone update

D.

A zone estimate

Question 79

Attackers can potentially intercept and modify unsigned SMB packets, modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after a legitimate authentication and gain unauthorized access to data. Which of the following is NOT a means that can be used to minimize or protect against such an attack?

Options:

A.

Timestamps

B.

SMB Signing

C.

File permissions

D.

Sequence numbers monitoring

Question 80

You have the SOA presented below in your Zone. Your secondary servers have not been able to contact your primary server to synchronize information. How long will the secondary servers attempt to contact the primary server before it considers that zone is dead and stops responding to queries?

collegae.edu.SOA, cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600)

Options:

A.

One day

B.

One hour

C.

One week

D.

One month

Question 81

What does the following command in netcat do?

nc -l -u -p55555 < /etc/passwd

Options:

A.

logs the incoming connections to /etc/passwd file

B.

loads the /etc/passwd file to the UDP port 55555

C.

grabs the /etc/passwd file when connected to UDP port 55555

D.

deletes the /etc/passwd file when connected to the UDP port 55555

Question 82

E-mail scams and mail fraud are regulated by which of the following?

Options:

A.

18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers

B.

18 U.S.C. par. 1029 Fraud and Related activity in connection with Access Devices

C.

18 U.S.C. par. 1362 Communication Lines, Stations, or Systems

D.

18 U.S.C. par. 2510 Wire and Electronic Communications Interception and Interception of Oral Communication

Question 83

In the context of password security, a simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is. The brute force method is the most inclusive, although slow. It usually tries every possible letter and number combination in its automated exploration.

If you would use both brute force and dictionary methods combined together to have variation of words, what would you call such an attack?

Options:

A.

Full Blown

B.

Thorough

C.

Hybrid

D.

BruteDics

Question 84

Which tool/utility can help you extract the application layer data from each TCP connection from a log file into separate files?

Options:

A.

Snort

B.

argus

C.

TCPflow

D.

Tcpdump

Question 85

What tool can crack Windows SMB passwords simply by listening to network traffic?

Select the best answer.

Options:

A.

This is not possible

B.

Netbus

C.

NTFSDOS

D.

L0phtcrack

Question 86

WinDump is a popular sniffer which results from the porting to Windows of TcpDump for Linux. What library does it use?

Options:

A.

LibPcap

B.

WinPcap

C.

Wincap

D.

None of the above

Question 87

While examining a log report you find out that an intrusion has been attempted by a machine whose IP address is displayed as 0xde.0xad.0xbe.0xef. It looks to you like a hexadecimal number. You perform a ping 0xde.0xad.0xbe.0xef. Which of the following IP addresses will respond to the ping and hence will likely be responsible for the intrusion?

Options:

A.

192.10.25.9

B.

10.0.3.4

C.

203.20.4.5

D.

222.273.290.239

Question 88

Bart is looking for a Windows NT/2000/XP command-line tool that can be used to assign, display, or modify ACL’s (access control lists) to files or folders and also one that can be used within batch files.

Which of the following tools can be used for that purpose? (Choose the best answer)

Options:

A.

PERM.exe

B.

CACLS.exe

C.

CLACS.exe

D.

NTPERM.exe

Question 89

What is a primary advantage a hacker gains by using encryption or programs such as Loki?

Options:

A.

It allows an easy way to gain administrator rights

B.

It is effective against Windows computers

C.

It slows down the effective response of an IDS

D.

IDS systems are unable to decrypt it

E.

Traffic will not be modified in transit

Question 90

Exhibit:

Given the following extract from the snort log on a honeypot, what service is being exploited? :

Options:

A.

FTP

B.

SSH

C.

Telnet

D.

SMTP

Question 91

During the intelligence gathering phase of a penetration test, you come across a press release by a security products vendor stating that they have signed a multi-million dollar agreement with the company you are targeting. The contract was for vulnerability assessment tools and network based IDS systems. While researching on that particular brand of IDS you notice that its default installation allows it to perform sniffing and attack analysis on one NIC and caters to its management and reporting on another NIC. The sniffing interface is completely unbound from the TCP/IP stack by default. Assuming the defaults were used, how can you detect these sniffing interfaces?

Options:

A.

Use a ping flood against the IP of the sniffing NIC and look for latency in the responses.

B.

Send your attack traffic and look for it to be dropped by the IDS.

C.

Set your IP to that of the IDS and look for it as it attempts to knock your computer off the network.

D.

The sniffing interface cannot be detected.

Question 92

What are the three phases involved in security testing?

Options:

A.

Reconnaissance, Conduct, Report

B.

Reconnaissance, Scanning, Conclusion

C.

Preparation, Conduct, Conclusion

D.

Preparation, Conduct, Billing

Question 93

Jim is having no luck performing a penetration test in XYZ’s network. He is running the tests from home and has downloaded every security scanner that he could lay his hands on. Despite knowing the IP range of all the systems, and the exact network configuration, Jim is unable to get any useful results.

Why is Jim having these problems?

Options:

A.

Security scanners are not designed to do testing through a firewall.

B.

Security scanners cannot perform vulnerability linkage.

C.

Security scanners are only as smart as their database and cannot find unpublished vulnerabilities.

D.

All of the above.

Question 94

Symmetric encryption algorithms are known to be fast but present great challenges on the key management side. Asymmetric encryption algorithms are slow but allow communication with a remote host without having to transfer a key out of band or in person. If we combine the strength of both crypto systems where we use the symmetric algorithm to encrypt the bulk of the data and then use the asymmetric encryption system to encrypt the symmetric key, what would this type of usage be known as?

Options:

A.

Symmetric system

B.

Combined system

C.

Hybrid system

D.

Asymmetric system

Question 95

Exhibit:

Given the following extract from the snort log on a honeypot, what do you infer from the attack?

Options:

A.

A new port was opened

B.

A new user id was created

C.

The exploit was successful

D.

The exploit was not successful

Question 96

Which of the following is not an effective countermeasure against replay attacks?

Options:

A.

Digital signatures

B.

Time Stamps

C.

System identification

D.

Sequence numbers

Question 97

Which of the following is most effective against passwords?

Select the Answer:

Options:

A.

Dictionary Attack

B.

BruteForce attack

C.

Targeted Attack

D.

Manual password Attack

Question 98

If you send a SYN to an open port, what is the correct response?(Choose all correct answers.

Options:

A.

SYN

B.

ACK

C.

FIN

D.

PSH

Question 99

What type of cookies can be generated while visiting different web sites on the Internet?

Options:

A.

Permanent and long term cookies.

B.

Session and permanent cookies.

C.

Session and external cookies.

D.

Cookies are all the same, there is no such thing as different type of cookies.

Question 100

Windump is the windows port of the famous TCPDump packet sniffer available on a variety of platforms. In order to use this tool on the Windows platform you must install a packet capture library.

What is the name of this library?

Options:

A.

NTPCAP

B.

LibPCAP

C.

WinPCAP

D.

PCAP

Question 101

You want to carry out session hijacking on a remote server. The server and the client are communicating via TCP after a successful TCP three way handshake. The server has just received packet #120 from the client. The client has a receive window of 200 and the server has a receive window of 250.

Within what range of sequence numbers should a packet, sent by the client fall in order to be accepted by the server?

Options:

A.

200-250

B.

121-371

C.

120-321

D.

121-231

E.

120-370

Question 102

What do you conclude from the nmap results below?

Staring nmap V. 3.10ALPHA0 (www.insecure.org/map/)

(The 1592 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

25/tcp open smtp

80/tcp open http

443/tcp open https

Remote operating system guess: Too many signatures match the reliability guess the OS. Nmap run completed – 1 IP address (1 host up) scanned in 91.66 seconds

Options:

A.

The system is a Windows Domain Controller.

B.

The system is not firewalled.

C.

The system is not running Linux or Solaris.

D.

The system is not properly patched.

Question 103

John has scanned the web server with NMAP. However, he could not gather enough information to help him identify the operating system running on the remote host accurately.

What would you suggest to John to help identify the OS that is being used on the remote web server?

Options:

A.

Connect to the web server with a browser and look at the web page.

B.

Connect to the web server with an FTP client.

C.

Telnet to port 8080 on the web server and look at the default page code.

D.

Telnet to an open port and grab the banner.

Question 104

Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up by and IDS?

Options:

A.

SYN scan

B.

ACK scan

C.

RST scan

D.

Connect scan

E.

FIN scan

Question 105

You are conducting a port scan on a subnet that has ICMP blocked. You have discovered 23 live systems and after scanning each of them you notice that they all show port 21 in closed state.

What should be the next logical step that should be performed?

Options:

A.

Connect to open ports to discover applications.

B.

Perform a ping sweep to identify any additional systems that might be up.

C.

Perform a SYN scan on port 21 to identify any additional systems that might be up.

D.

Rescan every computer to verify the results.

Question 106

Ann would like to perform a reliable scan against a remote target. She is not concerned about being stealth at this point.

Which of the following type of scans would be the most accurate and reliable option?

Options:

A.

A half-scan

B.

A UDP scan

C.

A TCP Connect scan

D.

A FIN scan

Question 107

Study the log below and identify the scan type.

Options:

A.

nmap -sR 192.168.1.10

B.

nmap -sS 192.168.1.10

C.

nmap -sV 192.168.1.10

D.

nmap -sO -T 192.168.1.10

Question 108

Bob has been hired to perform a penetration test on XYZ.com. He begins by looking at IP address ranges owned by the company and details of domain name registration. He then goes to News Groups and financial web sites to see if they are leaking any sensitive information of have any technical details online.

Within the context of penetration testing methodology, what phase is Bob involved with?

Options:

A.

Passive information gathering

B.

Active information gathering

C.

Attack phase

D.

Vulnerability Mapping

Question 109

Paul has just finished setting up his wireless network. He has enabled numerous security features such as changing the default SSID, enabling WPA encryption, and enabling MAC filtering on his wireless router. Paul notices that when he uses his wireless connection, the speed is sometimes 54 Mbps and sometimes it is only 24Mbps or less. Paul connects to his wireless router's management utility and notices that a machine with an unfamiliar name is connected through his wireless connection. Paul checks the router's logs and notices that the unfamiliar machine has the same MAC address as his laptop. What is Paul seeing here?

Options:

A.

MAC spoofing

B.

Macof

C.

ARP spoofing

D.

DNS spoofing

Question 110

Where should a security tester be looking for information that could be used by an attacker against an organization? (Select all that apply)

Options:

A.

CHAT rooms

B.

WHOIS database

C.

News groups

D.

Web sites

E.

Search engines

F.

Organization’s own web site

Question 111

Which of the following command line switch would you use for OS detection in Nmap?

Options:

A.

-D

B.

-O

C.

-P

D.

-X

Question 112

Which of the following tools are used for footprinting? (Choose four)

Options:

A.

Sam Spade

B.

NSLookup

C.

Traceroute

D.

Neotrace

E.

Cheops

Question 113

Sandra has been actively scanning the client network on which she is doing a vulnerability assessment test. While conducting a port scan she notices open ports in the range of 135 to 139. What protocol is most likely to be listening on those ports?

Options:

A.

Finger

B.

FTP

C.

Samba

D.

SMB

Question 114

John is using a special tool on his Linux platform that has a signature database and is therefore able to detect hundred of vulnerabilities in UNIX, Windows, and commonly-used web CGI scripts. Additionally, the database detects DDoS zombies and Trojans. What would be the name of this multifunctional tool?

Options:

A.

nmap

B.

hping

C.

nessus

D.

make

Question 115

_________ is one of the programs used to wardial.

Options:

A.

DialIT

B.

Netstumbler

C.

TooPac

D.

Kismet

E.

ToneLoc

Question 116

When Nmap performs a ping sweep, which of the following sets of requests does it send to the target device?

Options:

A.

ICMP ECHO_REQUEST & TCP SYN

B.

ICMP ECHO_REQUEST & TCP ACK

C.

ICMP ECHO_REPLY & TFP RST

D.

ICMP ECHO_REPLY & TCP FIN

Question 117

What two things will happen if a router receives an ICMP packet, which has a TTL value of 1, and the destination host is several hops away? (Select 2 answers)

Options:

A.

The router will discard the packet

B.

The router will decrement the TTL value and forward the packet to the next router on the path to the destination host

C.

The router will send a time exceeded message to the source host

D.

The router will increment the TTL value and forward the packet to the next router on the path to the destination host.

E.

The router will send an ICMP Redirect Message to the source host

Question 118

What does a type 3 code 13 represent?(Choose two.

Options:

A.

Echo request

B.

Destination unreachable

C.

Network unreachable

D.

Administratively prohibited

E.

Port unreachable

F.

Time exceeded

Question 119

Exhibit

Joe Hacker runs the hping2 hacking tool to predict the target host’s sequence numbers in one of the hacking session.

What does the first and second column mean? Select two.

Options:

A.

The first column reports the sequence number

B.

The second column reports the difference between the current and last sequence number

C.

The second column reports the next sequence number

D.

The first column reports the difference between current and last sequence number

Question 120

Ursula is a college student at a University in Amsterdam. Ursula originally went to college to study engineering but later changed to marine biology after spending a month at sea with her friends. These friends frequently go out to sea to follow and harass fishing fleets that illegally fish in foreign waters. Ursula eventually wants to put companies practicing illegal fishing out of business. Ursula decides to hack into the parent company's computers and destroy critical data knowing fully well that, if caught, she probably would be sent to jail for a very long time. What would Ursula be considered?

Options:

A.

Ursula would be considered a gray hat since she is performing an act against illegal activities.

B.

She would be considered a suicide hacker.

C.

She would be called a cracker.

D.

Ursula would be considered a black hat.

Question 121

An attacker has successfully compromised a remote computer. Which of the following comes as one of the last steps that should be taken to ensure that the compromise cannot be traced back to the source of the problem?

Options:

A.

Install patches

B.

Setup a backdoor

C.

Install a zombie for DDOS

D.

Cover your tracks

Question 122

Which of the following statement correctly defines ICMP Flood Attack? (Select 2 answers)

Options:

A.

Bogus ECHO reply packets are flooded on the network spoofing the IP and MAC address

B.

The ICMP packets signal the victim system to reply and the combination of traffic saturates the bandwidth of the victim's network

C.

ECHO packets are flooded on the network saturating the bandwidth of the subnet causing denial of service

D.

A DDoS ICMP flood attack occurs when the zombies send large volumes of ICMP_ECHO_REPLY packets to the victim system.

Question 123

In the context of password security: a simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is. The brute force method is the most inclusive - though slow. Usually, it tries every possible letter and number combination in its automated exploration. If you would use both brute force and dictionary combined together to have variations of words, what would you call such an attack?

Options:

A.

Full Blown Attack

B.

Thorough Attack

C.

Hybrid Attack

D.

BruteDict Attack

Question 124

Which of the following tool would be considered as Signature Integrity Verifier (SIV)?

Options:

A.

Nmap

B.

SNORT

C.

VirusSCAN

D.

Tripwire

Question 125

SYN Flood is a DOS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. The signature of attack for SYN Flood contains:

Options:

A.

The source and destination address having the same value

B.

A large number of SYN packets appearing on a network without the corresponding reply packets

C.

The source and destination port numbers having the same value

D.

A large number of SYN packets appearing on a network with the corresponding reply packets

Question 126

What type of port scan is shown below?

Options:

A.

Idle Scan

B.

FIN Scan

C.

XMAS Scan

D.

Windows Scan

Question 127

This attack technique is used when a Web application is vulnerable to an SQL Injection but the results of the Injection are not visible to the attacker.

Options:

A.

Unique SQL Injection

B.

Blind SQL Injection

C.

Generic SQL Injection

D.

Double SQL Injection

Question 128

You are the Security Administrator of Xtrinity, Inc. You write security policies and conduct assessments to protect the company's network. During one of your periodic checks to see how well policy is being observed by the employees, you discover an employee has attached cell phone 3G modem to his telephone line and workstation. He has used this cell phone 3G modem to dial in to his workstation, thereby bypassing your firewall. A security breach has occurred as a direct result of this activity. The employee explains that he used the modem because he had to download software for a department project. How would you resolve this situation?

Options:

A.

Reconfigure the firewall

B.

Enforce the corporate security policy

C.

Install a network-based IDS

D.

Conduct a needs analysis

Question 129

What does FIN in TCP flag define?

Options:

A.

Used to abort a TCP connection abruptly

B.

Used to close a TCP connection

C.

Used to acknowledge receipt of a previous packet or transmission

D.

Used to indicate the beginning of a TCP connection

Question 130

Attacking well-known system defaults is one of the most common hacker attacks. Most software is shipped with a default configuration that makes it easy to install and setup the application. You should change the default settings to secure the system.

Which of the following is NOT an example of default installation?

Options:

A.

Many systems come with default user accounts with well-known passwords that administrators forget to change

B.

Often, the default location of installation files can be exploited which allows a hacker to retrieve a file from the system

C.

Many software packages come with "samples" that can be exploited, such as the sample programs on IIS web services

D.

Enabling firewall and anti-virus software on the local system

Question 131

What is the correct command to run Netcat on a server using port 56 that spawns command shell when connected?

Options:

A.

nc -port 56 -s cmd.exe

B.

nc -p 56 -p -e shell.exe

C.

nc -r 56 -c cmd.exe

D.

nc -L 56 -t -e cmd.exe

Demo: 131 questions
Total 878 questions