Independence Day Special Discount Limited Time 65% Offer - Ends in 0d 00h 00m 00s - Coupon code: netdisc

ECCouncil EC0-350 Ethical Hacking and Countermeasures V8 Exam Practice Test

Page: 1 / 88
Total 878 questions

Ethical Hacking and Countermeasures V8 Questions and Answers

Question 1

What is the proper response for a NULL scan if the port is closed?

Options:

A.

SYN

B.

ACK

C.

FIN

D.

PSH

E.

RST

F.

No response

Question 2

Which of the following systems would not respond correctly to an nmap XMAS scan?

Options:

A.

Windows 2000 Server running IIS 5

B.

Any Solaris version running SAMBA Server

C.

Any version of IRIX

D.

RedHat Linux 8.0 running Apache Web Server

Question 3

Name two software tools used for OS guessing? (Choose two.

Options:

A.

Nmap

B.

Snadboy

C.

Queso

D.

UserInfo

E.

NetBus

Question 4

Which Windows system tool checks integrity of critical files that has been digitally signed by Microsoft?

Options:

A.

signverif.exe

B.

sigverif.exe

C.

msverif.exe

D.

verifier.exe

Question 5

The following excerpt is taken from a honeyput log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful. Study the log given below and answer the following question:

(Note: The objective of this questions is to test whether the student has learnt about passive OS fingerprinting (which should tell them the OS from log captures): can they tell a SQL injection attack signature; can they infer if a user ID has been created by an attacker and whether they can read plain source – destination entries from log entries.)

What can you infer from the above log?

Options:

A.

The system is a windows system which is being scanned unsuccessfully.

B.

The system is a web application server compromised through SQL injection.

C.

The system has been compromised and backdoored by the attacker.

D.

The actual IP of the successful attacker is 24.9.255.53.

Question 6

What does a type 3 code 13 represent?(Choose two.

Options:

A.

Echo request

B.

Destination unreachable

C.

Network unreachable

D.

Administratively prohibited

E.

Port unreachable

F.

Time exceeded

Question 7

While performing ping scans into a target network you get a frantic call from the organization’s security team. They report that they are under a denial of service attack. When you stop your scan, the smurf attack event stops showing up on the organization’s IDS monitor. How can you modify your scan to prevent triggering this event in the IDS?

Options:

A.

Scan more slowly.

B.

Do not scan the broadcast IP.

C.

Spoof the source IP address.

D.

Only scan the Windows systems.

Question 8

_________ is one of the programs used to wardial.

Options:

A.

DialIT

B.

Netstumbler

C.

TooPac

D.

Kismet

E.

ToneLoc

Question 9

Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool “SIDExtractor”. Here is the output of the SIDs:

From the above list identify the user account with System Administrator privileges.

Options:

A.

John

B.

Rebecca

C.

Sheela

D.

Shawn

E.

Somia

F.

Chang

G.

Micah

Question 10

A person approaches a network administrator and wants advice on how to send encrypted email from home. The end user does not want to have to pay for any license fees or manage server services. Which of the following is the most secure encryption protocol that the network administrator should recommend?

Options:

A.

IP Security (IPSEC)

B.

Multipurpose Internet Mail Extensions (MIME)

C.

Pretty Good Privacy (PGP)

D.

Hyper Text Transfer Protocol with Secure Socket Layer (HTTPS)

Question 11

Which of the following commands runs snort in packet logger mode?

Options:

A.

./snort -dev -h ./log

B.

./snort -dev -l ./log

C.

./snort -dev -o ./log

D.

./snort -dev -p ./log

Question 12

You are manually conducting Idle Scanning using Hping2. During your scanning you notice that almost every query increments the IPID regardless of the port being queried. One or two of the queries cause the IPID to increment by more than one value. Why do you think this occurs?

Options:

A.

The zombie you are using is not truly idle.

B.

A stateful inspection firewall is resetting your queries.

C.

Hping2 cannot be used for idle scanning.

D.

These ports are actually open on the target system.

Question 13

A very useful resource for passively gathering information about a target company is:

Options:

A.

Host scanning

B.

Whois search

C.

Traceroute

D.

Ping sweep

Question 14

The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities?

Options:

A.

An attacker, working slowly enough, can evade detection by the IDS.

B.

Network packets are dropped if the volume exceeds the threshold.

C.

Thresholding interferes with the IDS’ ability to reassemble fragmented packets.

D.

The IDS will not distinguish among packets originating from different sources.

Question 15

A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites. 77 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets had an ICMP ID:0 and Seq:0. What can you infer from this information?

Options:

A.

The packets were sent by a worm spoofing the IP addresses of 47 infected sites

B.

ICMP ID and Seq numbers were most likely set by a tool and not by the operating system

C.

All 77 packets came from the same LAN segment and hence had the same ICMP ID and Seq number

D.

13 packets were from an external network and probably behind a NAT, as they had an ICMP ID 0 and Seq 0

Question 16

You have initiated an active operating system fingerprinting attempt with nmap against a target system:

What operating system is the target host running based on the open ports shown above?

Options:

A.

Windows XP

B.

Windows 98 SE

C.

Windows NT4 Server

D.

Windows 2000 Server

Question 17

Use the traceroute results shown above to answer the following question:

The perimeter security at targetcorp.com does not permit ICMP TTL-expired packets out.

Options:

A.

True

B.

False

Question 18

Joe Hacker is going wardriving. He is going to use PrismStumbler and wants it to go to a GPS mapping software application. What is the recommended and well-known GPS mapping package that would interface with PrismStumbler?

Select the best answer.

Options:

A.

GPSDrive

B.

GPSMap

C.

WinPcap

D.

Microsoft Mappoint

Question 19

What do you call a system where users need to remember only one username and password, and be authenticated for multiple services?

Options:

A.

Simple Sign-on

B.

Unique Sign-on

C.

Single Sign-on

D.

Digital Certificate

Question 20

Tess King is making use of Digest Authentication for her Web site. Why is this considered to be more secure than Basic authentication?

Options:

A.

Basic authentication is broken

B.

The password is never sent in clear text over the network

C.

The password sent in clear text over the network is never reused.

D.

It is based on Kerberos authentication protocol

Question 21

A program that defends against a port scanner will attempt to:

Options:

A.

Sends back bogus data to the port scanner

B.

Log a violation and recommend use of security-auditing tools

C.

Limit access by the scanning system to publicly available ports only

D.

Update a firewall rule in real time to prevent the port scan from being completed

Question 22

Rebecca has noted multiple entries in her logs about users attempting to connect on ports that are either not opened or ports that are not for public usage. How can she restrict this type of abuse by limiting access to only specific IP addresses that are trusted by using one of the built-in Linux Operating System tools?

Options:

A.

Ensure all files have at least a 755 or more restrictive permissions.

B.

Configure rules using ipchains.

C.

Configure and enable portsentry on his server.

D.

Install an intrusion detection system on her computer such as Snort.

Question 23

Vulnerability mapping occurs after which phase of a penetration test?

Options:

A.

Host scanning

B.

Passive information gathering

C.

Analysis of host scanning

D.

Network level discovery

Question 24

The following exploit code is extracted from what kind of attack?

Options:

A.

Remote password cracking attack

B.

SQL Injection

C.

Distributed Denial of Service

D.

Cross Site Scripting

E.

Buffer Overflow

Question 25

Which of the following is not an effective countermeasure against replay attacks?

Options:

A.

Digital signatures

B.

Time Stamps

C.

System identification

D.

Sequence numbers

Question 26

You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discover the internal structure of publicly accessible areas of the network.

How can you achieve this?

Options:

A.

Block ICMP at the firewall.

B.

Block UDP at the firewall.

C.

Both A and B.

D.

There is no way to completely block doing a trace route into this area.

Question 27

A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) then it was intended to hold.

What is the most common cause of buffer overflow in software today?

Options:

A.

Bad permissions on files.

B.

High bandwidth and large number of users.

C.

Usage of non standard programming languages.

D.

Bad quality assurance on software produced.

Question 28

You visit a website to retrieve the listing of a company's staff members. But you can not find it on the website. You know the listing was certainly present one year before. How can you retrieve information from the outdated website?

Options:

A.

Through Google searching cached files

B.

Through Archive.org

C.

Download the website and crawl it

D.

Visit customers' and prtners' websites

Question 29

Exhibit

Study the log given in the exhibit,

Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate?

Options:

A.

Disallow UDP 53 in from outside to DNS server

B.

Allow UDP 53 in from DNS server to outside

C.

Disallow TCP 53 in form secondaries or ISP server to DNS server

D.

Block all UDP traffic

Question 30

Peter is a Network Admin. He is concerned that his network is vulnerable to a smurf attack. What should Peter do to prevent a smurf attack?

Select the best answer.

Options:

A.

He should disable unicast on all routers

B.

Disable multicast on the router

C.

Turn off fragmentation on his router

D.

Make sure all anti-virus protection is updated on all systems

E.

Make sure his router won't take a directed broadcast

Question 31

Carl has successfully compromised a web server from behind a firewall by exploiting a vulnerability in the web server program. He wants to proceed by installing a backdoor program. However, he is aware that not all inbound ports on the firewall are in the open state.

From the list given below, identify the port that is most likely to be open and allowed to reach the server that Carl has just compromised.

Options:

A.

53

B.

110

C.

25

D.

69

Question 32

Sally is a network admin for a small company. She was asked to install wireless accesspoints in the building. In looking at the specifications for the access-points, she sees that all of them offer WEP. Which of these are true about WEP?

Select the best answer.

Options:

A.

Stands for Wireless Encryption Protocol

B.

It makes a WLAN as secure as a LAN

C.

Stands for Wired Equivalent Privacy

D.

It offers end to end security

Question 33

You are doing IP spoofing while you scan your target. You find that the target has port 23 open. Anyway you are unable to connect. Why?

Options:

A.

A firewall is blocking port 23

B.

You cannot spoof + TCP

C.

You need an automated telnet tool

D.

The OS does not reply to telnet even if port 23 is open

Question 34

The Slammer Worm exploits a stack-based overflow that occurs in a DLL implementing the Resolution Service.

Which of the following Database Server was targeted by the slammer worm?

Options:

A.

Oracle

B.

MSSQL

C.

MySQL

D.

Sybase

E.

DB2

Question 35

Which of the following statements are true regarding N-tier architecture? (Choose two.)

Options:

A.

Each layer must be able to exist on a physically independent system.

B.

The N-tier architecture must have at least one logical layer.

C.

Each layer should exchange information only with the layers above and below it. 

D.

When a layer is changed or updated, the other layers must also be recompiled or modified.

Question 36

Which of the following is a hashing algorithm?

Options:

A.

MD5

B.

PGP

C.

DES

D.

ROT13

Question 37

What type of port scan is represented here.

Options:

A.

Stealth Scan

B.

Full Scan

C.

XMAS Scan

D.

FIN Scan

Question 38

After a client sends a connection request (SYN) packet to the server, the server will respond (SYN-ACK) with a sequence number of its choosing, which then must be acknowledged (ACK) by the client. This sequence number is predictable; the attack connects to a service first with its own IP address, records the sequence number chosen, and then opens a second connection from a forged IP address. The attack doesn't see the SYN-ACK (or any other packet) from the server, but can guess the correct responses. If the source IP address is used for authentication, then the attacker can use the one-sided communication to break into the server. What attacks can you successfully launch against a server using the above technique?

Options:

A.

Denial of Service attacks

B.

Session Hijacking attacks

C.

Web page defacement attacks

D.

IP spoofing attacks

Question 39

Which of the following are valid types of rootkits? (Choose three.)

Options:

A.

Hypervisor level

B.

Network level

C.

Kernel level

D.

Application level

E.

Physical level

F.

Data access level

Question 40

Which of the following can take an arbitrary length of input and produce a message digest output of 160 bit?

Options:

A.

SHA-1

B.

MD5

C.

HAVAL

D.

MD4

Question 41

Bank of Timbuktu is a medium-sized, regional financial institution in Timbuktu. The bank has deployed a new Internet-accessible Web application recently. Customers can access their account balances, transfer money between accounts, pay bills and conduct online financial business using a Web browser.

John Stevens is in charge of information security at Bank of Timbuktu. After one month in production, several customers have complained about the Internet enabled banking application. Strangely, the account balances of many of the bank's customers had been changed! However, money hasn't been removed from the bank; instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries:

What kind of attack did the Hacker attempt to carry out at the bank?

Options:

A.

Brute force attack in which the Hacker attempted guessing login ID and password from password cracking tools.

B.

The Hacker attempted Session hijacking, in which the Hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session.

C.

The Hacker used a generator module to pass results to the Web server and exploited Web application CGI vulnerability.

D.

The Hacker first attempted logins with suspected user names, then used SQL Injection to gain access to valid bank login IDs.

Question 42

Which of the following represent weak password? (Select 2 answers)

Options:

A.

Passwords that contain letters, special characters, and numbers ExamplE. ap1$%##f@52

B.

Passwords that contain only numbers ExamplE. 23698217

C.

Passwords that contain only special characters ExamplE. &*#@!(%)

D.

Passwords that contain letters and numbers ExamplE. meerdfget123

E.

Passwords that contain only letters ExamplE. QWERTYKLRTY

F.

Passwords that contain only special characters and numbers ExamplE. 123@$45

G.

Passwords that contain only letters and special characters ExamplE. bob@&ba

Question 43

Oregon Corp is fighting a litigation suit with Scamster Inc. Oregon has assigned a private investigative agency to go through garbage, recycled paper, and other rubbish at Scamster's office site in order to find relevant information. What would you call this kind of activity?

Options:

A.

CI Gathering

B.

Scanning

C.

Dumpster Diving

D.

Garbage Scooping

Question 44

What command would you type to OS fingerprint a server using the command line?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 45

Which of the following are password cracking tools? (Choose three.)

Options:

A.

BTCrack

B.

John the Ripper

C.

KerbCrack

D.

Nikto

E.

Cain and Abel

F.

Havij

Question 46

How do you defend against ARP Poisoning attack? (Select 2 answers)

Options:

A.

Enable DHCP Snooping Binding Table

B.

Restrict ARP Duplicates

C.

Enable Dynamic ARP Inspection

D.

Enable MAC snooping Table

Question 47

Here is the ASCII Sheet.

You want to guess the DBO username juggyboy (8 characters) using Blind SQL Injection technique.

What is the correct syntax?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 48

John runs a Web server, IDS and firewall on his network. Recently his Web server has been under constant hacking attacks. He looks up the IDS log files and sees no intrusion attempts but the Web server constantly locks up and needs rebooting due to various brute force and buffer overflow attacks but still the IDS alerts no intrusion whatsoever. John becomes suspicious and views the Firewall logs and he notices huge SSL connections constantly hitting his Web server. Hackers have been using the encrypted HTTPS protocol to send exploits to the Web server and that was the reason the IDS did not detect the intrusions. How would John protect his network from these types of attacks?

Options:

A.

Install a proxy server and terminate SSL at the proxy

B.

Enable the IDS to filter encrypted HTTPS traffic

C.

Install a hardware SSL "accelerator" and terminate SSL at this layer

D.

Enable the Firewall to filter encrypted HTTPS traffic

Question 49

Neil is an IT security consultant working on contract for Davidson Avionics. Neil has been hired to audit the network of Davidson Avionics. He has been given permission to perform any tests necessary. Neil has created a fake company ID badge and uniform. Neil waits by one of the company's entrance doors and follows an employee into the office after they use their valid access card to gain entrance. What type of social engineering attack has Neil employed here?

Options:

A.

Neil has used a tailgating social engineering attack to gain access to the offices

B.

He has used a piggybacking technique to gain unauthorized access

C.

This type of social engineering attack is called man trapping

D.

Neil is using the technique of reverse social engineering to gain access to the offices of Davidson Avionics

Question 50

A covert channel is a channel that

Options:

A.

transfers information over, within a computer system, or network that is outside of the security policy.

B.

transfers information over, within a computer system, or network that is within the security policy.

C.

transfers information via a communication path within a computer system, or network for transfer of data.

D.

transfers information over, within a computer system, or network that is encrypted.

Question 51

Passive reconnaissance involves collecting information through which of the following?

Options:

A.

Social engineering

B.

Network traffic sniffing

C.

Man in the middle attacks

D.

Publicly accessible sources

Question 52

What is GINA?

Options:

A.

Gateway Interface Network Application

B.

GUI Installed Network Application CLASS

C.

Global Internet National Authority (G-USA)

D.

Graphical Identification and Authentication DLL

Question 53

What is the algorithm used by LM for Windows2000 SAM?

Options:

A.

MD4

B.

DES

C.

SHA

D.

SSL

Question 54

What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stracheldraht have in common?

Options:

A.

All are hacking tools developed by the legion of doom

B.

All are tools that can be used not only by hackers, but also security personnel

C.

All are DDOS tools

D.

All are tools that are only effective against Windows

E.

All are tools that are only effective against Linux

Question 55

Joseph was the Web site administrator for the Mason Insurance in New York, who's main Web site was located at www.masonins.com. Joseph uses his laptop computer regularly to administer the Web site.

One night, Joseph received an urgent phone call from his friend, Smith. According to Smith, the main Mason Insurance web site had been vandalized! All of its normal content was removed and replaced with an attacker's message ''Hacker Message: You are dead! Freaks!

From his office, which was directly connected to Mason Insurance's internal network, Joseph surfed to the Web site using his laptop. In his browser, the Web site looked completely intact. No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the problem. The Web site appeared defaced when his friend visited using his DSL connection. So, while Smith and his friend could see the defaced page, Joseph saw the intact Mason Insurance web site. To help make sense of this problem, Joseph decided to access the Web site using his dial-up ISP. He disconnected his laptop from the corporate internal network and used his modem to dial up the same ISP used by Smith.

After his modem connected, he quickly typed www.masonins.com in his browser to reveal the following web page:

H@cker Mess@ge:

Y0u @re De@d! Fre@ks!

After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the entire Web site, and determined that every system file and all the Web content on the server were intact.

How did the attacker accomplish this hack?

Options:

A.

ARP spoofing

B.

SQL injection

C.

DNS poisoning

D.

Routing table injection

Question 56

Attackers can potentially intercept and modify unsigned SMB packets, modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after a legitimate authentication and gain unauthorized access to data. Which of the following is NOT a means that can be used to minimize or protect against such an attack?

Options:

A.

Timestamps

B.

SMB Signing

C.

File permissions

D.

Sequence numbers monitoring

Question 57

LM authentication is not as strong as Windows NT authentication so you may want to disable its use, because an attacker eavesdropping on network traffic will attack the weaker protocol. A successful attack can compromise the user's password. How do you disable LM authentication in Windows XP?

Options:

A.

Stop the LM service in Windows XP

B.

Disable LSASS service in Windows XP

C.

Disable LM authentication in the registry

D.

Download and install LMSHUT.EXE tool from Microsoft website

Question 58

What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?

Options:

A.

Copy the system files from a known good system

B.

Perform a trap and trace

C.

Delete the files and try to determine the source

D.

Reload from a previous backup

E.

Reload from known good media

Question 59

Global deployment of RFC 2827 would help mitigate what classification of attack?

Options:

A.

Sniffing attack

B.

Denial of service attack

C.

Spoofing attack

D.

Reconnaissance attack

E.

Prot Scan attack

Question 60

Which of the following tools are used for enumeration? (Choose three.)

Options:

A.

SolarWinds

B.

USER2SID

C.

Cheops

D.

SID2USER

E.

DumpSec

Question 61

_________ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes.

Options:

A.

Trojan

B.

RootKit

C.

DoS tool

D.

Scanner

E.

Backdoor

Question 62

What happens when one experiences a ping of death?

Options:

A.

This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the “type” field in the ICMP header is set to 18 (Address Mask Reply).

B.

This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset ‘ 8) + (IP data length) >65535.

In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.

C.

This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the source equal to destination address.

D.

This is when an the IP header is set to 1 (ICMP) and the “type” field in the ICMP header is set to 5 (Redirect).

Question 63

In the context of Windows Security, what is a 'null' user?

Options:

A.

A user that has no skills

B.

An account that has been suspended by the admin

C.

A pseudo account that has no username and password

D.

A pseudo account that was created for security administration purpose

Question 64

A remote user tries to login to a secure network using Telnet, but accidently types in an invalid user name or password. Which responses would NOT be preferred by an experienced Security Manager? (multiple answer)

Options:

A.

Invalid Username

B.

Invalid Password

C.

Authentication Failure

D.

Login Attempt Failed

E.

Access Denied

Question 65

Windows LAN Manager (LM) hashes are known to be weak. Which of the following are known weaknesses of LM? (Choose three)

Options:

A.

Converts passwords to uppercase.

B.

Hashes are sent in clear text over the network.

C.

Makes use of only 32 bit encryption.

D.

Effective length is 7 characters.

Question 66

What is a NULL scan?

Options:

A.

A scan in which all flags are turned off

B.

A scan in which certain flags are off

C.

A scan in which all flags are on

D.

A scan in which the packet size is set to zero

E.

A scan with a illegal packet size

Question 67

ARP poisoning is achieved in _____ steps

Options:

A.

1

B.

2

C.

3

D.

4

Question 68

Exhibit:

ettercap –NCLzs --quiet

What does the command in the exhibit do in “Ettercap”?

Options:

A.

This command will provide you the entire list of hosts in the LAN

B.

This command will check if someone is poisoning you and will report its IP.

C.

This command will detach from console and log all the collected passwords from the network to a file.

D.

This command broadcasts ping to scan the LAN instead of ARP request of all the subnet IPs.

Question 69

Which method can provide a better return on IT security investment and provide a thorough and comprehensive assessment of organizational security covering policy, procedure design, and implementation?

Options:

A.

Penetration testing

B.

Social engineering

C.

Vulnerability scanning

D.

Access control list reviews

Question 70

Which type of scan is used on the eye to measure the layer of blood vessels?

Options:

A.

Facial recognition scan

B.

Retinal scan

C.

Iris scan

D.

Signature kinetics scan

Question 71

Which of the following is an advantage of utilizing security testing methodologies to conduct a security audit?

Options:

A.

They provide a repeatable framework.

B.

Anyone can run the command line scripts.

C.

They are available at low cost.

D.

They are subject to government regulation.

Question 72

Which solution can be used to emulate computer services, such as mail and ftp, and to capture information related to logins or actions?

Options:

A.

Firewall

B.

Honeypot

C.

Core server

D.

Layer 4 switch

Question 73

A security administrator notices that the log file of the company`s webserver contains suspicious entries:

Based on source code analysis, the analyst concludes that the login.php script is vulnerable to

Options:

A.

command injection.

B.

SQL injection.

C.

directory traversal.

D.

LDAP injection.

Question 74

Which of the following is a characteristic of Public Key Infrastructure (PKI)?

Options:

A.

Public-key cryptosystems are faster than symmetric-key cryptosystems.

B.

Public-key cryptosystems distribute public-keys within digital signatures.

C.

Public-key cryptosystems do not require a secure key distribution channel.

D.

Public-key cryptosystems do not provide technical non-repudiation via digital signatures.

Question 75

A consultant has been hired by the V.P. of a large financial organization to assess the company's security posture.  During the security testing, the consultant comes across child pornography on the V.P.'s computer.  What is the consultant's obligation to the financial organization?

Options:

A.

Say nothing and continue with the security testing.

B.

Stop work immediately and contact the authorities.

C.

Delete the pornography, say nothing, and continue security testing.

D.

Bring the discovery to the financial organization's human resource department.

Question 76

How can a rootkit bypass Windows 7 operating system’s kernel mode, code signing policy?

Options:

A.

Defeating the scanner from detecting any code change at the kernel

B.

Replacing patch system calls with its own version that hides the rootkit (attacker's) actions

C.

Performing common services for the application process and replacing real applications with fake ones

D.

Attaching itself to the master boot record in a hard drive and changing the machine's boot sequence/options

Question 77

A corporation hired an ethical hacker to test if it is possible to obtain users' login credentials using methods other than social engineering. Access to offices and to a network node is granted.  Results from server scanning indicate all are adequately patched and physical access is denied, thus, administrators have access only through Remote Desktop. Which technique could be used to obtain login credentials?

Options:

A.

Capture every users' traffic with Ettercap.

B.

Capture LANMAN Hashes and crack them with LC6.

C.

Guess passwords using Medusa or Hydra against a network service.

D.

Capture administrators RDP traffic and decode it with Cain and Abel.

Question 78

The intrusion detection system at a software development company suddenly generates multiple alerts regarding attacks against the company's external webserver, VPN concentrator, and DNS servers.  What should the security team do to determine which alerts to check first?

Options:

A.

Investigate based on the maintenance schedule of the affected systems.

B.

Investigate based on the service level agreements of the systems.

C.

Investigate based on the potential effect of the incident.

D.

Investigate based on the order that the alerts arrived in.

Question 79

Which of the following items is unique to the N-tier architecture method of designing software applications?

Options:

A.

Application layers can be separated, allowing each layer to be upgraded independently from other layers.

B.

It is compatible with various databases including Access, Oracle, and SQL.

C.

Data security is tied into each layer and must be updated for all layers when any upgrade is performed.

D.

Application layers can be written in C, ASP.NET, or Delphi without any performance loss.

Question 80

A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over ports 20 and 21. During analysis, there were no signs of attack on the FTP servers. How should the administrator classify this situation?

Options:

A.

True negatives

B.

False negatives

C.

True positives

D.

False positives

Question 81

How do employers protect assets with security policies pertaining to employee surveillance activities?

Options:

A.

Employers promote monitoring activities of employees as long as the employees demonstrate trustworthiness.

B.

Employers use informal verbal communication channels to explain employee monitoring activities to employees.

C.

Employers use network surveillance to monitor employee email traffic, network access, and to record employee keystrokes.

D.

Employers provide employees written statements that clearly discuss the boundaries of monitoring activities and consequences.

Question 82

What statement is true regarding LM hashes?

Options:

A.

LM hashes consist in 48 hexadecimal characters.

B.

LM hashes are based on AES128 cryptographic standard.

C.

Uppercase characters in the password are converted to lowercase.

D.

LM hashes are not generated when the password length exceeds 15 characters.

Question 83

Which NMAP command combination would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection?

Options:

A.

NMAP -PN -A -O -sS 192.168.2.0/24

B.

NMAP -P0 -A -O -p1-65535 192.168.0/24

C.

NMAP -P0 -A -sT -p0-65535 192.168.0/16

D.

NMAP -PN -O -sS -p 1-1024 192.168.0/8

Question 84

Which of the following parameters enables NMAP's operating system detection feature?

Options:

A.

NMAP -sV

B.

NMAP -oS

C.

NMAP -sR

D.

NMAP -O

Question 85

Which of the following guidelines or standards is associated with the credit card industry?

Options:

A.

Control Objectives for Information and Related Technology (COBIT)

B.

Sarbanes-Oxley Act (SOX)

C.

Health Insurance Portability and Accountability Act (HIPAA)

D.

Payment Card Industry Data Security Standards (PCI DSS)

Question 86

This tool is widely used for ARP Poisoning attack. Name the tool.

Options:

A.

Cain and Able

B.

Beat Infector

C.

Poison Ivy

D.

Webarp Infector

Question 87

Which of the following tool would be considered as Signature Integrity Verifier (SIV)?

Options:

A.

Nmap

B.

SNORT

C.

VirusSCAN

D.

Tripwire

Question 88

If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization.

How would you prevent such type of attacks?

Options:

A.

It is impossible to block these attacks

B.

Hire the people through third-party job agencies who will vet them for you

C.

Conduct thorough background checks before you engage them

D.

Investigate their social networking profiles

Question 89

What file system vulnerability does the following command take advantage of?

type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe

Options:

A.

HFS

B.

Backdoor access

C.

XFS

D.

ADS

Question 90

You want to hide a secret.txt document inside c:\windows\system32\tcpip.dll kernel library using ADS streams. How will you accomplish this?

Options:

A.

copy secret.txt c:\windows\system32\tcpip.dll kernel>secret.txt

B.

copy secret.txt c:\windows\system32\tcpip.dll:secret.txt

C.

copy secret.txt c:\windows\system32\tcpip.dll |secret.txt

D.

copy secret.txt >< c:\windows\system32\tcpip.dll kernel secret.txt

Question 91

The following script shows a simple SQL injection. The script builds an SQL query by concatenating hard-coded strings together with a string entered by the user:

The user is prompted to enter the name of a city on a Web form. If she enters Chicago, the query assembled by the script looks similar to the following:

SELECT * FROM OrdersTable WHERE ShipCity = 'Chicago'

How will you delete the OrdersTable from the database using SQL Injection?

Options:

A.

Chicago'; drop table OrdersTable --

B.

Delete table'blah'; OrdersTable --

C.

EXEC; SELECT * OrdersTable > DROP --

D.

cmdshell'; 'del c:\sql\mydb\OrdersTable' //

Question 92

What does ICMP (type 11, code 0) denote?

Options:

A.

Source Quench

B.

Destination Unreachable

C.

Time Exceeded

D.

Unknown Type

Question 93

You are the Security Administrator of Xtrinity, Inc. You write security policies and conduct assessments to protect the company's network. During one of your periodic checks to see how well policy is being observed by the employees, you discover an employee has attached cell phone 3G modem to his telephone line and workstation. He has used this cell phone 3G modem to dial in to his workstation, thereby bypassing your firewall. A security breach has occurred as a direct result of this activity. The employee explains that he used the modem because he had to download software for a department project. How would you resolve this situation?

Options:

A.

Reconfigure the firewall

B.

Enforce the corporate security policy

C.

Install a network-based IDS

D.

Conduct a needs analysis

Question 94

Jake works as a system administrator at Acme Corp. Jason, an accountant of the firm befriends him at the canteen and tags along with him on the pretext of appraising him about potential tax benefits. Jason waits for Jake to swipe his access card and follows him through the open door into the secure systems area. How would you describe Jason's behavior within a security context?

Options:

A.

Smooth Talking

B.

Swipe Gating

C.

Tailgating

D.

Trailing

Question 95

A common technique for luring e-mail users into opening virus-launching attachments is to send messages that would appear to be relevant or important to many of their potential recipients. One way of accomplishing this feat is to make the virus-carrying messages appear to come from some type of business entity retailing sites, UPS, FEDEX, CITIBANK or a major provider of a common service.

Here is a fraudulent e-mail claiming to be from FedEx regarding a package that could not be delivered. This mail asks the receiver to open an attachment in order to obtain the FEDEX tracking number for picking up the package. The attachment contained in this type of e-mail activates a virus.

Vendors send e-mails like this to their customers advising them not to open any files attached with the mail, as they do not include attachments.

Fraudulent e-mail and legit e-mail that arrives in your inbox contain the fedex.com as the sender of the mail.

How do you ensure if the e-mail is authentic and sent from fedex.com?

Options:

A.

Verify the digital signature attached with the mail, the fake mail will not have Digital ID at all

B.

Check the Sender ID against the National Spam Database (NSD)

C.

Fake mail will have spelling/grammatical errors

D.

Fake mail uses extensive images, animation and flash content

Question 96

What is a sniffing performed on a switched network called?

Options:

A.

Spoofed sniffing

B.

Passive sniffing

C.

Direct sniffing

D.

Active sniffing

Question 97

Which type of hacker represents the highest risk to your network?

Options:

A.

black hat hackers

B.

grey hat hackers

C.

disgruntled employees

D.

script kiddies

Question 98

BankerFox is a Trojan that is designed to steal users' banking data related to certain banking entities.

When they access any website of the affected banks through the vulnerable Firefox 3.5 browser, the Trojan is activated and logs the information entered by the user. All the information entered in that website will be logged by the Trojan and transmitted to the attacker's machine using covert channel.

BankerFox does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer.

What is the most efficient way an attacker located in remote location to infect this banking Trojan on a victim's machine?

Options:

A.

Physical access - the attacker can simply copy a Trojan horse to a victim's hard disk infecting the machine via Firefox add-on extensions

B.

Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program that is unique to that particular computer

C.

Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program that is unique to that particular computer

D.

Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program that is unique to that particular computer

E.

Downloading software from a website? An attacker can offer free software, such as shareware programs and pirated mp3 files

Question 99

Lori is a Certified Ethical Hacker as well as a Certified Hacking Forensics Investigator working as an IT security consultant. Lori has been hired on by Kiley Innovators, a large marketing firm that recently underwent a string of thefts and corporate espionage incidents. Lori is told that a rival marketing company came out with an exact duplicate product right before Kiley Innovators was about to release it. The executive team believes that an employee is leaking information to the rival company. Lori questions all employees, reviews server logs, and firewall logs; after which she finds nothing. Lori is then given permission to search through the corporate email system. She searches by email being sent to and sent from the rival marketing company.

She finds one employee that appears to be sending very large email to this other marketing company, even though they should have no reason to be communicating with them. Lori tracks down the actual emails sent and upon opening them, only finds picture files attached to them. These files seem perfectly harmless, usually containing some kind of joke. Lori decides to use some special software to further examine the pictures and finds that each one had hidden text that was stored in each picture.

What technique was used by the Kiley Innovators employee to send information to the rival marketing company?

Options:

A.

The Kiley Innovators employee used cryptography to hide the information in the emails sent

B.

The method used by the employee to hide the information was logical watermarking

C.

The employee used steganography to hide information in the picture attachments

D.

By using the pictures to hide information, the employee utilized picture fuzzing

Question 100

In TCP communications there are 8 flags; FIN, SYN, RST, PSH, ACK, URG, ECE, CWR. These flags have decimal numbers assigned to them:

FIN = 1

SYN = 2

RST = 4

PSH = 8

ACK = 16

URG = 32

ECE = 64

CWR = 128

Jason is the security administrator of ASPEN Communications. He analyzes some traffic using Wireshark and has enabled the following filters.

What is Jason trying to accomplish here?

Options:

A.

SYN, FIN, URG and PSH

B.

SYN, SYN/ACK, ACK

C.

RST, PSH/URG, FIN

D.

ACK, ACK, SYN, URG

Question 101

In Buffer Overflow exploit, which of the following registers gets overwritten with return address of the exploit code?

Options:

A.

EEP

B.

ESP

C.

EAP

D.

EIP

Question 102

What is the correct command to run Netcat on a server using port 56 that spawns command shell when connected?

Options:

A.

nc -port 56 -s cmd.exe

B.

nc -p 56 -p -e shell.exe

C.

nc -r 56 -c cmd.exe

D.

nc -L 56 -t -e cmd.exe

Question 103

What is the name of the international standard that establishes a baseline level of confidence in the security functionality of IT products by providing a set of requirements for evaluation?

Options:

A.

Blue Book

B.

ISO 26029

C.

Common Criteria

D.

The Wassenaar Agreement

Question 104

Which of the following open source tools would be the best choice to scan a network for potential targets?

Options:

A.

NMAP

B.

NIKTO

C.

CAIN

D.

John the Ripper

Question 105

Information gathered from social networking websites such as Facebook, Twitter and LinkedIn can be used to launch which of the following types of attacks? (Choose two.)

Options:

A.

Smurf attack

B.

Social engineering attack

C.

SQL injection attack

D.

Phishing attack

E.

Fraggle attack

F.

Distributed denial of service attack

Question 106

An organization hires a tester to do a wireless penetration test. Previous reports indicate that the last test did not contain management or control packets in the submitted traces. Which of the following is the most likely reason for lack of management or control packets?

Options:

A.

The wireless card was not turned on.

B.

The wrong network card drivers were in use by Wireshark.

C.

On Linux and Mac OS X, only 802.11 headers are received in promiscuous mode.

D.

Certain operating systems and adapters do not collect the management or control packets.

Question 107

The Open Web Application Security Project (OWASP) testing methodology addresses the need to secure web applications by providing which one of the following services?

Options:

A.

An extensible security framework named COBIT

B.

A list of flaws and how to fix them

C.

Web application patches

D.

A security certification for hardened web applications

Question 108

Which of the following is a component of a risk assessment?

Options:

A.

Physical security

B.

Administrative safeguards

C.

DMZ

D.

Logical interface

Question 109

Which statement best describes a server type under an N-tier architecture?

Options:

A.

A group of servers at a specific layer

B.

A single server with a specific role

C.

A group of servers with a unique role

D.

A single server at a specific layer

Question 110

A hacker is attempting to see which ports have been left open on a network. Which NMAP switch would the hacker use?

Options:

A.

-sO

B.

-sP

C.

-sS

D.

-sU

Question 111

What is the primary drawback to using advanced encryption standard (AES) algorithm with a 256 bit key to share sensitive data?

Options:

A.

Due to the key size, the time it will take to encrypt and decrypt the message hinders efficient communication.

B.

To get messaging programs to function with this algorithm requires complex configurations.

C.

It has been proven to be a weak cipher; therefore, should not be trusted to protect sensitive data.

D.

It is a symmetric key algorithm, meaning each recipient must receive the key through a different channel than the message.

Question 112

Which of the following cryptography attack methods is usually performed without the use of a computer?

Options:

A.

Ciphertext-only attack

B.

Chosen key attack

C.

Rubber hose attack

D.

Rainbow table attack

Question 113

When analyzing the IDS logs, the system administrator notices connections from outside of the LAN have been sending packets where the Source IP address and Destination IP address are the same. There have been no alerts sent via email or logged in the IDS. Which type of an alert is this?

Options:

A.

False positive

B.

False negative

C.

True positive

D.

True negative

Question 114

During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this vulnerability?

Options:

A.

The web application does not have the secure flag set.

B.

The session cookies do not have the HttpOnly flag set.

C.

The victim user should not have an endpoint security solution.

D.

The victim's browser must have ActiveX technology enabled.

Question 115

Which of the following is a primary service of the U.S. Computer Security Incident Response Team (CSIRT)?

Options:

A.

CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide.

B.

CSIRT provides a computer security surveillance service to supply a government with important intelligence information on individuals travelling abroad.

C.

CSIRT provides a penetration testing service to support exception reporting on incidents worldwide by individuals and multi-national corporations.

D.

CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling an individual's property or company's asset.

Question 116

Which of the following is a hardware requirement that either an IDS/IPS system or a proxy server must have in order to properly function?

Options:

A.

Fast processor to help with network traffic analysis

B.

They must be dual-homed

C.

Similar RAM requirements

D.

Fast network interface cards

Question 117

An ethical hacker for a large security research firm performs penetration tests, vulnerability tests, and risk assessments. A friend recently started a company and asks the hacker to perform a penetration test and vulnerability assessment of the new company as a favor.  What should the hacker's next step be before starting work on this job?

Options:

A.

Start by foot printing the network and mapping out a plan of attack.

B.

Ask the employer for authorization to perform the work outside the company.

C.

Begin the reconnaissance phase with passive information gathering and then move into active information gathering.

D.

Use social engineering techniques on the friend's employees to help identify areas that may be susceptible to attack.

Question 118

Which of the following resources does NMAP need to be used as a basic vulnerability scanner covering several vectors like SMB, HTTP and FTP?

Options:

A.

Metasploit scripting engine

B.

Nessus scripting engine

C.

NMAP scripting engine

D.

SAINT scripting engine

Question 119

A botnet can be managed through which of the following?

Options:

A.

IRC

B.

E-Mail

C.

Linkedin and Facebook

D.

A vulnerable FTP server

Question 120

You are footprinting an organization and gathering competitive intelligence. You visit the company's website for contact information and telephone numbers but do not find them listed there. You know they had the entire staff directory listed on their website 12 months ago but now it is not there. Is there any way you can retrieve information from a website that is outdated?

Options:

A.

Visit Google's search engine and view the cached copy

B.

Crawl the entire website and store them into your computer

C.

Visit Archive.org web site to retrieve the Internet archive of the company's website

D.

Visit the company's partners and customers website for this information

Question 121

You establish a new Web browser connection to Google. Since a 3-way handshake is required for any TCP connection, the following actions will take place.

  • DNS query is sent to the DNS server to resolve www.google.com
  • DNS server replies with the IP address for Google?
  • SYN packet is sent to Google.
  • Google sends back a SYN/ACK packet
  • Your computer completes the handshake by sending an ACK
  • The connection is established and the transfer of data commences

Which of the following packets represent completion of the 3-way handshake?

Options:

A.

4th packet

B.

3rdpacket

C.

6th packet

D.

5th packet

Question 122

Neil is closely monitoring his firewall rules and logs on a regular basis. Some of the users have complained to Neil that there are a few employees who are visiting offensive web site during work hours, without any consideration for others. Neil knows that he has an up-to-date content filtering system and such access should not be authorized. What type of technique might be used by these offenders to access the Internet without restriction?

Options:

A.

They are using UDP that is always authorized at the firewall

B.

They are using HTTP tunneling software that allows them to communicate with protocols in a way it was not intended

C.

They have been able to compromise the firewall, modify the rules, and give themselves proper access

D.

They are using an older version of Internet Explorer that allow them to bypass the proxy server

Question 123

Buffer X in an Accounting application module for Brownies Inc. can contain 200 characters. The programmer makes an assumption that 200 characters are more than enough. Because there were no proper boundary checks being conducted, Bob decided to insert 400 characters into the 200-character buffer. (Overflows the buffer). Below is the code snippet:

How can you protect/fix the problem of your application as shown above?

Options:

A.

Because the counter starts with 0, we would stop when the counter is less than 200

B.

Because the counter starts with 0, we would stop when the counter is more than 200

C.

Add a separate statement to signify that if we have written less than 200 characters to the buffer, the stack should stop because it cannot hold any more data

D.

Add a separate statement to signify that if we have written 200 characters to the buffer, the stack should stop because it cannot hold any more data

Question 124

Jason is the network administrator of Spears Technology. He has enabled SNORT IDS to detect attacks going through his network. He receives Snort SMS alerts on his iPhone whenever there is an attempted intrusion to his network.

He receives the following SMS message during the weekend.

An attacker Chew Siew sitting in Beijing, China had just launched a remote scan on Jason's network with the hping command.

Which of the following hping2 command is responsible for the above snort alert?

Options:

A.

chenrocks:/home/siew # hping -S -R -P -A -F -U 192.168.2.56 -p 22 -c 5 -t 118

B.

chenrocks:/home/siew # hping -F -Q -J -A -C -W 192.168.2.56 -p 22 -c 5 -t 118

C.

chenrocks:/home/siew # hping -D -V -R -S -Z -Y 192.168.2.56 -p 22 -c 5 -t 118

D.

chenrocks:/home/siew # hping -G -T -H -S -L -W 192.168.2.56 -p 22 -c 5 -t 118

Question 125

ViruXine.W32 virus hides their presence by changing the underlying executable code. This Virus code mutates while keeping the original algorithm intact, the code changes itself each time it runs, but the function of the code (its semantics) will not change at all.

Here is a section of the Virus code:

What is this technique called?

Options:

A.

Polymorphic Virus

B.

Metamorphic Virus

C.

Dravidic Virus

D.

Stealth Virus

Question 126

You are programming a buffer overflow exploit and you want to create a NOP sled of 200 bytes in the program exploit.c

What is the hexadecimal value of NOP instruction?

Options:

A.

0x60

B.

0x80

C.

0x70

D.

0x90

Question 127

Hampton is the senior security analyst for the city of Columbus in Ohio. His primary responsibility is to ensure that all physical and logical aspects of the city's computer network are secure from all angles. Bill is an IT technician that works with Hampton in the same IT department. Bill's primary responsibility is to keep PC's and servers up to date and to keep track of all the agency laptops that the company owns and lends out to its employees. After Bill setup a wireless network for the agency, Hampton made sure that everything was secure. He instituted encryption, rotating keys, turned off SSID broadcasting, and enabled MAC filtering. According to agency policy, only company laptops are allowed to use the wireless network, so Hampton entered all the MAC addresses for those laptops into the wireless security utility so that only those laptops should be able to access the wireless network.

Hampton does not keep track of all the laptops, but he is pretty certain that the agency only purchases Dell laptops. Hampton is curious about this because he notices Bill working on a Toshiba laptop one day and saw that he was on the Internet. Instead of jumping to conclusions, Hampton decides to talk to Bill's boss and see if they had purchased a Toshiba laptop instead of the usual Dell. Bill's boss said no, so now Hampton is very curious to see how Bill is accessing the Internet. Hampton does site surveys every couple of days, and has yet to see any outside wireless network signals inside the company's building.

How was Bill able to get Internet access without using an agency laptop?

Options:

A.

Bill spoofed the MAC address of Dell laptop

B.

Bill connected to a Rogue access point

C.

Toshiba and Dell laptops share the same hardware address

D.

Bill brute forced the Mac address ACLs

Question 128

Fred is scanning his network to ensure it is as secure as possible. Fred sends a TCP probe packet to a host with a FIN flag and he receives a RST/ACK response. What does this mean?

Options:

A.

This response means the port he is scanning is open.

B.

The RST/ACK response means the port Fred is scanning is disabled.

C.

This means the port he is scanning is half open.

D.

This means that the port he is scanning on the host is closed.

Question 129

E-mail tracking is a method to monitor and spy the delivered e-mails to the intended recipient.

Select a feature, which you will NOT be able to accomplish with this probe?

Options:

A.

When the e-mail was received and read

B.

Send destructive e-mails

C.

GPS location and map of the recipient

D.

Time spent on reading the e-mails

E.

Whether or not the recipient visited any links sent to them

F.

Track PDF and other types of attachments

G.

Set messages to expire after specified time

Question 130

The programmers on your team are analyzing the free, open source software being used to run FTP services on a server in your organization. They notice that there is excessive number of functions in the source code that might lead to buffer overflow. These C++ functions do not check bounds. Identify the line in the source code that might lead to buffer overflow?

Options:

A.

9A.9

B.

17B.17

C.

20C.20

D.

32D.32

E.

35E.35

Question 131

You went to great lengths to install all the necessary technologies to prevent hacking attacks, such as expensive firewalls, antivirus software, anti-spam systems and intrusion detection/prevention tools in your company's network. You have configured the most secure policies and tightened every device on your network. You are confident that hackers will never be able to gain access to your network with complex security system in place. Your peer, Peter Smith who works at the same department disagrees with you. He says even the best network security technologies cannot prevent hackers gaining access to the network because of presence of "weakest link" in the security chain. What is Peter Smith talking about?

Options:

A.

Untrained staff or ignorant computer users who inadvertently become the weakest link in your security chain

B.

"zero-day" exploits are the weakest link in the security chain since the IDS will not be able to detect these attacks

C.

"Polymorphic viruses" are the weakest link in the security chain since the Anti-Virus scanners will not be able to detect these attacks

D.

Continuous Spam e-mails cannot be blocked by your security system since spammers use different techniques to bypass the filters in your gateway

Page: 1 / 88
Total 878 questions