CEH Practice Test 3
Question 1 of 79
You are concerned a machine (192.168.15.12) on the network does not seem to be sending logs to a system running syslog (192.168.15.90). Which of the following filters is the best choice to see if the system is sending messages to the syslog server?
Correct Answer:
tcp.dstport==514 && ip.dst==192.168.15.90 is correct.
The port number for syslog (514) traffic is intended to be called out in tcp.dstport (destination port), and the destination IP (192.168.15.90) is called out by ip.dst (IP destination).
Incorrect Answers:
tcp.dstport==514 && ip.dst==192.168.15.12, tcp.srcport==514 && ip.src==192.168.15.90, and tcp.srcport==514 && ip.src==192.168.15.12 are incorrect.
These answers do not match the correct syntax.
Question 2 of 79
Which of the following are aspects of the Common Criteria testing process?
Correct Answer:
All the above is correct.
“Common Criteria” is an international standard (ISO/IEC 15408) for computer security certification that provides a framework for computer system users to specify their security functional and assurance requirements (SFRs and SARs, respectively). Vendors can implement and make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine whether they actually meet the claims. There are four aspects to the test—a target of evaluation (TOE, the system being tested), a security target (ST, the documentation describing the TOE and requirements), protection profile (PP, the requirements for the type of product being tested), and the evaluation assurance level (EAL, the rating level, ranked from 1 to 7).
Incorrect Answers:
TOE, ST, PP, and EAL are incorrect.
These answers on their own are not sufficient because they all belong.
Question 3 of 79
You want to ensure your messages are safe from unauthorized observation and want to provide some means of ensuring the identity of the sender and receiver during the communications process. Which of the following best suits your goals?
Correct Answer:
Asymmetric encryption is correct.
Asymmetric encryption protects the data as well as provides for nonrepudiation.
Incorrect Answers:
Steganography allows you to hide messages, and symmetric encryption allows you to hide communications, but neither provides for nonrepudiation.
Hash is incorrect because this is not the function of a hash.
Question 4 of 79
Which of the following are valid options to explore in improving DNS security? (Choose all that apply.)
Correct answer:
Implement split-horizon operation and Restrict zone transfers are correct.
Split-horizon DNS (also known as split-view or split DNS) is a method of providing different answers to DNS queries based on the source address of the DNS request. It can be accomplished with hardware or software solutions and provides one more step of separation between you and the bad guys.
Restricting zone transfers to only those systems you desire to have them is always a good idea.
Incorrect answers:
Obfuscate DNS by using the same server for other applications and functions, and Block all access to the server on port 53 are incorrect.
You generally should not put DNS services on a machine performing other tasks with other applications.
Restricting all port 53 access to the server means it’s not acting as a DNS server anymore: no one can query for name lookups, and no zone transfers are going to happen.
Question 5 of 79
Which of the following are good choices to use in preventing DHCP starvation attacks? (Choose two.)
Correct Answer:
Enable DHCP snooping on the switch and Use port security on the switch are correct.
DHCP snooping on a Cisco switch (using the “ip dhcp snooping” command) creates a whitelist of machines that are allowed to pull a DHCP address. Port security can be a means of defense, too, by limiting the number of MACs associated with a port as well as whitelisting which specific MACs can address it.
Incorrect Answers:
Block all UDP port 67 and port 68 traffic and Configure DHCP filters on the switch are incorrect.
Blocking all UDP 67 and 68 traffic would render the entire DHCP system moot because no one could pull an address, and DHCP filtering (whitelisting clients) is done on the server and not the switch.
Question 6 of 79
Which of the following is a software application used to asymmetrically encrypt and digitally sign e-mail?
Correct Answer:
PGP is correct.
Pretty Good Privacy is used for signing, compressing, and encrypting and decrypting e-mails, files, directories, and even whole disk partitions, mainly in an effort to increase the security of e-mail communications.
Incorrect Answers:
SSL is technology for establishing an encrypted link between a web server and a browser.
Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks (VPNs).
S/MIME is associated with protection of e-mail, but it’s a protocol, not an application.
Question 7 of 79
Which type of virus generally attacks Microsoft Office template files?
Correct Answer:
Macro is correct.
Macro viruses attack the built-in features of applications such as Microsoft Excel and Word to cause all sorts of havoc on the system.
Incorrect Answers:
Polymorphic code deals with a type of virus that changes its code to avoid detection by signature-based antivirus programs.
Cavity viruses write themselves into unused space within a file (attempting to maintain the file’s size).
Multipartite viruses attempt to infect and spread in multiple ways and try to infect files and the boot sector at the same time. They can spread quickly and are notoriously hard to clean.
Question 8 of 79
Which of the following is a command-line sniffer and packet analyzer?
Correct Answer:
tcpdump is correct.
Tcpdump is a well-known sniffer that has been around forever. GUI-based sniffers—like Wireshark—are all the rage, but tcpdump has survived the test of time and still has a place in your toolset.
Incorrect Answers:
Nessus is a vulnerability scanner, netstat will display port information on your system, and netcat is used for maintaining access on a system (along with other things).
Question 9 of 79
Which of the following contains a listing of port numbers for well-known services defined by IANA?
Correct Answer:
%windir%\system32\drivers\etc\services is correct.
If you happen to be out on your real job and completely forget every well-known port number, you’d probably just look up the list on an Internet search. If you’re bored or really nerdy, though, you can pull up a list of them by visiting the “services” file. It’s sitting right there beside the “hosts” and “lmhosts” files.
Incorrect answers:
%windir%\etc\lists, %windir%\system32\drivers\etc\lmhosts, and %windir%\system32\drivers\etc\hosts are incorrect.
These locations do not hold the “services” file.
Question 10 of 79
Which of the following was a piece of malware aimed at Android phones, taking advantage of two-factor authentication to control the phone itself?
Correct Answer:
ZitMo is correct.
ZitMo (ZeuS-in-the-Mobile) was designed to capture the phone itself, ensuring the one-time passwords also belonged to the bad guys. The target would log on to their bank account and see a message telling them to download an application to their phone in order to receive security messages. Thinking they were installing a security measure, victims instead were installing the means for the attacker to have access to their credentials, not to mention the second authentication factor (usually sent only to the victim via text).
Incorrect Answers:
POODLE is a TLS vulnerability attack.
Melissa was a worm, and SocAndroid is not valid.
Question 11 of 79
You run the user2sid command on a machine, and the following is found in part of the results: S-1-5-21-334913988-132044091-501. You then run sid2user 5 21 334913988 132044091 500 on the machine, and the result is the following: Name is Matt Domain is Walker. Which of the following is true?
Correct Answer:
The Matt account is the true administrator account is correct. The administrator account always has the RID of 500; therefore, running sid2user on the SID will reveal the correct administrator account name (in this case, Matt).
Incorrect Answers:
The Walker account is the true administrator account, The administrator account has been disabled, and None of the above are incorrect. Walker is the name of the domain, and the other two answers are false.
Question 12 of 79
Which of the following statements best describes a DRDoS attack?
Correct Answer:
Multiple intermediary machines send the attack at the behest of the attacker is correct.
The distributed reflection denial-of-service (DRDoS) attack is, for all intents and purposes, a botnet. Secondary systems carry out attacks so the attacker remains hidden.
Incorrect Answers:
The attacker sends thousands upon thousands of SYN packets to the machine with a false source IP address, The attacker sends thousands of SYN packets to the target but never responds to any of the return SYN/ACK packets, and The attack involves sending a large number of garbled IP fragments with overlapping, oversized payloads to the target machine are incorrect.
These attacks do not reflect a DRDoS attack.
Question 13 of 79
You have several plain-text logs to review. Which of the following commands can be used to perform fast, efficient searches of the logs with regular expressions?
Correct answer:
grep is correct.
Per grep’s man page, grep searches a file for lines containing a match to a given pattern. By default, grep prints the matching lines. In addition, two variant programs are available: egrep is the same as grep -E (interprets the pattern as an extended regular expression) and fgrep is the same as grep -F (allows you to use a list of fixed strings—any of which will be matched). Direct invocation as either egrep or fgrep is deprecated but is provided to allow historical applications that rely on them to run unmodified.
Incorrect answers:
cat reads a file to screen (or output to whatever you want) and chmod changes permissions.
search does not exist.
Question 14 of 79
Which of the following best describes an effort to identify systems that are critical for continuation of operation for the organization?
Correct Answer:
BIA is correct.
Business impact analysis best matches this description. A BIA is the actual process that identifies and evaluates the potential effects that man-made or natural events will have on business operations, and it identifies the critical systems that would be affected by them.
Incorrect Answers:
BCP, MTD, and DRP are incorrect. Business continuity plans are procedures for maintaining businesses during any event.
Maximum tolerable downtime is how much time an asset can be down or unavailable.
Disaster recovery plan is exactly what it sounds like.
Question 15 of 79
What is being attempted with the following command? `nc -u -v -w2 192.168.1.100 1-1024`
Correct Answer:
A UDP port scan of ports 1–1024 on a single address is correct.
Netcat is being used to run a scan on UDP ports (the -u switch gives this away) from 1 to 1024. The address provided is a single address, not a subnet. Other switches in use here are -v (for verbose) and -w2 (defines the two-second timeout for connection, where netcat will wait for a response).
Incorrect Answers:
A full connect scan on ports 1–1024 for a single address, A full connect scan on ports 1–1024 for a subnet, and A UDP scan of ports 1–1024 on a subnet are incorrect.
The switches in the command line show a UDP scan against a single address.
Question 16 of 79
Which of the following is a common registry location for malware insertion?
Correct Answer:
All the above is correct.
All of the registry keys listed here are common locations to find malware. The key is that, from any of these locations, the malware is continually launched.
Incorrect Answers:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce are incorrect as individual choices because they are all viable registry locales.
Question 17 of 79
17. Question
Which of the following is defined as a process of evaluating assets to determine the amount of vulnerability each represents to the organization?
Correct
Correct Answer:
Risk assessment is correct.
A risk assessment, part of overall risk management, is an evaluation process where everything is looked at through the prism of “what vulnerabilities does this asset add to my environment?” Risk assessors should consider the security and administrative safeguards in place and evaluate how likely each system is to be compromised. From this analysis, companies can decide to accept, mitigate, transfer, or avoid the risk.
Incorrect Answers:
Vulnerability scanning, Pen test, and Security analysis are incorrect. Vulnerability scanning is simply identifying vulnerabilities in your network. The other answers are distractors.
Question 18 of 79
18. Question
You use AWS as a cloud service and want to perform an automated test against it. Which tool best suits your needs?
Correct
Correct Answer:
CloudInspect is correct.
Per Core’s website, CloudInspect is “a tool that profits from the Core Impact & Core Insight technologies to offer penetration-testing as a service from Amazon Web Services for EC2 users.” It’s designed for AWS cloud subscribers and runs as an automated, all-in-one testing suite specifically for your cloud subscription (in other words, you can poke around the boxes you own all you like, but the behind-the-scenes stuff provided by Amazon is a no-touch zone).
Incorrect Answers:
Per the CloudPassage website, CloudPassage Halo “provides instant visibility and continuous protection for servers in any combination of data centers, private clouds, and public clouds.”
Metasploit is a framework for delivering exploits.
AWSExploit is not a legitimate tool.
Question 19 of 79
19. Question
What enables Unicode characters to be represented in an ASCII-compatible length of 1 to 4 bytes?
Correct
Correct Answer:
UTF-8 is correct.
In 1992, lots of work started on streamlining Unicode transmission, since Unicode needed to be compatible with ASCII for transmission over the Internet. In January of 1993, UTF-8 was presented officially at the USENIX conference in San Diego to solve this problem. It was developed to encode UTF characters in a way that could be accepted and decoded by ASCII systems. Per Google, UTF-8 is the dominant character encoding on the Web.
Incorrect Answers:
XOR, EBCDIC, and UTF-16 are incorrect.
XOR is a logic gate comparing two inputs.
EBCDIC (Extended Binary Coded Decimal Interchange Code) is a binary code for alphabetic and numeric characters.
UTF-16 is a distractor.
Question 20 of 79
20. Question
Which of the following statements is true regarding STP?
Correct
Correct Answer:
It is a Layer 2 protocol is correct. Spanning Tree Protocol is considered a Layer 2 protocol. It prevents switching loops (sending packets whizzing about forever in a perpetual broadcast loop) by killing connecting ports along the way.
Incorrect Answer:
It is a Layer 7 protocol, It is a Layer 5 protocol, and It is a Layer 4 protocol are incorrect. These statements are not true regarding STP.
Question 21 of 79
21. Question
NICs are designed to accept only those packets belonging to the operating system. In order to use a sniffer, the NIC must be configured to accept all packets. Which of the following is the correct term to describe the NIC mode?
Correct
Correct answer:
Promiscuous mode is correct.
Promiscuous mode allows a NIC to pass all packets received instead of only those addressed to the system. Ordinarily, the NIC will only pass unicast messages directly addressed to the host, multicast messages the host is capable of receiving, and any broadcast messages.
Incorrect answers:
Link-local and global are IPv6 address types, and multicast is an IPv4 address type.
Question 22 of 79
22. Question
The IR team is advised of a potential information spillage from a networked computer. An IR team member at the system disconnects the computer from the network and powers it down. Which step in the incident handling process was just completed?
Correct
Correct Answer:
Contain is correct. The incident handling (or incident response) steps generally include identification (sometimes also called discovery), containment, eradication, recovery, and lessons learned. In this example, the IR team is quite clearly containing the issue. Finally, as an aside, IR teams also take great pains to ensure evidence is preserved as best as possible. I’d assume in this scenario the IR person _already_ took steps to retain memory-resident artifacts and such before shutting things down. The important aspect of this question, however, is to know which IR step goes where.
Incorrect answers:
Recovery, Eradicate, and Identify are incorrect.
Each of these is a valid step in the process, but none equates to the action described.
Question 23 of 79
23. Question
Which of the following is an attack whereby SOAP messages are replayed as if they were legitimate?
Correct
Correct Answer:
Wrapping attack is correct.
Wrapping attacks involve messing with SOAP messages and replaying them as legitimate.
Incorrect Answers:
CSRF, CR SOAP, and Side channel are incorrect.
These attacks do not involve SOAP messaging.
Question 24 of 79
24. Question
Machine A attempts to open a web page on Server B using default ports. After Machine A sends the first packet to initiate the data exchange, which of the following statements are true regarding the response packet sent by Server B? (Choose two.)
Correct
Correct Answers:
The SYN and ACK flags will be set and The source port will be 80 are correct.
By default, web page requests use TCP and ask for port 80 (HTTP traffic) from the server. Because the second step of the three-way handshake is a SYN/ACK, the response packet will include that. The originating system will assign a dynamic source port and use the well-known port for the destination. Therefore, the server will respond with a source port matching the dynamic port assigned by the originator. In other words, Host A might have sent source port 2200, destination port 80, while the response from Server B would reverse them: source port 80, destination port 2200.
Incorrect Answers:
The ACK flag only will be set and The source port will be anything over 1024 are incorrect.
The SYN flag will also be set, and the source port will match the destination port from the originator (in this case, 80).
Question 25 of 79
25. Question
In sniffing traffic, you come across an ICMP type 3, code 13 packet. What is this packet used for?
Correct
Correct Answer:
Administratively prohibited is correct.
ICMP type 3, code 13 messages indicate the packet could not be routed because it was administratively prohibited (due to a firewall or router ACL).
Incorrect Answers:
TTL failure, ICMP redirect, and Host not found are incorrect.
ICMP type 3 indicates unreachable, not TTL expiration (type 7) or redirect (type 5). Host not found is irrelevant here.
Question 26 of 79
26. Question
From the command line provided, which of the following best describes this attack? `env x='(){ :;};echo exploit' bash -c 'cat /etc/passwd'`
Correct
Correct answer:
Shellshock is correct.
Shellshock (a.k.a. Bashdoor) is a Linux vulnerability that allows an attacker to cause vulnerable versions of Bash to execute arbitrary commands. Bash is a common shell in many versions of Linux and Unix, and acts as a command language interpreter. In Bash, an attacker can add malicious code to environment variable commands, which will run once the variable is received. In this example, the bad guy is trying to write the contents of the passwd file to the screen.
Incorrect answers:
Brute force and input validation have nothing to do with this.
Heartbleed is an OpenSSL vulnerability.
Question 27 of 79
27. Question
Examine the following command: `nmap -d --script ssl-heartbleed --script-args vulns.showall -sV [host]` Which of the following would you expect to see returned?
Correct
Correct answer:
A return of “State: NOT VULNERABLE” on systems protected against Heartbleed is correct.
You can use the nmap command “nmap -d -script ssl-heartbleed -script-args vulns.showall -sV [host]” to search for the vulnerability; the return will say “State: NOT VULNERABLE” if you’re good to go.
Incorrect answers:
An error response because the syntax and script are invalid, A list of SSL versions within the scan scope, and None of the above are incorrect.
These answers do not match the command provided.
Question 28 of 79
28. Question
Which of the following best describes a hybrid password-cracking attack?
Correct
Correct Answer:
It substitutes numbers and characters in words to discover a password is correct. Usually a hybrid attack involves a list of passwords that get altered along the way in order to guess the password. For example, if your list contained the word “Fishing,” a hybrid attack would start substituting numbers and characters: f1$hing, Fi$H1n6, and so on.
Incorrect Answers:
It uses a dictionary file to crack the password, It uses a combination of letters, numbers, and special characters in random order to crack the password, and It uses a rainbow table to crack the password are incorrect. These do not describe a hybrid attack.
Question 29 of 79
29. Question
An attacker sends SMS text messages crafted to appear as legitimate security notifications, with a phone number provided. The user unwittingly calls the number and provides sensitive data in response. Which of the following correctly describes this attack?
Correct
Correct Answer:
Smishing is correct.
Smishing refers to an attack using SMS text messages crafted to appear as legitimate security notifications, with a phone number provided. The user unwittingly calls the number and provides sensitive data in response.
Incorrect Answers:
Vishing refers to using a phone in social engineering, and phishing uses e-mail.
Text attack is not a valid term.
Question 30 of 79
30. Question
Which of the following is a symmetric cryptographic standard?
Correct
Correct Answer:
3DES is correct.
3DES is a symmetric encryption algorithm.
Incorrect Answers:
ECC and RSA are asymmetric in nature.
PKI isn’t an encryption algorithm at all.
Question 31 of 79
31. Question
You are performing tests from a Cisco device. Which of the following commands should be used to help identify a packet’s path to its destination?
Correct
Correct answer:
traceroute is correct.
Traceroute is a good tool to show a packet’s path to its destination. On a Windows machine, the command is tracert, and the tool uses TTL to map each hop along the way. On virtually everything else (including Linux and most Cisco devices), the command is traceroute, and the tool uses UDP instead.
Incorrect answers:
Ping sends an echo request, and ipconfig displays NIC information.
Tracert is the command to use on a Windows machine.
These are not the correct tools to use.
Question 32 of 79
32. Question
An attacker uses text messaging to socially engineer a user into providing sensitive information. Which social engineering attack type is in use?
Correct
Correct Answer:
Mobile based is correct.
Mobile-based social engineering uses mobile device technology.
Incorrect Answers:
Technology based is not a valid term.
The other two methods are human based and computer based.
Question 33 of 79
33. Question
Which of the following attacks is directly mitigated via the use of a man trap?
Correct
Correct Answer:
Tailgating is correct. The whole idea of a man trap is to have a single person’s credentials and authorization to proceed verified before she can enter the building. No one can tailgate a man trap because only one person at a time is allowed in.
Incorrect Answers:
Dumpster diving, Shoulder surfing, and Eavesdropping are incorrect.
Dumpster diving has nothing to do with a man trap.
Shoulder surfing and eavesdropping are done once you’re already inside the building.
Question 34 of 79
34. Question
A member of the pen test team enters this filter into Wireshark: `((tcp.flags == 0x02) || (tcp.flags == 0x12)) || ((tcp.flags == 0x10) && (tcp.ack==1) && (tcp.len==0))` What is he attempting to view?
Correct
Correct Answer:
SYN, SYN/ACK, ACK is correct.
Wireshark has the ability to filter based on a decimal numbering system assigned to TCP flags (basically the flag’s binary value assigned to the bit representing it in the header). The assigned flag decimal numbers are FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, and URG = 32. Adding flag numbers together (for example, SYN + ACK = 18) allows you to simplify a Wireshark filter. For instance, tcp.flags == 0x2 looks for SYN packets, tcp.flags == 0x16 looks for ACK packets, and tcp.flags == 0x18 looks for both (in the case presented in the question, the filter will display all SYN packets, all SYN/ACK packets, and all ACK packets).
Incorrect Answers:
SYN, FIN, URG, and PSH, ACK, ACK, SYN, URG, and SYN/ACK only are incorrect.
These flags do not represent the values in the Wireshark filter.
Question 35 of 79
35. Question
Which of the following is not one of the basic responses to risk?
Correct
Correct Answer:
Delegate is correct.
The five risk responses are accept, avoid, monitor (or prepare), mitigate, and transfer.
Incorrect Answers:
Accept, Avoid, and Mitigate are incorrect.
These are all risk responses.
Question 36 of 79
36. Question
Which of the following best describes a biometric passport?
Correct
Correct answer:
Something you have is correct.
There are three main types of authentication: something you know, something you have, and something you are. When we see “biometric,” we instantly want to click “something you are” and move on. But in this case it’s asking about a biometric passport, which is actually biometric information stored on a chip. The biometric passport is a physical object; therefore, this is something you have.
Incorrect answers:
Something you know, Something you are, and Something you require are incorrect.
These do not match the authentication type.
Question 37 of 79
37. Question
Which of the following refers to the network used by IoT-enabled vehicles?
Correct
Correct Answer:
VANET is correct. The Vehicle Ad Hoc Network (VANET) is the communications network used by our vehicles. It refers to the spontaneous creation of a wireless network for vehicle-to-vehicle (V2V) data exchange.
Incorrect Answers:
Device to gateway, Edge networks, and IoV are incorrect.
Device to gateway is an IoT communication model, not a vehicle network, and edge networking is not the correct term.
IoV is not a recognized term in CEHv10.
Question 38 of 79
38. Question
Which of the following statements are true? (Choose three.)
Correct
Correct Answers:
Aircrack can use a dictionary list to crack WEP keys, Aircrack can use PTW to crack WEP keys, and Aircrack can use Korek to crack WEP keys are correct.
Aircrack-ng can make use of dictionary lists. It uses something called the Pyshkin, Tews, Weinmann (PTW) technique by default, but can also use the Fluhrer, Mantin, Shamir (FMS) technique or the Korek technique to crack WEP.
When it comes to WPA or WPA2, it uses dictionary lists only.
Incorrect Answers:
Rainbow tables are used in password cracking but not in wireless key cracking. Wrong place, wrong tool.
Question 39 of 79
39. Question
Which wireless technology uses RC4 for encryption?
Correct
Correct Answer:
WEP is correct.
WEP uses RC4, which is part of the reason it’s so easily hacked and not considered a secure option.
Incorrect Answers:
WAP, WPA, WPA2, and All of the above are incorrect.
WAP is a wireless access point. WPA and WPA2 do not use RC4.
Question 40 of 79
40. Question
You are advising your client on wireless security. Which of the following are valid statements regarding wireless security? (Choose two.)
Correct
Correct Answer:
WPA2 is the best encryption security for the system and SSIDs do not provide security measures for a wireless network are correct.
WPA2 is the latest encryption standard for wireless, and SSIDs do nothing for security; it’s not their intent.
Incorrect Answers:
WEP is the best encryption security for the system and Regardless of encryption, turning off SSID broadcast protects the system are incorrect.
WEP is poor encryption, and SSID broadcast is irrelevant to security.
Question 41 of 79
41. Question
Which of the following is a passive wireless discovery tool?
Correct
Correct answer:
Kismet is correct.
Per EC-Council, Kismet works as a true passive network discovery tool, with no packet injection whatsoever. Kismet will work with any wireless card that supports raw monitoring (rfmon) mode, and (with appropriate hardware) it can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also works by “channel hopping” to discover as many networks as possible, and it has the ability to sniff packets and save them to a log file readable by Wireshark or tcpdump.
Incorrect answers:
NetStumbler is an Active Discovery tool.
Aircrack is a WEP-cracking program.
Netsniff is a false choice.
Question 42 of 79
42. Question
A new network administrator is asked to schedule daily scans of systems throughout the enterprise. Which of the following programming languages has an OSI-approved open source license and is commonly used for accomplishing this goal?
Correct
Correct Answer:
Python is correct.
Python is free to use, even for commercial products, because of its OSI-approved open source license, and is commonly used for simple items such as kicking off scans.
Incorrect Answers:
ASP.NET and PHP are designed for web development to produce dynamic web pages.
C# is included as a distractor.
Question 43 of 79
43. Question
Consider the ports shown in the nmap output returned on an IP scanned during footprinting:
```
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
515/tcp  open
631/tcp  open  ipp
9100/tcp open
MAC Address: 01:2A:48:0B:AA:81
```
Which of the following is true regarding the output?
Correct
Correct Answer:
The host is most likely a printer or has a printer installed is correct.
Port 515 is generally used for printing services (as a listening port).
Incorrect answers:
The host is most likely a router or has routing enabled, The host is definitely a Windows server, and The host is definitely a Linux server are incorrect.
There’s not enough information to definitively identify any of the remaining answers.
Question 44 of 79
44. Question
You deploy cloud services such that they are provided over a network open for public use. Which of the following best describes your deployment of cloud?
Correct
Correct Answer:
Public is correct.
A public cloud model is one where services are provided over a network that is open for public use (like the Internet). Public cloud is generally used when security and compliance requirements found in large organizations aren’t a major issue.
Incorrect Answers:
Private, Community, and Hybrid are incorrect.
A private cloud model is operated solely for a single organization (a.k.a. single-tenant environment), is usually not a pay-as-you-go type of operation, and is usually preferred by larger organizations.
A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations.
The hybrid cloud model is exactly what it sounds like—a composite of two or more cloud deployment models.
Question 45 of 79
45. Question
Which of the following is true regarding MX records?
Correct
Correct Answer:
MX record priority increases as the preference number decreases is correct.
MX records have a preference number to tell the SMTP client to try (and retry) each of the relevant addresses in the list in order, until a delivery attempt succeeds. The smallest preference number has the highest priority, and any server with the smallest preference number must be tried first. If there is more than one MX record with the same preference number, all of them must be tried before the client can move on to lower-priority entries.
Incorrect answers:
MX records require an accompanying CNAME record, MX records point to name servers, and MX record entries are required for every namespace are incorrect.
MX records do not require an alias (CNAME), they do not point to name servers, and not every namespace absolutely requires an e-mail server.
Question 46 of 79
46. Question
A security consulting group is brought in to assist in improving the security posture of the environment. Team members perform footprinting, enumeration, scanning, and vulnerability assessments, then attempt exploitation of specific findings. Other team members attend to the security tools and policies of the environment before, during, and after the attacks to monitor and suggest improvements to the environment’s security suite. Which of the following best describes the team?
Correct
Correct answer:
Purple team is correct.
Red and blue teams are pretty well known. Red teams are on offense, employed to go on the attack, simulating the bad guys out in the world by trying to exploit anything they can find, and blue teams are the security professionals trying to defend the network. They are often merged into “purple” teams in the real world to better test and secure environments.
Incorrect answers:
The team is performing both red and blue team duties, making Red team and Blue team incorrect choices.
Gray team is included as a distractor.
Question 47 of 79
47. Question
In which deployment model are services provided over a network that is open for public use?
Correct
Correct Answer:
Public is correct. A public cloud model is one where services are provided over a network that is open for public use (like the Internet). Public cloud is generally used when security and compliance requirements found in large organizations aren’t a major issue.
Incorrect Answers:
Private, Community, and Hybrid are incorrect.
A private cloud model is operated solely for a single organization (a.k.a. single-tenant environment), is usually not a pay-as-you-go type of operation, and is usually preferred by larger organizations.
A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations.
The hybrid cloud model is exactly what it sounds like—a composite of two or more cloud deployment models.
Question 48 of 79
48. Question
Which cloud service type is designed to offer on-demand applications to subscribers over the Internet?
Correct
Correct Answer:
SaaS is correct. Software as a Service (SaaS) is simply a software distribution model—the provider offers on-demand applications to subscribers over the Internet.
Incorrect Answers:
IaaS, PaaS, and Hypervisor are incorrect.
Infrastructure as a Service (IaaS) basically provides virtualized computing resources over the Internet.
Platform as a Service (PaaS) is geared toward software development because it provides a development platform that allows subscribers to develop applications without building the infrastructure it would normally take to develop and launch software.
Hypervisor is a term associated with the provision of virtual machines (examples include VMware, Oracle VirtualBox, Xen, and KVM).
Question 49 of 79
49. Question
Examine the partial e-mail header provided here:
```
Return-path: <[email protected]>
Delivery-date: Tue, 12 Mar 2019 00:31:13 +0200
Received: from mailexchanger.anotherbiz.com([220.15.10.254])
  by mailserver.anotherbiz.com running ExIM with esmtp
  id xxxxxx-xxxxxx-xxx; Tue, 12 Mar 2019 01:39:23 +0200
Received: from mailserver.anybiz.com ([215.90.50.254] helo=mailserver.anybiz.com)
  by mailexchanger.anotherbiz.com with esmtp id xxxxxx-xxxxxx-xx
  for [email protected]; Tue, 12 Mar 2019 01:39:23 +0200
Received: from SOMEONEComputer [220.200.100.254] (helo=[SOMEONEcomputer])
  by mailserver.anybiz.com with esmtpa (Exim x.xx)
  (envelope-from <[email protected]) id xxxxx-xxxxxx-xxxx
  for [email protected]; Mon, 11 Mar 2019 20:36:08 -0100
Message-ID: <[email protected]>
Date: Mon, 11 Mar 2019 20:36:01 -0100
X-Mailer: Mail Client
From: SOMEONE Name <[email protected]>
To: USERJOE Name <[email protected]>
Subject: Opinion
…
```
What is the address of the true originator of the message?
Correct
Correct Answer:
220.200.100.254 is correct. E-mail headers are packed with information, showing the entire route the message has taken. Thankfully, on your exam you’ll most likely be asked to identify the true originator: the machine (person) that sent it in the first place. This is clearly displayed in line 9 of the header, shown here: Received: from SOMEONEComputer [220.200.100.254] (helo=[SOMEONEcomputer]).
Incorrect Answers:
215.90.50.254, 220.15.10.254, and The e-mail header does not show this information are incorrect. These answers do not reflect the address of the true originator.
Question 50 of 79
50. Question
You have network IPS set up, along with multiple other tools for security controls. This morning before you came to work, hackers successfully attacked the network. In investigating, you see that the IPS saw the traffic coming into the network and leaving, but did not alert on it. Which of the following best describes what the IPS noted?
Correct
Correct Answer:
False negative is correct. The IPS saw the traffic, obviously, but made a decision it was good traffic when it was indeed naughty. It should have triggered as a positive hit, but instead allowed the traffic to pass with no action. This is known as a “false negative.”
Incorrect Answers:
False positive, True negative, and True positive are incorrect. A false positive occurs when the IPS sees traffic as naughty when it is actually okay. The other two answers are distractors.
Question 51 of 79
51. Question
Which Wireshark filter is the best choice for examining all three-way handshakes originating from 202.99.58.3?
Correct
Correct answer:
ip.addr==202.99.58.3 and tcp.flags.syn is correct.
Wireshark syntax uses double equals signs. Before the test, review the syntax items in Wireshark—it’ll pay off.
Incorrect answers:
ip == 202.99.58.3 and tcp.syn, ip.addr = 202.99.58.3 and syn = 1, and ip.equals 202.99.58.3 and syn.equals on are incorrect.
These answers are not in correct syntax.
Question 52 of 79
52. Question
What happens when you issue the “net use” command on a Windows machine?
Correct
Correct Answer:
You will see a list of connected resources is correct.
The net use command issued without any parameters will show you a list of connected resources and logged-in user accounts.
Incorrect answers:
You will be disconnected from all shared resources, You will be prompted to enter credentials to connect to a resource, and You will be connected to a resource in a persistent state are incorrect.
These do not match the outcome from a “net use” command issuance.
Question 53 of 79
53. Question
Which of the following best describes a red team?
Correct
Correct Answer:
Security team members attacking a network is correct.
The team simulating an attacking force is considered to be red. In a traditional war game scenario, the red team is attacking “black box” style, given little to no information to start things off.
Incorrect Answers:
Security team members defending a network, Security team members with full knowledge of the internal network, and Outside attackers are incorrect.
Blue teams are defensive-oriented. They concentrate on preventing and mitigating the attacks and efforts of the red team/bad guys, and operate with full knowledge of internal networking.
Outside attackers is irrelevant here.
Question 54 of 79
54. Question
Which of the following tools is designed as a sniffer for IoT traffic?
Correct
Correct Answer:
Foren6 is correct.
Foren6 “leverages passive sniffer devices to reconstruct a visual and textual representation of network information to support real-world Internet of Things applications where other means of debug (cabled or network-based monitoring) are too costly or impractical.”
Incorrect Answers:
Firmalyzer performs security assessments in IoT networks, Attify Zigbee provides a toolset for Zigbee devices, and Nessus is a vulnerability scanner.
Question 55 of 79
55. Question
An organization allows the data owner to set security permissions on an object. Which access control mechanism is in place?
Correct
Correct Answer:
Discretionary access control is correct.
Discretionary access control (DAC) allows the data owner, the user, to set security permissions for the object. If you’re on a Windows machine right now, you can create files and folders and then set sharing and permissions on them as you see fit.
Incorrect Answers:
Mandatory access control (MAC) assigns sensitivity labels to data, and it controls access by matching the user’s security level to the resource label.
Role-based access control (RBAC) can use either DAC or MAC to get the job done. The goal is to assign a role, and any entity holding that role can perform the duties associated with it. Users are not assigned permissions directly; they acquire them through their role (or roles).
Authorized access control does not exist.
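To make the three mechanisms in this answer concrete, here is a small model added for this page (it is not part of the practice test). It contrasts DAC, where the owner edits an ACL at will, with MAC, where the system compares a subject's clearance with the object's label and the owner has no say, and with RBAC, where users get permissions only through roles. The users, labels and roles are constructed for the example.

```python
"""DAC vs. MAC vs. RBAC decision logic side by side (added example).

DAC : the object's owner maintains an ACL and may grant anyone access.
MAC : the system compares the subject's clearance with the object's
      sensitivity label; the owner cannot override that comparison.
RBAC: permissions hang off roles, and users hold roles, never permissions.
All names, labels and roles below are constructed for the demonstration.
"""

# Ordered sensitivity levels used by the MAC check (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


class DacObject:
    """An object whose owner decides who may do what (discretionary)."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, granter, subject, perms):
        # Only the owner may change the ACL, but the owner may grant freely.
        if granter != self.owner:
            raise PermissionError(f"{granter} is not the owner")
        self.acl.setdefault(subject, set()).update(perms)

    def can(self, subject, perm):
        return perm in self.acl.get(subject, set())


class MacObject:
    """An object carrying a label assigned by policy, not by its owner."""

    def __init__(self, owner, label):
        self.owner = owner
        self.label = label

    def grant(self, granter, subject, perms):
        # In MAC the owner has no discretion: access follows the label.
        raise PermissionError("MAC: labels are set by policy, not the owner")


def mac_can_read(clearance, obj):
    """Read is allowed only when clearance dominates the object's label."""
    return LEVELS[clearance] >= LEVELS[obj.label]


# RBAC: role -> permissions, user -> roles (constructed).
ROLE_PERMS = {"auditor": {"read"}, "editor": {"read", "write"}}
USER_ROLES = {"dave": {"auditor"}}


def rbac_can(user, perm):
    """A user has a permission only if one of their roles carries it."""
    return any(perm in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))


def dac_scenario():
    """Owner alice shares a report with bob; carol was never granted access."""
    report = DacObject(owner="alice")
    report.grant("alice", "bob", {"read"})
    return report.can("bob", "read"), report.can("carol", "read")


def mac_scenario():
    """alice (secret) may read a confidential report; bob (internal) may not,
    and alice cannot 'grant' her way around that."""
    clearances = {"alice": "secret", "bob": "internal"}
    report = MacObject(owner="alice", label="confidential")
    try:
        report.grant("alice", "bob", {"read"})
        owner_could_grant = True
    except PermissionError:
        owner_could_grant = False
    return (mac_can_read(clearances["alice"], report),
            mac_can_read(clearances["bob"], report),
            owner_could_grant)


if __name__ == "__main__":
    print("DAC  (bob, carol):", dac_scenario())
    print("MAC  (alice, bob, owner grant):", mac_scenario())
    print("RBAC dave read/write:", rbac_can("dave", "read"), rbac_can("dave", "write"))
```

The distinction the question is testing is visible in the two `grant` methods: the DAC owner's call succeeds, while the MAC owner's call is refused because the label, not the owner, decides.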
Question 56 of 79
56. Question
An attacker tries to do banner grabbing on a remote web server and executes the following command:
```
$ nmap -sV one.sample.com -p 80
```
He gets the following output:
```
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-08 19:10 EST
Nmap scan report for one.sample.com (172.16.22.201)
Host is up (0.032s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds
```
Which of the following statements is true regarding the results?
Correct
Correct Answer:
The hacker should’ve used nmap -O host.domain.com is correct.
The -sV option is for standard service version detection, in this case on port 80. The response shows Apache but nothing else: no banner, no version, no nothing. An -O scan may provide even more detail than would otherwise be gleaned from a simple banner grab.
Incorrect answers:
The hacker successfully completed the banner grabbing, The hacker failed to do banner grabbing because he didn’t get the version of the Apache web server, and Nmap can’t retrieve the version number of any running remote service are incorrect.
The remaining answers do not match what was returned from the command syntax.
Question 57 of 79
57. Question
This security assessment notifies the client of potential vulnerabilities but does not actually exploit them.
Correct
Correct Answer:
Vulnerability assessment is correct.
A vulnerability assessment only points out potential problems to the client.
Incorrect Answers:
Scanning assessment, Penetration test, and None of the above are incorrect.
The other choices do not comply with what the question is asking.
Question 58 of 79
58. Question
In which phase of the IoT hacking methodology would you most likely employ Shodan?
Correct
Correct Answer:
Information gathering is correct.
The steps within EC-Council’s IoT hacking methodology are information gathering, vulnerability scanning, launching attacks, gaining access, and maintaining access. Shodan is a search engine tailor-made for IoT type information gathering.
Incorrect answers:
Vulnerability scanning, Gaining access, and Maintaining access are incorrect.
Shodan is used in the information gathering stage.
Question 59 of 79
59. Question
Search engines assist users in finding the information they want on the Internet. Which of the following is known as the hacker’s search engine, explicitly allowing you to find specific types of computers (for example, routers or servers) connected to the Internet?
Correct
Correct Answer:
Shodan is correct.
Shodan allows users to search for very specific types of hosts, which can be very helpful to attackers—ethical or not.
Incorrect Answers:
Whois provides registrar and technical POC information.
Nslookup is a command-line tool for DNS lookups.
Burp Suite is a website/application hacking tool.
Question 60 of 79
60. Question
Which Shodan filter can help you find open ports on a target?
Correct
Correct Answer:
Port: is correct.
Shodan is an extremely useful tool for the ethical hacker, and you’ll definitely see filter questions on your exam. The curriculum calls out several filters of note, but—as always—potential candidates are expected to use and learn the tool themselves. In this case, the Port: filter is called out explicitly as an option for an attacker to learn open ports on a target.
Incorrect answers:
The open: filter is included as a distractor.
OS: and geo: are used for the operating system and geographic locations, respectively.
Question 61 of 79
61. Question
Which of the following statements is true regarding a PKI system?
Correct
Correct Answer:
The public key is distributed within digital signatures is correct.
The digital signature, validating the true identity of the sender, contains a copy of the public key.
Incorrect Answers:
Public key is faster than symmetric key, PKI does not use keys for encryption or decryption, and PKI does not provide for nonrepudiation are incorrect.
PKI is asymmetric, making it slower than symmetric encryption. It definitely uses keys for encryption and decryption, and it provides for nonrepudiation.
Question 62 of 79
62. Question
Which of the following represents the correct steps you should take when encrypting and signing a message using PKI?
Correct
Correct Answer:
1. Create a hash of the message. 2. Encrypt the hash with your private key. 3. Encrypt the message with the recipient’s public key is correct.
A digital signature is a hash of the message signed with your private key—which is a little different because we all know only your public key is used to encrypt. In this case, the use of the private key is designed to prove you are who you say you are.
Incorrect Answers:
1. Create a hash of the message. 2. Encrypt the hash with the recipient’s private key. 3. Encrypt the message using the recipient’s public key, 1. Encrypt the message with your private key. 2. Create a hash of the message. 3. Encrypt the hash with your private key, and None of the above are incorrect.
These do not match the correct steps for signing and encrypting a message.
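The three steps of the correct answer carried out in code, as an added example that is not part of the practice test. It uses a self-contained textbook RSA (small demo keys, no padding) only so that the key roles are visible without a third-party library: step 1 hashes the message, step 2 signs that hash with the sender's private key, step 3 encrypts the message with the recipient's public key, and the recipient reverses the process with the opposite keys. The key sizes, seeds and message are constructed for the demonstration; real systems must use a vetted library with proper padding (OAEP/PSS) and unseeded key generation.

```python
"""Sign-then-encrypt with textbook RSA (added example, not from the test).

1. hash the message, 2. sign the hash with the SENDER's private key,
3. encrypt the message with the RECIPIENT's public key.
Toy RSA with no padding; for illustrating key roles only.
"""
import hashlib
import random


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin probable-prime test; adequate for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full-size, odd
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits=512, seed=None):
    """Return ((n, e), (n, d)). A seed makes the demo reproducible; never seed real keys."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (p * q, e), (p * q, d)


def sign_and_encrypt(message: bytes, sender_priv, recipient_pub):
    """The three exam steps. Returns (ciphertext, signature) as integers."""
    n_s, d_s = sender_priv
    n_r, e_r = recipient_pub
    # Step 1: hash the message (SHA-256, 256 bits, so it fits under a 512-bit n).
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    # Step 2: sign = 'encrypt' the hash with the sender's PRIVATE key.
    signature = pow(digest, d_s, n_s)
    # Step 3: encrypt the message with the recipient's PUBLIC key.
    m = int.from_bytes(message, "big")
    if not 0 < m < n_r:
        raise ValueError("message too long (or empty) for this toy modulus")
    return pow(m, e_r, n_r), signature


def decrypt_and_verify(ciphertext, signature, recipient_priv, sender_pub):
    """Recipient side: decrypt with own private key, then check the signature
    with the sender's public key. Returns (message, signature_ok)."""
    n_r, d_r = recipient_priv
    n_s, e_s = sender_pub
    m = pow(ciphertext, d_r, n_r)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return message, pow(signature, e_s, n_s) == expected


if __name__ == "__main__":
    alice_pub, alice_priv = generate_keypair(seed=1)   # sender (demo seed)
    bob_pub, bob_priv = generate_keypair(seed=2)       # recipient (demo seed)
    ct, sig = sign_and_encrypt(b"wire $5000 to account 42", alice_priv, bob_pub)
    msg, ok = decrypt_and_verify(ct, sig, bob_priv, alice_pub)
    print(msg, "signature valid:", ok)
```

Note which key appears where: the private key is used only by its owner (Alice to sign, Bob to decrypt) and the public keys do the rest, which is exactly why the distractor that signs with the recipient's private key is wrong.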
Question 63 of 79
63. Question
In which of the following OSs are you most likely to experience problems in collecting 802.11 management and control packets while passively sniffing?
Correct
Correct Answer:
Windows is correct.
For whatever reason, many wireless NICs don’t have good support for monitor mode in Windows. They seem to be okay catching general traffic, but the control packets are hard to come by.
Incorrect Answers:
macOS, Linux, and FreeBSD 5.2 are incorrect.
Linux variants and macOS wireless NICs provide better support for monitor mode.
Question 64 of 79
64. Question
Which of the following best describe a detective control? (Choose all that apply.)
Correct
Correct Answer:
Auditory alarms set on doorways and Audit logs are correct.
Detective controls are in place to let you know when something has happened or is happening.
Incorrect Answers:
System backups and Authentication badges are incorrect.
A system backup does a great job of fixing things after everything is over (a corrective control), and authentication badges are used to keep bad guys from getting in to begin with (preventive control), but neither is a detective control.
Question 65 of 79
65. Question
Which protocol usually listens on ports in the 137–139 range?
Correct
Correct Answer:
SMB is correct.
Also known as Common Internet File System (CIFS), SMB can run directly over port 445 but also uses 137 and 138 in UDP and uses 137 and 139 in TCP.
Incorrect Answers:
Telnet, Kerberos, and SNMP are incorrect.
Telnet uses 23. Kerberos uses 88. SNMP uses 161.
Question 66 of 79
66. Question
Which of the following is an example of a logical control?
Correct
Correct Answer:
Security tokens is correct.
Of the answers provided, security tokens are the only example of a logical (technical) control.
Incorrect Answers:
Security policy, Guards, and Fire alarms are incorrect.
The remaining answers are not technical controls.
Question 67 of 79
67. Question
Which Google operator is the best choice in searching for a particular string in the website’s title?
Correct
Correct Answer:
intitle: is correct.
Google hacking refers to manipulating a search string with additional specific operators to search for valuable information. The intitle: operator will return websites with a particular string in their title. Website titles contain all sorts of things—from legitimate descriptions of the page or author information, to a list of words useful for a search engine.
Incorrect Answers:
The intext: operator looks for pages that contain a specific string in the text of the page body.
The inurl: operator looks for a specific string within the URL.
The site: operator limits the current search to only the specified site (instead of the entire Internet).
Question 68 of 79
68. Question
What happens when you issue the “net use” command on a Windows machine?
Correct
Correct Answer:
The user will see a list of connected resources is correct.
The net use command issued without any parameters will show you a list of connected resources and logged-in user accounts.
Incorrect Answers:
The user will be disconnected from all shared resources, The user will be prompted to enter credentials to connect to a resource, and The user will be connected to a resource in a persistent state are incorrect.
These do not match the output from a “net use” command issuance.
Question 69 of 79
69. Question
Bob is working with senior management to identify the systems and processes that are critical for operations. As part of this business impact assessment (BIA), he performs calculations on various systems to place value on them. On a certain server he discovers the following:
• The server costs $2500 to purchase.
• The server typically fails once every five years.
• Salary for the technician to repair a server failure is $40 an hour, and it typically takes two hours to fully restore a failure.
• The accounting group has five employees paid $25 an hour who are at a standstill during an outage.
What is the ALE for the server?
Correct
Correct Answer:
$566 is correct.
ALE = ARO × SLE. To find the correct annualized loss expectancy, multiply the percentage of time it is likely to occur annually (annual rate of occurrence, in this case 0.2, or 1 failure / 5 years = 20 percent) by the amount of cost incurred from a single failure (single loss expectancy [in this case, $80 for the repair guy] + $250 [5 employees at $25 an hour for 2 hours] + $2500 [replacement of the server] = $2830). ALE = 0.2 × $2830, so the ALE in this case is $566.
Incorrect Answers:
20 percent is the ARO for this scenario (1 failure / 5 years).
$2830 is the SLE for this scenario (repair guy cost + lost work from accounting guys + replacement of server, or $80 + $250 + $2500).
$500 would be the ALE if you did not take into account the technician and lost work production.
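The arithmetic above, generalized into a small calculator as an added example that is not part of the practice test. The server figures are the ones given in the question; the hot-spare control, its $300 annual cost and its 15-minute recovery time are assumptions added to show the cost/benefit step that usually follows the ALE.

```python
"""Risk arithmetic for a BIA: SLE, ARO, ALE and the value of a safeguard.

Added example, not part of the practice test. The server figures are the ones
given in the question; the hot-spare cost and recovery time are assumptions."""
from dataclasses import dataclass


@dataclass
class LossScenario:
    """One asset and what a single failure of it costs."""
    asset_value: float            # replacement cost of the asset itself
    repair_hours: float = 0.0     # technician time to restore service
    repair_rate: float = 0.0      # technician hourly cost
    idle_staff: int = 0           # people unable to work during the outage
    idle_rate: float = 0.0        # their hourly cost
    outage_hours: float = 0.0     # how long they are idle
    failures_per_year: float = 0  # ARO: 1 failure / 5 years = 0.2

    def sle(self):
        """Single loss expectancy: the total cost of one incident."""
        repair = self.repair_hours * self.repair_rate
        lost_work = self.idle_staff * self.idle_rate * self.outage_hours
        return self.asset_value + repair + lost_work

    def aro(self):
        """Annualized rate of occurrence."""
        return self.failures_per_year

    def ale(self):
        """Annualized loss expectancy = ARO x SLE."""
        return self.aro() * self.sle()


def safeguard_value(before, after, annual_cost):
    """Net annual value of a control: the ALE it removes minus what it costs.
    Negative means the control costs more than the risk it buys down."""
    return (before.ale() - after.ale()) - annual_cost


# The server from the question.
SERVER = LossScenario(asset_value=2500, repair_hours=2, repair_rate=40,
                      idle_staff=5, idle_rate=25, outage_hours=2,
                      failures_per_year=1 / 5)

# Assumed, not from the question: a $300/year hot spare cuts the outage for
# the accounting group to 15 minutes (the failed server is still replaced).
SERVER_WITH_SPARE = LossScenario(asset_value=2500, repair_hours=2, repair_rate=40,
                                 idle_staff=5, idle_rate=25, outage_hours=0.25,
                                 failures_per_year=1 / 5)
SPARE_ANNUAL_COST = 300

if __name__ == "__main__":
    print(f"SLE   ${SERVER.sle():8.2f}")   # 2830.00
    print(f"ARO    {SERVER.aro():8.2f}")   # 0.20
    print(f"ALE   ${SERVER.ale():8.2f}")   # 566.00
    print(f"spare ${safeguard_value(SERVER, SERVER_WITH_SPARE, SPARE_ANNUAL_COST):8.2f}")  # -256.25
```

The negative safeguard value is the practical lesson: with an ARO of 0.2 the expected annual loss is small, so a control that removes only part of the outage cost while costing $300 a year is not worth buying for this server alone.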
Question 70 of 79
70. Question
Which virus type is only executed when a specific condition is met?
Correct Answer:
Sparse infector is correct.
Sparse infector viruses execute only when a specific condition is met, which keeps their activity (and their chance of being noticed) low. For example, the payload might fire only on every fifth launch of Calculator, or only against files of a certain size.
Incorrect Answers:
Multipartite viruses attempt to infect both files and the boot sector at the same time.
Metamorphic viruses rewrite themselves each time they infect a new file.
Cavity viruses overwrite unused portions of a file without changing its size.
Question 71 of 79
71. Question
What are the three phases of a pen test? (Choose all that apply.)
Correct Answer:
Pre-attack, Attack, and Post-attack are correct.
Sometimes questions just involve easy memorization: the pen test phases are pre-attack (scoping, rules of engagement, information gathering), attack (scanning, exploitation, privilege escalation) and post-attack (removing tools and artifacts, reporting).
Incorrect answers:
Reconnaissance, Footprinting, and Covering tracks are incorrect.
These are steps of the ethical hacking methodology, not the three pen test phases.
Question 72 of 79
72. Question
You want to separate data ownership from data custodian duties. Which of the following should be implemented to carry this out?
Correct answer:
Cloud computing is correct.
As far as ECC (EC-Council) is concerned, cloud computing is the ultimate in separation of duties. The data owner is the entity accountable for the data itself (its classification and who may use it), while the data custodian is the entity responsible for the day-to-day storage, protection and access control of the data. When a single individual is both data owner and data custodian, security issues can arise. Because moving data to a cloud provider naturally places custody with the provider while ownership stays with the customer, ECC wants you to know the cloud can help with that.
Incorrect answers:
DAR (data-at-rest encryption) and WDE (whole disk encryption) do a great job protecting data against loss or theft but have nothing to do with separation of duties.
Virtual machines play a role in the cloud, obviously, but in and of themselves do not provide separation of duties.
Question 73 of 79
73. Question
Where is the SAM file stored on a Windows 10 system?
Correct Answer:
C:\Windows\System32\Config\ is correct.
The SAM hive is stored in the same folder on most Windows machines (including Windows 10 boxes): C:\Windows\System32\Config\SAM. The live hive is locked by the kernel while Windows is running, so reading it requires offline access (booting another OS or pulling it from a volume shadow copy), and the password hashes inside are encrypted with a key derived from the SYSTEM hive in the same folder. You might also find a copy in backups (c:\windows\repair\sam on older Windows versions).
Incorrect Answers:
/etc/, C:\Windows\System32\etc\, and C:\Windows\System32\Drivers\Config are incorrect.
These are not SAM file storage locations.
Question 74 of 79
74. Question
A security administrator is validating web links on the corporate site and wants to speed up her efforts. Which of the following is the best way to speed up the validation of multiple web pages?
Correct Answer:
Use wget to download all pages locally is correct.
Wget is a utility that can mirror a whole website to local disk (its --mirror option, with --convert-links to rewrite the links into relative local paths), and checking the local copies avoids fetching every page over the network again for each pass.
Incorrect answers:
get* doesn't work as shown, and get() is not proper syntax.
mget is a command used inside FTP itself.
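An offline link checker to run over the mirror, as an added example that is not code from the original page. It assumes the site was first mirrored with something like `wget --mirror --page-requisites --convert-links --no-parent https://www.example.com/` (wget writes the tree under ./www.example.com), and it walks that tree reporting relative links whose target file does not exist. The two sample pages are constructed in the script so it runs without a network.

```python
"""Offline link validation over a wget mirror (added example).

Not code from the original page. Assumes the site was mirrored first, e.g.
  wget --mirror --page-requisites --convert-links --no-parent https://www.example.com/
so that links inside the mirror resolve to local files. The sample pages below
are constructed here so the script runs with no network access."""
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


class LinkCollector(HTMLParser):
    """Collect href/src targets from anchors, stylesheets, images and scripts."""
    WANTED = {"a": "href", "link": "href", "img": "src", "script": "src"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attr = self.WANTED.get(tag)
        if attr:
            for name, value in attrs:
                if name == attr and value:
                    self.links.append(value)


def find_broken_links(root):
    """Return sorted (page, link) pairs whose target does not exist under root.
    Absolute http(s)/mailto links are skipped (not mirrored, so they need an
    online check); fragments and query strings are ignored."""
    broken = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            page = os.path.join(dirpath, name)
            with open(page, encoding="utf-8", errors="replace") as fh:
                collector = LinkCollector()
                collector.feed(fh.read())
            for link in collector.links:
                parts = urlsplit(link)
                if parts.scheme or parts.netloc or not parts.path:
                    continue  # external link or same-page anchor
                path = unquote(parts.path)
                if path.startswith("/"):
                    target = os.path.join(root, path.lstrip("/"))
                else:
                    target = os.path.normpath(os.path.join(dirpath, path))
                if os.path.isdir(target):
                    target = os.path.join(target, "index.html")
                if not os.path.isfile(target):
                    broken.append((os.path.relpath(page, root), link))
    return sorted(broken)


# Constructed sample mirror: one good link, one missing page, one missing image.
SAMPLE_PAGES = {
    "index.html": '<a href="about.html">About</a> <a href="missing.html">Gone</a>'
                  ' <a href="https://www.example.com/">External</a> <a href="#top">Top</a>',
    "about.html": '<img src="img/logo.png"> <a href="/index.html">Home</a>',
}


def build_sample_mirror():
    """Write SAMPLE_PAGES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="mirror-")
    for rel, body in SAMPLE_PAGES.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for page, link in find_broken_links(build_sample_mirror()):
        print(f"{page}: broken link -> {link}")
```

Point `find_broken_links` at the host directory wget created (for example ./www.example.com) to check a real mirror; external links it skips still need a separate online pass.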
Question 75 of 79
75. Question
Which of the following best describes the fundamental difference between symmetric and asymmetric encryption?
Correct Answer:
Symmetric uses the same key on each end of the transmission is correct.
Symmetric encryption uses one shared key for both encryption and decryption, so both ends must hold the same secret. It is much faster than asymmetric encryption and is the normal choice for bulk data, but the shared key has to be distributed securely first. Asymmetric encryption addresses that with a key pair: what one key encrypts, only the other decrypts, so the public key can be handed out openly.
Incorrect Answers:
Symmetric uses multiple keys for nonrepudiation, Symmetric uses different keys on both ends of the transport medium, and Symmetric is the only choice for bulk encryption for data transmission are incorrect.
These statements are not true of symmetric encryption: nonrepudiation comes from asymmetric digital signatures, symmetric schemes use one key rather than different keys at each end, and symmetric ciphers are the usual choice for bulk encryption, not the only one.
Question 76 of 79
76. Question
You are running an IDLE scan using hping2. As the scan continues, you note the IPID is incrementing randomly. What does this tell you?
Correct answer:
Your target machine is not an IDLE zombie; it is active on the network with other tasks is correct.
An idle scan never probes the target from the attacker's own address. It bounces off a zombie: a host that is idle and whose IP ID field increments by exactly one for every packet it sends. The attacker samples the zombie's IPID, sends a SYN to the target spoofed from the zombie's address, and samples again; an increment of 2 means the target answered the zombie with a SYN/ACK (port open), an increment of 1 means it did not. If the IPIDs you observe jump unpredictably, the host is sending traffic of its own (or its OS randomizes the IPID field), the increments can no longer be attributed to your probes, and it cannot serve as a zombie.
Incorrect answers:
All other answers are incorrect. The results have nothing to do with a firewall, this scan cannot tell you which OS is running, and this is not the expected behavior of an idle zombie.
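The two decisions an idle scan rests on, as an added example that is not code from the original page: is a candidate host usable as a zombie at all, and what does the IPID delta around a spoofed SYN say about the target port. The IPID samples are constructed; in practice they are the IP ID values of replies to repeated probes of the candidate (hping2's -r option prints each as a delta from the previous reply), and the inference assumes a zombie with a global, incrementing IPID counter.

```python
"""IPID triage for choosing an idle-scan zombie, plus the per-port inference.

Added example, not from the original page. The IPID samples are constructed;
in practice they are the IP ID values of replies to repeated probes of the
candidate zombie (hping2 -r prints each as a delta from the previous reply).
The inference assumes a zombie with a global, incrementing IPID counter."""


def classify_ipid(ipids):
    """Return 'incremental', 'busy-incremental', 'constant', 'random' or
    'too-few-samples' for a sequence of observed 16-bit IPIDs (wraps at 65536)."""
    if len(ipids) < 4:
        return "too-few-samples"
    deltas = [(b - a) % 0x10000 for a, b in zip(ipids, ipids[1:])]
    if all(d == 0 for d in deltas):
        return "constant"          # IPID never changes: unusable as a zombie
    if sum(d == 1 for d in deltas) / len(deltas) >= 0.8:
        return "incremental"       # quiet host with a global counter: usable
    if all(1 <= d <= 4 for d in deltas):
        return "busy-incremental"  # a counter, but the host's own traffic hides probes
    return "random"                # randomized IPIDs (or a very noisy host): unusable


def infer_port_state(ipid_before, ipid_after):
    """Idle-scan inference from the zombie's IPID before and after a SYN sent
    to the target spoofed from the zombie's address. One increment is the
    zombie's reply to our own probe; a second means it also sent a RST in
    answer to the target's SYN/ACK, so the port is open."""
    delta = (ipid_after - ipid_before) % 0x10000
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"   # target sent RST or nothing: zombie stayed quiet
    return "unknown"               # zombie was not idle during the probe: retry


# Constructed samples.
QUIET_ZOMBIE = [1001, 1002, 1003, 1004, 1005, 1006]
BUSY_HOST = [1001, 1003, 1004, 1007, 1009, 1011]
RANDOM_IPID = [52311, 1093, 48771, 30205, 9018, 61100]
FIXED_IPID = [0, 0, 0, 0, 0, 0]

if __name__ == "__main__":
    for name, seq in [("quiet", QUIET_ZOMBIE), ("busy", BUSY_HOST),
                      ("random", RANDOM_IPID), ("fixed", FIXED_IPID)]:
        print(f"{name:7s} {classify_ipid(seq)}")
    print("tcp/80:", infer_port_state(1006, 1008))   # open
    print("tcp/81:", infer_port_state(1008, 1009))   # closed|filtered
```

The 0.8 threshold is a tolerance for the odd stray packet; a host that fails it is exactly the "incrementing randomly" case in the question, and the right move is to pick a different zombie rather than to trust the port results.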
Question 77 of 79
77. Question
Which cloud role in NIST acts to manage the use, performance, and delivery of cloud services as well as the relationships between providers and subscribers?
Correct Answer:
Cloud broker is correct.
The cloud broker acts to manage the use, performance, and delivery of cloud services as well as the relationships between providers and subscribers. Per NIST SP 500-292, the broker “acts as the intermediate between consumer and provider and will help consumers through the complexity of cloud service offerings and may also create value added cloud services as well.”
Incorrect Answers:
The cloud carrier is the organization that has the responsibility of transferring the data, akin to the power distributor for the electric grid.
The cloud consumer is the individual or organization that acquires and uses cloud products and services.
The cloud auditor is the independent assessor of cloud service and security controls.
Question 78 of 79
78. Question
In a CSPP attack, which of the following would most likely be used?
Correct Answer:
; is correct.
A connection string parameter pollution (CSPP) attack targets applications that build a database connection string by concatenating user-supplied values. The semicolon separates one key=value parameter from the next, so an attacker who enters "; Integrated Security=true" as a password terminates the Password parameter and appends a new one; because drivers honor the last occurrence of a parameter, the application connects with integrated (Windows) authentication under the account it runs as instead of the user's own credentials. CSPP attacks are mitigated by never concatenating raw input into a connection string: use the platform's connection string builder, or quote or reject values containing semicolons so the semicolon is treated as data rather than as a delimiter.
Incorrect Answers:
' , +, and @ are incorrect.
The single quote is generally associated with SQL injection efforts. The + and @ signs are not applicable here.
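The injection described above beside its fix, as an added example that is not code from the original page. The parser follows the ADO.NET/ODBC conventions that `;` separates key=value pairs, that the last occurrence of a duplicate key wins, and that a value containing `;` or quotes must be wrapped in double quotes with embedded quotes doubled; the server name, user name and the attacker's "password" are constructed for the demonstration.

```python
"""Connection string parameter pollution: vulnerable vs. hardened builder.

Added example, not from the original page. The parser models the ADO.NET/ODBC
rules: `;` separates key=value pairs, the last duplicate key wins, and a value
wrapped in double quotes may contain `;` (an embedded quote is doubled). The
server, user and attacker payload are constructed for the demo."""


def parse_connection_string(conn):
    """Parse `Key=Value;Key2=Value2` into a dict (last duplicate wins)."""
    params = {}
    i, n = 0, len(conn)
    while i < n:
        eq = conn.find("=", i)
        if eq < 0:
            break
        key = conn[i:eq].strip().lower()
        i = eq + 1
        if i < n and conn[i] == '"':           # quoted value: `;` inside is data
            chars, i = [], i + 1
            while i < n:
                if conn[i] == '"':
                    if i + 1 < n and conn[i + 1] == '"':
                        chars.append('"')
                        i += 2
                        continue
                    i += 1
                    break
                chars.append(conn[i])
                i += 1
            value = "".join(chars)
            semi = conn.find(";", i)
            i = n if semi < 0 else semi + 1
        else:                                  # bare value: runs to the next `;`
            semi = conn.find(";", i)
            end = n if semi < 0 else semi
            value = conn[i:end].strip()
            i = end + 1
        if key:
            params[key] = value
    return params


def quote_value(value):
    """Make a user-supplied value inert: wrap it in double quotes and double
    any embedded double quote, so a `;` inside can never start a parameter."""
    return '"' + value.replace('"', '""') + '"'


def build_vulnerable(server, user, password):
    # Raw concatenation: user input is interpreted as connection-string syntax.
    return f"Data Source={server};User ID={user};Password={password};"


def build_hardened(server, user, password):
    # Every user-controlled value is quoted; the parameter structure is fixed.
    return (f"Data Source={quote_value(server)};User ID={quote_value(user)};"
            f"Password={quote_value(password)};")


def effective_auth(conn):
    """What the driver would actually do with this string."""
    p = parse_connection_string(conn)
    if p.get("integrated security", "").lower() in ("true", "sspi", "yes"):
        return "integrated (service account)"
    return f"sql login as {p.get('user id')!r}"


PAYLOAD = "; Integrated Security=true"   # the attacker's "password"

if __name__ == "__main__":
    for build in (build_vulnerable, build_hardened):
        conn = build("db01", "alice", PAYLOAD)
        print(f"{build.__name__}: {conn}\n  -> {effective_auth(conn)}")
```

In the vulnerable string the Password parameter ends up empty and a new Integrated Security parameter follows it, so the driver authenticates as the web application's own Windows identity; in the hardened string the whole payload stays inside the quoted password value. Real code should use the driver's builder class (for example SqlConnectionStringBuilder in .NET), which applies the same quoting rules.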
Question 79 of 79
79. Question
Which of the following best matches the POODLE attack?
Correct Answer:
MITM is correct.
POODLE (Padding Oracle On Downgraded Legacy Encryption) is a man-in-the-middle attack. The original variant works in two steps: the attacker interferes with the TLS handshake so that the client's protocol fallback mechanism retries with SSL 3.0, then abuses SSL 3.0's CBC padding handling (only the padding length byte is checked, the padding bytes themselves are not) as a padding oracle to recover plaintext such as session cookies one byte at a time. A later variant hit TLS implementations that made the same padding mistake. Disabling SSL 3.0 and supporting TLS_FALLBACK_SCSV close the attack.
Incorrect Answers:
DoS, DDoS, and XSS are incorrect.
POODLE is not a denial-of-service attack of any kind, and cross-site scripting has nothing to do with it.
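The padding-oracle step of POODLE in miniature, as an added example that is not code from the original page. It models only what happens after the downgrade: the attacker is assumed to already sit in the middle of a connection forced to SSL 3.0. The block cipher is a toy Feistel network built on HMAC-SHA256 (not a real cipher), the keys, IVs, secret cookie and request layout are all constructed here, and both ends of the session run in the same process. The SSL 3.0 flaw reproduced is that the receiver validates only the last padding byte.

```python
"""POODLE in miniature: an SSL 3.0 CBC padding oracle (added example).

Not code from the original page. Models only the padding-oracle step after the
downgrade. Toy Feistel cipher over HMAC-SHA256 (not a real cipher); keys, IVs,
the secret and the request layout are constructed; both ends run in-process.
The SSL 3.0 flaw reproduced: only the last padding byte (the length) is checked."""
import hashlib
import hmac
import random

BLOCK, MAC_LEN = 16, 32


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, blk):  # 4-round Feistel on a 16-byte block
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, rnd, r))
    return l + r


def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, rnd, l)), l
    return l + r


def cbc(key, iv, data, encrypt):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        if encrypt:
            prev = block_encrypt(key, xor(c, prev))
            out.append(prev)
        else:
            out.append(xor(block_decrypt(key, c), prev))
            prev = c
    return b"".join(out)


class Ssl3Session:
    """Both ends of one session: the client encrypts records, the server checks them."""

    def __init__(self, seed=1):
        self.rng = random.Random(seed)
        self.enc_key, self.mac_key = self._rand(32), self._rand(32)

    def _rand(self, n):
        return bytes(self.rng.getrandbits(8) for _ in range(n))

    def _mac(self, data):
        return hmac.new(self.mac_key, data, hashlib.sha256).digest()

    def encrypt_record(self, data):
        body = data + self._mac(data)
        pad_len = (BLOCK - 1) - len(body) % BLOCK       # full pad block when aligned
        body += self._rand(pad_len) + bytes([pad_len])  # pad bytes are arbitrary in SSL 3.0
        iv = self._rand(BLOCK)
        return iv + cbc(self.enc_key, iv, body, True)

    def accepts(self, record):
        """The oracle: would the server accept this record?"""
        iv, ct = record[:BLOCK], record[BLOCK:]
        if not ct or len(ct) % BLOCK:
            return False
        pt = cbc(self.enc_key, iv, ct, False)
        pad_len = pt[-1]
        if pad_len >= BLOCK:                             # only the length byte is validated
            return False
        body = pt[:len(pt) - pad_len - 1]
        if len(body) < MAC_LEN:
            return False
        return hmac.compare_digest(self._mac(body[:-MAC_LEN]), body[-MAC_LEN:])


def poodle_recover(session, send_request, secret_len, max_tries=8000):
    """send_request(prefix_len, suffix_len) encrypts prefix + secret + suffix.
    For byte k the lengths put it last in some block t and make the record end
    in a full block of padding; that block is replaced by block t. The server
    accepts only when the moved block decrypts to a last byte of 15, giving
    P[k] = 15 ^ C[t-1][15] ^ C[n-1][15] (about 256 requests per byte)."""
    recovered = bytearray()
    for k in range(secret_len):
        prefix_len = (BLOCK - 1 - k) % BLOCK
        suffix_len = -(prefix_len + secret_len + MAC_LEN) % BLOCK
        t = (prefix_len + k) // BLOCK
        for _ in range(max_tries):
            rec = send_request(prefix_len, suffix_len)
            iv, ct = rec[:BLOCK], rec[BLOCK:]
            blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
            chain = [iv] + blocks                         # chain[j] precedes blocks[j]
            if session.accepts(iv + b"".join(blocks[:-1]) + blocks[t]):
                recovered.append((BLOCK - 1) ^ chain[t][-1] ^ blocks[-2][-1])
                break
        else:
            raise RuntimeError(f"byte {k}: no record accepted in {max_tries} tries")
    return bytes(recovered)


SECRET = b"sid=4f2a"  # constructed cookie the victim's client adds to each request


def demo(seed=1):
    session = Ssl3Session(seed)

    def send_request(prefix_len, suffix_len):  # attacker shapes the request around the cookie
        return session.encrypt_record(b"A" * prefix_len + SECRET + b"B" * suffix_len)

    return poodle_recover(session, send_request, len(SECRET))


if __name__ == "__main__":
    print(demo())  # b'sid=4f2a'
```

In the real attack the attacker's JavaScript in the victim's browser plays the role of `send_request` (it chooses the path and body lengths around the cookie), and the man-in-the-middle position is what allows the padding block to be swapped in transit and the server's accept/reject seen. A receiver that checks every padding byte, as TLS 1.0 and later do, rejects the moved block regardless of its last byte and the oracle disappears.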