CEH Practice Test 4
Question 1 of 80
1. Question
Which step comes right after footprinting?
Correct Answer:
Scanning is correct.
Footprinting is the information-gathering part of the reconnaissance phase, and the step that follows it is scanning. The full methodology is reconnaissance, scanning, gaining access, maintaining access, and clearing tracks.
Incorrect Answers:
Privilege escalation, Gaining access, and System attacks are incorrect.
Gaining access comes after scanning, not directly after footprinting, and privilege escalation and system attacks are activities performed once access has been gained; none of them is the phase that follows footprinting in the methodology.
Question 2 of 80
2. Question
Which of the following are advantages to a single sign-on system? (Choose two.)
Correct Answers:
Many user authentication problems can be resolved at a central location and Users do not need to memorize multiple passwords are correct.
Single sign-on benefits users (one credential instead of many) and administrators alike: because authentication is handled at one point, most authentication problems (lockouts, resets, policy enforcement) can be handled at that one point as well.
Incorrect Answers:
Attacks can occur only at the SSO point and Centralized recording of all monitoring events at the SSO point makes for a more secure environment are incorrect.
Whether SSO is in use or not, attacks can and do occur at every point in the environment; if anything, SSO concentrates risk, because a stolen SSO credential or token unlocks every connected application. Centralized monitoring is a property of the logging architecture, not something SSO provides by itself.
Question 3 of 80
3. Question
Which of the following provides specific services to untrusted networks or hosts?
Correct Answer:
Bastion host is correct.
Bastion hosts are deliberately placed on the edge of the network, public facing, to handle external requests for the specific services they offer. They must be hardened (minimal services, fully patched, closely logged) for obvious reasons, and they are positioned so that the internal network stays protected.
Incorrect Answers:
Proxy firewall, Packet-filtering firewall, and Stateful firewall are incorrect.
Proxy firewalls terminate connections and relay them on the client's behalf, which is primarily a way of hiding the internal network. Packet filtering is exactly what it sounds like: decisions based on header fields such as address, port, and protocol. Stateful firewalls track session state and allow traffic based on source, direction, and session information (for example, replies to internally initiated connections are allowed, but unsolicited externally sourced traffic is not).
Question 4 of 80
4. Question
Joe sends an unsolicited e-mail to several users on the network advising them of potential network problems and provides a contact number to call. Joe then performs a denial of service on several systems. He then receives phone calls from users asking for assistance. Which social engineering practice is in play here?
Correct Answer:
Reverse social engineering is correct.
Reverse social engineering occurs when the attacker arranges the situation so that the targets call the attacker: here Joe advertises himself as the point of contact, creates the problem, and then waits for the victims to reach out and hand over information or access.
Incorrect Answers:
Phishing is an e-mail social engineering attack.
Impersonation and technical support are similar attacks in which the attacker initiates the call to the target, which is the opposite of what happens here.
Question 5 of 80
5. Question
In the Search box of a web application, an attacker inserts. After entering this, the attacker clicks the Search button, and a pop-up appears stating “It Worked!” Which attack took place?
Correct Answer:
XSS is correct.
This is a classic (albeit simple) demonstration of a reflected cross-site scripting (XSS) attack: the search term is echoed back into the page without being encoded, so script supplied in the input field runs in the browser.
Incorrect Answers:
The actions taken do not indicate SQL injection (which would use query language and affect the database rather than the browser), buffer overflow (which would be obvious from the sheer length of the entry), or directory traversal (which uses the URL and the "dot-slash" method).
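Worked example for question 5, added for this edition and not part of the original practice test: a vulnerable search handler that reflects the query verbatim, beside the hardened version that encodes it for the HTML text context. The sample search terms, the fake /search?q= query string handling, and the helper names are all constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed sample search terms (not from the original page): one benign,
# one script-tag payload like the question's, one attribute-breakout payload.
SAMPLE_QUERIES = [
    "running shoes",
    '<script>alert("It Worked!")</script>',
    '"><img src=x onerror=alert(1)>',
]


def build_query_string(term: str) -> str:
    """Encode the term the way a browser submits a search form: q=..."""
    return urlencode({"q": term})


def render_results_vulnerable(term: str) -> str:
    """Reflected XSS: the search term is copied into the HTML verbatim."""
    return f"<h2>Results for: {term}</h2>"


def render_results_hardened(term: str) -> str:
    """Encode for the HTML text context before reflecting (&, <, >, \", ')."""
    return f"<h2>Results for: {html.escape(term, quote=True)}</h2>"


def contains_injected_markup(page: str) -> bool:
    """Demonstration check only: does the reflected part of the page still
    contain a raw '<' from user input? (Real testing uses a browser.)"""
    body = page[len("<h2>Results for: "):-len("</h2>")]
    return "<" in body


def search(query_string: str, hardened: bool) -> str:
    """Simulate GET /search?q=...: parse the query string, render the page."""
    term = parse_qs(query_string).get("q", [""])[0]
    render = render_results_hardened if hardened else render_results_vulnerable
    return render(term)


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        for hardened in (False, True):
            page = search(build_query_string(q), hardened)
            print(f"hardened={hardened} injected={contains_injected_markup(page)} {page}")
```

Output encoding is context specific: html.escape is correct for the HTML body and quoted attribute values, but a term reflected into a JavaScript string, a URL, or CSS needs the encoder for that context, and a Content-Security-Policy that forbids inline script is the defence in depth behind it.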
Question 6 of 80
6. Question
Examine the following nmap output:
```
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
515/tcp  open
631/tcp  open  ipp
9100/tcp open
MAC Address: 01:2A:48:0B:AA:81
```
Which of the following is true regarding this output?
Correct answer:
The host is most likely a printer or has a printer installed is correct.
Port 515/tcp is the LPD (line printer daemon) port, 631/tcp is IPP (Internet Printing Protocol), and 9100/tcp is the raw "JetDirect" printing port; all three listening together strongly suggests a printer or print server.
Incorrect answers:
The host is most likely a router or has routing enabled, The host is definitely a Windows server, and The host is definitely a Linux server are incorrect.
Port 139 (NetBIOS session service) is seen on Windows hosts but also on Samba, and many printers run an embedded Linux, so there is not enough information to definitively identify the operating system; nothing in the output suggests routing at all.
Question 7 of 80
7. Question
In which step of EC-Council’s hacking methodology would you expect to use remote execution tools and spyware?
Correct Answer:
Executing applications is correct.
Executing applications is just what it sounds like: you have access and now run tools on the compromised host to do your work. Besides the obvious candidates for this step (remote execution tools and spyware), keyloggers are also commonly listed here.
Incorrect Answers:
Cracking passwords, Escalating privileges, and Hiding files are incorrect.
The steps are self-evident because they are exactly what they sound like: cracking a password belongs to the cracking passwords step, hiding a file in an NTFS alternate data stream belongs to the hiding files step, and escalating privileges belongs to the escalating privileges step.
Question 8 of 80
8. Question
A team member enters the following nmap command:
```
nmap --script http-methods --script-args one.two.sample.com
```
When the command executes, the following appears:
```
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-methods:
|_  Supported Methods: GET PUT HEAD POST OPTIONS
```
Correct Answer:
PUT is correct.
The http-methods NSE script sends an OPTIONS request to learn which HTTP methods the target supports and flags the ones it considers potentially risky. Of the methods listed here, PUT is the risky one: it lets an HTTP client upload or replace files on the server, which can turn into arbitrary file upload and code execution if the server honors it. The other methods the script treats as potentially risky are DELETE, CONNECT, and TRACE.
Incorrect Answers:
GET, HEAD, and POST are not considered risky by the script.
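Worked example covering questions 6 and 8, added for this edition and not part of the original practice test: a small parser for nmap normal output that pulls out the open ports and any http-methods script results, then applies the two heuristics the questions rely on (printing ports 515/631/9100 indicate a printer; PUT, DELETE, CONNECT and TRACE are the risky methods). The nmap excerpt below is constructed sample data, with service names filled in as nmap would print them, not a real scan.

```python
import re
from typing import Dict, List

# Constructed nmap normal-output excerpt (sample data, not from a real scan).
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE     REASON
21/tcp   open  ftp         syn-ack
23/tcp   open  telnet      syn-ack
80/tcp   open  http        syn-ack
| http-methods:
|_  Supported Methods: GET PUT HEAD POST OPTIONS
139/tcp  open  netbios-ssn syn-ack
515/tcp  open  printer     syn-ack
631/tcp  open  ipp         syn-ack
9100/tcp open  jetdirect   syn-ack
MAC Address: 01:2A:48:0B:AA:81
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s*(\S*)")
METHODS_LINE = re.compile(r"Supported Methods:\s*(.*)$")

# LPD, IPP and raw/JetDirect: seen together, they point at a print device.
PRINTER_PORTS = {515, 631, 9100}
# The methods nmap's http-methods script reports as potentially risky.
RISKY_METHODS = {"PUT", "DELETE", "CONNECT", "TRACE"}


def parse_nmap(text: str) -> Dict:
    """Return open ports and per-port http-methods results from nmap output.
    NSE script lines ('| ...') are attributed to the port line above them."""
    result = {"open_ports": [], "http_methods": {}}
    current_port = None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current_port = int(m.group(1))
            if m.group(3) == "open":
                result["open_ports"].append(current_port)
            continue
        m = METHODS_LINE.search(line)
        if m and current_port is not None:
            result["http_methods"][current_port] = m.group(1).split()
    return result


def looks_like_printer(open_ports: List[int]) -> bool:
    """Two or more of the three printing ports is a strong indicator."""
    return len(PRINTER_PORTS & set(open_ports)) >= 2


def risky_methods(methods: List[str]) -> List[str]:
    """Intersect the advertised methods with the risky set."""
    return sorted({m.upper() for m in methods} & RISKY_METHODS)


def triage(text: str) -> Dict:
    """Summarise a scan: is it a printer, and which ports advertise risky methods."""
    parsed = parse_nmap(text)
    findings = {"printer": looks_like_printer(parsed["open_ports"]), "risky": {}}
    for port, methods in parsed["http_methods"].items():
        risky = risky_methods(methods)
        if risky:
            findings["risky"][port] = risky
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_NMAP_OUTPUT))
```

A method advertised in an OPTIONS response is not necessarily usable; confirm a PUT finding by actually attempting an upload of a harmless file to a path the rules of engagement allow, and remember that nmap's -oX XML output is the format to parse when the result has to be machine-readable rather than the normal output used here.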
Question 9 of 80
9. Question
Which Trojan presents various exploitation techniques, creating arbitrary transfer channels in authorized network access control system data streams?
Correct Answer:
CCTT is correct.
A Covert Channel Tunneling Trojan (CCTT) lets attackers obtain shell access into and out of a network covertly by riding on channels the network access controls already permit. A CCTT box inside the network acts as a server and talks to an external CCTT client over an allowed protocol, an HTTP tunnel for instance, so the traffic looks like ordinary authorized data flow.
Incorrect Answers:
Ransomware locks access to the operating system or its files until the victim pays a ransom (usually in cryptocurrency).
E-banking Trojans target online banking sessions, and remote access Trojans (RATs) open a direct control channel between attacker and victim rather than tunneling through an authorized data stream.
Question 10 of 80
10. Question
Amazon’s EC2 provides virtual machines that can be controlled through a service API. Which of the following best defines this service?
Correct Answer:
IaaS is correct.
Amazon EC2 provides resizable compute capacity in the cloud as virtual machines controlled through a service API; the customer manages the operating system and everything above it, which is the definition of Infrastructure as a Service.
Incorrect Answers:
PaaS, SaaS, and Public are incorrect.
PaaS supplies a managed application platform rather than raw machines, SaaS supplies a finished application, and "Public" is a cloud deployment model, not a service model.
Question 11 of 80
11. Question
In which phase of a pen test is scanning performed?
Correct answer:
Pre-attack is correct.
In EC-Council's model a pen test has pre-attack, attack, and post-attack phases. Scanning, along with reconnaissance and information gathering, takes place in the pre-attack phase.
Incorrect answers:
Scanning does not take place in the attack or post-attack phase.
Reconnaissance is a distractor here: it is an activity within the pre-attack phase, not a phase of its own.
Question 12 of 80
12. Question
A web server sits behind a firewall and offers HTTP and HTTPS access to a website and web applications. External users access the server for various web applications. Which of the following statements is true regarding the protection offered by the firewall?
Correct answer:
The question states that users access the server over HTTP and HTTPS, so the standard ports 80 and 443 must be open on the firewall, and the firewall will pass whatever arrives on them. There is nothing restricting the use of any port for any purpose (port 80 can carry anything an attacker wants it to carry), but standard port numbering and purposes can be assumed on most of the exam.
Incorrect answers:
A traditional packet-filtering or stateful firewall is not designed to discern whether traffic on an allowed port is malicious: it either allows or blocks the traffic. A firewall is most definitely not the only security control a web server needs, and it performs no authentication of its own; traffic is either permitted or it is not.
Question 13 of 80
13. Question
Which Google operator will display pages for a specific website or domain holding the search term?
Correct answer:
site: is correct.
The site operator restricts results to a domain (or a single website) and returns the pages that match the given string. For example, site:anywhere.com passwds would display all indexed pages under anywhere.com containing the text "passwds".
Incorrect answers:
The inurl operator matches text in the URL only, the intitle operator matches page titles only, and the related operator shows web pages similar to the page you name.
Question 14 of 80
14. Question
Which of the following protects against MITM attacks in WPA?
Correct answer:
MIC is correct.
The message integrity check (MIC, the Michael algorithm used by TKIP) is the WPA feature that provides per-frame integrity checking and therefore helps protect against man-in-the-middle tampering and replay. WPA also adds a per-packet sequence counter, and an access point drops frames that arrive with an out-of-order counter.
Incorrect answers:
AES and RC4 are encryption algorithms (RC4 is the cipher underneath WEP and TKIP, AES underneath CCMP).
CCMP does provide integrity checking, but it is part of WPA2, not the original WPA.
Question 15 of 80
15. Question
An attacker uses a Metasploit auxiliary exploit to send a series of small messages to a server at regular intervals. The server responds with 64 bytes of data from its memory. Which of the following best describes the attack being used?
Correct answer:
Heartbleed is correct.
Heartbleed (CVE-2014-0160) takes advantage of the TLS heartbeat extension, which echoes back whatever payload the peer sends. OpenSSL versions 1.0.1 through 1.0.1f are vulnerable. The attacker sends a heartbeat request carrying a tiny payload but a payload length field claiming up to 64 KB; the unpatched server never checks that claim against the size of the record it actually received and responds with up to 64 KB of whatever lies beyond the payload in its memory, which may include private keys, session cookies, and credentials. Metasploit implements this as an auxiliary module (it leaks memory rather than yielding a shell), which is why the question calls it an auxiliary exploit.
Incorrect answers:
POODLE relies on downgrading the connection to SSL 3.0 and then exploits that protocol's weak CBC padding check to decrypt data.
FREAK (Factoring Attack on RSA-EXPORT Keys) is a man-in-the-middle technique that forces a downgrade to export-grade (512-bit) RSA keys, which can be factored.
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) allows attackers to break SSLv2 (left on servers for backward compatibility) and read or steal sensitive communications.
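Worked example for question 15, added for this edition and not part of the original practice test or of OpenSSL: a simulation of the heartbeat handling that shows exactly where the bug is. The vulnerable responder trusts the payload length field and copies past the end of the received record; the patched responder applies the 1.0.1g check (type + length + payload + padding must fit inside the record) and drops the message otherwise. The "server memory" is a constructed byte string standing in for the heap, and the function names are this example's own.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16        # RFC 6520 requires at least 16 bytes of random padding

# Constructed stand-in for the bytes that happen to sit in the server's heap
# just past the received heartbeat record (not real data).
SECRET_MEMORY = (b"\x00" * 40
                 + b"Cookie: session=7d1f9c0a; -----BEGIN RSA PRIVATE KEY-----MIIE"
                 + b"\x00" * 200)


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """HeartbeatMessage = type(1) | payload_length(2) | payload | padding.
    A benign peer sets claimed_len == len(payload); the Heartbleed probe
    sends a tiny payload with claimed_len far larger than the record."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def respond_vulnerable(record: bytes, memory_after_record: bytes) -> bytes:
    """Pre-1.0.1g behaviour: trust payload_length and copy that many bytes
    starting at the payload, running off the end of the record into the heap."""
    msg_type, claimed = struct.unpack("!BH", record[:3])
    if msg_type != HEARTBEAT_REQUEST:
        return b""
    heap = record[3:] + memory_after_record   # payload, padding, then whatever follows
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + heap[:claimed]


def respond_patched(record: bytes, memory_after_record: bytes) -> bytes:
    """The fix: discard the message if type + length + payload + padding
    does not fit inside the record that was actually received."""
    if len(record) < 3:
        return b""
    msg_type, claimed = struct.unpack("!BH", record[:3])
    if msg_type != HEARTBEAT_REQUEST:
        return b""
    if 1 + 2 + claimed + PADDING_LEN > len(record):
        return b""                      # silently dropped, as the patch does
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + record[3:3 + claimed]


def leaked_bytes(response: bytes, real_payload: bytes) -> bytes:
    """Whatever the response echoes beyond the real payload and its padding
    came from server memory the client never sent."""
    if not response:
        return b""
    return response[3:][len(real_payload) + PADDING_LEN:]


def demo(claimed_len: int = 0x4000) -> bytes:
    """Send the probe to both responders; return what the vulnerable one leaked."""
    probe = build_heartbeat(b"\x01", claimed_len)
    assert respond_patched(probe, SECRET_MEMORY) == b""
    return leaked_bytes(respond_vulnerable(probe, SECRET_MEMORY), b"\x01")


if __name__ == "__main__":
    print(demo().strip(b"\x00"))
```

The detection side follows from the same arithmetic: a heartbeat record whose declared payload length exceeds the record length is never legitimate, which is what IDS signatures for Heartbleed key on, and a server answering such a probe with a large response is the confirmation.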
Question 16 of 80
16. Question
What is being attempted by the following command?
```
aireplay-ng -0 0 -a 0B:11:EB:17:44:80 mon0
```
Correct answer:
To use deauthentication packets to generate lots of network traffic is correct.
In the command, -0 selects the deauthentication attack, the 0 that follows means send deauth frames indefinitely, -a gives the BSSID of the access point, and mon0 is the monitor-mode interface. To crack wireless encryption you need lots of captured packets (and, for WPA, the four-way handshake), and one of the easiest ways to get them is to deauthenticate clients: the forged deauth frames abruptly kick a client off the access point, forcing it to reconnect and re-authenticate while you capture.
Incorrect answers:
The other answers do not reflect the intent of the command. The WEP key is not revealed in deauth packets, and the BSSID and SSID must already be known to launch this attack.
Question 17 of 80
17. Question
Which of the following methods correctly performs banner grabbing on a Windows system?
Correct answer:
`telnet <IP address> 80` is correct.
Opening a raw telnet connection to port 80 on the target and sending a simple request will generally pull a banner from the web server, typically the Server header in its response. You can telnet to any port you want to check and grab whatever banner that service offers, but port 80 is the one the exam uses most often.
Incorrect answers:
The other options use incorrect telnet syntax.
Question 18 of 80
18. Question
Your team is testing a server that serves PHP pages for the Shellshock vulnerability. Which of the following actions should you take?
Correct answer:
Send specially created environment variables and trailing commands is correct.
Shellshock (CVE-2014-6271 and its follow-ups) is a bash flaw: when bash imports a function definition from an environment variable, it also executes any commands that follow the function body. A PHP page or CGI script that copies attacker-controlled HTTP headers such as User-Agent into environment variables and then invokes bash, directly or through a system() call, lets the attacker run those trailing commands. The test is therefore to send requests whose headers carry a crafted function definition with a trailing command and observe whether it executes.
Incorrect answers:
The other answers do not match the Shellshock vulnerability.
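Worked example for question 18, added for this edition and not part of the original practice test: detection logic that scans the CGI-style environment a PHP or CGI handler would see and flags any header value carrying the Shellshock pattern (a bash function export followed by a trailing command). The request samples are constructed, and the function names are this example's own.

```python
import re

# A bash function export begins with "() {" and ends with "}"; anything after
# the closing "};" is the trailing command that vulnerable bash executes.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{.*?\}\s*;\s*(?P<trailing>.+)$", re.DOTALL)


def shellshock_payload(value: str):
    """Return the trailing command if value matches the Shellshock pattern, else None."""
    m = SHELLSHOCK_RE.match(value)
    return m.group("trailing").strip() if m else None


# Constructed sample of CGI-style environment variables (header name -> value)
# as a PHP/CGI handler would see them for four separate requests.
SAMPLE_REQUESTS = [
    {"HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64)", "HTTP_REFERER": "https://example.test/"},
    {"HTTP_USER_AGENT": "() { :; }; /bin/bash -c 'id > /tmp/x'", "HTTP_REFERER": "-"},
    {"HTTP_COOKIE": "() { ignored; }; echo pwned", "HTTP_USER_AGENT": "curl/7.0"},
    {"HTTP_USER_AGENT": "() { :; }"},   # bare function definition, nothing trailing
]


def scan_request(env: dict) -> dict:
    """Map header name -> trailing command for every header carrying a probe."""
    hits = {}
    for name, value in env.items():
        cmd = shellshock_payload(value)
        if cmd:
            hits[name] = cmd
    return hits


def scan_all(requests) -> list:
    """Scan a batch of requests; one result dict per request."""
    return [scan_request(r) for r in requests]


if __name__ == "__main__":
    for i, hits in enumerate(scan_all(SAMPLE_REQUESTS)):
        print(i, hits or "clean")
```

The fourth sample is the edge case worth keeping: a bare function definition with no trailing command is odd but harmless to a patched or unpatched bash, so the detector only fires when something follows the closing brace. To check a host directly, the classic local test is to export a variable such as x='() { :;}; echo vulnerable' and run bash -c 'echo test'; a vulnerable bash prints "vulnerable" before "test".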
Question 19 of 80
19. Question
Which virus type is only executed when a specific condition is met?
Correct answer:
Sparse infector is correct.
Sparse infector viruses fire only when a specific condition is met, for example on the fifth run of a program or only when a file of a particular size is opened; infecting rarely keeps their activity low and makes them harder to detect.
Incorrect answers:
Multipartite viruses attempt to infect both files and the boot sector at the same time.
Metamorphic viruses rewrite themselves each time they infect a new file.
Cavity viruses write themselves into unused portions of a file without changing its size.
Question 20 of 80
20. Question
Which of the following is incorrect regarding ethical hacking?
Correct
Correct answer:
All of the above is correct.
Ethical hackers act exactly like their black hat, bad guy counterparts, using the same exploits, tools, and activities they do, with one major difference: ethical hackers _only_ work with _permission_ from the organization. Granted, a strong ROE (rules of engagement) up front may limit what the ethical hackers are allowed to employ and how far they are to proceed in a test, but in general, and for a legitimate pen test, if it’s fair for the bad guys it should be fair for the ethical hackers.
Incorrect answers:
These are all incorrect statements regarding ethical hackers; therefore, “All of the above” is the appropriate choice.
Question 21 of 80
21. Question
You’ve discovered a certain application in your environment that has proven to contain vulnerabilities. Which of the following actions best describes avoiding the risk?
Correct
Correct answer:
Removing the software from the environment is correct.
Removing the software or service that contains a vulnerability is described as avoiding the risk—if it’s not there to be exploited, there’s no risk.
Incorrect answers:
Installing patches (or a new version) is an attempt to mitigate risk.
Installing different software without vulnerabilities is called transferring risk (I don’t care what the publisher says, the community will determine if there are vulnerabilities).
Leaving the software in place is an example of accepting the risk: maybe security controls are in place such that the chance of it being exploited is so small you’re willing to just accept the vulnerabilities that exist.
Question 22 of 80
22. Question
Which of the following best describes a Window Update Packet?
Correct
Correct answer:
The window size constantly updates during a data exchange. After all, the sender wants to get as much data out as possible, as quickly as possible, without over-taxing the recipient. Conversely, the recipient wants to receive as much data as possible as quickly as possible so it can put it all together and do something with it. The window size is a field where both parties can make sure the maximum amount of data is exchanged without any real buffer issues.
Incorrect answers:
These packets have nothing to do with window sizing.
Question 23 of 80
23. Question
A security tester wants to see what can be found from the company’s public-facing web servers. He enters the command nc 187.55.66.77 80. The returned output reads as follows:

```
HTTP/1.1 200 OK
Server: Microsoft-IIS/6
Expires: Tue, 17 Apr 2016 01:41:33 GMT
Date: Mon, 16 Apr 2016 01:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 28 Dec 2015 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369
```

Which of the following is an example of what the engineer performed?
Correct
Correct answer:
Banner grabbing is correct.
You can easily perform banner grabbing with netcat.
Incorrect answers:
Netcat isn’t used to query whois (registration information) or to perform SQL injection or XSS.
Question 24 of 80
24. Question
Which of the following refers to monitoring security configuration changes over time?
Correct
Correct answer:
Baselining is correct.
To develop a baseline, you take a snapshot of the current system’s security controls and configuration settings. This can be compared to future states (monitored over time) to see what security and configuration changes have been made. Those that are valid go into the new baseline, and those that aren’t are cut.
Incorrect answers:
Patch and vulnerability management supervise patching and the tracking of vulnerabilities, respectively.
Change management deals with controlling changes to systems in the environment.
Question 25 of 80
25. Question
WPA2 makes use of several protocols and technologies. What provides the integrity method for WPA2?
Correct
Correct answer:
CCMP is correct.
As good as WPA was, there were tiny flaws to be exploited in TKIP. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) was created to fix those and is the integrity method used by Wi-Fi Protected Access 2 (WPA2).
Incorrect answers:
RC4 and AES are encryption algorithms (AES is used in WPA, by the way).
802.1x is the standards family wireless comes from.
Question 26 of 80
26. Question
Which Google operator is the best choice in searching for a particular string in the website’s title?
Correct
Correct answer:
intitle: is correct.
Google hacking refers to manipulating a search string with additional specific operators to search for valuable information. The intitle: operator will return websites with a particular string in their title. Website titles contain all sorts of things, from legitimate descriptions of the page or author information to a list of words useful for a search engine.
Incorrect answers:
The intext: operator looks for pages that contain a specific string in the text of the page body.
The inurl: operator looks for a specific string within the URL.
The site: operator limits the current search to only the specified site (instead of the entire Internet).
Question 27 of 80
27. Question
Which of the following is a true statement regarding phishing and pharming?
Correct
Correct answer:
Pharming redirects victims by modifying the host configuration or DNS, while phishing redirects by providing the user a malicious URL similar to the legitimate one is correct.
Pharming requires the attacker to either adjust the user’s hosts file or to redirect DNS queries to a fake location. Phishing is simply providing a URL (or clickable link) that looks similar to a legitimate one.
Incorrect answers:
Phishing is most definitely a social engineering attack, and the two are not identical.
Question 28 of 80
28. Question
You are examining malware code and discover that a particular piece copies itself into the location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. What is the purpose of this?
Correct
Correct answer:
This key indicates an application that should run as soon as the user logs in to the system.
Incorrect answers:
An application found in this key does not run at every boot, and an entry here does nothing to hide it from antivirus software on the system.
Not all applications need to appear in this registry key.
Question 29 of 80
29. Question
Metasploit operates with multiple payload types. Which Metasploit payload type operates via DLL injection and is very difficult for AV software to pick up?
Correct
Correct answer:
Meterpreter is correct.
Meterpreter, short for meta-interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that allow developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard antivirus detection.
Incorrect answers:
Inline payloads are single payloads that contain the full exploit and shellcode for the designed task. They are easier to detect and, because of their size, may not be viable for many attacks.
Staged payloads establish a connection between the attacking machine and the victim. They then read in a payload to execute on the remote machine.
Finally, “remote” isn’t a recognized payload type.
Question 30 of 80
30. Question
Which of the following best represents SOA?
Correct
Correct answer:
Service Oriented Architecture (SOA) is all about software components delivering information to one another on a network, and this is the best available answer. SOA is a part of an architectural strategy in computer software design where components of applications provide services to other components via a communications protocol. SOA principles are independent of vendor, product, or technology.
Incorrect answers:
These statements do not describe SOA.
Question 31 of 80
31. Question
Which of the following attacks an already-authenticated connection?
Correct
Correct answer:
Session hijacking takes advantage of connections already in place and already authenticated. The attacker then monitors sequence numbers and, if he guesses correctly, jumps right into the conversation.
Incorrect answers:
Smurf is a DoS attack using ICMP (in a broadcast PING attack).
A denial of service is just what it sounds like.
Phishing is a social engineering effort.
Question 32 of 80
32. Question
Which of the following is a design pattern where services are provided to other components by specific application components?
Correct
Correct answer:
Service-Oriented Architecture is correct.
First termed “Service-Based Architecture” in 1998, Service-Oriented Architecture is based on distinct pieces of software providing application functionality as a service to other applications. Service-Oriented Architecture principles are vendor-neutral. A service is defined as a discrete unit of functionality that can be accessed remotely and acted upon or updated independently.
Incorrect answers:
These answers do not correctly reflect the definition provided.
Object-Oriented Architecture also concerns software development, but it is a design architecture based on dividing the responsibilities of an application or system into individual reusable and self-sufficient objects.
Lean code and agile delivery do not apply here.
Question 33 of 80
33. Question
A network admin advises the security staff that it appears there is a larger-than-normal traffic hit on a particular wireless access point on the weekends. Which tool would be the best choice to investigate the issue?
Correct
Correct answer:
Wireshark is correct.
Wireshark is the only tool listed that could be used to watch the traffic to and from the WAP.
Incorrect answers:
Netcat is a great method for maintaining access to a system (among other things) but not necessarily the best choice for sniffing traffic.
Nessus will perform a vulnerability scan but won’t necessarily help in this situation.
Nslookup is an absurd choice here.
Question 34 of 80
34. Question
Which of the following best describes a wrapping attack?
Correct
Correct answer:
A SOAP message is intercepted, data in the envelope is changed, and then it is sent/replayed is correct.
Wrapping attacks involve messing with SOAP messages and replaying them as legitimate.
Incorrect answers:
These do not reflect a wrapping attack.
Question 35 of 80
35. Question
Which of the following is true regarding LM hashes?
Correct
Correct answer:
If the right side of the hash ends with 1404EE, the password is less than eight characters is correct.
When passwords are less than eight characters, LM hashes will always have the right side of the hash the same, ending in 1404EE, due to the method by which LM performs the hash.
Incorrect answers:
The left side of each hash will always be different, and it indicates nothing.
The answers “There is no way to tell if passwords are less than eight characters because hashes are not reversible” and “There is no way to tell if passwords are less than eight characters because each hash is always 32 characters long” are incorrect because the hash value can tell you password length.
Question 36 of 80
36. Question
What does SOAP use to package and exchange information for web services?
Correct
Correct answer:
SOAP formats its information exchange in XML.
Incorrect answers:
SOAP does not use any of these for communication exchange.
Question 37 of 80
37. Question
A new employee is attempting to connect to wireless. Her hardware is the same as most others on the floor, and other users are connecting fine. The client can see the wireless network, but packet captures show the WAP is not responding to association requests. Which of the following best describes the issue?
Correct
Correct answer:
The simplest, most logical explanation is the WAP simply doesn’t recognize the MAC attempting to connect to it and refuses to even acknowledge the attempts.
Incorrect answers:
The client can see the network; therefore, SSID and DHCP are out. While it is possible explicit channel configuration may cause issues, it’s not relevant for this scenario.
Question 38 of 80
38. Question
All communication between two subnets is encrypted via SSL. The security staff is concerned about possible nefarious activity and places an IDS between the two segments. Which of the following statements is most correct, given the circumstances?
Correct
Correct answer:
The IDS is blind to SSL traffic is correct.
An IDS doesn’t have any means to break encryption on the fly. As a matter of fact, encrypted traffic presents one of the best ways to defeat an IDS. Encryption is the nemesis of an IDS because it cannot see the traffic.
Incorrect answers:
SSL does not affect false positives or negatives, and it does not fail due to passive sniffing.
Question 39 of 80
39. Question
Which of the following is a command-line packet analyzer?
Correct
Correct answer:
Tcpdump is correct.
Tcpdump is a free command-line packet analyzer, much like Wireshark. Another free tool, tcptrace, can be used to help analyze tcpdump files (along with lots of other tool outputs).
Incorrect answers:
Nessus is a vulnerability scanner.
Netcat is a backdoor tool (which provides a lot of other features as well).
Ethereal is the old name for Wireshark.
Question 40 of 80
40. Question
Which of the following best describes a biometric passport?
Correct
Correct answer:
Something you have is correct.
There are three main types of authentication: something you know, something you have, and something you are. When you see “biometric,” you might instantly want to click “something you are” and move on. But in this case it’s asking about a biometric passport, which is actually biometric information stored on a chip. The biometric passport is a physical object; therefore, this is something you have.
Incorrect answers:
These descriptions do not match the authentication type.
Question 41 of 80
41. Question
Amanda is a pen test team member scanning systems on an event. She notices a system using port 445, which is active and listening. Amanda issues the following command: `for /f "tokens=1" %%a in (myfile.txt) do net use * \\192.168.1.3\c$ /user:"administrator" %%a` Which of the following best describes what Amanda is trying to accomplish?
Correct
Correct answer:
Amanda is attempting to successfully log in to the user account called “administrator” using a list of passwords in the myfile.txt file. Port 445 is for Microsoft-DS SMB file sharing.
Incorrect answer:
Although the admin account may get locked out eventually, it’s not the purpose of this script to accomplish that. It is also not enumerating users or elevating a privilege for another account.
Question 42 of 80
42. Question
Which one of the following tools can be used for passive OS fingerprinting?
Correct
Correct answer:
nmap is correct.
Nmap has all sorts of switches that allow you to search for nearly everything. For example, the -O switch enables OS detection, which is what is needed here.
Incorrect answers:
The remaining answers make no sense at all here.
Question 43 of 80
43. Question
A vendor is alerted of a newly discovered flaw in their software that presents a major vulnerability to systems. While working to prepare a fix action, the vendor releases a notice alerting the community of the discovered flaw and providing best practices to follow until the patch is available. Which of the following best describes the discovered flaw?
Correct
Correct answer:
Zero day is correct.
“Zero day” means there has been no time to work on a solution. The bad thing is the discovery by security personnel of the existing vulnerability doesn’t mean it just magically popped up; it means it has been there without the good guys’ knowledge and could have already been exploited.
Incorrect answers:
Input validation refers to verifying that a user’s entry into a form or field matches what the form or field was designed to accept. The terms “shrink-wrap vulnerability” and “insider vulnerability” are not valid so far as your exam is concerned.
Question 44 of 80
44. Question
Which of the following statements is true?
Correct
Correct answer:
Configuring the web server to send random challenge tokens is the best mitigation for CSRF attacks is correct.
A CSRF attack occurs when the attacker takes one session while you’re connected on a legitimate one and sends messages as if they’re from you. The requests from the bad guy masquerading with your session ID through your browser can be largely stopped by making sure each request has a challenge token—if the server gets one without a token, it’s naughty and dropped.
Incorrect answers:
XSS, buffer overflows, and parameter manipulation are not stopped by random challenges.
Question 45 of 80
45. Question
Which command displays all connections and listening ports in numerical form?
Correct
Correct answer:
netstat -an is correct.
Netstat provides all sorts of good information on your machine. The -a option shows all connections and listening ports. The -n option displays addresses and ports in numerical form instead of resolving them to names.
Incorrect answers:
“netstat -a localhost -n” is incorrect syntax.
“netstat -r” displays the route table.
“netstat -s” displays per-protocol statistics.
Question 46 of 80
46. Question
A user accesses the company website http://www.somebiz.com from his home computer and is presented with a defaced site containing disturbing images. He calls the IT department to report the website hack and is told they do not see any problem with the site—no files have been changed, and when accessed from their terminals (inside the company) the site appears normal. The user connects over VPN into the company website and notices the site appears normal. Which of the following might explain the issue?
Correct
Correct answer:
DNS poisoning is correct.
This is an example of DNS poisoning—the DNS server responding to the user’s home computer is poisoned and is sending him to a fake site. The fact that others can see the site cleanly from inside the corporate network proves it wasn’t defaced and points to DNS poisoning as a possible explanation.
Incorrect answers:
Web poisoning is included as a distractor (not a valid term), ARP poisoning wouldn’t be relevant outside the subnet, and SQL injection has nothing to do with this scenario.
Question 47 of 80
47. Question
You’re using nmap to run port scans. What syntax will attempt a half-open scan as stealthy as possible?
Correct
Correct answer:
nmap -sS 192.168.1.0/24 -T0 is correct.
The syntax nmap -sS 192.168.1.0/24 -T0 runs a SYN (half-open) scan against the subnet 192.168.1.0 (.1 through .254) in “paranoid” mode.
Incorrect answers:
The syntax for each is incorrect.
Question 48 of 80
48. Question
Which of the following best describe crypters?
Correct
Correct answer:
Software tools that use a combination of encryption and code manipulation to render malware as undetectable to antivirus is correct.
“Crypters” are software tools that use a combination of encryption and code manipulation to render malware as undetectable to AV and other security-monitoring products (in Internet lingo, it’s referred to as “fud,” for “fully undetectable”).
Incorrect answers:
“Packers” are a variant of crypters and use compression to pack the malware executable into a smaller size.
Trojans look innocent but turn naughty after installation.
Steganography tools hide data in existing image, video, or audio files.
Question 49 of 80
49. Question
Which of the following are true statements regarding SMB? (Choose all that apply.)
Correct
Correct answer:
SMB uses port 445 and SMB can use TCP or UDP are correct.
Server Message Block (SMB) is an application-level protocol that is used mainly for shared resource access (such as file and print sharing). It runs over port 445 on either TCP or UDP, depending on the usage.
Incorrect answers:
SMB is not malware, nor is it an authentication protocol.
Question 50 of 80
50. Question
You want to separate data ownership from data custodian duties. Which of the following should be implemented to carry this out?
Correct
Correct answer:
Cloud computing is correct.
As far as ECC is concerned, cloud computing is the ultimate in separation of duties. The data owner is the entity accountable for the data itself, whereas the data custodian is the entity responsible for access to the data. When a single individual becomes both the data owner and the data custodian, security issues can arise. Because cloud computing offers some separation of duties, ECC wants you to know the cloud can help with that.
Incorrect answers:
DAR protection and WDE do a great job protecting data against loss or theft but have nothing to do with separation of duties.
Virtual machines play a role in the cloud, obviously, but in and of themselves do not provide separation of duties.
Question 51 of 80
51. Question
Which of the following is a password-cracking tool?
Correct
Correct answer:
THC Hydra is correct.
THC Hydra uses dictionary methods for password cracking. Per the site, “When you need to brute force crack a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more.”
Incorrect answers:
Hping is a powerful network scanner, and Wireshark is a standard in sniffing traffic.
PackETH is a packet crafter.
Question 52 of 80
52. Question
Which tool can be used to extract application layer data from TCP connections captured in a log file into separate files?
Correct
Correct answer:
TCPflow is correct.
TCPflow isn’t better or worse than anything else out there—it’s just one EC-Council wants you to know. It stores data in a way that makes it convenient for debugging and analysis. It’s a lot like tcpdump; however, separate files for each direction are created, making things easier to read.
Incorrect answers:
Snort does not accomplish this goal, and netcat and tcpdump do not create separate files for analysis.
Question 53 of 80
53. Question
Here is the result of a whois search on a target:

```
Registrant:
AnyBusiness Inc.
1377 somewhere street
New York, NY 10013
US
Phone: +13219667786
Email: [email protected]
Domain Name: anybusiness.com
Created on..............: Mon, Jul 07, 1997
Expires on..............: Sat, Jul 06, 2019
Record last updated on..: Mon, Jul 02, 2018
Administrative Contact:
anybusiness.com
P. O. Box 8799
615 N. Riverside Dr
Somewhere, FL 32903
US
Phone: +1.3215550587
Email: [email protected]
Technical Contact:
Mark Sensei
187 Someplace drive
Indialantic, FL 32903
US
Phone: +1.3215550879
Email: [email protected]
DNS Servers:
ns2.anybus.com
ns1.anybus.com
```

Which of the following is a true statement regarding this output?
Correct
Correct answer:
The technical contact for this website may have entered personal information at registration is correct.
The Technical Contact listing displays the technical contact’s name, as well as what may be their personal phone number. The address? It’s probably where they work, but you never know. This could turn out to be nothing, but it might provide you with an “in” for social engineering efforts later.
Incorrect answers:
The registrant is clearly listed as anybusiness.com, and the target’s DNS servers are listed right there at the bottom.
The administrative contact is listed as a business name—smart idea.
Question 54 of 80
54. Question
Which attack falsifies a broadcast ICMP echo request and includes a primary victim and a secondary victim?
Correct
Correct answer:
Smurf is correct.
A smurf attack involves spoofing a ping request to the broadcast address of the subnet. The ping request is altered so that it appears to come from another host. This target host is then pummeled with ping responses from every other machine on the network.
Incorrect answers:
Fraggle (named after another horrible 1980s kids’ show because the attack is so similar) makes use of UDP in much the same fashion.
A man-in-the-middle attack is not carried out in this fashion and does not seek to perform a denial-of-service attack on the target.
Teardrop refers to an attack focusing on reassembly within the TCP/IP stack.
Question 55 of 80
55. Question
Your organization uses a cloud computing model that shares cloud infrastructure for data and services. Which deployment model matches this description?
Correct
Correct answer:
Community is correct.
A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations.
Incorrect answers:
A private cloud model is operated solely for a single organization (a.k.a. single-tenant environment), is usually not a pay-as-you-go type of operation, and is usually preferred by larger organizations.
A public cloud model is one where services are provided over a network that is open for public use (like the Internet).
The hybrid cloud model is a composite of two or more cloud deployment models.
Question 56 of 80
56. Question
You are concerned about static electricity problems in your data center. Which of the following will not assist you in dealing with the problem?
Correct
Correct answer:
Positive pressure is great at keeping contaminants—dust, dirt, and so on—out of the data center, but it doesn’t do a thing regarding static electricity.
Incorrect answers:
Antistatic wrist straps are designed to ground you appropriately, providing somewhere for any latent static electricity you’ve generated to flow.
Same with proper grounding systems for everything else.
More humidity equals less static electricity, so a humidity system is an absolute requirement.
Question 57 of 80
57. Question
What is the purpose of an ICMP Type 3, Code 13 packet?
Correct answer:
Administratively prohibited is correct.
ICMP Type 3, Code 13 messages indicate the packet could not be routed because it was administratively prohibited (firewall or router ACL).
Incorrect answers:
ICMP Type 3 indicates destination unreachable, not TTL expiration (Type 7) or redirect (Type 5).
“Host not found” is irrelevant.
Question 58 of 80
58. Question
Which of the following is a valid Google Search entry for searching for spreadsheet files possibly containing passwords?
Correct answer:
site:sample.com filetype:xls username password is correct.
Of the answers provided, this matches the correct syntax of what is being searched for.
Incorrect answers:
The remaining answers do not match the syntax required for the search.
Question 59 of 80
59. Question
Which of the following is an attempt to resolve computer security problems through hardware enhancements and associated software modifications?
Correct answer:
Trusted computing basically refers to an attempt to resolve computer security problems through hardware enhancements and associated software modifications. Roots of Trust (RoT) is a set of functions within the trusted computing module that are always trusted by the computer’s operating system (OS).
Incorrect answers:
The Trusted Computing Group (TCG) is made up of a bunch of hardware and software providers that cooperate to come up with specific plans.
Cloud computing is irrelevant.
OSRoT is not a legitimate term.
Question 60 of 80
60. Question
Which of the following is the crucial architecture layer within the IoT, allowing all communication?
Correct answer:
Internet layer is correct.
Of the five layers, the Internet layer is considered the most crucial, as it serves as the main component to allow all communication.
Incorrect answers:
The Middleware layer sits between the Application and Hardware layer, and handles data and device management, data analysis, and aggregation.
Initial data handling takes place in the Access Gateway layer, where message identification and routing occur.
The Edge Technology layer consists of sensors, RFID tags, readers, and the devices themselves.
Question 61 of 80
61. Question
Which of the following is the proper syntax on Windows systems for spawning a command shell on port 8080 using Netcat?
Correct answer:
nc -L 56 -t -e cmd.exe is correct.
This is the correct syntax on Windows for using Netcat to leave a command shell open on port 8080.
Incorrect answers:
None of these is the proper syntax.
Question 62 of 80
62. Question
What are the phases of a pen test? (Choose three.)
Correct answer:
Pre-attack, Attack, and Post-attack are correct.
The pen test phases are pre-attack, attack, and post-attack.
Incorrect answers:
These are all steps of ethical hacking.
Question 63 of 80
63. Question
Which of the following would most likely be used in a CSPP attack?
Correct answer:
; is correct.
The entire attack is based on the use of semicolons by web applications in communicating with databases. Suppose, for example, an attacker entered “; Integrated Security=true” as a password. Because the semicolon closes the password parameter, the rest of the command dictates the web app should connect to the database using the system account instead of a user one. CSPP attacks can be mitigated by treating semicolons in user input as data rather than as parameter delimiters.
Incorrect answers:
The single quote is generally associated with SQL injection efforts.
The + and @ signs are not applicable here.
Question 64 of 80
64. Question
Which of the following best defines a logical or technical control?
Correct answer:
Security tokens is correct.
A security token (such as RSA’s SecurID) can provide a number that changes on a recurring basis that a user must provide during authentication, or it may provide a built-in number on a USB device that must be attached during authentication.
Incorrect answers:
Air conditioning and fire alarms handle aspects of physical security. Security policy is not a logical or technical control.
Question 65 of 80
65. Question
Which of the following best describes a primary security principle that cloud computing can provide?
Correct answer:
Separation of duties is correct.
Of the choices available, separation of duties makes the most sense. Cloud computing moves computing processes from internal to external. It also separates the role of data owner from the role of data custodian.
Incorrect answers:
Need to know, least privilege, and job rotation really aren’t affected by cloud computing one way or another.
Question 66 of 80
66. Question
You are hired as an independent assessor to verify security controls within a cloud environment. Which NIST cloud architecture role are you performing?
Correct answer:
Cloud auditor is correct.
The cloud auditor is the independent assessor of cloud service and security controls. Per NIST SP 500-292, the auditor “provides a valuable inherent function for the government by conducting the independent performance and security monitoring of cloud services.”
Incorrect answers:
The cloud carrier is the organization that has the responsibility of transferring the data, akin to the power distributor for the electric grid.
The cloud consumer is the individual or organization that acquires and uses cloud products and services.
The cloud broker acts to manage the use, performance, and delivery of cloud services as well as the relationships between providers and subscribers.
Question 67 of 80
67. Question
Which of the following is not part of the ransomware family?
Correct answer:
B is correct. Zeus is an e-banking Trojan for stealing bank and credit card information, not ransomware.
Incorrect answers:
The ransomware family is composed of Cryptobit, Cryptolocker, Cryptodefense, Cryptowall, and police-themed ransomware.
Question 68 of 80
68. Question
An attacker wants to verify live targets on a network, but no ICMP packets seem to successfully do the job. Which of the following options might work in this situation?
Correct answer:
TCP ping is correct.
A single target not responding doesn’t necessarily mean it’s not “awake”—there could be several reasons it’s not providing any answer. If you suspect ICMP is blocked, try a TCP ping. The integrated Windows ping utility can’t ping over TCP, so you may have to use tcping.exe (or another comparable tool).
Incorrect answers:
Traceroute, Nslookup, and Broadcast ping are incorrect.
Traceroute is designed to display path information and relies on ICMP and TTL flags for answers.
Nslookup might work in a zone transfer to tell you what systems DNS knows about, but it can’t tell you what’s necessarily alive.
A broadcast ping is simply ICMP sent to the broadcast address in the subnet.
Question 69 of 80
69. Question
A pen test team member wants to clone a website to an offline copy, for further screening and examination later. Which of the following tools is the best choice for this purpose?
Correct answer:
BlackWidow is correct.
BlackWidow can download a clone of a website for scanning and vulnerability discovery at your leisure. It can download an entire website or download portions of a site, and it can build a site structure.
Incorrect answers:
Burp Suite isn’t designed to pull an entire copy of a website externally and run through tests. It is an integrated platform for performing security testing of web applications.
NetCraft isn’t a tool to be used for this purpose. It provides security tools aimed at the web sector—among them, phishing protection and identification.
HttpRecon isn’t used in this manner. It is known as a web server fingerprinting tool.
Question 70 of 80
70. Question
A victim is directed to a website an attacker has modified: the attacker has created a transparent frame in front of the Click Here To Login button. When the victim clicks to log in to the site, they are redirected instead to a URL the attacker owns. Which of the following best describes the attack?
Correct answer:
Clickjacking is correct.
Clickjacking is exactly what it sounds like—stealing the “click” a user intended for one thing and using it for another.
Incorrect answers:
None of these attacks describe the actions taken.
Question 71 of 80
71. Question
Which of the following provides specific services to untrusted networks or hosts?
Correct answer:
Bastion host is correct. Bastion hosts are deliberately placed on the edge of the network—publicly facing—to handle external requests for whatever service you can think of. They must be hardened and protected, for obvious reasons, but are designed to protect the internal network.
Incorrect answers:
Proxy firewalls are designed primarily to hide networks.
A packet-filtering firewall is exactly what it sounds like, and a stateful firewall is used to ensure traffic is legitimate based on source, direction, and session information (that is, internally sourced is allowed, but externally sourced is not).
Question 72 of 80
72. Question
A pen tester is using Metasploit to attack an FTP server. He wants the attack to use the FTP server as a launching point to “pivot” to an internal LAN segment. Which of the following should be accomplished to perform the attack?
Correct answer:
Create a route statement within the meterpreter is correct.
The meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. Adding a route statement allows for the “pivot” action.
Incorrect answers:
These steps will not assist in pivoting.
Question 73 of 80
73. Question
Which of the following statements is true regarding normal TCP communications?
Correct answer:
The reset flag is there for just such an emergency—something bad has happened.
Incorrect answers:
SYN flags start conversations and synchronize things along the way.
ACK flags acknowledge receipt but are not set in every segment.
FIN flags do bring things to an orderly close, but not a rapid abort.
Question 74 of 80
74. Question
Which of the following commands lists the running services on a Windows machine?
Correct answer:
sc query is correct.
The built-in sc command provides all sorts of information about running services on a Windows machine.
Incorrect answers:
Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer.
Netstat displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, and IPv4 statistics.
Wmic provides the ability to take advantage of a host of Windows management information tie-ins but is not applicable here (not to mention the syntax is invalid).
Question 75 of 80
75. Question
Which of the following statements best describes a teardrop attack?
Correct answer:
The attacker sends several overlapping, extremely large IP fragments is correct.
In a teardrop attack, the reassembly of fragments takes down the target.
Incorrect answers:
These do not reflect a teardrop attack. Fraggle uses UDP.
LAND attacks use the same source IP and destination.
Smurf makes use of broadcast pings.
Question 76 of 80
76. Question
How would OSSTMM categorize PCI DSS?
Correct answer:
Contractual is correct.
The Open Source Security Testing Methodology Manual (OSSTMM) defines three types of compliance: contractual, legislative, and standards based.
Contractual deals with requirements enforced by an industry or non-government group.
Incorrect answers:
Legislative deals with regulations enforced by the government.
Standards based deals with actions that are recommended and must be adhered to in order to be certified by a group.
Technology based doesn’t exist.
Question 77 of 80
77. Question
Which of the following statements is true?
Correct answer:
WebGoat has 30 or so “lessons” embedded to display how security vulnerabilities work on a system. It is maintained by OWASP, can be installed on virtually any platform, works well with Java and .NET, and provides the perfect “black box” testing opportunity for new, and seasoned, pen testers to practice on without fear of breaking something.
Incorrect answers:
These statements are not true regarding WebGoat.
Question 78 of 80
78. Question
Which of the following represents the XOR from 01110011 and 11010101?
Correct answer:
XOR gates compare two inputs—if the two match, the output is a zero (0); if they don’t, it’s a one (1).
Incorrect answers:
These answers do not match the XOR for the two inputs.
Question 79 of 80
79. Question
Which of the following are true statements regarding wireless security? (Choose all that apply.)
Correct answer:
“WPA-2 is the best available encryption security for the system” and “SSIDs do not provide any effective security measures for a wireless network” are correct.
WPA-2 is the latest encryption standard for wireless. SSIDs do nothing for security other than frustrate casual (lazy) attackers. It’s not the intent of an SSID to do anything other than identify a network.
Incorrect answers:
WEP is poor encryption (and never the correct answer on this exam for security purposes), and SSID broadcast is nearly irrelevant to security.
Question 80 of 80
80. Question
Which security effort protects system folders, files, and the MBR until valid credentials are provided at pre-boot?
Correct answer:
Full disk encryption is correct.
FDE is the appropriate control for data-at-rest protection. Pre-boot authentication provides protection against loss or theft.
Incorrect answers:
These answers do not protect system folders, files, and MBR until valid credentials are provided at pre-boot.