CEH Certified Ethical Hacker Practice Exams, Fourth

Post on 10-Nov-2021


Page 1: CEH Certified Ethical Hacker Practice Exams, Fourth


Contents

1. Cover
2. About the Author
3. Title Page
4. Copyright Page
5. Dedication
6. Contents
7. Acknowledgments
8. Introduction
9. Chapter 1 Getting Started: Essential Knowledge
   1. Questions
   2. Quick Answer Key
   3. Answers
10. Chapter 2 Reconnaissance: Information Gathering for the Ethical Hacker
   1. Questions
   2. Quick Answer Key
   3. Answers
11. Chapter 3 Scanning and Enumeration
   1. Questions
   2. Quick Answer Key
   3. Answers
12. Chapter 4 Sniffing and Evasion
   1. Questions
   2. Quick Answer Key
   3. Answers
13. Chapter 5 Attacking a System
   1. Questions
   2. Quick Answer Key
   3. Answers
14. Chapter 6 Web-Based Hacking: Servers and Applications
   1. Questions
   2. Quick Answer Key
   3. Answers
15. Chapter 7 Wireless Network Hacking
   1. Questions
   2. Quick Answer Key
   3. Answers
16. Chapter 8 Mobile Communications and the IoT
   1. Questions
   2. Quick Answer Key
   3. Answers
17. Chapter 9 Security in Cloud Computing
   1. Questions
   2. Quick Answer Key
   3. Answers
18. Chapter 10 Trojans and Other Attacks
   1. Questions
   2. Quick Answer Key
   3. Answers
19. Chapter 11 Cryptography 101
   1. Questions
   2. Quick Answer Key
   3. Answers
20. Chapter 12 Low Tech: Social Engineering and Physical Security
   1. Questions
   2. Quick Answer Key
   3. Answers
21. Chapter 13 The Pen Test: Putting It All Together
   1. Questions
   2. Quick Answer Key
   3. Answers
22. Appendix A Pre-assessment Test
   1. Questions
   2. Quick Answer Key
   3. Answers
   4. Analyzing Your Results
23. Appendix B About the Online Content
   1. System Requirements
   2. Your Total Seminars Training Hub Account
   3. Single User License Terms and Conditions
   4. TotalTester Online
   5. Technical Support

Guide

1. Cover
2. Title Page
3. CEH™ Certified Ethical Hacker Practice Exams, Fourth Edition

ABOUT THE AUTHOR

Matt Walker is currently working as a member of the Cyber Defense and Security Strategy team with Perspecta. An IT security and education professional for more than 20 years, he has served as the director of the Network Training Center and a curriculum lead/senior instructor for Cisco Networking Academy on Ramstein AB, Germany, and as a network engineer for NASA’s Secure Network Systems (NSS), designing and maintaining secured data, voice, and video networking for the agency. Matt also worked as an instructor supervisor and senior instructor at Dynetics, Inc., in Huntsville, Alabama, providing on-site certification-awarding classes for (ISC)², Cisco, and CompTIA, and after two years came right back to NASA as an IT security manager for UNITeS, SAIC, at Marshall Space Flight Center. He has written and contributed to numerous technical training books for NASA, Air Education and Training Command, and the U.S. Air Force, as well as commercially, and he continues to train and write certification and college-level IT and IA security courses.

ABOUT THE TECHNICAL EDITOR

Brad Horton currently works as an intelligence specialist with the U.S. Department of Defense. Brad has worked as a security engineer, commercial security consultant, penetration tester, and information systems researcher in both the private and public sectors. This has included work with several defense contractors, including General Dynamics C4S, SAIC, and Dynetics, Inc. Brad currently holds the Certified Information Systems Security Professional (CISSP), the CISSP – Information Systems Security Management Professional (CISSP-ISSMP), the Certified Ethical Hacker (CEH), and the Certified Information Systems Auditor (CISA) trade certifications. Brad holds a bachelor’s degree in Commerce and Business Administration from the University of Alabama, a master’s degree in Management of Information Systems from the University of Alabama in Huntsville (UAH), and a graduate certificate in Information Assurance from UAH. When not hacking, Brad can be found at home with his family or on a local golf course.


Copyright © 2019 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 978-1-26-045509-0
MHID: 1-26-045509-2

The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-045508-3, MHID: 1-26-045508-4.

eBook conversion by codeMantra
Version 1.0

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.


McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.

Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

The views and opinions expressed in all portions of this publication belong solely to the author and/or editor and do not necessarily state or reflect those of the Department of Defense or the United States Government. References within this publication to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, do not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government.

TERMS OF USE


This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.


This book is dedicated to my lovely and talented wife, Angela Walker.


CONTENTS

Acknowledgments
Introduction

Chapter 1 Getting Started: Essential Knowledge
   Questions
   Quick Answer Key
   Answers

Chapter 2 Reconnaissance: Information Gathering for the Ethical Hacker
   Questions
   Quick Answer Key
   Answers

Chapter 3 Scanning and Enumeration
   Questions
   Quick Answer Key
   Answers

Chapter 4 Sniffing and Evasion
   Questions
   Quick Answer Key
   Answers

Chapter 5 Attacking a System
   Questions
   Quick Answer Key
   Answers

Chapter 6 Web-Based Hacking: Servers and Applications
   Questions
   Quick Answer Key
   Answers

Chapter 7 Wireless Network Hacking
   Questions
   Quick Answer Key
   Answers

Chapter 8 Mobile Communications and the IoT
   Questions
   Quick Answer Key
   Answers

Chapter 9 Security in Cloud Computing
   Questions
   Quick Answer Key
   Answers

Chapter 10 Trojans and Other Attacks
   Questions
   Quick Answer Key
   Answers

Chapter 11 Cryptography 101
   Questions
   Quick Answer Key
   Answers

Chapter 12 Low Tech: Social Engineering and Physical Security
   Questions
   Quick Answer Key
   Answers

Chapter 13 The Pen Test: Putting It All Together
   Questions
   Quick Answer Key
   Answers

Appendix A Pre-assessment Test
   Questions
   Quick Answer Key
   Answers
   Analyzing Your Results

Appendix B About the Online Content
   System Requirements
   Your Total Seminars Training Hub Account
   Single User License Terms and Conditions
   TotalTester Online
   Technical Support


ACKNOWLEDGMENTS

I, like most of you, hardly ever read the acknowledgment portion of a book. When I bought a book, I just wanted to get to the meat of the thing and see what I could drag out of it—either intellectually or entertainment-wise—and couldn’t give a care about what the author thought about those who helped put it all together. Then, of all things, I wrote a book.

Now, I read the acknowledgments section of every book I purchase. Why? Because having gone through the trials and tribulations of writing, editing, arguing, planning, researching, rewriting, screaming at a monitor, and restarting the whole thing all over again, I understand why it’s so important. I know what it means when the writer says they “couldn’t have done it without fill-in-the-blank.” Trust me, if it’s written there, then the author truly means they couldn’t have done it without them. My fill-in-the-blanks deserve more than just a mention in an acknowledgments section, though, because they really did make it all possible, and I most assuredly couldn’t have done it without them.

My undying gratitude and heartfelt thanks go out to the entire team at McGraw-Hill Education. Tim Green originally roped me into this a few years back, and without him I would have never even thought of it. Amy Gray provided the rubber-hose beating that every author needs to finish a product like this (okay, maybe not every author, but I sure need it) and had a great sense of humor during the whole ordeal. Claire Yee, Garima Poddar, Bart Reed, Janet Walden, and I’m sure a bunch more all deserve a vacation somewhere warm and beachy—I’ll get the first round of cold adult beverages. Once again, they all provided me with the chance to do something I dearly love and were very patient with me in putting this all together.

Lastly, I can’t thank the technical editor, Brad Horton, enough. Brad makes a difficult process—technically scrubbing everything to make sure it’s all in good order—not only bearable but downright fun. His edits were spot on and were always designed to make this project the absolute best it could be. He not only pointed out corrections when I messed something up but added immeasurably to the real-world aspects of this book. I simply could not, would not, have done this without him. It’s an honor to work with him and a great blessing in my life to call him a friend.


INTRODUCTION

Hello and welcome to the practice exams for Certified Ethical Hacker (CEH), now in version 10. If you’re the proud owner of previous editions of this book or its companion book, CEH™ Certified Ethical Hacker All-in-One Exam Guide, Fourth Edition, welcome back! If not and you’re just picking this book up for the first time to see whether it’s for you, settle in for a moment and let’s cover a few really important items.

Some of you may be curious about what a “hacking” study guide looks like, or you may be thinking about attempting a new certification or career choice. Some of you may have already taken that decisive leap and started down the path, and are now looking for the next resource to help you along the journey. And some of you reading this may even be simply looking for some credentials for your career—most in this group are true professionals who already know how to do this job and are just finally ready to get the certification knocked out, while a small few are simply looking for a résumé bullet (one more certification you can put on your e-mail signature line to impress others).

Regardless of where you stand in your career or your desire for this certification, there are a couple of things I need to clear the air about—right up front before you commit to purchasing and reading this book. First (before I get to the bad stuff), I firmly believe this book will assist you in attaining your CEH certification. The entire team involved in this effort has spent a lot of time, energy, thought, research, and bourbon on producing what we think is the best companion resource guide on the market. I’m proud of it and proud to have been associated with the professionals who helped put it together.

That said, if you’re looking for a silver bullet—a virtual copy of the exam so you can simply memorize, go take the test, and forget about it—please stop reading now and go take your chances elsewhere. Part of the ethics of attaining, and maintaining, a CEH credential is the nondisclosure agreement all candidates sign before attempting the exam. I, and everyone else involved in this project, have taken great pains to provide you with examples of questions designed to test your knowledge of the subject at hand, not to provide you with questions to memorize. Those who are looking for that, and use that method to attain the certification, belittle and cheapen the hard work the community puts into this, and I would be sickened to know of anyone using this work for that purpose.

If you want to pass this exam and have the respect and benefits that come along with holding the certification, then you damn well better know how to do the job. The memorization/test-taking junkies out there may get an interview or two with this certification on their résumé, but trust me—they’ll be discovered as frauds before they ever get to round 2. This community knows the difference between a contender and a pretender, so don’t try to take shortcuts. Learn the material. Become an expert in it. Then go take the exam. If you’re not willing to put in the effort, maybe you should pick up another line of work—like professional dodge ball player or pharmaceutical test subject. To quote a really bad but totally awesome 1980s testosterone movie, “There’s always barber college.”

With all that out of the way—and now that I’m talking to the real candidates for this certification—once again I firmly believe this book will help you in your attempt to attain the certification. As always, however, I must provide a word of caution: relying on a single book—any single book—to pass this exam is a recipe for disaster. Yes, this is a great resource, and you should definitely buy it (right now—don’t wait!). However, you simply will not pass this exam without the time and benefit that can come only from experience. As a matter of fact, EC-Council requires candidates sitting for the exam to have at least two years of IT security–related experience. Bolster your study in this book with practice, practice, and more practice. You’ll thank me for it later.

Lastly, keep in mind this certification isn’t a walk in the park. CEH didn’t gain the reputation and value it has by being easy to attain. Its worth has elevated it as one of the top certifications a technician can attain and is now part of DoD 8570’s call for certification on DoD networks. In short, this certification actually means something to employers because they know the effort it takes to attain it.

The exam itself is a four-hour, 125-question grueling marathon that will leave you exhausted when you click the Finish button. EC-Council has provided a handbook on the certification and exam (as of this writing, located at https://s3-us-west-2.amazonaws.com/edm-image/documents/CEH-Handbook-v2.2.pdf) that provides all you’ll need to know about qualifications, content, and other information about the exam and certification. I’ve included some highlights in the following sections, detailing the exam and what you’ll need.

TRAINING AND PREPARATION

There are two ways for a candidate to attain CEH certification: with training or using only self-study. Per the site (https://iclass.eccouncil.org/learning-options/), training options include the following:

• Live, online, instructor-led These courses are offered by many affiliates EC-Council has certified to provide the training. They offer the official courseware in one of two methods: a standard classroom setting or via an “online-live” training class you can view from anywhere. Both offerings have an ECC-certified instructor leading the way, provide the official courseware via Aspen (https://aspen.eccouncil.org/mycourses), and come with a hefty price tag.

• Private group training EC-Council can also arrange for a class at your location, provided you’re willing to pay for it, of course. Costs for that depend on your organization.

As for doing it on your own, there are a couple of methods available:

• Self-paced Directly from the site, this solution is “an asynchronous, self-study environment which delivers EC-Council’s sought after IT Security training courses, such as CEH, in a streaming video format. All lectures are delivered by a professional practitioner to assure a real-world perspective on the course concepts…and provides the benefits of classroom training at your own pace.” This also comes with the official courseware via Aspen as well as six months’ access to iLabs (EC-Council’s virtual lab platform).

• Self-study If you want to study on your own and don’t care about the class at all (that is, you’ve been doing this for a while and don’t see the value of going to a class to have someone teach you what you already know), you can simply buy the courseware (for nearly $900 as of this writing) and study on your own. There are all the necessary hoops and hurdles to step through to qualify for the exam, but EC-Council is certainly happy to sell you their official curriculum and let you take your own chances.

THE EXAMINATION

For version 10, EC-Council has changed the exam scoring methods and mechanisms (https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/). The content itself hasn’t changed much, other than new content in IoT and other areas; however, the method to tabulate whether or not you pass the exam definitely has.

The exam is a four-hour, computer-based proctored test (in other words, it’s taken in person at an authorized testing facility) that allows you to skip and mark questions to revisit at the end of each section. FAQs regarding the exam itself are updated continually and are located at https://cert.eccouncil.org/faq.html. Your exam score is tabulated immediately after completion, so be sure to review everything before clicking Finish. Unlike previous versions, however, there is no cut-and-dried number of questions you need to get right and no score you need to attain. Whereas in previous versions you needed to answer 70% of the questions correctly, you now need to attain the appropriate “cut score” for your particular test bank. I know, I know—you’re wondering what that means. I did, too, so I read up on it for you (you’re welcome).

CEH is provided to candidates as a series of multiple test question blocks—in other words, a candidate sitting on the left side of the room would get questions from block 1 while someone on the right side would get questions from block 2 (or 7, or 20…). EC-Council refers to these question banks as “forms” and has calculated a passing score based on the difficulty rating of each block. Should you sit down and randomly get assigned an easy form, you’ll have to score upward of 85% to pass; a hard one, and you’ll only need 60%. See? Isn’t that fun and easy?

Lastly, I found this little nugget of information very enlightening and wanted to include it here both to inform you and to validate something I’ve been saying for years now (in previous versions of these books, as well as in this one): EC-Council openly admits their exam content and creation are performed separately from course and curriculum content creation. This means the people creating the test questions don’t necessarily use the official course curriculum. In other words, you can and will see questions on your exam that aren’t even mentioned in the courseware or in your classroom—or, dare I say, in the study material you’re looking at here.

To some of us, myself included, this seems odd. I mean, if you require folks to purchase your courseware and/or sit for your specific training classes, you’d assume those would be the key study materials for success on the exam—designed supposedly to validate your knowledge and skills from aforementioned curriculum and training. EC-Council states it this way, however: “All learning materials related to exams including EC-Council official courseware and trainings are developed independently of exam content. This is because the exams are created to assess competence when using the skills and knowledge, not the effectiveness of a specific courseware or training.”

I include this here not to scare you off or to give you the impression that the courseware, classrooms, or study guides aren’t valid, but to remind you, as I’ve said seemingly a billion times now, not to rely on one source for your study. Build a lab. Practice. Get together with like-minded folks and talk out issues you find in practicing with tools or taking practice exams. Trust me, you’ll be better off for it.

Best of luck to you, dear reader. I sincerely hope your exam goes well for you and your career is filled with great experiences. Be honest, do a good job, and make every day and action work toward a better world.

IN THIS BOOK

I’ve organized this book so that each chapter consists of a battery of practice exam questions representing part of the knowledge and skills you need to know to pass the Certified Ethical Hacker exam. This book was designed to mirror the organization of CEH Certified Ethical Hacker All-in-One Exam Guide, Fourth Edition, and it serves as an excellent companion.

Pre-assessment Test

This book features a pre-assessment test as Appendix A. The pre-assessment test will gauge your areas of strength and weakness and allow you to tailor your studies based on your needs. I recommend you take this pre-assessment test before starting the questions in Chapter 1.


Practice Exams

In addition to the practice questions included in this book, 300 practice questions are provided in an electronic test engine. You can create custom exams by chapter, or you can take multiple timed, full-length practice exams. For more information, please see Appendix B.


CHAPTER 1
Getting Started: Essential Knowledge

This chapter includes questions from the following topics:

• Identify components of TCP/IP computer networking
• Understand basic elements of information security
• Understand incident management steps
• Identify fundamentals of security policies
• Identify essential terminology associated with ethical hacking
• Define ethical hacker and classifications of hackers
• Describe the five stages of ethical hacking
• Define the types of system attacks
• Identify laws, acts, and standards affecting IT security

In one of my earliest memories, I’m sitting at the table on Thanksgiving, staring lovingly at a hot apple pie being sliced into pieces and doled out onto plates. I remember watching an ice cream bowl chase the pie slices around the table, and each person scooping out delicious vanilla goodness for the top of their pie. And I remember looking at that flaky crust and the sugary, syrupy insides and thinking how great it was going to be when I got mine. But then I remember my mom looking right at me and saying, “Looks good, doesn’t it? All you’ve got to do is finish your vegetables and you can have some.”

I dearly love apple pie à la mode. It’s my favorite dessert on the planet—my ambrosia, if you will. I love it so much that aggressively displacing toddlers out of my way to get to dessert nirvana isn’t out of the question (okay, maybe just sternly threatening them, but you get the idea). But I absolutely despised most of the veggies I was forced to eat as a kid. Greens, peas, carrots, asparagus? Might as well have been kryptonite for Superman. Why not just ask me to stab my eyes out with a fork—or, worse yet, ask me to wear Auburn colors, Mom?

But when push came to shove, I ate the vegetables. Not because I liked them or because I wanted to, but because I had to in order to get what I really wanted.

Welcome to your veggie plate, dear reader. No, it’s not the exciting dessert you’re drooling over—all those delicious hacking questions come later—but this is stuff you just have to get out of the way first. The good news with this part of your exam is that this is the easy stuff. It’s almost pure memorization and definitions—with no wacky formulas or script nuances to figure out. And don’t worry, it’s not nearly as bad as you think it’s going to be. At least I’m not making you put on blue and orange.

STUDY TIPS When it comes to studying this chapter, where mostly definitions and rote memorization are all that is required for the exam, repetition is the key. Tables with words on one side and corresponding definitions on the other can be pretty effective—and don’t discount old-school flash cards either. When studying, try to find some key words in each definition you can associate with the term. That way, when you’re looking at a weird test question on the exam, a key word will pop out and help provide the answer for you. And for goodness’ sake, please try not to confuse the real world with the exam—trust what you get out of this book and your other study material, and don’t read too much into the questions.

Some of the most confusing questions for you in this section will probably come from security policies, laws and standards, and security control mechanisms. All these questions can get really weird, and I’d love to offer help with them, but I can’t—you just have to memorize the data. Especially when it comes to laws and standards questions—they will sometimes be maddening. My best advice is to concentrate on key words and remember that the process of elimination can sometimes be more helpful in narrowing the options down to the correct answer than trying to memorize everything in the first place.

Also, and at the risk of generating derision from the “Thank you, Captain Obvious” crowd, here’s another piece of advice I have for you: spend your time on the things you don’t already know (trust me, I’m on to something here). Many exam prospects and students spend way too much valuable time repeating portions they already know instead of concentrating on the things they don’t. If you understand the definitions regarding white hat and black hat, don’t bother reviewing them. Instead, spend your time concentrating on areas that aren’t so “common sense” to you.

And, finally, keep in mind that this certification is provided by an international organization. Therefore, you will sometimes see some fairly atrocious grammar on test questions here and there, especially in this section of the exam. Don’t worry about it—just keep focused on the main point of the question and look for your key words.


QUESTIONS

1. A security team is implementing various security controls across the organization. After several configurations and applications, a final agreed-on set of security controls is put into place; however, not all risks are mitigated by the controls. Of the following, which is the next best step?

A. Continue applying controls until all risk is eliminated.

B. Ignore any remaining risk as “best effort controlled.”

C. Ensure that any remaining risk is residual or low and accept the risk.

D. Remove all controls.

2. A Certified Ethical Hacker (CEH) follows aspecific methodology for testing a system. Whichstep comes after footprinting in the CEHmethodology?

A. Scanning

B. Enumeration

C. Reconnaissance

D. Application attack

3. Your organization is planning for the future and isidentifying the systems and processes critical for

||||||||||||||||||||

||||||||||||||||||||

Page 38: CEH Certified Ethical Hacker Practice Exams, Fourth

their continued operation. Which of the followingbest describes this effort?

A. BCP

B. BIA

C. DRP

D. ALE

4. Which incident response (IR) phase is responsible for setting rules, identifying the workforce and roles, and creating backup and test plans for the organization?

A. Preparation

B. Identification

C. Containment

D. Recovery

5. You’ve been hired as part of a pen test team. During the brief, you learn the client wants the pen test attack to simulate a normal user who finds ways to elevate privileges and create attacks. Which test type does the client want?

A. White box

B. Gray box

C. Black box

D. Hybrid

6. Which of the following is defined as ensuring the enforcement of organizational security policy does not rely on voluntary user compliance by assigning sensitivity labels on information and comparing this to the level of security a user is operating at?

A. Mandatory access control

B. Authorized access control

C. Role-based access control

D. Discretionary access control

7. Which of the following statements is true regarding the TCP three-way handshake?

A. The recipient sets the initial sequence number in the second step.

B. The sender sets the initial sequence number in the third step.

C. When accepting the communications request, the recipient responds with an acknowledgement and a randomly generated sequence number in the second step.

D. When accepting the communications request, the recipient responds with an acknowledgement and a randomly generated sequence number in the third step.

8. Your network contains certain servers that typically fail once every five years. The total cost of one of these servers is $1000. Server technicians are paid $40 per hour, and a typical replacement requires two hours. Ten employees, earning an average of $20 per hour, rely on these servers, and even one of them going down puts the whole group in a wait state until it’s brought back up. Which of the following represents the ARO for a server?

A. $296

B. $1480

C. $1000

D. 0.20

9. An ethical hacker is given no prior knowledge of the network and has a specific framework in which to work. The agreement specifies boundaries, nondisclosure agreements, and a completion date definition. Which of the following statements is true?

A. A white hat is attempting a black-box test.

B. A white hat is attempting a white-box test.

C. A black hat is attempting a black-box test.

D. A black hat is attempting a gray-box test.

10. Which of the following is a detective control?

A. Audit trail

B. CONOPS

C. Procedure

D. Smartcard authentication

E. Process

11. As part of a pen test on a U.S. government system, you discover files containing Social Security numbers and other sensitive personally identifiable information (PII). You are asked about controls placed on the dissemination of this information. Which of the following acts should you check?

A. FISMA

B. Privacy Act

C. PATRIOT Act

D. Freedom of Information Act

12. Four terms make up the Common Criteria process. Which of the following contains seven levels used to rate the target?

A. TOE

B. ST

C. PP

D. EAL

13. An organization’s leadership is concerned about social engineering and hires a company to provide training for all employees. How is the organization handling the risk associated with social engineering?

A. They are accepting the risk.

B. They are avoiding the risk.

C. They are mitigating the risk.

D. They are transferring the risk.

14. In which phase of the ethical hacking methodology would a hacker be expected to discover available targets on a network?

A. Reconnaissance

B. Scanning and enumeration

C. Gaining access

D. Maintaining access

E. Covering tracks

15. Which of the following was created to protect shareholders and the general public from corporate accounting errors and fraudulent practices, and to improve the accuracy of corporate disclosures?

A. GLBA

B. HIPAA

C. SOX

D. FITARA

16. Which of the following best defines a logical or technical control?

A. Air conditioning

B. Security tokens

C. Fire alarms

D. Security policy

17. Which of the following was created to protect credit card data at rest and in transit in an effort to reduce fraud?

A. TCSEC

B. Common Criteria

C. ISO 27002

D. PCI-DSS

18. As part of the preparation phase for a pen test you are participating in, the client relays their intent to discover security flaws and possible remediation. They seem particularly concerned about internal threats from the user base. Which of the following best describes the test type the client is looking for?

A. Gray box

B. Black box

C. White hat

D. Black hat

19. In which phase of the attack would a hacker set up and configure “zombie” machines?

A. Reconnaissance

B. Covering tracks

C. Gaining access

D. Maintaining access

20. Which of the following should not be included in a security policy?

A. Policy exceptions

B. Details on noncompliance disciplinary actions

C. Technical details and procedures

D. Supporting document references

21. Which of the following is best defined as a set of processes used to identify, analyze, prioritize, and resolve security incidents?

A. Incident management

B. Vulnerability management

C. Change management

D. Patch management

22. During an assessment, your pen test team discovers child porn on a system. Which of the following is the appropriate response?

A. Continue testing and report findings at the out-brief.

B. Continue testing but report findings to the business owners.

C. Cease testing immediately and refuse to continue work for the client.

D. Cease testing immediately and contact authorities.

23. Which of the following best describes an intranet zone?

A. It has few heavy security restrictions.

B. A highly secured zone, usually employing VLANs and encrypted communication channels.

C. A controlled buffer network between public and private networks.

D. A very restricted zone with no users.

24. A machine in your environment uses an open X-server to allow remote access. The X-server access control is disabled, allowing connections from almost anywhere and with little to no authentication measures. Which of the following are true statements regarding this situation? (Choose all that apply.)

A. An external vulnerability can take advantage of the misconfigured X-server threat.

B. An external threat can take advantage of the misconfigured X-server vulnerability.

C. An internal vulnerability can take advantage of the misconfigured X-server threat.

D. An internal threat can take advantage of the misconfigured X-server vulnerability.

25. While performing a pen test, you find success in exploiting a machine. Your attack vector took advantage of a common mistake—the Windows 7 installer script used to load the machine left the administrative account with a default password. Which attack did you successfully execute?

A. Application level

B. Operating system

C. Shrink wrap

D. Social engineering

E. Misconfiguration


QUICK ANSWER KEY

1. C

2. A

3. B

4. A

5. B

6. A

7. C

8. D

9. A

10. A

11. B

12. D

13. C

14. B

15. C

16. B

17. D

18. A

19. D


20. C

21. A

22. D

23. A

24. B, D

25. B


ANSWERS

1. A security team is implementing various security controls across the organization. After several configurations and applications, a final agreed-on set of security controls is put into place; however, not all risks are mitigated by the controls. Of the following, which is the next best step?

A. Continue applying controls until all risk is eliminated.

B. Ignore any remaining risk as “best effort controlled.”

C. Ensure that any remaining risk is residual or low and accept the risk.

D. Remove all controls.

C. Remember at the beginning of this chapter when I said the process of elimination may be your best bet in some cases? Well, even if you aren’t well-versed in risk management and security control efforts, you could narrow this down to the correct answer. It is impossible to remove all risk from any system and still have it usable. I’m certain there are exceptions to this rule (maybe super-secret machines in underground vaults buried deep within the earth, running on geothermal-powered batteries, without any network access at all and controlled by a single operator who hasn’t seen daylight in many years), but in general the goal of security teams has always been to reduce risk to an acceptable level.

A is incorrect because, as I just mentioned, it’s impossible to reduce risk to absolute zero and still have a functional system. CEH Certified Ethical Hacker All-in-One Exam Guide, Fourth Edition, discusses the Security, Functionality, and Usability triangle, where as you move toward more security, you move further away from functionality and usability.

B is incorrect because it’s just silly. If you’re a security professional and your response to a risk—any risk—is to ignore it, I can promise you won’t be employed for long. Sure, you can point out that it’s low or residual and that the chance for actual exploitation is next to nonexistent, but you can’t ignore it. Best effort is for kindergarten trophies and IP packet delivery.

D is incorrect because removing all controls is worse than ignoring the risk. If you remove everything, then all risks remain. Remember, the objective is to balance your security controls to cover as much risk as possible while leaving the system as usable and functional as possible.

2. A Certified Ethical Hacker (CEH) follows a specific methodology for testing a system. Which step comes after footprinting in the CEH methodology?

A. Scanning

B. Enumeration

C. Reconnaissance

D. Application attack

A. CEH methodology is laid out this way: reconnaissance (footprinting), scanning and enumeration, gaining access, escalating privileges, maintaining access, and covering tracks. While you may be groaning about scanning and enumeration both appearing as answers, they’re placed here in this way on purpose. This exam is not only testing your rote memorization of the methodology but also how the methodology actually works. Remember, after scoping out the recon on your target, your next step is to scan it. After all, you have to know what targets are there first before enumerating information about them.

B is incorrect because, although it is mentioned as part of step 2, it’s actually secondary to scanning. Enumerating is used to gather more in-depth information about a target you already discovered by scanning. Things you might discover in scanning are IPs that respond to a ping. In enumerating each “live” IP, you might find open shares, user account information, and other goodies.

C is incorrect because reconnaissance and footprinting are interchangeable in CEH parlance. An argument can be made that footprinting is a specific portion of an overall recon effort; however, in all CEH documentation, these terms are used interchangeably.

D is incorrect because it references an attack. As usual, there’s almost always one answer you can throw out right away, and this is a prime example. We’re talking about step 2 in the methodology, where we’re still figuring out what targets are there and what vulnerabilities they may have. Attacking, at this point, is folly.

3. Your organization is planning for the future and is identifying the systems and processes critical for their continued operation. Which of the following best describes this effort?

A. BCP

B. BIA

C. DRP

D. ALE

B. A business impact analysis (BIA) best matches this description. In a BIA, the organization looks at all the systems and processes in use and determines which ones are absolutely critical to continued operation. Additionally, the assessor (the person or company conducting the analysis) will look at all the existing security architecture and make an evaluation on the likelihood of any system or resource being compromised. Part of this is assigning values to systems and services, determining the maximum tolerable downtime (MTD) for any, and identifying any overlooked vulnerabilities.

A is incorrect because a business continuity plan (BCP) contains all the procedures that should be followed in the event of an organizational outage—such as a natural disaster or a cyberattack. BCPs include the order in which steps should be taken and which system should be returned to service first. BCPs include DRPs (disaster recovery plans).

C is incorrect because a disaster recovery plan (DRP) contains steps and procedures for restoring a specific resource (service, system, and so on) after an outage. Usually DRPs are part of a larger BCP.

D is incorrect because the annualized loss expectancy (ALE) is a number, not a planning effort: it is the expected yearly cost of losing a specific resource. ALE is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). For example, if the total cost of a single loss of a resource is calculated at $1000 and you calculate there is a 10 percent chance it will fail in any given year, your ALE would be $100.

4. Which incident response (IR) phase is responsible for setting rules, identifying the workforce and roles, and creating backup and test plans for the organization?

A. Preparation

B. Identification

C. Containment

D. Recovery

A. So even if you weren’t aware of incident response phases, this one should’ve been a rather easy guess. In the preparation phase, your IR (incident response) team should be preparing for an incident. Preparation includes lots of things—some of which are mentioned here. But virtually anything you can think of that does not involve actions taken during the incident belongs here. Training, exercises, and policies are all examples.

As an aside, IR phases can be different depending on whom you ask and what the moon phase is, but generally IR is broken down into six phases: preparation, identification, containment, eradication, recovery, and lessons learned. Preparation we already covered. Identification refers to the steps taken to verify it’s actually an incident, and all the information surrounding that—source, destination(s), exploit used, malware used, and so on. Containment is the step used to cordon off the infected system(s) and to prevent any further spread of infection or attack. Eradication refers to steps taken to remove the malware (or other attack-related residuals, such as backdoors). Recovery involves the steps taken to rebuild and restore the system(s) and network to pre-attack status (with better security, I might add). Finally, lessons learned is exactly what it sounds like, and should feed right back into your organization’s preparation phase.

B is incorrect because the identification phase refers to the steps taken to verify the legitimacy of an active incident, as well as to gather information on the details of the attack.

C is incorrect because the containment phase deals with steps taken to reduce or prevent the spread of the infection or attack inside the network.

D is incorrect because the recovery phase deals with steps taken to restore and replace any resources damaged or affected by the attack footprint.

5. You’ve been hired as part of a pen test team. During the brief, you learn the client wants the pen test attack to simulate a normal user who finds ways to elevate privileges and create attacks. Which test type does the client want?

A. White box

B. Gray box

C. Black box

D. Hybrid

B. A gray-box test is designed to replicate an inside attacker. Otherwise known as the partial knowledge attack (don’t forget this term), the idea is to simulate a user on the inside who might know a little about the network, directory structure, and other resources in your enterprise. You’ll probably find this one to be the most enlightening attack in out-briefing your clients in the real world—it’s amazing what you can get to when you’re a trusted, inside user. As an aside, you’ll often find in the real world that gray-box testing can also refer to a test where any inside information is given to a pen tester—you don’t necessarily need to be a fully knowledgeable inside user. In other words, if you have usable information handed to you about your client, you’re performing gray-box testing.

A is incorrect because a white-box test provides all knowledge to the pen tester up front and is designed to simulate an admin on your network who, for whatever reason, decides to go on the attack. For most pen testers, this test is really just unfair. It’s tantamount to sending him into the Roman Colosseum armed with a .50-caliber automatic weapon to battle a gladiator who is holding a knife.

C is incorrect because black-box testing indicates no knowledge at all. And if you think about it, the name is easy to correlate and remember: black = no light. Therefore, you can’t “see” anything. This is the test most people think about when it comes to hacking. You know nothing and are (usually) attacking from the outside.

D is incorrect because, as far as I can tell from the EC-Council’s documentation, there is no terminology for a “hybrid-box” test. This is a little tricky because the term hybrid is used elsewhere—for attacks and other things. If you apply a little common sense here, this answer is easy to throw out. If you know everything about the target, it’s white. If you know nothing, it’s black. If you’re in the middle, it’s gray. See?

6. Which of the following is defined as ensuring that the enforcement of organizational security policy does not rely on voluntary user compliance by assigning sensitivity labels on information and comparing this to the level of security a user is operating at?

A. Mandatory access control

B. Authorized access control

C. Role-based access control

D. Discretionary access control

A. Access control is defined as the selective restraint of access to a resource, and there are several overall mechanisms to accomplish this goal. Mandatory access control (MAC) is one type that constrains the ability of a subject to access or perform an operation on an object by assigning and comparing “sensitivity labels.” Suppose a person (or a process) attempts to access or edit a file. With MAC, a label is placed on the file indicating its security level. If the entity attempting to access it does not have that level, or higher, then access is denied. With mandatory access control, security is centrally controlled by a security policy administrator, and users do not have the ability to override security settings.

This should not be confused with role-based access control (RBAC) systems, which may actually use MAC to get the job done. The difference is in whether the information itself has a labeled description or whether the person accessing it has their own label. For example, in a classified area, the information classified as Top Secret will have a label on it identifying it as such, while you, as an auditor, will have your own clearance and need-to-know label allowing you to access certain information. MAC is a property of an object; RBAC is a property of someone accessing an object.

B is incorrect because while authorized access control may sound great, it’s not a valid term.

C is incorrect because role-based access control can use MAC or discretionary access control to get the job done. With RBAC, the goal is to assign a role, and any entity holding that role can perform the duties associated with it. Users are not assigned permissions directly; they acquire them through their role (or roles). The roles are assigned to the user’s account, and each additional role provides its own unique set of permissions and rights.

D is incorrect because discretionary access control (DAC) allows the data owner, the user, to set security permissions for the object. If you’re on a Windows machine right now, you can create files and folders and then set sharing and permissions on them as you see fit. MAC administrators in the Department of Defense are shuddering at that thought right now.
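As an added illustration of the distinction drawn in this answer, here is a small Python model of the two mechanisms: a mandatory check that compares a subject's clearance against an object's sensitivity label (a hierarchical level plus need-to-know compartments), which neither the requester nor the file's owner can override, beside a discretionary object whose owner edits its ACL at will. This is example code written for this page, not EC-Council's nor any operating system's implementation; the level names, the auditor, the files and the users alice, bob and mallory are all constructed for the example.

```python
"""Added example: a minimal model of mandatory versus discretionary access
control. Illustrative code written for this page, not EC-Council's or any
real operating system's implementation. Labels, subjects, objects and user
names are all constructed for the example.
"""
from dataclasses import dataclass, field

# Ordered sensitivity levels. A higher index means a more sensitive label.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a hierarchical level plus need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high as `other` and covers all of its compartments."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.compartments <= self.compartments)


def mac_read_allowed(subject_clearance: Label, object_label: Label) -> bool:
    """Mandatory access control, read side: the subject's clearance must dominate
    the object's label. Neither the requester nor the file's owner can change the
    outcome; only the policy administrator assigns labels and clearances."""
    return subject_clearance.dominates(object_label)


@dataclass
class DacObject:
    """Discretionary access control: the owner keeps an ACL and may edit it at will."""
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> None:
        """Only the owner may change the ACL; this is where DAC's discretion lives."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this object")
        self.acl.setdefault(user, set()).add(perm)

    def allowed(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


def demo() -> dict:
    """Run both models over constructed subjects and objects and return the decisions."""
    # Constructed labels: an auditor cleared SECRET for the CRYPTO compartment,
    # a TOP SECRET report in CRYPTO, a SECRET memo in a compartment the auditor
    # lacks, and an unlabeled-compartment CONFIDENTIAL note.
    auditor = Label("SECRET", frozenset({"CRYPTO"}))
    ts_report = Label("TOP SECRET", frozenset({"CRYPTO"}))
    secret_memo_other = Label("SECRET", frozenset({"SIGINT"}))
    confidential_note = Label("CONFIDENTIAL")

    results = {
        "mac_read_ts_report": mac_read_allowed(auditor, ts_report),            # no read up
        "mac_read_other_compartment": mac_read_allowed(auditor, secret_memo_other),
        "mac_read_confidential": mac_read_allowed(auditor, confidential_note),
    }

    # DAC: the owner of a file decides who may read it and can widen access at will.
    memo = DacObject(owner="alice")
    results["dac_bob_before_grant"] = memo.allowed("bob", "read")
    memo.grant(actor="alice", user="bob", perm="read")
    results["dac_bob_after_grant"] = memo.allowed("bob", "read")
    try:
        memo.grant(actor="bob", user="mallory", perm="read")  # bob is not the owner
        results["dac_non_owner_grant"] = True
    except PermissionError:
        results["dac_non_owner_grant"] = False
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point the exam is after is visible in the two grant calls: under DAC, alice can hand bob access to her memo whenever she likes, while under MAC the auditor's SECRET/CRYPTO clearance is compared against each object's label by code the auditor does not control, so neither "read up" to TOP SECRET nor a read into a compartment outside need-to-know is ever the user's decision.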

7. Which of the following statements is true regarding the TCP three-way handshake?

A. The recipient sets the initial sequence number in the second step.

B. The sender sets the initial sequence number in the third step.

C. When accepting the communications request, the recipient responds with an acknowledgement and a randomly generated sequence number in the second step.

D. When accepting the communications request, the recipient responds with an acknowledgement and a randomly generated sequence number in the third step.

C. The three-way handshake will definitely show up on your exam, and in much trickier wording than this. It’s easy enough to memorize “SYN, SYN/ACK, ACK,” but you’ll need more than that for the exam.

In step 1, the host sends a segment to the server, indicating it wants to open a communications session. Inside this segment, the host turns on the SYN flag and sets an initial sequence number (any random 32-bit number). When the recipient gets the segment, it crafts a segment in response to let the host know it’s open and ready for the communications session. It does this by turning on the SYN and ACK flags, acknowledging the initial sequence number by incrementing it, and adding its own unique sequence number. Lastly, when the host gets this response back, it sends one more segment before the comm channel opens. In this segment, it sets the ACK flag and acknowledges the other’s sequence number by incrementing it.

For example, suppose Host A is trying to open a channel with Server B. In this example, Host A likes the sequence number 2000, while Server B likes 5000. The first segment would look like this: SYN=1, ACK=0, ISN=2000. The response segment would look like this: SYN=1, ACK=1, ISN=5000, ACK NO=2001. The third and final segment would appear this way: SYN=0, ACK=1, SEQ NO=2001, ACK NO=5001.

A is incorrect because the initial sequence number is set in the first step.

B is incorrect for the same reason—the ISN is set in the first step.

D is incorrect because this activity occurs in the second step.
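The exchange worked through in this answer, as an added example that is not part of the original book: a Python model of the three segments using Host A's ISN of 2000 and Server B's ISN of 5000, with the checks each side performs on the acknowledgement numbers. The Segment class, the step functions and the server_accepts helper are constructed for illustration and are not any real TCP stack's code; the only real-world reference is that production stacks choose ISNs unpredictably (RFC 6528) precisely so that an off-path attacker cannot forge the final ACK.

```python
"""Added example: a model of the TCP three-way handshake using the numbers from
the worked exchange in the answer (Host A chooses ISN 2000, Server B chooses
ISN 5000). Example code written for this page, not from the book or from any
TCP stack; the Segment class and the checks are constructed for illustration.
"""
from dataclasses import dataclass
import secrets

MASK32 = 0xFFFFFFFF  # sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    syn: int
    ack: int
    seq: int       # sequence number carried by this segment (the ISN in steps 1 and 2)
    ack_no: int    # acknowledgement number; meaningful only when ack == 1


def random_isn() -> int:
    """Any 32-bit value; a real stack uses an unpredictable generator (RFC 6528)."""
    return secrets.randbelow(2 ** 32)


def step1_syn(client_isn: int) -> Segment:
    """Step 1: the initiator sets SYN and announces its own ISN."""
    return Segment(syn=1, ack=0, seq=client_isn, ack_no=0)


def step2_syn_ack(syn: Segment, server_isn: int) -> Segment:
    """Step 2: the recipient sets SYN and ACK, acknowledges the client's ISN by
    incrementing it, and announces its own randomly chosen ISN."""
    if syn.syn != 1 or syn.ack != 0:
        raise ValueError("step 2 expects a bare SYN")
    return Segment(syn=1, ack=1, seq=server_isn, ack_no=(syn.seq + 1) & MASK32)


def step3_ack(syn_ack: Segment, client_isn: int) -> Segment:
    """Step 3: the initiator verifies its ISN was acknowledged, then acknowledges
    the server's ISN by incrementing it. SYN is off; the channel is now open."""
    if syn_ack.syn != 1 or syn_ack.ack != 1:
        raise ValueError("step 3 expects SYN/ACK")
    if syn_ack.ack_no != (client_isn + 1) & MASK32:
        raise ValueError("SYN/ACK does not acknowledge our ISN")
    return Segment(syn=0, ack=1, seq=(client_isn + 1) & MASK32,
                   ack_no=(syn_ack.seq + 1) & MASK32)


def handshake(client_isn: int, server_isn: int) -> list:
    """Run all three steps and return the segments in order."""
    s1 = step1_syn(client_isn)
    s2 = step2_syn_ack(s1, server_isn)
    s3 = step3_ack(s2, client_isn)
    return [s1, s2, s3]


def server_accepts(s3: Segment, server_isn: int) -> bool:
    """What the server checks on the final ACK: ACK number must equal its ISN + 1.
    A forged final ACK carrying a guessed ISN fails here, which is why ISN
    unpredictability matters to anyone spoofing a connection off-path."""
    return s3.syn == 0 and s3.ack == 1 and s3.ack_no == (server_isn + 1) & MASK32


if __name__ == "__main__":
    for seg in handshake(2000, 5000):
        print(seg)
    # The same exchange with unpredictable ISNs, as a real stack would do it.
    print(handshake(random_isn(), random_isn())[2])
```

Running the block prints the three segments from the answer (SYN with seq 2000; SYN/ACK with seq 5000 and ack 2001; ACK with seq 2001 and ack 5001). The step3_ack and server_accepts checks are the part worth studying for the spoofing material later in the book: each side only completes the handshake if the other side echoes its ISN plus one, so guessing the ISN is the whole problem for a blind attacker.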

8. Your network contains certain servers that typically fail once every five years. The total cost of one of these servers is $1000. Server technicians are paid $40 per hour, and a typical replacement requires two hours. Ten employees, earning an average of $20 per hour, rely on these servers, and even one of them going down puts the whole group in a wait state until it’s brought back up. Which of the following represents the ARO for a server?

A. $296

B. $1480

C. $1000

D. 0.20

D. When performing business impact analysis (or any other value analysis for that matter), the annualized loss expectancy (ALE) is an important measurement for every asset. To compute the ALE, multiply the annualized rate of occurrence (ARO) by the single loss expectancy (SLE). The ARO is the frequency at which a failure occurs on an annual basis. In this example, servers fail once every five years, so the ARO would be 1 failure / 5 years = 20 percent.

A is incorrect because this value equates to the ALE for the example. ALE = ARO × SLE. In this example, the ARO is 20 percent and the SLE is $1480: cost of a server ($1000) plus the cost of technician work to replace it ($80) plus lost time for workers (10 employees × 2 hours × $20 an hour, which works out to $400). Therefore, ALE = 20 percent × $1480, or $296.

B is incorrect because this value corresponds to the SLE for this scenario. The SLE is the total cost for a single loss, so we need to count the cost of the server, plus the cost of the technician’s hours, plus any downtime measurements for other workers. In this case, SLE = $1000 (cost of server) + $80 (server tech hours) + $400 (10 employees × 2 hours × $20 an hour), or $1480.

C is incorrect because $1000 is only the replacement cost of the server, one component of the SLE; it is a dollar figure, and the ARO is a rate, not a cost.
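The SLE, ARO and ALE arithmetic from this question and from answer 3, carried through as reusable Python functions. This is an added example for this page, not from the book; the LossScenario fields and the control_value helper (annual cost of a safeguard weighed against the ALE it removes, the usual way the "acceptable level" of risk from answer 1 is argued in numbers) are additions to the page's material, and the hot-spare figures in the usage run are hypothetical.

```python
"""Added example: single loss expectancy (SLE), annualized rate of occurrence
(ARO) and annualized loss expectancy (ALE) from the server question, written
as reusable functions. Example code for this page, not from the book. The
control_value helper is a standard risk-management extension, not something
the question itself asks for, and the hot-spare figures are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    asset_cost: float              # replacement cost of the asset, in dollars
    repair_hours: float            # hours of technician work per failure
    tech_rate: float               # technician cost per hour
    dependent_staff: int           # people idled while the asset is down
    staff_rate: float              # average hourly cost of each idled person
    years_between_failures: float  # mean time between failures, in years


def single_loss_expectancy(s: LossScenario) -> float:
    """SLE = asset replacement + technician labour + lost productivity for one failure."""
    labour = s.repair_hours * s.tech_rate
    downtime = s.dependent_staff * s.repair_hours * s.staff_rate
    return s.asset_cost + labour + downtime


def annualized_rate_of_occurrence(s: LossScenario) -> float:
    """ARO = expected failures per year; one failure every five years is 0.20."""
    return 1.0 / s.years_between_failures


def annualized_loss_expectancy(s: LossScenario) -> float:
    """ALE = ARO x SLE."""
    return annualized_rate_of_occurrence(s) * single_loss_expectancy(s)


def control_value(before: LossScenario, after: LossScenario, annual_control_cost: float) -> float:
    """Net annual value of a safeguard: ALE removed minus what the safeguard costs
    per year. A negative result means the control costs more than the risk it
    buys down, which is the point in answer 1 about reducing risk to an
    acceptable level rather than chasing zero."""
    return (annualized_loss_expectancy(before)
            - annualized_loss_expectancy(after)
            - annual_control_cost)


# The scenario from question 8, constructed from its figures.
SERVER = LossScenario(asset_cost=1000, repair_hours=2, tech_rate=40,
                      dependent_staff=10, staff_rate=20, years_between_failures=5)

# Hypothetical safeguard: a hot spare cuts the outage to 15 minutes at $150 a year.
WITH_SPARE = LossScenario(asset_cost=1000, repair_hours=0.25, tech_rate=40,
                          dependent_staff=10, staff_rate=20, years_between_failures=5)


if __name__ == "__main__":
    print("SLE :", single_loss_expectancy(SERVER))
    print("ARO :", annualized_rate_of_occurrence(SERVER))
    print("ALE :", annualized_loss_expectancy(SERVER))
    print("Net value of the hot spare per year:", control_value(SERVER, WITH_SPARE, 150))
```

For the question's figures the functions return an SLE of 1480, an ARO of 0.2 and an ALE of 296, matching the answer. The hot-spare run is the part the exam does not ask but a practitioner does: the spare lowers the SLE to 1060 and the ALE to 212, a saving of 84 a year, so at 150 a year it costs more than it saves and the residual risk should simply be accepted.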

9. An ethical hacker is given no prior knowledge of the network and has a specific framework in which to work. The agreement specifies boundaries, nondisclosure agreements, and a completion date definition. Which of the following statements is true?

A. A white hat is attempting a black-box test.

B. A white hat is attempting a white-box test.

C. A black hat is attempting a black-box test.

D. A black hat is attempting a gray-box test.

A. I love these types of questions. Not only is this a two-for-one question, but it involves identical but confusing descriptors, causing all sorts of havoc. The answer to attacking such questions—and you will see them, by the way—is to take each section one at a time. Start with what kind of hacker he is. He’s hired under a specific agreement, with full knowledge and consent of the target, thus making him a white hat. That eliminates C and D right off the bat. Second, to address what kind of test he’s performing, simply look at what he knows about the system. In this instance, he has no prior knowledge at all (apart from the agreement), thus making it a black-box test.

B is incorrect because although the attacker is one of the good guys (a white hat, proceeding with permission and an agreement in place), he is not provided with full knowledge of the system. In fact, it’s quite the opposite—according to the question he knows absolutely nothing about the system, making this particular “box” as black as it can be. A white-box target indicates one that the attacker already knows everything about. It’s lit up and wide open.

C is incorrect right off the bat because it references a black hat. Black-hat attackers are the bad guys—the ones proceeding without the target’s knowledge or permission. They usually don’t have inside knowledge of their target, so their attacks often start “black box.”

D is incorrect for the same reason just listed: because this attacker has permission to proceed and is operating under an agreement, he can’t be a black-hat attacker. Additionally, this answer went the extra mile to convince you it was wrong—and missed on both swings. Not only is this a white-hat attacker, but the attack itself is black box. A gray-box attack indicates at least some inside knowledge of the target.

10. Which of the following is a detective control?

A. Audit trail

B. CONOPS

C. Procedure

D. Smartcard authentication

E. Process

A. A detective control is an effort used to identify problems, errors, or (in the case of post-attack discovery) cause or evidence of an exploited vulnerability—and an audit log or trail is a perfect example. Ideally, detective controls should be in place and working such that errors can be corrected as quickly as possible. Many compliance laws and standards (the Sarbanes-Oxley Act of 2002 is one example) mandate the use of detective controls.

B is incorrect because a concept of operations (CONOPS) isn’t detective in nature. A CONOPS defines what a system is and how it is supposed to be used.

C is incorrect because a procedure is a document that spells out specific step-by-step instructions for a given situation or process.

D is incorrect because smartcard authentication is a preventive control, not a detective one. It’s designed to provide strong authentication, ideally preventing a problem in the first place.

E is incorrect because a process can refer to a lot of different things, depending on your definition and viewpoint, but is not detective in nature as a control. A process, in general, refers to a set of steps or actions directed at accomplishing a goal.

11. As part of a pen test on a U.S. government system,you discover files containing Social Securitynumbers and other sensitive personallyidentifiable information (PII). You are asked aboutcontrols placed on the dissemination of thisinformation. Which of the following acts shouldyou check?

A. FISMA

B. Privacy Act

C. PATRIOT Act

D. Freedom of Information Act

B. The Privacy Act of 1974 protects

Technet24||||||||||||||||||||

||||||||||||||||||||

Page 69: CEH Certified Ethical Hacker Practice Exams, Fourth

information of a personal nature, includingSocial Security numbers. The Privacy Actdefines exactly what “personal information”is, and it states that government agenciescannot disclose any personal informationabout an individual without that person’sconsent. It also lists 12 exemptions for therelease of this information (for example,information that is part of a law enforcementissue may be released). In other questions yousee, keep in mind that the Privacy Actgenerally will define the information that isnot available to you in and after a test.Dissemination and storage of privacyinformation needs to be closely controlled tokeep you out of hot water. As a side note, howyou obtain PII is oftentimes just as importantas how you protect it once discovered. In yourreal-world adventures, keep the Wiretap Act(18 U.S. Code Chapter 119—Wire andElectronic Communications Interception andInterception of Oral Communications) andothers like it in mind.

A is incorrect because the Federal Information Security Management Act (FISMA) isn’t designed to control the dissemination of PII or sensitive data. Its primary goal is to ensure the security of government systems by promoting a standardized approach to security controls, implementation, and testing. The act requires government agencies to create a security plan for their systems and to have it “accredited” at least once every three years.

C is incorrect because the PATRIOT Act is not an effort to control personal information. Its purpose is to aid the U.S. government in preventing terrorism by increasing the government’s ability to monitor, intercept, and maintain records on almost every imaginable form of communication. As a side effect, it has also served to increase observation and prevention of hacking attempts on many systems.

D is incorrect because the Freedom of Information Act wasn’t designed to tell you what to do with information. Its goal is to define how you can get information—specifically information regarding how your governments work. It doesn’t necessarily help you in hacking, but it does provide a cover for a lot of information. Anything you uncover that could have been gathered through the Freedom of Information Act is considered legal and should be part of your overall test.

12. Four terms make up the Common Criteria process. Which of the following contains seven levels used to rate the target?

A. TOE

B. ST

C. PP

D. EAL

D. Common Criteria is an international standard of evaluation of Information Technology (IT) products. Per the website (https://www.commoncriteriaportal.org/), Common Criteria ensures evaluations and ratings “are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles.”

Four terms within Common Criteria make up the process. The EAL (Evaluation Assurance Level) is made up of seven levels, which are used to rate a product after it has been tested. The current EAL levels are as follows:

• EAL1: Functionally tested

• EAL2: Structurally tested

• EAL3: Methodically tested and checked

• EAL4: Methodically designed, tested, and reviewed

• EAL5: Semi-formally designed and tested

• EAL6: Semi-formally verified, designed, and tested

• EAL7: Formally verified, designed, and tested

A is incorrect because TOE is the target of evaluation—the system or product actually being tested.

B is incorrect because ST is the security target—the documentation describing the target of evaluation and any security requirements.

C is incorrect because PP is the protection profile—a set of security requirements for the product type being tested.

13. An organization’s leadership is concerned about social engineering and hires a company to provide training for all employees. How is the organization handling the risk associated with social engineering?

A. They are accepting the risk.

B. They are avoiding the risk.

C. They are mitigating the risk.

D. They are transferring the risk.

C. When it comes to risks, there are four different methods of attempting to deal with them. In risk mitigation, steps are taken to reduce the chance that the risk will even occur, and in this example that’s exactly what’s happening. Training on social engineering should help reduce the likelihood an employee will fall victim (real-life concerns on this notwithstanding—we are talking about test questions here).

A is incorrect because the acceptance of risk means the organization understands the risk is there, but they don’t do anything about it. Why would a company take this action? Perhaps the chance a threat agent will (or even can) exploit the risk is so low it makes the effort to mitigate it pointless. Or it could be that mitigation simply costs more than any damage or recovery from exploitation in the first place. In any case, if the organization does nothing, they’re accepting risk.

B is incorrect because avoidance of risk means the organization takes steps to eliminate the service, action, or technology altogether. In other words, the risk is deemed so great the company would rather do without the asset or service in the first place. In the case of social engineering, unless the organization can work without employees, avoiding this risk is nearly impossible.

D is incorrect because transferring risk occurs when the organization puts the burden of risk on another party. For example, the company might hire an insurance company to pay off in the event a risk is exploited.

14. In which phase of the ethical hacking methodology would a hacker be expected to discover available targets on a network?

A. Reconnaissance

B. Scanning and enumeration

C. Gaining access

D. Maintaining access

E. Covering tracks

B. The scanning and enumeration phase is where you’ll use things such as ping sweeps to discover available targets on the network. This step occurs after reconnaissance. In this step, tools and techniques are actively applied to information gathered during recon to obtain more in-depth information on the targets. For example, reconnaissance may show a network subnet to have 500 or so machines connected inside a single building, whereas scanning and enumeration would discover which ones are Windows machines and which ones are running FTP.

A is incorrect because the reconnaissance phase is nothing more than the steps taken to gather evidence and information on the targets you want to attack. Activities that occur in this phase include dumpster diving and social engineering. Another valuable tool in recon is the Internet. Look for any of these items as key words in answers on your exam. Of course, in the real world you may actually gather so much information in your recon you’ll already be way ahead of the game in identifying targets and whatnot, but when it comes to the exam, stick with the hard-and-fast boundaries they want you to remember and move on.

C is incorrect because the gaining access phase is all about attacking the machines themselves. You’ve already figured out background information on the client and have enumerated the potential vulnerabilities and security flaws on each target. In this phase, you break out the big guns and start firing away. Key words you’re looking for here are the attacks themselves: accessing an open and unsecured wireless access point, manipulating network devices, writing and delivering a buffer overflow, and performing SQL injection against a web application are all examples.

D is incorrect because this phase is all about backdoors and the steps taken to ensure you have a way back in. For the savvy readers out there who noticed I skipped a step here (escalating privileges), well done. Key words you’ll look for on this phase (maintaining access) are backdoors, zombies, and rootkits.

E is incorrect because this phase is all about cleaning up when you’re done and making sure no one can see where you’ve been. Clearing tracks involves steps to conceal success and avoid detection by security professionals. Steps taken here consist of removing or altering log files, concealing files via hidden attributes or directories, and even using tunneling protocols to communicate with the system.

15. Which of the following was created to protect shareholders and the general public from corporate accounting errors and fraudulent practices, and to improve the accuracy of corporate disclosures?

A. GLBA

B. HIPAA

C. SOX

D. FITARA

C. The Sarbanes-Oxley Act (SOX; https://www.sec.gov/about/laws.shtml#sox2002) introduced major changes to the regulation of financial practice and corporate governance in 2002 and is arranged into 11 titles. SOX mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures, and combat corporate and accounting fraud, and it created the “Public Company Accounting Oversight Board,” also known as the PCAOB, to oversee the activities of the auditing profession.

A is incorrect because the Gramm-Leach-Bliley Act (GLBA; https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act) requires financial institutions—companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data. Under the Safeguards Rule, financial institutions must protect the consumer information they collect. GLBA protects the confidentiality and integrity of personal information collected by financial institutions.

B is incorrect because the Health Insurance Portability and Accountability Act (HIPAA; www.hhs.gov/hipaa/) was designed to protect the confidentiality of private health information. HIPAA contains privacy and security requirements, and provides steps and procedures for handling and protecting private health data.

D is incorrect because the Federal Information Technology Acquisition Reform Act (FITARA; https://www.congress.gov/bill/113th-congress/house-bill/1232) didn’t actually pass in full, but did contain sections that were eventually added as part of the National Defense Authorization Act (NDAA) for fiscal year 2015.

16. Which of the following best defines a logical or technical control?

A. Air conditioning

B. Security tokens

C. Fire alarms

D. Security policy

B. A logical (or technical) control is one used for identification, authentication, and authorization. It can be embedded inside an operating system, application, or database management system. A security token (such as RSA’s SecurID) can provide a number that changes on a recurring basis that a user must provide during authentication, or it may provide a built-in number on a USB device that must be attached during authentication. A physical control is something, well, physical in nature, such as a lock or key or maybe a guard.

A and C are incorrect because air conditioning and fire alarms both fall into the category of physical control.

D is incorrect because a security policy isn’t a logical or technical control.

17. Which of the following was created to protect credit card data at rest and in transit in an effort to reduce fraud?

A. TCSEC

B. Common Criteria

C. ISO 27002

D. PCI-DSS

D. The Payment Card Industry Data Security Standard (PCI-DSS) is a security standard for organizations that handle credit cards. A council including American Express, JCB, Discover, MasterCard, and Visa developed standards for the protection and transmission of card data to reduce credit card fraud. It’s administered by the Payment Card Industry Security Standards Council. Validation of compliance is performed annually. The standard is composed of 12 requirements:

• Requirement 1: Install and maintain firewall configuration to protect data.

• Requirement 2: Remove vendor-supplied default passwords and other default security features.

• Requirement 3: Protect stored data.

• Requirement 4: Encrypt transmission of cardholder data.

• Requirement 5: Install, use, and update AV (antivirus).

• Requirement 6: Develop secure systems and applications.

• Requirement 7: Use “need to know” as a guideline to restrict access to data.

• Requirement 8: Assign a unique ID to each stakeholder in the process (with computer access).

• Requirement 9: Restrict any physical access to the data.

• Requirement 10: Monitor all access to data and network resources holding, transmitting, or protecting it.

• Requirement 11: Test security procedures and systems regularly.

• Requirement 12: Create and maintain an information security policy.

A is incorrect because the Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book, was created by the Department of Defense (DoD) and defines and provides guidance on evaluating access controls within a system. TCSEC defines four levels of validation: verified protection, mandatory protection, discretionary protection, and minimal protection.

B is incorrect because Common Criteria (www.commoncriteriaportal.org/) is an international standard to test and evaluate IT products. Per the website, CC is a “framework in which computer system users can specify their security requirements through the use of Protection Profiles (PPs), vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard and repeatable manner at a level that is commensurate with the target environment for use.”

C is incorrect because ISO 27002 (www.iso27001security.com/html/27002.html) is an “information security standard published by ISO and the International Electrotechnical Commission (IEC) that recommends security controls based on industry best practices.” This standard includes 13 objectives, ranging from structure, risk assessment, and policy to access controls, human resources security, and compliance.

18. As part of the preparation phase for a pen test you are participating in, the client relays their intent to discover security flaws and possible remediation. They seem particularly concerned about internal threats from the user base. Which of the following best describes the test type the client is looking for?

A. Gray box

B. Black box

C. White hat

D. Black hat

A. Once again, this is a play on words the exam will throw at you. Note the question is asking about a test type, not the attacker. Reviewing CEH documentation, you’ll see there are three types of tests—white, black, and gray—with each designed to test a specific threat. White tests the internal threat of a knowledgeable systems administrator or an otherwise elevated privilege level user. Black tests external threats with no knowledge of the target. Gray tests the average internal user threat to expose potential security problems inside the network.

B is incorrect because black-box testing is designed to simulate the external threat. Black-box testing takes the most time to complete because it means a thorough romp through the five stages of an attack (and removes any preconceived notions of what to look for) and is usually the most expensive option. Another drawback to this type of test is that it focuses solely on the threat outside the organization and does not take into account any trusted users on the inside.

C is incorrect because a hat color refers to the attacker himself. True, the client is hiring a white hat in this instance to perform the test; however, the hat does not equate to the test. White hats are the “good guys”—ethical hackers hired by a customer for the specific goal of testing and improving security. White hats don’t use their knowledge and skills without prior consent.

D is incorrect because this question refers to the test itself, not the type of attacker. Black hats are the “bad guys” and are otherwise known as crackers. They illegally use their skills either for personal gain or for malicious intent, seeking to steal or destroy data or to deny access to resources and systems. Black hats do not ask for permission or consent.

19. In which phase of the attack would a hacker set up and configure “zombie” machines?

A. Reconnaissance

B. Covering tracks

C. Gaining access

D. Maintaining access

D. Zombies are basically machines the hacker has commandeered to do his work for him. If the attacker is really good, the owners of the zombie machines don’t even know their machines have been drafted into the war. There are a bajillion methods for maintaining access on a machine you’ve already compromised, and maintaining that access does not necessarily mean the system will be used as a zombie—you could, for example, simply want to check in from time to time to see what new juicy information the user has decided to leave in a file or folder for you, or to check on new logins, credentials, and so on. However, configuring zombie systems definitely belongs in this phase.

A is incorrect because the reconnaissance phase is all about gaining knowledge and information on a target. In reconnaissance, you’re learning about the target itself—for example, what system types they may have in use, what their operating hours are, whether they use a shredder, and what personal information about their employees is available. Think of reconnaissance as the background information on a good character in a novel; it may not be completely necessary to know before you read the action scenes, but it sure makes it easier to understand why the character behaves in a certain manner during the conflict phase of the book. Setting up zombie systems goes far beyond the boundaries of gathering information.

B is incorrect because this phase is where attackers attempt to conceal their success and avoid detection by security professionals. This can involve removing or altering log files, concealing files via hidden attributes or directories, and using tunneling protocols to communicate with the system.

C is incorrect because in this phase attacks are leveled against the targets identified during the scanning and enumeration phase. Key words to look for in identifying this phase are the attacks themselves (such as buffer overflow and SQL injection). Finally, be careful about questions relating to elevating privileges. Sometimes this is counted as its own phase, so pay close attention to the question’s wording in choosing your answer.

20. Which of the following should not be included in a security policy?

A. Policy exceptions

B. Details on noncompliance disciplinary actions

C. Technical details and procedures

D. Supporting document references

C. The whole policy/standard/procedure/guideline thing can get confusing sometimes. Policy is a high-level document that doesn’t get down and dirty into technical details/specifications and is intended to improve awareness. Policies are mandatory, generally short, and easy to understand, providing everyone with the rules of the road. Standards are mandatory rules designed to support a policy, and they must include one or more specifications for hardware, software, or behavior. Procedures are step-by-step instructions for completing a task. Guidelines are not mandatory, but rather are recommendations for accomplishing a goal or on how to act in a given situation.

A, B, and D are incorrect because all these are perfectly acceptable security policy entries. Exceptions to the policy and what happens to you should you decide not to follow the policy are expected entries. And supporting documents—such as various procedures, standards, and guidelines—are always referenced in the policy.

21. Which of the following is best defined as a set of processes used to identify, analyze, prioritize, and resolve security incidents?

A. Incident management

B. Vulnerability management

C. Change management

D. Patch management

A. Admittedly, this one is fairly easy—or at least it should be. Incident management is the process of dealing with incidents and generally always has the same features/steps—identify the problem or root cause, analyze and research the issue, contain the malicious effort, eradicate the effort, and resolve any damage caused. ECC defines the process as having eight steps: 1. Preparation, 2. Detection and Analysis, 3. Classification/Prioritization, 4. Notification, 5. Containment, 6. Forensic Investigation, 7. Eradication and Recovery, and 8. Post-incident Activities. The incident response team (IRT) is charged with handling this process.

B is incorrect because vulnerability management isn’t about responding to incidents; it’s about identifying and eradicating vulnerabilities before an incident can occur.

C is incorrect because change management involves implementing procedures or technologies to identify and implement required changes within a computer system.

D is incorrect because patch management is designed to manage the identification, installation, and tracking of security patches necessary within the environment.

22. During an assessment, your pen test team discovers child porn on a system. Which of the following is the appropriate response?

A. Continue testing and report findings at the out-brief.

B. Continue testing but report findings to the business owners.

C. Cease testing immediately and refuse to continue work for the client.

D. Cease testing immediately and contact authorities.

D. I hesitated to add this question, for reasons that are obvious and some that aren’t, but in the interest of covering everything, I felt I must. First and foremost, in the real world, discovery of something that you think might be illegal activity puts you and your team in a very, very tricky spot. Should you accuse fill-in-the-blank of a crime and involve the authorities, you could be setting yourself up for lawsuits and all sorts of trouble. On the other hand, if you ignore it, you might be found complicit, or at the very least negligent. In the real world, the answer is to make sure your scope agreement advises you and the client of your duty regarding potential criminal activity found during the scope of your investigation. No guessing is allowed—it better be iron-clad evidence, obvious to all, or you’re in a world of hurt. Lastly, what potentially illegal activity you discover may determine your response regardless of ROE (Rules of Engagement). If you discover child porn, you could be guilty of a crime for not reporting it, which isn’t necessarily true for many other crimes. For example, if you witness someone breaking into a house across your street, or were performing a pen test and reasonably suspected someone had already compromised the network, you are not compelled by law, in most states, to notify authorities. However, if you witness bodily harm, you likely would be compelled by law in most states. Speaking purely academically, it’s fairly clear cut and will be so on your exam. In the real world the true answer is to know the laws regarding your testing very well, and make sure your team has a good lawyer.

In this example, however, the choices present make this relatively easy. ECC wants ethical hackers to report any illegal activity they find. Period. Possession of child porn is a crime no matter what, so again in this particular case, stop your testing and report it to the authorities.

A and B are incorrect because regardless of reporting, you should immediately stop testing. Anything you do after discovery not only could destroy evidence but actually put you at risk. Who’s to say you didn’t put the item in question on the system, or by your action cause it to be there? Rest assured the defense attorney will posit that argument, should it come to that.

C is incorrect because you’ve already agreed to perform this work, and refusing to speak with the client isn’t helping anything at all. Again, this needs to be addressed in the scope agreement up front, so there should be no surprises. It may well be that Employee Joe has illegal stuff on his system, but that doesn’t necessarily mean the organization is complicit.

23. Which of the following best describes an intranet zone?

A. It has few heavy security restrictions.

B. A highly secured zone, usually employing VLANs and encrypted communication channels.

C. A controlled buffer network between public and private.

D. A very restricted zone with no users.

A. An intranet can be thought of, for testing purposes, as your own happy little networking safe space. It’s protected from outside attacks and interference by the DMZ and all the layers of security on the outside. Internally, you don’t assign loads of heavy security restrictions, because, as explained in the security versus usability discussion in the CEH All-in-One Exam Guide, Fourth Edition, as security increases, usability and functionality decrease. If your organization’s users are on the intranet, you want them as productive as possible, right?

B is incorrect because this describes the management network zone. This zone is usually cordoned off specifically for infrastructure and management traffic. For obvious reasons, it’s highly secured. Look for “VLAN” and “IPSec” as keywords for this zone.

C is incorrect because this describes the DMZ. The demilitarized zone in military parlance refers to a section of land between two adversarial parties where there are no weapons and no fighting. The idea is you could see an adversary coming across and have time to work up a defense. In networking, the idea is the same: it’s a controlled, buffer network between you and the uncontrolled chaos of the Internet. And keep in mind DMZs aren’t just between the Internet and a network; they can be anywhere an organization decides they want or need a buffer—inside or outside various inter and intra nets. DMZ networks provide great opportunity for good security measures, but can also sometimes become an Achilles’ heel when too much trust is put into their creation and maintenance.

D is incorrect because this describes the production network zone (PNZ). The PNZ is a very restricted zone that strictly controls direct access from uncontrolled zones. The PNZ supports functions and actions that must have strict access control. As an aside, the PNZ is not designed to hold users.

24. A machine in your environment uses an open X-server to allow remote access. The X-server access control is disabled, allowing connections from almost anywhere and with little to no authentication measures. Which of the following are true statements regarding this situation? (Choose all that apply.)

A. An external vulnerability can take advantage of the misconfigured X-server threat.

B. An external threat can take advantage of the misconfigured X-server vulnerability.

C. An internal vulnerability can take advantage of the misconfigured X-server threat.

D. An internal threat can take advantage of the misconfigured X-server vulnerability.

B, D. This is an easy one because all you have to understand are the definitions of threat and vulnerability. A threat is any agent, circumstance, or situation that could potentially cause harm or loss to an IT asset. In this case, the implication is the threat is an individual (hacker) either inside or outside the network. A vulnerability is any weakness, such as a software flaw or logic design, that could be exploited by a threat to cause damage to an asset. In both these answers, the vulnerability—the access controls on the X-server are not in place—can be exploited by the threat, whether internal or external.

A and C are both incorrect because they list the terms backward. Threats take advantage of vulnerabilities and exploit them, not the other way around.
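As an added defender-side check (not from the book), the following parses the output of the standard X11 `xhost` utility and classifies whether host-based access control is disabled, which is the vulnerability the question describes. The sample outputs are constructed to mirror `xhost`'s wording, and `check_live_display` is a hypothetical helper for running the same check on a local display.

```python
"""Classify an X server's host-based access control from `xhost` output.

Added example; not from the CEH practice exam text. `xhost` prints a header
saying whether access control is enabled, followed by the allow-list entries.
The two samples below are constructed, not captured from a real host.
"""
from __future__ import annotations

import shutil
import subprocess
from dataclasses import dataclass, field

# Constructed sample: the misconfiguration in the question (the result of `xhost +`)
OPEN_XSERVER = """access control disabled, clients can connect from any host
SI:localuser:alice
"""

# Constructed sample: the default, hardened state (the result of `xhost -`)
LOCKED_XSERVER = """access control enabled, only authorized clients can connect
SI:localuser:alice
"""


@dataclass
class XAccessState:
    access_control_enabled: bool
    allow_list: list[str] = field(default_factory=list)

    def risk(self) -> str:
        """Rate the exposure a threat (internal or external) could exploit."""
        if not self.access_control_enabled:
            return "high"      # any host may connect: the vulnerability itself
        # INET/INET6 entries grant access to named remote hosts, not just local users
        if any(e.split(":", 1)[0] in ("INET", "INET6") for e in self.allow_list):
            return "medium"
        return "low"           # only local or otherwise authorized clients


def parse_xhost(output: str) -> XAccessState:
    """Parse the text xhost prints; raise ValueError on anything unexpected."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty xhost output")
    header = lines[0].lower()
    if header.startswith("access control enabled"):
        enabled = True
    elif header.startswith("access control disabled"):
        enabled = False
    else:
        raise ValueError(f"unrecognised xhost header: {lines[0]!r}")
    return XAccessState(enabled, lines[1:])


def check_live_display(timeout: float = 5.0) -> XAccessState | None:
    """Hypothetical helper: run xhost against the current DISPLAY if possible."""
    if shutil.which("xhost") is None:
        return None
    try:
        proc = subprocess.run(["xhost"], capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return None
    if proc.returncode != 0:   # typically no DISPLAY set or no permission
        return None
    return parse_xhost(proc.stdout)


if __name__ == "__main__":
    for label, sample in (("open", OPEN_XSERVER), ("locked", LOCKED_XSERVER)):
        state = parse_xhost(sample)
        print(f"{label}: enabled={state.access_control_enabled}, risk={state.risk()}")
    live = check_live_display()
    print("live display:", "not available" if live is None else live.risk())
```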

25. While performing a pen test, you find success in exploiting a machine. Your attack vector took advantage of a common mistake—the Windows 7 installer script used to load the machine left the administrative account with a default password. Which attack did you successfully execute?

A. Application level

B. Operating system

C. Shrink wrap

D. Social engineering

E. Misconfiguration

B. Operating system (OS) attacks target common mistakes many people make when installing operating systems (for instance, accepting and leaving all the defaults). Examples usually include things such as administrator accounts with no passwords, ports left open, and guest accounts left behind. Another OS attack you may be asked about deals with versioning. Operating systems are never released fully secure and are consistently upgraded with hotfixes, security patches, and full releases. The potential for an old vulnerability within the enterprise is always high.

A is incorrect because application-level attacks are centered on the actual programming code of an application. These attacks are usually successful in an overall pen test because many people simply discount the applications running on their OS and network, preferring to spend their time hardening the OSs and network devices. Many applications on a network aren’t tested for vulnerabilities as part of their creation and, therefore, have many vulnerabilities built in.

C is incorrect because shrink-wrap attacks take advantage of the built-in code and scripts most off-the-shelf applications come with. These attacks allow hackers to take advantage of the very things designed to make installation and administration easier. These shrink-wrapped snippets make life easier for installation and administration, but they also make it easier for attackers to get in.

D is incorrect because social engineering isn’t relevant at all in this question. There is no human element here, so this one can be thrown out.

E is incorrect because misconfiguration attacks take advantage of systems that are, on purpose or by accident, not configured appropriately for security. For example, suppose an administrator wants to make things as easy as possible for the users and, in keeping with security and usability being on opposite ends of the spectrum, leaves security settings at the lowest possible level, enabling services, opening firewall ports, and providing administrative privileges to all users. It’s easier for the users but creates a target-rich environment for the hacker.

CHAPTER 2 Reconnaissance: Information Gathering for the Ethical Hacker

This chapter includes questions from the following topics:

• Define active and passive footprinting
• Identify methods and procedures in information gathering
• Understand the use of social networking, search engines, and Google hacking in information gathering
• Understand the use of whois, ARIN, and nslookup in information gathering
• Describe DNS record types

Criminology (the study of the nature, causes, control, and prevention of criminal behavior) is a fascinating subject, and although we’re concentrating on the virtual world in this book, it’s amazing how much footprinting is done in the physical criminal world as well. Most of us have already heard a million times the standard things we’re supposed to do to make our homes less desirable as a target for the bad guys. Things such as keeping the house well lit, installing timers on lights and TVs to make the house appear “lived in” all the time, and installing a good alarm system are so common in these discussions that we tend to nod off in boredom when a security expert starts talking about them. But did you know most common burglars prefer to work during the daytime, when it’s most likely you’re not at home at all? Did you know most don’t give a rip about your alarm system because they plan on being inside for eight to ten minutes or less? And did you further know that most timer systems for lights don’t change a thing in the bad guy’s mind because there’s usually sound associated with people being home?

For the sake of example, take an imaginary ride with me around my subdivision, and we’ll try thinking like a criminal footprinting a neighborhood for targets. Maybe we’ll start by just driving around the neighborhood to ascertain who the nosy neighbors are and what houses make the most promising opportunities. This house on our right is in a cul-de-sac and provides more privacy and less police patrol traffic than those on the main drag. Oh, what about that house over there? Yeah, it looks like the yard hasn’t been mowed for a while, so maybe they aren’t home—or they just don’t pay as close attention to home details as the other homeowners do. The owners of that two-story over there have a dog, so we’ll probably avoid that one. But look just there: that house has a giant box leaning against the garbage can for the brand-new 82-inch QLED TV the owner just purchased. We should probably write this address down for a closer look later. And the house across the pond there with the sliding glass door? It definitely has potential.

As fascinating as footprinting a building might seem, were you aware that you, as a person, could be footprinted in the physical world as well? According to several studies on the matter, criminals are good at sensing weakness based just on the way you walk. In one such study, 47 inmates at a maximum-security prison were surveyed, and the findings showed that social predators are very good at picking victims based on their gait, posture, and stride. The study provided the inmates with a film of 12 people (eight women and four men, some of whom had been attacked before) walking down a street and asked them to rate each person as a potential victim. The ratings were then compared against each person’s actual history. Surprisingly (or maybe not so surprisingly), the people who the criminals picked as likely victims were usually the same ones who had been victimized in the past. Inmates described the men and women they saw as targets as “walking like an easy target... slow, with short strides.” What distinguished the likely victims from the rest of the pedestrians? Things such as posture, body language, pace, length of stride, and awareness of their environment. Nonverbal communication works wonderfully well, and a person’s level of self-confidence can be identified just by the style of walk. Walk with your head down at a slow or unorganized, meandering pace, and you’re screaming to the world you lack self-confidence. Walk fast, fluidly, and with a purpose, and you’re less likely to be a target.

I could go on and on here (I really like this subject and could chat about it forever), but this book is about the virtual world, and I’m prepping you to be an ethical hacker, not a policeman working a beat. This chapter is also all about reconnaissance and footprinting—in the virtual world—and is all about the methods and tools used to gather information about your targets before you even try to attack them.

STUDY TIPS There will be plenty of questions from this particular segment of hacking, mainly because it’s so important to gather good intelligence before starting an attack. Sure, you can sometimes get lucky and strike quickly, but often, putting in the work during footprinting reaps the biggest rewards.

What will be the biggest area of focus you’ll see on your actual exam? A couple of versions ago, it was all things DNS, but now it’s much more varied. You are just as likely to see questions on active versus passive reconnaissance as you are Google hacking, OS fingerprinting, and DNS subtleties. EC-Council has definitely broadened the horizons when it comes to recon and footprinting questions so, while I hate to say memorize everything, memorize everything.

Tips on the tricky questions here are the same as you’ll hear me say in every other chapter—they’re nit-picky, in-the-weeds, specific-knowledge questions designed to trip you up. Know your e-mail headers and DNS records, of course, but you’ll also see questions on specific tools and how they act. And by all means start practicing your Google hacking right now—you’ll definitely need it since most Google hacking questions will require you to know exact syntax.

QUESTIONS

1. You are attempting to find out the operating system and CPU type of systems in your target organization. The DNS server you want to use for lookup is named ADNS_Server, and the target machine you want the information on is ATARGET_SYSTEM. Which of the following nslookup command series is the best choice for discovering this information? (The output of the commands is redacted.)

A.

B.

C.

D.

2. A pen test team member sends an e-mail to an address that she knows is not valid inside an organization. Which of the following is the best explanation for why she took this action?

A. To possibly gather information about internal hosts used in the organization’s e-mail system

B. To start a denial-of-service attack

C. To determine an e-mail administrator’s contact information

D. To gather information about how e-mail systems deal with invalidly addressed messages

3. From the partial e-mail header provided, which of the following represents the true originator of the e-mail message?

Return-path: <[email protected]>
Delivery-date: Tue, 12 Mar 2019 00:31:13 +0200
Received: from mailexchanger.anotherbiz.com ([220.15.10.254])
    by mailserver.anotherbiz.com running ExIM with esmtp
    id xxxxxx-xxxxxx-xxx; Tue, 12 Mar 2019 01:39:23 +0200
Received: from mailserver.anybiz.com ([158.190.50.254] helo=mailserver.anybiz.com)
    by mailexchanger.anotherbiz.com with esmtp id xxxxxx-xxxxxx-xx
    for [email protected]; Tue, 12 Mar 2019 01:39:23 +0200
Received: from SOMEONEComputer [217.88.53.154] (helo=[SOMEONEcomputer])
    by mailserver.anybiz.com with esmtpa (Exim x.xx)
    (envelope-from <[email protected]) id xxxxx-xxxxxx-xxxx
    for [email protected]; Mon, 11 Mar 2019 20:36:08 -0100
Message-ID: <[email protected]>
Date: Mon, 11 Mar 2019 20:36:01 -0100
X-Mailer: Mail Client
From: SOMEONE Name <[email protected]>
To: USERJOE Name <[email protected]>
Subject: Something to consider…

A. 220.15.10.254

B. 158.190.50.254

C. 217.88.53.154

D. The e-mail header does not show this information.

4. You are looking for pages with the terms CEH and V10 in their title. Which Google hack is the appropriate one?

A. inurl:CEH inurl:V10

B. allintitle:CEH V10

C. intitle:CEH inurl:V10

D. allinurl:CEH V10

5. You are on a Cisco router and want to identify the path a packet travels to a specific IP. Which of the following is the best command choice for this?

A. ping

B. ifconfig

C. tracert

D. traceroute

6. Which of the following activities are not considered passive footprinting? (Choose two.)

A. Dumpster diving

B. Reviewing financial sites for company information

C. Clicking links within the company’s public website

D. Calling the company’s help desk line

E. Employing passive sniffing

7. Examine the following command sequence:

Which of the following statements best describes the intent of the command sequence?

A. The operator is enumerating a system named someserver.

B. The operator is attempting DNS poisoning.

C. The operator is attempting a zone transfer.

D. The operator is attempting to find a name server.

8. An organization has a DNS server located in the DMZ and other DNS servers located on the intranet. What is this implementation commonly called?

A. Dynamic DNS

B. DNSSEC

C. Split DNS

D. Auto DNS

9. You are setting up DNS for your enterprise. Server A is both a web server and an FTP server. You want to advertise both services for this machine as name references your customers can use. Which DNS record type would you use to accomplish this?

A. NS

B. SOA

C. MX

D. PTR

E. CNAME

10. A company has a public-facing web application. Its internal intranet-facing servers are separated and protected by a firewall. Which of the following choices would be helpful in protecting against unwanted enumeration?

A. Allowing zone transfers to ANY

B. Ensuring there are no A records for internal hosts on the public-facing name server

C. Changing the preference number on all MX records to zero

D. Not allowing any DNS query to the public-facing name server

11. An ethical hacker searches for IP ranges owned by the client, reads news articles, observes when bank employees arrive and leave from work, searches the client’s job postings, and visits the client’s dumpster. Which of the following is a true statement?

A. All of the actions are active footprinting.

B. All of the actions are passive footprinting.

C. The ethical hacker is in the system attack phase.

D. The ethical hacker is acting as a black-hat attacker.

12. Examine the following SOA record:

If a secondary server in the enterprise is unable to check in for a zone update within an hour, what happens to the zone copy on the secondary?

A. The zone copy is dumped.

B. The zone copy is unchanged.

C. The serial number of the zone copy is decremented.

D. The serial number of the zone copy is incremented.

13. Which protocol and port number combination is used by default for DNS zone transfers?

A. UDP 53

B. UDP 161

C. TCP 53

D. TCP 22

14. Examine the following command-line entry:

Which statements are true regarding this command sequence? (Choose two.)

A. Nslookup is in noninteractive mode.

B. Nslookup is in interactive mode.

C. The output will show all mail servers in the zone somewhere.com.

D. The output will show all name servers in the zone somewhere.com.

15. Joe accesses the company website, www.anybusi.com, from his home computer and is presented with a defaced site containing disturbing images. He calls the IT department to report the website hack and is told they do not see any problem with the site—no files have been changed, and when accessed from their terminals (inside the company), the site appears normally. Joe connects over VPN into the company website and notices the site appears normally. Which of the following might explain the issue?

A. DNS poisoning

B. Route poisoning

C. SQL injection

D. ARP poisoning

16. One way to mitigate against DNS poisoning is to restrict or limit the amount of time records can stay in cache before they’re updated. Which DNS record type allows you to set this restriction?

A. NS

B. PTR

C. MX

D. CNAME

E. SOA

17. Which of the following may be a security concern for an organization?

A. The internal network uses private IP addresses registered to an Active Directory–integrated DNS server.

B. An external DNS server is Active Directory integrated.

C. All external name resolution requests are accomplished by an ISP.

D. None of the above.

18. Which of the following is a good footprinting tool for discovering information on a publicly traded company’s founding, history, and financial status?

A. SpiderFoot

B. EDGAR Database

C. Sam Spade

D. Pipl.com

19. What method does traceroute use to map routes traveled by a packet?

A. By carrying a hello packet in the payload, forcing the host to respond

B. By using DNS queries at each hop

C. By manipulating the Time-To-Live (TTL) parameter

D. By using ICMP Type 5, Code 0 packets

20. Brad is auditing an organization and is asked to provide suggestions on improving DNS security. Which of the following would be valid options to recommend? (Choose all that apply.)

A. Implementing a split-horizon operation


B. Restricting zone transfers

C. Obfuscating DNS by using the same server for other applications and functions

D. Blocking all access to the server on port 53

21. A zone file consists of which records? (Choose all that apply.)

A. PTR

B. MX

C. SN

D. SOA

E. DNS

F. A

G. AX

22. Within the OSRFramework, which tool verifies if a username/profile exists in up to 306 different platforms?

A. domainfy.py

B. mailfy.py

C. searchfy.py

D. usufy.py

23. A colleague enters the following into a Google search string:

intitle:intranet inurl:intranet intext:"finance"

Which of the following statements is most correct concerning this attempt?

A. The search engine will not respond with any result because you cannot combine Google hacks in one line.

B. The search engine will respond with all pages having the word intranet in their title and finance in the URL.

C. The search engine will respond with all pages having the word intranet in the title and in the URL.

D. The search engine will respond with only those pages having the word intranet in the title and URL and with finance in the text.

24. Amanda works as senior security analyst and overhears a colleague discussing confidential corporate information being posted on an external website. When questioned on it, he claims about a month ago he tried random URLs on the company’s website and found confidential information. Amanda visits the same URLs but finds nothing. Where can Amanda go to see past versions and pages of a website?

A. Search.com


B. Google cache

C. Pasthash.com

D. Archive.org

25. Which of the following is a primary service of the U.S. Computer Security Incident Response Team (CSIRT)?

A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide.

B. CSIRT provides a computer security surveillance service to supply the government with important intelligence information on individuals traveling abroad.

C. CSIRT provides a penetration testing service to support exception reporting on incidents worldwide by individuals and multinational corporations.

D. CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling an individual’s property or company’s asset.

26. Your client’s business is headquartered in Japan. Which regional registry would be the best place to look for footprinting information?

A. APNIC

B. RIPE

C. ASIANIC

D. ARIN

E. LACNIC


QUICK ANSWER KEY

1. A

2. A

3. C

4. B

5. D

6. D, E

7. A

8. C

9. E

10. B

11. B

12. B

13. C

14. B, C

15. A

16. E

17. B

18. B

19. C


20. A, B

21. A, B, D, F

22. D

23. D

24. D

25. A

26. A


ANSWERS

1. You are attempting to find out the operating system and CPU type of systems in your target organization. The DNS server you want to use for lookup is named ADNS_Server, and the target machine you want the information on is ATARGET_SYSTEM. Which of the following nslookup command series is the best choice for discovering this information? (The output of the commands is redacted.)

A.

B.

C.

D.

A. This question gets you on two fronts. One regards knowledge on HINFO, and the other is nslookup use. First, the DNS record HINFO (per RFC 1035) is a resource type that identifies values for CPU type and operating system. Are you absolutely required to include an HINFO record for each host in your network? No, not at all. Should you? I’m sure there’s some reason, somewhere and sometime, that adding HINFO makes sense, but I certainly can’t think of one. In other words, this is a great record type to remember for your exam, but your chances of seeing it in use in the real world rank somewhere between seeing Lobster on the menu at McDonald’s and catching a Leprechaun riding a unicorn through your backyard.

Nslookup syntax is the second portion of this question, and you’ll definitely need to know it. The syntax for the tool is fairly simple:

nslookup [-options] {hostname | [-server]}

The command can be run as a single instance, providing information based on the options you choose, or you can run it in interactive mode, where the command runs as a tool, awaiting input from you. For example, on a Microsoft Windows machine, if you simply type nslookup at the prompt, you’ll see a display showing your default DNS server and its associated IP address. From there, nslookup sits patiently, waiting for you to ask whatever you want (as an aside, this is known as interactive mode). Typing a question mark shows all the options and switches you have available.

B, C, and D are incorrect because the syntax does not match.

2. A pen test team member sends an e-mail to an address that she knows is not valid inside an organization. Which of the following is the best explanation for why she took this action?

A. To possibly gather information about internal hosts used in the organization’s e-mail system

B. To start a denial-of-service attack

C. To determine an e-mail administrator’s contact information

D. To gather information about how e-mail systems deal with invalidly addressed messages

A. The thought process behind this is a lot like banner grabbing or any of a hundred different forced-error situations in hacking: lots of information can be gleaned from responses to an error situation. A bogus internal address has the potential to provide more information about the internal servers used in the organization, including IP addresses and other pertinent details.

B is incorrect because a bogus e-mail doesn’t necessarily indicate the beginning of a DoS attack.

C is incorrect because the e-mail administrator’s contact information is not sent on invalid e-mail responses.

D is incorrect because the pen tester would already know how systems deal with bogus e-mail addresses—what she wouldn’t know is what servers inside this particular organization carry out those steps.

3. From the partial e-mail header provided, which of the following represents the true originator of the e-mail message?

Return-path: <[email protected]>
Delivery-date: Tue, 12 Mar 2019 00:31:13 +0200
Received: from mailexchanger.anotherbiz.com ([220.15.10.254])
    by mailserver.anotherbiz.com running ExIM with esmtp
    id xxxxxx-xxxxxx-xxx; Tue, 12 Mar 2019 01:39:23 +0200
Received: from mailserver.anybiz.com ([158.190.50.254] helo=mailserver.anybiz.com)
    by mailexchanger.anotherbiz.com with esmtp id xxxxxx-xxxxxx-xx
    for [email protected]; Tue, 12 Mar 2019 01:39:23 +0200
Received: from SOMEONEComputer [217.88.53.154] (helo=[SOMEONEcomputer])
    by mailserver.anybiz.com with esmtpa (Exim x.xx)
    (envelope-from <[email protected]) id xxxxx-xxxxxx-xxxx
    for [email protected]; Mon, 11 Mar 2019 20:36:08 -0100
Message-ID: <[email protected]>
Date: Mon, 11 Mar 2019 20:36:01 -0100
X-Mailer: Mail Client
From: SOMEONE Name <[email protected]>
To: USERJOE Name <[email protected]>
Subject: Something to consider…

A. 220.15.10.254

B. 158.190.50.254

C. 217.88.53.154

D. The e-mail header does not show this information.

C. E-mail headers are packed with information showing the entire route the message has taken, and I can guarantee you’ll see at least one question on your exam about them. You’ll most likely be asked to identify the true originator—the machine (person) who sent the e-mail in the first place (even though in the real world with proxies and whatnot to hide behind, it may be impossible). This is clearly shown in line 9: Received: from SOMEONEComputer [217.88.53.154] (helo=[SOMEONEcomputer]). But don’t just study and rely on that one section. Watch the entire trek the message takes and make note of the IPs along the way.

A and B are incorrect because these IPs do not represent the true originator of the message. They show e-mail servers that are passing/handling the message.

D is incorrect because the e-mail header definitely shows the true originator.
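The same reading of the header can be automated. The following is an added example, not code from the book: a small Python parser over a constructed copy of the question's header that unfolds the continuation lines, walks the Received chain from the bottom up (each MTA prepends its own Received line, so the lowest one is the first hop), and reports that first hop as the originator. Address fields are kept as "[email protected]" exactly as this copy of the book shows them, and the closing ">" after envelope-from is constructed.

```python
import re

# Constructed copy of the partial header from question 3 (added example).
# The obfuscated "[email protected]" addresses are kept as they appear in
# this copy of the book; the ">" closing envelope-from is constructed.
SAMPLE_HEADER = """\
Return-path: <[email protected]>
Delivery-date: Tue, 12 Mar 2019 00:31:13 +0200
Received: from mailexchanger.anotherbiz.com ([220.15.10.254])
  by mailserver.anotherbiz.com running ExIM with esmtp
  id xxxxxx-xxxxxx-xxx; Tue, 12 Mar 2019 01:39:23 +0200
Received: from mailserver.anybiz.com ([158.190.50.254] helo=mailserver.anybiz.com)
  by mailexchanger.anotherbiz.com with esmtp id xxxxxx-xxxxxx-xx
  for [email protected]; Tue, 12 Mar 2019 01:39:23 +0200
Received: from SOMEONEComputer [217.88.53.154] (helo=[SOMEONEcomputer])
  by mailserver.anybiz.com with esmtpa (Exim x.xx)
  (envelope-from <[email protected]>) id xxxxx-xxxxxx-xxxx
  for [email protected]; Mon, 11 Mar 2019 20:36:08 -0100
Message-ID: <[email protected]>
Date: Mon, 11 Mar 2019 20:36:01 -0100
X-Mailer: Mail Client
From: SOMEONE Name <[email protected]>
To: USERJOE Name <[email protected]>
Subject: Something to consider
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold_headers(raw):
    """Join folded continuation lines (those starting with whitespace,
    per RFC 5322) back onto their header and return (name, value) pairs."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def received_hops(raw):
    """Return the Received hops in transit order, oldest first, as
    (from_host, from_ip, by_host). Headers list them newest first."""
    hops = []
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        from_m = re.search(r"from\s+(\S+)", value)
        ip_m = IPV4.search(value)
        by_m = re.search(r"\bby\s+(\S+)", value)
        hops.append((from_m.group(1) if from_m else None,
                     ip_m.group(1) if ip_m else None,
                     by_m.group(1) if by_m else None))
    hops.reverse()
    return hops


def originator_ip(raw):
    """The first hop names the host that handed the message to the first
    MTA: the originator, as far as the headers can show it."""
    hops = received_hops(raw)
    return hops[0][1] if hops else None


if __name__ == "__main__":
    for i, (src, ip, relay) in enumerate(received_hops(SAMPLE_HEADER), 1):
        print(f"hop {i}: {src} [{ip}] -> {relay}")
    print("originator:", originator_ip(SAMPLE_HEADER))
```

When you do this on real mail, trust only the Received lines added by servers you control (the ones at the top of the chain); anything below the first MTA you own was supplied by the sender's side and can be written to say whatever the sender likes, which is the "proxies and whatnot" caveat in the answer.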

4. You are looking for pages with the terms CEH and V10 in their title. Which Google hack is the appropriate one?

A. inurl:CEH inurl:V10

B. allintitle:CEH V10

C. intitle:CEH inurl:V10

D. allinurl:CEH V10

B. The Google search operator allintitle searches for pages that contain the string, or strings, you specify. It also allows for the combination of strings in the title, so you can search for more than one term within the title of a page.

A is incorrect because the operator inurl looks only in the URL of the site, not the page title. In this example, the search might bring you to a page like this: http://anyplace.com/apache_Version/pdfs.html.

C is incorrect because the inurl operator isn’t looking in the page title. Yes, you can combine operators, but these two just won’t get this job done.

D is incorrect because allinurl does not look at page titles; it’s concerned only with the URL itself. As with the title searches, this allinurl operator allows you to combine search strings.

5. You are on a Cisco router and want to identify the path a packet travels to a specific IP. Which of the following is the best command choice for this?

A. ping

B. ifconfig

C. tracert

D. traceroute

D. You probably knew, right up front, this was a traceroute question, but the kicker comes when deciding which traceroute command to use. Traceroute, of course, uses ICMP packets and the TTL (Time-To-Live) value to map out a path between originator and destination. The first packet sent uses a TTL of 1, to show the first hop. The next packet sets it to 2, and so on, and so on, until the destination is found. Each ICMP response provides information on the current hop (unless ICMP is being filtered). On a Windows machine, you’d use the command tracert. On Linux (and Cisco for that matter), you’d use traceroute.

A is incorrect because the ping command simply tests for connectivity and to see if the system is “live.” ICMP Echo Request packets are sent to the destination, and ICMP Echo Reply packets are returned with information on the system. Of course, ICMP is often filtered at the host (or firewall) level, so a negative ping response doesn’t necessarily mean the system is down.

B is incorrect because the ifconfig command is used in Linux systems to display information about the system’s network interfaces. Ifconfig allows for configuring, controlling, and querying TCP/IP network interface parameters—for example, setting the IP address and subnet mask (netmask) on a NIC.

C is incorrect because the tracert command will work on a Windows system, but not on a Cisco device.

6. Which of the following activities are not considered passive footprinting? (Choose two.)

A. Dumpster diving

B. Reviewing financial sites for company information

C. Clicking links within the company’s public website

D. Calling the company’s help desk line

E. Employing passive sniffing

D, E. This one may be a little tricky, but only because we live and work in the real world and this is an exam question. EC-Council has several questionable takes on things regarding real-world application and what they say you should remember for your exam, and this is one of those examples. Just remember ECC wants you to know active and passive footprinting can be defined by two things: what you touch and how much discovery risk you put yourself in. Social engineering in and of itself is not all passive or active in nature. In the case of dumpster diving, it’s also considered passive (despite the real-world risk of discovery and the action you have to take to pull it off) according to ECC.

However, pick up a phone and call someone inside the company or talk to people in the parking lot, and you’ve exposed yourself to discovery and are now practicing active footprinting. As far as “passive” sniffing goes, sniffing isn’t a footprinting action at all. The term “passive sniffing” concerns the act of simply plugging in and watching what comes by, without any packet interjection or other action required on your part.

A, B, and C are incorrect because these are all examples of passive reconnaissance. Other examples might include checking out DNS records (DNS is publicly available and, per ECC, you can passively footprint an organization by using freely available DNS records) and checking job listings for the company.

7. Examine the following command sequence:

Which of the following statements best describes the intent of the command sequence?

A. The operator is enumerating a system named someserver.

B. The operator is attempting DNS poisoning.

C. The operator is attempting a zone transfer.

D. The operator is attempting to find a name server.

A. The HINFO record type is one of those really great ideas that was designed to make life easier on everyone yet turned out to be a horrible idea. Defined in RFC 1035, Host Information (HINFO) DNS records were originally intended to provide the type of computer and operating system a host uses (back in the day, you could also put things like room numbers and other descriptions in the record). However, to avoid publicly advertising that information (for obvious reasons), this record type simply is not used much anymore. And if you find one on a public-facing machine, it’s a sure sign of incompetence on the part of the server administrators. In this example, the type is set to HINFO, and a machine name—someserver—is provided. The attacker can use the information contained in the record as an enumeration source.

B is incorrect because DNS poisoning is not carried out this way. In this command sequence, the operator is asking for information, not pushing up false entries to a name server.

C is incorrect because this is not how nslookup is used to perform a zone transfer. To do that, you would use the set type=any command and then ls -d anybiz.com. You’ll more than likely see that on your exam, too.

D is incorrect because checking for name servers in the domain would require the set type=NS command.

8. An organization has a DNS server located in the DMZ and other DNS servers located on the intranet. What is this implementation commonly called?

A. Dynamic DNS

B. DNSSEC

C. Split DNS

D. Auto DNS

C. The idea behind split DNS is pretty simple: create two zones for the same domain, with one just for the internal network while the other is used by any external networks. Internal hosts are directed to the internal domain name server. Separating the domain servers greatly restricts the footprinting an attacker can perform from the outside.

A is incorrect because dynamic DNS doesn’t work this way. In “regular” DNS, a name is tied to a static IP address; however, for any number of reasons, a hosted device may need to change its IP address often. In dynamic DNS, a service provider uses a program that runs on the system, contacting the DNS service each time the IP address changes and subsequently updating the DNS database to reflect the change in IP address. That way, even though a domain name’s IP address changes, users don’t have to do anything out of the ordinary to continue service—the dynamic DNS service will ensure they’re pointed in the right direction.

B is incorrect because Domain Name System Security Extensions (DNSSEC) is a suite of IETF specifications for securing certain kinds of information provided by DNS. Dan Kaminsky made DNS vulnerabilities widely known back around 2010, and most service providers roll this out to ensure that DNS results are cryptographically protected. It’s designed to provide origin authentication of DNS data and data integrity.

D is incorrect because this term simply doesn’t exist. It’s here purely as a distractor.
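Split DNS is usually implemented on one server with two views rather than with two physically separate zone files that drift apart. As an added example (not from the book), here is how that looks in a BIND 9 named.conf; the ACL ranges, the example.com zone, the file paths, and the internal secondary at 10.0.0.53 are constructed placeholders. The external view answers with the public record set only, refuses recursion, and refuses zone transfers, which is the combination question 20 is getting at.

```conf
// Constructed BIND 9 named.conf fragment (added example, not the book's).
acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;                       // internal clients may resolve the outside world
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.internal";   // full record set
        allow-transfer { 10.0.0.53; };   // only the internal secondary
    };
};

view "external" {
    match-clients { any; };              // everyone else, i.e. the Internet
    recursion no;                        // an open resolver is itself a footprinting aid
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.external";   // public hosts only: www, mail, ns
        allow-transfer { none; };
    };
};
```

Views are matched in order, so the internal view must come first; a client that does not match "internal-nets" falls through to the external view and never sees the internal file. After editing, named-checkconf and named-checkzone on each file catch syntax errors before a reload.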

9. You are setting up DNS for your enterprise. Server A is both a web server and an FTP server. You want to advertise both services for this machine as name references your customers can use. Which DNS record type would you use to accomplish this?

A. NS

B. SOA

C. MX

D. PTR

E. CNAME

E. We all know—or should know by now—that a hostname can be mapped to an IP using an A record within DNS. CNAME records provide for aliases within the zone on that name. For instance, your server might be named mattserver1.matt.com. A sample DNS zone entry to provide HTTP and FTP access might look like this:


A is incorrect because a Name Server (NS) record shows the name servers within your zone. These servers are the ones that respond to your client’s requests for name resolution.

B is incorrect because the Start of Authority (SOA) entry identifies the primary name server for the zone. The SOA record contains the hostname of the server responsible for all DNS records within the namespace, as well as the basic properties of the domain.

C is incorrect because the Mail Exchange (MX) record identifies the e-mail servers within your domain.

D is incorrect because a Pointer (PTR) record works the opposite to an A record. The pointer maps an IP address to a hostname and is generally used for reverse lookups.

10. A company has a public-facing web application. Its internal intranet-facing servers are separated and protected by a firewall. Which of the following choices would be helpful in protecting against unwanted enumeration?

A. Allowing zone transfers to ANY

B. Ensuring there are no A records for internal hosts on the public-facing name server


C. Changing the preference number on all MX records to zero

D. Not allowing any DNS query to the public-facing name server

B. If your company has a publicly facing website, it follows that a name server somewhere has to answer lookups in order for your customers to find the site. That name server, however, does not need to hold records for internal machines. Of the choices provided, as silly as it seems to point out, ensuring there are no A records (those used to map hostnames to an IP address) for internal hosts on the external name server is a good start.

A is incorrect because allowing a zone transfer to anyone asking for it is just plain dumb. It may or may not help an attacker enumerate your internal network (maybe you don’t have anything in there to worry about), but it’s just a horrendously bad idea.

C is incorrect because changing the preference number on an MX record doesn’t have a thing to do with enumeration. The preference number (a lower number means first used) determines only which server handles e-mail first.

D is incorrect because if your customers can’t query for the IP associated with the hostname, how are they supposed to find your website?

11. An ethical hacker searches for IP ranges owned by the client, reads news articles, observes when bank employees arrive and leave from work, searches the client’s job postings, and visits the client’s dumpster. Which of the following is a true statement?

A. All of the actions are active footprinting.

B. All of the actions are passive footprinting.

C. The ethical hacker is in the system attack phase.

D. The ethical hacker is acting as a black-hat attacker.

B. I know, I know—I can hear you professional test takers screaming at me already: “Any answer that starts with ‘all’ can be eliminated!” And, normally, I’d agree with you, but it’s precisely why I added it here. Each and every example in this question happens to be an example of passive footprinting.


A is incorrect because none of these actions are active footprinting. An active footprinting effort is one that requires the attacker to touch the device, network, or resource, whereas passive footprinting refers to measures to collect information from publicly accessible sources.

C is incorrect because the attacker is in the reconnaissance phase.

D is incorrect because there is no indication which “hat” the attacker is acting as, although as an ethical hacker, it should be as a white hat.

12. Examine the following SOA record:

If a secondary server in the enterprise is unable to check in for a zone update within an hour, what happens to the zone copy on the secondary?

A. The zone copy is dumped.

B. The zone copy is unchanged.

C. The serial number of the zone copy is decremented.


D. The serial number of the zone copy is incremented.

B. You will definitely see questions about the SOA record. In this question, the key portion you’re looking for is the TTL (Time-To-Live) value at the bottom, which is currently two hours (7200 seconds). This sets the time a secondary server has to verify its records are good. If it can’t check in, this TTL for zone records will expire, and they’ll all be dumped. Considering, though, this TTL is set to two hours and the question states it has been only one hour since update, the zone copy on the secondary will remain unchanged. One caveat for real-world work: in RFC 1035 terms, the SOA field that decides when a secondary stops serving a zone it cannot refresh is the expire value, while the minimum value at the bottom of the record is the negative-caching TTL (RFC 2308). The exam treats the value shown as the window, so read the record you’re given.

A is incorrect because the secondary is still well within its window for verifying the zone copy it holds. It dumps the records only when that window is exceeded.

C is incorrect because, first, serial numbers are never decremented; they’re always incremented. Second, the serial number of the zone copy is changed only when a connection to the primary occurs and a copy is updated.

D is incorrect because while serial numbers are incremented on changes (the secondary copies the number from the primary’s copy when transferring records), the serial number of the zone copy is changed only when a connection to the primary occurs and a copy is updated. That has not occurred here.
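The refresh/retry/expire behaviour this answer describes, as an added Python example that is not from the book. It models what a secondary does with its zone copy as time passes; the timer values, server name and serial are assumptions, not the record in the figure the question refers to. Note the copy is only discarded by the expire timer, and the serial only moves when a transfer actually happens.

```python
"""Secondary name server zone-copy state machine driven by SOA timers.

Added illustration for the SOA question; the values below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SOA:
    primary: str
    serial: int
    refresh: int   # seconds between checks of the primary's serial
    retry: int     # seconds to wait after a failed refresh before trying again
    expire: int    # seconds after the last good refresh before the copy is discarded
    minimum: int   # negative-caching TTL (RFC 2308), not the zone-expiry clock


@dataclass
class SecondaryCopy:
    soa: SOA
    serial: int
    last_refresh_ok: int          # seconds-since-epoch of the last successful refresh
    authoritative: bool = True


def secondary_state(copy: SecondaryCopy, now: int, primary_reachable: bool,
                    primary_serial: int) -> str:
    """Advance the secondary's copy to time `now` and say what happened.

    Returns "unchanged", "retry-scheduled", "transferred" or "expired".
    In the first two cases the stored zone and its serial are untouched.
    """
    elapsed = now - copy.last_refresh_ok
    if elapsed >= copy.soa.expire:
        # Only the SOA expire value dumps the zone; TTL/minimum never does.
        copy.authoritative = False
        return "expired"
    if elapsed < copy.soa.refresh:
        return "unchanged"          # not yet time to ask the primary
    if not primary_reachable:
        return "retry-scheduled"    # keep serving the old copy, try again after `retry`
    if primary_serial > copy.serial:
        # Serials only ever go up; the secondary copies the primary's value.
        copy.serial = primary_serial
        copy.last_refresh_ok = now
        return "transferred"
    copy.last_refresh_ok = now      # same serial: refreshed, nothing to copy
    return "unchanged"


def question_scenario() -> str:
    """Question 12: the secondary has been unable to reach the primary for one hour."""
    soa = SOA("ns1.anybiz.com.", 2021110101, refresh=3600, retry=600, expire=7200, minimum=7200)
    copy = SecondaryCopy(soa, serial=soa.serial, last_refresh_ok=0)
    return secondary_state(copy, now=3600, primary_reachable=False, primary_serial=soa.serial)


if __name__ == "__main__":
    print(question_scenario())  # the copy is unchanged; a retry timer is now running
```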

13. Which protocol and port number combination is used by default for DNS zone transfers?

A. UDP 53

B. UDP 161

C. TCP 53

D. TCP 22

C. TCP 53 is the default protocol and port number for zone transfers. DNS actually uses both TCP and UDP to get its job done, and if you think about what it’s doing, they make sense in particular circumstances. A name resolution request and reply? Small and quick, so use port 53 on UDP. A zone transfer, which could potentially be large and requires some insurance it all gets there? Port 53 on TCP is the answer.

A, B, and D are incorrect because they do not represent the default port and protocol combination for a zone transfer.
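What "zone transfer over TCP" looks like on the wire, as an added Python example that is not from the book: build an AXFR request for a zone, show the two-byte length prefix RFC 1035 requires on TCP (UDP carries the message bare), and split a TCP stream back into messages, since a transfer arrives as several. The zone name and transaction ID are assumptions, and nothing is sent.

```python
"""DNS message construction and TCP framing for a zone transfer (AXFR).

Added illustration; no network traffic is generated.
"""
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "AXFR": 252, "ANY": 255}


def encode_name(name: str) -> bytes:
    """'anybiz.com.' -> b'\\x06anybiz\\x03com\\x00' (length-prefixed labels, RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234, recursion_desired: bool = True) -> bytes:
    """12-byte header (RFC 1035 4.1.1) plus one question; this is the UDP payload as-is."""
    flags = 0x0100 if recursion_desired else 0          # RD bit; QR=0 marks a query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, others 0
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # QCLASS IN


def frame_for_tcp(message: bytes) -> bytes:
    """Over TCP each message is preceded by its length in two bytes (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message


def split_tcp_stream(data: bytes) -> list:
    """Split a TCP byte stream into DNS messages; an AXFR answer is a series of them."""
    messages = []
    while len(data) >= 2:
        (length,) = struct.unpack("!H", data[:2])
        if len(data) < 2 + length:
            break                      # trailing partial message: wait for more bytes
        messages.append(data[2:2 + length])
        data = data[2 + length:]
    return messages


def parse_header(message: bytes) -> dict:
    """Decode the fixed header so a reply can be checked against the query sent."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": txid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rd": (flags >> 8) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


if __name__ == "__main__":
    axfr = build_query("anybiz.com.", "AXFR", recursion_desired=False)
    print(frame_for_tcp(axfr).hex())
```

A zone transfer request is sent with RD clear (recursion makes no sense for AXFR), and an authoritative server that refuses the transfer answers with RCODE 5 (REFUSED) in the header rather than a stream of records.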

14. Examine the following command-line entry:


Which statements are true regarding this command sequence? (Choose two.)

A. Nslookup is in noninteractive mode.

B. Nslookup is in interactive mode.

C. The output will show all mail servers in the zone somewhere.com.

D. The output will show all name servers in the zone somewhere.com.

B, C. Nslookup runs in one of two modes, interactive and noninteractive. Noninteractive mode is simply the use of the command followed by an output. For example, nslookup www.google.com will return the IP address your server can find for Google. Interactive mode is started by simply typing nslookup and pressing ENTER. Your default server name will display, along with its IP address, and a > prompt will await entry of your next command. In this scenario, we’ve entered interactive mode and set the type to MX, which we all know means “Please provide me with all the mail exchange servers you know about.”

A is incorrect because we are definitely in interactive mode.

D is incorrect because type was set to MX, not NS.

15. Joe accesses the company website, www.anybusi.com, from his home computer and is presented with a defaced site containing disturbing images. He calls the IT department to report the website hack and is told they do not see any problem with the site—no files have been changed, and when accessed from their terminals (inside the company), the site appears normally. Joe connects over VPN into the company website and notices the site appears normally. Which of the following might explain the issue?

A. DNS poisoning

B. Route poisoning

C. SQL injection

D. ARP poisoning

A. DNS poisoning makes the most sense here. In many cases (such as mine right here in my own work-from-home office), a VPN connection back to the company forces you to use the company DNS instead of your local resolution. In this example, Joe’s connection from home uses a different DNS server for lookups than that of the business network. It’s entirely possible someone has changed the cache entries in his local server to point to a different IP than the one hosting the real website—one that the hackers have set up to provide the defaced version. The fact the web files haven’t changed and it seems to be displaying just fine from inside the network also bears this out. If it turns out Joe’s DNS modification is the only one in place, there is a strong likelihood that Joe is being specifically targeted for exploitation—something Joe should take very seriously. Lastly, the HOSTS and LMHOSTS files can also play a big role in this kind of scenario—however, if an attacker already has that kind of access to Joe’s computer, he has bigger problems than the corporate website.

B is incorrect because route poisoning has nothing to do with this. Route poisoning is used in distance vector routing protocols to prevent route loops in routing tables.

C is incorrect because although SQL injection is, indeed, a hacking attack, it’s not relevant here. The fact the website files remain intact and unchanged proves that access to the site through an SQL weakness isn’t what occurred here.

D is incorrect because ARP poisoning is relevant inside a particular subnet, not outside it (granted, a router configured for proxy ARP blurs that boundary, but that simply isn’t the case for this question). ARP poisoning will redirect a request from one machine to another inside the same subnet and has little to do with the scenario described here.

16. One way to mitigate against DNS poisoning is to restrict or limit the amount of time records can stay in cache before they’re updated. Which DNS record type allows you to set this restriction?

A. NS

B. PTR

C. MX

D. CNAME

E. SOA

E. The SOA record holds all sorts of information, and when it comes to DNS poisoning, the TTL is of primary interest. The shorter the TTL, the less time records are held in cache. While it won’t prevent DNS poisoning altogether, it can limit the problems a successful cache poisoning attack causes. For exam purposes the answer is SOA; in practice, note that each resource record carries its own TTL (set zone-wide in BIND by the $TTL directive), and the SOA minimum field governs negative caching (RFC 2308).

A is incorrect because an NS record shows the name servers found in the domain.

B is incorrect because a PTR record provides for reverse lookup capability—an IP-address-to-hostname mapping.

C is incorrect because an MX record shows the mail exchange servers in the zone.

D is incorrect because a CNAME record is used to provide alias entries for your zone (usually for multiple services or sites on one IP address).

17. Which of the following may be a security concern for an organization?

A. The internal network uses private IP addresses registered to an Active Directory–integrated DNS server.

B. An external DNS server is Active Directory integrated.

C. All external name resolution requests are accomplished by an ISP.

D. None of the above.


B. If you have a Windows Active Directory (AD) network, having AD-integrated DNS servers has some great advantages. For example (and directly from Microsoft, I might add), “with directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model. In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.” Zones are also replicated and synchronized to new domain controllers automatically whenever a new one is added to an Active Directory domain, and directory replication is faster and more efficient than standard DNS replication. But having an Active Directory server facing externally is a horrible idea.

A is incorrect because having AD-integrated DNS servers inside your network, with all private IP addresses, is just fine. Actually, it’s a pretty good idea if you think about it for a bit.

C is incorrect because having an external ISP answer all name resolution requests for your public-facing servers isn’t a bad idea at all. Even if the ISP’s DNS is subject to attack, nothing is there but the public-facing hosts anyway.

D is incorrect because there is a correct answer provided.

18. Which of the following is a good footprinting tool for discovering information on a publicly traded company’s founding, history, and financial status?

A. SpiderFoot

B. EDGAR Database

C. Sam Spade

D. Pipl.com

B. The EDGAR Database (https://www.sec.gov/edgar.shtml) holds various competitive intelligence information on businesses and is an old favorite of EC-Council. Per the website, “All companies, foreign and domestic, are required to file registration statements, periodic reports, and other forms electronically through EDGAR. Anyone can access and download this information for free. Here you’ll find links to a complete list of filings available through EDGAR and instructions for searching the EDGAR database.” Finally, one more note on EDGAR and the SEC: They have purview only over publicly traded companies. Privately held companies are not regulated or obligated to put information in EDGAR. Additionally, even publicly traded companies might not provide information about privately owned subsidiaries, so be careful and diligent.

A is incorrect because SpiderFoot is a free, open source, domain footprinting tool. According to the site, “it will scrape the websites on that domain, as well as search Google, Netcraft, Whois and DNS to build up information.”

C is incorrect because Sam Spade is a DNS footprinting tool.

D is incorrect because pipl.com is a site used for “people search.” For footprinting, pipl.com can use so-called “deep web searching” for loads of information you can use. The following is from the site: “Also known as ‘invisible web,’ the term ‘deep web’ refers to a vast repository of underlying content, such as documents in online databases that general-purpose web crawlers cannot reach. The deep web content is estimated at 500 times that of the surface web, yet has remained mostly untapped due to the limitations of traditional search engines.”

19. What method does traceroute use to map routes traveled by a packet?

A. By carrying a hello packet in the payload, forcing the host to respond

B. By using DNS queries at each hop

C. By manipulating the Time-To-Live (TTL) parameter

D. By using ICMP Type 5, Code 0 packets

C. Traceroute tracks a packet across the Internet by manipulating the TTL: the first probe is sent with a TTL of 1, the next with a TTL of 2, and so on, one higher for each hop. The router that decrements a probe’s TTL to zero discards it and sends back an ICMP Time Exceeded message (Type 11, Code 0) from its own address, so each response comes back explicitly from that hop and reveals its IP address (and, with a reverse lookup, its name) along with the transit time. This provides route path and transit times. Windows tracert uses ICMP Echo Request packets as the probes, and the destination answers the last one with an Echo Reply. As an aside, Linux machines use a series of UDP packets to high-numbered ports by default to carry out the same function in traceroute, with the destination answering ICMP Port Unreachable.

A is incorrect because ICMP simply doesn’t work that way. A hello packet is generally used between clients and servers as a check-in/health mechanism, not a route-tracing method.

B is incorrect because a DNS lookup at each hop is pointless and does you no good. DNS isn’t for route tracing; it’s for matching hostnames and IP addresses.

D is incorrect because an ICMP Type 5, Code 0 packet is all about message redirection and not about a ping request (Type 8).
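The TTL mechanics from this answer, as an added Python simulation that is not from the book. The path of routers and the destination address are constructed and no packets are sent; the code walks each probe along the path, has the router that exhausts the TTL answer with Time Exceeded, and shows the common failure mode of a hop that filters ICMP errors and therefore prints as an asterisk.

```python
"""Simulated traceroute: increasing-TTL probes and the ICMP replies they provoke.

Added illustration; the topology below is invented.
"""
from dataclasses import dataclass

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11


@dataclass(frozen=True)
class Reply:
    source: str
    icmp_type: int
    icmp_code: int


def forward_probe(path, destination, ttl, probe="icmp", silent=frozenset()):
    """Carry one probe with the given TTL along `path` (router IPs) toward `destination`.

    Each router decrements the TTL. The router that takes it to zero discards the probe
    and returns ICMP Time Exceeded (Type 11, Code 0) from its own address, unless it is
    in `silent` (filters ICMP errors), in which case the prober sees nothing. A probe
    that reaches the destination gets an Echo Reply for ICMP Echo probes (Windows
    tracert) or Port Unreachable (Type 3, Code 3) for UDP probes (Linux default).
    """
    for router in path:
        ttl -= 1
        if ttl == 0:
            return None if router in silent else Reply(router, ICMP_TIME_EXCEEDED, 0)
    if probe == "icmp":
        return Reply(destination, ICMP_ECHO_REPLY, 0)
    return Reply(destination, ICMP_DEST_UNREACH, 3)


def traceroute(path, destination, probe="icmp", max_hops=30, silent=frozenset()):
    """Return [(hop number, replying address or '*'), ...] until the destination answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = forward_probe(path, destination, ttl, probe, silent)
        hops.append((ttl, reply.source if reply else "*"))
        if reply is not None and reply.icmp_type != ICMP_TIME_EXCEEDED:
            break                      # end host answered: the trace is complete
    return hops


# Constructed path: three routers, then the target host.
PATH = ["10.0.0.1", "172.16.5.1", "198.51.100.9"]
DEST = "203.0.113.80"

if __name__ == "__main__":
    for hop, addr in traceroute(PATH, DEST, silent={"172.16.5.1"}):
        print(f"{hop:2d}  {addr}")
```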

20. Brad is auditing an organization and is asked to provide suggestions on improving DNS security. Which of the following would be valid options to recommend? (Choose all that apply.)

A. Implementing a split-horizon operation

B. Restricting zone transfers

C. Obfuscating DNS by using the same server for other applications and functions

D. Blocking all access to the server on port 53

A, B. Split-horizon DNS (also known as split-view or split DNS) is a method of providing different answers to DNS queries based on the source address of the DNS request. It can be accomplished with hardware or software solutions and provides one more step of separation between you and the bad guys. Restricting zone transfers to only those systems you desire to have them is always a good idea. If you leave it open for anyone to grab, you’re just asking for trouble. DNSSEC should also be included, but isn’t an option listed.

C is incorrect because you generally should not put DNS services on a machine performing other tasks or applications. Does it happen in the real world? Sure it does, and just like it’s not too far-fetched to find a stray Windows 2000 machine in any given organization’s network, it’s probably more common than we’d like to guess.

D is incorrect because restricting all port 53 access to the server means it’s not acting as a DNS server anymore: no one can query for name lookups, and no zone transfers are going to happen. I guess in some weird way the DNS side of it is really secure, but its functionality has dropped to nothing.
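The two recommended controls (the split-horizon setup from question 8 and the zone-transfer restriction here), as an added BIND 9 named.conf fragment that is not from the book. The zone name, file paths, address ranges and secondary addresses are assumptions; internal clients get the internal view with recursion, everyone else gets the external view with no internal hosts and no recursion, and each view only hands the zone to its own named secondaries.

```conf
// Added example: split-horizon views with restricted zone transfers (BIND 9).
// All addresses, file names and the zone name are placeholders.

acl internal_nets { 10.0.0.0/8; 192.168.0.0/16; localhost; };

view "internal" {
    match-clients { internal_nets; };
    recursion yes;                        // internal clients may use this server as a resolver
    zone "anybiz.com" {
        type master;
        file "zones/anybiz.com.internal";  // holds intranet hosts
        allow-transfer { 10.0.0.53; };     // only the internal secondary
    };
};

view "external" {
    match-clients { any; };
    recursion no;                         // authoritative-only toward the Internet
    zone "anybiz.com" {
        type master;
        file "zones/anybiz.com.external";  // public hosts only: no A records for intranet names
        allow-transfer { 203.0.113.53; };  // only the public secondary; use { none; } if there is none
    };
};
```

Once any view is declared, BIND requires every zone to live inside a view, and view order matters: the first view whose match-clients matches the source address answers the query. Reload and verify with `named-checkconf` before putting it live.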


21. A zone file consists of which records? (Choose all that apply.)

A. PTR

B. MX

C. SN

D. SOA

E. DNS

F. A

G. AX

A, B, D, F. A zone file contains a list of all the resource records in the namespace zone. Valid resource records are as follows:


C, E, and G are incorrect because they are not valid DNS resource records.
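Reading a zone file the way questions 9, 10 and 21 reason about it, as an added Python example that is not from the book. It parses a constructed BIND-style zone (including a multi-line SOA), rejects record types that do not exist, and then audits it: CNAMEs that hang several service names on one host, the MX delivery order implied by the preference numbers, and A records that leak RFC 1918 addresses through a public-facing zone. The zone contents are invented and are not the book's missing figure.

```python
"""Parse a BIND-style zone file and audit its resource records.

Added illustration; ZONE_TEXT is constructed for the example.
"""
import ipaddress
from collections import defaultdict

ZONE_TEXT = """\
$ORIGIN anybiz.com.
$TTL 3600
@        IN SOA   ns1.anybiz.com. hostmaster.anybiz.com. (
                  2021110101 ; serial
                  3600       ; refresh
                  600        ; retry
                  1209600    ; expire
                  300 )      ; minimum
@        IN NS    ns1.anybiz.com.
@        IN NS    ns2.anybiz.com.
@        IN MX    10 mail1.anybiz.com.
@        IN MX    20 mail2.anybiz.com.
ns1      IN A     203.0.113.10
ns2      IN A     203.0.113.11
mail1    IN A     203.0.113.20
mail2    IN A     203.0.113.21
server1  IN A     203.0.113.30
www      IN CNAME server1.anybiz.com.
ftp      IN CNAME server1.anybiz.com.
intranet IN A     10.10.5.25          ; internal host leaked into the public zone
"""

VALID_TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "PTR", "TXT", "SRV"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Return (origin, records); each record is (owner name, type, list of rdata tokens)."""
    origin, records, buf = ".", [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        buf += " " + line
        if "(" in buf and ")" not in buf:
            continue                               # multi-line record (SOA): keep collecting
        entry, buf = buf, ""
        tokens = entry.replace("(", " ").replace(")", " ").split()
        name = origin if tokens[0] == "@" else tokens[0]
        if not name.endswith("."):
            name = f"{name}.{origin}"
        # Optional class/TTL tokens precede the type; the type must be a real one (Q21).
        idx = next((i for i, t in enumerate(tokens[1:], 1) if t in VALID_TYPES), None)
        if idx is None:
            raise ValueError(f"no valid resource record type in: {entry.strip()}")
        records.append((name, tokens[idx], tokens[idx + 1:]))
    return origin, records


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def audit(records):
    """Findings an auditor would pull from a public-facing zone."""
    findings = {"internal_a": [], "aliases": defaultdict(list), "mx_order": [], "soa": {}}
    mx = []
    for name, rtype, rdata in records:
        if rtype == "A" and is_rfc1918(rdata[0]):
            findings["internal_a"].append(name)          # Q10: internal host exposed
        elif rtype == "CNAME":
            findings["aliases"][rdata[0]].append(name)    # Q9: one host, several service names
        elif rtype == "MX":
            mx.append((int(rdata[0]), rdata[1]))
        elif rtype == "SOA":
            keys = ("serial", "refresh", "retry", "expire", "minimum")
            findings["soa"] = dict(zip(keys, map(int, rdata[2:7])))
    findings["mx_order"] = [host for _, host in sorted(mx)]  # lowest preference is tried first
    findings["aliases"] = dict(findings["aliases"])
    return findings


if __name__ == "__main__":
    _, recs = parse_zone(ZONE_TEXT)
    print(audit(recs))
```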

22. Within the OSRFramework, which tool verifies if a username/profile exists in up to 306 different platforms?

A. domainfy.py

B. mailfy.py

C. searchfy.py

D. usufy.py

D. The OSRFramework (https://github.com/i3visio/osrframework) is an open source research framework in Python that helps you in the task of user profiling by making use of different open source intelligence (OSINT) tools. The framework design itself is reminiscent of the Metasploit framework. It also has a web-based GUI that does the work for you if you like to work without the command line. In other words, it’s a set of libraries used to perform OSINT tasks, helping you gather more, and more accurate, data using multiple applications in one easy-to-use package. Usufy.py is but one of the tools in the framework, and it verifies if a username/profile exists in up to 306 different platforms.

A is incorrect because this tool verifies the existence of a given domain (per the site, in up to 1567 different registries).

B is incorrect because this tool checks if a username (e-mail) has been registered in e-mail providers.

C is incorrect because this tool looks for profiles using full names and other info in up to seven platforms. As an aside, ECC words this differently by saying the tool queries the OSRFramework platform itself.

23. A colleague enters the following into a Google search string:

intitle:intranet inurl:intranet intext:"finance"

Which of the following statements is most correct concerning this attempt?

A. The search engine will not respond with any result because you cannot combine Google hacks in one line.

B. The search engine will respond with all pages having the word intranet in their title and finance in the URL.

C. The search engine will respond with all pages having the word intranet in the title and in the URL.

D. The search engine will respond with only those pages having the word intranet in the title and URL and with finance in the text.

D. This is a great Google hack that’s listed on several websites providing Google hacking examples. Think about what you’re looking for here—an internal page (intranet in title and URL) possibly containing finance data. Don’t you think that would be valuable? This example shows the beauty of combining Google hacks to really burrow down to what you want to grab. Granted, an intranet being available from the Internet, indexed by Google and open enough for you to touch it, is unlikely, but these are questions concerning syntax, not reality.

A is incorrect because Google hack operators can be combined. In fact, once you get used to them, you’ll spend more time combining them to narrow the focus of an attack than launching them one by one.

B is incorrect because the operator does not say to look for finance in the URL. It specifically states that should be looked for in the text of the page.

C is incorrect because there is more to the operation string than just intranet in the URL and title. Don’t just skim over the intext:"finance" operator—it makes Answer D more correct.
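The narrowing effect of stacking operators, as an added Python example that is not from the book and is not Google's own matching logic: a small parser for intitle:/inurl:/intext: terms run against a constructed set of four pages, so you can see which pages survive each operator and why only one survives all three. The URLs and page contents are invented.

```python
"""Evaluate Google-style search operators against a constructed page corpus.

Added illustration; the pages below are fictional and the matching is a
simplified model (case-insensitive substring, all terms must match).
"""
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Page:
    url: str
    title: str
    text: str


PAGES = [  # constructed; none of these hosts exists
    Page("https://intranet.example.test/finance/q3.html", "Intranet - Finance reports",
         "Quarterly finance figures for internal use only"),
    Page("https://www.example.test/about.html", "About Example Corp",
         "Our finance team is growing"),
    Page("https://intranet.example.test/hr/", "Intranet - HR portal",
         "Benefits and holiday calendar"),
    Page("https://www.example.test/news/intranet-upgrade", "Company news",
         "The intranet upgrade finished"),
]

OPERATORS = ("intitle", "inurl", "intext")


def parse_query(query):
    """'intitle:intranet inurl:intranet intext:"finance"' -> [(field, term), ...]."""
    terms = []
    for token in shlex.split(query):            # shlex keeps quoted phrases together
        field, sep, value = token.partition(":")
        if sep and field in OPERATORS:
            terms.append((field, value.lower()))
        else:
            terms.append(("any", token.lower()))  # a bare word may match anywhere
    return terms


def matches(page, terms):
    fields = {"intitle": page.title.lower(), "inurl": page.url.lower(), "intext": page.text.lower()}
    fields["any"] = " ".join(fields.values())
    # Every term must hold: each added operator can only shrink the result set.
    return all(term in fields[field] for field, term in terms)


def search(query, pages=PAGES):
    terms = parse_query(query)
    return [p.url for p in pages if matches(p, terms)]


if __name__ == "__main__":
    for q in ("intitle:intranet", "intitle:intranet inurl:intranet",
              'intitle:intranet inurl:intranet intext:"finance"'):
        print(f"{q!r}: {len(search(q))} hit(s)")
```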

24. Amanda works as senior security analyst and overhears a colleague discussing confidential corporate information being posted on an external website. When questioned on it, he claims about a month ago he tried random URLs on the company’s website and found confidential information. Amanda visits the same URLs but finds nothing. Where can Amanda go to see past versions and pages of a website?

A. Search.com

B. Google cache

C. Pasthash.com

D. Archive.org

D. The Internet Archive (http://archive.org) is a nonprofit organization “dedicated to build an Internet library. Its purposes include offering permanent access for researchers, historians, scholars, people with disabilities, and the general public to historical collections that exist in digital format.” The good-old Wayback Machine has been used for a long time to pull up old copies of websites, for good and maybe not-so-good purposes. Archive.org includes “snapshots of the World Wide Web,” which are archived copies of pages taken at various points in time dating back to 1996. As an additional note, Archive.org is only going to pull and store pages that were linked, shared, or commonly available, so don’t assume every page ever put up by anyone anywhere will always be available.

||||||||||||||||||||

||||||||||||||||||||

Page 158: CEH Certified Ethical Hacker Practice Exams, Fourth

A is incorrect because Search.com is simply another search engine at your disposal. It does not hold archived copies.

B is incorrect because Google cache holds a copy of the site only from the latest “crawl”—usually nothing older than a couple to a few days.

C is incorrect because, as far as I know, Pasthash.com doesn’t even exist.

25. Which of the following is a primary service of the U.S. Computer Security Incident Response Team (CSIRT)?

A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide.

B. CSIRT provides a computer security surveillance service to supply the government with important intelligence information on individuals traveling abroad.

C. CSIRT provides a penetration testing service to support exception reporting on incidents worldwide by individuals and multinational corporations.

D. CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling an individual’s property or company’s asset.

A. EC-Council loves CSIRT, and I promise you’ll see it mentioned somewhere on the exam. Per its website (www.csirt.org/), the Computer Security Incident Response Team (CSIRT) “provides 24x7 Computer Security Incident Response Services to any user, company, government agency or organization. CSIRT provides a reliable and trusted single point of contact for reporting computer security incidents worldwide. CSIRT provides the means for reporting incidents and for disseminating important incident-related information.” A privately held company that started in 2001, CSIRT seeks “to raise awareness among its customers of computer security issues, and provides information for secure protection of critical computing infrastructure and equipment against potential organized computer attacks.”

B, C, and D are incorrect because these statements do not match CSIRT’s purpose or actions.

26. Your client’s business is headquartered in Japan. Which regional registry would be the best place to look for footprinting information?

A. APNIC

B. RIPE

C. ASIANIC

D. ARIN

E. LACNIC

A. This one is easy as pie and should be a freebie if you see it on the test. There are five regional Internet registries that provide overall management of the public IP address space within a given geographic region. APNIC handles the Asia and Pacific realms.

B is incorrect because RIPE NCC handles Europe, the Middle East, and Central Asia. If you’re wondering, the name is French and stands for Réseaux IP Européens. Africa, including the north, is served by AFRINIC, the fifth registry, which is not among the choices.

C is incorrect because ASIANIC is not a regional registry. It’s purely a distractor here.

D is incorrect because the ARIN service region includes Canada, many Caribbean and North Atlantic islands, and the United States. Caribbean islands falling under ARIN include Puerto Rico, the Bahamas, Antigua, American and British Virgin Islands, Turks and Caicos Islands, and the Cayman Islands (among others).

E is incorrect because LACNIC handles Latin America and parts of the Caribbean. It stands for Latin America and Caribbean Network Information Center. LACNIC coverage includes most of South America, Guatemala, French Guiana, Dominican Republic, and Cuba (among others). Exam takers most often get this one and ARIN confused.


CHAPTER 3 Scanning and Enumeration

This chapter includes questions from the following topics:

• Understand EC-Council’s scanning methodology
• Describe scan types and the objectives of scanning
• Understand the use of various scanning and enumeration tools
• Describe TCP communication (three-way handshake and flag types)
• Understand basic subnetting
• Understand enumeration and enumeration techniques
• Describe vulnerability scanning concepts and actions
• Describe the steps involved in performing enumeration

I love fishing. Scratch that—a better statement is that I am addicted to fishing. I dream about it. I think about it during my workday, I plan my weekends around it—heck, I even decorated my office with fishing paraphernalia, and occasionally catch myself staring at that sea trout picture over there to my right and sighing mournfully. And, on days like today where the lake behind my house looks like a mirror that God is using to comb his hair in as He looks down from above, it’s all I can do not to grab the rods and race out of the house. Instead, I’m sitting here in my little home office dedicating my morning to you and your needs, dear reader. You’re welcome.

All fishing is good, and I’ve tried most of it. I’m not really wild about catching fish with my hands (those noodling guys don’t have all the cheese on their crackers), and ice fishing isn’t a favorite of mine because I hate the cold—not to mention it just seems so dang boring, sitting there looking at a little hole and hoping you’ve drilled in just the right spot—but I love kayak fishing. Don’t get me wrong—I still really enjoy going out on a deep-sea boat or riding along in someone’s bass boat, flying across the top of the water, but being in a kayak just seems more personal. Sitting right on top of the water, sneaking up to fish, and watching them eat the bait is just short of a religious experience, and it cannot be beat.

Now you can certainly catch fish just by paddling around and casting blindly all around you. But if you want to catch good fish and catch them with more regularity, you have to learn how to read the water, and since I can’t take you all there and paddle around to give a hands-on lesson, we’ll have to run a little thought experiment instead. Sit back in our little virtual kayak, and we’ll paddle around to see what we can find. Look around in your mind’s eye with me and scan the water around us. See that little ripple over there? Those are mullet swimming around in lazy circles. Nothing is after them, or they’d be darting and running into the shallows, so there’s no point in paddling that way yet. That heavy wake over there that kind of looks like a small submarine underwater? That’s a redfish, and he’s definitely after something. We should definitely take a shot his way. And those things that look like tiny brooms poking out of the water over there? Yeah, that’s a bunch of redfish, nosed down into the muck eating crabs or shrimp. If we watch the school for a bit, it’ll make it easier to map out an approach and figure out the best casting opportunities without spooking them.

Much like the signs we can see by scanning the surface of the water on the flats, your scanning and enumeration efforts in the virtual world will point you in the right direction and, once you get some experience with what you’re looking at, will improve your hook-up percentage. As stated in the companion book to this study guide, CEH Certified Ethical Hacker All-in-One Exam Guide, Fourth Edition, you know how to footprint your client; now it’s time to learn how to dig around what you found for relevant, salient information. After footprinting, you’ll need to scan for basics; then when you find a machine up and about, you’ll need to get to know it really well, asking some rather personal questions.

STUDY TIPS First and foremost, get your network knowledge down pat. Know your port numbers, protocols, and communications handshakes like the back of your hand. Learn how routing/switching basics can affect your efforts: for example, knowing that a routing protocol (such as OSPF or BGP) determines how routers communicate with each other and make decisions on moving packets, and that routed protocols (such as IP) are the ones providing network layer addressing, will help you out. There won’t be a ton of them, but questions on subnetting will make an appearance, so know your math well.

When it comes to scanning, know your scanning tools very well. EC-Council absolutely adores nmap, so know syntax, responses, results, switches… all of it. You’ll be quizzed on use, output, syntax, and lots of scanning tools, so prep by practicing—it’s the absolute best way to prepare for this exam.

Lastly, Windows and Linux architecture basics aren’t going to make up the majority of your exam, but rest assured you will be tested on them—especially on anything that’s different between the two. For example, some tools will work with and on Windows, but not on Linux, and vice versa. Each architecture has built-in tools and services (for example, know net command usage in Windows very well) that may work differently on the other, so be sure to focus on those for study.


QUESTIONS

1. Your team is hired to test a business named Matt’s Bait’n’ Tackle Shop (domain name mattsBTshop.com). A team member runs the following command:

metagoofil -d mattsBTshop.com -t doc,docx -l 50 -n 20 -f results.html

Which of the following best describes what the team member is attempting to do?

A. Extracting metadata info from web pages in mattsBTshop.com, outputting results in Microsoft Word format

B. Extracting metadata info from the results.html page in mattsBTshop.com, outputting results in Microsoft Word format

C. Extracting metadata info from Microsoft Word documents found in mattsBTshop.com, outputting results in an HTML file

D. Uploading results.html as a macro attachment to any Microsoft Word documents found in mattsBTshop.com

2. Which of the following statements is true regarding the p0f tool?

A. It is an active OS fingerprinting tool.

B. It is a passive OS fingerprinting tool.


C. It is designed to extract metadata for Microsoft files.

D. It is designed for remote access.

3. You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean?

A. Your IDLE scan results will not be useful to you.

B. The zombie system is a honeypot.

C. There is a misbehaving firewall between you and the zombie machine.

D. This is an expected result during an IDLE scan.

4. You want to perform a ping sweep of a subnet within your target organization. Which of the following nmap command lines is your best option?

A. nmap 192.168.1.0/24

B. nmap -sT 192.168.1.0/24

C. nmap -sP 192.168.1.0/24

D. nmap -P0 192.168.1.0/24

5. A pen tester is performing banner grabbing and executes the following command:

$ nmap -sV host.domain.com -p 80

Which of the following is a true statement?

A. Nmap can’t perform banner grabbing, as it cannot retrieve the version number of any running remote service.

B. The pen tester was successful in banner grabbing.

C. Using nmap -O host.domain.com would have been a better choice for banner grabbing.

D. Banner grabbing failed because the result did not return the version of the Apache web server.

6. You are examining traffic to see if there are any network-enabled printers on the subnet. Which of the following ports should you be monitoring for?

A. 53


B. 88

C. 445

D. 514

E. 631

7. A colleague enters the following command:

root@mybox:# hping3 -A 192.168.2.x -p 80

What is being attempted here?

A. An ACK scan using hping3 on port 80 for a single address

B. An ACK scan using hping3 on port 80 for a group of addresses

C. Address validation using hping3 on port 80 for a single address

D. Address validation using hping3 on port 80 for a group of addresses

8. You are examining traffic between hosts and note the following exchange:

Which of the following statements are true regarding this traffic? (Choose all that apply.)

A. It appears to be part of an ACK scan.


B. It appears to be part of an XMAS scan.

C. It appears port 4083 is open.

D. It appears port 4083 is closed.

9. You are examining traffic and notice an ICMP Type 3, Code 13 response. What does this normally indicate?

A. The network is unreachable.

B. The host is unknown.

C. Congestion control is enacted for traffic to this host.

D. A firewall is prohibiting connection.

10. Which port-scanning method presents the most risk of discovery but provides the most reliable results?

A. Full-connect

B. Half-open

C. Null scan

D. XMAS scan

11. As a pen test on a major international business moves along, a colleague discovers an IIS server and a mail exchange server on a DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the ping. What is the most likely reason for the lack of response?

A. The hosts might be turned off or disconnected.

B. ICMP is being filtered.

C. The destination network might be down.

D. The servers are Linux based and do not respond to ping requests.

12. A team member is using nmap and asks about the “scripting engine” in the tool. Which option switches can be used to invoke the nmap scripting engine? (Choose two.)

A. --script

B. -z

C. -sA

D. -sC

13. Which of the following commands is the best choice to use on a Linux machine when attempting to list processes and the UIDs associated with them in a reliable manner?

A. ls

B. chmod

C. pwd

D. lsof

14. You want to display active and inactive services on a Windows Server machine. Which of the following commands best performs this service?

A. sc query

B. sc query type=all

C. sc query type=service

D. sc query state= all

15. An administrator enters the following command on a Linux system:

iptables -t nat -L

Which of the following best describes the intent of the command entered?

A. The administrator is attempting a port scan.

B. The administrator is configuring IP masquerading.

C. The administrator is preparing to flood a switch.

D. The administrator is preparing a DoS attack.

16. What is being attempted with the following command?

nc -u -v -w2 192.168.1.100 1-1024

A. A full connect scan on ports 1–1024 for a single address

B. A full connect scan on ports 1–1024 for a subnet

C. A UDP port scan of ports 1–1024 on a single address

D. A UDP scan of ports 1–1024 on a subnet

17. You are told to monitor a packet capture for any attempted DNS zone transfer. Which port should you focus your search on?

A. TCP 22

B. TCP 53

C. UDP 22

D. UDP 53

18. A team member issues the nbtstat.exe -c command. Which of the following best represents the intent of the command?

A. It displays the IP route table for the machine.

B. It displays the NetBIOS name cache.

C. It displays active and inactive services.

D. It puts a NIC into promiscuous mode for sniffing.

19. Consider the ports shown in the nmap output returned on an IP scanned during footprinting:

Which of the following is true regarding the output?

A. The host is most likely a router or has routing enabled.

B. The host is most likely a printer or has a printer installed.

C. The host is definitely a Windows server.

D. The host is definitely a Linux server.

20. The following results are from an nmap scan:

Which of the following is the best option to assist in identifying the operating system?

A. Attempt an ACK scan.

B. Traceroute to the system.

C. Run the same nmap scan with the -vv option.

D. Attempt banner grabbing.

21. You want to run a scan against a target network. You’re concerned about it being a reliable scan, with legitimate results, but want to take steps to ensure it is as stealthy as possible. Which scan type is best in this situation?

A. nmap -sN targetIPaddress

B. nmap -sO targetIPaddress

C. nmap -sS targetIPaddress

D. nmap -sT targetIPaddress

22. What is the second step in the TCP three-way handshake?

A. SYN

B. ACK

C. SYN/ACK

D. ACK-SYN

E. FIN

23. You are enumerating a subnet. While examining message traffic, you discover SNMP is enabled on multiple targets. If you assume default settings in setting up enumeration tools to use SNMP, which community strings should you use?

A. Public (read-only) and Private (read/write)

B. Private (read-only) and Public (read/write)

C. Read (read-only) and Write (read/write)

D. Default (both read and read/write)

24. Nmap is a powerful scanning and enumeration tool. What does the following nmap command attempt to accomplish?

nmap -sA -T4 192.168.15.0/24

A. A serial, slow operating system discovery scan of a Class C subnet

B. A parallel, fast operating system discovery scan of a Class C subnet

C. A serial, slow ACK scan of a Class C subnet

D. A parallel, fast ACK scan of a Class C subnet

25. You are examining a packet capture of all traffic from a host on the subnet. The host sends a segment with the SYN flag set in order to set up a TCP communications channel. The destination port is 80, and the sequence number is set to 10. Which of the following statements are not true regarding this communications channel? (Choose all that apply.)

A. The host will be attempting to retrieve an HTML file.

B. The source port field on this packet can be any number between 1024 and 65,535.

C. The first packet from the destination in response to this host will have the SYN and ACK flags set.

D. The packet returned in answer to this SYN request will acknowledge the sequence number by returning 10.

26. Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?

A. URG

B. PSH

C. RST

D. BUF

27. You receive a RST-ACK from a port during a SYN scan. What is the state of the port?

A. Open

B. Closed

C. Filtered

D. Unknown

28. A penetration tester is examining the following NMAP result:

Which of the following is a true statement?

A. The host is likely a printer.

B. The host is likely a Windows machine.


C. The host is likely a Linux machine.

D. The host is likely a router.


QUICK ANSWER KEY

1. C

2. B

3. A

4. C

5. B

6. E

7. B

8. B, D

9. D

10. A

11. B

12. A, D

13. D

14. D

15. B

16. C

17. B

18. B

19. B


20. D

21. C

22. C

23. A

24. D

25. A, D

26. B

27. B

28. A


ANSWERS

1. Your team is hired to test a business named Matt’s Bait’n’ Tackle Shop (domain name mattsBTshop.com). A team member runs the following command:

metagoofil -d mattsBTshop.com -t doc,docx -l 50 -n 20 -f results.html

Which of the following best describes what the team member is attempting to do?

A. Extracting metadata info from web pages in mattsBTshop.com, outputting results in Microsoft Word format

B. Extracting metadata info from the results.html page in mattsBTshop.com, outputting results in Microsoft Word format

C. Extracting metadata info from Microsoft Word documents found in mattsBTshop.com, outputting results in an HTML file

D. Uploading results.html as a macro attachment to any Microsoft Word documents found in mattsBTshop.com

C. This is an example of good tool knowledge and use. Metagoofil, per www.edge-security.com/metagoofil.php, “is an information gathering tool designed for extracting metadata of public documents (.pdf, .doc, .xls, .ppt, .docx, .pptx, .xlsx) belonging to a target company. It performs a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfMiner and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help Penetration testers in the information gathering phase.”

In the syntax given, metagoofil will search mattsBTshop.com for up to 50 results (the -l switch determines the number of search results) of any Microsoft Word documents (in both .doc and .docx format) it can find. It will then attempt to download the first 20 found (the -n switch handles that), and the -f switch will send the results where you want (in this case, to an HTML file).

And just what will those results be? Well, that’s where the fun comes in. Remember, metagoofil tries to extract metadata from publicly available Microsoft Word documents available on the site. You might find e-mail addresses, document paths, software versions, and even usernames in the results.

A, B, and D are incorrect because they do not match the syntax provided.

2. Which of the following statements is true regarding the p0f tool?

A. It is an active OS fingerprinting tool.

B. It is a passive OS fingerprinting tool.

C. It is designed to extract metadata for Microsoft files.

D. It is designed for remote access.

B. p0f, per http://lcamtuf.coredump.cx/p0f3/, “is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. The tool can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to. Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellaneous forensics.”

When nmap scanning is blocked or otherwise unreliable, p0f can make use of a “vanilla” TCP connection to passively fingerprint. It can provide measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), and user language preferences. It also provides automated detection of connection sharing (NAT), load balancing, and application-level proxying setups.

A, C, and D are incorrect because these do not describe p0f. Active fingerprinting involves sending traffic in an effort to read responses and determine open ports and other goodies (like nmap does). p0f does not read metadata from available files for information purposes (like metagoofil does), and it’s definitely not a remote access tool (like netcat).

3. You have a zombie system ready and begin an IDLE scan. As the scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean?

A. Your IDLE scan results will not be useful to you.

B. The zombie system is a honeypot.

C. There is a misbehaving firewall between you and the zombie machine.

D. This is an expected result during an IDLE scan.

A. An IDLE scan makes use of a zombie machine and IP’s knack for incrementing fragment identifiers (IPIDs). However, it is absolutely essential the zombie remain idle to all other traffic during the scan. The attacker will send packets to the target with the (spoofed) source address of the zombie. If the port is open, the target will respond to the SYN packet with a SYN/ACK, but this will be sent to the zombie. The zombie system will then craft a RST packet in answer to the unsolicited SYN/ACK, and the IPID will increase. If this occurs randomly, then it’s probable your zombie is not, in fact, idle, and your results are moot. See, if it’s not idle, it’s going to increment haphazardly because communications from the device will be shooting hither and yon with wild abandon. You’re banking on the fact the machine is quietly doing your bidding—and nothing else.

B is incorrect because there is not enough information here to identify the zombie machine as anything at all—much less a machine set up as a “honeypot.”

C is incorrect because a firewall between you and the zombie won’t have any effect at all on the zombie’s IPIDs.

D is incorrect because this is definitely not expected behavior during an IDLE scan. Expected behavior is for the IPID to step up by exactly one for each packet the zombie itself sends: by one across a probe of a closed port (the zombie only answers your own probe) and by two across a probe of an open port (the zombie also sends a RST to the target’s SYN/ACK). Random jumps mean the zombie is talking to someone else, as occurs with traffic on an active system.
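The idle-scan bookkeeping described in this answer, as an added example that is not part of the book: a small Python routine that first vets a candidate zombie from a run of IPID samples (incremental, byte-swapped incremental, all-zero, or random) and only then reads each spoofed probe as open, closed/filtered, or unreliable from the IPID delta. The IPID values and ports are constructed sample data, not captured traffic, and the function names are this example’s own.

```python
"""Idle (zombie) scan bookkeeping: vet the zombie first, then read the IPID deltas.

Added example, not from the book. The IPID values below are constructed samples,
not captured traffic; function names are this example's own.
"""
from typing import Dict, List, Sequence, Tuple

IPID_MASK = 0xFFFF  # the IP identification field is 16 bits wide, so deltas wrap


def ipid_deltas(samples: Sequence[int]) -> List[int]:
    """Differences between consecutive IP ID values, modulo 2^16."""
    return [(later - earlier) & IPID_MASK for earlier, later in zip(samples, samples[1:])]


def classify_ipid_sequence(samples: Sequence[int]) -> str:
    """Classify how a candidate zombie assigns IP IDs, from a run of probe replies.

    'incremental'        : +1 per packet, the ideal zombie
    'broken-incremental' : +256 per packet (byte-swapped counter); usable with step=256
    'zero'               : every ID is 0 (typical of hosts that set DF); useless
    'random'             : unpredictable, or the host is busy; any scan result is moot
    """
    if len(samples) < 3:
        raise ValueError("need at least three samples to judge a zombie")
    if all(s == 0 for s in samples):
        return "zero"
    deltas = ipid_deltas(samples)
    if all(d == 1 for d in deltas):
        return "incremental"
    if all(d == 256 for d in deltas):
        return "broken-incremental"
    return "random"


def zombie_is_usable(samples: Sequence[int]) -> bool:
    """True only for the two predictable IPID behaviours an idle scan can build on."""
    return classify_ipid_sequence(samples) in ("incremental", "broken-incremental")


def infer_port_state(ipid_before: int, ipid_after: int, step: int = 1) -> str:
    """Read one target port from the zombie's IPID change across a single spoofed SYN.

    Between our two probes of the zombie, an idle zombie sends exactly one packet
    (its reply to our second probe) if the target answered it with RST or nothing,
    and two packets if the target's SYN/ACK made it emit an extra RST.
    """
    delta = (ipid_after - ipid_before) & IPID_MASK
    if delta == step:
        return "closed|filtered"
    if delta == 2 * step:
        return "open"
    return "unreliable"  # the zombie talked to someone else; do not trust this reading


def idle_scan_results(
    zombie_samples: Sequence[int],
    observations: Sequence[Tuple[int, int, int]],
) -> Dict[int, str]:
    """Interpret (port, ipid_before, ipid_after) observations, refusing an unusable zombie."""
    kind = classify_ipid_sequence(zombie_samples)
    step = {"incremental": 1, "broken-incremental": 256}.get(kind)
    if step is None:
        raise ValueError(f"zombie unusable: IPID sequence is {kind}")
    return {port: infer_port_state(before, after, step) for port, before, after in observations}


# Constructed sample data: a quiet zombie, a busy one, and three spoofed SYNs to ports 22, 80, 445.
QUIET_ZOMBIE = [31240, 31241, 31242, 31243]
BUSY_ZOMBIE = [4021, 18, 52033, 9]
OBSERVATIONS = [(22, 31243, 31245), (80, 31245, 31246), (445, 31246, 31251)]

if __name__ == "__main__":
    print(idle_scan_results(QUIET_ZOMBIE, OBSERVATIONS))
    # {22: 'open', 80: 'closed|filtered', 445: 'unreliable'}
    print(zombie_is_usable(BUSY_ZOMBIE))  # False
```

The first step is the one people skip: nmap’s own idle scan (-sI) runs the same kind of baseline check and refuses a zombie whose IPID class is not incremental, and the 16-bit mask matters because a counter that wraps from 65535 to 0 is still a perfectly good zombie.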

4. You want to perform a ping sweep of a subnet within your target organization. Which of the following nmap command lines is your best option?

A. nmap 192.168.1.0/24

B. nmap -sT 192.168.1.0/24

C. nmap -sP 192.168.1.0/24

D. nmap -P0 192.168.1.0/24

C. The -sP switch within nmap is designed for a ping sweep. Nmap syntax is fairly straightforward: nmap <scan options> <target>. If you don’t define a switch, nmap performs a basic enumeration scan of the targets. The switches, though, provide the real power with this tool. One practical note: current nmap releases spell the ping sweep -sn (“no port scan”) and the skip-host-discovery switch -Pn; the older -sP and -P0 forms are still accepted as aliases, and the exam uses the older names.

A is incorrect because this syntax will not perform a ping sweep. This syntax will run a basic scan against the entire subnet.

B is incorrect because the -sT switch does not run a ping sweep. It stands for a TCP Connect scan, which is the slowest—but most productive and loud—scan option.

D is incorrect because this syntax will not perform a ping sweep. The -P0 switch actually skips host discovery (the ping) altogether and treats every address as up. This is a good switch to use when you don’t seem to be getting responses from your targets. It forces nmap to start the scan even if it thinks that the target doesn’t exist (which is useful if the computer is blocked by a firewall).

5. A pen tester is performing banner grabbing and executes the following command:

$ nmap -sV host.domain.com -p 80

He gets the following output:

Which of the following is a true statement?

A. Nmap can’t perform banner grabbing, as it cannot retrieve the version number of any running remote service.

B. The pen tester was successful in banner grabbing.

C. Using nmap -O host.domain.com would have been a better choice for banner grabbing.

D. Banner grabbing failed because the result did not return the version of the Apache web server.

B. You can expect a few versions of this type of question on your exam. Not only are there bunches of ways to do banner grabbing, but the outputs of each method are different. In this case, the nmap attempt was successful in identifying it as an Apache server.

A is incorrect because nmap can most certainly perform banner grabbing.

C is incorrect because the -O flag enables OS detection.

D is incorrect because the lack of a version number is irrelevant (oftentimes Apache boxes won’t respond with a version number, even when the banner grab is correctly accomplished).

6. You are examining traffic to see if there are any network-enabled printers on the subnet. Which of the following ports should you be monitoring for?

A. 53

B. 88

C. 445

D. 514

E. 631

E. You will probably see three to five questions on port numbering alone. So just exactly how do you commit 1024 port numbers (0–1023 is the well-known range) to memory when you have all this other stuff to keep track of? You probably won’t, and maybe you can’t. The best advice I can give you is to memorize the really important ones—the ones you know beyond a shadow of a doubt you’ll see on the exam somewhere—and then use the process of elimination to get to the right answer.

For example, suppose you had no idea that TCP port 631 was used by the Internet Printing Protocol (IPP), but you did know what 53, 88, and 445 were for. Suddenly it’s not that difficult (now down to a 50/50 chance). By the way, 631 won’t be the only thing you’ll be monitoring for (TCP 515 for LPD and TCP 9100 for raw JetDirect printing are the other two printer ports worth watching), but of the answers provided, it is the best choice.

A is incorrect because 53 is the port number used by DNS (TCP and UDP). Ordinary queries travel over UDP 53; TCP 53 is used for zone transfers and for responses too large to fit in a UDP datagram.

B is incorrect because 88 is the port number used by Kerberos.

C is incorrect because 445 is used for Microsoft SMB file sharing. You’ll definitely see SMB file sharing and this port somewhere on the exam, usually as part of a scenario like the one in this question.

D is incorrect because 514 is the (UDP) port number used by syslog—and trust me, you need to know this one. EC-Council loves syslog. You’ll definitely see it a couple of times on the exam.

7. A colleague enters the following command:

root@mybox:# hping3 -A 192.168.2.x -p 80

What is being attempted here?

A. An ACK scan using hping3 on port 80 for a single address

B. An ACK scan using hping3 on port 80 for a group of addresses

C. Address validation using hping3 on port 80 for a single address

D. Address validation using hping3 on port 80 for a group of addresses

B. Hping is a great tool that provides a variety of options. You can craft packets with it, audit and test firewalls, and do all sorts of crazy man-in-the-middle stuff with it. In this example, you’re simply performing a basic ACK scan (the -A switch) using port 80 (-p 80) on an entire Class C subnet (the x in the address runs through all 254 possibilities). Hping3, the latest version, is scriptable (Tcl language) and implements an engine that allows a human-readable description of TCP/IP packets.

A check before you try this on a live engagement: hping3 only treats an x in the destination as a wildcard when you also pass --rand-dest, and in that mode it fills the wildcarded octet with a random value for each packet rather than sweeping the range in order. Without --rand-dest, 192.168.2.x is treated as a hostname to resolve and the command fails. The exam answer is still B; just don’t expect the bare command line above to walk the subnet by itself.

A is incorrect because the syntax is for an entire subnet (or, I guess to be technically specific, all 254 addresses that start with 192.168.2). The x in the last octet tells hping to fire away at all those available addresses.

C and D are both incorrect because “address validation” is not a scan type.

8. You are examining traffic between hosts and note the following exchange:

Which of the following statements are true regarding this traffic? (Choose all that apply.)

A. It appears to be part of an ACK scan.

B. It appears to be part of an XMAS scan.

C. It appears port 4083 is open.

D. It appears port 4083 is closed.

B, D. The exam will ask you to define scan types in many, many ways. It may be a simple definition match; sometimes it’ll be some crazy Wireshark or tcpdump listing. In this example, you see a cleaned-up traffic exchange showing packets from one host being sent one after another to the second host, indicating a scan attempt. The packets have the FIN, URG, and PSH flags all set, which tells you it’s an XMAS scan. If the destination port is open, you won’t receive anything back; if it’s closed, you’ll see a RST/ACK. Since port 4083 answered with a RST/ACK, it looks like it’s closed. As an addendum, did you know there are two reasons why it’s called an XMAS scan? The first is because it lights up an IDS like a Christmas tree, and the second is because the flags themselves are all lit. As an aside, you probably won’t see this much out in the real world because it just really doesn’t have much applicability. But on your exam? Oh yes—it’ll be there.

A is incorrect because there is no indication this is an ACK scan. An ACK scan has only the ACK flag set and is generally used in firewall filter tests: no response means a firewall is present, and RST means the firewall is not there (or the port is not filtered).

C is incorrect because you did receive an answer from the port (a RST/ACK was sent in the fourth line of the capture), and for an XMAS scan a RST means closed; silence is what an open (or filtered) port produces.
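The flag reading above (XMAS probes, a lone RST/ACK from port 4083), as an added example that is not part of the book: a Python routine that decodes raw TCP headers, names the scan a probe belongs to from its flag combination (NULL, FIN, XMAS, SYN, ACK), pairs each probe with the target’s reply by port, and reports the port state the way nmap would. It goes slightly beyond the answer by covering the SYN and ACK scan rules too, so the same code answers the RST-ACK-during-a-SYN-scan question later in this chapter. The capture is constructed with struct.pack (no checksums), not a real trace; addresses, ports and function names are this example’s own.

```python
"""Classify TCP probes by flag combination and infer port state from the reply.

Added example, not from the book. The capture below is constructed with
struct.pack (no checksums), not a real trace; names are this example's own.
"""
import struct
from typing import Dict, List, Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG))
TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, data offset/reserved, flags, window, csum, urgptr


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header with no options (checksum left at 0; sample data only)."""
    return struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def parse_tcp_header(raw: bytes) -> dict:
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "flag_names": [name for name, bit in FLAG_NAMES if flags & bit]}


def classify_probe(flags: int) -> str:
    """Name the scan a lone probe segment belongs to, from its six classic flag bits."""
    f = flags & 0x3F
    if f == 0:
        return "NULL"
    if f == FIN:
        return "FIN"
    if f == FIN | PSH | URG:
        return "XMAS"
    if f == SYN:
        return "SYN"
    if f == ACK:
        return "ACK"
    return "other"


def infer_port_state(scan: str, reply_flags: Optional[int]) -> str:
    """Port state the way nmap reports it, given the probe type and the reply (None = silence)."""
    if scan in ("NULL", "FIN", "XMAS"):
        if reply_flags is None:
            return "open|filtered"   # RFC 793 stacks stay silent on open ports
        return "closed" if reply_flags & RST else "unknown"
    if scan == "SYN":
        if reply_flags is None:
            return "filtered"
        if reply_flags & SYN and reply_flags & ACK:
            return "open"
        return "closed" if reply_flags & RST else "unknown"
    if scan == "ACK":
        if reply_flags is None:
            return "filtered"        # a stateful firewall swallowed the unsolicited ACK
        return "unfiltered" if reply_flags & RST else "unknown"
    return "unknown"


def analyze_exchange(packets: List[Tuple[str, str, bytes]], scanner: str, target: str) -> dict:
    """Walk a capture in order; pair each probe with the target's reply (if any) by port."""
    probe_by_port: Dict[int, str] = {}
    reply_by_port: Dict[int, int] = {}
    for src, dst, raw in packets:
        hdr = parse_tcp_header(raw)
        if src == scanner and dst == target:
            probe_by_port[hdr["dport"]] = classify_probe(hdr["flags"])
        elif src == target and dst == scanner and hdr["sport"] in probe_by_port:
            reply_by_port[hdr["sport"]] = hdr["flags"]
    ports = {p: infer_port_state(scan, reply_by_port.get(p)) for p, scan in probe_by_port.items()}
    return {"scan_types": sorted(set(probe_by_port.values())), "ports": ports}


# Constructed capture: three XMAS probes from the scanner; only port 4083 answers, with RST/ACK.
SCANNER, TARGET = "10.0.0.5", "10.0.0.9"
SAMPLE_EXCHANGE = [
    (SCANNER, TARGET, build_tcp_header(44021, 4081, FIN | PSH | URG)),
    (SCANNER, TARGET, build_tcp_header(44021, 4082, FIN | PSH | URG)),
    (SCANNER, TARGET, build_tcp_header(44021, 4083, FIN | PSH | URG)),
    (TARGET, SCANNER, build_tcp_header(4083, 44021, RST | ACK)),
]

if __name__ == "__main__":
    print(analyze_exchange(SAMPLE_EXCHANGE, SCANNER, TARGET))
    # {'scan_types': ['XMAS'], 'ports': {4081: 'open|filtered', 4082: 'open|filtered', 4083: 'closed'}}
```

Note the asymmetry the answer hinges on: for the NULL/FIN/XMAS family, silence is the ambiguous result (open or filtered) and a RST is the definitive one (closed), which is the reverse of a SYN scan, where SYN/ACK is the definitive open.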


9. You are examining traffic and notice an ICMP Type 3, Code 13 response. What does this normally indicate?

A. The network is unreachable.

B. The host is unknown.

C. Congestion control is enacted for traffic to this host.

D. A firewall is prohibiting connection.

D. ICMP types will be covered in depth on your exam, so know them well. Type 3 messages are all about “destination unreachable,” and the code in each packet tells you why it’s unreachable. Code 13 indicates “communication administratively prohibited,” which indicates a firewall filtering traffic. Granted, this occurs only when a network designer is nice enough to configure the device to respond in such a way, and you’ll probably never get that nicety in the real world, but the definitions of what the “type” and “code” mean are relevant here. Nmap treats a Type 3 reply with code 0, 1, 2, 3, 9, 10, or 13 to one of its probes as a reason to mark the port filtered.

A is incorrect because “network unreachable” is Type 3, Code 0. It’s generated by a router to inform the source that the destination address is unreachable; that is, it does not have an entry in the route table to send the message to.

B is incorrect because “host unknown” is Type 3, Code 7. There’s a route to the network the router knows about, but that host is not there (this sometimes refers to a naming or DNS issue).

C is incorrect because “congestion control” ICMP messaging is Type 4 (source quench, now deprecated).
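The type/code reading above, as an added example that is not part of the book: a Python decoder that verifies an ICMP message’s checksum, names the type and (for Type 3) the code, flags the administratively-prohibited codes a filter sends, and pulls the original IP header and ports out of the quoted datagram so you can tell which probe the filter objected to. The message is built with struct.pack as constructed sample data; the addresses, ports and function names are this example’s own.

```python
"""Decode an ICMP message, verify its checksum, and pull out the probe it answers.

Added example, not from the book. The message is built here with struct.pack
as constructed sample data; the addresses and ports are made up.
"""
import socket
import struct
from typing import Dict

ICMP_TYPES = {
    0: "echo reply", 3: "destination unreachable",
    4: "source quench (the old congestion-control message, now deprecated)",
    5: "redirect", 8: "echo request", 11: "time exceeded",
}
UNREACHABLE_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    6: "destination network unknown", 7: "destination host unknown",
    9: "network administratively prohibited", 10: "host administratively prohibited",
    13: "communication administratively prohibited",
}
ADMIN_PROHIBITED = {9, 10, 13}  # codes a filtering device sends when it is polite enough to answer


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_is_valid(raw: bytes) -> bool:
    return len(raw) >= 8 and internet_checksum(raw) == 0


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """20-byte IPv4 header (no options) with a correct header checksum; sample data only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def build_icmp(icmp_type: int, code: int, payload: bytes, rest: bytes = b"\x00" * 4) -> bytes:
    body = rest + payload
    csum = internet_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def parse_icmp(raw: bytes) -> Dict[str, object]:
    """Decode type/code and, for destination-unreachable, the embedded original datagram."""
    if len(raw) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if internet_checksum(raw) != 0:
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code = raw[0], raw[1]
    info: Dict[str, object] = {
        "type": icmp_type, "code": code,
        "type_name": ICMP_TYPES.get(icmp_type, "other"),
        "code_name": UNREACHABLE_CODES.get(code, "other") if icmp_type == 3 else "",
        "filtered_by_policy": icmp_type == 3 and code in ADMIN_PROHIBITED,
    }
    if icmp_type == 3 and len(raw) >= 8 + 20 + 8:
        # Type 3 quotes the offending packet's IP header plus 8 bytes of its transport
        # header, which is what tells you *which* of your probes the filter objected to.
        inner = raw[8:]
        ihl = (inner[0] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        info["original"] = {
            "src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20]),
            "proto": inner[9], "sport": sport, "dport": dport,
        }
    return info


# Constructed sample: a filter at 10.0.0.1 rejects our SYN from 10.0.0.5:40000 to 10.0.0.9:445.
ORIGINAL_PROBE = build_ipv4_header("10.0.0.5", "10.0.0.9", 6, 40) + struct.pack("!HHI", 40000, 445, 0)
SAMPLE_ICMP = build_icmp(3, 13, ORIGINAL_PROBE)

if __name__ == "__main__":
    print(parse_icmp(SAMPLE_ICMP))
```

The checksum check is not pedantry: a scanner that trusts unverified ICMP replies can be fed forged “administratively prohibited” messages by anyone on the path, and the quoted inner header is the only thing that ties the error back to a specific probe.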

10. Which port-scanning method presents the most risk of discovery but provides the most reliable results?

A. Full-connect

B. Half-open

C. Null scan

D. XMAS scan

A. A full-connect scan runs through an entire TCP three-way handshake on all ports you aim at. It’s loud and easy to see happening, but the results are indisputable. As an aside, the -sT switch in nmap runs a full-connect scan (you should go ahead and memorize that one).

B is incorrect because a half-open scan involves sending only the SYN packet and watching for responses. It is designed for stealth but may be picked up on IDS sensors (both network and most host-based IDSs).

C is incorrect because a null scan sends packets with no flags set at all. It relies on RFC 793 behavior (a closed port answers with RST, an open port stays silent), and responses vary with the OS and version, so reliability is spotty. As an aside, null scans are designed for Unix/Linux machines and don’t work on Windows systems: Windows answers every such probe with a RST regardless of port state, so every port simply appears closed.

D is incorrect because although an XMAS scan is easily detectable (as our celebrated technical editor put it, “a fairly well-trained monkey would see it”), the results are oftentimes sketchy. The XMAS scan is great for test questions but won’t result in much more than a derisive snort and an immediate disconnection in the real world.

11. As a pen test on a major international business moves along, a colleague discovers an IIS server and a mail exchange server on a DMZ subnet. You review a ping sweep accomplished earlier in the day on that subnet and note neither machine responded to the ping. What is the most likely reason for the lack of response?

A. The hosts might be turned off or disconnected.

B. ICMP is being filtered.


C. The destination network might be down.

D. The servers are Linux based and do not respond to ping requests.

B. Admittedly, this one is a little tricky, and, yes, I purposefully wrote it this way (mainly because I’ve seen questions like this before). The key here is the “most likely” designator. It’s entirely possible—dare I say, even expected—that the systems administrator for those two important machines would turn off ICMP. Of the choices provided, this one is the most likely explanation.

A is incorrect, but only because there is a better answer. This is a major firm that undoubtedly does business at all times of day and with customers and employees around the world (the question did state it was an international business). Is it possible that both these servers are down? Sure, you might have timed your ping sweep so poorly that you happened to hit a maintenance window or something, but it’s highly unlikely.

C is incorrect because, frankly, the odds of an entire DMZ subnet being down while you’re pen testing are very slim. And I can promise you if the subnet did drop while you were testing, your test is over.

D is incorrect because this is simply not true.

12. A team member is using nmap and asks about the “scripting engine” in the tool. Which option switches can be used to invoke the nmap scripting engine? (Choose two.)

A. --script

B. -z

C. -sA

D. -sC

A, D. Nmap is a great scanning tool, providing numerous options, and you’ll need to know the syntax very well. The NSE (Nmap Scripting Engine) is a portion of the tool that allows the use of scripts in scanning. Directly from nmap’s site (https://nmap.org/book/nse.html), “NSE is activated with the -sC option (or --script if you wish to specify a custom set of scripts) and results are integrated into Nmap normal and XML output.”

I’ve seen mentioned in other study material that the -A switch is also considered as an NSE function. -A turns on “aggressive” scanning, which bundles OS detection (-O), version detection (-sV), the default script set (-sC), and traceroute, so it does run NSE scripts, but only as a side effect of that bundle; the switches that invoke the engine directly are -sC and --script. A pretty good wrap-up of nmap switches can be found on linuxcommand.org (http://linuxcommand.org/man_pages/nmap1.html).

B is incorrect because -z isn’t an nmap switch.

C is incorrect because the -sA switch runs an ACK scan (ACK segments are sent to ports to determine their state).

13. Which of the following commands is the best choice to use on a Linux machine when attempting to list processes and the UIDs associated with them in a reliable manner?

A. ls

B. chmod

C. pwd

D. lsof

D. Supported in most Unix-like flavors, the “list open files” command (lsof) provides a list of all open files and the processes that opened them. The lsof command describes, among other things, the identification number of the process (PID) that has opened the file, the command the process is executing, and the owner of the process. With optional switches, you can also receive all kinds of additional information. As an aside, the command ps (for process status) is probably an even better choice for the task listed.

A is incorrect because ls (list) simply displays all the files and folders in your current directory. Its counterpart in the PC world is dir.

B is incorrect because chmod is used to set permissions on files and objects in Linux.

C is incorrect because pwd (print working directory) is a command used to display the directory you are currently working in.

14. You want to display active and inactive services on a Windows Server machine. Which of the following commands best performs this service?

A. sc query

B. sc query type=all

C. sc query type=service

D. sc query state= all

D. The sc command will definitely make an appearance or two somewhere on the exam. Per Microsoft, SC.exe retrieves and sets control information about services. You can use SC.exe for testing and debugging service programs. Service properties stored in the registry can be set to control how service applications are started at boot time and run as background processes. SC.exe parameters can configure a specific service, retrieve the current status of a service, as well as stop and start a service.

A sampling of uses for the sc command follows:

• sc config Determines the status of a service at system startup, and sets a service to run automatically, manually, or not at all.

• sc query Displays information about services, drivers, and types of both. Without parameters, it returns a list of all running services and associated information. To create a list of all services, use sc query state= all.

• sc start Starts a service that is not running.

• sc stop Stops a running service.

• sc pause Pauses a service.

• sc continue Resumes a paused service.

• sc enumdepend Lists the services that cannot run unless the specified service is running.

• sc qc Displays the configuration of a particular service.

And finally, one more quick note: Remember there is always a space after the equals sign (and not one before). Syntax is important, and ECC will probably spring that on you.

A, B, and C all use incorrect syntax for the question asked.

15. An administrator enters the following command on a Linux system:

iptables -t nat -L

Which of the following best describes the intent of the command entered?

A. The administrator is attempting a port scan.

B. The administrator is configuring IP masquerading.

C. The administrator is preparing to flood a switch.

D. The administrator is preparing a DoS attack.

B. Do you remember network address translation? It’s a neat little technology that allows lots of internal hosts, using nonroutable private addressing, to access the Internet by borrowing and using a single address (or a group of addresses) managed by a router or other system. IP masquerading is much the same thing; it’s just accomplished through a Linux host. In short, a Linux machine can act as a NAT translator by employing proper routing configuration, using one NIC to communicate with the internal network and one for the external, and enabling IP masquerading.

Looking over the man page for the command (one copy can be found at http://ipset.netfilter.org/iptables.man.html), we see that iptables is an administration tool for IPv4 packet filtering and NAT. Per the man page, “Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may be enabled by iptables -t tablename -switch, where tablename is filter, nat, mangle, raw, or security, and switch equates to the option you wish to enable. For example, -A appends rules, -D deletes rules, and -R replaces rules.”

A, C, and D are incorrect because they do not accurately represent what is being attempted.

16. What is being attempted with the following command?

nc -u -v -w2 192.168.1.100 1-1024

A. A full connect scan on ports 1–1024 for a single address

B. A full connect scan on ports 1–1024 for a subnet

C. A UDP port scan of ports 1–1024 on a single address

D. A UDP scan of ports 1–1024 on a subnet

C. In this example, netcat is being used to run a scan on UDP ports (the -u switch gives this away) from 1 to 1024. The address provided is a single address, not a subnet. Other switches in use here are -v (for verbose) and -w2 (defines the two-second timeout for connection, where netcat will wait for a response).

A is incorrect because the -u switch shows this as a UDP scan. By default (that is, no switch in place), netcat runs in TCP.

B is incorrect because the -u switch shows this as a UDP scan. Additionally, this is aimed at a single address, not a subnet.

D is incorrect because this is aimed at a single address, not a subnet.

17. You are told to monitor a packet capture for any attempted DNS zone transfer. Which port should you focus your search on?

A. TCP 22

B. TCP 53

C. UDP 22

D. UDP 53

B. DNS uses port 53 in both UDP and TCP. Port 53 over UDP is used for DNS lookups. Zone transfers are accomplished using port 53 over TCP. Considering the reliability and error correction available with TCP, this makes perfect sense.

A is incorrect because TCP port 22 is for SSH, not DNS.

C is incorrect because UDP port 22 simply doesn’t exist (SSH is TCP based).

D is incorrect because UDP port 53 is used for DNS lookups. Because lookups are generally a packet or two and we’re concerned with speed on a lookup, UDP’s fire-and-forget speed advantage is put to use here.
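As an added example that is not from the book, the following Python sketch does what question 17 describes from the monitoring side: it walks capture records, strips the two-byte length prefix DNS carries over TCP, and flags any question whose type is AXFR (252) or IXFR (251). It goes slightly beyond the question by also checking UDP 53, since a transfer request there still signals intent even though a server refuses it. The record layout (src, proto, dport, payload) and every address and zone name are constructed for this example.

```python
import struct

AXFR, IXFR = 252, 251          # RFC 1035 / RFC 1995 question types for zone transfers


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (header + one IN question).
    Used only to construct sample input for this example."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes):
    """Return (qname, qtype) of the first question; ValueError if malformed."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    if struct.unpack("!H", msg[4:6])[0] == 0:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:                      # compression pointer is not valid here
            raise ValueError("compressed label in question")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    return ".".join(labels), struct.unpack("!H", msg[pos:pos + 2])[0]


def find_zone_transfer_attempts(records):
    """records: dicts with src, proto ('tcp'|'udp'), dport, payload (bytes).
    Over TCP a DNS message is prefixed by a 2-byte length (RFC 1035 4.2.2)."""
    hits = []
    for r in records:
        if r["dport"] != 53:
            continue
        payload = r["payload"]
        if r["proto"] == "tcp":
            if len(payload) < 2:
                continue
            msg_len = struct.unpack("!H", payload[:2])[0]
            payload = payload[2:2 + msg_len]
        try:
            qname, qtype = parse_question(payload)
        except ValueError:
            continue                           # not a parsable query; skip it
        if qtype in (AXFR, IXFR):
            hits.append((r["src"], r["proto"], qname, "AXFR" if qtype == AXFR else "IXFR"))
    return hits


def tcp_framed(msg: bytes) -> bytes:
    """Add the length prefix a DNS-over-TCP segment carries."""
    return struct.pack("!H", len(msg)) + msg


# Constructed sample records: a normal UDP lookup, a TCP AXFR attempt, a TCP A query.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "proto": "udp", "dport": 53,
     "payload": build_query("www.example.com", 1)},
    {"src": "10.0.0.9", "proto": "tcp", "dport": 53,
     "payload": tcp_framed(build_query("example.com", AXFR))},
    {"src": "10.0.0.7", "proto": "tcp", "dport": 53,
     "payload": tcp_framed(build_query("mail.example.com", 1))},
]

if __name__ == "__main__":
    for src, proto, zone, kind in find_zone_transfer_attempts(SAMPLE_RECORDS):
        print(f"{kind} attempt for {zone} from {src} over {proto}")
```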

18. A team member issues the nbtstat.exe -c command. Which of the following best represents the intent of the command?

A. It displays the IP route table for the machine.

B. It displays the NetBIOS name cache.

C. It displays active and inactive services.

D. It puts a NIC into promiscuous mode for sniffing.

B. Per Microsoft, regarding the nbtstat command: “Nbtstat is designed to help troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses. It does this through several options for NetBIOS name resolution, including local cache lookup, WINS server query, broadcast, LMHOSTS lookup, Hosts lookup, and DNS server query. The nbtstat command removes and corrects preloaded entries using a number of case-sensitive switches.” Syntax for the command includes the following:

• nbtstat -a <name> Performs a NetBIOS adapter status command on the computer name specified by <name>. The adapter status command returns the local NetBIOS name table for that computer as well as the MAC address of the adapter card.

• nbtstat -A <IP address> Performs the same function as the -a switch, but using a target IP address rather than a name.

• nbtstat -c Shows the contents of the NetBIOS name cache, which contains NetBIOS-name-to-IP-address mappings.

• nbtstat -n Displays the names that have been registered locally on the system by NetBIOS applications such as the server and redirector.

• nbtstat -r Displays the count of all NetBIOS names resolved by broadcast and by querying a WINS server.

• nbtstat -R Purges the name cache and reloads all #PRE entries from the LMHOSTS file (#PRE entries are the LMHOSTS name entries that are preloaded into the cache).

• nbtstat -RR Sends name release packets to the WINS server and starts a refresh, thus re-registering all names with the name server without a reboot being required.

• nbtstat -S Lists current NetBIOS sessions and their status, including statistics.

A, C, and D are incorrect because they do not match the command usage. If you wish to see the route table on a Windows system, use the route print command. The sc query state= all command will show all the active and inactive services on the system. To put the NIC in promiscuous mode, you’d need the WinPcap driver installed.

19. Consider the ports shown in the nmap output returned on an IP scanned during footprinting:

PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
515/tcp  open
631/tcp  open  ipp
9100/tcp open
MAC Address: 01:2A:48:0B:AA:81

Which of the following is true regarding the output?

A. The host is most likely a router or has routing enabled.

B. The host is most likely a printer or has a printer installed.

C. The host is definitely a Windows server.

D. The host is definitely a Linux server.

B. So this output is pretty interesting, huh? There’s some FTP, Telnet, and HTTP open, and a little NetBIOS action going on there, too. The TCP ports 515 and 631, however, are the ones to note here. 515 corresponds to the Line Printer Daemon protocol/Line Printer Remote protocol (or LPD/LPR), which is used for submitting print jobs to a remote printer. Port 631 corresponds to the Internet Printing Protocol (IPP). Both of these point to printing. A final note on this: in our modern world the definition of what constitutes a server and what does not is a blurred line. If your printer allows Telnet access to a terminal, is it really just a printer? For that matter, many printers actually work off of an embedded operating system. In other words, in real-world testing, your printer may actually be a Linux OS server of sorts. Your exam will stick with the academic memorization and evaluation of port numbers, but things are much more entangled in the real world.

A is incorrect because none of these ports show anything related to routing.

C and D are incorrect because there is simply not enough information to definitively identify the operating system in use. Yes, it is true that the Line Printer Daemon protocol was originally in the BSD UNIX operating system; however, it is used regardless of OS.

20. The following results are from an nmap scan:

Which of the following is the best option to assist in identifying the operating system?

A. Attempt an ACK scan.

B. Traceroute to the system.

C. Run the same nmap scan with the -vv option.

D. Attempt banner grabbing.


D. Of the options presented, banner grabbing is probably your best bet. In fact, it’s a good start for operating system fingerprinting. You can telnet to any of these active ports or run an nmap banner grab. Either way, the returning banner may help in identifying the OS.

A is incorrect because an ACK scan isn’t necessarily going to help here. For that matter, it may have already been run.

B is incorrect because traceroute does not provide any information on fingerprinting. It will show you a network map, hop by hop, to the target, but it won’t help tell you whether it’s a Windows machine.

C is incorrect because the -vv switch provides only more (verbose) information on what nmap already has. Note that the original run presented this message on the OS fingerprinting effort: “Remote operating system guess: Too many signatures match to reliably guess the OS.”

21. You want to run a scan against a target network. You’re concerned about it being a reliable scan, with legitimate results, but want to take steps to ensure it is as stealthy as possible. Which scan type is best in this situation?

A. nmap -sN targetIPaddress

B. nmap -sO targetIPaddress

C. nmap -sS targetIPaddress

D. nmap -sT targetIPaddress

C. A half-open scan, as defined by this nmap command line, is the best option in this case. The SYN scan was created with stealth in mind because the full connect scan was simply too noisy (or created more entries in an application-level logging system, whichever your preference). As far as the real world is concerned, it’s a fact that most IDSs can pick up a SYN scan just as easily as a full connect, but if you go slow enough, both a SYN and a full connect can be almost invisible. A connect scan is indistinguishable from a real connection, whereas a SYN scan can be distinguished. In other words, the full connect will look like any other conversation—just bunches of them all at once—where a SYN scan will show a lot of systems answering a conversation starter only to be met with rude silence. The lesson is any scan can and probably will be seen in the real world by a monitoring IDS; however, the slower you go, the less chance you’ll have of being seen, all things being equal.

A is incorrect because a null scan may not provide the reliability you’re looking for. Remember, this scan won’t work on a Windows host at all.

B is incorrect because the -sO switch tells you this is an operating system scan. Fingerprinting scans are not stealthy by anyone’s imagination, and they won’t provide the full information you’re looking for here.

D is incorrect because the -sT option indicates a full connect scan. Although this is reliable, it is noisy, and you will most likely be discovered during the scan.

22. What is the second step in the TCP three-way handshake?

A. SYN

B. ACK

C. SYN/ACK

D. ACK-SYN

E. FIN

C. Admittedly, this is an easy one, but I’d bet dollars to doughnuts you will see it in some form on your exam. It’s such an important part of scanning and enumeration because, without understanding this basic principle of communication channel setup, you’re almost doomed to failure. A three-way TCP handshake has the originator forward a SYN. The recipient, in step 2, sends a SYN and an ACK. In step 3, the originator responds with an ACK. The steps are referred to as SYN, SYN/ACK, ACK.

A is incorrect because SYN is the first step (flag set) in the three-way handshake.

B is incorrect because ACK is the last step (flag set) in the three-way handshake.

D is incorrect because of the order listed. True, both these flags are the ones set in the three-way handshake. However, in the discussion of this step-by-step process, at least as far as your exam is concerned, it’s SYN/ACK, not the other way around. And, yes, this distractor, in some form, will most likely be on your exam. You won’t care about the order in the real world since flags are a mathematical property of the packet and not some ridiculous order, but for your exam you’ll need to know it this way.

E is incorrect because the FIN flag brings an orderly close to a communication session.

23. You are enumerating a subnet. While examining message traffic, you discover SNMP is enabled on multiple targets. If you assume default settings in setting up enumeration tools to use SNMP, which community strings should you use?

A. Public (read-only) and Private (read/write)

B. Private (read-only) and Public (read/write)

C. Read (read-only) and Write (read/write)

D. Default (both read and read/write)

A. SNMP uses a community string as a form of a password. The read-only version of the community string allows a requester to read virtually anything SNMP can drag out of the device, whereas the read/write version is used to control access for the SNMP SET requests. The read-only default community string is Public, whereas the read/write string is Private. If you happen upon a network segment using SNMPv3, though, keep in mind that SNMPv3 can use a hashed form of the password in transit versus the clear text.

B is incorrect because the community strings are listed in reverse here.

C is incorrect because Read and Write are not community strings.

D is incorrect because Default is not a community string in SNMP.

24. Nmap is a powerful scanning and enumeration tool. What does the following nmap command attempt to accomplish?

nmap -sA -T4 192.168.15.0/24

A. A serial, slow operating system discovery scan of a Class C subnet

B. A parallel, fast operating system discovery scan of a Class C subnet

C. A serial, slow ACK scan of a Class C subnet

D. A parallel, fast ACK scan of a Class C subnet

D. You are going to need to know nmap switches well for your exam. In this example, the -sA switch indicates an ACK scan, and the -T4 switch indicates an “aggressive” scan, which runs fast and in parallel.

A is incorrect because a slow, serial scan would use the -T, -T0, or -T1 switch. Additionally, the OS detection switch is -O, not -sA.

B is incorrect because although this answer got the speed of the scan correct, the operating system detection portion is off.

C is incorrect because although this answer correctly identified the ACK scan switch, the -T4 switch was incorrectly identified.

25. You are examining a packet capture of all traffic from a host on the subnet. The host sends a segment with the SYN flag set in order to set up a TCP communications channel. The destination port is 80, and the sequence number is set to 10. Which of the following statements are not true regarding this communications channel? (Choose all that apply.)

A. The host will be attempting to retrieve an HTML file.

B. The source port field on this packet can be any number between 1024 and 65,535.

C. The first packet from the destination in response to this host will have the SYN and ACK flags set.

D. The packet returned in answer to this SYN request will acknowledge the sequence number by returning 10.

A, D. Yes, it is true that port 80 traffic is generally HTTP; however, there are two problems with this statement. The first is all that is happening here is an arbitrary connection to something on port 80. For all we know, it’s a listener, Telnet connection, or anything at all. Second, assuming it’s actually an HTTP server, the sequence described here would do nothing but make a connection—not necessarily transfer anything. Sure, this is picky, but it’s the truth. Next, sequence numbers are acknowledged between systems during the three-way handshake by incrementing by 1. In this example, the source sent an opening sequence number of 10 to the recipient. The recipient, in crafting the SYN/ACK response, will first acknowledge the opening sequence number by incrementing it to 11. After this, it will add its own sequence number to the packet (a random number it will pick) and send both off.

B is incorrect because it’s a true statement. Source port fields are dynamically assigned using anything other than the “well-known” port range (0–1023). IANA has defined the following port number ranges: ports 1024 to 49,151 are the registered ports (assigned by IANA for specific service upon application by a requesting entity), and ports 49,152 to 65,535 are dynamic or private ports that cannot be registered with IANA.

C is incorrect because it’s a true statement. The requesting machine has sent the first packet in the three-way handshake exchange—a SYN packet. The recipient will respond with a SYN/ACK and wait patiently for the last step—the ACK packet.

D is incorrect because the sequence number would not stay the same—it needs to increment.

26. Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?

A. URG

B. PSH

C. RST

D. BUF

B. This answer normally gets mixed up with the URG flag because we all read it as urgent. However, just remember the key word with PSH is “buffering.” In TCP, buffering is used to maintain a steady, harmonious flow of traffic. Every so often, though, the buffer itself becomes a problem, slowing things down. A PSH flag tells the recipient stack that the data should be pushed up to the receiving application immediately.

A is incorrect because the URG flag is used to inform the receiving stack that certain data within a segment is urgent and should be prioritized. As an aside, URG isn’t used much by modern protocols.

C is incorrect because the RST flag forces a termination of communications (in both directions).

D is incorrect because BUF isn’t a TCP flag at all.

27. You receive a RST-ACK from a port during a SYN scan. What is the state of the port?

A. Open

B. Closed

C. Filtered

D. Unknown

B. Remember, a SYN scan occurs when you send a SYN packet to all open ports. If the port is open, you’ll obviously get a SYN/ACK back. However, if the port is closed, you’ll get a RST-ACK.

A is incorrect because an open port would respond differently (SYN/ACK).

C is incorrect because a filtered port would likely not respond at all. (The firewall wouldn’t allow the packet through, so no response would be generated.)

D is incorrect because you know exactly what state the port is in because of the RST-ACK response.
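The handshake rules in questions 22, 25 and 27 and the IDS observation in question 21 fit together in one small tracker, added here as an example that is not from the book: it follows each flow through SYN, SYN/ACK and ACK, rejects a SYN/ACK that does not acknowledge seq+1, records RST/ACK as a closed port, and flags a source that leaves many handshakes half-open, which is exactly the "conversation starter met with silence" pattern a monitoring IDS sees. The packet dict layout, the HandshakeTracker and probe names, and all addresses and sequence numbers are constructed for this example.

```python
from collections import defaultdict

# TCP flag bits (low byte of the flags field). "BUF" from question 26 is not one.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


class HandshakeTracker:
    """Follows each (client, cport, server, sport) flow through the handshake.
    Packets are dicts: src, sport, dst, dport, flags (int bitmask), seq, ack."""

    def __init__(self):
        self.flows = {}    # flow key -> {"state": ..., "client_seq": ...}
        self.events = []   # (client, server, sport, outcome)

    def feed(self, pkt):
        f = pkt["flags"]
        if f & SYN and not f & ACK:                          # step 1: client SYN
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            self.flows[key] = {"state": "SYN_SENT", "client_seq": pkt["seq"]}
            return
        reply_key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        client_key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if reply_key in self.flows:                          # server -> client
            flow, (client, _, server, sport) = self.flows[reply_key], reply_key
            if f & SYN and f & ACK:                          # step 2: SYN/ACK
                if pkt["ack"] != flow["client_seq"] + 1:     # must acknowledge seq + 1
                    self.events.append((client, server, sport, "bad-ack"))
                    return
                flow["state"] = "SYN_RECEIVED"
                self.events.append((client, server, sport, "open"))
            elif f & RST:                                    # RST/ACK: closed port
                flow["state"] = "CLOSED"
                self.events.append((client, server, sport, "closed"))
        elif client_key in self.flows:                       # client -> server
            flow, (client, _, server, sport) = self.flows[client_key], client_key
            if flow["state"] != "SYN_RECEIVED":
                return
            if f & RST:                                      # tear-down instead of step 3
                flow["state"] = "HALF_OPEN_RESET"
                self.events.append((client, server, sport, "half-open"))
            elif f & ACK:                                    # step 3: ACK completes it
                flow["state"] = "ESTABLISHED"
                self.events.append((client, server, sport, "established"))

    def half_open_sources(self, threshold: int = 3):
        """Clients that were answered SYN/ACK on >= threshold distinct (server, port)
        pairs and never completed the handshake: the SYN-scan footprint."""
        pairs = defaultdict(set)
        for (client, _, server, sport), flow in self.flows.items():
            if flow["state"] in ("SYN_RECEIVED", "HALF_OPEN_RESET"):
                pairs[client].add((server, sport))
        return sorted(c for c, seen in pairs.items() if len(seen) >= threshold)


def probe(src, sport, dst, dport, seq, complete=False, closed=False):
    """Constructed packets for one probe: SYN, then SYN/ACK (or RST/ACK when the
    port is closed), then the client's ACK (full connect) or RST (half-open)."""
    c2s = {"src": src, "sport": sport, "dst": dst, "dport": dport}
    s2c = {"src": dst, "sport": dport, "dst": src, "dport": sport}
    pkts = [dict(c2s, flags=SYN, seq=seq, ack=0)]
    if closed:
        return pkts + [dict(s2c, flags=RST | ACK, seq=0, ack=seq + 1)]
    pkts.append(dict(s2c, flags=SYN | ACK, seq=5000, ack=seq + 1))
    if complete:
        pkts.append(dict(c2s, flags=ACK, seq=seq + 1, ack=5001))
    else:
        pkts.append(dict(c2s, flags=RST, seq=seq + 1, ack=0))
    return pkts


# Constructed log: one real client (seq 10, acknowledged as 11, as in question 25)
# and one host that half-opens three ports and hits one closed port.
SAMPLE_PACKETS = (
    probe("10.0.0.20", 40001, "192.168.1.10", 80, 10, complete=True)
    + probe("10.0.0.50", 50001, "192.168.1.10", 22, 100)
    + probe("10.0.0.50", 50002, "192.168.1.10", 80, 200)
    + probe("10.0.0.50", 50003, "192.168.1.10", 443, 300)
    + probe("10.0.0.50", 50004, "192.168.1.10", 23, 400, closed=True)
)


def analyze(packets) -> HandshakeTracker:
    tracker = HandshakeTracker()
    for pkt in packets:
        tracker.feed(pkt)
    return tracker


if __name__ == "__main__":
    t = analyze(SAMPLE_PACKETS)
    for client, server, sport, outcome in t.events:
        print(f"{client} -> {server}:{sport} {outcome}")
    print("probable SYN scanners:", t.half_open_sources())
```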

28. A penetration tester is examining the following NMAP result:

Which of the following is a true statement?

A. The host is likely a printer.

B. The host is likely a Windows machine.

C. The host is likely a Linux machine.

D. The host is likely a router.

A. Honestly there’s not a lot to go on here, so we take a look at the port numbers: 21, 23, and 80 don’t really tell us much, because loads of hosts can run FTP, Telnet, and HTTP, but 515 and 631? Those have printer written all over them: 515 is a well-known printer spooler port (and is often used by malware), and 631 is the Internet Printing Protocol (IPP) port.

B, C, and D are incorrect because there is no indication from this result the host is any of these.
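Questions 19 and 28 both reason from a port table to a device hint. The following Python is an added example, not from the book, that parses nmap's normal-output port table (the sample is constructed to match the table shown with question 19) and applies that reasoning: printing ports suggest a printer, and no port list by itself settles the operating system. The parse_nmap and device_hint names are this example's own; 9100/tcp as the raw printing port is general knowledge the page does not state.

```python
import re

# Constructed to match the port table printed with question 19; the service names
# for 515/tcp and 9100/tcp were not on the page and are left blank here.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
515/tcp  open
631/tcp  open  ipp
9100/tcp open
MAC Address: 01:2A:48:0B:AA:81
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)(?:\s+(\S+))?")
MAC_LINE = re.compile(r"^MAC Address:\s*([0-9A-Fa-f:]{17})")

# Well-known printing ports: LPD/LPR (515), IPP (631), raw printing (9100).
PRINTER_PORTS = {515: "LPD/LPR", 631: "IPP", 9100: "raw printing"}


def parse_nmap(text: str) -> dict:
    """Parse nmap's normal-output port table into port records plus the MAC line."""
    ports, mac = [], None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4) or ""})
            continue
        m = MAC_LINE.match(line)
        if m:
            mac = m.group(1).upper()
    return {"ports": ports, "mac": mac}


def device_hint(scan: dict) -> dict:
    """Apply the book's reasoning: printing ports suggest a printer; no port list
    by itself identifies the operating system."""
    open_tcp = {p["port"] for p in scan["ports"]
                if p["proto"] == "tcp" and p["state"] == "open"}
    hits = sorted(open_tcp & set(PRINTER_PORTS))
    if len(hits) >= 2:
        verdict = "likely printer or print server"
    elif hits:
        verdict = "possible printer"
    else:
        verdict = "no printer indicator"
    return {"verdict": verdict,
            "evidence": [f"{p}/tcp {PRINTER_PORTS[p]}" for p in hits],
            "os": "undetermined: open ports alone do not identify the OS"}


if __name__ == "__main__":
    scan = parse_nmap(SAMPLE_NMAP_OUTPUT)
    print(scan["mac"], device_hint(scan))
```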


CHAPTER 4 Sniffing and Evasion

This chapter includes questions from the following topics:

• Describe sniffing concepts, including active and passive sniffing and protocols susceptible to sniffing

• Describe ethical hacking techniques for Layer 2 traffic

• Describe sniffing tools and understand their output

• Describe sniffing countermeasures

• Learn about intrusion detection system (IDS), firewall, and honeypot types, use, and placement

• Describe IDS, firewall, and honeypot evasion techniques

Overhearing a conversation, whether intentionally or via eavesdropping, is just part of our daily lives. Sometimes we sniff conversations without even meaning or trying to—it just happens. Anyone who has worked in a cube-farm office environment knows how easy it is to overhear conversations even when we don’t want to. Or, if you have kids in your house who don’t yet understand that sound travels, eavesdropping is a constant part of your day.

Sometimes our very nature makes it impossible not to listen in. A study in Psychological Science explored a “paradox of eavesdropping”: it’s harder to not listen to a conversation when someone is talking on the phone (we hear only one side of the dialogue) than when two physically present people are talking to each other. Although the phone conversation contains much less information, we’re much more curious about what’s being said. That means we’re hardwired to want to listen in. We can’t help it.

But come on, admit it—you enjoy it sometimes, too. Overhearing a juicy piece of information just makes us happy and, for the gossip crowd, provides lots of ammunition for the next water-cooler session. And we all really like secrets. In fact, I think the thrill of learning and knowing a secret is matched only by the overwhelming desire to share it. For those working in the classified arena, this paradox of human nature is something that has to be guarded against every single day of their working lives.

Eavesdropping in the virtual world is almost always not accidental—there’s purpose involved. You don’t necessarily need to put a whole lot of effort into it, but it almost never happens on its own without your purposeful manipulation of something. Sniffing provides a variety of information to the ethical hacker and is a skill all should be intimately familiar with. Just know that the secrets you overhear on your job as a pen tester might be really exciting, and you might really want to tell somebody about them, but you may find yourself really in jail over it too.

STUDY TIPS The good news is, there hasn’t been very much updated from previous versions regarding sniffing and evasion—so any study you’ve put in previously will still apply. The bad news is, it’s still tough stuff, and sometimes picky questioning. Just as with everything else, review your basic network knowledge thoroughly. You’ll see lots of questions designed to test your knowledge on how networking devices handle traffic, how addressing affects packet flow, what layers sniffing concentrates in (Layer 2, and sometimes 3), and which protocols are more susceptible to sniffing than others.

Additionally, learn Wireshark very well. Pay particular attention to filters within Wireshark—how to set them up and what syntax they follow—and how to read a capture (not to mention the “follow TCP stream” option). If you haven’t already, download Wireshark and start playing with it—right now, before you even read the questions that follow. On any exam questions that show a Wireshark screen capture, pay close attention to the flags set in the segment, the source and destination addresses, and the protocols listed. These items are easy to pick out for almost anyone who can spell and will answer many of the questions you’ll see.

IDS types and ways to get around them won’t make up a gigantic portion of your test, but they’ll definitely be there. These will most likely come in the form of scenario questions, as opposed to straight definitions. While ECC loves fragmentation, session splicing (with something like Whisker), and tunneling (HTTP or even TCP over DNS), just remember there are other ways to get around an IDS, including generating “cover fire” (that is, tons of false positives) and, of course, the ultimate in evasion—encryption. If the traffic is encrypted, the IDS sees nothing.

Lastly, don’t forget your firewall types—you won’t see many questions on identifying a definition, but you’ll probably see at least a couple of scenario questions where this knowledge comes in handy—in particular, how stateful firewalls work and what they do.

QUESTIONS

1. Given the following Wireshark filter, what is the attacker attempting to view?

A. SYN, SYN/ACK, ACK

B. SYN, FIN, URG, and PSH

C. ACK, ACK, SYN, URG

D. SYN/ACK only

2. A target machine (with a MAC of 12:34:56:AB:CD:EF) is connected to a switch port. An attacker (with a MAC of 78:91:00:ED:BC:A1) is attached to a separate port on the same switch with a packet capture running. There is no spanning of ports or port security in place. Two packets leave the target machine. Message 1 has a destination MAC of E1:22:BA:87:AC:12. Message 2 has a destination MAC of FF:FF:FF:FF:FF:FF. Which of the following statements is true regarding the messages being sent?

A. The attacker will see message 1.

B. The attacker will see message 2.

C. The attacker will see both messages.

D. The attacker will see neither message.


3. You have tapped into a network subnet of your target organization. You begin an attack by learning all significant MAC addresses on the subnet. After some time, you decide to intercept messages between two hosts. You begin by sending broadcast messages to Host A showing your MAC address as belonging to Host B, while also sending messages to Host B showing your MAC address as belonging to Host A. What is being accomplished here?

A. ARP poisoning to allow you to see all messages from either host without interrupting their communications process

B. ARP poisoning to allow you to see messages from Host A to Host B

C. ARP poisoning to allow you to see messages from Host B to Host A

D. ARP poisoning to allow you to see messages from Host A destined to any address

E. ARP poisoning to allow you to see messages from Host B destined to any address

4. Your target subnet is protected by a firewalled DMZ. Reconnaissance shows the external firewall passes some traffic from external to internal, but blocks most communications. HTTP traffic to a web server in the DMZ, which answers to www.somebiz.com, is allowed, along with standard traffic such as DNS queries. Which of the following may provide a method to evade the firewall’s protection?

A. An ACK scan

B. Firewalking

C. False positive flooding

D. TCP over DNS

5. Which of the following is the best choice in setting an NIDS tap?

A. Connect directly to a server inside the DMZ.

B. Connect directly to a server in the intranet.

C. Connect to a SPAN port on a switch.

D. Connect to the console port of a router.

6. You have a large packet capture file in Wireshark to review. You want to filter traffic to show all packets with an IP address of 192.168.22.5 that contain the string HR_admin. Which of the following filters would accomplish this task?

A. ip.addr==192.168.22.5 && tcp contains HR_admin

B. ip.addr 192.168.22.5 && “HR_admin”

C. ip.addr 192.168.22.5 && tcp string==HR_admin


D. ip.addr==192.168.22.5 + tcp contains tide

7. Which of the following techniques can be used to gather information from a fully switched network or to disable some of the traffic isolation features of a switch? (Choose two.)

A. DHCP starvation

B. MAC flooding

C. Promiscuous mode

D. ARP spoofing

8. Which of the following statements is true regarding the discovery of sniffers on a network?

A. To discover the sniffer, ping all addresses andexamine latency in responses.

B. To discover the sniffer, send ARP messages toall systems and watch for NOARP responses.

C. To discover the sniffer, configure the IDS towatch for NICs in promiscuous mode.

D. It is almost impossible to discover the sniffer on the network.

9. Which of the following could provide useful defense against ARP spoofing? (Choose all that apply.)

A. Use ARPWALL.

B. Set all NICs to promiscuous mode.


C. Use private VLANs.

D. Use static ARP entries.

10. Examine the following Snort rule:

Which of the following statements are true regarding the rule? (Choose all that apply.)

A. This rule will alert on packets coming from the designated home network.

B. This rule will alert on packets coming from outside the designated home address.

C. This rule will alert on packets designated for any port, from port 23, containing the “admin” string.

D. This rule will alert on packets designated on port 23, from any port, containing the “admin” string.

11. You want to begin sniffing, and you have a Windows 7 laptop. You download and install Wireshark but quickly discover your NIC needs to be in “promiscuous mode.” What allows you to put your NIC into promiscuous mode?

A. Installing lmpcap

B. Installing npcap

C. Installing WinPcap


D. Installing libPcap

E. Manipulating the NIC properties through Control Panel | Network and Internet | Change Adapter Settings

12. A network and security administrator installs an NIDS. After a few weeks, a successful intrusion into the network occurs and a check of the NIDS during the timeframe of the attack shows no alerts. An investigation shows the NIDS was not configured correctly and therefore did not trigger on what should have been attack alert signatures. Which of the following best describes the actions of the NIDS?

A. False positives

B. False negatives

C. True positives

D. True negatives

13. A pen test member has gained access to an open switch port. He configures his NIC for promiscuous mode and sets up a sniffer, plugging his laptop directly into the switch port. He watches traffic as it arrives at the system, looking for specific information to possibly use later. What type of sniffing is being practiced?

A. Active


B. Promiscuous

C. Blind

D. Passive

E. Session

14. Which of the following are the best preventive measures to take against DHCP starvation attacks? (Choose two.)

A. Block all UDP port 67 and 68 traffic.

B. Enable DHCP snooping on the switch.

C. Use port security on the switch.

D. Configure DHCP filters on the switch.

15. Which of the following tools is the best choice to assist in evading an IDS?

A. Nessus

B. Nikto

C. Libwhisker

D. Snort

16. Examine the Snort output shown here:

Which of the following statements is true regarding the packet capture?

A. The capture indicates a NOP sled attack.

B. The capture shows step 2 of a TCP handshake.

C. The packet source is 213.132.44.56.

D. The packet capture shows an SSH session attempt.

17. Your IDS sits on the network perimeter and has been analyzing traffic for a couple of weeks. On arrival one morning, you find the IDS has alerted on a spike in network traffic late the previous evening. Which type of IDS are you using?

A. Stateful

B. Snort

C. Passive

D. Signature based

E. Anomaly based

18. You are performing an ACK scan against a target subnet. You previously verified connectivity to several hosts within the subnet but want to verify all live hosts on the subnet. Your scan, however, is not receiving any replies. Which type of firewall is most likely in use at your location?

A. Packet filtering

B. IPS

C. Stateful

D. Active

19. You are separated from your target subnet by a firewall. The firewall is correctly configured and allows requests only to ports opened by the administrator. In firewalking the device, you find that port 80 is open. Which technique could you employ to send data and commands to or from the target system?

A. Encrypt the data to hide it from the firewall.

B. Use session splicing.

C. Use MAC flooding.

D. Use HTTP tunneling.

20. Which of the following tools can be used to extract application layer data from TCP connections captured in a log file into separate files?

A. Snort


B. Netcat

C. TCPflow

D. Tcpdump

21. Examine the Wireshark filter shown here:

ip.src == 192.168.1.1 && tcp.srcport == 80

Which of the following correctly describes the capture filter?

A. The results will display all traffic from 192.168.1.1 destined for port 80.

B. The results will display all HTTP traffic to 192.168.1.1.

C. The results will display all HTTP traffic from 192.168.1.1.

D. No results will display because of invalid syntax.

22. You need to put the NIC into listening mode on your Linux box, capture packets, and write the results to a log file named my.log. How do you accomplish this with tcpdump?

A. tcpdump -i eth0 -w my.log

B. tcpdump -l eth0 -c my.log

C. tcpdump /i eth0 /w my.log

D. tcpdump /l eth0 /c my.log


23. Which of the following tools can assist with IDS evasion? (Choose all that apply.)

A. Whisker

B. Fragroute

C. Capsa

D. Wireshark

E. ADMmutate

F. Inundator

24. A security administrator is attempting to “lock down” her network and blocks access from internal to external on all external firewall ports except for TCP 80 and TCP 443. An internal user wants to make use of other protocols to access services on remote systems (FTP, as well as some nonstandard port numbers). Which of the following is the most likely choice the user could attempt to communicate with the remote systems over the protocol of her choice?

A. Use HTTP tunneling.

B. Send all traffic over UDP instead of TCP.

C. Crack the firewall and open the ports required for communication.

D. MAC flood the switch connected to the firewall.


25. An ethical hacker is assigned to scan a server and wants to avoid IDS detection. She uses a tactic wherein the TCP header is split into many packets, making it difficult to detect what the packets are intended for. Which of the following best describes the technique employed?

A. TCP scanning

B. IP fragment scanning

C. ACK scanning

D. Inverse TCP scanning


QUICK ANSWER KEY

1. A

2. B

3. B

4. D

5. C

6. A

7. B, D

8. D

9. A, C, D

10. B, D

11. C

12. B

13. D

14. B, C

15. C

16. B

17. E

18. C

19. D


20. C

21. C

22. A

23. A, B, E, F

24. A

25. B


ANSWERS

1. Given the following Wireshark filter, what is the attacker attempting to view?

A. SYN, SYN/ACK, ACK

B. SYN, FIN, URG, and PSH

C. ACK, ACK, SYN, URG

D. SYN/ACK only

A. You’ll see bunches of Wireshark questions on your exam—it’s probably the subject EC-Council loves the most regarding this chapter—and syntax will be the key to answering all of them. For this particular question subject, remember Wireshark has the ability to filter based on a decimal numbering system assigned to TCP flags. The assigned flag decimal numbers are FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, and URG = 32. Adding these numbers together (for example, SYN + ACK = 18) allows you to simplify a Wireshark filter. For example, tcp.flags == 0x2 looks for SYN packets, tcp.flags == 0x16 looks for ACK packets, and tcp.flags == 0x18 looks for both (the attacker here will see all SYN packets, all SYN/ACK packets, and all ACK packets). In this example, the decimal numbers were used, just not in a simplified manner.

As far as the rest of Wireshark filtering syntax goes, there are a couple key points to remember. First, be sure to remember it uses double “equals” signs (==) in the expression (ip.addr = 10.10.10.0/24 won’t work, but ip.addr == 10.10.10.0/24 will). Next, know the difference between the definitions for “and” and “or.” An “and” in the filter means both expressions will be queried and displayed, but only if both are true. (In other words, “show me all packets containing this source address and headed toward this destination IP. If it’s from this source but going somewhere else, ignore it. If it’s headed to this destination but is not from this source, ignore it.”) An “or” in the filter means either of the expressions can be true (that is, “show me all packets containing this source address and any packets going to this destination IP, no matter the destination or source address, respectively, for the two”).

B, C, and D are incorrect because these do not match the decimal numbers provided in the capture (2 for SYN, 18 for SYN/ACK, and 16 for ACK).

2. A target machine (with a MAC of 12:34:56:AB:CD:EF) is connected to a switch port. An attacker (with a MAC of 78:91:00:ED:BC:A1) is attached to a separate port on the same switch with a packet capture running. There is no spanning of ports or port security in place. Two packets leave the target machine. Message 1 has a destination MAC of E1:22:BA:87:AC:12. Message 2 has a destination MAC of FF:FF:FF:FF:FF:FF. Which of the following statements is true regarding the messages being sent?

A. The attacker will see message 1.

B. The attacker will see message 2.

C. The attacker will see both messages.

D. The attacker will see neither message.

B. This question is all about how a switch works, with a little MAC knowledge thrown in. Remember that switches are designed to filter unicast messages but to flood multicast and broadcast messages (filtering goes to only one port, whereas flooding sends to all). Broadcast MAC addresses in the frame are easy to spot—they’re always all Fs, indicating all 48 bits turned on in the address. In this case, message 1 is a unicast address and went off to its destination, whereas message 2 is clearly a broadcast message, which the switch will gladly flood to all ports, including the attacker’s.

Other versions of this same question will center on the efforts an attacker can use to see that packet. Should the attacker desire to see all messages, a MAC flood could turn the switch into a hub, effectively flooding all packets to all ports. Another option is to span a port (break into the configuration of the switch and tell it to send all traffic destined for a specific port to that port and to the attacker’s). Lastly, port stealing (a new and totally fun memorization term from EC-Council) allows an attacker to take advantage of the “race condition” (where the switch is constantly updating MAC address bindings for ports) during a MAC flood attempt to effectively steal a port and sniff all traffic aimed for the target machine.

A is incorrect because the unicast destination MAC does not match the attacker’s machine. When the frame is read by the switch and compared to the internal address list (CAM table), it will be filtered and sent to the appropriate destination port.

C is incorrect because the switch will not flood both messages to the attacker’s port—it floods only broadcast and multicast.

D is incorrect because the broadcast address will definitely be seen by the attacker.

3. You have tapped into a network subnet of your target organization. You begin an attack by learning all significant MAC addresses on the subnet. After some time, you decide to intercept messages between two hosts. You begin by sending broadcast messages to Host A showing your MAC address as belonging to Host B, while also sending messages to Host B showing your MAC address as belonging to Host A. What is being accomplished here?

A. ARP poisoning to allow you to see all messages from either host without interrupting their communications process

B. ARP poisoning to allow you to see messages from Host A to Host B

C. ARP poisoning to allow you to see messages from Host B to Host A

D. ARP poisoning to allow you to see messages from Host A destined to any address

E. ARP poisoning to allow you to see messages from Host B destined to any address

B. ARP poisoning is a relatively simple way to place yourself as the “man in the middle” and spy on traffic (by the way, be careful with the term man in the middle because it usually refers to a position where you are not interrupting traffic). The ARP cache is updated whenever your machine does a name lookup or when ARP (a broadcast protocol) receives an unsolicited message advertising a MAC-to-IP match. In this example, you’ve told Host A that you hold the MAC address for Host B. Host A will update its cache, and when a message is being crafted by the OS, it will happily put the spoofed address in its place. Just remember that ARP poisoning is oftentimes noisy and may be easy to discover if port security is enabled: depending on implementation, the port will lock (or amber in nerd terminology) when an incorrect MAC tries to use it or when multiple broadcasts claiming different MACs are seen. Additionally, watch out for denial-of-service side effects of attempting ARP poisoning—you may well bring down a target without even trying to, not to mention Host B is eventually going to find out it’s not receiving anything from Host A. As a side note, detection of ARP poisoning can be done with a tool called xARP (www.chrismc.de).

A is incorrect for a couple reasons. First, you won’t receive messages from each host addressed to anywhere in the world—you’ll only receive messages addressed from Host A to Host B. Second, the communications flow between the two hosts will be affected by this. As a matter of fact, Host A can never talk to Host B: the ARP poisoning has all messages going to you, the hacker.

C is incorrect because you didn’t poison Host B’s cache—Host A was the target.

D is incorrect because you didn’t poison Host A’s mapping to the default gateway or anything like that—you will only receive messages intended for Host B.

E is incorrect because you did not poison Host B at all.

4. Your target subnet is protected by a firewalled DMZ. Reconnaissance shows the external firewall passes some traffic from external to internal, but blocks most communications. HTTP traffic to a web server in the DMZ, which answers to www.somebiz.com, is allowed, along with standard traffic such as DNS queries. Which of the following may provide a method to evade the firewall’s protection?

A. An ACK scan

B. Firewalking

C. False positive flooding

D. TCP over DNS

D. Of the choices provided, TCP over DNS is the only one that makes any sense. TCP over DNS is exactly what it sounds like—sending TCP traffic that would otherwise use a different port number in packets using port 53. Because the firewall usually allows DNS requests to pass, hiding traffic under port 53 is convenient and fairly easy. The whole thing does require a special DNS server and DNS client setup, but the steps to pull it off aren’t rocket science. While TCP over DNS will allow you to evade the firewall and send traffic internally, it will not provide you instant access to machines or anything like that—it simply allows you to send traffic unnoticed through a firewall. TCP over DNS tools include Iodine (http://code.kryo.se/iodine/), DNS Tunnel (http://dnstunnel.de), and Netcross (https://soureforge.net/projects/netcross).

Another very common option for passing traffic through a firewall is HTTP tunneling. The same principle applies, except in HTTP tunneling you abuse port 80 instead of port 53. HTTP tunneling tools include HTTPort (www.targeted.org), SuperNetwork Tunnel (www.networktunnel.net), and HTTP-Tunnel (www.http-tunnel.com).

A is incorrect because an ACK scan does nothing to hide traffic or evade the firewall. The scan itself would be loud and noisy, and would not affect the firewall at all.

B is incorrect because firewalking is a great technique to discover which ports are open (that is, which ports the firewall is allowing to pass) and which are closed. However, it does nothing to hide traffic or evade any suspicion.

C is incorrect because while false positive flooding does provide good “cover fire” for an attacker in an IDS, it does nothing to affect the firewall in any way—traffic to other ports will be blocked because that’s just what a firewall does.
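From the defender’s side, the tunneling described in answer 4 leaves a measurable footprint in DNS query logs. The following is an added example, not code from the book or from any tool it names: it scores per-client, per-domain query groups on label length, label entropy and record type, using a constructed log and illustrative thresholds.

```python
"""Heuristics for spotting DNS-tunnelled traffic such as the 'TCP over DNS' evasion in answer 4.

Added example, not code from the book or from any of the tools it names. The query
log is constructed inline and the thresholds are illustrative starting points. The
logic rests on what a tunnel cannot avoid: its payload travels in the query name, so
one client talking to one domain produces long, high-entropy labels at a rate that
ordinary name resolution does not.
"""
import math
from collections import defaultdict

# Constructed log lines: "timestamp client qtype qname" (no real traffic).
_B32 = "abcdefghijklmnopqrstuvwxyz234567"
SAMPLE_LOG = [
    "1 10.0.0.5 A www.example.com.",
    "2 10.0.0.5 A mail.example.com.",
    "3 10.0.0.5 AAAA www.example.com.",
    "4 10.0.0.5 A cdn.example.com.",
    "5 10.0.0.5 MX example.com.",
    "6 10.0.0.5 A login.example.com.",
] + [
    # six tunnel-style queries: one fat base32-looking label each, TXT record type
    f"{7 + i} 10.0.0.7 TXT {i}{(_B32 * 2)[:49]}.t.tunnel-test.invalid." for i in range(6)
]


def shannon_entropy(text):
    """Bits per character; base32 payload sits near 4-5, ordinary hostnames far lower."""
    if not text:
        return 0.0
    counts = {c: text.count(c) for c in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def split_name(qname):
    """Return (subdomain_part, registered_domain); last-two-labels is an approximation."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(lines, min_queries=5, long_subdomain=40, entropy_threshold=3.5,
            payload_types=("TXT", "NULL", "CNAME")):
    """Group queries by (client, domain), score each group, return a list of findings."""
    groups = defaultdict(list)
    for line in lines:
        _, client, qtype, qname = line.split()
        sub, domain = split_name(qname)
        groups[(client, domain)].append((qtype, sub))
    findings = []
    for (client, domain), queries in groups.items():
        if len(queries) < min_queries:
            continue
        subs = [s.replace(".", "") for _, s in queries]
        avg_len = sum(map(len, subs)) / len(subs)
        avg_entropy = sum(map(shannon_entropy, subs)) / len(subs)
        payload_share = sum(q in payload_types for q, _ in queries) / len(queries)
        indicators = []
        if avg_len >= long_subdomain:
            indicators.append("long_labels")
        if avg_entropy >= entropy_threshold:
            indicators.append("high_entropy")
        if payload_share >= 0.5:
            indicators.append("payload_record_types")
        findings.append({"client": client, "domain": domain, "queries": len(queries),
                         "avg_subdomain_len": round(avg_len, 1),
                         "avg_entropy": round(avg_entropy, 2),
                         "indicators": indicators, "suspicious": len(indicators) >= 2})
    return findings


def suspicious_pairs(lines):
    """The (client, domain) pairs flagged as likely tunnels."""
    return {(f["client"], f["domain"]) for f in analyze(lines) if f["suspicious"]}
```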

5. Which of the following is the best choice in setting an NIDS tap?

A. Connect directly to a server inside the DMZ.

B. Connect directly to a server in the intranet.

C. Connect to a SPAN port on a switch.

D. Connect to the console port of a router.

C. A network intrusion detection system (NIDS) only works well if it can see all the network traffic, and placement obviously makes a huge difference. One common implementation is to connect via a SPAN (Switched Port Analyzer) port on a switch. The configuration for a SPAN port ensures all traffic from a defined range of ports is also sent to the SPAN port. This makes the best option for your NIDS tap, at least as far as this question goes: in the real world, you would most likely set up a passive tap, positioned in the correct location to see everything coming across the wire.

A is incorrect because connecting directly to a single server would give you only the traffic sent to that server (or that server’s subnet, provided the server is watching promiscuously and is configured appropriately). In this case, the DMZ’s traffic is all you’d see.

B is incorrect because connecting directly to a single server would give you only the traffic sent to that server (or that server’s subnet, provided the server is watching promiscuously and is configured appropriately). In this case, the intranet’s traffic is all you’d see.

D is incorrect because connecting to the console port on a router would provide access to no traffic at all. The console port on the router is used specifically for configuration and management of the router.

6. You have a large packet capture file in Wireshark to review. You want to filter traffic to show all packets with an IP address of 192.168.22.5 that contain the string HR_admin. Which of the following filters would accomplish this task?

A. ip.addr==192.168.22.5 && tcp contains HR_admin

B. ip.addr 192.168.22.5 && “HR_admin”

C. ip.addr 192.168.22.5 && tcp string==HR_admin

D. ip.addr==192.168.22.5 + tcp contains tide

A. This is a perfect example of a typical question on your exam regarding Wireshark syntax. Answer A is the only one that sticks to Wireshark filter syntax. Definitely know the ip.addr, ip.src, and ip.dst filters; the “tcp contains” filter is another favorite of test question writers. When you combine filters in one search, use the && designator, and don’t forget the use of double equals signs. Another fun version of this same question involves reading the output from Wireshark. A tool that can help you out with the raw files—including output from other tools like tcpdump—is tcptrace (www.tcptrace.org/).

B, C, and D are all incorrect because the syntax is wrong for Wireshark filters. As an aside, a great way to learn the syntax of these filters is to use the expression builder directly beside the filter entry box. It’s self-explanatory and contains thousands of possible expression builds.
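The filter semantics behind answers 1 and 6 (the tcp.flags bitmask, ip.addr matching either direction, && conjunction, and why the malformed options are rejected) can be made concrete with a tiny evaluator. This is an added example, not code from the book or from Wireshark; the packets are constructed records, and it implements only the handful of filter forms these questions use.

```python
"""Mini evaluator for the Wireshark display-filter forms these questions use.

Added example, not code from the book or from Wireshark. It supports only what
questions 1, 6 and 21 need: field == value comparisons, the `tcp contains`
string test, && conjunction, and tcp.flags compared as the FIN=1, SYN=2, RST=4,
PSH=8, ACK=16, URG=32 bitmask. Packets are dicts constructed inline.
"""
import re

TCP_FLAGS = {"fin": 1, "syn": 2, "rst": 4, "psh": 8, "ack": 16, "urg": 32}


def flag_value(*names):
    """Decimal value Wireshark compares tcp.flags against, e.g. ('syn', 'ack') -> 18 (0x12)."""
    return sum(TCP_FLAGS[n.lower()] for n in names)


def packet(src, dst, sport, dport, flags=(), payload=b""):
    """Build one constructed packet record with the fields the filters reference."""
    return {"ip.src": src, "ip.dst": dst, "tcp.srcport": sport,
            "tcp.dstport": dport, "tcp.flags": flag_value(*flags), "payload": payload}


# Constructed sample: a three-way handshake, then an HTTP request carrying "HR_admin".
SAMPLE_PACKETS = [
    packet("10.0.0.5", "10.0.0.9", 51000, 80, ("syn",)),
    packet("10.0.0.9", "10.0.0.5", 80, 51000, ("syn", "ack")),
    packet("10.0.0.5", "10.0.0.9", 51000, 80, ("ack",)),
    packet("10.0.0.5", "10.0.0.9", 51000, 80, ("psh", "ack"), b"GET /HR_admin HTTP/1.1"),
]

_COMPARISON = re.compile(r"^\s*([a-z._]+)\s*==\s*(\S+)\s*$")
_CONTAINS = re.compile(r'^\s*tcp\s+contains\s+"?([^"\s]+)"?\s*$')


def _field_matches(pkt, field, literal):
    if field == "ip.addr":                       # ip.addr matches source OR destination
        return literal in (pkt["ip.src"], pkt["ip.dst"])
    if field in ("ip.src", "ip.dst"):
        return pkt[field] == literal
    if field in ("tcp.srcport", "tcp.dstport", "tcp.flags"):
        return pkt[field] == int(literal, 0)     # base 0 accepts both 18 and 0x12
    raise ValueError(f"unknown field: {field}")


def _eval_term(pkt, term):
    m = _CONTAINS.match(term)
    if m:
        return m.group(1).encode() in pkt["payload"]
    m = _COMPARISON.match(term)
    if m:
        return _field_matches(pkt, m.group(1), m.group(2))
    # A single '=', a missing operator, '+' as a joiner or a bare quoted string
    # is not valid syntax; this is why options B, C and D in question 6 fail.
    raise SyntaxError(f"invalid display filter term: {term!r}")


def matches(pkt, expression):
    """True when every &&-joined term is true for this packet ('and' semantics)."""
    return all(_eval_term(pkt, term) for term in expression.split("&&"))


def apply_filter(packets, expression):
    """Return the packets a display filter would leave visible."""
    return [p for p in packets if matches(p, expression)]


def is_valid_filter(expression):
    """Syntax check only: evaluate against a dummy packet and report whether it parsed."""
    try:
        matches(packet("0.0.0.0", "0.0.0.0", 0, 0), expression)
        return True
    except (SyntaxError, ValueError):
        return False
```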

7. Which of the following techniques can be used to gather information from a fully switched network or to disable some of the traffic isolation features of a switch? (Choose two.)

A. DHCP starvation

B. MAC flooding

C. Promiscuous mode

D. ARP spoofing


B, D. Switches filter all traffic—unless you tell them otherwise, make them behave differently, or the traffic is broadcast or multicast. If you can gain administrative access to the IOS, you can tell it to behave otherwise by configuring a span port (which sends copies of messages from all ports to yours). Legitimate span ports are designed for things such as network IDS. To make the switch behave differently (at least on older switches, because newer ones don’t allow this much anymore), send more MAC addresses to the switch than it can handle. This fills the CAM and turns the switch, effectively, into a hub (sometimes called a fail open state). Using a tool such as MacOF or Yersinia, you can send thousands and thousands of fake MAC addresses to the switch’s CAM table. ARP spoofing doesn’t really involve the switch much at all—it continues to act and filter traffic just as it was designed to do. The only difference is you’ve lied to it by faking a MAC address on a connected port. The poor switch, believing those happy little ARP messages, will forward all packets destined for that MAC address to you instead of the intended recipient. How fun!


A is incorrect because DHCP starvation is a form of a DoS attack, where the attacker “steals” all the available IP addresses from the DHCP server, which prevents legitimate users from connecting.

C is incorrect because the term promiscuous applies to the way a NIC processes messages. Instead of tossing aside all messages that are not addressed specifically for the machine (or broadcast/multicast), promiscuous mode says, “Bring ’em all in so we can take a look at them using our handy sniffing application.”
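The switch behaviour that answers 2 and 7 rest on (unicast filtered to one port, broadcast flooded, a full CAM table degrading into hub-like flooding, and a port-security MAC limit stopping that) can be modelled in a few dozen lines. This is an added example, not code from the book; apart from the target and attacker MACs taken from question 2, every MAC, the CAM capacity and the per-port limit are constructed values.

```python
"""Learning-switch model for the forwarding behaviour behind answers 2 and 7.

Added example, not code from the book. It shows why a unicast frame is filtered
to one port while a broadcast is flooded (question 2), how filling the CAM table
with bogus source MACs degrades the switch to hub-like flooding (question 7), and
how a port-security MAC limit shuts the offending port instead. All MACs except
the question 2 target/attacker pair, the CAM capacity and the port limit are
constructed values.
"""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"
TARGET_MAC = "12:34:56:ab:cd:ef"      # from question 2
ATTACKER_MAC = "78:91:00:ed:bc:a1"    # from question 2
THIRD_HOST_MAC = "aa:bb:cc:00:00:03"  # constructed unicast destination


def is_group_address(mac):
    """I/G bit (low bit of the first octet) set means multicast; broadcast is all ones."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    def __init__(self, ports, cam_capacity=4, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = OrderedDict()            # mac -> port, least recently learned first
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port
        self.err_disabled = set()           # ports shut by a port-security violation

    def _learn(self, port, mac):
        """Record the source MAC on its ingress port; False if port security blocks it."""
        if self.max_macs_per_port is not None:
            on_port = {m for m, p in self.cam.items() if p == port}
            if mac not in on_port and len(on_port) >= self.max_macs_per_port:
                self.err_disabled.add(port)   # violation: the port goes amber / err-disabled
                return False
        if mac not in self.cam and len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)      # table full: the oldest entry is evicted
        self.cam[mac] = port
        self.cam.move_to_end(mac)
        return True

    def forward(self, ingress, src_mac, dst_mac):
        """Return the set of egress ports that receive this frame."""
        if ingress in self.err_disabled or not self._learn(ingress, src_mac):
            return set()
        flood_ports = {p for p in self.ports if p != ingress}
        if is_group_address(dst_mac) or dst_mac not in self.cam:
            return flood_ports                # broadcast/multicast/unknown unicast: flood
        return {self.cam[dst_mac]} - {ingress}   # known unicast: filter to one port


def question2_scenario():
    """Target on port 1, attacker sniffing on port 2, third host on port 3; no port security."""
    sw = Switch(ports=[1, 2, 3])
    sw.forward(3, THIRD_HOST_MAC, BROADCAST)          # switch learns the third host's port
    msg1 = sw.forward(1, TARGET_MAC, THIRD_HOST_MAC)  # message 1: unicast
    msg2 = sw.forward(1, TARGET_MAC, BROADCAST)       # message 2: broadcast
    return msg1, msg2


def mac_flood_scenario(max_macs_per_port=None):
    """Port 2 emits frames from many bogus source MACs, then the target sends a unicast."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=4, max_macs_per_port=max_macs_per_port)
    sw.forward(3, THIRD_HOST_MAC, BROADCAST)
    for i in range(10):                                # constructed bogus source MACs
        sw.forward(2, f"02:00:00:00:00:{i:02x}", BROADCAST)
    egress = sw.forward(1, TARGET_MAC, THIRD_HOST_MAC)
    return egress, sw.err_disabled
```

Without a port limit the flooded CAM forgets the third host, so the target's unicast is sprayed to every port including the sniffer's; with a limit of two MACs per port, port 2 is err-disabled and the unicast still goes only to port 3.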

8. Which of the following statements is true regarding the discovery of sniffers on a network?

A. To discover the sniffer, ping all addresses and examine latency in responses.

B. To discover the sniffer, send ARP messages to all systems and watch for NOARP responses.

C. To discover the sniffer, configure the IDS to watch for NICs in promiscuous mode.

D. It is almost impossible to discover the sniffer on the network.

D. This question is more about active versus passive sniffing than anything else. I’m not saying it’s impossible, because almost nothing is, but discovering a passive sniffer on your network is very difficult. When a NIC is set to promiscuous mode, it just blindly accepts any packet coming by and sends it up the layers for further processing (which is what allows Wireshark and other sniffers to analyze the traffic). Because sniffers are sitting there pulling traffic and not sending anything in order to get it, they’re difficult to detect. Active sniffing is another thing altogether. If a machine is ARP spoofing or MAC flooding in order to pull off sniffing, it’s much easier to spot it.

A is incorrect because the premise is absolutely silly. Thousands of things can affect latency in response to a ping, but running a sniffer on the box isn’t necessarily one of them, nor is latency an indicator of one being present.

B is incorrect because NOARP is a Linux kernel module that filters and drops unwanted ARP requests. It’s not a response packet we can discover sniffers with.

C is incorrect because it’s impossible to watch for NICs in promiscuous mode. The NIC is simply doing the same job every other NIC is doing—it’s sitting there pulling traffic. The network IDS wouldn’t know, or care, about it.

9. Which of the following could provide useful defense against ARP spoofing? (Choose all that apply.)

A. Use ARPWALL.

B. Set all NICs to promiscuous mode.

C. Use private VLANs.

D. Use static ARP entries.

A, C, D. ARPWALL is an application available for download from SourceForge (http://sourceforge.net/projects/arpwall/). It gives an early warning when an ARP attack occurs and simply blocks the connection. Virtual LANs (VLANs) provide a means to create multiple broadcast domains within a single network. Machines on the same switch are in different networks, and their traffic is isolated. Since ARP works on broadcast, this can help prevent large-scale ARP spoofing. Per courseware, static ARP entries are a good idea and at least one way to fix ARP poisoning, since no matter what is banging around out on the network, the system uses the static mapping you configured. An IDS may also be helpful in spotting ARP shenanigans, but wouldn’t necessarily do anything about it.

B is incorrect because setting NICs to promiscuous mode wouldn’t do a thing to prevent a broadcast message (ARP) from being received.
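The detection and static-entry defences in answers 3 and 9 come down to watching IP-to-MAC bindings for changes and refusing to let a wire-learned claim override a configured one. The following is an added example, not code from the book, xARP or ARPWALL; it runs Host A's side of question 3 over constructed ARP reply records rather than live capture, and all IPs and MACs are constructed.

```python
"""Passive ARP-spoofing detector illustrating answers 3 and 9.

Added example, not code from the book, xARP or ARPWALL. It consumes ARP replies
(constructed records, not live capture) and raises an alert when a reply changes an
already-learned IP->MAC binding, arrives unsolicited (the gratuitous replies the
poisoning in question 3 relies on), or contradicts a static ARP entry, which is why
static entries are an accepted defence in question 9. IPs and MACs are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    sender_ip: str
    sender_mac: str
    solicited: bool      # True if this host sent a matching ARP request first


@dataclass
class ArpMonitor:
    static_entries: dict = field(default_factory=dict)   # ip -> mac, configured by the admin
    learned: dict = field(default_factory=dict)          # ip -> mac, learned from the wire
    alerts: list = field(default_factory=list)

    def observe(self, reply):
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        static = self.static_entries.get(ip)
        if static is not None:
            if static != mac:
                self.alerts.append(f"STATIC_MISMATCH {ip} claimed by {mac}, static is {static}")
            return                                       # a static mapping is never overwritten
        if not reply.solicited:
            self.alerts.append(f"UNSOLICITED_REPLY {ip} -> {mac}")
        old = self.learned.get(ip)
        if old is not None and old != mac:
            # A legitimate NIC swap also trips this, so treat it as an alert to verify,
            # and keep the first-seen binding rather than accepting the newer claim.
            self.alerts.append(f"BINDING_CHANGED {ip}: {old} -> {mac}")
            return
        self.learned[ip] = mac

    def resolve(self, ip):
        """Static entry wins; otherwise whatever was learned first."""
        return self.static_entries.get(ip) or self.learned.get(ip)


def run_scenario(use_static_entries):
    """Host A's view of question 3: a genuine reply from Host B, then the attacker's claim."""
    host_b_ip, host_b_mac = "10.0.0.2", "bb:bb:bb:bb:bb:02"   # constructed
    attacker_mac = "cc:cc:cc:cc:cc:03"                         # constructed
    mon = ArpMonitor(static_entries={host_b_ip: host_b_mac} if use_static_entries else {})
    mon.observe(ArpReply(host_b_ip, host_b_mac, solicited=True))     # answer to our own request
    mon.observe(ArpReply(host_b_ip, attacker_mac, solicited=False))  # poisoning attempt
    return mon.resolve(host_b_ip), [a.split()[0] for a in mon.alerts]
```

In both runs Host A keeps resolving Host B to the genuine MAC; the difference is that with a static entry the poisoning attempt surfaces as a single STATIC_MISMATCH alert instead of two behavioural ones.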

10. Examine the following Snort rule:

Which of the following statements are true regarding the rule? (Choose all that apply.)

A. This rule will alert on packets coming from the designated home network.

B. This rule will alert on packets coming from outside the designated home address.

C. This rule will alert on packets designated for any port, from port 23, containing the “admin” string.

D. This rule will alert on packets designated on port 23, from any port, containing the “admin” string.

B, D. Snort rules, logs, entries, and configuration files will definitely be part of your exam. This particular rule takes into account a lot of things you’ll see. First, note the exclamation mark (!) just before the HOME_NET variable. Any time you see this, it indicates the opposite of the following variable—in this case, any packet from an address not in the home network and using any source port number, intended for any address that is within the home network. Following that variable is a spot for a port number, and the word any indicates we don’t care what the source port is. Next, we spell out the destination information: anything in the home network and destined for port 23. Lastly, we add one more little search before spelling out the message we want to receive: the “content” designator allows us to spell out strings we’re looking for.

A and C are incorrect because these statements are polar opposite to what the rule is stating.
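To see why B and D hold while A and C fail, the rule header described in answer 10 can be parsed and run against sample packets. This is an added example, not code from the book or from Snort: the rule text is constructed to match the answer's description (the book's own rule image is not reproduced), HOME_NET and all packets are constructed values, and only the header tokens and options the answer mentions are modelled.

```python
"""Minimal Snort rule-header matcher for the rule described in answer 10.

Added example, not code from the book or from Snort. The rule below is constructed
to match the answer's description (source outside HOME_NET on any port, destination
inside HOME_NET on port 23, content "admin"); the book's own rule image is not
reproduced here. Supports only: the alert action, $VAR and !$VAR address tokens,
'any' or a single port, the -> and <> directions, and the content/msg options.
HOME_NET and all packets are constructed values.
"""
import ipaddress

CONSTRUCTED_RULE = ('alert tcp !$HOME_NET any -> $HOME_NET 23 '
                    '(msg:"Telnet traffic containing admin"; content:"admin"; sid:1000001;)')
CONSTRUCTED_VARS = {"HOME_NET": "192.168.1.0/24"}


def _address_spec(token, variables):
    """Return (negated, network-or-None); a None network means 'any'."""
    negated = token.startswith("!")
    token = token.lstrip("!")
    if token.startswith("$"):
        token = variables[token[1:]]
    network = None if token == "any" else ipaddress.ip_network(token, strict=False)
    return negated, network


def parse_rule(rule_text, variables):
    header, _, options = rule_text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    opts = {}
    for option in options.rstrip(")").split(";"):
        if option.strip():
            key, _, value = option.strip().partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto.lower(), "src": _address_spec(src, variables),
            "sport": sport, "direction": direction, "dst": _address_spec(dst, variables),
            "dport": dport, "options": opts}


def _addr_matches(spec, ip):
    negated, network = spec
    hit = True if network is None else ipaddress.ip_address(ip) in network
    return hit != negated          # '!' inverts the membership test


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port   # ranges, lists and negation not modelled


def rule_fires(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    if pkt["proto"] != rule["proto"]:
        return False
    forward = (_addr_matches(rule["src"], pkt["src"]) and _port_matches(rule["sport"], pkt["sport"])
               and _addr_matches(rule["dst"], pkt["dst"]) and _port_matches(rule["dport"], pkt["dport"]))
    reverse = (rule["direction"] == "<>"
               and _addr_matches(rule["src"], pkt["dst"]) and _port_matches(rule["sport"], pkt["dport"])
               and _addr_matches(rule["dst"], pkt["src"]) and _port_matches(rule["dport"], pkt["sport"]))
    if not (forward or reverse):
        return False
    content = rule["options"].get("content")
    return content is None or content.encode() in pkt["payload"]


def tcp(src, sport, dst, dport, payload):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


# Constructed traffic exercising each clause of the rule (203.0.113.0/24 is documentation space).
SAMPLE_TRAFFIC = {
    "outside_to_telnet_admin": tcp("203.0.113.9", 40000, "192.168.1.10", 23, b"login: admin\r\n"),
    "inside_to_telnet_admin": tcp("192.168.1.20", 40000, "192.168.1.10", 23, b"login: admin\r\n"),
    "outside_to_ssh_admin": tcp("203.0.113.9", 40000, "192.168.1.10", 22, b"admin"),
    "outside_from_port23": tcp("203.0.113.9", 23, "192.168.1.10", 40000, b"admin"),
    "outside_to_telnet_no_admin": tcp("203.0.113.9", 40000, "192.168.1.10", 23, b"login: guest\r\n"),
}


def evaluate(rule_text=CONSTRUCTED_RULE, variables=CONSTRUCTED_VARS, traffic=SAMPLE_TRAFFIC):
    """Which constructed packets make the rule fire."""
    rule = parse_rule(rule_text, variables)
    return {name: rule_fires(rule, pkt) for name, pkt in traffic.items()}
```

Only the packet from outside HOME_NET, to port 23, carrying "admin" fires; the inside-sourced packet (option A) and the one from port 23 to an arbitrary port (option C) do not.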

11. You want to begin sniffing, and you have a Windows 7 laptop. You download and install Wireshark but quickly discover your NIC needs to be in “promiscuous mode.” What allows you to put your NIC into promiscuous mode?

A. Installing lmpcap

B. Installing npcap

C. Installing WinPcap


D. Installing libPcap

E. Manipulating the NIC properties through Control Panel | Network and Internet | Change Adapter Settings

C. To understand this, you have to know how a NIC is designed to work. The NIC “sees” lots of traffic but pulls in only the traffic it knows belongs to you. It does this by comparing the MAC address of each frame against its own: if they match, it pulls the frame in and works on it; if they don’t match, the frame is ignored. If you plug a sniffer into a NIC that looks only at traffic designated for the machine you’re on, you’ve kind of missed the point, wouldn’t you say? Promiscuous mode tells the NIC to pull in everything. This allows you to see all those packets moving to and fro inside your collision domain. WinPcap is a library that allows NICs on Windows machines to operate in promiscuous mode.

A is incorrect because lmpcap does not exist.

B is incorrect because npcap does not exist.

D is incorrect because libPcap is used on Linux machines for the same purpose—putting cards into promiscuous mode.


E is incorrect because accessing the Change Adapter Set­ting window does not allow you to put the card into promiscuous mode—you still need WinPcap for this.

12. A network and security administrator installs an NIDS. After a few weeks, a successful intrusion into the network occurs and a check of the NIDS during the timeframe of the attack shows no alerts. An investigation shows the NIDS was not configured correctly and therefore did not trigger on what should have been attack alert signatures. Which of the following best describes the actions of the NIDS?

A. False positives

B. False negatives

C. True positives

D. True negatives

B. When it comes to alerting systems, false negatives are much more concerning than false positives. A false negative occurs when there is traffic and circumstances in place for an attack signature, but the IDS does not trigger an alert. In other words, if your system is firing a lot of false negatives, the security staff may feel like they’re secure when, in reality, they’re really under successful attack.


Keep in mind a false negative is different from your IDS simply not seeing the traffic. For example, if you tell your IDS to send an alert for Telnet traffic and it simply didn’t see those packets (for whatever reason), that may be a false negative for exam purposes but in the real world is probably more of a configuration issue. A better example of a false negative in the real world would be for the attacker to encrypt a portion of payload so that the IDS doesn’t recognize it as suspicious. In other words, the IDS sees the traffic, it just doesn’t recognize anything bad about it.

A is incorrect because false positives occur when legitimate traffic is alerted on as if there were something wrong with it. Keeping false positives to a minimum is a concern when choosing and configuring IDS.

C and D are incorrect because these are not legitimate terms.

13. A pen test member has gained access to an open switch port. He configures his NIC for promiscuous mode and sets up a sniffer, plugging his laptop directly into the switch port. He watches traffic as it arrives at the system, looking for specific information to possibly use later. What type of sniffing is being practiced?

A. Active

B. Promiscuous

C. Blind

D. Passive

E. Session

D. This is one of those weird CEH definitions that drive us all crazy on the exam. Knowing the definition of passive versus active isn’t really going to make you a better pen tester, but it may save you a question on the test. When it comes to sniffing, if you are not injecting packets into the stream, it’s a passive exercise. Tools such as Wireshark are passive in nature. A tool such as Ettercap, though, has built-in features to trick switches into sending all traffic its way, and other sniffing hilarity. This type of sniffing, where you use packet interjection to force a response, is active in nature. As a quick aside here, for you real-world preppers out there, true passive sniffing with a laptop is pretty difficult to pull off. As soon as you attach a Windows machine, it’ll start broadcasting all kinds of stuff (ARP and so on), which is, technically, putting packets on the wire. The real point is that passive sniffing is a mindset where you are not intentionally putting packets on a wire.

A is incorrect because in the example given, no packet injection is being performed. The pen tester is simply hooking up a sniffer and watching what comes by. The only way this could be more passive is if he had a hammock nearby.

B is incorrect because the term promiscuous is not a sniffing type. Instead, it refers to the NIC's ability to pull in frames that are not addressed specifically to it.

C is incorrect because the term blind is not a sniffing type. This is included as a distractor.

E is incorrect because the term session is not a sniffing type. This is included as a distractor.

14. Which of the following are the best preventive measures to take against DHCP starvation attacks? (Choose two.)

A. Block all UDP port 67 and 68 traffic.

B. Enable DHCP snooping on the switch.

C. Use port security on the switch.

D. Configure DHCP filters on the switch.

B, C. DHCP starvation is a denial-of-service attack EC-Council somehow slipped into the sniffing section. The attack is pretty straightforward: the attacker floods the server with DHCPDISCOVER/DHCPREQUEST messages from spoofed MAC addresses until every address in the scope is leased, so legitimate users cannot pull an address and connect or communicate with the network subnet. (It is often the setup for a rogue DHCP server, which is where the sniffing connection comes in: the attacker's server then hands out its own address as the default gateway or DNS server.) DHCP snooping on a Cisco switch (enabled with the ip dhcp snooping command) marks ports as trusted or untrusted, drops DHCP server messages arriving on untrusted ports, builds a binding table of which MAC/IP pairs were legitimately leased on which port, and can rate-limit DHCP messages on untrusted ports (ip dhcp snooping limit rate), which is what blunts a starvation flood. It also verifies, on untrusted ports, that the client hardware address inside the DHCP message matches the frame's source MAC, which defeats the variant that spoofs only the DHCP payload while keeping one real source MAC. Port security, while not directly related to the attack, can be a means of defense as well. By limiting the number of MACs associated with a port, as well as whitelisting which specific MACs can use it, you reduce an attacker's ability to spoof enough clients to drain the pool.

As a side note, you may also see a question relating to how DHCP works in the first place. An easy way to remember it all is the acronym DORA: Discover, Offer, Request, and Acknowledge. Additionally, packets in DHCPv6 have different names than those of DHCPv4. DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, and DHCPACK are known as Solicit, Advertise, Request (or Confirm/Renew), and Reply, respectively.

A is incorrect because blocking all UDP 67 and 68 traffic would render the entire DHCP system moot because no one could pull an address.

D is incorrect because DHCP filtering is done on the server and not the switch. DHCP filtering involves configuring the allow list of client MAC addresses on the server itself.
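To make the DORA exchange and the two defenses concrete, here is an added example (not from the book and not any vendor's code) that simulates a small lease pool, an attacker spoofing source MACs through one access port, and port security capped at a maximum number of source MACs per port with a shutdown violation mode. The pool size, MAC limit, addresses and MAC prefix are assumptions chosen for the demo; no real DHCP traffic is sent.

```python
"""DHCP starvation against a DORA lease pool, with and without port security.

Added example with constructed values: a 50-address pool, an attacker
spoofing source MACs on one switch port, and a legitimate client on another.
No real DHCP traffic is generated.
"""
import random

POOL_SIZE = 50                        # assumed scope: 192.168.1.10 - 192.168.1.59
LEGIT_MAC = "00:11:22:33:44:55"       # constructed legitimate client


class DhcpServer:
    """Hands out one address per client MAC via Discover/Offer/Request/Ack."""

    def __init__(self, pool_size=POOL_SIZE):
        self.free = [f"192.168.1.{10 + i}" for i in range(pool_size)]
        self.leases = {}                          # client MAC -> leased address

    def discover(self, mac):
        """DHCPDISCOVER in, DHCPOFFER out (None once the pool is drained)."""
        if mac in self.leases:
            return self.leases[mac]
        return self.free[0] if self.free else None

    def request(self, mac, ip):
        """DHCPREQUEST in, DHCPACK (True) or DHCPNAK (False) out."""
        if ip in self.free:
            self.free.remove(ip)
            self.leases[mac] = ip
            return True
        return self.leases.get(mac) == ip


class SwitchPort:
    """Access port. With max_macs set it behaves like port security in
    violation mode shutdown: the port goes err-disabled on the N+1th MAC."""

    def __init__(self, max_macs=None):
        self.max_macs = max_macs
        self.seen = set()
        self.err_disabled = False

    def forward(self, src_mac):
        """True if a frame from src_mac is allowed onto the network."""
        if self.err_disabled:
            return False
        self.seen.add(src_mac)
        if self.max_macs is not None and len(self.seen) > self.max_macs:
            self.err_disabled = True
            return False
        return True


def dora(server, port, mac):
    """Full DORA exchange for one client; returns the leased IP or None."""
    if not port.forward(mac):                 # the DISCOVER has to cross the port
        return None
    offer = server.discover(mac)
    if offer is None:
        return None
    if not port.forward(mac):                 # and so does the REQUEST
        return None
    return offer if server.request(mac, offer) else None


def random_mac(rng):
    """Locally administered MAC (02:xx:...) as a starvation tool would spoof."""
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def starvation_attack(port_security_limit=None, attempts=200, seed=1):
    """Attacker runs DORA `attempts` times with fresh MACs, then a legitimate
    client tries once. Returns (addresses the attacker holds, legit client ok)."""
    rng = random.Random(seed)
    server = DhcpServer()
    attacker_port = SwitchPort(max_macs=port_security_limit)
    client_port = SwitchPort(max_macs=port_security_limit)
    for _ in range(attempts):
        dora(server, attacker_port, random_mac(rng))
    stolen = len(server.leases)
    legit_ip = dora(server, client_port, LEGIT_MAC)
    return stolen, legit_ip is not None


if __name__ == "__main__":
    print("no port security      :", starvation_attack())     # (50, False)
    print("port security, 2 MACs :", starvation_attack(2))    # (2, True)
```

Without a MAC limit the attacker's 200 spoofed clients empty the 50-address pool and the legitimate client's DISCOVER gets no OFFER; with port security allowing two MACs, the third spoofed frame err-disables the attacker's port and the pool survives. DHCP snooping's rate limit would stop the same flood by counting DHCP messages per second on the untrusted port rather than source MACs.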

15. Which of the following tools is the best choice to assist in evading an IDS?

A. Nessus

B. Nikto

C. Libwhisker

D. Snort

C. It's a hallmark of EC-Council certification exams to have a few off-the-wall, tool-specific questions, and this is a great example. Libwhisker (https://sourceforge.net/projects/whisker/) is a full-featured Perl library used for a number of things, including HTTP-related functions, vulnerability scanning, exploitation, and IDS evasion. In fact, some scanners actually use libwhisker for session splicing (and for other request-encoding tricks such as URL encoding, directory self-reference, and fake parameters) in order to scan without being seen.

A is incorrect because Nessus is a vulnerability scanner and, on its own, is not designed to evade IDS detection.

B is incorrect because Nikto, like Nessus, is a vulnerability scanner and, on its own, is not designed to evade IDS detection. (Nikto is built on LibWhisker and its -evasion option leans on the library's encoding tricks, which is why the library itself is the better answer here.)

D is incorrect because Snort is an IDS itself. Snort is also a perfectly acceptable sniffer and packet logger.

16. Examine the Snort output shown here:

Which of the following statements is true regarding the packet capture?

A. The capture indicates a NOP sled attack.

B. The capture shows step 2 of a TCP handshake.

C. The packet source is 213.132.44.56.

D. The packet capture shows an SSH session attempt.

B. You'll probably see at least one or two Snort capture logs on the exam, and most of them are just this easy. If you examine the capture log, it shows a TCP port 23 packet from 190.168.5.12 headed toward 213.132.44.56. The TCP flags are clearly shown in line 5 as ***A**S*, indicating the SYN and ACK flags are set. (Snort prints the flag field in a fixed order, 1 2 U A P R S F, with an asterisk for each flag that is clear, so the positions alone tell you which bits are on.) Because the three-way handshake is SYN, SYN/ACK, and ACK, a SYN/ACK is step 2, and we've solved another one!

A is incorrect because this is a single packet that is not attempting a NOP sled in any shape or form.

C is incorrect because this answer has it in reverse: the source is 190.168.5.12.

D is incorrect because the port number shown in the capture is 23 (Telnet), not 22 (SSH).

17. Your IDS sits on the network perimeter and has been analyzing traffic for a couple of weeks. On arrival one morning, you find the IDS has alerted on a spike in network traffic late the previous evening. Which type of IDS are you using?

A. Stateful

B. Snort

C. Passive

D. Signature based

E. Anomaly based

E. The scenario described here is precisely what an anomaly- or behavior-based system is designed for. The system watches traffic and, over time, develops an idea of what "normal" traffic looks like: sources and destinations, ports in use, and times of higher data flows. In one sense, it's better than a plain signature-based system because it can find things heuristically based on behavior, including attacks that have no signature yet; however, anomaly-based systems are notorious for the number of false positives they spin off, especially early on, and an attacker who is already active during the learning period can get their traffic baked into the baseline.

A is incorrect because stateful refers to a firewall type, not an IDS.

B is incorrect because Snort is a signature-based IDS.

C is incorrect because the term passive isn't associated with IDS. Now, an IDS can react to an alert by taking action to stop or prevent an attack, but that is referred to as an intrusion prevention system (IPS), not active or passive.

D is incorrect because a signature-based IDS isn't going to care about the amount of traffic going by, or what time it occurs. A signature-based IDS simply compares each packet against a list (signature file) you configure it to look at. If nothing matches in the signature file, then no action is taken.

18. You are performing an ACK scan against a target subnet. You previously verified connectivity to several hosts within the subnet but want to verify all live hosts on the subnet. Your scan, however, is not receiving any replies. Which type of firewall is most likely in use at your location?

A. Packet filtering

B. IPS

C. Stateful

D. Active

C. Most people think of a firewall as a simple packet filter, examining packets as they are coming in against an access list: if the port is allowed, let the packet through. However, the stateful inspection firewall has the ability to examine the session details regarding the packet and make a determination on its state. For a common (dare I say, textbook) example, if a stateful firewall receives an ACK packet, it's smart enough to know whether there is an associated SYN packet that originated from inside the network to go along with it. If there isn't, that is, if communications did not start from inside the subnet, it'll drop the packet. That is exactly why an ACK scan (nmap -sA) gets nothing back through a stateful device, whereas through a stateless filter a bare ACK reaches the host, which answers with a RST whether the port is open or closed, and nmap reports the port as unfiltered.

A is incorrect because a packet-filtering firewall wouldn't bother with session state; it would be concerned about what port the packet was headed to. (A stateless ACL can match on the ACK bit, as Cisco's established keyword does, but it keeps no record of the SYN and so still passes a bare ACK aimed at an allowed port.) If, for instance, you host a web page out of that subnet but not an FTP server, your firewall should be set up to allow port 80 in but not port 21.

B is incorrect because an intrusion prevention system (IPS) isn't a firewall at all. It's a network-monitoring solution that has the capability of recognizing malicious traffic and taking action to prevent or stop the attack.

D is incorrect because the term active is not associated with a firewall type. This is included as a distractor.
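The two ideas in questions 16 and 18, reading Snort's flag field to place a packet in the three-way handshake and seeing why a bare ACK dies at a stateful firewall, are shown in this added example (not from the book, not Snort's or nmap's code). The Snort packet text is constructed to mimic Snort's verbose packet dump; the addresses, the firewall classes and the session-table logic are simplifications assumed for the demo.

```python
"""Snort flag fields, the three-way handshake, and why an ACK scan gets no
replies through a stateful firewall.

Added example. SNORT_PACKET is constructed in the style of Snort's verbose
output; it is not a real capture. Snort prints the TCP flag field in a
fixed order (1 2 U A P R S F) with '*' for each bit that is clear.
"""
import re

FLAG_ORDER = "12UAPRSF"
FLAG_NAMES = {"1": "RES1", "2": "RES2", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}

SNORT_PACKET = """\
04/20-10:15:32.123456 10.0.0.5:23 -> 10.0.0.99:40001
TCP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:44
***A**S* Seq: 0x1A2B3C4D  Ack: 0x5E6F7A8C  Win: 0x2000  TcpLen: 24
"""


def parse_snort_flags(field):
    """'***A**S*' -> {'ACK', 'SYN'}; raises on a malformed field."""
    if len(field) != 8:
        raise ValueError("Snort flag field is exactly 8 characters")
    flags = set()
    for ch, expected in zip(field, FLAG_ORDER):
        if ch == "*":
            continue
        if ch != expected:
            raise ValueError(f"{ch!r} cannot appear in the {expected} column")
        flags.add(FLAG_NAMES[ch])
    return flags


def handshake_step(flags):
    """1 = SYN, 2 = SYN/ACK, 3 = bare ACK, None = not a handshake packet."""
    return {frozenset({"SYN"}): 1, frozenset({"SYN", "ACK"}): 2,
            frozenset({"ACK"}): 3}.get(frozenset(flags))


def parse_snort_packet(text):
    """Pull endpoints and flags out of a Snort packet dump."""
    ends = re.search(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)", text)
    flag_line = re.search(r"^(\S{8}) Seq:", text, re.M)
    if not ends or not flag_line:
        raise ValueError("unrecognised Snort packet text")
    return {"src": ends[1], "sport": int(ends[2]), "dst": ends[3],
            "dport": int(ends[4]), "flags": parse_snort_flags(flag_line[1])}


class PacketFilter:
    """Stateless filter: inbound packets are judged by destination port only."""

    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)

    def outbound(self, pkt):
        return True

    def inbound(self, pkt):
        return pkt["dport"] in self.allowed


class StatefulFirewall(PacketFilter):
    """Remembers sessions opened from inside; an inbound packet is accepted
    only if it belongs to one of them or is a fresh SYN to an allowed port."""

    def __init__(self, allowed_ports):
        super().__init__(allowed_ports)
        self.sessions = set()      # (inside ip, inside port, outside ip, outside port)

    def outbound(self, pkt):
        if pkt["flags"] == {"SYN"}:
            self.sessions.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return True

    def inbound(self, pkt):
        if (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.sessions:
            return True
        return pkt["flags"] == {"SYN"} and pkt["dport"] in self.allowed


def ack_scan(firewall, ports=(80, 21)):
    """Probe each port with a bare ACK from outside (what nmap -sA sends).
    True means the probe reached the host, which would answer with a RST."""
    return {p: firewall.inbound({"src": "203.0.113.9", "sport": 50000,
                                 "dst": "192.0.2.10", "dport": p, "flags": {"ACK"}})
            for p in ports}


def reply_to_inside_session(firewall):
    """A SYN/ACK answering a connection the inside host opened."""
    firewall.outbound({"src": "192.0.2.10", "sport": 51515,
                       "dst": "203.0.113.9", "dport": 80, "flags": {"SYN"}})
    return firewall.inbound({"src": "203.0.113.9", "sport": 80,
                             "dst": "192.0.2.10", "dport": 51515,
                             "flags": {"SYN", "ACK"}})


if __name__ == "__main__":
    pkt = parse_snort_packet(SNORT_PACKET)
    print(pkt["flags"], "-> handshake step", handshake_step(pkt["flags"]))
    print("packet filter :", ack_scan(PacketFilter([80])))
    print("stateful      :", ack_scan(StatefulFirewall([80])))
```

Against the packet filter the ACK probe to port 80 gets through (the host replies RST and nmap says "unfiltered") while port 21 does not; against the stateful firewall neither probe is delivered, which is the "no replies at all" symptom in the question. The same state table is what lets the SYN/ACK for a connection the inside host opened come back in, on a high port that no static rule allows.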

19. You are separated from your target subnet by a firewall. The firewall is correctly configured and allows requests only to ports opened by the administrator. In firewalking the device, you find that port 80 is open. Which technique could you employ to send data and commands to or from the target system?

A. Encrypt the data to hide it from the firewall.


B. Use session splicing.

C. Use MAC flooding.

D. Use HTTP tunneling.

D. HTTP tunneling is a successful "hacking" technique. (Microsoft makes use of HTTP tunneling for lots of things, and it has been doing so for years; RPC over HTTP for Outlook is the classic case.) The tactic is fairly simple: because port 80 is almost never filtered by a firewall, you can craft port 80 segments to carry a payload for protocols the firewall may have otherwise blocked. Of course, you'll need something on the other end to pull the payload out of all those port 80 packets the web server is desperately wanting to answer, but that's not altogether difficult.

A is incorrect because encryption won't do a thing for you here. The firewall isn't necessarily looking at content/payload; it's looking at the packet/frame header and port information. Encryption is a good choice to get around an IDS, not a firewall.

B is incorrect because session splicing is a technique for evading an IDS, not a firewall. Again, the firewall is interested in the packet and frame header, not what fragments of code you've hidden in the payload.


C is incorrect because MAC flooding is a technique for sniffing switches. The idea is to fill the CAM table to the brim with thousands of useless MAC addresses. This effectively turns the switch into a hub, because it can no longer look up which port a destination lives on and just begins flooding all traffic to all ports.

20. Which of the following tools can be used to extract application layer data from TCP connections captured in a log file into separate files?

A. Snort

B. Netcat

C. TCPflow

D. Tcpdump

C. TCPflow (https://github.com/simsong/tcpflow/wiki/tcpflow-%E2%80%94-A-tcp-ip-session-reassembler) is "a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored 'tcpdump' packet flows. tcpflow is similar to 'tcpdump', in that both process packets from the wire or from a stored file. But it's different in that it reconstructs the actual data streams and stores each flow in a separate file for later analysis."

A is incorrect because Snort is a great IDS, sniffer, and packet logger, but it isn't so great about separating TCP streams for application layer analysis.

B is incorrect because netcat (the Swiss Army knife of hacking, as it's called) isn't designed for sniffing and packet analysis.

D is incorrect because tcpdump will certainly pull everything for you but does not reconstruct the actual data streams or store each flow in a separate file for later analysis.

21. Examine the Wireshark filter shown here:

ip.src == 192.168.1.1 && tcp.srcport == 80

Which of the following correctly describes the filter?

A. The results will display all traffic from 192.168.1.1 destined for port 80.

B. The results will display all HTTP traffic to 192.168.1.1.

C. The results will display all HTTP traffic from 192.168.1.1.

D. No results will display because of invalid syntax.

C. Wireshark filters will be covered quite a bit on your exam, and, as stated earlier, these are easy questions for you. The preceding syntax designates the source IP and combines it with a source TCP port. This is effectively looking at answers to port 80 requests by 192.168.1.1. Note that this is Wireshark display-filter syntax, applied to packets already captured; a capture filter uses BPF syntax instead (src host 192.168.1.1 and src port 80 would be the equivalent), and the two are not interchangeable. As another important study tip, watch for the period (.) between "ip" and "src" on the exam because they'll drop it or change it to a dash (-) to trick you. And lastly, for real-world application, it's important to note that Wireshark treats certain friendly terms such as HTTP as more or less placeholders for the actual port. This means in Wireshark (at least as far as CEH is concerned), HTTP and 80 are more or less identical. (In real Wireshark the display filter http matches packets the HTTP dissector decoded, which by default means port 80 and a few others, so the equivalence is approximate.) As a budding ethical hacker, you should know by now that even though something is traveling on port 80, it may or may not be HTTP traffic.

A is incorrect because port 80 is defined as the source port, not the destination; 192.168.1.1 is answering a request for an HTML page.

B is incorrect because 192.168.1.1 is defined as the source address, not the destination.

D is incorrect because the syntax is indeed correct.

22. You need to put the NIC into listening mode on your Linux box, capture packets, and write the results to a log file named my.log. How do you accomplish this with tcpdump?

A. tcpdump -i eth0 -w my.log

B. tcpdump -l eth0 -c my.log

C. tcpdump /i eth0 /w my.log

D. tcpdump /l eth0 /c my.log

A. Tcpdump syntax is simple: tcpdump flag(s) interface. The -i flag specifies the interface (in this example, eth0) for tcpdump to listen on, and the -w flag defines where you want your packet log to go. For your own study, be aware that many study references, including EC-Council's official reference books, state that the -i flag "puts the interface into listening mode." It doesn't actually modify the interface at all, so this is a little bit of a misnomer; it just identifies to tcpdump which interface to listen on for traffic. (tcpdump does put that interface into promiscuous mode by default unless you pass -p, but that is a side effect of capturing, not of -i.) Lastly, be aware that the -w flag dumps traffic in binary pcap format, not text, so my.log won't be readable in an editor; read it back later with tcpdump -r my.log or open it in Wireshark. If you want human-readable output, let tcpdump print to the screen and redirect stdout to a file with >, for example tcpdump -i eth0 -n > my.txt (the | character is a pipe to another command, not a redirect to a file).

B is incorrect because the -l flag does not put the interface in listening mode; it actually has to do with line buffering of the output.

C and D are incorrect for the same reason: flags are designated with a dash (-), not a slash (/).
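The two points above, that -w writes binary pcap rather than text and that the Wireshark expression in question 21 is a display filter selecting packets by source address and source port, can be seen end to end in this added example (not from the book, and not tcpdump's or Wireshark's code). It writes a minimal pcap file in memory the way tcpdump -w would, reads it back as tcpdump -r would, and applies a small evaluator for the == / && subset of display-filter syntax. The addresses, ports and payloads are constructed, and IP/TCP checksums are left zero because nothing is transmitted.

```python
"""A tcpdump -w style capture built and read in pure Python, then filtered
with the == / && subset of Wireshark display-filter syntax.

Added example with constructed packets; checksums are zero because nothing
is put on a wire.
"""
import struct
from socket import inet_aton, inet_ntoa

PCAP_MAGIC = 0xA1B2C3D4          # little-endian file, microsecond timestamps
LINKTYPE_ETHERNET = 1
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_tcp_frame(src, sport, dst, dport, flags, payload=b""):
    """Ethernet II + IPv4 + TCP (20-byte headers, no options, no checksums)."""
    eth = bytes(6) + bytes(5) + b"\x01" + b"\x08\x00"        # dst MAC, src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0,
                     64, 6, 0, inet_aton(src), inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags,
                      65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames, t0=1700000000):
    """Serialise frames as tcpdump -w does: a 24-byte global header, then a
    16-byte record header (ts_sec, ts_usec, incl_len, orig_len) per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame
    return out


def decode_frame(frame):
    """Ethernet/IPv4/TCP -> dict keyed by Wireshark field names."""
    if frame[12:14] != b"\x08\x00":
        return None                                   # not IPv4
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    pkt = {"ip.src": inet_ntoa(ip[12:16]), "ip.dst": inet_ntoa(ip[16:20]),
           "ip.proto": ip[9]}
    if ip[9] == 6:
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        pkt.update({"tcp.srcport": sport, "tcp.dstport": dport,
                    "tcp.flags": tcp[13] & 0x3F, "tcp.payload": tcp[data_off:]})
    return pkt


def read_pcap(data):
    """Walk the record headers like tcpdump -r and decode every frame."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, pkts = 24, []
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        pkts.append(decode_frame(data[off:off + incl_len]))
        off += incl_len
    return pkts


def display_filter(expr):
    """Compile 'field == value && field == value' into a predicate."""
    clauses = []
    for term in expr.split("&&"):
        field, value = (s.strip() for s in term.split("=="))
        clauses.append((field, int(value) if value.isdigit() else value))
    return lambda pkt: pkt is not None and all(pkt.get(f) == v for f, v in clauses)


# Constructed conversation: 192.168.1.50 fetches a page from 192.168.1.1,
# then 192.168.1.1 itself opens a connection *to* port 80 on another host.
CAPTURE = write_pcap([
    build_tcp_frame("192.168.1.50", 40001, "192.168.1.1", 80, SYN),
    build_tcp_frame("192.168.1.1", 80, "192.168.1.50", 40001, SYN | ACK),
    build_tcp_frame("192.168.1.50", 40001, "192.168.1.1", 80, ACK | PSH,
                    b"GET / HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"),
    build_tcp_frame("192.168.1.1", 80, "192.168.1.50", 40001, ACK | PSH,
                    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    build_tcp_frame("192.168.1.1", 40002, "192.168.1.60", 80, SYN),
])


def matching_endpoints(expr, pcap_bytes=CAPTURE):
    """(src, sport, dst, dport) of every packet the display filter keeps."""
    keep = display_filter(expr)
    return [(p["ip.src"], p["tcp.srcport"], p["ip.dst"], p["tcp.dstport"])
            for p in read_pcap(pcap_bytes) if keep(p)]


if __name__ == "__main__":
    print("first bytes of the -w file:", CAPTURE[:4].hex())   # d4c3b2a1, not text
    print(matching_endpoints("ip.src == 192.168.1.1 && tcp.srcport == 80"))
```

The filter from question 21 keeps only the two packets 192.168.1.1 sent from port 80 (its SYN/ACK and its response), not the connection it opened toward port 80 (answer A's reading) and not the requests sent to it (answer B's reading). The magic bytes at the front of CAPTURE are what an editor shows as garbage when you open a -w file as text.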

23. Which of the following tools can assist with IDS evasion? (Choose all that apply.)

A. Whisker

B. Fragroute

C. Capsa

D. Wireshark

E. ADMmutate

F. Inundator

A, B, E, F. IDS evasion comes down to a few methods: encryption, flooding, and fragmentation (session splicing). Whisker is an HTTP scanning tool but also has the ability to craft session-splicing fragments. Fragroute intercepts, modifies, and rewrites egress traffic destined for the specified host and can be used to fragment an attack payload over multiple packets. ADMmutate is a polymorphic shellcode engine: it re-encodes the same payload differently each time so that it won't be easily recognizable by signature files. Inundator is a flooding tool that fires off traffic matching thousands of IDS signatures so that your real attack hides in the cover fire.

C and D are incorrect because both Capsa (Colasoft) and Wireshark are sniffers.

24. A security administrator is attempting to "lock down" her network and blocks access from internal to external on all external firewall ports except for TCP 80 and TCP 443. An internal user wants to make use of other protocols to access services on remote systems (FTP, as well as some nonstandard port numbers). Which of the following is the most likely choice the user could attempt to communicate with the remote systems over the protocol of her choice?

A. Use HTTP tunneling.

B. Send all traffic over UDP instead of TCP.

C. Crack the firewall and open the ports required for communication.

D. MAC flood the switch connected to the firewall.


A. If you happen to own CEH Certified Ethical Hacker All-in-One Exam Guide, Fourth Edition, the companion book to this practice exams tome, you're undoubtedly aware by now I harp on protocols not necessarily being tied to a given port number in the real world. Sure, FTP is supposed to be on TCP port 21, SMTP is supposed to ride on 25, and Telnet is supposed to be on 23, but the dirty little truth is they don't have to. An HTTP tunnel is a brilliant example of this. To the firewall and everyone else watching, traffic from your machine is riding harmless little old port 80 (nothing to see here, folks, just plain old regular HTTP traffic). But a peek inside that harmless little tunnel shows you can run anything you want. Typically you connect to an external server over port 80, and it will unwrap and forward your other protocol traffic for you, once you've gotten it past your pesky firewall. (A port-only filter like the one described can't tell the difference; a proxy or next-generation firewall that actually parses the HTTP can, which is why tunnels in practice hide inside TLS on 443 and why defenders inspect it.)

B is incorrect because, well, this is just a ridiculous answer. UDP ports are filtered by a firewall just like TCP ports, so sending only UDP would be useless.

C is incorrect because while it would certainly allow the communication, it wouldn't be for very long. Every sensor on the network would be screaming, and the happy little security admin would lock it back down ASAP. Not to mention, you'd get fired.

D is incorrect because MAC flooding refers to active sniffing on a switch, not bypassing a firewall.
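What questions 19 and 24 describe in prose, an inner protocol wrapped in HTTP on port 80 and unwrapped by a server on the far side, is shown in this added example (not from the book, not any tunneling tool's code). The tunnel host, resource path, header name and FTP replies are constructed, the egress filter is the port-only rule from the question, and nothing is sent over a network.

```python
"""HTTP tunneling: a blocked protocol (FTP) carried as the body of HTTP
requests on port 80, with an unwrapping endpoint on the far side.

Added example. The tunnel host, path, header name and the FTP replies are
constructed; nothing is sent over a network. EGRESS_ALLOWED is the admin's
port-only rule from the question: TCP 80 and 443 out, everything else dropped.
"""
import base64

TUNNEL_HOST = "tunnel.example.net"        # assumed external unwrapping server
TUNNEL_PATH = "/api/v1/sync"              # innocuous-looking resource path
TARGET_HEADER = b"x-tunnel-target"        # tells the server where to forward
EGRESS_ALLOWED = {80, 443}


def wrap_request(inner, dst_host, dst_port):
    """Client side: inner protocol bytes -> HTTP POST that looks like web traffic."""
    body = base64.b64encode(inner)
    head = (f"POST {TUNNEL_PATH} HTTP/1.1\r\n"
            f"Host: {TUNNEL_HOST}\r\n"
            f"X-Tunnel-Target: {dst_host}:{dst_port}\r\n"
            f"Content-Type: application/octet-stream\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def unwrap_request(data):
    """Server side: parse one HTTP request -> ((host, port), inner, leftover).
    Content-Length is honoured, so pipelined requests are not run together."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _version = request_line.split()
    if method != b"POST" or path != TUNNEL_PATH.encode():
        raise ValueError("not a tunnel request")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers[b"content-length"])
    if len(rest) < length:
        raise ValueError("truncated body")
    host, _, port = headers[TARGET_HEADER].rpartition(b":")
    return (host.decode(), int(port)), base64.b64decode(rest[:length]), rest[length:]


def wrap_response(inner):
    """Server side: the real service's reply, dressed up as a 200 OK."""
    body = base64.b64encode(inner)
    return (f"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


def unwrap_response(data):
    """Client side: pull the inner reply back out of the HTTP response."""
    head, _, body = data.partition(b"\r\n\r\n")
    if not head.startswith(b"HTTP/1.1 200"):
        raise ValueError("tunnel server returned an error")
    return base64.b64decode(body)


def fake_ftp(command):
    """Stand-in for the remote FTP service (constructed replies)."""
    replies = {b"USER anonymous": b"331 Please specify the password.",
               b"PASS guest": b"230 Login successful."}
    return replies.get(command.strip(), b"500 Unknown command.") + b"\r\n"


def tunnel_session(ftp_command, outer_port=80):
    """One FTP command out through the port-only filter and its reply back."""
    if outer_port not in EGRESS_ALLOWED:          # all the admin's rule can see
        raise PermissionError(f"egress to TCP {outer_port} is blocked")
    request = wrap_request(ftp_command, "ftp.example.org", 21)
    # --- far side of the tunnel ---
    (host, port), inner, _leftover = unwrap_request(request)
    assert (host, port) == ("ftp.example.org", 21)   # where it would forward
    response = wrap_response(fake_ftp(inner))
    # --- back at the client ---
    return unwrap_response(response)


if __name__ == "__main__":
    print(tunnel_session(b"USER anonymous\r\n"))
    try:
        tunnel_session(b"USER anonymous\r\n", outer_port=21)   # direct FTP attempt
    except PermissionError as err:
        print("direct:", err)
```

The filter's only input is the outer destination port, so the FTP dialogue goes through on 80 and is refused on 21; everything that would distinguish this POST from a real one (the odd header, the base64 body, a request per command) is visible only to something that parses HTTP.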

25. An ethical hacker is assigned to scan a server and wants to avoid IDS detection. She uses a tactic wherein the TCP header is split into many packets, making it difficult to detect what the packets are intended for. Which of the following best describes the technique employed?

A. TCP scanning

B. IP fragment scanning

C. ACK scanning

D. Inverse TCP scanning

B. There are several methods to attempt evasion of an IDS, and an IP fragmentation scan is but one of them. It works by splitting the original TCP header across multiple, smaller IP fragments (nmap's -f option does exactly this, eight bytes of TCP header per fragment). Each of those smaller fragments, on its own, means a whole lot of nothing to an IDS that inspects packets individually, but when reassembled on the destination they form the original probe, which in this case is a port scan. This is not to say it's always going to work (almost nothing is foolproof, and any modern IDS, Snort with its frag3 preprocessor included, reassembles fragments before matching), but I can almost guarantee you'll see this particular evasion technique on your exam somewhere.

A, C, and D are all incorrect for the same reason: the type of scan being used has nothing to do with the evasion method asked about in the question. The evasion method of splitting the headers into fragmented packets can be used regardless of scan type.


CHAPTER 5 Attacking a System

This chapter includes questions from the following topics:

• Describe the CEH Hacking Methodology and System Hacking steps

• Describe methods used to gain access to systems

• Describe methods used to escalate privileges

• Describe methods used to maintain access to systems

• Describe methods of evidence erasure

• Identify rootkit function and types

• Identify basics of Windows and Linux file structure, directories, and commands

I hope nobody reading this will ever find themselves in this situation, but have you ever given any thought at all to what you would do if challenged to a fight? I'm not talking about the free-for-all brawls in elementary and middle school, surrounded by a circle of cheering, but ignorant, children; I'm talking about an actual street confrontation you cannot get out of. In almost every situation, most people are taught to leave the situation and protect themselves, and that's absolutely the right way to go. But every once in a while, good law-abiding folks are put in a situation they can't get out of, and a physical confrontation is inevitable.

Did you know there's a science to hand-to-hand combat? Pugilism (pygmachia in Greek, made into an Olympic sport in 688 BC) is the hand-to-hand combat sport better known as boxing. Despite the circus it has become in modern times, boxing was a well-respected and carefully studied art for thousands of years. It's not just simply putting two guys in a ring and having them beat on each other; it's about crafting a strategy to accentuate strengths and exploit weaknesses. Sound familiar?

And we're not talking about just boxing here; hand-to-hand combat takes on many forms. Professional boxers, for example, might tell you that light punches are faster, require less energy, and leave you less vulnerable. They might also advise you that deception and speed in combat are much more valuable than strength and the "knockout punch." Self-defense experts might point out areas of the human anatomy that disable an attacker, providing you a means of escape. They might also point out things like the value of a knife versus a gun in defense situations and that one cleverly executed strike, set up and thrown with quickness (sometimes not even with power), may be all it takes to frustrate and confuse an attacker. The science of carrying out a physical attack on an individual, and protecting yourself against such an attack, is founded on the principles of distance, leverage, and timing. It's fascinating, even if you don't ever plan on being in a situation requiring the knowledge.

You may be sitting there having no idea what kind of virtual damage you can do with the knowledge you've gained so far. Who knows if, put in the right situation, you'd knock out virtual targets with ease? I can see you now, looking down at your keyboard in awe and answering the "How did you do that?" question with, "I don't know; the training just kicked in." Granted, we still have a lot of training to do, and I doubt you'll be punching any virtual targets outside an agreed-upon scope (after all, you are an ethical hacker, right?). However, this chapter will help hone your skills. Here, we'll talk all about system attacks and putting to use some of the training and knowledge you already have in place.

STUDY TIPS System attacks come in many forms, but EC-Council really likes the password attacks. Know your password rules, attacks, and tools well. You will definitely see loads of questions about passwords: the use, storage, and hashing of passwords, as well as attacks against them, will be covered ad nauseam on your exam. Pull some of these tools down and play with them because you'll need to know what they look like, how they operate, and what capabilities they have.

Next, when it comes to this chapter, you really need to get to know Linux better. Questions regarding Linux will most likely revolve around kernel modules, file structures, storage locations, and the command-line interface. Again, the easiest way to learn all this is to download a Linux distro and run it in a VM on your machine. Take advantage of the thousands of Linux how-to videos and articles you can find on the Internet: it's one thing to read it in a book, but you'll learn far more if you actually perform it yourself.


QUESTIONS

1. You are examining test logs from the day's pen test activities and note the following entries on a Windows 10 machine:

Which of the following statements is true regarding the code listing?

A. The team member added a user account.

B. The team member switched his login to that of a different user.

C. The team member changed the password of a user.

D. The team member renamed a user account.

2. Amanda works as a security administrator for a large organization. She discovers some remote tools installed on a server and has no record of a change request asking for them. After some investigation, she discovers an unknown IP address connection that was able to access the network through a high-level port that was not closed. The IP address is first traced to a proxy server in Mexico. Further investigation shows the connection bounced between several proxy servers in many locations. Which of the following is the most likely proxy tool used by the attacker to cover his tracks?

A. ISA proxy

B. IAS proxy

C. TOR proxy

D. Netcat

3. The following HOSTS file was pulled during an incident response:


Which of the following statements best describes the HOSTS file?

A. A user on the machine attempting to go to check their bank account at mybank.com will be directed to a Chinese IP address instead.

B. A user on the machine attempting to go to google.com will receive an HTTP return code of 400.

C. A user on the machine attempting to go to gmail.com will redirect to the local host.

D. Any DNS resolution to IP 220.181.0.16 will be redirected to one of the five sites listed in round-robin fashion.

4. Which of the following opens the Computer Management MMC in a Windows command line?

A. compmgmt.mmc

B. compmgmt.msc

C. compmgmt.exe

D. computermgmt.exe

5. Which of the following will extract an executable file from NTFS streaming?

A. c:\> cat file1.txt:hidden.exe > visible.exe


B. c:\> more file1.txt | hidden.exe > visible.exe

C. c:\> type notepad.exe > file1.txt:hidden.exe

D. c:\> list file1.txt$hidden.exe > visible.exe

6. Which command is used on a Linux machine to allow all privileges to the user, read-only to the group, and read-only for all others to a particular file?

A. chmod 411 file1

B. chmod 114 file1

C. chmod 117 file1

D. chmod 711 file1

E. chmod 744 file1

7. Examine the following passwd file:

Which of the following statements are true regarding this passwd file? (Choose all that apply.)

A. None of the user accounts has passwords assigned.

B. The system makes use of the shadow file.

C. The root account password is root.

D. The root account has a shadowed password.


E. Files created by Alecia will initially be viewable by Jason.

8. You are attempting to hack a Windows machine and want to gain a copy of the SAM file. Where can you find it? (Choose all that apply.)

A. /etc/passwd

B. /etc/shadow

C. c:\windows\system32\config

D. c:\winnt\config

E. c:\windows\repair

9. Which of the following statements are true concerning Kerberos? (Choose all that apply.)

A. Kerberos uses symmetric encryption.

B. Kerberos uses asymmetric encryption.

C. Clients ask for authentication tickets from the KDC in clear text.

D. KDC responses to clients never include a password.

E. Clients decrypt a TGT from the server.

10. What is the difference between a dictionary attack and a hybrid attack?

A. Dictionary attacks are based solely on word lists, whereas hybrid attacks make use of both word lists and rainbow tables.


B. Dictionary attacks are based solely on whole word lists, whereas hybrid attacks can use a variety of letters, numbers, and special characters.

C. Dictionary attacks use predefined word lists, whereas hybrid attacks substitute numbers and symbols within those words.

D. Hybrid and dictionary attacks are the same.

11. Which of the following contains a listing of port numbers for well-known services defined by IANA?

A. %windir%\etc\lists

B. %windir%\system32\drivers\etc\lmhosts

C. %windir%\system32\drivers\etc\services

D. %windir%\system32\drivers\etc\hosts

12. Which of the following SIDs indicates the true administrator account?

A. S-1-5-21-1388762127-2960977290-773940301-1100

B. S-1-5-21-1388762127-2960977290-773940301-1101

C. S-1-5-21-1388762127-2960977290-773940301-500

D. S-1-5-21-1388762127-2960977290-773940301-501

13. In which step of EC-Council's system hacking methodology would you find steganography?

A. Cracking passwords

B. Escalating privileges

C. Executing applications

D. Hiding files

E. Covering tracks

14. A review of the command history on a Linux box shows the following command entered:

Which of the following is the best description of what the attacker is attempting to accomplish?

A. Add a user to the system.

B. Elevate current login privileges.

C. Change passwords for users.

D. Display password file contents.

15. You are examining LM password hashes and see the following:

3A02DF5289CF6EEFAAD3B435B51404EE

Which of the following passwords is most likely to have created the hash?

A. 123456789


B. CEHISHARD

C. c3HisH@RD!

D. CEHhard

16. You are examining history logs on a Linux machine and note the attacker added an ampersand (&) after a few process commands. Which of the following is true regarding this?

A. The & symbol has no effect on the process command.

B. The & symbol runs the process as a background task and closes it when the user logs off.

C. The & symbol ensures the process continues to run after the user logs off.

D. The & symbol concatenates the process to subsequent commands.

17. Which of the following are considered offline password attacks? (Choose all that apply.)

A. Using a hardware keylogger

B. Brute-force cracking with Cain and Abel on a stolen SAM file

C. Using John the Ripper on a stolen passwd file

D. Shoulder surfing

18. If a rootkit is discovered on the system, which of the following is the best alternative for recovery?

A. Replacing all data files from a good backup

B. Installing Tripwire

C. Reloading the entire system from known-good media

D. Deleting all data files and rebooting

19. Examine the following portion of a log file, captured during a hacking attempt:

What was the attacker attempting to do?

A. Copy files for later examination

B. Cover his tracks

C. Change the shell to lock out other users

D. Upload a rootkit

20. You suspect a hack has occurred against your Linux machine. Which command will display all running processes for you to review?

A. ls -d

B. ls -l

C. su

D. ps -ef

E. ifconfig


21. An organization wants to control network traffic and perform stateful inspection of traffic going into and out of its DMZ. Which built-in functionality of Linux can achieve this?

A. iptables

B. ipchains

C. ipsniffer

D. ipfirewall

22. Which of the following best describes Cygwin?

A. Cygwin is a Unix subsystem running on top of Windows.

B. Cygwin is a Windows subsystem running on top of Unix.

C. Cygwin is a C++ compiler.

D. Cygwin is a password-cracking tool.

23. Which folder in Linux holds administrative commands and daemons?

A. /sbin

B. /bin

C. /dev

D. /mnt

E. /usr

24. Which of the following is the appropriate means to pivot within a Metasploit attack session?


A. Use the pivot exploit outside meterpreter.

B. Reconfigure network settings in meterpreter.

C. Set the payload to propagate.

D. Create a route statement in the meterpreter.

25. You are examining files on a Windows machine and note one file's attributes include "h." What does this indicate?

A. The file is flagged for backup.

B. The file is part of the help function.

C. The file is fragmented because of size.

D. The file has been quarantined by an antivirus program.

E. The file is hidden.

26. An attacker has gained access to an internal system. Using Metasploit, he accesses and attacks other internal systems. Which of the following terms best describes the action taken?

A. Attack splitting

B. Pivoting

C. Attack swinging

D. Hinging

27. Which of the following tools can assist in discovering the use of NTFS file streams? (Choose all that apply.)


A. LADS

B. ADS Spy

C. Sfind

D. Snow

28. Which authentication method uses DES for encryption and forces 14-character passwords for hash storage?

A. NTLMv1

B. NTLMv2

C. LAN Manager

D. Kerberos


QUICK ANSWER KEY

1. C

2. C

3. A

4. B

5. A

6. E

7. B, D, E

8. C, E

9. A, B, C, D, E

10. C

11. C

12. C

13. D

14. D

15. D

16. B

17. A, B, C

18. C

19. B


20. D

21. A

22. A

23. A

24. D

25. E

26. B

27. A, B, C

28. C


ANSWERS

1. You are examining test logs from the day's pen test activities and note the following entries on a Windows 10 machine:

Which of the following statements is true regarding the code listing?

A. The team member added a user account.

B. The team member switched his login to that of a different user.

C. The team member changed the password of a user.

D. The team member renamed a user account.

C. The net commands in Windows will definitely make an appearance on your exam, and because it's impossible to tell which syntax or command structure they'll throw at you, you should learn them all. In this example, the net user command lists all users on the machine. Next, the team member used the net user USERNAME PASSWORD command, where USERNAME is the user to update and PASSWORD is the password to set for that user. In this example, the user USER1 had his password changed to user2. Other net user options include /ADD, /DELETE, /TIMES, and /ACTIVE. Net commands run in the security context you are logged on as, so ensure you're actually an administrator on the machine before attempting many of them (and on Windows 10 the shell must also be elevated, or most of them fail with "System error 5 has occurred. Access is denied.").

Net commands have many other uses. For example, net view displays systems in the workgroup, net use lets you create, connect to, and display information on shared resources, net share lists the shares offered by the local machine (and creates or removes them), and net start lists running services or starts one.

A is incorrect because this does not match the syntax provided. If the team member wanted to add a user, he'd first ensure he had administrative privileges and would then use net user USERNAME PASSWORD /ADD (where USERNAME is the name of the user to be created).

B is incorrect because this command or syntax would not accomplish this action.

D is incorrect because this command or syntaxwould not accomplish this action.

2. Amanda works as a security administrator for a large organization. She discovers some remote tools installed on a server and has no record of a change request asking for them. After some investigation, she discovers an unknown IP address connection that was able to access the network through a high-level port that was not closed. The IP address is first traced to a proxy server in Mexico. Further investigation shows the connection bounced between several proxy servers in many locations. Which of the following is the most likely proxy tool used by the attacker to cover his tracks?

A. ISA proxy

B. IAS proxy

C. TOR proxy

D. Netcat

C. I've mentioned it before, and I'll mention it again here: sometimes the CEH exam and real life just don't match up. Yes, this question may be, admittedly, a little on the "hokey" side, but it's valid insofar as EC-Council is concerned. The point here is that Tor (The Onion Router; https://www.torproject.org/) provides a quick, easy, and really groovy way to hide your true identity when performing almost anything online. According to the site, "Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location." (For the real-world folks out there, just know that without law enforcement and some serious network visibility, you'd probably be successful in tracking to the first hop, but that'd be it.) Tor is, by nature, dynamic, and a hacker can simply use a different path for each attack. Just remember the question is really about identifying Tor as a means of covering tracks and not necessarily a treatise on how it really works. Were this a discussion based in reality, we'd be more interested in how Amanda would determine the connection was bouncing around proxies in the first place: more realistically, she might detect several similar connections leveraging the same access that were coming from several different countries, and her first check would be whether those source addresses appear in the Tor Project's published list of exit nodes.

A is incorrect because an Internet Security and Acceleration (ISA) server isn't designed to bounce between multiple proxies to obscure the original source. Per Microsoft, ISA "is the successor to Microsoft's Proxy Server 2.0 ... and provides the two basic services of an enterprise firewall and a Web proxy/cache server. ISA Server's firewall screens all packet-level, circuit-level, and application-level traffic. The Web cache stores and serves all regularly accessed Web content in order to reduce network traffic and provide faster access to frequently-accessed Web pages. ISA Server also schedules downloads of Web page updates for non-peak times."

B is incorrect because Internet Authentication Service (IAS) is a component of servers that allows you to provide a Remote Authentication Dial-In User Service (RADIUS) connection to clients. It's not designed as an obfuscating proxy; its purpose is in authentication.

D is incorrect because while you can set up a single proxy using Netcat, and it may even be possible to chain several together, it's simply not designed to work that way (and that's what this question was all about to begin with). You can set up a listening port with it, but it's not designed to act as a proxy, and setting one up as a chain of proxies would be insanely complicated and unnecessary with the myriad other options available.

3. The following HOSTS file was pulled during an incident response:

Which of the following statements best describes the HOSTS file?

A. A user on the machine attempting to go to check their bank account at mybank.com will be directed to a Chinese IP address instead.

B. A user on the machine attempting to go to google.com will receive an HTTP return code of 400.

C. A user on the machine attempting to go to gmail.com will redirect to the local host.

D. Any DNS resolution to IP 220.181.0.16 will be redirected to one of the five sites listed in round-robin fashion.

A. The HOSTS file is a thing of beauty or an instrument of horror and terror, depending on how you look at it. Before any Windows system even bothers to check DNS for an IP matching a name request, it checks the HOSTS file first (on Windows it lives at %SystemRoot%\System32\drivers\etc\hosts; on Linux it is /etc/hosts, with the lookup order set in /etc/nsswitch.conf). For example, when the user types www.mybank.com in their browser and presses ENTER, Windows checks the hosts file to see if there is an entry for www.mybank.com. If there is one, that's where the user will go. If there's not, Windows will ask DNS for an IP to use. Note that hosts entries are exact-name matches, not wildcards, so an attacker who wants to catch both www.mybank.com and mybank.com has to list both. Therefore, if you edit your own HOSTS file, you can save yourself from lots of ad stream sites (just redirect them to localhost) and ensure your kids don't accidentally go somewhere they're not supposed to. If you get a hold of your target's HOSTS file, you can send them anywhere you want.

In this example, it appears someone has gotten a hold of this particular machine's HOSTS file and has edited it to send some common URL requests to a Chinese IP. Maybe they've set up fake versions of these sites in order to grab credentials. Or maybe they just want to DoS the user. In any case, any attempt to go to mybank.com, google.com, gmail.com, amazon.com, or facebook.com will immediately get redirected to the Chinese IP listed. Short of repairing the file, the only way the user could avoid this is to use IP addresses instead of named URLs. (One saving grace: for an HTTPS site the attacker's server cannot present a valid certificate for the real name, so the browser will at least throw a certificate warning, unless the attacker also installed a rogue root CA on the box.)

B is incorrect because it is impossible to tell if the 400 return code (which means the server cannot or will not process the request due to an apparent client error, such as malformed request syntax, invalid request message framing, or deceptive request routing) would appear. If the request is valid (it should be) and the server is capable of registering the request as valid (again, that depends on what the bad guy set up on that particular IP), then code 400 will not be returned.

C and D are incorrect because neither matches the action taken in a HOSTS file entry.
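As an added example (mine, not from the book), the following Python checks a hosts file the way you would during an incident response like this one: parse it, ignore comments, and flag any watched domain that points somewhere other than loopback. The sample file, the watched-domain list, and the 220.181.0.16 address reuse the question's scenario but are constructed here, not copied from the listing, which is not reproduced on this page.

```python
import ipaddress
import re

# Constructed sample in the format of a Windows/Linux hosts file. It is NOT
# the file from the question, which is not reproduced on this page.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
220.181.0.16    www.mybank.com mybank.com
220.181.0.16    www.google.com google.com
220.181.0.16    gmail.com
127.0.0.1       ads.example.net      # ad blocking, benign
"""

# Domains whose presence in a hosts file is suspicious unless they resolve
# to loopback (ad or parental blocking). Assumed list; extend it with your
# own banks, SSO portals and update servers.
WATCHED = {"mybank.com", "google.com", "gmail.com", "amazon.com", "facebook.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, honouring '#' comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: first token is not an address
        for name in parts[1:]:
            yield ip, name.lower()


def base_domain(name):
    """Strip a leading 'www.' so www.mybank.com is judged as mybank.com."""
    return name[4:] if name.startswith("www.") else name


def suspicious_entries(text, watched=WATCHED):
    """Return (hostname, ip) for watched names mapped to a non-loopback address."""
    hits = []
    for ip, name in parse_hosts(text):
        if base_domain(name) in watched and not ip.is_loopback:
            hits.append((name, str(ip)))
    return hits


if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"REDIRECTED: {name} -> {ip}")
```

Run it against the real file (Windows: %SystemRoot%\System32\drivers\etc\hosts; Linux: /etc/hosts) by reading that path into the function instead of SAMPLE_HOSTS. Loopback entries are deliberately left alone, since they are the normal blocking use of the file.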

4. Which of the following opens the Computer Management MMC in a Windows command line?

A. compmgmt.mmc

B. compmgmt.msc

C. compmgmt.exe

D. computermgmt.exe

B. Admittedly this one is an easy pick, assuming, of course, you've studied and know your MMCs in Windows. You have studied them, right? Because if you had, you'd know that the Microsoft Management Consoles can be used for a variety of tasks. Some of these MMCs include Computer Management, Device Management, Event Viewer, Group Policy Editor, and Active Directory Users and Computers. While you can create your own custom MMC by typing mmc in the command line and then using Add/Remove Snap-in from the File menu, you can also just open the individual consoles themselves by using their "msc" command-line option. For example, Computer Management can be a snap-in for a custom MMC, or you can open it by itself using the compmgmt.msc command. Others you may want to know for future reference include AD Users and Computers (dsa.msc), Device Manager (devmgmt.msc), Event Viewer (eventvwr.msc), Local Group Policy Editor (gpedit.msc), Local Security Settings Manager (secpol.msc), Services (services.msc), and Local Users and Groups (lusrmgr.msc).

A, C, and D are all incorrect because they do not match the syntax for opening Computer Management.

5. Which of the following will extract an executable file from NTFS streaming?

A. c:\> cat file1.txt:hidden.exe > visible.exe

B. c:\> more file1.txt | hidden.exe > visible.exe

C. c:\> type notepad.exe > file1.txt:hidden.exe

D. c:\> list file1.txt$hidden.exe > visible.exe

A. This is the correct syntax. The cat command will extract the executable directly into the folder you execute the command from. NTFS file streaming allows you to hide virtually any file behind any other file, rendering it invisible to directory searches. The file can be a text file, to remind you of steps to take when you return to the target, or even an executable file you can run at your leisure later. Alternate data streams (ADS), which is what "NTFS file streaming" refers to, are a feature of the Windows-native NTFS file system added to ensure compatibility with Apple's HFS file system and its resource forks. Be careful on the exam: you will see ADS and NTFS file streaming used interchangeably. As an aside, the cat command isn't available in the cmd.exe shell on Windows 7 and Windows 10 (you'll need Cygwin or a similar environment to use it there). PowerShell does alias cat to Get-Content, but to reach a stream you use the -Stream parameter: Get-Content file1.txt -Stream hidden.exe. Another cmd option is c:\> more < file1.txt:hidden.exe > output.txt, which reads the hidden stream and writes it to output.txt without cat. To find streams in the first place, dir /r lists them in cmd, and Get-Item file1.txt -Stream * does the same in PowerShell; the LADS and Sfind tools asked about elsewhere in this chapter do the same job across a whole volume.

B is incorrect because this is not the correct syntax. There is no pipe (|) function in extracting a file, and the more command is used to display the contents of a text file, not extract an executable from ADS.

C is incorrect because it does the opposite of what's asked: redirecting type notepad.exe into file1.txt:hidden.exe writes the executable into a stream attached to file1.txt, hiding it rather than extracting it.

D is incorrect because the syntax is not correct by any stretch of the imagination. This is included as a distractor.

6. Which command is used on a Linux machine to allow all privileges to the user, read-only to the group, and read-only for all others to a particular file?

A. chmod 411 file1

B. chmod 114 file1

C. chmod 117 file1

D. chmod 711 file1

E. chmod 744 file1

E. You're going to need to know some basic Linux commands to survive this exam, and one command I can guarantee you'll see a question on is chmod. File permissions in Linux are assigned via the use of the binary equivalent for each rwx group: read is equivalent to 4, write to 2, and execute to 1. To accumulate permissions, you add the numbers: 4 is read-only, 6 is read and write, and adding execute to the bunch results in 7. The three digits are, in order, owner, group, and others, so 744 is rwx for the owner and r-- for everyone else (ls -l shows it as -rwxr--r--). As an aside, if you think in binary, the numbers are just as easy to define: 111 equates to 7 in decimal, and each bit turned on gives read, write, and execute. Setting the bits to 101 turns on read, turns off write, and turns on execute; its decimal equivalent is 5.

A, B, C, and D are all incorrect syntax for what we're trying to accomplish here: 411 equates to read-only, execute, and execute (with 114 being the reverse of that), and 117 equates to execute, execute, full permissions, with 711 being the reverse.

7. Examine the following passwd file:

Which of the following statements are true regarding this passwd file? (Choose all that apply.)

A. None of the user accounts has passwords assigned.

B. The system makes use of the shadow file.

C. The root account password is root.

D. The root account has a shadowed password.

E. Files created by Alecia will initially be viewable by Jason.

B, D, E. If there are not two to four questions on your exam regarding the Linux passwd file, I'll eat my hat. Every exam and practice exam I've ever taken references this file, a lot, and it's included here to ensure you pay attention. Fields in the passwd file, from left to right, are as follows:

• User Name This is what the user types in as the login name. Each user name must be unique.

• Password If a shadow file is being used, an x will be displayed here. If not, you'll see the password hash itself sitting in this world-readable file, which is exactly why shadow files exist. As an aside, setting this to an asterisk (*) is a method to deactivate an account, and an empty field means no password is required at all.

• UID The user identifier is used by the operating system for internal purposes. It is typically incremented by 1 for each new user added. UID 0 is root, and any other account with UID 0 is root under another name, so a second UID 0 entry is a classic backdoor to look for.

• GID The group identifier identifies the primary group of the user. All files that are created by this user will normally be accessible to this group, unless the user's umask or a later chmod command prevents it (which is the reason for the "initial" portion of the question).

• Gecos This is a descriptive field for the user, generally containing contact information separated by commas.

• Home Directory This is the location of the user's home directory.

• Startup Program This is the program that is started every time the user logs in. It's usually a shell for the user to interact with the system.

A is incorrect because the x indicates a shadowed password, not the absence of one.

C is incorrect because the x indicates that root does indeed have a password, but it is shadowed. Could it actually be root? Sure, but there's no way to tell that from this listing.
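Here is an added Python example (not from the book) that parses a passwd-format listing into the fields above and applies the checks a responder runs on it: which accounts still have a hash sitting in passwd instead of x, which accounts other than root carry UID 0, and which users share a primary GID (the point behind answer E). The sample entries are constructed; the question's actual listing is not reproduced on this page.

```python
from collections import defaultdict

# Constructed passwd excerpt (not the listing from the question).
# Field order: name:password:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jason:x:1000:1000:Jason,,,:/home/jason:/bin/bash
alecia:x:1001:1000:Alecia,,,:/home/alecia:/bin/bash
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:maintenance:/root:/bin/bash
legacy:$1$salt$5Kp7W3uYd6e2W2Q7kRwA00:1002:1002::/home/legacy:/bin/sh
"""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Parse passwd-format lines into dicts; skip comments and malformed lines."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue
        user = dict(zip(FIELDS, parts))
        user["uid"] = int(user["uid"])
        user["gid"] = int(user["gid"])
        users.append(user)
    return users


def audit_passwd(users):
    """Apply the checks an incident responder runs on a pulled passwd file."""
    findings = {"not_shadowed": [], "uid0": [], "shared_gid": {}}
    by_gid = defaultdict(list)
    for u in users:
        # 'x' means the hash lives in /etc/shadow; '*' and '!' lock the
        # account; anything else is a hash (or nothing) in world-readable passwd.
        if u["password"] not in ("x", "*", "!"):
            findings["not_shadowed"].append(u["name"])
        # Any non-root account with UID 0 is root by another name.
        if u["uid"] == 0 and u["name"] != "root":
            findings["uid0"].append(u["name"])
        by_gid[u["gid"]].append(u["name"])
    # Users sharing a primary GID see each other's group-readable files.
    findings["shared_gid"] = {g: n for g, n in by_gid.items() if len(n) > 1}
    return findings


if __name__ == "__main__":
    for key, value in audit_passwd(parse_passwd(SAMPLE_PASSWD)).items():
        print(f"{key}: {value}")
```

Point it at a real /etc/passwd by reading the file into parse_passwd; the "legacy" and "toor" entries in the sample are there only to show what each check fires on.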

8. You are attempting to hack a Windows machine and want to gain a copy of the SAM file. Where can you find it? (Choose all that apply.)

A. /etc/passwd

B. /etc/shadow

C. c:\windows\system32\config

D. c:\winnt\config

E. c:\windows\repair

C, E. Per Microsoft's definition, the Security Account Manager (SAM) is a database that stores user accounts and security descriptors for users on the local computer. The SAM file can be found in c:\windows\system32\config. If you're having problems getting there, try pulling a copy from the setup backup in c:\windows\repair (a location from the NT, 2000, and XP era). In practice the SAM hive is locked while Windows is running, so you'll copy it with reg save HKLM\SAM sam.hiv (and HKLM\SYSTEM as well, because the boot key stored there is needed to decrypt the hashes), from a Volume Shadow Copy, or offline by booting other media. Each of those requires administrator rights.

A and B are both incorrect because /etc is a dead giveaway this is a Linux folder (note the forward slash instead of the Windows backward slash). The /etc folder contains all the administration files and passwords on a Linux system. Both the passwd and shadow files are found here.

D is incorrect because this is not the correct location of the SAM. It's included as a distractor.

9. Which of the following statements are true concerning Kerberos? (Choose all that apply.)

A. Kerberos uses symmetric encryption.

B. Kerberos uses asymmetric encryption.

C. Clients ask for authentication tickets from the KDC in clear text.

D. KDC responses to clients never include a password.

E. Clients decrypt a TGT from the server.

A, B, C, D, E. All answers are correct as far as the exam is concerned. Kerberos is built on symmetric encryption: every principal shares a long-term secret key with the key distribution center (KDC), and a user's key is derived from their password. Asymmetric cryptography enters only through the PKINIT extension (RFC 4556), which lets a client authenticate to the KDC with a certificate and private key instead of a password; that is the basis for answer B. The moving parts are the KDC, which hosts the authentication service (AS) and the ticket granting service (TGS), and the ticket granting ticket (TGT). A basic exchange starts with the client's AS-REQ to the KDC asking for a TGT. The request itself is in clear text; modern KDCs require pre-authentication data in it, normally a timestamp encrypted under the client's key, because without it anyone could request a reply for any user and crack it offline (the AS-REP roasting attack). The KDC answers (AS-REP) with a session key encrypted under the client's long-term key plus the TGT, which is encrypted under the KDC's own krbtgt key so only the KDC can read it. Passwords are never sent, only keys derived from them. The client decrypts its part of the reply, proving it knows the password (this is what the exam calls "decrypting the TGT"), and then presents the TGT together with an authenticator encrypted under the session key in a TGS-REQ. The TGS responds with a service ticket (TGS-REP), the client hands that to the target service in an AP-REQ, and the logon to the resource completes.

10. What is the difference between a dictionary attack and a hybrid attack?

A. Dictionary attacks are based solely on word lists, whereas hybrid attacks make use of both word lists and rainbow tables.

B. Dictionary attacks are based solely on whole word lists, whereas hybrid attacks can use a variety of letters, numbers, and special characters.

C. Dictionary attacks use predefined word lists, whereas hybrid attacks substitute numbers and symbols within those words.

D. Hybrid and dictionary attacks are the same.

C. A hybrid attack is a variant on a dictionary attack. In this effort, you still have a word list; however, the cracker is smart enough to replace letters and characters within those words. For example, both attacks might use a list containing the word Password. To have multiple variants on it, the dictionary attack would need to have each variant added to the list individually (P@ssword, Pa$$word, and so on). A hybrid attack would require the word list only to include Password because it would swap out characters and letters to find different versions of the same word. John the Ripper and hashcat call these transformations "rules," and a rule file is what turns a short word list into millions of candidates.

A is incorrect because hybrid attacks don't use rainbow tables.

B is incorrect because dictionary attacks can use variants of a whole word; they just need to be listed separately in the list.

D is incorrect because hybrid and dictionary attacks are most definitely different.
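As an added example that is not from the book, here is the hybrid logic in Python: one dictionary word is expanded into case, leet-substitution and suffix variants (the case and suffix rules go a little beyond the question's "substitute numbers and symbols," but that is how real rule sets work), and each variant is hashed and compared with a target. The substitution table, suffix list, three-word list and the SHA-256 target (of P@ssw0rd123) are all constructed for the demonstration; real crackers work on LM, NT or bcrypt hashes with far richer rules, but the principle is the same.

```python
import hashlib
import itertools

# Assumed leet-style substitutions; real rule files are far richer.
SUBS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
# Assumed suffixes people bolt onto dictionary words.
SUFFIXES = ["", "1", "123", "!", "2024"]


def substitutions(word):
    """Yield every combination of applying or not applying each substitution."""
    positions = [i for i, c in enumerate(word.lower()) if c in SUBS]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for flip, pos in zip(mask, positions):
            if flip:
                chars[pos] = SUBS[word[pos].lower()]
        yield "".join(chars)


def hybrid_candidates(word):
    """Dictionary word -> case variants x substitutions x suffixes, deduplicated."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        for sub in substitutions(base):
            for suf in SUFFIXES:
                cand = sub + suf
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack(target_hex, wordlist, hybrid=True):
    """Return the plaintext whose SHA-256 matches target_hex, or None.

    hybrid=False is the plain dictionary attack: only the list words themselves.
    """
    for word in wordlist:
        cands = hybrid_candidates(word) if hybrid else [word]
        for cand in cands:
            if hashlib.sha256(cand.encode()).hexdigest() == target_hex:
                return cand
    return None


# Constructed word list and target: SHA-256 of a leet-speak variant of "password".
WORDLIST = ["letmein", "password", "welcome"]
TARGET = hashlib.sha256(b"P@ssw0rd123").hexdigest()

if __name__ == "__main__":
    print("dictionary:", crack(TARGET, WORDLIST, hybrid=False))
    print("hybrid    :", crack(TARGET, WORDLIST))
```

The dictionary pass fails because P@ssw0rd123 is not literally in the list; the hybrid pass recovers it from the single word "password." Substituting a real hash function (for example the NT hash, MD4 over the UTF-16LE password) for SHA-256 changes nothing else.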

11. Which of the following contains a listing of port numbers for well-known services defined by IANA?

A. %windir%\etc\lists

B. %windir%\system32\drivers\etc\lmhosts

C. %windir%\system32\drivers\etc\services

D. %windir%\system32\drivers\etc\hosts

C. I've sat back many times in writing these books struggling to determine why certain specific but not very useful things seem to be so near and dear to the exam question writers, but I can't find any particular rhyme or reason. Sometimes you just have to memorize and move on, and this example is no exception. If you happen to be out on your real job and completely forget every well-known port number, you'd probably just look up the list on an Internet search (the authoritative source is IANA's Service Name and Transport Protocol Port Number Registry). If you're bored or really nerdy, though, you can pull up a list of them by visiting the services file. It's sitting right there beside the hosts and lmhosts files, and Linux keeps its copy at /etc/services, which is what netstat and getent services consult to turn a port number into a name.

A, B, and D are incorrect because these locations do not hold the services file.


12. Which of the following SIDs indicates the true administrator account?

A. S-1-5-21-1388762127-2960977290-773940301-1100

B. S-1-5-21-1388762127-2960977290-773940301-1101

C. S-1-5-21-1388762127-2960977290-773940301-500

D. S-1-5-21-1388762127-2960977290-773940301-501

C. The security identifier (SID) in Windows is used to identify a "security principal." It's unique to each account, group, and service and is good for the life of the principal. Everything else associated with the account is simply a property of the SID, allowing accounts to be renamed without affecting their security attributes. The trailing number is the relative identifier (RID), and in a Windows system the true administrator account always has an RID of 500, whatever it has been renamed to. That is exactly how you spot a renamed built-in administrator: wmic useraccount get name,sid (or Get-LocalUser | Select-Object Name,SID in PowerShell) shows which name currently carries RID 500.

A and B are incorrect because neither 1100 nor 1101 is the RID associated with the administrator account. RIDs of 1000 and above are handed out to accounts and groups created after installation.


D is incorrect because 501 is the RID for theguest account.

13. In which step of EC-Council's system hacking methodology would you find steganography?

A. Cracking passwords

B. Escalating privileges

C. Executing applications

D. Hiding files

E. Covering tracks

D. Yes, sometimes you get a question that's relatively easy, and this is a prime example. Hiding files is exactly what it sounds like: finding a way to hide files on the system. There are innumerable ways to accomplish this, but steganography is one method you'll most likely see referenced on the exam. Steganography hides things such as passwords, files, malicious code (let's just say anything that can be put into a binary format) inside images, video, and such. The other file-hiding technique you'll most likely see referenced on the exam is NTFS file streaming.

A, B, C, and E are incorrect because you do not hide files in these steps. Cracking passwords is self-explanatory. Escalating privileges refers to the means taken to elevate access to administrator level. Executing applications is exactly what it sounds like, and you'll probably see remote execution tools referenced (and, for some bizarre reason, keyloggers and spyware). Covering tracks deals with proxies, log files, and such.

14. A review of the command history on a Linux box shows the following command entered:

Which of the following is the best description of what the attacker is attempting to accomplish?

A. Add a user to the system.

B. Elevate current login privileges.

C. Change passwords for users.

D. Display password file contents.

D. Ever heard of Bashdoor (a.k.a. the Shellshock vulnerability, CVE-2014-6271)? Of course you have, and that's what's being attempted here. Vulnerable versions of the Bash shell allow an attacker to execute arbitrary commands concatenated to the end of function definitions stored in environment variables; the classic delivery is a web server whose CGI scripts hand request headers to Bash as environment variables, which is why the payload is usually spotted in web logs as well as in shell history. In this case, the attacker is trying to read the contents of the password file using the cat command.

A, B, and C are incorrect because they do not match the command syntax.

15. You are examining LM password hashes and see the following:

3A02DF5289CF6EEFAAD3B435B51404EE

Which of the following passwords is most likely to have created the hash?

A. 123456789

B. CEHISHARD

C. c3HisH@RD!

D. CEHhard

D. You will certainly see LM hashes on your exam at least once or twice, and usually in this type of scenario. EC-Council isn't just going to come out and ask you if you know that the last half of the LM hash is always the same if the password is seven characters or less; they're going to throw it in a scenario and see if you remember it in the stress of test time. For review purposes, LM converts the password to uppercase, pads it with nulls to 14 characters, splits it into two seven-character pieces, and uses each piece as a DES key to encrypt the constant string KGS!@#$%. If the password is seven characters or less, the second piece is all nulls, so the last half of the hash is always the same value (AAD3B435B51404EE, by the way). In this question, apply the LM "splitting" of passwords into two separate groups of seven characters, and it's easy to see the answer: the first seven characters are CEHhard (hashed as CEHHARD, since LM is case-insensitive) and the second seven do not exist, so the hash of CEHhard equals 3A02DF5289CF6EEF, and the hash of the blank characters equals AAD3B435B51404EE.

On a final note, because it's related here, don't get hung up on password complexity unless it is explicitly noted in the question. Most people are in a rush during the exam and may not read things carefully. Glancing at the answers, these folks might pick the complex password by mistake. Therefore, use caution in reading the questions; take time to fully understand what they're asking for before just clicking the choice and moving on.

A is incorrect because this password has nine characters; therefore, the second half of the hash would be different (LM would hash 1234567 and then 89).

B is incorrect because this password also has nine characters; therefore, the second half of the hash would be different (LM would hash CEHISHA and then RD).

C is incorrect because this password has ten characters; therefore, the second half of the hash would be different (LM would hash c3HisH@ and then RD!).
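The following Python, an added example rather than the book's, ties questions 12 and 15 together: it parses pwdump-style lines (user:RID:LM hash:NT hash:::), identifies the built-in accounts by RID regardless of their current names, and reads the password-length clue out of the LM hash's second half. The sample lines are constructed: the first LM value is the one from this question, the other hash values are made up, and only the two empty-password constants are real.

```python
import re

EMPTY_LM_HALF = "AAD3B435B51404EE"                # LM hash of seven null bytes
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"      # NT hash of the empty string

# Constructed pwdump-style lines. The renamed RID 500 account and the
# made-up NT hashes exist only to exercise the checks below.
SAMPLE_DUMP = """\
svc_backup:500:3A02DF5289CF6EEFAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
jdoe:1001:E52CAC67419A9A224A3B108F3FA6CB6D:AABBCCDDEEFF00112233445566778899:::
sysadmin:1102:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9A-Fa-f]{32}):([0-9A-Fa-f]{32}):")


def parse_dump_line(line):
    """Return {name, rid, lm, nt} for one pwdump line, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    name, rid, lm, nt = m.groups()
    return {"name": name, "rid": int(rid), "lm": lm.upper(), "nt": nt.upper()}


def classify_rid(rid):
    """Well-known RIDs identify the account no matter what it is called."""
    if rid == 500:
        return "built-in Administrator"
    if rid == 501:
        return "built-in Guest"
    if rid >= 1000:
        return "created after installation"
    return "other well-known principal"


def lm_findings(entry):
    """What the structure of the LM hash alone reveals about the password."""
    first, second = entry["lm"][:16], entry["lm"][16:]
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        return "no LM hash stored (LM disabled or blank password)"
    if second == EMPTY_LM_HALF:
        return "password is 7 characters or fewer"
    return "password is 8-14 characters (LM stored)"


def triage(dump_text):
    """(name, account type, LM finding, blank NT password?) per valid line."""
    rows = []
    for line in dump_text.splitlines():
        e = parse_dump_line(line)
        if e is None:
            continue
        rows.append((e["name"], classify_rid(e["rid"]), lm_findings(e),
                     e["nt"] == EMPTY_NT))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_DUMP):
        print(row)
```

The blank-NT check separates "LM disabled" from "no password at all," which the LM column alone cannot do; the RID check is what catches an administrator account that has been renamed to look like a service account.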

16. You are examining history logs on a Linux machine and note the attacker added an ampersand (&) after a few process commands. Which of the following is true regarding this?

A. The & symbol has no effect on the process command.

B. The & symbol runs the process as a background task and closes it when the user logs off.

C. The & symbol ensures the process continues to run after the user logs off.

D. The & symbol concatenates the process to subsequent commands.

B. Okay, so this one is a little picky, I admit it, but lots of questions on your exam will be picky, so I'm not apologizing. The ampersand (&) is not only one of the coolest sounding character symbols of all time, but it's also used in the Linux command line to place a process in the background, and for exam purposes that background job closes at user logoff. In real life it depends on the shell: the job dies only if it receives SIGHUP, which bash forwards to its jobs when the shell itself is hung up (the terminal goes away) and, on a normal logout from an interactive login shell, only if the huponexit option is set. An attacker who wants persistence simply launches the command under nohup, setsid, or disown (or inside screen or tmux), so treat a lone & in history as a hint, not proof, that the process ended with the session. As an aside, you can use the bg and fg commands to move processes to the background and foreground, respectively, and jobs to list them.

A is incorrect because it does have an effect on the command.

C is incorrect because the process will not continue to run after logoff.

D is incorrect because it does not concatenate anything.

17. Which of the following are considered offline password attacks? (Choose all that apply.)

A. Using a hardware keylogger

B. Brute-force cracking with Cain and Abel on a stolen SAM file

C. Using John the Ripper on a stolen passwd file

D. Shoulder surfing

A, B, C. An offline password attack occurs when you take the password file (or the passwords themselves) offline for work. A common method involves stealing the SAM or passwd (shadow) file and then running a dictionary, hybrid, or brute-force attack against it (using a password-cracking tool such as Cain and Abel or John the Ripper). Keyloggers are also considered offline attacks because you examine the contents off network.

D is incorrect because shoulder surfing is considered another form of attack altogether: a nonelectronic attack. No, I'm not making this up; it's actually a term in CEH lingo and refers to social engineering methods of obtaining a password. Shoulder surfing is basically standing behind someone and watching their keystrokes.

18. If a rootkit is discovered on the system, which of the following is the best alternative for recovery?

A. Replacing all data files from a good backup

B. Installing Tripwire

C. Reloading the entire system from known-good media

D. Deleting all data files and rebooting

C. Sometimes a good old wipe and reload is not only faster than a cleaning effort but is just flat out better. And when it comes to rootkits, it's really your only option. If it's an off-the-shelf rootkit that has been documented, it's likely that good instructions on how to fully remove it are available somewhere, but remember that while you think you may have it removed by following removal instructions, you know it's gone if you blow the system away and reload it. One caveat for the real world: a rootkit living in firmware (UEFI or a device's option ROM) survives a disk wipe, so if the evidence points that way, reflash or replace the hardware as well.

A and D are incorrect because nearly anything you're doing with the data files themselves isn't going to help in getting rid of a rootkit. The device has been rooted, so all data should be treated as suspect.

B is incorrect because while Tripwire is a great tool, it isn't really useful to you once the machine has been infected: its integrity baseline has to be taken on a clean system, and a baseline taken now would simply enshrine the rootkit's files as legitimate.

19. Examine the following portion of a log file,captured during a hacking attempt:

What was the attacker attempting to do?

A. Copy files for later examination

B. Cover his tracks

C. Change the shell to lock out other users

D. Upload a rootkit

||||||||||||||||||||

||||||||||||||||||||

Page 328: CEH Certified Ethical Hacker Practice Exams, Fourth

B. You’ll definitely see basic Linux commandson your test, and this is one example of howyou’ll be asked about them. In this example,the rm command is used to remove (delete)files on a Linux system. Looking at what thehacker is attempting to remove, it seemslogical to assume—even without seeing therest of the log—that the hacker is covering histracks.

A is incorrect because the command for copy in Linux is cp.

C is incorrect because the shell is not being tampered with. This answer is included as a distractor.

D is incorrect because there is no evidence in this capture that anything is being uploaded; all commands are for removal of files (using the rm command). Granted, it’s highly likely something was uploaded before this portion, but we’re not privy to that information here.

20. You suspect a hack has occurred against your Linux machine. Which command will display all running processes for you to review?

A. ls -d

B. ls -l


C. su

D. ps -ef

E. ifconfig

D. The ps command is used in Linux to display processes. The -e switch selects all processes, running or not, and the -f switch provides a full listing. A couple of other options you might see include -r (restrict output to running processes), -u (select by effective user ID; supports names), and -p (select by process ID).

A and B are incorrect because the ls command in Linux lists files inside a storage directory. A couple of switches of note include -d (list directory entries instead of contents), -h (print sizes in human readable format), -l (use a long listing format), and -p (file type).

C is incorrect because the su command in Linux is for “switch user.” Assuming you have permission/authentication to do so, this allows you to change the effective user ID and group ID to whatever you want.

E is incorrect because ifconfig is used to configure a network interface in Linux. It looks, and works, very much like the ipconfig command in Windows, which makes it an easy target for test question writers, so pay close attention to the OS when asked about configuring your NIC.

21. An organization wants to control network traffic and perform stateful inspection of traffic going into and out of its DMZ. Which built-in functionality of Linux can achieve this?

A. iptables

B. ipchains

C. ipsniffer

D. ipfirewall

A. Iptables is a built-in “user space” application in Linux that allows you to configure the tables used by the Linux kernel firewall. It must be executed with root privileges and allows for stateful inspection. On most Linux systems, iptables is installed as /usr/sbin/iptables.

B is incorrect because ipchains won’t allow for stateful inspection.

C and D are incorrect because, as far as I know, there’s no such thing as ipsniffer or ipfirewall.


22. Which of the following best describes Cygwin?

A. Cygwin is a Unix subsystem running on top of Windows.

B. Cygwin is a Windows subsystem running on top of Unix.

C. Cygwin is a C++ compiler.

D. Cygwin is a password-cracking tool.

A. Cygwin (www.cygwin.com/) provides a Linux-like environment for Windows. It’s a large collection of GNU and open source tools that provide functionality similar to a Linux distribution on Windows, as well as a DLL (cygwin1.dll) that provides substantial POSIX API functionality, according to the Cygwin website. The Cygwin DLL currently works with all recent, commercially released x86 32-bit and 64-bit versions of Windows, starting with Windows XP SP3.

B, C, and D are incorrect descriptions of Cygwin.

23. Which folder in Linux holds administrative commands and daemons?

A. /sbin

B. /bin

C. /dev


D. /mnt

E. /usr

A. The system binaries folder holds most administrative commands (/etc holds others) and is the repository for most of the routines Linux runs (known as daemons).

B is incorrect because this folder holds a variety of basic Linux commands (a lot like the C:\Windows\System32 folder in Windows).

C is incorrect because this folder contains the pointer locations to the various storage and input/output systems you will need to mount if you want to use them, such as optical drives and additional hard drives or partitions. By the way, everything in Linux is a file. Everything.

D is incorrect because this folder holds the access locations you’ve actually mounted.

E is incorrect because this folder holds most of the information, commands, and files unique to the users.

24. Which of the following is the appropriate means to pivot within a Metasploit attack session?

A. Use the pivot exploit outside meterpreter.


B. Reconfigure network settings in meterpreter.

C. Set the payload to propagate.

D. Create a route statement in the meterpreter.

D. To answer this, you have to know what pivot means and what the meterpreter is, and the best explanations for both are found right on the Offensive Security website (www.offensive-security.com/): “Pivoting is the unique technique of using an instance (also referred to as a plant or foothold) to be able to ‘move’ around inside a network. Basically using the first compromise to allow and even aid in the compromise of other otherwise inaccessible systems. Metasploit has an autoroute meterpreter script that allows an attack into a secondary network through a first compromised machine. Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. Meterpreter resides entirely in memory and writes nothing to disk.” Adding a route statement inside the dynamic meterpreter environment allows the attack to “pivot” to a new target. Neat, eh?

A, B, and C are incorrect because they are neither legitimate nor accurate statements regarding a pivot attack.

25. You are examining files on a Windows machine and note one file’s attributes include “h.” What does this indicate?

A. The file is flagged for backup.

B. The file is part of the help function.

C. The file is fragmented because of size.

D. The file has been quarantined by an antivirus program.

E. The file is hidden.

E. The hidden attribute can be set on any file to hide it from standard directory searches. You can accomplish this with the command line

attrib +h filename

or by right-clicking, choosing Properties, and selecting the Hidden attribute check box at the bottom of the dialog.

A, B, C, and D are all incorrect definitions of the hidden attribute.

26. An attacker has gained access to an internal system. Using Metasploit, he accesses and attacks other internal systems. Which of the following terms best describes the action taken?

A. Attack splitting

B. Pivoting

C. Attack swinging

D. Hinging

B. I love definition questions on the exam—they’re simple and easy. Pivoting refers to attackers using a compromised system to access systems they’d otherwise not be able to get to. You can use the route statement in a meterpreter attack session to pivot from the compromised system onto others. Offensive Security (https://www.offensive-security.com/metasploit-unleashed/pivoting/) has a great write-up on using the autoroute meterpreter script for the same purpose.

A, C, and D are incorrect because these answers do not match any action taken from Metasploit.

27. Which of the following tools can assist in discovering the use of NTFS file streams? (Choose all that apply.)

A. LADS

B. ADS Spy


C. Sfind

D. Snow

A, B, C. NTFS streaming (alternate data streaming) isn’t a huge security problem, but it is something many security administrators concern themselves with. If you want to know where it’s going on, you can use any of these tools: LADS and ADS Spy are freeware tools that list all alternate data streams of an NTFS directory. ADS Spy can also remove alternate data streams (ADSs) from NTFSs. Sfind, probably the oldest one here, is a Foundstone forensic tool you can use for finding ADS. As an aside, dir /R on Windows systems does a great job of pointing out alternate data streams.

D is incorrect because Snow is a steganography tool used to conceal messages in ASCII text by appending whitespace to the end of lines.

28. Which authentication method uses DES for encryption and forces 14-character passwords for hash storage?

A. NTLMv1

B. NTLMv2


C. LAN Manager

D. Kerberos

C. LAN Manager is an older authentication model that burst onto the scene around the Windows 95 launch. It uses DES as an encryption standard (a 56-bit key DES, to be technical) and, as covered before, has a quirky habit of capitalizing passwords and splitting them into two seven-character halves. Believe it or not, this is still in use in the field. It’s most often found in places where backward compatibility was needed for something and, eventually, it was just forgotten or overlooked.

A is incorrect because NTLMv1 (NT LAN Manager) improved upon LM methods. It stopped crazy practices such as padding passwords to 14 characters, and it supported stronger encryption.

B is incorrect because NTLMv2 also did not follow the encryption methods used by LM. In addition to the improvements from version 1, NTLMv2 made use of 128-bit MD5 hashing.

D is incorrect because Kerberos is a strong and secure authentication method that does not work like LM. Kerberos makes use of a key distribution center (KDC) and grants tickets to properly authenticated clients to access resources on the network.


CHAPTER 6 Web-Based Hacking: Servers and Applications

This chapter includes questions from the following topics:

• Identify features of common web server architecture

• Identify web application function and architecture points

• Describe web server and web application attacks

• Identify web server and application vulnerabilities

• Identify web application hacking tools

In the spring of 1863, a mismatch was shaping up on the battlefield. General Robert E. Lee and Stonewall Jackson had amassed a sizeable Confederate force of around 60,000 men in and around Chancellorsville, Virginia, after the recent victory in Fredericksburg. Major General Joseph Hooker, however, commanded a Union army of around 130,000 men and was under direct orders from President Lincoln to annihilate the Confederate army. He thus decided upon a plan of action, well based in current military strategy, to apply his vastly superior forces and march against the enemy. By any measure, this was shaping up as an easy victory for the North.

General Lee, however, wasn’t well known for following strict rules of battle. While Hooker amassed forces for a front-on attack, Lee did something that, at the time, was considered either the dumbest move in history or brilliant strategy: he split his already outnumbered army into three groups. He left a paltry 10,000 men to meet the head-on charge, but sent the other 50,000 men in two groups to surround and flank the Union troops. Through a series of improbable victories on the Confederate side and utterly tentative and puzzling decision making by their Northern counterparts, the battle became a treatise on victory against all odds, and the power of mind and strategy on the battlefield.

And what is the relevance here for us, you may ask? By changing the focus of his attack, General Lee succeeded in pulling off one of the most unbelievable military victories in history. You can do the same in your pen testing by focusing your efforts on those areas the strong defenses of your target may overlook: their web applications and servers (yes, I know it’s corny, just go with it). Businesses and corporations are like that Union army, with so many defenses arrayed against you they seem impenetrable. But most of them can be outflanked, via their public-facing web fronts (which may or may not have proper security included) and their customized, internal web applications. This chapter is all about web servers and applications and how you can exploit them. After all, if the target is going to trust them, why not have a look?

STUDY TIPS Web server and web application attack questions are a little more focused, and difficult, in this version. I wish I could tell you memorization of terminology and key words would be enough to make it through these questions, but that’s simply not the case any more. ECC wants to make sure you know web servers and applications pretty thoroughly, so they’ve upped the ante in question offerings. Some will be more in the form of a scenario where you may need to pull from multiple areas of study in order to derive the correct answer. A couple of very specific questions may even involve scripting and will appear really difficult; however, if you simply remember protocols, ports, and basic networking, you can usually work your way through them.

Know your attacks well, including CSRF, CSPP, HTTP response splitting, and of course XSS, SQL injection, and URL tampering (among all the others). Be sure to spend some time in HTTP, and know it well. Another must-know for the exam is OWASP—know what it is, what it does, and its Top 10 lists well.


QUESTIONS

1. In nmap, the http-methods script can be used to test for potentially risky HTTP options supported by a target. Which of the following methods would be considered risky per the script?

A. CONNECT

B. GET

C. POST

D. HEAD

2. OWASP, an international organization focused on improving the security of software, produces a list called “OWASP Top 10 Most Critical Web Application Security Risks” for web applications. Which item is the primary concern on the list?

A. XSS

B. Injection Flaws

C. Insufficient Logging and Monitoring

D. Broken Authentication and Session Management

3. A web application developer wants to test a new application for security flaws. Which of the following is a method of testing input variations by using randomly generated invalid input in an attempt to crash the program?


A. Insploit

B. Finglonger

C. Metasplation

D. Fuzzing

4. Which of the following uses HTML entities properly to represent <script>?

A. &lt;script&gt;

B. &#40;script&#41;

C. &amp;script&amp;

D. &quot;script&quot;

5. An attacker tricks a user into visiting a malicious website via a phishing e-mail. The user clicks the e-mail link and visits the malicious website while maintaining an active, authenticated session with his bank. The attacker, through the malicious website, then instructs the user’s web browser to send requests to the bank website. Which of the following best describes this attack?

A. CSPP

B. XSS

C. CSRF

D. Hidden form field

6. Which of the following is used by SOAP services to format information?


A. Unicode

B. HTML entities

C. NTFS

D. XML

7. A web application developer is discussing security flaws discovered in a new application prior to production release. He suggests to the team that they modify the software to ensure users are not allowed to enter HTML as input into the application. Which of the following is most likely the vulnerability the developer is attempting to mitigate against?

A. Cross-site scripting

B. Cross-site request forgery

C. Connection string parameter pollution

D. Phishing

8. Which of the following is a common SOA vulnerability?

A. SQL injection

B. XSS

C. XML denial of service

D. CGI manipulation

9. The source code of software used by your client seems to have a large number of gets() alongside sparsely used fgets(). What kind of attack is this software potentially susceptible to?

A. SQL injection

B. Buffer overflow

C. Parameter tampering

D. Cookie manipulation

10. Which of the following would be the best choice in the prevention of XSS?

A. Challenge tokens

B. Memory use controls

C. HttpOnly flag in cookies

D. Removing hidden form fields

11. You are examining log files and come across this URL:

Which of the following best describes this potential attack?

A. This is not an attack but a return of SSL handshakes.

B. An attacker appears to be using Unicode.

C. This appears to be a buffer overflow attempt.

D. This appears to be an XSS attempt.

12. Which MSFconsole command allows you to connect to a host from within the console?

A. pivot

B. connect

C. get

D. route

13. Which character is your best option in testing for SQL injection vulnerability?

A. The @ symbol

B. A double dash

C. The + sign

D. A single quote

14. An angry former employee of the organization discovers a web form vulnerable to SQL injection. Using the injection string SELECT * FROM Orders_Pend WHERE Location_City = 'Orlando', he is able to see all pending orders from Orlando. If he wanted to delete the Orders_Pend table altogether, which SQL injection string should be used?

A. SELECT * FROM Orders_Pend WHERE Location_City = Orlando';DROP TABLE Orders_Pend --

B. SELECT * FROM Orders_Pend WHERE 'Orlando';DROP_TABLE --


C. DROP TABLE Orders_Pend WHERE 'Orlando = 1' --

D. WHERE Location_City = Orlando'1 = 1':DROP_TABLE --

15. Efforts to gain information from a target website have produced the following error message:

Which of the following best describes the error message?

A. The site may be vulnerable to XSS.

B. The site may be vulnerable to buffer overflow.

C. The site may be vulnerable to SQL injection.

D. The site may be vulnerable to a malware injection.

16. An attacker discovers a legitimate username (user1) and enters the following into a web form authentication window:

Which of the following attacks is most likely being attempted?

A. SQL injection

B. LDAP injection

C. URL tampering

D. DHCP amplification

17. Which of the following is a standard method for web servers to pass a user’s request to an application and receive data back to forward to the user?

A. SSI

B. SSL

C. CGI

D. CSI

18. An attacker performs a SQL injection attack but receives nothing in return. She then proceeds to send multiple SQL queries, soliciting TRUE or FALSE responses. Which attack is being carried out?

A. Blind SQL injection

B. SQL denial of service

C. SQL code manipulation

D. SQL replay

19. A tester is attempting a CSPP attack. Which of the following is she most likely to use in conjunction with the attack?

A. ;

B. :

C. ‘

D. “

E. --

F. ~

20. An attacker is attempting to elevate privileges on a machine by using Java or other functions, through nonvalidated input, to cause the server to execute a malicious piece of code and provide command-line access. Which of the following best describes this action?

A. Shell injection

B. File injection


C. SQL injection

D. URL injection

21. An attacker is successful in using a cookie, stolen during an XSS attack, during an invalid session on the server by forcing a web application to act on the cookie’s contents. How is this possible?

A. A cookie can be replayed at any time, no matter the circumstances.

B. Encryption was accomplished at the Application layer, using a single key.

C. Authentication was accomplished using XML.

D. Encryption was accomplished at the Network layer.

22. HTML forms include several methods for transferring data back and forth. Inside a form, which of the following encodes the input into the Uniform Resource Identifier (URI)?

A. HEAD

B. PUT

C. GET

D. POST

23. An attacker is looking at a target website and is viewing an account from the store on URL http://www.anybiz.com/store.php?id=2. He next enters the following URL:

http://www.anybiz.com/store.php?id=2 and 1=1

The web page loads normally. He then enters the following URL:

http://www.anybiz.com/store.php?id=2 and 1=2

A generic page noting “An error has occurred” appears.

Which of the following is a correct statement concerning these actions?

A. The site is vulnerable to cross-site scripting.

B. The site is vulnerable to blind SQL injection.

C. The site is vulnerable to buffer overflows.

D. The site is not vulnerable to SQL injection.

24. Which of the following statements is not true regarding WebGoat?

A. WebGoat is maintained and made available by OWASP.

B. WebGoat can be installed on Windows systems only.

C. WebGoat is based on a black-box testing mentality.

D. WebGoat can use Java or .NET.


25. An attacker is viewing a blog entry showing a news story and asking for comments. In the comment field, the attacker enters the following:

Nice post and a fun read

<script>onload=window.location='http://www.badsite.com'</script>

What is the attacker attempting to perform?

A. A SQL injection attack against the blog’s underlying database

B. A cross-site scripting attack

C. A buffer overflow DoS attack

D. A file injection DoS attack

26. Which of the following is one of the most common methods for an attacker to exploit the Shellshock vulnerability?

A. SSH brute force

B. CSRF

C. Form field entry manipulation

D. Through web servers utilizing CGI (Common Gateway Interface)

27. You are examining website files and find the following text file:

Which of the following is a true statement concerning this file?

A. All web crawlers are prevented from indexing the listing.html page.

B. All web crawlers are prevented from indexing all pages on the site.

C. The Googlebot crawler is allowed to index pages starting with /tmp/.

D. The Googlebot crawler can access and index everything on the site except for pages starting with /tmp/.


QUICK ANSWER KEY

1. A

2. B

3. D

4. A

5. C

6. D

7. A

8. C

9. B

10. C

11. B

12. B

13. D

14. A

15. C

16. B

17. C

18. A

19. A


20. A

21. B

22. C

23. B

24. B

25. B

26. D

27. D


ANSWERS

1. In nmap, the http-methods script can be used to test for potentially risky HTTP options supported by a target. Which of the following methods would be considered risky per the script?

A. CONNECT

B. GET

C. POST

D. HEAD

A. The http-methods script usage syntax is nmap --script http-methods <target>, where <target> is the IP of the system you’re after. Per nmap’s support pages (https://nmap.org/nsedoc/scripts/http-methods.html), this script “finds out what options are supported by an HTTP server by sending an OPTIONS request and lists potentially risky methods. It tests those methods not mentioned in the OPTIONS headers individually and sees if they are implemented. Any output other than 501/405 suggests that the method is not in the range 400 to 600. If the response falls under that range then it is compared to the response from a randomly generated method. In this script, ‘potentially risky’ methods are anything except GET, HEAD, POST, and OPTIONS. If the script reports potentially risky methods, they may not all be security risks, but you should check to make sure.” You can also use additional parameters, such as url-path, to further hone your results. For example, output from the preceding syntax showing PUT as a risky method might look like this:

Quite obviously, there is a lot of information tested in this one question—and many, many ways you might see it on the exam. The HTTP options themselves will show up somewhere, so knowing the difference, for example, between HTTP POST (submits data to be processed, normally allowable) and HTTP PUT (allows a client to upload new files on the web server, which normally shouldn’t be allowed) will become very important to your success. From OWASP (https://www.owasp.org/index.php/Test_HTTP_Methods_%28OTG-CONFIG-006%29), the following options are important to know:


• PUT This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files (for example, an .asp file that executes commands by invoking cmd.exe) or by simply using the victim’s server as a file repository.

• DELETE This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a website or to mount a DoS attack.

• CONNECT This method could allow a client to use the web server as a proxy.

• TRACE This method simply echoes back to the client whatever string has been sent to the server, and it’s used mainly for debugging purposes. This method, originally assumed harmless, can be used to mount an attack known as cross-site tracing.

B, C, and D are incorrect because these are not considered “risky” options.
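As an added example (not from the book, and not nmap's own script, which is written in Lua), here is an offline Python model of the decision rule quoted above, run against a constructed set of server responses so an administrator can see which verbs on a server of their own would be flagged. The `audit_methods` helper, the `send` probe callback and the status values in `WEAK_RESPONSES` / `HARDENED_RESPONSES` are assumptions made for the illustration.

```python
import random
import string

# Per the rule quoted above: anything outside this set is "potentially risky".
SAFE_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}

# Verbs probed individually when the OPTIONS "Allow:" header does not list them.
PROBE_METHODS = ("PUT", "DELETE", "TRACE", "CONNECT", "PATCH")


def parse_allow_header(allow):
    """Turn an OPTIONS response 'Allow:' value into a set of upper-case verbs."""
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def random_method(rng):
    """Junk verb no server should implement; the status it gets is the
    baseline that a real 4xx/5xx answer is compared against."""
    return "".join(rng.choice(string.ascii_uppercase) for _ in range(8))


def method_implemented(status, baseline_status):
    """The script's decision rule for one probed verb."""
    if status in (501, 405):
        return False          # explicitly "not implemented" / "not allowed"
    if 400 <= status < 600:
        # Any other error code only counts if it differs from the junk-verb baseline.
        return status != baseline_status
    return True               # 2xx/3xx: the server acted on the verb


def audit_methods(allow_header, send, seed=0):
    """Classify verbs the way the script does.

    `send(method)` is a hypothetical probe callback returning the HTTP status
    the server gave that verb; `seed` keeps the junk-verb choice reproducible.
    """
    rng = random.Random(seed)
    advertised = parse_allow_header(allow_header)
    baseline = send(random_method(rng))
    implemented = set(advertised)
    for method in PROBE_METHODS:
        if method in advertised:
            continue
        if method_implemented(send(method), baseline):
            implemented.add(method)
    return {
        "advertised": sorted(advertised),
        "implemented": sorted(implemented),
        "risky": sorted(implemented - SAFE_METHODS),
    }


# Constructed stand-in for a target: the status each verb would get back.
# PUT and TRACE answer normally; DELETE is refused with 403, which differs from
# the 405 a junk verb gets, so the rule still counts it as implemented.
WEAK_RESPONSES = {"GET": 200, "HEAD": 200, "POST": 200, "OPTIONS": 200,
                  "PUT": 201, "DELETE": 403, "TRACE": 200}

# Same server after the extra verbs are disabled: every unknown verb gets 405.
HARDENED_RESPONSES = {"GET": 200, "HEAD": 200, "POST": 200, "OPTIONS": 200}


def weak_server(method):
    return WEAK_RESPONSES.get(method, 405)


def hardened_server(method):
    return HARDENED_RESPONSES.get(method, 405)


if __name__ == "__main__":
    print(audit_methods("GET, HEAD, POST, OPTIONS", weak_server))
    print(audit_methods("GET, HEAD, POST, OPTIONS", hardened_server))
```

Verbs the server itself advertises in `Allow:` are taken at face value, so a server that lists PUT there is flagged without any probing.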

2. OWASP, an international organization focused on improving the security of software, produces a list called “OWASP Top 10 Most Critical Web Application Security Risks” for web applications. Which item is the primary concern on the list?

A. XSS

B. Injection Flaws

C. Insufficient Logging and Monitoring

D. Broken Authentication and Session Management

B. I know you’re thinking there is no way something this specific and picky will be on the exam, but I promise you will see something like this on your exam (not verbatim, of course, but you get my drift). The most current version (as of this writing) of OWASP’s Top 10 Most Critical Web Application Security Risks can be found on the OWASP site (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project), and ECC loves it. If nothing else, memorize the top five items on the list:

A1 – Injection Flaws Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. (Position on previous/last year’s list: #1.)

A2 – Broken Authentication and Session Management Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. (Position on previous/last year’s list: #2.)

A3 – Sensitive Data Exposure Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection, such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. (Position on previous/last year’s list: #6.)

A4 – XML External Entities (XXE) A new addition for the 2017 list. Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, exploiting vulnerable code, dependencies, or integrations. By default, many older XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. These flaws can be used to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, as well as execute other attacks.

A5 – Broken Access Control A new addition for the 2017 list. Exploitation of access control is a core skill of attackers. SAST and DAST tools can detect the absence of access control but cannot verify if it is functional when it is present. Access control is detectable using manual means, or possibly through automation for the absence of access controls in certain frameworks. Access control weaknesses are common due to the lack of automated detection and the lack of effective functional testing by application developers. Access control detection is not typically amenable to automated static or dynamic testing. Manual testing is the best way to detect missing or ineffective access control, including HTTP method (GET vs. PUT and so on), controller, direct object references, and so on.

A is incorrect because XSS is currently number 7 on the list.

C is incorrect because Insufficient Logging and Monitoring comes in at number 10.

D is incorrect because Broken Authentication and Session Management is number 2 on the list.

3. A web application developer wants to test a new application for security flaws. Which of the following is a method of testing input variations by using randomly generated invalid input in an attempt to crash the program?

A. Insploit

B. Finglonger

C. Metasplation

D. Fuzzing

D. Even if you didn’t know what “fuzzing” meant, you probably could’ve whittled this down by eliminating the known wrong answers. Per OWASP (https://www.owasp.org/index.php/Fuzzing), “Fuzz testing or fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.” In other words, fuzzing sends tons of weird inputs into fields to see what the application will do.

As an aside, you would find fuzzing in the Verification phase of Microsoft’s Security Development Lifecycle (SDL). The entire SDL consists of training, requirements, design, implementation, verification, release, and response.

A, B, and C are incorrect because none of these are legitimate terms as far as testing is concerned. Insploit and Metasplation are not real terms. Finglonger isn’t either, but it did make an appearance in a fantastic episode of Futurama.
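To make the OWASP definition concrete, the following is an added Python example (not from the book) of the developer-side fuzzing the question describes: a constructed toy record parser is fed thousands of malformed and semi-malformed inputs derived from one valid sample, and the unexpected exceptions it throws are collected; the hardened variant rejects every bad input with a single expected exception type. The record format, `mutate` and `fuzz` are all assumptions made for the illustration.

```python
import random


def parse_record(data):
    """Constructed toy parser: 1-byte name length, the name, then a 2-byte
    big-endian value. Deliberately written without any length checks."""
    name_len = data[0]                                   # IndexError on b""
    name = data[1:1 + name_len].decode("ascii")
    value = int.from_bytes(data[1 + name_len:3 + name_len], "big")
    return {"name": name, "value": value}


def parse_record_hardened(data):
    """Same format, but every malformed input is rejected with ValueError,
    the one exception a caller is expected to handle."""
    if not data:
        raise ValueError("empty record")
    name_len = data[0]
    if len(data) != 1 + name_len + 2:
        raise ValueError("length field does not match record size")
    name_bytes = data[1:1 + name_len]
    if not name_bytes.isascii():
        raise ValueError("name is not ASCII")
    return {"name": name_bytes.decode("ascii"),
            "value": int.from_bytes(data[1 + name_len:], "big")}


def mutate(rng, sample):
    """Produce one malformed or semi-malformed input from a valid sample."""
    choice = rng.randint(0, 3)
    if choice == 0:                                 # random garbage, possibly empty
        return bytes(rng.randrange(256) for _ in range(rng.randint(0, 8)))
    if choice == 1 and sample:                      # overwrite one byte
        i = rng.randrange(len(sample))
        return sample[:i] + bytes([rng.randrange(256)]) + sample[i + 1:]
    if choice == 2:                                 # truncate
        return sample[:rng.randint(0, len(sample))]
    return sample + bytes(rng.randrange(256) for _ in range(rng.randint(1, 4)))


def fuzz(target, iterations, seed=0, samples=(b"\x03abc\x01\x00",),
         expected=(ValueError,)):
    """Feed `iterations` mutated inputs to `target` and record the first input
    that triggered each unexpected exception type. Exceptions listed in
    `expected` count as proper input rejection, not as crashes (note that
    UnicodeDecodeError is itself a ValueError subclass, so a bad name byte in
    the naive parser is reported as a rejection, while its bare data[0] on an
    empty input surfaces as an IndexError crash)."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        data = mutate(rng, rng.choice(samples))
        try:
            target(data)
        except expected:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, data)
    return crashes


if __name__ == "__main__":
    print("naive parser crashes:", fuzz(parse_record, 2000, seed=1))
    print("hardened parser crashes:", fuzz(parse_record_hardened, 2000, seed=1))
```

A crash-only harness like this says nothing about silent misparsing: the naive parser returns value 0 for a truncated record instead of failing, which only a check on the returned values would catch.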

4. Which of the following uses HTML entities properly to represent <script>?

A. &lt;script&gt;

B. &#40;script&#41;

C. &amp;script&amp;

||||||||||||||||||||

||||||||||||||||||||

Page 364: CEH Certified Ethical Hacker Practice Exams, Fourth

D. &quot;script&quot;

A. Cross-site scripting generally relies on webpages not properly validating user input, andHTML entities can be used to take the place ofcertain characters. In this case, the less-thansign (<) and the greater-than sign (>)surround the word script. Respectively, theappropriate HTML entities are &lt; and &gt;(the lt and gt should give this away).

B is incorrect because &#40; and &#41; standfor the open and close parentheses,respectively. For example, (hello) would read&#40;hello&#41; using HTML entities.

C is incorrect because &amp; stands for theampersand character (&).

D is incorrect because &quot; stands for thequote character (“).
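
The following is an added example, not code from the book, covering this question and the XSS scenarios in questions 7 and 25. It uses Python's standard html module: encode_for_html is the output-encoding step that turns <script> into &lt;script&gt;, and decode_entities_fully undoes named, decimal and hex entities repeatedly until the text stops changing, so that a detection check sees the same characters a browser would. The inputs in the test are constructed.

```python
import html
import re

# Output encoding for an HTML body context: & < > " ' become entities, so
# whatever the user typed is rendered as text rather than parsed as markup.
def encode_for_html(untrusted: str) -> str:
    return html.escape(untrusted, quote=True)   # <script> -> &lt;script&gt;


def decode_entities_fully(text: str, max_rounds: int = 5) -> str:
    """Decode named (&lt;), decimal (&#60;) and hex (&#x3c;) entities, repeating
    so that a double-encoded payload such as &amp;lt; is unwrapped as well."""
    for _ in range(max_rounds):
        decoded = html.unescape(text)
        if decoded == text:
            return decoded
        text = decoded
    return text


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(user_input: str) -> bool:
    """Detection check: evaluate on the fully decoded text, never on the raw
    submission, otherwise &#60;script&#62; sails straight past."""
    return SCRIPT_TAG.search(decode_entities_fully(user_input)) is not None
```

The encoder is what the developer in question 7 should be adding at every point where user data is written into a page; the decoder is the normalisation a filter or IDS needs before it can make a decision.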

5. An attacker tricks a user into visiting a malicious website via a phishing e-mail. The user clicks the e-mail link and visits the malicious website while maintaining an active, authenticated session with his bank. The attacker, through the malicious website, then instructs the user's web browser to send requests to the bank website. Which of the following best describes this attack?

A. CSPP

B. XSS

C. CSRF

D. Hidden form field

C. There are few truisms in life, but here's one: you will definitely be asked about CSRF on your exam. Cross-site request forgery (CSRF) attacks are exactly what's being described here: an attacker takes advantage of an open, active, authenticated session between the victim and a trusted site, sending requests to the trusted site from the victim's own browser, which dutifully attaches the victim's session cookie. Usually this involves phishing, or maybe an advertisement, but the principle is always the same. CSRF attacks are prevented with anti-CSRF (synchronizer) tokens: the server embeds a random, per-session value in each state-changing form and rejects any submission that doesn't carry it. The attacker's page can't read that token because of the same-origin policy, so the forged request fails. Marking the session cookie SameSite is a useful second layer.

As an aside, a similar attack is known as session fixation. The attacker obtains a valid session ID from the legitimate site and then sends the victim a link carrying that fixed session ID. When the user clicks it and logs in to the same legitimate site under that session, the attacker, who already knows the ID, simply uses the now-authenticated session.

A is incorrect because this does not describe a CSPP attack. A connection string parameter pollution attack exploits web applications that use semicolons to separate parameters in database connection strings.

B is incorrect because this does not describe a cross-site scripting attack. An XSS attack attempts to inject a script into input fields so that it runs in other users' browsers.

D is incorrect because a hidden form field attack occurs when an attacker manipulates the values of a hidden form field and resubmits them to the server.
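
The following is an added example, not code from the book: the synchronizer-token check described above, written as a constructed "transfer" handler. The session store, the session ID and the forged form are assumptions made for the example. With require_token=False the handler behaves like the bank in the question and honours any request that arrives with the victim's cookie; with the default it rejects the forged form, which cannot carry the token because the attacker's origin has no way to read it.

```python
import hmac
import secrets

# Constructed server-side session store (assumption for the example).
SESSIONS = {"sess-abc": {"user": "alice", "csrf_token": None}}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: random per session, stored server-side and embedded
    as a hidden field in every state-changing form the server renders."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def handle_transfer(session_id: str, form: dict, require_token: bool = True) -> str:
    """session_id stands for the cookie the browser attaches automatically.
    require_token=False reproduces the vulnerable bank from the question."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "401 not logged in"
    if require_token:
        expected = session.get("csrf_token") or ""
        supplied = form.get("csrf_token", "")
        # constant-time comparison; an empty expected token never matches
        if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return "403 missing or invalid CSRF token"
    return f"200 transferred {form['amount']} to {form['to']}"


# What the attacker's page can submit: it knows the field names, not the token.
FORGED_FORM = {"to": "attacker", "amount": "1000"}
```

In a real application the token also has to be bound to the session it was issued for (as it is here, by storing it in the session record) so that a token the attacker obtained for his own account does not validate someone else's request.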

6. Which of the following is used by SOAP services to format information?

A. Unicode

B. HTML entities

C. NTFS

D. XML

D. Simple Object Access Protocol (SOAP) is a protocol designed for exchanging structured information within web services across multiple variant systems. In other words, it's a way for a program running on one kind of operating system (let's say Windows Server 2008) to communicate with a program on another (such as Linux). It uses HTTP and XML to exchange information and specifies how to encode HTTP headers and XML messages so that applications can talk to each other. One great advantage is also a great detriment, security-wise: because HTTP is generally allowed through most firewalls, applications using SOAP can generally communicate at will throughout networks.

SOAP injection attacks allow you to inject malicious content into the XML message (much like SQL injection, as a matter of fact), which might give you the means to bypass authentication and access databases behind the scenes. SOAP can be carried over HTTP and SMTP, and individual messages are one-way in nature (a request/response exchange is simply two of them paired up).

A is incorrect because Unicode is not used by SOAP in this manner. It's a standard for representing text in computing.

B is incorrect because HTML entities are not used by SOAP in this manner. They're used to represent characters in HTML code.

C is incorrect because NTFS is a file system and has nothing to do with SOAP.

7. A web application developer is discussing security flaws discovered in a new application prior to production release. He suggests to the team that they modify the software to ensure users are not allowed to enter HTML as input into the application. Which of the following is most likely the vulnerability the developer is attempting to mitigate against?

A. Cross-site scripting

B. Cross-site request forgery

C. Connection string parameter pollution

D. Phishing

A. XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. The basics of this attack revolve around website design (or web application design on that site), dynamic content, and unvalidated input data. Usually when a web form pops up, the user inputs something, and then some script dynamically changes the appearance or behavior of the website based on what has been entered. XSS occurs when the bad guys take advantage of that scripting (JavaScript, in practice) and have it perform something other than the intended response. For example, suppose instead of entering what you're supposed to enter in a form field, you enter an actual script. The server then does what it's supposed to: it stores or reflects the code sent from an authorized user, and the next browser to render that page runs it. The best defense against this is proper design, good input validation, and context-aware output encoding before the app ever sees production in the first place. Refusing HTML on input (the developer's suggestion) helps, but encoding on output is what actually closes the hole, because data reaches pages by more routes than form fields.

B is incorrect because the fix action being suggested would not necessarily affect CSRF attacks. In CSRF, an attacker takes advantage of an open, active, authenticated session between the victim and a trusted site, sending requests to the trusted site from the victim's own browser.

C is incorrect because the fix action being suggested would not necessarily affect CSPP attacks. A connection string parameter pollution attack exploits web applications that use semicolons to separate parameters in database connection strings.

D is incorrect because the fix action being recommended would not necessarily affect any social engineering effort.

8. Which of the following is a common SOA vulnerability?

A. SQL injection

B. XSS

C. XML denial of service

D. CGI manipulation

C. Service-oriented architecture (SOA) is a software design idea based on specific pieces of software providing functionality as services between applications. The idea is to define how two applications can interact so that one can perform a piece of work for the other (better said, on behalf of the other). Each interaction is independent of any other and is self-contained. SOA programmers make extensive use of XML to carry all this out, and that leaves the application vulnerable to crafty XML tampering. If an attacker can pass an XML message with a very large payload, deeply nested elements, or recursive entity declarations that expand to enormous size, the parser burns memory and CPU on it, and that is an XML denial-of-service attack on an SOA application. This isn't to imply it's the only type of DoS available or that SOA is uniquely vulnerable (for instance, the only thing a specifically crafted XML attack can affect). It's just a question, so don't read too much into it.

A, B, and D are incorrect because these attacks don't necessarily apply to SOA in this context.

9. The source code of software used by your client seems to have a large number of gets() alongside sparsely used fgets(). What kind of attack is this software potentially susceptible to?

A. SQL injection

B. Buffer overflow

C. Parameter tampering

D. Cookie manipulation

B. A buffer overflow is an attempt to write more data into an application's prebuilt buffer area in order to overwrite adjacent memory, execute code, or crash a system (application). By inputting more data than the buffer is allocated to hold, you may be able to crash the application or machine or alter the application's data pointers. gets() is a common source of buffer overflow vulnerabilities because it reads a line from standard input into a buffer until it hits a newline or EOF, with no way to tell it how big the buffer is. It performs no check for buffer overrun, which is why it was removed from the C standard in C11 and has been replaced by fgets(), which takes the buffer size as an argument and stops there.

A is incorrect because SQL injection has nothing to do with this scenario. No evidence is presented that this software even interacts with a database.

C is incorrect because parameter tampering deals with manipulating a URL.

D is incorrect because cookie manipulation has nothing to do with this software. A cookie is a small file used to provide a more consistent web experience for a web visitor. Because it holds various information, though, it can be manipulated for nefarious purposes (using the Firefox add-on Cookie Editor, for instance).

10. Which of the following would be the best choice in the prevention of XSS?

A. Challenge tokens

B. Memory use controls

C. HttpOnly flag in cookies

D. Removing hidden form fields

C. In addition to input validation and output encoding (always good for bunches of vulnerability mitigations), setting the HttpOnly flag on cookies mitigates one common payoff of XSS: cookie theft. Cross-site scripting occurs when an attacker injects code into a web page form field that does not have appropriate input validation configured. The HttpOnly flag does not stop the injected script from running; what it does is keep the cookie out of reach of any client-side script, so document.cookie won't reveal the session identifier.

Per OWASP, if the HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through client-side script. As a result, even if a cross-site scripting flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party. The flag originated in Internet Explorer 6 SP1 and is honored by every modern browser. Keep in mind the injected script can still do plenty without the cookie (issue requests in the user's name, for instance), so HttpOnly is a mitigation, not a fix.

A is incorrect because challenge tokens are used in mitigation of CSRF.

B is incorrect because memory use control configurations wouldn't necessarily affect XSS vulnerabilities at all.

D is incorrect because removing hidden form fields would not necessarily do anything to mitigate XSS.
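
The following is an added example, not code from the book: building a session cookie with the protective flags set, and auditing Set-Cookie headers (the header strings are constructed for the example) for the flags that are missing. It uses only Python's http.cookies module; the cookie name and value are assumptions.

```python
from http.cookies import SimpleCookie


def build_session_cookie(name: str, value: str) -> str:
    """Return a Set-Cookie header value with the flags a session cookie needs."""
    c = SimpleCookie()
    c[name] = value
    c[name]["httponly"] = True    # not readable through document.cookie
    c[name]["secure"] = True      # only sent over TLS
    c[name]["samesite"] = "Lax"   # not attached to most cross-site requests (CSRF help)
    c[name]["path"] = "/"
    return c[name].OutputString()


def audit_set_cookie(header_value: str) -> dict:
    """Parse a Set-Cookie header value and report, per cookie, which of the
    three protections is absent. Use it over the headers a scanner or proxy
    captured from a target."""
    c = SimpleCookie()
    c.load(header_value)
    findings = {}
    for name, morsel in c.items():
        missing = []
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        if not morsel["secure"]:
            missing.append("Secure")
        if not morsel["samesite"]:
            missing.append("SameSite")
        findings[name] = missing
    return findings
```

A cookie that the audit reports as missing HttpOnly is the one an XSS payload will go after first; one missing Secure leaks over plain HTTP whether or not there is any XSS at all.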

11. You are examining log files and come across this URL:

http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63%2f%70%61%73%73%77%64

Which of the following best describes this potential attack?

A. This is not an attack but a return of SSL handshakes.

B. An attacker appears to be using Unicode.

C. This appears to be a buffer overflow attempt.

D. This appears to be an XSS attempt.

B. Unicode is just another way to represent text, so why not use it to try to get past an IDS? Of course, in the real world every IDS would probably be looking for weird encoded requests anyway (it isn't ciphered or encrypted and really does nothing more than provide a cursory obfuscation), but let's just stick with EC-Council and the CEH exam here for now. Strictly speaking, %XX is URL (percent) encoding of single bytes, and the %uXXXX form is the one usually labeled "Unicode" encoding; the exam treats both as Unicode obfuscation. Decode the request and it's clear what's going on: %2e is a period, %2f is a slash, and %65%74%63 spells etc, so the query string reads template....././etc/passwd. This request appears to be a directory traversal attempt to grab the password file.

A, C, and D are all incorrect because this URL does not necessarily indicate any of these attacks and is quite clearly an encoded traversal attempt.
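
The following is an added example, not code from the book: the decode-then-inspect step an analyst (or an IDS) has to perform on the URL above. decode_fully handles the %XX form, the %uXXXX form, and double encoding by decoding until the string stops changing; classify then looks for traversal and for references to well-known sensitive files. The log lines are constructed and use an assumed "<client> <method> <request>" layout.

```python
import re
from urllib.parse import unquote

UNICODE_PCT = re.compile(r"%u([0-9a-fA-F]{4})")   # IIS-style %uXXXX encoding


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Decode %XX and %uXXXX repeatedly until the string stops changing, so a
    double-encoded %252e (-> %2e -> .) is unwrapped as well."""
    for _ in range(max_rounds):
        step = UNICODE_PCT.sub(lambda m: chr(int(m.group(1), 16)), s)
        step = unquote(step)
        if step == s:
            break
        s = step
    return s


SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "boot.ini", "win.ini")


def classify(url: str) -> dict:
    """Return the decoded request plus the reasons, if any, it looks like traversal."""
    decoded = decode_fully(url)
    reasons = []
    if ".." in decoded:
        reasons.append("dot-dot segment after decoding")
    for name in SENSITIVE_FILES:
        if name in decoded.lower():
            reasons.append(f"references {name}")
    return {"decoded": decoded, "suspicious": bool(reasons), "reasons": reasons}


# Constructed access-log lines: "<client> <method> <request>"
SAMPLE_LOG = [
    "10.0.0.5 GET /script.ext?template=home",
    "10.0.0.9 GET /script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63%2f%70%61%73%73%77%64",
    "10.0.0.9 GET /script.ext?template=%252e%252e%252f%252e%252e%252fetc%252fshadow",
    "10.0.0.9 GET /script.ext?template=%u002e%u002e%u002fboot.ini",
]


def scan_log(lines) -> list:
    """Return (client, decoded request, reasons) for every suspicious line."""
    hits = []
    for line in lines:
        client, _method, request = line.split(" ", 2)
        verdict = classify(request)
        if verdict["suspicious"]:
            hits.append((client, verdict["decoded"], verdict["reasons"]))
    return hits
```

Matching on the raw request string would catch only the first encoded line; the other two evade a naive "../" signature precisely because they are encoded twice or with the %u form.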

12. Which MSFconsole command allows you to connect to a host from within the console?

A. pivot

B. connect

C. get

D. route

B. Questions on Metasploit can be very generalized or, like this question, pretty darn specific. MSFconsole, opened with the msfconsole command, is a common method of interfacing with Metasploit. As put by Offensive Security, it provides an "all-in-one" centralized console and allows you efficient access to virtually all of the options available in the MSF, and is the only supported way to access most of the features within Metasploit. Commands used in the interface are listed and discussed pretty well on Offensive Security's site (https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/). The connect command acts like a miniature netcat clone, supporting SSL, proxies, pivoting, and file sends. By issuing the connect command with an IP address and port number, you can connect to a remote host from within MSFconsole the same as you would with netcat or telnet.

In addition to MSFconsole, you should also know the module types in the Metasploit architecture. The exam wants five: Exploits, Payloads, Encoders, NOPs, and Auxiliary (current versions also ship Post modules, for actions on a session after exploitation, and Evasion modules). Exploits is the basic module, used to encapsulate (and configure behaviors for) an exploit. Payloads establishes a communication channel between Metasploit and the target. Auxiliary is used to run things like port scanning and fuzzing.

A is incorrect because there is no pivot command in MSFconsole. Pivoting does refer to connecting to other machines from a compromised system, but is not accomplished with a pivot command.

C is incorrect because the get command gets the value of a context-specific variable.

D is incorrect because the route command is used to route traffic through a session (and is generally seen, question-wise, in regard to pivoting).

13. Which character is your best option in testing for SQL injection vulnerability?

A. The @ symbol

B. A double dash

C. The + sign

D. A single quote

D. SQL injection is all about entering queries and commands into a form field (or URL) to elicit a response, gain information, or manipulate data. On a web page, many times entries into a form field are inserted into a SQL command. When you enter your username and information into the fields and click the button, the SQL command in the background might read something like this:

SELECT OrderID, FirstName, Lastname FROM Orders

In SQL, a single quote is used to delimit a character string. Once SQL sees that open quote, it starts parsing everything after it as string input. If there's no close quote, an error occurs because SQL doesn't know what to do with the submitted characters. If the web page is configured poorly, that error will return to you and let you know it's time to start injecting SQL commands. A server that swallows the error and shows a generic page is not necessarily safe; it just forces you into the blind techniques covered later in this chapter.

A, B, and C are incorrect characters to use as part of a SQL injection test. The @ symbol is used to designate a variable in SQL (you'll need to define the variable, of course). The + sign is used to combine strings (as in Matt+Walker). A double dash indicates an upcoming comment in the line.

14. An angry former employee of the organization discovers a web form vulnerable to SQL injection. Using the injection string SELECT * FROM Orders_Pend WHERE Location_City = 'Orlando', he is able to see all pending orders from Orlando. If he wanted to delete the Orders_Pend table altogether, which SQL injection string should be used?

A. SELECT * FROM Orders_Pend WHERE Location_City = Orlando';DROP TABLE Orders_Pend --

B. SELECT * FROM Orders_Pend WHERE 'Orlando';DROP_TABLE --

C. DROP TABLE Orders_Pend WHERE 'Orlando = 1' --

D. WHERE Location_City = Orlando'1 = 1':DROP_TABLE --

A. SQL queries usually read pretty straightforward, although they can get complicated rather quickly. In this case, you're telling the database, "Can you check the table Orders_Pend and see whether there's a city called Orlando? Oh, by the way, since you're executing any command I send anyway, just go ahead and drop the table called Orders_Pend while you're at it." The only thing missing from SQL queries is a thank-you at the end. Note that this stacked-query trick only works where the database and the driver accept more than one statement per call; many won't, which doesn't make the injection harmless, only less convenient. As an aside, you can easily restrict which SQL statements any user can run, and you should: the account a web application connects with needs the DML rights it uses (SELECT, INSERT, UPDATE) and no DDL rights such as DROP. Allowing all users to drop tables and the like is akin to making your standard user a domain administrator; it's a rather dumb idea!

B, C, and D are incorrect because they do not have proper syntax.

15. Efforts to gain information from a target website have produced the following error message:

Which of the following best describes the error message?

A. The site may be vulnerable to XSS.

B. The site may be vulnerable to buffer overflow.

C. The site may be vulnerable to SQL injection.

D. The site may be vulnerable to a malware injection.

C. Once again, you will get a few "gimme" questions on the exam. The error message clearly displays a SQL error, telling us there's an underlying SQL database to contend with and it's most likely not configured correctly (or we wouldn't be getting an error message like this, through a web interface and telling us exactly what's there, in the first place).

A, B, and D are all incorrect for the same reason: the error message simply doesn't provide enough information to make these leaps. There is nothing here indicating cross-site scripting or buffer overflow on either side of the ledger. Although it's true the error may indicate which kinds of malware may increase your odds of success, there's nothing there to indicate, by itself, that the site is vulnerable.

16. An attacker discovers a legitimate username (user1) and enters the following into a web form authentication window:

Which of the following attacks is most likely being attempted?

A. SQL injection

B. LDAP injection

C. URL tampering

D. DHCP amplification

B. LDAP injection works a lot like SQL injection: you enter code that is passed by the application to something behind it for processing. With LDAP injection, if the input is not validated, you can enter direct LDAP filter syntax into the form and watch for results. In this case, the attacker logs in without any password. The actual LDAP query from a legitimate login would have appeared like this: (&(user=user1)(password=meh)).

The addition of the )(&) characters turns the expression into (&(user=user1)(&))(password=meh)). The first complete filter is now (&(user=user1)(&)), which tests only the username portion of the query, and the trailing password clause is left dangling and ignored. Since the empty (&) is always true, the attacker is in.

LDAP injection questions may also center on the Boolean operators used in filter syntax. The operators to remember are summarized in the following table:

A is incorrect because this does not indicate a SQL injection attack. SQL injection attempts make use of the open quote and SQL statements, for example, test ');DROP TABLE Users;--.

C is incorrect because this does not show a URL tampering attack.

D is incorrect because this does not show a DHCP amplification attack.
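
The following is an added example, not code from the book: the login filter from the question built by string concatenation (the vulnerable form), the same filter with RFC 4515 escaping of the assertion values, and a small helper that splits a filter string into its first balanced filter and whatever trails it, which is how the password clause ends up discarded. The attribute names user and password are taken from the question; the parser is a constructed illustration, not a full LDAP filter grammar.

```python
# RFC 4515 escaping of the characters that can change filter structure.
LDAP_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value: str) -> str:
    """Escape an assertion value so it is matched literally."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter_unsafe(user: str, password: str) -> str:
    # vulnerable: untrusted input concatenated straight into the filter
    return f"(&(user={user})(password={password}))"


def login_filter(user: str, password: str) -> str:
    # hardened: the same filter with every value escaped
    return f"(&(user={ldap_escape(user)})(password={ldap_escape(password)}))"


def first_complete_filter(filter_str: str):
    """Split a filter string into the first balanced filter and the remainder.
    A server that evaluates only the first filter silently drops the rest,
    which is what makes the )(&) injection a password bypass."""
    depth = 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return filter_str[: i + 1], filter_str[i + 1 :]
    return filter_str, ""
```

Real LDAP client libraries provide an escaping function equivalent to ldap_escape; the point of the example is that with it the injected username becomes the literal string user1\29\28&\29, which simply fails to match any entry.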

17. Which of the following is a standard method for web servers to pass a user's request to an application and receive data back to forward to the user?

A. SSI

B. SSL

C. CGI

D. CSI

C. Common Gateway Interface (CGI) is a standardized method for transferring information between a web server and an executable (a CGI script is designed to perform some task with the data). CGI is considered a server-side solution because processing is done on the web server and not the client. Because CGI scripts can run essentially arbitrary commands on your system with the permissions of the web server user (or, behind a wrapper such as suEXEC, as the owner of the script), they can be extremely dangerous if not carefully checked. Additionally, without such a wrapper all CGI scripts on the server run as the same user, so they have the potential to conflict (accidentally or deliberately) with other scripts (an attacker could, for example, write a CGI script to destroy all other attached databases).

A is incorrect because server-side includes (SSIs) are directives placed in HTML pages and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program or other dynamic technology.

B and D are incorrect because both are included as distractors. By now you're certainly familiar with Secure Sockets Layer (SSL) and its value as an encryption method. CSI? Well, that's just good television. Or it used to be, anyway.

18. An attacker performs a SQL injection attack but receives nothing in return. She then proceeds to send multiple SQL queries, soliciting TRUE or FALSE responses. Which attack is being carried out?

A. Blind SQL injection

B. SQL denial of service

C. SQL code manipulation

D. SQL replay

A. Blind SQL injection is really kinda neat, even if you're not a nerd. Sometimes a security admin does just enough to frustrate efforts, and you don't receive the error messages or returned information you originally counted on. So, to pull out the info you want, you start asking it (the SQL database) a lot of true or false questions. For example, you could ask the database, "True or false: you have a table called USERS?" If you get a TRUE, then you know the table name and can start asking questions about it. For example, "Hey, database, got an entry in your USERS table named admin?" (SELECT * from USERS where name='admin' and 1=1;#';). The "answer" is whatever difference the two outcomes produce: a normal page versus an error page, a different response size, or, in the time-based variant, a deliberate delay. Blind SQL injection is a long, laborious effort, but it can be done, and tools automate it to a character-by-character extraction of whatever the injected query can reach.

B, C, and D are all incorrect because, so far as I know, none of them is a recognized attack by EC-Council. I'm sure you can find ways to perform a DoS on a SQL database, and we're manipulating SQL all over the place in these injection attacks, but these terms just aren't recognized on your exam and are here solely as distractors.

19. A tester is attempting a CSPP attack. Which of the following is she most likely to use in conjunction with the attack?

A. ;

B. :

C. '

D. "

E. --

F. ~

A. CSPP (connection string parameter pollution) is another form of injection attack. In many web applications, the connection strings used to reach back-end databases separate their parameters with semicolons (for example, key=value;key=value). Much as with URL tampering, in CSPP you just change the connection string and see what happens: add a semicolon, type in your parameter, and watch to see if it was successful. Because a later parameter overrides an earlier one in most connection-string parsers, this can redirect the application to a server the attacker controls or change which credentials it uses.

B, C, D, E, and F are incorrect because these characters do not correspond to a CSPP attack. The single quote is most often tied to a SQL injection attempt. The other characters may show up in scripts, strings and whatnot, but don't let them fool you; they're simply distractors.

20. An attacker is attempting to elevate privileges on a machine by using Java or other functions, through nonvalidated input, to cause the server to execute a malicious piece of code and provide command-line access. Which of the following best describes this action?

A. Shell injection

B. File injection

C. SQL injection

D. URL injection

A. When it comes to web application attacks, there are many vectors and avenues to take. One of the more common is injecting something into an input string to exploit poor code. EC-Council defines these attacks in many ways. Also known as command injection, shell injection is defined as an attempt to gain shell access using Java or other functions. In short, the attacker will pass commands through a form input (or other avenue) in order to elevate privileges and open a shell for further malicious actions. It occurs when operating-system commands are entered into form fields instead of the expected entry and the application hands that input to a shell.

B is incorrect because EC-Council defines a file injection attack as one where the attacker injects a pointer in the web form input to an exploit hosted on a remote site. Sure, this may accomplish the same thing, but it's not the best choice in this case.

C is incorrect because SQL injection attacks involve using SQL queries and commands to elicit a response or action.

D is incorrect because URL injection is not an attack type and is included here as a distractor.

21. An attacker is successful in using a cookie, stolen during an XSS attack, during an invalid session on the server by forcing a web application to act on the cookie's contents. How is this possible?

A. A cookie can be replayed at any time, no matter the circumstances.

B. Encryption was accomplished at the Application layer, using a single key.

C. Authentication was accomplished using XML.

D. Encryption was accomplished at the Network layer.

B. Cookies can be used for many things. If you can grab all user cookies, you can see what they visited and sometimes even how long they've been there. Cookies can also hold passwords, and because most people use the same password on multiple sites, this can be a gold mine for the attacker. In this scenario, the cookie is being replayed by an attacker to gain access. If a single key is used in encryption, a replay attack is possible, because cookie authentication is carried out at the Application layer. It is for this reason some organizations require browsers to automatically delete cookies on termination. The structural fix is for the server to treat the cookie as nothing more than an opaque session identifier it can expire or revoke, rather than trusting whatever the cookie's contents claim.

A is incorrect because a replay attack of anything (cookie, stolen authentication stream, and so on) can't necessarily be carried out at any time. Replay attacks require planning and proper setup.

C is incorrect because XML has nothing to do with this.

D is incorrect because encryption is not carried out at the Network layer in this case.

22. HTML forms include several methods for transferring data back and forth. Inside a form, which of the following encodes the input into the Uniform Resource Identifier (URI)?

A. HEAD

B. PUT

C. GET

D. POST

C. An HTTP GET is a method for submitting a form that "encodes" the form data onto the end of the URI (a character string that identifies a resource on the Web, such as a page of text, a video clip, an image, or an application). For example, if you were to enter a credit card number in a form using GET, the resulting URL might look something like https://somesite.com/creditcard.asp?c#=4013229567852219, where the long number is obviously a credit card number just sitting there in the URL, the browser history, the proxy logs, and the server's access logs, waiting for anyone to use.

Generally speaking, a POST is "more secure" than a GET, although they both have their uses. If you're wondering when a GET should be used as opposed to a POST, the answer has to do with a vocabulary lesson: defining the term idempotent. Thrown about with HTTP GET, idempotent is a mathematical concept about an operation property: if the operation can be performed without changing results, even if it is run multiple times, it's considered idempotent. Therefore, if the request is assured of having no lasting effect on server state, then using a GET is perfectly reasonable. Also, a GET is limited by URL length (commonly around 8KB, depending on browser and server), whereas a POST body can be as large as the server allows. However, keep in mind a GET may wind up including sensitive information in that URI. Suppose your form returns a credit card number and a bad guy is logging URIs: if HTTP GET is in place, the attacker may be able to derive the information. In short, users can manipulate both GET and POST, but GET is simply more visible because of its reliance on something that browsers render to the screen in an editable field. A POST is meant for pushing data directly, and a GET is used when the server is expected to pull something based on the data submitted in the URL.

A is incorrect because, although HEAD and GET are similar, HEAD is not used in forms. It's usually used to pull header information from a web server (for example, banner grabbing) and to test links.

B is incorrect because HTTP PUT is not used in forms. It's used to transfer files to a web server.

D is incorrect because POST does not include the form data in the URI request. According to the World Wide Web Consortium (www.w3.org/), HTML specifications define the difference between GET and POST. GET means that form data will be encoded by a browser into a URL, whereas POST means the form data is to appear within the message body. In short, a GET can be used for basic, simple retrieval of data, and a POST should be used for most everything else (such as sending an e-mail, updating data on a database, and ordering an item).
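
The following is an added example, not code from the book: because a GET puts the form data in the URI, anything that logs URIs (proxies, web servers, analytics) captures it, so the practical control on the logging side is to scrub sensitive parameters before the line is written. The URL and parameter names below are constructed (the parameter is called cc rather than the book's c#, because a bare # in a URL starts the fragment and would never reach the server as a query parameter).

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed list of query parameter names that must never reach a log.
SENSITIVE_PARAMS = {"cc", "card", "password", "passwd", "token", "ssn"}


def redact_query(url: str, sensitive=SENSITIVE_PARAMS, marker: str = "REDACTED") -> str:
    """Return url with the values of sensitive query parameters replaced.
    Parameter order and the rest of the URL are preserved so the log line
    still identifies the request."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(k, marker if k.lower() in sensitive else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def redact_log_line(line: str) -> str:
    """Constructed access-log layout: '<client> <method> <url>'."""
    client, method, url = line.split(" ", 2)
    return f"{client} {method} {redact_query(url)}"
```

Scrubbing at write time is the only option for logs you do not control the format of; for the application itself the better answer is the one the question gives, which is to move the data into a POST body in the first place.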

23. An attacker is looking at a target website and is viewing an account from the store on URL http://www.anybiz.com/store.php?id=2. He next enters the following URL:

http://www.anybiz.com/store.php?id=2 and 1=1

The web page loads normally. He then enters the following URL:

http://www.anybiz.com/store.php?id=2 and 1=2

A generic page noting "An error has occurred" appears.

Which of the following is a correct statement concerning these actions?

A. The site is vulnerable to cross-site scripting.

B. The site is vulnerable to blind SQL injection.

C. The site is vulnerable to buffer overflows.

D. The site is not vulnerable to SQL injection.

B. The URLs shown here are attempting to pass a SQL condition through to see what may be going on in the background. Notice the first URL entered added and 1=1. Because this was a true statement, the page loaded without problem. However, changing that to a false statement (and 1=2) caused the query to return nothing and the site to show an error page. This would now be considered "blind" SQL injection because the actual error was not returned to the attacker (instead, he got a generic page most likely configured by the database administrator). The two different responses are all the oracle he needs: any condition he can phrase in SQL can now be answered true or false. As an aside, sometimes the attacker won't receive the error message or error page at all, but the site will be displayed differently (images out of place, text messed up, and so on), which also indicates blind SQL may be in order.

A and C are incorrect because neither this attack nor the results have anything to do with cross-site scripting or buffer overflows.

D is incorrect because the results indicate SQL injection is possible. Granted, it will take longer, because the attacker can't see error messaging, and will require lots of guesswork and trial and error, but the site is susceptible.
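
The following is an added example, not code from the book, that ties together questions 13, 14, 18 and this one against a single constructed SQLite database (the tables, rows and the admin password are made up for the example). store_page_vulnerable is the store.php handler with the id parameter concatenated into the query and a generic error page for any failure, exactly the blind situation above; store_page_safe is the same page parameterised. oracle and blind_extract then turn the true/false page difference into a character-by-character read of the admin password, using SQLite's substr, length and unicode functions.

```python
import sqlite3

ERROR_PAGE = "An error has occurred"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the store's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Orders_Pend (id INTEGER PRIMARY KEY, item TEXT, Location_City TEXT)")
    conn.executemany("INSERT INTO Orders_Pend VALUES (?, ?, ?)",
                     [(1, "laptop", "Orlando"), (2, "router", "Tampa"), (3, "switch", "Orlando")])
    conn.execute("CREATE TABLE Users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO Users VALUES ('admin', 'S3cret!')")
    return conn


def store_page_vulnerable(conn, id_param: str) -> str:
    """store.php?id=<id_param> with the parameter concatenated into the SQL.
    Any SQL error or empty result shows the same generic page."""
    try:
        row = conn.execute(f"SELECT item FROM Orders_Pend WHERE id={id_param}").fetchone()
    except (sqlite3.Error, sqlite3.Warning):
        return ERROR_PAGE
    return f"Item: {row[0]}" if row else ERROR_PAGE


def store_page_safe(conn, id_param: str) -> str:
    """Same page with a parameterised query: the input is data, never SQL."""
    try:
        row = conn.execute("SELECT item FROM Orders_Pend WHERE id=?", (int(id_param),)).fetchone()
    except (ValueError, sqlite3.Error):
        return ERROR_PAGE
    return f"Item: {row[0]}" if row else ERROR_PAGE


def oracle(conn, condition: str) -> bool:
    """True when the page renders normally with the condition appended."""
    return store_page_vulnerable(conn, f"2 AND ({condition})") != ERROR_PAGE


def blind_extract(conn, subquery: str, max_len: int = 32) -> str:
    """Recover the string a subquery returns using only true/false answers:
    one character per position, found by binary search over printable ASCII."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, f"length(({subquery}))>={pos}"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(({subquery}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


def table_exists(conn, name: str) -> bool:
    q = "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?"
    return conn.execute(q, (name,)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(store_page_vulnerable(db, "2"))            # normal page
    print(store_page_vulnerable(db, "2'"))           # the lone quote breaks the SQL (question 13)
    print(store_page_vulnerable(db, "2 and 1=1"))    # loads normally (true branch)
    print(store_page_vulnerable(db, "2 and 1=2"))    # generic error page (false branch)
    print(blind_extract(db, "SELECT pw FROM Users WHERE name='admin'"))
    store_page_vulnerable(db, "2; DROP TABLE Orders_Pend --")   # stacked query (question 14)
    print(table_exists(db, "Orders_Pend"))           # still there: this driver refuses stacked statements
```

Each extracted character costs about seven requests with the binary search, which is why the laborious attack in question 18 is quite practical once scripted. The stacked DROP at the end fails only because Python's sqlite3 execute() accepts one statement per call; the same payload against a stack that allows multiple statements would succeed, which is the caveat noted in question 14.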

24. Which of the following statements is not true regarding WebGoat?

A. WebGoat is maintained and made available by OWASP.

B. WebGoat can be installed on Windows systems only.

C. WebGoat is based on a black-box testing mentality.

D. WebGoat can use Java or .NET.

B. WebGoat, now in version 7 (https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project), is a deliberately insecure web application maintained by OWASP and designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. It's designed to teach from a black-box mentality (that is, learners aren't provided with all information up front and must discover what they need to know to figure out each lesson, just as they'd have to do in the real world), can be installed on virtually anything, and is available in both Java and .NET (WebGoat.NET) versions.

A, C, and D are incorrect because they are all true statements regarding WebGoat.

25. An attacker is viewing a blog entry showing a news story and asking for comments. In the comment field, the attacker enters the following:

What is the attacker attempting to perform?

A. A SQL injection attack against the blog's underlying database

B. A cross-site scripting attack

C. A buffer overflow DoS attack

D. A file injection DoS attack

B. This is a classic (albeit overly simplified) example of cross-site scripting, stored (persistent) XSS in this case. In a blog, the comment field is intended to take text from a visitor and copy it to a database in the background, from which it is rendered into the page for everyone who views the post. What's being attempted here is to have more than just text copied: the <script> tag adds a pointer to a malicious website. If the application writes the comment into its HTML without encoding it, the next visitor who opens that news story runs the script in their browser and is redirected to the bad site.

A, C, and D are all incorrect because this example contains nothing to indicate a SQL injection or a buffer overflow. Additionally, the idea here is not to perform a denial of service. Actually, it's quite the opposite: the attacker wants the site up and operational so more and more users can be sent to badsite.com.
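The comment-field attack above, as an added Python example (not code from the book): a blog comment rendered straight into the page next to the same comment rendered through html.escape, plus a small reviewer check that runs over constructed stored comments. The badsite.com host and the payloads are constructed for the demo.

```python
import html
import re

# Constructed comment submissions for the demo: two carry payloads pointing at
# the attacker's host, two are ordinary visitor text.
SUBMITTED_COMMENTS = [
    "Great story, thanks!",
    '<script src="http://badsite.com/hook.js"></script>',
    '<img src=x onerror="location.href=\'http://badsite.com\'">',
    "Use <b>bold</b> text sparingly.",
]

COMMENT_TEMPLATE = '<div class="comment">{}</div>'


def render_comment_vulnerable(comment):
    """Copies the stored text straight into the page, which is the blog
    behaviour the attack relies on: whatever the visitor typed becomes markup."""
    return COMMENT_TEMPLATE.format(comment)


def render_comment_fixed(comment):
    """Escapes the HTML metacharacters (quote=True also covers ' and "), so the
    browser displays the text of the payload instead of executing it."""
    return COMMENT_TEMPLATE.format(html.escape(comment, quote=True))


# Patterns a reviewer would flag when auditing comments that are already stored.
# Heuristic only: ' one=' in prose would also match the event-handler pattern.
SUSPICIOUS = re.compile(
    r"<\s*script\b|\son[a-z]+\s*=|javascript\s*:|<\s*iframe\b", re.IGNORECASE
)


def find_suspicious_comments(comments):
    """Return (index, comment) for every stored comment carrying script tags,
    inline event handlers, javascript: URLs or iframes."""
    return [(i, c) for i, c in enumerate(comments) if SUSPICIOUS.search(c)]


if __name__ == "__main__":
    for c in SUBMITTED_COMMENTS:
        print("VULNERABLE:", render_comment_vulnerable(c))
        print("FIXED:     ", render_comment_fixed(c))
    print("flagged:", find_suspicious_comments(SUBMITTED_COMMENTS))
```

Output encoding is the fix, not input filtering: the fourth comment loses its bold formatting under html.escape, and if a site wants to allow limited markup it needs an allow-list sanitizer for exactly those tags rather than a deny-list for <script>.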

26. Which of the following is one of the most common methods for an attacker to exploit the Shellshock vulnerability?

A. SSH brute force

B. CSRF

C. Form field entry manipulation

D. Through web servers utilizing CGI (Common Gateway Interface)

D. I would bet very large sums of cash you will see Shellshock on your exam, maybe even a couple of times. Shellshock (CVE-2014-6271, also known as Bashdoor) exploits a feature of the bash shell that lets a function definition be passed to a child shell through an environment variable. Basically, someone found in 2014 that bash kept parsing past the end of the function body, so arbitrary commands appended to the variable's value were executed as soon as the new shell started, before it ran anything it had actually been asked to run. If an attacker sets an environment variable like this on a vulnerable system:

env val='() { :;}; echo BADCOMMAND' bash -c "echo REALCOMMAND"

BADCOMMAND is executed before the real command.

Per Symantec (www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability), “The most likely route of attack is through Web servers utilizing CGI (Common Gateway Interface), the widely used system for generating dynamic Web content. An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked on to it.” Other avenues for Shellshock exploitation include the following:

• OpenSSH The “force command” function (where a fixed command is run when a user logs on, even if the user requested a different command) can be exploited in Shellshock, because the command the client asked for is still handed to the shell in an environment variable (SSH_ORIGINAL_COMMAND).

• DHCP Some DHCP clients pass values from the server's response to the bash shell, for example in the hook scripts run when a host joins a Wi-Fi network. A malicious DHCP server can exploit this in Shellshock.

• Qmail If bash is used to process e-mail messages, the server passes external input (such as the sender address) to bash in a way that can be exploited.

A is incorrect because brute-forcing an SSH session login has nothing to do with Shellshock.

B is incorrect because cross-site request forgery is a different vulnerability altogether: it tricks a victim's browser into sending requests the victim did not intend, riding on the victim's existing authenticated session.

C is incorrect because form field manipulation has nothing to do with Shellshock.
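The CGI route the Symantec text describes is easy to picture once you see how a gateway builds bash's environment. The following Python, added here and not from the book or any real server, reproduces the RFC 3875 header-to-environment mapping on constructed request headers, flags values that carry the bash function-export marker, and shows the text a pre-patch bash would have run. The request headers and script path are assumptions for the demo; nothing is executed.

```python
import re

# Constructed HTTP request headers. The first User-Agent carries the classic
# Shellshock probe; the second set is an ordinary browser request.
MALICIOUS_REQUEST_HEADERS = {
    "Host": "www.anybiz.com",
    "User-Agent": "() { :;}; echo BADCOMMAND",
    "Accept": "*/*",
}
BENIGN_REQUEST_HEADERS = {
    "Host": "www.anybiz.com",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0",
    "Accept": "text/html",
}

# A bash function export starts with '() {' at the very beginning of the
# value; that is the only thing that triggers the pre-patch parser, so it is
# the signature IDS and WAF rules key on.
SHELLSHOCK_MARKER = re.compile(r"^\s*\(\)\s*\{")


def cgi_environ(headers, method="GET", path="/cgi-bin/status.sh"):
    """Reproduce how a CGI gateway (RFC 3875) turns request headers into
    environment variables: 'User-Agent' becomes HTTP_USER_AGENT and so on.
    This is the step that hands attacker-controlled text to bash before the
    script itself runs a single line."""
    env = {"REQUEST_METHOD": method, "SCRIPT_NAME": path}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def shellshock_suspects(env):
    """Names of the environment variables whose values start with the
    function-definition marker, i.e. the ones a vulnerable bash would parse."""
    return sorted(k for k, v in env.items() if SHELLSHOCK_MARKER.match(v))


def shell_fragment_after_function(value):
    """The text a pre-patch bash executed: everything after the closing brace
    of the function body. None when the value is not a function export."""
    m = re.match(r"^\s*\(\)\s*\{.*?\}\s*;?\s*(.*)$", value, re.DOTALL)
    return m.group(1) if m else None


if __name__ == "__main__":
    env = cgi_environ(MALICIOUS_REQUEST_HEADERS)
    for var in shellshock_suspects(env):
        print(f"{var}: would execute {shell_fragment_after_function(env[var])!r}")
    print("benign request:", shellshock_suspects(cgi_environ(BENIGN_REQUEST_HEADERS)))
```

Any header the attacker controls becomes a variable (Cookie, Referer and custom headers included), which is why the fix had to be in bash rather than in one header filter; the marker check above is still the quickest thing to run over old access logs when looking for exploitation attempts.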

27. You are examining website files and find the following text file:

Which of the following is a true statement concerning this file?

A. All web crawlers are prevented from indexing the listing.html page.

B. All web crawlers are prevented from indexing all pages on the site.

C. The Googlebot crawler is allowed to index pages starting with /tmp/.

D. The Googlebot crawler can access and index everything on the site except for pages starting with /tmp/.

D. The robots.txt file was created to allow web designers to control index access to their sites. There are a couple of things you need to know about this file, for your exam and the real world. The first is, no matter what the robots.txt file says, attackers using a crawler to index your site are going to ignore it anyway: it is purely advisory and is honoured only by “good-guy” crawlers. After that, the rest is easy: robots.txt is stored at the root of the site, is available to anyone (by design), and is made up of groups. Each group starts with a User-agent: line naming the crawler it applies to, followed by the Disallow: (and optionally Allow:) paths for that crawler. Most robots.txt files use the * wildcard to mean all crawlers, but you can certainly get specific about who is allowed in and what they can see. A crawler applies only the group whose User-agent matches it most specifically and falls back to the * group when no named group matches; the order of the groups does not change that, although reading the file top to bottom like a router ACL happens to give the right answer on this question.

In this example, from top to bottom, the Googlebot crawler is named first and restricted from seeing /tmp/ pages; no other restrictions are listed for it. After that, all other crawlers (User-agent: *) are restricted from seeing any page (Disallow: /). The last two lines do not change the answer: Googlebot applies only the group addressed to it, and everyone else is already blocked from everything.

For additional information here, if you think about what a robots.txt file does, you could consider it a pointer to pages you, as an attacker, really want to see. After all, if the security person on the site didn't want Google indexing it, useful information probably resides there. On the flip side, a security-minded person may get a little snippy with robots.txt and have a little fun, sending you to some truly terrible Internet locations should you try to access one of the pages listed there.

A and B are incorrect because the Googlebot crawler is allowed to crawl the site (everything outside /tmp/).

C is incorrect because Googlebot is instructed to ignore all /tmp/ pages.
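A small parser for the file, added here as an example (not the book's code): it implements the group selection just described, so you can see that Googlebot's verdict depends only on its own group while everyone else falls through to the * group, and it lists the Disallow prefixes as the recon targets the paragraph above refers to. The robots.txt text is constructed in the shape the answer describes; the two trailing lines the answer mentions are not reproduced.

```python
# Constructed robots.txt in the shape the answer describes: one group for
# Googlebot, then a catch-all group that disallows everything.
SAMPLE_ROBOTS_TXT = """\
User-agent: Googlebot
Disallow: /tmp/

User-agent: *
Disallow: /
"""


def parse_robots(text):
    """Parse robots.txt into groups: a list of (user_agents, rules), each rule
    being (allowed, path_prefix). Comments and unknown fields are ignored."""
    groups, agents, rules = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if rules:                      # rules already seen: a new group starts
                groups.append((agents, rules))
                agents, rules = [], []
            agents.append(value.lower())
        elif field in ("allow", "disallow") and agents:
            rules.append((field == "allow", value))
    if agents:
        groups.append((agents, rules))
    return groups


def select_group(groups, crawler):
    """Group selection as RFC 9309 and Google's crawlers apply it: the named
    group whose token matches the crawler (longest match wins) is the ONLY
    group that applies; '*' is used only when no named group matches.
    Position in the file plays no part."""
    crawler = crawler.lower()
    best, best_len = None, -1
    for agents, rules in groups:
        for token in agents:
            if token != "*" and token in crawler and len(token) > best_len:
                best, best_len = rules, len(token)
    if best is not None:
        return best
    for agents, rules in groups:
        if "*" in agents:
            return rules
    return None


def is_allowed(groups, crawler, path):
    """Longest matching rule decides, Allow wins a tie, an empty Disallow means
    'no restriction', and a crawler with no applicable group may fetch anything."""
    rules = select_group(groups, crawler)
    if rules is None:
        return True
    verdict, best_len = True, -1
    for allowed, prefix in rules:
        if not prefix:
            continue
        if path.startswith(prefix) and (len(prefix) > best_len or (len(prefix) == best_len and allowed)):
            verdict, best_len = allowed, len(prefix)
    return verdict


def disallowed_paths(groups):
    """Every Disallow prefix in the file: the list an attacker reads first,
    because nothing forces a hostile crawler to honour any of it."""
    return sorted({p for _, rules in groups for allowed, p in rules if not allowed and p})


if __name__ == "__main__":
    g = parse_robots(SAMPLE_ROBOTS_TXT)
    for crawler, path in [("Googlebot", "/listing.html"), ("Googlebot", "/tmp/old.html"),
                          ("Bingbot", "/listing.html")]:
        print(f"{crawler:9} {path:15} -> {'allowed' if is_allowed(g, crawler, path) else 'blocked'}")
    print("Disallow targets:", disallowed_paths(g))
```

The standard library's urllib.robotparser applies the same selection, so for a quick check of a live file it is enough; the hand-written version is here so the matching rule is visible rather than hidden inside a library.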

CHAPTER 7
Wireless Network Hacking

This chapter includes questions from the following topics:

• Describe wireless network architecture and terminology

• Identify wireless network types and forms of authentication

• Describe wireless encryption algorithms

• Identify wireless hacking methods and tools

Wireless networking icons usually show some sort of beacon with circles (or half circles) emanating outward, like the waves of an ocean continuing out into the atmosphere to lap onto shores unseen. And that's entirely appropriate, since the whole thing started in Hawaii. Well, at least the wireless data networking we're discussing, anyway. The real story started way back in 1888.

While competing for the “Berlin Prize,” proposed as a challenge to prove James Clerk Maxwell's electromagnetic theory of light, a German physicist named Heinrich Rudolf Hertz proved the existence of radio waves (and managed to create the first man-made ones in the process). The wired telegraph was by then already strung across continents for point-to-point use. Within six years an Italian inventor named Guglielmo Marconi started playing with the radio wave itself and discovered he could free the telegraph signal from its wire and send it through the air. The “Father of Radio” quickly took his demonstration from a range of about two miles to communicating across the English Channel and, eventually, the Atlantic Ocean itself.

While World War II saw the United States using radio waves for data transmission, a first of its kind at that time, the wireless data networks of the modern age sprang out of speculation after the war that radio waves could be used for something bigger. In 1971, Norman Abramson and a group of researchers at the University of Hawaii started looking for an answer to a big question in radio transmission: Could you use a radio transmission to communicate data between multiple nodes while providing an orderly means for the nodes to take turns when sending data? Data seemed easy enough, relatively speaking, but if several nodes have data to send at the same time, how would they take turns and avoid a bunch of garbled mess on the receiving end?

Thus was born ALOHAnet, the very first packet-switched, random-access network in history, with or without wires, I might add. ALOHAnet originally consisted of seven computers and became the first WLAN (wireless LAN) the world had ever seen. Humble and small in origin, after connecting to ARPANET in 1972, ALOHAnet heralded a new horizon in networking, and has definitively changed the world.

So the next time somebody visits your home and asks, “Hey man, what's your Wi-Fi password?”, hand them a lei and tell them 'A'ole pilikia. After all, if you're going to be nice enough to share, you may as well say “You're welcome” in the language of wireless.

STUDY TIPS Questions regarding wireless technology range from the simplistic all the way to the inane minutiae that drive test takers crazy.

You'll see questions focused on encryption protocols, SSIDs, and architecture that will seem pretty straightforward, followed immediately by weird questions on encoding methods, channel interference, and things of that nature. Be sure you know the tools used in hacking wireless backward and forward, in particular the aircrack-ng suite, as you will no doubt see screenshots of it and be asked to explain its use.

QUESTIONS

1. Which of the following is a true statement?

A. Kismet can be installed on Windows, but not on Linux.

B. NetStumbler can be installed on Linux, but not on Windows.

C. Kismet cannot monitor traffic on 802.11n networks.

D. NetStumbler cannot monitor traffic on 802.11n networks.

2. Which of the following use a 48-bit initialization vector? (Choose all that apply.)

A. WEP

B. WPA

C. WPA2

D. WEP2

3. Which of the following are true statements? (Choose all that apply.)

A. WEP uses shared-key encryption with TKIP.

B. WEP uses shared-key encryption with RC4.

C. WPA2 uses shared-key encryption with RC4.

D. WPA uses TKIP and AES encryption.

4. Which of the following would you recommend as a means to deny network access by unauthorized wireless devices to network assets?

A. Wireless access control list

B. Wireless jammer

C. Wireless analyzer

D. Wireless access point

5. While on vacation, Joe receives a phone call from his identity alert service notifying him that two of his accounts have been accessed in the past hour. Earlier in the day, he did connect a laptop to a wireless hotspot at McDonald's and accessed the two accounts in question. Which of the following is the most likely attack used against Joe?

A. Unauthorized association

B. Honeyspot access point

C. Rogue access point

D. Jamming signal

6. An attacker is attempting to crack a WEP code to gain access to the network. After enabling monitor mode on wlan0 and creating a monitoring interface (mon0), she types this command:

aireplay-ng -0 0 -a 0A:00:2B:40:70:80 mon0

What is she trying to accomplish?

A. To gain access to the WEP access code by examining the response to deauthentication packets, which contain the WEP code

B. To use deauthentication packets to generate lots of network traffic

C. To determine the BSSID of the access point

D. To discover the cloaked SSID of the network

7. Which wireless standard works at 54 Mbps on a frequency range of 2.4 GHz?

A. 802.11a

B. 802.11b

C. 802.11g

D. 802.11n

8. The team has discovered an access point configured with WEP encryption. What is needed to perform a fake authentication to the AP in an effort to crack WEP? (Choose all that apply.)

A. A captured authentication packet

B. The IP address of the AP

C. The MAC address of the AP

D. The SSID

9. Which of the tools listed here is a passive discovery tool?

A. Aircrack

B. Kismet

C. NetStumbler

D. Netsniff

10. You have discovered an access point using WEP for encryption purposes. Which of the following is the best choice for uncovering the network key?

A. NetStumbler

B. Aircrack

C. John the Ripper

D. Kismet

11. Which of the following statements are true regarding TKIP? (Choose all that apply.)

A. Temporal Key Integrity Protocol forces a key change every 10,000 packets.

B. Temporal Key Integrity Protocol ensures keys do not change during a session.

C. Temporal Key Integrity Protocol is an integral part of WEP.

D. Temporal Key Integrity Protocol is an integral part of WPA.

12. Regarding SSIDs, which of the following are true statements? (Choose all that apply.)

A. SSIDs are always 32 characters in length.

B. SSIDs can be up to 32 characters in length.

C. Turning off broadcasting prevents discovery of the SSID.

D. SSIDs are part of every packet header from the AP.

E. SSIDs provide important security for the network.

F. Multiple SSIDs are needed to move between APs within an ESS.

13. You are discussing WEP cracking with a junior pen test team member. Which of the following are true statements regarding the initialization vectors? (Choose all that apply.)

A. IVs are 32 bits in length.

B. IVs are 24 bits in length.

C. IVs get reused frequently.

D. IVs are sent in clear text.

E. IVs are encrypted during transmission.

F. IVs are used once per encryption session.

14. A pen test member has configured a wireless access point with the same SSID as the target organization's SSID and has set it up inside a closet in the building. After some time, clients begin connecting to his access point. Which of the following statements are true regarding this attack? (Choose all that apply.)

A. The rogue access point may be discovered by security personnel using NetStumbler.

B. The rogue access point may be discovered by security personnel using NetSurveyor.

C. The rogue access point may be discovered by security personnel using Kismet.

D. The rogue access point may be discovered by security personnel using Aircrack.

E. The rogue access point may be discovered by security personnel using ToneLoc.

15. A pen test member is running the Airsnarf tool from a Linux laptop. What is she attempting?

A. MAC flooding against an AP on the network

B. Denial-of-service attacks against APs on the network

C. Cracking network encryption codes from the WEP AP

D. Stealing usernames and passwords from an AP

16. What is the integrity check mechanism for WPA2?

A. CBC-MAC

B. CCMP

C. RC4

D. TKIP

17. Which of the following is a true statement regarding wireless security?

A. WPA2 is a better encryption choice than WEP.

B. WEP is a better encryption choice than WPA2.

C. By cloaking the SSID and implementing MAC filtering, you can eliminate the need for encryption.

D. Increasing the length of the SSID to its maximum increases security for the system.

18. A pen test colleague is attempting to use a wireless connection inside the target's building. On his Linux laptop he types the following commands:

ifconfig wlan0 down
ifconfig wlan0 hw ether 0A:0B:0C:1A:1B:1C
ifconfig wlan0 up

What is the most likely reason for this action?

A. Port security is enabled on the access point.

B. The SSID is cloaked from the access point.

C. MAC filtering is enabled on the access point.

D. Weak signaling is frustrating connectivity to the access point.

19. An attacker successfully configured and set up a rogue wireless AP inside his target. As individuals connected to various areas, he performed a MITM attack and injected a malicious applet in some of the HTTP connections. This rerouted user requests for certain pages to pages controlled by the attacker. Which of the following tools was most likely used by the attacker to inject the HTML code?

A. Aircrack-ng

B. KISMET

C. Ettercap

D. Honeypot

20. Which of the following is the best choice in searching for and locating rogue access points?

A. WIPS

B. Dipole antenna

C. WACL

D. HIDS

QUICK ANSWER KEY

1. D

2. B, C

3. B, D

4. A

5. B

6. B

7. C

8. C, D

9. B

10. B

11. A, D

12. B, D

13. B, C, D

14. A, B, C

15. D

16. A

17. A

18. C

19. C

20. A

ANSWERS

1. Which of the following is a true statement?

A. Kismet can be installed on Windows, but not on Linux.

B. NetStumbler can be installed on Linux, but not on Windows.

C. Kismet cannot monitor traffic on 802.11n networks.

D. NetStumbler cannot monitor traffic on 802.11n networks.

D. Not only is this question overly confusing and very tool specific, it's pretty much exactly the type of question you'll see on your exam. Kismet and NetStumbler are both wireless monitoring tools with detection and sniffing capabilities. NetStumbler is Windows specific, whereas Kismet can be installed on virtually anything. Both do a fine job of discovering 802.11a, b, and g networks, but NetStumbler (last updated in 2004) can't handle 802.11n. Kismet can even be used as an IDS for your wireless network!

One last fun fact to know in relation to this question: Kismet does a better job of pulling management packets. A lot of wireless cards (and their drivers) on Windows systems don't support monitor mode and have a difficult time pulling management and control packets, which is why NetStumbler relies on active probing instead.

A, B, and C are incorrect statements. Kismet can be installed on anything, NetStumbler is Windows specific and not available on Linux, and Kismet can monitor 802.11n networks.

2. Which of the following use a 48-bit initialization vector? (Choose all that apply.)

A. WEP

B. WPA

C. WPA2

D. WEP2

B, C. One of the improvements from WEP to WPA involved extending the initialization vector (IV) from 24 bits to 48 bits. An IV is a per-packet value that is combined with the shared key before it goes into the cipher (RC4 for WEP and for WPA's TKIP, AES for WPA2's CCMP) so that the same key does not produce the same keystream for every frame. It travels in the clear, and it is separate from the integrity check value (ICV, a CRC-32 in WEP) that is computed over the data and appended to the end of the payload. Because the length of the IV determines how many distinct keystreams one key can produce before an IV repeats, doubling it to 48 bits increased overall security. By itself, this didn't answer all security problems: a longer IV only means it takes longer to capture enough packets for a statistical attack on RC4. However, combined with the other steps (per-packet key mixing, a sequence counter that rejects replayed IVs, and a real message integrity check), it did provide for better security.

A is incorrect because WEP uses a 24-bit IV. In WEP, this means there are only 2^24, roughly 16 million, possible IV values. Although this may seem like a large number, it's really not: on a busy network IVs start repeating within hours, and a determined attacker who injects traffic can collect enough IVs to recover the key in minutes.

D is incorrect because there is no such thingas WEP2.

3. Which of the following are true statements? (Choose all that apply.)

A. WEP uses shared-key encryption with TKIP.

B. WEP uses shared-key encryption with RC4.

C. WPA2 uses shared-key encryption with RC4.

D. WPA uses TKIP and AES encryption.

B, D. WEP uses a 24-bit initialization vector and RC4 to “encrypt” data transmissions, although saying that makes me shake in disgust because it's really a misnomer. WEP was designed as basic encryption merely to simulate the “security” of being on a wired network, hence the “Equivalent” part in Wired Equivalent Privacy. It was never intended as true encryption protection. WPA was an improvement on two fronts. First, the shared-key portion of encryption was greatly enhanced by the use of Temporal Key Integrity Protocol (TKIP). In short, the key used to encrypt data was made temporary in nature and is swapped out every 10,000 packets or so. Second, WPA allowed AES-CCMP to be used in place of TKIP on hardware that supported it, and WPA2 went on to make that NIST-approved AES encryption mandatory.

A is incorrect because WEP does not use TKIP. Along with the same key being used to encrypt and decrypt (shared key), the WEP key is never changed and remains in use throughout the communication process, which is part of the reason it's so easy to crack.

C is incorrect because WPA2 does not use RC4 as an encryption algorithm.
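To make the IV and RC4 discussion in questions 2 and 3 concrete, the following Python (an added example, not code from the book or from the aircrack-ng project) implements RC4 and the WEP frame layout with a constructed 40-bit key, then shows what a reused 24-bit IV leaks and how many frames a 24-bit versus a 48-bit IV can carry before the birthday bound makes a repeat likely. It simulates the encryption only and never touches a wireless interface.

```python
import math
import zlib


def rc4(key, data):
    """Plain RC4 (key scheduling plus keystream generation). The same call
    encrypts and decrypts because it is just an XOR with the keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key, iv, plaintext, key_id=0):
    """WEP frame body: 3-byte IV in the clear, key-id byte, then RC4(IV||key)
    applied to plaintext||ICV, where the ICV is CRC-32 of the plaintext."""
    assert len(iv) == 3
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + bytes([key_id]) + rc4(iv + shared_key, plaintext + icv)


def wep_decrypt(shared_key, frame):
    """Return (plaintext, icv_ok). The IV is read straight off the frame."""
    iv, body = frame[:3], frame[4:]
    clear = rc4(iv + shared_key, body)
    plaintext, icv = clear[:-4], clear[-4:]
    return plaintext, zlib.crc32(plaintext).to_bytes(4, "little") == icv


def keystream_reuse_leak(frame_a, frame_b):
    """Two frames with the same IV (and an unchanged key) share a keystream, so
    XORing the ciphertexts gives the XOR of the plaintexts without the key.
    Returns None when the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 4
    return bytes(x ^ y for x, y in zip(frame_a[4:4 + n], frame_b[4:4 + n]))


def frames_until_iv_collision(iv_bits, probability=0.5):
    """Birthday bound: frames sent before some IV repeats with the given
    probability, assuming random IVs (drivers that count from 0 collide sooner)."""
    return math.ceil(math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - probability))))


def demo():
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    iv = b"\x10\x20\x30"                   # one IV value, reused on purpose
    p1 = b"GET /index.html HTTP/1.0"       # a plaintext the attacker can guess
    p2 = b"POST /login.php HTTP/1.0"       # the one the attacker wants
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    leak = keystream_reuse_leak(f1, f2)
    recovered = bytes(a ^ b for a, b in zip(leak[: len(p1)], p1))
    return recovered, frames_until_iv_collision(24), frames_until_iv_collision(48)


if __name__ == "__main__":
    recovered, n24, n48 = demo()
    print("plaintext recovered from IV reuse:", recovered)
    print("frames to a 50% IV collision: 24-bit", n24, "/ 48-bit", n48)
```

With a 24-bit IV the bound lands below five thousand frames, which a busy AP sends in seconds; the real WEP break (FMS/KoreK/PTW) is a statistical attack on RC4's first keystream bytes rather than a search for collisions, but the leak shown here is why IV reuse alone is already fatal. TKIP's 48-bit value is also a strict sequence counter, so a repeat is rejected rather than merely improbable.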

4. Which of the following would you recommend as a means to deny network access by unauthorized wireless devices to network assets?

A. Wireless access control list

B. Wireless jammer

C. Wireless analyzer

D. Wireless access point

A. Of the choices provided, the access list is the only one that makes sense. It's exactly what an access list is designed for: by making sure only devices that are authorized can connect, you ensure unauthorized devices cannot connect (or at least take steps to avoid their connection). Bear in mind that a wireless ACL keyed on MAC addresses is a speed bump rather than a wall, since an attacker who sniffs an authorized address can simply adopt it (see question 18). As a side note here, be careful not to confuse a wireless intrusion prevention system (WIPS) with the ACL. A WIPS will monitor your traffic and, just like the better-known network intrusion prevention system, will take steps to prevent intrusion based on traffic analysis, thresholds, and alerts. Lastly, on questions like this, the process of elimination can help you discern the answer pretty easily.

B is incorrect for what should be obvious reasons. Yes, you would prevent unauthorized connections, but you'd also prevent all connections, even those from authorized devices. If that's the case, why have wireless turned on at all? Now, I can hear some of you screaming that jamming could be used in restricted geographical spaces to control access, but trust me, EC-Council sees jammers as an attack tool knocking everything off. You're better off seeing it the same way for your exam.

C is incorrect because an analyzer doesn't affect access one way or another.

D is incorrect because that's not the intent of a WAP. Sure, you can configure certain things on the device (like, dare I say, an ACL), but the device itself is designed as the access point.

5. While on vacation, Joe receives a phone call from his identity alert service notifying him that two of his accounts have been accessed in the past hour. Earlier in the day, he did connect a laptop to a wireless hotspot at McDonald's and accessed the two accounts in question. Which of the following is the most likely attack used against Joe?

A. Unauthorized association

B. Honeyspot access point

C. Rogue access point

D. Jamming signal

B. Sometimes EC-Council creates and uses redundant terminology, so don't blame me for this insanely annoying jewel. In this case, Joe most likely connected to what he thought was the legitimate McDonald's free Wi-Fi while he was getting his morning coffee and checked the accounts in question. However, an attacker in (or close to) the restaurant had set up another wireless network using the same SSID as the restaurant's. This practice is known as the honeyspot attack.

A is incorrect because the unauthorized association attack exploits so-called soft access points: embedded wireless LAN radios in some mobile devices that can be launched inadvertently and used by the attacker for access to the enterprise network.

C is incorrect, but just barely so. The whole idea of a honeyspot attack is predicated on the idea that the attacker has some kind of rogue access point set up to trick people into connecting. However, this is a case of one answer being more correct than the other. Honeyspot attacks are explicitly called out as a separate type of rogue attack by EC-Council, so you'll need to remember it that way.

D is incorrect because a jamming attack seeks to DoS the entire signal, not necessarily to steal anything from it.

6. An attacker is attempting to crack a WEP code to gain access to the network. After enabling monitor mode on wlan0 and creating a monitoring interface (mon0), she types this command:

aireplay-ng -0 0 -a 0A:00:2B:40:70:80 mon0

What is she trying to accomplish?

A. To gain access to the WEP access code by examining the response to deauthentication packets, which contain the WEP code

B. To use deauthentication packets to generate lots of network traffic

C. To determine the BSSID of the access point

D. To discover the cloaked SSID of the network

B. Within 802.11 standards, there are several different management-type frames in use: everything from a beacon and association request to something called (and I'm not making this up) a probe request. One of these management frames is a deauthentication frame, which basically kicks a client off the network. The client then has to reconnect, and will do so quickly. The -0 0 switch tells aireplay-ng to send deauthentication frames without limit (a count of 0 means forever) on behalf of the AP named by -a; adding -c <client MAC> would target a single station instead of broadcasting to all of them. The idea behind this kind of activity is to generate lots of traffic to capture in order to discern the WEP access code: every client trying to reassociate sends fresh frames, and the ARP requests that fly around as hosts rebuild their ARP caches after being knocked off the network are especially useful because they are short and have a predictable layout. Remember that the initialization vectors within WEP are relatively short (24 bits) and are reused frequently, so any attempt to crack the key requires tens of thousands of packets (the PTW attack in aircrack-ng typically needs roughly 40,000 to 85,000 unique IVs for a 104-bit key). You can certainly gather these over time, but generating traffic accomplishes it much faster. One final note on this must be brought up: this type of attack is, for as long as it runs, a denial of service against the hosts and the AP in question, so be careful.

A is incorrect because the response to a deauth packet does not contain the WEP access code in the clear. If it did, the attacker wouldn't need to bother with all this traffic generation in the first place; one simple packet would be enough to crack all security.

C is incorrect because the basic service set identifier (BSSID) is the MAC address of the AP. It's usually easy enough to gain from any number of methods (using airodump-ng, for instance) and isn't a reason for sending multiple deauth frames. Note that it is the SSID, not the BSSID, that can be hidden (referred to as cloaking); the BSSID appears in every frame the AP sends. Even for a cloaked network, airmon-ng and airodump-ng will show the SSID as soon as a client associates.

D is incorrect because even if an SSID is “cloaked,” that doesn't mean it's actually hidden; all it means is that it is left out of the AP's beacons. The SSID still travels in the clear in probe responses and in every client's probe and association requests, so discovering it is easy enough: capture one client joining (or, after a deauth, rejoining) the network and airodump-ng fills it in.
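What aireplay-ng -0 actually puts on the air is a 26-byte management frame. The following Python, added as an example (not code from the book or from aircrack-ng), builds a deauthentication frame for the BSSID in the question, parses it back, and counts frames per spoofed transmitter, which is the simplest WIDS-style detection for a deauth flood. The duration value and the alert threshold are assumptions; nothing is transmitted.

```python
import struct

DEAUTH_SUBTYPE = 12               # management frame (type 0), subtype 1100b
REASON_CLASS3_NONASSOC = 7        # "class 3 frame received from nonassociated STA"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return b"".join(int(x, 16).to_bytes(1, "big") for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_deauth(bssid, client=BROADCAST, seq=0, reason=REASON_CLASS3_NONASSOC):
    """Assemble the frame 'aireplay-ng -0' emits: frame control (type 0,
    subtype 12), duration, addr1 = receiver (client or broadcast), addr2 =
    transmitter (the spoofed AP), addr3 = BSSID, sequence control, then the
    2-byte reason code. The FCS is not included; the driver appends it."""
    frame_control = DEAUTH_SUBTYPE << 4        # protocol version 0, type 0
    duration = 0x013A                          # assumed value, as many tools use
    header = struct.pack("<HH", frame_control, duration)
    header += mac_bytes(client) + mac_bytes(bssid) + mac_bytes(bssid)
    header += struct.pack("<H", (seq & 0x0FFF) << 4)   # fragment number 0
    return header + struct.pack("<H", reason)


def parse_deauth(frame):
    """Decode a management frame and return its fields; raise ValueError when
    it is not a deauthentication frame."""
    fc, _duration = struct.unpack("<HH", frame[:4])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != DEAUTH_SUBTYPE:
        raise ValueError("not a deauthentication frame")
    seq_ctl, reason = struct.unpack("<HH", frame[22:26])
    return {
        "receiver": mac_str(frame[4:10]),
        "transmitter": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": seq_ctl >> 4,
        "reason": reason,
    }


def deauth_flood_alert(frames, threshold=10):
    """Count deauth frames per transmitter address; a burst from one BSSID is
    the signature of 'aireplay-ng -0 0' (0 = keep sending). Returns the
    transmitters at or over the threshold (an assumed value for the demo)."""
    counts = {}
    for f in frames:
        try:
            d = parse_deauth(f)
        except ValueError:
            continue
        counts[d["transmitter"]] = counts.get(d["transmitter"], 0) + 1
    return {mac: n for mac, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    flood = [build_deauth("0A:00:2B:40:70:80", seq=i) for i in range(12)]
    print(parse_deauth(flood[0]))
    print("alert:", deauth_flood_alert(flood))
```

The frame carries no authentication at all, which is the whole reason the attack works; 802.11w (protected management frames) adds a MIC to deauthentication and disassociation frames so a station can discard forged ones, and a WIPS keyed on bursts like the count above is the detection-side complement where PMF is not deployed.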

7. Which wireless standard works at 54 Mbps on a frequency range of 2.4 GHz?

A. 802.11a

B. 802.11b

C. 802.11g

D. 802.11n

C. The 802.11 series of standards identifies a variety of wireless issues, such as the order imposed on how clients communicate, rules for authentication, data transfer, size of packets, how the messages are encoded into the signal, and so on. 802.11g combines the advantages of both the “a” and “b” standards without as many of the drawbacks. It's fast (at 54 Mbps), is backward compatible with 802.11b clients, and doesn't suffer from the coverage area restrictions 802.11a has to contend with. Considering it operates in the 2.4 GHz range, however, there may be some interference issues to deal with. Not only is a plethora of competing networks blasting their signals (sometimes on the same channel) near and around your network, but you also have to consider Bluetooth devices, cordless phones, and even baby monitors that may cause disruption (due to interference) of wireless signals. And microwave ovens happen to run at 2.45 GHz, right smack dab in the middle of the range.

A is incorrect because 802.11a operates at 54 Mbps but uses the 5 GHz frequency range. The big drawback to 802.11a was the frequency range itself: because of the higher frequency, network range was limited. Whereas 802.11b clients could be spread across a relatively large distance, 802.11a clients could communicate much faster but had to be closer together. Combined with the increased cost of equipment, this contributed to 802.11a not being fully accepted as a de facto standard. That said, for security purposes, it may not be a bad choice. Not as many people use it, or even look for it, and its smaller range may work to assist you in preventing spillage outside your building. Lastly, it's not necessarily the higher frequency itself that causes the distance limitation; instead, it's how common building materials and propagation issues interact with it. It's overly complicated, but if you are of a mind to do so and have some time to kill, you'll find this topic fascinating to read about.

B is incorrect because 802.11b operates at 11 Mbps on the 2.4 GHz frequency range. It's slower than “a” and “g,” but soon after its release it became the de facto standard for wireless. Price and network range contributed to this.

D is incorrect because 802.11n operates in either the 2.4 GHz or the 5 GHz band and delivers well over 100 Mbps (up to 600 Mbps in theory). It achieves this rate using multiple-input, multiple-output (MIMO) antennas.

8. The team has discovered an access point configured with WEP encryption. What is needed to perform a fake authentication to the AP in an effort to crack WEP? (Choose all that apply.)

A. A captured authentication packet

B. The IP address of the AP


C. The MAC address of the AP

D. The SSID

C, D. Cracking WEP generally comes down to capturing a whole bunch of packets and running a little math magic to crack the key. If you want to generate traffic by sending fake authentication packets to the AP, you need the AP’s MAC address and the SSID to make the attempt.

A and B are incorrect because this information is not needed for a fake authentication packet. Sure, you can capture and replay an entire authentication packet, but it won’t do much good, and the IP is not needed at all.

9. Which of the tools listed here is a passive discovery tool?

A. Aircrack

B. Kismet

C. NetStumbler

D. Netsniff

B. A question like this one can be a little tricky, depending on its wording; however, per the EC-Council, Kismet works as a true passive network discovery tool, with no packet interjection whatsoever. The following is from www.kismetwireless.net: “Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and (with appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also supports plugins which allow sniffing other media.” You might also see two other interesting notables about Kismet on your exam: First, it works by channel hopping, attempting to discover as many networks as possible. Second, it has the ability to sniff packets and save them to a log file, readable by Wireshark or tcpdump.

A is incorrect because Aircrack is “an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack” (www.aircrack-ng.org).

C is incorrect because NetStumbler is considered an active network discovery application. NetStumbler is among the most popular wireless tools you might see in anyone’s arsenal.

D is incorrect because Netsniff is included as a distractor and is not a valid tool.

10. You have discovered an access point using WEP for encryption purposes. Which of the following is the best choice for uncovering the network key?

A. NetStumbler

B. Aircrack

C. John the Ripper

D. Kismet

B. Aircrack is a fast tool for cracking WEP. You’ll need to gather a lot of packets (assuming you’ve collected at least 50,000 packets or so, it’ll work swimmingly fast) using another toolset, but once you have them together, Aircrack does a wonderful job cracking the key. One method Aircrack uses that you may see referenced on the exam is KoreK implementation, which basically involves slicing bits out of packets and replacing them with guesses—the more this is done, the better the guessing and, eventually, the faster the key is recovered. Other tools for cracking WEP include Cain (which can also use KoreK), KisMac, WEPCrack, and Elcomsoft’s Wireless Security Auditor tool.

A is incorrect because NetStumbler is a network discovery tool. It can also be used to identify rogue access points and interference and is also useful in measuring signal strength (for aiming antennas and such).

C is incorrect because John the Ripper is a Linux-based password-cracking tool, not a wireless key discovery one.

D is incorrect because Kismet is a passive network discovery (and other auditing) tool but does not perform key cracking.

11. Which of the following statements are true regarding TKIP? (Choose all that apply.)

A. Temporal Key Integrity Protocol forces a key change every 10,000 packets.

B. Temporal Key Integrity Protocol ensures keys do not change during a session.

C. Temporal Key Integrity Protocol is an integral part of WEP.

D. Temporal Key Integrity Protocol is an integral part of WPA.


A, D. TKIP is a significant step forward in wireless security. Instead of sticking with one key throughout a session with a client and reusing it, as occurred in WEP, Temporal Key Integrity Protocol changes the key out every 10,000 packets or so. Additionally, the keys are transferred back and forth during an Extensible Authentication Protocol (EAP) authentication session, which makes use of a four-step handshake process in proving the client belongs to the AP, and vice versa. TKIP came about in WPA.

B and C are simply incorrect statements. TKIP does not maintain a single key (it changes the key frequently), and it is part of WPA (and WPA2), not WEP.

12. Regarding SSIDs, which of the following are true statements? (Choose all that apply.)

A. SSIDs are always 32 characters in length.

B. SSIDs can be up to 32 characters in length.

C. Turning off broadcasting prevents discovery of the SSID.

D. SSIDs are part of every packet header from the AP.

E. SSIDs provide important security for the network.


F. Multiple SSIDs are needed to move between APs within an ESS.

B, D. Service set identifiers have only one real function in life, so far as you’re concerned on this exam: identification. They are not a security feature in any way, shape, or form, and they are designed solely to identify one access point’s network from another’s—which is part of the reason they’re carried in all packets. SSIDs can be up to 32 characters in length but don’t have to be that long (in fact, you’ll probably discover most of them are not).

A is incorrect because SSIDs do not have to be 32 characters in length. They can be, but they do not have to fill 32 characters of space.

C is incorrect because “cloaking” the SSID really doesn’t do much at all. It’s still part of every packet header, so discovery is relatively easy.

E is incorrect because SSIDs are not considered a security feature for wireless networks.

F is incorrect because an extended service set (ESS, an enterprise-wide wireless network consisting of multiple APs) requires only a single SSID that all APs work with.

13. You are discussing WEP cracking with a junior pen test team member. Which of the following are true statements regarding the initialization vectors? (Choose all that apply.)

A. IVs are 32 bits in length.

B. IVs are 24 bits in length.

C. IVs get reused frequently.

D. IVs are sent in clear text.

E. IVs are encrypted during transmission.

F. IVs are used once per encryption session.

B, C, D. Weak initialization vectors and poor encryption are part of the reason WEP implementation is not encouraged as a true security measure on wireless networks. And, let’s be fair here, it was never truly designed to be, which is why it’s named Wired Equivalent Privacy instead of Wireless Encryption Protocol (as some have erroneously tried to name it). IVs are 24 bits in length, are sent in clear text, and are reused a lot. Capture enough packets, and you can easily crack the code.

A, E, and F are incorrect statements. IVs are not 32 bits in length, are not encrypted themselves, and are definitely not used once per session (that would be even worse than being reused).

14. A pen test member has configured a wireless access point with the same SSID as the target organization’s SSID and has set it up inside a closet in the building. After some time, clients begin connecting to his access point. Which of the following statements are true regarding this attack? (Choose all that apply.)

A. The rogue access point may be discovered by security personnel using NetStumbler.

B. The rogue access point may be discovered by security personnel using NetSurveyor.

C. The rogue access point may be discovered by security personnel using Kismet.

D. The rogue access point may be discovered by security personnel using Aircrack.

E. The rogue access point may be discovered by security personnel using ToneLoc.

A, B, C. Rogue access points (sometimes called evil twin attacks) can provide an easy way to gain useful information from clueless users on a target network. However, be forewarned: security personnel can use multiple tools and techniques to discover rogue APs. NetStumbler is one of the more popular, and useful, tools available. It’s a great network discovery tool that can also be used to identify rogue access points, network interference, and signal strength. Kismet, another popular tool, provides many of the same features and is noted as a “passive” network discovery tool. NetSurveyor is a free, easy-to-use Windows-based tool that provides many of the same features as NetStumbler and Kismet and works with virtually every wireless NIC in modern existence. A “professional” version of NetSurveyor is now available (you get ten uses of it before you’re required to buy a license). Lastly, identifying a rogue access point requires the security staff to have knowledge of every access point owned—and its MAC. If it’s known there are ten APs in the network and suddenly an 11th appears, that alone won’t help find and disable the bad one. It takes some level of organization to find these things, and that plays into your hands as an ethical hacker. The longer your evil twin is left sitting there, the better chance it will be found, so keep it short and sweet.

D is incorrect because Aircrack is used to crack network encryption codes, not to identify rogue access points.

E is incorrect because ToneLoc is a tool used for war dialing (identifying open modems within a block of phone numbers). As an aside, this was also the moniker for a 1980s two-hit-wonder rapper, although I can promise that won’t be on your exam.
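The inventory check the answer describes (the security staff knows every owned AP and its MAC, so an unlisted BSSID advertising the corporate SSID stands out) is worked through below as an added Go example; it is not code from the book or from any of the tools it names. The inventory, the scan observations and the severity labels are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Observation is one beacon or probe response as a scanner such as Kismet or
// NetStumbler would record it: the advertised SSID, the AP's MAC (BSSID) and channel.
type Observation struct {
	SSID    string
	BSSID   string
	Channel int
}

// Finding is one access point the inventory check could not account for.
type Finding struct {
	BSSID    string
	SSID     string
	Severity string // "high" for a likely evil twin or BSSID mismatch, "info" for an unknown AP
	Reason   string
}

// Constructed inventory of owned APs, keyed by BSSID (hypothetical values).
var sampleInventory = map[string]string{
	"00:11:22:33:44:01": "CorpNet",
	"00:11:22:33:44:02": "CorpNet",
	"00:11:22:33:44:03": "CorpGuest",
}

// Constructed scan results: the three owned APs, an evil twin of CorpNet seen
// twice, a neighbouring network, and an owned BSSID later advertising the wrong SSID.
var sampleScan = []Observation{
	{SSID: "CorpNet", BSSID: "00:11:22:33:44:01", Channel: 1},
	{SSID: "CorpNet", BSSID: "00:11:22:33:44:02", Channel: 6},
	{SSID: "CorpGuest", BSSID: "00:11:22:33:44:03", Channel: 11},
	{SSID: "CorpNet", BSSID: "DE:AD:BE:EF:00:01", Channel: 6},
	{SSID: "CorpNet", BSSID: "DE:AD:BE:EF:00:01", Channel: 6},
	{SSID: "CoffeeShop", BSSID: "aa:bb:cc:dd:ee:ff", Channel: 11},
	{SSID: "CorpNet", BSSID: "00:11:22:33:44:03", Channel: 11},
}

func normalizeMAC(mac string) string {
	return strings.ToLower(strings.TrimSpace(mac))
}

// detectRogueAPs compares what was seen on the air against the inventory.
// An owned BSSID advertising its inventoried SSID is fine; everything else is
// reported once per BSSID, ordered by BSSID so the output is stable.
func detectRogueAPs(inventory map[string]string, seen []Observation) []Finding {
	owned := make(map[string]string, len(inventory))
	corpSSIDs := make(map[string]bool)
	for mac, ssid := range inventory {
		owned[normalizeMAC(mac)] = ssid
		corpSSIDs[ssid] = true
	}

	byBSSID := make(map[string]Finding)
	for _, o := range seen {
		mac := normalizeMAC(o.BSSID)
		if _, dup := byBSSID[mac]; dup {
			continue // this BSSID has already been reported
		}
		expected, known := owned[mac]
		var f Finding
		switch {
		case known && o.SSID == expected:
			continue // authorized AP behaving as inventoried
		case known:
			f = Finding{BSSID: mac, SSID: o.SSID, Severity: "high",
				Reason: fmt.Sprintf("owned BSSID advertising %q instead of inventoried %q", o.SSID, expected)}
		case corpSSIDs[o.SSID]:
			f = Finding{BSSID: mac, SSID: o.SSID, Severity: "high",
				Reason: fmt.Sprintf("corporate SSID %q from a BSSID not in inventory (possible evil twin) on channel %d", o.SSID, o.Channel)}
		default:
			f = Finding{BSSID: mac, SSID: o.SSID, Severity: "info",
				Reason: "SSID is not ours and BSSID is not in inventory; confirm it is a neighbour"}
		}
		byBSSID[mac] = f
	}

	out := make([]Finding, 0, len(byBSSID))
	for _, f := range byBSSID {
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].BSSID < out[j].BSSID })
	return out
}

func main() {
	for _, f := range detectRogueAPs(sampleInventory, sampleScan) {
		fmt.Printf("[%s] %s (%s): %s\n", f.Severity, f.BSSID, f.SSID, f.Reason)
	}
}
```

Feeding real scanner output into `sampleScan` only requires mapping each record to an `Observation`; the inventory is the part that has to be maintained by hand.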

15. A pen test member is running the Airsnarf tool from a Linux laptop. What is she attempting?

A. MAC flooding against an AP on the network

B. Denial-of-service attacks against APs on the network

C. Cracking network encryption codes from the WEP AP

D. Stealing usernames and passwords from an AP

D. Identifying tools and what they do is a big part of the exam—which is easy enough because it’s pure memorization, and this is a prime example. Per the tool’s website (http://airsnarf.shmoo.com/), “Airsnarf is a simple rogue wireless access point setup utility designed to demonstrate how a rogue AP can steal usernames and passwords from public wireless hotspots. Airsnarf was developed and released to demonstrate an inherent vulnerability of public 802.11b hotspots—snarfing usernames and passwords by confusing users with DNS and HTTP redirects from a competing AP.” It basically turns your laptop into a competing AP in the local area and confuses client requests into being sent your way.

A is incorrect because Airsnarf does not provide MAC flooding. You may want to MAC flood a network switch for easier sniffing, but that doesn’t work the same way for an access point on a wireless network.

B is incorrect because Airsnarf is not a DoS tool. You can make an argument the clients themselves are denied service while they’re erroneously communicating with the Airsnarf laptop, but it’s not the intent of the application to perform a DoS attack on the network. Quite the opposite: the longer things stay up and running, the more usernames and passwords that can be gathered.

C is incorrect because Airsnarf is not an encryption-cracking tool. It reads a lot like “Aircrack,” so don’t get confused (these will be used as distractors for one another on your exam).

16. What is the integrity check mechanism for WPA2?

A. CBC-MAC

B. CCMP

C. RC4

D. TKIP

A. If you’ve not done your reading and study, this one could be quite tricky. WPA2 uses CCMP as its encryption protocol, and CCMP uses CBC-MAC for authentication and integrity. Counter Mode CBC-MAC Protocol is an encryption protocol specifically designed for 802.11i wireless networking. As for how it exactly provides for integrity, the true technobabble answer is very long and confusing, but the short of it is this: the message is encrypted with a block cipher, and the encryption of each block in the chain is dependent on the encryption value of the block in front of it. In other words, if block 2 is altered in any way, then decryption of blocks 3, 4, and so on, becomes impossible. One final note on CCMP for your study and memorization: CCMP is based on AES processing and uses a 128-bit key and a 128-bit block size, and ECC sometimes refers to it as AES-CCMP.

B is incorrect because CCMP is the encryption protocol that makes use of CBC-MAC.

C is incorrect because RC4 is an encryption algorithm used by WEP.

D is incorrect because Temporal Key Integrity Protocol is used in WPA.
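The chaining the answer describes, as an added Go example that is not from the book: a CBC-MAC over AES with the 128-bit key and 128-bit block size the answer cites, where each block's output feeds the next, so a receiver that recomputes the tag rejects a message whose second block was altered. It is a simplified raw CBC-MAC, not CCMP's full MIC construction (which also covers a nonce, the length and the frame header); the key and message are constructed, and the 8-byte truncation mirrors the 64-bit MIC length CCMP uses.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed sample key and message for the demonstration (not from the book).
var (
	sampleKey = []byte("0123456789abcdef") // 16 bytes = AES-128 key
	// 64 bytes = exactly four 16-byte AES blocks.
	sampleMsg = []byte("block-1-block-1-block-2-block-2-block-3-block-3-block-4-block-4-")
)

// cbcChain returns the chaining state after each block: entry i is the
// CBC-MAC value over blocks 0..i, and the last entry is the full tag.
// Every state is the AES encryption of (previous state XOR current block),
// which is the dependency on "the block in front of it" the answer refers to.
func cbcChain(key, msg []byte) ([][]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := c.BlockSize()
	if len(msg) == 0 || len(msg)%bs != 0 {
		return nil, errors.New("message must be a non-empty multiple of the block size")
	}
	state := make([]byte, bs) // all-zero IV, as in raw CBC-MAC
	var chain [][]byte
	for off := 0; off < len(msg); off += bs {
		for j := 0; j < bs; j++ {
			state[j] ^= msg[off+j] // fold the plaintext block into the running state
		}
		c.Encrypt(state, state) // in-place AES; the output is the next chaining state
		chain = append(chain, append([]byte(nil), state...))
	}
	return chain, nil
}

// cbcMACTag returns the CBC-MAC truncated to tagLen bytes (8 mirrors CCMP's
// 64-bit MIC; 16 keeps the whole AES block).
func cbcMACTag(key, msg []byte, tagLen int) ([]byte, error) {
	chain, err := cbcChain(key, msg)
	if err != nil {
		return nil, err
	}
	full := chain[len(chain)-1]
	if tagLen < 1 || tagLen > len(full) {
		return nil, errors.New("invalid tag length")
	}
	return full[:tagLen], nil
}

// verifyTag is the receiver side: recompute the tag over the received
// message and compare in constant time so timing does not leak a match.
func verifyTag(key, msg, tag []byte) bool {
	got, err := cbcMACTag(key, msg, len(tag))
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(got, tag) == 1
}

// firstDivergence reports the index of the first chaining state that differs
// between two equal-length messages, or -1 if none does. Because AES is a
// permutation, once one state differs every later state differs too.
func firstDivergence(key, a, b []byte) int {
	ca, errA := cbcChain(key, a)
	cb, errB := cbcChain(key, b)
	if errA != nil || errB != nil || len(ca) != len(cb) {
		return -1
	}
	for i := range ca {
		if !bytes.Equal(ca[i], cb[i]) {
			return i
		}
	}
	return -1
}

func main() {
	mic, _ := cbcMACTag(sampleKey, sampleMsg, 8)
	fmt.Printf("8-byte MIC: %x\n", mic)
	tampered := append([]byte(nil), sampleMsg...)
	tampered[16] ^= 0x01 // flip one bit in block 2 (index 1)
	fmt.Println("original verifies:", verifyTag(sampleKey, sampleMsg, mic))
	fmt.Println("tampered verifies:", verifyTag(sampleKey, tampered, mic))
	fmt.Println("first chaining state that differs:", firstDivergence(sampleKey, sampleMsg, tampered))
}
```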

17. Which of the following is a true statement regarding wireless security?

A. WPA2 is a better encryption choice than WEP.

B. WEP is a better encryption choice than WPA2.

C. By cloaking the SSID and implementing MAC filtering, you can eliminate the need for encryption.

D. Increasing the length of the SSID to its maximum increases security for the system.

A. WPA2 is, by far, a better security choice for your system. It makes use of TKIP, changing out the keys every 10,000 packets instead of using one for the entire session (as in WEP). Additionally, WPA2 uses AES for encryption and a 128-bit encryption key, as opposed to RC4 and 24-bit IVs in WEP.

B is incorrect because WEP only provides the equivalent privacy of being on a wired network. Its “encryption” is ridiculously easy to crack and is not considered a valid security measure. It’s perfectly reasonable to use it if your goal is just to frustrate casual surfers from connecting to your network (such as your neighbors), but it’s not a valid encryption method.

C is incorrect because these two options do nothing to protect the actual data being transmitted. SSID cloaking is somewhat pointless, given that SSIDs are included in every header of every packet (not to mention that SSIDs aren’t designed for security). MAC filtering will frustrate casual observers; however, spoofing a MAC address on the network is relatively easy and eliminates this as a foolproof security method.

D is incorrect because the length of an SSID has nothing whatsoever to do with security and encryption. Increasing the length of the SSID does not increase network security.

18. A pen test colleague is attempting to use a wireless connection inside the target’s building. On his Linux laptop he types the following commands:

ifconfig wlan0 down

ifconfig wlan0 hw ether 0A:0B:0C:1A:1B:1C

ifconfig wlan0 up

What is the most likely reason for this action?

A. Port security is enabled on the access point.

B. The SSID is cloaked from the access point.

C. MAC filtering is enabled on the access point.

D. Weak signaling is frustrating connectivity to the access point.

C. The sequence of the preceding commands has the attacker bringing the wireless interface down, changing its hardware address, and then bringing it back up. The most likely reason for this is MAC filtering is enabled on the AP, which is restricting access to only those machines the administrator wants connecting to the wireless network. The easy way around this is to watch traffic and copy one of the MAC addresses. With a quick spoof on your own hardware, you’re connected. As an aside, MAC spoofing isn’t just for the wireless world. The command would be slightly different (wlan0 refers to a wireless NIC; eth0 would be an example of a wired port), but the idea is the same.

A is incorrect because port security isn’t an option on wireless access points. Were this attacker connecting to a switch, this might be valid, but not on a wireless connection.

B is incorrect because SSID cloaking has nothing to do with this scenario. The commands are adjusting a MAC address.

D is incorrect because weak signal strength has nothing to do with this scenario. The commands are adjusting a MAC address.

19. An attacker successfully configured and set up a rogue wireless AP inside his target. As individuals connected to various areas, he performed a MITM attack and injected a malicious applet in some of the HTTP connections. This rerouted user requests for certain pages to pages controlled by the attacker. Which of the following tools was most likely used by the attacker to inject the HTML code?

A. Aircrack-ng


B. KISMET

C. Ettercap

D. Honeypot

C. Go ahead, get it out of your system. I know you’re sitting there screaming, “What does Ettercap and MITM have to do with wireless?” That’s precisely why this question is here. You’ll see this technique employed within the exam in multiple facets. See, by starting out highlighting the attacker’s use of the evil twin attack, you get lulled into thinking this is a wireless issue. In reality, the question has nothing to do with the wireless aspect; instead, the MITM portion is what really matters. So while you were ready to pounce on a wireless tool, and aircrack-ng really jumped out at you, the MITM attack tool—Ettercap—was really where your attention should’ve been.

A and B are incorrect for the same reason—they’re wireless tools with specific functions within wireless, but they’re not MITM tools.

D is incorrect because a honeypot has absolutely nothing to do with this scenario.

20. Which of the following is the best choice in searching for and locating rogue access points?

A. WIPS

B. Dipole antenna

C. WACL

D. HIDS

A. Of the choices provided, the wireless intrusion prevention system is the best choice. A WIPS is a network device that, among other things, monitors wireless traffic for the presence of unauthorized access points and then takes countermeasures against them.

B is incorrect because the type of antenna used has nothing to do with this scenario.

C is incorrect because a wireless access control list will help control access to the network but doesn’t go out and search for anything.

D is incorrect because it’s not the purpose of a host-based intrusion detection system to search for rogue wireless access points.


CHAPTER 8 Mobile Communications and the IoT

This chapter includes questions from the following topics:

• Describe mobile platform attacks
• Identify Mobile Device Management
• Identify mobile platforms vulnerabilities and attack vectors
• Identify IoT security threats and attacks
• List IoT security and hacking tools
• List IoT hacking methodology

I grew up in a time when television had only three channels, the music industry was all up in arms because of the new technology allowing anyone to tape their own music (cassette tapes), and if you needed to talk to someone about something, you had to either meet them face to face or call them on their one and only home phone (and hope they were there). Oh, sure, the ultra-rich had phones built into their limos (not really much more than glorified CB radio devices actually), but the idea of a cell phone didn’t really hit the public consciousness until sometime in the early 1980s. In fact, the first real foray into the technology came in 1973, when a Motorola researcher created something called a “mobile phone.” The handset came in at a stealthy 8 by 5 inches, weighing approximately 2½ pounds, and offered a whopping 30 minutes of talk time.

After a decade or so of further research and attempts at bringing the technology to market, the first analog cellular network (Advanced Mobile Phone Service [AMPS]) hit the United States, and a company called DynaTAC released a device that has been ridiculed in technology circles for decades now—the bag phone. Despite the weight and bulkiness of the system, and the fact that it provided only a half hour of talk time while taking nearly 10 hours to charge, demand for the thing was incredible, and people signed up on waiting lists by the thousands.

I remember quite clearly how jealous I felt seeing people driving around with those ultra-cool giant-battery phones that they could use anywhere. I even looked into buying one and can remember the first time I slung that big old bag over my head to rest the strap on my shoulder so I could heft the cord-connected handset and dial home. Looking back, it seems really silly, but that strong desire by the consumer population fueled an explosion in mobile device technology that changed the world. See, once folks figured there was money to be made in them thar wireless hills, mobile phone research and technology hit a fever pitch that continues to this day. However, not all virtual eyes remained solely on the humble phone. Suddenly all that groovy stuff we saw on Star Trek seemed not only possible, but probable.

In 1989 John Romkey, developer of the first TCP/IP stack for the IBM PC back in 1983, was asked to wow the crowd at that year’s INTEROP conference. As well known and respected as he was, the scope of topics was almost unending, and Dan Lynch, president of INTEROP, surely expected something mind blowing. So, Romkey created a toaster that could be turned on and off via the Internet. Yes. You read that right. A toaster you could connect to your network.

It was unheard of—connecting an appliance to a network? Impossible, and definitely not what networking was designed for. The very idea seemed almost sacrilegious...until it worked. The stainless-steel beauty—a Sunbeam Deluxe Automatic Radiant Control Toaster—indeed connected to the Internet, and an SNMP MIB was created to turn it on and off. It was the star attraction of the conference, and by all accounts the very first thing on the Internet of Things (IoT). And wow did it kick off a future no one could have imagined.

The IoT is here to stay, and it’s growing exponentially every single minute of every single day. The sheer number of devices that touch our networks now is mind boggling, and I nearly go catatonic at the thought of trying to secure the whole thing. Our wireless technologies and appliances are now as much part of life as the light switch on the wall—we wouldn’t know what to do without them, and we all just expect it all to work. Hence the problem.

I’ve said repeatedly that almost every technological implementation designed to make our lives easier and better can be, and usually has already been, corrupted by the bad guys, and mobile communication and the IoT are no exceptions. Wireless networks are everywhere, broadcasting information across the air that anyone can pick up, and we’re adding everything from toasters to light bulbs to them by the day. Cellular devices are called smartphones, even though the users of the devices aren’t, and mobile malware is as common and ubiquitous as teenagers texting during family dinner. And the opportunity for co-opting wireless signals that control everything else, such as your car’s built-in computer functions, your refrigerator, and maybe the turbine control at the local power plant? Let’s just say that while all this mobile technology is really cool and offers us a lot of benefits, we better all pay attention to the security side of the whole thing. I don’t want to face a board of directors for my company and have to explain how my systems and networks were secure, but the Internet-enabled soap dispenser in the bathroom was the key to our downfall.

STUDY TIPS Depending on the pool of test questions the system pulls for your exam, you’ll either grow to love the test you’re taking or hate it with a fiery passion. Questions on mobile platforms are usually fairly easy and shouldn’t bother you too much. Except for the ones that aren’t—those will drive you insane.

Whereas EC-Council once seemed to focus on WEP, SSIDs, and weird questions on encoding methods, channel interference, and things of that nature, now they’re much more focused on the mobile world. Yes, you will still see questions on wireless networking basics—tools used in hacking wireless, encryption standards, and so on—but be prepared to see much more of a mobile-device-centric layout now. Make sure you know Bluetooth well, and check out any and all mobile device tools you can find—there will likely be a couple off-the-wall mobile tool questions along the way, and I can’t possibly put them all in here. Mobile Device Management (MDM), BYOD, rooting, and jailbreaking are all topics you’ll need to read up on and know well.

As for IoT questions, again, it all depends on the pool of test questions you pull. It’s a new chapter, and if history is to be studied here, ECC will have loads of new questions to validate over several months. The good news is, most of the IoT material is actually information you already know. The hacking methodology, for instance, is the same. DDoS means the same thing here as it does everywhere else, and countermeasures for this attack are nearly identical to those you already know. Put a little time in memorizing basic details of communication models and a few tools, and you’ll be fine.


QUESTIONS

1. A company hires you as part of its security team. The company is implementing new policies and procedures regarding mobile devices in the network. Which of the following would not be a recommended practice?

A. Create a BYOD policy and ensure all employees are educated about and made aware of it.

B. Whitelist applications and ensure all employees are educated about and made aware of them.

C. Allow jailbroken and rooted devices on the network, as long as employees have signed the policy.

D. Implement MDM.

2. Which of the following tools would be used in a blackjacking attack?

A. Aircrack

B. BBCrack

C. BBProxy

D. Paros Proxy

3. Which of the following tools is a vulnerability scanner for Android devices?


A. X-ray

B. evasi0n7

C. Pangu

D. DroidSheep Guard

4. Which type of jailbreaking allows user-level access but does not allow iBoot-level access?

A. iBoot

B. Bootrom

C. userland

D. iRoot

5. Jack receives a text message on his phone advising him of a major attack at his bank. The message includes a link to check his accounts. After he clicks the link, an attacker takes control of his accounts in the background. Which of the following attacks is Jack facing?

A. Phishing

B. Smishing

C. Vishing

D. App sandboxing

6. Which of the following allows an Android user to attain privileged control of the device?

A. DroidSheep

B. SuperOneClick


C. Faceniff

D. ZitMo

7. An individual attempts to make a call using his cell phone; however, it seems unresponsive. After a few minutes of effort, he turns it off and turns it on again. During his next phone call, the phone disconnects and becomes unresponsive again. Which Bluetooth attack is underway?

A. Bluesmacking

B. Bluejacking

C. Bluesniffing

D. Bluesnarfing

8. Which of the following is a pairing mode in Bluetooth that rejects every pairing request?

A. Non-pairing

B. Non-discoverable

C. Promiscuous

D. Bluejack

9. An attacker is using Shodan to search for devices on a target. She types the following as the search string: webcam geo:“-85.97,31.81”. Which of the following correctly describes this action?

A. The search string syntax is incorrect.

B. The attacker is searching for webcams with serial numbers starting between 3181 and 8597.

C. The attacker is searching for webcam manufacturers starting with “geo.”

D. The attacker is searching for webcams in the geographic location -31.80, 85.95 (longitude and latitude).

10. Which of the following is the most popular short-range communication technology for IoT devices?

A. RFID

B. Zigbee

C. QR codes

D. LiFi

11. Within IoT architecture, which of the following carries out message routing and identification?

A. Edge Technology layer

B. Access Gateway layer

C. Internet layer

D. Middleware layer

12. A homeowner accesses an app on his cell phone to set up a view list on his television. Which IoT communication model is in play here?

A. Device-to-Gateway

B. Back-End Data-Sharing


C. Device-to-Cloud

D. Device-to-Device

13. In this attack on VANET, vehicles appear to be in multiple places at once, causing congestion and severely impairing the use of data. Which of the following best describes this attack?

A. Rolling code

B. BlueBorne

C. Side channel

D. Sybil

14. Of the tools listed, which is the best choice for quickly discovering IP addresses of IoT devices on your network?

A. IoTInspector

B. MultiPing

C. Z-Wave Sniffer

D. beSTORM

15. In October of 2016, a DDoS attack involving millions of IoT devices caused a disruption of service to large numbers of users in North America and Europe. Which of the following malware was used in the attack?

A. WannaCry

B. Cryptolocker


C. Locky

D. Mirai

16. Which of the following are valid countermeasures in the prevention of IoT hacking? (Choose all that apply.)

A. Disable guest and demo accounts.

B. Enable lockout features for excessive login attempts.

C. Disable telnet.

D. Implement patch management and ensure device firmware is up to date.

17. Within the Attify Zigbee Framework, which of the following is used to discover target devices within range?

A. zbstumbler

B. zbdump

C. zbreplay

D. zbassoc/flood

18. Which of the following is an advanced hardware- and software-designed radio used for security testing in IoT?

A. Fluke

B. Raspberry Pi

C. HackRF One


D. Alfa AWUS036NH


QUICK ANSWER KEY

1. C

2. C

3. A

4. C

5. B

6. B

7. A

8. A

9. D

10. B

11. B

12. A

13. D

14. B

15. D

16. A, B, C, D

17. A

18. C


ANSWERS

1. A company hires you as part of its security team. The company is implementing new policies and procedures regarding mobile devices in the network. Which of the following would not be a recommended practice?

A. Create a BYOD policy and ensure all employees are educated about and made aware of it.

B. Whitelist applications and ensure all employees are educated about and made aware of them.

C. Allow jailbroken and rooted devices on the network, as long as employees have signed the policy.

D. Implement MDM.

C. Bring Your Own Device (BYOD) and Mobile Device Management (MDM) are becoming more and more of a headache for security administrators. BYOD is the idea that employees can bring their own smartphones, tablets, and mobile devices to the workplace and use them as part of the enterprise network. Mobile Device Management (often implemented with the use of a third-party product containing management features for mobile device vendors) is an effort to administrate and secure mobile device use within the organization.

Obviously having mobile devices roaming in and out of a network can cause a variety of security issues, and there are lots of commonsense steps that can be taken. Allowing rooted and jailbroken devices—essentially devices that could have any number of installed (knowingly or not) issues on them—is not among the good steps to take.

A, B, and D are incorrect choices because these are all good ideas regarding mobile device use and management. Other good ideas include ensuring all devices have a screen lockout code enabled, using encryption (in transit and for data-at-rest concerns), making sure there are clear delineations between business and personal data, implementing antivirus, and making sure the OS and patching are up to date.

2. Which of the following tools would be used in a blackjacking attack?

A. Aircrack

B. BBCrack


C. BBProxy

D. Paros Proxy

C. This is another tool-specific question, but one that should be relatively easy. Blackjacking and BBProxy were exposed at Defcon several years ago, so this isn’t anything new in terms of an attack. In short, a Blackberry device is, in effect, part of the internal network, and configuring an attack properly on the handset may provide access to resources on the internal network. BBProxy is used in part of this attack, and you can see the whole thing pulled off at the following link from the original presentation in 2006:

www.praetoriang.net/presentations/blackjack.html

A, B, and D are incorrect because these tools aren’t used in blackjacking attempts. Aircrack is used in wireless network encryption cracking, and Paros is a proxy service, but neither is used in blackjacking. BBCrack doesn’t exist.

3. Which of the following tools is a vulnerability scanner for Android devices?

A. X-ray


B. evasi0n7

C. Pangu

D. DroidSheep Guard

A. Mobile tools will pop up all over the place on your exam, so do your best to get as much exposure to as many of them as possible. X-ray is an Android vulnerability scanner explicitly called out by EC-Council. It searches out unpatched vulnerabilities and automatically updates for new vulnerability signatures as they are discovered.

B and C are incorrect because both are jailbreaking applications for iOS devices.

D is incorrect because DroidSheep Guard is a tool that monitors the ARP table on your phone, alerting on suspicious entries and disabling shady Wi-Fi connections.

4. Which type of jailbreaking allows user-level access but does not allow iBoot-level access?

A. iBoot

B. Bootrom

C. userland

D. iRoot

C. I don’t own an iPhone, iPod, or iAnything, and have no desire to. However, since iOS is one of the most popular mobile device operating systems, I have to have at least some working knowledge of it. And you do, too, if you want to be a CEH. Jailbreaking an iPhone is the process of removing the software restrictions imposed by Apple so you can install a modified set of kernel patches, thereby allowing you to run whatever software or updates you want. EC-Council lists three main methods of jailbreaking, two of which (iBoot and Bootrom) allow something called iBoot access. iBoot access basically refers to the ability to affect the firmware itself.

Userland is a term referring to the software running on the iOS device after the kernel has loaded. Therefore, a userland jailbreak, being entirely software based, can be patched by Apple after the effort. Userland jailbreaks include JailbreakMe Star, Saffron, Spirit, Absinthe, evasi0n, and Pangu.

A and B are incorrect because both jailbreaking efforts allow iBoot access. In other words, each method allows for boot chain-of-trust and firmware update.


D is incorrect because this is not a type of jailbreaking.

5. Jack receives a text message on his phone advising him of a major attack at his bank. The message includes a link to check his accounts. After he clicks the link, an attacker takes control of his accounts in the background. Which of the following attacks is Jack facing?

A. Phishing

B. Smishing

C. Vishing

D. App sandboxing

B. Smishing is the term given to a mobile device attack whereby an attacker sends an SMS text message to a target with an embedded link. If the user clicks the malicious link, the attacker gains valuable information and control. These attacks are successful for largely the same reasons phishing is so effective in the e-mail world—people just click through sometimes without pausing to think about it. Users who would otherwise ignore an e-mail with a link in it from an unknown (or even known) source sometimes don’t think twice when the link is in a text message.


A is incorrect because the term phishing refers to e-mail messaging and works in much the same way as smishing.

C is incorrect because vishing is a term referring to the use of phone calls and voice messaging to carry out an attack.

D is incorrect because app sandboxing is not an attack on its own: it’s a security measure designed to limit resources an application can access on a mobile device.

6. Which of the following allows an Android user to attain privileged control of the device?

A. DroidSheep

B. SuperOneClick

C. Faceniff

D. ZitMo

B. Rooting of an Android device is the same idea as jailbreaking an iOS one: allowing the user total control over the device to add applications, modify system files and actions, and (in some cases and usually risking security to do so) improve performance. Rooting can be done in a variety of methods, but some tools you can use are SuperOneClick, Superboot, One Click Root, and Kingo. In SuperOneClick, you simply connect the phone to a system over USB (ensuring it’s in charge mode only), enable USB Debugging, and run the application.

A is incorrect because DroidSheep is a tool used for session hijacking on Android devices. It can extract session IDs and sidejack on WEP, WPA, and WPA2 networks.

C is incorrect because Faceniff is a sniffer for Android, designed to sniff and intercept web profiles.

D is incorrect because ZitMo (Zeus-in-the-Mobile) is a banking Trojan. ZitMo can even enable bot-like command and control for attackers over the infected device.

7. An individual attempts to make a call using his cell phone; however, it seems unresponsive. After a few minutes of effort, he turns it off and turns it on again. During his next phone call, the phone disconnects and becomes unresponsive again. Which Bluetooth attack is underway?

A. Bluesmacking

B. Bluejacking

C. Bluesniffing

D. Bluesnarfing


A. From the description, it appears the phone is either defective or—since it’s spelled out so nicely in the question for you—there is a denial-of-service attack against the phone. Bluesmacking is a denial-of-service attack on a Bluetooth device. An attacker somewhere nearby (within ten meters or, for the real bad guys, farther away using a big enough transmitter, amplifier, and antenna) is using something like the Linux Bluez packages (www.bluez.org) to carry out a DoS against the phone.

B is incorrect because Bluejacking involves sending unsolicited messages—much like spam—to a Bluetooth device.

C is incorrect because Bluesniffing is a basic sniffing attempt, where the device’s transmissions are sniffed for useful information.

D is incorrect because Bluesnarfing refers to the actual theft of data directly from the device. This takes advantage of the “pairing” feature of most Bluetooth devices, willingly seeking out other devices to link up with.

8. Which of the following is a pairing mode in Bluetooth that rejects every pairing request?


A. Non-pairing

B. Non-discoverable

C. Promiscuous

D. Bluejack

A. When you get a simple question on the exam, celebrate. Bluetooth has two pairing modes and three discovery modes. Pairing—the decision to pair with another device requesting it—is either turned on (pairing mode, where every request is accepted) or off (non-pairing mode, where every request is rejected). Discovery—the decision to respond to search requests and let the inquiry know the device is live and available—can be fully on (discoverable mode, responding to everything from everyone), partially on (limited-discoverable mode, responding only during a short time span), or off altogether (non-discoverable mode, never answering an inquiry).

B is incorrect because non-discoverable is a discovery mode, not a pairing one.

C is incorrect because promiscuous has no meaning in this context.

D is incorrect because Bluejack refers to a Bluetooth attack where an attacker can leverage the target phone’s contacts, resulting in anonymous, unsolicited message transmission to targets.

9. An attacker is using Shodan to search for devices on a target. She types the following as the search string: webcam geo:“-85.97,31.81”. Which of the following correctly describes this action?

A. The search string syntax is incorrect.

B. The attacker is searching for webcams with serial numbers starting between 3181 and 8597.

C. The attacker is searching for webcam manufacturers starting with “geo.”

D. The attacker is searching for webcams in the geographic location -31.80, 85.95 (longitude and latitude).

D. While Google and other search engines index the web, Shodan (https://www.shodan.io) indexes everything connected to the Internet. It’s an incredible search engine tool for, well, everything. Want to find Samsung wearables in a specific city? Grab a model number and use the city: argument. How about IIS servers on a specific subnet? Try iis net:xxx.xxx.xxx.xxx/yy (where the x’s are your subnet and yy is your CIDR notation). If you want to get really specific on your location, you can use the geo: argument, along with latitude and longitude coordinates. The Shodan geo: argument actually accepts between two and four coordinate parameters. The example used two, showing a latitude/longitude pair. If the example used three coordinates, they would represent latitude, longitude, and range. Add a fourth argument, and you create a geographic box to search in: top-left latitude, top-left longitude, bottom-right latitude, bottom-right longitude.

A is incorrect because there’s nothing wrong with the syntax. As a matter of fact, Shodan will accept almost anything you type as a search string, which can sometimes get you some really weird responses.

B is incorrect because this syntax has nothing to do with serial numbers.

C is incorrect because this syntax has nothing to do with manufacturer names.
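The two-, three- and four-value geo: forms described in this answer, as an added Python example that is not code from the book or from Shodan: a small parser that classifies a search string’s geo: argument as a point, a point with range, or a bounding box, and rejects malformed ones. The regex, the class names and the validation rules are this example’s own; nothing here contacts Shodan.

```python
"""Interpret the geo: argument of a Shodan search string.

Added example, not code from the book or from Shodan itself. It models
only the structure the answer explanation describes: two values are a
latitude/longitude pair, three add a range, four describe a bounding
box (top-left latitude, top-left longitude, bottom-right latitude,
bottom-right longitude). Shodan's real query parser is not reproduced.
"""
import re
from dataclasses import dataclass
from typing import Optional, Union

# Straight and typographic double quotes; the book prints the query with
# typographic ones, so both are accepted around the value.
_QUOTES = '"\u201c\u201d'
GEO_RE = re.compile(rf'geo:\s*[{_QUOTES}]?([^{_QUOTES}\s]+)[{_QUOTES}]?')


@dataclass(frozen=True)
class GeoPoint:
    latitude: float
    longitude: float
    radius: Optional[float] = None  # the "range" of the 3-value form; unit not stated on the page


@dataclass(frozen=True)
class GeoBox:
    top_left_lat: float
    top_left_lon: float
    bottom_right_lat: float
    bottom_right_lon: float


def _check_coord(lat: float, lon: float) -> None:
    """Reject values outside the valid latitude/longitude ranges."""
    if not -90.0 <= lat <= 90.0:
        raise ValueError(f"latitude out of range: {lat}")
    if not -180.0 <= lon <= 180.0:
        raise ValueError(f"longitude out of range: {lon}")


def parse_geo(search: str) -> Union[GeoPoint, GeoBox, None]:
    """Return the geographic constraint in a search string, or None if absent.

    Raises ValueError for a malformed geo: argument (wrong value count,
    non-numeric values, or coordinates outside the valid ranges).
    """
    match = GEO_RE.search(search)
    if match is None:
        return None
    raw = match.group(1)
    try:
        values = [float(v) for v in raw.split(",")]
    except ValueError as exc:
        raise ValueError(f"non-numeric value in geo:{raw!r}") from exc

    if len(values) == 2:
        _check_coord(values[0], values[1])
        return GeoPoint(values[0], values[1])
    if len(values) == 3:
        _check_coord(values[0], values[1])
        if values[2] < 0:
            raise ValueError("range must not be negative")
        return GeoPoint(values[0], values[1], values[2])
    if len(values) == 4:
        _check_coord(values[0], values[1])
        _check_coord(values[2], values[3])
        return GeoBox(values[0], values[1], values[2], values[3])
    raise ValueError(f"geo: takes 2, 3 or 4 values, got {len(values)}")


def geo_is_valid(search: str) -> bool:
    """True when the search string has no geo: argument or a well-formed one."""
    try:
        parse_geo(search)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The query from question 9, with the typographic quotes as printed.
    print(parse_geo("webcam geo:\u201c-85.97,31.81\u201d"))
```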

10. Which of the following is the most popular short-range communication technology for IoT devices?

A. RFID


B. Zigbee

C. QR codes

D. LiFi

B. IoT devices make use of many wireless communications technologies, and some of them have fairly weird names. Zigbee (https://www.zigbee.org/what-is-zigbee/) is, according to EC-Council, the world’s most popular IoT device communication technology. As a result, you should know that it is based on the IEEE 802.15.4 standard, and you can use tools like KillerBee to attack devices using it. Yes, I know this is a weird thing to ask a question about. No, I didn’t do it because I’m a sadist. Know Zigbee. Learn it well. You’ll thank me later.

A, C, and D are all incorrect for the same reason—they’re not the most popular communication technology for IoT devices according to CEH material. But I thought I’d include some information on each of them for your study purposes, in case you see something weird on the exam about them.

RFID is probably the most familiar to everyone, as it has been around and in the public eye longer than most everything else. I mean, who hasn’t heard of an RFID-blocking wallet? QR codes are those scannable, readable tags that hold information about a device, product, or item. If you’ve flown anywhere lately, I’m sure you’ve seen folks using their phone as their boarding pass, scanning the QR code to go sit in a metal tube as soon as possible.

LiFi is possibly the weirdest item on this list, and one I had honestly never heard of until prepping for this edition. LiFi is sort of like Wi-Fi in the same sense that a Lamborghini is like a Chevy Uplander minivan. Sure, packets are encoded and used much the same way, but LiFi uses light from LED bulbs to get it done. Because it uses light, speeds are incredible—up to 224 Gbps—and the interference you deal with in wireless signal communications is nonexistent, but for now it’s simply in its infancy. That said, invest in LED bulbs for your home soon—LiFi may be your next big networking adventure.

11. Within IoT architecture, which of the following carries out message routing and identification?

A. Edge Technology layer

B. Access Gateway layer


C. Internet layer

D. Middleware layer

B. IoT architecture, laid out by EC-Council, includes the Edge Technology, Access Gateway, Internet, Middleware, and Application layers. Each of these has information worth remembering for your exam, and in this case we’re talking about the Access Gateway layer. Here, we find the gap between the device and the client, and the first data handling occurs in this layer. Message routing, identification, and subscribing occur here.

A, C, and D are all incorrect for the same reason—these layers provide different services than what is being asked about. The Edge Technology layer holds technologies like RFID tags and other readers that monitor, sense, and report on the environment. The main function of this layer is data collection and connection of devices within the network. The Internet layer is probably the one that tripped you up here, but there’s a very good explanation—or at least an explanation. The question is asking about IoT architecture, not what you know to be real-world networking.


In IoT architecture, the Internet layer is referred to as the crucial one, serving as the main component carrying out communication in each of the IoT data models. Lastly, the Middleware layer is exactly what it sounds like—the layer sitting in the middle, behaving as an interface for data and device management.

12. A homeowner accesses an app on his cell phone to set up a view list on his television. Which IoT communication model is in play here?

A. Device-to-Gateway

B. Back-End Data-Sharing

C. Device-to-Cloud

D. Device-to-Device

A. IoT communication models seem pretty straightforward, but there are some weird one-off comparisons here and there. In this case, the smartphone—more appropriately, the app on the smartphone used by the owner—acts as the gateway and the TV is the device. In Device-to-Gateway, the IoT device communicates with an intermediary—a gateway—which in turn communicates with the cloud service. As an aside, and a good study/memorization tip, the gateway is almost always an app on a smartphone.

B is incorrect because this does not describe the Back-End Data-Sharing communications model. Back-End Data Sharing extends the connectivity of the cloud (from the device or a gateway) to a third party.

C is incorrect because this does not describe Device-to-Cloud. IoT devices communicate directly with the cloud instead of with the client in this model. A prime example of this would be a security camera you access remotely. The camera, which is the IoT device, doesn’t communicate directly with you, the client. It instead uploads to the cloud and you interact there for the data—after inputting correct credentials, of course.

D is incorrect because this doesn’t describe Device-to-Device. Popular with wearables and smart home devices (light bulbs and thermostats come to mind), this communication model sees the IoT devices communicating directly with one another over Wi-Fi (or other technologies like Zigbee or Bluetooth).

13. In this attack on VANET, vehicles appear to be in multiple places at once, causing congestion and severely impairing the use of data. Which of the following best describes this attack?

A. Rolling code

B. BlueBorne

C. Side channel

D. Sybil

D. As with every other area in computing, IoT has loads of attacks and vulnerabilities to talk about. In this particular example, called the Sybil Attack, a thing (the vehicle or device) creates the illusion of another identity (in this example, being in more than one place at a time), causing congestion and the associated insanity that goes along with it. When it comes to VANET (vehicular ad-hoc network), this could be particularly dangerous. On a standard network, it can cause numerous DDoS problems.

A is incorrect because this does not describe the rolling code attack. In rolling code, the attacker jams the signal and then sniffs the code used to lock and unlock a vehicle.

B is incorrect because this does not describe the BlueBorne attack. BlueBorne refers to an effort that attacks nearby Bluetooth-enabled devices, which are then leveraged (using Bluetooth vulnerabilities) to launch further attacks.

C is incorrect because this does not describe the side channel attack. In a side channel attack, information on encryption keys is extracted from different IoT signal emissions.

14. Of the tools listed, which is the best choice for quickly discovering IP addresses of IoT devices on your network?

A. IoTInspector

B. MultiPing

C. Z-Wave Sniffer

D. beSTORM

B. Many of the tools you already know about will work just as well in IoT land, and MultiPing (https://www.multiping.com/) is a good example. MultiPing has been around for a while and is a quick-and-dirty way to quickly discover systems hanging out on your network. Even those pesky IoT devices can be found using it. Is MultiPing the absolute best way to discover your IoT devices? Probably not. Will it work quickly, as described in this question? Absolutely.


A and D are incorrect for the same reason—both of these are vulnerability scanners for IoT devices.

C is incorrect because Z-Wave Sniffer is a tool for sniffing IoT traffic.

15. In October of 2016, a DDoS attack involving millions of IoT devices caused a disruption of service to large numbers of users in North America and Europe. Which of the following malware was used in the attack?

A. WannaCry

B. Cryptolocker

C. Locky

D. Mirai

D. It’s hard to believe something as simple as a baby monitor can be leveraged as an attack platform, but in the fall of 2016 that’s exactly what happened. The Mirai malware, created to deliberately find IoT devices to infect, created a botnet of immense proportions. This was then leveraged in a series of distributed denial-of-service attacks against systems operated by the DNS provider Dyn (since acquired by Oracle). The attack caused major disruptions across North America and Europe and serves as a lasting reminder that security for IoT is sorely lacking.

A, B, and C are all incorrect because none of these had anything to do with the famous Dyn attack. WannaCry was a ransomware attack starting in May of 2017 that leveraged missing Microsoft patches as its vector. Both Cryptolocker and Locky were also ransomware attacks, in 2013 and 2016, respectively.

16. Which of the following are valid countermeasures in the prevention of IoT hacking? (Choose all that apply.)

A. Disable guest and demo accounts.

B. Enable lockout features for excessive login attempts.

C. Disable telnet.

D. Implement patch management and ensure device firmware is up to date.

A, B, C, D. I was going to say that securing IoT is the same as securing everything else, but that wouldn’t be wholly true. It’s not that the same countermeasures shouldn’t be used—of course the same basic-level approach applies across the board. Disabling unused services, ports, and built-in accounts, changing default passwords, enabling lockout mechanisms, and making sure your patch levels are current are all basic items of security note no matter what you’re talking about. It’s not the measures themselves that make securing IoT so difficult—the rub is keeping up with them.

As discussed in the companion book, CEH Certified Ethical Hacker All-in-One Exam Guide, Fourth Edition, IoT is expanding by the day, and a semi-secured network today might be blown wide open by the addition of someone’s BYOD Internet-enabled underwear tomorrow (don’t laugh, it’s actually a thing now). Countermeasures for securing IoT are the same as you’d see anywhere else, with a few additional CEH items thrown in for good measure (for example, ECC recommends you monitor port 48101 well, since IoT malware has been known to spread using it). Questions regarding this topic should be of the commonsense variety for you, so prepping for your exam in this arena is relatively easy. However, in the real world, vigilance—unending, tiring, monotonous, Sisyphus-level vigilance—is really going to be your only hope.
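Two of the countermeasures in this answer are concrete enough to monitor for: telnet should be disabled, and port 48101 is the one ECC says to watch. As an added example that is not from the book, the Python below scans connection-log lines and reports every IoT-segment host seen on either port, so a defender can spot a device that still has telnet reachable or has started talking on 48101. The key=value log format, the 10.20.0.0/24 IoT segment and the sample lines are all constructed for this example.

```python
"""Flag hosts in an IoT segment seen on telnet (TCP/23) or TCP/48101.

Added example, not from the book. Countermeasure C says to disable
telnet and the explanation says to monitor port 48101; this aggregates
watched-port connections per IoT host from connection-log lines. The
log format, the IoT segment and the sample lines are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Iterable, List, NamedTuple

# Ports the answer calls out: 23 is telnet (should be disabled),
# 48101 is the port EC-Council recommends monitoring.
WATCH_PORTS = {23: "telnet", 48101: "port 48101 (IoT malware spread)"}

# Constructed: the address range our IoT devices live in.
IOT_SEGMENT = ip_network("10.20.0.0/24")

# Constructed log format: timestamp then key=value pairs, one connection per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)


class Finding(NamedTuple):
    host: str        # the IoT-segment endpoint involved
    port: int
    direction: str   # "outbound": IoT host connecting out; "inbound": someone reaching it
    count: int


def _in_segment(addr: str) -> bool:
    """True when addr is an IP literal inside the IoT segment."""
    try:
        return ip_address(addr) in IOT_SEGMENT
    except ValueError:  # not an IP literal at all
        return False


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Aggregate watched-port TCP connections per IoT host.

    Malformed lines and non-TCP records are skipped. A connection that
    stays inside the segment yields a finding for each endpoint.
    """
    counts: Counter = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None or m.group("proto").lower() != "tcp":
            continue
        port = int(m.group("dport"))
        if port not in WATCH_PORTS:
            continue
        src, dst = m.group("src"), m.group("dst")
        if _in_segment(src):
            counts[(src, port, "outbound")] += 1
        if _in_segment(dst):
            counts[(dst, port, "inbound")] += 1
    return sorted(Finding(h, p, d, n) for (h, p, d), n in counts.items())


# Constructed sample: one device beaconing on 48101, one using telnet
# outbound, one still reachable over telnet, plus benign and garbage lines.
SAMPLE_LOG = """\
2016-10-21T12:00:01Z src=10.20.0.15 dst=203.0.113.9 proto=tcp dport=48101
2016-10-21T12:00:03Z src=10.20.0.15 dst=203.0.113.9 proto=tcp dport=48101
2016-10-21T12:00:05Z src=10.20.0.22 dst=192.0.2.7 proto=tcp dport=23
2016-10-21T12:00:07Z src=10.1.0.5 dst=10.20.0.31 proto=tcp dport=23
2016-10-21T12:00:09Z src=10.20.0.40 dst=192.0.2.53 proto=udp dport=53
2016-10-21T12:00:11Z src=10.20.0.40 dst=192.0.2.80 proto=tcp dport=443
this line is garbage and is skipped
"""

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"{f.host} {f.direction} {WATCH_PORTS[f.port]} x{f.count}")
```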


17. Within the Attify Zigbee Framework, which of the following is used to discover target devices within range?

A. zbstumbler

B. zbdump

C. zbreplay

D. zbassoc/flood

A. Let’s play a little Q&A game, shall we? I’ll introduce you to a collection of tools, presented by Attify in its Zigbee Framework, and then ask you to identify what each does without you ever seeing the tool, based solely on the knowledge you have from studying the rest of your CEH material. Ready? Here we go: Identify zbstumbler. Identify zbdump. Now identify zbreplay. See a pattern yet? These are all the same names and functions you’ve seen in other toolsets, except these start with zb. In this case, zbstumbler is a lot like NetStumbler, allowing you to ID devices within range.

Now before anyone gets all preachy on me, I am not advising you to ignore the framework and just memorize terms for an exam. Indeed, it’s quite the opposite—I want you to actually know how to use these tools, so when you pass your exam the certification will matter. Go grab the framework (https://github.com/attify/Attify-Zigbee-Framework) and practice. Find a light bulb in your house and attack it (you can watch someone do it here: https://www.youtube.com/watch?v=uivlSdqWS48). When you see identification questions like this on the exam, just use common sense.

B is incorrect because zbdump acts as the packet capture tool for the framework.

C is incorrect because zbreplay allows you to replay portions of a packet capture to force the device to do your bidding.

D is incorrect because zbassoc/flood is a DDoS function within the framework.

18. Which of the following is an advanced hardware- and software-designed radio used for security testing in IoT?

A. Fluke

B. Raspberry Pi

C. HackRF One

D. Alfa AWUS036NH


C. There are few certainties in life—the rising and setting of the sun every day, lovebugs making life miserable for a couple months each year in the South, and ever-increasing taxes on everything from income to gas. One you can add to your list is HackRF One being on your CEH exam. This handy little piece of hardware exploded onto the scene in a Kickstarter campaign in 2014. Its creator, Michael Ossmann, called it Project Jawbone back then, and its open source nature attracted a lot of attention. On the good side, information security folks saw a great tool to help in testing their wireless offerings. On the bad side, hackers immediately saw a quick and easy way to jam, disrupt, and hack IoT devices everywhere.

For just under $300, you too can own a HackRF One device (https://greatscottgadgets.com/hackrf/). According to the website, HackRF One was “designed to enable test and development of modern and next generation radio technologies...and is an open source hardware platform that can be used as a USB peripheral or programmed for stand-alone operation.” What’s really interesting (and quite humorous to me), however, is the very next statement: “HackRF One is test equipment for RF systems. It has not been tested for compliance with regulations governing transmission of radio signals. You are responsible for using your HackRF One legally.”

HackRF One is capable of receiving and transmitting on a frequency range of 1 MHz to 6 GHz, and it transmits and receives half-duplex. It has become a valuable and prized hacking tool due to its ease of use. Just be careful, though. Remember, you are responsible for its legal use.

A, B, and D are all incorrect because these hardware devices and terms do not match the capability noted in the question. Fluke is a manufacturer that creates, among other things, spectrum analyzers and packet capturing/analysis devices. Raspberry Pi is a small, single-board computer system designed to teach programming and computer science concepts. The Alfa AWUS036NH is a small, powerful antenna used in wireless hacking.


CHAPTER 9 Security in Cloud Computing

This chapter includes questions from the following topics:

• Identify cloud computing concepts

• Understand basic elements of cloud security

• Identify cloud security tools

A few years back my television exploded. Not like in a fiery, Michael Bay–type movie scene explosion (although that would have provided a great story and been much more entertaining than the show I was watching), but in a soft whimper of electronic death. I was immediately filled with two separate but equally strong emotional sentiments. First, that I was going to be out a lot of cash and would have a lot of hassle ahead of me. The second, though, was much more exhilarating: I was going to get to buy a new television.

Have you ever seen a perpetually tired, beaten-down parent get to go to an electronics store to actually buy something? It’s like watching a teenage rock fan stepping behind the curtain for backstage access. No minivans, no diapers, no recitals—nothing but pure, unadulterated fun. I couldn’t wait. When I got to the store, the sales staff must have immediately recognized the glow of purchase-ready rapture on my face, because they descended upon me in droves. I was advised about pixels, hues, sound digitalization efforts, something called “true” black, white balance, and refresh rate. Before I knew what was happening, I was standing in front of a $3000 TV that looked so clear and large I could just step into it. It was beyond HD, crystal clear, and according to the salesman not only “smart” but also capable of 3D! For a brief moment, my eyes glazed over and I thought, “Yeah, this makes sense!”

Thankfully my phone rang and woke me from my hypnotic stance. Did I need a TV that big? Where would I even put it? And what 3D programming is actually available to see in the first place? I stepped aside, cleared my head…and wound up buying a smart-enabled, 3D TV. Not because I even had any idea what the technology was, but I knew it was cool and brand new. And I wanted it.

Cloud computing isn’t anywhere near as exciting as televisions (have you seen the QLED screens available now?), but it is simultaneously a big draw to those searching for enterprise growth and largely misunderstood by a lot of people. EC-Council added a brand-new chapter on the subject in their official courseware in its previous version (9) and seemed to put a lot of focus on it. In this particular version, cloud is still important, and an area of study focus for you, but it appears to my reading it simply isn’t as focused a topic as it was before. This chapter captures the exam information you’ll need to know regarding cloud computing and security.

STUDY TIPS EC-Council tends to focus on lists, categories, and in-the-weeds specificity in other topics, and cloud computing is no different. Know the types and deployment models very well, and completely memorize NIST’s reference architecture on cloud. Most of the attacks and threats in cloud computing are similar to everything else, but a couple are very specific, and those will likely find their way onto your exam. Lastly, there aren’t a whole lot of cloud-specific tools to know, but you will definitely need to be familiar with them.


QUESTIONS

1. Which of the following statements is true regarding cloud computing?

A. In IaaS, applications, data, middleware, virtualization, and servers are part of the service provision.

B. In PaaS, applications, data, middleware, virtualization, and servers are part of the service provision.

C. In SaaS, applications, data, middleware, virtualization, and servers are part of the service provision.

D. None of the above.

2. Which of the following is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services?

A. NIST Cloud Architecture

B. FedRAMP

C. PCI-DSS Cloud Special Interest Group

D. Cloud Security Alliance

3. A business owner is advised that inventory, storage, sales, and backup online services can be provided less expensively and more securely via a cloud service. After investigating the options, the business owner determines the best cloud service provider for his needs also happens to be the provider for several of his competitors. Should he decide to engage the same provider, which cloud service deployment model will be used?

A. Private

B. IaaS

C. Community

D. Public

4. In “NIST Cloud Computing Reference Architecture,” which of the following is the intermediary for providing connectivity between the cloud and the subscriber?

A. Cloud provider

B. Cloud carrier

C. Cloud broker

D. Cloud auditor

5. A company relies on a private cloud solution for most of its internal computing needs. After expanding into more online retailing, it relies on a portion of a public cloud for external sales and e-commerce offerings. Which of the following best describes the cloud deployment type in use?

A. Private

B. Public

C. Hybrid

D. Community

6. Cloud computing would be best suited for which of the following businesses?

A. A medical practice

B. An established rural general sales store

C. A law enforcement agency

D. A Christmas supply store

7. A software company has decided to build and test web applications in a cloud computing environment. Which of the following cloud computing types best describes this effort?

A. IaaS

B. PaaS

C. SaaS

D. Community

8. Which of the following statements is not true?

A. Private cloud is operated solely for a single organization.

B. Public cloud makes use of virtualized servers.

C. Public cloud is operated over an intranet.


D. Private cloud makes use of virtualized servers.

9. A company relies solely on Google Docs, Google Sheets, and other cloud-based provisions for its office documentation software needs. Which of the following cloud computing types best describes this?

A. SaaS

B. PaaS

C. IaaS

D. Public

10. A subscriber purchases machine virtualization and hosting through Amazon EC2. Which of the following cloud computing types does this describe?

A. IaaS

B. PaaS

C. SaaS

D. Hybrid

11. Cloud computing faces many of the same security concerns as traditional network implementations. Which of the following are considered threats to cloud computing?

A. Data breach or loss

B. Abuse of services


C. Insecure interfaces

D. Shared technology issues

E. All of the above

12. Which of the following attacks occurs during the translation of SOAP messages?

A. Wrapping attack

B. Cross-guest VM

C. Side channel

D. Session riding

13. Which of the following is an architectural pattern in computer software design in which application components provide services to other components via a communications protocol, typically over a network?

A. API

B. SOA

C. EC2

D. IaaS

14. In “NIST Cloud Computing Reference Architecture,” which entity manages cloud services and maintains the relationship between cloud providers and subscribers?

A. Cloud broker

B. Cloud auditor


C. Cloud carrier

D. Cloud consumer

15. Which of the following is not a benefit of virtualization?

A. It allows for more efficient backup, data protection, and disaster recovery.

B. It reduces system administration work.

C. It improves operational efficiency.

D. It locks individual hardware to each individual virtual machine.

16. A company acquires a cloud environment for much of its business IT needs. The environment is used and operated solely for the single organization. Which of the following represents the cloud deployment model in question?

A. Public

B. IaaS

C. Sole-source

D. Private

17. Which of the following statements is true regarding cloud computing?

A. Security in the cloud is the responsibility of the provider only.

B. Security in the cloud is the responsibility of the consumer only.

C. Security in the cloud is the responsibility of both the consumer and the provider.

D. None of the above.

18. Which tool offers penetration-test-like services for Amazon EC2 customers?

A. CloudPassage Halo

B. Core Cloud

C. CloudInspect

D. Panda Cloud Office Protection

19. An attacker sets up a VM on the same physical cloud host as the target’s VM. He then takes advantage of the shared physical resources to steal data. Which of the following describes this attack?

A. Side channel

B. VM flood

C. Session riding

D. Cybersquatting

20. In the trusted computing model, what is a set of functions called that’s always trusted by the computer’s operating system?

A. SOA

B. RoT

C. TCG


D. VM


QUICK ANSWER KEY

1. C

2. B

3. C

4. B

5. C

6. D

7. B

8. C

9. A

10. A

11. E

12. A

13. B

14. A

15. D

16. D

17. C

18. C

19. A


20. B


ANSWERS

1. Which of the following statements is true regarding cloud computing?

A. In IaaS, applications, data, middleware, virtualization, and servers are part of the service provision.

B. In PaaS, applications, data, middleware, virtualization, and servers are part of the service provision.

C. In SaaS, applications, data, middleware, virtualization, and servers are part of the service provision.

D. None of the above.

C. So there are several things EC-Council is very concerned that you know regarding cloud computing, but two in particular are right at the top of the list. The concepts of separation of duties and separation of responsibility—both of which are key aims and benefits of cloud computing—keep popping up over and over again in study materials and will be key to your success. Separation of duties is a provision of all cloud computing types, but only one of the three takes care of everything. In Software as a Service (SaaS), the service provider delivers the entirety of the span of responsibility. Everything from applications and data through middleware and OS, all the way down to the networking itself, is provided by the service provisioner. For comparison’s sake, in Platform as a Service (PaaS), the service provider takes care of everything except the applications and data. In Infrastructure as a Service (IaaS), the client holds the applications, data, runtime, middleware, and OS, while the provider takes care of everything else—virtualization, servers, storage, and networking.

A, B, and D are incorrect because these are not true statements. In IaaS, the subscriber holds applications, data, and middleware but not virtualization and servers. In PaaS, the client only holds the applications and data.

2. Which of the following is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services?

A. NIST Cloud Architecture

B. FedRAMP

C. PCI-DSS Cloud Special Interest Group


D. Cloud Security Alliance

B. EC-Council, at least as of this writing, doesn’t mention one single regulatory effort in cloud computing at all, outside of NIST’s reference architecture, in their official courseware. This does not mean you will not see any cloud computing regulatory efforts on your exam. I’m willing to bet you’ll see more and more of them as time goes on, and FedRAMP is the 800-pound gorilla of cloud computing regulatory efforts you absolutely need to know about.

The Federal Risk and Authorization Management Program (FedRAMP; www.fedramp.gov/) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It not only provides an auditable framework for ensuring basic security controls for any government cloud effort, but FedRAMP also offers weekly tips for security and configuration and even has free training available on the site. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry.

A is incorrect because the definition provided does not match the NIST Cloud Computing Reference Architecture. NIST (National Institute of Standards and Technology) released Special Publication 500-292, “NIST Cloud Computing Reference Architecture,” in 2011 to provide a “fundamental reference point to describe an overall framework that can be used government wide” (www.nist.gov/customcf/get_pdf.cfm?pub_id=909505).

C is incorrect because the definition provided does not match the PCI Data Security Standard (PCI-DSS) Cloud Special Interest Group. PCI is not a federal government regulatory body.

D is incorrect because the definition provided does not match the Cloud Security Alliance (CSA). CSA is the leading professional organization devoted to promoting cloud security best practices and organizing cloud security professionals.

3. A business owner is advised that inventory, storage, sales, and backup online services can be provided less expensively and more securely via a cloud service. After investigating the options, the business owner determines the best cloud service provider for his needs also happens to be the provider for several of his competitors. Should he decide to engage the same provider, which cloud service deployment model will be used?

A. Private

B. IaaS

C. Community

D. Public

C. In most circumstances, it doesn’t matter who else uses the cloud provider you want to use—what matters is the services provided, the costs, and the available security. A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations. For example, multiple different state-level organizations may get together and take advantage of a community cloud for services they require. Or, in this case, even adversarial competitors may make use of the same services from the same cloud provider.

A is incorrect because a private cloud model is, not surprisingly, private in nature. The cloud is operated solely for a single organization (a.k.a. single-tenant environment) and is usually not a pay-as-you-go type of operation.

B is incorrect because Infrastructure as a Service is a type of cloud computing, not a deployment model.

D is incorrect because a public cloud model is one where services are provided over a network that is open for public use (like the Internet). Public cloud is generally used when security and compliance requirements found in large organizations aren’t a major issue.

4. In “NIST Cloud Computing Reference Architecture,” which of the following is the intermediary for providing connectivity between the cloud and the subscriber?

A. Cloud provider


B. Cloud carrier

C. Cloud broker

D. Cloud auditor

B. I can guarantee you’ll see several questions from the cloud world on your exam, and many of those questions will be simply identifying portions of “NIST Cloud Computing Reference Architecture.” The cloud carrier is defined in the architecture as the organization with the responsibility of transferring the data—akin to the power distributor for the electric grid. The cloud carrier is the intermediary for connectivity and transport between the subscriber and provider.

A is incorrect because the cloud provider is the purveyor of products and services.

C is incorrect because the cloud broker acts to manage the use, performance, and delivery of cloud services as well as the relationships between providers and subscribers. The broker “acts as the intermediate between consumer and provider and will help consumers through the complexity of cloud service offerings and may also create value-added cloud services as well.”


D is incorrect because the cloud auditor is the independent assessor of cloud service and security controls.

5. A company relies on a private cloud solution for most of its internal computing needs. After expanding into more online retailing, it relies on a portion of a public cloud for external sales and e-commerce offerings. Which of the following best describes the cloud deployment type in use?

A. Private

B. Public

C. Hybrid

D. Community

C. A hybrid cloud deployment is exactly what it sounds like—a combination of two or more deployment types together.

A is incorrect because a private cloud deployment is operated solely for a single organization (a.k.a. single-tenant environment).

B is incorrect because a public cloud deployment model is one where services are provided over a network that is open for public use (like the Internet).


D is incorrect because a community cloud deployment model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations.

6. Cloud computing would be best suited for which of the following businesses?

A. A medical practice

B. An established rural general sales store

C. A law enforcement agency

D. A Christmas supply store

D. Scenario questions like this will be peppered throughout your exam on multiple topics, and cloud computing is no different. In this case, the Christmas supply store is, by its very nature, seasonal. This means instead of a steady flow of business and computing resources, it will need much more support during the last couple months of the year than it would in, say, July. Cloud computing provides the elasticity (another term you may see pop up) of adding or removing computing resources as you need them, which could very well save the company money.

A is incorrect. Of the choices provided, a medical practice would not be the best choice because of the sensitive data it holds (not to mention the federally mandated protections the practice would have to have in place for those records).

B is incorrect because an established storefront with steady sales and employee staff doesn’t necessarily need cloud services.

C is incorrect because law enforcement agencies also deal with highly sensitive information. Therefore, of the choices provided, this is not the best one.

7. A software company has decided to build and test web applications in a cloud computing environment. Which of the following cloud computing types best describes this effort?

A. IaaS

B. PaaS

C. SaaS

D. Community

B. This scenario is tailor-made for Platform as a Service (PaaS). Despite also being a name brand recognized mostly during Easter for coloring eggs, PaaS is geared toward software development, as it provides a platform that allows subscribers to create applications without building the infrastructure it would normally take to develop and launch software. Hardware and software are hosted by the provider on its own infrastructure, so customers do not have to install or build homegrown hardware and software for development work. PaaS doesn’t usually replace an organization’s actual infrastructure; instead, it just offers key services the organization may not have on site.

A is incorrect because this does not describe Infrastructure as a Service. IaaS provides virtualized computing resources over the Internet. A third-party provider hosts infrastructure components, applications, and services on behalf of its subscribers, with a hypervisor (such as VMware, Oracle VirtualBox, Xen, or KVM) running the virtual machines as guests.

C is incorrect because this does not describe Software as a Service. SaaS is simply a software distribution model—the provider offers on-demand applications to subscribers over the Internet.

D is incorrect because community refers to the cloud deployment model, not the type.

8. Which of the following statements is not true?

A. Private cloud is operated solely for a single organization.

B. Public cloud makes use of virtualized servers.

C. Public cloud is operated over an intranet.

D. Private cloud makes use of virtualized servers.

C. Most of the time I deplore the “not” questions—they seem designed to trip candidates up more than to test their knowledge—but EC-Council (and, not surprisingly, virtually every other certification provider) makes use of them often. In this case, a private cloud is, of course, operated solely for one organization, and virtualization is used in all cloud deployment models. A public cloud, however, explicitly provides services on a network that is open for public use (like the Internet).

A, B, and D are incorrect because these are true statements.

9. A company relies solely on Google Docs, Google Sheets, and other cloud-based provisions for its office documentation software needs. Which of the following cloud computing types best describes this?

A. SaaS

B. PaaS

C. IaaS

D. Public

A. This scenario aptly describes Software as a Service. SaaS is a software distribution model—the provider offers on-demand applications to subscribers over the Internet. Google Docs and Google Sheets, where word processing and spreadsheet software actions are provided online, are perfect examples. Microsoft is also big in the SaaS game, and Office 365 is seemingly taking over for the traditional Microsoft Office suite. Instead of installing it on your system or buying it preinstalled at Best Buy (or whatever vendor you use), you can “rent” Office 365—get what you need for as long as you need. Given that Office is the world’s leading office productivity software, it shouldn’t come as a surprise that Office 365 is a big hit. The U.S. Air Force, for one example, moved over half a million e-mail accounts to Office 365 in January of 2019.

B is incorrect because Platform as a Service is a great choice for software development, but is not designed to provide software services in this manner.

C is incorrect because Infrastructure as a Service is not designed to provide software services like those described.

D is incorrect because public refers to the deployment model.

10. A subscriber purchases machine virtualization and hosting through Amazon EC2. Which of the following cloud computing types does this describe?

A. IaaS

B. PaaS

C. SaaS

D. Hybrid

A. There are three types of cloud computing implementation: IaaS, PaaS, and SaaS. In the case of Amazon EC2, Infrastructure as a Service best matches the description. IaaS basically provides virtualized computing resources over the Internet. A third-party provider hosts infrastructure components, applications, and services on behalf of its subscribers, with a hypervisor (such as VMware, Oracle VirtualBox, Xen, or KVM) running the virtual machines as guests. Collections of hypervisors within the cloud provider exponentially increase the virtualized resources available and provide scalability of service to subscribers. As a result, IaaS is a good choice, not just for day-to-day infrastructure service, but also for temporary or experimental workloads that may change unexpectedly. IaaS subscribers typically pay on a per-use basis (within a certain timeframe, for instance) or sometimes by the amount of virtual machine space used.

B is incorrect because Platform as a Service does not best match this description. PaaS is geared toward software development, as it provides a development platform that allows subscribers to develop applications without building the infrastructure it would normally take to develop and launch software.

C is incorrect because Software as a Service does not best match this description. SaaS is probably the simplest and easiest to think about. It is simply a software distribution model—the provider offers on-demand applications to subscribers over the Internet.

D is incorrect because hybrid does not best match this description. The term “hybrid” deals with the deployment method of the cloud (for example, if you had a cloud environment that was both “public” and “community” in nature, it would be referred to as hybrid).

11. Cloud computing faces many of the same security concerns as traditional network implementations. Which of the following are considered threats to cloud computing?

A. Data breach or loss

B. Abuse of services

C. Insecure interfaces

D. Shared technology issues

E. All of the above

E. EC-Council dedicated a lot of real estate in their past official courseware to cloud threats, even though much of it is the same as it would be in traditional networking, and in this version, it’s more of the same. In a blast from the past (as in this comes straight out of the Cloud Security Alliance’s “The Notorious Nine: Cloud Computing Top Threats in 2013” publication (https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf), which is no longer referenced in the course material but obviously still used as a reference), the top three listed are data breach and loss, abuse of cloud services, and insecure interfaces/APIs. Each is exactly what it sounds like and doesn’t require much in the way of explanation. However, the following explanations are for the sake of your exam:

• Data breach and loss In addition to data erasure, theft, and/or modification, this also deals with loss of encryption keys and misuse of the data by the cloud security provider itself.

• Abuse of cloud services This occurs when the bad guys create anonymous access to cloud services and use the cloud’s resources to carry out their activities. Why do password cracking, host exploits, or malware on your own machine when you can do it all in the cloud?

• Insecure interfaces/APIs These allow the bad guys to circumvent user-defined policies and perhaps reuse passwords or tokens.


Pages and pages of cloud computing threats are mentioned in the official courseware—everything from insufficient due diligence, shared technology issues, and inadequate planning, through supply chain failure, management interface compromise, and hardware failures. It’s impossible to cover them all here, but they’re all pretty straightforward. On your exam, you’re probably more likely to have to identify which threats aren’t specific to cloud, and that should be a piece of cake for you.

Here is the full list of cloud threats ECC wants you to know about, as of the date I sit down to write this:

• Data breach/loss

• Abuse and nefarious use of cloud services

• Insecure interfaces and APIs

• Insufficient due diligence

• Shared technology issues

• Unknown risk profiles

• Unsynchronized system clocks

• Inadequate infrastructure design and planning

• Client hardening procedures and cloud environment conflicts

• Loss of operational and security logs

• Malicious insiders

• Illegal access

• Privilege escalation

• Natural disasters

• Hardware failures

• Supply chain failures

• Modifying network traffic

• Isolation failure

• Cloud provider acquisition

• Management interface compromise

• Network management failure

• Authentication attacks

• VM-level attacks

• Licensing

• Lock-in

• Loss of governance

• Loss of encryption keys

• Changes in jurisdiction

• Malicious probes/scans

• Cloud service termination

• Subpoena


• Improper data handling

• Loss of backup data

• Compliance

• Economic denial of sustainability (EDoS)

Lastly, I must point out the original Cloud Security Alliance publication (“The Notorious Nine: Cloud Computing Top Threats in 2013”) has been updated. It’s now “The Dirty Dozen: 12 Top Cloud Security Threats,” also referred to as “The Treacherous 12” (https://www.csoonline.com/article/3043030/12-top-cloud-security-threats-for-2018.html), and while it’s very, very similar to the original, there are a few differences. For example, perusing the list you may notice “Abuse of Cloud Services” is now listed as “Abuse of Cloud Resources.” Because you may see questions from both lists on your exam, I’ve left the original noted, but what I’ve listed should provide all you need for memorization purposes. Just use your common sense on these questions and you should be fine.

A, B, C, and D are incorrect because they’re all cloud computing threats.

12. Which of the following attacks occurs during the translation of SOAP messages?

A. Wrapping attack

B. Cross-guest VM

C. Side channel

D. Session riding

A. Attacks aren’t necessarily specific to cloud computing, but EC-Council covers wrapping attacks here, so we’ll follow suit. In a wrapping attack, the user sends a request to the server, but the SOAP response is intercepted by the attacker. He then duplicates the original message and sends it as if he is the user. In short, to pull this off, you just intercept the response, change the data in the SOAP envelope, and replay.
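Server-side checks for the wrapping-and-replay scenario in the answer above, as an added example that is not code from the book or from EC-Council courseware. The envelope layout, the constructed `urn:example:headers` namespace, and the hypothetical `MessageID`/`Created` header fields are assumptions made for the demonstration; every message is constructed inline.

```python
"""Reject SOAP envelopes whose Body has been wrapped or duplicated, or that
replay an already-accepted message. Added example; the ex: header fields and
namespace are assumptions for this demonstration, not a real WS-* standard."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
EX_NS = "urn:example:headers"                          # constructed namespace (assumption)
MAX_AGE = timedelta(minutes=5)                         # freshness window for Created


class SoapRejected(Exception):
    """Raised when an envelope fails a structural or freshness check."""


class SoapReplayGuard:
    """Accepts each well-formed, fresh MessageID once; everything else is rejected."""

    def __init__(self, now=None):
        self._seen_ids = set()
        self._now = now or (lambda: datetime.now(timezone.utc))

    def check(self, xml_text: str) -> str:
        """Return the tag of the operation in the Body, or raise SoapRejected."""
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError as exc:
            raise SoapRejected(f"malformed XML: {exc}") from exc
        if root.tag != f"{{{SOAP_NS}}}Envelope":
            raise SoapRejected("root element is not a SOAP Envelope")

        # 1. Structure: exactly one Body in the whole document, and it must be a
        #    direct child of Envelope. A wrapped envelope parks the original Body
        #    elsewhere (for example under a wrapper in the Header) and places a
        #    different Body where the server dispatches from.
        all_bodies = root.findall(f".//{{{SOAP_NS}}}Body")
        direct_bodies = root.findall(f"{{{SOAP_NS}}}Body")
        if len(all_bodies) != 1 or len(direct_bodies) != 1:
            raise SoapRejected("wrapped or duplicated Body element")
        if len(direct_bodies[0]) == 0:
            raise SoapRejected("empty Body")

        # 2. Header fields used for replay detection (assumed names, see above).
        header = root.find(f"{{{SOAP_NS}}}Header")
        if header is None:
            raise SoapRejected("missing Header")
        msg_id = header.findtext(f"{{{EX_NS}}}MessageID")
        created = header.findtext(f"{{{EX_NS}}}Created")
        if not msg_id or not created:
            raise SoapRejected("missing MessageID or Created header")

        # 3. Freshness: an envelope captured and resent later falls outside the window.
        try:
            created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
        except ValueError as exc:
            raise SoapRejected("unparseable Created timestamp") from exc
        if created_at.tzinfo is None:
            raise SoapRejected("Created must carry a timezone")
        if abs(self._now() - created_at) > MAX_AGE:
            raise SoapRejected("stale Created timestamp")

        # 4. Uniqueness: a replay inside the window reuses a MessageID already seen.
        if msg_id in self._seen_ids:
            raise SoapRejected(f"replayed MessageID {msg_id}")
        self._seen_ids.add(msg_id)
        return direct_bodies[0][0].tag


FIXED_NOW = datetime(2019, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed clock


def envelope(msg_id, created, body_xml, header_extra=""):
    """Build a constructed SOAP 1.1 envelope for the demonstration."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:ex="{EX_NS}">'
        f"<soap:Header><ex:MessageID>{msg_id}</ex:MessageID>"
        f"<ex:Created>{created}</ex:Created>{header_extra}</soap:Header>"
        f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>"
    )


def run_demo():
    """Run four constructed envelopes through one guard and report each outcome."""
    guard = SoapReplayGuard(now=lambda: FIXED_NOW)
    fresh = FIXED_NOW.isoformat()
    legit = envelope("m-1", fresh, "<ex:ListItems/>")
    # Wrapped: original Body moved under a Header wrapper, new operation in its place.
    wrapped = envelope("m-2", fresh, "<ex:DeleteAllItems/>",
                       header_extra="<Wrapper><soap:Body><ex:ListItems/></soap:Body></Wrapper>")
    stale = envelope("m-3", (FIXED_NOW - timedelta(hours=1)).isoformat(), "<ex:ListItems/>")
    results = {}
    for label, env in (("original", legit), ("replay", legit),
                       ("wrapped", wrapped), ("stale", stale)):
        try:
            results[label] = "accepted " + guard.check(env)
        except SoapRejected as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:9} -> {outcome}")
```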

B and C are incorrect because this does not describe cross-guest VM attacks, which are also known as side channel attacks and deal with virtualization itself. If an attacker can somehow gain control of an existing VM (or place his own) on the same physical host as the target, he may be able to pull off lots of malicious activities.

D is incorrect because this does not describe a session riding attack. Session riding is, in effect, simply CSRF under a different name and deals with cloud services instead of traditional data centers.

13. Which of the following is an architectural pattern in computer software design in which application components provide services to other components via a communications protocol, typically over a network?

A. API

B. SOA

C. EC2

D. IaaS

B. In Service-Oriented Architecture (SOA), software is designed where each of its individual components works and communicates with components on different systems across the network. Each computer can run any of the services in the software, and each individual component is built so that it can exchange information with any other service in the network, without interaction or the need to make changes to the software. For example, someone might create an API that provides access to a database, which then allows third-party vendors to create their own applications to take advantage of it.


A is incorrect because this does not define an application programming interface. APIs are sets of protocols and tools for building applications.

C is incorrect because EC2 is a cloud service offering from Amazon.

D is incorrect because IaaS is a cloud type.

14. In “NIST Cloud Computing Reference Architecture,” which entity manages cloud services and maintains the relationship between cloud providers and subscribers?

A. Cloud broker

B. Cloud auditor

C. Cloud carrier

D. Cloud consumer

A. “NIST Cloud Computing Reference Architecture” defines the cloud broker as the entity that acts to manage the use, performance, and delivery of cloud services, as well as the relationships between providers and subscribers. The broker “acts as the intermediate between consumer and provider and will help consumers through the complexity of cloud service offerings and may also create value-added cloud services as well.”

B is incorrect because the cloud auditor is the independent assessor of the cloud service provider’s security controls.

C is incorrect because the cloud carrier is the organization that has the responsibility of transferring the data between the provider and subscriber.

D is incorrect because the cloud consumer is the individual or organization that acquires and uses cloud products and services.

15. Which of the following is not a benefit of virtualization?

A. It allows for more efficient backup, data protection, and disaster recovery.

B. It reduces system administration work.

C. It improves operational efficiency.

D. It locks individual hardware to each individual virtual machine.

D. Some of you may actually work with and in a cloud, and you may disagree with at least one of the benefits listed here. However, while there may be differences between the real world and your CEH exam, for your test you really need to know virtualization’s benefits. The idea itself is great—run one or more operating systems simultaneously on the same physical box by virtualizing the hardware to each OS. Multiple companies (such as VMware, Oracle VirtualBox, and Xen) provide the hypervisor (a.k.a. virtual machine monitor, or VMM, which is an application or hardware that creates and runs virtual machines) that allows multiple OSs to share the same physical machine hardware. Virtualizing your server can improve operational efficiency, provide for more efficient backups, offer disaster recovery and data protection, and reduce administrative work. Additionally, virtualization may have a positive effect on ensuring control and compliance throughout the network, as well as reduce overall costs.

A, B, and C are incorrect because these are all benefits of the virtualization of servers.

16. A company acquires a cloud environment for much of its business IT needs. The environment is used and operated solely for the single organization. Which of the following represents the cloud deployment model in question?


A. Public

B. IaaS

C. Sole-source

D. Private

D. In a private cloud model, the cloud is operated solely for a single organization (a.k.a. single-tenant environment) and is usually not a type of pay-as-you-go operation. Private clouds are usually preferred by larger organizations, because the hardware is dedicated and security and compliance requirements can be more easily met.

A is incorrect because a public cloud is for use by anyone and everyone.

B is incorrect because IaaS is a cloud type providing virtualized computing resources over the Internet. A third-party provider hosts infrastructure components, applications, and services on behalf of its subscribers, with a hypervisor running the virtual machines as guests. IaaS is a good choice for day-to-day infrastructure service and temporary or experimental workloads that may change unexpectedly. IaaS subscribers typically pay on a per-use basis (within a certain timeframe, for instance) or sometimes by the amount of virtual machine space used.

C is incorrect because sole-source is not a deployment method.

17. Which of the following statements is true regarding cloud computing?

A. Security in the cloud is the responsibility of the provider only.

B. Security in the cloud is the responsibility of the consumer only.

C. Security in the cloud is the responsibility of both the consumer and the provider.

D. None of the above.

C. One of the biggest misconceptions about cloud computing seems to be where the lines of responsibility are drawn. However, it should come as no surprise that security is everyone’s responsibility, and that absolutely extends to the cloud. The provider must protect the hardware, virtualization, VMs, and network connectivity. The consumer must protect their virtual systems (OSs, applications, and data). Sometimes this is a challenge in the real world. Where does your testing start and end? If your entire system relies on a cloud provider to remain up and secure, can you test all of it? And what happens if your resources are commingled somewhere inside all that cloud secret sauce? Can you really trust they’re on top of things, security-wise? Should you? Can you?

A, B, and D are all incorrect statements.

18. Which tool offers penetration-test-like services for Amazon EC2 customers?

A. CloudPassage Halo

B. Core Cloud

C. CloudInspect

D. Panda Cloud Office Protection

C. CloudInspect (www.coresecurity.com/corelabs-research/projects/core-cloudinspect) is “a tool that profits from the Core Impact & Core Insight technologies to offer penetration-testing as a service from Amazon Web Services for EC2 users.” It’s obviously designed for AWS cloud subscribers and runs as an automated, all-in-one testing suite specifically for your cloud subscription.

A is incorrect because CloudPassage Halo (www.cloudpassage.com) “provides instant visibility and continuous protection for servers in any combination of data centers, private clouds and public clouds. The Halo platform is delivered as a service, so it deploys in minutes and scales on-demand. Halo uses minimal system resources, so layered security can be deployed where it counts, right at every workload—servers, instances and containers.” Other tools for cloud pen testing you should know for your exam include Dell Cloud Manager and Parasoft SOAtest.

B is incorrect because there is no such tool.

D is incorrect because Panda Cloud Office Protection is not an automated pen test tool suite.

19. An attacker sets up a VM on the same physical cloud host as the target’s VM. He then takes advantage of the shared physical resources to steal data. Which of the following describes this attack?

A. Side channel

B. VM flood

C. Session riding

D. Cybersquatting

A. The side-channel attack, also known as a cross-guest VM breach, occurs when a bad guy gets a virtual machine on the same host as the target. Through a variety of means for taking advantage of vulnerabilities in some shared technologies, the attacker then uses the shared physical resources to pilfer data. Providers can mitigate these attacks by using an up-to-date hypervisor provision, implementing strong virtual firewalls between guest OSs, and enforcing the use of encryption. Subscribers can help by locking down (hardening) their OSs and using good coding in their applications (especially when it comes to accessing resources such as memory). As a fun aside, these types of attacks are categorized by people who actually pen test for a living as a unicorn attack—since you’ll have as good a chance seeing a unicorn as you will actually performing this attack.

B is incorrect because, although VM flood may sound cool, it is not a legitimate attack term.

C is incorrect because session riding is a CSRF attack inside the cloud.

D is incorrect because cybersquatting has nothing to do with this attack.

20. In the trusted computing model, what is a set of functions called that’s always trusted by the computer’s operating system?

A. SOA

B. RoT

C. TCG

D. VM

B. Trusted computing is a simple idea: resolve a lot of computing problems through hardware enhancements and software modifications. Several vendors got together, calling themselves the Trusted Computing Group (TCG), and worked out specifications, proposals, and technologies to help protect system resources. Within all this work is the idea of Roots of Trust (RoT), which is a set of functions always trusted by the operating system. It provides a lot of the functionality the rest of the model is built on, such as real-time encryption, rootkit detection, memory curtailing, digital rights management (DRM) through hardware, and more.

A is incorrect because this does not describe Service-Oriented Architecture. SOA is an architectural design effort in computer software where application components communicate with, and provide services to, other components via a network.


C is incorrect because this does not describe the Trusted Computing Group.

D is incorrect because this does not describe a virtual machine.


CHAPTER 10 Trojans and Other Attacks

This chapter includes questions from the following topics:

• Describe malware types and their purpose
• Identify malware deployment methods
• Describe the malware analysis process
• Identify malware countermeasures
• Describe DoS attacks and techniques
• Identify DoS detection and countermeasure actions
• Describe session hijacking and sequence prediction

Every new hobby and activity ends up with a huge learning curve, with all sorts of lingo and terminology to figure out. And, usually, it winds up costing a lot of money. For example, suppose you decide to get into photography. All of a sudden you’re learning about ISO ratings and saturation—and buying insanely expensive cameras and lenses because you need them. What if you decide to take up shooting? Well, now you’re learning about calibers, double versus single action, trigger pull, and IWB versus OWB—and you’ll wind up purchasing multiple weapons of different action and caliber. And bass fishing? Oh, now we’re talking about some serious addictions.

Braid versus monofilament line? Fluorocarbon gets my vote for leader material, but braid’s great for the back end. Baitcast versus spinning reel? I’d say that depends on the situation, but unless you can figure out the centrifugal braking systems and tension settings, with plenty of time to practice, spinning may be your best bet. Rod material and makeup? Hook style? Knots to use? And don’t get me started on electronics for your boat!

And as we also know with every hobby, there are rules and expectations for the use of everything you buy. The people who have been engaging in it for a long time usually look at newcomers with a bemused derision, mocking the misuse of tools and techniques until they get with the program and do what everyone else is doing. In bass fishing, this idea kept loads of people from catching lots of fish.

For decades, the use of a particular bait known as a jig was relegated by those who knew everything to one method of presentation: flip the jig directly into really heavy cover (bushes, sticks, lily pads, and so on) and gently pop it around the bottom until a fish bites. In 1996, a bass professional named Bill Lowen was fishing a tournament with a jig the same way everyone else had been using it since the dawn of artificial bait fishing. He had tossed it in a tree that had fallen over into the water, and was slowly working it back. Deciding to move to another place, he started reeling the jig back to him and—whammo—fish on! At the next spot, he started fishing again, but decided to try reeling the jig back to him, instead of using it like everyone else did. Whammo!—another fish on. He wound up winning that tournament, and in doing so created a brand-new technique called “swimming” a jig.

Why all this about bass fishing and techniques? Because it’s applicable to our work here as ethical hackers. See, there are two ways to catch fish on any given lure—first, by using the lure the way it was designed, and, second, by using it in whatever way it catches fish. Whether the technique is “dead-sticking” a worm or, believe it or not, using a wrench as a lure (don’t laugh—I’ve seen it with my own eyes), whatever works to catch fish is what should be used, right? In ethical hacking, the same thing applies. Malware certainly won’t ever be confused with a “good-guy” tool, but maybe you can use it in a different way than it was intended. Your pen test tool set can be augmented by visiting the dark side yourself, wielding tools and actions that may seem a bit unsavory to you and in ways you just haven’t thought about.

STUDY TIPS There hasn’t been a whole lot of change in version 10 when it comes to malware and other attacks. Most of the questions from the malware sections—especially those designed to trip you up—still will be of the pure memorization type. Stick with key words for each definition (it’ll help you in separating good answers from bad ones), especially for the virus types. Don’t miss an easy point on the exam because you forgot the difference between polymorphic and multipartite or why a worm is different from a virus. Tool identification should also be relatively straightforward (assuming you commit all those port numbers to memory, like I told you to do).

Finally, as always, get rid of the answers you know to be wrong in the first place. It’s actually easier sometimes to identify the ones you downright know aren’t relevant to the question. Then, from the remainder, you can scratch your gray matter for the key word that will shed light on the answer.


QUESTIONS

1. Bart receives an e-mail that appears to be from his lawyer containing a ZIP file named Courtdoc.zip. Bart double-clicks the ZIP file to open it, and a message stating “This word document is corrupt” appears. In the background, a file named Courtdoc.doc.exe runs and copies itself to the local APPDATA directory. It then begins beaconing to an external server. Which of the following best describes the malware Bart installed?

A. Worm

B. Virus

C. Trojan

D. Macro

2. You have established a Netcat connection to a target machine. Which flag can be used to launch a program?

A. -p

B. -a

C. -l

D. -e

3. Claire is surfing the Web and, after some time, a message pops up stating her system has been infected by malware and offering a button to click for removal of the virus. After she clicks the button, another message window appears stating the system has been quarantined due to the nature of the infection and provides a link with instructions to pay in order to regain control and to clear the virus. Which of the following best describes this infection?

A. Spyware

B. Ransomware

C. Trojan

D. Adware

4. Matty is examining malware as part of a security effort. She performs analysis of the malware executable without running or installing it. Instead, she examines source and binary code to find data structures, function calls, and other indicators of malicious behavior. Which of the following best describes the type of malware analysis Matty is performing?

A. Static

B. Dynamic

C. File fingerprinting

D. Code emulation

5. Pen test team member Amy attempts to guess the ISN for a TCP session. Which attack is she most likely carrying out?

A. XSS

B. Session splicing

C. Session hijacking

D. Multipartite attack

6. An attacker wants to make his malware as stealthy and undetectable as possible. He employs an effort that uses compression to reduce the file size of the malware. Which of the following best describes this?

A. Crypter

B. Wrapper

C. Packer

D. Compressor

7. An attacker is attempting a DoS attack against a machine. She first spoofs the target’s IP address and then begins sending large amounts of ICMP packets containing the MAC address FF:FF:FF:FF:FF:FF. What attack is underway?

A. ICMP flood

B. Ping of death

C. SYN flood

D. Smurf

E. Fraggle


8. An attacker makes use of the Beacon implant on a target system to hijack a browser session. Which of the following best describes this attack?

A. Man in the browser

B. Man in the middle

C. Man in the pivot

D. IE hijacking

9. Claire’s Windows system at work begins displaying strange activity, and she places a call to the IT staff. On investigation, it appears Claire’s system is infected with several viruses. The IT staff removes the viruses, deleting several file and folder locations and using an AV tool, and the machine is reconnected to the network. Later in the day, Claire’s system again displays strange activity and the IT staff is called once again. Which of the following are likely causes of the re-infection? (Choose all that apply.)

A. Claire revisits a malicious website.

B. Claire opens her Microsoft Outlook e-mail client and newly received e-mail is loaded to her local folder (.pst file).

C. Claire uses a system restore point to regain access to deleted files and folders.

D. Claire uses the organization’s backup application to restore files and folders.

10. In regard to Trojans, which of the following best describes a wrapper?

A. The legitimate file the Trojan is attached to

B. A program used to bind the Trojan to a legitimate file

C. A method of obfuscation using compression

D. A software tool that uses encryption and code manipulation to hide malware

11. In May of 2017, this ransomware took advantage of a Windows SMB vulnerability known as the Eternal Blue exploit and spread worldwide in a matter of hours. A hidden kill switch inside the coding was quickly discovered, halting its spread. Which of the following best fits this description?

A. Petya

B. WannaCry

C. Zeus

D. Botnet

12. Which of the following is a legitimate communication path for the transfer of data?

A. Overt

B. Covert

C. Authentic


D. Imitation

E. Actual

13. In what layer of the OSI reference model is session hijacking carried out?

A. Data Link layer

B. Transport layer

C. Network layer

D. Physical layer

14. A pen test team member types the following command:

nc 222.15.66.78 -p 8765

Which of the following statements is true regarding this attempt?

A. The attacker is attempting to connect to an established listening port on a remote computer.

B. The attacker is establishing a listening port on his machine for later use.

C. The attacker is attempting a DoS against a remote computer.

D. The attacker is attempting to kill a service on a remote machine.

15. Examine the partial command-line output listed here:

Which of the following is a true statement regarding the output?

A. This is output from a netstat -an command.

B. This is output from a netstat -b command.

C. This is output from a netstat -e command.

D. This is output from a netstat -r command.

16. You are discussing malware with a new pen test member who asks about restarting executables. Which registry keys within Windows automatically run executables and instructions? (Choose all that apply.)

A. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

B. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices


C. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

D. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

17. Which of the following is a true statement?

A. Sequence prediction attacks are specific to TCP.

B. Using a protocol in a way it is not intended to be used is an example of an overt channel.

C. All DoS and DDoS attacks are specific to TCP.

D. Fraggle is a TCP-based attack.

18. Which denial-of-service attack involves using multiple intermediary and secondary machines to contribute to the DoS effort?

A. SYN flood

B. DRDoS

C. Application-level flood

D. LOIC

19. Which of the following takes advantage of weaknesses in the fragment reassembly functionality of TCP/IP?

A. Teardrop

B. SYN flood

C. Smurf attack


D. Ping of death

20. IPSec is an effective preventative measure against session hijacking. Which IPSec mode encrypts only the data payload?

A. Transport

B. Tunnel

C. Protected

D. Spoofed

21. What provides for both authentication and confidentiality in IPSec?

A. AH

B. IKE

C. OAKLEY

D. ESP

22. Which of the following statements best describes the comparison between spoofing and session hijacking?

A. Spoofing and session hijacking are the same thing.

B. Spoofing interrupts a client’s communication, whereas hijacking does not.

C. Hijacking interrupts a client’s communication, whereas spoofing does not.

D. Hijacking emulates a foreign IP address, whereas spoofing refers to MAC addresses.

23. Which of the following is an effective deterrent against TCP session hijacking?

A. Install and use an HIDS on the system.

B. Install and use Tripwire on the system.

C. Enforce good password policy.

D. Use unpredictable sequence numbers.

24. Which of the following is a group of Internet computers set up to forward transmissions to other computers on the Internet without the owner’s knowledge or permission?

A. Botnet

B. Zombie

C. Honeypot

D. DDoS

25. Within a TCP packet dump, a packet is noted with the SYN flag set and a sequence number set at A13F. What should the acknowledgment number in the return SYN/ACK packet be?

A. A131

B. A130

C. A140

D. A14F


26. When is session hijacking performed?

A. Before the three-step handshake

B. During the three-step handshake

C. After the three-step handshake

D. After a FIN packet


QUICK ANSWER KEY

1. C

2. D

3. B

4. A

5. C

6. C

7. D

8. A

9. A, C, D

10. B

11. B

12. A

13. B

14. A

15. A

16. A, B, C, D

17. A

18. B

19. A


20. A

21. D

22. C

23. D

24. A

25. C

26. C


ANSWERS

1. Bart receives an e-mail that appears to be from his lawyer containing a ZIP file named Courtdoc.zip. Bart double-clicks the ZIP file to open it, and a message stating “This word document is corrupt” appears. In the background, a file named Courtdoc.doc.exe runs and copies itself to the local APPDATA directory. It then begins beaconing to an external server. Which of the following best describes the malware Bart installed?

A. Worm

B. Virus

C. Trojan

D. Macro

C. The definition of a Trojan is a non-self-replicating program that appears to have a useful purpose but in reality has a different, malicious purpose. In other words, it looks harmless but, when activated, is not. This is precisely what is going on in this example. E-mail is not the only method to spread a Trojan, but phishing certainly does seem to work well.

A is incorrect because this does not describe a worm. A worm is a self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.

B is incorrect because this does not describe a virus. A virus is a malicious computer program with self-replication capabilities that attaches to another file and moves with the host from one computer to another.

D is incorrect because this does not describe a macro. A macro is a single instruction that expands automatically into several instructions to perform a specific task (usually associated with Microsoft Office products, as far as your exam is concerned).
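The Courtdoc.doc.exe trick in this question relies on a document-looking name with a hidden executable extension. The following check, an added example and not code from the book, scans a ZIP attachment for exactly that pattern; the archive and the extension lists are constructed here for illustration and are not a complete gateway policy.

```python
"""Flag deceptive archive members such as Courtdoc.doc.exe.

Added example, not from the book. The ZIP is constructed in memory, and
the extension sets are a starting point, not a complete policy.
"""
import io
import zipfile

# Final extensions that Windows will execute when double-clicked.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Inner extensions a phisher uses to make the member look like a document.
DOCUMENT_EXT = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg"}


def is_deceptive_name(name: str) -> bool:
    """True when the member runs as a program but is dressed up as a document.

    Explorer hides known extensions by default, so "Courtdoc.doc.exe" shows
    up as "Courtdoc.doc" and runs as a program when the user opens it.
    """
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 3:
        return False  # at most one extension: nothing to hide behind
    final_ext = "." + parts[-1]
    inner_ext = "." + parts[-2]
    return final_ext in EXECUTABLE_EXT and inner_ext in DOCUMENT_EXT


def deceptive_members(zip_bytes: bytes) -> list:
    """Names of archive members a mail gateway should quarantine."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return [info.filename for info in archive.infolist()
                if not info.is_dir() and is_deceptive_name(info.filename)]


def build_sample_zip() -> bytes:
    """Constructed attachment mirroring the question's Courtdoc.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        # Placeholder bytes only; no real program is stored here.
        archive.writestr("Courtdoc.doc.exe", b"MZ placeholder")
        archive.writestr("readme.txt", b"Please review the attached document.")
        archive.writestr("scans/invoice.pdf.scr", b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(deceptive_members(build_sample_zip()))
```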

2. You have established a Netcat connection to a target machine. Which flag can be used to launch a program?

A. -p

B. -a

C. -l

D. -e

D. Netcat is often referred to as the Swiss Army knife of hacking efforts. You can use it to set up a listening port on target machines that you can then revisit to wreak all sorts of havoc. The flag associated with launching a program is -e. For example, issuing the command

nc -L -p 12657 -t -e cmd.exe

will open a Windows command shell on the target machine; the -t flag sets up a Telnet connection over the port you defined with the -p flag (12657).

A is incorrect because the -p flag indicates the protocol port you want to use for your session.

B is incorrect because -a is not a recognized Netcat flag.

C is incorrect because the -l flag indicates Netcat should open the port for listening. As an aside, the -L flag does the same thing; however, it restarts listening after the inbound session completes.

3. Claire is surfing the Web and, after some time, a message pops up stating her system has been infected by malware and offering a button to click for removal of the virus. After she clicks the button, another message window appears stating the system has been quarantined due to the nature of the infection and provides a link with instructions to pay in order to regain control and to clear the virus. Which of the following best describes this infection?

A. Spyware

B. Ransomware

C. Trojan

D. Adware

B. Ransomware isn’t anything new, but it sure has attracted new attention from EC-Council. The name itself gives away its purpose: the malware infects your system and then restricts access to your files and folders, demanding a ransom payment to get control back. ECC lists five different ransomware families: Cryptorbit, Cryptolocker, Cryptodefense, Cryptowall, and police-themed. Usually the online payment involves bitcoin, but can take other avenues. In any case, never pay off the attacker—you’re only signing yourself up for future terror. Cleaning off ransomware may involve booting into Safe Mode, or even using a system restore on Windows systems. You may even get away with an external AV scan as a fix action, but be sure to scrub the system for hidden files and folders the ransomware may have left behind. Lastly, I can’t overstate enough the value of good, solid, dependable backups. Even if you’re foolish enough to pay the ransom, there is no guarantee any of your files will remain accessible after the “unlock”—and could you trust them anyway? Invest in good backups and run them religiously.

A is incorrect because this does not describe spyware. Spyware is a type of malware that covertly collects information about a user.

C is incorrect because this does not describe a Trojan. A Trojan is a non-self-replicating program that appears to have a useful purpose but in reality has a different, malicious purpose.

D is incorrect because this does not describe adware. Adware is software that has advertisements embedded within it. It generally displays ads in the form of pop-ups.

4. Matty is examining malware as part of a security effort. She performs analysis of the malware executable without running or installing it. Instead, she examines source and binary code to find data structures, function calls, and other indicators of malicious behavior. Which of the following best describes the type of malware analysis Matty is performing?

A. Static

B. Dynamic

C. File fingerprinting

D. Code emulation

A. EC-Council defines two main types of malware analysis—static and dynamic. In static analysis, the examiner never actually installs or executes the malware. It’s considered a “safe” analysis, as the suspect file isn’t installed or allowed to execute; however, as this is obviously a touchy area, it’s always a best and recommended practice to perform analysis in a closed environment. This is largely a manual process, but there are static analysis tools that can assist.

B is incorrect because dynamic analysis is the process of examining malware behavior by actually installing and running it in a monitored environment.

C is incorrect because file fingerprinting involves computing a hash value for a given binary code.

D is incorrect because code emulation is a detection method where antivirus executes the malicious codes on a virtual machine to simulate CPU and memory activities.

5. Pen test team member Amy attempts to guess the ISN for a TCP session. Which attack is she most likely carrying out?

A. XSS

B. Session splicing

C. Session hijacking

D. Multipartite attack

C. The idea behind session hijacking is fairly simple: the attacker waits for a session to begin and, after all the pesky authentication gets done, jumps in to steal the session for herself. In practice, it’s a little harder and more complicated than that, but the key to the whole attack is in determining the initial sequence number (ISN) used for the session. The ISN is sent by the initiator of the session in the first step (SYN). This is acknowledged in the second step of the handshake (SYN/ACK) by incrementing that ISN by 1, and then another ISN is generated by the recipient. This second number is acknowledged by the initiator in the third step (ACK), and from there on out communication can occur. Per EC-Council, the following steps describe the session hijack:


1. Sniff the traffic between the client and the server.

2. Monitor the traffic and predict the sequence numbering.

3. Desynchronize the session with the client.

4. Predict the session token and take over the session.

5. Inject packets to the target server.

For what it’s worth, pulling this attack off via EC-Council’s take on the whole matter requires you to do some fairly significant traffic sniffing. And if you’re already positioned to sniff the traffic in the first place, wouldn’t the whole scenario possibly be a moot point? You need to know it for the exam, but real-world application may be rare.

A is incorrect because cross-site scripting is a web application attack.

B is incorrect because session splicing is an IDS evasion method. The attacker delivers a payload that the IDS would have otherwise seen by “slicing” it over multiple packets. The payload can be spread out over a long period of time.


D is incorrect because multipartite refers to a virus type, not an attack that requires ISN determination.
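The handshake arithmetic described above (ISN, then ISN + 1 in the SYN/ACK) is what questions 23 and 25 also turn on. The following added example, not code from the book, works those numbers and adds the check a defender would run to confirm a host's ISNs are unpredictable; the ISN sample lists are constructed, not captured.

```python
"""TCP three-way-handshake numbers and a crude ISN predictability check.

Added example, not from the book. The ISN sample lists are constructed;
real values would come from the SYN/ACKs a host returns to repeated connects.
"""
from statistics import pstdev

MASK32 = 0xFFFFFFFF  # sequence numbers are 32-bit and wrap around


def handshake_numbers(client_isn: int, server_isn: int) -> dict:
    """Seq/ack fields for SYN, SYN/ACK and ACK given both sides' ISNs.

    Step 1 (SYN): client sends its ISN.
    Step 2 (SYN/ACK): server acknowledges client_isn + 1 and sends its own ISN.
    Step 3 (ACK): client acknowledges server_isn + 1; data may now flow.
    """
    return {
        "syn":     {"seq": client_isn & MASK32},
        "syn_ack": {"seq": server_isn & MASK32, "ack": (client_isn + 1) & MASK32},
        "ack":     {"seq": (client_isn + 1) & MASK32, "ack": (server_isn + 1) & MASK32},
    }


def isn_deltas(isns):
    """Increment between each pair of consecutive ISNs, modulo 2**32."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]


def isn_is_predictable(isns, min_samples=4, spread_limit=1024):
    """True when successive ISNs step by a (near-)constant amount.

    A constant step is exactly what an ISN-guessing attacker needs, and it is
    what "use unpredictable sequence numbers" removes: a well-randomized
    stack produces deltas spread across the whole 32-bit space.
    """
    if len(isns) < min_samples:
        raise ValueError(f"need at least {min_samples} ISN samples")
    deltas = isn_deltas(isns)
    return len(set(deltas)) == 1 or pstdev(deltas) < spread_limit


# Constructed samples: one legacy-style generator that adds 64000 per
# connection, and one that looks randomized.
FIXED_STEP_ISNS = [0x0001A000 + 64000 * i for i in range(6)]
RANDOM_ISNS = [0x9F3A21C4, 0x2B7E0011, 0xD4C2A9F0, 0x6E1B8837, 0x15F0C2AA, 0xC0A8E113]

if __name__ == "__main__":
    h = handshake_numbers(0xA13F, 0x7C2E0000)
    print("SYN/ACK acknowledges", hex(h["syn_ack"]["ack"]))
    print("fixed-step generator predictable:", isn_is_predictable(FIXED_STEP_ISNS))
    print("randomized generator predictable:", isn_is_predictable(RANDOM_ISNS))
```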

6. An attacker wants to make his malware as stealthy and undetectable as possible. He employs an effort that uses compression to reduce the file size of the malware. Which of the following best describes this?

A. Crypter

B. Wrapper

C. Packer

D. Compressor

C. A packer uses compression to pack the malware executable into a smaller size. Not only does this reduce the file size, but it serves to make the malware harder to detect for some antivirus engines. It works much like a ZIP file, except that the extraction occurs in memory and not on the disk.

A is incorrect because a crypter is a software tool that uses a combination of encryption and code manipulation to render malware undetectable to AV and other security monitoring products (in Internet lingo, it’s referred to as fud, for “fully undetectable”).


B is incorrect because a wrapper is used to bind a Trojan and a legitimate program together so the Trojan will be installed when the legitimate program is executed.

D is included merely as a distractor and is not a legitimate term.
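Static analysis (question 4: hashes, strings, indicators, without executing the sample) and packing (question 6: compressed on disk, extracted only in memory) meet in practice: a packed file hides its strings and shows near-random bytes. The following added example, not code from the book, runs a static triage over two constructed in-memory file images, one plain and one wrapped in a zlib stand-in for a packer; the stub layout, thresholds and indicator patterns are assumptions for illustration.

```python
"""Static triage of a file image: hash fingerprint, entropy, printable strings.

Added example, not from the book. Both sample images are constructed here in
memory; the "packed" one is a small fake stub followed by a zlib-compressed
payload, standing in for a real packer that unpacks only at run time.
"""
import hashlib
import math
import random
import re
import zlib
from collections import Counter

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")          # runs of 6+ printable ASCII
INDICATOR_RE = re.compile(r"cmd\.exe|https?://|\\AppData")  # assumed triage patterns
STUB_LEN = 68                                         # 2 + 62 + 4 bytes, see build_samples


def fingerprint(data: bytes) -> str:
    """File fingerprinting: SHA-256 of the bytes, the key used for IoC lookups."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes) -> list:
    return [m.decode("ascii") for m in STRING_RE.findall(data)]


def triage(data: bytes, packed_threshold: float = 7.0) -> dict:
    """Indicators an analyst collects without installing or running the sample."""
    strings = printable_strings(data)
    entropy = shannon_entropy(data)
    return {
        "sha256": fingerprint(data),
        "entropy": round(entropy, 2),
        "string_count": len(strings),
        "suspicious_strings": [s for s in strings if INDICATOR_RE.search(s)],
        # Compressed/encrypted bodies look random; that is the packer tell.
        "likely_packed": entropy > packed_threshold,
    }


def unpack(packed: bytes) -> bytes:
    """What the packer's stub does in memory at run time (dynamic analysis sees this)."""
    return zlib.decompress(packed[STUB_LEN:])


def build_samples():
    """Constructed plain and packed images; nothing here is a real program."""
    rng = random.Random(2024)  # seeded so the example is repeatable
    # Low-entropy filler (16 non-printable byte values) standing in for code.
    filler = bytes(0x80 + rng.getrandbits(4) for _ in range(8192))
    plain = (b"MZ" + b"\x00" * 62
             + b"cmd.exe /c whoami\x00"
             + b"http://example.invalid/beacon\x00"
             + b"C:\\Users\\user\\AppData\\Roaming\x00"
             + filler)
    packed = b"MZ" + b"\x00" * 62 + b"STUB" + zlib.compress(plain, 9)
    return plain, packed


if __name__ == "__main__":
    plain, packed = build_samples()
    for label, image in (("plain", plain), ("packed", packed)):
        print(label, triage(image))
    print("strings after unpacking:", triage(unpack(packed))["suspicious_strings"])
```

The plain image yields its three indicator strings and a low entropy; the packed image yields none of them and a high entropy, so the analyst flags it as packed and escalates to an unpacker or a sandbox rather than concluding it is clean.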

7. An attacker is attempting a DoS attack against a machine. She first spoofs the target’s IP address and then begins sending large amounts of ICMP packets containing the MAC address FF:FF:FF:FF:FF:FF. What attack is underway?

A. ICMP flood

B. Ping of death

C. SYN flood

D. Smurf

E. Fraggle

D. A smurf attack is a generic denial-of-service (DoS) attack against a target machine. The idea is simple: have so many ICMP requests going to the target that all its resources are taken up. To accomplish this, the attacker spoofs the target’s IP address and then sends thousands of ping requests from that spoofed IP to the subnet’s broadcast address. This, in effect, pings every machine on the subnet. Assuming it’s configured to do so, every machine will respond to the request, effectively crushing the target’s network resources.

A is incorrect because an ICMP flood does not act this way. In this attack, the hacker sends ICMP Echo packets to the target with a spoofed (fake) source address. The target continues to respond to an address that doesn’t exist and eventually reaches a limit of packets per second sent.

B is incorrect because a ping of death does not act this way. It’s not a valid attack with modern systems because of preventative measures in the OS; in the ping of death, an attacker fragments an ICMP message to send to a target. When the fragments are reassembled, the resulting ICMP packet is larger than the maximum size and crashes the system. As an aside, each OS has its own method of dealing with network protocols, and the implementation of dealing with particular protocols opens up hacking (DDoS and otherwise) options like this.

C is incorrect because a SYN flood takes place when an attacker sends multiple SYN packets to a target without providing an acknowledgment to the returned SYN/ACK. This is another attack that does not necessarily work on modern systems.

E is incorrect because in a fraggle attack, UDP packets are used. The same principle applies—spoofed IP and Echo requests sent to the broadcast address—but it’s just with UDP.
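From the defender's side, smurf and fraggle share one tell: Echo traffic aimed at a broadcast address whose (spoofed) source names the real victim. The following is an added example, not code from the book; the packet records, the watched subnet, and the reporting threshold are constructed for illustration.

```python
"""Flag smurf- and fraggle-style reflection traffic in packet metadata.

Added example for this question; it is not code from the book. The packet
records below are constructed, not captured.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Subnet this sensor watches; an assumption for the example.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
ICMP_ECHO_REQUEST = 8   # ICMP type used by ping (smurf)
UDP_ECHO_PORT = 7       # UDP echo service (fraggle)


def is_broadcast(dst: str) -> bool:
    """True for the limited broadcast or LOCAL_NET's directed broadcast."""
    addr = ipaddress.ip_address(dst)
    return addr == LIMITED_BROADCAST or addr == LOCAL_NET.broadcast_address


def classify(pkt: Dict) -> Optional[str]:
    """Return 'smurf', 'fraggle', or None for one packet record."""
    if not is_broadcast(pkt["dst"]):
        return None
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST:
        return "smurf"
    if pkt["proto"] == "udp" and pkt.get("dport") == UDP_ECHO_PORT:
        return "fraggle"
    return None


def detect(packets: Iterable[Dict], threshold: int = 5) -> Dict[Tuple[str, str], int]:
    """Count broadcast Echo traffic per (attack, source address).

    The source address is the spoofed victim that will receive every reply,
    so reporting it tells the responder whom the amplification is aimed at.
    Only sources at or above `threshold` packets are returned.
    """
    counts: Counter = Counter()
    for pkt in packets:
        kind = classify(pkt)
        if kind:
            counts[(kind, pkt["src"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample: 8 smurf pings, 6 fraggle datagrams, plus benign noise
# (unicast pings, NetBIOS broadcast on UDP/137, an Echo Reply to broadcast).
SAMPLE_PACKETS = (
    [{"src": "10.0.0.5", "dst": "192.168.1.255", "proto": "icmp", "icmp_type": 8}] * 8
    + [{"src": "10.0.0.9", "dst": "255.255.255.255", "proto": "udp", "dport": 7}] * 6
    + [{"src": "192.168.1.20", "dst": "192.168.1.1", "proto": "icmp", "icmp_type": 8}] * 3
    + [{"src": "192.168.1.21", "dst": "192.168.1.255", "proto": "udp", "dport": 137}] * 2
    + [{"src": "192.168.1.22", "dst": "192.168.1.255", "proto": "icmp", "icmp_type": 0}]
)

if __name__ == "__main__":
    for (kind, victim), n in detect(SAMPLE_PACKETS).items():
        print(f"{kind}: {n} broadcast Echo packets claiming source {victim}")
```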

8. An attacker makes use of the Beacon implant on a target system to hijack a browser session. Which of the following best describes this attack?

A. Man in the browser

B. Man in the middle

C. Man in the pivot

D. IE hijacking

A. Most have heard of session hijacking and man in the middle, but what about man in the browser? A man-in-the-browser (MITB) attack occurs when the hacker sends a Trojan to intercept browser calls. The Trojan basically sits between the browser and libraries, allowing a hacker to watch, and interact within, a browser session. Cobalt Strike creator Peiter C. Zatko added this feature a couple years back (www.advancedpentest.com/help-browser-pivoting). If you have his Beacon (the name of his implant) on a box, you can “browser pivot” such that all of the target’s active sessions become your own. All of them. It effectively sets up a local proxy port so you can point your browser to it, and it directs all your requests through the Beacon on the target machine. Now you’re browsing in your own browser as the target, without them even knowing it.

B is incorrect because this does not necessarily describe a man-in-the-middle (MITM) attack, which is an attack where the hacker positions himself between the client and the server to intercept (and sometimes alter) data traveling between the two.

C and D are incorrect because these are not legitimate terms.

9. Claire’s Windows system at work begins displaying strange activity, and she places a call to the IT staff. On investigation, it appears Claire’s system is infected with several viruses. The IT staff removes the viruses, deleting several file and folder locations and using an AV tool, and the machine is reconnected to the network. Later in the day, Claire’s system again displays strange activity and the IT staff is called once again. Which of the following are likely causes of the re-infection? (Choose all that apply.)

A. Claire revisits a malicious website.

B. Claire opens her Microsoft Outlook e-mail client and newly received e-mail is loaded to her local folder (.pst file).

C. Claire uses a system restore point to regain access to deleted files and folders.

D. Claire uses the organization’s backup application to restore files and folders.

A, C, D. Virus removal can be tricky, especially if nobody knows how and when the virus got on the system in the first place. As a matter of fact, in many places I’ve worked, discovering the source of the virus is as important as cleaning the system in the first place. Cleaning a virus off the system usually involves scrubbing the Microsoft registry, deleting files and folders (don’t forget to check for hidden ones), and a host of other details and actions. Sometimes AV removal applications can help with this process, but sometimes it’s an involved, manual process.

Even with tools to help in removal, administrators can’t afford to overlook system restore points, backups, and user behavior. If a virus is on a system during a system restore copy action, then any restoration of that point will reinstall the virus. The same thing goes for data backups themselves—it should follow that an infected file while being backed up will remain infected during the restore action. As for user behavior, if the user is re-infected immediately following a specific website visit, or after using a USB (or other removable media), at least you can pinpoint the source and hopefully stop it from happening again.

B is incorrect because new e-mail from the server wouldn’t necessarily be the cause of the original infection.

10. In regard to Trojans, which of the following best describes a wrapper?

A. The legitimate file the Trojan is attached to

B. A program used to bind the Trojan to a legitimate file

C. A method of obfuscation using compression

D. A software tool that uses encryption and code manipulation to hide malware

B. Wrappers are programs that allow you to bind an executable of your choice (Trojan) to an innocent file your target won’t mind opening. For example, you might use a program such as EliteWrap to embed a backdoor application with a game file (.exe). A user on your target machine then opens the latest game file (maybe to play a hand of cards against the computer or to fling a bird at pyramids built by pigs) while your backdoor is installing and sits there waiting for your use later. As an aside, many wrappers themselves are considered malicious and will show up on any up-to-date virus signature list.

A is incorrect because the wrapper is not the legitimate file the malware is bound to.

C is incorrect because this describes a packer.

D is incorrect because this describes a crypter.

11. In May of 2017, this ransomware took advantage of a Windows SMB vulnerability known as the Eternal Blue exploit and spread worldwide in a matter of hours. A hidden kill switch inside the coding was quickly discovered, halting its spread. Which of the following best fits this description?

A. Petya

B. WannaCry


C. Zeus

D. Botnet

B. WannaCry was one of the fastest spreading, most dangerous ransomware variants of all time. Taking advantage of Eternal Blue (interestingly enough, an exploit discovered by and shared from the NSA), WannaCry spread to systems worldwide in a matter of hours, demanding ransom payment in bitcoin. Despite patching being available, due to many and varied reasons, multiple millions of systems were unpatched and unprepared for the attack. A built-in kill switch—sending a reply packet to a nonexistent domain, which was registered by a researcher to stop the spread—was discovered within days.

A is incorrect because Petya—while also exploiting Eternal Blue—had a few differences with its WannaCry sibling. Petya, in large measure, appeared to be ransomware you couldn’t pay off. Given its release, appearance, and general exclusivity (at least initially) in Ukraine, speculation was that it was more of a politically motivated and destructive type of malware than a legitimate ransomware effort.

C is incorrect because Zeus is a banking Trojan.

D is incorrect because a botnet refers to a group of zombie systems controlled by an attacker.

12. Which of the following is a legitimate communication path for the transfer of data?

A. Overt

B. Covert

C. Authentic

D. Imitation

E. Actual

A. This is another one of those easy, pure-definition questions you simply can’t miss on your exam. Whether it’s inside a computer, between systems, or across the Internet, any legitimate channel used for communications and data exchange is known as an overt channel. And don’t let the inherent risk with any channel itself make the decision for you—even if the channel itself is a risky endeavor, if it is being used for its intended purpose, it’s still overt. For example, an IRC or a gaming link is still an overt channel, so long as the applications making use of it are legitimate. Overt channels are legitimate communication channels used by programs across a system or a network, whereas covert channels are used to transport data in ways they were not intended for.

B is incorrect because a covert channel, per EC-Council’s own definition, is “a channel that transfers information within a computer system or network in a way that violates security policy.” For example, a Trojan might create a channel for stealing passwords or downloading sensitive data from the machine.

C, D, and E are incorrect because none of these is a term for the communications channel; they are included here as distractors.

13. In what layer of the OSI reference model is session hijacking carried out?

A. Data Link layer

B. Transport layer

C. Network layer

D. Physical layer

B. If you think about a session hijack, this makes sense. Authentication has already occurred, so we know both computers have already found each other. Therefore, the Physical, Data Link, and Network layers have already been eclipsed. And what is being altered and played with in these hijacking attempts? Why, the sequence numbers, of course, and sequencing occurs at the Transport layer. Now, for all you real-world folks out there screaming that communications can be, and truly are, hijacked at every level, let me caution your outrage with something I’ve said repeatedly throughout this book: sometimes the exam and reality are two different things, and if you want to pass the test, you’ll need to memorize this the way EC-Council wants you to. Session hijacking is taught in CEH circles as a measure of guessing sequence numbers, and that’s a Transport layer entity. In the real world, your Physical layer interception of a target would result in access to everything above, but on the exam just stick with “session hijacking = Transport layer.”

A, C, and D are incorrect because these layers are not where a session hijack attack is carried out.

14. A pen test team member types the following command:

nc 222.15.66.78 -p 8765


Which of the following statements is true regarding this attempt?

A. The attacker is attempting to connect to an established listening port on a remote computer.

B. The attacker is establishing a listening port on his machine for later use.

C. The attacker is attempting a DoS against a remote computer.

D. The attacker is attempting to kill a service on a remote machine.

A. As stated earlier, Netcat is a wonderful tool that allows remote access wizardry on a machine, and you’ll need to be able to recognize the basics of the syntax. In the command example, Netcat is being told, “Please attempt a connection to the machine with the IP address of 222.15.66.78 on port 8765; I believe you’ll find the port in a listening state, waiting for our arrival.” Obviously at some point previous to issuing this command on his local machine, the pen tester planted the Netcat Trojan on the remote system (222.15.66.78) and set it up in a listening state. He may have set it up with command-shell access (allowing a Telnet-like connection to issue commands at will) using the following command:

nc -L -p 8765 -t -e cmd.exe

B is incorrect because this command is issued on the client side of the setup, not the server side. At some point previously, the port was set to a listening state, and this Netcat command will access it.

C is incorrect because this command is not attempting a denial of service against the target machine. It’s included here as a distractor.

D is incorrect because this command is not attempting to kill a process or service on the remote machine. It’s included here as a distractor.

15. Examine the partial command-line output listed here:


Which of the following is a true statement regarding the output?

A. This is output from a netstat -an command.

B. This is output from a netstat -b command.

C. This is output from a netstat -e command.

D. This is output from a netstat -r command.

A. You’ll need to get to know Netstat before your exam. It’s not a huge thing, and you won’t get bogged down in minutiae, but you do need to know the basics. Netstat is a great command-line tool built into every Microsoft operating system. From Microsoft’s own description, Netstat “displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols).” It’s a great, easy way to see which ports you have open on your system, helping you to identify any Trojans that may be hanging around. A netstat -an command will show all connections and listening ports in numerical form.

B is incorrect because the -b option displays the executable involved in creating each connection or listening port. Its output appears something like this:

C is incorrect because the -e flag displays Ethernet statistics for the system. The output appears something like this:


D is incorrect because the -r flag displays the route table for the system. Here’s a sampling of the output:
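The practical use of netstat -an the answer describes, reading the listening ports off the output and comparing them with what the host should expose, as an added example that is not the book's code. The netstat output below is constructed in the Windows column layout rather than captured, and the baseline of expected ports is an assumption for the example.

```python
"""Parse `netstat -an` output and flag unexpected TCP listeners.

Added example for this question; not the book's code. SAMPLE_OUTPUT is
constructed in the Windows netstat layout (Proto, Local Address, Foreign
Address, and, for TCP rows only, State).
"""
from typing import List, NamedTuple, Optional, Set, Tuple


class Conn(NamedTuple):
    proto: str
    local_host: str
    local_port: Optional[int]
    remote: str
    state: Optional[str]     # None for UDP rows, which carry no state column


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:445' -> ('[::]', 445); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat_an(text: str) -> List[Conn]:
    """Return one Conn per TCP/UDP row, skipping the banner and header lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        host, port = split_endpoint(parts[1])
        state = parts[3] if len(parts) > 3 else None
        conns.append(Conn(parts[0], host, port, parts[2], state))
    return conns


def listening_ports(conns: List[Conn]) -> List[int]:
    """Distinct TCP ports in LISTENING state, sorted."""
    return sorted({c.local_port for c in conns if c.proto == "TCP" and c.state == "LISTENING"})


def unexpected_listeners(conns: List[Conn], baseline: Set[int]) -> List[Conn]:
    """LISTENING TCP rows whose port is not in the approved baseline."""
    return [c for c in conns
            if c.proto == "TCP" and c.state == "LISTENING" and c.local_port not in baseline]


# Constructed sample. The 0.0.0.0:8765 listener is the kind of thing
# question 14 describes: a Netcat shell sitting in a listening state.
SAMPLE_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8765           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49731     203.0.113.7:443        ESTABLISHED
  TCP    192.168.1.10:49744     192.168.1.5:445        TIME_WAIT
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:5355           *:*
  UDP    [::1]:1900             *:*
"""

# Ports this host is expected to expose (assumption for the example).
BASELINE_PORTS = {135, 445}

if __name__ == "__main__":
    rows = parse_netstat_an(SAMPLE_OUTPUT)
    print("listening:", listening_ports(rows))
    for c in unexpected_listeners(rows, BASELINE_PORTS):
        print(f"unexpected listener: {c.proto} {c.local_host}:{c.local_port}")
```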

16. You are discussing malware with a new pen test member who asks about restarting executables. Which registry keys within Windows automatically run executables and instructions? (Choose all that apply.)

A. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

B. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

C. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

D. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

A, B, C, D. Creating malware and infecting a machine with it is accomplishing only the basics. Getting it to hang around by having it restart when the user reboots the machine? Now we’re talking. The Run, RunOnce, RunServices, and RunServicesOnce registry keys within the HKEY_LOCAL_MACHINE hive are great places to stick executables. Because of this, it’s helpful to run registry monitoring on occasion to check for anything suspicious. Sys Analyzer, Regshot, and TinyWatcher are all options for this.

17. Which of the following is a true statement?

A. Sequence prediction attacks are specific to TCP.

B. Using a protocol in a way it is not intended to be used is an example of an overt channel.

C. All DoS and DDoS attacks are specific to TCP.

D. Fraggle is a TCP-based attack.

A. Sequence prediction attacks are specific to TCP because TCP uses sequence numbers. Unlike the fire-and-forget method employed by UDP, TCP uses sequence numbers and windowing to keep track of conversations. Sequence prediction is a session hijacking procedure where the attacker guesses the next sequence number and launches himself into the data connection between client and server.


B is incorrect because this is an example of a covert channel.

C is incorrect because not all DoS and DDoS attacks are TCP based.

D is incorrect because fraggle is a UDP-based DoS attack.

18. Which denial-of-service attack involves using multiple intermediary and secondary machines to contribute to the DoS effort?

A. SYN flood

B. DRDoS

C. Application-level flood

D. LOIC

B. A distributed reflection denial-of-service (DRDoS) attack is also known as a “spoofed” attack and makes use of multiple intermediary and secondary machines. The bad guy sends attack information to the intermediary machines, which, in turn, send the messages out to the secondary machines. This makes the real source of the attack very difficult to determine (the investigators will see and react to the secondaries, not the originator).


A is incorrect because a SYN flood takes advantage of tons of half-open connections and does not use intermediary systems.

C is incorrect because an application-level flood is a DoS action that floods applications or disrupts application-database communications.

D is incorrect because Low Orbit Ion Cannon (LOIC) is a simple-to-use DDoS tool that floods a target with TCP, UDP, or HTTP requests. It was originally written as open source to attack various Scientology websites but has since had many people voluntarily joining a botnet to support a variety of attacks. LOIC was once used in a coordinated attack against Sony’s PlayStation network, and the tool has a track record of other successful hits: the Recording Industry Association of America, PayPal, MasterCard, and several other companies have all fallen victim to LOIC.

19. Which of the following takes advantage of weaknesses in the fragment reassembly functionality of TCP/IP?

A. Teardrop

B. SYN flood


C. Smurf attack

D. Ping of death

A. ECC can be rather capricious in their choice of which malware to test and which not to, and sometimes they look far into the past for question material. In a teardrop attack, overlapping, mangled packet fragments are sent in an effort to confuse a target system, causing it to reboot or crash. Teardrop attacks exploit an overlapping IP fragment bug present in Windows 95, Windows NT, and Windows 3.1 machines, as well as some early versions of Linux—all more than ten years old. The attack was really more of an annoyance than anything because a reboot clears it all up; however, anything that was open and altered, sitting unsaved on the device, would be lost. In modern systems, finding this attack in use is virtually impossible.

B is incorrect because a SYN flood attack exhausts connections on a device by flooding it with thousands of open SYN packets, never sending any acknowledgments to the return SYN/ACKs.

C is incorrect because a smurf attack involves spoofing the target’s address and then pinging the broadcast address with it. The resulting responses of thousands of ICMP packets kill the machine.

D is incorrect because the ping of death attack involves sending a ping request with an unusually large payload. The ping would be fragmented and, when put together, would kill the target machine.

20. IPSec is an effective preventative measure against session hijacking. Which IPSec mode encrypts only the data payload?

A. Transport

B. Tunnel

C. Protected

D. Spoofed

A. IPSec is a wonderful encryption mechanism that can rather easily be set up between two endpoints or even across your entire subnet if you configure the hosts appropriately. You won’t need to know all the bells and whistles with IPSec (and thank goodness, because there’s a lot to write about), but you do need the basics. Transport mode does not affect the header of the packet at all and encrypts only the payload. It’s typically used as a secured connection between two endpoints, whereas Tunnel mode creates a VPN-like connection protecting the entire session. Additionally, Transport mode is compatible with conventional network address translation (NAT).

B is incorrect because Tunnel mode encapsulates the entire packet, including the header. This is typically used to form a VPN connection, where the tunnel is used across an untrusted network (such as the Internet). For pretty obvious reasons, it’s not compatible with conventional NAT; when the packet goes through the router (or whatever is performing NAT for you), the source address in the packet changes because of Tunnel mode and, therefore, invalidates the packet for the receiving end. There are workarounds for this, generally lumped together as NAT traversal (NAT-T). Many home routers take advantage of something referred to as IPSec passthrough to allow just this.

C and D are incorrect because they are invalid terms involving IPSec.

21. What provides for both authentication and confidentiality in IPSec?

A. AH

B. IKE

C. OAKLEY

D. ESP

D. Encapsulating Security Payload (ESP) is a member of the IPSec protocol suite, and it provides data authentication (proving the data is actually from who it’s supposed to be from) and confidentiality (by encrypting the data). In Transport mode, ESP doesn’t provide integrity and authentication for the entirety of the packet, but it does in Tunnel mode (excluding the outer IP header, of course).

A is incorrect because Authentication Header (AH) provides authentication but not encryption.

B is incorrect because Internet Key Exchange (IKE) is a protocol that produces the security keys.

C is incorrect because OAKLEY is a protocol used to create a master key as well as a key specific to each session in the data transfer. It makes use of the Diffie-Hellman algorithm for this process.


22. Which of the following statements best describes the comparison between spoofing and session hijacking?

A. Spoofing and session hijacking are the same thing.

B. Spoofing interrupts a client’s communication, whereas hijacking does not.

C. Hijacking interrupts a client’s communication, whereas spoofing does not.

D. Hijacking emulates a foreign IP address, whereas spoofing refers to MAC addresses.

C. Hijacking and spoofing can sometimes be confused with each other, although they really shouldn’t be. Spoofing refers to a process where the attacking machine pretends to be something it is not. Whether by faking a MAC address or an IP address, the idea is that other systems on the network will communicate with your machine (that is, set up and tear down sessions) as if it’s the target system. Generally this is used to benefit sniffing efforts. Hijacking is a totally different animal. In hijacking, the attacker jumps into an already existing session, knocking the client out of it and fooling the server into continuing the exchange. In many cases, the client will simply reconnect to the server over a different session, with no one the wiser: the server isn’t even aware of what happened, and the client simply connects again in a different session. As an aside, EC-Council describes the session hijack in these steps:

1. Sniff the traffic between the client and the server.

2. Monitor the traffic and predict the sequence numbering.

3. Desynchronize the session with the client.

4. Predict the session token and take over the session.

5. Inject packets to the target server.

A is incorrect because spoofing and hijacking are different. An argument can be made that hijacking makes use of some spoofing, but the two attacks are separate entities: spoofing pretends to be another machine, eliciting (or setting up) sessions for sniffing purposes, whereas hijacking takes advantage of existing communications sessions.

B is incorrect because spoofing doesn’t interrupt a client’s existing session at all; it’s designed to sniff traffic and/or set up its own sessions.

D is incorrect because spoofing isn’t relegated to MAC addresses only. You can spoof almost anything, from MAC and IP addresses to system names and services.

23. Which of the following is an effective deterrent against TCP session hijacking?

A. Install and use an HIDS on the system.

B. Install and use Tripwire on the system.

C. Enforce good password policy.

D. Use unpredictable sequence numbers.

D. As noted already, session hijacking requires the attacker to guess the proper upcoming sequence number(s) to pull off the attack, pushing the original client out of the session. Using unpredictable session IDs (or, better stated in the real world, using a modern operating system with less predictable sequence numbers) in the first place protects against this. Other countermeasures for session hijacking are fairly common sense: use encryption to protect the channel, limit incoming connections, minimize remote access, and regenerate the session key after authentication is complete. And, lastly, don’t forget user education: if the users don’t know any better, they might not think twice about clicking past the security certificate warning or reconnecting after being suddenly shut down.

A is incorrect because a host-based intrusion detection system may not deter session hijacking at all.

B is incorrect because Tripwire is a file integrity application and won’t do a thing for session hijacking prevention.

C is incorrect because system passwords have nothing to do with session hijacking.

24. Which of the following is a group of Internet computers set up to forward transmissions to other computers on the Internet without the owner’s knowledge or permission?

A. Botnet

B. Zombie

C. Honeypot

D. DDoS

A. A botnet is a group of systems an attacker has control over, without the owner’s knowledge or permission. Each zombie system in the network sends messages and data transmissions for the botnet controller—everything from spam and e-mail to viruses and ads. Although they are probably best known for their roles in distributed denial-of-service attacks, botnets can be used for a variety of activities. As an aside, ECC maintains that botnets are most commonly controlled via IRC (Internet Relay Chat), but in the real world they can be controlled by a host of methods.

B is incorrect because while a botnet is made up of zombie computers, a single zombie does not make up a botnet.

C is incorrect because a honeypot is a system set up specifically to be hacked, so security staff can watch what an attacker is doing.

D is incorrect because a distributed denial-of-service attack may be carried out by a botnet, but it does not define one.

25. Within a TCP packet dump, a packet is noted with the SYN flag set and a sequence number set at A13F. What should the acknowledgment number in the return SYN/ACK packet be?

A. A131


B. A130

C. A140

D. A14F

C. We’ve been over the need for predicting sequence numbers before, so I won’t bore you with it again other than to restate the salient point here: the ISN is incremented by 1 in the SYN/ACK return packet. Because these values were given in hex instead of decimal, all you need to know is what the next hex value after A13F is. You could split it out into binary (each hex digit is 4 bits, so this would equate to 1010000100111111) and then pick the next available number (1010000101000000) and split it back into hex (1010 = A, 0001 = 1, 0100 = 4, and 0000 = 0). Alternatively, you could convert directly to decimal (41279), add 1, and then convert back to hex. And, yes, you do need to know number conversion from decimal to binary to hex, so stop complaining.

A, B, and D are incorrect because none of them is the hex equivalent of decimal 41280 (the acknowledgment number expected for this ISN).
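The rule the answer applies (ISN + 1 in the SYN/ACK) is one instance of the general TCP acknowledgment rule, which the added example below carries through: the ack equals the sequence number plus payload length, plus one each for a SYN and a FIN flag, modulo 2^32. This is not the book's code; the dump records in it are constructed, and hex_walkthrough() reproduces the binary-and-decimal steps the answer describes.

```python
"""Expected ACK number for a TCP reply, with the question's hex walk-through.

Added example for this question; not the book's code. The acknowledgment
carries the next sequence number the receiver expects: seq + payload
length, plus one for a SYN flag and one for a FIN flag, since each of
those flags consumes one sequence number. The field is 32 bits wide, so
all arithmetic wraps modulo 2**32.
"""
from typing import Dict

SEQ_MOD = 1 << 32


def expected_ack(seq: int, payload_len: int = 0, syn: bool = False, fin: bool = False) -> int:
    """Acknowledgment number a correct peer should return for this segment."""
    return (seq + payload_len + int(syn) + int(fin)) % SEQ_MOD


def reply_ack_is_consistent(request: Dict, reply: Dict) -> bool:
    """Check a captured reply's ack against the segment it answers.

    Handy when reviewing a dump: a reply whose ack does not line up with
    the segment it claims to answer was not produced by the real peer.
    """
    return reply["ack"] == expected_ack(
        request["seq"], request.get("payload_len", 0),
        request.get("syn", False), request.get("fin", False))


def hex_walkthrough(hex_isn: str) -> Dict[str, str]:
    """Reproduce the manual steps the answer describes for a short hex ISN such as 'A13F'."""
    value = int(hex_isn, 16)
    width = 4 * len(hex_isn)                     # each hex digit is 4 bits
    nxt = expected_ack(value, syn=True)          # the SYN/ACK case: ISN + 1
    return {
        "binary": format(value, f"0{width}b"),
        "decimal": str(value),
        "next_binary": format(nxt, f"0{width}b"),
        "next_decimal": str(nxt),
        "next_hex": format(nxt, "X"),
    }


if __name__ == "__main__":
    # Constructed dump records for the exchange in the question.
    syn = {"seq": 0xA13F, "syn": True}
    syn_ack = {"seq": 0x5EC0, "ack": 0xA140, "syn": True}
    print(hex_walkthrough("A13F"))
    print("SYN/ACK consistent:", reply_ack_is_consistent(syn, syn_ack))
```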

26. When is session hijacking performed?

A. Before the three-step handshake


B. During the three-step handshake

C. After the three-step handshake

D. After a FIN packet

C. This question should be an easy one for you, but it’s included here to reinforce the point that you need to understand session hijacking steps well for the exam. Of course, session hijacking should occur after the three-step handshake. As a matter of fact, you’ll probably need to wait quite a bit after the three-step handshake so that everything on the session can be set up—authentication and all that nonsense should be taken care of before you jump in and take over.

A and B are incorrect because session hijacking occurs after a session is already established, and the three-step handshake must obviously occur first for this to be true.

D is incorrect because the FIN packet brings an orderly close to the TCP session. Why on Earth would you wait until the session is over to start trying to hijack it?


CHAPTER 11 Cryptography 101

This chapter includes questions from the following topics:

• Describe cryptography and encryption techniques
• Define cryptographic algorithms
• Describe public and private keys generation concepts
• Describe digital signature components and use
• Describe cryptanalysis and code-breaking tools and methodologies
• List cryptography attacks

I’ve lived in four different states and two foreign countries, and each stop along the way in my life offered something irreplaceable, unique, and downright cool. And almost without fail, I didn’t appreciate that irreplaceable, unique, and cool thing until I left for a new locale. Maybe it’s just human nature to look backward and romanticize what is no longer yours, but I think it’s valuable to pause where you’re at right now and take stock of the things you do have available to you and to sometimes marvel at how everything is put together.

Technology is no different, and we’re all guilty of taking it for granted. When you examine how nearly anything in technology works, though, it’s almost a miracle to behold and something definitely not to be taken lightly or just accepted as a given, like gravity or rain. Cryptography is a prime example.

Consider the document I am typing right now. It’s made up of a bunch of 1s and 0s arranged in such a way as to present the text in a readable format on the screen—not to mention all the font formats, bolding, spacing, and other goodies I type in here to make the text more pleasing to the eye. Just pause for a moment and consider the simple act of typing this sentence and how many bits it takes, properly formatted to display the text onscreen or to save and transport it. Then imagine figuring out a way to encrypt the text, also using a bunch of 1s and 0s.

The entire concept is mind-boggling if you really think about it, and it’s something we should all be grateful for. I mean, replacing a letter with a different one based on a number wheel as you write is one thing, and maybe replacing characters with symbols as you jot them down on a sheet of paper doesn’t seem so exciting to you. But consider how this document’s 1s and 0s can be altered in such a way that they make no sense to an outsider but are perfectly readable for anyone I provide the key to. It’s downright magical, I tell you.

Cryptography and cryptanalysis are big parts of the security world and have been ever since the earliest known communication between people. If you’re going to be an ethical hacker, you’re going to have to at least know the basics. The good news is, you are not required to break down the mathematics behind the algorithms. The bad news, though, is that you need to know pretty much everything else about them.

STUDY TIPS Although you’ll still see a few questions peppered about regarding the minutiae of cryptography—things like key lengths, categories of crypto systems (block and stream, symmetric and asymmetric, and so on), and components of crypto systems that only required rote memorization—you’ll find the majority of questions now concentrate on the application of cryptography. And for that, EC-Council deserves a round of applause.

I’m not saying ignore the detail-oriented memorization stuff (you still have to know characteristics of algorithms and key lengths, for example), far from it. For example, PKI is always going to be high on the testing list, and simply remembering that you encrypt with a public key and decrypt with a private key will nab you a couple questions without fail. However, you’ll definitely need to have a solid understanding of the entire system and what makes it: questions on certificate authorities, trust systems, and cross-certification will undoubtedly show up. And, for goodness sake, be sure to know the difference between a digital certificate and a digital signature.

Scenario-based questioning will be more the norm, and while these questions may seem fairly straightforward, you’ll still need to pay close attention. Know your cryptographic attacks very well—you’ll definitely see things like Heartbleed, POODLE, Shellshock, DROWN, and others on your exam.


QUESTIONS

1. An attacker employs a Metasploit auxiliary module that exploits a built-in feature of OpenSSL. In the effort, the attacker’s system sends a single byte of data representing it has received 64KB. The target responds by sending back 64KB of data from its memory. Which of the following attacks is being described?

A. POODLE

B. FREAK

C. Heartbleed

D. DROWN

2. Which of the following statements is true regarding digital signatures?

A. Digital signatures are issued once per user, to be used on all documents until they expire.

B. A digital signature is a plain hash of the document contents.

C. Digital signatures are issued per file type, allowing each to be used on multiple files until they expire.

D. A digital signature cannot be moved from one document to another.

3. Which of the following statements are true regarding a PKI system? (Choose two.)

A. The CA encrypts all messages.

B. The CA is the trusted root that issues certificates.

C. The CA is the recovery agent for lost certificates.

D. The RA verifies an applicant to the system.

E. The RA issues all certificates.

F. The RA encrypts all messages.

4. A person approaches a network administrator and wants advice on how to send encrypted e-mail from home. The end user does not want to have to pay for any license fees or manage server services. Which of the following offers a method for sending encrypted e-mail without having to pay for license fees or manage a server?

A. IP Security (IPSec)

B. Multipurpose Internet Mail Extensions (MIME)

C. Pretty Good Privacy (PGP)

D. Hypertext Transfer Protocol with Secure Socket Layer (HTTPS)

5. Which of the following is best defined as an encryption protocol commonly used for e-mail security?

A. PGP

B. Keyczar

C. RSA

D. MD5

6. You’re describing a basic PKI system to a new member of the team. He asks how the public key can be distributed within the system in an orderly, controlled fashion so that the users can be sure of the sender’s identity. Which of the following would be your answer?

A. Digital signature

B. Hash value

C. Private key

D. Digital certificate

E. Nonrepudiation

7. After TLS had largely replaced SSL for secure communications, many browsers retained backward compatibility to SSL 3.0. Which vulnerability takes advantage of the degradation of service down to SSL 3.0 in the TLS handshake?

A. Heartbleed

B. FREAK

C. DROWN


D. POODLE

8. Which mode of IPSec is most often chosen for internal communications?

A. AH

B. ESP

C. Tunnel

D. Transport

9. An organization is concerned about corporate espionage and has evidence suggesting an internal employee has been communicating trade secrets to a competitor. After some investigation, the employee leaking secrets was identified. Monitoring of the employee’s previous communications outside the company revealed nothing out of the ordinary, save for some large unencrypted e-mails containing image files of humorous pictures to external addresses. Which of the following is the most logical conclusion based on these facts?

A. E-mail encryption allowed the user to hide files.

B. The user hid information in the image files using steganography.

C. Logical watermarking of images and e-mails fed the sensitive files piece by piece to the competitor.

D. SMTP transport fuzzing was used.

10. A hacker has gained access to several files. Many are encrypted, but one is not, and it happens to be an unencrypted version of an encrypted file. Which of the following is the best choice for possibly providing a successful break into the encrypted files?

A. Cipher text only

B. Known plain text

C. Chosen cipher text

D. Replay

11. Which of the following methods should be used to check for the Heartbleed vulnerability?

A. Use the ssl-heartbleed script in nmap.

B. Connect via TLS to each system and examine the response handshake.

C. Use ping -ssl and examine the responses.

D. Use Tripwire.

12. What is the XOR output of 01010101 and 11001100?

A. 01100110

B. 10101010

C. 10011001


D. 00110011

13. Amy and Claire work in an organization that has a PKI system in place for securing messaging. Amy encrypts a message for Claire and sends it on. Claire receives the message and decrypts it. Within a PKI system, which of the following statements is true?

A. Amy encrypts with her private key. Claire decrypts with her private key.

B. Amy encrypts with her public key. Claire decrypts with her public key.

C. Amy encrypts with Claire’s private key. Claire decrypts with her public key.

D. Amy encrypts with Claire’s public key. Claire decrypts with her private key.

14. Hope works on a security team, and her laptop contains many confidential files. Which of the following is the best choice for protection of those files from loss or theft of the laptop?

A. Set a BIOS password

B. Create hidden folders to store the files in

C. Password protect the files

D. Install Full Disk Encryption

15. Which of the following statements is not true regarding steganography?


A. Steganography can use least significant bit insertion, masking, and filtering as techniques to hide messaging.

B. Steganography only works on color images.

C. Image files embedded with steganography may be larger in size and display strange color palettes.

D. Character positioning, text patterns, unusual blank spaces, and language anomalies can all be symptoms of a text file embedded with steganography.

16. An SSL session requires a client and a server to pass information between each other via a handshake and to agree on a secured channel. Which of the following best describes the session key creation during the setup of an SSL session?

A. The server creates the key after verifying the client’s identity.

B. The server creates the key immediately on the client connection.

C. The client creates the key using the server’s public key.

D. The client creates the key after verifying the server’s identity.

17. Which encryption algorithm uses variable block sizes (from 32 to 128 bits)?

A. SHA-1

B. RC5

C. 3DES

D. AES

18. Which hash algorithm was developed by the NSA and produces output values up to 512 bits?

A. MD5

B. SHA-1

C. SHA-2

D. SSL

19. You are concerned about protecting data on your organization’s laptops from loss or theft. Which of the following technologies best accomplishes this goal?

A. Single sign-on

B. Cloud computing

C. IPSec Tunnel mode

D. Full disk encryption

20. In a discussion on symmetric encryption, a friend mentions that one of the drawbacks with this system is scalability. He goes on to say that for every person you add to the mix, the number of keys increases dramatically. If seven people are in a symmetric encryption pool, how many keys are necessary?

A. 7

B. 14

C. 21

D. 28

21. Which of the following is a true statement?

A. Symmetric encryption scales easily and provides for nonrepudiation.

B. Symmetric encryption does not scale easily and does not provide for nonrepudiation.

C. Symmetric encryption is not suited for bulk encryption.

D. Symmetric encryption is slower than asymmetric encryption.

22. The PKI system you are auditing has a certificate authority (CA) at the top that creates and issues certificates. Users trust each other based on the CA. Which trust model is in use here?

A. Stand-alone CA

B. Web of trust

C. Single authority

D. Hierarchical trust

23. A portion of a digital certificate is shown here:


Which of the following statements is true?

A. The hash created for the digital signature holds 160 bits.

B. The hash created for the digital signature holds 2048 bits.

C. RSA is the hash algorithm used for the digital signature.

D. This certificate contains a private key.

24. Bit streams are run through an XOR operation. Which of the following is a true statement for each bit pair regarding this function?

A. If the first value is 0 and the second value is 1, then the output is 0.

B. If the first value is 1 and the second value is 0, then the output is 0.

C. If the first value is 0 and the second value is 0, then the output is 1.

D. If the first value is 1 and the second value is 1, then the output is 0.

25. Which of the following attacks attempts to re-send a portion of a cryptographic exchange in hopes of setting up a communications channel?

A. Known plain text

B. Chosen plain text

C. Man in the middle

D. Replay

26. Within a PKI system, which of the following is an accurate statement?

A. Bill can be sure a message came from Sue by using his public key to decrypt it.

B. Bill can be sure a message came from Sue by using his private key to decrypt it.

C. Bill can be sure a message came from Sue by using her private key to decrypt the digital signature.

D. Bill can be sure a message came from Sue by using her public key to decrypt the digital signature.

27. A systems administrator is applying digital certificates for authentication and verification services inside his network. He creates public and private key pairs using Apple’s Keychain and uses the public key to sign documents that are used throughout the network. Which of the following certificate types is in use?

A. Public

B. Private

C. Signed

D. Self-signed


QUICK ANSWER KEY

1. C

2. D

3. B, D

4. C

5. A

6. D

7. D

8. D

9. B

10. B

11. A

12. C

13. D

14. D

15. B

16. D

17. B

18. C

19. D


20. C

21. B

22. C

23. A

24. D

25. D

26. D

27. D


ANSWERS

1. An attacker employs a Metasploit auxiliary module that exploits a built-in feature of OpenSSL. In the effort, the attacker’s system sends a single byte of data representing it has received 64KB. The target responds by sending back 64KB of data from its memory. Which of the following attacks is being described?

A. POODLE

B. FREAK

C. Heartbleed

D. DROWN

C. Back when it was discovered in March of 2014, Heartbleed was described as the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet. Heartbleed exploits a small feature in OpenSSL that turned out to present a very big problem. OpenSSL uses a heartbeat during an open session to verify that data was received correctly, and it does this by “echoing” data back to the other system. Basically one system tells the other, “I received what you sent and it’s all good. Go ahead and send more.” In Heartbleed, an attacker sends a single byte of data while telling the server it sent 64KB of data. The server will then send back 64KB of random data from its memory. Items such as usernames and passwords, private keys (which is exceptionally troubling, since future communication could be decrypted), cookies, and a host of other nifty bits of information could be easily stolen.

A is incorrect because this does not describe POODLE. POODLE (Padding Oracle On Downgraded Legacy Encryption) is a vulnerability in the backward-compatibility steps taken by TLS clients.

B is incorrect because this does not describe FREAK. Factoring Attack on RSA-EXPORT Keys (FREAK) is a man-in-the-middle attack that forces a downgrade of an RSA key to a weaker length. The attacker forces the use of a weaker encryption key length, enabling successful brute-force attacks.

D is incorrect because this does not describe DROWN. DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS (in particular, SSLv2 connections).
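To make the "one byte sent, 64KB claimed" mechanism in the answer concrete, here is a small Python model of heartbeat handling, added here as an illustration and not code from this book or from OpenSSL. It uses the real RFC 6520 message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); the receive buffer, the "other data" that follows it, and the 64-byte claimed length (the page's 64KB scaled down) are all constructed for the demo, and the only difference between the two modes is the bounds check the fix introduced.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1   # HeartbeatMessageType value for a request (RFC 6520)
PADDING_MIN = 16        # a heartbeat message must carry at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request: type (1 byte), payload length (2 bytes), payload, padding.

    claimed_len lets the demo construct a message whose length field does not match
    the payload actually carried."""
    claimed = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed) + payload + b"\x00" * PADDING_MIN


def handle_heartbeat(memory: bytes, record_len: int, patched: bool) -> Optional[bytes]:
    """Model of the server side of the heartbeat exchange.

    memory is a constructed receive buffer: memory[:record_len] is the heartbeat record
    that really arrived, and whatever follows stands in for unrelated process memory.
    Returns the bytes the server would echo back, or None when the record is discarded."""
    if record_len < 3:
        return None
    mtype, claimed = struct.unpack("!BH", memory[:3])
    if mtype != HEARTBEAT_REQUEST:
        return None
    # The fix: header + claimed payload + minimum padding must fit inside the record
    # that was actually received. The unpatched code skipped this check, trusted the
    # sender's length field, and copied 'claimed' bytes from the buffer regardless.
    if patched and 1 + 2 + claimed + PADDING_MIN > record_len:
        return None
    return bytes(memory[3:3 + claimed])


def demo() -> dict:
    """Constructed scenario: a one-byte payload whose length field claims 64 bytes,
    sitting in front of other data in the buffer."""
    record = build_heartbeat(b"A", claimed_len=64)
    buffer = record + b"<other data that happens to follow in memory>"
    honest = build_heartbeat(b"ping")
    return {
        "unpatched_lying_request": handle_heartbeat(buffer, len(record), patched=False),
        "patched_lying_request": handle_heartbeat(buffer, len(record), patched=True),
        "patched_honest_request": handle_heartbeat(honest, len(honest), patched=True),
    }


if __name__ == "__main__":
    for name, echoed in demo().items():
        print(f"{name}: {echoed!r}")
```

Only the patched branch refuses the mismatched record; the unpatched branch echoes the bytes beyond the record, which is the whole bug.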

2. Which of the following statements is true regarding digital signatures?

A. Digital signatures are issued once per user, to be used on all documents until they expire.

B. A digital signature is a plain hash of the document contents.

C. Digital signatures are issued per file type, allowing each to be used on multiple files until they expire.

D. A digital signature cannot be moved from one document to another.

D. If you know how a digital signature is created, this one is easy. The signature is nothing more than a hash of the document contents—making sure the contents don’t change between sender and receiver—encrypted with the sender’s private key. By using the private key, anyone holding the sender’s public key (sent from the CA) can decrypt said hash of document contents, ensuring the sender’s identity and comparing the hash to ensure document authenticity.

A and C are both incorrect for the same reason—digital signatures aren’t used across documents; they are explicitly created once per document.

B is incorrect because a hash of the document is but one portion of the digital signature.
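The sign-with-private-key, verify-with-public-key flow in this answer (and the opposite key direction asked about in questions 13 and 26) as a runnable illustration, added here and not taken from the book: textbook RSA with a toy key pair, no padding, and a SHA-256 digest reduced into the tiny message space. Everything about the key (the primes 61 and 53, exponent 17) is constructed for the demo, and one key pair plays both sender and recipient so the two directions can be compared side by side.

```python
import hashlib

# Toy RSA key pair, constructed for illustration only: real keys use primes of
# a thousand-plus bits and padded signatures, never raw "textbook" RSA like this.
P, Q = 61, 53
N = P * Q                           # public modulus, 3233
E = 17                              # public exponent (published in the certificate)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, 2753 (never shared)


def document_hash(document: bytes) -> int:
    """Hash the document contents and reduce the digest into the RSA message space."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes, private_exp: int = D) -> int:
    """The signature is the document hash 'encrypted' with the sender's private key."""
    return pow(document_hash(document), private_exp, N)


def recover_hash(signature: int, public_exp: int = E) -> int:
    """Anyone holding the sender's public key can decrypt the signature back into a hash."""
    return pow(signature, public_exp, N)


def verify(document: bytes, signature: int, public_exp: int = E) -> bool:
    """Recompute the hash of the document in hand and compare it with the recovered one.
    A signature lifted from a different document fails here, which is option D above."""
    return recover_hash(signature, public_exp) == document_hash(document)


def encrypt_for_recipient(message: int, recipient_public_exp: int = E) -> int:
    """Confidentiality direction (question 13): encrypt with the recipient's public key."""
    return pow(message, recipient_public_exp, N)


def decrypt_with_private(ciphertext: int, private_exp: int = D) -> int:
    """Only the holder of the matching private key can recover the message."""
    return pow(ciphertext, private_exp, N)


if __name__ == "__main__":
    contract = b"Pay Bill 100 credits"        # constructed sample document
    sig = sign(contract)
    print("signature verifies on the signed document:", verify(contract, sig))
    print("same signature on an altered document:", verify(contract + b"0", sig))
    print("round trip of a small message:", decrypt_with_private(encrypt_for_recipient(42)))
```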

3. Which of the following statements are true regarding a PKI system? (Choose two.)

A. The CA encrypts all messages.

B. The CA is the trusted root that issues certificates.

C. The CA is the recovery agent for lost certificates.

D. The RA verifies an applicant to the system.

E. The RA issues all certificates.

F. The RA encrypts all messages.

B, D. A PKI system consists of a bunch of parts, but the certificate authority is right at the top. The CA issues, maintains, and protects all the certificates for the system and maintains the certificate revocation list (CRL). It is the one place everything in the system can go to for protected data. The registration authority (RA) does several functions to take the load off the CA, and verifying the identity of an applicant wanting to use the system is one of the major tasks.


A, C, E, and F are all incorrect because they do not correctly describe a PKI environment. The CA does not encrypt messages and is not a recovery agent for lost ones. The RA does not issue certificates or encrypt messages.

4. A person approaches a network administrator and wants advice on how to send encrypted e-mail from home. The end user does not want to have to pay for any license fees or manage server services. Which of the following offers a method for sending encrypted e-mail without having to pay for license fees or manage a server?

A. IP Security (IPSec)

B. Multipurpose Internet Mail Extensions (MIME)

C. Pretty Good Privacy (PGP)

D. Hypertext Transfer Protocol with Secure Socket Layer (HTTPS)

C. I’m pretty sure you understand this comment already, but I’ll say it again here to reinforce it: sometimes things on your CEH exam simply don’t match up with reality. This question is a prime example. EC-Council, and their documentation up through version 8, defines Pretty Good Privacy (PGP) as a free, open source, e-mail encryption method available for all to use. In truth, PGP is now synonymous with a single company’s offering, based on the original PGP. The true open source, free side of it now is known more as OpenPGP (www.openpgp.org/). OpenPGP uses a decentralized system of trusted introducers that act in the same way as a certificate authority. Basically, in this web-of-trust relationship, if User A signs User B’s certificate, then anyone who trusts User A will also trust User B. You can find downloads for software still using the free, open PGP at www.pgpi.org/.

A is incorrect because IPSec is not intended as an e-mail encryption standard; it creates tunnels for the secure exchange of data from one system to another.

B is incorrect because MIME is an Internet standard that allows the text-only protocol SMTP to transport nontext entities, such as pictures and non-ASCII character sets.

D is incorrect because HTTPS is not intended as an e-mail encryption standard. It sets up a secured means of transporting data within a session and is usually associated with web traffic.

Technet24||||||||||||||||||||

||||||||||||||||||||

Page 611: CEH Certified Ethical Hacker Practice Exams, Fourth

5. Which of the following is best defined as an encryption protocol commonly used for e-mail security?

A. PGP

B. Keyczar

C. RSA

D. MD5

A. Even though it’s probably best known as an e-mail security protocol/application, Pretty Good Privacy (PGP) can be used for a variety of purposes. PGP is used for encryption and decryption of messaging (including e-mail), data compression, digital signing, and even whole disk encryption. It provides authentication and privacy as well as combines conventional and public-key cryptography.

Don’t get this confused with S/MIME. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standards-based protocol that can also encrypt messages; however, it does not provide many of the other features PGP offers (most importantly, whole disk encryption).

B is incorrect because Keyczar is an open source cryptographic toolkit designed to help developers to use cryptography in their applications.

C is incorrect because RSA is an asymmetric encryption algorithm that makes use of two large prime numbers. Factoring these numbers creates key sizes up to 4096 bits. RSA can be used for encryption and digital signatures, and it’s the modern de facto standard for those purposes.

D is incorrect because MD5 is a hash algorithm, and as we all know, hash algorithms don’t encrypt anything. Sure, they’re great at integrity checks, and, yes, you can pass a hash of something in place of the original (sending a hash of a stored password, for instance, instead of the password itself). However, this is not true encryption.

6. You’re describing a basic PKI system to a new member of the team. He asks how the public key can be distributed within the system in an orderly, controlled fashion so that the users can be sure of the sender’s identity. Which of the following would be your answer?

A. Digital signature

B. Hash value


C. Private key

D. Digital certificate

E. Nonrepudiation

D. This one is actually easy, yet it is confusing to a lot of folks. You have to remember the goal of this little portion of a PKI system—how does one know this public key really belongs to User Joe and not User Mike, and how can it be delivered safely to everyone? A digital certificate is the answer because it contains the sender’s public key and can be used to identify the sender. Because the CA provides the certificate and key (public), the user can be certain the public key actually belongs to the intended recipient. This simplifies distribution of keys as well, because users can go to a central authority—a key store, if you will—instead of directly to each user in the organization. Without central control and digital certificates, it would be a madhouse, with everyone chucking public keys at one another with wild abandon. And PKI is no place for Mardi Gras, my friend.

A is incorrect because although a digital signature does provide a means for verifying an identity (encryption with your private key, which can be decrypted only with your corresponding public key, proves you are indeed you), it doesn’t provide any means of sending keys anywhere. A digital signature is nothing more than an algorithmic output that is designed to ensure the authenticity (and integrity) of the sender. You need it to prove your certificate’s authenticity, but you need the certificate in order to send keys around.

B is incorrect because a hash value has nothing to do with sending public keys around anywhere. Yes, hash values are “signed” to verify authenticity, but that’s it. There is no transport capability in a hash. It’s just a number and, in this case, a distractor answer.

C is incorrect for a number of reasons, but one should be screaming at you from the page right now: you never, never send a private key anywhere. If you did send your private key off, it wouldn’t be private anymore, now would it? The private key is simply the part of the pair used for encryption. It is never shared with anyone.

E is incorrect because nonrepudiation is a definition term and has nothing to do with the transport of keys. Nonrepudiation is the means by which a recipient can ensure the identity of the sender, and neither party can deny having sent or received the message.

7. After TLS had largely replaced SSL for secure communications, many browsers retained backward compatibility to SSL 3.0. Which vulnerability takes advantage of the degradation of service down to SSL 3.0 in the TLS handshake?

A. Heartbleed

B. FREAK

C. DROWN

D. POODLE

D. POODLE (Padding Oracle On Downgraded Legacy Encryption) was discovered by Google’s security team and announced to the public on October 14, 2014. This time it was a case of backward compatibility being a problem. Many browsers would revert to SSL 3.0 when a TLS connection was unavailable, and because TLS performs a handshake effort designed to degrade service until something acceptable (i.e., a degraded encryption both sides can use) is found, if a hacker could jump in the connection between client and server, he could interfere with these handshakes, making them all fail. This would result in the client dropping all the way to SSL 3.0.

SSL 3.0 has a design flaw that allows the padding data at the end of a block cipher to be changed so that the encryption cipher becomes less secure each time it is passed. If the same secret—let’s say a password—is sent over several sessions, more and more information about it will leak. Eventually the connection may as well be plain text, and the attacker sitting in the middle can see everything. Mitigation for POODLE is simple—don’t use SSL 3.0 anywhere.

A is incorrect because Heartbleed exploits the heartbeat function in OpenSSL, which allows 64KB of random memory to be transferred to the attacker.

B is incorrect because Factoring Attack on RSA-EXPORT Keys (FREAK) is a man-in-the-middle attack that forces a downgrade of an RSA key to a weaker length.

C is incorrect because DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS (in particular, SSLv2 connections).


8. Which mode of IPSec is most often chosen for internal communications?

A. AH

B. ESP

C. Tunnel

D. Transport

D. IPSec is a Network layer encryption protocol that can be used in two modes: Tunnel and Transport. In Transport mode, the data payload is encrypted but the rest of the packet (the IP header in particular) is not touched. This works well internally, between end stations, or between an end station and a gateway, if the gateway is being treated as a host. NAT is not supported by Transport mode, although it can be combined with other tunneling protocols.

A is incorrect because the Authentication Header (AH) is a protocol in the IPSec suite, verifying an IP packet’s integrity and determining the validity of its source.

B is incorrect because Encapsulating Security Payload (ESP) is another protocol in the IPSec suite, and it actually encrypts each packet.

C is incorrect because Tunnel mode encrypts the entire packet, including the headers. It’s not that you can’t use Tunnel mode inside the network; it’s just not common or recommended.

9. An organization is concerned about corporate espionage and has evidence suggesting an internal employee has been communicating trade secrets to a competitor. After some investigation, the employee leaking secrets was identified. Monitoring of the employee’s previous communications outside the company revealed nothing out of the ordinary, save for some large unencrypted e-mails containing image files of humorous pictures to external addresses. Which of the following is the most logical conclusion based on these facts?

A. E-mail encryption allowed the user to hide files.

B. The user hid information in the image files using steganography.

C. Logical watermarking of images and e-mails fed the sensitive files piece by piece to the competitor.

D. SMTP transport fuzzing was used.

B. In this circumstance, you know the employee has been sending sensitive documents out of the network. IDS obviously hasn’t picked up on anything, and there was nothing overtly done to give away the intent. The only thing out of the ordinary turned out to be large e-mail files holding nothing but images. Given the answers provided, steganography is the most logical choice, and the user simply folded the sensitive data into the latest joke image he found and sent it on its merry way.

A is incorrect because e-mail encryption isn’t in place—it’s specifically called out in the question and wouldn’t necessarily allow external encryption or hide the information from later forensics examinations.

C and D are incorrect because logical watermarking and SMTP transport fuzzing, as far as I know, don’t even exist. They sound cool and may appear legitimate, but they’re definitely not the answer you’re looking for.

10. A hacker has gained access to several files. Many are encrypted, but one is not, and it happens to be an unencrypted version of an encrypted file. Which of the following is the best choice for possibly providing a successful break into the encrypted files?


A. Cipher text only

B. Known plain text

C. Chosen cipher text

D. Replay

B. There is definitely some room for argument on this question: Who’s to say all the files were encrypted in the same way? However, of the options presented, known plain text is the one that makes the most sense. In this attack, the hacker has both plain-text and cipher-text messages. Plain-text copies are scanned for repeatable sequences, which are then compared to the cipher-text versions. Over time, and with effort, this can be used to decipher the key.

A is incorrect, but just barely so. I’m certain some of you are arguing that a cipher-text-only attack could also be used here because in that attack several messages encrypted in the same way are run through statistical analysis to eventually reveal repeating code, which may be used to decode messages later. Sure, an attacker might just ignore the plain-text copy in there, but the inference in the question is that he’d use both. You’ll often see questions like this where you’ll need to take into account the inference without overthinking the question.

C is incorrect because chosen cipher text works almost exactly like a cipher-text-only attack. Statistical analysis without a plain-text version for comparison can be performed, but it’s only for portions of gained cipher text. That’s the key word to look for. As an aside, RSA is susceptible to this attack in particular (an attacker can use a user’s public key to encrypt plain text and then decrypt the result to find patterns for exploitation).

D is incorrect because it’s irrelevant to this scenario. Replay attacks catch streams of data and replay them to the intended recipient from another sender.

11. Which of the following methods should be used tocheck for the Heartbleed vulnerability?

A. Use the ssl-heartbleed script in nmap.

B. Connect via TLS to each system and examine the response handshake.

C. Use ping -ssl and examine the responses.

D. Use Tripwire.

A. An nmap scan can show you a variety of information, and thankfully it also provides a quick means to check for Heartbleed. Using the ssl-heartbleed script will return “NOT VULNERABLE” on systems without the vulnerability. Syntax for the script use is nmap -d --script ssl-heartbleed --script-args vulns.showall -sV IPADDRESS (where IPADDRESS is the host, or range, you are testing).

B is incorrect because Heartbleed has nothing to do with TLS.

C is incorrect because there is no such thing as the ping -ssl command.

D is incorrect because Tripwire is a conglomeration of tool actions that perform the overall IT security efforts for an enterprise. Tripwire provides for integrity checks, regulatory compliance, configuration management, among other things, but not Heartbleed scans.

12. What is the XOR output of 01010101 and 11001100?

A. 01100110

B. 10101010

C. 10011001

D. 00110011

C. XOR operations are used a lot in various encryption efforts (in addition to many other uses). In an XOR operation, two bits are compared. If the bits match, the output is a zero. If they don’t, the output is a 1. In this example, put 01010101 on top of 11001100 and compare each bit, one by one. The first bit in each set is 0 and 1, respectively, so the XOR output is 1. The second bit in each set is 1 and 1, respectively. Therefore, since they match, the output is 0. Continuing bit by bit, the output would be 10011001.

A, B, and D are incorrect because these do not represent the output of an XOR on these two inputs.

13. Amy and Claire work in an organization that has a PKI system in place for securing messaging. Amy encrypts a message for Claire and sends it on. Claire receives the message and decrypts it. Within a PKI system, which of the following statements is true?

A. Amy encrypts with her private key. Claire decrypts with her private key.

B. Amy encrypts with her public key. Claire decrypts with her public key.

C. Amy encrypts with Claire’s private key. Claire decrypts with her public key.

D. Amy encrypts with Claire’s public key. Claire decrypts with her private key.

D. When it comes to PKI encryption questions, remember the golden rule: encrypt with public, decrypt with private. In this instance, Amy wants to send a message to Claire. She will use Claire’s public key—which everyone can get—to encrypt the message, knowing that only Claire, with her corresponding private key, can decrypt it.

A is incorrect because you do not encrypt with a private key in a PKI system. Yes, you can encrypt with it, but what would be the point? Anyone with your public key—which everyone has—could decrypt it! Remember, private = decrypt, public = encrypt.

B is incorrect because, in this case, Amy has gotten her end of the bargain correct, but Claire doesn’t seem to know what she’s doing. PKI encryption is done in key pairs—what one key encrypts, the other decrypts. So, her use of her own public key to decrypt something encrypted with Amy’s key—a key from a completely different pair—is baffling.

C is incorrect because there is no way Amy should have anyone’s private key, other than her own. That’s kind of the point of a private key—you keep it to yourself and don’t share it with anyone. As a note here, the stated steps would actually work—that is, one key encrypts, so the other decrypts—but it’s completely backward for how the system is supposed to work. It’s an abomination to security, if you will.

14. Hope works on a security team, and her laptop contains many confidential files. Which of the following is the best choice for protection of those files from loss or theft of the laptop?

A. Set a BIOS password

B. Create hidden folders to store the files in

C. Password protect the files

D. Install Full Disk Encryption

D. Full disk encryption (FDE), otherwise known as data-at-rest protection, is designed explicitly for this purpose. In an enterprise-level system, each laptop (or other portable system) disk is encrypted and assigned a password (PIN) only the owner knows and a means to generate and use a recovery key. At boot, the owner enters the key and the disk is unlocked for use. If the password is forgotten, the recovery key can be generated and used to unlock the drive. This protects the data from loss or theft of the system itself.

A is incorrect because while setting a BIOS password isn’t necessarily a bad idea, it’s not a foolproof way to protect the data. The drive itself can simply be pulled out of the laptop and forensically examined for data extraction.

B is incorrect because “hidden” folders won’t provide any protection at all.

C is incorrect because, although password protecting the files isn’t necessarily a bad idea, it doesn’t provide for protection of the data. As we’ve discussed on multiple occasions in this and the companion book, passwords can be broken, and usually fairly easily—especially with physical access to the drive.

15. Which of the following statements is not true regarding steganography?

A. Steganography can use least significant bit insertion, masking, and filtering as techniques to hide messaging.

B. Steganography only works on color images.

C. Image files embedded with steganography may be larger in size and display strange color palettes.

D. Character positioning, text patterns, unusual blank spaces, and language anomalies can all be symptoms of a text file embedded with steganography.

B. Steganography is the practice of concealing a message inside another medium (such as another file or an image) in such a way that only the sender and recipient even know of its existence, let alone the manner in which to decipher it. It can be as simple as hiding the message in the text of a written correspondence or as complex as changing bits within a huge media file to carry a message. Steganography can be embedded in color or grayscale images, text files, audio files, and even in video. In grayscale images, steganography is usually implemented via masking (also known as filtering, which hides the data in much the same way as a watermark on a document).

A, C, and D are incorrect because these are true statements regarding steganography.
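To make option A concrete, here is an added example (my own code, not the book’s) of least significant bit insertion in Python: a message is written into the lowest bit of each pixel of a constructed grayscale image, recovered again, and the per-pixel change measured. The image is a plain list of 8-bit values rather than a real image file, so only the standard library is needed; the 32-bit length header is my own framing convention, not part of any standard.

```python
"""Least-significant-bit (LSB) steganography on a constructed grayscale image.

Added illustration of LSB insertion; not code from the book. The "image" is a
constructed list of 8-bit pixel values rather than a real PNG, so it runs
offline with no image library.
"""


def _bits(data):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(pixels):
    """One LSB per pixel; the first 32 pixels are reserved for the length header."""
    return max(0, (len(pixels) - 32) // 8)


def embed(pixels, message):
    """Return a copy of pixels with message hidden in their LSBs.

    A 32-bit big-endian length header (own convention) precedes the payload so
    the extractor knows where the message ends. Raises ValueError if it does
    not fit.
    """
    if len(message) > capacity_bytes(pixels):
        raise ValueError("message does not fit in cover image")
    payload = len(message).to_bytes(4, "big") + message
    out = list(pixels)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit  # clear the LSB, then set it to the message bit
    return out


def extract(pixels):
    """Recover a message previously hidden with embed()."""
    lsbs = [p & 1 for p in pixels]

    def take(n_bits, start):
        value = 0
        for b in lsbs[start:start + n_bits]:
            value = (value << 1) | b
        return value

    length = take(32, 0)
    if 32 + 8 * length > len(lsbs):
        raise ValueError("length header exceeds image size; no valid payload")
    return bytes(take(8, 32 + 8 * i) for i in range(length))


def max_pixel_change(cover, stego):
    """Largest per-pixel difference; LSB embedding never moves a pixel by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover image: a 16x16 grayscale gradient, 256 pixels, values 0-255.
COVER = [(x * 8 + y * 8) % 256 for y in range(16) for x in range(16)]
SECRET = b"meet at noon"  # 12 bytes -> 96 bits + 32-bit header = 128 pixels used

if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    print("capacity:", capacity_bytes(COVER), "bytes")
    print("recovered:", extract(stego))
    print("max pixel change:", max_pixel_change(COVER, stego))
```

Because each pixel moves by at most one brightness level, the stego image is indistinguishable from the cover by eye; this is why steganalysis tools examine the statistics of the LSB plane rather than the picture itself (in this constructed cover every LSB is zero, so the embedded region is easy to spot that way).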

16. An SSL session requires a client and a server to pass information between each other via a handshake and to agree on a secured channel. Which of the following best describes the session key creation during the setup of an SSL session?

A. The server creates the key after verifying the client’s identity.

B. The server creates the key immediately on the client connection.

C. The client creates the key using the server’s public key.

D. The client creates the key after verifying the server’s identity.

D. In the CEH world, SSL has six major steps (others claim seven or more, but we’re studying for the CEH certification here, so we’ll stick with theirs). The six steps are (1) client hello, (2) server hello and certificate, (3) server hello done message, (4) client verifies server identity and sends Client Key Exchange message, (5) client sends Change Cipher Spec and Finish message, and (6) server responds with Change Cipher Spec and Finish message. The session key is created by the client after it verifies the server’s identity (using the certificate provided in step 2).

A is incorrect because the server does not create the session key.

B is incorrect for the same reason—the client creates the key, not the server.

C is incorrect because the client does not use a “public key” for an SSL session. It’s a great distractor, trying to confuse you with PKI terms in an SSL question.

17. Which encryption algorithm uses variable block sizes (from 32 to 128 bits)?

A. SHA-1

B. RC5

C. 3DES

D. AES

B. Questions on identifying encryption algorithms really come down to memorization of some key terms. Rivest Cipher (RC) encompasses several versions, from RC2 through RC6. It is a symmetric block cipher that uses a variable key length up to 2040 bits. RC6, the latest version, uses 128-bit blocks, whereas RC5 uses variable block sizes (32, 64, or 128).

A is incorrect because SHA-1 is a hash algorithm, not an encryption algorithm. If this question were about verifying integrity, this would be a good choice. However, in this case, it is a distractor.

C is incorrect because, although 3DES is a symmetric block cipher, it does not use variable block sizes. 3DES (called triple DES) uses a 168-bit key and can use up to three keys in a multiple-encryption method. It’s much more effective than DES but is much slower.

D is incorrect because AES, another symmetric block cipher, uses key lengths of 128, 192, or 256 bits. It effectively replaces DES and is much faster than either DES or its triplicate cousin (3DES).

18. Which hash algorithm was developed by the NSA and produces output values up to 512 bits?

A. MD5

B. SHA-1

C. SHA-2

D. SSL

C. Both SHA-1 and SHA-2 were developed by the NSA; however, SHA-1 produced only a 160-bit output value. SHA-2 was developed to rectify the shortcomings of its predecessor and is capable of producing outputs of 224, 256, 384, and 512 bits. Although it was designed as a replacement for SHA-1 (which was supposed to have been phased out in 2010), SHA-2 is still not as widely used. As an aside, SHA-3 can produce 512-bit keys as well.

A is incorrect because MD5 produces 128-bit output. It was created by Ronald Rivest for ensuring file integrity; however, serious flaws in the algorithm, and the advancement of other hashes, have resulted in this hash being rendered obsolete (U.S. CERT, August 2010). Despite this, you’ll find MD5 is still used for file verification on downloads and, in many cases, to store passwords.

B is incorrect because SHA-1 produces a 160-bit value output. It was created by NSA and used to be required by law for use in U.S. government applications. However, serious flaws became apparent in late 2005, and the U.S. government began recommending the replacement of SHA-1 with SHA-2 after 2010 (see FIPS PUB 180-1).

D is incorrect because SSL isn’t even a hash algorithm. If you picked this one, you have some serious studying to do.

19. You are concerned about protecting data on your organization’s laptops from loss or theft. Which of the following technologies best accomplishes this goal?

A. Single sign-on

B. Cloud computing

C. IPSec Tunnel mode

D. Full disk encryption

D. Data-at-rest (DAR) protection is a security technology tailor-made for loss and theft protection, with one tiny little catch: full disk encryption in DAR sets up a preboot session that requires valid credentials to unlock the machine. However, it’s important to note the preboot session will only engage after a full system power down. If the user just closes the lid and puts the machine into sleep mode, DAR protection does nothing. Assuming the user does power off the machine before taking it on a trip, preboot protects everything—including the Master Boot Record—and ensures that even if the laptop is stolen or lost, the data inside is protected. If the user doesn’t power off, then DAR is just another security tool that provides the illusion of security—which may be even worse than having nothing at all.

A is incorrect because single sign-on—a method of authentication allowing a user to access multiple resources with one set of credentials—has nothing to do with loss or theft protection.

B is incorrect because while cloud computing may provide some data storage and protection efforts, it does nothing to protect against loss or theft of the laptop, and leaves everything on it vulnerable.

C is incorrect because, although IPSec Tunnel mode will protect data in transit from the laptop back into the remote network, it doesn’t provide any protection for the laptop itself.

20. In a discussion on symmetric encryption, a friend mentions that one of the drawbacks with this system is scalability. He goes on to say that for every person you add to the mix, the number of keys increases dramatically. If seven people are in a symmetric encryption pool, how many keys are necessary?

A. 7

B. 14

C. 21

D. 28

C. Symmetric encryption is really fast and works great with bulk encryption; however, scalability and key exchange are huge drawbacks. To determine the number of keys you need, use the formula N(N – 1)/2. Plugging 7 into this, we have 7(7 – 1)/2 = 21.

A is incorrect because, although symmetric encryption does use the same key for encryption and decryption, each new node requires a different key. Seven keys simply isn’t enough.

B is incorrect because 14 keys isn’t enough.

D is incorrect because 28 keys is too many. Stick with the formula N(N – 1)/2.

21. Which of the following is a true statement?

A. Symmetric encryption scales easily and provides for nonrepudiation.

B. Symmetric encryption does not scale easily and does not provide for nonrepudiation.

C. Symmetric encryption is not suited for bulk encryption.

D. Symmetric encryption is slower than asymmetric encryption.

B. Symmetric encryption has always been known for strength and speed; however, scalability and key exchange are big drawbacks. Additionally, there is no way to provide for nonrepudiation (within the confines of the encryption system). Symmetric encryption is good for a great many things when you don’t want all the overhead of key management.

A is incorrect because symmetric encryption does not scale easily and does not provide for nonrepudiation. The single key used for each channel makes scalability an issue. Remember, the formula for number of keys is N(N – 1)/2.

C is incorrect because symmetric encryption is perfectly designed for bulk encryption. Assuming you can find a way to ensure the key exchange is protected, speed makes this the best choice.

D is incorrect because one of the benefits of symmetric encryption is its speed. It is much faster than asymmetric encryption but doesn’t provide some of the benefits asymmetric provides us (scalability, nonrepudiation, and so on).

22. The PKI system you are auditing has a certificate authority (CA) at the top that creates and issues certificates. Users trust each other based on the CA. Which trust model is in use here?

A. Stand-alone CA

B. Web of trust

C. Single authority

D. Hierarchical trust

C. Trust models within PKI systems provide a standardized method for certificate and key exchanges. The valid trust models include web of trust, single authority, and hierarchical. The single authority system has a CA at the top that creates and issues certs. Users then trust each other based on the CA at the top vouching for them. Assuming a single authority model is used, it’s of vital importance to protect it. After all, if it is compromised, your whole system is kaput.

A is incorrect because stand-alone CA doesn’t refer to a trust model. It instead defines a single CA that is usually set up as a trusted offline root in a hierarchy or when extranets and the Internet are involved.

B is incorrect because web of trust refers to a model where users create and manage their own certificates and key exchange, and multiple entities sign certificates for one another. In other words, users within this system trust each other based on certificates they receive from other users on the same system.

D is incorrect because, although a hierarchical trust system also has a CA at the top (which is known as the root CA), it makes use of one or more intermediate CAs underneath it—known as RAs—to issue and manage certificates. This system is the most secure because users can track the certificate back to the root to ensure authenticity without a single point of failure.

23. A portion of a digital certificate is shown here:

Which of the following statements is true?

A. The hash created for the digital signature holds 160 bits.

B. The hash created for the digital signature holds 2048 bits.

C. RSA is the hash algorithm used for the digital signature.

D. This certificate contains a private key.

A. Questions on the digital certificate are usually easy enough, and this is no exception. The algorithm used to create the hash is clearly defined as Signature Hash Algorithm (SHA-1), and, as we already know, SHA-1 creates a 160-bit hash output. This will then be encrypted by the sender’s private key and decrypted on the recipient’s end with the public key, thus verifying identity.

B is incorrect because it is a distractor: the RSA key size of 2048 is listed in the public key section of the certificate.

C is incorrect because RSA is not a hash algorithm. It is, without doubt, used as an encryption algorithm with this certificate (and uses a 2048-bit key to do so) but does not hash anything.

D is incorrect because (as I’m certain you are already aware) a private key is never shared. The public key is retained for recipients to use if they want to encrypt something to send back to the originator, but the private key is never shared.

24. Bit streams are run through an XOR operation. Which of the following is a true statement for each bit pair regarding this function?

A. If the first value is 0 and the second value is 1, then the output is 0.

B. If the first value is 1 and the second value is 0, then the output is 0.

C. If the first value is 0 and the second value is 0, then the output is 1.

D. If the first value is 1 and the second value is 1, then the output is 0.

D. An XOR operation requires two inputs, and in the case of encryption algorithms, this would be the data bits and the key bits. Each bit is fed into the operation—one from the data, the next from the key—and then XOR makes a determination: if the bits match, the output is 0; if they don’t, it’s 1.

A is incorrect because the two values being compared are different; therefore, the output would be 1.

B is incorrect because the two values being compared are different; therefore, the output would be 1.

C is incorrect because the two values being compared are the same; therefore, the output should be 0.
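The following added Python example (my own code, not the book’s) works through questions 12 and 24 in code and also shows why the known-plain-text attack from question 10 is so effective against a cipher that is nothing more than XOR with a repeating key: with one plain-text/cipher-text pair the key falls out directly, and every other file encrypted under that key then opens. The key and message bytes are constructed sample data; real ciphers avoid this by never reusing key stream.

```python
"""Bitwise XOR on bit strings and bytes, as used by stream ciphers.

Added example for the XOR questions above; not code from the book.
"""


def xor_bits(a, b):
    """XOR two equal-length strings of '0'/'1' characters, bit by bit.

    Matching bits give 0, differing bits give 1, exactly the rule stated in
    the answer to question 24.
    """
    if len(a) != len(b) or set(a + b) - {"0", "1"}:
        raise ValueError("inputs must be equal-length binary strings")
    return "".join("0" if x == y else "1" for x, y in zip(a, b))


def xor_truth_table():
    """Return the four (first, second, output) rows of the XOR function."""
    return [(x, y, int(x != y)) for x in (0, 1) for y in (0, 1)]


def xor_bytes(data, key):
    """XOR data with a repeating key; the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def recover_key(plaintext, ciphertext, key_len):
    """Known-plaintext recovery of a repeating XOR key.

    Because c = p XOR k, the key byte at each position is simply p XOR c.
    One plain-text/cipher-text pair (the situation in question 10) therefore
    exposes the whole key once key_len bytes of plain text are known.
    """
    if len(plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plain text")
    return bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))


# Constructed demonstration data (not real files or keys).
KEY = b"k3y!"
KNOWN_PLAIN = b"Quarterly report: revenue up 4%"
OTHER_PLAIN = b"Payroll export, do not distribute"


def demo():
    """Recover the key from the known pair, then decrypt a second file with it."""
    known_cipher = xor_bytes(KNOWN_PLAIN, KEY)
    other_cipher = xor_bytes(OTHER_PLAIN, KEY)
    k = recover_key(KNOWN_PLAIN, known_cipher, len(KEY))
    return k, xor_bytes(other_cipher, k)


if __name__ == "__main__":
    print(xor_bits("01010101", "11001100"))  # question 12
    for row in xor_truth_table():
        print(row)
    key, recovered = demo()
    print(key, recovered)
```

The point for defenders is the last function: a pure XOR cipher with a reused key is not broken by heavy statistics but by one known file, which is why modern designs derive a fresh key stream per message and authenticate the cipher text.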

25. Which of the following attacks attempts to re-send a portion of a cryptographic exchange in hopes of setting up a communications channel?

A. Known plain text

B. Chosen plain text

C. Man in the middle

D. Replay

D. Replay attacks are most often performed within the context of a man-in-the-middle attack and not necessarily just for communications channel setup. They’re also used for DoS attacks against a system, to feed bad data in hopes of corrupting a system, to try to overflow a buffer (send more encrypted data than expected), and so on. The hacker repeats a portion of a cryptographic exchange in hopes of fooling the system into setting up a communications channel. The attacker doesn’t really have to know the actual data (such as the password) being exchanged; he just has to get the timing right in copying and then replaying the bit stream. Session tokens can be used in the communications process to combat this attack.

A is incorrect because known plain text doesn’t really have anything to do with this scenario. Known plain text refers to having both plain-text and corresponding cipher-text messages, which are scanned for repeatable sequences and then compared to the cipher-text versions.

B is incorrect because it simply doesn’t apply to this scenario. In a chosen plain-text attack, a hacker puts several encrypted messages through statistical analysis to determine repeating code.

C is incorrect because, in this instance, replay refers to the attack being described in the question, not man in the middle. I know you think this is confusing, and I do understand. However, this is an example of the CEH wordplay you’ll need to be familiar with. Man in the middle is usually listed as an attack by every security guide; however, within the context of the exam, it may also refer solely to where the attacker has positioned himself. From this location, he can launch a variety of attacks—replay being one of them.
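As an added example for question 25 (my own code, not the book’s), the receiver below implements the session-token countermeasure the answer mentions: every message carries a fresh random token and a timestamp, both covered by an HMAC under a shared key, and the receiver accepts each token exactly once inside a short time window. The shared key, timestamps and message bodies are constructed; how the key is agreed and where seen tokens are persisted are outside the example.

```python
"""Replay detection with per-message session tokens (nonces) and a MAC.

Added example; not code from the book. The shared key and messages are
constructed. A real deployment would bind the token to the session and
persist the seen-token set, expiring entries older than the time window.
"""
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"constructed-demo-key"  # would come from a key exchange in practice
MAX_SKEW_SECONDS = 30


def _canonical(msg):
    """Stable byte encoding of the MAC'd fields so sender and receiver agree."""
    return json.dumps({k: msg[k] for k in ("body", "token", "ts")},
                      sort_keys=True).encode()


def make_message(key, body, now=None):
    """Sender side: attach a fresh random token and a timestamp, then MAC everything."""
    msg = {
        "body": body,
        "token": secrets.token_hex(16),
        "ts": int(now if now is not None else time.time()),
    }
    msg["mac"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class Receiver:
    """Accepts each token exactly once inside the allowed time window."""

    def __init__(self, key, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen_tokens = set()

    def accept(self, msg, now=None):
        """Return (ok, reason). Verify the MAC before trusting any other field."""
        now = now if now is not None else time.time()
        expected = hmac.new(self.key, _canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return False, "bad mac"
        if abs(now - msg["ts"]) > self.max_skew:
            return False, "stale timestamp"
        if msg["token"] in self.seen_tokens:
            return False, "replayed token"
        self.seen_tokens.add(msg["token"])
        return True, "accepted"


def demo():
    """Original accepted; the same bytes re-sent, a tampered copy, and a late message rejected."""
    rx = Receiver(SHARED_KEY)
    t0 = 1_700_000_000  # constructed clock value
    hello = make_message(SHARED_KEY, "open session for alice", now=t0)
    first = rx.accept(hello, now=t0 + 1)
    replay = rx.accept(dict(hello), now=t0 + 5)  # captured copy, replayed unchanged
    tampered = dict(hello, body="open session for mallory")
    forged = rx.accept(tampered, now=t0 + 2)
    late = rx.accept(make_message(SHARED_KEY, "x", now=t0), now=t0 + 3600)
    return first, replay, forged, late


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The order of checks matters: the MAC is verified first so that an attacker cannot influence the timestamp or token logic with unauthenticated data, and the timestamp window bounds how long the receiver has to remember tokens.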

26. Within a PKI system, which of the following is an accurate statement?

A. Bill can be sure a message came from Sue by using his public key to decrypt it.

B. Bill can be sure a message came from Sue by using his private key to decrypt it.

C. Bill can be sure a message came from Sue by using her private key to decrypt the digital signature.

D. Bill can be sure a message came from Sue by using her public key to decrypt the digital signature.

D. Remember, a digital signature is a hash value that is encrypted with the user’s private key. Because the corresponding public key can decrypt it, this provides the nonrepudiation feature we’re looking for. This is the only instance on the exam where the private key is used for encryption. In general, public encrypts, and private decrypts. The steps for creating an encrypted message with a digital signature are as follows:

1. Create a hash of the body of the message.

2. Encrypt that hash with your private key (adding it to the message as your signature).

3. Encrypt the entire message with the public key of the recipient.

A is incorrect because not only does this have nothing to do with proving identity, but it also cannot work. Bill can’t use his own public key to decrypt a message sent to him. The keys work in pairs—if the message is encrypted with his public key, only his private key can decrypt it.

B is incorrect because this has nothing to do with proving Sue’s identity. Sure, Bill will be using his own private key to decrypt messages sent to him by other users; however, it doesn’t provide any help in proving identity.

C is incorrect because there is no way Bill should have Sue’s private key. Remember, private keys are not shared with anyone, for any reason. This is why encrypting a hash with one works so well for the digital-signing process.
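To see the golden rule from question 13 and the signing steps from question 26 working together, here is an added Python example (my own code, not the book’s) using textbook RSA. Amy and Claire stand in for Sue and Bill in the signature half. The key pairs are built from fixed, publicly known Mersenne primes purely so the example runs offline and deterministically; they are trivially factorable and there is no OAEP or PSS padding, so nothing here is usable as real cryptography, only as a demonstration of which key does what.

```python
"""Textbook RSA: 'public encrypts, private decrypts' and a digital signature.

Added example; not code from the book. Keys come from fixed Mersenne primes
and no padding is used, so this is an illustration of key roles only. Real
systems use a vetted library with randomly generated keys.
"""
import hashlib


def make_keypair(p, q, e=65537):
    """Return (public, private) as (n, e) and (n, d) from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(message, public):
    """Encrypt for the key's owner: anyone may do this with the public key."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(cipher, private):
    """Only the holder of the matching private key recovers the message."""
    n, d = private
    m = pow(cipher, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(message, private):
    """Step 1 and 2 of the answer: hash the message, then 'encrypt' the hash
    with the signer's private key."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)


def verify(message, signature, public):
    """Anyone holding the signer's public key can check the signature."""
    n, e = public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h


# Constructed key pairs from Mersenne primes 2^521-1, 2^127-1, 2^607-1, 2^107-1.
CLAIRE_PUB, CLAIRE_PRIV = make_keypair(2**521 - 1, 2**127 - 1)
AMY_PUB, AMY_PRIV = make_keypair(2**607 - 1, 2**107 - 1)


def demo_encryption():
    """Amy -> Claire: encrypt with Claire's public key; only Claire's private key decrypts."""
    msg = b"meet at noon"
    c = encrypt(msg, CLAIRE_PUB)
    return decrypt(c, CLAIRE_PRIV), decrypt(c, AMY_PRIV) == msg


def demo_signature():
    """Amy signs with her private key; Claire verifies with Amy's public key."""
    msg = b"approve transfer 100"
    sig = sign(msg, AMY_PRIV)
    return (
        verify(msg, sig, AMY_PUB),                          # genuine
        verify(b"approve transfer 1000", sig, AMY_PUB),     # tampered body
        verify(msg, sig, CLAIRE_PUB),                       # wrong signer's key
    )


if __name__ == "__main__":
    print(demo_encryption())
    print(demo_signature())
```

Note that `sign` is exactly the "encrypt with the private key" case the book calls out as the one exception: it is useless for confidentiality, since every holder of the public key can reverse it, but that reversibility is precisely what lets anyone verify who produced the hash.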

27. A systems administrator is applying digital certificates for authentication and verification services inside his network. He creates public and private key pairs using Apple’s Keychain and uses the public key to sign documents that are used throughout the network. Which of the following certificate types is in use?

A. Public

B. Private

C. Signed

D. Self-signed

D. Security certificates have many uses in networking: for example, applications and network services might use them for authentication. If you are doing business across the Internet, your clients will want to ensure a trusted third party signs your certificates, so they can verify you are indeed legitimate. Internally, though, due to cost and speed of deployment/maintenance, self-signed certificates are the way to go. A self-signed certificate is simply one that is signed by the same entity that created it. Because most of your internal certificate needs can be served without going to an external CA to verify identity, using self-signed certificates may be the best bet.

A and B are incorrect because these are notcertificate types.

C is incorrect because regular signed certificates are signed and verified by a third-party certificate authority (CA).

CHAPTER 12 Low Tech: Social Engineering and Physical Security

This chapter includes questions from the following topics:

• Define social engineering
• Describe different types of social engineering techniques and attacks
• Describe identity theft
• List social engineering countermeasures
• Describe physical security measures

I know a lot of people will pick up a book like this in an effort to train themselves to be a “hacker,” but I’ve got some news for you: you were already partway there. You’re a born social engineer, and you’ve most likely been doing some of this stuff since you could walk. In fact, I’ll bet serious cash you’ll probably employ at least some manipulation of your fellow human beings today, maybe without even thinking about it.

Don’t believe me? I guarantee if you search your memory banks there was at least once in your childhood when you talked your way into another piece of candy or a few minutes playing with a toy, just because you were cute. If you had siblings, I bet all of you conspired—at least once—to cover up something bad or to convince Mom you really needed more ice cream. And the technique of employing “Well, Dad said it was okay,” pitting Mom against Dad? Oldest trick in the book.

We all work the system every day because it’s how we are wired, and there’s not a person reading this book who doesn’t try to influence and manipulate the people around them to gain an advantage or accomplish a goal. You’ve been doing it since you were born, and you will continue to do so until you shuffle off this mortal coil. All we’re doing with pen testing and ethical hacking is bringing those same thoughts and actions to influence our virtual workplace and adding one slight twist: while most of your manipulation of others isn’t consciously purposeful, it has to be in the virtual world. There’s a lot of acting, a lot of intuition, and a lot of lying involved, and to be successful in this area you have to be convincing to pull it off.

The entire subject is fascinating, and there are endless articles, studies, and books devoted to it. A Kaspersky blog dubbed it “Hacking the Human OS,” which is about as apt a description as I could ever come up with myself. Social engineering and physical security measures are those obvious and simple solutions you may accidentally overlook. Why spend all the effort to hack into a system and crack passwords offline when you can just call someone up and ask for them? Why bother with trying to steal sensitive business information from encrypted shares when you can walk into the building and sit in on a sales presentation? Sure, you occasionally almost get arrested digging around in a dumpster for good information, and you might even get the pleasure of seeing how powerful a dog handler is, as he keeps the vicious, barking animal held tight on the leash while you cower in the corner, but a lot of social engineering is just worth it. It’s easy, simple, and effective, and not an area of your pen testing you can afford to ignore.

STUDY TIPS There hasn’t been a lot of change between previous versions to the current one: most questions you’ll see about social engineering and physical security are of the straightforward, definition-based variety, and they cover the same areas and topics you’d think would be part of this discussion. Areas of focus will still include various social engineering attacks (shoulder surfing, dumpster diving, impersonation, and so on), security controls (physical, operational, and technical), and biometrics. Anything new in this section will probably be in the mobile realm (using SMS texting and cell phones for social engineering, for example), but should be just as easy to discern as before.

One note of caution, though: be careful with the wording in some of these questions. For example, tailgating and piggybacking mean the same thing to us in the real world, but there’s a significant difference when it comes to your exam. It’s true that most of these are fairly easy to decipher, but EC-Council sometimes likes to focus on minutiae.

QUESTIONS

1. While observing a target organization’s building, you note the lone entrance has a guard posted just inside the door. After entering the external door, you note the lobby of the building is separated from the external door by a small glass-paneled room, with a closed door facing the exterior and a closed door to the interior. There appears to be an RFID scanning device and a small keyboard with video display in the room. Which of the following best defines this physical security control?

A. Guard shack

B. Turnstile

C. Man shack

D. Man trap

2. In your social engineering efforts, you call the company help desk and pose as a user who has forgotten a password. You ask the technician to help you reset your password, which they happily comply with. Which social engineering attack is in use here?

A. Piggybacking

B. Reverse social engineering

C. Technical support

D. Halo effect

3. Which of the following is a true statement regarding biometric systems?

A. The lower the CER, the better the biometric system.

B. The higher the CER, the better the biometric system.

C. The higher the FRR, the better the biometric system.

D. The higher the FAR, the better the biometric system.

4. A pen tester sends an unsolicited e-mail to several users in the target organization. The e-mail is well crafted and appears to be from the company’s help desk, advising users of potential network problems. The e-mail provides a contact number to call in the event a user is adversely affected. The pen tester then performs a denial of service on several systems and receives phone calls from users asking for assistance. Which social engineering practice is in play here?

A. Technical support

B. Impersonation

C. Phishing

D. Reverse social engineering

5. A pen test member has gained access to a building and is observing activity as he wanders around. In one room of the building, he stands just outside a cubicle wall opening and watches the onscreen activity of a user. Which social engineering attack is in use here?

A. Eavesdropping

B. Tailgating

C. Shoulder surfing

D. Piggybacking

6. A recent incident investigated by the local IR team involved a user receiving an e-mail that appeared to be from the U.S. Postal Service, notifying her of a package headed her way and providing a link for tracking the package. The link provided took the user to what appeared to be the USPS site, where she input her user information to learn about the latest shipment headed her way. Which attack did the user fall victim to?

A. Phishing

B. Internet level

C. Reverse social engineering

D. Impersonation

7. Which type of social engineering attack uses phishing, pop-ups, and IRC channels?

A. Technical

B. Computer based

C. Human based

D. Physical

8. An attacker identifies a potential target and spends some time profiling her. After gaining some information, the attacker sends a text to the target’s cell phone. The text appears to be from her bank and advises her to call a provided phone number immediately regarding her account information. She dials the number and provides sensitive information to the attacker, who is posing as a bank employee. Which of the following best defines this attack?

A. Vishing

B. Smishing

C. Phishing

D. Tishing

9. Which of the following constitutes the highest risk to the organization?

A. Black-hat hacker

B. White-hat hacker

C. Gray-hat hacker

D. Disgruntled employee

10. After observing a target organization for several days, you discover that finance and HR records are bagged up and placed in an outside storage bin for later shredding/recycling. One day you simply walk to the bin and place one of the bags in your vehicle, with plans to rifle through it later. Which social engineering attack was used here?

A. Offline

B. Physical

C. Piggybacking

D. Dumpster diving

11. An attacker waits outside the entry to a secured facility. After a few minutes an authorized user appears with an entry badge displayed. He swipes a key card and unlocks the door. The attacker, with no display badge, follows him inside. Which social engineering attack just occurred?

A. Tailgating

B. Piggybacking

C. Identity theft

D. Impersonation

12. Tim is part of a pen test team and is attempting to gain access to a secured area of the campus. He stands outside a badged entry gate and pretends to be engaged in a contentious cell phone conversation. An organization employee walks past and badges the gate open. Tim asks the employee to hold the gate while flashing a fake ID badge and continuing his phone conversation. He then follows the employee through the gate. Which of the following best defines this effort?

A. Shoulder surfing

B. Piggybacking

C. Tailgating

D. Drafting

13. Which of the following may be effective countermeasures against social engineering? (Choose all that apply.)

A. Security policies

B. Operational guidelines

C. Appropriately configured IDS

D. User education and training

E. Strong firewall configuration

14. Which of the following are indicators of a phishing e-mail? (Choose all that apply.)

A. It does not reference you by name.

B. It contains misspelled words or grammatical errors.

C. It contains spoofed links.

D. It comes from an unverified source.

15. You are discussing physical security measures and are covering background checks on employees and policies regarding key management and storage. Which type of physical security measures are being discussed?

A. Physical

B. Technical

C. Operational

D. Practical

16. Which of the following resources can assist in combating phishing in your organization? (Choose all that apply.)

A. Phishkill

B. Netcraft

C. Phishtank

D. IDA Pro

17. An attacker targets a specific group inside the organization. After some time profiling the group, she notes several websites the individual members of the group all visit on a regular basis. She spends time inserting various malware and malicious codes into some of the more susceptible websites. Within a matter of days, one of the group members’ systems installs the malware from an infected site, and the attacker uses the infected machine as a pivot point inside the network. Which of the following best defines this attack?

A. Spear phishing

B. Whaling

C. Web-ishing

D. Watering hole attack

18. Which type of social engineering makes use of impersonation, dumpster diving, shoulder surfing, and tailgating?

A. Physical

B. Technical

C. Human based

D. Computer based

19. In examining the About Us link in the menu of a target organization’s website, an attacker discovers several different individual contacts within the company. To one of these contacts, she crafts an e-mail asking for information that appears to come from an individual within the company who would be expected to make such a request. The e-mail provides a link to click, which then prompts for the contact’s user ID and password. Which of the following best describes this attack?

A. Trojan e-mailing

B. Spear phishing

C. Social networking

D. Operational engineering

20. A security admin has a control in place that embeds a unique image into e-mails on specific topics in order to verify the message as authentic and trusted. Which anti-phishing method is being used?

A. Steganography

B. Sign-in seal

C. PKI

D. CAPTCHA

21. Which of the following should be in place to assist as a social engineering countermeasure? (Choose all that apply.)

A. Classification of information

B. Strong security policy

C. User education

D. Strong change management process

22. Joe uses a user ID and password to log in to the system every day. Jill uses a PIV card and a PIN. Which of the following statements is true?

A. Joe and Jill are using single-factor authentication.

B. Joe and Jill are using two-factor authentication.

C. Joe is using two-factor authentication.

D. Jill is using two-factor authentication.

23. A system owner has implemented a retinal scanner at the entryway to the data floor. Which type of physical security measure is this?

A. Technical

B. Single factor

C. Computer based

D. Operational

24. Which of the following is the best representation of a technical control?

A. Air conditioning

B. Security tokens

C. Automated humidity control

D. Fire alarms

E. Security policy

25. Which of the following best describes pharming?

A. An attacker redirects victims to a malicious website by sending an e-mail that provides a URL that appears to be legitimate.

B. An attacker redirects victims to a malicious website by modifying their host configuration file or by exploiting vulnerabilities in DNS.

C. An attacker targets specific members of an organization based on their duties, roles, or responsibilities.

D. An attacker inserts malicious code and malware into sites employees visit on a regular basis.

QUICK ANSWER KEY

1. D

2. C

3. A

4. D

5. C

6. A

7. B

8. B

9. D

10. D

11. B

12. C

13. A, B, D

14. A, B, C, D

15. C

16. B, C

17. D

18. C

19. B

20. B

21. A, B, C, D

22. D

23. A

24. B

25. B

ANSWERS

1. While observing a target organization’s building, you note the lone entrance has a guard posted just inside the door. After entering the external door, you note the lobby of the building is separated from the external door by a small glass-paneled room, with a closed door facing the exterior and a closed door to the interior. There appears to be an RFID scanning device and a small keyboard with video display in the room. Which of the following best defines this physical security control?

A. Guard shack

B. Turnstile

C. Man shack

D. Man trap

D. If you took a test on college football history, you know it would contain a question about Alabama. If you took one on trumpet players, there’d be one about Dizzy Gillespie. And if you take a test on physical security measures for Certified Ethical Hacker, you’re going to be asked about the man trap. EC-Council loves it that much.

A man trap is nothing more than a locked space you can hold someone in while verifying their right to proceed into the secured area. It’s usually a glass (or clear plastic) walled room that locks the exterior door as soon as the person enters. Then there is some sort of authentication mechanism, such as a smartcard with a PIN or a biometric system. Assuming the authentication is successful, the second door leading to the interior of the building will unlock, and the person is allowed to proceed. If it’s not successful, the doors will remain locked until the guard can check things out. As an aside, in addition to authentication, some man traps add other checks, such as measuring the person’s weight to see if they’ve mysteriously gained or lost 20 pounds since Friday.

A few other notes here may be of use to you: First, I’ve seen a man trap defined as either manual or automatic, where manual has a guard locking and unlocking the doors, and automatic has the locks tied to the authentication system, as described previously. Second, a man trap is also referred to in some definitions as an air lock. Should you see that term on the exam, know that it is referring to the man trap. Lastly, man traps in the real world can sometimes come in the form of a rotating door or turnstile, locking partway around if the person doesn’t authenticate properly. And, on some of the really fancy ones, sensors will lock the man trap if two people are trying to get through at the same time.

A is incorrect because this question is not describing a small location at a gate where guards are stationed. Traditionally, guard shacks are positioned at gates to the exterior wall or the gate of the facility, where guards can verify identity before allowing people through to the parking lot.

B is incorrect because a turnstile is not being described here, and, frankly, it does absolutely nothing for physical security. Anyone who has spent any time in subway systems knows this is true: watching people jump the turnstiles is a great spectator sport.

C is incorrect because, so far as I know, man shack is not a physical security term within CEH. It’s maybe the title of a 1970s disco hit, but not a physical security term you’ll need to know for the exam.

2. In your social engineering efforts, you call the company help desk and pose as a user who has forgotten a password. You ask the technician to help you reset your password, which they happily comply with. Which social engineering attack is in use here?

A. Piggybacking

B. Reverse social engineering

C. Technical support

D. Halo effect

C. Although it may seem silly to label social engineering attacks (because many of them contain the same steps and bleed over into one another), you’ll need to memorize them for your exam. A technical support attack is one in which the attacker calls the support desk in an effort to gain a password reset or other useful information. This is a valuable method because if you get the right help desk person (that is, someone susceptible to a smooth-talking social engineer), you can get the keys to the kingdom.

A is incorrect because piggybacking refers to a method to gain entrance to a facility—not to gain passwords or other information. Piggybacking is a tactic whereby the attacker follows authorized users through an open door without any visible authorization badge at all.

B is incorrect because reverse social engineering refers to a method where an attacker convinces a target to call him with information. The method involves marketing services (providing the target with your phone number or e-mail address in the event of a problem), sabotaging the device, and then awaiting a phone call from the user.

D is incorrect because halo effect refers to a psychological principle that states a person’s overall impression (appearance or pleasantness) can impact another person’s judgment of them. For example, a good-looking, pleasant person will be judged as more competent and knowledgeable simply because of their appearance. The lesson here is to look good and act nice while you’re trying to steal all the target’s information.

3. Which of the following is a true statement regarding biometric systems?

A. The lower the CER, the better the biometric system.

B. The higher the CER, the better the biometric system.

C. The higher the FRR, the better the biometric system.

D. The higher the FAR, the better the biometric system.

A. The crossover error rate (CER) is the point on a chart where the false acceptance rate (FAR) and false rejection rate (FRR) meet, and the lower the number, the better the system. It’s a means by which biometric systems are calibrated—getting the FAR and FRR the same. All that said, though, keep in mind that in certain circumstances a client may be more interested in a lower FAR than FRR, or vice versa, and therefore the CER isn’t as much a concern. For example, a bank may be far more interested in preventing false acceptance than it is in preventing false rejection. In other words, so what if a user is upset they can’t log on, so long as their money is safe from a false acceptance?

B is incorrect because this is exactly the opposite of what you want. A high CER indicates a system that more commonly allows unauthorized users through and rejects truly authorized people from access.

C is incorrect because the false rejection rate needs to be as low as possible. The FRR represents the amount of time a true, legitimate user is denied access by the biometric system.

D is incorrect because the false acceptance rate needs to be as low as possible. The FAR represents the amount of time an unauthorized user is allowed access to the system.
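The CER calibration described in this answer, worked through as an added example that is not from the book: all match scores are constructed, and the code sweeps thresholds to find where FAR and FRR meet, compares a tighter matcher with a looser one, and then applies the bank-style trade-off of forcing FAR down at the cost of FRR.

```python
"""Crossover error rate (CER) of a biometric matcher.

Added example, not from the book. All match scores are constructed
(no real sensor data): a higher score means the sample looks more like
the enrolled user, and a sample is accepted when score >= threshold.
"""
from dataclasses import dataclass

# Constructed scores on a 0-100 scale.
GENUINE_SCORES = [88, 91, 79, 95, 83, 70, 92, 86, 74, 90, 81, 97, 77, 89, 84, 93]
IMPOSTOR_SCORES = [35, 52, 61, 44, 73, 58, 40, 66, 49, 55, 71, 38, 63, 47, 75, 42]
# A worse matcher: impostor scores sit much closer to the genuine ones.
WORSE_IMPOSTOR_SCORES = [s + 15 for s in IMPOSTOR_SCORES]


@dataclass(frozen=True)
class OperatingPoint:
    threshold: int
    far: float  # false acceptance rate: share of impostors let in
    frr: float  # false rejection rate: share of genuine users kept out


def error_rates(threshold, genuine, impostors):
    """FAR and FRR when every sample scoring >= threshold is accepted."""
    false_accepts = sum(1 for s in impostors if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return OperatingPoint(threshold,
                          false_accepts / len(impostors),
                          false_rejects / len(genuine))


def sweep(genuine, impostors, lo=0, hi=100):
    """Operating points for every integer threshold in [lo, hi]."""
    return [error_rates(t, genuine, impostors) for t in range(lo, hi + 1)]


def crossover_error_rate(genuine, impostors):
    """Operating point where FAR and FRR meet (or are closest).

    The CER is the error rate at that point; a lower CER means the two
    score populations overlap less, so the matcher is better.
    """
    points = sweep(genuine, impostors)
    return min(points, key=lambda p: (abs(p.far - p.frr), p.threshold))


def threshold_for_max_far(genuine, impostors, max_far):
    """Lowest threshold whose FAR is within max_far.

    This is the bank trade-off from the explanation: accept a higher
    FRR (annoyed legitimate users) to push false acceptances down.
    """
    for p in sweep(genuine, impostors):
        if p.far <= max_far:
            return p
    return None


if __name__ == "__main__":
    good = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    bad = crossover_error_rate(GENUINE_SCORES, WORSE_IMPOSTOR_SCORES)
    print(f"matcher A: CER {good.far:.4f} at threshold {good.threshold}")
    print(f"matcher B: CER {bad.far:.4f} at threshold {bad.threshold}")
    strict = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"matcher A with FAR forced to 0: threshold {strict.threshold}, "
          f"FRR rises to {strict.frr:.4f}")
```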

4. A pen tester sends an unsolicited e-mail to several users in the target organization. The e-mail is well crafted and appears to be from the company’s help desk, advising users of potential network problems. The e-mail provides a contact number to call in the event a user is adversely affected. The pen tester then performs a denial of service on several systems and receives phone calls from users asking for assistance. Which social engineering practice is in play here?

A. Technical support

B. Impersonation

C. Phishing

D. Reverse social engineering

D. This may turn out to be a somewhat confusing question for some folks, but it’s actually pretty easy. Reverse social engineering involves three steps. First, in the marketing phase, an attacker advertises himself as a technical point of contact for problems that may be occurring soon. Second, in the sabotage phase, the attacker performs a denial of service or other attack on the user. Third, in the tech support phase, the user calls the attacker and freely hands over information, thinking they are being assisted by the company’s technical support team.

As an aside, there are two things to remember about employing this social engineering practice in the real world. First, be sure to market to the appropriate audience: attempting this against IT staff probably won’t work as well as the “average” user and may get you caught. Second, and perhaps more important, you’ll need to remember that the more lies you tell, the more things you have to make true. Complexity is risky, and reverse social engineering involves a lot of complexity. It’s best used in special cases, and then only if you can’t find something else to do.

A is incorrect because a technical support attack involves the attacker calling a technical support help desk, not having the user call back with information.

B is incorrect because this is not just impersonation—the attack described in the question revolves around the user contacting the attacker, not the other way around. Impersonation can cover anybody, from a “normal” user to a company executive. And impersonating a technical support person can result in excellent results; just remember if you’re going through steps to have the user call you back, you’ve moved into reverse social engineering.

C is incorrect because a phishing attack is an e-mail crafted to appear legitimate but in fact contains links to fake websites or to download malicious content. In this example, there is no link to click—just a phone number to call in case of trouble. Oddly enough, in my experience, people will question a link in an e-mail far more than just a phone number.

5. A pen test member has gained access to a building and is observing activity as he wanders around. In one room of the building, he stands just outside a cubicle wall opening and watches the onscreen activity of a user. Which social engineering attack is in use here?

A. Eavesdropping

B. Tailgating

C. Shoulder surfing

D. Piggybacking

C. This one is so easy I hope you maintain your composure and stifle the urge to whoop and yell in the test room. Shoulder surfing doesn’t necessarily require you to actually be on the victim’s shoulder—you just have to be able to watch their onscreen activity. I once shoulder surfed in front of someone (a mirror behind her showed her screen clear as day). You don’t even really need to be close to the victim—there are plenty of optics that can zoom in a field of vision from a very long distance away. As an aside, in the real world, if you are close enough to see someone’s screen, you’re probably close enough to listen to them as well. EC-Council puts the emphasis of shoulder surfing on the visual aspect—eavesdropping would be auditory.

A is incorrect because eavesdropping is a social engineering method where the attacker simply remains close enough to targets to overhear conversations. Although it’s doubtful users will stand around shouting passwords at each other, you’d be surprised how much useful information can be gleaned by just listening in on conversations.

B is incorrect because tailgating is a method for gaining entrance to a facility by flashing a fake badge and following an authorized user through an open door.

D is incorrect because piggybacking is another method to gain entrance to a facility. In this effort, though, you don’t have a badge at all; you just follow people through the door.

6. A recent incident investigated by the local IR team involved a user receiving an e-mail that appeared to be from the U.S. Postal Service, notifying her of a package headed her way and providing a link for tracking the package. The link provided took the user to what appeared to be the USPS site, where she input her user information to learn about the latest shipment headed her way. Which attack did the user fall victim to?

A. Phishing

B. Internet level

C. Reverse social engineering

D. Impersonation

A. Phishing is one of the most pervasive and effective social engineering attacks on the planet. It’s successful because crafting a legitimate-looking e-mail that links a user to an illegitimate site or malware package is easy to do. What’s more, the e-mail is easy to spread, and it preys on our human nature to trust. If the source of the e-mail looks legitimate or the layout looks legitimate, most people will click away without even thinking about it. Phishing e-mails can often include pictures lifted directly off the legitimate website and use creative means of spelling that aren’t easy to spot: www.regions.com is a legitimate bank website that could be spelled in a phishing e-mail as www.regi0ns.com.

When it comes to real-world use of phishing by ethical hackers and pen testers, there are a couple items of note: First, phishing has an extreme liability aspect to it when spoofing a legitimate business. If you’re pen testing an organization and phish using a variant of a real business name, you could be opening yourself up to some serious costs: the first time someone calls the real Regions bank to complain is the moment that the attacker just became liable for the costs associated with the attack. Second is the risk involved with people simply forwarding your phishing attempt to recipients you never intended, allowing it to take on a life of its own. In short, the pen tester will certainly limit the bait (malware or website link embedded in the phishing attempt), but they will have no control over what a user decides to do with the e-mail. Suppose the pen tester doesn’t know the exact IP range or makes a simple mistake in the configuration of the malware, and a user sends it home. Or to a banking friend. Or to the FBI. Or to a friend who works on a DoD system. Now you’ve not only hooked the wrong fish, but maybe infected something in the government. That’s nothing to joke about, and it may be a lot worse than a simple mistake. The bottom line is, in the real world, phishing is dangerous if not planned and implemented almost perfectly, and pen test teams need to use extreme caution in implementing it.

B is incorrect because Internet level is not a recognized form of social engineering attack by this exam. It’s included here as a distractor.

C is incorrect because reverse social engineering is an attack where the attacker cons the target into calling back with useful information.

D is incorrect because this particular description does not cover impersonation. Impersonation is an attack where a social engineer pretends to be an employee, a valid user, or even an executive (or other VIP). Generally speaking, when it comes to the exam, any impersonation question will revolve around an in-person visit or a telephone call.
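A defender-side check for the look-alike spelling (regi0ns for regions) and spoofed links this answer describes, as an added example that is not from the book. The e-mail HTML, the allow list and the substitution table are constructed; regions.com is the name used in the text above, usps.com is assumed for the allow list, and all function names are this example's own.

```python
"""Flag look-alike and spoofed links in a suspicious e-mail body.

Added example, not from the book. The HTML, the allow list and the
substitution table are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"regions.com", "usps.com"}  # constructed allow list

# Digits commonly used to imitate letters in a domain name; fold() maps
# them back (plus "rn" -> "m", "vv" -> "w") before comparing names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample: one look-alike host, one href that does not match
# the URL shown in the link text, and one genuine link.
SAMPLE_EMAIL = """
<p>Your package is waiting.
<a href="http://tracking.regi0ns.com/login">Log in to your Regions account</a></p>
<p>Track it at <a href="http://usps-tracking.example">https://www.usps.com/track</a></p>
<p>Questions? <a href="https://www.usps.com/help">USPS help</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name (adequate for .com-style names)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def fold(name):
    """Normalise common look-alike substitutions (regi0ns -> regions)."""
    return name.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance; catches one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Trusted domain that `domain` imitates; None if trusted or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if fold(domain) == fold(t) or edit_distance(domain, t) <= 1:
            return t
    return None


def domain_in_text(text):
    """Registrable domain of a URL written out in the link text, if any."""
    m = re.search(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return registrable_domain(m.group(1)) if m else None


def audit_links(html):
    """Return (href, reason) findings for links that deserve a second look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        dom = registrable_domain(urlparse(href).hostname or "")
        target = lookalike_of(dom)
        shown = domain_in_text(text)
        if target:
            findings.append((href, f"look-alike of {target}"))
        elif shown and shown != dom:
            findings.append((href, f"link text shows {shown} but href goes to {dom}"))
    return findings
```

Running `audit_links(SAMPLE_EMAIL)` flags the regi0ns.com login link as a look-alike of regions.com and the tracking link whose visible text says usps.com but whose href points elsewhere, while the genuine usps.com link passes.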

7. Which type of social engineering attack uses phishing, pop-ups, and IRC channels?

A. Technical

B. Computer based

C. Human based

D. Physical

B. All social engineering attacks fall into one of two categories: human based or computer based. Computer-based attacks are those carried out with the use of a computer or other data-processing device. Some examples are fake pop-up windows, SMS texts, e-mails, and chat rooms or services. Social media sites (such as Facebook and LinkedIn) are consistent examples as well, and spoofing entire websites isn’t out of the realm here either.

A is incorrect because technical is not a social engineering attack type and is included here as a distractor.

C is incorrect because human-based social engineering involves the art of human interaction for information gathering. Human-based social engineering uses interaction in conversation or other circumstances between people to gather useful information.

D is incorrect because physical is not a social engineering attack type and is included here as a distractor.

8. An attacker identifies a potential target and spends some time profiling her. After gaining some information, the attacker sends a text to the target’s cell phone. The text appears to be from her bank and advises her to call a provided phone number immediately regarding her account information. She dials the number and provides sensitive information to the attacker, who is posing as a bank employee. Which of the following best defines this attack?

A. Vishing

B. Smishing

C. Phishing

D. Tishing

B. Aren’t you excited to have another memorization term added to your CEH vocabulary? In smishing (for SMS text-based phishing), the attacker sends SMS text messages crafted to appear as legitimate security notifications, with a phone number provided. The user unwittingly calls the number and provides sensitive data in response.

A is incorrect because vishing is an attack using a phone call or voice message. In vishing, the attacker calls the target or leaves them a voicemail with instructions to follow.

C is incorrect because phishing makes use of specially crafted e-mails to elicit responses and actions.

D is incorrect because this term does not exist.

9. Which of the following constitutes the highest risk to the organization?

A. Black-hat hacker

B. White-hat hacker

C. Gray-hat hacker

D. Disgruntled employee

D. When we consider security measures, most of our attention is usually aimed outside the company, because that’s where all the bad guys are, right? Unfortunately, this line of thinking leads to all sorts of exposure, for many reasons, and it’s more common than you might think. A disgruntled employee is still an employee, after all, which leads to the main reason they’re so dangerous: location. They are already inside the network. Inside attacks are generally easier to launch, are more successful, and are harder to prevent. When you add the human element of having an axe to grind, this can boil over quickly—whether or not the employee has the technical knowledge to pull off the attack. The idea that someone wanting to do harm to our organization’s network not only already has the access to do so but has it because we gave it to them and we’re not watching them should be frightening to us all.

A is incorrect because black-hat hackers aren’t necessarily already inside the network. They have a lot of work to do in getting access and a lot of security levels to wade through to do it.

B is incorrect because a white-hat hacker is one of the good guys—an ethical hacker, hired for a specific purpose.

C is incorrect because a gray-hat hacker falls somewhere between white and black. They may be hacking without express consent, but doing so with good intentions (not that good intentions will keep one out of jail). Supposedly they’re not hacking for personal gain; they just don’t bother to get permission and occasionally dance on the dark side of legality.

10. After observing a target organization for several days, you discover that finance and HR records are bagged up and placed in an outside storage bin for later shredding/recycling. One day you simply walk to the bin and place one of the bags in your vehicle, with plans to rifle through it later. Which social engineering attack was used here?

A. Offline

B. Physical

C. Piggybacking

D. Dumpster diving

D. Dumpster diving doesn’t necessarily mean you’re actually taking a header into a dumpster outside. It could be any waste canister, in any location, and you don’t even have to place any more of your body in the canister than you need to extract the old paperwork with. And you’d be amazed what people just throw away without thinking about it: password lists, network diagrams, employee name and number listings, and financial documents are all examples. Lastly, don’t forget that EC-Council defines this as a passive activity. Sure, in the real world, you run a real risk of discovery and questioning by any number of the organization’s staff, but on your exam it’s considered passive.

A is incorrect because offline is not a social engineering attack and is used here as a distractor.

B is incorrect because physical is not a social engineering attack type.

C is incorrect because piggybacking is a social engineering attack that allows entry into a facility and has nothing to do with digging through trash for information.

11. An attacker waits outside the entry to a secured facility. After a few minutes an authorized user appears with an entry badge displayed. He swipes a key card and unlocks the door. The attacker, with no display badge, follows him inside. Which social engineering attack just occurred?

A. Tailgating

B. Piggybacking

C. Identity theft

D. Impersonation

B. This is one of those questions that just drives everyone batty—especially people who actually perform pen tests for a living. Does knowing that gaining entry without flashing a fake ID badge of any kind is called piggybacking make it any easier or harder to pull off? I submit having two terms for what is essentially the same attack, separated by one small detail, is a bit unfair, but there’s not a whole lot we can do about it. If it makes it easier to memorize, just keep in mind that pigs wouldn’t wear a badge—they don’t have any clothes to attach it to.

A is incorrect because a tailgating attack requires the attacker to be holding a fake badge of some sort. I know it’s silly, but that’s the only differentiation between these two items: tailgaters have badges, piggybackers do not. If it makes it any easier, just keep in mind a lot of tailgaters at a football game should have a badge on them—to prove they are of legal drinking age.

C is incorrect because this attack has nothing to do with identity theft. Identity theft occurs when an attacker uses personal information gained on an individual to assume that person’s identity. Although this is normally thought of in the context of the criminal world (stealing credit cards, money, and so on), it has its uses elsewhere.

D is incorrect because impersonation is not in play here. The attacker isn’t pretending to be anyone else at all—he’s just following someone through an open door.

12. Tim is part of a pen test team and is attempting to gain access to a secured area of the campus. He stands outside a badged entry gate and pretends to be engaged in a contentious cell phone conversation. An organization employee walks past and badges the gate open. Tim asks the employee to hold the gate while flashing a fake ID badge and continuing his phone conversation. He then follows the employee through the gate. Which of the following best defines this effort?


A. Shoulder surfing

B. Piggybacking

C. Tailgating

D. Drafting

C. This type of question is so annoying I added it twice, back to back, in this chapter—almost as if I was nearly certain you’ll see it on your exam. Tailgating involves following someone through an open door or gate just like piggybacking does; however, in tailgating, a fake identification badge of some sort is used. As an aside, if your exam question does not include both terms—tailgating and piggybacking—but the effort is the same (an attacker following a badged employee through a gate or door), you won’t have to choose between them. Usually, in this case, tailgating will be used more frequently than piggybacking.

A is incorrect because shoulder surfing isn’t about following someone anywhere; instead, it’s about positioning yourself in such a way as to be able to observe the keystrokes and activities of someone at their system.

B is incorrect because piggybacking does not involve the use of a badge or identification of any sort.

D is incorrect because drafting is a cool term used in NASCAR, but has nothing to do with physical pen testing.

13. Which of the following may be effective countermeasures against social engineering? (Choose all that apply.)

A. Security policies

B. Operational guidelines

C. Appropriately configured IDS

D. User education and training

E. Strong firewall configuration

A, B, D. ECC identifies several countermeasures against social engineering, but in the real world none of them, by themselves or grouped, is really the key. The problem with most countermeasures against social engineering is they’re almost totally out of your control. Sure you can draft strong policy requiring users to comply with security measures, implement guidelines on everything imaginable to reduce risks and streamline efficiency, and hold educational briefings and training sessions for each and every user in your organization, but when it comes down to it, it’s the user who has to do the right thing. All countermeasures for social engineering have something to do with the users themselves because they are the weak link here.

C and E are both incorrect for the same reason: a social engineering attack doesn’t target the network or its defenses; instead, it targets the users. Many a strongly defended network has been compromised because a user inside was charmed by a successful social engineer.

14. Which of the following are indicators of a phishing e-mail? (Choose all that apply.)

A. It does not reference you by name.

B. It contains misspelled words or grammatical errors.

C. It contains spoofed links.

D. It comes from an unverified source.

A, B, C, D. One of the objectives EC-Council has kept around in its many CEH versions is, and I quote, to “understand phishing attacks.” Part of the official curriculum to study for the exam covers detecting phishing e-mail in depth, and all of these answers are indicators an e-mail might not be legitimate. First, most companies now sending e-mail to customers will reference you by name and sometimes by account number. An e-mail starting with “Dear Customer” or something to that effect may be an indicator something is amiss. Misspellings and grammatical errors from a business are usually dead giveaways because companies do their best to proofread items before they are released. There are, occasionally, some slipups (Internet search some of these; they’re truly funny), but those are definitely the exception and not the rule. Spoofed links can be found by hovering a mouse over them (or by looking at their properties). The link text may read www.yourbank.com, but the hyperlink properties will be sending you to some IP address you don’t want to go to.

As an aside, while these are all great answers to a question on an exam, don’t let them dictate your day-to-day Internet life outside of your exam. A perfectly written, grammatically correct e-mail containing real links and originating from someone you trust could still be part of a phishing campaign. Never click a link in an e-mail without knowing exactly what it is and where it’s taking you—no matter who you think the message is from or how well written it is. Finally, if you get a phishing e-mail that is accurate, references you by name, has real links, and truly appears to be accurate, you probably have a real problem on your hands. Everyone gets the annoying “spam” e-mails with “Click here for free stuff.” However, if you get one that is delivered to you, with your name and identifying details in it, you have someone who spent the time to target you specifically, not randomly.
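Added example (not from the book): a small standard-library Python check that applies the indicators above to an HTML e-mail body, flagging a generic greeting and links whose visible text names one site while the href goes to a raw IP address or to a different host. The sample message and the 203.0.113.45 address are constructed for the example.

```python
"""Flag the phishing indicators discussed above in an HTML e-mail body.

Added example (not from the book). Checks for a generic greeting instead of
your name, and for spoofed links whose visible text names one site while the
href points at a raw IP address or at a different site. The sample message
below is constructed; 203.0.113.0/24 is a documentation address range.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Visible link text that itself looks like a domain or URL (e.g. www.yourbank.com)
URLISH_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member",
                     "dear valued customer", "dear account holder")


class _MailParser(HTMLParser):
    """Collects (href, visible text) for every anchor plus the message's plain text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL or bare domain, with a leading 'www.' dropped."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _same_site(shown, target):
    """True when the href host is the shown domain itself or one of its subdomains."""
    return target == shown or target.endswith("." + shown)


def phishing_indicators(html):
    """Return a list of human-readable indicator strings found in the message."""
    parser = _MailParser()
    parser.feed(html)
    findings = []
    body = " ".join(parser.text).lower()
    if any(greeting in body for greeting in GENERIC_GREETINGS):
        findings.append("generic greeting: message does not reference you by name")
    for href, text in parser.links:
        target = _host(href)
        if IP_RE.match(target):
            findings.append(f"link to raw IP address: {href}")
        elif URLISH_RE.match(text) and not _same_site(_host(text), target):
            # yourbank.com.login-verify.example is NOT a subdomain of yourbank.com
            findings.append(f"spoofed link: text shows {text!r} but href goes to {target}")
    return findings


# Constructed sample phishing message (not a real e-mail)
SAMPLE_MAIL = """<html><body>
<p>Dear Customer,</p>
<p>Your account has been limited. Please
<a href="http://203.0.113.45/login">verify your account</a> now, or visit
<a href="https://yourbank.com.login-verify.example/update">www.yourbank.com</a>.</p>
<p>Questions? See our <a href="https://www.yourbank.com/help">help center</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_MAIL):
        print("-", finding)
```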

15. You are discussing physical security measures and are covering background checks on employees and policies regarding key management and storage. Which type of physical security measures are being discussed?

A. Physical

B. Technical

C. Operational

D. Practical

C. Physical security has three major facets: physical measures, technical measures, and operational measures. Operational measures (sometimes referred to as procedural controls) are the policies and procedures you put into place to assist with security. Background checks on employees and any kind of written policy for operational behaviors are prime examples.

A is incorrect because physical measures can be seen or touched. Examples include guards (although you’d probably want to be careful touching one of them), fences, and locked doors.

B is incorrect because technical measures include authentication systems (biometrics anyone?) and specific permissions you assign to resources.

D is incorrect because, although these may seem like practical measures to put into place, there is simply no category named as such. It’s included here as a distractor, nothing more.

16. Which of the following resources can assist in combating phishing in your organization? (Choose all that apply.)

A. Phishkill

B. Netcraft


C. Phishtank

D. IDA Pro

B, C. For obvious reasons, there are not a lot of questions from these objectives concerning tools—mainly because social engineering is all about the human side of things, not necessarily using technology or tools. However, you can put into place more than a few protective applications to help stem the tide. There are innumerable e-mail-filtering applications and appliances you can put on an e-mail network boundary to cut down on the vast amount of traffic (spam or otherwise) headed to your network. Additionally, Netcraft’s phishing toolbar and Phishtank are two client-side, host-based options you can use (there are others, but these are pointed out specifically in EC-Council’s official courseware).

Netcraft’s (http://toolbar.netcraft.com/) and Phishtank’s (www.phishtank.com/) toolbars are like neighborhood watches on virtual steroids, where eagle-eyed neighbors can see suspicious traffic and alert everyone else. The following is from the Netcraft site: “Once the first recipients of a phishing mail have reported the target URL, it is blocked for community members as they subsequently access the URL.”

These tools, although useful, are not designed to completely protect against phishing. Much like antivirus software, they will act on attempts that match a signature file. This, sometimes, makes it even easier on the attacker—because they know which phishing will not work right off the bat.

A is incorrect because Phishkill is not an anti-phishing application.

D is incorrect because IDA Pro is a debugger tool you can use to analyze malware (viruses).

17. An attacker targets a specific group inside the organization. After some time profiling the group, she notes several websites the individual members of the group all visit on a regular basis. She spends time inserting various malware and malicious code into some of the more susceptible websites. Within a matter of days, one of the group members’ systems installs the malware from an infected site, and the attacker uses the infected machine as a pivot point inside the network. Which of the following best defines this attack?

A. Spear phishing


B. Whaling

C. Web-ishing

D. Watering hole attack

D. Have you ever watched nature documentaries on the Discovery Channel? It seems predators frequently hang out in places where the prey tends to show up. For example, a pride of lions might just hang out near a watering hole—knowing full well their prey will eventually just come to them. This attack uses the same principle, except we’re talking about the virtual world. And none of us are lions (at least not outside our imaginations, anyway).

In a watering hole attack, the bad guy spends a lot of time profiling the group that is being targeted (note the key wording in this is that a group is targeted, not an individual). The attacker can observe or even guess websites the group would visit, and then infect those sites with some sort of malware or malicious code. Eventually someone from the group will visit the virtual watering hole and—voilà—success.

A is incorrect because spear phishing involves phishing (sending specially crafted e-mails that include links to malicious code) targeted at a specific group of people. In this question, there was no phishing involved.

B is incorrect because whaling is a special type of spear phishing targeting high-level employees.

C is incorrect because this is not a valid term.

18. Which type of social engineering makes use of impersonation, dumpster diving, shoulder surfing, and tailgating?

A. Physical

B. Technical

C. Human based

D. Computer based

C. Once again, we’re back to the two major forms of social engineering: human based and computer based. Human-based attacks include all the attacks mentioned here and a few more. Human-based social engineering uses interaction in conversation or other circumstances between people to gather useful information. This can be as blatant as simply asking someone for their password or pretending to be a known entity (authorized user, tech support, or company executive) in order to gain information.

A is incorrect because social engineering attacks do not fall into a physical category.

B is incorrect because social engineering attacks do not fall into a technical category.

D is incorrect because computer-based social engineering attacks are carried out with the use of a computer or other data-processing device. These attacks can include everything from specially crafted pop-up windows for tricking the user into clicking through to a fake website, to SMS texts that provide false technical support messages and dial-in information to a user.

19. In examining the About Us link in the menu of a target organization’s website, an attacker discovers several different individual contacts within the company. To one of these contacts, she crafts an e-mail asking for information that appears to come from an individual within the company who would be expected to make such a request. The e-mail provides a link to click, which then prompts for the contact’s user ID and password. Which of the following best describes this attack?

A. Trojan e-mailing


B. Spear phishing

C. Social networking

D. Operational engineering

B. Yes, sometimes you’ll get an easy one. Phishing is using e-mail to accomplish the social engineering task. Spear phishing is actually targeting those e-mails to specific individuals or groups within an organization. This usually has a much higher success rate than just a blind-fire phishing effort.

A, C, and D are incorrect because they are all added as distractors and do not match the circumstances listed. Trojan e-mailing and operational engineering aren’t valid terms in regard to social engineering attacks. A social networking attack, per EC-Council, is one that involves using Facebook, LinkedIn, Twitter, or some other social media to elicit information or credentials from a target.

20. A security admin has a control in place that embeds a unique image into e-mails on specific topics in order to verify the message as authentic and trusted. Which anti-phishing method is being used?

A. Steganography


B. Sign-in seal

C. PKI

D. CAPTCHA

B. Sign-in seal is an e-mail protection method in use at a variety of business locations. The practice is to use a secret message or image that can be referenced on any official communication with the site. If you receive an e-mail purportedly from the business but it does not include the image or message, you’re aware it’s probably a phishing attempt. This sign-in seal is kept locally on your computer, so the theory is that no one can copy or spoof it.

A is incorrect because steganography is not used for this purpose. As you know, steganography is a method of hiding information inside another file—usually an image file.

C is incorrect because PKI refers to an encryption system using public and private keys for security of information between members of an organization.

D is incorrect because a CAPTCHA is an authentication test of sorts, which I am sure you’ve seen hundreds of times already. CAPTCHA (actually an acronym meaning Completely Automated Public Turing test to tell Computers and Humans Apart) is a type of challenge-response method where an image is shown, and the client is required to type the word from the image into a challenge box. An example is on a contest entry form—you type in your information at the top and then see an image with a word (or two) in a crazy font at the bottom. If you type the correct word in, it’s somewhat reasonable for the page to assume you’re a human (as opposed to a script), and the request is sent forward.

21. Which of the following should be in place to assist as a social engineering countermeasure? (Choose all that apply.)

A. Classification of information

B. Strong security policy

C. User education

D. Strong change management process

A, B, C, D. All of the answers are correct, but let’s get this out of the way up front: you’ll never be able to put anything whatsoever into place that will effectively render all social engineering attacks moot. You can do some things to limit them, and those on this list can definitely help in that regard, but an organization that responds to social engineering concerns with “We have a strong security policy and great user education” is probably one that’ll see a high turnover rate.

Classification of information is seen as a strong countermeasure because the information—and access to it—is stored and processed according to strict definitions of sensitivity. In the government/DoD world, you’d see labels such as Confidential, Secret, and Top Secret. In the commercial world, you might see Public, Sensitive, and Confidential. I could write an entire chapter on the difference between DoD and commercial labels and argue the finer points of various access control methods, but we’ll stick just to this chapter and what you need here. As a side note, classification of information won’t do you a bit of good if the enforcement of access to that information, and the protection of it in storage or transit, is lax.

Strong security policy has been covered earlier in the chapter, so I won’t waste much print space here on it. You must have a good one in place to help prevent a variety of security failures; however, you can’t rely on it as a countermeasure on its own.

According to EC-Council, user education is not only a viable social engineering countermeasure but it’s the best measure you can take. Anyone reading this book who has spent any time at all trying to educate users on a production, enterprise-level network is probably yelling right now because results can sometimes be spotty at best. However, the weak point in the chain is the user, so we must do our best to educate users on what to look for and what to do when they see it. There simply is no better defense than a well-educated user (and by “well-educated” I mean a user who absolutely refuses to participate in a social engineering attempt). There’s just not that many of them out there.

A change management process helps to organize alterations to a system or organization by providing a standardized, reviewable process to any major change. In other words, if you allow changes to your financial system, IT services, or HR processes without any review or control process, you’re basically opening Pandora’s box. Change can be made on a whim (sometimes at the behest of a social engineer, maybe?), and there’s no control or tracking of it.

22. Joe uses a user ID and password to log in to the system every day. Jill uses a PIV card and a PIN. Which of the following statements is true?

A. Joe and Jill are using single-factor authentication.

B. Joe and Jill are using two-factor authentication.

C. Joe is using two-factor authentication.

D. Jill is using two-factor authentication.

D. When it comes to authentication systems, you can use three factors to prove your identity: something you know, something you have, and something you are. An item you know is, basically, a password or PIN. Something you have is a physical token of some sort—usually a smartcard—that is presented as part of the authentication process. Something you are relates to biometrics—a fingerprint or retinal scan, for instance. Generally speaking, the more factors you have in place, the better (more secure) the authentication system. In this example, Joe is using only something he knows, whereas Jill is using something she has (PIV card) and something she knows (PIN).

A is incorrect because Jill is using two-factor authentication.

B is incorrect because Joe is using single-factor authentication.

C is incorrect because Joe is using single-factor authentication.

23. A system owner has implemented a retinal scanner at the entryway to the data floor. Which type of physical security measure is this?

A. Technical

B. Single factor

C. Computer based

D. Operational

A. Physical security measures are characterized as physical (door locks and guards), operational (policies and procedures), and technical (authentication systems and permissions). This example falls into the technical security measure category. Sure, the door itself is physical, but the question centers on the biometric system, which is clearly technical in origin.

B is incorrect because single factor refers to the method the authentication system uses, not the physical security measure itself. In this case, the authentication is using the “something you are” factor—a biometric retinal scan.

C is incorrect because computer based refers to a social engineering attack type, not a physical security measure.

D is incorrect because an operational physical security measure deals with policy and procedure.

24. Which of the following is the best representation of a technical control?

A. Air conditioning

B. Security tokens

C. Automated humidity control

D. Fire alarms

E. Security policy

B. All security controls are put into place to minimize, or to avoid altogether, the probability of a successful exploitation of a risk or vulnerability. Logical controls (logical is the other term used for technical) do this through technical, system-driven means. Examples include security tokens, authentication mechanisms, and antivirus software.

A, C, D, and E are incorrect because they are not logical (technical) controls. Air conditioning, fire alarms, and a humidity control fall under physical controls. A policy would fall under procedural controls.

25. Which of the following best describes pharming?

A. An attacker redirects victims to a malicious website by sending an e-mail that provides a URL that appears to be legitimate.

B. An attacker redirects victims to a malicious website by modifying their host configuration file or by exploiting vulnerabilities in DNS.

C. An attacker targets specific members of an organization based on their duties, roles, or responsibilities.

D. An attacker inserts malicious code and malware into sites employees visit on a regular basis.

B. I’m convinced there are folks who sit around doing nothing more than dreaming up new terminology, acronyms, and slang for all of us to remember, and pharming falls into this category. Pharming has the same end goal as most other attacks—redirecting folks to malicious websites in hopes of stealing something from them. The method in which it’s done involves updating hosts files and manipulating DNS to point them to a malicious site.

A is incorrect because this describes phishing.

C is incorrect because this describes spear phishing (and/or whaling, depending on the group being targeted).

D is incorrect because this describes a watering hole attack.
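Added example (not from the book): a Python check over hosts-file text that looks for the tampering pattern the pharming answer describes, a trusted name pinned to an outside address, and also reports several names all pointed at one outside address. The sample hosts file, the watched-domain list, and the 192.0.2.x and 203.0.113.x addresses are constructed (documentation ranges).

```python
"""Look for pharming-style tampering in a hosts file.

Added example (not from the book). Pharming, as described above, edits the
local hosts file (or poisons DNS) so a trusted name resolves to the attacker's
server. This check parses hosts-file text and reports two patterns: a watched
domain (or subdomain) pinned to a non-loopback address, and several names
sharing one outside address. The sample file and its addresses are constructed.
"""
import ipaddress
from collections import defaultdict


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def _is_local_sink(ip):
    """Loopback and 0.0.0.0 entries are normal (localhost, ad-blocking), not pharming."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as suspicious rather than skip it
    return addr.is_loopback or addr.is_unspecified


def pinned_watched_domains(text, watched_domains):
    """Return (ip, hostname) for watched domains/subdomains mapped to a non-local address."""
    findings = []
    for ip, name in parse_hosts(text):
        if _is_local_sink(ip):
            continue
        if any(name == dom or name.endswith("." + dom) for dom in watched_domains):
            findings.append((ip, name))
    return findings


def shared_destinations(text, min_names=3):
    """Return {ip: [names]} for non-local addresses that at least min_names hostnames share."""
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        if not _is_local_sink(ip):
            by_ip[ip].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) >= min_names}


# Constructed list of domains the organization cares about (not from the book)
WATCHED = ("yourbank.com", "otherbank.example")

# Constructed sample hosts file; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.tracker.example              # blackholed by an ad blocker
192.0.2.10      intranet.corp.example            # legitimate internal override
203.0.113.45    www.yourbank.com yourbank.com    # trusted names pinned elsewhere
203.0.113.45    login.otherbank.example
"""

if __name__ == "__main__":
    for ip, name in pinned_watched_domains(SAMPLE_HOSTS, WATCHED):
        print(f"watched name {name} pinned to {ip}")
    for ip, names in shared_destinations(SAMPLE_HOSTS).items():
        print(f"{len(names)} names share {ip}: {', '.join(names)}")
```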


CHAPTER 13
The Pen Test: Putting It All Together

This chapter includes questions from the following topics:

• Describe penetration testing, security assessments, and risk management

• Define automatic and manual testing

• List pen test methodology and deliverables

I’ve been exceedingly blessed in my life, in a great many ways I don’t have the time or print space here to cover. I have had opportunities to travel the world and experience things many people just flat out don’t get to. In one of my travels I wound up in Florence, Italy, and decided to go see the statue of David. Even if you’re not familiar with the background of this sculpture, I’ll bet you’ve seen a replica of it somewhere—from garden art re-creations and store displays to one very cool episode of SpongeBob SquarePants, where he had to “BE the marble!” David was carved by Michelangelo sometime between 1501 and 1504 and is universally acclaimed as one of the greatest sculptures of all time. The statue now sits in a domed atrium within the Galleria dell’Accademia in Florence. Seeing this work of art, displayed in all its glory in a perfect setting within a beautiful gallery, is truly an unbelievable experience and is definitely a highlight of any visit to Florence.

What made as big an impression on me, though, were the other, unfinished works of art from Michelangelo you had to pass by in order to get to the statue of David. There’s a giant hallway leading to the atrium that is literally packed, on the right and left, with sculptures he started but, for whatever reason, never finished. Walking down the hallway (at least in your imagination anyway), we’re surrounded by stonework that is simply amazing. Here, on the right, is a giant marble stone with half a man sticking out of the left side and chisel marks leading downward to something as yet unfinished. On the left we see the front half of a horse exploding out of a rough-hewn block of granite; the rest of the beautiful animal still buried in the story Michelangelo never got to finish telling with the sculpture. Traveling down this long hallway, we see other works—a battle raging in one boulder, a face clearly defined and nearly expressionless looking out of a little, almost leftover piece of rock—all displayed left and right for us to gape at.

These unfinished works weren’t crude by any means; quite the opposite. I stood there among the crowds racing to get a glimpse of monumental talent, marveling at how a man could take a big chunk of rock and shape and smooth it into something that looked so real. But these pieces weren’t finished, and it showed. There were giant scratch marks over areas that should have been smooth, and a few sculptures simply broke off because the rock itself cracked in two.

What has this got to do with this book, you may be asking? The answer is that we’ve all put a lot of work into this. We’ve chipped away at giant boulders of knowledge and are on the verge of finishing. No, I’m not making some crazed corollary to this book being some work of art (as anyone who really knows me can attest, that’s not my bag, baby), but I am saying we, you and I, are on the verge of something good here. Keep hacking away at that stone. Keep sanding and polishing. Sooner or later you’ll finish and have your statue to display—just don’t forget all the work you put into it, and don’t throw any of it away. I promise, you’ll want to go back, sometime later, and walk through your own hallway of work to see how far you’ve come.

The questions and answers in this chapter are easier (if memorizing terms is easy for you, that is), and the explanations of what’s correct and what’s incorrect will reflect that as well. Sure, I might sneak in a question from earlier in the book—just to see if you’re paying attention, and to wrap up terms EC-Council throws into this section—but these questions are all supposed to be about the pen test itself. We’ve already covered the nuts and bolts, so now we’re going to spend some time on the finished product. And, of course, you will see most of this material on your exam. I just hope you’ll be so ready for it by then it’ll be like Michelangelo wiping the dust off his last polishing of the statue of David.

STUDY TIPS This chapter is, by design, a little bit of a wrap-up. There are things here that just don’t seem to fit elsewhere, or that needed special attention, away from the clutter of the original EC-Council chapter they were stuck in. Most of this generally boils down to basic memorization. While that may sound easy enough to you, I think you’ll find that some of these terms are so closely related that questions on the exam referencing them will be confusing at the very least—and most likely rage-inducing by the time the exam ends. Pay close attention to risk management terminology—you’ll definitely see a few questions on it in your exam. Another area you’ll probably see at least a couple questions on is the ethics of being a professional, ethical hacker. Admittedly, some of these will be tough to answer, as real-world and EC-Council CEH definitions don’t always coincide, but hopefully we’ll have enough information here to get you through.

Lastly, as I’ve said before, it’s sometimes easier to eliminate wrong answers than it is to choose the correct one. When you’re looking at one of these questions that seems totally out of left field, spend your time eliminating the choices you know aren’t correct. Eventually all that’s left must be the correct answer. After all, the mechanism scoring the test doesn’t care how you got to the answer, only that the right one is chosen.


QUESTIONS

1. Incident response (IR) is an important part of organizational security. In what step of the incident-handling process would IR team members disable or delete user accounts and change firewall rules?

A. Detection and analysis

B. Classification and prioritization

C. Containment

D. Forensic investigation

2. A software company puts an application through stringent testing and, on the date of release, is confident the software is free of known vulnerabilities. An organization named BigBiz purchases the software at a premium cost, with a guarantee of service, maintenance, and liability. Which risk management method is in use by the BigBiz organization?

A. Accept

B. Transfer

C. Avoid

D. Mitigate

3. Which of the following provide automated pen test–like results for an organization? (Choose all that apply.)

A. Metasploit

B. Nessus

C. Core Impact

D. CANVAS

E. SAINT

F. GFI LanGuard

4. Which of the following best describes an assessment against a network segment that tests for existing vulnerabilities but does not attempt to exploit any of them?

A. Penetration test

B. Partial penetration test

C. Vulnerability assessment

D. Security audit

5. You are a member of a pen test team conducting tests. Your team has all necessary scope, terms of engagement, and nondisclosure and service level agreements in place. You gain access to an employee’s system and during further testing discover child pornography on a hidden drive folder. Which of the following is the best course of action for the ethical hacker?

A. Continue testing without notification to anyone, but ensure the information is included in the final out-brief report.

B. Continue testing without interruption, but completely remove all hidden files and the folder containing the pornography.

C. Stop testing and notify law enforcement authorities immediately.

D. Stop testing and remove all evidence of intrusion into the machine.

6. In which phase of a pen test is scanning performed?

A. Pre-attack

B. Attack

C. Post-attack

D. Reconnaissance

7. Which of the following describes risk that remains after all security controls have been implemented to the best of one’s ability?

A. Residual

B. Inherent

C. Deferred

D. Remaining

8. Which of the following statements are true regarding OSSTMM? (Choose all that apply.)

A. OSSTMM is a nonprofit, international research initiative dedicated to defining standards in security testing and business integrity testing.

B. OSSTMM recognizes ten types of controls, which are divided into two classes.

C. ISECOM maintains the OSSTMM.

D. OSSTMM defines three types of compliance.

9. Which of the following is an open source project produced by OISSG (Open Information Systems Security Group) intended to provide security testing assistance?

A. OSSTMM

B. OWASP

C. COBIT

D. ISSAF

10. NIST SP 800-30 defines steps for conducting a risk assessment. Which of the following statements is true regarding the process?

A. Threats are identified before vulnerabilities.

B. Determining the magnitude of impact is thefirst step.

C. Likelihood is determined after the riskassessment is complete.

||||||||||||||||||||

||||||||||||||||||||

Page 714: CEH Certified Ethical Hacker Practice Exams, Fourth

D. Risk assessment is not a recurring process.

11. In which phase of a pen test will the team penetrate the perimeter and acquire targets?

A. Pre-attack

B. Attack

C. Post-attack

D. None of the above

12. An organization participates in a real-world exercise designed to test all facets of its security systems. An independent group is hired to assist the organization's security groups, assisting in the defense of assets against the attacks from the attacking group. Which of the following statements is true?

A. The group assisting in the defense of the systems is referred to as a blue team.

B. The group assisting in the defense of the systems is referred to as a red team.

C. The group assisting in the defense of the systems is known as a white-hat group.

D. The team attacking the systems must provide all details of any planned attack to the defense group before launching to ensure security measures are tested appropriately.

13. Which of the following best describes the difference between a professional pen test team member and a hacker?

A. Ethical hackers are paid for their time.

B. Ethical hackers never exploit vulnerabilities; they only point out their existence.

C. Ethical hackers do not use the same tools and actions as hackers.

D. Ethical hackers hold a predefined scope and agreement from the system owner.

14. Sally is part of a penetration test team and is starting a test. The client has provided a network drop on one of their subnets for Sally to launch her attacks from. However, they did not provide any authentication information, network diagrams, or other notable data concerning the systems. Which type of test is Sally performing?

A. External, white box

B. External, black box

C. Internal, white box

D. Internal, black box

15. Your pen test team is discussing services with a potential client. The client indicates they do not see the value in penetration testing. Which of the following is the correct response from your team?

A. Run a few tests and display the results to the client to prove the value of penetration testing.

B. Provide detailed results from other customers you've tested, displaying the value of planned testing and security deficiency discovery.

C. Provide information and statistics regarding pen testing and security vulnerabilities from reliable sources.

D. Perform the penetration test anyway in case they change their mind.

16. In which phase of a penetration test would you compile a list of vulnerabilities found?

A. Pre-attack

B. Attack

C. Post-attack

D. Reconciliation

17. Which of the following has a database containing thousands of signatures used to detect vulnerabilities in multiple operating systems?

A. Nessus

B. Hping

C. LOIC

D. SNMPUtil

18. Cleaning registry entries and removing uploaded files and tools are part of which phase of a pen test?

A. Covering tracks

B. Pre-attack

C. Attack

D. Post-attack

19. Which of the following are true statements regarding a pen test? (Choose all that apply.)

A. Pen tests do not include social engineering.

B. Pen tests may include unannounced attacks against the network.

C. During a pen test, the security professionals can carry out any attack they choose.

D. Pen tests always have a scope.

E. A list of all personnel involved in the test is not included in the final report.

20. Which of the following causes a potential security breach?

A. Vulnerability

B. Threat

C. Exploit

D. Zero day

21. Which Metasploit payload type operates via DLL injection and is difficult for antivirus software to pick up?

A. Inline

B. Meterpreter

C. Staged

D. Remote

22. Metasploit is a framework allowing for the development and execution of exploit code against a remote host and is designed for use in pen testing. The framework consists of several libraries, each performing a specific task and set of functions. Which library is considered the most fundamental component of the Metasploit framework?

A. MSF Core

B. MSF Base

C. MSF interfaces

D. Rex

23. Which of the following may be effective countermeasures against an inside attacker? (Choose all that apply.)

A. Enforce elevated privilege control.

B. Secure all dumpsters and shred collection boxes.

C. Enforce good physical security practice and policy.

D. Perform background checks on all employees.


QUICK ANSWER KEY

1. C

2. B

3. A, C, D

4. C

5. C

6. A

7. A

8. B, C, D

9. D

10. A

11. B

12. A

13. D

14. D

15. C

16. C

17. A

18. D

19. B, D


20. B

21. B

22. D

23. A, B, C, D


ANSWERS

1. Incident response (IR) is an important part of organizational security. In what step of the incident-handling process would IR team members disable or delete user accounts and change firewall rules?

A. Detection and analysis

B. Classification and prioritization

C. Containment

D. Forensic investigation

C. In a refrain you've heard over and over again throughout this book, sometimes real life and EC-Council don't see eye to eye. However, when it comes to IR, ECC kind of gets it right. Almost. Lots of organizations define the incident-handling response in different ways, with different phases for actions taken. Generally speaking, though, all incident handling falls into four sets of actions: identify, contain, eradicate, and recover. Most organizations will define a preparation phase beforehand and a lessons learned phase at the end for a full incident process. ECC defines eight phases:

• Preparation Defining rules, processes, and toolsets and then testing them (usually with some regularly scheduled exercises, at a minimum) occur in this phase.

• Detection and analysis This is where alerting functions (toolsets, IDS, IPS, users notifying of strange events, and so on) and initial research into the event take place.

• Classification and prioritization Decision making on whether to elevate as an incident and at what level to elevate is made here (ramping up an IR event for a false alarm serves no one). Levels of categorization vary from organization to organization, but usually assign response time frames to levels.

• Notification Alerting appropriate teams and organizations to assist in the event occurs here.

• Containment Steps to contain the incident occur here. These may include steps to revoke or suspend user accounts and blocking system or even subnet access via a firewall or other method.

• Forensic investigation In this stage, if possible, live memory and disk captures are pulled for evaluation and analysis. This does not have to wait until the conclusion of the event, but, depending on the assets involved and the nature of the incident, forensics may have to wait.

• Eradication and recovery This phase encompasses all the steps taken to remove the incident cause (malware, malicious code, backdoors, rootkits, viruses, and so on) and to return the assets involved to baseline standards before putting them back into production.

• Post-incident This is where reporting, follow-up analysis, and lessons learned are put together. Evaluation from this step is fed into the preparation phase for the next event.

Questions on incident response and incident handling can be pretty vague. For the most part, common sense should guide you on anything truly weird, but most questions will be like this one: fairly easy to figure out on your own. One last note here: the four phases listed at the beginning of this answer description will more than likely be what you'll see on the exam, so when in doubt, I would stick with them.

B, C, and D are incorrect because the actions listed in the question do not occur in these incident-handling phases.

2. A software company puts an application through stringent testing and, on the date of release, is confident the software is free of known vulnerabilities. An organization named BigBiz purchases the software at a premium cost, with a guarantee of service, maintenance, and liability. Which risk management method is in use by the BigBiz organization?

A. Accept

B. Transfer

C. Avoid

D. Mitigate

B. Depending on who you talk to, there are as many as seven different methods in risk management. Of primary concern for you and EC-Council, however, are these four: accept, avoid, transfer, and mitigate. In this example, the organization has paid a cost to the software developer, trusting them that they've tested the software and that they will assume responsibility and liability for it. In effect, the organization has transferred the risk to the software company for this application. Transferring risk is all about finding a different entity to take responsibility for managing the risk, as well as accepting the liability of an exploitation or loss resulting from the risk.

A is incorrect because this does not describe acceptance. Acceptance of a risk means the organization is aware a risk is present but due to a variety of reasons (such as cost of mitigation or the unlikeliness the risk can ever be exploited) decides to do nothing about it. Basically, the owner decides they will just deal with the fallout if the risk is ever realized.

C is incorrect because this does not describe risk avoidance. In risk avoidance, the organization recognizes the risk and eliminates anything and everything that has to do with it. If a particular service, application, or technology is useful to an organization but the cost and effort to deal with the risks involved in its use are too high, the organization can simply choose to not use the service or application altogether.

D is incorrect because this does not describe mitigation. Risk mitigation is exactly what it sounds like: the organization needs the technology or service despite the risk involved, so it takes all steps necessary to lower the chance the risk will ever be exploited. Purchasing and using antivirus and practicing strong patch management are examples.

3. Which of the following provide automated pen test–like results for an organization? (Choose all that apply.)

A. Metasploit

B. Nessus

C. Core Impact

D. CANVAS

E. SAINT

F. GFI LanGuard

A, C, D. Automated tool suites for pen testing can be viewed as a means to save time and money by the client's management, but (in my opinion and in the real world, at least) these tools don't do either. They do not provide the same quality results as a test performed by security professionals, and they are extremely expensive. Automated tools can provide a lot of genuinely good information but are also susceptible to false positives and false negatives and don't necessarily care what your agreed-upon scope says is your stopping point. Metasploit has a free, open source version and an insanely expensive "Pro" version for developing and executing exploit code against a remote target machine, still worlds cheaper than Core Impact, but expensive nonetheless. Metasploit offers an autopwn module that can automate the exploitation phase of a penetration test (note that db_autopwn was removed from the framework's core years ago and survives only as a separately maintained plugin, so don't expect it in a stock install).

Core Impact is probably the best-known, all-inclusive automated testing framework. Per its website (https://www.coresecurity.com/core-impact), Core Impact "takes security testing to the next level by safely replicating a broad range of threats to the organization's sensitive data and mission-critical infrastructure—providing extensive visibility into the cause, effect, and prevention of data breaches." Core Impact tests everything from web applications and individual systems to network devices and wireless.

Per the Immunity Security website (www.immunitysec.com), CANVAS "makes available hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development framework to penetration testers and security professionals." Additionally, the company claims CANVAS's Reference Implementation (CRI) is "the industry's first open platform for IDS and IPS testing."

For you real-world purists out there and for those who don't have any experience with any of this just quite yet, it's important to note that no automated testing suite provides anything close to the results you'd gain from a real pen test. Core Impact provides a one-step automated pen test result feature (and probably offers the best result and report features), Metasploit offers autopwn, and CANVAS has a similar "run everything" mode; however, all lack the ability to provide results that a true pen test would provide. In the truest sense of "automated pen testing," you simply can't do it in the real world (for your exam, stick with the three listed here).

B, E, and F are incorrect for the same reason: they are all vulnerability assessment tool suites, not automated pen test frameworks. Nessus is probably the most recognizable of the three, but SAINT and GFI LanGuard are both still listed as top vulnerability assessment applications.

4. Which of the following best describes an assessment against a network segment that tests for existing vulnerabilities but does not attempt to exploit any of them?

A. Penetration test

B. Partial penetration test

C. Vulnerability assessment

D. Security audit

C. A vulnerability assessment is exactly what it sounds like: the search for and identification of potentially exploitable vulnerabilities on a system or network. These vulnerabilities can be poor security configurations, missing patches, or any number of other weaknesses a bad guy might exploit. The two keys to a vulnerability assessment are that the vulnerabilities are identified, not exploited, and the report is simply a snapshot in time. The organization will need to determine how often it wants to run a vulnerability assessment. Lastly, it's important to note that there are some vulnerabilities that simply can't be confirmed without exploiting them. For example, the act of injecting SQL statements to expose a SQL injection vulnerability may very well constitute an exploit action, but it's the only way to prove it exists. For your exam, though, stick with no exploitation during this assessment and move on with your life.

A is incorrect because team members on a pen test not only discover vulnerabilities but also actively exploit them (within the scope of their prearranged agreement, of course).

B is incorrect because this is not a valid term associated with assessment types and is included as a distractor.

D is incorrect because a security audit is designed to test the organization's security policy itself. It should go without saying the organization must have a security policy in place to begin with before a security audit can take place.
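The "snapshot in time" point above is worth making concrete, because it is what the rescan-frequency decision actually rests on. The following Python is an added example, not code from this book or from any scanner vendor: it takes two constructed assessment exports of the same segment (the comma-separated field layout, the host addresses and the plugin identifiers are all assumptions made for illustration) and classifies each finding as new, remediated, persistent, or changed in severity between the two runs. Nothing here exploits anything; it only reasons about what two identification passes reported.

```python
"""Compare two vulnerability-assessment snapshots of the same network segment.

An assessment report is a point-in-time snapshot: findings appear as hosts
are added, disappear as patches land, and persist when remediation stalls.
This helper classifies findings across two runs so the "how often do we
rescan" question can be answered from what actually changed.
The record format (host,port,plugin_id,severity) and the sample data are
constructed for this example; they are not any real scanner's export format.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

FindingKey = Tuple[str, int, str]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin_id: str   # scanner check identifier; values below are hypothetical
    severity: str

    def key(self) -> FindingKey:
        """Identity of a finding across runs: where it is and which check fired."""
        return (self.host, self.port, self.plugin_id)


def parse_snapshot(lines: Iterable[str]) -> Dict[FindingKey, Finding]:
    """Parse 'host,port,plugin_id,severity' lines into a dict keyed by identity.

    Blank lines and '#' comments are skipped. A malformed line raises instead
    of being dropped, because a silently missing finding would show up in the
    diff as "remediated", which is the one error a defender must not make.
    """
    out: Dict[FindingKey, Finding] = {}
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"line {n}: expected 4 fields, got {len(parts)}")
        host, port, plugin_id, sev = parts
        sev = sev.lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"line {n}: unknown severity {sev!r}")
        f = Finding(host, int(port), plugin_id, sev)
        out[f.key()] = f
    return out


def diff_snapshots(old: Dict[FindingKey, Finding],
                   new: Dict[FindingKey, Finding]) -> Dict[str, List[Finding]]:
    """Bucket findings as new, remediated, persistent or severity_changed.

    A finding whose identity is present in both runs but whose severity
    differs (a rescored check, or a plugin update) is reported separately so
    it is neither counted as remediated nor hidden among persistent items.
    """
    result: Dict[str, List[Finding]] = {
        "new": [], "remediated": [], "persistent": [], "severity_changed": []}
    for k, f in new.items():
        if k not in old:
            result["new"].append(f)
        elif old[k].severity != f.severity:
            result["severity_changed"].append(f)
        else:
            result["persistent"].append(f)
    for k, f in old.items():
        if k not in new:
            result["remediated"].append(f)
    # Worst severity first within each bucket, then by host and port.
    for bucket in result.values():
        bucket.sort(key=lambda f: (-SEVERITY_RANK[f.severity], f.host, f.port))
    return result


def highest_open_severity(diff: Dict[str, List[Finding]]) -> str:
    """Worst severity still present after the second run, or 'none'."""
    still_open = diff["new"] + diff["persistent"] + diff["severity_changed"]
    if not still_open:
        return "none"
    return max(still_open, key=lambda f: SEVERITY_RANK[f.severity]).severity


# Constructed sample data: two runs against the same /24, about a month apart.
RUN_1 = """
# host,port,plugin_id,severity
10.10.4.10,445,SMBV1-ENABLED,high
10.10.4.10,3389,RDP-NLA-DISABLED,medium
10.10.4.22,22,SSH-WEAK-CIPHERS,low
10.10.4.30,443,TLS-1.0-ENABLED,medium
""".splitlines()

RUN_2 = """
# host,port,plugin_id,severity
10.10.4.10,445,SMBV1-ENABLED,critical
10.10.4.22,22,SSH-WEAK-CIPHERS,low
10.10.4.30,443,TLS-1.0-ENABLED,medium
10.10.4.41,8080,TOMCAT-DEFAULT-CREDS,critical
""".splitlines()


def run_example() -> Dict[str, List[Finding]]:
    diff = diff_snapshots(parse_snapshot(RUN_1), parse_snapshot(RUN_2))
    for bucket, items in diff.items():
        print(f"{bucket}:")
        for f in items:
            print(f"  {f.severity:<8} {f.host}:{f.port}  {f.plugin_id}")
    print("highest open severity:", highest_open_severity(diff))
    return diff


if __name__ == "__main__":
    run_example()
```

Identity is deliberately (host, port, check) rather than the scanner's own finding ID, so that a re-scan that renumbers its output still lines up with the previous run; if your scanner exports stable IDs, key on those instead and drop the port from the tuple.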

5. You are a member of a pen test team conducting tests. Your team has all necessary scope, terms of engagement, and nondisclosure and service level agreements in place. You gain access to an employee's system and during further testing discover child pornography in a hidden drive folder. Which of the following is the best course of action for the ethical hacker?

A. Continue testing without notification to anyone, but ensure the information is included in the final out-brief report.

B. Continue testing without interruption, but completely remove all hidden files and the folder containing the pornography.

C. Stop testing and notify law enforcement authorities immediately.

D. Stop testing and remove all evidence of intrusion into the machine.

C. If you've ever taken any philosophy classes in high school or college, you've undoubtedly read some of the ethical dilemmas presented to challenge black-and-white thinking on a matter. For example, theft is undoubtedly bad and is recognized as a crime in virtually every law system on the planet, but what if it's the only way to save a child's life? In ethical hacking, there are fine lines on actions to take when you discover something, and sometimes hard edges where there is no choice in the matter. Possession of child porn is a crime, so this case would seem relatively easy to discern. To be fair, and to make the assumption you'll need to on questions like this on the exam, your course of action is straightforward and simple: notify the authorities and let them handle it.

In the real world, things might be a little more difficult. How do you really know what you're looking at? Are you positive that what you see is illegal in nature (regardless of what it is: pornography, documentation, letters, and so on)? If you're not and you falsely accuse someone, what kind of liability do you face? What about your team? It's not an easy question to answer when you're in the heat of battle, and you'll have to largely depend on good, solid pen test agreements up front. Let the client know what actions will be taken when suspected illegal material is discovered, and agree upon actions both sides will take. Otherwise you, and your client, could be in for very difficult times.

A is incorrect because the discovery of child porn automatically necessitates ceasing test activities and contacting the authorities. Waiting until the out-brief is not the appropriate course of action and can get you in hot water.

B is incorrect because this is not only unethical behavior and outside the scope and test agreement bounds, but it's against the law. You've tampered with evidence and obstructed justice, at a minimum.

D is incorrect because removing evidence of your actions is not the correct action to take and is unethical in the least (and can actually be considered illegal, depending on the circumstances).

6. In which phase of a pen test is scanning performed?

A. Pre-attack

B. Attack

C. Post-attack

D. Reconnaissance

A. I know you're sick of CEH definitions, terms, and phases of attacks, but this is another one you'll just need to commit to memory. Per EC-Council, there are three phases of a pen test: pre-attack, attack, and post-attack. The pre-attack phase is where you'd find scanning and other reconnaissance activities (gathering competitive intelligence, website crawling, and so on).

B is incorrect because scanning is completed in the pre-attack phase. The attack phase holds four areas of work: penetrate the perimeter, acquire targets, execute attack, and escalate privileges.

C is incorrect because scanning is completed long before the post-attack phase. Actions accomplished in post-attack include removing all uploaded files and tools, restoring (if needed) to the original state, analyzing results, and preparing reports for the customer.

D is incorrect because reconnaissance is not a phase of pen testing.

7. Which of the following describes risk that remains after all security controls have been implemented to the best of one's ability?

A. Residual

B. Inherent

C. Deferred

D. Remaining

A. Risk management has a lot of terminology to remember, and identifying risk before and after security control implementation is what this question is all about. The inherent risk of the system is that which is in place if you implement no security controls whatsoever: in other words, there are risks inherent to every system, application, technology, and service. After you recognize these inherent risks and implement security controls, you may have some residual risks remaining. In other words, residual risk is what is left in the system after you implement security controls.

B is incorrect because inherent risk is what was on the system before you started implementing security controls.

C and D are incorrect because these terms are included merely as distractors.

8. Which of the following statements are true regarding OSSTMM? (Choose all that apply.)

A. OSSTMM is a nonprofit, international research initiative dedicated to defining standards in security testing and business integrity testing.

B. OSSTMM recognizes ten types of controls, which are divided into two classes.

C. ISECOM maintains the OSSTMM.

D. OSSTMM defines three types of compliance.

B, C, D. The Open Source Security Testing Methodology Manual (OSSTMM) provides a methodology for a thorough security test (also known as an OSSTMM audit). It's maintained by ISECOM (Institute for Security and Open Methodologies; www.isecom.org/) and is a peer-reviewed manual of security testing and analysis that results in fact-based actions that can be taken by an organization to improve security. OSSTMM recognizes ten types of controls, split into two different classes:

• Class A: Interactive Authentication, indemnification, resilience, subjugation, and continuity

• Class B: Process Nonrepudiation, confidentiality, privacy, integrity, and alarm

An OSSTMM audit tests for three different types of compliance: legislative, contractual, and standards-based compliance.

A is incorrect because this is actually the description of ISECOM, the group responsible for the creation and maintenance of OSSTMM.

9. Which of the following is an open source project produced by OISSG (Open Information Systems Security Group) intended to provide security testing assistance?

A. OSSTMM

B. OWASP

C. COBIT

D. ISSAF

D. The following is from OISSG's site: "The Information Systems Security Assessment Framework (ISSAF) is produced by the Open Information Systems Security Group, and is intended to comprehensively report on the implementation of existing controls to support IEC/ISO 27001:2005 (BS7799), Sarbanes Oxley SOX404, CoBIT, SAS70 and COSO, thus adding value to the operational aspects of IT related business transformation programmes. It is designed from the ground up to evolve into a comprehensive body of knowledge for organizations seeking independence and neutrality in their security assessment efforts."

A is incorrect because OSSTMM is a peer-reviewed manual of security testing and analysis maintained by ISECOM that results in fact-based actions that can be taken by an organization to improve security.

B is incorrect because OWASP (Open Web Application Security Project) is an open source web application security project.

C is incorrect because COBIT (Control Objectives for Information and Related Technologies) is a good-practice governance framework and supporting toolset created by ISACA for information technology (IT) management and governance.

10. NIST SP 800-30 defines steps for conducting a risk assessment. Which of the following statements is true regarding the process?

A. Threats are identified before vulnerabilities.

B. Determining the magnitude of impact is the first step.

C. Likelihood is determined after the risk assessment is complete.

D. Risk assessment is not a recurring process.

A. NIST SP 800-30: Guide for Conducting Risk Assessments (http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf) describes in detail how to perform a risk assessment. The publication defines four overall steps for an assessment: prepare for the assessment, conduct the assessment, communicate the results, and maintain the assessment. Within the conduct step, the tasks run in a fixed order: identify threat sources and events, identify vulnerabilities and predisposing conditions, determine likelihood, determine impact, and finally determine risk. That ordering is why threats come before vulnerabilities.

Even if you knew nothing about this publication, though, you could probably work your way into the correct answer here. Of the choices provided, only answer A makes any sense.

B is incorrect because you can't possibly determine the magnitude of anything until you define what it is.

C is incorrect because the likelihood of risk exploitation is a key part of the risk assessment effort and equation.

D is incorrect because assessing your risk level is a recurring, always ongoing process.

11. In which phase of a pen test will the team penetrate the perimeter and acquire targets?

A. Pre-attack

B. Attack

C. Post-attack

D. None of the above

B. EC-Council splits a pen test into three phases: pre-attack, attack, and post-attack. In the attack phase, the team will attempt to penetrate the network perimeter, acquire targets, execute attacks, and elevate privileges. Getting past the perimeter might take into account things such as verifying ACLs by crafting packets as well as checking the use of any covert tunnels inside the organization. Attacks such as XSS, buffer overflows, and SQL injections will be used on web-facing applications and sites. After specific targets are acquired, password cracking, privilege escalation, and a host of other attacks will be carried out.

A is incorrect because these actions do not occur in the pre-attack phase. Per EC-Council, pre-attack includes planning, reconnaissance, scanning, and gathering competitive intelligence.

C is incorrect because these actions do not occur in the post-attack phase. Per EC-Council, post-attack includes removing all files, uploaded tools, registry entries, and other items installed during testing of the targets. Additionally, your analysis of findings and creation of the pen test report will occur here.

D is incorrect because there is an answer for the question listed.

12. An organization participates in a real-world exercise designed to test all facets of its security systems. An independent group is hired to assist the organization's security groups, assisting in the defense of assets against the attacks from the attacking group. Which of the following statements is true?

A. The group assisting in the defense of the systems is referred to as a blue team.

B. The group assisting in the defense of the systems is referred to as a red team.

C. The group assisting in the defense of the systems is known as a white-hat group.

D. The team attacking the systems must provide all details of any planned attack to the defense group before launching to ensure security measures are tested appropriately.

A. Many organizations run full "war game" scenarios, which include defense and attack groups, to test security measures. Generally speaking, the group doing the attacking is known as a red team, while the group assisting with the defense is known as a blue team. The red team is the offense-minded group, simulating the bad guys in the world, actively attacking and exploiting everything they can find in the environment. In a traditional war game scenario, the red team is attacking "black-box" style, given little to no information to start things off. A blue team, on the other hand, is defensive in nature. The members of the blue team are not out attacking things; rather, they're focused on shoring up defenses and making things safe. Unlike red teams, blue teams are responsible for defense against the bad guys, so they usually operate with full knowledge of the internal environment.

Blue teams are almost always independent in terms of the target, but their goal is to assist the defenders and to do so with whatever information is available. The difference between blue and red in this scenario is in the cooperative versus adversarial nature: red is there to be the bad guys, do what they would do, look for the impacts they would want to have, and test the organization's defense/response, whereas blue is there to help.

B, C, and D are incorrect because these are not true statements. The attacking group is known as a red team. I suppose an argument could be made that members of the blue team are all, in effect, white hats, but there is no such term as a "white-hat group." And if you're really testing the true security of a system, alerting the defensive teams of everything you plan to do and when you plan on doing it makes little sense.

13. Which of the following best describes the difference between a professional pen test team member and a hacker?

A. Ethical hackers are paid for their time.

B. Ethical hackers never exploit vulnerabilities; they only point out their existence.

C. Ethical hackers do not use the same tools and actions as hackers.

D. Ethical hackers hold a predefined scope and agreement from the system owner.

D. This one is a blast from the book's past and will pop up a couple of times on your exam. The only true difference between a professional pen test team member (an ethical hacker) and the hackers of the world is the existence of the formally approved, agreed-upon scope and contract before any attacks begin.

A is incorrect because, although professional ethical hackers are paid for their efforts during the pen test, this is not necessarily a delineation between the two (ethical and non-ethical). Some hackers may be paid for a variety of illicit activities. For one example, maybe a company wants to cause harm to a competitor, so it hires a hacker to perform attacks.

B and C are incorrect for the same reason. If a pen test team member never exploited an opportunity and refused to use the same tools and techniques that the hackers of the world have at their collective fingertips, what would be the point of an assessment? A pen test is designed to show true security weaknesses and flaws, and the only way to do that is to attack it just as a hacker would.

14. Sally is part of a penetration test team and is starting a test. The client has provided a network drop on one of their subnets for Sally to launch her attacks from. However, they did not provide any authentication information, network diagrams, or other notable data concerning the systems. Which type of test is Sally performing?

A. External, white box

B. External, black box

C. Internal, white box

D. Internal, black box

D. Sally was provided a network drop inside the organization’s network, so we know it’s an internal test. Additionally, no information of any sort was provided—from what we can gather, she knows nothing of the inner workings, logins, network design, and so on. Therefore, this is a black-box test—an internal black-box test.

A and B are incorrect because this is an internal test, not an external one.

C is incorrect because a white-box test would have included all the information Sally wanted about the network—designed to simulate a disgruntled internal network or system administrator.

15. Your pen test team is discussing services with a potential client. The client indicates they do not see the value in penetration testing. Which of the following is the correct response from your team?

A. Run a few tests and display the results to the client to prove the value of penetration testing.

B. Provide detailed results from other customers you’ve tested, displaying the value of planned testing and security deficiency discovery.

C. Provide information and statistics regarding pen testing and security vulnerabilities from reliable sources.

D. Perform the penetration test anyway in case they change their mind.

C. Ethical behavior will definitely find its way to your exam, and this cheesy question is an example. Your potential client may or may not be convinced when presented with the undeniable proof of pen test value from industry leaders (and possibly the U.S. government), but as the saying goes, “You can lead a horse to water, but you can’t make him drink.” An ethical hacker does not proceed without authorization, and doing so not only calls your integrity into question but also makes you a criminal. Documentation for an ethical test team will include scope (of what you can touch, how far you can go with testing, and how much time you’ll spend doing it), terms of engagement, nondisclosure, liability statements, and other specifics.

A and D are incorrect because an ethical hacker does not proceed without prior, written permission.

B is incorrect because ethical hackers do not disclose findings, procedures, or any other information about a test to anyone not specified in the agreement without authorization. This is usually covered in the nondisclosure agreement portion of the test team documentation.

16. In which phase of a penetration test would you compile a list of vulnerabilities found?

A. Pre-attack

B. Attack

C. Post-attack

D. Reconciliation

C. This is another simple definition question you’re sure to see covered on the exam. You compile the results of all testing in the post-attack phase of a pen test so you can create and deliver the final report to the customer.

A and B are incorrect because this action does not occur in the pre-attack or attack phase.

D is incorrect because reconciliation is not a phase of a pen test as defined by EC-Council.

17. Which of the following has a database containing thousands of signatures used to detect vulnerabilities in multiple operating systems?

A. Nessus

B. Hping

C. LOIC

D. SNMPUtil

A. Nessus is probably the best-known, most utilized vulnerability assessment tool on the planet—even though it’s not necessarily free anymore. Nessus works on a client/server basis and provides “plug-ins” to test everything from Cisco devices, macOS, and Windows machines to SCADA devices, SNMP, and VMware ESX (you can find a list of plug-in families at www.tenable.com/plugins/index.php?view=all). It’s part of virtually every security team’s portfolio, and you should definitely spend some time learning how to use it.

As an aside—not necessarily because it has anything to do with your test but because I am all about informing you on how to become a good pen tester—OpenVAS (www.openvas.org) is the open source community’s attempt at a free vulnerability scanner. Nessus was a free scanner for the longest time. However, once Nessus was purchased by Tenable Network Security, it, for lack of a better term, angered a lot of people in the security community because Nessus became a for-profit entity instead of a for-security one. Don’t get me wrong—Nessus is outstanding in what it does; it just costs you money. OpenVAS is attempting to do the same thing for free because the community wants security over profit.

Just keep in mind that most vulnerabilities that are actually capable of causing harm to your systems probably won’t be found by any scanner. The recent Heartbleed vulnerability, which takes advantage of an SSL issue, is a prime example: scanners simply can’t find vulnerabilities we don’t already know about.

B is incorrect because Hping is not a vulnerability assessment tool. Per Hping’s website (www.hping.org), it is “a command-line-oriented TCP/IP packet assembler/analyzer” used to test firewalls, to fingerprint operating systems, and even to perform man-in-the-middle (MITM) attacks.

C is incorrect because Low Orbit Ion Cannon (LOIC) is a distributed interface denial-of-service tool. It’s open source and can be used, supposedly legitimately, to test “network stress levels.”

D is incorrect because SNMPUtil is an SNMP security verification and assessment tool.

18. Cleaning registry entries and removing uploaded files and tools are part of which phase of a pen test?

A. Covering tracks

B. Pre-attack

C. Attack

D. Post-attack

D. Cleaning up all your efforts occurs in the post-attack phase, alongside analyzing the findings and generating the final report. The goal is to put things back exactly how they were before the assessment.

A is incorrect because “covering tracks” is part of the phases defining a hacking attack, not a phase of a pen test.

B and C are incorrect because these steps do not occur in the pre-attack or attack phase.

19. Which of the following are true statements regarding a pen test? (Choose all that apply.)

A. Pen tests do not include social engineering.

B. Pen tests may include unannounced attacks against the network.

C. During a pen test, the security professionals can carry out any attack they choose.

D. Pen tests always have a scope.

E. A list of all personnel involved in the test is not included in the final report.

B, D. Pen tests are carried out by security professionals who are bound by a specific scope and rules of engagement, which must be carefully crafted, reviewed, and agreed on before the assessment begins. This agreement can allow for unannounced testing, should upper management of the organization decide to test their IT security staff’s reaction times and methods.

A, C, and E are incorrect because these are false statements concerning a pen test. Unless expressly forbidden in the scope agreement, social engineering is a big part of any true pen test. The scope agreement usually defines how far a pen tester can go—for example, no intentional denial-of-service attacks and the like. Clients are provided a list of discovered vulnerabilities after the test, even if the team did not exploit them: there’s not always time to crack into every security flaw during an assessment, but that’s no reason to hide it from the customer. Lastly, the final report includes a list of all personnel taking part in the test.

20. Which of the following causes a potential security breach?

A. Vulnerability

B. Threat

C. Exploit

D. Zero day

B. So which came first—the chicken or the egg? This question is right along those same lines and can be really confusing, but if you key on the “cause” portion of the question, you should be okay. Sure, a vulnerability would need to be present; however, a vulnerability on its own doesn’t cause anything. A threat is something that could potentially take advantage of an existing vulnerability. Threats can be intentional, accidental, human, or even an “act of God.” A hacker is a threat to take advantage of an open port on a system and/or poor password policy. A thunderstorm is a threat to exploit a tear in the roof, leaking down into your systems. Heck, a rhinoceros is a threat to bust down the door and destroy all the equipment in the room. Whether those threats have intent, are viable, and are willing/able to take up the vulnerability is a matter for risk assessment to decide; they’ll probably beef up password policy and fix the roof, but I doubt much will be done on the rhino front.

A is incorrect because a vulnerability is a weakness in security. A vulnerability may or may not necessarily be a problem. For example, your system may have horribly weak password policy or even a missing security patch, but if it’s never on the network and is locked in a guarded room accessible by only three people who must navigate a biometric system to even open the door, the existence of those vulnerabilities is moot.

C is incorrect because an exploit is what is or actually can be done by a threat agent to utilize the vulnerability. Exploits can be local or remote, a piece of software, a series of commands, or anything that actually uses the vulnerability to gain access to, or otherwise affect, the target.

D is incorrect because a zero-day exploit is simply an exploit that most of us don’t really know much about at the time of its use. For instance, a couple years back some bad guys discovered a flaw in Adobe Reader and developed an exploit for it. From the time the exploit was created to the time Adobe finally recognized its existence and built a fix action to mitigate against it, the exploit was referred to as zero day.

21. Which Metasploit payload type operates via DLL injection and is difficult for antivirus software to pick up?

A. Inline

B. Meterpreter

C. Staged

D. Remote

B. For those of you panicking over this question, relax. You do not have to know all the inner workings of Metasploit, but it does appear enough—in the variety of study materials available for CEH certification—that EC-Council wants you to know some basics, and this question falls in that category. There are a bunch of different payload types within Metasploit, and meterpreter (short for meta-interpreter) is one of them. The following is from Metasploit’s website: “Meterpreter is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard anti-virus detection.”

A is incorrect because inline payloads are single payloads that contain the full exploit and shell code for the designed task. They may be more stable than other payloads, but they’re easier to detect and, because of their size, may not be viable for many attacks.

C is incorrect because staged payloads establish a connection between the attacking machine and the victim. Once the connection is established, the payload is revisited to execute on the remote machine.

D is incorrect because “remote” isn’t a recognized payload type.

22. Metasploit is a framework allowing for the development and execution of exploit code against a remote host and is designed for use in pen testing. The framework consists of several libraries, each performing a specific task and set of functions. Which library is considered the most fundamental component of the Metasploit framework?

A. MSF Core

B. MSF Base

C. MSF interfaces

D. Rex

D. Once again, this is another one of those weird questions you may see (involving any of the framework components) on your exam. It’s included here so you’re not caught off guard in the actual exam room and freak out over not hearing it before. Don’t worry about learning all the nuances of Metasploit and its architecture before the exam—just concentrate on memorizing the basics of the framework (key words for each area will assist with this), and you’ll be fine.

Metasploit, as you know, is an open source framework allowing a variety of automated (point-and-shoot) pen test methods. The framework is designed in a modular fashion, with each library and component responsible for its own function. The following is from Metasploit’s development guide (you can find copies in a variety of places now, just use a Google search for msf_dev_guide filetype:pdf): “The most fundamental piece of the architecture is the Rex library, which is short for the Ruby Extension Library. Some of the components provided by Rex include a wrapper socket subsystem, implementations of protocol clients and servers, a logging subsystem, exploitation utility classes, and a number of other useful classes.” Rex provides critical services to the entire framework.

A is incorrect because the MSF Core “is responsible for implementing all of the required interfaces that allow for interacting with exploit modules, sessions, and plugins.” It interfaces directly with Rex.

B is incorrect because the MSF Base “is designed to provide simpler wrapper routines for dealing with the framework core as well as providing utility classes for dealing with different aspects of the framework, such as serializing module state to different output formats.” The Base is an extension of the Core.

C is incorrect because the MSF interfaces are the means by which you (the user) interact with the framework. Interfaces for Metasploit include Console, CLI, Web, and GUI.

23. Which of the following may be effective countermeasures against an inside attacker? (Choose all that apply.)

A. Enforce elevated privilege control.

B. Secure all dumpsters and shred collection boxes.

C. Enforce good physical security practice and policy.

D. Perform background checks on all employees.

A, B, C, D. All of the answers are correct. Admittedly, there’s nothing you can really do to completely prevent an inside attack. There’s simply no way to ensure every single employee is going to remain happy and satisfied, just as there’s no way to tell when somebody might just up and decide to turn to crime. It happens all the time, in and out of Corporate America, so the best you can do is, of course, the best you can do.

Enforcing elevated privilege control (that is, ensuring users have only the amount of access, rights, and privileges to get their job done, and no more) seems like a commonsense thing, but it’s amazing how many enterprise networks simply ignore this. After all, a disgruntled employee with administrator rights on his machine can certainly do more damage than one with just plain user rights. Securing dumpsters and practicing good physical security should help protect against an insider who wants to come back after hours and snoop around. And performing background checks on employees, although by no means a silver bullet in this situation, can certainly help to ensure you’re hiring the right people in the first place (in many companies a background check is a requirement of law). Here are some of the other steps:

• Monitoring user network behavior

• Monitoring user computer behavior

• Disabling remote access

• Disabling removable drive use on all systems (USB drives and so on)

• Shredding all discarded paperwork

• Conducting user education and training programs
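The “elevated privilege control” the answer describes is only as good as your ability to check it. The following PowerShell script is an added example, not from the book, that audits which principals actually hold membership in a Windows host’s local Administrators group and reports anything outside an approved list. The approved group name (CORP\Workstation Admins) is a constructed placeholder; the built-in Administrator account is recognized by its well-known RID 500 rather than by name.

```powershell
# Added example (not part of the book): audit the local Administrators group
# against an approved list and report every principal outside it.
# The approved principals below are constructed placeholders; replace them with
# the accounts and groups your own policy allows to hold local admin rights.
$ApprovedAdmins = @(
    'CORP\Workstation Admins'   # placeholder: the one domain group that should hold local admin
)

function Get-UnexpectedLocalAdmins {
    param(
        [string[]]$Approved = $ApprovedAdmins
    )
    # Get-LocalGroupMember is part of the Microsoft.PowerShell.LocalAccounts module
    # (Windows 10 / Server 2016 and later); run elevated so all members are returned.
    $members = Get-LocalGroupMember -Group 'Administrators'
    foreach ($m in $members) {
        $sid = $m.SID.Value
        # The built-in Administrator account always carries RID 500. It is expected
        # in this group (though it should normally be disabled or renamed), so skip it.
        if ($sid -match '-500$') { continue }
        if ($Approved -notcontains $m.Name) {
            [pscustomobject]@{
                Name        = $m.Name
                ObjectClass = $m.ObjectClass      # User or Group
                Source      = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
                SID         = $sid
            }
        }
    }
}

$unexpected = @(Get-UnexpectedLocalAdmins)
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) principal(s) hold local admin rights on ${env:COMPUTERNAME} outside the approved list:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output "Local Administrators membership on ${env:COMPUTERNAME} matches the approved list."
}
```

The typical finding is a local or domain user account (ObjectClass User) that was granted admin rights on “their own” machine and never removed; pushing the script out through your configuration-management or scheduled-task tooling and collecting the output centrally turns a one-off check into the continuous monitoring the answer’s list of “other steps” calls for.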


APPENDIX A Pre-assessment Test

When we sat down to plan out the last edition of this book, Amy Gray, our acquisitions editor, asked me about including a pre-test. I opposed including one because, frankly, I thought (and still do think, largely) pre-tests stink. I’ve always found them to be misleading at best and outright damaging at times to real preparation. If folks take the pre-test and do well, they believe they’re way ahead in their studies; if they do poorly, then they tend to focus too much time on where the pre-test told them to study. Instead of sticking to a well-rounded study plan, they gain a false sense of confidence granted by a couple of questions.

All that said, Amy convinced me otherwise. She has a way of doing that. After pointing out some candidates do use pre-assessments accurately—that there is value in gaining some insight into the strengths and weaknesses of the material up front—she reminded me that I would have the opportunity to make sure it’s used the way it should be.

And she said please.

So, I present our fourth edition CEH pre-assessment test. It includes 60 questions that are similar in style and format to the questions on the exam, and should give you some insight into how much you really know about the material. As I noted, however, I do not want you to read too much into it. A couple of questions from an entire chapter of CEH study material are simply not going to give you an adequate measurement of where you are study-wise.

Take the pre-assessment test and get what you can out of it. Sure, try to learn where you can focus some of your study time, but more importantly, at least in my humble opinion anyway, you should use it to try to simulate your real exam as closely as possible. Go to a quiet place and be sure that you will not be interrupted for the full length of time it will take to complete the test. You should give yourself 1 hour and 45 minutes. Don’t use any reference materials or other assistance while taking the pre-assessment. And lastly, of course, complete the entire pre-assessment test before checking your results. Don’t cheat on this, or you won’t get anything out of it. It’ll actually hurt you on the real exam if you look at the answers as you go along. It creates a crutch you simply won’t have on exam day—and when panic sets in, you’re done. After you have finished, use both the “Quick Answer Key” and the “Answers” sections to score your test. Use the table in the “Analyzing Your Results” section to determine how well you performed. Remember, the idea is to use this as a trial run in order to see how you react and where your thoughts run in the middle of a real test.

One last thing, and I promise I’ll shut up and let you get going: any pre-test designed to guide your studies is usually divided up in proportion to the objective or module percentages, as described by the governing body. However, with EC-Council and especially in CEH version 10, that’s all but impossible. Current exam content is broken down into seven main areas, and, yes, there are percentages assigned to each (covered in the following table, straight from EC-Council). However, guessing which question falls into which domain is hit and miss. Additionally, the exam now uses something called a “cut score” to determine your passing grade: if you get questions pulled from a tough test bank, your passing score will be set much lower than a candidate pulling questions from an easier pool. This makes it nearly impossible for the pre-test to look and feel like your upcoming exam. Therefore, I should reinforce, once again, what I’ve been saying here the whole time: don’t read too much into this pre-assessment.

I’m going to do my best to fit questions from our book into each domain for you, but don’t get hung up on how a question is defined and what its objective is—treat each question as the one you’ll need in order to pass the exam, and worry about categories and objective lists later.

Are you ready? Set your clock for 1 hour and 45 minutes and begin!

QUESTIONS

1. A vendor is alerted of a newly discovered flaw in its software that presents a major vulnerability to systems. While working to prepare a fix action, the vendor releases a notice alerting the community of the discovered flaw and providing best practices to follow until the patch is available. Which of the following best describes the discovered flaw?

A. Input validation flaw

B. Shrink-wrap vulnerability

C. Insider vulnerability

D. Zero day

2. A security professional applies encryption methods to communication channels. Which security control role is she attempting to meet?

A. Preventive

B. Detective

C. Defensive

D. Corrective

3. Bob is working with senior management to identify the systems and processes that are critical for operations. As part of this business impact assessment, he performs calculations on various systems to place a value on them. On a certain server he discovers the following:

• The server costs $2500 to purchase.

• The server typically fails once every five years.

• The salary for the technician to repair a server failure is $40 an hour, and it typically takes two hours to fully restore the server after a failure.

• The accounting group has five employees paid at $25 an hour who are at a standstill during an outage.

What is the ALE for the server?

A. 20%

B. $2830

C. $566

D. $500

4. You’ve discovered a certain application in your environment that has been proven to contain vulnerabilities. Which of the following actions best describes avoiding the risk?

A. Remove the software from the environment.

B. Install all known security patches for the application.

C. Install brand-new software guaranteed by the publisher to be free of vulnerabilities.

D. Leave the software in place.

5. James is a member of a pen test team newly hired to test a bank’s security. He begins searching for IP addresses the bank may own, using public records on the Internet, and he also looks up news articles and job postings to discover information that may be valuable. In what phase of the pen test is James working?

A. Reconnaissance

B. Pre-attack

C. Assessment

D. Attack

E. Scanning

6. Enacted in 2002, this U.S. law requires every federal agency to implement information security programs, including significant reporting on compliance and accreditation. Which of the following is the best choice for this definition?

A. FISMA

B. HIPAA

C. NIST 800-53

D. OSSTMM

7. You are examining a Wireshark capture. Which of the following MAC addresses would indicate a broadcast packet?

A. AA:AA:AA:AA:AA:AA

B. FF:FF:FF:FF:FF:FF

C. 11:11:11:11:11:11

D. 99:99:99:99:99:99

8. Which Google operator is the best choice in searching for a particular string in the website’s title?

A. intext:

B. inurl:

C. site:

D. intitle:

9. An ethical hacker begins by visiting the target’s website and then peruses social networking sites and job boards looking for information and building a profile on the organization. Which of the following best describes this effort?

A. Active footprinting

B. Passive footprinting

C. Internet footprinting

D. Sniffing

10. Internet attackers—state sponsored or otherwise—often discover vulnerabilities in a service or product but keep the information quiet and to themselves, ensuring the vendor is unaware of the vulnerability, until the attackers are ready to launch an exploit. Which of the following best describes this?

A. Zero day

B. Zero hour

C. No day

D. Nada sum

11. The organization has a DNS server out in the DMZ and a second one internal to the network. Which of the following best describes this DNS configuration?

A. Schematic DNS

B. Dynamic DNS

C. DNSSEC

D. Split DNS

12. Search engines assist users in finding the information they want on the Internet. Which of the following is known as the hacker’s search engine, explicitly allowing you to find specific types of computers (for example, routers or servers) connected to the Internet?

A. Whois

B. Shodan

C. Nslookup


D. Burp Suite

13. Which of the following methods correctly performs banner grabbing with telnet on a Windows system?

A. telnet <IPAddress> 80

B. telnet 80 <IPAddress>

C. telnet <IPAddress> 80 -u

D. telnet 80 <IPAddress> -u

14. Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?

A. URG

B. PSH

C. RST

D. BUF

15. Which of the following correctly describes the TCP three-way handshake?

A. SYN, ACK, SYN/ACK

B. SYN, SYN/ACK, ACK

C. ACK, SYN, ACK/SYN

D. ACK, ACK/SYN, SYN

16. You are examining the results of a SYN scan. A port returns a RST/ACK. What does this mean?

A. The port is open.

B. The port is closed.

C. The port is filtered.

D. Information about this port cannot be gathered.

17. You want to run a reliable scan but remain as stealthy as possible. Which of the following nmap commands best accomplishes your goal?

A. nmap -sN targetIPaddress

B. nmap -sO targetIPaddress

C. nmap -sS targetIPaddress

D. nmap -sT targetIPaddress

18. You are examining a host with an IP address of 65.93.24.42/20, and you want to determine the broadcast address for the subnet. Which of the following is the correct broadcast address for the subnet?

A. 65.93.24.255

B. 65.93.0.255

C. 65.93.32.255

D. 65.93.31.255

E. 65.93.255.255

19. Angie captures traffic using Wireshark. Which filter should she apply to see only packets sent from 220.99.88.77?

A. ip = 220.99.88.77

B. ip.src == 220.99.88.77

C. ip.equals 220.99.88.77

D. ip.addr == 220.99.88.77

20. A systems administrator notices log entries from a host named MATTSYS (195.16.88.12) are not showing up on the syslog server (195.16.88.150). Which of the following Wireshark filters would show any attempted syslog communications from the machine to the syslog server?

A. tcp.dstport==514 && ip.dst==195.16.88.150

B. tcp.srcport==514 && ip.src==195.16.88.12

C. tcp.dstport==514 && ip.src==195.16.88.12

D. udp.dstport==514 && ip.src==195.16.88.12

21. Which IoT communication model allows the data from IoT devices to be accessed by a third party?

A. Device-to-Device

B. Device-to-Cloud

C. Device-to-Gateway

D. Back-End Data Sharing

22. A pen tester connects a laptop to a switch port and enables promiscuous mode on the NIC. He then turns on Wireshark and leaves for the day, hoping to catch interesting traffic over the next few hours. Which of the following statements is true regarding this scenario? (Choose all that apply.)

A. The packet capture will provide the MAC addresses of other machines connected to the switch.

B. The packet capture will provide only the MAC addresses of the laptop and the default gateway.

C. The packet capture will display all traffic intended for the laptop.

D. The packet capture will display all traffic intended for the default gateway.

23. Which of the following best describes ARP poisoning?

A. In ARP poisoning, an attacker floods a switch with thousands of ARP packets.

B. In ARP poisoning, an attacker uses ARP to insert bad IP mappings into a DNS server.

C. In ARP poisoning, an attacker continually inserts forged entries into an ARP cache.

D. In ARP poisoning, an attacker continually deletes an ARP cache.

24. Which of the following statements best describes port security?

A. It stops traffic sent to a specified MAC address from entering a port.

B. It allows traffic sent to a specific MAC address to enter a port.

C. It stops traffic from a specific MAC from entering a port.

D. It allows traffic from a specific MAC address to enter a port.

25. Where is the SAM file found on a Windows 10 machine?

A. C:\windows\config

B. C:\windows\system32

C. C:\windows\system32\etc

D. C:\windows\system32\config

26. Which of the following commands would be useful in adjusting settings on the built-in firewall on a Windows machine?

A. netstat

B. netsh

C. sc

D. ntfw

27. Which SID indicates the true administrator account on the Windows machine?

A. S-1-5-31-1045337334-12924807993-5683276715-1500

B. S-1-5-31-1045337334-12924807993-5683276715-1001

C. S-1-5-31-1045337334-12924807993-5683276715-501

D. S-1-5-31-1045337334-12924807993-5683276715-500

28. Which of the following statements is true regarding LM hashes?

A. If the left side of the hash begins with 1404EE, the password is less than eight characters.

B. If the right side of the hash ends with 1404EE, the password is less than eight characters.

C. There is no way to tell whether passwords are less than eight characters because hashes are not reversible.

D. There is no way to tell whether passwords are less than eight characters because each hash is always 32 characters long.

29. Which password-cracking method usually takes the most time and uses the most resources?

A. Hybrid

B. Dictionary


C. Brute force

D. Botnet

30. Which of the following actions is the best choice for protection against privilege escalation vulnerabilities?

A. Ensure drivers are appropriately signed.

B. Set admin accounts to run on least privilege.

C. Make maximum use of automated services.

D. Ensure services run with least privilege.

31. During a pen test, you notice VoIP traffic is traversing the subnet. Which of the following tools could be used to decode a packet capture and extract voice conversations?

A. Black Widow

B. Netcat

C. Nmap

D. Cain

32. A pen tester enters the following command on a Windows 7 system:

netsh firewall show config

What should be displayed in return?

A. Settings of the built-in firewall

B. An authentication screen for firewall configuration access

C. Route mapping to the nearest firewall

D. None of the above

33. Which of the following statements is true regarding Kerberos?

A. Kerberos makes use of UDP as a transport protocol.

B. Kerberos makes use of TCP as a transport protocol.

C. Kerberos uses port 88 for the transmission of data.

D. Kerberos makes use of both symmetric and asymmetric encryption techniques.

E. All the above.

34. The < character opens an HTML tag, and the > character closes it. In some web forms, input validation may deny these characters to protect against XSS. Which of the following represent the HTML entities used in place of these characters? (Choose two.)

A. &lt;

B. &gt;

C. &amp;

D. &reg;

E. &nbsp;

35. An attacker discovers a form on a target organization’s website. He interjects some simple JavaScript into one of the form fields instead of the username. Which attack is he carrying out?

A. XSS

B. SQL injection

C. Buffer overflow

D. Brute force

36. An attacker enters the following into a web form: ‘or 1=1 --. Which attack is being attempted?

A. XSS

B. Brute force

C. Parameter manipulation

D. SQL injection

37. Which OWASP top ten vulnerability for IoT deals with insecure or weak passwords?

A. Insufficient Authentication/Authorization

B. Insecure Network Services

C. Insecure Cloud Interface

D. Insecure Software/Firmware

38. After a recent attack, log files are reviewed by the IR team to determine the attack scope, success or failure, and lessons learned. Consider the following entry:

SELECT username, password FROM users;

Which of the following statements best describes the result of this command query?

A. The command deletes username and password fields from a table named “users.”

B. The command adds username and password fields to a table named “users.”

C. The command displays the contents of the username and password fields stored in the table named “users.”

D. The command will not produce any results.

39. Which jailbreaking method does not retain the patched kernel after reboot but does leave the software on the device, allowing for future jailbreak activities?

A. Tethered jailbreaking

B. Semi-tethered jailbreaking

C. Untethered jailbreaking

D. Rooting

40. Which of the following statements best defines smishing?

A. It is sending SMS texts to a user in an effort to trick them into downloading malicious code.

B. It is sniffing Bluetooth connections.

C. It is hijacking Bluetooth connections to send text messages.

D. It is rooting an Android device.

41. XenMobile, MaaS360, AirWatch, and MobiControl are all examples of which kind of security solution?

A. 802.1x

B. BYOD

C. MDM

D. CCMP

42. Which of the following is a passive wireless discovery tool?

A. NetStumbler

B. Aircrack

C. Kismet

D. Netsniff

43. Which of the following provides the integrity method for WPA2?

A. RC4

B. CCMP

C. AES

D. 802.1x

44. An attacker performs reconnaissance and learns the organization’s SSID. He places an access point inside a closet in order to trick normal users into connecting to it and then redirect them to malicious sites. Which of the following terms is used to describe this attack?

A. Replay attack

B. Evil twin attack

C. Closet AP attack

D. WEP nap attack

45. Which attack can be mitigated by configuring the web server to send random challenge tokens?

A. XSS

B. Buffer overflow

C. CSRF

D. Form field manipulation

46. You deploy cloud services such that they are provided over a network open for public use. Which of the following best describes your cloud deployment?

A. Private

B. Community

C. Public

D. Hybrid

47. In NIST cloud architecture, which role acts as the organization that has the responsibility of transferring the data?

A. Cloud carrier

B. Cloud consumer

C. Cloud auditor

D. Cloud broker

48. Which of the following provides visibility and security controls for servers in a cloud?

A. CloudPassage Halo

B. Metasploit

C. AWSExploit

D. CloudInspect

49. Which of the following best describes crypters?

A. Software tools that use a combination of encryption and code manipulation to render malware as undetectable to antivirus software

B. Software tools that use compression to pack the malware executable into a smaller size

C. Software that appears to perform a desirable function for the user prior to running or installing it but instead performs a function that steals information or otherwise harms the system

D. Software that hides data in other files

50. Which command displays all connections and listening ports in numerical form?

A. netstat -a localhost -n

B. netstat -an

C. netstat -r

D. netstat -s

51. Within a biometric system, which of the following describes a circumstance where legitimate users are denied access to resources due to system errors or inaccurate readings?

A. False positive

B. False negative

C. False acceptance rate

D. Crossover error rate

52. Which of the following best matches the POODLE attack?

A. MITM

B. DoS

C. DDoS

D. XSS

53. An attacker uses a Metasploit auxiliary exploit to send a series of small messages to a server at regular intervals. The server responds with 64 bytes of data from its memory. Which of the following attacks is being described?

A. POODLE

B. Heartbleed

C. FREAK

D. DROWN

54. Which of the following would most likely be used to encrypt an entire hard drive?

A. PGP

B. TLS

C. SSH

D. SSL

55. Which of the following could be a potentially effective countermeasure against social engineering?

A. User education and training

B. Strong security policy and procedure

C. Clear operational guidelines

D. Proper classification of information and individuals’ access to that information

E. All of the above

56. Which of the following represents the highest risk to an organization?

A. Black hat

B. Gray hat

C. White hat

D. Disgruntled employee

57. Jill receives an e-mail that appears legitimate and clicks the included link. She is taken to a malicious website that steals her login credentials. Which of the following best describes this attack?

A. Phishing

B. Javelin

C. Wiresharking

D. Bait and switch

58. Bill is asked to perform an assessment but is provided with no knowledge of the system other than the name of the organization. Which of the following best describes the test he will be performing?

A. White box

B. Gray box

C. Black box

D. None of the above

59. OWASP provides a testing methodology. In it, which of the following is provided to assist in securing web applications?

A. COBIT

B. A list of potential security flaws and mitigations to address them

C. Web application patches

D. Federally recognized security accreditation

60. Which of the following best describes a red team?

A. Security team members defending a network

B. Security team members attacking a network

C. Security team members with full knowledge of the internal network

D. Security team members dedicated to policy audit review

QUICK ANSWER KEY

1. D

2. A

3. C

4. A

5. B

6. A

7. B

8. D

9. B

10. A

11. D

12. B

13. A

14. B

15. B

16. B

17. C

18. D

19. B

20. D

21. D

22. A, C

23. C

24. D

25. D

26. B

27. D

28. B

29. C

30. D

31. D

32. A

33. E

34. A, B

35. A

36. D

37. A

38. C

39. B

40. A

41. C

42. C

43. B

44. B

45. C

46. C

47. A

48. A

49. A

50. B

51. B

52. A

53. B

54. A

55. E

56. D

57. A

58. C

59. B

60. B

Total Score: ______

ANSWERS

1. A vendor is alerted of a newly discovered flaw in its software that presents a major vulnerability to systems. While working to prepare a fix action, the vendor releases a notice alerting the community of the discovered flaw and providing best practices to follow until the patch is available. Which of the following best describes the discovered flaw?

A. Input validation flaw

B. Shrink-wrap vulnerability

C. Insider vulnerability

D. Zero day

D. Zero day means there has been no time to work on a solution. The bad news is that the discovery by security personnel of the existing vulnerability doesn’t mean it just magically popped up—it means it has been there without the good guys’ knowledge and could have already been exploited.

A, B, and C are incorrect. A is incorrect because input validation refers to verifying that a user’s entry into a form or field contains only what the form or field was designed to accept. B and C are incorrect because the terms shrink-wrap vulnerability and insider vulnerability are not valid so far as your exam is concerned.

2. A security professional applies encryption methods to communication channels. Which security control role is she attempting to meet?

A. Preventive

B. Detective

C. Defensive

D. Corrective

A. Controls fall into three categories: preventive, detective, and corrective. In this instance, encryption of data is designed to prevent unauthorized eyes from seeing it. Depending on the encryption used, this can provide for confidentiality and nonrepudiation and is most definitely preventive in nature.

B, C, and D are incorrect. B is incorrect because detective controls are designed to watch for security breaches and detect when they occur. C is incorrect because defensive is not a control category. D is incorrect because corrective controls are designed to fix things after an attack has been discovered and stopped.

3. Bob is working with senior management to identify the systems and processes that are critical for operations. As part of this business impact assessment, he performs calculations on various systems to place a value on them. On a certain server he discovers the following:

• The server costs $2500 to purchase.

• The server typically fails once every five years.

• The salary for the technician to repair a server failure is $40 an hour, and it typically takes two hours to fully restore the server after a failure.

• The accounting group has five employees paid at $25 an hour who are at a standstill during an outage.

What is the ALE for the server?

A. 20%

B. $2830

C. $566

D. $500

C. ALE = ARO × SLE. To find the correct annualized loss expectancy, multiply the percentage of time it is likely to occur annually (annual rate of occurrence—in this case, 0.2 [1 failure / 5 years = 20%]) by the amount of cost incurred from a single failure (single loss expectancy—in this case, $80 [for the repair guy] + $250 [5 employees at $25 an hour for 2 hours] + $2500 [replacement of server] = $2830). ALE = 0.2 × $2830, so the ALE for this case is $566.

A, B, and D are incorrect. A is incorrect because 20% is the ARO for this scenario (1 failure / 5 years). B is incorrect because $2830 is the SLE for this scenario (repair guy cost + lost work from accounting guys + replacement of server, or $80 + $250 + $2500). D is incorrect because $500 would be the ALE if you did not take into account the technician and lost work production.

4. You’ve discovered a certain application in your environment that has been proven to contain vulnerabilities. Which of the following actions best describes avoiding the risk?

A. Remove the software from the environment.

B. Install all known security patches for the application.

C. Install brand-new software guaranteed by the publisher to be free of vulnerabilities.

D. Leave the software in place.

A. Removing the software or service that contains a vulnerability is described as avoiding the risk—if it’s not there to be exploited, there’s no risk.

B, C, and D are incorrect. B is incorrect because installing patches (or a new version) is an attempt to mitigate risk. C is incorrect because installing different software without vulnerabilities is called transferring risk (however, I don’t care what the software publisher says, the community will determine if there are vulnerabilities). D is incorrect because leaving the software in place is an example of accepting the risk: maybe there are security controls in place to where the chance of the vulnerabilities being exploited is so small you’re willing to just accept that they exist.

5. James is a member of a pen test team newly hired to test a bank’s security. He begins searching for IP addresses the bank may own, using public records on the Internet, and he also looks up news articles and job postings to discover information that may be valuable. In what phase of the pen test is James working?

A. Reconnaissance

B. Pre-attack

C. Assessment

D. Attack

E. Scanning

B. The pre-attack phase (a.k.a. the preparation phase) is where all this activity takes place—including the passive information gathering performed by James in this example. This would be followed by the attack and post-attack phases.

A, C, D, and E are incorrect. A and E are incorrect because reconnaissance and scanning are part of the ethical hacking phases (reconnaissance, scanning/enumeration, gaining access, maintaining access, and clearing tracks). C is incorrect because assessment is akin to the attack phase.

6. Enacted in 2002, this U.S. law requires every federal agency to implement information security programs, including significant reporting on compliance and accreditation. Which of the following is the best choice for this definition?

A. FISMA

B. HIPAA

C. NIST 800-53

D. OSSTMM

A. FISMA has been around since 2002 and was updated in 2014. It gave certain information security responsibilities to NIST, OMB, and other government agencies, and declared the Department of Homeland Security (DHS) as the operational lead for budgets and guidelines on security matters.

B, C, and D are incorrect. These do not matchthe description.

7. You are examining a Wireshark capture. Which of the following MAC addresses would indicate a broadcast packet?

A. AA:AA:AA:AA:AA:AA

B. FF:FF:FF:FF:FF:FF

C. 11:11:11:11:11:11

D. 99:99:99:99:99:99

B. You’ll see a few base-level network knowledge questions peppered throughout the exam, and this is one example. A NIC seeing a MAC of FF:FF:FF:FF:FF:FF knows the packet is broadcast in nature and passes it up the stack for processing.

A, C, and D are incorrect. These addresses do not match broadcast frames.

8. Which Google operator is the best choice in searching for a particular string in the website’s title?

A. intext:

B. inurl:

C. site:

D. intitle:

D. Google hacking refers to manipulating a search string with additional specific operators to search for valuable information. The intitle: operator will return websites with a particular string in their title. Website titles can contain legitimate descriptions of the page, author information, or a list of words useful for a search engine.

A, B, and C are incorrect. A is incorrect because the intext: operator looks for pages that contain a specific string in the text of the page body. B is incorrect because the inurl: operator looks for a specific string within the URL. C is incorrect because the site: operator limits the current search to only the specified site (instead of the entire Internet).

9. An ethical hacker begins by visiting the target’s website and then peruses social networking sites and job boards looking for information and building a profile on the organization. Which of the following best describes this effort?

A. Active footprinting

B. Passive footprinting

C. Internet footprinting

D. Sniffing

B. Footprinting competitive intelligence is a passive effort because competitive intelligence is open and accessible to anyone. Passive footprinting is an effort that doesn’t usually put you at risk of discovery.

A, C, and D are incorrect. A is incorrect because this is not active footprinting, meaning no internal targets have been touched and there is little to no risk of discovery. C is incorrect because Internet footprinting isn’t a legitimate term to commit to memory. D is incorrect because sniffing is irrelevant to this question.

10. Internet attackers—state sponsored or otherwise—often discover vulnerabilities in a service or product but keep the information quiet and to themselves, ensuring the vendor is unaware of the vulnerability, until the attackers are ready to launch an exploit. Which of the following best describes this?

A. Zero day

B. Zero hour

C. No day

D. Nada sum

A. A zero-day attack is one carried out on a vulnerability the good guys didn’t even know existed. The true horror of this attack is that you do not know about the vulnerability until it’s far too late.

B, C, and D are incorrect. These answers are not legitimate terms.

11. The organization has a DNS server out in the DMZ and a second one internal to the network. Which of the following best describes this DNS configuration?

A. Schematic DNS

B. Dynamic DNS

C. DNSSEC

D. Split DNS

D. Split DNS is recommended virtually everywhere. Internal hosts may need to see everything internal, but external hosts do not. Keep internal DNS records split away from external ones, as there is no need for anyone outside your organization to see them.

A, B, and C are incorrect. These answers are all distractors.

12. Search engines assist users in finding the information they want on the Internet. Which of the following is known as the hacker’s search engine, explicitly allowing you to find specific types of computers (for example, routers or servers) connected to the Internet?

A. Whois

B. Shodan

C. Nslookup

D. Burp Suite

B. Shodan allows users to search for very specific types of hosts, which can be very helpful to attackers—ethical or not.

A, C, and D are incorrect. A is incorrect because whois provides registrar and technical POC information. C is incorrect because nslookup is a command-line tool for DNS lookups. D is incorrect because Burp Suite is a website/application hacking tool.

13. Which of the following methods correctly performs banner grabbing with telnet on a Windows system?

A. telnet <IPAddress> 80

B. telnet 80 <IPAddress>

C. telnet <IPAddress> 80 -u

D. telnet 80 <IPAddress> -u

A. Telnetting to port 80 will generally pull a banner from a web server. You can telnet to any port you want to check, for that matter, and ideally pull a banner; however, port 80 just seems to be the one used on the exam the most.

B, C, and D are incorrect. These are all bad syntax for telnet.

14. Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?

A. URG

B. PSH

C. RST

D. BUF

B. It may look like an urgent request, but don’t fall for it—the URG flag isn’t apropos here; the PSH flag is designed for these scenarios.

A, C, and D are incorrect. A is incorrect because the URG flag is used to inform the receiving stack that certain data within a segment is urgent and should be prioritized (not used much by modern protocols). C is incorrect because the RST flag forces a termination of communications (in both directions). D is incorrect because BUF is not a TCP flag.

15. Which of the following correctly describes the TCP three-way handshake?

A. SYN, ACK, SYN/ACK

B. SYN, SYN/ACK, ACK

C. ACK, SYN, ACK/SYN

D. ACK, ACK/SYN, SYN

B. This is bedrock knowledge you should already have memorized from Networking 101 classes. TCP starts a communication with a synchronize packet (with the SYN flag set). The recipient acknowledges this by sending both the SYN and ACK flags. Finally, the originator acknowledges communications can begin with an ACK packet.

A, C, and D are incorrect. These answers do not have the correct three-way handshake order.

16. You are examining the results of a SYN scan. A port returns a RST/ACK. What does this mean?

A. The port is open.

B. The port is closed.

C. The port is filtered.

D. Information about this port cannot be gathered.

B. Think about a TCP handshake—SYN, SYN/ACK, ACK—and then read this question again. Easy, right? In a SYN scan, an open port is going to respond with a SYN/ACK, and a closed one is going to respond with a RST/ACK.

A, C, and D are incorrect. A is incorrect because the return response indicates the port is closed. C is incorrect because a filtered port likely wouldn’t respond at all. D is incorrect because an open port would respond with a SYN/ACK.

17. You want to run a reliable scan but remain as stealthy as possible. Which of the following nmap commands best accomplishes your goal?

A. nmap -sN targetIPaddress

B. nmap -sO targetIPaddress

C. nmap -sS targetIPaddress

D. nmap -sT targetIPaddress

C. A full-connect scan would probably be best, provided you run it slowly. However, given the choices, a half-open scan, as defined by this nmap command line, is the best remaining option.

A, B, and D are incorrect. A is incorrect because a null (-sN) scan probably won’t provide the reliability asked for because it doesn’t work on Windows hosts at all. B is incorrect because an operating system (-sO) scan would prove too noisy. D is incorrect because a full scan (-sT) would provide reliable results, but without a timing modifier to greatly slow it down, it will definitely be seen.

18. You are examining a host with an IP address of 65.93.24.42/20, and you want to determine the broadcast address for the subnet. Which of the following is the correct broadcast address for the subnet?

A. 65.93.24.255

B. 65.93.0.255

C. 65.93.32.255

D. 65.93.31.255

E. 65.93.255.255

D. If you view the address 65.93.24.42 in binary, it looks like this: 01000001.01011101.00011000.00101010. The subnet mask given (/20) tells you only the first 20 bits count as the network ID (which cannot change if we are to stay in the same subnet), and the remaining 12 bits belong to the host. Turning off all the host bits (after the 20th bit) gives you your network ID: 01000001.01011101.00010000.00000000 (65.93.16.0/20). Turning on all the host bits gives you your broadcast address: 01000001.01011101.00011111.11111111 (65.93.31.255/20).

A, B, and C are incorrect. These answers do not match the broadcast address for this subnet.
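The bit-twiddling in the answer above, carried out for any IPv4 host and prefix length rather than just /20. This is an added example, not code from the book; the host 65.93.24.42/20 is the question's own, and the function names are mine.

```python
"""Network ID and broadcast address from CIDR notation.

Added example (not from the book). It generalises the /20 worked
answer: clear the host bits for the network ID, set them all for the
broadcast, and render the dotted-binary form the explanation uses.
"""
import ipaddress


def dotted_binary(addr: str) -> str:
    """Render an IPv4 address as four 8-bit groups, e.g. 01000001.01011101.00011000.00101010."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))


def subnet_bounds(cidr: str) -> dict:
    """Compute network ID, broadcast and mask for an IPv4 host written as a.b.c.d/prefix.

    Plain integer bit arithmetic so the steps mirror the explanation:
    the first `prefix` bits are the network ID and cannot change; the
    remaining 32 - prefix bits are host bits.
    """
    host, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    host_int = int(ipaddress.IPv4Address(host))
    host_bits = 32 - prefix
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    network = host_int & mask                      # turn off all host bits
    broadcast = network | ((1 << host_bits) - 1)   # turn on all host bits
    return {
        "network": str(ipaddress.IPv4Address(network)),
        "broadcast": str(ipaddress.IPv4Address(broadcast)),
        "mask": str(ipaddress.IPv4Address(mask)),
        "host_bits": host_bits,
        # /31 and /32 have no separate network/broadcast hosts; clamp at 0
        "usable_hosts": max((1 << host_bits) - 2, 0),
    }


def same_subnet(cidr: str, other: str) -> bool:
    """True if `other` lies between the network ID and broadcast of `cidr`'s subnet."""
    bounds = subnet_bounds(cidr)
    lo = int(ipaddress.IPv4Address(bounds["network"]))
    hi = int(ipaddress.IPv4Address(bounds["broadcast"]))
    return lo <= int(ipaddress.IPv4Address(other)) <= hi


if __name__ == "__main__":
    # The question's host: 65.93.24.42/20 -> network 65.93.16.0, broadcast 65.93.31.255
    print(dotted_binary("65.93.24.42"))
    print(subnet_bounds("65.93.24.42/20"))
```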

19. Angie captures traffic using Wireshark. Which filter should she apply to see only packets sent from 220.99.88.77?

A. ip = 220.99.88.77

B. ip.src == 220.99.88.77

C. ip.equals 220.99.88.77

D. ip.addr == 220.99.88.77

B. The ip.src == xxxx filter tells Wireshark to display only those packets with the IP address xxxx in the source field.

A, C, and D are incorrect. These are incorrect Wireshark filters.

20. A systems administrator notices log entries from a host named MATTSYS (195.16.88.12) are not showing up on the syslog server (195.16.88.150). Which of the following Wireshark filters would show any attempted syslog communications from the machine to the syslog server?

A. tcp.dstport==514 && ip.dst==195.16.88.150

B. tcp.srcport==514 && ip.src==195.16.88.12

C. tcp.dstport==514 && ip.src==195.16.88.12

D. udp.dstport==514 && ip.src==195.16.88.12

D. This Wireshark filter basically says, “Show all packets with a destination port of 514 (generally associated with—and some would say defaulting as—syslog) coming from MATTSYS (whose IP address is 195.16.88.12).”

A, B, and C are incorrect. They do not match the correct syntax.

21. Which IoT communication model allows the data from IoT devices to be accessed by a third party?

A. Device-to-Device

B. Device-to-Cloud

C. Device-to-Gateway

D. Back-End Data Sharing

D. In the Back-End Data-Sharing model, a third party is allowed access to data from the devices. The IoT devices upload data to the cloud, where the third party can collect and analyze it.

A, B, and C are incorrect. These are all valid IoT communication models; however, they do not match the criteria of data sharing with third parties.

22. A pen tester connects a laptop to a switch port and enables promiscuous mode on the NIC. He then turns on Wireshark and leaves for the day, hoping to catch interesting traffic over the next few hours. Which of the following statements is true regarding this scenario? (Choose all that apply.)

A. The packet capture will provide the MAC addresses of other machines connected to the switch.

B. The packet capture will provide only the MAC addresses of the laptop and the default gateway.

C. The packet capture will display all traffic intended for the laptop.

D. The packet capture will display all traffic intended for the default gateway.

A, C. Switches are designed to filter traffic—that is, they send traffic intended for a destination MAC—to only the port that holds the MAC address as an attached host. The exceptions, however, are broadcast and multicast traffic, which get sent out every port. Because ARP is broadcast in nature, all machines’ ARP messages would be viewable.

B and D are incorrect. The switch will filter traffic to the laptop, and MAC addresses will be available from the broadcast ARPs.

23. Which of the following best describes ARP poisoning?

A. In ARP poisoning, an attacker floods a switch with thousands of ARP packets.

B. In ARP poisoning, an attacker uses ARP to insert bad IP mappings into a DNS server.

C. In ARP poisoning, an attacker continually inserts forged entries into an ARP cache.

D. In ARP poisoning, an attacker continually deletes an ARP cache.

C. In ARP poisoning, the bad guy keeps injecting a bad IP-to-MAC mapping in order to have traffic intended for the target go somewhere else.

A, B, and D are incorrect. None of these answers correctly describes ARP poisoning. Yes, it’s true an attacker may be sending thousands of ARP packets through a switch to the target, but that in and of itself does not ARP poisoning make.

24. Which of the following statements best describes port security?

A. It stops traffic sent to a specified MAC address from entering a port.

B. It allows traffic sent to a specific MAC address to enter a port.

C. It stops traffic from a specific MAC from entering a port.

D. It allows traffic from a specific MAC address to enter a port.

D. This is exceedingly confusing on purpose—because it’s how you’ll see it on the exam. Port security refers to a security feature on switches that allows an administrator to manually assign MAC addresses to a specific port; if the machine connecting to the port does not use that particular MAC, it isn’t allowed to even connect. Port security works on source addresses, so you’re automatically looking at “from,” not “to.” In other words, it is specifically allowing access (entering a port) to a defined MAC address—think of it as a whitelist.

In truth, this type of implementation turns out to be a bit of a pain for the network staff, so most people don’t use it that way. In most cases, port security simply restricts the number of MAC addresses connected to a given port. Suppose your Windows 10 machine runs six VMs for testing, each with its own MAC. As long as your port security allows for at least seven MACs on the port, you’re in good shape.

A, B, and C are incorrect. A and B are incorrect because port security works on source addressing. Answer C is incorrect because it’s not stopping a specific MAC from connecting; it’s only allowing a specific one to do so.

25. Where is the SAM file found on a Windows 10 machine?

A. C:\windows\config

B. C:\windows\system32

C. C:\windows\system32\etc

D. C:\windows\system32\config

D. The SAM file, holding all those wonderful password hashes you want access to, is located in the C:\windows\system32\config folder. You may also find a copy sitting in repair, at c:\windows\repair\sam.

A, B, and C are incorrect. These folders do not contain the SAM file.

26. Which of the following commands would be useful in adjusting settings on the built-in firewall on a Windows machine?

A. netstat

B. netsh

C. sc

D. ntfw

B. Netsh is “a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running” (KB article 947709). Typing netsh at the command line then allows you to step into various “contexts” for adjusting several network configuration options, including the firewall. Typing a question mark shows all available commands at the context you are in. You can also execute the command without stepping into each context. For example, typing netsh firewall show config on pre-Windows 10 boxes will show the configuration of the firewall. Windows 10 has updated this command to netsh advfirewall firewall show.

A, C, and D are incorrect. A is incorrect because netstat is a great tool for viewing ports and what’s happening to them on the device. C is incorrect because sc is service control. D is incorrect because ntfw isn’t a valid command-line tool.

27. Which SID indicates the true administrator account on the Windows machine?

A. S-1-5-31-1045337334-12924807993-5683276715-1500


B. S-1-5-31-1045337334-12924807993-5683276715-1001

C. S-1-5-31-1045337334-12924807993-5683276715-501

D. S-1-5-31-1045337334-12924807993-5683276715-500

D. A security identifier (SID) has five components, each one providing specific information. The last component—the relative identifier (RID)—provides information on the type of account. The RID 500 indicates the true administrator account on the machine.

A, B, and C are incorrect. A and B are incorrect because RID values starting at 1000 refer to standard user accounts. C is incorrect because the 501 RID indicates the built-in guest account.

28. Which of the following statements is true regarding LM hashes?

A. If the left side of the hash begins with 1404EE, the password is less than eight characters.

B. If the right side of the hash ends with 1404EE, the password is less than eight characters.

C. There is no way to tell whether passwords are less than eight characters because hashes are not reversible.

D. There is no way to tell whether passwords are less than eight characters because each hash is always 32 characters long.

B. In a password less than eight characters, LM hashes will always have the right side of the hash the same, ending in 1404EE, because of the method by which LM performs the hash.

A, C, and D are incorrect. A is incorrect because the left side of each hash will always be different and indicates nothing. Answers C and D are incorrect because the hash value can tell you password length.
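
As an added example (mine, not from this book), here is the audit a defender would run over an exported account list to apply the facts behind questions 27 and 28: classify each account by the RID at the end of its SID, and read the password-length signal out of its LM hash. The account names, SIDs and hex hashes in the sample are constructed; the one real value is aad3b435b51404ee, the LM hash of an empty seven-character half, which is exactly why the right side of a hash for a password under eight characters always ends in 1404EE.

```python
import re

# LM hash of an empty seven-character half. When a password is shorter than
# eight characters the right half of the LM hash is this constant, which is the
# "ending in 1404EE" property the answer describes.
EMPTY_LM_HALF = "aad3b435b51404ee"

# Constructed sample export: (account name, SID, LM hash). The hashes are
# made-up hex values, not real hashes, apart from the EMPTY_LM_HALF pattern.
SAMPLE_ACCOUNTS = [
    ("Administrator", "S-1-5-21-1045337334-1292480799-568327671-500",
     "1f2e3d4c5b6a7988aad3b435b51404ee"),          # short password
    ("Guest", "S-1-5-21-1045337334-1292480799-568327671-501",
     "aad3b435b51404eeaad3b435b51404ee"),          # no LM hash stored
    ("jsmith", "S-1-5-21-1045337334-1292480799-568327671-1001",
     "1f2e3d4c5b6a79880011223344556677"),          # 8+ character password
]

def rid_of(sid):
    """Return the relative identifier (last component) of a SID such as
    S-1-5-21-...-500, or None when the string is not shaped like a SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        return None
    return int(parts[-1])

def classify_rid(sid):
    """Map the RID to the account type the answer key describes."""
    rid = rid_of(sid)
    if rid is None:
        return "not a SID"
    if rid == 500:
        return "built-in administrator"
    if rid == 501:
        return "built-in guest"
    if rid >= 1000:
        return "standard user"
    return "other well-known RID"

def lm_hash_finding(lm_hash):
    """Describe what a 32-hex LM hash reveals about the password length."""
    h = lm_hash.lower()
    if not re.fullmatch(r"[0-9a-f]{32}", h):
        raise ValueError("LM hash must be 32 hex characters")
    left, right = h[:16], h[16:]
    if left == EMPTY_LM_HALF and right == EMPTY_LM_HALF:
        return "no LM hash stored (empty password or LM hashing disabled)"
    if right == EMPTY_LM_HALF:
        return "password shorter than 8 characters"
    return "password 8 characters or longer"

def audit(accounts):
    """Return (name, account type, LM finding) for each account in the export."""
    return [(name, classify_rid(sid), lm_hash_finding(lm)) for name, sid, lm in accounts]

if __name__ == "__main__":
    for row in audit(SAMPLE_ACCOUNTS):
        print(row)
```

Keying the check on the RID rather than the account name matters in practice: renaming the Administrator account changes the name but never the RID, so 500 is the reliable indicator. Any account whose LM hash does not show both halves as the empty-half constant still has LM hashing enabled, which is itself a finding worth raising.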

29. Which password-cracking method usually takes the most time and uses the most resources?

A. Hybrid

B. Dictionary

C. Brute force

D. Botnet

C. Brute-force attacks attempt every conceivable combination of letters, numbers, characters, and length in an attempt to find a match. Given you’re starting from scratch, it follows you’d need a lot of time and a lot of resources. As an aside, the increase in processing power of systems and the ability to combine multiple systems together to work on problems cuts down on the time portion of this cracking technique fairly significantly.

A, B, and D are incorrect. A and B are incorrect because both hybrid and dictionary attacks have a word list to work with and can run through it fairly quickly (in computing time, that is). D is incorrect because a botnet is a series of zombie systems set up by an attacker to carry out duties.

30. Which of the following actions is the best choice for protection against privilege escalation vulnerabilities?

A. Ensure drivers are appropriately signed.

B. Set admin accounts to run on least privilege.

C. Make maximum use of automated services.

D. Ensure services run with least privilege.

D. Ensuring your services run with least privilege (instead of having all services run at admin level) can help in slowing down privilege escalation.

A, B, and C are incorrect. A is incorrect because ensuring drivers are in good shape is good practice but doesn’t have a lot to do with privilege escalation prevention. B is incorrect because admin accounts don’t run with least privilege; they’re admin accounts for a reason. C is incorrect because automating services may save time, but it doesn’t slow down hacking efforts.

31. During a pen test, you notice VoIP traffic is traversing the subnet. Which of the following tools could be used to decode a packet capture and extract voice conversations?

A. Black Widow

B. Netcat

C. Nmap

D. Cain

D. Cain (and Abel) can be used for various tasks, including extracting voice from VoIP captures.

A, B, and C are incorrect. These tools do not perform the task listed. A is incorrect because Black Widow copies websites to your system for later review. B is incorrect because netcat has many functions but is mostly known for its use in creating backdoor access to compromised systems. C is incorrect because nmap is probably the best-known port scanner in the world.

32. A pen tester enters the following command on a Windows 7 system:

netsh firewall show config

What should be displayed in return?

A. Settings of the built-in firewall

B. An authentication screen for firewall configuration access

C. Route mapping to the nearest firewall

D. None of the above

A. The netsh command can reveal a variety of information. In this example, it is used to display the Windows firewall settings. On Windows 10 systems, the command has been deprecated. To see the firewall ruleset on a Windows 10 box, try netsh advfirewall firewall show rule name=all status=enabled.

B, C, and D are incorrect. These answers do not accurately reflect the command.

33. Which of the following statements is true regarding Kerberos?

A. Kerberos makes use of UDP as a transport protocol.

B. Kerberos makes use of TCP as a transport protocol.

C. Kerberos uses port 88 for the transmission of data.

D. Kerberos makes use of both symmetric and asymmetric encryption techniques.

E. All the above.

E. Kerberos makes use of both symmetric and asymmetric encryption technologies to securely transmit passwords and keys across a network. The entire process consists of a key distribution center (KDC), an authentication service (AS), a ticket granting service (TGS), and the ticket granting ticket (TGT). It can make use of both TCP and UDP and runs over port 88 by default.

A, B, C, and D are incorrect. Because all these are true statements, none can individually be the correct answer.

34. The < character opens an HTML tag, and the > character closes it. In some web forms, input validation may deny these characters to protect against XSS. Which of the following represent the HTML entities used in place of these characters? (Choose two.)

A. &lt;

B. &gt;

C. &amp;

D. &reg;

E. &nbsp;

A, B. Whether you’re attempting to bypass input validation or just having things appear the way you want them to on a web page, HTML entities can be useful. The less-than sign (<) equates to &lt;, whereas the greater-than sign (>) equates to &gt;. You can also use their respective numbered equivalents (&#60; and &#62;).

C, D, and E are incorrect. C is incorrect because &amp; equates to the ampersand (&) character. D is incorrect because &reg; equates to the registered symbol, ®. E is incorrect because &nbsp; is a nonbreaking space.

35. An attacker discovers a form on a target organization’s website. He interjects some simple JavaScript into one of the form fields instead of the username. Which attack is he carrying out?

A. XSS

B. SQL injection

C. Buffer overflow

D. Brute force

A. Using a script entry in a web form field is cross-site scripting.

B, C, and D are incorrect. B and C are incorrect because this entry does not indicate SQL injection or buffer overflow. D is incorrect because brute force refers to a password-cracking effort.
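
An added example (my code, not the book’s) tying questions 34 and 35 together from the defender’s side. It shows why a filter that only rejects the literal < and > characters is weak (the entity forms &#60; and &#62; from question 34 pass straight through it), how canonicalizing input before checking closes that gap, and that the control which actually stops the question-35 script entry is output encoding with the standard library’s html.escape. The form submissions are constructed.

```python
import html

def decode_entities(value):
    """Turn &lt;, &gt;, &#60;, &#62; and the rest back into characters."""
    return html.unescape(value)

def naive_angle_bracket_filter(value):
    """Input filter of the kind question 34 describes: the value is allowed
    only when it contains no literal < or > character."""
    return "<" not in value and ">" not in value

def canonical_angle_bracket_filter(value):
    """Hardened filter: decode entities first, then apply the same rule, so an
    entity-encoded tag is judged by what it becomes, not by how it arrived."""
    return naive_angle_bracket_filter(decode_entities(value))

def render_unsafe(username):
    """Vulnerable render: the submitted field is concatenated into the page, so
    a script entry is delivered to the browser as a tag (question 35)."""
    return "<p>Welcome, " + username + "</p>"

def render_safe(username):
    """Output encoding: < > & " ' become entities, so the browser shows text
    and never executes anything the user typed."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"

# Constructed form submissions used by evaluate() and the checks below.
SAMPLE_INPUTS = {
    "plain": "alice",
    "script": "<script>alert(1)</script>",
    "entity_encoded": "&#60;script&#62;alert(1)&#60;/script&#62;",
}

def evaluate(value):
    """Return (naive filter verdict, canonical filter verdict, safe rendering)."""
    return (naive_angle_bracket_filter(value),
            canonical_angle_bracket_filter(value),
            render_safe(value))

if __name__ == "__main__":
    for name, value in SAMPLE_INPUTS.items():
        print(name, evaluate(value))
```

The practical lesson is the order of operations: decode before you inspect, and encode at the point of output, for the context (HTML body, attribute, JavaScript) the value lands in. An input filter alone is a blocklist, and blocklists are what entity encoding was bypassing in the first question.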

36. An attacker enters the following into a web form: ‘or 1=1 --. Which attack is being attempted?

A. XSS

B. Brute force

C. Parameter manipulation

D. SQL injection

D. If you missed this one, please consider taking a break or just starting your study process over again—you’re obviously too tired to concentrate or you’ve never seen this before and are attempting to memorize your way to exam success. This question displays the classic SQL injection example that you’ll see on every single practice test you’ll take on the subject.

A, B, and C are incorrect. A is incorrect because XSS is cross-site scripting and involves inserting a script into a web form entry field to produce an outcome. B is incorrect because brute force is a password-cracking technique, using all possible variants to match the encrypted value. C is incorrect because parameter manipulation refers to any parameter within communications being manipulated to force a desired outcome and is most likely displayed on the exam within a URL.

37. Which OWASP top ten vulnerability for IoT deals with insecure or weak passwords?

A. Insufficient Authentication/Authorization

B. Insecure Network Services

C. Insecure Cloud Interface

D. Insecure Software/Firmware

A. Insufficient Authentication and Authorization is listed second on OWASP’s IoT vulnerability top ten list. Per the list, “Insufficient Authentication refers to using weak credentials such as an insecure or weak password, which offers poor security.”

B, C, and D are incorrect. B is incorrect because Insecure Network Services refers to those services prone to attacks like buffer overflows. C is incorrect because Insecure Cloud Interface refers to things like insufficient authentication configuration of the cloud interface itself. D is incorrect because Insecure Software/Firmware, amazingly enough, refers to the software and firmware versions, and associated security, themselves.

38. After a recent attack, log files are reviewed by the IR team to determine the attack scope, success or failure, and lessons learned. Consider the following entry:

SELECT username, password FROM users;

Which of the following statements best describes the result of this command query?

A. The command deletes username and password fields from a table named “users.”

B. The command adds username and password fields to a table named “users.”

C. The command displays the contents of the username and password fields stored in the table named “users.”

D. The command will not produce any results.

C. Walking through this command, we see that SELECT retrieves information from a database, and the username and password fields are designated as what to select. Then, using the FROM command, the table holding the fields is identified.

A, B, and D are incorrect. A is incorrect because DROP TABLE would be used to delete an entire table. B is incorrect because ALTER TABLE can add or remove individual fields (columns), among other things. D is incorrect because the entry shown is a valid command.
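
An added example, not from the book, that runs the SELECT username, password FROM users query of question 38 against a constructed in-memory SQLite table two ways: once with the user’s input glued into the SQL text, which is the defect the ' or 1=1 -- input from question 36 abuses, and once with a bound parameter, which is the fix. The table, its two rows and the “hash” values are made up for the example.

```python
import sqlite3

# The input quoted in question 36, used here only as a test input.
INJECTION_INPUT = "' or 1=1 --"

def make_db():
    """Constructed in-memory users table; the password values stand in for hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn

def lookup_vulnerable(conn, username):
    """'Before' form: the field value is spliced into the SQL text, so a quote
    in the input ends the string literal and the rest of the input becomes SQL.
    With INJECTION_INPUT the WHERE clause becomes  username = '' or 1=1 --'
    which is true for every row."""
    sql = ("SELECT username, password FROM users WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    """Hardened form: a bound parameter is always data, never SQL, so the same
    input is simply a username nobody has and no rows come back."""
    sql = "SELECT username, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def compare(username):
    """Return (rows from the vulnerable query, rows from the safe query)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_safe(conn, username)
    finally:
        conn.close()

if __name__ == "__main__":
    print(compare("alice"))
    print(compare(INJECTION_INPUT))
```

For the IR reviewer in question 38, the same SELECT appearing in a log with a WHERE clause that ends in 1=1 or a comment marker is the thing to hunt for; the parameterized version never produces such a statement, because the input never reaches the parser as SQL.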

39. Which jailbreaking method does not retain the patched kernel after reboot but does leave the software on the device, allowing for future jailbreak activities?

A. Tethered jailbreaking

B. Semi-tethered jailbreaking

C. Untethered jailbreaking

D. Rooting

B. In semi-tethered jailbreaking, a reboot no longer retains the patched kernel; however, the software has already been added to the device. Therefore, if admin privileges are required, the installed jailbreaking tool can be used.

A, C, and D are incorrect. A and C are incorrect because a reboot removes all jailbreaking patches in tethered mode, and in untethered mode, the kernel will remain patched (that is, jailbroken) after reboot, with or without a system connection. D is incorrect because rooting is associated with Android devices, not iOS.

40. Which of the following statements best defines smishing?

A. It is sending SMS texts to a user in an effort to trick them into downloading malicious code.

B. It is sniffing Bluetooth connections.

C. It is hijacking Bluetooth connections to send text messages.

D. It is rooting an Android device.

A. Smishing comes from cramming SMS (texting) and phishing together. “Smishing,” get it? The idea is the same as with phishing, except you use text messaging to trick users into downloading stuff.

B, C, and D are incorrect. These definitions do not apply to smishing.

41. XenMobile, MaaS360, AirWatch, and MobiControl are all examples of which kind of security solution?

A. 802.1x

B. BYOD

C. MDM

D. CCMP

C. Mobile Device Management is an effort to provide at least some organizational security thought to the maddening problem of mobile devices on the network. It attempts to monitor, manage, and secure the mobile devices (and associated service providers and mobile operating systems) in use in the organization. Much like group policy and such in the Microsoft Windows world, MDM helps in pushing security policies, application deployment, and monitoring of mobile devices. Solutions include XenMobile, MaaS360, AirWatch, and MobiControl.

A, B, and D are incorrect. A is incorrect because 802.1x is the wireless standards family. B is incorrect because, although BYOD sounds like fun, it’s really “Bring Your Own Device” (a policy allowing personal mobile devices on organizational networks). D is incorrect because CCMP is a function inside WPA2.

42. Which of the following is a passive wireless discovery tool?

A. NetStumbler

B. Aircrack

C. Kismet

D. Netsniff

C. Kismet works as a passive network discovery tool, without using packet interjection to gather information. Kismet also works by channel hopping to discover as many networks as possible and has the ability to sniff packets and save them to a log file, readable by Wireshark or tcpdump.

A, B, and D are incorrect. A is incorrect because NetStumbler is an active discovery tool. B is incorrect because Aircrack is a WEP-cracking program. D is incorrect because Netsniff is a false term.

43. Which of the following provides the integrity method for WPA2?

A. RC4

B. CCMP

C. AES

D. 802.1x

B. As good as WPA was, there were tiny flaws to be exploited in TKIP. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) was created to fix those and is the integrity method used by Wi-Fi Protected Access 2 (WPA2).

A, C, and D are incorrect. A and C are incorrect because RC4 and AES are encryption algorithms (AES is used in WPA, by the way). D is incorrect because 802.1x is the standards family wireless comes from.

44. An attacker performs reconnaissance and learns the organization’s SSID. He places an access point inside a closet in order to trick normal users into connecting to it and then redirect them to malicious sites. Which of the following terms is used to describe this attack?

A. Replay attack

B. Evil twin attack

C. Closet AP attack


D. WEP nap attack

B. A rogue access point is also known as an evil twin. Usually they’re discovered quickly; however, there are lots of organizations that don’t regularly scan for them.

A, C, and D are incorrect. A is incorrect because a replay attack occurs when communications (usually authentication related) are recorded and replayed by the attacker. C and D are incorrect because closet AP and WEP nap aren’t legitimate terms.

45. Which attack can be mitigated by configuring the web server to send random challenge tokens?

A. XSS

B. Buffer overflow

C. CSRF

D. Form field manipulation

C. In a CSRF attack, a user is already on a validated session with the target server. He then opens a link sent by the attacker to a malicious site. If things are set appropriately, the attacker can then send requests to the user’s valid server connection. Using random challenge tokens ensures each request is actually coming from the user’s already-established session.

A, B, and D are incorrect. These attacks will not be affected by random challenge tokens.
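
As an added example (my code, not the book’s), here is the random challenge token control from the answer in working form: the server issues a token bound to the session, embeds it in the form, and refuses any state-changing request that doesn’t carry it back. The session id, form and amounts are constructed; the scenario replays three requests against one logged-in session: the user’s own post, a forged post that rides on the user’s cookie but has no token, and a forged post that guesses a token.

```python
import hmac
import secrets

class CsrfGuard:
    """Issues a random per-session challenge token and checks it on every
    state-changing request. The token store is an in-memory dict here; a real
    deployment keeps it in the server-side session."""

    def __init__(self):
        self._tokens = {}  # session id -> token

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._tokens[session_id] = token
        return token

    def validate(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)  # constant-time compare

def transfer_form(token):
    """The page the server sends: the token travels in a hidden field, which a
    page on another origin cannot read, so a forged request cannot include it."""
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="amount"><button>Send</button></form>' % token)

def handle_transfer(guard, session_id, fields):
    """Server side of POST /transfer: the cookie identifies the session, but the
    request is honoured only if it also carries that session's token."""
    if not guard.validate(session_id, fields.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "transfer of %s accepted" % fields.get("amount")

def simulate():
    """Return the HTTP status for (own post, forged post without token,
    forged post with a guessed token) on one constructed session."""
    guard = CsrfGuard()
    session = "sess-jill-001"                      # constructed session id
    token = guard.issue(session)
    assert 'value="%s"' % token in transfer_form(token)
    own = handle_transfer(guard, session, {"csrf_token": token, "amount": "10"})
    forged_no_token = handle_transfer(guard, session, {"amount": "999"})
    forged_guess = handle_transfer(guard, session,
                                   {"csrf_token": secrets.token_urlsafe(32),
                                    "amount": "999"})
    return own[0], forged_no_token[0], forged_guess[0]

if __name__ == "__main__":
    print(simulate())
```

The token does its job because the browser attaches the session cookie automatically to a cross-site request but cannot attach a value that lives only in the victim’s own page. The constant-time comparison is there so that a wrong token is rejected without leaking, through timing, how many leading characters matched.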

46. You deploy cloud services such that they are provided over a network open for public use. Which of the following best describes your cloud deployment?

A. Private

B. Community

C. Public

D. Hybrid

C. A public cloud model is one where services are provided over a network that is open for public use (like the Internet). Public cloud is generally used when security and compliance requirements found in large organizations aren’t a major issue.

A, B, and D are incorrect. A is incorrect because private clouds are…private, and used for a single tenant. B is incorrect because community is a deployment model where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations. D is incorrect because hybrid is a deployment model containing two or more methods of deployment.

47. In NIST cloud architecture, which role acts as the organization that has the responsibility of transferring the data?

A. Cloud carrier

B. Cloud consumer

C. Cloud auditor

D. Cloud broker

A. The cloud carrier is the organization that has the responsibility of transferring the data, akin to the power distributor for the electric grid.

B, C, and D are incorrect. B is incorrect because the cloud consumer is the individual or organization that acquires and uses cloud products and services. C is incorrect because the cloud auditor is the independent assessor of cloud service and security controls. D is incorrect because the cloud broker acts to manage the use, performance, and delivery of cloud services as well as the relationships between providers and subscribers.

48. Which of the following provides visibility and security controls for servers in a cloud?

A. CloudPassage Halo

B. Metasploit

C. AWSExploit

D. CloudInspect

A. CloudPassage Halo (https://www.cloudpassage.com/products/) “provides instant visibility and continuous protection for servers in any combination of data centers, private clouds, and public clouds.”

B, C, and D are incorrect. B is incorrect because Metasploit is a framework for delivering exploits. C is incorrect because AWSExploit is not a legitimate tool. D is incorrect because CloudInspect was designed for AWS cloud subscribers and runs as an automated, all-in-one testing suite specifically for your cloud subscription.

49. Which of the following best describes crypters?

A. Software tools that use a combination of encryption and code manipulation to render malware as undetectable to antivirus software

B. Software tools that use compression to pack the malware executable into a smaller size

C. Software that appears to perform a desirable function for the user prior to running or installing it but instead performs a function that steals information or otherwise harms the system

D. Software that hides data in other files

A. Crypters are software tools that use a combination of encryption and code manipulation to render malware as undetectable to AV and other security-monitoring products (in Internet lingo, they’re referred to as fud, for “fully undetectable”).

B, C, and D are incorrect. B is incorrect because packers are a variant of crypters and use compression to pack the malware executable into a smaller size. C is incorrect because Trojans look innocent but turn malicious after installation. D is incorrect because steganography tools hide data in existing image, video, or audio files.

50. Which command displays all connections and listening ports in numerical form?

A. netstat -a localhost -n

B. netstat -an

C. netstat -r


D. netstat -s

B. Netstat provides a lot of good information on your machine. The -a option is for all connections and listening ports. The -n option puts them in numerical order.

A, C, and D are incorrect. A is incorrect because netstat -a localhost -n is incorrect syntax. C is incorrect because netstat -r displays the route table. D is incorrect because netstat -s displays per-protocol statistics.

51. Within a biometric system, which of the following describes a circumstance where legitimate users are denied access to resources due to system errors or inaccurate readings?

A. False positive

B. False negative

C. False acceptance rate

D. Crossover error rate

B. A false negative occurs when a person is denied access even though he is a legitimate user.

A, C, and D are incorrect. A is incorrect because a false positive occurs when a user is allowed access when he is not legitimate. C and D are incorrect because false acceptance rate and crossover error rate are both measurements of the overall accuracy of biometrics.

52. Which of the following best matches the POODLE attack?

A. MITM

B. DoS

C. DDoS

D. XSS

A. In a POODLE attack, the man in the middle interrupts all handshake attempts by TLS clients, forcing a degradation to a vulnerable SSL version. Because many browsers would revert back to SSL 3.0 for backward compatibility and TLS handshakes “walked down” the connection until a usable one was found, attackers could interrupt the handshake and make it go all the way down to SSL 3.0.

B, C, and D are incorrect. B and C are incorrect because POODLE is not a denial-of-service attack of any kind. D is incorrect because cross-site scripting has nothing to do with POODLE.


53. An attacker uses a Metasploit auxiliary exploit to send a series of small messages to a server at regular intervals. The server responds with 64 bytes of data from its memory. Which of the following attacks is being described?

A. POODLE

B. Heartbleed

C. FREAK

D. DROWN

B. Heartbleed takes advantage of the data-echoing acknowledgement heartbeat in SSL. OpenSSL version 1.0.1 through version 1.0.1f are vulnerable to this attack.

A, C, and D are incorrect. A is incorrect because the original variant of POODLE was a man-in-the-middle attack, where the bad guy exploits vulnerabilities in the TLS security protocol fallback mechanism. C is incorrect because FREAK (Factoring Attack on RSA-EXPORT Keys) is a technique used in man-in-the-middle attacks to force the downgrade of RSA keys to weaker lengths. D is incorrect because DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) allows attackers to break SSLv2 encryption (left on sites for backward compatibility) and read or steal sensitive communications.

54. Which of the following would most likely be used to encrypt an entire hard drive?

A. PGP

B. TLS

C. SSH

D. SSL

A. Pretty Good Privacy (PGP) uses an asymmetric encryption method to encrypt information. Although generally associated with e-mail, it can encrypt virtually anything. PGP uses public/private key encryption.

B, C, and D are incorrect. B and D are incorrect because TLS and SSL are encryption algorithms for network traffic. C is incorrect because SSH is an encrypted version of telnet.

55. Which of the following could be a potentially effective countermeasure against social engineering?

A. User education and training

B. Strong security policy and procedure

C. Clear operational guidelines

D. Proper classification of information and individuals’ access to that information

E. All of the above

E. Social engineering can’t ever be fully contained—after all, we’re only human. However, these options present good steps to take in slowing it down. A properly trained employee, who not only knows the policies and guidelines but agrees with and practices them, is a tough nut to crack. Assigning classification levels helps by restricting access to specific data, thereby limiting (ideally) the amount of damage of a successful social engineering attack.

A, B, C, and D are incorrect individually because they all apply.

56. Which of the following represents the highest risk to an organization?

A. Black hat

B. Gray hat

C. White hat

D. Disgruntled employee

D. It’s bad enough we have to worry about the external hackers trying to break their way into a network, but what about all the folks we already let onto it? Disgruntled employees are a serious threat because they already have connectivity and, depending on their job, a lot of access to otherwise protected areas.

A, B, and C are incorrect. A is incorrect because a black hat is an external, malicious attacker. B is incorrect because a gray hat doesn’t work under an agreement but might not be malicious. C is incorrect because a white hat is an ethical hacker.

57. Jill receives an e-mail that appears legitimate and clicks the included link. She is taken to a malicious website that steals her login credentials. Which of the following best describes this attack?

A. Phishing

B. Javelin

C. Wiresharking

D. Bait and switch

A. Phishing is the act of crafting e-mails to trick recipients into behavior they would not otherwise complete. Usually the phishing e-mail contains a link to a malicious site or even an embedded piece of malware.

B, C, and D are incorrect. These answers are not legitimate attacks and do not apply here.

58. Bill is asked to perform an assessment but is provided with no knowledge of the system other than the name of the organization. Which of the following best describes the test he will be performing?

A. White box

B. Gray box

C. Black box

D. None of the above

C. While there may be some argument about the real-world version of a black-box test, as far as your exam goes, it is an assessment without any knowledge provided about the target.

A, B, and D are incorrect. A and B are incorrect because white-box and gray-box tests both provide information about the target (white is all of it, gray some of it). D is incorrect because C is the correct answer.

59. OWASP provides a testing methodology. In it, which of the following is provided to assist in securing web applications?

A. COBIT

B. A list of potential security flaws and mitigations to address them

C. Web application patches


D. Federally recognized security accreditation

B. OWASP provides an inside look at known web application vulnerabilities to assist developers in creating more secure environments. The following is from the OWASP website: “Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide.”

A, C, and D are incorrect. A is incorrect because COBIT is a framework for IT governance and control provided by ISACA. (Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only to reflect the broad range of IT governance professionals it serves.) C and D are incorrect because these answers are included as distractors.

60. Which of the following best describes a red team?

A. Security team members defending a network

B. Security team members attacking a network

C. Security team members with full knowledge of the internal network

D. Security team members dedicated to policy audit review

B. Red teams are on offense. They are employed to go on the attack, simulating the bad guys out in the world trying to exploit anything they can find. They typically have little to no knowledge of the target to start with.

A, C, and D are incorrect. A and C are incorrect because blue teams work on the defensive side and have internal knowledge of the environment. D is incorrect because policy audit review is nothing more than a distractor here.

ANALYZING YOUR RESULTS

So you’ve completed the pre-test and now have your scoring. You know which questions you knew, which ones looked easy but weren’t, and which ones sent you into panic mode. But what does it all mean and how can you use it?

First, consider your overall score, keeping the exhaustive intro to this test in mind. Did you score well, correctly answering 38–55 questions? You may very well be in a good position to simply brush up on a few things (they’ll be self-evident from the questions you missed) and get ready for your exam. Just keep in mind this isn’t an all-inclusive measurement of your readiness, so make sure you really know the material.

Maybe, though, you scored somewhere in the middle (26–37 correct) or on the low end (25 or below). Don’t fret, as this may actually be a better result for you than scoring very high. If you didn’t blow this test out of the water, you know exactly where you stand, and you can prep yourself to be better at it next time.

In either case, there’s some good study material out there for you. May I humbly recommend CEH Certified Ethical Hacker All-in-One Exam Guide, Fourth Edition as a solid choice—not to mention this Practice Exams book you’re holding will also help greatly.

Just don’t get discouraged. Keep fighting. Keep pushing through. Keep practicing, taking sample tests, reading, studying, and practicing some more until you not only know this stuff, you simply can’t get it wrong.

You can do this. I promise.


APPENDIX B
About the Online Content

This book comes complete with TotalTester Online customizable practice exam software containing 300 practice exam questions.

SYSTEM REQUIREMENTS

The current and previous major versions of the following desktop browsers are recommended and supported: Chrome, Microsoft Edge, Firefox, and Safari. These browsers update frequently, and sometimes an update may cause compatibility issues with the TotalTester Online or other content hosted on the Training Hub. If you run into a problem using one of these browsers, please try using another until the problem is resolved.

YOUR TOTAL SEMINARS TRAINING HUB ACCOUNT

To get access to the online content you will need to create an account on the Total Seminars Training Hub. Registration is free, and you will be able to track all your online content using your account. You may also opt in if you wish to receive marketing information from McGraw-Hill Education or Total Seminars, but this is not required for you to gain access to the online content.

Privacy Notice

McGraw-Hill Education values your privacy. Please be sure to read the Privacy Notice available during registration to see how the information you have provided will be used. You may view our Corporate Customer Privacy Policy by visiting the McGraw-Hill Education Privacy Center. Visit the mheducation.com site and click Privacy at the bottom of the page.

SINGLE USER LICENSE TERMS AND CONDITIONS

Online access to the digital content included with this book is governed by the McGraw-Hill Education License Agreement outlined next. By using this digital content you agree to the terms of that license.

Access

To register and activate your Total Seminars Training Hub account, simply follow these easy steps.

1. Go to hub.totalsem.com/mheclaim.

2. To Register and create a new Training Hub account, enter your e-mail address, name, and password. No further personal information (such as credit card number) is required to create an account.

NOTE If you already have a Total Seminars Training Hub account, select Log in and enter your e-mail and password. Otherwise, follow the remaining steps.

3. Enter your Product Key: d5vx-hzn0-xmtx

4. Click to accept the user license terms.

5. Click Register and Claim to create your account. You will be taken to the Training Hub and have access to the content for this book.

Duration of License

Access to your online content through the Total Seminars Training Hub will expire one year from the date the publisher declares the book out of print.

Your purchase of this McGraw-Hill Education product, including its access code, through a retail store is subject to the refund policy of that store.

The Content is a copyrighted work of McGraw-Hill Education, and McGraw-Hill Education reserves all rights in and to the Content. The Work is © 2019 by McGraw-Hill Education, LLC.

Restrictions on Transfer

The user is receiving only a limited right to use the Content for the user’s own internal and personal use, dependent on purchase and continued ownership of this book. The user may not reproduce, forward, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish, or sublicense the Content or in any way commingle the Content with other third-party content without McGraw-Hill Education’s consent.

Limited Warranty

The McGraw-Hill Education Content is provided on an “as is” basis. Neither McGraw-Hill Education nor its licensors make any guarantees or warranties of any kind, either express or implied, including, but not limited to, implied warranties of merchantability or fitness for a particular purpose or use as to any McGraw-Hill Education Content or the information therein or any warranties as to the accuracy, completeness, correctness, or results to be obtained from, accessing or using the McGraw-Hill Education content, or any material referenced in such content or any information entered into licensee’s product by users or other persons and/or any material available on or that can be accessed through the licensee’s product (including via any hyperlink or otherwise) or as to non-infringement of third-party rights. Any warranties of any kind, whether express or implied, are disclaimed. Any material or data obtained through use of the McGraw-Hill Education content is at your own discretion and risk and user understands that it will be solely responsible for any resulting damage to its computer system or loss of data.

Neither McGraw-Hill Education nor its licensors shall be liable to any subscriber or to any user or anyone else for any inaccuracy, delay, interruption in service, error or omission, regardless of cause, or for any damage resulting therefrom.

In no event will McGraw-Hill Education or its licensors be liable for any indirect, special or consequential damages, including but not limited to, lost time, lost money, lost profits or good will, whether in contract, tort, strict liability or otherwise, and whether or not such damages are foreseen or unforeseen with respect to any use of the McGraw-Hill Education content.

TOTALTESTER ONLINE

TotalTester Online provides you with a simulation of the CEH v10 exam. Exams can be taken in Practice Mode or Exam Mode. Practice Mode provides an assistance window with hints, references to the book, explanations of the correct and incorrect answers, and the option to check your answer as you take the test. Exam Mode provides a simulation of the actual exam. The number of questions, the types of questions, and the time allowed are intended to be an accurate representation of the exam environment. The option to customize your quiz allows you to create custom exams from selected domains or chapters, and you can further customize the number of questions and time allowed.

To take a test, follow the instructions provided in the previous section to register and activate your Total Seminars Training Hub account. When you register you will be taken to the Total Seminars Training Hub. From the Training Hub Home page, select CEH Practice Exams (CEH v10) TotalTester from the Study drop-down menu at the top of the page, or from the Your Topics list on the Home page. You can then select the option to customize your quiz and begin testing yourself in Practice Mode or Exam Mode. All exams provide an overall grade and a grade broken down by domain.

TECHNICAL SUPPORT

For questions regarding the TotalTester software or operation of the Training Hub, visit www.totalsem.com or [email protected].


For questions regarding book content, [email protected]. For customers outside the United States, [email protected].
