Test CEH v3

Which protocol is used for network management and can gather statistics and derive a current status from the node that it is operating on?. NTP. SMNP. SSH. SNMP.

Which of the following is part of a DMZ but bridges access from organization to organization?. Internet. Extranet. Intranet. Outernet.

How many subnets can be provided using a /26 Classless Inter-Domain Routing (CIDR) from a /24 allocation?. 1. 2. 3. 4.

In a Linux system, where is the password file stored?. /etc/passwd. /etc/shadow. /etc/user/password. /shadow/etc.

What command can you use to switch to a different user in Linux?. swu. user. sudo. su.

What encryption algorithm is used within TLS for the handshake and key negotiation?. AES. RSA. PGP. ECE.

Prior to deploying an anomaly-based detection system on a network, what must be achieved?. Baseline. Updated file definition. Updated network infrastructure. Patches pushed to clients before installation.

Which of the following records determines a mail server in your domain?. SOA. CNAME. A. MX.

What technique might you use if you had access to a local (physical) network but the network used switches and you wanted to see all the traffic?. DNS poisoning. Phishing. ARP spoofing. Packet fragmentation.

What technique might you be able to use to get around older intrusion detection systems when sending traffic into a network?. Fragmentation. ARP spoofing. DNS hijacking. Phishing.

You are a security administrator for an online dating website. Your logs are showing a lot of obfuscated PowerShell script execution. What do you think may be happening?. Attacker is living off the land. Normal maintenance on servers. PowerShell is supposed to be encrypted. PowerShell is being updated.

The SAM log file entry is located in what part of a Windows Registry system?. HKEY_LOCAL_MACHINE\SAM. HKEY_LOCAL_SAM. HKEY_LOCAL_MACHINE\WINDOWS. HKEY_SYSTEM_MACHINE\SAME.L.

Under which auxiliary in Metasploit can you scan for SNMP configurations?. auxiliary/snmp/scanner. auxiliary/snmp/version. auxiliary/scanner/snmp. auxiliary/scan/snmp.

In Linux, what command is used to search for information inside files?. ser. grep. info >. ls -l.

Which of the following tools is used to encode your payload in Metasploit?. msfconsole. msfpayload. encodesploit. msfencode.

A system is compromised and is able to spawn a connection back to the adversary. What do you call the system or infrastructure the adversary is using to connect back to?. Command and control. Command processor. Shellcode manager. Command manager.

What is a buffer used for?. Dynamic data storage. Static data storage. Data in transit. Processing power.

What type of attack would the following code be vulnerable to? char[5] attacker; strcpy (attacker, "cat /etc/passwd");? s. Buffer overflow. SQL injection. Command injection. Heap spraying.

What is the issue when there is no boundary being checked or validated in programming?. The program will assign its own values. The program does not validate if the input values can be stored without overwriting the next memory segment. The program executes without checking what other programs are open. Memory allocation has already been reserved for a program.

When writing a program, what is one of the fundamental tasks that should be done when declaring a variable?. Assign a random value to it. Do not assign a value because it can corrupt data. Initialize the variable. A variable does not need to be initialized.

What is a heap?. A static allocation of memory. A memory segment located within the CPU. Memory that is swapped to the hard drive. Memory allocation of a size and location that is assigned dynamically.

What is the region in memory that is assigned to a process or a program when it is initiated?. Cluster. Stack. Heap. Pointer.

What strategy does a local, caching DNS server use to look up records when asked?. Recursive. Iterative. Combinatorics. Bistromathics.

What tool could be used to collect information like email addresses from PGP servers, Bing, Google, or LinkedIn?. MegaPing. nbtstat. dig. theHarvester.

What would you use the program packETH for?. Packet crafting. Ethernet testing. Man-in-the-middle attack. IP analysis.

Which of the following must be conducted first in order to hijack a session?. Track the session. Desynchronize the session. Inject the adversary’s packet into the stream. Disrupt the stream first and then inject the adversary’s packet information.

Which standard advocates the Plan, Do, Check, Act process for implementation and validation of security controls?. ISO 27001. ISO 27002. NIST 800-53. NIST 800-161.

Which of the following is used for recording key strokes at a terminal or keyboard using malicious software?. Spyware. Malware. Key logger. Recordware.

Within SNMP, which of the following is used for authentication?. PIN. Asymmetric strings. Community strings. Cryptographic strings.

What is the function of a CNAME record?. Provides authentication to a website. Encrypts DNS zone transfers. Supplements an alias to a domain name. Replaces the MX for security transactions.

Software that creates pop-up advertisement messages while visiting websites is known as what?. Adware. Malware. Pop-up blocker. Freeware.

The ability for information or services that must be accessible at a moment’s notice is called what?. Survivability. Availability. CIA. Redundancy.

What do you call a device that facilitates connections and acts as a middleman between user workstations and servers they communicate with, commonly outside the network?. Firewall. Main in the middle. Gateway. Proxy server.

Which of these programming protocols passes objects between systems?. SunRPC. Portmapper. RMI. Nmap.

Which of the following tools can be used to DDoS a target system?. LOIC. SIMM. Cain & Abel. AOL Punter.

In SQL, which of the following allows an individual to update a table?. DROP. ADD. COPY. UPDATE.

What type of attack would be used to collect authentication data between a station and an access point by forcing reauthentication?. WEP cracking. Rogue access point. Deauthentication. Handshaking attack.

Of the following, which allows you to conduct password cracking?. LOIC. John the Ripper. CPU Dump. Wireshark.

In the TCP/IP model, what is the equivalent of the OSI Network layer?. Network. Internet. Transport. Network Access.

What flag is used to order a connection to terminate?. SYN. FIN. PSH. RST.

Which of the following scanners provides ping sweeps and at times can be very noisy if not properly configured?. Angry IP. Cain & Abel. nmap -sT -T0. Nslookup.

Which of the following is an application that provides ARP spoofing?. Cain & Abel. Evercrack. Kismet. John the Ripper.

Which of these attacks targets the client in a web application?. XML external entity. Cross-site scripting. SQL injection. Command injection.

Which option describes an adversary pretending to be someone else in order to obtain credit or attempt fraud?. Impersonation. Identity theft. Masquerading. Cloning.

Which Linux distribution is best suited to support an attacker by providing the necessary preinstalled tools?. Kali. Security Onion. Mint. Ubuntu.

If you were looking up information about a company in Brazil, which RIR would you be looking in for data?. AFRINIC. RIPE. APNIC. LACNIC.

Which of the following organizations provides government-backed standards?. EC-Council. NIST. CAIN. NITS.

You are performing an assessment on a cloud service that is the backend for a mobile application. What are you most likely to spend time testing?. NoSQL database. Data bus. Microservices. RESTful API.

When you are attacking a web application, what server would you typically need to go through first to get to any programmatic content if the application is designed using a typical n-tier architecture?. Web server. Database server. Logic server. Application server.

What does the Clark-Wilson model use to refer to objects when it is looking at integrity?. UTC and CDI. CDI and CTI. UDI and CDI. UTI and UDI.

Which wireless mode is used when there is a point-to-point connection but no wireless access point involved?. One to one. Synchronization setting. Ad hoc. Clients must access a WAP.

To sniff wireless traffic at layer 2, what must you have set on your wireless adapter?. Transport mode. Promiscuous mode. Transparency mode. Monitor mode.

What is an advantage of a phone call over a phishing email?. You are able to go into more detail with pretexting using a conversation. Phishing attacks are rarely successful. Not everyone has email, but everyone has a phone. Pretexting requires the use of a phone.

Which form of biometrics scans a pattern in the area of the eye around the pupil?. Retinal scanning. Fingerprint scanning. Iris scanning. Uvea scanning.

Your biometric system at the entrance to your facility is having issues with a false failure rate. What is the most likely result of that?. People having to change their password. Authorized people not being allowed in. The mantrap needs to be replaced. People stop using biometrics.

Why would you be most likely to use REST when developing a web application?. HTML is stateless. HTTP is stateless. HTML is stateful. HTTP is stateful.

What steps does the TCP handshake follow as described by the flags that are set?. FIN, ACK, FIN. SYN, SYN, ACK. SYN, ACK, FIN. SYN, SYN/ACK, ACK.

If you were to see the subnet mask 255.255.254.0, what would be the CIDR designation for that network?. /24. /23. /22. /25.

On which port does a standard DNS zone transfer operate?. 53. 80. 8080. 25.

What is the process of sending data to a device over Bluetooth without having to go through the pairing process called?. Bluejacking. Blueboxing. Bluesnarfing. Bluebugging.

What UDP flag forces a connection to terminate at both ends of the circuit?. RST. FIN. None. URG and RST.

What information does the traceroute tool provide?. Username of the person logged in. What links are encrypted on the network. Layer 3 protocol details. Route path information and hop count.

What does the TTL value mean?. The number of hops remaining until the packet times out. The number of hops to the destination. The number of the packets left. The number of routing loops that are permitted.

Which of the following indicates the authoritative DNS server for the zone being requested?. EX. NS. EM. PTR.

Which of the following switches enables an idle scan within the Nmap tool?. -Si. -sI. -Is. None, because Nmap does not support idle scans.

If you needed to enumerate data across multiple services and also store the data for retrieval later, what tool would you use?. MegaPing. Nmap. Nessus. Metasploit.

What layer of the OSI model is the Network layer?. 2. 3. 4. 1.

How does ARP spoofing work?. Sending gratuitous ARP requests. Sending gratuitous ARP responses. Filling up the ARP cache. Flooding a switch.

A key that has to be known ahead of time to be able to encrypt data between two parties is known as what?. Asymmetric encryption. Symmetric encryption. Pre-shared key. Secret key.

If you were to see <!ENTITY xxe SYSTEM in your logs, what would you think may be going on?. XML entity injection. Cross-site scripting. Command injection. Cross-site request forgery.

What tool can be used to spoof a MAC address?. MAC and Cheese. Cheesy MAC. GodSMAC. arpspoof.

Why might you use a phone call for a social engineering attack over a phishing message?. Phishing attacks don’t guarantee success. Pretexting only works over the phone. Pretexting is more detailed on the phone. More people have phones than email.

Which of the following encrypts community strings and provides authentication?. ICMP. SNMPv3. SNMP. IMAP.

A wireless access point that looks like a known and legitimate wireless network may actually be what?. Rogue AP. Man in the middle. Ad hoc solution. Evil twin.

Which of the following malware achieved a historical first by causing physical damage to a nuclear reactor facility?. Stuxnet. Blue’s Revenge. ILOVEYOU virus. BackOrifice.

You have found an SMTP server open. What SMTP command might you be able to use to identify users on that SMTP server?. EXPN. EHLO. VRML. VRFY.

In a SQL injection attack, where does the attack actually execute?. Web server. Application server. Database server. Browser.

What type of attack does POODLE invoke?. Denial of service. Man in the middle. Distributed denial of service. Credential harvesting.

What is another name for Tor?. The other router. The onion router. TLS open router. Tunnel open router.

In Kerberos, which of the following grants access to a service?. Ticket-granting ticket. Ticket authentication service. Ticket-granting service. Ticket granted access.

What must a signature-based IDS have in order to be effective?. An up-to-date set of rules. A baseline. Active rules. Access to update user profiles.

What type of attack is a Fraggle attack?. XML entity. False error. Fragmentation. Amplification.

Who were the first ones to discover the POODLE vulnerability?. Phil Zimmerman. Akodo Toturi. Urza and Mishra. Moller, Duong, and Kotowicz.

How many fields are there in a UDP header?. Two. Three. Four. Six.

Which report would be best given to a client’s senior leadership team?. Analysis report. Project summary report. Executive summary report. Chapter summary report.

What is the security principle that might result in requiring two people to perform a single task?. Least privilege. Two-man source. Biba Model. Separation of duties.

What tactic are you using if you are using the keyword filename:?. Footprinting. Doxing. Google Hacking. IoT device lookup.

Why might you use Metasploit for a port scan over Nmap?. Metasploit supports more port scan types. Metasploit stores results. Metasploit is scriptable. Nmap doesn’t support port scanning.

As a network administrator, your manager instructs you to reduce the organization’s accessibility to the file server. She claims that doing so will aid in preventing company trade secrets from being leaked to the public; however, you understand that doing so will have a negative impact on productivity and aggravate employees. Which part of the confidentiality, integrity, and availability triad is being impacted here?. Integrity. Confidentially. Least privilege/need to know. Availability.

As a CISO, you published a security policy to your organization that a cross-shred shredder must be used to destroy classified documents in a secure manner. What type of security control did you implement?. Technical. Physical. Administrative. Controlled destruction.

Which of the following is the most common network access translation type used?. S-NAT. PAT. Basic NAT. Public NAT.

Due to the ILOVEYOU virus, Microsoft implemented a new business practice in its software to prevent such attacks from occurring again. What was it?. Disabling the macro features in Microsoft Office by default. Disabling the CD-ROM autorun feature. Setting user profiles to disabled. Removing HEKY_LOCAL_MACHINE\USER.

If you needed to generate a message authentication code (MAC), what would you use?. AES. PGP. SHA. MB4.

Which of the following denotes the root directory in a Linux system?. root/. /. home\. \home\.

As the security administrator, you are tasked with implementing an access control strategy that will assign permissions to users based on the roles they will be hired to fill. What type of access control are you being asked to implement for your organization?. RBAC. MAC. DAC. UAC.

As a black hat, you are conducting a reconnaissance operation on a potential target. You gather intelligence by using publicly available information, conducting stakeouts of the facility, and observing workers as they enter and leave the premises from across the street. What phase of the hacking methodologies are you operating within?. Footprinting. Fingerprinting. Enumeration. Passive reconnaissance.

In Snort, which part of the rule dictates the source, destination, rule type, and direction?. Rule body. Rule action. Rule header. Rule connection.

What prevents IP packets from circulating throughout the Internet forever?. TTL. Spanning tree. Broadcast domains. NAT.

As a white hat, you are conducting an audit of your customer’s security policies. You notice that the policies the organization published do not conform to its actual practices. You also note that the security administrators are implementing different corrective actions than what is supposed to be happening according to the policies. What is the correct action to take here?. Inform the security administrators that they need to follow the security policies published by the organization. Recommend a once-a-month meeting that evaluates and make changes to the security policies. Allow the security administrators to tailor their practices as they see fit. Shred the old policies.

As an attacker, you are trying to prevent an IDS from alerting your presence to the network administrators. You determine that the rules that are set in place by the firewall are pretty effective and you dare not risk any more attempts to get past the security appliances. What is one method that may defeat the security policies set in place by the IDS and other security appliances?. Firewalking. Conducting a reverse shell exploit. Session splicing. Using HTTP.

When a layer 2 switch is flooded, what mode does it default to?. Fail open mode, where it mimics a hub. Fail closed, where nothing is passed anymore. Layer 2 switches process IP packets and not datagrams. Layer 2 switches cannot be flooded because they are collision domains.

Using Nmap, what switches allows us to fingerprint an operating system and conduct a port scan?. -sS -sO. -sSO. -O -Ss. -O -sS.

What sort of an attack might you suspect if you had found an access point with the same name as an enterprise SSID?. SSID scanning. Evil twin. Deauthentication. Injection.

If we send an ACK message to a system and there is no response, what can we determine from the port?. ACK does not use a port. The port is open and ready to receive a SYN packet. The port is filtered. A SYN/ACK is returned.

Once the three-way handshake has been completed, in what state would a stateful firewall consider the communication flow to be?. NEW. RELATED. ESTABLISHED. STATELESS.

If you wanted to use a browser plugin to identify technologies used in a website, what might you use?. TamperData. WappAlyzer. GreaseMonkey. Nova.

IPv6 uses IPSec. Which of the following establishes the key agreement?. IKE. ISAKMP. Diffie-Hellman. TLS.

What ICMP type denotes a “Time Exceeded” response?. Type 3. Type 0. Type 5. Type 11.

Which of the following is a lightweight Cisco proprietary protocol for building security tunnels?. EAP. PEAP. CHAP. LEAP.

What three services are usually included with the NetBIOS protocol?. NBT, NetBIOS session, and NetBIOS datagram. NBT, asymmetric session, and NetBIOS datagram. NetBIOS datagram, NBT, and NetBIOS AD. NetBIOS datagram, NBT, and NetBIOS SCP.

What social networking site would likely be most useful for performing reconnaissance against a target?. LinkedIn. WhatsApp. Facebook. Friendster.

What do wireless access points use to advertise their presence?. Beacon frame. Homing beacon. Homing broadcast. Broadcast frame.

As a security administrator, you notice that your users are writing down their login credentials and sticking them on their monitors. What is an effective way of combating this security issue?. Implement a PKI solution. Mandate password changes every 30 days. Set up a user and security awareness training session. Inform users that they need to memorize their credentials.

What does stateful inspection provide to the network administrator?. It tracks all communications streams, and packets are inspected. It provides the administrator with a slower network response. It ensures that communications are terminated. It provides the administrator with reduced admin work.

As a white hat, you’re tasked to identify all vulnerabilities possible on a network segment that your customer provided to you. You are provided nothing but a network identification, including an IP address and subnet mask. What type of assessment are you conducting?. White box. Gray box. Black box. Crystal box.

What security property would you be addressing through the use of AES?. Confidentiality. Integrity. Availability. Non-repudiation.

What type of network topology is being shown in the following diagram?. Token ring topology. Hybrid-mesh topology. Bus topology. Screen subnet.

What type of subnet is being implemented based on this logical diagram?. Dual-homed firewall. Double-screen firewall. Screen subnet. Screen firewall.

What is missing from the TCP segment structure?. Timing. TTL. ICMP. Flags.

What would be the last values to complete the connection?. SEQ: 302 ACK: 200 FLAGS: SYN. SEQ: 302 ACK: 201 FLAGS: ACK. SEQ: 301 ACK: 202 FLAGS: ACK. SEQ: 301 ACK: 244 FLAGS: ACK.

What type of application has impacted Ring 0?. Root access. Malware. Rootkit. Trojan virus.

What Bluetooth attack would allow you to make a call after gaining access to a device for the purpose of surveillance?. BlueSnarf. BlueSurveill. BlueBug. BlueBang.

What type of attack is the adversary conducting in the following diagram?. Smurf attack. Bluesnarfing. Teardrop attack. DoS attack.

What type of attack is the adversary conducting in the following diagram?. Man-in-the-middle attack. Shoulder surfing. Passive reconnaissance. Foot inactive surveillance.

In the following screen shot, why is the packet flag set to “Don’t Fragment”?. The client is trying to establish a TCP handshake. A Hello Server packet has been crafted. The packet does not need to be fragmented. The client is trying to establish an SSL connection.