CEH Study Guide
The Certified Ethical Hacker (CEH) certification is a standalone certification from EC-Council; the exam code is 312-50v8. It is aimed at ethical hacking professionals and covers hacking fundamentals, footprinting and scanning, Linux system security, Trojans, web server hacking, and wireless hacking.
www.trainace.com/security
Mike wants to use Nmap to do basic vulnerability scanning. What does Nmap use for protocols such as FTP and HTTP?
a. Nessus scripting engine
b. Metasploit scripting engine
c. SAINT scripting engine
d. Nmap scripting engine
Answer: D. The Nmap Scripting Engine (NSE) runs Lua scripts (selected with -sC or --script) against the services Nmap discovers, including FTP and HTTP checks.
Q: John is a college student. He is interested in computer security. He wants to gain knowledge about ethical hacking so that he can make information systems secure. In which of the following areas should John acquire expertise in order to fulfill his dream?
Each correct answer represents a complete solution. Choose all that apply.
a. John should have excellent knowledge of computers and their functioning, including programming and networking.
b. Since organizations have a variety of operating systems, such as UNIX, Linux, Windows, and Macintosh, John must be an expert in dealing with these operating systems.
c. John should be familiar with a number of hardware platforms.
d. John should be an expert in security-related communication and report writing.
Explanation: Answer options A, B, C, and D are correct.
According to the scenario, John should have expertise in all the areas listed above. An ethical hacker needs a thorough understanding of computers, programming, and networking; hands-on expertise with the operating systems an organization actually runs (UNIX, Linux, Windows, and Macintosh); familiarity with a range of hardware platforms; and the ability to communicate findings clearly, since the value of a test lies in the report that comes out of it.
Routers use "routing" protocols. Which of the following would a router use? (Choose 2)
a. UDP
b. RIP
c. TCP
d. BGP
e. SMTP
Answer: B and D
Q: Which of the following classes of hackers describes an individual who uses his computer knowledge for breaking security laws, invading privacy, and making information systems insecure?
a. Black Hat
b. White Hat
c. Gray Hat
d. Security providing organizations
Explanation: Answer option A is correct.
A Black Hat Hacker is an individual who uses his computer knowledge for breaking security laws, invading privacy, and making information systems insecure.
Hackers are categorized into the following classes:
Black Hat Hackers (Crackers): These are persons who are computer specialists and use their hacking skills to carry out malicious attacks on information systems.
Gray Hat Hackers: These are persons who sometimes do not break laws and help to defend a network, but sometimes act as Black Hat Hackers.
White Hat Hackers (Ethical Hackers): These are persons who have excellent computer skills and use their knowledge to secure information systems.
Security Providing Organizations: Some organizations and communities also provide security to information systems.
Q: Which of the following statements is true of vulnerability?
a. It is a security weakness in a Target of Evaluation due to failures in analysis, design, implementation, or operation.
b. It refers to a situation in which humans or natural occurrences can cause an undesirable outcome.
c. It is an agent that can take advantage of a weakness.
d. It is a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
Explanation: Answer option A is correct.
Vulnerability is a weakness or lack of safeguard that can be exploited by a threat, thus causing harm to the information systems or networks. It can exist in hardware, operating systems, firmware, applications, and configuration files.
Answer options B, C, and D are incorrect. Option B describes a threat: a threat is an indication of a potential undesirable event and refers to a situation in which humans or natural occurrences can cause an undesirable outcome. Option C describes a threat agent, the party or process that takes advantage of a weakness. Option D is also a definition of a threat (it appears as a correct option in the threat question later in this guide), not of a vulnerability.
Q: Maria works as a professional Ethical Hacker. She recently has been assigned a project to test the security of www.we-are-secure.com. The company has provided the following information about the infrastructure of its network:
Network diagrams of the we-are-secure infrastructure
Source code of the security tools
Which of the following testing methodologies is we-are-secure.com using to test the security of its network?
a. Whitebox
b. Blackbox
c. Graybox
d. Alpha testing
Explanation: Answer option A is correct.
According to the scenario, we-are-secure.com is using the whitebox testing technique. Whitebox testing is a testing technique in which an organization provides full knowledge about the
infrastructure to the testing team.
Answer option B is incorrect. Blackbox testing is a technique in which the testing team has no knowledge about the infrastructure of the organization. This testing technique is costly and time consuming.
Answer option C is incorrect. Graybox testing is a combination of whitebox testing and blackbox testing. In graybox testing, the test engineer is equipped with the knowledge of system and designs test cases or test data based on system knowledge.
What is the principle that a party cannot deny its role (i.e. sending a document) in an activity?
a. Non-repudiation
b. Availability
c. Privacy
d. Confidentiality
Answer: A
Microsoft servers (file and print) are often a target of attackers. What are common vulnerabilities?
a. XSS
b. SQL injection
c. Missing patches
d. Weak IVs
answer: C
Q: Samantha works as an Ethical Hacker for we-are-secure Inc. She wants to test the security of the we-are-secure server for DoS attacks. She sends a large number of ICMP ECHO packets to the target computer. Which of the following DoS attacking techniques is she using to accomplish her task?
a. Smurf DoS attack
b. Ping flood attack
c. Teardrop attack
d. Land attack
Explanation: Answer option B is correct.
According to the scenario, Samantha is using the ping flood attack. In a ping flood attack, an attacker sends a large number of ICMP packets to the target computer.
Answer option A is incorrect. In a smurf DoS attack, the attacker sends a large amount of ICMP echo request traffic to the IP broadcast addresses. These ICMP requests have a spoofed source address of the intended victim.
Answer option C is incorrect. In a teardrop attack, a series of data packets are sent to the target system with overlapping offset field values. As a result, the target system is unable to reassemble these packets and is forced to crash, hang, or reboot.
Answer option D is incorrect. In a land attack, the attacker sends a spoofed TCP SYN packet in which the IP address (and port) of the target host is filled in both the source and destination fields, so the target tries to reply to itself.
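The four techniques distinguished above can be told apart from the packets themselves. The following Python is an added example, not part of the study guide: it classifies a constructed set of packet records (sample data, not a real capture) into ping flood, smurf, land, and teardrop using the defining feature of each. The victim address, the amplifier network, the flood threshold, and the record format are all assumptions.

```python
import ipaddress
from collections import Counter

# Constructed packet records for the four DoS techniques above (sample data,
# not captures from the original page). Addresses are documentation ranges;
# the victim is 198.51.100.5 and the amplifier LAN is assumed to be 192.0.2.0/24.
VICTIM = "198.51.100.5"
AMPLIFIER_LAN = "192.0.2.0/24"
SAMPLE_PACKETS = (
    # ping flood: one source sends hundreds of ICMP echo requests (type 8)
    [{"proto": "ICMP", "type": 8, "src": "203.0.113.9", "dst": VICTIM}] * 300
    # smurf: echo requests to the LAN broadcast address, source spoofed to the victim
    + [{"proto": "ICMP", "type": 8, "src": VICTIM, "dst": "192.0.2.255"}] * 40
    # land: TCP SYN whose source and destination address and port are the victim's own
    + [{"proto": "TCP", "flags": "S", "src": VICTIM, "dst": VICTIM, "sport": 139, "dport": 139}]
    # teardrop: two fragments of one datagram whose byte ranges overlap
    + [{"proto": "IPFRAG", "src": "203.0.113.9", "dst": VICTIM, "id": 77, "offset": 0, "length": 1400},
       {"proto": "IPFRAG", "src": "203.0.113.9", "dst": VICTIM, "id": 77, "offset": 800, "length": 1400}]
    # a single benign ping that must not be flagged
    + [{"proto": "ICMP", "type": 8, "src": "192.0.2.10", "dst": VICTIM}]
)

PING_FLOOD_THRESHOLD = 100  # echo requests per (source, destination) pair; an assumption


def is_directed_broadcast(addr, lan_prefix):
    return ipaddress.ip_address(addr) == ipaddress.ip_network(lan_prefix).broadcast_address


def classify_dos(packets, lan_prefix=AMPLIFIER_LAN, threshold=PING_FLOOD_THRESHOLD):
    """Return a sorted list of (technique, victim) findings for a list of packet records."""
    findings = set()
    echo_counts = Counter()
    fragments = {}  # (src, dst, ip id) -> list of (start, end) byte ranges seen so far
    for p in packets:
        if p["proto"] == "ICMP" and p.get("type") == 8:
            if is_directed_broadcast(p["dst"], lan_prefix):
                # every host on the LAN replies to the spoofed source, so the
                # "source" of a broadcast echo request is the real victim
                findings.add(("smurf", p["src"]))
            else:
                echo_counts[(p["src"], p["dst"])] += 1
        elif p["proto"] == "TCP" and "S" in p.get("flags", ""):
            if p["src"] == p["dst"] and p.get("sport") == p.get("dport"):
                findings.add(("land", p["dst"]))
        elif p["proto"] == "IPFRAG":
            key = (p["src"], p["dst"], p["id"])
            start, end = p["offset"], p["offset"] + p["length"]
            for prev_start, prev_end in fragments.get(key, []):
                if start < prev_end and prev_start < end:  # byte ranges overlap
                    findings.add(("teardrop", p["dst"]))
                    break
            fragments.setdefault(key, []).append((start, end))
    for (src, dst), n in echo_counts.items():
        if n >= threshold:
            findings.add(("ping_flood", dst))
    return sorted(findings)


if __name__ == "__main__":
    for technique, victim in classify_dos(SAMPLE_PACKETS):
        print(f"{technique:<11} victim={victim}")
```

The victim in a smurf finding is the spoofed source, not the destination, which is why the classifier reports the source address of broadcast echo requests. Real IP fragment offsets are counted in 8-byte units; the records here carry byte offsets for readability.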
Q: Which individuals believe that hacking and defacing web sites can promote social changes?
a. Hacktivists
b. Crackers
c. Script kiddies
d. Phreakers
Explanation: Answer option A is correct.
Hacktivists are individuals who believe that hacking and defacing web sites can promote social changes.
Hacktivism is the act of hacking or breaking into a computer system for a politically or socially motivated purpose. The person who performs the act of hacktivism is known as a hacktivist. A hacktivist uses the same tools and techniques as those used by a hacker.
Answer option B is incorrect. Crackers are individuals who use their skill and knowledge for harmful activities.
Answer option C is incorrect. Script kiddies are individuals who have little or no programming skills and use freely available hacking software.
Answer option D is incorrect. Phreakers are individuals who attack telephone and other telecommunication systems, for example to make free calls or to intercept information.
To limit the possibility of a system being compromised, also referred to as reducing the attack surface, what should your security team do?
a. Harvesting
b. Hardening
c. Scanning
d. Windowing
answer: B
Q: Which of the following statements are true about threats? Each correct answer represents a complete solution. Choose all that apply.
a. A threat is a sequence of circumstances and events that allows a human or other agent to cause an information-related misfortune by exploiting vulnerability in an IT product.
b. A threat is a potential for violation of security which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
c. A threat is a weakness or lack of safeguard that can be exploited by vulnerability, thus causing harm to the information systems or networks.
d. A threat is any circumstance or event with the potential of causing harm to a system in the form of destruction, disclosure, modification of data, or denial of service.
Explanation: Answer options A, B, and D are correct.
A threat is an indication of a potential undesirable event. It refers to a situation in which humans or natural occurrences can cause an undesirable outcome.
Answer option C is incorrect. A weakness or lack of safeguard is a vulnerability, not a threat; a threat exploits a vulnerability, not the other way round.
Q: John works as a professional Ethical Hacker. He is assigned a project to test the security of www.we-are-secure.com. He knows the steps taken by a malicious hacker to perform hacking. What steps are performed in malicious hacking?
a. Step 1: Reconnaissance: In this phase, the attacker gathers information about the victim.
b. Step 2: Scanning: In this phase, the attacker begins to probe the target for vulnerabilities that can be exploited.
c. Step 3: Gaining Access: In this phase, the attacker exploits a vulnerability to gain access into the system.
d. Step 4: Maintaining Access: In this phase, the attacker maintains access to fulfill his purpose of entering into the network.
e. Step 5:Covering\Clearing Tracks: In this phase, the attacker attempts to cover his tracks so that he cannot be detected or penalized under criminal law.
Explanation: All five options are correct. Reconnaissance, scanning, gaining access, maintaining access, and covering tracks are the phases of malicious hacking, performed in that order.
When using Wireshark to acquire packet capture on a network, which device would enable the capture of all traffic on the wire?
A. Layer 3 switch
B. Network tap
C. Network bridge
D. Router
answer: B
Q: John is a malicious attacker. He illegally accesses the server of We-are-secure Inc. He then places a backdoor in the We-are-secure server and alters its log files. Which of the following steps of malicious hacking includes altering the server log files?
a. Reconnaissance
b. Maintaining access
c. Gaining access
d. Covering\Clearing tracks
Explanation: Answer option D is correct.
According to the scenario, John has installed a backdoor on the We-are-secure server so that he can have access whenever he wants to log in. This process comes under the Maintaining access phase of malicious hacking. Further, John alters the server's log files, which could give a clue about his malicious intent to the Network Administrator. This process comes under the Covering tracks phase of malicious hacking.
If two companies merge, what must be done so that each company's Certificate Authority will trust the certificates generated by the other company?
a. Cross-certification
b. Federated Identity
c. Public Key Exchange Authorization
d. It cannot be done; a new PKI system will need to be created
answer: A
Which system of PKI verifies the applicant?
a. Certificate Authority
b. Registration Authority
c. Root CA
d. Validation Authority
answer: B
a. He is an individual who uses hacking programs developed by others to attack information systems and spoil websites.
b. He is an individual who has lost respect and integrity as an employee in any organization.
c. He is an individual who breaks communication systems to perform hacking.
d. He is an individual who is an expert in various computer fields, such as operating systems, networking, hardware, software, etc. and enjoys the mental challenge of decoding computer programs, solving network vulnerabilities and security threats, etc.
Explanation: Answer option A is correct.
Answer option B is incorrect. This option defines a disgruntled employee. A disgruntled employee is an individual who has lost respect and integrity as an employee in an organization. Most of the time, he/she has more knowledge than a script kiddie.
Q: Which of the following penetration testing phases involves reconnaissance or data gathering?
a. Pre-attack phase
b. Attack phase
c. Post-attack phase
d. Out-attack phase
Explanation: Answer option A is correct.
The pre-attack phase is the first step for a penetration tester. The pre-attack phase involves reconnaissance or data gathering. It also includes gathering data from Whois, DNS, and network scanning, which help in mapping a target network and provide valuable information regarding the operating system and applications running on the systems.
Q: Which of the following policies defines the acceptable methods of remotely connecting a system to the internal network?
a. Remote access policy
b. Network security policy
c. Computer security policy
d. User Account Policy
Explanation: Answer option A is correct. A remote access policy is a document which outlines and defines acceptable methods of remotely connecting to the internal network.
Answer option B is incorrect. A network security policy is a generic document that outlines rules for computer network access. It also determines how policies are enforced and lays out some of the basic architecture of the company security/ network security environment
Answer option C is incorrect. A computer security policy defines the goals and elements of the computer systems of an organization. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms.
Answer option D is incorrect. The User Account Policy is a type of document, which focuses on the requirements for requesting and maintaining an account on computer systems or networks within an organization.
Q: Security is a state of well-being of information and infrastructure in which the possibilities of successful yet undetected theft, tampering, and/or disruption of information and services are kept low or tolerable. Which of the following are the elements of security?
Each correct answer represents a complete solution. Choose all that apply.
a. Confidentiality
b. Authenticity
c. Availability
d. Integrity
e. Non-Repudiation
Explanation: Answer options A, B, C, and D are correct. The elements of security are as follows:
1. Confidentiality: It is the concealment of information or resources.
2. Authenticity: It is the identification and assurance of the origin of information.
3. Integrity: It refers to the trustworthiness of data or resources in terms of preventing improper and unauthorized changes.
4. Availability: It refers to the ability to use the information or resources as desired.
Q: Which of the following is the most common way of performing social engineering attacks?
a. Phone
b. Email
c. War driving
d. Session hijacking
Explanation: Answer option A is correct.
The phone is the most common way of performing social engineering attacks. Social engineering is the art of convincing people and making them disclose useful information such as account names and passwords.
Answer option C is incorrect. War driving, also called access point mapping, is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere.
Answer option D is incorrect. Session hijacking refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server
TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine.
During a wireless penetration test, a tester detects an access point using WPA2. Which of the following attacks should she use to obtain the key?
A. The tester must use the tool airodump-ng to crack it using the ESSID of the network.
B. The tester must capture the WPA2 authentication handshake and then crack it.
C. The tester must change the MAC address of the wireless network card and then use the AirCrack tool to obtain the key.
D. WPA2 cannot be cracked.
answer: B
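Option B works because the 4-way handshake exposes enough material for an offline guess: the PMK is derived only from the passphrase and the SSID, and the MIC on the EAPOL messages is keyed from it. The following Python is an added example, not from the study guide and not code from the aircrack-ng project: it reproduces the derivation chain (PBKDF2 PMK, PRF-512 PTK, HMAC-SHA1 MIC), builds a constructed message 2 of the handshake for a known passphrase, then recovers that passphrase from a small wordlist the way a handshake cracker does. The SSID, MAC addresses, nonces, passphrase, and wordlist are all assumed values.

```python
import hashlib
import hmac

# Constructed handshake parameters (not from the original page). In a real test
# these come from the captured EAPOL frames and the beacon; here we generate them
# ourselves so the example runs offline with a known answer.
SSID = "we-are-secure"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
PASSPHRASE = "correct horse"  # the secret the simulated AP was configured with
WORDLIST = ["password", "letmein", "correct horse", "qwerty123"]

MIC_OFFSET = 81  # byte offset of the Key MIC field in an EAPOL-Key frame


def pmk_from_passphrase(passphrase, ssid):
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    # IEEE 802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4))
    return b"".join(blocks)[:64]


def derive_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    # PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces));
    # its first 16 bytes are the KCK, the key that authenticates the EAPOL MIC.
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck, frame_with_mic_zeroed):
    # Key descriptor version 2 (used with CCMP): MIC = HMAC-SHA1 over the frame, truncated to 16 bytes
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce, mic):
    # Minimal EAPOL-Key message 2 (supplicant -> AP). Field order follows 802.11i;
    # values other than the nonce and the MIC are fixed placeholders.
    body = bytes([0x02])                # descriptor type: RSN
    body += bytes([0x01, 0x0a])         # key info: MIC present, pairwise, descriptor version 2
    body += (16).to_bytes(2, "big")     # key length
    body += (1).to_bytes(8, "big")      # replay counter
    body += snonce                      # 32 bytes
    body += b"\x00" * 16                # key IV
    body += b"\x00" * 8                 # key RSC
    body += b"\x00" * 8                 # key ID
    body += mic                         # 16 bytes, lands at MIC_OFFSET
    body += (0).to_bytes(2, "big")      # key data length
    header = bytes([0x01, 0x03]) + len(body).to_bytes(2, "big")  # EAPOL version 1, type Key
    return header + body


def simulate_capture(passphrase, ssid=SSID, ap_mac=AP_MAC, sta_mac=STA_MAC, anonce=ANONCE, snonce=SNONCE):
    # What airodump-ng would capture: message 2 carrying a MIC computed by the real station
    kck = derive_kck(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    unsigned = build_eapol_msg2(snonce, b"\x00" * 16)
    return build_eapol_msg2(snonce, eapol_mic(kck, unsigned))


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2, wordlist):
    # Offline dictionary attack: recompute the MIC for each candidate and compare.
    target_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = eapol_msg2[:MIC_OFFSET] + b"\x00" * 16 + eapol_msg2[MIC_OFFSET + 16:]
    for candidate in wordlist:
        kck = derive_kck(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, zeroed), target_mic):
            return candidate
    return None


def demo(wordlist=WORDLIST):
    captured = simulate_capture(PASSPHRASE)
    return crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, captured, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Once the nonces, MACs and MIC are known the network is never touched again, so the attacker can spend as long as the wordlist requires; the only defence on the PSK side is a passphrase that is in no list. Key descriptor version 2 (HMAC-SHA1) is assumed, as used with CCMP; WPA with TKIP uses version 1 (HMAC-MD5).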
What is the main reason the use of a stored biometric is vulnerable to an attack?
A. The stored biometric data can be stolen and used by an attacker to impersonate the individual identified by the biometric.
B. A stored biometric is no longer "something you have" and instead becomes "something you are".
C. Authentication using a stored biometric compares a copy to a copy instead of the original to a copy.
D. The digital representation of the biometric might not be unique.
answer: A
Which type of scan measures a person's external features through a digital video camera?
A. Facial recognition scan
B. Retina scan
C. Signature dynamics scan
D. Iris scan
answer: A
When creating a new Nessus policy, where would you enable Global Variable Settings?
A. Plugins
B. General
C. Preferences
D. Credentials
answer: C
A pentester enters the following command. What type of scan is this?
nmap -N -sS -PO -p 123 192.168.2.25
a. Stealth scan
b. Intense scan
c. Idle scan
d. FIN scan
answer: A
The -sS flag requests a TCP SYN (half-open) scan, which Nmap also calls a stealth scan: it never completes the three-way handshake, so the service on port 123 never sees a full connection to log.
A hacker has been successfully modifying the purchase price of several items on your client's web site. What is she using to do this? (The IDS shows no signs of alerts)
a. SQL injection
b. Hidden form fields
c. XSS
d. Port scanning
answer: B
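Hidden fields are ordinary form input that the browser sends back unchanged only if the user is honest. The following Python is an added example, not from the study guide: a checkout handler that trusts a hidden price field, beside the corrected version that recomputes the price server-side, plus an HMAC check for hidden fields that genuinely must carry state. The catalog, request body, and signing key are constructed values.

```python
import hashlib
import hmac
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed catalog and signing key (assumptions, not from the original page).
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("199.00")}
SERVER_SECRET = b"rotate-me-this-is-only-a-demo-key"


class InvalidOrder(ValueError):
    pass


def checkout_vulnerable(post_body):
    # The page rendered <input type="hidden" name="price" value="199.00"> and the
    # handler believes whatever comes back. An attacker edits the value before
    # submitting; the request is a well-formed POST, so an IDS sees nothing unusual.
    form = parse_qs(post_body)
    price = Decimal(form["price"][0])
    qty = int(form["qty"][0])
    return price * qty


def checkout_fixed(post_body):
    # Price is re-derived from server-side state keyed by SKU; any client-supplied
    # price field is ignored, and the quantity is range-checked.
    form = parse_qs(post_body)
    sku = form.get("sku", [None])[0]
    if sku not in CATALOG:
        raise InvalidOrder("unknown sku")
    try:
        qty = int(form.get("qty", ["0"])[0])
    except ValueError:
        raise InvalidOrder("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise InvalidOrder("quantity out of range")
    return CATALOG[sku] * qty


def sign_hidden(value):
    # When a hidden field really must carry server state, bind it with an HMAC
    # so modification on the way back is detected.
    tag = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def verify_hidden(signed):
    value, _, tag = signed.rpartition("|")
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise InvalidOrder("hidden field was tampered with")
    return value


def is_tampered(signed):
    try:
        verify_hidden(signed)
        return False
    except InvalidOrder:
        return True


if __name__ == "__main__":
    tampered = "sku=SKU-200&price=0.01&qty=3"  # attacker changed price from 199.00 to 0.01
    print("vulnerable total:", checkout_vulnerable(tampered))
    print("fixed total:     ", checkout_fixed(tampered))
```

The signed-field variant still leaks the value to the client, so it suits things like a pagination cursor, not a price; for anything money-related the server-side lookup in checkout_fixed is the right shape.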
If you are sending specially designed packets to a remote system and analyzing the results, what type of scan would this be considered?
a. Active
b. Passive
c. Directive
d. Bounce
answer: A
Q: You run the following commands in the command prompt:
Telnet <IP Address> <Port 80>
HEAD / HTTP/1.0 <Return>
<Return>
Which of the following types of information gathering techniques are you using?
a. Banner grabbing
b. OS fingerprinting
c. Dumpster diving
d. Port scanning
Explanation: Answer option A is correct. Banner grabbing is an enumeration technique used to glean information about computer systems on a network and the services running on their open ports. Administrators can use it to take inventory of the systems and services on their network.
Answer option B is incorrect. OS fingerprinting is a way to detect the operating system (OS) of a remote system. OS detection matters because, once the target's OS is known, it becomes easier to choose exploits for the system. Fingerprinting compares the packets the target sends against a database of known OS behaviour. There are two types of fingerprinting techniques:
1. Active fingerprinting: crafted probes (for example unusual TCP, UDP, or ICMP packets) are sent to the target, and the details of its responses indicate which OS it runs.
2. Passive fingerprinting: no packets are sent; traffic from the target is sniffed and characteristics such as the initial TTL, TCP window size, and Don't Fragment flag are matched against known OS values.
Answer option C is incorrect. Dumpster diving is a term that refers to going through someone's trash in an attempt to find out useful or confidential information.
Answer option D is incorrect. Port scanning is the first basic step to get the details of open ports on the target system. Port scanning is used to find a hackable server with a hole or vulnerability. A port is a medium of communication between two computers. Every service on a host is identified by a unique 16-bit number called a port.
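The telnet session above can be scripted. The following Python is an added example, not from the study guide: it sends the same HEAD request over a socket, parses the status line and headers out of whatever comes back and, so that it runs offline, exercises the exchange against a fake server on a socket pair that replies with a constructed Apache-style response (sample data, not a real capture). Against a real host you would call grab_http_banner(host, 80) instead.

```python
import socket
import threading

# A constructed response such as a real Apache host might return (sample, not a capture).
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
                   b"Server: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\n"
                   b"Content-Type: text/html\r\n\r\n")


def parse_response_head(raw):
    """Split the status line and headers out of a raw HTTP response; header names are lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    lines = head.split("\r\n")
    result = {"status": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            result[name.strip().lower()] = value.strip()
    return result


def banner_over_socket(sock, host="localhost"):
    # Same exchange as the telnet session above: "HEAD / HTTP/1.0", a blank line,
    # then read until the server closes the connection (HTTP/1.0 behaviour).
    sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            break
        chunks.append(data)
    return parse_response_head(b"".join(chunks))


def grab_http_banner(host, port=80, timeout=3.0):
    """Grab the banner of a real web server (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return banner_over_socket(sock, host)


def demo_offline_grab():
    # Drive banner_over_socket against a fake server on a socket pair so the
    # example runs with no network; the fake server answers with SAMPLE_RESPONSE.
    client, server = socket.socketpair()

    def fake_server():
        with server:
            request = b""
            while b"\r\n\r\n" not in request:
                chunk = server.recv(4096)
                if not chunk:
                    return
                request += chunk
            if request.startswith(b"HEAD / HTTP/1.0"):
                server.sendall(SAMPLE_RESPONSE)
        # leaving the with-block closes the socket, which ends the client's read loop

    worker = threading.Thread(target=fake_server)
    worker.start()
    with client:
        headers = banner_over_socket(client)
    worker.join()
    return headers


if __name__ == "__main__":
    headers = demo_offline_grab()
    print(headers["status"], "|", headers.get("server"), "|", headers.get("x-powered-by"))
```

The Server and X-Powered-By headers are what an enumeration pass records; the same parser works on responses from mail or FTP servers once the request line is changed, since all of them announce themselves before authentication.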
Q: Which of the following involves changing data prior to or during input to a computer in an effort to commit fraud?
a. Eavesdropping
b. Spoofing
c. Wiretapping
d. Data diddling
Explanation: Answer option D is correct.
Data diddling involves changing data prior to or during input to a computer in an effort to commit fraud. It also refers to the act of intentionally modifying information, programs, or documentations.
Answer option A is incorrect. Eavesdropping is the process of listening to private conversations. It also includes attackers listening the network traffic.
Answer option B is incorrect. Spoofing is a technique that makes a transmission appear to have come from an authentic source by forging the IP address, email address, caller ID, etc. In IP
spoofing, a hacker modifies packet headers by using someone else's IP address to hide his identity. However, spoofing cannot be used while surfing the Internet, chatting on-line, etc. because forging the source IP address causes the responses to be misdirected.
Answer option C is incorrect. Wiretapping is an act of monitoring telephone and Internet
conversations by a third party. It is only legal with prior consent. Legalized wiretapping is generally practiced by the police or any other recognized governmental authority.
Q: Maria works as a professional Ethical Hacker. She recently got a project to test the security of www.we-are-secure.com. What are three pre-test phases of the attack to test the security of we-are-secure?
a. Identifying the active system
b. Web server hacking
c. Enumerating the system
d. Session hijacking
e. Placing backdoors
f. Footprinting
Explanation: Answer options A, C, and F are correct. The three pre-test phases of the attack are footprinting, identifying the active system, and enumerating the system.
Placing backdoors, web server hacking, and session hijacking are phases of executing attacks.
Q: Which of the following tools can a user use to hide his identity?
Each correct answer represents a complete solution. Choose all that apply.
a. War dialer
b. Proxy server
c. IPchains
d. Anonymizer
e. Rootkit
Explanation: Answer options B, C, and D are correct.
A user can hide his identity using a proxy server, an anonymizer, or a masquerading firewall such as IPChains (its MASQ target rewrites outgoing packets with the firewall's own address, so the remote host never sees the user's address). A proxy server hides the identity of a user's system from the outside world. Instead of creating a connection directly with the remote host, the user's system connects to the proxy server, and the proxy server establishes the connection with the remote host to which the user wants to connect.
Anonymizers are the services that help make a user's own Web surfing anonymous. An
anonymizer removes all the identifying information from a user's computer while the user surfs the Internet. In this manner, it ensures the privacy of the user.
IPChains is a Linux packet filtering firewall that allows a Network Administrator to ACCEPT, DENY, MASQ, or REDIRECT packets. There are three built-in chains in the IPChains firewall: input, forward, and output. Note: Each packet passing through the forward chain also passes through both the input and output chains.
Answer option A is incorrect. A war dialer is a tool that scans thousands of telephone numbers to detect vulnerable modems that could provide unauthorized access to a system; it does nothing to hide the caller. Examples of war dialing tools are THC-Scan, ToneLoc, PhoneSweep, TeleSweep Secure, iWar, ShokDial, and Visual NetTools.
Answer option E is incorrect. A rootkit is a set of tools that take Administrative control of a computer system without authorization by the computer owners and/or legitimate managers. A rootkit requires root access to be installed in the Linux operating system, but once installed, the attacker can get root access at any time.
Q: John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He begins to perform footprinting and scanning. Which of the following steps do footprinting and scanning include?
Each correct answer represents a complete solution. Choose all that apply.
a. Information gathering
b. Determining network range
c. Identifying active machines
d. Finding open ports and applications
e. Enumeration
Explanation: Answer options A, B, C, and D are correct. Footprinting and scanning include information gathering, determining the network range, identifying active machines, finding open ports and applications, fingerprinting services, and mapping the network.
Answer option E is incorrect. Enumeration is a separate phase that follows scanning. In the enumeration phase, the attacker gathers information such as network user and group names, routing tables, and Simple Network Management Protocol (SNMP) data. The techniques used in this phase are as follows:
1. Obtaining Active Directory information and identifying vulnerable user accounts
2. Discovering NetBIOS names
3. Employing Windows DNS queries
4. Establishing NULL sessions and queries
Q: Which of the following is a passive information gathering tool?
a. Nmap
b. Whois
c. Snort
d. Ettercap
Explanation: Answer option B is correct.
The whois tool is a passive information gathering tool. whois queries are used to determine the IP address ranges associated with clients. A whois query can be run on most UNIX environments. In a Windows environment, the tools, such as WsPingPro and Sam Spade, can be used to perform whois queries. Whois queries can also be executed over the Web from www.arin.net and www.networksolutions.com.
Answer option A is incorrect. Nmap is an active information gathering tool: it sends packets to the target. The nmap utility, commonly known as a port scanner, is used to view the open ports on a host. Administrators use it to determine which services are available to external users.
Answer option C is incorrect. Snort is not an information gathering tool at all; it is an open source network intrusion detection and prevention system that operates as a network sniffer and logs network activity that matches predefined signatures. Snort runs in three modes:
Sniffer mode: It reads the packets of the network and displays them in a continuous stream on the console.
Packet logger mode: It logs the packets to the disk.
Network intrusion detection mode: It is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user-defined rule set.
Answer option D is incorrect. Ettercap is an active information gathering tool. Ettercap is a UNIX and Windows tool for computer network protocol analysis and security auditing. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active
eavesdropping against a number of common protocols.
Q: You want to retrieve password files (stored in the Web server's index directory) from various Web sites. Which of the following tools can you use to accomplish the task?
a. Google
b. Whois
c. Sam Spade
d. Nmap
Explanation: Answer option A is correct.
You can use Google to retrieve password files (stored in the Web server's index directory) from various Web sites. Google allows the search queries that can search information from the Web server's index directory. Such search technique is known as Google hacking.
Q: You see the career section of a company's Web site and analyze the job profile requirements. You conclude that the company wants professionals who have a sharp knowledge of Windows Server 2003 and Windows Active Directory installation and placement. Which of the following steps are you using to perform hacking?
a. Reconnaissance
b. Scanning
c. Gaining access
d. Covering tracks
Explanation: Answer option A is correct. Reading public job postings to learn what technology a target runs is passive reconnaissance: no packet is sent to the target.
A. Blocks the connection with the source IP address in the packet
B. Stops checking rules, sends an alert, and drops the packet
C. Continues to evaluate the packet until all rules are checked
D. Drops the packet and moves on to the next one
answer: C
Q: Anonymizers are the services that help make a user's own Web surfing anonymous. An anonymizer removes all the identifying information from a user's computer while the user surfs the Internet. It ensures the privacy of the user in this manner. After the user anonymizes a Web access with an anonymizer prefix, every subsequent link selected is also automatically accessed anonymously. Which of the following are limitations of anonymizers? Each correct answer represents a complete solution. Choose all that apply.
a. Secure protocols
b. Plugins
c. ActiveX controls
d. Java applications
e. JavaScript
Explanation: Answer options A, B, C, D, and E are correct. Anonymizers have the following limitations:
1. HTTPS: Secure protocols such as 'https:' cannot be properly anonymized, as the browser needs to access the site directly to properly maintain secure encryption.
2. Plugins: If an accessed site invokes a third-party plugin, there is no guarantee of an established independent direct connection from the user computer to a remote site.
3. Java: Any Java application accessed through an anonymizer will not be able to bypass the Java security wall.
4. ActiveX: ActiveX applications have almost unlimited access to the user's computer system. 5. JavaScript: The JavaScript scripting language is disabled with URL-based anonymizers.
Each correct answer represents a complete solution. Choose all that apply.
a. It describes a set of general design guidelines and implementations of specific networking protocols to enable computers to communicate over a network.
b. It provides end-to-end connectivity specifying how data should be formatted, addressed, transmitted, routed, and received at the destination.
c. It is generally described as having five abstraction layers.
d. It consists of various protocols present in each layer.
Explanation: Answer options A, B, and D are correct.
The TCP/IP model is a description framework for computer network protocols. It describes a set of general design guidelines and implementations of specific networking protocols to enable computers to communicate over a network. TCP/IP provides end-to-end connectivity specifying how data should be formatted, addressed, transmitted, routed, and received at the destination. Protocols exist for a variety of different types of communication services between computers. The TCP/IP model is sometimes called the Internet Model or the DoD Model.
The TCP/IP model has four layers, described below from the top down. This layer architecture is often compared with the seven-layer OSI Reference Model. The TCP/IP model and related protocols are maintained by the Internet Engineering Task Force (IETF).
Layer 4 Application
The application layer is where programs communicate. Sometimes called the user interface layer because it is an easy way to think about its purpose. This is where web browsers, file sharing software, email, and other user facing software interacts. Encryption and session details are also handled in this layer.
Layer 3 Transport
In the transport layer, devices negotiate and decide how they will communicate over the network. The devices will decide on communication type (e.g., UDP or TCP), window size, port, error handling, and sequencing. This layer does a large portion of the work in device communications.
Layer 2 Internet
IP addressing, internetworking, and path determination happen in the internet layer. Routers communicate at this layer to determine the path that a packet will take through a network. Given multiple possibilities, the protocols at this layer will determine the best way for one host to connect to another.
Layer 1 Link
Based on the type of network in use, the link layer encapsulates the data, for example with Ethernet, Frame Relay, PPP, or HDLC framing. The protocol selected depends on the physical connection of the devices and the network topology.
Answer option C is incorrect. This option is invalid, as the TCP/IP model consists of four abstraction layers, NOT five.
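Encapsulation is easiest to see by building a frame and taking it apart again. The following Python is an added example, not from the study guide: it wraps a few bytes of application data in a TCP header, an IPv4 header (with a correctly computed header checksum), and an Ethernet header, then parses the frame back layer by layer and rejects one whose IPv4 header has been corrupted. The MAC addresses, IP addresses and ports are constructed values.

```python
import socket
import struct


def ip_checksum(data):
    # RFC 1071 one's-complement sum over 16-bit words, folded and inverted
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, ttl=64):
    # Application data is wrapped layer by layer on the way down:
    # transport (TCP header) -> internet (IPv4 header) -> link (Ethernet header).
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload  # PSH|ACK
    total_length = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))       # DF set, proto 6 = TCP
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]               # fill in header checksum
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)  # EtherType IPv4
    return eth + ip + tcp


def parse_frame(frame):
    # Peel the layers back off in the reverse order.
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip_checksum(ip[:ihl]) != 0:  # a valid header sums to zero with its checksum field included
        raise ValueError("bad IPv4 header checksum")
    total_length = struct.unpack("!H", ip[2:4])[0]
    segment = ip[ihl:total_length]
    sport, dport, seq, ack, offset_byte, flags, window = struct.unpack("!HHIIBBH", segment[:16])
    data_offset = (offset_byte >> 4) * 4
    return {
        "link": {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":")},
        "internet": {"src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
                     "ttl": ip[8], "protocol": ip[9]},
        "transport": {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                      "flags": flags, "window": window},
        "application": segment[data_offset:],
    }


def frame_is_valid(frame):
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    frame = build_frame("02:00:00:00:00:0a", "02:00:00:00:00:0b", "192.0.2.10", "198.51.100.5",
                        40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    for layer, fields in parse_frame(frame).items():
        print(f"{layer:<12} {fields}")
```

The TCP checksum is left at zero because computing it needs the IP pseudo-header; the IP header checksum is the one a router verifies hop by hop, which is why the parser refuses a frame whose TTL byte has been altered without the checksum being recomputed.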
9. Q: You want to obtain information of a Web server whose IP address range comes in the IP address range used in Brazil. Which of the following registries can be used to get information about Web server IP addresses, reverse DNS, etc?
a. RIPE NCC b. APNIC c. ARIN d. LACNIC
Explanation: Answer option D is correct.
According to the scenario, you have to get information about Web server IP addresses, reverse DNS, etc. of a Web server situated in Brazil. For this, you will search for information in the Latin American and Caribbean Internet Addresses Registry (LACNIC). LACNIC is the Regional Internet Registry for the Latin American and Caribbean regions. LACNIC provides number resource allocation and registration services that support the global operation of the Internet.
Answer option A is incorrect. The Reseaux IP Europeens Network Coordination Centre (RIPE NCC) is the Regional Internet Registry (RIR) for Europe, the Middle East and parts of Central Asia.
Answer option B is incorrect. The Asia Pacific Network Information Centre (APNIC) is the Regional Internet Registry for the Asia Pacific region. APNIC provides number resource allocation and registration services that support the global operation of the Internet.
Answer option C is incorrect. The American Registry for Internet Numbers (ARIN) is the Regional Internet Registry (RIR) for Canada, many Caribbean and North Atlantic islands, and the United States.
What best defines the principle of least privilege?
A. At a minimum, a manager should have all the privileges of his or her employees.
B. People lower in the organization’s hierarchy should have fewer privileges than people higher in the hierarchy.
C. At a minimum, all users should supply a password before accessing a service.
D. One should have access only to the data and services that are required to perform one’s job.
answer: D
10. Q: John works as a System Administrator for uCertify Inc. He is responsible for securing the network of the organization. He is configuring some of the advanced features of the Windows firewall so that he can block a client machine from responding to pings. Which of the
following advanced setting types should John change for accomplishing the task?
a. ICMP b. SMTP c. SNMP d. UDP
Explanation: Answer option A is correct.
According to the scenario, John should change ICMP because it is a protocol that is used when a PING command is issued, received, and responded to. Internet Control Message Protocol (ICMP) is an integral part of IP. It is used to report an error in datagram processing.
Answer option B is incorrect. Simple Mail Transfer Protocol (SMTP-25) is a protocol for sending e-mail messages between servers.
Answer option C is incorrect. The Simple Network Management Protocol (SNMP-161) allows a monitored device (for example, a router or a switch) to run an SNMP agent. This protocol is used for managing many network devices remotely.
Answer option D is incorrect. User Datagram Protocol (UDP) is often used for one-to-many communications, using broadcast or multicast IP datagrams. UDP is a connectionless and unreliable communication protocol. It does not guarantee delivery or verify sequencing for any datagram. UDP provides faster transportation of data between TCP/IP hosts than TCP.
Q: DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name System (DNS) sources. Once a DNS server has received such non-authentic data and caches it for future performance increase, it is considered poisoned, supplying the non-authentic data to the clients of the server. Which of the following DNS records can indicate the time up to which DNS cache poisoning will be effective?
a. MX b. NS c. PTR d. SOA
Explanation: Answer option D is correct.
What is a start of authority (SOA) record?
A start of authority (SOA) record is information stored in a domain name system (DNS) zone about that zone and about other DNS records. A DNS zone is the part of a domain for which an individual DNS server is responsible. Each zone contains a single SOA record.
DNS cache poisoning attack
DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name System (DNS) sources. Once a DNS server has received such non-authentic data and caches it for future performance increase, it is considered poisoned, supplying the non-authentic data to the clients of the server. To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software. If the server does not correctly validate DNS responses to ensure that they are from an authoritative source, the server will end up caching the incorrect entries locally and serve them to other users that make the same request.
of Domain Name Server (DNS). MX record associates the domain name to a domain name classified in an address record (A record).
Answer option B is incorrect. An NS record or name server record is used to denote the server that is authoritative for a DNS zone.
Answer option C is incorrect. PTR record, also known as pointer record, is a record in the Domain Name System (DNS) database that maps an Internet Protocol (IP) address to a host name in the in-addr.arpa domain. PTR records are used to perform reverse DNS lookups.
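To make the SOA fields and the "time up to which poisoning is effective" concrete, here is an added Python example (not from the study guide) that parses a constructed SOA record and computes how long a cached answer, forged or legitimate, survives in a resolver. The example.test zone, its values and the 7-day cache cap are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed single-line SOA record in zone-file format; example.test is a placeholder zone.
# After the two names: serial, refresh, retry, expire, minimum (the negative-caching TTL).
SOA_RECORD = ("example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. "
              "2024010101 7200 900 1209600 300")

SOA_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+"
    r"(?P<minimum>\d+)$"
)


def parse_soa(line):
    """Parse one presentation-format SOA record into a dict; numeric fields become ints."""
    m = SOA_RE.match(line.strip())
    if not m:
        raise ValueError("not a single-line SOA record")
    rec = m.groupdict()
    for key in ("ttl", "serial", "refresh", "retry", "expire", "minimum"):
        rec[key] = int(rec[key])
    return rec


def negative_cache_ttl(soa):
    """RFC 2308: a resolver caches a negative answer for min(SOA MINIMUM, SOA TTL)."""
    return min(soa["minimum"], soa["ttl"])


def poisoned_until(cached_at_iso, ttl_seconds):
    """ISO-8601 instant at which a resolver discards an answer cached at cached_at_iso
    with the given TTL; for a forged answer this is how long the poisoning lasts."""
    cached_at = datetime.fromisoformat(cached_at_iso)
    return (cached_at + timedelta(seconds=ttl_seconds)).isoformat()


def ttl_exceeds_cap(ttl_seconds, max_cache_ttl=7 * 24 * 3600):
    """Defensive check: a forged answer often carries a very large TTL so that it
    persists; resolvers bound this by clamping cached TTLs (BIND's max-cache-ttl
    defaults to 7 days, the cap assumed here)."""
    return ttl_seconds > max_cache_ttl
```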
Which of the following is an example of two-factor authentication?
a. fingerprint and smartcard b. username and password c. ID and token d. Iris scan and fingerprint
answer: A
What is a successful method for protecting a router from potential smurf attacks?
A. Disabling port forwarding on the router
B. Placing the router in broadcast-only mode
C. Disabling the router from accepting broadcast ping messages
D. Installing the router in the DMZ
answer: C
11. Q: Which of the following tools are used for footprinting?
Each correct answer represents a complete solution. Choose all that apply.
a. Traceroute b. Sam spade c. Brutus d. Whois
The Traceroute, Sam Spade, and Whois tools are used for footprinting.
What is TRACEROUTE utility?
TRACEROUTE is a route-tracing utility that displays the path an IP packet takes to reach its destination. It uses Internet Control Message Protocol (ICMP) echo packets to display the Fully Qualified Domain Name (FQDN) and the IP address of each gateway along the route to the remote host.
Q: Which information can an attacker get after tracerouting any network? Each correct answer represents a complete solution. Choose all that apply.
a. Network topology b. Trusted routers c. Firewall locations d. Web administrator email address
Explanation: Answer options A, B, and C are correct.
What is Google hacking?
Google hacking is a computer hacking technique that uses Google search and other Google applications to find security holes in the configuration and computer code that Web sites use. Google hacking involves using advanced operators in the Google search engine to locate specific strings of text within search results.
Q: Which of the following is a valid Google searching operator that is used to search a specified file type?
e. filetype f. inurl g. file type h. intitle
Explanation: Answer option A is correct.
The filetype google search query operator is used to search a specified file type. For example, if you want to search all pdf files having the word hacking, you will use the search query filetype:pdf hacking.
Answer option B is incorrect. inurl is used to search a specified text in the URL of Web sites.
Answer option C is incorrect. file type is not a valid search operator.
Answer option D is incorrect. intitle is used to search a specified text in the title of Web sites.
12. Q: You want to retrieve the default security report of nessus. Which of the following Google search queries will you use?
a. filetype:pdf "Assessment Report" nessus b. filetype:pdf nessus c. site:pdf nessus "Assessment report" d. link:pdf nessus "Assessment report"
Explanation: Answer option A is correct.
Nessus is a vulnerability scanner. What techniques do vulnerability scanners use?
a. Port Scanning b. banner grabbing c. analyzing service responses d. malware analysis
answer: C
One way to defeat a multi-level security solution is to leak data via
A. asymmetric routing B. a covert channel. C. steganography. D. an overt channel
answer: B
Administrators access their servers through Remote Desktop. How could a hacker exploit this to gain access?
a. Capture the LANMAN hashes and crack them with Cain and Abel b. capture the RDP traffic and decode it with Cain and Abel c. Use social engineering to get the domain name of the server d. scan the server to see what ports are open
What is the best defense against privilege escalation vulnerability?
A. Require all computers and servers to be patched immediately upon release of new updates.
B. Run administrator and applications on least privileges and use a content registry for tracking.
C. Run services with least privileged accounts and implement multi-factor authentication
D. Periodically review user roles and administrator
answer: C
Hardware and software devices have been created to emulate computer services, such as web and mail. These can also be used to capture various information. What is being described?
a. Core Switch b. Honeypot c. Port Scanner d. Router
answer: B
1. Q: You are the Security Consultant and have been hired to check security for a client's network. Your client has stated that he has many concerns but the most critical is the security of Web applications on their Web server. What should be your highest priority now in checking his network?
a. Port scanning b. Setting up IDS c. Setting up a honey pot d. Vulnerability scanning
Explanation: Answer option D is correct.
Q: If you want to know what services are running on a target and the possible entry points to launch an attack, what will you do?
a. Nmap scan b. Ping c. Traceroute d. Banner grabbing
In scanning the DMZ interface on a firewall Nmap reports that port 80 is unfiltered. What type of packet inspection is the firewall using?
a. Stateless b. Proxy c. Deep d. Stateful answer: A
Which of the following are detective controls? (Choose 2)
a. audits b. encryption c. DRP d. CCTV e. two-factor authentication
answer: A and D
IPSec can provide for which of the following?
a. availability b. non-repudiation c. anti-virus protection d. DDOS protection
answer: B
The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities?
A. The IDS will not distinguish among packets originating from different sources.
B. An attacker, working slowly enough, may be able to evade detection by the IDS.
C. Network packets will be dropped once the volume exceeds the threshold.
D. Thresholding disables the IDS’ ability to reassemble fragmented packets.
answer: A
Q: Which of the following netcat command switches will you use to telnet a remote host?
a. nc -t b. nc -z c. nc -g d. nc -l -p
Explanation: Answer option A is correct.
Netcat is a freely available networking utility that reads and writes data across network connections using the TCP/IP protocol. Netcat has the following features:
It provides outbound and inbound connections for TCP and UDP ports.
It provides special tunneling, such as UDP to TCP, with the possibility of specifying all network parameters.
It is a good port scanner.
It contains advanced usage options, such as buffered send-mode (one line every N seconds), and hexdump (to stderr or to a specified file) of transmitted and received data.
It is an optional RFC854 telnet code parser and responder.
The common Netcat switches are as follows:
Command Description
nc -d It is used to detach Netcat from the console.
nc -e [program] It is used to redirect stdin/stdout from a program.
nc -z It is used for port scanning.
nc -g or nc -G It is used to specify source routing flags.
nc -t It is used for Telnet negotiation.
nc -w [timeout] It is used to set a timeout before Netcat automatically quits.
nc -v It is used to put Netcat into verbose mode.
Q: You are brought in as an external consultant to review the results of a vulnerability of an internal scan to be run on website hosting servers. All code has been developed in Java and the team wants to test the code for buffer overflow vulnerabilities with the SAINT scanning tool. When the internal team asks for your opinion, you discourage them from starting this exercise. What is the probable reason for your recommendation?
a. An automated vulnerability assessment tool like SAINT is too noisy.
b. Java is not vulnerable to buffer overflow attacks.
c. The vulnerability signatures have to be updated prior to running the scan.
d. The SAINT scanner does not incorporate the new OWASP Top 10 web application scanning policy.
Explanation: Answer option B is correct.
Java uses a sandbox to isolate code and is therefore not vulnerable to buffer overflow attacks. Almost all known web servers, application servers, and web application environments are susceptible to buffer overflows, the notable exception being environments written in interpreted languages like Java or Python, which are immune to these attacks (except for overflows in the Interpreter itself).
www.we-are-secure.com. He has to ping 500 computers to find out whether these computers are connected to the server or not. Which of the following will he use to ping these computers?
a. PING b. TRACEROUTE c. Ping sweeping d. NETSTAT
Explanation: Answer option C is correct.
The Ping sweeping technique is used to ping a batch of devices and to get the list of active devices. Since it is a time-consuming and tedious task to ping every address in the network, the ping sweeping technique is used by the attacker.
Answer option A is incorrect. The ping command-line utility is used to test connectivity with a host on a TCP/IP-based network. This is achieved by sending out a series of packets to a specified destination host.
2. Q: During the attack process, what method is used to discover what rules are configured on a gateway?
a. Firewalking b. Firewalling c. OS Fingerprinting d. Ping Scan
Explanation: Answer option A is correct.
Firewalking is a technique used to discover what rules are configured on a gateway. Usually packets are sent to the remote host with the exact TTL of the target. Hping2 can also be used for firewalking.
What is the process of identifying hosts or services by sending packets into the network perimeter to see which ones get through?
A. firewalking B. Banner Grabbing C. Enumerating D. Trace-configuring
answer: A
Answer option B is incorrect. There is no separate term called Firewalling.
Which of the following statements are true regarding N-tier architecture? (Choose two.)
A. The N-tier architecture must have at least one logical layer
B. Each layer should exchange information only with the layers above and below it.
C. When a layer is changed or updated, the other layers must also be changed
D. Each layer must be able to exist on a physically independent system.
ANSWER: B, D
Q: Which of the following is a technique used to determine which range of IP addresses is mapped to live hosts?
a. TRACERT utility b. Ping sweep c. KisMAC d. PATHPING
Explanation: Answer option B is correct.
Q: You want to determine which protocols a router or firewall will block and which they will pass on to downstream hosts. You want to map out all intermediate routers or hops between a scanning host and the target host. Based upon the results of the scans, you are going to identify which ports are open. The tool displays "A!" when it determines that the metric host is directly behind the target gateway. Which tool are you using for the scan?
a. Firewalk b. nmap c. hping d. traceroute
Explanation: Answer option A is correct.
Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to exploit the idle scan scanning technique.
9. Q: You are running an nmap scan to determine which ports are filtered. You send an ACK flag and receive a RST packet for open and closed ports. What kind of nmap scan are you running?
a. Null Scan -sN b. Fin Scan -sF c. XMAS Scan -sX d. TCP ACK scan -sA
Explanation: Answer option D is correct.
TCP ACK Scan does not determine open/closed ports; instead it determines which ports are filtered/unfiltered. When the ACK flag is sent, open and closed ports will send RST. Ports that do not send a response are considered filtered.
Answer option A is incorrect. In a NULL Scan, no flags are set on the packet. Target must follow RFC 793. It will receive no response if the port is open or filtered; it will receive RST if the port is closed.
Answer option B is incorrect. In Fin Scan, the Fin flag is set on the packet. Target must follow RFC 793. It will receive no response if the port is open or filtered; it will receive RST if the port is closed.
Answer option C is incorrect. In XMAS Scan, the FIN, URG, and PSH flags are set on the packet. Target must follow RFC 793. It will receive no response if the port is open or filtered; it will receive RST if the port is closed.
Reference: http://nmap.org/
11. Q: A war dialer is a tool that is used to scan thousands of telephone numbers to detect vulnerable modems. It provides an attacker unauthorized access to a computer. Which of the following tools can an attacker use to perform war dialing? Each correct answer represents a complete solution. Choose two.
a. THC-Scan b. ToneLoc c. NetStumbler d. Wingate
Explanation: Answer options A and B are correct.
THC-Scan and ToneLoc are tools used for war dialing. A war dialer is a tool that is used to scan thousands of telephone numbers to detect vulnerable modems. It provides the attacker unauthorized access to a computer.
Q: Which of the following network scanning tools is a TCP/UDP port scanner that works as a ping sweeper and hostname resolver?
a. SuperScan b. Nmap c. Netstat d. Hping
Explanation: Answer option A is correct.
SuperScan is a TCP/UDP port scanner. It also works as a ping sweeper and hostname resolver. It can ping a given range of IP addresses and resolve the host name of the remote system.
Q: Which of the following is the correct sequence of packets to perform the 3-way handshake method?
e. SYN, SYN/ACK, ACK f. SYN, ACK, SYN/ACK g. SYN, ACK, ACK h. SYN, SYN, ACK
Explanation: Answer option A is correct.
The TCP/IP 3-way handshake method is used by the TCP protocol to establish a connection between a client and the server. It involves three steps:
1. In the first step of the three-way handshake method, a SYN message is sent from a client to the server.
2. In the second step of the three-way handshake method, SYN/ACK is sent from the server to the client.
3. In the third step of the three-way handshake method, ACK (usually called SYN-ACK-ACK) is sent from the client to the server. At this point, both the client and server have received an acknowledgment of the TCP connection.
13. Q: In which of the following scanning methods do Windows operating systems send only RST packets irrespective of whether the port is open or closed?
a. TCP FIN b. FTP bounce c. UDP port d. TCP SYN
Explanation: Answer option A is correct.
In the TCP FIN scanning method, Windows operating systems send only RST packets irrespective of whether the port is open or closed. TCP FIN scanning is a type of stealth scanning through which the attacker sends a FIN packet to the target port. If the port is closed, the victim assumes that this packet was sent mistakenly by the attacker and sends the RST packet to the attacker.
Q: Which of the following Nmap commands is used to perform a UDP port scan?
e. nmap -sU f. nmap -sS g. nmap -sF h. nmap -sN
The nmap -sU command is used to perform a UDP port scan.
Answer option B is incorrect. The nmap -sS command is used to perform stealth scanning.
Answer option C is incorrect. The nmap -sF command is used to perform FIN scanning.
Answer option D is incorrect. The nmap -sN command is used to perform TCP NULL port scanning.
14. Q: In which of the following scanning methods does an attacker send SYN packets and then a RST packet?
a. TCP FIN scan b. IDLE scan c. TCP SYN scan d. XMAS scan
Explanation: Answer option C is correct.
In a TCP SYN scan, an attacker sends SYN packets and then a RST packet. TCP SYN scanning is also known as half-open scanning because in this type of scanning, a full TCP connection is never opened. The steps of TCP SYN scanning are as follows:
1. The attacker sends a SYN packet to the target port.
2. If the port is open, the attacker receives the SYN/ACK message.
3. Now the attacker breaks the connection by sending an RST packet.
4. If the RST packet is received, it indicates that the port is closed.
Answer option D is incorrect. Xmas scanning is just the opposite of null scanning. In Xmas Tree scanning, multiple flags (at least FIN, URG and PSH) are turned on. If the target port is open, the service running on the target port discards the packets without any reply. According to RFC 793, if the port is closed, the remote system replies with the RST packet.
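The response rules for the ACK, SYN, NULL, FIN and XMAS scans described in the questions above, collected into one table-driven classifier plus a simple per-source detector over constructed firewall log records. This is an added example, not code from the study guide; the log records, addresses and the three-port threshold are constructed.

```python
# TCP flag bits (RFC 793 / RFC 3168).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combination each scan type discussed above puts in its probe packet.
PROBES = {"SYN": SYN, "ACK": ACK, "NULL": 0, "FIN": FIN, "XMAS": FIN | URG | PSH}


def identify_probe(flags):
    """Name of the scan type whose probe carries exactly these flags, else None."""
    for name, probe in PROBES.items():
        if flags == probe:
            return name
    return None


def interpret(scan, response, target_is_windows=False):
    """Port state a scanner infers from the target's reply.

    response is the reply's flag bitmask, or None when nothing came back."""
    if scan == "ACK":
        # An ACK scan only separates filtered from unfiltered: RST comes back from
        # both open and closed ports; silence means a stateful filter dropped it.
        return "unfiltered" if response is not None and response & RST else "filtered"
    if scan == "SYN":
        if response is None:
            return "filtered"
        if response & SYN and response & ACK:
            return "open"
        return "closed" if response & RST else "unknown"
    if scan in ("NULL", "FIN", "XMAS"):
        if target_is_windows:
            # Windows stacks answer RST regardless of state, so nothing can be inferred.
            return "unreliable"
        if response is None:
            return "open|filtered"
        return "closed" if response & RST else "unknown"
    raise ValueError(f"unknown scan type {scan!r}")


# Constructed firewall log records (src, dst, dport, flags of the first packet seen).
SAMPLE_LOG = [
    ("10.0.0.9", "10.0.0.50", 22, 0),                  # NULL probe
    ("10.0.0.9", "10.0.0.50", 80, 0),
    ("10.0.0.9", "10.0.0.50", 443, 0),
    ("10.0.0.9", "10.0.0.50", 8080, FIN | URG | PSH),  # XMAS probe
    ("10.0.0.21", "10.0.0.50", 443, SYN),              # ordinary connection attempt
    ("10.0.0.21", "10.0.0.50", 443, ACK),              # traffic on an established flow
    ("10.0.0.33", "10.0.0.50", 25, FIN),               # a single FIN: below the threshold
]


def stealth_scan_sources(log, min_ports=3):
    """Sources sending NULL/FIN/XMAS probes to at least min_ports distinct ports.

    A lone SYN or ACK looks like normal traffic without flow state, so SYN and ACK
    scans need a stateful detector; the abnormal flag combinations used by the
    stealth scans can be recognised packet by packet."""
    probed = {}
    for src, _dst, dport, flags in log:
        if identify_probe(flags) in ("NULL", "FIN", "XMAS"):
            probed.setdefault(src, set()).add(dport)
    return {src: sorted(ports) for src, ports in probed.items() if len(ports) >= min_ports}
```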
16. Q: In which of the following scanning methods does an attacker send the spoofed IP address to send a SYN packet to the target?
a. IDLE b. NULL c. TCP FIN d. XMAS
Explanation: Answer option A is correct. In the IDLE scan method, an attacker sends the spoofed IP address to send a SYN packet to the target. The IDLE scan is initiated with the IP address of a third party; hence, the scan is the only totally stealth scan. Since the IDLE scan uses the IP address of a third party, it becomes difficult to detect the hacker.
What is a sequence number?
A sequence number is a 32-bit number ranging from 1 to 4,294,967,295. When data is sent over the network, it is broken into fragments (packets) at the source and reassembled at the destination system. Each packet contains a sequence number that is used by the destination system to reassemble the data packets in the correct order. Each time a system boots, it has an initial sequence number (ISN), e.g. 1. After every second, the ISN is incremented by 128,000. When the system connects to another system and establishes a connection, the ISN is incremented by 64,000. For example, if a host has the ISN 1,254,332,454 and the host sends one SYN packet, the ISN value will be incremented by 1, i.e., the new ISN will be 1,254,332,455.
Conditions Increment in the ISN Value
Transfer of SYN packet 1
Transfer of FIN packet 1
Transfer of ACK packet 0
Transfer of SYN/ACK packet 1
Transfer of FIN/ACK packet 1
Passage of 1 second 128,000
Establishment of one connection 64,000
17. Q: Which of the following scanning methods is most accurate and reliable, although it is easily detectable and hence avoided by a hacker?
a. TCP SYN/ACK b. TCP half-open c. TCP FIN d. Xmas Tree
Explanation: Answer option A is correct.
Although the TCP SYN/ACK connection method is most reliable, it can be easily detected. A hacker should avoid this scanning method.
Q: Which nmap switch have you used to retrieve as many different protocols as possible being used by the remote host?
e. nmap -sO f. nmap -vO g. nmap -sT h. nmap -sS
Explanation: Answer option E is correct.
The nmap -sO switch is used for IP protocol scanning. The IP protocol scan is used for searching additional IP protocols, such as ICMP, TCP, and UDP. It locates uncommon IP protocols that may be in use on a system.
Answer option F is incorrect. Nmap doesn't permit you to combine the verbose and OS scanning options. It produces this error:
Invalid argument to -v: "O"
Answer option G is incorrect. The nmap -sT switch is used to perform a TCP full scan.
Answer option D is incorrect. The nmap -sS is used to perform a TCP half scan. The attacker sends a SYN packet to the target port.
19. Q: Mark is performing a security assessment of a Web server. He wants to identify a cross-site scripting vulnerability also. Which of the following recommendations can Mark give to correct the vulnerability?
a. Inform the Web Administrator to validate all Web application data inputs before processing.
b. Inform Website users to ensure that cookies are transferred only over secure connections.
c. Disable ActiveX support within Web browsers.
d. Disable Java applet support within Web browsers.
Explanation: Answer option A is correct.
The best way to address cross-site scripting vulnerabilities is to validate data input. It will fix occurrences of cross-site scripting on ActiveX controls and Java applets that are downloaded to the client and any vulnerability located on server-side code within the application.
Answer option B is incorrect. Disabling cookies is not a countermeasure against cross-site scripting.
Answer options C and D are incorrect. XSS vulnerabilities can exist within downloaded Java applets or ActiveX controls, but these controls are executed on the client and will not address the server-side cross-site scripting vulnerability.
Q: Which of the following are packet capturing tools?
Each correct answer represents a complete solution. Choose all that apply.
a. Aero peek b. Cain c. Wireshark d. Aircrack-ng
Explanation: Answer options A, B, and C are correct.
Q: Which of the following is a type of stealth scanning through which the attacker sends a FIN packet to the target port?
a. TCP FIN scanning b. TCP FTP proxy scanning c. UDP port scanning d. TCP SYN scanning
Explanation: Answer option A is correct. Port scanning is the process by which an attacker connects to TCP and UDP ports to find the services and applications running on the target system. In port scanning, data packets are sent to a port to gather information about it. The following are
Q: You are sending a file to an FTP server. The file will be broken into several pieces of information packets (segments) and will be sent to the server. The file will again be reassembled and reconstructed once the packets reach the FTP server. Which of the following information should be used to maintain the correct order of information packets during the reconstruction of the file?
e. Sequence number f. Acknowledge number g. Checksum h. TTL
Explanation: Answer option A is correct.
29. Q: John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.secure.com. He performs a Teardrop attack on the we-are-secure server and observes that the server has crashed. Which of the following is the most likely cause of this?
a. The we-are-secure server cannot handle the overlapping data fragments.
b. Ping requests at the server are too high.
c. The ICMP packet is larger than 65,536 bytes.
d. The spoofed TCP SYN packet containing the IP address of the target is filled in both the source and destination fields.
Explanation: Answer option A is correct.
In such a situation, while performing a Teardrop attack, John sends a series of data packets with overlapping offset field values to the we-are-secure server. As a result, the server is unable to reassemble these packets and is forced to crash, hang, or reboot.
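The overlapping-offset condition that Teardrop relies on, checked the way a reassembly engine or IDS can check it before accepting a datagram. This is an added Python example, not code from the study guide; the fragment sets are constructed, with offsets already converted from the IP header's 8-byte units to bytes.

```python
def offset_bytes(fragment_offset_field):
    """The IP header stores the fragment offset in 8-byte units."""
    return fragment_offset_field * 8


def fragment_overlaps(fragments):
    """Index pairs (i, j) of fragments whose payload byte ranges overlap.

    fragments: iterable of (offset_in_bytes, length_in_bytes) for one datagram.
    An exact duplicate (same offset and length, e.g. a retransmission) is not
    reported; only partial or nested overlaps, which a normal sender never emits."""
    spans = sorted((off, off + ln, i) for i, (off, ln) in enumerate(fragments))
    found = []
    for a, (start_a, end_a, i) in enumerate(spans):
        for start_b, end_b, j in spans[a + 1:]:
            if start_b >= end_a:
                break  # spans are sorted by start, so later ones cannot overlap this one
            if (start_b, end_b) != (start_a, end_a):
                found.append((min(i, j), max(i, j)))
    return found


def should_drop_datagram(fragments):
    """Reassembly policy: refuse the whole datagram when fragments overlap, instead
    of letting a later fragment overwrite or truncate an earlier one."""
    return bool(fragment_overlaps(fragments))


# Constructed fragment sets (offset and length in bytes), not captured traffic.
NORMAL = [(0, 1480), (1480, 1480), (2960, 500)]
RETRANSMIT = [(0, 1480), (0, 1480), (1480, 200)]
TEARDROP = [(0, 36), (24, 36)]  # second fragment claims bytes the first already covers
```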
Q: Which of the following techniques uses a modem in order to automatically scan a list of telephone numbers?
e. War dialing f. Warchalking g. War driving h. Warkitting
Explanation: Answer option A is correct. War dialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, BBS systems, and fax machines. Hackers use the resulting lists for various purposes, hobbyists for exploration, and crackers (hackers that specialize in computer security) for password guessing.
Answer option B is incorrect. Warchalking is the drawing of symbols in public places to advertise an open Wi-Fi wireless network. Having found a Wi-Fi node, the warchalker draws a special symbol on a nearby object, such as a wall, the pavement, or a lamp post. The name warchalking is derived from the cracker terms war dialing and war driving.
Q: You work as a Database Manager for uCertify Inc. Due to a lot of pending work, you decide to install remote control software on your desktop at work, so that you can work from anywhere in the organization. After installing the remote desktop connection, you connect a modem to a fax line that is not being used yet. As you have no authentication to configure a password for host connection of the remote connection, the remote connection is open for anyone to connect to the remotely controlled host system. Which of the following types of attacks can be performed by an attacker on the remote connection?
i. War dialing j. Warchalking k. War driving l. Zero-day
Explanation: Answer option A is correct.
Q: John works as a contract Ethical Hacker. He has recently got a project to do security checking for www.we-are-secure.com. He wants to find out the operating system of the we-are-secure server in the information gathering step. Which of the following commands will he use to accomplish the task? Each correct answer represents a complete solution. Choose two.
m. nmap -v -O 208.100.2.25 n. nc -v -n 208.100.2.25 80 o. nc 208.100.2.25 23 p. nmap -v -O www.we-are-secure.com
Explanation: Answer options A and D are correct.
According to the scenario, John will use "nmap -v -O 208.100.2.25" to detect the operating system of the we-are-secure server. Here, -v is used for verbose and -O is used for TCP/IP fingerprinting to guess the remote operating system. John may also use the DNS name of we-are-secure instead of using the IP address of the we-are-secure server. So, he can also use the nmap command "nmap -v -O www.we-are-secure.com".
Each correct answer represents a complete solution. Choose all that apply.
a. ICMP error message quoting b. Sniffing and analyzing packets c. Sending FIN packets to open ports on the remote system d. Analyzing email headers
Explanation: Answer options B and D are correct.
Sniffing and analyzing packets and analyzing email headers are some of the techniques used to perform passive OS fingerprinting.
What is email header passive OS fingerprinting?
Email header passive OS fingerprinting is a method by which an attacker can use the email header for remote OS detection. The email header is analyzed to get information about the remote OS. Email headers usually give information about the mail daemon of a remote computer. Since a specific mail daemon is usually used for a particular OS, an attacker can easily guess the OS of the remote computer with the help of the mail daemon information.
Answer options A and D are incorrect. ICMP error message quoting and sending FIN packets to open ports on the remote system are some of the techniques used to perform active OS
fingerprinting.
29. Q: You have received a file named new.com in your email as an attachment. When you execute this file in your laptop, you get the following message:
'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!'
When you open the file in Notepad, you get the following string:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
What step will you take as a countermeasure against this attack?
a. Clean up your laptop with antivirus. b. Do nothing. c. Traverse to all of your drives, search new.com files, and delete them. d. Immediately shut down your laptop.
When you get the new.com file and execute it, the following error message is displayed: 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!'
This indicates it might be the EICAR virus, which is a test virus to check whether an antivirus is working or not. The EICAR (EICAR Standard Anti-Virus Test File) virus is a file that is used to test the response of computer antivirus (AV) programs. The rationale behind it is to allow people, companies, and antivirus programmers to test their software without having to use a real computer virus that could cause actual damage should the antivirus not respond correctly.
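The recognition rule for the EICAR test file, written as the check an antivirus engine applies: the 68-byte string from the question must sit at the start of the file, may be followed only by whitespace, and the whole file must not exceed 128 bytes. This is an added Python example, not code from the study guide; the sample file set is constructed.

```python
# The 68-byte EICAR test string shown in the question above (raw bytes: note the backslash).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Whitespace the EICAR definition allows after the string: space, tab, LF, CR, Ctrl-Z.
ALLOWED_TRAILER = b" \t\n\r\x1a"
MAX_LEN = 128


def is_eicar(data):
    """True when data is the EICAR test file as a scanner is expected to recognise it:
    the 68-byte string at offset 0, optionally followed only by allowed whitespace,
    whole file no longer than 128 bytes."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_TRAILER for b in data[len(EICAR):])


def scan_files(files):
    """files: mapping of file name to content bytes. Returns the sorted names that match."""
    return sorted(name for name, content in files.items() if is_eicar(content))


# Constructed sample files, not taken from any real system.
SAMPLE_FILES = {
    "new.com": EICAR,
    "new_crlf.com": EICAR + b"\r\n",
    "readme.txt": b"nothing to see here\n",
    "embedded.bin": b"MZ" + EICAR,              # string present but not at offset 0
    "padded.com": EICAR + b"\n" + b" " * 100,   # 169 bytes: longer than the 128-byte limit
}
```

A match here is the expected reaction of a working scanner to the test file, which is the point of the question: the file exercises the antivirus, it does not harm the host.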
30. Q: TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote operating system (OS fingerprinting), or incorporated into a device fingerprint. Which of the following Nmap switches can be used to perform TCP/IP stack fingerprinting?
a. nmap -O -p b. nmap -sU -p c. nmap -sS d. nmap -sT
Explanation: Answer option A is correct.
Q: Which of the following tools allow you to perform HTTP tunneling? Each correct answer represents a complete solution. Choose all that apply.
e. HTTPort f. Tunneled g. BackStealth h. Nikto
Explanation: Answer options A, B, and C are correct.
The HTTPort, Tunneled, and BackStealth tools are used to perform HTTP tunneling.
Answer option D is incorrect. Nikto is a Web scanner.