Question: 101
Bob is acknowledged as a hacker of repute and is popular among visitors of
"underground" sites.
Bob is willing to share his knowledge with those who are willing to learn,
and many have expressed
their interest in learning from him. However, this knowledge has a risk
associated with it, as it can be used for malevolent attacks as well.
In this context, what would be the most effective method to bridge the
knowledge gap between the "black" hats or crackers and the "white" hats
or computer security professionals? (Choose the best answer.)
A. Educate everyone with books, articles and training on risk analysis, vulnerabilities
and safeguards.
B. Hire more computer security monitoring personnel to monitor computer systems
and networks.
C. Make obtaining either a computer security certification or
accreditation easier to achieve so more individuals feel that they are a part of
something larger than life.
D. Train more National Guard and reservists in the art of computer security
to help out in times of emergency or crises.
Answer: A
Explanation:
Question: 102
Peter extracts the SIDs list from a Windows 2000 Server machine using the hacking
tool "SIDExtractor". Here is the output of the SIDs:
From the above list identify the user account with System Administrator
privileges.
A. John
B. Rebecca
C. Sheela
D. Shawn
E. Somia
F. Chang
G. Micah
Answer: F
Explanation:
Question: 103
Which address translation scheme would allow a single public IP address to
always correspond to a single machine on an internal network, allowing
"server publishing"?
A. Overloading Port Address Translation
B. Dynamic Port Address Translation
C. Dynamic Network Address Translation
D. Static Network Address Translation
Answer: D
Explanation:
Question: 104
What is the following command used for?
net use \\target\ipc$ "" /u:""
A. Grabbing the etc/passwd file
B. Grabbing the SAM
C. Connecting to a Linux computer through Samba.
D. This command is used to connect as a null session
E. Enumeration of Cisco routers
Answer: D
Explanation:
Question: 105
What is the proper response for a NULL scan if the port is closed?
A. SYN
B. ACK
C. FIN
D. PSH
E. RST
F. No response
Answer: E
Explanation:
Question: 106
One of your team members has asked you to analyze the following SOA
record.
What is the TTL? [Link] [Link] [Link] (200302028 3600
3600 604800 2400.)
A. 200303028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800
Answer: D
Explanation:
Question: 107
One of your team members has asked you to analyze the following SOA
record. What is the version? [Link] [Link]
[Link] (200302028 3600 3600 604800 2400.) (Choose four.)
A. 200303028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800
Answer: A
Explanation:
Question: 108
MX record priority increases as the number increases. (True/False.)
A. True
B. False
Answer: B
Explanation:
Question: 109
Which of the following tools can be used to perform a zone transfer?
A. NSLookup
B. Finger
C. Dig
D. Sam Spade
E. Host
F. Netcat
G. Neotrace
Answer: A,C,D,E
Explanation:
Question: 110
Under what conditions does a secondary name server request a zone
transfer from a primary name server?
A. When a primary SOA is higher than a secondary SOA
B. When a secondary SOA is higher than a primary SOA
C. When a primary name server has had its service restarted
D. When a secondary name server has had its service restarted
E. When the TTL falls to zero
Answer: A
Explanation:
Question: 111
What ports should be blocked on the firewall to prevent NetBIOS traffic
from coming through the firewall if your network is comprised of
Windows NT, 2000, and XP?
A. 110
B. 135
C. 139
D. 161
E. 445
F. 1024
Answer: B,C,E
Explanation:
Question: 112
What is a NULL scan?
A. A scan in which all flags are turned off
B. A scan in which certain flags are off
C. A scan in which all flags are on
D. A scan in which the packet size is set to zero
E. A scan with an illegal packet size
Answer: A
Explanation:
Question: 113
What is the proper response for a NULL scan if the port is open?
A. SYN
B. ACK
C. FIN
D. PSH
E. RST
F. No response
Answer: F
Explanation:
Question: 114
Which of the following statements about a zone transfer is correct?
(Choose three.)
A. A zone transfer is accomplished with the DNS
B. A zone transfer is accomplished with the nslookup service
C. A zone transfer passes all zone information that a DNS server maintains
D. A zone transfer passes all zone information that a nslookup server maintains
E. A zone transfer can be prevented by blocking all inbound TCP port 53
connections
F. Zone transfers cannot occur on the Internet
Answer: A,C,E
Explanation:
Question: 115
You have the SOA presented below in your Zone.
Your secondary servers have not been able to contact your primary
server to synchronize information. How long will the secondary servers
attempt to contact the primary server before they consider the zone
dead and stop responding to queries?
[Link], [Link] [Link]. (200302028 3600 3600
604800 3600)
A. One day
B. One hour
C. One week
D. One month
Answer: C
Explanation:
Question: 116
Tess King is using the nslookup command to craft queries to list all DNS
information (such as Name Servers, host names, MX records, CNAME
records, glue records (delegation for child Domains), zone serial number,
TimeToLive (TTL) records, etc.) for a Domain.
What do you think Tess King is trying to accomplish? Select the best answer.
A. A zone harvesting
B. A zone transfer
C. A zone update
D. A zone estimate
Answer: B
Explanation:
Question: 117
A zone file consists of which of the following Resource Records (RRs)?
A. DNS, NS, AXFR, and MX records
B. DNS, NS, PTR, and MX records
C. SOA, NS, AXFR, and MX records
D. SOA, NS, A, and MX records
Answer: D
Explanation:
Question: 118
Let's imagine three companies (A, B and C), all competing in a challenging
global environment. Company A and B are working together in
developing a product that will generate a major competitive advantage
for them. Company A has a secure DNS server while company B has a
DNS server vulnerable to spoofing. With a spoofing attack on the DNS
server of company B, company C gains access to outgoing e-mails from
company B. How do you prevent DNS spoofing?
A. Install DNS logger and track vulnerable packets
B. Disable DNS timeouts
C. Install DNS Anti-spoofing
D. Disable DNS Zone Transfer
Answer: C
Explanation:
Question: 119
Which DNS resource record can indicate how long any "DNS poisoning"
could last?
A. MX
B. SOA
C. NS
D. TIMEOUT
Answer: B
Explanation:
Question: 120
Joseph was the Web site administrator for Mason Insurance in New
York, whose main Web site was located at [Link]. Joseph uses
his laptop computer regularly to administer the Web site. One night, Joseph
received an urgent phone call from his friend, Smith. According to Smith, the
main Mason Insurance web site had been vandalized! All of its normal
content was removed and replaced with an attacker's message "Hacker
Message: You are dead! Freaks!" From his office, which was directly
connected to Mason Insurance's internal network, Joseph surfed to the Web
site using his laptop. In his browser, the Web site looked completely intact.
No changes were apparent. Joseph called a friend of his at his home to help
troubleshoot the problem. The Web site appeared defaced when his friend
visited using his DSL connection. So, while Smith and his friend could see
the defaced page, Joseph saw the intact Mason Insurance web site. To help
make sense of this problem, Joseph decided to access the Web site using
his dial-up ISP. He disconnected his laptop from the corporate internal
network and used his modem to dial up the same ISP used by Smith. After
his modem connected, he quickly typed [Link] in his browser
to reveal the following web page:
After seeing the defaced Web site, he disconnected his dial-up line,
reconnected to the internal network, and used Secure Shell (SSH) to log in
directly to the Web server. He ran Tripwire against the entire Web site, and
determined that every system file and all the Web content on the server
were intact. How did the attacker accomplish this hack?
A. ARP spoofing
B. SQL injection
C. DNS poisoning
D. Routing table injection
Answer: C
Explanation:
Question: 121
Which of the following tools are used for enumeration? (Choose three.)
A. SolarWinds
B. USER2SID
C. Cheops
D. SID2USER
E. DumpSec
Answer: B,D,E
Explanation:
Question: 122
What did the following commands determine?
A. That the Joe account has a SID of 500
B. These commands demonstrate that the guest account has NOT been
disabled
C. These commands demonstrate that the guest account has been disabled
D. That the true administrator is Joe
E. Issued alone, these commands prove nothing
Answer: D
Explanation:
Question: 123
Which definition among those given below best describes a covert
channel?
A. A server program using a port that is not well known.
B. Making use of a protocol in a way it is not intended to be used.
C. It is the multiplexing taking place on a communication link.
D. It is one of the weak channels used by WEP which makes it insecure
Answer: B
Explanation:
Question: 124
Susan has attached to her company's network. She has managed to
synchronize her boss's sessions with that of the file server. She then
intercepted his traffic destined for the server, changed it the way she
wanted to and then placed it on the server in his home directory.
What kind of attack is Susan carrying on?
A. A sniffing attack
B. A spoofing attack
C. A man in the middle attack
D. A denial of service attack
Answer: C
Explanation:
Question: 125
Eric has discovered a fantastic package of tools named Dsniff on the
Internet. He has learnt to use these tools in his lab and is now ready for real
world exploitation. He was able to effectively intercept communications
between the two entities and establish credentials with both sides of the
connections. The two remote ends of the communication never notice that
Eric is relaying the information between the two. What would you call this
attack?
A. Interceptor
B. Man-in-the-middle
C. ARP Proxy
D. Poisoning Attack
Answer: B
Explanation: