Guia Resuelta CEHv9 (CEHv9 Solved Guide)

Uploaded by Vik Palapa

The security administrator needs to permit certain internet and UDP traffic to specific hosts. However, after applying the ACL configuration, no one can access the FTP server and the permitted hosts cannot access the internet. The issue is that the first ACL is denying all TCP traffic and the other ACLs are being ignored.

The security administrator of ABC needs to permit Internet traffic from the host 10.0.0.2 and UDP traffic from the host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration on the router, nobody can access the FTP server and the permitted hosts cannot access the Internet. According to the following configuration, what is happening in the network?
access-list 102 deny tcp any any
access-list 104 permit udp host 10.0.0.3 any
access-list 110 permit tcp host 10.0.0.2 eq www any
access-list 108 permit tcp any eq ftp any

The ACL for FTP must be before the ACL 110

The ACL 110 needs to be changed to port 80

The ACL 104 needs to be first because it is UDP

The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router

When purchasing a biometric system, one of the considerations that should be reviewed is the processing speed. Which of the following best describes what is meant by processing?

The amount of time it takes to be either accepted or rejected from when an individual provides identification and authentication information.

How long it takes to setup individual user accounts

The amount of time it takes to convert biometric data into a template on a smart card

The amount of time and resources that are necessary to maintain a biometric system

Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within the suite provides different functionality. Collectively, IPSec does everything except:

Authenticate

Work at the Data Link Layer

Encrypt

Protect the payload and the headers


A hacker has successfully infected an internet-facing server which he will then use to
send junk mail, take part in coordinated attacks, or host junk email content.

Which sort of trojan infects this server?

Ransomware Trojans

Banking Trojans

Botnet Trojan

Turtle Trojans

John the Ripper is a technical assessment tool used to test the weakness of which of the following?

Passwords

File permissions

Firewall rulesets

Usernames

You are an Ethical Hacker who is auditing the ABC company. When you check the NOC, one of the machines has two connections, one wired and the other wireless. When you verify the configuration of its Windows system you find two static routes:

route add 10.0.0.0 mask 255.0.0.0 10.0.0.1
route add 0.0.0.0 mask 255.0.0.0 199.168.0.1

What is the main purpose of those static routes?

Both static routes indicate that the traffic is external, with different gateways

The first static route indicates that the internal traffic will use an external gateway and the second static route indicates that the traffic will be rerouted

The first static route indicates that the internal addresses are using the internal gateway and the second static route indicates that all the traffic that is not internal must go to an external gateway

Both static routes indicate that the traffic is internal, with different gateways

Which of these is capable of searching for and locating rogue access points?

HIDS

NIDS

WISS

WIPS

The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE’s
Common Vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the
OpenSSL implementation of the transport layer security (TLS) protocols defined in
RFC6520.

What type of key does this bug leave exposed to the Internet making exploitation of any
compromised system very easy?

Private

Shared

Public

Root

An attacker with access to the inside network of a small company launches a successful STP manipulation attack. What will he do next?

He will repeat the same attack against all L2 switches of the network.

He will create a SPAN entry on the spoofed root bridge and redirect traffic to his
computer.

He will repeat this action so that it escalates to a DoS attack.

He will activate OSPF on the spoofed root bridge.

........ is a set of extensions to DNS that provides DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack types.

Resource transfer

Zone transfer

Resource records

DNSSEC

Rebecca commonly sees an error on her Windows system that states that a Data Execution Prevention (DEP) error has taken place. Which of the following is most likely taking place?

Malicious code is attempting to execute an instruction in a non-executable memory region.

Malware is executing in either ROM or a cache memory area.

A page fault is occurring, which forces the operating system to write data from the hard drive

A race condition is being exploited, and the operating system is containing the malicious process

You're doing an internal security audit and you want to find out what ports are open on all the servers. What is the best way to find out?

Scan servers with Nmap

Scan servers with MBSA

Telnet to every port on each server

Physically go to each server


Bob learned that his username and password for a popular game have been compromised. He contacts the company and resets all the information. The company suggests he use two-factor authentication; which option below offers that?

Disable his username and use just a fingerprint scanner.

A fingerprint scanner and his username and password

A new username and password

His username and a stronger password

When analyzing the IDS logs, the system administrator noticed that an alert was logged when the external router was accessed from the administrator's computer to update the router configuration. What type of alert is this?

True negative

False positive

True positive

False negative

Which Intrusion Detection System is best applicable for large environments where critical assets on the network need extra scrutiny and is ideal for observing sensitive network segments?

Host-based intrusion detection system (HIDS)

Network-based intrusion detection system (NIDS)

Honeypots

Firewalls

Firewalk has just completed the second phase (the scanning phase) and a technician receives the output shown below. What conclusions can be drawn based on these scan results?

TCP port 21 – no response
TCP port 22 – no response
TCP port 23 – Time-to-live exceeded

The lack of response from ports 21 and 22 indicates that those services are not running on the destination server

The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of
the target host

The scan on port 23 passed through the filtering device. This indicates that port
23 was not blocked at the firewall

The scan on port 23 was able to make a connection to the destination host prompting the
firewall to respond with a TTL error

The company ABC recently discovered that their new product was released by a competitor before their premiere. They contracted an investigator, who discovered that the maid threw away papers with confidential information about the new product and the competitor found them in the garbage. What is the name of the technique used by the competitor?

Sniffing

Dumpster diving

Hack attack

Spying

A computer science student needs to fill some information into a secured Adobe PDF job application that was received from a prospective employer. Instead of requesting a new document that allowed the forms to be completed, the student decides to write a script that pulls passwords from a list of commonly used passwords to try against the secured PDF until the correct password is found or the list is exhausted. Which cryptography attack is the student attempting?

Dictionary attack

Brute-force attack

Man-in-the-middle attack

Session hijacking

An attacker is trying to redirect the traffic of a small office. That office is using its own mail server, DNS server and NTP server because of the importance of its work. The attacker gains access to the DNS server and redirects the address www.google.com to his own IP address. Now when the employees of the office want to go to Google they are being redirected to the attacker's machine. What is the name of this kind of attack?

DNS spoofing

MAC Flooding

ARP Poisoning

Smurf Attack

An attacker changes the profile information of a particular user (victim) on the target website. The attacker uses this string to update the victim's profile to a text file and then submit the data to the attacker's database.

<iframe src="http://www.vulnweb.com/updateif.php" style="display:none"></iframe>

What is this type of attack (that can use either HTTP GET or HTTP POST) called?

Browser Hacking

Cross-Site Request Forgery

SQL Injection

Cross-Site Scripting

A penetration tester is conducting a port scan on a specific host. The tester found several open ports that were confusing when trying to conclude the Operating System (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS?

Starting NMAP 5.21 at 2011-03-15 11:06
NMAP scan report for 172.16.40.65
Host is up (1.00s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
515/tcp open
631/tcp open ipp
9100/tcp open
MAC Address: 00:00:48:0D:EE:8

The host is likely a router.

The host is likely a Windows machine.

The host is likely a printer.

The host is likely a Linux machine.

The establishment of a TCP connection involves a negotiation called the 3-way handshake. What type of message does the client send to the server in order to begin this negotiation?

RST

ACK

SYN

SYN-ACK

Which of the following will perform an Xmas scan using NMAP?

nmap -sP 192.168.1.254

nmap -sA 192.168.1.254

nmap -sX 192.168.1.254

nmap -sV 192.168.1.254


A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application.

What kind of Web application vulnerability likely exists in their software?

Cross-site scripting vulnerability

SQL injection vulnerability

Cross-site Request Forgery vulnerability

Session management vulnerability


Craig received a report of all the computers on the network that showed all the missing patches
and weak passwords. What type of software generated this report?

A vulnerability scanner

A virus scanner

A malware scanner

A port scanner

A newly discovered flaw in a software application would be considered which kind of security vulnerability?

Input validation flaw

HTTP header injection vulnerability

Time-to-check to time-to-use flaw

0-day vulnerability

What is the way to decide how a packet will move from an untrusted outside host to a protected inside host that is behind a firewall, which permits the hacker to determine which ports are open and if the packets can pass through the packet filtering of the firewall?

Session hijacking

Network sniffing

Firewalking

Man-in-the-middle attack

A regional bank hires your company to perform a security assessment on their network
after a recent data breach. The attacker was able to steal financial data from the bank by
compromising only a single server.
Based on this information, what should be one of your key recommendations to the bank?

Place a front-end web server in a demilitarized zone that only handles external web traffic

Issue new certificates to the web servers from the root certificate authority

Require all employees to change their anti-virus program with a new one.

Move the financial data to another server on the same IP subnet


Jesse receives an email with an attachment labeled “Court_Notice_21206.zip”. Inside the zip file is a file named “Court_Notice_21206.docx.exe” disguised as a Word document. Upon execution, a window appears stating, “This word document is corrupt.” In the background, the file copies itself to Jesse's APPDATA\local directory and begins to beacon to a C2 server to download additional malicious binaries.

What type of malware has Jesse encountered?

Key-Logger

Macro Virus

Trojan

Worm

Eve stole a file named secret.txt, transferred it to her computer and she just entered these
commands:

[eve@localhost ~]$ john secret.txt
Loaded 2 password hashes with no different salts (LM [DES 128/128 SSE2-16])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03 3/3 0g/s 86168p/s 86168c/s 172336C/s MERO..SAMPLUI
0g 0:00:00:04 3/3 0g/s 3296Kp/s 3296Kc/s 6592KC/s GOS..KARIS4
0g 0:00:00:07 3/3 0g/s 8154Kp/s 8154Kc/s 16309KC/s NY180K..NY1837
0g 0:00:00:10 3/3 0g/s 7958Kp/s 7958Kc/s 15917KC/s SHAGRN..SHENY9

What is she trying to achieve?

She is encrypting the file.

She is using John the Ripper to crack the passwords in the secret.txt file.

She is using John the Ripper to view the contents of the file.

She is using ftp to transfer the file to another hacker named John.

Seth is starting a penetration test from inside the network. He hasn't been given any information about the network. What type of test is he conducting?

External, Blackbox

Internal, Whitebox

External, Whitebox

Internal, Blackbox

Shellshock had the potential for an unauthorized user to gain access to a server. It affected many internet-facing services; which OS did it not directly affect?

Windows

Unix

OS X

Linux

Websites and web portals that provide web services commonly use the Simple Object Access Protocol (SOAP). Which of the following is an incorrect definition or characteristic of the protocol?

Based on XML

Exchanges data between web services

Provides a structured model for messaging

Only compatible with the application protocol HTTP


In IPv6 what is the major difference concerning application layer vulnerabilities compared to
IPv4?

Implementing IPv4 security in a dual-stack network offers protection from IPv6 attacks too.

Due to the extensive security measures built into IPv6, application layer vulnerabilities need not be addressed

Vulnerabilities in the application layer are greatly different from IPv4

Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation techniques are almost identical.

A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access point. The computer is able to transfer files locally to other machines, but cannot successfully reach the Internet. When the technician examines the IP address and default gateway they are both on 192.168.1.0/24. Which of the following has occurred?

The gateway is not routing to a public IP address

The computer is not using a private IP address

The gateway and the computer are not on the same network

The computer is using an invalid IP address


The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106:

Time:Mar 13 17:30:15 Port:20 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:17 Port:21 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:19 Port:22 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:21 Port:23 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:22 Port:25 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:23 Port:80 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:30 Port:443 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

What type of activity has been logged?

Teardrop attack targeting 192.168.1.106

Port scan targeting 192.168.1.103

Port scan targeting 192.168.1.106

Denial of service attack targeting 192.168.1.103


If executives are found liable for not properly protecting their company’s assets and information systems, what type of law would apply in this situation?

Civil

Criminal

Common

International

In 2007, this wireless security algorithm was rendered useless by capturing packets and discovering the passkey in a matter of seconds. This security flaw led to a network invasion of TJ Maxx and data theft through a technique known as wardriving.

Which Algorithm is this referring to?

Temporal Key Integrity Protocol (TKIP)

Wi-Fi Protected Access 2 (WPA2)

Wi-Fi Protected Access (WPA)

Wired Equivalent Privacy (WEP)

What mechanism in Windows prevents a user from accidentally executing a potentially malicious batch (.bat) or PowerShell (.ps1) script?

Windows firewall

Data Execution Prevention (DEP)

Address Space Layout Randomization (ASLR)

User Access Control (UAC)

Emil uses nmap to scan two hosts using this command:

nmap -sS -T4 -O 192.168.99.1 192.168.99.7

He receives this output:

Nmap scan report for 192.168.99.1
Host is up (0.00082s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
53/tcp open domain
80/tcp open http
161/tcp closed snmp
MAC Address: B0:75:D5:33:57:74 (ZTE)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

Nmap scan report for 192.168.99.7
Host is up (0.000047s latency).
All 1000 scanned ports on 192.168.99.7 are closed
Too many fingerprints match this host to give specific OS details
Network Distance: 0 hops

What is his conclusion?

Host 192.168.99.1 is the host that he launched the scan from

Host 192.168.99.7 is an iPad.

He performed a SYN scan and OS scan on hosts 192.168.99.1 and 192.168.99.7

Host 192.168.99.7 is down


A large company intends to use Blackberry for corporate mobile phones and a security analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking attack method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the corporate network. What tool should the analyst use to perform a Blackjacking attack?

BBProxy

Paros Proxy

Blooover

BBCrack

What attack is used to crack passwords by using a precomputed table of hashed passwords?

Rainbow Table Attack

Dictionary Attack

Brute Force Attack

Hybrid Attack

An incident investigator asks to receive a copy of the event logs from all firewalls, proxy
servers, and Intrusion Detection Systems (IDS) on the network of an organization that has
experienced a possible breach of security. When the investigator attempts to correlate the
information in all of the logs, the sequence of many of the logged events do not match up.

What is the most likely cause?

The network devices are not all synchronized.

Proper chain of custody was not observed while collecting the logs.

The attacker altered or erased events from the logs.

The security breach was a false positive.

A bank stores and processes sensitive privacy information related to home loans.
However, auditing has never been enabled on the system. What is the first step that the
bank should take before enabling the audit feature?

Perform a vulnerability scan of the system

Perform a cost/benefit analysis of the audit feature

Determine the impact of enabling the audit feature

Allocate funds for staffing of audit log review


What is the correct process for the TCP three-way handshake connection establishment and connection termination?

Connection Establishment: SYN, SYN-ACK, ACK
Connection Termination: FIN, ACK-FIN, ACK

Connection Establishment: FIN, ACK-FIN, ACK
Connection Termination: SYN, SYN-ACK, ACK

Connection Establishment: ACK, ACK-SYN, SYN
Connection Termination: FIN, ACK-FIN, ACK

Connection Establishment: SYN, SYN-ACK, ACK
Connection Termination: ACK, ACK-SYN, SYN

A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of the files is a tarball, two are shell script files, and the third is a binary file named "nc." The FTP server's access logs show that the anonymous user account logged in to the server, uploaded the files, extracted the contents of the tarball and ran the script using a function provided by the FTP server's software. The ps command shows that the nc file is running as a process, and the netstat command shows the nc process is listening on a network port.

What kind of vulnerability must be present to make this remote attack possible?

File system permissions

Privilege escalation

Brute force login

Directory traversal

Which tier in the N-tier application architecture is responsible for moving and processing data between the tiers?

Logic tier

Data tier

Application Layer

Presentation tier

Cryptography is the practice and study of techniques for secure communication in the presence of third parties (called adversaries). More generally, it is about constructing and analyzing protocols that overcome the influence of adversaries and that are related to various aspects of information security such as data confidentiality, data integrity, authentication, and non-repudiation. Modern cryptography intersects the disciplines of mathematics, computer science, and electrical engineering. Applications of cryptography include ATM cards, computer passwords, and electronic commerce.

A basic example to understand how cryptography works is given below:

SECURE (plain text)
+1 (+1 = next letter; for example, the letter "T" is used for "S" to encrypt.)
TFDVSF (encrypted text)
+ = logic => Algorithm
1 = Factor => Key

Which of the following choices is true about cryptography?

Secure Sockets Layer (SSL) uses asymmetric encryption (public/private key pair) both to deliver the shared session key and to achieve a communication way.

Symmetric-key algorithms are a class of algorithms for cryptography that use different cryptographic keys for encryption of plaintext and decryption of ciphertext.

Public-key cryptography, also known as asymmetric cryptography: the public key is for decryption, the private key is for encryption.

The algorithm is not the secret; the key is the secret.

A large mobile telephony and data network operator has a data center that houses network elements. These are essentially large computers running on Linux. The perimeter of the data center is secured with firewalls and IPS systems. What is the best security policy concerning this setup?

The operator knows that attacks and down time are inevitable and should have a backup
site

As long as the physical access to the network elements is restricted, there is no need for
additional measures

There is no need for specific security measures on the network elements as long as firewalls and IPS systems exist.

Network elements must be hardened with user ids and strong passwords. Regular security tests and audits should be performed.

Which of the following security policies defines the use of VPN for gaining access to an internal corporate network?

Remote access policy

Information protection policy

Network security policy

Access control policy

Which service in a PKI will vouch for the identity of an individual or company ?

CR

CBC

KDC

CA

A tester has been hired to do a web application security test. The tester notices that the
site is dynamic and must make use of a back end database. In order for the tester to see if
SQL injection is possible, what is the first character that the tester should use to attempt
breaking a valid SQL request?

Exclamation mark

Semicolon

Single quote

Double quote

When you are testing a web application, it is very useful to employ a proxy tool to save every request and response. You can manually test every request and analyze the response to find vulnerabilities. You can test parameters and headers manually to get more precise results than if using web vulnerability scanners.

What proxy tool will help you find web vulnerabilities?

Proxychains

Maskgen

Burpsuite

Dimitry

A penetration test was done at a company. After the test, a report was written and given to the company's IT authorities. A section from the report is shown below:

• Access List should be written between VLANs.
• Port security should be enabled for the intranet.
• A security solution which filters data packets should be set between intranet (LAN) and DMZ.
• A WAF should be used in front of the web applications.

According to the section from the report, which of the following choices is true?

MAC Spoof attacks cannot be performed.

Possibility of SQL Injection attack is eliminated.

A stateful firewall can be used between intranet (LAN) and DMZ.

There is access control policy between VLANs.


An enterprise recently moved to a new office and the new neighborhood is a little risky. The CEO wants to monitor the physical perimeter and the entrance doors 24 hours. What is the best option to do this job?

Use an IDS in the entrance doors and install some of them near the corners

Install a CCTV with cameras pointing to the entrance doors and the street

Use fences in the entrance doors

Use lights in all the entrance doors and along the company's perimeter

In order to have anonymous Internet surfing, which of the following is the best choice?

Use Tor network with multi-node

Use shared WiFi

Use public VPN

Use SSL sites when entering personal information

Your next door neighbor, whom you do not get along with, is having issues with their network, so he yells to his spouse the network's SSID and password and you hear them both clearly. What do you do with this information?

Nothing, but suggest to him to change the network's SSID and password.

Only use his network when you have large downloads so you don't tax your own network.

Sell his SSID and password to friends that come to your house, so it doesn't slow down your network.

Log onto his network; after all, it's his fault that you can get in.

You want to do an ICMP scan on a remote computer using hping2. What is the proper syntax?

hping2 -i host.domain.com

hping2 -1 host.domain.com

hping2 --set-ICMP host.domain.com

hping2 host.domain.com

In many states sending spam is illegal. Thus, spammers have techniques to try and ensure that no one knows they sent the spam out to thousands of users at a time. Which of the following best describes what spammers use to hide the origin of these types of e-mails?

Tools that will reconfigure a mail server’s relay component to send the e-mail back to the spammers occasionally.

Mail relaying, which is a technique of bouncing e-mail from internal to external mail servers continuously.

A blacklist of companies that have their mail server relays configured to be wide open.

A blacklist of companies that have their mail server relays configured to allow traffic only to their specific domain name.

........ is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications. It is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider. This type of attack may be used to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there.

Fill in the blank with the appropriate choice.

Sinkhole Attack

Evil Twin Attack

Signal Jamming Attack

Collision Attack

What is the role of test automation in security testing?

It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace manual testing completely.

It should be used exclusively. Manual testing is outdated because of low speed and possible test setup inconsistencies

It is an option but it tends to be very expensive

Test automation is not usable in security due to the complexity of the tests

What is correct about digital signatures?

A digital signature cannot be moved from one signed document to another because it is a
plain hash of the document content.

A digital signature cannot be moved from one signed document to another because it is
the hash of the original document encrypted with the private key of the signing party.

Digital signatures are issued once for each user and can be used everywhere until they ex-
pire.

Digital signatures may be used in different documents of the same type.

An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com", the user is directed to a phishing site.

Which file does the attacker need to modify?

Hosts

Sudoers

Boot.ini

Networks

Scenario:
1. Victim opens the attacker's web site.
2. Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make $1000 in a day?'.
3. Victim clicks the interesting and attractive content URL.
4. Attacker creates a transparent 'iframe' in front of the URL which the victim attempts to click, so the victim thinks that he/she clicks the 'Do you want to make $1000 in a day?' URL but actually he/she clicks the content or URL that exists in the transparent 'iframe' which is set up by the attacker.

What is the name of the attack which is mentioned in the scenario?

Session Fixation

HTTP Parameter Pollution

HTML Injection

ClickJacking Attack

What network security concept requires multiple layers of security controls to be placed
through out an IT infrastructure, which improves the security posture of an organization
to defend against malicious attacks or potential vulnerabilities?

Defense in depth

Security through obscurity

Network-Based Intrusion Detection System

Host-Based Intrusion Detection System

A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much information can be obtained from the firm's public-facing web servers. The engineer decides to start by using netcat to port 80. The engineer receives this output:

HTTP/1.1 200 OK
Server: Microsoft-IIS/6
Expires: Tue, 17 Jan 2011 01:41:33 GMT
Date: Mon, 16 Jan 2011 01:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369

Which of the following is an example of what the engineer performed?

SQL injection

Banner grabbing

Whois database query

Cross-site scripting

Which of the following Nmap commands will produce the following output?

Output:

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-26 12:50 EDT
Nmap scan report for 192.168.1.1
Host is up (0.00042s latency).
Not shown: 65530 open|filtered ports, 65529 filtered ports
PORT STATE SERVICE
111/tcp open rpcbind
999/tcp open garcon
1017/tcp open unknown
1021/tcp open exp1
1023/tcp open netvenuechat
2049/tcp open nfs
17501/tcp open unknown
111/udp open rpcbind
123/udp open ntp
137/udp open netbios-ns
2049/udp open nfs
5353/udp open zeroconf
17501/udp open|filtered unknown
51857/udp open|filtered unknown
54358/udp open|filtered unknown
56228/udp open|filtered unknown
57598/udp open|filtered unknown
59488/udp open|filtered unknown
60027/udp open|filtered unknown

nmap -sT -sX -Pn -p 1-65535 192.168.1.1

nmap -sS -sU -Pn -p 1-65535 192.168.1.1

nmap -sN -Ps -T4 192.168.1.1

nmap -sS -Pn 192.168.1.1

A security analyst is performing an audit on the network to determine if there are any deviations from the security policies in place. The analyst discovers that a user from the IT department had a dial-out modem installed. Which security policy must the security analyst check to see if dial-out modems are allowed?

Firewall-management policy

Remote-access policy

Permissive policy

Acceptable-use policy

Which of the following programming languages is most susceptible to buffer overflow attacks, due to its lack of a built-in bounds checking mechanism?

Code:
#include <string.h>
int main(){
    char buffer[8];
    /* copies a string far longer than the 8-byte buffer; strcpy performs no bounds check */
    strcpy(buffer,"11111111111111111111111111111");
}
Output:
Segmentation fault

Python

Java

C#

C++

The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192. In the network the servers are at the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124.
An attacker is trying to find those servers but he cannot see them in his scanning. The command he is using is:
nmap 192.168.1.64/28
Why can't he see the servers?

He needs to add the command "ip address" just before the IP address

He needs to change the address to 192.168.1.0 with the same mask

The network must be down and the nmap command and IP address are ok

He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that range

Which of the following incident handling process phases is responsible for defining rules, collaborating human workforce, creating a back-up plan, and testing the plans for an organization?

Containment phase

Recovery phase

Preparation phase

Identification phase

What two conditions must a digital signature meet?

Has to be unforgeable, and has to be authentic.

Must be unique and have special characters.

Has to be the same number of characters as a physical signature and must be unique.

Has to be legible and neat.

Which of the following programs is usually targeted at Microsoft Office products?

Macro virus

Polymorphic virus

Multipart virus

Stealth virus

Ricardo wants to send secret messages to a competitor company. To secure these messages, he uses a technique of hiding a secret message within an ordinary message. The technique provides 'security through obscurity'.

What technique is Ricardo using?

RSA algorithm

Encryption

Public-key cryptography

Steganography

Sophia travels a lot and worries that her laptop containing confidential documents might be stolen. What is the best protection that will work for her?

BIOS password

Password protected files

Hidden folders

Full disk encryption


What does a firewall check to prevent particular ports and applications from getting packets into
an organization?

Transport layer port numbers and application layer headers

Network layer headers and the session layer port numbers

Application layer port numbers and the transport layer headers


Presentation layer headers and the session layer port numbers

As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing.
What document describes the specifics of the testing, the associated violations, and essentially protects both the organization's interest and your liabilities as a tester?

Non-Disclosure Agreement

Service Level Agreement

Project Scope

Which system consists of a publicly available set of databases that contain domain
name registration contact information?

IETF

WHOIS

CAPTCHA

IANA

Which results will be returned with the following Google search query? site:target.com -site:Marketing.target.com accounting

Results matching all words in the query

Results from matches on the site marketing.target.com that are in the domain target.com
but do not include the word accounting

Results matching “accounting” in domain target.com but not on the site Marketing.target.com

Results for matches on target.com and Marketing.target.com that include the word “accounting”

#!/usr/bin/python
# Python 2 syntax (print statement, str payloads)
import socket
# build a list of payloads of increasing length: "A", 50 x "A", 100 x "A", ... up to 100 entries
buffer=["A"]
counter=50
while len(buffer) <= 100:
    buffer.append("A"*counter)
    counter=counter+50
commands=["HELP","STATS .","RTIME .","LTIME .","SRUN .","TRUN .","GMON .","GDOG .","KSTET .","GTER .","HTER .","LTER .","KSTAN ."]
# send every payload length to every command and watch for the service to crash
for command in commands:
    for buffstring in buffer:
        print "Exploiting " +command +":"+str(len(buffstring))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('127.0.0.1', 9999))
        s.recv(50)
        s.send(command + buffstring)
        s.close()

What is the code written for?

Buffer Overflow

Encryption

Denial-of-service (DoS)

Bruteforce

Which of the following areas is considered a strength of symmetric key cryptography when compared with asymmetric algorithms?

Key distribution

Speed

Scalability

Security

What is not a PCI compliance recommendation?

Use a firewall between the public network and the payment card data

Use encryption to protect all transmission of card holder data over any public
network.

Rotate employees handling credit card transactions on a yearly basis to different departments.

Limit access to card holder data to as few individuals as possible.


Which of the following is considered an exploit framework and has the ability to perform automated attacks on services, ports, applications and unpatched security flaws in a computer system?

Wireshark

Maltego

Nessus

Metasploit

What type of OS fingerprinting technique sends specially crafted packets to the remote
OS and analyzes the received response?

Active

Passive

Reflective

Distributive

In cryptanalysis and computer security, 'pass the hash' is a hacking technique that allows an attacker to authenticate to a remote server/service by using the underlying NTLM and/or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case.
Metasploit Framework has a module for this technique: psexec. The psexec module is often used by penetration testers to obtain access to a given system for which you already know the credentials. It was written by Sysinternals and has been integrated within the framework. Often, penetration testers successfully gain access to a system through some exploit, use meterpreter to grab the passwords or other methods like fgdump, pwdump, or cachedump, and then utilize rainbow tables to crack those hash values.
Which of the following is the correct hash type and order used in the psexec module's 'smbpass' option?

LM:NTLM

NTLM:LM

NT:LM

LM:NT

Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run?

Stealth virus

Cavity virus

Polymorphic virus

Tunneling virus

A well-intentioned researcher discovers a vulnerability on the web site of a major corporation.

What should he do?

Exploit the vulnerability without harming the web site owner so that attention be drawn to
the problem.

Notify the web site owner so that corrective action be taken as soon as possible
to patch the vulnerability.

Try to sell the information to a well-paying party on the dark web.

Ignore it.

There are several ways to gain insight on how a cryptosystem works with the goal of reverse engineering the process. What term describes when two pieces of data result in the same value?

Collusion

Escrow

Collision

Polymorphism

The company ABC recently contracted a new accountant. The accountant will be working with the financial statements. Those financial statements need to be approved by the CFO and then they will be sent to the accountant, but the CFO is worried because he wants to be sure that the information sent to the accountant was not modified once he approved it. Which of the following options can be useful to ensure the integrity of the data?

The financial statements can be sent twice, one by email and the other delivered on USB, and the accountant can compare both to be sure it is the same document

The CFO can use a hash algorithm on the document once he approved the financial statements

The document can be sent to the accountant using an exclusive USB for that document

The CFO can use an Excel file with a password

A new wireless client is configured to join a 802.11 network. This client uses the same
hardware and software as many of the other clients on the network. The client can see the
network, but cannot connect. A wireless packet sniffer shows that the Wireless Access
Point (WAP) is not responding to the association requests being sent by the wireless
client.

What is a possible source of this problem?

The WAP does not recognize the client’s MAC address

The wireless client is not configured to use DHCP

The client cannot see the SSID of the wireless network

Client is configured for the wrong channel

Which type of security feature stops vehicles from crashing through the doors of a building?

Turnstile

Mantrap

Receptionist

Bollards
It is a regulation that has a set of guidelines, which should be adhered to by anyone who
handles any electronic medical data. These guidelines stipulate that all medical practices
must ensure that all necessary measures are in place while saving, accessing, and sharing
any electronic medical data to keep patient data secure.

Which of the following regulations best matches the description?

COBIT

FISMA

HIPAA

ISO/IEC 27002

Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library? This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.

Heartbleed Bug

POODLE

Shellshock

SSL/TLS Renegotiation Vulnerability

In an internal security audit, the white hat hacker gains control over a user account and attempts to acquire access to another account's confidential files and information. How can he achieve this?

Shoulder-Surfing

Hacking Active Directory

Privilege Escalation

Port Scanning

As an Ethical Hacker you are capturing traffic from your customer network with Wireshark and
you need to find and verify just SMTP traffic. What command in Wireshark will help you to find
this kind of traffic?

tcp.port eq 25

tcp.contains port 25

request smtp 25

smtp port

An IT employee got a call from one of our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for both company and customer. What should this employee do?

The employee cannot provide any information; but, anyway, he/she will provide the name of the person in charge.

Since the company's policy is all about Customer Service, he/she will provide information.

The employee should not provide any information without previous management authorization.

Disregarding the call, the employee should hang up.

An attacker tries to do banner grabbing on a remote web server and executes the following command.

$ nmap -sV host.domain.com -p 80

He gets the following output.


Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-08 19:10 EST
Nmap scan report for host.domain.com (108.61.158.211)
Host is up (0.032s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd

Service detection performed. Please report any incorrect results at http://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds

What did the hacker accomplish?

The hacker should've used nmap -O host.domain.com

The hacker failed to do banner grabbing as he didn't get the version of the Apache web
server.

The hacker successfully completed the banner grabbing.

nmap can't retrieve the version number of any running remote service.

An attacker is using nmap to do a ping sweep and a port scan in a subnet of 254 addresses.
In which order should he perform these steps?

The sequence does not matter. Both steps have to be performed against all hosts.

First the port scan to identify interesting services and then the ping sweep to find hosts
responding to icmp echo requests.

The port scan alone is adequate. This way he saves time.

First the ping sweep to identify live hosts and then the port scan on the live
hosts. This way he saves time.

In both pharming and phishing attacks an attacker can create websites that look similar to legitimate sites with the intent of collecting personal identifiable information from its victims. What is the difference between pharming and phishing attacks?

In a phishing attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a pharming attack an attacker provides the victim with a URL that is either misspelled or looks very similar to the actual website's domain name

In a pharming attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that is either misspelled or looks similar to the actual website's domain name

Both pharming and phishing attacks are identical

Both pharming and phishing attacks are purely technical and are not considered forms of social engineering

Port scanning can be used as part of a technical assessment to determine network vulnerabilities. The TCP XMAS scan is used to identify listening ports on the targeted system.

If a scanned port is open, what happens?

The port will send an RST

The port will send an ACK

The port will send a SYN.

The port will ignore the packets.

Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close. What just happened?

Tailgating

Phishing

Whaling

Masquerading

Due to a slowdown of normal network operations, the IT department decided to monitor Internet traffic for all of the employees. From a legal standpoint, what would be troublesome about taking this kind of measure?

The network could still experience traffic slow down.

All of the employees would stop normal work activities

IT department would be telling employees who the boss is

Not informing the employees that they are going to be monitored could be an
invasion of privacy.

Which of the following is a passive wireless packet analyzer that works on Linux-based systems?

OpenVAS

tshark

Burp Suite

Kismet

You want to analyze packets on your wireless network. Which program would you use?

Airsnort with Airpcap

Ethereal with Winpcap

Wireshark with Winpcap

Wireshark with Airpcap


Attempting an injection attack on a web server based on responses to True/False questions is called which of the following?

DMS-specific SQLi

Classic SQLi

Blind SQLi

Compound SQLi

Bob received this text message on his mobile phone: "Hello, this is Scott Smelby from the Yahoo Bank. Kindly contact me for a vital transaction on: scotts-[email protected]". Which statement below is true?

Bob should write to [email protected] to verify the identity of Scott.

This is a scam because Bob does not know Scott

This is a scam as everybody can get a @yahoo address, not the Yahoo customer service employees.

This is probably a legitimate message as it comes from a respectable organization.

By using a smart card and pin, you are using a two-factor authentication that satisfies

Something you have and something you know

Something you know and something you are

Something you are and something you remember

Something you have and something you are


Sid is a judge for a programming contest. Before the code reaches him it goes through a
restricted OS and is tested there. If it passes, then it moves onto Sid. What is this middle
step called?

Third party running the code

Sandboxing the code

Fuzzy-testing the code

String validating the code


Todd has been asked by the security officer to purchase a counter-based authentication system. Which of the following best describes this type of system?

A biometric system that bases authentication decisions on behavioral attributes

An authentication system that creates one-time passwords that are encrypted with secret
keys

A biometric system that bases authentication decisions on physical attributes.

An authentication system that uses passphrases that are converted into virtual
passwords

A hacker has managed to gain access to a Linux host and stolen the password file /etc/passwd. How can he use it?

The password file does not contain the passwords themselves.

He can open it and read the user ids and corresponding passwords.

He cannot read it because it is encrypted

The file reveals the passwords to the root user only.

You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder that has the administrator's bank account password and login information for the administrator's bitcoin account.
What should you do?

Do not report it and continue the penetration test

Transfer money from the administrator's account to another account

Report immediately to the administrator.


Do not transfer the money but steal the bitcoins.

Which access control mechanism allows for multiple systems to use a central authentication server (CAS) that permits users to authenticate once and gain access to multiple systems?

Discretionary Access Control (DAC)

Role Based Access Control (RBAC)

Windows authentication

Single sign-on

If there is an Intrusion Detection System (IDS) in the intranet, which port scanning technique cannot be used?

TCP SYN

TCP Connect scan

Idle Scan

Spoof Scan

env x=`(){ :;};echo exploit` bash -c 'cat /etc/passwd'

What is the Shellshock bash vulnerability attempting to do on a vulnerable Linux host?

Removes the passwd file

Display passwd content to prompt

Changes all passwords in passwd

Add new user to the passwd file

You have successfully compromised a machine on the network and found a server that is
alive on the same network. You tried to ping it but you didn't get any response back.

What is happening?

TCP/IP doesn't support ICMP.

The ARP is disabled on the target server.

You need to run the ping command with root privileges.


ICMP could be disabled on the target server.

In which phase of the ethical hacking process can Google hacking be employed? This is a
technique that involves manipulating a search string with specific operators to search for
vulnerabilities.

Example:

allintitle: root passwd

Gaining Access

Maintaining Access

Scanning and Enumeration

Reconnaissance

If a tester is attempting to ping a target that exists but receives no response or a response
that states the destination is unreachable, ICMP may be disabled and the network may be
using TCP. Which other option could the tester use to get a response from a host using
TCP?

Broadcast ping

Traceroute

TCP ping

Hping

An attacker attaches a rogue router in a network. He wants to redirect traffic to a LAN attached to his router as part of a man-in-the-middle attack. What measure on behalf of the legitimate admin can mitigate this attack?

Disable all routing protocols and only use static routes

Only using OSPFv3 will mitigate this risk.

Redirection of the traffic cannot happen unless the admin allows it explicitly.

Make sure that legitimate network routers are configured to run routing protocols with authentication.

Look at the following output. What did the hacker accomplish?

; <<>> DiG 9.7.-P1 <<>> axfr domain.com @192.168.1.105
;; global options: +cmd
domain.com. 3600 IN SOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600
domain.com. 600 IN A 192.168.1.102
domain.com. 600 IN A 192.168.1.105
domain.com. 3600 IN NS srv1.domain.com.
domain.com. 3600 IN NS srv2.domain.com.
vpn.domain.com. 3600 IN A 192.168.1.1
server.domain.com. 3600 IN A 192.168.1.3
office.domain.com. 3600 IN A 192.168.1.4
remote.domain.com. 3600 IN A 192.168.1.48
support.domain.com. 3600 IN A 192.168.1.47
ns1.domain.com. 3600 IN A 192.168.1.41
ns2.domain.com. 3600 IN A 192.168.1.42
ns3.domain.com. 3600 IN A 192.168.1.34
ns4.domain.com. 3600 IN A 192.168.1.45
srv1.domain.com. 3600 IN A 192.168.1.102
srv2.domain.com. 1200 IN A 192.168.1.105
domain.com. 3600 IN SOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600
;; Query time: 269 msec
;; SERVER: 192.168.1.105#53(192.168.1.105)
;; WHEN: Sun Aug 11 20:07:59 2013
;; XFR size: 65 records (messages 65, bytes 4501)

The hacker used the "fierce" tool to brute force the list of available domains.

The hacker successfully transferred the zone and enumerated the hosts.

The hacker used whois to gather publicly available records for the domain.

The hacker listed DNS records on his own domain

It has been reported to you that someone has caused an information spillage on their computer. You go to the computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What step in incident handling did you just complete?

Discovery

Recovery

Containment

Eradication

Which Metasploit Framework tool can help a penetration tester evade anti-virus systems?

msfpayload

msfcli

msfencode

msfd

What is the difference between the AES and RSA algorithms?

Both are asymmetric algorithms, but RSA uses 1024-bit keys.

RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric,
which is used to encrypt data.

Both are symmetric algorithms, but AES uses 256-bit keys.

AES is asymmetric, which is used to create a public/private key pair; RSA is symmetric,
which is used to encrypt data.

How can rainbow tables be defeated?

Password salting

Lockout accounts under brute force password cracking attempts

Use of non-dictionary words

All uppercase character passwords
