CPEH-001 Certified Professional Ethical Hacker (CPEH) Question and Answers

Cross-site request forgery involves:

Some clients of TPNQM SA were redirected to a malicious site when they tried to access the TPNQM main site. Bob, a system administrator at TPNQM SA, found that they were victims of DNS Cache Poisoning.

What should Bob recommend to deal with such a threat?

Nedved is an IT Security Manager of a bank in his country. One day. he found out that there is a security breach to his company's email server based on analysis of a suspicious connection from the email server to an unknown IP Address.

What is the first thing that Nedved needs to do before contacting the incident response team?

An attacker, using a rogue wireless AP, performed an MITM attack and injected an HTML code to embed a malicious applet in all HTTP connections.

When users accessed any page, the applet ran and exploited many machines.

Which one of the following tools the hacker probably used to inject HTML code?

What type of vulnerability/attack is it when the malicious person forces the user’s browser to send an authenticated request to a server?

You are monitoring the network of your organizations. You notice that:

1. There are huge outbound connections from your Internal Network to External IPs.

2. On further investigation, you see that the External IPs are blacklisted.

3. Some connections are accepted, and some are dropped.

4. You find that it is a CnC communication.

Which of the following solution will you suggest?

Why containers are less secure that virtual machines?

Which of the following provides a security professional with most information about the system’s security posture?

During the process of encryption and decryption, what keys are shared?

During the process of encryption and decryption, what keys are shared?

Alice encrypts her data using her public key PK and stores the encrypted data in the cloud. Which of the following attack scenarios will compromise the privacy of her data?

Which of the following antennas is commonly used in communications for a frequency band of 10 MHz to VHF and UHF?

Which Nmap option would you use if you were not concerned about being detected and wanted to perform a very fast scan?

Your business has decided to add credit card numbers to the data it backs up to tape. Which of the

following represents the best practice your business should observe?

What would you type on the Windows command line in order to launch the Computer Management Console provided that you are logged in as an admin?

The practical realities facing organizations today make risk response strategies essential. Which of the following is NOT one of the five basic responses to risk?

A new wireless client that is 802.11 compliant cannot connect to a wireless network given that the client can see the network and it has compatible hardware and software installed. Upon further tests and investigation, it was found out that the Wireless Access Point (WAP) was not responding to the association requests being sent by the wireless client. What MOST likely is the issue on this scenario?

Which of the following BEST describes how Address Resolution Protocol (ARP) works?

While performing online banking using a Web browser, Kyle receives an email that contains an image of a well-crafted art. Upon clicking the image, a new tab on the web browser opens and shows an animated GIF of bills and coins being swallowed by a crocodile. After several days, Kyle noticed that all his funds on the bank was gone. What Web browser-based security vulnerability got exploited by the hacker?

Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up by and IDS?

Which of the following commands runs snort in packet logger mode?

Defining rules, collaborating human workforce, creating a backup plan, and testing the plans are within what phase of the Incident Handling Process?

Which of the following will perform an Xmas scan using NMAP?

Backing up data is a security must. However, it also has certain level of risks when mishandled. Which of the following is the greatest threat posed by backups?

Which specific element of security testing is being assured by using hash?

Study the log below and identify the scan type.

Suppose you’ve gained access to your client’s hybrid network. On which port should you listen to in order to know which Microsoft Windows workstations has its file sharing enabled?

You’ve just discovered a server that is currently active within the same network with the machine you recently compromised. You ping it but it did not respond. What could be the case?

It is a short-range wireless communication technology that allows mobile phones, computers and other devices to connect and communicate. This technology intends to replace cables connecting portable devices with high regards to security.

An nmap command that includes the host specification of 202.176.56-57.* will scan _______ number of hosts.

During an Xmas scan what indicates a port is closed?

As a securing consultant, what are some of the things you would recommend to a company to ensure DNS security?

This TCP flag instructs the sending system to transmit all buffered data immediately.

You are tasked to configure the DHCP server to lease the last 100 usable IP addresses in subnet to. 1.4.0/23. Which of the following IP addresses could be teased as a result of the new configuration?

A zone file consists of which of the following Resource Records (RRs)?

Which utility will tell you in real time which ports are listening or in another state?

What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?

One of your team members has asked you to analyze the following SOA record.

What is the TTL? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)

Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt to use these tools in his lab and is now ready for real world exploitation. He was able to effectively intercept communications between the two entities and establish credentials with both sides of the connections. The two remote ends of the communication never notice that Eric is relaying the information between the two. What would you call this attack?

You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters. With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results?

Tess King is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records (delegation for child Domains), zone serial number, TimeToLive (TTL) records, etc) for a Domain.

What do you think Tess King is trying to accomplish? Select the best answer.

You work for Acme Corporation as Sales Manager. The company has tight network security restrictions. You are trying to steal data from the company's Sales database (Sales.xls) and transfer them to your home computer. Your company filters and monitors traffic that leaves from the internal network to the Internet. How will you achieve this without raising suspicion?

You receive an e-mail like the one shown below. When you click on the link contained in the mail, you are redirected to a website seeking you to download free Anti-Virus software.

Dear valued customers,

We are pleased to announce the newest version of Antivirus 2010 for Windows which will probe you with total security against the latest spyware, malware, viruses, Trojans and other online threats. Simply visit the link below and enter your antivirus code:

or you may contact us at the following address:

Media Internet Consultants, Edif. Neptuno, Planta

Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a Panama

How will you determine if this is Real Anti-Virus or Fake Anti-Virus website?

In the context of Windows Security, what is a 'null' user?

Study the following log extract and identify the attack.

Which of the following are well known password-cracking programs?

During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network.

What is this type of DNS configuration commonly called?

When you return to your desk after a lunch break, you notice a strange email in your inbox. The sender is someone you did business with recently, but the subject line has strange characters in it.

What should you do?

You've just been hired to perform a pen test on an organization that has been subjected to a large-scale attack. The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate risk.

What is one of the first things you should do when given the job?

Which of the following is the greatest threat posed by backups?

You are logged in as a local admin on a Windows 7 system and you need to launch the Computer Management Console from command line.

Which command would you use?

Which of the following is the structure designed to verify and authenticate the identity of individuals within the enterprise taking part in a data exchange?

You are using NMAP to resolve domain names into IP addresses for a ping sweep later.

Which of the following commands looks for IP addresses?

Using Windows CMD, how would an attacker list all the shares to which the current user context has access?

Your team has won a contract to infiltrate an organization. The company wants to have the attack be as realistic as possible; therefore, they did not provide any information besides the company name.

What should be the first step in security testing the client?

You have compromised a server on a network and successfully opened a shell. You aimed to identify all operating systems running on the network. However, as you attempt to fingerprint all machines in the network using the nmap syntax below, it is not going through.

What seems to be wrong?

Which of the following is an extremely common IDS evasion technique in the web world?

You've gained physical access to a Windows 2008 R2 server which has an accessible disc drive. When you attempt to boot the server and log in, you are unable to guess the password. In your tool kit you have an Ubuntu 9.10 Linux LiveCD. Which Linux based tool has the ability to change any user's password or to activate disabled Windows accounts?

Which of the following statements is TRUE?

You have successfully gained access to a linux server and would like to ensure that the succeeding outgoing traffic from this server will not be caught by a Network Based Intrusion Detection Systems (NIDS).

What is the best way to evade the NIDS?

Which of the following describes the characteristics of a Boot Sector Virus?

Which of the following is a design pattern based on distinct pieces of software providing application functionality as services to other applications?

A certified ethical hacker (CEH) is approached by a friend who believes her husband is cheating. She offers to pay to break into her husband's email account in order to find proof so she can take him to court. What is the ethical response?

Some passwords are stored using specialized encryption algorithms known as hashes. Why is this an appropriate method?

The fundamental difference between symmetric and asymmetric key cryptographic systems is that symmetric key cryptography uses which of the following?

If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP?

Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the network’s IDS?

Which of the following is an example of IP spoofing?

Which of the following guidelines or standards is associated with the credit card industry?

Which security strategy requires using several, varying methods to protect IT systems against attacks?

Which of the following tools would be the best choice for achieving compliance with PCI Requirement 11?

Which of the following network attacks takes advantage of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack?

When setting up a wireless network, an administrator enters a pre-shared key for security. Which of the following is true?

Which of the following is a characteristic of Public Key Infrastructure (PKI)?

A network security administrator is worried about potential man-in-the-middle attacks when users access a corporate web site from their workstations. Which of the following is the best remediation against this type of attack?

Which of the following items is unique to the N-tier architecture method of designing software applications?

The intrusion detection system at a software development company suddenly generates multiple alerts regarding attacks against the company's external webserver, VPN concentrator, and DNS servers. What should the security team do to determine which alerts to check first?

Which of the following processes of PKI (Public Key Infrastructure) ensures that a trust relationship exists and that a certificate is still valid for specific operations?

What two conditions must a digital signature meet?

During a security audit of IT processes, an IS auditor found that there were no documented security procedures. What should the IS auditor do?

Risks = Threats x Vulnerabilities is referred to as the:

The establishment of a TCP connection involves a negotiation called 3 way handshake. What type of message sends the client to the server in order to begin this negotiation?

Due to a slowdown of normal network operations, IT department decided to monitor internet traffic for all of the employees. From a legal stand point, what would be troublesome to take this kind of measure?

If executives are found liable for not properly protecting their company's assets and information systems, what type of law would apply in this situation?

Which of the following programming languages is most susceptible to buffer overflow attacks, due to its lack of a built-in-bounds checking mechanism?

Output:

Segmentation fault

You want to do an ICMP scan on a remote computer using hping2. What is the proper syntax?

A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application.

What kind of Web application vulnerability likely exists in their software?

Todd has been asked by the security officer to purchase a counter-based authentication system. Which of the following best describes this type of system?

The "black box testing" methodology enforces which kind of restriction?

Which of the following is a low-tech way of gaining unauthorized access to systems?

An attacker gains access to a Web server's database and displays the contents of the table that holds all of the names, passwords, and other user information. The attacker did this by entering information into the Web site's user login page that the software's designers did not expect to be entered. This is an example of what kind of software design problem?

Seth is starting a penetration test from inside the network. He hasn't been given any information about the network. What type of test is he conducting?

To maintain compliance with regulatory requirements, a security audit of the systems on a network must be performed to determine their compliance with security policies. Which one of the following tools would most likely be used in such an audit?

Craig received a report of all the computers on the network that showed all the missing patches and weak passwords. What type of software generated this report?

Which of the following is a hardware requirement that either an IDS/IPS system or a proxy server must have in order to properly function?

A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over ports 20 and 21. During analysis, there were no signs of attack on the FTP servers. How should the administrator classify this situation?

What is the correct PCAP filter to capture all TCP traffic going to or from host 192.168.0.125 on port 25?

Which type of access control is used on a router or firewall to limit network activity?

A covert channel is a channel that

What is the outcome of the comm”nc -l -p 2222 | nc 10.1.0.43 1234"?

A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set:

The engineer wants to configure remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ. Which rule would best fit this requirement?

The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities?

The use of technologies like IPSec can help guarantee the following: authenticity, integrity, confidentiality and

Which tool can be used to silently copy files from USB devices?

Which of the following problems can be solved by using Wireshark?

The network administrator for a company is setting up a website with e-commerce capabilities. Packet sniffing is a concern because credit card information will be sent electronically over the Internet. Customers visiting the site will need to encrypt the data with HTTPS. Which type of certificate is used to encrypt and decrypt the data?

What is the best defense against privilege escalation vulnerability?

A security engineer is attempting to map a company’s internal network. The engineer enters in the following NMAP command:

NMAP –n –sS –P0 –p 80 ***.***.**.**

What type of scan is this?