· 6 years ago · Jun 26, 2019, 07:46 PM
NO.1 Which of the following is a wireless network detector that is commonly found on Linux?
A. Kismet
B. Abel
C. Netstumbler
D. Nessus
Answer: A

NO.2 A security consultant decides to use multiple layers of anti-virus defense, such as end user
desktop anti-virus and E-mail gateway. This approach can be used to mitigate which kind of attack?
A. Forensic attack
B. ARP spoofing attack
C. Social engineering attack
D. Scanning attack
Answer: C

NO.3 Code injection is a form of attack in which a malicious user:
A. Inserts text into a data field that gets interpreted as code
B. Gets the server to execute arbitrary code using a buffer overflow
C. Inserts additional code into the JavaScript running in the browser
D. Gains access to the codebase on the server and inserts new code
Answer: A

NO.4 Sid is a judge for a programming contest. Before the code reaches him it goes through a
restricted OS and is tested there. If it passes, then it moves on to Sid. What is this middle step called?
A. Fuzzy-testing the code
B. Third party running the code
C. Sandboxing the code
D. String validating the code
Answer: C
Explanation
Running untrusted code inside a restricted environment that limits what it can reach is sandboxing.
Fuzz testing feeds malformed input to a program to find crashes and is not what the question describes.

NO.5 The Payment Card Industry Data Security Standard (PCI DSS) contains six different categories of
control objectives. Each objective contains one or more requirements, which must be followed in
order to achieve compliance. Which of the following requirements would best fit under the objective,
"Implement strong access control measures"?
A. Regularly test security systems and processes.
B. Encrypt transmission of cardholder data across open, public networks.
C. Assign a unique ID to each person with computer access.
D. Use and regularly update anti-virus software on all systems commonly affected by malware.
Answer: C

NO.6 Which of the following acts requires employers to have standard national numbers that identify
them on standard transactions?
A. SOX
B. HIPAA
C. DMCA
D. PCI-DSS
Answer: B

NO.7 Which of the following is an NMAP script that could help detect HTTP Methods such as GET,
POST, HEAD, PUT, DELETE, TRACE?
A. http-git
B. http-headers
C. http-enum
D. http-methods
Answer: D

NO.8 Fred is the network administrator for his company. Fred is testing an internal switch.
From an external IP address, Fred wants to try and trick this switch into thinking it already has
established a session with his computer. How can Fred accomplish this?
A. Fred can accomplish this by sending an IP packet with the RST/SYN bit and the source address of
his computer.
B. He can send an IP packet with the SYN bit and the source address of his computer.
C. Fred can send an IP packet with the ACK bit set to zero and the source address of the switch.
D. Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.
Answer: D

NO.9 What is the process of logging, recording, and resolving events that take place in an
organization?
A. Incident Management Process
B. Security Policy
C. Internal Procedure
D. Metrics
Answer: A
Explanation
The activities within the incident management process include:
References:
https://en.wikipedia.org/wiki/Incident_management_(ITSM)#Incident_management_procedure

NO.10 A hacker has managed to gain access to a Linux host and stolen the password file from
/etc/passwd. How can he use it?
A. The password file does not contain the passwords themselves.
B. He can open it and read the user ids and corresponding passwords.
C. The file reveals the passwords to the root user only.
D. He cannot read it because it is encrypted.
Answer: A
Explanation
On a modern Linux system /etc/passwd is world-readable but holds only an "x" in the password field;
the salted password hashes live in /etc/shadow, which only root can read. The stolen file still gives
the attacker valid usernames, UIDs, home directories and shells to target.

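The following is an added example, not part of the original question bank, showing what a copy of /etc/passwd actually yields and the one case where it still leaks password material: an account whose hash was never moved to /etc/shadow, or whose password field is empty. The file contents are constructed for the example and do not come from any real host.

```python
"""Why a stolen /etc/passwd is not a list of passwords.

Added example (not part of the original question bank). On modern Linux the
second field of /etc/passwd holds only an 'x' placeholder; the salted hash
lives in root-readable /etc/shadow. An attacker who copies /etc/passwd learns
usernames, UIDs, home directories and shells, which is useful for targeting,
but no password material unless a legacy or misconfigured entry still carries
a hash or an empty password field. The sample file contents below are
constructed for this example and do not come from any real host.
"""

# Constructed /etc/passwd sample: name:password:UID:GID:GECOS:home:shell
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$1$abcdefgh$0123456789abcdefghijkl:1001:1001:Old box:/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
"""

# Constructed /etc/shadow sample: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SHADOW_SAMPLE = """\
root:$6$saltsalt$hashhashhashhash:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
alice:$6$othersalt$anotherhashvalue:19500:0:99999:7:::
"""


def parse_passwd(text):
    """Map username -> (password_field, uid) from /etc/passwd-style text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[fields[0]] = (fields[1], int(fields[2]))
    return entries


def parse_shadow(text):
    """Map username -> hash field from /etc/shadow-style text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[fields[0]] = fields[1]
    return entries


def audit_accounts(passwd_text, shadow_text):
    """Classify each account by what the world-readable passwd file gives away."""
    shadow = parse_shadow(shadow_text)
    findings = {}
    for user, (pw_field, _uid) in parse_passwd(passwd_text).items():
        if pw_field == "x":
            hashed = shadow.get(user)
            if hashed is None:
                findings[user] = "shadowed but no shadow entry (misconfigured)"
            elif hashed == "":
                findings[user] = "EMPTY password in /etc/shadow"
            elif hashed[0] in "!*":
                findings[user] = "locked (no valid hash)"
            else:
                findings[user] = "hash only in root-readable /etc/shadow"
        elif pw_field == "":
            findings[user] = "EMPTY password in world-readable /etc/passwd"
        else:
            findings[user] = "hash exposed in world-readable /etc/passwd (offline-crackable)"
    return findings


def reconnaissance_value(passwd_text):
    """What the attacker does get: every username, and which ones are UID 0."""
    entries = parse_passwd(passwd_text)
    uid0 = sorted(u for u, (_, uid) in entries.items() if uid == 0)
    return {"uid0": uid0, "users": sorted(entries)}


if __name__ == "__main__":
    for user, verdict in audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE).items():
        print(f"{user:8} {verdict}")
    print(reconnaissance_value(PASSWD_SAMPLE))
```

Run against a real pair of files (with root privileges for /etc/shadow), the same check is a quick way to spot accounts that still carry a hash in the world-readable file or have an empty password field.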
NO.11 What is the most secure way to mitigate the theft of corporate information from a laptop
that was left in a hotel room?
A. Set a BIOS password.
B. Encrypt the data on the hard drive.
C. Use a strong logon password to the operating system.
D. Back up everything on the laptop and store the backup in a safe place.
Answer: B

NO.12 You are manually conducting Idle Scanning using Hping2. During your scanning you notice
that almost every query increments the IPID regardless of the port being queried. One or two of the
queries cause the IPID to increment by more than one value. Why do you think this occurs?
A. The zombie you are using is not truly idle.
B. A stateful inspection firewall is resetting your queries.
C. Hping2 cannot be used for idle scanning.
D. These ports are actually open on the target system.
Answer: A

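As an added example (not part of the original question bank), the logic below is what an operator applies to the IPID numbers hping2 returns: first judge the zombie from a few probes of your own, then read each spoofed-probe delta as a port state. It also wraps the 16-bit counter correctly. The IPID sequences are constructed.

```python
"""Reading IPID deltas in an idle (zombie) scan.

Added example, not part of the original question bank. An idle scan only works
when the zombie's IP ID counter advances by exactly one per packet it sends and
nobody else is making it send packets. Before using a zombie you probe it a
few times and check the sequence; during the scan each spoofed SYN to the
target should move the zombie's counter by 1 (port closed or filtered: the
zombie sends nothing extra) or by 2 (port open: the target's SYN/ACK makes the
zombie send a RST). Any other delta means the zombie is talking to someone
else, so the result is noise. The IPID sequences below are constructed.
"""

IPID_MOD = 1 << 16  # IP identification is a 16-bit field, so deltas wrap


def ipid_delta(before, after):
    """Delta between two 16-bit IP IDs, wrapping at 65536."""
    return (after - before) % IPID_MOD


def classify_zombie(ipids):
    """Judge whether a host can serve as an idle-scan zombie.

    ipids: IP IDs from consecutive replies to our own probes, one per probe.
    """
    if len(ipids) < 3:
        raise ValueError("need at least three probes to judge a sequence")
    deltas = [ipid_delta(a, b) for a, b in zip(ipids, ipids[1:])]
    if all(d == 0 for d in deltas):
        return "constant (kernel zeroes IPID; unusable)"
    if all(d == 1 for d in deltas):
        return "incremental and idle (usable)"
    if all(d == 256 for d in deltas):
        return "incremental, byte-swapped (usable with swapped counter)"
    if all(0 < d < 16 for d in deltas):
        return "incremental but busy (not truly idle; results will be noisy)"
    return "random or unpredictable (unusable)"


def interpret_port(ipid_before, ipid_after):
    """Map the zombie's IPID delta across one spoofed probe to a port state."""
    delta = ipid_delta(ipid_before, ipid_after)
    if delta == 1:
        return "closed|filtered"
    if delta == 2:
        return "open"
    return "indeterminate (zombie not idle during this probe)"


# Constructed probe results.
QUIET_ZOMBIE = [31337, 31338, 31339, 31340, 31341, 31342]
BUSY_ZOMBIE = [31337, 31338, 31342, 31343, 31349, 31350]
RANDOM_IPID = [4, 60123, 17, 9000, 41222, 3]

if __name__ == "__main__":
    for name, seq in [("quiet", QUIET_ZOMBIE), ("busy", BUSY_ZOMBIE), ("random", RANDOM_IPID)]:
        print(f"{name:7} {classify_zombie(seq)}")
    print(interpret_port(31342, 31344))   # open
    print(interpret_port(65535, 0))       # closed|filtered across the wrap
```

The BUSY_ZOMBIE sequence is the situation in the question: the counter keeps climbing by one for your own probes but occasionally jumps further, which means other traffic is consuming IPIDs and any single +2 reading cannot be trusted as "open".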
NO.13 Darius is analysing IDS logs. During the investigation, he noticed that there was nothing
suspicious found and an alert was triggered on normal web application traffic. He can mark this alert
as:
A. False-Negative
B. False-Positive
C. True-Positive
D. False-Signature
Answer: B
Explanation
An alert raised on benign traffic is a false positive; a false negative is an attack the IDS failed to
report. NO.37 describes the same situation.

NO.14 What is the proper response for a NULL scan if the port is closed?
A. SYN
B. ACK
C. FIN
D. PSH
E. RST
F. No response
Answer: E

NO.15 The Open Web Application Security Project (OWASP) is the worldwide not-for-profit
charitable organization focused on improving the security of software. What item is the primary
concern on OWASP's Top Ten Project Most Critical Web Application Security Risks?
A. Injection
B. Cross Site Scripting
C. Cross Site Request Forgery
D. Path disclosure
Answer: A
Explanation
The top item of the OWASP Top Ten 2013 list of the Most Critical Web Application Security Risks is
injection.
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an
interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into
executing unintended commands or accessing data without proper authorization.
References: https://www.owasp.org/index.php/Top_10_2013-Top_10

NO.16 A recent security audit revealed that there were indeed several occasions that the company's
network was breached. After investigating, you discover that your IDS is not configured properly and
therefore is unable to trigger alarms when needed. What type of alert is the IDS giving?
A. True Positive
B. False Negative
C. False Positive
D. False Positive
Answer: B

NO.17 A Network Administrator was recently promoted to Chief Security Officer at a local university.
One of the employee's new responsibilities is to manage the implementation of an RFID card access
system to a new server room on campus. The server room will house student enrollment information
that is securely backed up to an off-site location.
During a meeting with an outside consultant, the Chief Security Officer explains that he is concerned
that the existing security controls have not been designed properly. Currently, the Network
Administrator is responsible for approving and issuing RFID card access to the server room, as well as
reviewing the electronic access logs on a weekly basis.
Which of the following is an issue with the situation?
A. Segregation of duties
B. Undue influence
C. Lack of experience
D. Inadequate disaster recovery plan
Answer: A

NO.18 Which vital role does the U.S. Computer Security Incident Response Team (CSIRT) provide?
A. Incident response services to any user, company, government agency, or organization in
partnership with the Department of Homeland Security
B. Maintenance of the nation's Internet infrastructure, builds out new Internet infrastructure, and
decommissions old Internet infrastructure
C. Registration of critical penetration testing for the Department of Homeland Security and public
and private sectors
D. Measurement of key vulnerability assessments on behalf of the Department of Defense (DOD) and
State Department, as well as private sectors
Answer: A

NO.19 Which of the following is used to indicate a single-line comment in structured query language
(SQL)?
A. --
B. ||
C. %%
D. ''
Answer: A

NO.20 Suppose you are the Chief Network Engineer of a certain Telco. Your company is planning
for a big business expansion and it requires that your network authenticate users connecting using
analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks
(VPN) over a Frame Relay network. Which AAA protocol would you implement?
A. TACACS+
B. DIAMETER
C. Kerberos
D. RADIUS
Answer: D

NO.21 Which of the following lists are valid data-gathering activities associated with a risk
assessment?
A. Threat identification, vulnerability identification, control analysis
B. Threat identification, response identification, mitigation identification
C. Attack profile, defense profile, loss profile
D. System profile, vulnerability identification, security determination
Answer: A

NO.22 Which of the following command line switches would you use for OS detection in Nmap?
A. -D
B. -O
C. -P
D. -X
Answer: B

NO.23 A security consultant is trying to bid on a large contract that involves penetration testing and
reporting. The company accepting bids wants proof of work so the consultant prints out several
audits that have been performed. Which of the following is likely to occur as a result?
A. The consultant will ask for money on the bid because of great work.
B. The consultant may expose vulnerabilities of other companies.
C. The company accepting bids will want the same type of format of testing.
D. The company accepting bids will hire the consultant because of the great work performed.
Answer: B

NO.24 What type of vulnerability/attack is it when the malicious person forces the user's browser to
send an authenticated request to a server?
A. Cross-site request forgery
B. Cross-site scripting
C. Session hijacking
D. Server side request forgery
Answer: A

NO.25 Which of the following is a hashing algorithm?
A. MD5
B. PGP
C. DES
D. ROT13
Answer: A

NO.26 A security engineer has been asked to deploy a secure remote access solution that will allow
employees to connect to the company's internal network. Which of the following can be
implemented to minimize the opportunity for the man-in-the-middle attack to occur?
A. SSL
B. Mutual authentication
C. IPSec
D. Static IP addresses
Answer: C

NO.27 On a Linux device, which of the following commands will start the Nessus client in the
background so that the Nessus server can be configured?
A. nessus +
B. nessus *s
C. nessus &
D. nessus -d
Answer: C

NO.28 If an attacker uses the command SELECT * FROM user WHERE name = 'x' AND userid IS NULL;
--'; which type of SQL injection attack is the attacker performing?
A. End of Line Comment
B. UNION SQL Injection
C. Illegal/Logically Incorrect Query
D. Tautology
Answer: A
Explanation
The -- sequence starts a single-line comment (see NO.19), so everything the application appended
after the injected text, including the closing quote, is ignored by the database. A tautology attack
would instead inject a condition that is always true, such as OR 1=1; userid IS NULL is not one.

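The next block is an added example, not part of the original question bank, that puts the end-of-line comment injection from NO.28 (and the -- comment from NO.19, and the "text interpreted as code" definition in NO.3) into a runnable login routine, side by side with the parameterised version that defeats it. It uses sqlite3 from the standard library with a constructed in-memory table; user names, passwords and the payload are made up.

```python
"""End-of-line comment SQL injection, vulnerable and fixed.

Added example, not part of the original question bank. The login below builds
its query by string formatting, so a username ending in ' -- turns everything
after it (the password check) into a comment, the same trick as the ; --' tail
in the question. The parameterised version passes the same input as data and
the comment never reaches the SQL parser. Uses sqlite3 from the standard
library with a constructed in-memory table; names and passwords are made up.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    # Plaintext passwords only to keep the demo short; real systems store a salted hash.
    conn.execute("CREATE TABLE user (userid INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user (name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def render_vulnerable_sql(name, password):
    """The query text the vulnerable function actually sends to the database."""
    return f"SELECT userid, name FROM user WHERE name = '{name}' AND password = '{password}'"


def vulnerable_login(conn, name, password):
    """Returns the matched row or None. Do not copy this: input becomes SQL."""
    return conn.execute(render_vulnerable_sql(name, password)).fetchone()


def safe_login(conn, name, password):
    """Same query with bound parameters; the input is never parsed as SQL."""
    sql = "SELECT userid, name FROM user WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


PAYLOAD = "alice' --"   # constructed attacker input; everything after -- is a comment

if __name__ == "__main__":
    db = make_db()
    print(render_vulnerable_sql(PAYLOAD, "anything"))
    print("vulnerable:", vulnerable_login(db, PAYLOAD, "anything"))
    print("safe:      ", safe_login(db, PAYLOAD, "anything"))
```

Printing the rendered statement shows why the comment matters: the trailing `' AND password = 'anything'` that the application intended as a check is still in the string, but the database never evaluates it. With bound parameters the whole payload is compared as a literal username and no row matches.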
NO.29 A hacker, who posed as a heating and air conditioning specialist, was able to install a sniffer
program in a switched environment network. Which attack could the hacker use to sniff all of the
packets in the network?
A. Fraggle
B. MAC Flood
C. Smurf
D. Tear Drop
Answer: B

NO.30 Least privilege is a security concept that requires that a user is
A. limited to those functions required to do the job.
B. given root or administrative privileges.
C. trusted to keep all data and access to that data under their sole control.
D. given privileges equal to everyone else in the department.
Answer: A

NO.31 Which DNS resource record can indicate how long any "DNS poisoning" could last?
A. MX
B. SOA
C. NS
D. TIMEOUT
Answer: B

NO.32 During the process of encryption and decryption, what keys are shared?
A. Private keys
B. User passwords
C. Public keys
D. Public and private keys
Answer: C

NO.33 Using Windows CMD, how would an attacker list all the shares to which the current user
context has access?
A. NET USE
B. NET CONFIG
C. NET FILE
D. NET VIEW
Answer: A
Explanation
Connects a computer to or disconnects a computer from a shared resource, or displays information
about computer connections. The command also controls persistent net connections. Used without
parameters, net use retrieves a list of network connections.
References: https://technet.microsoft.com/en-us/library/bb490717.aspx

NO.34 What does the following command in netcat do?
nc -l -u -p55555 < /etc/passwd
A. logs the incoming connections to /etc/passwd file
B. loads the /etc/passwd file to the UDP port 55555
C. grabs the /etc/passwd file when connected to UDP port 55555
D. deletes the /etc/passwd file when connected to the UDP port 55555
Answer: C

NO.35 Sandra is the security administrator of XYZ.com. One day she notices that the XYZ.com Oracle
database server has been compromised and customer information along with financial data has been
stolen. The financial loss will be estimated in millions of dollars if the database gets into the hands of
competitors. Sandra wants to report this crime to the law enforcement agencies immediately. Which
organization coordinates computer crime investigations throughout the United States?
A. NDCA
B. NICP
C. CIRP
D. NPC
E. CIA
Answer: D

NO.36 Which of the following is a characteristic of Public Key Infrastructure (PKI)?
A. Public-key cryptosystems are faster than symmetric-key cryptosystems.
B. Public-key cryptosystems distribute public-keys within digital signatures.
C. Public-key cryptosystems do not require a secure key distribution channel.
D. Public-key cryptosystems do not provide technical non-repudiation via digital signatures.
Answer: B

NO.37 A network administrator received an administrative alert at 3:00 a.m. from the intrusion
detection system. The alert was generated because a large number of packets were coming into the
network over ports 20 and 21.
During analysis, there were no signs of attack on the FTP servers. How should the administrator
classify this situation?
A. True negatives
B. False negatives
C. True positives
D. False positives
Answer: D

NO.38 In the OSI model, where does PPTP encryption take place?
A. Transport layer
B. Application layer
C. Data link layer
D. Network layer
Answer: C

NO.39 Websites and web portals that provide web services commonly use the Simple Object Access
Protocol (SOAP).
Which of the following is an incorrect definition or characteristic of the protocol?
A. Based on XML
B. Provides a structured model for messaging
C. Exchanges data between web services
D. Only compatible with the application protocol HTTP
Answer: D

NO.40 A common cryptographical tool is the use of XOR. XOR the following binary values:
10110001
00111010
A. 10001011
B. 11011000
C. 10011101
D. 10111100
Answer: A
Explanation
The XOR gate is a digital logic gate that implements an exclusive or; that is, a true output (1/HIGH)
results if one, and only one, of the inputs to the gate is true. If both inputs are false (0/LOW) or both
are true, a false output results. XOR represents the inequality function, i.e., the output is true if the
inputs are not alike, otherwise the output is false. A way to remember XOR is "one or the other but
not both".
References: https://en.wikipedia.org/wiki/XOR_gate

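As an added example (not part of the original question bank), the block below carries the question's two values through bit by bit and then goes a step beyond it: the two properties that make XOR usable as a cipher (applying the same key twice restores the plaintext) and dangerous when misused (reusing a key across two messages lets an observer cancel it out). The key and plaintexts are constructed.

```python
"""XOR as a cryptographic primitive.

Added example, not part of the original question bank. It carries the
question's two 8-bit values through bit by bit and then shows the two
properties that make XOR usable as a cipher and dangerous when misused:
applying the same key twice restores the plaintext, and reusing a key across
two messages lets an observer cancel it out. All inputs are constructed.
"""


def xor_bits(a, b):
    """XOR two equal-length strings of '0'/'1' characters, bit by bit."""
    if len(a) != len(b) or set(a + b) - {"0", "1"}:
        raise ValueError("inputs must be equal-length binary strings")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def xor_bytes(data, key):
    """XOR bytes with a key, repeating the key if it is shorter (never do that in practice)."""
    if not key:
        raise ValueError("empty key")
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def key_reuse_leak(ct1, ct2):
    """With a shared key, ct1 ^ ct2 == pt1 ^ pt2: the key drops out entirely."""
    return xor_bytes(ct1, ct2)  # using ct2 as the "key" XORs the two ciphertexts


QUESTION_A = "10110001"
QUESTION_B = "00111010"

if __name__ == "__main__":
    print(xor_bits(QUESTION_A, QUESTION_B))      # 10001011
    key = b"\x5a\xa5\x0f\xf0\x13\x37\xc0\xde"    # constructed one-time key
    pt1, pt2 = b"ATTACK!!", b"RETREAT!"
    ct1, ct2 = xor_bytes(pt1, key), xor_bytes(pt2, key)
    print(xor_bytes(ct1, key) == pt1)            # True: XOR is its own inverse
    print(key_reuse_leak(ct1, ct2) == xor_bytes(pt1, pt2))  # True: key cancelled
```

The last line is the practical lesson: the moment a "key" is used for two messages, anyone who captures both ciphertexts holds the XOR of the plaintexts, and known or guessable text in one message reveals the other.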
NO.41 Which of the following resources does NMAP need to be used as a basic vulnerability scanner
covering several vectors like SMB, HTTP and FTP?
A. Metasploit scripting engine
B. Nessus scripting engine
C. NMAP scripting engine
D. SAINT scripting engine
Answer: C

NO.42 During a recent security assessment, you discover the organization has one Domain Name
Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network.
What is this type of DNS configuration commonly called?
A. Split DNS
B. DNSSEC
C. DynDNS
D. DNS Scheme
Answer: A
Explanation
In a split DNS infrastructure, you create two zones for the same domain, one to be used by the
internal network, the other used by the external network. Split DNS directs internal hosts to an
internal domain name server for name resolution and external hosts are directed to an external
domain name server for name resolution.
References:
http://www.webopedia.com/TERM/S/split_DNS.html

NO.43 A security administrator notices that the log file of the company's webserver contains
suspicious entries:
Based on source code analysis, the analyst concludes that the login.php script is vulnerable to
A. command injection.
B. SQL injection.
C. directory traversal.
D. LDAP injection.
Answer: B

NO.44 PGP, SSL, and IKE are all examples of which type of cryptography?
A. Public Key
B. Secret Key
C. Hash Algorithm
D. Digest
Answer: A
Explanation
Public-key algorithms are fundamental security ingredients in cryptosystems, applications and
protocols. They underpin various Internet standards, such as Secure Sockets Layer (SSL), Transport
Layer Security (TLS), S/MIME, PGP, Internet Key Exchange (IKE or IKEv2), and GPG.
References: https://en.wikipedia.org/wiki/Public-key_cryptography

NO.45 Which of the following commands runs snort in packet logger mode?
A. ./snort -dev -h ./log
B. ./snort -dev -l ./log
C. ./snort -dev -o ./log
D. ./snort -dev -p ./log
Answer: B

NO.46 An Internet Service Provider (ISP) has a need to authenticate users connecting using analog
modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN)
over a Frame Relay network.
Which AAA protocol is most likely able to handle this requirement?
A. RADIUS
B. DIAMETER
C. Kerberos
D. TACACS+
Answer: A
Explanation
Because of the broad support and the ubiquitous nature of the RADIUS protocol, it is often used by
ISPs and enterprises to manage access to the Internet or internal networks, wireless networks, and
integrated e-mail services. These networks may incorporate modems, DSL, access points, VPNs,
network ports, web servers, etc.
References: https://en.wikipedia.org/wiki/RADIUS

NO.47 Smart cards use which protocol to transfer the certificate in a secure manner?
A. Extensible Authentication Protocol (EAP)
B. Point to Point Protocol (PPP)
C. Point to Point Tunneling Protocol (PPTP)
D. Layer 2 Tunneling Protocol (L2TP)
Answer: A

NO.48 Every company needs a formal written document which spells out to employees precisely
what they are allowed to use the company's systems for, what is prohibited, and what will happen to
them if they break the rules. Two printed copies of the policy should be given to every employee as
soon as possible after they join the organization. The employee should be asked to sign one copy,
which should be safely filed by the company. No one should be allowed to use the company's
computer systems until they have signed the policy in acceptance of its terms.
What is this document called?
A. Information Audit Policy (IAP)
B. Information Security Policy (ISP)
C. Penetration Testing Policy (PTP)
D. Company Compliance Policy (CCP)
Answer: B

NO.49 One way to defeat a multi-level security solution is to leak data via
A. a bypass regulator.
B. steganography.
C. a covert channel.
D. asymmetric routing.
Answer: C

NO.50 Your next door neighbor, whom you do not get along with, is having issues with their network,
so he yells to his spouse the network's SSID and password and you hear them both clearly. What do
you do with this information?
A. Nothing, but suggest to him to change the network's SSID and password.
B. Sell his SSID and password to friends that come to your house, so it doesn't slow down your
network.
C. Log onto his network, after all it's his fault that you can get in.
D. Only use his network when you have large downloads so you don't tax your own network.
Answer: A

NO.51 A security analyst is performing an audit on the network to determine if there are any
deviations from the security policies in place. The analyst discovers that a user from the IT
department had a dial-out modem installed. Which security policy must the security analyst check to
see if dial-out modems are allowed?
A. Firewall-management policy
B. Acceptable-use policy
C. Remote-access policy
D. Permissive policy
Answer: C

NO.52 You just set up a security system in your network. In what kind of system would you find the
following string of characters used as a rule within its configuration?
alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";)
A. An Intrusion Detection System
B. A firewall IPTable
C. A Router IPTable
D. FTP Server rule
Answer: A
Explanation
Snort is an open source network intrusion detection system (NIDS).
Snort rule example (a rule with a generator id of 1000001):
alert tcp any any -> any 80 (content:"BOB"; gid:1000001; sid:1; rev:1;)
References:
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node31.html

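To make the rule syntax concrete, here is an added example (my own code, not from the original question bank or from the Snort project): a small parser for the header and option list of a single-line Snort rule, and a matcher that decides which constructed packet 5-tuples would fire the question's rule. It handles "any", single addresses, CIDR blocks and both directions; IP lists, port ranges, negation and payload matching are left out.

```python
"""A minimal parser and matcher for the Snort rule in the question.

Added example, not part of the original question bank or the Snort project.
It reads the rule header (action protocol src src_port direction dst dst_port)
and the option list, then decides whether constructed packet tuples would fire
it. It covers 'any', single addresses and CIDR blocks, and both '->' and '<>';
real Snort also handles IP lists, port ranges, negation and payload matching,
none of which is attempted here.
"""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# key; or key:value; where value may be a double-quoted string containing ';'
OPTION_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(text):
    """Return a dict describing a single-line Snort rule."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"not a rule I understand: {text!r}")
    rule = m.groupdict()
    opts = {}
    for key, value in OPTION_RE.findall(rule.pop("opts")):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        opts[key] = value.strip() if value else None
    rule["options"] = opts
    return rule


def _addr_match(spec, ip):
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, proto, src, sport, dst, dport):
    """True if the packet 5-tuple satisfies the rule header."""
    if rule["proto"] != "ip" and rule["proto"] != proto:
        return False
    forward = (_addr_match(rule["src"], src) and _port_match(rule["sport"], sport)
               and _addr_match(rule["dst"], dst) and _port_match(rule["dport"], dport))
    if rule["dir"] == "->":
        return forward
    reverse = (_addr_match(rule["src"], dst) and _port_match(rule["sport"], dport)
               and _addr_match(rule["dst"], src) and _port_match(rule["dport"], sport))
    return forward or reverse


QUESTION_RULE = 'alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";)'

# Constructed packets: (proto, src, sport, dst, dport)
PACKETS = [
    ("tcp", "10.0.0.5", 40000, "192.168.100.7", 21),   # fires
    ("tcp", "10.0.0.5", 40001, "192.168.100.7", 22),   # wrong port
    ("tcp", "10.0.0.5", 40002, "192.168.101.7", 21),   # outside the /24
    ("udp", "10.0.0.5", 40003, "192.168.100.7", 21),   # wrong protocol
    ("tcp", "192.168.100.7", 21, "10.0.0.5", 40000),   # reply direction; '->' does not match
]


def alerts_for(rule_text, packets):
    """Packets from the list that the rule would alert on."""
    rule = parse_rule(rule_text)
    return [p for p in packets if rule_matches(rule, *p)]


if __name__ == "__main__":
    r = parse_rule(QUESTION_RULE)
    print(r["action"], r["proto"], r["options"]["msg"])
    for pkt in alerts_for(QUESTION_RULE, PACKETS):
        print("ALERT", pkt)
```

Note that the question's rule has no sid option; a real Snort deployment requires sid and rev on every rule, as the explanation's second example shows.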
NO.53 Which of the following open source tools would be the best choice to scan a network for
potential targets?
A. NMAP
B. NIKTO
C. CAIN
D. John the Ripper
Answer: A

NO.54 Which of the following is the successor of SSL?
A. TLS
B. RSA
C. GRE
D. IPSec
Answer: A
Explanation
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are
frequently referred to as 'SSL', are cryptographic protocols that provide communications security
over a computer network.
References: https://en.wikipedia.org/wiki/Transport_Layer_Security

NO.55 Which of the following tools is used to detect wireless LANs using the 802.11a/b/g/n WLAN
standards on a Linux platform?
A. Kismet
B. Nessus
C. Netstumbler
D. Abel
Answer: A
Explanation
Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs.
Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a,
802.11b, 802.11g, and 802.11n traffic. The program runs under Linux, FreeBSD, NetBSD, OpenBSD, and
Mac OS X.
References: https://en.wikipedia.org/wiki/Kismet_(software)

NO.56 Joseph was the Web site administrator for the Mason Insurance in New York, whose main
Web site was located at www.masonins.com. Joseph uses his laptop computer regularly to
administer the Web site. One night, Joseph received an urgent phone call from his friend, Smith.
According to Smith, the main Mason Insurance web site had been vandalized! All of its normal
content was removed and replaced with an attacker's message "Hacker Message: You are dead!
Freaks!" From his office, which was directly connected to Mason Insurance's internal network, Joseph
surfed to the Web site using his laptop. In his browser, the Web site looked completely intact.
No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the
problem. The Web site appeared defaced when his friend visited using his DSL connection. So, while
Smith and his friend could see the defaced page, Joseph saw the intact Mason Insurance web site. To
help make sense of this problem, Joseph decided to access the Web site using his dial-up ISP. He
disconnected his laptop from the corporate internal network and used his modem to dial up the
same ISP used by Smith. After his modem connected, he quickly typed www.masonins.com in his
browser to reveal the following web page:
After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal
network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the
entire Web site, and determined that every system file and all the Web content on the server were
intact. How did the attacker accomplish this hack?
A. ARP spoofing
B. SQL injection
C. DNS poisoning
D. Routing table injection
Answer: C

NO.57 Under what conditions does a secondary name server request a zone transfer from a primary
name server?
A. When a primary SOA is higher than a secondary SOA
B. When a secondary SOA is higher than a primary SOA
C. When a primary name server has had its service restarted
D. When a secondary name server has had its service restarted
E. When the TTL falls to zero
Answer: A

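The following is an added example (not part of the original question bank) that makes the SOA comparison in NO.57 precise and parses the same record's timing fields that NO.31 refers to. The "higher" test is RFC 1982 serial-number arithmetic on a 32-bit counter, so a serial that has wrapped past 2^32 still counts as newer. The records are constructed; ns1.example.com and hostmaster.example.com are placeholder names.

```python
"""When a secondary asks for a zone transfer: SOA serial comparison.

Added example, not part of the original question bank. A secondary polls the
primary's SOA every 'refresh' seconds and requests AXFR/IXFR only when the
primary's serial is newer. 'Newer' is defined by RFC 1982 serial-number
arithmetic on a 32-bit counter, so a serial that wrapped past 2^32 still
counts as higher. The SOA records below are constructed; ns1.example.com and
hostmaster.example.com are placeholders.
"""

SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS
SERIAL_HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a, b):
    """True if serial a is 'greater than' b under RFC 1982 sequence arithmetic.

    Differences of exactly 2^31 are undefined by the RFC; this returns False
    for them, which makes a secondary refuse rather than transfer.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def parse_soa(rr_text):
    """Parse a one-line SOA RR in zone-file form into its named fields."""
    fields = rr_text.split()
    if len(fields) != 11 or fields[2:4] != ["IN", "SOA"]:
        raise ValueError(f"not a one-line SOA record: {rr_text!r}")
    name, ttl, _cls, _typ, mname, rname = fields[:6]
    serial, refresh, retry, expire, minimum = map(int, fields[6:])
    return {"name": name, "ttl": int(ttl), "mname": mname, "rname": rname,
            "serial": serial, "refresh": refresh, "retry": retry,
            "expire": expire, "minimum": minimum}


def secondary_should_transfer(primary_soa, secondary_soa):
    """The secondary pulls the zone only when the primary's serial is newer."""
    return serial_gt(primary_soa["serial"], secondary_soa["serial"])


# Constructed records; the serial uses the YYYYMMDDnn convention.
PRIMARY = parse_soa("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
                    "2024010102 7200 3600 1209600 300")
SECONDARY = parse_soa("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
                      "2024010101 7200 3600 1209600 300")

if __name__ == "__main__":
    print("transfer needed:", secondary_should_transfer(PRIMARY, SECONDARY))
    print("poll again in", PRIMARY["refresh"], "s; negative answers cached for",
          PRIMARY["minimum"], "s")
    print("wrapped serial 5 newer than 4294967290:", serial_gt(5, 4294967290))
```

The refresh, retry and expire fields, together with the TTL on each record, bound how long a resolver or secondary will keep serving data it already holds, which is why the SOA is the record to read when estimating how long a poisoned answer can persist.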
NO.58 Which of the following can take an arbitrary length of input and produce a message digest
output of 160 bits?
A. SHA-1
B. MD5
C. HAVAL
D. MD4
Answer: A

NO.59 You went to great lengths to install all the necessary technologies to prevent hacking attacks,
such as expensive firewalls, antivirus software, anti-spam systems and intrusion detection/prevention
tools in your company's network. You have configured the most secure policies and tightened every
device on your network. You are confident that hackers will never be able to gain access to your
network with such a complex security system in place.
Your peer, Peter Smith, who works in the same department, disagrees with you.
He says even the best network security technologies cannot prevent hackers gaining access to the
network because of the presence of a "weakest link" in the security chain.
What is Peter Smith talking about?
A. Untrained staff or ignorant computer users who inadvertently become the weakest link in your
security chain
B. "Zero-day" exploits are the weakest link in the security chain since the IDS will not be able to
detect these attacks
C. "Polymorphic viruses" are the weakest link in the security chain since the Anti-Virus scanners will
not be able to detect these attacks
D. Continuous Spam e-mails cannot be blocked by your security system since spammers use different
techniques to bypass the filters in your gateway
Answer: A

NO.60 Which of the following types of firewalls ensures that the packets are part of the established
session?
A. Stateful inspection firewall
B. Circuit-level firewall
C. Application-level firewall
D. Switch-level firewall
Answer: A
Explanation
A stateful firewall is a network firewall that tracks the operating state and characteristics of network
connections traversing it. The firewall is configured to distinguish legitimate packets for different
types of connections. Only packets matching a known active connection (session) are allowed to pass
the firewall.
References: https://en.wikipedia.org/wiki/Stateful_firewall

NO.61 You are a Network Security Officer. You have two machines. The first machine (192.168.0.99)
has snort installed, and the second machine (192.168.0.150) has kiwi syslog installed. You perform a
syn scan in your network, and you notice that kiwi syslog is not receiving the alert message from
snort. You decide to run wireshark in the snort machine to check if the messages are going to the kiwi
syslog machine.
What wireshark filter will show the connections from the snort machine to the kiwi syslog machine?
A. tcp.dstport==514 && ip.dst==192.168.0.150
B. tcp.srcport==514 && ip.src==192.168.0.99
C. tcp.dstport==514 && ip.dst==192.168.0.0/16
D. tcp.srcport==514 && ip.src==192.168.150
Answer: A
Explanation
We need to filter on the destination port at the destination IP. The destination IP is 192.168.0.150,
where the kiwi syslog is installed.
References: https://wiki.wireshark.org/DisplayFilters

NO.62 Which of the following can the administrator do to verify that a tape backup can be
recovered in its entirety?
A. Restore a random file.
B. Perform a full restore.
C. Read the first 512 bytes of the tape.
D. Read the last 512 bytes of the tape.
Answer: B
Explanation
A full restore is required.

NO.63 What would you type on the Windows command line in order to launch the Computer
Management Console provided that you are logged in as an admin?
A. c:\compmgmt.msc
B. c:\gpedit
C. c:\ncpa.cpl
D. c:\services.msc
Answer: A

NO.64 What is the role of test automation in security testing?
A. It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot
replace manual testing completely.
B. It is an option but it tends to be very expensive.
C. It should be used exclusively. Manual testing is outdated because of low speed and possible test
setup inconsistencies.
D. Test automation is not usable in security due to the complexity of the tests.
Answer: A

NO.65 Which of the following programming languages is most vulnerable to buffer overflow
attacks?
A. Perl
B. C++
C. Python
D. Java
Answer: B

NO.66 You want to do an ICMP scan on a remote computer using hping2. What is the proper syntax?
A. hping2 host.domain.com
B. hping2 --set-ICMP host.domain.com
C. hping2 -i host.domain.com
D. hping2 -1 host.domain.com
Answer: D

NO.67 Which of the following tools is used to analyze the files produced by several packet-capture
programs such as tcpdump, WinDump, Wireshark, and EtherPeek?
A. tcptrace
B. tcptraceroute
C. Nessus
D. OpenVAS
Answer: A
Explanation
tcptrace is a tool for analysis of TCP dump files. It can take as input the files produced by several
popular packet-capture programs, including tcpdump/WinDump/Wireshark, snoop, EtherPeek, and
Agilent NetMetrix.
References: https://en.wikipedia.org/wiki/Tcptrace

NO.68 Which protocol is used for setting up secured channels between two devices, typically in
VPNs?
A. IPSEC
B. PEM
C. SET
D. PPP
Answer: A

NO.69 What is the approximate cost of replacement and recovery operation per year of a hard drive
that has a value of $300, given that the technician who charges $10/hr would need 10 hours to
restore the OS and software and a further 4 hours to restore the database from the last backup to
the new hard disk? Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%).
A. $440
B. $100
C. $1320
D. $146
Answer: D

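As an added example (not part of the original question bank), the block below works the SLE, ARO and ALE figures for NO.69 and shows which annual rate each answer choice corresponds to. The question states no drive lifetime, so the ARO of one failure every three years is an assumption introduced here to show the arithmetic; it is the rate that reproduces the $146 answer.

```python
"""Working the SLE / ARO / ALE figures for the hard-drive question.

Added example, not part of the original question bank. Single loss expectancy
is the asset value times exposure factor plus the labour to rebuild; annualised
loss expectancy multiplies that by how often the event is expected per year.
The question gives no drive lifetime, so the ARO of one failure every three
years used below is an assumption made to show the arithmetic; it is the rate
that reproduces the $146 answer.
"""


def single_loss_expectancy(asset_value, exposure_factor, labour_hours, hourly_rate):
    """SLE = AV x EF + recovery labour (money lost per single occurrence)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor + labour_hours * hourly_rate


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO, the expected loss per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def hard_drive_case(expected_lifetime_years=3):
    """Figures from the question: $300 drive, EF 1, 10 h + 4 h of labour at $10/h."""
    sle = single_loss_expectancy(300, 1.0, 10 + 4, 10)
    aro = 1 / expected_lifetime_years   # assumption: one failure per drive lifetime
    return {"SLE": sle, "ARO": aro, "ALE": annualized_loss_expectancy(sle, aro)}


if __name__ == "__main__":
    case = hard_drive_case()
    print(f"SLE ${case['SLE']:.0f}  ARO {case['ARO']:.3f}/yr  ALE ${case['ALE']:.2f}")
    # The other dollar answer choices correspond to different AROs on the same SLE:
    for aro in (1, 3):
        print(f"ARO {aro}/yr -> ALE ${annualized_loss_expectancy(case['SLE'], aro):.0f}")
```

The SLE of $440 is answer A and an ARO of 3 per year gives $1320 (answer C); only an ARO of about one third produces the $146 the question expects, so the figure hinges on an unstated three-year drive lifetime.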
767NO.70 A recently hired network security associate at a local bank was given the responsibility to
768perform daily scans of the internal network to look for unauthorized devices. The employee decides
769to write a script that will scan the network for unauthorized devices every morning at 5:00 am.
770Which of the following programming languages would most likely be used?
771A. PHP
772B. C#
773C. Python
774D. ASP.NET
775Answer: C
776
777NO.71 As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external
778security assessment through penetration testing.
779What document describes the specifics of the testing, the associated violations, and essentially
780protects both the organization's interest and your liabilities as a tester?
781A. Terms of Engagement
782B. Project Scope
783C.
784NO.-Disclosure Agreement
785D. Service Level Agreement
786Answer: A
787
NO.72 When comparing the testing methodologies of the Open Web Application Security Project
(OWASP) and the Open Source Security Testing Methodology Manual (OSSTMM), the main difference is
A. OWASP is for web applications and OSSTMM does not include web applications.
B. OSSTMM is gray box testing and OWASP is black box testing.
C. OWASP addresses controls and OSSTMM does not.
D. OSSTMM addresses controls and OWASP does not.
Answer: D

NO.73 Sophia travels a lot and worries that her laptop containing confidential documents might be
stolen. What is the best protection that will work for her?
A. Password protected files
B. Hidden folders
C. BIOS password
D. Full disk encryption.
Answer: D

NO.74 The establishment of a TCP connection involves a negotiation called the 3-way handshake. What
type of message does the client send to the server in order to begin this negotiation?
A. RST
B. ACK
C. SYN-ACK
D. SYN
Answer: D

NO.75 Which protocol is used for setting up secure channels between two devices, typically in
VPNs?
A. PPP
B. IPSEC
C. PEM
D. SET
Answer: B

NO.76 What term describes the amount of risk that remains after the vulnerabilities are classified
and the countermeasures have been deployed?
A. Residual risk
B. Inherent risk
C. Deferred risk
D. Impact risk
Answer: A
Explanation
The residual risk is the risk or danger of an action, an event, a method or a (technical) process that
remains even if all theoretically possible (scientifically conceivable) safety measures were applied; in
other words, the amount of risk left over after natural or inherent risks have been reduced by risk
controls.
References: https://en.wikipedia.org/wiki/Residual_risk

NO.77 Peter, a Network Administrator, has come to you looking for advice on a tool that would help
him perform SNMP enquiries over the network.
Which of these tools would do the SNMP enumeration he is looking for? Select the best answers.
A. SNMPUtil
B. SNScan
C. SNMPScan
D. Solarwinds IP Network Browser
E. NMap
Answer: A B D

NO.78 Which of the following represents the initial two commands that an IRC client sends to join an
IRC network?
A. USER, NICK
B. LOGIN, NICK
C. USER, PASS
D. LOGIN, USER
Answer: A

NO.79 An attacker, using a rogue wireless AP, performed an MITM attack and injected HTML
code to embed a malicious applet in all HTTP connections.
When users accessed any page, the applet ran and exploited many machines.
Which one of the following tools did the hacker probably use to inject the HTML code?
A. Wireshark
B. Ettercap
C. Aircrack-ng
D. Tcpdump
Answer: B

NO.80 Craig received a report of all the computers on the network that showed all the missing
patches and weak passwords. What type of software generated this report?
A. a port scanner
B. a vulnerability scanner
C. a virus scanner
D. a malware scanner
Answer: B

NO.81 Which of the following antennas is commonly used in communications for a frequency band
of 10 MHz to VHF and UHF?
A. Omnidirectional antenna
B. Dipole antenna
C. Yagi antenna
D. Parabolic grid antenna
Answer: C

NO.82 What is the name of the international standard that establishes a baseline level of confidence
in the security functionality of IT products by providing a set of requirements for evaluation?
A. Blue Book
B. ISO 26029
C. Common Criteria
D. The Wassenaar Agreement
Answer: C

NO.83 Switches maintain a CAM Table that maps individual MAC addresses on the network to
physical ports on the switch.
In a MAC flooding attack, a switch is fed by the attacker with many Ethernet frames, each containing a
different source MAC address. Switches have a limited memory for mapping various MAC
addresses to physical ports. What happens when the CAM table becomes full?
A. The switch then acts as a hub by broadcasting packets to all machines on the network
B. The CAM overflow table will cause the switch to crash, causing Denial of Service
C. The switch replaces outgoing frames with the switch factory default MAC address of FF:FF:FF:FF:FF:FF
D. Every packet is dropped and the switch sends out SNMP alerts to the IDS port
Answer: A

NO.84 A company recently hired your team of Ethical Hackers to test the security of their network
systems. The company wants to have the attack be as realistic as possible. They did not provide any
information besides the name of their company. What phase of security testing would your team
jump in right away?
A. Scanning
B. Reconnaissance
C. Escalation
D. Enumeration
Answer: B

NO.85 Study the snort rule given below:
From the options below, choose the exploit against which this rule applies.
A. WebDav
B. SQL Slammer
C. MS Blaster
D. MyDoom
Answer: C

NO.86 Which of the following programming languages is most susceptible to buffer overflow
attacks, due to its lack of a built-in bounds checking mechanism?
Output:
Segmentation fault
A. C#
B. Python
C. Java
D. C++
Answer: D

NO.87 You have compromised a server and successfully gained root access. You want to pivot and
pass traffic undetected over the network and evade any possible Intrusion Detection System.
What is the best approach?
A. Install Cryptcat and encrypt outgoing packets from this server.
B. Install and use Telnet to encrypt all outgoing traffic from this server.
C. Use Alternate Data Streams to hide the outgoing packets from this server.
D. Use HTTP so that all traffic can be routed via a browser, thus evading the internal Intrusion
Detection Systems.
Answer: A
Explanation
Cryptcat enables us to communicate between two systems and encrypts the communication
between them with Twofish.
References:
http://null-byte.wonderhowto.com/how-to/hack-like-pro-create-nearly-undetectable-backdoorwith-cryptcat-0149

NO.88 If you want to scan only fewer ports than the default scan using the Nmap tool, which option
would you use?
A. -sP
B. -P
C. -r
D. -F
Answer: B

NO.89 The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE's Common
Vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the OpenSSL implementation
of the transport layer security (TLS) protocols defined in RFC6520.
What type of key does this bug leave exposed to the Internet, making exploitation of any
compromised system very easy?
A. Private
B. Public
C. Shared
D. Root
Answer: A
Explanation
The data obtained by a Heartbleed attack may include unencrypted exchanges between TLS parties
likely to be confidential, including any form post data in users' requests. Moreover, the confidential
data exposed could include authentication secrets such as session cookies and passwords, which
might allow attackers to impersonate a user of the service.
An attack may also reveal private keys of compromised parties.
References: https://en.wikipedia.org/wiki/Heartbleed

NO.90 Which of the following network attacks relies on sending an abnormally large packet size that
exceeds TCP/IP specifications?
A. Ping of death
B. SYN flooding
C. TCP hijacking
D. Smurf attack
Answer: A

NO.91 Which of the following tools can be used for passive OS fingerprinting?
A. tcpdump
B. nmap
C. ping
D. tracert
Answer: A
Explanation
Passive operating system fingerprinting is a feature built into both the pf and tcpdump tools.
References:
http://geek00l.blogspot.se/2007/04/tcpdump-privilege-dropping-passive-os.html

NO.92 Which method can provide a better return on IT security investment and provide a thorough
and comprehensive assessment of organizational security covering policy, procedure design, and
implementation?
A. Penetration testing
B. Social engineering
C. Vulnerability scanning
D. Access control list reviews
Answer: A

NO.93 You receive an e-mail like the one shown below. When you click on the link contained in the
mail, you are redirected to a website seeking you to download free Anti-Virus software.
Dear valued customers,
We are pleased to announce the newest version of Antivirus 2010 for Windows which will probe you
with total security against the latest spyware, malware, viruses, Trojans and other online threats.
Simply visit the link below and enter your antivirus code:
or you may contact us at the following address:
Media Internet Consultants, Edif. Neptuno Planta
Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a Panama
How will you determine if this is a Real Anti-Virus or Fake Anti-Virus website?
A. Look at the website design; if it looks professional then it is a Real Anti-Virus website
B. Connect to the site using SSL; if you are successful then the website is genuine
C. Search using the URL and Anti-Virus product name in Google and look out for suspicious
warnings against this site
D. Download and install Anti-Virus software from this suspicious looking site; your Windows 7 will
prompt you and stop the installation if the downloaded file is malware
Answer: C

NO.94 You've gained physical access to a Windows 2008 R2 server which has an accessible disc
drive. When you attempt to boot the server and log in, you are unable to guess the password. In your
tool kit you have an Ubuntu 9.10 Linux LiveCD. Which Linux based tool has the ability to change any
user's password or to activate disabled Windows accounts?
A. CHNTPW
B. Cain & Abel
C. SET
D. John the Ripper
Answer: A
Explanation
chntpw is a software utility for resetting or blanking local passwords used by Windows NT, 2000, XP,
Vista, 7, 8 and 8.1. It does this by editing the SAM database where Windows stores password hashes.
References: https://en.wikipedia.org/wiki/Chntpw

NO.95 Which protocol and port number might be needed in order to send log messages to a log
analysis tool that resides behind a firewall?
A. UDP 123
B. UDP 541
C. UDP 514
D. UDP 415
Answer: C

NO.96 Which of the following tools will scan a network to perform vulnerability checks and
compliance auditing?
A. NMAP
B. Metasploit
C. Nessus
D. BeEF
Answer: C

NO.97 Which of the following processes of PKI (Public Key Infrastructure) ensures that a trust
relationship exists and that a certificate is still valid for specific operations?
A. Certificate issuance
B. Certificate validation
C. Certificate cryptography
D. Certificate revocation
Answer: B

NO.98 Which of the following describes the characteristics of a Boot Sector Virus?
A. Moves the MBR to another location on the hard disk and copies itself to the original location of
the MBR
B. Moves the MBR to another location in RAM and copies itself to the original location of the
MBR
C. Modifies directory table entries so that directory entries point to the virus code instead of the
actual program
D. Overwrites the original MBR and only executes the new virus code
Answer: A
Explanation
A boot sector virus is a computer virus that infects a storage device's master boot record (MBR). The
virus moves the boot sector to another location on the hard drive.
References: https://www.techopedia.com/definition/26655/boot-sector-virus

NO.99 Bob is doing a password assessment for one of his clients. Bob suspects that security policies
are not in place.
He also suspects that weak passwords are probably the norm throughout the company he is
evaluating. Bob is familiar with password weaknesses and key loggers.
Which of the following options best represents the means that Bob can adopt to retrieve passwords
from his client's hosts and servers?
A. Hardware, Software, and Sniffing.
B. Hardware and Software Keyloggers.
C. Passwords are always best obtained using Hardware key loggers.
D. Software only, they are the most effective.
Answer: A

NO.100 The chance of a hard drive failure is once every three years. The cost to buy a new hard
drive is $300. It will require 10 hours to restore the OS and software to the new hard disk. It will
require a further 4 hours to restore the database from the last backup to the new hard disk. The
recovery person earns $10/hour. Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%).
What is the closest approximate cost of this replacement and recovery operation per year?
A. $146
B. $1320
C. $440
D. $100
Answer: A
Explanation
The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the
single loss expectancy (SLE).
Suppose that an asset is valued at $100,000, and the Exposure Factor (EF) for this asset is 25%. The
single loss expectancy (SLE) then is 25% * $100,000, or $25,000.
In our example the ARO is 33%, and the SLE is 300+14*10 (as EF=1). The ALE is thus:
33%*(300+14*10), which equals 146.
References: https://en.wikipedia.org/wiki/Annualized_loss_expectancy

NO.101 You are logged in as a local admin on a Windows 7 system and you need to launch the
Computer Management Console from the command line.
Which command would you use?
A. c:\compmgmt.msc
B. c:\services.msc
C. c:\ncpa.cp
D. c:\gpedit
Answer: A
Explanation
To start the Computer Management Console from the command line, just type compmgmt.msc
/computer:computername in your run box or at the command line and it should automatically open
the Computer Management console.
References:
http://www.waynezim.com/tag/compmgmtmsc/

NO.102 Which Open Web Application Security Project (OWASP) project implements a web application full of
known vulnerabilities?
A. WebBugs
B. WebGoat
C. VULN_HTML
D. WebScarab
Answer: B

NO.103 Identify the web application attack where the attackers exploit vulnerabilities in dynamically
generated web pages to inject client-side script into web pages viewed by other users.
A. SQL injection attack
B. Cross-Site Scripting (XSS)
C. LDAP Injection attack
D. Cross-Site Request Forgery (CSRF)
Answer: B

NO.104 You have successfully gained access to a Linux server and would like to ensure that the
subsequent outgoing traffic from this server will not be caught by a Network Based Intrusion
Detection System (NIDS).
What is the best way to evade the NIDS?
A. Encryption
B. Protocol Isolation
C. Alternate Data Streams
D. Out of band signalling
Answer: A
Explanation
When the NIDS encounters encrypted traffic, the only analysis it can perform is packet level analysis,
since the application layer contents are inaccessible. Given that exploits against today's networks are
primarily targeted against network services (application layer entities), packet level analysis ends up
doing very little to protect our core business assets.
References:
http://www.techrepublic.com/article/avoid-these-five-common-ids-implementation-errors/

NO.105 What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stacheldraht have in common?
A. All are hacking tools developed by the Legion of Doom
B. All are tools that can be used not only by hackers, but also by security personnel
C. All are DDOS tools
D. All are tools that are only effective against Windows
E. All are tools that are only effective against Linux
Answer: C

NO.106 The purpose of a __________ is to deny network access to local area networks and other
information assets by unauthorized wireless devices.
A. Wireless Intrusion Prevention System
B. Wireless Access Point
C. Wireless Access Control List
D. Wireless Analyzer
Answer: A
Explanation
A wireless intrusion prevention system (WIPS) is a network device that monitors the radio spectrum
for the presence of unauthorized access points (intrusion detection), and can automatically take
countermeasures (intrusion prevention).
References: https://en.wikipedia.org/wiki/Wireless_intrusion_prevention_system

NO.107 An attacker with access to the inside network of a small company launches a successful STP
manipulation attack. What will he do next?
A. He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer.
B. He will activate OSPF on the spoofed root bridge.
C. He will repeat the same attack against all L2 switches of the network.
D. He will repeat this action so that it escalates to a DoS attack.
Answer: A

NO.108 Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange
process. Which of the following is the correct bit size of Diffie-Hellman (DH) group 5?
A. 768 bit key
B. 1025 bit key
C. 1536 bit key
D. 2048 bit key
Answer: C

NO.109 Which among the following is a Windows command that a hacker can use to list all the
shares to which the current user context has access?
A. NET FILE
B. NET USE
C. NET CONFIG
D. NET VIEW
Answer: B

NO.110 If executives are found liable for not properly protecting their company's assets and
information systems, what type of law would apply in this situation?
A. Civil
B. International
C. Criminal
D. Common
Answer: A

NO.111 What is the following command used for?
net use \\target\ipc$ "" /u:""
A. Grabbing the etc/passwd file
B. Grabbing the SAM
C. Connecting to a Linux computer through Samba.
D. This command is used to connect as a null session
E. Enumeration of Cisco routers
Answer: D

NO.112 What hacking attack is challenge/response authentication used to prevent?
A. Replay attacks
B. Scanning attacks
C. Session hijacking attacks
D. Password cracking attacks
Answer: A

NO.113 Which of the following Secure Hashing Algorithms (SHA) produces a 160-bit digest from a
message with a maximum length of (2^64 - 1) bits and resembles the MD5 algorithm?
A. SHA-2
B. SHA-3
C. SHA-1
D. SHA-0
Answer: C

NO.114 In order to show improvement of security over time, what must be developed?
A. Reports
B. Testing tools
C. Metrics
D. Taxonomy of vulnerabilities
Answer: C
Explanation
Today, management demands metrics to get a clearer view of security.
Metrics that measure participation, effectiveness, and window of exposure, however, offer
information the organization can use to make plans and improve programs.
References:
http://www.infoworld.com/article/2974642/security/4-security-metrics-that-matter.html

NO.115 Due to a slowdown of normal network operations, the IT department decided to monitor
internet traffic for all of the employees. From a legal standpoint, what would be troublesome about taking
this kind of measure?
A. All of the employees would stop normal work activities
B. The IT department would be telling employees who the boss is
C. Not informing the employees that they are going to be monitored could be an invasion of privacy.
D. The network could still experience traffic slowdown.
Answer: C

NO.116 These hackers have limited or no training and know how to use only basic techniques or
tools.
What kind of hackers are we talking about?
A. Black-Hat Hackers
B. Script Kiddies
C. White-Hat Hackers
D. Gray-Hat Hacker
Answer: C

NO.117 You are monitoring the network of your organization. You notice that:
Which of the following solutions will you suggest?
A. Block the Blacklist IP's @ Firewall
B. Update the Latest Signatures on your IDS/IPS
C. Clean the Malware which are trying to Communicate with the External Blacklist IP's
D. Both B and C
Answer: D

NO.118 What tool and process are you going to use in order to remain undetected by an IDS while
pivoting and passing traffic over a server you've compromised and gained root access to?
A. Install Cryptcat and encrypt outgoing packets from this server.
B. Use HTTP so that all traffic can be routed via a browser, thus evading the internal Intrusion
Detection Systems.
C. Use Alternate Data Streams to hide the outgoing packets from this server.
Answer: B

NO.119 When discussing passwords, what is considered a brute force attack?
A. You attempt every single possibility until you exhaust all possible combinations or discover the
password
B. You threaten to use the rubber hose on someone unless they reveal their password
C. You load a dictionary of words into your cracking program
D. You create hashes of a large number of words and compare them with the encrypted passwords
E. You wait until the password expires
Answer: A

NO.120 Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS)
flaws in software applications?
A. Validate and escape all information sent to a server
B. Use security policies and procedures to define and implement proper security settings
C. Verify access rights before allowing access to protected information and UI controls
D. Use digital certificates to authenticate a server prior to sending data
Answer: A
Explanation
Contextual output encoding/escaping could be used as the primary defense mechanism to stop
Cross-site Scripting (XSS) attacks.
References:
https://en.wikipedia.org/wiki/Cross-site_scripting#Contextual_output_encoding.2Fescaping_of_string_input

NO.121 Emil uses nmap to scan two hosts using this command.
nmap -sS -T4 -O 192.168.99.1 192.168.99.7
He receives this output:
What is his conclusion?
A. Host 192.168.99.7 is an iPad.
B. He performed a SYN scan and OS scan on hosts 192.168.99.1 and 192.168.99.7.
C. Host 192.168.99.1 is the host that he launched the scan from.
D. Host 192.168.99.7 is down.
Answer: B

NO.122 What is GINA?
A. Gateway Interface Network Application
B. GUI Installed Network Application CLASS
C. Global Internet National Authority (G-USA)
D. Graphical Identification and Authentication DLL
Answer: D

NO.123 After gaining access to the password hashes used to protect access to a web based
application, knowledge of which cryptographic algorithm would be useful to gain access to the
application?
A. SHA1
B. Diffie-Helman
C. RSA
D. AES
Answer: A

NO.124 A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur
on his network.
What are some things he can do to prevent it? Select the best answers.
A. Use port security on his switches.
B. Use a tool like ARPwatch to monitor for strange ARP activity.
C. Use a firewall between all LAN segments.
D. If you have a small network, use static ARP entries.
E. Use only static IP addresses on all PC's.
Answer: A B D

NO.125 A hacker has successfully infected an internet-facing server which he will then use to send
junk mail, take part in coordinated attacks, or host junk email content.
Which sort of trojan infects this server?
A. Botnet Trojan
B. Turtle Trojans
C. Banking Trojans
D. Ransomware Trojans
Answer: A
Explanation
In computer science, a zombie is a computer connected to the Internet that has been compromised
by a hacker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or
another under remote direction. Botnets of zombie computers are often used to spread e-mail spam
and launch denial-of-service attacks. Most owners of zombie computers are unaware that their
system is being used in this way. Because the owner tends to be unaware, these computers are
metaphorically compared to zombies. A coordinated DDoS attack by multiple botnet machines also
resembles a zombie horde attack.

NO.126 You have initiated an active operating system fingerprinting attempt with nmap against a
target system:
What operating system is the target host running based on the open ports shown above?
A. Windows XP
B. Windows 98 SE
C. Windows NT4 Server
D. Windows 2000 Server
Answer: D

NO.127 In which phase of the ethical hacking process can Google hacking be employed? This is a
technique that involves manipulating a search string with specific operators to search for
vulnerabilities.
Example:
allintitle: root passwd
A. Maintaining Access
B. Gaining Access
C. Reconnaissance
D. Scanning and Enumeration
Answer: C

NO.128 A company's security policy states that all Web browsers must automatically delete their
HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to
mitigate?
A. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user's
authentication credentials.
B. Attempts by attackers to access the user and password information stored in the company's SQL
database.
C. Attempts by attackers to access passwords stored on the user's computer without the user's
knowledge.
D. Attempts by attackers to determine the user's Web browser usage patterns, including when sites
were visited and for how long.
Answer: A
Explanation
Cookies can store passwords and form content a user has previously entered, such as a credit card
number or an address.
Cookies can be stolen using a technique called cross-site scripting. This occurs when an attacker takes
advantage of a website that allows its users to post unfiltered HTML and JavaScript content.
References: https://en.wikipedia.org/wiki/HTTP_cookie#Cross-site_scripting_.E2.80.93_cookie_theft

NO.129 Which of the following are well known password-cracking programs?
A. L0phtcrack
B. NetCat
C. Jack the Ripper
D. Netbus
E. John the Ripper
Answer: A E

NO.130 One of your team members has asked you to analyze the following SOA record. What is the
version?
Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.) (Choose
four.)
A. 200303028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800
Answer: A

NO.131 LM hash is a compromised password hashing function. Which of the following parameters
describe LM Hash?
I - The maximum password length is 14 characters.
II - There are no distinctions between uppercase and lowercase.
III - It's a simple algorithm, so 10,000,000 hashes can be generated per second.
A. I
B. I, II, and III
C. II
D. I and II
Answer: B

NO.132 Which Nmap option would you use if you were not concerned about being detected and
wanted to perform a very fast scan?
A. -T0
B. -T5
C. -O
D. -A
Answer: B

NO.133 Which of the following programs infects the system boot sector and the executable files at
the same time?
A. Stealth virus
B. Polymorphic virus
C. Macro virus
D. Multipartite Virus
Answer: D

NO.134 If you are to determine the attack surface of an organization, which of the following is the
BEST thing to do?
A. Running a network scan to detect network services in the corporate DMZ
B. Reviewing the need for a security clearance for each employee
C. Using configuration management to determine when and where to apply security patches
D. Training employees on the security policy regarding social engineering
Answer: A

NO.135 Which is the first step followed by Vulnerability Scanners for scanning a network?
A. TCP/UDP Port scanning
B. Firewall detection
C. OS Detection
D. Checking if the remote host is alive
Answer: D

NO.136 While testing the company's web applications, a tester attempts to insert the following test
script into the search area on the company's web site:
<script>alert("Testing Testing Testing")</script>
Afterwards, when the tester presses the search button, a pop-up box appears on the screen with the
text:
"Testing Testing Testing". Which vulnerability has been detected in the web application?
A. Buffer overflow
B. Cross-site request forgery
C. Distributed denial of service
D. Cross-site scripting
Answer: D

NO.137 Which system consists of a publicly available set of databases that contain domain name
registration contact information?
A. WHOIS
B. IANA
C. CAPTCHA
D. IETF
Answer: A

NO.138 A pen tester is configuring a Windows laptop for a test. In setting up Wireshark, what driver
and library are required to allow the NIC to work in promiscuous mode?
A. Libpcap
B. Awinpcap
C. Winprom
D. Winpcap
Answer: D

NO.139 You perform a scan of your company's network and discover that TCP port 123 is open.
What service by default runs on TCP port 123?
A. Telnet
B. POP3
C. Network Time Protocol
D. DNS
Answer: C

NO.140
What does the option * indicate?
A. s
B. t
C. n
D. a
Answer: C

NO.141 Which of the following is a command line packet analyzer similar to the GUI-based Wireshark?
A. tcpdump
B. nessus
C. ethereal
D. Jack the ripper
Answer: A
Explanation
tcpdump is a common packet analyzer that runs under the command line. It allows the user to
display TCP/IP and other packets being transmitted or received over a network to which the
computer is attached.
References: https://en.wikipedia.org/wiki/Tcpdump

NO.142 Bob, a network administrator at BigUniversity, realized that some students are connecting
their notebooks to the wired network to have Internet access. On the university campus, there are
many Ethernet ports available for professors and authorized visitors but not for students.
He identified this when the IDS alerted on malware activities in the network.
What should Bob do to avoid this problem?
A. Disable unused ports in the switches
B. Separate students in a different VLAN
C. Use the 802.1x protocol
D. Ask students to use the wireless network
Answer: C

NO.143 While performing ping scans into a target network you get a frantic call from the
organization's security team.
They report that they are under a denial of service attack. When you stop your scan, the smurf attack
event stops showing up on the organization's IDS monitor.
How can you modify your scan to prevent triggering this event in the IDS?
A. Scan more slowly.
B. Do not scan the broadcast IP.
C. Spoof the source IP address.
D. Only scan the Windows systems.
Answer: B

NO.144 While doing a technical assessment to determine network vulnerabilities, you used the TCP
XMAS scan. What would be the response of all open ports?
A. The port will send an ACK
B. The port will send a SYN
C. The port will ignore the packets
D. The port will send an RST
Answer: C

1592NO.145 Which of the following techniques will identify if computer files have been changed?
1593A. Network sniffing
1594B. Permission sets
1595C. Integrity checking hashes
1596D. Firewall alerts
1597Answer: C
1598
NO.146 Which tool would be used to collect wireless packet data?
A. NetStumbler
B. John the Ripper
C. Nessus
D. Netcat
Answer: A

NO.147 You are a security officer of a company. You had an alert from IDS that indicates that one PC
on your Intranet is connected to a blacklisted IP address (C2 Server) on the Internet. The IP address
was blacklisted just before the alert. You are starting an investigation to roughly analyze the severity
of the situation. Which of the following is appropriate to analyze?
A. Event logs on the PC
B. Internet Firewall/Proxy log
C. IDS log
D. Event logs on domain controller
Answer: B

NO.148 The network administrator for a company is setting up a website with e-commerce
capabilities. Packet sniffing is a concern because credit card information will be sent electronically
over the Internet. Customers visiting the site will need to encrypt the data with HTTPS. Which type of
certificate is used to encrypt and decrypt the data?
A. Asymmetric
B. Confidential
C. Symmetric
D. Non-confidential
Answer: A

NO.149 Log monitoring tools performing behavioral analysis have alerted several suspicious logins
on a Linux server occurring during non-business hours. After further examination of all login
activities, it is noticed that none of the logins have occurred during typical work hours. A Linux
administrator who is investigating this problem realizes the system time on the Linux server is wrong
by more than twelve hours. What protocol used on Linux servers to synchronize the time has stopped
working?
A. Time Keeper
B. NTP
C. PPP
D. OSPP
Answer: B

NO.150 Which command line switch would be used in NMAP to perform operating system
detection?
A. -OS
B. -sO
C. -sP
D. -O
Answer: D

NO.151 Which Intrusion Detection System is best applicable for large environments where critical
assets on the network need extra security and is ideal for observing sensitive network segments?
A. Network-based intrusion detection system (NIDS)
B. Host-based intrusion detection system (HIDS)
C. Firewalls
D. Honeypots
Answer: A

NO.152 Which tool can be used to silently copy files from USB devices?
A. USB Grabber
B. USB Dumper
C. USB Sniffer
D. USB Snoopy
Answer: B

NO.153 The following is part of a log file taken from the machine on the network with the IP address
of 192.168.1.106:
What type of activity has been logged?
A. Port scan targeting 192.168.1.103
B. Teardrop attack targeting 192.168.1.106
C. Denial of service attack targeting 192.168.1.103
D. Port scan targeting 192.168.1.106
Answer: D

NO.154 How does a denial-of-service attack work?
A. A hacker prevents a legitimate user (or group of users) from accessing a service
B. A hacker uses every character, word, or letter he or she can think of to defeat authentication
C. A hacker tries to decipher a password by using a system, which subsequently crashes the network
D. A hacker attempts to imitate a legitimate user by confusing a computer or even another person
Answer: A

NO.155 Which type of security document is written with specific step-by-step details?
A. Process
B. Procedure
C. Policy
D. Paradigm
Answer: B

NO.156 On performing a risk assessment, you need to determine the potential impacts when some
of the company's critical business processes have their service interrupted. What is the name of the
process by which you can determine those critical business processes?
A. Risk Mitigation
B. Emergency Plan Response (EPR)
C. Disaster Recovery Planning (DRP)
D. Business Impact Analysis (BIA)
Answer: D

NO.157 Why would an attacker want to perform a scan on port 137?
A. To discover proxy servers on a network
B. To disrupt the NetBIOS SMB service on the target host
C. To check for file and print sharing on Windows systems
D. To discover information about a target host using NBTSTAT
Answer: D

NO.158 Which of the following is an example of two factor authentication?
A. PIN Number and Birth Date
B. Username and Password
C. Digital Certificate and Hardware Token
D. Fingerprint and Smartcard ID
Answer: D

NO.159 Which of the following is the BEST way to defend against network sniffing?
A. Using encryption protocols to secure network communications
B. Register all machines' MAC addresses in a Centralized Database
C. Restrict Physical Access to Server Rooms hosting Critical Servers
D. Use Static IP Address
Answer: A
Explanation
A way to protect your network traffic from being sniffed is to use encryption such as Secure Sockets
Layer (SSL) or Transport Layer Security (TLS). Encryption doesn't prevent packet sniffers from seeing
source and destination information, but it does encrypt the data packet's payload so that all the
sniffer sees is encrypted gibberish.
References:
http://netsecurity.about.com/od/informationresources/a/What-Is-A-Packet-Sniffer.htm

NO.160 Bob finished a C programming course and created a small C application to monitor the
network traffic and produce alerts when any origin sends "many" IP packets, based on the average
number of packets sent by all origins and using some thresholds.
In concept, the solution developed by Bob is actually:
A. Just a network monitoring tool
B. A signature-based IDS
C. A hybrid IDS
D. A behavior-based IDS
Answer: A

NO.161 An NMAP scan of a server shows port 25 is open. What risk could this pose?
A. Open printer sharing
B. Web portal data leak
C. Clear text authentication
D. Active mail relay
Answer: D

NO.162 Which of the following problems can be solved by using Wireshark?
A. Tracking version changes of source code
B. Checking creation dates on all webpages on a server
C. Resetting the administrator password on multiple systems
D. Troubleshooting communication resets between two systems
Answer: D

NO.163 What kind of risk will remain even if all theoretically possible safety measures would be
applied?
A. Residual risk
B. Inherent risk
C. Impact risk
D. Deferred risk
Answer: A

NO.164 Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool
"SIDExtractor". Here is the output of the SIDs:
From the above list identify the user account with System Administrator privileges.
A. John
B. Rebecca
C. Sheela
D. Shawn
E. Somia
F. Chang
G. Micah
Answer: F

NO.165 When a normal TCP connection starts, a destination host receives a SYN (synchronize/start)
packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination
host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established. This
is referred to as the "TCP three-way handshake." While waiting for the ACK to the SYN ACK, a
connection queue of finite size on the destination host keeps track of connections waiting to be
completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds
after the SYN ACK.
How would an attacker exploit this design by launching a TCP SYN attack?
A. Attacker generates TCP SYN packets with random destination addresses towards a victim host
B. Attacker floods TCP SYN packets with random source addresses towards a victim host
C. Attacker generates TCP ACK packets with random source addresses towards a victim host
D. Attacker generates TCP RST packets with random source addresses towards a victim host
Answer: B

NO.166 An NMAP scan of a server shows port 69 is open. What risk could this pose?
A. Unauthenticated access
B. Weak SSL version
C. Cleartext login
D. Web portal data leak
Answer: A

NO.167 Which of the following is the least-likely physical characteristic to be used in biometric
control that supports a large company?
A. Height and Weight
B. Voice
C. Fingerprints
D. Iris patterns
Answer: A
Explanation
There are two main types of biometric identifiers: physiological characteristics and behavioral
characteristics.
Examples of physiological characteristics used for biometric authentication include fingerprints; DNA;
face, hand, retina or ear features; and odor. Behavioral characteristics are related to the pattern of
the behavior of a person, such as typing rhythm, gait, gestures and voice.
References:
http://searchsecurity.techtarget.com/definition/biometrics

NO.168 Which component of IPsec performs protocol-level functions that are required to encrypt
and decrypt the packets?
A. Internet Key Exchange (IKE)
B. Oakley
C. IPsec Policy Agent
D. IPsec driver
Answer: A

NO.169 Your company was hired by a small healthcare provider to perform a technical assessment
on the network.
What is the best approach for discovering vulnerabilities on a Windows-based computer?
A. Use a scan tool like Nessus
B. Use the built-in Windows Update tool
C. Check MITRE.org for the latest list of CVE findings
D. Create a disk image of a clean Windows installation
Answer: A
Explanation
Nessus is an open-source network vulnerability scanner that uses the Common Vulnerabilities and
Exposures architecture for easy cross-linking between compliant security tools.
The Nessus server is currently available for Unix, Linux and FreeBSD. The client is available for Unix- or
Windows-based operating systems.

Note: Significant capabilities of Nessus include:
References:
http://searchnetworking.techtarget.com/definition/Nessus

NO.170 Which mode of IPSec should you use to assure security and confidentiality of data within
the same LAN?
A. ESP transport mode
B. AH promiscuous
C. ESP confidential
D. AH Tunnel mode
Answer: A
Explanation
When transport mode is used, IPSec encrypts only the IP payload. Transport mode provides the
protection of an IP payload through an AH or ESP header. Encapsulating Security Payload (ESP)
provides confidentiality (in addition to authentication, integrity, and anti-replay protection) for the IP
payload.

NO.171 Which of the following tools performs comprehensive tests against web servers, including
dangerous files and CGIs?
A. Nikto
B. Snort
C. John the Ripper
D. Dsniff
Answer: A
Explanation
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web
servers for multiple items, including over 6700 potentially dangerous files/CGIs, checks for outdated
versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for
server configuration items such as the presence of multiple index files, HTTP server options, and will
attempt to identify installed web servers and software. Scan items and plugins are frequently
updated and can be automatically updated.
References: https://en.wikipedia.org/wiki/Nikto_Web_Scanner

NO.172 In the context of password security, a simple dictionary attack involves loading a dictionary
file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the
Ripper, and running it against user accounts located by the application. The larger the word and word
fragment selection, the more effective the dictionary attack is. The brute force method is the most
inclusive, although slow. It usually tries every possible letter and number combination in its
automated exploration. If you would use both brute force and dictionary methods combined
together to have variation of words, what would you call such an attack?
A. Full Blown
B. Thorough
C. Hybrid
D. BruteDics
Answer: C

NO.173 A company is using Windows Server 2003 for its Active Directory (AD). What is the most
efficient way to crack the passwords for the AD users?
A. Perform a dictionary attack.
B. Perform a brute force attack.
C. Perform an attack with a rainbow table.
D. Perform a hybrid attack.
Answer: C

NO.174 Initiating an attack against targeted businesses and organizations, threat actors compromise
a carefully selected website by inserting an exploit resulting in malware infection. The attackers run
exploits on well-known and trusted sites likely to be visited by their targeted victims. Aside from
carefully choosing sites to compromise, these attacks are known to incorporate zero-day exploits that
target unpatched vulnerabilities. Thus, the targeted entities are left with little or no defense against
these exploits.
What type of attack is outlined in the scenario?
A. Watering Hole Attack
B. Heartbleed Attack
C. Shellshock Attack
D. Spear Phishing Attack
Answer: A
Explanation
Watering Hole is a computer attack strategy, in which the victim is a particular group (organization,
industry, or region). In this attack, the attacker guesses or observes which websites the group often
uses and infects one or more of them with malware. Eventually, some member of the targeted group
gets infected.

NO.175 Nedved is an IT Security Manager of a bank in his country. One day, he found out that there
is a security breach to his company's email server based on analysis of a suspicious connection from
the email server to an unknown IP Address.
What is the first thing that Nedved needs to do before contacting the incident response team?
A. Leave it as it is and contact the incident response team right away
B. Block the connection to the suspicious IP Address from the firewall
C. Disconnect the email server from the network
D. Migrate the connection to the backup email server
Answer: C

NO.176 A tester has been using the msadc.pl attack script to execute arbitrary commands on a
Windows NT4 web server. While it is effective, the tester finds it tedious to perform extended
functions. On further research, the tester comes across a perl script that runs the following msadc
functions:
Which exploit is indicated by this script?
A. A buffer overflow exploit
B. A chained exploit
C. A SQL injection exploit
D. A denial of service exploit
Answer: B

NO.177 From the two screenshots below, which of the following is occurring?
A. 10.0.0.253 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan
against 10.0.0.2.
B. 10.0.0.253 is performing an IP scan against 10.0.0.2, 10.0.0.252 is performing a port scan against
10.0.0.2.
C. 10.0.0.2 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan against
10.0.0.2.
D. 10.0.0.252 is performing an IP scan against 10.0.0.2, 10.0.0.252 is performing a port scan against
10.0.0.2.
Answer: A

NO.178 What tool can crack Windows SMB passwords simply by listening to network traffic?
A. This is not possible
B. Netbus
C. NTFSDOS
D. L0phtcrack
Answer: D

NO.179 What is the difference between the AES and RSA algorithms?
A. Both are asymmetric algorithms, but RSA uses 1024-bit keys.
B. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is
used to encrypt data.
C. Both are symmetric algorithms, but AES uses 256-bit keys.
D. AES is asymmetric, which is used to create a public/private key pair; RSA is symmetric, which is
used to encrypt data.
Answer: B

NO.180 What port number is used by LDAP protocol?
A. 110
B. 389
C. 464
D. 445
Answer: B

NO.181 Which of the following types of jailbreaking allows user-level access but does not allow
iboot-level access?
A. Bootrom Exploit
B. iBoot Exploit
C. Sandbox Exploit
D. Userland Exploit
Answer: D

NO.182 Jack was attempting to fingerprint all machines in the network using the following Nmap
syntax:
invictus@victim_server:~$ nmap -T4 -O 10.10.0.0/24
TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING!
Obviously, it is not going through. What is the issue here?
A. OS Scan requires root privileges
B. The nmap syntax is wrong.
C. The outgoing TCP/IP fingerprinting is blocked by the host firewall
D. This is a common behavior for a corrupted nmap application
Answer: A

NO.183 What did the following commands determine?
A. That the Joe account has a SID of 500
B. These commands demonstrate that the guest account has not been disabled
C. These commands demonstrate that the guest account has been disabled
D. That the true administrator is Joe
E. Issued alone, these commands prove nothing
Answer: D

NO.184 Todd has been asked by the security officer to purchase a counter-based authentication
system. Which of the following best describes this type of system?
A. A biometric system that bases authentication decisions on behavioral attributes.
B. A biometric system that bases authentication decisions on physical attributes.
C. An authentication system that creates one-time passwords that are encrypted with secret keys.
D. An authentication system that uses passphrases that are converted into virtual passwords.
Answer: C

NO.185 WPA2 uses AES for wireless data encryption at which of the following encryption levels?
A. 64 bit and CCMP
B. 128 bit and CRC
C. 128 bit and CCMP
D. 128 bit and TKIP
Answer: C

NO.186 While examining audit logs, you discover that people are able to telnet into the SMTP server
on port 25. You would like to block this, though you do not see any evidence of an attack or other
wrongdoing. However, you are concerned about affecting the normal functionality of the email
server. From the following options choose how best you can achieve this objective?
A. Block port 25 at the firewall.
B. Shut off the SMTP service on the server.
C. Force all connections to use a username and password.
D. Switch from Windows Exchange to UNIX Sendmail.
E. None of the above.
Answer: E

NO.187 You are programming a buffer overflow exploit and you want to create a NOP sled of 200
bytes in the program exploit.c
What is the hexadecimal value of the NOP instruction?
A. 0x60
B. 0x80
C. 0x70
D. 0x90
Answer: D

NO.188 A virus that attempts to install itself inside the file it is infecting is called?
A. Tunneling virus
B. Cavity virus
C. Polymorphic virus
D. Stealth virus
Answer: B

NO.189 Which NMAP command combination would let a tester scan every TCP port from a class C
network that is blocking ICMP with fingerprinting and service detection?
A. NMAP -PN -A -O -sS 192.168.2.0/24
B. NMAP -P0 -A -O -p1-65535 192.168.0/24
C. NMAP -P0 -A -sT -p0-65535 192.168.0/16
D. NMAP -PN -O -sS -p 1-1024 192.168.0/8
Answer: B

NO.190 Port scanning can be used as part of a technical assessment to determine network
vulnerabilities. The TCP XMAS scan is used to identify listening ports on the targeted system.
If a scanned port is open, what happens?
A. The port will ignore the packets.
B. The port will send an RST.
C. The port will send an ACK.
D. The port will send a SYN.
Answer: A
Explanation
An attacker uses a TCP XMAS scan to determine if ports are closed on the target machine. This scan
type is accomplished by sending TCP segments with all flags set in the packet header, generating
packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment
with an out-of-state flag sent to an open port is discarded, whereas segments with out-of-state flags
sent to closed ports should be handled with a RST in response. This behavior should allow an attacker
to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed
by the TCB) and detect closed ports via RST packets.
References: https://capec.mitre.org/data/definitions/303.html

NO.191 Which type of security feature stops vehicles from crashing through the doors of a building?
A. Turnstile
B. Bollards
C. Mantrap
D. Receptionist
Answer: B

NO.192 Which of the following programs is usually targeted at Microsoft Office products?
A. Polymorphic virus
B. Multipart virus
C. Macro virus
D. Stealth virus
Answer: C
Explanation
A macro virus is a virus that is written in a macro language: a programming language which is
embedded inside a software application (e.g., word processors and spreadsheet applications). Some
applications, such as Microsoft Office, allow macro programs to be embedded in documents such
that the macros are run automatically when the document is opened, and this provides a distinct
mechanism by which malicious computer instructions can spread.
References: https://en.wikipedia.org/wiki/Macro_virus

NO.193 An engineer is learning to write exploits in C++ and is using the exploit tool Backtrack. The
engineer wants to compile the newest C++ exploit and name it calc.exe. Which command would the
engineer use to accomplish this?
A. g++ hackersExploit.cpp -o calc.exe
B. g++ hackersExploit.py -o calc.exe
C. g++ -i hackersExploit.pl -o calc.exe
D. g++ --compile -i hackersExploit.cpp -o calc.exe
Answer: A

NO.194 An Intrusion Detection System (IDS) has alerted the network administrator to a possibly
malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic
was captured by the IDS and saved to a PCAP file.
What type of network tool can be used to determine if these packets are genuinely malicious or
simply a false positive?
A. Protocol analyzer
B. Intrusion Prevention System (IPS)
C. Network sniffer
D. Vulnerability scanner
Answer: A
Explanation
A packet analyzer (also known as a network analyzer, protocol analyzer or packet sniffer, or, for
particular types of networks, an Ethernet sniffer or wireless sniffer) is a computer program or piece of
computer hardware that can intercept and log traffic that passes over a digital network or part of a
network. A packet analyzer can analyze packet traffic saved in a PCAP file.
References: https://en.wikipedia.org/wiki/Packet_analyzer

NO.195 A server has been infected by a certain type of Trojan. The hacker intended to utilize it to
send and host junk mails. What type of Trojan did the hacker use?
A. Turtle Trojans
B. Ransomware Trojans
C. Botnet Trojan
D. Banking Trojans
Answer: C

NO.196 The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and
UDP traffic in the host 10.0.0.3. Also he needs to permit all FTP traffic to the rest of the network and
deny all other traffic. After he applied his ACL configuration in the router, nobody can access the
ftp and the permitted hosts cannot access the Internet. According to the next configuration what
is happening in the network?
A. The ACL 110 needs to be changed to port 80
B. The ACL for FTP must be before the ACL 110
C. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
D. The ACL 104 needs to be first because it is UDP
Answer: C

NO.197 What results will the following command yield: 'NMAP -sS -O -p 123-153 192.168.100.3'?
A. A stealth scan, opening port 123 and 153
B. A stealth scan, checking open ports 123 to 153
C. A stealth scan, checking all open ports excluding ports 123 to 153
D. A stealth scan, determine operating system, and scanning ports 123 to 153
Answer: D

NO.198 What does a type 3 code 13 represent? (Choose two.)
A. Echo request
B. Destination unreachable
C. Network unreachable
D. Administratively prohibited
E. Port unreachable
F. Time exceeded
Answer: B D

NO.199 Which access control mechanism allows for multiple systems to use a central authentication
server (CAS) that permits users to authenticate once and gain access to multiple systems?
A. Role Based Access Control (RBAC)
B. Discretionary Access Control (DAC)
C. Windows authentication
D. Single sign-on
Answer: D

NO.200 A hacker is attempting to see which ports have been left open on a network. Which NMAP
switch would the hacker use?
A. -sO
B. -sP
C. -sS
D. -sU
Answer: A

NO.201 The following is a sample of output from a penetration tester's machine targeting a machine
with the IP address of 192.168.1.106:
What is most likely taking place?
A. Ping sweep of the 192.168.1.106 network
B. Remote service brute force attempt
C. Port scan of 192.168.1.106
D. Denial of service attack on 192.168.1.106
Answer: B

NO.202 Company XYZ has asked you to assess the security of their perimeter email gateway. From
your office in New York, you craft a specially formatted email message and send it across the Internet
to an employee of Company XYZ. The employee of Company XYZ is aware of your test.
Your email message looks like this:
From: jim_miller@companyxyz.com
To: michelle_saunders@companyxyz.com
Subject: Test message
Date: 4/3/2017 14:37
The employee of Company XYZ receives your email message. This proves that Company XYZ's email
gateway doesn't prevent what?
A. Email Phishing
B. Email Masquerading
C. Email Spoofing
D. Email Harvesting
Answer: C

NO.203 Which of the following LM hashes represent a password of less than 8 characters? (Choose
two.)
A. BA810DBA98995F1817306D272A9441BB
B. 44EFCE164AB921CQAAD3B435B51404EE
C. 0182BD0BD4444BF836077A718CCDF409
D. CEC52EB9C8E3455DC2265B23734E0DAC
E. B757BF5C0D87772FAAD3B435B51404EE
F. E52CAC67419A9A224A3B108F3FA6CB6D
Answer: B E

NO.204 A software tester is randomly generating invalid inputs in an attempt to crash the program.
Which of the following is a software testing technique used to determine if a software program
properly handles a wide range of invalid input?
A. Mutating
B. Randomizing
C. Fuzzing
D. Bounding
Answer: C

NO.205 SOAP services use which technology to format information?
A. SATA
B. PCI
C. XML
D. ISDN
Answer: C

NO.206 Which type of sniffing technique is generally referred to as a MiTM attack?
A. Password Sniffing
B. ARP Poisoning
C. Mac Flooding
D. DHCP Sniffing
Answer: B

NO.207 When security and confidentiality of data within the same LAN is of utmost priority, which
IPSec mode should you implement?
A. AH Tunnel mode
B. AH promiscuous
C. ESP transport mode
D. ESP confidential
Answer: C

NO.208 You're doing an internal security audit and you want to find out what ports are open on all
the servers. What is the best way to find out?
A. Scan servers with Nmap
B. Physically go to each server
C. Scan servers with MBSA
D. Telnet to every port on each server
Answer: A

NO.209 Session splicing is an IDS evasion technique in which an attacker delivers data in multiple,
small-sized packets to the target computer, making it very difficult for an IDS to detect the attack
signatures.
Which tool can be used to perform session splicing attacks?
A. Whisker
B. tcpsplice
C. Burp
D. Hydra
Answer: A
Explanation
One basic technique is to split the attack payload into multiple small packets, so that the IDS must
reassemble the packet stream to detect the attack. A simple way of splitting packets is by
fragmenting them, but an adversary can also simply craft packets with small payloads. The 'whisker'
evasion tool calls crafting packets with small payloads 'session splicing'.
References:
https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques#Fragmentation_and_small_packet

NO.210 A penetration tester was hired to perform a penetration test for a bank. The tester began
searching for IP ranges owned by the bank, performing lookups on the bank's DNS servers, reading
news articles online about the bank, watching what times the bank employees come into work and
leave from work, searching the bank's job postings (paying special attention to IT related jobs), and
visiting the local dumpster for the bank's corporate office. What phase of the penetration test is the
tester currently in?
A. Information reporting
B. Vulnerability assessment
C. Active information gathering
D. Passive information gathering
Answer: D

NO.211 Advanced encryption standard is an algorithm used for which of the following?
A. Data integrity
B. Key discovery
C. Bulk data encryption
D. Key recovery
Answer: C

NO.212 Which of the following tools can be used to perform a zone transfer?
A. NSLookup
B. Finger
C. Dig
D. Sam Spade
E. Host
F. Netcat
G. Neotrace
Answer: A C D E

NO.213 By using a smart card and pin, you are using a two-factor authentication that satisfies
A. Something you know and something you are
B. Something you have and something you know
C. Something you have and something you are
D. Something you are and something you remember
Answer: B

NO.214 Your business has decided to add credit card numbers to the data it backs up to tape. Which
of the following represents the best practice your business should observe?
A. Hire a security consultant to provide direction.
B. Do not back up either the credit card numbers or their hashes.
C. Back up the hashes of the credit card numbers, not the actual credit card numbers.
D. Encrypt backup tapes that are sent off-site.
Answer: A

2334NO.215 You are performing a penetration test. You achieved access via a buffer overflow exploit and
2335you proceed to find interesting data, such as files with usernames and passwords. You find a hidden
2336folder that has the administrator's bank account password and login information for the
2337administrator's bitcoin account.
2338What should you do?
2339A. Report immediately to the administrator
2340B. Do
2341NO. report it and continue the penetration test.
2342C. Transfer money from the administrator's account to a
2343NO.her account.
2344D. Do
2345NO. transfer the money but steal the bitcoins.
2346Answer: A
2347
2348NO.216 A company's policy requires employees to perform file transfers using protocols which
2349encrypt traffic. You suspect some employees are still performing file transfers using unencrypted
2350protocols because the employees do not like changes. You have positioned a network sniffer to
2352capture traffic from the laptops used by employees in the data ingest department. Using Wireshark
2353to examine the captured traffic, which expression can be used as a display filter to find unencrypted
2354file transfers?
2355A. tcp.port != 21
2356B. tcp.port = 23
2357C. tcp.port == 21
2358D. tcp.port == 21 || tcp.port == 22
2359Answer: C
Explanation
Port 21 is the FTP control channel; FTP sends credentials and commands in clear text. Port 22 is SSH, which carries SFTP and SCP in encrypted form, so option D would also match the encrypted transfers the policy requires. Option A matches everything except FTP, and port 23 is Telnet, not a file-transfer protocol.
2360
2361NO.217 Some clients of TPNQM SA were redirected to a malicious site when they tried to access the
2362TPNQM main site. Bob, a system administrator at TPNQM SA, found that they were victims of DNS
2363Cache Poisoning.
2364What should Bob recommend to deal with such a threat?
2366A. The use of security agents in clients' computers
2367B. The use of DNSSEC
2368C. The use of double-factor authentication
2369D. Client awareness
2370Answer: B
2371
2372NO.218 During a security audit of IT processes, an IS auditor found that there were no documented
2374security procedures. What should the IS auditor do?
2375A. Identify and evaluate existing practices
2376B. Create a procedures document
2377C. Conduct compliance testing
2378D. Terminate the audit
2379Answer: A
2380Explanation
2381The auditor should first evaluate existing policies and practices to identify problem areas and
2382opportunities.
2383
2384NO.219 A company's Web development team has become aware of a certain type of security
2385vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited,
2386the team wants to modify the software requirements to disallow users from entering HTML as input
2387into their Web application.
2388What kind of Web application vulnerability likely exists in their software?
2389A. Cross-site scripting vulnerability
2390B. Cross-site Request Forgery vulnerability
2391C. SQL injection vulnerability
2392D. Web site defacement vulnerability
2393Answer: A
2394Explanation
2395Many operators of particular web applications (e.g. forums and webmail) allow users to utilize a
2396limited subset of HTML markup. When accepting HTML input from users (say, <b>very</b> large),
2397output encoding (such as &lt;b&gt;very&lt;/b&gt; large) will not suffice, since the user input needs to
2399be rendered as HTML by the browser (so it shows as "very large" in bold, instead of the literal text
"<b>very</b> large").
2400Stopping an XSS attack when accepting HTML input from users is much more complex in this
2401situation. Untrusted HTML input must be run through an HTML sanitization engine to ensure that it
2402does not contain cross-site scripting code.
2404References: https://en.wikipedia.org/wiki/Cross-site_scripting#Safely_validating_untrusted_HTML_input
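The difference the explanation draws between output encoding and HTML sanitization, as an added Python example (not part of the original question set): `encode_output` is the right tool when user text must stay literal, while `sanitize_html` rebuilds a fragment from an allowlist so that `<b>` survives but `<script>`, event-handler attributes and `javascript:` URLs are dropped. The allowlist itself is an assumption for the example; a real deployment would use a maintained sanitizer library.

```python
import html
from html.parser import HTMLParser

# Allowlist for the "limited subset of HTML" a forum might accept (an assumption for this example).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def encode_output(user_input: str) -> str:
    """Output encoding: right when the input must appear as literal text, wrong when it
    must render as markup ("<b>very</b> large" would show its tags instead of bold text)."""
    return html.escape(user_input, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch, keeping only allowlisted tags and attributes.
    Anything not on the list (script, event handlers, javascript: URLs) is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Text nodes are re-encoded so that a "<" typed by the user stays literal.
            self.out.append(html.escape(data, quote=False))


def sanitize_html(user_input: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(user_input)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(encode_output("<b>very</b> large"))
    print(sanitize_html('<b onmouseover="alert(1)">very</b> <script>alert(1)</script>large'))
```

Note that the sanitizer never tries to "escape the dangerous parts" in place; it emits only what it has positively recognised as safe, which is what makes an allowlist approach hold up against encoding tricks that a denylist would miss.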
2406
2407NO.220 Which of the following defines the role of a root Certificate Authority (CA) in a Public Key
2408Infrastructure (PKI)?
2409A. The root CA is the recovery agent used to encrypt data when a user's certificate is lost.
2410B. The root CA stores the user's hash value for safekeeping.
2411C. The CA is the trusted root that issues certificates.
2412D. The root CA is used to encrypt email messages to prevent unintended disclosure of data.
2414Answer: C
2415
2416NO.221 Which service in a PKI will vouch for the identity of an individual or company?
2417A. KDC
2418B. CA
2419C. CR
2420D. CBC
2421Answer: B
2422
2423NO.222 It is a vulnerability in GNU's bash shell, discovered in September of 2014, that gives
2424attackers access to run remote commands on a vulnerable system. The malicious software can take
2425control of an infected machine, launch denial-of-service attacks to disrupt websites, and scan for
2426other vulnerable devices (including routers).
2427Which of the following vulnerabilities is being described?
2428A. Shellshock
2429B. Rootshock
2430C. Rootshell
2431D. Shellbash
2432Answer: A
2433Explanation
2434Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell,
2436the first of which was disclosed on 24 September 2014.
2437References: https://en.wikipedia.org/wiki/Shellshock_(software_bug)
2438
2439NO.223 What is the term coined for logging, recording and resolving events in a company?
2440A. Internal Procedure
2441B. Security Policy
2442C. Incident Management Process
2443D. Metrics
2444Answer: C
2445
2446NO.224 Windows file servers commonly hold sensitive files, databases, passwords and more. Which
2447of the following choices would be a common vulnerability that usually exposes them?
2448A. Cross-site scripting
2449B. SQL injection
2450C. Missing patches
2451D. CRLF injection
2452Answer: C
2453
2454NO.225 Study the following log extract and identify the attack.
2456A. Hexcode Attack
2457B. Cross Site Scripting
2458C. Multiple Domain Traversal Attack
2459D. Unicode Directory Traversal Attack
2460Answer: D
2461
2462NO.226 Password cracking programs reverse the hashing process to recover passwords.
2463(True/False.)
2465A. True
2466B. False
2467Answer: B
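Why the statement is false, as an added Python example (not from the original page): a cracker never inverts the hash, it hashes guesses and compares. The wordlist and the passwords are constructed for the example. The second half shows the defender's counter: a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 from the standard library), which leaves the attack shape unchanged but makes each guess expensive and every precomputed table useless.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for a real dictionary such as rockyou.txt.
WORDLIST = ["123456", "password", "letmein", "Summer2019", "qwerty"]


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(target_hex: str, wordlist=WORDLIST) -> Optional[str]:
    """Dictionary attack against a fast, unsalted hash: hash each guess and compare.
    The hash is never inverted; the attacker only wins because the guess was in the list."""
    for guess in wordlist:
        if hmac.compare_digest(sha256_hex(guess), target_hex):
            return guess
    return None


def store_password(password: str, iterations: int = 50_000) -> dict:
    """Defender side: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record: dict, guess: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", guess.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def crack_salted(record: dict, wordlist=WORDLIST) -> Optional[str]:
    """Same guess-and-compare loop, but every guess now costs `iterations` HMAC calls and
    the salt means no precomputed table exists for this particular hash."""
    for guess in wordlist:
        if verify_password(record, guess):
            return guess
    return None


if __name__ == "__main__":
    leaked = sha256_hex("letmein")
    print("unsalted SHA-256 cracked:", crack_unsalted(leaked))
    record = store_password("qwerty")
    print("salted PBKDF2 cracked:   ", crack_salted(record))
    print("strong passphrase:       ", crack_unsalted(sha256_hex("correct horse battery staple")))
```

The salted record for the same password differs on every run, which is exactly what defeats rainbow tables; the slow KDF is what makes even a correct guess in a large wordlist cost real time.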
2468
2469NO.227 What does a firewall check to prevent particular ports and applications from getting packets
2470into an organization?
2471A. Transport layer port numbers and application layer headers
2472B. Presentation layer headers and the session layer port numbers
2473C. Network layer headers and the session layer port numbers
2474D. Application layer port numbers and the transport layer headers
2475Answer: A
2476Explanation
2477Newer firewalls can filter traffic based on many packet attributes: source IP address, source port,
2478destination IP address or transport-layer port, and destination service such as WWW or FTP. They can filter
2479on protocol, TTL value, netblock of the originator, and many other attributes.
2480Application-layer firewalls filter at layers 3, 4, 5 and 7. Because they analyze
2481application-layer headers, most of their control and filtering is actually performed in software.
2482References: https://en.wikipedia.org/wiki/Firewall_(computing)#Network_layer_or_packet_filters
2483http://howdoesinternetwork.com/2012/application-layer-firewalls
2484
2485NO.228 While reviewing the result of scanning run against a target network you come across the
2486following:
2487Which among the following can be used to get this output?
2488A. A Bo2k system query.
2489B. nmap protocol scan
2490C. A sniffer
2491D. An SNMP walk
2492Answer: D
2493
2494NO.229 _________ is a tool that can hide processes from the process list, can hide files, registry
2495entries, and intercept keystrokes.
2497A. Trojan
2498B. RootKit
2499C. DoS tool
2500D. Scanner
2501E. Backdoor
2502Answer: B
2503
2504NO.230 Which of the following is a client-server tool utilized to evade firewall inspection?
2505A. tcp-over-dns
2506B. kismet
2507C. nikto
2508D. hping
2509Answer: A
2510
2511NO.231 Which of the following scanning tools is specifically designed to find potential exploits in
2512Microsoft Windows products?
2513A. Microsoft Security Baseline Analyzer
2514B. Retina
2515C. Core Impact
2516D. Microsoft Baseline Security Analyzer
2517Answer: D
2518
2519NO.232 Which set of access control solutions implements two-factor authentication?
2520A. USB token and PIN
2521B. Fingerprint scanner and retina scanner
2522C. Password and PIN
2523D. Account and password
2524Answer: A
2525
2526NO.233 An attacker is using nmap to do a ping sweep and a port scanning in a subnet of 254
2527addresses.
2528In which order should he perform these steps?
2529A. The sequence does not matter. Both steps have to be performed against all hosts.
2531B. First the port scan to identify interesting services and then the ping sweep to find hosts
2532responding to icmp echo requests.
2533C. First the ping sweep to identify live hosts and then the port scan on the live hosts. This way he
2534saves time.
2535D. The port scan alone is adequate. This way he saves time.
2536Answer: C
2537
2538NO.234 Which type of intrusion detection system can monitor and alert on attacks, but cannot stop
2540them?
2541A. Detective
2543B. Passive
2544C. Intuitive
2545D. Reactive
2546Answer: B
2547
2548NO.235 In the field of cryptanalysis, what is meant by a "rubber-hose" attack?
2549A. Attempting to decrypt cipher text by making logical assumptions about the contents of the original
2550plain text.
2551B. Extraction of cryptographic secrets through coercion or torture.
2552C. Forcing the targeted key stream through a hardware-accelerated device such as an ASIC.
2553D. A backdoor placed into a cryptographic algorithm by its creator.
2554Answer: B
2555
2556NO.236 An attacker has been successfully modifying the purchase price of items purchased on the
2557company's web site.
2558The security administrators verify the web server and Oracle database have not been compromised
2560directly.
2561They have also verified the Intrusion Detection System (IDS) logs and found no attacks that could
2563have caused this. What is the mostly likely way the attacker has been able to modify the purchase
2564price?
2565A. By using SQL injection
2566B. By changing hidden form values
2567C. By using cross site scripting
2568D. By utilizing a buffer overflow attack
2569Answer: B
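The scenario in code, as an added Python example (not from the original page): the vulnerable checkout trusts the hidden `price` field that the browser echoes back, so an attacker editing it in an intercepting proxy changes the charge without any malformed input reaching the database or tripping an IDS signature. The hardened version prices server-side; the signed version shows the fallback when a value really must round-trip through the client. Catalog, SKUs and the signing key are constructed for the example.

```python
import hashlib
import hmac

# Constructed server-side catalog and signing key for this example.
CATALOG = {"SKU-100": 49.99, "SKU-200": 1299.00}
SERVER_SECRET = b"example-server-secret-never-sent-to-clients"


def vulnerable_checkout(form: dict) -> float:
    """Trusts <input type="hidden" name="price"> coming back from the browser.
    The SQL that follows is perfectly normal and no IDS signature matches, which is why
    the web server, the Oracle DB and the IDS all looked clean in the scenario."""
    return float(form["price"]) * int(form["qty"])


def hardened_checkout(form: dict) -> float:
    """The authoritative price lives server-side; the client only chooses sku and quantity."""
    sku, qty = form["sku"], int(form["qty"])
    if sku not in CATALOG or qty < 1:
        raise ValueError("invalid order")
    return CATALOG[sku] * qty


def sign_hidden_field(sku: str, price: str) -> str:
    """If a value must round-trip through the client, bind it with an HMAC the client cannot forge."""
    return hmac.new(SERVER_SECRET, f"{sku}:{price}".encode(), hashlib.sha256).hexdigest()


def signed_checkout(form: dict) -> float:
    expected = sign_hidden_field(form["sku"], form["price"])
    if not hmac.compare_digest(expected, form.get("sig", "")):
        raise ValueError("hidden field tampered with")
    return float(form["price"]) * int(form["qty"])


if __name__ == "__main__":
    served = {"sku": "SKU-200", "price": "1299.00", "qty": "1"}
    served["sig"] = sign_hidden_field(served["sku"], served["price"])
    tampered = dict(served, price="1.00")  # attacker edits the hidden field in a proxy
    print("vulnerable:", vulnerable_checkout(tampered))  # 1.0
    print("hardened:  ", hardened_checkout(tampered))    # 1299.0
    try:
        signed_checkout(tampered)
    except ValueError as exc:
        print("signed:    ", exc)
```

Detection for this class of bug is application-level: log the price the server believed alongside the catalog price at order time and alert on mismatches, since neither network IDS nor database auditing will see anything abnormal.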
2570
2571NO.237 Which of the following is an extremely common IDS evasion technique in the web world?
2572A. unicode characters
2573B. spyware
2574C. port knocking
2576D. subnetting
2577Answer: A
2578Explanation
2579Unicode attacks can be effective against applications that understand it. Unicode is the international
2580standard whose goal is to represent every character needed by every written human language as a
2581single integer number. What is known as Unicode evasion should more correctly be referred to as
2583UTF-8 evasion. Unicode code points could all be stored in a fixed two-byte form, but this is impractical
2585in real life, so the variable-length UTF-8 encoding is used instead.
2586One aspect of UTF-8 encoding causes problems: a plain ASCII character can also be represented by a
2588longer multi-byte sequence, so multiple encodings of the same character can exist. These
2590longer-than-necessary encodings are known as overlong characters, and may be a sign of an attempted attack.
2592References:
2593http://books.gigatux.nl/mirror/apachesecurity/0596007248/apachesc-chp-10-sect-8.html
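The overlong-encoding problem the explanation describes, as an added Python example (not from the original page or the cited book): a deliberately lenient UTF-8 decoder, written to behave like the naive decoders that made `%c0%af` directory traversal possible, is compared with Python's strict decoder on a constructed request path. `%c0%af` is a two-byte encoding of `/` (code point 0x2F), which a correct decoder must reject because `/` has a one-byte form.

```python
from typing import Optional, Tuple
from urllib.parse import unquote_to_bytes


def lenient_utf8_decode(data: bytes) -> Tuple[str, bool]:
    """Decodes UTF-8 the way a naive decoder does: it reassembles the code point from the
    payload bits without checking that the shortest encoding was used.
    Returns (text, saw_overlong)."""
    out, i, overlong = [], 0, False
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp, minimum = 0, b, 0
        elif 0xC0 <= b <= 0xDF:
            n, cp, minimum = 1, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            n, cp, minimum = 2, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF7:
            n, cp, minimum = 3, b & 0x07, 0x10000
        else:
            raise ValueError(f"invalid lead byte {b:#04x} at offset {i}")
        if i + n >= len(data):
            raise ValueError("truncated multi-byte sequence")
        for j in range(1, n + 1):
            c = data[i + j]
            if c & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte {c:#04x} at offset {i + j}")
            cp = (cp << 6) | (c & 0x3F)
        if cp < minimum:
            overlong = True  # a strict decoder rejects here; this one keeps going
        out.append(chr(cp))
        i += n + 1
    return "".join(out), overlong


def lenient_path(raw_url_path: str) -> Tuple[str, bool]:
    """Percent-decode, then run the lenient decoder: the combination behind the classic
    ..%c0%af traversal. The overlong flag is the IDS signal worth alerting on."""
    return lenient_utf8_decode(unquote_to_bytes(raw_url_path))


def strict_path(raw_url_path: str) -> Optional[str]:
    """Percent-decode, then use Python's strict decoder: overlong forms are rejected outright."""
    try:
        return unquote_to_bytes(raw_url_path).decode("utf-8")
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    probe = "..%c0%af..%c0%afetc/passwd"  # constructed request path
    print("lenient:", lenient_path(probe))   # ('../../etc/passwd', True)
    print("strict: ", strict_path(probe))    # None
```

The practical rule for detection logic follows from the flag: decode once with a strict decoder and treat any overlong or otherwise invalid sequence as an attack indicator rather than silently normalising it, since the signature `../` never appears in the raw bytes.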
2595
2596NO.238 The configuration allows a wired or wireless network interface controller to pass all traffic it
2597receives to the central processing unit (CPU), rather than passing only the frames that the controller
2598is intended to receive.
2599Which of the following is being described?
2600A. promiscuous mode
2601B. port forwarding
2602C. multi-cast mode
2603D. WEM
2604Answer: A
2605Explanation
2606Promiscuous mode refers to the special mode of Ethernet hardware, in particular network interface
2607cards (NICs), that allows a NIC to receive all traffic on the network, even if it is not addressed to this
2609NIC. By default, a NIC ignores all traffic that is not addressed to it, which is done by comparing the
2612destination address of the Ethernet frame with the hardware address (a.k.a. MAC) of the device.
2613While this makes perfect sense for networking, non-promiscuous mode makes it difficult to use
2615network monitoring and analysis software for diagnosing connectivity issues or traffic accounting.
2617References: https://www.tamos.com/htmlhelp/monitoring/
2617References: https://www.tamos.com/htmlhelp/monitoring/
2618
2619NO.239 Bob, a system administrator at TPNQM SA, concluded one day that a DMZ is not needed if
2621he properly configures the firewall to allow access just to servers/ports, which can have direct
2622internet access, and block the access to workstations.
2623Bob also concluded that a DMZ makes sense just when a stateful firewall is available, which is not the
2625case of TPNQM SA.
2626In this context, what can you say?
2627A. Bob can be right since a DMZ does not make sense when combined with stateless firewalls
2629B. Bob is partially right. He does not need to separate networks if he can create rules by destination
2631IPs, one by one
2632C. Bob is totally wrong. A DMZ is always relevant when the company has internet servers and
2633workstations
2634D. Bob is partially right. A DMZ does not make sense when a stateless firewall is available
2636Answer: C
2637
2638NO.240 Which address translation scheme would allow a single public IP address to always
2639correspond to a single machine on an internal network, allowing "server publishing"?
2640A. Overloading Port Address Translation
2641B. Dynamic Port Address Translation
2642C. Dynamic Network Address Translation
2643D. Static Network Address Translation
2644Answer: D
2645
2646NO.241 Which of the following is a passive wireless packet analyzer that works on Linux-based
2647systems?
2648A. Burp Suite
2649B. OpenVAS
2651C. tshark
2652D. Kismet
2653Answer: D
2654
2655NO.242 Which of the following is the greatest threat posed by backups?
2656A. A backup is the source of Malware or illicit information.
2657B. A backup is unavailable during disaster recovery.
2658C. A backup is incomplete because no verification was performed.
2660D. An un-encrypted backup can be misplaced or stolen.
2661Answer: D
2662Explanation
2663If the data written on the backup media is properly encrypted, it will be useless for anyone without
2664the key.
2665References:
2666http://resources.infosecinstitute.com/backup-media-encryption/
2667
2668NO.243 Which type of scan sends packets with no flags set?
2670A. Open Scan
2671B. Null Scan
2672C. Xmas Scan
2673D. Half-Open Scan
2674Answer: B
2675
2676NO.244 Ricardo wants to send secret messages to a competitor company. To secure these
2677messages, he uses a technique of hiding a secret message within an ordinary message. The technique
2678provides 'security through obscurity'.
2679What technique is Ricardo using?
2680A. Steganography
2682B. Public-key cryptography
2683C. RSA algorithm
2684D. Encryption
2685Answer: A
2686Explanation
2687Steganography is the practice of concealing a file, message, image, or video within another file,
2690message, image, or video.
2691References: https://en.wikipedia.org/wiki/Steganography
2693
2694NO.245 Employees in a company are no longer able to access Internet web sites on their computers.
2696The network administrator is able to successfully ping IP address of web servers on the Internet and
2697is able to open web sites by using an IP address in place of the URL. The administrator runs the
2698nslookup command for www.eccouncil.org and receives an error message stating there is no
2699response from the server. What should the administrator do next?
2700A. Configure the firewall to allow traffic on TCP port 53 and UDP port 53.
2701B. Configure the firewall to allow traffic on TCP ports 80 and UDP port 443.
2703C. Configure the firewall to allow traffic on TCP port 53.
2704D. Configure the firewall to allow traffic on TCP port 8080.
2705Answer: A
2706
2707NO.246 Which of the following BEST describes the mechanism of a Boot Sector Virus?
2708A. Moves the MBR to another location on the hard disk and copies itself to the original location of
2710the MBR
2711B. Moves the MBR to another location in RAM and copies itself to the original location of the
2713MBR
2714C. Overwrites the original MBR and only executes the new virus code
2715D. Modifies directory table entries so that directory entries point to the virus code instead of the
2716actual program
2717Answer: A
2718
2719NO.247 You are looking for SQL injection vulnerability by sending a special character to web
2720applications. Which of the following is the most useful for quick validation?
2721A. Double quotation
2722B. Backslash
2723C. Semicolon
2724D. Single quotation
2725Answer: D
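Why a single quote is the quick probe, as an added Python example (not from the original page): against a constructed in-memory SQLite database, a lookup built by string concatenation throws a database error as soon as the input contains `'`, because the quote closes the string literal and the rest of the input reaches the SQL parser. The parameterised version simply returns no rows. The classic `' OR '1'='1` payload is included to show that the error is not the goal, just the tell.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> list:
    # User input is concatenated straight into the SQL text.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the driver sends the value separately from the SQL text,
    # so a quote in the value can never change the statement's structure.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def probe(lookup, conn: sqlite3.Connection, payload: str) -> str:
    """Classifies the application's reaction the way a tester does: a database error on a
    single quote is the quickest sign that input is reaching the SQL parser."""
    try:
        rows = lookup(conn, payload)
    except sqlite3.Error as exc:
        return f"error: {exc}"
    return "rows" if rows else "empty"


if __name__ == "__main__":
    db = make_db()
    for payload in ["bob", "bob'", "x' OR '1'='1"]:
        print(f"{payload!r:18} vulnerable={probe(vulnerable_lookup, db, payload):45} "
              f"safe={probe(safe_lookup, db, payload)}")
```

In a real assessment the "error" branch is what you look for in the HTTP response (a 500, a stack trace, a database vendor string); the hardened lookup gives the same answer for `bob'` as for any other non-existent user, which is the behaviour you want to see.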
2726
2727NO.248 Why should the security analyst disable/remove unnecessary ISAPI filters?
2728A. To defend against social engineering attacks
2729B. To defend against webserver attacks
2730C. To defend against jailbreaking
2731D. To defend against wireless attacks
2732Answer: B
2733
2734NO.249 When a security analyst prepares for the formal security assessment - what of the following
2735should be done in order to determine inconsistencies in the secure assets database and verify that
2736system is compliant to the minimum security baseline?
2737A. Data items and vulnerability scanning
2738B. Interviewing employees and network engineers
2739C. Reviewing the firewalls configuration
2740D. Source code review
2741Answer: A
2742
2743NO.250 It is a regulation that has a set of guidelines, which should be adhered to by anyone who
2744handles any electronic medical data. These guidelines stipulate that all medical practices must ensure
2745that all necessary measures are in place while saving, accessing, and sharing any electronic medical
2746data to keep patient data secure.
2747Which of the following regulations best matches the description?
2749A. HIPAA
2750B. ISO/IEC 27002
2751C. COBIT
2752D. FISMA
2753Answer: A
2754Explanation
2755The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by
2757"covered entities" (generally, health care clearinghouses, employer-sponsored health plans, health
2758insurers, and medical service providers that engage in certain transactions). By regulation, the
2759Department of Health and Human Services extended the HIPAA Privacy Rule to independent
2760contractors of covered entities who fit within the definition of "business associates".
2761References:
2762https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#Privacy_Rule
2763
2764NO.251 Cross-site request forgery involves:
2765A. A request sent by a malicious user from a browser to a server
2766B. Modification of a request by a proxy between client and server
2767C. A browser making a request to a server without the user's knowledge
2769D. A server making a request to another server without the user's knowledge
2772Answer: C
2773
2774NO.252 Which regulation defines security and privacy controls for Federal information systems and
2775organizations?
2776A. NIST-800-53
2777B. PCI-DSS
2778C. EU Safe Harbor
2779D. HIPAA
2780Answer: A
2781Explanation
2782NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and
2783Organizations," provides a catalog of security controls for all U.S. federal information systems except
2784those related to national security.
2785References: https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53
2786
2787NO.253 An ethical hacker for a large security research firm performs penetration tests, vulnerability
2788tests, and risk assessments. A friend recently started a company and asks the hacker to perform a
2789penetration test and vulnerability assessment of the new company as a favor. What should the
2790hacker's next step be before starting work on this job?
2791A. Start by foot printing the network and mapping out a plan of attack.
2792B. Ask the employer for authorization to perform the work outside the company.
2793C. Begin the reconnaissance phase with passive information gathering and then move into active
2794information gathering.
2795D. Use social engineering techniques on the friend's employees to help identify areas that may be
2797susceptible to attack.
2798Answer: B
2799
2800NO.254 Chandler works as a pen-tester in an IT-firm in New York. As a part of detecting viruses in
2801the systems, he uses a detection method where the anti-virus executes the malicious codes on a
2802virtual machine to simulate CPU and memory activities.
2803Which type of virus detection method did Chandler use in this context?
2804A. Heuristic Analysis
2805B. Code Emulation
2806C. Integrity checking
2807D. Scanning
2808Answer: B
2809
2810NO.255 Bob, your senior colleague, has sent you a mail regarding a deal with one of the clients. You
2811are requested to accept the offer and you oblige. After 2 days, Bob denies that he had ever sent a
2812mail. What do you want to "know" to prove to yourself that it was Bob who had sent the mail?
2815A. Authentication
2816B. Confidentiality
2817C. Integrity
2818D. Non-Repudiation
2820Answer: D
2821
2822NO.256 Which type of scan is used on the eye to measure the layer of blood vessels?
2823A. Facial recognition scan
2824B. Retinal scan
2825C. Iris scan
2826D. Signature kinetics scan
2827Answer: B
2828
2829NO.257 A new wireless client that is 802.11 compliant cannot connect to a wireless network given
2831that the client can see the network and it has compatible hardware and software installed. Upon
2832further tests and investigation, it was found out that the Wireless Access Point (WAP) was not
2834responding to the association requests being sent by the wireless client. What MOST likely is the
2835issue in this scenario?
2836A. The client cannot see the SSID of the wireless network
2838B. The WAP does not recognize the client's MAC address.
2840C. The wireless client is not configured to use DHCP.
2842D. Client is configured for the wrong channel
2843Answer: B
2844
2845NO.258 Windows LAN Manager (LM) hashes are known to be weak.
2847Which of the following are known weaknesses of LM? (Choose three.)
2849A. Converts passwords to uppercase.
2851B. Hashes are sent in clear text over the network.
2852C. Makes use of only 32-bit encryption.
2853D. Effective length is 7 characters.
2854Answer: A B D
2855
2856NO.259 Which element of Public Key Infrastructure (PKI) verifies the applicant?
2857A. Certificate authority
2858B. Validation authority
2859C. Registration authority
2860D. Verification authority
2861Answer: C
2862
2863NO.260 Which of the following algorithms can be used to guarantee the integrity of messages being
2864sent, in transit, or stored?
2865A. symmetric algorithms
2866B. asymmetric algorithms
2867C. hashing algorithms
2868D. integrity algorithms
2869Answer: C
2870
2871NO.261 It is a widely used standard for message logging. It permits separation of the software that
2872generates messages, the system that stores them, and the software that reports and analyzes them.
2873This protocol is specifically designed for transporting event messages. Which of the following is being
2874described?
2875A. SNMP
2876B. ICMP
2877C. SYSLOG
2878D. SMS
2879Answer: C
2880
2881NO.262 When tuning security alerts, what is the best approach?
2882A. Tune to avoid False positives and False Negatives
2883B. Raise false positives and raise false negatives
2884C. Decrease the false positives
2885D. Decrease False negatives
2886Answer: A
2887
2888NO.263 What is one of the advantages of using both symmetric and asymmetric cryptography in
2889SSL/TLS?
2890A. Symmetric algorithms such as AES provide a failsafe when asymmetric methods fail.
2891B. Asymmetric cryptography is computationally expensive in comparison. However, it is well-suited
2892to securely negotiate keys for use with symmetric cryptography.
2893C. Symmetric encryption allows the server to securely transmit the session keys out-of-band.
2895D. Supporting both types of algorithms allows less-powerful devices such as mobile phones to use
2896symmetric encryption instead.
2897Answer: B
Explanation
Asymmetric operations are slow, so TLS uses them only to authenticate the server and establish the session key; the bulk of the data is then protected with a much faster symmetric cipher such as AES.
2898
2899NO.264 A newly discovered flaw in a software application would be considered which kind of
2900security vulnerability?
2901A. Input validation flaw
2902B. HTTP header injection vulnerability
2903C. 0-day vulnerability
2904D. Time-to-check to time-to-use flaw
2905Answer: C
2906
2907NO.265 When you are getting information about a web server, it is very important to know the HTTP
2909methods (GET, POST, HEAD, PUT, DELETE, TRACE) that are available because there are two critical
2910methods (PUT and DELETE). PUT can upload a file to the server and DELETE can delete a file from the
2911server. You can detect all these methods (GET, POST, HEAD, PUT, DELETE, TRACE) using the Nmap
2912Scripting Engine.
2913What nmap script will help you with this task?
2914A. http-methods
2915B. http enum
2916C. http-headers
2917D. http-git
2918Answer: A
2919Explanation
2920You can check for risky HTTP methods using Nmap.
2921Example: nmap --script=http-methods 192.168.0.25
2922References:
2923http://solutionsatexperts.com/http-method-vulnerability-check-using-nmap/
2924
2925NO.266 Which of the following options represents a conceptual characteristic of an anomaly-based
2927IDS over a signature-based IDS?
2928A. Produces fewer false positives
2929B. Can identify unknown attacks
2931C. Requires vendor updates for a new threat
2932D. Cannot deal with encrypted network traffic
2934Answer: B
2935
2936NO.267 TCP/IP stack fingerprinting is the passive collection of configuration attributes from a
2937remote device during standard layer 4 network communications. Which of the following tools can be
2938used for passive OS fingerprinting?
2939A. nmap
2940B. ping
2941C. tracert
2942D. tcpdump
2944Answer: D
2945
2946NO.268 Which of the following is considered the best way to protect Personally Identifiable
2947Information (PII) from Web application vulnerabilities?
2948A. Use cryptographic storage to store all PII
2949B. Use encrypted communications protocols to transmit PII
2950C. Use full disk encryption on all hard drives to protect PII
2951D. Use a security token to log into all Web applications that use PII
2952Answer: A
2953Explanation
2954As a matter of good practice any PII should be protected with strong encryption.
2955References: https://cuit.columbia.edu/cuit/it-security-practices/handling-personally-identifyinginformation
2956
2957NO.269 What network security concept requires multiple layers of security controls to be placed
2958throughout an IT infrastructure, which improves the security posture of an organization to defend
2959against malicious attacks or potential vulnerabilities?
2961A. Host-Based Intrusion Detection System
2962B. Security through obscurity
2963C. Defense in depth
2964D. Network-Based Intrusion Detection System
2965Answer: C
2966
2967NO.270 Which of the following levels of algorithms does Public Key Infrastructure (PKI) use?
2968A. RSA 1024 bit strength
2969B. AES 1024 bit strength
2970C. RSA 512 bit strength
2971D. AES 512 bit strength
2972Answer: A
2973
2974NO.271 A hacker is an intelligent individual with excellent computer skills and the ability to explore a
2975computer's software and hardware without the owner's permission. Their intention can either be to
2976simply gain knowledge or to illegally make changes. Which of the following classes of hacker refers to
2978an individual who works both offensively and defensively at various times?
2979A. Suicide Hacker
2980B. Black Hat
2981C. White Hat
2982D. Gray Hat
2983Answer: D
2984
2985NO.272 Fingerprinting VPN firewalls is possible with which of the following tools?
2986A. Angry IP
2987B. Nikto
2989C. Ike-scan
2990D. Arp-scan
2991Answer: C
2992
2993NO.273 What is a "Collision attack" in cryptography?
2994A. Collision attacks try to find two inputs producing the same hash.
2995B. Collision attacks try to break the hash into two parts, with the same bytes in each part to get the
2996private key.
2997C. Collision attacks try to get the public key.
2998D. Collision attacks try to break the hash into three parts to get the plaintext value.
2999Answer: A
3000Explanation
3001A Collision Attack is an attempt to find two input strings of a hash function that produce the same
3002hash result.
3003References: https://learncryptography.com/hash-functions/hash-collision-attack
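A concrete version of the definition above, added here as an example (not from the original page or the cited site): a constructed 24-bit hash made by truncating SHA-256, and a birthday search that finds two different messages with the same tag in roughly 2**12 attempts instead of the 2**24 a preimage search would need. Real hash functions have 256-bit outputs precisely so that this search is infeasible; the point of truncating is to make the attack visible.

```python
import hashlib
from typing import Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def truncated_sha256(data: bytes, bits: int) -> int:
    """Constructed weak hash for the demonstration: the first `bits` bits of SHA-256 (bits <= 32)."""
    word = int.from_bytes(hashlib.sha256(data).digest()[:4], "big")
    return word >> (32 - bits)


def find_collision(bits: int = 24, limit: int = 2_000_000) -> Optional[Tuple[bytes, bytes, int]]:
    """Birthday attack: hash distinct messages and remember each tag until one repeats.
    Expected cost is about 2**(bits/2) hashes, because every new tag is compared against
    all the tags seen so far, not against one fixed target."""
    seen = {}
    for i in range(limit):
        msg = f"msg-{i}".encode()
        tag = truncated_sha256(msg, bits)
        if tag in seen:
            return seen[tag], msg, tag
        seen[tag] = msg
    return None


def attempts_for_collision(bits: int) -> int:
    """Birthday bound for an n-bit hash."""
    return 2 ** (bits // 2)


def attempts_for_preimage(bits: int) -> int:
    """Brute-force bound for hitting one specific n-bit tag."""
    return 2 ** bits


if __name__ == "__main__":
    m1, m2, tag = find_collision(24)
    print(f"{m1!r} and {m2!r} both hash to {tag:#08x} under the 24-bit hash")
    print("full SHA-256 still differs:", sha256_hex(m1) != sha256_hex(m2))
    print("birthday bound:", attempts_for_collision(24), "vs preimage bound:", attempts_for_preimage(24))
```

The square-root cost is why signature schemes and certificate fingerprints are sized by collision resistance, not preimage resistance: a 128-bit hash gives only about 2**64 work against a collision attack, which is within reach, while the same hash needs 2**128 work for a preimage.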
3004
3005NO.274 It is a short-range wireless communication technology intended to replace the cables
3007connecting portable or fixed devices while maintaining high levels of security. It allows mobile
3008phones, computers and other devices to connect and communicate using a short-range wireless
3009connection.
3010Which of the following terms best matches the definition?
3011A. Bluetooth
3012B. Radio-Frequency Identification
3013C. WLAN
3014D. InfraRed
3015Answer: A
3016Explanation
3017Bluetooth is a standard for the short-range wireless interconnection of mobile phones, computers,
3018and other electronic devices.
3019References:
3020http://www.bbc.co.uk/webwise/guides/about-bluetooth
3021
3022NO.275 What is a NULL scan?
3023A. A scan in which all flags are turned off
3024B. A scan in which certain flags are off
3025C. A scan in which all flags are on
3026D. A scan in which the packet size is set to zero
3027E. A scan with an illegal packet size
3028Answer: A
3029
3030NO.276 An attacker runs netcat tool to transfer a secret file between two hosts.
3031He is worried about information being sniffed on the network.
3033How would the attacker use netcat to encrypt the information before transmitting onto the wire?
3034A. Machine A: netcat -l -p -s password 1234 < testfile; Machine B: netcat <machine A IP> 1234
3035B. Machine A: netcat -l -e magickey -p 1234 < testfile; Machine B: netcat <machine A IP> 1234
3036C. Machine A: netcat -l -p 1234 < testfile -pw password; Machine B: netcat <machine A IP> 1234 -pw password
3038D. Use cryptcat instead of netcat
3039Answer: D
3040
3041NO.277 This phase will increase the odds of success in later phases of the penetration test. It is also
3042the very first step in Information Gathering, and it will tell you what the "landscape" looks like.
3043What is the most important phase of ethical hacking in which you need to spend a considerable
3044amount of time?
3045A. footprinting
3046B. network mapping
3047C. gaining access
3048D. escalating privileges
3049Answer: A
3050Explanation
3051Footprinting is the first step a penetration tester uses to evaluate the security of any IT
3052infrastructure; footprinting means gathering the maximum information about the computer system
3053or network and about the devices that are attached to that network.
3054References:
3055http://www.ehacking.net/2011/02/footprinting-first-step-of-ethical.html
3056
3057NO.278 In IPv6 what is the major difference concerning application layer vulnerabilities compared to
3058IPv4?
3059A. Implementing IPv4 security in a dual-stack network offers protection from IPv6 attacks too.
3060B. Vulnerabilities in the application layer are independent of the network layer. Attacks and
3061mitigation techniques are almost identical.
3062C. Due to the extensive security measures built in IPv6, application layer vulnerabilities need not be
3064addressed.
3065D. Vulnerabilities in the application layer are greatly different from IPv4.
3066Answer: B
3067
3068NO.279 Pentest results indicate that voice over IP traffic is traversing a network. Which of the
3069following tools will decode a packet capture and extract the voice conversations?
3070A. Cain
3071B. John the Ripper
3072C. Nikto
3073D. Hping
3074Answer: A
3075
3076NO.280 Which initial procedure should an ethical hacker perform after being brought into an
3077organization?
3079A. Begin security testing.
3080B. Turn over deliverables.
3081C. Sign a formal contract with non-disclosure.
3083D. Assess what the organization is trying to protect.
3084Answer: C
3085
3086NO.281 What is the main security service a cryptographic hash provides?
3087A. Integrity and ease of computation
3088B. Message authentication and collision resistance
3089C. Integrity and collision resistance
3090D. Integrity and computational in-feasibility
3091Answer: D
3092
3093NO.282 A large company intends to use Blackberry for corporate mobile phones and a security
3094analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking attack
3095method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the
3096corporate network. What tool should the analyst use to perform a Blackjacking attack?
3097A. Paros Proxy
3098B. BBProxy
3099C. BBCrack
3100D. Blooover
3101Answer: B
3102Explanation
3103Blackberry users warned of hacking tool threat.
3104Users have been warned that the security of Blackberry wireless e-mail devices is at risk due to the
3105availability this week of a new hacking tool. Secure Computing Corporation said businesses that have
3106installed Blackberry servers behind their gateway security devices could be vulnerable to a hacking
3107attack from a tool call BBProxy.
3108References:
3109http://www.computerweekly.com/news/2240062112/Tech
3110NO.ogy-news-in-brief
3111
3112NO.283 Which of the following is a vulnerability in GNU's bash shell (discovered in September of
31132014) that gives attackers access to run remote commands on a vulnerable system?
3114A. Shellshock
3115B. Rootshell
3116C. Rootshock
3117D. Shellbash
3118Answer: A
3119
3120NO.284 You are working as a Security Analyst in a company XYZ that owns the whole subnet range
3121of 23.0.0.0/8 and
3122192.168.0.0/8.
3123While monitoring the data, you find a high number of outbound connections. You see that IP's owned
3124by XYZ (Internal) and private IP's are communicating to a Single Public IP. Therefore, the Internal IP's
312573
3126are sending data to the Public IP.
3127After further analysis, you find out that this Public IP is a blacklisted IP, and the internal
3128communicating devices are compromised.
3129What kind of attack does the above scenario depict?
3130A. Botnet Attack
3131B. Spear Phishing Attack
3132C. Advanced Persistent Threats
3133D. Rootkit Attack
3134Answer: A
3135
3136NO.285 What is the least important information when you analyze a public IP address in a security
3137alert?
3138A. ARP
3139B. Whois
3140C. DNS
3141D. Geolocation
3142Answer: A
3143
3144NO.286 How can telnet be used to fingerprint a web server?
3145A. telnet webserverAddress 80HEAD / HTTP/1.0
3146B. telnet webserverAddress 80PUT / HTTP/1.0
3147C. telnet webserverAddress 80HEAD / HTTP/2.0
3148D. telnet webserverAddress 80PUT / HTTP/2.0
3149Answer: A
3150
3151NO.287 If a tester is attempting to ping a target that exists but receives
3152NO.response or a response
3153that states the destination is unreachable, ICMP may be disabled and the network may be using TCP.
3154Which other option could the tester use to get a response from a host using TCP?
3155A. Hping
3156B. Traceroute
3157C. TCP ping
3158D. Broadcast ping
3159Answer: A
3160
3161NO.288 Which of the following tools would be the best choice for achieving compliance with PCI
3162Requirement 11?
3163A. Truecrypt
3164B. Sub7
3165C. Nessus
3166D. Clamwin
3167Answer: C
3168
3169NO.289 An attacker is trying to redirect the traffic of a small office. That office is using their own
317074
3171mail server, DNS server and NTP server because of the importance of their job. The attacker gains
3172access to the DNS server and redirects the direction www.google.com to his own IP address.
3173NO.
3174when the employees of the office want to go to Google they are being redirected to the attacker
3175machine. What is the name of this kind of attack?
3176A. ARP Poisoning
3177B. Smurf Attack
3178C. DNS spoofing
3179D. MAC Flooding
3180Answer: C
3181
3182NO.290 After trying multiple exploits, you've gained root access to a Centos 6 server. To ensure you
3183maintain access, what would you do first?
3184A. Create User Account
3185B. Disable Key Services
3186C. Disable IPTables
3187D. Download and Install Netcat
3188Answer: A
3189
3190NO.291 If an e-commerce site was put into a live environment and the programmers failed to
3191remove the secret entry point that was used during the application development, what is this secret
3192entry point k
3193NO.n as?
3194A. SDLC process
3195B. Honey pot
3196C. SQL injection
3197D. Trap door
3198Answer: D
3199
3200NO.292 The following is an entry captured by a network IDS. You are assigned the task of analyzing
3201this entry. You
3202NO.ice the value 0x90, which is the most common
3203NO.P instruction for the Intel
3204processor. You figure that the attacker is attempting a buffer overflow attack.
3205You also
3206NO.ice "/bin/sh" in the ASCII part of the output.
3207As an analyst what would you conclude about the attack?
320875
3209A. The buffer overflow attack has been neutralized by the IDS
3210B. The attacker is creating a directory on the compromised machine
3211C. The attacker is attempting a buffer overflow attack and has succeeded
3212D. The attacker is attempting an exploit that launches a command-line shell
3213Answer: D
3214
3215NO.293 Security and privacy of/on information systems are two entities that requires lawful
3216regulations. Which of the following regulations defines security and privacy controls for Federal
3217information systems and organizations?
3218A. NIST SP 800-53
3219B. PCI-DSS
3220C. EU Safe Harbor
3221D. HIPAA
3222Answer: A
3223
3224NO.294 A circuit level gateway works at which of the following layers of the OSI Model?
3225A. Layer 5 - Application
3226B. Layer 4 - TCP
3227C. Layer 3 - Internet protocol
3228D. Layer 2 - Data link
3229Answer: B
3230
3231NO.295 You need to deploy a new web-based software package for your organization. The package
3232requires three separate servers and needs to be available on the Internet. What is the recommended
3233architecture in terms of server placement?
323476
3235A. All three servers need to be placed internally
3236B. A web server facing the Internet, an application server on the internal network, a database server
3237on the internal network
3238C. A web server and the database server facing the Internet, an application server on the internal
3239network
3240D. All three servers need to face the Internet so that they can communicate between themselves
3241Answer: B
3242
3243NO.296 What is the purpose of a demilitarized zone on a network?
3244A. To scan all traffic coming through the DMZ to the internal network
3245B. To only provide direct access to the
3246NO.es within the DMZ and protect the network behind it
3247C. To provide a place to put the honeypot
3248D. To contain the network devices you wish to protect
3249Answer: B
3250
3251NO.297 Which of the following areas is considered a strength of symmetric key cryptography when
3252compared with asymmetric algorithms?
3253A. Scalability
3254B. Speed
3255C. Key distribution
3256D. Security
3257Answer: B
3258
3259NO.298 A certified ethical hacker (CEH) completed a penetration test of the main headquarters of a
3260company almost two months ago, but has yet to get paid. The customer is suffering from financial
3261problems, and the CEH is worried that the company will go out of business and end up
3262NO. paying.
3263What actions should the CEH take?
3264A. Threaten to publish the penetration test results if
3265NO. paid.
3266B. Follow proper legal procedures against the company to request payment.
3267C. Tell other customers of the financial problems with payments from this company.
3268D. Exploit some of the vulnerabilities found on the company webserver to deface it.
3269Answer: B
3270
3271NO.299 Which United States legislation mandates that the Chief Executive Officer (CEO) and the
3272Chief Financial Officer (CFO) must sign statements verifying the completeness and accuracy of
3273financial reports?
3274A. Sarbanes-Oxley Act (SOX)
3275B. Gramm-Leach-Bliley Act (GLBA)
3276C. Fair and Accurate Credit Transactions Act (FACTA)
3277D. Federal Information Security Management Act (FISMA)
3278Answer: A
3279
3280NO.300 Which of the following Nmap commands will produce the following output?
328177
3282Output:
3283A. nmap -sN -Ps -T4 192.168.1.1
3284B. nmap -sT -sX -Pn -p 1-65535 192.168.1.1
3285C. nmap -sS -Pn 192.168.1.1
3286D. nmap -sS -sU -Pn -p 1-65535 192.168.1.1
3287Answer: D
3288
3289NO.301 Developers at your company are creating a web application which will be available for use
3290by anyone on the Internet, The developers have taken the approach of implementing a Three-Tier
3291Architecture for the web application. The developers are
3292NO. asking you which network should the
3293Presentation Tier (front- end web server) be placed in?
3294A. isolated vlan network
3295B. Mesh network
3296C. DMZ network
3297D. Internal network
3298Answer: A
3299
3300NO.302 A medium-sized healthcare IT business decides to implement a risk management strategy.
3301Which of the following is
3302NO. one of the five basic responses to risk?
3303A. Delegate
330478
3305B. Avoid
3306C. Mitigate
3307D. Accept
3308Answer: A
3309Explanation
3310There are five main ways to manage risk: acceptance, avoidance, transference, mitigation or
3311exploitation.
3312References:
3313http://www.dbpmanagement.com/15/5-ways-to-manage-risk
3314
3315NO.303 Which of the following provides a security professional with most information about the
3316system's security posture?
3317A. Wardriving, warchalking, social engineering
3318B. Social engineering, company site browsing, tailgating
3319C. Phishing, spamming, sending trojans
3320D. Port scanning, banner grabbing, service identification
3321Answer: D
3322
3323NO.304 Which of the following steps for risk assessment methodology refers to vulnerability
3324identification?
3325A. Determines if any flaws exist in systems, policies, or procedures
3326B. Assigns values to risk probabilities; Impact values.
3327C. Determines risk probability that vulnerability will be exploited (High. Medium, Low)
3328D. Identifies sources of harm to an IT system. (Natural, Human. Environmental)
3329Answer: C
3330
3331NO.305 The use of tech
3332NO.ogies like IPSec can help guarantee the following: authenticity, integrity,
3333confidentiality and
3334A.
3335NO.-repudiation.
3336B. operability.
3337C. security.
3338D. usability.
3339Answer: A
3340
3341NO.306 A zone file consists of which of the following Resource Records (RRs)?
3342A. DNS, NS, AXFR, and MX records
3343B. DNS, NS, PTR, and MX records
3344C. SOA, NS, AXFR, and MX records
3345D. SOA, NS, A, and MX records
3346Answer: D
3347
3348NO.307 Which of the following is a hardware requirement that either an IDS/IPS system or a proxy
3349server must have in order to properly function?
335079
3351A. Fast processor to help with network traffic analysis
3352B. They must be dual-homed
3353C. Similar RAM requirements
3354D. Fast network interface cards
3355Answer: B
3356Explanation
3357Dual-homed or dual-homing can refer to either an Ethernet device that has more than one network
3358interface, for redundancy purposes, or in firewall tech
3359NO.ogy, dual-homed is one of the firewall
3360architectures, such as an IDS/IPS system, for implementing preventive security.
3361References: https://en.wikipedia.org/wiki/Dual-homed
3362
3363NO.308 Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense
3364conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone,
3365grabs the door as it begins to close.
3366What just happened?
3367A. Phishing
3368B. Whaling
3369C. Tailgating
3370D. Masquerading
3371Answer: C
3372
3373NO.309 Which of the following Nmap commands would be used to perform a stack fingerprinting?
3374A. Nmap -O -p80 <host(s.>
3375B. Nmap -hU -Q<host(s.>
3376C. Nmap -sT -p <host(s.>
3377D. Nmap -u -o -w2 <host>
3378E. Nmap -sS -0p targe
3379Answer: B
3380
3381NO.310 An IT security engineer
3382NO.ices that the company's web server is currently being hacked.
3383What should the engineer do next?
3384A. Unplug the network connection on the company's web server.
3385B. Determine the origin of the attack and launch a counterattack.
3386C. Record as much information as possible from the attack.
3387D. Perform a system restart on the company's web server.
3388Answer: C
3389
3390NO.311 Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt
3391to use these tools in his lab and is
3392NO. ready for real world exploitation. He was able to effectively
3393intercept communications between the two entities and establish credentials with both sides of the
3394connections. The two remote ends of the communication never
3395NO.ice that Eric is relaying the
3396information between the two. What would you call this attack?
3397A. Interceptor
3398B. Man-in-the-middle
339980
3400C. ARP Proxy
3401D. Poisoning Attack
3402Answer: B
3403
3404NO.312 Which security control role does encryption meet?
3405A. Preventative
3406B. Detective
3407C. Offensive
3408D. Defensive
3409Answer: A
3410
3411NO.313 Perspective clients want to see sample reports from previous penetration tests.
3412What should you do next?
3413A. Decline but, provide references.
3414B. Share full reports,
3415NO. redacted.
3416C. Share full reports with redactions.
3417D. Share reports, after NDA is signed.
3418Answer: A
3419Explanation
3420Penetration tests data should
3421NO. be disclosed to third parties.
3422
3423NO.314 How is sniffing broadly categorized?
3424A. Active and passive
3425B. Broadcast and unicast
3426C. Unmanaged and managed
3427D. Filtered and unfiltered
3428Answer: A
3429
3430NO.315 To send a PGP encrypted message, which piece of information from the recipient must the
3431sender have before encrypting the message?
3432A. Recipient's private key
3433B. Recipient's public key
3434C. Master encryption key
3435D. Sender's public key
3436Answer: B
3437
3438NO.316 ViruXine.W32 virus hides their presence by changing the underlying executable code.
3439This Virus code mutates while keeping the original algorithm intact, the code changes itself each time
3440it runs, but the function of the code (its semantics) will
3441NO. change at all.
344281
3443Here is a section of the Virus code:
3444What is this technique called?
3445A. Polymorphic Virus
3446B. Metamorphic Virus
344782
3448C. Dravidic Virus
3449D. Stealth Virus
3450Answer: A
3451
3452NO.317 Shellshock had the potential for an unauthorized user to gain access to a server. It affected
3453many internet-facing services, which OS did it
3454NO. directly affect?
3455A. Windows
3456B. Unix
3457C. Linux
3458D. OS X
3459Answer: A
3460
3461NO.318 The Open Web Application Security Project (OWASP) testing methodology addresses the
3462need to secure web applications by providing which one of the following services?
3463A. An extensible security framework named COBIT
3464B. A list of flaws and how to fix them
3465C. Web application patches
3466D. A security certification for hardened web applications
3467Answer: B
3468
3469NO.319 Email is transmitted across the Internet using the Simple Mail Transport Protocol. SMTP
3470does
3471NO. encrypt email, leaving the information in the message vulnerable to being read by an
3472unauthorized person. SMTP can upgrade a connection between two mail servers to use TLS. Email
3473transmitted by SMTP over TLS is encrypted. What is the name of the command used by SMTP to
3474transmit email over TLS?
3475A. OPPORTUNISTICTLS STARTTLS
3476B. FORCETLS
3477C. UPGRADETLS
3478Answer: B
3479
3480NO.320 Which of the below hashing functions are
3481NO. recommended for use?
3482A. SHA-1.ECC
3483B. MD5, SHA-1
3484C. SHA-2. SHA-3
3485D. MD5. SHA-5
3486Answer: A
3487
3488NO.321 Which solution can be used to emulate computer services, such as mail and ftp, and to
3489capture information related to logins or actions?
3490A. Firewall
3491B. Honeypot
3492C. Core server
3493D. Layer 4 switch
349483
3495Answer: B
3496
3497NO.322 An IT employee got a call from one of our best customers. The caller wanted to k
3498NO. about
3499the company's network infrastructure, systems, and team. New opportunities of integration are in
3500sight for both company and customer. What should this employee do?
3501A. Since the company's policy is all about Customer Service, he/she will provide information.
3502B. Disregarding the call, the employee should hang up.
3503C. The employee should
3504NO. provide any information without previous management authorization.
3505D. The employees can
3506NO. provide any information; but, anyway, he/she will provide the name of the
3507person in charge.
3508Answer: C
3509
3510NO.323 Which of the following items is unique to the N-tier architecture method of designing
3511software applications?
3512A. Application layers can be separated, allowing each layer to be upgraded independently from other
3513layers.
3514B. It is compatible with various databases including Access, Oracle, and SQL.
3515C. Data security is tied into each layer and must be updated for all layers when any upgrade is
3516performed.
3517D. Application layers can be written in C, ASP.NET, or Delphi without any performance loss.
3518Answer: A
3519
3520NO.324 This TCP flag instructs the sending system to transmit all buffered data immediately.
3521A. SYN
3522B. RST
3523C. PSH
3524D. URG
3525E. FIN
3526Answer: C
3527
3528NO.325 Identify the UDP port that Network Time Protocol (NTP) uses as its primary means of
3529communication?
3530A. 123
3531B. 161
3532C. 69
3533D. 113
3534Answer: A
3535
3536NO.326 A large mobile telephony and data network operator has a data that houses network
3537elements. These are essentially large computers running on Linux. The perimeter of the data center is
3538secured with firewalls and IPS systems. What is the best security policy concerning this setup?
3539A. Network elements must be hardened with user ids and strong passwords. Regular security tests
3540and audits should be performed.
354184
3542B. As long as the physical access to the network elements is restricted, there is
3543NO.need for additional
3544measures.
3545C. There is
3546NO.need for specific security measures on the network elements as long as firewalls and
3547IPS systems exist.
3548D. The operator k
3549NO.s that attacks and down time are inevitable and should have a backup site.
3550Answer: A
3551
3552NO.327 Which of the following attacks exploits web age vulnerabilities that allow an attacker to
3553force an unsuspecting user's browser to send malicious requests they did
3554NO. intend?
3555A. Command Injection Attacks
3556B. File Injection Attack
3557C. Cross-Site Request Forgery (CSRF)
3558D. Hidden Field Manipulation Attack
3559Answer: C
3560
3561NO.328 The company ABC recently contracted a new accountant. The accountant will be working
3562with the financial statements. Those financial statements need to be approved by the CFO and then
3563they will be sent to the accountant but the CFO is worried because he wants to be sure that the
3564information sent to the accountant was
3565NO. modified once he approved it. What of the following
3566options can be useful to ensure the integrity of the data?
3567A. The document can be sent to the accountant using an exclusive USB for that document.
3568B. The CFO can use a hash algorithm in the document once he approved the financial statements.
3569C. The financial statements can be sent twice, one by email and the other delivered in USB and the
3570accountant can compare both to be sure it is the same document.
3571D. The CFO can use an excel file with a password.
3572Answer: B
3573
3574NO.329 The "black box testing" methodology enforces which kind of restriction?
3575A. Only the external operation of a system is accessible to the tester.
3576B. Only the internal operation of a system is k
3577NO.n to the tester.
3578C. The internal operation of a system is only partly accessible to the tester.
3579D. The internal operation of a system is completely k
3580NO.n to the tester.
3581Answer: A
3582Explanation
3583Black-box testing is a method of software testing that examines the functionality of an application
3584without peering into its internal structures or workings.
3585References: https://en.wikipedia.org/wiki/Black-box_testing
3586
3587NO.330 Which of the following statements is TRUE?
3588A. Sniffers operate on Layer 2 of the OSI model
3589B. Sniffers operate on Layer 3 of the OSI model
3590C. Sniffers operate on both Layer 2 & Layer 3 of the OSI model.
3591D. Sniffers operate on the Layer 1 of the OSI model.
359285
3593Answer: A
3594Explanation
3595The OSI layer 2 is where packet sniffers collect their data.
3596References: https://en.wikipedia.org/wiki/Ethernet_frame
3597
3598NO.331 While performing data validation of web content, a security technician is required to restrict
3599malicious input.
3600Which of the following processes is an efficient way of restricting malicious input?
3601A. Validate web content input for query strings.
3602B. Validate web content input with scanning tools.
3603C. Validate web content input for type, length, and range.
3604D. Validate web content input for extraneous queries.
3605Answer: C
3606
3607NO.332 A bank stores and processes sensitive privacy information related to home loans. However,
3608auditing has never been enabled on the system. What is the first step that the bank should take
3609before enabling the audit feature?
3610A. Perform a vulnerability scan of the system.
3611B. Determine the impact of enabling the audit feature.
3612C. Perform a cost/benefit analysis of the audit feature.
3613D. Allocate funds for staffing of audit log review.
3614Answer: B
3615
3616NO.333 Firewalls are the software or hardware systems that are able to control and monitor the
3617traffic coming in and out the target network based on pre-defined set of rules.
3618Which of the following types of firewalls can protect against SQL injection attacks?
3619A. Data-driven firewall
3620B. Stateful firewall
3621C. Packet firewall
3622D. Web application firewall
3623Answer: D
3624
3625NO.334 Which of these options is the most secure procedure for storing backup tapes?
3626A. In a climate controlled facility offsite
3627B. On a different floor in the same building
3628C. Inside the data center for faster retrieval in a fireproof safe
3629D. In a cool dry environment
3630Answer: A
3631Explanation
3632An effective disaster data recovery strategy should consist of producing backup tapes and housing
3633them in an offsite storage facility. This way the data isn't compromised if a natural disaster affects the
3634business' office. It is highly recommended that the backup tapes be handled properly and stored in a
3635secure, climate controlled facility. This provides peace of mind, and gives the business almost
3636immediate stability after a disaster.
363786
3638References:
3639http://www.entrustrm.com/blog/1132/why-is-offsite-tape-storage-the-best-disaster-recoverystrategy
3640
3641NO.335 Which of the following items of a computer system will an anti-virus program scan for
3642viruses?
3643A. Boot Sector
3644B. Deleted Files
3645C. Windows Process List
3646D. Password Protected Files
3647Answer: A
3648
3649NO.336 When conducting a penetration test, it is crucial to use all means to get all available
3650information about the target network. One of the ways to do that is by sniffing the network. Which of
3651the following can
3652NO. be performed by the passive network sniffing?
3653A. Identifying operating systems, services, protocols and devices
3654B. Modifying and replaying captured network traffic
3655C. Collecting unencrypted information about usernames and passwords
3656D. Capturing a network traffic for further analysis
3657Answer: B
3658
3659NO.337 Passive reconnaissance involves collecting information through which of the following?
3660A. Social engineering
3661B. Network traffic sniffing
3662C. Man in the middle attacks
3663D. Publicly accessible sources
3664Answer: D
3665
3666NO.338 In cryptanalysis and computer security, 'pass the hash' is a hacking technique that allows an
3667attacker to authenticate to a remote server/service by using the underlying NTLM and/or LanMan
3668hash of a user's password, instead of requiring the associated plaintext password as is
3669NO.mally the
3670case.
3671Metasploit Framework has a module for this technique: psexec. The psexec module is often used by
3672penetration testers to obtain access to a given system that you already k
3673NO. the credentials for. It
3674was written by sysinternals and has been integrated within the framework. Often as penetration
3675testers, successfully gain access to a system through some exploit, use meterpreter to grab the
3676passwords or other methods like fgdump, pwdump, or cachedump and then utilize rainbowtables to
3677crack those hash values.
3678Which of the following is true hash type and sort order that is using in the psexec module's
3679'smbpass'?
3680A. NT:LM
3681B. LM:NT
3682C. LM:NTLM
3683D. NTLM:LM
368487
3685Answer: B
3686
3687NO.339 Which of the following descriptions is true about a static NAT?
3688A. A static NAT uses a many-to-many mapping.
3689B. A static NAT uses a one-to-many mapping.
3690C. A static NAT uses a many-to-one mapping.
3691D. A static NAT uses a one-to-one mapping.
3692Answer: D
3693
3694NO.340 Security Policy is a definition of what it means to be secure for a system, organization or
3695other entity. For Information Tech
3696NO.ogies, there are sub-policies like Computer Security Policy,
3697Information Protection Policy, Information Security Policy, network Security Policy, Physical Security
3698Policy, Remote Access Policy, and User Account Policy.
3699What is the main theme of the sub-policies for Information Tech
3700NO.ogies?
3701A. Availability,
3702NO.-repudiation, Confidentiality
3703B. Authenticity, Integrity,
3704NO.-repudiation
3705C. Confidentiality, Integrity, Availability
3706D. Authenticity, Confidentiality, Integrity
3707Answer: C
3708
3709NO.341 What are two things that are possible when scanning UDP ports? (Choose two.)
3710A. A reset will be returned
3711B. An ICMP message will be returned
3712C. The four-way handshake will
3713NO. be completed
3714D. An RFC 1294 message will be returned
3715E.
3716NO.hing
3717Answer: B E
3718
3719NO.342 Based on the following extract from the log of a compromised machine, what is the hacker
3720really trying to steal?
3721A. har.txt
3722B. SAM file
3723C. wwwroot
3724D. Repair file
3725Answer: B
3726
3727NO.343 The precaution of prohibiting employees from bringing personal computing devices into a
3728facility is what type of security control?
3729A. Physical
3730B. Procedural
3731C. Technical
3732D. Compliance
3733Answer: B
373488
3735
3736NO.344 Steve, a scientist who works in a governmental security agency, developed a tech
3737NO.ogical
3738solution to identify people based on walking patterns and implemented this approach to a physical
3739control access.
3740A camera captures people walking and identifies the individuals using Steve's approach.
3741After that, people must approximate their RFID badges. Both the identifications are required to open
3742the door.
3743In this case, we can say:
3744A. Although the approach has two phases, it actually implements just one authentication factor
3745B. The solution implements the two authentication factors: physical object and physical characteristi
3746c
3747C. The solution will have a high level of false positives
3748D. Biological motion can
3749NO. be used to identify people
3750Answer: B
3751
3752NO.345 A pentester gains access to a Windows application server and needs to determine the
3753settings of the built-in Windows firewall. Which command would be used?
3754A. Netsh firewall show config
3755B. WMIC firewall show config
3756C. Net firewall show config
3757D. Ipconfig firewall show config
3758Answer: A
3759
3760NO.346 You need a tool that can do network intrusion prevention and intrusion detection, function
3761as a network sniffer, and record network activity, what tool would you most likely select?
3762A. Nmap
3763B. Cain & Abel
3764C. Nessus
3765D. S
3766NO.t
3767Answer: D
3768
3769NO.347 The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but
3770introduces which of the following vulnerabilities?
3771A. An attacker, working slowly e
3772NO.gh, can evade detection by the IDS.
3773B. Network packets are dropped if the volume exceeds the threshold.
3774C. Thresholding interferes with the IDS' ability to reassemble fragmented packets.
3775D. The IDS will
3776NO. distinguish among packets originating from different sources.
3777Answer: A
3778
3779NO.348 Look at the following output. What did the hacker accomplish?
378089
3781A. The hacker used whois to gather publicly available records for the domain.
3782B. The hacker used the "fierce" tool to brute force the list of available domains.
3783C. The hacker listed DNS records on his own domain.
3784D. The hacker successfully transferred the zone and enumerated the hosts.
3785Answer: D
3786
3787NO.349 What is the correct PCAP filter to capture all TCP traffic going to or from host 192.168.0.125
3788on port 25?
3789A. tcp.src == 25 and ip.host == 192.168.0.125
3790B. host 192.168.0.125:25
3791C. port 25 and host 192.168.0.125
3792D. tcp.port == 25 and ip.host == 192.168.0.125
3793Answer: D
3794
3795NO.350 A network administrator discovers several unk
3796NO.n files in the root directory of his Linux
3797FTP server. One of the files is a tarball, two are shell script files, and the third is a binary file is named
3798"nc." The FTP server's access logs show that the a
3799NO.ymous user account logged in to the server,
3800uploaded the files, and extracted the contents of the tarball and ran the script using a function
3801provided by the FTP server's software. The ps command shows that the nc file is running as process,
380290
3803and the netstat command shows the nc process is listening on a network port.
3804What kind of vulnerability must be present to make this remote attack possible?
3805A. File system permissions
3806B. Privilege escalation
3807C. Directory traversal
3808D. Brute force login
3809Answer: A
3810Explanation
3811To upload files the user must have proper write file permissions.
3812References:
3813http://codex.wordpress.org/Hardening_WordPress
3814
3815NO.351 You have compromised a server on a network and successfully opened a shell. You aimed to
3816identify all operating systems running on the network. However, as you attempt to fingerprint all
3817machines in the network using the nmap syntax below, it is
3818NO. going through.
3819What seems to be wrong?
3820A. OS Scan requires root privileges.
3821B. The nmap syntax is wrong.
3822C. This is a common behavior for a corrupted nmap application.
3823D. The outgoing TCP/IP fingerprinting is blocked by the host firewall.
3824Answer: A
3825Explanation
3826You requested a scan type which requires root privileges.
3827References:
3828http://askubuntu.com/questions/433062/using-nmap-for-information-regarding-web-host
3829
3830NO.352 A hacker is attempting to use nslookup to query Domain Name Service (DNS). The hacker
3831uses the nslookup interactive mode for the search. Which command should the hacker type into the
3832command shell to request the appropriate records?
3833A. Locate type=ns
3834B. Request type=ns
3835C. Set type=ns
3836D. Transfer type=ns
3837Answer: C
3838
NO.353 Which of the following processes evaluates the adherence of an organization to its stated
security policy?
A. Vulnerability assessment
B. Penetration testing
C. Risk assessment
D. Security auditing
Answer: D

NO.354 What is the main reason the use of a stored biometric is vulnerable to an attack?
A. The digital representation of the biometric might not be unique, even if the physical characteristic
is unique.
B. Authentication using a stored biometric compares a copy to a copy instead of the original to a
copy.
C. A stored biometric is no longer "something you are" and instead becomes "something you have".
D. A stored biometric can be stolen and used by an attacker to impersonate the individual identified
by the biometric.
Answer: D

NO.355 A computer science student needs to fill some information into a secured Adobe PDF job
application that was received from a prospective employer. Instead of requesting a new document
that allowed the forms to be completed, the student decides to write a script that pulls passwords
from a list of commonly used passwords to try against the secured PDF until the correct password is
found or the list is exhausted.
Which cryptography attack is the student attempting?
A. Man-in-the-middle attack
B. Brute-force attack
C. Dictionary attack
D. Session hijacking
Answer: C

NO.356 Which of the following is the best countermeasure to encrypting ransomware?
A. Use multiple antivirus products
B. Keep some generation of off-line backup
C. Analyze the ransomware to get the decryption key of the encrypted data
D. Pay a ransom
Answer: B

NO.357 You have successfully compromised a machine on the network and found a server that is
alive on the same network. You tried to ping it but you didn't get any response back.
What is happening?
A. ICMP could be disabled on the target server.
B. The ARP is disabled on the target server.
C. TCP/IP doesn't support ICMP.
D. You need to run the ping command with root privileges.
Answer: A
Explanation
The ping utility is implemented using the ICMP "Echo request" and "Echo reply" messages.

Note: The Internet Control Message Protocol (ICMP) is one of the main protocols of the internet
protocol suite. It is used by network devices, like routers, to send error messages indicating, for
example, that a requested service is not available or that a host or router could not be reached.
References: https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

NO.358 Which tool is used to automate SQL injections and exploit a database by forcing a given web
application to connect to another database controlled by a hacker?
A. DataThief
B. NetCat
C. Cain and Abel
D. SQLInjector
Answer: A

NO.359 A security engineer is attempting to map a company's internal network. The engineer enters
in the following NMAP command:
NMAP -n -sS -P0 -p 80 ***.***.**.**
What type of scan is this?
A. Quick scan
B. Intense scan
C. Stealth scan
D. Comprehensive scan
Answer: C

NO.360 Which of the following is an example of an asymmetric encryption implementation?
A. SHA1
B. PGP
C. 3DES
D. MD5
Answer: B

NO.361 Which of the following is the BEST way to protect Personally Identifiable Information (PII)
from being exploited due to vulnerabilities of varying web applications?
A. Use cryptographic storage to store all PII
B. Use full disk encryption on all hard drives to protect PII
C. Use encrypted communications protocols to transmit PII
D. Use a security token to log into all Web applications that use PII
Answer: C

NO.362 Trinity needs to scan all hosts on a /16 network for TCP port 445 only. What is the fastest
way she can accomplish this with Nmap? Stealth is not a concern.
A. nmap -sn -sF 10.1.0.0/16 445
B. nmap -p 445 -n -T4 -open 10.1.0.0/16
C. nmap -s 445 -sU -T5 10.1.0.0/16
D. nmap -p 445 -max -Pn 10.1.0.0/16
Answer: B

NO.363 It is a kind of malware (malicious software) that criminals install on your computer so they
can lock it from a remote location. This malware generates a pop-up window, webpage, or email
warning from what looks like an official authority. It explains that your computer has been locked
because of possible illegal activities on it and demands payment before you can access your files and
programs again.
Which of the following terms best matches the definition?
A. Ransomware
B. Adware
C. Spyware
D. Riskware
Answer: A
Explanation
Ransomware is a type of malware that can be covertly installed on a computer without the knowledge or
intention of the user that restricts access to the infected computer system in some way, and
demands that the user pay a ransom to the malware operators to remove the restriction. Some
forms of ransomware systematically encrypt files on the system's hard drive, which become difficult
or impossible to decrypt without paying the ransom for the encryption key, while some may simply
lock the system and display messages intended to coax the user into paying. Ransomware typically
propagates as a Trojan.
References: https://en.wikipedia.org/wiki/Ransomware

NO.364 What are the three types of authentication?
A. Something you: know, remember, prove
B. Something you: have, know, are
C. Something you: show, prove, are
D. Something you: show, have, prove
Answer: B

NO.365 What is the proper response for a NULL scan if the port is open?
A. SYN
B. ACK
C. FIN
D. PSH
E. RST
F. No response
Answer: F

NO.366 An nmap command that includes the host specification of 202.176.56-57.* will scan
_______ number of hosts.
A. 2
B. 256
C. 512
D. Over 10,000
Answer: C

NO.367 What is the code written for?
A. Buffer Overflow
B. Encryption
C. Bruteforce
D. Denial-of-service (DoS)
Answer: A

NO.368 When analyzing the IDS logs, the system administrator noticed an alert was logged when
the external router was accessed from the administrator's computer to update the router
configuration. What type of an alert is this?
A. False positive
B. False negative
C. True positive
D. True negative
Answer: A

NO.369 How does an operating system protect the passwords used for account logins?
A. The operating system performs a one-way hash of the passwords.
B. The operating system stores the passwords in a secret file that users cannot find.
C. The operating system encrypts the passwords, and decrypts them when needed.
D. The operating system stores all passwords in a protected segment of non-volatile memory.
Answer: A

NO.370 What type of analysis is performed when an attacker has partial knowledge of the inner workings
of the application?
A. Black-box
B. Announced
C. White-box
D. Grey-box
Answer: D

NO.371 Which of the following settings enables Nessus to detect when it is sending too many
packets and the network pipe is approaching capacity?
A. Netstat WMI Scan
B. Silent Dependencies
C. Consider unscanned ports as closed
D. Reduce parallel connections on congestion
Answer: D

NO.372 Name two software tools used for OS guessing. (Choose two.)
A. Nmap
B. Snadboy
C. Queso
D. UserInfo
E. NetBus
Answer: A C

NO.373 What is one thing a tester can do to ensure that the software is trusted and is not changing
or tampering with critical data on the back end of a system it is loaded on?
A. Proper testing
B. Secure coding principles
C. Systems security and architecture review
D. Analysis of interrupts within the software
Answer: D

NO.374 Bob received this text message on his mobile phone: "Hello, this is Scott Smelby from the
Yahoo Bank.
Kindly contact me for a vital transaction on: scottsmelby@yahoo.com". Which statement below is
true?
A. This is probably a legitimate message as it comes from a respectable organization.
B. Bob should write to scottsmelby@yahoo.com to verify the identity of Scott.
C. This is a scam as everybody can get a @yahoo address, not the Yahoo customer service
employees.
D. This is a scam because Bob does not know Scott.
Answer: C

NO.375 You are attempting to run an Nmap port scan on a web server. Which of the following
commands would result in a scan of common ports with the least amount of noise in order to evade
IDS?
A. nmap -A -Pn
B. nmap -sP -p-65535 -T5
C. nmap -sT -O -T0
D. nmap -A --host-timeout 99 -T1
Answer: C

NO.376 Which of the following is the BEST approach to prevent Cross-site Scripting (XSS) flaws?
A. Use digital certificates to authenticate a server prior to sending data.
B. Verify access right before allowing access to protected information and UI controls.
C. Verify access right before allowing access to protected information and UI controls.
D. Validate and escape all information sent to a server.
Answer: D

NO.377 Which of the following is a preventive control?
A. Smart card authentication
B. Security policy
C. Audit trail
D. Continuity of operations plan
Answer: A

NO.378 To determine if a software program properly handles a wide range of invalid input, a form of
automated testing can be used to randomly generate invalid input in an attempt to crash the
program.
What term is commonly used when referring to this type of testing?
A. Fuzzing
B. Randomizing
C. Mutating
D. Bounding
Answer: A
Explanation
Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that
involves providing invalid, unexpected, or random data to the inputs of a computer program. The
program is then monitored for exceptions such as crashes, failing built-in code assertions, or
potential memory leaks. Fuzzing is commonly used to test for security problems in software
or computer systems. It is a form of random testing which has been used for testing hardware or
software.
References: https://en.wikipedia.org/wiki/Fuzz_testing

NO.379 What is the broadcast address for the subnet 190.86.168.0/22?
A. 190.86.168.255
B. 190.86.255.255
C. 190.86.171.255
D. 190.86.169.255
Answer: C

NO.380 Which of the following security operations is used for determining the attack surface of an
organization?
A. Running a network scan to detect network services in the corporate DMZ
B. Training employees on the security policy regarding social engineering
C. Reviewing the need for a security clearance for each employee
D. Using configuration management to determine when and where to apply security patches
Answer: A
Explanation
For a network scan the goal is to document the exposed attack surface along with any easily detected
vulnerabilities.
References:
http://meisecurity.com/home/consulting/consulting-network-scanning/

NO.381 Which tier in the N-tier application architecture is responsible for moving and processing
data between the tiers?
A. Application Layer
B. Data tier
C. Presentation tier
D. Logic tier
Answer: D

NO.382 The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and
UDP traffic in the host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and
deny all other traffic. After he applied his ACL configuration in the router, nobody can access the
ftp, and the permitted hosts cannot access the Internet. According to the next configuration, what is
happening in the network?
A. The ACL 104 needs to be first because it is UDP
B. The ACL 110 needs to be changed to port 80
C. The ACL for FTP must be before the ACL 110
D. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
Answer: D

NO.383 How can a policy help improve an employee's security awareness?
A. By implementing written security procedures, enabling employee security training, and promoting
the benefits of security
B. By using informal networks of communication, establishing secret passing procedures, and
immediately terminating employees
C. By sharing security secrets with employees, enabling employees to share secrets, and establishing
a consultative help line
D. By decreasing an employee's vacation time, addressing ad-hoc employment clauses, and ensuring
that managers know employee strengths
Answer: A

NO.384 Company A and Company B have just merged and each has its own Public Key Infrastructure
(PKI). What must the Certificate Authorities (CAs) establish so that the private PKIs for Company A
and Company B trust one another and each private PKI can validate digital certificates from the other
company?
A. Poly key exchange
B. Cross certification
C. Poly key reference
D. Cross-site exchange
Answer: B

NO.385 Risks = Threats x Vulnerabilities is referred to as the:
A. Risk equation
B. Threat assessment
C. BIA equation
D. Disaster recovery formula
Answer: A
Explanation
The most effective way to define risk is with this simple equation:
Risk = Threat x Vulnerability x Cost
This equation is fundamental to all information security.
References:
http://www.icharter.org/articles/risk_equation.html

NO.386 In 2007, this wireless security algorithm was rendered useless by capturing packets and
discovering the passkey in a matter of seconds. This security flaw led to a network invasion of TJ
Maxx and data theft through a technique known as wardriving.
Which algorithm is this referring to?
A. Wired Equivalent Privacy (WEP)
B. Wi-Fi Protected Access (WPA)
C. Wi-Fi Protected Access 2 (WPA2)
D. Temporal Key Integrity Protocol (TKIP)
Answer: A
Explanation
WEP is the currently most used protocol for securing 802.11 networks, also called wireless LANs or
WLANs. In 2007, a new attack on WEP, the PTW attack, was discovered, which allows an attacker to recover the
secret key in less than 60 seconds in some cases.

Note: Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle,
using a portable computer, smartphone or personal digital assistant (PDA).
References: https://events.ccc.de/camp/2007/Fahrplan/events/1943.en.html

NO.387 This kind of password cracking method uses word lists in combination with numbers and
special characters:
A. Hybrid
B. Linear
C. Symmetric
D. Brute Force
Answer: A

NO.388 Which of the following security policies defines the use of VPN for gaining access to an
internal corporate network?
A. Network security policy
B. Remote access policy
C. Information protection policy
D. Access control policy
Answer: B

NO.389 Which of the following ensures that updates to policies, procedures, and configurations are
made in a controlled and documented fashion?
A. Regulatory compliance
B. Peer review
C. Change management
D. Penetration testing
Answer: C

NO.390 Within the context of Computer Security, which of the following statements describes Social
Engineering best?
A. Social Engineering is the act of publicly disclosing information
B. Social Engineering is the means put in place by human resources to perform time accounting
C. Social Engineering is the act of getting needed information from a person rather than breaking into
a system
D. Social Engineering is a training program within sociology studies
Answer: C

NO.391 What is a successful method for protecting a router from potential smurf attacks?
A. Placing the router in broadcast mode
B. Enabling port forwarding on the router
C. Installing the router outside of the network's firewall
D. Disabling the router from accepting broadcast ping messages
Answer: D

NO.392 Attempting an injection attack on a web server based on responses to True/False questions
is called which of the following?
A. Blind SQLi
B. DMS-specific SQLi
C. Classic SQLi
D. Compound SQLi
Answer: A

NO.393 Your company performs penetration tests and security assessments for small and medium-sized
businesses in the local area. During a routine security assessment, you discover information that
suggests your client is involved with human trafficking.
What should you do?
A. Immediately stop work and contact the proper legal authorities.
B. Copy the data to removable media and keep it in case you need it.
C. Confront the client in a respectful manner and ask her about the data.
D. Ignore the data and continue the assessment until completed as agreed.
Answer: A

NO.394 Which of the following is a serious vulnerability in the popular OpenSSL cryptographic
software library? This weakness allows stealing the information protected, under normal conditions,
by the SSL/TLS encryption used to secure the Internet.
A. Heartbleed Bug
B. POODLE
C. SSL/TLS Renegotiation Vulnerability
D. Shellshock
Answer: A

NO.395 Which of the following is not a Bluetooth attack?
A. Bluedriving
B. Bluejacking
C. Bluesmacking
D. Bluesnarfing
Answer: A

NO.396 Bob learned that his username and password for a popular game have been compromised.
He contacts the company and resets all the information. The company suggests he use two-factor
authentication. Which option below offers that?
A. A new username and password
B. A fingerprint scanner and his username and password.
C. Disable his username and use just a fingerprint scanner.
D. His username and a stronger password.
Answer: B

NO.397 Which of the following is considered an acceptable option when managing a risk?
A. Reject the risk.
B. Deny the risk.
C. Mitigate the risk.
D. Initiate the risk.
Answer: C

NO.398 Which of the following examples best represents a logical or technical control?
A. Security tokens
B. Heating and air conditioning
C. Smoke and fire alarms
D. Corporate security policy
Answer: A

NO.399 A developer for a company is tasked with creating a program that will allow customers to
update their billing and shipping information. The billing address field used is limited to 50
characters. What pseudo code would the developer use to avoid a buffer overflow attack on the
billing address field?
A. if (billingAddress = 50) {update field} else exit
B. if (billingAddress != 50) {update field} else exit
C. if (billingAddress >= 50) {update field} else exit
D. if (billingAddress <= 50) {update field} else exit
Answer: D

NO.400 A distributed port scan operates by:
A. Blocking access to the scanning clients by the targeted host
B. Using denial-of-service software against a range of TCP ports
C. Blocking access to the targeted host by each of the distributed scanning clients
D. Having multiple computers each scan a small number of ports, then correlating the results
Answer: D

NO.401 The network team has well-established procedures to follow for creating new rules on the
firewall. This includes having approval from a manager prior to implementing any new rules. While
reviewing the firewall configuration, you notice a recently implemented rule but cannot locate
manager approval for it. What would be a good step to have in the procedures for a situation like
this?
A. Have the network team document the reason why the rule was implemented without prior
manager approval.
B. Monitor all traffic using the firewall rule until a manager can approve it.
C. Do not roll back the firewall rule as the business may be relying upon it, but try to get manager
approval as soon as possible.
D. Immediately roll back the firewall rule until a manager can approve it
Answer: D

NO.402 Sam is working as a pen-tester in an organization in Houston. He performs penetration
testing on IDS in order to find the different ways an attacker uses to evade the IDS. Sam sends a large
amount of packets to the target IDS that generate alerts, which enables Sam to hide the real traffic.
What type of method is Sam using to evade IDS?
A. Denial-of-Service
B. False Positive Generation
C. Insertion Attack
D. Obfuscating
Answer: B

NO.403 What is the best defense against a privilege escalation vulnerability?
A. Patch systems regularly and upgrade interactive login privileges at the system administrator level.
B. Run administrator and applications on least privileges and use a content registry for tracking.
C. Run services with least privileged accounts and implement multi-factor authentication and
authorization.
D. Review user roles and administrator privileges for maximum utilization of automation services.
Answer: C

NO.404 A botnet can be managed through which of the following?
A. IRC
B. E-Mail
C. Linkedin and Facebook
D. A vulnerable FTP server
Answer: A

NO.405 Under the "Post-attack Phase and Activities", it is the responsibility of the tester to restore
the systems to a pre-test state.
Which of the following activities should not be included in this phase? (see exhibit) Exhibit:
A. III
B. IV
C. III and IV
D. All should be included.
Answer: A
Explanation
The post-attack phase revolves around returning any modified system(s) to the pretest state.
Examples of such activities:
References: Computer and Information Security Handbook, John R. Vacca (2012), page 531

NO.406 The practical realities facing organizations today make risk response strategies essential.
Which of the following is not one of the five basic responses to risk?
A. Accept
B. Mitigate
C. Delegate
D. Avoid
Answer: C

NO.407 Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within the
suite provides different functionality. Collectively, IPSec does everything except:
A. Protect the payload and the headers
B. Authenticate
C. Encrypt
D. Work at the Data Link Layer
Answer: D

NO.408 A penetration test was done at a company. After the test, a report was written and given to
the company's IT authorities. A section from the report is shown below:
According to the section from the report, which of the following choices is true?
A. MAC Spoof attacks cannot be performed.
B. Possibility of SQL Injection attack is eliminated.
C. A stateful firewall can be used between intranet (LAN) and DMZ.
D. There is access control policy between VLANs.
Answer: C

NO.409 You want to analyze packets on your wireless network. Which program would you use?
A. Wireshark with Airpcap
B. Airsnort with Airpcap
C. Wireshark with Winpcap
D. Ethereal with Winpcap
Answer: A

NO.410 Bluetooth uses which digital modulation technique to exchange information between paired
devices?
A. PSK (phase-shift keying)
B. FSK (frequency-shift keying)
C. ASK (amplitude-shift keying)
D. QAM (quadrature amplitude modulation)
Answer: A
Explanation
Phase shift keying is the form of Bluetooth modulation used to enable the higher data rates
achievable with Bluetooth 2 EDR (Enhanced Data Rate). Two forms of PSK are used: π/4 DQPSK, and
8DPSK.
References:
http://www.radio-electronics.com/info/wireless/bluetooth/radio-interface-modulation.php

NO.411 Which of these is capable of searching for and locating rogue access points?
A. HIDS
B. WISS
C. WIPS
D. NIDS
Answer: C

NO.412 Study the snort rule given below and interpret the rule.
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
A. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and
destined to any IP on port 111
B. An alert is generated when any packet other than a TCP packet is seen on the network and
destined for the 192.168.1.0 subnet
C. An alert is generated when a TCP packet is originated from port 111 of any IP address to the
192.168.1.0 subnet
D. An alert is generated when a TCP packet originating from any IP address is seen on the network
and destined for any IP address on the 192.168.1.0 subnet on port 111
Answer: D

NO.413 Which type of antenna is used in wireless communication?
A. Omnidirectional
B. Parabolic
C. Uni-directional
D. Bi-directional
Answer: A

NO.414 You are the Network Admin, and you get a complaint that some of the websites are no
longer accessible. You try to ping the servers and find them to be reachable. Then you type the IP
address into the browser, and find it to be accessible. But they are not accessible
when you try using the URL.
What may be the problem?
A. Traffic is Blocked on UDP Port 53
B. Traffic is Blocked on UDP Port 80
C. Traffic is Blocked on UDP Port 54
D. Traffic is Blocked on UDP Port 80
Answer: A

NO.415 How is the public key distributed in an orderly, controlled fashion so that the users can be
sure of the sender's identity?
A. Hash value
B. Private key
C. Digital signature
D. Digital certificate
Answer: D

NO.416 What is the BEST alternative if you discover that a rootkit has been installed on one of your
computers?
A. Copy the system files from a known good system
B. Perform a trap and trace
C. Delete the files and try to determine the source
D. Reload from a previous backup
E. Reload from known good media
Answer: E

NO.417 Which of the following is optimized for confidential communications, such as bidirectional
voice and video?
A. RC4
B. RC5
C. MD4
D. MD5
Answer: A

NO.418 In the context of Windows Security, what is a 'null' user?
A. A user that has no skills
B. An account that has been suspended by the admin
C. A pseudo account that has no username and password
D. A pseudo account that was created for security administration purposes
Answer: C

NO.419 A hacker is attempting to see which IP addresses are currently active on a network. Which
NMAP switch would the hacker use?
A. -sO
B. -sP
C. -sS
D. -sU
Answer: B

NO.420 In Risk Management, how is the term "likelihood" related to the concept of "threat"?
A. Likelihood is the probability that a threat-source will exploit a vulnerability.
B. Likelihood is a possible threat-source that may exploit a vulnerability.
C. Likelihood is the likely source of a threat that could exploit a vulnerability.
D. Likelihood is the probability that a vulnerability is a threat-source.
Answer: A
Explanation
The ability to analyze the likelihood of threats within the organization is a critical step in building an
effective security program. The process of assessing threat probability should be well defined and
incorporated into a broader threat analysis process to be effective.
References:
http://www.mcafee.com/campaign/securitybattleground/resources/chapter5/whitepaper-onassessing-threat-attac

NO.421 During a wireless penetration test, a tester detects an access point using WPA2 encryption.
Which of the following attacks should be used to obtain the key?
A. The tester must capture the WPA2 authentication handshake and then crack it.
B. The tester must use the tool inSSIDer to crack it using the ESSID of the network.
C. The tester cannot crack WPA2 because it is in full compliance with the IEEE 802.11i standard.
D. The tester must change the MAC address of the wireless network card and then use the AirTraf
tool to obtain the key.
Answer: A

NO.422 What is the main disadvantage of scripting languages as opposed to compiled
programming languages?
A. Scripting languages are hard to learn.
B. Scripting languages are not object-oriented.
C. Scripting languages cannot be used to create graphical user interfaces.
D. Scripting languages are slower because they require an interpreter to run the code.
Answer: D

NO.423 A consultant is hired to do physical penetration testing at a large financial company. On the
first day of his assessment, the consultant goes to the company's building dressed like an electrician
and waits in the lobby for an employee to pass through the main access gate, then the consultant
follows the employee behind to get into the restricted area. Which type of attack did the consultant
perform?
A. Man trap
B. Tailgating
C. Shoulder surfing
D. Social engineering
Answer: B

NO.424 You are about to be hired by a well-known Bank to perform penetration tests. Which of the
following documents describes the specifics of the testing, the associated violations, and essentially
protects both the bank's interest and your liabilities as a tester?
A. Service Level Agreement
B. Non-Disclosure Agreement
C. Terms of Engagement
D. Project Scope
Answer: C

NO.425 A person approaches a network administrator and wants advice on how to send encrypted
email from home.
The end user does not want to have to pay for any license fees or manage server services. Which of
the following is the most secure encryption protocol that the network administrator should
recommend?
A. IP Security (IPSEC)
B. Multipurpose Internet Mail Extensions (MIME)
C. Pretty Good Privacy (PGP)
D. Hyper Text Transfer Protocol with Secure Socket Layer (HTTPS)
Answer: C

NO.426 MX record priority increases as the number increases. (True/False.)
A. True
B. False
Answer: B

NO.427 Which of the following is a low-tech way of gaining unauthorized access to systems?
A. Social Engineering
B. Sniffing
C. Eavesdropping
D. Scanning
Answer: A
Explanation
Social engineering, in the context of information security, refers to psychological manipulation of
people into performing actions or divulging confidential information. It is a type of confidence trick for
the purpose of information gathering, fraud, or system access.
References: https://en.wikipedia.org/wiki/Social_engineering_(security)

4609NO.428 Bob is ack
4610NO.ledged as a hacker of repute and is popular among visitors of "underground"
4611sites.
4612Bob is willing to share his k
4613NO.ledge with those who are willing to learn, and many have expressed
4614their interest in learning from him. However, this k
4615NO.ledge has a risk associated with it, as it can be
4616used for malevolent attacks as well.
4617In this context, what would be the most effective method to bridge the k
4618NO.ledge gap between the
4619"black" hats or crackers and the "white" hats or computer security professionals? (Choose the test
4620answer.)
4621A. Educate everyone with books, articles and training on risk analysis, vulnerabilities and safeguards.
4622B. Hire more computer security monitoring personnel to monitor computer systems and networks.
4623C. Make obtaining either a computer security certification or accreditation easier to achieve so more
4624individuals feel that they are a part of something larger than life.
4625D. Train more National Guard and reservist in the art of computer security to help out in times of
4626108
4627emergency or crises.
4628Answer: A
4629
NO.429 What statement is true regarding LM hashes?
A. LM hashes consist of 48 hexadecimal characters.
B. LM hashes are based on the AES128 cryptographic standard.
C. Uppercase characters in the password are converted to lowercase.
D. LM hashes are not generated when the password length exceeds 15 characters.
Answer: D

NO.430 What information should an IT system analysis provide to the risk assessor?
A. Management buy-in
B. Threat statement
C. Security architecture
D. Impact analysis
Answer: C

NO.431 An attacker has captured a target file that is encrypted with public key cryptography. Which
of the attacks below is likely to be used to crack the target file?
A. Timing attack
B. Replay attack
C. Memory trade-off attack
D. Chosen plain-text attack
Answer: D

NO.432 International Organization for Standardization (ISO) standard 27002 provides guidance for
compliance by outlining
A. guidelines and practices for security controls.
B. financial soundness and business viability metrics.
C. standard best practice for configuration management.
D. contract agreement writing standards.
Answer: A

NO.433 Which of the following is the primary objective of a rootkit?
A. It opens a port to provide an unauthorized service
B. It creates a buffer overflow
C. It replaces legitimate programs
D. It provides an undocumented opening in a program
Answer: C

NO.434 The "gray box testing" methodology enforces what kind of restriction?
A. The internal operation of a system is only partly accessible to the tester.
B. The internal operation of a system is completely known to the tester.
C. Only the external operation of a system is accessible to the tester.
D. Only the internal operation of a system is known to the tester.
Answer: A
Explanation
A black-box tester is unaware of the internal structure of the application to be tested, while a white-box
tester has access to the internal structure of the application. A gray-box tester partially knows
the internal structure, which includes access to the documentation of internal data structures as well
as the algorithms used.
References: https://en.wikipedia.org/wiki/Gray_box_testing

NO.435 An attacker changes the profile information of a particular user (victim) on the target
website. The attacker uses this string to update the victim's profile to a text file and then submit the
data to the attacker's database.
<iframe src="http://www.vulnweb.com/updateif.php" style="display:none"></iframe>
What is this type of attack (that can use either HTTP GET or HTTP POST) called?
A. Cross-Site Request Forgery
B. Cross-Site Scripting
C. SQL Injection
D. Browser Hacking
Answer: A
Explanation
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF
(sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where
unauthorized commands are transmitted from a user that the website trusts.
Different HTTP request methods, such as GET and POST, have different levels of susceptibility to CSRF
attacks and require different levels of protection due to their different handling by web browsers.
References: https://en.wikipedia.org/wiki/Cross-site_request_forgery

NO.436 Which of the following tools are used for enumeration? (Choose three.)
A. SolarWinds
B. USER2SID
C. Cheops
D. SID2USER
E. DumpSec
Answer: B D E

NO.437 A pentester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the
pentester pivot using Metasploit?
A. Issue the pivot exploit and set the meterpreter.
B. Reconfigure the network settings in the meterpreter.
C. Set the payload to propagate through the meterpreter.
D. Create a route statement in the meterpreter.
Answer: D

NO.438 Which of the following describes the characteristics of a Boot Sector Virus?
A. Moves the MBR to another location in RAM and copies itself to the original location of the
MBR
B. Moves the MBR to another location on the hard disk and copies itself to the original location of
the MBR
C. Modifies directory table entries so that directory entries point to the virus code instead of the
actual program
D. Overwrites the original MBR and only executes the new virus code
Answer: B
Explanation
A boot sector virus is a computer virus that infects a storage device's master boot record (MBR). The
virus moves the boot sector to another location on the hard drive.
References: https://www.techopedia.com/definition/26655/boot-sector-virus

NO.439 To browse the Internet anonymously, which of the following is the best choice?
A. Use SSL sites when entering personal information
B. Use the Tor network with multiple nodes
C. Use shared WiFi
D. Use a public VPN
Answer: B

NO.440 A security analyst in an insurance company is assigned to test a new web application that
will be used by clients to help them choose and apply for an insurance plan. The analyst discovers
that the application is developed in the ASP scripting language and uses MSSQL as a database backend.
The analyst locates the application's search form and introduces the following code in the search
input field:
When the analyst submits the form, the browser returns a pop-up window that says "Vulnerable".
Which web application vulnerability did the analyst discover?
A. Cross-site request forgery
B. Command injection
C. Cross-site scripting
D. SQL injection
Answer: C

NO.441 You have several plain-text firewall logs that you must review to evaluate network traffic.
You know that in order to do fast, efficient searches of the logs you must use regular expressions.
Which command-line utility are you most likely to use?
A. Grep
B. Notepad
C. MS Excel
D. Relational Database
Answer: A
Explanation
grep is a command-line utility for searching plain-text data sets for lines matching a regular
expression.
References: https://en.wikipedia.org/wiki/Grep

NO.442 A computer technician is using a new version of a word processing software package when
it is discovered that a special sequence of characters causes the entire computer to crash. The
technician researches the bug and discovers that no one else has experienced the problem. What is the
appropriate next step?
A. Ignore the problem completely and let someone else deal with it.
B. Create a document that will crash the computer when opened and send it to friends.
C. Find an underground bulletin board and attempt to sell the bug to the highest bidder.
D. Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.
Answer: D

NO.443 Which of the following is an application that requires a host application for replication?
A. Micro
B. Worm
C. Trojan
D. Virus
Answer: D
Explanation
Computer viruses infect a variety of different subsystems on their hosts. A computer virus is
malware that, when executed, replicates by reproducing itself or infecting other programs by
modifying them. Infected targets can also include data files or the boot sector of the
hard drive. When this replication succeeds, the affected areas are then said to be "infected".
References: https://en.wikipedia.org/wiki/Computer_virus

NO.444 An organization hires a tester to do a wireless penetration test. Previous reports indicate
that the last test did not contain management or control packets in the submitted traces. Which of
the following is the most likely reason for the lack of management or control packets?
A. The wireless card was not turned on.
B. The wrong network card drivers were in use by Wireshark.
C. On Linux and Mac OS X, only 802.11 headers are received in promiscuous mode.
D. Certain operating systems and adapters do not collect the management or control packets.
Answer: D

NO.445 An attacker scans a host with the command below. Which three flags are set? (Choose
three.)
#nmap -sX host.domain.com
A. This is an ACK scan. The ACK flag is set
B. This is an Xmas scan. The SYN and ACK flags are set
C. This is an Xmas scan. URG, PUSH and FIN are set
D. This is a SYN scan. The SYN flag is set
Answer: C

NO.446 You work for Acme Corporation as Sales Manager. The company has tight network security
restrictions. You are trying to steal data from the company's Sales database (Sales.xls) and transfer
it to your home computer. Your company filters and monitors traffic that leaves from the internal
network to the Internet. How will you achieve this without raising suspicion?
A. Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account
B. Package the Sales.xls using Trojan wrappers and telnet it back to your home computer
C. Conceal the Sales.xls database in another file like photo.jpg or other files and send it out in
an innocent-looking email or file transfer using steganography techniques
D. Change the extension of Sales.xls to sales.txt and upload it as an attachment to your hotmail
account
Answer: C

NO.447 A penetration tester is attempting to scan an internal corporate network from the internet
without alerting the border sensor. Which is the most efficient technique the tester should consider
using?
A. Spoofing an IP address
B. Tunneling the scan over SSH
C. Tunneling over high port numbers
D. Scanning using fragmented IP packets
Answer: B

NO.448 A hacker searches in Google for filetype:pcf to find Cisco VPN config files. Those files may
contain connectivity passwords that can be decoded with which of the following?
A. Cupp
B. Nessus
C. Cain and Abel
D. John The Ripper Pro
Answer: C

NO.449 Which of the following is an example of IP spoofing?
A. SQL injections
B. Man-in-the-middle
C. Cross-site scripting
D. ARP poisoning
Answer: B

NO.450 A technician is resolving an issue where a computer is unable to connect to the Internet
using a wireless access point. The computer is able to transfer files locally to other machines, but
cannot successfully reach the Internet. When the technician examines the IP address and default
gateway, they are both on 192.168.1.0/24. Which of the following has occurred?
A. The gateway is not routing to a public IP address.
B. The computer is using an invalid IP address.
C. The gateway and the computer are not on the same network.
D. The computer is not using a private IP address.
Answer: A

NO.451 A certified ethical hacker (CEH) is approached by a friend who believes her husband is
cheating. She offers to pay to break into her husband's email account in order to find proof so she
can take him to court. What is the ethical response?
A. Say no; the friend is not the owner of the account.
B. Say yes; the friend needs help to gather evidence.
C. Say yes; do the job for free.
D. Say no; make sure that the friend knows the risk she's asking the CEH to take.
Answer: A

NO.452 env x=`(){ :;};echo exploit` bash -c 'cat /etc/passwd'
What is the Shellshock bash vulnerability attempting to do on a vulnerable Linux host?
A. Display passwd content to prompt
B. Removes the passwd file
C. Changes all passwords in passwd
D. Add new user to the passwd file
Answer: A
Explanation
To extract private information, attackers are using a couple of techniques. The simplest extraction
attacks are in the form:
() {:;}; /bin/cat /etc/passwd
That reads the password file /etc/passwd, and adds it to the response from the web server. So an
attacker injecting this code through the Shellshock vulnerability would see the password file dumped
out onto their screen as part of the web page returned.
References: https://blog.cloudflare.com/inside-shellshock/

NO.453 As a security consultant, what are some of the things you would recommend to a company
to ensure DNS security?
A. Use the same machines for DNS and other applications
B. Harden DNS servers
C. Use split-horizon operation for DNS servers
D. Restrict zone transfers
E. Have subnet diversity between DNS servers
Answer: B C D E

NO.454 Some passwords are stored using specialized encryption algorithms known as hashes. Why
is this an appropriate method?
A. It is impossible to crack hashed user passwords unless the key used to encrypt them is obtained.
B. If a user forgets the password, it can be easily retrieved using the hash key stored by
administrators.
C. Hashing is faster compared to more traditional encryption algorithms.
D. Passwords stored using hashes are non-reversible, making finding the password much more
difficult.
Answer: D

NO.455 A company has publicly hosted web applications and an internal Intranet protected by a
firewall. Which technique will help protect against enumeration?
A. Reject all invalid email received via SMTP.
B. Allow full DNS zone transfers.
C. Remove A records for internal hosts.
D. Enable null session pipes.
Answer: C

NO.456 Which of the following incident handling process phases is responsible for defining rules,
collaborating with the human workforce, creating a back-up plan, and testing the plans for an organization?
A. Preparation phase
B. Containment phase
C. Identification phase
D. Recovery phase
Answer: A
Explanation
There are several key elements to have implemented in the preparation phase in order to help mitigate
any potential problems that may hinder one's ability to handle an incident. For the sake of brevity,
the following should be performed:
References: https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

NO.457 In both pharming and phishing attacks an attacker can create websites that look similar to
legitimate sites with the intent of collecting personally identifiable information from its victims. What is
the difference between pharming and phishing attacks?
A. In a pharming attack a victim is redirected to a fake website by modifying their host configuration
file or by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a
URL that is either misspelled or looks similar to the actual website's domain name.
B. Both pharming and phishing attacks are purely technical and are not considered forms of social
engineering.
C. Both pharming and phishing attacks are identical.
D. In a phishing attack a victim is redirected to a fake website by modifying their host configuration
file or by exploiting vulnerabilities in DNS. In a pharming attack an attacker provides the victim with a
URL that is either misspelled or looks very similar to the actual website's domain name.
Answer: A

NO.458 While you were gathering information as part of security assessments for one of your
clients, you were able to gather data that show your client is involved with fraudulent activities. What
should you do?
A. Immediately stop work and contact the proper legal authorities
B. Ignore the data and continue the assessment until completed as agreed
C. Confront the client in a respectful manner and ask her about the data
D. Copy the data to removable media and keep it in case you need it
Answer: A

NO.459 A tester has been hired to do a web application security test. The tester notices that the site
is dynamic and must make use of a back end database.
In order for the tester to see if SQL injection is possible, what is the first character that the tester
should use to attempt breaking a valid SQL request?
A. Semicolon
B. Single quote
C. Exclamation mark
D. Double quote
Answer: B

NO.460 While using your bank's online servicing you notice the following string in the URL bar:
"http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980&Camount=21"
You observe that if you modify the Damount & Camount values and submit the request, the data on
the web page reflect the changes.
Which type of vulnerability is present on this site?
A. Web Parameter Tampering
B. Cookie Tampering
C. XSS Reflection
D. SQL injection
Answer: A
Explanation
The Web Parameter Tampering attack is based on the manipulation of parameters exchanged
between client and server in order to modify application data, such as user credentials and
permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden
form fields, or URL query strings, and is used to increase application functionality and control.
References: https://www.owasp.org/index.php/Web_Parameter_Tampering

NO.461 When does the Payment Card Industry Data Security Standard (PCI-DSS) require
organizations to perform external and internal penetration testing?
A. At least once a year and after any significant upgrade or modification
B. At least once every three years or after any significant upgrade or modification
C. At least twice a year or after any significant upgrade or modification
D. At least once every two years and after any significant upgrade or modification
Answer: A

NO.462 A covert channel is a channel that
A. transfers information over, within a computer system, or network that is outside of the security
policy.
B. transfers information over, within a computer system, or network that is within the security policy.
C. transfers information via a communication path within a computer system, or network for transfer
of data.
D. transfers information over, within a computer system, or network that is encrypted.
Answer: A

NO.463 Which of the following scanning methods splits the TCP header into several packets and
makes it difficult for packet filters to detect the purpose of the packet?
A. ICMP Echo scanning
B. SYN/FIN scanning using IP fragments
C. ACK flag probe scanning
D. IPID scanning
Answer: B

NO.464 Which of the following parameters describe LM Hash (see exhibit):
Exhibit:
A. I, II, and III
B. I
C. II
D. I and II
Answer: A
Explanation
The LM hash is computed as follows:
1. The user's password is restricted to a maximum of fourteen characters.
2. The user's password is converted to uppercase.
Etc.
14-character Windows passwords, which are stored with LM Hash, can be cracked in five seconds.
References: https://en.wikipedia.org/wiki/LM_hash

NO.465 A hacker was able to sniff packets on a company's wireless network. The following
information was discovered:
Using the Exclusive OR, what was the original message?
A. 00101000 11101110
B. 11010111 00010001
C. 00001101 10100100
D. 11110010 01011011
Answer: B

NO.466 Which of the following is a form of penetration testing that relies heavily on human
interaction and often involves tricking people into breaking normal security procedures?
A. Social Engineering
B. Piggybacking
C. Tailgating
D. Eavesdropping
Answer: A

NO.467 This asymmetric cipher is based on factoring the product of two large prime numbers.
What cipher is described above?
A. RSA
B. SHA
C. RC5
D. MD5
Answer: A
Explanation
RSA is based on the practical difficulty of factoring the product of two large prime numbers, the
factoring problem.

Note: A user of RSA creates and then publishes a public key based on two large prime numbers, along
with an auxiliary value. The prime numbers must be kept secret. Anyone can use the public key to
encrypt a message, but with currently published methods, if the public key is large enough, only
someone with knowledge of the prime numbers can feasibly decode the message.
References: https://en.wikipedia.org/wiki/RSA_(cryptosystem)

NO.468 Which property ensures that a hash function will not produce the same hashed value for
two different messages?
A. Collision resistance
B. Bit length
C. Key strength
D. Entropy
Answer: A

NO.469 Assume a business-crucial web-site of some company that is used to sell handsets to
customers worldwide.
All the developed components are reviewed by the security team on a monthly basis. In order to
drive business further, the web-site developers decided to add some 3rd party marketing tools to it.
The tools are written in JavaScript and can track the customer's activity on the site. These tools are
located on the servers of the marketing company.
What is the main security risk associated with this scenario?
A. External script contents could be maliciously modified without the security team's knowledge
B. External scripts have direct access to the company servers and can steal the data from there
C. There is no risk at all as the marketing services are trustworthy
D. External scripts increase the outbound company data traffic, which leads to greater financial losses
Answer: A

NO.470 What attack is used to crack passwords by using a precomputed table of hashed passwords?
A. Brute Force Attack
B. Hybrid Attack
C. Rainbow Table Attack
D. Dictionary Attack
Answer: C

NO.471 A Security Engineer at a medium-sized accounting firm has been tasked with discovering
how much information can be obtained from the firm's public facing web servers. The engineer
decides to start by using netcat to connect to port 80.
The engineer receives this output:
Which of the following is an example of what the engineer performed?
A. Cross-site scripting
B. Banner grabbing
C. SQL injection
D. Whois database query
Answer: B

NO.472 Which of the following is an adaptive SQL Injection testing technique used to discover
coding errors by inputting massive amounts of random data and observing the changes in the
output?
A. Function Testing
B. Dynamic Testing
C. Static Testing
D. Fuzzing Testing
Answer: D

NO.473 What two conditions must a digital signature meet?
A. Has to be unforgeable, and has to be authentic.
B. Has to be legible and neat.
C. Must be unique and have special characters.
D. Has to be the same number of characters as a physical signature and must be unique.
Answer: A

NO.474 Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense
conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone,
grabs the door as it begins to close.
What just happened?
A. Piggybacking
B. Masquerading
C. Phishing
D. Whaling
Answer: A
Explanation
In security, piggybacking refers to when a person tags along with another person who is authorized to
gain entry into a restricted area, or pass a certain checkpoint.
References: https://en.wikipedia.org/wiki/Piggybacking_(security)

NO.475 You have the SOA presented below in your zone.
Your secondary servers have not been able to contact your primary server to synchronize
information. How long will the secondary servers attempt to contact the primary server before they
consider that the zone is dead and stop responding to queries?
collegae.edu.SOA, cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600)
A. One day
B. One hour
C. One week
D. One month
Answer: C

NO.476 Study the log below and identify the scan type.
A. nmap -sR 192.168.1.10
B. nmap -sS 192.168.1.10
C. nmap -sV 192.168.1.10
D. nmap -sO -T 192.168.1.10
Answer: D

NO.477 Which technical characteristic do Ethereal/Wireshark, TCPDump, and Snort have in
common?
A. They are written in Java.
B. They send alerts to security monitors.
C. They use the same packet analysis engine.
D. They use the same packet capture utility.
Answer: D

NO.478 Which of the following is a component of a risk assessment?
A. Administrative safeguards
B. Physical security
C. DMZ
D. Logical interface
Answer: A
Explanation
Risk assessment includes:
References: https://en.wikipedia.org/wiki/IT_risk_management#Risk_assessment

NO.479 What is the outcome of the command "nc -l -p 2222 | nc 10.1.0.43 1234"?
A. Netcat will listen on the 10.1.0.43 interface for 1234 seconds on port 2222.
B. Netcat will listen on port 2222 and output anything received to a remote connection on 10.1.0.43
port 1234.
C. Netcat will listen for a connection from 10.1.0.43 on port 1234 and output anything received to
port 2222.
D. Netcat will listen on port 2222 and then output anything received to local interface 10.1.0.43.
Answer: B

NO.480 Which type of cryptography do SSL, IKE and PGP belong to?
A. Secret Key
B. Hash Algorithm
C. Digest
D. Public Key
Answer: D

NO.481 A regional bank hires your company to perform a security assessment on their network after
a recent data breach. The attacker was able to steal financial data from the bank by compromising
only a single server.
Based on this information, what should be one of your key recommendations to the bank?
A. Place a front-end web server in a demilitarized zone that only handles external web traffic
B. Require all employees to change their passwords immediately
C. Move the financial data to another server on the same IP subnet
D. Issue new certificates to the web servers from the root certificate authority
Answer: A
Explanation
A DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical
subnetwork that contains and exposes an organization's external-facing services to a larger and
untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of
security to an organization's local area network (LAN); an external network node only has direct
access to equipment in the DMZ, rather than any other part of the network.
References: https://en.wikipedia.org/wiki/DMZ_(computing)

NO.482 What ports should be blocked on the firewall to prevent NetBIOS traffic from coming
through the firewall if your network is comprised of Windows NT, 2000, and XP?
A. 110
B. 135
C. 139
D. 161
E. 445
F. 1024
Answer: B C E

NO.483 In Trojan terminology, what is a covert channel?
A. A channel that transfers information within a computer system or network in a way that violates
the security policy
B. A legitimate communication path within a computer system or network for transfer of data
C. It is a kernel operation that hides boot processes and services to mask detection
D. It is a reverse tunneling technique that uses the HTTPS protocol instead of the HTTP protocol to establish
connections
Answer: A

NO.484 To reduce the attack surface of a system, administrators should perform which of the
following processes to remove unnecessary software, services, and insecure configuration settings?
A. Harvesting
B. Windowing
C. Hardening
D. Stealthing
Answer: C

NO.485 What tool should you use when you need to analyze extracted metadata from files you
collected when you were in the initial stage of a penetration test (information gathering)?
A. Armitage
B. Dimitry
C. Metagoofil
D. cdpsnarf
Answer: C

NO.486 While checking the settings on the internet browser, a technician finds that the proxy server
settings have been checked and a computer is trying to use itself as a proxy server. What specific
octet within the subnet does the technician see?
A. 10.10.10.10
B. 127.0.0.1
C. 192.168.1.1
D. 192.168.168.168
Answer: B

NO.487 Which of the following is not an ideal choice for biometric controls?
A. Iris patterns
B. Fingerprints
C. Height and weight
D. Voice
Answer: C

NO.488 In an internal security audit, the white hat hacker gains control over a user account and
attempts to acquire access to another account's confidential files and information. How can he
achieve this?
A. Port Scanning
B. Hacking Active Directory
C. Privilege Escalation
D. Shoulder-Surfing
Answer: C

NO.489 Which of the following is designed to verify and authenticate individuals taking part in a
data exchange within an enterprise?
A. SOA
B. Single-Sign On
C. PKI
D. Biometrics
Answer: C

NO.490 One of your team members has asked you to analyze the following SOA record.
What is the TTL? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)
A. 200303028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800
Answer: D

NO.491 Which one of the following Google advanced search operators allows an attacker to restrict
the results to those websites in the given domain?
A. [cache:]
B. [site:]
C. [inurl:]
D. [link:]
Answer: B

NO.492 Which of the following is a primary service of the U.S. Computer Security Incident Response
Team (CSIRT)?
A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact
for reporting computer security incidents worldwide.
B. CSIRT provides a computer security surveillance service to supply a government with important
intelligence information on individuals travelling abroad.
C. CSIRT provides a penetration testing service to support exception reporting on incidents
worldwide by individuals and multi-national corporations.
D. CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling
an individual's property or company's asset.
Answer: A

NO.493 Which specific element of security testing is being assured by using a hash?
A. Authentication
B. Integrity
C. Confidentiality
D. Availability
Answer: B

NO.494 Which of the following Bluetooth hacking techniques does an attacker use to send messages
to users without the recipient's consent, similar to email spamming?
A. Bluesmacking
B. Bluesniffing
C. Bluesnarfing
D. Bluejacking
Answer: D

5365NO.495 While performing online banking using a Web browser, Kyle receives an email that contains
5366an image of a well-crafted art. Upon clicking the image, a new tab on the web browser opens and
5367shows an animated GIF of bills and coins being swallowed by a crocodile. After several days, Kyle
5368
5369NO.iced that all his funds on the bank was gone. What Web browser-based security vulnerability got
5370exploited by the hacker?
5371A. Clickjacking
5372B. Web Form Input Validation
5373C. Cross-Site Request Forgery
5374D. Cross-Site Scripting
5375Answer: C
5376
5377NO.496 Which of the following is the most important phase of ethical hacking wherein you need to
5378spend considerable amount of time?
5379A. Gaining access
5380B. Escalating privileges
5381C. Network mapping
5382D. Footprinting
5383Answer: D
5384
5385NO.497 Vlady works in a fishing company where the majority of the employees have very little
5386understanding of IT, let alone IT security. Several information security issues that Vlady often found
5387include employees sharing passwords, writing their password on a post-it note and sticking it to
5389their desk, leaving the computer unlocked, not logging out from email or other social media
5390accounts, etc.
5391After discussing with his boss, Vlady decided to make some changes to improve the security
5392environment in his company. The first thing that Vlady wanted to do is to make the employees
5393understand the importance of keeping confidential information, such as passwords, secret and that they
5394should not share it with other persons.
5396Which of the following steps should be the first thing that Vlady should do to make the employees in
5397his company understand the importance of keeping confidential information secret?
5398A. Warning those who write their password on a post-it note and put it on their desk
5400B. Developing a strict information security policy
5401C. Information security awareness training
5402D. Conducting a one-to-one discussion with the other employees about the importance of
5403information security
5404Answer: A
5405
5406NO.498 A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites.
540777 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets
5408had an ICMP ID:0 and Seq:0. What can you infer from this information?
5409A. The packets were sent by a worm spoofing the IP addresses of 47 infected sites
5411B. ICMP ID and Seq numbers were most likely set by a tool and not by the operating system
5413C. All 77 packets came from the same LAN segment and hence had the same ICMP ID and Seq
5414number
5415D. 13 packets were from an external network and probably behind a NAT, as they had an ICMP ID 0
5416and Seq 0
5417Answer: B
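The reasoning behind NO.498 is that an operating system's ping picks the ICMP identifier per process and increments the sequence number per probe, so the same identifier/sequence pair arriving from many unrelated sources is a tool signature (or one sender spoofing many sources). The following is an added example, not part of the original question bank: a small triage routine that groups constructed ICMP Echo Request records by (ID, Seq) and flags pairs shared by many distinct sources. The record layout and the threshold of five sources are assumptions for the demonstration.

```python
"""Triage of ICMP Echo Request records: flag identical ICMP ID/Seq values that are
shared across many unrelated sources, which points to a scanning tool that
hard-codes those fields rather than to independent OS ping implementations."""
from collections import defaultdict

# Constructed sample records (source address, icmp_id, icmp_seq); not real telemetry.
SAMPLE_RECORDS = (
    [("203.0.113.%d" % i, 39612, 57072) for i in range(1, 40)]  # 39 sources, one fixed pair
    + [("198.51.100.%d" % i, 0, 0) for i in range(1, 8)]        # 7 sources with ID 0 / Seq 0
    + [("192.0.2.7", 4311, 1), ("192.0.2.7", 4311, 2),
       ("192.0.2.7", 4311, 3)]                                   # one host, OS-style increment
)


def group_by_id_seq(records):
    """Map (icmp_id, icmp_seq) -> set of distinct source addresses."""
    groups = defaultdict(set)
    for src, icmp_id, seq in records:
        groups[(icmp_id, seq)].add(src)
    return groups


def suspicious_id_seq(records, min_sources=5):
    """Return [((id, seq), source_count)] for pairs seen from >= min_sources sources.

    A normal ping implementation would not produce the same (id, seq) from many
    hosts, so these pairs are worth an analyst's attention (assumed threshold)."""
    groups = group_by_id_seq(records)
    return sorted((pair, len(srcs)) for pair, srcs in groups.items()
                  if len(srcs) >= min_sources)


def classify(records, min_sources=5):
    """Summary a detection rule could emit for a time window of echo requests."""
    groups = group_by_id_seq(records)
    return {
        "tool_generated_pairs": suspicious_id_seq(records, min_sources),
        "zero_id_seq_sources": len(groups.get((0, 0), set())),
        "distinct_sources": len({src for src, _, _ in records}),
    }


if __name__ == "__main__":
    print(classify(SAMPLE_RECORDS))
```

The per-host entries with ID 4311 and increasing sequence numbers are never flagged, which is the behaviour to expect from a genuine operating-system ping; only the pairs repeated verbatim across many sources surface.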
5418
5419NO.499 XOR is a common cryptographic tool. 10110001 XOR 00111010 is?
5420A. 10111100
5421B. 11011000
5422C. 10011101
5423D. 10001011
5424Answer: D
5425
5426NO.500 During a penetration test, a tester finds that the web application being analyzed is
5427vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this
5428vulnerability?
5429A. The web application does not have the secure flag set.
5431B. The session cookies do not have the HttpOnly flag set.
5433C. The victim user should not have an endpoint security solution.
5435D. The victim's browser must have ActiveX technology enabled.
5437Answer: B
5438
5439NO.501 Cryptography is the practice and study of techniques for secure communication in the
5440presence of third parties (called adversaries.) More generally, it is about constructing and analyzing
5441protocols that overcome the influence of adversaries and that are related to various aspects in
5442information security such as data confidentiality, data integrity, authentication, and non-repudiation.
5444Modern cryptography intersects the disciplines of mathematics, computer science, and electrical
5445engineering. Applications of cryptography include ATM cards, computer passwords, and electronic
5446commerce.
5447Basic example to understand how cryptography works is given below:
5448Which of the following choices is true about cryptography?
5449A. Algorithm is not the secret, key is the secret.
5451B. Symmetric-key algorithms are a class of algorithms for cryptography that use different
5452cryptographic keys for the encryption of plaintext and the decryption of ciphertext.
5453C. Secure Sockets Layer (SSL) uses asymmetric encryption (a public/private key pair) to deliver
5454the shared session key and to establish a communication channel.
5455D. Public-key cryptography, also known as asymmetric cryptography: the public key is for decryption, the private
5457key is for encryption.
5459Answer: C
5460
5461NO.502 Which of the following cryptography attacks is a euphemism for the extraction of
5462cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture?
5463A. Chosen-Cipher text Attack
5464B. Ciphertext-only Attack
5465C. Timing Attack
5466D. Rubber Hose Attack
5467Answer: D
5468
5469NO.503 Which of the following is a detective control?
5470A. Smart card authentication
5471B. Security policy
5472C. Audit trail
5473D. Continuity of operations plan
5474Answer: C
5475
5476NO.504 Which of the following is a common Service Oriented Architecture (SOA) vulnerability?
5477A. Cross-site scripting
5478B. SQL injection
5479C. VPath injection
5480D. XML denial of service issues
5481Answer: D
5482
5483NO.505 Which of the following is considered as one of the most reliable forms of TCP scanning?
5484A. TCP Connect/Full Open Scan
5485B. Half-open Scan
5486C. NULL Scan
5487D. Xmas Scan
5488Answer: A
5489
5490NO.506 Why would you consider sending an email to an address that you know does not exist
5493within the company you are performing a Penetration Test for?
5494A. To determine who is the holder of the root account
5495B. To perform a DoS
5496C. To create needless SPAM
5497D. To elicit a response back that will reveal information about email servers and how they treat
5498undeliverable mail
5499E. To test for virus protection
5500Answer: D
5501
5502NO.507 ........is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one
5503offered on the premises, but actually has been set up to eavesdrop on wireless communications. It is
5505the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or
5506mobile phone to a tainted hotspot by posing as a legitimate provider. This type of attack may be used
5507to steal the passwords of unsuspecting users by either snooping the communication link or by
5509phishing, which involves setting up a fraudulent web site and luring people there.
5510Fill in the blank with appropriate choice.
5511A. Collision Attack
5512B. Evil Twin Attack
5513C. Sinkhole Attack
5514D. Signal Jamming Attack
5515Answer: B
5516
5517NO.508 Which NMAP feature can a tester implement or adjust while scanning for open ports to
5518avoid detection by the network's IDS?
5519A. Timing options to slow the speed that the port scan is conducted
5520B. Fingerprinting to identify which operating systems are running on the network
5521C. ICMP ping sweep to determine which hosts on the network are not available
5523D. Traceroute to control the path of the packets sent during the scan
5524Answer: A
5525
5526NO.509 Susan has attached to her company's network. She has managed to synchronize her boss's
5527sessions with that of the file server. She then intercepted his traffic destined for the server, changed
5528it the way she wanted to and then placed it on the server in his home directory.
5529What kind of attack is Susan carrying out?
5530A. A sniffing attack
5531B. A spoofing attack
5532C. A man in the middle attack
5533D. A denial of service attack
5534Answer: C
5535
5536NO.510 Matthew received an email with an attachment named "YouWon$10Grand.zip." The zip file
5537contains a file named "HowToClaimYourPrize.docx.exe." Out of excitement and curiosity, Matthew
5538opened the said file.
5539Without his knowledge, the file copies itself to Matthew's APPDATA\Local directory and begins to
5541beacon to a Command-and-control server to download additional malicious binaries. What type of
5542malware has Matthew encountered?
5543A. Key-logger
5544B. Trojan
5545C. Worm
5546D. Macro Virus
5547Answer: B
5548
5549NO.511 Nation-state threat actors often discover vulnerabilities and hold on to them until they want
5550to launch a sophisticated attack. The Stuxnet attack was an unprecedented style of attack because it
5551used four types of vulnerability.
5553What is this style of attack called?
5554A. zero-day
5555B. zero-hour
5556C. zero-sum
5557D. no-day
5559Answer: A
5560Explanation
5561Stuxnet is a malicious computer worm believed to be a jointly built American-Israeli cyber weapon.
5562Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows
5563operating system and networks, then seeking out Siemens Step7 software.
5564References: https://en.wikipedia.org/wiki/Stuxnet
5565
5566NO.512 A network security administrator is worried about potential man-in-the-middle attacks
5567when users access a corporate web site from their workstations. Which of the following is the best
5568remediation against this type of attack?
5569A. Implementing server-side PKI certificates for all connections
5570B. Mandating only client-side PKI certificates for all connections
5571C. Requiring client and server PKI certificates for all connections
5572D. Requiring strong authentication for all DNS queries
5573Answer: C
5574
5575NO.513 What is not a PCI compliance recommendation?
5577A. Limit access to card holder data to as few individuals as possible.
5578B. Use encryption to protect all transmission of card holder data over any public network.
5579C. Rotate employees handling credit card transactions on a yearly basis to different departments.
5580D. Use a firewall between the public network and the payment card data.
5581Answer: C
5582
5583NO.514 When you are testing a web application, it is very useful to employ a proxy tool to save
5584every request and response. You can manually test every request and analyze the response to find
5585vulnerabilities. You can test parameter and headers manually to get more precise results than if using
5586web vulnerability scanners.
5587What proxy tool will help you find web vulnerabilities?
5588A. Burpsuite
5589B. Maskgen
5590C. Dimitry
5591D. Proxychains
5592Answer: A
5593Explanation
5594Burp Suite is an integrated platform for performing security testing of web applications. Its various
5595tools work seamlessly together to support the entire testing process, from initial mapping and
5596analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
5597References: https://portswigger.net/burp/
5599
5600NO.515 Which of the following algorithms provides better protection against brute force attacks by
5601using a 160-bit message digest?
5602A. MD5
5603B. SHA-1
5604C. RC4
5605D. MD4
5606Answer: B
5607
5608NO.516 During a penetration test, the tester conducts an ACK scan using NMAP against the external
5609interface of the DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which
5610type of packet inspection is the firewall conducting?
5611A. Host
5612B. Stateful
5613C. Stateless
5614D. Application
5615Answer: C
5616
5617NO.517 Which tool allows analysts and pen testers to examine links between data using graphs and
5618link analysis?
5619A. Maltego
5620B. Cain & Abel
5621C. Metasploit
5622D. Wireshark
5623Answer: A
5624Explanation
5625Maltego is proprietary software used for open-source intelligence and forensics, developed by
5626Paterva.
5627Maltego focuses on providing a library of transforms for discovery of data from open sources, and
5628visualizing that information in a graph format, suitable for link analysis and data mining.
5629References: https://en.wikipedia.org/wiki/Maltego
5630
5631NO.518 This configuration allows NIC to pass all traffic it receives to the Central Processing Unit
5632(CPU), instead of passing only the frames that the controller is intended to receive. Select the option
5633that BEST describes the above statement.
5634A. Multi-cast mode
5635B. WEM
5636C. Promiscuous mode
5637D. Port forwarding
5638Answer: C
5639
5640NO.519 Yancey is a network security administrator for a large electric company. This company
5641provides power for over 100,000 people in Las Vegas. Yancey has worked for his company for over
564215 years and has become very successful. One day, Yancey comes in to work and finds out that the
5643company will be downsizing and he will be out of a job in two weeks. Yancey is very angry and
5645decides to place logic bombs, viruses, Trojans, and backdoors all over the network to take down the
5646company once he has left. Yancey does not care if his actions land him in jail for 30 or more years; he
5648just wants the company to pay for what they are doing to him.
5649What would Yancey be considered?
5650A. Yancey would be considered a Suicide Hacker
5651B. Since he does not care about going to jail, he would be considered a Black Hat
5653C. Because Yancey works for the company currently; he would be a White Hat
5654D. Yancey is a Hacktivist Hacker since he is standing up to a company that is downsizing
5655Answer: A
5656
5657NO.520 An enterprise recently moved to a new office and the new neighborhood is a little risky. The
5658CEO wants to monitor the physical perimeter and the entrance doors 24 hours. What is the best
5659option to do this job?
5660A. Use fences in the entrance doors.
5661B. Install a CCTV with cameras pointing to the entrance doors and the street.
5662C. Use an IDS in the entrance doors and install some of them near the corners.
5663D. Use lights in all the entrance doors and along the company's perimeter.
5664Answer: B
5665
5666NO.521 What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?
5667A. Injecting parameters into a connection string using semicolons as a separator
5668B. Inserting malicious Javascript code into input parameters
5669C. Setting a user's session identifier (SID) to an explicit known value
5671D. Adding multiple parameters with the same name in HTTP requests
5672Answer: A
5673
5674NO.522 You have successfully compromised a server having an IP address of 10.10.0.5. You would like
5675to enumerate all machines in the same network quickly.
5676What is the best nmap command you will use?
5677A. nmap -T4 -F 10.10.0.0/24
5678B. nmap -T4 -r 10.10.1.0/24
5679C. nmap -T4 -O 10.10.0.0/24
5680D. nmap -T4 -q 10.10.0.0/24
5681Answer: A
5682Explanation
5683command = nmap -T4 -F
5684description = This scan is faster than a normal scan because it uses the aggressive timing template
5686and scans fewer ports.
5687References: https://svn.nmap.org/nmap/zenmap/share/zenmap/config/scan_profile.usp
5688
5689NO.523 Suppose you've gained access to your client's hybrid network. On which port should you
5690listen in order to know which Microsoft Windows workstations have file sharing enabled?
5692A. 1433
5693B. 161
5695C. 445
5696D. 3389
5697Answer: C
5698
5699NO.524 The company ABC recently discovered that their new product was released by the
5700opposition before their premiere. They contract an investigator who discovered that the maid threw
5701away papers with confidential information about the new product and the opposition found it in the
5702garbage. What is the name of the technique used by the opposition?
5703A. Hack attack
5704B. Sniffing
5705C. Dumpster diving
5706D. Spying
5707Answer: C
5708
5709NO.525 When you return to your desk after a lunch break, you notice a strange email in your inbox.
5711The sender is someone you did business with recently, but the subject line has strange characters in
5712it.
5713What should you do?
5714A. Forward the message to your company's security response team and permanently delete the
5715message from your computer.
5716B. Reply to the sender and ask them for more information about the message contents.
5717C. Delete the email and pretend nothing happened
5719D. Forward the message to your supervisor and ask for her opinion on how to handle the situation
5720Answer: A
5721Explanation
5722By setting up an email address for your users to forward any suspicious email to, the emails can be
5723automatically scanned and replied to, with security incidents created to follow up on any emails with
5724attached malware or links to known bad websites.
5726References:
5727https://docs.servicenow.com/bundle/helsinki-security-management/page/product/threatintelligence/task/t_Confi
5730
5731NO.526 Which of the following is a symmetric cryptographic standard?
5732A. DSA
5733B. PKI
5734C. RSA
5735D. 3DES
5736Answer: D
5737
5738NO.527 In this attack, a victim receives an e-mail claiming to be from PayPal stating that their account has
5739been disabled and confirmation is required before activation. The attackers then scam to collect not
5741one but two credit card numbers, ATM PIN number and other personal details. Ignorant users usually
5743fall prey to this scam.
5744Which of the following statements is incorrect related to this attack?
5746A. Do not reply to email messages or popup ads asking for personal or financial information
5748B. Do not trust telephone numbers in e-mails or popup ads
5750C. Review credit card and bank account statements regularly
5751D. Antivirus, anti-spyware, and firewall software can very easily detect these types of attacks
5752E. Do not send credit card numbers, and personal or financial information via e-mail
5754Answer: D
5755
5756NO.528 ICMP ping and ping sweeps are used to check for active systems and to check
5757A. if ICMP ping traverses a firewall.
5758B. the route that the ICMP ping took.
5759C. the location of the switchport in relation to the ICMP ping.
5760D. the number of hops an ICMP ping takes to reach a destination.
5761Answer: A
5762
5763NO.529 While conducting a penetration test, the tester determines that there is a firewall between
5764the tester's machine and the target machine. The firewall is only monitoring TCP handshaking of
5765packets at the session layer of the OSI model. Which type of firewall is the tester trying to traverse?
5766A. Packet filtering firewall
5767B. Application-level firewall
5768C. Circuit-level gateway firewall
5769D. Stateful multilayer inspection firewall
5770Answer: C
5771
5772NO.530 A penetration tester is conducting a port scan on a specific host. The tester found several
5773ports opened that were confusing in concluding the Operating System (OS) version installed.
5774Considering the NMAP result below, which of the following is likely to be installed on the target
5775machine by the OS?
5776A. The host is likely a printer.
5777B. The host is likely a Windows machine.
5778C. The host is likely a Linux machine.
5779D. The host is likely a router.
5780Answer: A
5781Explanation
5783The Internet Printing Protocol (IPP) uses port 631.
5784References: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
5785
5786NO.531 DHCP snooping is a great solution to prevent rogue DHCP servers on your network. Which
5788security feature on switches leverages the DHCP snooping database to help prevent man-in-the-middle
5790attacks?
5791A. Port security
5792B. A Layer 2 Attack Prevention Protocol (LAPP)
5793C. Dynamic ARP inspection (DAI)
5794D. Spanning tree
5795Answer: C
5796
5797NO.532 What would you enter, if you wanted to perform a stealth scan using Nmap?
5798A. nmap -sU
5799B. nmap -sS
5800C. nmap -sM
5801D. nmap -sT
5802Answer: B
5803
5804NO.533 Which of the following conditions must be given to allow a tester to exploit a Cross-Site
5805Request Forgery (CSRF) vulnerable web application?
5806A. The victim user must open the malicious link with an Internet Explorer prior to version 8.
5807B. The session cookies generated by the application do not have the HttpOnly flag set.
5809C. The victim user must open the malicious link with a Firefox prior to version 3.
5810D. The web application should not use random tokens.
5812Answer: D
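NO.500 and NO.533 both turn on a server-side control: the cookie attributes that keep a session cookie away from injected script, and the per-session random token that a forged cross-site request cannot supply. The following is an added example written for this page, not code from the question bank: a Set-Cookie audit that lists missing hardening attributes, and a token issue/verify pair that binds each anti-CSRF token to the session id with an HMAC. The header values, the server key and the session ids are constructed for the demonstration.

```python
"""Defender-side checks for the conditions in NO.500 and NO.533:
1) audit a Set-Cookie header for the Secure / HttpOnly / SameSite attributes;
2) issue and verify an anti-CSRF token bound to the session id with HMAC-SHA256,
   so a token can only be produced by the server and only for that session."""
import hashlib
import hmac
import secrets

# Constructed sample headers, one weak and one hardened (not taken from any real site).
WEAK_COOKIE = "sessionid=abc123; Path=/"
HARDENED_COOKIE = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"

# Constructed server-side secret; in production load it from a secrets store.
SERVER_KEY = b"constructed-demo-server-key-change-me"


def audit_set_cookie(header_value):
    """Return the hardening attributes missing from one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:                      # parts[0] is name=value
        name, _, value = part.partition("=")
        attrs[name.lower()] = value
    missing = []
    if "secure" not in attrs:                   # cookie may travel over plain HTTP
        missing.append("Secure")
    if "httponly" not in attrs:                 # document.cookie can read it (XSS)
        missing.append("HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax|Strict")   # sent on cross-site requests (CSRF)
    return missing


def issue_csrf_token(server_key, session_id):
    """Token = nonce '.' HMAC(key, session_id || nonce); unguessable and session-bound."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(server_key, (session_id + nonce).encode(), hashlib.sha256).hexdigest()
    return nonce + "." + mac


def verify_csrf_token(server_key, session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    nonce, _, mac = token.partition(".")
    if not nonce or not mac:
        return False
    expected = hmac.new(server_key, (session_id + nonce).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    print("weak cookie is missing:", audit_set_cookie(WEAK_COOKIE))
    token = issue_csrf_token(SERVER_KEY, "sess-1")
    print("token valid for sess-1:", verify_csrf_token(SERVER_KEY, "sess-1", token))
    print("token valid for sess-2:", verify_csrf_token(SERVER_KEY, "sess-2", token))
```

The token is checked against the session it was issued for, so a token leaked from one user's page cannot be replayed in a request carrying another user's cookie, and `compare_digest` keeps the comparison time independent of how many characters match.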
5813
5814NO.534 What is the best Nmap command to use when you want to list all devices in the same
5815network quickly after you successfully identified a server whose IP address is 10.10.0.5?
5816A. nmap -T4 -F 10.10.0.0/24
5817B. nmap -T4 -q 10.10.0.0/24
5818C. nmap -T4 -O 10.10.0.0/24
5819D. nmap -T4 -r 10.10.1.0/24
5820Answer: A
5821
5822NO.535 In Wireshark, the packet bytes pane shows the data of the current packet in which format?
5823A. Decimal
5824B. ASCII only
5825C. Binary
5826D. Hexadecimal
5827Answer: D
5828
5829NO.536 While doing a Black box pen test via the TCP port (80), you noticed that the traffic gets
5831blocked when you tried to pass IRC traffic from a web enabled host. However, you also noticed that
5834outbound HTTP traffic is being allowed. What type of firewall is being utilized for the outbound
5835traffic?
5836A. Stateful
5837B. Application
5838C. Circuit
5839D. Packet Filtering
5840Answer: B
5841
5842NO.537 What is the correct process for the TCP three-way handshake connection establishment and
5843connection termination?
5844A. Connection Establishment: FIN, ACK-FIN, ACK; Connection Termination: SYN, SYN-ACK, ACK
5845B. Connection Establishment: SYN, SYN-ACK, ACK; Connection Termination: ACK, ACK-SYN, SYN
5846C. Connection Establishment: ACK, ACK-SYN, SYN; Connection Termination: FIN, ACK-FIN, ACK
5847D. Connection Establishment: SYN, SYN-ACK, ACK; Connection Termination: FIN, ACK-FIN, ACK
5848Answer: D
5849
5850NO.538 As an Ethical Hacker you are capturing traffic from your customer network with Wireshark
5851and you need to find and verify just SMTP traffic. What command in Wireshark will help you to find
5852this kind of traffic?
5853A. request smtp 25
5854B. tcp.port eq 25
5855C. smtp port
5856D. tcp.contains port 25
5857Answer: B
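The filter in NO.538, `tcp.port eq 25`, matches a packet when either endpoint uses port 25, which is what makes it pick up both directions of an SMTP session. To make that concrete, here is an added example (not from the question bank or from Wireshark itself): a tiny evaluator for the subset of Wireshark display-filter syntax used above (`tcp.port`, `tcp.srcport`, `tcp.dstport`, `ip.addr` with `eq`/`==`/`ne`/`!=`, combined by `and`/`or`), run over constructed packet records. Field names follow Wireshark; the packet record layout is an assumption of the example.

```python
"""Minimal evaluator for a subset of Wireshark display-filter syntax, run over
constructed packet records, to show what `tcp.port eq 25` selects versus
`tcp.dstport eq 25`."""
import re

# Constructed packets: an SMTP request and its reply, an HTTP request, a DNS query.
PACKETS = [
    {"proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.25", "sport": 50321, "dport": 25},
    {"proto": "tcp", "src": "198.51.100.25", "dst": "192.0.2.10", "sport": 25, "dport": 50321},
    {"proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.80", "sport": 50322, "dport": 80},
    {"proto": "udp", "src": "192.0.2.10", "dst": "192.0.2.1", "sport": 5353, "dport": 53},
]

# Each field maps a packet to the set of values it carries for that field.
FIELDS = {
    "tcp.port": lambda p: {p["sport"], p["dport"]} if p["proto"] == "tcp" else set(),
    "tcp.srcport": lambda p: {p["sport"]} if p["proto"] == "tcp" else set(),
    "tcp.dstport": lambda p: {p["dport"]} if p["proto"] == "tcp" else set(),
    "ip.addr": lambda p: {p["src"], p["dst"]},
}


def _clause(text):
    """Compile one `field op value` comparison into a predicate on a packet."""
    m = re.fullmatch(r"\s*([\w.]+)\s+(eq|==|ne|!=)\s+(\S+)\s*", text)
    if not m:
        raise ValueError("unsupported filter clause: " + text)
    field, op, value = m.groups()
    if field not in FIELDS:
        raise ValueError("unknown field: " + field)
    if field.endswith("port"):
        value = int(value)

    def predicate(pkt):
        values = FIELDS[field](pkt)
        hit = value in values
        # `ne` on a field the packet lacks is false, matching Wireshark's behaviour
        return hit if op in ("eq", "==") else (bool(values) and not hit)
    return predicate


def compile_filter(expr):
    """`and` binds tighter than `or`; no parentheses in this subset."""
    or_terms = [[_clause(c) for c in re.split(r"\s+(?:and|&&)\s+", term)]
                for term in re.split(r"\s+(?:or|\|\|)\s+", expr)]
    return lambda pkt: any(all(c(pkt) for c in term) for term in or_terms)


def apply_filter(expr, packets=PACKETS):
    """Return the indexes of packets the filter expression selects."""
    matches = compile_filter(expr)
    return [i for i, pkt in enumerate(packets) if matches(pkt)]


if __name__ == "__main__":
    for f in ("tcp.port eq 25", "tcp.dstport eq 25", "tcp.port == 25 or tcp.port == 80"):
        print(f, "->", apply_filter(f))
```

Running it shows `tcp.port eq 25` selecting the SMTP request and the reply, while `tcp.dstport eq 25` selects only the client-to-server half, which is the difference an analyst relies on when verifying a whole conversation rather than one direction.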
5858
5859NO.539 Which of the following is a design pattern based on distinct pieces of software providing
5860application functionality as services to other applications?
5861A. Service Oriented Architecture
5862B. Object Oriented Architecture
5863C. Lean Coding
5864D. Agile Process
5865Answer: A
5866Explanation
5867A service-oriented architecture (SOA) is an architectural pattern in computer software design in
5868which application components provide services to other components via a communications protocol,
5869typically over a network.
5870References: https://en.wikipedia.org/wiki/Service-oriented_architecture
5871
5872NO.540 What is the technique for determining how a packet will move from an untrusted outside host to a
5873protected inside host behind a firewall, which permits the hacker to determine which ports are
5874open and whether the packets can pass through the packet filtering of the firewall?
5875A. Firewalking
5876B. Session hijacking
5877C. Network sniffing
5879D. Man-in-the-middle attack
5880Answer: A
5881
5882NO.541 The collection of potentially actionable, overt, and publicly available information is known as
5885A. Open-source intelligence
5886B. Human intelligence
5887C. Social intelligence
5888D. Real intelligence
5889Answer: A
5890
5891NO.542 Which of the following parameters enables NMAP's operating system detection feature?
5892A. NMAP -sV
5893B. NMAP -oS
5894C. NMAP -sR
5895D. NMAP -O
5896Answer: D
5897
5898NO.543 Which of the following is the structure designed to verify and authenticate the identity of
5899individuals within the enterprise taking part in a data exchange?
5900A. PKI
5901B. single sign on
5902C. biometrics
5903D. SOA
5904Answer: A
5905Explanation
5906A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage,
5907distribute, use, store, and revoke digital certificates [1] and manage public-key encryption. The
5908purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network
5909activities such as e-commerce, internet banking and confidential email.
5910References: https://en.wikipedia.org/wiki/Public_key_infrastructure
5911
5912NO.544 What network security concept requires multiple layers of security controls to be placed
5913throughout an IT infrastructure, which improves the security posture of an organization to defend
5914against malicious attacks or potential vulnerabilities?
5915A. Security through obscurity
5916B. Host-Based Intrusion Detection System
5917C. Defense in depth
5918D. Network-Based Intrusion Detection System
5919Answer: C
5920
5921NO.545 An attacker attaches a rogue router in a network. He wants to redirect traffic to a LAN
5922attached to his router as part of a man-in-the-middle attack. What measure on behalf of the
5923legitimate admin can mitigate this attack?
5925A. Only using OSPFv3 will mitigate this risk.
5926B. Make sure that legitimate network routers are configured to run routing protocols with
5927authentication.
5928C. Redirection of the traffic cannot happen unless the admin allows it explicitly.
5930D. Disable all routing protocols and only use static routes.
5931Answer: B
5932
5933NO.546 Which of the following is an advantage of utilizing security testing methodologies to conduct
5934a security audit?
5935A. They provide a repeatable framework.
5936B. Anyone can run the command line scripts.
5937C. They are available at low cost.
5938D. They are subject to government regulation.
5939Answer: A
5940
5941NO.547 Darius is analysing logs from an IDS. He wants to understand what triggered one alert and
5942verify whether it is a true positive or a false positive. Looking at the logs, he copies and pastes basic details like
5943below:
5944source IP: 192.168.21.100
5945source port: 80
5946destination IP: 192.168.10.23
5947destination port: 63221
5948What is the most proper answer?
5949A. This is most probably true negative.
5950B. This is most probably true positive which triggered on secure communication between client and
5951server.
5952C. This is most probably false-positive, because an alert triggered on reversed traffic.
5953D. This is most probably false-positive because IDS is monitoring one direction traffic.
5954Answer: A
5955
5956NO.548 You are tasked to perform a penetration test. While you are performing information
5957gathering, you find an employee list in Google. You find the receptionist's email, and you send her an
5958email changing the source email to her boss's email( boss@company ). In this email, you ask for a pdf
5959with information. She reads your email and sends back a pdf with links. You exchange the pdf links
5960with your malicious links (these links contain malware) and send back the modified pdf, saying that
5961the links don't work. She reads your email, opens the links, and her machine gets infected. You now
5963have access to the company network.
5964What testing method did you use?
5965A. Social engineering
5966B. Tailgating
5967C. Piggybacking
5968D. Eavesdropping
5969Answer: A
5970Explanation
5972Social engineering, in the context of information security, refers to psychological manipulation of
5973people into performing actions or divulging confidential information. A type of confidence trick for
5974the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in
5975that it is often one of many steps in a more complex fraud scheme.
5976
5977NO.549 SNMP is a protocol used to query hosts, servers, and devices about performance or health
5978status data. This protocol has long been used by hackers to gather a great amount of information
5979about remote hosts. Which of the following features makes this possible? (Choose two.)
5980A. It uses TCP as the underlying protocol.
5981B. It uses community string that is transmitted in clear text.
5982C. It is susceptible to sniffing.
5983D. It is used by all network devices on the market.
5984Answer: B D
5985
5986NO.550 Firewalk has just completed the second phase (the scanning phase) and a technician
5987receives the output shown below. What conclusions can be drawn based on these scan results?
5988A. The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target
5989host.
5990B. The lack of response from ports 21 and 22 indicates that those services are not running on the
5992destination server.
5993C. The scan on port 23 passed through the filtering device. This indicates that port 23 was not
5995blocked at the firewall.
5996D. The scan on port 23 was able to make a connection to the destination host prompting the firewall
5997to respond with a TTL error.
5998Answer: C
5999
6000NO.551 Which of the following is a component of a risk assessment?
6001A. Physical security
6002B. Administrative safeguards
6003C. DMZ
6004D. Logical interface
6005Answer: B
6006
6007NO.552 Which cipher encrypts the plain text digit (bit or byte) one by one?
6008A. Classical cipher
6009B. Block cipher
6010C. Modern cipher
6011D. Stream cipher
6012Answer: D
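NO.499 asks for a single XOR of two bytes and NO.552 names the stream cipher, which applies exactly that operation one digit at a time against a keystream. The following is an added example, not part of the original question bank: it works the NO.499 operands, encrypts and decrypts with a demonstration keystream, and shows the classic failure mode a defender should recognise, namely that two messages encrypted under one keystream leak their XOR to anyone holding both ciphertexts. The keystream construction (SHA-256 in counter mode) and the key are assumptions for the demo, not a vetted cipher.

```python
"""XOR as the primitive of stream ciphers (NO.499, NO.552): the keystream is XORed
into the plaintext digit by digit, and XORing the same keystream again restores
it. Reusing a keystream leaks P1 XOR P2 to anyone who XORs the two ciphertexts."""
import hashlib


def xor_bits(a, b):
    """XOR two equal-length binary strings, e.g. the operands of NO.499."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def keystream(key, length):
    """Constructed demo keystream: SHA-256 over key || counter. Not a vetted cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(data, other):
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(d ^ k for d, k in zip(data, other))


def encrypt(key, plaintext):
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


decrypt = encrypt  # the same operation undoes itself: (P xor K) xor K == P


def keystream_reuse_leak(c1, c2):
    """Given two ciphertexts under the same keystream, return P1 XOR P2.
    With one plaintext known (or guessable), the other follows directly."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    print("10110001 XOR 00111010 =", xor_bits("10110001", "00111010"))
    key = b"constructed-demo-key"
    p1, p2 = b"transfer 100 to acct 42", b"transfer 900 to acct 77"
    c1, c2 = encrypt(key, p1), encrypt(key, p2)
    print("round trip ok:", decrypt(key, c1) == p1)
    print("recovered p2 from c1, c2 and p1:", xor_bytes(keystream_reuse_leak(c1, c2), p1))
```

The last line is the reason stream-cipher deployments (and one-time pads) must never reuse a key/nonce pair: the keystream cancels out of `c1 XOR c2`, leaving only plaintext structure.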
6013
6014NO.553 Which type of access control is used on a router or firewall to limit network activity?
6016A. Mandatory
6017B. Discretionary
6018C. Rule-based
6019D. Role-based
6020Answer: C
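NO.553 (rule-based access control on a router or firewall), NO.516 (an ACK scan reported as unfiltered) and NO.537 (the SYN, SYN-ACK, ACK establishment and FIN, ACK-FIN, ACK teardown) all come together in one mechanism, so here is one added example covering the three; it is written for this page and is not code from the question bank. A stateless ACL judges each segment on its own, which is why an unsolicited ACK to a permitted port passes it, while the stateful variant only admits non-SYN segments that belong to a connection whose handshake it has seen. The rule set, the addresses and the traffic are constructed for the demonstration.

```python
"""Rule-based packet filtering, stateless and stateful. Rules are first-match with
an implicit deny. The stateless ACL passes an unsolicited ACK to an allowed port
(NO.516: "unfiltered"); the stateful filter tracks the three-way handshake and
the FIN teardown of NO.537 and drops segments with no connection behind them."""

# Constructed ACL: permit inbound TCP to the web server's port 80, deny all else.
RULES = [
    {"action": "allow", "proto": "tcp", "dst": "10.0.0.80", "dport": 80},
]


def stateless_filter(rules, pkt):
    """Classic ACL: first matching rule wins; no match -> implicit deny."""
    for rule in rules:
        if (rule["proto"] == pkt["proto"] and rule["dst"] == pkt["dst"]
                and rule["dport"] == pkt["dport"]):
            return rule["action"]
    return "deny"


class StatefulFilter:
    """Tracks TCP connections keyed by (client, cport, server, sport)."""

    def __init__(self, rules):
        self.rules = rules
        self.conns = {}

    def process(self, pkt):
        flags = set(pkt["flags"])
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if flags == {"SYN"}:                     # new connection: consult the ACL
            if stateless_filter(self.rules, pkt) != "allow":
                return "deny"
            self.conns[fwd] = "SYN_SENT"
            return "allow"
        if flags == {"SYN", "ACK"} and self.conns.get(rev) == "SYN_SENT":
            self.conns[rev] = "SYN_RECEIVED"     # handshake step 2
            return "allow"
        if flags == {"ACK"} and self.conns.get(fwd) == "SYN_RECEIVED":
            self.conns[fwd] = "ESTABLISHED"      # handshake step 3
            return "allow"
        key = fwd if fwd in self.conns else rev if rev in self.conns else None
        if key is None or self.conns[key] in ("SYN_SENT", "SYN_RECEIVED"):
            return "deny"                        # e.g. an ACK probe with no handshake
        state = self.conns[key]
        if "FIN" in flags:                       # FIN, then ACK-FIN from the peer
            self.conns[key] = "FIN_WAIT" if state == "ESTABLISHED" else "LAST_ACK"
        elif flags == {"ACK"} and state == "LAST_ACK":
            del self.conns[key]                  # final ACK closes the connection
        return "allow"


def tcp(src, sport, dst, dport, *flags):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": flags}


def run_scenarios():
    """Constructed traffic: an ACK probe from outside, then a full client session."""
    probe = tcp("198.51.100.9", 40000, "10.0.0.80", 80, "ACK")
    stateless_verdict = stateless_filter(RULES, probe)
    sf = StatefulFilter(RULES)
    stateful_verdict = sf.process(probe)
    c, s = ("192.0.2.5", 51000), ("10.0.0.80", 80)
    session = [
        tcp(*c, *s, "SYN"), tcp(*s, *c, "SYN", "ACK"), tcp(*c, *s, "ACK"),  # establish
        tcp(*c, *s, "PSH", "ACK"),                                           # data
        tcp(*c, *s, "FIN", "ACK"), tcp(*s, *c, "FIN", "ACK"), tcp(*c, *s, "ACK"),  # teardown
    ]
    verdicts = [sf.process(p) for p in session]
    return {"stateless_ack_probe": stateless_verdict, "stateful_ack_probe": stateful_verdict,
            "session": verdicts, "open_connections": len(sf.conns)}


if __name__ == "__main__":
    print(run_scenarios())
```

The ACK probe gets "allow" from the stateless ACL and "deny" from the stateful filter, which is the observable difference behind the NO.516 answer; the legitimate session is admitted end to end and leaves no connection entry once the final ACK is seen.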
6021
6022NO.554 If a token and 4-digit personal identification number (PIN) are used to access a computer
6023system and the token performs off-line checking for the correct PIN, what type of attack is possible?
6024A. Birthday
6025B. Brute force
6026C. Man-in-the-middle
6027D. Smurf
6028Answer: B
6029
6030NO.555 Which of the following is designed to identify malicious attempts to penetrate systems?
6031A. Intrusion Detection System
6032B. Firewall
6033C. Proxy
6034D. Router
6035Answer: A
6036Explanation
6037An intrusion detection system (IDS) is a device or software application that monitors network or
6038system activities for malicious activities or policy violations and produces electronic reports to a
6039management station.
6040References: https://en.wikipedia.org/wiki/Intrusion_detection_system
6041
6042NO.556 Which of the following is assured by the use of a hash?
6043A. Integrity
6044B. Confidentiality
6045C. Authentication
6046D. Availability
6047Answer: A
6048Explanation
6049An important application of secure hashes is verification of message integrity. Determining whether
6050any changes have been made to a message (or a file), for example, can be accomplished by
6051comparing message digests calculated before, and after, transmission (or any other event).
6052References:
6053https://en.wikipedia.org/wiki/Cryptographic_hash_function#Verifying_the_integrity_of_files_or_mes
6054sages
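NO.493, NO.515 and NO.556 all rest on the same property: a message digest changes whenever the input changes, so comparing digests taken before and after a transfer detects modification, and the digest length (128 bits for MD5, 160 for SHA-1) bounds the brute-force effort. The following is an added example, not from the question bank: it reports digest sizes from `hashlib`, verifies a constructed file body against its recorded digest in constant time, and hashes the same data in chunks the way a large file would be read. SHA-256 is the assumed default algorithm.

```python
"""Integrity verification with message digests (NO.493, NO.515, NO.556)."""
import hashlib
import hmac
import io

# Constructed "file" content and a tampered copy (one character changed).
ORIGINAL = b"PAY TO: ACME LTD\nAMOUNT: 1000.00\nREF: INV-0042\n"
TAMPERED = b"PAY TO: ACME LTD\nAMOUNT: 9000.00\nREF: INV-0042\n"


def digest_bits(algo):
    """Digest length in bits for a hashlib algorithm name (e.g. 'sha1' -> 160)."""
    return hashlib.new(algo).digest_size * 8


def digest(data, algo="sha256"):
    return hashlib.new(algo, data).hexdigest()


def hash_stream(fileobj, algo="sha256", chunk_size=65536):
    """Digest a file-like object without loading it into memory at once."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def hash_bytes_chunked(data, chunk_size, algo="sha256"):
    """Same result as digest(); shows that chunking does not change the digest."""
    return hash_stream(io.BytesIO(data), algo, chunk_size)


def verify_integrity(data, expected_hex, algo="sha256"):
    """Compare in constant time so the verifier does not leak matching prefixes."""
    return hmac.compare_digest(digest(data, algo), expected_hex)


def tamper_report(received, expected_hex, algo="sha256"):
    """What an integrity check should record when a digest mismatch is found."""
    actual = digest(received, algo)
    return {"algorithm": algo, "expected": expected_hex, "actual": actual,
            "modified": not hmac.compare_digest(actual, expected_hex)}


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256"):
        print(algo, digest_bits(algo), "bits")
    recorded = digest(ORIGINAL)          # digest taken before transmission
    print("original intact:", verify_integrity(ORIGINAL, recorded))
    print("tampered copy:", tamper_report(TAMPERED, recorded))
```

A digest alone proves integrity only if the recorded value is obtained over a trusted path; if an attacker can replace both the file and its published digest, an HMAC or a signature over the digest is needed.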
6055
6056NO.557 What is the minimum number of network connections in a multi homed firewall?
6057A. 3
6058B. 5
6059C. 4
6061D. 2
6062Answer: A
6063
6064NO.558 How does the Address Resolution Protocol (ARP) work?
6065A. It sends a request packet to all the network elements, asking for the MAC address from a specific
6066IP.
6067B. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP.
6068C. It sends a reply packet for a specific IP, asking for the MAC address.
6069D. It sends a request packet to all the network elements, asking for the domain name from a specific
6070IP.
6071Answer: A
6072Explanation
6073When an incoming packet destined for a host machine on a particular local area network arrives at a
6074gateway, the gateway asks the ARP program to find a physical host or MAC address that matches the
6075IP address. The ARP program looks in the ARP cache and, if it finds the address, provides it so that the
6076packet can be converted to the right packet length and format and sent to the machine. If no entry is
6078found for the IP address, ARP broadcasts a request packet in a special format to all the machines on
6079the LAN to see if one machine knows that it has that IP address associated with it. A machine that
6081recognizes the IP address as its own returns a reply so indicating. ARP updates the ARP cache for
6082future reference and then sends the packet to the MAC address that replied.
6083References:
6084http://searchnetworking.techtarget.com/definition/Address-Resolution-Protocol-ARP
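The explanation above describes the request/reply exchange and the cache update; what it does not show is how little protects that cache, since any host can answer a request or send an unsolicited reply. The following is an added example, not code from the question bank: it builds and parses ARP packets in the wire layout (hardware type, protocol type, address lengths, operation, sender and target addresses), answers a request the way a host does, and keeps a cache that flags a reply changing an existing IP-to-MAC binding, the symptom that Dynamic ARP Inspection (NO.531) blocks at the switch. Addresses are constructed for the demonstration.

```python
"""ARP request/reply construction and parsing, plus a cache that records
bindings and flags a reply that rewrites an existing IP -> MAC binding."""
import struct

# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
REQUEST, REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet (htype 1) / IPv4 (ptype 0x0800) ARP payload, 28 bytes."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac_bytes(sender_mac),
                       ip_bytes(sender_ip), mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(payload):
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def answer_request(request_payload, my_mac, my_ip):
    """What a host does with a broadcast request: reply only if the IP is its own."""
    req = parse_arp(request_payload)
    if req["oper"] != REQUEST or req["target_ip"] != my_ip:
        return None
    return build_arp(REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])


class ArpCache:
    """IP -> MAC table that records every reply and alerts on a changed binding."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, payload):
        pkt = parse_arp(payload)
        if pkt["oper"] == REPLY:
            known = self.table.get(pkt["sender_ip"])
            if known is not None and known != pkt["sender_mac"]:
                self.alerts.append("%s moved from %s to %s"
                                   % (pkt["sender_ip"], known, pkt["sender_mac"]))
            self.table[pkt["sender_ip"]] = pkt["sender_mac"]
        return pkt


if __name__ == "__main__":
    req = build_arp(REQUEST, "00:11:22:33:44:55", "192.168.1.10",
                    "00:00:00:00:00:00", "192.168.1.1")
    reply = answer_request(req, "aa:bb:cc:dd:ee:01", "192.168.1.1")
    cache = ArpCache()
    cache.observe(reply)
    cache.observe(build_arp(REPLY, "aa:bb:cc:dd:ee:99", "192.168.1.1",
                            "00:11:22:33:44:55", "192.168.1.10"))
    print(cache.table, cache.alerts)
```

The second reply claims the gateway address with a different MAC; a plain cache simply overwrites the entry, which is why the alert logic (or DAI, which validates replies against the DHCP snooping table) has to sit outside the host's own ARP handling.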
6085
NO.559 Which security strategy requires using several, varying methods to protect IT systems against attacks?
A. Defense in depth
B. Three-way handshake
C. Covert channels
D. Exponential backoff algorithm
Answer: A

NO.560 Which of the following techniques does a vulnerability scanner use in order to detect a vulnerability on a target service?
A. Port scanning
B. Banner grabbing
C. Injecting arbitrary data
D. Analyzing service response
Answer: D

NO.561 How can you determine if an LM hash you extracted contains a password that is less than 8 characters long?
A. There is no way to tell because a hash cannot be reversed
B. The rightmost portion of the hash is always the same
C. The hash always starts with AB923D
D. The leftmost portion of the hash is always the same
E. A portion of the hash will be all 0's
Answer: B

NO.562 Which of the following guidelines or standards is associated with the credit card industry?
A. Control Objectives for Information and Related Technology (COBIT)
B. Sarbanes-Oxley Act (SOX)
C. Health Insurance Portability and Accountability Act (HIPAA)
D. Payment Card Industry Data Security Standards (PCI DSS)
Answer: D

NO.563 Identify the correct terminology that defines the above statement.
A. Vulnerability Scanning
B. Penetration Testing
C. Security Policy Implementation
D. Designing Network Security
Answer: B

NO.564 An attacker tries to do banner grabbing on a remote web server and executes the following command.
Service detection performed. Please report any incorrect results at http://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds
What did the hacker accomplish?
A. nmap can't retrieve the version number of any running remote service.
B. The hacker successfully completed the banner grabbing.
C. The hacker should've used nmap -O host.domain.com.
D. The hacker failed to do banner grabbing as he didn't get the version of the Apache web server.
Answer: B

NO.565 What is the main difference between a "Normal" SQL Injection and a "Blind" SQL Injection vulnerability?
A. The request to the web server is not visible to the administrator of the vulnerable application.
B. The attack is called "Blind" because, although the application properly filters user input, it is still vulnerable to code injection.
C. The successful attack does not show an error message to the administrator of the affected application.
D. The vulnerable application does not display errors with information about the injection results to the attacker.
Answer: D

NO.566 Fingerprinting an Operating System helps a cracker because:
A. It defines exactly what software you have installed
B. It opens a security-delayed window based on the port being scanned
C. It doesn't depend on the patches that have been applied to fix existing security holes
D. It informs the cracker of which vulnerabilities he may be able to exploit on your system
Answer: D

NO.567 You are attempting to man-in-the-middle a session. Which protocol will allow you to guess a sequence number?
A. TCP
B. UPD
C. ICMP
D. UPX
Answer: A
Explanation
At the establishment of a TCP session the client starts by sending a SYN-packet (SYN=synchronize) with a sequence number. To hijack a session it is required to send a packet with the right sequence number, otherwise it is dropped.
References: https://www.exploit-db.com/papers/13587/

NO.568 The first thing you do every office day is to check your email inbox. One morning, you receive an email from your best friend and the subject line is quite strange. What should you do?
A. Delete the email and pretend nothing happened.
B. Forward the message to your supervisor and ask for her opinion on how to handle the situation.
C. Forward the message to your company's security response team and permanently delete the message from your computer.
D. Reply to the sender and ask them for more information about the message contents.
Answer: C

NO.569 During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded.
What type of firewall is inspecting outbound traffic?
A. Application
B. Circuit
C. Stateful
D. Packet Filtering
Answer: A
Explanation
An application firewall is an enhanced firewall that limits access by applications to the operating system (OS) of a computer. Conventional firewalls merely control the flow of data to and from the central processing unit (CPU), examining each packet and determining whether or not to forward it toward a particular destination.
An application firewall offers additional protection by controlling the execution of files or the handling of data by specific applications.
References:
http://searchsoftwarequality.techtarget.com/definition/application-firewall

NO.570 Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan?
A. It is a network fault and the originating machine is in a network loop
B. It is a worm that is malfunctioning or hardcoded to scan on port 500
C. The attacker is trying to detect machines on the network which have SSL enabled
D. The attacker is trying to determine the type of VPN implementation and checking for IPSec
Answer: D

NO.571 Take a look at the following attack on a Web Server using obstructed URL:
How would you protect from these attacks?
A. Configure the Web Server to deny requests involving "hex encoded" characters
B. Create rules in IDS to alert on strange Unicode requests
C. Use SSL authentication on Web Servers
D. Enable Active Scripts Detection at the firewall and routers
Answer: B

NO.572 Which of the following does proper basic configuration of snort as a network intrusion detection system require?
A. Limit the packets captured to the snort configuration file.
B. Capture every packet on the network segment.
C. Limit the packets captured to a single segment.
D. Limit the packets captured to the /var/log/snort directory.
Answer: A

NO.573 Defining rules, collaborating human workforce, creating a backup plan, and testing the plans are within what phase of the Incident Handling Process?
A. Preparation phase
B. Containment phase
C. Recovery phase
D. Identification phase
Answer: A

NO.574 Which of the following BEST describes how Address Resolution Protocol (ARP) works?
A. It sends a reply packet for a specific IP, asking for the MAC address
B. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP
C. It sends a request packet to all the network elements, asking for the domain name from a specific IP
D. It sends a request packet to all the network elements, asking for the MAC address from a specific IP
Answer: D

NO.575 It is a short-range wireless communication technology that allows mobile phones, computers and other devices to connect and communicate. This technology intends to replace cables connecting portable devices with high regards to security.
A. Bluetooth
B. Radio-Frequency Identification
C. WLAN
D. InfraRed
Answer: A

NO.576 What is the benefit of performing an unannounced Penetration Testing?
A. The tester will have an actual security posture visibility of the target network.
B. Network security would be in a "best state" posture.
C. It is best to catch critical infrastructure unpatched.
D. The tester could not provide an honest analysis.
Answer: A
Explanation
Real life attacks will always come without expectation and they will often arrive in ways that are highly creative and very hard to plan for at all. This is, after all, exactly how hackers continue to succeed against network security systems, despite the billions invested in the data protection industry.
A possible solution to this danger is to conduct intermittent "unannounced" penetration tests whose scheduling and occurrence is only known to the hired attackers and upper management staff instead of every security employee, as would be the case with "announced" penetration tests that everyone has planned for in advance. The former may be better at detecting realistic weaknesses.
References:
http://www.sitepronews.com/2013/03/20/the-pros-and-cons-of-penetration-testing/

NO.577 A hacker was able to easily gain access to a website. He was able to log in via the frontend user login form of the website using default or commonly used credentials. This exploitation is an example of what Software design flaw?
A. Insufficient security management
B. Insufficient database hardening
C. Insufficient input validation
D. Insufficient exception handling
Answer: B

NO.578 When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following?
A. Drops the packet and moves on to the next one
B. Continues to evaluate the packet until all rules are checked
C. Stops checking rules, sends an alert, and lets the packet continue
D. Blocks the connection with the source IP address in the packet
Answer: B

NO.579 If there is an Intrusion Detection System (IDS) in the intranet, which port scanning technique cannot be used?
A. Spoof Scan
B. TCP Connect scan
C. TCP SYN
D. Idle Scan
Answer: C

NO.580 You are performing information gathering for an important penetration test. You have found pdf, doc, and images in your objective. You decide to extract metadata from these files and analyze it.
What tool will help you with the task?
A. Metagoofil
B. Armitage
C. Dimitry
D. cdpsnarf
Answer: A
Explanation
Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to a target company.
Metagoofil will perform a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfMiner and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help penetration testers in the information gathering phase.
References:
http://www.edge-security.com/metagoofil.php

NO.581 The network administrator contacts you and tells you that she noticed the temperature on the internal wireless router increases by more than 20% during weekend hours when the office was closed. She asks you to investigate the issue because she is busy dealing with a big conference and she doesn't have time to perform the task.
What tool can you use to view the network traffic being sent and received by the wireless router?
A. Wireshark
B. Nessus
C. Netcat
D. Netstat
Answer: A
Explanation
Wireshark is a free and open source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

NO.582 This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools.
Which of the following tools is being described?
A. Aircrack-ng
B. Airguard
C. WLAN-crack
D. wificracker
Answer: A
Explanation
Aircrack-ng is a complete suite of tools to assess WiFi network security.
The default cracking method of Aircrack-ng is PTW, but Aircrack-ng can also use the FMS/KoreK method, which incorporates various statistical attacks to discover the WEP key and uses these in combination with brute forcing.
References:
http://www.aircrack-ng.org/doku.php?id=aircrack-ng

NO.583 An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com", the user is directed to a phishing site.
Which file does the attacker need to modify?
A. Hosts
B. Sudoers
C. Boot.ini
D. Networks
Answer: A
Explanation
The hosts file is a computer file used by an operating system to map hostnames to IP addresses. The hosts file contains lines of text consisting of an IP address in the first text field followed by one or more host names.
References: https://en.wikipedia.org/wiki/Hosts_(file)

NO.584 Bob is going to perform an active session hijack against Brownies Inc. He has found a target that allows session oriented connections (Telnet) and performs the sequence prediction on the target operating system. He manages to find an active session due to the high level of traffic on the network. What is Bob supposed to do next?
A. Take over the session
B. Reverse sequence prediction
C. Guess the sequence numbers
D. Take one of the parties offline
Answer: C

NO.585 The security concept of "separation of duties" is most similar to the operation of which type of security device?
A. Firewall
B. Bastion host
C. Intrusion Detection System
D. Honeypot
Answer: A
Explanation
In most enterprises the engineer making a firewall change is also the one reviewing the firewall metrics for unauthorized changes. What if the firewall administrator wanted to hide something? How would anyone ever find out? This is where the separation of duties comes in to focus on the responsibilities of tasks within security.
References:
http://searchsecurity.techtarget.com/tip/Modern-security-management-strategy-requires-securityseparation-of-du

NO.586 From the following table, identify the wrong answer in terms of Range (ft).
A. 802.11b
B. 802.11g
C. 802.16(WiMax)
D. 802.11a
Answer: D

NO.587 You've just been hired to perform a pen test on an organization that has been subjected to a large-scale attack.
The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate risk.
What is one of the first things you should do when given the job?
A. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable levels.
B. Interview all employees in the company to rule out possible insider threats.
C. Establish attribution to suspected attackers.
D. Start the wireshark application to start sniffing network traffic.
Answer: A
Explanation
The goals of penetration tests are:
References: https://en.wikipedia.org/wiki/Penetration_test

NO.588 Why are containers less secure than virtual machines?
A. The host OS of containers has a larger attack surface.
B. Containers may fill up the disk space of the host.
C. A compromised container may cause CPU starvation of the host.
D. Containers are attached to the same virtual network.
Answer: A

NO.589 To maintain compliance with regulatory requirements, a security audit of the systems on a network must be performed to determine their compliance with security policies. Which one of the following tools would most likely be used in such an audit?
A. Vulnerability scanner
B. Protocol analyzer
C. Port scanner
D. Intrusion Detection System
Answer: A
Explanation
A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses.
They can be run either as part of vulnerability management by those tasked with protecting systems, or by black hat attackers looking to gain unauthorized access.
References: https://en.wikipedia.org/wiki/Vulnerability_scanner

NO.590 You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters. With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results?
A. Online Attack
B. Dictionary Attack
C. Brute Force Attack
D. Hybrid Attack
Answer: D

NO.591 When you are collecting information to perform a data analysis, Google commands are very useful to find sensitive information and files. These files may contain information about passwords, system functions, or documentation.
What command will help you to search files using Google as a search engine?
A. site: target.com filetype:xls username password email
B. inurl: target.com filename:xls username password email
C. domain: target.com archive:xls username password email
D. site: target.com file:xls username password email
Answer: A
Explanation
If you include site: in your query, Google will restrict your search results to the site or domain you specify.
If you include filetype:suffix in your query, Google will restrict the results to pages whose names end in suffix. For example, [ web page evaluation checklist filetype:pdf ] will return Adobe Acrobat pdf files that match the terms "web," "page," "evaluation," and "checklist."
References:
http://www.googleguide.com/advanced_operators_reference.html

NO.592 Which Metasploit Framework tool can help a penetration tester evade Anti-virus systems?
A. msfpayload
B. msfcli
C. msfencode
D. msfd
Answer: C

NO.593 Sandra has been actively scanning the client network on which she is doing a vulnerability assessment test.
While conducting a port scan she notices open ports in the range of 135 to 139.
What protocol is most likely to be listening on those ports?
A. Finger
B. FTP
C. Samba
D. SMB
Answer: D

NO.594 At a Windows Server command prompt, which command could be used to list the running services?
A. Sc query type= running
B. Sc query \\servername
C. Sc query
D. Sc config
Answer: C

NO.595 The fundamental difference between symmetric and asymmetric key cryptographic systems is that symmetric key cryptography uses which of the following?
A. Multiple keys for non-repudiation of bulk data
B. Different keys on both ends of the transport medium
C. Bulk encryption for data transmission over fiber
D. The same key on each end of the transmission medium
Answer: D

NO.596 What mechanism in Windows prevents a user from accidentally executing a potentially malicious batch (.bat) or PowerShell (.ps1) script?
A. User Access Control (UAC)
B. Data Execution Prevention (DEP)
C. Address Space Layout Randomization (ASLR)
D. Windows firewall
Answer: B

NO.597 Knowing the nature of backup tapes, which of the following is the MOST RECOMMENDED way of storing backup tapes?
A. In a cool dry environment
B. Inside the data center for faster retrieval in a fireproof safe
C. In a climate controlled facility offsite
D. On a different floor in the same building
Answer: C

NO.598 Which of the following tools would MOST LIKELY be used to perform a security audit on various forms of network systems?
A. Intrusion Detection System
B. Vulnerability scanner
C. Port scanner
D. Protocol analyzer
Answer: B

NO.599 A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set:
The engineer wants to configure remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ. Which rule would best fit this requirement?
A. Permit 217.77.88.0/24 11.12.13.0/24 RDP 3389
B. Permit 217.77.88.12 11.12.13.50 RDP 3389
C. Permit 217.77.88.12 11.12.13.0/24 RDP 3389
D. Permit 217.77.88.0/24 11.12.13.50 RDP 3389
Answer: B

NO.600 A consultant has been hired by the V.P. of a large financial organization to assess the company's security posture. During the security testing, the consultant comes across child pornography on the V.P.'s computer.
What is the consultant's obligation to the financial organization?
A. Say nothing and continue with the security testing.
B. Stop work immediately and contact the authorities.
C. Delete the pornography, say nothing, and continue security testing.
D. Bring the discovery to the financial organization's human resource department.
Answer: B

NO.601 Tess King is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records (delegation for child Domains), zone serial number, TimeToLive (TTL) records, etc) for a Domain.
What do you think Tess King is trying to accomplish? Select the best answer.
A. A zone harvesting
B. A zone transfer
C. A zone update
D. A zone estimate
Answer: B

NO.602 Which of the following is a protocol specifically designed for transporting event messages?
A. SYSLOG
B. SMS
C. SNMP
D. ICMP
Answer: A
Explanation
syslog is a standard for message logging. It permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the software type generating the message, and assigned a severity label.
References: https://en.wikipedia.org/wiki/Syslog#Network_protocol

NO.603 Alice encrypts her data using her public key PK and stores the encrypted data in the cloud. Which of the following attack scenarios will compromise the privacy of her data?
A. None of these scenarios compromise the privacy of Alice's data
B. Agent Andrew subpoenas Alice, forcing her to reveal her private key. However, the cloud server successfully resists Andrew's attempt to access the stored data
C. Hacker Harry breaks into the cloud server and steals the encrypted data
D. Alice also stores her private key in the cloud, and Harry breaks into the cloud server as before
Answer: D

NO.604 The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below:
You are hired to conduct security testing on their network.
You successfully brute-force the SNMP community string using a SNMP crack tool.
The access-list configured at the router prevents you from establishing a successful connection.
You want to retrieve the Cisco configuration from the router. How would you proceed?
A. Use the Cisco's TFTP default password to connect and download the configuration file
B. Run a network sniffer and capture the returned traffic with the configuration file from the router
C. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address
D. Send a customized SNMP set request with a spoofed source IP address in the range -192.168.1.0
Answer: B D

NO.605 In order to prevent particular ports and applications from getting packets into an organization, what does a firewall check?
A. Network layer headers and the session layer port numbers
B. Presentation layer headers and the session layer port numbers
C. Application layer port numbers and the transport layer headers
D. Transport layer port numbers and application layer headers
Answer: D

NO.606 You have successfully gained access to your client's internal network and successfully compromised a Linux server which is part of the internal IP network. You want to know which Microsoft Windows workstations have file sharing enabled.
Which port would you see listening on these Windows machines in the network?
A. 445
B. 3389
C. 161
D. 1433
Answer: A
Explanation
The following ports are associated with file sharing and server message block (SMB) communications:
References: https://support.microsoft.com/en-us/kb/298804

NO.607 The following are types of Bluetooth attack EXCEPT_____?
A. Bluejacking
B. Bluesmaking
C. Bluesnarfing
D. Bluedriving
Answer: D

NO.608 Destination unreachable administratively prohibited messages can inform the hacker of what?
A. That a circuit level proxy has been installed and is filtering traffic
B. That his/her scans are being blocked by a honeypot or jail
C. That the packets are being malformed by the scanning software
D. That a router or other packet-filtering device is blocking traffic
E. That the network is functioning normally
Answer: D

NO.609 A possibly malicious sequence of packets that were sent to a web server has been captured by an Intrusion Detection System (IDS) and was saved to a PCAP file. As a network administrator, you need to determine whether these packets are indeed malicious. What tool are you going to use?
A. Intrusion Prevention System (IPS)
B. Vulnerability scanner
C. Protocol analyzer
D. Network sniffer
Answer: C

NO.610 A penetration tester is conducting a port scan on a specific host. The tester found several ports opened that were confusing in concluding the Operating System (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS?
A. The host is likely a Windows machine.
B. The host is likely a Linux machine.
C. The host is likely a router.
D. The host is likely a printer.
Answer: D

NO.611 Which results will be returned with the following Google search query?
site:target.com -site:Marketing.target.com accounting
A. Results matching all words in the query
B. Results matching "accounting" in domain target.com but not on the site Marketing.target.com
C. Results from matches on the site marketing.target.com that are in the domain target.com but do not include the word accounting
D. Results for matches on target.com and Marketing.target.com that include the word "accounting"
Answer: B

NO.612 What is the most common method to exploit the "Bash Bug" or "ShellShock" vulnerability?
A. Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment variable to a vulnerable Web server
B. Manipulate format strings in text fields
C. SSH
D. SYN Flood
Answer: A
Explanation
Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell. One specific exploitation vector of the Shellshock bug is CGI-based web servers.

Note: When a web server uses the Common Gateway Interface (CGI) to handle a document request, it passes various details of the request to a handler program in the environment variable list. For example, the variable HTTP_USER_AGENT has a value that, in normal usage, identifies the program sending the request. If the request handler is a Bash script, or if it executes one for example using the system call, Bash will receive the environment variables passed by the server and will process them. This provides a means for an attacker to trigger the Shellshock vulnerability with a specially crafted server request.
References: https://en.wikipedia.org/wiki/Shellshock_(software_bug)#Specific_exploitation_vectors

NO.613 It is an entity or event with the potential to adversely impact a system through unauthorized access, destruction, disclosure, denial of service or modification of data.
Which of the following terms best matches the definition?
A. Threat
B. Attack
C. Vulnerability
D. Risk
Answer: A
Explanation
A threat is any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.
References: https://en.wikipedia.org/wiki/Threat_(computer)

NO.614 Which of the following cryptography attack methods is usually performed without the use of a computer?
A. Ciphertext-only attack
B. Chosen key attack
C. Rubber hose attack
D. Rainbow table attack
Answer: C

NO.615 Which statement best describes a server type under an N-tier architecture?
A. A group of servers at a specific layer
B. A single server with a specific role
C. A group of servers with a unique role
D. A single server at a specific layer
Answer: C

NO.616 When utilizing technical assessment methods to assess the security posture of a network, which of the following techniques would be most effective in determining whether end-user security training would be beneficial?
A. Vulnerability scanning
B. Social engineering
C. Application security testing
D. Network sniffing
Answer: B

NO.617 Which statement is TRUE regarding network firewalls preventing Web Application attacks?
A. Network firewalls can prevent attacks because they can detect malicious HTTP traffic.
B. Network firewalls cannot prevent attacks because ports 80 and 443 must be opened.
C. Network firewalls can prevent attacks if they are properly configured.
D. Network firewalls cannot prevent attacks because they are too complex to configure.
Answer: B
Explanation
Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set. To prevent Web Application attacks an Application layer firewall would be required.
References: https://en.wikipedia.org/wiki/Firewall_(computing)#Network_layer_or_packet_filters

NO.618 You work as a Security Analyst for a retail organization. In securing the company's network, you set up a firewall and an IDS. However, hackers are able to attack the network. After investigating, you discover that your IDS is not configured properly and therefore is unable to trigger alarms when needed. What type of alert is the IDS giving?
A. False Negative
B. False Positive
C. True Negative
D. True Positive
Answer: A
Explanation
A false negative error, or in short false negative, is where a test result indicates that a condition failed, while it actually was successful. I.e. erroneously no effect has been assumed.
References:
https://en.wikipedia.org/wiki/False_positives_and_false_negatives#False_negative_error

6796NO.619 The intrusion detection system at a software development company suddenly generates
6797multiple alerts regarding attacks against the company's external webserver, VPN concentrator, and
6798DNS servers. What should the security team do to determine which alerts to check first?
6799A. Investigate based on the maintenance schedule of the affected systems.
6800B. Investigate based on the service level agreements of the systems.
6801C. Investigate based on the potential effect of the incident.
6802D. Investigate based on the order that the alerts arrived in.
6803Answer: C
6804
6805NO.620 What type of OS fingerprinting technique sends specially crafted packets to the remote OS
6806and analyzes the received response?
6807A. Passive
6808B. Reflective
6809C. Active
6810D. Distributive
6811Answer: C
6812
6813NO.621 During a penetration test, a tester finds a target that is running MS SQL 2000 with default
6814credentials. The tester assumes that the service is running with Local System account. How can this
6815weakness be exploited to access the system?
6816A. Using the Metasploit psexec module setting the SA / Admin credential
6817B. Invoking the stored procedure xp_shell to spawn a Windows command shell
6818C. Invoking the stored procedure cmd_shell to spawn a Windows command shell
6819D. Invoking the stored procedure xp_cmdshell to spawn a Windows command shell
6820Answer: D
6821
6822NO.622 What is the primary drawback to using advanced encryption standard (AES) algorithm with a
6823256 bit key to share sensitive data?
6824A. Due to the key size, the time it will take to encrypt and decrypt the message hinders efficient
6825communication.
6826B. To get messaging programs to function with this algorithm requires complex configurations.
6827C. It has been proven to be a weak cipher; therefore, should
6828NO. be trusted to protect sensitive data.
6829D. It is a symmetric key algorithm, meaning each recipient must receive the key through a different
6830channel than the message.
6831Answer: D
6832
NO.623 Nathan is testing some of his network devices. Nathan is using Macof to try and flood the
ARP cache of these switches.
If these switches' ARP cache is successfully flooded, what will be the result?
A. The switches will drop into hub mode if the ARP cache is successfully flooded.
B. If the ARP cache is flooded, the switches will drop into pix mode making it less susceptible to
attacks.
C. Depending on the switch manufacturer, the device will either delete every entry in its ARP cache
or reroute packets to the nearest switch.
D. The switches will route all traffic to the broadcast address, creating collisions.
Answer: A

NO.624 This is an attack that takes advantage of a web site vulnerability in which the site displays
content that includes un-sanitized user-provided data.
What is this attack?
A. Cross-site-scripting attack
B. SQL Injection
C. URL Traversal attack
D. Buffer Overflow attack
Answer: A

NO.625 When setting up a wireless network, an administrator enters a pre-shared key for security.
Which of the following is true?
A. The key entered is a symmetric key used to encrypt the wireless data.
B. The key entered is a hash that is used to prove the integrity of the wireless data.
C. The key entered is based on the Diffie-Hellman method.
D. The key is an RSA key used to encrypt the wireless data.
Answer: A

NO.626 For messages sent through an insecure channel, a properly implemented digital signature
gives the receiver reason to believe the message was sent by the claimed sender. While using a
digital signature, the message digest is encrypted with which key?
A. Sender's public key
B. Receiver's private key
C. Receiver's public key
D. Sender's private key
Answer: D

NO.627 One advantage of an application-level firewall is the ability to
A. filter packets at the network level.
B. filter specific commands, such as http:post.
C. retain state information for each packet.
D. monitor tcp handshaking.
Answer: B

NO.628 Jesse receives an email with an attachment labeled "Court_Notice_21206.zip". Inside the zip
file is a file named "Court_Notice_21206.docx.exe" disguised as a word document. Upon execution, a
window appears stating, "This word document is corrupt." In the background, the file copies itself to
Jesse's APPDATA\local directory and begins to beacon to a C2 server to download additional malicious
binaries.
What type of malware has Jesse encountered?
A. Trojan
B. Worm
C. Macro Virus
D. Key-Logger
Answer: A
Explanation
In computing, a Trojan horse, or Trojan, is any malicious computer program which is used to hack into a
computer by misleading users of its true intent. Although their payload can be anything, many
modern forms act as a backdoor, contacting a controller which can then have unauthorized access to
the affected computer.
References: https://en.wikipedia.org/wiki/Trojan_horse_(computing)

NO.629 Rebecca commonly sees an error on her Windows system that states that a Data Execution
Prevention (DEP) error has taken place. Which of the following is most likely taking place?
A. A race condition is being exploited, and the operating system is containing the malicious process.
B. A page fault is occurring, which forces the operating system to write data from the hard drive.
C. Malware is executing in either ROM or a cache memory area.
D. Malicious code is attempting to execute instructions in a non-executable memory region.
Answer: D

NO.630 Insecure direct object reference is a type of vulnerability where the application does not
verify if the user is authorized to access the internal object via its name or key.
Suppose a malicious user Rob tries to get access to the account of a benign user Ned.
Which of the following requests best illustrates an attempt to exploit an insecure direct object
reference vulnerability?
A. "GET/restricted/goldtransfer?to=Rob&from=1 or 1=1' HTTP/1.1Host: westbank.com"
B. "GET/restricted/accounts/?name=Ned HTTP/1.1 Host: westbank.com"
C. "GET/restricted/bank.getaccount('Ned') HTTP/1.1 Host: westbank.com"
D. "GET/restricted/\r\n\%00account%00Ned%00access HTTP/1.1 Host: westbank.com"
Answer: B

NO.631 Based on the below log, which of the following sentences are true?
Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip
A. SSH communications are encrypted; it's impossible to know who is the client or the server
B. Application is FTP and 10.240.250.23 is the client and 10.249.253.15 is the server
C. Application is SSH and 10.240.250.23 is the client and 10.249.253.15 is the server
D. Application is SSH and 10.240.250.23 is the server and 10.249.253.15 is the server
Answer: C

NO.632 Which of the statements concerning proxy firewalls is correct?
A. Proxy firewalls increase the speed and functionality of a network.
B. Firewall proxy servers decentralize all activity for an application.
C. Proxy firewalls block network packets from passing to and from a protected network.
D. Computers establish a connection with a proxy firewall which initiates a new network connection
for the client.
Answer: D

NO.633 A new wireless client is configured to join an 802.11 network. This client uses the same
hardware and software as many of the other clients on the network. The client can see the network,
but cannot connect. A wireless packet sniffer shows that the Wireless Access Point (WAP) is not
responding to the association requests being sent by the wireless client.
What is a possible source of this problem?
A. The WAP does not recognize the client's MAC address
B. The client cannot see the SSID of the wireless network
C. Client is configured for the wrong channel
D. The wireless client is not configured to use DHCP
Answer: A
Explanation
MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method
whereby the 48-bit address assigned to each network card is used to determine access to the
network. MAC Filtering is often used on wireless networks.
References: https://en.wikipedia.org/wiki/MAC_filtering

NO.634 Which method of password cracking takes the most time and effort?
A. Brute force
B. Rainbow tables
C. Dictionary attack
D. Shoulder surfing
Answer: A
Explanation
Brute-force cracking, in which a computer tries every possible key or password until it succeeds, is
typically very time consuming. More common methods of password cracking, such as dictionary
attacks, pattern checking, word list substitution, etc. attempt to reduce the number of trials required
and will usually be attempted before brute force.
References: https://en.wikipedia.org/wiki/Password_cracking

NO.635 How can rainbow tables be defeated?
A. Password salting
B. Use of non-dictionary words
C. All uppercase character passwords
D. Lockout accounts under brute force password cracking attempts
Answer: A

NO.636 When creating a security program, which approach would be used if senior management is
supporting and enforcing the security policy?
A. A bottom-up approach
B. A top-down approach
C. A senior creation approach
D. An IT assurance approach
Answer: B

NO.637 The "white box testing" methodology enforces what kind of restriction?
A. The internal operation of a system is completely known to the tester.
B. Only the external operation of a system is accessible to the tester.
C. Only the internal operation of a system is known to the tester.
D. The internal operation of a system is only partly accessible to the tester.
Answer: A
Explanation
White-box testing (also known as clear box testing, glass box testing, transparent box testing, and
structural testing) is a method of testing software that tests internal structures or workings of an
application, as opposed to its functionality (i.e. black-box testing). In white-box testing an internal
perspective of the system, as well as programming skills, are used to design test cases.
References: https://en.wikipedia.org/wiki/White-box_testing

NO.638 You are attempting to crack LAN Manager (LM) hashes from a Windows 2000 SAM file. You will be
using an LM brute force hacking tool for decryption. What encryption algorithm will you be decrypting?
A. MD4
B. DES
C. SHA
D. SSL
Answer: B

NO.639 Which of the following business challenges could be solved by using a vulnerability scanner?
A. Auditors want to discover if all systems are following a standard naming convention.
B. A web server was compromised and management needs to know if any further systems were
compromised.
C. There is an emergency need to remove administrator access from multiple machines for an
employee that quit.
D. There is a monthly requirement to test corporate compliance with host application usage and
security policies.
Answer: D

NO.640 What is the main advantage that a network-based IDS/IPS system has over a host-based
solution?
A. They do not use host system resources.
B. They are placed at the boundary, allowing them to inspect all traffic.
C. They are easier to install and configure.
D. They will not interfere with user interfaces.
Answer: A

NO.641 An attacker sniffs encrypted traffic from the network and is subsequently able to decrypt it.
The attacker cannot use which cryptanalytic technique to attempt to discover the encryption key?
A. Birthday attack
B. Plaintext attack
C. Meet in the middle attack
D. Chosen ciphertext attack
Answer: D

NO.642 One of the Forbes 500 companies has been subjected to a large scale attack. You are one of
the shortlisted pen testers that they may hire. During the interview with the CIO, he emphasized that
he wants to totally eliminate all risks. What is one of the first things you should do when hired?
A. Interview all employees in the company to rule out possible insider threats.
B. Establish attribution to suspected attackers.
C. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to
acceptable levels.
D. Start the Wireshark application to start sniffing network traffic.
Answer: C

NO.643 Which of the following types of firewall inspects only header information in network traffic?
A. Packet filter
B. Stateful inspection
C. Circuit-level gateway
D. Application-level gateway
Answer: A

NO.644 In which of the following password protection techniques are random strings of characters
added to the password before calculating their hashes?
A. Keyed Hashing
B. Key Stretching
C. Salting
D. Double Hashing
Answer: C

NO.645 An analyst is investigating proxy logs and found out that one of the internal users visited a
website storing suspicious JavaScripts. After opening one of them, he noticed that it is very hard to
understand the code and that all the code differs from typical JavaScript. What is the name of this
technique to hide the code and extend analysis time?
A. Encryption
B. Code encoding
C. Obfuscation
D. Steganography
Answer: A

NO.646 You've just gained root access to a Centos 6 server after days of trying. What tool should
you use to maintain access?
A. Disable Key Services
B. Create User Account
C. Download and Install Netcat
D. Disable IPTables
Answer: B

NO.647 E-mail scams and mail fraud are regulated by which of the following?
A. 18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers
B. 18 U.S.C. par. 1029 Fraud and Related activity in connection with Access Devices
C. 18 U.S.C. par. 1362 Communication Lines, Stations, or Systems
D. 18 U.S.C. par. 2510 Wire and Electronic Communications Interception and Interception of Oral
Communication
Answer: A

7098
7099NO.648 The chance of a hard drive failure is k
7100NO.n to be once every four years. The cost of a new
7101hard drive is $500.
7102EF (Exposure Factor) is about 0.5. Calculate for the Annualized Loss Expectancy (ALE).
7103A. $62.5
7104B. $250
7105C. $125
7106D. $65.2
7107Answer: A
7108
7109NO.649 A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff
7110the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems.
7111However, he is unable to capture any logons though he k
7112NO.s that other users are logging in.
7113What do you think is the most likely reason behind this?
7114A. There is a NIDS present on that segment.
7115B. Kerberos is preventing it.
7116C. Windows logons can
7117NO. be sniffed.
7118D. L0phtcrack only sniffs logons to web servers.
7119Answer: B
7120
7121NO.650 In the software security development life cycle process, threat modeling occurs in which
7122phase?
7123A. Design
7124B. Requirements
7125C. Verification
7126D. Implementation
7127162
7128Answer: A
7129
7130NO.651 Your team has won a contract to infiltrate an organization. The company wants to have the
7131attack be as realistic as possible; therefore, they did
7132NO. provide any information besides the
7133company name.
7134What should be the first step in security testing the client?
7135A. Reconnaissance
7136B. Enumeration
7137C. Scanning
7138D. Escalation
7139Answer: A
7140Explanation
7141Phases of hacking
7142Phase 1-Reconnaissance
7143Phase 2-Scanning
7144Phase 3-Gaining Access
7145Phase 4-Maintaining Access
7146Phase 5-Covering Tracks
7147Phase 1: Passive and Active Reconnaissance
7148References:
7149http://hack-o-crack.blogspot.se/2010/12/five-stages-of-ethical-hacking.html
7150
7151NO.652 Eve is spending her day scanning the library computers. She
7152NO.ices that Alice is using a
7153computer whose port
7154445 is active and listening. Eve uses the ENUM tool to enumerate Alice machine. From the command
7155prompt, she types the following command.
7156What is Eve trying to do?
7157A. Eve is trying to connect as a user with Administrator privileges
7158B. Eve is trying to enumerate all users with Administrative privileges
7159C. Eve is trying to carry out a password crack for user Administrator
7160D. Eve is trying to escalate privilege of the null user to that of Administrator
7161Answer: C
7162
7163NO.653 You are the Systems Administrator for a large corporate organization. You need to monitor
7164all network traffic on your local network for suspicious activities and receive
7165NO.ifications when an
7166attack is occurring. Which tool would allow you to accomplish this goal?
7167A. Network-based IDS
7168B. Firewall
7169C. Proxy
7170D. Host-based IDS
7171Answer: A
7172Explanation
7173163
7174A network-based intrusion detection system (NIDS) is used to monitor and analyze network traffic to
7175protect a system from network-based threats.
7176A NIDS reads all inbound packets and searches for any suspicious patterns. When threats are
7177discovered, based on its severity, the system can take action such as
7178NO.ifying administrators, or
7179barring the source IP address from accessing the network.
7180References: https://www.techopedia.com/definition/12941/network-based-intrusion-detectionsystem-
7181nids
7182
7183NO.654 An attacker uses a communication channel within an operating system that is neither
7184designed
7185NO. intended to transfer information. What is the name of the communications channel?
7186A. Classified
7187B. Overt
7188C. Encrypted
7189D. Covert
7190Answer: D
7191
NO.655 What does the -oX flag do in an Nmap scan?
A. Perform an express scan
B. Output the results in truncated format to the screen
C. Perform an Xmas scan
D. Output the results in XML format to a file
Answer: D

NO.656 In many states sending spam is illegal. Thus, the spammers have techniques to try and
ensure that no one knows they sent the spam out to thousands of users at a time. Which of the
following best describes what spammers use to hide the origin of these types of e-mails?
A. A blacklist of companies that have their mail server relays configured to allow traffic only to their
specific domain name.
B. Mail relaying, which is a technique of bouncing e-mail from internal to external mail servers
continuously.
C. A blacklist of companies that have their mail server relays configured to be wide open.
D. Tools that will reconfigure a mail server's relay component to send the e-mail back to the
spammers occasionally.
Answer: B

NO.657 What is correct about digital signatures?
A. A digital signature cannot be moved from one signed document to another because it is the hash
of the original document encrypted with the private key of the signing party.
B. Digital signatures may be used in different documents of the same type.
C. A digital signature cannot be moved from one signed document to another because it is a plain
hash of the document content.
D. Digital signatures are issued once for each user and can be used everywhere until they expire.
Answer: A

NO.658 Null sessions are un-authenticated connections (not using a username or password) to an
NT or 2000 system.
Which TCP and UDP ports must you filter to check null sessions on your network?
A. 137 and 139
B. 137 and 443
C. 139 and 443
D. 139 and 445
Answer: D

NO.659 Backing up data is a security must. However, it also has a certain level of risk when
mishandled. Which of the following is the greatest threat posed by backups?
A. A backup is the source of Malware or illicit information
B. A backup is incomplete because no verification was performed
C. A backup is unavailable during disaster recovery
D. An unencrypted backup can be misplaced or stolen
Answer: D

NO.660 What is the best description of SQL Injection?
A. It is an attack used to gain unauthorized access to a database.
B. It is an attack used to modify code in an application.
C. It is a Man-in-the-Middle attack between your SQL Server and Web App Server.
D. It is a Denial of Service Attack.
Answer: A
Explanation
SQL injection is a code injection technique, used to attack data-driven applications, in which
malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database
contents to the attacker).
References: https://en.wikipedia.org/wiki/SQL_injection

NO.661 A company has five different subnets: 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0
and 192.168.5.0.
How can NMAP be used to scan these adjacent Class C networks?
A. NMAP -P 192.168.1-5.
B. NMAP -P 192.168.0.0/16
C. NMAP -P 192.168.1.0,2.0,3.0,4.0,5.0
D. NMAP -P 192.168.1/17
Answer: A

NO.662 Which of the following will perform an Xmas scan using NMAP?
A. nmap -sA 192.168.1.254
B. nmap -sP 192.168.1.254
C. nmap -sX 192.168.1.254
D. nmap -sV 192.168.1.254
Answer: C

NO.663 _________ is a set of extensions to DNS that provide to DNS clients (resolvers) origin
authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack
types.
A. DNSSEC
B. Zone transfer
C. Resource transfer
D. Resource records
Answer: A

NO.664 Which definition among those given below best describes a covert channel?
A. A server program using a port that is not well known.
B. Making use of a protocol in a way it is not intended to be used.
C. It is the multiplexing taking place on a communication link.
D. It is one of the weak channels used by WEP which makes it insecure
Answer: B

NO.665 Which of the following is a restriction being enforced in "white box testing?"
A. Only the internal operation of a system is known to the tester
B. The internal operation of a system is completely known to the tester
C. The internal operation of a system is only partly accessible to the tester
D. Only the external operation of a system is accessible to the tester
Answer: B

NO.666 An unauthorized individual enters a building following an employee through the employee
entrance after the lunch rush. What type of breach has the individual just performed?
A. Reverse Social Engineering
B. Tailgating
C. Piggybacking
D. Announced
Answer: B

NO.667 A company has hired a security administrator to maintain and administer Linux and
Windows-based systems.
Written in the nightly report file is the following:
Firewall log files are at the expected value of 4 MB. The current time is 12am. Exactly two hours later
the size has decreased considerably. Another hour goes by and the log files have shrunk in size again.
Which of the following actions should the security administrator take?
A. Log the event as suspicious activity and report this behavior to the incident response team
immediately.
B. Log the event as suspicious activity, call a manager, and report this as soon as possible.
C. Run an anti-virus scan because it is likely the system is infected by malware.
D. Log the event as suspicious activity, continue to investigate, and act according to the site's security
policy.
Answer: D

NO.668 Which of the following identifies the three modes in which Snort can be configured to run?
A. Sniffer, Packet Logger, and Network Intrusion Detection System
B. Sniffer, Network Intrusion Detection System, and Host Intrusion Detection System
C. Sniffer, Host Intrusion Prevention System, and Network Intrusion Prevention System
D. Sniffer, Packet Logger, and Host Intrusion Prevention System
Answer: A

NO.669 Which of the following statements about a zone transfer is correct? (Choose three.)
A. A zone transfer is accomplished with the DNS
B. A zone transfer is accomplished with the nslookup service
C. A zone transfer passes all zone information that a DNS server maintains
D. A zone transfer passes all zone information that a nslookup server maintains
E. A zone transfer can be prevented by blocking all inbound TCP port 53 connections
F. Zone transfers cannot occur on the Internet
Answer: A C E

NO.670 A well-intentioned researcher discovers a vulnerability on the web site of a major
corporation. What should he do?
A. Ignore it.
B. Try to sell the information to a well-paying party on the dark web.
C. Notify the web site owner so that corrective action can be taken as soon as possible to patch the
vulnerability.
D. Exploit the vulnerability without harming the web site owner so that attention be drawn to the
problem.
Answer: C

NO.671 You are an Ethical Hacker who is auditing the ABC company. When you verify the NOC, one
of the machines has 2 connections, one wired and the other wireless. When you verify the
configuration of this Windows system you find two static routes.
route add 10.0.0.0 mask 255.0.0.0 10.0.0.1
route add 0.0.0.0 mask 255.0.0.0 199.168.0.1
What is the main purpose of those static routes?
A. Both static routes indicate that the traffic is external with different gateway.
B. The first static route indicates that the internal traffic will use an external gateway and the second
static route indicates that the traffic will be rerouted.
C. Both static routes indicate that the traffic is internal with different gateway.
D. The first static route indicates that the internal addresses are using the internal gateway and the
second static route indicates that all the traffic that is not internal must go to an external gateway.
Answer: D

NO.672 Which of the following statements regarding ethical hacking is incorrect?
A. Ethical hackers should never use tools or methods that have the potential of exploiting
vulnerabilities in an organization's systems.
B. Testing should be remotely performed offsite.
C. An organization should use ethical hackers who do not sell vendor hardware/software or other
consulting services.
D. Ethical hacking should not involve writing to or modifying the target systems.
Answer: A
Explanation
Ethical hackers use the same methods and techniques, including those that have the potential of
exploiting vulnerabilities, to test and bypass a system's defenses as their less-principled counterparts,
but rather than taking advantage of any vulnerabilities found, they document them and provide
actionable advice on how to fix them so the organization can improve its overall security.
References:
http://searchsecurity.techtarget.com/definition/ethical-hacker

NO.673 Low humidity in a data center can cause which of the following problems?
A. Heat
B. Corrosion
C. Static electricity
D. Airborne contamination
Answer: C

NO.674 Seth is starting a penetration test from inside the network. He hasn't been given any
information about the network. What type of test is he conducting?
A. Internal Whitebox
B. External, Whitebox
C. Internal, Blackbox
D. External, Blackbox
Answer: C

NO.675 Which type of scan measures a person's external features through a digital video camera?
A. Iris scan
B. Retinal scan
C. Facial recognition scan
D. Signature kinetics scan
Answer: C

NO.676 A security policy will be more accepted by employees if it is consistent and has the support
of
A. coworkers.
B. executive management.
C. the security officer.
D. a supervisor.
Answer: B

NO.677 This international organization regulates billions of transactions daily and provides security
guidelines to protect personally identifiable information (PII). These security controls provide a
baseline and prevent low-level hackers sometimes known as script kiddies from causing a data
breach.
Which of the following organizations is being described?
A. Payment Card Industry (PCI)
B. Center for Disease Control (CDC)
C. Institute of Electrical and Electronics Engineers (IEEE)
D. International Security Industry Organization (ISIO)
Answer: A
Explanation
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security
standard for organizations that handle branded credit cards from the major card schemes including
Visa, MasterCard, American Express, Discover, and JCB. The PCI DSS standards are very explicit about
the requirements for the back end storage and access of PII (personally identifiable information).
References: https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

7442NO.678 When purchasing a biometric system, one of the considerations that should be reviewed is
7443the processing speed. Which of the following best describes what it is meant by processing?
7444A. The amount of time it takes to convert biometric data into a template on a smart card.
7445B. The amount of time and resources that are necessary to maintain a biometric system.
7446C. The amount of time it takes to be either accepted or rejected form when an individual provides
7447Identification and authentication information.
7448D. How long it takes to setup individual user accounts.
7449Answer: C
7450
NO.679 While performing online banking using a Web browser, a user receives an email that
contains a link to an interesting Web site. When the user clicks on the link, another Web browser
session starts and displays a video of cats playing a piano. The next business day, the user receives
what looks like an email from his bank, indicating that his bank account has been accessed from a
foreign country. The email asks the user to call his bank and verify the authorization of a funds
transfer that took place.
What Web browser-based security vulnerability was exploited to compromise the user?
A. Cross-Site Request Forgery
B. Cross-Site Scripting
C. Clickjacking
D. Web form input validation
Answer: A
Explanation
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF
or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted
from a user that the website trusts.
Example and characteristics
If an attacker is able to find a reproducible link that executes a specific action on the target page
while the victim is logged in there, he is able to embed such a link on a page he controls and trick
the victim into opening it. The attack carrier link may be placed in a location that the victim is likely to
visit while logged into the target site (e.g. a discussion forum), or sent in an HTML email body or
attachment.
7477
NO.680 A big company, who wanted to test their security infrastructure, wants to hire elite pen
testers like you. During the interview, they asked you to show sample reports from previous
penetration tests. What should you do?
A. Share reports, after NDA is signed
B. Share full reports, not redacted
C. Decline but, provide references
D. Share full reports with redactions
Answer: C
7487
NO.681 Eve stole a file named secret.txt, transferred it to her computer and she just entered these
commands:
What is she trying to achieve?
A. She is encrypting the file.
B. She is using John the Ripper to view the contents of the file.
C. She is using ftp to transfer the file to another hacker named John.
D. She is using John the Ripper to crack the passwords in the secret.txt file.
Answer: D
7497
NO.682 Let's imagine three companies (A, B and C), all competing in a challenging global
environment. Company A and B are working together in developing a product that will generate a
major competitive advantage for them.
Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing. With a
spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails from
company B. How do you prevent DNS spoofing?
A. Install DNS logger and track vulnerable packets
B. Disable DNS timeouts
C. Install DNS Anti-spoofing
D. Disable DNS Zone Transfer
Answer: C
7511
NO.683 Which of the following is considered an exploit framework and has the ability to perform
automated attacks on services, ports, applications and unpatched security flaws in a computer
system?
A. Wireshark
B. Maltego
C. Metasploit
D. Nessus
Answer: C
7520
NO.684 Which of the following viruses tries to hide from anti-virus programs by actively altering and
corrupting the chosen service call interruptions when they are being run?
A. Cavity virus
B. Polymorphic virus
C. Tunneling virus
D. Stealth virus
Answer: D
7528
NO.685 There are several ways to gain insight on how a cryptosystem works with the goal of reverse
engineering the process. Which term describes when two pieces of data result in the same value?
A. Collision
B. Collusion
C. Polymorphism
D. Escrow
Answer: A
7536
NO.686 The network in ABC company is using the network address 192.168.1.64 with mask
255.255.255.192. In the network the servers are in the addresses 192.168.1.122, 192.168.1.123 and
192.168.1.124.
An attacker is trying to find those servers but he cannot see them in his scanning. The command he is
using is:
nmap 192.168.1.64/28
Why can he not see the servers?
A. The network must be down and the nmap command and IP address are ok.
B. He needs to add the command 'ip address' just before the IP address.
C. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not
in that range.
D. He needs to change the address to 192.168.1.0 with the same mask.
Answer: C
7553
NO.687 When using Wireshark to acquire packet capture on a network, which device would enable
the capture of all traffic on the wire?
A. Network tap
B. Layer 3 switch
C. Network bridge
D. Application firewall
Answer: A
7562
NO.688 An attacker gains access to a Web server's database and displays the contents of the table
that holds all of the names, passwords, and other user information. The attacker did this by entering
information into the Web site's user login page that the software's designers did not expect to be
entered. This is an example of what kind of software design problem?
A. Insufficient input validation
B. Insufficient exception handling
C. Insufficient database hardening
D. Insufficient security management
Answer: A
Explanation
The most common web application security weakness is the failure to properly validate input coming
from the client or from the environment before using it. This weakness leads to almost all of the
major vulnerabilities in web applications, such as cross site scripting, SQL injection, interpreter
injection, locale/Unicode attacks, file system attacks, and buffer overflows.
References: https://www.owasp.org/index.php/Testing_for_Input_Validation
7579
NO.689 What type of malware is it that restricts access to a computer system that it infects and
demands that the user pay a certain amount of money, cryptocurrency, etc. to the operators of the
malware to remove the restriction?
A. Ransomware
B. Riskware
C. Adware
D. Spyware
Answer: A
7588
NO.690 Scenario:
What is the name of the attack which is mentioned in the scenario?
A. HTTP Parameter Pollution
B. HTML Injection
C. Session Fixation
D. ClickJacking Attack
Answer: D
7596
NO.691 You are a Penetration Tester and are assigned to scan a server. You need to use a scanning
technique wherein the TCP Header is split into many packets so that it becomes difficult to detect
what the packets are meant for.
Which of the below scanning techniques will you use?
A. ACK flag scanning
B. TCP Scanning
C. IP Fragment Scanning
D. Inverse TCP flag scanning
Answer: C
7607
NO.692 You've just discovered a server that is currently active within the same network with the
machine you recently compromised. You ping it but it did not respond. What could be the case?
A. TCP/IP doesn't support ICMP
B. ARP is disabled on the target server
C. ICMP could be disabled on the target server
D. You need to run the ping command with root privileges
Answer: C
7616
NO.693 How can a rootkit bypass Windows 7 operating system's kernel-mode code signing policy?
A. Defeating the scanner from detecting any code change at the kernel
B. Replacing patch system calls with its own version that hides the rootkit (attacker's) actions
C. Performing common services for the application process and replacing real applications with fake
ones
D. Attaching itself to the master boot record in a hard drive and changing the machine's boot
sequence/options
Answer: D
7625
NO.694 An incident investigator asks to receive a copy of the event logs from all firewalls, proxy
servers, and Intrusion Detection Systems (IDS) on the network of an organization that has
experienced a possible breach of security. When the investigator attempts to correlate the
information in all of the logs, the sequence of many of the logged events does not match up.
What is the most likely cause?
A. The network devices are not all synchronized.
B. Proper chain of custody was not observed while collecting the logs.
C. The attacker altered or erased events from the logs.
D. The security breach was a false positive.
Answer: A
Explanation
Time synchronization is an important middleware service of distributed systems, amongst which
Distributed Intrusion Detection System (DIDS) makes extensive use of time synchronization in
particular.
References:
http://ieeexplore.ieee.org/xpl/login.jsp?tp&arnumber=5619315&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D561
7648
NO.695 John the Ripper is a technical assessment tool used to test the weakness of which of the
following?
A. Usernames
B. File permissions
C. Firewall rulesets
D. Passwords
Answer: D
7657
NO.696 You are using NMAP to resolve domain names into IP addresses for a ping sweep later.
Which of the following commands looks for IP addresses?
A. >host -t a hackeddomain.com
B. >host -t soa hackeddomain.com
C. >host -t ns hackeddomain.com
D. >host -t AXFR hackeddomain.com
Answer: A
Explanation
The A record is an Address record. It returns a 32-bit IPv4 address, most commonly used to map
hostnames to an IP address of the host.
References: https://en.wikipedia.org/wiki/List_of_DNS_record_types
7669
NO.697 A penetration tester is hired to do a risk assessment of a company's DMZ. The rules of
engagement state that the penetration test be done from an external IP address with no prior
knowledge of the internal IT systems.
What kind of test is being performed?
A. white box
B. grey box
C. red box
D. black box
Answer: D
7681
NO.698 Which of the following is a strong post designed to stop a car?
A. Gate
B. Fence
C. Bollard
D. Reinforced rebar
Answer: C
7688
NO.699 Which of the following describes a component of Public Key Infrastructure (PKI) where a
copy of a private key is stored to provide third-party access and to facilitate recovery operations?
A. Key registry
B. Recovery agent
C. Directory
D. Key escrow
Answer: D
7696
NO.700 A hacker named Jack is trying to compromise a bank's computer system. He needs to know
the operating system of that computer to launch further attacks.
What process would help him?
A. Banner Grabbing
B. IDLE/IPID Scanning
C. SSDP Scanning
D. UDP Scanning
Answer: A
7707
NO.701 Which of the following network attacks takes advantage of weaknesses in the fragment
reassembly functionality of the TCP/IP protocol stack?
A. Teardrop
B. SYN flood
C. Smurf attack
D. Ping of death
Answer: A
7715
NO.702 What are the three types of compliance that the Open Source Security Testing Methodology
Manual (OSSTMM) recognizes?
A. Legal, performance, audit
B. Audit, standards based, regulatory
C. Contractual, regulatory, industry
D. Legislative, contractual, standards based
Answer: D
7723
NO.703 In which of the following cryptography attack methods does the attacker make a series of
interactive queries, choosing subsequent plaintexts based on the information from the previous
encryptions?
A. Chosen-plaintext attack
B. Ciphertext-only attack
C. Adaptive chosen-plaintext attack
D. Known-plaintext attack
Answer: A
7733
NO.704 Which of the following DoS tools is used to attack target web applications by starvation of
available sessions on the web server?
The tool keeps sessions at halt using never-ending POST transmissions and sending an arbitrarily
large content-length header value.
A. My Doom
B. Astacheldraht
C. R-U-Dead-Yet?(RUDY)
D. LOIC
Answer: C
7743
NO.705 You are trying to break into a highly classified top-secret mainframe computer with the highest
security system in place at Merclyn Barley Bank located in Los Angeles.
You know that conventional hacking doesn't work in this case, because organizations such as banks
are generally tight and secure when it comes to protecting their systems.
In other words, you are trying to penetrate an otherwise impenetrable system.
How would you proceed?
A. Look for "zero-day" exploits at various underground hacker websites in Russia and China and buy
the necessary exploits from these hackers and target the bank's network
B. Try to hang around the local pubs or restaurants near the bank, get talking to a poorly-paid or
disgruntled employee, and offer them money if they'll abuse their access privileges by providing you
with sensitive information
C. Launch DDOS attacks against Merclyn Barley Bank's routers and firewall systems using 100,000 or
more "zombies" and "bots"
D. Try to conduct a Man-in-the-Middle (MiTM) attack and divert the network traffic going to the
Merclyn Barley Bank's Webserver to that of your machine using DNS Cache Poisoning techniques
Answer: B
7762
NO.706 What is the algorithm used by LM for the Windows 2000 SAM?
A. MD4
B. DES
C. SHA
D. SSL
Answer: B
7769
NO.707 A Certificate Authority (CA) generates a key pair that will be used for encryption and
decryption of email. The integrity of the encrypted email is dependent on the security of which of the
following?
A. Public key
B. Private key
C. Modulus length
D. Email server certificate
Answer: B
7778
NO.708 Which command lets a tester enumerate alive systems in a class C network via ICMP using
native Windows tools?
A. ping 192.168.2.
B. ping 192.168.2.255
C. for %V in (1 1 255) do PING 192.168.2.%V
D. for /L %V in (1 1 254) do PING -n 1 192.168.2.%V | FIND /I "Reply"
Answer: D
7786
NO.709 How do employers protect assets with security policies pertaining to employee surveillance
activities?
A. Employers promote monitoring activities of employees as long as the employees demonstrate
trustworthiness.
B. Employers use informal verbal communication channels to explain employee monitoring activities
to employees.
C. Employers use network surveillance to monitor employee email traffic, network access, and to
record employee keystrokes.
D. Employers provide employees written statements that clearly discuss the boundaries of
monitoring activities and consequences.
Answer: D
7798Answer: D
7799
NO.710 Which type of Nmap scan is the most reliable, but also the most visible, and likely to be
picked up by an IDS?
A. SYN scan
B. ACK scan
C. RST scan
D. Connect scan
E. FIN scan
Answer: D
7808
NO.711 > NMAP -sn 192.168.11.200-215
The NMAP command above performs which of the following?
A. A ping scan
B. A trace sweep
C. An operating system detect
D. A port scan
Answer: A
Explanation
NMAP -sn (No port scan)
This option tells Nmap not to do a port scan after host discovery, and only print out the available
hosts that responded to the host discovery probes. This is often known as a "ping scan", but you can
also request that traceroute and NSE host scripts be run.
References: https://nmap.org/book/man-host-discovery.html
7825
NO.712 If the final set of security controls does not eliminate all risk in a system, what could be done
next?
A. Continue to apply controls until there is zero risk.
B. Ignore any remaining risk.
C. If the residual risk is low enough, it can be accepted.
D. Remove current controls since they are not completely effective.
Answer: C
7837
NO.713 (Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic
TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.) Snort has
been used to capture packets on the network. On studying the packets, the penetration tester finds it
to be abnormal. If you were the penetration tester, why would you find this abnormal?
What is odd about this attack? Choose the best answer.
A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
B. This is back orifice activity as the scan comes from port 31337.
C. The attacker wants to avoid creating a sub-carries connection that is not normally valid.
D. These packets were crafted by a tool; they were not created by a standard IP stack.
Answer: B
7857
NO.714 DNS cache snooping is a process of determining if the specified resource address is present
in the DNS cache records. It may be useful during the examination of the network to determine what
software update resources are used, thus discovering what software is installed.
What command is used to determine if the entry is present in DNS cache?
A. nslookup -fullrecursive update.antivirus.com
B. dnsnooping -rt update.antivirus.com
C. nslookup -norecursive update.antivirus.com
D. dns --snoop update.antivirus.com
Answer: C
7871
NO.715 It has been reported to you that someone has caused an information spillage on their
computer. You go to the computer, disconnect it from the network, remove the keyboard and
mouse, and power it down. What step in incident handling did you just complete?
A. Containment
B. Eradication
C. Recovery
D. Discovery
Answer: A
7880
NO.716 Which of the following tools is used by pen testers and analysts specifically to analyze links
between data using link analysis and graphs?
A. Metasploit
B. Wireshark
C. Maltego
D. Cain & Abel
Answer: C
7889
NO.717 You have gained physical access to a Windows 2008 R2 server which has an accessible disc
drive. When you attempt to boot the server and log in, you are unable to guess the password.
In your toolkit, you have an Ubuntu 9.10 Linux LiveCD.
Which Linux-based tool can change any user's password or activate disabled Windows accounts?
A. John the Ripper
B. SET
C. CHNTPW
D. Cain & Abel
Answer: C
7899
NO.718 Bob, your senior colleague, has sent you a mail regarding a deal with one of the clients.
You are requested to accept the offer and you oblige.
After 2 days, Bob denies that he had ever sent a mail.
What do you want to "know" to prove to yourself that it was Bob who had sent the mail?
A. Confidentiality
B. Integrity
C. Non-Repudiation
D. Authentication
Answer: C
7911
NO.719 When does the Payment Card Industry Data Security Standard (PCI-DSS) require
organizations to perform external and internal penetration testing?
A. At least twice a year or after any significant upgrade or modification
B. At least once a year and after any significant upgrade or modification
C. At least once every two years and after any significant upgrade or modification
D. At least once every three years or after any significant upgrade or modification
Answer: B
7919
NO.720 You have successfully compromised a server having an IP address of 10.10.0.5. You would like
to enumerate all machines in the same network quickly.
What is the best nmap command you will use?
A. nmap -T4 -q 10.10.0.0/24
B. nmap -T4 -F 10.10.0.0/24
C. nmap -T4 -r 10.10.1.0/24
D. nmap -T4 -O 10.10.0.0/24
Answer: B