· 6 years ago · Jul 23, 2019, 03:53 PM
Exam : 312-50v10
Title : Certified Ethical Hacker Exam
(CEH v10)
Vendor : EC-COUNCIL
Version : V12.95
IT Certification Guaranteed, The Easy Way!
NO.1 Which of the following is a wireless network detector that is commonly found on Linux?
A. Kismet
B. Abel
C. Netstumbler
D. Nessus
Answer: A
NO.2 A security consultant decides to use multiple layers of anti-virus defense, such as end user
desktop anti-virus and E-mail gateway. This approach can be used to mitigate which kind of attack?
A. Forensic attack
B. ARP spoofing attack
C. Social engineering attack
D. Scanning attack
Answer: C
NO.3 Code injection is a form of attack in which a malicious user:
A. Inserts text into a data field that gets interpreted as code
B. Gets the server to execute arbitrary code using a buffer overflow
C. Inserts additional code into the JavaScript running in the browser
D. Gains access to the codebase on the server and inserts new code
Answer: A
NO.4 Sid is a judge for a programming contest. Before the code reaches him it goes through a
restricted OS and is tested there. If it passes, then it moves onto Sid. What is this middle step called?
A. Fuzzy-testing the code
B. Third party running the code
C. Sandboxing the code
D. String validating the code
Answer: C
Explanation
Running untrusted code inside a restricted operating system or otherwise isolated environment before
it reaches the judge is sandboxing. Fuzz testing feeds malformed input to a program to find crashes and
is a different activity.
NO.5 The Payment Card Industry Data Security Standard (PCI DSS) contains six different categories of
control objectives. Each objective contains one or more requirements, which must be followed in
order to achieve compliance. Which of the following requirements would best fit under the objective,
"Implement strong access control measures"?
A. Regularly test security systems and processes.
B. Encrypt transmission of cardholder data across open, public networks.
C. Assign a unique ID to each person with computer access.
D. Use and regularly update anti-virus software on all systems commonly affected by malware.
Answer: C
NO.6 Which of the following acts requires employers to use standard national numbers to identify
themselves on standard transactions?
A. SOX
B. HIPAA
C. DMCA
D. PCI-DSS
Answer: B
NO.7 Which of the following is an NMAP script that could help detect HTTP Methods such as GET,
POST, HEAD, PUT, DELETE, TRACE?
A. http-git
B. http-headers
C. http-enum
D. http-methods
Answer: D
NO.8 Fred is the network administrator for his company. Fred is testing an internal switch.
From an external IP address, Fred wants to try and trick this switch into thinking it already has
established a session with his computer. How can Fred accomplish this?
A. Fred can accomplish this by sending an IP packet with the RST/SIN bit and the source address of
his computer.
B. He can send an IP packet with the SYN bit and the source address of his computer.
C. Fred can send an IP packet with the ACK bit set to zero and the source address of the switch.
D. Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.
Answer: D
NO.9 What is the process of logging, recording, and resolving events that take place in an
organization?
A. Incident Management Process
B. Security Policy
C. Internal Procedure
D. Metrics
Answer: A
Explanation
The activities within the incident management process include:
References:
https://en.wikipedia.org/wiki/Incident_management_(ITSM)#Incident_management_procedure
NO.10 A hacker has managed to gain access to a Linux host and stolen the password file from
/etc/passwd. How can he use it?
A. The password file does not contain the passwords themselves.
B. He can open it and read the user ids and corresponding passwords.
C. The file reveals the passwords to the root user only.
D. He cannot read it because it is encrypted.
Answer: A
Explanation
/etc/passwd is world-readable and, on any modern Linux system, holds only an "x" in the password
field; the password hashes live in /etc/shadow, which is readable by root only.
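As an added illustration (not part of the exam dump), the following Python parses /etc/passwd records and flags what a stolen copy can still reveal: an empty password field, a legacy hash left in the second field instead of the "x" shadow marker, and extra UID 0 accounts. The sample lines are constructed and the hash in them is a placeholder, not a real credential.

```python
"""Parse /etc/passwd records and flag what a stolen copy can still reveal.

On a modern Linux host the second field holds "x", meaning the hash lives in
/etc/shadow (root-readable only), so the file itself contains no passwords.
"""
from dataclasses import dataclass

# Constructed sample in /etc/passwd format; not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:$1$abc$fakelegacyhash:1001:1001::/home/backup:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
"""

# Values in the password field that mean "no hash here": shadowed or locked.
NON_HASH_MARKERS = {"x", "*", "!", "!!"}


@dataclass
class PasswdEntry:
    name: str
    passwd: str  # "x" = shadowed, "" = no password required, else a hash
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Split each non-empty line into the seven colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(text: str) -> dict[str, list[str]]:
    """Return account names grouped by finding type."""
    findings = {"no_password": [], "hash_in_passwd": [], "extra_uid0": []}
    for e in parse_passwd(text):
        if e.passwd == "":
            # Empty field: login with no password at all.
            findings["no_password"].append(e.name)
        elif e.passwd not in NON_HASH_MARKERS and not e.passwd.startswith("!"):
            # A real hash in the world-readable file: an offline cracking target.
            findings["hash_in_passwd"].append(e.name)
        if e.uid == 0 and e.name != "root":
            # Any UID 0 account is root by another name.
            findings["extra_uid0"].append(e.name)
    return findings


def shadowed_accounts(text: str) -> list[str]:
    """Accounts whose hash is held in /etc/shadow rather than here."""
    return [e.name for e in parse_passwd(text) if e.passwd == "x"]


if __name__ == "__main__":
    for kind, names in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{kind}: {names}")
```

On the constructed sample the audit reports guest (no password), backup (hash in the world-readable file) and toor (a second UID 0 account); the four "x" entries tell the attacker nothing beyond user names and shells.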
NO.11 What is the most secure way to mitigate the theft of corporate information from a laptop
that was left in a hotel room?
A. Set a BIOS password.
B. Encrypt the data on the hard drive.
C. Use a strong logon password to the operating system.
D. Back up everything on the laptop and store the backup in a safe place.
Answer: B
NO.12 You are manually conducting Idle Scanning using Hping2. During your scanning you notice
that almost every query increments the IPID regardless of the port being queried. One or two of the
queries cause the IPID to increment by more than one value. Why do you think this occurs?
A. The zombie you are using is not truly idle.
B. A stateful inspection firewall is resetting your queries.
C. Hping2 cannot be used for idle scanning.
D. These ports are actually open on the target system.
Answer: A
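As an added example (not part of the exam dump), the following Python encodes the IPID arithmetic behind an idle scan: +1 for a closed or filtered port, +2 for an open one, and anything else as evidence that the zombie sent traffic of its own. It also includes the baseline check a tester runs before trusting a zombie at all. The IPID readings are constructed, not captured.

```python
"""Interpret IPID deltas from an idle (zombie) scan and detect a zombie that is not idle.

Each probe: read the zombie's IPID, send a SYN to the target with the zombie's
address spoofed as source, read the zombie's IPID again.
  open port   -> target sends SYN/ACK to zombie, zombie answers RST -> IPID +2
  closed      -> target sends RST, zombie stays silent             -> IPID +1
  filtered    -> nothing reaches the zombie                        -> IPID +1
Anything else means the zombie sent packets of its own, so the reading is noise.
"""
from dataclasses import dataclass

IPID_MODULUS = 1 << 16  # the IP identification field is 16 bits and wraps


@dataclass
class ProbeResult:
    port: int
    ipid_before: int
    ipid_after: int


# Constructed readings, not captured from a real scan.
SAMPLE_PROBES = [
    ProbeResult(22, 1000, 1002),     # +2: open
    ProbeResult(25, 1002, 1003),     # +1: closed or filtered
    ProbeResult(80, 1003, 1005),     # +2: open
    ProbeResult(443, 1005, 1006),    # +1: closed or filtered
    ProbeResult(8080, 1006, 1010),   # +4: zombie was talking to someone else
    ProbeResult(3306, 65535, 1),     # wrap-around, still +2: open
]


def ipid_delta(before: int, after: int) -> int:
    """Increment between two IPID readings, allowing for 16-bit wrap-around."""
    return (after - before) % IPID_MODULUS


def classify_port(delta: int) -> str:
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unreliable"  # zombie generated extra traffic during the probe


def check_baseline(ipids: list[int]) -> bool:
    """True if consecutive replies to our own probes each add exactly 1.

    Run this before the scan: a host whose IPID jumps between our probes is
    not idle, and a host that does not increment (random or zero IPIDs)
    cannot be used as a zombie either.
    """
    return len(ipids) >= 2 and all(
        ipid_delta(a, b) == 1 for a, b in zip(ipids, ipids[1:])
    )


def analyse_idle_scan(results: list[ProbeResult]) -> dict:
    """Per-port verdicts plus a flag saying whether the zombie stayed idle."""
    ports = {}
    retry = []
    for r in results:
        verdict = classify_port(ipid_delta(r.ipid_before, r.ipid_after))
        ports[r.port] = verdict
        if verdict == "unreliable":
            retry.append(r.port)
    # One noisy reading is enough to distrust the zombie for this window: once
    # it adds its own packets, a +2 may be a closed port plus one stray packet,
    # so the other verdicts deserve a re-probe as well.
    return {"ports": ports, "zombie_idle": not retry, "retry": retry}


if __name__ == "__main__":
    print(check_baseline([500, 501, 502, 503]))
    print(analyse_idle_scan(SAMPLE_PROBES))
```

The scenario in the question, with one or two probes jumping by more than the expected amount, is exactly the "unreliable" case: the remedy is to re-run those probes or pick a quieter zombie, not to read the larger jumps as open ports.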
NO.13 Darius is analysing IDS logs. During the investigation, he noticed that there was nothing
suspicious found and an alert was triggered on normal web application traffic. He can mark this alert
as:
A. False-Negative
B. False-Positive
C. True-Positive
D. False-Signature
Answer: B
Explanation
An alert raised on benign traffic is a false positive. A false negative is the opposite case: an attack
that produced no alert.
NO.14 What is the proper response for a NULL scan if the port is closed?
A. SYN
B. ACK
C. FIN
D. PSH
E. RST
F. No response
Answer: E
NO.15 The Open Web Application Security Project (OWASP) is the worldwide not-for-profit
charitable organization focused on improving the security of software. What item is the primary
concern on OWASP's Top Ten Project Most Critical Web Application Security Risks?
A. Injection
B. Cross Site Scripting
C. Cross Site Request Forgery
D. Path disclosure
Answer: A
Explanation
The top item of the OWASP 2013 Top Ten Project Most Critical Web Application Security Risks is
injection.
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an
interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into
executing unintended commands or accessing data without proper authorization.
References: https://www.owasp.org/index.php/Top_10_2013-Top_10
NO.16 A recent security audit revealed that there were indeed several occasions that the company's
network was breached. After investigating, you discover that your IDS is not configured properly and
therefore is unable to trigger alarms when needed. What type of alert is the IDS giving?
A. True Positive
B. False Negative
C. False Positive
D. False Positive
Answer: B
NO.17 A Network Administrator was recently promoted to Chief Security Officer at a local university.
One of the employee's new responsibilities is to manage the implementation of an RFID card access
system to a new server room on campus. The server room will house student enrollment information
that is securely backed up to an off-site location.
During a meeting with an outside consultant, the Chief Security Officer explains that he is concerned
that the existing security controls have not been designed properly. Currently, the Network
Administrator is responsible for approving and issuing RFID card access to the server room, as well as
reviewing the electronic access logs on a weekly basis.
Which of the following is an issue with the situation?
A. Segregation of duties
B. Undue influence
C. Lack of experience
D. Inadequate disaster recovery plan
Answer: A
NO.18 Which vital role does the U.S. Computer Security Incident Response Team (CSIRT) provide?
A. Incident response services to any user, company, government agency, or organization in
partnership with the Department of Homeland Security
B. Maintenance of the nation's Internet infrastructure, builds out new Internet infrastructure, and
decommissions old Internet infrastructure
C. Registration of critical penetration testing for the Department of Homeland Security and public
and private sectors
D. Measurement of key vulnerability assessments on behalf of the Department of Defense (DOD) and
State Department, as well as private sectors
Answer: A
NO.19 Which of the following is used to indicate a single-line comment in structured query language
(SQL)?
A. --
B. ||
C. %%
D. ''
Answer: A
NO.20 Suppose you are the Chief Network Engineer of a certain Telco. Your company is planning
for a big business expansion and it requires that your network authenticate users connecting using
analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks
(VPN) over a Frame Relay network. Which AAA protocol would you implement?
A. TACACS+
B. DIAMETER
C. Kerberos
D. RADIUS
Answer: D
NO.21 Which of the following lists are valid data-gathering activities associated with a risk
assessment?
A. Threat identification, vulnerability identification, control analysis
B. Threat identification, response identification, mitigation identification
C. Attack profile, defense profile, loss profile
D. System profile, vulnerability identification, security determination
Answer: A
NO.22 Which of the following command line switches would you use for OS detection in Nmap?
A. -D
B. -O
C. -P
D. -X
Answer: B
NO.23 A security consultant is trying to bid on a large contract that involves penetration testing and
reporting. The company accepting bids wants proof of work so the consultant prints out several
audits that have been performed. Which of the following is likely to occur as a result?
A. The consultant will ask for money on the bid because of great work.
B. The consultant may expose vulnerabilities of other companies.
C. The company accepting bids will want the same type of format of testing.
D. The company accepting bids will hire the consultant because of the great work performed.
Answer: B
NO.24 What type of vulnerability/attack is it when the malicious person forces the user's browser to
send an authenticated request to a server?
A. Cross-site request forgery
B. Cross-site scripting
C. Session hijacking
D. Server side request forgery
Answer: A
NO.25 Which of the following is a hashing algorithm?
A. MD5
B. PGP
C. DES
D. ROT13
Answer: A
NO.26 A security engineer has been asked to deploy a secure remote access solution that will allow
employees to connect to the company's internal network. Which of the following can be
implemented to minimize the opportunity for the man-in-the-middle attack to occur?
A. SSL
B. Mutual authentication
C. IPSec
D. Static IP addresses
Answer: C
NO.27 On a Linux device, which of the following commands will start the Nessus client in the
background so that the Nessus server can be configured?
A. nessus +
B. nessus *s
C. nessus &
D. nessus -d
Answer: C
NO.28 If an attacker uses the command SELECT*FROM user WHERE name = 'x' AND userid IS NULL;
--'; which type of SQL injection attack is the attacker performing?
A. End of Line Comment
B. UNION SQL Injection
C. Illegal/Logically Incorrect Query
D. Tautology
Answer: A
Explanation
The "--" turns the rest of the statement, including the closing quote the application appends, into a
comment, so the attacker's clause ends the line. A tautology would instead make the WHERE clause
always true, for example with ' OR '1'='1.
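As an added example (not part of the exam dump), the following Python uses the standard sqlite3 module to show the injection classes this question distinguishes (end-of-line comment, tautology, UNION, and the question's own probing clause) against a login query built by string concatenation, and the same inputs against a parameterised query. The table, rows and payloads are constructed; the question's payload is used without its trailing semicolon because the sqlite3 driver executes one statement per call.

```python
"""SQL injection classes against a concatenated query, and the parameterised fix."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table; the credentials are placeholders.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE user (userid INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO user (userid, name, password)
        VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2');
        """
    )
    return conn


def login_vulnerable(conn, name: str, password: str) -> list:
    # Attacker-controlled text becomes part of the SQL grammar itself.
    sql = (f"SELECT userid, name FROM user "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, name: str, password: str) -> list:
    # Placeholders keep the input as data: the quote and "--" are just characters.
    sql = "SELECT userid, name FROM user WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo() -> dict:
    """Run each payload through both versions and collect the rows returned."""
    conn = make_db()
    return {
        # End of line comment: "--" discards the password check entirely.
        "eol_comment": login_vulnerable(conn, "admin' --", "wrong"),
        # Tautology: '1'='1' is always true, so every row comes back.
        "tautology": login_vulnerable(conn, "x", "' OR '1'='1"),
        # UNION: append a second SELECT that leaks another column.
        "union": login_vulnerable(
            conn, "x' UNION SELECT userid, password FROM user --", "wrong"),
        # The question's clause: no rows, but no syntax error either, which
        # tells the attacker the comment neutralised the rest of the query.
        "probe": login_vulnerable(conn, "x' AND userid IS NULL --", "wrong"),
        # Same payloads against the parameterised query: nothing matches.
        "safe_eol": login_safe(conn, "admin' --", "wrong"),
        "safe_tautology": login_safe(conn, "x", "' OR '1'='1"),
        # ...while a real credential still works.
        "legit": login_safe(conn, "admin", "s3cret"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15} -> {rows}")
```

The end-of-line comment and UNION payloads are the ones that actually authenticate or leak data here; the tautology returns every user, and the probing clause returns nothing but proves the comment works, which is why it is classed by the comment and not by its (empty) result.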
NO.29 A hacker, who posed as a heating and air conditioning specialist, was able to install a sniffer
program in a switched environment network. Which attack could the hacker use to sniff all of the
packets in the network?
A. Fraggle
B. MAC Flood
C. Smurf
D. Tear Drop
Answer: B
NO.30 Least privilege is a security concept that requires that a user is
A. limited to those functions required to do the job.
B. given root or administrative privileges.
C. trusted to keep all data and access to that data under their sole control.
D. given privileges equal to everyone else in the department.
Answer: A
NO.31 Which DNS resource record can indicate how long any "DNS poisoning" could last?
A. MX
B. SOA
C. NS
D. TIMEOUT
Answer: B
NO.32 During the process of encryption and decryption, what keys are shared?
A. Private keys
B. User passwords
C. Public keys
D. Public and private keys
Answer: C
NO.33 Using Windows CMD, how would an attacker list all the shares to which the current user
context has access?
A. NET USE
B. NET CONFIG
C. NET FILE
D. NET VIEW
Answer: A
Explanation
Connects a computer to or disconnects a computer from a shared resource, or displays information
about computer connections. The command also controls persistent net connections. Used without
parameters, net use retrieves a list of network connections.
References: https://technet.microsoft.com/en-us/library/bb490717.aspx
NO.34 What does the following command in netcat do?
nc -l -u -p55555 < /etc/passwd
A. logs the incoming connections to /etc/passwd file
B. loads the /etc/passwd file to the UDP port 55555
C. grabs the /etc/passwd file when connected to UDP port 55555
D. deletes the /etc/passwd file when connected to the UDP port 55555
Answer: C
Explanation
-l listens, -u selects UDP and -p55555 sets the port; the redirect feeds /etc/passwd to netcat's
standard input, so whoever sends a datagram to UDP 55555 receives the file's contents.
NO.35 Sandra is the security administrator of XYZ.com. One day she notices that the XYZ.com Oracle
database server has been compromised and customer information along with financial data has been
stolen. The financial loss will be estimated in millions of dollars if the database gets into the hands of
competitors. Sandra wants to report this crime to the law enforcement agencies immediately. Which
organization coordinates computer crime investigations throughout the United States?
A. NDCA
B. NICP
C. CIRP
D. NPC
E. CIA
Answer: D
NO.36 Which of the following is a characteristic of Public Key Infrastructure (PKI)?
A. Public-key cryptosystems are faster than symmetric-key cryptosystems.
B. Public-key cryptosystems distribute public-keys within digital signatures.
C. Public-key cryptosystems do not require a secure key distribution channel.
D. Public-key cryptosystems do not provide technical non-repudiation via digital signatures.
Answer: C
Explanation
Public-key cryptography removes the need for a confidential channel to distribute keys: the public key
can travel in the clear and only the private key must be kept secret. The channel still has to be
authentic, which is what certificates in a PKI provide. Asymmetric algorithms are slower than
symmetric ones, and digital signatures are precisely the mechanism that provides non-repudiation, so
A and D are false.
NO.37 A network administrator received an administrative alert at 3:00 a.m. from the intrusion
detection system. The alert was generated because a large number of packets were coming into the
network over ports 20 and 21.
During analysis, there were no signs of attack on the FTP servers. How should the administrator
classify this situation?
A. True negatives
B. False negatives
C. True positives
D. False positives
Answer: D
NO.38 In the OSI model, where does PPTP encryption take place?
A. Transport layer
B. Application layer
C. Data link layer
D. Network layer
Answer: C
NO.39 Websites and web portals that provide web services commonly use the Simple Object Access
Protocol (SOAP).
Which of the following is an incorrect definition or characteristic of the protocol?
A. Based on XML
B. Provides a structured model for messaging
C. Exchanges data between web services
D. Only compatible with the application protocol HTTP
Answer: D
NO.40 A common cryptographical tool is the use of XOR. XOR the following binary values:
10110001
00111010
A. 10001011
B. 11011000
C. 10011101
D. 10111100
Answer: A
Explanation
The XOR gate is a digital logic gate that implements an exclusive or; that is, a true output (1/HIGH)
results if one, and only one, of the inputs to the gate is true. If both inputs are false (0/LOW) or both
are true, a false output results. XOR represents the inequality function, i.e., the output is true if the
inputs are not alike otherwise the output is false. A way to remember XOR is "one or the other but
not both".
References: https://en.wikipedia.org/wiki/XOR_gate
NO.41 Which of the following resources does NMAP need to be used as a basic vulnerability scanner
covering several vectors like SMB, HTTP and FTP?
A. Metasploit scripting engine
B. Nessus scripting engine
C. NMAP scripting engine
D. SAINT scripting engine
Answer: C
NO.42 During a recent security assessment, you discover the organization has one Domain Name
Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network.
What is this type of DNS configuration commonly called?
A. Split DNS
B. DNSSEC
C. DynDNS
D. DNS Scheme
Answer: A
Explanation
In a split DNS infrastructure, you create two zones for the same domain, one to be used by the
internal network, the other used by the external network. Split DNS directs internal hosts to an
internal domain name server for name resolution and external hosts are directed to an external
domain name server for name resolution.
References:
http://www.webopedia.com/TERM/S/split_DNS.html
NO.43 A security administrator notices that the log file of the company's webserver contains
suspicious entries:
Based on source code analysis, the analyst concludes that the login.php script is vulnerable to
A. command injection.
B. SQL injection.
C. directory traversal.
D. LDAP injection.
Answer: B
NO.44 PGP, SSL, and IKE are all examples of which type of cryptography?
A. Public Key
B. Secret Key
C. Hash Algorithm
D. Digest
Answer: A
Explanation
Public-key algorithms are fundamental security ingredients in cryptosystems, applications and
protocols. They underpin various Internet standards, such as Secure Sockets Layer (SSL), Transport
Layer Security (TLS), S/MIME, PGP, Internet Key Exchange (IKE or IKEv2), and GPG.
References: https://en.wikipedia.org/wiki/Public-key_cryptography
NO.45 Which of the following commands runs snort in packet logger mode?
A. ./snort -dev -h ./log
B. ./snort -dev -l ./log
C. ./snort -dev -o ./log
D. ./snort -dev -p ./log
Answer: B
NO.46 An Internet Service Provider (ISP) has a need to authenticate users connecting using analog
modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN)
over a Frame Relay network.
Which AAA protocol is most likely able to handle this requirement?
A. RADIUS
B. DIAMETER
C. Kerberos
D. TACACS+
Answer: A
Explanation
Because of the broad support and the ubiquitous nature of the RADIUS protocol, it is often used by
ISPs and enterprises to manage access to the Internet or internal networks, wireless networks, and
integrated e-mail services. These networks may incorporate modems, DSL, access points, VPNs,
network ports, web servers, etc.
References: https://en.wikipedia.org/wiki/RADIUS
NO.47 Smart cards use which protocol to transfer the certificate in a secure manner?
A. Extensible Authentication Protocol (EAP)
B. Point to Point Protocol (PPP)
C. Point to Point Tunneling Protocol (PPTP)
D. Layer 2 Tunneling Protocol (L2TP)
Answer: A
NO.48 Every company needs a formal written document which spells out to employees precisely
what they are allowed to use the company's systems for, what is prohibited, and what will happen to
them if they break the rules. Two printed copies of the policy should be given to every employee as
soon as possible after they join the organization. The employee should be asked to sign one copy,
which should be safely filed by the company. No one should be allowed to use the company's
computer systems until they have signed the policy in acceptance of its terms.
What is this document called?
A. Information Audit Policy (IAP)
B. Information Security Policy (ISP)
C. Penetration Testing Policy (PTP)
D. Company Compliance Policy (CCP)
Answer: B
NO.49 One way to defeat a multi-level security solution is to leak data via
A. a bypass regulator.
B. steganography.
C. a covert channel.
D. asymmetric routing.
Answer: C
NO.50 Your next door neighbor, that you do not get along with, is having issues with their network,
so he yells to his spouse the network's SSID and password and you hear them both clearly. What do
you do with this information?
A. Nothing, but suggest to him to change the network's SSID and password.
B. Sell his SSID and password to friends that come to your house, so it doesn't slow down your
network.
C. Log onto his network, after all it's his fault that you can get in.
D. Only use his network when you have large downloads so you don't tax your own network.
Answer: A
NO.51 A security analyst is performing an audit on the network to determine if there are any
deviations from the security policies in place. The analyst discovers that a user from the IT
department had a dial-out modem installed. Which security policy must the security analyst check to
see if dial-out modems are allowed?
A. Firewall-management policy
B. Acceptable-use policy
C. Remote-access policy
D. Permissive policy
Answer: C
NO.52 You just set up a security system in your network. In what kind of system would you find the
following string of characters used as a rule within its configuration?
alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";)
A. An Intrusion Detection System
B. A firewall IPTable
C. A Router IPTable
D. FTP Server rule
Answer: A
Explanation
Snort is an open source network intrusion detection system (NIDS) for networks.
Snort rule example, with a generator id of 1000001:
alert tcp any any -> any 80 (content:"BOB"; gid:1000001; sid:1; rev:1;)
References:
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node31.html
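As an added example (not part of the exam dump or of Snort itself), the following Python parses the two rule lines quoted above with a small subset of Snort's header grammar (action, protocol, CIDR or "any" networks, single ports or lo:hi ranges, "->" and "<>" directions, and a plain "content" substring) and runs them over constructed packets to show which one fires. Real Snort supports far more option keywords and content modifiers than this.

```python
"""Parse Snort-style rule headers and match them against packets (subset of Snort)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
Net = Optional[ipaddress.IPv4Network]      # None means "any"
PortRange = Optional[tuple[int, int]]      # None means "any"


@dataclass
class Rule:
    action: str
    proto: str
    src_net: Net
    src_port: PortRange
    direction: str
    dst_net: Net
    dst_port: PortRange
    options: dict = field(default_factory=dict)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def parse_net(tok: str) -> Net:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_port(tok: str) -> PortRange:
    if tok == "any":
        return None
    if ":" in tok:  # "21:23", ":1023" or "1024:"
        lo, hi = tok.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(tok), int(tok))


def parse_options(text: str) -> dict:
    """'msg: "x"; sid:1;' -> {'msg': 'x', 'sid': '1'}"""
    opts = {}
    for part in text.split(";"):
        if part.strip():
            key, _, val = part.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return opts


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    return Rule(m["action"], m["proto"], parse_net(m["src"]), parse_port(m["sport"]),
                m["dir"], parse_net(m["dst"]), parse_port(m["dport"]),
                parse_options(m["opts"]))


def _net_ok(net: Net, ip: str) -> bool:
    return net is None or ipaddress.ip_address(ip) in net


def _port_ok(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    hit = (_net_ok(rule.src_net, pkt.src) and _port_ok(rule.src_port, pkt.sport)
           and _net_ok(rule.dst_net, pkt.dst) and _port_ok(rule.dst_port, pkt.dport))
    if rule.direction == "<>":  # bidirectional: also try the reverse pairing
        hit = hit or (_net_ok(rule.src_net, pkt.dst) and _port_ok(rule.src_port, pkt.dport)
                      and _net_ok(rule.dst_net, pkt.src) and _port_ok(rule.dst_port, pkt.sport))
    if not hit:
        return False
    content = rule.options.get("content")
    return content is None or content.encode() in pkt.payload


def run(rules: list[str], packets: list[Packet]) -> list[tuple[int, str]]:
    """(packet index, message) for every alert rule that fires."""
    parsed = [parse_rule(r) for r in rules]
    hits = []
    for i, pkt in enumerate(packets):
        for rule in parsed:
            if rule.action == "alert" and matches(rule, pkt):
                hits.append((i, rule.options.get("msg", "sid:" + rule.options.get("sid", "?"))))
    return hits


# The two rules quoted on the page, plus constructed packets (not a capture).
RULES = [
    'alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";)',
    'alert tcp any any -> any 80 (content:"BOB"; gid:1000001; sid:1; rev:1;)',
]
PACKETS = [
    Packet("tcp", "10.0.0.5", 40000, "192.168.100.7", 21),   # FTP into the /24: fires
    Packet("tcp", "10.0.0.5", 40001, "192.168.100.7", 22),   # wrong port
    Packet("udp", "10.0.0.5", 40002, "192.168.100.7", 21),   # wrong protocol
    Packet("tcp", "10.0.0.5", 40003, "192.168.200.7", 21),   # outside the /24
    Packet("tcp", "10.0.0.5", 40004, "93.184.216.34", 80, b"GET /BOB HTTP/1.1"),  # content hit
    Packet("tcp", "10.0.0.5", 40005, "93.184.216.34", 80, b"GET / HTTP/1.1"),     # no content
]

if __name__ == "__main__":
    for idx, msg in run(RULES, PACKETS):
        print(f"packet {idx}: {msg}")
```

Only the first packet triggers the FTP rule and only the fifth triggers the content rule; the header alone (protocol, networks, ports, direction) decides whether the options are even evaluated, which is why the rule in the question is an IDS signature and not a firewall or router table entry.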
NO.53 Which of the following open source tools would be the best choice to scan a network for
potential targets?
A. NMAP
B. NIKTO
C. CAIN
D. John the Ripper
Answer: A
NO.54 Which of the following is the successor of SSL?
A. TLS
B. RSA
C. GRE
D. IPSec
Answer: A
Explanation
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are
frequently referred to as 'SSL', are cryptographic protocols that provide communications security
over a computer network.
References: https://en.wikipedia.org/wiki/Transport_Layer_Security
NO.55 Which of the following tools is used to detect wireless LANs using the 802.11a/b/g/n WLAN
standards on a Linux platform?
A. Kismet
B. Nessus
C. Netstumbler
D. Abel
Answer: A
Explanation
Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs.
Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a,
802.11b, 802.11g, and 802.11n traffic. The program runs under Linux, FreeBSD, NetBSD, OpenBSD,
and Mac OS X.
References: https://en.wikipedia.org/wiki/Kismet_(software)
NO.56 Joseph was the Web site administrator for Mason Insurance in New York, whose main
Web site was located at www.masonins.com. Joseph uses his laptop computer regularly to
administer the Web site. One night, Joseph received an urgent phone call from his friend, Smith.
According to Smith, the main Mason Insurance web site had been vandalized! All of its normal
content was removed and replaced with an attacker's message ''Hacker Message: You are dead!
Freaks!" From his office, which was directly connected to Mason Insurance's internal network, Joseph
surfed to the Web site using his laptop. In his browser, the Web site looked completely intact.
No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the
problem. The Web site appeared defaced when his friend visited using his DSL connection. So, while
Smith and his friend could see the defaced page, Joseph saw the intact Mason Insurance web site. To
help make sense of this problem, Joseph decided to access the Web site using his dial-up ISP. He
disconnected his laptop from the corporate internal network and used his modem to dial up the
same ISP used by Smith. After his modem connected, he quickly typed www.masonins.com in his
browser to reveal the following web page:
After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal
network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the
entire Web site, and determined that every system file and all the Web content on the server were
intact. How did the attacker accomplish this hack?
A. ARP spoofing
B. SQL injection
C. DNS poisoning
D. Routing table injection
Answer: C
Explanation
The server's files are intact (Tripwire) and internal clients, which resolve the name through the
internal DNS, reach the real site; only clients resolving through the ISP's resolver are sent elsewhere.
That points at a poisoned cache on the external resolver rather than at the web server.
NO.57 Under what conditions does a secondary name server request a zone transfer from a primary
name server?
A. When a primary SOA is higher than a secondary SOA
B. When a secondary SOA is higher than a primary SOA
C. When a primary name server has had its service restarted
D. When a secondary name server has had its service restarted
E. When the TTL falls to zero
Answer: A
NO.58 Which of the following can take an arbitrary length of input and produce a message digest
output of 160 bits?
A. SHA-1
B. MD5
C. HAVAL
D. MD4
Answer: A
NO.59 You went to great lengths to install all the necessary technologies to prevent hacking attacks,
such as expensive firewalls, antivirus software, anti-spam systems and intrusion detection/prevention
tools in your company's network. You have configured the most secure policies and tightened every
device on your network. You are confident that hackers will never be able to gain access to your
network with the complex security system in place.
Your peer, Peter Smith, who works in the same department, disagrees with you.
He says even the best network security technologies cannot prevent hackers gaining access to the
network because of the presence of the "weakest link" in the security chain.
What is Peter Smith talking about?
A. Untrained staff or ignorant computer users who inadvertently become the weakest link in your
security chain
B. "zero-day" exploits are the weakest link in the security chain since the IDS will not be able to
detect these attacks
C. "Polymorphic viruses" are the weakest link in the security chain since the Anti-Virus scanners will
not be able to detect these attacks
D. Continuous Spam e-mails cannot be blocked by your security system since spammers use different
techniques to bypass the filters in your gateway
Answer: A
NO.60 Which of the following types of firewalls ensures that the packets are part of the established
session?
A. Stateful inspection firewall
B. Circuit-level firewall
C. Application-level firewall
D. Switch-level firewall
Answer: A
Explanation
A stateful firewall is a network firewall that tracks the operating state and characteristics of network
connections traversing it. The firewall is configured to distinguish legitimate packets for different
types of connections. Only packets matching a known active connection (session) are allowed to pass
the firewall.
References: https://en.wikipedia.org/wiki/Stateful_firewall
NO.61 You are a Network Security Officer. You have two machines. The first machine (192.168.0.99)
has snort installed, and the second machine (192.168.0.150) has kiwi syslog installed. You perform a
syn scan in your network, and you notice that kiwi syslog is not receiving the alert message from
snort. You decide to run wireshark in the snort machine to check if the messages are going to the kiwi
syslog machine.
What wireshark filter will show the connections from the snort machine to kiwi syslog machine?
A. tcp.dstport==514 && ip.dst==192.168.0.150
B. tcp.srcport==514 && ip.src==192.168.0.99
C. tcp.dstport==514 && ip.dst==192.168.0.0/16
D. tcp.srcport==514 && ip.src==192.168.150
Answer: A
Explanation
The filter has to match packets whose destination is the Kiwi syslog host, 192.168.0.150, on the
syslog port 514; B and D look at the source port instead, C matches the whole /16, and the address in
D is not even complete. Syslog is normally carried over UDP 514, so in practice also check
udp.port==514 unless the Snort output plugin has been configured to send over TCP.
References: https://wiki.wireshark.org/DisplayFilters
NO.62 Which of the following can the administrator do to verify that a tape backup can be
recovered in its entirety?
A. Restore a random file.
B. Perform a full restore.
C. Read the first 512 bytes of the tape.
D. Read the last 512 bytes of the tape.
Answer: B
Explanation
A full restore is required.
NO.63 What would you type on the Windows command line in order to launch the Computer
Management Console provided that you are logged in as an admin?
A. c:\compmgmt.msc
B. c:\gpedit
C. c:\ncpa.cpl
D. c:\services.msc
Answer: A
NO.64 What is the role of test automation in security testing?
A. It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot
replace manual testing completely.
B. It is an option but it tends to be very expensive.
C. It should be used exclusively. Manual testing is outdated because of low speed and possible test
setup inconsistencies.
D. Test automation is not usable in security due to the complexity of the tests.
Answer: A
NO.65 Which of the following programming languages is most vulnerable to buffer overflow
attacks?
A. Perl
B. C++
C. Python
D. Java
Answer: B
NO.66 You want to do an ICMP scan on a remote computer using hping2. What is the proper syntax?
A. hping2 host.domain.com
B. hping2 --set-ICMP host.domain.com
C. hping2 -i host.domain.com
D. hping2 -1 host.domain.com
Answer: D
NO.67 Which of the following tools is used to analyze the files produced by several packet-capture
programs such as tcpdump, WinDump, Wireshark, and EtherPeek?
A. tcptrace
B. tcptraceroute
C. Nessus
D. OpenVAS
Answer: A
Explanation
tcptrace is a tool for analysis of TCP dump files. It can take as input the files produced by several
popular packet-capture programs, including tcpdump/WinDump/Wireshark, snoop, EtherPeek, and
Agilent NetMetrix.
References: https://en.wikipedia.org/wiki/Tcptrace
NO.68 Which protocol is used for setting up secured channels between two devices, typically in
VPNs?
A. IPSEC
B. PEM
C. SET
D. PPP
Answer: A
NO.69 What is the approximate cost of replacement and recovery operation per year of a hard drive
that has a value of $300 given that the technician who charges $10/hr would need 10 hours to
restore OS and Software and needs a further 4 hours to restore the database from the last backup to
the new hard disk? Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%).
A. $440
B. $100
C. $1320
D. $146
Answer: D
Explanation
SLE = asset value x EF + recovery labour = $300 x 1 + (10 + 4) hours x $10/hr = $440. The question
does not state an ARO; the $146 answer assumes the drive is replaced about once every three years
(ARO = 1/3), giving ALE = SLE x ARO = $440 / 3 = $146.67, i.e. roughly $146 per year. With ARO = 1
the answer would be $440 (option A), so the ARO assumption is what separates the two.
NO.70 A recently hired network security associate at a local bank was given the responsibility to
perform daily scans of the internal network to look for unauthorized devices. The employee decides
to write a script that will scan the network for unauthorized devices every morning at 5:00 am.
Which of the following programming languages would most likely be used?
A. PHP
B. C#
C. Python
D. ASP.NET
Answer: C
NO.71 As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external
security assessment through penetration testing.
What document describes the specifics of the testing, the associated violations, and essentially
protects both the organization's interest and your liabilities as a tester?
A. Terms of Engagement
B. Project Scope
C. Non-Disclosure Agreement
D. Service Level Agreement
Answer: A
NO.72 When comparing the testing methodologies of Open Web Application Security Project
(OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is
A. OWASP is for web applications and OSSTMM does not include web applications.
B. OSSTMM is gray box testing and OWASP is black box testing.
C. OWASP addresses controls and OSSTMM does not.
D. OSSTMM addresses controls and OWASP does not.
Answer: D
NO.73 Sophia travels a lot and worries that her laptop containing confidential documents might be
stolen. What is the best protection that will work for her?
A. Password protected files
B. Hidden folders
C. BIOS password
D. Full disk encryption.
Answer: D
NO.74 The establishment of a TCP connection involves a negotiation called the 3-way handshake. What
type of message does the client send to the server in order to begin this negotiation?
A. RST
B. ACK
C. SYN-ACK
D. SYN
Answer: D
NO.75 Which protocol is used for setting up secure channels between two devices, typically in
VPNs?
A. PPP
B. IPSEC
C. PEM
D. SET
Answer: B
NO.76 What term describes the amount of risk that remains after the vulnerabilities are classified
and the countermeasures have been deployed?
A. Residual risk
B. Inherent risk
C. Deferred risk
D. Impact risk
Answer: A
Explanation
The residual risk is the risk or danger of an action or an event, a method or a (technical) process that,
although being abreast with science, still conceives these dangers, even if all theoretically possible
safety measures would be applied (scientifically conceivable measures); in other words, the amount
of risk left over after natural or inherent risks have been reduced by risk controls.
References: https://en.wikipedia.org/wiki/Residual_risk
NO.77 Peter, a Network Administrator, has come to you looking for advice on a tool that would help
him perform SNMP enquiries over the network.
Which of these tools would do the SNMP enumeration he is looking for? Select the best answers.
A. SNMPUtil
B. SNScan
C. SNMPScan
D. Solarwinds IP Network Browser
E. NMap
Answer: A B D
NO.78 Which of the following represents the initial two commands that an IRC client sends to join an
IRC network?
A. USER, NICK
B. LOGIN, NICK
C. USER, PASS
D. LOGIN, USER
Answer: A
NO.79 An attacker, using a rogue wireless AP, performed an MITM attack and injected HTML
code to embed a malicious applet in all HTTP connections.
When users accessed any page, the applet ran and exploited many machines.
Which one of the following tools did the hacker probably use to inject the HTML code?
A. Wireshark
B. Ettercap
C. Aircrack-ng
D. Tcpdump
Answer: B
NO.80 Craig received a report of all the computers on the network that showed all the missing
patches and weak passwords. What type of software generated this report?
A. a port scanner
B. a vulnerability scanner
C. a virus scanner
D. a malware scanner
Answer: B
NO.81 Which of the following antennas is commonly used in communications for a frequency band
of 10 MHz to VHF and UHF?
A. Omnidirectional antenna
B. Dipole antenna
C. Yagi antenna
D. Parabolic grid antenna
Answer: C
NO.82 What is the name of the international standard that establishes a baseline level of confidence
in the security functionality of IT products by providing a set of requirements for evaluation?
A. Blue Book
B. ISO 26029
C. Common Criteria
D. The Wassenaar Agreement
Answer: C
NO.83 Switches maintain a CAM Table that maps individual MAC addresses on the network to
physical ports on the switch.
In a MAC flooding attack, the attacker feeds the switch many Ethernet frames, each containing a different source
MAC address. Switches have a limited memory for mapping various MAC
addresses to physical ports. What happens when the CAM table becomes full?
A. The switch then acts as a hub by broadcasting packets to all machines on the network
B. The CAM overflow table will cause the switch to crash, causing Denial of Service
C. The switch replaces the outgoing frame's source with the switch factory default MAC address of FF:FF:FF:FF:FF:FF
D. Every packet is dropped and the switch sends out SNMP alerts to the IDS port
Answer: A
NO.84 A company recently hired your team of Ethical Hackers to test the security of their network
systems. The company wants to have the attack be as realistic as possible. They did not provide any
information besides the name of their company. What phase of security testing would your team
jump in right away?
A. Scanning
B. Reconnaissance
C. Escalation
D. Enumeration
Answer: B
NO.85 Study the snort rule given below:
From the options below, choose the exploit against which this rule applies.
A. WebDav
B. SQL Slammer
C. MS Blaster
D. MyDoom
Answer: C
NO.86 Which of the following programming languages is most susceptible to buffer overflow
attacks, due to its lack of a built-in bounds checking mechanism?
Output:
Segmentation fault
A. C#
B. Python
C. Java
D. C++
Answer: D
NO.87 You have compromised a server and successfully gained root access. You want to pivot and
pass traffic undetected over the network and evade any possible Intrusion Detection System.
What is the best approach?
A. Install Cryptcat and encrypt outgoing packets from this server.
B. Install and use Telnet to encrypt all outgoing traffic from this server.
C. Use Alternate Data Streams to hide the outgoing packets from this server.
D. Use HTTP so that all traffic can be routed via a browser, thus evading the internal Intrusion
Detection Systems.
Answer: A
Explanation
Cryptcat enables us to communicate between two systems and encrypts the communication
between them with Twofish.
References:
http://null-byte.wonderhowto.com/how-to/hack-like-pro-create-nearly-undetectable-backdoor-with-cryptcat-0149
NO.88 If you want to scan only fewer ports than the default scan using the Nmap tool, which option
would you use?
A. -sP
B. -P
C. -r
D. -F
Answer: B
NO.89 The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE's Common
Vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the OpenSSL implementation
of the transport layer security (TLS) protocols defined in RFC6520.
What type of key does this bug leave exposed to the Internet, making exploitation of any
compromised system very easy?
A. Private
B. Public
C. Shared
D. Root
Answer: A
Explanation
The data obtained by a Heartbleed attack may include unencrypted exchanges between TLS parties
likely to be confidential, including any form post data in users' requests. Moreover, the confidential
data exposed could include authentication secrets such as session cookies and passwords, which
might allow attackers to impersonate a user of the service.
An attack may also reveal private keys of compromised parties.
References: https://en.wikipedia.org/wiki/Heartbleed
NO.90 Which of the following network attacks relies on sending an abnormally large packet size that
exceeds TCP/IP specifications?
A. Ping of death
B. SYN flooding
C. TCP hijacking
D. Smurf attack
Answer: A
NO.91 Which of the following tools can be used for passive OS fingerprinting?
A. tcpdump
B. nmap
C. ping
D. tracert
Answer: A
Explanation
Passive operating system fingerprinting is a feature built into both the pf and tcpdump tools.
References:
http://geek00l.blogspot.se/2007/04/tcpdump-privilege-dropping-passive-os.html
NO.92 Which method can provide a better return on IT security investment and provide a thorough
and comprehensive assessment of organizational security covering policy, procedure design, and
implementation?
A. Penetration testing
B. Social engineering
C. Vulnerability scanning
D. Access control list reviews
Answer: A
NO.93 You receive an e-mail like the one shown below. When you click on the link contained in the
mail, you are redirected to a website asking you to download free Anti-Virus software.
Dear valued customers,
We are pleased to announce the newest version of Antivirus 2010 for Windows which will probe you
with total security against the latest spyware, malware, viruses, Trojans and other online threats.
Simply visit the link below and enter your antivirus code:
or you may contact us at the following address:
Media Internet Consultants, Edif. Neptuno, Planta
Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a Panama
How will you determine if this is a Real Anti-Virus or a Fake Anti-Virus website?
A. Look at the website design; if it looks professional then it is a Real Anti-Virus website
B. Connect to the site using SSL; if you are successful then the website is genuine
C. Search using the URL and Anti-Virus product name in Google and look out for suspicious
warnings against this site
D. Download and install Anti-Virus software from this suspicious looking site; your Windows 7 will
prompt you and stop the installation if the downloaded file is malware
E. Download and install Anti-Virus software from this suspicious looking site; your Windows 7 will
prompt you and stop the installation if the downloaded file is malware
Answer: C
NO.94 You've gained physical access to a Windows 2008 R2 server which has an accessible disc
drive. When you attempt to boot the server and log in, you are unable to guess the password. In your
tool kit you have an Ubuntu 9.10 Linux LiveCD. Which Linux based tool has the ability to change any
user's password or to activate disabled Windows accounts?
A. CHNTPW
B. Cain & Abel
C. SET
D. John the Ripper
Answer: A
Explanation
chntpw is a software utility for resetting or blanking local passwords used by Windows NT, 2000, XP,
Vista, 7, 8 and 8.1. It does this by editing the SAM database where Windows stores password hashes.
References: https://en.wikipedia.org/wiki/Chntpw
NO.95 Which protocol and port number might be needed in order to send log messages to a log
analysis tool that resides behind a firewall?
A. UDP 123
B. UDP 541
C. UDP 514
D. UDP 415
Answer: C
NO.96 Which of the following tools will scan a network to perform vulnerability checks and
compliance auditing?
A. NMAP
B. Metasploit
C. Nessus
D. BeEF
Answer: C
NO.97 Which of the following processes of PKI (Public Key Infrastructure) ensures that a trust
relationship exists and that a certificate is still valid for specific operations?
A. Certificate issuance
B. Certificate validation
C. Certificate cryptography
D. Certificate revocation
Answer: B
NO.98 Which of the following describes the characteristics of a Boot Sector Virus?
A. Moves the MBR to another location on the hard disk and copies itself to the original location of
the MBR
B. Moves the MBR to another location in RAM and copies itself to the original location of the
MBR
C. Modifies directory table entries so that directory entries point to the virus code instead of the
actual program
D. Overwrites the original MBR and only executes the new virus code
Answer: A
Explanation
A boot sector virus is a computer virus that infects a storage device's master boot record (MBR). The
virus moves the boot sector to another location on the hard drive.
References: https://www.techopedia.com/definition/26655/boot-sector-virus
NO.99 Bob is doing a password assessment for one of his clients. Bob suspects that security policies
are not in place.
He also suspects that weak passwords are probably the norm throughout the company he is
evaluating. Bob is familiar with password weaknesses and key loggers.
Which of the following options best represents the means that Bob can adopt to retrieve passwords
from his client's hosts and servers?
A. Hardware, Software, and Sniffing.
B. Hardware and Software Keyloggers.
C. Passwords are always best obtained using Hardware key loggers.
D. Software only, they are the most effective.
Answer: A
NO.100 The chance of a hard drive failure is once every three years. The cost to buy a new hard
drive is $300. It will require 10 hours to restore the OS and software to the new hard disk. It will
require a further 4 hours to restore the database from the last backup to the new hard disk. The
recovery person earns $10/hour. Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%).
What is the closest approximate cost of this replacement and recovery operation per year?
A. $146
B. $1320
C. $440
D. $100
Answer: A
Explanation
The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the
single loss expectancy (SLE).
Suppose that an asset is valued at $100,000, and the Exposure Factor (EF) for this asset is 25%. The
single loss expectancy (SLE) then is 25% * $100,000, or $25,000.
In our example the ARO is 33%, and the SLE is 300 + 14*10 (as EF = 1). The ALE is thus:
33% * (300 + 14*10), which equals 146.
References: https://en.wikipedia.org/wiki/Annualized_loss_expectancy
NO.101 You are logged in as a local admin on a Windows 7 system and you need to launch the
Computer Management Console from the command line.
Which command would you use?
A. c:\compmgmt.msc
B. c:\services.msc
C. c:\ncpa.cp
D. c:\gpedit
Answer: A
Explanation
To start the Computer Management Console from the command line, just type compmgmt.msc
/computer:computername in your Run box or at the command line and it should automatically open
the Computer Management console.
References:
http://www.waynezim.com/tag/compmgmtmsc/
NO.102 Which Open Web Application Security Project (OWASP) project implements a web application full of
known vulnerabilities?
A. WebBugs
B. WebGoat
C. VULN_HTML
D. WebScarab
Answer: B
NO.103 Identify the web application attack where the attackers exploit vulnerabilities in dynamically
generated web pages to inject client-side script into web pages viewed by other users.
A. SQL injection attack
B. Cross-Site Scripting (XSS)
C. LDAP Injection attack
D. Cross-Site Request Forgery (CSRF)
Answer: B
NO.104 You have successfully gained access to a Linux server and would like to ensure that the
subsequent outgoing traffic from this server will not be caught by a Network Based Intrusion
Detection System (NIDS).
What is the best way to evade the NIDS?
A. Encryption
B. Protocol Isolation
C. Alternate Data Streams
D. Out of band signalling
Answer: A
Explanation
When the NIDS encounters encrypted traffic, the only analysis it can perform is packet level analysis,
since the application layer contents are inaccessible. Given that exploits against today's networks are
primarily targeted against network services (application layer entities), packet level analysis ends up
doing very little to protect our core business assets.
References:
http://www.techrepublic.com/article/avoid-these-five-common-ids-implementation-errors/
NO.105 What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stacheldraht have in common?
A. All are hacking tools developed by the Legion of Doom
B. All are tools that can be used not only by hackers, but also security personnel
C. All are DDOS tools
D. All are tools that are only effective against Windows
E. All are tools that are only effective against Linux
Answer: C
NO.106 The purpose of a __________ is to deny network access to local area networks and other
information assets by unauthorized wireless devices.
A. Wireless Intrusion Prevention System
B. Wireless Access Point
C. Wireless Access Control List
D. Wireless Analyzer
Answer: A
Explanation
A wireless intrusion prevention system (WIPS) is a network device that monitors the radio spectrum
for the presence of unauthorized access points (intrusion detection), and can automatically take
countermeasures (intrusion prevention).
References: https://en.wikipedia.org/wiki/Wireless_intrusion_prevention_system
NO.107 An attacker with access to the inside network of a small company launches a successful STP
manipulation attack. What will he do next?
A. He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer.
B. He will activate OSPF on the spoofed root bridge.
C. He will repeat the same attack against all L2 switches of the network.
D. He will repeat this action so that it escalates to a DoS attack.
Answer: A
NO.108 Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange
process. Which of the following is the correct bit size of the Diffie-Hellman (DH) group 5?
A. 768 bit key
B. 1025 bit key
C. 1536 bit key
D. 2048 bit key
Answer: C
NO.109 Which among the following is a Windows command that a hacker can use to list all the
shares to which the current user context has access?
A. NET FILE
B. NET USE
C. NET CONFIG
D. NET VIEW
Answer: B
NO.110 If executives are found liable for not properly protecting their company's assets and
information systems, what type of law would apply in this situation?
A. Civil
B. International
C. Criminal
D. Common
Answer: A
NO.111 What is the following command used for?
net use \\target\ipc$ "" /u:""
A. Grabbing the etc/passwd file
B. Grabbing the SAM
C. Connecting to a Linux computer through Samba.
D. This command is used to connect as a null session
E. Enumeration of Cisco routers
Answer: D
NO.112 What hacking attack is challenge/response authentication used to prevent?
A. Replay attacks
B. Scanning attacks
C. Session hijacking attacks
D. Password cracking attacks
Answer: A
NO.113 Which of the following Secure Hash Algorithm (SHA) variants produces a 160-bit digest from a
message with a maximum length of (2^64 - 1) bits and resembles the MD5 algorithm?
A. SHA-2
B. SHA-3
C. SHA-1
D. SHA-0
Answer: C
NO.114 In order to show improvement of security over time, what must be developed?
A. Reports
B. Testing tools
C. Metrics
D. Taxonomy of vulnerabilities
Answer: C
Explanation
Today, management demands metrics to get a clearer view of security.
Metrics that measure participation, effectiveness, and window of exposure, however, offer
information the organization can use to make plans and improve programs.
References:
http://www.infoworld.com/article/2974642/security/4-security-metrics-that-matter.html
NO.115 Due to a slowdown of normal network operations, the IT department decided to monitor
internet traffic for all of the employees. From a legal standpoint, what would be troublesome about taking
this kind of measure?
A. All of the employees would stop normal work activities
B. The IT department would be telling employees who the boss is
C. Not informing the employees that they are going to be monitored could be an invasion of privacy.
D. The network could still experience traffic slow down.
Answer: C
NO.116 These hackers have limited or no training and know how to use only basic techniques or
tools.
What kind of hackers are we talking about?
A. Black-Hat Hackers
B. Script Kiddies
C. White-Hat Hackers
D. Gray-Hat Hacker
Answer: C
NO.117 You are monitoring the network of your organization. You notice that:
Which of the following solutions will you suggest?
A. Block the Blacklist IP's @ Firewall
B. Update the Latest Signatures on your IDS/IPS
C. Clean the Malware which is trying to Communicate with the External Blacklist IP's
D. Both B and C
Answer: D
NO.118 What tool and process are you going to use in order to remain undetected by an IDS while
pivoting and passing traffic over a server you've compromised and gained root access to?
A. Install Cryptcat and encrypt outgoing packets from this server.
B. Use HTTP so that all traffic can be routed via a browser, thus evading the internal Intrusion
Detection Systems.
C. Use Alternate Data Streams to hide the outgoing packets from this server.
Answer: B
NO.119 When discussing passwords, what is considered a brute force attack?
A. You attempt every single possibility until you exhaust all possible combinations or discover the
password
B. You threaten to use the rubber hose on someone unless they reveal their password
C. You load a dictionary of words into your cracking program
D. You create hashes of a large number of words and compare them with the encrypted passwords
E. You wait until the password expires
Answer: A
NO.120 Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS)
flaws in software applications?
A. Validate and escape all information sent to a server
B. Use security policies and procedures to define and implement proper security settings
C. Verify access rights before allowing access to protected information and UI controls
D. Use digital certificates to authenticate a server prior to sending data
Answer: A
Explanation
Contextual output encoding/escaping could be used as the primary defense mechanism to stop
Cross-site Scripting (XSS) attacks.
References:
https://en.wikipedia.org/wiki/Cross-site_scripting#Contextual_output_encoding.2Fescaping_of_string_input
NO.121 Emil uses nmap to scan two hosts using this command.
nmap -sS -T4 -O 192.168.99.1 192.168.99.7
He receives this output:
What is his conclusion?
A. Host 192.168.99.7 is an iPad.
B. He performed a SYN scan and OS scan on hosts 192.168.99.1 and 192.168.99.7.
C. Host 192.168.99.1 is the host that he launched the scan from.
D. Host 192.168.99.7 is down.
Answer: B
NO.122 What is GINA?
A. Gateway Interface Network Application
B. GUI Installed Network Application CLASS
C. Global Internet National Authority (G-USA)
D. Graphical Identification and Authentication DLL
Answer: D
NO.123 After gaining access to the password hashes used to protect access to a web based
application, knowledge of which cryptographic algorithm would be useful to gain access to the
application?
A. SHA1
B. Diffie-Hellman
C. RSA
D. AES
Answer: A
NO.124 A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur
on his network.
What are some things he can do to prevent it? Select the best answers.
A. Use port security on his switches.
B. Use a tool like ARPwatch to monitor for strange ARP activity.
C. Use a firewall between all LAN segments.
D. If you have a small network, use static ARP entries.
E. Use only static IP addresses on all PCs.
Answer: A B D
NO.125 A hacker has successfully infected an internet-facing server which he will then use to send
junk mail, take part in coordinated attacks, or host junk email content.
Which sort of trojan infects this server?
A. Botnet Trojan
B. Turtle Trojans
C. Banking Trojans
D. Ransomware Trojans
Answer: A
Explanation
In computer science, a zombie is a computer connected to the Internet that has been compromised
by a hacker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or
another under remote direction. Botnets of zombie computers are often used to spread e-mail spam
and launch denial-of-service attacks. Most owners of zombie computers are unaware that their
system is being used in this way. Because the owner tends to be unaware, these computers are
metaphorically compared to zombies. A coordinated DDoS attack by multiple botnet machines also
resembles a zombie horde attack.
NO.126 You have initiated an active operating system fingerprinting attempt with nmap against a
target system:
What operating system is the target host running based on the open ports shown above?
A. Windows XP
B. Windows 98 SE
C. Windows NT4 Server
D. Windows 2000 Server
Answer: D
NO.127 In which phase of the ethical hacking process can Google hacking be employed? This is a
technique that involves manipulating a search string with specific operators to search for
vulnerabilities.
Example:
allintitle: root passwd
A. Maintaining Access
B. Gaining Access
C. Reconnaissance
D. Scanning and Enumeration
Answer: C
NO.128 A company's security policy states that all Web browsers must automatically delete their
HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to
mitigate?
A. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user's
authentication credentials.
B. Attempts by attackers to access the user and password information stored in the company's SQL
database.
C. Attempts by attackers to access passwords stored on the user's computer without the user's
knowledge.
D. Attempts by attackers to determine the user's Web browser usage patterns, including when sites
were visited and for how long.
Answer: A
Explanation
Cookies can store passwords and form content a user has previously entered, such as a credit card
number or an address.
Cookies can be stolen using a technique called cross-site scripting. This occurs when an attacker takes
advantage of a website that allows its users to post unfiltered HTML and JavaScript content.
References: https://en.wikipedia.org/wiki/HTTP_cookie#Cross-site_scripting_.E2.80.93_cookie_theft
NO.129 Which of the following are well known password-cracking programs?
A. L0phtcrack
B. NetCat
C. Jack the Ripper
D. Netbus
E. John the Ripper
Answer: A E
NO.130 One of your team members has asked you to analyze the following SOA record. What is the
version?
Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.) (Choose
four.)
A. 200303028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800
Answer: A
NO.131 LM hash is a compromised password hashing function. Which of the following parameters
describe the LM hash?
I - The maximum password length is 14 characters.
II - There are no distinctions between uppercase and lowercase.
III - It's a simple algorithm, so 10,000,000 hashes can be generated per second.
A. I
B. I, II, and III
C. II
D. I and II
Answer: B
NO.132 Which Nmap option would you use if you were not concerned about being detected and
wanted to perform a very fast scan?
A. -T0
B. -T5
C. -O
D. -A
Answer: B
NO.133 Which of the following programs infects the system boot sector and the executable files at
the same time?
A. Stealth virus
B. Polymorphic virus
C. Macro virus
D. Multipartite Virus
Answer: D
NO.134 If you are to determine the attack surface of an organization, which of the following is the
BEST thing to do?
A. Running a network scan to detect network services in the corporate DMZ
B. Reviewing the need for a security clearance for each employee
C. Using configuration management to determine when and where to apply security patches
D. Training employees on the security policy regarding social engineering
Answer: A
NO.135 Which is the first step followed by Vulnerability Scanners for scanning a network?
A. TCP/UDP Port scanning
B. Firewall detection
C. OS Detection
D. Checking if the remote host is alive
Answer: D
NO.136 While testing the company's web applications, a tester attempts to insert the following test
script into the search area on the company's web site:
<script>alert("Testing Testing Testing")</script>
Afterwards, when the tester presses the search button, a pop-up box appears on the screen with the
text:
"Testing Testing Testing". Which vulnerability has been detected in the web application?
A. Buffer overflow
B. Cross-site request forgery
C. Distributed denial of service
D. Cross-site scripting
Answer: D
NO.137 Which system consists of a publicly available set of databases that contain domain name
registration contact information?
A. WHOIS
B. IANA
C. CAPTCHA
D. IETF
Answer: A
NO.138 A pen tester is configuring a Windows laptop for a test. In setting up Wireshark, what driver
and library are required to allow the NIC to work in promiscuous mode?
A. Libpcap
B. Awinpcap
C. Winprom
D. Winpcap
Answer: D
NO.139 You perform a scan of your company's network and discover that TCP port 123 is open.
What service by default runs on TCP port 123?
A. Telnet
B. POP3
C. Network Time Protocol
D. DNS
Answer: C
NO.140
What does the option * indicate?
A. s
B. t
C. n
D. a
Answer: C
1360NO.141 Which of the following is a command line packet analyzer similar to GUI-based Wireshark?
1361A. tcpdump
1362B. nessus
1363C. etherea
1364D. Jack the ripper
1365Answer: A
1366Explanation
1367tcpdump is a common packet analyzer that runs under the command line. It allows the user to
1368display TCP/IP and other packets being transmitted or received over a network to which the
1369computer is attached.
1370References: https://en.wikipedia.org/wiki/Tcpdump
1371NO.142 Bob, a network administrator at BigUniversity, realized that some students are connecting
1372their notebooks in the wired network to have Internet access. In the university campus, there are
1373many Ethernet ports available for professors and authorized visitors but not for students.
1374He identified this when the IDS alerted for malware activities in the network.
1375What should Bob do to avoid this problem?
1376A. Disable unused ports in the switches
1377B. Separate students in a different VLAN
1378C. Use the 802.1x protocol
1379D. Ask students to use the wireless network
1380Answer: C
1381NO.143 While performing ping scans into a target network you get a frantic call from the
1382organization's security team.
1383They report that they are under a denial of service attack. When you stop your scan, the smurf attack
1384event stops showing up on the organization's IDS monitor.
1385How can you modify your scan to prevent triggering this event in the IDS?
1386A. Scan more slowly.
1387B. Do not scan the broadcast IP.
1388C. Spoof the source IP address.
1389D. Only scan the Windows systems.
1390Answer: B
1391NO.144 While doing a technical assessment to determine network vulnerabilities, you used the TCP
1392XMAS scan. What would be the response of all open ports?
1393A. The port will send an ACK
1394B. The port will send a SYN
C. The port will ignore the packets
D. The port will send an RST
Answer: C
NO.145 Which of the following techniques will identify if computer files have been changed?
A. Network sniffing
B. Permission sets
C. Integrity checking hashes
D. Firewall alerts
Answer: C
NO.146 Which tool would be used to collect wireless packet data?
A. NetStumbler
B. John the Ripper
C. Nessus
D. Netcat
Answer: A
NO.147 You are a security officer of a company. You received an alert from the IDS indicating that one PC
on your intranet is connected to a blacklisted IP address (C2 server) on the Internet. The IP address
was blacklisted just before the alert. You are starting an investigation to roughly analyze the severity
of the situation. Which of the following is appropriate to analyze?
A. Event logs on the PC
B. Internet Firewall/Proxy log
C. IDS log
D. Event logs on domain controller
Answer: B
NO.148 The network administrator for a company is setting up a website with e-commerce
capabilities. Packet sniffing is a concern because credit card information will be sent electronically
over the Internet. Customers visiting the site will need to encrypt the data with HTTPS. Which type of
certificate is used to encrypt and decrypt the data?
A. Asymmetric
B. Confidential
C. Symmetric
D. Non-confidential
Answer: A
NO.149 Log monitoring tools performing behavioral analysis have alerted on several suspicious logins
on a Linux server occurring during non-business hours. After further examination of all login
activities, it is noticed that none of the logins have occurred during typical work hours. A Linux
administrator who is investigating this problem realizes the system time on the Linux server is wrong
by more than twelve hours. What protocol used on Linux servers to synchronize the time has stopped
working?
A. Time Keeper
B. NTP
C. PPP
D. OSPP
Answer: B
NO.150 Which command line switch would be used in NMAP to perform operating system
detection?
A. -OS
B. -sO
C. -sP
D. -O
Answer: D
NO.151 Which Intrusion Detection System is best applicable for large environments where critical
assets on the network need extra security and is ideal for observing sensitive network segments?
A. Network-based intrusion detection system (NIDS)
B. Host-based intrusion detection system (HIDS)
C. Firewalls
D. Honeypots
Answer: A
NO.152 Which tool can be used to silently copy files from USB devices?
A. USB Grabber
B. USB Dumper
C. USB Sniffer
D. USB Snoopy
Answer: B
NO.153 The following is part of a log file taken from the machine on the network with the IP address
of 192.168.1.106:
What type of activity has been logged?
A. Port scan targeting 192.168.1.103
B. Teardrop attack targeting 192.168.1.106
C. Denial of service attack targeting 192.168.1.103
D. Port scan targeting 192.168.1.106
Answer: D
NO.154 How does a denial-of-service attack work?
A. A hacker prevents a legitimate user (or group of users) from accessing a service
B. A hacker uses every character, word, or letter he or she can think of to defeat authentication
C. A hacker tries to decipher a password by using a system, which subsequently crashes the network
D. A hacker attempts to imitate a legitimate user by confusing a computer or even another person
Answer: A
NO.155 Which type of security document is written with specific step-by-step details?
A. Process
B. Procedure
C. Policy
D. Paradigm
Answer: B
NO.156 When performing a risk assessment, you need to determine the potential impact when some
of the company's critical business processes have their service interrupted. What is the name of the process
by which you can determine those critical business processes?
A. Risk Mitigation
B. Emergency Plan Response (EPR)
C. Disaster Recovery Planning (DRP)
D. Business Impact Analysis (BIA)
Answer: D
NO.157 Why would an attacker want to perform a scan on port 137?
A. To discover proxy servers on a network
B. To disrupt the NetBIOS SMB service on the target host
C. To check for file and print sharing on Windows systems
D. To discover information about a target host using NBTSTAT
Answer: D
NO.158 Which of the following is an example of two factor authentication?
A. PIN Number and Birth Date
B. Username and Password
C. Digital Certificate and Hardware Token
D. Fingerprint and Smartcard ID
Answer: D
NO.159 Which of the following is the BEST way to defend against network sniffing?
A. Using encryption protocols to secure network communications
B. Register all machines' MAC addresses in a centralized database
C. Restrict physical access to server rooms hosting critical servers
D. Use static IP addresses
Answer: A
Explanation
A way to protect your network traffic from being sniffed is to use encryption such as Secure Sockets
Layer (SSL) or Transport Layer Security (TLS). Encryption doesn't prevent packet sniffers from seeing
source and destination information, but it does encrypt the data packet's payload so that all the
sniffer sees is encrypted gibberish.
References:
http://netsecurity.about.com/od/informationresources/a/What-Is-A-Packet-Sniffer.htm
NO.160 Bob finished a C programming course and created a small C application to monitor the
network traffic and produce alerts when any origin sends "many" IP packets, based on the average
number of packets sent by all origins and using some thresholds.
In concept, the solution developed by Bob is actually:
A. Just a network monitoring tool
B. A signature-based IDS
C. A hybrid IDS
D. A behavior-based IDS
Answer: A
NO.161 An NMAP scan of a server shows port 25 is open. What risk could this pose?
A. Open printer sharing
B. Web portal data leak
C. Clear text authentication
D. Active mail relay
Answer: D
NO.162 Which of the following problems can be solved by using Wireshark?
A. Tracking version changes of source code
B. Checking creation dates on all webpages on a server
C. Resetting the administrator password on multiple systems
D. Troubleshooting communication resets between two systems
Answer: D
NO.163 What kind of risk will remain even if all theoretically possible safety measures would be
applied?
A. Residual risk
B. Inherent risk
C. Impact risk
D. Deferred risk
Answer: A
NO.164 Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool
"SIDExtractor". Here is the output of the SIDs:
From the above list identify the user account with System Administrator privileges.
A. John
B. Rebecca
C. Sheela
D. Shawn
E. Somia
F. Chang
G. Micah
Answer: F
NO.165 When a normal TCP connection starts, a destination host receives a SYN (synchronize/start)
packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination
host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established. This
is referred to as the "TCP three-way handshake." While waiting for the ACK to the SYN/ACK, a
connection queue of finite size on the destination host keeps track of connections waiting to be
completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds
after the SYN/ACK.
How would an attacker exploit this design by launching a TCP SYN attack?
A. Attacker generates TCP SYN packets with random destination addresses towards a victim host
B. Attacker floods TCP SYN packets with random source addresses towards a victim host
C. Attacker generates TCP ACK packets with random source addresses towards a victim host
D. Attacker generates TCP RST packets with random source addresses towards a victim host
Answer: B
NO.166 An NMAP scan of a server shows port 69 is open. What risk could this pose?
A. Unauthenticated access
B. Weak SSL version
C. Cleartext login
D. Web portal data leak
Answer: A
NO.167 Which of the following is the least-likely physical characteristic to be used in biometric
control that supports a large company?
A. Height and Weight
B. Voice
C. Fingerprints
D. Iris patterns
Answer: A
Explanation
There are two main types of biometric identifiers: physiological and behavioral.
Examples of physiological characteristics used for biometric authentication include fingerprints; DNA;
face, hand, retina or ear features; and odor. Behavioral characteristics are related to the pattern of
the behavior of a person, such as typing rhythm, gait, gestures and voice.
References:
http://searchsecurity.techtarget.com/definition/biometrics
NO.168 Which component of IPsec performs protocol-level functions that are required to encrypt
and decrypt the packets?
A. Internet Key Exchange (IKE)
B. Oakley
C. IPsec Policy Agent
D. IPsec driver
Answer: A
NO.169 Your company was hired by a small healthcare provider to perform a technical assessment
on the network.
What is the best approach for discovering vulnerabilities on a Windows-based computer?
A. Use a scan tool like Nessus
B. Use the built-in Windows Update tool
C. Check MITRE.org for the latest list of CVE findings
D. Create a disk image of a clean Windows installation
Answer: A
Explanation
Nessus is an open-source network vulnerability scanner that uses the Common Vulnerabilities and
Exposures architecture for easy cross-linking between compliant security tools.
The Nessus server is currently available for Unix, Linux and FreeBSD. The client is available for Unix- or
Windows-based operating systems.
Note: Significant capabilities of Nessus include:
References:
http://searchnetworking.techtarget.com/definition/Nessus
NO.170 Which mode of IPSec should you use to assure security and confidentiality of data within
the same LAN?
A. ESP transport mode
B. AH promiscuous
C. ESP confidential
D. AH Tunnel mode
Answer: A
Explanation
When transport mode is used, IPSec encrypts only the IP payload. Transport mode provides the
protection of an IP payload through an AH or ESP header. Encapsulating Security Payload (ESP)
provides confidentiality (in addition to authentication, integrity, and anti-replay protection) for the IP
payload.
NO.171 Which of the following tools performs comprehensive tests against web servers, including
dangerous files and CGIs?
A. Nikto
B. Snort
C. John the Ripper
D. Dsniff
Answer: A
Explanation
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web
servers for multiple items, including over 6700 potentially dangerous files/CGIs, checks for outdated
versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server
configuration items such as the presence of multiple index files, HTTP server options, and will
attempt to identify installed web servers and software. Scan items and plugins are frequently
updated and can be automatically updated.
References: https://en.wikipedia.org/wiki/Nikto_Web_Scanner
NO.172 In the context of password security, a simple dictionary attack involves loading a dictionary
file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the
Ripper, and running it against user accounts located by the application. The larger the word and word
fragment selection, the more effective the dictionary attack is. The brute force method is the most
inclusive, although slow. It usually tries every possible letter and number combination in its
1656inclusive, although slow. It usually tries every possible letter and number combination in its
1657IT Certification Guaranteed, The Easy Way!
165844
1659automated exploration. If you would use both brute force and dictionary methods combined
1660together to have variation of words, what would you call such an attack?
1661A. Full Blown
1662B. Thorough
1663C. Hybrid
1664D. BruteDics
1665Answer: C
1666NO.173 A company is using Windows Server 2003 for its Active Directory (AD). What is the most
1667efficient way to crack the passwords for the AD users?
1668A. Perform a dictionary attack.
1669B. Perform a brute force attack.
1670C. Perform an attack with a rainbow table.
1671D. Perform a hybrid attack.
1672Answer: C
1673NO.174 Initiating an attack against targeted businesses and organizations, threat actors compromise
1674a carefully selected website by inserting an exploit resulting in malware infection. The attackers run
1675exploits on well-known and trusted sites likely to be visited by their targeted victims. Aside from
1676carefully choosing sites to compromise, these attacks are known to incorporate zero-day exploits that
1677target unpatched vulnerabilities. Thus, the targeted entities are left with little or no defense against
1678these exploits.
1679What type of attack is outlined in the scenario?
1680A. Watering Hole Attack
1681B. Heartbleed Attack
1682C. Shellshock Attack
1683D. Spear Phising Attack
1684Answer: A
1685Explanation
1686Watering Hole is a computer attack strategy, in which the victim is a particular group (organization,
1687industry, or region). In this attack, the attacker guesses or observes which websites the group often
1688uses and infects one or more of them with malware. Eventually, some member of the targeted group
1689gets infected.
1690NO.175 Nedved is an IT Security Manager of a bank in his country. One day. he found out that there
1691is a security breach to his company's email server based on analysis of a suspicious connection from
1692the email server to an unknown IP Address.
1693What is the first thing that Nedved needs to do before contacting the incident response team?
1694A. Leave it as it Is and contact the incident response te3m right away
1695B. Block the connection to the suspicious IP Address from the firewall
1696C. Disconnect the email server from the network
1697D. Migrate the connection to the backup email server
1698Answer: C
NO.176 A tester has been using the msadc.pl attack script to execute arbitrary commands on a
Windows NT4 web server. While it is effective, the tester finds it tedious to perform extended
functions. On further research, the tester came across a perl script that runs the following msadc
functions:
Which exploit is indicated by this script?
A. A buffer overflow exploit
B. A chained exploit
C. A SQL injection exploit
D. A denial of service exploit
Answer: B
NO.177 From the two screenshots below, which of the following is occurring?
A. 10.0.0.253 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan
against 10.0.0.2.
B. 10.0.0.253 is performing an IP scan against 10.0.0.2, 10.0.0.252 is performing a port scan against 10.0.0.2.
C. 10.0.0.2 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan against 10.0.0.2.
D. 10.0.0.252 is performing an IP scan against 10.0.0.2, 10.0.0.252 is performing a port scan against 10.0.0.2.
Answer: A
NO.178 What tool can crack Windows SMB passwords simply by listening to network traffic?
A. This is not possible
B. Netbus
C. NTFSDOS
D. L0phtcrack
Answer: D
NO.179 What is the difference between the AES and RSA algorithms?
A. Both are asymmetric algorithms, but RSA uses 1024-bit keys.
B. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is
used to encrypt data.
C. Both are symmetric algorithms, but AES uses 256-bit keys.
D. AES is asymmetric, which is used to create a public/private key pair; RSA is symmetric, which is
used to encrypt data.
Answer: B
NO.180 What port number is used by the LDAP protocol?
A. 110
B. 389
C. 464
D. 445
Answer: B
NO.181 Which of the following types of jailbreaking allows user-level access but does not allow
iboot-level access?
A. Bootrom Exploit
B. iBoot Exploit
C. Sandbox Exploit
D. Userland Exploit
Answer: D
NO.182 Jack was attempting to fingerprint all machines in the network using the following Nmap
syntax:
invictus@victim_server:~$ nmap -T4 -O 10.10.0.0/24
TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING!
Obviously, it is not going through. What is the issue here?
A. OS Scan requires root privileges
B. The nmap syntax is wrong.
C. The outgoing TCP/IP fingerprinting is blocked by the host firewall
D. This is a common behavior for a corrupted nmap application
Answer: A
NO.183 What did the following commands determine?
A. That the Joe account has a SID of 500
B. These commands demonstrate that the guest account has NOT been disabled
C. These commands demonstrate that the guest account has been disabled
D. That the true administrator is Joe
E. Issued alone, these commands prove nothing
Answer: D
NO.184 Todd has been asked by the security officer to purchase a counter-based authentication
system. Which of the following best describes this type of system?
A. A biometric system that bases authentication decisions on behavioral attributes.
B. A biometric system that bases authentication decisions on physical attributes.
C. An authentication system that creates one-time passwords that are encrypted with secret keys.
D. An authentication system that uses passphrases that are converted into virtual passwords.
Answer: C
NO.185 WPA2 uses AES for wireless data encryption at which of the following encryption levels?
A. 64 bit and CCMP
B. 128 bit and CRC
C. 128 bit and CCMP
D. 128 bit and TKIP
Answer: C
NO.186 While examining audit logs, you discover that people are able to telnet into the SMTP server
on port 25. You would like to block this, though you do not see any evidence of an attack or other
wrongdoing. However, you are concerned about affecting the normal functionality of the email
server. From the following options choose how best you can achieve this objective?
A. Block port 25 at the firewall.
B. Shut off the SMTP service on the server.
C. Force all connections to use a username and password.
D. Switch from Windows Exchange to UNIX Sendmail.
E. None of the above.
Answer: E
NO.187 You are programming a buffer overflow exploit and you want to create a NOP sled of 200
bytes in the program exploit.c
What is the hexadecimal value of the NOP instruction?
A. 0x60
B. 0x80
C. 0x70
D. 0x90
Answer: D
NO.188 A virus that attempts to install itself inside the file it is infecting is called?
A. Tunneling virus
B. Cavity virus
C. Polymorphic virus
D. Stealth virus
Answer: B
NO.189 Which NMAP command combination would let a tester scan every TCP port from a class C
network that is blocking ICMP with fingerprinting and service detection?
A. NMAP -PN -A -O -sS 192.168.2.0/24
B. NMAP -P0 -A -O -p1-65535 192.168.0/24
C. NMAP -P0 -A -sT -p0-65535 192.168.0/16
D. NMAP -PN -O -sS -p 1-1024 192.168.0/8
Answer: B
NO.190 Port scanning can be used as part of a technical assessment to determine network
vulnerabilities. The TCP XMAS scan is used to identify listening ports on the targeted system.
If a scanned port is open, what happens?
A. The port will ignore the packets.
B. The port will send an RST.
C. The port will send an ACK.
D. The port will send a SYN.
Answer: A
Explanation
An attacker uses a TCP XMAS scan to determine if ports are closed on the target machine. This scan
type is accomplished by sending TCP segments with all flags set in the packet header, generating
packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment
with an out-of-state flag sent to an open port is discarded, whereas segments with out-of-state flags
sent to closed ports should be handled with a RST in response. This behavior should allow an attacker
to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed
by the TCB) and detect closed ports via RST packets.
References: https://capec.mitre.org/data/definitions/303.html
NO.191 Which type of security feature stops vehicles from crashing through the doors of a building?
A. Turnstile
B. Bollards
C. Mantrap
D. Receptionist
Answer: B
NO.192 Which of the following programs is usually targeted at Microsoft Office products?
A. Polymorphic virus
B. Multipart virus
C. Macro virus
D. Stealth virus
Answer: C
Explanation
A macro virus is a virus that is written in a macro language: a programming language which is
embedded inside a software application (e.g., word processors and spreadsheet applications). Some
applications, such as Microsoft Office, allow macro programs to be embedded in documents such
that the macros are run automatically when the document is opened, and this provides a distinct
mechanism by which malicious computer instructions can spread.
References: https://en.wikipedia.org/wiki/Macro_virus
NO.193 An engineer is learning to write exploits in C++ and is using the exploit tool Backtrack. The
engineer wants to compile the newest C++ exploit and name it calc.exe. Which command would the
engineer use to accomplish this?
A. g++ hackersExploit.cpp -o calc.exe
B. g++ hackersExploit.py -o calc.exe
C. g++ -i hackersExploit.pl -o calc.exe
D. g++ --compile -i hackersExploit.cpp -o calc.exe
Answer: A
NO.194 An Intrusion Detection System (IDS) has alerted the network administrator to a possibly
malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic
was captured by the IDS and saved to a PCAP file.
What type of network tool can be used to determine if these packets are genuinely malicious or
simply a false positive?
A. Protocol analyzer
B. Intrusion Prevention System (IPS)
C. Network sniffer
D. Vulnerability scanner
Answer: A
Explanation
A packet analyzer (also known as a network analyzer, protocol analyzer or packet sniffer, or, for
particular types of networks, an Ethernet sniffer or wireless sniffer) is a computer program or piece of
computer hardware that can intercept and log traffic that passes over a digital network or part of a
network. A packet analyzer can analyze packet traffic saved in a PCAP file.
References: https://en.wikipedia.org/wiki/Packet_analyzer
NO.195 A server has been infected by a certain type of Trojan. The hacker intended to utilize it to
send and host junk mails. What type of Trojan did the hacker use?
A. Turtle Trojans
B. Ransomware Trojans
C. Botnet Trojan
D. Banking Trojans
Answer: C
NO.196 The security administrator of ABC needs to permit Internet traffic to the host 10.0.0.2 and
UDP traffic to the host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and
deny all other traffic. After he applied his ACL configuration on the router, nobody can access
FTP and the permitted hosts cannot access the Internet. According to the following configuration, what
is happening in the network?
A. The ACL 110 needs to be changed to port 80
B. The ACL for FTP must be before the ACL 110
C. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
D. The ACL 104 needs to be first because it is UDP
Answer: C
NO.197 What results will the following command yield: 'NMAP -sS -O -p 123-153 192.168.100.3'?
A. A stealth scan, opening port 123 and 153
B. A stealth scan, checking open ports 123 to 153
C. A stealth scan, checking all open ports excluding ports 123 to 153
D. A stealth scan, determine operating system, and scanning ports 123 to 153
Answer: D
NO.198 What does a type 3 code 13 represent? (Choose two.)
A. Echo request
B. Destination unreachable
C. Network unreachable
D. Administratively prohibited
E. Port unreachable
F. Time exceeded
Answer: B D
NO.199 Which access control mechanism allows for multiple systems to use a central authentication
server (CAS) that permits users to authenticate once and gain access to multiple systems?
A. Role Based Access Control (RBAC)
B. Discretionary Access Control (DAC)
C. Windows authentication
D. Single sign-on
Answer: D
NO.200 A hacker is attempting to see which ports have been left open on a network. Which NMAP
switch would the hacker use?
A. -sO
B. -sP
C. -sS
D. -sU
Answer: A
NO.201 The following is a sample of output from a penetration tester's machine targeting a machine
with the IP address of 192.168.1.106:
What is most likely taking place?
A. Ping sweep of the 192.168.1.106 network
B. Remote service brute force attempt
C. Port scan of 192.168.1.106
D. Denial of service attack on 192.168.1.106
Answer: B
NO.202 Company XYZ has asked you to assess the security of their perimeter email gateway. From
your office in New York, you craft a specially formatted email message and send it across the Internet
to an employee of Company XYZ. The employee of Company XYZ is aware of your test.
Your email message looks like this:
From: jim_miller@companyxyz.com
To: michelle_saunders@companyxyz.com
Subject: Test message
Date: 4/3/2017 14:37
The employee of Company XYZ receives your email message. This proves that Company XYZ's email
gateway doesn't prevent what?
A. Email Phishing
B. Email Masquerading
C. Email Spoofing
D. Email Harvesting
Answer: C
NO.203 Which of the following LM hashes represent a password of less than 8 characters? (Choose
two.)
A. BA810DBA98995F1817306D272A9441BB
B. 44EFCE164AB921CQAAD3B435B51404EE
C. 0182BD0BD4444BF836077A718CCDF409
D. CEC52EB9C8E3455DC2265B23734E0DAC
E. B757BF5C0D87772FAAD3B435B51404EE
F. E52CAC67419A9A224A3B108F3FA6CB6D
Answer: B E
NO.204 A software tester is randomly generating invalid inputs in an attempt to crash the program.
Which of the following is a software testing technique used to determine if a software program
properly handles a wide range of invalid input?
A. Mutating
B. Randomizing
C. Fuzzing
D. Bounding
Answer: C
NO.205 SOAP services use which technology to format information?
A. SATA
B. PCI
C. XML
D. ISDN
Answer: C
NO.206 Which type of sniffing technique is generally referred to as a MiTM attack?
A. Password Sniffing
B. ARP Poisoning
C. Mac Flooding
D. DHCP Sniffing
Answer: B
NO.207 When security and confidentiality of data within the same LAN is of utmost priority, which
IPSec mode should you implement?
A. AH Tunnel mode
B. AH promiscuous
C. ESP transport mode
D. ESP confidential
Answer: C
NO.208 You're doing an internal security audit and you want to find out what ports are open on all
the servers. What is the best way to find out?
A. Scan servers with Nmap
B. Physically go to each server
C. Scan servers with MBSA
D. Telnet to every port on each server
Answer: A
NO.209 Session splicing is an IDS evasion technique in which an attacker delivers data in multiple,
small-sized packets to the target computer, making it very difficult for an IDS to detect the attack
signatures.
Which tool can be used to perform session splicing attacks?
A. Whisker
B. tcpsplice
C. Burp
D. Hydra
Answer: A
Explanation
One basic technique is to split the attack payload into multiple small packets, so that the IDS must
reassemble the packet stream to detect the attack. A simple way of splitting packets is by
fragmenting them, but an adversary can also simply craft packets with small payloads. The 'whisker'
evasion tool calls crafting packets with small payloads 'session splicing'.
References:
https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques#Fragmentation_and_small_packet
NO.210 A penetration tester was hired to perform a penetration test for a bank. The tester began
searching for IP ranges owned by the bank, performing lookups on the bank's DNS servers, reading
news articles online about the bank, watching what times the bank employees come into work and
leave from work, searching the bank's job postings (paying special attention to IT related jobs), and
visiting the local dumpster for the bank's corporate office. What phase of the penetration test is the
tester currently in?
A. Information reporting
B. Vulnerability assessment
C. Active information gathering
D. Passive information gathering
Answer: D
NO.211 Advanced encryption standard is an algorithm used for which of the following?
A. Data integrity
B. Key discovery
C. Bulk data encryption
D. Key recovery
Answer: C
NO.212 Which of the following tools can be used to perform a zone transfer?
A. NSLookup
B. Finger
C. Dig
D. Sam Spade
E. Host
F. Netcat
G. Neotrace
2043Answer: A C D E
2044NO.213 By using a smart card and pin, you are using a two-factor authentication that satisfies
2045A. Something you know and something you are
2046B. Something you have and something you know
2047C. Something you have and something you are
2048D. Something you are and something you remember
2049Answer: B
2050NO.214 Your business has decided to add credit card numbers to the data it backs up to tape. Which
2051of the following represents the best practice your business should observe?
2052A. Hire a security consultant to provide direction.
B. Do not back up either the credit card numbers or their hashes.
2054C. Back up the hashes of the credit card numbers not the actual credit card numbers.
2055D. Encrypt backup tapes that are sent off-site.
2056Answer: A
2057NO.215 You are performing a penetration test. You achieved access via a buffer overflow exploit and
2058you proceed to find interesting data, such as files with usernames and passwords. You find a hidden
2059folder that has the administrator's bank account password and login information for the
2060administrator's bitcoin account.
2061What should you do?
2062A. Report immediately to the administrator
2063B. Do not report it and continue the penetration test.
2064C. Transfer money from the administrator's account to another account.
2065D. Do not transfer the money but steal the bitcoins.
2066Answer: A
2067NO.216 A company's policy requires employees to perform file transfers using protocols which
2068encrypt traffic. You suspect some employees are still performing file transfers using unencrypted
2069protocols because the employees do not like changes. You have positioned a network sniffer to
capture traffic from the laptops used by employees in the data ingest department. Using Wireshark
2071to examine the captured traffic, which command can be used as a display filter to find unencrypted
2072file transfers?
2073A. tcp.port != 21
2074B. tcp.port = 23
2075C. tcp.port ==21
2076D. tcp.port ==21 || tcp.port ==22
2077Answer: D
2078NO.217 Some clients of TPNQM SA were redirected to a malicious site when they tried to access the
2079TPNQM main site. Bob, a system administrator at TPNQM SA, found that they were victims of DNS
2080Cache Poisoning.
2081What should Bob recommend to deal with such a threat?
2084A. The use of security agents in clients' computers
2085B. The use of DNSSEC
2086C. The use of double-factor authentication
2087D. Client awareness
2088Answer: B
2089NO.218 During a security audit of IT processes, an IS auditor found that there were no documented
2090security procedures. What should the IS auditor do?
2091A. Identify and evaluate existing practices
2092B. Create a procedures document
2093C. Conduct compliance testing
2094D. Terminate the audit
2095Answer: A
2096Explanation
The auditor should first evaluate existing policies and practices to identify problem areas and
2098opportunities.
2099NO.219 A company's Web development team has become aware of a certain type of security
2100vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited,
2101the team wants to modify the software requirements to disallow users from entering HTML as input
2102into their Web application.
2103What kind of Web application vulnerability likely exists in their software?
2104A. Cross-site scripting vulnerability
2105B. Cross-site Request Forgery vulnerability
2106C. SQL injection vulnerability
2107D. Web site defacement vulnerability
2108Answer: A
2109Explanation
2110Many operators of particular web applications (e.g. forums and webmail) allow users to utilize a
limited subset of HTML markup. When accepting HTML input from users (say, <b>very</b> large),
output encoding (such as &lt;b&gt;very&lt;/b&gt; large) will not suffice since the user input needs to
be rendered as HTML by the browser (so it shows as "very large", instead of "<b>very</b> large").
2114Stopping an XSS attack when accepting HTML input from users is much more complex in this
2115situation. Untrusted HTML input must be run through an HTML sanitization engine to ensure that it
2116does not contain cross-site scripting code.
References: https://en.wikipedia.org/wiki/Cross-site_scripting#Safely_validating_untrusted_HTML_input
2119NO.220 Which of the following defines the role of a root Certificate Authority (CA) in a Public Key
2120Infrastructure (PKI)?
2121A. The root CA is the recovery agent used to encrypt data when a user's certificate is lost.
2122B. The root CA stores the user's hash value for safekeeping.
2123C. The CA is the trusted root that issues certificates.
2124D. The root CA is used to encrypt email messages to prevent unintended disclosure of data.
2127Answer: C
2128NO.221 Which service in a PKI will vouch for the identity of an individual or company?
2129A. KDC
2130B. CA
2131C. CR
2132D. CBC
2133Answer: B
2134NO.222 It is a vulnerability in GNU's bash shell, discovered in September of 2014, that gives
2135attackers access to run remote commands on a vulnerable system. The malicious software can take
2136control of an infected machine, launch denial-of-service attacks to disrupt websites, and scan for
2137other vulnerable devices (including routers).
2138Which of the following vulnerabilities is being described?
2139A. Shellshock
2140B. Rootshock
2141C. Rootshell
2142D. Shellbash
2143Answer: A
2144Explanation
2145Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell,
2146the first of which was disclosed on 24 September 2014.
2147References: https://en.wikipedia.org/wiki/Shellshock_(software_bug)
2148NO.223 What is the term coined for logging, recording and resolving events in a company?
2149A. Internal Procedure
2150B. Security Policy
2151C. Incident Management Process
2152D. Metrics
2153Answer: C
2154NO.224 Windows file servers commonly hold sensitive files, databases, passwords and more. Which
2155of the following choices would be a common vulnerability that usually exposes them?
2156A. Cross-site scripting
2157B. SQL injection
2158C. Missing patches
2159D. CRLF injection
2160Answer: C
2161NO.225 Study the following log extract and identify the attack.
2164A. Hexcode Attack
2165B. Cross Site Scripting
2166C. Multiple Domain Traversal Attack
2167D. Unicode Directory Traversal Attack
2168Answer: D
2169NO.226 Password cracking programs reverse the hashing process to recover passwords.
2170(True/False.)
2173A. True
2174B. False
2175Answer: B
2176NO.227 What does a firewall check to prevent particular ports and applications from getting packets
2177into an organization?
2178A. Transport layer port numbers and application layer headers
2179B. Presentation layer headers and the session layer port numbers
2180C. Network layer headers and the session layer port numbers
2181D. Application layer port numbers and the transport layer headers
2182Answer: A
2183Explanation
Newer firewalls can filter traffic based on many packet attributes, such as source IP address, source port,
destination IP address or transport layer port, and destination service (for example WWW or FTP). They can also
filter based on protocols, TTL values, the netblock of the originator or source, and many other attributes.
Application layer firewalls are responsible for filtering at layers 3, 4, 5 and 7. Because they analyze the
application layer headers, most firewall control and filtering is actually performed in software.
2189References: https://en.wikipedia.org/wiki/Firewall_(computing)#Network_layer_or_packet_filters
2190http://howdoesinternetwork.com/2012/application-layer-firewalls
2191NO.228 While reviewing the result of scanning run against a target network you come across the
2192following:
2193Which among the following can be used to get this output?
2194A. A Bo2k system query.
2195B. nmap protocol scan
2196C. A sniffer
2197D. An SNMP walk
2198Answer: D
2199NO.229 _________ is a tool that can hide processes from the process list, can hide files, registry
2200entries, and intercept keystrokes.
2203A. Trojan
2204B. RootKit
2205C. DoS tool
2206D. Scanner
2207E. Backdoor
2208Answer: B
2209NO.230 Which of the following is a client-server tool utilized to evade firewall inspection?
2210A. tcp-over-dns
2211B. kismet
2212C. nikto
2213D. hping
2214Answer: A
2215NO.231 Which of the following scanning tools is specifically designed to find potential exploits in
2216Microsoft Windows products?
2217A. Microsoft Security Baseline Analyzer
2218B. Retina
2219C. Core Impact
2220D. Microsoft Baseline Security Analyzer
2221Answer: D
2222NO.232 Which set of access control solutions implements two-factor authentication?
2223A. USB token and PIN
2224B. Fingerprint scanner and retina scanner
2225C. Password and PIN
2226D. Account and password
2227Answer: A
2228NO.233 An attacker is using nmap to do a ping sweep and a port scanning in a subnet of 254
2229addresses.
2230In which order should he perform these steps?
2231A. The sequence does not matter. Both steps have to be performed against all hosts.
2232B. First the port scan to identify interesting services and then the ping sweep to find hosts
2233responding to icmp echo requests.
2234C. First the ping sweep to identify live hosts and then the port scan on the live hosts. This way he
2235saves time.
2236D. The port scan alone is adequate. This way he saves time.
2237Answer: C
2238NO.234 Which type of intrusion detection system can monitor and alert on attacks, but cannot stop
2239them?
2240A. Detective
2243B. Passive
2244C. Intuitive
2245D. Reactive
2246Answer: B
2247NO.235 In the field of cryptanalysis, what is meant by a "rubber-hose" attack?
2248A. Attempting to decrypt cipher text by making logical assumptions about the contents of the original
2249plain text.
2250B. Extraction of cryptographic secrets through coercion or torture.
2251C. Forcing the targeted key stream through a hardware-accelerated device such as an ASIC.
2252D. A backdoor placed into a cryptographic algorithm by its creator.
2253Answer: B
2254NO.236 An attacker has been successfully modifying the purchase price of items purchased on the
2255company's web site.
2256The security administrators verify the web server and Oracle database have not been compromised
2257directly.
2258They have also verified the Intrusion Detection System (IDS) logs and found no attacks that could
have caused this. What is the most likely way the attacker has been able to modify the purchase
2260price?
2261A. By using SQL injection
2262B. By changing hidden form values
2263C. By using cross site scripting
2264D. By utilizing a buffer overflow attack
2265Answer: B
2266NO.237 Which of the following is an extremely common IDS evasion technique in the web world?
2267A. unicode characters
2268B. spyware
2269C. port knocking
2270D. subnetting
2271Answer: A
2272Explanation
Unicode attacks can be effective against applications that understand it. Unicode is the international
standard whose goal is to represent every character needed by every written human language as a
single integer number. What is known as Unicode evasion should more correctly be referred to as
UTF-8 evasion. Unicode characters are normally represented with two bytes, but this is impractical in
real life.
One aspect of UTF-8 encoding causes problems: non-Unicode characters can be represented in encoded
form. What is worse, multiple representations of each character can exist. Such non-canonical
encodings are known as overlong characters, and may be signs of an attempted attack.
2281References:
2282http://books.gigatux.nl/mirror/apachesecurity/0596007248/apachesc-chp-10-sect-8.html
2285NO.238 The configuration allows a wired or wireless network interface controller to pass all traffic it
2286receives to the central processing unit (CPU), rather than passing only the frames that the controller
2287is intended to receive.
2288Which of the following is being described?
2289A. promiscuous mode
2290B. port forwarding
2291C. multi-cast mode
2292D. WEM
2293Answer: A
2294Explanation
2295Promiscuous mode refers to the special mode of Ethernet hardware, in particular network interface
2296cards (NICs), that allows a NIC to receive all traffic on the network, even if it is not addressed to this
2297NIC. By default, a NIC ignores all traffic that is not addressed to it, which is done by comparing the
2298destination address of the Ethernet packet with the hardware address (a.k.a. MAC) of the device.
2299While this makes perfect sense for networking, non-promiscuous mode makes it difficult to use
2300network monitoring and analysis software for diagnosing connectivity issues or traffic accounting.
2301References: https://www.tamos.com/htmlhelp/monitoring/
2302NO.239 Bob, a system administrator at TPNQM SA, concluded one day that a DMZ is not needed if
2303he properly configures the firewall to allow access just to servers/ports, which can have direct
2304internet access, and block the access to workstations.
2305Bob also concluded that DMZ makes sense just when a stateful firewall is available, which is not the
2306case of TPNQM SA.
2307In this context, what can you say?
2308A. Bob can be right since DMZ does not make sense when combined with stateless firewalls
2309B. Bob is partially right. He does not need to separate networks if he can create rules by destination
2310IPs, one by one
2311C. Bob is totally wrong. DMZ is always relevant when the company has internet servers and
2312workstations
2313D. Bob is partially right. DMZ does not make sense when a stateless firewall is available
2314Answer: C
2315NO.240 Which address translation scheme would allow a single public IP address to always
2316correspond to a single machine on an internal network, allowing "server publishing"?
2317A. Overloading Port Address Translation
2318B. Dynamic Port Address Translation
2319C. Dynamic Network Address Translation
2320D. Static Network Address Translation
2321Answer: D
2322NO.241 Which of the following is a passive wireless packet analyzer that works on Linux-based
2323systems?
2324A. Burp Suite
2325B. OpenVAS
2328C. tshark
2329D. Kismet
2330Answer: D
2331NO.242 Which of the following is the greatest threat posed by backups?
2332A. A backup is the source of Malware or illicit information.
2333B. A backup is unavailable during disaster recovery.
2334C. A backup is incomplete because no verification was performed.
2335D. An un-encrypted backup can be misplaced or stolen.
2336Answer: D
2337Explanation
2338If the data written on the backup media is properly encrypted, it will be useless for anyone without
2339the key.
2340References:
2341http://resources.infosecinstitute.com/backup-media-encryption/
NO.243 Which type of scan sends packets with no flags set?
2343A. Open Scan
2344B. Null Scan
2345C. Xmas Scan
2346D. Half-Open Scan
2347Answer: B
2348NO.244 Ricardo wants to send secret messages to a competitor company. To secure these
2349messages, he uses a technique of hiding a secret message within an ordinary message. The technique
2350provides 'security through obscurity'.
2351What technique is Ricardo using?
2352A. Steganography
2353B. Public-key cryptography
2354C. RSA algorithm
2355D. Encryption
2356Answer: A
2357Explanation
2358Steganography is the practice of concealing a file, message, image, or video within another file,
2359message, image, or video.
2360References: https://en.wikipedia.org/wiki/Steganography
2361NO.245 Employees in a company are no longer able to access Internet web sites on their computers.
2362The network administrator is able to successfully ping IP address of web servers on the Internet and
2363is able to open web sites by using an IP address in place of the URL. The administrator runs the
2364nslookup command for www.eccouncil.org and receives an error message stating there is no
2365response from the server. What should the administrator do next?
2366A. Configure the firewall to allow traffic on TCP ports 53 and UDP port 53.
2367B. Configure the firewall to allow traffic on TCP ports 80 and UDP port 443.
2370C. Configure the firewall to allow traffic on TCP port 53.
2371D. Configure the firewall to allow traffic on TCP port 8080.
2372Answer: A
2373NO.246 Which of the following BEST describes the mechanism of a Boot Sector Virus?
2374A. Moves the MBR to another location on the hard disk and copies itself to the original location of
2375the MBR
2376B. Moves the MBR to another location on the RAM and copies itself to the original location of the
2377MBR
2378C. Overwrites the original MBR and only executes the new virus code
2379D. Modifies directory table entries so that directory entries point to the virus code instead of the
2380actual program
2381Answer: A
2382NO.247 You are looking for SQL injection vulnerability by sending a special character to web
2383applications. Which of the following is the most useful for quick validation?
2384A. Double quotation
2385B. Backslash
2386C. Semicolon
2387D. Single quotation
2388Answer: D
2389NO.248 Why should the security analyst disable/remove unnecessary ISAPI filters?
2390A. To defend against social engineering attacks
2391B. To defend against webserver attacks
2392C. To defend against jailbreaking
2393D. To defend against wireless attacks
2394Answer: B
2395NO.249 When a security analyst prepares for the formal security assessment - what of the following
should be done in order to determine inconsistencies in the secure assets database and verify that the
system is compliant with the minimum security baseline?
2398A. Data items and vulnerability scanning
2399B. Interviewing employees and network engineers
2400C. Reviewing the firewalls configuration
2401D. Source code review
2402Answer: A
2403NO.250 It is a regulation that has a set of guidelines, which should be adhered to by anyone who
2404handles any electronic medical data. These guidelines stipulate that all medical practices must ensure
2405that all necessary measures are in place while saving, accessing, and sharing any electronic medical
2406data to keep patient data secure.
2407Which of the following regulations best matches the description?
2410A. HIPAA
2411B. ISO/IEC 27002
2412C. COBIT
2413D. FISMA
2414Answer: A
2415Explanation
The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by
"covered entities" (generally, health care clearinghouses, employer sponsored health plans, health
insurers, and medical service providers that engage in certain transactions). By regulation, the
Department of Health and Human Services extended the HIPAA privacy rule to independent
contractors of covered entities who fit within the definition of "business associates".
2422References:
2423https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#Privacy_Rule
2424NO.251 Cross-site request forgery involves:
2425A. A request sent by a malicious user from a browser to a server
2426B. Modification of a request by a proxy between client and server
2427C. A browser making a request to a server without the user's knowledge
2428D. A server making a request to another server without the user's knowledge
2429Answer: C
2430NO.252 Which regulation defines security and privacy controls for Federal information systems and
2431organizations?
2432A. NIST-800-53
2433B. PCI-DSS
2434C. EU Safe Harbor
2435D. HIPAA
2436Answer: A
2437Explanation
2438NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and
2439Organizations," provides a catalog of security controls for all U.S. federal information systems except
2440those related to national security.
2441References: https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53
2442NO.253 An ethical hacker for a large security research firm performs penetration tests, vulnerability
2443tests, and risk assessments. A friend recently started a company and asks the hacker to perform a
2444penetration test and vulnerability assessment of the new company as a favor. What should the
2445hacker's next step be before starting work on this job?
2446A. Start by foot printing the network and mapping out a plan of attack.
2447B. Ask the employer for authorization to perform the work outside the company.
2448C. Begin the reconnaissance phase with passive information gathering and then move into active
2449information gathering.
2450D. Use social engineering techniques on the friend's employees to help identify areas that may be
2453susceptible to attack.
2454Answer: B
2455NO.254 Chandler works as a pen-tester in an IT-firm in New York. As a part of detecting viruses in
2456the systems, he uses a detection method where the anti-virus executes the malicious codes on a
2457virtual machine to simulate CPU and memory activities.
2458Which type of virus detection method did Chandler use in this context?
2459A. Heuristic Analysis
2460B. Code Emulation
2461C. Integrity checking
2462D. Scanning
2463Answer: B
2464NO.255 Bob, your senior colleague, has sent you a mail regarding a deal with one of the clients. You
are requested to accept the offer and you oblige. After 2 days, Bob denies that he had ever sent a
mail. What do you want to "know" to prove to yourself that it was Bob who had sent the mail?
2468A. Authentication
2469B. Confidentiality
2470C. Integrity
2471D. Non-Repudiation
2472Answer: D
2473NO.256 Which type of scan is used on the eye to measure the layer of blood vessels?
2474A. Facial recognition scan
2475B. Retinal scan
2476C. Iris scan
2477D. Signature kinetics scan
2478Answer: B
2479NO.257 A new wireless client that is 802.11 compliant cannot connect to a wireless network given
2480that the client can see the network and it has compatible hardware and software installed. Upon
2481further tests and investigation, it was found out that the Wireless Access Point (WAP) was not
2482responding to the association requests being sent by the wireless client. What MOST likely is the
2483issue on this scenario?
2484A. The client cannot see the SSID of the wireless network
2485B. The WAP does not recognize the client's MAC address.
2486C. The wireless client is not configured to use DHCP.
2487D. Client is configured for the wrong channel
2488Answer: B
2489NO.258 Windows LAN Manager (LM) hashes are known to be weak.
2490Which of the following are known weaknesses of LM? (Choose three.)
2491A. Converts passwords to uppercase.
2494B. Hashes are sent in clear text over the network.
2495C. Makes use of only 32-bit encryption.
2496D. Effective length is 7 characters.
2497Answer: A B D
2498NO.259 Which element of Public Key Infrastructure (PKI) verifies the applicant?
2499A. Certificate authority
2500B. Validation authority
2501C. Registration authority
2502D. Verification authority
2503Answer: C
2504NO.260 Which of the following algorithms can be used to guarantee the integrity of messages being
2505sent, in transit, or stored?
2506A. symmetric algorithms
2507B. asymmetric algorithms
2508C. hashing algorithms
2509D. integrity algorithms
2510Answer: C
2511NO.261 It is a widely used standard for message logging. It permits separation of the software that
2512generates messages, the system that stores them, and the software that reports and analyzes them.
2513This protocol is specifically designed for transporting event messages. Which of the following is being
2514described?
2515A. SNMP
2516B. ICMP
2517C. SYSLOG
2518D. SMS
2519Answer: C
2520NO.262 When tuning security alerts, what is the best approach?
2521A. Tune to avoid False positives and False Negatives
2522B. Rise False positives Rise False Negatives
2523C. Decrease the false positives
2524D. Decrease False negatives
2525Answer: A
2526NO.263 What is one of the advantages of using both symmetric and asymmetric cryptography in
2527SSL/TLS?
2528A. Symmetric algorithms such as AES provide a failsafe when asymmetric methods fail.
2529B. Asymmetric cryptography is computationally expensive in comparison. However, it is well-suited
2530to securely negotiate keys for use with symmetric cryptography.
2531C. Symmetric encryption allows the server to securely transmit the session keys out-of-band.
2534D. Supporting both types of algorithms allows less-powerful devices such as mobile phones to use
2535symmetric encryption instead.
2536Answer: D
2537NO.264 A newly discovered flaw in a software application would be considered which kind of
2538security vulnerability?
2539A. Input validation flaw
2540B. HTTP header injection vulnerability
2541C. 0-day vulnerability
2542D. Time-to-check to time-to-use flaw
2543Answer: C
2544NO.265 When you are getting information about a web server, it is very important to know the HTTP
2545Methods (GET, POST, HEAD, PUT, DELETE, TRACE) that are available because there are two critical
2546methods (PUT and DELETE). PUT can upload a file to the server and DELETE can delete a file from the
2547server. You can detect all these methods (GET, POST, HEAD, PUT, DELETE, TRACE) using NMAP script
2548engine.
2549What nmap script will help you with this task?
2550A. http-methods
2551B. http enum
2552C. http-headers
2553D. http-git
2554Answer: A
Explanation
You can check which HTTP methods a web server exposes using Nmap's http-methods NSE script.
Example: nmap --script=http-methods.nse 192.168.0.25
2558References:
2559http://solutionsatexperts.com/http-method-vulnerability-check-using-nmap/
2560NO.266 Which of the following options represents a conceptual characteristic of an anomaly-based
2561IDS over a signature-based IDS?
2562A. Produces less false positives
2563B. Can identify unknown attacks
2564C. Requires vendor updates for a new threat
2565D. Cannot deal with encrypted network traffic
2566Answer: B
2567NO.267 TCP/IP stack fingerprinting is the passive collection of configuration attributes from a
2568remote device during standard layer 4 network communications. Which of the following tools can be
2569used for passive OS fingerprinting?
2570A. nmap
2571B. ping
2572C. tracert
2573D. tcpdump
2576Answer: D
2577NO.268 Which of the following is considered the best way to protect Personally Identifiable
2578Information (PII) from Web application vulnerabilities?
2579A. Use cryptographic storage to store all PII
2580B. Use encrypted communications protocols to transmit PII
2581C. Use full disk encryption on all hard drives to protect PII
2582D. Use a security token to log into all Web applications that use PII
2583Answer: A
2584Explanation
2585As a matter of good practice any PII should be protected with strong encryption.
2586References: https://cuit.columbia.edu/cuit/it-security-practices/handling-personally-identifyinginformation
2587NO.269 What network security concept requires multiple layers of security controls to be placed
2588throughout an IT infrastructure, which improves the security posture of an organization to defend
2589against malicious attacks or potential vulnerabilities?
2591A. Host-Based Intrusion Detection System
2592B. Security through obscurity
2593C. Defense in depth
2594D. Network-Based Intrusion Detection System
2595Answer: C
2596NO.270 Which of the following levels of algorithms does Public Key Infrastructure (PKI) use?
2597A. RSA 1024 bit strength
2598B. AES 1024 bit strength
2599C. RSA 512 bit strength
2600D. AES 512 bit strength
2601Answer: A
2602NO.271 A hacker is an intelligent individual with excellent computer skills and the ability to explore a
2603computer's software and hardware without the owner's permission. Their intention can either be to
simply gain knowledge or to illegally make changes. Which of the following classes of hacker refers to
2605an individual who works both offensively and defensively at various times?
2606A. Suicide Hacker
2607B. Black Hat
2608C. White Hat
2609D. Gray Hat
2610Answer: D
2611NO.272 Fingerprinting VPN firewalls is possible with which of the following tools?
2612A. Angry IP
2613B. Nikto
2616C. Ike-scan
2617D. Arp-scan
2618Answer: C
2619NO.273 What is a "Collision attack" in cryptography?
2620A. Collision attacks try to find two inputs producing the same hash.
2621B. Collision attacks try to break the hash into two parts, with the same bytes in each part to get the
2622private key.
2623C. Collision attacks try to get the public key.
2624D. Collision attacks try to break the hash into three parts to get the plaintext value.
2625Answer: A
2626Explanation
2627A Collision Attack is an attempt to find two input strings of a hash function that produce the same
2628hash result.
2629References: https://learncryptography.com/hash-functions/hash-collision-attack
2630NO.274 It is a short-range wireless communication technology intended to replace the cables
connecting portable or fixed devices while maintaining high levels of security. It allows mobile
2632phones, computers and other devices to connect and communicate using a short-range wireless
2633connection.
2634Which of the following terms best matches the definition?
2635A. Bluetooth
2636B. Radio-Frequency Identification
2637C. WLAN
2638D. InfraRed
2639Answer: A
2640Explanation
2641Bluetooth is a standard for the short-range wireless interconnection of mobile phones, computers,
2642and other electronic devices.
2643References:
2644http://www.bbc.co.uk/webwise/guides/about-bluetooth
2645NO.275 What is a NULL scan?
2646A. A scan in which all flags are turned off
2647B. A scan in which certain flags are off
2648C. A scan in which all flags are on
2649D. A scan in which the packet size is set to zero
2650E. A scan with an illegal packet size
2651Answer: A
2652NO.276 An attacker runs netcat tool to transfer a secret file between two hosts.
2653He is worried about information being sniffed on the network.
2656How would the attacker use netcat to encrypt the information before transmitting onto the wire?
A. Machine A: netcat -l -p -s password 1234 < testfile; Machine B: netcat <machine A IP> 1234
B. Machine A: netcat -l -e magickey -p 1234 < testfile; Machine B: netcat <machine A IP> 1234
C. Machine A: netcat -l -p 1234 < testfile -pw password; Machine B: netcat <machine A IP> 1234 -pw password
2661D. Use cryptcat instead of netcat
2662Answer: D
2663NO.277 This phase will increase the odds of success in later phases of the penetration test. It is also
2664the very first step in Information Gathering, and it will tell you what the "landscape" looks like.
2665What is the most important phase of ethical hacking in which you need to spend a considerable
2666amount of time?
2667A. footprinting
2668B. network mapping
2669C. gaining access
2670D. escalating privileges
2671Answer: A
2672Explanation
Footprinting is the first step a penetration tester uses to evaluate the security of any IT
infrastructure; it means gathering the maximum information about the computer system
or network and about the devices that are attached to that network.
2676References:
2677http://www.ehacking.net/2011/02/footprinting-first-step-of-ethical.html
2678NO.278 In IPv6 what is the major difference concerning application layer vulnerabilities compared to
2679IPv4?
2680A. Implementing IPv4 security in a dual-stack network offers protection from IPv6 attacks too.
2681B. Vulnerabilities in the application layer are independent of the network layer. Attacks and
2682mitigation techniques are almost identical.
2683C. Due to the extensive security measures built in IPv6, application layer vulnerabilities need not be
addressed.
2685D. Vulnerabilities in the application layer are greatly different from IPv4.
2686Answer: B
2687NO.279 Pentest results indicate that voice over IP traffic is traversing a network. Which of the
2688following tools will decode a packet capture and extract the voice conversations?
2689A. Cain
2690B. John the Ripper
2691C. Nikto
2692D. Hping
2693Answer: A
2694NO.280 Which initial procedure should an ethical hacker perform after being brought into an
2695organization?
A. Begin security testing.
B. Turn over deliverables.
C. Sign a formal contract with non-disclosure.
D. Assess what the organization is trying to protect.
Answer: C
NO.281 What is the main security service a cryptographic hash provides?
A. Integrity and ease of computation
B. Message authentication and collision resistance
C. Integrity and collision resistance
D. Integrity and computational in-feasibility
Answer: D
NO.282 A large company intends to use Blackberry for corporate mobile phones and a security
analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking attack
method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the
corporate network. What tool should the analyst use to perform a Blackjacking attack?
A. Paros Proxy
B. BBProxy
C. BBCrack
D. Blooover
Answer: B
Explanation
Blackberry users warned of hacking tool threat.
Users have been warned that the security of Blackberry wireless e-mail devices is at risk due to the
availability this week of a new hacking tool. Secure Computing Corporation said businesses that have
installed Blackberry servers behind their gateway security devices could be vulnerable to a hacking
attack from a tool called BBProxy.
References:
http://www.computerweekly.com/news/2240062112/Technology-news-in-brief
NO.283 Which of the following is a vulnerability in GNU's bash shell (discovered in September of
2014) that gives attackers access to run remote commands on a vulnerable system?
A. Shellshock
B. Rootshell
C. Rootshock
D. Shellbash
Answer: A
NO.284 You are working as a Security Analyst in a company XYZ that owns the whole subnet range
of 23.0.0.0/8 and 192.168.0.0/8.
While monitoring the data, you find a high number of outbound connections. You see that IPs owned
by XYZ (internal) and private IPs are communicating to a single public IP. Therefore, the internal IPs
are sending data to the public IP.
After further analysis, you find out that this public IP is a blacklisted IP, and the internal
communicating devices are compromised.
What kind of attack does the above scenario depict?
A. Botnet Attack
B. Spear Phishing Attack
C. Advanced Persistent Threats
D. Rootkit Attack
Answer: A
NO.285 What is the least important information when you analyze a public IP address in a security
alert?
A. ARP
B. Whois
C. DNS
D. Geolocation
Answer: A
NO.286 How can telnet be used to fingerprint a web server?
A. telnet webserverAddress 80, then HEAD / HTTP/1.0
B. telnet webserverAddress 80, then PUT / HTTP/1.0
C. telnet webserverAddress 80, then HEAD / HTTP/2.0
D. telnet webserverAddress 80, then PUT / HTTP/2.0
Answer: A
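Added example (not part of the exam dump): the HEAD-request fingerprint from NO.286 done from Python over a raw TCP socket, exactly what is typed into the telnet session, against a throwaway HTTP server on localhost so it runs offline. The local server, its ephemeral port and the Apache-style Server banner it returns are constructed assumptions, not a real host; pointing fingerprint() at a real hostname and port 80 does the same thing telnet does.

```python
# Added example, not code from the exam dump. The test server and its banner are
# constructed for the illustration; FAKE_BANNER is an assumption, not a real host.
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

FAKE_BANNER = "Apache/2.4.41 (Ubuntu)"   # constructed Server header


class _BannerHandler(BaseHTTPRequestHandler):
    """Minimal server that answers HEAD / with a fixed Server header."""
    server_version = FAKE_BANNER
    sys_version = ""          # keep "Python/x.y" out of the Server header

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):  # silence request logging
        pass


def start_test_server():
    """Start the throwaway server on an ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _BannerHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fingerprint(host, port=80, timeout=5.0):
    """Send 'HEAD / HTTP/1.0' as one would in telnet and return the response
    headers as a dict (status line under 'status', header names lower-cased).
    HTTP/1.0 makes the server close the connection, so reading to EOF is safe."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks).decode("latin-1")
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {"status": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def server_banner(host, port=80):
    """Just the Server header, which is what the fingerprinting step is after."""
    return fingerprint(host, port).get("server", "")


if __name__ == "__main__":
    srv, port = start_test_server()
    print(fingerprint("127.0.0.1", port))
    srv.shutdown()
```

HEAD is used rather than GET because it returns the same headers without the body, and HTTP/1.0 is used so the server closes the connection by itself; a hardened server will blank or falsify the Server header, so treat the banner as a hint and confirm with behaviour-based checks.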
NO.287 If a tester is attempting to ping a target that exists but receives no response or a response
that states the destination is unreachable, ICMP may be disabled and the network may be using TCP.
Which other option could the tester use to get a response from a host using TCP?
A. Hping
B. Traceroute
C. TCP ping
D. Broadcast ping
Answer: A
NO.288 Which of the following tools would be the best choice for achieving compliance with PCI
Requirement 11?
A. Truecrypt
B. Sub7
C. Nessus
D. Clamwin
Answer: C
NO.289 An attacker is trying to redirect the traffic of a small office. That office is using their own
mail server, DNS server and NTP server because of the importance of their job. The attacker gains
access to the DNS server and redirects the record for www.google.com to his own IP address. Now
when the employees of the office want to go to Google they are redirected to the attacker's
machine. What is the name of this kind of attack?
A. ARP Poisoning
B. Smurf Attack
C. DNS spoofing
D. MAC Flooding
Answer: C
NO.290 After trying multiple exploits, you've gained root access to a CentOS 6 server. To ensure you
maintain access, what would you do first?
A. Create User Account
B. Disable Key Services
C. Disable IPTables
D. Download and Install Netcat
Answer: A
NO.291 If an e-commerce site was put into a live environment and the programmers failed to
remove the secret entry point that was used during the application development, what is this secret
entry point known as?
A. SDLC process
B. Honey pot
C. SQL injection
D. Trap door
Answer: D
NO.292 The following is an entry captured by a network IDS. You are assigned the task of analyzing
this entry. You notice the value 0x90, which is the most common NOOP instruction for the Intel
processor. You figure that the attacker is attempting a buffer overflow attack.
You also notice "/bin/sh" in the ASCII part of the output.
As an analyst what would you conclude about the attack?
A. The buffer overflow attack has been neutralized by the IDS
B. The attacker is creating a directory on the compromised machine
C. The attacker is attempting a buffer overflow attack and has succeeded
D. The attacker is attempting an exploit that launches a command-line shell
Answer: D
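Added example, not from the original page: the two indicators the analyst in NO.292 relies on, a run of 0x90 NOP bytes and a cleartext shell path, checked programmatically over a packet payload and shown in an IDS-style hex/ASCII dump. The payload is constructed for the illustration (a NOP sled followed by inert filler and the string "/bin/sh"); it is not the IDS entry the question refers to, and the code draws the same conclusion as answer D: the payload shows an attempt to launch a shell, not whether it succeeded.

```python
# Added example, not code from the exam dump. SAMPLE_PAYLOAD is constructed:
# a NOP sled, four int3 bytes as filler, and a shell path. It is not shellcode.
NOP = 0x90                     # x86 one-byte NOP
SHELL_MARKERS = (b"/bin/sh", b"/bin/bash")


def longest_nop_run(payload: bytes) -> int:
    """Length of the longest contiguous run of 0x90 bytes."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == NOP else 0
        best = max(best, cur)
    return best


def classify(payload: bytes, min_sled: int = 16) -> dict:
    """What the payload suggests: a NOP sled of at least min_sled bytes points to
    a buffer-overflow attempt; a shell path in the cleartext points to an exploit
    whose goal is a command shell. Neither indicator says whether it succeeded."""
    sled = longest_nop_run(payload)
    marker = next((m for m in SHELL_MARKERS if m in payload), None)
    return {
        "nop_sled": sled,
        "shell_marker": marker.decode() if marker else None,
        "overflow_attempt": sled >= min_sled,
        "launches_shell": marker is not None,
    }


def hexdump(payload: bytes, width: int = 16) -> str:
    """IDS-style hex/ASCII dump so the 0x90 run and '/bin/sh' are visible."""
    lines = []
    for off in range(0, len(payload), width):
        chunk = payload[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


# Constructed sample (not the entry from the question): 32-byte sled, filler, shell path.
SAMPLE_PAYLOAD = b"\x90" * 32 + b"\xcc" * 4 + b"/bin/sh" + b"\x00" * 4

if __name__ == "__main__":
    print(hexdump(SAMPLE_PAYLOAD))
    print(classify(SAMPLE_PAYLOAD))
```

The sled length threshold is what keeps legitimate binary traffic (which can contain a stray 0x90) from alerting; real rules also key on the destination service and on the response, because only a follow-up connection or shell traffic shows that the exploit worked.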
NO.293 Security and privacy of information systems are two areas that require lawful
regulation. Which of the following regulations defines security and privacy controls for Federal
information systems and organizations?
A. NIST SP 800-53
B. PCI-DSS
C. EU Safe Harbor
D. HIPAA
Answer: A
NO.294 A circuit level gateway works at which of the following layers of the OSI Model?
A. Layer 5 - Application
B. Layer 4 - TCP
C. Layer 3 - Internet protocol
D. Layer 2 - Data link
Answer: B
NO.295 You need to deploy a new web-based software package for your organization. The package
requires three separate servers and needs to be available on the Internet. What is the recommended
architecture in terms of server placement?
A. All three servers need to be placed internally
B. A web server facing the Internet, an application server on the internal network, a database server
on the internal network
C. A web server and the database server facing the Internet, an application server on the internal
network
D. All three servers need to face the Internet so that they can communicate between themselves
Answer: B
NO.296 What is the purpose of a demilitarized zone on a network?
A. To scan all traffic coming through the DMZ to the internal network
B. To only provide direct access to the nodes within the DMZ and protect the network behind it
C. To provide a place to put the honeypot
D. To contain the network devices you wish to protect
Answer: B
NO.297 Which of the following areas is considered a strength of symmetric key cryptography when
compared with asymmetric algorithms?
A. Scalability
B. Speed
C. Key distribution
D. Security
Answer: B
NO.298 A certified ethical hacker (CEH) completed a penetration test of the main headquarters of a
company almost two months ago, but has yet to get paid. The customer is suffering from financial
problems, and the CEH is worried that the company will go out of business and end up not paying.
What actions should the CEH take?
A. Threaten to publish the penetration test results if not paid.
B. Follow proper legal procedures against the company to request payment.
C. Tell other customers of the financial problems with payments from this company.
D. Exploit some of the vulnerabilities found on the company webserver to deface it.
Answer: B
NO.299 Which United States legislation mandates that the Chief Executive Officer (CEO) and the
Chief Financial Officer (CFO) must sign statements verifying the completeness and accuracy of
financial reports?
A. Sarbanes-Oxley Act (SOX)
B. Gramm-Leach-Bliley Act (GLBA)
C. Fair and Accurate Credit Transactions Act (FACTA)
D. Federal Information Security Management Act (FISMA)
Answer: A
NO.300 Which of the following Nmap commands will produce the following output?
Output:
A. nmap -sN -Ps -T4 192.168.1.1
B. nmap -sT -sX -Pn -p 1-65535 192.168.1.1
C. nmap -sS -Pn 192.168.1.1
D. nmap -sS -sU -Pn -p 1-65535 192.168.1.1
Answer: D
NO.301 Developers at your company are creating a web application which will be available for use
by anyone on the Internet. The developers have taken the approach of implementing a Three-Tier
Architecture for the web application. The developers are now asking you which network the
Presentation Tier (front-end web server) should be placed in.
A. isolated vlan network
B. Mesh network
C. DMZ network
D. Internal network
Answer: A
NO.302 A medium-sized healthcare IT business decides to implement a risk management strategy.
Which of the following is NOT one of the five basic responses to risk?
A. Delegate
B. Avoid
C. Mitigate
D. Accept
Answer: A
Explanation
There are five main ways to manage risk: acceptance, avoidance, transference, mitigation or
exploitation.
References:
http://www.dbpmanagement.com/15/5-ways-to-manage-risk
NO.303 Which of the following provides a security professional with the most information about a
system's security posture?
A. Wardriving, warchalking, social engineering
B. Social engineering, company site browsing, tailgating
C. Phishing, spamming, sending trojans
D. Port scanning, banner grabbing, service identification
Answer: D
NO.304 Which of the following steps for risk assessment methodology refers to vulnerability
identification?
A. Determines if any flaws exist in systems, policies, or procedures
B. Assigns values to risk probabilities; Impact values.
C. Determines risk probability that vulnerability will be exploited (High, Medium, Low)
D. Identifies sources of harm to an IT system (Natural, Human, Environmental)
Answer: A
NO.305 The use of technologies like IPSec can help guarantee the following: authenticity, integrity,
confidentiality and
A. non-repudiation.
B. operability.
C. security.
D. usability.
Answer: A
NO.306 A zone file consists of which of the following Resource Records (RRs)?
A. DNS, NS, AXFR, and MX records
B. DNS, NS, PTR, and MX records
C. SOA, NS, AXFR, and MX records
D. SOA, NS, A, and MX records
Answer: D
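Added example (not from the exam dump): a small parser for the record types in NO.306's answer, SOA, NS, A and MX, run over a constructed zone for the made-up domain example.test (addresses from the 192.0.2.0/24 documentation range). It handles $ORIGIN and $TTL, the parenthesised multi-line SOA, comments, relative versus absolute owner names and a per-record TTL, and it also produces the host-to-address map that a successful zone transfer hands an attacker.

```python
# Added example, not code from the exam dump. SAMPLE_ZONE, example.test and
# every address in it are constructed for the illustration.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@       IN  SOA  ns1.example.test. hostmaster.example.test. (
                2024010101 ; serial
                7200       ; refresh
                900        ; retry
                1209600    ; expire
                3600 )     ; minimum
@       IN  NS   ns1.example.test.
@       IN  NS   ns2.example.test.
@       IN  MX   10 mail.example.test.
ns1     IN  A    192.0.2.1
ns2     IN  A    192.0.2.2
mail    IN  A    192.0.2.10
www     600 IN A 192.0.2.20
"""

RR_TYPES = {"SOA", "NS", "A", "MX"}


def _logical_lines(text: str):
    """Yield logical lines: comments stripped, '( ... )' continuations merged.
    Leading whitespace of the first physical line is kept (it means 'same owner')."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined = " ".join(buf).rstrip()
            buf = []
            if joined.strip():
                yield joined


def _fqdn(name: str, origin: str) -> str:
    """Make a relative name absolute; '@' means the origin itself."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str):
    """Return a list of (owner, ttl, type, rdata tuple) for SOA/NS/A/MX records."""
    origin, default_ttl, last_owner = ".", 3600, None
    records = []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if line[0].isspace():            # no owner field: inherit the previous one
            owner = last_owner
        else:
            owner, tokens = tokens[0], tokens[1:]
        ttl = default_ttl
        if tokens and tokens[0].isdigit():   # optional per-record TTL
            ttl, tokens = int(tokens[0]), tokens[1:]
        if tokens and tokens[0].upper() == "IN":
            tokens = tokens[1:]
        rtype, rdata = tokens[0].upper(), tokens[1:]
        last_owner = owner
        if rtype not in RR_TYPES:
            continue
        if rtype == "SOA":
            data = (_fqdn(rdata[0], origin), _fqdn(rdata[1], origin),
                    *map(int, rdata[2:7]))      # serial, refresh, retry, expire, minimum
        elif rtype == "NS":
            data = (_fqdn(rdata[0], origin),)
        elif rtype == "MX":
            data = (int(rdata[0]), _fqdn(rdata[1], origin))
        else:                                   # A
            data = (rdata[0],)
        records.append((_fqdn(owner, origin), ttl, rtype, data))
    return records


def records_of(records, rtype):
    return [r for r in records if r[2] == rtype]


def host_map(records):
    """Hostname -> IPv4 address from the A records: the host list a zone transfer leaks."""
    return {owner: data[0] for owner, _, rtype, data in records if rtype == "A"}


if __name__ == "__main__":
    for rec in parse_zone(SAMPLE_ZONE):
        print(rec)
```

The SOA serial is worth checking in practice: the zone transfer protocol hands out the full record set when a secondary's serial is older, so a server that allows AXFR to anyone gives the attacker exactly what host_map() returns here.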
NO.307 Which of the following is a hardware requirement that either an IDS/IPS system or a proxy
server must have in order to properly function?
A. Fast processor to help with network traffic analysis
B. They must be dual-homed
C. Similar RAM requirements
D. Fast network interface cards
Answer: B
Explanation
Dual-homed or dual-homing can refer either to an Ethernet device that has more than one network
interface, for redundancy purposes, or, in firewall technology, to one of the firewall architectures
(also used by IDS/IPS systems) for implementing preventive security.
References: https://en.wikipedia.org/wiki/Dual-homed
NO.308 Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense
conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone,
grabs the door as it begins to close.
What just happened?
A. Phishing
B. Whaling
C. Tailgating
D. Masquerading
Answer: C
NO.309 Which of the following Nmap commands would be used to perform stack fingerprinting?
A. nmap -O -p80 <host(s)>
B. nmap -hU -Q <host(s)>
C. nmap -sT -p <host(s)>
D. nmap -u -o -w2 <host>
E. nmap -sS -0p target
Answer: A
NO.310 An IT security engineer notices that the company's web server is currently being hacked.
What should the engineer do next?
A. Unplug the network connection on the company's web server.
B. Determine the origin of the attack and launch a counterattack.
C. Record as much information as possible from the attack.
D. Perform a system restart on the company's web server.
Answer: C
NO.311 Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt
to use these tools in his lab and is now ready for real world exploitation. He was able to effectively
intercept communications between the two entities and establish credentials with both sides of the
connections. The two remote ends of the communication never notice that Eric is relaying the
information between the two. What would you call this attack?
A. Interceptor
B. Man-in-the-middle
C. ARP Proxy
D. Poisoning Attack
Answer: B
NO.312 Which security control role does encryption meet?
A. Preventative
B. Detective
C. Offensive
D. Defensive
Answer: A
NO.313 Prospective clients want to see sample reports from previous penetration tests.
What should you do next?
A. Decline, but provide references.
B. Share full reports, not redacted.
C. Share full reports with redactions.
D. Share reports, after NDA is signed.
Answer: A
Explanation
Penetration test data should not be disclosed to third parties.
NO.314 How is sniffing broadly categorized?
A. Active and passive
B. Broadcast and unicast
C. Unmanaged and managed
D. Filtered and unfiltered
Answer: A
NO.315 To send a PGP encrypted message, which piece of information from the recipient must the
sender have before encrypting the message?
A. Recipient's private key
B. Recipient's public key
C. Master encryption key
D. Sender's public key
Answer: B
NO.316 The ViruXine.W32 virus hides its presence by changing the underlying executable code.
This virus code mutates while keeping the original algorithm intact: the code changes itself each time
it runs, but the function of the code (its semantics) does not change at all.
Here is a section of the Virus code:
What is this technique called?
A. Polymorphic Virus
B. Metamorphic Virus
C. Dravidic Virus
D. Stealth Virus
Answer: A
NO.317 Shellshock had the potential for an unauthorized user to gain access to a server. It affected
many internet-facing services. Which OS did it not directly affect?
A. Windows
B. Unix
C. Linux
D. OS X
Answer: A
NO.318 The Open Web Application Security Project (OWASP) testing methodology addresses the
need to secure web applications by providing which one of the following services?
A. An extensible security framework named COBIT
B. A list of flaws and how to fix them
C. Web application patches
D. A security certification for hardened web applications
Answer: B
NO.319 Email is transmitted across the Internet using the Simple Mail Transfer Protocol. SMTP
does not encrypt email, leaving the information in the message vulnerable to being read by an
unauthorized person. SMTP can upgrade a connection between two mail servers to use TLS. Email
transmitted by SMTP over TLS is encrypted. What is the name of the command used by SMTP to
transmit email over TLS?
A. OPPORTUNISTICTLS
B. STARTTLS
C. FORCETLS
D. UPGRADETLS
Answer: B
NO.320 Which of the below hashing functions are not recommended for use?
A. SHA-1, ECC
B. MD5, SHA-1
C. SHA-2, SHA-3
D. MD5, SHA-5
Answer: B
NO.321 Which solution can be used to emulate computer services, such as mail and ftp, and to
capture information related to logins or actions?
A. Firewall
B. Honeypot
C. Core server
D. Layer 4 switch
Answer: B
NO.322 An IT employee got a call from one of our best customers. The caller wanted to know about
the company's network infrastructure, systems, and team. New opportunities of integration are in
sight for both company and customer. What should this employee do?
A. Since the company's policy is all about Customer Service, he/she will provide the information.
B. Disregarding the call, the employee should hang up.
C. The employee should not provide any information without prior management authorization.
D. The employee cannot provide any information but will, anyway, provide the name of the
person in charge.
Answer: C
NO.323 Which of the following items is unique to the N-tier architecture method of designing
software applications?
A. Application layers can be separated, allowing each layer to be upgraded independently from other
layers.
B. It is compatible with various databases including Access, Oracle, and SQL.
C. Data security is tied into each layer and must be updated for all layers when any upgrade is
performed.
D. Application layers can be written in C, ASP.NET, or Delphi without any performance loss.
Answer: A
NO.324 This TCP flag instructs the sending system to transmit all buffered data immediately.
A. SYN
B. RST
C. PSH
D. URG
E. FIN
Answer: C
NO.325 Identify the UDP port that Network Time Protocol (NTP) uses as its primary means of
communication.
A. 123
B. 161
C. 69
D. 113
Answer: A
NO.326 A large mobile telephony and data network operator has a data center that houses network
elements. These are essentially large computers running on Linux. The perimeter of the data center is
secured with firewalls and IPS systems. What is the best security policy concerning this setup?
A. Network elements must be hardened with user ids and strong passwords. Regular security tests
and audits should be performed.
B. As long as the physical access to the network elements is restricted, there is no need for additional
measures.
C. There is no need for specific security measures on the network elements as long as firewalls and
IPS systems exist.
D. The operator knows that attacks and down time are inevitable and should have a backup site.
Answer: A
NO.327 Which of the following attacks exploits web page vulnerabilities that allow an attacker to
force an unsuspecting user's browser to send malicious requests they did not intend?
A. Command Injection Attacks
B. File Injection Attack
C. Cross-Site Request Forgery (CSRF)
D. Hidden Field Manipulation Attack
Answer: C
NO.328 The company ABC recently contracted a new accountant. The accountant will be working
with the financial statements. Those financial statements need to be approved by the CFO and then
they will be sent to the accountant, but the CFO is worried because he wants to be sure that the
information sent to the accountant was not modified once he approved it. Which of the following
options can be useful to ensure the integrity of the data?
A. The document can be sent to the accountant using an exclusive USB for that document.
B. The CFO can use a hash algorithm on the document once he has approved the financial statements.
C. The financial statements can be sent twice, one by email and the other delivered on USB, and the
accountant can compare both to be sure it is the same document.
D. The CFO can use an Excel file with a password.
Answer: B
NO.329 The "black box testing" methodology enforces which kind of restriction?
A. Only the external operation of a system is accessible to the tester.
B. Only the internal operation of a system is known to the tester.
C. The internal operation of a system is only partly accessible to the tester.
D. The internal operation of a system is completely known to the tester.
Answer: A
Explanation
Black-box testing is a method of software testing that examines the functionality of an application
without peering into its internal structures or workings.
References: https://en.wikipedia.org/wiki/Black-box_testing
NO.330 Which of the following statements is TRUE?
A. Sniffers operate on Layer 2 of the OSI model
B. Sniffers operate on Layer 3 of the OSI model
C. Sniffers operate on both Layer 2 & Layer 3 of the OSI model.
D. Sniffers operate on Layer 1 of the OSI model.
Answer: A
Explanation
OSI layer 2 is where packet sniffers collect their data.
References: https://en.wikipedia.org/wiki/Ethernet_frame
NO.331 While performing data validation of web content, a security technician is required to restrict
malicious input.
Which of the following processes is an efficient way of restricting malicious input?
A. Validate web content input for query strings.
B. Validate web content input with scanning tools.
C. Validate web content input for type, length, and range.
D. Validate web content input for extraneous queries.
Answer: C
NO.332 A bank stores and processes sensitive privacy information related to home loans. However,
auditing has never been enabled on the system. What is the first step that the bank should take
before enabling the audit feature?
A. Perform a vulnerability scan of the system.
B. Determine the impact of enabling the audit feature.
C. Perform a cost/benefit analysis of the audit feature.
D. Allocate funds for staffing of audit log review.
Answer: B
NO.333 Firewalls are software or hardware systems that are able to control and monitor the
traffic coming in and out of the target network based on a pre-defined set of rules.
Which of the following types of firewalls can protect against SQL injection attacks?
A. Data-driven firewall
B. Stateful firewall
C. Packet firewall
D. Web application firewall
Answer: D
NO.334 Which of these options is the most secure procedure for storing backup tapes?
A. In a climate controlled facility offsite
B. On a different floor in the same building
C. Inside the data center for faster retrieval in a fireproof safe
D. In a cool dry environment
Answer: A
Explanation
An effective disaster data recovery strategy should consist of producing backup tapes and housing
them in an offsite storage facility. This way the data isn't compromised if a natural disaster affects the
business' office. It is highly recommended that the backup tapes be handled properly and stored in a
secure, climate controlled facility. This provides peace of mind, and gives the business almost
immediate stability after a disaster.
References:
http://www.entrustrm.com/blog/1132/why-is-offsite-tape-storage-the-best-disaster-recoverystrategy
NO.335 Which of the following items of a computer system will an anti-virus program scan for
viruses?
A. Boot Sector
B. Deleted Files
C. Windows Process List
D. Password Protected Files
Answer: A
NO.336 When conducting a penetration test, it is crucial to use all means to get all available
information about the target network. One of the ways to do that is by sniffing the network. Which of
the following cannot be performed by passive network sniffing?
A. Identifying operating systems, services, protocols and devices
B. Modifying and replaying captured network traffic
C. Collecting unencrypted information about usernames and passwords
D. Capturing network traffic for further analysis
Answer: B
NO.337 Passive reconnaissance involves collecting information through which of the following?
A. Social engineering
B. Network traffic sniffing
C. Man in the middle attacks
D. Publicly accessible sources
Answer: D
NO.338 In cryptanalysis and computer security, 'pass the hash' is a hacking technique that allows an
attacker to authenticate to a remote server/service by using the underlying NTLM and/or LanMan
hash of a user's password, instead of requiring the associated plaintext password as is normally the
case.
Metasploit Framework has a module for this technique: psexec. The psexec module is often used by
penetration testers to obtain access to a given system whose credentials are already known. The
original PsExec utility was written by Sysinternals, and the technique has been integrated within the
framework. Often, penetration testers successfully gain access to a system through some exploit, use
Meterpreter to grab the password hashes (or use other methods like fgdump, pwdump, or cachedump)
and then use rainbow tables to crack those hash values.
Which of the following is the correct hash type and order used in the psexec module's
SMBPass option?
A. NT:LM
B. LM:NT
C. LM:NTLM
D. NTLM:LM
Answer: B
NO.339 Which of the following descriptions is true about a static NAT?
A. A static NAT uses a many-to-many mapping.
B. A static NAT uses a one-to-many mapping.
C. A static NAT uses a many-to-one mapping.
D. A static NAT uses a one-to-one mapping.
Answer: D
NO.340 Security Policy is a definition of what it means to be secure for a system, organization or
other entity. For Information Technologies, there are sub-policies like Computer Security Policy,
Information Protection Policy, Information Security Policy, Network Security Policy, Physical Security
Policy, Remote Access Policy, and User Account Policy.
What is the main theme of the sub-policies for Information Technologies?
A. Availability, Non-repudiation, Confidentiality
B. Authenticity, Integrity, Non-repudiation
C. Confidentiality, Integrity, Availability
D. Authenticity, Confidentiality, Integrity
Answer: C
NO.341 What are two things that are possible when scanning UDP ports? (Choose two.)
A. A reset will be returned
B. An ICMP message will be returned
C. The four-way handshake will not be completed
D. An RFC 1294 message will be returned
E. Nothing
Answer: B, E
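Added example (not from the exam dump): the two outcomes in NO.341's answer, an ICMP port unreachable or nothing at all, reproduced on the loopback interface, plus the third case where a service actually answers. It uses a connected UDP socket because that is what makes the kernel hand the ICMP error back as ECONNREFUSED; the silent listener and the echo listener are constructed stand-ins for real services, ports are picked at run time, and no external host is involved. The ECONNREFUSED mapping is Linux/BSD socket behaviour.

```python
# Added example, not code from the exam dump. Listeners and ports are constructed
# on the loopback interface for the illustration.
import socket
import threading

HOST = "127.0.0.1"   # every probe here stays on the loopback interface


def udp_probe(host: str, port: int, timeout: float = 1.0, payload: bytes = b"\x00") -> str:
    """Return 'closed' on ICMP port unreachable, 'open' if the service answers,
    'open|filtered' if nothing comes back before the timeout (the scanner cannot
    tell a silent open port from a firewall that dropped the datagram)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() is what makes the kernel report the ICMP error on this socket
        # as ECONNREFUSED; an unconnected socket would simply time out.
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def silent_listener():
    """Bind a UDP port that never answers (the 'nothing' case); returns (sock, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((HOST, 0))
    return s, s.getsockname()[1]


def echo_listener():
    """Bind a UDP port that echoes every datagram (a service that does answer)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((HOST, 0))

    def serve():
        try:
            while True:
                data, peer = s.recvfrom(1024)
                s.sendto(data, peer)
        except OSError:
            pass  # socket closed by the caller
    threading.Thread(target=serve, daemon=True).start()
    return s, s.getsockname()[1]


def free_port() -> int:
    """A UDP port nobody is bound to, so a probe draws an ICMP port unreachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def demo(timeout: float = 0.5) -> dict:
    """Probe the three situations and return the state reported for each."""
    quiet, quiet_port = silent_listener()
    echo, echo_port = echo_listener()
    closed_port = free_port()
    try:
        return {
            "silent": udp_probe(HOST, quiet_port, timeout),
            "echo": udp_probe(HOST, echo_port, timeout),
            "closed": udp_probe(HOST, closed_port, timeout),
        }
    finally:
        quiet.close()
        echo.close()


if __name__ == "__main__":
    print(demo())
```

Real scanners send a protocol-specific payload (a DNS query to 53, an SNMP get to 161) to turn more of the open|filtered results into open, and they pace probes because most hosts rate-limit the ICMP unreachables that mark a port closed.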
NO.342 Based on the following extract from the log of a compromised machine, what is the hacker
really trying to steal?
A. har.txt
B. SAM file
C. wwwroot
D. Repair file
Answer: B
NO.343 The precaution of prohibiting employees from bringing personal computing devices into a
facility is what type of security control?
A. Physical
B. Procedural
C. Technical
D. Compliance
Answer: B
NO.344 Steve, a scientist who works in a governmental security agency, developed a technological
solution to identify people based on walking patterns and implemented this approach as a physical
access control.
A camera captures people walking and identifies the individuals using Steve's approach.
After that, people must present their RFID badges. Both identifications are required to open
the door.
In this case, we can say:
A. Although the approach has two phases, it actually implements just one authentication factor
B. The solution implements two authentication factors: physical object and physical characteristic
C. The solution will have a high level of false positives
D. Biological motion cannot be used to identify people
Answer: B
NO.345 A pentester gains access to a Windows application server and needs to determine the
settings of the built-in Windows firewall. Which command would be used?
A. Netsh firewall show config
B. WMIC firewall show config
C. Net firewall show config
D. Ipconfig firewall show config
Answer: A
NO.346 You need a tool that can do network intrusion prevention and intrusion detection, function
as a network sniffer, and record network activity. What tool would you most likely select?
A. Nmap
B. Cain & Abel
C. Nessus
D. Snort
Answer: D
NO.347 The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but
introduces which of the following vulnerabilities?
A. An attacker, working slowly enough, can evade detection by the IDS.
B. Network packets are dropped if the volume exceeds the threshold.
C. Thresholding interferes with the IDS' ability to reassemble fragmented packets.
D. The IDS will not distinguish among packets originating from different sources.
Answer: A
NO.348 Look at the following output. What did the hacker accomplish?
A. The hacker used whois to gather publicly available records for the domain.
B. The hacker used the "fierce" tool to brute force the list of available domains.
C. The hacker listed DNS records on his own domain.
D. The hacker successfully transferred the zone and enumerated the hosts.
Answer: D
NO.349 What is the correct PCAP filter to capture all TCP traffic going to or from host 192.168.0.125
on port 25?
A. tcp.src == 25 and ip.host == 192.168.0.125
B. host 192.168.0.125:25
C. port 25 and host 192.168.0.125
D. tcp.port == 25 and ip.host == 192.168.0.125
Answer: C
NO.350 A network administrator discovers several unknown files in the root directory of his Linux
FTP server. One of the files is a tarball, two are shell script files, and the fourth is a binary file named
"nc". The FTP server's access logs show that the anonymous user account logged in to the server,
uploaded the files, extracted the contents of the tarball and ran the script using a function
provided by the FTP server's software. The ps command shows that the nc file is running as a process,
3316provided by the FTP server's software. The ps command shows that the nc file is running as process,
3317IT Certification Guaranteed, The Easy Way!
331890
3319and the netstat command shows the nc process is listening on a network port.
3320What kind of vulnerability must be present to make this remote attack possible?
3321A. File system permissions
3322B. Privilege escalation
3323C. Directory traversal
3324D. Brute force login
3325Answer: A
3326Explanation
3327To upload files the user must have proper write file permissions.
3328References:
3329http://codex.wordpress.org/Hardening_WordPress
3330NO.351 You have compromised a server on a network and successfully opened a shell. You aimed to
3331identify all operating systems running on the network. However, as you attempt to fingerprint all
3332machines in the network using the nmap syntax below, it is not going through.
3333What seems to be wrong?
3334A. OS Scan requires root privileges.
3335B. The nmap syntax is wrong.
3336C. This is a common behavior for a corrupted nmap application.
3337D. The outgoing TCP/IP fingerprinting is blocked by the host firewall.
3338Answer: A
3339Explanation
3340You requested a scan type which requires root privileges.
3341References:
3342http://askubuntu.com/questions/433062/using-nmap-for-information-regarding-web-host
NO.352 A hacker is attempting to use nslookup to query Domain Name Service (DNS). The hacker
uses the nslookup interactive mode for the search. Which command should the hacker type into the
command shell to request the appropriate records?
A. Locate type=ns
B. Request type=ns
C. Set type=ns
D. Transfer type=ns
Answer: C
NO.353 Which of the following processes evaluates the adherence of an organization to its stated
security policy?
A. Vulnerability assessment
B. Penetration testing
C. Risk assessment
D. Security auditing
Answer: D
NO.354 What is the main reason the use of a stored biometric is vulnerable to an attack?
A. The digital representation of the biometric might not be unique, even if the physical characteristic
is unique.
B. Authentication using a stored biometric compares a copy to a copy instead of the original to a
copy.
C. A stored biometric is no longer "something you are" and instead becomes "something you have".
D. A stored biometric can be stolen and used by an attacker to impersonate the individual identified
by the biometric.
Answer: D
NO.355 A computer science student needs to fill some information into a secured Adobe PDF job
application that was received from a prospective employer. Instead of requesting a new document
that allows the forms to be completed, the student decides to write a script that pulls passwords
from a list of commonly used passwords to try against the secured PDF until the correct password is
found or the list is exhausted.
Which cryptography attack is the student attempting?
A. Man-in-the-middle attack
B. Brute-force attack
C. Dictionary attack
D. Session hijacking
Answer: C
NO.356 Which of the following is the best countermeasure to encrypting ransomware?
A. Use multiple antivirus programs
B. Keep several generations of off-line backups
C. Analyze the ransomware to get the decryption key of the encrypted data
D. Pay a ransom
Answer: B
NO.357 You have successfully compromised a machine on the network and found a server that is
alive on the same network. You tried to ping it but you didn't get any response back.
What is happening?
A. ICMP could be disabled on the target server.
B. ARP is disabled on the target server.
C. TCP/IP doesn't support ICMP.
D. You need to run the ping command with root privileges.
Answer: A
Explanation
The ping utility is implemented using the ICMP "Echo request" and "Echo reply" messages.
Note: The Internet Control Message Protocol (ICMP) is one of the main protocols of the internet
protocol suite. It is used by network devices, like routers, to send error messages indicating, for
example, that a requested service is not available or that a host or router could not be reached.
References: https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
NO.358 Which tool is used to automate SQL injections and exploit a database by forcing a given web
application to connect to another database controlled by a hacker?
A. DataThief
B. NetCat
C. Cain and Abel
D. SQLInjector
Answer: A
NO.359 A security engineer is attempting to map a company's internal network. The engineer enters
the following NMAP command:
NMAP -n -sS -P0 -p 80 ***.***.**.**
What type of scan is this?
A. Quick scan
B. Intense scan
C. Stealth scan
D. Comprehensive scan
Answer: C
NO.360 Which of the following is an example of an asymmetric encryption implementation?
A. SHA1
B. PGP
C. 3DES
D. MD5
Answer: B
NO.361 Which of the following is the BEST way to protect Personally Identifiable Information (PII)
from being exploited due to vulnerabilities of varying web applications?
A. Use cryptographic storage to store all PII
B. Use full disk encryption on all hard drives to protect PII
C. Use encrypted communications protocols to transmit PII
D. Use a security token to log into all Web applications that use PII
Answer: C
NO.362 Trinity needs to scan all hosts on a /16 network for TCP port 445 only. What is the fastest
way she can accomplish this with Nmap? Stealth is not a concern.
A. nmap -sn -sF 10.1.0.0/16 445
B. nmap -p 445 -n -T4 --open 10.1.0.0/16
C. nmap -s 445 -sU -T5 10.1.0.0/16
D. nmap -p 445 -max -Pn 10.1.0.0/16
Answer: B
NO.363 It is a kind of malware (malicious software) that criminals install on your computer so they
can lock it from a remote location. This malware generates a pop-up window, webpage, or email
warning from what looks like an official authority. It explains that your computer has been locked
because of possible illegal activities on it and demands payment before you can access your files and
programs again.
Which of the following terms best matches the definition?
A. Ransomware
B. Adware
C. Spyware
D. Riskware
Answer: A
Explanation
Ransomware is a type of malware that can be covertly installed on a computer without the knowledge or
intention of the user, that restricts access to the infected computer system in some way, and
demands that the user pay a ransom to the malware operators to remove the restriction. Some
forms of ransomware systematically encrypt files on the system's hard drive, which become difficult
or impossible to decrypt without paying the ransom for the encryption key, while some may simply
lock the system and display messages intended to coax the user into paying. Ransomware typically
propagates as a Trojan.
References: https://en.wikipedia.org/wiki/Ransomware
NO.364 What are the three types of authentication?
A. Something you: know, remember, prove
B. Something you: have, know, are
C. Something you: show, prove, are
D. Something you: show, have, prove
Answer: B
NO.365 What is the proper response for a NULL scan if the port is open?
A. SYN
B. ACK
C. FIN
D. PSH
E. RST
F. No response
Answer: F
NO.366 An nmap command that includes the host specification of 202.176.56-57.* will scan
_______ number of hosts.
A. 2
B. 256
C. 512
D. Over 10,000
Answer: C
NO.367 What is the code written for?
A. Buffer Overflow
B. Encryption
C. Bruteforce
D. Denial-of-service (DoS)
Answer: A
NO.368 When analyzing the IDS logs, the system administrator noticed an alert was logged when
the external router was accessed from the administrator's computer to update the router
configuration. What type of an alert is this?
A. False positive
B. False negative
C. True positive
D. True negative
Answer: A
NO.369 How does an operating system protect the passwords used for account logins?
A. The operating system performs a one-way hash of the passwords.
B. The operating system stores the passwords in a secret file that users cannot find.
C. The operating system encrypts the passwords, and decrypts them when needed.
D. The operating system stores all passwords in a protected segment of non-volatile memory.
Answer: A
NO.370 What type of analysis is performed when an attacker has partial knowledge of the inner workings
of the application?
A. Black-box
B. Announced
C. White-box
D. Grey-box
Answer: D
NO.371 Which of the following settings enables Nessus to detect when it is sending too many
packets and the network pipe is approaching capacity?
A. Netstat WMI Scan
B. Silent Dependencies
C. Consider unscanned ports as closed
D. Reduce parallel connections on congestion
Answer: D
NO.372 Name two software tools used for OS guessing. (Choose two.)
A. Nmap
B. Snadboy
C. Queso
D. UserInfo
E. NetBus
Answer: A, C
NO.373 What is one thing a tester can do to ensure that the software is trusted and is not changing
or tampering with critical data on the back end of a system it is loaded on?
A. Proper testing
B. Secure coding principles
C. Systems security and architecture review
D. Analysis of interrupts within the software
Answer: D
NO.374 Bob received this text message on his mobile phone: "Hello, this is Scott Smelby from the
Yahoo Bank.
Kindly contact me for a vital transaction on: scottsmelby@yahoo.com". Which statement below is
true?
A. This is probably a legitimate message as it comes from a respectable organization.
B. Bob should write to scottsmelby@yahoo.com to verify the identity of Scott.
C. This is a scam, as anybody can get a @yahoo address, not only the Yahoo customer service
employees.
D. This is a scam because Bob does not know Scott.
Answer: C
NO.375 You are attempting to run an Nmap port scan on a web server. Which of the following
commands would result in a scan of common ports with the least amount of noise in order to evade
IDS?
A. nmap -A -Pn
B. nmap -sP -p-65535 -T5
C. nmap -sT -O -T0
D. nmap -A --host-timeout 99 -T1
Answer: C
NO.376 Which of the following is the BEST approach to prevent Cross-site Scripting (XSS) flaws?
A. Use digital certificates to authenticate a server prior to sending data.
B. Verify access rights before allowing access to protected information and UI controls.
C. Verify access rights before allowing access to protected information and UI controls.
D. Validate and escape all information sent to a server.
Answer: D
NO.377 Which of the following is a preventive control?
A. Smart card authentication
B. Security policy
C. Audit trail
D. Continuity of operations plan
Answer: A
NO.378 To determine if a software program properly handles a wide range of invalid input, a form of
automated testing can be used to randomly generate invalid input in an attempt to crash the
program.
What term is commonly used when referring to this type of testing?
A. Fuzzing
B. Randomizing
C. Mutating
D. Bounding
Answer: A
Explanation
Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that
involves providing invalid, unexpected, or random data to the inputs of a computer program. The
program is then monitored for exceptions such as crashes, failing built-in code assertions, or
potential memory leaks. Fuzzing is commonly used to test for security problems in software
or computer systems. It is a form of random testing which has been used for testing hardware or
software.
References: https://en.wikipedia.org/wiki/Fuzz_testing
NO.379 What is the broadcast address for the subnet 190.86.168.0/22?
A. 190.86.168.255
B. 190.86.255.255
C. 190.86.171.255
D. 190.86.169.255
Answer: C
NO.380 Which of the following security operations is used for determining the attack surface of an
organization?
A. Running a network scan to detect network services in the corporate DMZ
B. Training employees on the security policy regarding social engineering
C. Reviewing the need for a security clearance for each employee
D. Using configuration management to determine when and where to apply security patches
Answer: A
Explanation
For a network scan the goal is to document the exposed attack surface along with any easily detected
vulnerabilities.
References:
http://meisecurity.com/home/consulting/consulting-network-scanning/
NO.381 Which tier in the N-tier application architecture is responsible for moving and processing
data between the tiers?
A. Application Layer
B. Data tier
C. Presentation tier
D. Logic tier
Answer: D
NO.382 The security administrator of ABC needs to permit Internet traffic to the host 10.0.0.2 and
UDP traffic to the host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and
deny all other traffic. After he applied his ACL configuration in the router, nobody can access the
FTP service, and the permitted hosts cannot access the Internet. According to the following configuration, what is
happening in the network?
A. The ACL 104 needs to be first because it is UDP
B. The ACL 110 needs to be changed to port 80
C. The ACL for FTP must be before the ACL 110
D. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
Answer: D
NO.383 How can a policy help improve an employee's security awareness?
A. By implementing written security procedures, enabling employee security training, and promoting
the benefits of security
B. By using informal networks of communication, establishing secret passing procedures, and
immediately terminating employees
C. By sharing security secrets with employees, enabling employees to share secrets, and establishing
a consultative help line
D. By decreasing an employee's vacation time, addressing ad-hoc employment clauses, and ensuring
that managers know employee strengths
Answer: A
NO.384 Company A and Company B have just merged and each has its own Public Key Infrastructure
(PKI). What must the Certificate Authorities (CAs) establish so that the private PKIs for Company A
and Company B trust one another and each private PKI can validate digital certificates from the other
company?
A. Poly key exchange
B. Cross certification
C. Poly key reference
D. Cross-site exchange
Answer: B
NO.385 Risks = Threats x Vulnerabilities is referred to as the:
A. Risk equation
B. Threat assessment
C. BIA equation
D. Disaster recovery formula
Answer: A
Explanation
The most effective way to define risk is with this simple equation:
Risk = Threat x Vulnerability x Cost
This equation is fundamental to all information security.
References:
http://www.icharter.org/articles/risk_equation.html
NO.386 In 2007, this wireless security algorithm was rendered useless by capturing packets and
discovering the passkey in a matter of seconds. This security flaw led to a network invasion of TJ
Maxx and data theft through a technique known as wardriving.
Which algorithm is this referring to?
A. Wired Equivalent Privacy (WEP)
B. Wi-Fi Protected Access (WPA)
C. Wi-Fi Protected Access 2 (WPA2)
D. Temporal Key Integrity Protocol (TKIP)
Answer: A
Explanation
WEP is the currently most used protocol for securing 802.11 networks, also called wireless LANs or
WLANs. In 2007, a new attack on WEP, the PTW attack, was discovered, which allows an attacker to recover the
secret key in less than 60 seconds in some cases.
Note: Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle,
using a portable computer, smartphone or personal digital assistant (PDA).
References: https://events.ccc.de/camp/2007/Fahrplan/events/1943.en.html
NO.387 This kind of password cracking method uses word lists in combination with numbers and
special characters:
A. Hybrid
B. Linear
C. Symmetric
D. Brute Force
Answer: A
NO.388 Which of the following security policies defines the use of VPN for gaining access to an
internal corporate network?
A. Network security policy
B. Remote access policy
C. Information protection policy
D. Access control policy
Answer: B
NO.389 Which of the following ensures that updates to policies, procedures, and configurations are
made in a controlled and documented fashion?
A. Regulatory compliance
B. Peer review
C. Change management
D. Penetration testing
Answer: C
NO.390 Within the context of Computer Security, which of the following statements describes Social
Engineering best?
A. Social Engineering is the act of publicly disclosing information
B. Social Engineering is the means put in place by human resources to perform time accounting
C. Social Engineering is the act of getting needed information from a person rather than breaking into
a system
D. Social Engineering is a training program within sociology studies
Answer: C
NO.391 What is a successful method for protecting a router from potential smurf attacks?
A. Placing the router in broadcast mode
B. Enabling port forwarding on the router
C. Installing the router outside of the network's firewall
D. Disabling the router from accepting broadcast ping messages
Answer: D
NO.392 Attempting an injection attack on a web server based on responses to True/False questions
is called which of the following?
A. Blind SQLi
B. DMS-specific SQLi
C. Classic SQLi
D. Compound SQLi
Answer: A
NO.393 Your company performs penetration tests and security assessments for small and medium-sized
businesses in the local area. During a routine security assessment, you discover information that
suggests your client is involved with human trafficking.
What should you do?
A. Immediately stop work and contact the proper legal authorities.
B. Copy the data to removable media and keep it in case you need it.
C. Confront the client in a respectful manner and ask her about the data.
D. Ignore the data and continue the assessment until completed as agreed.
Answer: A
NO.394 Which of the following is a serious vulnerability in the popular OpenSSL cryptographic
software library? This weakness allows stealing the information protected, under normal conditions,
by the SSL/TLS encryption used to secure the Internet.
A. Heartbleed Bug
B. POODLE
C. SSL/TLS Renegotiation Vulnerability
D. Shellshock
Answer: A
NO.395 Which of the following is not a Bluetooth attack?
A. Bluedriving
B. Bluejacking
C. Bluesmacking
D. Bluesnarfing
Answer: A
NO.396 Bob learned that his username and password for a popular game have been compromised.
He contacts the company and resets all the information. The company suggests he use two-factor
authentication. Which option below offers that?
A. A new username and password
B. A fingerprint scanner and his username and password.
C. Disable his username and use just a fingerprint scanner.
D. His username and a stronger password.
Answer: B
NO.397 Which of the following is considered an acceptable option when managing a risk?
A. Reject the risk.
B. Deny the risk.
C. Mitigate the risk.
D. Initiate the risk.
Answer: C
NO.398 Which of the following examples best represents a logical or technical control?
A. Security tokens
B. Heating and air conditioning
C. Smoke and fire alarms
D. Corporate security policy
Answer: A
NO.399 A developer for a company is tasked with creating a program that will allow customers to
update their billing and shipping information. The billing address field used is limited to 50
characters. What pseudo code would the developer use to avoid a buffer overflow attack on the
billing address field?
A. if (billingAddress = 50) {update field} else exit
B. if (billingAddress != 50) {update field} else exit
C. if (billingAddress >= 50) {update field} else exit
D. if (billingAddress <= 50) {update field} else exit
Answer: D
NO.400 A distributed port scan operates by:
A. Blocking access to the scanning clients by the targeted host
B. Using denial-of-service software against a range of TCP ports
C. Blocking access to the targeted host by each of the distributed scanning clients
D. Having multiple computers each scan a small number of ports, then correlating the results
Answer: D
NO.401 The network team has well-established procedures to follow for creating new rules on the
firewall. This includes having approval from a manager prior to implementing any new rules. While
reviewing the firewall configuration, you notice a recently implemented rule but cannot locate
manager approval for it. What would be a good step to have in the procedures for a situation like
this?
A. Have the network team document the reason why the rule was implemented without prior
manager approval.
B. Monitor all traffic using the firewall rule until a manager can approve it.
C. Do not roll back the firewall rule as the business may be relying upon it, but try to get manager
approval as soon as possible.
D. Immediately roll back the firewall rule until a manager can approve it
Answer: D
NO.402 Sam is working as a pen-tester in an organization in Houston. He performs penetration
testing on IDS in order to find the different ways an attacker uses to evade the IDS. Sam sends a large
number of packets to the target IDS that generate alerts, which enables Sam to hide the real traffic.
What type of method is Sam using to evade IDS?
A. Denial-of-Service
B. False Positive Generation
C. Insertion Attack
D. Obfuscating
Answer: B
NO.403 What is the best defense against a privilege escalation vulnerability?
A. Patch systems regularly and upgrade interactive login privileges at the system administrator level.
B. Run administrator and applications on least privileges and use a content registry for tracking.
C. Run services with least privileged accounts and implement multi-factor authentication and
authorization.
D. Review user roles and administrator privileges for maximum utilization of automation services.
Answer: C
NO.404 A botnet can be managed through which of the following?
A. IRC
B. E-Mail
C. Linkedin and Facebook
D. A vulnerable FTP server
Answer: A
NO.405 Under the "Post-attack Phase and Activities", it is the responsibility of the tester to restore
the systems to a pre-test state.
Which of the following activities should not be included in this phase? (see exhibit) Exhibit:
A. III
B. IV
C. III and IV
D. All should be included.
Answer: A
Explanation
The post-attack phase revolves around returning any modified system(s) to the pretest state.
Examples of such activities:
References: Computer and Information Security Handbook, John R. Vacca (2012), page 531
NO.406 The practical realities facing organizations today make risk response strategies essential.
Which of the following is NOT one of the five basic responses to risk?
A. Accept
B. Mitigate
C. Delegate
D. Avoid
Answer: C
NO.407 Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within the
suite provides different functionality. Collectively, IPSec does everything except:
A. Protect the payload and the headers
B. Authenticate
C. Encrypt
D. Work at the Data Link Layer
Answer: D
NO.408 A penetration test was done at a company. After the test, a report was written and given to
the company's IT authorities. A section from the report is shown below:
According to the section from the report, which of the following choices is true?
A. MAC Spoof attacks cannot be performed.
B. Possibility of SQL Injection attack is eliminated.
C. A stateful firewall can be used between intranet (LAN) and DMZ.
D. There is access control policy between VLANs.
Answer: C
NO.409 You want to analyze packets on your wireless network. Which program would you use?
A. Wireshark with Airpcap
B. Airsnort with Airpcap
C. Wireshark with Winpcap
D. Ethereal with Winpcap
Answer: A
NO.410 Bluetooth uses which digital modulation technique to exchange information between paired
devices?
A. PSK (phase-shift keying)
B. FSK (frequency-shift keying)
C. ASK (amplitude-shift keying)
D. QAM (quadrature amplitude modulation)
Answer: A
Explanation
Phase shift keying is the form of Bluetooth modulation used to enable the higher data rates
achievable with Bluetooth 2 EDR (Enhanced Data Rate). Two forms of PSK are used: π/4 DQPSK, and
8DPSK.
References:
http://www.radio-electronics.com/info/wireless/bluetooth/radio-interface-modulation.php
NO.411 Which of these is capable of searching for and locating rogue access points?
A. HIDS
B. WISS
C. WIPS
D. NIDS
Answer: C
NO.412 Study the snort rule given below and interpret the rule.
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
A. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and
destined to any IP on port 111
B. An alert is generated when any packet other than a TCP packet is seen on the network and
destined for the 192.168.1.0 subnet
C. An alert is generated when a TCP packet is originated from port 111 of any IP address to the
192.168.1.0 subnet
D. An alert is generated when a TCP packet originating from any IP address is seen on the network
and destined for any IP address on the 192.168.1.0 subnet on port 111
Answer: D
NO.413 Which type of antenna is used in wireless communication?
A. Omnidirectional
B. Parabolic
C. Uni-directional
D. Bi-directional
Answer: A
NO.414 You are the Network Admin, and you get a complaint that some of the websites are no
longer accessible. You try to ping the servers and find them to be reachable. Then you type the IP
address into the browser and find the site to be accessible. But the sites are not accessible
when you try using the URL.
What may be the problem?
A. Traffic is Blocked on UDP Port 53
B. Traffic is Blocked on UDP Port 80
C. Traffic is Blocked on UDP Port 54
D. Traffic is Blocked on UDP Port 80
Answer: A
NO.415 How is the public key distributed in an orderly, controlled fashion so that the users can be
sure of the sender's identity?
A. Hash value
B. Private key
C. Digital signature
D. Digital certificate
Answer: D
NO.416 What is the BEST alternative if you discover that a rootkit has been installed on one of your
computers?
A. Copy the system files from a known good system
B. Perform a trap and trace
C. Delete the files and try to determine the source
D. Reload from a previous backup
E. Reload from known good media
Answer: E
NO.417 Which of the following is optimized for confidential communications, such as bidirectional
voice and video?
A. RC4
B. RC5
C. MD4
D. MD5
Answer: A
NO.418 In the context of Windows Security, what is a 'null' user?
A. A user that has no skills
B. An account that has been suspended by the admin
C. A pseudo account that has no username and password
D. A pseudo account that was created for security administration purposes
Answer: C
NO.419 A hacker is attempting to see which IP addresses are currently active on a network. Which
NMAP switch would the hacker use?
A. -sO
B. -sP
C. -sS
D. -sU
Answer: B
NO.420 In Risk Management, how is the term "likelihood" related to the concept of "threat"?
A. Likelihood is the probability that a threat-source will exploit a vulnerability.
B. Likelihood is a possible threat-source that may exploit a vulnerability.
C. Likelihood is the likely source of a threat that could exploit a vulnerability.
D. Likelihood is the probability that a vulnerability is a threat-source.
Answer: A
3946Explanation
3947The ability to analyze the likelihood of threats within the organization is a critical step in building an
3948effective security program. The process of assessing threat probability should be well defined and
3949incorporated into a broader threat analysis process to be effective.
3950References:
3951http://www.mcafee.com/campaign/securitybattleground/resources/chapter5/whitepaper-onassessing-
3952threat-attac
3953NO.421 During a wireless penetration test, a tester detects an access point using WPA2 encryption.
3954Which of the following attacks should be used to obtain the key?
3955A. The tester must capture the WPA2 authentication handshake and then crack it.
3956B. The tester must use the tool inSSIDer to crack it using the ESSID of the network.
3957C. The tester cannot crack WPA2 because it is in full compliance with the IEEE 802.11i standard.
3958D. The tester must change the MAC address of the wireless network card and then use the AirTraf
3959tool to obtain the key.
3960Answer: A
3961NO.422 What is the main disadvantage of the scripting languages as opposed to compiled
3962programming languages?
3963A. Scripting languages are hard to learn.
3964B. Scripting languages are not object-oriented.
3965C. Scripting languages cannot be used to create graphical user interfaces.
3966D. Scripting languages are slower because they require an interpreter to run the code.
3967Answer: D
3968NO.423 A consultant is hired to do physical penetration testing at a large financial company. In the
3969first day of his assessment, the consultant goes to the company`s building dressed like an electrician
3970and waits in the lobby for an employee to pass through the main access gate, then the consultant
3971follows the employee behind to get into the restricted area. Which type of attack did the consultant
3972perform?
3973A. Man trap
3974B. Tailgating
3975C. Shoulder surfing
3976D. Social engineering
3977Answer: B
3978NO.424 You are about to be hired by a well-known Bank to perform penetration tests. Which of the
3979following documents describes the specifics of the testing, the associated violations, and essentially
3980protects both the bank's interest and your liabilities as a tester?
3981A. Service Level Agreement
3982B. Non-Disclosure Agreement
3983C. Terms of Engagement
3984IT Certification Guaranteed, The Easy Way!
3985107
3986D. Project Scope
3987Answer: C
NO.425 A person approaches a network administrator and wants advice on how to send encrypted email from home. The end user does not want to have to pay for any license fees or manage server services. Which of the following is the most secure encryption protocol that the network administrator should recommend?
A. IP Security (IPSEC)
B. Multipurpose Internet Mail Extensions (MIME)
C. Pretty Good Privacy (PGP)
D. Hyper Text Transfer Protocol with Secure Socket Layer (HTTPS)
Answer: C
NO.426 MX record priority increases as the number increases. (True/False.)
A. True
B. False
Answer: B
NO.427 Which of the following is a low-tech way of gaining unauthorized access to systems?
A. Social Engineering
B. Sniffing
C. Eavesdropping
D. Scanning
Answer: A
Explanation
Social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. It is a type of confidence trick for the purpose of information gathering, fraud, or system access.
References: https://en.wikipedia.org/wiki/Social_engineering_(security)
NO.428 Bob is acknowledged as a hacker of repute and is popular among visitors of "underground" sites. Bob is willing to share his knowledge with those who are willing to learn, and many have expressed their interest in learning from him. However, this knowledge has a risk associated with it, as it can be used for malevolent attacks as well. In this context, what would be the most effective method to bridge the knowledge gap between the "black" hats or crackers and the "white" hats or computer security professionals? (Choose the best answer.)
A. Educate everyone with books, articles and training on risk analysis, vulnerabilities and safeguards.
B. Hire more computer security monitoring personnel to monitor computer systems and networks.
C. Make obtaining either a computer security certification or accreditation easier to achieve so more individuals feel that they are a part of something larger than life.
D. Train more National Guard and reservists in the art of computer security to help out in times of emergency or crises.
Answer: A
NO.429 What statement is true regarding LM hashes?
A. LM hashes consist of 48 hexadecimal characters.
B. LM hashes are based on the AES128 cryptographic standard.
C. Uppercase characters in the password are converted to lowercase.
D. LM hashes are not generated when the password length exceeds 15 characters.
Answer: D
NO.430 What information should an IT system analysis provide to the risk assessor?
A. Management buy-in
B. Threat statement
C. Security architecture
D. Impact analysis
Answer: C
NO.431 An attacker has captured a target file that is encrypted with public key cryptography. Which of the attacks below is likely to be used to crack the target file?
A. Timing attack
B. Replay attack
C. Memory trade-off attack
D. Chosen plain-text attack
Answer: D
NO.432 International Organization for Standardization (ISO) standard 27002 provides guidance for compliance by outlining
A. guidelines and practices for security controls.
B. financial soundness and business viability metrics.
C. standard best practice for configuration management.
D. contract agreement writing standards.
Answer: A
NO.433 Which of the following is the primary objective of a rootkit?
A. It opens a port to provide an unauthorized service
B. It creates a buffer overflow
C. It replaces legitimate programs
D. It provides an undocumented opening in a program
Answer: C
NO.434 The "gray box testing" methodology enforces what kind of restriction?
A. The internal operation of a system is only partly accessible to the tester.
B. The internal operation of a system is completely known to the tester.
C. Only the external operation of a system is accessible to the tester.
D. Only the internal operation of a system is known to the tester.
Answer: A
Explanation
A black-box tester is unaware of the internal structure of the application to be tested, while a white-box tester has access to the internal structure of the application. A gray-box tester partially knows the internal structure, which includes access to the documentation of internal data structures as well as the algorithms used.
References: https://en.wikipedia.org/wiki/Gray_box_testing
NO.435 An attacker changes the profile information of a particular user (victim) on the target website. The attacker uses this string to update the victim's profile to a text file and then submit the data to the attacker's database.
<iframe src="http://www.vulnweb.com/updateif.php" style="display:none"></iframe>
What is this type of attack (that can use either HTTP GET or HTTP POST) called?
A. Cross-Site Request Forgery
B. Cross-Site Scripting
C. SQL Injection
D. Browser Hacking
Answer: A
Explanation
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.
Different HTTP request methods, such as GET and POST, have different levels of susceptibility to CSRF attacks and require different levels of protection due to their different handling by web browsers.
References: https://en.wikipedia.org/wiki/Cross-site_request_forgery
NO.436 Which of the following tools are used for enumeration? (Choose three.)
A. SolarWinds
B. USER2SID
C. Cheops
D. SID2USER
E. DumpSec
Answer: B D E
NO.437 A pentester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pentester pivot using Metasploit?
A. Issue the pivot exploit and set the meterpreter.
B. Reconfigure the network settings in the meterpreter.
C. Set the payload to propagate through the meterpreter.
D. Create a route statement in the meterpreter.
Answer: D
NO.438 Which of the following describes the characteristics of a Boot Sector Virus?
A. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR
B. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
C. Modifies directory table entries so that directory entries point to the virus code instead of the actual program
D. Overwrites the original MBR and only executes the new virus code
Answer: B
Explanation
A boot sector virus is a computer virus that infects a storage device's master boot record (MBR). The virus moves the boot sector to another location on the hard drive.
References: https://www.techopedia.com/definition/26655/boot-sector-virus
NO.439 In order to surf the Internet anonymously, which of the following is the best choice?
A. Use SSL sites when entering personal information
B. Use Tor network with multi-node
C. Use shared WiFi
D. Use public VPN
Answer: B
NO.440 A security analyst in an insurance company is assigned to test a new web application that will be used by clients to help them choose and apply for an insurance plan. The analyst discovers that the application is developed in the ASP scripting language and it uses MSSQL as a database backend. The analyst locates the application's search form and introduces the following code in the search input field:
When the analyst submits the form, the browser returns a pop-up window that says "Vulnerable". Which web application vulnerability did the analyst discover?
A. Cross-site request forgery
B. Command injection
C. Cross-site scripting
D. SQL injection
Answer: C
NO.441 You have several plain-text firewall logs that you must review to evaluate network traffic. You know that in order to do fast, efficient searches of the logs you must use regular expressions. Which command-line utility are you most likely to use?
A. Grep
B. Notepad
C. MS Excel
D. Relational Database
Answer: A
Explanation
grep is a command-line utility for searching plain-text data sets for lines matching a regular expression.
References: https://en.wikipedia.org/wiki/Grep
NO.442 A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash. The technician researches the bug and discovers that no one else has experienced the problem. What is the appropriate next step?
A. Ignore the problem completely and let someone else deal with it.
B. Create a document that will crash the computer when opened and send it to friends.
C. Find an underground bulletin board and attempt to sell the bug to the highest bidder.
D. Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.
Answer: D
NO.443 Which of the following is an application that requires a host application for replication?
A. Micro
B. Worm
C. Trojan
D. Virus
Answer: D
Explanation
Computer viruses infect a variety of different subsystems on their hosts. A computer virus is malware that, when executed, replicates by reproducing itself or infecting other programs by modifying them. Besides programs, infected targets can include data files or the boot sector of the hard drive. When this replication succeeds, the affected areas are then said to be "infected".
References: https://en.wikipedia.org/wiki/Computer_virus
NO.444 An organization hires a tester to do a wireless penetration test. Previous reports indicate that the last test did not contain management or control packets in the submitted traces. Which of the following is the most likely reason for the lack of management or control packets?
A. The wireless card was not turned on.
B. The wrong network card drivers were in use by Wireshark.
C. On Linux and Mac OS X, only 802.11 headers are received in promiscuous mode.
D. Certain operating systems and adapters do not collect the management or control packets.
Answer: D
NO.445 An attacker scans a host with the below command. Which three flags are set? (Choose three.)
#nmap -sX host.domain.com
A. This is an ACK scan. ACK flag is set
B. This is an Xmas scan. SYN and ACK flags are set
C. This is an Xmas scan. URG, PUSH and FIN are set
D. This is a SYN scan. SYN flag is set
Answer: C
NO.446 You work for Acme Corporation as Sales Manager. The company has tight network security restrictions. You are trying to steal data from the company's Sales database (Sales.xls) and transfer them to your home computer. Your company filters and monitors traffic that leaves from the internal network to the Internet. How will you achieve this without raising suspicion?
A. Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account
B. Package the Sales.xls using Trojan wrappers and telnet them back to your home computer
C. You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent looking email or file transfer using Steganography techniques
D. Change the extension of Sales.xls to sales.txt and upload them as attachment to your hotmail account
Answer: C
NO.447 A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. Which is the most efficient technique the tester should consider using?
A. Spoofing an IP address
B. Tunneling scan over SSH
C. Tunneling over high port numbers
D. Scanning using fragmented IP packets
Answer: B
NO.448 A hacker searches in Google for filetype:pcf to find Cisco VPN config files. Those files may contain connectivity passwords that can be decoded with which of the following?
A. Cupp
B. Nessus
C. Cain and Abel
D. John The Ripper Pro
Answer: C
NO.449 Which of the following is an example of IP spoofing?
A. SQL injections
B. Man-in-the-middle
C. Cross-site scripting
D. ARP poisoning
Answer: B
NO.450 A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access point. The computer is able to transfer files locally to other machines, but cannot successfully reach the Internet. When the technician examines the IP address and default gateway, they are both on the 192.168.1.0/24 network. Which of the following has occurred?
A. The gateway is not routing to a public IP address.
B. The computer is using an invalid IP address.
C. The gateway and the computer are not on the same network.
D. The computer is not using a private IP address.
Answer: A
NO.451 A certified ethical hacker (CEH) is approached by a friend who believes her husband is cheating. She offers to pay to break into her husband's email account in order to find proof so she can take him to court. What is the ethical response?
A. Say no; the friend is not the owner of the account.
B. Say yes; the friend needs help to gather evidence.
C. Say yes; do the job for free.
D. Say no; make sure that the friend knows the risk she's asking the CEH to take.
Answer: A
NO.452 env x=`(){ :;};echo exploit` bash -c 'cat /etc/passwd'
What is the Shellshock bash vulnerability attempting to do on a vulnerable Linux host?
A. Display passwd content to prompt
B. Removes the passwd file
C. Changes all passwords in passwd
D. Add new user to the passwd file
Answer: A
Explanation
To extract private information, attackers are using a couple of techniques. The simplest extraction attacks are in the form:
() {:;}; /bin/cat /etc/passwd
That reads the password file /etc/passwd, and adds it to the response from the web server. So an attacker injecting this code through the Shellshock vulnerability would see the password file dumped out onto their screen as part of the web page returned.
References: https://blog.cloudflare.com/inside-shellshock/
NO.453 As a security consultant, what are some of the things you would recommend to a company to ensure DNS security?
A. Use the same machines for DNS and other applications
B. Harden DNS servers
C. Use split-horizon operation for DNS servers
D. Restrict Zone transfers
E. Have subnet diversity between DNS servers
Answer: B C D E
NO.454 Some passwords are stored using specialized encryption algorithms known as hashes. Why is this an appropriate method?
A. It is impossible to crack hashed user passwords unless the key used to encrypt them is obtained.
B. If a user forgets the password, it can be easily retrieved using the hash key stored by administrators.
C. Hashing is faster compared to more traditional encryption algorithms.
D. Passwords stored using hashes are non-reversible, making finding the password much more difficult.
Answer: D
NO.455 A company has publicly hosted web applications and an internal Intranet protected by a firewall. Which technique will help protect against enumeration?
A. Reject all invalid email received via SMTP.
B. Allow full DNS zone transfers.
C. Remove A records for internal hosts.
D. Enable null session pipes.
Answer: C
NO.456 Which of the following incident handling process phases is responsible for defining rules, collaborating with the human workforce, creating a back-up plan, and testing the plans for an organization?
A. Preparation phase
B. Containment phase
C. Identification phase
D. Recovery phase
Answer: A
Explanation
There are several key elements to have implemented in the preparation phase in order to help mitigate any potential problems that may hinder one's ability to handle an incident. For the sake of brevity, the following should be performed:
References: https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
NO.457 In both pharming and phishing attacks an attacker can create websites that look similar to legitimate sites with the intent of collecting personally identifiable information from its victims. What is the difference between pharming and phishing attacks?
A. In a pharming attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that is either misspelled or looks similar to the actual website's domain name.
B. Both pharming and phishing attacks are purely technical and are not considered forms of social engineering.
C. Both pharming and phishing attacks are identical.
D. In a phishing attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a pharming attack an attacker provides the victim with a URL that is either misspelled or looks very similar to the actual website's domain name.
Answer: A
NO.458 While you were gathering information as part of a security assessment for one of your clients, you were able to gather data that shows your client is involved with fraudulent activities. What should you do?
A. Immediately stop work and contact the proper legal authorities
B. Ignore the data and continue the assessment until completed as agreed
C. Confront the client in a respectful manner and ask her about the data
D. Copy the data to removable media and keep it in case you need it
Answer: A
NO.459 A tester has been hired to do a web application security test. The tester notices that the site is dynamic and must make use of a back end database. In order for the tester to see if SQL injection is possible, what is the first character that the tester should use to attempt breaking a valid SQL request?
A. Semicolon
B. Single quote
C. Exclamation mark
D. Double quote
Answer: B
NO.460 While using your bank's online servicing you notice the following string in the URL bar:
"http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980&Camount=21"
You observe that if you modify the Damount and Camount values and submit the request, the data on the web page reflect the changes. Which type of vulnerability is present on this site?
A. Web Parameter Tampering
B. Cookie Tampering
C. XSS Reflection
D. SQL injection
Answer: A
Explanation
The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control.
References: https://www.owasp.org/index.php/Web_Parameter_Tampering
NO.461 When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing?
A. At least once a year and after any significant upgrade or modification
B. At least once every three years or after any significant upgrade or modification
C. At least twice a year or after any significant upgrade or modification
D. At least once every two years and after any significant upgrade or modification
Answer: A
NO.462 A covert channel is a channel that
A. transfers information over, within a computer system, or network that is outside of the security policy.
B. transfers information over, within a computer system, or network that is within the security policy.
C. transfers information via a communication path within a computer system, or network for transfer of data.
D. transfers information over, within a computer system, or network that is encrypted.
Answer: A
NO.463 Which of the following scanning methods splits the TCP header into several packets and makes it difficult for packet filters to detect the purpose of the packet?
A. ICMP Echo scanning
B. SYN/FIN scanning using IP fragments
C. ACK flag probe scanning
D. IPID scanning
Answer: B
NO.464 Which of the following parameters describe LM Hash (see exhibit):
Exhibit:
A. I, II, and III
B. I
C. II
D. I and II
Answer: A
Explanation
The LM hash is computed as follows:
1. The user's password is restricted to a maximum of fourteen characters.
2. The user's password is converted to uppercase.
Etc.
14 character Windows passwords, which are stored with LM Hash, can be cracked in five seconds.
References: https://en.wikipedia.org/wiki/LM_hash
NO.465 A hacker was able to sniff packets on a company's wireless network. The following information was discovered:
Using the Exclusive OR, what was the original message?
A. 00101000 11101110
B. 11010111 00010001
C. 00001101 10100100
D. 11110010 01011011
Answer: B
NO.466 Which of the following is a form of penetration testing that relies heavily on human interaction and often involves tricking people into breaking normal security procedures?
A. Social Engineering
B. Piggybacking
C. Tailgating
D. Eavesdropping
Answer: A
NO.467 This asymmetric cipher is based on factoring the product of two large prime numbers. What cipher is described above?
A. RSA
B. SHA
C. RC5
D. MD5
Answer: A
Explanation
RSA is based on the practical difficulty of factoring the product of two large prime numbers, the factoring problem.
Note: A user of RSA creates and then publishes a public key based on two large prime numbers, along with an auxiliary value. The prime numbers must be kept secret. Anyone can use the public key to encrypt a message, but with currently published methods, if the public key is large enough, only someone with knowledge of the prime numbers can feasibly decode the message.
References: https://en.wikipedia.org/wiki/RSA_(cryptosystem)
NO.468 Which property ensures that a hash function will not produce the same hashed value for two different messages?
A. Collision resistance
B. Bit length
C. Key strength
D. Entropy
Answer: A
NO.469 Assume a business-crucial web-site of some company that is used to sell handsets to customers worldwide. All the developed components are reviewed by the security team on a monthly basis. In order to drive business further, the web-site developers decided to add some 3rd party marketing tools on it. The tools are written in JavaScript and can track the customer's activity on the site. These tools are located on the servers of the marketing company. What is the main security risk associated with this scenario?
A. External script contents could be maliciously modified without the security team's knowledge
B. External scripts have direct access to the company servers and can steal the data from there
C. There is no risk at all as the marketing services are trustworthy
D. External scripts increase the outbound company data traffic which leads to greater financial losses
Answer: A
NO.470 What attack is used to crack passwords by using a precomputed table of hashed passwords?
A. Brute Force Attack
B. Hybrid Attack
C. Rainbow Table Attack
D. Dictionary Attack
Answer: C
NO.471 A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much information can be obtained from the firm's public facing web servers. The engineer decides to start by using netcat to connect to port 80. The engineer receives this output:
Which of the following is an example of what the engineer performed?
A. Cross-site scripting
B. Banner grabbing
C. SQL injection
D. Whois database query
Answer: B
NO.472 Which of the following is an adaptive SQL Injection testing technique used to discover coding errors by inputting massive amounts of random data and observing the changes in the output?
A. Function Testing
B. Dynamic Testing
C. Static Testing
D. Fuzzing Testing
Answer: D
NO.473 What two conditions must a digital signature meet?
A. Has to be unforgeable, and has to be authentic.
B. Has to be legible and neat.
C. Must be unique and have special characters.
D. Has to be the same number of characters as a physical signature and must be unique.
Answer: A
NO.474 Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close. What just happened?
A. Piggybacking
B. Masquerading
C. Phishing
D. Whaling
Answer: A
Explanation
In security, piggybacking refers to when a person tags along with another person who is authorized to gain entry into a restricted area, or pass a certain checkpoint.
References: https://en.wikipedia.org/wiki/Piggybacking_(security)
NO.475 You have the SOA presented below in your Zone. Your secondary servers have not been able to contact your primary server to synchronize information. How long will the secondary servers attempt to contact the primary server before they consider that the zone is dead and stop responding to queries?
collegae.edu.SOA, cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600)
A. One day
B. One hour
C. One week
D. One month
Answer: C
NO.476 Study the log below and identify the scan type.
A. nmap -sR 192.168.1.10
B. nmap -sS 192.168.1.10
C. nmap -sV 192.168.1.10
D. nmap -sO -T 192.168.1.10
Answer: D
NO.477 Which technical characteristic do Ethereal/Wireshark, TCPDump, and Snort have in common?
A. They are written in Java.
B. They send alerts to security monitors.
C. They use the same packet analysis engine.
D. They use the same packet capture utility.
Answer: D
NO.478 Which of the following is a component of a risk assessment?
A. Administrative safeguards
B. Physical security
C. DMZ
D. Logical interface
Answer: A
Explanation
Risk assessment includes:
References: https://en.wikipedia.org/wiki/IT_risk_management#Risk_assessment
NO.479 What is the outcome of the command "nc -l -p 2222 | nc 10.1.0.43 1234"?
A. Netcat will listen on the 10.1.0.43 interface for 1234 seconds on port 2222.
B. Netcat will listen on port 2222 and output anything received to a remote connection on 10.1.0.43 port 1234.
C. Netcat will listen for a connection from 10.1.0.43 on port 1234 and output anything received to port 2222.
D. Netcat will listen on port 2222 and then output anything received to local interface 10.1.0.43.
Answer: B
NO.480 Which type of cryptography do SSL, IKE and PGP belong to?
A. Secret Key
B. Hash Algorithm
C. Digest
D. Public Key
Answer: D
NO.481 A regional bank hires your company to perform a security assessment on their network after a recent data breach. The attacker was able to steal financial data from the bank by compromising only a single server. Based on this information, what should be one of your key recommendations to the bank?
A. Place a front-end web server in a demilitarized zone that only handles external web traffic
B. Require all employees to change their passwords immediately
C. Move the financial data to another server on the same IP subnet
D. Issue new certificates to the web servers from the root certificate authority
Answer: A
Explanation
A DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external network node only has direct access to equipment in the DMZ, rather than any other part of the network.
References: https://en.wikipedia.org/wiki/DMZ_(computing)
NO.482 What ports should be blocked on the firewall to prevent NetBIOS traffic from coming through the firewall if your network is comprised of Windows NT, 2000, and XP?
A. 110
B. 135
C. 139
D. 161
E. 445
F. 1024
Answer: B C E
NO.483 In Trojan terminology, what is a covert channel?
A. A channel that transfers information within a computer system or network in a way that violates the security policy
B. A legitimate communication path within a computer system or network for transfer of data
C. It is a kernel operation that hides boot processes and services to mask detection
D. It is a reverse tunneling technique that uses the HTTPS protocol instead of the HTTP protocol to establish connections
Answer: A
NO.484 To reduce the attack surface of a system, administrators should perform which of the following processes to remove unnecessary software, services, and insecure configuration settings?
A. Harvesting
B. Windowing
C. Hardening
D. Stealthing
Answer: C
NO.485 What tool should you use when you need to analyze extracted metadata from files you collected when you were in the initial stage of a penetration test (information gathering)?
A. Armitage
B. Dimitry
C. Metagoofil
D. cdpsnarf
Answer: C
NO.486 While checking the settings on the internet browser, a technician finds that the proxy server settings have been checked and a computer is trying to use itself as a proxy server. What specific octet within the subnet does the technician see?
A. 10.10.10.10
B. 127.0.0.1
C. 192.168.1.1
D. 192.168.168.168
Answer: B
NO.487 Which of the following is NOT an ideal choice for biometric controls?
A. Iris patterns
B. Fingerprints
C. Height and weight
D. Voice
Answer: C
NO.488 In an internal security audit, the white hat hacker gains control over a user account and attempts to acquire access to another account's confidential files and information. How can he achieve this?
A. Port Scanning
B. Hacking Active Directory
C. Privilege Escalation
D. Shoulder-Surfing
Answer: C
NO.489 Which of the following is designed to verify and authenticate individuals taking part in a data exchange within an enterprise?
A. SOA
B. Single-Sign On
C. PKI
D. Biometrics
Answer: C
NO.490 One of your team members has asked you to analyze the following SOA record. What is the TTL?
Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)
A. 200303028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800
Answer: D
4630NO.491 Which one of the following Google advanced search operators allows an attacker to restrict
4631the results to those websites in the given domain?
4632A. [cache:]
4633B. [site:]
4634C. [inurl:]
4635D. [link:]
4636Answer: B
4637NO.492 Which of the following is a primary service of the U.S. Computer Security Incident Response
4638Team (CSIRT)?
4639A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact
4640for reporting computer security incidents worldwide.
4641B. CSIRT provides a computer security surveillance service to supply a government with important
4642intelligence information on individuals travelling abroad.
4643C. CSIRT provides a penetration testing service to support exception reporting on incidents
4644worldwide by individuals and multi-national corporations.
4645D. CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling
4646an individual's property or company's asset.
4647Answer: A
4648NO.493 Which specific element of security testing is being assured by using hash?
4649A. Authentication
4650B. Integrity
4651C. Confidentiality
4652D. Availability
4653Answer: B
4654NO.494 Which of the following Bluetooth hacking techniques does an attacker use to send messages
4655to users without the recipient's consent, similar to email spamming?
4656A. Bluesmacking
4657B. Bluesniffing
4658C. Bluesnarfing
4659IT Certification Guaranteed, The Easy Way!
4660124
D. Bluejacking
Answer: D
NO.495 While performing online banking using a Web browser, Kyle receives an email that contains
a well-crafted image. Upon clicking the image, a new tab in the web browser opens and
shows an animated GIF of bills and coins being swallowed by a crocodile. After several days, Kyle
noticed that all his funds in the bank were gone. What Web browser-based security vulnerability got
exploited by the hacker?
A. Clickjacking
B. Web Form Input Validation
C. Cross-Site Request Forgery
D. Cross-Site Scripting
Answer: C
NO.496 Which of the following is the most important phase of ethical hacking, wherein you need to
spend a considerable amount of time?
A. Gaining access
B. Escalating privileges
C. Network mapping
D. Footprinting
Answer: D
NO.497 Vlady works in a fishing company where the majority of the employees have very little
understanding of IT, let alone IT security. Several information security issues that Vlady often found
include employees sharing passwords, writing their passwords on post-it notes stuck to their desks,
leaving computers unlocked, not logging out of email or other social media accounts, etc.
After discussing with his boss, Vlady decided to make some changes to improve the security
environment in his company. The first thing that Vlady wanted to do was to make the employees
understand the importance of keeping confidential information, such as passwords, secret and not
sharing it with other people.
Which of the following steps should be the first thing that Vlady does to make the employees in
his company understand the importance of keeping confidential information secret?
A. Warning those who write passwords on post-it notes and put them on their desks
B. Developing a strict information security policy
C. Information security awareness training
D. Conducting a one-to-one discussion with the other employees about the importance of
information security
Answer: A
NO.498 A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites.
77 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets
had an ICMP ID:0 and Seq:0. What can you infer from this information?
A. The packets were sent by a worm spoofing the IP addresses of 47 infected sites
B. ICMP ID and Seq numbers were most likely set by a tool and not by the operating system
C. All 77 packets came from the same LAN segment and hence had the same ICMP ID and Seq
number
D. 13 packets were from an external network and probably behind a NAT, as they had an ICMP ID 0
and Seq 0
Answer: B
NO.499 XOR is a common cryptographic tool. 10110001 XOR 00111010 is?
A. 10111100
B. 11011000
C. 10011101
D. 10001011
Answer: D
NO.500 During a penetration test, a tester finds that the web application being analyzed is
vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this
vulnerability?
A. The web application does not have the secure flag set.
B. The session cookies do not have the HttpOnly flag set.
C. The victim user should not have an endpoint security solution.
D. The victim's browser must have ActiveX technology enabled.
Answer: B
NO.501 Cryptography is the practice and study of techniques for secure communication in the
presence of third parties (called adversaries). More generally, it is about constructing and analyzing
protocols that overcome the influence of adversaries and that are related to various aspects of
information security such as data confidentiality, data integrity, authentication, and non-repudiation.
Modern cryptography intersects the disciplines of mathematics, computer science, and electrical
engineering. Applications of cryptography include ATM cards, computer passwords, and electronic
commerce.
A basic example to understand how cryptography works is given below:
Which of the following choices is true about cryptography?
A. The algorithm is not the secret; the key is the secret.
B. Symmetric-key algorithms are a class of algorithms for cryptography that use different
cryptographic keys for encryption of plaintext and decryption of ciphertext.
C. Secure Sockets Layer (SSL) uses asymmetric encryption (public/private key pair) both to deliver
the shared session key and to achieve a communication way.
D. Public-key cryptography, also known as asymmetric cryptography: the public key is for decryption, the private
key is for encryption.
Answer: C
NO.502 Which of the following cryptography attacks is an understatement for the extraction of
cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture?
A. Chosen-Ciphertext Attack
B. Ciphertext-only Attack
C. Timing Attack
D. Rubber Hose Attack
Answer: D
NO.503 Which of the following is a detective control?
A. Smart card authentication
B. Security policy
C. Audit trail
D. Continuity of operations plan
Answer: C
NO.504 Which of the following is a common Service Oriented Architecture (SOA) vulnerability?
A. Cross-site scripting
B. SQL injection
C. VPath injection
D. XML denial of service issues
Answer: D
NO.505 Which of the following is considered one of the most reliable forms of TCP scanning?
A. TCP Connect/Full Open Scan
B. Half-open Scan
C. NULL Scan
D. Xmas Scan
Answer: A
NO.506 Why would you consider sending an email to an address that you know does not exist
within the company you are performing a Penetration Test for?
A. To determine who is the holder of the root account
B. To perform a DoS
C. To create needless SPAM
D. To elicit a response back that will reveal information about email servers and how they treat
undeliverable mail
E. To test for virus protection
Answer: D
NO.507 ________ is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one
offered on the premises, but actually has been set up to eavesdrop on wireless communications. It is
the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or
mobile phone to a tainted hotspot by posing as a legitimate provider. This type of attack may be used
to steal the passwords of unsuspecting users by either snooping the communication link or by
phishing, which involves setting up a fraudulent web site and luring people there.
Fill in the blank with the appropriate choice.
A. Collision Attack
B. Evil Twin Attack
C. Sinkhole Attack
D. Signal Jamming Attack
Answer: B
NO.508 Which NMAP feature can a tester implement or adjust while scanning for open ports to
avoid detection by the network's IDS?
A. Timing options to slow the speed at which the port scan is conducted
B. Fingerprinting to identify which operating systems are running on the network
C. ICMP ping sweep to determine which hosts on the network are not available
D. Traceroute to control the path of the packets sent during the scan
Answer: A
NO.509 Susan has attached to her company's network. She has managed to synchronize her boss's
sessions with that of the file server. She then intercepted his traffic destined for the server, changed
it the way she wanted to and then placed it on the server in his home directory.
What kind of attack is Susan carrying out?
A. A sniffing attack
B. A spoofing attack
C. A man in the middle attack
D. A denial of service attack
Answer: C
NO.510 Matthew received an email with an attachment named "YouWon$10Grand.zip." The zip file
contains a file named "HowToClaimYourPrize.docx.exe." Out of excitement and curiosity, Matthew
opened the said file.
Without his knowledge, the file copies itself to Matthew's APPDATA\Local directory and begins to
beacon to a Command-and-control server to download additional malicious binaries. What type of
malware has Matthew encountered?
A. Key-logger
B. Trojan
C. Worm
D. Macro Virus
Answer: B
NO.511 Nation-state threat actors often discover vulnerabilities and hold on to them until they want
to launch a sophisticated attack. The Stuxnet attack was an unprecedented style of attack because it
used four types of vulnerability.
What is this style of attack called?
A. zero-day
B. zero-hour
C. zero-sum
D. no-day
Answer: A
Explanation
Stuxnet is a malicious computer worm believed to be a jointly built American-Israeli cyber weapon.
Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows
operating system and networks, then seeking out Siemens Step7 software.
References: https://en.wikipedia.org/wiki/Stuxnet
NO.512 A network security administrator is worried about potential man-in-the-middle attacks
when users access a corporate web site from their workstations. Which of the following is the best
remediation against this type of attack?
A. Implementing server-side PKI certificates for all connections
B. Mandating only client-side PKI certificates for all connections
C. Requiring client and server PKI certificates for all connections
D. Requiring strong authentication for all DNS queries
Answer: C
NO.513 What is not a PCI compliance recommendation?
A. Limit access to card holder data to as few individuals as possible.
B. Use encryption to protect all transmission of card holder data over any public network.
C. Rotate employees handling credit card transactions on a yearly basis to different departments.
D. Use a firewall between the public network and the payment card data.
Answer: C
NO.514 When you are testing a web application, it is very useful to employ a proxy tool to save
every request and response. You can manually test every request and analyze the response to find
vulnerabilities. You can test parameters and headers manually to get more precise results than if using
web vulnerability scanners.
What proxy tool will help you find web vulnerabilities?
A. Burpsuite
B. Maskgen
C. Dimitry
D. Proxychains
Answer: A
Explanation
Burp Suite is an integrated platform for performing security testing of web applications. Its various
tools work seamlessly together to support the entire testing process, from initial mapping and
analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
References: https://portswigger.net/burp/
NO.515 Which of the following algorithms provides better protection against brute force attacks by
using a 160-bit message digest?
A. MD5
B. SHA-1
C. RC4
D. MD4
Answer: B
NO.516 During a penetration test, the tester conducts an ACK scan using NMAP against the external
interface of the DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which
type of packet inspection is the firewall conducting?
A. Host
B. Stateful
C. Stateless
D. Application
Answer: C
NO.517 Which tool allows analysts and pen testers to examine links between data using graphs and
link analysis?
A. Maltego
B. Cain & Abel
C. Metasploit
D. Wireshark
Answer: A
Explanation
Maltego is proprietary software used for open-source intelligence and forensics, developed by
Paterva.
Maltego focuses on providing a library of transforms for discovery of data from open sources, and
visualizing that information in a graph format, suitable for link analysis and data mining.
References: https://en.wikipedia.org/wiki/Maltego
NO.518 This configuration allows a NIC to pass all traffic it receives to the Central Processing Unit
(CPU), instead of passing only the frames that the controller is intended to receive. Select the option
that BEST describes the above statement.
A. Multi-cast mode
B. WEM
C. Promiscuous mode
D. Port forwarding
Answer: C
NO.519 Yancey is a network security administrator for a large electric company. This company
provides power for over 100,000 people in Las Vegas. Yancey has worked for his company for over
15 years and has become very successful. One day, Yancey comes in to work and finds out that the
company will be downsizing and he will be out of a job in two weeks. Yancey is very angry and
decides to place logic bombs, viruses, Trojans, and backdoors all over the network to take down the
company once he has left. Yancey does not care if his actions land him in jail for 30 or more years; he
just wants the company to pay for what they are doing to him.
What would Yancey be considered?
A. Yancey would be considered a Suicide Hacker
B. Since he does not care about going to jail, he would be considered a Black Hat
C. Because Yancey works for the company currently, he would be a White Hat
D. Yancey is a Hacktivist Hacker since he is standing up to a company that is downsizing
Answer: A
NO.520 An enterprise recently moved to a new office and the new neighborhood is a little risky. The
CEO wants to monitor the physical perimeter and the entrance doors 24 hours a day. What is the best
option to do this job?
A. Use fences in the entrance doors.
B. Install a CCTV with cameras pointing to the entrance doors and the street.
C. Use an IDS in the entrance doors and install some of them near the corners.
D. Use lights in all the entrance doors and along the company's perimeter.
Answer: B
NO.521 What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?
A. Injecting parameters into a connection string using semicolons as a separator
B. Inserting malicious Javascript code into input parameters
C. Setting a user's session identifier (SID) to an explicit known value
D. Adding multiple parameters with the same name in HTTP requests
Answer: A
NO.522 You have successfully compromised a server having an IP address of 10.10.0.5. You would like
to enumerate all machines in the same network quickly.
What is the best nmap command you will use?
A. nmap -T4 -F 10.10.0.0/24
B. nmap -T4 -r 10.10.1.0/24
C. nmap -T4 -O 10.10.0.0/24
D. nmap -T4 -q 10.10.0.0/24
Answer: A
Explanation
command = nmap -T4 -F
description = This scan is faster than a normal scan because it uses the aggressive timing template
and scans fewer ports.
References: https://svn.nmap.org/nmap/zenmap/share/zenmap/config/scan_profile.usp
NO.523 Suppose you've gained access to your client's hybrid network. On which port should you
listen in order to know which Microsoft Windows workstations have file sharing enabled?
A. 1433
B. 161
C. 445
D. 3389
Answer: C
NO.524 The company ABC recently discovered that their new product was released by the
opposition before their premiere. They contract an investigator who discovered that the maid threw
away papers with confidential information about the new product and the opposition found it in the
garbage. What is the name of the technique used by the opposition?
A. Hack attack
B. Sniffing
C. Dumpster diving
D. Spying
Answer: C
NO.525 When you return to your desk after a lunch break, you notice a strange email in your inbox.
The sender is someone you did business with recently, but the subject line has strange characters in
it.
What should you do?
A. Forward the message to your company's security response team and permanently delete the
message from your computer.
B. Reply to the sender and ask them for more information about the message contents.
C. Delete the email and pretend nothing happened
D. Forward the message to your supervisor and ask for her opinion on how to handle the situation
Answer: A
Explanation
By setting up an email address for your users to forward any suspicious email to, the emails can be
automatically scanned and replied to, with security incidents created to follow up on any emails with
attached malware or links to known bad websites.
References:
https://docs.servicenow.com/bundle/helsinki-security-management/page/product/threatintelligence/
task/t_Confi
NO.526 Which of the following is a symmetric cryptographic standard?
A. DSA
B. PKI
C. RSA
D. 3DES
Answer: D
NO.527 In this attack, a victim receives an e-mail claiming to be from PayPal stating that their account has
been disabled and confirmation is required before activation. The attackers then scam to collect not
one but two credit card numbers, ATM PIN number and other personal details. Ignorant users usually
fall prey to this scam.
Which of the following statements is incorrect related to this attack?
A. Do not reply to email messages or popup ads asking for personal or financial information
B. Do not trust telephone numbers in e-mails or popup ads
C. Review credit card and bank account statements regularly
D. Antivirus, anti-spyware, and firewall software can very easily detect these types of attacks
E. Do not send credit card numbers, and personal or financial information via e-mail
Answer: D
NO.528 ICMP ping and ping sweeps are used to check for active systems and to check
A. if ICMP ping traverses a firewall.
B. the route that the ICMP ping took.
C. the location of the switchport in relation to the ICMP ping.
D. the number of hops an ICMP ping takes to reach a destination.
Answer: A
NO.529 While conducting a penetration test, the tester determines that there is a firewall between
the tester's machine and the target machine. The firewall is only monitoring TCP handshaking of
packets at the session layer of the OSI model. Which type of firewall is the tester trying to traverse?
A. Packet filtering firewall
B. Application-level firewall
C. Circuit-level gateway firewall
D. Stateful multilayer inspection firewall
Answer: C
NO.530 A penetration tester is conducting a port scan on a specific host. The tester found several
open ports that were confusing in concluding the Operating System (OS) version installed.
Considering the NMAP result below, which of the following is likely to be installed on the target
machine by the OS?
A. The host is likely a printer.
B. The host is likely a Windows machine.
C. The host is likely a Linux machine.
D. The host is likely a router.
Answer: A
Explanation
The Internet Printing Protocol (IPP) uses port 631.
References: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
NO.531 DHCP snooping is a great solution to prevent rogue DHCP servers on your network. Which
security feature on switches leverages the DHCP snooping database to help prevent man-in-the-middle
attacks?
A. Port security
B. A Layer 2 Attack Prevention Protocol (LAPP)
C. Dynamic ARP inspection (DAI)
D. Spanning tree
Answer: C
NO.532 What would you enter, if you wanted to perform a stealth scan using Nmap?
A. nmap -sU
B. nmap -sS
C. nmap -sM
D. nmap -sT
Answer: B
NO.533 Which of the following conditions must be given to allow a tester to exploit a Cross-Site
Request Forgery (CSRF) vulnerable web application?
A. The victim user must open the malicious link with an Internet Explorer prior to version 8.
B. The session cookies generated by the application do not have the HttpOnly flag set.
C. The victim user must open the malicious link with a Firefox prior to version 3.
D. The web application should not use random tokens.
Answer: D
NO.534 What is the best Nmap command to use when you want to list all devices in the same
network quickly after you successfully identified a server whose IP address is 10.10.0.5?
A. nmap -T4 -F 10.10.0.0/24
B. nmap -T4 -q 10.10.0.0/24
C. nmap -T4 -O 10.10.0.0/24
D. nmap -T4 -r 10.10.1.0/24
Answer: A
NO.535 In Wireshark, the packet bytes pane shows the data of the current packet in which format?
A. Decimal
B. ASCII only
C. Binary
D. Hexadecimal
Answer: D
NO.536 While doing a Black box pen test via the TCP port (80), you noticed that the traffic gets
blocked when you tried to pass IRC traffic from a web enabled host. However, you also noticed that
outbound HTTP traffic is being allowed. What type of firewall is being utilized for the outbound
traffic?
A. Stateful
B. Application
C. Circuit
D. Packet Filtering
Answer: B
NO.537 What is the correct process for the TCP three-way handshake connection establishment and
connection termination?
A. Connection Establishment: FIN, ACK-FIN, ACK; Connection Termination: SYN, SYN-ACK, ACK
B. Connection Establishment: SYN, SYN-ACK, ACK; Connection Termination: ACK, ACK-SYN, SYN
C. Connection Establishment: ACK, ACK-SYN, SYN; Connection Termination: FIN, ACK-FIN, ACK
D. Connection Establishment: SYN, SYN-ACK, ACK; Connection Termination: FIN, ACK-FIN, ACK
Answer: D
NO.538 As an Ethical Hacker you are capturing traffic from your customer's network with Wireshark
and you need to find and verify just SMTP traffic. What command in Wireshark will help you to find
this kind of traffic?
A. request smtp 25
B. tcp.port eq 25
C. smtp port
D. tcp.contains port 25
Answer: B
NO.539 Which of the following is a design pattern based on distinct pieces of software providing
application functionality as services to other applications?
A. Service Oriented Architecture
B. Object Oriented Architecture
C. Lean Coding
D. Agile Process
Answer: A
Explanation
A service-oriented architecture (SOA) is an architectural pattern in computer software design in
which application components provide services to other components via a communications protocol,
typically over a network.
References: https://en.wikipedia.org/wiki/Service-oriented_architecture
NO.540 What is the way to decide how a packet will move from an untrusted outside host to a
protected inside host that is behind a firewall, which permits the hacker to determine which ports are
open and if the packets can pass through the packet filtering of the firewall?
A. Firewalking
B. Session hijacking
C. Network sniffing
D. Man-in-the-middle attack
Answer: A
NO.541 The collection of potentially actionable, overt, and publicly available information is known
as
A. Open-source intelligence
B. Human intelligence
C. Social intelligence
D. Real intelligence
Answer: A
NO.542 Which of the following parameters enables NMAP's operating system detection feature?
A. NMAP -sV
B. NMAP -oS
C. NMAP -sR
D. NMAP -O
Answer: D
NO.543 Which of the following is the structure designed to verify and authenticate the identity of
individuals within the enterprise taking part in a data exchange?
A. PKI
B. single sign on
C. biometrics
D. SOA
Answer: A
Explanation
A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage,
distribute, use, store, and revoke digital certificates and manage public-key encryption. The
purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network
activities such as e-commerce, internet banking and confidential email.
References: https://en.wikipedia.org/wiki/Public_key_infrastructure
NO.544 What network security concept requires multiple layers of security controls to be placed
throughout an IT infrastructure, which improves the security posture of an organization to defend
against malicious attacks or potential vulnerabilities?
A. Security through obscurity
B. Host-Based Intrusion Detection System
C. Defense in depth
D. Network-Based Intrusion Detection System
Answer: C
NO.545 An attacker attaches a rogue router in a network. He wants to redirect traffic to a LAN
attached to his router as part of a man-in-the-middle attack. What measure on behalf of the
legitimate admin can mitigate this attack?
A. Only using OSPFv3 will mitigate this risk.
B. Make sure that legitimate network routers are configured to run routing protocols with
authentication.
C. Redirection of the traffic cannot happen unless the admin allows it explicitly.
D. Disable all routing protocols and only use static routes.
Answer: B
NO.546 Which of the following is an advantage of utilizing security testing methodologies to conduct
a security audit?
A. They provide a repeatable framework.
B. Anyone can run the command line scripts.
C. They are available at low cost.
D. They are subject to government regulation.
Answer: A
NO.547 Darius is analysing logs from an IDS. He wants to understand what triggered one alert and
verify whether it is a true positive or a false positive. Looking at the logs, he copies and pastes basic details like
below:
source IP: 192.168.21.100
source port: 80
destination IP: 192.168.10.23
destination port: 63221
What is the most proper answer?
A. This is most probably a true negative.
B. This is most probably a true positive which triggered on secure communication between client and
server.
C. This is most probably a false positive, because an alert triggered on reversed traffic.
D. This is most probably a false positive because the IDS is monitoring one-direction traffic.
Answer: A
NO.548 You are tasked to perform a penetration test. While you are performing information
gathering, you find an employee list in Google. You find the receptionist's email, and you send her an
email changing the source email to her boss's email (boss@company). In this email, you ask for a pdf
with information. She reads your email and sends back a pdf with links. You exchange the pdf links
with your malicious links (these links contain malware) and send back the modified pdf, saying that
the links don't work. She reads your email, opens the links, and her machine gets infected. You now
have access to the company network.
What testing method did you use?
A. Social engineering
B. Tailgating
C. Piggybacking
D. Eavesdropping
Answer: A
Explanation
Social engineering, in the context of information security, refers to psychological manipulation of
people into performing actions or divulging confidential information. A type of confidence trick for
the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in
that it is often one of many steps in a more complex fraud scheme.
NO.549 SNMP is a protocol used to query hosts, servers, and devices about performance or health
status data. This protocol has long been used by hackers to gather a great amount of information
about remote hosts. Which of the following features makes this possible? (Choose two.)
A. It used TCP as the underlying protocol.
B. It uses a community string that is transmitted in clear text.
C. It is susceptible to sniffing.
D. It is used by all network devices on the market.
Answer: B D
NO.550 Firewalk has just completed the second phase (the scanning phase) and a technician
receives the output shown below. What conclusions can be drawn based on these scan results?
A. The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target
host.
B. The lack of response from ports 21 and 22 indicates that those services are not running on the
destination server.
C. The scan on port 23 passed through the filtering device. This indicates that port 23 was not
blocked at the firewall.
D. The scan on port 23 was able to make a connection to the destination host, prompting the firewall
to respond with a TTL error.
Answer: C
NO.551 Which of the following is a component of a risk assessment?
A. Physical security
B. Administrative safeguards
C. DMZ
D. Logical interface
Answer: B
NO.552 Which cipher encrypts the plain text digits (bits or bytes) one by one?
A. Classical cipher
B. Block cipher
C. Modern cipher
D. Stream cipher
Answer: D
NO.553 Which type of access control is used on a router or firewall to limit network activity?
5226A. Mandatory
5227B. Discretionary
5228C. Rule-based
5229D. Role-based
5230Answer: C
5231NO.554 If a token and 4-digit personal identification number (PIN) are used to access a computer
5232system and the token performs off-line checking for the correct PIN, what type of attack is possible?
5233A. Birthday
5234B. Brute force
5235C. Man-in-the-middle
5236D. Smurf
5237Answer: B
NO.555 Which of the following is designed to identify malicious attempts to penetrate systems?
A. Intrusion Detection System
B. Firewall
C. Proxy
D. Router
Answer: A
Explanation
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces electronic reports to a management station.
References: https://en.wikipedia.org/wiki/Intrusion_detection_system
NO.556 Which of the following is assured by the use of a hash?
A. Integrity
B. Confidentiality
C. Authentication
D. Availability
Answer: A
Explanation
An important application of secure hashes is verification of message integrity. Determining whether any changes have been made to a message (or a file), for example, can be accomplished by comparing message digests calculated before and after transmission (or any other event).
References: https://en.wikipedia.org/wiki/Cryptographic_hash_function#Verifying_the_integrity_of_files_or_messages
NO.557 What is the minimum number of network connections in a multi-homed firewall?
A. 3
B. 5
C. 4
D. 2
Answer: A
NO.558 How does the Address Resolution Protocol (ARP) work?
A. It sends a request packet to all the network elements, asking for the MAC address from a specific IP.
B. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP.
C. It sends a reply packet for a specific IP, asking for the MAC address.
D. It sends a request packet to all the network elements, asking for the domain name from a specific IP.
Answer: A
Explanation
When an incoming packet destined for a host machine on a particular local area network arrives at a gateway, the gateway asks the ARP program to find a physical host or MAC address that matches the IP address. The ARP program looks in the ARP cache and, if it finds the address, provides it so that the packet can be converted to the right packet length and format and sent to the machine. If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it. A machine that recognizes the IP address as its own returns a reply saying so. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied.
References: http://searchnetworking.techtarget.com/definition/Address-Resolution-Protocol-ARP
NO.559 Which security strategy requires using several, varying methods to protect IT systems against attacks?
A. Defense in depth
B. Three-way handshake
C. Covert channels
D. Exponential backoff algorithm
Answer: A
NO.560 Which of the following techniques does a vulnerability scanner use in order to detect a vulnerability on a target service?
A. Port scanning
B. Banner grabbing
C. Injecting arbitrary data
D. Analyzing service response
Answer: D
NO.561 How can you determine if an LM hash you extracted contains a password that is less than 8 characters long?
A. There is no way to tell because a hash cannot be reversed
B. The rightmost portion of the hash is always the same
C. The hash always starts with AB923D
D. The leftmost portion of the hash is always the same
E. A portion of the hash will be all 0's
Answer: B
NO.562 Which of the following guidelines or standards is associated with the credit card industry?
A. Control Objectives for Information and Related Technology (COBIT)
B. Sarbanes-Oxley Act (SOX)
C. Health Insurance Portability and Accountability Act (HIPAA)
D. Payment Card Industry Data Security Standard (PCI DSS)
Answer: D
NO.563
Identify the correct terminology that defines the above statement.
A. Vulnerability Scanning
B. Penetration Testing
C. Security Policy Implementation
D. Designing Network Security
Answer: B
NO.564 An attacker tries to do banner grabbing on a remote web server and executes the following command.
Service detection performed. Please report any incorrect results at http://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds
What did the hacker accomplish?
A. nmap can't retrieve the version number of any running remote service.
B. The hacker successfully completed the banner grabbing.
C. The hacker should've used nmap -O host.domain.com.
D. The hacker failed to do banner grabbing as he didn't get the version of the Apache web server.
Answer: B
NO.565 What is the main difference between a "Normal" SQL Injection and a "Blind" SQL Injection vulnerability?
A. The request to the web server is not visible to the administrator of the vulnerable application.
B. The attack is called "Blind" because, although the application properly filters user input, it is still vulnerable to code injection.
C. The successful attack does not show an error message to the administrator of the affected application.
D. The vulnerable application does not display errors with information about the injection results to the attacker.
Answer: D
NO.566 Fingerprinting an Operating System helps a cracker because:
A. It defines exactly what software you have installed
B. It opens a security-delayed window based on the port being scanned
C. It doesn't depend on the patches that have been applied to fix existing security holes
D. It informs the cracker of which vulnerabilities he may be able to exploit on your system
Answer: D
NO.567 You are attempting to man-in-the-middle a session. Which protocol will allow you to guess a sequence number?
A. TCP
B. UPD
C. ICMP
D. UPX
Answer: A
Explanation
At the establishment of a TCP session the client starts by sending a SYN packet (SYN = synchronize) with a sequence number. To hijack a session it is required to send a packet with the right sequence number; otherwise the packets are dropped.
References: https://www.exploit-db.com/papers/13587/
NO.568 The first thing you do every office day is to check your email inbox. One morning, you receive an email from your best friend and the subject line is quite strange. What should you do?
A. Delete the email and pretend nothing happened.
B. Forward the message to your supervisor and ask for her opinion on how to handle the situation.
C. Forward the message to your company's security response team and permanently delete the message from your computer.
D. Reply to the sender and ask them for more information about the message contents.
Answer: C
NO.569 During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web-enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded.
What type of firewall is inspecting outbound traffic?
A. Application
B. Circuit
C. Stateful
D. Packet Filtering
Answer: A
Explanation
An application firewall is an enhanced firewall that limits access by applications to the operating system (OS) of a computer. Conventional firewalls merely control the flow of data to and from the central processing unit (CPU), examining each packet and determining whether or not to forward it toward a particular destination.
An application firewall offers additional protection by controlling the execution of files or the handling of data by specific applications.
References: http://searchsoftwarequality.techtarget.com/definition/application-firewall
NO.570 Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan?
A. It is a network fault and the originating machine is in a network loop
B. It is a worm that is malfunctioning or hardcoded to scan on port 500
C. The attacker is trying to detect machines on the network which have SSL enabled
D. The attacker is trying to determine the type of VPN implementation and checking for IPSec
Answer: D
NO.571 Take a look at the following attack on a Web Server using an obfuscated URL:
How would you protect from these attacks?
A. Configure the Web Server to deny requests involving "hex encoded" characters
B. Create rules in IDS to alert on strange Unicode requests
C. Use SSL authentication on Web Servers
D. Enable Active Scripts Detection at the firewall and routers
Answer: B
NO.572 Which of the following does proper basic configuration of snort as a network intrusion detection system require?
A. Limit the packets captured to the snort configuration file.
B. Capture every packet on the network segment.
C. Limit the packets captured to a single segment.
D. Limit the packets captured to the /var/log/snort directory.
Answer: A
NO.573 Defining rules, collaborating with the human workforce, creating a backup plan, and testing the plans are within what phase of the Incident Handling Process?
A. Preparation phase
B. Containment phase
C. Recovery phase
D. Identification phase
Answer: A
NO.574 Which of the following BEST describes how Address Resolution Protocol (ARP) works?
A. It sends a reply packet for a specific IP, asking for the MAC address
B. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP
C. It sends a request packet to all the network elements, asking for the domain name from a specific IP
D. It sends a request packet to all the network elements, asking for the MAC address from a specific IP
Answer: D
NO.575 It is a short-range wireless communication technology that allows mobile phones, computers and other devices to connect and communicate. This technology intends to replace cables connecting portable devices with high regard to security.
A. Bluetooth
B. Radio-Frequency Identification
C. WLAN
D. InfraRed
Answer: A
NO.576 What is the benefit of performing an unannounced Penetration Testing?
A. The tester will have an actual security posture visibility of the target network.
B. Network security would be in a "best state" posture.
C. It is best to catch critical infrastructure unpatched.
D. The tester could not provide an honest analysis.
Answer: A
Explanation
Real-life attacks will always come without expectation and they will often arrive in ways that are highly creative and very hard to plan for at all. This is, after all, exactly how hackers continue to succeed against network security systems, despite the billions invested in the data protection industry.
A possible solution to this danger is to conduct intermittent "unannounced" penetration tests whose scheduling and occurrence is only known to the hired attackers and upper management staff instead of every security employee, as would be the case with "announced" penetration tests that everyone has planned for in advance. The former may be better at detecting realistic weaknesses.
References: http://www.sitepronews.com/2013/03/20/the-pros-and-cons-of-penetration-testing/
NO.577 A hacker was able to easily gain access to a website. He was able to log in via the frontend user login form of the website using default or commonly used credentials. This exploitation is an example of what software design flaw?
A. Insufficient security management
B. Insufficient database hardening
C. Insufficient input validation
D. Insufficient exception handling
Answer: B
NO.578 When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following?
A. Drops the packet and moves on to the next one
B. Continues to evaluate the packet until all rules are checked
C. Stops checking rules, sends an alert, and lets the packet continue
D. Blocks the connection with the source IP address in the packet
Answer: B
NO.579 If there is an Intrusion Detection System (IDS) in the intranet, which port scanning technique cannot be used?
A. Spoof Scan
B. TCP Connect scan
C. TCP SYN
D. Idle Scan
Answer: C
NO.580 You are performing information gathering for an important penetration test. You have found pdf, doc, and image files in your objective. You decide to extract metadata from these files and analyze it.
What tool will help you with the task?
A. Metagoofil
B. Armitage
C. Dimitry
D. cdpsnarf
Answer: A
Explanation
Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to a target company.
Metagoofil will perform a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfMiner and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help penetration testers in the information gathering phase.
References: http://www.edge-security.com/metagoofil.php
NO.581 The network administrator contacts you and tells you that she noticed the temperature on the internal wireless router increases by more than 20% during weekend hours when the office was closed. She asks you to investigate the issue because she is busy dealing with a big conference and she doesn't have time to perform the task.
What tool can you use to view the network traffic being sent and received by the wireless router?
A. Wireshark
B. Nessus
C. Netcat
D. Netstat
Answer: A
Explanation
Wireshark is a free and open source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
NO.582 This tool is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools.
Which of the following tools is being described?
A. Aircrack-ng
B. Airguard
C. WLAN-crack
D. wificracker
Answer: A
Explanation
Aircrack-ng is a complete suite of tools to assess WiFi network security.
The default cracking method of Aircrack-ng is PTW, but Aircrack-ng can also use the FMS/KoreK method, which incorporates various statistical attacks to discover the WEP key and uses these in combination with brute forcing.
References: http://www.aircrack-ng.org/doku.php?id=aircrack-ng
NO.583 An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com", the user is directed to a phishing site.
Which file does the attacker need to modify?
A. Hosts
B. Sudoers
C. Boot.ini
D. Networks
Answer: A
Explanation
The hosts file is a computer file used by an operating system to map hostnames to IP addresses. The hosts file contains lines of text consisting of an IP address in the first text field followed by one or more host names.
References: https://en.wikipedia.org/wiki/Hosts_(file)
NO.584 Bob is going to perform an active session hijack against Brownies Inc. He has found a target that allows session-oriented connections (Telnet) and performs the sequence prediction on the target operating system. He manages to find an active session due to the high level of traffic on the network. What is Bob supposed to do next?
A. Take over the session
B. Reverse sequence prediction
C. Guess the sequence numbers
D. Take one of the parties offline
Answer: C
NO.585 The security concept of "separation of duties" is most similar to the operation of which type of security device?
A. Firewall
B. Bastion host
C. Intrusion Detection System
D. Honeypot
Answer: A
Explanation
In most enterprises the engineer making a firewall change is also the one reviewing the firewall metrics for unauthorized changes. What if the firewall administrator wanted to hide something? How would anyone ever find out? This is where separation of duties comes in, focusing on the responsibilities of tasks within security.
References: http://searchsecurity.techtarget.com/tip/Modern-security-management-strategy-requires-securityseparation-of-du
NO.586 From the following table, identify the wrong answer in terms of Range (ft).
A. 802.11b
B. 802.11g
C. 802.16(WiMax)
D. 802.11a
Answer: D
NO.587 You've just been hired to perform a pen test on an organization that has been subjected to a large-scale attack.
The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate risk.
What is one of the first things you should do when given the job?
A. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable levels.
B. Interview all employees in the company to rule out possible insider threats.
C. Establish attribution to suspected attackers.
D. Start the wireshark application to start sniffing network traffic.
Answer: A
Explanation
The goals of penetration tests are:
References: https://en.wikipedia.org/wiki/Penetration_test
NO.588 Why are containers less secure than virtual machines?
A. The host OS on containers has a larger attack surface.
B. Containers may fill up the disk space of the host.
C. A compromised container may cause CPU starvation of the host.
D. Containers are attached to the same virtual network.
Answer: A
NO.589 To maintain compliance with regulatory requirements, a security audit of the systems on a network must be performed to determine their compliance with security policies. Which one of the following tools would most likely be used in such an audit?
A. Vulnerability scanner
B. Protocol analyzer
C. Port scanner
D. Intrusion Detection System
Answer: A
Explanation
A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses.
They can be run either as part of vulnerability management by those tasked with protecting systems, or by black hat attackers looking to gain unauthorized access.
References: https://en.wikipedia.org/wiki/Vulnerability_scanner
NO.590 You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters. With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results?
A. Online Attack
B. Dictionary Attack
C. Brute Force Attack
D. Hybrid Attack
Answer: D
NO.591 When you are collecting information to perform a data analysis, Google commands are very useful to find sensitive information and files. These files may contain information about passwords, system functions, or documentation.
What command will help you to search files using Google as a search engine?
A. site: target.com filetype:xls username password email
B. inurl: target.com filename:xls username password email
C. domain: target.com archive:xls username password email
D. site: target.com file:xls username password email
Answer: A
Explanation
If you include site: in your query, Google will restrict your search results to the site or domain you specify.
If you include filetype:suffix in your query, Google will restrict the results to pages whose names end in suffix. For example, [ web page evaluation checklist filetype:pdf ] will return Adobe Acrobat pdf files that match the terms "web," "page," "evaluation," and "checklist."
References: http://www.googleguide.com/advanced_operators_reference.html
NO.592 Which Metasploit Framework tool can help a penetration tester evade anti-virus systems?
A. msfpayload
B. msfcli
C. msfencode
D. msfd
Answer: C
NO.593 Sandra has been actively scanning the client network on which she is doing a vulnerability assessment test.
While conducting a port scan she notices open ports in the range of 135 to 139.
What protocol is most likely to be listening on those ports?
A. Finger
B. FTP
C. Samba
D. SMB
Answer: D
NO.594 At a Windows Server command prompt, which command could be used to list the running services?
A. Sc query type= running
B. Sc query \\servername
C. Sc query
D. Sc config
Answer: C
NO.595 The fundamental difference between symmetric and asymmetric key cryptographic systems is that symmetric key cryptography uses which of the following?
A. Multiple keys for non-repudiation of bulk data
B. Different keys on both ends of the transport medium
C. Bulk encryption for data transmission over fiber
D. The same key on each end of the transmission medium
Answer: D
NO.596 What mechanism in Windows prevents a user from accidentally executing a potentially malicious batch (.bat) or PowerShell (.ps1) script?
A. User Access Control (UAC)
B. Data Execution Prevention (DEP)
C. Address Space Layout Randomization (ASLR)
D. Windows firewall
Answer: B
NO.597 Knowing the nature of backup tapes, which of the following is the MOST RECOMMENDED way of storing backup tapes?
A. In a cool dry environment
B. Inside the data center for faster retrieval in a fireproof safe
C. In a climate controlled facility offsite
D. On a different floor in the same building
Answer: C
NO.598 Which of the following tools would MOST LIKELY be used to perform a security audit on various forms of network systems?
A. Intrusion Detection System
B. Vulnerability scanner
C. Port scanner
D. Protocol analyzer
Answer: B
NO.599 A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set:
The engineer wants to configure remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ. Which rule would best fit this requirement?
A. Permit 217.77.88.0/24 11.12.13.0/24 RDP 3389
B. Permit 217.77.88.12 11.12.13.50 RDP 3389
C. Permit 217.77.88.12 11.12.13.0/24 RDP 3389
D. Permit 217.77.88.0/24 11.12.13.50 RDP 3389
Answer: B
NO.600 A consultant has been hired by the V.P. of a large financial organization to assess the company's security posture. During the security testing, the consultant comes across child pornography on the V.P.'s computer.
What is the consultant's obligation to the financial organization?
A. Say nothing and continue with the security testing.
B. Stop work immediately and contact the authorities.
C. Delete the pornography, say nothing, and continue security testing.
D. Bring the discovery to the financial organization's human resource department.
Answer: B
NO.601 Tess King is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records (delegation for child domains), zone serial number, Time To Live (TTL) records, etc.) for a domain.
What do you think Tess King is trying to accomplish? Select the best answer.
A. A zone harvesting
B. A zone transfer
C. A zone update
D. A zone estimate
Answer: B
NO.602 Which of the following is a protocol specifically designed for transporting event messages?
A. SYSLOG
B. SMS
C. SNMP
D. ICMP
Answer: A
Explanation
syslog is a standard for message logging. It permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the software type generating the message, and assigned a severity label.
References: https://en.wikipedia.org/wiki/Syslog#Network_protocol
NO.603 Alice encrypts her data using her public key PK and stores the encrypted data in the cloud.
Which of the following attack scenarios will compromise the privacy of her data?
A. None of these scenarios compromise the privacy of Alice's data
B. Agent Andrew subpoenas Alice, forcing her to reveal her private key. However, the cloud server successfully resists Andrew's attempt to access the stored data
C. Hacker Harry breaks into the cloud server and steals the encrypted data
D. Alice also stores her private key in the cloud, and Harry breaks into the cloud server as before
Answer: D
NO.604 The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below:
You are hired to conduct security testing on their network.
You successfully brute-force the SNMP community string using an SNMP crack tool.
The access-list configured at the router prevents you from establishing a successful connection.
You want to retrieve the Cisco configuration from the router. How would you proceed?
A. Use Cisco's TFTP default password to connect and download the configuration file
B. Run a network sniffer and capture the returned traffic with the configuration file from the router
C. Run the Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router, masking your IP address
D. Send a customized SNMP set request with a spoofed source IP address in the range -192.168.1.0
Answer: B D
NO.605 In order to prevent particular ports and applications from getting packets into an organization, what does a firewall check?
A. Network layer headers and the session layer port numbers
B. Presentation layer headers and the session layer port numbers
C. Application layer port numbers and the transport layer headers
D. Transport layer port numbers and application layer headers
Answer: D
NO.606 You have successfully gained access to your client's internal network and successfully compromised a Linux server which is part of the internal IP network. You want to know which Microsoft Windows workstations have file sharing enabled.
Which port would you see listening on these Windows machines in the network?
A. 445
B. 3389
C. 161
D. 1433
Answer: A
Explanation
The following ports are associated with file sharing and server message block (SMB) communications:
References: https://support.microsoft.com/en-us/kb/298804
NO.607 The following are types of Bluetooth attack EXCEPT _____?
A. Bluejacking
B. Bluesmacking
C. Bluesnarfing
D. Bluedriving
Answer: D
NO.608 Destination unreachable administratively prohibited messages can inform the hacker of what?
A. That a circuit level proxy has been installed and is filtering traffic
B. That his/her scans are being blocked by a honeypot or jail
C. That the packets are being malformed by the scanning software
D. That a router or other packet-filtering device is blocking traffic
E. That the network is functioning normally
Answer: D
NO.609 A possibly malicious sequence of packets that were sent to a web server has been captured by an Intrusion Detection System (IDS) and was saved to a PCAP file. As a network administrator, you need to determine whether these packets are indeed malicious. What tool are you going to use?
A. Intrusion Prevention System (IPS)
B. Vulnerability scanner
C. Protocol analyzer
D. Network sniffer
Answer: C
NO.610 A penetration tester is conducting a port scan on a specific host. The tester found several open ports that were confusing in concluding the Operating System (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS?
A. The host is likely a Windows machine.
B. The host is likely a Linux machine.
C. The host is likely a router.
D. The host is likely a printer.
Answer: D
NO.611 Which results will be returned with the following Google search query?
site:target.com -site:Marketing.target.com accounting
A. Results matching all words in the query
B. Results matching "accounting" in domain target.com but not on the site Marketing.target.com
C. Results from matches on the site marketing.target.com that are in the domain target.com but do not include the word accounting
D. Results for matches on target.com and Marketing.target.com that include the word "accounting"
Answer: B
NO.612 What is the most common method to exploit the "Bash Bug" or "ShellShock" vulnerability?
A. Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment variable to a vulnerable Web server
B. Manipulate format strings in text fields
C. SSH
D. SYN Flood
Answer: A
Explanation
Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell.
One specific exploitation vector of the Shellshock bug is CGI-based web servers.
Note: When a web server uses the Common Gateway Interface (CGI) to handle a document request, it passes various details of the request to a handler program in the environment variable list. For example, the variable HTTP_USER_AGENT has a value that, in normal usage, identifies the program sending the request. If the request handler is a Bash script, or if it executes one, for example using the system call, Bash will receive the environment variables passed by the server and will process them. This provides a means for an attacker to trigger the Shellshock vulnerability with a specially crafted server request.
References: https://en.wikipedia.org/wiki/Shellshock_(software_bug)#Specific_exploitation_vectors
NO.613 It is an entity or event with the potential to adversely impact a system through unauthorized access, destruction, disclosure, denial of service or modification of data.
Which of the following terms best matches the definition?
A. Threat
B. Attack
C. Vulnerability
D. Risk
Answer: A
Explanation
A threat is any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.
References: https://en.wikipedia.org/wiki/Threat_(computer)
NO.614 Which of the following cryptography attack methods is usually performed without the use of a computer?
A. Ciphertext-only attack
B. Chosen key attack
5862C. Rubber hose attack
5863D. Rainbow table attack
5864Answer: C
5865NO.615 Which statement best describes a server type under an N-tier architecture?
5866A. A group of servers at a specific layer
5867B. A single server with a specific role
5868C. A group of servers with a unique role
5869D. A single server at a specific layer
5870Answer: C
5871NO.616 When utilizing technical assessment methods to assess the security posture of a network,
5872which of the following techniques would be most effective in determining whether end-user security
5873training would be beneficial?
5874A. Vulnerability scanning
5875B. Social engineering
5876C. Application security testing
5877D. Network sniffing
5878Answer: B
5879NO.617 Which statement is TRUE regarding network firewalls preventing Web Application attacks?
5880A. Network firewalls can prevent attacks because they can detect malicious HTTP traffic.
5881B. Network firewalls cannot prevent attacks because ports 80 and 443 must be opened.
5882C. Network firewalls can prevent attacks if they are properly configured.
5883D. Network firewalls cannot prevent attacks because they are too complex to configure.
5884Answer: B
5885Explanation
5886Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP
5887protocol stack, not allowing packets to pass through the firewall unless they match the established
5888rule set. To prevent Web Application attacks an Application layer firewall would be required.
5889References: https://en.wikipedia.org/wiki/Firewall_(computing)#Network_layer_or_packet_filters
5890NO.618 You work as a Security Analyst for a retail organization. In securing the company's network,
5891you set up a firewall and an IDS. However, hackers are able to attack the network. After investigating,
5892you discover that your IDS is not configured properly and therefore is unable to trigger alarms when
5893needed. What type of alert is the IDS giving?
5894A. False Negative
5895B. False Positive
5896C. True Negative
5897D. True Positive
5898Answer: A
5899Explanation
5900A false negative is a test result that reports a condition as absent when it is in fact present. For an
5901IDS that means an attack that occurs without producing an alert, which is exactly what a misconfigured sensor yields: the attacks succeeded and the IDS stayed silent.
5904References:
5905https://en.wikipedia.org/wiki/False_positives_and_false_negatives#False_negative_error
5906NO.619 The intrusion detection system at a software development company suddenly generates
5907multiple alerts regarding attacks against the company's external webserver, VPN concentrator, and
5908DNS servers. What should the security team do to determine which alerts to check first?
5909A. Investigate based on the maintenance schedule of the affected systems.
5910B. Investigate based on the service level agreements of the systems.
5911C. Investigate based on the potential effect of the incident.
5912D. Investigate based on the order that the alerts arrived in.
5913Answer: C
5914NO.620 What type of OS fingerprinting technique sends specially crafted packets to the remote OS
5915and analyzes the received response?
5916A. Passive
5917B. Reflective
5918C. Active
5919D. Distributive
5920Answer: C
5921NO.621 During a penetration test, a tester finds a target that is running MS SQL 2000 with default
5922credentials. The tester assumes that the service is running with Local System account. How can this
5923weakness be exploited to access the system?
5924A. Using the Metasploit psexec module setting the SA / Admin credential
5925B. Invoking the stored procedure xp_shell to spawn a Windows command shell
5926C. Invoking the stored procedure cmd_shell to spawn a Windows command shell
5927D. Invoking the stored procedure xp_cmdshell to spawn a Windows command shell
5928Answer: D
5929NO.622 What is the primary drawback to using advanced encryption standard (AES) algorithm with a
5930256 bit key to share sensitive data?
5931A. Due to the key size, the time it will take to encrypt and decrypt the message hinders efficient
5932communication.
5933B. To get messaging programs to function with this algorithm requires complex configurations.
5934C. It has been proven to be a weak cipher; therefore, should not be trusted to protect sensitive data.
5935D. It is a symmetric key algorithm, meaning each recipient must receive the key through a different
5936channel than the message.
5937Answer: D
5938NO.623 Nathan is testing some of his network devices. Nathan is using Macof to try and flood the
5939ARP cache of these switches.
5940If these switches' ARP cache is successfully flooded, what will be the result?
5941A. The switches will drop into hub mode if the ARP cache is successfully flooded.
5942B. If the ARP cache is flooded, the switches will drop into pix mode making it less susceptible to
5945attacks.
5946C. Depending on the switch manufacturer, the device will either delete every entry in its ARP cache
5947or reroute packets to the nearest switch.
5948D. The switches will route all traffic to the broadcast address, creating collisions.
5949Answer: A
Explanation
Strictly, macof overflows the switch's CAM (MAC address) table rather than an ARP cache: it sends frames with thousands of random source MAC addresses until the table is full. Many switches then fail open and flood frames for unknown destinations out of every port, so the attacker's port receives traffic meant for other hosts. That fail-open behaviour is what "hub mode" means here.
5950NO.624 This is an attack that takes advantage of a web site vulnerability in which the site displays
5951content that includes un-sanitized user-provided data.
5952What is this attack?
5953A. Cross-site-scripting attack
5954B. SQL Injection
5955C. URL Traversal attack
5956D. Buffer Overflow attack
5957Answer: A
5958NO.625 When setting up a wireless network, an administrator enters a pre-shared key for security.
5959Which of the following is true?
5960A. The key entered is a symmetric key used to encrypt the wireless data.
5961B. The key entered is a hash that is used to prove the integrity of the wireless data.
5962C. The key entered is based on the Diffie-Hellman method.
5963D. The key is an RSA key used to encrypt the wireless data.
5964Answer: A
5965NO.626 For messages sent through an insecure channel, a properly implemented digital signature
5966gives the receiver reason to believe the message was sent by the claimed sender. While using a
5967digital signature, the message digest is encrypted with which key?
5968A. Sender's public key
5969B. Receiver's private key
5970C. Receiver's public key
5971D. Sender's private key
5972Answer: D
5973NO.627 One advantage of an application-level firewall is the ability to
5974A. filter packets at the network level.
5975B. filter specific commands, such as http:post.
5976C. retain state information for each packet.
5977D. monitor tcp handshaking.
5978Answer: B
5979NO.628 Jesse receives an email with an attachment labeled "Court_Notice_21206.zip". Inside the zip
5980file is a file named "Court_Notice_21206.docx.exe" disguised as a word document. Upon execution, a
5981window appears stating, "This word document is corrupt." In the background, the file copies itself to
5984Jesse's APPDATA\local directory and begins to beacon to a C2 server to download additional malicious
5985binaries.
5986What type of malware has Jesse encountered?
5987A. Trojan
5988B. Worm
5989C. Macro Virus
5990D. Key-Logger
5991Answer: A
5992Explanation
5993In computing, a Trojan horse, or Trojan, is any malicious computer program that gets onto a
5994computer by misleading users of its true intent. Although their payload can be anything, many
5995modern forms act as a backdoor, contacting a controller which can then have unauthorized access to
5996the affected computer.
5997References: https://en.wikipedia.org/wiki/Trojan_horse_(computing)
5998NO.629 Rebecca commonly sees an error on her Windows system that states that a Data Execution
5999Prevention (DEP) error has taken place. Which of the following is most likely taking place?
6000A. A race condition is being exploited, and the operating system is containing the malicious process.
6001B. A page fault is occurring, which forces the operating system to write data from the hard drive.
6002C. Malware is executing in either ROM or a cache memory area.
6003D. Malicious code is attempting to execute instruction in a non-executable memory region.
6004Answer: D
6005NO.630 Insecure direct object reference is a type of vulnerability where the application does not
6006verify if the user is authorized to access the internal object via its name or key.
6007Suppose a malicious user Rob tries to get access to the account of a benign user Ned.
6008Which of the following requests best illustrates an attempt to exploit an insecure direct object
6009reference vulnerability?
6010A. "GET /restricted/goldtransfer?to=Rob&from=1 or 1=1' HTTP/1.1 Host: westbank.com"
6011B. "GET /restricted/accounts/?name=Ned HTTP/1.1 Host: westbank.com"
6012C. "GET /restricted/bank.getaccount('Ned') HTTP/1.1 Host: westbank.com"
6013D. "GET /restricted/\r\n\%00account%00Ned%00access HTTP/1.1 Host: westbank.com"
6014Answer: B
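The vulnerability in option B, shown as a handler that fetches the account purely by the client-supplied name, beside the version that checks ownership against the session. This is an added example, not code from the dump or from any bank; the account store, the login names and the Forbidden error are constructed for the demo.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed account store: account name -> record. "owner" is the login
# that is allowed to see the record.
ACCOUNTS = {
    "Ned": {"owner": "ned", "balance": 1500},
    "Rob": {"owner": "rob", "balance": 20},
}

class Forbidden(Exception):
    pass

def account_name_from_request(request_line: str) -> str:
    """Pull ?name=... out of a request line such as the one in option B."""
    method, target, _version = request_line.split()[:3]
    query = parse_qs(urlsplit(target).query)
    return query["name"][0]

def get_account_vulnerable(session_user: str, name: str) -> dict:
    # Insecure direct object reference: the record is fetched by the key the
    # client sent, so any authenticated user can read any account. The session
    # user is never consulted.
    return ACCOUNTS[name]

def get_account_fixed(session_user: str, name: str) -> dict:
    account = ACCOUNTS.get(name)
    # Authorisation is decided against the session principal, not the request.
    # Using one error for "no such account" and "not yours" avoids handing the
    # attacker an oracle for which account names exist.
    if account is None or account["owner"] != session_user:
        raise Forbidden(f"{session_user!r} may not access account {name!r}")
    return account
```

The same pattern applies to numeric IDs, file names and order numbers: the fix is never to hide the key (Rob can always guess "Ned") but to check, on every access, that the object belongs to the caller.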
6015NO.631 Based on the below log, which of the following sentences are true?
6016Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip
6017A. SSH communications are encrypted, so it's impossible to know who is the client or the server
6018B. Application is FTP and 10.240.250.23 is the client and 10.249.253.15 is the server
6019C. Application is SSH and 10.240.250.23 is the client and 10.249.253.15 is the server
6020D. Application is SSH and 10.240.250.23 is the server and 10.249.253.15 is the client
6021Answer: C
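The reasoning behind answer C, as an added example rather than anything from the dump: the side on the registered service port (22) is the server, the side on the ephemeral high port is the client, and encryption of the SSH payload does not hide either. The parser, the port table and the extra log lines are constructed for the demo and assume the same column layout as the line in the question.

```python
import re
from datetime import datetime

# Constructed log lines in the layout of the one in the question.
SAMPLE_LOG = """\
Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip
Mar 1, 2016, 7:34:02 AM 10.249.253.15 - 21 10.240.250.23 - 49155 tcp_ip
Mar 1, 2016, 7:35:10 AM 10.240.250.23 - 50001 10.249.253.15 - 50002 tcp_ip
"""

# Registered service ports the classifier recognises (assumed, extend as needed).
WELL_KNOWN = {21: "FTP", 22: "SSH", 25: "SMTP", 80: "HTTP", 443: "HTTPS"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4}, \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<ip_a>[\d.]+) - (?P<port_a>\d+) (?P<ip_b>[\d.]+) - (?P<port_b>\d+) (?P<proto>\S+)$"
)

def classify(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%b %d, %Y, %I:%M:%S %p")
    a = (m["ip_a"], int(m["port_a"]))
    b = (m["ip_b"], int(m["port_b"]))
    # The endpoint on the registered service port is the server; the other,
    # on an ephemeral high port, is the client. Either column may hold the
    # server (some formats log the responder first), so check both.
    if b[1] in WELL_KNOWN and a[1] not in WELL_KNOWN:
        client, server = a, b
    elif a[1] in WELL_KNOWN and b[1] not in WELL_KNOWN:
        client, server = b, a
    else:
        return {"timestamp": ts, "application": "unknown", "client": None, "server": None}
    return {"timestamp": ts, "application": WELL_KNOWN[server[1]],
            "client": client[0], "server": server[0]}

def classify_log(text: str) -> list:
    return [classify(line) for line in text.splitlines() if line.strip()]
```

A port-number heuristic is only that: a service listening on a non-standard port, or two ephemeral ports (the third sample line), needs flow direction (who sent the SYN) or payload inspection to resolve.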
6022NO.632 Which of the statements concerning proxy firewalls is correct?
6023A. Proxy firewalls increase the speed and functionality of a network.
6026B. Firewall proxy servers decentralize all activity for an application.
6027C. Proxy firewalls block network packets from passing to and from a protected network.
6028D. Computers establish a connection with a proxy firewall which initiates a new network connection
6029for the client.
6030Answer: D
6031NO.633 A new wireless client is configured to join a 802.11 network. This client uses the same
6032hardware and software as many of the other clients on the network. The client can see the network,
6033but cannot connect. A wireless packet sniffer shows that the Wireless Access Point (WAP) is not
6034responding to the association requests being sent by the wireless client.
6035What is a possible source of this problem?
6036A. The WAP does not recognize the client's MAC address
6037B. The client cannot see the SSID of the wireless network
6038C. Client is configured for the wrong channel
6039D. The wireless client is not configured to use DHCP
6040Answer: A
6041Explanation
6042MAC Filtering (or EUI filtering, or layer 2 address filtering) refers to a security access control method
6043whereby the 48-bit address assigned to each network card is used to determine access to the
6044network. MAC Filtering is often used on wireless networks.
6045References: https://en.wikipedia.org/wiki/MAC_filtering
6046NO.634 Which method of password cracking takes the most time and effort?
6047A. Brute force
6048B. Rainbow tables
6049C. Dictionary attack
6050D. Shoulder surfing
6051Answer: A
6052Explanation
6053Brute-force cracking, in which a computer tries every possible key or password until it succeeds, is
6054typically very time consuming. More common methods of password cracking, such as dictionary
6055attacks, pattern checking, word list substitution, etc. attempt to reduce the number of trials required
6056and will usually be attempted before brute force.
6057References: https://en.wikipedia.org/wiki/Password_cracking
6058NO.635 How can rainbow tables be defeated?
6059A. Password salting
6060B. Use of non-dictionary words
6061C. All uppercase character passwords
6062D. Lockout accounts under brute force password cracking attempts
6063Answer: A
6064NO.636 When creating a security program, which approach would be used if senior management is
6065supporting and enforcing the security policy?
6068A. A bottom-up approach
6069B. A top-down approach
6070C. A senior creation approach
6071D. An IT assurance approach
6072Answer: B
6073NO.637 The "white box testing" methodology enforces what kind of restriction?
6074A. The internal operation of a system is completely known to the tester.
6075B. Only the external operation of a system is accessible to the tester.
6076C. Only the internal operation of a system is known to the tester.
6077D. The internal operation of a system is only partly accessible to the tester.
6078Answer: A
6079Explanation
6080White-box testing (also known as clear box testing, glass box testing, transparent box testing, and
6081structural testing) is a method of testing software that tests internal structures or workings of an
6082application, as opposed to its functionality (i.e. black-box testing). In white-box testing an internal
6083perspective of the system, as well as programming skills, are used to design test cases.
6084References: https://en.wikipedia.org/wiki/White-box_testing
6085NO.638 You are attempting to crack LAN Manager (LM) hashes from a Windows 2000 SAM file using an
6086LM brute-force cracking tool. Which encryption algorithm will you be attacking?
6087A. MD4
6088B. DES
6089C. SHA
6090D. SSL
6091Answer: B
6092NO.639 Which of the following business challenges could be solved by using a vulnerability scanner?
6093A. Auditors want to discover if all systems are following a standard naming convention.
6094B. A web server was compromised and management needs to know if any further systems were
6095compromised.
6096C. There is an emergency need to remove administrator access from multiple machines for an
6097employee that quit.
6098D. There is a monthly requirement to test corporate compliance with host application usage and
6099security policies.
6100Answer: D
6101NO.640 What is the main advantage that a network-based IDS/IPS system has over a host-based
6102solution?
6103A. They do not use host system resources.
6104B. They are placed at the boundary, allowing them to inspect all traffic.
6105C. They are easier to install and configure.
6106D. They will not interfere with user interfaces.
6109Answer: A
6110NO.641 An attacker sniffs encrypted traffic from the network and is subsequently able to decrypt it.
6111The attacker can now use which cryptanalytic technique to attempt to discover the encryption key?
6112A. Birthday attack
6113B. Plaintext attack
6114C. Meet in the middle attack
6115D. Chosen ciphertext attack
6116Answer: D
6117NO.642 One of the Forbes 500 companies has been subjected to a large scale attack. You are one of
6118the shortlisted pen testers that they may hire. During the interview with the CIO, he emphasized that
6119he wants to totally eliminate all risks. What is one of the first things you should do when hired?
6120A. Interview all employees in the company to rule out possible insider threats.
6121B. Establish attribution to suspected attackers.
6122C. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to
6123acceptable levels.
6124D. Start the Wireshark application to start sniffing network traffic.
6125Answer: C
6126NO.643 Which of the following types of firewall inspects only header information in network traffic?
6127A. Packet filter
6128B. Stateful inspection
6129C. Circuit-level gateway
6130D. Application-level gateway
6131Answer: A
6132NO.644 In which of the following password protection technique, random strings of characters are
6133added to the password before calculating their hashes?
6134A. Keyed Hashing
6135B. Key Stretching
6136C. Salting
6137D. Double Hashing
6138Answer: C
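Salting (NO.635 and NO.644) and key stretching (the other option in NO.644) side by side with an unsalted hash, as an added example that is not from the dump. The storage format string is an assumption chosen for the demo; the hashing itself uses only the standard library's hashlib and hmac.

```python
import hashlib
import hmac
import os

def unsalted_hash(password: str) -> str:
    # Same password -> same hash for every user and every site, so one
    # rainbow-table lookup (or one cracked hash) covers every account that
    # shares the password.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt=None, iterations: int = 600_000) -> str:
    # Salting: 16 random bytes, stored in the clear next to the hash. Every
    # user gets a different hash for the same password, so a precomputed table
    # would have to be built per salt, which defeats the point of precomputing.
    # Key stretching: PBKDF2-HMAC-SHA256 iterated many times makes each guess
    # cost the attacker the same work it costs the server.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Assumed storage format: algorithm$iterations$salt$derived-key (all hex).
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)
```

The iteration count is stored with the hash so it can be raised later without invalidating existing records: old entries keep verifying at their recorded cost and get re-hashed on the next successful login.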
6139NO.645 An analyst investigating proxy logs finds that an internal user visited a website hosting
6140suspicious JavaScript. After opening one of the scripts, he notices that the code is very hard to
6141understand and looks nothing like typical JavaScript. What is the name of this technique for hiding
6142code and extending the time needed to analyze it?
6143A. Encryption
6144B. Code encoding
6145C. Obfuscation
6146D. Steganography
6149Answer: C
Explanation
The code is obfuscated: it still runs, but identifiers, strings and control flow have been transformed so that reading it takes far longer. Encrypted code would not run in the browser without a visible decryption step, and steganography hides data inside other data rather than making code unreadable.
6150NO.646 You've just gained root access to a Centos 6 server after days of trying. What tool should
6151you use to maintain access?
6152A. Disable Key Services
6153B. Create User Account
6154C. Download and Install Netcat
6155D. Disable IPTables
6156Answer: B
6157NO.647 E-mail scams and mail fraud are regulated by which of the following?
6158A. 18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers
6159B. 18 U.S.C. par. 1029 Fraud and Related activity in connection with Access Devices
6160C. 18 U.S.C. par. 1362 Communication Lines, Stations, or Systems
6161D. 18 U.S.C. par. 2510 Wire and Electronic Communications Interception and Interception of Oral
6162Communication
6163Answer: A
6164NO.648 The chance of a hard drive failure is known to be once every four years. The cost of a new
6165hard drive is $500.
6166EF (Exposure Factor) is about 0.5. Calculate for the Annualized Loss Expectancy (ALE).
6167A. $62.5
6168B. $250
6169C. $125
6170D. $65.2
6171Answer: A
Explanation
SLE = asset value × EF = $500 × 0.5 = $250. ARO = one failure every four years = 0.25 per year. ALE = SLE × ARO = $250 × 0.25 = $62.50.
6172NO.649 A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff
6173the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems.
6174However, he is unable to capture any logons though he knows that other users are logging in.
6175What do you think is the most likely reason behind this?
6176A. There is a NIDS present on that segment.
6177B. Kerberos is preventing it.
6178C. Windows logons cannot be sniffed.
6179D. L0phtcrack only sniffs logons to web servers.
6180Answer: B
6181NO.650 In the software security development life cycle process, threat modeling occurs in which
6182phase?
6183A. Design
6184B. Requirements
6185C. Verification
6186D. Implementation
6189Answer: A
6190NO.651 Your team has won a contract to infiltrate an organization. The company wants to have the
6191attack be as realistic as possible; therefore, they did not provide any information besides the
6192company name.
6193What should be the first step in security testing the client?
6194A. Reconnaissance
6195B. Enumeration
6196C. Scanning
6197D. Escalation
6198Answer: A
6199Explanation
6200Phases of hacking
6201Phase 1-Reconnaissance
6202Phase 2-Scanning
6203Phase 3-Gaining Access
6204Phase 4-Maintaining Access
6205Phase 5-Covering Tracks
6206Phase 1: Passive and Active Reconnaissance
6207References:
6208http://hack-o-crack.blogspot.se/2010/12/five-stages-of-ethical-hacking.html
6209NO.652 Eve is spending her day scanning the library computers. She notices that Alice is using a
6210computer whose port 445 is active and listening. Eve uses the ENUM tool to enumerate Alice's
6211machine. From the command prompt, she types the following command.
6213What is Eve trying to do?
6214A. Eve is trying to connect as a user with Administrator privileges
6215B. Eve is trying to enumerate all users with Administrative privileges
6216C. Eve is trying to carry out a password crack for user Administrator
6217D. Eve is trying to escalate privilege of the null user to that of Administrator
6218Answer: C
6219NO.653 You are the Systems Administrator for a large corporate organization. You need to monitor
6220all network traffic on your local network for suspicious activities and receive notifications when an
6221attack is occurring. Which tool would allow you to accomplish this goal?
6222A. Network-based IDS
6223B. Firewall
6224C. Proxy
6225D. Host-based IDS
6226Answer: A
6227Explanation
6230A network-based intrusion detection system (NIDS) is used to monitor and analyze network traffic to
6231protect a system from network-based threats.
6232A NIDS reads all inbound packets and searches for any suspicious patterns. When threats are
6233discovered, based on its severity, the system can take action such as notifying administrators, or
6234barring the source IP address from accessing the network.
6235References: https://www.techopedia.com/definition/12941/network-based-intrusion-detection-system-nids
6237NO.654 An attacker uses a communication channel within an operating system that is neither
6238designed nor intended to transfer information. What is the name of the communications channel?
6239A. Classified
6240B. Overt
6241C. Encrypted
6242D. Covert
6243Answer: D
6244NO.655 What does the -oX flag do in an Nmap scan?
6245A. Perform an express scan
6246B. Output the results in truncated format to the screen
6247C. Perform an Xmas scan
6248D. Output the results in XML format to a file
6249Answer: D
6250NO.656 In many states sending spam is illegal. Thus, the spammers have techniques to try and
6251ensure that no one knows they sent the spam out to thousands of users at a time. Which of the
6252following best describes what spammers use to hide the origin of these types of e-mails?
6253A. A blacklist of companies that have their mail server relays configured to allow traffic only to their
6254specific domain name.
6255B. Mail relaying, which is a technique of bouncing e-mail from internal to external mail servers
6256continuously.
6257C. A blacklist of companies that have their mail server relays configured to be wide open.
6258D. Tools that will reconfigure a mail server's relay component to send the e-mail back to the
6259spammers occasionally.
6260Answer: B
6261NO.657 What is correct about digital signatures?
6262A. A digital signature cannot be moved from one signed document to another because it is the hash
6263of the original document encrypted with the private key of the signing party.
6264B. Digital signatures may be used in different documents of the same type.
6265C. A digital signature cannot be moved from one signed document to another because it is a plain
6266hash of the document content.
6267D. Digital signatures are issued once for each user and can be used everywhere until they expire.
6268Answer: A
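The two signature questions together (NO.626: the digest is signed with the sender's private key and checked with the sender's public key; NO.657: the signature is bound to the document it was computed over). This is an added example, not anything from the dump. It assumes a toy RSA pair built from two known Mersenne primes with no padding, which is cryptographically worthless (about 92 bits, textbook RSA) and exists only to make the key roles visible; real code uses a library scheme such as RSA-PSS or Ed25519.

```python
import hashlib

# Toy key pair (assumption for the demo only): p and q are the Mersenne primes
# 2^31-1 and 2^61-1, so the modulus is tiny and the scheme is insecure.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent
SENDER_PUBLIC_KEY = (N, E)                 # what every receiver gets
SENDER_PRIVATE_KEY = (N, D)                # what only the sender holds

def digest(message: bytes, n: int) -> int:
    # SHA-256 of the document, reduced into the key's range. A real scheme
    # pads the digest (PSS/PKCS#1) instead of reducing it.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    n, d = private_key
    # The digest is "encrypted" with the sender's private key (NO.626, D).
    return pow(digest(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    # The receiver recovers the digest with the sender's public key and
    # recomputes it over the document it actually received. Any other
    # document hashes differently, so a moved signature fails (NO.657, A).
    return pow(signature, e, n) == digest(message, n)
```

Note what verify proves and what it does not: it binds the signature to this document and to whoever holds the private key, but it says nothing about who that is unless the public key itself is trusted (a certificate, a pinned key, a web of trust).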
6271NO.658 Null sessions are unauthenticated connections (made without a username or password) to an
6272NT or 2000 system.
6273Which TCP and UDP ports must you filter to check null sessions on your network?
6274A. 137 and 139
6275B. 137 and 443
6276C. 139 and 443
6277D. 139 and 445
6278Answer: D
6279NO.659 Backing up data is a security must. However, it also has certain level of risks when
6280mishandled. Which of the following is the greatest threat posed by backups?
6281A. A backup is the source of Malware or illicit information
6282B. A backup is incomplete because no verification was performed
6283C. A backup is unavailable during disaster recovery
6284D. An unencrypted backup can be misplaced or stolen
6285Answer: D
6286NO.660 What is the best description of SQL Injection?
6287A. It is an attack used to gain unauthorized access to a database.
6288B. It is an attack used to modify code in an application.
6289C. It is a Man-in-the-Middle attack between your SQL Server and Web App Server.
6290D. It is a Denial of Service Attack.
6291Answer: A
6292Explanation
6293SQL injection is a code injection technique, used to attack data-driven applications, in which
6294malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database
6295contents to the attacker).
6296References: https://en.wikipedia.org/wiki/SQL_injection
6297NO.661 A company has five different subnets: 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0
6298and 192.168.5.0.
6299How can NMAP be used to scan these adjacent Class C networks?
6300A. NMAP -P 192.168.1-5.
6301B. NMAP -P 192.168.0.0/16
6302C. NMAP -P 192.168.1.0,2.0,3.0,4.0,5.0
6303D. NMAP -P 192.168.1/17
6304Answer: A
Explanation
Nmap accepts a range in any octet of a target, so 192.168.1-5.0-255 (or 192.168.1-5.1-254 to skip the network and broadcast addresses) covers all five /24 networks in one target specification; that octet-range form is what option A is written with. Option B scans the whole of 192.168.0.0/16 (65,536 addresses) and option D is not a valid target form. Note that -P on its own is not an Nmap option: the host-discovery options are -PS, -PA, -PE and so on, and a ping-only scan is -sn (formerly -sP).
6305NO.662 Which of the following will perform an Xmas scan using NMAP?
6306A. nmap -sA 192.168.1.254
6307B. nmap -sP 192.168.1.254
6308C. nmap -sX 192.168.1.254
6309D. nmap -sV 192.168.1.254
6312Answer: C
6313NO.663 _________ is a set of extensions to DNS that provide to DNS clients (resolvers) origin
6314authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attacks
6315types.
6316A. DNSSEC
6317B. Zone transfer
6318C. Resource transfer
6319D. Resource records
6320Answer: A
6321NO.664 Which definition among those given below best describes a covert channel?
6322A. A server program using a port that is not well known.
6323B. Making use of a protocol in a way it is not intended to be used.
6324C. It is the multiplexing taking place on a communication link.
6325D. It is one of the weak channels used by WEP which makes it insecure
6326Answer: B
6327NO.665 Which of the following is a restriction being enforced in "white box testing?"
6328A. Only the internal operation of a system is known to the tester
6329B. The internal operation of a system is completely known to the tester
6330C. The internal operation of a system is only partly accessible to the tester
6331D. Only the external operation of a system is accessible to the tester
6332Answer: B
6333NO.666 An unauthorized individual enters a building following an employee through the employee
6334entrance after the lunch rush. What type of breach has the individual just performed?
6335A. Reverse Social Engineering
6336B. Tailgating
6337C. Piggybacking
6338D. Announced
6339Answer: B
6340NO.667 A company has hired a security administrator to maintain and administer Linux and
6341Windows-based systems.
6342Written in the nightly report file is the following:
6343Firewall log files are at the expected value of 4 MB. The current time is 12am. Exactly two hours later
6344the size has decreased considerably. Another hour goes by and the log files have shrunk in size again.
6345Which of the following actions should the security administrator take?
6346A. Log the event as suspicious activity and report this behavior to the incident response team
6347immediately.
6348B. Log the event as suspicious activity, call a manager, and report this as soon as possible.
6349C. Run an anti-virus scan because it is likely the system is infected by malware.
6352D. Log the event as suspicious activity, continue to investigate, and act according to the site's security
6353policy.
6354Answer: D
6355NO.668 Which of the following identifies the three modes in which Snort can be configured to run?
6356A. Sniffer, Packet Logger, and Network Intrusion Detection System
6357B. Sniffer, Network Intrusion Detection System, and Host Intrusion Detection System
6358C. Sniffer, Host Intrusion Prevention System, and Network Intrusion Prevention System
6359D. Sniffer, Packet Logger, and Host Intrusion Prevention System
6360Answer: A
6361NO.669 Which of the following statements about a zone transfer is correct? (Choose three.)
6362A. A zone transfer is accomplished with the DNS
6363B. A zone transfer is accomplished with the nslookup service
6364C. A zone transfer passes all zone information that a DNS server maintains
6365D. A zone transfer passes all zone information that a nslookup server maintains
6366E. A zone transfer can be prevented by blocking all inbound TCP port 53 connections
6367F. Zone transfers cannot occur on the Internet
6368Answer: A C E
6369NO.670 A well-intentioned researcher discovers a vulnerability on the web site of a major
6370corporation. What should he do?
6371A. Ignore it.
6372B. Try to sell the information to a well-paying party on the dark web.
6373C. Notify the web site owner so that corrective action be taken as soon as possible to patch the
6374vulnerability.
6375D. Exploit the vulnerability without harming the web site owner so that attention be drawn to the
6376problem.
6377Answer: C
6378NO.671 You are an Ethical Hacker who is auditing the ABC company. When you verify the NOC one
6379of the machines has 2 connections, one wired and the other wireless. When you verify the
6380configuration of this Windows system you find two static routes.
6381route add 10.0.0.0 mask 255.0.0.0 10.0.0.1
6382route add 0.0.0.0 mask 255.0.0.0 199.168.0.1
6383What is the main purpose of those static routes?
6384A. Both static routes indicate that the traffic is external with different gateway.
6385B. The first static route indicates that the internal traffic will use an external gateway and the second
6386static route indicates that the traffic will be rerouted.
6387C. Both static routes indicate that the traffic is internal with different gateway.
6388D. The first static route indicates that the internal addresses are using the internal gateway and the
6389second static route indicates that all the traffic that is not internal must go to an external gateway.
6390Answer: D
Explanation
The first route sends the internal 10.0.0.0/8 range to the internal gateway 10.0.0.1. The second is meant to be the default route for everything else, but as written its mask is wrong: destination 0.0.0.0 with mask 255.0.0.0 matches only 0.0.0.0/8. A Windows default route is route add 0.0.0.0 mask 0.0.0.0 199.168.0.1; with the two routes in place, longest-prefix matching sends 10.x.x.x traffic to 10.0.0.1 and everything else to 199.168.0.1.
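How the two static routes classify a destination, as an added example that is not from the dump: a parser for the Windows route add form used in the question, a longest-prefix-match lookup, and the question's table both as written and as intended (mask 0.0.0.0 on the default route, which is an assumption about what the question meant). The parser and the sample destinations are constructed for the demo.

```python
import ipaddress

def parse_route_add(line: str):
    """Parse 'route add <destination> mask <netmask> <gateway>' into (network, gateway)."""
    parts = line.split()
    if (len(parts) < 6 or parts[0].lower() != "route"
            or parts[1].lower() != "add" or parts[3].lower() != "mask"):
        raise ValueError(f"not a route add command: {line!r}")
    network = ipaddress.ip_network(f"{parts[2]}/{parts[4]}", strict=False)
    return network, ipaddress.ip_address(parts[5])

def next_hop(routes, destination: str):
    """Longest-prefix match: the most specific matching route wins (a /8 beats a /0).
    Returns the gateway as a string, or None when no route covers the destination."""
    dst = ipaddress.ip_address(destination)
    best = None
    for network, gateway in routes:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway)
    return None if best is None else str(best[1])

# The question's routes exactly as written: the second one is 0.0.0.0/8, not a default.
ROUTES_AS_WRITTEN = [parse_route_add(line) for line in (
    "route add 10.0.0.0 mask 255.0.0.0 10.0.0.1",
    "route add 0.0.0.0 mask 255.0.0.0 199.168.0.1",
)]

# Assumed intent: internal /8 via the internal gateway, everything else via the default.
ROUTES_INTENDED = [parse_route_add(line) for line in (
    "route add 10.0.0.0 mask 255.0.0.0 10.0.0.1",
    "route add 0.0.0.0 mask 0.0.0.0 199.168.0.1",
)]
```

Run against 8.8.8.8 the as-written table returns no route at all, which is the quickest way to show why the default route's mask matters; with the intended table the lookup splits traffic exactly as option D describes.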
6393NO.672 Which of the following statements regarding ethical hacking is incorrect?
6394A. Ethical hackers should never use tools or methods that have the potential of exploiting
6395vulnerabilities in an organization's systems.
6396B. Testing should be remotely performed offsite.
6397C. An organization should use ethical hackers who do not sell vendor hardware/software or other
6398consulting services.
6399D. Ethical hacking should not involve writing to or modifying the target systems.
6400Answer: A
6401Explanation
6402Ethical hackers use the same methods and techniques, including those that have the potential of
6403exploiting vulnerabilities, to test and bypass a system's defenses as their less-principled counterparts,
6404but rather than taking advantage of any vulnerabilities found, they document them and provide
6405actionable advice on how to fix them so the organization can improve its overall security.
6406References:
6407http://searchsecurity.techtarget.com/definition/ethical-hacker
6408NO.673 Low humidity in a data center can cause which of the following problems?
6409A. Heat
6410B. Corrosion
6411C. Static electricity
6412D. Airborne contamination
6413Answer: C
6414NO.674 Seth is starting a penetration test from inside the network. He hasn't been given any
6415information about the network. What type of test is he conducting?
6416A. Internal Whitebox
6417B. External, Whitebox
6418C. Internal, Blackbox
6419D. External, Blackbox
6420Answer: C
6421NO.675 Which type of scan measures a person's external features through a digital video camera?
6422A. Iris scan
6423B. Retinal scan
6424C. Facial recognition scan
6425D. Signature kinetics scan
6426Answer: C
6427NO.676 A security policy will be more accepted by employees if it is consistent and has the support
6428of
6429A. coworkers.
6430B. executive management.
6431C. the security officer.
6434D. a supervisor.
6435Answer: B
6436NO.677 This international organization regulates billions of transactions daily and provides security
6437guidelines to protect personally identifiable information (PII). These security controls provide a
6438baseline and prevent low-level hackers sometimes known as script kiddies from causing a data
6439breach.
6440Which of the following organizations is being described?
6441A. Payment Card Industry (PCI)
6442B. Center for Disease Control (CDC)
6443C. Institute of Electrical and Electronics Engineers (IEEE)
6444D. International Security Industry Organization (ISIO)
6445Answer: A
6446Explanation
6447The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security
6448standard for organizations that handle branded credit cards from the major card schemes including
6449Visa, MasterCard, American Express, Discover, and JCB. The PCI DSS standards are very explicit about
6450the requirements for the back end storage and access of PII (personally identifiable information).
6451References: https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
NO.678 When purchasing a biometric system, one of the considerations that should be reviewed is
the processing speed. Which of the following best describes what is meant by processing speed?
6454A. The amount of time it takes to convert biometric data into a template on a smart card.
6455B. The amount of time and resources that are necessary to maintain a biometric system.
C. The amount of time it takes to be either accepted or rejected from when an individual provides
identification and authentication information.
6458D. How long it takes to setup individual user accounts.
6459Answer: C
6460NO.679 While performing online banking using a Web browser, a user receives an email that
6461contains a link to an interesting Web site. When the user clicks on the link, another Web browser
6462session starts and displays a video of cats playing a piano. The next business day, the user receives
6463what looks like an email from his bank, indicating that his bank account has been accessed from a
6464foreign country. The email asks the user to call his bank and verify the authorization of a funds
6465transfer that took place.
6466What Web browser-based security vulnerability was exploited to compromise the user?
6467A. Cross-Site Request Forgery
6468B. Cross-Site Scripting
6469C. Clickjacking
6470D. Web form input validation
6471Answer: A
6472Explanation
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF
or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted
from a user that the website trusts.
Example and characteristics
If an attacker is able to find a reproducible link that executes a specific action on the target page
while the victim is logged in there, he is able to embed such a link on a page he controls and trick
the victim into opening it. The attack carrier link may be placed in a location that the victim is likely to
visit while logged into the target site (e.g. a discussion forum), or sent in an HTML email body or
attachment.
NO.680 A big company that wants to test its security infrastructure wants to hire elite pen
testers like you. During the interview, they ask you to show sample reports from previous
penetration tests. What should you do?
6487A. Share reports, after NDA is signed
6488B. Share full reports, not redacted
6489C. Decline but, provide references
6490D. Share full reports with redactions
6491Answer: C
6492NO.681 Eve stole a file named secret.txt, transferred it to her computer and she just entered these
6493commands:
6494What is she trying to achieve?
6495A. She is encrypting the file.
6496B. She is using John the Ripper to view the contents of the file.
6497C. She is using ftp to transfer the file to another hacker named John.
6498D. She is using John the Ripper to crack the passwords in the secret.txt file.
6499Answer: D
6500NO.682 Let's imagine three companies (A, B and C), all competing in a challenging global
6501environment. Company A and B are working together in developing a product that will generate a
6502major competitive advantage for them.
Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing. With a
spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails from
company B. How do you prevent DNS spoofing?
6507A. Install DNS logger and track vulnerable packets
6508B. Disable DNS timeouts
6509C. Install DNS Anti-spoofing
6510D. Disable DNS Zone Transfer
6511Answer: C
6514NO.683 Which of the following is considered an exploit framework and has the ability to perform
6515automated attacks on services, ports, applications and unpatched security flaws in a computer
6516system?
6517A. Wireshark
6518B. Maltego
6519C. Metasploit
6520D. Nessus
6521Answer: C
6522NO.684 Which of the following viruses tries to hide from anti-virus programs by actively altering and
6523corrupting the chosen service call interruptions when they are being run?
6524A. Cavity virus
6525B. Polymorphic virus
6526C. Tunneling virus
6527D. Stealth virus
6528Answer: D
NO.685 There are several ways to gain insight into how a cryptosystem works with the goal of reverse
engineering the process. Which term describes when two pieces of data result in the same value?
6531A. Collision
6532B. Collusion
6533C. Polymorphism
6534D. Escrow
6535Answer: A
6536NO.686 The network in ABC company is using the network address 192.168.1.64 with mask
6537255.255.255.192. In the network the servers are in the addresses 192.168.1.122, 192.168.1.123 and
6538192.168.1.124.
An attacker is trying to find those servers but he cannot see them in his scanning. The command he is
using is:
nmap 192.168.1.64/28
Why can't he see the servers?
A. The network must be down and the nmap command and IP address are ok.
B. He needs to add the command 'ip address' just before the IP address.
6545C. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not
6546in that range.
6547D. He needs to change the address to 192.168.1.0 with the same mask.
6548Answer: C
6549NO.687 When using Wireshark to acquire packet capture on a network, which device would enable
6550the capture of all traffic on the wire?
6551A. Network tap
6552B. Layer 3 switch
6555C. Network bridge
6556D. Application firewall
6557Answer: A
6558NO.688 An attacker gains access to a Web server's database and displays the contents of the table
6559that holds all of the names, passwords, and other user information. The attacker did this by entering
6560information into the Web site's user login page that the software's designers did not expect to be
6561entered. This is an example of what kind of software design problem?
6562A. Insufficient input validation
6563B. Insufficient exception handling
6564C. Insufficient database hardening
6565D. Insufficient security management
6566Answer: A
6567Explanation
6568The most common web application security weakness is the failure to properly validate input coming
6569from the client or from the environment before using it. This weakness leads to almost all of the
6570major vulnerabilities in web applications, such as cross site scripting, SQL injection, interpreter
6571injection, locale/Unicode attacks, file system attacks, and buffer overflows.
6572References: https://www.owasp.org/index.php/Testing_for_Input_Validation
6573NO.689 What type of malware is it that restricts access to a computer system that it infects and
6574demands that the user pay a certain amount of money, cryptocurrency, etc. to the operators of the
6575malware to remove the restriction?
6576A. Ransomware
6577B. Riskware
6578C. Adware
6579D. Spyware
6580Answer: A
6581NO.690 Scenario:
6582What is the name of the attack which is mentioned in the scenario?
6583A. HTTP Parameter Pollution
6584B. HTML Injection
6585C. Session Fixation
6586D. ClickJacking Attack
6587Answer: D
6588NO.691 You are a Penetration Tester and are assigned to scan a server. You need to use a scanning
6589technique wherein the TCP Header is split into many packets so that it becomes difficult to detect
6590what the packets are meant for.
Which of the scanning techniques below will you use?
6592A. ACK flag scanning
6593B. TCP Scanning
6594C. IP Fragment Scanning
6597D. Inverse TCP flag scanning
6598Answer: C
6599NO.692 You've just discovered a server that is currently active within the same network with the
6600machine you recently compromised. You ping it but it did not respond. What could be the case?
6601A. TCP/IP doesn't support ICMP
6602B. ARP is disabled on the target server
6603C. ICMP could be disabled on the target server
6604D. You need to run the ping command with root privileges
6605Answer: C
NO.693 How can a rootkit bypass the Windows 7 operating system's kernel-mode code signing policy?
6607A. Defeating the scanner from detecting any code change at the kernel
6608B. Replacing patch system calls with its own version that hides the rootkit (attacker's) actions
6609C. Performing common services for the application process and replacing real applications with fake
6610ones
6611D. Attaching itself to the master boot record in a hard drive and changing the machine's boot
6612sequence/options
6613Answer: D
6614NO.694 An incident investigator asks to receive a copy of the event logs from all firewalls, proxy
6615servers, and Intrusion Detection Systems (IDS) on the network of an organization that has
experienced a possible breach of security. When the investigator attempts to correlate the
information in all of the logs, the sequence of many of the logged events does not match up.
6618What is the most likely cause?
6619A. The network devices are not all synchronized.
6620B. Proper chain of custody was not observed while collecting the logs.
6621C. The attacker altered or erased events from the logs.
6622D. The security breach was a false positive.
6623Answer: A
6624Explanation
6625Time synchronization is an important middleware service of distributed systems, amongst which
6626Distributed Intrusion Detection System (DIDS) makes extensive use of time synchronization in
6627particular.
6628References:
http://ieeexplore.ieee.org/xpl/login.jsp?tp&arnumber=5619315&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D561
6633NO.695 John the Ripper is a technical assessment tool used to test the weakness of which of the
6634following?
6635A. Usernames
6636B. File permissions
6639C. Firewall rulesets
6640D. Passwords
6641Answer: D
6642NO.696 You are using NMAP to resolve domain names into IP addresses for a ping sweep later.
6643Which of the following commands looks for IP addresses?
6644A. >host -t a hackeddomain.com
6645B. >host -t soa hackeddomain.com
6646C. >host -t ns hackeddomain.com
6647D. >host -t AXFR hackeddomain.com
6648Answer: A
6649Explanation
6650The A record is an Address record. It returns a 32-bit IPv4 address, most commonly used to map
6651hostnames to an IP address of the host.
6652References: https://en.wikipedia.org/wiki/List_of_DNS_record_types
NO.697 A penetration tester is hired to do a risk assessment of a company's DMZ. The rules of
engagement state that the penetration test be done from an external IP address with no prior
knowledge of the internal IT systems.
6656What kind of test is being performed?
6657A. white box
6658B. grey box
6659C. red box
6660D. black box
6661Answer: D
6662NO.698 Which of the following is a strong post designed to stop a car?
6663A. Gate
6664B. Fence
6665C. Bollard
6666D. Reinforced rebar
6667Answer: C
6668NO.699 Which of the following describes a component of Public Key Infrastructure (PKI) where a
6669copy of a private key is stored to provide third-party access and to facilitate recovery operations?
6670A. Key registry
6671B. Recovery agent
6672C. Directory
6673D. Key escrow
6674Answer: D
6675NO.700 A hacker named Jack is trying to compromise a bank's computer system. He needs to know
6676the operating system of that computer to launch further attacks.
6677What process would help him?
6680A. Banner Grabbing
6681B. IDLE/IPID Scanning
6682C. SSDP Scanning
6683D. UDP Scanning
6684Answer: A
6685NO.701 Which of the following network attacks takes advantage of weaknesses in the fragment
6686reassembly functionality of the TCP/IP protocol stack?
6687A. Teardrop
6688B. SYN flood
6689C. Smurf attack
6690D. Ping of death
6691Answer: A
6692NO.702 What are the three types of compliance that the Open Source Security Testing Methodology
6693Manual (OSSTMM) recognizes?
6694A. Legal, performance, audit
6695B. Audit, standards based, regulatory
6696C. Contractual, regulatory, industry
6697D. Legislative, contractual, standards based
6698Answer: D
NO.703 In which of the following cryptography attack methods does the attacker make a series of
interactive queries, choosing subsequent plaintexts based on the information from the previous
encryptions?
6702A. Chosen-plaintext attack
6703B. Ciphertext-only attack
6704C. Adaptive chosen-plaintext attack
6705D. Known-plaintext attack
6706Answer: A
6707NO.704 Which of the following DoS tools is used to attack target web applications by starvation of
6708available sessions on the web server?
6709The tool keeps sessions at halt using never-ending POST transmissions and sending an arbitrarily
6710large content-length header value.
6711A. My Doom
6712B. Astacheldraht
6713C. R-U-Dead-Yet?(RUDY)
6714D. LOIC
6715Answer: C
6716NO.705 You are trying to break into a highly classified top-secret mainframe computer with highest
6717security system in place at Merclyn Barley Bank located in Los Angeles.
6720You know that conventional hacking doesn't work in this case, because organizations such as banks
6721are generally tight and secure when it comes to protecting their systems.
6722In other words, you are trying to penetrate an otherwise impenetrable system.
6723How would you proceed?
6724A. Look for "zero-day" exploits at various underground hacker websites in Russia and China and buy
6725the necessary exploits from these hackers and target the bank's network
6726B. Try to hang around the local pubs or restaurants near the bank, get talking to a poorly-paid or
6727disgruntled employee, and offer them money if they'll abuse their access privileges by providing you
6728with sensitive information
C. Launch DDOS attacks against Merclyn Barley Bank's routers and firewall systems using 100,000 or
more "zombies" and "bots"
6731D. Try to conduct Man-in-the-Middle (MiTM) attack and divert the network traffic going to the
6732Merclyn Barley Bank's Webserver to that of your machine using DNS Cache Poisoning techniques
6733Answer: B
NO.706 What is the algorithm used by LM for the Windows 2000 SAM?
6735A. MD4
6736B. DES
6737C. SHA
6738D. SSL
6739Answer: B
6740NO.707 A Certificate Authority (CA) generates a key pair that will be used for encryption and
6741decryption of email. The integrity of the encrypted email is dependent on the security of which of the
6742following?
6743A. Public key
6744B. Private key
6745C. Modulus length
6746D. Email server certificate
6747Answer: B
6748NO.708 Which command lets a tester enumerate alive systems in a class C network via ICMP using
6749native Windows tools?
6750A. ping 192.168.2.
6751B. ping 192.168.2.255
6752C. for %V in (1 1 255) do PING 192.168.2.%V
6753D. for /L %V in (1 1 254) do PING -n 1 192.168.2.%V | FIND /I "Reply"
6754Answer: D
6755NO.709 How do employers protect assets with security policies pertaining to employee surveillance
6756activities?
6757A. Employers promote monitoring activities of employees as long as the employees demonstrate
6758trustworthiness.
6759B. Employers use informal verbal communication channels to explain employee monitoring activities
6762to employees.
6763C. Employers use network surveillance to monitor employee email traffic, network access, and to
6764record employee keystrokes.
6765D. Employers provide employees written statements that clearly discuss the boundaries of
6766monitoring activities and consequences.
6767Answer: D
NO.710 Which type of Nmap scan is the most reliable, but also the most visible, and likely to be
picked up by an IDS?
6770A. SYN scan
6771B. ACK scan
6772C. RST scan
6773D. Connect scan
6774E. FIN scan
6775Answer: D
6776NO.711 > NMAP -sn 192.168.11.200-215
6777The NMAP command above performs which of the following?
6778A. A ping scan
6779B. A trace sweep
6780C. An operating system detect
6781D. A port scan
6782Answer: A
6783Explanation
6784NMAP -sn (No port scan)
6785This option tells Nmap not to do a port scan after host discovery, and only print out the available
6786hosts that responded to the host discovery probes. This is often known as a "ping scan", but you can
6787also request that traceroute and NSE host scripts be run.
6788References: https://nmap.org/book/man-host-discovery.html
6789NO.712 If the final set of security controls does not eliminate all risk in a system, what could be done
6790next?
6791A. Continue to apply controls until there is zero risk.
6792B. Ignore any remaining risk.
6793C. If the residual risk is low enough, it can be accepted.
6794D. Remove current controls since they are not completely effective.
6795Answer: C
6796NO.713 (Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic
6797TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort has
6798been used to capture packets on the network. On studying the packets, the penetration tester finds it
6799to be abnormal. If you were the penetration tester, why would you find this abnormal?
6800What is odd about this attack? Choose the best answer.
6803A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
6804B. This is back orifice activity as the scan comes from port 31337.
6805C. The attacker wants to avoid creating a sub-carries connection that is not normally valid.
6806D. These packets were crafted by a tool, they were not created by a standard IP stack.
6807Answer: B
6808NO.714 DNS cache snooping is a process of determining if the specified resource address is present
6809in the DNS cache records. It may be useful during the examination of the network to determine what
6810software update resources are used, thus discovering what software is installed.
6811What command is used to determine if the entry is present in DNS cache?
6812A. nslookup -fullrecursive update.antivirus.com
6813B. dnsnooping -rt update.antivirus.com
6814C. nslookup -norecursive update.antivirus.com
6815D. dns --snoop update.antivirus.com
6816Answer: C
6817NO.715 It has been reported to you that someone has caused an information spillage on their
6818computer. You go to the computer, disconnect it from the network, remove the keyboard and
6819mouse, and power it down. What step in incident handling did you just complete?
6820A. Containment
6821B. Eradication
6822C. Recovery
6823D. Discovery
6824Answer: A
6825NO.716 Which of the following tools is used by pen testers and analysts specifically to analyze links
6826between data using link analysis and graphs?
6827A. Metasploit
6828B. Wireshark
6829C. Maltego
6830D. Cain & Abel
6831Answer: C
6832NO.717 You have gained physical access to a Windows 2008 R2 server which has an accessible disc
6833drive.
6836When you attempt to boot the server and log in, you are unable to guess the password.
6837In your toolkit, you have an Ubuntu 9.10 Linux LiveCD.
6838Which Linux-based tool can change any user's password or activate disabled Windows accounts?
6839A. John the Ripper
6840B. SET
6841C. CHNTPW
6842D. Cain & Abel
6843Answer: C
NO.718 Bob, your senior colleague, has sent you a mail regarding a deal with one of the clients.
You are requested to accept the offer and you oblige.
After 2 days, Bob denies that he ever sent the mail.
What do you want to "know" to prove that it was Bob who sent the mail?
6848A. Confidentiality
6849B. Integrity
6850C. Non-Repudiation
6851D. Authentication
6852Answer: C
6853NO.719 When does the Payment Card Industry Data Security Standard (PCI-DSS) require
6854organizations to perform external and internal penetration testing?
6855A. At least twice a year or after any significant upgrade or modification
6856B. At least once a year and after any significant upgrade or modification
6857C. At least once every two years and after any significant upgrade or modification
6858D. At least once every three years or after any significant upgrade or modification
6859Answer: B
NO.720 You have successfully compromised a server having an IP address of 10.10.0.5. You would like
to enumerate all machines in the same network quickly.
6862What is the best nmap command you will use?
6863A. nmap -T4 -q 10.10.0.0/24
6864B. nmap -T4 -F 10.10.0.0/24
6865C. nmap -T4 -r 10.10.1.0/24
6866D. nmap -T4 -O 10.10.0.0/24
6867Answer: B