CEH v10 Exam C With Answers

The document is a practice exam for the CEH v10 certification: multiple-choice questions with an answer key, covering footprinting, port scanning, wireless attacks, cryptography, risk assessment and incident response. The questions test knowledge of tools such as Nmap, Wireshark and Snort, network protocols, vulnerabilities such as cross-site request forgery and SQL injection, and security concepts around hashing, firewalls and intrusion detection systems.

Uploaded by

Bryan Wat Kims

CEH v10 (312-50v10)

Exam C

QUESTION 1
This phase increases the odds of success in later phases of the penetration test. It is also the very first step
in information gathering, and it tells you what the “landscape” looks like. What is the most important phase of
ethical hacking, in which you need to spend a considerable amount of time?

A. network mapping
B. footprinting
C. escalating privileges
D. gaining access

Correct Answer: B

QUESTION 2
When you are collecting information to perform a data analysis, Google commands are very useful to find
sensitive information and files. These files may contain information about passwords, system functions, or
documentation. What command will help you to search files using Google as a search engine?

A. site:target.com filetype:xls username password email
B. domain:target.com archive:xls username password email
C. inurl:target.com filename:xls username password email
D. site:target.com file:xls username password email

Correct Answer: A

QUESTION 3
You have successfully gained access to your client’s internal network and compromised a Linux
server which is part of the internal IP network. You want to know which Microsoft Windows workstations have
file sharing enabled. Which port would you see listening on these Windows machines in the network?

A. 161
B. 3389
C. 445
D. 1433

Correct Answer: C

QUESTION 4
Which of the following is assured by the use of a hash?

A. Authentication
B. Confidentiality
C. Availability
D. Integrity

Correct Answer: D

QUESTION 5
Risk = Threats × Vulnerabilities is referred to as the:

A. BIA equation
B. Disaster recovery formula
C. Risk equation
D. Threat assessment

Correct Answer: C

QUESTION 6
The tools which receive event logs from servers, network equipment, and applications, and perform analysis
and correlation on those logs, and can generate alarms for security relevant issues, are known as what?

A. Network Sniffer
B. Vulnerability Scanner
C. Intrusion Prevention System
D. Security Information and Event Management (SIEM)

Correct Answer: D

QUESTION 7
You have just been hired to perform a pen test on an organization that has been subjected to a large-scale
attack. The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate risk. What is one of
the first things you should do when given the job?

A. Establish attribution to suspected attackers
B. Interview all employees in the company to rule out possible insider threats
C. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable levels.
D. Start Wireshark and begin sniffing network traffic.

Correct Answer: C

QUESTION 8
The purpose of a _______ is to deny network access to local area networks and other information assets by
unauthorized wireless devices.

A. Wireless Analyzer
B. Wireless Jammer
C. Wireless Access Point
D. Wireless Access Control List

Correct Answer: D

QUESTION 9
What does the –oX flag do in an Nmap scan?

A. Perform an Xmas scan
B. Perform an eXpress scan
C. Output the results in truncated format to the screen
D. Output the results in XML format to a file

Correct Answer: D
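
Question 9's -oX flag and Question 3's port 445 both come up in practice when a scan has to be post-processed. The following added example (not part of the original exam, written for this page) parses a constructed nmap -oX document with the Python standard library, lists the open ports per host, and picks out the hosts with a given port open. The host 192.168.1.10 and its service banners are invented for the sample; the element layout (nmaprun/host/address/ports/port/state/service) is the real Nmap XML structure.

```python
"""Post-process `nmap -oX` output: list open ports per host and find hosts with a given port open.

Added example for this page (stdlib only). SAMPLE_NMAP_XML is a constructed, trimmed copy of the
structure Nmap writes with -oX; the host 192.168.1.10 and its services are invented.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -oX scan.xml 192.168.1.10" start="1700000000" version="7.94">
  <host starttime="1700000000" endtime="1700000005">
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="closed" reason="reset"/>
        <service name="ms-wbt-server"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return {ipv4: sorted list of (port, protocol, service_name)} for ports in state 'open'.

    Hosts without an IPv4 address element (e.g. IPv6-only scans) are skipped.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            # Only 'open' counts; 'closed', 'filtered' and 'open|filtered' are left out.
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            ports.append((int(port.get("portid")), port.get("protocol"), name))
        result[addr_el.get("addr")] = sorted(ports)
    return result


def hosts_with_port(xml_text, port, protocol="tcp"):
    """Hosts whose scan shows `port`/`protocol` open, e.g. 445/tcp for Windows file sharing."""
    return sorted(ip for ip, ports in open_ports(xml_text).items()
                  if any(p == port and proto == protocol for p, proto, _ in ports))


if __name__ == "__main__":
    for ip, ports in open_ports(SAMPLE_NMAP_XML).items():
        print(ip, ports)
    print("SMB hosts:", hosts_with_port(SAMPLE_NMAP_XML, 445))
```

Run the real scan with `nmap -oX scan.xml <targets>` and feed the file contents to open_ports(); the same structure parses identically for hundreds of hosts, which is the reason to prefer -oX over scraping the normal text output.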

QUESTION 10
During an Xmas scan, what indicates a port is closed?

A. RST
B. SYN
C. ACK
D. No return response

Correct Answer: A

QUESTION 11
While performing online banking using a Web browser, a user receives an email that contains a link to an
interesting Web site. When the user clicks on the link, another Web browser session starts and displays a
video of cats playing a piano. The next business day, the user receives what looks like an email from his bank,
indicating that his bank account has been accessed from a foreign country. The email asks the user to call his
bank and verify the authorization of a funds transfer that took place. What Web browser-based security
vulnerability was exploited to compromise the user?

A. Clickjacking
B. Cross-Site Scripting
C. Cross-Site Request Forgery
D. Web form input validation

Correct Answer: C

QUESTION 12
Tremp is an IT Security Manager, and he is planning to deploy an IDS in his small company. He is looking for
an IDS with the following characteristics: -Verifies success or failure of an attack – Monitors system activities –
Detects attacks that a network-based IDS fails to detect. – Near real-time detection and response – Does not
require additional hardware – Lower entry cost. Which type of IDS is best suited for Tremp’s requirements?

A. Network-based IDS
B. Open source-based IDS
C. Host-based IDS
D. Gateway-based IDS

Correct Answer: C

QUESTION 13
Which of the following parameters describe LM Hash:

I – The maximum password length is 14 characters
II – There are no distinctions between uppercase and lowercase
III – The password is split into two 7-byte halves

A. II
B. I
C. I, II, and III
D. I and II

Correct Answer: C
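
The three LM properties in Question 13 are mechanical enough to show in code. This added example (not from the exam) implements the LM preprocessing steps: truncation to 14 characters, uppercasing, NUL padding, the split into two 7-byte halves, and the expansion of each 56-bit half into an 8-byte DES key with odd parity bits. The last step of the real algorithm, DES-encrypting the constant KGS!@#$% under each key, needs a DES implementation that the Python standard library does not ship; lm_hash() assumes pycryptodome is installed and is the only part that is not stdlib-only.

```python
"""LM hash preparation: the three properties from the question, in code.

Added example for this page. lm_halves() and des_key_from_7_bytes() are stdlib-only; lm_hash()
assumes pycryptodome is installed because Python ships no DES implementation.
"""

LM_MAGIC = b"KGS!@#$%"  # constant that each half, used as a DES key, encrypts to form the hash


def lm_halves(password):
    """Truncate to 14, uppercase, NUL-pad to 14 bytes and split into two 7-byte halves."""
    # (I)  Characters beyond the 14th are silently discarded.
    # (II) LM is case-insensitive: everything is uppercased before hashing.
    pw = password[:14].upper().encode("ascii", errors="replace")
    # Right-pad with NULs so the password is always exactly 14 bytes.
    pw = pw.ljust(14, b"\x00")
    # (III) Split into two halves that are hashed completely independently.
    return pw[:7], pw[7:]


def des_key_from_7_bytes(half):
    """Expand a 7-byte (56-bit) half into an 8-byte DES key.

    Each key byte carries 7 key bits in its high bits and an odd-parity bit in bit 0,
    which is how DES expects its 64-bit key to be laid out.
    """
    if len(half) != 7:
        raise ValueError("LM half must be exactly 7 bytes")
    bits = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F  # next 7 key bits, most significant first
        byte = seven << 1
        if bin(seven).count("1") % 2 == 0:     # make the byte's popcount odd
            byte |= 1
        key.append(byte)
    return bytes(key)


def lm_hash(password):
    """Full 16-byte LM hash as uppercase hex. Requires pycryptodome (pip install pycryptodome)."""
    from Crypto.Cipher import DES  # assumption: pycryptodome provides this module

    out = b""
    for half in lm_halves(password):
        out += DES.new(des_key_from_7_bytes(half), DES.MODE_ECB).encrypt(LM_MAGIC)
    return out.hex().upper()


if __name__ == "__main__":
    print(lm_halves("Password"))
    print(des_key_from_7_bytes(b"PASSWOR").hex())
```

A password of seven characters or fewer leaves the second half all NULs, so its LM hash ends in the well-known constant AAD3B435B51404EE; because the halves are independent, an attacker cracks two 7-character, case-insensitive pieces rather than one 14-character password.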

QUESTION 14
Which of the following is not a Bluetooth attack?

A. Bluesnarfing
B. Bluedriving
C. Bluesmacking
D. Bluejacking

Correct Answer: B

QUESTION 15
The Open Web Application Security Project (OWASP) is the worldwide not-for-profit charitable organization
focused on improving the security of software. What item is the primary concern on OWASP’s Top Ten Project
Most Critical Web Application Security Risks?

A. Cross Site Scripting
B. Injection
C. Path disclosure
D. Cross Site Request Forgery

Correct Answer: B

QUESTION 16
A pen-tester is configuring a Windows laptop for a test. In setting up Wireshark, what driver and library are
required to allow the NIC to work in promiscuous mode?

A. Winprom
B. Libpcap
C. Winpsw
D. Winpcap

Correct Answer: D

QUESTION 17
An analyst is investigating proxy logs and found that one of the internal users visited a website hosting suspicious
JavaScript files. After opening one of them, he noticed that the code is very hard to understand and that all of it
differs from typical JavaScript. What is the name of this technique to hide the code and extend analysis time?

A. Steganography
B. Code encoding
C. Obfuscation
D. Encryption

Correct Answer: C

QUESTION 18
During the security audit of IT processes, an IS auditor found that there were no documented security
procedures. What should the IS auditor do?

A. Create a procedures document
B. Terminate the audit
C. Conduct compliance testing
D. Identify and evaluate existing practices

Correct Answer: D

QUESTION 19
You just set up a security system in your network. In what kind of system would you find the following string of
characters used as a rule within its configuration?
alert tcp any any -> 192.168.100.0/24 21 (msg:"FTP on the network!";)

A. A firewall IPTable
B. FTP Server rule
C. A Router IPTable
D. An Intrusion Detection System

Correct Answer: D
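
The rule string in Question 19 is Snort syntax: action, protocol, source address and port, direction, destination address and port, then options in parentheses. This added example (not part of the original exam) parses that header into its fields and evaluates it against a handful of constructed packet summaries to show which traffic would trigger the alert. The packets and IP addresses are made up, and the option handling (key:value pairs only, no content matching, no ';' inside quoted strings) is a simplification written for this page, not Snort's own parser.

```python
"""Minimal evaluator for a Snort rule header such as the one in the question.

Added example for this page, not Snort's own parser: it understands action, protocol, addresses
(any, CIDR, optional '!' negation), ports (any, single, lo:hi range, '!' negation), the -> and <>
directions, and simple key:value options. The packet summaries below are constructed.
"""
import ipaddress
import re

RULE = 'alert tcp any any -> 192.168.100.0/24 21 (msg:"FTP on the network!";)'

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)

# Constructed packets: who talks to whom. Only the first one should fire the rule.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51234, "dst": "192.168.100.7", "dport": 21},  # FTP into the net
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51235, "dst": "192.168.100.7", "dport": 80},  # wrong port
    {"proto": "udp", "src": "10.0.0.5", "sport": 51236, "dst": "192.168.100.7", "dport": 21},  # wrong protocol
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51237, "dst": "172.16.0.9", "dport": 21},     # outside the net
    {"proto": "tcp", "src": "192.168.100.7", "sport": 21, "dst": "10.0.0.5", "dport": 51234},  # reply; -> is one-way
]


def parse_rule(text):
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule header: %r" % text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for opt in (o.strip() for o in opts.split(";")):
        if opt:
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def _ip_matches(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negate


def _port_matches(spec, port):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:  # Snort range syntax lo:hi, either side optional
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def matches(rule, pkt):
    if pkt["proto"] != rule["proto"]:
        return False
    forward = (_ip_matches(rule["src"], pkt["src"]) and _port_matches(rule["sport"], pkt["sport"])
               and _ip_matches(rule["dst"], pkt["dst"]) and _port_matches(rule["dport"], pkt["dport"]))
    if rule["dir"] == "->":
        return forward
    backward = (_ip_matches(rule["src"], pkt["dst"]) and _port_matches(rule["sport"], pkt["dport"])
                and _ip_matches(rule["dst"], pkt["src"]) and _port_matches(rule["dport"], pkt["sport"]))
    return forward or backward


def alerts(rule_text, packets):
    """Return (src, dst, msg) for every packet the rule would alert on."""
    rule = parse_rule(rule_text)
    return [(p["src"], p["dst"], rule["options"].get("msg", "")) for p in packets if matches(rule, p)]


if __name__ == "__main__":
    for hit in alerts(RULE, PACKETS):
        print(hit)
```

Of the five constructed packets only the first fires: the rule is one-directional (->), so the FTP server's reply from port 21 back to the client does not match even though the same addresses and ports are involved.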

QUESTION 20
While scanning with Nmap, Patin found several hosts which have incremental IP ID sequences. He then
decided to run: nmap -Pn -p- -sI kiosk.adobe.com www.riaa.com, where kiosk.adobe.com is the host with the
incremental IP ID sequence. What is the purpose of using “-sI” with Nmap?

A. Conduct stealth scan
B. Conduct ICMP scan
C. Conduct IDLE scan
D. Conduct silent scan

Correct Answer: C

QUESTION 21
What is the process of logging, recording, and resolving events that take place in an organization?

A. Incident Management Process
B. Security Policy
C. Internal Procedure
D. Metrics

Correct Answer: A

QUESTION 22
During a black-box pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled
host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting
outbound traffic?

A. Circuit
B. Stateful
C. Application
D. Packet Filtering

Correct Answer: C

QUESTION 23
The chance of a hard drive failure is once every three years. The cost to buy a new hard drive is $300. It will
require 10 hours to restore the OS and software to the new hard disk. It will require a further 4 hours to restore
the database from the last backup to the new hard disk. The recovery person earns $10/hour. Calculate the
SLE, ARO, and ALE. Assume the EF = 1 (100%). What is the closest approximate cost of this replacement and
recovery operation per year?

A. $1320
B. $440
C. $100
D. $146

Correct Answer: D
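
The arithmetic in Question 23 follows the standard definitions: SLE = asset value × exposure factor, ARO = expected incidents per year, ALE = SLE × ARO. This added example (not from the exam) carries the question's own numbers through those formulas so the $146 answer can be checked; the $300 drive, 14 labour hours at $10/hour and the one-failure-in-three-years rate are the question's inputs, and the function defaults are there only so other scenarios can be plugged in.

```python
"""SLE / ARO / ALE worked through with the numbers from the question (added example for this page)."""


def single_loss_expectancy(asset_value, exposure_factor=1.0):
    """SLE: what one occurrence costs. EF is the fraction of the asset value lost (1.0 = total loss)."""
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(incidents, years):
    """ARO: how many times per year the loss is expected to happen."""
    return incidents / years


def annualized_loss_expectancy(sle, aro):
    """ALE: the yearly cost to budget against, and the ceiling on what a control is worth."""
    return sle * aro


def hard_drive_case(hourly_rate=10.0, drive_cost=300.0, restore_hours=10 + 4, failures_per_years=(1, 3)):
    """The question's scenario: one failure every three years, $300 drive, 14 hours of labour at $10/h."""
    asset_value = drive_cost + restore_hours * hourly_rate            # 300 + 140 = 440
    sle = single_loss_expectancy(asset_value, exposure_factor=1.0)    # EF = 100%
    aro = annualized_rate_of_occurrence(*failures_per_years)          # 1/3
    ale = annualized_loss_expectancy(sle, aro)                        # 146.67
    return {"SLE": sle, "ARO": aro, "ALE": round(ale, 2)}


if __name__ == "__main__":
    print(hard_drive_case())
```

The labour is part of the single loss (it is incurred every time the drive fails), which is why the SLE is $440 and not $300; dividing by the three-year interval gives the $146.67 per year that option D approximates.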

QUESTION 24
An IT employee got a call from one of our best customers. The caller wanted to know about the company’s
network infrastructure, systems, and team. New opportunities for integration are in sight for both company and
customer. What should this employee do?

A. The employee cannot provide any information but will, in any case, provide the name of the person in
charge
B. Since the company’s policy is all about customer service, he/she will provide the information
C. The employee should not provide any information without prior management authorization
D. Disregarding the call, the employee should hang up

Correct Answer: C

QUESTION 25
You are attempting to man-in-the-middle a session. Which protocol will allow you to guess a sequence
number?

A. ICMP
B. TCP
C. UPX
D. UDP

Correct Answer: B

QUESTION 26
What is a “Collision attack” in cryptography?

A. Collision attacks try to get the public key
B. Collision attacks try to break the hash into three parts to get the plaintext value
C. Collision attacks try to break the hash into two parts, with the same bytes in each part to get the private key
D. Collision attacks try to find two inputs producing the same hash

Correct Answer: D
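
Question 26's definition of a collision attack is best seen by finding one. This added example (not part of the original exam) truncates SHA-256 to a small number of bits so that a birthday search finishes in milliseconds, and contrasts it with a second-preimage search against the same truncated hash, which has to try on the order of 2^n candidates rather than roughly 2^(n/2). The message prefixes "msg-" and "alt-" are arbitrary, and the truncation exists only to make the demonstration cheap; full SHA-256 has no known practical collision.

```python
"""Collision vs. second-preimage search on a truncated hash (added example for this page).

SHA-256 is truncated to `nbits` only to make the searches cheap; the point is the gap between
roughly 2**(nbits/2) hashes for a collision and roughly 2**nbits for a second preimage.
"""
import hashlib
import itertools


def trunc_hash(data, nbits):
    """Top `nbits` bits of SHA-256(data) as an integer."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def find_collision(nbits, prefix=b"msg-"):
    """Birthday search: hash candidates until two different inputs share a digest.

    Returns (m1, m2, hashes_computed). Expected work is about sqrt(pi/2 * 2**nbits).
    """
    seen = {}
    for i in itertools.count():
        m = prefix + str(i).encode()  # every candidate is distinct, so any repeat digest is a collision
        h = trunc_hash(m, nbits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m


def find_second_preimage(target, nbits, prefix=b"alt-"):
    """Brute force a different input with the same digest as `target`.

    Returns (m, hashes_computed). Expected work is about 2**nbits: no birthday shortcut here.
    """
    want = trunc_hash(target, nbits)
    for i in itertools.count():
        m = prefix + str(i).encode()
        if m != target and trunc_hash(m, nbits) == want:
            return m, i + 1


if __name__ == "__main__":
    m1, m2, n = find_collision(24)
    print("collision after", n, "hashes:", m1, m2)
    m, n = find_second_preimage(b"msg-0", 16)
    print("second preimage after", n, "hashes:", m)
```

Running it shows a 24-bit collision after a few thousand hashes while the 16-bit second preimage typically needs tens of thousands; scaled to 256 bits, the 2^128 collision bound is what sets SHA-256's security margin, and it is why a hash whose collision resistance falls (MD5, SHA-1) is retired for signatures even while preimages remain out of reach.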

QUESTION 27
Which of the following is the successor of SSL?

A. GRE
B. IPSec
C. RSA
D. TLS

Correct Answer: D

QUESTION 28
This international organization regulates billions of transactions daily and provides security guidelines to protect
personally identifiable information (PII). These security controls provide a baseline and prevent low-level
hackers, sometimes known as script kiddies, from causing a data breach. Which of the following organizations is
being described?

A. Institute of Electrical and Electronics Engineers (IEEE)
B. International Security Industry Organization (ISIO)
C. Center for Disease Control (CDC)
D. Payment Card Industry (PCI)

Correct Answer: D

QUESTION 29
Which of the following DoS tools is used to attack target web applications by starvation of available sessions on
the web server? The tool keeps sessions at halt using never-ending POST transmissions and sending an
arbitrarily large content-length header value.

A. Stacheldraht
B. LOIC
C. R-U-Dead-Yet? (RUDY)
D. MyDoom

Correct Answer: C

QUESTION 30
WPA2 uses AES for wireless data encryption at which of the following encryption levels?

A. 64 bit and CCMP
B. 128 bit and CRC
C. 128 bit and CCMP
D. 128 bit and TKIP

Correct Answer: C

QUESTION 31
You are tasked to configure the DHCP server to lease the last 100 usable IP addresses in subnet 10.1.4.0/23.
Which of the following IP addresses could be leased as a result of the new configuration?

A. 10.1.4.254
B. 10.1.255.200
C. 10.1.5.200
D. 10.1.4.156

Correct Answer: C
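
For Question 31, the check a practitioner would actually run is to enumerate the address block rather than reason about octets. This added example (not from the exam) uses the standard library ipaddress module to list the last 100 usable addresses of 10.1.4.0/23 (network and broadcast addresses excluded) and to test each of the four answer options against that pool; the subnet and the candidate addresses are the question's own.

```python
"""Which addresses can DHCP lease if it must hand out the last 100 usable IPs of 10.1.4.0/23?

Added example for this page; the subnet and the four candidate addresses are the question's own.
"""
import ipaddress


def last_usable(cidr, count):
    """The last `count` host addresses of the block, excluding network and broadcast addresses."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())  # a /23 has 512 addresses and 510 usable hosts
    if count > len(hosts):
        raise ValueError("%s has only %d usable addresses" % (cidr, len(hosts)))
    return hosts[-count:]


def leaseable(cidr, count, candidates):
    """Map each candidate to whether it falls in the DHCP pool, saying why if it does not."""
    net = ipaddress.ip_network(cidr, strict=False)
    pool = set(last_usable(cidr, count))
    verdict = {}
    for c in candidates:
        addr = ipaddress.ip_address(c)
        if addr not in net:
            verdict[c] = "outside %s" % net
        elif addr in pool:
            verdict[c] = "in pool"
        else:
            verdict[c] = "in subnet but before the pool"
    return verdict


if __name__ == "__main__":
    pool = last_usable("10.1.4.0/23", 100)
    print("pool:", pool[0], "-", pool[-1])
    options = ["10.1.4.254", "10.1.255.200", "10.1.5.200", "10.1.4.156"]
    for addr, why in leaseable("10.1.4.0/23", 100, options).items():
        print(addr, why)
```

The /23 spans 10.1.4.0 through 10.1.5.255, so the pool is 10.1.5.155 to 10.1.5.254: 10.1.4.254 and 10.1.4.156 are valid hosts in the subnet but too low, and 10.1.255.200 is not in the subnet at all.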

QUESTION 32
Your company was hired by a small healthcare provider to perform a technical assessment on the network.
What is the best approach for discovering vulnerabilities on a Windows-based computer?

A. Create a disk image of a clean Windows installation
B. Use the built-in Windows Update tool
C. Use a scan tool like Nessus
D. Check MITRE.org for the latest list of CVE findings

Correct Answer: C

QUESTION 33
You are analyzing traffic on the network with Wireshark. You want to routinely run a cron job which will run the
capture against a specific set of IPs (192.168.8.0/24). What command would you use?

A. tshark -net 192.255.255.255 mask 192.168.8.0
B. wireshark --capture --local --masked 192.168.8.0 --range 24
C. sudo tshark -f "net 192.168.8.0/24"
D. wireshark --fetch "192.168.8/*"

Correct Answer: C (tshark is the command-line counterpart of Wireshark and -f takes a BPF capture filter; the
switches in A, B and D do not exist)

QUESTION 34
Initiating an attack against targeted business and organizations, threat actors compromise a carefully selected
website by inserting an exploit resulting in malware infection. The attackers run exploits on well-known and
trusted sites likely to be visited by their targeted victims. Aside from carefully choosing sites to compromise,
these attacks are known to incorporate zero-day exploits that target unpatched vulnerabilities. Thus, the
targeted entities are left with little or no defense against these exploits. What type of attack is outlined in the
scenario?

A. Heartbeat Attack
B. Spear Phishing Attack
C. Shellshock Attack
D. Watering Hole Attack

Correct Answer: D

QUESTION 35
What kind of detection technique is used in antivirus software that identifies malware by collecting data
from multiple protected systems and, instead of analyzing files locally, performs the analysis in the provider’s environment?

A. Behavioral based
B. Heuristics based
C. Honeypot based
D. Cloud based

Correct Answer: D

QUESTION 36
Which of these options is the most secure procedure for storing backup tapes?

A. In a climate controlled facility offsite
B. In a cool dry environment
C. On a different floor in the same building
D. Inside the data center for faster retrieval in a fireproof safe

Correct Answer: A

QUESTION 37
Which security strategy requires using several, varying methods to protect IT systems against attacks?

A. Defense in depth
B. Covert channels
C. Exponential backoff algorithm
D. Three-way handshake

Correct Answer: A

QUESTION 38
Which utility will tell you in real time which ports are listening or in another state?

A. Netstat
B. Loki
C. Nmap
D. TCPView

Correct Answer: D

QUESTION 39
Which of the following statements regarding ethical hacking is incorrect?

A. An organization should use ethical hackers who do not sell vendor hardware/software or other consulting
services
B. Ethical hackers should never use tools or methods that have the potential of exploiting vulnerabilities in an
organization’s systems
C. Ethical hacking should not involve writing to or modifying the target systems.
D. Testing should be remotely performed offsite.

Correct Answer: B

QUESTION 40
A common cryptographical tool is the use of XOR. XOR the following binary values: 10110001 00111010

A. 10011101
B. 10001011
C. 10111100
D. 11011000

Correct Answer: B

QUESTION 41
Why are containers less secure than virtual machines?

A. The host OS of a container has a larger attack surface.
B. Containers are attached to the same virtual network.
C. Containers may fill up the disk space of the host.
D. A compromised container may cause CPU starvation of the host.

Correct Answer: D

QUESTION 42
Which of the following is a component of a risk assessment?

A. Administrative safeguards
B. Physical security
C. Logical interface
D. DMZ

Correct Answer: A

QUESTION 43
Which of the following is the structure designed to verify and authenticate the identity of individuals within the
enterprise taking part in a data exchange?

A. PKI
B. SOA
C. biometrics
D. single sign on

Correct Answer: A

QUESTION 44
You are monitoring the network of your organization. You notice that:

1. There are huge outbound connections from your internal network to external IPs
2. On further investigation, you see that the external IPs are blacklisted
3. Some connections are accepted, and some are dropped
4. You find that it is C&C (command-and-control) communication

Which of the following solutions will you suggest?

A. Block the blacklisted IPs at the firewall
B. Update the latest signatures on your IDS/IPS
C. Clean the malware which is trying to communicate with the external blacklisted IPs
D. Block the blacklisted IPs at the firewall as well as clean the malware which is trying to communicate with the
external blacklisted IPs.

Correct Answer: D

QUESTION 45
Peter is surfing the internet looking for information about DX Company. Which hacking process is Peter doing?

A. Scanning
B. Footprinting
C. Enumeration
D. System Hacking

Correct Answer: B

QUESTION 46
Jim’s company regularly performs backups of their critical servers. But the company cannot afford to send
backup tapes to an off-site vendor for long-term storage and archiving. Instead, Jim’s company keeps the
backup tapes in a safe in the office. Jim’s company is audited each year, and the results from this year’s audit
show a risk because backup tapes are not stored off-site. The Manager of Information Technology has a plan
to take the backup tapes home with him and wants to know what two things he can do to secure the backup
tapes while in transit?

A. Encrypt the backup tapes and transport them in a lock box.
B. Degauss the backup tapes and transport them in a lock box.
C. Hash the backup tapes and transport them in a lock box.
D. Encrypt the backup tapes and use a courier to transport them.

Correct Answer: A

QUESTION 47
A company’s policy requires employees to perform file transfers using protocols which encrypt traffic. You
suspect some employees are still performing file transfers using unencrypted protocols because the employees
do not like changes. You have positioned a network sniffer to capture traffic from the laptops used by
employees in the data ingest department. Using Wireshark to examine the captured traffic, which command
can be used as display filter to find unencrypted file transfers?

A. tcp.port == 21
B. tcp.port == 23
C. tcp.port == 21 || tcp.port == 22
D. tcp.port != 21

Correct Answer: A

QUESTION 48
What is the known plaintext attack used against DES which gives the result that encrypting plaintext with one
DES key followed by encrypting it with a second DES key is no more secure than using a single key?

A. Man-in-the-middle attack
B. Meet-in-the-middle attack
C. Replay attack
D. Traffic analysis attack

Correct Answer: B
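
Question 48's meet-in-the-middle attack is the reason double DES was never adopted. This added example (not from the exam) reproduces the attack on a deliberately tiny 16-bit toy block cipher, invented for this page and not secure, so that the full key space can be searched in seconds: double encryption under two 16-bit keys has a nominal 2^32 key space, but tabulating E_k1(P) for every k1 and then looking up D_k2(C) for every k2 recovers the key pair in about 2·2^16 cipher operations plus a table of 2^16 entries. Extra known-plaintext pairs filter out chance matches.

```python
"""Meet-in-the-middle against double encryption with a toy 16-bit block cipher.

Added example for this page. The cipher below is invented for the demonstration and is not secure;
it exists so that both 16-bit keys of a double encryption can be recovered in seconds with about
2*2**16 cipher operations instead of the 2**32 a naive brute force of the key pair would need.
"""
MASK = 0xFFFF
ROUNDS = 4
ROUND_CONST = 0x9E37


def _rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def _rotr(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK


def toy_encrypt(block, key):
    """4 rounds of key-xor, rotate-left-3, add-constant on a 16-bit block with a 16-bit key."""
    x = block & MASK
    for r in range(ROUNDS):
        x = (_rotl(x ^ key, 3) + ROUND_CONST + r) & MASK
    return x


def toy_decrypt(block, key):
    """Exact inverse of toy_encrypt: undo the rounds in reverse order."""
    x = block & MASK
    for r in reversed(range(ROUNDS)):
        x = _rotr((x - ROUND_CONST - r) & MASK, 3) ^ key
    return x


def double_encrypt(block, k1, k2):
    """E_k2(E_k1(P)): what 'encrypt twice with two keys' proposes for a bigger key space."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.

    Phase 1: tabulate E_k1(P0) for every k1 (2**16 encryptions).
    Phase 2: for every k2 compute D_k2(C0) and look it up (2**16 decryptions).
    Every match is a candidate key pair; the remaining pairs weed out chance matches.
    """
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(p0, k1), []).append(k1)
    for k2 in range(1 << 16):
        mid = toy_decrypt(c0, k2)
        for k1 in table.get(mid, ()):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                return k1, k2
    return None


if __name__ == "__main__":
    K1, K2 = 0x1234, 0xBEEF
    pairs = [(p, double_encrypt(p, K1, K2)) for p in (0x0000, 0x5A5A, 0xFFFF)]
    print("recovered:", tuple(hex(k) for k in meet_in_the_middle(pairs)))
```

Double DES has the same shape: two 56-bit keys give a nominal 112-bit key, but the attack costs about 2^57 DES operations and a 2^56-entry table, so the effective strength is barely above single DES. That is why the industry moved to triple DES (EDE), whose meet-in-the-middle cost is about 2^112.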

QUESTION 49
Sam is working as a pen-tester in an organization in Houston. He performs penetration testing on an IDS in order
to find the different ways an attacker uses to evade the IDS. Sam sends a large number of packets that cause the target
IDS to generate alerts, which enables Sam to hide the real traffic. What type of method is Sam using to evade the
IDS?

A. Denial-of-Service
B. Obfuscating
C. Insertion Attack
D. False Positive Generation

Correct Answer: D

QUESTION 50
Which of the following tools performs comprehensive tests against web servers, including dangerous files and
CGIs?

A. Dsniff
B. John the Ripper
C. Snort
D. Nikto

Correct Answer: D

QUESTION 51
Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small sized packets
to the target computer, making it very difficult for an IDS to detect the attack signatures. Which tool can be used
to perform session splicing attacks?

A. tcpsplice
B. Burp
C. Hydra
D. Whisker

Correct Answer: D

QUESTION 52
DHCP snooping is a great solution to prevent rogue DHCP servers on your network. Which security feature on
switches leverages the DHCP snooping database to help prevent man-in-the-middle attacks?

A. Spanning tree
B. Dynamic ARP Inspection (DAI)
C. Port security
D. Layer 2 Attack Prevention Protocol (LAPP)

Correct Answer: B

QUESTION 53
Email is transmitted across the Internet using the Simple Mail Transfer Protocol. SMTP does not encrypt
email, leaving the information in the message vulnerable to being read by an unauthorized person. SMTP can
upgrade a connection between two mail servers to use TLS. Email transmitted by SMTP over TLS is encrypted.
What is the name of the command used by SMTP to transmit email over TLS?

A. OPPORTUNISTICTLS
B. UPGRADETLS
C. FORCETLS
D. STARTTLS

Correct Answer: D

QUESTION 54
Hackers often raise the trust level of a phishing message by modeling the email to look similar to the internal
email used by the target company. This includes using logos, formatting, and names of the target company.
The phishing message will often use the name of the company CEO, President, or Managers. The time a
hacker spends performing research to locate this information about a company is known as?

A. Exploration
B. Investigation
C. Reconnaissance
D. Enumeration

Correct Answer: C

QUESTION 55
Your business has decided to add credit card numbers to the data it backs up to tape. Which of the following
represents the best practice your business should observe?

A. Do not back up either the credit card numbers or their hashes.
B. Encrypt backup tapes that are sent off-site.
C. Back up the hashes of the credit card numbers not the actual credit card numbers.
D. Hire a security consultant to provide direction.

Correct Answer: D

QUESTION 56
When you are getting information about a web server, it is very important to know the HTTP methods (GET,
POST, HEAD, PUT, DELETE, TRACE) that are available because there are two critical methods (PUT and
DELETE). PUT can upload a file to the server and DELETE can delete a file from the server. You can detect all
these methods (GET, POST, HEAD, DELETE, TRACE) using the Nmap Scripting Engine. What Nmap script will help
you with this task?

A. http-methods
B. http-enum
C. http-headers
D. http-git

Correct Answer: A

QUESTION 57
Suppose your company has just passed a security risk assessment exercise. The results display that the risk of
the breach in the main company application is 50%. Security staff has taken some measures and implemented
the necessary controls. After that, another security risk assessment was performed showing that risk has
decreased to 10%. The risk threshold for the application is 20%. Which of the following risk decisions will be the
best for the project in terms of its successful continuation with the most business profit?

A. Accept the risk
B. Introduce more controls to bring risk to 0%
C. Mitigate the risk
D. Avoid the risk

Correct Answer: A

QUESTION 58
Which of the following Linux commands will resolve a domain name into IP address?

A. host -t a hackeddomain.com
B. host -t ns hackeddomain.com
C. host -t soa hackeddomain.com
D. host -t AXFR hackeddomain.com

Correct Answer: A

QUESTION 59
Which of the following is a command line packet analyzer similar to GUI-based Wireshark?

A. Nessus
B. John the Ripper
C. Tcpdump
D. Ethereal

Correct Answer: C

QUESTION 60
User A is writing a sensitive email message to user B outside the local network. User A has chosen to use PKI
to secure his message and ensure only user B can read the sensitive email. At what layer of the OSI layer does
the encryption and decryption of the message take place?

A. Application
B. Transport
C. Session
D. Presentation

Correct Answer: D

QUESTION 61
Which of the following steps for risk assessment methodology refers to vulnerability identification?

A. Assigns values to risk probabilities; Impact values
B. Determines risk probability that vulnerability will be exploited (High, Medium, Low)
C. Identifies sources of harm to an IT system (Natural, Human, Environmental)
D. Determines if any flaws exist in systems, policies, or procedures

Correct Answer: D

QUESTION 62
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of
packets sent to a Web server in the network’s external DMZ. The packet traffic was captured by the IDS and
saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely
malicious or simply a false positive?

A. Protocol analyzer
B. Network sniffer
C. Intrusion Prevention System (IPS)
D. Vulnerability scanner

Correct Answer: A

QUESTION 63
CompanyXYZ has asked you to assess the security of their perimeter email gateway. From your office in New
York, you craft a specially formatted email message and send it across the Internet to an employee of
CompanyXYZ. The employee of CompanyXYZ is aware of your test. Your email message looks like this:

From: [email protected]
To: [email protected]
Subject: Test message
Date: 4/3/2017 14:37
The employee of CompanyXYZ receives your email message.

This proves that CompanyXYZ’s email gateway doesn’t prevent what?

A. Email Masquerading
B. Email Harvesting
C. Email Phishing
D. Email Spoofing

Correct Answer: D

QUESTION 64
Although FTP traffic is not encrypted by default, which layer 3 protocol would allow for end-to-end encryption of
the connection?

A. IPsec
B. SFTP
C. FTPS
D. SSL

Correct Answer: A

QUESTION 65
What is one of the advantages of using both symmetric and asymmetric cryptography in SSL/TLS?

A. Supporting both types of algorithms allows less-powerful devices such as mobile phones to use symmetric
encryption instead.
B. Symmetric algorithms such as AES provide a failsafe when asymmetric methods fail.
C. Symmetric encryption allows the server to securely transmit the session keys out-of-band.
D. Asymmetric cryptography is computationally expensive in comparison. However, it is well-suited to securely
negotiate keys for use with symmetric cryptography.

Correct Answer: D

QUESTION 66
In the field of cryptanalysis, what is meant by a “rubber-hose” attack?

A. Forcing the targeted keystream through a hardware-accelerated device such as an ASIC.
B. A backdoor placed into a cryptographic algorithm by its creator.
C. Extraction of cryptographic secrets through coercion or torture.
D. Attempting to decrypt ciphertext by making logical assumptions about the contents of the original plaintext.

Correct Answer: C

QUESTION 67
You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has Snort
installed, and the second machine (192.168.0.150) has Kiwi Syslog installed. You perform a SYN scan in your
network, and you notice that Kiwi Syslog is not receiving the alert messages from Snort. You decide to run
Wireshark on the Snort machine to check if the messages are going to the Kiwi Syslog machine. What Wireshark
filter will show the connections from the Snort machine to the Kiwi Syslog machine?

A. tcp.srcport == 514 && ip.src == 192.168.0.99
B. tcp.srcport == 514 && ip.src == 192.168.0.150
C. tcp.dstport == 514 && ip.dst == 192.168.0.99
D. tcp.dstport == 514 && ip.dst == 192.168.0.150

Correct Answer: D

QUESTION 68
Which of the following tools can be used for passive OS fingerprinting?

A. tcpdump
B. nmap
C. ping
D. tracert

Correct Answer: A

QUESTION 69
Why is a penetration test considered to be more thorough than vulnerability scan?

A. Vulnerability scans only do host discovery and port scanning by default.
B. A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a vulnerability scan
does not typically involve active exploitation.
C. It is not – a penetration test is often performed by an automated tool, while a vulnerability scan requires
active engagement.
D. The tools used by penetration testers tend to have much more comprehensive vulnerability databases.

Correct Answer: B

QUESTION 70
Which of the following tools is used to detect wireless LANs using the 802.11 a/b/g/n WLAN standards on a
linux platform?

A. Kismet
B. Netstumbler
C. Nessus
D. Abel

Correct Answer: A

QUESTION 71
Which of the following tools is used to analyze the files produced by several packet-capture programs such as
tcpdump, WinDump, Wireshark, and EtherPeek?

A. tcptrace
B. Nessus
C. OpenVAS
D. tcptraceroute

Correct Answer: A

QUESTION 72
To reach a bank web site, the traffic from workstations must pass through a firewall. You have been asked to
review the firewall configuration to ensure that workstations in network 10.10.10.0/24 can only reach the bank
web site 10.20.20.1 using https. Which of the following firewall rules meets this requirement?

A. If (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 443) then permit
B. If (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 80 or 443) then
permit
C. If (source matches 10.20.20.1 and destination matches 10.10.10.0/24 and port matches 443) then permit
D. If (source matches 10.10.10.0 and destination matches 10.20.20.1 and port matches 443) then permit

Correct Answer: A

QUESTION 73
What is the minimum number of network connections in a multihomed firewall?

A. 3
B. 2
C. 5
D. 4

Correct Answer: B

QUESTION 74
Which of the following is an extremely common IDS evasion technique in the web world?

A. Unicode Characters
B. Subnetting
C. Port Knocking
D. Spyware

Correct Answer: A

QUESTION 75
An unauthorized individual enters a building following an employee through the employee entrance after the
lunch rush. What type of breach has the individual just performed?

A. Reverse Social Engineering
B. Tailgating
C. Piggybacking
D. Announced

Correct Answer: B

QUESTION 76
Which of the following is the best countermeasure to encrypting ransomware?

A. Use multiple antivirus products
B. Keep several generations of offline backups
C. Analyze the ransomware to get the decryption key for the encrypted data
D. Pay the ransom

Correct Answer: B

QUESTION 77
If an attacker uses the command SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --'; which
type of SQL injection attack is the attacker performing?

A. End of Line Comment
B. UNION SQL Injection
C. Illegal/Logically Incorrect Query
D. Tautology

Correct Answer: A (the -- sequence comments out whatever the application appends after the injected value; a
tautology would instead inject an always-true condition such as OR 1=1)
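
The query in Question 77 comes from concatenating an attacker-controlled value into a SQL string: the application intended to check a password after the name, and the injected --' turns everything after it into a comment. This added example (not part of the original exam) builds that query against an in-memory SQLite database, shows the login succeeding without a password on the vulnerable path, and shows the same payload failing against a parameterised query. The table contents, including the service account named x with a NULL userid, are constructed for the demonstration.

```python
"""The end-of-line-comment injection from the question, shown live against SQLite.

Added example for this page. The table and the service account 'x' with a NULL userid are
constructed so the injected condition matches a row; the vulnerable login builds SQL by string
formatting, the safe one binds parameters.
"""
import sqlite3

# What the attacker types into the username field. The application then appends
# " AND password = '...'", which the -- turns into a comment.
PAYLOAD = "x' AND userid IS NULL; --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, userid INTEGER, password TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [("alice", 1, "correct horse battery"), ("x", None, "svc-p@ss")],
    )
    return conn


def build_vulnerable_query(name, password):
    """String-concatenated SQL: the bug. With PAYLOAD it yields the query from the question."""
    return "SELECT * FROM user WHERE name = '%s' AND password = '%s'" % (name, password)


def login_vulnerable(conn, name, password):
    """Returns the names matched; with PAYLOAD the password check is commented away."""
    return [row[0] for row in conn.execute(build_vulnerable_query(name, password))]


def login_safe(conn, name, password):
    """Parameter binding: the payload is compared as a literal name and matches nothing."""
    rows = conn.execute("SELECT * FROM user WHERE name = ? AND password = ?", (name, password))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD, "anything"))
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))
    print("safe:      ", login_safe(db, PAYLOAD, "anything"))
```

The vulnerable path returns the service account without knowing its password because the database only ever sees `SELECT * FROM user WHERE name = 'x' AND userid IS NULL;` and treats the rest as a comment. Parameter binding keeps the payload inside the string literal, which is the fix regardless of how the attacker phrases the injection.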

QUESTION 78
Sophia travels a lot and worries that her laptop containing confidential documents might be stolen. What is the
best protection that will work for her?

A. Full Disk encryption
B. BIOS password
C. Hidden folders
D. Password protected files

Correct Answer: A

QUESTION 79
An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to
"www.MyPersonalBank.com", that the user is directed to a phishing site.

Which file does the attacker need to modify?

A. Boot.ini
B. Sudoers
C. Networks
D. Hosts

Correct Answer: D

QUESTION 80
Which of the following options represents a conceptual characteristic of an anomaly-based IDS over a
signature-based IDS?

A. Produces fewer false positives
B. Can identify unknown attacks
C. Requires vendor updates for a new threat
D. Cannot deal with encrypted network traffic

Correct Answer: B

QUESTION 81
You are logged in as a local admin on a Windows 7 system and you need to launch the Computer Management
Console from command line.

Which command would you use?

A. c:\gpedit
B. c:\compmgmt.msc
C. c:\ncpa.cpl
D. c:\services.msc

Correct Answer: B

QUESTION 82
Which of the following acts requires employers to use standard national numbers to identify them on standard
transactions?

A. SOX
B. HIPAA
C. DMCA
D. PCI-DSS

Correct Answer: B

QUESTION 83
In Wireshark, the packet bytes pane shows the data of the current packet in which format?

A. Decimal
B. ASCII only
C. Binary
D. Hexadecimal

Correct Answer: D

QUESTION 84
_________ is a set of extensions to DNS that provide to DNS clients (resolvers) the origin authentication of
DNS data to reduce the threat of DNS poisoning, spoofing, and similar types of attacks.

A. DNSSEC
B. Resource records
C. Resource transfer
D. Zone transfer

Correct Answer: A

QUESTION 85
PGP, SSL, and IKE are all examples of which type of cryptography?

A. Hash Algorithm
B. Digest
C. Secret Key
D. Public Key

Correct Answer: D

QUESTION 86
Which of the following is considered as one of the most reliable forms of TCP scanning?

A. TCP Connect/Full Open Scan
B. Half-open Scan
C. NULL Scan
D. Xmas Scan

Correct Answer: A

QUESTION 87
Which of the following scanning methods splits the TCP header into several packets and makes it difficult for
packet filters to detect the purpose of the packet?

A. ICMP Echo scanning
B. SYN/FIN scanning using IP fragments
C. ACK flag probe scanning
D. IPID scanning

Correct Answer: B

QUESTION 88
Which of the following is the BEST way to defend against network sniffing?

A. Restrict Physical Access to Server Rooms hosting Critical Servers
B. Use Static IP Address
C. Using encryption protocols to secure network communications
D. Register all machines' MAC Addresses in a Centralized Database

Correct Answer: C

QUESTION 89
You have successfully gained access to a Linux server and would like to ensure that subsequent outgoing
traffic from this server will not be caught by Network-Based Intrusion Detection Systems (NIDS).

What is the best way to evade the NIDS?

A. Out of band signaling
B. Protocol Isolation
C. Encryption
D. Alternate Data Streams

Correct Answer: C

QUESTION 90
What is the purpose of a demilitarized zone on a network?

A. To scan all traffic coming through the DMZ to the internal network
B. To only provide direct access to the nodes within the DMZ and protect the network behind it
C. To provide a place to put the honeypot
D. To contain the network devices you wish to protect

Correct Answer: B

QUESTION 91
You need to deploy a new web-based software package for your organization. The package requires three
separate servers and needs to be available on the Internet. What is the recommended architecture in terms of
server placement?

A. All three servers need to be placed internally
B. A web server facing the Internet, an application server on the internal network, a database server on the
internal network
C. A web server and the database server facing the Internet, an application server on the internal network
D. All three servers need to face the Internet so that they can communicate between themselves

Correct Answer: B

QUESTION 92
The security administrator of ABC needs to permit Internet traffic to the host 10.0.0.2 and UDP traffic to the host
10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he
applied his ACL configuration on the router, nobody can access FTP, and the permitted hosts cannot
access the Internet. According to the following configuration, what is happening in the network?

A. The ACL 104 needs to be first because it is UDP
B. The ACL 110 needs to be changed to port 80
C. The ACL for FTP must be before the ACL 110
D. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router

Correct Answer: D

QUESTION 93
When conducting a penetration test, it is crucial to use all means to get all available information about the target
network. One of the ways to do that is by sniffing the network. Which of the following cannot be performed by
passive network sniffing?

A. Identifying operating systems, services, protocols and devices
B. Modifying and replaying captured network traffic
C. Collecting unencrypted information about usernames and passwords
D. Capturing network traffic for further analysis

Correct Answer: B

QUESTION 94
A company's Web development team has become aware of a certain type of security vulnerability in their Web
software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software
requirements to disallow users from entering HTML as input into their Web application.

What kind of Web application vulnerability likely exists in their software?

A. Cross-site scripting vulnerability
B. Web site defacement vulnerability
C. SQL injection vulnerability
D. Cross-site Request Forgery vulnerability

Correct Answer: A

QUESTION 95
Insecure direct object reference is a type of vulnerability where the application does not verify if the user is
authorized to access the internal object via its name or key.
Suppose a malicious user Rob tries to get access to the account of a benign user Ned.
Which of the following requests best illustrates an attempt to exploit an insecure direct object reference
vulnerability?

A. "GET /restricted/goldtransfer?to=Rob&from=1 or 1=1' HTTP/1.1 Host: westbank.com"
B. "GET /restricted/accounts/?name=Ned HTTP/1.1 Host: westbank.com"
C. "GET /restricted/bank.getaccount('Ned') HTTP/1.1 Host: westbank.com"
D. "GET /restricted/\r\n\%00account%00Ned%00access HTTP/1.1 Host: westbank.com"

Correct Answer: B

QUESTION 96
Which tool allows analysts and pen testers to examine links between data using graphs and link analysis?

A. Metasploit
B. Cain & Abel
C. Maltego
D. Wireshark

Correct Answer: C

QUESTION 97
Which of these is capable of searching for and locating rogue access points?

A. HIDS
B. NIDS
C. WISS
D. WIPS

Correct Answer: D

QUESTION 98
A hacker is an intelligent individual with excellent computer skills and the ability to explore a computer’s
software and hardware without the owner’s permission. Their intention can either be to simply gain knowledge
or to illegally make changes.
Which of the following classes of hacker refers to an individual who works both offensively and defensively at
various times?

A. White Hat
B. Suicide Hacker
C. Gray Hat
D. Black Hat

Correct Answer: C

QUESTION 99
Websites and web portals that provide web services commonly use the Simple Object Access Protocol
(SOAP). Which of the following is an incorrect definition or characteristic of the protocol?

A. Based on XML
B. Only compatible with the application protocol HTTP
C. Exchanges data between web services
D. Provides a structured model for messaging

Correct Answer: B

QUESTION 100
You have gained physical access to a Windows 2008 R2 server which has an accessible disc drive. When you
attempt to boot the server and log in, you are unable to guess the password. In your toolkit, you have an Ubuntu
9.10 Linux LiveCD. Which Linux-based tool can change any user’s password or activate disabled Windows
accounts?

A. John the Ripper
B. SET
C. CHNTPW
D. Cain & Abel

Correct Answer: C

QUESTION 101
What type of analysis is performed when an attacker has partial knowledge of the inner workings of the
application?

A. Black-box
B. Announced
C. White-box
D. Grey-box

Correct Answer: D

QUESTION 102
Which regulation defines security and privacy controls for Federal information systems and organizations?

A. HIPAA
B. EU Safe Harbor
C. PCI-DSS
D. NIST-800-53

Correct Answer: D

QUESTION 103
You want to do an ICMP scan on a remote computer using hping2. What is the proper syntax?

A. hping2 -1 host.domain.com
B. hping2 -i host.domain.com
C. hping2 --set-ICMP host.domain.com
D. hping2 host.domain.com

Correct Answer: A

QUESTION 104
If executives are found liable for not properly protecting their company’s assets and information systems, what
type of law would apply in this situation?

A. Common
B. Criminal
C. Civil
D. International

Correct Answer: C

QUESTION 105
The company ABC recently hired a new accountant. The accountant will be working with the financial
statements. Those financial statements need to be approved by the CFO and then they will be sent to the
accountant, but the CFO is worried because he wants to be sure that the information sent to the accountant was
not modified once he approved it. Which of the following options can be useful to ensure the integrity of the
data?

A. The CFO can use a hash algorithm on the document once he has approved the financial statements
B. The CFO can use an Excel file with a password
C. The financial statements can be sent twice, one by email and the other delivered on USB, and the accountant
can compare both to be sure it is the same document
D. The document can be sent to the accountant using an exclusive USB for that document

Correct Answer: A

QUESTION 106
What is the technique for determining how a packet will move from an untrusted outside host to a protected inside
host behind a firewall, which permits the hacker to determine which ports are open and whether packets can pass
through the packet filtering of the firewall?

A. Session hijacking
B. Firewalking
C. Man-in-the-middle attack
D. Network sniffing

Correct Answer: B

QUESTION 107
What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes the
received response?

A. Passive
B. Active
C. Reflective
D. Distributive

Correct Answer: B

QUESTION 108
Firewalk has just completed the second phase (the scanning phase) and a technician receives the output
shown below. What conclusions can be drawn based on these scan results?

TCP port 21 – no response
TCP port 22 – no response
TCP port 23 – Time-to-live exceeded

A. The scan on port 23 was able to make a connection to the destination host prompting the firewall to respond
with a TTL error
B. The lack of response from ports 21 and 22 indicate that those services are not running on the destination
server
C. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the
firewall
D. The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target host

Correct Answer: C

QUESTION 109
A computer science student needs to fill some information into a secured Adobe PDF job application that was
received from a prospective employer. Instead of requesting a new document that allowed the forms to be
completed, the student decides to write a script that pulls passwords from a list of commonly used passwords
to try against the secured PDF until the correct password is found or the list is exhausted. Which cryptography
attack is the student attempting?

A. Man-in-the-middle attack
B. Session hijacking
C. Brute-force attack
D. Dictionary attack

Correct Answer: D

QUESTION 110
A penetration tester is conducting a port scan on a specific host. The tester found several open ports that
made it confusing to conclude which Operating System (OS) version is installed. Considering the NMAP result
below, which of the following is the target machine likely to be?

Starting NMAP 5.21 at 2011-03-15 11:06
NMAP scan report for 172.16.40.65
Host is up (1.00s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
515/tcp open
631/tcp open ipp
9100/tcp open
MAC Address: 00:00:48:0D:EE:8

A. The host is likely a Linux machine.
B. The host is likely a printer.
C. The host is likely a router.
D. The host is likely a Windows machine.

Correct Answer: B

QUESTION 111
Bob received this text message on his mobile phone: “Hello, this is Scott Smelby from the Yahoo Bank. Kindly
contact me for a vital transaction on: [email protected]”. Which statement below is true?

A. This is a scam, as anybody can get a @yahoo address, not only Yahoo customer service employees.
B. This is a scam because Bob does not know Scott.
C. Bob should write to [email protected] to verify the identity of Scott.
D. This is probably a legitimate message as it comes from a respectable organization.

Correct Answer: A

QUESTION 112
When purchasing a biometric system, one of the considerations that should be reviewed is the processing
speed. Which of the following best describes what is meant by processing speed?

A. The amount of time and resources that are necessary to maintain a biometric system
B. How long it takes to setup individual user accounts
C. The amount of time it takes to be either accepted or rejected from when an individual provides identification
and authentication information
D. The amount of time it takes to convert biometric data into a template on a smart card

Correct Answer: C

QUESTION 113
An attacker changes the profile information of a particular user (victim) on the target website. The attacker uses
this string to update the victim's profile, writing it to a text file and then submitting the data to the attacker's database.

<iframe src="http://www.vulnweb.com/updateif.php" style="display:none"></iframe>

What is this type of attack (that can use either HTTP GET or HTTP POST) called?

A. Cross-Site Request Forgery
B. SQL Injection
C. Browser Hacking
D. Cross-Site Scripting

Correct Answer: A

QUESTION 114
An attacker with access to the inside network of a small company launches a successful STP manipulation
attack. What will he do next?

A. He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer.
B. He will activate OSPF on the spoofed root bridge.
C. He will repeat this action so that it escalates to a DoS attack.
D. He will repeat the same attack against all L2 switches of the network.

Correct Answer: A

QUESTION 115
Which access control mechanism allows for multiple systems to use a central authentication server (CAS) that
permits users to authenticate once and gain access to multiple systems?

A. Single sign-on
B. Windows authentication
C. Role Based Access Control (RBAC)
D. Discretionary Access Control (DAC)

Correct Answer: A

QUESTION 116
Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the
chosen service call interrupts while they are being run?

A. Stealth virus
B. Tunneling virus
C. Cavity virus
D. Polymorphic virus

Correct Answer: A

QUESTION 117
If there is an Intrusion Detection System (IDS) on the intranet, which port scanning technique cannot be used?

A. Spoof Scan
B. TCP SYN
C. TCP Connect scan
D. Idle scan

Correct Answer: B

QUESTION 118
There are several ways to gain insight into how a cryptosystem works with the goal of reverse engineering the
process. What is the term that describes when two different pieces of data result in the same value?

A. Polymorphism
B. Escrow
C. Collusion
D. Collision

Correct Answer: D

QUESTION 119
A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much
information can be obtained from the firm's public facing web servers. The engineer decides to start by using
netcat to connect to port 80.
The engineer receives this output:

HTTP/1.1 200 OK
Server: Microsoft-IIS/6
Expires: Tue, 17 Jan 2011 01:41:33 GMT
Date: Mon, 16 Jan 2011 01:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369

Which of the following is an example of what the engineer performed?

A. Cross-site scripting
B. Banner grabbing
C. SQL injection
D. Whois database query

Correct Answer: B

QUESTION 120
A large company intends to use Blackberry for corporate mobile phones and a security analyst is assigned to
evaluate the possible threats. The analyst will use the Blackjacking attack method to demonstrate how an
attacker could circumvent perimeter defenses and gain access to the corporate network. What tool should the analyst
use to perform a Blackjacking attack?

A. Paros Proxy
B. BBProxy
C. Bloover
D. BBCrack

Correct Answer: B

QUESTION 121
What attack is used to crack passwords by using a precomputed table of hashed passwords?

A. Brute Force Attack
B. Rainbow Table Attack
C. Dictionary Attack
D. Hybrid Attack

Correct Answer: B

QUESTION 122
The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the
Central Processing Unit (CPU), rather than passing only the frames that the controller is intended to receive.
Which of the following is being described?

A. Multi-cast mode
B. Promiscuous mode
C. WEM
D. Port forwarding

Correct Answer: B

QUESTION 123
A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of
the files is a tarball, two are shell script files, and another is a binary file named "nc." The FTP server's
access logs show that the anonymous user account logged in to the server, uploaded the files, extracted
the contents of the tarball, and ran the script using a function provided by the FTP server's software. The "ps"
command shows that the "nc" file is running as a process, and the netstat command shows the "nc" process is
listening on a network port.

What kind of vulnerability must be present to make this remote attack possible?

A. File system permissions
B. Privilege escalation
C. Directory traversal
D. Brute force login

Correct Answer: A

QUESTION 124
When you are testing a web application, it is very useful to employ a proxy tool to save every request and
response. You can manually test every request and analyze the response to find vulnerabilities. You can test
parameters and headers manually to get more precise results than if using web vulnerability scanners. What
proxy tool will help you find web vulnerabilities?

A. Burpsuite
B. Maskgen
C. Dimitry
D. Proxychains

Correct Answer: A

QUESTION 125
By using a smart card and a PIN, you are using a two-factor authentication that satisfies

A. Something you know and something you are
B. Something you have and something you know
C. Something you have and something you are
D. Something you are and something you remember

Correct Answer: B
