getcertified4sure.com

312-50 Exam

What Certified 312-50 Practice Question Is




Exam Code: 312-50 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: Ethical Hacking and Countermeasures (CEHv6)
Certification Provider: EC-Council

NEW QUESTION 1

"Testing the network using the same methodologies and tools employed by attackers." Identify the correct terminology that defines the above statement.

  • A. Vulnerability Scanning
  • B. Penetration Testing
  • C. Security Policy Implementation
  • D. Designing Network Security

Answer: B

NEW QUESTION 2

Which of the following tools are used for footprinting? (Choose four.)

  • A. Sam Spade
  • B. NSLookup
  • C. Traceroute
  • D. Neotrace
  • E. Cheops

Answer: ABCD

Explanation:
All of the tools listed are used for footprinting except Cheops.

NEW QUESTION 3

Which of the following countermeasures can specifically protect against both the MAC Flood and MAC Spoofing attacks?

  • A. Port Security
  • B. Switch Mapping
  • C. Port Reconfiguring
  • D. Multiple Recognition

Answer: A

Explanation:
With Port Security, the switch keeps track of which MAC addresses are allowed to send traffic on a port.

NEW QUESTION 4

You have chosen a 22 character word from the dictionary as your password. How long will it take an attacker to crack the password?

  • A. 5 minutes
  • B. 23 days
  • C. 200 years
  • D. 16 million years

Answer: A

Explanation:
A dictionary password cracker simply takes a list of dictionary words, and one at a time encrypts them to see if they encrypt to the one way hash from the system. If the hashes are equal, the password is considered cracked, and the word tried from the dictionary list is the password. As long as you use a word found in or similar to a word found in a dictionary the password is considered to be weak.

NEW QUESTION 5

Harold just got home from working at Henderson LLC where he works as an IT technician. He was able to get off early because they were not too busy. When he walks into his home office, he notices his teenage daughter on the computer, apparently chatting with someone online. As soon as she hears Harold enter the room, she closes all her windows and tries to act like she was playing a game. When Harold asks her what she was doing, she acts very nervous and does not give him a straight answer. Harold is very concerned because he does not want his daughter to fall victim to online predators and the sort. Harold doesn't necessarily want to install any programs that will restrict the sites his daughter goes to, because he doesn't want to alert her to his trying to figure out what she is doing. Harold wants to use some kind of program that will track her activities online, and send Harold an email of her activity once a day so he can see what she has been up to. What kind of software could Harold use to accomplish this?

  • A. Install hardware Keylogger on her computer
  • B. Install screen capturing Spyware on her computer
  • C. Enable Remote Desktop on her computer
  • D. Install VNC on her computer

Answer: B

NEW QUESTION 6

Jim’s organization has just completed a major Linux rollout and now all of the organization’s systems are running the Linux 2.5 kernel. The rollout expenses have posed constraints on purchasing other essential security equipment and software. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ.
Which built-in functionality of Linux can achieve this?

  • A. IP Tables
  • B. IP Chains
  • C. IP Sniffer
  • D. IP ICMP

Answer: A

Explanation:
iptables is a user space application program that allows a system administrator to configure the netfilter tables, chains, and rules. Because iptables requires elevated privileges to operate, it must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /sbin/iptables. IP Tables performs stateful inspection while the older IP Chains only performs stateless inspection.

NEW QUESTION 7

Ethernet switches can be adversely affected by rapidly bombarding them with spoofed ARP responses. The port-to-MAC address table (CAM table) overflows on the switch and, rather than failing completely, the switch moves into broadcast mode; the hacker can then sniff all of the packets on the network.
Which of the following tools achieves this?

  • A. ./macof
  • B. ./sniffof
  • C. ./dnsiff
  • D. ./switchsnarf

Answer: A

Explanation:
macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing).

NEW QUESTION 8

Which of the following keyloggers cannot be detected by anti-virus or anti-spyware products?

  • A. Covert keylogger
  • B. Stealth keylogger
  • C. Software keylogger
  • D. Hardware keylogger

Answer: D

Explanation:
As the hardware keylogger never interacts with the Operating System it is undetectable by anti-virus or anti-spyware products.

NEW QUESTION 9

Buffer X in an accounting application module for the company can contain 200 characters. The programmer makes an assumption that 200 characters are more than enough. Because there were no proper boundary checks being conducted, Dave decided to insert 400 characters into the 200-character buffer, which overflows the buffer. Below is the code snippet:
void func(void)
{
    int I;
    char buffer[200];
    /* Flaw under discussion: the loop writes 400 bytes into a 200-byte buffer */
    for (I = 0; I < 400; I++)
        buffer[I] = 'A';
    return;
}
How can you protect/fix the problem of your application as shown above? (Choose two)

  • A. Because the counter starts with 0, we would stop when the counter is less than 200.
  • B. Because the counter starts with 0, we would stop when the counter is more than 200.
  • C. Add a separate statement to signify that if we have written 200 characters to the buffer, the stack should stop because it cannot hold any more data.
  • D. Add a separate statement to signify that if we have written less than 200 characters to the buffer, the stack should stop because it cannot hold any more data.

Answer: AC

Explanation:
I=199 would be character number 200. The stack holds exactly 200 characters, so there is no need to stop before 200.

NEW QUESTION 10

Theresa is the chief information security officer for her company, a large shipping company based out of New York City. In the past, Theresa and her IT employees manually checked the status of client computers on the network to see if they had the most recent Microsoft updates. Now that the company has added over 100 more clients to accommodate new departments, Theresa must find some kind of tool to see whether the clients are up-to-date or not. Theresa decides to use Qfecheck to monitor all client computers. When Theresa runs the tool, she is repeatedly told that the software does not have the proper permissions to scan. Theresa is worried that the operating system hardening that she performs on all clients is keeping the software from scanning the necessary registry keys on the client computers.
What registry key permission should Theresa check to ensure that Qfecheck runs properly?

  • A. In order for Qfecheck to run properly, it must have enough permission to read
  • B. She needs to check the permissions of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates registry key
  • C. Theresa needs to look over the permissions of the registry key
  • D. The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft must be checked

Answer: B

Explanation:
Qfecheck checks the registry key HKLM\Software\Microsoft\Updates.

NEW QUESTION 11

The ViruXine.W32 virus hides its presence by changing the underlying executable code. This virus code mutates while keeping the original algorithm intact; the code changes itself each time it runs, but the function of the code (its semantics) will not change at all.
Here is a section of the virus code:
[Exhibit image not reproduced]
What is this technique called?

  • A. Polymorphic Virus
  • B. Metamorphic Virus
  • C. Dravidic Virus
  • D. Stealth Virus

Answer: A

NEW QUESTION 12

Which of the following should be performed first in any penetration test?

  • A. System identification
  • B. Intrusion Detection System testing
  • C. Passive information gathering
  • D. Firewall testing

Answer: C

NEW QUESTION 13
DRAG DROP
Drag the application to match with its correct description.
Exhibit:
[Exhibit image not reproduced]

  • A. Mastered
  • B. Not Mastered

Answer: A

Explanation:
[Exhibit image not reproduced]

NEW QUESTION 14

Jenny, a well-known hacker, is scanning the remote host 204.4.4.4 using nmap. She got the scan output, but she saw that the state of port 25 is filtered. What is the meaning of the filtered port state?

  • A. Accessible
  • B. Filtered by firewall
  • C. Closed
  • D. None of above

Answer: B

Explanation:
The state is either open, filtered, closed, or unfiltered. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.

NEW QUESTION 15

John is the network administrator of XSECURITY systems. His network was recently compromised. He analyzes the logfiles to investigate the attack.
Take a look at the following Linux logfile snippet. The hacker compromised and "owned" a Linux machine. What is the hacker trying to accomplish here?
[root@apollo /]# rm rootkit.c
[root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm - rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd 359 ? 00:00:00 inetd
rm: cannot remove `/tmp/h': No such file or directory
rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory
[root@apollo /]# ps -aux | grep portmap
[root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm - rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd
rm: cannot remove `/sbin/portmap': No such file or directory
rm: cannot remove `/tmp/h': No such file or directory
>rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory
[root@apollo /]# rm: cannot remove `/sbin/portmap': No such file or directory

  • A. The hacker is planting a rootkit
  • B. The hacker is trying to cover his tracks
  • C. The hacker is running a buffer overflow exploit to lock down the system
  • D. The hacker is attempting to compromise more machines on the network

Answer: B

Explanation:
By deleting temporary directories and emptying files like bash_history, which contains the last commands used with the bash shell, he is trying to cover his tracks.

NEW QUESTION 16

Which is the right sequence of packets sent during the initial TCP three way handshake?

  • A. FIN, FIN-ACK, ACK
  • B. SYN, URG, ACK
  • C. SYN, ACK, SYN-ACK
  • D. SYN, SYN-ACK, ACK

Answer: D

Explanation:
A TCP connection always starts with a request for synchronization, a SYN. The reply to that is another SYN together with an ACK to acknowledge that the last packet was delivered successfully, and the last part of the three-way handshake should be only an ACK to acknowledge that the SYN reply was received.

NEW QUESTION 17

Bob is conducting a password assessment for one of his clients. Bob suspects that password policies are not in place and weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weakness and key loggers. What are the means that Bob can use to get passwords from his client's hosts and servers?

  • A. Hardware, Software and Sniffing
  • B. Hardware and Software Keyloggers
  • C. Software only, they are the most effective
  • D. Passwords are always best obtained using Hardware key loggers

Answer: A

Explanation:
All loggers will work as long as he has physical access to the computers.

NEW QUESTION 18

Nathalie would like to perform a reliable scan against a remote target. She is not concerned about being stealthy at this point. Which of the following types of scans would be the most accurate and reliable?

  • A. A FIN Scan
  • B. A Half Scan
  • C. A UDP Scan
  • D. The TCP Connect Scan

Answer: D

Explanation:
The connect() system call provided by your operating system is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed, otherwise the port isn't reachable. One strong advantage to this technique is that you don't need any special privileges. This is the fastest scanning method supported by nmap, and is available with the -t (TCP) option. The big downside is that this sort of scan is easily detectable and filterable.

NEW QUESTION 19

Which of the following activities would not be considered passive footprinting?

  • A. Search on financial site such as Yahoo Financial
  • B. Perform multiple queries through a search engine
  • C. Scan the range of IP address found in their DNS database
  • D. Go through the rubbish to find out any information that might have been discarded

Answer: C

Explanation:
Passive footprinting is a method in which the attacker never makes contact with the target. Scanning the target's IP addresses can be logged at the target and therefore contact has been made.

NEW QUESTION 20

Samuel is a high school teenager who lives in Modesto, California. Samuel is a straight ‘A’ student who really likes tinkering around with computers and other types of electronic devices. Samuel just received a new laptop for his birthday and has been configuring it ever since. While tweaking the registry, Samuel notices a pop up at the bottom of his screen stating that his computer was now connected to a wireless network. All of a sudden, he was able to get online and surf the Internet.
Samuel did some quick research and was able to gain access to the wireless router he was connecting to and see all of its settings. Being able to hop onto someone else’s wireless network so easily fascinated Samuel, so he began doing more and more research on wireless technologies and how to exploit them. The next day Samuel’s friend said that he could drive around all over town and pick up hundreds of wireless networks. This really excited Samuel, so they got into his friend’s car and drove around the city seeing which networks they could connect to and which ones they could not.
What have Samuel and his friend just performed?

  • A. Wardriving
  • B. Warwalking
  • C. Warchalking
  • D. Webdriving

Answer: A

Explanation:
Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle using a Wi-Fi-equipped computer, such as a laptop or a PDA, to detect the networks. It was also known (as of 2002) as "WiLDing" (Wireless Lan Driving, although this term never gained any popularity and is no longer used), originating in the San Francisco Bay Area with the Bay Area Wireless Users Group (BAWUG). It is similar to using a scanner for radio.

NEW QUESTION 21

What are the default passwords used by SNMP? (Choose two.)

  • A. Password
  • B. SA
  • C. Private
  • D. Administrator
  • E. Public
  • F. Blank

Answer: CE

Explanation:
Besides the fact that it passes information in clear text, SNMP also uses well-known passwords. Public and private are the default passwords used by SNMP.

NEW QUESTION 22

The GET method should never be used when sensitive data such as credit card is being sent to a CGI program. This is because any GET command will appear in the URL, and will be logged by any servers. For example, let's say that you've entered your credit card information into a form that uses the GET method. The URL may appear like this:
https://www.xsecurity-bank.com/creditcard.asp?cardnumber=453453433532234
The GET method appends the credit card number to the URL. This means that anyone with access to a server log will be able to obtain this information. How would you protect from this type of attack?

  • A. Never include sensitive information in a script
  • B. Use HTTPS SSLv3 to send the data instead of plain HTTPS
  • C. Replace the GET with POST method when sending data
  • D. Encrypt the data before you send using GET method

Answer: C

NEW QUESTION 23

Hayden is the network security administrator for her company, a large finance firm based in Miami. Hayden just returned from a security conference in Las Vegas where they talked about all kinds of old and new security threats; many of which she did not know of. Hayden is worried about the current security state of her company's network so she decides to start scanning the network from an external IP address. To see how some of the hosts on her network react, she sends out SYN packets to an IP range. A number of IPs responds with a SYN/ACK response. Before the connection is established she sends RST packets to those hosts to stop the session. She does this to see how her intrusion detection system will log the traffic. What type of scan is Hayden attempting here?

  • A. Hayden is attempting to find live hosts on her company's network by using an XMAS scan
  • B. She is utilizing a SYN scan to find live hosts that are listening on her network
  • C. The type of scan, she is using is called a NULL scan
  • D. Hayden is using a half-open scan to find live hosts on her network

Answer: D

NEW QUESTION 24

Which of the following Nmap commands would be used to perform a UDP scan of the lower 1024 ports?

  • A. Nmap -h -U
  • B. Nmap -hU <host(s)>
  • C. Nmap -sU -p 1-1024 <host(s)>
  • D. Nmap -u -v -w2 <host> 1-1024
  • E. Nmap -sS -O target/1024

Answer: C

Explanation:
Nmap -sU -p 1-1024 <host(s)> is the proper syntax. Learning Nmap and its switches is critical for successful completion of the CEH exam.

NEW QUESTION 25

You receive an e-mail like the one shown below. When you click on the link contained in the mail, you are redirected to a website asking you to download free Anti-Virus software.
Dear valued customers,
We are pleased to announce the newest version of Antivirus 2010 for Windows which will probe you with total security against the latest spyware, malware, viruses, Trojans and other online threats. Simply visit the link below and enter your antivirus code:
Antivirus code: 5014
http://www.juggyboy/virus/virus.html
Thank you for choosing us, the worldwide leader Antivirus solutions.
Mike Robertson
PDF Reader Support
Copyright Antivirus 2010 ?All rights reserved
If you want to stop receiving mail, please go to: http://www.juggyboy.com
or you may contact us at the following address: Media Internet Consultants, Edif. Neptuno, Planta Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a Panama
How will you determine if this is Real Anti-Virus or Fake Anti-Virus website?

  • A. Look at the website design, if it looks professional then it is a Real Anti-Virus website
  • B. Connect to the site using SSL, if you are successful then the website is genuine
  • C. Search using the URL and Anti-Virus product name into Google and lookout for suspicious warnings against this site
  • D. Download and install Anti-Virus software from this suspicious looking site, your Windows 7 will prompt you and stop the installation if the downloaded file is a malware

Answer: C
