Ceh v11 Practice Practice Test 2

passemall.com

49 questions

Question 1:
When an attack by a hacker is politically motivated, the hacker is said to be participating in ______.

A Gray-box attacks

B Gray-hat attacks

C Hacktivism

D Black-hat hacking

Question 2:
Which of the following best describes an effort to identify the systems that are critical to the continuation of the organization's operations?

A BIA

B MTD

C DRP

D BCP

Question 3:
Which of the following best describes the policy in the following case?

Your firm has a document that specifies what workers are permitted to do with their computer systems. It also specifies what is banned and the punishments for those who violate the rules. All workers sign a copy of this document before they are granted network access.

A Information Audit Policy

B Information Security Policy

C Special Access Policy

D Network Connection Policy

Question 4:
Brad has done some research and determined that a certain set of systems on his network fails once every ten years. The purchase price for each of these systems is $1,200. In addition, Brad finds that the administrators on staff, who earn $50 an hour, estimate five hours to replace a machine. Five employees, earning $25 an hour, depend on each system and will be completely unproductive while it is down. If you were to ask Brad for an ALE on these devices, what would he answer?

A 2075

B 120

C 1200

D 207.50

Question 5:
Which of the following is a true statement?

Scenario: an ethical hacker is employed to evaluate the security of a company network. The CEH has no prior knowledge of the network and works under a particular framework that defines boundaries, nondisclosure agreements, and the completion date.

A A white hat is attempting a black-box test.

B A black hat is attempting a black-box test.

C A black hat is attempting a gray-box test.

D A white hat is attempting a white-box test.

Question 6:
The following is an SOA record obtained via a zone transfer. What is the name of the domain's authoritative DNS server, and how frequently will secondary servers check in for updates?

    @ IN SOA DNSRV1.anycomp.com. postmaster.anycomp.com. (
        4      ; serial number
        3600   ; refresh [1h]
        600    ; retry [10m]
        86400  ; expire [1d]
        3600 ) ; min TTL [1h]

A DNSRV1.anycomp.com, 600 seconds

B DNSRV1.anycomp.com, 4 seconds

C postmaster.anycomp.com, 600 seconds

D DNSRV1.anycomp.com, 3,600 seconds


Question 7:
You have an FTP service and an HTTP site on a single server. Which DNS record allows you to alias both services to the same record (IP address)?

A SOA

B CNAME

C NS

D PTR

Question 8:
Which of the following is a method of passive footprinting?

A Performing a ping sweep against the network range

B Collecting information through publicly accessible sources

C Sniffing network traffic through a network tap

D Checking DNS responses for network mapping.

Question 9:
You are a member of the pen test team. You begin by searching for IP ranges held by the target organization and determining its network range. You also look at job listings, news stories, and the organization's website. During the first week of the test, you also observe when personnel arrive at and leave work, and you rummage through the trash outside the building for helpful information. Which type of footprinting are you accomplishing?

A Active

B Reconnaissance

C Passive

D None of the above


Question 10:
Which footprinting tool or technique can be used to find the names and addresses of employees or technical points of contact?

A nslookup

B dig

C traceroute

D whois

Question 11:
You have decided to begin scanning a target organization but want to keep your efforts as quiet as possible. Which IDS evasion technique splits the TCP header among multiple packets?

A Anonymizer

B IP spoofing

C Fragmenting

D Proxy scanning

Question 12:
Which ICMP message type/code indicates that a packet could not reach its recipient because it exceeded its time to live?

A Type 0

B Type 8

C Type 11

D Type 3, Code 1

Question 13:
Which of the following statements is true regarding port scanning?

A Port scanning is designed to overload the ports on a target in order to identify which are open and which are closed.

B Port scanning is used to identify potential vulnerabilities on a target system.

C Port scanning is designed as a method to view all traffic to and from a system.

D Port scanning’s primary goal is to identify live targets on a network.

Question 14:
An ethical hacker is ACK-scanning against a network segment sitting behind a stateful firewall. A scan
packet receives no response. What does this lack of response indicate?

A It is impossible to determine any port status from this response.

B The port is not filtered at the firewall.

C The firewall allows the packet, but the device has the port closed.

D The port is filtered at the firewall.

Question 15:
You want to perform banner grabbing against a machine (168.15.22.4) that you suspect of being a web server. Assuming you have the correct tools installed, which of the following command-line entries will successfully perform a banner grab? (Choose all that apply; two answers are correct.)

A Telnet 80 168.15.22.4

B Telnet 168.15.22.4 80

C nc -v -n 168.15.22.4 80

D nc -v -n 80 168.15.22.4

Question 16:
Your customer tells you they understand beyond a doubt that an attacker is sending messages back and forth from their network, yet the IDS doesn't appear to be alerting on the traffic. Which of the following is most likely true?

A The attacker is sending messages over an SSL tunnel.

B The attacker has configured a trunk port on a switch.

C The attacker has set up port security on network switches.

D The attacker has corrupted ACLs on every router in the network.

Question 17:
Which of the following best describes a honeypot?

A It is used to analyze traffic for detection signatures.

B It is used to gather information about potential network attackers.

C It is used to filter traffic from screened subnets.

D Its primary function involves malware and virus protection.

Question 18:
When an IDS does not suitably identify a malicious packet entering the network, what takes place?

A True positive

B False negative

C True negative

D False positive

Question 19:
Which of the following Wireshark filters would show all traffic coming from or going to systems on the 172.17.15.0/24 subnet? (Select all that apply; two answers are correct.)

A ip.src == 172.17.15.0/24 or ip.dst == 172.17.15.0/24

B ip.addr == 172.17.15.0/24

C ip.src == 172.17.15.0/24 and ip.dst == 172.17.15.0/24

D ip.src == 172.17.15.0/24 and ip.dst == 172.17.15.0/24

Question 20:
LM employs which encryption standard?

A SHA-1

B MD5

C SHA-2

D 3DES

E DES

Question 21:
Which of the following is the most likely explanation for the following situation?

While performing standard maintenance on a database server, you notice one hour of time missing from the log file during what would normally be regular operating hours. Further investigation reveals that there have been no user complaints about accessibility.

A No activity occurred during the hour time frame.

B The server was rebooted.

C The server was compromised by an attacker.

D The log file is simply corrupted.

Question 22:
Which of the following is the best definition of steganography?

A Steganography is used to create multimedia communication files.

B Steganography is used to create hash values of data files.

C Steganography is used to encrypt data communications, allowing files to be passed unseen.

D Steganography is used to hide information within existing files.

Question 23:
Which of the following would be the best protection against XSS attacks?

A Invest in top-of-the-line firewalls.

B Configure input validation on your systems.

C Have a pen test performed against your systems.

D Carry out vulnerability scans against your systems.


Question 24:
Which of the following is a true statement?

A SOAP encrypts messages using HTTP methods.

B SOAP is compatible with HTTP and SMTP.

C SOAP messages are usually bidirectional.

D SOAP cannot bypass a firewall.

Question 25:
To start a SQL injection attempt, which character is the best choice?

A Double quote

B Semicolon

C Colon

D Single quote

Question 26:
Which of the following is a true statement?

A Configuring the web server to send random challenge tokens is the best mitigation for parameter-manipulation attacks.

B Configuring the web server to send random challenge tokens is the best mitigation for XSS attacks.

C Configuring the web server to send random challenge tokens is the best mitigation for buffer overflow attacks.

D Configuring the web server to send random challenge tokens is the best mitigation for CSRF attacks.

Question 27:
A business's accounting department detects multiple orders that appear to have been placed in error. While investigating the issue, you learn that the pricing of items on various web orders does not match the published pricing on the public site. You confirm that neither the website nor the ordering database appears to have been compromised. Furthermore, there were no alerts in the Snort logs indicating a probable attack on the web application. Which of the following might explain the current attack?

A The attacker used Metasploit to take control of the web application.

B The attacker has used SQL injection to update the database to reflect new prices for the items.

C The attacker has taken advantage of a server-side include that altered the price.

D The attacker has copied the source code to his machine and altered hidden fields to modify the purchase price of the items.

E The attacker takes control of the web application.

Question 28:
You and your customer are talking about wireless security. He claims that his network is secure because he has configured MAC filtering on all access points, allowing only MAC addresses from clients he has manually entered in each list. As you point out, this procedure will not prevent a determined attacker from joining his network. Which of the following explains why the APs are still vulnerable?

A An attacker could sniff an existing MAC address and spoof it.

B An attacker could send a MAC flood, effectively turning the AP into a hub.

C MAC addresses are dynamic and can be sent via DHCP.

D WEP keys are easier to crack when MAC filtering is in place.

E WEP is dynamic and can be sent via DHCP.


Question 29:
Which of the following is a true statement?

A Configuring a strong SSID is a vital step in securing your network.

B SSIDs are important for identifying networks but do little to nothing for security.

C An SSID should never be a dictionary word or anything easily guessed.

D An SSID should always be more than eight characters in length.

Question 30:
A WPA2 wireless network is discovered during a pen test. Which of the following methods is the best way to crack the network key?

A Use a sniffer to capture the SSID.

B Capture the WPA2 authentication traffic and crack the key.

C Capture a large amount of initialization vectors and crack the key inside.

D WPA2 cannot be cracked.

Question 31:
Which of the following best represents SOA?

A An API that allows different components to communicate

B An application containing both the user interface and the code allowing access to the data

C File server

D A single database accessed by multiple sources


Question 32:
Cloud computing has many benefits. Which of the following is the best choice for a security principle that applies to cloud security?

A Job rotation

B Separation of duties

C Least privilege

D Need to know

Question 33:
In the NIST Cloud Computing Reference Architecture, which of the following has the responsibility of transmitting the data?

A Cloud carrier

B Cloud consumer

C Cloud provider

D Cloud broker

Question 34:
During a TCP data exchange, the client provided a sequence number of 100, while the server provided a sequence number of 500. During acknowledgments, the packet displays the agreed-upon sequence numbers 101 and 501, respectively. With a window size of 5, which sequence numbers would the server willingly accept as part of this session?

A Anything above 501

B 102 through 502

C 102 through 106

D 102 through 501


Question 35:
Which of the following does not define a method of data transmission that violates a security policy?

A Session hijacking

B Backdoor channel

C Overt channel

D Covert channel

Question 36:
Which of the following attacks do not use ICMP? (Select two.)

A SYN flood

B Peer to peer

C Smurf

D Ping of Death

Question 37:
Which of the following propagates without human interaction?

A MITM

B Worm

C Virus

D Trojan

Question 38:
Which is the appropriate syntax for creating a command shell on port 56 using Netcat on Windows systems?

A nc -r 56 -c cmd.exe

B nc -p 56 -o cmd.exe

C nc -L 56 -t -e cmd.exe

D nc -port 56 -s -o cmd.exe

Question 39:
Which is used within a PKI system to distribute a public key, thereby authenticating the user's identity to the recipient?

A Digital signature

B Private key

C Digital certificate

D Hash value

Question 40:
Which of the following statements is true regarding encryption algorithms?

A Symmetric algorithms are faster, are good for bulk encryption, but have scalability problems.

B Symmetric algorithms are slower, are good for bulk encryption, and have no scalability problems.

C Symmetric algorithms are faster but have scalability problems and are not suited for bulk encryption.

D Symmetric algorithms are faster, are good for bulk encryption, and have no scalability problems.

Question 41:
Joe encrypts and sends a message for Bob using a PKI system. What method does Bob use to decrypt the
message when he receives it?

A Bob’s private key

B Joe’s private key

C Bob’s public key

D Joe’s public key

Question 42:
Which of the following is a software application used to asymmetrically encrypt and digitally sign e-mail?

A PPTP

B SSL

C PGP

D HTTPS

Question 43:
Which of the following symmetric algorithms uses variable block sizes (from 32 to 128 bits)?

A DES

B MD5

C RC

D 3DES

Question 44:
Employee background checks, device risk assessments, and key management and storage rules are all
examples of __________ measures in physical security.

A technical

B operational

C None of the above

D physical

Question 45:
Your organization installs mantraps in the entranceway. Which of the following attacks is it attempting to protect against?

A Shoulder surfing

B Eavesdropping

C Dumpster diving

D Tailgating

Question 46:
Phishing e-mail attacks have caused severe harm to a company, and the security office decides to provide training to all users in phishing prevention. Which of the following are true statements regarding the identification of phishing attempts? (Select all that apply; three answers are correct.)

A Ensure the last line includes a known salutation and copyright entry (if required).

B Verify all links before clicking them.

C Ensure e-mail is from a trusted, legitimate e-mail address source.

D Verify spelling and grammar is correct.


Question 47:
Which of the following is the main difference between a hacker and an ethical hacker (pen test team member)?

A The tools they use.

B The predefined scope and agreement made with the system owner.

C Ethical hackers never exploit vulnerabilities; they only point out their existence.

D Nothing.

Question 48:
Which security assessment is designed to check policies and procedures within an organization?

A Security audit

B Pen test

C Vulnerability assessment

D None of the above

Question 49:
A security staff is preparing for a security audit and wants to know whether additional security training for end users would be beneficial. Which of the following methods would be the best option for testing the effectiveness of user training in the environment?

A Sniffing

B Vulnerability scanning

C Social engineering

D Application code reviews


Answers:

Question 1: C
Explanation:

Hacktivism is practiced by hackers who use their abilities and talents to further a cause or a political agenda.

Question 2: A
Explanation:

This description is best matched by the Business Impact Analysis. Although maximum tolerable downtime is part of the process, and a continuity plan does address it, a BIA is the actual process for identifying those important systems.

Question 3: B
Explanation:

The Information Security Policy specifies what is and is not permitted, as well as the consequences of misbehavior with respect to corporate network resources. Employees often sign this before their account is established.

Question 4: D
Explanation:

ALE = ARO × SLE. To get the ARO, divide the number of occurrences by the number of years (1 occurrence / 10 years = 0.1). To calculate the SLE, add the purchase price ($1,200) to the cost of the time required to replace the machine (5 hours × $50 = $250) and the cost of lost work (5 hours × 5 employees × $25 = $625). In this scenario, the total is $2,075. ALE = 0.1 × $2,075, which equals $207.50.

Question 5: A
Explanation:

In this case, an ethical hacker was hired under a particular agreement, which makes him a white hat. The test for which he was hired is a no-knowledge attack, making it a black-box test.

Question 6: D
Explanation:

The SOA record always begins by defining the authoritative server (in this example, DNSRV1), followed by e-mail contact information and a few additional items. The refresh time specifies how frequently secondary servers will check for updates: in this example, 3,600 seconds (1 hour).

Question 7: B
Explanation:

CNAME records are used to create aliases in a zone.


Question 8: B
Explanation:

The focus of passive footprinting is on publicly accessible sources.

Question 9: C
Explanation:

All the methods discussed are passive in nature, per EC-Council’s definition.

According to Walker, Matt. CEH Certified Ethical Hacker Bundle, Second Edition (All-in-One) (Kindle Locations 2354-2355). McGraw-Hill Education. Kindle Edition.

Question 10: D
Explanation:

whois provides domain registration information, including technical and business POC names, addresses, and e-mails.

Question 11: C
Explanation:

Fragmenting packets is an effective approach to getting around an IDS for any purpose. Splitting a TCP header across numerous packets, known as IP fragments, can help you stay hidden while scanning.

Question 12: C
Explanation:

A Type 11 ICMP packet signifies that the packet's TTL has hit 0 and that it must ride the Carousel (from the film
Logan's Run) to a better place.

Question 13: B
Explanation:

Port scanning has a single purpose: to test ports to verify whether they are open (listening). Is an open port always a sign that something is wrong? No, but it does suggest a possible weakness that may be attacked later.

Question 14: D
Explanation:

A stateful firewall will not allow an ACK packet to pass unless it was "sourced" from within the network. The lack of response indicates that the firewall filtered that packet and did not allow it to pass.

Question 15: C
Explanation:

Telnet and netcat, among others, can be used to capture banners. The port number should come last in both cases.

Question 16: A
Explanation:

Encryption is the bane of an IDS's existence. If traffic is encrypted, the IDS is blind as a bat.

Question 17:
Explanation:

A honeypot is created to encourage attackers so that you may see what they do, how they do it, and where they do it.

Question 18: B
Explanation:

A false negative occurs when traffic reaches the IDS, is analyzed, and is still allowed through despite being malicious. A false negative is quite dangerous.

Question 19: B
Explanation:

Always pay attention to the operators when answering Wireshark filter questions.

Question 20: E
Explanation:

LAN Manager (LM), an ancient and outmoded authentication system, employed DES, an outmoded method of hashing
data (in this case, passwords).

Question 21: C
Explanation:

It's a database server during regular business hours, and there's nothing in the log? Forget the fact that a reboot would have been recorded somewhere; no one complained about it being down at all. No, we believe this one will need some forensics work. Contact the IR team.

Question 22: D
Explanation:

Steganography is a technique for concealing data in files until it is needed. Although picture and video files are generally associated with steganography, information may be hidden in virtually any file.

Question 23: B
Explanation:

The word "best" is usually a tricky one. Configuring server-side procedures to validate what is entered into the input field is by far the best protection in this instance. Could vulnerability scans and pen testing alert you to a problem? Sure, but they don't do anything to defend you on their own.

Question 24: B
Explanation:

SOAP is interoperable with HTTP and SMTP, and messages are often one-way.

Question 25:
Explanation:

SQL injection attempts usually begin with a single quote, even though this is not always the case across database systems.

Question 26: D
Explanation:

Requests from the bad guy masquerading as your session through your browser can be greatly reduced by ensuring that each request contains a challenge token; if the server receives a request without a token, it is treated as illegitimate and dropped.

Question 27: D
Explanation:

Because the logs and IDS reveal no direct attack in this example, the attacker most likely copied the source code straight to his computer and changed the hidden "price" fields on the order form. All other forms of attack would have readily shown themselves in some shape or form.

Question 28: A
Explanation:

MAC filtering can readily be circumvented by sniffing the network for a valid MAC and then spoofing it using any of
the available alternatives.

Question 29: B
Explanation:

An SSID serves no use other than to identify the network. It is not intended to be a security measure.

Question 30: B
Explanation:

WPA2 is a strong encryption method, but with enough time, practically everything can be hacked. Capturing the
password pairwise master key (PMK) during the handshake is the only method to achieve it, and even then it's very
difficult if the password is complex.

Question 31: A
Explanation:

The best available option is Service Oriented Architecture (SOA), which is all about software components giving
information to one another through a network.

Question 32: B
Explanation:

While using cloud computing does not entirely resolve separation of duties, it is the only option available. By definition, the cloud may separate the data owner from the data custodian (the cloud provider assumes that role).

Question 33:
Explanation:

The carrier, much like the power distributor for the electric grid, acts as an intermediary for connectivity and transport between the subscriber and the provider.

Question 34: C
Explanation:

Beginning with the acknowledged sequence number 101, the server will accept packets 102 through 106 before providing an acknowledgment.

Question 35: C
Explanation:

Overt channels are legal and are utilized legally. Everything else on the list is naughty.

Question 36: B
Explanation:

A SYN flood, like a peer-to-peer attack, does not utilize ICMP at all.

Question 37: B
Explanation:

Worms, like Skynet from the Terminator movies, do not need us.

Question 38: C
Explanation:

This is the correct Netcat syntax for leaving a command shell open on port 56.

Question 39: C
Explanation:

A digital certificate contains the sender's public key, among other things, and may be used to identify the sender.

Question 40: A
Explanation:

Symmetric methods are quick and useful for mass encryption, but they have scaling issues.

Question 41: A
Explanation:

The message is encrypted using Bob's public key. It is decrypted using his private key.

Question 42:
Explanation:

Pretty Good Privacy (PGP) is used for signing, compressing, encrypting, and decrypting e-mails, files, directories, and even whole disk partitions, mainly in an effort to increase the security of e-mail communications.

Question 43: C
Explanation:

Variable block sizes (from 32 to 128 bits) are used by Rivest Cipher (RC).

Question 44: B
Explanation:

Operational measures are the policies and procedures you set up to enforce a security-minded operation.

Question 45: D
Explanation:

Mantraps are specifically designed to prevent tailgating.

Question 46: D
Explanation:

Phishing e-mails can be identified by the sender, the recipient, spelling and grammatical problems, and unfamiliar or
harmful attached links.

Question 47: B
Explanation:

Pen tests are always preceded by an agreement with the customer outlining the scope and activity. An ethical hacker
will never proceed without written authorization.

Question 48: A
Explanation:

A security audit is used to verify the security policies and procedures in place.

Question 49: C
Explanation:

Social engineering is used to put the human aspect of an organization to the test. It is the only viable option among those listed.
