CEH v11 Practice Test 2
Question 1:
When an attack by a hacker is politically motivated, the hacker is said to be participating in ______.
A Gray-box attacks
B Gray-hat attacks
C Hacktivism
D Black-hat hacking
Question 2:
Which of the following best describes the effort to identify the systems that are critical to the organization's
continued operation?
A BIA
B MTD
C DRP
D BCP
Question 3:
Your firm has a document that specifies what workers are permitted to do with their computer systems. It
also specifies what is prohibited and the penalties for those who violate the rules. All workers sign a copy of
this document before being granted network access.
Which of the following statements most accurately reflects this policy?
Question 4:
Brad has done some research and determined that a certain set of systems on his network fails once every
ten years. The purchase price of each of these systems is $1,200. In addition, Brad finds that the
administrators on staff, who earn $50 an hour, estimate five hours to replace a machine. Five employees,
earning $25 an hour, depend on each system and will be completely unproductive while it is down. If you
were to ask Brad for the ALE on these devices, what would he answer?
A 2075
B 120
C 1200
D 207.50
Question 5:
Scenario: an ethical hacker is employed to evaluate the security of a company network. The CEH has no
prior knowledge of the network and works under a particular framework that defines boundaries,
nondisclosure agreements, and the completion date.
Which of the following is a true statement?
Question 6:
The following is an SOA record obtained via a zone transfer. What is the name of the domain's
authoritative DNS server, and how frequently will secondary servers check in for updates?
4 ; serial number
B DNSRV1.anycomp.com, 4 seconds
Question 7:
A SOA
B CNAME
C NS
D PTR
Question 8:
Which of the following is a method of passive footprinting?
Question 9:
As a member of the pen test team, you begin by searching for IP ranges held by the target organization
and determining their network range. You also look at job listings, news stories, and the organization's
website. During the first week of the engagement, you also observe when personnel arrive at and leave
work, and you rummage through the trash outside the building for useful information.
What type of footprinting are you performing?
A Active
B Reconnaissance
C Passive
Question 10:
A nslookup
B dig
C traceroute
D whois
Question 11:
You have decided to begin scanning a target organization but want to keep your efforts as quiet as possible.
Which IDS evasion technique splits the TCP header among multiple packets?
A Anonymizer
B IP spoofing
C Fragmenting
D Proxy scanning
Question 12:
Which ICMP message type/code indicates that a packet could not reach its destination because it exceeded
its time to live?
A Type 0
B Type 8
C Type 11
D Type 3, Code 1
Question 13:
Which of the following statements is true regarding port scanning?
A Port scanning is designed to overload the ports on a target in order to identify which are open and which are closed.
C Port scanning is designed as a method to view all traffic to and from a system.
Question 14:
An ethical hacker is running an ACK scan against a network segment sitting behind a stateful firewall. A
scan packet receives no response. What does this lack of response indicate?
C The firewall allows the packet, but the device has the port closed.
Question 15:
You want to perform banner grabbing against a machine (168.15.22.4) that you suspect is a web server.
Assuming you have the correct tools installed, which of the following command-line entries will
successfully perform a banner grab? (Choose all that apply.)
A Telnet 80 168.15.22.4
B Telnet 168.15.22.4 80
C nc -v -n 168.15.22.4 80
D nc -v -n 80 168.15.22.4
Question 16:
Your customer tells you they know beyond a doubt that an attacker is sending messages back and forth
from their network, yet the IDS doesn't appear to alert on the traffic. Which of the following is most likely
true?
Question 17:
Which of the following best describes a honeypot?
Question 18:
What takes place when an IDS fails to identify a malicious packet entering the network?
A True positive
B False negative
C True negative
D False positive
Question 19:
Which of the following Wireshark filters would show all traffic coming from or going to systems on the
172.17.15.0/24 subnet? (Select all that apply.)
B ip.addr == 172.17.15.0/24
Question 20:
Which encryption standard does LM employ?
A SHA-1
B MD5
C SHA-2
D 3DES
E DES
Question 21:
While performing standard maintenance on a database server, you notice one hour of time missing from
the log file during what would normally be regular operating hours. Further investigation reveals that
there have been no user complaints about accessibility.
Which of the following is the most likely explanation?
Question 22:
Which of the following is the best definition of steganography?
Question 23:
Which of the following would be the best protection against XSS attacks?
Question 25:
To start a SQL injection attempt, which character is the best choice?
A Double quote
B Semicolon
C Colon
D Single quote
Question 26:
Which of the following is a true statement?
A Configuring the web server to send random challenge tokens is the best mitigation for parameter-manipulation attacks.
B Configuring the web server to send random challenge tokens is the best mitigation for XSS attacks.
C Configuring the web server to send random challenge tokens is the best mitigation for buffer overflow attacks.
D Configuring the web server to send random challenge tokens is the best mitigation for CSRF attacks.
Question 27:
A business's accounting department detects multiple orders that appear to have been placed in error. While
investigating the issue, you learn that the pricing of items on various web orders does not match the
published pricing on the public site. You confirm that neither the website nor the ordering database
appears to have been compromised. Furthermore, there were no alerts in the Snort logs indicating a
probable attack on the web application. Which of the following best explains the attack?
B The attacker has used SQL injection to update the database to reflect new prices for the items.
C The attacker has taken advantage of a server-side include that altered the price.
D The attacker has copied the source code to his machine and altered hidden fields to modify the purchase price of the items.
Question 28:
You and your customer are discussing wireless security. He claims that his network is secure because he
has enabled MAC filtering on all access points, allowing only MAC addresses from clients he has
manually configured in each list. You point out that this measure will not prevent a determined attacker
from joining his network.
Which of the following explains why the APs are still vulnerable?
B An attacker could send a MAC flood, effectively turning the AP into a hub.
Question 29:
B SSIDs are important for identifying networks but do little to nothing for security.
Question 30:
Which of the following methods is the best way to crack the network key if a WPA2 wireless network is
discovered during a pen test?
C Capture a large amount of initialization vectors and crack the key inside.
Question 31:
Which of the following best represents SOA?
B An application containing both the user interface and the code allowing access to the data
C File server
Question 32:
A Job rotation
B Separation of duties
C Least privilege
D Need to know
Question 33:
In the NIST Cloud Computing Reference Architecture, which of the following is responsible for
transmitting the data?
A Cloud carrier
B Cloud consumer
C Cloud provider
D Cloud broker
Question 34:
During a TCP data exchange, the client provided a sequence number of 100, while the server provided a
sequence number of 500. During acknowledgments, the packet displays the agreed-upon sequence
numbers 101 and 501, respectively.
With a window size of 5, which sequence numbers would the server willingly accept as part of this
session?
Question 35:
A Session hijacking
B Backdoor channel
C Overt channel
D Covert channel
Question 36:
Which of the following attacks do not use ICMP? (Select two.)
A SYN flood
B Peer to peer
C Smurf
D Ping of Death
Question 37:
Which of the following propagates without human interaction?
A MITM
B Worm
C Virus
D Trojan
Question 38:
Which is the correct syntax for creating a command shell on port 56 using Netcat on Windows
systems?
A nc -r 56 -c cmd.exe
B nc -p 56 -o cmd.exe
C nc -L 56 -t -e cmd.exe
D nc -port 56 -s -o cmd.exe
Question 39:
Which is used within a PKI system to distribute a public key, thereby authenticating the user's identity
to the recipient?
A Digital signature
B Private key
C Digital certificate
D Hash value
Question 40:
Which of the following statements is true regarding encryption algorithms?
A Symmetric algorithms are faster, are good for bulk encryption, but have scalability problems.
B Symmetric algorithms are slower, are good for bulk encryption, and have no scalability problems.
C Symmetric algorithms are faster but have scalability problems and are not suited for bulk encryption.
D Symmetric algorithms are faster, are good for bulk encryption, and have no scalability problems.
Question 41:
Joe encrypts and sends a message for Bob using a PKI system. What method does Bob use to decrypt the
message when he receives it?
Question 42:
Which of the following is a software application used to asymmetrically encrypt and digitally sign
e-mail?
A PPTP
B SSL
C PGP
D HTTPS
Question 43:
Which of the following symmetric algorithms uses variable block sizes (from 32 to 128 bits)?
A DES
B MD5
C RC
D 3DES
Question 44:
Employee background checks, device risk assessments, and key management and storage rules are all
examples of __________ measures in physical security.
A technical
B operational
D physical
Question 45:
If your organization installs mantraps in the entranceway, which of the following attacks is it attempting
to protect against?
A Shoulder surfing
B Eavesdropping
C Dumpster diving
D Tailgating
Question 46:
Phishing e-mail attacks have caused severe harm to a company, and the security office decides to provide
training to all users in phishing prevention. Which of the following are true statements regarding the
identification of phishing attempts? (Select all that apply.)
A Ensure the last line includes a known salutation and copyright entry (if required).
Question 47:
B The predefined scope and agreement made with the system owner.
C Ethical hackers never exploit vulnerabilities; they only point out their existence.
D Nothing.
Question 48:
Which security assessment is designed to check policies and procedures within an organization?
A Security audit
B Pen test
C Vulnerability assessment
Question 49:
A security staff is preparing for a security audit and wants to know whether additional security training
for end users would be beneficial. Which of the following methods would be the best option for testing
the effectiveness of user training in the environment?
A Sniffing
B Vulnerability scanning
C Social engineering
Question 1: C
Explanation:
Hacktivism is practiced by hackers who use their abilities and talents to further a cause or a political agenda.
Question 2: A
Explanation:
This description is best matched by the Business Impact Analysis. Although maximum tolerable downtime is part of
the process, and a continuity plan does address it, a BIA is the actual process for identifying those critical systems.
Question 3: B
Explanation:
The Information Security Policy specifies what is and is not permitted, as well as the consequences of misbehavior
with relation to corporate network resources. Employees often sign this prior to the establishment of their account.
Question 4: D
Explanation:
ALE = ARO × SLE. Divide the number of occurrences by the number of years (1 occurrence / 10 years = 0.1) to get
ARO. To calculate SLE, add the purchase price (1200) to the time required to replace (5*50 = 250) and the amount of
lost work (5 hours*5 employees*25 = 625). In this scenario, the total is $2075. ALE = 0.1*2075, which equals
$207.50.
Question 5: A
Explanation:
In this case, an ethical hacker was hired under a specific agreement, which makes him a white hat. The test he
was hired to perform is a no-knowledge attack, making it a black-box test.
Question 6: D
Explanation:
The SOA always begins by defining the authoritative server (in this example, DNSRV1), followed by e-mail contact
information along with a few additional items. The refresh time specifies how frequently secondary servers will check
for updates—in this example, 3,600 seconds (1 hour).
Question 7: B
Explanation:
Question 9: C
Explanation:
All the methods discussed are passive in nature, per EC-Council’s definition.
According to Walker, Matt. CEH Certified Ethical Hacker Bundle, Second Edition (All-in-One) (Kindle Locations
2354-2355). McGraw-Hill Education. Kindle Edition.
Question 10: D
Explanation:
whois gives domain registration information, including technical and business POC addresses and e-mails.
Question 11: C
Explanation:
Fragmenting packets is an effective approach to getting around an IDS. Splitting a TCP header across
numerous packets (IP fragments) can help you stay hidden while scanning.
Question 12: C
Explanation:
A Type 11 ICMP packet signifies that the packet's TTL has hit 0 and that it must ride the Carousel (from the film
Logan's Run) to a better place.
Question 13: B
Explanation:
Port scanning has a single purpose: to test ports to verify if they are open (listening). Is an open port always a sign that
something is wrong? No, but it does suggest a possible weakness that you may attack in the future.
Question 14: D
Explanation:
A stateful firewall will not allow an ACK packet to pass unless the session was "sourced" from within the network. The
lack of response indicates that the firewall screened that packet and did not allow it to pass.
Question 15: C
Explanation:
Telnet and netcat, among others, can be used to capture banners. The port number should come last in both cases.
Question 16: A
Explanation:
Encryption is the bane of an IDS's existence. If traffic is encrypted, the IDS is blind as a bat.
Question 17: B
Explanation:
A honeypot is created to encourage attackers so that you may see what they do, how they do it, and where they do it.
Question 18: B
Explanation:
A false negative occurs when malicious traffic reaches the IDS, is analyzed, and is still allowed through. A false
negative is quite dangerous.
Question 19: B
Explanation:
Always pay attention to the operators when answering Wireshark filter questions.
Question 20: E
Explanation:
LAN Manager (LM), an ancient and outmoded authentication system, employed DES, an outmoded method of hashing
data (in this case, passwords).
Question 21: C
Explanation:
During regular business hours, it's a database server, and there's nothing in the log? Forget about the fact that a reboot
would have occurred somewhere—no one complained about it being down at all. No, we believe this one will need
some forensics work. Contact the IR team.
Question 22: D
Explanation:
Steganography is a technique for concealing data in files until it is needed. Although picture and video files are
generally connected with steganography, information may be buried in virtually any file.
Question 23: B
Explanation:
The word "best" is usually a tricky one. Configuring server-side procedures to validate what is entered into the input
field is by far the greatest protection in this instance. Could vulnerability scans and pen testing alert you to a problem?
Sure, but they don't do anything to defend you on their own.
Question 24: B
Explanation:
SOAP is interoperable with HTTP and SMTP, and messages are often one-way.
Question 25: D
Explanation:
SQL injection attempts should begin with a single quote, although this is not always the case in many database
systems.
Question 26: D
Explanation:
Requests from an attacker masquerading as your session through your browser can be greatly reduced by ensuring
that each request contains a challenge token; if the server receives a request without a token, it is treated as bad and dropped.
Question 27: D
Explanation:
Because the logs and IDSs reveal no direct attack in this example, the attacker most likely transferred the source code
straight to his computer and changed the secret "price" fields on the order form. All other forms of attacks would have
readily shown themselves in some shape or other.
Question 28: A
Explanation:
MAC filtering can readily be circumvented by sniffing the network for a valid MAC and then spoofing it using any of
the available alternatives.
Question 29: B
Explanation:
An SSID serves no use other than to identify the network. It is not intended to be a security measure.
Question 30: B
Explanation:
WPA2 is a strong encryption method, but with enough time, practically everything can be cracked. Capturing the
pairwise master key (PMK) during the handshake is the only way to achieve it, and even then it's very
difficult if the password is complex.
Question 31: A
Explanation:
The best available option is Service Oriented Architecture (SOA), which is all about software components giving
information to one another through a network.
Question 32: B
Explanation:
While using cloud computing does not entirely resolve the separation of duties, it is the only option available. By
definition, the cloud may separate the data owner from the data custodian (the cloud provider assumes the role).
Question 33: A
Explanation:
The carrier, such as the power distributor for the electric grid, acts as an intermediary for connectivity and transit
between the subscriber and the provider.
Question 34: C
Explanation:
The server will accept packets 102 through 106 before providing an acknowledgment, beginning with the
acknowledged sequence number 101.
Question 35: C
Explanation:
Overt channels are legal and are utilized legally. Everything else on the list is naughty.
Question 36: B
Explanation:
A SYN flood, like a peer-to-peer attack, does not utilize ICMP at all.
Question 37: B
Explanation:
Worms, like Skynet from the Terminator movies, do not need us.
Question 38: C
Explanation:
This is the correct Netcat syntax to leave a command shell open on port 56.
Question 39: C
Explanation:
A digital certificate contains the sender's public key, among other things, and may be used to identify the sender.
Question 40: A
Explanation:
Symmetric methods are quick and useful for mass encryption, but they have scaling issues.
Question 41: A
Explanation:
The message is encrypted using Bob's public key. It is decrypted using his private key.
Question 42: C
Explanation:
Pretty Good Privacy (PGP) is used for signing, compressing, and encrypting and decrypting e-mails, files, directories,
and even whole disk partitions, mainly in an effort to increase the security of e-mail communications.
Question 43: C
Explanation:
Rivest Cipher (RC) uses variable block sizes (from 32 to 128 bits).
Question 44: B
Explanation:
Operational measures are the policies and procedures you set up to enforce a security-minded operation.
Question 45: D
Explanation:
Question 46: D
Explanation:
Phishing e-mails can be identified by the sender, the recipient, spelling and grammatical problems, and unfamiliar or
harmful attached links.
Question 47: B
Explanation:
Pen tests are always preceded by an agreement with the customer outlining the scope and activity. An ethical hacker
will never proceed without written authorization.
Question 48: A
Explanation:
Question 49: C
Explanation:
Social engineering is used to put the human aspect of an organization to the test. It is the only viable option among
those listed.