CEH v11


Q541 - The collection of potentially actionable, overt, and publicly available information is known as

  1. Open-source intelligence
  2. Human intelligence
  3. Social intelligence
  4. Real intelligence

Answer: A

Q542 - Which of the following parameters enables NMAP's operating system detection feature?

  1. NMAP -sV
  2. NMAP -oS
  3. NMAP -sR
  4. NMAP -O

Answer: D

Q543 - Which of the following is the structure designed to verify and authenticate the identity of individuals within the enterprise taking part in a data exchange?

  1. PKI
  2. single sign-on
  3. biometrics
  4. SOA

Answer: A

Q544 - What network security concept requires multiple layers of security controls to be placed throughout an IT infrastructure, which improves the security posture of an organization to defend against malicious attacks or potential vulnerabilities?

  1. Security through obscurity
  2. Host-Based Intrusion Detection System
  3. Defense in depth
  4. Network-Based Intrusion Detection System

Answer: C

Q545 - An attacker attaches a rogue router in a network. He wants to redirect traffic to a LAN attached to his router as part of a man-in-the-middle attack. What measure on behalf of the legitimate admin can mitigate this attack?

  1. Only using OSPFv3 will mitigate this risk.
  2. Make sure that legitimate network routers are configured to run routing protocols with authentication.
  3. Redirection of the traffic cannot happen unless the admin allows it explicitly.
  4. Disable all routing protocols and only use static routes.

Answer: B

Q546 - Which of the following is an advantage of utilizing security testing methodologies to conduct a security audit?

  1. They provide a repeatable framework.
  2. Anyone can run the command line scripts.
  3. They are available at low cost.
  4. They are subject to government regulation.

Answer: A

Q547 - Darius is analysing logs from an IDS. He wants to understand what triggered one alert and verify whether it is a true positive or a false positive. Looking at the logs, he copies and pastes the basic details below:
source IP: 192.168.21.100
source port: 80
destination IP: 192.168.10.23
destination port: 63221
What is the most appropriate answer?

  1. This is most probably true negative.
  2. This is most probably true positive which triggered on secure communication between client and server.
  3. This is most probably false-positive, because an alert triggered on reversed traffic.
  4. This is most probably false-positive because IDS is monitoring one direction traffic.

Answer: A

Q548 - You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist's email, and you send her an email changing the source email to her boss's email (boss@company). In this email, you ask for a PDF with information. She reads your email and sends back a PDF with links. You exchange the PDF links with your malicious links (these links contain malware) and send back the modified PDF, saying that the links don't work. She reads your email, opens the links, and her machine gets infected. You now have access to the company network. What testing method did you use?

  1. Social engineering
  2. Tailgating
  3. Piggybacking
  4. Eavesdropping

Answer: A

Q549 - SNMP is a protocol used to query hosts, servers, and devices about performance or health status data. This protocol has long been used by hackers to gather a great amount of information about remote hosts. Which of the following features makes this possible? (Choose two.)

  1. It uses TCP as the underlying protocol.
  2. It uses community strings that are transmitted in clear text.
  3. It is susceptible to sniffing.
  4. It is used by all network devices on the market.

Answer: B and D

Q550 - Firewalk has just completed the second phase (the scanning phase) and a technician receives the output shown below. What conclusions can be drawn based on these scan results?

  1. The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target host.
  2. The lack of response from ports 21 and 22 indicates that those services are not running on the destination server.
  3. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall.
  4. The scan on port 23 was able to make a connection to the destination host prompting the firewall to respond with a TTL error.

Answer: C

Q551 - Which of the following is a component of a risk assessment?

  1. Physical security
  2. Administrative safeguards
  3. DMZ
  4. Logical interface

Answer: B

Q552 - Which cipher encrypts the plain text digit (bit or byte) one by one?

  1. Classical cipher
  2. Block cipher
  3. Modern cipher
  4. Stream cipher

Answer: D

Q553 - Which type of access control is used on a router or firewall to limit network activity?

  1. Mandatory
  2. Discretionary
  3. Rule-based
  4. Role-based

Answer: C

Q554 - If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?

  1. Birthday
  2. Brute force
  3. Man-in-the-middle
  4. Smurf

Answer: B

Q555 - Which of the following is designed to identify malicious attempts to penetrate systems?

  1. Intrusion Detection System
  2. Firewall
  3. Proxy
  4. Router

Answer: A

Q556 - Which of the following is assured by the use of a hash?

  1. Integrity
  2. Confidentiality
  3. Authentication
  4. Availability

Answer: A

Q557 - What is the minimum number of network connections in a multi-homed firewall?

  1. 3
  2. 5
  3. 4
  4. 2

Answer: A

Q558 - How does the Address Resolution Protocol (ARP) work?

  1. It sends a request packet to all the network elements, asking for the MAC address from a specific IP.
  2. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP.
  3. It sends a reply packet for a specific IP, asking for the MAC address.
  4. It sends a request packet to all the network elements, asking for the domain name from a specific IP.

Answer: A

Q559 - Which security strategy requires using several varying methods to protect IT systems against attacks?

  1. Defense in depth
  2. Three-way handshake
  3. Covert channels
  4. Exponential backoff algorithm

Answer: A

Q560 - Which of the following techniques does a vulnerability scanner use in order to detect a vulnerability on a target service?

  1. Port scanning
  2. Banner grabbing
  3. Injecting arbitrary data
  4. Analyzing service response

Answer: D

Q561 - How can you determine if an LM hash you extracted contains a password that is less than 8 characters long?

  1. There is no way to tell because a hash cannot be reversed
  2. The rightmost portion of the hash is always the same
  3. The hash always starts with AB923D
  4. The leftmost portion of the hash is always the same
  5. A portion of the hash will be all 0's

Answer: B

Q562 - Which of the following guidelines or standards is associated with the credit card industry?

  1. Control Objectives for Information and Related Technology (COBIT)
  2. Sarbanes-Oxley Act (SOX)
  3. Health Insurance Portability and Accountability Act (HIPAA)
  4. Payment Card Industry Data Security Standard (PCI DSS)

Answer: D

Q563 - Identify the correct terminology that defines the below statement.

  1. Vulnerability Scanning
  2. Penetration Testing
  3. Security Policy Implementation
  4. Designing Network Security

Answer: B

Q564 - An attacker tries to do banner grabbing on a remote web server and executes the following command.

What did the hacker accomplish?

  1. nmap can't retrieve the version number of any running remote service.
  2. The hacker successfully completed the banner grabbing.
  3. The hacker should've used nmap -O host.domain.com.
  4. The hacker failed to do banner grabbing as he didn't get the version of the Apache web server.

Answer: B

Q565 - What is the main difference between a "Normal" SQL Injection and a "Blind" SQL Injection vulnerability?

  1. The request to the web server is not visible to the administrator of the vulnerable application.
  2. The attack is called "Blind" because, although the application properly filters user input, it is still vulnerable to code injection.
  3. The successful attack does not show an error message to the administrator of the affected application.
  4. The vulnerable application does not display errors with information about the injection results to the attacker.

Answer: D

Q566 - Fingerprinting an Operating System helps a cracker because:

  1. It defines exactly what software you have installed
  2. It opens a security-delayed window based on the port being scanned
  3. It doesn't depend on the patches that have been applied to fix existing security holes
  4. It informs the cracker of which vulnerabilities he may be able to exploit on your system

Answer: D

Q567 - You are attempting to man-in-the-middle a session. Which protocol will allow you to guess a sequence number?

  1. TCP
  2. UDP
  3. ICMP
  4. UPX

Answer: A

Q568 - The first thing you do every office day is check your email inbox. One morning, you receive an email from your best friend, and the subject line is quite strange. What should you do?

  1. Delete the email and pretend nothing happened.
  2. Forward the message to your supervisor and ask for her opinion on how to handle the situation.
  3. Forward the message to your company's security response team and permanently delete the message from your computer.
  4. Reply to the sender and ask them for more information about the message contents.

Answer: C

Q569 - During a black-box pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web-enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic?

  1. Application
  2. Circuit
  3. Stateful
  4. Packet Filtering

Answer: A

Q570 - Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan?

  1. It is a network fault and the originating machine is in a network loop
  2. It is a worm that is malfunctioning or hardcoded to scan on port 500
  3. The attacker is trying to detect machines on the network which have SSL enabled
  4. The attacker is trying to determine the type of VPN implementation and checking for IPSec

Answer: D