CEH v11

Q571 - Take a look at the following attack on a Web Server using an obfuscated URL:

How would you protect against these attacks?

  1. Configure the Web Server to deny requests involving "hex encoded" characters
  2. Create rules in IDS to alert on strange Unicode requests
  3. Use SSL authentication on Web Servers
  4. Enable Active Scripts Detection at the firewall and routers

Answer: B
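The detection logic behind answer B, as an added example that is not part of the original question bank. It runs a small set of IDS-style checks over request lines: percent-encoding of characters that never need it, double encoding, overlong UTF-8 sequences (the classic way to hide a "/" from a byte filter), and path traversal in the fully normalised path. The sample request lines are constructed for the demo. Note that the legitimate UTF-8 query (a check mark) passes clean, which is why simply denying every hex-encoded character (option A) is the wrong fix:

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines for the demo (not taken from the original page).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.1",  # overlong UTF-8 for '/'
    "GET /cgi-bin/..%255c..%255cwindows/win.ini HTTP/1.1",             # double-encoded backslash
    "GET /search?q=%E2%9C%93 HTTP/1.1",                                 # legitimate UTF-8 (a check mark)
    "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1",                           # needlessly encoded ASCII dots
]

# Characters that never need percent-encoding in a URL (RFC 3986 "unreserved").
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def percent_decode_rounds(target, max_rounds=3):
    """Percent-decode repeatedly; returns (raw bytes, number of rounds that found %XX escapes)."""
    data = target.encode("latin-1", "replace")
    rounds = 0
    while rounds < max_rounds and re.search(rb"%[0-9A-Fa-f]{2}", data):
        data = unquote_to_bytes(data)
        rounds += 1
    return data, rounds


def lax_utf8(data):
    """Decode bytes as UTF-8 the way a lenient decoder would: overlong forms (e.g. C0 AF) are
    accepted and mapped to the code point they 'mean' ('/'), and every such sequence is reported.
    A strict decoder rejects them, which is exactly why attackers use them to slip past filters."""
    out, overlongs, i = [], [], 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            out.append(chr(lead))
            i += 1
            continue
        if 0xC0 <= lead <= 0xDF:
            n, minimum = 2, 0x80
        elif 0xE0 <= lead <= 0xEF:
            n, minimum = 3, 0x800
        elif 0xF0 <= lead <= 0xF7:
            n, minimum = 4, 0x10000
        else:
            out.append("\ufffd")
            i += 1
            continue
        seq = data[i:i + n]
        if len(seq) < n or any(not 0x80 <= c <= 0xBF for c in seq[1:]):
            out.append("\ufffd")
            i += 1
            continue
        cp = lead & (0x7F >> n)
        for c in seq[1:]:
            cp = (cp << 6) | (c & 0x3F)
        if cp < minimum:
            overlongs.append(bytes(seq))
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += n
    return "".join(out), overlongs


def analyze_request(line):
    """Return the set of reasons a request line looks like an obfuscated attack (empty set if clean)."""
    m = re.match(r"\S+\s+(\S+)", line)
    target = m.group(1) if m else line
    reasons = set()
    # 1. %XX used for characters that never need encoding: a classic filter-evasion tell.
    for hexpair in re.findall(r"%([0-9A-Fa-f]{2})", target):
        if chr(int(hexpair, 16)) in UNRESERVED:
            reasons.add("unnecessary-encoding")
    # 2. More than one decode round needed: the request was double-encoded.
    data, rounds = percent_decode_rounds(target)
    if rounds > 1:
        reasons.add("double-encoding")
    # 3. Overlong UTF-8 sequences hide ASCII metacharacters from naive byte filters.
    text, overlongs = lax_utf8(data)
    if overlongs:
        reasons.add("overlong-utf8")
    # 4. Check the fully normalised path for traversal, treating '\' like '/'.
    if "../" in text.replace("\\", "/"):
        reasons.add("traversal")
    return reasons


def scan(lines):
    """Map each request line to its findings, like an IDS rule set run over an access log."""
    return {line: analyze_request(line) for line in lines}


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_REQUESTS).items():
        print(f"{'ALERT' if reasons else 'ok   '} {sorted(reasons)} {line}")
```

The important design point is that the traversal check runs on the decoded and normalised path, not on the raw request: a rule that only looks for the literal string "../" sees nothing in the overlong or double-encoded variants.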

Q572 - Which of the following does proper basic configuration of snort as a network intrusion detection system require?

  1. Limit the packets captured to the snort configuration file.
  2. Capture every packet on the network segment.
  3. Limit the packets captured to a single segment.
  4. Limit the packets captured to the /var/log/snort directory.

Answer: A

Q573 - Defining rules, collaborating human workforce, creating a backup plan, and testing the plans are within what phase of the Incident Handling Process?

  1. Preparation phase
  2. Containment phase
  3. Recovery phase
  4. Identification phase

Answer: A

Q574 - Which of the following BEST describes how Address Resolution Protocol (ARP) works?

  1. It sends a reply packet for a specific IP, asking for the MAC address
  2. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP
  3. It sends a request packet to all the network elements, asking for the domain name from a specific IP
  4. It sends a request packet to all the network elements, asking for the MAC address from a specific IP

Answer: D
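The exchange described in answer D, as an added example that is not part of the original question bank: a host broadcasts a request asking for the MAC address that owns an IP, only the owner replies, and the reply is unicast back. The hosts and addresses are constructed for the demo (documentation address space). The last function is a defensive check a practitioner would want to see, because ARP has no authentication and most stacks accept replies they never asked for, which is what ARP cache poisoning relies on:

```python
import struct

ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4, HLEN, PLEN = 1, 0x0800, 6, 4
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(octet) for octet in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826 field order).
    A request is broadcast, because the asker does not yet know the owner's MAC;
    a reply is unicast back to the requester."""
    eth_dst = BROADCAST_MAC if op == OP_REQUEST else target_mac
    ethernet = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, HLEN, PLEN, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return ethernet + arp


def parse_arp(frame):
    """Decode a frame produced by build_arp (or captured off the wire) into a dict."""
    eth_dst, eth_src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, HLEN, PLEN):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:22 + 2 * (hlen + plen)]
    if len(body) != 2 * (hlen + plen):
        raise ValueError("truncated ARP packet")
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
        "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20]),
    }


def answer_request(frame, my_mac, my_ip):
    """What every host does with a broadcast request: reply only if the asked-for IP is its own."""
    pkt = parse_arp(frame)
    if pkt["op"] != OP_REQUEST or pkt["target_ip"] != my_ip:
        return None
    return build_arp(OP_REPLY, my_mac, my_ip, pkt["sender_mac"], pkt["sender_ip"])


def reply_is_solicited(frame, outstanding_ips):
    """Defensive check: accept a reply only for an IP we actually asked about.
    Unsolicited replies are accepted by most stacks, which is what ARP cache poisoning relies on."""
    pkt = parse_arp(frame)
    return pkt["op"] == OP_REPLY and pkt["sender_ip"] in outstanding_ips


if __name__ == "__main__":
    # Constructed hosts for the demo (documentation addresses, not from the original page).
    asker_mac, asker_ip = "02:00:00:00:00:0a", "192.0.2.10"
    owner_mac, owner_ip = "02:00:00:00:00:14", "192.0.2.20"
    request = build_arp(OP_REQUEST, asker_mac, asker_ip, ZERO_MAC, owner_ip)
    print("request:", parse_arp(request))
    print("bystander answers:", answer_request(request, "02:00:00:00:00:1e", "192.0.2.30"))
    reply = answer_request(request, owner_mac, owner_ip)
    print("reply:", parse_arp(reply))
    print("solicited:", reply_is_solicited(reply, {owner_ip}))
```

The request carries an all-zero target MAC because that field is what the asker is trying to learn; the bystander at 192.0.2.30 sees the broadcast but returns nothing, and the owner's reply is addressed directly to the asker's MAC.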

Q575 - It is a short-range wireless communication technology that allows mobile phones, computers and other devices to connect and communicate. This technology is intended to replace the cables connecting portable devices, with a high regard for security.

  1. Bluetooth
  2. Radio-Frequency Identification
  3. WLAN
  4. InfraRed

Answer: A

Q576 - What is the benefit of performing an unannounced Penetration Testing?

  1. The tester will have an actual security posture visibility of the target network.
  2. Network security would be in a "best state" posture.
  3. It is best to catch critical infrastructure unpatched.
  4. The tester could not provide an honest analysis.

Answer: A

Q577 - A hacker was able to easily gain access to a website. He was able to log in via the frontend user login form of the website using default or commonly used credentials. This exploitation is an example of what Software design flaw?

  1. Insufficient security management
  2. Insufficient database hardening
  3. Insufficient input validation
  4. Insufficient exception handling

Answer: B

Q578 - When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following?

  1. Drops the packet and moves on to the next one
  2. Continues to evaluate the packet until all rules are checked
  3. Stops checking rules, sends an alert, and lets the packet continue
  4. Blocks the connection with the source IP address in the packet

Answer: B

Q579 - If there is an Intrusion Detection System (IDS) on the intranet, which port scanning technique cannot be used?

  1. Spoof Scan
  2. TCP Connect scan
  3. TCP SYN
  4. Idle Scan

Answer: C

Q580 - You are performing information gathering for an important penetration test. You have found pdf, doc, and images in your objective. You decide to extract metadata from these files and analyze it. What tool will help you with the task?

  1. Metagoofil
  2. Armitage
  3. Dimitry
  4. cdpsnarf

Answer: A

Q581 - The network administrator contacts you and tells you that she noticed the temperature on the internal wireless router increases by more than 20% during weekend hours when the office was closed. She asks you to investigate the issue because she is busy dealing with a big conference and she doesn't have time to perform the task. What tool can you use to view the network traffic being sent and received by the wireless router?

  1. Wireshark
  2. Nessus
  3. Netcat
  4. Netstat

Answer: A

Q582 - This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools. Which of the following tools is being described?

  1. Aircrack-ng
  2. Airguard
  3. WLAN-crack
  4. wificracker

Answer: A

Q583 - An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com", that the user is directed to a phishing site. Which file does the attacker need to modify?

  1. Hosts
  2. Sudoers
  3. Boot.ini
  4. Networks

Answer: A

Q584 - Bob is going to perform an active session hijack against Brownies Inc. He has found a target that allows session oriented connections (Telnet) and performs the sequence prediction on the target operating system. He manages to find an active session due to the high level of traffic on the network. What is Bob supposed to do next?

  1. Take over the session
  2. Reverse sequence prediction
  3. Guess the sequence numbers
  4. Take one of the parties offline

Answer: C

Q585 - The security concept of "separation of duties" is most similar to the operation of which type of security device?

  1. Firewall
  2. Bastion host
  3. Intrusion Detection System
  4. Honeypot

Answer: A

Q586 - From the following table, identify the wrong answer in terms of Range (ft).

  1. 802.11b
  2. 802.11g
  3. 802.16(WiMax)
  4. 802.11a

Answer: D

Q587 - You've just been hired to perform a pen test on an organization that has been subjected to a large-scale attack. The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate risk. What is one of the first things you should do when given the job?

  1. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable levels.
  2. Interview all employees in the company to rule out possible insider threats.
  3. Establish attribution to suspected attackers.
  4. Start the wireshark application to start sniffing network traffic.

Answer: A

Q588 - Why are containers less secure than virtual machines?

  1. The host OS under containers has a larger attack surface.
  2. Containers may fill up the host's disk space.
  3. A compromised container may cause CPU starvation on the host.
  4. Containers are attached to the same virtual network.

Answer: A

Q589 - To maintain compliance with regulatory requirements, a security audit of the systems on a network must be performed to determine their compliance with security policies. Which one of the following tools would most likely be used in such an audit?

  1. Vulnerability scanner
  2. Protocol analyzer
  3. Port scanner
  4. Intrusion Detection System

Answer: A

Q590 - You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters. With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results?

  1. Online Attack
  2. Dictionary Attack
  3. Brute Force Attack
  4. Hybrid Attack

Answer: D
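A hybrid attack against NTLM hashes, as an added example that is not part of the original question bank. It takes dictionary words, applies the manglings people use to satisfy a complexity policy (case changes, leet substitutions, appended digits and years, a trailing symbol), and prunes every candidate that cannot meet the policy from the question before hashing it, so the policy that was meant to strengthen passwords also shrinks the search space. MD4 is written out in pure Python because hashlib's MD4 is not available on every OpenSSL build. The wordlist and target hashes are constructed for the demo (the hashes are produced here from chosen plaintexts; on an engagement you would only have the hashes). LM hashes, which a Windows 2000 domain controller may also store, are not covered:

```python
import struct


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; NTLM is MD4 over the UTF-16LE password."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64) + struct.pack("<Q", bit_len)
    round3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + h(b, c, d) + x[round3_order[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def ntlm(password: str) -> str:
    return md4(password.encode("utf-16le")).hex()


def meets_policy(candidate: str) -> bool:
    """The policy from the question: at least 8 chars and 3 of 4 classes (lower, upper, digit, special)."""
    if len(candidate) < 8:
        return False
    classes = (any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate))
    return sum(classes) >= 3


LEET = str.maketrans("aeios", "43105")
SUFFIXES = [""] + [str(n) for n in range(100)] + ["123", "1234", "2019", "2020", "2021"]
TAILS = ["", "!", "@", "#", "$"]


def hybrid_candidates(words):
    """Dictionary words plus the manglings people use to satisfy complexity policies."""
    seen = set()
    for word in words:
        bases = (word.lower(), word.capitalize(), word.upper(), word.capitalize().translate(LEET))
        for base in bases:
            for suffix in SUFFIXES:
                for tail in TAILS:
                    candidate = base + suffix + tail
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate


def hybrid_crack(hashes, words, policy=meets_policy):
    """hashes: {username: ntlm_hex}. Returns ({username: plaintext}, hashes_computed, candidates_skipped).
    Candidates that cannot satisfy the known policy are skipped before hashing."""
    by_hash = {}
    for user, digest in hashes.items():
        by_hash.setdefault(digest.lower(), []).append(user)
    found, computed, skipped = {}, 0, 0
    for candidate in hybrid_candidates(words):
        if not policy(candidate):
            skipped += 1
            continue
        computed += 1
        for user in by_hash.get(ntlm(candidate), ()):
            found[user] = candidate
        if len(found) == len(hashes):
            break
    return found, computed, skipped


# Constructed demo data: a wordlist of guessable terms and target hashes produced here from
# plaintexts chosen for the demo (not from the original page).
WORDLIST = ["password", "welcome", "summer", "brownies"]
TARGET_HASHES = {
    "alice": ntlm("Password1"),
    "bob": ntlm("Brownies2020!"),
    "carol": ntlm("W3lc0m3!"),
    "dave": ntlm("Tr0ub4dor&3"),  # not derivable from the wordlist: stays uncracked
}

if __name__ == "__main__":
    found, computed, skipped = hybrid_crack(TARGET_HASHES, WORDLIST)
    print(f"cracked {len(found)}/{len(TARGET_HASHES)} after {computed} hashes, "
          f"{skipped} candidates pruned by policy")
    for user, pw in sorted(found.items()):
        print(f"  {user}: {pw}")
```

Pure dictionary words such as "password" never reach the hash function because they fail the policy, and pure brute force over eight or more characters is out of reach at this speed; the mangling rules sit between the two, which is why the hybrid attack is the fastest one that still returns results here.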

Q591 - When you are collecting information to perform a data analysis, Google commands are very useful to find sensitive information and files. These files may contain information about passwords, system functions, or documentation. What command will help you to search files using Google as a search engine?

  1. site: target.com filetype:xls username password email
  2. inurl: target.com filename:xls username password email
  3. domain: target.com archive:xls username password email
  4. site: target.com file:xls username password email

Answer: A

Q592 - Which Metasploit Framework tool can help a penetration tester evade anti-virus systems?

  1. msfpayload
  2. msfcli
  3. msfencode
  4. msfd

Answer: C

Q593 - Sandra has been actively scanning the client network on which she is doing a vulnerability assessment test. While conducting a port scan she notices open ports in the range of 135 to 139. What protocol is most likely to be listening on those ports?

  1. Finger
  2. FTP
  3. Samba
  4. SMB

Answer: D

Q594 - At a Windows Server command prompt, which command could be used to list the running services?

  1. Sc query type= running
  2. Sc query \\servername
  3. Sc query
  4. Sc config

Answer: C

Q595 - The fundamental difference between symmetric and asymmetric key cryptographic systems is that symmetric key cryptography uses which of the following?

  1. Multiple keys for non-repudiation of bulk data
  2. Different keys on both ends of the transport medium
  3. Bulk encryption for data transmission over fiber
  4. The same key on each end of the transmission medium

Answer: D

Q596 - What mechanism in Windows prevents a user from accidentally executing a potentially malicious batch (.bat) or PowerShell (.ps1) script?

  1. User Access Control (UAC)
  2. Data Execution Prevention (DEP)
  3. Address Space Layout Randomization (ASLR)
  4. Windows firewall

Answer: A

Q597 - Knowing the nature of backup tapes, which of the following is the MOST RECOMMENDED way of storing backup tapes?

  1. In a cool dry environment
  2. Inside the data center for faster retrieval in a fireproof safe
  3. In a climate controlled facility offsite
  4. On a different floor in the same building

Answer: C

Q598 - Which of the following tools would MOST LIKELY be used to perform a security audit on various forms of network systems?

  1. Intrusion Detection System
  2. Vulnerability scanner
  3. Port scanner
  4. Protocol analyzer

Answer: B

Q599 - A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set:

The engineer wants to configure remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ. Which rule would best fit this requirement?

  1. Permit 217.77.88.0/24 11.12.13.0/24 RDP 3389
  2. Permit 217.77.88.12 11.12.13.50 RDP 3389
  3. Permit 217.77.88.12 11.12.13.0/24 RDP 3389
  4. Permit 217.77.88.0/24 11.12.13.50 RDP 3389

Answer: B

Q600 - A consultant has been hired by the V.P. of a large financial organization to assess the company's security posture. During the security testing, the consultant comes across child pornography on the V.P.'s computer. What is the consultant's obligation to the financial organization?

  1. Say nothing and continue with the security testing.
  2. Stop work immediately and contact the authorities.
  3. Delete the pornography, say nothing, and continue security testing.
  4. Bring the discovery to the financial organization's human resource department.

Answer: B