Certified Ethical Hacker Exam 312-50v12

Questions and Answers

Which of the following best describes a counter-based authentication system?

A biometric system that bases authentication decisions on physical attributes.

An authentication system that uses passphrases that are converted into virtual passwords.

An authentication system that creates one-time passwords that are encrypted with secret keys. (correct)

A biometric system that bases authentication decisions on behavioral attributes.

What term is commonly used when referring to testing a software program with invalid input to attempt to crash it?

Bounding

Fuzzing (correct)

Mutating

Randomizing

Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?

AH Tunnel mode

ESP confidential

AH promiscuous

ESP transport mode (correct)

What is the first step followed by Vulnerability Scanners for scanning a network?

Checking if the remote host is alive

What type of attack does the log extract describe?

Unicode Directory Traversal Attack

Which of the following is not a Bluetooth attack?

Bluedriving

What testing method was used when an employee was tricked into opening links that contained malware?

Social engineering

What kind of vulnerability must be present to make the remote attack possible?

File system permissions

What does a firewall check to prevent particular ports and applications from getting packets into an organization?

Transport layer port numbers and application layer headers

Which of the following tools is used to detect wireless LANs using the 802.11a/b/g/n WLAN standards on a Linux platform?

Kismet

What type of key does the Heartbleed bug leave exposed to the Internet, making exploitation of any compromised system very easy?

Private

Which system consists of a publicly available set of databases that contain domain name registration contact information?

WHOIS

Which of the following is assured by the use of a hash?

Integrity

Choose the exploit against which the given snort rule applies.

MS Blaster

Identify the UDP port that Network Time Protocol (NTP) uses as its primary means of communication.

123

How did the attacker accomplish the hack on the Mason Insurance website?

DNS poisoning

What may be the problem if some websites are not accessible using the URL but can be accessed using the IP address?

Traffic is blocked on UDP Port 53

If a token and 4-digit PIN are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?

Brute force

What did the following commands determine?

That the true administrator is Joe

What does the –oX flag do in an Nmap scan?

Output the results in XML format to a file

What would be the most effective method to bridge the knowledge gap between 'black' hats and 'white' hats?

Educate everyone with books, articles and training on risk analysis, vulnerabilities and safeguards.

What is the recommended architecture for deploying a new web-based software package that requires three separate servers?

A web server facing the Internet, an application server on the internal network, a database server on the internal network

Which of the following Linux commands will resolve a domain name into an IP address?

host -t a hackeddomain.com

What can be said about Bob's conclusion that a DMZ is not needed if a firewall is properly configured?

Bob is totally wrong. DMZ is always relevant when the company has internet servers and workstations.

Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network?

Static Network Address Translation

Which type of security feature stops vehicles from crashing through the doors of a building?

Bollards

The collection of potentially actionable, overt, and publicly available information is known as?

Open-source intelligence

At what layer of the OSI model does the encryption and decryption of the message take place?

Presentation

Which other option could the tester use to get a response from a host using TCP?

Hping

What does receiving the email message prove about CompanyXYZ’s email gateway?

Email Spoofing

What Nmap script will help you detect HTTP methods available on a web server?

http-methods

Which risk decision will be the best for the project's successful continuation with the most business profit?

Accept the risk

What is the TTL in the SOA record 'Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400)?'

2400

Under what conditions does a secondary name server request a zone transfer from a primary name server?

When a primary SOA is higher than a secondary SOA

Which of the following programs is usually targeted at Microsoft Office products?

Macro virus

Which of the following is a component of a risk assessment?

Administrative safeguards

Which tool can be used to perform session splicing attacks?

Whisker

Which of the following tools can be used to perform a zone transfer?

Sam Spade

What is the name of the attack mentioned in the scenario where an attacker uses a transparent iframe?

Clickjacking Attack

Which regulation defines security and privacy controls for Federal information systems and organizations?

NIST-800-53

What is being described when a network interface passes all traffic it receives to the CPU?

Promiscuous mode

PGP, SSL, and IKE are all examples of which type of cryptography?

Public Key

Which of the following program infects the system boot sector and the executable files at the same time?

Multipartite Virus

Which of the following represents the initial two commands that an IRC client sends to join an IRC network?

USER, NICK

What is a possible source of the problem when a wireless client can see the network but cannot connect?

The WAP does not recognize the client’s MAC address

What is the proper response for a NULL scan if the port is open?

No response

What is not a PCI compliance recommendation?

Rotate employees handling credit card transactions on a yearly basis to different departments.

What is the name of the command used by SMTP to transmit email over TLS?

STARTTLS

What kind of attack is Susan carrying on when she synchronizes her boss's sessions and intercepts his traffic?

A man in the middle attack

What type of authentication factors does Steve's technological solution implement?

The solution implements the two authentication factors: physical object and physical characteristic

What should Bob do to avoid students connecting their notebooks to the wired network?

Use the 802.1x protocol

Which incident handling process phase is responsible for defining rules, collaborating, creating backup plans, and testing plans?

Preparation phase

Why is a penetration test considered to be more thorough than a vulnerability scan?

A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a vulnerability scan does not typically involve active exploitation.

What should you do if you discover information suggesting your client is involved with human trafficking during a security assessment?

Immediately stop work and contact the proper legal authorities.

What is the Shellshock bash vulnerability attempting to do on a vulnerable Linux host?

Display passwd content to prompt

Based on the extract from the log of a compromised machine, what is the hacker really trying to steal?

SAM file

........is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises.

Evil Twin Attack

A zone file consists of which of the following Resource Records (RRs)?

SOA, NS, A, and MX records

The time a hacker spends performing research to locate this information about a company is known as?

Reconnaissance

What Wireshark filter will show the connections from the snort machine to kiwi syslog machine?

tcp.dstport==514 && ip.dst==192.168.0.150

Which results will be returned with the following Google search query? site:target.com – site:Marketing.target.com accounting

Results matching 'accounting' in domain target.com but not on the site Marketing.target.com.

Which hacking process is Peter doing when searching for information about DX Company?

Footprinting

What type of firewall is inspecting outbound traffic when outbound HTTP traffic is unimpeded but IRC traffic is blocked?

Application

Which command can be used as a display filter to find unencrypted file transfers?

tcp.port == 21

What kind of detection techniques is being used in antivirus software that identifies malware by collecting data from multiple protected systems?

Cloud based

What is the purpose of a demilitarized zone on a network?

To only provide direct access to the nodes within the DMZ and protect the network behind it

What is the proper response for a NULL scan if the port is closed?

RST

What is the best Nmap command to quickly enumerate all machines in the network 10.10.0.0/24?

nmap -T4 -F 10.10.0.0/24

Which of the following statements about a zone transfer is correct? (Choose three.)

A zone transfer is accomplished with the DNS

What is the purpose of the command 'net use \targetipc$ "" /u:""'?

This command is used to connect as a null session

Which tool did the hacker probably use to inject HTML code during an MITM attack?

Ettercap

What will an attacker do next if he has launched a successful STP manipulation attack?

He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer.

What has occurred if a computer is able to transfer files locally but cannot reach the Internet?

The gateway is not routing to a public IP address.

What term describes the amount of risk that remains after the vulnerabilities are classified and the countermeasures have been deployed?

Residual risk

Why would you consider sending an email to an address that does not exist within a company you are testing?

To elicit a response back that will reveal information about email servers and how they treat undeliverable mail.

Which DNS resource record indicates how long any 'DNS poisoning' could last?

SOA

What means can Bob adopt to retrieve passwords from client hosts and servers?

Hardware, Software, and Sniffing.

Which layer 3 protocol allows for end-to-end encryption of FTP connections?

IPsec

Which Intrusion Detection System is ideal for observing sensitive network segments?

Network-based Intrusion Detection System (NIDS)

Which algorithms can guarantee the integrity of messages?

Hashing algorithms

What type of vulnerability is present if modifying parameters in the URL affects the displayed data?

Web Parameter Tampering

Which method of password cracking takes the most time and effort?

Brute force

Why should the security analyst disable/remove unnecessary ISAPI filters?

To defend against web server attacks

What can the CFO use to ensure the integrity of financial statements sent to an accountant?

The CFO can use a hash algorithm in the document once he approved the financial statements.

What is a ‘Collision attack’ in cryptography?

Collision attacks try to find two inputs producing the same hash

Which network tool can determine if captured packets are malicious or a false positive?

Protocol analyzer

From the provided SIDs list, identify the user account with System Administrator privileges.

Chang

What two conditions must a digital signature meet?

Has to be unforgeable, and has to be authentic.

Which statement is true regarding the text message Bob received?

This is a scam as everybody can get a @yahoo address, not the Yahoo customer service employees.

Which of the following tools performs comprehensive tests against web servers, including dangerous files and CGIs?

Nikto

What tool should the analyst use to perform a Blackjacking attack?

BBProxy

What sort of security breach is the policy attempting to mitigate if all web browsers must automatically delete their HTTP browser cookies upon termination?

Attempts by attackers to access web sites that trust the web browser user by stealing the user’s authentication credentials.

What type of attack occurs when Eric relays information between two entities without either party noticing?

Man-in-the-middle

What is the best approach for discovering vulnerabilities on a Windows-based computer?

Use a scan tool like Nessus

Which TCP and UDP ports must you filter to check null sessions on your network?

139 and 445

Which tools would be effective for SNMP enumeration?

SNMPUtil

What is the minimum number of network connections in a multihomed firewall?

3

What is one of the advantages of using both symmetric and asymmetric cryptography in SSL/TLS?

Supporting both types of algorithms allows less-powerful devices such as mobile phones to use symmetric encryption instead.

Which of the following tools can be used for passive OS fingerprinting?

tcpdump

What type of alert is logged when an external router is accessed by the administrator’s computer to update the router configuration?

False positive

Which security feature on switches leverages the DHCP snooping database to help prevent man-in-the-middle attacks?

Dynamic ARP Inspection (DAI)

What is the known plaintext attack used against DES which shows that encrypting plaintext with one DES key followed by encrypting it with a second DES key is no more secure than using a single key?

Meet-in-the-middle attack

What can a network admin do to prevent ARP spoofing or poisoning?

Use port security on switches.

How long will the secondary servers attempt to contact the primary server before they consider the zone dead?

One week

What is the first step that the bank should take before enabling the audit feature?

Determine the impact of enabling the audit feature.

Which command line packet analyzer is similar to GUI-based Wireshark?

tcpdump

Which tools would be effective for enumeration? (Choose three.)

SID2USER

What is the role of test automation in security testing?

It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace manual testing completely.

What is meant by a 'rubber-hose' attack in cryptanalysis?

Extraction of cryptographic secrets through coercion or torture.

What is the best security policy concerning a secured data center housing network elements?

Network elements must be hardened with user ids and strong passwords. Regular security tests and audits should be performed.

What is the version in the following SOA record: Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400)?

200303028

By using a smart card and PIN, you are using a two-factor authentication that satisfies:

Something you have and something you know

Study Notes

Certified Ethical Hacker Exam (CEHv12) Overview

• Exam code for certification: 312-50v12
• Total number of questions: 572
• Contact for support: [email protected]

Exam Topic Breakdown

• Topic 1 (Exam Pool A): 141 questions
• Topic 2 (Exam Pool B): 182 questions
• Topic 3 (Exam Pool C): 249 questions

OSI Model and Encryption

• Encryption occurs at the Presentation Layer (Layer 6) of the OSI model, responsible for data formatting and translation.
• Decryption also takes place within the presentation layer, handling data received by applications.

Network Testing and Pinging

• When ICMP is disabled and TCP is used, Hping can be employed as an alternative to receive responses from hosts.

Email Security Assessments

• Email spoofing is when a malicious sender fabricates an email header to appear as though it originated from a legitimate source.
• Testing email gateways is crucial to ensure they can detect and prevent email spoofing.

HTTP Methods and Nmap

• Common HTTP methods: GET, POST, PUT, DELETE, among others.
• Nmap's http-methods script detects available HTTP methods on a web server.

Risk Management in Security

• Risk Acceptance is preferable when risk levels drop below the company’s risk threshold after mitigation efforts.
• Different strategies include Risk Mitigation, Avoidance, Limitation, and Transference, each with distinct approaches to handling risks.

Domain Name System (DNS) Records

• When analyzing SOA (Start of Authority) records, the Time to Live (TTL) indicates how long the data remains valid.
• A secondary name server requests a zone transfer when the primary SOA record has a higher version identifier.

Malware and Security Threats

• Macro viruses specifically target Microsoft Office applications, executing automatically when infected documents are opened.
• Clickjacking is an attack tricking users into clicking on transparent links, redirecting them to malicious sites.

Federal Security Regulations

• NIST-800-53 regulates security and privacy controls for federal information systems and organizations in the U.S.

Network Interface Modes

• Promiscuous mode allows a network interface to pass all traffic to the CPU instead of just intended frames, useful for monitoring.

Cryptography Types

• PGP, SSL, and IKE are examples of Public Key cryptography, utilized for secure communications.

Network Traffic Analysis

• To identify unencrypted file transfers, use the Wireshark display filter tcp.port == 21 for FTP traffic.

Detection Techniques in Antivirus Software

• Cloud-based detection identifies malware through data analysis from protected systems, enabling real-time threat detection and response.

Demilitarized Zones (DMZs)

• A DMZ serves to protect internal networks while allowing controlled access to nodes within the DMZ itself.

Nmap and Network Enumeration

• The optimal Nmap command for quick enumeration of machines on the same network: nmap -T4 -F 10.10.0.0/24.### Nmap Scanning
• nmap -T4 -O 10.10.0.0/24 command used for fast, aggressive scanning with OS detection.
• The -T flag adjusts scan speed from 0 (paranoid) to 5 (insane), impacting stealth and performance.
• The -F option reduces scanned ports from 1000 to 100 for a faster scan.

Zone Transfers

• Zone transfers are DNS operations that transfer all zone information from a primary to a secondary DNS server.
• Can be prevented by blocking inbound TCP connections on port 53.

Null Session Connections

• Command net use \targetipc$ "" /u:"" is a method to create a null session connection.
• Null session allows unauthenticated access to an NT or Windows 2000 machine.

Man-in-the-Middle (MITM) Attacks

• Attackers can use tools like Ettercap to inject malicious code into HTTP traffic through MITM attacks.
• MITM utilizes rogue access points to manipulate traffic between users and servers.

STP Manipulation

• Attacker can perform Spanning Tree Protocol (STP) manipulation to redirect network traffic after gaining access to internal networks.

Wireless Connection Issues

• A failure to connect to the internet while local file transfers can occur may suggest that gateways are not routing properly to public IP addresses.

Risk Management

• The concept of residual risk refers to the remaining risk after vulnerabilities are addressed and countermeasures are applied.

Email Testing in Penetration Testing

• Sending emails to non-existent addresses can reveal information about email server treatment of undeliverable mail, aiding security assessments.

Digital Signature Integrity

• Digital signatures must be unforgeable and authentic to ensure document integrity.

Vulnerability Detection Tools

• Nikto is a comprehensive web server vulnerability scanner capable of identifying dangerous files and CGIs.

Encryption Protocols

• IPsec is an effective layer 3 protocol that provides encryption for FTP and other connections, ensuring secure communications.

Cryptography and Hashing

• Collision attacks in cryptography aim to find two inputs that produce the same hash output.

Intrusion Detection Systems (IDS)

• Network-based IDS (NIDS) is particularly effective in large environments for monitoring sensitive network segments.

Password Cracking Methods

• Brute force attacks take the most effort and time, testing every possible combination until the correct one is found.

HTTP Cookie Security

• Policies to delete HTTP cookies upon browser closure are aimed at mitigating risks related to stolen authentication credentials.

Dsniff Tool Usage

• Dsniff can intercept communications, allowing an attacker to relay information unnoticed, demonstrating a man-in-the-middle attack.

Vulnerability Assessment Best Practices

• Utilizing dedicated scanning tools, like Nessus, is best for identifying vulnerabilities on Windows-based systems.### SNMP Enumeration Tools
• Recommended tools for SNMP enumeration include SNMPUtil, SNScan, and Solarwinds IP Network Browser.

Network Connections in Multihomed Firewalls

• The minimum number of network connections required is two.

L0phtcrack and SMB Sniffing

• Kerberos usage is likely preventing the ability to capture Windows logon credentials.

SSL/TLS Cryptography

• Using both symmetric and asymmetric cryptography provides efficiency for devices with limited processing power.

Passive OS Fingerprinting

• Tcpdump is the tool utilized for passive operating system fingerprinting.

IDS Log Analysis Alerts

• An alert logged for accessing an external router during a legitimate operation is considered a false positive.

DHCP Snooping and Security Features

• Dynamic ARP Inspection (DAI) uses the DHCP snooping database to mitigate ARP spoofing attacks.

Meet-in-the-Middle Attack on DES

• A known plaintext attack demonstrating that Double DES is not more secure than using a single key is called a meet-in-the-middle attack.

Preventing ARP Spoofing

• Recommended actions to prevent ARP spoofing include using port security, monitoring with ARPwatch, and using static ARP entries.

Zone Transfer Attempt Duration

• Secondary servers will attempt to contact primary servers for up to one week before considering the zone dead.

Audit Feature Activation

• Before enabling audit features in sensitive systems, evaluate the impact of enabling them.

Command Line Packet Analyzer

• Tcpdump serves as a command line packet analyzer, similar to the GUI-based Wireshark.

Enumeration Tools

• USER2SID, SID2USER, and DumpSec are effective tools used for enumeration.

Role of Test Automation in Security Testing

• Test automation accelerates security benchmark tests but does not fully replace manual testing.

Rubber-Hose Attack

• This term refers to the extraction of cryptographic secrets through coercion or extreme pressure on individuals.

Security Policy for Data Centers

• Ensure network elements are secured with strong user IDs and regular security audits.

SOA Record Version Identification

• The version from an SOA record can be determined as 200302028.

Two-Factor Authentication

• Two-factor authentication includes something the user has (like a smart card) and something they know (like a PIN).

Vulnerability Causing Remote Attacks on FTP Servers

• Improper file system permissions can lead to unauthorized executive actions on a Linux FTP server.

Firewall Packet Checking

• Firewalls check transport layer port numbers and application layer headers to restrict packet flow.

Wireless LAN Detection Tool

• Kismet detects wireless LANs compliant with 802.11 standards on Linux platforms.

Heartbleed Bug Vulnerability

• The Heartbleed bug exposes private keys, making it easier to exploit compromised systems.

WHOIS Database

• A publicly available database holding domain name registration contact information is known as WHOIS.

Hash Function Assurance

• The use of a hash guarantees data integrity, ensuring that information has not been altered.

Snort Rule Target

• The Snort rule was designed to apply against the MS Blaster exploit.

NTP UDP Port

• The primary UDP port used by Network Time Protocol (NTP) is 123.

Description

Test your knowledge with the Certified Ethical Hacker Exam (CEHv12) quiz based on version 6.3. This quiz covers various aspects of ethical hacking, preparing you for the certification process with a range of questions. Challenge yourself and see if you're ready for this critical cybersecurity credential.