CEH_V12_vishnu_provided_dumps.pdf

Transcript

2022

Eccouncil
312-50v12 Exam
CEH

Questions & Answers
(Full Version)

Thank you for Purchasing 312-50v12 Exam
Questions and Answers PDF 1/252

Topic 1, Exam Pool A

Question: 1

User A is writing a sensitive email message to user B outside the local network. User A has chosen to
use PKI to secure his message and ensure only user B can read the sensitive email. At what layer of
the OSI layer does the encryption and decryption of the message take place?

A. Application
B. Transport
C. Session
D. Presentation

Answer: D
Explanation:

https://en.wikipedia.org/wiki/Presentation_layer
In the seven-layer OSI model of computer networking, the presentation layer is layer 6 and serves as
the data translator for the network. It is sometimes called the syntax layer. The presentation layer is
responsible for the formatting and delivery of information to the application layer for further
processing or display.
Encryption is typically done at this level too, although it can be done on the application, session,
transport, or network layers, each having its own advantages and disadvantages. Decryption is also
handled at the presentation layer. For example, when logging on to bank account sites the
presentation layer will decrypt the data as it is received.

Question: 2
A new wireless client is configured to join a 802.11 network. This client uses the same hardware and
software as many of the other clients on the network. The client can see the network, but cannot
connect. A wireless packet sniffer shows that the Wireless Access Point (WAP) is not responding to
the association requests being sent by the wireless client. What is a possible source of this problem?

A. The WAP does not recognize the client’s MAC address
B. The client cannot see the SSID of the wireless network
C. Client is configured for the wrong channel
D. The wireless client is not configured to use DHCP
Questions and Answers PDF 2/252

Answer: A
Explanation:

https://en.wikipedia.org/wiki/MAC_filtering
MAC filtering is a security method based on access control. Each address is assigned a 48-bit address,
which is used to determine whether we can access a network or not. It helps in listing a set of
allowed devices that you need on your Wi-Fi and the list of denied devices that you don’t want on
your Wi-Fi. It helps in preventing unwanted access to the network. In a way, we can blacklist or white
list certain computers based on their MAC address. We can configure the filter to allow connection
only to those devices included in the white list. White lists provide greater security than blacklists
because the router grants access only to selected devices.
It is used on enterprise wireless networks having multiple access points to prevent clients from
communicating with each other. The access point can be configured only to allow clients to talk to
the default gateway, but not other wireless clients. It increases the efficiency of access to a network.
The router allows configuring a list of allowed MAC addresses in its web interface, allowing you to
choose which devices can connect to your network. The router has several functions designed to
improve the network's security, but not all are useful. Media access control may seem advantageous,
but there are certain flaws.
On a wireless network, the device with the proper credentials such as SSID and password can
authenticate with the router and join the network, which gets an IP address and access to the
internet and any shared resources.
MAC address filtering adds an extra layer of security that checks the device’s MAC address against a
list of agreed addresses. If the client’s address matches one on the router’s list, access is granted;
otherwise, it doesn’t join the network.

Question: 3

You are tasked to perform a penetration test. While you are performing information gathering, you
find an employee list in Google. You find the receptionist’s email, and you send her an email
changing the source email to her boss’s email (boss@company). In this email, you ask for a pdf with
information. She reads your email and sends back a pdf with links. You exchange the pdf links with
your malicious links (these links contain malware) and send back the modified pdf, saying that the
links don’t work. She reads your email, opens the links, and her machine gets infected. You now have
access to the company network. What testing method did you use?

A. Social engineering
B. Piggybacking
C. Tailgating
D. Eavesdropping

Answer: A
Explanation:
Questions and Answers PDF 3/252

Social engineering is the term used for a broad range of malicious activities accomplished through
human interactions. It uses psychological manipulation to trick users into making security mistakes or
giving away sensitive information.
Social engineering attacks typically involve some form of psychological manipulation, fooling
otherwise unsuspecting users or employees into handing over confidential or sensitive data.
Commonly, social engineering involves email or other communication that invokes urgency, fear, or
similar emotions in the victim, leading the victim to promptly reveal sensitive information, click a
malicious link, or open a malicious file. Because social engineering involves a human element,
preventing these attacks can be tricky for enterprises.
Incorrect answers:
Tailgating and Piggybacking are the same thing
Tailgating, sometimes referred to as piggybacking, is a physical security breach in which an
unauthorized person follows an authorized individual to enter a secured premise.
Tailgating provides a simple social engineering-based way around many security mechanisms one
would think of as secure. Even retina scanners don't help if an employee holds the door for an
unknown person behind them out of misguided courtesy.
People who might tailgate include disgruntled former employees, thieves, vandals, mischief-makers,
and issues with employees or the company. Any of these can disrupt business, cause damage, create
unexpected costs, and lead to further safety issues.

Eavesdropping https://en.wikipedia.org/wiki/Eavesdropping
Eavesdropping is the act of secretly or stealthily listening to the private conversation or
communications of others without their consent in order to gather information. Since the beginning
of the digital age, the term has also come to hold great significance in the world of cybersecurity.
The question does not specify at what level and how this attack is used. An attacker can eavesdrop
on a conversation or use special software and obtain information on the network. There are many
options, but this is not important because the correct answer is clearly not related to information
interception.

Question: 4

If a tester is attempting to ping a target that exists but receives no response or a response that states
the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which
other option could the tester use to get a response from a host using TCP?

A. Traceroute
B. Hping
C. TCP ping
D. Broadcast ping

Answer: B
Explanation:

https://tools.kali.org/information-gathering/hping3

http://www.carnal0wnage.com/papers/LSO-Hping2-Basics.pdf
Questions and Answers PDF 4/252

Question: 5

Which is the first step followed by Vulnerability Scanners for scanning a network?

A. OS Detection
B. Firewall detection
C. TCP/UDP Port scanning
D. Checking if the remote host is alive

Answer: D
Explanation:

Vulnerability scanning solutions perform vulnerability penetration tests on the organizational
network in three steps:
1. Locating nodes: The first step in vulnerability scanning is to locate live hosts in the target network
using various scanning techniques.
2. Performing service and OS discovery on them: After detecting the live hosts in the target network,
the next step is to enumerate the open ports and services and the operating system on the target
systems.
3. Testing those services and OS for known vulnerabilities: Finally, after identifying the open services
and the operating system running on the target nodes, they are tested for known vulnerabilities.

Question: 6
Which of the following programs is usually targeted at Microsoft Office products?

A. Polymorphic virus
B. Multipart virus
C. Macro virus
D. Stealth virus

Answer: C
Explanation:

A macro virus is a virus that is written in a macro language: a programming language which is
embedded inside a software application (e.g., word processors and spreadsheet applications). Some
applications, such as Microsoft Office, allow macro programs to be embedded in documents such
that the macros are run automatically when the document is opened, and this provides a distinct
mechanism by which malicious computer instructions can spread. (Wikipedia)
NB: The virus Melissa is a well-known macro virus we could find attached to word documents.

Question: 7
A technician is resolving an issue where a computer is unable to connect to the Internet using a
wireless access point. The computer is able to transfer files locally to other machines, but cannot
Questions and Answers PDF 5/252

successfully reach the Internet. When the technician examines the IP address and default gateway
they are both on the 192.168.1.0/24. Which of the following has occurred?

A. The computer is not using a private IP address.
B. The gateway is not routing to a public IP address.
C. The gateway and the computer are not on the same network.
D. The computer is using an invalid IP address.

Answer: B
Explanation:

https://en.wikipedia.org/wiki/Private_network
In IP networking, a private network is a computer network that uses private IP address space. Both
the IPv4 and the IPv6 specifications define private IP address ranges. These addresses are commonly
used for local area networks (LANs) in residential, office, and enterprise environments.
Private network addresses are not allocated to any specific organization. Anyone may use these
addresses without approval from regional or local Internet registries. Private IP address spaces were
originally defined to assist in delaying IPv4 address exhaustion. IP packets originating from or
addressed to a private IP address cannot be routed through the public Internet.
The Internet Engineering Task Force (IETF) has directed the Internet Assigned Numbers Authority
(IANA) to reserve the following IPv4 address ranges for private networks:
· 10.0.0.0 – 10.255.255.255
· 172.16.0.0 – 172.31.255.255
· 192.168.0.0 – 192.168.255.255
Backbone routers do not allow packets from or to internal IP addresses. That is, intranet machines, if
no measures are taken, are isolated from the Internet. However, several technologies allow such
machines to connect to the Internet.
· Mediation servers like IRC, Usenet, SMTP and Proxy server
· Network address translation (NAT)
· Tunneling protocol
NOTE: So, the problem is just one of these technologies.

Question: 8

Identify the UDP port that Network Time Protocol (NTP) uses as its primary means of
communication?

A. 113
B. 69
C. 123
D. 161

Answer: C
Explanation:

https://en.wikipedia.org/wiki/Network_Time_Protocol
Questions and Answers PDF 6/252

The Network Time Protocol (NTP) is a networking protocol for clock synchronization between
computer systems over packet-switched, variable-latency data networks.
NTP is intended to synchronize all participating computers within a few milliseconds of Coordinated
Universal Time (UTC). It uses the intersection algorithm, a modified version of Marzullo's algorithm,
to select accurate time servers and is designed to mitigate variable network latency effects. NTP can
usually maintain time to within tens of milliseconds over the public Internet and achieve better than
one millisecond accuracy in local area networks. Asymmetric routes and network congestion can
cause errors of 100 ms or more.
The protocol is usually described in terms of a client-server model but can easily be used in peer-to-
peer relationships where both peers consider the other to be a potential time source.
Implementations send and receive timestamps using the User Datagram Protocol (UDP) on port
number 123.

Incorrect answers: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
19 - Character Generator Protocol (CHARGEN)
177 - X Display Manager Control Protocol (XDMCP)
161 - Simple Network Management Protocol (SNMP)

Question: 9

Which of the following tools performs comprehensive tests against web servers, including dangerous
files and CGIs?

A. Nikto
B. John the Ripper
C. Dsniff
D. Snort

Answer: A
Explanation:

https://en.wikipedia.org/wiki/Nikto_(vulnerability_scanner)
Nikto is a free software command-line vulnerability scanner that scans web servers for dangerous
files/CGIs, outdated server software, and other problems. It performs generic and server types
specific checks. It also captures and prints any cookies received. The Nikto code itself is free
software, but the data files it uses to drive the program are not.

Question: 10

An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and
Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible
breach of security. When the investigator attempts to correlate the information in all of the logs, the
sequence of many of the logged events do not match up.
What is the most likely cause?
Questions and Answers PDF 7/252

A. The network devices are not all synchronized.
B. Proper chain of custody was not observed while collecting the logs.
C. The attacker altered or erased events from the logs.

D. The security breach was a false positive.

Answer: A
Explanation:

Many network and system administrators don't pay enough attention to system clock accuracy and
time synchronization. Computer clocks can run faster or slower over time, batteries and power
sources die, or daylight-saving time changes are forgotten. Sure, there are many more pressing
security issues to deal with, but not ensuring that the time on network devices is synchronized can
cause problems. And these problems often only come to light after a security incident.
If you suspect a hacker is accessing your network, for example, you will want to analyze your log files
to look for any suspicious activity. If your network's security devices do not have synchronized times,
the timestamps' inaccuracy makes it impossible to correlate log files from different sources. Not only
will you have difficulty in tracking events, but you will also find it difficult to use such evidence in
court; you won't be able to illustrate a smooth progression of events as they occurred throughout
your network.

Question: 11

During a black-box pen test you attempt to pass IRC traffic over port 80/TCP from a compromised
web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type
of firewall is inspecting outbound traffic?

A. Circuit
B. Stateful
C. Application
D. Packet Filtering

Answer: C
Explanation:

https://en.wikipedia.org/wiki/Internet_Relay_Chat
Internet Relay Chat (IRC) is an application layer protocol that facilitates communication in text. The
Questions and Answers PDF 8/252

chat process works on a client/server networking model. IRC clients are computer programs that
users can install on their system or web-based applications running either locally in the browser or
on a third-party server. These clients communicate with chat servers to transfer messages to other
clients.
IRC is a plaintext protocol that is officially assigned port 194, according to IANA. However, running
the service on this port requires running it with root-level permissions, which is inadvisable. As a
result, the well-known port for IRC is 6667, a high-number port that does not require elevated
privileges. However, an IRC server can also be configured to run on other ports as well.
You can't tell if an IRC server is designed to be malicious solely based on port number. Still, if you see
an IRC server running on port a WKP such as 80, 8080, 53, 443, it's almost always going to be
malicious; the only real reason for IRCD to be running on port 80 is to try to evade firewalls.
https://en.wikipedia.org/wiki/Application_firewall
An application firewall is a form of firewall that controls input/output or system calls of an
application or service. It operates by monitoring and blocking communications based on a configured
policy, generally with predefined rule sets to choose from. The application firewall can control
communications up to the OSI model's application layer, which is the highest operating layer, and
where it gets its name. The two primary categories of application firewalls are network-based and
host-based.
Application layer filtering operates at a higher level than traditional security appliances. This allows
packet decisions to be made based on more than just source/destination IP Addresses or ports. It can
also use information spanning across multiple connections for any given host.

Network-based application firewalls
Network-based application firewalls operate at the application layer of a TCP/IP stack. They can
understand certain applications and protocols such as File Transfer Protocol (FTP), Domain Name
System (DNS), or Hypertext Transfer Protocol (HTTP). This allows it to identify unwanted applications
or services using a non-standard port or detect if an allowed protocol is being abused.

Host-based application firewalls
A host-based application firewall monitors application system calls or other general system
communication. This gives more granularity and control but is limited to only protecting the host it is
running on. Control is applied by filtering on a per-process basis. Generally, prompts are used to
define rules for processes that have not yet received a connection. Further filtering can be done by
examining the process ID of the owner of the data packets. Many host-based application firewalls are
combined or used in conjunction with a packet filter.

Question: 12
By using a smart card and pin, you are using a two-factor authentication that satisfies

A. Something you are and something you remember
B. Something you have and something you know
C. Something you know and something you are
D. Something you have and something you are

Answer: B
Explanation:
Questions and Answers PDF 9/252

Two-factor Authentication or 2FA is a user identity verification method, where two of the three
possible authentication factors are combined to grant access to a website or application.1)
something the user knows, 2) something the user has, or 3) something the user is.
The possible factors of authentication are:
· Something the User Knows:
This is often a password, passphrase, PIN, or secret question. To satisfy this authentication challenge,
the user must provide information that matches the answers previously provided to the organization
by that user, such as “Name the town in which you were born.”
· Something the User Has:
This involves entering a one-time password generated by a hardware authenticator. Users carry
around an authentication device that will generate a one-time password on command. Users then
authenticate by providing this code to the organization. Today, many organizations offer software
authenticators that can be installed on the user’s mobile device.
· Something the User Is:
This third authentication factor requires the user to authenticate using biometric data. This can
include fingerprint scans, facial scans, behavioral biometrics, and more.
For example: In internet security, the most used factors of authentication are:
something the user has (e.g., a bank card) and something the user knows (e.g., a PIN code). This is
two-factor authentication. Two-factor authentication is also sometimes referred to as strong
authentication, Two-Step Verification, or 2FA.
The key difference between Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA)
is that, as the term implies, Two-Factor Authentication utilizes a combination of two out of three
possible authentication factors. In contrast, Multi-Factor Authentication could utilize two or more of
these authentication factors.

Question: 13
“.......is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on
the premises, but actually has been set up to eavesdrop on wireless communications. It is the
wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or
mobile phone to a tainted hot-spot by posing as a legitimate provider. This type of attack may be
used to steal the passwords of

unsuspecting users by either snooping the communication link or by phishing, which involves setting
up a fraudulent web site and luring people there.”

Fill in the blank with appropriate choice.

A. Evil Twin Attack
B. Sinkhole Attack
C. Collision Attack
D. Signal Jamming Attack

Answer: A
Explanation:

https://en.wikipedia.org/wiki/Evil_twin_(wireless_networks)
An evil twin attack is a hack attack in which a hacker sets up a fake Wi-Fi network that looks like a
Questions and Answers PDF 10/252

legitimate access point to steal victims’ sensitive details. Most often, the victims of such attacks are
ordinary people like you and me.
The attack can be performed as a man-in-the-middle (MITM) attack. The fake Wi-Fi access point is
used to eavesdrop on users and steal their login credentials or other sensitive information. Because
the hacker owns the equipment being used, the victim will have no idea that the hacker might be
intercepting things like bank transactions.
An evil twin access point can also be used in a phishing scam. In this type of attack, victims will
connect to the evil twin and will be lured to a phishing site. It will prompt them to enter their
sensitive data, such as their login details. These, of course, will be sent straight to the hacker. Once
the hacker gets them, they might simply disconnect the victim and show that the server is
temporarily unavailable.
ADDITION: It may not seem obvious what happened. The problem is in the question statement. The
attackers were not Alice and John, who were able to connect to the network without a password, but
on the contrary, they were attacked and forced to connect to a fake network, and not to the real
network belonging to Jane.

Question: 14

What term describes the amount of risk that remains after the vulnerabilities are classified and the
countermeasures have been deployed?

A. Residual risk
B. Impact risk
C. Deferred risk
D. Inherent risk

Answer: A
Explanation:

https://en.wikipedia.org/wiki/Residual_risk
The residual risk is the risk or danger of an action or an event, a method or a (technical) process that,
although being abreast with science, still conceives these dangers, even if all theoretically possible
safety measures would be applied (scientifically conceivable measures); in other words, the amount
of risk left over after natural or inherent risks have been reduced by risk controls.
· Residual risk = (Inherent risk) – (impact of risk controls)

Question: 15

Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small sized
packets to the target computer, making it very difficult for an IDS to detect the attack signatures.
Which tool can be used to perform session splicing attacks?

A. tcpsplice
Questions and Answers PDF 11/252

B. Burp
C. Hydra
D. Whisker

Answer: D
Explanation:

«Many IDS reassemble communication streams; hence, if a packet is not received within a
reasonable period, many IDS stop reassembling and handling that stream. If the application under
attack keeps a session active for a longer time than that spent by the IDS on reassembling it, the IDS
will stop. As a result, any session after the IDS stops reassembling the sessions will be susceptible to
malicious data theft by attackers. The IDS will not log any attack attempt after a successful splicing
attack. Attackers can use tools such as Nessus for session splicing attacks.»
Did you know that the EC-Council exam shows how well you know their official book? So, there is no
"Whisker" in it. In the chapter "Evading IDS" -> "Session Splicing", the recommended tool for
performing a session-splicing attack is Nessus. Where Wisker came from is not entirely clear, but I
will assume the author of the question found it while copying Wikipedia.
https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques
One basic technique is to split the attack payload into multiple small packets so that the IDS must
reassemble the packet stream to detect the attack. A simple way of splitting packets is by
fragmenting them, but an adversary can also simply craft packets with small payloads. The 'whisker'
evasion tool calls crafting packets with small payloads 'session splicing'.
By itself, small packets will not evade any IDS that reassembles packet streams. However, small
packets can be further modified in order to complicate reassembly and detection. One evasion
technique is to pause between sending parts of the attack, hoping that the IDS will time out before
the target computer does. A second evasion technique is to send the packets out of order, confusing
simple packet re-assemblers but not the target computer.
NOTE: Yes, I found scraps of information about the tool that existed in 2012, but I can not give you
unverified information. According to the official tutorials, the correct answer is Nessus, but if you
know anything about Wisker, please write in the QA section. Maybe this question will be updated
soon, but I'm not sure about that.

Question: 16

You have successfully comprised a server having an IP address of 10.10.0.5. You would like to
enumerate all machines in the same network quickly.
What is the best Nmap command you will use?

A. nmap -T4 -q 10.10.0.0/24
B. nmap -T4 -F 10.10.0.0/24
C. nmap -T4 -r 10.10.1.0/24
D. nmap -T4 -O 10.10.0.0/24

Answer: B
Explanation:

https://nmap.org/book/man-port-specification.html
Questions and Answers PDF 12/252

NOTE: In my opinion, this is an absolutely wrong statement of the question. But you may come
across a question with a similar wording on the exam. What does "fast" mean? If we want to increase
the speed and intensity of the scan we can select the mode using the -T flag (0/1/2/3/4/5). At high -T
values, we will sacrifice stealth and gain speed, but we will not limit functionality.
«nmap -T4 -F 10.10.0.0/24» This option is "correct" because of the -F flag.
-F (Fast (limited port) scan)
Specifies that you wish to scan fewer ports than the default. Normally Nmap scans the most common
1,000 ports for each scanned protocol. With -F, this is reduced to 100.
Technically, scanning will be faster, but just because we have reduced the number of ports by 10
times, we are just doing 10 times less work, not faster.

Question: 17
Which of the following is the BEST way to defend against network sniffing?

A. Using encryption protocols to secure network communications
B. Register all machines MAC Address in a Centralized Database
C. Use Static IP Address
D. Restrict Physical Access to Server Rooms hosting Critical Servers

Answer: A
Explanation:

https://en.wikipedia.org/wiki/Sniffing_attack
To prevent networks from sniffing attacks, organizations and individual users should keep away from
applications using insecure protocols, like basic HTTP authentication, File Transfer Protocol (FTP), and
Telnet. Instead, secure protocols such as HTTPS, Secure File Transfer Protocol (SFTP), and Secure Shell
(SSH) should be preferred. In case there is a necessity for using any insecure protocol in any
application, all the data transmission should be encrypted. If required, VPN (Virtual Private
Networks) can be used to provide secure access to users.
NOTE: I want to note that the wording "best option" is valid only for the EC-Council's exam since the
other options will not help against sniffing or will only help from some specific attack vectors.
The sniffing attack surface is huge. To protect against it, you will need to implement a complex of
measures at all levels of abstraction and apply controls at the physical, administrative, and technical
levels. However, encryption is indeed the best option of all, even if your data is intercepted - an
attacker cannot understand it.

Question: 18

Although FTP traffic is not encrypted by default, which layer 3 protocol would allow for end-to-end
encryption of the connection?

A. SFTP
Questions and Answers PDF 13/252

B. Ipsec
C. SSL
D. FTPS

Answer: B
Explanation:

https://en.wikipedia.org/wiki/IPsec
Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts
the packets of data to provide secure encrypted communication between two computers over an
Internet Protocol network. It is used in virtual private networks (VPNs).
IPsec includes protocols for establishing mutual authentication between agents at the beginning of a
session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows
between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or
between a security gateway and a host (network-to-host). IPsec uses cryptographic security services
to protect communications over Internet Protocol (IP) networks. It supports network-level peer
authentication, data-origin authentication, data integrity, data confidentiality (encryption), and
replay protection.
The initial IPv4 suite was developed with few security provisions. As a part of the IPv4 enhancement,
IPsec is a layer 3 OSI model or internet layer end-to-end security scheme. In contrast, while some
other Internet security systems in widespread use operate above layer 3, such as Transport Layer
Security (TLS) that operates at the Transport Layer and Secure Shell (SSH) that operates at the
Application layer, IPsec can automatically secure applications at the IP layer.

Incorrect answers:
SFTP https://en.wikipedia.org/wiki/File_Transfer_Protocol#FTP_over_SSH
FTP over SSH is the practice of tunneling a normal FTP session over a Secure Shell connection.
Because FTP uses multiple TCP connections (unusual for a TCP/IP protocol that is still in use), it is
particularly difficult to tunnel over SSH. With many SSH clients, attempting to set up a tunnel for the
control channel (the initial client-to-server connection on port 21) will protect only that channel;
when data is transferred, the FTP software at either end sets up new TCP connections (data channels)
and thus have no confidentiality or integrity protection.

FTPS https://en.wikipedia.org/wiki/FTPS
FTPS (also known FTP-SSL, and FTP Secure) is an extension to the commonly used File Transfer
Protocol (FTP) that adds support for the Transport Layer Security (TLS) and, formerly, the Secure
Sockets Layer cryptographic protocols.

SSL https://en.wikipedia.org/wiki/Transport_Layer_Security
Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are
cryptographic protocols designed to provide communications security over a computer network.
Several versions of the protocols are widely used in applications such as web browsing, email, instant
messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between
their servers and web browsers.
NOTE: All of these protocols are the application layer of the OSI model.
Questions and Answers PDF 14/252

Question: 19

You are the Network Admin, and you get a complaint that some of the websites are no longer
accessible. You try to ping the servers and find them to be reachable. Then you type the IP address
and then you try on the browser, and find it to be accessible. But they are not accessible when you
try using the URL.
What may be the problem?

A. Traffic is Blocked on UDP Port 53
B. Traffic is Blocked on TCP Port 80
C. Traffic is Blocked on TCP Port 54
D. Traffic is Blocked on UDP Port 80

Answer: A
Explanation:

Most likely have an issue with DNS.
DNS stands for “Domain Name System.” It’s a system that lets you connect to websites by matching
human-readable domain names (like example.com) with the server's unique ID where a website is
stored.
Think of the DNS system as the internet’s phonebook. It lists domain names with their corresponding
identifiers called IP addresses, instead of listing people’s names with their phone numbers. When a
user enters a domain name like wpbeginner.com on their device, it looks up the IP address and
connects them to the physical location where that website is stored.
NOTE: Often DNS lookup information will be cached locally inside the querying computer or remotely
in the DNS infrastructure. There are typically 8 steps in a DNS lookup. When DNS information is
cached, steps are skipped from the DNS lookup process, making it quicker. The example below
outlines all 8 steps when nothing is cached.

The 8 steps in a DNS lookup:
1. A user types ‘example.com’ into a web browser, and the query travels into the Internet and is
received by a DNS recursive resolver;
2. The resolver then queries a DNS root nameserver;
3. The root server then responds to the resolver with the address of a Top-Level Domain (TLD) DNS
server (such as.com or.net), which stores the information for its domains. When searching for
example.com, our request is pointed toward the.com TLD;
4. The resolver then requests the.com TLD;
5. The TLD server then responds with the IP address of the domain’s nameserver, example.com;
6. Lastly, the recursive resolver sends a query to the domain’s nameserver;
7. The IP address for example.com is then returned to the resolver from the nameserver;
8. The DNS resolver then responds to the web browser with the IP address of the domain requested
initially;
Once the 8 steps of the DNS lookup have returned the IP address for example.com, the browser can
request the web page:
9. The browser makes an HTTP request to the IP address;
10. The server at that IP returns the webpage to be rendered in the browser.
Questions and Answers PDF 15/252

NOTE 2: DNS primarily uses the User Datagram Protocol (UDP) on port number 53 to serve requests.
And if this port is blocked, then a problem arises already in the first step. But the ninth step is
performed without problems.

Question: 20

Which of the following tools is used to detect wireless LANs using the 802.11a/b/g/n WLAN
standards on a linux platform?

A. Kismet
B. Abel
C. Netstumbler
D. Nessus

Answer: A
Explanation:

https://en.wikipedia.org/wiki/Kismet_(software)
Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs.
Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a,
802.11b, 802.11g, and 802.11n traffic.

Incorrect answers:
Nessus https://en.wikipedia.org/wiki/Nessus_(software)
Nessus is a remote security scanning tool that scans a computer and raises an alert if it discovers any
vulnerabilities that malicious hackers could use to access any computer you have connected to a
network.

Nmap https://en.wikipedia.org/wiki/Nmap
Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon (also
known by his pseudonym Fyodor Vaskovich). Nmap is used to discover hosts and services on a
computer network by sending packets and analyzing the responses.
Nmap provides a number of features for probing computer networks, including host discovery and
service and operating system detection. These features are extensible by scripts that provide more
advanced service detection, vulnerability detection, and other features. Nmap can adapt to network
conditions including latency and congestion during a scan.

Abel https://en.wikipedia.org/wiki/Cain_and_Abel_(software)
Cain and Abel (often abbreviated to Cain) was a password recovery tool for Microsoft Windows. It
could recover many kinds of passwords using methods such as network packet sniffing, cracking
various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis
attacks. Cryptanalysis attacks were done via rainbow tables which could be generated with the
winrtgen.exe program provided with Cain and Abel.
Questions and Answers PDF 16/252

Question: 21

Scenario1:
1. Victim opens the attacker's web site.
2. Attacker sets up a web site which contains interesting and attractive content like 'Do you want to
make
$1000 in a day?'.
3. Victim clicks to the interesting and attractive content URL.
4. Attacker creates a transparent 'iframe' in front of the URL which victim attempts to click, so victim
thinks that he/she clicks to the 'Do you want to make $1000 in a day?' URL but actually he/she clicks
to the content or URL that exists in the transparent 'iframe' which is setup by the attacker.

What is the name of the attack which is mentioned in the scenario?

A. Session Fixation
B. HTML Injection
C. HTTP Parameter Pollution
D. Clickjacking Attack

Answer: D
Explanation:

https://en.wikipedia.org/wiki/Clickjacking
Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or
disguised as another element. This can cause users to unwittingly download malware, visit malicious
web pages, provide credentials or sensitive information, transfer money, or purchase products
online.
Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe,
on top of the page the user sees. The user believes they are clicking the visible page but in fact they
are clicking an invisible element in the additional page transposed on top of it.

Question: 22

A network administrator discovers several unknown files in the root directory of his Linux FTP server.
One of the files is a tarball, two are shell script files, and the third is a binary file is named "nc." The
FTP server's access logs show that the anonymous user account logged in to the server, uploaded the
files, and extracted the contents of the tarball and ran the script using a function provided by the FTP
server's software. The “ps” command shows that the “nc” file is running as process, and the netstat
command shows the “nc” process is listening on a network port.

What kind of vulnerability must be present to make this remote attack possible?

A. File system permissions
B. Privilege escalation
C. Directory traversal
D. Brute force login
Questions and Answers PDF 17/252

Answer: A
Explanation:

File system permissions
Processes may automatically execute specific binaries as part of their functionality or to perform
other actions. If the permissions on the file system directory containing a target binary, or
permissions on the binary itself, are improperly set, then the target binary may be overwritten with
another binary using user-level permissions and executed by the original process. If the original
process and thread are running under a higher permissions level, then the replaced binary will also
execute under higher-level permissions, which could include SYSTEM.
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of
executing code at a higher permissions level. If the executing process is set to run at a specific time
or during a certain event (e.g., system bootup) then this technique can also be used for persistence.

Question: 23
Which method of password cracking takes the most time and effort?

A. Dictionary attack
B. Shoulder surfing
C. Rainbow tables
D. Brute force

Answer: D
Explanation:

Brute-force attack when an attacker uses a set of predefined values to attack a target and analyze the
response until he succeeds. Success depends on the set of predefined values. It will take more time if
it is larger, but there is a better probability of success. In a traditional brute-force attack, the
passcode or password is incrementally increased by one letter/number each time until the right
passcode/password is found.
Questions and Answers PDF 18/252

Question: 24

What does the –oX flag do in an Nmap scan?

A. Perform an eXpress scan
B. Output the results in truncated format to the screen
C. Output the results in XML format to a file
D. Perform an Xmas scan

Answer: C
Explanation:

https://nmap.org/book/man-output.html
-oX - Requests that XML output be directed to the given filename.

Incorrect answers:
Run an express scan https://nmap.org/book/man-port-specification.html
There is no express scan in Nmap, but there is a fast scan.
-F (Fast (limited port) scan)
Specifies that you wish to scan fewer ports than the default. Normally Nmap scans the most common
1,000 ports for each scanned protocol. With -F, this is reduced to 100.
Or we can influence the intensity (and speed) of the scan with the -T
flag. https://nmap.org/book/man-performance.html
-T paranoid|sneaky|polite|normal|aggressive|insane

Output the results in truncated format to the screen https://nmap.org/book/man-output.html
-oG (grepable output)
It is a simple format that lists each host on one line and can be trivially searched and parsed with
standard Unix tools such as grep, awk, cut, sed, diff, and Perl.

Run a Xmas scan https://nmap.org/book/man-port-scanning-techniques.html
Xmas scan (-sX)
Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

Question: 25

A bank stores and processes sensitive privacy information related to home loans. However, auditing
has never been enabled on the system. What is the first step that the bank should take before
enabling the audit feature?

A. Perform a vulnerability scan of the system.
B. Determine the impact of enabling the audit feature.
C. Perform a cost/benefit analysis of the audit feature.
D. Allocate funds for staffing of audit log review.
Questions and Answers PDF 19/252

Answer: B
Explanation:

Question: 26

Which Intrusion Detection System is the best applicable for large environments where critical assets
on the network need extra scrutiny and is ideal for observing sensitive network segments?

A. Honeypots
B. Firewalls
C. Network-based intrusion detection system (NIDS)
D. Host-based intrusion detection system (HIDS)

Answer: C
Explanation:

Question: 27
The collection of potentially actionable, overt, and publicly available information is known as

A. Open-source intelligence
B. Real intelligence
C. Social intelligence
D. Human intelligence

Answer: A
Explanation:

Question: 28
What is one of the advantages of using both symmetric and asymmetric cryptography in SSL/TLS?

A. Supporting both types of algorithms allows less-powerful devices such as mobile phones to use
symmetric encryption instead.
B. Symmetric algorithms such as AES provide a failsafe when asymmetric methods fail.
C. Symmetric encryption allows the server to security transmit the session keys out-of-band.
D. Asymmetric cryptography is computationally expensive in comparison. However, it is well-suited
to securely negotiate keys for use with symmetric cryptography.

Answer: A
Explanation:

Question: 29
The change of a hard drive failure is once every three years. The cost to buy a new hard drive is $300.
Questions and Answers PDF 20/252

It will require 10 hours to restore the OS and software to the new hard disk. It will require a further 4
hours to restore the database from the last backup to the new hard disk. The recovery person earns
$10/hour. Calculate the SLE, ARO, and ALE. Assume the EF = 1(100%). What is the closest
approximate cost of this replacement and recovery operation per year?

A. $1320
B. $440
C. $100
D. $146

Answer: D
Explanation:

1. AV (Asset value) = $300 + (14 * $10) = $440 - the cost of a hard drive plus the work of a recovery
person, i.e.how much would it take to replace 1 asset? 10 hours for resorting the OS and soft + 4
hours for DB restore multiplies by hourly rate of the recovery person.
2. SLE (Single Loss Expectancy) = AV * EF (Exposure Factor) = $440 * 1 = $440
3. ARO (Annual rate of occurrence) = 1/3 (every three years, meaning the probability of occurring
during 1 years is 1/3)
4. ALE (Annual Loss Expectancy) = SLE * ARO = 0.33 * $440 = $145.2

Question: 30

What is the known plaintext attack used against DES which gives the result that encrypting plaintext
with one DES key followed by encrypting it with a second DES key is no more secure than using a
single key?

A. Man-in-the-middle attack
B. Meet-in-the-middle attack
C. Replay attack
D. Traffic analysis attack

Answer: B
Explanation:

https://en.wikipedia.org/wiki/Meet-in-the-middle_attack
The meet-in-the-middle attack (MITM), a known plaintext attack, is a generic space–time tradeoff
cryptographic attack against encryption schemes that rely on performing multiple encryption
operations in sequence. The MITM attack is the primary reason why Double DES is not used and why
a Triple DES key (168-bit) can be bruteforced by an attacker with 256 space and 2112 operations.
The intruder has to know some parts of plaintext and their ciphertexts. Using meet-in-the-middle
attacks it is possible to break ciphers, which have two or more secret keys for multiple encryption
using the same algorithm. For example, the 3DES cipher works in this way. Meet-in-the-middle attack
was first presented by Diffie and Hellman for cryptanalysis of DES algorithm.

Question: 31
Questions and Answers PDF 21/252

Steve, a scientist who works in a governmental security agency, developed a technological solution
to identify people based on walking patterns and implemented this approach to a physical control
access.
A camera captures people walking and identifies the individuals using Steve’s approach.
After that, people must approximate their RFID badges. Both the identifications are required to open
the door. In this case, we can say:

A. Although the approach has two phases, it actually implements just one authentication factor
B. The solution implements the two authentication factors: physical object and physical characteristic
C. The solution will have a high level of false positives
D. Biological motion cannot be used to identify people

Answer: B
Explanation:

Question: 32
What is not a PCI compliance recommendation?

A. Use a firewall between the public network and the payment card data.
B. Use encryption to protect all transmission of card holder data over any public network.
C. Rotate employees handling credit card transactions on a yearly basis to different departments.
D. Limit access to card holder data to as few individuals as possible.

Answer: C
Explanation:

https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors.
Questions and Answers PDF 22/252

Question: 33

What is the minimum number of network connections in a multihomed firewall?

A. 3
B. 5
C. 4
D. 2

Answer: A
Explanation:

Question: 34

Suppose your company has just passed a security risk assessment exercise. The results display that
the risk of the breach in the main company application is 50%. Security staff has taken some
measures and

implemented the necessary controls. After that, another security risk assessment was performed
showing that risk has decreased to 10%. The risk threshold for the application is 20%. Which of the
following risk decisions will be the best for the project in terms of its successful continuation with the
most business profit?

A. Accept the risk
B. Introduce more controls to bring risk to 0%
C. Mitigate the risk
D. Avoid the risk

Answer: A
Explanation:

Risk Mitigation
Risk mitigation can be defined as taking steps to reduce adverse effects. There are four types of risk
mitigation strategies that hold unique to Business Continuity and Disaster Recovery. When mitigating
risk, it’s important to develop a strategy that closely relates to and matches your company’s profile.
Questions and Answers PDF 23/252

Risk Acceptance
Risk acceptance does not reduce any effects; however, it is still considered a strategy. This strategy is
a common option when the cost of other risk management options such as avoidance or limitation
may outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money on
avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.

Risk Avoidance
Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk
whatsoever. It’s important to note that risk avoidance is usually the most expensive of all risk
mitigation options.

Risk Limitation
Risk limitation is the most common risk management strategy used by businesses. This strategy
limits a company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance
and a bit of risk avoidance or an average of both. An example of risk limitation would be a company
accepting that a disk drive may fail and avoiding a long period of failure by having backups.

Risk Transference
Risk transference is the involvement of handing risk off to a willing third party. For example,
numerous companies outsource certain operations such as customer service, payroll services, etc.
This can be beneficial for a company if a transferred risk is not a core competency of that company. It
can also be used so a company can focus more on its core competencies.

Question: 35

You need to deploy a new web-based software package for your organization. The package requires
three separate servers and needs to be available on the Internet. What is the recommended
architecture in terms of server placement?
Questions and Answers PDF 24/252

A. All three servers need to be placed internally
B. A web server facing the Internet, an application server on the internal network, a database server
on the internal network
C. A web server and the database server facing the Internet, an application server on the internal
network
D. All three servers need to face the Internet so that they can communicate between themselves

Answer: B
Explanation:

Question: 36

An attacker, using a rogue wireless AP, performed an MITM attack and injected an HTML code to
embed a malicious applet in all HTTP connections.
When users accessed any page, the applet ran and exploited many machines. Which one of the
following tools the hacker probably used to inject HTML code?

A. Wireshark
B. Ettercap
C. Aircrack-ng
D. Tcpdump

Answer: B
Explanation:

Question: 37
Which mode of IPSec should you use to assure security and confidentiality of data within the same
LAN?

A. ESP transport mode
B. ESP confidential
C. AH permiscuous
D. AH Tunnel mode

Answer: A
Explanation:

Question: 38

Hackers often raise the trust level of a phishing message by modeling the email to look similar to the
internal email used by the target company. This includes using logos, formatting, and names of the
target company. The phishing message will often use the name of the company CEO, President, or
Managers. The time a hacker spends performing research to locate this information about a
Questions and Answers PDF 25/252

company is known as?

A. Exploration
B. Investigation
C. Reconnaissance
D. Enumeration

Answer: C
Explanation:

Question: 39
Which of the following viruses tries to hide from anti-virus programs by actively altering and
corrupting the chosen service call interruptions when they are being run?

A. Macro virus
B. Stealth/Tunneling virus
C. Cavity virus
D. Polymorphic virus

Answer: B
Explanation:

Question: 40
The “Gray-box testing” methodology enforces what kind of restriction?

A. Only the external operation of a system is accessible to the tester.
B. The internal operation of a system in only partly accessible to the tester.
C. Only the internal operation of a system is known to the tester.
D. The internal operation of a system is completely known to the tester.

Answer: D
Explanation:

White-box testing (also known as clear box testing, glass box testing, transparent box testing, and
structural testing) is a method of software testing that tests internal structures or workings of an
application, as opposed to its functionality (i.e. black-box testing). In white-box testing, an internal
perspective of the system, as well as programming skills, are used to design test cases. The tester
chooses inputs to exercise paths through the code and determine the expected outputs. This is
analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied
at the unit, integration and system levels of the software testing process. Although traditional testers
tended to think of white-box testing as being done at the unit level, it is used for integration and
system testing more frequently today. It can test paths within a unit, paths between units during
integration, and between subsystems during a system-level test. Though this method of test design
Questions and Answers PDF 26/252

can uncover many errors or problems, it has the potential to miss unimplemented parts of the
specification or missing requirements. Where white-box testing is design-driven, that is, driven
exclusively by agreed specifications of how each component of the software is required to behave (as
in DO-178C and ISO 26262 processes) then white-box test techniques can accomplish assessment for
unimplemented or missing requirements.
White-box test design techniques include the following code coverage criteria:
· Control flow testing
· Data flow testing
· Branch testing
· Statement coverage
· Decision coverage
· Modified condition/decision coverage
· Prime path testing
· Path testing

Question: 41

When analyzing the IDS logs, the system administrator noticed an alert was logged when the
external router was accessed from the administrator’s Computer to update the router configuration.
What type of an alert is this?

A. False negative
B. True negative
C. True positive
D. False positive

Answer: D
Explanation:

True Positive - IDS referring a behavior as an attack, in real life it is
True Negative - IDS referring a behavior not an attack and in real life it is not
False Positive - IDS referring a behavior as an attack, in real life it is not
False Negative - IDS referring a behavior not an attack, but in real life is an attack.

False Negative - is the most serious and dangerous state of all !!!!

Question: 42

A large company intends to use Blackberry for corporate mobile phones and a security analyst is
assigned to evaluate the possible threats. The analyst will use the Blackjacking attack method to
demonstrate how an attacker could circumvent perimeter defenses and gain access to the Prometric
Online Testing – Reports https://ibt1.prometric.com/users/custom/report_queue/rq_str... corporate
network. What tool should the analyst use to perform a Blackjacking attack?

A. Paros Proxy
B. BBProxy
C. Blooover
Questions and Answers PDF 27/252

D. BBCrack

Answer: B
Explanation:

Question: 43
When you are getting information about a web server, it is very important to know the HTTP
Methods (GET, POST, HEAD, PUT, DELETE, TRACE) that are available because there are two critical
methods (PUT and DELETE). PUT can upload a file to the server and DELETE can delete a file from the
server. You can detect all these methods (GET, POST, HEAD, DELETE, PUT, TRACE) using NMAP script
engine. What Nmap script will help you with this task?

A. http-methods
B. http enum
C. http-headers
D. http-git

Answer: A
Explanation:

Question: 44

Todd has been asked by the security officer to purchase a counter-based authentication system.
Which of the following best describes this type of system?

A. A biometric system that bases authentication decisions on behavioral attributes.
B. A biometric system that bases authentication decisions on physical attributes.
C. An authentication system that creates one-time passwords that are encrypted with secret keys.
D. An authentication system that uses passphrases that are converted into virtual passwords.

Answer: C
Explanation:

Question: 45
Which of the following is a low-tech way of gaining unauthorized access to systems?

A. Social Engineering
B. Eavesdropping
C. Scanning
D. Sniffing

Answer: A
Questions and Answers PDF 28/252

Explanation:

Question: 46

Which system consists of a publicly available set of databases that contain domain name registration
contact information?

A. WHOIS
B. CAPTCHA
C. IANA
D. IETF

Answer: A
Explanation:

Question: 47

Why is a penetration test considered to be more thorough than vulnerability scan?

A. Vulnerability scans only do host discovery and port scanning by default.
B. A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a
vulnerability scan does not typically involve active exploitation.
C. It is not – a penetration test is often performed by an automated tool, while a vulnerability scan
requires active engagement.
D. The tools used by penetration testers tend to have much more comprehensive vulnerability
databases.

Answer: B
Explanation:

Question: 48
Bob received this text message on his mobile phone: “Hello, this is Scott Smelby from the Yahoo
Bank. Kindly contact me for a vital transaction on: [email protected]”. Which statement
below is true?

A. This is a scam as everybody can get a @yahoo address, not the Yahoo customer service
employees.
B. This is a scam because Bob does not know Scott.
C. Bob should write to [email protected] to verify the identity of Scott.
D. This is probably a legitimate message as it comes from a respectable organization.

Answer: A
Explanation:
Questions and Answers PDF 29/252

Question: 49

env x=’(){ :;};echo exploit’ bash –c ‘cat/etc/passwd’

What is the Shellshock bash vulnerability attempting to do on a vulnerable Linux host?

A. Removes the passwd file
B. Changes all passwords in passwd
C. Add new user to the passwd file
D. Display passwd content to prompt

Answer: D
Explanation:

Question: 50

Which of the following is assured by the use of a hash?

A. Authentication
B. Confidentiality
C. Availability
D. Integrity

Answer: D
Explanation:

Question: 51
Which results will be returned with the following Google search query? site:target.com –
site:Marketing.target.com accounting

A. Results from matches on the site marketing.target.com that are in the domain target.com but do
not include the word accounting.
B. Results matching all words in the query.
C. Results for matches on target.com and Marketing.target.com that include the word “accounting”
D. Results matching “accounting” in domain target.com but not on the site Marketing.target.com

Answer: D
Explanation:

Question: 52

Email is transmitted across the Internet using the Simple Mail Transport Protocol. SMTP does not
encrypt email, leaving the information in the message vulnerable to being read by an unauthorized
person. SMTP can upgrade a connection between two mail servers to use TLS. Email transmitted by
Questions and Answers PDF 30/252

SMTP over TLS is encrypted. What is the name of the command used by SMTP to transmit email over
TLS?

A. OPPORTUNISTICTLS
B. UPGRADETLS
C. FORCETLS
D. STARTTLS

Answer: D
Explanation:

Question: 53

In the field of cryptanalysis, what is meant by a “rubber-hose” attack?

A. Forcing the targeted keystream through a hardware-accelerated device such as an ASIC.
B. A backdoor placed into a cryptographic algorithm by its creator.
C. Extraction of cryptographic secrets through coercion or torture.
D. Attempting to decrypt ciphertext by making logical assumptions about the contents of the original
plaintext.

Answer: C
Explanation:

A powerful and often the most effective cryptanalysis method in which the attack is directed at the
most vulnerable link in the cryptosystem - the person. In this attack, the cryptanalyst uses blackmail,
threats, torture, extortion, bribery, etc. This method's main advantage is the decryption time's
fundamental independence from the volume of secret information, the length of the key, and the
cipher's mathematical strength.
The method can reduce the time to guess a password, for example, for AES, to an acceptable level;
however, it requires special authorization from the relevant regulatory authorities. Therefore, it is
outside the scope of this course and is not considered in its practical part.

Question: 54

You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has
snort installed, and the second machine (192.168.0.150) has kiwi syslog installed. You perform a syn
scan in your network, and you notice that kiwi syslog is not receiving the alert message from snort.
You decide to run wireshark in the snort machine to check if the messages are going to the kiwi
syslog machine. What Wireshark filter will show the connections from the snort machine to kiwi
syslog machine?

A. tcp.srcport= = 514 && ip.src= = 192.168.0.99
B. tcp.srcport= = 514 && ip.src= = 192.168.150
C. tcp.dstport= = 514 && ip.dst= = 192.168.0.99
D. tcp.dstport= = 514 && ip.dst= = 192.168.0.150
Questions and Answers PDF 31/252

Answer: D
Explanation:

Question: 55

What two conditions must a digital signature meet?

A. Has to be the same number of characters as a physical signature and must be unique.
B. Has to be unforgeable, and has to be authentic.
C. Must be unique and have special characters.
D. Has to be legible and neat.

Answer: B
Explanation:

Question: 56

A company’s security policy states that all Web browsers must automatically delete their HTTP
browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?

A. Attempts by attackers to access the user and password information stored in the company’s SQL
database.
B. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user’s
authentication credentials.
C. Attempts by attackers to access password stored on the user’s computer without the user’s
knowledge.
D. Attempts by attackers to determine the user’s Web browser usage patterns, including when sites
were visited and for how long.

Answer: B
Explanation:

Question: 57
What is correct about digital signatures?

A. A digital signature cannot be moved from one signed document to another because it is the hash
of the original document encrypted with the private key of the signing party.
B. Digital signatures may be used in different documents of the same type.
C. A digital signature cannot be moved from one signed document to another because it is a plain
hash of the document content.
D. Digital signatures are issued once for each user and can be used everywhere until they expire.

Answer: A
Questions and Answers PDF 32/252

Explanation:

Question: 58

An attacker with access to the inside network of a small company launches a successful STP
manipulation attack. What will he do next?

A. He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer.
B. He will activate OSPF on the spoofed root bridge.
C. He will repeat this action so that it escalates to a DoS attack.
D. He will repeat the same attack against all L2 switches of the network.

Answer: A
Explanation:

Question: 59

You have gained physical access to a Windows 2008 R2 server which has an accessible disc drive.
When you attempt to boot the server and log in, you are unable to guess the password. In your
toolkit, you have an Ubuntu 9.10 Linux LiveCD. Which Linux-based tool can change any user’s
password or activate disabled Windows accounts?

A. John the Ripper
B. SET
C. CHNTPW
D. Cain & Abel

Answer: C
Explanation:

Question: 60

What does a firewall check to prevent particular ports and applications from getting packets into an
organization?

A. Transport layer port numbers and application layer headers
B. Presentation layer headers and the session layer port numbers

C. Network layer headers and the session layer port numbers
D. Application layer port numbers and the transport layer headers

Answer: A
Explanation:

Question: 61
Questions and Answers PDF 33/252

An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to
go to "www.MyPersonalBank.com", the user is directed to a phishing site.

Which file does the attacker need to modify?

A. Boot.ini
B. Sudoers
C. Networks
D. Hosts

Answer: D
Explanation:

Question: 62

is a set of extensions to DNS that provide the origin authentication of DNS data to DNS
clients (resolvers) so as to reduce the threat of DNS poisoning, spoofing, and similar types of attacks.

A. DNSSEC
B. Resource records
C. Resource transfer
D. Zone transfer

Answer: A
Explanation:

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force
(IETF) specifications for securing certain kinds of information provided by DNS for use on IP
networks. DNSSEC is a set of extensions to DNS provide to DNS clients (resolvers) origin
authentication of DNS data, authenticated denial of existence, and data integrity, but not availability
or confidentiality. DNSSEC is necessary because the original DNS design did not include security but
was designed to be a scalable distributed system. DNSSEC adds security while maintaining backward
compatibility.

Question: 63

Which of the following incident handling process phases is responsible for defining rules,
collaborating human workforce, creating a back-up plan, and testing the plans for an organization?

A. Preparation phase
B. Containment phase
C. Identification phase
D. Recovery phase

Answer: A
Explanation:
Questions and Answers PDF 34/252

Question: 64

The configuration allows a wired or wireless network interface controller to pass all traffic it receives
to the Central Processing Unit (CPU), rather than passing only the frames that the controller is
intended to receive. Which of the following is being described?

A. Multi-cast mode
B. Promiscuous mode
C. WEM
D. Port forwarding

Answer: B
Explanation:

Question: 65
A large mobile telephony and data network operator has a data center that houses network
elements. These are essentially large computers running on Linux. The perimeter of the data center
is secured with firewalls and IPS systems.

What is the best security policy concerning this setup?

A. Network elements must be hardened with user ids and strong passwords. Regular security tests
and audits should be performed.
B. As long as the physical access to the network elements is restricted, there is no need for additional
measures.
C. There is no need for specific security measures on the network elements as long as firewalls and
IPS systems exist.
D. The operator knows that attacks and down time are inevitable and should have a backup site.

Answer: A
Explanation:

Question: 66
PGP, SSL, and IKE are all examples of which type of cryptography?

A. Digest
B. Secret Key
C. Public Key
D. Hash Algorithm
Questions and Answers PDF 35/252

Question: 67

Peter is surfing the internet looking for information about DX Company. Which hacking process is
Peter doing?

A. Scanning
B. Footprinting
C. Enumeration
D. System Hacking

Answer: B
Explanation:

Question: 68

A hacker is an intelligent individual with excellent computer skills and the ability to explore a
computer’s software and hardware without the owner’s permission. Their intention can either be to
simply gain knowledge or to illegally make changes.
Which of the following class of hacker refers to an individual who works both offensively and
defensively at various times?

A. White Hat
B. Suicide Hacker
C. Gray Hat
D. Black Hat

Answer: C
Explanation:

Question: 69
During a recent security assessment, you discover the organization has one Domain Name Server
(DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network.

What is this type of DNS configuration commonly called?

A. DynDNS
B. DNS Scheme
C. DNSSEC
D. Split DNS

Answer: D
Explanation:
Questions and Answers PDF 36/252

Question: 70

What kind of detection techniques is being used in antivirus software that identifies malware by
collecting data from multiple protected systems and instead of analyzing files locally it’s made on the
provider’s environment?

A. Behavioral based
B. Heuristics based
C. Honeypot based
D. Cloud based

Answer: D
Explanation:

Question: 71
Which of the following tools is used to analyze the files produced by several packet-capture programs
such as tcpdump, WinDump, Wireshark, and EtherPeek?

A. tcptrace
B. Nessus
C. OpenVAS
D. tcptraceroute

Answer: A
Explanation:

Question: 72

What is the way to decide how a packet will move from an untrusted outside host to a protected
inside that is behind a firewall, which permits the hacker to determine which ports are open and if
the packets can pass through the packet-filtering of the firewall?

A. Session hijacking
B. Firewalking
C. Man-in-the middle attack
D. Network sniffing

Answer: B
Explanation:

Question: 73
Questions and Answers PDF 37/252

Which of the following is not a Bluetooth attack?

A. Bluedriving
B. Bluesmacking
C. Bluejacking
D. Bluesnarfing

Answer: A
Explanation:

https://github.com/verovaleros/bluedriving
Bluedriving is a bluetooth wardriving utility. It can capture bluetooth devices, lookup their services,
get GPS information and present everything in a nice web page. It can search for and show a lot of
information about the device, the GPS address and the historic location of devices on a map. The
main motivation of this tool is to research about the targeted surveillance of people by means of its
cellular phone or car. With this tool you can capture information about bluetooth devices and show,
on a map, the points where you have seen the same device in the past.

Question: 74
What is the role of test automation in security testing?

A. It is an option but it tends to be very expensive.
B. It should be used exclusively. Manual testing is outdated because of low speed and possible test
setup inconsistencies.
C. Test automation is not usable in security due to the complexity of the tests.
D. It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot
replace manual testing completely.

Answer: D
Explanation:

Question: 75

Your company performs penetration tests and security assessments for small and medium-sized
business in the local are
a. During a routine security assessment, you discover information that suggests your client is
involved with human trafficking.

What should you do?

A. Confront the client in a respectful manner and ask her about the data.
B. Copy the data to removable media and keep it in case you need it.
C. Ignore the data and continue the assessment until completed as agreed.
D. Immediately stop work and contact the proper legal authorities.
Questions and Answers PDF 38/252

Answer: D
Explanation:

Question: 76

While using your bank’s online servicing you notice the following string in the URL bar:
“http: // www. MyPersonalBank. com/
account?id=368940911028389&Damount=10980&Camount=21”
You observe that if you modify the Damount & Camount values and submit the request, that data on
the web page reflects the changes.
Which type of vulnerability is present on this site?

A. Cookie Tampering
B. SQL Injection
C. Web Parameter Tampering
D. XSS Reflection

Answer: C
Explanation:

Question: 77

The establishment of a TCP connection involves a negotiation called three-way handshake. What
type of message does the client send to the server in order to begin this negotiation?

A. ACK
B. SYN
C. RST
D. SYN-ACK

Answer: B
Explanation:

Question: 78

Which type of security feature stops vehicles from crashing through the doors of a building?

A. Bollards
B. Receptionist
C. Mantrap
D. Turnstile

Answer: A
Explanation:
Questions and Answers PDF 39/252

Question: 79

The company ABC recently contracts a new accountant. The accountant will be working with the
financial statements. Those financial statements need to be approved by the CFO and then they will
be sent to the accountant but the CFO is worried because he wants to be sure that the information
sent to the accountant was not modified once he approved it. Which of the following options can be
useful to ensure the integrity of the data?

A. The CFO can use a hash algorithm in the document once he approved the financial statements
B. The CFO can use an excel file with a password
C. The financial statements can be sent twice, one by email and the other delivered in USB and the
accountant can compare both to be sure is the same document
D. The document can be sent to the accountant using an exclusive USB for that document

Answer: A
Explanation:

Question: 80
What is the purpose of a demilitarized zone on a network?

A. To scan all traffic coming through the DMZ to the internal network
B. To only provide direct access to the nodes within the DMZ and protect the network behind it
C. To provide a place to put the honeypot
D. To contain the network devices you wish to protect

Answer: B
Explanation:

Question: 81
Which of the following Linux commands will resolve a domain name into IP address?

A. >host-t a hackeddomain.com
B. >host-t ns hackeddomain.com
C. >host -t soa hackeddomain.com
D. >host -t AXFR hackeddomain.com

Answer: A
Explanation:

Question: 82

Shellshock allowed an unauthorized user to gain access to a server. It affected many Internet-facing
Questions and Answers PDF 40/252

services, which OS did it not directly affect?

A. Linux
B. Unix
C. OS X
D. Windows

Answer: D
Explanation:

Question: 83
Which regulation defines security and privacy controls for Federal information systems and
organizations?

A. HIPAA
B. EU Safe Harbor
C. PCI-DSS
D. NIST-800-53

Answer: D
Explanation:

NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal
information systems except those related to national security. It is published by the National Institute
of Standards and Technology, which is a non-regulatory agency of the United States Department of
Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal
agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and
to help with managing cost-effective programs to protect their information and information systems.

Question: 84

What is a “Collision attack” in cryptography?

A. Collision attacks try to get the public key
B. Collision attacks try to break the hash into three parts to get the plaintext value
C. Collision attacks try to break the hash into two parts, with the same bytes in each part to get the
private key
D. Collision attacks try to find two inputs producing the same hash

Answer: D
Explanation:

Question: 85
Questions and Answers PDF 41/252

Which of the following tools can be used for passive OS fingerprinting?

A. nmap
B. tcpdump
C. tracert
D. ping

Answer: B
Explanation:

Question: 86

Which of the following describes the characteristics of a Boot Sector Virus?

A. Modifies directory table entries so that directory entries point to the virus code instead of the
actual program.
B. Moves the MBR to another location on the RAM and copies itself to the original location of the
MBR.
C. Moves the MBR to another location on the hard disk and copies itself to the original location of
the MBR.
D. Overwrites the original MBR and only executes the new virus code.

Answer: C
Explanation:

Question: 87
Your company was hired by a small healthcare provider to perform a technical assessment on the
network.
What is the best approach for discovering vulnerabilities on a Windows-based computer?

A. Use the built-in Windows Update tool
B. Use a scan tool like Nessus
C. Check MITRE.org for the latest list of CVE findings
D. Create a disk image of a clean Windows installation

Answer: B
Explanation:

Question: 88

Which of the following is a command line packet analyzer similar to GUI-based Wireshark?

A. nessus
B. tcpdump
Questions and Answers PDF 42/252

C. ethereal
D. jack the ripper

Answer: B
Explanation:

Tcpdump is a data-network packet analyzer computer program that runs under a command-line
interface. It allows the user to display TCP/IP and other packets being transmitted or received over a
network to which the computer is attached. Distributed under the BSD license, tcpdump is free
software.
https://www.wireshark.org/
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis,
software and communications protocol development, and education.
NOTE: Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated
sorting and filtering options.

Question: 89

DHCP snooping is a great solution to prevent rogue DHCP servers on your network. Which security
feature on switchers leverages the DHCP snooping database to help prevent man-in-the-middle
attacks?

A. Spanning tree
B. Dynamic ARP Inspection (DAI)
C. Port security
D. Layer 2 Attack Prevention Protocol (LAPP)

Answer: B
Explanation:

Dynamic ARP inspection (DAI) protects switching devices against Address Resolution Protocol (ARP)
packet spoofing (also known as ARP poisoning or ARP cache poisoning).
DAI inspects ARPs on the LAN and uses the information in the DHCP snooping database on the switch
to validate ARP packets and to protect against ARP spoofing. ARP requests and replies are compared
against entries in the DHCP snooping database, and filtering decisions are made based on the results
of those comparisons. When an attacker tries to use a forged ARP packet to spoof an address, the
switch compares the address with entries in the database. If the media access control (MAC) address
or IP address in the ARP packet does not match a valid entry in the DHCP snooping database, the
packet is dropped.

Question: 90

Bob, a network administrator at BigUniversity, realized that some students are connecting their
notebooks in the wired network to have Internet access. In the university campus, there are many
Ethernet ports available for professors and authorized visitors but not for students.
He identified this when the IDS alerted for malware activities in the network. What should Bob do to
avoid this problem?
Questions and Answers PDF 43/252

A. Disable unused ports in the switches
B. Separate students in a different VLAN
C. Use the 802.1x protocol

D. Ask students to use the wireless network

Answer: C
Explanation:

Question: 91
A company’s policy requires employees to perform file transfers using protocols which encrypt
traffic. You suspect some employees are still performing file transfers using unencrypted protocols
because the employees do not like changes. You have positioned a network sniffer to capture traffic
from the laptops used by employees in the data ingest department. Using Wireshark to examine the
captured traffic, which command can be used as display filter to find unencrypted file transfers?

A. tcp.port = = 21
B. tcp.port = 23
C. tcp.port = = 21 | | tcp.port = =22
D. tcp.port ! = 21

Answer: A
Explanation:

Question: 92

You just set up a security system in your network. In what kind of system would you find the
following string of characters used as a rule within its configuration? alert tcp any any ->
192.168.100.0/24 21 (msg: ““FTP on the network!””;)

A. A firewall IPTable
B. FTP Server rule
C. A Router IPTable
D. An Intrusion Detection System

Answer: D
Explanation:

Question: 93

Which of the following program infects the system boot sector and the executable files at the same
time?

A. Polymorphic virus
Questions and Answers PDF 44/252

B. Stealth virus
C. Multipartite Virus
D. Macro virus

Answer: C
Explanation:

Question: 94
To determine if a software program properly handles a wide range of invalid input, a form of
automated testing can be used to randomly generate invalid input in an attempt to crash the
program.

What term is commonly used when referring to this type of testing?

A. Randomizing
B. Bounding
C. Mutating
D. Fuzzing

Answer: D
Explanation:

Question: 95

An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious
sequence of packets sent to a Web server in the network’s external DMZ. The packet traffic was
captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if
these packets are genuinely malicious or simply a false positive?

A. Protocol analyzer
B. Network sniffer
C. Intrusion Prevention System (IPS)
D. Vulnerability scanner

Answer: A
Explanation:

Question: 96
The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE’s Common
Vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the OpenSSL implementation
of the Transport Layer Security (TLS) protocols defined in RFC6520.
Questions and Answers PDF 45/252

What type of key does this bug leave exposed to the Internet making exploitation of any
compromised system very easy?

A. Public
B. Private
C. Shared
D. Root

Answer: B
Explanation:

Question: 97
Why should the security analyst disable/remove unnecessary ISAPI filters?

A. To defend against social engineering attacks
B. To defend against webserver attacks
C. To defend against jailbreaking
D. To defend against wireless attacks

Answer: B
Explanation:

Question: 98
Which of the following is a component of a risk assessment?

A. Administrative safeguards
B. Physical security
C. DMZ
D. Logical interface

Answer: A
Explanation:

Question: 99
CompanyXYZ has asked you to assess the security of their perimeter email gateway. From your office
in New York, you craft a specially formatted email message and send it across the Internet to an
employee of CompanyXYZ. The employee of CompanyXYZ is aware of your test. Your email message
looks like this:

From: [email protected]
To: [email protected] Subject: Test message
Questions and Answers PDF 46/252

Date: 4/3/2017 14:37
The employee of CompanyXYZ receives your email message.

This proves that CompanyXYZ’s email gateway doesn’t prevent what?

A. Email Masquerading
B. Email Harvesting
C. Email Phishing
D. Email Spoofing

Answer: D
Explanation:

Email spoofing is the fabrication of an email header in the hopes of duping the recipient into thinking
the email originated from someone or somewhere other than the intended source. Because core
email protocols do not have a built-in method of authentication, it is common for spam and phishing
emails to use said spoofing to trick the recipient into trusting the origin of the message.
The ultimate goal of email spoofing is to get recipients to open, and possibly even respond to, a
solicitation. Although the spoofed messages are usually just a nuisance requiring little action besides
removal, the more malicious varieties can cause significant problems and sometimes pose a real
security threat.

Question: 100

Bob, a system administrator at TPNQM SA, concluded one day that a DMZ is not needed if he
properly configures the firewall to allow access just to servers/ports, which can have direct internet
access, and block the access to workstations.
Bob also concluded that DMZ makes sense just when a stateful firewall is available, which is not the
case of TPNQM SA.
In this context, what can you say?

A. Bob can be right since DMZ does not make sense when combined with stateless firewalls
B. Bob is partially right. He does not need to separate networks if he can create rules by destination
IPs, one by one
C. Bob is totally wrong. DMZ is always relevant when the company has internet servers and
workstations
D. Bob is partially right. DMZ does not make sense when a stateless firewall is available

Answer: C
Explanation:

Question: 101

Bob is acknowledged as a hacker of repute and is popular among visitors of "underground" sites.
Bob is willing to share his knowledge with those who are willing to learn, and many ha