Uploaded by StatuesqueAntigorite3952
Bahrain Polytechnic
#### Chapter 1 Introduction to Ethical Hacking, Ethics, and Legality

1. Which of the following statements best describes a white-hat hacker?
   - A. Security professional
   - B. Former black hat
   - C. Former gray hat
   - D. Malicious hacker
2. A security audit performed on the internal network of an organization by the network administration is also known as.
   - A. Gray-box testing
   - B. Black-box testing
   - C. White-box testing
   - D. Active testing
   - E. Passive testing
3. What is the first phase of hacking?
   - A. Attack
   - B. Maintaining access
   - C. Gaining access
   - D. Reconnaissance
   - E. Scanning
4. What type of ethical hack tests access to the physical infrastructure?
   - A. Internal network
   - B. Remote network
   - C. External network
   - D. Physical access
5. The security, functionality, and ease of use triangle illustrates which concept?
   - A. As security increases, functionality and ease of use increase.
   - B. As security decreases, functionality and ease of use increase.
   - C. As security decreases, functionality and ease of use decrease.
   - D. Security does not affect functionality and ease of use.
6. Which type of hacker represents the highest risk to your network?
   - A. Disgruntled employees
   - B. Black-hat hackers
   - C. Gray-hat hackers
   - D. Script kiddies
7. What are the three phases of a security evaluation plan? (Choose three answers.)
   - A. Security evaluation
   - B. Preparation
   - C. Conclusion
   - D. Final
   - E. Reconnaissance
   - F. Design security
   - G. Vulnerability assessment
8. Hacking for a cause is called.
   - A. Active hacking
   - B. Hacktivism
   - C. Activism
   - D. Black-hat hacking
9. Which federal law is most commonly used to prosecute hackers?
   - A. Title 12
   - B. Title 18
   - C. Title 20
   - D. Title 2
10. When a hacker attempts to attack a host via the Internet, it is known as what type of attack?
    - A. Remote attack
    - B. Physical access
    - C. Local access
    - D. Internal attack
11. Which law allows for gathering of information on targets?
    - A. Freedom of Information Act
    - B. Government Paperwork Elimination Act
    - C. USA PATRIOT Act of 2001
    - D. Privacy Act of 1974
12. The Securely Protect Yourself Against Cyber Trespass Act prohibits which of the following? (Choose all that apply.)
    - A. Sending spam
    - B. Installing and using keystroke loggers
    - C. Using video surveillance
    - D. Implementing pop-up windows
13. Which step in the framework of a security audit is critical to protect the ethical hacker from legal liability?
    - A. Talk to the client prior to the testing.
    - B. Sign an ethical hacking agreement and NDA with the client prior to the testing.
    - C. Organize an ethical hacking team and prepare a schedule prior to testing.
    - D. Analyze the testing results and prepare a report.
14. Which of the following is a system, program, or network that is the subject of a security analysis?
    - A. Owned system
    - B. Vulnerability
    - C. Exploited system
    - D. Target of evaluation
15. Which term best describes a hacker who uses their hacking skills for destructive purposes?
    - A. Cracker
    - B. Ethical hacker
    - C. Script kiddie
    - D. White-hat hacker
16. MAC address spoofing is which type of attack?
    - A. Encryption
    - B. Brute-force
    - C. Authentication
    - D. Social engineering
17. Which law gives authority to intercept voice communications in computer hacking attempts?
    - A. Patriot Act
    - B. Telecommunications Act
    - C. Privacy Act
    - D. Freedom of Information Act
18. Which items should be included in an ethical hacking report? (Choose all that apply.)
    - A. Testing type
    - B. Vulnerabilities discovered
    - C. Suggested countermeasures
    - D. Router configuration information
19. Which type of person poses the most threat to an organization's security?
    - A. Black-hat hacker
    - B. Disgruntled employee
    - C. Script kiddie
    - D. Gray-hat hacker
20. Which of the following should be included in an ethical hacking report? (Choose all that apply.)
    - A. Findings of the test
    - B. Risk analysis
    - C. Documentation of laws
    - D. Ethics disclosure

#### Answers to Chapter 1

1. A. White-hat hackers are "good" guys who use their skills for defensive purposes.
2. C. White-box testing is a security audit performed with internal knowledge of the systems.
3. D. Reconnaissance is gathering information necessary to perform the attack.
4. D. Physical access tests access to the physical infrastructure.
5. B. As security increases, it makes it more difficult to use and less functional.
6. A. Disgruntled employees have information that can allow them to launch a powerful attack.
7. A, B, C. The three phases of a security evaluation plan are preparation, security evaluation, and conclusion.
8. B. Hacktivism is performed by individuals who claim to be hacking for a political or social cause.
9. B. Title 18 of the US Code is most commonly used to prosecute hackers.
10. A. An attack from the Internet is known as a remote attack.
11. A. The Freedom of Information Act ensures public release of many documents and records and can be a rich source of information on potential targets.
12. A, B, D. Sending spam, installing and using keystroke loggers, and implementing pop-up windows are all prohibited by the SPY ACT.
13. B. Signing an NDA agreement is critical to ensuring the testing is authorized and the ethical hacker has the right to access the client's systems.
14. D. A target of evaluation is a system, program, or network that is the subject of a security analysis. It is the target of the ethical hacker's attacks.
15. A. A cracker is a hacker who uses their hacking skills for destructive purposes.
16. C. MAC address spoofing is an authentication attack used to defeat MAC address filters.
17. A. The Patriot Act gives authority to intercept voice communications in many cases, including computer hacking.
18. A, B, C. All information about the testing process, vulnerabilities discovered in the network or system, and suggested countermeasures should be included in the ethical hacking report.
19. B. Disgruntled employees pose the biggest threat to an organization's security because of the information and access that they possess.
20. A, B. Findings of the test and risk analysis should both be included in an ethical hacking

#### Chapter 2 Gathering Target Information

1. Which are the four regional Internet registries?
   - A. APNIC, PICNIC, NANIC, RIPE NCC
   - B. APNIC, MOSTNIC, ARIN, RIPE NCC
   - C. APNIC, PICNIC, NANIC, ARIN
   - D. APNIC, LACNIC, ARIN, RIPE NCC
2. Which of the following is a tool for performing footprinting undetected?
   - A. Whois search
   - B. Traceroute
   - C. Ping sweep
   - D. Host scanning
3. Which of the following tools are used for footprinting? (Choose 3.)
   - A. Whois
   - B. Sam Spade
   - C. NMAP
   - D. SuperScan
   - E. NSlookup
4. What is the next immediate step to be performed after footprinting?
   - A. Scanning
   - B. Enumeration
   - C. System hacking
   - D. Bypassing an IDS
5. Which are good sources of information about a company or its employees? (Choose all that apply.)
   - A. Newsgroups
   - B. Job postings
   - C. Company website
   - D. Press releases
6. How does traceroute work?
   - A. It uses an ICMP destination-unreachable message to elicit the name of a router.
   - B. It sends a specially crafted IP packet to a router to locate the number of hops from the sender to the destination network.
   - C. It uses a protocol that will be rejected by the gateway to determine the location.
   - D. It uses the TTL value in an ICMP message to determine the number of hops from the sender to the router.
7. What is footprinting?
   - A. Measuring the shoe size of an ethical hacker
   - B. Accumulation of data by gathering information on a target
   - C. Scanning a target network to detect operating system types
   - D. Mapping the physical layout of a target's network
8. NSlookup can be used to gather information regarding which of the following?
   - A. Hostnames and IP addresses
   - B. Whois information
   - C. DNS server locations
   - D. Name server types and operating systems
9. Which of the following is a type of social engineering?
   - A. Shoulder surfing
   - B. User identification
   - C. System monitoring
   - D. Face-to-face communication
10. Which is an example of social engineering?
    - A. A user who holds open the front door of an office for a potential hacker
    - B. Calling a help desk and convincing them to reset a password for a user account
    - C. Installing a hardware keylogger on a victim's system to capture passwords
    - D. Accessing a database with a cracked password
11. What is the best way to prevent a social-engineering attack?
    - A. Installing a firewall to prevent port scans
    - B. Configuring an IDS to detect intrusion attempts
    - C. Increasing the number of help desk personnel
    - D. Employee training and education
12. Which of the following is the best example of reverse social engineering?
    - A. A hacker pretends to be a person of authority in order to get a user to give them information.
    - B. A help desk employee pretends to be a person of authority.
    - C. A hacker tries to get a user to change their password.
    - D. A user changes their password.
13. Using pop-up windows to get a user to give out information is which type of social-engineering attack?
    - A. Human-based
    - B. Computer-based
    - C. Nontechnical
    - D. Coercive
14. What is it called when a hacker pretends to be a valid user on the system?
    - A. Impersonation
    - B. Third-person authorization
    - C. Help desk
    - D. Valid user
15. What is the best reason to implement a security policy?
    - A. It increases security.
    - B. It makes security harder to enforce.
    - C. It removes the employee's responsibility to make judgments.
    - D. It decreases security.
16. Faking a website for the purpose of getting a user's password and username is which type of social-engineering attack?
    - A. Human-based
    - B. Computer-based
    - C. Web-based
    - D. User-based
17. Dumpster diving can be considered which type of social-engineering attack?
    - A. Human-based
    - B. Computer-based
    - C. Physical access
    - D. Paper-based
18. What information-gathering tool will give you information regarding the operating system of a web server?
    - A. NSlookup
    - B. DNSlookup
    - C. tracert
    - D. Netcraft
19. What tool is a good source of information for employee's names and addresses?
    - A. NSlookup
    - B. Netcraft
    - C. Whois
    - D. tracert
20. Which tool will only work on publicly traded companies?
    - A. EDGAR
    - B. NSlookup
    - C. Netcraft
    - D. Whois

#### Answers to Chapter 2

1. D. The four Internet registries are ARIN (American Registry of Internet Numbers), RIPE NCC (Europe, the Middle East, and parts of Central Asia), LACNIC (Latin American and Caribbean Internet Addresses Registry), and APNIC (Asia Pacific Network Information Centre).
2. A. Whois is the only tool listed that won't trigger an IDS alert or otherwise be detected by an organization.
3. A, B, E. Whois, Sam Spade, and NSlookup are all used to passively gather information about a target. NMAP and SuperScan are host and network scanning tools.
4. A. According to CEH methodology, scanning occurs after footprinting. Enumeration and system hacking are performed after footprinting. Bypassing an IDS would occur later in the hacking cycle.
5. A, B, C, D. Newsgroups, job postings, company websites, and press releases are all good sources for information gathering.
6. D. Traceroute uses the TTL values to determine how many hops the router is from the sender. Each router decrements the TTL by one under normal conditions.
7. B. Footprinting is gathering information about a target organization. Footprinting is not scanning a target network or mapping the physical layout of a target network.
8. A. NSlookup queries a DNS server for DNS records such as hostnames and IP addresses.
9. A. Of the choices listed here, shoulder surfing is considered a type of social engineering.
10. B. Calling a help desk and convincing them to reset a password for a user account is an example of social engineering. Holding open a door and installing a keylogger are examples of physical access intrusions. Accessing a database with a cracked password is system hacking.
11. D. Employee training and education is the best way to prevent a social-engineering attack.
12. A. When a hacker pretends to be a person of authority in order to get a user to ask them for information, it's an example of reverse social engineering.
13. B. Pop-up windows are a method of getting information from a user utilizing a computer. The other options do not require access to a computer.
14. A. Impersonation involves a hacker pretending to be a valid user on the system.
15. C. Security policies remove the employee's responsibility to make judgments regarding a potential social-engineering attack.

#### Chapter 3 Gathering Network and Host Information: Scanning and Enumeration

1. What port number does FTP use?
   - A. 21
   - B. 25
   - C. 23
   - D. 80
2. What port number does HTTPS use?
   - A. 443
   - B. 80
   - C. 53
   - D. 21
3. What is war dialing used for?
   - A. Testing firewall security
   - B. Testing remote access system security
   - C. Configuring a proxy filtering gateway
   - D. Configuring a firewall
4. Banner grabbing is an example of what?
   - A. Passive operating system fingerprinting
   - B. Active operating system fingerprinting
   - C. Footprinting
   - D. Application analysis
5. What are the three types of scanning?
   - A. Port, network, and vulnerability
   - B. Port, network, and services
   - C. Grey, black, and white hat
   - D. Server, client, and network
6. What is the main problem with using only ICMP queries for scanning?
   - A. The port is not always available.
   - B. The protocol is unreliable.
   - C. Systems may not respond because of a firewall.
   - D. Systems may not have the service running.
7. What does the TCP RST command do?
   - A. Starts a TCP connection
   - B. Restores the connection to a previous state
   - C. Finishes a TCP connection
   - D. Resets the TCP connection
8. What is the proper sequence of a TCP connection?
   - A. SYN-SYN-ACK-ACK
   - B. SYN-ACK-FIN
   - C. SYN-SYNACK-ACK
   - D. SYN-PSH-ACK
9. A packet with all flags set is which type of scan?
   - A. Full Open
   - B. Syn scan
   - C. XMAS
   - D. TCP connect
10. What is the proper command to perform an nmap SYN scan every 5 minutes?
    - A. nmap -ss - paranoid
    - B. nmap -sS -paranoid
    - C. nmap -sS -fast
    - D. nmap -sS -sneaky
11. To prevent a hacker from using SMB session hijacking, which TCP and UDP ports would you block at the firewall?
    - A. 167 and 137
    - B. 80 and 23
    - C. 139 and 445
    - D. 1277 and 1270
12. Why would an attacker want to perform a scan on port 137?
    - A. To locate the FTP service on the target host
    - B. To check for file and print sharing on Windows systems
    - C. To discover proxy servers on a network
    - D. To discover a target system with the NetBIOS null session vulnerability
13. SNMP is a protocol used to manage network infrastructure devices. What is the SNMP read/write community name used for?
    - A. Viewing the configuration information
    - B. Changing the configuration information
    - C. Monitoring the device for errors
    - D. Controlling the SNMP management station
14. Why would the network security team be concerned about ports 135-139 being open on a system?
    - A. SMB is enabled, and the system is susceptible to null sessions.
    - B. SMB is not enabled, and the system is susceptible to null sessions.
    - C. Windows RPC is enabled, and the system is susceptible to Windows DCOM remote sessions.
    - D. Windows RPC is not enabled, and the system is susceptible to Windows DCOM remote sessions.
15. Which step comes after enumerating users in the CEH hacking cycle?
    - A. Crack password
    - B. Escalate privileges
    - C. Scan
    - D. Cover tracks
16. What is enumeration?
    - A. Identifying active systems on the network
    - B. Cracking passwords
    - C. Identifying users and machine names
    - D. Identifying routers and firewalls
17. What is a command-line tool used to look up a username from a SID?
    - A. UsertoSID
    - B. Userenum
    - C. SID2User
    - D. GetAcct
18. Which tool can be used to perform a DNS zone transfer on Windows?
    - A. NSlookup
    - B. DNSlookup
    - C. Whois
    - D. IPconfig
19. What is a null session?
    - A. Connecting to a system with the administrator username and password
    - B. Connecting to a system with the admin username and password
    - C. Connecting to a system with a random username and password
    - D. Connecting to a system with no username and password
20. What is a countermeasure for SNMP enumeration?
    - A. Remove the SNMP agent from the device.
    - B. Shut down ports 135 and 139 at the firewall.
    - C. Shut down ports 80 and 443 at the firewall.
    - D. Enable SNMP read-only security on the agent device.

#### Answers to Chapter 3

1. A. FTP uses TCP port 21. This is a well-known port number and can be found in the Windows Services file.
2. A. HTTPS uses TCP port 443. This is a well-known port number and can be found in the Windows Services file.
3. B. War dialing involves placing calls to a series of numbers in hopes that a modem will answer the call. It can be used to test the security of a remote-access system.
4. A. Banner grabbing is not detectable; therefore it is considered passive OS fingerprinting.
5. A. Port, network, and vulnerability are the three types of scanning.
6. C. Systems may not respond to ICMP because they have firewall software installed that blocks the responses.
7. D. The TCP RST command resets the TCP connection.
8. A. A SYN packet is followed by a SYN-ACK packet. Then, an ACK finishes a successful TCP connection.
9. C. An XMAS scan has all flags set.
10. B. The command nmap -sS -paranoid performs a SYN scan every 300 seconds, or 5 minutes.
11. C. Block the ports used by NetBIOS null sessions. These are 139 and 445.
12. D. Port 137 is used for NetBIOS null sessions.
13. B. The SNMP read/write community name is the password used to make changes to the device configuration.
14. A. Ports in the 135 to 139 range indicate the system has SMB services running and is susceptible to null sessions.
15. A. Password cracking is the next step in the CEH hacking cycle after enumerating users.
16. C. Enumeration is the process of finding usernames, machine names, network shares, and services on the network.
17. C. SID2User is a command-line tool that is used to find a username from a SID.
18. A. NSlookup is a Windows tool that can be used to initiate a DNS zone transfer that sends all the DNS records to a hacker's system.
19. D. A null session involves connecting to a system with no username and password.
20. A. The best countermeasure to SNMP enumeration is to remove the SNMP agent from the device. Doing so prevents it from responding to SNMP requests.