2015年6月28日 星期日

0627(考題)-CEH認證考試

趁著腦袋還有印象,趕緊將題目記下來,答案選項中,紅粗字是我應答的答案,其中二題跟考古題的答案不同,題目用藍底者是我沒把握的,共有14題,本次考試我總共錯了2題,至於是哪2題,我也不知道:
  1. QUESTION:
    How many bits encryption does SHA-1 use?
    • A. 64 bits
    • B. 128 bits
    • C. 256 bits
    • D. 160 bits

  2. QUESTION
    Bob has been hired to do a web application security test. Bob notices that the site is dynamic and must make use of a back end database. Bob wants to see if SQL Injection would be possible. What is the first character that Bob should use to attempt breaking valid SQL request?
    • A. Semi Column
    • B. Double Quote
    • C. Single Quote
    • D. Exclamation Mark

  3. QUESTION
    This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes un-sanitized user-provided data.

    <ahref="http://foobar.com/index.html?id=%3Cscript%20src=%22http://baddomain.com/badscript.js %22%3E%3C/script%3E">See foobar</a>

    What is this attack?
    • A. Cross-site-scripting attack
    • B. SQL Injection
    • C. URL Traversal attack
    • D. Buffer Overflow attack

  4. QUESTION
    Least privilege is a security concept that requires that a user is
    • A. limited to those functions required to do the job.
    • B. given root or administrative privileges.
    • C. trusted to keep all data and access to that data under their sole control.
    • D. given privileges equal to everyone else in the department.

  5. QUESTION
    A covert channel is a channel that
    • A. transfers information over,within a computer system,or network that is outside of the security policy.
    • B. transfers information over,within a computer system,or network that is within the security policy.
    • C. transfers information via a communication path within a computer system,or network for transfer of data.
    • D. transfers information over,within a computer system,or network that is encrypted.

  6. QUESTION
    SOAP services use which technology to format information?
    • A. SATA
    • B. PCI
    • C. XML
    • D. ISDN

  7. QUESTION
    A security engineer is attempting to map a company's internal network. The engineer enters in the following NMAP commanD.

    NMAP -n -sS -P0 -p 80 ***.***.**.**

    What type of scan is this?
    • A. Quick scan
    • B. Intense scan
    • C. Stealth scan
    • D. Comprehensive scan

  8. QUESTION
    Which vital role does the U.S. Computer Security Incident Response Team (CSIRT) provide?
    • A. Incident response services to any user,company,government agency,or organization in partnership with the Department of Homeland Security
    • B. Maintenance of the nation Internet infrastructure,builds out new Internet infrastructure,and decommissions old Internet infrastructure
    • C. Registration of critical penetration testing for the Department of Homeland Security and public and private sectors
    • D. Measurement of key vulnerability assessments on behalf of the Department of Defense (DOD) and State Department,as well as private sectors

  9. QUESTION
    What is the broadcast address for the subnet 190.86.168.0/22?
    • A. 190.86.168.255
    • B. 190.86.255.255
    • C. 190.86.171.255
    • D. 190.86.169.255

  10. QUESTION
    John the Ripper is a technical assessment tool used to test the weakness of which of the following?
    • A. Usernames
    • B. File permissions
    • C. Firewall rulesets
    • D. Passwords

  11. QUESTION
    Which type of scan measures a person's external features through a digital video camera?
    • A. Iris scan
    • B. Retinal scan
    • C. Facial recognition scan
    • D. Signature kinetics scan

  12. QUESTION
    In order to show improvement of security over time, what must be developed?
    • A. Reports
    • B. Testing tools
    • C. Metrics
    • D. Taxonomy of vulnerabilities

  13. QUESTION
    In the software security development life cyle process, threat modeling occurs in which phase?
    • A. Design
    • B. Requirements
    • C. Verification
    • D. Implementation

  14. QUESTION
    Which of the following can take an arbitrary length of input and produce a message digest output of 160 bit?
    • A. SHA-1
    • B. MD5
    • C. HAVAL
    • D. MD4

  15. QUESTION
    A hacker, who posed as a heating and air conditioning specialist, was able to install a sniffer program in a switched environment network. Which attack could the hacker use to sniff all of the packets in the network?
    • A. Fraggle
    • B. MAC Flood
    • C. Smurf
    • D. Tear Drop

  16. QUESTION
    A company is using Windows Server 2003 for its Active Directory (AD). What is the most efficient way to crack the passwords for the AD users?
    • A. Perform a dictionary attack.
    • B. Perform a brute force attack.
    • C. Perform an attack with a rainbow table.
    • D. Perform a hybrid attack.

  17. QUESTION
    During a penetration test, the tester conducts an ACK scan using NMAP against the external interface of the DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which type of packet inspection is the firewall conducting?
    • A. Host
    • B. Stateful
    • C. Stateless
    • D. Application

  18. QUESTION
    What is the main reason the use of a stored biometric is vulnerable to an attack?
    • A. The digital representation of the biometric might not be unique,even if the physical characteristic is unique.
    • B. Authentication using a stored biometric compares a copy to a copy instead of the original to a copy.
    • C. A stored biometric is no longer "something you are" and instead becomes "something you have".
    • D. A stored biometric can be stolen and used by an attacker to impersonate the individual identified by the biometric.

  19. QUESTION
    Which of the following types of firewall inspects only header information in network traffic?
    • A. Packet filter
    • B. Stateful inspection
    • C. Circuit-level gateway
    • D. Application-level gateway

  20. QUESTION
    Which tool would be used to collect wireless packet data?
    • A. NetStumbler
    • B. John the Ripper
    • C. Nessus
    • D. Netcat

  21. QUESTION
    Some passwords are stored using specialized encryption algorithms known as hashes. Why is this an appropriate method?
    • A. It is impossible to crack hashed user passwords unless the key used to encrypt them is obtained.
    • B. If a user forgets the password,it can be easily retrieved using the hash key stored by administrators.
    • C. Hashing is faster compared to more traditional encryption algorithms.
    • D. Passwords stored using hashes are non-reversible, making finding the password much more difficult.

  22. QUESTION
    What is the main disadvantage of the scripting languages as opposed to compiled programming languages?
    • A. Scripting languages are hard to learn.
    • B. Scripting languages are not object-oriented.
    • C. Scripting languages cannot be used to create graphical user interfaces.
    • D. Scripting languages are slower because they require an interpreter to run the code.

  23. QUESTION
    Which of the following guidelines or standards is associated with the credit card industry?
    • A. Control Objectives for Information and Related Technology (COBIT)
    • B. Sarbanes-Oxley Act (SOX)
    • C. Health Insurance Portability and Accountability Act (HIPAA)
    • D. Payment Card Industry Data Security Standards (PCI DSS)

  24. QUESTION
    A bank stores and processes sensitive privacy information related to home loans. However, auditing has never been enabled on the system. What is the first step that the bank should take before enabling the audit feature?
    • A. Perform a vulnerability scan of the system.
    • B. Determine the impact of enabling the audit feature.
    • C. Perform a cost/benefit analysis of the audit feature.
    • D. Allocate funds for staffing of audit log review.

  25. QUESTION
    A consultant has been hired by the V.P. of a large financial organization to assess the company's security posture. During the security testing, the consultant comes across child pornography on the V.P.'s computer. What is the consultant's obligation to the financial organization?
    • A. Say nothing and continue with the security testing.
    • B. Stop work immediately and contact the authorities.
    • C. Delete the pornography,say nothing,and continue security testing.
    • D. Bring the discovery to the financial organization's human resource department.

  26. QUESTION
    How is sniffing broadly categorized?
    • A. Active and passive
    • B. Broadcast and unicast
    • C. Unmanaged and managed
    • D. Filtered and unfiltered

  27. QUESTION
    A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash. The technician researches the bug and discovers that no one else experienced the problem. What is the appropriate next step?
    • A. Ignore the problem completely and let someone else deal with it.
    • B. Create a document that will crash the computer when opened and send it to friends.
    • C. Find an underground bulletin board and attempt to sell the bug to the highest bidder.
    • D. Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.

  28. QUESTION
    What is the most secure way to mitigate the theft of corporate information from a laptop that was left in a hotel room?
    • A. Set a BIOS password.
    • B. Encrypt the data on the hard drive.
    • C. Use a strong logon password to the operating system.
    • D. Back up everything on the laptop and store the backup in a safe place.

  29. QUESTION
    The intrusion detection system at a software development company suddenly generates multiple alerts regarding attacks against the company's external webserver, VPN concentrator, and DNS servers. What should the security team do to determine which alerts to check first?
    • A. Investigate based on the maintenance schedule of the affected systems.
    • B. Investigate based on the service level agreements of the systems.
    • C. Investigate based on the potential effect of the incident.
    • D. Investigate based on the order that the alerts arrived in.

  30. QUESTION
    Which of the statements concerning proxy firewalls is correct?
    • A. Proxy firewalls increase the speed and functionality of a network.
    • B. Firewall proxy servers decentralize all activity for an application.
    • C. Proxy firewalls block network packets from passing to and from a protected network.
    • D. Computers establish a connection with a proxy firewall which initiates a new network connection for the client.

  31. QUESTION
    Which of the following is an example of two factor authentication?
    • A. PIN Number and Birth Date
    • B. Username and Password
    • C. Digital Certificate and Hardware Token
    • D. Fingerprint and Smartcard ID

  32. QUESTION
    A security consultant is trying to bid on a large contract that involves penetration testing and reporting. The company accepting bids wants proof of work so the consultant prints out several audits that have been performed. Which of the following is likely to occur as a result?
    • A. The consultant will ask for money on the bid because of great work.
    • B. The consultant may expose vulnerabilities of other companies.
    • C. The company accepting bids will want the same type of format of testing.
    • D. The company accepting bids will hire the consultant because of the great work performed.

  33. QUESTION
    A penetration tester is conducting a port scan on a specific host. The tester found several ports opened that were confusing in concluding the Operating System (OS) version installed.

    Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS?
    Starting NMAP 5.21 at 2011-03-15 11:06
    NMAP scan report for 172.16.40.65
    Host is up (1.00s latency).
    Not shown: 993 closed ports
    PORT STATE SERVICE
    21/tcp open ftp
    23/tcp open telnet
    80/tcp open http
    139/tcp open netbios-ssn
    515/tcp open
    631/tcp open ipp
    9100/tcp open
    MAC Address: 00:00:48:0D:EE:89
    • A. The host is likely a Windows machine.
    • B. The host is likely a Linux machine.
    • C. The host is likely a router.
    • D. The host is likely a printer.

  34. QUESTION
    For messages sent through an insecure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. While using a digital signature, the message digest is encrypted with which key?
    • A. Sender's public key
    • B. Receiver's private key
    • C. Receiver's public key
    • D. Sender's private key

  35. QUESTION
    Which method can provide a better return on IT security investment and provide a thorough and comprehensive assessment of organizational security covering policy, procedure design, and implementation?
    • A. Penetration testing
    • B. Social engineering
    • C. Vulnerability scanning
    • D. Access control list reviews

  36. QUESTION
    How does an operating system protect the passwords used for account logins?
    • A. The operating system performs a one-way hash of the passwords.
    • B. The operating system stores the passwords in a secret file that users cannot find.
    • C. The operating system encrypts the passwords, and decrypts them when needed.
    • D. The operating system stores all passwords in a protected segment of non-volatile memory.

  37. QUESTION
    Which of the following programs is usually targeted at Microsoft Office products?
    • A. Polymorphic virus
    • B. Multipart virus
    • C. Macro virus
    • D. Stealth virus

  38. QUESTION
    When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is
    • A. OWASP is for web applications and OSSTMM does not include web applications.
    • B. OSSTMM is gray box testing and OWASP is black box testing.
    • C. OWASP addresses controls and OSSTMM does not.
    • D. OSSTMM addresses controls and OWASP does not.

  39. QUESTION
    Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the network IDS?
    • A. Timing options to slow the speed that the port scan is conducted
    • B. Fingerprinting to identify which operating systems are running on the network
    • C. ICMP ping sweep to determine which hosts on the network are not available
    • D. Traceroute to control the path of the packets sent during the scan

  40. QUESTION
    The fundamental difference between symmetric and asymmetric key cryptographic systems is that symmetric key cryptography uses which of the following?
    • A. Multiple keys for non-repudiation of bulk data
    • B. Different keys on both ends of the transport medium
    • C. Bulk encryption for data transmission over fiber
    • D. The same key on each end of the transmission medium

  41. QUESTION
    Which command lets a tester enumerate alive systems in a class C network via ICMP using native Windows tools?
    • A. ping 192.168.2.
    • B. ping 192.168.2.255
    • C. for %V in (1 1 255) do PING 192.168.2.%V
    • D. for /L %V in (1 1 254) do PING -n 1 192.168.2.%V | FIND /I "Reply"

  42. QUESTION
    How can telnet be used to fingerprint a web server?
    • A. telnet webserverAddress 80 HEAD / HTTP/1.0
    • B. telnet webserverAddress 80 PUT / HTTP/1.0
    • C. telnet webserverAddress 80 HEAD / HTTP/2.0
    • D. telnet webserverAddress 80 PUT / HTTP/2.0

  43. QUESTION
    Which of the following problems can be solved by using Wireshark?
    • A. Tracking version changes of source code
    • B. Checking creation dates on all webpages on a server
    • C. Resetting the administrator password on multiple systems
    • D. Troubleshooting communication resets between two systems

  44. QUESTION
    Which of the following is an example of an asymmetric encryption implementation?
    • A. SHA1
    • B. PGP
    • C. 3DES
    • D. MD5

  45. QUESTION
    Which of the following is a characteristic of Public Key Infrastructure (PKI)?
    • A. Public-key cryptosystems are faster than symmetric-key cryptosystems.
    • B. Public-key cryptosystems distribute public-keys within digital signatures.
    • C. Public-key cryptosystems do not require a secure key distribution channel.
    • D. Public-key cryptosystems do not provide technical non-repudiation via digital signatures.
    考古題答案: B

  46. QUESTION
    What statement is true regarding LM hashes?
    • A. LM hashes consist in 48 hexadecimal characters.
    • B. LM hashes are based on AES128 cryptographic standard.
    • C. Uppercase characters in the password are converted to lowercase.
    • D. LM hashes are not generated when the password length exceeds 15 characters.

  47. QUESTION
    What is a successful method for protecting a router from potential smurf attacks?
    • A. Placing the router in broadcast mode
    • B. Enabling port forwarding on the router
    • C. Installing the router outside of the network's firewall
    • D. Disabling the router from accepting broadcast ping messages

  48. QUESTION
    The use of technologies like IPSec can help guarantee the following. authenticity, integrity, confidentiality and
    • A. non-repudiation.
    • B. operability.
    • C. security.
    • D. usability.

  49. QUESTION
    A security administrator notices that the log file of the company's webserver contains suspicious entries:

    \[20/Mar/2011:10:49:07\] "GET /login.php?user=test'+oR+3>2%20-- HTTP/1.1" 200 9958
    \[20/Mar/2011:10:51:02\] "GET /login.php?user=admin';%20-- HTTP/1.1" 200 9978

    The administrator decides to further investigate and analyze the source code of login php file

    php
    include('./../config/db_connect.php');
    $user = $_GET['user'];
    $pass = $_GET['pass'];
    $sql = "SELECT * FROM USERS WHERE username='$user' AND password = '$pass'";
    $result = mysql_query($sql) or die("couldn't execute query");

    if(mysql_num_rows($result) != 0) echo 'Authentication granted!';
    else echo 'Authentication failed!';
    ?>

    Based on source code analysis, the analyst concludes that the login.php script is vulnerable to
    • A. command injection.
    • B. SQL injection.
    • C. directory traversal.
    • D. LDAP injection.

  50. QUESTION
    A network security administrator is worried about potential man-in-the-middle attacks when users access a corporate web site from their workstations. Which of the following is the best remediation against this type of attack?
    • A. Implementing server-side PKI certificates for all connections
    • B. Mandating only client-side PKI certificates for all connections
    • C. Requiring client and server PKI certificates for all connections
    • D. Requiring strong authentication for all DNS queries

  51. QUESTION
    Bluetooth uses which digital modulation technique to exchange information between paired devices?
    • A. PSK (phase-shift keying)
    • B. FSK (frequency-shift keying)
    • C. ASK (amplitude-shift keying)
    • D. QAM (quadrature amplitude modulation)

  52. QUESTION
    A security consultant decides to use multiple layers of anti-virus defense, such as end user desktop anti-virus and E-mail gateway. This approach can be used to mitigate which kind of attack?
    • A. Forensic attack
    • B. ARP spoofing attack
    • C. Social engineering attack
    • D. Scanning attack

  53. QUESTION
    A security policy will be more accepted by employees if it is consistent and has the support of
    • A. coworkers.
    • B. executive management.
    • C. the security officer.
    • D. a supervisor.

  54. QUESTION
    Which of the following parameters enables NMAP's operating system detection feature?
    • A. NMAP -sV
    • B. NMAP -oS
    • C. NMAP -sR
    • D. NMAP -O

  55. QUESTION
    What is the correct PCAP filter to capture all TCP traffic going to or from host 192.168.0.125 on port 25?
    • A. tcp.src == 25 and ip.host == 192.168.0.125
    • B. host 192.168.0.125:25
    • C. port 25 and host 192.168.0.125
    • D. tcp.port == 25 and ip.host == 192.168.0.125
    考古題答案:D

  56. QUESTION
    Which element of Public Key Infrastructure (PKI) verifies the applicant?
    • A. Certificate authority
    • B. Validation authority
    • C. Registration authority
    • D. Verification authority

  57. QUESTION
    Which Open Web Application Security Project (OWASP) implements a web application full of known vulnerabilities?
    • A. WebBugs
    • B. WebGoat
    • C. VULN_HTML
    • D. WebScarab

  58. QUESTION
    A hacker is attempting to use nslookup to query Domain Name Service (DNS). The hacker uses the nslookup interactive mode for the search.
    Which command should the hacker type into the command shell to request the appropriate records?
    • A. Locate type=ns
    • B. Request type=ns
    • C. Set type=ns
    • D. Transfer type=ns

  59. QUESTION
    After gaining access to the password hashes used to protect access to a web based application, knowledge of which cryptographic algorithms would be useful to gain access to the application?
    • A. SHA1
    • B. Diffie-Helman
    • C. RSA
    • D. AES

  60. QUESTION
    An attacker has been successfully modifying the purchase price of items purchased on the company's web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the Intrusion Detection System (IDS) logs and found no attacks that could have caused this. What is the mostly likely way the attacker has been able to modify the purchase price?
    • A. By using SQL injection
    • B. By changing hidden form values
    • C. By using cross site scripting
    • D. By utilizing a buffer overflow attack

  61. QUESTION
    A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much information can be obtained from the firm's public facing web servers. The engineer decides to start by using netcat to port 80.
    The engineer receives this output:
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/6
    Expires: Tue, 17 Jan 2011 01:41:33 GMT
    Date. Mon, 16 Jan 2011 01:41:33 GMT
    Content-TypE. text/html
    Accept-Ranges: bytes
    Last-Modified. Wed, 28 Dec 2010 15:32:21 GMT
    Etag. "b0aac0542e25c31:89d"
    Content-Length: 7369
    Which of the following is an example of what the engineer performed?
    • A. Cross-site scripting
    • B. Banner grabbing
    • C. SQL injection
    • D. Whois database query

  62. QUESTION
    A security analyst in an insurance company is assigned to test a new web application that will be used by clients to help them choose and apply for an insurance plan. The analyst discovers that the application is developed in ASP scripting language and it uses MSSQL as a database backend. The analyst locates the application's search form and introduces the following code in the search input field.

    IMG SRC=vbscript:msgbox("Vulnerable");> originalAttribute="SRC" originalPath="vbscript:msgbox("Vulnerable");>"

    When the analyst submits the form, the browser returns a pop-up window that says "Vulnerable".

    Which web applications vulnerability did the analyst discover?
    • A. Cross-site request forgery
    • B. Command injection
    • C. Cross-site scripting
    • D. SQL injection

  63. QUESTION
    A hacker was able to sniff packets on a company's wireless network. The following information was discovered.

    The Key 10110010 01001011
    The Cyphertext 01100101 01011010

    Using the Exlcusive OR, what was the original message?
    • A. 00101000 11101110
    • B. 11010111 00010001
    • C. 00001101 10100100
    • D. 11110010 01011011

  64. QUESTION
    International Organization for Standardization (ISO) standard 27002 provides guidance for compliance by outlining
    • A. guidelines and practices for security controls.
    • B. financial soundness and business viability metrics.
    • C. standard best practice for configuration management.
    • D. contract agreement writing standards.

  65. QUESTION
    Which solution can be used to emulate computer services, such as mail and ftp, and to capture information related to logins or actions?
    • A. Firewall
    • B. Honeypot
    • C. Core server
    • D. Layer 4 switch

  66. QUESTION
    A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over ports 20 and 21. During analysis, there were no signs of attack on the FTP servers. How should the administrator classify this situation?
    • A. True negatives
    • B. False negatives
    • C. True positives
    • D. False positives

  67. QUESTION
    Which of the following settings enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity?
    • A. Netstat WMI Scan
    • B. Silent Dependencies
    • C. Consider unscanned ports as closed
    • D. Reduce parallel connections on congestion

  68. QUESTION
    Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. Which of the following is the correct bit size of the Diffie-Hellman (DH) group 5?
    • A. 768 bit key
    • B. 1025 bit key
    • C. 1536 bit key
    • D. 2048 bit key

  69. QUESTION
    Which results will be returned with the following Google search query?

    site:target.com -site:Marketing.target.com accounting
    • A. Results matching all words in the query
    • B. Results matching "accounting" in domain target.com but not on the site Marketing.target.com
    • C. Results from matches on the site marketing.target.com that are in the domain target.com but do not include the word accounting
    • D. Results for matches on target.com and Marketing.target.com that include the word "accounting"

  70. QUESTION
    Which type of security document is written with specific step-by-step details?
    • A. Process
    • B. Procedure
    • C. Policy
    • D. Paradigm

  71. QUESTION
    How can rainbow tables be defeated?
    • A. Password salting
    • B. Use of non-dictionary words
    • C. All uppercase character passwords
    • D. Lockout accounts under brute force password cracking attempts

  72. QUESTION
    A developer for a company is tasked with creating a program that will allow customers to update their billing and shipping information. The billing address field used is limited to 50 characters. What pseudo code would the developer use to avoid a buffer overflow attack on the billing address field?
    • A. if (billingAddress = 50) {update field} else exit
    • B. if (billingAddress != 50) {update field} else exit
    • C. if (billingAddress >= 50) {update field} else exit
    • D. if (billingAddress <= 50) {update field} else exit

  73. QUESTION
    If the final set of security controls does not eliminate all risk in a system, what could be done next?
    • A. Continue to apply controls until there is zero risk.
    • B. Ignore any remaining risk.
    • C. If the residual risk is low enough,it can be accepted.
    • D. Remove current controls since they are not completely effective.

  74. QUESTION
    What is one thing a tester can do to ensure that the software is trusted and is not changing or tampering with critical data on the back end of a system it is loaded on?
    • A. Proper testing
    • B. Secure coding principles
    • C. Systems security and architecture review
    • D. Analysis of interrupts within the software

  75. QUESTION
    Which of the following algorithms provides better protection against brute force attacks by using a 160-bit message digest?
    • A. MD5
    • B. SHA-1
    • C. RC4
    • D. MD4

  76. QUESTION
    Company A and Company B have just merged and each has its own Public Key Infrastructure (PKI). What must the Certificate Authorities (CAs) establish so that the private PKIs for Company A and Company B trust one another and each private PKI can validate digital certificates from the other company?
    • A. Poly key exchange
    • B. Cross certification
    • C. Poly key reference
    • D. Cross-site exchange

  77. QUESTION
    What is the best defense against privilege escalation vulnerability?
    • A. Patch systems regularly and upgrade interactive login privileges at the system administrator level.
    • B. Run administrator and applications on least privileges and use a content registry for tracking.
    • C. Run services with least privileged accounts and implement multi-factor authentication and authorization.
    • D. Review user roles and administrator privileges for maximum utilization of automation services.

  78. QUESTION
    Fingerprinting VPN firewalls is possible with which of the following tools?
    • A. Angry IP
    • B. Nikto
    • C. Ike-scan
    • D. Arp-scan

  79. QUESTION
    A company has publicly hosted web applications and an internal Intranet protected by a firewall. Which technique will help protect against enumeration?
    • A. Reject all invalid email received via SMTP.
    • B. Allow full DNS zone transfers.
    • C. Remove A records for internal hosts.
    • D. Enable null session pipes.

  80. QUESTION
    Which of the following cryptography attack methods is usually performed without the use of a computer?
    • A. Ciphertext-only attack
    • B. Chosen key attack
    • C. Rubber hose attack
    • D. Rainbow table attack

  81. QUESTION
    What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?
    • A. Injecting parameters into a connection string using semicolons as a separator
    • B. Inserting malicious Javascript code into input parameters
    • C. Setting a user's session identifier (SID) to an explicit known value
    • D. Adding multiple parameters with the same name in HTTP requests

  82. QUESTION
    Which of the following open source tools would be the best choice to scan a network for potential targets?
    • A. NMAP
    • B. NIKTO
    • C. CAIN
    • D. John the Ripper

  83. QUESTION
    Which cipher encrypts the plain text digit (bit or byte) one by one?
    • A. Classical cipher
    • B. Block cipher
    • C. Modern cipher
    • D. Stream cipher

  84. QUESTION
    WPA2 uses AES for wireless data encryption at which of the following encryption levels?
    • A. 64 bit and CCMP
    • B. 128 bit and CRC
    • C. 128 bit and CCMP
    • D. 128 bit and TKIP

  85. QUESTION
    Which of the following network attacks relies on sending an abnormally large packet size that exceeds TCP/IP specifications?
    • A. Ping of death
    • B. SYN flooding
    • C. TCP hijacking
    • D. Smurf attack

  86. QUESTION
    Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run?
    • A. Cavity virus
    • B. Polymorphic virus
    • C. Tunneling virus
    • D. Stealth virus

  87. QUESTION
    Which of the following techniques does a vulnerability scanner use in order to detect a vulnerability on a target service?
    • A. Port scanning
    • B. Banner grabbing
    • C. Injecting arbitrary data
    • D. Analyzing service response

  88. QUESTION
    Which of the following is a preventive control?
    • A. Smart card authentication
    • B. Security policy
    • C. Audit trail
    • D. Continuity of operations plan

  89. QUESTION
    The precaution of prohibiting employees from bringing personal computing devices into a facility is what type of security control?
    • A. Physical
    • B. Procedural
    • C. Technical
    • D. Compliance

  90. QUESTION
    A botnet can be managed through which of the following?
    • A. IRC
    • B. E-Mail
    • C. Linkedin and Facebook
    • D. A vulnerable FTP server

  91. QUESTION
    Which of the following is a strong post designed to stop a car?
    • A. Gate
    • B. Fence
    • C. Bollard
    • D. Reinforced rebar

  92. QUESTION
    While performing data validation of web content, a security technician is required to restrict malicious input. Which of the following processes is an efficient way of restricting malicious input?
    • A. Validate web content input for query strings.
    • B. Validate web content input with scanning tools.
    • C. Validate web content input for type,length,and range.
    • D. Validate web content input for extraneous queries.

  93. QUESTION
    A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access point. The computer is able to transfer files locally to other machines, but cannot successfully reach the Internet. When the technician examines the IP address and default gateway they are both on the 192.168.1.0/24.
    Which of the following has occurred?
    • A. The gateway is not routing to a public IP address.
    • B. The computer is using an invalid IP address.
    • C. The gateway and the computer are not on the same network.
    • D. The computer is not using a private IP address.

  94. QUESTION
    A Network Administrator was recently promoted to Chief Security Officer at a local university. One of employee's new responsibilities is to manage the implementation of an RFID card access system to a new server room on campus. The server room will house student enrollment information that is securely backed up to an off-site location.

    During a meeting with an outside consultant, the Chief Security Officer explains that he is concerned that the existing security controls have not been designed properly. Currently, the Network Administrator is responsible for approving and issuing RFID card access to the server room, as well as reviewing the electronic access logs on a weekly basis.

    Which of the following is an issue with the situation?
    • A. Segregation of duties
    • B. Undue influence
    • C. Lack of experience
    • D. Inadequate disaster recovery plan

  95. QUESTION
    What is the main advantage that a network-based IDS/IPS system has over a host-based solution?
    • A. They do not use host system resources.
    • B. They are placed at the boundary,allowing them to inspect all traffic.
    • C. They are easier to install and configure.
    • D. They will not interfere with user interfaces.

  96. QUESTION
    An attacker uses a communication channel within an operating system that is neither designed nor intended to transfer information. What is the name of the communications channel?
    • A. Classified
    • B. Overt
    • C. Encrypted
    • D. Covert

  97. QUESTION
    Which of the following is used to indicate a single-line comment in structured query language (SQL)?
    • A. --
    • B. ||
    • C. %%
    • D. ''

  98. QUESTION
    How can a policy help improve an employee's security awareness?
    • A. By implementing written security procedures,enabling employee security training,and promoting the benefits of security
    • B. By using informal networks of communication,establishing secret passing procedures,and immediately terminating employees 
    • C. By sharing security secrets with employees,enabling employees to share secrets,and establishing a consultative help line
    • D. By decreasing an employee's vacation time,addressing ad-hoc employment clauses,and ensuring that managers know employee strengths

  99. QUESTION
    Which statement is TRUE regarding network firewalls preventing Web Application attacks?
    • A. Network firewalls can prevent attacks because they can detect malicious HTTP traffic.
    • B. Network firewalls cannot prevent attacks because ports 80 and 443 must be opened.
    • C. Network firewalls can prevent attacks if they are properly configured.
    • D. Network firewalls cannot prevent attacks because they are too complex to configure.

  100. QUESTION
    Which of the following does proper basic configuration of snort as a network intrusion detection system require?
    • A. Limit the packets captured to the snort configuration file.
    • B. Capture every packet on the network segment.
    • C. Limit the packets captured to a single segment.
    • D. Limit the packets captured to the /var/log/snort directory.

  101. QUESTION
    What information should an IT system analysis provide to the risk assessor?
    • A. Management buy-in
    • B. Threat statement
    • C. Security architecture
    • D. Impact analysis

  102. QUESTION
    Which security strategy requires using several, varying methods to protect IT systems against attacks?
    • A. Defense in depth
    • B. Three-way handshake
    • C. Covert channels
    • D. Exponential backoff algorithm

  103. QUESTION
    Which of the following can the administrator do to verify that a tape backup can be recovered in its entirety?
    • A. Restore a random file.
    • B. Perform a full restore.
    • C. Read the first 512 bytes of the tape.
    • D. Read the last 512 bytes of the tape.

  104. QUESTION
    An NMAP scan of a server shows port 69 is open. What risk could this pose?
    • A. Unauthenticated access
    • B. Weak SSL version
    • C. Cleartext login
    • D. Web portal data leak

  105. QUESTION
    Which of the following defines the role of a root Certificate Authority (CA) in a Public Key Infrastructure (PKI)?
    • A. The root CA is the recovery agent used to encrypt data when a user's certificate is lost.
    • B. The root CA stores the user's hash value for safekeeping.
    • C. The CA is the trusted root that issues certificates.
    • D. The root CA is used to encrypt email messages to prevent unintended disclosure of data.

  106. QUESTION
    Firewalk has just completed the second phase (the scanning phase) and a technician receives the output shown below. What conclusions can be drawn based on these scan results?

    TCP port 21 - no response
    TCP port 22 - no response
    TCP port 23 - Time-to-live exceeded

    • A. The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target host.
    • B. The lack of response from ports 21 and 22 indicate that those services are not running on the destination server.
    • C. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall.
    • D. The scan on port 23 was able to make a connection to the destination host prompting the firewall to respond with a TTL error.

  107. QUESTION
    What results will the following command yield. 'NMAP -sS -O -p 123-153 192.168.100.3'?
    • A. A stealth scan,opening port 123 and 153
    • B. A stealth scan,checking open ports 123 to 153
    • C. A stealth scan,checking all open ports excluding ports 123 to 153
    • D. A stealth scan,determine operating system,and scanning ports 123 to 153

  108. QUESTION
    A pentester gains acess to a Windows application server and needs to determine the settings of the built-in Windows firewall. Which command would be used?
    • A. Netsh firewall show config
    • B. WMIC firewall show config
    • C. Net firewall show config
    • D. Ipconfig firewall show config

  109. QUESTION
    A newly discovered flaw in a software application would be considered which kind of security vulnerability?
    • A. Input validation flaw
    • B. HTTP header injection vulnerability
    • C. 0-day vulnerability
    • D. Time-to-check to time-to-use flaw

  110. QUESTION
    What are the three types of authentication?
    • A. Something you: know,remember,prove
    • B. Something you: have,know,are
    • C. Something you: show,prove,are
    • D. Something you: show,have,prove

  111. QUESTION
    What are the three types of compliance that the Open Source Security Testing Methodology Manual (OSSTMM) recognizes?
    • A. Legal,performance,audit
    • B. Audit,standards based,regulatory
    • C. Contractual,regulatory,industry
    • D. Legislative,contractual,standards based

  112. QUESTION
    Which of the following business challenges could be solved by using a vulnerability scanner?
    • A. Auditors want to discover if all systems are following a standard naming convention.
    • B. A web server was compromised and management needs to know if any further systems were compromised.
    • C. There is an emergency need to remove administrator access from multiple machines for an employee that quit.
    • D. There is a monthly requirement to test corporate compliance with host application usage and security policies.

  113. QUESTION
    If an e-commerce site was put into a live environment and the programmers failed to remove the secret entry point that was used during the application development, what is this secret entry point known as?
    • A. SDLC process
    • B. Honey pot
    • C. SQL injection
    • D. Trap door

  114. QUESTION
    Which statement best describes a server type under an N-tier architecture?
    • A. A group of servers at a specific layer
    • B. A single server with a specific role
    • C. A group of servers with a unique role
    • D. A single server at a specific layer

  115. QUESTION
    During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this vulnerability?
    • A. The web application does not have the secure flag set.
    • B. The session cookies do not have the HttpOnly flag set.
    • C. The victim user should not have an endpoint security solution.
    • D. The victim's browser must have ActiveX technology enabled.

  116. QUESTION
    Which protocol and port number might be needed in order to send log messages to a log analysis tool that resides behind a firewall?
    • A. UDP 123
    • B. UDP 541
    • C. UDP 514
    • D. UDP 415

  117. QUESTION
    A certified ethical hacker (CEH) is approached by a friend who believes her husband is cheating. She offers to pay to break into her husband's email account in order to find proof so she can take him to court. What is the ethical response?
    • A. Say no; the friend is not the owner of the account.
    • B. Say yes; the friend needs help to gather evidence.
    • C. Say yes; do the job for free.
    • D. Say no; make sure that the friend knows the risk she's asking the CEH to take.

  118. QUESTION
    The network administrator for a company is setting up a website with e-commerce capabilities. Packet sniffing is a concern because credit card information will be sent electronically over the Internet. Customers visiting the site will need to encrypt the data with HTTPS. Which type of certificate is used to encrypt and decrypt the data?
    • A. Asymmetric
    • B. Confidential
    • C. Symmetric
    • D. Non-confidential

  119. QUESTION
    Which security control role does encryption meet?
    • A. Preventative
    • B. Detective
    • C. Offensive
    • D. Defensive

  120. QUESTION
    A pentester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pentester pivot using Metasploit?
    • A. Issue the pivot exploit and set the meterpreter.
    • B. Reconfigure the network settings in the meterpreter.
    • C. Set the payload to propagate through the meterpreter.
    • D. Create a route statement in the meterpreter.

  121. QUESTION
    A company has hired a security administrator to maintain and administer Linux and Windows-based systems. Written in the nightly report file is the following.

    Firewall log files are at the expected value of 4 MB. The current time is 12am. Exactly two hours  later the size has decreased considerably. Another hour goes by and the log files have shrunk in size again.

    Which of the following actions should the security administrator take?
    • A. Log the event as suspicious activity and report this behavior to the incident response team immediately.
    • B. Log the event as suspicious activity,call a manager,and report this as soon as possible.
    • C. Run an anti-virus scan because it is likely the system is infected by malware.
    • D. Log the event as suspicious activity,continue to investigate,and act according to the site's security policy.

  122. QUESTION
    A hacker is attempting to see which IP addresses are currently active on a network. Which NMAP switch would the hacker use?
    • A. -sO
    • B. -sP
    • C. -sS
    • D. -sU

  123. QUESTION
    The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities?
    • A. An attacker,working slowly enough,can evade detection by the IDS.
    • B. Network packets are dropped if the volume exceeds the threshold.
    • C. Thresholding interferes with the IDS' ability to reassemble fragmented packets.
    • D. The IDS will not distinguish among packets originating from different sources.

  124. QUESTION
    Which of the following is considered an acceptable option when managing a risk?
    • A. Reject the risk.
    • B. Deny the risk.
    • C. Mitigate the risk.
    • D. Initiate the risk.

  125. QUESTION
    Vulnerability mapping occurs after which phase of a penetration test?
    • A. Host scanning
    • B. Passive information gathering
    • C. Analysis of host scanning
    • D. Network level discovery

3 則留言:

  1. 同學!我是跟你同一班上課的,拜讀你這篇文章後,我也於今日順利考上CEH囉!感恩~

    回覆刪除
    回覆
    1. 恭禧您! 這是您努力的成果。

      刪除
  2. 陳先生,您好:
    感謝您的分享,您的網站對我受益良多。
    碰巧QUESTION 45是我熟知的領域,也許您已經知道了,但我還是分享一下我的見解。

    此題的(B)(C)描述皆正確,PKI確實不需要金鑰的安全通道(選項C);
    然而,C並不能稱得上是PKI的特徵(特色)。
    選項(B)的數位簽章更加符合本提問題主旨,(B)會比(C)更合適,
    故此題單選答案應選(B)。

    回覆刪除