CEH

Question 1

What is the nmap parameter for aggressive scanning?

Answer 1

-A

Question 2

What is the nmap parameter for enabling the script engine?

Answer 2

-sC

Question 3

What is the nmap parameter used for OS fingerprinting?

Answer 3

-O

Question 4

What is the nmap parameter used to identify the path taken by a packet as it travels toward the destination?

Answer 4

–traceroute

Question 5

What nmap parameter is used to disable ICMP pings?

Answer 5

• P0 or -PN (old)

- Pn (new)

Question 6

What nmap parameter configures nmap to perform a stealth scan, also known as a SYN scan or half-open scan?

Answer 6

-sS

Question 7

What nmap parameter configures nmap to disable DNS?

Answer 7

-n

Question 8

What nmap parameter configures nmap to always perform DNS?

Answer 8

-R

Question 9

What nmap command is equivalent to nmap -A?

Answer 9

nmap -sV -sC -O –traceroute

Question 10

What is JXplorer?

Answer 10

Java-based LDAP browser

Question 11

What is Luma?

Answer 11

Python-based LDAP browser

Question 12

What is Coral Directory?

Answer 12

LDAP browser specific to Windows 2000 or later

Question 13

What are Cloudborne attacks?

How can they be mitigated?

Answer 13

firmware backdoor is installed on cloud server that is later repurposed for another client

Reflash the firmware on a server before repurposing it

Question 14

What was Operation Cloud Hopper?

Answer 14

Spear phishing was used to infiltrate cloud provider networks, enabling attackers to compromise target data stored in the cloud

Question 15

Which MIB stores information about TCP/IP on network hosts as well as information about SNMP configuration itself?

Answer 15

MIB_II

Question 16

Which MIB contains information about the network traffic between hosts and DHCP servers?

Answer 16

DHCP.MIB

Question 17

Which MIB contains information about workstation and server services?

Answer 17

LMMIB2.MIB

Question 18

Which MIB contains information the windows internet name service, a name resolution service for NetBIOS?

Answer 18

WINS.MIB

Question 19

Which MIB contains information about managing and monitoring resources on hosts on the network, such as host’s date and time, users, processes, memory, physical storage, etc.?

Answer 19

HOSTMIB.MIB

Question 20

What is KoreK chopchop?

Answer 20

An attack that can decrypt a WEP packet without requiring the key

Question 21

What is KRACK?

Answer 21

Key Reinstallation Attack. Replay attack that exploits WPA2’s four-way handshake process.
The attacker captures the shared secret and tricks the victim into reinstalling a key that is already in use.

Question 22

What type of information is included in a WHOIS query?

Answer 22

information about the IP network range from which the IP address was allocated
technical, administrative, and billing contact information for the parties associated with a particular domain name

Question 23

Which DNS records contain information about the OSs implemented and the hardware platforms in an organization?

Answer 23

HINFO

Question 24

Which nmap parameter configures nmap to perform an ACK scan?

Answer 24

-sA

Question 25

What is a DROWN attack?

Answer 25

a vulnerability in servers that support SSLv2 related to its handling of the cipher text in an RSA certificate during the initial handshake

Question 26

What is a linear cryptanalysis attack?

Answer 26

using both the plain text and corresponding cipher text to extract an encryption key. Also known as a known plaintext attack

Question 27

Describe blowfish

Answer 27

A symmetric 64-bit block cipher that uses a variable-length key ranging from 32 to 448 bits

Question 28

Describe Twofish

Answer 28

A symmetric 128-bit block cipher that uses a key length of 128 or 256 bits

Question 29

Describe IDEA

Answer 29

A symmetric 64-bit block cipher that uses a 128-bit key. It uses a series of eight rounds of 64-bit block encryption

Question 30

Describe AES

Answer 30

A symmetric block cipher with 128 bit block size that uses a key length of 128, 192, or 256 bits

Question 31

Describe 3DES

Answer 31

A 64-bit block symmetric encryption algorithm that uses multiple 56-bit passes to encrypt data, resulting in a 168-bit key

Question 32

Describe RSA

Answer 32

An asymmetric encryption algorithm that uses prime numbers to generate keys, recommended at least 2048 bits long.

Question 33

Describe SHA1

Answer 33

A hashing algorithm that creates a 160-bit hash

Question 34

Which key is created when a TPM is manufactured?

Answer 34

endorsement key

Question 35

Which key is created when a user takes ownership of a TPM?

Answer 35

storage root key

Question 36

What is an STP attack?

Answer 36

rogue switch added to network and advertises as having the lowest bridge priority value, making it a root bridge

Question 37

What is switch spoofing?

Answer 37

a VLAN hopping attack in which an attacker configures their system to act like a switch with a trunk port and uses DTP (dynamic trunking protocol) to negotiate a trunk link with a switch port

Question 38

What is a MITC attack?

Answer 38

Attacker uses malware to steal synchronization tokens used to authenticate and synchronize data with cloud providers

Question 39

How can MITC attacks be mitigated?

Answer 39

Educating users about social engineering

Installing a CASB

Question 40

What is HULK?

Answer 40

HTTP Unbearable Load King tool

A tool that can initiate an HTTP flood and can evade IDSs

Question 41

What is MEDUSA?

Answer 41

Tool used to gather open-source intelligence (OSINT) from social media platforms

Question 42

What is hootsuite?

Answer 42

A social media management platform

Question 43

What is VisualRotue?

Answer 43

a suite of networking tools that can visualize networking issues

Question 44

Which port does SMB use?

Answer 44

445

Question 45

Which port does SNMP use?

Answer 45

161 and 162

Question 46

What algorithms do the different wireless protocols use to encrypt communications?

Answer 46

WEP: RC4
WPA: TKIP
WPA2: AES-CCMP
WPA3: AES-GCMP

Question 47

What is dnsenum?

Answer 47

a Perl script used to enumerate DNS information

Question 48

What is Bluto?

Answer 48

a python script that can query a target domain for MX and NS records and can perform an AXFR query to discover subdomains. Can also brute force using Alexa Top 1 Million subdomains list

Question 49

What is SubBrute?

Answer 49

a python script used for DNS enumeration that recursively crawls enumerated DNS records similar to how a search engine spider crawls a website. Can enumerate any DNS record type

Question 50

What is InstaRecon?

Answer 50

A python-based DNS enumeration tool which adds the ability to use Shodan for performing queries and can perform reverse DNS lookups on an entire IP range

Question 51

What do the various error directives in a php.ini file do?

Answer 51

error_log: configures the error log itself
log_errors: whether or not to write errors to log
display_errors: whether or not to display errors on browser
error_reporting: determines the level at which the PHP process will produce error messages

Question 52

What is DGA?

Answer 52

Domain Generation Algorithm. Attack relying on domains that have not yet been categorized or classified by a reputation-based security system.
Commonly used to ensure that C2 systems remain accessible.
Malware dynamically generates predicable list of domain names that can be used to contact C2 server

Question 53

What is fast fluxing?

Answer 53

Using a network of compromised hosts to proxy services for an attacker. The attackers communications are dynamically proxied through the botnet, making it difficult for the security team to blacklist the IP of the hosts of the botnet

Can be mitigated by taking down the domain server that corresponds to the malicious domain

Question 54

What is double fluxing?

Answer 54

similar to fast fluxing, but a separate botnet is used to proxy the DNS services for the attacker, protecting the attacker’s DNS server from takedown efforts

Can be mitigated by contacting the appropriate Top Level Domain (TLD) registrar to take down the domain

Question 55

What does the mod_negotiation module do on an Apache server?

Answer 55

Disables file extensions on the server. The file extensions are not revealed in the URL, and the extension of the file returned by the server is based on the browser’s preferences

Question 56

Which parameter should be used to silence error messages when using the curl command to scrape hyperlinks from a webpage?

Answer 56

-s

Question 57

What is a DNS DDoS?

Answer 57

Flooding TCP port 53 of a DNS server with illegitimate traffic to deny access to the server

Question 58

What is a DNS amplification attack?

Answer 58

A DRDoS attack in which attackers send a flood of DNS queries from their own servers, but the queries contain spoofed source addresses that are sent to the address of the target

Question 59

What is DNS tunneling?

Answer 59

data exfiltration technique in which nonstandard traffic is sent over TCP port 53 in order to bypass firewall protections

Question 60

What does the NSE smb-os-discovery script return?

Answer 60

OS
Computer name
Domain name
Forest name
FQDN
NetBIOS name
NetBIOS domain name
Workgroup
System time

Question 61

What does the NSE enip-info script return?

Answer 61

If target device is listening on port 44818:
Device type
vendor ID
Product name
Serial number
Product Code
Revision number
Status
State
IP Address

Question 62

What does the netbus-info NSE script return?

Answer 62

Uses port 12345 to return:
Applications
Installation path
Restart persistence
User login ID
number of connected clients
Log settings
Password
Email address
SMTP server
Sound volume settings

Question 63

What does the http-enum NSE script return?

Answer 63

exposed applications, directories, and files on web servers

Question 64

What does a passive aLTEr attack do?

Answer 64

Uses OSI Layer 2 meta-information to determine which sites a user visits

Question 65

What is an active aLTEr attack?

Answer 65

Attacker simulates a legitimate cell tower to redirect connections

Question 66

What is Maltego?

Answer 66

Software used for OSINT and forensics. Specializes in displaying info in graph format. Permits creating custom entities, allowing it to represent any type of information.

Question 67

What was the previous name for Wireshark?

Answer 67

Ethereal

Question 68

What is Nessus?

Answer 68

A proprietary vulnerability scanner

Question 69

What TTL value indicates a Windows OS?

Answer 69

128

Question 70

Describe the four iOS jailbreaking techniques

Answer 70

Tethered: Computer is required to boot and maintain jailbreak after restart
Untethered: Device remains jailbroken after restarting
Semi-tethered: Rebooting returns device to non-jailbroken status. Must use a computer to re-jailbreak
Semi-untethered: Device reboots to normal state, but can be re-jailbroken using an app installed on the device

Question 71

What are the common NetBIOS suffixes (also called NetBIOS End Character)?

Answer 71

Unique names:
00: Workstation Name
03: Messenger service
06: remote access service
20: file service
21: Remote access service client
1B: domain master browser
1D: Master browser

Group names:
00: Workstation service (workgroup/domain name)
1C: domain controllers
1E: browser service elections

Question 72

What is RADIUS?

Answer 72

Remote Authentication Dial In User Service. AAA protocol for users who connect and use a networks service. Runs in the application layer and can use TCP or UDP. Provides 802.1X authentication.

Question 73

What are the different modes for Hping2?

Answer 73

default: TCP

- 1: ICMP

Question 74

What port do compromised IoT devices typically use to spread malware?

Answer 74

48101

Question 75

What type of web-service API uses HTTP methods such as PUT, POST, GET, and DELETE?

Answer 75

RESTful API

Question 76

What is Burp Suite?

Answer 76

A java-based web penetration testing framework. Industry standard suite of tools. Helps identify vulnerabilities and verify attack vectors affecting web apps

Can be classified as an interception proxy. Pen tester can configure their internet browser to route traffic through Burp Suite proxy server, which then acts as sort of a man in the middle, capturing and analyzing each request to and from the web app

Question 77

What SMTP command is used to verify a user ID on a mail domain?

Answer 77

VRFY

Question 78

Which SMTP command asks for confirmation about the ID of a mailing list?

Answer 78

EXPN

Question 79

What is an encryption virus?

Answer 79

Ransomware. Encrypts victims data and demands ransom to decrypt it

Question 80

What is a tunneling virus?

Answer 80

attempts to intercept anti-virus software before it can detect malicious code

Question 81

What is a teardrop attack?

Answer 81

DoS attacks in which an attacker sends several large overlapping IP fragments. When the victim system tries to reassemble the packets, the system will sometimes crash

Question 82

Which nmap parameter is used to perform a TCP ACK Ping scan?

Answer 82

-PA

Question 83

Which nmap parameter is used to indicate that nmap should not perform a port scan after performing host discovery?

Answer 83

-sn

Question 84

Which nmap parameter is used to perform a TCP SYN ping scan?

Answer 84

-PS

Question 85

Which nmap parameter is used to perform a UDP ping scan?

Answer 85

-PU

Question 86

What is Flowmon?

Answer 86

A company that provides network flow-based monitoring solutions

Question 87

What is Robotium?

Answer 87

An open-source test automation framework for Android apps

Question 88

What is URLFuzzer?

Answer 88

An app that uses fuzzing to seek out hidden files, directories, and other resources on a web server

Question 89

What is IntentFuzzer

Answer 89

a fuzzing framework which targets the Inter-process communication (IPC) mechanisms of Android apps

Question 90

Which type of nmap scan is most appropriate for scanning large IP ranges?

Answer 90

-PR ARP scan because it’s faster and more accurate than IP-based scans

Question 91

Which MSFVenom option is used to specify the output format?

Answer 91

-f or –format

Question 92

What file is a rich target to discover the structure of a website during web-server footprinting?

Answer 92

Robots.txt - used to control crawling access.

Question 93

What is the folder where the website files for a domain name are stored, such as index.php, index.html, default.html, etc.?

Answer 93

Document root

Question 94

What was operation cloud hopper?

Answer 94

Attackers used MSPs as intermediaries to acquire assets and trade secrets from MSP clients. Malware was delivered through spear-phishing emails. Stolen data was then compressed and exfiltrated from MSP’s network

Question 95

What is ZoomInfo?

Answer 95

Vancouver-based software company providing subscription-based SaaS services

Question 96

What is Factiva?

Answer 96

Business information and research tool which aggregates content from more than 32,000 news sources such as newspapers, journals, magazines, etc.

Question 97

What is Infoga?

Answer 97

Tool for gathering email account information from different public sources and checks to see if emails were leaked

Question 98

What is Netcraft

Answer 98

Internet services company from England. Provides cybercrime disruption services.

Question 99

What is cryptcat?

Answer 99

a tool that enables communication between two systems and encrypts the communication with twofish in order to evade IDS

Question 100

What is a webhook?

Answer 100

a method of augmenting or altering the behaviour of a web page or web app with custom callbacks
This is usually done with HTTP POST requests

Question 101

What is a TCP Maimon scan?

Answer 101

-sM
nmap scan using the FIN/ACK flags. a RST packet should be generated whether the port is open or closed. However, BSD-derived systems often drop the packet if it’s open

Question 102

What is a CRIME attack?

Answer 102

Compression Ratio Info-leak Made Easy. A security exploit against secret web cookies over connections using HTTPS and SPDY protocols. Can be used to perform session hijacking

Question 103

What is a slowloris attack?

Answer 103

DoS attack which allows single machine to take down another machine’s web server by keeping as many connections to the target server open, maxing out the concurrent connection pool

Question 104

What is Phlashing?

Answer 104

permanent DoS attack that exploits a vulnerability in network-based firmware updates. Currently theoretical.

Question 105

What is ike-scan?

Answer 105

a command-line IPSec VPN scanner and testing tool used to discover, fingerprint, and test IPSEC VPN systems

Question 106

What type of SQLi makes use of DNS to pass data to an attacker?

Answer 106

out-of-band

Question 107

What MSFVenom option can be used to manually specify the architecture for the output payload?

Answer 107

-a or –arch

Question 108

Which MSFVenom option can be used to specify characters which should not be included in the shellcode?

Answer 108

-b or –bard-chars

Question 109

Which MSFVenom option can be used to specify the payload?

Answer 109

-p or –payload

Question 110

Which techniques does Aircrack-ng use to crack WEP keys?

Answer 110

Dictionary
Pyshkin, Tews, Weinmann (PTW)
Fluhrer, Mantin, Shamir (FMS)
KoreK

Question 111

Which type of rootkit can migrate the OS into a VM?

Answer 111

hypervisor-level

They install themselves between the hardware layer and the OS

Question 112

What is the difference between DNS spoofing and DNS hijacking?

Answer 112

DNS spoofing is the same as poisoning. Malicious DNS data is inserted into a DNS server.
DNS hijacking is the same as DNS redirection. Malware is used to hijack DNS services and place them under the control of the attacker.
Rather than injecting data into a legitimate DNS server, DNS hijacking reconfigures the TCP/IP stack to point at a malicious server

Question 113

What is domain hijacking?

Answer 113

Registrar-level attack in which name servers assigned to resolve a target’s top-level domain are modified, redirecting requests for those domains to malicious servers

Question 114

If a computer’s data is protected with BitLocker and then Windows fails to start, how do you access the data?

Answer 114

Use the BitLocker recovery password

Question 115

What is the GNU Bash Shellshock vulnerability?

Answer 115

A vulnerability in GNU Bash versions 4.3 and earlier that enables an attacker to send trailing information in an environment variable and execute arbitrary commands on the remote host

Question 116

Which Bash shell file is parsed when Bash shell starts, automatically executing any config commands contained in the file?

Answer 116

.bashrc

Typically sets display coloring, command aliases, command history configurations, etc.

Question 117

Which Bash shell file contains a limited amount of the user’s command history?

Answer 117

.bash_history

Question 118

Which Bash shell file contains configuration commands that are executed when a user logs in and are only executed once regardless of the number of shells the user opens

Answer 118

.bash_profile

typically configured to search for a .bashrc file in order to configure command aliases and other info

Question 119

Which Bash shell file is executed when a user logs out of a session and contains cleanup routines?

Answer 119

.bash_logout

Question 120

Which cURL option is used to prevent errors from displaying in the output?

Answer 120

-s

Question 121

Which cURL option is used to specify a delimiter instead of the default delimiter?

Answer 121

-d

Question 122

Which cURL option is used to specify which field’s parsed input line will be included in the output line?

Answer 122

-f
Thus, -f 2 specifies that the second field will be in the output. As in, if a line is delimited into 2 parts, only the second part will be output

Question 123

What is the purpose of the classes.dex file in android apps?

Answer 123

It includes the java libraries that the app requires

Question 124

What is the RIR for China, India, Japan, and Australia?

Answer 124

APNIC

Question 125

What is the RIR for Africa and parts of the indian ocean?

Answer 125

AFRINIC

Question 126

What is the RIR for North America, including Canada and the US?

Answer 126

ARIN

Question 127

What is the RIR for Europe, the Middle East, and Central Asia?

Answer 127

RIPE NCC

Question 128

What is the RIR for Mexico, Central America, South America, and portions of the Caribbean?

Answer 128

LACNIC

Question 129

Where do network and agent-based vulnerability scanners operate from?

Answer 129

Network runs on a dedicated host such as an appliance or VM

Agent requires a small amount of code on each host to be scanned

Question 130

What is Zigbee?

Answer 130

Wireless communications protocol used in electronics such as switches, timers, remote controls, and sensors.
Low-cost alternative to other wireless PANs, but has a short range

Question 131

What is NB-IoT?

Answer 131

Narrowband-IoT. A cellular WAN tech used to power cellular services that do not operate on LTE. Can be considered a cellular implementation of LPWAN

Question 132

What is MQTT?

Answer 132

Message Queuing Telemetry Transport. a TCP/IP publish/subsribe network used to send messages between devices. Intended for use in remote environments with limited bandwidth. Involves message brokers (servers) and clients.

Question 133

What is LPWAN?

Answer 133

Low-Power Wide Area Network. A wireless comm protocol used to communicate over long distances at a low bit rate. Low cost to implement and maintain

Question 134

What is juice jacking?

Answer 134

A type of malware attack that exploits USB power delivery systems to inject malware into a phone or tablet

Question 135

What is XML-RPC?

Answer 135

an HTTP-based call method which returns a single result in XML format

Question 136

What year was XML-RPC first developed?

Answer 136

1998

Question 137

What is NSTX?

Answer 137

A tool that is used to tunnel IP traffic within DNS packets

Question 138

What is Bitvisie?

Answer 138

a windows-based tool used to tunnel packets over SSH

Question 139

What is Loki?

Answer 139

A tool used to tunnel traffic over ICMP

Question 140

What is Super Network Tunnel?

Answer 140

A tool used to tunnel packets over HTTP

Question 141

What is a Mirai attack?

Answer 141

Very pervasive IoT malware. Spreads by scanning for vulnerable IoT devices, typically through port 48101

Question 142

What is a Heartbleed attack?

Answer 142

An OpenSSL vulnerability that allows an attacker to obtain approximately 65kb of information from a server’s memory at regular intervals. Allows attackers to obtain a server’s private key, enabling the decryption of communications

Question 143

What is a Gobuster attack?

Answer 143

a command line tool that can be used to enumerate applications, directories, and files, including hidden ones, on internet connected web servers

Question 144

What is a Dragonblood attack?

Answer 144

a vulnerability in WPA3 that allows attackers to steal passwords and crash WAPs. Caused by design flaws in the Dragonfly key exchange mechanism used by WPA3

Question 145

What are the 4 components of a risk assessment?

Answer 145

Technical, Organizational, Physical, and Administrative safeguards

Question 146

Describe a counter-based authentication system

Answer 146

Authentication system which creates one time passwords that are encrypted with secret keys. A counter value kept on the authenticating server is also used to generate the OTP

Question 147

What is blackjacking?

Answer 147

hijacking a blackberry connection, usually with the BBProxy tool

Question 148

What are the names of two vulnerabilities in modern processors such as Intel, AMD, and ARM using speculative execution?

Answer 148

Spectre and Meltdown

Question 149

Which nmap parameter is used to change the scan speed?

Answer 149

-Tx

x is replaced with numbers 0-5

Question 150

What is tcpdump?

Answer 150

A command-line packet analyzer that can be used for OS fingerprinting

Question 151

What is hping?

Answer 151

an open-source packet generator and analyzer for TCP/IP protocol. Inspired by ping unix command, but not limited to ICMP echo

Question 152

Which SMTP command is used to transmit email over TLS?

Answer 152

STARTTLS

Question 153

What is nessus?

Answer 153

a vulnerability scanner

Question 154

What is code emulation?

Answer 154

a virus detection technique in which a virtual machine is implemented to simulate CPU and memory management to mimic code execution. Malicious code is simulated in the virtual machine and no virus code is executed by the real processor

Question 155

What is a Markov Chain?

Answer 155

A password cracking technique in which attackers assemble a password database, split each password, and calculate the probability of placing characters in a quasi-brute attack

Question 156

What is PRINCE?

Answer 156

Probability Infinite Chained Elements. Uses an algorithm to try the most likely password candidates with a refined combinator attack. Creates chains of combined words using a single dictionary

Question 157

At which layer do sniffers operate?

Answer 157

Layer 2

Question 158

Which open port indicates a network device is likely a printer?

Answer 158

515

Question 159

Which IPSec mode should be used to ensure integrity and confidentiality of data on the same LAN?

Answer 159

ESP Transport

Question 160

Which IPSec mode should be used to ensure the integrity of LAN data?

Answer 160

AH transport

Question 161

Which IPSec mode should be used to ensure integrity and confidentiality of data between networks?

Answer 161

ESP tunnel mode

Question 162

Which IPSec mode should be used to ensure integrity of data between networks?

Answer 162

AH tunnel

Question 163

Which linux command is used to resolve a domain name into an IP address?

Answer 163

host -t a

Question 164

What is crypter?

Answer 164

a type of software that can encrypt, obfuscate, and manipulate malware to make it harder to detect by security programs

Question 165

What is dropper?

Answer 165

a program that secretly installs malicious programs

Question 166

What is global deduction?

Answer 166

attacker discovers a functionally equivalent algorithm for encryption and decryption, without learning the key

Question 167

What is instance (local) deduction?

Answer 167

attacker discovers additional plaintext (or cipherteexts) not previously known

Question 168

hat is information deduction?

Answer 168

attacker gains some Shannon information about plaintexts or ciphertexts not previously known

Question 169

What is ettercap?

Answer 169

a free and open soruuce network security tool for MITM attacks on LAN

Question 170

Where does active sniffing occur vs passive sniffing?

Answer 170

active is on switch, passive is on hub

Question 171

What is the min number of network connections in a multihomed firewall?

Answer 171

2

Question 172

What is nikto?

Answer 172

a free software command-line vulnerability scanner for webservers

Question 173

What is chntpw?

Answer 173

a linux-based software utility for resetting or blanking local passwords on windows.

Question 174

Which nmap parameter can be used to help evade IDS systems?

Answer 174

-T (0 and 1 option)