CEH Flashcards

(174 cards)

1
Q

What is the nmap parameter for aggressive scanning?

A

-A

2
Q

What is the nmap parameter for enabling the script engine?

A

-sC (runs the default script set; use --script=<name or category> to choose specific scripts)

3
Q

What is the nmap parameter used for OS fingerprinting?

A

-O

4
Q

What is the nmap parameter used to identify the path taken by a packet as it travels toward the destination?

A

--traceroute

5
Q

What nmap parameter is used to disable ICMP pings?

A
-P0 or -PN (older versions)
-Pn (current syntax; treats every host as up and skips host discovery)

6
Q

What nmap parameter configures nmap to perform a stealth scan, also known as a SYN scan or half-open scan?

A

-sS

7
Q

What nmap parameter configures nmap to disable DNS?

A

-n

8
Q

What nmap parameter configures nmap to always perform DNS?

A

-R

9
Q

What nmap command is equivalent to nmap -A?

A

nmap -sV -sC -O --traceroute

10
Q

What is JXplorer?

A

Java-based LDAP browser

11
Q

What is Luma?

A

Python-based LDAP browser

12
Q

What is Coral Directory?

A

LDAP browser specific to Windows 2000 or later

13
Q

What are Cloudborne attacks?

How can they be mitigated?

A

A firmware implant (for example in the BMC) is left on a bare-metal cloud server by one tenant, and the server is later reassigned to another customer with the backdoor still in place

Reflash and verify the server firmware (and wipe BMC storage) before repurposing it

14
Q

What was Operation Cloud Hopper?

A

Spear phishing was used to infiltrate cloud provider networks, enabling attackers to compromise target data stored in the cloud

15
Q

Which MIB stores information about TCP/IP on network hosts as well as information about SNMP configuration itself?

A

MIB_II

16
Q

Which MIB contains information about the network traffic between hosts and DHCP servers?

A

DHCP.MIB

17
Q

Which MIB contains information about workstation and server services?

A

LMMIB2.MIB

18
Q

Which MIB contains information the windows internet name service, a name resolution service for NetBIOS?

A

WINS.MIB

19
Q

Which MIB contains information about managing and monitoring resources on hosts on the network, such as host’s date and time, users, processes, memory, physical storage, etc.?

A

HOSTMIB.MIB

20
Q

What is KoreK chopchop?

A

An attack that can decrypt a WEP packet without requiring the key

21
Q

What is KRACK?

A

Key Reinstallation Attack against WPA2's four-way handshake. The attacker does not learn the shared secret: by blocking and replaying message 3 of the handshake, it tricks the client into reinstalling a session key that is already in use, which resets the nonce and replay counter, so keystream is reused and frames can be decrypted or replayed.

22
Q

What type of information is included in a WHOIS query?

A

information about the IP network range from which the IP address was allocated
technical, administrative, and billing contact information for the parties associated with a particular domain name

23
Q

Which DNS records contain information about the OSs implemented and the hardware platforms in an organization?

A

HINFO

24
Q

Which nmap parameter configures nmap to perform an ACK scan?

A

-sA

25
What is a DROWN attack?
Decrypting RSA with Obsolete and Weakened eNcryption. Affects servers that still support SSLv2 (or share an RSA key with one that does): SSLv2's handling of the RSA-encrypted key material during the handshake acts as a Bleichenbacher padding oracle, letting an attacker decrypt recorded TLS sessions that used the same RSA key
26
What is a linear cryptanalysis attack?
A known-plaintext attack: the attacker uses pairs of plaintext and corresponding ciphertext together with linear approximations of the cipher's operations to recover key bits
27
Describe blowfish
A symmetric 64-bit block cipher that uses a variable-length key ranging from 32 to 448 bits
28
Describe Twofish
A symmetric 128-bit block cipher (an AES finalist) that uses a key length of 128, 192, or 256 bits
29
Describe IDEA
A symmetric 64-bit block cipher that uses a 128-bit key. It runs eight rounds plus a final output transformation
30
Describe AES
A symmetric block cipher with 128 bit block size that uses a key length of 128, 192, or 256 bits
31
Describe 3DES
A 64-bit block symmetric cipher that applies DES three times (encrypt-decrypt-encrypt) with three 56-bit keys, giving a nominal 168-bit key but only about 112 bits of effective security; now deprecated
32
Describe RSA
An asymmetric encryption algorithm that uses prime numbers to generate keys, recommended at least 2048 bits long.
33
Describe SHA1
A hashing algorithm that produces a 160-bit digest; deprecated since practical collisions were demonstrated in 2017
34
Which key is created when a TPM is manufactured?
endorsement key
35
Which key is created when a user takes ownership of a TPM?
storage root key
36
What is an STP attack?
rogue switch added to network and advertises as having the lowest bridge priority value, making it a root bridge
37
What is switch spoofing?
a VLAN hopping attack in which an attacker configures their system to act like a switch with a trunk port and uses DTP (dynamic trunking protocol) to negotiate a trunk link with a switch port
38
What is a MITC attack?
Attacker uses malware to steal synchronization tokens used to authenticate and synchronize data with cloud providers
39
How can MITC attacks be mitigated?
Educating users about social engineering; installing a CASB
40
What is HULK?
HTTP Unbearable Load King tool | A tool that can initiate an HTTP flood and can evade IDSs
41
What is MEDUSA?
A parallel, modular network login brute-forcer (SSH, FTP, HTTP, SMB and others), comparable to Hydra; it is not a social-media OSINT tool
42
What is hootsuite?
A social media management platform
43
What is VisualRoute?
A suite of networking tools (graphical traceroute and related utilities) that can visualize networking issues
44
Which port does SMB use?
445 (SMB directly over TCP); 139 when SMB is carried over the NetBIOS session service
45
Which port does SNMP use?
161 and 162
46
What algorithms do the different wireless protocols use to encrypt communications?
WEP: RC4
WPA: TKIP (RC4-based)
WPA2: AES-CCMP
WPA3: AES-CCMP in WPA3-Personal; AES-GCMP-256 in WPA3-Enterprise 192-bit mode
47
What is dnsenum?
a Perl script used to enumerate DNS information
48
What is Bluto?
a python script that can query a target domain for MX and NS records and can perform an AXFR query to discover subdomains. Can also brute force using Alexa Top 1 Million subdomains list
49
What is SubBrute?
a python script used for DNS enumeration that recursively crawls enumerated DNS records similar to how a search engine spider crawls a website. Can enumerate any DNS record type
50
What is InstaRecon?
A python-based DNS enumeration tool which adds the ability to use Shodan for performing queries and can perform reverse DNS lookups on an entire IP range
51
What do the various error directives in a php.ini file do?
error_log: path of the error log file
log_errors: whether to write errors to that log
display_errors: whether to show errors in the browser (should be Off in production, since messages leak paths, queries and stack traces)
error_reporting: the level of errors the PHP process reports
52
What is DGA?
Domain Generation Algorithm. Malware dynamically generates a list of domain names (from a seed such as the current date) that the attacker, who knows the algorithm, can predict and register in advance. C2 traffic goes to domains that reputation-based security systems have not yet categorized, keeping the C2 channel reachable even if individual domains are taken down
53
What is fast fluxing?
Using a network of compromised hosts to proxy services for an attacker. The attacker's communications are dynamically proxied through the botnet, with the DNS records cycling rapidly through the bots' IP addresses, making it difficult for the security team to blacklist the hosts of the botnet. Can be mitigated by taking down the DNS server that serves the malicious domain
54
What is double fluxing?
Similar to fast fluxing, but a separate botnet is used to proxy the DNS service itself (the NS records flux as well), protecting the attacker's DNS server from takedown efforts. Can be mitigated by contacting the appropriate top-level domain (TLD) registry or registrar to take down the domain
55
What does the mod_negotiation module do on an Apache server?
Enables content negotiation (MultiViews): a request for /page is served by page.php, page.html, etc., chosen against the browser's Accept headers, so file extensions do not appear in URLs. Because the server may list the available variants when it cannot pick one, the module can also leak filenames during enumeration
56
Which parameter should be used to silence error messages when using the curl command to scrape hyperlinks from a webpage?
-s
57
What is a DNS DDoS?
Flooding port 53 (UDP, and also TCP) of a DNS server with illegitimate queries to exhaust it and deny access to the server
58
What is a DNS amplification attack?
A DRDoS attack in which attackers send a flood of small DNS queries (often for ANY or other large records) to open resolvers with the source address spoofed to the victim, so the resolvers deliver their much larger responses to the target
59
What is DNS tunneling?
Data exfiltration and C2 technique in which arbitrary data is encoded into DNS queries and responses on port 53 (usually UDP), because DNS is normally allowed outbound through firewalls
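Cards 52 and 59 describe DGA domains and DNS tunneling. The added example below is not part of the original deck: it is my own Python illustration of a toy date-seeded DGA (not a real malware family) and a simple scorer that flags DGA-like and tunnel-like query names in constructed resolver log lines. The generator, the thresholds and the log format are assumptions made for the example.

```python
import math
import re
from collections import Counter

VOWELS = set("aeiou")


def toy_dga(seed: int, count: int, tld: str = ".com") -> list:
    """Constructed date-seeded DGA (illustrative, not a real family).
    seed is yyyymmdd as an int. Malware and the attacker's registration
    script share the seed, so both compute the same ordered list of
    rendezvous domains for the day."""
    state = seed
    domains = []
    for _ in range(count):
        label = ""
        for _ in range(12):
            state = (state * 1103515245 + 12345) & 0x7FFFFFFF  # LCG step
            label += chr(ord("a") + state % 26)
        domains.append(label + tld)
    return domains


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score_query(qname: str) -> dict:
    """Heuristic triage of one query name (thresholds are assumptions).
    DGA-like: long registered label with high entropy and few vowels.
    Tunnel-like: very long name, many labels, or long hex-looking labels."""
    labels = qname.rstrip(".").lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    subs = labels[:-2]
    vowel_ratio = sum(ch in VOWELS for ch in sld) / max(len(sld), 1)
    hexish = any(re.fullmatch(r"[0-9a-f]{16,}", lab) for lab in subs)
    flags = []
    if len(sld) >= 10 and shannon_entropy(sld) > 3.0 and vowel_ratio < 0.3:
        flags.append("dga-like")
    if len(qname) > 60 or len(labels) > 5 or hexish:
        flags.append("tunnel-like")
    return {"qname": qname, "entropy": round(shannon_entropy(sld), 2), "flags": flags}


# Constructed resolver log lines (assumed format: time client qname qtype).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 example.com A
2024-05-01T10:00:02Z 10.0.0.5 xkqzvtrpwmfg.com A
2024-05-01T10:00:03Z 10.0.0.9 3a7f9c2e1b4d6a8f3a7f9c2e1b4d6a8f.9c2e1b4d6a8f3a7f.t.example.net TXT
2024-05-01T10:00:04Z 10.0.0.9 mail.example.org MX
"""


def suspicious_queries(log_text: str) -> dict:
    """Map of flagged qname -> flags for every line of a log in the assumed format."""
    found = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        result = score_query(parts[2])
        if result["flags"]:
            found[result["qname"]] = result["flags"]
    return found


if __name__ == "__main__":
    print(toy_dga(20240501, 3))
    for q, f in suspicious_queries(SAMPLE_LOG).items():
        print(q, f)
```

Entropy and vowel ratio alone misfire on legitimate brand names and CDN hostnames, so in practice such scores are combined with NXDOMAIN rates per client, domain age and query volume before anything is blocked.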
60
What does the NSE smb-os-discovery script return?
OS
Computer name
Domain name
Forest name
FQDN
NetBIOS name
NetBIOS domain name
Workgroup
System time
61
What does the NSE enip-info script return?
If the target device is listening on port 44818 (EtherNet/IP):
Device type
Vendor ID
Product name
Serial number
Product code
Revision number
Status
State
IP address
62
What does the netbus-info NSE script return?
Uses port 12345 (NetBus) to return:
Applications
Installation path
Restart persistence
User login ID
Number of connected clients
Log settings
Password
Email address
SMTP server
Sound volume settings
63
What does the http-enum NSE script return?
exposed applications, directories, and files on web servers
64
What does a passive aLTEr attack do?
Uses OSI Layer 2 metadata (packet sizes and timing of the encrypted LTE user plane) to fingerprint which websites a user visits
65
What is an active aLTEr attack?
The attacker relays the victim's traffic through a fake base station and, because the LTE user plane is encrypted (AES-CTR) but not integrity protected, flips bits in the encrypted packets to redirect the victim's DNS requests to a malicious resolver
66
What is Maltego?
Software used for OSINT and forensics. Specializes in displaying info in graph format. Permits creating custom entities, allowing it to represent any type of information.
67
What was the previous name for Wireshark?
Ethereal
68
What is Nessus?
A proprietary vulnerability scanner
69
What TTL value indicates a Windows OS?
128
70
Describe the four iOS jailbreaking techniques
Tethered: a computer is required to boot the device and maintain the jailbreak after every restart
Untethered: the device remains jailbroken after restarting
Semi-tethered: rebooting returns the device to a non-jailbroken state; a computer is needed to re-jailbreak
Semi-untethered: rebooting returns the device to a normal state, but it can be re-jailbroken with an app installed on the device
71
What are the common NetBIOS suffixes (also called NetBIOS End Character)?
Unique names:
00: Workstation service
03: Messenger service
06: Remote access service (server)
20: File service (server)
21: Remote access service client
1B: Domain master browser
1D: Master browser

Group names:
00: Workstation service (workgroup/domain name)
1C: Domain controllers
1E: Browser service elections
72
What is RADIUS?
Remote Authentication Dial In User Service. AAA protocol for users who connect to and use a network service. Runs at the application layer over UDP (ports 1812 for authentication and 1813 for accounting; legacy 1645/1646); RADIUS over TCP/TLS (RadSec) exists as an extension. Serves as the back-end authentication server for 802.1X/EAP.
73
What are the different modes for Hping2?
Default: TCP
-0: raw IP
-1: ICMP
-2: UDP
-8: scan mode
-9: listen mode
74
What port do compromised IoT devices typically use to spread malware?
48101
75
What type of web-service API uses HTTP methods such as PUT, POST, GET, and DELETE?
RESTful API
76
What is Burp Suite?
A Java-based web penetration testing framework and industry-standard suite of tools that helps identify vulnerabilities and verify attack vectors affecting web apps. It can be classified as an interception proxy: the pen tester configures the browser to route traffic through the Burp proxy, which then acts as a man in the middle, capturing and analyzing each request to and from the web app
77
What SMTP command is used to verify a user ID on a mail domain?
VRFY
78
Which SMTP command asks for confirmation about the ID of a mailing list?
EXPN
79
What is an encryption virus?
Ransomware. Encrypts victims data and demands ransom to decrypt it
80
What is a tunneling virus?
attempts to intercept anti-virus software before it can detect malicious code
81
What is a teardrop attack?
DoS attacks in which an attacker sends several large overlapping IP fragments. When the victim system tries to reassemble the packets, the system will sometimes crash
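Card 81 describes the teardrop attack. The added example below is not from the deck: it is my own Python model of the check a hardened reassembly routine (or an IDS preprocessor) performs, detecting overlapping fragments and refusing to reassemble a datagram that contains them. The Fragment type and the two sample datagrams are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    """One IP fragment. Offsets are in bytes here for readability; on the wire the
    fragment offset field counts 8-byte units, so multiply by 8 when parsing headers."""
    ident: int      # IP identification, shared by all fragments of one datagram
    offset: int     # byte offset of this fragment's payload in the original datagram
    length: int     # payload length in bytes
    more: bool      # MF flag: True on every fragment except the last


def group_by_datagram(frags: List[Fragment]) -> Dict[int, List[Fragment]]:
    """Group fragments by identification field, each group sorted by offset."""
    groups: Dict[int, List[Fragment]] = {}
    for f in frags:
        groups.setdefault(f.ident, []).append(f)
    return {k: sorted(v, key=lambda f: f.offset) for k, v in groups.items()}


def find_overlaps(frags: List[Fragment]) -> List[Tuple[Fragment, Fragment]]:
    """Pairs of fragments of the same datagram whose byte ranges overlap. Normal
    fragmentation never produces overlaps; they are the teardrop signature and are
    also used to desynchronise IDS reassembly from the end host's."""
    overlaps = []
    for group in group_by_datagram(frags).values():
        for prev, cur in zip(group, group[1:]):
            if cur.offset < prev.offset + prev.length:
                overlaps.append((prev, cur))
    return overlaps


def reassembled_length(frags: List[Fragment]) -> Optional[int]:
    """Strict reassembly for one datagram: its total length if the fragments are
    contiguous, non-overlapping and terminated by an MF=0 fragment, else None.
    Dropping rather than patching overlapping fragments is the fix the vulnerable
    stacks lacked: they computed a negative copy length from the overlap."""
    groups = group_by_datagram(frags)
    if len(groups) != 1 or find_overlaps(frags):
        return None
    (group,) = groups.values()
    expected = 0
    for f in group:
        if f.offset != expected:
            return None        # hole: a fragment is missing or out of place
        expected += f.length
    return None if group[-1].more else expected


# Constructed samples: a benign 3-fragment datagram and a teardrop-style pair whose
# second fragment sits entirely inside the first.
BENIGN = [Fragment(1, 0, 1480, True), Fragment(1, 1480, 1480, True), Fragment(1, 2960, 100, False)]
TEARDROP = [Fragment(2, 0, 36, True), Fragment(2, 24, 4, False)]

if __name__ == "__main__":
    print("benign:", reassembled_length(BENIGN))
    print("teardrop overlaps:", len(find_overlaps(TEARDROP)), "->", reassembled_length(TEARDROP))
```

The same overlap check is what lets an IDS flag evasion attempts, where attackers send overlapping fragments whose conflicting bytes are resolved differently by the sensor and the target.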
82
Which nmap parameter is used to perform a TCP ACK Ping scan?
-PA
83
Which nmap parameter is used to indicate that nmap should not perform a port scan after performing host discovery?
-sn
84
Which nmap parameter is used to perform a TCP SYN ping scan?
-PS
85
Which nmap parameter is used to perform a UDP ping scan?
-PU
86
What is Flowmon?
A company that provides network flow-based monitoring solutions
87
What is Robotium?
An open-source test automation framework for Android apps
88
What is URLFuzzer?
An app that uses fuzzing to seek out hidden files, directories, and other resources on a web server
89
What is IntentFuzzer
a fuzzing framework which targets the Inter-process communication (IPC) mechanisms of Android apps
90
Which type of nmap scan is most appropriate for scanning large IP ranges?
-PR (ARP ping). On the local Ethernet segment it is faster and more reliable than ICMP/TCP probes, because every host must answer ARP; nmap already uses ARP by default there. It does not reach targets beyond a router, where IP-based discovery (-PS, -PA, -PE) is needed instead
91
Which MSFVenom option is used to specify the output format?
-f or --format
92
What file is a rich target to discover the structure of a website during web-server footprinting?
Robots.txt - used to control crawling access.
93
What is the folder where the website files for a domain name are stored, such as index.php, index.html, default.html, etc.?
Document root
94
What was operation cloud hopper?
Attackers used MSPs as intermediaries to acquire assets and trade secrets from MSP clients. Malware was delivered through spear-phishing emails. Stolen data was then compressed and exfiltrated from MSP's network
95
What is ZoomInfo?
Vancouver-based software company providing subscription-based SaaS services
96
What is Factiva?
Business information and research tool which aggregates content from more than 32,000 news sources such as newspapers, journals, magazines, etc.
97
What is Infoga?
Tool for gathering email account information from different public sources and checks to see if emails were leaked
98
What is Netcraft
Internet services company from England. Provides cybercrime disruption services.
99
What is cryptcat?
a tool that enables communication between two systems and encrypts the communication with twofish in order to evade IDS
100
What is a webhook?
a method of augmenting or altering the behaviour of a web page or web app with custom callbacks This is usually done with HTTP POST requests
101
What is a TCP Maimon scan?
-sM nmap scan using the FIN/ACK flags. a RST packet should be generated whether the port is open or closed. However, BSD-derived systems often drop the packet if it's open
102
What is a CRIME attack?
Compression Ratio Info-leak Made Easy. A security exploit against secret web cookies over connections using HTTPS and SPDY protocols. Can be used to perform session hijacking
103
What is a slowloris attack?
DoS attack which allows single machine to take down another machine's web server by keeping as many connections to the target server open, maxing out the concurrent connection pool
104
What is Phlashing?
permanent DoS attack that exploits a vulnerability in network-based firmware updates. Currently theoretical.
105
What is ike-scan?
a command-line IPSec VPN scanner and testing tool used to discover, fingerprint, and test IPSEC VPN systems
106
What type of SQLi makes use of DNS to pass data to an attacker?
out-of-band
107
What MSFVenom option can be used to manually specify the architecture for the output payload?
-a or --arch
108
Which MSFVenom option can be used to specify characters which should not be included in the shellcode?
-b or --bad-chars
109
Which MSFVenom option can be used to specify the payload?
-p or --payload
110
Which techniques does Aircrack-ng use to crack WEP keys?
Dictionary attack
PTW (Pyshkin, Tews, Weinmann)
FMS (Fluhrer, Mantin, Shamir)
KoreK
111
Which type of rootkit can migrate the OS into a VM?
hypervisor-level | They install themselves between the hardware layer and the OS
112
What is the difference between DNS spoofing and DNS hijacking?
DNS spoofing is the same as poisoning. Malicious DNS data is inserted into a DNS server. DNS hijacking is the same as DNS redirection. Malware is used to hijack DNS services and place them under the control of the attacker. Rather than injecting data into a legitimate DNS server, DNS hijacking reconfigures the TCP/IP stack to point at a malicious server
113
What is domain hijacking?
Registrar-level attack in which name servers assigned to resolve a target's top-level domain are modified, redirecting requests for those domains to malicious servers
114
If a computer's data is protected with BitLocker and then Windows fails to start, how do you access the data?
Use the BitLocker recovery password
115
What is the GNU Bash Shellshock vulnerability?
A vulnerability (CVE-2014-6271 and related) in GNU Bash versions 1.14 through 4.3: Bash parsed function definitions exported in environment variables and executed any commands trailing the function body, so any service that places attacker-controlled data into an environment variable (CGI scripts, some SSH and DHCP configurations) allowed arbitrary command execution on the remote host
116
Which Bash shell file is parsed when Bash shell starts, automatically executing any config commands contained in the file?
.bashrc | Typically sets display coloring, command aliases, command history configurations, etc.
117
Which Bash shell file contains a limited amount of the user's command history?
.bash_history
118
Which Bash shell file contains configuration commands that are executed when a user logs in and are only executed once regardless of the number of shells the user opens
.bash_profile | typically configured to search for a .bashrc file in order to configure command aliases and other info
119
Which Bash shell file is executed when a user logs out of a session and contains cleanup routines?
.bash_logout
120
Which cURL option is used to prevent errors from displaying in the output?
-s
121
Which option of the cut command (used after curl in a link-scraping pipeline) specifies a delimiter instead of the default tab?
-d (a cut option, not a cURL option; curl's own -d sends POST data)
122
Which cut option selects which delimited field of each input line is written to the output?
-f. Thus -f 2 outputs the second field: if a line is split into two parts by the delimiter, only the second part is printed
123
What is the purpose of the classes.dex file in android apps?
It contains the app's compiled Dalvik/ART bytecode (its Java/Kotlin classes, including bundled libraries); decompiling it with tools such as dex2jar or jadx gives access to the application logic
124
What is the RIR for China, India, Japan, and Australia?
APNIC
125
What is the RIR for Africa and parts of the indian ocean?
AFRINIC
126
What is the RIR for North America, including Canada and the US?
ARIN
127
What is the RIR for Europe, the Middle East, and Central Asia?
RIPE NCC
128
What is the RIR for Mexico, Central America, South America, and portions of the Caribbean?
LACNIC
129
Where do network and agent-based vulnerability scanners operate from?
Network runs on a dedicated host such as an appliance or VM | Agent requires a small amount of code on each host to be scanned
130
What is Zigbee?
Wireless communications protocol used in electronics such as switches, timers, remote controls, and sensors. Low-cost alternative to other wireless PANs, but has a short range
131
What is NB-IoT?
Narrowband-IoT. A cellular WAN tech used to power cellular services that do not operate on LTE. Can be considered a cellular implementation of LPWAN
132
What is MQTT?
Message Queuing Telemetry Transport. A lightweight TCP/IP publish/subscribe messaging protocol used to send messages between devices. Intended for use in remote environments with limited bandwidth. Involves message brokers (servers) and clients; default ports are 1883 (plain) and 8883 (TLS).
133
What is LPWAN?
Low-Power Wide Area Network. A wireless comm protocol used to communicate over long distances at a low bit rate. Low cost to implement and maintain
134
What is juice jacking?
A type of malware attack that exploits USB power delivery systems to inject malware into a phone or tablet
135
What is XML-RPC?
an HTTP-based call method which returns a single result in XML format
136
What year was XML-RPC first developed?
1998
137
What is NSTX?
A tool that is used to tunnel IP traffic within DNS packets
138
What is Bitvise?
a Windows-based SSH client and server suite that can tunnel packets over SSH
139
What is Loki?
A tool used to tunnel traffic over ICMP
140
What is Super Network Tunnel?
A tool used to tunnel packets over HTTP
141
What is a Mirai attack?
Very pervasive IoT malware. Spreads by scanning for vulnerable IoT devices, typically through port 48101
142
What is a Heartbleed attack?
An OpenSSL vulnerability (CVE-2014-0160) in the TLS heartbeat extension: a malformed heartbeat request returns up to 64 KB of the peer's process memory per request, and repeating it can yield a server's private key, session cookies and credentials, enabling decryption of communications
143
What is Gobuster?
a command-line tool that brute-forces URIs (directories and files, including hidden ones), DNS subdomains and virtual hosts on internet-connected web servers
144
What is a Dragonblood attack?
a vulnerability in WPA3 that allows attackers to steal passwords and crash WAPs. Caused by design flaws in the Dragonfly key exchange mechanism used by WPA3
145
What are the 4 components of a risk assessment?
Technical, Organizational, Physical, and Administrative safeguards
146
Describe a counter-based authentication system
Authentication system which creates one time passwords that are encrypted with secret keys. A counter value kept on the authenticating server is also used to generate the OTP
147
What is blackjacking?
hijacking a blackberry connection, usually with the BBProxy tool
148
What are the names of two vulnerabilities in modern processors such as Intel, AMD, and ARM using speculative execution?
Spectre and Meltdown
149
Which nmap parameter is used to change the scan speed?
-Tx | x is replaced with numbers 0-5
150
What is tcpdump?
A command-line packet analyzer that can be used for OS fingerprinting
151
What is hping?
an open-source packet generator and analyzer for TCP/IP protocol. Inspired by ping unix command, but not limited to ICMP echo
152
Which SMTP command is used to transmit email over TLS?
STARTTLS
153
What is nessus?
a vulnerability scanner
154
What is code emulation?
a virus detection technique in which a virtual machine is implemented to simulate CPU and memory management to mimic code execution. Malicious code is simulated in the virtual machine and no virus code is executed by the real processor
155
What is a Markov Chain?
A password cracking technique in which attackers assemble a password database, split each password, and calculate the probability of placing characters in a quasi-brute attack
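Card 155 describes Markov-chain password generation. The added example below is not from the deck and is not the implementation used by any particular cracker: it is my own Python version that trains an order-1 character chain on a constructed password list and enumerates candidates most-likely-first with a best-first search. The training list and the length cap are assumptions.

```python
import heapq
import math
from collections import defaultdict
from typing import Dict, List

START, END = "^", "$"   # sentinel symbols; assumed absent from the training passwords


def train(passwords: List[str]) -> Dict[str, Dict[str, float]]:
    """Order-1 Markov chain: log P(next char | previous char), learned from a corpus."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for pw in passwords:
        prev = START
        for ch in pw:
            counts[prev][ch] += 1
            prev = ch
        counts[prev][END] += 1
    return {prev: {ch: math.log(c / sum(nxt.values())) for ch, c in nxt.items()}
            for prev, nxt in counts.items()}


def log_prob(model: Dict[str, Dict[str, float]], password: str) -> float:
    """Log-likelihood of a candidate under the chain; -inf if a transition was never seen."""
    total, prev = 0.0, START
    for ch in list(password) + [END]:
        lp = model.get(prev, {}).get(ch)
        if lp is None:
            return -math.inf
        total += lp
        prev = ch
    return total


def top_candidates(model: Dict[str, Dict[str, float]], k: int, max_len: int = 8) -> List[str]:
    """Best-first enumeration (Dijkstra over prefixes). Every transition has
    log-probability <= 0, so popping the heap in -logprob order yields complete
    candidates in non-increasing probability, the order a cracker wants to try them."""
    heap = [(0.0, START, "")]          # (-log P(prefix), last symbol, prefix)
    out: List[str] = []
    while heap and len(out) < k:
        cost, last, prefix = heapq.heappop(heap)
        if last == END:
            out.append(prefix)
            continue
        for ch, lp in model.get(last, {}).items():
            if ch == END:
                if prefix:
                    heapq.heappush(heap, (cost - lp, END, prefix))
            elif len(prefix) < max_len:
                heapq.heappush(heap, (cost - lp, ch, prefix + ch))
    return out


# Constructed training list standing in for a leaked password database.
LEAK = ["password", "password1", "passw0rd", "pass1234", "letmein", "iloveyou", "monkey1"]

if __name__ == "__main__":
    model = train(LEAK)
    for cand in top_candidates(model, 10):
        print(f"{math.exp(log_prob(model, cand)):.4f}  {cand}")
```

Real tools use higher-order chains and position-dependent statistics, but the defensive lesson is already visible here: any password that the chain assigns a high likelihood to is one that will be tried early, regardless of its length.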
156
What is PRINCE?
Probability Infinite Chained Elements. Uses an algorithm to try the most likely password candidates with a refined combinator attack. Creates chains of combined words using a single dictionary
157
At which layer do sniffers operate?
Layer 2
158
Which open port indicates a network device is likely a printer?
515
159
Which IPSec mode should be used to ensure integrity and confidentiality of data on the same LAN?
ESP Transport
160
Which IPSec mode should be used to ensure the integrity of LAN data?
AH transport
161
Which IPSec mode should be used to ensure integrity and confidentiality of data between networks?
ESP tunnel mode
162
Which IPSec mode should be used to ensure integrity of data between networks?
AH tunnel
163
Which linux command is used to resolve a domain name into an IP address?
host -t A <domain> (for example host -t A example.com; plain host <domain> also returns the A, AAAA and MX records)
164
What is crypter?
a type of software that can encrypt, obfuscate, and manipulate malware to make it harder to detect by security programs
165
What is dropper?
a program that secretly installs malicious programs
166
What is global deduction?
attacker discovers a functionally equivalent algorithm for encryption and decryption, without learning the key
167
What is instance (local) deduction?
attacker discovers additional plaintexts (or ciphertexts) not previously known
168
What is information deduction?
attacker gains some Shannon information about plaintexts or ciphertexts not previously known
169
What is ettercap?
a free and open-source network security tool for MITM attacks on a LAN
170
Where does active sniffing occur vs passive sniffing?
active is on switch, passive is on hub
171
What is the min number of network connections in a multihomed firewall?
2
172
What is nikto?
a free software command-line vulnerability scanner for webservers
173
What is chntpw?
a linux-based software utility for resetting or blanking local passwords on windows.
174
Which nmap parameter can be used to help evade IDS systems?
-T (0 and 1 option)