CEH Flashcards
What is the nmap parameter for aggressive scanning?
-A
What is the nmap parameter for enabling the script engine?
-sC
What is the nmap parameter used for OS fingerprinting?
-O
What is the nmap parameter used to identify the path taken by a packet as it travels toward the destination?
--traceroute
What nmap parameter is used to disable ICMP pings?
-P0 or -PN (old)
-Pn (new)
What nmap parameter configures nmap to perform a stealth scan, also known as a SYN scan or half-open scan?
-sS
What nmap parameter configures nmap to disable DNS?
-n
What nmap parameter configures nmap to always perform DNS?
-R
What nmap command is equivalent to nmap -A?
nmap -sV -sC -O --traceroute
What is JXplorer?
Java-based LDAP browser
What is Luma?
Python-based LDAP browser
What is Coral Directory?
LDAP browser specific to Windows 2000 or later
What are Cloudborne attacks?
How can they be mitigated?
A firmware backdoor is installed on a cloud server that is later repurposed for another client
Reflash the firmware on a server before repurposing it
What was Operation Cloud Hopper?
Spear phishing was used to infiltrate cloud provider networks, enabling attackers to compromise target data stored in the cloud
Which MIB stores information about TCP/IP on network hosts as well as information about SNMP configuration itself?
MIB_II
Which MIB contains information about the network traffic between hosts and DHCP servers?
DHCP.MIB
Which MIB contains information about workstation and server services?
LMMIB2.MIB
Which MIB contains information about the Windows Internet Name Service, a name resolution service for NetBIOS?
WINS.MIB
Which MIB contains information about managing and monitoring resources on hosts on the network, such as host’s date and time, users, processes, memory, physical storage, etc.?
HOSTMIB.MIB
What is KoreK chopchop?
An attack that can decrypt a WEP packet without requiring the key
What is KRACK?
Key Reinstallation Attack. Replay attack that exploits WPA2’s four-way handshake process.
The attacker captures the shared secret and tricks the victim into reinstalling a key that is already in use.
What type of information is included in a WHOIS query?
information about the IP network range from which the IP address was allocated
technical, administrative, and billing contact information for the parties associated with a particular domain name
Which DNS records contain information about the OSs implemented and the hardware platforms in an organization?
HINFO
Which nmap parameter configures nmap to perform an ACK scan?
-sA
What is a DROWN attack?
a vulnerability in servers that support SSLv2 related to its handling of the cipher text in an RSA certificate during the initial handshake
What is a linear cryptanalysis attack?
using both the plain text and corresponding cipher text to extract an encryption key. Also known as a known plaintext attack
Describe blowfish
A symmetric 64-bit block cipher that uses a variable-length key ranging from 32 to 448 bits
Describe Twofish
A symmetric 128-bit block cipher that uses a key length of 128 or 256 bits
Describe IDEA
A symmetric 64-bit block cipher that uses a 128-bit key. It uses a series of eight rounds of 64-bit block encryption
Describe AES
A symmetric block cipher with 128 bit block size that uses a key length of 128, 192, or 256 bits
Describe 3DES
A 64-bit block symmetric encryption algorithm that uses multiple 56-bit passes to encrypt data, resulting in a 168-bit key
Describe RSA
An asymmetric encryption algorithm that uses prime numbers to generate keys, recommended at least 2048 bits long.
Describe SHA1
A hashing algorithm that creates a 160-bit hash
Which key is created when a TPM is manufactured?
endorsement key
Which key is created when a user takes ownership of a TPM?
storage root key
What is an STP attack?
A rogue switch is added to the network and advertises the lowest bridge priority value, making it the root bridge
What is switch spoofing?
a VLAN hopping attack in which an attacker configures their system to act like a switch with a trunk port and uses DTP (dynamic trunking protocol) to negotiate a trunk link with a switch port
What is a MITC attack?
Attacker uses malware to steal synchronization tokens used to authenticate and synchronize data with cloud providers
How can MITC attacks be mitigated?
Educating users about social engineering
Installing a CASB
What is HULK?
HTTP Unbearable Load King tool
A tool that can initiate an HTTP flood and can evade IDSs
What is MEDUSA?
Tool used to gather open-source intelligence (OSINT) from social media platforms
What is hootsuite?
A social media management platform
What is VisualRoute?
a suite of networking tools that can visualize networking issues
Which port does SMB use?
445
Which port does SNMP use?
161 and 162
What algorithms do the different wireless protocols use to encrypt communications?
WEP: RC4
WPA: TKIP
WPA2: AES-CCMP
WPA3: AES-GCMP
What is dnsenum?
a Perl script used to enumerate DNS information
What is Bluto?
A Python script that can query a target domain for MX and NS records and can perform an AXFR query to discover subdomains. Can also brute force using the Alexa Top 1 Million subdomains list
What is SubBrute?
A Python script used for DNS enumeration that recursively crawls enumerated DNS records, similar to how a search engine spider crawls a website. Can enumerate any DNS record type
What is InstaRecon?
A Python-based DNS enumeration tool that adds the ability to use Shodan for performing queries and can perform reverse DNS lookups on an entire IP range
What do the various error directives in a php.ini file do?
error_log: configures the path of the error log itself
log_errors: whether or not to write errors to the log
display_errors: whether or not to display errors in the browser
error_reporting: determines the level at which the PHP process will produce error messages
What is DGA?
Domain Generation Algorithm. Attack relying on domains that have not yet been categorized or classified by a reputation-based security system.
Commonly used to ensure that C2 systems remain accessible.
Malware dynamically generates a predictable list of domain names that can be used to contact the C2 server
What is fast fluxing?
Using a network of compromised hosts to proxy services for an attacker. The attacker's communications are dynamically proxied through the botnet, making it difficult for the security team to blacklist the IPs of the botnet hosts
Can be mitigated by taking down the domain server that corresponds to the malicious domain
What is double fluxing?
similar to fast fluxing, but a separate botnet is used to proxy the DNS services for the attacker, protecting the attacker’s DNS server from takedown efforts
Can be mitigated by contacting the appropriate Top Level Domain (TLD) registrar to take down the domain
What does the mod_negotiation module do on an Apache server?
Disables file extensions on the server. The file extensions are not revealed in the URL, and the extension of the file returned by the server is based on the browser’s preferences
Which parameter should be used to silence error messages when using the curl command to scrape hyperlinks from a webpage?
-s
What is a DNS DDoS?
Flooding TCP port 53 of a DNS server with illegitimate traffic to deny access to the server
What is a DNS amplification attack?
A DRDoS attack in which attackers send a flood of DNS queries from their own servers, but the queries contain spoofed source addresses that are sent to the address of the target
What is DNS tunneling?
data exfiltration technique in which nonstandard traffic is sent over TCP port 53 in order to bypass firewall protections
What does the NSE smb-os-discovery script return?
OS, computer name, domain name, forest name, FQDN, NetBIOS name, NetBIOS domain name, workgroup, system time
What does the NSE enip-info script return?
If the target device is listening on port 44818: device type, vendor ID, product name, serial number, product code, revision number, status, state, IP address
What does the netbus-info NSE script return?
Uses port 12345 to return: applications, installation path, restart persistence, user login ID, number of connected clients, log settings, password, email address, SMTP server, sound volume settings
What does the http-enum NSE script return?
exposed applications, directories, and files on web servers
What does a passive aLTEr attack do?
Uses OSI Layer 2 meta-information to determine which sites a user visits
What is an active aLTEr attack?
Attacker simulates a legitimate cell tower to redirect connections
What is Maltego?
Software used for OSINT and forensics. Specializes in displaying info in graph format. Permits creating custom entities, allowing it to represent any type of information.
What was the previous name for Wireshark?
Ethereal
What is Nessus?
A proprietary vulnerability scanner
What TTL value indicates a Windows OS?
128