fc_three Flashcards

1
Q

Sophia travels a lot and worries that her laptop containing confidential documents might be stolen. What is
the best protection that will work for her?
A. Password protected files
B. Hidden folders
C. BIOS password
D. Full disk encryption.

A

Answer: D

2
Q

A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should
he do?
A. Ignore it.
B. Try to sell the information to a well-paying party on the dark web.
C. Notify the web site owner so that corrective action can be taken as soon as possible to patch the
vulnerability.
D. Exploit the vulnerability without harming the web site owner so that attention is drawn to the problem.

A

Answer: C

3
Q

What two conditions must a digital signature meet?
A. Has to be unforgeable, and has to be authentic.
B. Has to be legible and neat.
C. Must be unique and have special characters.
D. Has to be the same number of characters as a physical signature and must be unique.

A

Answer: A

4
Q

A hacker has managed to gain access to a Linux host and has stolen the password file /etc/passwd. How
can he use it?
A. The password file does not contain the passwords themselves.
B. He can open it and read the user ids and corresponding passwords.
C. The file reveals the passwords to the root user only.
D. He cannot read it because it is encrypted.

A

Answer: A

5
Q

Which Intrusion Detection System is best suited for large environments where critical assets on the
network need extra security, and is ideal for observing sensitive network segments?
A. Network-based intrusion detection system (NIDS)
B. Host-based intrusion detection system (HIDS)
C. Firewalls
D. Honeypots

A

Answer: A

6
Q

A company’s Web development team has become aware of a certain type of security vulnerability in their
Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the
software requirements to disallow users from entering HTML as input into their Web application.
What kind of Web application vulnerability likely exists in their software?
A. Cross-site scripting vulnerability
B. Cross-site Request Forgery vulnerability
C. SQL injection vulnerability
D. Web site defacement vulnerability

A

Answer: A

7
Q

Bob learned that his username and password for a popular game have been compromised. He contacts the
company and resets all the information. The company suggests he use two-factor authentication. Which
option below offers that?
A. A new username and password
B. A fingerprint scanner and his username and password.
C. Disable his username and use just a fingerprint scanner.
D. His username and a stronger password.

A

Answer: B

8
Q

A network administrator discovers several unknown files in the root directory of his Linux FTP server. One
of the files is a tarball, two are shell script files, and another is a binary file named "nc." The FTP server's
access logs show that the anonymous user account logged in to the server, uploaded the files,
extracted the contents of the tarball, and ran the script using a function provided by the FTP server's
software. The ps command shows that the nc file is running as a process, and the netstat command shows
that the nc process is listening on a network port.
What kind of vulnerability must be present to make this remote attack possible?
A. File system permissions
B. Privilege escalation
C. Directory traversal
D. Brute force login

A

Answer: A

9
Q

Which of the following incident handling process phases is responsible for defining rules, coordinating the
human workforce, creating a back-up plan, and testing the plans for an organization?
A. Preparation phase
B. Containment phase
C. Identification phase
D. Recovery phase

A

Answer: A

10
Q

An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and
Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible
breach of security. When the investigator attempts to correlate the information in all of the logs, the
sequence of many of the logged events does not match up.
What is the most likely cause?
A. The network devices are not all synchronized.
B. Proper chain of custody was not observed while collecting the logs.
C. The attacker altered or erased events from the logs.
D. The security breach was a false positive.

A

Answer: A

11
Q

What is correct about digital signatures?
A. A digital signature cannot be moved from one signed document to another because it is the hash of the
original document encrypted with the private key of the signing party.
B. Digital signatures may be used in different documents of the same type.
C. A digital signature cannot be moved from one signed document to another because it is a plain hash of
the document content.
D. Digital signatures are issued once for each user and can be used everywhere until they expire.

A

Answer: A

12
Q

Look at the following output. What did the hacker accomplish?

A. The hacker used whois to gather publicly available records for the domain.
B. The hacker used the “fierce” tool to brute force the list of available domains.
C. The hacker listed DNS records on his own domain.
D. The hacker successfully transferred the zone and enumerated the hosts.

A

Answer: D

13
Q

If executives are found liable for not properly protecting their company’s assets and information systems,
what type of law would apply in this situation?
A. Civil
B. International
C. Criminal
D. Common

A

Answer: A

14
Q

Which of the following is considered an exploit framework and has the ability to perform automated attacks
on services, ports, applications and unpatched security flaws in a computer system?
A. Wireshark
B. Maltego
C. Metasploit
D. Nessus

A

Answer: C

15
Q

What network security concept requires multiple layers of security controls to be placed throughout an IT
infrastructure, which improves the security posture of an organization to defend against malicious attacks or
potential vulnerabilities?
A. Security through obscurity
B. Host-Based Intrusion Detection System
C. Defense in depth
D. Network-Based Intrusion Detection System

A

Answer: C

16
Q
Which of the following tools can be used for passive OS fingerprinting?
A. tcpdump
B. nmap
C. ping
D. tracert
A

Answer: A

17
Q
Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense conversation on
his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it
begins to close.
What just happened?
A. Phishing
B. Whaling
C. Tailgating
D. Masquerading
A

Answer: C

18
Q

What is the correct process for the TCP three-way handshake connection establishment and connection
termination?
A. Connection Establishment: FIN, ACK-FIN, ACK; Connection Termination: SYN, SYN-ACK, ACK
B. Connection Establishment: SYN, SYN-ACK, ACK; Connection Termination: ACK, ACK-SYN, SYN
C. Connection Establishment: ACK, ACK-SYN, SYN; Connection Termination: FIN, ACK-FIN, ACK
D. Connection Establishment: SYN, SYN-ACK, ACK; Connection Termination: FIN, ACK-FIN, ACK

A

Answer: D

19
Q

What is not a PCI compliance recommendation?
A. Limit access to card holder data to as few individuals as possible.
B. Use encryption to protect all transmission of card holder data over any public network.
C. Rotate employees handling credit card transactions on a yearly basis to different departments.
D. Use a firewall between the public network and the payment card data.

A

Answer: C

20
Q

Websites and web portals that provide web services commonly use the Simple Object Access Protocol
(SOAP). Which of the following is an incorrect definition or characteristic of the protocol?
A. Based on XML
B. Provides a structured model for messaging
C. Exchanges data between web services
D. Only compatible with the application protocol HTTP

A

Answer: D

21
Q

Which of the following statements regarding ethical hacking is incorrect?
A. Ethical hackers should never use tools or methods that have the potential of exploiting vulnerabilities in
an organization’s systems.
B. Testing should be remotely performed offsite.
C. An organization should use ethical hackers who do not sell vendor hardware/software or other consulting
services.
D. Ethical hacking should not involve writing to or modifying the target systems.

A

Answer: A

22
Q

An IT employee got a call from one of our best customers. The caller wanted to know about the company's
network infrastructure, systems, and team. New opportunities for integration are in sight for both company
and customer. What should this employee do?
A. Since the company's policy is all about Customer Service, he/she will provide the information.
B. Disregarding the call, the employee should hang up.
C. The employee should not provide any information without prior management authorization.
D. The employee cannot provide any information but will, anyway, provide the name of the person
in charge.

A

Answer: C

23
Q

When purchasing a biometric system, one of the considerations that should be reviewed is the processing
speed. Which of the following best describes what is meant by processing speed?
A. The amount of time it takes to convert biometric data into a template on a smart card.
B. The amount of time and resources that are necessary to maintain a biometric system.
C. The amount of time it takes to be either accepted or rejected when an individual provides
identification and authentication information.
D. How long it takes to set up individual user accounts.

A

Answer: C

24
Q
What term describes the amount of risk that remains after the vulnerabilities are classified and the
countermeasures have been deployed?
A. Residual risk
B. Inherent risk
C. Deferred risk
D. Impact risk
A

Answer: A

25
Q

Cryptography is the practice and study of techniques for secure communication in the presence of third
parties (called adversaries). More generally, it is about constructing and analyzing protocols that overcome
the influence of adversaries and that are related to various aspects of information security such as data
confidentiality, data integrity, authentication, and non-repudiation. Modern cryptography intersects the
disciplines of mathematics, computer science, and electrical engineering. Applications of cryptography
include ATM cards, computer passwords, and electronic commerce.
A basic example to help understand how cryptography works is given below:

Which of the following choices is true about cryptography?
A. Algorithm is not the secret, key is the secret.
B. Symmetric-key algorithms are a class of algorithms for cryptography that use different cryptographic
keys for the encryption of plaintext and the decryption of ciphertext.
C. Secure Sockets Layer (SSL) uses asymmetric encryption (a public/private key pair) both to deliver the
shared session key and to establish a communication channel.
D. In public-key cryptography, also known as asymmetric cryptography, the public key is for decryption and the private key is for encryption.

A

Answer: C

26
Q
You're doing an internal security audit and you want to find out what ports are open on all the servers. What
is the best way to find out?
A. Scan servers with Nmap
B. Physically go to each server
C. Scan servers with MBSA
D. Telnet to every port on each server
A

Answer: A

27
Q
You want to do an ICMP scan on a remote computer using hping2. What is the proper syntax?
A. hping2 host.domain.com
B. hping2 --set-ICMP host.domain.com
C. hping2 -i host.domain.com
D. hping2 -1 host.domain.com
A

Answer: D

28
Q

Rebecca commonly sees an error on her Windows system that states that a Data Execution Prevention
(DEP) error has taken place. Which of the following is most likely taking place?
A. A race condition is being exploited, and the operating system is containing the malicious process.
B. A page fault is occurring, which forces the operating system to write data from the hard drive.
C. Malware is executing in either ROM or a cache memory area.
D. Malicious code is attempting to execute instructions in a non-executable memory region.

A

Answer: D

29
Q

What is the difference between the AES and RSA algorithms?
A. Both are asymmetric algorithms, but RSA uses 1024-bit keys.
B. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to
encrypt data.
C. Both are symmetric algorithms, but AES uses 256-bit keys.
D. AES is asymmetric, which is used to create a public/private key pair; RSA is symmetric, which is used to
encrypt data.

A

Answer: B

30
Q

Seth is starting a penetration test from inside the network. He hasn’t been given any information about the
network. What type of test is he conducting?
A. Internal, Whitebox
B. External, Whitebox
C. Internal, Blackbox
D. External, Blackbox

A

Answer: C

31
Q
Which of the following is a protocol specifically designed for transporting event messages?
A. SYSLOG
B. SMS
C. SNMP
D. ICMP
A

Answer: A

32
Q

Which of the following programming languages is most susceptible to buffer overflow attacks, due to its lack
of a built-in bounds checking mechanism?

Output: Segmentation fault
A. C#
B. Python
C. Java
D. C++
A

Answer: D

33
Q

You are the Systems Administrator for a large corporate organization. You need to monitor all network
traffic on your local network for suspicious activities and receive notifications when an attack is occurring.
Which tool would allow you to accomplish this goal?
A. Network-based IDS
B. Firewall
C. Proxy
D. Host-based IDS

A

Answer: A

34
Q

To browse the Internet anonymously, which of the following is the best choice?
A. Use SSL sites when entering personal information
B. Use the Tor network with multiple nodes
C. Use shared WiFi
D. Use public VPN

A

Answer: B

35
Q

Emil uses nmap to scan two hosts using this command: nmap -sS -T4 -O 192.168.99.1 192.168.99.7
He receives this output:

What is his conclusion?
A. Host 192.168.99.7 is an iPad.
B. He performed a SYN scan and OS scan on hosts 192.168.99.1 and 192.168.99.7.
C. Host 192.168.99.1 is the host that he launched the scan from.
D. Host 192.168.99.7 is down.

A

Answer: B

36
Q

An attacker gains access to a Web server’s database and displays the contents of the table that holds all of
the names, passwords, and other user information. The attacker did this by entering information into the
Web site’s user login page that the software’s designers did not expect to be entered. This is an example of
what kind of software design problem?
A. Insufficient input validation
B. Insufficient exception handling
C. Insufficient database hardening
D. Insufficient security management

A

Answer: A

37
Q

Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within the suite provides
different functionality. Collectively, IPSec does everything except:
A. Protect the payload and the headers
B. Authenticate
C. Encrypt
D. Work at the Data Link Layer

A

Answer: D

38
Q
Which of the following is a passive wireless packet analyzer that works on Linux-based systems?
A. Burp Suite
B. OpenVAS
C. tshark
D. Kismet
A

Answer: D

39
Q

While performing online banking using a Web browser, Kyle receives an email that contains a
well-crafted image. Upon clicking the image, a new tab in the web browser opens and shows an animated GIF
of bills and coins being swallowed by a crocodile. After several days, Kyle notices that all his funds in the
bank are gone. What Web browser-based security vulnerability was exploited by the hacker?
A. Clickjacking
B. Web Form Input Validation
C. Cross-Site Request Forgery
D. Cross-Site Scripting

A

Answer: C

40
Q

A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites.
77 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets
had an ICMP ID:0 and Seq:0. What can you infer from this information?
A. The packets were sent by a worm spoofing the IP addresses of 47 infected sites
B. ICMP ID and Seq numbers were most likely set by a tool and not by the operating system
C. All 77 packets came from the same LAN segment and hence had the same ICMP ID and Seq number
D. 13 packets were from an external network and probably behind a NAT, as they had an ICMP ID 0 and
Seq 0

A

Answer: B

41
Q

One of the Forbes 500 companies has been subjected to a large scale attack. You are one of the shortlisted
pen testers that they may hire. During the interview with the CIO, he emphasized that he wants to totally
eliminate all risks. What is one of the first things you should do when hired?
A. Interview all employees in the company to rule out possible insider threats.
B. Establish attribution to suspected attackers.
C. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable
levels.
D. Start the Wireshark application to start sniffing network traffic.

A

Answer: C

42
Q

You've just discovered a server that is currently active on the same network as the machine you
recently compromised. You ping it but it does not respond. What could be the case?
A. TCP/IP doesn’t support ICMP
B. ARP is disabled on the target server
C. ICMP could be disabled on the target server
D. You need to run the ping command with root privileges

A

Answer: C

43
Q

In an internal security audit, the white hat hacker gains control over a user account and attempts to acquire
access to another account’s confidential files and information. How can he achieve this?
A. Port Scanning
B. Hacking Active Directory
C. Privilege Escalation
D. Shoulder-Surfing

A

Answer: C

44
Q

You have initiated an active operating system fingerprinting attempt with nmap against a target system:
What operating system is the target host running based on the open ports shown above?
A. Windows XP
B. Windows 98 SE
C. Windows NT4 Server
D. Windows 2000 Server

A

Answer: D

45
Q

If you are to determine the attack surface of an organization, which of the following is the BEST thing to do?
A. Running a network scan to detect network services in the corporate DMZ
B. Reviewing the need for a security clearance for each employee
C. Using configuration management to determine when and where to apply security patches
D. Training employees on the security policy regarding social engineering

A

Answer: A

46
Q

A software tester is randomly generating invalid inputs in an attempt to crash the program. Which of the
following is a software testing technique used to determine if a software program properly handles a wide range of invalid input?
A. Mutating
B. Randomizing
C. Fuzzing
D. Bounding

A

Answer: C

47
Q

The practical realities facing organizations today make risk response strategies essential. Which of the
following is NOT one of the five basic responses to risk?
A. Accept
B. Mitigate
C. Delegate
D. Avoid

A

Answer: C

48
Q
Which among the following is a Windows command that a hacker can use to list all the shares to which the
current user context has access?
A. NET FILE
B. NET USE
C. NET CONFIG
D. NET VIEW
A

Answer: B

49
Q

As an Ethical Hacker you are capturing traffic from your customer network with Wireshark and you need to
find and verify just SMTP traffic. What command in Wireshark will help you to find this kind of traffic?
A. request smtp 25
B. tcp.port eq 25
C. smtp port
D. tcp.contains port 25

A

Answer: B

50
Q

What tool and process are you going to use in order to remain undetected by an IDS while pivoting and
passing traffic over a server you’ve compromised and gained root access to?
A. Install Cryptcat and encrypt outgoing packets from this server.
B. Use HTTP so that all traffic can be routed via a browser, thus evading the internal Intrusion Detection
Systems.
C. Use Alternate Data Streams to hide the outgoing packets from this server.

A

Answer: B

51
Q

There are several ways to gain insight into how a cryptosystem works with the goal of reverse engineering
the process. What term describes when two pieces of data result in the same value?
A. Collision
B. Collusion
C. Polymorphism
D. Escrow

A

Answer: A

52
Q

A server has been infected by a certain type of Trojan. The hacker intended to use it to send and host
junk mail. What type of Trojan did the hacker use?
A. Turtle Trojans
B. Ransomware Trojans
C. Botnet Trojan
D. Banking Trojans

A

Answer: C

53
Q

The security administrator of ABC needs to permit Internet traffic to the host 10.0.0.2 and UDP traffic to the
host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and deny all other traffic.
After he applies his ACL configuration on the router, nobody can access FTP and the permitted hosts
cannot access the Internet. According to the following configuration, what is happening in the network?

A. The ACL 110 needs to be changed to port 80
B. The ACL for FTP must be before the ACL 110
C. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
D. The ACL 104 needs to be first because it is UDP

A

Answer: C

54
Q

Security and privacy of information systems are two areas that require legal regulation. Which of
the following regulations defines security and privacy controls for Federal information systems and
organizations?
A. NIST SP 800-53
B. PCI-DSS
C. EU Safe Harbor
D. HIPAA

A

Answer: A

55
Q

The first thing you do every office day is check your email inbox. One morning, you receive an email from
your best friend, and the subject line is quite strange. What should you do?
A. Delete the email and pretend nothing happened.
B. Forward the message to your supervisor and ask for her opinion on how to handle the situation.
C. Forward the message to your company's security response team and permanently delete the message from your computer.
D. Reply to the sender and ask them for more information about the message contents.

A

Answer: C

56
Q

________ is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the
premises, but actually has been set up to eavesdrop on wireless communications. It is the wireless version
of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted
hotspot by posing as a legitimate provider. This type of attack may be used to steal the passwords of
unsuspecting users by either snooping the communication link or by phishing, which involves setting up a
fraudulent web site and luring people there.
Fill in the blank with appropriate choice.
A. Collision Attack
B. Evil Twin Attack
C. Sinkhole Attack
D. Signal Jamming Attack

A

Answer: B

57
Q
What is the term coined for logging, recording and resolving events in a company?
A. Internal Procedure
B. Security Policy
C. Incident Management Process
D. Metrics
A

Answer: C

58
Q
Which of the following is a wireless network detector that is commonly found on Linux?
A. Kismet
B. Abel
C. Netstumbler
D. Nessus
A

Answer: A

59
Q
You want to analyze packets on your wireless network. Which program would you use?
A. Wireshark with Airpcap
B. Airsnort with Airpcap
C. Wireshark with Winpcap
D. Ethereal with Winpcap
A

Answer: A

60
Q

Study the log below and identify the scan type.

A. nmap -sR 192.168.1.10
B. nmap -sS 192.168.1.10
C. nmap -sV 192.168.1.10
D. nmap -sO -T 192.168.1.10

A

Answer: D

61
Q

In which phase of the ethical hacking process can Google hacking be employed? This is a technique that
involves manipulating a search string with specific operators to search for vulnerabilities.
Example:

allintitle: root passwd
A. Maintaining Access
B. Gaining Access
C. Reconnaissance
D. Scanning and Enumeration
A

Answer: C

62
Q
Which specific element of security testing is being assured by using a hash?
A. Authentication
B. Integrity
C. Confidentiality
D. Availability
A

Answer: B

63
Q

While performing ping scans into a target network you get a frantic call from the organization’s security
team. They report that they are under a denial of service attack. When you stop your scan, the smurf attack
event stops showing up on the organization’s IDS monitor.
How can you modify your scan to prevent triggering this event in the IDS?
A. Scan more slowly.
B. Do not scan the broadcast IP.
C. Spoof the source IP address.
D. Only scan the Windows systems.

A

Answer: B

64
Q

You are manually conducting Idle Scanning using Hping2. During your scanning you notice that almost
every query increments the IPID regardless of the port being queried. One or two of the queries cause the
IPID to increment by more than one value. Why do you think this occurs?

A. The zombie you are using is not truly idle.
B. A stateful inspection firewall is resetting your queries.
C. Hping2 cannot be used for idle scanning.
D. These ports are actually open on the target system.

A

Answer: A

65
Q
Which of the following is designed to verify and authenticate individuals taking part in a data exchange
within an enterprise?
A. SOA
B. Single-Sign On
C. PKI
D. Biometrics
A

Answer: C

66
Q

Sandra is the security administrator of XYZ.com. One day she notices that the XYZ.com Oracle database
server has been compromised and customer information along with financial data has been stolen. The
financial loss will be estimated in millions of dollars if the database gets into the hands of competitors.
Sandra wants to report this crime to the law enforcement agencies immediately. Which organization
coordinates computer crime investigations throughout the United States?
A. NDCA
B. NICP
C. CIRP
D. NPC
E. CIA

A

Answer: D

67
Q

While doing a technical assessment to determine network vulnerabilities, you used the TCP XMAS scan.
What would be the response of all open ports?
A. The port will send an ACK
B. The port will send a SYN
C. The port will ignore the packets
D. The port will send an RST

A

Answer: C

68
Q

A distributed port scan operates by:
A. Blocking access to the scanning clients by the targeted host
B. Using denial-of-service software against a range of TCP ports
C. Blocking access to the targeted host by each of the distributed scanning clients
D. Having multiple computers each scan a small number of ports, then correlating the results

A

Answer: D

69
Q

Why would an attacker want to perform a scan on port 137?
A. To discover proxy servers on a network
B. To disrupt the NetBIOS SMB service on the target host
C. To check for file and print sharing on Windows systems
D. To discover information about a target host using NBTSTAT

A

Answer: D

70
Q

While doing a black-box pen test via TCP port 80, you noticed that the traffic gets blocked when you
tried to pass IRC traffic from a web-enabled host. However, you also noticed that outbound HTTP traffic is
being allowed. What type of firewall is being utilized for the outbound traffic?
A. Stateful
B. Application
C. Circuit
D. Packet Filtering

A

Answer: B

71
Q
Which of the following is NOT an ideal choice for biometric controls?
A. Iris patterns
B. Fingerprints
C. Height and weight
D. Voice
A

Answer: C

72
Q

Your next-door neighbor, whom you do not get along with, is having issues with his network, so he yells
his network's SSID and password to his spouse, and you hear them both clearly. What do you do with this
information?
A. Nothing, but suggest to him to change the network’s SSID and password.
B. Sell his SSID and password to friends that come to your house, so it doesn’t slow down your network.
C. Log onto his network; after all, it's his fault that you can get in.
D. Only use his network when you have large downloads so you don’t tax your own network.

A

Answer: A

73
Q

Which of the following BEST describes the mechanism of a Boot Sector Virus?
A. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
B. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR
C. Overwrites the original MBR and only executes the new virus code
D. Modifies directory table entries so that directory entries point to the virus code instead of the actual
program

A

Answer: A

74
Q

Matthew received an email with an attachment named “YouWon$10Grand.zip.” The zip file contains a file
named “HowToClaimYourPrize.docx.exe.” Out of excitement and curiosity, Matthew opened the said file.
Without his knowledge, the file copies itself to Matthew’s APPDATA\Local directory and begins to beacon to
a Command-and-control server to download additional malicious binaries. What type of malware has
Matthew encountered?
A. Key-logger
B. Trojan
C. Worm
D. Macro Virus

A

Answer: B

75
Q

LM hash is a compromised password hashing function. Which of the following parameters describe LM
Hash?
I – The maximum password length is 14 characters.
II – There are no distinctions between uppercase and lowercase.
III – It’s a simple algorithm, so 10,000,000 hashes can be generated per second.
A. I
B. I, II, and III
C. II
D. I and II

A

Answer: B

76
Q

What is the approximate cost of replacement and recovery operation per year of a hard drive that has a
value of $300 given that the technician who charges $10/hr would need 10 hours to restore OS and
Software and needs further 4 hours to restore the database from the last backup to the new hard disk?
Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%).
A. $440
B. $100
C. $1320
D. $146

A

Answer: D

77
Q

Backing up data is a security must. However, it also carries a certain level of risk when mishandled. Which of
the following is the greatest threat posed by backups?
A. A backup is the source of Malware or illicit information
B. A backup is incomplete because no verification was performed
C. A backup is unavailable during disaster recovery
D. An unencrypted backup can be misplaced or stolen

A

Answer: D

78
Q
Which of the following is an NMAP script that could help detect HTTP Methods such as GET, POST, HEAD,
PUT, DELETE, TRACE?
A. http-git
B. http-headers
C. http-enum
D. http-methods
A

Answer: D

79
Q

A big company that wants to test its security infrastructure is looking to hire elite pen testers like you.
During the interview, they asked you to show sample reports from previous penetration tests. What should
you do?
A. Share reports, after NDA is signed
B. Share full reports, not redacted
C. Decline, but provide references
D. Share full reports with redactions

A

Answer: C

80
Q

Knowing the nature of backup tapes, which of the following is the MOST RECOMMENDED way of storing
backup tapes?
A. In a cool dry environment
B. Inside the data center for faster retrieval in a fireproof safe
C. In a climate controlled facility offsite
D. On a different floor in the same building

A

Answer: C

81
Q

Which of the following is a vulnerability in GNU’s bash shell (discovered in September of 2014) that gives
attackers access to run remote commands on a vulnerable system?
A. Shellshock
B. Rootshell
C. Rootshock
D. Shellbash

A

Answer: A

82
Q

Which of the following is the BEST way to protect Personally Identifiable Information (PII) from being
exploited due to vulnerabilities of varying web applications?
A. Use cryptographic storage to store all PII
B. Use full disk encryption on all hard drives to protect PII
C. Use encrypted communications protocols to transmit PII
D. Use a security token to log into all Web applications that use PII

A

Answer: C

83
Q

Which of the following is a restriction being enforced in “white box testing?”
A. Only the internal operation of a system is known to the tester
B. The internal operation of a system is completely known to the tester
C. The internal operation of a system is only partly accessible to the tester
D. Only the external operation of a system is accessible to the tester

A

Answer: B

84
Q
When security and confidentiality of data within the same LAN is of utmost priority, which IPSec mode
should you implement?
A. AH Tunnel mode
B. AH promiscuous
C. ESP transport mode
D. ESP confidential
A

Answer: C

85
Q

What is the code written for?

A. Buffer Overflow
B. Encryption
C. Bruteforce
D. Denial-of-service (Dos)

A

Answer: A

86
Q

What tool should you use when you need to analyze extracted metadata from files you collected when you
were in the initial stage of penetration test (information gathering)?
A. Armitage
B. Dimitry
C. Metagoofil
D. cdpsnarf

A

Answer: C

87
Q
Which type of security feature stops vehicles from crashing through the doors of a building?
A. Turnstile
B. Bollards
C. Mantrap
D. Receptionist
A

Answer: B

88
Q
Name two software tools used for OS guessing. (Choose two.)
A. Nmap
B. Snadboy
C. Queso
D. UserInfo
E. NetBus
A

Answer: A C

89
Q
An nmap command that includes the host specification of 202.176.56-57.* will scan how many hosts?
A. 2
B. 256
C. 512
D. Over 10,000
A

Answer: C

90
Q

In IPv6 what is the major difference concerning application layer vulnerabilities compared to IPv4?
A. Implementing IPv4 security in a dual-stack network offers protection from IPv6 attacks too.
B. Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation
techniques are almost identical.
C. Due to the extensive security measures built into IPv6, application layer vulnerabilities need not be
addressed.
D. Vulnerabilities in the application layer are greatly different from IPv4.

A

Answer: B

91
Q

Which of the following is the BEST approach to prevent Cross-site Scripting (XSS) flaws?
A. Use digital certificates to authenticate a server prior to sending data.
B. Verify access right before allowing access to protected information and UI controls.
C. Verify access right before allowing access to protected information and UI controls.
D. Validate and escape all information sent to a server.

A

Answer: D

92
Q

TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during
standard layer 4 network communications. Which of the following tools can be used for passive OS fingerprinting?
A. nmap
B. ping
C. tracert
D. tcpdump

A

Answer: D

93
Q

A company recently hired your team of Ethical Hackers to test the security of their network systems. The
company wants to have the attack be as realistic as possible. They did not provide any information besides
the name of their company. What phase of security testing would your team jump in right away?
A. Scanning
B. Reconnaissance
C. Escalation
D. Enumeration

A

Answer: B

94
Q

It is a widely used standard for message logging. It permits separation of the software that generates
messages, the system that stores them, and the software that reports and analyzes them. This protocol is
specifically designed for transporting event messages. Which of the following is being described?
A. SNMP
B. ICMP
C. SYSLOG
D. SMS

A

Answer: C

95
Q

Defining rules, collaborating with the human workforce, creating a backup plan, and testing the plans are within
what phase of the Incident Handling Process?
A. Preparation phase
B. Containment phase
C. Recovery phase
D. Identification phase

A

Answer: A

96
Q
Which service in a PKI will vouch for the identity of an individual or company?
A. KDC
B. CA
C. CR
D. CBC
A

Answer: B

97
Q

Sandra has been actively scanning the client network on which she is doing a vulnerability assessment test.
While conducting a port scan she notices open ports in the range of 135 to 139.
What protocol is most likely to be listening on those ports?
A. Finger
B. FTP
C. Samba
D. SMB

A

Answer: D

98
Q
What attack is used to crack passwords by using a precomputed table of hashed passwords?
A. Brute Force Attack
B. Hybrid Attack
C. Rainbow Table Attack
D. Dictionary Attack
A

Answer: C

99
Q

Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library?
This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS
encryption used to secure the Internet.
A. Heartbleed Bug
B. POODLE
C. SSL/TLS Renegotiation Vulnerability
D. Shellshock

A

Answer: A

100
Q

Bob received this text message on his mobile phone: “Hello, this is Scott Smelby from the Yahoo Bank.
Kindly contact me for a vital transaction on: scottsmelby@yahoo.com”. Which statement below is true?
A. This is probably a legitimate message as it comes from a respectable organization.
B. Bob should write to scottsmelby@yahoo.com to verify the identity of Scott.
C. This is a scam as everybody can get a @yahoo address, not the Yahoo customer service employees.
D. This is a scam because Bob does not know Scott.

A

Answer: C

101
Q
Which of the following security policies defines the use of VPN for gaining access to an internal corporate
network?
A. Network security policy
B. Remote access policy
C. Information protection policy
D. Access control policy
A

Answer: B

102
Q

In order to prevent particular ports and applications from getting packets into an organization, what does a
firewall check?
A. Network layer headers and the session layer port numbers
B. Presentation layer headers and the session layer port numbers
C. Application layer port numbers and the transport layer headers
D. Transport layer port numbers and application layer headers

A

Answer: D

103
Q

Which of the following is a form of penetration testing that relies heavily on human interaction and often
involves tricking people into breaking normal security procedures?
A. Social Engineering
B. Piggybacking
C. Tailgating
D. Eavesdropping

A

Answer: A

104
Q
Which of the following Nmap commands would be used to perform a stack fingerprinting?
A. Nmap -O -p80 
B. Nmap -hU -Q
C. Nmap -sT -p 
D. Nmap -u -o -w2 
E. Nmap -sS -0p targe
A

Answer: B

105
Q
Which of the following is the most important phase of ethical hacking, wherein you need to spend a
considerable amount of time?
A. Gaining access
B. Escalating privileges
C. Network mapping
D. Footprinting
A

Answer: D

106
Q

An enterprise recently moved to a new office and the new neighborhood is a little risky. The CEO wants to
monitor the physical perimeter and the entrance doors 24 hours. What is the best option to do this job?
A. Use fences in the entrance doors.
B. Install a CCTV with cameras pointing to the entrance doors and the street.
C. Use an IDS in the entrance doors and install some of them near the corners.
D. Use lights in all the entrance doors and along the company’s perimeter.

A

Answer: B

107
Q

What would you type on the Windows command line in order to launch the Computer Management Console
provided that you are logged in as an admin?
A. c:\compmgmt.msc
B. c:\gpedit
C. c:\ncpa.cpl
D. c:\services.msc

A

Answer: A

108
Q

What are two things that are possible when scanning UDP ports? (Choose two.)
A. A reset will be returned
B. An ICMP message will be returned
C. The four-way handshake will not be completed
D. An RFC 1294 message will be returned
E. Nothing

A

Answer: B E

109
Q

A recent security audit revealed that there were indeed several occasions that the company’s network was
breached. After investigating, you discover that your IDS is not configured properly and therefore is unable
to trigger alarms when needed. What type of alert is the IDS giving?
A. True Positive
B. False Negative
C. False Positive
D. False Positive

A

Answer: B

110
Q

Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines
on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security
professional, what would you infer from this scan?
A. It is a network fault and the originating machine is in a network loop
B. It is a worm that is malfunctioning or hardcoded to scan on port 500
C. The attacker is trying to detect machines on the network which have SSL enabled
D. The attacker is trying to determine the type of VPN implementation and checking for IPSec

A

Answer: D

111
Q
You’ve just gained root access to a CentOS 6 server after days of trying. What tool should you use to
maintain access?
A. Disable Key Services
B. Create User Account
C. Download and Install Netcat
D. Disable IPTables
A

Answer: B

112
Q
Which of the following tools is used by pen testers and analysts specifically to analyze links between data
using link analysis and graphs?
A. Metasploit
B. Wireshark
C. Maltego
D. Cain & Abel
A

Answer: C

113
Q

The chance of a hard drive failure is known to be once every four years. The cost of a new hard drive is
$500.
EF (Exposure Factor) is about 0.5. Calculate for the Annualized Loss Expectancy (ALE).
A. $62.5
B. $250
C. $125
D. $65.2

A

Answer: A

114
Q

A possibly malicious sequence of packets that were sent to a web server has been captured by an Intrusion
Detection System (IDS) and saved to a PCAP file. As a network administrator, you need to determine
whether these packets are indeed malicious. What tool are you going to use?
A. Intrusion Prevention System (IPS)
B. Vulnerability scanner
C. Protocol analyzer
D. Network sniffer

A

Answer: C

115
Q
What kind of risk will remain even if all theoretically possible safety measures would be applied?
A. Residual risk
B. Inherent risk
C. Impact risk
D. Deferred risk
A

Answer: A

116
Q

Destination unreachable administratively prohibited messages can inform the hacker of what?
A. That a circuit level proxy has been installed and is filtering traffic
B. That his/her scans are being blocked by a honeypot or jail
C. That the packets are being malformed by the scanning software
D. That a router or other packet-filtering device is blocking traffic
E. That the network is functioning normally

A

Answer: D

117
Q

This configuration allows a NIC to pass all traffic it receives to the Central Processing Unit (CPU), instead of
passing only the frames that the controller is intended to receive. Select the option that BEST describes the
above statement.
A. Multi-cast mode
B. WEM
C. Promiscuous mode
D. Port forwarding

A

Answer: C

118
Q

(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP
connection concepts and the ability to read packet signatures from a sniff dump.) Snort has been used to
capture packets on the network. On studying the packets, the penetration tester finds them to be abnormal. If
you were the penetration tester, why would you find this abnormal?
What is odd about this attack? Choose the best answer.

A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
B. This is back orifice activity as the scan comes from port 31337.
C. The attacker wants to avoid creating a sub-carries connection that is not normally valid.
D. These packets were crafted by a tool, they were not created by a standard IP stack.

A

Answer: B

119
Q

What is the best Nmap command to use when you want to list all devices in the same network quickly after
you successfully identified a server whose IP address is 10.10.0.5?
A. nmap -T4 -F 10.10.0.0/24
B. nmap -T4 -q 10.10.0.0/24
C. nmap -T4 -O 10.10.0.0/24
D. nmap -T4 -r 10.10.1.0/24

A

Answer: A

120
Q

SNMP is a protocol used to query hosts, servers, and devices about performance or health status data.
This protocol has long been used by hackers to gather great amount of information about remote hosts.
Which of the following features makes this possible? (Choose two.)
A. It uses TCP as the underlying protocol.
B. It uses community string that is transmitted in clear text.
C. It is susceptible to sniffing.
D. It is used by all network devices on the market.

A

Answer: B D

121
Q
Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up by an
IDS?
A. SYN scan
B. ACK scan
C. RST scan
D. Connect scan
E. FIN scan
A

Answer: D

122
Q

While reviewing the result of scanning run against a target network you come across the following:

Which among the following can be used to get this output?
A. A Bo2k system query.
B. nmap protocol scan
C. A sniffer
D. An SNMP walk
A

Answer: D

123
Q
Which of the following tools would MOST LIKELY be used to perform a security audit on various forms of
network systems?
A. Intrusion Detection System
B. Vulnerability scanner
C. Port scanner
D. Protocol analyzer
A

Answer: B

124
Q
What does a type 3 code 13 represent? (Choose two.)
A. Echo request
B. Destination unreachable
C. Network unreachable
D. Administratively prohibited
E. Port unreachable
F. Time exceeded
A

Answer: B D

125
Q

You are about to be hired by a well-known Bank to perform penetration tests. Which of the following
documents describes the specifics of the testing, the associated violations, and essentially protects both
the bank’s interest and your liabilities as a tester?
A. Service Level Agreement
B. Non-Disclosure Agreement
C. Terms of Engagement
D. Project Scope

A

Answer: C

126
Q
Which of the following commands runs snort in packet logger mode?
A. ./snort -dev -h ./log
B. ./snort -dev -l ./log
C. ./snort -dev -o ./log
D. ./snort -dev -p ./log
A

Answer: B

127
Q
Which type of scan sends packets with no flags set?
A. Open Scan
B. Null Scan
C. Xmas Scan
D. Half-Open Scan
A

Answer: B

128
Q
Which of the following command-line switches would you use for OS detection in Nmap?
A. -D
B. -O
C. -P
D. -X
A

Answer: B

129
Q

Which access control mechanism allows for multiple systems to use a central authentication server (CAS)
that permits users to authenticate once and gain access to multiple systems?
A. Role Based Access Control (RBAC)
B. Discretionary Access Control (DAC)
C. Windows authentication
D. Single sign-on

A

Answer: D

130
Q

It is a short-range wireless communication technology that allows mobile phones, computers and other
devices to connect and communicate. This technology intends to replace the cables connecting portable
devices, with a high regard for security.
A. Bluetooth
B. Radio-Frequency Identification
C. WLAN
D. InfraRed

A

Answer: A

131
Q
Which type of cryptography do SSL, IKE and PGP belong to?
A. Secret Key
B. Hash Algorithm
C. Digest
D. Public Key
A

Answer: D

132
Q

What type of malware is it that restricts access to a computer system that it infects and demands that the
user pay a certain amount of money, cryptocurrency, etc. to the operators of the malware to remove the
restriction?
A. Ransomware
B. Riskware
C. Adware
D. Spyware

A

Answer: A

133
Q

Shellshock had the potential for an unauthorized user to gain access to a server. It affected many
internet-facing services. Which OS did it not directly affect?
A. Windows
B. Unix
C. Linux
D. OS X

A

Answer: A

134
Q

A hacker was able to easily gain access to a website. He was able to log in via the frontend user login form
of the website using default or commonly used credentials. This exploitation is an example of what
Software design flaw?
A. Insufficient security management
B. Insufficient database hardening
C. Insufficient input validation
D. Insufficient exception handling

A

Answer: B

135
Q

A new wireless client that is 802.11 compliant cannot connect to a wireless network given that the client can
see the network and it has compatible hardware and software installed. Upon further tests and investigation,
it was found out that the Wireless Access Point (WAP) was not responding to the association requests
being sent by the wireless client. What MOST likely is the issue on this scenario?
A. The client cannot see the SSID of the wireless network
B. The WAP does not recognize the client’s MAC address.
C. The wireless client is not configured to use DHCP.
D. Client is configured for the wrong channel

A

Answer: B

136
Q
The following are types of Bluetooth attack EXCEPT?
A. Bluejacking
B. Bluesmacking
C. Bluesnarfing
D. Bluedriving
A

Answer: D

137
Q

Which of the following BEST describes how Address Resolution Protocol (ARP) works?
A. It sends a reply packet for a specific IP, asking for the MAC address
B. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP
C. It sends a request packet to all the network elements, asking for the domain name from a specific IP
D. It sends a request packet to all the network elements, asking for the MAC address from a specific IP

A

Answer: D

138
Q

Suppose you are the Chief Network Engineer of a certain Telco. Your company is planning for a big
business expansion and it requires that your network authenticate users connecting using analog modems,
Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame
Relay network. Which AAA protocol would you implement?
A. TACACS+
B. DIAMETER
C. Kerberos
D. RADIUS

A

Answer: D

139
Q

Suppose you’ve gained access to your client’s hybrid network. On which port should you listen in order to
know which Microsoft Windows workstations have file sharing enabled?

A. 1433
B. 161
C. 445
D. 3389

A

Answer: C

140
Q
Which of the following will perform an Xmas scan using NMAP?
A. nmap -sA 192.168.1.254
B. nmap -sP 192.168.1.254
C. nmap -sX 192.168.1.254
D. nmap -sV 192.168.1.254
A

Answer: C

141
Q

It has been reported to you that someone has caused an information spillage on their computer. You go to
the computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What
step in incident handling did you just complete?
A. Containment
B. Eradication
C. Recovery
D. Discovery

A

Answer: A

142
Q
XOR is a common cryptographic tool. 10110001 XOR 00111010 is?
A. 10111100
B. 11011000
C. 10011101
D. 10001011
A

Answer: D

143
Q

Jack was attempting to fingerprint all machines in the network using the following Nmap syntax:
invictus@victim_server:~$ nmap -T4 -0 10.10.0.0/24
TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING! Obviously, it is not going
through. What is the issue here?
A. OS Scan requires root privileges
B. The nmap syntax is wrong.
C. The outgoing TCP/IP fingerprinting is blocked by the host firewall
D. This is a common behavior for a corrupted nmap application

A

Answer: A

144
Q

While you were gathering information as part of security assessments for one of your clients, you were able
to gather data that show your client is involved with fraudulent activities. What should you do?
A. Immediately stop work and contact the proper legal authorities
B. Ignore the data and continue the assessment until completed as agreed
C. Confront the client in a respectful manner and ask her about the data
D. Copy the data to removable media and keep it in case you need it

A

Answer: A

145
Q

Eve is spending her day scanning the library computers. She notices that Alice is using a computer whose
port 445 is active and listening. Eve uses the ENUM tool to enumerate Alice’s machine. From the command
prompt, she types the following command.

What is Eve trying to do?

A. Eve is trying to connect as a user with Administrator privileges
B. Eve is trying to enumerate all users with Administrative privileges
C. Eve is trying to carry out a password crack for user Administrator
D. Eve is trying to escalate privilege of the null user to that of Administrator

A

Answer: C

146
Q
Peter, a Network Administrator, has come to you looking for advice on a tool that would help him perform
SNMP enquiries over the network.
Which of these tools would do the SNMP enumeration he is looking for? Select the best answers.
A. SNMPUtil
B. SNScan
C. SNMPScan
D. Solarwinds IP Network Browser
E. NMap
A

Answer: A B D

147
Q
Study the following log extract and identify the attack.
A. Hexcode Attack
B. Cross Site Scripting
C. Multiple Domain Traversal Attack
D. Unicode Directory Traversal Attack
A

Answer: D

148
Q

Hackers often raise the trust level of a phishing message by modeling the email to look similar to the
internal email used by the target company. This includes using logos, formatting, and names of the target
company.
The phishing message will often use the name of the company CEO, president, or managers. The time a
hacker spends performing research to locate this information about a company is known as?
A. Enumeration
B. Investigation
C. Exploration
D. Reconnaissance

A

Answer: D

149
Q

Gavin owns a white-hat firm and is performing a website security audit for one of his clients. He begins by
running a scan which looks for common misconfigurations and outdated software versions. Which of the
following tools is he most likely using?
A. Nikto
B. Nmap
C. Metasploit
D. Armitage

A

Answer: B

150
Q
Based on the following extract from the log of a compromised machine, what is the hacker really trying to
steal?
A. har.txt
B. SAM file
C. wwwroot
D. Repair file
A

Answer: B

151
Q

The network administrator at Spears Technology, Inc has configured the default gateway Cisco router’s
access-list as below:
You are hired to conduct security testing on their network.
You successfully brute-force the SNMP community string using a SNMP crack tool.
The access-list configured at the router prevents you from establishing a successful connection. You want
to retrieve the Cisco configuration from the router. How would you proceed?

A. Use the Cisco’s TFTP default password to connect and download the configuration file
B. Run a network sniffer and capture the returned traffic with the configuration file from the router
C. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking
your IP address
D. Send a customized SNMP set request with a spoofed source IP address in the range -192.168.1.0

A

Answer: B D

152
Q

You are analysing traffic on the network with Wireshark. You want to routinely run a cron job which will run
the capture against a specific set of IPs - 192.168.8.0/24. What command would you use?
A. wireshark --fetch "192.168.8*"
B. wireshark --capture --local masked 192.168.8.0 --range 24
C. tshark -net 192.255.255.255 mask 192.168.8.0
D. sudo tshark -f "net 192 .68.8.0/24"

A

Answer: D

153
Q

You have the SOA presented below in your Zone.
Your secondary servers have not been able to contact your primary server to synchronize information. How
long will the secondary servers attempt to contact the primary server before it considers that zone is dead
and stops responding to queries?
collegae.edu.SOA, cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600)
A. One day
B. One hour
C. One week
D. One month

A

Answer: C

154
Q

Why is a penetration test considered to be more thorough than a vulnerability scan?

A. The tools used by penetration testers tend to have much more comprehensive vulnerability databases.
B. A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a vulnerability scan
does not typically involve active exploitation.
C. It is not – a penetration test is often performed by an automated tool, while a vulnerability scan requires
active engagement.
D. Vulnerability scans only do host discovery and port scanning by default.

A

Answer: B

155
Q
This TCP flag instructs the sending system to transmit all buffered data immediately.
A. SYN
B. RST
C. PSH
D. URG
E. FIN
A

Answer: C

156
Q

Fingerprinting an Operating System helps a cracker because:
A. It defines exactly what software you have installed
B. It opens a security-delayed window based on the port being scanned
C. It doesn’t depend on the patches that have been applied to fix existing security holes
D. It informs the cracker of which vulnerabilities he may be able to exploit on your system

A

Answer: D

157
Q

Nathan is testing some of his network devices. Nathan is using Macof to try and flood the ARP cache of
these switches.
If these switches’ ARP cache is successfully flooded, what will be the result?
A. The switches will drop into hub mode if the ARP cache is successfully flooded.
B. If the ARP cache is flooded, the switches will drop into pix mode making it less susceptible to attacks.
C. Depending on the switch manufacturer, the device will either delete every entry in its ARP cache or
reroute packets to the nearest switch.
D. The switches will route all traffic to the broadcast address, creating collisions.

A

Answer: A

158
Q

Null sessions are unauthenticated connections (not using a username or password) to an NT or 2000
system. Which TCP and UDP ports must you filter to check null sessions on your network?
A. 137 and 139
B. 137 and 443
C. 139 and 443
D. 139 and 445

A

Answer: D

159
Q

Suppose your company has just passed a security risk assessment exercise. The results display that the
risk of the breach in the main company application is 50%. Security staff has taken some measures and
implemented the necessary controls. After that another security risk assessment was performed showing
that risk has decreased to 10%. The risk threshold for the application is 20%.
Which of the following risk decisions will be the best for the project in terms of its successful continuation
with most business profit?
A. Avoid the risk
B. Accept the risk
C. Introduce more controls to bring risk to 0%
D. Mitigate the risk

A

Answer: B

160
Q
Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing "server publishing"?
A. Overloading Port Address Translation
B. Dynamic Port Address Translation
C. Dynamic Network Address Translation
D. Static Network Address Translation
A

Answer: D

161
Q

When discussing passwords, what is considered a brute force attack?
A. You attempt every single possibility until you exhaust all possible combinations or discover the password
B. You threaten to use the rubber hose on someone unless they reveal their password
C. You load a dictionary of words into your cracking program
D. You create hashes of a large number of words and compare it with the encrypted passwords
E. You wait until the password expires

A

Answer: A

162
Q

In the context of password security, a simple dictionary attack involves loading a dictionary file (a text file
full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it
against user accounts located by the application. The larger the word and word fragment selection, the
more effective the dictionary attack is. The brute force method is the most inclusive, although slow. It
usually tries every possible letter and number combination in its automated exploration. If you would use
both brute force and dictionary methods combined together to have variation of words, what would you call
such an attack?
A. Full Blown
B. Thorough
C. Hybrid
D. BruteDics

A

Answer: C

163
Q
What port number is used by LDAP protocol?
A. 110
B. 389
C. 464
D. 445
A

Answer: B

164
Q
What ports should be blocked on the firewall to prevent NetBIOS traffic from coming through the firewall
if your network is comprised of Windows NT, 2000, and XP? (Choose three.)
A. 110
B. 135
C. 139
D. 161
E. 445
F. 1024
A

Answer: B C E

165
Q

You are tasked to configure the DHCP server to lease the last 100 usable IP addresses in subnet
10.1.4.0/23. Which of the following IP addresses could be leased as a result of the new configuration?
A. 210.1.55.200
B. 10.1.4.254
C. 10.1.5.200
D. 10.1.4.156

A

Answer: C
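
Worked check for question 165 (an added example, not part of the flashcard set): the /23 covers 10.1.4.0 through 10.1.5.255, the usable hosts are 10.1.4.1 through 10.1.5.254, and the last 100 of those are 10.1.5.155 through 10.1.5.254. The code computes that pool with the standard library and tests each option against it; the option table is transcribed from the card, and the function names are this example's own.

```python
import ipaddress

def last_usable_range(cidr, count):
    """Return (first, last) of the last `count` usable host addresses in `cidr`.

    Usable addresses exclude the network and broadcast addresses, which is
    exactly what ipaddress.ip_network(...).hosts() yields for IPv4 prefixes
    shorter than /31.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    if count > len(hosts):
        raise ValueError(f"{cidr} has only {len(hosts)} usable addresses")
    return hosts[-count], hosts[-1]

def in_pool(candidate, cidr, count):
    """True if `candidate` would be leased from the last-`count` pool of `cidr`.

    Malformed strings (such as the typo '10..1.5.200') and addresses of the
    other IP version are reported as outside the pool instead of raising, so
    the check can be run over untrusted option text.
    """
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return False
    first, last = last_usable_range(cidr, count)
    if ip.version != first.version:
        return False
    return first <= ip <= last

def check_options(cidr, count, options):
    """Map each option label to whether its address falls inside the pool."""
    return {label: in_pool(addr, cidr, count) for label, addr in options.items()}

# Transcribed from the card: the /23 spans 10.1.4.0 - 10.1.5.255.
SUBNET = "10.1.4.0/23"
POOL_SIZE = 100
OPTIONS = {
    "A": "210.1.55.200",
    "B": "10.1.4.254",
    "C": "10.1.5.200",
    "D": "10.1.4.156",
}

if __name__ == "__main__":
    first, last = last_usable_range(SUBNET, POOL_SIZE)
    print(f"pool: {first} - {last}")
    for label, ok in check_options(SUBNET, POOL_SIZE, OPTIONS).items():
        print(label, OPTIONS[label], "leased" if ok else "outside pool")
```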

166
Q

What is the known plaintext attack used against DES which gives the result that encrypting plaintext with
one DES key followed by encrypting it with a second DES key is no more secure than using a single key?
A. Man-in-the-middle attack
B. Meet-in-the-middle attack
C. Replay attack
D. Traffic analysis attack

A

Answer: B
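
The attack behind question 166, as an added example that is not part of the flashcard set: a meet-in-the-middle against double encryption. DES itself would need a full DES implementation, so this uses a constructed 16-bit toy block cipher with a 16-bit key as the stand-in; the structure of the attack is identical. Double encryption nominally has a 32-bit key, but with one known plaintext/ciphertext pair the attacker tabulates E_k1(p) for every k1, then computes D_k2(c) for every k2 and looks for a match, which costs about 2 * 2^16 cipher operations instead of 2^32. Names such as toy_encrypt and meet_in_the_middle are this example's own.

```python
KEY_BITS = 16
MASK = (1 << KEY_BITS) - 1

def _rotl(x, r):
    return ((x << r) | (x >> (KEY_BITS - r))) & MASK

def _rotr(x, r):
    return ((x >> r) | (x << (KEY_BITS - r))) & MASK

def toy_encrypt(p, k):
    """Constructed 16-bit block cipher, 16-bit key: add key, key-dependent
    rotate, xor key. A bijection on 16-bit blocks, deliberately tiny."""
    r = k & 15
    return _rotl((p + k) & MASK, r) ^ k

def toy_decrypt(c, k):
    r = k & 15
    return (_rotr(c ^ k, r) - k) & MASK

def double_encrypt(p, k1, k2):
    """'Double toy-DES': encrypt under k1, then under k2 (32 key bits total)."""
    return toy_encrypt(toy_encrypt(p, k1), k2)

def meet_in_the_middle(pairs):
    """Recover candidate (k1, k2) from known (plaintext, ciphertext) pairs.

    Forward pass: E_k1(p0) for every k1 -> table keyed by the middle value.
    Backward pass: D_k2(c0) for every k2 -> look the middle value up.
    Any further pairs are used only to discard chance collisions on pair 0.
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(p0, k1), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):
        mid = toy_decrypt(c0, k2)
        for k1 in table.get(mid, ()):
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                found.append((k1, k2))
    return found

def work_factors():
    """(brute-force operations, meet-in-the-middle operations) for KEY_BITS."""
    return 1 << (2 * KEY_BITS), 2 * (1 << KEY_BITS)

if __name__ == "__main__":
    k1, k2 = 0x1234, 0xBEEF          # the unknown key pair, for the demo
    pairs = [(p, double_encrypt(p, k1, k2)) for p in (0x0000, 0x5A5A, 0xC3C3)]
    print("candidates:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
    print("brute force vs meet-in-the-middle:", work_factors())
```

The same trade (time for memory) is why double DES is rated at roughly 2^57 rather than 2^112, and why Triple DES uses three encryptions.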

167
Q

Why would you consider sending an email to an address that you know does not exist within the company
you are performing a Penetration Test for?
A. To determine who is the holder of the root account
B. To perform a DoS
C. To create needless SPAM
D. To elicit a response back that will reveal information about email servers and how they treat
undeliverable mail
E. To test for virus protection

A

Answer: D

168
Q

Within the context of Computer Security, which of the following statements describes Social Engineering
best?
A. Social Engineering is the act of publicly disclosing information
B. Social Engineering is the means put in place by human resource to perform time accounting
C. Social Engineering is the act of getting needed information from a person rather than breaking into a
system
D. Social Engineering is a training program within sociology studies

A

Answer: C

169
Q

You are programming a buffer overflow exploit and you want to create a NOP sled of 200 bytes in the program exploit.c

What is the hexadecimal value of NOP instruction?
A. 0x60
B. 0x80
C. 0x70
D. 0x90
A

Answer: D

170
Q

Which of the following statements is FALSE with respect to Intrusion Detection Systems?
A. Intrusion Detection Systems can be configured to distinguish specific content in network packets
B. Intrusion Detection Systems can easily distinguish a malicious payload in an encrypted traffic
C. Intrusion Detection Systems require constant update of the signature library
D. Intrusion Detection Systems can examine the contents of the data in the context of the network protocol

A

Answer: B

171
Q

MX record priority increases as the number increases. (True/False.)
A. True
B. False

A

Answer: B

172
Q

What is GINA?
A. Gateway Interface Network Application
B. GUI Installed Network Application CLASS
C. Global Internet National Authority (G-USA)
D. Graphical Identification and Authentication DLL

A

Answer: D

173
Q
Which of the following Linux commands will resolve a domain name into an IP address?
A. >host -t AXFR hackeddomain.com
B. >host -t a hackeddomain.com
C. >host -t soa hackeddomain.com
D. >host -t ns hackeddomain.com
A

Answer: B

174
Q
Which of the following tools are used for enumeration? (Choose three.)
A. SolarWinds
B. USER2SID
C. Cheops
D. SID2USER
E. DumpSec
A

Answer: B D E

175
Q

What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?
A. Copy the system files from a known good system
B. Perform a trap and trace
C. Delete the files and try to determine the source
D. Reload from a previous backup
E. Reload from known good media

A

Answer: E

176
Q

An LDAP directory can be used to store information similar to a SQL database. LDAP uses a _____ database
structure instead of SQL’s _____ structure. Because of this, LDAP has difficulty representing many-to-one
relationships.
A. Relational, Hierarchical
B. Strict, Abstract
C. Hierarchical, Relational
D. Simple, Complex

A

Answer: C

177
Q

Joseph was the Web site administrator for Mason Insurance in New York, whose main Web site was
located at www.masonins.com. Joseph uses his laptop computer regularly to administer the Web site. One
night, Joseph received an urgent phone call from his friend, Smith. According to Smith, the main Mason
Insurance web site had been vandalized! All of its normal content was removed and replaced with an
attacker’s message ‘‘Hacker Message: You are dead! Freaks!” From his office, which was directly
connected to Mason Insurance’s internal network, Joseph surfed to the Web site using his laptop. In his
browser, the Web site looked completely intact.
No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the problem. The
Web site appeared defaced when his friend visited using his DSL connection. So, while Smith and his friend
could see the defaced page, Joseph saw the intact Mason Insurance web site. To help make sense of this
problem, Joseph decided to access the Web site using his dial-up ISP. He disconnected his laptop from the
corporate internal network and used his modem to dial up the same ISP used by Smith. After his modem
connected, he quickly typed www.masonins.com in his browser to reveal the following web page:

After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network,
and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the entire Web
site, and determined that every system file and all the Web content on the server were intact. How did the
attacker accomplish this hack?
A. ARP spoofing
B. SQL injection
C. DNS poisoning
D. Routing table injection

A

Answer: C

178
Q

Bob is going to perform an active session hijack against Brownies Inc. He has found a target that allows
session oriented connections (Telnet) and performs the sequence prediction on the target operating system.
He manages to find an active session due to the high level of traffic on the network. What is Bob supposed
to do next?
A. Take over the session
B. Reverse sequence prediction
C. Guess the sequence numbers
D. Take one of the parties offline

A

Answer: C

179
Q
What hacking attack is challenge/response authentication used to prevent?
A. Replay attacks
B. Scanning attacks
C. Session hijacking attacks
D. Password cracking attacks
A

Answer: A

180
Q
Which of the following algorithms can be used to guarantee the integrity of messages being sent, in transit,
or stored?
A. symmetric algorithms
B. asymmetric algorithms
C. hashing algorithms
D. integrity algorithms
A

Answer: C

181
Q

An attacker runs netcat tool to transfer a secret file between two hosts.

He is worried about information being sniffed on the network.
How would the attacker use netcat to encrypt the information before transmitting onto the wire?
A. Machine A: netcat -l -p -s password 1234 < testfile; Machine B: netcat 1234
B. Machine A: netcat -l -e magickey -p 1234 < testfile; Machine B: netcat 1234
C. Machine A: netcat -l -p 1234 < testfile -pw password; Machine B: netcat 1234 -pw password
D. Use cryptcat instead of netcat
D. Use cryptcat instead of netcat

A

Answer: D

182
Q

Which of the following statements about a zone transfer is correct? (Choose three.)
A. A zone transfer is accomplished with the DNS
B. A zone transfer is accomplished with the nslookup service
C. A zone transfer passes all zone information that a DNS server maintains
D. A zone transfer passes all zone information that a nslookup server maintains
E. A zone transfer can be prevented by blocking all inbound TCP port 53 connections
F. Zone transfers cannot occur on the Internet

A

Answer: A C E

183
Q

In Trojan terminology, what is a covert channel?
A. A channel that transfers information within a computer system or network in a way that violates the
security policy
B. A legitimate communication path within a computer system or network for transfer of data
C. It is a kernel operation that hides boot processes and services to mask detection
D. It is Reverse tunneling technique that uses HTTPS protocol instead of HTTP protocol to establish
connections

A

Answer: A

184
Q

What does the following command in netcat do? nc -l -u -p55555 < /etc/passwd
A. logs the incoming connections to /etc/passwd file
B. loads the /etc/passwd file to the UDP port 55555
C. grabs the /etc/passwd file when connected to UDP port 55555
D. deletes the /etc/passwd file when connected to the UDP port 55555

A

Answer: C

185
Q

You are attempting to crack LAN Manager (LM) hashes from a Windows 2000 SAM file using an LM brute-force
tool. Which encryption algorithm underlies the hashes you are attacking?
A. MD4
B. DES
C. SHA
D. SSL

A

Answer: B

186
Q

Which type of sniffing technique is generally referred to as a MiTM attack?

A. Password Sniffing
B. ARP Poisoning
C. Mac Flooding
D. DHCP Sniffing

A

Answer: B

187
Q

What is a NULL scan?
A. A scan in which all flags are turned off
B. A scan in which certain flags are off
C. A scan in which all flags are on
D. A scan in which the packet size is set to zero
E. A scan with an illegal packet size

A

Answer: A

188
Q
Which of the following LM hashes represent a password of less than 8 characters? (Choose two.)
A. BA810DBA98995F1817306D272A9441BB
B. 44EFCE164AB921CQAAD3B435B51404EE
C. 0182BD0BD4444BF836077A718CCDF409
D. CEC52EB9C8E3455DC2265B23734E0DAC
E. B757BF5C0D87772FAAD3B435B51404EE
F. E52CAC67419A9A224A3B108F3FA6CB6D
A

Answer: B E

189
Q

Which of the following is the primary objective of a rootkit?
A. It opens a port to provide an unauthorized service
B. It creates a buffer overflow
C. It replaces legitimate programs
D. It provides an undocumented opening in a program

A

Answer: C

190
Q

To reach a bank web site, the traffic from workstations must pass through a firewall. You have been asked
to review the firewall configuration to ensure that workstations in network 10.10.10.0/24 can only reach the
bank web site 10.20.20.1 using https. Which of the following firewall rules meets this requirement?
A. if (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 443) then permit
B. if (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 80 or 443) then
permit
C. if (source matches 10.10.10.0 and destination matches 10.20.20.1 and port matches 443) then permit
D. if (source matches 10.20.20.1 and destination matches 10.10.10.0/24and port matches 443) then permit

A

Answer: A
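
Why A is the only option that meets the requirement in question 190, shown as an added example (not part of the flashcard set): the four options are transcribed into a minimal first-match rule evaluator with an implicit deny and run against constructed test flows. The point worth seeing is option C: a destination or source written as a bare address without a prefix length is a single host (/32), so "10.10.10.0" matches only that one address and not the workstation subnet. Rule, evaluate and the FLOWS table are this example's own names.

```python
import ipaddress

class Rule:
    """One permit/deny rule: source prefix, destination prefix, allowed ports."""
    def __init__(self, source, destination, ports, action="permit"):
        # A bare address such as "10.10.10.0" becomes a /32: one host, not a subnet.
        self.source = ipaddress.ip_network(source, strict=False)
        self.destination = ipaddress.ip_network(destination, strict=False)
        self.ports = set(ports)
        self.action = action

    def matches(self, src_ip, dst_ip, dport):
        return (ipaddress.ip_address(src_ip) in self.source
                and ipaddress.ip_address(dst_ip) in self.destination
                and dport in self.ports)

def evaluate(rules, src_ip, dst_ip, dport):
    """First match wins; anything not explicitly permitted is denied."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"

# The four answer options, transcribed as rule sets.
OPTION_A = [Rule("10.10.10.0/24", "10.20.20.1", [443])]
OPTION_B = [Rule("10.10.10.0/24", "10.20.20.1", [80, 443])]
OPTION_C = [Rule("10.10.10.0", "10.20.20.1", [443])]      # prefix length missing
OPTION_D = [Rule("10.20.20.1", "10.10.10.0/24", [443])]   # direction reversed

# Constructed test traffic: workstations talking to the bank site.
FLOWS = [
    ("10.10.10.5", "10.20.20.1", 443),   # HTTPS from the subnet: must be permitted
    ("10.10.10.5", "10.20.20.1", 80),    # plaintext HTTP: must be denied
    ("10.10.11.5", "10.20.20.1", 443),   # other subnet: must be denied
    ("10.10.10.0", "10.20.20.1", 443),   # the single host option C still allows
]

def verdicts(rules):
    return [evaluate(rules, *flow) for flow in FLOWS]

if __name__ == "__main__":
    for name, rules in (("A", OPTION_A), ("B", OPTION_B), ("C", OPTION_C), ("D", OPTION_D)):
        print(name, verdicts(rules))
```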

191
Q

Susan has attached to her company’s network. She has managed to synchronize her boss’s sessions with
that of the file server. She then intercepted his traffic destined for the server, changed it the way she wanted
to and then placed it on the server in his home directory.
What kind of attack is Susan carrying out?
A. A sniffing attack
B. A spoofing attack
C. A man in the middle attack
D. A denial of service attack

A

Answer: C

192
Q

Elliot is in the process of exploiting a web application that uses SQL as a back-end database. He’s
determined that the application is vulnerable to SQL injection, and has introduced conditional timing delays
into injected queries to determine whether they are successful. What type of SQL injection is Elliot most
likely performing?
A. Error-based SQL injection
B. Blind SQL injection
C. Union-based SQL injection
D. NoSQL injection

A

Answer: B

193
Q
Which DNS resource record can indicate how long any "DNS poisoning" could last?
A. MX
B. SOA
C. NS
D. TIMEOUT
A

Answer: B

194
Q

OpenSSL on Linux servers includes a command line tool for testing TLS. What is the name of the tool and the correct syntax to connect to a web server?
A. openssl s_client -site www.website.com:443
B. openssl_client -site www.website.com:443
C. openssl s_client -connect www.website.com:443
D. openssl_client -connect www.website.com:443

A

Answer: C

195
Q

The following is an entry captured by a network IDS. You are assigned the task of analyzing this entry. You
notice the value 0x90, which is the most common NOOP instruction for the Intel processor. You figure that
the attacker is attempting a buffer overflow attack.
You also notice “/bin/sh” in the ASCII part of the output. As an analyst what would you conclude about the
attack?

A. The buffer overflow attack has been neutralized by the IDS
B. The attacker is creating a directory on the compromised machine
C. The attacker is attempting a buffer overflow attack and has succeeded
D. The attacker is attempting an exploit that launches a command-line shell

A

Answer: D

196
Q

What did the following commands determine?

A. That the Joe account has a SID of 500
B. These commands demonstrate that the guest account has NOT been disabled
C. These commands demonstrate that the guest account has been disabled
D. That the true administrator is Joe
E. Issued alone, these commands prove nothing

A

Answer: D

197
Q

You are performing a penetration test for a client and have gained shell access to a Windows machine on
the internal network. You intend to retrieve all DNS records for the internal domain, if the DNS server is at
192.168.10.2 and the domain name is abccorp.local, what command would you type at the nslookup
prompt to attempt a zone transfer?
A. list server=192.168.10.2 type=all
B. ls -d abccorp.local
C. lserver 192.168.10.2 -t all
D. List domain=Abccorp.local type=zone

A

Answer: B

198
Q
_____ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept
keystrokes.
A. Trojan
B. RootKit
C. DoS tool
D. Scanner
E. Backdoor
A

Answer: B

199
Q

Which definition among those given below best describes a covert channel?
A. A server program using a port that is not well known.
B. Making use of a protocol in a way it is not intended to be used.
C. It is the multiplexing taking place on a communication link.
D. It is one of the weak channels used by WEP which makes it insecure

A

Answer: B

200
Q

Study the snort rule given below and interpret the rule. alert tcp any any -> 192.168.1.0/24 111
(content:"|00 01 86 a5|"; msg:"mountd access";)
A. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and
destined to any IP on port 111
B. An alert is generated when any packet other than a TCP packet is seen on the network and destined for
the 192.168.1.0 subnet
C. An alert is generated when a TCP packet is originated from port 111 of any IP address to the
192.168.1.0 subnet
D. An alert is generated when a TCP packet originating from any IP address is seen on the network and
destined for any IP address on the 192.168.1.0 subnet on port 111

A

Answer: D
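
The rule from question 200 run against sample traffic, as an added example that is not part of the flashcard set. The code parses the rule header (action, protocol, source, source port, direction, destination, destination port) and the two options the card uses, then evaluates it over constructed packets; the content bytes 00 01 86 a5 are 100005, the RPC program number of mountd, which is why the card labels it "mountd access". The second packet is the reply direction (source 192.168.1.x, port 111) and does not fire, which is the difference between options C and D. This is a deliberately small matcher, not Snort's engine; parse_rule, matches and PACKETS are this example's names.

```python
import ipaddress
import re

RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'

def _net(token):
    return None if token == "any" else ipaddress.ip_network(token, strict=False)

def _port(token):
    return None if token == "any" else int(token)

def parse_rule(text):
    """Parse the header plus the quoted options handled here (content, msg).
    A |..| content is hex bytes; anything else is a literal string."""
    header, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    if direction != "->":
        raise ValueError("only unidirectional rules are handled in this example")
    opts = dict(re.findall(r'(\w+)\s*:\s*"([^"]*)"\s*;', body))
    content = opts.get("content", "")
    hexpart = re.fullmatch(r"\|([0-9a-fA-F ]+)\|", content)
    pattern = bytes.fromhex(hexpart.group(1)) if hexpart else content.encode()
    return {"action": action, "proto": proto,
            "src": _net(src), "sport": _port(sport),
            "dst": _net(dst), "dport": _port(dport),
            "content": pattern, "msg": opts.get("msg", "")}

def matches(rule, pkt):
    """pkt: dict(proto, src, sport, dst, dport, payload). 'any' is None in the rule."""
    if pkt["proto"] != rule["proto"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["sport"] is not None and pkt["sport"] != rule["sport"]:
        return False
    if rule["dport"] is not None and pkt["dport"] != rule["dport"]:
        return False
    return rule["content"] in pkt["payload"]

def run(rule_text, packets):
    """Return (src, dst, dport, msg) for every packet the rule alerts on."""
    rule = parse_rule(rule_text)
    return [(p["src"], p["dst"], p["dport"], rule["msg"]) for p in packets if matches(rule, p)]

# Constructed packets. 0x000186a5 == 100005, the RPC program number of mountd.
MOUNTD = b"\x00\x01\x86\xa5"
PACKETS = [
    dict(proto="tcp", src="10.0.0.5", sport=40000, dst="192.168.1.20", dport=111,
         payload=b"\x80\x00\x00\x28" + MOUNTD + b"\x00\x00\x00\x01"),   # inbound: alerts
    dict(proto="tcp", src="192.168.1.20", sport=111, dst="10.0.0.5", dport=40000,
         payload=MOUNTD),                                               # reply direction: no
    dict(proto="udp", src="10.0.0.5", sport=40000, dst="192.168.1.20", dport=111,
         payload=MOUNTD),                                               # wrong protocol: no
    dict(proto="tcp", src="10.0.0.5", sport=40000, dst="192.168.1.20", dport=111,
         payload=b"\x00\x01\x86\xa0"),                                  # other program: no
]

if __name__ == "__main__":
    for hit in run(RULE, PACKETS):
        print("ALERT", hit)
```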

201
Q

While scanning with Nmap, Patin found several hosts which have IP IDs in an incremental sequence. He
then decided to run: nmap -Pn -p- -sI kiosk.adobe.com www.riaa.com. kiosk.adobe.com is the host
with the incremental IP ID sequence. What is the purpose of using “-sI” with Nmap?
A. Conduct stealth scan
B. Conduct ICMP scan
C. Conduct IDLE scan
D. Conduct silent scan

A

Answer: C
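
How the idle scan in question 201 infers port state without ever sending its own address to the target, as an added simulation that is not part of the flashcard set. The zombie is a host with a globally incrementing IP ID; the attacker probes it with a SYN/ACK (it answers RST, so the counter moves by one), sends a SYN to the target with the zombie's address spoofed as source, then probes the zombie again. An open target port sends SYN/ACK to the zombie, which answers RST and burns another IP ID (delta 2); a closed port sends RST, which the zombie ignores (delta 1); a filtered port sends nothing (also delta 1), which is why nmap reports those as closed|filtered. Zombie, Target and idle_scan are this example's own names.

```python
class Zombie:
    """Idle host whose IP ID increments on every datagram it sends."""
    def __init__(self, ipid=4096):
        self.ipid = ipid

    def _send(self):
        self.ipid += 1
        return self.ipid

    def receive(self, flags):
        # Unsolicited SYN/ACK: reply RST (a datagram goes out, IP ID advances).
        # RST: silently dropped, nothing sent, counter unchanged.
        return self._send() if flags == "SYN/ACK" else None


class Target:
    """Scanned host: open port answers SYN with SYN/ACK, closed port with RST,
    filtered port with nothing at all."""
    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_syn(self, port, reply_to):
        if port in self.filtered_ports:
            return
        reply_to.receive("SYN/ACK" if port in self.open_ports else "RST")


def idle_scan(zombie, target, ports):
    """Attacker only ever talks to the zombie directly; the SYN to the target
    carries the zombie's address as its spoofed source."""
    results = {}
    for port in ports:
        before = zombie.receive("SYN/ACK")    # probe 1: current IP ID
        target.receive_syn(port, zombie)      # spoofed SYN; any reply goes to the zombie
        after = zombie.receive("SYN/ACK")     # probe 2: IP ID again
        delta = after - before
        if delta == 2:
            results[port] = "open"
        elif delta == 1:
            results[port] = "closed|filtered"
        else:
            results[port] = "unusable zombie"  # the zombie was not idle after all
    return results


if __name__ == "__main__":
    print(idle_scan(Zombie(), Target({22, 80}, filtered_ports={25}), [22, 25, 80, 8080]))
```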

202
Q
What is the proper response for a NULL scan if the port is open?
A. SYN
B. ACK
C. FIN
D. PSH
E. RST
F. No response
A

Answer: F

203
Q
One of your team members has asked you to analyze the following SOA record. What is the version?
Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400)
A. 200302028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800
A

Answer: A

204
Q
One of your team members has asked you to analyze the following SOA record.
What is the TTL? Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800
2400)
A. 200302028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800
A

Answer: D
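
Parsing the SOA record used in questions 203 and 204, as an added example that is not part of the flashcard set. The five numbers in parentheses are, in RFC 1035 order, SERIAL (the zone "version" asked for in 203), REFRESH, RETRY, EXPIRE and MINIMUM; MINIMUM is the value the card calls the TTL in 204 and, as the bound on how long a cached answer survives, is the reason the SOA is the record consulted in question 193. The parser also accepts a full zone-file line with TTL and class before SOA; parse_soa and serial_date are this example's own names, and the assumption that a 10-digit serial follows the YYYYMMDDnn convention is a common practice, not a requirement.

```python
import re

RECORD = "Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400)"

FIELDS = ("serial", "refresh", "retry", "expire", "minimum")

def parse_soa(record):
    """Parse a presentation-format SOA RR into zone, mname, rname and the five timers.

    Tokens before 'SOA' are: zone [TTL] [class]; after it: MNAME RNAME, then the
    parenthesised numbers. Stray punctuation inside the parentheses is ignored.
    """
    m = re.search(r"\(([^)]*)\)", record)
    if not m:
        raise ValueError("SOA timer tuple in parentheses not found")
    numbers = [int(n) for n in re.findall(r"\d+", m.group(1))]
    if len(numbers) != 5:
        raise ValueError(f"expected 5 numbers in the SOA, found {len(numbers)}")
    head = record[:m.start()].split()
    upper = [t.upper() for t in head]
    if "SOA" not in upper:
        raise ValueError("no SOA token before the timer tuple")
    i = upper.index("SOA")
    if i < 1 or len(head) < i + 3:
        raise ValueError("zone, MNAME and RNAME are required")
    soa = {"zone": head[0], "mname": head[i + 1], "rname": head[i + 2]}
    soa.update(zip(FIELDS, numbers))
    return soa

def serial_date(serial):
    """(YYYY, MM, DD, nn) if the serial follows the YYYYMMDDnn convention, else None.
    The card's 9-digit serial 200302028 does not, so it is reported as None."""
    s = str(serial)
    if len(s) != 10:
        return None
    year, month, day, rev = int(s[:4]), int(s[4:6]), int(s[6:8]), int(s[8:])
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return None
    return year, month, day, rev

def minimum_ttl(soa):
    """Last SOA field: the ceiling on cached (negative) answers, hence on how long
    a poisoned entry derived from this zone's defaults can persist."""
    return soa["minimum"]

if __name__ == "__main__":
    soa = parse_soa(RECORD)
    print("version (serial):", soa["serial"])
    print("TTL (minimum):", minimum_ttl(soa))
    print("serial as date:", serial_date(soa["serial"]))
```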

205
Q

This is an attack that takes advantage of a web site vulnerability in which the site displays content that
includes un-sanitized user-provided data.

What is this attack?
A. Cross-site-scripting attack
B. SQL Injection
C. URL Traversal attack
D. Buffer Overflow attack
A

Answer: A

206
Q
What is the purpose of a DNS AAAA record?
A. Authorization, Authentication and Auditing record
B. Address prefix record
C. Address database record
D. IPv6 address resolution record
A

Answer: D

207
Q
Which of the following are well known password-cracking programs?
A. L0phtcrack
B. NetCat
C. Jack the Ripper
D. Netbus
E. John the Ripper
A

Answer: A E

208
Q

How can you determine if an LM hash you extracted contains a password that is less than 8 characters
long?
A. There is no way to tell because a hash cannot be reversed
B. The right most portion of the hash is always the same
C. The hash always starts with AB923D
D. The left most portion of the hash is always the same
E. A portion of the hash will be all 0’s

A

Answer: B
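
Why the right-hand half of an LM hash gives away a short password (questions 188 and 208), and where DES enters (questions 185 and 222), as an added example that is not part of the flashcard set. LM uppercases the password, pads it with NUL bytes to 14 characters, splits it into two 7-byte halves, expands each half into an 8-byte DES key and encrypts the fixed string KGS!@#$% under each key; the two 8-byte ciphertexts are concatenated. A password of fewer than 8 characters leaves the second half all NUL, so the second DES key is all zero and the second ciphertext is always AAD3B435B51404EE. The code performs the key-schedule part of that pipeline (no DES implementation is needed to see the leak) and classifies the hashes from the card; note that option B as printed contains a non-hex "Q", which the strict parser reports as malformed. Real LM uses the OEM code page, so the latin-1 encoding here is an assumption good for ASCII passwords; lm_key_halves, parse_lm_hash and classify are this example's names.

```python
EMPTY_HALF = "AAD3B435B51404EE"   # DES_k("KGS!@#$%") with k derived from seven NUL bytes

def _des_key(seven):
    """Spread 56 key bits over 8 bytes, 7 bits each, low bit left for parity."""
    bits = int.from_bytes(seven, "big")
    return bytes(((bits >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))

def lm_key_halves(password):
    """The two 8-byte DES keys LM would use for `password`.
    latin-1 stands in for the OEM code page (assumption; fine for ASCII)."""
    raw = password.upper().encode("latin-1")[:14].ljust(14, b"\x00")
    return _des_key(raw[:7]), _des_key(raw[7:])

def parse_lm_hash(h):
    """Split a 32-hex-digit LM hash into its two 8-byte halves, rejecting anything else."""
    h = h.strip().upper()
    if len(h) != 32 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError(f"not a 32-hex-digit LM hash: {h!r}")
    return h[:16], h[16:]

def classify(h):
    """Password-length information leaks straight out of the hash structure."""
    try:
        first, second = parse_lm_hash(h)
    except ValueError:
        return "malformed"
    if first == EMPTY_HALF and second == EMPTY_HALF:
        return "empty password or LM hash not stored"
    if second == EMPTY_HALF:
        return "password shorter than 8 characters"
    return "password of 8 to 14 characters"

def password_under_8(h):
    return classify(h) == "password shorter than 8 characters"

# Transcribed from question 188.
CARD_HASHES = {
    "A": "BA810DBA98995F1817306D272A9441BB",
    "B": "44EFCE164AB921CQAAD3B435B51404EE",
    "C": "0182BD0BD4444BF836077A718CCDF409",
    "D": "CEC52EB9C8E3455DC2265B23734E0DAC",
    "E": "B757BF5C0D87772FAAD3B435B51404EE",
    "F": "E52CAC67419A9A224A3B108F3FA6CB6D",
}

if __name__ == "__main__":
    print("second DES key for 'secret':", lm_key_halves("secret")[1].hex())
    for label, h in CARD_HASHES.items():
        print(label, h, "->", classify(h))
```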

209
Q

In this attack, a victim receives an e-mail claiming to be from PayPal, stating that their account has been disabled
and confirmation is required before reactivation. The attackers then scam the victim to collect not one but two credit
card numbers, an ATM PIN and other personal details. Ignorant users usually fall prey to this scam.
Which of the following statement is incorrect related to this attack?
A. Do not reply to email messages or popup ads asking for personal or financial information
B. Do not trust telephone numbers in e-mails or popup ads
C. Review credit card and bank account statements regularly
D. Antivirus, anti-spyware, and firewall software can very easily detect these type of attacks
E. Do not send credit card numbers, and personal or financial information via e-mail

A

Answer: D

210
Q

Fred is the network administrator for his company. Fred is testing an internal switch.
From an external IP address, Fred wants to try and trick this switch into thinking it already has established a session with his computer. How can Fred accomplish this?
A. Fred can accomplish this by sending an IP packet with the RST/SYN bit and the source address of his
computer.
B. He can send an IP packet with the SYN bit and the source address of his computer.
C. Fred can send an IP packet with the ACK bit set to zero and the source address of the switch.
D. Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.

A

Answer: D

211
Q

When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a
source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then hear
an ACK (acknowledge) of the SYN/ACK before the connection is established. This is referred to as the
“TCP three-way handshake.” While waiting for the ACK to the SYN ACK, a connection queue of finite size
on the destination host keeps track of connections waiting to be completed. This queue typically empties
quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK.
How would an attacker exploit this design by launching TCP SYN attack?
A. Attacker generates TCP SYN packets with random destination addresses towards a victim host
B. Attacker floods TCP SYN packets with random source addresses towards a victim host
C. Attacker generates TCP ACK packets with random source addresses towards a victim host
D. Attacker generates TCP RST packets with random source addresses towards a victim host

A

Answer: B
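
The queue described in question 211 under a SYN flood, as an added simulation that is not part of the flashcard set. The listener keeps a finite table of half-open connections (SYN received, SYN/ACK sent, ACK not yet seen) and drops new SYNs once it is full. Legitimate clients ACK within the same tick; the attacker's SYNs carry random spoofed sources, so their SYN/ACKs go nowhere and the entries sit in the table until the SYN_RECV timeout. With a 75-second timeout and 50 spoofed SYNs per second, a 128-entry backlog is full after three seconds and every later legitimate SYN is dropped. Listener, simulate and the traffic mix are this example's own; the timeout tweak shown in the test is a knob, not a cure, and real stacks answer this with SYN cookies.

```python
import random

class Listener:
    """A listening socket's SYN queue: half-open connections awaiting the final ACK."""
    def __init__(self, backlog, syn_timeout):
        self.backlog = backlog            # maximum number of half-open entries
        self.syn_timeout = syn_timeout    # seconds an entry survives without an ACK
        self.half_open = {}               # (src_ip, src_port) -> time SYN/ACK was sent
        self.established = 0
        self.dropped = 0

    def _expire(self, now):
        for key, sent in list(self.half_open.items()):
            if now - sent >= self.syn_timeout:
                del self.half_open[key]

    def on_syn(self, src, now):
        """True if a SYN/ACK was sent, False if the SYN was dropped (queue full)."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, src, now):
        """Third packet of the handshake: the entry leaves the SYN queue."""
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established += 1
        return True

def spoofed_source(rng):
    """Random source address and port: nobody will ever answer the SYN/ACK."""
    ip = f"{rng.randrange(1, 224)}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}"
    return ip, rng.randrange(1024, 65536)

def simulate(backlog=128, syn_timeout=75, flood_rate=50, seconds=10, seed=1):
    """Per second: `flood_rate` spoofed SYNs, then one legitimate client that ACKs at once."""
    rng = random.Random(seed)
    srv = Listener(backlog, syn_timeout)
    legit_ok = legit_fail = 0
    for now in range(seconds):
        for _ in range(flood_rate):
            srv.on_syn(spoofed_source(rng), now)
        client = ("10.0.0.7", 40000 + now)
        if srv.on_syn(client, now):
            srv.on_ack(client, now)
            legit_ok += 1
        else:
            legit_fail += 1
    return {"half_open": len(srv.half_open), "dropped_syns": srv.dropped,
            "established": srv.established,
            "legit_ok": legit_ok, "legit_fail": legit_fail}

if __name__ == "__main__":
    print("under flood:", simulate())
    print("no flood:   ", simulate(flood_rate=0))
```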

212
Q

Password cracking programs reverse the hashing process to recover passwords. (True/False.)
A. True
B. False

A

Answer: B

213
Q

Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil
Corp’s lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824-861252104-501.
What needs to happen before Matthew has full administrator access?
A. He must perform privilege escalation.
B. He needs to disable antivirus protection.
C. He needs to gain physical access.
D. He already has admin privileges, as shown by the “501” at the end of the SID.

A

Answer: A

214
Q

Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt to use these
tools in his lab and is now ready for real world exploitation. He was able to effectively intercept
communications between the two entities and establish credentials with both sides of the connections. The
two remote ends of the communication never notice that Eric is relaying the information between the two.
What would you call this attack?
A. Interceptor
B. Man-in-the-middle
C. ARP Proxy
D. Poisoning Attack

A

Answer: B

215
Q

In the context of Windows Security, what is a ‘null’ user?
A. A user that has no skills
B. An account that has been suspended by the admin
C. A pseudo account that has no username and password
D. A pseudo account that was created for security administration purpose

A

Answer: C

216
Q

ViruXine.W32 virus hides its presence by changing the underlying executable code.
This Virus code mutates while keeping the original algorithm intact, the code changes itself each time it
runs, but the function of the code (its semantics) will not change at all.

Here is a section of the Virus code:

What is this technique called?
A. Polymorphic Virus
B. Metamorphic Virus
C. Dravidic Virus
D. Stealth Virus
A

Answer: A

217
Q
A zone file consists of which of the following Resource Records (RRs)?
A. DNS, NS, AXFR, and MX records
B. DNS, NS, PTR, and MX records
C. SOA, NS, AXFR, and MX records
D. SOA, NS, A, and MX records
A

Answer: D

218
Q
During an Xmas scan what indicates a port is closed?
A. No return response
B. RST
C. ACK
D. SYN
A

Answer: B

219
Q
Which command can be used to show the current TCP/IP connections?
A. Netsh
B. Netstat
C. Net use connection
D. Net use
A

Answer: B

220
Q

Bob is acknowledged as a hacker of repute and is popular among visitors of “underground” sites.
Bob is willing to share his knowledge with those who are willing to learn, and many have expressed their
interest in learning from him. However, this knowledge has a risk associated with it, as it can be used for
malevolent attacks as well.
In this context, what would be the most effective method to bridge the knowledge gap between the “black”
hats or crackers and the “white” hats or computer security professionals? (Choose the best answer.)
A. Educate everyone with books, articles and training on risk analysis, vulnerabilities and safeguards.
B. Hire more computer security monitoring personnel to monitor computer systems and networks.
C. Make obtaining either a computer security certification or accreditation easier to achieve so more
individuals feel that they are a part of something larger than life.
D. Train more National Guard and reservist in the art of computer security to help out in times of emergency
or crises.

A

Answer: A

221
Q

You are trying to break into a highly classified top-secret mainframe computer with highest security system
in place at Merclyn Barley Bank located in Los Angeles.
You know that conventional hacking doesn’t work in this case, because organizations such as banks are
generally tight and secure when it comes to protecting their systems.
In other words, you are trying to penetrate an otherwise impenetrable system. How would you proceed?
A. Look for “zero-day” exploits at various underground hacker websites in Russia and China and buy the
necessary exploits from these hackers and target the bank’s network
B. Try to hang around the local pubs or restaurants near the bank, get talking to a poorly-paid or disgruntled
employee, and offer them money if they’ll abuse their access privileges by providing you with sensitive
information
C. Launch DDOS attacks against Merclyn Barley Bank’s routers and firewall systems using 100, 000 or
more “zombies” and “bots”
D. Try to conduct Man-in-the-Middle (MiTM) attack and divert the network traffic going to the Merclyn Barley
Bank’s Webserver to that of your machine using DNS Cache Poisoning techniques

A

Answer: B

222
Q
What is the algorithm used by LM for Windows2000 SAM?
A. MD4
B. DES
C. SHA
D. SSL
A

Answer: B

223
Q
Identify the correct terminology that defines the above statement.
A. Vulnerability Scanning
B. Penetration Testing
C. Security Policy Implementation
D. Designing Network Security
A

Answer: B

224
Q

How does a denial-of-service attack work?
A. A hacker prevents a legitimate user (or group of users) from accessing a service
B. A hacker uses every character, word, or letter he or she can think of to defeat authentication
C. A hacker tries to decipher a password by using a system, which subsequently crashes the network
D. A hacker attempts to imitate a legitimate user by confusing a computer or even another person

A

Answer: A

225
Q
Which utility will tell you in real time which ports are listening or in another state?
A. Netstat
B. TCPView
C. Nmap
D. Loki
A

Answer: B

226
Q
Which of the following represents the initial two commands that an IRC client sends to join an IRC network?
A. USER, NICK
B. LOGIN, NICK
C. USER, PASS
D. LOGIN, USER
A

Answer: A

227
Q

A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB
exchanges which carry user logons. The user is plugged into a hub with 23 other systems.
However, he is unable to capture any logons though he knows that other users are logging in. What do you
think is the most likely reason behind this?
A. There is a NIDS present on that segment.
B. Kerberos is preventing it.
C. Windows logons cannot be sniffed.
D. L0phtcrack only sniffs logons to web servers.

A

Answer: B

228
Q

You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering,
you come to know that they are enforcing strong passwords. You understand that all users are required to
use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following
categories: lower case letters, capital letters, numbers and special characters. With your existing
knowledge of users, likely user account names and the possibility that they will choose the easiest
passwords possible, what would be the fastest type of password cracking attack you can run against these
hash values and still get results?

A. Online Attack
B. Dictionary Attack
C. Brute Force Attack
D. Hybrid Attack

A

Answer: D

229
Q

As a security consultant, what are some of the things you would recommend to a company to ensure DNS
security?
A. Use the same machines for DNS and other applications
B. Harden DNS servers
C. Use split-horizon operation for DNS servers
D. Restrict Zone transfers
E. Have subnet diversity between DNS servers

A

Answer: B C D E

230
Q

Every company needs a formal written document which spells out to employees precisely what they are
allowed to use the company’s systems for, what is prohibited, and what will happen to them if they break
the rules. Two printed copies of the policy should be given to every employee as soon as possible after they
join the organization. The employee should be asked to sign one copy, which should be safely filed by the
company. No one should be allowed to use the company’s computer systems until they have signed the
policy in acceptance of its terms.
What is this document called?
A. Information Audit Policy (IAP)
B. Information Security Policy (ISP)
C. Penetration Testing Policy (PTP)
D. Company Compliance Policy (CCP)

A

Answer: B

231
Q

What is the following command used for? net use \\target\ipc$ "" /u:""
A. Grabbing the etc/passwd file
B. Grabbing the SAM
C. Connecting to a Linux computer through Samba.
D. This command is used to connect as a null session
E. Enumeration of Cisco routers

A

Answer: D

232
Q

A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network.
What are some things he can do to prevent it? Select the best answers.
A. Use port security on his switches.
B. Use a tool like ARPwatch to monitor for strange ARP activity.
C. Use a firewall between all LAN segments.
D. If you have a small network, use static ARP entries.
E. Use only static IP addresses on all PC’s.

A

Answer: A B D

233
Q

Jim’s company regularly performs backups of their critical servers. But the company can’t afford to send
backup tapes to an off-site vendor for long term storage and archiving. Instead Jim’s company keeps the
backup tapes in a safe in the office. Jim’s company is audited each year, and the results from this year’s
audit show a risk because backup tapes aren’t stored off-site. The Manager of Information Technology has
a plan to take the backup tapes home with him and wants to know what two things he can do to secure the
backup tapes while in transit?
A. Encrypt the backup tapes and use a courier to transport them.
B. Encrypt the backup tapes and transport them in a lock box
C. Degauss the backup tapes and transport them in a lock box.
D. Hash the backup tapes and transport them in a lock box.

A

Answer: B

234
Q
Peter is surfing the internet looking for information about DX Company. Which hacking process is Peter
doing?
A. Scanning
B. System Hacking
C. Footprinting
D. Enumeration
A

Answer: C

235
Q

Yancey is a network security administrator for a large electric company. This company provides power for
over 100, 000 people in Las Vegas. Yancey has worked for his company for over 15 years and has become
very successful. One day, Yancey comes in to work and finds out that the company will be downsizing and
he will be out of a job in two weeks. Yancey is very angry and decides to place logic bombs, viruses,
Trojans, and backdoors all over the network to take down the company once he has left. Yancey does not
care if his actions land him in jail for 30 or more years, he just wants the company to pay for what they are
doing to him.
What would Yancey be considered?
A. Yancey would be considered a Suicide Hacker
B. Since he does not care about going to jail, he would be considered a Black Hat
C. Because Yancey works for the company currently; he would be a White Hat
D. Yancey is a Hacktivist Hacker since he is standing up to a company that is downsizing

A

Answer: A

236
Q

What kind of detection technique is used in antivirus software that identifies malware by collecting
data from multiple protected systems and, instead of analyzing files locally, performs the analysis in the
vendor’s environment?
A. Cloud based
B. Honeypot based
C. Behaviour based
D. Heuristics based

A

Answer: A

237
Q
Which of the following tools can be used to perform a zone transfer?
A. NSLookup
B. Finger
C. Dig
D. Sam Spade
E. Host
F. Netcat
G. Neotrace
A

Answer: A C D E

238
Q

Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in
place. He also suspects that weak passwords are probably the norm throughout the company he is
evaluating. Bob is familiar with password weaknesses and key loggers.
Which of the following options best represents the means that Bob can adopt to retrieve passwords from his
client’s hosts and servers?
A. Hardware, Software, and Sniffing.
B. Hardware and Software Keyloggers.
C. Passwords are always best obtained using Hardware key loggers.
D. Software only, they are the most effective.

A

Answer: A

239
Q

Take a look at the following attack on a Web Server using an obfuscated URL:

How would you protect from these attacks?
A. Configure the Web Server to deny requests involving “hex encoded” characters
B. Create rules in IDS to alert on strange Unicode requests
C. Use SSL authentication on Web Servers
D. Enable Active Scripts Detection at the firewall and routers

A

Answer: B

240
Q

If a token and 4-digit personal identification number (PIN) are used to access a computer system and the
token performs off-line checking for the correct PIN, what type of attack is possible?
A. Birthday
B. Brute force
C. Man-in-the-middle
D. Smurf

A

Answer: B

241
Q

You work for Acme Corporation as Sales Manager. The company has tight network security restrictions.
You are trying to steal data from the company’s Sales database (Sales.xls) and transfer them to your home
computer. Your company filters and monitors traffic that leaves from the internal network to the Internet.
How will you achieve this without raising suspicion?
A. Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account
B. Package the Sales.xls using Trojan wrappers and telnet them back to your home computer
C. You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an
innocent looking email or file transfer using Steganography techniques
D. Change the extension of Sales.xls to sales.txt and upload them as attachment to your hotmail account

A

Answer: C

242
Q

You have successfully logged on to a Linux system. You now want to cover your tracks. Your login attempt may
be logged in several files located in /var/log. Which file does NOT belong to the list?
A. user.log
B. auth.fesg
C. wtmp
D. btmp

A

Answer: C

243
Q

Study the snort rule given below:

From the options below, choose the exploit against which this rule applies.
A. WebDav
B. SQL Slammer
C. MS Blaster
D. MyDoom
A

Answer: C

244
Q

John is an incident handler at a financial institution. His steps in a recent incident are not up to the
standards of the company. John frequently forgets some steps and procedures while handling responses
as they are very stressful to perform. Which of the following actions should John take to overcome this
problem with the least administrative effort?
A. Create an incident checklist.
B. Select someone else to check the procedures.
C. Increase his technical skills.
D. Read the incident manual every time it occurs.

A

Answer: C

245
Q

What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stacheldraht have in common?
A. All are hacking tools developed by the Legion of Doom
B. All are tools that can be used not only by hackers, but also security personnel
C. All are DDOS tools
D. All are tools that are only effective against Windows
E. All are tools that are only effective against Linux

A

Answer: C

246
Q
This kind of password cracking method uses word lists in combination with numbers and special
characters:
A. Hybrid
B. Linear
C. Symmetric
D. Brute Force
A

Answer: A

247
Q

E-mail scams and mail fraud are regulated by which of the following?

A. 18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers
B. 18 U.S.C. par. 1029 Fraud and Related activity in connection with Access Devices
C. 18 U.S.C. par. 1362 Communication Lines, Stations, or Systems
D. 18 U.S.C. par. 2510 Wire and Electronic Communications Interception and Interception of Oral
Communication

A

Answer: A

248
Q

Under what conditions does a secondary name server request a zone transfer from a primary name server?
A. When a primary SOA is higher than a secondary SOA
B. When a secondary SOA is higher than a primary SOA
C. When a primary name server has had its service restarted
D. When a secondary name server has had its service restarted
E. When the TTL falls to zero

A

Answer: A

249
Q

Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool “SIDExtractor”. Here
is the output of the SIDs:

From the above list identify the user account with System Administrator privileges.
A. John
B. Rebecca
C. Sheela
D. Shawn
E. Somia
F. Chang
G. Micah
A

Answer: F

250
Q

The tools which receive event logs from servers, network equipment, and applications, perform analysis
and correlation on those logs, and can generate alarms for security-relevant issues, are known as what?
A. network Sniffer
B. Vulnerability Scanner
C. Intrusion prevention Server
D. Security incident and event Monitoring

A

Answer: D

251
Q

Let’s imagine three companies (A, B and C), all competing in a challenging global environment. Companies A
and B are working together in developing a product that will generate a major competitive advantage for
them. Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing.
With a spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails from
company B. How do you prevent DNS spoofing?
A. Install DNS logger and track vulnerable packets
B. Disable DNS timeouts
C. Install DNS Anti-spoofing
D. Disable DNS Zone Transfer

A

Answer: C

252
Q

Switches maintain a CAM table that maps individual MAC addresses on the network to physical ports on
the switch.
In a MAC flooding attack, the attacker feeds a switch many Ethernet frames, each containing a different source
MAC address. Switches have a limited memory for mapping MAC addresses to physical ports. What happens
when the CAM table becomes full?
A. Switch then acts as hub by broadcasting packets to all machines on the network
B. The CAM overflow table will cause the switch to crash causing Denial of Service
C. The switch replaces outgoing frame switch factory default MAC address of FF:FF:FF:FF:FF:FF
D. Every packet is dropped and the switch sends out SNMP alerts to the IDS port

A

Answer: A

253
Q
What tool can crack Windows SMB passwords simply by listening to network traffic?
A. This is not possible
B. Netbus
C. NTFSDOS
D. L0phtcrack
A

Answer: D

254
Q

Tess King is using the nslookup command to craft queries to list all DNS information (such as Name
Servers, host names, MX records, CNAME records, glue records (delegation for child Domains), zone
serial number, TimeToLive (TTL) records, etc) for a Domain.
What do you think Tess King is trying to accomplish? Select the best answer.

A. A zone harvesting
B. A zone transfer
C. A zone update
D. A zone estimate

A

Answer: B

255
Q

Tremp is an IT Security Manager, and he is planning to deploy an IDS in his small company. He is looking
for an IDS with the following characteristics:
- Verifies success or failure of an attack
- Monitors system activities
- Detects attacks that a network-based IDS fails to detect
- Near real-time detection and response
- Does not require additional hardware
- Lower entry cost
Which type of IDS is best suited for Tremp’s requirements?
A. Gateway-based IDS
B. Network-based IDS
C. Host-based IDS
D. Open source-based

A

Answer: C

256
Q

You receive an e-mail like the one shown below. When you click on the link contained in the mail, you are
redirected to a website asking you to download free Anti-Virus software.
Dear valued customers,
We are pleased to announce the newest version of Antivirus 2010 for Windows which will provide you with
total security against the latest spyware, malware, viruses, Trojans and other online threats. Simply visit the
link below and enter your antivirus code:

or you may contact us at the following address: Media Internet Consultants, Edif. Neptuno, Planta
Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a Panama
How will you determine if this is a Real Anti-Virus or Fake Anti-Virus website?
A. Look at the website design, if it looks professional then it is a Real Anti-Virus website
B. Connect to the site using SSL, if you are successful then the website is genuine
C. Search using the URL and Anti-Virus product name into Google and lookout for suspicious warnings
against this site
D. Download and install Anti-Virus software from this suspicious looking site, your Windows 7 will prompt
you and stop the installation if the downloaded file is a malware

A

Answer: C

257
Q

While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25.
You would like to block this, though you do not see any evidence of an attack or other wrongdoing.
However, you are concerned about affecting the normal functionality of the email server. From the following
options, choose how best you can achieve this objective.
A. Block port 25 at the firewall.
B. Shut off the SMTP service on the server.
C. Force all connections to use a username and password.
D. Switch from Windows Exchange to UNIX Sendmail.
E. None of the above.

A

Answer: E

258
Q

You went to great lengths to install all the necessary technologies to prevent hacking attacks, such as
expensive firewalls, antivirus software, anti-spam systems and intrusion detection/prevention tools in your
company’s network. You have configured the most secure policies and tightened every device on your
network. You are confident that hackers will never be able to gain access to your network with such a complex
security system in place.

Your peer, Peter Smith, who works in the same department, disagrees with you.
He says even the best network security technologies cannot prevent hackers gaining access to the network
because of the presence of a “weakest link” in the security chain.
What is Peter Smith talking about?
A. Untrained staff or ignorant computer users who inadvertently become the weakest link in your security
chain
B. “zero-day” exploits are the weakest link in the security chain since the IDS will not be able to detect these
attacks
C. “Polymorphic viruses” are the weakest link in the security chain since the Anti-Virus scanners will not be
able to detect these attacks
D. Continuous Spam e-mails cannot be blocked by your security system since spammers use different
techniques to bypass the filters in your gateway

A

Answer: A

259
Q
What is the proper response for a NULL scan if the port is closed?
A. SYN
B. ACK
C. FIN
D. PSH
E. RST
F. No response
A

Answer: E

260
Q

Windows LAN Manager (LM) hashes are known to be weak.
Which of the following are known weaknesses of LM? (Choose three.)
A. Converts passwords to uppercase.
B. Hashes are sent in clear text over the network.
C. Makes use of only 32-bit encryption.
D. Effective length is 7 characters.

A

Answer: A B D