fc_three Flashcards
(260 cards)
1
Q
Sophia travels a lot and worries that her laptop containing confidential documents might be stolen. What is
the best protection that will work for her?
A. Password protected files
B. Hidden folders
C. BIOS password
D. Full disk encryption.
A
Answer: D
2
Q
A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should
he do?
A. Ignore it.
B. Try to sell the information to a well-paying party on the dark web.
C. Notify the web site owner so that corrective action be taken as soon as possible to patch the
vulnerability.
D. Exploit the vulnerability without harming the web site owner so that attention be drawn to the problem.
A
Answer: C
3
Q
What two conditions must a digital signature meet?
A. Has to be unforgeable, and has to be authentic.
B. Has to be legible and neat.
C. Must be unique and have special characters.
D. Has to be the same number of characters as a physical signature and must be unique.
A
Answer: A
4
Q
A hacker has managed to gain access to a Linux host and stolen the password file from /etc/passwd. How
can he use it?
A. The password file does not contain the passwords themselves.
B. He can open it and read the user ids and corresponding passwords.
C. The file reveals the passwords to the root user only.
D. He cannot read it because it is encrypted.
A
Answer: A
5
Q
Which Intrusion Detection System is best applicable for large environments where critical assets on the
network need extra security and is ideal for observing sensitive network segments?
A. Network-based intrusion detection system (NIDS)
B. Host-based intrusion detection system (HIDS)
C. Firewalls
D. Honeypots
A
Answer: A
6
Q
A company’s Web development team has become aware of a certain type of security vulnerability in their
Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the
software requirements to disallow users from entering HTML as input into their Web application.
What kind of Web application vulnerability likely exists in their software?
A. Cross-site scripting vulnerability
B. Cross-site Request Forgery vulnerability
C. SQL injection vulnerability
D. Web site defacement vulnerability
A
Answer: A
7
Q
Bob learned that his username and password for a popular game has been compromised. He contacts the
company and resets all the information. The company suggests he use two-factor authentication, which
option below offers that?
A. A new username and password
B. A fingerprint scanner and his username and password.
C. Disable his username and use just a fingerprint scanner.
D. His username and a stronger password.
A
Answer: B
8
Q
A network administrator discovers several unknown files in the root directory of his Linux FTP server. One
of the files is a tarball, two are shell script files, and the third is a binary file is named “nc.” The FTP server’s
access logs show that the anonymous user account logged in to the server, uploaded the files, and
extracted the contents of the tarball and ran the script using a function provided by the FTP server’s
software. The ps command shows that the nc file is running as process, and the netstat command shows
the nc process is listening on a network port.
What kind of vulnerability must be present to make this remote attack possible?
A. File system permissions
B. Privilege escalation
C. Directory traversal
D. Brute force login
A
Answer: A
9
Q
Which of the following incident handling process phases is responsible for defining rules, collaborating
human workforce, creating a back-up plan, and testing the plans for an organization?
A. Preparation phase
B. Containment phase
C. Identification phase
D. Recovery phase
A
Answer: A
10
Q
An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and
Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible
breach of security. When the investigator attempts to correlate the information in all of the logs, the
sequence of many of the logged events do not match up.
What is the most likely cause?
A. The network devices are not all synchronized.
B. Proper chain of custody was not observed while collecting the logs.
C. The attacker altered or erased events from the logs.
D. The security breach was a false positive.
A
Answer: A
11
Q
What is correct about digital signatures?
A. A digital signature cannot be moved from one signed document to another because it is the hash of the
original document encrypted with the private key of the signing party.
B. Digital signatures may be used in different documents of the same type.
C. A digital signature cannot be moved from one signed document to another because it is a plain hash of
the document content.
D. Digital signatures are issued once for each user and can be used everywhere until they expire.
A
Answer: A
12
Q
Look at the following output. What did the hacker accomplish?
A. The hacker used whois to gather publicly available records for the domain.
B. The hacker used the “fierce” tool to brute force the list of available domains.
C. The hacker listed DNS records on his own domain.
D. The hacker successfully transferred the zone and enumerated the hosts.
A
Answer: D
13
Q
If executives are found liable for not properly protecting their company’s assets and information systems,
what type of law would apply in this situation?
A. Civil
B. International
C. Criminal
D. Common
A
Answer: A
14
Q
Which of the following is considered an exploit framework and has the ability to perform automated attacks
on services, ports, applications and unpatched security flaws in a computer system?
A. Wireshark
B. Maltego
C. Metasploit
D. Nessus
A
Answer: C
15
Q
What network security concept requires multiple layers of security controls to be placed throughout an IT
infrastructure, which improves the security posture of an organization to defend against malicious attacks or
potential vulnerabilities?
A. Security through obscurity
B. Host-Based Intrusion Detection System
C. Defense in depth
D. Network-Based Intrusion Detection System
A
Answer: C
16
Q
Which of the following tools can be used for passive OS fingerprinting? A. tcpdump B. nmap C. ping D. tracert
A
Answer: A
17
Q
Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close. What just happened? A. Phishing B. Whaling C. Tailgating D. Masquerading
A
Answer: C
18
Q
What is the correct process for the TCP three-way handshake connection establishment and connection
termination?
A. Connection Establishment: FIN, ACK-FIN, ACKConnection Termination: SYN, SYN-ACK, ACK
B. Connection Establishment: SYN, SYN-ACK, ACKConnection Termination: ACK, ACK-SYN, SYN
C. Connection Establishment: ACK, ACK-SYN, SYNConnection Termination: FIN, ACK-FIN, ACK
D. Connection Establishment: SYN, SYN-ACK, ACKConnection Termination: FIN, ACK-FIN, ACK
A
Answer: D
19
Q
What is not a PCI compliance recommendation?
A. Limit access to card holder data to as few individuals as possible.
B. Use encryption to protect all transmission of card holder data over any public network.
C. Rotate employees handling credit card transactions on a yearly basis to different departments.
D. Use a firewall between the public network and the payment card data.
A
Answer: C
20
Q
Websites and web portals that provide web services commonly use the Simple Object Access Protocol
SOAP. Which of the following is an incorrect definition or characteristics in the protocol?
A. Based on XML
B. Provides a structured model for messaging
C. Exchanges data between web services
D. Only compatible with the application protocol HTTP
A
Answer: D
21
Q
Which of the following statements regarding ethical hacking is incorrect?
A. Ethical hackers should never use tools or methods that have the potential of exploiting vulnerabilities in
an organization’s systems.
B. Testing should be remotely performed offsite.
C. An organization should use ethical hackers who do not sell vendor hardware/software or other consulting
services.
D. Ethical hacking should not involve writing to or modifying the target systems.
A
Answer: A
22
Q
An IT employee got a call from one of our best customers. The caller wanted to know about the company’s
network infrastructure, systems, and team. New opportunities of integration are in sight for both company
and customer. What should this employee do?
A. Since the company’s policy is all about Customer Service, he/she will provide information.
B. Disregarding the call, the employee should hang up.
C. The employee should not provide any information without previous management authorization.
D. The employees can not provide any information; but, anyway, he/she will provide the name of the person
in charge.
A
Answer: C
23
Q
When purchasing a biometric system, one of the considerations that should be reviewed is the processing
speed. Which of the following best describes what it is meant by processing?
A. The amount of time it takes to convert biometric data into a template on a smart card.
B. The amount of time and resources that are necessary to maintain a biometric system.
C. The amount of time it takes to be either accepted or rejected form when an individual provides
Identification and authentication information.
D. How long it takes to setup individual user accounts.
A
Answer: C
24
Q
What term describes the amount of risk that remains after the vulnerabilities are classified and the countermeasures have been deployed? A. Residual risk B. Inherent risk C. Deferred risk D. Impact risk
A
Answer: A
25
Cryptography is the practice and study of techniques for secure communication in the presence of third
parties (called adversaries.) More generally, it is about constructing and analyzing protocols that overcome
the influence of adversaries and that are related to various aspects in information security such as data
confidentiality, data integrity, authentication, and non-repudiation. Modern cryptography intersects the
disciplines of mathematics, computer science, and electrical engineering. Applications of cryptography
include ATM cards, computer passwords, and electronic commerce.
Basic example to understand how cryptography works is given below:
Which of the following choices is true about cryptography?
A. Algorithm is not the secret, key is the secret.
B. Symmetric-key algorithms are a class of algorithms for cryptography that use the different cryptographic
keys for both encryption of plaintext and decryption of ciphertext.
C. Secure Sockets Layer (SSL) use the asymmetric encryption both (public/private key pair) to deliver the
shared session key and to achieve a communication way.
D. Public-key cryptography, also known as asymmetric cryptography, public key is for decrypt, private key is for encrypt.
Answer: C
26
```
You're doing an internal security audit and you want to find out what ports are open on all the servers. What
is the best way to find out?
A. Scan servers with Nmap
B. Physically go to each server
C. Scan servers with MBSA
D. Telent to every port on each server
```
Answer: A
27
```
You want to do an ICMP scan on a remote computer using hping2. What is the proper syntax?
A. hping2 host.domain.com
B. hping2 --set-ICMP host.domain.com
C. hping2 -i host.domain.com
D. hping2 -1 host.domain.com
```
Answer: D
28
Rebecca commonly sees an error on her Windows system that states that a Data Execution Prevention
(DEP) error has taken place. Which of the following is most likely taking place?
A. A race condition is being exploited, and the operating system is containing the malicious process.
B. A page fault is occurring, which forces the operating system to write data from the hard drive.
C. Malware is executing in either ROM or a cache memory area.
D. Malicious code is attempting to execute instruction in a non-executable memory region.
Answer: D
29
What is the difference between the AES and RSA algorithms?
A. Both are asymmetric algorithms, but RSA uses 1024-bit keys.
B. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to
encrypt data.
C. Both are symmetric algorithms, but AES uses 256-bit keys.
D. AES is asymmetric, which is used to create a public/private key pair; RSA is symmetric, which is used to
encrypt data.
Answer: B
30
Seth is starting a penetration test from inside the network. He hasn't been given any information about the
network. What type of test is he conducting?
A. Internal Whitebox
B. External, Whitebox
C. Internal, Blackbox
D. External, Blackbox
Answer: C
31
```
Which of the following is a protocol specifically designed for transporting event messages?
A. SYSLOG
B. SMS
C. SNMP
D. ICMP
```
Answer: A
32
Which of the following programming languages is most susceptible to buffer overflow attacks, due to its lack
of a built-in-bounds checking mechanism?
```
Output: Segmentation fault
A. C#
B. Python
C. Java
D. C++
```
Answer: D
33
You are the Systems Administrator for a large corporate organization. You need to monitor all network
traffic on your local network for suspicious activities and receive notifications when an attack is occurring.
Which tool would allow you to accomplish this goal?
A. Network-based IDS
B. Firewall
C. Proxy
D. Host-based IDS
Answer: A
34
In order to have an anonymous Internet surf, which of the following is best choice?
A. Use SSL sites when entering personal information
B. Use Tor network with multi-node
C. Use shared WiFi
D. Use public VPN
Answer: B
35
Emil uses nmap to scan two hosts using this command. nmap -sS -T4 -O 192.168.99.1 192.168.99.7
He receives this output:
What is his conclusion?
A. Host 192.168.99.7 is an iPad.
B. He performed a SYN scan and OS scan on hosts 192.168.99.1 and 192.168.99.7.
C. Host 192.168.99.1 is the host that he launched the scan from.
D. Host 192.168.99.7 is down.
Answer: B
36
An attacker gains access to a Web server's database and displays the contents of the table that holds all of
the names, passwords, and other user information. The attacker did this by entering information into the
Web site's user login page that the software's designers did not expect to be entered. This is an example of
what kind of software design problem?
A. Insufficient input validation
B. Insufficient exception handling
C. Insufficient database hardening
D. Insufficient security management
Answer: A
37
Internet Protocol Security IPSec is actually a suite of protocols. Each protocol within the suite provides
different functionality. Collective IPSec does everything except.
A. Protect the payload and the headers
B. Authenticate
C. Encrypt
D. Work at the Data Link Layer
Answer: D
38
```
Which of the following is a passive wireless packet analyzer that works on Linux-based systems?
A. Burp Suite
B. OpenVAS
C. tshark
D. Kismet
```
Answer: D
39
While performing online banking using a Web browser, Kyle receives an email that contains an image of a
well-crafted art. Upon clicking the image, a new tab on the web browser opens and shows an animated GIF
of bills and coins being swallowed by a crocodile. After several days, Kyle noticed that all his funds on the
bank was gone. What Web browser-based security vulnerability got exploited by the hacker?
A. Clickjacking
B. Web Form Input Validation
C. Cross-Site Request Forgery
D. Cross-Site Scripting
Answer: C
40
A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites.
77 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets
had an ICMP ID:0 and Seq:0. What can you infer from this information?
A. The packets were sent by a worm spoofing the IP addresses of 47 infected sites
B. ICMP ID and Seq numbers were most likely set by a tool and not by the operating system
C. All 77 packets came from the same LAN segment and hence had the same ICMP ID and Seq number
D. 13 packets were from an external network and probably behind a NAT, as they had an ICMP ID 0 and
Seq 0
Answer: B
41
One of the Forbes 500 companies has been subjected to a large scale attack. You are one of the shortlisted
pen testers that they may hire. During the interview with the CIO, he emphasized that he wants to totally
eliminate all risks. What is one of the first things you should do when hired?
A. Interview all employees in the company to rule out possible insider threats.
B. Establish attribution to suspected attackers.
C. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable
levels.
D. Start the Wireshark application to start sniffing network traffic.
Answer: C
42
You’ve just discovered a server that is currently active within the same network with the machine you
recently compromised. You ping it but it did not respond. What could be the case?
A. TCP/IP doesn’t support ICMP
B. ARP is disabled on the target server
C. ICMP could be disabled on the target server
D. You need to run the ping command with root privileges
Answer: C
43
In an internal security audit, the white hat hacker gains control over a user account and attempts to acquire
access to another account's confidential files and information. How can he achieve this?
A. Port Scanning
B. Hacking Active Directory
C. Privilege Escalation
D. Shoulder-Surfing
Answer: C
44
You have initiated an active operating system fingerprinting attempt with nmap against a target system:
What operating system is the target host running based on the open ports shown above?
A. Windows XP
B. Windows 98 SE
C. Windows NT4 Server
D. Windows 2000 Server
Answer: D
45
If you are to determine the attack surface of an organization, which of the following is the BEST thing to do?
A. Running a network scan to detect network services in the corporate DMZ
B. Reviewing the need for a security clearance for each employee
C. Using configuration management to determine when and where to apply security patches
D. Training employees on the security policy regarding social engineering
Answer: A
46
A software tester is randomly generating invalid inputs in an attempt to crash the program. Which of the
following is a software testing technique used to determine if a software program properly handles a wide range of invalid input?
A. Mutating
B. Randomizing
C. Fuzzing
D. Bounding
Answer: C
47
The practical realities facing organizations today make risk response strategies essential. Which of the
following is NOT one of the five basic responses to risk?
A. Accept
B. Mitigate
C. Delegate
D. Avoid
Answer: C
48
```
Which among the following is a Windows command that a hacker can use to list all the shares to which the
current user context has access?
A. NET FILE
B. NET USE
C. NET CONFIG
D. NET VIEW
```
Answer: B
49
As an Ethical Hacker you are capturing traffic from your customer network with Wireshark and you need to
find and verify just SMTP traffic. What command in Wireshark will help you to find this kind of traffic?
A. request smtp 25
B. tcp.port eq 25
C. smtp port
D. tcp.contains port 25
Answer: B
50
What tool and process are you going to use in order to remain undetected by an IDS while pivoting and
passing traffic over a server you’ve compromised and gained root access to?
A. Install Cryptcat and encrypt outgoing packets from this server.
B. Use HTTP so that all traffic can be routed via a browser, thus evading the internal Intrusion Detection
Systems.
C. Use Alternate Data Streams to hide the outgoing packets from this server.
Answer: B
51
There are several ways to gain insight on how a cryptosystem works with the goal of reverse engineering
the process. A term describes when two pieces of data result in the same value is?
A. Collision
B. Collusion
C. Polymorphism
D. Escrow
Answer: A
52
A server has been infected by a certain type of Trojan. The hacker intended to utilize it to send and host
junk mails. What type of Trojan did the hacker use?
A. Turtle Trojans
B. Ransomware Trojans
C. Botnet Trojan
D. Banking Trojans
Answer: C
53
The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the
host 10.0.0.3. Also he needs to permit all FTP traffic to the rest of the network and deny all other traffic.
After he applied his ACL configuration in the router nobody can access to the ftp and the permitted hosts
cannot access to the Internet. According to the next configuration what is happening in the network?
A. The ACL 110 needs to be changed to port 80
B. The ACL for FTP must be before the ACL 110
C. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
D. The ACL 104 needs to be first because is UDP
Answer: C
54
Security and privacy of/on information systems are two entities that requires lawful regulations. Which of
the following regulations defines security and privacy controls for Federal information systems and
organizations?
A. NIST SP 800-53
B. PCI-DSS
C. EU Safe Harbor
D. HIPAA
Answer: A
55
First thing you do every office day is to check your email inbox. One morning, you received an email from
your best friend and the subject line is quite strange. What should you do?
A. Delete the email and pretend nothing happened.
B. Forward the message to your supervisor and ask for her opinion on how to handle the situation.
C. Forward the message to your company’s security response team and permanently delete the messagefrom your computer.
D. Reply to the sender and ask them for more information about the message contents.
Answer: C
56
........is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the
premises, but actually has been set up to eavesdrop on wireless communications. It is the wireless version
of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted
hotspot by posing as a legitimate provider. This type of attack may be used to steal the passwords of
unsuspecting users by either snooping the communication link or by phishing, which involves setting up a
fraudulent web site and luring people there.
Fill in the blank with appropriate choice.
A. Collision Attack
B. Evil Twin Attack
C. Sinkhole Attack
D. Signal Jamming Attack
Answer: B
57
```
What is the term coined for logging, recording and resolving events in a company?
A. Internal Procedure
B. Security Policy
C. Incident Management Process
D. Metrics
```
Answer: C
58
```
Which of the following is a wireless network detector that is commonly found on Linux?
A. Kismet
B. Abel
C. Netstumbler
D. Nessus
```
Answer: A
59
```
You want to analyze packets on your wireless network. Which program would you use?
A. Wireshark with Airpcap
B. Airsnort with Airpcap
C. Wireshark with Winpcap
D. Ethereal with Winpcap
```
Answer: A
60
Study the log below and identify the scan type.
A. nmap -sR 192.168.1.10
B. nmap -sS 192.168.1.10
C. nmap -sV 192.168.1.10
D. nmap -sO -T 192.168.1.10
Answer: D
61
In which phase of the ethical hacking process can Google hacking be employed? This is a technique that
involves manipulating a search string with specific operators to search for vulnerabilities.
Example:
```
allintitle: root passwd
A. Maintaining Access
B. Gaining Access
C. Reconnaissance
D. Scanning and Enumeration
```
Answer: C
62
```
Which specific element of security testing is being assured by using hash?
A. Authentication
B. Integrity
C. Confidentiality
D. Availability
```
Answer: B
63
While performing ping scans into a target network you get a frantic call from the organization's security
team. They report that they are under a denial of service attack. When you stop your scan, the smurf attack
event stops showing up on the organization's IDS monitor.
How can you modify your scan to prevent triggering this event in the IDS?
A. Scan more slowly.
B. Do not scan the broadcast IP.
C. Spoof the source IP address.
D. Only scan the Windows systems.
Answer: B
64
You are manually conducting Idle Scanning using Hping2. During your scanning you notice that almost
every query increments the IPID regardless of the port being queried. One or two of the queries cause the
IPID to increment by more than one value. Why do you think this occurs?
A. The zombie you are using is not truly idle.
B. A stateful inspection firewall is resetting your queries.
C. Hping2 cannot be used for idle scanning.
D. These ports are actually open on the target system.
Answer: A
65
```
Which of the following is designed to verify and authenticate individuals taking part in a data exchange
within an enterprise?
A. SOA
B. Single-Sign On
C. PKI
D. Biometrics
```
Answer: C
66
Sandra is the security administrator of XYZ.com. One day she notices that the XYZ.com Oracle database
server has been compromised and customer information along with financial data has been stolen. The
financial loss will be estimated in millions of dollars if the database gets into the hands of competitors.
Sandra wants to report this crime to the law enforcement agencies immediately. Which organization
coordinates computer crime investigations throughout the United States?
A. NDCA
B. NICP
C. CIRP
D. NPC
E. CIA
Answer: D
67
While doing a technical assessment to determine network vulnerabilities, you used the TCP XMAS scan.
What would be the response of all open ports?
A. The port will send an ACK
B. The port will send a SYN
C. The port will ignore the packets
D. The port will send an RST
Answer: C
68
A distributed port scan operates by:
A. Blocking access to the scanning clients by the targeted host
B. Using denial-of-service software against a range of TCP ports
C. Blocking access to the targeted host by each of the distributed scanning clients
D. Having multiple computers each scan a small number of ports, then correlating the results
Answer: D
69
Why would an attacker want to perform a scan on port 137?
A. To discover proxy servers on a network
B. To disrupt the NetBIOS SMB service on the target host
C. To check for file and print sharing on Windows systems
D. To discover information about a target host using NBTSTAT
Answer: D
70
While doing a Black box pen test via the TCP port (80), you noticed that the traffic gets blocked when you
tried to pass IRC traffic from a web enabled host. However, you also noticed that outbound HTTP traffic is
being allowed. What type of firewall is being utilized for the outbound traffic?
A. Stateful
B. Application
C. Circuit
D. Packet Filtering
Answer: B
71
```
Which of the following is NOT an ideal choice for biometric controls?
A. Iris patterns
B. Fingerprints
C. Height and weight
D. Voice
```
Answer: C
72
Your next door neighbor, that you do not get along with, is having issues with their network, so he yells to
his spouse the network's SSID and password and you hear them both clearly. What do you do with this
information?
A. Nothing, but suggest to him to change the network's SSID and password.
B. Sell his SSID and password to friends that come to your house, so it doesn't slow down your network.
C. Log onto to his network, after all it's his fault that you can get in.
D. Only use his network when you have large downloads so you don't tax your own network.
Answer: A
73
Which of the following BEST describes the mechanism of a Boot Sector Virus?
A. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
B. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR
C. Overwrites the original MBR and only executes the new virus code
D. Modifies directory table entries so that directory entries point to the virus code instead of the actual
program
Answer: A
74
Matthew received an email with an attachment named “YouWon$10Grand.zip.” The zip file contains a file
named “HowToClaimYourPrize.docx.exe.” Out of excitement and curiosity, Matthew opened the said file.
Without his knowledge, the file copies itself to Matthew’s APPDATA\IocaI directory and begins to beacon to
a Command-and-control server to download additional malicious binaries. What type of malware has
Matthew encountered?
A. Key-logger
B. Trojan
C. Worm
D. Macro Virus
Answer: B
75
LM hash is a compromised password hashing function. Which of the following parameters describe LM
Hash:?
I – The maximum password length is 14 characters.
II – There are no distinctions between uppercase and lowercase.
III – It’s a simple algorithm, so 10,000,000 hashes can be generated per second.
A. I
B. I, II, and III
C. II
D. I and II
Answer: B
76
What is the approximate cost of replacement and recovery operation per year of a hard drive that has a
value of $300 given that the technician who charges $10/hr would need 10 hours to restore OS and
Software and needs further 4 hours to restore the database from the last backup to the new hard disk?
Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%).
A. $440
B. $100
C. $1320
D. $146
Answer: D
77
Backing up data is a security must. However, it also has certain level of risks when mishandled. Which of
the following is the greatest threat posed by backups?
A. A backup is the source of Malware or illicit information
B. A backup is incomplete because no verification was performed
C. A backup is unavailable during disaster recovery
D. An unencrypted backup can be misplaced or stolen
Answer: D
78
```
Which of the following is an NMAP script that could help detect HTTP Methods such as GET, POST, HEAD,
PUT, DELETE, TRACE?
A. http-git
B. http-headers
C. http enum
D. http-methods
```
Answer: D
79
A big company, who wanted to test their security infrastructure, wants to hire elite pen testers like you.
During the interview, they asked you to show sample reports from previous penetration tests. What should
you do?
A. Share reports, after NDA is signed
B. Share full reports, not redacted
C. Decline but, provide references
D. Share full reports with redactions
Answer: C
80
Knowing the nature of backup tapes, which of the following is the MOST RECOMMENDED way of storing
backup tapes?
A. In a cool dry environment
B. Inside the data center for faster retrieval in a fireproof safe
C. In a climate controlled facility offsite
D. On a different floor in the same building
Answer: C
81
Which of the following is a vulnerability in GNU’s bash shell (discovered in September of 2014) that gives
attackers access to run remote commands on a vulnerable system?
A. Shellshock
B. Rootshell
C. Rootshock
D. Shellbash
Answer: A
82
Which of the following is the BEST way to protect Personally Identifiable Information (PII) from being
exploited due to vulnerabilities of varying web applications?
A. Use cryptographic storage to store all PII
B. Use full disk encryption on all hard drives to protect PII
C. Use encrypted communications protocols to transmit PII
D. Use a security token to log into all Web applications that use PII
Answer: C
83
Which of the following is a restriction being enforced in “white box testing?”
A. Only the internal operation of a system is known to the tester
B. The internal operation of a system is completely known to the tester
C. The internal operation of a system is only partly accessible to the tester
D. Only the external operation of a system is accessible to the tester
Answer: B
84
```
When security and confidentiality of data within the same LAN is of utmost priority, which IPSec mode
should you implement?
A. AH Tunnel mode
B. AH promiscuous
C. ESP transport mode
D. ESP confidential
```
Answer: C
85
What is the code written for?
A. Buffer Overflow
B. Encryption
C. Bruteforce
D. Denial-of-service (Dos)
Answer: A
86
What tool should you use when you need to analyze extracted metadata from files you collected when you
were in the initial stage of penetration test (information gathering)?
A. Armitage
B. Dimitry
C. Metagoofil
D. cdpsnarf
Answer: C
87
```
Which type of security feature stops vehicles from crashing through the doors of a building?
A. Turnstile
B. Bollards
C. Mantrap
D. Receptionist
```
Answer: B
88
```
Name two software tools used for OS guessing? (Choose two.)
A. Nmap
B. Snadboy
C. Queso
D. UserInfo
E. NetBus
```
Answer: A C
89
```
An nmap command that includes the host specification of 202.176.56-57.* will scan number of hosts.
A. 2
B. 256
C. 512
D. Over 10, 000
```
Answer: C
90
In IPv6 what is the major difference concerning application layer vulnerabilities compared to IPv4?
A. Implementing IPv4 security in a dual-stack network offers protection from IPv6 attacks too.
B. Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation
techniques are almost identical.
C. Due to the extensive security measures built in IPv6, application layer vulnerabilities need not be
addresses.
D. Vulnerabilities in the application layer are greatly different from IPv4.
Answer: B
91
Which of the following is the BEST approach to prevent Cross-site Scripting (XSS) flaws?
A. Use digital certificates to authenticate a server prior to sending data.
B. Verify access right before allowing access to protected information and UI controls.
C. Verify access right before allowing access to protected information and UI controls.
D. Validate and escape all information sent to a server.
Answer: D
92
TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during
standard layer 4 network communications. Which of the following tools can be used for passive OS fingerprinting?
A. nmap
B. ping
C. tracert
D. tcpdump
Answer: D
93
A company recently hired your team of Ethical Hackers to test the security of their network systems. The
company wants to have the attack be as realistic as possible. They did not provide any information besides
the name of their company. What phase of security testing would your team jump in right away?
A. Scanning
B. Reconnaissance
C. Escalation
D. Enumeration
Answer: B
94
It is a widely used standard for message logging. It permits separation of the software that generates
messages, the system that stores them, and the software that reports and analyzes them. This protocol is
specifically designed for transporting event messages. Which of the following is being described?
A. SNMP
B. ICMP
C. SYSLOG
D. SMS
Answer: C
95
Defining rules, collaborating human workforce, creating a backup plan, and testing the plans are within
what phase of the Incident Handling Process?
A. Preparation phase
B. Containment phase
C. Recovery phase
D. Identification phase
Answer: A
96
```
Which service in a PKI will vouch for the identity of an individual or company?
A. KDC
B. CA
C. CR
D. CBC
```
Answer: B
97
Sandra has been actively scanning the client network on which she is doing a vulnerability assessment test.
While conducting a port scan she notices open ports in the range of 135 to 139.
What protocol is most likely to be listening on those ports?
A. Finger
B. FTP
C. Samba
D. SMB
Answer: D
98
```
What attack is used to crack passwords by using a precomputed table of hashed passwords?
A. Brute Force Attack
B. Hybrid Attack
C. Rainbow Table Attack
D. Dictionary Attack
```
Answer: C
99
Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library?
This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS
encryption used to secure the Internet.
A. Heartbleed Bug
B. POODLE
C. SSL/TLS Renegotiation Vulnerability
D. Shellshock
Answer: A
100
Bob received this text message on his mobile phone: ““Hello, this is Scott Smelby from the Yahoo Bank.
Kindly contact me for a vital transaction on: scottsmelby@yahoo.com””. Which statement below is true?
A. This is probably a legitimate message as it comes from a respectable organization.
B. Bob should write to scottsmelby@yahoo.com to verify the identity of Scott.
C. This is a scam as everybody can get a @yahoo address, not the Yahoo customer service employees.
D. This is a scam because Bob does not know Scott.
Answer: C
101
```
Which of the following security policies defines the use of VPN for gaining access to an internal corporate
network?
A. Network security policy
B. Remote access policy
C. Information protection policy
D. Access control policy
```
Answer: B
102
In order to prevent particular ports and applications from getting packets into an organization, what does a
firewall check?
A. Network layer headers and the session layer port numbers
B. Presentation layer headers and the session layer port numbers
C. Application layer port numbers and the transport layer headers
D. Transport layer port numbers and application layer headers
Answer: D
103
Which of the following is a form of penetration testing that relies heavily on human interaction and often
involves tricking people into breaking normal security procedures?
A. Social Engineering
B. Piggybacking
C. Tailgating
D. Eavesdropping
Answer: A
104
```
Which of the following Nmap commands would be used to perform a stack fingerprinting?
A. Nmap -O -p80
B. Nmap -hU -Q
C. Nmap -sT -p
D. Nmap -u -o -w2
E. Nmap -sS -0p targe
```
Answer: B
105
```
Which of the following is the most important phase of ethical hacking wherein you need to spend
considerable amount of time?
A. Gaining access
B. Escalating privileges
C. Network mapping
D. Footprinting
```
Answer: D
106
An enterprise recently moved to a new office and the new neighborhood is a little risky. The CEO wants to
monitor the physical perimeter and the entrance doors 24 hours. What is the best option to do this job?
A. Use fences in the entrance doors.
B. Install a CCTV with cameras pointing to the entrance doors and the street.
C. Use an IDS in the entrance doors and install some of them near the corners.
D. Use lights in all the entrance doors and along the company's perimeter.
Answer: B
107
What would you type on the Windows command line in order to launch the Computer Management Console
provided that you are logged in as an admin?
A. c:\compmgmt.msc
B. c:\gpedit
C. c:\ncpa.cpl
D. c:\services.msc
Answer: A
108
What are two things that are possible when scanning UDP ports? (Choose two.)
A. A reset will be returned
B. An ICMP message will be returned
C. The four-way handshake will not be completed
D. An RFC 1294 message will be returned
E. Nothing
Answer: B E
109
A recent security audit revealed that there were indeed several occasions that the company’s network was
breached. After investigating, you discover that your IDS is not configured properly and therefore is unable
to trigger alarms when needed. What type of alert is the IDS giving?
A. True Positive
B. False Negative
C. False Positive
D. False Positive
Answer: B
110
Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines
on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security
professional, what would you infer from this scan?
A. It is a network fault and the originating machine is in a network loop
B. It is a worm that is malfunctioning or hardcoded to scan on port 500
C. The attacker is trying to detect machines on the network which have SSL enabled
D. The attacker is trying to determine the type of VPN implementation and checking for IPSec
Answer: D
111
```
You’ve just gained root access to a Centos 6 server after days of trying. What tool should you use to
maintain access?
A. Disable Key Services
B. Create User Account
C. Download and Install Netcat
D. Disable IPTables
```
Answer: B
112
```
Which of the following tools is used by pen testers and analysts specifically to analyze links between data
using link analysis and graphs?
A. Metasploit
B. Wireshark
C. Maltego
D. Cain & Abel
```
Answer: C
113
The chance of a hard drive failure is known to be once every four years. The cost of a new hard drive is
$500.
EF (Exposure Factor) is about 0.5. Calculate for the Annualized Loss Expectancy (ALE).
A. $62.5
B. $250
C. $125
D. $65.2
Answer: A
114
A possibly malicious sequence of packets that were sent to a web server has been captured by an Intrusion
Detection System (IDS) and was saved to a PCAP file. As a network administrator, you need to determine
whether this packets are indeed malicious. What tool are you going to use?
A. Intrusion Prevention System (IPS)
B. Vulnerability scanner
C. Protocol analyzer
D. Network sniffer
Answer: C
115
```
What kind of risk will remain even if all theoretically possible safety measures would be applied?
A. Residual risk
B. Inherent risk
C. Impact risk
D. Deferred risk
```
Answer: A
116
Destination unreachable administratively prohibited messages can inform the hacker to what?
A. That a circuit level proxy has been installed and is filtering traffic
B. That his/her scans are being blocked by a honeypot or jail
C. That the packets are being malformed by the scanning software
D. That a router or other packet-filtering device is blocking traffic
E. That the network is functioning normally
Answer: D
117
This configuration allows NIC to pass all traffic it receives to the Central Processing Unit (CPU), instead of
passing only the frames that the controller is intended to receive. Select the option that BEST describes the
above statement.
A. Multi-cast mode
B. WEM
C. Promiscuous mode
D. Port forwarding
Answer: C
118
(Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP
connection concepts and the ability to read packet signatures from a sniff dump.). Snort has been used to
capture packets on the network. On studying the packets, the penetration tester finds it to be abnormal. If
you were the penetration tester, why would you find this abnormal?
What is odd about this attack? Choose the best answer.
A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
B. This is back orifice activity as the scan comes from port 31337.
C. The attacker wants to avoid creating a sub-carries connection that is not normally valid.
D. These packets were crafted by a tool, they were not created by a standard IP stack.
Answer: B
119
What is the best Nmap command to use when you want to list all devices in the same network quickly after
you successfully identified a server whose IP address is 10.10.0.5?
A. nmap -T4 -F 10.10.0.0/24
B. nmap -T4 -q 10.10.0.0/24
C. nmap -T4 -O 10.10.0.0/24
D. nmap -T4 -r 10.10.1.0/24
Answer: A
120
SNMP is a protocol used to query hosts, servers, and devices about performance or health status data.
This protocol has long been used by hackers to gather great amount of information about remote hosts.
Which of the following features makes this possible? (Choose two.)
A. It used TCP as the underlying protocol.
B. It uses community string that is transmitted in clear text.
C. It is susceptible to sniffing.
D. It is used by all network devices on the market.
Answer: B D
121
```
Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up by and
IDS?
A. SYN scan
B. ACK scan
C. RST scan
D. Connect scan
E. FIN scan
```
Answer: D
122
While reviewing the result of scanning run against a target network you come across the following:
```
Which among the following can be used to get this output?
A. A Bo2k system query.
B. nmap protocol scan
C. A sniffer
D. An SNMP walk
```
Answer: D
123
```
Which of the following tools would MOST LIKELY be used to perform security audit on various of forms of
network systems?
A. Intrusion Detection System
B. Vulnerability scanner
C. Port scanner
D. Protocol analyzer
```
Answer: B
124
```
What does a type 3 code 13 represent? (Choose two.)
A. Echo request
B. Destination unreachable
C. Network unreachable
D. Administratively prohibited
E. Port unreachable
F. Time exceeded
```
Answer: B D
125
You are about to be hired by a well-known Bank to perform penetration tests. Which of the following
documents describes the specifics of the testing, the associated violations, and essentially protects both
the bank’s interest and your liabilities as a tester?
A. Service Level Agreement
B. Non-Disclosure Agreement
C. Terms of Engagement
D. Project Scope
Answer: C
126
```
Which of the following commands runs snort in packet logger mode?
A. ./snort -dev -h ./log
B. ./snort -dev -l ./log
C. ./snort -dev -o ./log
D. ./snort -dev -p ./log
```
Answer: B
127
```
Which Type of scan sends a packets with no flags set?
A. Open Scan
B. Null Scan
C. Xmas Scan
D. Half-Open Scan
```
Answer: B
128
```
Which of the following command line switch would you use for OS detection in Nmap?
A. -D
B. -O
C. -P
D. –X
```
Answer: B
129
Which access control mechanism allows for multiple systems to use a central authentication server (CAS)
that permits users to authenticate once and gain access to multiple systems?
A. Role Based Access Control (RBAC)
B. Discretionary Access Control (DAC)
C. Windows authentication
D. Single sign-on
Answer: D
130
It is a short-range wireless communication technology that allows mobile phones, computers and other
devices to connect and communicate. This technology intends to replace cables connecting portable
devices with high regards to security.
A. Bluetooth
B. Radio-Frequency Identification
C. WLAN
D. InfraRed
Answer: A
131
```
Which type of cryptography does SSL, IKE and PGP belongs to?
A. Secret Key
B. Hash Algorithm
C. Digest
D. Public Key
```
Answer: D
132
What type of malware is it that restricts access to a computer system that it infects and demands that the
user pay a certain amount of money, cryptocurrency, etc. to the operators of the malware to remove the
restriction?
A. Ransomware
B. Riskware
C. Adware
D. Spyware
Answer: A
133
Shellshock had the potential for an unauthorized user to gain access to a server. It affected many
internet-facing services, which OS did it not directly affect?
A. Windows
B. Unix
C. Linux
D. OS X
Answer: A
134
A hacker was able to easily gain access to a website. He was able to log in via the frontend user login form
of the website using default or commonly used credentials. This exploitation is an example of what
Software design flaw?
A. Insufficient security management
B. Insufficient database hardening
C. Insufficient input validation
D. Insufficient exception handling
Answer: B
135
A new wireless client that is 802.11 compliant cannot connect to a wireless network given that the client can
see the network and it has compatible hardware and software installed. Upon further tests and investigation,
it was found out that the Wireless Access Point (WAP) was not responding to the association requests
being sent by the wireless client. What MOST likely is the issue on this scenario?
A. The client cannot see the SSID of the wireless network
B. The WAP does not recognize the client’s MAC address.
C. The wireless client is not configured to use DHCP.
D. Client is configured for the wrong channel
Answer: B
136
```
The following are types of Bluetooth attack EXCEPT ?
A. Bluejacking
B. Bluesmaking
C. Bluesnarfing
D. Bluedriving
```
Answer: D
137
Which of the following BEST describes how Address Resolution Protocol (ARP) works?
A. It sends a reply packet for a specific IP, asking for the MAC address
B. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP
C. It sends a request packet to all the network elements, asking for the domain name from a specific IP
D. It sends a request packet to all the network elements, asking for the MAC address from a specific IP
Answer: D
138
Supposed you are the Chief Network Engineer of a certain Telco. Your company is planning for a big
business expansion and it requires that your network authenticate users connecting using analog modems,
Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame
Relay network. Which AAA protocol would you implement?
A. TACACS+
B. DIAMETER
C. Kerberos
D. RADIUS
Answer: D
139
Suppose you’ve gained access to your client’s hybrid network. On which port should you listen to in order to
know which Microsoft Windows workstations has its file sharing enabled?
A. 1433
B. 161
C. 445
D. 3389
Answer: C
140
```
Which of the following will perform an Xmas scan using NMAP?
A. nmap -sA 192.168.1.254
B. nmap -sP 192.168.1.254
C. nmap -sX 192.168.1.254
D. nmap -sV 192.168.1.254
```
Answer: C
141
It has been reported to you that someone has caused an information spillage on their computer. You go to
the computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What
step in incident handling did you just complete?
A. Containment
B. Eradication
C. Recovery
D. Discovery
Answer: A
142
```
XOR is a common cryptographic tool. 10110001 XOR 00111010 is?
A. 10111100
B. 11011000
C. 10011101
D. 10001011
```
Answer: D
143
Jack was attempting to fingerprint all machines in the network using the following Nmap syntax:
invictus@victim_server:~$ nmap -T4 -0 10.10.0.0/24
TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING! Obviously, it is not going
through. What is the issue here?
A. OS Scan requires root privileges
B. The nmap syntax is wrong.
C. The outgoing TCP/IP fingerprinting is blocked by the host firewall
D. This is a common behavior for a corrupted nmap application
Answer: A
144
While you were gathering information as part of security assessments for one of your clients, you were able
to gather data that show your client is involved with fraudulent activities. What should you do?
A. Immediately stop work and contact the proper legal authorities
B. Ignore the data and continue the assessment until completed as agreed
C. Confront the client in a respectful manner and ask her about the data
D. Copy the data to removable media and keep it in case you need it
Answer: A
145
Eve is spending her day scanning the library computers. She notices that Alice is using a computer whose
port 445 is active and listening. Eve uses the ENUM tool to enumerate Alice machine. From the command
prompt, she types the following command.
What is Eve trying to do?
A. Eve is trying to connect as a user with Administrator privileges
B. Eve is trying to enumerate all users with Administrative privileges
C. Eve is trying to carry out a password crack for user Administrator
D. Eve is trying to escalate privilege of the null user to that of Administrator
Answer: C
146
```
Peter, a Network Administrator, has come to you looking for advice on a tool that would help him perform
SNMP enquires over the network.
Which of these tools would do the SNMP enumeration he is looking for? Select the best answers.
A. SNMPUtil
B. SNScan
C. SNMPScan
D. Solarwinds IP Network Browser
E. NMap
```
Answer: A B D
147
```
Study the following log extract and identify the attack.
A. Hexcode Attack
B. Cross Site Scripting
C. Multiple Domain Traversal Attack
D. Unicode Directory Traversal Attack
```
Answer: D
148
Hackers often raise the trust level of a phishing message by modeling the email to look similar to the
internal email used by the target company. This includes using logos, formatting, and names of the target
company.
The phishing message will often use the name of the company CEO, president, or managers. The time a
hacker spends performing research to locate this information about a company is known as?
A. Enumeration
B. Investigation
C. Exploration
D. Reconnaissance
Answer: D
149
Gavin owns a white-hat firm and is performing a website security audit for one of his clients. He begins by
running a scan which looks for common misconfigurations and outdated software versions. Which of the
following tools is he most likely using?
A. Nikto
B. Nmap
C. Metasploit
D. Armitage
Answer: B
150
```
Based on the following extract from the log of a compromised machine, what is the hacker really trying to
steal?
A. har.txt
B. SAM file
C. wwwroot
D. Repair file
```
Answer: B
151
The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's
access-list as below:
You are hired to conduct security testing on their network.
You successfully brute-force the SNMP community string using a SNMP crack tool.
The access-list configured at the router prevents you from establishing a successful connection. You want
to retrieve the Cisco configuration from the router. How would you proceed?
A. Use the Cisco's TFTP default password to connect and download the configuration file
B. Run a network sniffer and capture the returned traffic with the configuration file from the router
C. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking
your IP address
D. Send a customized SNMP set request with a spoofed source IP address in the range -192.168.1.0
Answer: B D
152
You are analysing traffic on the network with Wireshark. You want to routinely run a cron job which will run
the capture against a specific set of IPs - 192.168.8.0/24. What command you would use?
A. wireshark --fetch ''192.168.8*''
B. wireshark --capture --local masked 192.168.8.0 ---range 24
C. tshark -net 192.255.255.255 mask 192.168.8.0
D. sudo tshark -f''net 192 .68.8.0/24''
Answer: D
153
You have the SOA presented below in your Zone.
Your secondary servers have not been able to contact your primary server to synchronize information. How
long will the secondary servers attempt to contact the primary server before it considers that zone is dead
and stops responding to queries?
collegae.edu.SOA, cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600)
A. One day
B. One hour
C. One week
D. One month
Answer: C
154
Why is a penetration test considered to be more thorough than vulnerability scan?
A. The tools used by penetration testers tend to have much more comprehensive vulnerability databases.
B. A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a vulnerability scan
does not typically involve active exploitation.
C. It is not – a penetration test is often performed by an automated tool, while a vulnerability scan requires
active engagement.
D. Vulnerability scans only do host discovery and port scanning by default.
Answer: B
155
```
This TCP flag instructs the sending system to transmit all buffered data immediately.
A. SYN
B. RST
C. PSH
D. URG
E. FIN
```
Answer: C
156
Fingerprinting an Operating System helps a cracker because:
A. It defines exactly what software you have installed
B. It opens a security-delayed window based on the port being scanned
C. It doesn't depend on the patches that have been applied to fix existing security holes
D. It informs the cracker of which vulnerabilities he may be able to exploit on your system
Answer: D
157
Nathan is testing some of his network devices. Nathan is using Macof to try and flood the ARP cache of
these switches.
If these switches' ARP cache is successfully flooded, what will be the result?
A. The switches will drop into hub mode if the ARP cache is successfully flooded.
B. If the ARP cache is flooded, the switches will drop into pix mode making it less susceptible to attacks.
C. Depending on the switch manufacturer, the device will either delete every entry in its ARP cache or
reroute packets to the nearest switch.
D. The switches will route all traffic to the broadcast address created collisions.
Answer: A
158
Null sessions are un-authenticated connections (not using a username or password.) to an NT or 2000
system. Which TCP and UDP ports must you filter to check null sessions on your network?
A. 137 and 139
B. 137 and 443
C. 139 and 443
D. 139 and 445
Answer: D
159
Suppose your company has just passed a security risk assessment exercise. The results display that the
risk of the breach in the main company application is 50%. Security staff has taken some measures and
implemented the necessary controls. After that another security risk assessment was performed showing
that risk has decreased to 10%. The risk threshold for the application is 20%.
Which of the following risk decisions will be the best for the project in terms of its successful continuation
with most business profit?
A. Avoid the risk
B. Accept the risk
C. Introduce more controls to bring risk to 0%
D. Mitigate the risk
Answer: B
160
```
Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing "server publishing"?
A. Overloading Port Address Translation
B. Dynamic Port Address Translation
C. Dynamic Network Address Translation
D. Static Network Address Translation
```
Answer: D
161
When discussing passwords, what is considered a brute force attack?
A. You attempt every single possibility until you exhaust all possible combinations or discover the password
B. You threaten to use the rubber hose on someone unless they reveal their password
C. You load a dictionary of words into your cracking program
D. You create hashes of a large number of words and compare it with the encrypted passwords
E. You wait until the password expires
Answer: A
162
In the context of password security, a simple dictionary attack involves loading a dictionary file (a text file
full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it
against user accounts located by the application. The larger the word and word fragment selection, the
more effective the dictionary attack is. The brute force method is the most inclusive, although slow. It
usually tries every possible letter and number combination in its automated exploration. If you would use
both brute force and dictionary methods combined together to have variation of words, what would you call
such an attack?
A. Full Blown
B. Thorough
C. Hybrid
D. BruteDics
Answer: C
163
```
What port number is used by LDAP protocol?
A. 110
B. 389
C. 464
D. 445
```
Answer: B
164
```
What ports should be blocked on the firewall to prevent NetBIOS traffic from not coming through the firewall
if your network is comprised of Windows NT, 2000, and XP?
A. 110
B. 135
C. 139
D. 161
E. 445
F. 1024
```
Answer: B C E
165
You are tasked to configure the DHCP server to lease the last 100 usable IP addresses in subnet to.
1.4.0/23. Which of the following IP addresses could be teased as a result of the new configuration?
A. 210.1.55.200
B. 10.1.4.254
C. 10..1.5.200
D. 10.1.4.156
Answer: C
166
What is the known plaintext attack used against DES which gives the result that encrypting plaintext with
one DES key followed by encrypting it with a second DES key is no more secure than using a single key?
A. Man-in-the-middle attack
B. Meet-in-the-middle attack
C. Replay attack
D. Traffic analysis attack
Answer: B
167
Why would you consider sending an email to an address that you know does not exist within the company
you are performing a Penetration Test for?
A. To determine who is the holder of the root account
B. To perform a DoS
C. To create needless SPAM
D. To illicit a response back that will reveal information about email servers and how they treat
undeliverable mail
E. To test for virus protection
Answer: D
168
Within the context of Computer Security, which of the following statements describes Social Engineering
best?
A. Social Engineering is the act of publicly disclosing information
B. Social Engineering is the means put in place by human resource to perform time accounting
C. Social Engineering is the act of getting needed information from a person rather than breaking into a
system
D. Social Engineering is a training program within sociology studies
Answer: C
169
You are programming a buffer overflow exploit and you want to create a NOP sled of 200 bytes in the program exploit.c
```
What is the hexadecimal value of NOP instruction?
A. 0x60
B. 0x80
C. 0x70
D. 0x90
```
Answer: D
170
Which of the following statements is FALSE with respect to Intrusion Detection Systems?
A. Intrusion Detection Systems can be configured to distinguish specific content in network packets
B. Intrusion Detection Systems can easily distinguish a malicious payload in an encrypted traffic
C. Intrusion Detection Systems require constant update of the signature library
D. Intrusion Detection Systems can examine the contents of the data n context of the network protocol
Answer: B
171
MX record priority increases as the number increases. (True/False.)
A. True
B. False
Answer: B
172
What is GINA?
A. Gateway Interface Network Application
B. GUI Installed Network Application CLASS
C. Global Internet National Authority (G-USA)
D. Graphical Identification and Authentication DLL
Answer: D
173
```
Which of the following Linux commands will resolve a domain name into IP address?
A. >host -t AXFR hackeddomain.com
B. >host -t a hackeddomain.com
C. >host -t soa hackeddomain.com
D. >host -t ns hackeddomain.com
```
Answer: B
174
```
Which of the following tools are used for enumeration? (Choose three.)
A. SolarWinds
B. USER2SID
C. Cheops
D. SID2USER
E. DumpSec
```
Answer: B D E
175
What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?
A. Copy the system files from a known good system
B. Perform a trap and trace
C. Delete the files and try to determine the source
D. Reload from a previous backup
E. Reload from known good media
Answer: E
176
An LDAP directory can be used to store information similar to a SQL database. LDAP uses a database
structure instead of SQL’s structure. Because of this, LDAP has difficulty representing many-to-one
relationships.
A. Relational, Hierarchical
B. Strict, Abstract
C. Hierarchical, Relational
D. Simple, Complex
Answer: C
177
Joseph was the Web site administrator for the Mason Insurance in New York, who's main Web site was
located at www.masonins.com. Joseph uses his laptop computer regularly to administer the Web site. One
night, Joseph received an urgent phone call from his friend, Smith. According to Smith, the main Mason
Insurance web site had been vandalized! All of its normal content was removed and replaced with an
attacker's message ''Hacker Message: You are dead! Freaks!” From his office, which was directly
connected to Mason Insurance's internal network, Joseph surfed to the Web site using his laptop. In his
browser, the Web site looked completely intact.
No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the problem. The
Web site appeared defaced when his friend visited using his DSL connection. So, while Smith and his friend
could see the defaced page, Joseph saw the intact Mason Insurance web site. To help make sense of this
problem, Joseph decided to access the Web site using hisdial-up ISP. He disconnected his laptop from the
corporate internal network and used his modem to dial up the same ISP used by Smith. After his modem
connected, he quickly typed www.masonins.com in his browser to reveal the following web page:
After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network,
and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the entire Web
site, and determined that every system file and all the Web content on the server were intact. How did the
attacker accomplish this hack?
A. ARP spoofing
B. SQL injection
C. DNS poisoning
D. Routing table injection
Answer: C
178
Bob is going to perform an active session hijack against Brownies Inc. He has found a target that allows
session oriented connections (Telnet) and performs the sequence prediction on the target operating system.
He manages to find an active session due to the high level of traffic on the network. What is Bob supposed
to do next?
A. Take over the session
B. Reverse sequence prediction
C. Guess the sequence numbers
D. Take one of the parties offline
Answer: C
179
```
What hacking attack is challenge/response authentication used to prevent?
A. Replay attacks
B. Scanning attacks
C. Session hijacking attacks
D. Password cracking attacks
```
Answer: A
180
```
Which of the following algorithms can be used to guarantee the integrity of messages being sent, in transit,
or stored?
A. symmetric algorithms
B. asymmetric algorithms
C. hashing algorithms
D. integrity algorithms
```
Answer: C
181
An attacker runs netcat tool to transfer a secret file between two hosts.
He is worried about information being sniffed on the network.
How would the attacker use netcat to encrypt the information before transmitting onto the wire?
A. Machine A: netcat -l -p -s password 1234 < testfileMachine B: netcat 1234
B. Machine A: netcat -l -e magickey -p 1234 < testfileMachine B: netcat 1234
C. Machine A: netcat -l -p 1234 < testfile -pw passwordMachine B: netcat 1234 -pw
password
D. Use cryptcat instead of netcat
Answer: D
182
Which of the following statements about a zone transfer is correct? (Choose three.)
A. A zone transfer is accomplished with the DNS
B. A zone transfer is accomplished with the nslookup service
C. A zone transfer passes all zone information that a DNS server maintains
D. A zone transfer passes all zone information that a nslookup server maintains
E. A zone transfer can be prevented by blocking all inbound TCP port 53 connections
F. Zone transfers cannot occur on the Internet
Answer: A C E
183
In Trojan terminology, what is a covert channel?
A. A channel that transfers information within a computer system or network in a way that violates the
security policy
B. A legitimate communication path within a computer system or network for transfer of data
C. It is a kernel operation that hides boot processes and services to mask detection
D. It is Reverse tunneling technique that uses HTTPS protocol instead of HTTP protocol to establish
connections
Answer: A
184
What does the following command in netcat do? nc -l -u -p55555 < /etc/passwd
A. logs the incoming connections to /etc/passwd file
B. loads the /etc/passwd file to the UDP port 55555
C. grabs the /etc/passwd file when connected to UDP port 55555
D. deletes the /etc/passwd file when connected to the UDP port 55555
Answer: C
185
You are attempting to crack LM Manager hashed from Windows 2000 SAM file. You will be using LM Brute
force hacking tool for decryption. What encryption algorithm will you be decrypting?
A. MD4
B. DES
C. SHA
D. SSL
Answer: B
186
Which type of sniffing technique is generally referred as MiTM attack?
A. Password Sniffing
B. ARP Poisoning
C. Mac Flooding
D. DHCP Sniffing
Answer: B
187
What is a NULL scan?
A. A scan in which all flags are turned off
B. A scan in which certain flags are off
C. A scan in which all flags are on
D. A scan in which the packet size is set to zero
E. A scan with an illegal packet size
Answer: A
188
```
Which of the following LM hashes represent a password of less than 8 characters? (Choose two.)
A. BA810DBA98995F1817306D272A9441BB
B. 44EFCE164AB921CQAAD3B435B51404EE
C. 0182BD0BD4444BF836077A718CCDF409
D. CEC52EB9C8E3455DC2265B23734E0DAC
E. B757BF5C0D87772FAAD3B435B51404EE
F. E52CAC67419A9A224A3B108F3FA6CB6D
```
Answer: B E
189
Which of the following is the primary objective of a rootkit?
A. It opens a port to provide an unauthorized service
B. It creates a buffer overflow
C. It replaces legitimate programs
D. It provides an undocumented opening in a program
Answer: C
190
To reach a bank web site, the traffic from workstations must pass through a firewall. You have been asked
to review the firewall configuration to ensure that workstations in network 10.10.10.0/24 can only reach the
bank web site 10.20.20.1 using https. Which of the following firewall rules meets this requirement?
A. if (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 443) then permit
B. if (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 80 or 443) then
permit
C. if (source matches 10.10.10.0 and destination matches 10.20.20.1 and port matches 443) then permit
D. if (source matches 10.20.20.1 and destination matches 10.10.10.0/24and port matches 443) then permit
Answer: A
191
Susan has attached to her company's network. She has managed to synchronize her boss's sessions with
that of the file server. She then intercepted his traffic destined for the server, changed it the way she wanted
to and then placed it on the server in his home directory.
What kind of attack is Susan carrying on?
A. A sniffing attack
B. A spoofing attack
C. A man in the middle attack
D. A denial of service attack
Answer: C
192
Elliot is in the process of exploiting a web application that uses SQL as a back-end database. He’s
determined that the application is vulnerable to SQL injection, and has introduced conditional timing delays
into injected queries to determine whether they are successful. What type of SQL injection is Elliot most
likely performing?
A. Error-based SQL injection
B. Blind SQL injection
C. Union-based SQL injection
D. NoSQL injection
Answer: B
193
```
Which DNS resource record can indicate how long any "DNS poisoning" could last?
A. MX
B. SOA
C. NS
D. TIMEOUT
```
Answer: B
194
OpenSSL on Linux servers includes a command line tool for testing TLS. What is the name of the tool and the correct syntax to connect to a web server?
A. openssl s_client -site www.website.com:443
B. openssl_client -site www.website.com:443
C. openssl s_client -connect www.website.com:443
D. openssl_client -connect www.website.com:443
Answer: C
195
The following is an entry captured by a network IDS. You are assigned the task of analyzing this entry. You
notice the value 0x90, which is the most common NOOP instruction for the Intel processor. You figure that
the attacker is attempting a buffer overflow attack.
You also notice "/bin/sh" in the ASCII part of the output. As an analyst what would you conclude about the
attack?
A. The buffer overflow attack has been neutralized by the IDS
B. The attacker is creating a directory on the compromised machine
C. The attacker is attempting a buffer overflow attack and has succeeded
D. The attacker is attempting an exploit that launches a command-line shell
Answer: D
196
What did the following commands determine?
A. That the Joe account has a SID of 500
B. These commands demonstrate that the guest account has NOT been disabled
C. These commands demonstrate that the guest account has been disabled
D. That the true administrator is Joe
E. Issued alone, these commands prove nothing
Answer: D
197
You are performing a penetration test for a client and have gained shell access to a Windows machine on
the internal network. You intend to retrieve all DNS records for the internal domain, if the DNS server is at
192.168.10.2 and the domain name is abccorp.local, what command would you type at the nslookup
prompt to attempt a zone transfer?
A. list server=192.168.10.2 type=all
B. is-d abccorp.local
C. Iserver 192.168.10.2-t all
D. List domain=Abccorp.local type=zone
Answer: B
198
```
_____ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept
keystrokes.
A. Trojan
B. RootKit
C. DoS tool
D. Scanner
E. Backdoor
```
Answer: B
199
Which definition among those given below best describes a covert channel?
A. A server program using a port that is not well known.
B. Making use of a protocol in a way it is not intended to be used.
C. It is the multiplexing taking place on a communication link.
D. It is one of the weak channels used by WEP which makes it insecure
Answer: B
200
Study the snort rule given below and interpret the rule. alert tcp any any --> 192.168.1.0/24 111
(content:"|00 01 86 a5|"; msG. "mountd access";)
A. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and
destined to any IP on port 111
B. An alert is generated when any packet other than a TCP packet is seen on the network and destined for
the 192.168.1.0 subnet
C. An alert is generated when a TCP packet is originated from port 111 of any IP address to the
192.168.1.0 subnet
D. An alert is generated when a TCP packet originating from any IP address is seen on the network and
destined for any IP address on the 192.168.1.0 subnet on port 111
Answer: D
201
While scanning with Nmap, Patin found several hosts which have the IP ID of incremental sequences. He
then decided to conduct: nmap -Pn -p- -si kiosk.adobe.com www.riaa.com. kiosk.adobe.com is the host
with incremental IP ID sequence. What is the purpose of using "-si" with Nmap?
A. Conduct stealth scan
B. Conduct ICMP scan
C. Conduct IDLE scan
D. Conduct silent scan
Answer: A
202
```
What is the proper response for a NULL scan if the port is open?
A. SYN
B. ACK
C. FIN
D. PSH
E. RST
F. No response
```
Answer: F
203
```
One of your team members has asked you to analyze the following SOA record. What is the version?
Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.) (Choose four.)
A. 200303028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800
```
Answer: A
204
```
One of your team members has asked you to analyze the following SOA record.
What is the TTL? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800
2400.)
A. 200303028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800
```
Answer: D
205
This is an attack that takes advantage of a web site vulnerability in which the site displays content that
includes un-sanitized user-provided data.
```
What is this attack?
A. Cross-site-scripting attack
B. SQL Injection
C. URL Traversal attack
D. Buffer Overflow attack
```
Answer: A
206
```
What is the purpose of DNS AAAA record?
A. Authorization, Authentication and Auditing record
B. Address prefix record
C. Address database record
D. IPv6 address resolution record
```
Answer: D
207
```
Which of the following are well known password-cracking programs?
A. L0phtcrack
B. NetCat
C. Jack the Ripper
D. Netbus
E. John the Ripper
```
Answer: A E
208
How can you determine if an LM hash you extracted contains a password that is less than 8 characters
long?
A. There is no way to tell because a hash cannot be reversed
B. The right most portion of the hash is always the same
C. The hash always starts with AB923D
D. The left most portion of the hash is always the same
E. A portion of the hash will be all 0's
Answer: B
209
In this attack, a victim receives an e-mail claiming from PayPal stating that their account has been disabled
and confirmation is required before activation. The attackers then scam to collect not one but two credit
card numbers, ATM PIN number and other personal details. Ignorant users usually fall prey to this scam.
Which of the following statement is incorrect related to this attack?
A. Do not reply to email messages or popup ads asking for personal or financial information
B. Do not trust telephone numbers in e-mails or popup ads
C. Review credit card and bank account statements regularly
D. Antivirus, anti-spyware, and firewall software can very easily detect these type of attacks
E. Do not send credit card numbers, and personal or financial information via e-mail
Answer: D
210
Fred is the network administrator for his company. Fred is testing an internal switch.
From an external IP address, Fred wants to try and trick this switch into thinking it already has established a session with his computer. How can Fred accomplish this?
A. Fred can accomplish this by sending an IP packet with the RST/SIN bit and the source address of his
computer.
B. He can send an IP packet with the SYN bit and the source address of his computer.
C. Fred can send an IP packet with the ACK bit set to zero and the source address of the switch.
D. Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.
Answer: D
211
When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a
source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then hear
an ACK (acknowledge) of the SYN/ACK before the connection is established. This is referred to as the
"TCP three-way handshake." While waiting for the ACK to the SYN ACK, a connection queue of finite size
on the destination host keeps track of connections waiting to be completed. This queue typically empties
quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK.
How would an attacker exploit this design by launching TCP SYN attack?
A. Attacker generates TCP SYN packets with random destination addresses towards a victim host
B. Attacker floods TCP SYN packets with random source addresses towards a victim host
C. Attacker generates TCP ACK packets with random source addresses towards a victim host
D. Attacker generates TCP RST packets with random source addresses towards a victim host
Answer: B
212
Password cracking programs reverse the hashing process to recover passwords. (True/False.)
A. True
B. False
Answer: B
213
Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil
Corp’s lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824-861252104-501.
What needs to happen before Matthew has full administrator access?
A. He must perform privilege escalation.
B. He needs to disable antivirus protection.
C. He needs to gain physical access.
D. He already has admin privileges, as shown by the “501” at the end of the SID.
Answer: A
214
Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt to use these
tools in his lab and is now ready for real world exploitation. He was able to effectively intercept
communications between the two entities and establish credentials with both sides of the connections. The
two remote ends of the communication never notice that Eric is relaying the information between the two.
What would you call this attack?
A. Interceptor
B. Man-in-the-middle
C. ARP Proxy
D. Poisoning Attack
Answer: B
215
In the context of Windows Security, what is a 'null' user?
A. A user that has no skills
B. An account that has been suspended by the admin
C. A pseudo account that has no username and password
D. A pseudo account that was created for security administration purpose
Answer: C
216
ViruXine.W32 virus hides their presence by changing the underlying executable code.
This Virus code mutates while keeping the original algorithm intact, the code changes itself each time it
runs, but the function of the code (its semantics) will not change at all.
Here is a section of the Virus code:
```
What is this technique called?
A. Polymorphic Virus
B. Metamorphic Virus
C. Dravidic Virus
D. Stealth Virus
```
Answer: A
217
```
A zone file consists of which of the following Resource Records (RRs)?
A. DNS, NS, AXFR, and MX records
B. DNS, NS, PTR, and MX records
C. SOA, NS, AXFR, and MX records
D. SOA, NS, A, and MX records
```
Answer: D
218
```
During an Xmas scan what indicates a port is closed?
A. No return response
B. RST
C. ACK
D. SYN
```
Answer: B
219
```
Which command can be used to show the current TCP/IP connections?
A. Netsh
B. Netstat
C. Net use connection
D. Net use
```
Answer: A
220
Bob is acknowledged as a hacker of repute and is popular among visitors of "underground" sites.
Bob is willing to share his knowledge with those who are willing to learn, and many have expressed their
interest in learning from him. However, this knowledge has a risk associated with it, as it can be used for
malevolent attacks as well.
In this context, what would be the most effective method to bridge the knowledge gap between the "black"
hats or crackers and the "white" hats or computer security professionals? (Choose the test answer.)
A. Educate everyone with books, articles and training on risk analysis, vulnerabilities and safeguards.
B. Hire more computer security monitoring personnel to monitor computer systems and networks.
C. Make obtaining either a computer security certification or accreditation easier to achieve so more
individuals feel that they are a part of something larger than life.
D. Train more National Guard and reservist in the art of computer security to help out in times of emergency
or crises.
Answer: A
221
You are trying to break into a highly classified top-secret mainframe computer with highest security system
in place at Merclyn Barley Bank located in Los Angeles.
You know that conventional hacking doesn't work in this case, because organizations such as banks are
generally tight and secure when it comes to protecting their systems.
In other words, you are trying to penetrate an otherwise impenetrable system. How would you proceed?
A. Look for "zero-day" exploits at various underground hacker websites in Russia and China and buy the
necessary exploits from these hackers and target the bank's network
B. Try to hang around the local pubs or restaurants near the bank, get talking to a poorly-paid or disgruntled
employee, and offer them money if they'll abuse their access privileges by providing you with sensitive
information
C. Launch DDOS attacks against Merclyn Barley Bank's routers and firewall systems using 100, 000 or
more "zombies" and "bots"
D. Try to conduct Man-in-the-Middle (MiTM) attack and divert the network traffic going to the Merclyn Barley
Bank's Webserver to that of your machine using DNS Cache Poisoning techniques
Answer: B
222
```
What is the algorithm used by LM for Windows2000 SAM?
A. MD4
B. DES
C. SHA
D. SSL
```
Answer: B
223
```
Identify the correct terminology that defines the above statement.
A. Vulnerability Scanning
B. Penetration Testing
C. Security Policy Implementation
D. Designing Network Security
```
Answer: B
224
How does a denial-of-service attack work?
A. A hacker prevents a legitimate user (or group of users) from accessing a service
B. A hacker uses every character, word, or letter he or she can think of to defeat authentication
C. A hacker tries to decipher a password by using a system, which subsequently crashes the network
D. A hacker attempts to imitate a legitimate user by confusing a computer or even another person
Answer: A
225
```
Which utility will tell you in real time which ports are listening or in another state?
A. Netstat
B. TCPView
C. Nmap
D. Loki
```
Answer: B
226
```
Which of the following represents the initial two commands that an IRC client sends to join an IRC network?
A. USER, NICK
B. LOGIN, NICK
C. USER, PASS
D. LOGIN, USER
```
Answer: A
227
A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB
exchanges which carry user logons. The user is plugged into a hub with 23 other systems.
However, he is unable to capture any logons though he knows that other users are logging in. What do you
think is the most likely reason behind this?
A. There is a NIDS present on that segment.
B. Kerberos is preventing it.
C. Windows logons cannot be sniffed.
D. L0phtcrack only sniffs logons to web servers.
Answer: B
228
You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering,
you come to know that they are enforcing strong passwords. You understand that all users are required to
use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following
categories: lower case letters, capital letters, numbers and special characters. With your existing
knowledge of users, likely user account names and the possibility that they will choose the easiest
passwords possible, what would be the fastest type of password cracking attack you can run against these
hash values and still get results?
A. Online Attack
B. Dictionary Attack
C. Brute Force Attack
D. Hybrid Attack
Answer: D
229
As a securing consultant, what are some of the things you would recommend to a company to ensure DNS
security?
A. Use the same machines for DNS and other applications
B. Harden DNS servers
C. Use split-horizon operation for DNS servers
D. Restrict Zone transfers
E. Have subnet diversity between DNS servers
Answer: B C D E
230
Every company needs a formal written document which spells out to employees precisely what they are
allowed to use the company's systems for, what is prohibited, and what will happen to them if they break
the rules. Two printed copies of the policy should be given to every employee as soon as possible after they
join the organization. The employee should be asked to sign one copy, which should be safely filed by the
company. No one should be allowed to use the company's computer systems until they have signed the
policy in acceptance of its terms.
What is this document called?
A. Information Audit Policy (IAP)
B. Information Security Policy (ISP)
C. Penetration Testing Policy (PTP)
D. Company Compliance Policy (CCP)
Answer: B
231
What is the following command used for? net use \targetipc$ " /u:"
A. Grabbing the etc/passwd file
B. Grabbing the SAM
C. Connecting to a Linux computer through Samba.
D. This command is used to connect as a null session
E. Enumeration of Cisco routers
Answer: D
232
A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network.
What are some things he can do to prevent it? Select the best answers.
A. Use port security on his switches.
B. Use a tool like ARPwatch to monitor for strange ARP activity.
C. Use a firewall between all LAN segments.
D. If you have a small network, use static ARP entries.
E. Use only static IP addresses on all PC's.
Answer: A B D
233
Jim’s company regularly performs backups of their critical servers. But the company can’t afford to send
backup tapes to an off-site vendor for long term storage and archiving. Instead Jim’s company keeps the
backup tapes in a safe in the office. Jim’s company is audited each year, and the results from this year’s
audit show a risk because backup tapes aren’t stored off-site. The Manager of Information Technology has
a plan to take the backup tapes home with him and wants to know what two things he can do to secure the
backup tapes while in transit?
A. Encrypt the backup tapes and use a courier to transport them.
B. Encrypt the backup tapes and transport them in a lock box
C. Degauss the backup tapes and transport them in a lock box.
D. Hash the backup tapes and transport them in a lock box.
Answer: B
234
```
Peter is surfing the internet looking for information about DX Company. Which hacking process is Peter
doing?
A. Scanning
B. System Hacking
C. Footprinting
D. Enumeration
```
Answer: C
235
Yancey is a network security administrator for a large electric company. This company provides power for
over 100, 000 people in Las Vegas. Yancey has worked for his company for over 15 years and has become
very successful. One day, Yancey comes in to work and finds out that the company will be downsizing and
he will be out of a job in two weeks. Yancey is very angry and decides to place logic bombs, viruses,
Trojans, and backdoors all over the network to take down the company once he has left. Yancey does not
care if his actions land him in jail for 30 or more years, he just wants the company to pay for what they are
doing to him.
What would Yancey be considered?
A. Yancey would be considered a Suicide Hacker
B. Since he does not care about going to jail, he would be considered a Black Hat
C. Because Yancey works for the company currently; he would be a White Hat
D. Yancey is a Hacktivist Hacker since he is standing up to a company that is downsizing
Answer: A
236
What kind of detection techniques is being used in antivirus softwares that identifies malware by collecting
data from multiple protected systems and instead of analyzing files locally it's made on the premiers
environment
A. VCloud based
B. Honypot based
C. Behaviour based
D. Heuristics based
Answer: A
237
```
Which of the following tools can be used to perform a zone transfer?
A. NSLookup
B. Finger
C. Dig
D. Sam Spade
E. Host
F. Netcat
G. Neotrace
```
Answer: A C D E
238
Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in
place. He also suspects that weak passwords are probably the norm throughout the company he is
evaluating. Bob is familiar with password weaknesses and key loggers.
Which of the following options best represents the means that Bob can adopt to retrieve passwords from his
clients hosts and servers?
A. Hardware, Software, and Sniffing.
B. Hardware and Software Keyloggers.
C. Passwords are always best obtained using Hardware key loggers.
D. Software only, they are the most effective.
Answer: A
239
Take a look at the following attack on a Web Server using obstructed URL:
How would you protect from these attacks?
A. Configure the Web Server to deny requests involving "hex encoded" characters
B. Create rules in IDS to alert on strange Unicode requests
C. Use SSL authentication on Web Servers
D. Enable Active Scripts Detection at the firewall and routers
Answer: B
240
If a token and 4-digit personal identification number (PIN) are used to access a computer system and the
token performs off-line checking for the correct PIN, what type of attack is possible?
A. Birthday
B. Brute force
C. Man-in-the-middle
D. Smurf
Answer: B
241
You work for Acme Corporation as Sales Manager. The company has tight network security restrictions.
You are trying to steal data from the company's Sales database (Sales.xls) and transfer them to your home
computer. Your company filters and monitors traffic that leaves from the internal network to the Internet.
How will you achieve this without raising suspicion?
A. Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account
B. Package the Sales.xls using Trojan wrappers and telnet them back your home computer
C. You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an
innocent looking email or file transfer using Steganography techniques
D. Change the extension of Sales.xls to sales.txt and upload them as attachment to your hotmail account
Answer: C
242
You have successfully logged on a Linux system. You want to now cover your trade Your login attempt may
be logged on several files located in /var/log. Which file does NOT belongs to the list:
A. user.log
B. auth.fesg
C. wtmp
D. btmp
Answer: C
243
Study the snort rule given below:
```
From the options below, choose the exploit against which this rule applies.
A. WebDav
B. SQL Slammer
C. MS Blaster
D. MyDoom
```
Answer: C
244
John is an incident handler at a financial institution. His steps in a recent incident are not up to the
standards of the company. John frequently forgets some steps and procedures while handling responses
as they are very stressful to perform. Which of the following actions should John take to overcome this
problem with the least administrative effort?
A. Create an incident checklist.
B. Select someone else to check the procedures.
C. Increase his technical skills.
D. Read the incident manual every time it occurs.
Answer: C
245
What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stracheldraht have in common?
A. All are hacking tools developed by the legion of doom
B. All are tools that can be used not only by hackers, but also security personnel
C. All are DDOS tools
D. All are tools that are only effective against Windows
E. All are tools that are only effective against Linux
Answer: C
246
```
This kind of password cracking method uses word lists in combination with numbers and special
characters:
A. Hybrid
B. Linear
C. Symmetric
D. Brute Force
```
Answer: A
247
E- mail scams and mail fraud are regulated by which of the following?
A. 18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers
B. 18 U.S.C. par. 1029 Fraud and Related activity in connection with Access Devices
C. 18 U.S.C. par. 1362 Communication Lines, Stations, or Systems
D. 18 U.S.C. par. 2510 Wire and Electronic Communications Interception and Interception of Oral
Communication
Answer: A
248
Under what conditions does a secondary name server request a zone transfer from a primary name server?
A. When a primary SOA is higher that a secondary SOA
B. When a secondary SOA is higher that a primary SOA
C. When a primary name server has had its service restarted
D. When a secondary name server has had its service restarted
E. When the TTL falls to zero
Answer: A
249
Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool "SIDExtractor". Here
is the output of the SIDs:
```
From the above list identify the user account with System Administrator privileges.
A. John
B. Rebecca
C. Sheela
D. Shawn
E. Somia
F. Chang
G. Micah
```
Answer: F
250
The tools which receive event logs from servers, network equipment, and applications, and perform
analysis
and correlation on those logs, and can generate alarms for security relevant issues, are known as what?
A. network Sniffer
B. Vulnerability Scanner
C. Intrusion prevention Server
D. Security incident and event Monitoring
Answer: D
251
Let's imagine three companies (A, B and C), all competing in a challenging global environment. Company A
and B are working together in developing a product that will generate a major competitive advantage for
them. Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing.
With a spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails from
company
B. How do you prevent DNS spoofing?
A. Install DNS logger and track vulnerable packets
B. Disable DNS timeouts
C. Install DNS Anti-spoofing
D. Disable DNS Zone Transfer
Answer: C
252
Switches maintain a CAM Table that maps individual MAC addresses on the network to physical ports on
the switch.
In MAC flooding attack, a switch is fed with many Ethernet frames, each containing different source MAC
addresses, by the attacker. Switches have a limited memory for mapping various MAC addresses to
physical ports. What happens when the CAM table becomes full?
A. Switch then acts as hub by broadcasting packets to all machines on the network
B. The CAM overflow table will cause the switch to crash causing Denial of Service
C. The switch replaces outgoing frame switch factory default MAC address of FF:FF:FF:FF:FF:FF
D. Every packet is dropped and the switch sends out SNMP alerts to the IDS port
Answer: A
253
```
What tool can crack Windows SMB passwords simply by listening to network traffic?
A. This is not possible
B. Netbus
C. NTFSDOS
D. L0phtcrack
```
Answer: D
254
Tess King is using the nslookup command to craft queries to list all DNS information (such as Name
Servers, host names, MX records, CNAME records, glue records (delegation for child Domains), zone
serial number, TimeToLive (TTL) records, etc) for a Domain.
What do you think Tess King is trying to accomplish? Select the best answer.
A. A zone harvesting
B. A zone transfer
C. A zone update
D. A zone estimate
Answer: B
255
Tremp is an IT Security Manager, and he is planning to deploy an IDS in his small company. He is looking
for an IDS with the following characteristics: - Verifies success or failure of an attack - Monitors system
activities Detects attacks that a network-based IDS fails to detect - Near real-time detection and response Does not require additional hardware - Lower entry cost Which type of IDS is best suited for Tremp's
requirements?
A. Gateway-based IDS
B. Network-based IDS
C. Host-based IDS
D. Open source-based
Answer: C
256
You receive an e-mail like the one shown below. When you click on the link contained in the mail, you are
redirected to a website seeking you to download free Anti-Virus software.
Dear valued customers,
We are pleased to announce the newest version of Antivirus 2010 for Windows which will probe you with
total security against the latest spyware, malware, viruses, Trojans and other online threats. Simply visit the
link below and enter your antivirus code:
or you may contact us at the following address: Media Internet Consultants, Edif. Neptuno, Planta
Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a Panama
How will you determine if this is Real Anti-Virus or Fake Anti-Virus website?
A. Look at the website design, if it looks professional then it is a Real Anti-Virus website
B. Connect to the site using SSL, if you are successful then the website is genuine
C. Search using the URL and Anti-Virus product name into Google and lookout for suspicious warnings
against this site
D. Download and install Anti-Virus software from this suspicious looking site, your Windows 7 will prompt
you and stop the installation if the downloaded file is a malware
E. Download and install Anti-Virus software from this suspicious looking site, your Windows 7 will prompt
you and stop the installation if the downloaded file is a malware
Answer: C
257
While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25.
You would like to block this, though you do not see any evidence of an attack or other wrong doing.
However, you are concerned about affecting the normal functionality of the email server. From the following
options choose how best you can achieve this objective?
A. Block port 25 at the firewall.
B. Shut off the SMTP service on the server.
C. Force all connections to use a username and password.
D. Switch from Windows Exchange to UNIX Sendmail.
E. None of the above.
Answer: E
258
You went to great lengths to install all the necessary technologies to prevent hacking attacks, such as
expensive firewalls, antivirus software, anti-spam systems and intrusion detection/prevention tools in your
company's network. You have configured the most secure policies and tightened every device on your
network. You are confident that hackers will never be able to gain access to your network with complex
security system in place.
Your peer, Peter Smith who works at the same department disagrees with you.
He says even the best network security technologies cannot prevent hackers gaining access to the network
because of presence of "weakest link" in the security chain.
What is Peter Smith talking about?
A. Untrained staff or ignorant computer users who inadvertently become the weakest link in your security
chain
B. "zero-day" exploits are the weakest link in the security chain since the IDS will not be able to detect these
attacks
C. "Polymorphic viruses" are the weakest link in the security chain since the Anti-Virus scanners will not be
able to detect these attacks
D. Continuous Spam e-mails cannot be blocked by your security system since spammers use different
techniques to bypass the filters in your gateway
Answer: A
259
```
What is the proper response for a NULL scan if the port is closed?
A. SYN
B. ACK
C. FIN
D. PSH
E. RST
F. No response
```
Answer: E
260
Windows LAN Manager (LM) hashes are known to be weak.
Which of the following are known weaknesses of LM? (Choose three.)
A. Converts passwords to uppercase.
B. Hashes are sent in clear text over the network.
C. Makes use of only 32-bit encryption.
D. Effective length is 7 characters.
Answer: A B D
