The Pen Test: Putting It All Together - CEH Certified Ethical Hacker Practice Exams Second Edition (2014)



The Pen Test: Putting It All Together

This chapter includes questions from the following topics:

• Describe penetration testing, security assessments, and risk management

• Define automatic and manual testing

• List pen test methodology and deliverables


I used to work in a paint and body auto shop when I was a teenager and saw some amazing work come out of the place. The proprietor, Rob Dunne, seemingly knew everything about cars—from the minutiae of the internal engine to the right buffing, sanding, paint, and clear coat on the exterior—and taught me more about vehicles than anyone else on the planet. He also taught me some important work lessons, such as preparing correctly for a job, organizing and planning the steps, working hard and smart through a job, and, possibly just as importantly, finishing the right way.

On many jobs we performed during my time there, especially early on, I just couldn’t wait to finish things off. After all that taping and paper, sanding and buffing, and finally painting the darned thing, I couldn’t wait to rip off all the tape and paper and see the final product. But, as I learned several times over before the lesson finally sank into my head, rushing the final steps of a job can ruin the whole thing. The paint needed time to cure, and as exciting as it is to pull everything off and see your work come to life, it’s far better to see things through to the end, all the way, with all the patience and care you started with.

This chapter is, admittedly, short and sweet, but don’t go ripping off the tape and paper just yet—there’s a little bit more curing to be done. The questions and answers here should be on the easy side (if memorizing terms is easy for you, that is), and the write-ups on what’s correct and what’s false will reflect that as well. Sure, I might sneak in a question from earlier in the book—just to see whether you’re paying attention and to wrap up terms EC-Council throws into this section—but these are all supposed to be about the pen test itself. We’ve already covered the nuts and bolts, so now we’re going to spend some time on the finished product. And, yes, you will see this stuff on your exam. But I hope, when that time comes, you’ll confidently and patiently finish it off, just as well as you started it.


STUDY TIPS  The information covered in this chapter that you’ll find on the exam generally boils down to basic memorization. While that may sound easy enough to you, I think you’ll find that some of these terms are so closely related that questions on the exam referencing them will be confusing at the least—and most likely rage-inducing by the time the exam ends. Pay close attention to the details and key words for definitions (in particular the insiders, outsiders, and affiliates definitions), and take the time to memorize the phases involved with a pen test and an actual attack. Lastly, and I think I’ve said this before, it’s sometimes easier to eliminate wrong answers than it is to choose the correct one. When you’re looking at one of these questions that seems totally out of left field, spend your time eliminating the choices you know aren’t correct. Eventually all that’s left must be the correct answer. After all, the mechanism scoring the test doesn’t care how you got to the answer, only that the right one is chosen.

QUESTIONS

1. Which of the following would be found in a final report from a full penetration test? (Choose all that apply.)

A. The names of all the participants

B. A list of findings from the assessments

C. An executive summary of the assessments

D. A list of vulnerabilities that were patched by the team

2. A team is starting a security assessment and has been provided a system on an internal subnet. No other previous knowledge of any pertinent information has been given. Which of the following best describes the type of test the team will be performing?

A. Internal, white box

B. Internal, black box

C. External, white box

D. External, black box

3. Which of the following provide automated pen test–like results for an organization? (Choose all that apply.)

A. Metasploit

B. Nessus

C. Core Impact

D. CANVAS

E. SAINT

F. GFI Languard

4. Which of the following best describes an assessment against a network segment that tests for existing vulnerabilities but does not attempt to exploit any of them?

A. Penetration test

B. Partial penetration test

C. Vulnerability assessment

D. Security scan

5. A spouse of an employee illegally uses the employee’s credentials to gain access to the organization and carry out an attack. Which of the following best defines the attacker?

A. Outside affiliate

B. Outside associate

C. Insider affiliate

D. Insider associate

6. In which phase of a pen test is scanning performed?

A. Pre-attack

B. Attack

C. Post-attack

D. Reconnaissance

7. Which of the following tests is generally faster and costs less than a manual pen test?

A. Automatic

B. Internal

C. Black box

D. External

8. Which of the following best defines an attack against the organization by an internal user?

A. External, black box

B. Internal, gray box

C. Internal, announced

D. External, white box

9. Brad is part of an environmental group protesting SomeBiz, Inc., for the company’s stance on a variety of issues. Frustrated by the failure of multiple attempts to raise awareness of his cause, Brad launches sophisticated web defacement and denial-of-service attacks against the company, without attempting to hide the attack source and with no regard to being caught. Which of the following terms best defines Brad?

A. Hacktivism

B. Ethical hacker

C. Script kiddie

D. Suicide hacker

10. A security team has been hired by upper management to assess the organization’s security. The assessment is designed to emulate an Internet hacker and to test the behavior of the security devices and policies in place as well as the IT security staff. Which of the following best describe this test? (Choose all that apply.)

A. Internal

B. External

C. Announced

D. Unannounced

11. In which phase of a pen test will the team penetrate the perimeter and acquire targets?

A. Pre-attack

B. Attack

C. Post-attack

D. None of the above

12. Which of the following test types presents a higher probability of encountering problems and takes the most amount of time?

A. Black box

B. Gray box

C. White box

D. Internal

13. Which of the following best describes the difference between a professional pen test team member and a hacker?

A. Ethical hackers are paid for their time.

B. Ethical hackers never exploit vulnerabilities; they only point out their existence.

C. Ethical hackers do not use the same tools and actions as hackers.

D. Ethical hackers hold a predefined scope and agreement from the system owner.

14. Sally is part of a penetration test team and is starting a test. The client has provided a network drop on one of their subnets for Sally to launch her attacks from. However, they did not provide any authentication information, network diagrams, or other notable data concerning the systems. Which type of test is Sally performing?

A. External, white box

B. External, black box

C. Internal, white box

D. Internal, black box

15. Joe is part of a pen test team that has been hired by AnyBiz to perform testing under a contract. As part of the defined scope and activities, no IT employees within AnyBiz know about the test. After some initial information gathering, Joe strikes up a conversation with an employee in the cafeteria and steals the employee’s access badge. Joe then uses this badge to gain entry to secured areas of AnyBiz’s office space. Which of the following best defines Joe in this scenario?

A. Outside affiliate

B. Outside associate

C. Insider affiliate

D. Insider associate

16. In which phase of a penetration test would you compile a list of vulnerabilities found?

A. Pre-attack

B. Attack

C. Post-attack

D. Reconciliation

17. Which of the following has a database containing thousands of signatures used to detect vulnerabilities in multiple operating systems?

A. Nessus

B. Hping

C. LOIC

D. SNMPUtil

18. Cleaning registry entries and removing uploaded files and tools are part of which phase of a pen test?

A. Covering tracks

B. Pre-attack

C. Attack

D. Post-attack

19. Jake, an employee of AnyBiz, Inc., parks his vehicle outside the corporate offices of SomeBiz, Inc. He turns on a laptop and connects to an open wireless access point internal to SomeBiz’s network. Which of the following best defines Jake?

A. Outside affiliate

B. Outside associate

C. Insider affiliate

D. Insider associate

20. Which of the following are true regarding a pen test? (Choose all that apply.)

A. Pen tests do not include social engineering.

B. Pen tests may include unannounced attacks against the network.

C. During a pen test, the security professionals can carry out any attack they choose.

D. Pen tests always have a scope.

E. The client is not notified of the vulnerabilities the team chooses to exploit.

21. Which of the following causes a potential security breach?

A. Vulnerability

B. Threat

C. Exploit

D. Zero day

22. Which Metasploit payload type operates via DLL injection and is difficult for antivirus software to pick up?

A. Inline

B. Meterpreter

C. Staged

D. Remote

23. Metasploit is a framework allowing for the development and execution of exploit code against a remote host and is designed for use in pen testing. The framework consists of several libraries, each performing a specific task and set of functions. Which library is considered the most fundamental component of the Metasploit framework?

A. MSF Core

B. MSF Base

C. MSF Interfaces

D. Rex

24. EC-Council defines six stages of scanning methodology. Which of the following correctly lists the six steps?

A. Scan for vulnerabilities, check for live systems, check for open ports, perform banner grabbing, draw network diagrams, prepare proxies

B. Perform banner grabbing, check for live systems, check for open ports, scan for vulnerabilities, draw network diagrams, prepare proxies

C. Check for live systems, check for open ports, perform banner grabbing, scan for vulnerabilities, draw network diagrams, prepare proxies

D. Prepare proxies, check for live systems, check for open ports, perform banner grabbing, scan for vulnerabilities, draw network diagrams

25. Which of the following may be effective countermeasures against an inside attacker? (Choose all that apply.)

A. Enforce elevated privilege control.

B. Secure all dumpsters and shred collection boxes.

C. Enforce good physical security practice and policy.

D. Perform background checks on all employees.

26. The IP address 132.58.90.55/20 is given for a machine your team is to test. Which of the following represents an address within the same subnet?

A. 132.58.88.254

B. 132.58.96.20

C. 132.58.254.90

D. 132.58.55.90

QUICK ANSWER KEY

1. A, B, C

2. B

3. A, C, D

4. C

5. C

6. A

7. A

8. B

9. D

10. B, D

11. B

12. A

13. D

14. D

15. C

16. C

17. A

18. D

19. A

20. B, D

21. B

22. B

23. D

24. C

25. A, B, C, D

26. A
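Question 26 is the one item in this chapter that is a calculation rather than a definition. The following Python is an added worked example, not part of the book: it computes the /20 range for the target address and checks each of the four candidate answers, first with plain bit arithmetic and then with the standard library's ipaddress module, so the two methods can be compared. The addresses are the question's own; the function names are assumptions of this example.

```python
import ipaddress

# Values from question 26: the target handed to the team and the four candidate answers.
TARGET = "132.58.90.55/20"
CANDIDATES = {
    "A": "132.58.88.254",
    "B": "132.58.96.20",
    "C": "132.58.254.90",
    "D": "132.58.55.90",
}


def address_to_int(address: str) -> int:
    """Pack a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(part) for part in address.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {address}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def prefix_to_mask(prefix_len: int) -> int:
    """Build the 32-bit netmask for a prefix length, e.g. 20 -> 0xFFFFF000 (255.255.240.0)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length out of range: {prefix_len}")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def same_subnet_by_hand(cidr: str, address: str) -> bool:
    """Bitwise check: two addresses share a subnet when every masked bit agrees."""
    host, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    return (address_to_int(host) & mask) == (address_to_int(address) & mask)


def same_subnet(cidr: str, address: str) -> bool:
    """The same check done with the standard ipaddress module."""
    # strict=False accepts a host address (132.58.90.55/20) and zeroes the host bits for us.
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


def subnet_summary(cidr: str) -> dict:
    """Network address, mask and broadcast of the subnet a host/prefix string belongs to."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
    }


def in_scope_labels(cidr: str, candidates: dict) -> list:
    """Labels of the candidates inside the subnet; the bitwise and library checks must agree."""
    hits = []
    for label, addr in candidates.items():
        by_hand = same_subnet_by_hand(cidr, addr)
        by_lib = same_subnet(cidr, addr)
        assert by_hand == by_lib, f"method mismatch for {addr}"
        if by_hand:
            hits.append(label)
    return hits


if __name__ == "__main__":
    print(subnet_summary(TARGET))  # network 132.58.80.0, netmask 255.255.240.0, broadcast 132.58.95.255
    for label, addr in CANDIDATES.items():
        print(label, addr, "in scope" if same_subnet(TARGET, addr) else "out of scope")
    print("answer:", in_scope_labels(TARGET, CANDIDATES))  # ['A']
```

The /20 mask keeps the top four bits of the third octet, so 90 (0101 1010) rounds down to 80 and the subnet runs from 132.58.80.0 to 132.58.95.255; only candidate A lands inside it. The same membership check, run before a scanner is pointed at an address, is the simple guard the explanation for question 7 says automated tools tend to lack: it keeps a test inside the range the client actually agreed to.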

ANSWERS

1. Which of the following would be found in a final report from a full penetration test? (Choose all that apply.)

A. The names of all the participants

B. A list of findings from the assessments

C. An executive summary of the assessments

D. A list of vulnerabilities that were patched by the team

A, B, and C. It seems fairly obvious that if you hire someone to perform a security audit of your organization, you would expect a report at the end of it. Pen tests vary from company to company and from test to test, but some basics are part of every pen test final report to the customer. The basics that are part of every report are listed here:

• An executive summary of the organization’s overall security posture (if testing under the auspices of FISMA, DIACAP, HIPAA, or other standard, this will be tailored to the standard)

• The names of all participants as well as the dates of all tests

• A list of findings, usually presented in order of highest risk

• An analysis of each finding as well as recommended mitigation steps (if available)

• Log files and other evidence from your toolset

D is incorrect because a pen test is not designed to repair or mitigate security problems as they are discovered. The point of a pen test is to identify these potential security shortcomings so the organization can make a determination on repair or mitigation: There may be an acceptable level of risk versus the cost to fix for certain findings that the customer is perfectly comfortable with. Something that may seem to you, the pen tester, as a glaring security hole dooming the organization to certain virtual death simply may not matter to the client—no matter how clearly and forcefully you try to stress that point.

2. A team is starting a security assessment and has been provided a system on an internal subnet. No other previous knowledge of any pertinent information has been given. Which of the following best describes the type of test the team will be performing?

A. Internal, white box

B. Internal, black box

C. External, white box

D. External, black box

B. EC-Council defines two types of penetration tests: external and internal. An external assessment analyzes publicly available information and conducts network scanning, enumeration, and testing from the network perimeter—usually from the Internet. An internal assessment, as you might imagine, is performed from within the organization, from various network access points. On your exam, just as it is here, this pure definition term may be combined with the white-, gray-, and black-box testing terms you’re already familiar with.

A is incorrect because although the test is indeed internal, it is not a white-box test—where the team would be provided with all knowledge of the inner workings of the system.

C and D are incorrect because this is not an external test.

3. Which of the following provide automated pen test–like results for an organization? (Choose all that apply.)

A. Metasploit

B. Nessus

C. Core Impact

D. CANVAS

E. SAINT

F. GFI Languard

A, C, and D. Automated tool suites for pen testing can be viewed by the client’s management as a means to save time and money, but (in my opinion, at least) these tools do not provide the same quality of results as a test performed by security professionals. Automated tools can provide a lot of genuinely good information but are also susceptible to false positives and false negatives and don’t necessarily care what your agreed-upon scope says is your stopping point. Metasploit has a free, open source version and an insanely expensive “Pro” version for developing and executing exploit code against a remote target machine. Metasploit offers an autopwn module that can automate the exploitation phase of a penetration test.

Core Impact is probably the best-known, all-inclusive automated testing framework. From its website (www.coresecurity.com/content/core-impact-overview), Core Impact “takes security testing to the next level by safely replicating a broad range of threats to the organization’s sensitive data and mission-critical infrastructure—providing extensive visibility into the cause, effect, and prevention of data breaches.” Core Impact tests everything from web applications and individual systems to network devices and wireless.

Per the Immunity Security website (www.immunitysec.com), CANVAS “makes available hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development framework to penetration testers and security professionals.” Additionally, the company claims CANVAS’s Reference Implementation (CRI) is “the industry’s first open platform for IDS and IPS testing.”

For you real-world purists out there and for those reading this who don’t have any experience with any of this just quite yet, it’s important to note that no automated testing suite provides anything close to the results you’d gain from a real pen test. Core Impact provides a one-step automated pen test result feature (and probably offers the best result and report features), Metasploit offers autopwn, and CANVAS has a similar “run everything” mode; however, all lack the ability to provide results that a true pen test would provide. In the truest sense of “automated pen test,” you simply can’t do it in the real world. However, for your exam stick with the three listed here.

B, E, and F are incorrect for the same reason: They are all vulnerability assessment tool suites, not automated pen test frameworks. Nessus is probably the most recognizable of the three, but SAINT and GFI Languard are both still listed as top vulnerability assessment applications.

4. Which of the following best describes an assessment against a network segment that tests for existing vulnerabilities but does not attempt to exploit any of them?

A. Penetration test

B. Partial penetration test

C. Vulnerability assessment

D. Security scan

C. A vulnerability assessment is exactly what it sounds like: the search for and identification of potentially exploitable vulnerabilities on a system or network. These vulnerabilities can be poor security configurations, missing patches, or any number of other weaknesses a bad guy might exploit. The two keys to a vulnerability assessment are that the vulnerabilities are identified, not exploited, and the report is simply a snapshot in time. The organization will need to determine how often it wants to run a vulnerability assessment. Lastly, it’s important to note that there are some vulnerabilities that simply can’t be confirmed without exploiting them. For example, the act of injecting SQL statements to expose a SQL injection vulnerability may very well constitute an exploit action, but it’s the only way to prove it exists. For your exam, though, stick with no exploitation during this assessment and move on with your life.

A is incorrect because team members on a pen test not only discover vulnerabilities but also actively exploit them (within the scope of their prearranged agreement, of course).

B and D are incorrect because they are not valid terms associated with assessment types and are included as distractors.

5. A spouse of an employee illegally uses the employee’s credentials to gain access to the organization and carry out an attack. Which of the following best defines the attacker?

A. Outside affiliate

B. Outside associate

C. Insider affiliate

D. Insider associate

C. There are few truisms in life, but this is one of them: You will need to memorize certain terms that are important for the exam you are taking but probably don’t amount to a hill of Skittles in the real world (and this memorization will infuriate and frustrate you to no end). This is a prime example. In the CEH world, you can define attackers by a lot of different criteria (for example, white hat versus black hat). When it comes to these terms, you differentiate attackers by who they are in relation to the company and how they gain access.

Defining inside versus outside may seem simple, but you have to be careful. It has nothing to do with where the attack is coming from, but everything to do with the person’s relationship to the company. All company employees (including contractors) are considered “inside.” Anyone who is not an employee is considered “outside,” with one notable exception: An inside affiliate is a spouse, friend, or acquaintance of an employee who makes use of the employee’s credentials to gain access and cause havoc. It’s a tricky little differentiation that you’ll definitely see on your test somewhere. For memorization purposes, know the following:

• Insiders are employees and contractors of the organization.

• Outsiders are everyone else attempting to get in (hackers and so on).

• Affiliate deals with the credentials used in the attack: An insider affiliate is the employee’s credentials (most often used by a spouse, friend, or client), and an outsider affiliate is the use of open access (such as open wireless).

• Insider associates are contractors, janitors, and so on, who may have limited access to resources. This authorized access isn’t necessarily to IT resources, but it does allow the attacker to roam freely into and out of organization offices and buildings—which makes things such as social engineering attacks easier.

A is incorrect because an outside affiliate is someone who is not employed with the company in any way (a hacker or maybe a corporate spy) and makes use of open access to the organization’s network. For example, a corporate spy may park his car close to a building and tie in to an unsecured WAP to look for information on the network.

B is incorrect because outside associate isn’t a term EC-Council defines.

D is incorrect because an insider associate is someone who has limited access to resources, such as a guard or a contractor.

6. In which phase of a pen test is scanning performed?

A. Pre-attack

B. Attack

C. Post-attack

D. Reconnaissance

A. I know you’re sick of CEH definitions, terms, and phases of attacks, but this is another one you’ll just need to commit to memory. Per EC-Council, there are three phases of a pen test: pre-attack, attack, and post-attack. The pre-attack phase is where you’d find scanning and other reconnaissance (competitive intelligence, website crawling, and so on).

B is incorrect because scanning is completed in the pre-attack phase. The attack phase holds four areas of work: penetrate the perimeter, acquire targets, execute attack, and escalate privileges.

C is incorrect because scanning is completed long before the post-attack phase. Actions accomplished in post-attack include removing all uploaded files and tools, restoring (if needed) to the original state, analyzing results, and preparing reports for the customer.

D is incorrect because reconnaissance is not a phase of pen testing.

7. An organization wants a security test but is concerned about time and cost. Which of the following tests is generally faster and costs less than a manual pen test?

A. Automatic

B. Internal

C. Black box

D. External

A. Automated tests—using tools such as CANVAS and Core Impact—are generally faster and cheaper than manual pen testing, which involves a professional team and a predefined scope/agreement. These automated tests are more susceptible to false positives and false negatives. Perhaps more importantly, though, they also don’t necessarily care about any scope or test boundary. With a manual pen test, you have a predetermined scope and agreement in place. With an automated tool, you risk it running past the boundary of your test. While setting the software to stay within a predetermined IP subnet range is easy enough, boundaries don’t always follow those clear-cut guidelines in the real world. Additionally, automated pen tests suffer the same flaw as most virus scanners: They rarely find anything a real hacker would use. Automated tools are dependent on the same signature-based mind-set of most antivirus software, so if you really want to know whether your custom application, your complex architecture, your websites, and your users are vulnerable, you should hire a professional.

B is incorrect because this definition doesn’t match an internal test. Internal testing is performed from inside the organization’s network boundary. Internal testing can be announced (IT staff know it’s going on) or unannounced (IT staff is kept in the dark and only management knows the test is being performed).

C is incorrect because black box doesn’t necessarily have anything to do with cost. It generally takes longer than, say, white-box testing, but it doesn’t fit this question.

D is incorrect because this definition doesn’t match external testing. External testing is all about publicly available information and attempts to enumerate targets and other goodies from outside the network boundary.

8. Which of the following best defines an attack against the organization by an internal user?

A. External, black box

B. Internal, gray box

C. Internal, announced

D. External, white box

B. I understand some of you are going to try arguing semantics with me on this one, but trust me, the “best” designator in this question covers me here. Most employees are going to have at least some idea of internal networks or operations within the company—even if it’s just the domain to log into, password policy, or lockout policy. The internal gray-box test best describes this: an attack inside the network by someone who has some information or knowledge about the network and resources being attacked. As an aside, these insider attacks may very well be the work of the “disgruntled employee,” whom EC-Council has dubbed as the most dangerous threat to an organization’s security.

A is incorrect because a disgruntled employee would not need to perform an external test—much less a black-box (no knowledge) one. Is it possible a disgruntled employee wouldn’t take advantage of his internal knowledge? Is it possible he would ignore the built-in advantage of already being on the network and having login credentials there? Sure, it is—it’s just not likely.

C is incorrect because the attack most certainly will not be announced (that is, the IT security staff is notified it is being conducted). It’s highly unlikely the disgruntled employee will want to assist the IT security team in noting and patching security problems within the network.

D is incorrect but just barely so. It is possible that this particular employee has all the knowledge of the network segment he’s attacking. And it’s plausible he may even decide to run an attack externally. However, ignoring the advantage of being inside the network to launch an attack—even if it’s simply to set up a listening port to be used from a remote location—is highly unlikely. This choice simply isn’t the best description of the disgruntled employee attack.

9. Brad is part of an environmental group protesting SomeBiz, Inc., for the company’s stance on a variety of issues. Frustrated by the failure of multiple attempts to raise awareness of his cause, Brad launches sophisticated web defacement and denial-of-service attacks against the company, without attempting to hide the attack source and with no regard to being caught. Which of the following terms best defines Brad?

A. Hacktivism

B. Ethical hacker

C. Script kiddie

D. Suicide hacker

D. This is another definition term from EC-Council you’ll see on your exam. And, much like in this question, you’ll almost always see it paired with “hacktivism” as an answer. A suicide hacker is an attacker who is so wrapped up in promoting their cause they do not care about the consequences of their actions. If defacing a website or blowing up a company server results in 30 years of prison time, so be it—as long as the cause has been promoted. In some instances (I’ve seen this in practice test exams before), the suicide hacker even wants to be caught to serve as a martyr for the cause.

A is incorrect because hacktivism refers to the act, not the attacker. Hacktivism is the act of hacking for a cause, but those participating may very well want to avoid jail time. Suicide hackers don’t care.

B is incorrect for obvious reasons. As a matter of fact, if you chose this answer, stop right now and go back to page 1—you need to start the whole thing over again. An ethical hacker is employed as part of a team of security professionals and works under strict guidelines and agreed-upon scope.

C is incorrect because a script kiddie is a point-and-shoot type of “hacker” who simply pulls information off the Internet and fires away.

10. A security team has been hired by upper management to assess the organization’s security. The assessment is designed to emulate an Internet hacker and to test the behavior of the security devices and policies in place as well as the IT security staff. Which of the following best describe this test? (Choose all that apply.)

A. Internal

B. External

C. Announced

D. Unannounced

B and D. An external test is designed to mirror steps a hacker might take from outside the company perimeter. The team will start, of course, with publicly available information and ratchet up attempts from there. Because the question states it’s testing security devices, policies, and the IT staff, the indication is this is an unannounced test. After all, if the IT staff knew the attack was going to occur in advance, it wouldn’t be a true test of their ability to detect and react to an actual, real attack.

A and C are incorrect because this attack is not internal to the organization’s network perimeter, nor has it been announced to the IT staff.

11. In which phase of a pen test will the team penetrate the perimeter and acquire targets?

A. Pre-attack

B. Attack

C. Post-attack

D. None of the above

B. EC-Council splits a pen test into three phases: pre-attack, attack, and post-attack. In the attack phase, the team will attempt to penetrate the network perimeter, acquire targets, execute attacks, and elevate privileges. Getting past the perimeter might take into account things such as verifying ACLs by crafting packets as well as checking the use of any covert tunnels inside the organization. Attacks such as XSS, buffer overflows, and SQL injections will be used on web-facing applications and sites. After acquiring specific targets, password cracking, privilege escalation, and a host of other attacks will be carried out.

A is incorrect because these actions do not occur in the pre-attack phase. Per EC-Council, pre-attack includes planning, reconnaissance, scanning, and gathering competitive intelligence.

C is incorrect because these actions do not occur in the post-attack phase. Per EC-Council, post-attack includes removing all files, uploaded tools, registry entries, and other items installed during testing from the targets. Additionally, your analysis of findings and creation of the pen test report will occur here.

D is incorrect because there is an answer for the question listed.

12. Which of the following test types presents a higher probability of encountering problems and takes the most amount of time?

A. Black box

B. Gray box

C. White box

D. Internal

A. Tests can be internal or external, can be announced or unannounced, and can be classified by the knowledge the team has before the test occurs. A black-box test, whether internal or external, is designed to simulate a hacker’s attempts at gaining entry into the organization. Obviously this usually starts as an external test but can become internal as time progresses (depending on the pen test team’s scope and agreement). Because it’s a test with no prior knowledge to simulate that true outsider threat, black-box testing provides more opportunity for problems along the way and takes the most time. External, black-box testing takes the longest because the tester has to plan higher-risk activities.

Lastly (and a fun little nugget added by our renowned tech editor), in the real world the attacker has to figure out what is important to the target. What actions would damage or cause harm to the target? Where are critical files, folders, data, and other resources held? It’s targeted reconnaissance and prepares your “battlespace” for attack.

B and C are incorrect for the same reason: In both cases, the information provided to the team greatly reduces the amount of time and effort needed to gain entry.

D is incorrect because there is no reference in the question to where this attack is actually taking place. As an aside, an internal test, where the team is given a network access point inside the network to start with, should obviously provide a leg up in both time and effort compared to an external one.

13. Which of the following best describes the difference between a professional pen test team member and a hacker?

A. Ethical hackers are paid for their time.

B. Ethical hackers never exploit vulnerabilities; they only point out their existence.

C. Ethical hackers do not use the same tools and actions as hackers.

D. Ethical hackers hold a predefined scope and agreement from the system owner.

D. This one is a blast from the book’s past and will pop up a couple of times on your exam. The only true difference between a professional pen test team member (an ethical hacker) and the hackers of the world is the existence of the formally approved, agreed-upon scope and contract before any attacks begin.

A is incorrect because although professional ethical hackers are paid for their efforts during the pen test, it’s not necessarily a delineation between the two (ethical and nonethical). Some hackers may be paid for a variety of illicit activities. For one example, maybe a company wants to cause harm to a competitor, so they hire a hacker to perform attacks.

B and C are incorrect for the same reason. If a pen test team member never exploited an opportunity and refused to use the same tools and techniques that the hackers of the world have at their collective fingertips, what would be the point of an assessment? A pen test is designed to show true security weaknesses and flaws, and the only way to do that is to attack it just as a hacker would.

14. Sally is part of a penetration test team and is starting a test. The client has provided a network drop on one of their subnets for Sally to launch her attacks from. However, they did not provide any authentication information, network diagrams, or other notable data concerning the systems. Which type of test is Sally performing?

A. External, white box

B. External, black box

C. Internal, white box

D. Internal, black box

D. Sally was provided a network drop inside the organization’s network, so we know it’s an internal test. Additionally, no information of any sort was provided—from what we can gather, she knows nothing of the inner workings, logins, network design, and so on. Therefore, this is a black-box test—an internal black-box test.

A and B are incorrect because this is an internal test, not an external one.

C is incorrect because a white-box test would have included all the information Sally wanted about the network—designed to simulate a disgruntled internal network or system administrator.

15. Joe is part of a pen test team that has been hired by AnyBiz to perform testing under a contract. As part of the defined scope and activities, no IT employees within AnyBiz know about the test. After some initial information gathering, Joe strikes up a conversation with an employee in the cafeteria and steals the employee’s access badge. Joe then uses this badge to gain entry to secured areas of AnyBiz’s office space. Which of the following best defines Joe in this scenario?

A. Outside affiliate

B. Outside associate

C. Insider affiliate

D. Insider associate

C. You had to know I would check to see whether you’re paying attention, right? Otherwise, there would be no explanation for asking nearly the same question twice within one chapter, unless, of course, I was trying to make a point about how important these definitions are. Remember, an insider affiliate is someone—a spouse, friend, or acquaintance—who uses the employee’s access credentials to further their attack.

A is incorrect because an outside affiliate is someone who is not employed with the company who makes use of open access (such as unsecured wireless) to the organization’s network.

B is incorrect because “outside associate” isn’t a term within CEH study.

D is incorrect because an insider associate is a member of the organization—such as a guard or a subcontractor—who has limited access to resources.

16. In which phase of a penetration test would you compile a list of vulnerabilities found?

A. Pre-attack

B. Attack

C. Post-attack

D. Reconciliation

C. This is another simple definition question you’re sure to see covered on the exam. You compile the results of all testing in the post-attack phase of a pen test so you can create and deliver the final report to the customer.

A and B are incorrect because this action does not occur in the pre-attack or attack phase.

D is incorrect because reconciliation is not a phase of a pen test as defined by EC-Council.

17. Which of the following has a database containing thousands of signatures used to detect vulnerabilities in multiple operating systems?

A. Nessus

B. Hping

C. LOIC

D. SNMPUtil

A. Nessus is probably the best-known, most-utilized vulnerability assessment tool on the planet—even though it’s not necessarily free anymore. Nessus works on a server-client basis and provides “plug-ins” to test everything from Cisco devices, Mac OS, and Windows machines to SCADA devices, SNMP, and VMware ESX (you can find a list of plug-in families here: www.tenable.com/plugins/index.php?view=all). It’s part of virtually every security team’s portfolio, and you should definitely spend some time learning how to use it.

As an aside—not necessarily because it has anything to do with your test but because I am all about informing you to become a good pen tester—Openvas (www.openvas.org) is the open source community’s attempt to have a free vulnerability scanner. Nessus was a free scanner for the longest time. However, once purchased by Tenable Network Security, it, for lack of a better term, angered a lot of people in the security community because it became a for-profit entity instead of a for-security one. Don’t get me wrong—Nessus is outstanding in what it does; it just costs you money. Openvas is attempting to do the same thing for free because the community wants security over profit.

Just keep in mind that most vulnerabilities that are actually capable of causing harm to your systems probably won’t be found by any scanner. The recent Heartbleed vulnerability, taking advantage of an SSL issue, was a prime example: scanners simply can’t find vulnerabilities we don’t already know about.

B is incorrect because Hping is not a vulnerability assessment tool. Per Hping’s website (www.hping.org), it is “a command-line-oriented TCP/IP packet assembler/analyzer” used to test firewalls, to fingerprint operating systems, and even to perform man-in-the-middle (MITM) attacks.

C is incorrect because Low Orbit Ion Cannon (LOIC) is a distributed interface denial-of-service tool. It’s open source and can be used, supposedly legitimately, to test “network stress levels.”

D is incorrect because SNMPUtil is an SNMP security verification and assessment tool.

18. Cleaning registry entries and removing uploaded files and tools are part of which phase of a pen test?

A. Covering tracks

B. Pre-attack

C. Attack

D. Post-attack

D. Cleaning up all your efforts occurs in the post-attack phase, alongside analyzing the findings and generating the final report. The goal is to put things back exactly how they were before the assessment.

A is incorrect because covering tracks is part of the phases defining a hacking attack, not a phase of a pen test.

B and C are incorrect because these steps do not occur in the pre-attack or attack phase.

19. Jake, an employee of AnyBiz, Inc., parks his vehicle outside the corporate offices of SomeBiz, Inc. He turns on a laptop and connects to an open wireless access point internal to SomeBiz’s network. Which of the following best defines Jake?

A. Outside affiliate

B. Outside associate

C. Insider affiliate

D. Insider associate

A. Here we are again, back at a pure memorization question you’re sure to see on your exam. EC-Council defines four types of attackers in this scenario: a pure insider (easy enough to figure out), an insider associate, an insider affiliate, and an outside affiliate. In this example, Jake best fits outside affiliate. He is a nontrusted outsider: He’s not an employee or employed contractor, and he’s not using credentials stolen from one. His access is from an unsecured, open access point (usually wireless but doesn’t have to be).

B is incorrect because EC-Council does not define an outside associate.

C is incorrect because an insider affiliate is someone who does not have actual, authorized, direct access to the company’s network, but they use credentials they’ve stolen from a pure insider to gain entry and launch attacks.

D is incorrect because an insider associate is defined as someone who has limited access (to the network or to the facility itself) and uses that access to elevate privileges and launch attacks. The most common examples of this you’ll see are subcontractors, janitors, and guards.

20. Which of the following are true regarding a pen test? (Choose all that apply.)

A. Pen tests do not include social engineering.

B. Pen tests may include unannounced attacks against the network.

C. During a pen test, the security professionals can carry out any attack they choose.

D. Pen tests always have a scope.

E. A list of all personnel involved in the test is not included in the final report.

B and D. Pen tests are carried out by security professionals who are bound by a specific scope and rules of engagement, which must be carefully crafted, reviewed, and agreed on before the assessment begins. This agreement can allow for unannounced testing, should upper management of the organization decide to test their IT security staff’s reaction times and methods.

A, C, and E are incorrect because these are false statements concerning a pen test. Unless expressly forbidden in the scope agreement, social engineering is a big part of any true pen test. The scope agreement usually defines how far a pen tester can go—for example, no intentional denial-of-service attacks and so on. Clients are provided a list of discovered vulnerabilities after the test, even if the team did not exploit them: There’s not always time to crack into every security flaw during an assessment, but that’s no reason to hide it from the customer. Lastly, the final report includes a list of all personnel taking part in the test.

21. Which of the following causes a potential security breach?

A. Vulnerability

B. Threat

C. Exploit

D. Zero day

B. A threat is something that could potentially take advantage of an existing vulnerability. Threats can be intentional, accidental, human, or even an “act of God.” A hacker is a threat to take advantage of an open port on a system and/or poor password policy. A thunderstorm is a threat to exploit a tear in the roof, leaking down to your systems. Heck, a rhinoceros is a threat to bust down the door and destroy all the equipment in the room. Whether those threats have intent, are viable, and are willing/able to take up the vulnerability is a matter for risk assessment to decide; they’ll probably beef up password policy and fix the roof, but I doubt much will be done on the rhino front.

A is incorrect because a vulnerability is a weakness in security. A vulnerability may or may not necessarily be a problem. For example, your system may have horribly weak password policy or even a missing security patch, but if it’s never on the network and is locked in a guarded room accessible by only three people who must navigate a biometric system to even open the door, the existence of those vulnerabilities is moot.

C is incorrect because an exploit is what is or actually can be done by a threat agent to utilize the vulnerability. Exploits can be local or remote, a piece of software, a series of commands, or anything that actually uses the vulnerability to gain access to, or otherwise affect, the target.

D is incorrect because a zero-day exploit is simply an exploit that most of us don’t really know much about at the time of its use. For instance, a couple years back some bad guys discovered a flaw in Adobe Reader and developed an exploit for it. From the time the exploit was created to the time Adobe finally recognized its existence and built a fix action to mitigate against it, the exploit was referred to as zero day.

22. Which Metasploit payload type operates via DLL injection and is difficult for antivirus software to pick up?

A. Inline

B. Meterpreter

C. Staged

D. Remote

B. For those of you panicking over this question, relax. You do not have to know all the inner workings of Metasploit, but it does appear enough—in the variety of study materials available for the version 7 exam—that EC-Council wants you to know some basics, and this question falls in that category. There are a bunch of different payload types within Metasploit, and meterpreter (short for meta-interpreter) is one of them. The following is from Metasploit’s website: “Meterpreter is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard anti-virus detection.”

A is incorrect because inline payloads are single payloads that contain the full exploit and shell code for the designed task. They may be more stable than other payloads, but they’re easier to detect and, because of their size, may not be viable for many attacks.

C is incorrect because staged payloads establish a connection between the attacking machine and the victim. They then will read in a payload to execute on the remote machine.

D is incorrect because remote isn’t a recognized payload type.

23. Metasploit is a framework allowing for the development and execution of exploit code against a remote host and is designed for use in pen testing. The framework consists of several libraries, each performing a specific task and set of functions. Which library is considered the most fundamental component of the Metasploit framework?

A. MSF Core

B. MSF Base

C. MSF Interfaces

D. Rex

D. Once again, this is another one of those weird questions you may see (involving any of the framework components) on your exam. It’s included here so you’re not caught off guard in the actual exam room and freak out over not hearing it before. Don’t worry about learning all the nuances of Metasploit and its architecture before the exam—just concentrate on memorizing the basics of the framework (key words for each area will assist with this), and you’ll be fine.

Metasploit, as you know, is an open source framework allowing all sorts of automated (point-and-shoot) pen test methods. The framework is designed in a modular fashion, with each library and component responsible for its own function. The following is from Metasploit’s development guide (http://dev.metasploit.com/redmine/projects/framework/wiki/DeveloperGuide#12-Design-and-Architecture): “The most fundamental piece of the architecture is the Rex library, which is short for the Ruby Extension Library. Some of the components provided by Rex include a wrapper socket subsystem, implementations of protocol clients and servers, a logging subsystem, exploitation utility classes, and a number of other useful classes.” Rex provides critical services to the entire framework.

A is incorrect because the MSF Core “is responsible for implementing all of the required interfaces that allow for interacting with exploit modules, sessions, and plugins.” It interfaces directly with Rex.

B is incorrect because the MSF Base “is designed to provide simpler wrapper routines for dealing with the framework core as well as providing utility classes for dealing with different aspects of the framework, such as serializing module state to different output formats.” The Base is an extension of the Core.

C is incorrect because the MSF Interfaces are the means by which you (the user) interact with the framework. Interfaces for Metasploit include Console, CLI, Web, and GUI.

24. EC-Council defines six stages of scanning methodology. Which of the following correctly lists the six steps?

A. Scan for vulnerabilities, check for live systems, check for open ports, perform banner grabbing, draw network diagrams, prepare proxies

B. Perform banner grabbing, check for live systems, check for open ports, scan for vulnerabilities, draw network diagrams, prepare proxies

C. Check for live systems, check for open ports, perform banner grabbing, scan for vulnerabilities, draw network diagrams, prepare proxies

D. Prepare proxies, check for live systems, check for open ports, perform banner grabbing, scan for vulnerabilities, draw network diagrams

C. I can hear the complaints now: “You mean to tell me I have yet another list of steps to remember? Another methodology I’ve got to commit to memory?” Unfortunately, the answer to that question is yes, Dear Reader. I would apologize, but you’re probably used to at least a little bit of CEH madness by now.

EC-Council defines the process of scanning by splitting it into six steps. First, you determine which hosts are alive on the network, followed by a check to see which ports they may have open. Next, a little banner grabbing will help in identifying operating systems and such. In step 4, you’ll turn your attention to vulnerabilities that may be present on these systems. Next (and the step I, personally, find humorous to be involved in this particular methodology), you’ll put all this together in a neat little network drawing for future reference. Lastly (in another step I find to be a weird addition), you’ll start preparing proxies from which you will launch attacks later.

These six steps are outlined in EC-Council’s official study preparation for the exam. Get to know them because you’ll see a question like this somewhere on your exam.

A, B, and D are all incorrect because they do not list the correct steps in order.

25. Which of the following may be effective countermeasures against an inside attacker? (Choose all that apply.)

A. Enforce elevated privilege control.

B. Secure all dumpsters and shred collection boxes.

C. Enforce good physical security practice and policy.

D. Perform background checks on all employees.

A, B, C, and D. All of the answers are correct. Admittedly there’s nothing you can really do to completely prevent an inside attack. There’s simply no way to ensure every single employee is going to remain happy and satisfied, just as there’s no way to tell when somebody might just up and decide to turn to crime. It happens all the time, in and out of Corporate America, so the best you can do is, of course, the best you can do.

Enforcing elevated privilege control (that is, ensuring users have only the amount of access, rights, and privileges to get their job done, and no more) seems like a commonsense thing, but it’s amazing how many enterprise networks simply ignore this, and a disgruntled employee with administrator rights on his machine can certainly do more damage than one with just plain user rights. Securing dumpsters and practicing good physical security should help protect against an insider who wants to come back after hours and snoop around. And background checks on employees, although by no means a silver bullet in this situation, can certainly help to ensure you’re hiring the right people in the first place (in many companies a background check is a requirement of law). Other steps include, but are not limited to, the following:

• Monitoring user network behavior

• Monitoring user computer behavior

• Disabling remote access

• Disabling removable drive use on all systems (USB drives and so on)

• Shredding all discarded paperwork

• Conducting user education and training programs

26. The IP address 132.58.90.55/20 is given for a machine your team is to test. Which of the following represents an address within the same subnet?

A. 132.58.88.254

B. 132.58.96.20

C. 132.58.254.90

D. 132.58.55.90

A. Truth being told here, you will not see many subnetting questions on your exam. As a matter of fact, many of you won’t have to do any math on your exam at all. But some of you will see it, and all of you had better know it before entering the workplace. Subnetting can be a gigantic pain, but once you’re used to seeing it, the process gets easier and easier. There are hundreds of different tips and tricks to make it all easier and quicker for you, but the best and most foolproof way to handle it is to break it all down to bits and do some good old math.

In this case, the subnet is /20, meaning the first 20 bits of the address belong to the network, and the remaining 12 bits constitute hosts in that network. If you break down the address from decimal to binary, 132.58.90.55 equates to the following:

10000100.00111010.01011010.00110111

The first 20 bits of this equate to 10000100.00111010.0101xxxx.xxxxxxxx (where x represents a host bit), and breaking this down to decimal shows us that everything from 132.58.80.1 through 132.58.95.254 would be a valid host within this subnet.

B, C, and D are all incorrect because they do not fit the subnet. When you look at the third octet of each address in bits, none of them matches the four fixed network bits of the mask. The first four bits of 96 (0110), 254 (1111), and 55 (0011) do not match the 0101 that begins the third octet of the given address.
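The "break it down to bits" method from the explanation above, carried out in code as an added example (not from the book): it renders an address in binary, derives the network, first-host and last-host addresses from the prefix length by masking, and tests each answer choice against the /20 the question gives. The final function cross-checks the hand-rolled bit math against Python's standard ipaddress module.

```python
import ipaddress

def to_bits(addr: str) -> str:
    """Render a dotted-quad IPv4 address as four 8-bit groups, e.g. 10000100.00111010.01011010.00110111."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {addr}")
    return ".".join(f"{o:08b}" for o in octets)

def to_int(addr: str) -> int:
    """Pack a dotted quad into a 32-bit integer so we can mask it."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_str(value: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_mask(prefix: int) -> int:
    """Build the 32-bit mask for a /prefix: the first `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def network_range(cidr: str) -> tuple[str, str, str]:
    """Return (network, first usable host, last usable host) for a CIDR like 132.58.90.55/20.

    Usable-host arithmetic assumes a prefix of /30 or shorter; /31 and /32 have no
    separate network/broadcast addresses and are rejected here for simplicity.
    """
    addr, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    if prefix > 30:
        raise ValueError("usable-host range is only defined here for /30 and shorter")
    mask = prefix_mask(prefix)
    network = to_int(addr) & mask              # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits all set
    return to_str(network), to_str(network + 1), to_str(broadcast - 1)

def same_subnet(cidr: str, candidate: str) -> bool:
    """True when `candidate` shares the network bits of the address/prefix in `cidr`."""
    addr, prefix_text = cidr.split("/")
    mask = prefix_mask(int(prefix_text))
    return (to_int(addr) & mask) == (to_int(candidate) & mask)

def check_choices(cidr: str, choices: dict[str, str]) -> dict[str, bool]:
    """Evaluate each lettered answer choice and confirm the bit math against ipaddress."""
    net = ipaddress.ip_network(cidr, strict=False)
    results = {}
    for letter, candidate in choices.items():
        manual = same_subnet(cidr, candidate)
        library = ipaddress.ip_address(candidate) in net
        if manual != library:
            raise AssertionError(f"bit math disagrees with ipaddress for {candidate}")
        results[letter] = manual
    return results

# The address and answer choices from question 26 above.
QUESTION_26 = "132.58.90.55/20"
CHOICES_26 = {"A": "132.58.88.254", "B": "132.58.96.20", "C": "132.58.254.90", "D": "132.58.55.90"}

if __name__ == "__main__":
    print("target  :", to_bits("132.58.90.55"))
    print("range   :", network_range(QUESTION_26))
    for letter, candidate in CHOICES_26.items():
        mark = "in subnet" if same_subnet(QUESTION_26, candidate) else "outside"
        print(f"{letter}. {candidate:<14} {to_bits(candidate)}  {mark}")
```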