Pre-assessment Test - CEH Certified Ethical Hacker Practice Exams Second Edition (2014)


Pre-assessment Test

This pre-assessment test is designed to help you prepare to study for the CEH Certified Ethical Hacker examination. You should take this test to identify the areas where you should focus your study and preparation.

The pre-assessment test includes 55 questions that are similar in style and format to the questions on the exam. As you prepare to take this test, try to simulate the actual exam conditions as closely as possible. Go to a quiet place and be sure that you will not be interrupted for the full length of time it will take to complete the test. You should give yourself one hour and 45 minutes. Do not use any reference materials or other assistance while taking the pre-assessment—remember, the idea is to help you determine what areas you need to focus on during your preparation for the actual exam.

The pre-assessment test contains questions divided in proportion to the CEH exam. Here is a breakdown of the exam content:

[image: table of exam content breakdown]

Complete the entire pre-assessment test before checking your results. Once you have finished, use both the “Quick Answer Key” and the “Answers” sections to score your test. Use the table in the “Analyzing Your Results” section to determine how well you performed. The objective map at the end of the appendix will help you identify those areas that require the most attention while you prepare for the exam.

Are you ready? Set your clock for one hour and 45 minutes and begin!

Questions

1. A vendor is alerted of a newly discovered flaw in its software that presents a major vulnerability to systems. While working to prepare a fix action, the vendor releases a notice alerting the community of the discovered flaw and providing best practices to follow until the patch is available. Which of the following best describes the discovered flaw?

A. Input validation flaw

B. Shrink-wrap vulnerability

C. Insider vulnerability

D. Zero-day

2. A security professional applies encryption methods to communication channels. Which security control role is she attempting to meet?

A. Preventive

B. Detective

C. Defensive

D. Corrective

3. Which of the following comes after scanning in the CEH methodology for testing a system?

A. Gaining access

B. Reconnaissance

C. Maintaining access

D. Covering tracks

4. An organization allows the data owner to set security permissions on an object. Which access control mechanism is in place?

A. Mandatory access control

B. Role-based access control

C. Discretionary access control

D. Authorized access control

5. Which of the following is true regarding MX records?

A. MX records require an accompanying CNAME record.

B. MX records point to name servers.

C. MX record priority increases as the preference number decreases.

D. MX record entries are required for every namespace.

6. From the partial e-mail header provided, which of the following represents the true originator of the e-mail message?

[image: partial e-mail header]

A. The originator is 185.213.4.77.

B. The originator is 177.190.50.254.

C. The originator is 229.88.53.154.

D. The e-mail header does not show this information.

7. What is the primary service of the U.S. Computer Security Incident Response Team (CSIRT)?

A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide.

B. CSIRT provides computer security surveillance to governments, supplying important intelligence information on individuals traveling abroad.

C. CSIRT provides pen testing services to individuals and multinational corporations.

D. CSIRT provides vulnerability assessment services to law enforcement agencies.

8. Which Google operator is the best choice in searching for a particular string in the website’s title?

A. intext:

B. inurl:

C. site:

D. intitle:

9. An ethical hacker begins by visiting the target’s website and then peruses social networking sites and job boards looking for information and building a profile on the organization. Which of the following best describes this effort?

A. Active footprinting

B. Passive footprinting

C. Internet footprinting

D. Sniffing

10. Which of the following methods correctly performs banner grabbing with Telnet on a Windows system?

A. telnet <IPAddress> 80

B. telnet 80 <IPAddress>

C. telnet <IPAddress> 80 -u

D. telnet 80 <IPAddress> -u

11. You are examining results of a SYN scan. A port returns a RST/ACK. What does this mean?

A. The port is open.

B. The port is closed.

C. The port is filtered.

D. Information about this port cannot be gathered.

12. Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?

A. URG

B. PSH

C. RST

D. BUF

13. You want to run a reliable scan but remain as stealthy as possible. Which of the following Nmap commands accomplishes your goal best?

A. nmap –sN targetIPaddress

B. nmap –sO targetIPaddress

C. nmap –sS targetIPaddress

D. nmap –sT targetIPaddress

14. As your IDLE scan moves along, you notice that fragment identification numbers gleaned from the zombie machine are incrementing randomly. What does this mean?

A. Your IDLE scan results will not be useful to you.

B. The zombie system is a honeypot.

C. There is a misbehaving firewall between you and the zombie machine.

D. This is an expected result during an IDLE scan.

15. What step immediately follows banner grabbing in EC-Council’s scanning methodology?

A. Check for live systems

B. Check for open ports

C. Scan for vulnerabilities

D. Draw network diagrams

E. Prepare proxies

16. Which of the following correctly describes the TCP three-way handshake?

A. SYN, ACK, SYN/ACK

B. SYN, SYN/ACK, ACK

C. ACK, SYN, ACK/SYN

D. ACK, ACK/SYN, SYN

17. The loopback address represents the local host and in IPv4 was represented by 127.0.0.1. What is the loopback address in IPv6?

A. fe80::/10

B. fc00::/7

C. fec0::/10

D. ::1

18. Angie captures traffic using Wireshark. Which filter should she apply to see only packets sent from 220.99.88.77?

A. ip = 220.99.88.77

B. ip.src == 220.99.88.77

C. ip.equals 220.99.88.77

D. ip.addr == 220.99.88.77

19. Given the following Wireshark filter, what is the attacker attempting to view?

[image: Wireshark filter]

A. SYN, SYN/ACK, ACK

B. SYN, FIN, URG, and PSH

C. ACK, ACK, SYN, URG

D. SYN/ACK only

20. An ACK scan from an external location produces responses from machines inside the target network. Which of the following best describes the circumstances?

A. The IDS is not functioning for the DMZ subnet.

B. The systems are Unix machines.

C. The systems are Windows based.

D. The external firewall is not performing stateful inspection.

21. A pen tester connects a laptop to a switch port and enables promiscuous mode on the NIC. He then turns on Wireshark and leaves for the day, hoping to catch interesting traffic over the next few hours. Which of the following is true regarding this scenario? (Choose all that apply.)

A. The packet capture will provide the MAC addresses of other machines connected to the switch.

B. The packet capture will provide only the MAC addresses of the laptop and the default gateway.

C. The packet capture will display all traffic intended for the laptop.

D. The packet capture will display all traffic intended for the default gateway.

22. Which of the following protocols are considered susceptible to sniffing? (Choose all that apply.)

A. FTP

B. IMAP

C. Telnet

D. POP

E. SMTP

F. SSH

23. What does the following Snort rule accomplish?

[image: Snort rule]

A. The rule logs any Telnet attempt over port 23 to any internal client.

B. The rule logs any Telnet attempt over port 23 leaving the internal network.

C. The rule alerts the monitor of any Telnet attempt to an internal client.

D. The rule alerts the monitor of any Telnet attempt leaving the internal network.

24. Where is the SAM file found on a Windows 7 machine?

A. C:\windows\config

B. C:\windows\system32

C. C:\windows\system32\etc

D. C:\windows\system32\config

25. Which of the following commands would be useful in adjusting settings on the built-in firewall on a Windows machine?

A. The netstat command

B. The netsh command

C. The sc command

D. The ntfw command

26. Which password cracking method usually takes the most time and uses the most resources?

A. Hybrid

B. Dictionary

C. Brute force

D. Bot-net

27. Which SID indicates the true administrator account on the Windows machine?

A. S-1-5-31-1045337334-12924807993-5683276715-1500

B. S-1-5-31-1045337334-12924807993-5683276715-1001

C. S-1-5-31-1045337334-12924807993-5683276715-501

D. S-1-5-31-1045337334-12924807993-5683276715-500

28. Which of the following keyloggers provides the greatest risk because it cannot be detected by antivirus software?

A. Polymorphic

B. Heuristic

C. Hardware

D. Software

29. Which of the following is true regarding LM hashes?

A. If the left side of the hash begins with 1404EE, the password is less than eight characters.

B. If the right side of the hash ends with 1404EE, the password is less than eight characters.

C. There is no way to tell whether passwords are less than eight characters because hashes are not reversible.

D. There is no way to tell whether passwords are less than eight characters because each hash is always 32 characters long.

30. Which of the following is considered the most secure password?

A. Ireallyhateshortpasswords

B. Apassword123

C. CEHPassw)rd

D. Ap@ssw0rd123

31. The < character opens an HTML tag, while the > character closes it. In some web forms, input validation may deny these characters to protect against XSS. Which of the following represents the HTML entities used in place of these characters? (Choose two.)

A. &lt;

B. &gt;

C. &amp;

D. &reg;

E. &nbsp;

32. An attacker discovers a form on a target organization’s website. He interjects some simple JavaScript into one of the form fields, instead of the username. Which attack is he carrying out?

A. XSS

B. SQL injection

C. Buffer overflow

D. Brute force

33. An attacker enters the following into a web form: ‘ or 1=1 --. Which attack is being attempted?

A. XSS

B. Brute force

C. Parameter manipulation

D. SQL injection

34. You are discussing different web application attacks and mitigations against them. Which of the following is a proper mitigation against cross-site scripting attacks?

A. Configure strong passwords.

B. Ensure the web server is behind a firewall.

C. Ensure the web server is behind an IDS.

D. Perform input validation.

35. Which of the following describes a primary advantage for using Digest authentication over Basic authentication?

A. Digest authentication never sends a password in clear text over the network.

B. Digest authentication uses multifactor authentication.

C. In Digest authentication, the password is sent in clear text over the network but is never reused.

D. In Digest authentication, Kerberos is used to encrypt the password.

36. In HTTP, passwords can be passed in a variety of means—many of them insecure. Which of the following methods is used to encode passwords within HTTP basic access authentication?

A. MD5

B. TDM

C. FDM

D. Base64

E. DES

37. After a recent attack, log files are reviewed by the IR team to determine attack scope, success or failure, and lessons learned. Concerning the following entry:

[image: log entry]

Which of the following best describes the result of this command query?

A. The command deletes username and password fields from a table named users.

B. The command adds username and password fields to a table named users.

C. The command displays the contents of the username and password fields stored in the table named users.

D. The command will not produce any results.

38. An attacker performs reconnaissance and learns the organization’s SSID. He places an access point inside a closet, which tricks normal users into connecting, and begins redirecting them to malicious sites. Which of the following categorizes this attack?

A. Replay attack

B. Evil twin attack

C. Closet AP attack

D. WEP nap attack

39. During a pen test, the team lead decides to attempt intrusion using the organization’s BlackBerry enterprise. Which tool is used in the blackjacking attempt?

A. Aircrack

B. Kismet

C. BBProxy

D. PrismStumbler

40. Which of the following is a passive wireless discovery tool?

A. NetStumbler

B. Aircrack

C. Kismet

D. Netsniff

41. Which of the following is not true regarding SSIDs?

A. They are used to identify networks.

B. They are used to encrypt traffic on networks.

C. They can be a maximum of 32 characters.

D. Even when not broadcast, SSIDs are easily discovered.

42. Which of the following are true regarding wireless security? (Choose all that apply.)

A. WPA-2 is the best available encryption security for the system.

B. WEP is the best encryption security for the system.

C. Regardless of encryption, turning off SSID broadcast protects the system.

D. SSIDs do not provide any effective security measures for a wireless network.

43. Which command displays all connections and listening ports in numerical form?

A. netstat –an

B. netstat –a localhost –n

C. netstat –r

D. netstat –s

44. Which of the following is true regarding session hijacking?

A. The session must be hijacked before authentication.

B. The session is hijacked after authentication.

C. Strong authentication measures eliminate session hijacking concerns.

D. Session hijacking cannot be carried out against Windows 7 machines.

45. Which virus type overwrites otherwise empty areas within a file?

A. Polymorphic

B. Cavity

C. Macro

D. Boot sector

46. Which of the following is not a field within an X.509 standard certificate?

A. Version

B. Algorithm ID

C. Private key

D. Public key

E. Key usage

47. Which of the following is a common registry location for malware insertion?

A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

C. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

E. All the above

48. Which of the following is a symmetric cryptographic standard?

A. AES

B. PKI

C. RSA

D. 3DES

49. Which of the following could be a potentially effective countermeasure against social engineering?

A. User education and training

B. Strong security policy and procedure

C. Clear operational guidelines

D. Proper classification of information and individuals’ access to that information

E. All of the above

50. Which of the following represents the highest risk to an organization?

A. Black hat

B. Gray hat

C. White hat

D. Disgruntled employee

51. Jill receives an e-mail that appears legitimate and clicks the included link. She is taken to a malicious website that steals her login credentials. Which of the following best describes this attack?

A. Phishing

B. Javelin

C. Wiresharking

D. Bait and switch

52. Angie waits by a side door entrance and follows a group of employees inside. She has no visible badge of any kind. Which of the following best describes this action?

A. Tailgating

B. Piggybacking

C. Surfing

D. Reverse SE

53. Bill is asked to perform an assessment but is provided with no knowledge of the system other than the name of the organization. Which of the following best describes the test he will be performing?

A. White box

B. Gray box

C. Black box

D. None of the above

54. OWASP provides a testing methodology. Which of the following is provided to assist in securing web applications?

A. COBIT

B. A list of potential security flaws and mitigations to address them

C. Web application patches

D. Federally recognized security accreditation

55. Joe is an IT security consultant, specializing in social engineering. Joe has been given authority to perform any and all tests necessary to audit the company’s network security, and no employees know about his efforts. After obtaining a list of employees through company website contact pages, Joe befriends an employee of the company. Soon thereafter, Joe steals the employee’s access badge and uses it to gain unauthorized access to the organization offices. What type of insider threat would Joe be considered?

A. Insider affiliate

B. Outside affiliate

C. Inside associate

D. Pure insider

Quick Answer Key

1. D

2. A

3. A

4. C

5. C

6. C

7. A

8. D

9. B

10. A

11. B

12. B

13. C

14. A

15. B

16. B

17. D

18. B

19. A

20. D

21. A, C

22. A, B, C, D, E

23. C

24. D

25. B

26. C

27. D

28. C

29. B

30. D

31. A, B

32. A

33. D

34. D

35. A

36. D

37. C

38. B

39. C

40. C

41. B

42. A, D

43. A

44. B

45. B

46. C

47. E

48. D

49. E

50. D

51. A

52. B

53. C

54. B

55. A

Total Score: ______

Answers

1. D. Zero day means there has been no time to work on a solution. The bad thing is that the discovery by security personnel of the existing vulnerability doesn’t mean it just magically popped up—it means it’s been there without the good guy’s knowledge and could have already been exploited.

A, B, and C are incorrect. Input validation refers to verifying that a user’s entry into a form or field contains only what the form or field was designed to accept. The terms shrink-wrap vulnerability and insider vulnerability are not valid so far as your exam is concerned.

2. A. Controls fall into three categories: preventive, detective, and corrective. In this instance, encryption of data is designed to prevent unauthorized eyes from seeing it. Depending on the encryption used, this can provide for confidentiality and nonrepudiation and is most definitely preventive in nature.

B, C, and D are incorrect. Detective controls are designed to watch for security breaches and detect when they occur. Corrective controls are designed to fix things after an attack has been discovered and stopped.

3. A. The Ethical Hacking methodology laid out by EC-Council flows in five (or six) steps: reconnaissance, scanning and enumeration, gaining access, maintaining access, and covering tracks. In version 7, escalating privileges wasn’t a separate step but seems to be looked at as such in version 8. Escalating privileges lives between gaining access and maintaining access, should you be asked.

B, C, and D are incorrect. These do not match the methodology.

4. C. Discretionary access control allows the data owner, the user, to set security permissions for the object. If you’re on a Windows machine right now, you can create files and folders and then set sharing and permissions on them as you see fit.

A, B, and D are incorrect. Mandatory access control (MAC) assigns sensitivity labels to data and controls access by matching the user’s security level to the resource label. Role-based access control (RBAC) can use either discretionary access control (DAC) or MAC to get the job done. The goal is to assign a role, and any entity holding that role can perform the duties associated with it. Users are not assigned permissions directly; they acquire them through their role (or roles).

5. C. MX records have a preference number to tell the SMTP client to try (and retry) each of the relevant addresses in this list in order, until a delivery attempt succeeds. The smallest preference number has the highest priority, and any server with the smallest preference number must be tried first. If there is more than one MX record with the same preference number, all of them must be tried before moving on to lower-priority entries.

A, B, and D are incorrect. MX records do not require an alias (CNAME), they do not point to name servers, and not every namespace absolutely requires an e-mail server.

6. C is correct. On e-mail headers, you’ll most likely be asked to identify the true originator—although there are many other entries to pay attention to. The machine (person) who sent the message in the first place may be impossible to truly decipher, since in the real world attackers have proxies and whatnot to hide behind; however, we can only go off the header provided. From the bottom up (the bottom entry is the first in the line), the originator is clearly shown: “Received: from SOMEONEComputer [217.88.53.154] (helo=[SOMEONEcomputer]).”

A, B, and D are incorrect. These IPs do not represent the true originator of the message. They show e-mail servers that are passing/handling the message.
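The bottom-up reading of the Received: chain described in the answer to question 6, as an added example that is not part of the book. The header below is constructed for illustration (RFC 5737 documentation addresses, not the addresses from the question), and the code uses only the Python standard library:

```python
# Added example (not from the book): walk the Received: chain of an e-mail
# header from the bottom up, as the answer explanation describes, and report
# the IP of the first hop, which is the originator as far as the header shows.
import re
from email import message_from_string

# Constructed header. Each relay prepends its own Received: line, so the
# bottom-most line was written first and names the host that handed the
# message in.
SAMPLE_HEADER = """Received: from mx3.example.net (mx3.example.net [203.0.113.9])
\tby mail.example.com with ESMTP id A1; Mon, 1 Jan 2014 10:00:03 +0000
Received: from relay.example.org (relay.example.org [198.51.100.25])
\tby mx3.example.net with ESMTP id B2; Mon, 1 Jan 2014 10:00:02 +0000
Received: from SOMEONEComputer (unknown [192.0.2.77]) (helo=[SOMEONEcomputer])
\tby relay.example.org with SMTP id C3; Mon, 1 Jan 2014 10:00:01 +0000
From: someone@example.org
To: victim@example.com
Subject: test

body
"""

# IPv4 literal in square brackets, the form MTAs use for the connecting host.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_header: str) -> list:
    """Return the bracketed IP of every Received: line, top to bottom."""
    msg = message_from_string(raw_header)
    hops = []
    for value in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(value)
        hops.append(match.group(1) if match else "unknown")
    return hops


def originator_ip(raw_header: str) -> str:
    """The last Received: line in the header is the oldest hop: the originator."""
    return received_chain(raw_header)[-1]


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADER):
        print("hop:", hop)
    print("originator:", originator_ip(SAMPLE_HEADER))
```

Only the lines added by relays you trust are reliable; a sender can insert fake Received: lines below its own, which is why the answer explanation says the header only shows what it shows.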

7. A is correct. From its website, the Computer Security Incident Response Team (CSIRT; www.csirt.org/) “provides 24x7 Computer Security Incident Response Services to any user, company, government agency or organization. CSIRT provides a reliable and trusted single point of contact for reporting computer security incidents worldwide. CSIRT provides the means for reporting incidents and for disseminating important incident-related information.”

B, C, and D are incorrect. These statements don’t match CSIRT’s purpose.

8. D is correct. Google hacking refers to manipulating a search string with additional specific operators to search for valuable information. The intitle: operator will return websites with a particular string in their title. Website titles contain all sorts of things, from legitimate descriptions of the page or author information to a list of words useful for a search engine.

A, B, and C are incorrect. The intext: operator looks for pages that contain a specific string in the text of the page body. The inurl: operator looks for a specific string within the URL. The site: operator limits the current search to only the specified site (instead of the entire Internet).

9. B is correct. Footprinting through competitive intelligence is a passive effort because competitive intelligence is open and accessible to anyone. Passive footprinting is an effort that doesn’t usually put you at risk of discovery.

A, C, and D are incorrect. This is not active footprinting since no internal targets have been touched and there is little to no risk of discovery. Internet footprinting isn’t a legitimate term to commit to memory, and sniffing is irrelevant to this question.

10. A is correct. Telnetting to port 80 will generally pull a banner from a web server. You can telnet to any port you want to check, for that matter, and ideally pull a banner; however, port 80 just seems to be the one used on the exam the most.

B, C, and D are incorrect. These are all bad syntax for Telnet.

11. B is correct. Think about a TCP handshake—SYN, SYN/ACK, ACK—and then read this question again. Easy, right? In a SYN scan, an open port is going to respond with a SYN/ACK, and a closed one is going to respond with a RST/ACK.

A, C, and D are incorrect. The return response indicates the port is closed. An open port would respond with a SYN/ACK, and a filtered one likely wouldn’t respond at all.

12. B is correct. It really does sound like an urgent request, but the PSH flag is designed for these scenarios.

A, C, and D are incorrect. The URG flag is used to inform the receiving stack that certain data within a segment is urgent and should be prioritized (not used much by modern protocols). The RST flag forces a termination of communications (in both directions). BUF is not a TCP flag.

13. C is correct. A full-connect scan would probably be best, provided you run it slowly. However, given the choices, a half-open scan, as defined by this Nmap command line, is the best remaining option.

A, B, and D are incorrect. A null scan probably won’t provide the reliability asked for since it doesn’t work on Windows hosts at all. The –sO (operating system) scan would prove too noisy here. The full scan (–sT) would provide reliable results, but without a timing modifier to greatly slow it down, it will definitely be seen.

14. A is correct. It is absolutely essential the zombie remain idle to all other traffic during an IDLE scan. The attacker will send packets to the target with the (spoofed) source address of the zombie. If the port is open, the target will respond to the SYN packet with a SYN/ACK, but this will be sent to the zombie. The zombie system will then craft a RST packet in answer to the unsolicited SYN/ACK, and the IPID will increase. If this occurs randomly, then it’s probable your zombie is not, in fact, idle, and your results are moot.

B, C, and D are incorrect. There is not enough information here to identify the zombie machine as anything at all (much less a machine set up as a honeypot), and a firewall has nothing to do with any of this. This is also not expected behavior during an IDLE scan.

15. B is correct. In order from start to finish, the methodology is as follows: 1. Check for live systems, 2. Check for open ports, 3. Perform scanning beyond IDS, 4. Perform banner grabbing, 5. Scan for vulnerabilities, 6. Draw network diagrams, and 7. Prepare proxies.

A, C, D, and E are incorrect. These are not the steps immediately following banner grabbing.

16. B is correct. This is bedrock knowledge you should already have memorized from networking 101 classes. TCP starts a communication with a synchronize packet (with the SYN flag set). The recipient acknowledges this by sending both the SYN and ACK flags. Finally, the originator acknowledges communications can begin with an ACK packet.

A, C, and D are incorrect. These answers do not have the correct three-way handshake order.

17. D is correct. IPv6 uses a 128-bit address instead of the 32-bit IPv4 version. It’s represented as eight groups of four hexadecimal digits separated by colons but can be shortened in display by removing leading zeroes (replaced by a double colon). The loopback address, in full, is 0000:0000:0000:0000:0000:0000:0000:0001, which can be reduced all the way down to ::1.

A, B, and C are incorrect. These values do not represent the loopback address in IPv6. Fe80::/10 is reserved for link local, FC00::/7 is the unique local (like private addressing in IPv4), and FEC0::/10 is for site local.
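The compression rule and the four address ranges from the answer to question 17, worked with the Python standard library's ipaddress module. This is an added example, not code from the book; the sample addresses are constructed (2001:db8::/32 is the IPv6 documentation range):

```python
# Added example (not from the book): compress the written-out loopback address
# to ::1 and sort sample addresses into the ranges named in question 17.
import ipaddress


def compress(addr: str) -> str:
    """Canonical short form: leading zeroes dropped, longest zero run -> '::'."""
    return ipaddress.IPv6Address(addr).compressed


def classify(addr: str) -> str:
    """Name the scope an IPv6 address falls in. Order matters: the loopback
    and link-local checks come first so they are not swallowed by the
    broader ranges that follow."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_loopback:                                 # ::1
        return "loopback"
    if ip.is_link_local:                               # fe80::/10
        return "link-local"
    if ip.is_site_local:                               # fec0::/10 (deprecated, still tested)
        return "site-local"
    if ip in ipaddress.IPv6Network("fc00::/7"):        # unique local, IPv6's 'private' space
        return "unique-local"
    return "global"


if __name__ == "__main__":
    # Constructed sample addresses.
    for sample in ["0000:0000:0000:0000:0000:0000:0000:0001", "fe80::1",
                   "fec0::1", "fd12:3456::1", "2001:db8::1"]:
        print(f"{sample:>40} -> {compress(sample):<14} {classify(sample)}")
```

Because a filter or firewall rule written against the long form and one written against the short form describe the same address, normalising through `compressed` before comparing strings avoids a common false negative in log searches.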

18. B is correct. The ip.src == xxxx filter tells Wireshark to display only those packets with the IP address xxxx in the source field.

A, C, and D are incorrect. These are incorrect Wireshark filters.

19. A. You’ll see bunches of Wireshark questions on your exam, and EC-Council just loves the “TCP flags = decimal numbers” side of it all. Wireshark also has the ability to filter based on a decimal numbering system assigned to TCP flags. The assigned flag decimal numbers are FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, and URG = 32. Adding these numbers together (for example, SYN + ACK = 18) allows you to simplify a Wireshark filter. For example, tcp.flags == 0x2 looks for SYN packets, tcp.flags == 0x16 looks for ACK packets, and tcp.flags == 0x18 looks for both.

B, C, and D are incorrect because they do not match the decimals provided in the capture (2 for SYN, 18 for SYN/ACK, and 16 for ACK).
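The flag arithmetic behind question 19, as an added example that is not from the book. It uses the six flag values the answer explanation lists, sums them for any combination, decodes a captured value back to flag names, and emits the matching tcp.flags filter with the value in hexadecimal (Wireshark accepts the number in either base):

```python
# Added example (not from the book): TCP flag bits as decimal weights, the
# way the exam presents them, with encode, decode and filter-building helpers.
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def flags_to_value(*names: str) -> int:
    """Sum the weights of the named flags, e.g. SYN + ACK -> 18."""
    return sum(TCP_FLAGS[name.upper()] for name in names)


def value_to_flags(value: int) -> list:
    """Decode a flag value into the flags that are set, lowest bit first."""
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def wireshark_filter(*names: str) -> str:
    """Exact-match display filter for this flag set; the value is the same
    number written in hex (18 decimal is 0x12)."""
    return f"tcp.flags == 0x{flags_to_value(*names):02x}"


def classify_handshake(values: list) -> str:
    """Label a sequence of captured flag values as the three-way handshake
    when it reads SYN, SYN/ACK, ACK in that order (the capture in question 19)."""
    expected = [flags_to_value("SYN"),
                flags_to_value("SYN", "ACK"),
                flags_to_value("ACK")]
    return "three-way handshake" if values == expected else "other"


if __name__ == "__main__":
    # Constructed sample: the flag values of a normal connection set-up.
    capture = [2, 18, 16]
    for v in capture:
        print(v, "->", "/".join(value_to_flags(v)))
    print(classify_handshake(capture))
    print(wireshark_filter("SYN", "ACK"))
```

Decoding by bit rather than by memorised totals also handles values the exam does not list, such as a segment with FIN, PSH and URG set at once.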

20. D. A stateful inspection firewall would notice the ACK coming unsolicited and from the wrong side of the fence.

A, B, and C are incorrect. IDS is passive and reactive, so it would not prevent the packet flow. There is no way to tell, from the information provided, what OS the systems are.

21. A and C. Switches are designed to filter traffic—that is, they send traffic intended for a destination MAC—to only the port that holds the MAC address as an attached host. The exception, however, is broadcast and multicast traffic, which gets sent out every port. Because ARP is broadcast in nature, all machines’ ARP messages would be viewable.

B and D are incorrect. The switch will filter traffic to the laptop, and MAC addresses will be available from the broadcast ARPs.

22. A, B, C, D, and E. All the protocols listed here transfer data—including passwords—in clear text.

F is incorrect. SSH can be thought of as an encrypted version of Telnet.

23. C. This rule alerts on Telnet in only one direction—into the internal network. It states that any IP address on any port attempting to connect to an internal client will generate the message “Telnet Connection Attempt.”

A, B, and D are incorrect. A and B are incorrect because they reference log-only rules. D is incorrect because the arrow is in only one direction.

24. D is correct. The SAM file, holding all those wonderful password hashes you want access to, is located in the C:\Windows\system32\config folder. You may also find a copy sitting in repair, at c:\windows\repair\sam.

A, B, and C are incorrect. These folders do not contain the SAM file.

25. B is correct. Netsh is “a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running.” Typing netsh at the command line then allows you to step into various “contexts” for adjusting all sorts of network configuration options, including the firewall. Typing a question mark shows all available commands at the context you are in. You can also execute the command without stepping into each context. For example, typing netsh firewall show config will show the configuration of the firewall.

A, C, and D are incorrect. Netstat is a great tool for viewing ports and what’s happening to them on the device. Sc is service control. Ntfw isn’t a valid command-line tool.

26. C is correct. Brute-force attacks attempt every conceivable combination of letters, numbers, characters, and length in an attempt to find a match. Given you’re starting from scratch, it follows you’d need a lot of time and a lot of resources. As an aside, the increase in processing power of systems and the ability to combine multiple systems together to work on problems cuts down on the time portion of this in modern cracking fairly significantly.

A, B, and D are incorrect. Both hybrid and dictionary have a word list to work with and can run through it fairly quickly (in computing time, that is). A bot-net is a series of zombie systems set up by an attacker to carry out duties.

27. D is correct. A security identifier (SID) has five components, each one providing specific information. The last component—the relative identifier (RID)—provides information on the type of account. The RID of 500 indicates the true administrator account on the machine.

A, B, and C are incorrect. The RID values starting at 1000 refer to standard user accounts, so answers A and B can be thrown out. The 501 RID indicates the built-in guest account.
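The RID reading from the answer to question 27, turned into a small parser a defender could run over an account listing to find the built-in administrator regardless of what it has been renamed to. This is an added example, not code from the book; the SIDs in it are constructed and do not belong to any real machine:

```python
# Added example (not from the book): split a Windows SID into its parts and
# interpret the trailing RID using the values the answer explanation gives
# (500 = built-in Administrator, 501 = built-in Guest, 1000 and up = accounts
# created on the machine).
import re
from typing import Optional

# S-1-<authority>-<subauthority>-...-<RID>; the last number is the RID.
SID_PATTERN = re.compile(r"^S-1-(\d+)-((?:\d+-)*\d+)$")


def parse_sid(sid: str) -> dict:
    """Return authority, sub-authorities and RID; raise on malformed input."""
    match = SID_PATTERN.match(sid)
    if not match:
        raise ValueError(f"not a SID: {sid!r}")
    numbers = [int(part) for part in match.group(2).split("-")]
    return {"authority": int(match.group(1)),
            "subauthorities": numbers[:-1],
            "rid": numbers[-1]}


def describe_rid(rid: int) -> str:
    """Account type implied by the RID, per the exam's rules of thumb."""
    if rid == 500:
        return "built-in Administrator (even if renamed)"
    if rid == 501:
        return "built-in Guest"
    if rid >= 1000:
        return "locally created user or group"
    return "other well-known account"


def find_true_administrator(sids: list) -> Optional[str]:
    """Pick the SID whose RID is 500 out of a list, or None if absent."""
    for sid in sids:
        if parse_sid(sid)["rid"] == 500:
            return sid
    return None


# Constructed sample listing: same machine identifier, different RIDs.
SAMPLE_SIDS = [
    "S-1-5-21-1111111111-2222222222-3333333333-1001",
    "S-1-5-21-1111111111-2222222222-3333333333-500",
    "S-1-5-21-1111111111-2222222222-3333333333-501",
]

if __name__ == "__main__":
    for sid in SAMPLE_SIDS:
        info = parse_sid(sid)
        print(sid, "->", describe_rid(info["rid"]))
    print("administrator:", find_true_administrator(SAMPLE_SIDS))
```

Matching on the RID rather than on the account name is exactly why renaming the Administrator account is only a speed bump: the SID never changes.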

28. C is correct. Hardware keyloggers are the highest risk because they are almost impossible to detect by software analyzers. Their use requires physical access to the target, but they are virtually guaranteed to provide results.

A, B, and D are incorrect. Antivirus systems easily catch most software-based keyloggers. Polymorphic is not a keylogger type. Heuristic refers to the method in which an antivirus solution functions, not how a keylogger works.

29. B. LM hashes will always have the right side of the hash the same, ending in 1404EE, because of the method by which LM performs the hash.

A, C, and D are incorrect. The left side of each hash will always be different and indicates nothing. Answers C and D are incorrect because the hash value can tell you password length.

30. D. EC-Council cares nothing about the actual length of the password. On this exam, complexity trumps all.

A, B, and C are incorrect. These passwords do not hold all three elements of complexity.

31. A and B are correct. Whether attempting to bypass input validation or just having things appear the way you want them to on a web page, HTML entities can be useful. The less-than sign (<) equates to &lt;, while the greater-than sign (>) equates to &gt;. You can also use their numbered equivalents (&#60; and &#62;), respectively.

C and D are incorrect. &amp; equates to the ampersand (&), and &reg; equates to the Registered symbol, ®. &nbsp; is a nonbreaking space.

32. A is correct. Using a script entry in a web form field is cross-site scripting.

B, C, and D are incorrect. This entry does not indicate SQL injection or buffer overflow. Brute force refers to a password cracking effort.

33. D is correct. If you missed this one, please consider taking a break or just starting your study process over again—you’re obviously too tired to concentrate or you’ve never seen this before and are attempting to memorize your way to exam success. This question displays the classic SQL injection example that you’ll see on every single practice test you’ll take on the subject.

A, B, and C are incorrect. XSS is cross-site scripting and involves inserting a script into a web form entry field to produce an outcome. Brute force is a password cracking technique, using all possible variants to match the encrypted value. Parameter manipulation refers to any parameter within communications being manipulated to force a desired outcome and is most likely displayed on the exam within the URL.

34.imageD is correct. A typical XSS attack involves an attacker submitting a script in a web form entry field. Input validation—making sure the web form entry field accepts only expected entries—can help prevent this from occurring.

imageA, B, and C are incorrect. Strong passwords will not protect against XSS, and placing the server behind a firewall or IDS doesn’t necessarily do a thing against this attack either.
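Questions 31, 32, and 34 fit together: a script submitted through a form field becomes XSS when the page reflects it as markup, and entity encoding plus input validation are what stop it. The following is an added example, not code from the book. It shows a reflecting page written both ways (raw and entity-encoded), an allowlist validator for a field that is only supposed to hold a user name, and the named/numbered entity decoding from question 31. The field name, the user name format, and the sample submission are assumptions made for the example.

```python
"""Reflected XSS: raw reflection versus entity encoding and input validation.

Added example (not from the book). `render_unsafe` shows the bug, `render_safe`
the encoded version; `validate_username` is allowlist-style input validation.
"""
import html
import re

# Assumed rule for the field: letters, digits, underscore, dot, dash; 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# Constructed sample submission: the classic script-in-a-form-field entry.
PAYLOAD = "<script>alert(1)</script>"


def render_unsafe(name: str) -> str:
    """Vulnerable: the submitted value is dropped into the page as markup."""
    return f"<p>Hello, {name}!</p>"


def render_safe(name: str) -> str:
    """Encoded: < > & " ' become &lt; &gt; &amp; &quot; &#x27; so the browser
    displays them instead of interpreting them."""
    return f"<p>Hello, {html.escape(name)}!</p>"


def validate_username(name: str) -> bool:
    """Input validation: accept only what the field is expected to contain."""
    return USERNAME_RE.fullmatch(name) is not None


def decode_entities(text: str) -> str:
    """Named (&lt;) and numbered (&#60;) entities both decode to the same char."""
    return html.unescape(text)


def contains_tag(rendered: str, tag: str = "script") -> bool:
    """Crude check used to show whether a tag survived into the page as markup."""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    print("unsafe :", render_unsafe(PAYLOAD))
    print("safe   :", render_safe(PAYLOAD))
    print("valid? :", validate_username(PAYLOAD), validate_username("alice_01"))
    print("decoded:", decode_entities("&lt;b&gt; &#60;i&#62; &amp; &reg; &nbsp;x"))
```

The two defences are complementary: validation rejects input that should never have been accepted for that field, while encoding on output protects fields that legitimately contain arbitrary text.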

35. A is correct. There are a couple of different methods a web page can use to negotiate credentials with a web user using HTTP. Digest authentication hashes a password before sending it out, while Basic just sends it out plain text.

B, C, and D are incorrect. The remaining answers do not describe Digest authentication.

36. D is correct. HTTP Basic access authentication is a quick and easy way to pass credentials within an HTTP session; however, it’s also easy to intercept. Base64 is a feeble attempt to obfuscate the user ID/password combination, by using 64 bits to represent alphanumeric characters.

A, B, and C are incorrect. MD5 is a hash algorithm used in Digest Access Authentication (DAA). TDM is Time Division Multiplexing, and FDM is Frequency Division Multiplexing, both of which are cool topics but do not belong here. DES and encryption algorithm are also not valid here.
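To make the difference between questions 35 and 36 concrete, here is an added example (not from the book) that builds and decodes a Basic Authorization header, then computes the MD5 Digest response from RFC 2617 for the same kind of request. The Basic values are the well-known "Aladdin" / "open sesame" pair from the HTTP specification, and the Digest values are the worked example from RFC 2617; the server-side verifier and the helper names are my own assumptions.

```python
"""HTTP Basic versus Digest authentication, side by side.

Added example (not from the book). Basic: anyone who sees the header decodes
the password. Digest: only MD5 values derived from the password cross the wire,
and a server can verify them from a stored HA1 without seeing the password.
"""
import base64
import hashlib
import hmac


def basic_header(user: str, password: str) -> str:
    """Client side of Basic: Base64 of "user:password" (encoding, not encryption)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header: str) -> tuple:
    """What an interceptor does with a captured Basic header."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def ha1_for(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); a server may store this instead of the password."""
    return _md5(f"{user}:{realm}:{password}")


def _response_from_ha1(ha1, method, uri, nonce, nc, cnonce, qop):
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of Digest (RFC 2617, qop=auth): the value sent in response=..."""
    return _response_from_ha1(ha1_for(user, realm, password), method, uri, nonce, nc, cnonce, qop)


def verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = _response_from_ha1(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    hdr = basic_header("Aladdin", "open sesame")
    print(hdr, "->", decode_basic(hdr))          # credentials fall straight out
    resp = digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")
    print("Digest response:", resp)              # password never appears
```

Digest is still only MD5 with a server nonce; it resists casual interception, not offline guessing of a weak password, which is why both schemes are expected to run over TLS today.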

37. C is correct. Walking through this command, SELECT retrieves information from a database, and the username and password fields are designated as what to select. Last, using the FROM command, the table holding the fields is identified.

A, B, and D are incorrect. DROP TABLE would be used to delete an entire table. ALTER TABLE can add or remove individual fields (columns), among other things.
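The SELECT from question 37 is exactly the kind of query that the classic injection in question 33 abuses when the user's text is glued into the SQL string. The following is an added example, not code from the book: it builds a tiny in-memory SQLite table with constructed rows, runs the login query the vulnerable way and with placeholders, and shows that the textbook `' OR 1=1 --` input returns every row in one case and nothing in the other. The table and column names are assumptions.

```python
"""SQL injection against a login SELECT, and the parameterized fix.

Added example (not from the book). Uses sqlite3 in memory with constructed
sample rows; `users(username, password)` is an assumed schema.
"""
import sqlite3

# The classic injection input referred to in question 33: the quote closes the
# string, OR 1=1 makes the WHERE clause always true, and -- comments out the rest.
INJECTION = "' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    """Constructed sample data; passwords stored in clear only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Bug: string concatenation lets the input rewrite the query itself."""
    sql = ("SELECT username, password FROM users WHERE username = '"
           + username + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    """Fix: placeholders send the values separately; they can never become SQL."""
    sql = "SELECT username, password FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected:", login_vulnerable(db, INJECTION, "anything"))
    print("safe, injected      :", login_safe(db, INJECTION, "anything"))
    print("safe, real creds    :", login_safe(db, "alice", "s3cret"))
```

Note that the safe version is not "escaping": the driver never builds a single string, so there is nothing for the quote to close. That is the property input validation alone does not give you.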

38. B is correct. A rogue access point is also known as an evil twin. Usually they’re discovered quickly; however, there are lots of organizations that don’t regularly scan for them.

A, C, and D are incorrect. A replay attack occurs when communications (usually authentication-related) are recorded and replayed by the attacker. Closet AP and WEP nap aren’t legitimate terms.

39. C is correct. Since BlackBerry devices are basically VPN’d into the corporate network, they can provide a nice back way in, using the proper technique. Blackjacking involves setting up a proxy and bouncing things off and through it into the internal network. BBProxy was presented during a DEF CON conference several years ago as a means to pull off this attack.

A, B, and D are incorrect. Aircrack is used to crack WEP encryption keys. Kismet is best known as a passive wireless sniffer. PrismStumbler is a wireless network identifier.

40. C is correct. Kismet works as a passive network discovery tool, without using packet injection to gather information. Kismet also works by channel hopping to discover as many networks as possible and has the ability to sniff packets and save them to a log file, readable by Wireshark or TCPDump.

A, B, and D are incorrect. NetStumbler is an active discovery tool. Aircrack is a WEP cracking program. Netsniff is a false choice.

41. B is correct. The SSID has a singular purpose, which is to identify a network for a client. It can be up to 32 characters long, and you can turn off the SSID broadcast at the access point. However, the SSID is included with most packets leaving the access point and is easily discoverable anyway.

A, C, and D are incorrect. These are all true statements regarding an SSID.

42. A and D. WPA-2 is the latest encryption standard for wireless. SSIDs do nothing for security other than frustrate casual (lazy) attackers. It’s not the intent of an SSID to do anything other than identify a network.

B and C are incorrect. WEP is poor encryption (and never the correct answer on this exam for security purposes), and SSID broadcast is nearly irrelevant to security.

43. A is correct. Netstat provides all sorts of good info on your machine. The -a option is for all connections and listening ports. The -n option puts them in numerical order.

B, C, and D are incorrect. netstat -a localhost -n is incorrect syntax. netstat -r displays the route table. netstat -s displays per-protocol statistics.

44. B is correct. Session hijacking involves predicting an acceptable sequence number during an exchange of information and taking over the communications channel. By its very nature, authentication must already be completed in order for it to work.

A, C, and D are incorrect. Hijacking occurs after authentication, so the measure used is largely irrelevant. Session hijacking can be carried out against all operating systems.

45. B is correct. One thing all malware writers attempt to do is find ways to hide their work. By finding empty spaces in a file and writing to them, a cavity virus can infect a file and not change its size so far as the system is concerned.

A, C, and D are incorrect. Polymorphic viruses try mutating themselves to avoid detection. Macro viruses use macros built in to various programs (such as Microsoft Excel). A boot sector virus is exceedingly difficult to get rid of and, obviously, installs on the boot sector of the disk.

46. C is correct. The private key is never shared. Ever. It’s not shared via a digital certificate, smoke signal, carrier pigeon, or any other distribution method.

A, B, D, and E are incorrect. X.509 is an ITU-T standard defining all sorts of things regarding PKI, including the digital certificate and what it holds. It identifies several components of a digital certificate, including the version, the algorithm ID, a copy of the public key, and the key usage description.

47. E is correct. All of the registry keys listed here are common locations to find malware. The key is that, from here, the malware is continually launched.

A, B, C, and D are incorrect as individual choices because they are all viable registry locales.

48. D is correct. 3DES is a symmetric encryption algorithm.

A, B, and C are incorrect. PKI, RSA, and AES are asymmetric in nature.

49. E is correct. Social engineering can’t ever be fully contained—after all, we’re only human. However, these options present good steps to take in slowing it down. A properly trained employee, who not only knows the policies and guidelines but agrees with and practices them, is a tough nut to crack. Assigning classification levels helps by restricting access to specific data, thereby limiting (ideally) the amount of damage from a successful social engineering attack.

A, B, C, and D are incorrect individually because they all apply.

50. D is correct. It’s bad enough we have to worry about the external hackers trying to break their way into a network, but what about all the folks we already let onto it? Disgruntled employees are serious threats because they already have connectivity and, depending on their job, a lot of access to otherwise protected areas.

A, B, and C are incorrect. A black hat is an external, malicious attacker. A white hat is an ethical hacker. A gray hat doesn’t work under an agreement but may not be malicious.

51. A is correct. Phishing is the act of crafting e-mails to trick recipients into behavior they would not otherwise complete. Usually the phishing e-mail contains a link to a malicious site or even an embedded piece of malware.

B, C, and D are incorrect. The remaining answers are not legitimate attacks and do not apply here.

52. B is correct. If the attacker is not carrying a badge—real or fake—the correct definition is piggybacking.

A, C, and D are incorrect. Tailgating involves the use of a badge (real or fake) when following employees in through an open door. Surfing and reverse SE have nothing to do with this.

53. C is correct. While there may be some argument in the real-world version of a black-box test, as far as your exam goes it is an assessment without any knowledge provided about the target.

A, B, and D are incorrect. White-box and gray-box tests both provide information about the target (white is all of it, gray some of it).

54. B is correct. OWASP provides an inside look at known web application vulnerabilities to assist developers in creating more secure environments. From the site, “Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide.”

A, C, and D are incorrect. COBIT is a framework for IT governance and control provided by ISACA. (Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only to reflect the broad range of IT governance professionals it serves.)

55. A is correct. This is one of those infuriating areas of EC-Council’s exam that you’re just going to have to muddle through. The credential used defines the person carrying out the attack, not the actual human being sitting behind the keyboard. An insider affiliate is a friend or spouse that uses a stolen credential of some sort to access resources. The insider part comes from the credential; the affiliate part comes from being a friend or spouse.

B, C, and D are incorrect. An outside affiliate represents the hackers—attackers from outside the organization. An inside associate is someone with limited access, generally a cleaning crew member, contractor, or other service personnel. A pure insider would be an employee—someone who already has internal access.

Analyzing Your Results

Congratulations on completing the CEH pre-assessment. You should now take the time to analyze your results with these two objectives in mind:

• Identifying the resources you should use to prepare for the exam

• Identifying the specific topics you should focus on in your preparation

Use this table to help you gauge your overall readiness for the CEH examination:

Number of Answers Correct: Recommended Course of Study

1–25: I recommend you spend a significant amount of time reviewing the material in the CEH Certified Ethical Hacker All-in-One Exam Guide, Second Edition, before using this practice exams book.

26–37: I recommend you review the following objective map to identify the particular areas that require your focused attention and use CEH Certified Ethical Hacker All-in-One Exam Guide, Second Edition, to review that material. Once you have done so, you should proceed to work through the questions in this book.

38–55: I recommend you use this book to refresh your knowledge and prepare yourself mentally for the exam.

Once you have identified your readiness for the exam, use the following table to identify the specific objectives that require your focus as you continue your preparation:
