Attacking a System - CEH Certified Ethical Hacker Practice Exams Second Edition (2014)


Attacking a System

This chapter includes questions from the following topics:

• Describe password attacks

• Describe best-effort password complexity and protection

• Describe Microsoft authentication mechanisms

• Understand Windows architecture

• Identify various password-cracking tools, keyloggers, and spyware technologies

• Define privilege escalation

• Describe file-hiding methods, alternate data streams, and evidence erasure

• Define rootkit

• Understand basic Linux file structure, directories, and commands


I hope nobody reading this will ever find themselves in this situation, but have you ever given any thought at all to what you would do if challenged to a fight? I’m not talking about the free-for-all brawls in elementary and middle school, surrounded by a circle of cheering, but ignorant, children; I’m talking about an actual street confrontation you cannot get out of. In almost every situation, most people are taught to leave the situation and protect themselves, and that’s absolutely the right way to go. But every once in a while, good law-abiding folks are put in a situation they can’t get out of, and a physical confrontation is inevitable.

Did you know there’s a science to hand-to-hand combat? Pugilism (pygmachia in Greek, made into an Olympic sport in 688 BC) is the hand-to-hand combat sport better known as boxing. Despite the circus it has become in the past 20 years or so, boxing was a well-respected and carefully studied art for thousands of years. It’s not just simply putting two guys in a ring and having them beat on each other; it’s about crafting a strategy to accentuate strengths and exploit weaknesses. Sound familiar?

And we’re not talking about just boxing here—hand-to-hand combat takes on many forms. Professional boxers, for example, might tell you that light punches are faster, require less energy, and leave you less vulnerable. They might also advise you that deception and speed in combat are much more valuable than strength and the “knockout punch.” Self-defense experts might point out areas of the human anatomy that disable an attacker, providing you a means of escape. They might also point out things like the value of a knife versus a gun in defense situations and that one cleverly executed strike, set up and thrown with quickness (sometimes not even with power), may be all it takes to frustrate and confuse an attacker. The science of carrying out a physical attack on an individual, and protecting yourself against such an attack, is founded on the principles of distance, leverage, and timing. It’s fascinating stuff, even if you don’t ever plan on being in a situation requiring the knowledge.

You may be sitting there having no idea what kind of virtual damage you can do with the knowledge you’ve gained so far. Who knows if, put in the right situation, you’d knock out virtual targets with ease? I can see you now, looking down at your keyboard in awe and answering the “How did you do that?” question with, “I don’t know—the training just kicked in.” Granted, we still have a lot of training to do, and I doubt you’ll be punching any virtual targets outside an agreed-upon scope (after all, you are an ethical hacker, right?). However, this chapter will help hone your skills. Here, we’ll talk all about system attacks and putting to use some of the training and knowledge you already have in place.


STUDY TIPS  System attacks come in many forms, but EC-Council really likes the password attacks. Know your password rules, attacks, and tools well. You will definitely see loads of questions about passwords, and the use, storage, hashing of, and attacks against passwords will be covered ad nauseam on your exam. Pull some of these tools down and play with them because you’ll need to know what they look like, how they operate, and what capabilities they have.

Next, when it comes to this chapter, you really need to get to know Linux better. Questions regarding Linux will most likely revolve around kernel modules, file structure, storage locations, and the command-line interface. Again, the easiest way to learn all this is to download a Linux distro and run it in a VM on your machine. Take advantage of the thousands of Linux how-to videos and articles you can find on the Internet: It’s one thing to read it in a book, but you’ll learn far more if you actually perform it yourself.


1. Examine the following password hashes obtained from a Windows XP machine using LM hashing:

B757BF5C0D87772FAAD3B435B51404EE

BA810DBA98995F1817306D272A9441BB

E52CAC67419A9A224A3B108F3FA6CB6D

0182BD0BD4444BF836077A718CCDF409

CEC52EB9C8E3455DC2265B23734E0DAC

Which of the following is true regarding the hashes listed?

A. The hashes are protected using Syskey.

B. The third hash listed is the local administrator’s password.

C. The first hash listed is from a password of seven characters or less.

D. The hashes can be easily decrypted by reversing the hash algorithm.

2. Amanda works as a security administrator for a large organization. She discovers some remote tools installed on a server and has no record of a change request asking for them. After some investigation, she discovers an unknown IP address connection that was able to access the network through a high-level port that was not closed. The IP address is first traced to a proxy server in Mexico. Further investigation shows the connection bounced between several proxy servers in many locations. Which of the following is the most likely proxy tool used by the attacker to cover his tracks?

A. ISA proxy

B. IAS proxy

C. TOR proxy

D. Netcat

3. Which of the following correctly describes brute-force password attacks?

A. Feeding a list of words into a cracking program

B. Comparing the hash values to lists of prehashed values for a match

C. Attempting all possible combinations of letters, numbers, and special characters in succession

D. Threatening the user with physical violence unless they reveal their password

4. Which password theft method is almost always successful, requires little technical knowledge, and is nearly impossible to detect?

A. Installing a hardware keylogger

B. Installing a software keylogger

C. Sniffing the network segment with Ettercap

D. Attempting a brute-force attack using Cain and Abel

5. Which of the following will extract an executable file from NTFS streaming?

A. c:\> cat file1.txt:hidden.exe > visible.exe

B. c:\> more file1.txt | hidden.exe > visible.exe

C. c:\> type notepad.exe > file1.txt:hidden.exe

D. c:\> list file1.txt$hidden.exe > visible.exe

6. Which command is used to allow all privileges to the user, read-only to the group, and read-only for all others to a particular file, on a Linux machine?

A. chmod 411 file1

B. chmod 114 file1

C. chmod 117 file1

D. chmod 711 file1

E. chmod 744 file1

7. Examine the following passwd file:

[Figure: passwd file listing; not reproduced in this extract]

Which of the following statements are true regarding this passwd file? (Choose all that apply.)

A. None of the user accounts has passwords assigned.

B. The system makes use of the shadow file.

C. The root account password is root.

D. The root account has a shadowed password.

E. Files created by Alecia will initially be viewable by Jason.

8. You are attempting to hack a Windows machine and want to gain a copy of the SAM file. Where can you find it? (Choose all that apply.)

A. /etc/passwd

B. /etc/shadow

C. c:\windows\system32\config

D. c:\winnt\config

E. c:\windows\repair

9. Which of the following statements are true concerning Kerberos? (Choose all that apply.)

A. Kerberos uses symmetric encryption.

B. Kerberos uses asymmetric encryption.

C. Clients ask for authentication tickets from the KDC in clear text.

D. KDC responses to clients never include a password.

E. Clients decrypt a TGT from the server.

10. What is the difference between a dictionary attack and a hybrid attack?

A. Dictionary attacks are based solely on word lists, whereas hybrid attacks make use of both word lists and rainbow tables.

B. Dictionary attacks are based solely on whole word lists, whereas hybrid attacks can use a variety of letters, numbers, and special characters.

C. Dictionary attacks use predefined word lists, whereas hybrid attacks substitute numbers and symbols within those words.

D. Hybrid and dictionary attacks are the same.

11. Which of the following contains a listing of port numbers for well-known services defined by IANA?

A. %windir%\etc\lists

B. %windir%\system32\drivers\etc\lmhosts

C. %windir%\system32\drivers\etc\services

D. %windir%\system32\drivers\etc\hosts

12. Which of the following SIDs indicates the true administrator account?

A. S-1-5-21-1388762127-2960977290-773940301-1100

B. S-1-5-21-1388762127-2960977290-773940301-1101

C. S-1-5-21-1388762127-2960977290-773940301-500

D. S-1-5-21-1388762127-2960977290-773940301-501

13. In which step of EC-Council’s system hacking methodology would you find steganography?

A. Cracking passwords

B. Escalating privileges

C. Executing applications

D. Hiding files

E. Covering tracks

14. Examine the following extract from a compromised system:

[Figure: extract from the compromised system; not reproduced in this extract]

Which of the following is the best description of what the attacker is attempting to accomplish?

A. Replacing the SAM file with a file of his choosing

B. Copying the SAM file for offline cracking attempts

C. Cracking any Syskey encryption on the SAM file

D. Uploading a virus

15. Which password would be considered the most secure?

A. CEH123TEST

B. CEHisaHARDTEST

C. 638154849675

D. C3HisH@rd

16. Which of the following are true statements? (Choose all that apply.)

A. John the Ripper does not display the case of cracked LM hash passwords.

B. NTLMV1 represents an effective countermeasure to password cracking.

C. Syskey provides additional protection against password cracking.

D. The hash value of a Windows LM password that is seven characters or less will always be passed as 00112233445566778899.

E. Enforcing complex passwords provides additional protection against password cracking.

17. Which of the following are considered offline password attacks? (Choose all that apply.)

A. Using a hardware keylogger

B. Brute-force cracking with Cain and Abel on a stolen SAM file

C. Using John the Ripper on a stolen passwd file

D. Shoulder surfing

18. If a rootkit is discovered on the system, which of the following is the best alternative for recovery?

A. Replacing all data files from a good backup

B. Installing Tripwire

C. Reloading the entire system from known good media

D. Deleting all data files and reboot

19. Examine the following portion of a log file, captured during a hacking attempt:

[Figure: log file excerpt; not reproduced in this extract]

What was the attacker attempting to do?

A. Copy files for later examination

B. Cover his tracks

C. Change the shell to lock out other users

D. Upload a rootkit

20. You suspect a hack has occurred against your Linux machine. Which command will display all running processes for you to review?

A. ls -d

B. ls -l

C. su

D. ps -ef

E. ifconfig

21. An organization wants to control network traffic and perform stateful inspection of traffic going into and out of their DMZ. Which built-in functionality of Linux can achieve this?

A. iptables

B. ipchains

C. ipsniffer

D. ipfirewall

22. Which of the following best describes Cygwin?

A. Cygwin is a UNIX subsystem running on top of Windows.

B. Cygwin is a Windows subsystem running on top of UNIX.

C. Cygwin is a C++ compiler.

D. Cygwin is a password cracking tool.

23. Which folder in Linux holds administrative commands and daemons?

A. /sbin

B. /bin

C. /dev

D. /mnt

E. /usr

24. Which of the following is the appropriate means to pivot within a Metasploit attack session?

A. Use the pivot exploit outside meterpreter.

B. Reconfigure network settings in meterpreter.

C. Set the payload to propagate.

D. Create a route statement in the meterpreter.

25. You are examining files on a Windows machine and note one file’s attributes include “h.” What does this indicate?

A. The file is flagged for backup.

B. The file is part of the help function.

C. The file is fragmented because of size.

D. The file has been quarantined by an antivirus program.

E. The file is hidden.

26. You have gained access to a SAM file from an older Windows machine and are preparing to run a Syskey cracker against it. How many bits are used for Syskey encryption?

A. 128

B. 256

C. 512

D. 1024

27. Which of the following tools can assist in discovering the use of NTFS file streams? (Choose all that apply.)

A. LADS

B. ADS Spy

C. Sfind

D. Snow

28. Which of the following are true regarding Kerberos?

A. Kerberos makes use of UDP as a transport protocol.

B. Kerberos makes use of TCP as a transport protocol.

C. Kerberos uses port 88 for the transmission of data.

D. Kerberos makes use of both symmetric and asymmetric encryption techniques.

E. All of the above.

29. Which authentication method uses DES for encryption and forces 14-character passwords for hash storage?

A. NTLMv1

B. NTLMv2

C. LAN Manager

D. Kerberos

Quick Answer Key

1. C

2. C

3. C

4. A

5. A

6. D

7. B, D, E

8. C, E

9. A, B, C, D, E

10. C

11. C

12. C

13. D

14. B

15. D

16. A, C, E

17. A, B, C

18. C

19. B

20. D

21. A

22. A

23. A

24. D

25. E

26. A

27. A, B, C

28. E

29. C

Answers

1. Examine the following password hashes obtained from a Windows XP machine using LM hashing:

B757BF5C0D87772FAAD3B435B51404EE

BA810DBA98995F1817306D272A9441BB

E52CAC67419A9A224A3B108F3FA6CB6D

0182BD0BD4444BF836077A718CCDF409

CEC52EB9C8E3455DC2265B23734E0DAC

Which of the following is true regarding the hashes listed?

A. The hashes are protected using Syskey.

B. The third hash listed is the local administrator’s password.

C. The first hash listed is from a password of seven characters or less.

D. The hashes can be easily decrypted by reversing the hash algorithm.

C. Windows 2000 and NT-type machines used LAN Manager, and later NT LAN Manager, to hash passwords. LM hashing is an older, outdated, and easily crackable method. It worked by converting all password characters to uppercase and, if necessary, appending blank spaces to reach 14 characters. Next, the password was split directly in the middle, and each half was encrypted separately. The problem is that the LM “hash” (which is not a true one-way function but the output of an encryption step using two DES keys, one created from each half of the original password) of seven blank characters is always the same: AAD3B435B51404EE. This greatly simplifies cracking, because running through only 7 characters is much easier than 14.

A is incorrect because Syskey is not in use here. Syskey is an older, optional utility added in Windows NT 4.0 SP3 that encrypted hashed password information in the SAM database using a 128-bit encryption key. It was meant to protect against offline password-cracking attacks; however, security problems were discovered that rendered it moot: brute-force attacks worked even with Syskey in place.

B is incorrect because there is no way to tell from a hash which password belongs with which user.

D is incorrect because hashes cannot be reversed.
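The fixed second half described above is something a defender can check for directly. The following Python script is an added example (not code from the book): it parses a pwdump-style dump, splits each 32-hex-digit LM hash into its two halves, and flags accounts whose password was seven characters or fewer (second half equal to AAD3B435B51404EE) or whose LM hash is entirely blank (both halves equal, meaning an empty password or LM storage disabled). The user names and RIDs in the sample dump are constructed; the hash values are the five listed in the question.

```python
import re

BLANK_HALF = "AAD3B435B51404EE"  # LM "hash" of seven blank characters
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


def classify_lm_hash(lm_hash):
    """Return 'empty', 'short' or 'long' for one 32-hex-digit LM hash."""
    h = lm_hash.strip().upper()
    if not HEX32.match(h):
        raise ValueError(f"LM hash must be 32 hex digits: {lm_hash!r}")
    first, second = h[:16], h[16:]
    if first == BLANK_HALF and second == BLANK_HALF:
        return "empty"   # empty password, or LM hash storage disabled
    if second == BLANK_HALF:
        return "short"   # password is 7 characters or fewer: only one half to attack
    return "long"        # 8 to 14 characters: both halves carry real data


def audit_pwdump(text):
    """Parse pwdump-style lines 'user:rid:lmhash:nthash:::' and return
    a list of (user, verdict) tuples, skipping comments and blank lines."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line; not a pwdump record
        user, lm_hash = fields[0], fields[2]
        findings.append((user, classify_lm_hash(lm_hash)))
    return findings


# Constructed sample dump: LM hashes are the ones listed in the question,
# user names and RIDs are invented, NT hashes are omitted as not needed here.
SAMPLE_DUMP = """\
# constructed sample, not a real dump
alice:1001:B757BF5C0D87772FAAD3B435B51404EE:<nt hash omitted>:::
bob:1002:BA810DBA98995F1817306D272A9441BB:<nt hash omitted>:::
carol:1003:E52CAC67419A9A224A3B108F3FA6CB6D:<nt hash omitted>:::
dave:1004:0182BD0BD4444BF836077A718CCDF409:<nt hash omitted>:::
erin:1005:CEC52EB9C8E3455DC2265B23734E0DAC:<nt hash omitted>:::
svc:1006:AAD3B435B51404EEAAD3B435B51404EE:<nt hash omitted>:::
"""

if __name__ == "__main__":
    for user, verdict in audit_pwdump(SAMPLE_DUMP):
        print(f"{user:8s} {verdict}")
```

Only the first of the five question hashes ends in the blank-half value, which is why option C is the correct answer; the last sample line shows what an account with no stored LM hash looks like, the state a hardened system should be in for every account.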

2. Amanda works as a security administrator for a large organization. She discovers some remote tools installed on a server and has no record of a change request asking for them. After some investigation, she discovers an unknown IP address connection that was able to access the network through a high-level port that was not closed. The IP address is first traced to a proxy server in Mexico. Further investigation shows the connection bounced between several proxy servers in many locations. Which of the following is the most likely proxy tool used by the attacker to cover his tracks?

A. ISA proxy

B. IAS proxy

C. TOR proxy

D. Netcat

C. I’ve mentioned it before, and I’ll mention it again here: Sometimes the CEH exam and real life just don’t match up. Yes, this question may be, admittedly, a little on the “hokey” side, but it’s valid insofar as EC-Council is concerned. The point here is that TOR (The Onion Routing; https://www.torproject.org/) provides a quick, easy, and really groovy way to hide your true identity when performing almost anything online. From the site, “Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.” (For the real-world folks out there, just know that without law enforcement and some serious network visibility, you’d probably be successful in tracking to the first hop, but that’d be it.) TOR is, by nature, dynamic, and a hacker can simply use a different path for each attack. Just remember the question is really about identifying TOR as a means of covering tracks and not necessarily a treatise on how it really works.

A is incorrect because an Internet Security and Acceleration (ISA) server isn’t designed to bounce between multiple proxies to obscure the original source. From Microsoft, ISA “is the successor to Microsoft’s Proxy Server 2.0 (see proxy server) and provides the two basic services of an enterprise firewall and a Web proxy/cache server. ISA Server’s firewall screens all packet-level, circuit-level, and application-level traffic. The Web cache stores and serves all regularly accessed Web content in order to reduce network traffic and provide faster access to frequently-accessed Web pages. ISA Server also schedules downloads of Web page updates for non-peak times.”

B is incorrect because Internet Authentication Service (IAS) is a component of servers that allows you to provide a Remote Authentication Dial-In User Service (RADIUS) connection to clients. It’s not designed as an obfuscating proxy—its purpose is in authentication.

D is incorrect because while you can set up a single proxy using Netcat and it may even be possible to chain several together, it’s simply not designed to work that way (and that’s what this question was all about to begin with). You can set up a listening port with it, but it’s not designed to act as a proxy, and setting one up as a chain of proxies would be insanely complicated and unnecessary with the myriad other options available.

3. Which of the following correctly describes brute-force password attacks?

A. Feeding a list of words into a cracking program

B. Comparing the hash values to lists of prehashed values for a match

C. Attempting all possible combinations of letters, numbers, and special characters in succession

D. Threatening the user with physical violence unless they reveal their password

C. A brute-force attack uses every possible combination of letters, numbers, and special characters against an authentication effort—whether in succession or (more commonly) at random. The drawbacks to its use are substantial: It takes the longest amount of time and a tremendous amount of processing resources. However, it is your best option on complex passwords, and there is no arguing its effectiveness: Given enough time, every password can be cracked using brute force. It may take years to try every combination, but if you keep at it long enough, it is successful 100 percent of the time.

A is incorrect because this describes a dictionary attack. It is much easier and faster than a brute-force attack, and it uses far fewer resources. The attack works by using a list of passwords in a text file, which is then hashed by the same algorithm/process the original password was put through. The hashes are compared, and if a match is found, the password is cracked. Although this attack is supposed to (technically speaking) use only words you’d find in a dictionary, you can create your own word list to feed into the cracker. Using this method, you can crack “complex” passwords too. However, the word list you use must have the exact match in it—you can’t get it close; it must be exact. Although it may be fun for you to spend hours of your day creating your own dictionary file, it’s a lot easier to simply download one of the thousands already on the Internet.

B is incorrect because this describes the use of rainbow tables. A rainbow table crack effort can be faster than anything else, assuming you can pull the right one to look through. Rainbow tables are created when someone, with lots of time on their hands, feeds every conceivable password in creation through a hash. The hashes are then saved to a table, to which you can compare the password hashes off your target machine. It’s simple and easy; however, keep in mind these tables are huge. Additionally, “salting” a password makes rainbow tables moot. One final note for the purists in the reading audience: The use of multi-GPU cracking systems (employing computing resources to cracking passwords that boggle the mind) may be faster than using rainbow tables. Just don’t say that on your exam!

D is incorrect because this refers to something defined by EC-Council and the CEH exam as a rubber hose attack. No, I’m not making this up. And I’m not encouraging you to use this in your own pen testing—just know it for your exam.

4. Which password theft method is almost always successful, requires little technical knowledge, and is nearly impossible to detect?

A. Installing a hardware keylogger

B. Installing a software keylogger

C. Sniffing the network segment with Ettercap

D. Attempting a brute-force attack using Cain and Abel

A. Questions on hardware keyloggers will almost always reference the fact that they’re nearly impossible to detect. Unless the user notices them or you have dedicated security staff watching for them, these are foolproof, easy to install, and great tools to use. They are usually small devices connected between the keyboard cable and the computer that simply capture all keystrokes going by. Install one day and just wait—when you pick it up, it will be filled with all the access information you need. Just remember that the hardest part of using a hardware keylogger is the physical access required to install it: They’re not remote access, introvert-friendly, work-in-the-shadows tools, so you’ll have to actually get next to a system to put it into action.

B is incorrect because although a software keylogger does the same thing as a hardware keylogger and will provide excellent results (I’ve used one on my kids before—it’s fantastic), it’s fairly easy to spot and requires a little configuration to get things just the way you want them.

C is incorrect because sniffing a network tap with Ettercap isn’t going to provide you with anything other than an open text protocol password (FTP and so on). Sniffing isn’t guaranteed to provide anything password-wise. Yes, Ettercap is powerful, but it does require a fairly substantial amount of technical know-how to get the most out of it.

D is incorrect because a brute-force attack—with any tool—is exceedingly easy to detect. Additionally, it’s not just a point-and-shoot endeavor: You do need some technical ability to pull it off. Lastly, I know some of you are thinking that taking the passwords offline and pounding away at them is as quiet as you can get. Trust me, that’s not the intent of this question, and don’t let that fact trip you up.

5. Which of the following will extract an executable file from NTFS streaming?

A. c:\> cat file1.txt:hidden.exe > visible.exe

B. c:\> more file1.txt | hidden.exe > visible.exe

C. c:\> type notepad.exe > file1.txt:hidden.exe

D. c:\> list file1.txt$hidden.exe > visible.exe

A. This is the correct syntax. The cat command will extract the executable directly into the folder you execute the command from. NTFS file streaming allows you to hide virtually any file behind any other file, rendering it invisible to directory searches. The file can be a text file, to remind you of steps to take when you return to the target, or even an executable file you can run at your leisure later. Alternate Data Streams (ADS) in the form of NTFS file streaming is a feature of the Windows-native NTFS file system to ensure compatibility with the Apple file system (called HFS). Be careful on the exam—you will see ADS and NTFS file streaming used interchangeably. As an aside, the cat command isn’t available on Windows 7 machines; you’ll need a Linux emulator or something like it to pull this off on a Windows 7 system.

B is incorrect because this is not the correct syntax. There is no pipe (|) function in extracting a file, and the more command is used to display the contents of a text file, not extract an executable from ADS.

C is incorrect because this is not the correct syntax. This option would display the contents of a hidden text file—maybe one you’ve stowed away instructions in for use later.

D is incorrect because the syntax is not correct by any stretch of the imagination. This is included as a distractor.

6. Which command is used to allow all privileges to the user, read-only to the group, and read-only for all others to a particular file, on a Linux machine?

A. chmod 411 file1

B. chmod 114 file1

C. chmod 117 file1

D. chmod 711 file1

E. chmod 744 file1

D. You’re going to need to know some basic Linux commands to survive this exam, and one command I can guarantee you’ll see a question on is chmod. File permissions in Linux are assigned via the use of the binary equivalent for each rwx group: Read is equivalent to 4, write to 2, and execute to 1. To accumulate permissions, you add the number: 4 is read-only, 6 is read and write, and adding execute to the bunch means a 7. As an aside, if you think in binary, the numbers are just as easy to define: 111 equates to 7 in decimal, and each bit turned on gives read, write, and execute. Setting the bits to 101 turns on read, turns off write, and turns on execute; and its decimal equivalent is 5.

A, B, C, and E are all incorrect syntax for what we’re trying to accomplish here: 411 equates to read-only, execute, and execute (with 114 being the reverse of that), and 117 equates to execute, execute, full permissions, with 711 being the reverse.
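The octal arithmetic above is easy to get backwards under exam pressure, so here is an added Python example (my code, not the book's) that decodes each three-digit mode into the familiar rwx string, rebuilds the octal digits from a set of permission letters, and cross-checks the decoder against the standard library's stat.filemode(). Running it on the five options in the question prints what each one actually grants.

```python
import stat

# Permission letters paired with their bit value, most significant first.
PERM_BITS = (("r", 4), ("w", 2), ("x", 1))


def octal_to_symbolic(mode):
    """Render a three-digit octal mode such as "744" as "rwxr--r--"."""
    if len(mode) != 3 or any(c not in "01234567" for c in mode):
        raise ValueError(f"expected three octal digits, got {mode!r}")
    return "".join(
        letter if int(digit) & bit else "-"
        for digit in mode
        for letter, bit in PERM_BITS
    )


def octal_from_perms(owner, group, others):
    """Build the octal string from three permission strings such as
    "rwx", "r", "r" (letters may appear in any order; "" means none)."""
    digits = []
    for perms in (owner, group, others):
        digits.append(str(sum(bit for letter, bit in PERM_BITS if letter in perms)))
    return "".join(digits)


def explain(mode):
    """Describe in words what user, group and others may do under a mode."""
    words = {"rwx": "read, write, and execute", "rw-": "read and write",
             "r-x": "read and execute", "r--": "read-only",
             "-wx": "write and execute", "-w-": "write-only",
             "--x": "execute-only", "---": "no access"}
    sym = octal_to_symbolic(mode)
    return {who: words[sym[i:i + 3]]
            for i, who in ((0, "user"), (3, "group"), (6, "others"))}


def matches_stdlib(mode):
    """Cross-check the decoder against stat.filemode() for a regular file."""
    return stat.filemode(stat.S_IFREG | int(mode, 8))[1:] == octal_to_symbolic(mode)


if __name__ == "__main__":
    for option in ("411", "114", "117", "711", "744"):
        print(option, octal_to_symbolic(option), explain(option))
```

Keep in mind that a mode only describes the file's own bits; on a shared server, the directory's permissions and any ACLs layered on top (getfacl) decide what a user can actually reach.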

7. Examine the following passwd file:

image

Which of the following statements are true regarding this passwd file? (Choose all that apply.)

A. None of the user accounts has passwords assigned.

B. The system makes use of the shadow file.

C. The root account password is root.

D. The root account has a shadowed password.

E. Files created by Alecia will initially be viewable by Jason.

B, D, and E. If there are not two to four questions on your exam regarding the Linux passwd file, I’ll eat my hat. Every exam and practice exam I’ve ever taken references this file—a lot—and it’s included here to ensure you pay attention. Fields in the passwd file, from left to right, are as follows:

• User Name  This is what the user types in as the login name. Each of these must be unique.

• Password  If a shadow file is being used, an x will be displayed here. If not, you’ll see the password in clear text. As an aside, setting this to an asterisk (*) is a method to deactivate an account.

• UID  The user identifier is used by the operating system for internal purposes. It is typically incremented by 1 for each new user added.

• GID  The group identifier identifies the primary group of the user. All files that are created by this user will normally be accessible to this group, unless a chmod command prevents it (which is the reason for the “initial” portion of the question).

• Gecos  This is a descriptive field for the user, generally containing contact information separated by commas.

• Home Directory  This is the location of the user’s home directory.

• Startup Program  This is the program that is started every time the user logs in. It’s usually a shell for the user to interact with the system.

A is incorrect because the x indicates a shadowed password, not the absence of one.

C is incorrect because the x indicates that root does indeed have a password, but it is shadowed. Could it actually be root? Sure, but there’s no way to tell that from this listing.
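The field layout listed above is all you need to audit a passwd file for the conditions this question is probing. The following Python script is an added example (not the book's code): it parses each seven-field line, reports accounts whose password field is empty (no password at all, as opposed to the shadowed x), accounts deactivated with an asterisk, any password hash stored directly in passwd rather than shadow, and any second UID 0 account, and it answers the "will Alecia's files be readable by Jason" question by comparing primary GIDs. The passwd lines are constructed for the example; the figure from the book is not reproduced here.

```python
FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

# Constructed sample passwd file (not the one shown in the book's figure).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jason:x:1000:1000:Jason,,,:/home/jason:/bin/bash
alecia:x:1001:1000:Alecia,,,:/home/alecia:/bin/bash
legacy::1002:1002:Old account:/home/legacy:/bin/sh
backup:*:1003:1003::/var/backups:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
"""


def parse_passwd(text):
    """Return a list of dicts, one per account, keyed by the field names."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def audit_passwd(entries):
    """Return (account, finding) pairs for anything a reviewer should look at."""
    findings = []
    for e in entries:
        pw = e["password"]
        if pw == "x":
            pass  # shadowed: the normal, expected state
        elif pw == "":
            findings.append((e["name"], "empty password field: login needs no password"))
        elif pw == "*":
            findings.append((e["name"], "deactivated account (asterisk)"))
        else:
            findings.append((e["name"], "password hash stored in passwd instead of shadow"))
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "UID 0: root in all but name"))
    return findings


def same_primary_group(entries, a, b):
    """True if accounts a and b share a primary GID, so files a creates are
    initially accessible to b under the group permission bits."""
    by_name = {e["name"]: e for e in entries}
    return by_name[a]["gid"] == by_name[b]["gid"]


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    for name, finding in audit_passwd(accounts):
        print(f"{name:8s} {finding}")
    print("alecia and jason share a primary group:",
          same_primary_group(accounts, "alecia", "jason"))
```

Whether the group can actually read a newly created file also depends on the creating user's umask at the time, which is why the question says "initially"; a later chmod (or a restrictive umask such as 077) changes the picture.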

8. You are attempting to hack a Windows machine and want to gain a copy of the SAM file. Where can you find it? (Choose all that apply.)

A. /etc/passwd

B. /etc/shadow

C. c:\windows\system32\config

D. c:\winnt\config

E. c:\windows\repair

C and E. From Microsoft’s definition, the Security Account Manager (SAM) is a database that stores user accounts and security descriptors for users on the local computer. The SAM file can be found in c:\windows\system32\config. If you’re having problems getting there, try pulling a copy from system restore (c:\windows\repair).

A and B are both incorrect because /etc is a dead giveaway this is a Linux folder (note the forward slash instead of the Windows backward slash). The /etc folder contains all the administration files and passwords on a Linux system. Both the password and shadow files are found here.

D is incorrect because this is not the correct location of the SAM. It’s included as a distractor.

9. Which of the following statements are true concerning Kerberos? (Choose all that apply.)

A. Kerberos uses symmetric encryption.

B. Kerberos uses asymmetric encryption.

C. Clients ask for authentication tickets from the KDC in clear text.

D. KDC responses to clients never include a password.

E. Clients decrypt a TGT from the server.

A, B, C, D, and E. All answers are correct. Kerberos makes use of both symmetric and asymmetric encryption technologies to securely transmit passwords and keys across a network. The entire process consists of a key distribution center (KDC), an authentication service (AS), a ticket granting service (TGS), and the Ticket Granting Ticket (TGT). A basic Kerberos exchange starts with a client asking the KDC, which holds the AS and TGS, for a ticket, which will be used to authenticate throughout the network. This request is in clear text. The server will respond with a secret key, which is hashed by the password copy kept on the server (passwords are never sent—only hashes and keys). This is known as the TGT. The client decrypts the message, since it knows the password, and the TGT is sent back to the server requesting a TGS service ticket. The server responds with the service ticket, and the client is allowed to log on and access network resources.

10. What is the difference between a dictionary attack and a hybrid attack?

A. Dictionary attacks are based solely on word lists, whereas hybrid attacks make use of both word lists and rainbow tables.

B. Dictionary attacks are based solely on whole word lists, whereas hybrid attacks can use a variety of letters, numbers, and special characters.

C. Dictionary attacks use predefined word lists, whereas hybrid attacks substitute numbers and symbols within those words.

D. Hybrid and dictionary attacks are the same.

C. A hybrid attack is a variant on a dictionary attack. In this effort, you still have a word list; however, the cracker is smart enough to replace letters and characters within those words. For example, both attacks might use a list containing the word Password. To have multiple variants on it, the dictionary attack would need to have each variant added to the list individually (P@ssword, Pa$$word, and so on). A hybrid attack would require the word list only to include Password because it would swap out characters and letters to find different versions of the same word.

A is incorrect because hybrid attacks don’t use rainbow tables.

imageB is incorrect because dictionary attacks can use all sorts of variants of a whole word; they just need to be listed separately in the list.

imageD is incorrect because hybrid and dictionary attacks are most definitely different.
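The explanation above is easiest to see in code. The following is an added example (not the book’s code): it enumerates the variants a hybrid attack derives from the single wordlist entry Password, and then shows the cheaper inverse check a password policy can run, folding a candidate back onto its base word and rejecting it if that word is in the dictionary. The substitution table and the sample words are my own assumptions.

```python
"""Hybrid-attack variants vs. a plain dictionary list, and the inverse check a
password policy can run. Added example; not from the book."""
import itertools

# Substitutions a hybrid cracker typically tries for a letter (constructed table).
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}

# The reverse mapping, used to fold a candidate password back onto its base word.
DELEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})


def hybrid_variants(word: str) -> set[str]:
    """Every variant a hybrid attack derives from ONE wordlist entry: each letter
    kept or swapped for a look-alike, then a few case forms. A pure dictionary
    attack would need each of these spelled out as its own list entry."""
    options = [(ch,) + tuple(LEET.get(ch.lower(), "")) for ch in word]
    variants = set()
    for combo in itertools.product(*options):
        base = "".join(combo)
        variants.update({base, base.lower(), base.upper(), base.capitalize()})
    return variants


def normalize(candidate: str) -> set[str]:
    """Collapse leet-speak and optional trailing digits/punctuation so that
    'P@$$w0rd123' and 'Password' both map onto 'password'. Both the stripped
    and unstripped forms are returned so 'hell0' still matches 'hello'."""
    stripped = candidate.rstrip("0123456789!#%^&*?.,-_")
    return {candidate.translate(DELEET).lower(), stripped.translate(DELEET).lower()}


def is_dictionary_derived(candidate: str, wordlist: set[str]) -> bool:
    """Policy check: reject a password that is merely a hybrid mutation of a
    dictionary word. normalize() is far cheaper than enumerating
    hybrid_variants() for every word in the list."""
    return any(form in wordlist for form in normalize(candidate))


if __name__ == "__main__":
    print(len(hybrid_variants("Password")), "variants from one wordlist entry")
    print(is_dictionary_derived("P@$$w0rd123", {"password"}))
```

The point for a defender is the asymmetry: the attacker pays the cost of generating variants, while the policy check only has to undo the substitutions once per candidate.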

11. Which of the following contains a listing of port numbers for well-known services defined by IANA?

A. %windir%\etc\lists

B. %windir%\system32\drivers\etc\lmhosts

C. %windir%\system32\drivers\etc\services

D. %windir%\system32\drivers\etc\hosts

C. I’ve sat back many times in writing these books struggling to determine why certain specific but not very useful things seem to be so near and dear to the test makers at EC-Council, but I can’t find any particular rhyme or reason. Sometimes, Dear Reader, you just have to memorize and move on, and this example is no exception. If you happen to be out on your real job and completely forget every well-known port number, you’d probably just look up the list on an Internet search. If you’re bored or really nerdy, though, you can pull up a list of them by visiting the services file. It’s sitting right there beside the hosts and lmhosts files.

A, B, and D are incorrect because these locations do not hold the services file.

12. Which of the following SIDs indicates the true administrator account?

A. S-1-5-21-1388762127-2960977290-773940301-1100

B. S-1-5-21-1388762127-2960977290-773940301-1101

C. S-1-5-21-1388762127-2960977290-773940301-500

D. S-1-5-21-1388762127-2960977290-773940301-501

C. The security identifier (SID) in Windows is used to identify a “security principal.” It’s unique to each account and service and is good for the life of the principal. Everything else associated with the account is simply a property of the SID, allowing accounts to be renamed without affecting their security attributes. In a Windows system, the true administrator account always has an RID (relative identifier) of 500.

A and B are incorrect because neither 1100 nor 1101 is the RID associated with the administrator account. RID values between 1000 and 1500 indicate a standard user account.

D is incorrect because 501 is the RID for the guest account.
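Because the RID survives a rename, it is the reliable way to spot the built-in administrator during a review. The following added example (not the book’s code) parses a SID string, classifies its RID using the values the page gives, and flags accounts carrying RID 500 under a name other than Administrator. It treats every RID of 1000 or above as a user-created account, generalizing the page’s 1000–1500 rule; the account names in the sample are constructed, while the domain portion of the SIDs is the one from the question.

```python
"""Parsing Windows SIDs and classifying the RID. Added example, not from the book."""
import re

# S-<revision>-<identifier authority>-<sub-authorities...>-<RID>
SID_PATTERN = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Well-known RIDs named on the page. Anything 1000 or above is treated as a
# user-created account, generalizing the page's 1000-1500 rule.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}


def parse_sid(sid: str) -> dict:
    """Split a SID into its parts; the last sub-authority is the RID."""
    m = SID_PATTERN.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority, rest = m.groups()
    subs = [int(x) for x in rest.split("-")[1:]]
    return {
        "revision": int(revision),
        "authority": int(authority),
        # sub-authorities before the RID identify the machine or domain
        "domain_id": "-".join(str(s) for s in subs[:-1]),
        "rid": subs[-1],
    }


def classify_rid(rid: int) -> str:
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "user-created account"
    return "other built-in principal"


def find_renamed_admins(accounts: dict[str, str]) -> list[str]:
    """Renaming the Administrator account changes only a property of the SID,
    so the RID still gives it away. Returns account names whose RID is 500
    but whose name is not 'Administrator'."""
    return sorted(name for name, sid in accounts.items()
                  if parse_sid(sid)["rid"] == 500 and name.lower() != "administrator")


# Constructed sample: the page's domain portion with made-up account names.
SAMPLE_ACCOUNTS = {
    "svc_backup": "S-1-5-21-1388762127-2960977290-773940301-500",
    "Guest": "S-1-5-21-1388762127-2960977290-773940301-501",
    "jsmith": "S-1-5-21-1388762127-2960977290-773940301-1100",
}

if __name__ == "__main__":
    for name, sid in SAMPLE_ACCOUNTS.items():
        print(name, classify_rid(parse_sid(sid)["rid"]))
    print("renamed admins:", find_renamed_admins(SAMPLE_ACCOUNTS))
```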

13. In which step of EC-Council’s system hacking methodology would you find steganography?

A. Cracking passwords

B. Escalating privileges

C. Executing applications

D. Hiding files

E. Covering tracks

D. Yes, sometimes you get a question that’s relatively easy, and this is a prime example. Hiding files is exactly what it sounds like—find a way to hide files on the system. There are innumerable ways to accomplish this, but steganography (which includes hiding all sorts of stuff inside images, video, and such) and NTFS file streaming are the two you’ll most likely see referenced on the exam.

A, B, C, and E are incorrect because you do not hide files in these steps. Cracking passwords is self-explanatory. Escalating privileges refers to the means taken to elevate access to administrator level. Executing applications is exactly what it sounds like, and you’ll probably see remote execution tools referenced (and, for some bizarre reason, keyloggers and spyware). Covering tracks deals with proxies, log files, and such.

14. Examine the following extract from a compromised system:

[figure: extract from the compromised system not reproduced]

Which of the following is the best description of what the attacker is attempting to accomplish?

A. Replacing the SAM file with a file of his choosing

B. Copying the SAM file for offline cracking attempts

C. Cracking any Syskey encryption on the SAM file

D. Uploading a virus

B. This one is actually pretty simple to decipher, yet I’ve seen versions of this on nearly every practice exam I used in prepping for the exam myself. If you see something like this, don’t get all wrapped up in the name of the text file. The command sequence should read pretty clearly: “Type the contents of the file named sam, which is located in the c:\winnt\repair\ folder, into a new file called syskey.txt, and put that new file in the root directory (C:).” As an aside, you’ll likely see a question or two referencing the location of the repair copy for SAM, so this one’s a two-fer. You’re welcome.

A is incorrect because this command is outputting, not inputting.

C is incorrect because there is no cracking attempt being made here.

D is incorrect because there is no uploading going on at all here, virus or otherwise.

15. Which password would be considered the most secure?

A. CEH123TEST

B. CEHisaHARDTEST

C. 638154849675

D. C3HisH@rd

D. According to EC-Council and the CEH exam, D is the correct answer. On this exam, complexity trumps length no matter what. Sure, an argument can be made that a longer password is better than a shorter one (regardless of complexity, and particularly if it is used for a shorter period of time), but just stick with complexity—using letters, numbers, and special characters—and you’ll be fine. And, obviously, a longer complex password is more secure than a shorter complex one.

A is incorrect because it uses only letters and numbers.

B is incorrect for the same reason. It is much longer than the correct answer, but there’s no complexity.

C is incorrect because it uses only numbers. It has no complexity, and it’s a fairly short length.

16. Which of the following are true statements? (Choose all that apply.)

A. John the Ripper does not display the case of cracked LM hash passwords.

B. NTLMv1 represents an effective countermeasure to password cracking.

C. Syskey provides additional protection against password cracking.

D. The hash value of a Windows LM password that is seven characters or less will always be passed as 00112233445566778899.

E. Enforcing complex passwords provides additional protection against password cracking.

A, C, and E. John the Ripper is one of the more well-known password crackers; it’s been around seemingly forever, and you’ll definitely see it on your exam. On LM-hashed passwords, it displays the passwords in all caps. Syskey definitely isn’t foolproof, but it does provide additional protection against password cracking. And, last but not least, complex passwords are harder to crack than simple ones, so this should’ve been an easy choice.

B is incorrect because NTLMv1 is about as secure as sticky notes pasted to computer screens. It’s old and easily cracked.

D is incorrect because even a seven-character password will generate a unique first half of the hash. It’s the second part that always remains the same on seven-character (or less) passwords: AAD3B435B51404EE.

17. Which of the following are considered offline password attacks? (Choose all that apply.)

A. Using a hardware keylogger

B. Brute-force cracking with Cain and Abel on a stolen SAM file

C. Using John the Ripper on a stolen passwd file

D. Shoulder surfing

A, B, and C. An offline password attack occurs when you take the password file (or the passwords themselves) offline for work. Common methods are stealing the SAM or passwd (shadow) files and then running dictionary, hybrid, or brute-force attacks against them (using a password-cracking tool such as Cain and Abel or John the Ripper). Keyloggers are also considered offline attacks because you examine the contents off network.

D is incorrect because shoulder surfing is considered another form of attack altogether—a nonelectronic attack. No, I’m not making this up; it’s actually a term in CEH lingo and refers to social engineering methods of obtaining a password. Shoulder surfing is basically standing behind someone and watching their keystrokes.

18. If a rootkit is discovered on the system, which of the following is the best alternative for recovery?

A. Replacing all data files from a good backup

B. Installing Tripwire

C. Reloading the entire system from known good media

D. Deleting all data files and reboot

C. Sometimes a good old wipe and reload is not only faster than a cleanup effort but just flat out better. When it comes to rootkits, it’s really your only option. If it’s an off-the-shelf rootkit that has been documented, it’s likely that good instructions on how to fully remove it are available somewhere. However, just remember that while you may think you have it removed by following removal instructions, you know it’s gone if you blow the system away and reload it.

A and D are incorrect because nearly anything you’re doing with the data files themselves isn’t going to help in getting rid of a rootkit. The device has been rooted, so all data should be treated as suspect.

B is incorrect because while Tripwire is a great tool, it isn’t really useful to you once the machine has been infected.
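To make the Tripwire point concrete, here is an added example (not the book’s code, and not Tripwire itself) of the integrity-baseline idea: hash every file under a tree while the system is still trusted, then compare a later snapshot to report added, removed and modified files. The scratch directory, file names and tamper steps in demo() are constructed.

```python
"""A Tripwire-style integrity baseline, to show where such a tool helps (before
compromise) and why it cannot be trusted afterwards. Added example, not from the book."""
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict[str, str]:
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def diff(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Report what changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a scratch 'sbin' tree, then replace one
    binary, delete another and drop in a new file, the kind of change a
    rootkit install leaves behind."""
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "sbin")
        os.makedirs(sbin)
        originals = {"ps": b"ps v1", "ls": b"ls v1", "netstat": b"netstat v1"}
        for name, data in originals.items():
            with open(os.path.join(sbin, name), "wb") as f:
                f.write(data)
        before = snapshot(root)  # taken while the system is still trusted

        with open(os.path.join(sbin, "ps"), "wb") as f:
            f.write(b"ps v1 (replaced)")  # constructed tamper
        os.remove(os.path.join(sbin, "netstat"))
        with open(os.path.join(sbin, "hidden.so"), "wb") as f:
            f.write(b"new")
        after = snapshot(root)
        return diff(before, after)


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the stored baseline and the host doing the hashing. Once the kernel or the tools it relies on are rooted, the hashing code itself can be lied to, which is exactly why the explanation says Tripwire stops being useful after infection: the baseline has to exist, and be kept off the box, before the compromise.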

19. Examine the following portion of a log file, captured during a hacking attempt:

[figure: log file extract not reproduced]

What was the attacker attempting to do?

A. Copy files for later examination

B. Cover his tracks

C. Change the shell to lock out other users

D. Upload a rootkit

B. You’ll definitely see basic Linux commands on your test, and this is one example of how you’ll be asked about them. In this example, the rm command is used to remove (delete) files on a Linux system. Looking at what the hacker is attempting to remove, it seems logical to assume—even without seeing the rest of the log—that the hacker is covering his tracks.

A is incorrect because the command for copy in Linux is cp.

C is incorrect because the shell is not being tampered with. This answer is included as a distractor.

D is incorrect because there is no evidence in this capture that anything is being uploaded; all commands are for removal of files (using the rm command). Granted, it’s highly likely something was uploaded before this portion, but we’re not privy to that information here.
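The log from the question is not reproduced here, so as an added example (not from the book) here is the check a defender would run over a captured command log to surface the pattern the explanation describes: rm aimed at log files or shell history. The sample log lines and the lists of sensitive paths are constructed assumptions.

```python
"""Flagging rm commands aimed at logs and history files in a command log.
Added example, not from the book; the log lines are constructed."""
import shlex

# Locations whose deletion is a classic track-covering move (constructed list).
SENSITIVE_PREFIXES = ("/var/log/", "/var/run/utmp")
SENSITIVE_SUFFIXES = (".bash_history", ".zsh_history", "/.history")

# Constructed command log, one command per line.
SAMPLE_LOG = """\
cp report.txt /tmp/
rm -f /var/log/messages /var/log/secure
ls -la /root
rm -rf /root/.bash_history
rm -f /tmp/scratch
"""


def is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PREFIXES) or path.endswith(SENSITIVE_SUFFIXES)


def removal_targets(command: str) -> list[str]:
    """Return the paths an rm command would delete, or [] if it is not rm."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes; not something we can parse
        return []
    if not argv or argv[0].rsplit("/", 1)[-1] != "rm":
        return []
    return [arg for arg in argv[1:] if not arg.startswith("-")]


def flag_track_covering(log: str) -> list[tuple[str, list[str]]]:
    """Lines that delete logs or shell history, paired with the offending paths."""
    hits = []
    for line in log.splitlines():
        sensitive = [p for p in removal_targets(line) if is_sensitive(p)]
        if sensitive:
            hits.append((line, sensitive))
    return hits


if __name__ == "__main__":
    for line, paths in flag_track_covering(SAMPLE_LOG):
        print(f"track covering? {line!r} -> {paths}")
```

In practice the same logic runs over auditd execve records or a shell-history forwarder rather than a plain text file, and the real defence is shipping logs off the host before they can be removed.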

20. You suspect a hack has occurred against your Linux machine. Which command will display all running processes for you to review?

A. ls -d

B. ls -l

C. su

D. ps -ef

E. ifconfig

D. The ps command is used in Linux to display processes. The -e switch selects all processes, running or not, and the -f switch provides a full listing. A couple of other options you might see include -r (restrict output to running processes), -u (select by effective user ID; supports names), and -p (select by process ID).

A and B are incorrect because the ls command in Linux lists files inside a storage directory. A couple of switches of note include -d (list directory entries instead of contents), -h (print sizes in human readable format), -l (use a long listing format), and -p (file type).

C is incorrect because the su command in Linux is for “switch user.” Assuming you have permission/authentication to do so, this allows you to change the effective user ID and group ID to whatever you want.

E is incorrect because ifconfig is used to configure a network interface in Linux. It looks, and works, very much like the ipconfig command in Windows, which makes it an easy target for test question writers, so pay close attention to the OS when asked about configuring your NIC.

21. An organization requires an option to control network traffic and perform stateful inspection of traffic going into and out of the DMZ. Which built-in functionality of Linux can achieve this?

A. iptables

B. ipchains

C. ipsniffer

D. ipfirewall

A. iptables is a built-in “user space” application in Linux that allows you to configure the tables used by the Linux kernel firewall. It must be executed with root privileges and allows for stateful inspection. On most Linux systems, iptables is installed as /usr/sbin/iptables.

B is incorrect because ipchains won’t allow for stateful inspection.

C and D are incorrect because as far as I know there’s no such thing as ipsniffer or ipfirewall.

22. Which of the following best describes Cygwin?

A. Cygwin is a UNIX subsystem running on Windows.

B. Cygwin is a Windows subsystem running on top of UNIX.

C. Cygwin is a C++ compiler.

D. Cygwin is a password cracking tool.

A. Cygwin (www.cygwin.com/) provides a Linux-like environment for Windows. It’s a large collection of GNU and open source tools that provide functionality similar to a Linux distribution on Windows, as well as a DLL (cygwin1.dll) that provides substantial POSIX API functionality, according to the website. The Cygwin DLL currently works with all recent, commercially released x86 32-bit and 64-bit versions of Windows, starting with Windows XP SP3.

B, C, and D are incorrect descriptions of Cygwin.

23. Which folder in Linux holds administrative commands and daemons?

A. /sbin

B. /bin

C. /dev

D. /mnt

E. /usr

A. The system binaries folder holds most administrative commands (/etc holds others) and is the repository for most of the routines Linux runs (known as daemons).

B is incorrect because this folder holds all sorts of basic Linux commands (a lot like the C:\Windows\System32 folder in Windows).

C is incorrect because this folder contains the pointer locations to the various storage and input/output systems you will need to mount if you want to use them, such as optical drives and additional hard drives or partitions. By the way, everything in Linux is a file. Everything.

D is incorrect because this folder holds the access locations you’ve actually mounted.

E is incorrect because this folder holds most of the information, commands, and files unique to the users.

24. Which of the following is the appropriate means to pivot within a Metasploit attack session?

A. Use the pivot exploit outside meterpreter.

B. Reconfigure network settings in meterpreter.

C. Set the payload to propagate.

D. Create a route statement in the meterpreter.

D. To answer this, you have to know what pivot means and what the meterpreter is, and the best explanation for both is found right on the Offensive Security website (www.offensive-security.com/): “Pivoting is the unique technique of using an instance (also referred to as a plant or foothold) to be able to ‘move’ around inside a network. Basically using the first compromise to allow and even aid in the compromise of other otherwise inaccessible systems. Metasploit has an autoroute meterpreter script that allows an attack into a secondary network through a first compromised machine. Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. Meterpreter resides entirely in memory and writes nothing to disk.” Adding a route statement inside the dynamic meterpreter environment allows the attack to “pivot” to a new target. Neat, eh?

A, B, and C are incorrect because they are neither legitimate nor accurate statements regarding a pivot attack.

25. You are examining files on a Windows machine and note one file’s attributes include “h.” What does this indicate?

A. The file is flagged for backup.

B. The file is part of the help function.

C. The file is fragmented because of size.

D. The file has been quarantined by an antivirus program.

E. The file is hidden.

E. The hidden attribute can be set on any file to hide it from standard directory searches. You can accomplish this with the following command line:

[figure: command line not reproduced]

or by right-clicking, choosing Properties, and checking the Hidden attribute check box at the bottom of the dialog.

A, B, C, and D are all incorrect definitions of the hidden attribute.

26. You have gained access to a SAM file from an older Windows machine and are preparing to run a Syskey cracker against it. How many bits are used for Syskey encryption?

A. 128

B. 256

C. 512

D. 1024

A. I know, Syskey is outdated, and you’ll probably never see it again. However, it’s still in your exam pool, so you have to know it. I could rehash the definition, but it appears in an earlier question, and you should have it memorized by now anyway. Just know it provides additional security on older Windows NT boxes and uses 128 bits for encryption.

B, C, and D are incorrect because Syskey uses only 128 bits for encryption.

27. Which of the following tools can assist in discovering the use of NTFS file streams? (Choose all that apply.)

A. LADS

B. ADS Spy

C. Sfind

D. Snow

A, B, and C. NTFS streaming (alternate data streaming) isn’t a huge security problem, but it is something many security administrators concern themselves with. If you want to know where it’s going on, you can use any of these tools: LADS and ADS Spy are freeware tools that list all alternate data streams of an NTFS directory. ADS Spy can also remove Alternate Data Streams (ADS) from NTFS file systems. Sfind, probably the oldest one here, is a Foundstone forensic tool you can use for finding ADS.

D is incorrect because Snow is a steganography tool used to conceal messages in ASCII text by appending whitespace to the end of lines.

28. Which of the following are true regarding Kerberos?

A. Kerberos makes use of UDP as a transport protocol.

B. Kerberos makes use of TCP as a transport protocol.

C. Kerberos uses port 88 for the transmission of data.

D. Kerberos makes use of both symmetric and asymmetric encryption techniques.

E. All of the above.

E. Kerberos uses both symmetric and asymmetric encryption technologies to securely transmit passwords and keys across a network. The entire process consists of a key distribution center (KDC), an authentication service (AS), a ticket granting service (TGS), and the ticket granting ticket (TGT). It can make use of both TCP and UDP and runs over port 88.

A, B, C, and D are incorrect because they’re all true regarding Kerberos, which makes them correct but wrong choices.
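The exchange described for questions 9 and 28 (clear-text request, reply sealed under a key derived from the stored password material, TGT presented to the TGS for a service ticket) is shown end to end in the following added example. It is not the book’s code and not real Kerberos: the sealing routine is a toy authenticated-encryption stand-in for Kerberos encryption types, the realm salt and principal names are constructed, and the transport (port 88, TCP or UDP) is left out because both parties are in one process.

```python
"""Toy walk-through of the Kerberos AS/TGS exchange. Added example, not the
book's code; seal()/unseal() stand in for real Kerberos encryption types."""
import hashlib
import hmac
import json
import os
import secrets

KERBEROS_PORT = 88  # per the page; the toy runs in-process so it is not used


def derive_key(password: str, salt: bytes) -> bytes:
    """Client and KDC both derive the long-term key from the password.
    Only this key is stored on the KDC; the password never crosses the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption: keystream XOR plus an HMAC tag."""
    nonce = os.urandom(16)
    pt = json.dumps(payload).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first; a wrong key (wrong password) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds the AS and the TGS. Stores derived keys, never passwords."""

    def __init__(self, principals: dict[str, str]):
        self.salt = b"EXAMPLE.REALM"  # constructed realm salt
        self.keys = {name: derive_key(pw, self.salt) for name, pw in principals.items()}
        self.krbtgt_key = secrets.token_bytes(32)  # only the KDC can open TGTs

    def as_exchange(self, client: str) -> bytes:
        """AS-REQ names the client in clear text; AS-REP is sealed with the
        client's long-term key and carries the session key plus the TGT."""
        session_key = secrets.token_bytes(32)
        tgt = seal(self.krbtgt_key, {"client": client, "sk": session_key.hex()})
        return seal(self.keys[client], {"sk": session_key.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """TGS-REQ presents the TGT plus an authenticator sealed with the session
        key; TGS-REP returns a service ticket the client itself cannot read."""
        tgt_body = unseal(self.krbtgt_key, tgt)
        session_key = bytes.fromhex(tgt_body["sk"])
        if unseal(session_key, authenticator)["client"] != tgt_body["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_session_key = secrets.token_bytes(32)
        ticket = seal(self.keys[service],
                      {"client": tgt_body["client"], "sk": svc_session_key.hex()})
        return seal(session_key, {"service": service, "sk": svc_session_key.hex(),
                                  "ticket": ticket.hex()})


def client_logon(kdc: KDC, user: str, password: str, service: str) -> dict:
    """Run the full exchange from the client side and return what the service
    learns when it opens the ticket with its own key."""
    key = derive_key(password, kdc.salt)
    as_rep = unseal(key, kdc.as_exchange(user))  # raises ValueError on a wrong password
    session_key, tgt = bytes.fromhex(as_rep["sk"]), bytes.fromhex(as_rep["tgt"])
    authenticator = seal(session_key, {"client": user})
    tgs_rep = unseal(session_key, kdc.tgs_exchange(tgt, authenticator, service))
    return unseal(kdc.keys[service], bytes.fromhex(tgs_rep["ticket"]))


if __name__ == "__main__":
    kdc = KDC({"alice": "correct horse battery", "host/fileserver": "svc-key-material"})
    print(client_logon(kdc, "alice", "correct horse battery", "host/fileserver"))
```

Two details worth noticing: the client proves knowledge of the password only by being able to open the AS reply, so nothing secret is ever sent in the first message, and the service ticket is opaque to the client because it is sealed under the service’s key, not the session key.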

29. Which authentication method uses DES for encryption and forces 14-character passwords for hash storage?

A. NTLMv1

B. NTLMv2

C. LAN Manager

D. Kerberos

C. LAN Manager is an older authentication model that burst onto the scene around the Windows 95 launch. It uses DES as an encryption standard (a 56-bit key DES, to be technical) and, as covered before, has a quirky habit of capitalizing passwords and splitting them into two seven-character halves. Believe it or not, this is still in use in the field. It’s most often found in places where backward compatibility was needed for something and, eventually, it was just forgotten or overlooked.

A is incorrect because NTLMv1 (NT LAN Manager) improved upon LM methods. It stopped crazy practices such as padding passwords to 14 characters, and so on, and it supported stronger encryption.

B is incorrect because NTLMv2 also did not follow the encryption methods used by LM. In addition to the improvements from version 1, NTLMv2 made use of 128-bit MD5 hashing.

D is incorrect because Kerberos is a strong and secure authentication method that does not work like LM. Kerberos makes use of a key distribution center (KDC) and grants tickets to properly authenticated clients to access resources on the network.
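The LM quirks from questions 16 and 29 connect: upper-casing, padding to 14 characters and splitting into two seven-character halves is why a password of seven characters or fewer always produces the second hash half AAD3B435B51404EE (the second half of the input is all NULs). The following added example (not the book’s code) implements that preprocessing step, without the DES step, and audits pwdump-style lines for the tell-tale constant. The dump lines are constructed, with placeholder hash values apart from the constant the page gives.

```python
"""LM hash mechanics: the 14-character, case-folded, two-half preprocessing
and an audit of dump lines for the tell-tale second half.
Added example, not the book's code; the dump lines are constructed."""

# Second LM half for any password of seven characters or fewer (from the page):
# the DES output for an all-NUL second half of the padded password.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM_HASH = EMPTY_LM_HALF * 2  # both halves empty: blank password or LM storage disabled


def lm_preprocess(password: str) -> tuple[bytes, bytes]:
    """What LAN Manager does before hashing: upper-case the password, truncate
    or NUL-pad it to 14 bytes, and split it into two independent 7-byte halves.
    Each half then becomes a DES key (the DES step is not implemented here;
    real LM uses the OEM code page, ASCII is assumed for the example)."""
    padded = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return padded[:7], padded[7:]


def audit_dump_line(line: str) -> dict:
    """Classify one 'user:rid:lmhash:nthash:::' line. A second half equal to
    EMPTY_LM_HALF means the second 7-byte block was all NULs, so the password
    is at most seven characters and a cracker only needs to recover seven
    upper-case characters."""
    user, rid, lm, _nt = line.split(":")[:4]
    lm = lm.upper()
    if lm == EMPTY_LM_HASH:
        status = "no LM hash (blank password or LM storage disabled)"
    elif len(lm) == 32 and lm[16:] == EMPTY_LM_HALF:
        status = "LM hash present; password is 7 characters or fewer"
    elif len(lm) == 32:
        status = "LM hash present; password is 8 to 14 characters"
    else:
        status = "malformed LM field"
    return {"user": user, "rid": int(rid), "status": status}


# Constructed sample dump. Hash values are placeholders, not real hashes,
# apart from the EMPTY_LM_HALF constant the page gives.
SAMPLE_DUMP = [
    "Administrator:500:0123456789ABCDEF" + EMPTY_LM_HALF + ":" + "F" * 32 + ":::",
    "svc_legacy:1100:0123456789ABCDEF0123456789ABCDEF:" + "E" * 32 + ":::",
    "jsmith:1101:" + EMPTY_LM_HASH + ":" + "D" * 32 + ":::",
]


if __name__ == "__main__":
    print(lm_preprocess("secret"))
    for line in SAMPLE_DUMP:
        print(audit_dump_line(line))
```

Any account in the second state is the cheapest target in the dump, which is why disabling LM hash storage (the third state) is the countermeasure, rather than hoping for complexity within seven upper-case characters.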