Exam - CEHv10-1
2. You are logged in as a local admin on a Windows 7 system and you need to launch the
Computer Management Console from the command line.
Which command would you use?
4. When you are testing a web application, it is very useful to employ a proxy tool to save
every request and response. You can manually test every request and analyze the
response to find vulnerabilities. You can test parameters and headers manually to get
more precise results than if using web vulnerability scanners.
What proxy tool will help you find web vulnerabilities?
5. It is a regulation that has a set of guidelines, which should be adhered to by anyone who
handles any electronic medical data. These guidelines stipulate that all medical practices
must ensure that all necessary measures are in place while saving, accessing, and
sharing any electronic medical data to keep patient data secure.
Which of following regulations best matches the description?
6. Which of the following tools performs comprehensive tests against web servers,
including dangerous files and CGIs?
7. A virus that attempts to install itself inside the file it is infecting is called?
9. The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE’s
Common Vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the
OpenSSL implementation of the transport layer security (TLS) protocols defined in
RFC6520.
What type of key does this bug leave exposed to the internet making exploitation of any
compromised system very easy?
10. You are tasked to perform a penetration test. While you are performing information
gathering, you find an employee list in Google. You find the receptionist’s email, and
you send her an email, changing the source email to her boss’s email (boss@company).
In this email, you ask for a pdf with information. She reads your email and sends back
a pdf with links. You exchange the pdf links with your malicious links (these links contain
malware) and send back the modified pdf, saying that the links don’t work. She reads
your email, opens the links, and her machine gets infected. You now have access to the
company network.
What testing method did you use?
11. It is an entity or event with the potential to adversely impact a system through
unauthorized access, destruction, disclosure, denial of service or modification of data.
Which of the following terms best matches the definition?
12. While using your bank’s online servicing you notice the following string in the URL bar:
“http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980
&Camount=21”
You observe that if you modify the Damount & Camount values and submit the request,
the data on the web page reflects the change.
Which type of vulnerability is present on the site?
13. Your team has won a contract to infiltrate an organization. The company wants to have
the attack be as realistic as possible; therefore, they did not provide any information
besides the company name.
What should be the first step in security testing the client?
14. The chance of a hard drive failure is once every three years. The cost to buy a new hard
drive is $300. It will require 10 hours to restore the OS and software to the new hard
disk. It will require a further 4 hours to restore the database from the last backup to the
new hard disk. The recovery person earns $10/hour. Calculate the SLE, ARO, and ALE.
Assume the EF = 1 (100%).
What is the closest approximate cost of this replacement and recovery operation per
year?
15. Which of the following is a low-tech way of gaining unauthorized access to systems?
17. You have compromised a server and successfully gained root access. You want to pivot
and pass traffic undetected over the network and evade any possible Intrusion
Detection System.
What is the best approach?
18. A hacker has successfully infected an internet-facing server which he will then
use to send junk mail, take part in coordinated attacks, or host junk email
content.
Which sort of trojan infects this server?
19. You just set up a security system in your network. In what kind of system would you find
the following string of characters used as a rule within its configuration?
alert tcp any any -> 192.168.100/0.24 (msg: "FTP on the network!";)
20. Which method of password cracking takes the most time and effort?
21. You’ve just been hired to perform a pen test on an organization that has been subjected
to a large-scale attack. The CIO is concerned with mitigating threats and vulnerabilities
to totally eliminate risk.
What is one of the first things you should do when given the job?
23. During a security audit of IT processes, an IS auditor found that there were no
documented security procedures. What should the IS auditor do?
24. Which of the following Linux commands will resolve a domain name into IP address?
26. The collection of potentially actionable, overt, and publicly available information is
known as
27. Which of the following is a protocol specifically designed for transporting event
messages?
28. An attacker changes the profile information of a particular user (victim) on the target
website. The attacker uses this string to update the victim’s profile text and then
submit the data to the attacker’s database.
<iframe src=http://www.vulnweb.com/updateif.php style="display: none"></iframe>
What is this type of attack (that can use either HTTP GET or HTTP POST) called?
29. You have successfully gained access to your client’s internal network and successfully
compromised a Linux server which is part of the internal IP network. You want to know
which Microsoft Windows workstations have file sharing enabled.
Which port would you see listening on these Windows machines in the network?
30. Which of the following can the administrator do to verify that a tape backup can be
recovered in its entirety?
31. The “black box testing” methodology enforces which kind of restriction?
32. Which tool can be used to silently copy files from USB devices?
33. Which of the following types of firewalls ensures that the packets are part of the
established session?
34. Which of the following tools can be used for passive OS fingerprinting?
35. You are attempting to man-in-the-middle a session. Which protocol will allow you to
guess a sequence number?
36. To maintain compliance with regulatory requirements, a security audit of the systems
on a network must be performed to determine their compliance with security policies.
Which one of the following tools would most likely be used in such an audit?
37. When you are collecting information to perform a data analysis, Google commands are
very useful to find sensitive information and files. These files may contain information
about passwords, system functions, or documentation.
What command will help you to search files using Google as a search engine?
39. Which of the following tools is used to detect wireless LANs using the 802.11a/b/g/n
WLAN standards on a Linux platform?
40. You are monitoring the network of your organization. You notice that
1. There are huge outbound connections from your Internal Network to External IPs.
2. On further investigation, you see that External IPs are blacklisted.
3. Some connections are accepted, and some are dropped.
4. You find that it is a CnC communication.
Which of the following solutions will you suggest?
41. John is an incident handler at a financial institution. His steps in a recent incident are
not up to the standards of the company. John frequently forgets some steps and
procedures while handling responses as they are very stressful to perform.
Which of the following actions should John take to overcome this problem with the least
administrative effort?
42. The security concept of “separation of duties” is most similar to the operation of which
type of security device?
43. This asymmetric cipher is based on factoring the product of two large prime numbers.
What cipher is described above?
44. When you are getting information about a web server, it is very important to know the
HTTP Methods (GET, POST, HEAD, PUT, DELETE, TRACE) that are available because there
are two critical methods (PUT and DELETE). PUT can upload a file to the server and
DELETE can delete a file from the server. You can detect all these methods (GET, POST,
HEAD, PUT, DELETE, TRACE) using NMAP script engine.
What nmap script will help you with this task?
46. Your company performs penetration tests and security assessments for small and
medium-sized businesses in the local area. During a routine security assessment, you
discover information that suggests your client is involved with human trafficking.
What should you do?
47. You have successfully compromised a machine on the network and found a server that
is alive on the same network. You tried to ping it but you didn’t get any response back.
What is happening?
48. Which of the following statements regarding ethical hacking is incorrect?
49. A common cryptographical tool is the use of XOR. XOR the following binary values:
10110001
00111010
50. If an attacker uses the command SELECT * FROM user WHERE name = 'x' AND userid IS
NULL; --'; which type of SQL injection attack is the attacker performing?
55. An attacker gains access to a Web server’s database and displays the contents of the
table that holds all of the names, passwords, and other user information. The attacker
did this by entering information into the Web site’s user login page that the software’s
designers did not expect to be entered. This is an example of what kind of software
design problem?
56. You are a Penetration Tester and are assigned to scan a server. You need to use a scanning
technique wherein the TCP Header is split into many packets so that it becomes difficult
to detect what the packets are meant for.
Which of the below scanning techniques will you use?
59. Which of the following describes the characteristics of a Boot Sector Virus?
60. What is the process of logging, recording and resolving events that take place in an
organization?
62. While performing online banking using a Web browser, a user receives an email that
contains a link to an interesting Web site. When the user clicks on the link, another Web
browser session starts and displays a video of cats playing a piano. The next business
day, the user receives what looks like an email from his bank, indicating that his bank
account has been accessed from a foreign country. The email asks the user to call his
bank and verify the authorization of a funds transfer that took place.
What Web browser-based security vulnerability was exploited to compromise the user?
63. A company’s Web development team has become aware of a certain type of security
vulnerability in their Web software. To mitigate the possibility of this vulnerability being
exploited, the team wants to modify the software requirements to disallow users from
entering HTML as input into their Web application.
What kind of Web application vulnerability likely exists in their software?
64. The configuration allows a wired or wireless network interface controller to pass all
traffic it receives to the central processing unit (CPU), rather than passing only the
frames that the controller is intended to receive.
Which of the following is being described?
65. Initiating an attack against targeted businesses and organizations, threat actors
compromise a carefully selected website by inserting an exploit resulting in malware
infection. The attackers run exploits on well-known and trusted sites likely to be visited
by their targeted victims. Aside from carefully choosing sites to compromise, these
attacks are known to incorporate zero-day exploits that target unpatched
vulnerabilities. Thus, the targeted entities are left with little or no defense against these
exploits.
What type of attack is outlined in the scenario?
66. What is the most common method to exploit the “Bash Bug” or “ShellShock”
vulnerability?
67. Which of these options is the most secure procedure for storing backup tapes?
68. Which of the following is the successor of SSL?
69. A new wireless client is configured to join an 802.11 network. This client uses the same
hardware and software as many of the other clients on the network. This client can see
the network, but cannot connect. A wireless packet sniffer shows that the Wireless
Access Point (WAP) is not responding to the association requests being sent by the
wireless client.
What is a possible source of this problem?
70. PGP, SSL and IKE are all examples of which type of cryptography?
71. Which of the following incident handling process phases is responsible for defining rules,
collaborating with the human workforce, creating a back-up plan, and testing the plans for an
organization?
72. Port scanning can be used as part of a technical assessment to determine network
vulnerabilities. The TCP XMAS scan is used to identify listening ports on the targeted
system.
If a scanned port is open, what happens?
73. A regional bank hires your company to perform a security assessment on their network
after a recent data breach. The attacker was able to steal financial data from the bank
by compromising only a single server.
Based on this information, what should be one of your key recommendations to the
bank?
74. You are a Network Security Officer. You have two machines. The first machine
(192.168.0.99) has Snort installed, and the second machine (192.168.0.150) has Kiwi
Syslog installed. You perform a SYN scan in your network, and you notice that Kiwi Syslog
is not receiving the alert message from Snort. You decide to run Wireshark on the Snort
machine to check if the messages are going to the Kiwi Syslog machine.
What Wireshark filter will show the connections from the Snort machine to the Kiwi Syslog
machine?
75. You have compromised a server on a network and successfully opened a shell. You
aimed to identify all operating systems running on the network. However, as you
attempt to fingerprint all machines in the network using the nmap syntax below, it is
not going through.
Invictus@victim_server:~$ nmap -T4 -O 10.10.0.0/24
TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx.
QUITTING!
What seems to be wrong?
76. You need to deploy a new web-based software package for your organization. The
package requires three separate servers and needs to be available on the Internet. What
is the recommended architecture in terms of server placement?
77. Which regulation defines security and privacy controls for Federal information systems
and organizations?
78. Which of the following security operations is used for determining the attack surface of
an organization?
79. You work as a Security Analyst for a retail organization. In securing the company’s
network, you set up a firewall and an IDS. However, hackers are able to attack the
network. After investigating, you discover that your IDS is not configured properly and
therefore is unable to trigger alarms when needed. What type of alert is the IDS giving?
80. Your company was hired by a small healthcare provider to perform a technical
assessment on the network.
What is the best approach for discovering vulnerabilities on a Windows-based
computer?
81. Which of the following is designed to identify malicious attempts to penetrate systems?
82. Which of the following is the BEST way to defend against network sniffing?
83. Which of the following is an extremely common IDS evasion technique in the web
world?
84. Session splicing is an IDS evasion technique in which an attacker delivers data in
multiple, small-sized packets to the target computer, making it very difficult for an IDS to
detect the attack signatures.
Which tool can be used to perform session splicing attacks?
85. When you return to your desk after a lunch break, you notice a strange email in your
inbox. The sender is someone you did business with recently, but the subject line has
strange characters in it.
What should you do?
86. Which of the following tools is used to analyze the files produced by several packet-
capture programs such as tcpdump, WinDump, Wireshark, and EtherPeek?
87. A network administrator discovers several unknown files in the root directory of his
Linux FTP server. One of the files is a tarball, two are shell script files, and the third is a
binary file named “nc.” The FTP server’s access logs show that the anonymous user
account logged in to the server, uploaded the files, and extracted the contents of the tarball
and ran the script using a function provided by the FTP server’s software. The ps
command shows that the nc file is running as a process, and the netstat command shows
the nc process is listening on a network port.
What kind of vulnerabilities must be present to make this remote attack possible?
88. An incident investigator asks to receive a copy of the event logs of all firewalls, proxy
servers, and Intrusion Detection Systems (IDS) on the network of an organization that has
experienced a possible breach of security. When the investigator attempts to correlate
the information in all of the logs, the sequence of many of the logged events does not
match up.
What is the most likely cause?
89. A company’s security policy states that all web browsers must automatically delete their
HTTP browser cookies upon terminating. What sort of security breach is this policy
attempting to mitigate?
90. An Intrusion Detection System (IDS) has alerted the network administrator to a possibly
malicious sequence of packets sent to a Web server in the network’s external DMZ. The
packet traffic was captured by the IDS and saved to a PCAP file. What type of network
tool can be used to determine if these packets are genuinely malicious or simply a false
positive?
92. What term describes the amount of risk that remains after the vulnerabilities are
classified and the countermeasures have been deployed?
93. This phase will increase the odds of success in later phases of the penetration test. It is
also the very first step in information gathering, and it will tell you what the “landscape”
looks like.
What is the most important phase of ethical hacking in which you need to spend a
considerable amount of time?
95. You’ve gained physical access to a Windows 2008 R2 server which has an accessible disc
drive. When you attempt to boot the server and log in, you are unable to guess the
password. In your tool kit you have an Ubuntu 9.10 Linux LiveCD. Which Linux-based tool
has the ability to change any user’s password or to activate disabled Windows accounts?
96. A penetration tester is conducting a port scan on a specific host. The tester found several
ports opened that were confusing in concluding the Operating System (OS) version
installed. Considering the NMAP result below, which of the following is likely to be
installed on the target machine by the OS?
Starting NMAP 5.21 at 2011-03-15 11:06
NMAP scan report for 172.16.40.65
Host is up (1.00s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
515/tcp open
631/tcp open ipp
9100/tcp open
MAC Address: 00:00:48:0D:EE:8
97. You are performing a penetration test. You achieved access via a buffer overflow exploit
and you proceed to find interesting data, such as files with usernames and passwords.
You find a hidden folder that has the administrator’s bank account password and login
information for the administrator’s bitcoin account.
What should you do?
98. To determine if a software program properly handles a wide range of invalid input, a
form of automated testing can be used to randomly generate invalid input in an
attempt to crash the program.
What term is commonly used when referring to this type of testing?
99. WPA2 uses AES for wireless data encryption at which of the following encryption levels?
100. The purpose of a ___________ is to deny network access to local area networks
and other information assets by unauthorized wireless devices.
101. Which tool allows analysts and pen testers to examine links between data using
graphs and link analysis?
102. Which of the following is the structure designed to verify and authenticate the
identity of individuals within the enterprise taking part in a data exchange?
103. It is a vulnerability in GNU’s bash shell, discovered in September of 2014, that
gives attackers access to run remote commands on a vulnerable system. The malicious
software can take control of an infected machine, launch denial-of-service attacks to
disrupt websites, and scan for other vulnerable devices (including routers).
Which of the following vulnerabilities is being described?
104. As a Certified Ethical Hacker, you were contracted by a private firm to conduct
an external security assessment through penetration testing.
What document describes the specifics of the testing, the associated violations, and
essentially protects both the organization’s interest and your liabilities as a tester?
105. You have successfully gained access to a Linux server and would like to ensure that
the succeeding outgoing traffic from this server will not be caught by a Network Based
Intrusion Detection System (NIDS).
What is the best way to evade the NIDS?
106. In 2007, this wireless security algorithm was rendered useless by capturing
packets and discovering the passkey in a matter of seconds. This security flaw led to a
network invasion of TJ Maxx and data theft through a technique known as wardriving.
Which Algorithm is this referring to?
107. Which of the following is a command line packet analyzer similar to GUI-based
Wireshark?
108. You have successfully compromised a server having an IP address of 10.10.0.5.
You would like to enumerate all machines in the same network quickly.
What is the best nmap command you will use?
109. The “gray box testing” methodology enforces what kind of restriction?
110. The “white box testing” methodology enforces what kind of restriction?
111. In which of the following cryptography attack methods does the attacker make a series
of interactive queries, choosing subsequent plaintexts based on the information from
the previous encryptions?
112. During a black box pentest you attempt to pass IRC traffic over port 80/TCP from
a compromised web enabled host. The traffic gets blocked; however, outbound HTTP
traffic is unimpeded.
What type of firewall is inspecting outbound traffic?
115. The Open Web Application Security Project (OWASP) is the worldwide not-for-profit
charitable organization focused on improving the security of software. What item
is the primary concern on OWASP’s Top Ten Project Most Critical Web Application
Security Risks?
116. During a recent security assessment, you discover the organization has one
Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on
the internal network.
What is this type of DNS configuration commonly called?
121. You are performing information gathering for an important penetration test.
You have found pdf, doc, and image files on the target. You decide to extract metadata
from these files and analyze it.
What tool will help you with the task?
122. What does a firewall check to prevent particular ports and applications from
getting packets into an organization?
123. In Risk Management, how is the term “likelihood” related to the concept of
“threat”?