CEH v10 Certified Ethical Hacker Study Guide 2019 - Assessment Test

Test taker: Anonymos, 2019-10-22T05:11:19
Correct: 22 (73%)
Incorrect: 8 (26%)

Correct

Which header field is used to reassemble fragmented IP packets?

The destination address is used as the address to send messages to. The don’t fragment bit is used to tell network devices not to fragment the packet. The Type of Service (ToS) field can be used to perform quality of service. The IP identification field is used to identify fragments of the same packet, as they would all have the same IP identification number.
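To make the reassembly point concrete, here is an added example (not from the study guide) that builds IPv4 fragments, parses the header fields named above (identification, the DF and MF flags, the fragment offset) and reassembles datagrams by the (source, destination, protocol, identification) tuple. The addresses, identification numbers and payloads are constructed for the demonstration; header checksums are left at zero since the point is the grouping logic, which also refuses to hand back a datagram with a missing fragment.

```python
import socket
import struct
from collections import defaultdict

# Hypothetical addresses for the constructed fragments (not from any real capture).
SRC = "10.0.0.5"
DST = "10.0.0.9"
UDP = 17


def build_ipv4(ident, offset, more_fragments, payload, df=False, src=SRC, dst=DST, proto=UDP):
    """Build a minimal 20-byte IPv4 header in front of `payload` (checksum left at zero)."""
    if offset % 8:
        raise ValueError("fragment offsets are expressed in 8-byte units")
    flags_frag = (0x4000 if df else 0) | (0x2000 if more_fragments else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4(pkt):
    """Decode the fields reassembly depends on: addresses, protocol, identification, flags, offset."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
        "id": ident,
        "df": bool(flags_frag & 0x4000),          # Don't Fragment
        "mf": bool(flags_frag & 0x2000),          # More Fragments
        "offset": (flags_frag & 0x1FFF) * 8,      # 13-bit offset in 8-byte units
        "payload": pkt[ihl:total_len],
    }


def reassemble(fragments):
    """Group fragments by (src, dst, protocol, identification) and rebuild complete datagrams only."""
    groups = defaultdict(list)
    for pkt in fragments:
        p = parse_ipv4(pkt)
        groups[(p["src"], p["dst"], p["proto"], p["id"])].append(p)
    complete = {}
    for key, parts in groups.items():
        parts.sort(key=lambda p: p["offset"])
        buf, expected = bytearray(), 0
        for p in parts:
            if p["offset"] != expected:   # gap or overlap: leave this datagram incomplete
                break
            buf += p["payload"]
            expected += len(p["payload"])
        else:
            if not parts[-1]["mf"]:      # the last fragment must have More Fragments clear
                complete[key] = bytes(buf)
    return complete


def demo():
    """Two datagrams whose fragments arrive interleaved, plus one with a missing middle piece."""
    msg1 = b"A" * 16 + b"end-1"
    msg2 = b"B" * 8 + b"end-2"
    frags = [
        build_ipv4(0x1111, 0, True, msg1[:8]),
        build_ipv4(0x2222, 0, True, msg2[:8]),
        build_ipv4(0x1111, 8, True, msg1[8:16]),
        build_ipv4(0x3333, 0, True, b"C" * 8),      # first piece only: never completes
        build_ipv4(0x2222, 8, False, msg2[8:]),
        build_ipv4(0x1111, 16, False, msg1[16:]),
        build_ipv4(0x3333, 16, False, b"tail"),     # offset 16, but offset 8 never arrived
    ]
    return {key[3]: payload for key, payload in reassemble(frags).items()}
```

The identification field alone is not a safe grouping key: two hosts can pick the same number at the same time, which is why the tuple includes both addresses and the protocol. A real stack also times out incomplete groups so that a flood of first fragments cannot exhaust memory.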

Correct

If you were to see the following in a packet capture, what would you expect was happening? ' or 1=1;

A SQL injection attack makes use of SQL queries, which can include logic that may alter the flow of the application. In the example provided, the intent is to force the result of the SQL query to always return a true. It is quoted the way it is to escape the existing query already in place in the application. None of the other attacks use a syntax that looks like the example.
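The following is an added example, not code from the study guide, showing the two query shapes behind this answer against a constructed SQLite table. The captured string ends in a semicolon; against the login query below that would leave a dangling quote after the semicolon, so the comment-terminated variant of the same payload is used. The table, user names and passwords are invented for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table; the real application's schema is unknown."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "correct-horse"), ("bob", "hunter2")])
    return con


def login_vulnerable(con, username, password):
    """Builds the query by concatenation, so a quote in the input ends the string literal early."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return sorted(row[0] for row in con.execute(query))


def login_safe(con, username, password):
    """Bound parameters: the values travel separately and never become part of the SQL text."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in con.execute(query, (username, password)))


# Comment-terminated form of the captured "' or 1=1;" payload.  Inside the vulnerable query it
# yields: ... AND password = '' or 1=1 --'   and "--" comments out the trailing quote.
PAYLOAD = "' or 1=1 --"


def demo():
    con = make_db()
    return {
        "vulnerable": login_vulnerable(con, "admin", PAYLOAD),   # every user comes back
        "safe": login_safe(con, "admin", PAYLOAD),               # no such user/password pair
        "legit": login_safe(con, "bob", "hunter2"),
    }
```

Because AND binds tighter than OR, the injected condition becomes (username = 'admin' AND password = '') OR 1=1, which is true for every row. The parameterized version compares the literal string "' or 1=1 --" against the password column and matches nothing.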

Correct

What method might you use to successfully get malware onto a mobile device?

The Apple App Store and the Google Play Store are controlled by Apple and Google. It’s not impossible to get malware onto mobile devices that way, but it’s very difficult because apps get run through a vetting process. While some Android devices will support external storage, it’s not an effective way to get malware onto a smartphone or other mobile device. Jailbreaking can lead to malware being installed but it’s not the means to get malware onto a mobile device. Third-party app stores can be a good means to get malware onto mobile devices because some third-party app stores don’t vet apps that are submitted.

Correct

What protocol is used to take a destination IP address and get a packet to a destination on the local network?

DHCP is used to deliver IP configuration to endpoints. DNS is used to resolve a hostname to an IP address and vice versa. RARP is the Reverse Address Resolution Protocol, used to take a MAC address and resolve it to an IP address. ARP is used to resolve an IP address to a MAC address. Delivery on a local network requires the destination's MAC address; the IP address is what routers use to forward the packet toward systems off the local network.

Correct

What would be the result of sending the string AAAAAAAAAAAAAAAAA into a variable that has been allocated space for 8 bytes?

Heap spraying uses dynamically allocated space to store attack code. A slowloris attack is used to hold open web server connection buffers. A SQL injection will be used to inject SQL queries to the database server. A buffer overflow sends more data into the application than space has been allocated for.

Not Correct

If you were to see the subnet mask 255.255.248.0, what CIDR notation (prefix) would you use to indicate the same thing?

A /23 network would be 255.255.254.0. A /22 would be 255.255.252.0. A /20 would be 255.255.240.0. Only a /21 gives you a 255.255.248.0 subnet mask: 255.255 covers the first 16 bits and 248 is 11111000 in binary, five more one-bits, for 21 in total.
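As an added example (not from the study guide), the conversion in both directions, with the check a practitioner wants: a mask is only valid if its one-bits are contiguous, so 255.0.255.0 must be rejected rather than silently counted as 16. The standard library's ipaddress module is used as a cross-check because it accepts dotted masks too.

```python
import ipaddress


def contiguous_bits(prefix):
    """32-bit pattern of `prefix` one-bits followed by zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask):
    """Dotted-decimal mask -> prefix length; rejects non-contiguous masks such as 255.0.255.0."""
    octets = mask.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad mask: {mask}")
    bits = int.from_bytes(bytes(int(o) for o in octets), "big")
    prefix = bin(bits).count("1")
    if bits != contiguous_bits(prefix):
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def prefix_to_mask(prefix):
    """Prefix length -> dotted-decimal mask, e.g. 21 -> 255.255.248.0."""
    return ".".join(str(b) for b in contiguous_bits(prefix).to_bytes(4, "big"))


def usable_hosts(prefix):
    """Host addresses per subnet, excluding network and broadcast (a /31 keeps both, per RFC 3021)."""
    if prefix >= 31:
        return 2 ** (32 - prefix)
    return 2 ** (32 - prefix) - 2


def stdlib_prefix(mask):
    """Cross-check: ipaddress also parses dotted masks and rejects non-contiguous ones."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
```

Running mask_to_prefix("255.255.248.0") returns 21 and prefix_to_mask on 20, 22 and 23 reproduces the three distractor masks from the explanation, so the arithmetic can be checked rather than memorized.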

Correct

What is the primary difference between a worm and a virus?

Both worms and viruses could be written to use polymorphic code, which means they modify what they look like as they propagate. A worm, though, self-propagates; that is the defining distinction between worms and viruses. Viruses require some intervention on the part of the user to propagate and execute.

Correct

How would you calculate risk?

Risk is the probability of the occurrence of an event multiplied by the dollar value of loss. There is no mitigation factor that is quantified so it could be put into a risk calculation.

Correct

How does an evil twin attack work?

An evil twin attack uses an access point masquerading as the point of connection for stations trying to connect to a legitimate wireless network. Stations reach out and connect to this rogue access point, believing it is the legitimate one. While you may phish for credentials as part of an evil twin attack, credential phishing is not how evil twin attacks work. SSIDs don't get changed as part of an evil twin attack, meaning no SSID that exists will become another SSID. Injecting four-way handshakes won't do much, since the four-way handshake assumes both ends are communicating, so an injected full exchange will get ignored.

Correct

In order to remove malware in the network before it gets to the endpoint, you would use which of the following?

Antivirus solutions are used on endpoints or maybe on email servers. Stateful firewalls add in the ability to factor in the state of the connection—new, related, established. An Application layer gateway knows about Application layer protocols. A unified threat management appliance adds additional capabilities on top of firewall functions, including antivirus.

Not Correct

What is the purpose of a security policy?

Standards and practices should be derived from a security policy, which is the high-level guidance on the role of security within an organization. Security does not generally increase the bottom line of a company. Policies are not for providing specific directions, which would be the role of procedures.

Correct

What has been done to the following string? %3Cscript%3Ealert('wubble');%3C/script%3E

Base64 encoding represents arbitrary binary data as printable ASCII characters. Encryption would generally render text unreadable to people. A cryptographic hash is a way of generating a fixed-length value to identify a value. URL encoding replaces characters that are reserved or unsafe in a URL with a percent sign followed by the character's hexadecimal value (%3C for < and %3E for >). That is what has been done here: the angle brackets of the script tags have been percent-encoded so the payload can travel in a URL.
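An added example (not from the study guide) that decodes the question's string by hand, compares the result with the standard library, and shows the caveat that matters when you are filtering for this: a payload may be percent-encoded twice (%253C decodes to %3C, which decodes to <), so a check has to decode until the text stops changing. The CAPTURED constant is the string from the question with the stray space removed.

```python
from urllib.parse import quote, unquote

HEX = "0123456789abcdefABCDEF"
# The string from the question, with the extraction artifact (space inside "%3C/ script") removed.
CAPTURED = "%3Cscript%3Ealert('wubble');%3C/script%3E"


def percent_decode(s):
    """Replace each %XX with the byte it names; malformed escapes are kept literally, as urllib does."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and s[i + 1] in HEX and s[i + 2] in HEX:
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(s[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def fully_decode(s, max_rounds=3):
    """Decode until the text stops changing, so a double-encoded '<' (%253C) is caught too."""
    for _ in range(max_rounds):
        decoded = percent_decode(s)
        if decoded == s:
            break
        s = decoded
    return s


def looks_like_script_tag(value):
    """Naive filter check: does a script tag appear after (repeated) decoding?"""
    return "<script" in fully_decode(value).lower()
```

A filter that decodes exactly once sees %253Cscript%253E as harmless text while the application, which may decode again downstream, sees <script>. Decoding to a fixed point (with a round limit) closes that gap.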

Correct

What would you get from running the command dig ns domain.com?

Mail exchanger records would be identified as MX records. A name server record is identified with the tag NS. While an enterprise may have one or even several caching name servers, the caching name server wouldn’t be said to belong to the domain since it doesn’t have any domain identification associated with it.

Not Correct

What technique would you ideally use to get all of the hostnames associated with a domain?

A DNS query can be used to identify an IP address from a hostname or vice versa. You could potentially use a brute-force technique to identify hostnames, though you may not get everything using that method. A recursive request is common from a caching server to get an authoritative response. The term for getting all the contents of the zone is a zone transfer.

Correct

If you were to notice operating system commands inside a DNS request while looking at a packet capture, what might you be looking at?

Tunneling attacks can be used to hide one protocol inside another. This may be used to send operating system commands using a tunnel system. A DNS amplification attack is where a small DNS request results in much larger responses sent to the target. DNS recursion is used to look up information from DNS servers. An XML entity injection attack is a web-based attack and wouldn’t be found inside a DNS request.
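To show what "operating system commands inside a DNS request" looks like and how a detector might spot it, here is an added example (not from the study guide) run over constructed queries. The tunnelled names under evil-tunnel.test carry hex-encoded shell commands as labels, the way a simple tunnel client would; the detector flags a domain when several distinct subdomains are unusually long or high-entropy, and a decoder pulls the commands back out. The domains, thresholds and the two-label split of "registered domain" are assumptions for the example (a public-suffix list would be needed for names like example.co.uk).

```python
import math
from collections import defaultdict

# Constructed queries (not from any real capture).
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn-a.example.com",
    "api.v2.example.com",
    "a1b2c3d4e5f60718.cdn.example.net",          # a single hash-like label is normal for a CDN
    "636174202f6574632f706173737764.77686f616d69.c1.t.evil-tunnel.test",
    "6c73202d6c61202f6f7074.69643b20756e616d65202d61.c2.t.evil-tunnel.test",
    "636174202f6574632f736861646f77.636174202f6574632f686f737473.c3.t.evil-tunnel.test",
]


def shannon_entropy(s):
    """Bits per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name):
    """Naive split into (subdomain part, registered domain) using the last two labels."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def flag_tunnel_domains(queries, max_sub_len=40, min_entropy=3.5, min_suspicious=3):
    """Flag a domain when several distinct subdomains are very long or high-entropy.
    Requiring several keeps one odd-looking CDN hostname from triggering an alert."""
    per_domain = defaultdict(set)
    for q in queries:
        sub, dom = split_name(q)
        per_domain[dom].add(sub)
    flagged = []
    for dom, subs in per_domain.items():
        suspicious = [s for s in subs
                      if len(s) > max_sub_len or shannon_entropy(s) > min_entropy]
        if len(suspicious) >= min_suspicious:
            flagged.append(dom)
    return sorted(flagged)


def extract_payload(name):
    """Decode labels that look like hex-encoded bytes (even length, at least 8 hex digits)."""
    sub, _ = split_name(name)
    decoded = []
    for label in sub.split("."):
        if (len(label) >= 8 and len(label) % 2 == 0
                and all(c in "0123456789abcdef" for c in label.lower())):
            decoded.append(bytes.fromhex(label).decode("ascii", errors="replace"))
    return decoded
```

Hex is the easiest encoding to read in a capture but also the least dense; real tunnels more often use base32 or base64-like alphabets, which is why the entropy rule complements the length rule rather than replacing it. Volume per client and the ratio of NXDOMAIN or TXT responses are the usual additional signals.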

Correct

What would be the purpose of running a ping sweep?

There may be several reasons for performing a ping sweep. You likely want to identify responsive hosts on the network segment you are targeting. You may not, though, want to use a full port scan. ICMP is a lightweight protocol and there is a chance it will be allowed through the firewall, since it’s used for troubleshooting and diagnostics.

Not Correct

How many functions are specified by NIST’s cybersecurity framework?

The NIST Cybersecurity Framework specifies five functions: Identify, Protect, Detect, Respond, Recover.

Correct

What would be one reason not to write malware in Python?

Python interpreters may be considered slower to execute than a compiled program; however, the difference is negligible, and speed of execution is generally not much of a concern when it comes to malware. Python is not a hard language to learn, and there are a lot of community-developed libraries. One challenge, though, is that the target needs a Python interpreter, unless you go through the extra step of bundling your script and an interpreter into a stand-alone executable. Windows systems wouldn't commonly have a Python interpreter installed.

Correct

If you saw the following command line, what would you be capturing? tcpdump -i eth2 host 192.168.10.5

The expression host 192.168.10.5 is a BPF (Berkeley Packet Filter) expression telling tcpdump to capture only packets to or from 192.168.10.5, on the interface eth2 selected with -i eth2. If you wanted only one direction, you would qualify host with src or dst: src host 192.168.10.5 or dst host 192.168.10.5.

Correct

What is Diffie-Hellman used for?

Certificates can be revoked, but that's not what Diffie-Hellman is used for. Key management is a much broader topic than what Diffie-Hellman covers. Diffie-Hellman is used for key exchange: starting from agreed public parameters (a prime modulus and a generator) and a private value each, the parties exchange public values and each derive the same shared secret, which an eavesdropper who sees only the public values cannot compute.
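An added example (not from the study guide) that runs both sides of the exchange so the "same key from public values" claim can be checked, and that demonstrates the two caveats a practitioner wants to see: a toy-sized group lets anyone recover the private exponent from the public value by brute force, and plain Diffie-Hellman does not authenticate the peer, so an active attacker in the middle ends up holding a key with each side. The parameters p=23 and g=5 are chosen for readability only; real deployments use standardized 2048-bit or larger groups (for example the ffdhe groups of RFC 7919) or elliptic-curve Diffie-Hellman.

```python
import secrets

# Toy public parameters, constructed for readability (never use a group this small).
P = 23   # prime modulus
G = 5    # generator of the multiplicative group mod 23


def dh_keypair(p=P, g=G):
    """Private exponent in [1, p-2] and the public value g^priv mod p."""
    priv = 1 + secrets.randbelow(p - 2)
    return priv, pow(g, priv, p)


def dh_shared(peer_public, priv, p=P):
    """Shared secret: the peer's public value raised to our private exponent."""
    return pow(peer_public, priv, p)


def dh_exchange():
    """Both sides compute the same secret; only p, g, A and B cross the wire."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    return {"alice": dh_shared(B, a), "bob": dh_shared(A, b), "on_the_wire": (P, G, A, B)}


def recover_private(public, p=P, g=G):
    """Brute-force the discrete logarithm; trivial for p=23, infeasible for real group sizes."""
    for x in range(1, p - 1):
        if pow(g, x, p) == public:
            return x
    raise ValueError("no exponent found")


def mitm_exchange():
    """Unauthenticated DH: Mallory substitutes her own public value M in both directions,
    so Alice shares a key with Mallory and Bob shares a different key with Mallory."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    m, M = dh_keypair()
    alice_key = dh_shared(M, a)        # Alice believes M came from Bob
    bob_key = dh_shared(M, b)          # Bob believes M came from Alice
    return alice_key == dh_shared(A, m) and bob_key == dh_shared(B, m)
```

This is why protocols such as TLS bind the Diffie-Hellman public values to a certificate-backed signature or a pre-shared key: the key exchange supplies secrecy, something else has to supply authentication.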

Not Correct

Which social engineering principle may allow a phony call from the help desk to be effective?

While you might be imitating someone, imitation is not a social engineering principle. Neither social proof nor scarcity are at play in this situation. However, if you are calling from the help desk, you may be considered to be in a position of authority.

Correct

How do you authenticate with SNMPv1?

SNMPv3 introduced user-based authentication with usernames and passwords. With version 1, you authenticate with a cleartext community string. SNMPv1 doesn't use hashes, and while the word "public" is often used as the default read-only community string, "a public string" is not a way to authenticate with SNMPv1.

Correct

What is the process Java programs identify themselves to if they are sharing procedures over the network?

Java's mechanism for invoking procedures on another system over the network is called Remote Method Invocation (RMI). Remote objects register themselves by name with the RMI registry, a naming service that by default listens on TCP port 1099, and clients query the registry to obtain a reference to the remote object they want to call. The registry is therefore the process you query to identify services that are available on a system that has implemented RMI.

Not Correct

What do we call an ARP response without a corresponding ARP request?

When an ARP response is sent without a corresponding ARP request, it’s an unexpected or unnecessary message, so it is a gratuitous ARP.
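An added example (not from the study guide) that applies the definition to a constructed list of ARP frames: a reply is solicited if a matching request was seen shortly before it, gratuitous otherwise, with the common announcement form (sender and target IP equal) labelled separately. A second pass reports IP addresses claimed by more than one MAC, since a gratuitous reply is harmless until it rewrites somebody's cache. The addresses, MACs and one-second window are assumptions for the example.

```python
from collections import defaultdict, namedtuple

ArpFrame = namedtuple("ArpFrame", "ts op sender_ip sender_mac target_ip target_mac")
REQUEST, REPLY = 1, 2

# Constructed frames (not a real capture). The gateway 192.168.1.1 is 00:11:22:33:44:55.
SAMPLE = [
    ArpFrame(0.00, REQUEST, "192.168.1.10", "aa:aa:aa:aa:aa:aa", "192.168.1.1",  "00:00:00:00:00:00"),
    ArpFrame(0.01, REPLY,   "192.168.1.1",  "00:11:22:33:44:55", "192.168.1.10", "aa:aa:aa:aa:aa:aa"),  # answers the request
    ArpFrame(3.00, REPLY,   "192.168.1.50", "bb:bb:bb:bb:bb:bb", "192.168.1.50", "bb:bb:bb:bb:bb:bb"),  # host announces itself
    ArpFrame(9.00, REPLY,   "192.168.1.1",  "de:ad:be:ef:00:01", "192.168.1.10", "aa:aa:aa:aa:aa:aa"),  # nobody asked
]


def classify_replies(frames, window=1.0):
    """Label each reply solicited (a matching request within `window` seconds) or gratuitous."""
    pending = {}   # (requester_ip, asked_for_ip) -> timestamp of the request
    labels = []
    for f in frames:
        if f.op == REQUEST:
            pending[(f.sender_ip, f.target_ip)] = f.ts
        elif f.op == REPLY:
            asked = pending.get((f.target_ip, f.sender_ip))
            if asked is not None and 0 <= f.ts - asked <= window:
                labels.append((f.ts, "solicited", f.sender_ip, f.sender_mac))
            elif f.sender_ip == f.target_ip:
                labels.append((f.ts, "gratuitous-announcement", f.sender_ip, f.sender_mac))
            else:
                labels.append((f.ts, "gratuitous", f.sender_ip, f.sender_mac))
    return labels


def ip_mac_conflicts(frames):
    """IP addresses claimed by more than one MAC in replies: the footprint of ARP poisoning."""
    claims = defaultdict(set)
    for f in frames:
        if f.op == REPLY:
            claims[f.sender_ip].add(f.sender_mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
```

Gratuitous ARP on its own is not an attack: hosts send announcements at boot and for duplicate-address detection, and failover pairs use it to move a virtual IP. The frame at 9.00 is the one worth an alert, not because it is unsolicited, but because it claims the gateway's address with a MAC that differs from the earlier, solicited answer.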

Correct

What are the three times that are typically stored as part of file metadata?

There are three date and time stamps commonly used in file metadata. When the file is created, that moment is stored. When a file is accessed by a user, that moment is stored. When a file is modified, that moment is stored. Accessed is not the same as modified, since accessing a file could be read-only: you could open a file expecting to modify it and never make the change, and the access time still changes. The abbreviation MAC is also used for "moves, adds, and changes", but those are tasks, not file times; here it stands for modified, accessed, and created.

Correct

Which of these is a reason to use an exploit against a local vulnerability?

Local vulnerabilities are used against applications that are not listening on the network. This means they require you to be “local” to the machine and not remote. In other words, you have to be logged in somehow. A local vulnerability would not be used to collect passwords since you don’t need a vulnerability to do that. Similarly, you don’t need to make use of a vulnerability to manipulate logs or to pivot. Most of those would require you to have elevated permissions, though. A local vulnerability may be exploited to get you those elevated permissions.

Correct

What principle is used to demonstrate that a signed message came from the owner of the key that signed it?

Integrity is part of the CIA triad but isn’t the principle that ties a signed message back to the subject of the signing certificate. Non-verifiability is nonsense and authority isn’t relevant here. Instead, non-repudiation means someone can’t say they didn’t send a message if it was signed with their key and that key was in their possession and password-protected.

Correct

What is a viable approach to protecting against tailgating?

Biometrics and badge access are forms of physical access control. Phone verification could possibly be used as a way of verifying identity, but it won't protect against tailgating. A mantrap, however, will protect against tailgating because a mantrap only allows one person through at a time.

Not Correct

Why is bluesnarfing potentially more dangerous than bluejacking?

Bluesnarfing is an attack that connects to a Bluetooth device in order to grab data from that device. Bluejacking can be used to send information, such as a text message, to a Bluetooth device that is receiving from the attacker. Neither of these attacks installs keyloggers. The victim device sends information to the attacker in a bluesnarfing attack, which is what makes it the more dangerous of the two.

Not Correct

Which of the security triad properties does the Biba security model relate to?

The Biba security model covers data integrity. While other models cover confidentiality, none of them cover availability.