CEH v11


Q181 - Which of the following types of jailbreaking allows user-level access but does not allow iboot-level access?

  1. Bootrom Exploit
  2. iBoot Exploit
  3. Sandbox Exploit
  4. Userland Exploit

Answer: D

Q182 - Jack was attempting to fingerprint all machines in the network using the following Nmap syntax:
invictus@victim_server:~$ nmap -T4 -0
TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING!
Obviously, it is not going through. What is the issue here?

  1. OS Scan requires root privileges
  2. The nmap syntax is wrong.
  3. The outgoing TCP/IP fingerprinting is blocked by the host firewall
  4. This is a common behavior for a corrupted nmap application

Answer: A

Q183 - What did the following commands determine?

  1. That the Joe account has a SID of 500
  2. These commands demonstrate that the guest account has NOT been disabled
  3. These commands demonstrate that the guest account has been disabled
  4. That the true administrator is Joe
  5. Issued alone, these commands prove nothing

Answer: D

Q184 - Todd has been asked by the security officer to purchase a counter-based authentication system. Which of the following best describes this type of system?

  1. A biometric system that bases authentication decisions on behavioral attributes.
  2. A biometric system that bases authentication decisions on physical attributes.
  3. An authentication system that creates one-time passwords that are encrypted with secret keys.
  4. An authentication system that uses passphrases that are converted into virtual passwords.

Answer: C

Q185 - WPA2 uses AES for wireless data encryption at which of the following encryption levels?

  1. 64 bit and CCMP
  2. 128 bit and CRC
  3. 128 bit and CCMP
  4. 128 bit and TKIP

Answer: C

Q186 - While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an attack or other wrong doing. However, you are concerned about affecting the normal functionality of the email server. From the following options choose how best you can achieve this objective?

  1. Block port 25 at the firewall.
  2. Shut off the SMTP service on the server.
  3. Force all connections to use a username and password.
  4. Switch from Windows Exchange to UNIX Sendmail.
  5. None of the above.

Answer: E

Q187 - You are programming a buffer overflow exploit and you want to create a NOP sled of 200 bytes in the program exploit.c

What is the hexadecimal value of NOP instruction?

  1. 0x60
  2. 0x80
  3. 0x70
  4. 0x90

Answer: D

Q188 - A virus that attempts to install itself inside the file it is infecting is called?

  1. Tunneling virus
  2. Cavity virus
  3. Polymorphic virus
  4. Stealth virus

Answer: B

Q189 - Which NMAP command combination would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection?

  1. NMAP -PN -A -O -sS
  2. NMAP -P0 -A -O -p1-65535 192.168.0/24
  3. NMAP -P0 -A -sT -p0-65535 192.168.0/16
  4. NMAP -PN -O -sS -p 1-1024 192.168.0/8

Answer: B

Q190 - Port scanning can be used as part of a technical assessment to determine network vulnerabilities. The TCP XMAS scan is used to identify listening ports on the targeted system. If a scanned port is open, what happens?

  1. The port will ignore the packets.
  2. The port will send an RST.
  3. The port will send an ACK.
  4. The port will send a SYN.

Answer: A

Q191 - Which type of security feature stops vehicles from crashing through the doors of a building?

  1. Turnstile
  2. Bollards
  3. Mantrap
  4. Receptionist

Answer: B

Q192 - Which of the following programs is usually targeted at Microsoft Office products?

  1. Polymorphic virus
  2. Multipart virus
  3. Macro virus
  4. Stealth virus

Answer: C

Q193 - An engineer is learning to write exploits in C++ and is using the exploit tool Backtrack. The engineer wants to compile the newest C++ exploit and name it calc.exe. Which command would the engineer use to accomplish this?

  1. g++ hackersExploit.cpp -o calc.exe
  2. g++ hackersExploit.py -o calc.exe
  3. g++ -i hackersExploit.pl -o calc.exe
  4. g++ --compile -i hackersExploit.cpp -o calc.exe

Answer: A

Q194 - An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?

  1. Protocol analyzer
  2. Intrusion Prevention System (IPS)
  3. Network sniffer
  4. Vulnerability scanner

Answer: A

Q195 - A server has been infected by a certain type of Trojan. The hacker intended to utilize it to send and host junk mails. What type of Trojan did the hacker use?

  1. Turtle Trojans
  2. Ransomware Trojans
  3. Botnet Trojan
  4. Banking Trojans

Answer: C

Q196 - The security administrator of ABC needs to permit Internet traffic in the host and UDP traffic in the host Also he needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration in the router nobody can access to the ftp and the permitted hosts cannot access to the Internet. According to the next configuration what is happening in the network?

  1. The ACL 110 needs to be changed to port 80
  2. The ACL for FTP must be before the ACL 110
  3. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
  4. The ACL 104 needs to be first because is UDP

Answer: C

Q197 - What results will the following command yield: 'NMAP -sS -O -p 123-153'?

  1. A stealth scan, opening port 123 and 153
  2. A stealth scan, checking open ports 123 to 153
  3. A stealth scan, checking all open ports excluding ports 123 to 153
  4. A stealth scan, determine operating system, and scanning ports 123 to 153

Answer: D

Q198 - What does a type 3 code 13 represent? (Choose two.)

  1. Echo request
  2. Destination unreachable
  3. Network unreachable
  4. Administratively prohibited
  5. Port unreachable
  6. Time exceeded

Answer: B and D

Q199 - Which access control mechanism allows for multiple systems to use a central authentication server (CAS) that permits users to authenticate once and gain access to multiple systems?

  1. Role Based Access Control (RBAC)
  2. Discretionary Access Control (DAC)
  3. Windows authentication
  4. Single sign-on

Answer: D

Q200 - A hacker is attempting to see which ports have been left open on a network. Which NMAP switch would the hacker use?

  1. -sO
  2. -sP
  3. -sS
  4. -sU

Answer: A

Q201 - The following is a sample of output from a penetration tester's machine targeting a machine with the IP address of

What is most likely taking place?

  1. Ping sweep of the network
  2. Remote service brute force attempt
  3. Port scan of
  4. Denial of service attack on

Answer: B

Q202 - Company XYZ has asked you to assess the security of their perimeter email gateway. From your office in New York, you craft a specially formatted email message and send it across the Internet to an employee of Company XYZ. The employee of Company XYZ is aware of your test. Your email message looks like this:
From: jim_miller@companyxyz.com
To: michelle_saunders@companyxyz.com
Subject: Test message
Date: 4/3/2017 14:37
The employee of Company XYZ receives your email message. This proves that Company XYZ's email gateway doesn't prevent what?

  1. Email Phishing
  2. Email Masquerading
  3. Email Spoofing
  4. Email Harvesting

Answer: C

Q203 - Which of the following LM hashes represent a password of less than 8 characters? (Choose two.)

  1. BA810DBA98995F1817306D272A9441BB
  2. 44EFCE164AB921CQAAD3B435B51404EE
  3. 0182BD0BD4444BF836077A718CCDF409
  4. CEC52EB9C8E3455DC2265B23734E0DAC
  5. B757BF5C0D87772FAAD3B435B51404EE
  6. E52CAC67419A9A224A3B108F3FA6CB6D

Answer: B and E

Q204 - A software tester is randomly generating invalid inputs in an attempt to crash the program. Which of the following is a software testing technique used to determine if a software program properly handles a wide range of invalid input?

  1. Mutating
  2. Randomizing
  3. Fuzzing
  4. Bounding

Answer: C

Q205 - SOAP services use which technology to format information?

  1. SATA
  2. PCI
  3. XML
  4. ISDN

Answer: C

Q206 - Which type of sniffing technique is generally referred as MiTM attack?

  1. Password Sniffing
  2. ARP Poisoning
  3. Mac Flooding
  4. DHCP Sniffing

Answer: B

Q207 - When security and confidentiality of data within the same LAN is of utmost priority, which IPSec mode should you implement?

  1. AH Tunnel mode
  2. AH promiscuous
  3. ESP transport mode
  4. ESP confidential

Answer: C

Q208 - You're doing an internal security audit and you want to find out what ports are open on all the servers. What is the best way to find out?

  1. Scan servers with Nmap
  2. Physically go to each server
  3. Scan servers with MBSA
  4. Telent to every port on each server

Answer: A

Q209 - Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, smallsized packets to the target computer, making it very difficult for an IDS to detect the attack signatures. Which tool can be used to perform session splicing attacks?

  1. Whisker
  2. tcpsplice
  3. Burp
  4. Hydra

Answer: A

Q210 - A penetration tester was hired to perform a penetration test for a bank. The tester began searching for IP ranges owned by the bank, performing lookups on the bank's DNS servers, reading news articles online about the bank, watching what times the bank employees come into work and leave from work, searching the bank's job postings (paying special attention to IT related jobs), and visiting the local dumpster for the bank's corporate office. What phase of the penetration test is the tester currently in?

  1. Information reporting
  2. Vulnerability assessment
  3. Active information gathering
  4. Passive information gathering

Answer: D