Question 1. Which of the following statements best describes a white-hat hacker?
- A. Security professional
- B. Former black hat
- C. Former grey hat
- D. Malicious hacker
Answer 1. Option A.
Explanation: A white-hat hacker is a “good” guy who uses his skills for defensive purposes.
Question 2. A security audit performed on the internal network of an organization by the network administration is also known as ___________.
- A. Grey-box testing
- B. Black-box testing
- C. White-box testing
- D. Active testing
- E. Passive testing
Answer 2. Option C.
Explanation: White-box testing is a security audit performed with internal knowledge of the systems.
Question 3. What is the first phase of hacking?
- A. Attack
- B. Maintaining access
- C. Gaining access
- D. Reconnaissance
- E. Scanning
Answer 3. Option D.
Explanation: Reconnaissance is gathering information necessary to perform the attack.
Question 4. What type of ethical hack tests access to the physical infrastructure?
- A. Internal network
- B. Remote network
- C. External network
- D. Physical access
Answer 4. Option D.
Explanation: Physical access tests access to the physical infrastructure.
Question 5. The security, functionality, and ease of use triangle illustrates which concept?
- A. As security increases, functionality and ease of use increase.
- B. As security decreases, functionality and ease of use increase.
- C. As security decreases, functionality and ease of use decrease.
- D. Security does not affect functionality and ease of use.
Answer 5. Option B.
Explanation: As security increases, the system becomes more difficult to use and less functional.
Question 6. Which type of hacker represents the highest risk to your network?
- A. Disgruntled employees
- B. Black-hat hackers
- C. Grey-hat hackers
- D. Script kiddies
Answer 6. Option A.
Explanation: Disgruntled employees have information which can allow them to launch a powerful attack.
Question 7. What are the three phases of a security evaluation plan? (Choose three answers.)
- A. Conduct Security Evaluation
- B. Preparation
- C. Conclusion
- D. Final
- E. Reconnaissance
- F. Design Security
- G. Vulnerability Assessment
Answer 7. Options A, B, C.
Explanation: The three phases of a security evaluation plan are preparation, conduct security evaluation, and conclusion.
Question 8. Hacking for a cause is called __________________.
- A. Active hacking
- B. Hacktivism
- C. Activism
- D. Black-hat hacking
Answer 8. Option B.
Explanation: Hacktivism is performed by individuals who claim to be hacking for a political or social cause.
Question 9. Which federal law is most commonly used to prosecute hackers?
- A. Title 12
- B. Title 18
- C. Title 20
- D. Title 2
Answer 9. Option B.
Explanation: Title 18 of the U.S. Code of law is most commonly used to prosecute hackers.
Question 10. When a hacker attempts to attack a host via the Internet, it is known as what type of attack?
- A. Remote attack
- B. Physical access
- C. Local access
- D. Internal attack
Answer 10. Option A.
Explanation: An attack from the Internet is known as a remote attack.
Question 11. Which are the four regional Internet registries?
- A. APNIC, PICNIC, NANIC, RIPE NCC
- B. APNIC, MOSTNIC, ARIN, RIPE NCC
- C. APNIC, PICNIC, NANIC, ARIN
- D. APNIC, LACNIC, ARIN, RIPE NCC
Answer 11. Option D.
Explanation: The four Internet registries are ARIN (American Registry of Internet Numbers), RIPE NCC (Europe, the Middle East, and parts of Central Asia), LACNIC (Latin American and Caribbean Internet Addresses Registry), and APNIC (Asia Pacific Network Information Centre).
Question 12. Which of the following is a tool for performing footprinting undetected?
- A. Whois search
- B. Traceroute
- C. Ping sweep
- D. Host scanning
Answer 12. Option A.
Explanation: Whois is the only tool listed that won’t trigger an IDS alert or otherwise be detected by an organization.
Question 13. Which of the following tools are used for footprinting? (Choose 3 answers.)
- A. Whois
- B. Sam Spade
- C. NMAP
- D. SuperScan
- E. Nslookup
Answer 13. Options A, B, E.
Explanation: Whois, Sam Spade, and nslookup are all used to passively gather information about a target. NMAP and SuperScan are host and network scanning tools.
Question 14. What is the next step to be performed after footprinting?
- A. Scanning
- B. Enumeration
- C. System hacking
- D. Active information gathering
Answer 14. Option A.
Explanation: According to CEH methodology, scanning occurs after footprinting.
Question 15. Which are good sources of information about a company or its employees? (Choose all that apply.)
- A. Newsgroups
- B. Job postings
- C. Company website
- D. Press releases
Answer 15. Options A, B, C, D.
Explanation: Newsgroups, job postings, company websites, and press releases are all good sources for information gathering.
Question 16. How does traceroute work?
- A. It uses an ICMP destination-unreachable message to elicit the name of a router.
- B. It sends a specially crafted IP packet to a router to locate the number of hops from the sender to the destination network.
- C. It uses a protocol that will be rejected by the gateway to determine the location.
- D. It uses the TTL value in an ICMP message to determine the number of hops from the sender to the router.
Answer 16. Option D.
Explanation: Traceroute uses the TTL values to determine how many hops the router is from the sender. Each router decrements the TTL by one under normal conditions.
Question 17. What is footprinting?
- A. Measuring the shoe size of an ethical hacker
- B. Accumulation of data by gathering information on a target
- C. Scanning a target network to detect operating system types
- D. Mapping the physical layout of a target’s network
Answer 17. Option B.
Explanation: Footprinting is gathering information about a target organization.
Question 18. Nslookup can be used to gather information regarding which of the following?
- A. Host names and IP addresses
- B. Whois information
- C. DNS server locations
- D. Name server types and operating systems
Answer 18. Option A.
Explanation: Nslookup queries a DNS server for DNS records such as host names and IP addresses.
Question 19. Which of the following is a type of social engineering?
- A. Shoulder surfing
- B. User identification
- C. System monitoring
- D. Face-to-face communication
Answer 19. Option A.
Explanation: Of the choices listed here, shoulder surfing is considered a type of social engineering.
Question 20. Which is an example of social engineering?
- A. A user who holds open the front door of an office for a potential hacker
- B. Calling a help desk and convincing them to reset a password for a user account
- C. Installing a hardware keylogger on a victim’s system to capture passwords
- D. Accessing a database with a cracked password
Answer 20. Option B.
Explanation: Calling a help desk and convincing them to reset a password for a user account is an example of social engineering.
Question 21. What is the best way to prevent a social-engineering attack?
- A. Installing a firewall to prevent port scans
- B. Configuring an IDS to detect intrusion attempts
- C. Increasing the number of help-desk personnel
- D. Employee training and education
Answer 21. Option D.
Explanation: Employee training and education is the best way to prevent a social-engineering attack.
Question 22. Which of the following is the best example of reverse social engineering?
- A. A hacker pretends to be a person of authority in order to get a user to give them information.
- B. A help-desk employee pretends to be a person of authority.
- C. A hacker tries to get a user to change their password.
- D. A user changes their password.
Answer 22. Option A.
Explanation: When a hacker pretends to be a person of authority in order to get a user to ask them for information, it’s an example of reverse social engineering.
Question 23. Using pop-up windows to get a user to give out information is which type of social engineering attack?
- A. Human-based
- B. Computer-based
- C. Nontechnical
- D. Coercive
Answer 23. Option B.
Explanation: Pop-up windows are a method of getting information from a user utilizing a computer.
Question 24. What is it called when a hacker pretends to be a valid user on the system?
- A. Impersonation
- B. Third-person authorization
- C. Help desk
- D. Valid user
Answer 24. Option A.
Explanation: Impersonation involves a hacker pretending to be a valid user on the system.
Question 25. What is the best reason to implement a security policy?
- A. It increases security.
- B. It makes security harder to enforce.
- C. It removes the employee’s responsibility to make judgments.
- D. It decreases security.
Answer 25. Option C.
Explanation: Security policies remove the employee’s responsibility to make judgments regarding a potential social-engineering attack.
Question 26. Faking a website for the purpose of getting a user’s password and username is which type of social engineering attack?
- A. Human-based
- B. Computer-based
- C. Web-based
- D. User-based
Answer 26. Option B.
Explanation: Website faking is a form of computer-based social engineering attack.
Question 27. Dumpster diving can be considered which type of social engineering attack?
- A. Human-based
- B. Computer-based
- C. Physical access
- D. Paper-based
Answer 27. Option A.
Explanation: Dumpster diving is a human-based social engineering attack.
Question 28. What port number does FTP use?
- A. 21
- B. 25
- C. 23
- D. 80
Answer 28. Option A.
Explanation: FTP uses TCP port 21. This is a well-known port number and can be found in the Windows services file.
Question 29. What port number does HTTPS use?
- A. 443
- B. 80
- C. 53
- D. 21
Answer 29. Option A.
Explanation: HTTPS uses TCP port 443. This is a well-known port number and can be found in the Windows services file.
Question 30. What is war dialing used for?
- A. Testing firewall security
- B. Testing remote access system security
- C. Configuring a proxy filtering gateway
- D. Configuring a firewall
Answer 30. Option B.
Explanation: War dialing involves placing calls to a series of numbers in hopes that a modem will answer the call. It can be used to test the security of a remote-access system.
Question 31. Banner grabbing is an example of what?
- A. Passive operating system fingerprinting
- B. Active operating system fingerprinting
- C. Footprinting
- D. Application analysis
Answer 31. Option A.
Explanation: Banner grabbing is not detectable; therefore, it is considered passive OS fingerprinting.
Question 32. What are the three types of scanning?
- A. Port, network, and vulnerability
- B. Port, network, and services
- C. Grey, black, and white hat
- D. Server, client, and network
Answer 32. Option A.
Explanation: Port, network, and vulnerability are the three types of scanning.
Question 33. What is the main problem with using only ICMP queries for scanning?
- A. The port is not always available.
- B. The protocol is unreliable.
- C. Systems may not respond because of a firewall.
- D. Systems may not have the service running.
Answer 33. Option C.
Explanation: Systems may not respond to ICMP because they have firewall software installed that blocks the responses.
Question 34. What does the TCP RST command do?
- A. Starts a TCP connection
- B. Restores the connection to a previous state
- C. Finishes a TCP connection
- D. Resets the TCP connection
Answer 34. Option D.
Explanation: The TCP RST command resets the TCP connection.
Question 35. What is the proper sequence of a TCP connection?
- A. SYN-SYN ACK-ACK
- B. SYN-ACK-FIN
- C. SYN-SYNACK-ACK
- D. SYN-PSH-ACK
Answer 35. Option A.
Explanation: A SYN packet is followed by a SYN-ACK packet. Then, an ACK finishes a successful TCP connection.
Question 36. A packet with all flags set is which type of scan?
- A. Full Open
- B. Syn scan
- C. XMAS
- D. TCP connect
Answer 36. Option C.
Explanation: An XMAS scan has all flags set.
Question 37. What is the proper command to perform an NMAP SYN scan every 5 minutes?
- A. nmap -ss – paranoid
- B. nmap -Ss -paranoid
- C. nmap -Ss -fast
- D. namp -Ss -sneaky
Answer 37. Option B.
Explanation: The command nmap -Ss -paranoid performs a SYN scan every 300 seconds, or 5 minutes.
Question 38. In order to prevent a hacker from using SMB session hijacking, which TCP and UDP ports would you block at the firewall?
- A. 167 and 137
- B. 80 and 23
- C. 139 and 445
- D. 1277 and 1270
Answer 38. Option C.
Explanation: Block the ports used by NetBIOS null sessions. These are 139 and 445.
Question 39. Why would an attacker want to perform a scan on port 137?
- A. To locate the FTP service on the target host
- B. To check for file and print sharing on Windows systems
- C. To discover proxy servers on a network
- D. To discover a target system with the NetBIOS null session vulnerability
Answer 39. Option D.
Explanation: Port 137 is used for NetBIOS null sessions.
Question 40. SNMP is a protocol used to manage network infrastructure devices. What is the SNMP read/write community name used for?
- A. Viewing the configuration information
- B. Changing the configuration information
- C. Monitoring the device for errors
- D. Controlling the SNMP management station
Answer 40. Option B.
Explanation: The SNMP read/write community name is the password used to make changes to the device configuration.
Question 41. Why would the network security team be concerned about ports 135–139 being open on a system?
- A. SMB is enabled, and the system is susceptible to null sessions.
- B. SMB is not enabled, and the system is susceptible to null sessions.
- C. Windows RPC is enabled, and the system is susceptible to Windows DCOM remote sessions.
- D. Windows RPC is not enabled, and the system is susceptible to Windows DCOM remote sessions.
Answer 41. Option A.
Explanation: Ports in the 135 to 139 range indicate the system has SMB services running and is susceptible to null sessions.
Question 42. Which step comes after enumerating users in the CEH hacking cycle?
- A. Crack password
- B. Escalate privileges
- C. Scanning
- D. Covering tracks
Answer 42. Option A.
Explanation: Password cracking is the next step in the CEH hacking cycle after enumerating users.
Question 43. What is enumeration?
- A. Identifying active systems on the network
- B. Cracking passwords
- C. Identifying users and machine names
- D. Identifying routers and firewalls
Answer 43. Option C.
Explanation: Enumeration is the process of finding usernames, machine names, network shares, and services on the network.
Question 44. What is a command-line tool used to look up a username from a SID?
- A. UsertoSID
- B. Userenum
- C. SID2User
- D. Getacct
Answer 44. Option C.
Explanation: SID2User is a command-line tool to find a username from a SID.
Question 45. Which tool can be used to perform a DNS zone transfer on Windows?
- A. nslookup
- B. DNSlookup
- C. whois
- D. ipconfig
Answer 45. Option A.
Explanation: nslookup is a Windows tool that can be used to initiate a DNS zone transfer that sends all the DNS records to a hacker’s system.
Question 46. What is a null session?
- A. Connecting to a system with the administrator username and password
- B. Connecting to a system with the admin username and password
- C. Connecting to a system with a random username and password
- D. Connecting to a system with no username and password
Answer 46. Option D.
Explanation: A null session involves connecting to a system with no username and password.
Question 47. What is a countermeasure for SNMP enumeration?
- A. Remove the SNMP agent from the device.
- B. Shut down ports 135 and 139 at the firewall.
- C. Shut down ports 80 and 443 at the firewall.
- D. Enable SNMP read-only security on the agent device.
Answer 47. Option A.
Explanation: The best countermeasure to SNMP enumeration is to remove the SNMP agent from the device. Doing so prevents it from responding to SNMP requests.