Question 48. What is the process of hiding text within an image called?
- A. Steganography
- B. Encryption
- C. Spyware
- D. Keystroke logging
Answer 48. Option A.
Explanation: Steganography hides data, such as text, inside another file (an image, for example) so that the existence of the message is concealed. Unlike encryption, which makes a message unreadable but visible, steganography hides the fact that there is a message at all.
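As an added example (not part of the original question bank), the following Python block implements the most common form of image steganography, least-significant-bit (LSB) embedding. To keep it runnable offline, the cover "image" is a constructed raw 8-bit RGB pixel buffer rather than a PNG file; the bit manipulation is the same one applied to real pixel data.

```python
"""LSB steganography demo: hide a message in the low bit of each colour byte.
The cover image is a constructed 16x16 RGB gradient, not a file on disk."""

WIDTH, HEIGHT = 16, 16          # constructed cover image: 16x16 pixels, 3 bytes each


def make_cover_image() -> bytearray:
    """Build a deterministic gradient so the demo needs no image file."""
    buf = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            buf += bytes(((x * 16) & 0xFF, (y * 16) & 0xFF, ((x + y) * 8) & 0xFF))
    return buf


def _to_bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def hide(cover: bytes, message: bytes) -> bytearray:
    """Store a 4-byte big-endian length prefix plus the message, one bit per
    colour byte, in the least significant bit. Raises if the cover is too small."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover image too small for message")
    stego = bytearray(cover)
    for idx, bit in enumerate(_to_bits(payload)):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego


def reveal(stego: bytes) -> bytes:
    """Read the length prefix, then that many bytes, from the low bits."""
    def read_bytes(offset: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[offset + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_pixel_delta(cover: bytes, stego: bytes) -> int:
    """Each colour byte changes by at most 1, which is why LSB embedding is
    invisible to the eye (and why statistical stego-analysis is needed to find it)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover_image()
    secret = b"meet at 0300"
    stego = hide(cover, secret)
    print("recovered:", reveal(stego), "max byte change:", max_pixel_delta(cover, stego))
```

A 16x16 RGB buffer holds 768 bits, so this toy cover carries at most 92 bytes of message after the length prefix; a real photograph carries kilobytes. The carrier's pixel values are altered by at most one unit per byte, which is the property a detector must look for statistically rather than visually.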
Question 49. What is a rootkit?
- A. A simple tool to gain access to the root of the Windows system
- B. A Trojan that sends information to an SMB relay
- C. An invasive program that affects the system files, including the kernel and libraries
- D. A tool to perform a buffer overflow
Answer 49. Option C.
Explanation: A rootkit is a program that replaces or modifies core components of the operating system, such as the kernel and system libraries, in order to hide the attacker's presence and preserve access.
Question 50. Why would hackers want to cover their tracks?
- A. To prevent another person from using the programs they have installed on a target system
- B. To prevent detection or discovery
- C. To prevent hacking attempts
- D. To keep other hackers from using their tools
Answer 50. Option B.
Explanation: Hackers cover their tracks to keep from having their identity or location discovered.
Question 51. What is privilege escalation?
- A. Creating a user account with higher privileges
- B. Creating a user account with Administrator privileges
- C. Creating two user accounts: one with high privileges and one with lower privileges
- D. Increasing privileges on a user account
Answer 51. Option D.
Explanation: Privilege escalation is a hacking method to increase privileges on a user account.
Question 52. What are two methods used to hide files? (Choose all that apply.)
- A. NTFS file streaming
- B. Attrib command
- C. Steganography
- D. Encrypted File System
Answer 52. Options A, B.
Explanation: NTFS file streaming and the attrib command are two hacking techniques to hide files.
Question 53. What is the recommended password-change interval?
- A. 30 days
- B. 20 days
- C. 1 day
- D. 7 days
Answer 53. Option A.
Explanation: Passwords should be changed every 30 days for the best balance of security and usability. This is the exam's answer; note that current NIST guidance (SP 800-63B) advises against forced periodic rotation and recommends changing a password when there is evidence it has been compromised.
Question 54. What type of password attack would be most successful against the password T63k#s23A?
- A. Dictionary
- B. Hybrid
- C. Password guessing
- D. Brute force
Answer 54. Option D.
Explanation: A brute-force attack tries every combination of letters, numbers, and symbols. T63k#s23A contains no dictionary word, so a dictionary attack or a hybrid attack (dictionary words with digits or symbols appended) will not find it; only an exhaustive search over the full character set can.
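The following Python block is an added example (not from the original question bank) that runs the three attack classes from this question against hashed passwords, to show why only brute force can reach a password like T63k#s23A. The wordlist and the target hashes are constructed for the demo; the brute-force search is capped at a short length because the real keyspace for nine characters is 94^9.

```python
"""Dictionary, hybrid and brute-force password attacks against SHA-256 hashes.
Wordlist and targets are constructed for the demo (real attacks use huge
wordlists, rules engines and GPU crackers)."""
import hashlib
import itertools
import string

WORDLIST = ["password", "letmein", "summer", "dragon", "welcome"]  # constructed
CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def h(pw: str) -> str:
    """Unsalted SHA-256, stand-in for whatever hash the target stores."""
    return hashlib.sha256(pw.encode()).hexdigest()


def dictionary_attack(target: str, words=WORDLIST):
    """Try each wordlist entry as-is."""
    return next((w for w in words if h(w) == target), None)


def hybrid_attack(target: str, words=WORDLIST):
    """Dictionary words with common mangling: capitalisation and 0-2 appended digits."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            for suffix in [""] + [str(n) for n in range(100)]:
                cand = base + suffix
                if h(cand) == target:
                    return cand
    return None


def brute_force_attack(target: str, max_len: int, charset=CHARSET):
    """Exhaustive search; only feasible for short lengths, hence the cap."""
    for length in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=length):
            cand = "".join(tup)
            if h(cand) == target:
                return cand
    return None


def keyspace(length: int, charset=CHARSET) -> int:
    """Number of candidates a brute-force attack must cover at this length."""
    return len(charset) ** length


if __name__ == "__main__":
    weak, strong = h("Summer23"), h("T63k#s23A")
    print("dictionary:", dictionary_attack(weak), dictionary_attack(strong))
    print("hybrid:    ", hybrid_attack(weak), hybrid_attack(strong))
    print("brute (len<=2):", brute_force_attack(h("a1"), 2))
    print("9-char keyspace:", keyspace(9))
```

"Summer23" falls to the hybrid attack in a few thousand hashes because it is a dictionary word with a capital and two digits; T63k#s23A survives both wordlist-based attacks, and the brute-force keyspace for its length is about 5.7 x 10^17 candidates, which is the point of the question.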
Question 55. Which of the following is a passive online attack?
- A. Password guessing
- B. Network sniffing
- C. Brute-force attack
- D. Dictionary attack
Answer 55. Option B.
Explanation: Network sniffing is a passive online attack because the attacker only observes traffic and sends nothing to the target, which is also why it is so hard to detect. Password guessing, brute-force, and dictionary attacks are active: each attempt is sent to the target and can be logged.
Question 56. Why is it necessary to clear the event log after using the auditpol command to turn off logging?
- A. The auditpol command places an entry in the event log.
- B. The auditpol command doesn’t stop logging until the event log has been cleared.
- C. auditpol relies on the event log to determine whether logging is taking place.
- D. The event log doesn’t need to be cleared after running the auditpol command.
Answer 56. Option A.
Explanation: The event log must be cleared because the auditpol command itself places an entry in the event log indicating that logging has been disabled (on Windows this is recorded as a security audit policy change event, ID 4719).
Question 57. What is necessary in order to install a hardware keylogger on a target system?
- A. The IP address of the system
- B. The Administrator username and password
- C. Physical access to the system
- D. Telnet access to the system
Answer 57. Option C.
Explanation: A hardware keylogger is an adapter that connects the keyboard to the PC. A hacker needs physical access to the PC in order to plug in the hardware keylogger.
Question 58. What is a wrapper?
- A. A Trojaned system
- B. A program used to combine a Trojan and legitimate software into a single executable
- C. A program used to combine a Trojan and a backdoor into a single executable
- D. A way of accessing a Trojaned system
Answer 58. Option B.
Explanation: A wrapper is software used to combine a Trojan and legitimate software into a single executable so that the Trojan is installed during the installation of the other software.
Question 59. What is the difference between a backdoor and a Trojan?
- A. A Trojan usually provides a backdoor for a hacker.
- B. A backdoor must be installed first.
- C. A Trojan is not a way to access a system.
- D. A backdoor is provided only through a virus, not through a Trojan.
Answer 59. Option A.
Explanation: A Trojan infects a system first and usually includes a backdoor for later access.
Question 60. What port does Tini use by default?
- A. 12345
- B. 71
- C. 7777
- D. 666
Answer 60. Option C.
Explanation: Tini uses port 7777 by default.
Question 61. Which is the best Trojan and backdoor countermeasure?
- A. Scan the hard drive on network connection, and educate users not to install unknown software.
- B. Implement a network firewall.
- C. Implement personal firewall software.
- D. Educate systems administrators about the risks of using systems without firewalls.
- E. Scan the hard drive on startup.
Answer 61. Option A.
Explanation: The best prevention is to scan the hard drive for known Trojans and backdoors whenever the system connects to the network, and to educate users not to install any unknown software.
Question 62. How do you remove a Trojan from a system?
- A. Search the Internet for freeware removal tools.
- B. Purchase commercially available tools to remove the Trojan.
- C. Reboot the system.
- D. Uninstall and reinstall all applications.
Answer 62. Option B.
Explanation: To remove a Trojan, you should use commercial tools. Many freeware tools contain Trojans.
Question 63. What is ICMP tunneling?
- A. Tunneling ICMP messages through HTTP
- B. Tunneling another protocol through ICMP
- C. An overt channel
- D. Sending ICMP commands using a different protocol
Answer 63. Option B.
Explanation: ICMP tunneling carries another protocol's data inside the payload of ICMP packets (typically echo request and reply), so that Trojan communications look like ordinary ping traffic to a firewall that allows ICMP.
Question 64. What is reverse WWW shell?
- A. Connecting to a website using a tunnel
- B. A Trojan that connects from the server to the client using HTTP
- C. A Trojan that issues commands to the client using HTTP
- D. Connecting through a firewall
Answer 64. Option B.
Explanation: Reverse WWW shell is a connection from a Trojan server component on the compromised system to the Trojan client on the hacker’s system.
Question 65. What is a covert channel?
- A. Using a communications channel in a way that was not intended
- B. Tunneling software
- C. A Trojan removal tool
- D. Using a communications channel in the original, intended way
Answer 65. Option A.
Explanation: A covert channel is the use of a protocol or communications channel in a nontraditional way.
Question 66. What is the purpose of system-file verification?
- A. To find system files
- B. To determine whether system files have been changed or modified
- C. To find out if a backdoor has been installed
- D. To remove a Trojan
Answer 66. Option B.
Explanation: System-file verification compares the current system files against a known-good baseline (for example by cryptographic hash) so that a Trojan that has overwritten a critical system file is detected.
Question 67. Which of the following is an example of a covert channel?
- A. Reverse WWW shell
- B. Firewalking
- C. SNMP enumeration
- D. Steganography
Answer 67. Option A.
Explanation: Reverse WWW shell is an example of a covert channel.
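Questions 63, 65 and 67 all describe a covert channel, and ICMP tunneling is the simplest one to show concretely. The Python block below is an added example (not from the original question bank): it builds a valid ICMP echo request whose payload carries a tunneled command, parses it back on the receiving side, and then runs the check a defender would use, which is whether the echo payload matches what a real ping sends. The tunneled command is constructed; the "normal ping" layout (a 16-byte timestamp followed by the filler bytes 0x10 to 0x37, as 64-bit Linux iputils ping sends) is an assumption to adapt to the ping implementation on your own network. Packets are built as bytes and never sent, so it runs offline.

```python
"""ICMP tunnel (covert channel) and a payload-based detector.
Packets are constructed in memory; nothing is sent on the wire."""
import struct

ICMP_ECHO_REQUEST = 8
TIMEVAL_LEN = 16                            # assumed: 64-bit Linux ping prepends a 16-byte timeval
PING_PATTERN = bytes(range(0x10, 0x38))     # the 40 filler bytes iputils ping sends after it


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Echo request: type 8, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes):
    """Return (type, ident, seq, payload); reject packets with a bad checksum."""
    if internet_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    typ, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return typ, ident, seq, packet[8:]


# --- covert channel: the Trojan tunnels a command inside the echo payload ----
def tunnel_send(command: bytes, ident: int = 0x1337) -> bytes:
    return build_echo(ident, 1, command)


def tunnel_receive(packet: bytes) -> bytes:
    _typ, _ident, _seq, payload = parse_echo(packet)
    return payload


# --- defender side: does this echo look like a real ping? -------------------
def normal_ping_payload(timestamp: bytes = b"\x00" * TIMEVAL_LEN) -> bytes:
    return timestamp + PING_PATTERN


def is_standard_ping_payload(payload: bytes) -> bool:
    return (len(payload) == TIMEVAL_LEN + len(PING_PATTERN)
            and payload[TIMEVAL_LEN:] == PING_PATTERN)


def looks_like_tunnel(packet: bytes) -> bool:
    """Flag echo requests whose payload deviates from the expected ping filler."""
    typ, _ident, _seq, payload = parse_echo(packet)
    return typ == ICMP_ECHO_REQUEST and not is_standard_ping_payload(payload)


if __name__ == "__main__":
    pkt = tunnel_send(b"cat /etc/passwd")
    print("receiver got:", tunnel_receive(pkt))
    print("tunnel flagged:", looks_like_tunnel(pkt))
    print("real ping flagged:", looks_like_tunnel(build_echo(1, 1, normal_ping_payload())))
```

The detector is deliberately narrow: it keys on the fixed filler pattern, so a tunnel that pads its data to mimic that pattern (or hides data in the identifier and sequence fields) would slip past it. In practice the countermeasure from Question 61 still applies; at the network layer, blocking or rate-limiting ICMP echo to and from hosts that have no need for it removes the channel entirely.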
Question 68. What is the difference between a virus and a worm?
- A. A virus can infect the boot sector but a worm cannot.
- B. A worm spreads by itself but a virus must attach to an e-mail.
- C. A worm spreads by itself but a virus must attach to another program.
- D. A virus is written in C++ but a worm is written in shell code.
Answer 68. Option C.
Explanation: A worm can replicate itself automatically but a virus must attach to another program.
Question 69. What type of virus modifies itself to avoid detection?
- A. Stealth virus
- B. Polymorphic virus
- C. Multipartite virus
- D. Armored virus
Answer 69. Option B.
Explanation: A polymorphic virus modifies itself to evade detection.
Question 70. Which virus spreads through Word macros?
- A. Melissa
- B. Slammer
- C. Sobig
- D. Blaster
Answer 70. Option A.
Explanation: Melissa is a virus that spreads via Word macros.
Question 71. Which worm affects SQL servers?
- A. Sobig
- B. SQL Blaster
- C. SQL Slammer
- D. Melissa
Answer 71. Option C.
Explanation: SQL Slammer is a worm that attacks SQL servers.
Question 72. Armored viruses are ___________.
- A. Hidden
- B. Tunneled
- C. Encrypted
- D. Stealth
Answer 72. Option C.
Explanation: Armored viruses are encrypted or otherwise obfuscated to make disassembly and analysis by antivirus researchers more difficult.
Question 73. What are the three methods used to detect a virus?
- A. Scanning
- B. Integrity checking
- C. Virus signature comparison
- D. Firewall rules
- E. IDS anomaly detection
- F. Sniffing
Answer 73. Options A, B, C.
Explanation: Scanning, integrity checking, and virus signature comparison are three ways to detect a virus infection.
Question 74. What components of a system do viruses infect?
- A. Files
- B. System sectors
- C. Memory
- D. CPU
- E. DLL files
Answer 74. Options A, B, E.
Explanation: A virus can infect files, system sectors, and DLL files.
Question 75. All anomalous behavior can be attributed to a virus.
- A. True
- B. False
Answer 75. Option B.
Explanation: Not all anomalous behavior can be attributed to a virus.
Question 76. A virus that can cause multiple infections is known as what type of virus?
- A. Multipartite
- B. Stealth
- C. Camouflage
- D. Multi-infection
Answer 76. Option A.
Explanation: A multipartite virus can cause multiple infections.
Question 77. A way to evade an antivirus program is to do what?
- A. Write a custom virus script.
- B. Write a custom virus signature.
- C. Write a custom virus evasion program.
- D. Write a custom virus detection program.
Answer 77. Option A.
Explanation: A custom virus script can be used to evade detection because the script will not match a virus signature.
Question 78. What is sniffing?
- A. Sending corrupted data on the network to trick a system
- B. Capturing and deciphering traffic on a network
- C. Corrupting the ARP cache on a target system
- D. Performing a password-cracking attack
Answer 78. Option B.
Explanation: Sniffing is the process of capturing and analyzing data on a network.
Question 79. What is a countermeasure to passive sniffing?
- A. Implementing a switched network
- B. Implementing a shared network
- C. ARP spoofing
- D. Port-based security
Answer 79. Option A.
Explanation: Implementing a switched network prevents passive sniffing, because a switch forwards each frame only to the port that owns the destination MAC address instead of repeating it to every port as a hub does. An attacker on a switched network must fall back to active techniques such as ARP spoofing or MAC flooding, which can be detected.
Question 80. What type of device connects systems on a shared network?
- A. Routers
- B. Gateways
- C. Hubs
- D. Switches
Answer 80. Option C.
Explanation: A network connected via hubs is called a shared network.
Question 81. Which of the following is a countermeasure to ARP spoofing?
- A. Port-based security
- B. WinTCPkill
- C. Ethereal
- D. MAC-based security
Answer 81. Option A.
Explanation: Port-based security on a switch limits which MAC addresses are allowed on each port and disables the port when an unexpected address appears, which stops an attacker from impersonating another host's hardware address or flooding the switch's address table. Switches that support Dynamic ARP Inspection go further and validate each ARP reply against known IP-to-MAC bindings.
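Where the switch offers no protection, ARP spoofing can still be caught on a host or monitoring port by watching for an IP address whose MAC binding suddenly changes. The Python block below is an added example (not from the original question bank): it parses raw Ethernet/ARP frames and raises an alert when a reply claims a different MAC for an IP that is already known. The frames are constructed in memory; in practice they would come from a packet capture.

```python
"""ARP spoofing detector: parse ARP replies and alert on IP-to-MAC changes.
Frames are constructed for the demo, not captured."""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def build_arp_reply(sender_mac: bytes, sender_ip: bytes,
                    target_mac: bytes, target_ip: bytes) -> bytes:
    """Ethernet header + 28-byte ARP reply (Ethernet/IPv4)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + sender_mac + sender_ip + target_mac + target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": arp[8:14], "sender_ip": arp[14:18],
            "target_mac": arp[18:24], "target_ip": arp[24:28]}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


class ArpWatcher:
    """Keeps the first MAC seen for each IP and alerts when a reply disagrees."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return
        ip, mac = ip_str(arp["sender_ip"]), mac_str(arp["sender_mac"])
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            self.alerts.append(f"{ip} changed from {known} to {mac} (possible ARP spoofing)")


def demo() -> list:
    """Legitimate gateway reply followed by a spoofed one from an attacker."""
    gateway_mac = bytes.fromhex("001122334455")   # constructed addresses
    attacker_mac = bytes.fromhex("deadbeef0001")
    victim_mac = bytes.fromhex("66778899aabb")
    gateway_ip, victim_ip = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 10])
    w = ArpWatcher()
    w.observe(build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip))
    w.observe(build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip))
    return w.alerts


if __name__ == "__main__":
    for alert in demo():
        print("ALERT:", alert)
```

This is the same flip-flop logic the classic arpwatch tool uses. It trusts whichever binding it saw first, so it should be primed from a known-good table (static entries or DHCP leases) rather than from live traffic that may already be poisoned.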
Question 82. What is dsniff?
- A. A MAC spoofing tool
- B. An IP address spoofing tool
- C. A collection of hacking tools
- D. A sniffer
Answer 82. Option C.
Explanation: Dsniff is a collection of network auditing and penetration-testing tools written by Dug Song. It includes the dsniff password sniffer itself along with arpspoof, dnsspoof, macof, urlsnarf, webspy, and others.
Question 83. At what layer of the OSI model is data formatted into packets?
- A. Layer 1
- B. Layer 2
- C. Layer 3
- D. Layer 4
Answer 83. Option C.
Explanation: Packets are created and used to carry data at layer 3.
Question 84. What is snort?
- A. An IDS and packet sniffer
- B. Only an IDS
- C. Only a packet sniffer
- D. Only a frame sniffer
Answer 84. Option A.
Explanation: Snort is both an intrusion detection system (IDS) and a sniffer.
Question 85. What mode must a network card operate in to perform sniffing?
- A. Shared
- B. Unencrypted
- C. Open
- D. Promiscuous
Answer 85. Option D.
Explanation: A network card must operate in promiscuous mode in order to capture traffic destined to a different MAC address than its own.
Question 86. The best defense against any type of sniffing is ____________.
- A. Encryption
- B. A switched network
- C. Port-based security
- D. A good security training program
Answer 86. Option A.
Explanation: Encryption renders the information captured in a sniffer useless to a hacker.
Question 87. For what type of traffic can winsniffer capture passwords? (Choose all that apply.)
- A. POP3
- B. SMTP
- C. HTTP
- D. HTTPS
Answer 87. Options A, B, C.
Explanation: Winsniffer can capture passwords for POP3, SMTP, and HTTP traffic.
Question 88. Which is a method to prevent Denial of Service attacks?
- A. Static routing
- B. Traffic filtering
- C. Firewall rules
- D. Personal firewall
Answer 88. Option B.
Explanation: Traffic filtering is a method to prevent DoS attacks.
Question 89. What is a zombie?
- A. A compromised system used to launch a DDoS attack
- B. The hacker’s computer
- C. The victim of a DDoS attack
- D. A compromised system that is the target of a DDoS attack
Answer 89. Option A.
Explanation: A zombie is a compromised system used to launch a DDoS attack.
Question 90. The Trinoo tool uses what protocol to perform a DoS attack?
- A. TCP
- B. IP
- C. UDP
- D. HTTP
Answer 90. Option C.
Explanation: Trinoo uses UDP to flood the target system with data.
Question 91. What is the first phase of a DDoS attack?
- A. Intrusion
- B. Attack
- C. DoS
- D. Finding a target system
Answer 91. Option A.
Explanation: The intrusion phase compromises and recruits zombie systems to use in the coordinated attack phase.
Question 92. Which tool can run eight different types of DoS attacks?
- A. Ping of Death
- B. Trinoo
- C. Targa
- D. TFN2K
Answer 92. Option C.
Explanation: Targa is able to send eight different types of DoS attacks.
Question 93. What is a smurf attack?
- A. Sending a large amount of ICMP traffic with a spoofed source address
- B. Sending a large amount of TCP traffic with a spoofed source address
- C. Sending a large number of TCP connection requests with a spoofed source address
- D. Sending a large number of TCP connection requests
Answer 93. Option A.
Explanation: A smurf attack sends a large number of ICMP echo requests to a network's broadcast address with the source address spoofed to be the victim, so every host on that network replies to the victim and amplifies the flood.
Question 94. What is a LAND attack?
- A. Sending oversized ICMP packets
- B. Sending packets to a victim with a source address set to the victim’s IP address
- C. Sending packets to a victim with a destination address set to the victim’s IP address
- D. Sending a packet with the same source and destination address
Answer 94. Option B.
Explanation: A LAND attack sends packets (classically a TCP SYN) to a system with the source address and port set to the victim's own, causing the system to try to reply to itself.
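Both of the last two attacks are recognizable from the IP header alone. The Python block below is an added example (not from the original question bank) that parses IPv4 packets and flags the LAND signature (source equals destination) and the smurf trigger (an ICMP echo request addressed to the local network's broadcast address). Packets are constructed bytes; header checksums are left at zero because the detector inspects addresses, not integrity, and the local network 10.0.0.0/24 is an assumption for the demo.

```python
"""IPv4 parser with LAND and smurf signature checks.
Packets are constructed; the local network is assumed to be 10.0.0.0/24."""
import ipaddress
import struct

PROTO_ICMP = 1
PROTO_TCP = 6
ICMP_ECHO_REQUEST = 8
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte header without options


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum zero) followed by the payload."""
    header = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto,
            "payload": pkt[ihl:total_len]}


def classify(pkt: bytes, local_net: str) -> str:
    """Return 'LAND', 'SMURF' or 'normal' for one packet seen on local_net."""
    ip = parse_ipv4(pkt)
    net = ipaddress.IPv4Network(local_net)
    if ip["src"] == ip["dst"]:
        return "LAND"
    is_echo_req = ip["proto"] == PROTO_ICMP and ip["payload"][:1] == bytes([ICMP_ECHO_REQUEST])
    if is_echo_req and ipaddress.IPv4Address(ip["dst"]) == net.broadcast_address:
        # Echo request to the directed broadcast: every host would answer the
        # (spoofed, off-net) source. This is the smurf amplification trigger.
        return "SMURF"
    return "normal"


ECHO_REQ = bytes([ICMP_ECHO_REQUEST, 0, 0, 0, 0, 1, 0, 1])       # type, code, csum, id, seq
TCP_SYN_80 = b"\x00\x50\x00\x50" + b"\x00" * 16                  # src/dst port 80, rest zero


def demo(local_net: str = "10.0.0.0/24") -> dict:
    samples = {
        "land":  build_ipv4("10.0.0.5", "10.0.0.5", PROTO_TCP, TCP_SYN_80),
        "smurf": build_ipv4("203.0.113.9", "10.0.0.255", PROTO_ICMP, ECHO_REQ),
        "ping":  build_ipv4("10.0.0.7", "10.0.0.1", PROTO_ICMP, ECHO_REQ),
    }
    return {name: classify(pkt, local_net) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The smurf check also doubles as the rationale for the standard countermeasure: a router that refuses to forward directed broadcasts (`no ip directed-broadcast` on Cisco IOS, the default on modern releases) never delivers the trigger packet, and hosts configured to ignore echo requests sent to broadcast addresses never amplify it. The LAND check is cheap enough to run on every packet at a border firewall, which is where traffic filtering (Question 88) belongs.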