Q1. Which of the following activities will not be considered passive footprinting?
A. Go through the rubbish to find out any information that might have been discarded
B. Search on financial site such as Yahoo Financial to identify assets
C. Scan the range of IP address found in the target DNS database
D. Perform multiples queries using a search engine
Answer: C
Explanation: Scanning is not considered to be passive footprinting.
Q2. Maurine is working as a security consultant for Hinklemeir Associate. She has asked the Systems Administrator to create a group policy that would not allow null sessions on the network. The Systems Administrator is fresh out of college and has never heard of null sessions and does not know what they are used for. Maurine is trying to explain to the Systems Administrator that hackers will try to create a null session when footprinting the network.
Why would an attacker try to create a null session with a computer on a network?
A. Enumerate users shares
B. Install a backdoor for later attacks
C. Escalate his/her privileges on the target server
D. To create a user with administrative privileges for later use
Answer: A
Explanation: The Null Session is often referred to as the "Holy Grail" of Windows hacking. Listed as the number 5 windows vulnerability on the SANS/FBI Top 20 list, Null Sessions take advantage of flaws in the CIFS/SMB (Common Internet File System/Server Messaging Block) architecture. You can establish a Null Session with a Windows (NT/2000/XP) host by logging on with a null user name and password. Using these null connections allows you to gather the following information from the host:
-List of users and groups
-List of machines
-List of shares
-Users and host SID' (Security Identifiers)
Topic 5, System Hacking
177. If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?
A. Birthday
B. Brute force
C. Man-in-the-middle
D. Smurf
Q3. What happens during a SYN flood attack?
A. TCP connection requests floods a target machine is flooded with randomized source address & ports for the TCP ports.
B. A TCP SYN packet, which is a connection initiation, is sent to a target machine, giving the target host’s address as both source and destination, and is using the same port on the target host as both source and destination.
C. A TCP packet is received with the FIN bit set but with no ACK bit set in the flags field.
D. A TCP packet is received with both the SYN and the FIN bits set in the flags field.
Answer: A
Explanation: To a server that requires an exchange of a sequence of messages. The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending a SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message and then data can be exchanged. At the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message, there is a half-open connection. A data structure describing all pending connections is in memory of the server that can be made to overflow by intentionally creating too many partially open connections. Another common attack is the SYN flood, in which a target machine is flooded with TCP connection requests. The source addresses and source TCP ports of the connection request packets are randomized; the purpose is to force the target host to maintain state information for many connections that will never be completed. SYN flood attacks are usually noticed because the target host (frequently an HTTP or SMTP server) becomes extremely slow, crashes, or hangs. It's also possible for the traffic returned from the target host to cause trouble on routers; because this return traffic goes to the randomized source addresses of the original packets, it lacks the locality properties of "real" IP traffic, and may overflow route caches. On Cisco routers, this problem often manifests itself in the router running out of memory.
Q4. The traditional traceroute sends out ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets take to reach the destination.
The problem is that with the widespread use of firewalls on the Internet today, many of the packets that traceroute sends out end up being filtered, making it impossible to completely trace the path to the destination.
How would you overcome the Firewall restriction on ICMP ECHO packets?
A. Firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.
B. Firewalls will permit inbound UDP packets to specific ports that hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.
C. Firewalls will permit inbound UDP packets to specific ports that hosts sitting behind the firewall are listening for connections. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.
D. Do not use traceroute command to determine the path packets take to reach the destination instead use the custom hacking tool JOHNTHETRACER and run with the command
E. \> JOHNTHETRACER www.eccouncil.org -F -evade
Answer: A
Q5. Which of the following LM hashes represent a password of less than 8 characters? (Select 2)
A. BA810DBA98995F1817306D272A9441BB
B. 44EFCE164AB921CQAAD3B435B51404EE
C. 0182BD0BD4444BF836077A718CCDF409
D. CEC52EB9C8E3455DC2265B23734E0DAC
E. B757BF5C0D87772FAAD3B435B51404EE
F. E52CAC67419A9A224A3B108F3FA6CB6D
Answer: BE
Explanation: Notice the last 8 characters are the same
Q6. Which of the following best describes Vulnerability?
A. The loss potential of a threat
B. An action or event that might prejudice security
C. An agent that could take advantage of a weakness
D. A weakness or error that can lead to compromise
Answer: D
Explanation: A vulnerability is a flaw or weakness in system security procedures, design or implementation that could be exercised (accidentally triggered or intentionally exploited) and result in a harm to an IT system or activity.
Q7. How do you defend against ARP spoofing?
A. Place static ARP entries on servers, workstation and routers
B. True IDS Sensors to look for large amount of ARP traffic on local subnets
C. Use private VLANS
D. Use ARPWALL system and block ARP spoofing attacks
Answer: ABC
Explanation: ARPWALL is a opensource tools will give early warning when arp attack occurs.
This tool is still under construction.
Q8. In TCP communications there are 8 flags; FIN, SYN, RST, PSH, ACK, URG, ECE, CWR. These flags have decimal numbers assigned to them:
FIN = 1 SYN = 2 RST = 4 PSH = 8 ACK = 16 URG = 32 ECE = 64 CWR = 128
Jason is the security administrator of ASPEN Communications. He analyzes some traffic using Wireshark and has enabled the following filters.
What is Jason trying to accomplish here?
A. SYN, FIN, URG and PSH
B. SYN, SYN/ACK, ACK
C. RST, PSH/URG, FIN
D. ACK, ACK, SYN, URG
Answer: B
Q9. Jeffery works at a large financial firm in Dallas, Texas as a securities analyst. Last week, the IT department of his company installed a wireless network throughout the building. The problem is, is that they are only going to make it available to upper management and the IT department.
Most employees don't have a problem with this since they have no need for wireless networking, but Jeffery would really like to use wireless since he has a personal laptop that he works from as much as he can. Jeffery asks the IT manager if he could be allowed to use the wireless network but he is turned down. Jeffery is not satisfied, so he brings his laptop in to work late one night and tries to get access to the network. Jeffery uses the wireless utility on his laptop, but cannot see any wireless networks available. After about an hour of trying to figure it out, Jeffery cannot get on the company's wireless network. Discouraged, Jeffery leaves the office and goes home.
The next day, Jeffery calls his friend who works with computers. His friend suggests that his IT department might have turned off SSID broadcasting, and that is why he could not see any wireless networks. How would Jeffrey access the wireless network?
A. Run WEPCrack tool and brute force the SSID hashes
B. Jam the wireless signal by launching denial of service attack
C. Sniff the wireless network and capture the SSID that is transmitted over the wire in plaintext
D. Attempt to connect using wireless device default SSIDs
Answer: C
Q10. What are two things that are possible when scanning UDP ports? (Choose two.
A. A reset will be returned
B. An ICMP message will be returned
C. The four-way handshake will not be completed
D. An RFC 1294 message will be returned
E. Nothing
Answer: BE
Explanation: Closed UDP ports can return an ICMP type 3 code 3 message. No response can mean the port is open or the packet was silently dropped.