Q1. _____ is found in all versions of NTFS and is described as the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer
A. Steganography
B. Merge Streams
C. NetBIOS vulnerability
D. Alternate Data Streams
Answer: D
Explanation: ADS (or Alternate Data Streams) is a “feature” in the NTFS file system that makes it possible to hide information in alternate data streams in existing files. The file can have multiple data streams and the data streams are accessed by filename:stream.
Q2. Smurf is a simple attack based on IP spoofing and broadcasts. A single packet (such as an ICMP Echo Request) is sent as a directed broadcast to a subnet on the Internet. All the machines on that subnet respond to this broadcast. By spoofing the source IP Address of the packet, all the responses will get sent to the spoofed IP Address. Thus, a hacker can often flood a victim with hundreds of responses for every request the hacker sends out.
Who are the primary victims of these attacks on the Internet today?
A. IRC servers are the primary victim to smurf attacks
B. IDS devices are the primary victim to smurf attacks
C. Mail Servers are the primary victim to smurf attacks
D. SPAM filters are the primary victim to surf attacks
Answer: A
Explanation: IRC servers are the primary victim to smurf attacks. Script-kiddies run programs that scan the Internet looking for "amplifiers" (i.e. subnets that will respond). They compile lists of these amplifiers and exchange them with their friends. Thus, when a victim is flooded with responses, they will appear to come from all over the Internet. On IRCs, hackers will use bots (automated programs) that connect to IRC servers and collect IP addresses. The bots then send the forged packets to the amplifiers to inundate the victim.
Q3. NetBIOS over TCP/IP allows files and/or printers to be shared over the network. You are trying to intercept the traffic from a victim machine to a corporate network printer. You are attempting to hijack the printer network connection from your laptop by sniffing the wire. Which port does SMB over TCP/IP use?
A. 443
B. 139
C. 179
D. 445
Answer: D
Q4. Which tool/utility can help you extract the application layer data from each TCP connection from a log file into separate files?
A. Snort
B. argus
C. TCPflow
D. Tcpdump
Answer: C
Explanation: Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.
Q5. Which of the following Nmap commands would be used to perform a UDP scan of the lower 1024 ports?
A. Nmap -h -U
B. Nmap -hU <host(s.>
C. Nmap -sU -p 1-1024 <host(s.>
D. Nmap -u -v -w2 <host> 1-1024
E. Nmap -sS -O target/1024
Answer: C
Explanation: Nmap -sU -p 1-1024 <hosts.> is the proper syntax. Learning Nmap and its switches are critical for successful completion of the CEH exam.
Q6. Steven is a senior security analyst for a state agency in Tulsa, Oklahoma. His agency is currently undergoing a mandated security audit by an outside consulting firm. The consulting firm is halfway through the audit and is preparing to perform the actual penetration testing against the agency’s network. The firm first sets up a sniffer on the agency’s wired network to capture a reasonable amount of traffic to analyze later. This takes approximately 2 hours to obtain 10 GB of data. The consulting firm then sets up a sniffer on the agency’s wireless network to capture the same amount of traffic. This capture only takes about 30 minutes to get 10 GB of data.
Why did capturing of traffic take much less time on the wireless network?
A. Because wireless access points act like hubs on a network
B. Because all traffic is clear text, even when encrypted
C. Because wireless traffic uses only UDP which is easier to sniff
D. Because wireless networks can’t enable encryption
Answer: A
Explanation: You can not have directed radio transfers over a WLAN. Every packet will be broadcasted as far as possible with no concerns about who might hear it.
Q7. A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging in.
What do you think is the most likely reason behind this?
A. There is a NIDS present on that segment.
B. Kerberos is preventing it.
C. Windows logons cannot be sniffed.
D. L0phtcrack only sniffs logons to web servers.
Answer: B
Explanation: In a Windows 2000 network using Kerberos you normally use pre-authentication and the user password never leaves the local machine so it is never exposed to the network so it should not be able to be sniffed.
Q8. System Administrators sometimes post questions to newsgroups when they run into technical challenges. As an ethical hacker, you could use the information in newsgroup posting to glean insight into the makeup of a target network. How would you search for these posting using Google search?
A. Search in Google using the key strings “the target company” and “newsgroups”
B. Search for the target company name at http://groups.google.com
C. Use NNTP websites to search for these postings
D. Search in Google using the key search strings “the target company” and “forums”
Answer: B
Explanation: Using http://groups.google.com is the easiest way to access various newsgroups today. Before http://groups.google.com you had to use special NNTP clients or subscribe to some nntp to web services.
Q9. You went to great lengths to install all the necessary technologies to prevent hacking attacks, such as expensive firewalls, antivirus software, anti-spam systems and intrusion detection/prevention tools in your company's network. You have configured the most secure policies and tightened every device on your network. You are confident that hackers will never be able to gain access to your network with complex security system in place. Your peer, Peter Smith who works at the same department disagrees with you. He says even the best network security technologies cannot prevent hackers gaining access to the network because of presence of "weakest link" in the security chain. What is Peter Smith talking about?
A. Untrained staff or ignorant computer users who inadvertently become the weakest link in your security chain
B. "zero-day" exploits are the weakest link in the security chain since the IDS will not be able to detect these attacks
C. "Polymorphic viruses" are the weakest link in the security chain since the Anti-Virus scanners will not be able to detect these attacks
D. Continuous Spam e-mails cannot be blocked by your security system since spammers use different techniques to bypass the filters in your gateway
Answer: A
Q10. Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds it to be abnormal. If you were the penetration tester, why would you find this abnormal?
(Note: The student is being tested on concept learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dumo.)
05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1 TCP TTL:44 TOS:0x10 ID:242 ***FRP** Seq: 0XA1D95 Ack: 0x53 Win: 0x400 . . .
05/20-17:06:58.685879 192.160.13.4:31337 -> 172.16.1.101:1024 TCP TTL:44 TOS:0x10 ID:242 ***FRP** Seg: 0XA1D95 Ack: 0x53 Win: 0x400
What is odd about this attack? (Choose the most appropriate statement)
A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
B. This is back orifice activity as the scan comes from port 31337.
C. The attacker wants to avoid creating a sub-carrier connection that is not normally valid.
D. There packets were created by a tool; they were not created by a standard IP stack.
Answer: B
Explanation: Port 31337 is normally used by Back Orifice. Note that 31337 is hackers spelling of ‘elite’, meaning ‘elite hackers’.