CEH v10 (312-50v110)

Exam A

QUESTION 1
An unauthorized individual enters a building following an employee through the employee entrance after the
lunch rush. What type of breach has the individual just performed?

A. Reverse Social Engineering

B. Tailgating
C. Piggybacking
D. Announced

Correct Answer: B

QUESTION 2
Which of the following is the best countermeasure to encrypting ransomwares?

A. Use multiple antivirus softwares

B. Keep some generation of off-line backup
C. Analyze the ransomware to get decryption key of encrypted data
D. Pay a ransom

Correct Answer: B

QUESTION 3
If an attacker uses the command SELECT*FROM user WHERE name = ‘x’ AND userid IS NULL; --‘; which
type of SQL injection attack is the attacker performing?

A. End of Line Comment

B. UNION SQL Injection
C. Illegal/Logically Incorrect Query
D. Tautology

Correct Answer: D

QUESTION 4
Sophia travels a lot and worries that her laptop containing confidential documents might be stolen. What is the
best protection that will work for her?

A. Full Disk encryption

B. BIOS password
C. Hidden folders
D. Password protected files

Correct Answer: A

QUESTION 5
An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to
"www.MyPersonalBank.com", that the user is directed to a phishing site.

Which file does the attacker need to modify?

A. Boot.ini
B. Sudoers
C. Networks
D. Hosts

Correct Answer: D

QUESTION 6
Which of the following options represents a conceptual characteristic of an anomaly-based IDS over a
signature-based IDS?

A. Produces less false positives

B. Can identify unknown attacks
C. Requires vendor updates for a new threat
D. Cannot deal with encrypted network traffic

Correct Answer: B

QUESTION 7
You are logged in as a local admin on a Windows 7 system and you need to launch the Computer
Management Console from command line.

Which command would you use?

A. c:\gpedit
B. c:\compmgmt.msc
C. c:\ncpa.cp
D. c:\services.msc

Correct Answer: B

QUESTION 8
Which of the following act requires employer’s standard national numbers to identify them on standard
transactions?

A. SOX
B. HIPAA
C. DMCA
D. PCI-DSS

Correct Answer: B

QUESTION 9
In Wireshark, the packet bytes panes show the data of the current packet in which format?

A. Decimal
B. ASCII only
C. Binary
D. Hexadecimal

Correct Answer: D

QUESTION 10
_________ is a set of extensions to DNS that provide to DNS clients (resolvers) the origin authentication of
DNS data to reduce the threat of DNS poisoning, spoofing, and similar types of attacks.

A. DNSSEC
B. Resource records
C. Resource transfer
D. Zone transfer

Correct Answer: A

QUESTION 11
PGP, SSL, and IKE are all examples of which type of cryptography?

A. Hash Algorithm
B. Digest
C. Secret Key
D. Public Key

Correct Answer: D

QUESTION 12
Which of the following is considered as one of the most reliable forms of TCP scanning?

A. TCP Connect/Full Open Scan

B. Half-open Scan
C. NULL Scan
D. Xmas Scan

Correct Answer: A

QUESTION 13
Which of the following scanning method splits the TCP header into several packets and makes it difficult for
packet filters to detect the purpose of the packet?

A. ICMP Echo scanning

B. SYN/FIN scanning using IP fragments
C. ACK flag probe scanning
D. IPID scanning

Correct Answer: B

QUESTION 14
Which of the following is the BEST way to defend against network sniffing?

A. Restrict Physical Access to Server Rooms hosting Critical Servers

B. Use Static IP Address
C. Using encryption protocols to secure network communications
D. Register all machines MAC Address in a Centralized Database

Correct Answer: C

QUESTION 15
You have successfully gained access to a Linux server and would like to ensure that the succeeding outgoing
traffic from this server will not be caught by Network-Based Intrusion Detection Systems (NIDS).

What is the best way to evade the NIDS?

A. Out of band signaling

B. Protocol Isolation
C. Encryption
D. Alternate Data Streams

Correct Answer: C

QUESTION 16
What is the purpose of a demilitarized zone on a network?

A. To scan all traffic coming through the DMZ to the internal network
B. To only provide direct access to the nodes within the DMZ and protect the network behind it
C. To provide a place to put the honeypot
D. To contain the network devices you wish to protect

Correct Answer: B

QUESTION 17
You need to deploy a new web-based software package for your organization. The package requires three
separate servers and needs to be available on the Internet. What is the recommended architecture in terms of
server placement?

A. All three servers need to be placed internally

B. A web server facing the Internet, an application server on the internal network, a database server on the
internal network
C. A web server and the database server facing the Internet, an application server on the internal network
D. All three servers need to face the Internet so that they can communicate between themselves

Correct Answer: B

QUESTION 18
The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the
host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and deny all other traffic. After
he applied his ACL configuration in the router, nobody can access to the ftp, and the permitted hosts cannot
access the Internet. According to the next configuration, what is happening in the network?

A. The ACL 104 needs to be first because is UDP

B. The ACL 110 needs to be changed to port 80
C. The ACL for FTP must be before the ACL 110
D. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router

Correct Answer: D

QUESTION 19
When conducting a penetration test, it is crucial to use all means to get all available information about the
target network. One of the ways to do that is by sniffing the network. Which of the following cannot be
performed by the passive network sniffing?

A. Identifying operating systems, services, protocols and devices

B. Modifying and replaying captured network traffic
C. Collecting unencrypted information about usernames and passwords
D. Capturing a network traffic for further analysis

Correct Answer: B

QUESTION 20
A company's Web development team has become aware of a certain type of security vulnerability in their Web
software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software
requirements to disallow users from entering HTML as input into their Web application.

What kind of Web application vulnerability likely exists in their software?

A. Cross-site scripting vulnerability

B. Web site defacement vulnerability
C. SQL injection vulnerability
D. Cross-site Request Forgery vulnerability

Correct Answer: A

QUESTION 21
Insecure direct object reference is a type of vulnerability where the application does not verify if the user is
authorized to access the internal object via its name or key.
Suppose a malicious user Rob tries to get access to the account of a benign user Ned.
Which of the following requests best illustrates an attempt to exploit an insecure direct object reference
vulnerability?

A. “GET/restricted/goldtransfer?to=Rob&from=1 or 1=1’ HTTP/1.1Host: westbank.com”

B. “GET/restricted/accounts/?name=Ned HTTP/1.1 Host: westbank.com”
C. “GET/restricted/bank.getaccount(‘Ned’) HTTP/1.1 Host: westbank.com”
D. “GET/restricted/\r\n\%00account%00Ned%00access HTTP/1.1 Host: westbank.com”

Correct Answer: B

QUESTION 22
Which tool allows analysts and pen testers to examine links between data using graphs and link analysis?

A. Metasploit
B. Cain & Abel
C. Maltego
D. Wireshark

Correct Answer: C

QUESTION 23
Which of these is capable of searching for and locating rogue access points?

A. HIDS
B. NIDS
C. WISS
D. WIPS

Correct Answer: D

QUESTION 24
A hacker is an intelligent individual with excellent computer skills and the ability to explore a computer’s
software and hardware without the owner’s permission. Their intention can either be to simply gain knowledge
or to illegally make changes.
Which of the following class of hacker refers to an individual who works both offensively and defensively at
various times?

A. White Hat
B. Suicide Hacker
C. Gray Hat
D. Black Hat

Correct Answer: C

QUESTION 25
Websites and web portals that provide web services commonly use the Simple Object Access Protocol
(SOAP). Which of the following is an incorrect definition or characteristics of the protocol?

A. Based on XML
B. Only compatible with the application protocol HTTP
C. Exchanges data between web services
D. Provides a structured model for messaging

Correct Answer: B

QUESTION 26
You have gained physical access to a Windows 2008 R2 server which has an accessible disc drive. When you
attempt to boot the server and log in, you are unable to guess the password. In your toolkit, you have an
Ubuntu 9.10 Linux LiveCD. Which Linux-based tool can change any user’s password or activate disabled
Windows accounts?

A. John the Ripper

B. SET
C. CHNTPW
D. Cain & Abel

Correct Answer: C

QUESTION 27
What type of vulnerability/attack is it when the malicious person forces the user’s browser to send an
authenticated request to a server?

A. Cross-site request forgery

B. Cross-site scripting
C. Session hijacking
D. Server side request forgery

Correct Answer: A

QUESTION 28
From the following table, identify the wrong answer in terms of Range (ft).
A. 802.11b
B. 802.11g
C. 802.16(WiMax)
D. 802.11a

Correct Answer: D

QUESTION 29
What would you enter, if you wanted to perform a stealth scan using Nmap?

A. nmap -sU
B. nmap -sS
C. nmap -sM
D. nmap -sT

Correct Answer: B

QUESTION 30
You are doing an internal security audit and intend to find out what ports are open on all the servers. What is
the best way to find out?

A. Scan servers with Nmap

B. Scan servers with MBSA
C. Telnet to every port on each server
D. Physically go to each server

Correct Answer: A

QUESTION 31
Steve, a scientist who works in a governmental security agency, developed a technological solution to identify
people based on walking patterns and implemented this approach to a physical control access.
A camera captures people walking and identifies the individuals using Steve’s approach.
After that, people must approximate their RFID badges. Both the identifications are required to open the door.
In this case, we can say:

A. Although the approach has two phases, it actually implements just one authentication factor
B. The solution implements the two authentication factors: physical object and physical characteristic
C. The solution will have a high level of false positives
D. Biological motion cannot be used to identify people

Correct Answer: B

QUESTION 32
Which Intrusion Detection System is the best applicable for large environments where critical assets on the
network need extra security and is ideal for observing sensitive network segments?
A. Honeypots
B. Firewalls
C. Network-based intrusion detection system (NIDS)
D. Host-based intrusion detection system (HIDS)

Correct Answer: C

QUESTION 33
Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library? This
weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used
to secure the Internet.

A. SSL/TLS Renegotiation Vulnerability

B. Shellshock
C. Heartbleed Bug
D. POODLE

Correct Answer: C

QUESTION 34
Which protocol is used for setting up secure channels between two devices, typically in VPNs?

A. PPP
B. IPSEC
C. PEM
D. SET

Correct Answer: B

QUESTION 35
Which of the following Secure Hashing Algorithm (SHA) produces a 160-bit digest from a message with a
maximum length of (264-1) bits and resembles the MD5 algorithm?

A. SHA-2
B. SHA-3
C. SHA-1
D. SHA-0

Correct Answer: C

QUESTION 36
When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform
external and internal penetration testing?

A. At least twice a year or after any significant upgrade or modification

B. At least once a year and after any significant upgrade or modification
C. At least once every two years and after any significant upgrade or modification
D. At least once every three years or after any significant upgrade or modification

Correct Answer: B

QUESTION 37
If a tester is attempting to ping a target that exists but receives no response or a response that states the
destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option
could the tester use to get a response from a host using TCP?

A. Traceroute
B. Hping
C. TCP ping
D. Broadcast ping

Correct Answer: B

QUESTION 38
Which of the following types of jailbreaking allows user-level access but does not allow iboot-level access?

A. Bootrom Exploit
B. iBoot Exploit
C. Sandbox Exploit
D. Userland Exploit

Correct Answer: D

QUESTION 39
What is not a PCI compliance recommendation?

A. Use a firewall between the public network and the payment card data.
B. Use encryption to protect all transmission of card holder data over any public network.
C. Rotate employees handling credit card transactions on a yearly basis to different departments.
D. Limit access to card holder data to as few individuals as possible.

Correct Answer: C

QUESTION 40
The "white box testing" methodology enforces what kind of restriction?

A. Only the internal operation of a system is known to the tester.

B. The internal operation of a system is completely known to the tester.
C. The internal operation of a system is only partly accessible to the tester.
D. Only the external operation of a system is accessible to the tester.

Correct Answer: B

QUESTION 41
Identify the web application attack where the attackers exploit vulnerabilities in dynamically generated web
pages to inject client-side script into web pages viewed by other users.

A. SQL injection attack

B. Cross-Site Scripting (XSS)
C. LDAP Injection attack
D. Cross-Site Request Forgery (CSRF)

Correct Answer: B

QUESTION 42
This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data
packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK
attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking
tools.

Which of the following tools is being described?

A. wificracker
B. Airguard
C. WLAN-crack
D. Aircrack-ng

Correct Answer: D

QUESTION 43
The following is part of a log file taken from the machine on the network with the IP address of 192.168.0.110:

What type of activity has been logged?

A. Teardrop attack targeting 192.168.0.110

B. Denial of service attack targeting 192.168.0.105
C. Port scan targeting 192.168.0.110
D. Port scan targeting 192.168.0.105

Correct Answer: C

QUESTION 44
You are attempting to run an Nmap port scan on a web server. Which of the following commands would result
in a scan of common ports with the least amount of noise in order to evade IDS?

A. nmap –A - Pn
B. nmap –sP –p-65535-T5
C. nmap –sT –O –T0
D. nmap –A --host-timeout 99-T1

Correct Answer: C

QUESTION 45
Bob, your senior colleague, has sent you a mail regarding aa deal with one of the clients. You are requested to
accept the offer and you oblige.
After 2 days, Bob denies that he had ever sent a mail.
What do you want to “know” to prove yourself that it was Bob who had send a mail?

A. Confidentiality
B. Integrity
C. Non-Repudiation
D. Authentication
Correct Answer: C

QUESTION 46
What is attempting an injection attack on a web server based on responses to True/False questions called?

A. DMS-specific SQLi
B. Compound SQLi
C. Blind SQLi
D. Classic SQLi

Correct Answer: C

QUESTION 47
The establishment of a TCP connection involves a negotiation called three-way handshake. What type of
message does the client send to the server in order to begin this negotiation?

A. ACK
B. SYN
C. RST
D. SYN-ACK

Correct Answer: B

QUESTION 48
You need a tool that can do network intrusion prevention and intrusion detection, function as a network sniffer,
and record network activity. What tool would you most likely select?

A. Snort
B. Nmap
C. Cain & Abel
D. Nessus

Correct Answer: A

QUESTION 49
Which of the following will perform an Xmas scan using NMAP?

A. nmap -sA 192.168.1.254

B. nmap -sP 192.168.1.254
C. nmap -sX 192.168.1.254
D. nmap -sV 192.168.1.254

Correct Answer: C

QUESTION 50
Code injection is a form of attack in which a malicious user:

A. Inserts text into a data field that gets interpreted as code

B. Gets the server to execute arbitrary code using a buffer overflow
C. Inserts additional code into the JavaScript running in the browser
D. Gains access to the codebase on the server and inserts new code

Correct Answer: A
QUESTION 51
The collection of potentially actionable, overt, and publicly available information is known as

A. Open-source intelligence
B. Human intelligence
C. Social intelligence
D. Real intelligence

Correct Answer: A

QUESTION 52
Which one of the following Google advanced search operators allows an attacker to restrict the results to those
websites in the given domain?

A. [cache:]
B. [site:]
C. [inurl:]
D. [link:]

Correct Answer: B

QUESTION 53
This asymmetry cipher is based on factoring the product of two large prime numbers.

What cipher is described above?

A. SHA
B. RSA
C. MD5
D. RC5

Correct Answer: B

QUESTION 54
Firewalls are the software or hardware systems that are able to control and monitor the traffic coming in and
out the target network based on pre-defined set of rules.
Which of the following types of firewalls can protect against SQL injection attacks?

A. Data-driven firewall
B. Stateful firewall
C. Packet firewall
D. Web application firewall

Correct Answer: D

QUESTION 55
During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a
Demilitarized Zone (DMZ) and a second DNS server on the internal network.

What is this type of DNS configuration commonly called?

A. DynDNS
B. DNS Scheme
C. DNSSEC
D. Split DNS

Correct Answer: D

QUESTION 56
In which of the following cryptography attack methods, the attacker makes a series of interactive queries,
choosing subsequent plaintexts based on the information from the previous encryptions?

A. Chosen-plaintext attack
B. Ciphertext-only attack
C. Adaptive chosen-plaintext attack
D. Known-plaintext attack

Correct Answer: A

QUESTION 57
Which of the following attacks exploits web age vulnerabilities that allow an attacker to force an unsuspecting
user’s browser to send malicious requests they did not intend?

A. Command Injection Attacks

B. File Injection Attack
C. Cross-Site Request Forgery (CSRF)
D. Hidden Field Manipulation Attack

Correct Answer: C

QUESTION 58
Which is the first step followed by Vulnerability Scanners for scanning a network?

A. TCP/UDP Port scanning

B. Firewall detection
C. OS Detection
D. Checking if the remote host is alive

Correct Answer: D

QUESTION 59
Shellshock allowed an unauthorized user to gain access to a server. It affected many Internet-facing services,
which OS did it not directly affect?

A. Linux
B. Unix
C. OS X
D. Windows

Correct Answer: D

QUESTION 60
Alice encrypts her data using her public key PK and stores the encrypted data in the cloud. Which of the
following attack scenarios will compromise the privacy of her data?

A. None of these scenarios compromise the privacy of Alice’s data

B. Agent Andrew subpoenas Alice, forcing her to reveal her private key. However, the cloud server
successfully resists Andrew’s attempt to access the stored data
C. Hacker Harry breaks into the cloud server and steals the encrypted data
D. Alice also stores her private key in the cloud, and Harry breaks into the cloud server as before

Correct Answer: D

QUESTION 61
A hacker named Jack is trying to compromise a bank’s computer system. He needs to know the operating
system of that computer to launch further attacks.
What process would help him?

A. Banner Grabbing
B. IDLE/IPID Scanning
C. SSDP Scanning
D. UDP Scanning

Correct Answer: A

QUESTION 62
What two conditions must a digital signature meet?

A. Has to be legible and neat.

B. Has to be unforgeable, and has to be authentic.
C. Must be unique and have special characters.
D. Has to be the same number of characters as a physical signature and must be unique.

Correct Answer: B

QUESTION 63
Bob, a network administrator at BigUniversity, realized that some students are connecting their notebooks in
the wired network to have Internet access. In the university campus, there are many Ethernet ports available
for professors and authorized visitors but not for students.
He identified this when the IDS alerted for malware activities in the network.
What should Bob do to avoid this problem?

A. Disable unused ports in the switches

B. Separate students in a different VLAN
C. Use the 802.1x protocol
D. Ask students to use the wireless network

Correct Answer: C

QUESTION 64
Which of the following Bluetooth hacking techniques does an attacker use to send messages to users without
the recipient’s consent, similar to email spamming?

A. Bluesmacking
B. Bluesniffing
C. Bluesnarfing
D. Bluejacking

Correct Answer: D

QUESTION 65
Which method of password cracking takes the most time and effort?
A. Shoulder surfing
B. Brute force
C. Dictionary attack
D. Rainbow tables

Correct Answer: B

QUESTION 66
Which of the following program infects the system boot sector and the executable files at the same time?

A. Stealth virus
B. Polymorphic virus
C. Macro virus
D. Multipartite Virus

Correct Answer: D

QUESTION 67
You are a Penetration Tester and are assigned to scan a server. You need to use a scanning technique
wherein the TCP Header is split into many packets so that it becomes difficult to detect what the packets are
meant for.
Which of the below scanning technique will you use?

A. ACK flag scanning

B. TCP Scanning
C. IP Fragment Scanning
D. Inverse TCP flag scanning

Correct Answer: C

QUESTION 68
An IT employee got a call from one of our best customers. The caller wanted to know about the company's
network infrastructure, systems, and team. New opportunities of integration are in sight for both company and
customer. What should this employee do?

A. The employees cannot provide any information; but, anyway, he/she will provide the name of the person in
charge.
B. Since the company's policy is all about Customer Service, he/she will provide information.
C. Disregarding the call, the employee should hang up.
D. The employee should not provide any information without previous management authorization.

Correct Answer: D

QUESTION 69
You perform a scan of your company’s network and discover that TCP port 123 is open. What services by
default run on TCP port 123?

A. Telnet
B. POP3
C. Network Time Protocol
D. DNS

Correct Answer: C
QUESTION 70
Based on the below log, which of the following sentences are true?

Mar 1, 2016, 7:33:28 AM 10.240.250.23 – 54373 10.249.253.15 – 22 tcp_ip

A. SSH communications are encrypted it’s impossible to know who is the client or the server
B. Application is FTP and 10.240.250.23 is the client and 10.249.253.15 is the server
C. Application is SSH and 10.240.250.23 is the client and 10.249.253.15 is the server
D. Application is SSH and 10.240.250.23 is the server and 10.249.253.15 is the server

Correct Answer: C

QUESTION 71
You have successfully comprised a server having an IP address of 10.10.0.5. You would like to enumerate all
machines in the same network quickly.

What is the best Nmap command you will use?

A. nmap -T4 -q 10.10.0.0/24

B. nmap -T4 -F 10.10.0.0/24
C. nmap -T4 -r 10.10.1.0/24
D. nmap -T4 -O 10.10.0.0/24

Correct Answer: B

QUESTION 72
........is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the
premises, but actually has been set up to eavesdrop on wireless communications. It is the wireless version of
the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted
hotspot by posing as a legitimate provider. This type of attack may be used to steal the passwords of
unsuspecting users by either snooping the communication link or by phishing, which involves setting up a
fraudulent web site and luring people there.

Fill in the blank with appropriate choice.

A. Evil Twin Attack

B. Sinkhole Attack
C. Collision Attack
D. Signal Jamming Attack

Correct Answer: A

QUESTION 73
DNS cache snooping is a process of determining if the specified resource address is present in the DNS cache
records. It may be useful during the examination of the network to determine what software update resources
are used, thus discovering what software is installed.
What command is used to determine if the entry is present in DNS cache?

A. nslookup -fullrecursive update.antivirus.com

B. dnsnooping –rt update.antivirus.com
C. nslookup -norecursive update.antivirus.com
D. dns --snoop update.antivirus.com

Correct Answer: C
QUESTION 74
You are working as a Security Analyst in a company XYZ that owns the whole subnet range of 23.0.0.0/8 and
192.168.0.0/8.

While monitoring the data, you find a high number of outbound connections. You see that IP’s owned by XYZ
(Internal) and private IP’s are communicating to a Single Public IP. Therefore, the Internal IP’s are sending
data to the Public IP.

After further analysis, you find out that this Public IP is a blacklisted IP, and the internal communicating devices
are compromised.

What kind of attack does the above scenario depict?

A. Botnet Attack
B. Spear Phishing Attack
C. Advanced Persistent Threats
D. Rootkit Attack

Correct Answer: A

QUESTION 75
Which of the following is an adaptive SQL Injection testing technique used to discover coding errors by
inputting massive amounts of random data and observing the changes in the output?

A. Function Testing
B. Dynamic Testing
C. Static Testing
D. Fuzzing Testing

Correct Answer: D

QUESTION 76
Some clients of TPNQM SA were redirected to a malicious site when they tried to access the TPNQM main
site. Bob, a system administrator at TPNQM SA, found that they were victims of DNS Cache Poisoning.
What should Bob recommend to deal with such a threat?

A. The use of security agents in clients’ computers

B. The use of DNSSEC
C. The use of double-factor authentication
D. Client awareness

Correct Answer: B

QUESTION 77
In which of the following password protection technique, random strings of characters are added to the
password before calculating their hashes?

A. Keyed Hashing
B. Key Stretching
C. Salting
D. Double Hashing

Correct Answer: C

QUESTION 78
Which Nmap option would you use if you were not concerned about being detected and wanted to perform a
very fast scan?

A. –T0
B. –T5
C. -O
D. -A

Correct Answer: B

QUESTION 79
Which of the following provides a security professional with most information about the system’s security
posture?

A. Wardriving, warchalking, social engineering

B. Social engineering, company site browsing, tailgating
C. Phishing, spamming, sending trojans
D. Port scanning, banner grabbing, service identification

Correct Answer: D

QUESTION 80
What is the most common method to exploit the “Bash Bug” or “ShellShock" vulnerability?

A. Manipulate format strings in text fields

B. SSH
C. SYN Flood
D. Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment
variable to a vulnerable Web server

Correct Answer: D

QUESTION 81
What term describes the amount of risk that remains after the vulnerabilities are classified and the
countermeasures have been deployed?

A. Deferred risk
B. Impact risk
C. Inherent risk
D. Residual risk

Correct Answer: D

QUESTION 82
A hacker has managed to gain access to a Linux host and stolen the password file from /etc/passwd. How can
he use it?

A. The file reveals the passwords to the root user only.

B. The password file does not contain the passwords themselves.
C. He cannot read it because it is encrypted.
D. He can open it and read the user ids and corresponding passwords.

Correct Answer: B
QUESTION 83
A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless
access point. The computer is able to transfer files locally to other machines, but cannot successfully reach the
Internet. When the technician examines the IP address and default gateway they are both on the
192.168.1.0/24. Which of the following has occurred?

A. The computer is not using a private IP address.

B. The gateway is not routing to a public IP address.
C. The gateway and the computer are not on the same network.
D. The computer is using an invalid IP address.

Correct Answer: B

QUESTION 84
Chandler works as a pen-tester in an IT-firm in New York. As a part of detecting viruses in the systems, he
uses a detection method where the anti-virus executes the malicious codes on a virtual machine to simulate
CPU and memory activities.
Which type of virus detection method did Chandler use in this context?

A. Heuristic Analysis
B. Code Emulation
C. Integrity checking
D. Scanning

Correct Answer: B

QUESTION 85
An attacker scans a host with the below command. Which three flags are set? (Choose three.)

#nmap –sX host.domain.com

A. This is ACK scan. ACK flag is set

B. This is Xmas scan. SYN and ACK flags are set
C. This is Xmas scan. URG, PUSH and FIN are set
D. This is SYN scan. SYN flag is set

Correct Answer: C

QUESTION 86
Due to a slowdown of normal network operations, the IT department decided to monitor internet traffic for all of
the employees. From a legal standpoint, what would be troublesome to take this kind of measure?

A. All of the employees would stop normal work activities

B. IT department would be telling employees who the boss is
C. Not informing the employees that they are going to be monitored could be an invasion of privacy.
D. The network could still experience traffic slow down.

Correct Answer: C

QUESTION 87
Which component of IPsec performs protocol-level functions that are required to encrypt and decrypt the
packets?

A. Internet Key Exchange (IKE)

B. Oakley
C. IPsec Policy Agent
D. IPsec driver

Correct Answer: A

QUESTION 88
An attacker, using a rogue wireless AP, performed an MITM attack and injected an HTML code to embed a
malicious applet in all HTTP connections.
When users accessed any page, the applet ran and exploited many machines.
Which one of the following tools the hacker probably used to inject HTML code?

A. Wireshark
B. Ettercap
C. Aircrack-ng
D. Tcpdump

Correct Answer: B

QUESTION 89
You are monitoring the network of your organizations. You notice that:

1. There are huge outbound connections from your Internal Network to External IPs
2. On further investigation, you see that the external IPs are blacklisted
3. Some connections are accepted, and some are dropped
4. You find that it is a CnC communication

Which of the following solution will you suggest?

A. Block the Blacklist IP’s @ Firewall

B. Update the Latest Signatures on your IDS/IPS
C. Clean the Malware which are trying to Communicate with the External Blacklist IP’s
D. Both B and C

Correct Answer: D

QUESTION 90
Security Policy is a definition of what it means to be secure for a system, organization or other entity. For
Information Technologies, there are sub-policies like Computer Security Policy, Information Protection Policy,
Information Security Policy, network Security Policy, Physical Security Policy, Remote Access Policy, and User
Account Policy.

What is the main theme of the sub-policies for Information Technologies?

A. Availability, Non-repudiation, Confidentiality

B. Authenticity, Integrity, Non-repudiation
C. Confidentiality, Integrity, Availability
D. Authenticity, Confidentiality, Integrity

Correct Answer: C

QUESTION 91
Which of the following antennas is commonly used in communications for a frequency band of 10 MHz to VHF
and UHF?

A. Omnidirectional antenna
B. Dipole antenna
C. Yagi antenna
D. Parabolic grid antenna

Correct Answer: C

QUESTION 92
Why should the security analyst disable/remove unnecessary ISAPI filters?

A. To defend against social engineering attacks

B. To defend against webserver attacks
C. To defend against jailbreaking
D. To defend against wireless attacks

Correct Answer: B

QUESTION 93
Which of the following security policies defines the use of VPN for gaining access to an internal corporate
network?

A. Network security policy

B. Information protection policy
C. Access control policy
D. Remote access policy

Correct Answer: D

QUESTION 94
To determine if a software program properly handles a wide range of invalid input, a form of automated testing
can be used to randomly generate invalid input in an attempt to crash the program.

What term is commonly used when referring to this type of testing?

A. Randomizing
B. Bounding
C. Mutating
D. Fuzzing

Correct Answer: D

QUESTION 95
If you want only to scan fewer ports than the default scan using Nmap tool, which option would you use?

A. -sP
B. -P
C. -r
D. -F

Correct Answer: D

QUESTION 96
In Risk Management, how is the term "likelihood" related to the concept of "threat?"

A. Likelihood is the likely source of a threat that could exploit a vulnerability.

B. Likelihood is the probability that a threat-source will exploit a vulnerability.
C. Likelihood is a possible threat-source that may exploit a vulnerability.
D. Likelihood is the probability that a vulnerability is a threat-source.

Correct Answer: B

QUESTION 97
Which of the following statements is TRUE?

A. Sniffers operate on Layer 2 of the OSI model

B. Sniffers operate on Layer 3 of the OSI model
C. Sniffers operate on both Layer 2 & Layer 3 of the OSI model.
D. Sniffers operate on the Layer 1 of the OSI model.

Correct Answer: A

QUESTION 98
What is the least important information when you analyze a public IP address in a security alert?

A. ARP
B. Whois
C. DNS
D. Geolocation

Correct Answer: A

QUESTION 99
You are the Network Admin, and you get a compliant that some of the websites are no longer accessible. You
try to ping the servers and find them to be reachable. Then you type the IP address and then you try on the
browser, and find it to be accessible. But they are not accessible when you try using the URL.
What may be the problem?

A. Traffic is Blocked on UDP Port 53

B. Traffic is Blocked on UDP Port 80
C. Traffic is Blocked on UDP Port 54
D. Traffic is Blocked on UDP Port 80

Correct Answer: A

QUESTION 100
Internet Protocol Security IPSec is actually a suite of protocols. Each protocol within the suite provides different
functionality. Collective IPSec does everything except.

A. Work at the Data Link Layer

B. Protect the payload and the headers
C. Encrypt
D. Authenticate

Correct Answer: A

QUESTION 101
On performing a risk assessment, you need to determine the potential impacts when some of the critical
business process of the company interrupt its service. What is the name of the process by which you can
determine those critical business?
A. Risk Mitigation
B. Emergency Plan Response (EPR)
C. Disaster Recovery Planning (DRP)
D. Business Impact Analysis (BIA)

Correct Answer: D

QUESTION 102
Assume a business-crucial web-site of some company that is used to sell handsets to the customers
worldwide. All the developed components are reviewed by the security team on a monthly basis. In order to
drive business further, the web-site developers decided to add some 3 rd party marketing tools on it. The tools
are written in JavaScript and can track the customer’s activity on the site. These tools are located on the
servers of the marketing company.
What is the main security risk associated with this scenario?

A. External script contents could be maliciously modified without the security team knowledge
B. External scripts have direct access to the company servers and can steal the data from there
C. There is no risk at all as the marketing services are trustworthy
D. External scripts increase the outbound company data traffic which leads greater financial losses

Correct Answer: A

QUESTION 103
What type of analysis is performed when an attacker has partial knowledge of inner-workings of the
application?

A. Black-box
B. Announced
C. White-box
D. Grey-box

Correct Answer: D

QUESTION 104
Bob finished a C programming course and created a small C application to monitor the network traffic and
produce alerts when any origin sends “many” IP packets, based on the average number of packets sent by all
origins and using some thresholds.
In concept, the solution developed by Bob is actually:

A. Just a network monitoring tool

B. A signature-based IDS
C. A hybrid IDS
D. A behavior-based IDS

Correct Answer: A

QUESTION 105
Which of the following is a low-tech way of gaining unauthorized access to systems?

A. Scanning
B. Sniffing
C. Social Engineering
D. Enumeration
Correct Answer: C

QUESTION 106
When tuning security alerts, what is the best approach?

A. Tune to avoid False positives and False Negatives

B. Rise False positives Rise False Negatives
C. Decrease the false positives
D. Decrease False negatives

Correct Answer: A

QUESTION 107
In an internal security audit, the white hat hacker gains control over a user account and attempts to acquire
access to another account's confidential files and information. How can he achieve this?

A. Privilege Escalation
B. Shoulder-Surfing
C. Hacking Active Directory
D. Port Scanning

Correct Answer: A

QUESTION 108
Which regulation defines security and privacy controls for Federal information systems and organizations?

A. HIPAA
B. EU Safe Harbor
C. PCI-DSS
D. NIST-800-53

Correct Answer: D

QUESTION 109
Your company performs penetration tests and security assessments for small and medium-sized business in
the local area. During a routine security assessment, you discover information that suggests your client is
involved with human trafficking.

What should you do?

A. Confront the client in a respectful manner and ask her about the data.
B. Copy the data to removable media and keep it in case you need it.
C. Ignore the data and continue the assessment until completed as agreed.
D. Immediately stop work and contact the proper legal authorities.

Correct Answer: D

QUESTION 110
You are a security officer of a company. You had an alert from IDS that indicates that one PC on your Intranet
is connected to a blacklisted IP address (C2 Server) on the Internet. The IP address was blacklisted just before
the alert. You are staring an investigation to roughly analyze the severity of the situation. Which of the following
is appropriate to analyze?

A. Event logs on the PC

B. Internet Firewall/Proxy log
C. IDS log
D. Event logs on domain controller

Correct Answer: B

QUESTION 111
Identify the UDP port that Network Time Protocol (NTP) uses as its primary means of communication?

A. 123
B. 161
C. 69
D. 113

Correct Answer: A

QUESTION 112
It has been reported to you that someone has caused an information spillage on their computer. You go to the
computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What step in
incident handling did you just complete?

A. Discovery
B. Recovery
C. Containment
D. Eradication

Correct Answer: C

QUESTION 113
Which of the following cryptography attack is an understatement for the extraction of cryptographic secrets
(e.g. the password to an encrypted file) from a person by a coercion or torture?

A. Chosen-Cipher text Attack

B. Ciphertext-only Attack
C. Timing Attack
D. Rubber Hose Attack

Correct Answer: D

QUESTION 114
In cryptanalysis and computer security, 'pass the hash' is a hacking technique that allows an attacker to
authenticate to a remote server/service by using the underlying NTLM and/or LanMan hash of a user's
password, instead of requiring the associated plaintext password as is normally the case.
Metasploit Framework has a module for this technique: psexec. The psexec module is often used by
penetration testers to obtain access to a given system whose credentials are known. It was written by
sysinternals and has been integrated within the framework. The penetration testers successfully gain access to
a system through some exploit, use meterpreter to grab the passwords or other methods like fgdump,
pwdump, or cachedump and then utilize rainbowtables to crack those hash values.

Which of the following is true hash type and sort order that is used in the psexec module's 'smbpass' option?

A. LM:NT
B. NTLM:LM
C. NT:LM
D. LM:NTLM
Correct Answer: A

QUESTION 115
You are looking for SQL injection vulnerability by sending a special character to web applications. Which of the
following is the most useful for quick validation?

A. Double quotation
B. Backslash
C. Semicolon
D. Single quotation

Correct Answer: D

QUESTION 116
A virus that attempts to install itself inside the file it is infecting is called?

A. Tunneling virus
B. Cavity virus
C. Polymorphic virus
D. Stealth virus

Correct Answer: B

QUESTION 117
Bob, a system administrator at TPNQM SA, concluded one day that a DMZ is not needed if he properly
configures the firewall to allow access just to servers/ports, which can have direct internet access, and block
the access to workstations.
Bob also concluded that DMZ makes sense just when a stateful firewall is available, which is not the case of
TPNQM SA.
In this context, what can you say?

A. Bob can be right since DMZ does not make sense when combined with stateless firewalls
B. Bob is partially right. He does not need to separate networks if he can create rules by destination IPs, one
by one
C. Bob is totally wrong. DMZ is always relevant when the company has internet servers and workstations
D. Bob is partially right. DMZ does not make sense when a stateless firewall is available

Correct Answer: C

QUESTION 118
Sam is working as s pen-tester in an organization in Houston. He performs penetration testing on IDS in order
to find the different ways an attacker uses to evade the IDS. Sam sends a large amount of packets to the
target IDS that generates alerts, which enable Sam to hide the real traffic. What type of method is Sam using
to evade IDS?

A. Denial-of-Service
B. False Positive Generation
C. Insertion Attack
D. Obfuscating

Correct Answer: B

QUESTION 119
Cross-site request forgery involves:
A. A request sent by a malicious user from a browser to a server
B. Modification of a request by a proxy between client and server
C. A browser making a request to a server without the user’s knowledge
D. A server making a request to another server without the user’s knowledge

Correct Answer: C

QUESTION 120

What does the option * indicate?

A. s
B. t
C. n
D. a

Correct Answer: C

QUESTION 121
An Internet Service Provider (ISP) has a need to authenticate users connecting via analog modems, Digital
Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay
network.
Which AAA protocol is the most likely able to handle this requirement?

A. DIAMETER
B. RADIUS
C. TACACS+
D. Kerberos

Correct Answer: B

QUESTION 122
What network security concept requires multiple layers of security controls to be placed throughout an IT
infrastructure, which improves the security posture of an organization to defend against malicious attacks or
potential vulnerabilities?
What kind of Web application vulnerability likely exists in their software?

A. Host-Based Intrusion Detection System

B. Security through obscurity
C. Defense in depth
D. Network-Based Intrusion Detection System

Correct Answer: C

QUESTION 123
During the process of encryption and decryption, what keys are shared?

A. Private keys
B. User passwords
C. Public keys
D. Public and private keys

Correct Answer: C

QUESTION 124
How does the Address Resolution Protocol (ARP) work?

A. It sends a request packet to all the network elements, asking for the domain name from a specific IP.
B. It sends a request packet to all the network elements, asking for the MAC address from a specific IP.
C. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP.
D. It sends a reply packet for a specific IP, asking for the MAC address.

Correct Answer: B

QUESTION 125
Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?

A. AH promiscuous
B. ESP confidential
C. AH Tunnel mode
D. ESP transport mode

Correct Answer: D