Answers to Practice Exam Questions

A1:

1. D. Sending a bogus email is one way to find out more about internal servers, gather additional IP addresses, and learn how they treat mail. Answer A is incorrect, as this will not allow you to determine the holder of the root account. Answer B is incorrect, as this will not tell you if the mail server is vulnerable to a relay attack. Answer C is incorrect, as bounced email will not normally trigger an IDS. For more information, see Chapter 3.

A2:

2. C. Dynamic random ports range from 4915265535. Most established well-known applications range from 01023. Answers A, B, and D are incorrect because well-known ports range from 01023, registered ports range from 102449151, and dynamic ports range from 4915265535. For more information, see Chapter 3.

A3:

3. C. This command is used for banner grabbing. Banner grabbing helps identify the service and version of the web server running. Answer A is incorrect, as this command will not return the web server's home page. Answer B is incorrect because it will not open a backdoor on the IP address specified. Answer D is incorrect, as this command will not allow an attacker to determine if there is a SQL server at the target IP address. For more information, see Chapter 3.

A4:

4. D. An ACK scan would be the best choice to determine if stateless inspection is being used. If there is an ACL in place, the ACK would be allowed to pass. Answer A is incorrect because an XMAS scan is not used to bypass stateless inspection. It uses an abnormal flag setting. Answer B is incorrect, as an idle scan requires a third idle device and is used because it is considered stealthy. Answer C is incorrect, as a stealth scan simply performs the first two steps of the three-step handshake. For more information, see Chapter 3.

   
A5:

5. C. The TTL is the value that would determine how long cache poisoning would last. It is typically found in the SOA record. Answer A is incorrect, as the A record maps a hostname to its IP address. Answer B is incorrect because the CNAME is an alias. Answer D is incorrect because the MX record maps to mail exchange servers. For more information, see Chapter 3.

A6:

6. D. Beast uses port 6666 and is considered unique because it uses injection technology. Answer A is incorrect, as Subseven uses port 6711. Answer B is incorrect because NetBus uses port 12345, and answer C is incorrect because Amitis uses port 27551. For more information, see Chapter 6.

A7:

7. D. Wrappers are used to package covert programs with overt programs. They act as a type of file joiner program or installation packager program. Answer A is incorrect because wrappers do not tunnel programs. An example of a tunneling program would be Loki. Answer B is incorrect, as wrappers are not used to cause a Trojan to execute when previewed in email; the user must be tricked into running the program. Answer C is incorrect because wrappers are not used as back-doors. A backdoor program allows unauthorized users to access and control a computer or a network without normal authentication. For more information, see Chapter 6.

A8:

8. A. Loki is a Trojan that opens and can be used as a backdoor to a victim's computer by using ICMP. Answer B is incorrect because Loki does not use UDP port 69 by default. Answer C is incorrect because Loki does not use TCP port 80 by default. Answer D is incorrect because Loki does not use IGRP. For more information, see Chapter 6.

A9:

9. A. Netstat -an would be the proper syntax. The -a displays all connections and listening ports. The -n displays addresses and port numbers in numerical form. Answer B is incorrect, as -r displays the routing table. Answer C is incorrect because -p shows connections for a specific protocol, although none was specified in the answer. Answer D is incorrect, as -s displays per-protocol statistics. By default, statistics are shown for TCP, UDP, and IP. For more information, see Chapter 6.

A10:

10. D. NetBus uses port 12345 by default. Answers A, B, and C are incorrect because Donald Dick uses 23476, BOK uses port 31337, and Subseven uses port 6711. For more information, see Chapter 6.

A11:

11. D. 18 USC 1029 makes it a crime to knowingly and intentionally use cellular telephones that are altered or have been cloned. Answer A is incorrect because 18 USC 2701 addresses access to electronic information, answer B is incorrect because 18 USC 2511 addresses interception of data, and answer C is incorrect because 18 USC 2319 addresses copyright issues. For more information, see Chapter 9.

A12:

12. C. The SSID is a 32-bit character identifier attached to the header of wireless packets that are sent over a wireless LAN. Because the SSID can be sniffed in clear text from the packet, it does not provide any real security. The SSID is used to differentiate one network from another and is used to identify the network. Answer A is incorrect because SSIDs are case sensitive, answer B is incorrect because SSIDs are 32 bits, not 24, and answer D is incorrect because, as mentioned, they are case sensitive and are not 24 bits. For more information, see Chapter 9.

   
A13:

13. A. WEP encrypts the wireless packet but not the header; therefore, the MAC addresses will still be visible. Answer B is incorrect, as the IP header will be encrypted. Answer C is incorrect, as the FTP data will be encrypted. Answer D is incorrect, as WEP will not make the network secure from DoS attacks. A hacker can still jam the network or even launch a deauthentication attack against one of the clients. For more information, see Chapter 9.

A14:

14. D. EAP-MD5 does not provide server authentication. Answers A, B, and C are incorrect because they do provide this capability. LEAP does so by password hash, and PEAP and EAP-TLS provide authentication with public key technology. For more information, see Chapter 9.

A15:

15. C. RedFang is used to scan for Bluetooth devices. Answer A is incorrect because Airsnort is an 802.11 wireless tool. Answer B is incorrect, as Aeropeek is a Windows 802.11 wireless sniffer. Answer D is incorrect because Netstumbler is used to find 802.11 wireless devices, not Bluetooth devices. For more information, see Chapter 9.

A16:

16. C. The commercial application of steganography lies mainly in the use of digital watermark. A digital watermark acts as a type of digital fingerprint and can verify proof of source. Answer A is incorrect because copyrighting the picture would allow her protection, but it might not be enough to prove that the stolen digital photos are hers. Answer B is incorrect, as steganography is the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of their existence. Answer D is incorrect because a digital certificate would not prove ownership of the files. For more information, see Chapter 12.

A17:

17. B. Programs, such as Tripwire, MD5sum, and Windows System File, all rely on hashing. Hashing is performed to verify integrity. Answer A is incorrect because digital certificates are not used by Tripwire, MD5sum, and Windows System File Protection. Digital certificates provide authentication. Answer C is incorrect, as digital signatures provide non-repudiation and are not used in the hashing process. Answer D is incorrect, as steganography is used for file hiding. For more information, see Chapter 12.

A18:

18. C. The output of an MD5sum is 32 characters long. An example is shown here: 4145bc316b0bf78c2194b4d635f3bd27. All other answers are incorrect because they do not correctly specify the character length of an MD5sum. For more information, see Chapter 12.

A19:

19. A. UUencode was developed to aid in the transport of binary images via email. Answer B is incorrect, as Simple Mail Transport Protocol (SMTP) is not an encoding method; it used to send standard email. Answer C is incorrect because XOR is not commonly used to encode email, although it is used for weak password management. Answer D is incorrect because Base64 is not used for email; it is primarily used for weak password management. For more information, see Chapter 12.

A20:

20. A. MD5 produces a 128-bit hash value. Answer B is incorrect, as 3DES is a symmetric algorithm. Answer C is incorrect because SHA-1 is a hashing algorithm, although it produces a 160-bit hash value. Answer D is incorrect because AES is the advanced encryption standard, which is a symmetric algorithm chosen to replace DES. For more information, see Chapter 12.

A21:

21. B. A cookie file resides on a client system and can contain data passed from websites so that web-sites can communicate with this file when the same client returns. Cookie files have caused some issues with respect to privacy because they can be used with form authentication and they can contain passwords. Answers A, C, and D are incorrect. Even though they all relate to a cookie, they do not specifically address the security risks to the user. For more information, see Chapter 8.

   
A22:

22. C. This script is insecure because it allows anyone with a username of customer and a password of solutions to access the customer.html web page. Anyone reading the source code could determine this information. Answer A is incorrect because no PKI is used here, only security by obscurity. Answer B is incorrect because it is part of a page for authentication users. Answer D is incorrect because there are problems, as anyone viewing the source code can see the username and password in clear text. For more information, see Chapter 8.

A23:

23. A. The WAP gateway is a critical junction because encrypted messages from end customers must be decrypted for transmission to the Internet. If the hacker could hack the gateway, all the data traffic would be exposed. WTLS provides authentication, privacy, and integrity SSL protects users from sniffing attacks on the Internet, which limits disclosure of the customer's information. Answer B is incorrect, as sniffing in front of the server would only provide encrypted traffic. Answer C is incorrect, as the laptop would not be useful without a username and password. Answer D is incorrect, as the wireless transmission is encrypted. For more information, see Chapter 9.

A24:

24. D. The true administrator account has a RID of 500. Therefore, answers A, B, and C are incorrect. For more information, see Chapter 4.

A25:

25. B. The most common definition of a rogue access point is an access point that was set up without permission by the network owners to allow individuals to capture users' wireless MAC addresses. Answer A is incorrect because wardriving is the act of searching for wireless points. Answer C is incorrect, as the purpose of a DoS is specifically to deny service, not to capture information. Answer D is incorrect because Bluejacking involves Bluetooth connections. For more information, see Chapter 9.

A26:

26. B. By using a write-once CD that cannot be overwritten, the logs are much safer. Answers A, C, and D are incorrect, as write protecting the system log does little to prevent a hacker from deleting or modifying logs because the superuser or administrator can override the write protection. Backup and mirroring could overwrite earlier files and might not be current. Storing the backup does not prevent tampering. For more information, see Chapter 5.

A27:

27. D. Authentication is not one of the items that is part of the three building blocks of security. Answers A, B, and C are incorrect because they are part of the three basic security items. There are many ways in which security can be achieved, although it's universally agreed that confidentiality, integrity, and availability (CIA) form the basic building blocks of any good security initiative. For more information, see Chapter 1.

A28:

28. A. A phreaker is a hacker who is skilled in manipulating the phone system. Answers B, C, and D are incorrect, as phreakers don't specialize in social engineering, VoIP, or cryptography. For more information, see Chapter 1.

A29:

29. B. A threat is any agent, condition, or circumstance that could potentially cause harm, loss, or damage. Answers A, C, and D are incorrect because risk is the probability or likelihood of the occurrence or realization of a threat. A vulnerability is a weakness in the system design, implementation, software, code, or other mechanism. An exploit refers to a piece of software, tool, or technique that takes advantage of a vulnerability, which leads to privilege escalation, loss of integrity, or denial of service on a computer system. For more information, see Chapter 1.

   
A30:

30. C. Using a firewall as well as encrypted data is the best example of defense in-depth. Answer A is incorrect because firewalls alone are not an example of defense in-depth. Answer B is incorrect because even though it is a good idea to ensure that a computer center is not marked, it is not an example of defense in-depth. Answer D is incorrect because using firewalls by different vendors is a good example of layered firewall security, and defense in-depth would best be assured if you had both firewall and logical controls. For more information, see Chapter 1.

A31:

31. B. Sections 1029 and 1030 are the main federal statutes that address computer hacking under U.S. Federal Law. Answers A, C, and D are incorrect, as Sections 2510 and 2701 are part of the Electronic Communication Privacy Act and address information in storage and in transit. For more information, see Chapter 1.

A32:

32. B. False-negative reporting of uncovered weaknesses means that potential vulnerabilities in the network are not identified and might not be addressed. This would leave the network vulnerable to attack from malicious hackers. Answer A is incorrect because false positives would indicate that defenses are in place but are weak and should be checked. Answer C is incorrect, as non-specific reporting features would not be as serious a discovery as false negatives. Answer D is incorrect, as many vulnerability scanners run only from a specific platform and are not as important as false negatives. For more information, see Chapter 5.

A33:

33. B. After the SAM has been extracted, you can examine the rightmost portion of the hash. Padding on a password is used when passwords are fewer than eight characters long. Therefore, answers A, C, and D are incorrect. For more information, see Chapter 4.

A34:

34. A. Wget is used to retrieve HTTP, HTTPS, and FTP files and data. Answers B, C, and D are incorrect because pwdump is used to extract the SAM, dumpsec is used for examining user account details on a Windows system, and Achilles is used to proxy web pages. For more information, see Chapter 8.

A35:

35. D. Regional registries maintain records from the areas from which they govern. RIPE is responsible for domains served within Europe and therefore would be a good starting point for a .fr domain. Answers A, B, and C are incorrect because AfriNIC is a proposed registry for Africa, ARIN is for North and South America, and APNIC is for Asian and Pacific countries. For more information, see Chapter 8.

A36:

36. D. Reconnaissance is considered a passive information gathering method. Answers A, B, and C are incorrect because maintaining access is not a passive step; it is active. Maintaining access can be achieved if you use rootkits and sniffers. Covering tracks is also an active attack, as the hacker seeks to hide his activities. For more information, see Chapter 2.

A37:

37. D. Packet filters cannot keep up with transaction state; therefore, the ACK packets would easily pass. Answer A is incorrect, as not enough information is given to determine if the systems are all Windows based. Answer B is incorrect because not enough information is given to determine if the organization is using an IDS. Answer C is incorrect, as not enough information is given to determine if the systems are all UNIX based. For more information, see Chapter 3.

A38:

38. B. Encryption is the most secure method to ensure the security of information in transit. Answers A, C, and D are incorrect because they are all less secure methods and still leave open the possibility of interception of traffic. For more information, see Chapter 12.

   
A39:

39. C. Cryptcat is an encrypted version of netcat. Answers A, B, and D are incorrect because v is verbose, -p is for port number, and e is for execute. None of the options will make the traffic more secure to sniffing. For more information, see Chapter 12.

A40:

40. B. Paper shredders are an easy option to implement to prevent dumpster divers from retrieving sensitive information. Although answers A, C, and D are all important, shredding is the easiest and most effective fix from the choices given. For more information, see Chapter 13.

A41:

41. D. Packet replay is a combination of passive and active attacks that can be used to inject packets into the network. Answers A, B, and C are incorrect because eavesdropping is the act of sniffing, message modification is the act of altering a message, and a brute force attack attempts to use all possible combinations. For more information, see Chapter 7.

A42:

42. A. A IDS system can detect a SYN flood, as there will be a large number of SYN packets appearing on the network without corresponding ACK responses. Answers B, C, and D are incorrect because the source and target IP and port will not be the same, and segment size is not the determining factor in a SYN attack. For more information, see Chapter 7.

A43:

43. C. TCP port 53 is used for zone transfers. Therefore, answers A, B, and D are incorrect. Port 79 is used by finger, and UDP 53 is usually used for lookups. For more information, see Chapter 3.

A44:

44. B. In Figure PE.1, the packet shown is targeted to the broadcast address of ff ff ff ff ff ff. Answers A, C, and D are incorrect, as it is not a multicast that would begin with an 01; it is not the default gateway, as that is now a broadcast address, and it is not c0 A8 7B 65. That is the IP address of the originator, 192.168.123.101. For more information, see Chapter 7.

Figure PE.1. Packet capture.

A45:

45. C. Non-repudiation is the ability to verify proof of identity. It is used to ensure that a sender of data is provided with proof of delivery and the recipient is assured of the sender's identity. Neither party should be able to deny having sent or received the data at a later date. Answers A, B, and D are incorrect, as asymmetric encryption is used primarily for confidentiality, as is symmetric encryption. Hashing is used for integrity. For more information, see Chapter 12.

A46:

46. B. Your basic padlock that uses a key is a warded lock. These can be picked by inserting a stiff piece of wire or thin strip of metal. They do not provide a high level of security. Answers A, C, and D are incorrect, as cipher, device, and tumbler locks are considered more robust than warded locks. For more information, see Chapter 13.

A47:

47. A. By default, IIS 4.0 (inetinfo.exe) is configured to run in the local System account context. Answers B, C, and D are incorrect, as they do not properly specify the user privilege. For more information, see Chapter 8.

A48:

48. C. An idle scan uses the IP ID number to allow for a truly blind scan of a target. It simply reads the current value of the IP ID to determine if the port was open or closed when the zombie made the probe. Answer A is incorrect, as an idle scan does not tweak the datagram size. Answer B is incorrect, as the TCP segment size is not altered. Answer D is incorrect, as the TCP ACK number is not manipulated during an idle scan. For more information, see Chapter 3.

A49:

49. C. To ensure a sender's authenticity and an email's confidentiality, first encrypt the hash of the message with the sender's private key and then encrypt the message with the receiver's public key. This is the only correct combination; therefore, answers A, B, and D are incorrect. For more information, see Chapter 12.

   
A50:

50. C. MD5 is a hashing algorithm and, as such, is used for integrity; it produces a 128-bit output. Answer A is incorrect, as DES is a symmetric encryption standard. Answer B is incorrect, as Diffie-Hellman is used for key distribution. Answer D is incorrect, as AES is the symmetric standard used to replace DES. For more information, see Chapter 12.

A51:

51. B. Cipher locks can use keypads or smart locks to control access into restricted areas. Answers A, C, and D are incorrect because warded locks are the weakest form of padlock, device locks are used to secure equipment, and tumbler locks are more complex than warded locks and offer greater security. For more information, see Chapter 13.

A52:

52. D. The packet shown in Figure PE.2 is a Windows ping packet. That can be determined by examining the ASCII portion of the packer that displays "a, b, c, d, e, f, g ...". Answers, A, B, and C are incorrect because the ICMP packet was not generated by Loki, it is not a Linux packer, and there is enough information to tell, as the entire packet is shown. For more information, see Chapter 3.

Figure PE.2. Data dump.

A53:

53. C. The first user account has a RID of 1000. Answer A is incorrect because it is not a valid RID. Answer B is incorrect because it is the RID of the administrator. Answer D is incorrect because it is the RID of the second user account. For more information, see Chapter 4.

A54:

54. C. N-Stealth is a Windows-based scanner used to scan on port 80 for web server vulnerabilities. Answer A is incorrect because Nessus runs on Linux; answer B is incorrect because Etheral is a sniffer, not a vulnerability scanner; and answer D is incorrect because Whisker can be run on Linux or Windows clients. For more information, see Chapter 5.

A55:

55. C. Basic64 provides very weak security as it performs encoding, not encryption. Answers A, B, and D are incorrect because DES, RC5, and AES are all much stronger. For more information, see Chapter 12.

A56:

56. D. Eight feet should deter a determined intruder. Three strands of topping of barbed wire can be added and pointed out at a 45° angle. Answers A, B, and C are incorrect. Four and five feet are only causal deterrent, whereas 6 foot is hard to climb. Eight feet is needed for effective security. For more information, see Chapter 12.

A57:

57. B. Loki is a covert channel tool that can be used to set up a covert server and client that will transmit information in ICMP ping packets. Answers A, C, and D are incorrect because Netbus is a Trojan, Fpipe is a port redirection tool, and Sid2User is used for enumeration. For more information, see Chapter 6.

A58:

58. C. A Land DoS sends packets with the same source and destination address. Answers A, B, and D are incorrect, as a ping of death uses large ICMP ping packets, Smurf is targeted to a broadcast address, and Targa is a DDOS attack. For more information, see Chapter 7.

A59:

59. C. There are two basic methods to overcome the functionality of a switch. One of these is ARP poisoning. Answers A, B, and D are incorrect because MAC flooding, ICMP redirection, and IP forwarding are not supported by Cain. For more information, see Chapter 7.

A60:

60. D. RC5 is a block-based symmetric cipher in which the number of rounds can range from 0255, and the key can range from 0 to 2040 bits in size. Answers A, B, and C are incorrect because they are examples of asymmetric algorithms. For more information, see Chapter 12.

   
A61:

61. A. MAC flooding and ARP poisoning are the two ways that switches are attacked for active sniffing. Answers, B, C, and D are incorrect because MAC flooding seeks to overflow the switch's CAM. For more information, see Chapter 12.

A62:

62. C. The most critical item is the involvement of the client organization. It must be involved to determine what kind of test should occur and what the organization's most critical assets are. Answers A, B, and D are incorrect. Even though they are important, management's involvement is the most important. Penetration testing without management approval could reasonably be considered criminal in many jurisdictions. For more information, see Chapter 1.

A63:

63. D. Screensaver passwords are an easy way to ensure end user security. These can be used as a effective security control. Answer A is incorrect because it would be of no help in this situation. Answer B is incorrect because it would not ensure that users actually logged off systems. Answer C is incorrect because it would not prevent the occurrence in the question from happening. For more information, see Chapter 13.

A64:

64. A. A honeypot can be used to lure attackers away from real servers and allow for their detection. Answers B, C, and D are incorrect. Jails are not an adequate description of what is actually a honeypot. An IDS would not help in luring an attacker. A firewall can be used to prevent attacks or to limit access, but will not hold or lure an attacker. For more information, see Chapter 10.

A65:

65. B. Collisions occur when two message digests produce the same hash value. Attackers can use this vulnerability to make an illegitimate item appear genuine. This is not something that should easily occur. Answers A, C, and D are incorrect, as fragments, agreements, and hash completion are not the proper terms for when two message digests produce the same hash value. For more information, see Chapter 12.

A66:

66. B. Piggybacking is the primary way that someone would try to bypass a mantrap. To prevent and detect this, guards and CCTV can be used. Answer A is incorrect because shoulder surfing is done to steal passwords. Answer C is incorrect because spoofing is pretending to be someone else, and answer D is incorrect because lock picking is not the most common way to bypass access. For more information, see Chapter 13.

A67:

67. B. Nmap -sU -p 1-1024 is the proper syntax for performing a Nmap UDP scan. Learning Nmap and its uses are critical for successful completion of the CEH exam. Answers A, C, and D are incorrect because they are not the correct switches. -hU and -u are invalid, and -sS is used for stealth scanning. For more information, see Chapter 3.

A68:

68. D. PortSentry may not be able to pick up an ACK scan as the program is looking for a startup connection sequence. Answer A is incorrect as a fingerprint "-O" scan relies on one open and one closed port. When PostSentry detects such a scan it will block access from the requesting IP address. Answer B is incorrect as PortSentry will detect and log a notice saying this IP has been blocked and will subsequently ignor this activity. Answer C is incorrect as a sO is an IP protocol scan and looks for IP header values.

A69:

69. B. The 24-bit IV field is too small because of this, and key reusage, WEP is vulnerable. Answer A is incorrect because RC4 is not too small. Answer C is incorrect because while 40 bits is not overly strong, it was not cracked in the 1980s. Answer D is incorrect because tools such as WEPCrack must capture millions of packets before it can crack the WEP key. For more information, see Chapter 9.

   
A70:

70. D. In 2002, NIST decided on the replacement for DES. Rijndael was the chosen replacement. Rijndael is an iterated block cipher that supports variable key and block lengths of 128, 192, or 256 bits. Answer A is incorrect because it is a symmetric encryption standard but is not the replacement for DES. Answer B is incorrect because it is an asymmetric encryption standard. Answer incorrect because it is also a asymmetric encryption standard and, as such, is not the replacement for DES. For more information, see Chapter 12.

A71:

71. A. The best defense to having individuals illegally physically enter a facility is by requiring them to be escorted. Answers B, C, and D are incorrect because they are not the best defense, but badges and sign-in sheets are recommended. Searching guests might not be socially or legally acceptable. For more information, see Chapter 13.

A72:

72. A. FHSS is a method of transmission that operates by taking a broad slice of the bandwidth spectrum and dividing it into smaller subchannels of about 1MHz. The transmitter then hops between subchannels, sending out short bursts of data on each subchannel for a short period of time. Answer B is incorrect because WEP is not a transmission method. It is a means of protection. Answer C is incorrect because DSSS is a method of transmission that divides the stream of information to be transmitted into small bits. These bits of data are mapped to a pattern of ratios called a spreading code. Answer D is incorrect, as it is an improved method of protecting wireless transmissions that replaced WEP. For more information, see Chapter 9.

A73:

73. B. C language is one of the languages that is more vulnerable to buffer overflows, and their use may actually increase the chance of buffer overflow. Answers A, C, and D are incorrect because Return Address Defender (RAD), StackGuard, and Immunix are all software products that can be used to defend against buffer overflows. For more information, see Chapter 11.

A74:

74. B. Heuristic scanning examines computer files for irregular or unusual instructions. Therefore, answers A, C, and D are incorrect because integrity checking, activity blocking, and signature scanning do not work in that way. For more information, see Chapter 11.

A75:

75. A. DES electronic code book (ECB) produces the highest throughput but is the easiest form of DES to break. The same plaintext encrypted with the same key will always produce the same ciphertext. CBC, CFM, and OFB are all more secure; therefore, answers B, C, and D are incorrect. For more information, see Chapter 12.

A76:

76. B. Two factor authentication requires that you use two of the three authentication types such as a token, something you have, and a pin, something you know. Answers A, C, and D are incorrect, as each only represents one form of authentication. For more information, see Chapter 12.

A77:

77. C. The output is from an SNMP walk. SNMP is used to remotely manage a network and hosts/devices on the network. It contains a lot of information about each host that probably shouldn't be shared. Answers A, B, and D are incorrect because Nmap scan would not include this type of information, nor would Nessus Solar Winds is used for SNMP discovery but is a GUI tool. For more information, see Chapter 3.

   
A78:

78. B. When using NTFS, a file consists of different data streams. Streams can hold security information, real data, or even a link to information instead of the real data stream. This link allows attackers to hide data that cannot easily be found on an NTFS drive. Answer A is incorrect because a wrapper is used to hide a Trojan; answer C is incorrect because a dropper is used to hide a virus; and answer D is incorrect because the example shown is not a steganographic tool. For more information, see Chapter 4.

A79:

79. B. Your best option would be to replace the original version of ifconfig with a rootkit version. Answer A is incorrect, as a stealth setting will not keep the program from being discovered. Answer C is incorrect, as screen redirection will not help. Answer D is not possible, as ADS is only on Windows NTFS drives. For more information, see Chapter 5.

A80:

80. A. Toneloc is a wardialing program, whereas Kismet and Netstumbler are used for wardriving. Superscan is a port scanning program. For more information, see Chapter 9.

A81:

81. D. Tripwire is a file integrity program and, as such, makes answers A, B, and C incorrect. For more information, see Chapter 10.

A82:

82. D. The net use statement shown in this question is used to establish a null session. This will enable more information to be extracted from the server. Answer A is incorrect because it is not used to attack the passwd file. Answer B is incorrect because it is not used to steal the SAM. Answer C is incorrect because it is not used to probe a Linux server. For more information, see Chapter 4.

A83:

83. D. Linux passwords are encrypted with symmetric passwords; therefore, answer D is correct. Answers A, B, and C are incorrect DES, MD5, or Blowfish are valid password encryption types. For more information, see Chapter 5.

A84:

84. B. PHF is a cgi program that came with many web servers such as Apache. It had a parsing problem such that you could execute arbitrary commands on the web server host as the web server user. Answers A, C, and D are incorrect because a PHF attack does not DoS the server, is not a vulnerability in IIs, and does not target SQL. For more information, see Chapter 8.

A85:

85. A. This is an example of a directory traversal attack. It is not a buffer overflow, .+htr, or MS Blaster; therefore answers B, C, and D are incorrect. For more information, see Chapter 8.

A86:

86. B. DES has an effective key length of 56 bits; eight bits are used for parity As it is symmetric encryption, it uses the same key to encrypt and decrypt. Answers A, C, and D are incorrect because DES does not use a 48-, 64-, or 128-bit key. For more information, see Chapter 12.

A87:

87. C. The accuracy of a biometric device is going to be determined by several items. The false rejection rate (FRR), which is the number of times a legitimate user is denied access. Its false acceptance rate (FAR) is the number of times unauthorized individuals can gain access. The point on a graph at which these two measurements meet is known as the crossover error rate (CER). The lower the CER, the better. Therefore, answers A, B, and D are incorrect. For more information, see Chapter 13.

A88:

88. D. The SOA includes a timeout value Among other things, this informs a hacker how long DNS poisoning would last 2400 seconds is 40 minutes. Answers A, B, and C are incorrect because those fields do not display the timeout value. For more information, see Chapter 2.

A89:

89. C. The SSID is set on the wireless AP and broadcast to all wireless devices in range. Answers A, B, and D are incorrect. The SSID is not 32 bits; it is 32 characters: it is not the same on all devices and does not match the MAC. For more information, see Chapter 9.

   
A90:

90. B. The code shown in this question was taken from a WUFTP buffer overflow program. The code is not a hex dump, which should be visible, as it is C code; it is not an encrypted file and is not used for password cracking; therefore, A, C, and D are incorrect. For more information, see Chapter 11.

A91:

91. A. The use of cleartext community strings, such as public and private, is a huge vulnerability of SNMP. Answers B, C, and D are incorrect. SNMP does not use TCP, and is not on in Windows 2003 by default. Being turned off in Windows 2000 would be considered a good thing. For more information, see Chapter 3.

A92:

92. D. Disabling SSID broadcasting adds security by making it more difficult for hackers to find the name of the access point. Answers A, B, and C are incorrect, as disabling WEP, MAC filtering, or LEAP would make the wireless network more vulnerable. For more information, see Chapter 9.

A93:

93. D. When the serial number within the SOA record of the primary server is higher than the serial number in the SOA record of the secondary DNS server, a zone transfer will take place; therefore, answers A, B, and C are incorrect. For more information, see Chapter 2.

A94:

94. B. A type 3 is an ICMP destination unreachable. Answers A, C, and D are incorrect because type 0 is aping, type 5 is a redirect, and type 13 is a timestamp request. For more information, see Chapter 11.

A95:

95. D. Signature scanning antivirus software looks at the beginning and end of executable files for known virus signatures. Answers A, B, and C do not describe that type of scanning. Heuristics looks at usual activity, integrity looks at changes to hash values, and activity blocks known virus activity. For more information, see Chapter 11.

A96:

96. D. Windows 2003 IIS 6.0 is more secure than earlier versions and is configured to run as in the lower access IUSR_Computername account. Answers A, B, and C are incorrect because they do not properly specify the user privilege. For more information, see Chapter 8.

A97:

97. A. Diffie-Hellman was developed for key exchange protocol. It is used for key exchange in Secure Sockets Layer (SSL) and IPSec. It is extremely valuable in that it allows two individuals to exchange keys who have not communicated with each other before. Answers B, C, and D are incorrect because they are not examples of key exchange protocols. For more information, see Chapter 12.

A98:

98. B. When a subject attempts to access an object, the label is examined for a match to the subject's level of clearance. If a match is found, access is allowed. Answers A, C, and D are incorrect because they do not use subjects, objects, and labels. For more information, see Chapter 13.

A99:

99. A. The most likely reason is that the packet filter is blocking ping. This is a common practice with many organizations. Answers B, C, and D are incorrect because UDP is probably not the cause of the problem, the web server would most likely be up, and it is unlikely that this is caused by the TTL. For more information, see Chapter 12.

A100:

100. B. Locks are a preventative control, and although they might not keep someone from breaking in, they do act as a deterrent and slow the potential loss. Answers A, C, and D are incorrect because they are not primarily a detective control. Weak and expanded controls are just distracters. For more information, see Chapter 13.

   
A101:

101. B. Firewalk is a network security tool that attempts to determine what the ruleset is on a firewall. It works by sending out TCP and UDP packets with a TTL configured one greater than the targeted firewall. Answers A, C, and D are incorrect because Firewalk is not used to determine NIC settings, used for buffer overflows, or used for mapping wireless networks. For more information, see Chapter 10.

A102:

102. B. With steganography, messages can be hidden in image files, sound files, or even the whitespace of a document before being sent. Answers A, C, and D are incorrect because they do not describe steganography. For more information, see Chapter 12.

A103:

103. C. Snort is a popular open source IDS service. The rule shown in the question is used to detect if SSH is being used. Locating the target port of 22 should have helped in this summation. Therefore, answers A, B, and D are incorrect because FTP is port 21, Telnet is port 22, and TFTP is port 69. For more information, see Chapter 10.

A104:

104. B. Snort can be a powerful IDS. The rule shown in the question triggers on detection of a Netbus scan. Netbus defaults to port 12345. Answers A, C, and D are incorrect. Subseven, BackOrfice, and DonaldDick do not use that port by default. For more information, see Chapter 10.

A105:

105. A. An access control list implemented on a router is the best choice for a stateless firewall. Most organizations already have the routers in place to perform such services, so this type of protection can be added for little additional cost. Answers B, C, and D are incorrect because they represent more expensive options and offer more than stateless inspection. For more information, see Chapter 10.

A106:

106. C. Worms are replicating programs that can run independently and travel from system to system. Answer A is incorrect because a Trojan typically gives someone else control of the system. Answer B is incorrect because viruses do not run independently. Answer D is incorrect because a dropper is used with a virus. For more information, see Chapter 11.

A107:

107. C. SYSKEY was added in Windows NT (SP3) to add a second layer id 128-bit encryption. As such, answers A, B, and D are incorrect. For more information, see Chapter 4.

A108:

108. B. SQL Injection is a subset of an unverified/unsanitized user input vulnerability. The idea is to convince the application to run SQL code that was not intended. Therefore, answers A, C, and D are incorrect because they do not describe SQL injection. For more information, see Chapter 8.

A109:

109. D. Archive.org maintains the wayback machine that preserves copies of many websites from months or years ago. Answers A, B, and C are incorrect because none of these methods offer much hope in uncovering the needed information. For more information, see Chapter 8.

A110:

110. A. Snow is used to conceal messages in ASCII text by appending whitespace to the end of lines. Spaces and tabs are not usually visible in document viewer programs; therefore, the message is effectively hidden from casual observers. Answer B is incorrect because wget is used to copy web pages. Answer C is incorrect because Blindside is used to hide text in graphics files, and answer D is incorrect because a wrapper is used with Trojans to make their installation easy. For more information, see Chapter 12.

Glossary

Категории