EMT Practice Test

1. Question Content...


Question List

Question1: What are two things that are possible when scanning UDP ports? (Choose two.)

Question2: If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP?

Question3: Which of the following identifies the three modes in which Snort can be configured to run?

Question4: A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites.
77 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets had an ICMP ID:0 and Seq:0. What can you infer from this information?

Question5: A company is using Windows Server 2003 for its Active Directory (AD). What is the most efficient way to crack the passwords for the AD users?

Question6: Which of the following is an extremely common IDS evasion technique in the web world?

Question7: A hacker has successfully infected an internet-facing server which he will then use to send junk mail, take part in coordinated attacks, or host junk email content.
Which sort of trojan infects this server?

Question8: What are the three types of authentication?

Question9: Which of the following conditions must be given to allow a tester to exploit a Cross-Site Request Forgery (CSRF) vulnerable web application?

Question10: Which United States legislation mandates that the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) must sign statements verifying the completeness and accuracy of financial reports?

Question11: What is the name of the international standard that establishes a baseline level of confidence in the security functionality of IT products by providing a set of requirements for evaluation?

Question12: Which of the following is a primary service of the U.S. Computer Security Incident Response Team (CSIRT)?

Question13: It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing, and sharing any electronic medical data to keep patient data secure.
Which of the following regulations best matches the description?

Question14: Which protocol and port number might be needed in order to send log messages to a log analysis tool that resides behind a firewall?

Question15: A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system.
The alert was generated because a large number of packets were coming into the network over ports 20 and 21. During analysis, there were no signs of attack on the FTP servers. How should the administrator classify this situation?

Question16: As an Ethical Hacker you are capturing traffic from your customer network with Wireshark and you need to find and verify just SMTP traffic. What command in Wireshark will help you to find this kind of traffic?

Question17: In many states sending spam is illegal. Thus, the spammers have techniques to try and ensure that no one knows they sent the spam out to thousands of users at a time. Which of the following best describes what spammers use to hide the origin of these types of e-mails?

Question18: Which element of Public Key Infrastructure (PKI) verifies the applicant?

Question19: Under the "Post-attack Phase and Activities", it is the responsibility of the tester to restore the systems to a pre-test state.
Which of the following activities should not be included in this phase? (see exhibit) Exhibit:

Question20: How does an operating system protect the passwords used for account logins?

Question21: Which of the following does proper basic configuration of snort as a network intrusion detection system require?

Question22: In the software security development life cycle process, threat modeling occurs in which phase?

Question23: Jack was attempting to fingerprint all machines in the network using the following Nmap syntax:
invictus@victim_server:~$ nmap -T4 -0 10.10.0.0/24
TCP/IP fingerprinting (for OS scan) xxxxxxx xxxxxx xxxxxxxxx. QUITTING!
Obviously, it is not going through. What is the issue here?

Question24: WPA2 uses AES for wireless data encryption at which of the following encryption levels?

Question25: Attempting an injection attack on a web server based on responses to True/False questions is called which of the following?

Question26: A hacker was able to easily gain access to a website. He was able to log in via the frontend user login form of the website using default or commonly used credentials. This exploitation is an example of what Software design flaw?

Question27: A hacker, who posed as a heating and air conditioning specialist, was able to install a sniffer program in a switched environment network. Which attack could the hacker use to sniff all of the packets in the network?

Question28: What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?

Question29: After gaining access to the password hashes used to protect access to a web based application, knowledge of which cryptographic algorithms would be useful to gain access to the application?

Question30: Which of the following Nmap commands would be used to perform a stack fingerprinting?

Question31: You've just discovered a server that is currently active within the same network with the machine you recently compromised. You ping it but it did not respond. What could be the case?

Question32: Which of the following tools will scan a network to perform vulnerability checks and compliance auditing?

Question33: What is the difference between the AES and RSA algorithms?

Question34: An attacker changes the profile information of a particular user (victim) on the target website. The attacker uses this string to update the victim's profile to a text file and then submit the data to the attacker's database.
<iframe src="http://www.vulnweb.com/updateif.php" style="display:none"></iframe> What is this type of attack (that can use either HTTP GET or HTTP POST) called?

Question35: It is a short-range wireless communication technology intended to replace the cables connecting portable of fixed devices while maintaining high levels of security. It allows mobile phones, computers and other devices to connect and communicate using a short-range wireless connection.
Which of the following terms best matches the definition?

Question36: Pentest results indicate that voice over IP traffic is traversing a network. Which of the following tools will decode a packet capture and extract the voice conversations?

Question37: The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192. In the network the servers are in the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124.
An attacker is trying to find those servers but he cannot see them in his scanning. The command he is using is:
nmap 192.168.1.64/28.
Why he cannot see the servers?

Question38: Which solution can be used to emulate computer services, such as mail and ftp, and to capture information related to logins or actions?

Question39: Which of the following statements is TRUE?

Question40: A consultant has been hired by the V.P. of a large financial organization to assess the company's security posture. During the security testing, the consultant comes across child pornography on the V.P.'s computer. What is the consultant's obligation to the financial organization?

Question41: A hacker is attempting to see which IP addresses are currently active on a network. Which NMAP switch would the hacker use?

Question42: Which protocol is used for setting up secured channels between two devices, typically in VPNs?

Question43: A server has been infected by a certain type of Trojan. The hacker intended to utilize it to send and host junk mails. What type of Trojan did the hacker use?

Question44: Which tool is used to automate SQL injections and exploit a database by forcing a given web application to connect to another database controlled by a hacker?

Question45: What are the three types of compliance that the Open Source Security Testing Methodology Manual (OSSTMM) recognizes?

Question46: Which of the following programming languages is most vulnerable to buffer overflow attacks?

Question47: A Certificate Authority (CA) generates a key pair that will be used for encryption and decryption of email.
The integrity of the encrypted email is dependent on the security of which of the following?

Question48: What mechanism in Windows prevents a user from accidentally executing a potentially malicious batch (.bat) or PowerShell (.ps1) script?

Question49: An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up.
What is the most likely cause?

Question50: Which type of antenna is used in wireless communication?

Question51: Which Metasploit Framework tool can help penetration tester for evading Anti-virus Systems?

Question52: Tess King is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records (delegation for child Domains), zone serial number, TimeToLive (TTL) records, etc) for a Domain.
What do you think Tess King is trying to accomplish? Select the best answer.

Question53: While you were gathering information as part of security assessments for one of your clients, you were able to gather data that show your client is involved with fraudulent activities. What should you do?

Question54: > NMAP -sn 192.168.11.200-215
The NMAP command above performs which of the following?

Question55: A security administrator notices that the log file of the company's webserver contains suspicious entries:

Based on source code analysis, the analyst concludes that the login.php script is vulnerable to

Question56: Which type of cryptography does SSL, IKE and PGP belongs to?

Question57: What network security concept requires multiple layers of security controls to be placed throughout an IT infrastructure, which improves the security posture of an organization to defend against malicious attacks or potential vulnerabilities?

Question58: As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing.
What document describes the specifics of the testing, the associated violations, and essentially protects both the organization's interest and your liabilities as a tester?

Question59: What is the main disadvantage of the scripting languages as opposed to compiled programming languages?

Question60: A certified ethical hacker (CEH) is approached by a friend who believes her husband is cheating. She offers to pay to break into her husband's email account in order to find proof so she can take him to court.
What is the ethical response?

Question61: A zone file consists of which of the following Resource Records (RRs)?

Question62: This phase will increase the odds of success in later phases of the penetration test. It is also the very first step in Information Gathering, and it will tell you what the "landscape" looks like.
What is the most important phase of ethical hacking in which you need to spend a considerable amount of time?

Question63: An IT security engineer notices that the company's web server is currently being hacked. What should the engineer do next?

Question64: An attacker attaches a rogue router in a network. He wants to redirect traffic to a LAN attached to his router as part of a man-in-the-middle attack. What measure on behalf of the legitimate admin can mitigate this attack?

Question65: The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities?

Question66: Which of the following is the structure designed to verify and authenticate the identity of individuals within the enterprise taking part in a data exchange?

Question67: You have compromised a server and successfully gained a root access. You want to pivot and pass traffic undetected over the network and evade any possible Intrusion Detection System.
What is the best approach?

Question68: A security engineer is attempting to map a company's internal network. The engineer enters in the following NMAP command:
NMAP -n -sS -P0 -p 80 ***.***.**.**
What type of scan is this?

Question69: Scenario:
1. Victim opens the attacker's web site.
2. Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make
$1000 in a day?'.
3. Victim clicks to the interesting and attractive content url.
4. Attacker creates a transparent 'iframe' in front of the url which victim attempt to click, so victim thinks that he/she clicks to the 'Do you want to make $1000 in a day?' url but actually he/she clicks to the content or url that exists in the transparent 'iframe' which is setup by the attacker.
What is the name of the attack which is mentioned in the scenario?

Question70: Which of the following items is unique to the N-tier architecture method of designing software applications?

Question71: Which of the following network attacks takes advantage of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack?

Question72: Which of the following is the BEST way to defend against network sniffing?

Question73: Which specific element of security testing is being assured by using hash?

Question74: You have successfully compromised a machine on the network and found a server that is alive on the same network. You tried to ping it but you didn't get any response back.
What is happening?

Question75: Which type of scan is used on the eye to measure the layer of blood vessels?

Question76: Employees in a company are no longer able to access Internet web sites on their computers. The network administrator is able to successfully ping IP address of web servers on the Internet and is able to open web sites by using an IP address in place of the URL. The administrator runs the nslookup command for www.eccouncil.org and receives an error message stating there is no response from the server. What should the administrator do next?

Question77: Which method can provide a better return on IT security investment and provide a thorough and comprehensive assessment of organizational security covering policy, procedure design, and implementation?

Question78: What is the correct process for the TCP three-way handshake connection establishment and connection termination?

Question79: Port scanning can be used as part of a technical assessment to determine network vulnerabilities. The TCP XMAS scan is used to identify listening ports on the targeted system.
If a scanned port is open, what happens?

Question80: An attacker has been successfully modifying the purchase price of items purchased on the company's web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the Intrusion Detection System (IDS) logs and found no attacks that could have caused this. What is the mostly likely way the attacker has been able to modify the purchase price?

Question81: Which of the following will perform an Xmas scan using NMAP?

Question82: During a penetration test, a tester finds a target that is running MS SQL 2000 with default credentials. The tester assumes that the service is running with Local System account. How can this weakness be exploited to access the system?

Question83: A distributed port scan operates by:

Question84: From the two screenshots below, which of the following is occurring?

Question85: A newly discovered flaw in a software application would be considered which kind of security vulnerability?

Question86: The use of technologies like IPSec can help guarantee the following: authenticity, integrity, confidentiality and

Question87: What statement is true regarding LM hashes?

Question88: The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the central processing unit (CPU), rather than passing only the frames that the controller is intended to receive.
Which of the following is being described?

Question89: A certified ethical hacker (CEH) completed a penetration test of the main headquarters of a company almost two months ago, but has yet to get paid. The customer is suffering from financial problems, and the CEH is worried that the company will go out of business and end up not paying. What actions should the CEH take?

Question90: You just set up a security system in your network. In what kind of system would you find the following string of characters used as a rule within its configuration?
alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";)

Question91: How is sniffing broadly categorized?

Question92: Look at the following output. What did the hacker accomplish?

Question93: A security policy will be more accepted by employees if it is consistent and has the support of

Question94: An attacker is using nmap to do a ping sweep and a port scanning in a subnet of 254 addresses.
In which order should he perform these steps?

Question95: While performing ping scans into a target network you get a frantic call from the organization's security team. They report that they are under a denial of service attack. When you stop your scan, the smurf attack event stops showing up on the organization's IDS monitor.
How can you modify your scan to prevent triggering this event in the IDS?

Question96: Todd has been asked by the security officer to purchase a counter-based authentication system. Which of the following best describes this type of system?

Question97: Which of the following is a command line packet analyzer similar to GUI-based Wireshark?

Question98: Which of the following business challenges could be solved by using a vulnerability scanner?

Question99: Which of the following problems can be solved by using Wireshark?

Question100: Internet Protocol Security IPSec is actually a suite of protocols. Each protocol within the suite provides different functionality. Collective IPSec does everything except.

Question101: What is the outcome of the comm"nc -l -p 2222 | nc 10.1.0.43 1234"?

Question102: Which cipher encrypts the plain text digit (bit or byte) one by one?

Question103: The network administrator contacts you and tells you that she noticed the temperature on the internal wireless router increases by more than 20% during weekend hours when the office was closed. She asks you to investigate the issue because she is busy dealing with a big conference and she doesn't have time to perform the task.
What tool can you use to view the network traffic being sent and received by the wireless router?

Question104: Due to a slow down of normal network operations, IT department decided to monitor internet traffic for all of the employees. From a legal stand point, what would be troublesome to take this kind of measure?

Question105: An attacker sniffs encrypted traffic from the network and is subsequently able to decrypt it. The attacker can now use which cryptanalytic technique to attempt to discover the encryption key?

Question106: If there is an Intrusion Detection System (IDS) in intranet, which port scanning technique cannot be used?

Question107: A Network Administrator was recently promoted to Chief Security Officer at a local university. One of employee's new responsibilities is to manage the implementation of an RFID card access system to a new server room on campus. The server room will house student enrollment information that is securely backed up to an off-site location.
During a meeting with an outside consultant, the Chief Security Officer explains that he is concerned that the existing security controls have not been designed properly. Currently, the Network Administrator is responsible for approving and issuing RFID card access to the server room, as well as reviewing the electronic access logs on a weekly basis.
Which of the following is an issue with the situation?

Question108: Which of the following is an example of two factor authentication?

Question109: A recent security audit revealed that there were indeed several occasions that the company's network was breached. After investigating, you discover that your IDS is not configured properly and therefore is unable to trigger alarms when needed. What type of alert is the IDS giving?

Question110: Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. Which of the following is the correct bit size of the Diffie-Hellman (DH) group 5?

Question111: Which of the following guidelines or standards is associated with the credit card industry?

Question112: The precaution of prohibiting employees from bringing personal computing devices into a facility is what type of security control?

Question113: Which of the following is a design pattern based on distinct pieces of software providing application functionality as services to other applications?

Question114: Which Intrusion Detection System is best applicable for large environments where critical assets on the network need extra security and is ideal for observing sensitive network segments?

Question115: Sandra is the security administrator of XYZ.com. One day she notices that the XYZ.com Oracle database server has been compromised and customer information along with financial data has been stolen. The financial loss will be estimated in millions of dollars if the database gets into the hands of competitors.
Sandra wants to report this crime to the law enforcement agencies immediately. Which organization coordinates computer crime investigations throughout the United States?

Question116: The purpose of a __________ is to deny network access to local area networks and other information assets by unauthorized wireless devices.

Question117: Which initial procedure should an ethical hacker perform after being brought into an organization?

Question118: Smart cards use which protocol to transfer the certificate in a secure manner?

Question119: What is the best description of SQL Injection?

Question120: Which DNS resource record can indicate how long any "DNS poisoning" could last?

Question121: Which of the following parameters enables NMAP's operating system detection feature?

Question122: Which of the following settings enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity?

Question123: It is a vulnerability in GNU's bash shell, discovered in September of 2014, that gives attackers access to run remote commands on a vulnerable system. The malicious software can take control of an infected machine, launch denial-of-service attacks to disrupt websites, and scan for other vulnerable devices (including routers).
Which of the following vulnerabilities is being described?

Question124: A botnet can be managed through which of the following?

Question125: Which of the following is the greatest threat posed by backups?

Question126: You have successfully comprised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly.
What is the best nmap command you will use?

Question127: Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?

Question128: You have the SOA presented below in your Zone.
Your secondary servers have not been able to contact your primary server to synchronize information.
How long will the secondary servers attempt to contact the primary server before it considers that zone is dead and stops responding to queries?
collegae.edu.SOA, cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600)

Question129: Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up by and IDS?

Question130: Rebecca commonly sees an error on her Windows system that states that a Data Execution Prevention (DEP) error has taken place. Which of the following is most likely taking place?

Question131: (Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds it to be abnormal. If you were the penetration tester, why would you find this abnormal?
What is odd about this attack? Choose the best answer.

Question132: Which of the following processes of PKI (Public Key Infrastructure) ensures that a trust relationship exists and that a certificate is still valid for specific operations?

Question133: Which of the following algorithms provides better protection against brute force attacks by using a 160-bit message digest?

Question134: A company has hired a security administrator to maintain and administer Linux and Windows-based systems. Written in the nightly report file is the following:
Firewall log files are at the expected value of 4 MB. The current time is 12am. Exactly two hours later the size has decreased considerably. Another hour goes by and the log files have shrunk in size again.
Which of the following actions should the security administrator take?

Question135: A penetration test was done at a company. After the test, a report was written and given to the company's IT authorities. A section from the report is shown below:
Access List should be written between VLANs.

Port security should be enabled for the intranet.

A security solution which filters data packets should be set between intranet (LAN) and DMZ.

A WAF should be used in front of the web applications.

According to the section from the report, which of the following choice is true?

Question136: How can a rootkit bypass Windows 7 operating system's kernel mode, code signing policy?

Question137: Which tool can be used to silently copy files from USB devices?

Question138: Websites and web portals that provide web services commonly use the Simple Object Access Protocol SOAP. Which of the following is an incorrect definition or characteristics in the protocol?

Question139: You want to do an ICMP scan on a remote computer using hping2. What is the proper syntax?

Question140: What is the primary drawback to using advanced encryption standard (AES) algorithm with a 256 bit key to share sensitive data?

Question141: During a wireless penetration test, a tester detects an access point using WPA2 encryption. Which of the following attacks should be used to obtain the key?

Question142: Bob received this text message on his mobile phone: ""Hello, this is Scott Smelby from the Yahoo Bank.
Kindly contact me for a vital transaction on:
[email protected]"". Which statement below is true?

Question143: Firewalk has just completed the second phase (the scanning phase) and a technician receives the output shown below. What conclusions can be drawn based on these scan results?

Question144: Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close.
What just happened?

Question145: You are logged in as a local admin on a Windows 7 system and you need to launch the Computer Management Console from command line.
Which command would you use?

Question146: Your company was hired by a small healthcare provider to perform a technical assessment on the network.
What is the best approach for discovering vulnerabilities on a Windows-based computer?

Question147: Which of the following Nmap commands will produce the following output?
Output:

Question148: International Organization for Standardization (ISO) standard 27002 provides guidance for compliance by outlining

Question149: Nation-state threat actors often discover vulnerabilities and hold on to them until they want to launch a sophisticated attack. The Stuxnet attack was an unprecedented style of attack because it used four types of vulnerability.
What is this style of attack called?

Question150: When security and confidentiality of data within the same LAN is of utmost priority, which IPSec mode should you implement?

Question151: Fingerprinting VPN firewalls is possible with which of the following tools?

Question152: It is a kind of malware (malicious software) that criminals install on your computer so they can lock it from a remote location. This malware generates a pop-up window, webpage, or email warning from what looks like an official authority. It explains that your computer has been locked because of possible illegal activities on it and demands payment before you can access your files and programs again.
Which of the following terms best matches the definition?

Question153: Which of the following is optimized for confidential communications, such as bidirectional voice and video?

Question154: When you return to your desk after a lunch break, you notice a strange email in your inbox. The sender is someone you did business with recently, but the subject line has strange characters in it.
What should you do?

Question155: An organization hires a tester to do a wireless penetration test. Previous reports indicate that the last test did not contain management or control packets in the submitted traces. Which of the following is the most likely reason for lack of management or control packets?

Question156: Which of the following programming languages is most susceptible to buffer overflow attacks, due to its lack of a built-in-bounds checking mechanism?

Output:
Segmentation fault

Question157: To reduce the attack surface of a system, administrators should perform which of the following processes to remove unnecessary software, services, and insecure configuration settings?

Question158: What is the term coined for logging, recording and resolving events in a company?

Question159: What is the main reason the use of a stored biometric is vulnerable to an attack?

Question160: One way to defeat a multi-level security solution is to leak data via

Question161: What is the most secure way to mitigate the theft of corporate information from a laptop that was left in a hotel room?

Question162: Which of the following tools are used for enumeration? (Choose three.)

Question163: The network administrator for a company is setting up a website with e-commerce capabilities. Packet sniffing is a concern because credit card information will be sent electronically over the Internet.
Customers visiting the site will need to encrypt the data with HTTPS. Which type of certificate is used to encrypt and decrypt the data?

Question164: When setting up a wireless network, an administrator enters a pre-shared key for security. Which of the following is true?

Question165: A pentester gains access to a Windows application server and needs to determine the settings of the built- in Windows firewall. Which command would be used?

Question166: What is the benefit of performing an unannounced Penetration Testing?

Question167: Which of the following is a common Service Oriented Architecture (SOA) vulnerability?

Question168: The intrusion detection system at a software development company suddenly generates multiple alerts regarding attacks against the company's external webserver, VPN concentrator, and DNS servers. What should the security team do to determine which alerts to check first?

Question169: Which of the following is a client-server tool utilized to evade firewall inspection?

Question170: Which of the following is a strong post designed to stop a car?

Question171: Which of the following types of firewall inspects only header information in network traffic?

Question172: Bob learned that his username and password for a popular game has been compromised. He contacts the company and resets all the information. The company suggests he use two-factor authentication, which option below offers that?

Question173: Which of the following cryptography attack methods is usually performed without the use of a computer?

Question174: In cryptanalysis and computer security, 'pass the hash' is a hacking technique that allows an attacker to authenticate to a remote server/service by using the underlying NTLM and/or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case.
Metasploit Framework has a module for this technique: psexec. The psexec module is often used by penetration testers to obtain access to a given system that you already know the credentials for. It was written by sysinternals and has been integrated within the framework. Often as penetration testers, successfully gain access to a system through some exploit, use meterpreter to grab the passwords or other methods like fgdump, pwdump, or cachedump and then utilize rainbowtables to crack those hash values.
Which of the following is true hash type and sort order that is using in the psexec module's 'smbpass'?

Question175: During a penetration test, the tester conducts an ACK scan using NMAP against the external interface of the DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which type of packet inspection is the firewall conducting?

Question176: Which of the following descriptions is true about a static NAT?

Question177: Suppose you've gained access to your client's hybrid network. On which port should you listen to in order to know which Microsoft Windows workstations has its file sharing enabled?

Question178: Which of the following is a vulnerability in GNU's bash shell (discovered in September of 2014) that gives attackers access to run remote commands on a vulnerable system?

Question179: Supposed you are the Chief Network Engineer of a certain Telco. Your company is planning for a big business expansion and it requires that your network authenticate users connecting using analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay network. Which AAA protocol would you implement?

Question180: A medium-sized healthcare IT business decides to implement a risk management strategy.
Which of the following is NOT one of the five basic responses to risk?

Question181: Which type of scan measures a person's external features through a digital video camera?

Question182: An attacker has captured a target file that is encrypted with public key cryptography. Which of the attacks below is likely to be used to crack the target file?

Question183: An nmap command that includes the host specification of 202.176.56-57.* will scan _______ number of hosts.

Question184: You have successfully gained access to a linux server and would like to ensure that the succeeding outgoing traffic from this server will not be caught by a Network Based Intrusion Detection Systems (NIDS).
What is the best way to evade the NIDS?

Question185: By using a smart card and pin, you are using a two-factor authentication that satisfies

Question186: What is the broadcast address for the subnet 190.86.168.0/22?

Question187: In order to prevent particular ports and applications from getting packets into an organization, what does a firewall check?

Question188: Which command lets a tester enumerate alive systems in a class C network via ICMP using native Windows tools?

Question189: You are manually conducting Idle Scanning using Hping2. During your scanning you notice that almost every query increments the IPID regardless of the port being queried. One or two of the queries cause the IPID to increment by more than one value. Why do you think this occurs?

Question190: Initiating an attack against targeted businesses and organizations, threat actors compromise a carefully selected website by inserting an exploit resulting in malware infection. The attackers run exploits on well- known and trusted sites likely to be visited by their targeted victims. Aside from carefully choosing sites to compromise, these attacks are known to incorporate zero-day exploits that target unpatched vulnerabilities. Thus, the targeted entities are left with little or no defense against these exploits.
What type of attack is outlined in the scenario?

Question191: How can a policy help improve an employee's security awareness?

Question192: Which of the following techniques does a vulnerability scanner use in order to detect a vulnerability on a target service?

Question193: What is a NULL scan?

Question194: A pentester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pentester pivot using Metasploit?

Question195: Which of the following is NOT an ideal choice for biometric controls?

Question196: A security consultant is trying to bid on a large contract that involves penetration testing and reporting. The company accepting bids wants proof of work so the consultant prints out several audits that have been performed. Which of the following is likely to occur as a result?

Question197: You have compromised a server on a network and successfully opened a shell. You aimed to identify all operating systems running on the network. However, as you attempt to fingerprint all machines in the network using the nmap syntax below, it is not going through.

What seems to be wrong?

Question198: A tester has been hired to do a web application security test. The tester notices that the site is dynamic and must make use of a back end database.
In order for the tester to see if SQL injection is possible, what is the first character that the tester should use to attempt breaking a valid SQL request?

Question199: Which of the following is a wireless network detector that is commonly found on Linux?

Question200: While performing online banking using a Web browser, Kyle receives an email that contains an image of a well-crafted art. Upon clicking the image, a new tab on the web browser opens and shows an animated GIF of bills and coins being swallowed by a crocodile. After several days, Kyle noticed that all his funds on the bank was gone. What Web browser-based security vulnerability got exploited by the hacker?

Question201: What is not a PCI compliance recommendation?

Question202: Which of the following is an example of an asymmetric encryption implementation?

Question203: When purchasing a biometric system, one of the considerations that should be reviewed is the processing speed. Which of the following best describes what it is meant by processing?

Question204: Which of the following describes a component of Public Key Infrastructure (PKI) where a copy of a private key is stored to provide third-party access and to facilitate recovery operations?

Question205: You have successfully gained access to your client's internal network and successfully comprised a Linux server which is part of the internal IP network. You want to know which Microsoft Windows workstations have file sharing enabled.
Which port would you see listening on these Windows machines in the network?

Question206: Which type of security document is written with specific step-by-step details?

Question207: Which tool would be used to collect wireless packet data?

Question208: Under what conditions does a secondary name server request a zone transfer from a primary name server?

Question209: What is the correct PCAP filter to capture all TCP traffic going to or from host 192.168.0.125 on port 25?

Question210: Emil uses nmap to scan two hosts using this command.
nmap -sS -T4 -O 192.168.99.1 192.168.99.7
He receives this output:


What is his conclusion?

Question211: Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan?

Question212: A hacker was able to sniff packets on a company's wireless network. The following information was discovered:

Using the Exlcusive OR, what was the original message?

Question213: In order to have an anonymous Internet surf, which of the following is best choice?

Question214: What is correct about digital signatures?

Question215: First thing you do every office day is to check your email inbox. One morning, you received an email from your best friend and the subject line is quite strange. What should you do?

Question216: The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the host 10.0.0.3. Also he needs to permit all FTP traffic to the rest of the network and deny all other traffic.
After he applied his ACL configuration in the router nobody can access to the ftp and the permitted hosts cannot access to the Internet. According to the next configuration what is happening in the network?

Question217: Which of the following ensures that updates to policies, procedures, and configurations are made in a controlled and documented fashion?

Question218: A regional bank hires your company to perform a security assessment on their network after a recent data breach. The attacker was able to steal financial data from the bank by compromising only a single server.
Based on this information, what should be one of your key recommendations to the bank?

Question219: Which of the following can take an arbitrary length of input and produce a message digest output of 160 bit?

Question220: Advanced encryption standard is an algorithm used for which of the following?

Question221: It is an entity or event with the potential to adversely impact a system through unauthorized access, destruction, disclosure, denial of service or modification of data.
Which of the following terms best matches the definition?

Question222: A large mobile telephony and data network operator has a data that houses network elements. These are essentially large computers running on Linux. The perimeter of the data center is secured with firewalls and IPS systems. What is the best security policy concerning this setup?

Question223: Name two software tools used for OS guessing? (Choose two.)

Question224: Which vital role does the U.S. Computer Security Incident Response Team (CSIRT) provide?

Question225: Destination unreachable administratively prohibited messages can inform the hacker to what?

Question226: The establishment of a TCP connection involves a negotiation called 3 way handshake. What type of message sends the client to the server in order to begin this negotiation?

Question227: Which of the following tools would be the best choice for achieving compliance with PCI Requirement 11?

Question228: Which of the following is a component of a risk assessment?

Question229: A security analyst in an insurance company is assigned to test a new web application that will be used by clients to help them choose and apply for an insurance plan. The analyst discovers that the application is developed in ASP scripting language and it uses MSSQL as a database backend. The analyst locates the application's search form and introduces the following code in the search input field:

When the analyst submits the form, the browser returns a pop-up window that says "Vulnerable".
Which web applications vulnerability did the analyst discover?

Question230: Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run?

Question231: Which of the following is a hashing algorithm?

Question232: While reviewing the result of scanning run against a target network you come across the following:

Which among the following can be used to get this output?

Question233: An attacker uses a communication channel within an operating system that is neither designed nor intended to transfer information. What is the name of the communications channel?

Question234: You're doing an internal security audit and you want to find out what ports are open on all the servers.
What is the best way to find out?

Question235: Which of the following is a passive wireless packet analyzer that works on Linux-based systems?

Question236: Which of the following items of a computer system will an anti-virus program scan for viruses?

Question237: What is a successful method for protecting a router from potential smurf attacks?

Question238: A developer for a company is tasked with creating a program that will allow customers to update their billing and shipping information. The billing address field used is limited to 50 characters. What pseudo code would the developer use to avoid a buffer overflow attack on the billing address field?

Question239: Joseph was the Web site administrator for the Mason Insurance in New York, who's main Web site was located at www.masonins.com. Joseph uses his laptop computer regularly to administer the Web site. One night, Joseph received an urgent phone call from his friend, Smith. According to Smith, the main Mason Insurance web site had been vandalized! All of its normal content was removed and replaced with an attacker's message ''Hacker Message: You are dead! Freaks!" From his office, which was directly connected to Mason Insurance's internal network, Joseph surfed to the Web site using his laptop. In his browser, the Web site looked completely intact.
No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the problem.
The Web site appeared defaced when his friend visited using his DSL connection. So, while Smith and his friend could see the defaced page, Joseph saw the intact Mason Insurance web site. To help make sense of this problem, Joseph decided to access the Web site using hisdial-up ISP. He disconnected his laptop from the corporate internal network and used his modem to dial up the same ISP used by Smith. After his modem connected, he quickly typed www.masonins.com in his browser to reveal the following web page:

After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the entire Web site, and determined that every system file and all the Web content on the server were intact. How did the attacker accomplish this hack?

Question240: What results will the following command yield: 'NMAP -sS -O -p 123-153 192.168.100.3'?

Question241: What tool should you use when you need to analyze extracted metadata from files you collected when you were in the initial stage of penetration test (information gathering)?

Question242: Which of the following BEST describes the mechanism of a Boot Sector Virus?

Question243: When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing?

Question244: Which type of intrusion detection system can monitor and alert on attacks, but cannot stop them?

Question245: XOR is a common cryptographic tool. 10110001 XOR 00111010 is?

Question246: A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash. The technician researches the bug and discovers that no one else experienced the problem. What is the appropriate next step?

Question247: When using Wireshark to acquire packet capture on a network, which device would enable the capture of all traffic on the wire?

Question248: Which of the following areas is considered a strength of symmetric key cryptography when compared with asymmetric algorithms?

Question249: What is the main difference between a "Normal" SQL Injection and a "Blind" SQL Injection vulnerability?

Question250: The fundamental difference between symmetric and asymmetric key cryptographic systems is that symmetric key cryptography uses which of the following?

Question251: On a Linux device, which of the following commands will start the Nessus client in the background so that the Nessus server can be configured?

Question252: How do employers protect assets with security policies pertaining to employee surveillance activities?

Question253: While testing the company's web applications, a tester attempts to insert the following test script into the search area on the company's web site:
<script>alert(" Testing Testing Testing ")</script>
Afterwards, when the tester presses the search button, a pop-up box appears on the screen with the text:
"Testing Testing Testing". Which vulnerability has been detected in the web application?

Question254: Which of the following is assured by the use of a hash?

Question255: Which of the following is used to indicate a single-line comment in structured query language (SQL)?

Question256: An ethical hacker for a large security research firm performs penetration tests, vulnerability tests, and risk assessments. A friend recently started a company and asks the hacker to perform a penetration test and vulnerability assessment of the new company as a favor. What should the hacker's next step be before starting work on this job?

Question257: Which of the following is a restriction being enforced in "white box testing?"

Question258: What is the best defense against privilege escalation vulnerability?

Question259: In an internal security audit, the white hat hacker gains control over a user account and attempts to acquire access to another account's confidential files and information. How can he achieve this?

Question260: Let's imagine three companies (A, B and C), all competing in a challenging global environment. Company A and B are working together in developing a product that will generate a major competitive advantage for them. Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing.
With a spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails from company B How do you prevent DNS spoofing?

Question261: Which of the following open source tools would be the best choice to scan a network for potential targets?

Question262: What is the main advantage that a network-based IDS/IPS system has over a host-based solution?

Question263: You are using NMAP to resolve domain names into IP addresses for a ping sweep later.
Which of the following commands looks for IP addresses?

Question264: During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site Scripting (XSS). Which of the following conditions must be met to exploit this vulnerability?

Question265: An attacker with access to the inside network of a small company launches a successful STP manipulation attack. What will he do next?

Question266: When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following?