Certified Ethical Hacker (CEH) Practice

Your team is developing an update to a piece of code that allows customers to update their billing and shipping addresses in the web application. The shipping address field used in the database was designed with a limit of 75 characters. Your team's web programmer has brought you some algorithms that may help to prevent an attacker from trying to conduct a buffer overflow attack by submitting invalid input to the shipping address field. Which pseudocode represents the best solution to prevent this issue?

Options are :

  • if (shippingAddress >= 75) {update field} else exit
  • if (shippingAddress = 75) {update field} else exit
  • if (shippingAddress <= 75) {update field} else exit (Correct)
  • if (shippingAddress != 75) {update field} else exit

Answer : if (shippingAddress <= 75) {update field} else exit

Explanation In order to ensure that the field is not overrun by an input that is too long, input validation must occur. Checking if the shipping address is less than or equal to 75 characters before updating the field would be the right way to go. If the input is 76 characters or more, then the field will not be updated and the algorithm will "exit" the function.

During a wireless penetration test, a tester detects an access point using WPA2 encryption. Which of the following attacks should be used to obtain the key?

Options are :

  • The tester must capture the WPA2 authentication handshake and then crack it. (Correct)
  • The tester must use the tool inSSIDer to crack it using the ESSID of the network.
  • The tester cannot crack WPA2 because it is in full compliance with the IEEE 802.11i standard.
  • The tester must change the MAC address of the wireless network card and then use the AirTraf tool to obtain the key.

Answer : The tester must capture the WPA2 authentication handshake and then crack it.

Explanation In order to crack WPA2, you must capture the WPA2 authentication handshake and then crack that offline. You can use tools like the Aircrack-ng suite to crack the handshake offline.

What type of approach should be used if senior management is supporting and enforcing the security policy?

Options are :

  • Bottom-up
  • Senior creation
  • IT assurance
  • Top-down (Correct)

Answer : Top-down

Explanation The top-down approach begins with management establishing a framework for initiating and implementing security practices in the enterprise. A bottom-up approach occurs when the system administrators and security personnel try to establish a security program on their own without senior management support and enforcement.

When using a network-based IDS such as Snort, what occurs when an alert rule has been matched?

Options are :

  • Snort will block the connection with the source IP address from the packet scanned
  • Snort will drop the current packet being scanned and move on to the next one
  • Snort will stop checking the rules, send an alert, and then allow the packet to continue across the network
  • Snort will evaluate the entire packet until all the alert rules have been checked (Correct)

Answer : Snort will evaluate the entire packet until all the alert rules have been checked

Explanation When Snort is operating as an IDS, it will not block the connection or drop the packet. Instead, Snort will evaluate the entire packet and check all the alert rules, logging any matches it finds.

You have been hired as a penetration tester by an organization that wants you to conduct a risk assessment of their DMZ. The company-provided Rules of Engagement state that you must do all penetration testing from an external IP address without being given any prior knowledge of the internal IT system architecture. What kind of penetration test have you been hired to perform?

Options are :

  • White box
  • Black box (Correct)
  • Red team
  • Grey box

Answer : Black box

Explanation A black box penetration test requires no previous information and usually takes the approach of an uninformed attacker. In a black box penetration test the penetration tester has no previous information about the target system or network. This provides a very realistic scenario for testing of the defenses, but it can be costlier and takes much more time to conduct.

What best represents a logical or technical control?

Options are :

  • HVAC
  • Security tokens (Correct)
  • Corporate security policy
  • Smoke and fire alarms

Answer : Security tokens

Explanation Security tokens are a logical or technical control. HVAC, smoke alarms, and fire alarms are a form of physical control. Corporate security policy is a form of administrative control.

What process evaluates if an organization follows its stated security policies?

Options are :

  • Penetration testing
  • Security audit (Correct)
  • Vulnerability assessment
  • Risk assessment

Answer : Security audit

Explanation A security audit is a manual or systematic measurable technical assessment of a system to determine if it adheres to the organizational security policies. Audits can include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems.

A recently hired security employee at a bank was asked to perform daily scans of the bank’s intranet in order to look for unauthorized devices. The new employee decides to create a script that scans the network for unauthorized devices every morning at 2:00 am. What programming language would work best to create this script?

Options are :

  • C#
  • PHP
  • ASP.NET
  • Python (Correct)

Answer : Python

Explanation Python is a scripting language commonly used in cybersecurity. PHP is used as a scripting language for web applications. C# and ASP.NET are both compiled languages, not scripting languages.

What is an advantage of an application-level firewall?

Options are :

  • Monitoring of TCP handshakes
  • Filtering packets at the network level
  • Retaining state information for each packet
  • Filtering specific commands such as HTTP:GET or HTTP:POST (Correct)

Answer : Filtering specific commands such as HTTP:GET or HTTP:POST

Explanation An application firewall is a form of firewall that controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls that do not meet the configured policy of the firewall. The application firewall is typically built to control all network traffic on any OSI layer up to the application layer, such as the GET and PUT commands used by the HTTP application.

What NMAP switch would you use to perform operating system detection?

Options are :

  • -OS
  • -s0
  • -O (Correct)
  • -sP

Answer : -O

Explanation The -O switch is used to tell NMAP to conduct fingerprinting of the operating system based on the responses received during scanning. NMAP will then report on the suspected operating system of the scanned host. If you use -O -v, you will get additional details, as this runs the operating system scan in verbose mode.

What system contains a publicly available set of databases with registration contact information for every domain name on the Internet?

Options are :

  • CAPTCHA
  • WHOIS (Correct)
  • IETF
  • IANA

Answer : WHOIS

Explanation WHOIS is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format and is publicly available for use.

What must you do to verify that you could fully restore the data from a tape backup?

Options are :

  • Read the data contained in the last 512 bytes of the tape backup
  • Read the data contained in the first 512 bytes of the tape backup
  • Perform a full restoration of the data from the tape backup (Correct)
  • Restore a random file from the tape backup

Answer : Perform a full restoration of the data from the tape backup

Explanation While reading from a tape backup can determine that the parts you have read data from are accessible, without performing a full restoration of the data from the tape backup you will never know if the entire backup was successful. The only surefire way to know that a full tape backup was successful is to conduct a full restoration of the data from the tape backup.

At 2:35 a.m., a cybersecurity analyst received an administrative alert from the intrusion detection system. The alert shows a large number of packets going into the network over ports 20 and 21. During their analysis, the analyst found no signs of attack on the FTP servers. How should this situation be classified?

Options are :

  • False positives (Correct)
  • True positives
  • False negatives
  • True negatives

Answer : False positives

Explanation Since the investigation verified that there were no signs of attack, the alert should be categorized as a false positive. A false positive occurs when an alert condition or finding that does not exist is reported as having occurred.

If a cybersecurity administrator is worried about a potential man-in-the-middle attack when a user accesses the corporate website from their workstation, what would be the best remediation?

Options are :

  • Requiring client and server PKI certificates for all connections (Correct)
  • Mandating only client-side PKI certificates for all connections
  • Implementing server-side PKI certificates for all connections
  • Requiring strong authentication for all DNS queries

Answer : Requiring client and server PKI certificates for all connections

Explanation By requiring client and server PKI certificates for all connections, both the client and server are validated as authentic, which can prevent a man-in-the-middle attack.

How does the Open Web Application Security Project (OWASP) testing methodology address the need to secure web applications?

Options are :

  • By providing web application patches
  • By providing a list of flaws and how to fix them (Correct)
  • By providing a security certification for hardened web applications
  • By providing an extensible security framework named COBIT

Answer : By providing a list of flaws and how to fix them

Explanation The Open Web Application Security Project, an online community, produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. This includes their Top 10 list of the most common vulnerabilities and how to fix them.

What tool could be used to fingerprint VPN firewalls?

Options are :

  • Arp-scan
  • Nikto
  • Angry IP
  • Ike-scan (Correct)

Answer : Ike-scan

Explanation Ike-scan is a command-line tool that uses the IKE protocol to discover, fingerprint and test IPsec VPN servers and firewalls. It scans IP addresses for VPN servers or firewalls by sending a specially crafted IKE packet to each host within a network. Most hosts running IKE will respond, identifying their presence.

What vulnerability is introduced if you use alert thresholding (reducing the volume of repeated alerts) in an Intrusion Detection System?

Options are :

  • The IDS won’t distinguish between packets coming from different sources
  • An attacker could evade detection by the IDS if they operated slowly enough (Correct)
  • If the volume exceeds the threshold, network packets could be dropped
  • The IDS’ ability to reassemble fragmented packets is interfered with by thresholding

Answer : An attacker could evade detection by the IDS if they operated slowly enough

Explanation When thresholding is used, an attacker operating slowly enough could evade detection by the IDS by staying under the alerting threshold.

What type of scan is used to measure the blood vessels in a user’s eye?

Options are :

  • Signature kinetics scan
  • Facial recognition scan
  • Iris scan
  • Retinal scan (Correct)

Answer : Retinal scan

Explanation A retinal scan is a biometric technique that uses the unique patterns on a person's retina blood vessels. Another ocular-based scan technology is called an iris recognition scan, or more commonly referred to as an iris scan.

A network administrator enters a pre-shared key to setup wireless security on a network. What is true concerning the pre-shared key?

Options are :

  • It is an RSA key used to encrypt the wireless data
  • It is a hash that is used to prove the integrity of the wireless data
  • It is based on the Diffie-Hellman method
  • It is a symmetric key used to encrypt the wireless data (Correct)

Answer : It is a symmetric key used to encrypt the wireless data

Explanation The pre-shared key is a symmetric key used to encrypt the wireless data between the Wireless Access Point and the user's workstation.

What results will the following command yield?

# nmap -sS -O -p 80-443 145.18.24.7

Options are :

  • A stealth scan, determine operating system, and scanning ports 80 to 443 (Correct)
  • A stealth scan, scanning ports 80 and 443
  • A stealth scan, scanning ports 80 to 443
  • A stealth scan, scanning all open ports excluding ports 80 to 443

Answer : A stealth scan, determine operating system, and scanning ports 80 to 443

Explanation When using NMAP, the -sS tells the tool to use a stealth scan, the -O is used to determine the operating system, and -p dictates which ports to scan.

What PKI (Public Key Infrastructure) process ensures that a trust relationship exists and that a certificate is still valid for specific operations?

Options are :

  • Certificate cryptography
  • Certificate validation (Correct)
  • Certificate revocation
  • Certificate issuance

Answer : Certificate validation

Explanation Certificate validation is a key part of the process of authenticating users and systems and securing network communications through the use of digital certificates. To validate a digital certificate, a public key infrastructure (PKI)-enabled application must determine whether the certificate and the public key it contains are trustworthy. Validating a certificate requires the certificate-validation logic in the PKI-enabled application to perform a series of checks on different parts of the certificate.

What open source tool is the best choice to scan a network for potential targets?

Options are :

  • John the Ripper
  • NMAP (Correct)
  • Cain and Abel
  • NIKTO

Answer : NMAP

Explanation NMAP is the most popular network scanner in the world. To accomplish its goal, NMAP sends specially crafted packets to the target host(s) and then analyzes the responses. It is available for Windows, Mac, and *NIX operating systems.

What could be used to best manage a botnet?

Options are :

  • Linkedin and Facebook
  • Vulnerable FTP server
  • IRC (Correct)
  • E-Mail

Answer : IRC

Explanation IRC, or Internet Relay Chat, is often used to effectively manage a botnet. For example, DorkBot, IRCBot.HI, RageBot, and Phorpiex are all examples of botnets that have been managed through IRC in the past.

Your organization’s networks contain 4 subnets: 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0. Using NMAP, how can you scan all 4 subnets using a single command?

Options are :

  • nmap -P 10.0.0-3.0 (Correct)
  • nmap -P 10.0.0.0,1.0,2.0,3.0
  • nmap -P 10.0.0.0/23
  • nmap -P 10.0.0.0/25

Answer : nmap -P 10.0.0-3.0

Explanation The simplest way to scan multiple subnets that are adjacent to each other is to use the hyphen (-) to signify "this network through this network". So, 10.0.0-3.0 will scan every IP from 10.0.0.0 through 10.0.3.255.

What vulnerability must exist for a penetration tester to exploit a Cross-Site Request Forgery (CSRF) vulnerable web application?

Options are :

  • Victim must open the malicious link with a Firefox version 3 or older
  • A victim must open the malicious link with Internet Explorer version 8 or older
  • Session cookies generated by the application haven’t set the HttpOnly flag
  • Random tokens should not be utilized by the web application (Correct)

Answer : Random tokens should not be utilized by the web application

Explanation If a web application uses random tokens, it can help to prevent Cross-Site Request Forgery (CSRF). Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious website, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The impact of a successful CSRF attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context. In effect, CSRF attacks are used by an attacker to make a target system perform a function via the target's browser without knowledge of the target user, at least until the unauthorized transaction has been committed.

A cybersecurity administrator is required to restrict malicious input when they are performing data validation of a website. What process is an efficient way of restricting malicious input?

Options are :

  • Validate the input with scanning tools
  • Validate the input for extra queries
  • Validate the input for type, length, and range (Correct)
  • Validate the input for query strings

Answer : Validate the input for type, length, and range

Explanation Input validation is the most efficient way to restrict input from being used in a malicious way. This includes validating the input received to ensure it is of the expected type, length, and range before submitting it to the backend database for execution. Input validation is one of the most effective methods of preventing SQL injection attacks.

A mortgage brokerage's server stores and processes sensitive privacy information related to their clients' home loans. Unfortunately, when the server was originally installed, auditing was never enabled on the server. Before enabling the audit feature on the server, what should the mortgage brokerage do first?

Options are :

  • Determine the impact of enabling the audit feature (Correct)
  • Perform a cost/benefit analysis of the audit feature
  • Allocate funds for staffing of audit log review
  • Perform a vulnerability scan of the system

Answer : Determine the impact of enabling the audit feature

Explanation Before turning on additional security features, the impact to the server needs to be considered. For example, if enabling auditing would place a significant resource load upon the server, it could crash the server and create a self-imposed denial of service. Once the impact is understood, then the cost/benefit analysis and allocation of funds would need to be considered.

What type of access control is used on a firewall or router to limit network traffic?

Options are :

  • Rule-based (Correct)
  • Role-based
  • Mandatory
  • Discretionary

Answer : Rule-based

Explanation Routers and firewalls rely on Access Control Lists (ACLs) to limit network traffic. ACLs are a list of rules to allow or deny traffic from entering or leaving a network. Therefore, they are a type of rule-based access control.

What best describes the security concept of least privilege?

Options are :

  • A user is limited to those functions required to do their job. (Correct)
  • A user is given privileges equal to everyone else in their department.
  • A user is given root or administrative privileges.
  • A user is trusted to keep all data and access to that data under their full control.

Answer : A user is limited to those functions required to do their job.

Explanation The principle of least privilege means giving a user account only those privileges which are essential to perform their intended job function. For example, a user whose sole job function is creating backups does not need the ability to install software. Therefore, their user account will only have rights to run backup and backup-related applications.

What technique does a vulnerability scanner use in order to detect a vulnerability on a specific service?

Options are :

  • Fuzzing
  • Port scanning
  • Banner grabbing
  • Analyzing the response received from the service when probed (Correct)

Answer : Analyzing the response received from the service when probed

Explanation When a vulnerability scanner analyzes the response received from a service during a scan/probe, it can determine if the vulnerability exists on the given service on a server.

What digital modulation technique is used to exchange information between Bluetooth paired devices when using the basic rate (BR) of 1 Mbps?

Options are :

  • ASK (amplitude-shift keying)
  • FSK (frequency-shift keying) (Correct)
  • PSK (phase-shift keying)
  • QAM (quadrature amplitude modulation)

Answer : FSK (frequency-shift keying)

Explanation Bluetooth devices operate in the 2.4 GHz frequency band using frequency hopping techniques that utilize Gaussian Frequency Shift Keying (GFSK) to exchange information at the basic rate (BR) of 1 Mbps.

You have been hired to perform a web application security test. During the test, you notice that the site is dynamic and therefore must be using a backend database. You decide you want to test to determine if the site is susceptible to a SQL injection. What is the first character that you should use to attempt breaking a valid SQL request?

Options are :

  • Semicolon
  • Exclamation mark
  • Double quote
  • Single quote (Correct)

Answer : Single quote

Explanation The single quote character (') is used because this is the string delimiter in SQL. With a single quote you delimit strings, and therefore you can test whether strings are properly escaped in the targeted application or not. If they are not escaped, you can end any string supplied to the application and add other SQL code after it, which is a common technique for SQL injection.

If you wanted to automate SQL injections and exploit a database by forcing a given web application to connect to another database that you control as the attacker, what tool would you use?

Options are :

  • Netcat
  • SQLInjector
  • Data Thief (Correct)
  • Cain and Abel

Answer : Data Thief

Explanation Data Thief is a proof-of-concept tool used to demonstrate to web administrators and developers how easy it is to steal data from a web application that is vulnerable to SQL Injection. Data Thief is designed to retrieve the data from a Microsoft SQL Server back-end behind a web application with a SQL Injection vulnerability. Once a SQL Injection vulnerability is identified, Data Thief does all the work of listing the linked servers, laying out the database schema, and actually selecting the data from a table in the application.

What type of network attack takes advantage of a weakness in the fragment reassembly functionality of the TCP/IP protocol stack?

Options are :

  • SYN flood
  • Teardrop (Correct)
  • Smurf attack
  • Ping of death

Answer : Teardrop

Explanation A teardrop attack is a denial of service (DoS) attack conducted by targeting TCP/IP fragmentation reassembly code. This attack causes fragmented packets to overlap one another on receipt at the host; the host attempts to reconstruct them during reassembly but fails. Gigantic payloads are sent to the machine that is being targeted, causing system crashes.

You have conducted a Google search for "site:webserver.com -site:sales.webserver.com financial". What results do you expect to receive?

Options are :

  • Google results for keyword matches from the site sales.webserver.com that are in the domain webserver.com but do not include the word financial
  • Google results matching all words in the query
  • Google results for keyword matches on webserver.com and sales.webserver.com that include the word "financial"
  • Google results matching "financial" in domain webserver.com, but no results from the site sales.webserver.com (Correct)

Answer : Google results matching "financial" in domain webserver.com, but no results from the site sales.webserver.com

Explanation When conducting a Google search, using site:AAA in the query will return results only from that website (AAA). If you use -site:AAA, you will get results that are explicitly not on the website (AAA). In the case of this question, no results should show up from sales.webserver.com. All results should only come from webserver.com.

At which layer of the OSI model does PPTP encryption occur?

Options are :

  • Application layer
  • Data link layer (Correct)
  • Transport layer
  • Network layer

Answer : Data link layer

Explanation The Point-to-Point Tunneling Protocol (PPTP) is an obsolete method for implementing virtual private networks, with many known security issues. PPTP uses a TCP control channel and a GRE tunnel to encapsulate PPP packets. The PPTP specification does not describe encryption or authentication features and relies on the Point-to-Point Protocol being tunneled to implement security functionality. This is considered a Layer 2 protocol and occurs at the Data Link Layer.

The Service Desk just received dozens of calls from employees across the organization that they are unable to access Facebook.com. You just checked the web proxy, but Facebook.com is not set up to be blocked. You open a command prompt and try to ping Facebook.com, but you get no response. You then try to ping 8.8.8.8, and immediately get a successful reply. Next, you try running nslookup for www.facebook.com and receive an error message stating there is no response from the server. What should you do next to solve this issue?

Options are :

  • Configure the firewall to allow traffic on TCP port 53 and UDP port 53 (Correct)
  • Configure the firewall to allow traffic on TCP port 80 and UDP port 443
  • Configure the firewall to allow traffic on TCP port 53
  • Configure the firewall to allow traffic on TCP port 8080

Answer : Configure the firewall to allow traffic on TCP port 53 and UDP port 53

Explanation It appears that the DNS queries are not working properly, since you can reach servers by their IP addresses but not by their domain names. DNS uses port 53 to transfer information over both TCP and UDP. If you are having a DNS issue, it is a good idea to check if your firewall is blocking port 53 on TCP and UDP.

What protocol is used by smart cards to securely transfer the certificate?

Options are :

  • Point to Point Protocol (PPP)
  • Point to Point Tunneling Protocol (PPTP)
  • Layer 2 Tunneling Protocol (L2TP)
  • Extensible Authentication Protocol (EAP) (Correct)

Answer : Extensible Authentication Protocol (EAP)

Explanation EAP-TLS: Both the client and authentication server mutually authenticate over a TLS session with digital certificates. In addition to ensuring that the client is authorized to access the network, the client can be confident that he or she is communicating with the desired network, not an impostor. This method is the most secure because an attacker must steal both a digital certificate and its password. However, organizations that have many clients may find there is too much overhead in administering the client certificates for EAP-TLS to be feasible.

A penetration tester discovered a firewall between their machine and the target machine. The firewall is only monitoring TCP handshaking of packets at the session layer of the OSI model. What kind of firewall did the penetration tester find?

Options are :

  • Stateful multilayer inspection firewall
  • Application-level firewall
  • Packet filtering firewall
  • Circuit-level gateway firewall (Correct)

Answer : Circuit-level gateway firewall

Explanation A circuit-level gateway firewall works at the session layer of the OSI model, between the application layer and the transport layer of the TCP/IP stack. These firewalls monitor TCP handshaking between packets to determine whether a requested session is actually legitimate.

What is the best defense against a privilege escalation vulnerability?

Options are :

  • Review user roles and administrator privileges for maximum utilization of automation services
  • Patch systems regularly and upgrade interactive login privileges at the system administrator level
  • Run services with least privileged accounts and implement multi-factor authentication/authorization (Correct)
  • Run administrator and applications on least privileges and use a content registry for tracking

Answer : Run services with least privileged accounts and implement multi-factor authentication/authorization

Explanation Running services with the least privileged accounts is a good practice, because if an attacker is able to compromise a service they will then only have limited privileges on the system. Implementing multi-factor authentication/authorization is important, because then even if an attacker is able to compromise an account's login credentials (such as the username/password), they will be unable to log in without the second authentication factor.

Which property ensures that a hash function will not produce the same hashed value for two different messages?

Options are :

  • Bit length
  • Collision resistance (Correct)
  • Entropy
  • Key strength

Answer : Collision resistance

Explanation Collision resistance is a property of cryptographic hash functions. Every hash function with more inputs than outputs will necessarily have collisions. The larger the hash value size, the less likely there are for collisions to occur and therefore the more collision resistant the hash algorithm. For example, SHA-256 is much more collision resistant than MD5.

What type of scan will measure the size or distance of a person's external features with a digital video camera?

Options are :

  • Signature kinetics scan
  • Facial recognition scan (Correct)
  • Retinal scan
  • Iris scan

Answer : Facial recognition scan

Explanation A face recognition system is a computer application capable of identifying or verifying a person from a digital image or a video frame from a video source. One of the ways to do this is by comparing selected facial features from the image and a face database. This is done by measuring the external features of your face (such as the distance between your eyes and nose) to identify a user.

A security analyst conducts an NMAP scan of a server and finds that port 25 is open. What risk might this server be exposed to?

Options are :

  • Web portal data leak
  • Clear text authentication
  • Active mail relay (Correct)
  • Open file/print sharing

Answer : Active mail relay

Explanation Port 25 is the default port for SMTP (Simple Message Transfer Protocol), which is used for sending email. An active mail relay occurs when an SMTP server is configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail originating from your known and trusted users. This type of vulnerability can be exploited by spammers to use your email server for their own benefit.

To configure Snort as a network intrusion detection system, what basic configuration is required?

Options are :

  • Limit the packets captured to a single segment
  • Limit the packets captured to the /var/log/snort directory
  • Limit the packets captured in the Snort configuration file (Correct)
  • Capture every packet on the network segment

Answer : Limit the packets captured in the Snort configuration file

Explanation Using the Snort configuration file, you can limit the packets being captured by setting up alerts based on rules defined in the configuration file.

Two organizations each have their own Public Key Infrastructure (PKI), but are going through a business merger and need to ensure that their Certificate Authorities (CAs) can establish a trust relationship so that the PKIs in both organizations trust one another and that each organization's PKI can validate digital certificates from the other organization. What is this setup referred to as?

Options are :

  • Cross certification (Correct)
  • Cross-site exchange
  • Poly key reference
  • Poly key exchange

Answer : Cross certification

Explanation Cross certification enables entities in one public key infrastructure (PKI) to trust entities in another PKI. This mutual trust relationship is typically supported by a cross-certification agreement between the certification authorities (CAs) in each PKI. The agreement establishes the responsibilities and liability of each party. A mutual trust relationship between two CAs requires that each CA issue a certificate to the other to establish the relationship in both directions.

What client-server tool can be used to evade firewall inspection?

Options are :

  • tcp-over-dns (Correct)
  • nikto
  • kismet
  • hping

Answer : tcp-over-dns

Explanation tcp-over-dns contains a special DNS server and a special DNS client that allows the client and server to work in tandem to provide a TCP tunnel through the standard DNS protocol. This can be used by attackers to evade inspection by the firewall, since most firewalls allow DNS traffic to freely pass into and out of the network.

What switch is used for operating system detection in NMAP?

Options are :

  • nmap -oS
  • nmap -sR
  • nmap -sV
  • nmap -O (Correct)

Answer : nmap -O

Explanation The -O switch is used in NMAP to determine the operating system. This is done through a process called fingerprinting, as NMAP attempts to best guess the operating system based on the way it responded to different types of requests during the scan.
