CEH Study Guide
The Certified Ethical Hacker certification exam is a standalone certification from
EC-Council with the exam code 312-50v8. The certification is targeted at Ethical
Hacking professionals involved with hacking fundamentals, footprinting,
scanning. The exam covers hacking skills, Linux System Security, Trojans, Web
server hacking, and Wireless hacking.
© 2013 TrainACE / Advanced Security. www.trainace.com/security
Mike wants to use NMAP to do basic vulnerability scanning. What does NMAP use for
protocols such as FTP and HTTP?
a. NESSUS scripting engine
b. Metasploit scripting engine
c. SAINT scripting engine
d. NMAP scripting engine
Answer: D
Q: John is a college student. He is interested in computer security. He wants to gain
knowledge about ethical hacking so that he can make information systems secure. In which
of the following areas should John acquire expertise in order to fulfill his dream?
Each correct answer represents a complete solution. Choose all that apply.
a. John should have excellent knowledge of computers and their functioning, including
programming and networking.
b. Since organizations have a variety of operating systems, such as UNIX, Linux,
Windows, and Macintosh, John must be an expert in dealing with these operating
systems.
c. John should be familiar with a number of hardware platforms.
d. John should be an expert in security-related communication and report writing.
Explanation: Answer options A, B, C, and D are correct.
According to the scenario, John should have expertise in all the areas listed in the above options. An
ethical hacker should have an excellent knowledge of computers and their functioning, including
programming and networking. Since organizations have a variety of operating systems, such as
UNIX, Linux, Windows, and Macintosh, an ethical hacker must be an expert in dealing with these
operating systems. Ethical hackers should also be familiar with a number of hardware platforms.
They should be knowledgeable about security areas and related issues as well.
Routers use "routing" protocols. Which of the following would a router use? (Choose 2)
a. UDP
b. RIP
c. TCP
d. BGP
e. SMTP
Answer: B and D
Q: Which of the following classes of hackers describes an individual who uses his computer
knowledge for breaking security laws, invading privacy, and making information systems
insecure?
a. Black Hat
b. White Hat
c. Gray Hat
d. Security providing organizations
Explanation: Answer option A is correct.
A Black Hat Hacker is an individual who uses his computer knowledge for breaking security laws,
invading privacy, and making information systems insecure.
Hackers are categorized into the following classes:
Black Hat Hackers (Crackers): These are persons who are computer specialists and use their
hacking skills to carry out malicious attacks on information systems.
Gray Hat Hackers: These are persons who sometimes do not break laws and help to defend a
network, but sometimes act as Black Hat Hackers.
White Hat Hackers (Ethical Hackers): These are persons who have excellent computer skills
and use their knowledge to secure information systems.
Security Providing Organizations: Some organizations and communities also provide security to
information systems.
Q: Which of the following statements is true of vulnerability?
a. It is a security weakness in a Target of Evaluation due to failures in analysis, design,
implementation, or operation.
b. It refers to a situation in which humans or natural occurrences can cause an
undesirable outcome.
c. It is an agent that can take advantage of a weakness.
d. It is a potential for violation of security, which exists when there is a circumstance,
capability, action, or event that could breach security and cause harm.
Explanation: Answer option A is correct.
Vulnerability is a weakness or lack of safeguard that can be exploited by a threat, thus causing
harm to the information systems or networks. It can exist in hardware, operating systems, firmware,
applications, and configuration files.
Answer options B, C, and D are incorrect. A threat is an indication of a potential undesirable event.
It refers to a situation in which humans or natural occurrences can cause an undesirable outcome.
A threat, not a vulnerability, is the agent that can take advantage of a weakness.
5. Q: Maria works as a professional Ethical Hacker. She recently has been assigned a
project to test the security of www.we-are-secure.com. The company has provided the
following information about the infrastructure of its network:
Network diagrams of the we-are-secure infrastructure
Source code of the security tools
IP addressing information of the we-are-secure network
Which of the following testing methodologies is we-are-secure.com using to test the security
of its network?
a. Whitebox
b. Blackbox
c. Graybox
d. Alpha testing
Explanation: Answer option A is correct.
According to the scenario, we-are-secure.com is using the whitebox testing technique. Whitebox
testing is a testing technique in which an organization provides full knowledge about the
infrastructure to the testing team.
Answer option B is incorrect. Blackbox testing is a technique in which the testing team has no
knowledge about the infrastructure of the organization. This testing technique is costly and
time-consuming.
Answer option C is incorrect. Graybox testing is a combination of whitebox testing and blackbox
testing. In graybox testing, the test engineer is equipped with the knowledge of system and designs
test cases or test data based on system knowledge.
What is the principle that a party cannot deny its role (e.g., sending a document) in an activity?
a. Non-repudiation
b. Availability
c. Privacy
d. Confidentiality
Answer: A
Microsoft servers (file and print) are often a target of attackers. What are common
vulnerabilities?
a. XSS
b. SQL injection
c. missing patches
d. weak IVs
Answer: C
6. Q: Samantha works as an Ethical Hacker for we-are-secure Inc. She wants to test the
security of the we-are-secure server for DoS attacks. She sends a large number of ICMP
ECHO packets to the target computer. Which of the following DoS attacking techniques is
she using to accomplish her task?
a. Smurf DoS attack
b. Ping flood attack
c. Teardrop attack
d. Land attack
Explanation: Answer option B is correct.
According to the scenario, Samantha is using the ping flood attack. In a ping flood attack, an
attacker sends a large number of ICMP packets to the target computer.
Answer option A is incorrect. In a smurf DoS attack, the attacker sends a large amount of ICMP
echo request traffic to the IP broadcast addresses. These ICMP requests have a spoofed source
address of the intended victim.
Answer option C is incorrect. In a teardrop attack, a series of data packets are sent to the target
system with overlapping offset field values. As a result, the target system is unable to reassemble
these packets and is forced to crash, hang, or reboot.
Answer option D is incorrect. In a land attack, the attacker sends a spoofed TCP SYN packet in
which the IP address of the target host is filled in both the source and destination fields.
Q: Which individuals believe that hacking and defacing web sites can promote social change?
a. Hacktivists
b. Crackers
c. Script kiddies
d. Phreakers
Explanation: Answer option A is correct.
Hacktivists are individuals who believe that hacking and defacing web sites can promote social
change.
Hacktivism is the act of hacking or breaking into a computer system for a politically or socially
motivated purpose. The person who performs the act of hacktivism is known as a hacktivist. A
hacktivist uses the same tools and techniques as those used by a hacker.
Answer option B is incorrect. Crackers are individuals who use their skill and knowledge for harmful
activities.
Answer option C is incorrect. Script kiddies are individuals who have little or no programming skills
and use freely available hacking software.
Answer option D is incorrect. Phreakers are individuals who focus on communication systems to
steal information.
To limit the possibility of a system being compromised, also referred to as reducing the attack
surface, what should your security team do?
a. Harvesting
b. Hardening
c. Scanning
d. Windowing
Answer: B
7. Q: Which of the following statements are true about threats?
Each correct answer represents a complete solution. Choose all that apply.
a. A threat is a sequence of circumstances and events that allows a human or other
agent to cause an information-related misfortune by exploiting vulnerability in an IT
product.
b. A threat is a potential for violation of security which exists when there is a
circumstance, capability, action, or event that could breach security and cause harm.
c. A threat is a weakness or lack of safeguard that can be exploited by vulnerability,
thus causing harm to the information systems or networks.
d. A threat is any circumstance or event with the potential of causing harm to a system
in the form of destruction, disclosure, modification of data, or denial of service.
Explanation: Answer options A, B, and D are correct.
A threat is an indication of a potential undesirable event. It refers to a situation in which humans or
natural occurrences can cause an undesirable outcome.
8. Q: John works as a professional Ethical Hacker. He is assigned a project to test the security
of www.we-are-secure.com. He knows the steps taken by a malicious hacker to perform
hacking. What steps are performed in malicious hacking?
a. Step 1: Reconnaissance: In this phase, the attacker gathers information about the
victim.
b. Step 2: Scanning: In this phase, the attacker begins to probe the target for
vulnerabilities that can be exploited.
c. Step 3: Gaining Access: In this phase, the attacker exploits a vulnerability to gain
access into the system.
d. Step 4: Maintaining Access: In this phase, the attacker maintains access to fulfill his
purpose of entering into the network.
e. Step 5: Covering/Clearing Tracks: In this phase, the attacker attempts to cover his
tracks so that he cannot be detected or penalized under criminal law.
Explanation: The following are the phases of malicious hacking:
When using Wireshark to acquire packet capture on a network, which device would enable the
capture of all traffic on the wire?
A. Layer 3 switch
B. Network tap
C. Network bridge
D. router
Answer: B
Q: John is a malicious attacker. He illegally accesses the server of We-are-secure Inc. He then
places a backdoor in the We-are-secure server and alters its log files. Which of the following steps of
malicious hacking includes altering the server log files?
a. Reconnaissance
b. Maintaining access
c. Gaining access
d. Covering/Clearing tracks
Explanation: Answer option D is correct.
According to the scenario, John has installed a backdoor on the We-are-secure server so that he
can have access whenever he wants to log in. This process comes under the Maintaining access
phase of malicious hacking. Further, John alters the server's log files, which could give a clue about
his malicious intent to the Network Administrator. This process comes under the Covering tracks
phase of malicious hacking.
If two companies merge, what must be done so that each company's Certificate Authority will trust
the certificates generated by the other company?
a. Cross-certification
b. Federated Identity
c. Public Key Exchange Authorization
d. It cannot be done; a new PKI system will need to be created
Answer: A
Which system of PKI verifies the applicant?
a. Certificate Authority
b. Registration Authority
c. Root CA
d. Validation Authority
Answer: B
9. Q: Which of the following statements correctly defines a script kiddie?
a. He is an individual who uses hacking programs developed by others to attack
information systems and spoil websites.
b. He is an individual who has lost respect and integrity as an employee in any
organization.
c. He is an individual who breaks communication systems to perform hacking.
d. He is an individual who is an expert in various computer fields, such as operating
systems, networking, hardware, software, etc. and enjoys the mental challenge of
decoding computer programs, solving network vulnerabilities and security threats,
etc.
Explanation: Answer option A is correct.
Answer option B is incorrect. This option defines a disgruntled employee. A disgruntled employee
is an individual who has lost respect and integrity as an employee in an organization. Most of the
time, he/she has more knowledge than a script kiddie.
10. Q: Which of the following penetration testing phases involves reconnaissance or data
gathering?
a. Pre-attack phase
b. Attack phase
c. Post-attack phase
d. Out-attack phase
Explanation: Answer option A is correct.
The pre-attack phase is the first step for a penetration tester. The pre-attack phase involves
reconnaissance or data gathering. It also includes gathering data from Whois, DNS, and network
scanning, which help in mapping a target network and provide valuable information regarding the
operating systems and applications running on the systems.
Q: Which of the following policies defines the acceptable methods of remotely connecting a
system to the internal network?
a. Remote access policy
b. Network security policy
c. Computer security policy
d. User account policy
Explanation: Answer option A is correct.
A remote access policy is a document that outlines and defines the acceptable methods of remotely
connecting to the internal network.
Answer option B is incorrect. A network security policy is a generic document that outlines rules
for computer network access. It also determines how policies are enforced and lays out some of the
basic architecture of the company's security and network security environment.
Answer option C is incorrect. A computer security policy defines the goals and elements of the
computer systems of an organization. The definition can be highly formal or informal. Security
policies are enforced by organizational policies or security mechanisms.
Answer option D is incorrect. A user account policy is a document that focuses on the
requirements for requesting and maintaining an account on computer systems or networks within an
organization.
Q: Security is a state of well-being of information and infrastructure in which the possibilities
of successful yet undetected theft, tampering, and/or disruption of information and services
are kept low or tolerable. Which of the following are the elements of security?
Each correct answer represents a complete solution. Choose all that apply.
a. Confidentiality
b. Authenticity
c. Availability
d. Integrity
e. Non-Repudiation
Explanation: Answer options A, B, C, and D are correct.
The elements of security are as follows:
1. Confidentiality: It is the concealment of information or resources.
2. Authenticity: It is the identification and assurance of the origin of information.
3. Integrity: It refers to the trustworthiness of data or resources in terms of preventing improper
and unauthorized changes.
4. Availability: It refers to the ability to use the information or resources as desired.
5. Non-repudiation: It refers to the inability of a sender to disassociate himself/herself from a message.
5. Q: Which of the following is the most common way of performing social engineering
attacks?
a. Phone
b. Email
c. War driving
d. Session hijacking
Explanation: Answer option A is correct.
The phone is the most common way of performing social engineering attacks. Social engineering is
the art of convincing people and making them disclose useful information such as account names
and passwords.
Answer option C is incorrect. War driving, also called access point mapping, is the act of locating
and possibly exploiting connections to wireless local area networks while driving around a city or
elsewhere.
Answer option D is incorrect. Session hijacking refers to the exploitation of a valid computer
session to gain unauthorized access to information or services in a computer system. In particular, it
is used to refer to the theft of a magic cookie used to authenticate a user to a remote server.
TCP session hijacking is when a hacker takes over a TCP session between two machines. Since
most authentication only occurs at the start of a TCP session, this allows the hacker to gain access
to a machine.
During a wireless penetration test, a tester detects an access point using WPA2. Which of the
following attacks should she use to obtain the key?
A. The tester must use the tool airodump-ng to crack it using the ESSID of the network.
B. The tester must capture the WPA2 authentication handshake and then crack it.
C. The tester must change the MAC address of the wireless network card and then use the AirCrack
tool to obtain the key.
D. WPA2 cannot be cracked
Answer: B
What is the main reason the use of a stored biometric is vulnerable to an attack?
A. The stored biometric data can be stolen and used by an attacker to impersonate the individual
identified by the biometric.
B. A stored biometric is no longer “something you have” and instead becomes “something you are”.
C. Authentication using a stored biometric compares a copy to a copy instead of the original to a
copy.
D. The digital representation of the biometric might not be unique
Answer: A
Which type of scan measures a person’s external features through a digital video camera?
A. Facial recognition scan
B. Retina scan
C. Signature dynamics scan
D. Iris scan
Answer: A
When creating a new Nessus policy, where would you enable Global Variable Settings?
A. Plugins
B. General
C. Preferences
D. Credentials
Answer: C
A pentester enters the following command. What type of scan is this?
nmap -N -sS -P0 -p 123 192.168.2.25
a. Stealth scan
b. intense scan
c. idle scan
d. Fin scan
Answer: A
A hacker has been successfully modifying the purchase price of several items on your
client’s web site. What is she using to do this? (The IDS shows no signs of alerts)
a. sql injection
b. hidden form fields
c. XSS
d. port scanning
Answer: B
If you are sending specially designed packets to a remote system and analyzing the results,
what type of scan would this be considered?
a. active
b. passive
c. directive
d. bounce
Answer: A
6. Q: You run the following commands in the command prompt:
telnet <IP Address> 80
HEAD / HTTP/1.0
<Return>
<Return>
Which of the following types of information gathering techniques are you using?
a. Banner grabbing
b. OS fingerprinting
c. Dumpster diving
d. Port scanning
Explanation: Answer option A is correct.
Banner grabbing is an enumeration technique used to glean information about computer systems
on a network and the services running on their open ports. Administrators can use this to take
inventory of the systems and services on their network.
Answer option B is incorrect. OS Fingerprinting is the easiest way to detect the Operating System
(OS) of a remote system. OS detection is important because, after knowing the target system's OS,
it becomes easier to hack the system. The comparison of data packets that are sent by the target
system is done by fingerprinting. The analysis of data packets gives the attacker a hint as to which
operating system is being used by the remote system. There are two types of fingerprinting
techniques as follows:
1. Active fingerprinting
2. Passive fingerprinting
In active fingerprinting, ICMP messages are sent to the target system and the response message
of the target system shows which OS is being used by the remote system. In passive
fingerprinting, the number of hops reveals the OS of the remote system.
Answer option C is incorrect. Dumpster diving is a term that refers to going through someone's
trash in an attempt to find out useful or confidential information.
Answer option D is incorrect. Port scanning is the first basic step to get the details of open ports on
the target system. Port scanning is used to find a hackable server with a hole or vulnerability. A port
is a medium of communication between two computers. Every service on a host is identified by a
unique 16-bit number called a port.
Q: Which of the following involves changing data prior to or during input to a
computer in an effort to commit fraud?
e. Eavesdropping
f. Spoofing
g. Wiretapping
h. Data diddling
Explanation: Answer option D is correct.
Data diddling involves changing data prior to or during input to a computer in an effort to commit
fraud. It also refers to the act of intentionally modifying information, programs, or documentation.
Answer option A is incorrect. Eavesdropping is the process of listening to private conversations. It
also includes attackers listening to network traffic.
Answer option B is incorrect. Spoofing is a technique that makes a transmission appear to have
come from an authentic source by forging the IP address, email address, caller ID, etc. In IP
spoofing, a hacker modifies packet headers by using someone else's IP address to hide his identity.
However, spoofing cannot be used while surfing the Internet, chatting on-line, etc. because forging
the source IP address causes the responses to be misdirected.
Answer option C is incorrect. Wiretapping is an act of monitoring telephone and Internet
conversations by a third party. It is only legal with prior consent. Legalized wiretapping is generally
practiced by the police or any other recognized governmental authority.
Q: Maria works as a professional Ethical Hacker. She recently got a project to test the
security of www.we-are-secure.com. What are three pre-test phases of the attack to
test the security of we-are-secure?
Identifying the active system
Web server hacking
Enumerating the system
Session hijacking
Placing backdoors
Footprinting
Explanation: The following are the three pre-test phases of the attack:
Footprinting
Identifying the active system
Enumerating the system
Placing backdoors, Web server hacking, and session hijacking are the phases of executing attacks.
Q: Which of the following tools can a user use to hide his identity?
Each correct answer represents a complete solution. Choose all that apply.
a. War dialer
b. Proxy server
c. IPchains
d. Anonymizer
e. Rootkit
Explanation: Answer options B, C, and D are correct.
A user can hide his identity using any firewall (such as IPChains), a proxy server, or an anonymizer.
A proxy server hides the identity of a user's system from the outside world. Instead of creating a
connection directly with the remote host, the user's system creates a direct connection with the proxy
server, and the proxy server establishes a connection with the remote host to which the user wants
to connect.
Anonymizers are the services that help make a user's own Web surfing anonymous. An
anonymizer removes all the identifying information from a user's computer while the user surfs the
Internet. In this manner, it ensures the privacy of the user.
IPChains is a Linux packet-filtering firewall that allows a Network Administrator to ACCEPT, DENY,
MASQ, or REDIRECT packets. There are three built-in chains in the IPChains firewall: input, forward,
and output.
Note: Each packet passing through the forward chain also passes through both the input and output
chains.
Answer option A is incorrect. A war dialer is a tool that is used to scan thousands of telephone
numbers to detect vulnerable modems that could provide unauthorized access to a system. THC-Scan,
ToneLoc, PhoneSweep, TeleSweep Secure, iWar, ShokDial, and Visual NetTools are examples of war
dialing tools.
Answer option E is incorrect. A rootkit is a set of tools that takes administrative control of a computer
system without authorization from the computer's owners and/or legitimate managers. A rootkit requires
root access to be installed on the Linux operating system, but once installed, the attacker can get root
access at any time.
1. Q: John works as a professional Ethical Hacker. He has been assigned the project of testing
the security of www.we-are-secure.com. He begins to perform footprinting and scanning.
Which of the following steps do footprinting and scanning include?
Each correct answer represents a complete solution. Choose all that apply.
a. Information gathering
b. Determining network range
c. Identifying active machines
d. Finding open ports and applications
e. Enumeration
Explanation: Answer options A, B, C, and D are correct.
Footprinting and scanning include the following steps:
1. Information gathering
2. Determining the network range
3. Identifying active machines
4. Finding open ports and applications
5. Fingerprinting services
6. Mapping the network
Answer option E is incorrect. In the enumeration phase, the attacker gathers information, such as
the network user and group names, routing tables, and Simple Network Management Protocol
(SNMP) data. The techniques used in this phase are as follows:
1. Obtaining Active Directory information and identifying vulnerable user accounts
2. Discovering NetBIOS names
3. Employing Windows DNS queries
4. Establishing NULL sessions and queries
4. Q: Which of the following is a passive information gathering tool?
a. Nmap
b. Whois
c. Snort
d. Ettercap
Explanation: Answer option B is correct.
The whois tool is a passive information gathering tool. Whois queries are used to determine the IP
address ranges associated with clients. A whois query can be run in most UNIX environments. In a
Windows environment, tools such as WsPingPro and Sam Spade can be used to perform whois
queries. Whois queries can also be executed over the Web from www.arin.net and
www.networksolutions.com.
Answer option A is incorrect. Nmap is an active information gathering tool. The nmap utility, also
commonly known as a port scanner, is used to view the open ports on a Linux computer. It is used by
administrators to determine which services are available to external users.
Answer option C is incorrect. Snort is an active information gathering tool. Snort is an open source
network intrusion prevention and detection system that operates as a network sniffer. It logs
network activity that matches predefined signatures.
The three main modes in which Snort can be configured are as follows:
Sniffer mode: It reads the packets of the network and displays them in a continuous stream on
the console.
Packet logger mode: It logs the packets to the disk.
Network intrusion detection mode: It is the most complex and configurable mode,
allowing Snort to analyze network traffic for matches against a user-defined rule set.
Answer option D is incorrect. Ettercap is an active information gathering tool. Ettercap is a UNIX
and Windows tool for computer network protocol analysis and security auditing. It is capable of
intercepting traffic on a network segment, capturing passwords, and conducting active
eavesdropping against a number of common protocols.
Q: You want to retrieve password files (stored in the Web server's index directory) from various Web
sites. Which of the following tools can you use to accomplish the task?
a. Google
b. Whois
c. Sam Spade
d. Nmap
Explanation: Answer option A is correct.
You can use Google to retrieve password files (stored in the Web server's index directory) from
various Web sites. Google supports search queries that can locate information in a Web server's
index directory. This search technique is known as Google hacking.
Q: You see the career section of a company's Web site and analyze the job profile requirements.
You conclude that the company wants professionals who have a sharp knowledge of Windows
server 2003 and Windows active directory installation and placement. Which of the following steps
are you using to perform hacking?
a. Reconnaissance
b. Scanning
c. Gaining access
d. Covering tracks
Explanation: Answer option A is correct.
When an alert rule is matched in Snort, the IDS does which of the following?
A. Blocks the connection with the source IP address in the packet
B. Stops checking rules, sends an alert, and drops the packet
C. Continues to evaluate the packet until all rules are checked
D. Drops the packet and moves on to the next one
Answer: C
7. Q: Anonymizers are the services that help make a user's own Web surfing anonymous. An
anonymizer removes all the identifying information from a user's computer while the user
surfs the Internet. It ensures the privacy of the user in this manner. After the user
anonymizes a Web access with an anonymizer prefix, every subsequent link selected is also
automatically accessed anonymously. Which of the following are limitations of anonymizers?
Each correct answer represents a complete solution. Choose all that apply.
a. Secure protocols
b. Plugins
c. ActiveX controls
d. Java applications
e. JavaScript
Explanation: Answer options A, B, C, D, and E are correct.
Anonymizers have the following limitations:
1. HTTPS: Secure protocols such as 'https:' cannot be properly anonymized, as the browser needs
to access the site directly to properly maintain secure encryption.
2. Plugins: If an accessed site invokes a third-party plugin, there is no guarantee of an established
independent direct connection from the user computer to a remote site.
3. Java: Any Java application accessed through an anonymizer will not be able to bypass the Java
security wall.
4. ActiveX: ActiveX applications have almost unlimited access to the user's computer system.
5. JavaScript: The JavaScript scripting language is disabled with URL-based anonymizers.
8. Q: Which of the following statements are true of the TCP/IP model?
Each correct answer represents a complete solution. Choose all that apply.
a. It describes a set of general design guidelines and implementations of specific
networking protocols to enable computers to communicate over a network.
b. It provides end-to-end connectivity specifying how data should be formatted,
addressed, transmitted, routed, and received at the destination.
c. It is generally described as having five abstraction layers.
d. It consists of various protocols present in each layer.
Explanation: Answer options A, B, and D are correct.
The TCP/IP model is a description framework for computer network protocols. It describes a set of
general design guidelines and implementations of specific networking protocols to enable computers
to communicate over a network. TCP/IP provides end-to-end connectivity specifying how data
should be formatted, addressed, transmitted, routed, and received at the destination. Protocols exist
for a variety of different types of communication services between computers. The TCP/IP model is
sometimes called the Internet Model or the DoD Model.
The TCP/IP model has four layers, described below. This layered architecture is often
compared with the seven-layer OSI Reference Model. The TCP/IP model and related protocols are
maintained by the Internet Engineering Task Force (IETF).
Layer 4 Application
The application layer is where programs communicate. It is sometimes called the user interface
layer, which is an easy way to think about its purpose. This is where web browsers, file sharing
software, email, and other user-facing software interact. Encryption and session details are also
handled in this layer.
Layer 3 Transport
In the transport layer, devices negotiate and decide how they will communicate over the network.
The devices will decide on communication type (e.g., UDP or TCP), window size, port, error
handling, and sequencing. This layer does a large portion of the work in device communications.
Layer 2 Internet
IP addressing, internetworking, and path determination happen in the internet layer. Routers
communicate at this layer to determine the path that a packet will take through a network. Given
multiple possibilities, the protocols at this layer will determine the best way for one host to connect to
another.
Layer 1 Link
Based on the type of network in use, the link layer encapsulates the data. For testing purposes this
may be in the form of Ethernet, Frame Relay, PPP, HDLC or CDP encapsulation protocols. The
protocol selected depends on the physical connection of the devices and the network topology.
Answer option C is incorrect. This option is invalid, as the TCP/IP model consists of four abstraction
layers, NOT five.
9. Q: You want to obtain information about a Web server whose IP address falls within the
address range used in Brazil. Which of the following registries can be used to get information
about Web server IP addresses, reverse DNS, etc.?
a. RIPE NCC
b. APNIC
c. ARIN
d. LACNIC
Explanation: Answer option D is correct.
According to the scenario, you have to get information about the IP addresses, reverse DNS, etc.
of a Web server situated in Brazil. For this, you would consult the Latin American and Caribbean
Internet Addresses Registry (LACNIC). LACNIC is the Regional Internet Registry for the Latin
American and Caribbean regions. LACNIC provides number resource allocation and registration
services that support the global operation of the Internet.
Answer option A is incorrect. The Réseaux IP Européens Network Coordination Centre (RIPE NCC)
is the Regional Internet Registry (RIR) for Europe, the Middle East and parts of Central Asia.
Answer option B is incorrect. The Asia Pacific Network Information Centre (APNIC) is the Regional
Internet Registry for the Asia Pacific region. APNIC provides number resource allocation and
registration services that support the global operation of the Internet.
Answer option C is incorrect. The American Registry for Internet Numbers (ARIN) is the Regional
Internet Registry (RIR) for Canada, many Caribbean and North Atlantic islands, and the United
States.
What best defines the principle of least privilege?
A. At a minimum, a manager should have all the privileges of his or her employees.
B. People lower in the organization’s hierarchy should have fewer privileges than people higher in
the hierarchy.
C. At a minimum, all users should supply a password before accessing a service.
D. One should have access only to the data and services that are required to perform one’s job.
answer: D
10. Q: John works as a System Administrator for uCertify Inc. He is responsible for securing the
network of the organization. He is configuring some of the advanced features of the Windows
firewall so that he can block a client machine from responding to pings. Which of the
following advanced setting types should John change for accomplishing the task?
a. ICMP
b. SMTP
c. SNMP
d. UDP
Explanation: Answer option A is correct.
According to the scenario, John should change the ICMP settings, because ICMP is the protocol used
when a ping is issued, received, and responded to. Internet Control Message Protocol (ICMP) is an
integral part of IP. It is used to report errors in datagram processing.
Answer option B is incorrect. Simple Mail Transfer Protocol (SMTP, port 25) is a protocol for sending
e-mail messages between servers.
Answer option C is incorrect. The Simple Network Management Protocol (SNMP, port 161) allows a
monitored device (for example, a router or a switch) to run an SNMP agent. This protocol is used for
managing many network devices remotely.
Answer option D is incorrect. User Datagram Protocol (UDP) is often used for one-to-many
communications, using broadcast or multicast IP datagrams. UDP is a connectionless and unreliable
communication protocol. It does not guarantee delivery or verify sequencing for any datagram. UDP
provides faster transportation of data between TCP/IP hosts than TCP.
Q: DNS cache poisoning is a maliciously created or unintended situation that provides data to a
caching name server that did not originate from authoritative Domain Name System (DNS) sources.
Once a DNS server has received such non-authentic data and caches it for future performance
increase, it is considered poisoned, supplying the non-authentic data to the clients of the server.
Which of the following DNS records can indicate the time up to which DNS cache poisoning will be
effective?
a. MX
b. NS
c. PTR
d. SOA
Explanation: Answer option D is correct.
What is a start of authority (SOA) record?
A start of authority (SOA) record is information stored in a domain name system (DNS) zone about
that zone and about other DNS records. A DNS zone is the part of a domain for which an individual
DNS server is responsible. Each zone contains a single SOA record.
DNS cache poisoning attack
DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching
name server that did not originate from authoritative Domain Name System (DNS) sources. Once a
DNS server has received such non-authentic data and caches it for future performance increase, it is
considered poisoned, supplying the non-authentic data to the clients of the server. To perform a
cache poisoning attack, the attacker exploits a flaw in the DNS software. If the server does not
correctly validate DNS responses to ensure that they are from an authoritative source, the server will
end up caching the incorrect entries locally and serve them to other users that make the same
request.
Answer option A is incorrect. An MX (mail exchanger) record in a DNS zone file associates a domain
name with the host name of its mail server, which is itself defined by an address record (A record).
Answer option B is incorrect. An NS record or name server record is used to denote the server that
is authoritative for a DNS zone.
Answer option C is incorrect. A PTR record, also known as a pointer record, is a record in the Domain
Name System (DNS) database that maps an Internet Protocol (IP) address to a host name in the
in-addr.arpa domain. PTR records are used to perform reverse DNS lookups.
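As an added illustration (not part of the study guide), the Python model below shows the validation step the explanation refers to: a caching resolver that accepts a response only when it matches an outstanding query's transaction ID, question name and queried server, and that serves whatever it cached until the record's TTL runs out. The names, addresses and TTLs are constructed.

```python
class ResolverCache:
    """Minimal caching resolver model (constructed example, not a real resolver).
    With validate=True a response is accepted only if it matches an outstanding
    query's transaction ID, question name and the server the query went to."""

    def __init__(self, validate=True):
        self.validate = validate
        self.pending = {}     # txid -> (qname, server_ip) of queries in flight
        self.records = {}     # qname -> (answer_ip, expires_at)

    def send_query(self, txid, qname, server_ip):
        """Remember an outgoing query so its reply can be matched later."""
        self.pending[txid] = (qname, server_ip)

    def receive_response(self, txid, qname, answer_ip, ttl, src_ip, now):
        """Return True if the answer was cached, False if it was dropped."""
        if self.validate:
            expected = self.pending.get(txid)
            if expected != (qname, src_ip):
                return False          # unsolicited, wrong name or wrong server
        self.pending.pop(txid, None)
        self.records[qname] = (answer_ip, now + ttl)
        return True

    def lookup(self, qname, now):
        """Serve a cached answer until its TTL has elapsed."""
        entry = self.records.get(qname)
        if entry is None:
            return None
        answer_ip, expires_at = entry
        if now >= expires_at:
            del self.records[qname]
            return None
        return answer_ip


def poisoning_window(validate):
    """Seconds during which a bogus answer would be served by a resolver that
    does (True) or does not (False) validate responses. Constructed addresses:
    203.0.113.53 is the server queried, 198.51.100.66 the host forging a reply."""
    cache = ResolverCache(validate=validate)
    cache.send_query(0x1234, "bank.example", "203.0.113.53")
    # A reply arrives from a host that was never queried, reusing our txid.
    accepted = cache.receive_response(0x1234, "bank.example", "198.51.100.66",
                                      ttl=86400, src_ip="198.51.100.66", now=0)
    if not accepted:
        return 0
    # Once cached, the bogus record is handed to every client until it expires.
    served = 0
    while cache.lookup("bank.example", now=served) == "198.51.100.66":
        served += 3600
    return served


if __name__ == "__main__":
    print("validating resolver serves bogus data for", poisoning_window(True), "s")
    print("non-validating resolver serves bogus data for", poisoning_window(False), "s")
```

Matching the transaction ID, name and source address is only the minimum check a resolver must make; the TTL on the accepted record is what sets how long the cache stays poisoned.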
Which of the following is an example of two-factor authentication?
a. fingerprint and smartcard
b. username and password
c. ID and token
d. Iris scan and fingerprint
answer: A
What is a successful method for protecting a router from potential smurf attacks?
A. Disabling port forwarding on the router
B. Placing the router in broadcast-only mode
C. Disabling the router from accepting broadcast ping messages
D. Installing the router in the DMZ
answer: C
11. Q: Which of the following tools are used for footprinting?
Each correct answer represents a complete solution. Choose all that apply.
a. Traceroute
b. Sam Spade
c. Brutus
d. Whois
Explanation: Answer options A, B, and D are correct.
Traceroute, Sam Spade, and Whois are tools used for footprinting.
What is TRACEROUTE utility?
TRACEROUTE is a route-tracing utility that displays the path an IP packet takes to reach its
destination. It uses Internet Control Message Protocol (ICMP) echo packets to display the Fully
Qualified Domain Name (FQDN) and the IP address of each gateway along the route to the remote
host.
Q: Which information can an attacker get after tracerouting any network?
Each correct answer represents a complete solution. Choose all that apply.
a. Network topology
b. Trusted routers
c. Firewall locations
d. Web administrator email address
Explanation: Answer options A, B, and C are correct.
What is Google hacking?
Google hacking is a computer hacking technique that uses Google search and other Google
applications to find security holes in the configuration and computer code that Web sites use. Google
hacking involves using advanced operators in the Google search engine to locate specific strings of
text within search results.
Q: Which of the following is a valid Google searching operator that is used to search a specified file
type?
a. filetype
b. inurl
c. file type
d. intitle
Explanation: Answer option A is correct.
The filetype Google search operator is used to search for a specified file type. For example, if you
want to find all PDF files containing the word hacking, you would use the search query
filetype:pdf hacking.
Answer option B is incorrect. inurl is used to search a specified text in the URL of Web sites.
Answer option C is incorrect. file type is not a valid search operator.
Answer option D is incorrect. intitle is used to search a specified text in the title of Web sites.
12. Q: You want to retrieve the default security report of Nessus. Which of the following Google
search queries will you use?
a. filetype:pdf "Assessment Report" nessus
b. filetype:pdf nessus
c. site:pdf nessus "Assessment report"
d. link:pdf nessus "Assessment report"
Explanation: Answer option A is correct.
Nessus is a vulnerability scanner. What techniques do vulnerability scanners use?
a. Port Scanning
b. banner grabbing
c. analyzing service responses
d. malware analysis
answer: C
One way to defeat a multi-level security solution is to leak data via
A. asymmetric routing
B. a covert channel
C. steganography
D. an overt channel
answer: B
Administrators access their servers through Remote Desktop. How could a hacker exploit this to
gain access?
a. Capture the LANMAN hashes and crack them with Cain and Abel
b. capture the RDP traffic and decode it with Cain and Abel
c. Use social engineering to get the domain name of the server
d. scan the server to see what ports are open
answer: B
What is the best defense against privilege escalation vulnerability?
A. Require all computers and servers to be patched immediately upon release of new updates.
B. Run administrator and applications on least privileges and use a content registry for tracking.
C. Run services with least privileged accounts and implement multi-factor authentication
D. Periodically review user roles and administrator
answer: C
Hardware and software devices have been created to emulate computer services, such as web and
mail. These can also be used to capture various information. What is being described?
a. Core Switch
b. Honeypot
c. Port Scanner
d. Router
answer: B
1. Q: You are the Security Consultant and have been hired to check security for a client's
network. Your client has stated that he has many concerns but the most critical is the
security of Web applications on their Web server. What should be your highest priority now in
checking his network?
a. Port scanning
b. Setting up IDS
c. Setting up a honey pot
d. Vulnerability scanning
Explanation: Answer option D is correct.
Q: If you want to know what services are running on a target and the possible entry points to launch
an attack, what will you do?
a. Nmap scan
b. Ping
c. Traceroute
d. Banner grabbing
Explanation: Answer option A is correct.
In scanning the DMZ interface on a firewall Nmap reports that port 80 is unfiltered. What type of
packet inspection is the firewall using?
a. Stateless
b. Proxy
c. Deep
d. Stateful
answer: A
Which of the following are detective controls? (Choose 2)
a. audits
b. encryption
c. DRP
d. CCTV
e. two-factor authentication
answer: A and D
IPSec can provide which of the following?
a. availability
b. non-repudiation
c. anti-virus protection
d. DDOS protection
answer: B
The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces
which of the following vulnerabilities?
A. The IDS will not distinguish among packets originating from different sources.
B. An attacker, working slowly enough, may be able to evade detection by the IDS.
C. Network packets will be dropped once the volume exceeds the threshold.
D. Thresholding disables the IDS’ ability to reassemble fragmented packets.
answer: A
Q: Which of the following netcat command switches will you use to telnet a remote host?
a. nc -t
b. nc -z
c. nc -g
d. nc -l -p
Explanation: Answer option A is correct.
Netcat is a freely available networking utility that reads and writes data across network connections
using the TCP/IP protocol. Netcat has the following features:
It provides outbound and inbound connections for TCP and UDP ports.
It provides special tunneling, such as UDP to TCP, with the possibility of specifying all network
parameters.
It is a good port scanner.
It contains advanced usage options, such as buffered send-mode (one line every N seconds),
and hexdump (to stderr or to a specified file) of transmitted and received data.
It includes an optional RFC 854 telnet code parser and responder.
The common Netcat switches are as follows:
Command Description
nc -d It is used to detach Netcat from the console.
nc -l -p [port] It is used to create a simple listening TCP port; adding -u puts it in UDP mode.
nc -e [program] It is used to redirect stdin/stdout from a program.
nc -z It is used for port scanning.
nc -g or nc -G It is used to specify source routing flags.
nc -t It is used for Telnet negotiation.
nc -w [timeout] It is used to set a timeout before Netcat automatically quits.
nc -v It is used to put Netcat into verbose mode.
Q: You are brought in as an external consultant to review the results of an internal vulnerability
scan to be run on website hosting servers. All code has been developed in Java and the team wants
to test the code for buffer overflow vulnerabilities with the SAINT scanning tool. When the internal
team asks for your opinion, you discourage them from starting this exercise. What is the probable
reason for your recommendation?
a. An automated vulnerability assessment tool like SAINT is too noisy.
b. Java is not vulnerable to buffer overflow attacks.
c. The vulnerability signatures have to be updated prior to running the scan.
d. The SAINT scanner does not incorporate the new OWASP Top 10 web application
scanning policy.
Explanation: Answer option B is correct.
Java uses a sandbox to isolate code and is therefore not vulnerable to buffer overflow attacks.
Almost all known web servers, application servers, and web application environments are
susceptible to buffer overflows, the notable exception being environments written in interpreted
languages like Java or Python, which are immune to these attacks (except for overflows in the
interpreter itself).
Q: John works as a professional Ethical Hacker. He is assigned a project to test the security of
www.we-are-secure.com. He has to ping 500 computers to find out whether these computers are
connected to the server or not. Which of the following will he use to ping these computers?
a. PING
b. TRACEROUTE
c. Ping sweeping
d. NETSTAT
Explanation: Answer option C is correct.
The ping sweeping technique is used to ping a batch of devices and obtain the list of active devices.
Since pinging every address in the network individually is a time-consuming and tedious task, the
attacker uses the ping sweeping technique instead.
Answer option A is incorrect. The ping command-line utility is used to test connectivity with a host on
a TCP/IP-based network. This is achieved by sending out a series of packets to a specified
destination host.
2. Q: During the attack process, what method is used to discover what rules are configured on
a gateway?
a. Firewalking
b. Firewalling
c. OS Fingerprinting
d. Ping Scan
Explanation: Answer option A is correct.
Firewalking is a technique used to discover what rules are configured on a gateway. Usually
packets are sent to the remote host with the exact TTL of the target. Hping2 can also be used for
firewalking.
What is the process of identifying hosts or services by sending packets into the network perimeter to
see which ones get through?
A. firewalking
B. Banner Grabbing
C. Enumerating
D. Trace-configuring
answer: A
Answer option B is incorrect. There is no separate term called Firewalling.
Which of the following statements are true regarding N-tier architecture? (Choose two.)
A. The N-tier architecture must have at least one logical layer
B. Each layer should exchange information only with the layers above and below it.
C. When a layer is changed or updated, the other layers must also be changed
D. Each layer must be able to exist on a physically independent system.
ANSWER: B, D
Q: Which of the following is a technique used to determine which range of IP addresses is mapped
to live hosts?
a. TRACERT utility
b. Ping sweep
c. KisMAC
d. PATHPING
Explanation: Answer option B is correct.
Q: You want to determine which protocols a router or firewall will block and which they will pass on
to downstream hosts. You want to map out all intermediate routers or hops between a scanning host
and the target host. Based upon the results of the scans, you are going to identify which ports are
open. The tool displays "A!" when it determines that the metric host is directly behind the target
gateway. Which tool are you using for the scan?
a. Firewalk
b. nmap
c. hping
d. traceroute
Explanation: Answer option A is correct.
Answer option C is incorrect. hping is a free packet generator and analyzer for the TCP/IP protocol.
Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was
the tool with which the idle scan technique was first demonstrated.
9. Q: You are running an nmap scan to determine which ports are filtered. You send an ACK
flag and receive a RST packet for open and closed ports. What kind of nmap scan are you
running?
a. Null Scan -sN
b. Fin Scan -sF
c. XMAS Scan -sX
d. TCP ACK scan -sA
Explanation: Answer option D is correct.
TCP ACK Scan does not determine open/closed ports; instead it determines which ports are
filtered/unfiltered. When a packet with the ACK flag set is sent, both open and closed ports reply with
RST. Ports that do not send a response are considered filtered.
Answer option A is incorrect. In a NULL Scan, no flags are set on the packet. Target must follow
RFC 793. It will receive no response if the port is open or filtered; it will receive RST if the port is
closed.
Answer option B is incorrect. In Fin Scan, the Fin flag is set on the packet. Target must follow RFC
793. It will receive no response if the port is open or filtered; it will receive RST if the port is closed.
Answer option C is incorrect. In XMAS Scan, the FIN, URG, and PSH flags are set on the packet.
Target must follow RFC 793. It will receive no response if the port is open or filtered; it will receive
RST if the port is closed.
Reference: http://nmap.org/
11. Q: A war dialer is a tool that is used to scan thousands of telephone numbers to detect
vulnerable modems. It provides an attacker unauthorized access to a computer. Which of the
following tools can an attacker use to perform war dialing?
Each correct answer represents a complete solution. Choose two.
a. THC-Scan
b. ToneLoc
c. NetStumbler
d. Wingate
Explanation: Answer options A and B are correct.
THC-Scan and ToneLoc are tools used for war dialing. A war dialer is a tool that is used to scan
thousands of telephone numbers to detect vulnerable modems. It provides the attacker unauthorized
access to a computer.
Q: Which of the following network scanning tools is a TCP/UDP port scanner that works as a ping
sweeper and hostname resolver?
a. SuperScan
b. Nmap
c. Netstat
d. Hping
Explanation: Answer option A is correct.
SuperScan is a TCP/UDP port scanner. It also works as a ping sweeper and hostname resolver. It
can ping a given range of IP addresses and resolve the host name of the remote system.
Q: Which of the following is the correct sequence of packets to perform the 3-way handshake
method?
a. SYN, SYN/ACK, ACK
b. SYN, ACK, SYN/ACK
c. SYN, ACK, ACK
d. SYN, SYN, ACK
Explanation: Answer option A is correct.
The TCP/IP 3-way handshake method is used by the TCP protocol to establish a connection
between a client and the server. It involves three steps:
1. In the first step of the three-way handshake method, a SYN message is sent from a client to the
server.
2. In the second step of the three-way handshake method, SYN/ACK is sent from the server to the
client.
3. In the third step of the three-way handshake method, ACK (usually called SYN-ACK-ACK) is
sent from the client to the server. At this point, both the client and server have received an
acknowledgment of the TCP connection.
13. Q: In which of the following scanning methods do Windows operating systems send only RST
packets irrespective of whether the port is open or closed?
a. TCP FIN
b. FTP bounce
c. UDP port
d. TCP SYN
Explanation: Answer option A is correct.
In the TCP FIN scanning method, Windows operating systems send only RST packets irrespective
of whether the port is open or closed. TCP FIN scanning is a type of stealth scanning through which
the attacker sends a FIN packet to the target port. If the port is closed, the victim assumes that this
packet was sent mistakenly by the attacker and sends an RST packet to the attacker.
Q: Which of the following Nmap commands is used to perform a UDP port scan?
a. nmap -sU
b. nmap -sS
c. nmap -sF
d. nmap -sN
Explanation: Answer option A is correct.
The nmap -sU command is used to perform a UDP port scan.
Answer option B is incorrect. The nmap -sS command is used to perform stealth scanning.
Answer option C is incorrect. The nmap -sF command is used to perform FIN scanning.
Answer option D is incorrect. The nmap -sN command is used to perform TCP NULL port scanning.
14. Q: In which of the following scanning methods does an attacker send SYN packets and then an
RST packet?
a. TCP FIN scan
b. IDLE scan
c. TCP SYN scan
d. XMAS scan
Explanation: Answer option C is correct.
In a TCP SYN scan, an attacker sends SYN packets and then an RST packet. TCP SYN scanning is
also known as half-open scanning because, in this type of scanning, a full TCP connection is never
opened. The steps of TCP SYN scanning are as follows:
1. The attacker sends a SYN packet to the target port.
2. If the port is open, the attacker receives the SYN/ACK message.
3. Now the attacker breaks the connection by sending an RST packet.
4. If the RST packet is received, it indicates that the port is closed.
Answer option D is incorrect. Xmas scanning is just the opposite of null scanning. In Xmas Tree
scanning, multiple flags (at least FIN, URG, and PSH) are turned on. If the target port is open, the
service running on the target port discards the packets without any reply. According to RFC 793,
if the port is closed, the remote system replies with an RST packet.
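The scan types covered in the questions above (ACK, NULL, FIN, XMAS and SYN half-open) can be written down as rules. The Python below is an added example, not code from the study guide: it classifies a probe by its TCP flags, infers the port state a scanner would conclude from the reply (including the Windows case where RST comes back for open and closed ports alike), tells a full three-way handshake from a half-open exchange, and flags probing sources in a constructed packet list.

```python
from collections import defaultdict

# TCP header flag bits (standard values) and the flag-only probe types.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
STEALTH = {"NULL", "FIN", "XMAS"}


def flags_from_names(names):
    """Combine flag names such as ("FIN", "PSH", "URG") into a header bitmask."""
    return sum(FLAG_BITS[n] for n in names)


def classify_probe(flags):
    """Name the scan type a single probe's flag bitmask corresponds to."""
    if flags == 0:
        return "NULL"                    # no flags set at all
    if flags == FLAG_BITS["FIN"]:
        return "FIN"                     # lone FIN; a real close carries ACK too
    if flags == flags_from_names(("FIN", "PSH", "URG")):
        return "XMAS"                    # the "lit up" combination
    if flags == FLAG_BITS["SYN"]:
        return "SYN"                     # also the first packet of a normal connect
    if flags == FLAG_BITS["ACK"]:
        return "ACK"                     # bare ACK, as in the ACK scan
    return "OTHER"                       # e.g. PSH/ACK data segments


def infer_state(probe, reply, windows_target=False):
    """Port state a scanner concludes from the target's reply, which is
    "RST", "SYN/ACK" or None (nothing came back before the timeout)."""
    if probe == "ACK":
        # An ACK scan only tells whether a filter sits in the way.
        return "unfiltered" if reply == "RST" else "filtered"
    if probe == "SYN":
        if reply == "SYN/ACK":
            return "open"
        return "closed" if reply == "RST" else "filtered"
    if probe in STEALTH:
        if windows_target:
            # Windows answers RST whether the port is open or closed, so the
            # reply carries no information about the port.
            return "indeterminate"
        # RFC 793 behaviour: RST for closed, silence for open (or filtered).
        return "closed" if reply == "RST" else "open|filtered"
    return "unknown"


def classify_exchange(packets):
    """Tell a full three-way handshake from a half-open (SYN scan) exchange,
    given the flag strings of the packets in order."""
    if packets[:2] != ["SYN", "SYN/ACK"]:
        return "not a handshake"
    if len(packets) == 3 and packets[2] == "ACK":
        return "full handshake"
    if len(packets) == 3 and packets[2] == "RST":
        return "half-open (SYN scan)"
    return "incomplete"


def detect_scans(packets, port_threshold=5):
    """Flag sources that send any stealth probe, or SYN/ACK probes to at least
    port_threshold distinct ports. packets: iterable of (src, dst_port, flags)."""
    ports_by_src = defaultdict(set)
    kinds_by_src = defaultdict(set)
    for src, dport, flags in packets:
        kind = classify_probe(flags)
        if kind == "OTHER":
            continue
        ports_by_src[src].add(dport)
        kinds_by_src[src].add(kind)
    flagged = {}
    for src, ports in ports_by_src.items():
        kinds = kinds_by_src[src]
        if kinds & STEALTH or len(ports) >= port_threshold:
            flagged[src] = sorted(kinds)
    return flagged


# Constructed packet records: (source address, destination port, TCP flags).
SAMPLE_PACKETS = [
    ("10.0.0.5", 22, flags_from_names(("SYN",))),          # ordinary SSH connect
    ("10.0.0.5", 22, flags_from_names(("ACK",))),
    ("10.0.0.5", 22, flags_from_names(("PSH", "ACK"))),
    ("192.0.2.77", 21, 0),                                 # NULL probes
    ("192.0.2.77", 22, 0),
    ("192.0.2.77", 23, 0),
    ("192.0.2.78", 80, flags_from_names(("FIN", "PSH", "URG"))),   # XMAS probe
] + [("198.51.100.9", p, flags_from_names(("SYN",))) for p in range(1, 21)]

if __name__ == "__main__":
    for src, kinds in detect_scans(SAMPLE_PACKETS).items():
        print(src, "probe types:", ", ".join(kinds))
```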
16. Q: In which of the following scanning methods does an attacker send the spoofed IP address to
send a SYN packet to the target?
a. IDLE
b. NULL
c. TCP FIN
d. XMAS
Explanation: Answer option A is correct.
In the IDLE scan method, the attacker sends SYN packets to the target using the spoofed IP address
of a third party. Because the scan appears to originate from that third party, it is the only totally
stealth scan, and it becomes difficult to detect the hacker.
What is a sequence number?
A sequence number is a 32-bit number ranging from 1 to 4,294,967,295. When data is sent over the
network, it is broken into fragments (packets) at the source and reassembled at the destination
system. Each packet contains a sequence number that is used by the destination system to
reassemble the data packets in the correct order. Each time a system boots, it has an initial
sequence number (ISN), e.g. 1. After every second, the ISN is incremented by 128,000. When the
system connects to another system and establishes a connection, the ISN is incremented by 64,000.
For example, if a host has the ISN 1,254,332,454 and the host sends one SYN packet, the ISN
value will be incremented by 1, i.e., the new ISN will be 1,254,332,455.
Conditions Increment in the ISN Value
Transfer of SYN packet 1
Transfer of FIN packet 1
Transfer of ACK packet 0
Transfer of SYN/ACK packet 1
Transfer of FIN/ACK packet 1
Passage of 1 second 128,000
Establishment of one connection 64,000
17. Q: Which of the following scanning methods is most accurate and reliable, although it is easily
detectable and hence avoided by a hacker?
a. TCP SYN/ACK
b. TCP half-open
c. TCP FIN
d. Xmas Tree
Explanation: Answer option A is correct.
Although the TCP SYN/ACK connection method is the most reliable, it can be easily detected. A hacker
should avoid this scanning method.
Q: Which nmap switch have you used to retrieve as many different protocols as possible being used
by the remote host?
a. nmap -sO
b. nmap -vO
c. nmap -sT
d. nmap -sS
Explanation: Answer option A is correct.
The nmap -sO switch is used for IP protocol scanning. The IP protocol scan searches for additional
IP protocols, such as ICMP, TCP, and UDP, and locates uncommon IP protocols that may be in use
on a system.
Answer option B is incorrect. Nmap does not permit you to combine the verbose and OS scanning
options in this way. It produces this error:
Invalid argument to -v: "O"
Answer option C is incorrect. The nmap -sT switch is used to perform a full TCP connect scan.
Answer option D is incorrect. The nmap -sS switch is used to perform a TCP half-open (SYN) scan.
The attacker sends a SYN packet to the target port.
19. Q: Mark is performing a security assessment of a Web server. He wants to identify a cross-site
scripting vulnerability also. Which of the following recommendations can Mark give to correct the
vulnerability?
a. Inform the Web Administrator to validate all Web application data inputs before
processing.
b. Inform Website users to ensure that cookies are transferred only over secure
connections.
c. Disable ActiveX support within Web browsers.
d. Disable Java applet support within Web browsers.
Explanation: Answer option A is correct.
The best way to address cross-site scripting vulnerabilities is to validate data input. It will fix
occurrences of cross-site scripting on ActiveX controls and Java applets that are downloaded to the
client and any vulnerability located on server-side code within the application.
Answer option B is incorrect. Disabling cookies is not a countermeasure against cross-site scripting.
Answer options C and D are incorrect. XSS vulnerabilities can exist within downloaded Java applets
or ActiveX controls, but these controls are executed on the client and will not address the server-side
cross-site scripting vulnerability.
Q: Which of the following are packet capturing tools?
Each correct answer represents a complete solution. Choose all that apply.
a. AiroPeek
b. Cain
c. Wireshark
d. Aircrack-ng
Explanation: Answer options A, B, and C are correct.
Q: Which of the following is a type of stealth scanning through which the attacker sends a FIN
packet to the target port?
a. TCP FIN scanning
b. TCP FTP proxy scanning
c. UDP port scanning
d. TCP SYN scanning
Explanation: Answer option A is correct. Port scanning is the process by which an attacker
connects to TCP and UDP ports to find the services and applications running on the target system.
In port scanning, data packets are sent to a port to gather information about it. The following are
Q: You are sending a file to an FTP server. The file will be broken into several pieces of information
packets (segments) and will be sent to the server. The file will again be reassembled and
reconstructed once the packets reach the FTP server. Which of the following information should be
used to maintain the correct order of information packets during the reconstruction of the file?
a. Sequence number
b. Acknowledge number
c. Checksum
d. TTL
Explanation: Answer option A is correct.
29. Q: John works as a professional Ethical Hacker. He has been assigned the project of testing
the security of www.we-are-secure.com. He performs a Teardrop attack on the we-are-
secure server and observes that the server has crashed. Which of the following is the most
likely cause of this?
a. The we-are-secure server cannot handle the overlapping data fragments.
b. Ping requests at the server are too high.
c. The ICMP packet is larger than 65,536 bytes.
d. The spoofed TCP SYN packet containing the IP address of the target is filled in both
the source and destination fields.
Explanation: Answer option A is correct.
In such a situation, while performing a Teardrop attack, John sends a series of data packets with
overlapping offset field values to the we-are-secure server. As a result, the server is unable to
reassemble these packets and is forced to crash, hang, or reboot.
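As an added example (not from the study guide), the Python fragment check below rejects the overlapping offsets a Teardrop attack relies on, and also a reassembled size beyond the 65,535-byte IPv4 limit that option c describes, before any reassembly is attempted. The fragment sets are constructed sample data.

```python
MAX_DATAGRAM = 65535   # largest IPv4 datagram; anything larger cannot be legitimate


def check_fragments(fragments):
    """Validate a fragment set before reassembly.

    fragments: list of (offset_bytes, length_bytes, more_fragments) tuples.
    Returns ("ok", total_length) when the pieces tile the datagram exactly,
    otherwise (problem, detail) with problem in "empty", "invalid", "overlap",
    "gap", "missing_last" or "oversize"."""
    if not fragments:
        return ("empty", 0)
    frags = sorted(fragments)            # by offset, then length
    expected = 0                         # next byte position we need to see
    for offset, length, more in frags:
        if length <= 0 or offset % 8 or (more and length % 8):
            # IPv4 offsets, and every piece but the last, are 8-byte multiples.
            return ("invalid", (offset, length))
        if offset < expected:
            # Teardrop-style piece: it covers bytes an earlier piece already did.
            return ("overlap", (offset, expected))
        if offset > expected:
            return ("gap", (expected, offset))
        expected = offset + length
    if frags[-1][2]:                     # MF flag still set on the last piece
        return ("missing_last", expected)
    if expected > MAX_DATAGRAM:
        return ("oversize", expected)
    return ("ok", expected)


def reassemble(payload_fragments):
    """Join (offset, payload_bytes, more_fragments) pieces into one datagram,
    but only after check_fragments accepts them. Returns (status, data_or_detail)."""
    status, detail = check_fragments(
        [(off, len(data), more) for off, data, more in payload_fragments])
    if status != "ok":
        return (status, detail)
    return ("ok", b"".join(data for _, data, _ in sorted(payload_fragments)))


# Constructed sample fragment sets (offsets and lengths in bytes).
NORMAL = [(0, 1480, True), (1480, 1480, True), (2960, 500, False)]
TEARDROP = [(0, 1480, True), (1400, 600, False)]      # second piece overlaps the first
OVERSIZE = [(0, 65000, True), (65000, 1000, False)]   # would exceed 65,535 bytes

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("oversize", OVERSIZE)):
        print(name, check_fragments(frags))
```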
Q: Which of the following techniques uses a modem in order to automatically scan a list of telephone
numbers?
a. War dialing
b. Warchalking
c. War driving
d. Warkitting
Explanation: Answer option A is correct. War dialing is a technique of using a modem to
automatically scan a list of telephone numbers, usually dialing every number in a local area code to
search for computers, BBS systems, and fax machines. Hackers use the resulting lists for various
purposes, hobbyists for exploration, and crackers (hackers that specialize in computer security) for
password guessing.
Answer option B is incorrect. Warchalking is the drawing of symbols in public places to advertise an
open Wi-Fi wireless network. Having found a Wi-Fi node, the warchalker draws a special symbol on
a nearby object, such as a wall, the pavement, or a lamp post. The name warchalking is derived
from the cracker terms war dialing and war driving.
Q: You work as a Database Manager for uCertify Inc. Due to a lot of pending work, you decide to
install remote control software on your desktop at work, so that you can work from anywhere in the
organization. After installing the remote desktop connection, you connect a modem to a fax line that
is not being used yet. As you have no authentication to configure a password for host connection of
the remote connection, the remote connection is open for anyone to connect to the remotely
controlled host system. Which of the following types of attacks can be performed by an attacker on
the remote connection?
a. War dialing
b. Warchalking
c. War driving
d. Zero-day
Explanation: Answer option A is correct.
Q: John works as a contract Ethical Hacker. He has recently got a project to do security checking for
www.we-are-secure.com. He wants to find out the operating system of the we-are-secure server in
the information gathering step. Which of the following commands will he use to accomplish the task?
Each correct answer represents a complete solution. Choose two.
a. nmap -v -O 208.100.2.25
b. nc -v -n 208.100.2.25 80
c. nc 208.100.2.25 23
d. nmap -v -O www.we-are-secure.com
Explanation: Answer options A and D are correct.
According to the scenario, John will use "nmap -v -O 208.100.2.25" to detect the operating system
of the we-are-secure server. Here, -v is used for verbose and -O is used for TCP/IP fingerprinting to
guess the remote operating system. John may also use the DNS name of we-are-secure instead of
using the IP address of the we-are-secure server. So, he can also use the nmap command "nmap -v
-O www.we-are-secure.com".
Q: Which of the following techniques are NOT used to perform active OS fingerprinting?
Each correct answer represents a complete solution. Choose all that apply.
a. ICMP error message quoting
b. Sniffing and analyzing packets
c. Sending FIN packets to open ports on the remote system
d. Analyzing email headers
Explanation: Answer options B and D are correct.
Sniffing and analyzing packets and analyzing email headers are some of the techniques used to
perform passive OS fingerprinting.
What is email header passive OS fingerprinting?
Email header passive OS fingerprinting is a method by which an attacker can use the email
header for remote OS detection. The email header is analyzed to get information about the remote
OS. Email headers usually give information about the mail daemon of a remote computer. Since a
specific mail daemon is usually used for a particular OS, an attacker can easily guess the OS of the
remote computer with the help of the mail daemon information.
Answer options A and C are incorrect. ICMP error message quoting and sending FIN packets to
open ports on the remote system are some of the techniques used to perform active OS
fingerprinting.
29. Q: You have received a file named new.com in your email as an attachment. When you
execute this file in your laptop, you get the following message:
'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!'
When you open the file in Notepad, you get the following string:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
What step will you take as a countermeasure against this attack?
a. Clean up your laptop with antivirus.
b. Do nothing.
c. Traverse to all of your drives, search new.com files, and delete them.
d. Immediately shut down your laptop.
Explanation: Answer option B is correct.
When you get the new.com file and execute it, the following error message is displayed:
'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!'
This indicates it might be the EICAR virus, which is a test virus to check whether an antivirus is
working or not. The EICAR (EICAR Standard Anti-Virus Test File) virus is a file that is used to test
the response of computer antivirus (AV) programs. The rationale behind it is to allow people,
companies, and antivirus programmers to test their software without having to use a real computer
virus that could cause actual damage should the antivirus not respond correctly.
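As an added example (not part of the guide), a classifier that recognises the EICAR test string quoted above, so a triage script can tell a harmless test file from a file that merely embeds the string; the length and trailing-whitespace rules follow EICAR's published convention, and the sample inputs are constructed:

```python
"""Classify bytes against the EICAR anti-virus test string described above.

Added example, not from the original guide. It follows the published EICAR
convention: a conforming test file starts with the 68-byte signature, may be
followed only by whitespace, and is at most 128 bytes long. The sample inputs
at the bottom are constructed; the signature itself is the one quoted above.
"""
# Raw bytes literal so the backslash inside the signature is kept verbatim.
EICAR_SIGNATURE = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Bytes the EICAR convention permits after the signature (space, tab, CR, LF, Ctrl-Z).
_TRAILING_WHITESPACE = frozenset(b" \t\r\n\x1a")
_MAX_TEST_FILE_LEN = 128


def classify_eicar(data: bytes) -> str:
    """Return one of:
      'eicar'    - a conforming EICAR test file; harmless, nothing to clean up
      'embedded' - the signature appears but not as a conforming test file
                   (prefixed, oversized or followed by non-whitespace); worth a look,
                   since it is not what the test-file convention describes
      'clean'    - the signature is absent
    """
    if (
        data.startswith(EICAR_SIGNATURE)
        and len(data) <= _MAX_TEST_FILE_LEN
        and all(b in _TRAILING_WHITESPACE for b in data[len(EICAR_SIGNATURE):])
    ):
        return "eicar"
    if EICAR_SIGNATURE in data:
        return "embedded"
    return "clean"


def classify_file(path: str) -> str:
    """Classify a file on disk, such as the new.com attachment from the question."""
    with open(path, "rb") as fh:
        return classify_eicar(fh.read())


# Constructed sample inputs covering each verdict.
SAMPLES = {
    "new.com as received": EICAR_SIGNATURE,
    "test file with CRLF": EICAR_SIGNATURE + b"\r\n",
    "signature inside other data": b"MZ\x90\x00" + EICAR_SIGNATURE + b"\x00" * 16,
    "ordinary text": b"quarterly report draft",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:30s} -> {classify_eicar(blob)}")
```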
30. Q: TCP/IP stack fingerprinting is the passive collection of configuration attributes from a
remote device during standard layer 4 network communications. The combination of
parameters may then be used to infer the remote operating system (OS fingerprinting), or
incorporated into a device fingerprint. Which of the following Nmap switches can be used to
perform TCP/IP stack fingerprinting?
a. nmap -O -p
b. nmap -sU -p
c. nmap -sS
d. nmap -sT
Explanation: Answer option A is correct.
Q: Which of the following tools allow you to perform HTTP tunneling?
Each correct answer represents a complete solution. Choose all that apply.
a. HTTPort
b. Tunneled
c. BackStealth
d. Nikto
Explanation: Answer options A, B, and C are correct.
The HTTPort, Tunneled, and BackStealth tools are used to perform HTTP tunneling.
Answer option D is incorrect. Nikto is a Web scanner.
Q: Your company has blocked all the ports via an external firewall and only allows port 80/443 to
connect to the Internet. You want to use FTP to connect to some remote server on the Internet.
Which of the following tools will you use to accomplish the task?
Each correct answer represents a complete solution. Choose all that apply.
a. HTTPort
b. Backstealth
c. Nmap
d. BiDiBLAH
Explanation: Answer options A and B are correct.
HTTP tunneling is a technique by which communications performed using various network
protocols are encapsulated using the HTTP protocol. The HTTP protocol therefore acts as a
wrapper for a covert channel that the network protocol being tunneled uses to communicate.
HTTPort: The HTTPort tool is used to create a transparent tunnel through a proxy server or a firewall. It
allows a user to use all sorts of Internet software from behind the proxy. This tool bypasses HTTPS
and HTTP proxies, transparent accelerators, and firewalls.
29. Q: You have been called in as a security consultant to investigate the case of an internal
employee who is suspected of using FTP to send sensitive corporate data to a competitor's remote
FTP server. The system and network administrators confirm that the FTP protocol and ports are
disallowed by the firewall. Which of the following techniques do you suspect the employee is using
to bypass the firewall?
a. IP spoofing
b. Tor Proxy Chaining software
c. HTTP tunneling
Explanation: Answer option C is correct.
Answer option A is incorrect. IP-spoofing is when an attacker changes his source address. By
forging the header to contain a different address, an attacker can make it appear that the packet was
sent by a different machine. The machine that receives spoofed packets will send a response back
to the forged source address.
Answer option B is incorrect. Tor is a network of virtual tunnels connected together and works like a
big chained proxy. It masks the identity of the originating computer from the Internet and uses a
random set of intermediary nodes to reach the target system.
30. Q: You configure a rule on your gateway device to block packets from outside of the network
that have a source address from inside the network. Which attacks are you trying to protect
your network from?
a. ARP spoofing
b. IP spoofing
c. Egress filtering
d. DOS attack
Explanation: Answer option B is correct.
Packet filtering is one defense against IP spoofing attacks. The gateway to a network usually
performs ingress filtering, which is the blocking of packets from outside the network that carry a
source address inside the network. This prevents an outside attacker from spoofing the address of
an internal machine.
Answer option A is incorrect. ARP spoofing, also known as ARP cache poisoning or ARP poison
routing, is a technique used to attack a local-area network. ARP spoofing may allow an attacker to
intercept data frames on a LAN, modify the traffic, or stop the traffic altogether. The attack can only
be used on local networks.
Answer option C is incorrect. Egress filtering is performed on outgoing packets: it blocks packets
from inside the network that carry a source address which is not inside the network. This prevents
an attacker within the network that performs the filtering from launching IP spoofing attacks against
external machines.
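The ingress and egress rules just described, as an added example (not from the guide) that applies them to constructed flow records; the internal prefix 10.20.0.0/16 and the "direction src dst" record format are assumptions of this example:

```python
"""Ingress/egress anti-spoofing decisions for a network gateway, as described above.

Added example, not from the original guide. The internal prefix and the flow
records are constructed; 'in' means the packet arrived on the external
interface, 'out' that it is leaving through it.
"""
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed: the address space that lives behind this gateway.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def is_internal(address: str) -> bool:
    """True when the address belongs to one of the internal prefixes."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETWORKS)


def filter_decision(direction: str, src: str) -> str:
    """Apply the two anti-spoofing rules from the text.

    ingress: a packet arriving from outside must not carry an internal source address
    egress:  a packet leaving the network must carry an internal source address
    """
    if direction not in ("in", "out"):
        raise ValueError(f"direction must be 'in' or 'out', got {direction!r}")
    if direction == "in" and is_internal(src):
        return "drop:ingress-spoof"
    if direction == "out" and not is_internal(src):
        return "drop:egress-spoof"
    return "accept"


def audit(flow_records: List[str]) -> Dict[str, int]:
    """Tally decisions over simple 'direction src dst' flow records."""
    tally: Counter = Counter()
    for line in flow_records:
        direction, src, _dst = line.split()
        tally[filter_decision(direction, src)] += 1
    return dict(tally)


# Constructed flow records: one legitimate and one spoofed packet per direction.
SAMPLE_FLOWS = [
    "in 203.0.113.9 10.20.0.10",     # external client reaching an internal host
    "in 10.20.5.7 10.20.0.10",       # arrives from outside claiming an internal source
    "out 10.20.1.1 203.0.113.9",     # internal host talking to the Internet
    "out 198.51.100.4 203.0.113.9",  # leaves with a foreign source: an inside host spoofing
]

if __name__ == "__main__":
    for record in SAMPLE_FLOWS:
        direction, src, _ = record.split()
        print(f"{record:32s} -> {filter_decision(direction, src)}")
    print(audit(SAMPLE_FLOWS))
```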
1. Q: Brutus is a password cracking tool that can be used to crack the following
authentications:
HTTP (Basic Authentication)
HTTP (HTML Form/CGI)
POP3 (Post Office Protocol v3)
FTP (File Transfer Protocol)
SMB (Server Message Block)
Telnet
Which of the following attacks can be performed by Brutus for password cracking?
Each correct answer represents a complete solution. Choose three.
a. Brute force attack
b. Dictionary attack
c. Hybrid attack
d. Man-in-the-middle attack
e. Replay attack
Explanation: Answer options A, B, and C are correct.
Brutus can be used to perform brute force attacks, dictionary attacks, or hybrid attacks.
Brute force attack
In a brute force attack, the attacker uses software that tries a large number of key combinations in
order to get a password. To prevent such attacks, users should create passwords more difficult to
guess, e.g., using a minimum of six characters, alphanumeric combinations, lower-upper case
combinations, etc.
2. Q: You are a Network Administrator of a TCP/IP network. You are facing DNS resolution
problems. Which of the following utilities will you use to diagnose the problem?
a. NSLOOKUP
b. PING
c. TRACERT
d. IPCONFIG
Explanation: Answer option A is correct.
NSLOOKUP is a tool for diagnosing and troubleshooting Domain Name System (DNS) problems. It
performs its function by sending queries to the DNS server and obtaining detailed responses at the
command prompt. This information can be useful for diagnosing and resolving name resolution
issues, verifying whether or not the resource records are added or updated correctly in a zone, and
debugging other server-related problems.
Q: Which of the following tools can be used to perform tasks such as Windows password cracking,
Windows enumeration, and VoIP session sniffing?
a. Cain
b. L0phtcrack
c. John the Ripper
d. Obiwan
Explanation: Answer option A is correct.
Cain and Abel is a multipurpose tool that can be used to perform many tasks, such as Windows
password cracking, Windows enumeration, and VoIP session sniffing. This password-cracking
program can perform the following types of password cracking attacks:
Dictionary attack
Brute force attack
Rainbow attack
Hybrid attack
Answer option B is incorrect. L0phtcrack is a tool that identifies and remediates security
vulnerabilities that result from the use of weak or easily guessed passwords. It recovers Windows
and Unix account passwords to access user and administrator accounts.
Answer option C is incorrect. John the Ripper is a fast password-cracking tool that is available for
most versions of UNIX, Windows, DOS, BeOS, and Open VMS. It also supports Kerberos, AFS, and
Windows NT/2000/XP/2003 LM hashes.
An attacker has captured VoIP traffic on your network. What tool can he use to recreate the
conversation from these captured packets?
a. HPing
b. NMAP
c. Cain and Abel
d. VOIP-killer
answer: C
You have been instructed to open ports on your firewall to allow web and email services. Which
ports must you open? (choose 4)
a. 80
b. 53
c. 25
d. 139
e. 443
f. 21
3. Q: John works as a professional Ethical Hacker. He has been assigned the project of testing
the security of www.we-are-secure.com. He notices that UDP port 137 of the We-are-secure
server is open. Assuming that the Network Administrator of We-are-secure Inc. has not
changed the default port values of the services, which of the following services is running on
UDP port 137?
a. NetBIOS
b. HTTP
c. HTTPS
d. TELNET
Explanation: Answer option A is correct.
NetBIOS is a Microsoft service that enables applications on different computers to communicate
within a LAN. The default port value of NetBIOS Name Resolution Service is 137/UDP.
Q: In the DNS Zone transfer enumeration, an attacker attempts to retrieve a copy of the entire zone
file for a domain from a DNS server. The information provided by the DNS zone can help an attacker
gather user names, passwords, and other valuable information. To attempt a zone transfer, an
attacker must be connected to a DNS server that is the authoritative server for that zone. Besides
this, an attacker can launch a Denial of Service attack against the zone's DNS servers by flooding
them with a lot of requests. Which of the following tools can an attacker use to perform a DNS zone
transfer?
Each correct answer represents a complete solution. Choose all that apply.
a. Host
b. Dig
c. NSLookup
d. DSniff
Explanation: Answer options A, B, and C are correct.
An attacker can use Host, Dig, and NSLookup to perform a DNS zone transfer.
Answer option D is incorrect. DSniff is a sniffer that can be used to record network traffic.
4. Q: John works as a Security Professional. He is assigned a project to test the security of
www.we-are-secure.com. John wants to get information of all network connections and
listening ports in numerical form. Which of the following commands will he use?
a. netstat -an
b. netstat -e
c. netstat -r
d. netstat -s
Explanation: Answer option A is correct.
According to the scenario, John will use the netstat -an command to accomplish the task. The
netstat -an command is used to get information of all network connections and listening ports in
numerical form.
Answer option B is incorrect. The netstat -e command displays Ethernet information.
Answer option C is incorrect. The netstat -r command displays routing table information.
Answer option D is incorrect. The netstat -s command displays per-protocol statistics. By default,
statistics are shown for TCP, UDP, and IP.
5. Q: Which of the following can be the countermeasures to prevent NetBIOS NULL session
enumeration in Windows 2000 operating systems?
Each correct answer represents a complete solution. Choose all that apply.
a. Disabling TCP port 139/445
b. Disabling SMB services entirely on individual hosts by unbinding WINS Client TCP/IP
from the interface
c. Editing the registry key HKLM\SYSTEM\CurrentControlSet\LSA and adding the value
RestrictAnonymous
d. Denying all unauthorized inbound connections to TCP port 53
Explanation: Answer options A, B, and C are correct.
NetBIOS NULL session vulnerabilities are hard to prevent, especially if NetBIOS is needed as part of
the infrastructure. One or more of the following steps can be taken to limit NetBIOS NULL session
vulnerabilities:
1. Null sessions require access to the TCP 139 or TCP 445 port, which can be disabled by a
Network Administrator.
2. A Network Administrator can also disable SMB services entirely on individual hosts by unbinding
WINS Client TCP/IP from the interface.
3. A Network Administrator can also restrict the anonymous user by editing the registry values:
a. Open regedit32, and go to HKLM\SYSTEM\CurrentControlSet\LSA.
b. Choose edit > add value.
Value name: RestrictAnonymous
Data Type: REG_DWORD
Value: 2
Answer option D is incorrect. TCP port 53 is the default port for DNS zone transfer. Although
disabling it can help restrict DNS zone transfer enumeration, it is not useful as a countermeasure
against NetBIOS NULL session enumeration.
6. Q: You have just installed a Windows 2003 server. What action should you take regarding
the default shares?
a. Disable them.
b. Disable them only if this is a domain server.
c. Make them hidden shares.
d. Leave them, as they are needed for Windows Server operations.
Explanation: Answer option A is correct.
Default shares should be disabled, unless they are absolutely needed. They pose a significant
security risk by providing a way for an intruder to enter your machine.
Q: Which of the following is an attempt to give false information or to deny that a real event or
transaction should have occurred?
a. A DDoS attack
b. A repudiation attack
c. A reply attack
d. A dictionary attack
Explanation: Answer option B is correct.
A repudiation attack is an attempt to give false information or to deny that a real event or
transaction should have occurred.
Answer option A is incorrect. In a distributed denial of service (DDOS) attack, the attacker uses
multiple computers throughout the network that it has previously infected. Such computers act as
zombies and work together to send out bogus messages, thereby increasing the amount of phony
traffic. The major advantages to an attacker of using a distributed denial-of-service attack are that
multiple machines can generate more attack traffic than one machine, multiple attack machines are
harder to turn off than one attack machine, and that the behavior of each attack machine can be
stealthier, making it harder to track down and shut down.
Answer option C is incorrect. A replay attack is a type of attack in which attackers capture packets
containing passwords or digital signatures whenever packets pass between two hosts on a network.
In an attempt to obtain an authenticated connection, the attackers then resend the captured packet
to the system.
Answer option D is incorrect. A dictionary attack is a type of password guessing attack. This type of
attack uses a dictionary of common words to find out the password of a user. It can also use
common words in either upper or lower case to find a password.
7. Q: You work as a Network Administrator for Infonet Inc. The company's network has an FTP
server. You want to secure the server so that only authorized users can access it. What will
you do to accomplish this?
a. Disable anonymous authentication.
b. Enable anonymous authentication.
c. Stop the FTP service on the server.
d. Disable the network adapter on the server.
Explanation: Answer option A is correct.
You will have to disable anonymous authentication. This will prevent unauthorized users from
accessing the FTP server. With anonymous authentication enabled, a user can establish a
connection to the IIS server without providing a username and password.
Q: You work as a Network Administrator for NetTech Inc. Your computer has the Windows 2000
Server operating system. You want to harden the security of the server. Which of the following
changes are required to accomplish this?
Each correct answer represents a complete solution. Choose two.
a. Enable the Guest account.
b. Remove the Administrator account.
c. Rename the Administrator account.
d. Disable the Guest account.
Explanation: Answer options C and D are correct.
A company has publicly hosted web applications and an internal Intranet protected by a firewall.
Which technique will help protect against enumeration?
A. Enable null session pipes
B. Remove A records for internal hosts.
C. Allow full DNS zone transfers to non-authoritative servers
D. Reject all email received via POP3
answer: B
Q: John works as a professional Ethical Hacker. He has been assigned a project for testing the
security of www.we-are-secure.com. He runs an SNMP scanner named snmpbulkwalk to send
SNMP requests to multiple IP addresses. He tries different community strings and waits for a reply.
However, he does not get any response. Which of the following statements may be valid reasons for
getting no response?
Each correct answer represents a complete solution. Choose all that apply.
a. The target system is unreachable due to low Internet connectivity.
b. The target system has stopped SNMP services.
c. John is searching for Public and Private community strings, but the Network
administrator has changed their default names.
d. The target system is using SNMP version 2, which cannot be scanned by
snmpbulkwalk.
Explanation: Answer options A, B, and C are correct.
What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?
A. Injecting parameters into a connection string using semicolons as a separator
B. Adding multiple parameters with the same name in HTTP requests
C. Inserting malicious Javascript code into input parameters
D. Adding a single quote after a URL
answer: A
What is snmpwalk?
The SNMP application snmpwalk uses SNMP GETNEXT requests to query a network entity for
a tree of information. The command syntax is as follows:
Q: Which of the following statements are true about SNMPv1 and SNMPv3 enumeration?
Each correct answer represents a complete solution. Choose all that apply.
a. All the versions of SNMP protocols use community strings in clear text format, which
is easily recognizable.
b. Simple Network Management Protocol (SNMP) is a TCP/IP standard protocol that is
used for remote monitoring and managing hosts, routers, and devices on a network.
c. Gathering information about host, routers, devices etc. with the help of SNMP is
known as SNMP enumeration.
d. Implementing Access control list filtering to allow only access to the read-write
community from approved stations or subnets can be a valid countermeasure against
SNMP enumeration.
Explanation: Answer options B, C, and D are correct.
Although SNMP version 3 provides data encryption, the more widely used SNMP version 1 is a clear
text protocol that offers limited security by using community strings. The names of the default
community strings are public and private, which are transmitted in clear text.
22. Q: John works as a professional Ethical Hacker. He has been assigned a project for testing
the security of www.we-are-secure.com. He wants to perform an SNMP enumeration of the
We-are-secure server so that he can gather information about the hosts, routers, devices,
etc. of We-are-secure Inc. However, he is unable to perform an SNMP scan until he gives
the password for the SNMP service. Now, he thinks that it may be possible that the Network
Administrator of We-are-secure Inc. has not changed the default password of the SNMP
service. He enters the default password and gets the SNMP service details. Which of the
following passwords does SNMP use as a default password?
Each correct answer represents a complete solution. Choose all that apply.
a. Password
b. Administrator
c. Public
d. Private
Explanation: Answer options C and D are correct.
Public and Private are the default passwords that are used by SNMP.
Q: Which of the following SNMP versions does not send passwords and messages in clear text
format?
a. SNMPv3
b. SNMPv2
c. SNMPv1
d. SNMPv2c
Explanation: Answer option A is correct.
Q: IP Network Browser scans an IP subnet and shows what devices are responding on that subnet.
Each of the responding devices is then queried via SNMP. Which of the following ports is used by IP
Network Browser to scan SNMP enabled devices?
a. 80
b. 161
c. 22
d. 21
Explanation: Answer option B is correct.
Q: Which of the following are countermeasures against SNMP enumeration?
Each correct answer represents a complete solution. Choose all that apply.
a. Removing the SNMP agent or disabling the SNMP service
b. Changing the default PUBLIC community name when 'shutting off SNMP' is not an
option
c. Implementing the Group Policy security option called Additional restrictions for
anonymous connections
d. Allowing access to NULL session pipes and NULL session shares
Explanation: Answer options A, B, and C are correct.
Following are the countermeasures against SNMP enumeration:
1. Removing the SNMP agent or disabling the SNMP service
2. Changing the default PUBLIC community name when 'shutting off SNMP' is not an option
3. Implementing the Group Policy security option called Additional restrictions for anonymous
connections
4. Restricting access to NULL session pipes and NULL session shares
5. Upgrading SNMP Version 1 with the latest version
6. Implementing Access control list filtering to allow only access to the read-write community from
approved stations or subnets
22. Q: SNMP is not usually audited, and may pose a significant threat if it is not configured
properly. SNMP can be used to enumerate user accounts and devices on a target system.
SNMP has two passwords to access and configure the SNMP agent from the management
station: read and read-write community string. What tool or utility would you use for SNMP
enumeration?
Each correct answer represents a complete solution. Choose two.
a. SNMP Util
b. SNMP Agent
c. SNMP Manager
d. SNMPEnum
Explanation: Answer option A is correct.
Which Open Web Application Security Project (OWASP) implements a web application with known
vulnerabilities?
A. WebVuln
B. Hackme.com
C. BackTrack
D. WebGoat
answer: D
Which of the following best dictates whether or not a certain behavior is allowed?
a. Network Firewall
b. Data Loss Prevention Policy
c. Acceptable Use Policy
d. Information Security Policy
answer: D
WebScarab
SNMPUtil is a command-line tool that gathers Windows user account information via SNMP on
Windows systems. Information such as routing tables, ARP tables, IP addresses, MAC addresses,
TCP/UDP open ports, user accounts, and shares can be obtained using this tool.
A server shows port 25 is open. What risk could this pose?
A. Web portal data leak
B. Active mail relay
C. Clear text authentication
D. Open printer sharing
answer: B
Which of the following is an example of an asymmetric encryption implementation? (choose 2)
A. PGP
B. 3DES
C. RSA
D. SHA1
E. 3DES
answer: A and C
1. Q: John works as a Network Security Professional. He is assigned a project of testing the
security of www.we-are-secure.com. He analyzes that the company has blocked all ports
except port 80. Which of the following attacking methods can he use to send insecure
software protocols?
a. HTTP tunneling
b. MAC spoofing
c. URL obfuscation
d. Banner grabbing
Explanation: Answer option A is correct.
According to the scenario, the company has blocked all ports except port 80. Hence, John can use
HTTP tunneling to send insecure software protocols.
Answer option B is incorrect. MAC spoofing is a hacking technique of changing an assigned Media
Access Control (MAC) address of a networked device to a different one.
Answer option C is incorrect. URL obfuscation is a technique through which an attacker changes
the format of URLs so that they can bypass filters or other application defenses that have been put
in place to block specific IP addresses.
The Advanced Encryption Standard (AES) is primarily used for?
A. key exchange
B. bulk data encryption
C. key creation
D. IPSec
answer: B
1. Q: Which of the following password cracking attacks is based on a pre-calculated hash table
to retrieve plain text passwords?
a. Dictionary attack
b. Rainbow attack
c. Hybrid attack
d. Brute Force attack
Explanation: Answer option B is correct.
A rainbow attack uses a hash table to retrieve plain text passwords. A rainbow attack is one of the
fastest methods of password cracking. This method of password cracking is implemented by
calculating all the possible hashes for a set of characters and then storing them in a table known as
the Rainbow table.
Q: Which of the following password cracking tools can work on UNIX and Linux environments?
a. Cain and Abel
b. Brutus
c. John the Ripper
d. Ophcrack
Explanation: Answer option C is correct.
John the Ripper (JTR) is a password cracking tool that works successfully on UNIX, Linux, and
Windows environments. JTR implements the dictionary and brute force attacks.
4. Q: Which of the following attacks allow the bypassing of access control lists on servers or
routers, and help an attacker to hide?
Each correct answer represents a complete solution. Choose two.
a. MAC spoofing attack
b. DNS cache poisoning attack
c. DDoS attack
d. IP spoofing attack
Explanation: Answer options A and D are correct.
Either the IP spoofing attack or the MAC spoofing attack can be performed to hide the identity in the
network. MAC spoofing is a hacking technique of changing an assigned Media Access Control
(MAC) address of a networked device to a different one. The changing of the assigned MAC address
may allow the bypassing of access control lists on servers or routers, either hiding a computer on a
network or allowing it to impersonate another computer.
Answer option B is incorrect. DNS cache poisoning is a maliciously created or unintended situation
that provides data to a caching name server that did not originate from authoritative Domain Name
System (DNS) sources. Once a DNS server has received such non-authentic data and caches it for
future performance increase, it is considered poisoned, supplying the non-authentic data to the
clients of the server.
Q: Fill in the blank with the appropriate attack name.
It is a maliciously created or unintended situation that provides data to a caching name server that
did not originate from authoritative Domain Name System (DNS) sources. To perform a cache
poisoning attack, the attacker exploits a flaw in the DNS software. Such type of attack is known as
______ attack.
Correct Answer: DNS cache poisoning
It is a maliciously created or unintended situation that provides data to a caching name server that
did not originate from authoritative Domain Name System (DNS) sources. To perform a cache
poisoning attack, the attacker exploits a flaw in the DNS software. Such type of attack is known as
DNS cache poisoning attack.
5. Q: Which of the following statements are true of session hijacking?
Each correct answer represents a complete solution. Choose all that apply.
a. It is the exploitation of a valid computer session to gain unauthorized access to
information or services in a computer system.
b. TCP session hijacking occurs when a hacker takes over a TCP session between two
machines.
c. Using a long random number or string as the session key reduces session hijacking.
d. It is used to slow down the working of the victim's network resources.
Explanation: Answer options A, B, and C are correct.
Session hijacking refers to the exploitation of a valid computer session to gain unauthorized access
to information or services in a computer system. In particular, it is used to refer to the theft of a
magic cookie used to authenticate a user to a remote server.
How do operating systems protect login passwords?
A. The operating system stores all passwords in a protected segment of non-volatile memory.
B. The operating system encrypts the passwords, and decrypts them when needed.
C. The operating system stores the passwords in a secret file that users cannot find.
D. The operating system performs a one-way hash of the passwords.
answer: D
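An added example (not from the guide) that covers both the rainbow-table question above and this one: it builds a precomputed digest table that recovers an unsalted password instantly, shows that a salted digest of the same password is not found in it, and stores passwords the way an operating system should, as salted one-way PBKDF2 digests; the record format, iteration count and sample passwords are this example's own choices.

```python
"""One-way, salted password storage, and why a precomputed (rainbow-style)
table does not help against it.

Added example, not from the original guide: it uses PBKDF2-HMAC-SHA256 from the
Python standard library, and the record format, iteration count and sample
passwords are this example's own choices.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

DEFAULT_ITERATIONS = 600_000  # deliberately slow: every guess costs this much work


def unsalted_sha256(password: str) -> str:
    """The weak scheme a precomputed table targets: one fixed digest per password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_sha256(password: str, salt: bytes) -> str:
    """Same digest function, but the salt is mixed in before hashing."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> password for a candidate list. A rainbow table
    stores this far more compactly, but enables the same instant lookup."""
    return {unsalted_sha256(p): p for p in candidates}


def lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    """Recover a password from its digest if the table was built for that scheme.
    A salted digest is never found: the salt was unknown when the table was built,
    and a different salt gives a different digest for the same password."""
    return table.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """What an OS or application should store: algorithm$iterations$salt$digest (hex).
    The password itself is never written anywhere."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed candidate list standing in for a password dictionary.
    table = build_lookup_table(["password", "letmein", "qwerty"])
    print("unsalted lookup:", lookup(table, unsalted_sha256("letmein")))  # letmein
    print("salted lookup:  ", lookup(table, salted_sha256("letmein", os.urandom(16))))  # None
    record = hash_password("letmein")
    print("stored record:  ", record)
    print("verify:", verify_password("letmein", record), verify_password("wrong", record))
```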
Which of the following are password cracking tools? (choose 3)
A. NMAP
B. John the Ripper
C. WebGoat
D. KerbCrack
E. Wireshark
F. Cain and Abel
answer: A, B and D
Q: In which of the following attacks does an attacker use packet sniffing to read network traffic
between two parties to steal the session cookie?
a. Session sidejacking
b. Session fixation
c. Cross-site scripting
d. ARP spoofing
Explanation: Answer option A is correct.
In Session sidejacking, the attacker uses packet sniffing to read network traffic between two
parties to steal the session cookie. Many Web sites use SSL encryption for login pages to prevent
attackers from seeing the password, but do not use encryption for the rest of the site once
authenticated. This allows attackers that can read the network traffic to intercept all the data that is
submitted to the server or Web pages viewed by the client. Since this data includes the session
cookie, it allows him to impersonate the victim, even if the password itself is not compromised.
Answer option B is incorrect. In Session fixation, the attacker sets a user's session id to one known
to him, for example, by sending the user an email with a link that contains a particular session id.
The attacker now only has to wait until the user logs in.
Answer option C is incorrect. In cross-site scripting, the attacker tricks the user's computer into
running code, which is treated as trustworthy because it appears to belong to the server, allowing
the attacker to obtain a copy of the cookie or perform other operations.
6. Q: Which of the following statements are true of firewalking?
Each correct answer represents a complete solution. Choose all that apply.
a. A malicious attacker can use firewalking to determine the types of ports/protocols that
can bypass the firewall.
b. To use firewalking, the attacker needs the IP address of the last known gateway
before the firewall and the IP address of a host located behind the firewall.
c. Firewalking works on UDP packets.
d. In this technique, the attacker sends a crafted packet with a TTL value that is set to
expire one hop past the firewall.
Explanation: Answer options A, B, and D are correct.
Q: Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which
Alice dutifully provides (possibly after some transformation like a hash function); meanwhile, Eve is
eavesdropping the conversation and keeps the password. After the interchange is over, Eve
connects to Bob posing as Alice; when asked for a proof of identity, Eve sends Alice's password
read from the last session, which Bob accepts. Which of the following attacks is being performed by
Eve?
a. Replay
b. Cross-site scripting
c. Firewalking
d. Session fixation
Explanation: Answer option A is correct.
Q: Which of the following commands can be used for port scanning?
a. nc -z
b. nc -g
c. nc -t
d. nc -w
Explanation: Answer option A is correct.
The nc -z command is used to switch the netcat command in port scanning mode. Netcat is a freely
available networking utility that reads and writes data across network connections using the TCP/IP
protocol. Netcat has the following features:
Q: John works as a Security Administrator for Enet Inc. He uses a 4-digit personal identification
number (PIN) to access his laptop, and a token to perform offline checking whether he has entered
the correct PIN or not. Which of the following attacks is possible on John's computer?
a. Brute force
b. Man-in-the-middle
c. Smurf
d. Replay
Explanation: Answer option A is correct.
A brute force attack is possible on John's laptop. According to the scenario, John uses a 4-digit
personal identification number (PIN) to access his computer and a token to perform offline checking
whether he has entered the correct PIN or not. Since the PIN contains only 4 digits, it is vulnerable
to a brute force attack.
Answer option B is incorrect. Since the token is checking the PIN offline, it is not possible to perform
a man-in-the-middle attack. Man-in-the-middle attacks occur when an attacker successfully inserts
an intermediary software or program between two communicating hosts. The intermediary software
or program allows attackers to listen to and modify the communication packets passing between the
two hosts. The software intercepts the communication packets and then sends the information to the
receiving host. The receiving host responds to the software, presuming it to be the legitimate client.
Q: John works as a contract Ethical Hacker. He recently got a project to do a security check for
www.we-are-secure.com. While performing the security check, he successfully steals the SAM file
from the server of we-are-secure. The output of the SAM file is given below:
Mark:501:D4DCC2975DC76FB2AAD3B435B51404EE
James:500:5351CF62FC930923AAD3B435B51404EE
Administrator:1002:8AD7EAA34F1A9A31DA5A59A9D0150C17
Samantha:1001:F1402A82F3AB3A2EBA12F405D7E7327B
Which of the following user accounts, given in the above list, will John break to get administrative
privileges?
a. Administrator
b. Samantha
c. James
d. Mark
Explanation: Answer option C is correct.
RID 500 is used for the Administrator account. In the given scenario, the RID code of James is
500. Therefore, John will break the user account of James to get administrative privileges.
Q: Which of the following tools can be used for cracking the password of Server Message Block
(SMB)?
Each correct answer represents a complete solution. Choose all that apply.
a. L0phtCrack
b. KerbCrack
c. SMBRelay
d. pwdump2
Explanation: Answer options A and C are correct.
L0phtCrack is a Windows password recovery tool that performs dictionary, brute-force, and
hybrid password cracking attacks. It can also capture a Server Message Block (SMB) packet on the
local network segment and capture individual login sessions. SMBRelay is an SMB server that
captures usernames and password hashes from incoming SMB traffic.
Answer option B is incorrect. KerbCrack is a Kerberos password cracker and sniffer.
Answer option D is incorrect. pwdump2 is a program that extracts the password hashes from the
SAM file on a Windows system.
Q: You want to connect to your friend's computer and run a Trojan on it. Which of the
following tools will you use to accomplish the task?
a. PSExec
b. Remoxec
c. GetAdmin.exe
d. Hk.exe
Explanation: Answer option A is correct.
You will use the PsExec tool to accomplish the task. PsExec is a light-weight telnet-replacement
tool that executes processes on remote computers and provides full interactivity for console applications.
The main advantage of PsExec is that there is no need to manually install client software on
remote computers to execute processes remotely.
Q: You are auditing the security of a client company. You find that their password policy only
requires a minimum of 5 characters with letters and numbers. What, if anything, is wrong with
this policy?
e. Nothing, this is a strong password policy.
f. The only flaw is that the password policy should require symbols as well.
g. The password policy is too weak for multiple reasons.
h. The only flaw is that the password policy should require a minimum of 6 characters.
Explanation: Answer option G is correct.
A good password policy requires a minimum of 6 characters, with letters and numbers.
However, a good password policy also sets how often passwords are changed and how long the
password history is kept. Answer option E is incorrect. This password policy is very weak.
Q: LAN Manager hash is the primary hash used by Microsoft LAN Manager and Microsoft
Windows versions prior to Windows NT to store user passwords. It is highly vulnerable
to various types of password cracking attacks. Which of the following are known weaknesses
of LAN Manager hash?
Each correct answer represents a complete solution. Choose all that apply.
a. It converts passwords to uppercase.
b. Hashes are sent in clear text over the network.
c. Its effective length is 7 characters.
d. It does not use cryptographic salt.
e. It uses only 16-bit encryption.
Explanation: Answer options A, B, C, and D are correct.
LAN Manager hash is the primary hash used by Microsoft LAN Manager and Microsoft Windows
versions prior to Windows NT to store user passwords. It is highly vulnerable to various types of
password cracking attacks. The known weaknesses of LAN Manager hash are as follows:
It converts passwords to uppercase.
Hashes are sent in clear text over the network.
Its effective length is 7 characters.
It does not use cryptographic salt.
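An added Go example, written against the standard library's crypto/des and not part of this guide, that implements the LM hash so the three weaknesses above can be observed directly. It also re-reads the SAM lines from the earlier James/Mark question (assumed format user:rid:lmhash, as printed there) and flags accounts whose constant second half, AAD3B435B51404EE, reveals a password of 7 characters or fewer, which is a useful audit check for any LM hashes still present on a network.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext that LM encrypts under each password half.
const lmMagic = "KGS!@#$%"

// lmKey expands a 7-byte password half into the 8-byte DES key LM uses: each
// group of 7 bits becomes one key byte whose low (parity) bit is left zero.
// crypto/des ignores the parity bits, so no parity fix-up is needed.
func lmKey(half []byte) []byte {
	k := []byte{
		half[0] >> 1,
		(half[0]&0x01)<<6 | half[1]>>2,
		(half[1]&0x03)<<5 | half[2]>>3,
		(half[2]&0x07)<<4 | half[3]>>4,
		(half[3]&0x0F)<<3 | half[4]>>5,
		(half[4]&0x1F)<<2 | half[5]>>6,
		(half[5]&0x3F)<<1 | half[6]>>7,
		half[6] & 0x7F,
	}
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// LMHash returns the LAN Manager hash of password as 32 upper-case hex digits.
func LMHash(password string) string {
	// Weakness 1: case is thrown away before hashing.
	upper := []byte(strings.ToUpper(password))
	// Truncate to 14 bytes and zero-pad; anything past 14 characters is ignored.
	padded := make([]byte, 14)
	copy(padded, upper)
	out := make([]byte, 16)
	// Weakness 2: each 7-byte half is encrypted on its own, so the halves can be
	// attacked separately and a short password leaves a constant second half.
	for i := 0; i < 2; i++ {
		block, err := des.NewCipher(lmKey(padded[i*7 : i*7+7]))
		if err != nil {
			panic(err) // cannot happen: the key is always 8 bytes
		}
		block.Encrypt(out[i*8:i*8+8], []byte(lmMagic))
	}
	// Weakness 3: no salt, so equal passwords always produce equal hashes.
	return strings.ToUpper(hex.EncodeToString(out))
}

// ShortLMPassword reports whether the second half of an LM hash equals the hash
// of an empty half, which means the password was at most 7 characters long.
func ShortLMPassword(lmHex string) bool {
	h := strings.ToUpper(lmHex)
	return len(h) == 32 && h[16:] == LMHash("")[16:]
}

// FlagShortLMPasswords takes "user:rid:lmhash" lines and returns the users whose
// LM hash reveals a password of 7 characters or fewer.
func FlagShortLMPasswords(lines []string) []string {
	var users []string
	for _, line := range lines {
		f := strings.Split(strings.TrimSpace(line), ":")
		if len(f) < 3 {
			continue
		}
		if ShortLMPassword(f[2]) {
			users = append(users, f[0])
		}
	}
	return users
}

// samLines reproduces the SAM output from the earlier question in this guide.
var samLines = []string{
	"Mark:501:D4DCC2975DC76FB2AAD3B435B51404EE",
	"James:500:5351CF62FC930923AAD3B435B51404EE",
	"Administrator:1002:8AD7EAA34F1A9A31DA5A59A9D0150C17",
	"Samantha:1001:F1402A82F3AB3A2EBA12F405D7E7327B",
}

func main() {
	fmt.Println("LM(\"\")         =", LMHash(""))
	fmt.Println("LM(password)  =", LMHash("password"))
	fmt.Println("LM(PASSWORD)  =", LMHash("PASSWORD"))
	fmt.Println("accounts with passwords of 7 characters or fewer:", FlagShortLMPasswords(samLines))
}
```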
5. Q: Passwords are the most common access control methods used by system
administrators to manage the usage of network resources and applications. Password
stealing is used by hackers to exploit user credentials and may cause serious data
loss in the system. Which of these is NOT a type of password attack?
a. Social engineering
b. Phishing
c. Password hashing
d. Shoulder surfing
Explanation: Answer option C is correct.
Password hashing is a way of transforming a password with a one-way function before it is stored,
so that if your database gets into the wrong hands, the damage is limited. A hash or message digest
can be thought of as the digital fingerprint of a piece of data.
Answer option A is incorrect. Social engineering is the human side of breaking into a corporate
network to get personal information. In a typical example, an unknown person gets hold of user
credentials from the victim by manipulating him or her into believing a contrived situation.
Answer option B is incorrect. Phishing is an example of social engineering techniques used to
deceive users, and exploits the poor usability of current web security technologies. Phishing is
typically carried out by e-mail spoofing and it often directs users to enter details at a fake website
whose look and feel are almost identical to the legitimate one.
Answer option D is incorrect. Shoulder surfing is done using direct observation techniques, such as
looking over someone's shoulder when they enter a password or PIN code.
Q: Which of the following is generally practiced by the police or any other recognized
governmental authority?
a. SMB signing
b. Wiretapping
c. Spoofing
d. Phishing
Explanation: Answer option B is correct.
Answer option A is incorrect. Server Message Block (SMB) signing is a security feature of
Windows operating systems. SMB signing ensures that the transmission and reception of files
across a network are not altered in any way.
Note: Enabling SMB signing on the network reduces the performance of the network because of the
increased processing and network traffic required to digitally sign each SMB packet.
Q: Which of the following records everything a person types using the keyboard?
e. Line conditioner
f. Port scanner
g. Keystroke logger
h. Firewall
Explanation: Answer option G is correct.
A keystroke logger records everything a person types using the keyboard. Keystroke logging is a
method of logging and recording user keystrokes. It can be performed with software or hardware
devices.
Answer option B is incorrect. A port scanner is a software tool that is designed to search a network
host for open ports. This tool is often used by administrators to check the security of their networks.
It is also used by hackers to compromise the network and systems.
Answer option D is incorrect. A firewall is a tool to provide security to a network. It is used to protect
an internal network or intranet against unauthorized access from the Internet or other outside
networks. It restricts inbound and outbound access and can analyze all traffic between an internal
network and the Internet.
Q: Which of the following user authentications are supported by the SSH-1 protocol but not
by the SSH-2 protocol?
Each correct answer represents a complete solution. Choose all that apply.
a. Rhosts (rsh-style) authentication
b. TIS authentication
c. Password-based authentication
d. Kerberos authentication
Explanation: Answer options A, B, and D are correct.
The SSH-2 protocol supports the following user authentications:
Public key authentication (DSA, RSA, OpenPGP)
Host-based authentication
Password-based authentication
Note: SSH-1 supports a wider range of user authentications: public-key (RSA only), RhostsRSA,
password, Rhosts (rsh-style), TIS, and Kerberos.
Q: Which of the following are the drawbacks of the NTLM Web authentication scheme?
Each correct answer represents a complete solution. Choose all that apply.
e. It can be brute forced easily.
f. It works only with Microsoft Internet Explorer.
g. The password is sent in clear text format to the Web server.
h. The password is sent in hashed format to the Web server.
Explanation: Answer options E and F are correct.
The following are drawbacks of the NTLM Web Authentication Scheme:
NTLM Web authentication is not entirely safe because NTLM hashes (or challenge/response
pairs) can be cracked with the help of brute force password guessing. The "cracking" program
would repeatedly try all possible passwords, hashing each and comparing the result to the hash
that the malicious user has obtained.
This authentication technique works only with Microsoft Internet Explorer.
5. Q: Which of the following statements is true of the Digest Authentication scheme?
a. It uses the base64 encoding encryption scheme.
b. The password is sent over the network in clear text format.
c. In this authentication scheme, the username and password are passed with every
request, not just when the user first types them.
d. A valid response from the client contains a checksum of the username, the
password, the given random value, the HTTP method, and the requested URL.
Explanation: Answer option D is correct.
The Digest Authentication scheme is a replacement for the Basic Authentication scheme. It is based
on the challenge-response model. In Digest authentication, the password is never sent across the
network in clear text but is always transmitted as an MD5 digest derived from the user's password.
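An added Go example, not from this guide, that carries the checksum in option (d) through with the RFC 2617 sample values (user Mufasa, realm testrealm@host.com, password "Circle Of Life", qop=auth) on both sides of the exchange: the client computes the response, the server stores only HA1 and rejects a replayed nonce count, and a small helper decodes a Basic header to show why base64 is encoding, not encryption. The nonce bookkeeping a real server would do (issuing and expiring nonces) is left out.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// md5Hex returns the lower-case hex MD5 digest that RFC 2617 uses throughout.
func md5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// DigestResponse is the client-side computation for qop="auth":
//   HA1      = MD5(username:realm:password)
//   HA2      = MD5(method:uri)
//   response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
// Only the response crosses the network; the password never does.
func DigestResponse(user, realm, pass, nonce, nc, cnonce, method, uri string) string {
	ha1 := md5Hex(user + ":" + realm + ":" + pass)
	ha2 := md5Hex(method + ":" + uri)
	return md5Hex(strings.Join([]string{ha1, nonce, nc, cnonce, "auth", ha2}, ":"))
}

// DigestServer keeps HA1 per user (never the clear-text password) and remembers
// which (nonce, nc) pairs it has accepted so a captured response cannot be replayed.
type DigestServer struct {
	realm string
	ha1   map[string]string
	used  map[string]bool
}

// NewDigestServer derives HA1 for each user once. creds is a constructed
// username-to-password map standing in for a real credential store.
func NewDigestServer(realm string, creds map[string]string) *DigestServer {
	s := &DigestServer{realm: realm, ha1: map[string]string{}, used: map[string]bool{}}
	for u, p := range creds {
		s.ha1[u] = md5Hex(u + ":" + realm + ":" + p)
	}
	return s
}

// Verify recomputes the expected response from the stored HA1 and the request
// parameters. A real server must also check that nonce is one it issued recently.
func (s *DigestServer) Verify(user, nonce, nc, cnonce, method, uri, response string) bool {
	ha1, ok := s.ha1[user]
	if !ok {
		return false
	}
	if s.used[nonce+":"+nc] {
		return false // replayed nonce count
	}
	ha2 := md5Hex(method + ":" + uri)
	want := md5Hex(strings.Join([]string{ha1, nonce, nc, cnonce, "auth", ha2}, ":"))
	if subtle.ConstantTimeCompare([]byte(want), []byte(response)) != 1 {
		return false
	}
	s.used[nonce+":"+nc] = true
	return true
}

// DecodeBasic shows why option (a) describes Basic rather than Digest authentication:
// base64 is an encoding, so a Basic header hands over user:password to any observer.
func DecodeBasic(header string) string {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "Basic "))
	if err != nil {
		return ""
	}
	return string(raw)
}

func main() {
	// Values from the RFC 2617 worked example.
	nonce := "dcd98b7102dd2f0e8b11d0f600bfb0c093"
	resp := DigestResponse("Mufasa", "testrealm@host.com", "Circle Of Life",
		nonce, "00000001", "0a4f113b", "GET", "/dir/index.html")
	fmt.Println("response:          ", resp)
	srv := NewDigestServer("testrealm@host.com", map[string]string{"Mufasa": "Circle Of Life"})
	fmt.Println("first use accepted:", srv.Verify("Mufasa", nonce, "00000001", "0a4f113b", "GET", "/dir/index.html", resp))
	fmt.Println("replay accepted:   ", srv.Verify("Mufasa", nonce, "00000001", "0a4f113b", "GET", "/dir/index.html", resp))
	fmt.Println("Basic decodes to:  ", DecodeBasic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
}
```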
Q: Which of the following Web authentication techniques uses a single sign-on scheme?
a. Basic authentication
b. Digest authentication
c. NTLM authentication
d. Microsoft Passport authentication
Explanation: Answer option D is correct.
Microsoft Passport authentication is based on single sign-on authentication in which a user needs to
remember only one username and password to be authenticated for multiple services.
5. Q: What is L0phtcrack (LC4) used for?
a. Launch Denial of service attacks through cracks in the network
b. Run lofty port scans for open services in a network
c. Windows password cracking tool
d. Network traffic sniffing tool
Explanation: Answer option C is correct.
Q: According to a password policy, which of the following rules should be followed by a user
while creating a password?
Each correct answer represents a complete solution. Choose all that apply.
e. Use of both upper- and lower-case letters (case sensitivity)
f. Inclusion of one or more numerical digits
g. Inclusion of special characters
h. Inclusion of words found in a dictionary or the user's personal information
Explanation: Answer options E, F and G are correct.
A password policy is a set of rules designed to enhance computer security by encouraging users to
employ strong passwords and use them properly.
Q: You work as a professional Ethical Hacker. You are assigned a project to test the security
of www.we-are-secure.com. You are working on the Windows Server 2003 operating system.
You suspect that your friend has installed the keyghost keylogger onto your computer.
Which of the following countermeasures would you employ in such a situation?
Each correct answer represents a complete solution. Choose all that apply.
a. Monitor the programs running on the server to see whether any new process is
running on the server or not.
b. Use on-screen keyboards and speech-to-text conversion software which can also be
useful against keyloggers, as there are no typing or mouse movements involved.
c. Use commercially available anti-keyloggers such as PrivacyKeyboard.
d. Remove the SNMP agent or disable the SNMP service.
5. Q: In which of the following malicious hacking steps does email tracking come under?
a. Reconnaissance
b. Scanning
c. Gaining access
d. Maintaining Access
Explanation: Answer option A is correct.
Email tracking comes under the reconnaissance step of malicious hacking.
Q: In which of the following attacks does an attacker create the IP packets with a forged
(spoofed) source IP address with the purpose of concealing the identity of the sender or
impersonating another computing system?
a. IP address spoofing
b. Rainbow attack
c. Cross-site request forgery
d. Polymorphic shell code attack
Explanation: Answer option A is correct.
Answer option C is incorrect. Cross-site request forgery, also known as one-click attack or session
riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted
from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user
has for a particular site, CSRF exploits the trust that a site has in a user's browser. The attack works
by including a link or script in a page that accesses a site to which the user is known to have
authenticated.
Q: Which of the following tools can be used for anti-phishing?
e. Netcraft
f. Legion
g. eblaster
h. Spector
Explanation: Answer option E is correct.
The Netcraft Web site stores data of phishing Web sites and provides a toolbar that tells whether or
not a Web site is authenticated.
Netcraft is a Web site that periodically polls Web servers to determine the operating system version
and the Web-server software version. It provides Web server and Web hosting market-share
analysis, including Web server and operating system detection.
Q: John works as a Network Administrator for We-are-secure Inc. The We-are-secure server
is Linux-based. John wants to install a tool that can be used to filter packets according to the
MAC address and TCP header flag values. Which of the following tools will he use to
accomplish his task?
a. Chkrootkit
b. PsLogList
c. PsExec
d. IPTables
Explanation: Answer option D is correct.
IPTables is a firewall that is a replacement of the IPChains firewall for the Linux 2.4 kernel and later
versions.
5. Q: John works as a professional Ethical Hacker. He is assigned a project to test the
security of www.we-are-secure.com. He installs a rootkit on the Linux server of the
We-are-secure network. Which of the following statements are true about rootkits?
Each correct answer represents a complete solution. Choose all that apply.
a. They allow an attacker to run packet sniffers secretly to capture passwords.
b. They allow an attacker to conduct a buffer overflow.
c. They allow an attacker to set a Trojan in the operating system and thus open a
backdoor for anytime access.
d. They allow an attacker to replace utility programs that can be used to detect the
attacker's activity.
Explanation: Answer options A, C, and D are correct.
6. Q: You have placed a Trojan file trojan.exe inside another text file readme.txt using
NTFS streaming. Which of the following commands will you execute to extract the
Trojan from the readme.txt file?
a. c:\> cat readme.txt:trojan.exe > trojan.exe
b. c:\> cat trojan.exe > readme.txt > trojan.exe
c. c:\> cat readme.txt > trojan.exe
d. c:\> cat trojan.exe
Explanation: Answer option A is correct.
Alternate Data Streams (ADS) is a feature of the NTFS file system that allows more than one data
stream to be associated with a filename, using the filename format "filename:streamname". Alternate
streams are not listed in Windows Explorer, and their size is not included in the file size. ADS
provides the hacker a place to hide root kits or hacker tools, which can be executed without being
detected by the system administrator.
7. Q: You work as a Network Security Administrator for we-are-secure Inc. You feel that
someone has accessed your computer and used your e-mail account. To check
whether there is any virus installed on your computer, you scan your computer but do
not find any illegal software. Which of the following types of security attacks generally
runs behind the scenes on your computer?
a. Rootkit
b. Zero-day
c. Hybrid
d. Replay
Explanation: Answer option A is correct.
Answer option B is incorrect. A zero-day attack, also known as zero-hour attack, is a computer
threat that tries to exploit computer application vulnerabilities which are unknown to others,
undisclosed to the software vendor, or for which no security fix is available.
Q: Victor works as a professional Ethical Hacker for SecureNet Inc. He wants to use the
Steganographic file system method to encrypt and hide some secret information. Which of
the following disk spaces will he use to store this secret information?
Each correct answer represents a complete solution. Choose three.
e. Unused sectors
f. Dumb space
g. Hidden partition
h. Slack space
Explanation: Answer options E, G, and H are correct.
The Steganographic file system is a technique of storing files in such a manner that it encrypts data
and hides it in an efficient way so that it cannot be traced. There are three basic methods of hiding
data in disk space:
Unused sectors
Slack space
Hidden partition
8. Q: John used to work as a Network Administrator for We-are-secure Inc. Now he has
resigned from the company for personal reasons. He wants to send out some secret
information of the company. To do so, he takes an image file and simply uses the tool Image Hide
to embed the secret file within an image file of the famous actress,
Jennifer Lopez, and sends it to his Yahoo mail id. Since he is using the image file to
send the data, the mail server of his company is unable to filter this mail. Which of the
following techniques is he performing to accomplish his task?
a. Web ripping
b. Social engineering
c. Email spoofing
d. Steganography
Explanation: Answer option D is correct.
According to the scenario, John is performing the Steganography technique for sending malicious
data. Steganography is the art and science of hiding information by embedding harmful messages
within other seemingly harmless messages.
9. Q: Which of the following tools is used to hide secret data in text files and is based on
the concept that spaces and tabs are generally not visible in text viewers, and
therefore a message can be effectively hidden without affecting the text's visual
representation for the casual observer?
a. Image hide
b. Snow.exe
c. SARA
d. Fpipe
Explanation: Answer option B is correct.
Snow.exe is a Steganography tool that is used to hide secret data in text files. It is based on the
concept that spaces and tabs are generally not visible in text viewers and therefore a message can
be effectively hidden without affecting the text's visual representation for the casual observer.
Watermarking is the irreversible process of embedding information into digital media. The purpose
of digital watermarks is to provide copyright protection for intellectual property that is in digital form.
Watermarking is basically divided into two main sections
Q: You have physical access to Maria's laptop. You have downloaded a keylogger and
installed there with password protection. Now, in the covering tracks step, what will you
perform before leaving the laptop?
Each correct answer represents a complete solution. Choose all that apply.
a. Clear recent docs from registry
b. Clear caches
c. Delete cookies
d. Disabling auditing
e. Changing OS password
Explanation: Answer options A, B, C, and D are correct.
Covering Tracks is the last and important step of remote hacking, which includes the deletion of all
logs on the remote system. In Linux or UNIX, all entries of the /var folder need to be deleted, and if it
is a Windows operating system, all events and logs are deleted. This step is used by hackers to
keep their identity anonymous. The hacker generally removes security events or error messages
that have been logged to avoid being detected. To prevent detection, hackers either clear the event
logs or disable auditing.
Q: A hacker broke into an application, but forgot to cover his tracks within the enterprise
systems. You have been called in as a forensics investigator and were easily able to trace
back the activities of the hacker. What should the hacker have done to cover his tracks and
make himself difficult to identify?
Each correct answer represents a complete solution. Choose all that apply.
a. Disable auditing
b. Clear the event log
c. Run Traceless
d. Use Armor Tools
Explanation: Answer option A is correct.
Q: A Windows server has been hacked and you have been brought in to investigate how the
incident may have occurred. You look for malicious activity traces in the event logs to
investigate the hacker's attack pattern. Which of the following is a tool that system
administrators often use to enable auditing on Windows systems to capture such events?
a. Auditpol
b. WinZapper
c. Evidence Eliminator
d. ELSave
Explanation: Answer option A is correct.
Auditpol is a tool included in the Windows NT Resource Kit for system administrators. This tool can
disable or enable auditing from the Windows command line. It can also be used to determine the
level of logging implemented by a system administrator.
The EC-Council group has divided Trojans into seven primary types:
1. Remote Access Trojans: They allow attackers to gain full control over computer systems.
Remote access Trojans are usually set up as client/server programs, so that an attacker can
connect to the infected system and control it remotely.
2. Data Sending Trojans: They are used to capture and redirect data. eBlaster is an example of
this type of Trojan. It can capture keystrokes, passwords, or any other type of information and
send them back to the attacker via email.
3. Destructive Trojans: They are used to destroy files or operating systems.
4. DoS Attack Trojans: They are designed to cause a DoS attack.
5. Proxy Trojans: They are designed to work as proxies. These programs can help a hacker hide
and perform activities from the victim's computer.
6. FTP Trojans: They are specifically designed to work on port 21. These Trojans allow a hacker to
upload, download, or move files on the victim's computer.
7. Security Software Disabler Trojans: They are designed to attack and kill antivirus or software
firewalls. The goal of disabling these programs is to make it easier for the hacker to control the
system.
A Trojan horse is a malicious program that masquerades as a normal program. When a Trojan horse
program is run, its hidden code runs to destroy or scramble data on the hard disk.
4. Q: Ralph wants to provide a demo to his team of an attack type that cannot be
detected by regular firewall and IDS systems. The attack can be detected only with
tcpdump used to capture all packets entering and leaving the server machine. He
initiates a TCP connection with the server on port 80. Two separate hosts on two
separate networks were used - one machine served as a server and the other as a
client. The latest version of Snort with all the current rule sets was installed and kept
running, yet could not identify the attacks. What method of attack is Ralph planning to
use?
a. Covert channel attack
b. Tor attacks
c. Inside-Out Attack
d. White-listing attack
Explanation: Answer option A is correct.
A covert channel is a communication channel that allows a process to transfer information in a
manner that violates the system's security policy without alerting any firewalls or IDSs on the
network.
5. Q: Which of the following are uses of the covert channel?
Each correct answer represents a complete solution. Choose all that apply.
a. Transferring a file from the victim's computer to the hacker's computer and vice-versa
b. Launching applications on the victim's computer
c. Interactive remote control access from the hacker's computer to the victim's
computer
d. Vigilance of any corporate filtered firewall rules
Explanation: Answer options A, B, and C are correct.
Q: A company suspects that a disgruntled employee or a malicious insider is sending
information to an accomplice outside the corporate network. You are brought in as a security
consultant to test for insider attacks which are initiated from inside the corporate network.
What are some of the tests that you perform?
Each correct answer represents a complete solution. Choose two.
a. Reverse Engineering
b. Bypass corporate filter firewall rules from inside-out
c. DNS Tunneling
d. Social Engineering
Explanation: Answer options B and C are correct.
Q: You check your snort log and get the following suspicious part:
What type of attack might it be?
a. Back orifice
b. Netbus
c. SubSeven
d. BoBo
Explanation: Answer option A is correct.
In the log used in the question, you can see that packets are coming from 31337,
Q: Which of the following parameters of the NETSTAT command is used to display all active
connections and the TCP and UDP ports on which the computer is listening?
a. -a
b. -b
c. -e
d. -f
Explanation: Answer option A is correct.
-a: It is used to display all active connections and the TCP and UDP ports on which the
computer is listening.
-b: It is used to display the binary program's name involved in creating each connection or
listening port.
-e: It is used to display Ethernet statistics, such as the number of bytes and packets sent and
received. This parameter can be combined with -s.
-f: It is used to display fully qualified domain names (FQDN) for foreign addresses.
5. Q: Which of the following parameters of the NETSTAT command is used to display the
contents of the IP routing table?
a. -r
b. -p
c. -s
d. -t
Explanation: Answer option A is correct.
Q: You have placed a Trojan in the we-are-secure.com server, which is transmitting data from
the server to the attacker. In the meantime, the attacker runs the following command:
nc -l -u -p 22222 < /etc/passwd
What does this command do?
a. It loads the /etc/passwd file on the server.
b. It downloads the /etc/password from the server.
c. It deletes the /etc/password from the server.
d. It updates the /etc/password of the server.
Explanation: Answer option B is correct.
Q: Which of the following statements are true about ICMP tunneling?
Each correct answer represents a complete solution. Choose all that apply.
a. It is a method in which ICMP packets are sent in encrypted form via the HTTP port.
b. It is a method in which tunneling of another protocol through ICMP is performed.
c. An example of this technique is tunneling complete TCP traffic over ping requests
and replies.
d. ICMP tunneling is used to bypass firewalls, which do not block ICMP packets.
Explanation: Answer options B, C, and D are correct.
A wrapper is a program that is used to combine a harmful executable file with a harmless
executable file.
Q: You want to add a netbus Trojan in the chess.exe game program so that you can gain
remote access to a friend's computer. Which of the following tools will you use to accomplish
the task?
Each correct answer represents a complete solution. Choose all that apply.
a. Wrapper
b. Yet Another Binder
c. Beast
d. Tripwire
Explanation: Answer option A is correct.
Q: Mark works as a Network Security Administrator for uCertify Inc. He is responsible for
securing and analyzing the network of the organization. Mark is concerned about the current
network security, as individuals can access the network by bypassing authentication, thus
allowing them to get more permissions than allotted. Which of the following is responsible
for this type of privilege escalation?
a. Backdoor
b. Rootkit
c. Boot sector
d. Master Boot Record
Explanation: Answer option A is correct.
According to the scenario, a backdoor is responsible for this type of privilege escalation. A backdoor
is a program or account that allows access to a system by skipping the security checks. Many
vendors and developers implement backdoors to save time and effort by skipping the security
checks while troubleshooting. A backdoor is considered to be a security threat and should be treated
as a high-priority security risk. If a backdoor becomes known to attackers and malicious users, they
can use it to exploit the system.
Q: Which of the following are symptoms of a virus attack on your computer?
Each correct answer represents a complete solution. Choose two.
a. Faster read/write access of the CD-ROM drive
b. Sudden reduction in system resources
c. Corrupted or missing files
d. Unclear monitor display
Explanation: Answer options B and C are correct.
Q: Your Web server crashes at exactly the point where it reaches 1 million total visits. You
discover the cause of the server crash is malicious code. Which description best fits this
code?
a. Virus
b. Polymorphic Virus
c. Worm
d. Logic Bomb
Explanation: Answer option D is correct.
A logic bomb is malware that executes its malicious activity when a certain condition is met, often
when a certain date/time is reached. In this case it waited for the Web server to pass a certain
threshold.
Worms are programs that replicate themselves from system to system without the use of a host file.
5. Q: John works as a Marketing Manager for we-are-secure Inc. Today, when he opens
his email account, he receives an email with the subject "security issue". The email contains
the following message:
Remove the Boot.ini file because it is harmful for operating system.
When John reads about the Boot.ini file on the Internet, he discovers that it is a system file
that is used to load the operating system on the computer. Which of the following types of
virus has attacked John's computer?
a. Hoax
b. Polymorphic
c. Macro
d. Multipartite
Explanation: Answer option A is correct.
According to the scenario, John's computer has been attacked by a virus hoax. A computer virus
hoax is a message warning the recipient of a non-existent computer virus threat.
6. Q: Which of the following statements is true about the difference between worms and
Trojan horses?
a. Trojan horses are a form of malicious code, while worms are not.
b. Trojan horses are harmful to computers while worms are not.
c. Worms replicate themselves while Trojan horses do not.
d. Worms can be distributed through emails while Trojan horses cannot.
Explanation: Answer option C is correct.
Worms replicate themselves while Trojan horses do not. A worm is a software program that uses
computer networks and security holes to replicate itself from one computer to another.
Q: Which of the following is used to describe the type of FTP access in which a user does not
have permissions to list the contents of directories, but can access the contents if he knows
the path and file name?
a. Blind FTP
b. Secure FTP
c. Passive FTP
d. Hidden FTP
Explanation: Answer option A is correct.
Blind FTP (sometimes called anonymous FTP) gives a user the ability to go directly to specific
directories if the user knows the path and file name. However, they cannot peruse items. This is a
more secure way of allowing FTP.
Q: Which of the following tasks can be performed by a malicious bot/botnet?
Each correct answer represents a complete solution. Choose all that apply.
a. Performing DDoS attacks
b. Harvesting email addresses from contact forms or guestbook pages
c. Downloading entire Web sites to consume the bandwidth of a target
d. Stealing information such as credit card numbers, login IDs, etc.
e. Performing a spoofing attack
Explanation: Answer options A, B, C, and D are correct.
A malicious bot is automated software that is used for various unethical activities. A bot/botnet can
be used to perform any or all of the activities listed in options A through D.
Q: A user has opened a Web site that automatically starts downloading malicious code onto
his computer. What should he do to prevent this?
Each correct answer represents a complete solution. Choose two.
a. Configure Security Logs
b. Disable ActiveX Controls
c. Implement File Integrity Auditing
d. Disable Active Scripting
Explanation: Answer options B and D are correct.
In order to prevent malicious code from being downloaded from the Internet onto a computer, you
will have to disable unauthorized ActiveX Controls and Active Scripting on the Web browser.
Disabling Active Scripting and ActiveX controls makes browsers safer for browsing the Web.
4. Q: John works as a professional Ethical Hacker. He has been assigned a project to
test the security of www.we-are-secure.com. He wants to test the effect of a virus on
the We-are-secure server. He injects the virus on the server and, as a result, the server
becomes infected with the virus even though an established antivirus program is
installed on the server. Which of the following do you think are the reasons why the
antivirus installed on the server did not detect the virus injected by John?
Each correct answer represents a complete solution. Choose all that apply.
a. John has changed the signature of the virus.
b. John has created a new virus.
c. The virus, used by John, is not in the database of the antivirus program installed on
the server.
d. The mutation engine of the virus is generating a new encrypted code.
Explanation: Answer options A, B, C, and D are correct.
Not every virus can be detected by a signature-based antivirus, largely for the following reasons:
If an attacker has changed the signature of a virus, any signature-based antivirus will not be able
to find the virus.
Any new virus will not be captured by the antivirus, as it will not be on the list in the antivirus
database.
If the virus is not in the database of a signature-based antivirus, it will be virtually impossible for
the antivirus to detect that virus.
If the mutation engine of a polymorphic virus is generating a new encrypted code, this changes
the signature of the virus. Therefore, polymorphic viruses cannot be detected by a signature-
based antivirus.
Promiscuous mode is a configuration of a network card that makes the card pass all traffic it
receives to the central processing unit rather than just packets addressed to it.
Q: Which of the following tools is an open source protocol analyzer that can capture traffic in
real time?
a. Snort
b. NetWitness
c. Netresident
d. Wireshark
Explanation: Answer option D is correct.
Wireshark is an open source protocol analyzer that can capture traffic in real time. Wireshark is a
free packet sniffer computer application. It is used for network troubleshooting, analysis, software
and communications protocol development, and education.
Q: Which of the following is a network maintenance protocol of the TCP/IP protocol suite that
is responsible for the resolution of IP addresses to media access control (MAC) addresses of
a network interface card (NIC)?
a. ARP
b. DHCP
c. RARP
d. PIM
Explanation: Answer option A is correct.
Address Resolution Protocol (ARP) is a network maintenance protocol of the TCP/IP protocol
suite. It is responsible for the resolution of IP addresses to media access control (MAC) addresses.
2. Q: Which of the following is the Windows GUI tool that can perform MITM attacks,
along with sniffing and ARP poisoning?
a. CAIN
b. Ettercap
c. wsniff
d. Airjack
Explanation: Answer option A is correct.
3. Q: In which of the following attacks does an attacker change the MAC address on the sniffer
to one that is the same in another system on the local subnet?
a. MAC duplicating
b. MAC flooding
c. ARP spoofing
d. IP spoofing
Explanation: Answer option A is correct.
In a MAC duplicating attack, the attacker confuses the switch and the switch begins to think that two
ports have the same MAC address. To perform a MAC duplicating attack, the attacker changes the
MAC address on the sniffer to one that is the same in another system on the local subnet. This
differs from ARP Spoofing because, in ARP Spoofing, the attacker confuses the host by poisoning
its ARP cache.
Q: Which of the following tools can be used for an ARP poisoning attack?
Each correct answer represents a complete solution. Choose all that apply.
a. Arpspoof
b. Cain and Abel
c. Ettercap
d. Brutus
Explanation: Answer options A, B, and C are correct.
Arpspoof (part of the DSniff suite of tools), Cain and Abel, and Ettercap are the tools that can be
used to carry out ARP poisoning attacks.
4. Q: Which of the following attacks allows an attacker to sniff data frames on a local
area network (LAN) or stop the traffic altogether?
a. ARP spoofing
b. Port scanning
c. Man-in-the-middle
d. Session hijacking
Explanation: Answer option A is correct.
Q: As a security consultant, you are investigating a possible attack scenario where corporate
employees within a corporation get redirected to an unknown website page when entering a
public email site address in the browser. This new site requests their user ID and password to
validate credentials, before forwarding the request to the email site. As a consultant, you
want to validate this website change, and when you access this site from your iPhone, you
go directly to the original webpage of the email site. What possible attack has the company
been subjected to?
a. DNS cache poisoning attack
b. DNS zone transfer attack
c. Webcache poisoning attack of the email server
d. Directory traversal attack
Explanation: Answer option A is correct.
Q: You want to install WinDump, the Windows counterpart of the Linux-based tcpdump packet
sniffer. For this, you need to install a library. Which of the following is the name of the
library?
a. WinPCAP
b. idconfig
c. Winconf
d. WinTCP
Explanation: Answer option A is correct.
WinDump is the Windows version of tcpdump that is used to view, diagnose, and save to disk
network traffic as defined in the various rules. It is used in Windows 95, Windows 98, Windows ME,
Windows NT, Windows 2000, Windows XP, Windows 2003, and Windows Vista. WinDump uses the
WinPcap library and drivers for packet capturing. It also uses the 802.11b/g wireless capturing
technique and the CACE Technologies AirPcap adapter.
WinPcap is the tool that is used for link-layer network access in Windows environments. It allows
applications to capture and transmit network packets bypassing the protocol stack, and has
additional useful features, which include kernel-level packet filtering, a network statistics engine and
support for remote packet capture.
2. Q: In which of the following conditions does Ethereal (Wireshark) work best?
a. When you are targeting networks using hubs
b. When you are targeting switched networks
c. When you are targeting Windows-based networks
d. When you are targeting Linux-based networks
Explanation: Answer option A is correct.
Q: Which of the following attacks can be performed by attacking the CAM switches?
a. MAC flooding
b. ARP spoofing
c. IP address spoofing
d. DNS cache poisoning
Explanation: Answer option A is correct.
MAC flooding is an attack that can be performed by attacking a switch's CAM (content addressable
memory) table. MAC flooding is a technique employed to compromise the security of network
switches. In a typical MAC flooding attack, a switch is flooded with packets, each containing a
different source MAC address. The intention is to consume the limited memory set aside in the switch
to store the MAC address-to-physical port translation table. This attack causes the switch to enter a
state called fail-open mode, in which all incoming packets are broadcast out on all ports (as with a
hub), instead of just down the correct port as per normal operation.
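The detection angle on the explanation above: an access port that normally sources one or two MAC addresses suddenly sources hundreds. The following added example (written for this page, not code from the study guide or from any switch vendor) counts distinct source MACs per ingress port over a sliding time window and flags ports that exceed a threshold. The frame records are constructed, and the function name, the 10-second window and the threshold of 16 addresses are assumptions; a real deployment would take the per-port limit from the same place port-security does.

```python
from collections import defaultdict, deque

# Constructed frame records (timestamp in seconds, ingress switch port, source MAC).
# Not captured from a real network: three quiet access ports and one port that
# suddenly sources 300 different MAC addresses in about a third of a second.
SAMPLE_FRAMES = [
    (0.0, "Gi1/0/1", "00:11:22:33:44:01"),
    (0.5, "Gi1/0/1", "00:11:22:33:44:01"),
    (1.0, "Gi1/0/2", "00:11:22:33:44:02"),
    (1.2, "Gi1/0/3", "00:11:22:33:44:03"),
    (1.4, "Gi1/0/3", "00:11:22:33:44:04"),   # two hosts behind a small hub: legitimate
] + [
    (2.0 + i * 0.001, "Gi1/0/7", f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}")
    for i in range(300)
]


def flag_mac_flooding(frames, window_seconds=10.0, max_macs_per_port=16):
    """Return {port: peak_distinct_macs} for every port on which the number of
    distinct source MACs seen within any window_seconds window exceeded
    max_macs_per_port. Thresholds are illustrative assumptions.

    A per-port sliding window is kept as a deque of (timestamp, mac) plus a
    count of each MAC currently inside the window, so the distinct-MAC count
    is len(counts) at every step.
    """
    recent = defaultdict(deque)                       # port -> deque[(ts, mac)]
    in_window = defaultdict(lambda: defaultdict(int))  # port -> mac -> count
    peak = defaultdict(int)                           # port -> highest distinct count seen

    for ts, port, mac in sorted(frames):
        q, counts = recent[port], in_window[port]
        q.append((ts, mac))
        counts[mac] += 1
        # Expire frames that fell out of the window.
        while q and ts - q[0][0] > window_seconds:
            old_ts, old_mac = q.popleft()
            counts[old_mac] -= 1
            if counts[old_mac] == 0:
                del counts[old_mac]
        peak[port] = max(peak[port], len(counts))

    return {port: n for port, n in peak.items() if n > max_macs_per_port}


if __name__ == "__main__":
    for port, n in flag_mac_flooding(SAMPLE_FRAMES).items():
        print(f"possible CAM-table flood on {port}: {n} distinct source MACs")
```

The same count is what a switch's port-security feature enforces in hardware (shutting or restricting the port once the per-port MAC limit is exceeded), which is the usual mitigation; the script is useful where the switch only exports flow or span data and cannot enforce the limit itself.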
Q: Which of the following statements are true of spoofing and session hijacking?
Each correct answer represents a complete solution. Choose all that apply.
e. Spoofing is an attack in which an attacker can spoof the IP address or other identity
of the target but the valid user can be active.
f. Session hijacking is an attack in which the attacker takes over the session, and the
valid user's session is disconnected.
g. Session hijacking is an attack in which the attacker takes over the session, and the
valid user's session is not disconnected.
h. Spoofing is an attack in which the attacker can spoof the IP address or other identity
of the target, and the valid user cannot be active.
Explanation: Answer options E and G are correct.
Q: Which of the following options is used by hackers to control a malicious bot?
a. IRC channels
b. IM tools
c. Websites
d. FTP servers
Explanation: Answer option A is correct.
Because IRC connections are usually unencrypted and typically span long time periods, they are an
attractive target for malicious crackers.
Q: Against which of the following does SSH provide protection?
Each correct answer represents a complete solution. Choose two.
a. IP spoofing
b. Broadcast storm
c. DoS attack
d. Password sniffing
Explanation: Answer options A and D are correct.
Secure Shell (SSH) is a protocol that provides strong authentication and secure communications
over insecure channels. It uses public key encryption as the main method for user authentication.
SSH secures connections over the Internet by encrypting passwords and other data. It also protects
networks against IP spoofing, packet spoofing, password sniffing, and eavesdropping. SSH uses
TCP port 22 as the default port and operates at the application layer.
Q: Which of the following are the parts of active sniffing?
Each correct answer represents a complete solution. Choose all that apply.
a. MAC flooding
b. ARP spoofing
c. MAC duplicating
d. OS fingerprinting
Explanation: Answer options A, B, and C are correct.
Q: Which Snort mode reads the packets of the network and displays them in a continuous
stream on the console?
a. Sniffer
b. Packet logger
c. Network intrusion detection
d. Output module
Explanation: Answer option A is correct.
Q: Which of the following steps can be taken as countermeasures against sniffer attacks?
Each correct answer represents a complete solution. Choose all that apply.
a. Use encrypted protocols for all communications.
b. Use switches instead of hubs since they switch communications, which means that
information is delivered only to the predefined host.
c. Use tools such as StackGuard and Immunix System to avoid attacks.
d. Reduce the range of the network to avoid attacks into wireless networks.
Explanation: Answer options A, B, and D are correct.
1. Q: John works as a claims processor for an Insurance company. He gets an email marked
urgent from a customer who says she uploaded all her accident pictures online and that John
could click on the link to view pictures of the damaged vehicle. John understands that this is
not the usual process to review accident claims, but clicks on the link out of curiosity. It takes
him to a website which he does not recognize, and after a few moments, he closes his
browser. Later on, John notices that his workstation has become slower and documents are
taking significantly longer time to open up. What could be a probable cause for this
slowness?
a. The system has been subjected to a pharming attack.
b. John has been subjected to a vishing attack.
c. John has been subjected to a phishing attack.
d. The system slowness is due to inadequate capacity planning.
Explanation: Answer option C is correct.
Phishing involves sending emails that appear to come from reliable sources and that try to get users
to click on a link to a spoofed web page.
2. Q: Identify the kind of hacking attack described in the following scenario: A coworker
hacker renames or moves a file so that the target thinks that it no longer exists. The hacker
speculates that they might be able to get the file back. The target, keen to get on with their
work, or concerned that the loss of the information could be their own fault, leaps at this
offer. The hacker states that this could only be done if they were to log on as the target. He
or she may even say that company policy prohibits this. The target will beg the hacker to log
on as them and try to reinstate the file. Grudgingly, the hacker agrees, reinstates the original
file, and steals the target's user ID and password. He or she may even have embellished their
reputation such that they receive requests to assist other coworkers. This approach can
bypass the regular IT support channels and make it easier for the hacker to remain
unnoticed.
a. Tailgating
b. Piggybacking
c. Reverse social engineering
d. Dumpster diving
Explanation: Answer option B is correct.
Answer option A is incorrect. In tailgating, an unauthorized person wearing a fake ID badge enters
a secured area by closely following an authorized person through a door requiring key access. An
authorized person may not be aware of having provided an unauthorized person access to a
secured area.
Answer option B is incorrect. Piggybacking occurs when an authorized person allows the hacker to
pass through a secure door either intentionally or unintentionally. The attacker may fabricate a story
of having forgotten the ID or badge and the victim may fall for it. Sometimes piggybacking can
happen without awareness or intention.
4. Q: John works as an IT Technician for uCertify Inc. One morning, John receives an e-
mail from the company's Manager asking him to provide his logon ID and password,
but the company policy restricts users from disclosing their logon IDs and
passwords. Which type of possible attack is this?
a. DoS
b. Replay attack
c. Social engineering
d. Trojan horse
Explanation: Answer option C is correct.
Q: You work as an IT Technician for BlueBell Inc. Your work includes implementing security
for the company's network to protect users against social engineering attacks. Which of the
following are most commonly used by a social engineering hacker?
Each correct answer represents a complete solution. Choose all that apply.
a. E-mail
b. Telephone
c. Personal approaches
d. Brute force
e. Trojan horse
Explanation: Answer options A, B, and C are correct.
Q: Which of the following are examples of passive attacks?
Each correct answer represents a complete solution. Choose all that apply.
a. Eavesdropping
b. Dumpster diving
c. Shoulder surfing
d. Placing a backdoor
Explanation: Answer options A, B, and C are correct.
Q: John works as a professional Ethical Hacker. He has been assigned the project of testing
the security of www.we-are-secure.com. He is using dumpster diving to gather information
about We-are-secure, Inc. In which of the following steps of malicious hacking does
dumpster diving come under?
a. Reconnaissance
b. Scanning
c. Gaining access
d. Maintaining access
Explanation: Answer option A is correct.
According to the scenario, John is performing dumpster diving, which comes under the
Reconnaissance step of malicious hacking. Reconnaissance is the first step in malicious hacking in
which the attacker gathers information about the victim.
5. Q: John works as a Programmer for We-are-secure Inc. On one of his routine visits to
the company, he noted down the passwords of some employees while they were
typing them on their computer screens. Which of the following social engineering
attacks did he just perform?
a. Dumpster diving
b. Shoulder surfing
c. Important user posing
d. Authorization by third party
Explanation: Answer option B is correct.
In the given scenario, John was performing a shoulder surfing attack. Shoulder surfing is a type of
in-person attack in which the attacker gathers information on the premises of an organization. This
attack is often performed by looking surreptitiously at the keyboard of an employee's computer
while he is typing in his password at any access point such as a terminal or Web site.
Q: In which of the following social engineering attacks does an attacker first damage any part
of the target's equipment and then advertise himself as an authorized person who can help
fix the problem?
e. Reverse social engineering attack
f. Impersonation attack
g. Important user posing attack
h. In person attack
Explanation: Answer option A is correct.
A reverse social engineering attack is a person-to-person attack in which the attacker convinces
the target that he or she has a problem or might have a certain problem in the future and that he, the
attacker, is ready to help solve the problem.
6. Q: You are the Network Administrator for a bank. In addition to the usual security
issues, you are concerned that your customers could be the victim of phishing
attacks that use fake bank Web sites. Which of the following would protect against
this?
a. Mutual authentication
b. Two factor authentication
c. Three factor authentication
d. MAC
Explanation: Answer option A is correct.
In mutual authentication, not only does the server (in this case, the bank's Web server)
authenticate the client, but the client also authenticates the server.
7. Q: Which of the following statements are true about a phishing attack?
a. It is a way of attempting to obtain sensitive information, such as usernames,
passwords, and credit card details.
b. It is usually carried out by e-mail spoofing or instant messaging.
c. It frequently directs users to enter details at a fake website whose look and feel are
almost identical to the legitimate one.
d. In a phishing attack, an attacker sends multiple SYN packets to the target computer.
Explanation: Answer options A, B, and C are correct.
Q: Which of the following is a technique through which an attacker changes the format of
URLs so that they can bypass filters or other application defenses that have been put in place
to block specific IP addresses?
a. URL obfuscation
b. Reverse social engineering
c. Dumpster diving
d. Shoulder surfing
Explanation: Answer option A is correct.
Q: Into which two primary categories can all social engineering attacks be divided?
a. Human-based and computer-based attacks
b. Fear-based and persuasion-based attacks
c. Phishing-based and spear-phishing based attacks
d. Insider-based attacks and outsider-based attacks
Explanation: Answer option A is correct.
Q: A social engineer is someone who uses deception, persuasion, and influence to get
information that would otherwise be unavailable. Put the steps of the general methodology
used by a hacker to complete a social engineering attack in the correct sequence.
a. Select victim, Research, Develop relationship, Exploit relationship
b. Research, Develop relationship, Select victim, Exploit relationship
c. Research, Select victim, Develop relationship, Exploit relationship
d. Select victim, Develop relationship, Research, Exploit relationship
Explanation: Answer option C is correct.
5. Q: What are some of the possible countermeasures for social engineering attacks?
Each correct answer represents a complete solution. Choose all that apply.
a. Use relevant firewalls and updated tools.
b. Enforce appropriate security policies.
c. Have an open-minded corporate culture.
d. Implement relevant security training and awareness methods.
Explanation: Answer option B is correct.
Appropriate security policies around passwords, auditability, separation of duties and accountability
will make the employees less susceptible to social engineering attacks. Specify that the service desk
is the single point of contact for reporting user issues.
1. Q: In which of the following DoS attacks does an attacker send an ICMP packet larger
than 65,536 bytes to the target system?
a. Jolt
b. Ping of death
c. Teardrop
d. Fraggle
Explanation: Answer option B is correct.
In the ping of death attack, the attacker sends an ICMP packet larger than 65,536 bytes.
Answer option C is incorrect. In a teardrop attack, a series of data packets are sent to the target
system with overlapping offset field values. As a result, the target system is unable to reassemble
these packets and is forced to crash, hang, or reboot.
Answer option D is incorrect. In a fraggle DoS attack, an attacker sends a large amount of UDP
echo request traffic to the IP broadcast addresses. These UDP requests have a spoofed source
address of the intended victim.
Q: Maria works as a professional Ethical Hacker. She has been assigned a project to test the
security of www.we-are-secure.com. She wants to test a DoS attack on the We-are-secure
server. She finds that the firewall of the server is blocking the ICMP messages, but it is not
checking the UDP packets. Therefore, she sends a large amount of UDP echo request traffic
to the IP broadcast addresses. These UDP requests have a spoofed source address of the
We-are-secure server. Which of the following DoS attacks is Maria using to accomplish her
task?
a. Fraggle DoS attack
b. Smurf DoS attack
c. Ping flood attack
d. Teardrop attack
Explanation: Answer option A is correct.
A honeypot is a computer that is used to attract potential intruders or attackers. It is for this reason
that a honeypot has low security permissions. A honeypot is used to gain information about the
intruders and their attack strategies.
2. Q: John works as a professional Ethical Hacker. He has been assigned the project of
testing the security of www.we-are-secure.com. He is using the TFN and Trin00 tools
to test the security of the We-are-secure server, so that he can check whether the
server is vulnerable or not. Using these tools, which of the following attacks can John
perform to test the security of the We-are-secure server?
e. DDoS attack
f. Replay attack
g. Brute force attack
h. Cross site scripting attack
Explanation: Answer option E is correct.
DDoS attack
In a distributed denial of service (DDoS) attack, the attacker uses multiple computers throughout the
network that it has previously infected. Such computers act as zombies and work together to send
out bogus messages, thereby increasing the amount of phony traffic. The major advantages to an
attacker of using a distributed denial-of-service attack are that multiple machines can generate more
attack traffic than one machine, multiple attack machines are harder to turn off than one attack
machine, and that the behavior of each attack machine can be stealthier, making it harder to track
down and shut down. TFN, TRIN00, etc. are tools used for DDoS attacks.
4. Q: In which of the following attacks does an attacker send a spoofed TCP SYN packet
in which the IP address of the target is filled in both source and destination fields?
a. Land attack
b. Jolt DoS attack
c. Smurf DoS attack
d. Fraggle DoS attack
Explanation: Answer option A is correct.
In a land attack, the attacker sends the spoofed TCP SYN packet in which the IP address of the
target host is filled in both the source and destination fields.
Q: Which of the following can be applied as countermeasures against DDoS attacks?
Each correct answer represents a complete solution. Choose all that apply.
a. Using Intrusion detection systems
b. Limiting the amount of network bandwidth
c. Using network-ingress filtering
d. Blocking the IP address
e. Using LM hashes for passwords
Explanation: Answer options A, B, C, and D are correct.
The techniques to prevent DDoS attacks are as follows:
Applying router filtering
Blocking undesired IP addresses
Permitting network access only to desired traffic
Disabling unneeded network services
Updating antivirus software regularly
Establishing and maintaining appropriate password policies, especially for access to highly
privileged accounts such as UNIX root or Microsoft Windows NT Administrator
Limiting the amount of network bandwidth
Using network-ingress filtering
Using automated network-tracing tools
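Of the countermeasures listed, network-ingress filtering (option C) is the one that defeats the spoofed sources used by fraggle, smurf and land attacks, because a packet entering from a customer link with a source address that does not belong to that link is dropped before it can be amplified or reflected. The following added example (written for this page, not code from the study guide or from any router vendor) implements that check in Python with the standard ipaddress module. The interface-to-prefix table, the function names and the packet tuples are constructed assumptions using documentation address ranges.

```python
import ipaddress

# Constructed assumption: an edge router whose customer-facing interfaces are
# assigned these prefixes (documentation ranges, not real networks).
INTERFACE_PREFIXES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("2001:db8:1::/48")],
}


def ingress_permitted(interface: str, src_ip: str) -> bool:
    """Network-ingress filtering check for one packet.

    A packet arriving on a customer interface is forwarded only if its source
    address lies inside a prefix assigned to that interface. Anything else is
    a spoofed source (for example a smurf or fraggle victim's address, or the
    target's own address in a land attack) and is dropped. Unknown interfaces
    and malformed addresses are denied by default.
    """
    prefixes = INTERFACE_PREFIXES.get(interface)
    if prefixes is None:
        return False
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    # 'in' compares address family first, so an IPv4 source never matches an
    # IPv6 prefix and vice versa.
    return any(addr in prefix for prefix in prefixes)


def filter_packets(packets):
    """Split (interface, src_ip, dst_ip) packets into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        interface, src_ip, _dst_ip = pkt
        (forwarded if ingress_permitted(interface, src_ip) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic, not captured packets.
SAMPLE_PACKETS = [
    ("eth1", "203.0.113.7", "192.0.2.80"),      # legitimate customer host
    ("eth1", "192.0.2.80", "203.0.113.255"),    # source spoofed as the victim: dropped
    ("eth2", "198.51.100.20", "192.0.2.80"),    # inside the /25: forwarded
    ("eth2", "198.51.100.200", "192.0.2.80"),   # outside the /25: dropped
    ("eth2", "2001:db8:1::5", "2001:db8:2::1"), # IPv6 customer host: forwarded
    ("eth9", "203.0.113.7", "192.0.2.80"),      # unknown interface: dropped
    ("eth1", "not-an-address", "192.0.2.80"),   # malformed: dropped
]


if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}")
    for pkt in drp:
        print("dropped:", pkt)
```

This is the logic behind an ingress access list or unicast reverse-path forwarding on a real router; the point for the exam material is that it has to be applied at the network edge closest to the sources, since by the time amplified traffic reaches the victim the source addresses are already the victim's own.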
5. Q: John works as a professional Ethical Hacker. He has been assigned the project of
testing the security of www.we-are-secure.com. He observes that the We-are-secure
server is vulnerable to a special type of DoS attack and he makes the following
suggestions to the security authority to protect the server from this DoS attack. The
countermeasures against this type of DoS attack are as follows:
Disabling IP-directed broadcasts at the We-are-secure router
Configuring local computers so as not to respond to such ICMP packets that are configured to
be sent to IP broadcast addresses
Which of the following DoS attacks has John discovered as a vulnerability for the We-are-secure
security network?
a. Teardrop attack
b. Smurf attack
c. Fraggle attack
d. Jolt attack
Explanation: Answer option B is correct.
According to the countermeasures, John has discovered that the We-are-secure server is vulnerable
to a smurf DoS attack. In a smurf DoS attack, the attacker sends a large amount of ICMP echo
request traffic to the IP broadcast addresses. These ICMP requests have a spoofed source address
of the intended victim.
6. Q: Which of the following are malicious activities performed by a bot/botnet?
Each correct answer represents a complete solution. Choose three.
a. It can work as spambots that harvest email addresses from contact forms or
guestbook pages.
b. It can be a malicious downloader program that sucks bandwidth by downloading
entire Web sites.
c. It can work as a virus or as a worm.
d. It can detect honeypots.
Explanation: Answer options A, B, and C are correct.
A malicious bot is automated software that is used for various unethical activities. A bot/botnet can
be used to perform any or all of the following malicious activities:
It can work as spambots, which harvest email addresses from contact forms or guestbook
pages.
It can be a malicious downloader program that sucks bandwidth by downloading entire Web
sites.
It can be Web site scrapers that grab the content of Web sites and re-use it without permission
on automatically generated doorway pages.
It can work as a virus or as a worm.
It can perform DDoS attacks.
It can be a malicious file-name modifier on peer-to-peer file-sharing networks. These change the
names of files (often containing malware) to match user search queries.
A botnet is a type of malware that allows an attacker to take control over an infected computer. It is
also known as a Web robot. Botnets are usually part of a network of infected machines, which is
typically made up of victim machines that stretch across the globe.
7. Q: As part of a forensic investigation done on a hacked network, the investigator
discovered that the password of the administrator account had been discovered
locally, despite preventative measures like anti-virus and anti-spyware software being
installed on the domain controller servers. What technique did the attacker possibly
use?
a. Stealth anonymizer
b. Hardware keylogger
c. SNMP community strings
d. SMB signing
Explanation: Answer option B is correct.
A hardware keylogger is a physical device placed between the keyboard and the computer (or
built into the keyboard). It records keystrokes without running any software on the host, so
anti-virus and anti-spyware products on the domain controller cannot detect it.
Q: You suspect that your server is being subjected to SYN flooding attacks, as the server is
becoming unresponsive and the listen queue is filling up very quickly. This attack works by
filling up the table reserved for half-open TCP connections in the operating system's TCP/IP
stack. In a 3-way TCP handshake, what missing step is contributing to this attack?
a. SYN
b. SYN-ACK
c. ACK-SYN
d. ACK
Explanation: Answer option D is correct.
The server answers every SYN with a SYN-ACK and keeps a half-open entry in its backlog until
the client's final ACK completes the handshake. A SYN flood sends SYNs (usually from spoofed
source addresses, so the SYN-ACKs go nowhere) and never sends that ACK, so the backlog fills
with half-open connections and legitimate SYNs are dropped. SYN cookies are the usual
mitigation: the server encodes the connection state in its sequence number instead of storing it
until the ACK arrives.
1. Q: Which of the following are methods to prevent session hijacking?
Each correct answer represents a complete solution. Choose all that apply.
a. Regenerating the session id after a successful login
b. Using a short straight number or string as the session key
c. Encrypting data passed between the parties, in particular the session key
d. Changing the value of the cookie with each and every request
Explanation: Answer options A, C, and D are correct.
Following are the methods to prevent session hijacking:
Use a long random number or string as the session key. This reduces the risk that an attacker
could simply guess a valid session key through trial and error or brute force attacks.
Regenerate the session id after a successful login. This prevents session fixation because the
attacker does not know the session id of the user after he has logged in.
Encrypt the data passed between the parties, in particular the session key. This technique is
widely relied upon by Web-based banks and other e-commerce services: with TLS on every page
(and the cookie marked Secure) an attacker on the network cannot sniff the session key in
transit. It does not stop other kinds of session hijack, such as session fixation or cookie theft
through cross-site scripting.
Some services make secondary checks against the identity of the user. For example, a Web
server could check with each request made that the IP address of the user matched the one last
used during that session. This does not prevent attacks by somebody who shares the same IP
address, however, and could be frustrating for users whose IP address is liable to change during
a browsing session.
Alternatively, some services will change the value of the cookie with each and every request.
This dramatically reduces the window in which an attacker can operate and makes it easy to
identify whether an attack has taken place, but can cause other technical problems (for example,
preventing the back button from working properly on the Web).
1. Q: You are in the process of recommending mitigation attacks against possible session
hijacking threats. You advise the development team to use a random long number as the
session key. Which session hijacking attack are you trying to mitigate?
a. Brute force
b. Misdirected Trust
c. Blind Hijacking
d. IP Spoofing
Explanation: Answer option A is correct.
2. Q: John works as a professional Ethical Hacker. He has been assigned the project of testing
the security of www.we-are-secure.com. John notices that the We-are-secure network is
vulnerable to the man-in-the-middle attack since the key exchange process of the
cryptographic algorithm does not authenticate participants. Which cryptographic algorithm is
being used by the We-are-secure server?
a. RSA
b. Diffie-Hellman
c. Blowfish
d. Twofish
Explanation: Answer option B is correct.
Diffie-Hellman is a key agreement protocol, not an encryption algorithm: two parties derive a
shared secret from public values they exchange. Anonymous (unauthenticated) Diffie-Hellman
does not verify who sent those values, so an active attacker can run a separate exchange with
each party and relay traffic between them. Protocols such as TLS close the gap by signing the
exchanged values or authenticating the parties with certificates. RSA, Blowfish and Twofish are
ciphers, not key exchange protocols.
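Added worked example (not from the original guide): a toy Diffie-Hellman exchange in Python, first
honest and then with an attacker on the wire. The group p = 23, g = 5 and the private values used in
the checks are chosen small so the arithmetic can be followed by hand; real systems use 2048-bit or
larger groups and, crucially, authenticate the public values (for example by signing them, as TLS
does) so that the substitution shown here is detected.

```python
import secrets

# Toy group, constructed for the example. Real deployments use 2048-bit+ groups
# (e.g. RFC 7919 ffdhe2048); p=23, g=5 is only small enough to check by hand.
P, G = 23, 5


def public_value(private, p=P, g=G):
    return pow(g, private, p)


def shared_secret(their_public, my_private, p=P):
    return pow(their_public, my_private, p)


def honest_exchange(a, b):
    """Alice (private a) and Bob (private b) swap public values directly.
    Both sides end up with the same secret."""
    A, B = public_value(a), public_value(b)
    return shared_secret(B, a), shared_secret(A, b)


def mitm_exchange(a, b, m):
    """Mallory (private m) sits between them. Nothing ties a public value to the
    person who sent it, so Mallory replaces both with her own value M and then
    holds one key with Alice and a different key with Bob, decrypting and
    re-encrypting as traffic passes through."""
    A, B, M = public_value(a), public_value(b), public_value(m)
    # Alice sends A; Mallory forwards M to Bob. Bob sends B; Mallory forwards M to Alice.
    return {
        "alice": shared_secret(M, a),          # Alice believes this is shared with Bob
        "bob": shared_secret(M, b),            # Bob believes this is shared with Alice
        "mallory_alice": shared_secret(A, m),  # equals Alice's key
        "mallory_bob": shared_secret(B, m),    # equals Bob's key
    }


def random_private(p=P):
    return secrets.randbelow(p - 2) + 1        # 1 .. p-2


if __name__ == "__main__":
    a, b, m = random_private(), random_private(), random_private()
    print("honest:", honest_exchange(a, b))
    print("mitm:  ", mitm_exchange(a, b, m))
```

With a = 6, b = 15 the honest exchange yields 2 on both sides; with Mallory's m = 13 Alice and Bob
compute 18 and 7 respectively, each matching Mallory's copy and not each other. Neither victim can
tell the difference from the numbers alone, which is exactly why the exchange must be authenticated.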
Cryptography
Cryptography is the practice of encrypting and decrypting messages. Encrypted text cannot be
read without the key; decrypting it restores the readable message. The terms used in cryptography
are as follows:
Plaintext: The readable message before encryption (or after decryption).
Ciphertext: The encrypted, non-readable form of the message.
Encryption: The process of turning plaintext into ciphertext.
Decryption: The process of turning ciphertext back into plaintext.
Cipher: The algorithm used to encrypt and decrypt.
Key: The secret value that parameterises the cipher. The same cipher with a different key
produces different ciphertext, and it is the key, not the algorithm, that must be kept secret.
Q: Which type of attack is the Man in the middle attack?
a. Active
b. Passive
c. Both active and passive
d. Neither active nor passive.
Explanation: Answer option A is correct.
A man-in-the-middle attacker intercepts, relays and can modify the traffic between two parties,
which makes it an active attack; merely sniffing traffic would be passive.
Q: Which of the following can be used to perform session hijacking?
Each correct answer represents a complete solution. Choose all that apply.
a. Session fixation
b. Session sidejacking
c. Cross-site scripting
d. ARP spoofing
Explanation: Answer options A, B, and C are correct.
3. Q: Which of the following types of attack techniques forces a user's session ID to an explicit
value?
a. Session Fixation attack
b. FMS attack
c. Zero-day attack
d. Max Age attack
Explanation: Answer option A is correct.
Q: In this particular mode of hijacking, the authentication check is performed only when the session
is open. A hijacker who successfully launches this attack is able to take control of the connection
throughout the duration of the session. If an attacker is able to steal the session cookie, he can
pretend to be the same user, or hijack the session during its lifetime. What countermeasures can the
developer implement to prevent this kind of hijacking?
Each correct answer represents a complete solution. Choose two.
a. Ignore or report unknown or suspicious links forwarded through mails or IM's.
b. Clear cookie after browser session is closed.
c. Reduce the life span of a session or a cookie.
d. Regenerate the session id after a successful login.
Explanation: Answer options C and D are correct.
Both are measures the developer can build into the application. Reducing the lifetime of the
session or cookie shortens the window in which a stolen cookie remains valid, at the cost of more
frequent re-authentication. Regenerating the session id after a successful login invalidates any
id the attacker observed or planted before authentication. Options A and B are user-side
precautions, not developer countermeasures.
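Added worked example (not from the original guide) covering the session-hijacking countermeasures
above: a long random session key, regeneration of the id on login, and a short session lifetime.
The `SessionStore` class and the `session_fixation_attack` simulation are constructed for this
example and are not a real framework; the outcome labels and the injectable clock exist only so
the behaviour can be checked without a browser or a real delay.

```python
import secrets
import time

SESSION_ID_BYTES = 32        # 256 bits of entropy: guessing a valid id is infeasible
SESSION_TTL_SECONDS = 900    # short lifetime: a stolen cookie stops working after 15 minutes

# Hypothetical outcome labels for the simulation below.
ATTACK_SUCCEEDED = "attacker holds victim session"
ATTACK_FAILED = "planted id no longer valid"


class SessionStore:
    """Minimal in-memory session store, constructed for this example."""

    def __init__(self, regenerate_on_login=True, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.sessions = {}            # session id -> {"user": str | None, "issued": float}
        self.regenerate_on_login = regenerate_on_login
        self.ttl = ttl
        self.clock = clock            # injectable so expiry can be tested without sleeping

    def _fresh_id(self):
        return secrets.token_urlsafe(SESSION_ID_BYTES)   # long random string, never sequential

    def new_session(self):
        sid = self._fresh_id()
        self.sessions[sid] = {"user": None, "issued": self.clock()}
        return sid

    def login(self, sid, user):
        """Authenticate the holder of `sid`; returns the id the client must use from now on."""
        if sid not in self.sessions:
            # An id the server never issued (attacker-chosen) is never adopted.
            sid = self.new_session()
        if self.regenerate_on_login:
            # Fixation defence: retire the pre-login id so whoever planted it learns nothing.
            del self.sessions[sid]
            sid = self._fresh_id()
            self.sessions[sid] = {"user": user, "issued": self.clock()}
        else:
            self.sessions[sid]["user"] = user
        return sid

    def current_user(self, sid):
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if self.clock() - entry["issued"] > self.ttl:
            del self.sessions[sid]    # expired: bounds how long a stolen cookie is useful
            return None
        return entry["user"]


def session_fixation_attack(store):
    """Attacker obtains a pre-login id, plants it in the victim's browser (for example
    through a crafted link), the victim logs in with it, and the attacker then tries to
    use the same id."""
    planted = store.new_session()
    store.login(planted, "victim")
    return ATTACK_SUCCEEDED if store.current_user(planted) == "victim" else ATTACK_FAILED
```

With `regenerate_on_login=False` the planted id carries the victim's identity after login and the
attack succeeds; with regeneration enabled the planted id is gone and the attacker's cookie is
worthless. The TTL check shows the other countermeasure: once the lifetime passes, even a correctly
stolen cookie returns no user.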
Q: You have been tasked with finding vulnerabilities in a web application. You run a sniffer and try to
predict the sessionID number, and try to establish connection impersonating as another user. What
vulnerability are you checking for?
a. Session hijacking
b. Cross site scripting
c. SQL injection
d. Insecure direct object reference
Explanation: Answer option A is correct.
4. Q: Which of the following consists of exploiting insufficient security validation/sanitization of
user-supplied input file names?
a. Directory traversal
b. Dictionary
c. Hybrid
d. Smart Force
Explanation: Answer option A is correct
Directory traversal (or path traversal) is an attacking method to exploit insufficient security
validation/sanitization of user-supplied input file names, so that characters representing "traverse to
parent directory" are passed through to the file APIs.
Q: Jack was provided a pre-installed Apache server. The server came with default and sample files,
including applications, configuration files, scripts, and web pages. In addition, it also had content
management and remote administration services enabled. Debugging functions were enabled and
administrative functions were made accessible to anonymous users. When Jack's manager takes a
look at the server, what does he recommend?
a. Appreciate Jack's willingness to leave the default features enabled, so that the server
functionalities can be leveraged.
b. Warns Jack that leaving these defaults enabled invites server misconfiguration attacks,
which exploit configuration weaknesses found in web servers and application servers.
c. Runs a performance test on the server to check CPU utilization with default files and
passwords.
d. Gives a go ahead to deploy the server for production applications.
Explanation: Answer option B is correct.
Q: Jill is a senior developer who is aware of security threats. She writes her code so that when a
malicious user makes a URI request for a file/directory , it will build a full path to the file/directory if it
exists, and normalize all characters (e.g., %20 converted to spaces). Which web application
vulnerability is Jill securing the application against?
a. SQL injection
b. Cross site scripting
c. Security misconfiguration
d. Directory traversal attacks
Explanation: Answer option D is correct.
Q: You are trying to test your webserver security and try navigating to web pages such as
http://target.tgt/../../etc/passwd or http://target.tgt/../../etc/shadow in an effort to pull the files
containing user accounts and hashed passwords. What kind of attack are you initially performing?
a. Rainbow table attack
b. Brute force attack
c. Dictionary-based attack
d. Directory traversal attack
Explanation: Answer option D is correct.
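Added worked example (not from the original guide) for the three directory traversal questions
above: the unchecked path handling the attack relies on, beside the approach attributed to Jill
(build the full path, normalise it, then check it). The document root `/var/www/html` and the
function names are assumptions for this example. `posixpath.normpath` is used as a pure-string
stand-in for what the filesystem does with `..`, so the example runs without touching disk; a real
server should resolve through `os.path.realpath` as well, so that symlinks cannot escape the root.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root for this example


def vulnerable_resolve(requested, root=WEB_ROOT):
    """Decode and join with no boundary check: '..' segments walk above the root."""
    return posixpath.normpath(posixpath.join(root, unquote(requested).lstrip("/")))


def safe_resolve(requested, root=WEB_ROOT):
    """Build the full path, normalise it, then refuse anything that lands outside root."""
    decoded = unquote(requested)
    if "%" in decoded:
        # Still encoded after one pass: double encoding (%252e%252e) is a classic filter
        # bypass, so reject instead of decoding again (a literal '%' in a file name is rare).
        raise ValueError("double-encoded path rejected")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")          # truncation trick against C file APIs
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        raise ValueError(f"path escapes document root: {full}")
    return full


def is_safe(requested, root=WEB_ROOT):
    try:
        safe_resolve(requested, root)
        return True
    except ValueError:
        return False
```

Note that the number of `../` segments needed depends on how deep the document root sits; attackers
simply send more than enough, because extra `..` at `/` are collapsed rather than rejected, which is
why the check must be on the normalised result and not on counting segments.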
Q: You have come to know that your online store page has changed. However, you have not
performed any Website update. Which of the following attacks can be the cause of this?
a. Session hijacking
b. DoS
c. DNS cache poisoning
d. Social engineering
Explanation: Answer option C is correct.
This situation is caused by a DNS cache poisoning attack. DNS cache poisoning is a maliciously
created or unintended situation that provides data to a caching name server that did not originate
from authoritative Domain Name System (DNS) sources.
Q: Mark is hardening his application so that user-supplied parameters placed into HTTP headers
are checked for illegal characters such as carriage returns (%0d) and newlines (%0a). Which web
vulnerability is Mark securing his application against?
a. SQL injection
b. Http response splitting attacks
c. Broken authentication and session management
d. Security misconfiguration
Explanation: Answer option B is correct.
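Added worked example (not from the original guide): a redirect handler that copies a parameter into
the Location header, beside the checked version, with a small response parser to show what a proxy
or browser makes of the split response. The attacker value `ATTACK_PARAM` is constructed for this
example; the handler and parser functions are hypothetical, not any framework's API.

```python
from urllib.parse import unquote

CRLF = "\r\n"


def vulnerable_redirect(next_url):
    """Copies the parameter straight into the Location header: the bug under discussion."""
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + next_url + CRLF + CRLF


def is_header_safe(value):
    """Mark's check: no carriage return or newline may reach a header value."""
    return "\r" not in value and "\n" not in value


def safe_redirect(next_url):
    if not is_header_safe(next_url):
        raise ValueError("CR/LF in header value")
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + next_url + CRLF + CRLF


def parse_response(raw):
    """Split a raw HTTP response into (headers, body) the way a proxy or browser would."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers, body


# Constructed attacker value as it arrives on the URL: %0d%0a terminates the Location
# header, a second CRLF pair ends the header block, and the rest becomes a body the
# attacker controls (here a phishing page served under the site's own origin).
ATTACK_PARAM = "/home%0d%0aSet-Cookie:%20session=attacker%0d%0a%0d%0a<html>phished</html>"


def demo():
    injected = unquote(ATTACK_PARAM)           # what the application sees after URL decoding
    return parse_response(vulnerable_redirect(injected))
```

The decoding matters: the check has to run on the decoded value, which is what actually ends up in
the header. Python's own `http.client` refuses header values containing CR or LF with a
`ValueError`, and most modern frameworks do the same, which is why this class of bug is now mostly
found in hand-rolled header handling.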
5. Q: On which port is an SSH brute force attack usually executed and what is the purpose of
the attack?
a. On port 22 to try to do remote login to guess passwords on user accounts
b. On port 25 to send emails from the open port
c. On port 80 to send multiple TCP handshake attacks
d. On port 21 to check for ftp accounts
Explanation: Answer option A is correct.
Q: You are investigating SSH logs and notice different patterns of attack. In one instance, you see a
user ID, and guess with password1, password2, password3, etc. One log file showed that instead of
the password changing, the user ID was changed. For example, pick a password and try it with
userid1, userid2, userid3, etc. Quite a few IP addresses showed up in different logs examined. The
most common user IDs were root, admin, administrator, mysql, oracle, nagios. What kind of attack
are you seeing?
Each correct answer represents a complete solution. Choose two.
a. Replay attack
b. Bit flipping attack
c. Dictionary attack
d. Brute force attack
Explanation: Answer options C and D are correct.
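Added worked example (not from the original guide): detection logic that separates the two
patterns described in the question by grouping failed SSH logins per source address. The log lines
in `SAMPLE_LOG` are constructed in OpenSSH `auth.log` format and do not come from a real system; the
pattern labels and the threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth.log lines (not from a real system).
SAMPLE_LOG = """\
Mar  3 10:15:01 bastion sshd[2231]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  3 10:15:02 bastion sshd[2233]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar  3 10:15:02 bastion sshd[2235]: Failed password for root from 203.0.113.5 port 51026 ssh2
Mar  3 10:15:03 bastion sshd[2237]: Failed password for root from 203.0.113.5 port 51028 ssh2
Mar  3 10:15:03 bastion sshd[2239]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  3 10:15:04 bastion sshd[2241]: Failed password for root from 203.0.113.5 port 51032 ssh2
Mar  3 10:20:11 bastion sshd[2302]: Failed password for root from 198.51.100.7 port 40010 ssh2
Mar  3 10:20:12 bastion sshd[2304]: Failed password for invalid user admin from 198.51.100.7 port 40012 ssh2
Mar  3 10:20:12 bastion sshd[2306]: Failed password for invalid user administrator from 198.51.100.7 port 40014 ssh2
Mar  3 10:20:13 bastion sshd[2308]: Failed password for invalid user mysql from 198.51.100.7 port 40016 ssh2
Mar  3 10:20:13 bastion sshd[2310]: Failed password for invalid user oracle from 198.51.100.7 port 40018 ssh2
Mar  3 10:20:14 bastion sshd[2312]: Failed password for invalid user nagios from 198.51.100.7 port 40020 ssh2
Mar  3 10:31:40 bastion sshd[2390]: Failed password for alice from 192.0.2.44 port 55100 ssh2
Mar  3 10:31:49 bastion sshd[2390]: Accepted publickey for alice from 192.0.2.44 port 55100 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

SINGLE_ACCOUNT = "dictionary attack against one account"   # password1, password2, ... for one user
SPRAYING = "one password tried across many accounts"       # userid1, userid2, ... with one password
NOISE = "below threshold"


def parse_failures(text):
    """Yield (user, source ip) for every failed password attempt in the log text."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def classify_sources(text, threshold=5):
    """Group failures by source IP and label the pattern. Many attempts against a single
    user is the per-account dictionary pattern; roughly as many distinct users as
    attempts is the spraying pattern the second log showed."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for user, ip in parse_failures(text):
        per_ip[ip]["attempts"] += 1
        per_ip[ip]["users"].add(user)
    report = {}
    for ip, d in per_ip.items():
        if d["attempts"] < threshold:
            pattern = NOISE
        elif len(d["users"]) == 1:
            pattern = SINGLE_ACCOUNT
        elif len(d["users"]) >= d["attempts"] * 0.8:
            pattern = SPRAYING
        else:
            pattern = "mixed guessing"
        report[ip] = {"attempts": d["attempts"], "users": sorted(d["users"]), "pattern": pattern}
    return report
```

Spraying is the pattern that slips past per-account lockout policies, since each account sees only
one or two failures; the per-source view above is what catches it, and the same grouping is what a
tool such as fail2ban keys its bans on.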
5. Q: Which of the following types of attacks occurs when an attacker successfully inserts an
intermediary program between two communicating hosts?
a. Denial-of-service attack
b. Password guessing attack
c. Dictionary attack
d. Man-in-the-middle attack
Explanation: Answer option D is correct.
Q: In which of the following processes would a DNS server return an incorrect IP address, diverting
traffic to another computer?
a. TCP FIN scanning
b. DNS poisoning
c. TCP SYN scanning
d. Snooping
Explanation: Answer option B is correct.
6. Q: Encrypted viruses use cryptographic techniques to avoid detection. Which of the following
statements are true of encrypted viruses?
Each correct answer represents a complete solution. Choose all that apply.
a. Encrypted viruses are quite similar to polymorphic viruses in their outward
appearance.
b. Each infected system has a virus with a different signature.
c. Encrypted viruses protect Internet clients from forged DNS data, such as DNS cache
poisoning.
d. Encrypted viruses facilitate slave DNS servers to transfer records from the master
server to a slave server.
Explanation: Answer options A and B are correct.
Q: Which of the following is designed to protect the Internet resolvers (clients) from forged DNS data
created by DNS cache poisoning?
a. Domain Name System Security Extensions (DNSSEC)
b. Split-horizon DNS
c. Stub resolver
d. BINDER
Explanation: Answer option A is correct.
Domain Name System Security Extension (DNSSEC) was designed to protect Internet resolvers
(clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in
DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if
the information is identical (correct and complete) to the information on the authoritative DNS server.
What is DNSSEC?
Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force
(IETF) specifications for securing certain kinds of information provided by the Domain Name System
(DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to
DNS clients origin authentication of DNS data, authenticated denial of existence, and data integrity,
but not availability or confidentiality.
1. Q: Which of the following protocols is designed to secure a wireless network and can be
considered equivalent to the security of a wired network?
a. WPA2
b. WTLS
c. WEP
d. WAP
Explanation: Answer option A is correct.
WPA2 is the updated version of WPA and implements the full IEEE 802.11i standard, using AES-CCMP
instead of the RC4-based TKIP and WEP. WPA2 offers stronger protection than the WPA and WEP
standards. It is available as WPA2-PSK (pre-shared key) for home use and WPA2-EAP (802.1X) for
enterprise environments.
Answer option C is incorrect. Despite its name, Wired Equivalent Privacy (WEP) is cryptographically
broken and its keys can be recovered from captured traffic.
Answer option B is incorrect. Wireless Transport Layer Security (WTLS) is the security layer of WAP,
specifically designed for a wireless environment. It provides privacy, data integrity, and
authentication for client-server communications over a wireless network, but it protects WAP
application traffic rather than the wireless LAN itself.
3. Q: A developer assigns the value of a watch as $500. A hacker alters the value of the watch
using an HTML Editor and changes it from $500 to $20. He submits the slightly altered
HTML page and concludes a transaction of the item. What kind of attack has the website
been subjected to?
a. Buffer overflow
b. Hidden field manipulation
c. Cross site scripting
d. SQL injection
Explanation: Answer option B is correct.
Sometimes developers working under tight timelines may take the help of hidden fields to store
information. Sensitive information should not be made available in the client code where a malicious
user can change it. In this case, even though the hidden fields are beyond the reach of usual users,
a curious hacker with the knowledge of programming can unearth the fields and data and exploit
them. Hidden field manipulation attacks can expose crucial business information of a website and
make the online store face huge losses.
Q: An attacker posts a message that contains malicious code to any newsgroup site. When another
user views this message, the browser interprets this code and executes it and, as a result, the
attacker takes control of the user's system. Which of the following attacks has the attacker
performed?
a. Cross-site scripting attack
b. Code injection attack
c. Replay attack
d. Buffer-overflow attack
Explanation: Answer option A is correct.
A cross-site scripting attack is one in which an attacker enters malicious data into a Website that
later serves it to other users without encoding it, so the script runs in their browsers in the
context of that site. The script can steal session cookies or act as the victim on that site; taking
over the victim's whole system would additionally require a browser exploit.
Q: John works as a Network Security Administrator for uCertify Inc. An employee of the company
meets John and tells him that a few months ago, he had filled an online bank form for some account
related work. Today, when he revisits the same site, he finds that some of his personal information is
still being displayed on the web page. Which of the following types of cookies should John disable to
resolve the issue?
a. Persistent
b. Temporary
c. Session
d. Secure
Explanation: Answer option A is correct.
According to the scenario, John should disable persistent cookies. Persistent cookies carry an
expiry date and remain on the computer after the browser is closed, which is why the form data
reappears months later; session (temporary) cookies are discarded when the browser exits.
Q: You visit a malicious website soon after visiting your bank website. Your session on the previous
site might still be valid. The malicious website causes a form post to the previous website. Your
browser sends the authentication cookie back to that site and appears to be making a request on
your behalf, even though you did not authorize it. What kind of attack have you been exposed to?
a. CSRF attack
b. Stored cross site scripting attack
c. Reflected cross site scripting attack
d. Dom based cross-site scripting attack
Explanation: Answer option A is correct.
CSRF exploits the trust that a site has in a user's browser. The attack works by including a script in
a malicious site that accesses a site to which the user is known to have been authenticated. CSRF
exploits vulnerable web applications that perform actions based on input from trusted and
authenticated users without requiring the user to authorize the specific action.
Q: Which of the following is a proxy server for security testing of Web applications?
a. BURP
b. BlackWidow
c. cURL
d. Instant Source
Explanation: Answer option A is correct.
BURP: Burp Proxy is a proxy server for security testing of Web applications, which operates as
a man-in-the-middle between the browser and the target application.
4. Q: You have been invited as a web application security architect to recommend important
countermeasures to the development team that will protect web application against common
attacks. What is one of the most basic checks that you would recommend developers
implement in their code for malicious user entries?
a. Input validation
b. ESAPI locators
c. Security Misconfiguration
d. Randomizers
Explanation: Answer option A is correct.
A malicious user may enter scripts where data or numerical variables are expected. Input validation
can be done by sanitizing, encoding or replacing user inputs.
5. Q: You are an application security architect who is designing a defense in depth security for
common website vulnerabilities like cross-site scripting, SQL injection etc. You ensure that
secure coding practices are followed by developers and the network team deploys IDS/IPS
appliances. Personal firewalls and anti-virus systems are deployed. What else do you
configure to counter web application attacks?
a. Honeypot
b. Web application firewalls
c. VPN
d. RBAC
Explanation: Answer option B is correct.
A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules
to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting
(XSS) and SQL Injection.
Answer option A is incorrect. A honeypot is a trap set to detect, deflect, or in some manner
counteract attempts at unauthorized use of information systems. Generally, it consists of a
computer, data, or a network site that appears to be part of a network, but is actually isolated and
monitored, and which seems to contain information or a resource of value to attackers.
Chapter 14
SQL Injection
1. Q: John works as a professional Ethical Hacker. He is assigned a project to test the security
of www.we-are-secure.com. He enters a single quote in the input field of the login page of
the We-are-secure Web site and receives the following error message:
Microsoft OLE DB Provider for ODBC Drivers error '0x80040E14'
This error message shows that the We-are-secure Website is vulnerable to __________.
a. An XSS attack
b. A Denial-of-Service attack
c. A buffer overflow
d. A SQL injection attack
Explanation: Answer option D is correct.
3. Q: You work as a Network Penetration tester in Secure Inc. Your company takes the projects
to test the security of various companies. Recently, Secure Inc. has assigned you a project
to test the security of a Web site. You go to the Web site login page and you run the
following SQL query:
SELECT email, passwd, login_id, full_name FROM members WHERE email = '[email protected]'; DROP TABLE members;--'
What task will the above SQL query perform?
a. Deletes the entire members table.
b. Deletes the rows of members table where email id is '[email protected]'
given.
c. Deletes the database in which members table resides.
d. Performs the XSS attacks.
Explanation: Answer option A is correct.
4. Q: Which of the following characters will you use to check whether an application is
vulnerable to a SQL injection attack?
a. Single quote (')
b. Double quote (")
c. Semi colon (;)
d. Dash (-)
Explanation: Answer option A is correct.
A single quote (') can be used to explore a SQL injection attack. A SQL injection attack is a process
in which an attacker tries to execute unauthorized SQL statements.
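Added worked example (not from the original guide) for the three SQL injection questions above: the
single-quote probe, the stacked `DROP TABLE` payload, and the parameterised query that defeats both.
It uses Python's bundled `sqlite3` with a constructed `members` table; the data and function names
are assumptions for this example. Note that `sqlite3`'s `execute()` refuses more than one statement
per call, so `executescript()` stands in for drivers that run stacked statements, as the ODBC
provider named in the first question does.

```python
import sqlite3

# Constructed data for the example; the table mirrors the one in the question.
SEED = """
CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT);
INSERT INTO members VALUES ('alice@example.com', 's3cret',  'alice', 'Alice Example');
INSERT INTO members VALUES ('bob@example.com',   'hunter2', 'bob',   'Bob Example');
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SEED)
    return con


def vulnerable_lookup(con, email):
    """String concatenation: a quote in the input ends the literal and the rest becomes SQL."""
    sql = f"SELECT email, passwd, login_id, full_name FROM members WHERE email = '{email}'"
    return con.execute(sql).fetchall()


def safe_lookup(con, email):
    """Parameterised query: the value travels separately from the statement, so it is only data."""
    sql = "SELECT email, passwd, login_id, full_name FROM members WHERE email = ?"
    return con.execute(sql, (email,)).fetchall()


def single_quote_probe(con):
    """The tester's first step: does a lone quote produce a database error message?"""
    try:
        vulnerable_lookup(con, "'")
    except sqlite3.OperationalError as err:
        return str(err)      # a leaked parser error is the signal that input reaches the SQL engine
    return None


def vulnerable_stacked(con, email):
    """Same concatenation on a driver that runs several statements per call, which the
    DROP TABLE payload needs. executescript stands in for such a driver here."""
    sql = f"SELECT email FROM members WHERE email = '{email}'"
    con.executescript(sql)


def table_exists(con, name="members"):
    row = con.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)).fetchone()
    return row is not None
```

The `' OR '1'='1` check below shows that even without stacked statements the concatenated query
returns every row, which is the login-bypass form of the same bug; the parameterised version returns
nothing for that input because it is compared literally as an email address.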
5. Q: The security department of a financial company has mandated that developers secure
applications against SQL injection. Developers must never allow client supplied data to
modify the syntax of the SQL statements. All SQL statements required by the applications
should be in stored procedures and kept on a database server. However, the organization is
worried about the increasing number of attacks, and asks you if any additional defensive
security scanning tools should be deployed. What would you recommend?
a. Acunetix
b. sqlninja
c. SQLIer
d. sqlmap
Explanation: Answer option A is correct.
Acunetix Web Vulnerability Scanner automatically checks web applications for SQL Injection,
XSS, and other web vulnerabilities.
6. Q: The Voyager worm is a computer worm that was posted on the Internet on October 31,
2005, and is designed to target Oracle databases. If activated, it will grant DBA to PUBLIC.
What methodology does the Voyager worm use to attack Oracle servers?
a. SQL Injection
b. Buffer Overflow
c. Code Injection attack
d. By using default accounts and passwords
Explanation: Answer option D is correct.
Chapter 15
Hacking Wireless Networks
1. Q: Every network device contains a unique built-in Media Access Control (MAC) address,
which is used to identify the authentic device to limit network access. Which of the following
addresses is a valid MAC address?
a. 1011-0011-1010-1110-1100-0001
b. A3-07-B9-E3-BC-F9
c. 132.298.1.23
d. F936.28A1.5BCD.DEFA
Explanation: Answer option B is correct.
The general format for writing MAC addresses is to use six groups of two hexadecimal digits, each
separated by a hyphen
Q: Which of the following wireless security features provides the best wireless security mechanism?
a. WEP
b. WPA with Pre Shared Key
c. WPA with 802.1X authentication
d. WAP
Explanation: Answer option C is correct.
WPA with 802.1X authentication provides the best wireless security mechanism. 802.1X
authentication, also known as WPA-Enterprise, is a security mechanism for wireless networks.
802.1X provides port-based authentication, which involves communications between a supplicant,
authenticator, and authentication server.
What is an Initialization Vector (IV)?
An initialization vector (IV) is a block of bits that allows a stream cipher, or a block cipher in
one of the streaming modes of operation, to produce a unique keystream or ciphertext independent of
other messages encrypted under the same key, without going through a re-keying process. Its size
depends on the algorithm and protocol in use and is normally the cipher's block size or the key
size. The IV must be known to the recipient to decrypt the message, so it is usually sent in the
clear; it need not be secret, but it must never repeat under the same key. WEP's IV is only 24 bits,
so on a busy network IVs repeat within hours, and the resulting reuse of RC4 keystream is one of the
reasons WEP can be broken.
2. Q: Victor works as a professional Ethical Hacker for SecureEnet Inc. He wants to scan the
wireless network of the company. He uses a tool that is a free open-source utility for network
exploration. The tool uses raw IP packets to determine the following:
To determine what ports are open on network systems
To determine what hosts are available on the network
To identify unauthorized wireless access points
To determine what services (application name and version) those hosts are offering
To determine what operating systems (and OS versions) they are running
To determine what type of packet filters/firewalls are in use
Which of the following tools is Victor using?
a. Kismet
b. Nessus
c. Nmap
d. Sniffer
Explanation: Answer option C is correct.
Nmap is an active information gathering tool. It sends crafted packets to hosts and interprets the
replies to list open ports, identify services and versions, fingerprint operating systems and detect
packet filtering. Administrators use it to determine which services are exposed to external users;
it scans any IP-reachable host, not only Linux computers. Nmap does not see 802.11 frames, so it can
reveal an access point only through the IP address of its wired or management interface; Kismet
(option A) is the tool that discovers wireless networks directly.
5. Q: Victor works as a network administrator for DataSecu Inc. He uses a dual firewall
Demilitarized Zone (DMZ) to insulate the rest of the network from the portions that are
available to the Internet. Which of the following security threats may occur if DMZ protocol
attacks are performed?
Each correct answer represents a complete solution. Choose three.
a. The attacker can gain access to the Web server in a DMZ and exploit the database.
b. The attacker can exploit any protocol used to go into the internal network or intranet
of the company.
c. The attacker can perform a Zero Day attack by delivering a malicious payload that is
not a part of the intrusion detection/prevention systems guarding the network.
d. The attacker managing to break the first firewall defense can access the internal
network without breaking the second firewall if it is different.
Explanation: Answer options A, B, and C are correct.
Q: Which of the following statements are true about SSIDs?
Each correct answer represents a complete solution. Choose three.
a. An SSID is used to identify a wireless network.
b. SSIDs are case insensitive text strings and have a maximum length of 64 characters.
c. All wireless devices on a wireless network must have the same SSID in order to
communicate with one another.
d. Configuring the same SSID as that of the other Wireless Access Points (WAPs) of
other networks will create a conflict.
Explanation: Answer options A, C, and D are correct.
SSID stands for Service Set Identifier. It is used to identify a wireless network. SSIDs are case
sensitive text strings and have a maximum length of 32 characters, so option B is false.
What is the main advantage that a network-based IDS/IPS system has over a host-based solution?
A. They will slow down the interfaces on the user's machine
B. They are easier to install and configure.
C. They do not use the host system's resources.
D. They are placed at the boundary
answer: C
Which security strategy requires using several, varying methods to protect IT systems
against attacks?
A. Data Loss Prevention
B. Overt channels
C. Three-way handshake
D. Defense in depth
answer: D
6. Q: Which of the following statements are true for WPA?
Each correct answer represents a complete solution. Choose all that apply.
a. WPA provides better security than WEP.
b. WPA-PSK requires that a user enter an 8-character to 63-character passphrase into
a wireless client.
c. WPA-PSK converts the passphrase into a 256-bit key.
d. Shared-key WPA is vulnerable to password cracking attacks if a weak passphrase is
used.
Explanation: Answer options A, B, C, and D are correct.
WPA stands for Wi-Fi Protected Access. It is a wireless security standard that provides better
security than WEP (Wired Equivalent Privacy). Windows Vista supports both WPA-PSK and WPA-EAP.
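Added worked example (not from the original guide) for options B, C and D above: the derivation that
turns a WPA/WPA2-Personal passphrase of 8 to 63 characters into the 256-bit pre-shared key, and the
offline dictionary attack that a weak passphrase makes possible. The derivation is the one fixed by
the standard (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32-byte
output); the wordlist and the `dictionary_attack` function are constructed for this example.

```python
import hashlib

ITERATIONS, PSK_LEN = 4096, 32   # fixed by the WPA/WPA2-Personal specification


def wpa_psk(passphrase, ssid):
    """Derive the 256-bit pre-shared key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), ITERATIONS, PSK_LEN
    )


def dictionary_attack(target_psk, ssid, wordlist):
    """Offline guessing: re-derive the PSK for each candidate and compare. A real attack
    checks each candidate against the MIC of a captured 4-way handshake rather than against
    the PSK itself (the PSK never crosses the air), but the per-guess cost of 4096 HMAC
    rounds and the outcome are the same."""
    for word in wordlist:
        if 8 <= len(word) <= 63 and wpa_psk(word, ssid) == target_psk:
            return word
    return None


if __name__ == "__main__":
    # Constructed wordlist; "password" with SSID "IEEE" is the published 802.11i test vector.
    psk = wpa_psk("password", "IEEE")
    print(psk.hex())
    print(dictionary_attack(psk, "IEEE", ["letmein1", "qwerty123", "password"]))
```

Because the SSID is the salt, a rainbow table only works for one network name, which is why attack
tools ship precomputed tables for the most common default SSIDs; a unique SSID forces the attacker
to pay the 4096 iterations per guess, and a long random passphrase makes the guess count impractical.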
7. Q: You are concerned about attackers simply passing by your office, discovering your
wireless network, and getting into your network via the wireless connection. Which of the
following are NOT the steps involved in securing your wireless connection?
Each correct answer represents a complete solution. Choose two.
a. Using either WEP or WPA encryption
b. MAC filtering on the router
c. Hardening the server OS
d. Not broadcasting SSID
e. Using strong password policies on workstations
Explanation: Answer options C and E are correct.
Both hardening the server OS and using strong password policies on workstations are good ideas,
but neither has anything to do with securing your wireless connection.
Q: A Web developer with your company wants to have wireless access for contractors that come in
to work on various projects. The process of getting this approved takes time. So rather than wait, he
has put his own wireless router attached to one of the network ports in his department. What security
risk does this present?
a. None, adding a wireless access point is a common task and not a security risk.
b. It is likely to increase network traffic and slow down network performance.
c. An unauthorized WAP is one way for hackers to get into a network.
d. This circumvents network intrusion detection.
Explanation: Answer option C is correct.
What is WAP?
Wireless Access Point (WAP) is a communication device that is capable of both transmitting and
receiving signals in a wireless LAN. This unit is connected to servers or directly to a network and
other devices using a standard cabled network protocol.
Q: You are concerned about rogue wireless access points being connected to your network. What is
the best way to detect and prevent these?
a. Network anti-virus software
b. Network anti-spyware software
c. Site surveys
d. Protocol analyzers
Explanation: Answer option C is correct.
Q: You have detected what appears to be an unauthorized wireless access point on your network.
However, this access point has the same MAC address as one of your real access points and is
broadcasting with a stronger signal. What is this called?
a. The evil twin attack
b. Bluesnarfing
c. DOS
d. WAP cloning
Explanation: Answer option A is correct.
In the evil twin attack, a rogue wireless access point is set up that has the same MAC address as
one of your legitimate access points. That rogue WAP will often then initiate a denial of service
attack on your legitimate access point, making it unable to respond to users, so they are redirected
to the 'evil twin'.
Q: You are concerned about war driving bringing the hacker's attention to your wireless network.
What is the most basic step you can take to mitigate this risk?
a. Don't broadcast SSID
b. Implement WEP
c. Implement WPA
d. Implement MAC filtering
Explanation: Answer option A is correct.
Disabling the SSID broadcast keeps the network out of the list a casual war-driver sees, which is
the most basic step. It is obscurity only: the SSID is still sent in probe and association frames,
so tools such as Kismet still find the network. Encryption (WPA2 rather than WEP, which is broken)
is what actually protects the traffic once the network has been found.
Q: Which of the following statements are true about locating rogue access points using WLAN
discovery software such as NetStumbler, Kismet, or MacStumbler if you are using a Laptop
integrated with Wi-Fi compliant MiniPCI card?
Each correct answer represents a complete solution. Choose all that apply.
a. These tools cannot detect rogue access points if the victim is using data encryption.
b. These tools detect rogue access points if the victim is using IEEE 802.11 frequency
bands.
c. These tools can determine the rogue access point even when it is attached to a
wired network.
d. These tools can determine the authorization status of an access point.
Explanation: Answer options B and D are correct.
Q: Which of the following tools monitors the radio spectrum for the presence of unauthorized,
rogue access points and the use of wireless attack tools?
a. WIPS
b. IDS
c. Snort
d. Firewall
Explanation: Answer option A is correct.
A wireless intrusion prevention system (WIPS) monitors the radio spectrum for the presence of
unauthorized, rogue access points and the use of wireless attack tools. The system monitors the
radio spectrum used by wireless LANs and immediately alerts a systems administrator whenever a
rogue access point is detected.
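The two wireless checks discussed above (the evil twin, which clones a legitimate AP's MAC address, and rogue-AP discovery with a WLAN survey tool) reduce to comparing what a scan sees against an inventory of authorized access points. The following is an added example, not code from this study guide or from any of the named tools; the scan record layout, the SSID "corp-wifi", the BSSIDs and the authorized-AP table are all constructed for illustration. It flags a BSSID that is not in the inventory but beacons the corporate SSID as a rogue, and an inventoried BSSID seen on a channel it is not configured for as an evil-twin candidate:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ApObservation:
    """One access point as reported by a WLAN discovery tool (constructed record layout)."""
    ssid: str
    bssid: str        # MAC address the AP beacons with
    channel: int
    signal_dbm: int   # received signal strength; closer to 0 is stronger


# Inventory of the APs we own: BSSID -> channel it is configured for (constructed values).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": 1,
    "00:11:22:33:44:02": 6,
    "00:11:22:33:44:03": 11,
}

# Constructed survey results, not data from a real site.
SAMPLE_SCAN = [
    ApObservation("corp-wifi", "00:11:22:33:44:01", 1, -55),
    ApObservation("corp-wifi", "00:11:22:33:44:02", 6, -60),
    ApObservation("corp-wifi", "00:11:22:33:44:03", 11, -62),
    # Same BSSID as our second AP but on another channel and much louder: evil twin candidate.
    ApObservation("corp-wifi", "00:11:22:33:44:02", 11, -35),
    # BSSID not in our inventory but beaconing our SSID: rogue candidate.
    ApObservation("corp-wifi", "de:ad:be:ef:00:01", 3, -48),
    # Neighbour's network; not our SSID, so not our problem.
    ApObservation("cafe-guest", "aa:bb:cc:dd:ee:ff", 6, -70),
]


def classify_scan(scan, authorized=AUTHORIZED_APS, corporate_ssid="corp-wifi"):
    """Return (rogue_bssids, evil_twin_bssids) for one survey pass.

    rogue:     a BSSID outside the inventory advertising the corporate SSID
    evil twin: an inventoried BSSID seen on a channel it is not configured for,
               i.e. a second radio cloning a legitimate AP's MAC address
    """
    rogues, twins = set(), set()
    for obs in scan:
        if obs.ssid != corporate_ssid:
            continue
        if obs.bssid not in authorized:
            rogues.add(obs.bssid)
        elif obs.channel != authorized[obs.bssid]:
            twins.add(obs.bssid)
    return sorted(rogues), sorted(twins)


def strongest_by_bssid(scan):
    """Strongest observed signal per BSSID, useful when deciding which sighting to walk towards."""
    best = {}
    for obs in scan:
        best[obs.bssid] = max(best.get(obs.bssid, -200), obs.signal_dbm)
    return best


if __name__ == "__main__":
    rogues, twins = classify_scan(SAMPLE_SCAN)
    print("rogue APs:", rogues)
    print("evil twin candidates:", twins)
    print("strongest signal per BSSID:", strongest_by_bssid(SAMPLE_SCAN))
```

The channel test is a single-scan heuristic: an AP that an administrator legitimately moved to a new channel would fire the same alert, which is why the inventory (the "authorization status" in the question above) has to be kept current. A WIPS does the same comparison continuously from fixed sensors rather than from one laptop.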
Q: You work as an Administrator for Bluesky Inc. The company has 145 Windows XP Professional
client computers and eighty Windows 2003 Server computers. You want to install a security layer of
WAP specifically designed for a wireless environment. You also want to ensure that the security
layer provides privacy, data integrity, and authentication for client-server communications over a
wireless network. Moreover, you want a client and server to be authenticated so that wireless
transactions remain secure and the connection is encrypted. Which of the following options will you
use to accomplish the task?
a. Wireless Transport Layer Security (WTLS)
b. Recovery Console
c. Wired Equivalent Privacy (WEP)
d. Virtual Private Network (VPN)
Explanation: Answer option A is correct.
Wireless Transport Layer Security (WTLS) is a security layer of WAP which is specifically
designed for a wireless environment. It provides privacy, data integrity, and authentication for client-
server communications over a wireless network.
Q: Ryan wants to create an ad hoc wireless network so that he can share some important files with
another employee of his company. Which of the following wireless security protocols should he
choose for setting up an ad hoc wireless network?
Each correct answer represents a complete solution. Choose two.
e. WEP
f. WPA2 -EAP
g. WPA-PSK
h. WPA-EAP
Explanation: Answer options E and G are correct.
6. Q: An executive in your company reports odd behavior on her PDA. After investigation, you
discover that a trusted device is actually copying data of the PDA. The executive tells you
that the behavior started shortly after accepting an e-business card from an unknown person.
What type of attack is this?
a. Bluesnarfing
b. PDA hijacking
c. Session hijacking
d. Privilege escalation
Explanation: Answer option A is correct.
Bluesnarfing is a rare attack in which an attacker takes control of a Bluetooth-enabled device. One
way to do this is to get your PDA to accept the attacker's device as a trusted device.
7. Q: One of the sales people in your company complains that sometimes he gets a lot of
unsolicited messages on his PDA. After asking a few questions, you determine that the issue
only occurs in crowded areas such as airports. What is the most likely problem?
a. Bluesnarfing
b. Bluejacking
c. A virus
d. Spam
Explanation: Answer option B is correct.
Bluejacking is the process of using another Bluetooth device that is within range (about 30' or less)
and sending unsolicited messages to the target.
Q: Mark works as a project engineer in Tech Perfect Inc. His office is configured with Windows XP-
based computers. The computer that he uses is not configured with a default gateway. He is able to
access the Internet, but is not able to use e-mail services via the Internet. However, he is able to
access e-mail services via the intranet of the company. Which of the following could be the reason
he is unable to access e-mail services via the Internet?
a. Protocols other than TCP/IP
b. IP packet filter
c. Router
d. Proxy server
Explanation: Answer option D is correct.
A proxy server exists between a client's Web-browsing program and a real Internet server.
1. Q: When no anomaly is present in an Intrusion Detection, but an alarm is generated, the
response is known as __________.
a. False positive
b. False negative
c. True positive
d. True negative
Explanation: Answer option A is correct.
The following are the types of responses generated by an IDS:
1. True Positive: A valid anomaly is detected, and an alarm is generated.
2. True Negative: No anomaly is present, and no alarm is generated.
3. False Positive: No anomaly is present, but an alarm is generated. This is the worst case
scenario. If any IDS generates a false positive response at a high rate, the IDS is ignored and
not used.
4. False Negative: A valid anomaly is present, and no alarm is generated.
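The four IDS outcomes listed above are the cells of a confusion matrix, and the practical point of the question (an IDS with a high false-positive rate gets ignored) is easiest to see when the cells are turned into rates. The following is an added example, not part of this study guide; the event list is constructed, with each event recording whether an attack really occurred and whether the IDS raised an alarm:

```python
from collections import Counter

# (anomaly_present, alarm_raised) -> IDS response type, as defined in the list above.
OUTCOMES = {
    (True, True): "true positive",
    (False, False): "true negative",
    (False, True): "false positive",
    (True, False): "false negative",
}


def classify(anomaly_present: bool, alarm_raised: bool) -> str:
    """Name the IDS response for one event."""
    return OUTCOMES[(anomaly_present, alarm_raised)]


# Constructed evaluation data: ground truth from a test plan paired with the IDS verdict.
# Three real attacks (one missed) and seven benign events (three of them alarmed on).
SAMPLE_EVENTS = [
    (True, True), (True, True), (True, False),
    (False, False), (False, False), (False, False), (False, False),
    (False, True), (False, True), (False, True),
]


def tally(events):
    """Count how many events fall into each of the four response types."""
    return Counter(classify(present, alarmed) for present, alarmed in events)


def rates(events):
    """Turn the tally into the rates an analyst actually tunes against."""
    c = tally(events)
    tp, fp = c["true positive"], c["false positive"]
    tn, fn = c["true negative"], c["false negative"]
    precision = tp / (tp + fp) if tp + fp else 0.0   # share of alarms that were real
    fpr = fp / (fp + tn) if fp + tn else 0.0          # share of benign events that alarmed
    recall = tp / (tp + fn) if tp + fn else 0.0       # share of real attacks that alarmed
    return {"precision": precision, "false_positive_rate": fpr, "detection_rate": recall}


if __name__ == "__main__":
    print(dict(tally(SAMPLE_EVENTS)))
    print(rates(SAMPLE_EVENTS))
```

With the constructed data, only 40% of alarms correspond to a real attack, which is the situation the explanation warns about: analysts stop reading the alerts, and the one missed attack (the false negative) never gets a second look either.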
2. Q: Host-based IDS (HIDS) is an Intrusion Detection System that runs on the system to
be monitored. HIDS monitors only the data that it is directed to, or originates from the
system on which HIDS is installed. Besides monitoring network traffic for detecting
attacks, it can also monitor other parameters of the system such as running
processes, file system access and integrity, and user logins for identifying malicious
activities. Which of the following tools are examples of HIDS?
Each correct answer represents a complete solution. Choose all that apply.
a. Tripwire
b. BlackIce Defender
c. HPing
d. Legion
Explanation: Answer options A and B are correct.
Tripwire and BlackIce Defender are examples of HIDS. Tripwire is an HIDS tool that automatically
calculates the cryptographic hashes of all system files as well as any other file that a Network
Administrator wants to monitor for modifications. It then periodically scans all monitored files and
recalculates the hashes to see whether the files have been modified or not.
Q: You work as a Network Administrator for Tech2tech Inc. You have configured a network-
based IDS for your company. You have physically installed sensors at all key positions
throughout the network such that they all report to the command console. What will be the
key functions of the sensors in such a physical layout?
Each correct answer represents a complete solution. Choose all that apply.
a. To analyze for known signatures
b. To collect data from operating system logs
c. To collect data from Web servers
d. To notify the console with an alert if any intrusion is detected
Explanation: Answer options A and D are correct.
In a network-based IDS, sensors installed at key positions throughout the network work as full
detection engines: they sniff packets, analyze them for known signatures, and notify the console as
soon as an intrusion is detected.
Q: You work as a Network Administrator for Tech Perfect Inc. The company has a TCP/IP-
based routed network. You have recently come to know about the Slammer worm, which
attacked computers in 2003 and doubled the number of infected hosts every 9 seconds or so.
Slammer infected 75000 hosts in the first 10 minutes of the attack. To mitigate such security
threats, you want to configure security tools on the network. Which of the following tools will
you use?
a. Intrusion Detection Systems
b. Intrusion Prevention Systems
c. Anti-x
d. Firewall
Explanation: Answer option B is correct.
An Intrusion Prevention System (IPS) is a tool used to prevent sophisticated attacks on the
network. The IPS detects such attacks by watching traffic trends, looking for attacks that use
particular patterns of messages, and other factors.
6. Q: John works as a Network Security Administrator for uCertify Inc. He has been
assigned the task of installing a MySQL server. John wants to monitor only the data
that is directed to or originating from the server. He also wants to monitor running
processes, file system access and integrity, and user logins for identifying malicious
activities. Which of the following intrusion detection techniques will John use to
accomplish the task?
a. Host-based
b. Network-based
c. Anomaly-based
d. Signature-based
Explanation: Answer option A is correct.
A host-based IDS (HIDS) is an Intrusion Detection System that runs on the system that is to be
monitored. HIDS monitors only the data that is directed to or originating from the system on which
HIDS is installed. Besides relying on network traffic for detecting attacks,
Q: Adam works as a Security Analyst for Umbrella Inc. He is retrieving a large amount
of log data from various resources such as Apache log files, IIS logs, streaming
servers, and some FTP servers. He is facing difficulties in analyzing the logs that he
has retrieved. To solve this problem, Adam decides to use the AWStats application.
Which of the following statements are true of AWStats?
Each correct answer represents a complete solution. Choose all that apply.
a. It generates advanced Web, streaming, or mail server statistics graphically.
b. It works only as a CGI and shows all possible information contained in the log.
c. It can analyze log files from server tools such as Apache log files, WebStar, IIS and other
Web, proxy, and some ftp servers.
d. It can work with all Web hosting providers, which allow Perl, CGI, and log access.
Explanation: Answer options A, C, and D are correct.
AWStats is a free, powerful tool used to generate Web, streaming, and mail server statistics
graphically. It works as a CGI or from the command line. AWStats shows all possible information
contained in a log. It can analyze log files from almost all server tools such as Apache log files,
WebStar, IIS (W3C log format) and various other Web, proxy, wap, streaming servers, mail servers
and some ftp servers. AWStats can work with all Web hosting providers, which allow Perl, CGI and
log access.
Answer option B is incorrect. AWStats works as a CGI or from command line.
Reference: EC-Council Certified Security Analyst Course Manual, Contents: "Log Analysis"
7. Q: You work as a Network Administrator for NetTech Inc. Employees in remote
locations connect to the company's network using Remote Access Service (RAS).
Which of the following will you use to pass or block packets from specific IP
addresses and ports?
a. Firewall
b. Bridge
c. Gateway
d. Antivirus software
Explanation: Answer option A is correct.
A firewall is a tool to provide security to a network. It is used to protect an internal network or
intranet against unauthorized access from the Internet or other outside networks. It restricts inbound
and outbound access and can analyze all traffic between an internal network and the Internet. Users
can configure a firewall to pass or block packets from specific IP addresses and ports. An
administrator can configure the following settings for a firewall:
Q: Which of the following statements about packet filtering is true?
a. It allows or restricts the flow of specific types of packets to provide security.
b. It is used to send confidential data on the public network.
c. It allows or restricts the flow of encrypted packets to provide security.
d. It is used to store information about confidential data.
Explanation: Answer option A is correct.
Packet filtering is a method that allows or restricts the flow of specific types of packets to provide
security. It analyzes incoming and outgoing packets and lets them pass or stops them at a
network interface based on the source and destination addresses, ports, or protocols.
Q: Which of the following areas of a network contains DNS servers and Web servers for
Internet users?
a. VLAN
b. VPN
c. MMZ
d. DMZ
Explanation: Answer option D is correct.
The DMZ is an IP network segment that contains resources available to Internet users such as Web
servers, FTP servers, e-mail servers, and DNS servers. DMZ provides a large enterprise network or
corporate network the ability to use the Internet while still maintaining its security.
7. Q: Which of the following types of computers is used for attracting potential intruders?
a. Files pot
b. Honeypot
c. Bastion host
d. Data pot
Explanation: Answer option B is correct.
A honeypot is a computer that is used to attract potential intruders or attackers. It is for this reason
that a honeypot has low security permissions. A honeypot is used to gain information about the
intruders and their attack strategies.
8. Q: Which of the following two cryptography methods are used by the NTFS
Encrypting File System (EFS) to encrypt data stored on a disk on a file-by-file basis?
Each correct answer represents a complete solution. Choose all that apply.
a. Public key
b. Twofish
c. RSA
d. Digital certificates
Explanation: Answer options A and D are correct.
EFS uses public key cryptography and digital certificates to encrypt data stored on a disk on a file-
by-file basis.
Q: Which of the following tools is based on Linux and used to carry out the Penetration
Testing?
a. Ettercap
b. JPlag
c. Vedit
d. BackTrack (now KALI)
Explanation: Answer option D is correct.
46. Q: You want to create a binary log file using tcpdump. Which of the following
commands will you use?
a. tcpdump -w
b. tcpdump -B
c. tcpdump -d
d. tcpdump -dd
Explanation: Answer option A is correct.
The term tcpdump refers to a common packet sniffer that runs under the command line.
54. Q: Which of the following protocols is used by Internet Relay Chat (IRC) for its proper
working?
a. TCP
b. ICMP
c. SMTP
d. IMAP
Explanation: Answer option A is correct.
Q: Adam works as a Network Administrator. He discovers that the wireless AP transmits 128
bytes of plaintext, and the station responds by encrypting the plaintext. It then transmits the
resulting ciphertext using the same key and cipher that are used by WEP to encrypt
subsequent network traffic. Which of the following types of authentication mechanism is
used here?
a. Single key authentication
b. Open system authentication
c. Pre-shared key authentication
d. Shared key authentication
Explanation: Answer option D is correct.
57. Q: Adam works as a professional Ethical Hacker. A project has been assigned to him
to test the security of www.adam-forgenet.com. He starts a port scan, which gives the
following result:
Scan directed at the open port:
    Client 192.168.1.90:4079  -----FIN/URG/PSH----->  Server 192.168.1.120:23 (adam-forgenet.com)
    Client 192.168.1.90:4079  <----NO RESPONSE------  Server 192.168.1.120:23
Scan directed at the closed port:
    Client 192.168.1.90:4079  -----FIN/URG/PSH----->  Server 192.168.1.120:23
    Client 192.168.1.90:4079  <-----RST/ACK---------  Server 192.168.1.120:23
Which of the following types of scans is Adam implementing?
a. XMAS scan
b. SYN scan
c. RPC scan
d. IDLE scan
Explanation: Answer option A is correct.
59. Q: Adam works as a sales manager for Umbrella Inc. He wants to download software
from the Internet. As the software comes from a site in his untrusted zone, Adam
wants to ensure that the downloaded software has not been Trojaned. Which of the
following options would indicate the best course of action for Adam?
a. Compare the file's virus signature with the one published on the distribution.
b. Compare the file size of the software with the one given on the Website.
c. Compare the version of the software with the one published on the distribution
media.
d. Compare the file's MD5 signature with the one published on the distribution media.
Explanation: Answer option D is correct.
The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit
"fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to
produce two messages having the same message digest, or to produce any message having a
given pre-specified target message digest.
Q: Which of the following tools is described in the statement given below?
"It has a database containing signatures to be able to detect hundreds of vulnerabilities in UNIX,
Windows, and commonly used web CGI scripts. Moreover, the database detects DDoS zombies and
Trojans as well."
a. Nmap
b. Nessus
c. SARA
d. Anti-x
Explanation: Answer option B is correct.
Nessus is proprietary comprehensive vulnerability scanning software. It is free of charge for
personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on tested
systems. It is capable of checking various types of vulnerabilities, some of which are as follows:
63. Q: Which of the following attacks can be overcome by applying cryptography?
a. Buffer overflow
b. Sniffing
c. Web ripping
d. DoS
Explanation: Answer option B is correct.
where the hostlist.txt file contains the list of IP addresses and request.txt is the output file. Which of
the following tasks do you want to perform by running this script?
a. You want to perform banner grabbing to the hosts given in the IP address list.
b. You want to perform port scanning to the hosts given in the IP address list.
c. You want to put nmap in the listen mode to the hosts given in the IP address list.
d. You want to transfer the hostlist.txt file to the hosts given in the IP address list.
Explanation: Answer option A is correct.
Each correct answer represents a complete solution. Choose all that apply.
a. Firewall testing
b. Port scanning and service identification
c. Creating a Backdoor
d. Checking file integrity
Explanation: Answer options A, B, and C are correct.
NetCat can be used to perform various tasks, such as firewall testing, port scanning and service
identification, creating a backdoor, etc.
Q: Adam works as a Security Administrator for Umbrella Inc. While monitoring his IDS, Adam
discovers that there are a large number of ICMP Echo Reply packets being received on the
external gateway interface. On further inspection, he notices that the ICMP Echo Reply
packets are coming from the Internet without any request from the internal host. Which of the
following is the most likely cause of this issue?
a. A smurf attack has occurred on the company's network.
b. A land attack has occurred on the company's network.
c. A DoS attack has occurred on the company's network.
d. A fraggle attack has occurred on the company's network.
Explanation: Answer option A is correct.
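Both the Xmas scan question (the FIN/URG/PSH exchange shown earlier) and the smurf question above describe traffic patterns that an IDS can recognise from packet headers alone: TCP segments with FIN, PSH and URG set together, and ICMP echo replies arriving at a host that never sent an echo request. The following is an added example, not code from this study guide or from any IDS; the one-line-per-packet record format is constructed for the example (it is not tcpdump's output format), as are the addresses in the sample log:

```python
import re
from collections import Counter

# Constructed record format, one packet per line (not tcpdump syntax):
#   <proto> <src_ip> <dst_ip> <tcp flag letters | icmp type>
SAMPLE_LOG = """\
tcp 192.168.1.90 192.168.1.120 FPU
tcp 192.168.1.90 192.168.1.120 FPU
tcp 192.168.1.120 192.168.1.90 RA
tcp 192.168.1.50 192.168.1.120 S
tcp 192.168.1.120 192.168.1.50 SA
icmp 203.0.113.5 198.51.100.1 echo-reply
icmp 203.0.113.6 198.51.100.1 echo-reply
icmp 198.51.100.1 203.0.113.7 echo-request
icmp 203.0.113.7 198.51.100.1 echo-reply
"""

LINE = re.compile(r"^(tcp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse(log):
    """Turn the constructed log into (proto, src, dst, info) tuples, skipping malformed lines."""
    records = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def is_xmas(flags):
    """FIN, PSH and URG lit together with none of SYN/ACK/RST: the Xmas probe signature."""
    lit = set(flags)
    return {"F", "P", "U"} <= lit and not ({"S", "A", "R"} & lit)


def xmas_sources(records):
    """Number of Xmas probes seen per source address."""
    return Counter(src for proto, src, dst, info in records
                   if proto == "tcp" and is_xmas(info))


def unsolicited_echo_replies(records, our_hosts):
    """Echo replies to our hosts with no matching request from us: the smurf symptom.

    A reply is considered solicited if the same log contains an echo request from the
    reply's destination to the reply's source; ordering within the log is not checked.
    """
    requested = {(src, dst) for proto, src, dst, info in records
                 if proto == "icmp" and info == "echo-request"}
    return Counter(src for proto, src, dst, info in records
                   if proto == "icmp" and info == "echo-reply"
                   and dst in our_hosts and (dst, src) not in requested)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("Xmas probes per source:", dict(xmas_sources(recs)))
    print("unsolicited echo replies per source:",
          dict(unsolicited_echo_replies(recs, {"198.51.100.1"})))
```

In the sample, 192.168.1.90 sends two Xmas probes and gets RST/ACK back from a closed port, exactly the closed-port half of the exchange in the scan question, while the open-port half leaves no reply in the log at all. For the smurf case, the unsolicited replies come from many distinct sources (two here; thousands in a real amplification event), so a detection rule would alert on the count of distinct sources per destination within a time window rather than on any single packet.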
What are common signs that a system has been compromised or hacked? (Choose three.)
A. Server hard drives become fragmented
B. Partitions are encrypted
C. Consistency in usage baselines
D. Patterns in time gaps in system and/or event logs
E. New user accounts created
F. Increased amount of failed logon events
answer: b, c and f
Which of the following is the BEST option when dealing with risk?
a. ignore the risk
b. mitigate the risk
c. deny the risk
d. exploit the risk
answer: B
72. Q: Adam works as a professional Penetration tester. A project has been assigned to
him to employ penetration testing on the network of Umbrella Inc. He is running the
test from home and has downloaded every security scanner from the Internet. Despite
knowing the IP range of all of the systems and the exact network configuration, Adam
is unable to get any useful results. Which of the following is the most likely cause of
this problem?
Each correct answer represents a complete solution. Choose all that apply.
a. Security scanners are not designed to do testing through a firewall.
b. Security scanners cannot perform vulnerability linkage.
c. Security scanners are only as smart as their database and cannot find unpublished
vulnerabilities.
d. Security scanners are as smart as their database and can find unpublished
vulnerabilities.
Explanation: Answer options A, B, and C are correct.
Your manager has asked you to develop something that will show improvement of the state
of security of your network over time. What must you develop?
a. reports
b. metrics
c. standards
d. testing policy
answer B
7. Q: John works as a C programmer. He develops the following C program:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Copies the caller's string into a fixed 10-byte stack buffer with no length check. */
int buffer(char *str)
{
    char buffer1[10];
    strcpy(buffer1, str);
    return 1;
}

int main(int argc, char *argv[])
{
    if (argc < 2)          /* avoid passing a NULL pointer when no argument is given */
        return 1;
    buffer(argv[1]);       /* argv[1] is user-supplied and of arbitrary length */
    printf("Executed\n");
    return 1;
}

His program is vulnerable to a __________ attack.
a. Buffer overflow
b. Denial-of-Service
c. SQL injection
d. Cross site scripting
Explanation: Answer option A is correct.
This program takes a user-supplied string and copies it into 'buffer1', which can hold up to 10 bytes
of data. If a user sends more than 10 bytes, it would result in a buffer overflow.
Buffer Overflow
Buffer overflow is a condition in which an application receives more data than it is configured to
accept. It helps an attacker not only to execute malicious code on the target system but also to
install backdoors on the target system for further attacks.
Q: Which of the following is a term that refers to unsolicited e-mails sent to a large number of
e-mail users?
a. Buffer overflow
b. Biometrics
c. Hotfix
d. Spam
Explanation: Answer option D is correct.
Spam is a term that refers to the unsolicited e-mails sent to a large number of e-mail users.
Q: Which of the following languages are vulnerable to a buffer overflow attack?
Each correct answer represents a complete solution. Choose all that apply.
a. C
b. C++
c. Java
d. Action script
Explanation: Answer options A and B are correct.
C and C++ are the languages that are vulnerable to a buffer overflow attack.
1. Q: Which of the following algorithms can be used to check the integrity of a file?
Each correct answer represents a complete solution. Choose two.
a. md5
b. sha
c. rsa
d. blowfish
Explanation: Answer options A and B are correct.
Any hashing algorithm can be used to detect whether a file has changed. The sender computes the
hash value of the file and sends it along with the file; the receiver recalculates the hash of the file it
received and checks whether the two values match. Since md5 and sha are hashing algorithms,
they can be used to check the integrity of a file.
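The hash-and-compare procedure just described is the same mechanism behind the Tripwire question earlier (hash every monitored file, rescan, report differences) and the Trojaned-download question (compare the file's digest with the one the distributor published). The following is an added example, not code from this study guide, from Tripwire or from any distributor; the directory contents, file names and the "published" digest are constructed, and SHA-256 is used for the baseline because MD5 is named later on this page as collision-prone:

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, algorithm="sha256"):
    """Map every file under root (POSIX-style relative path) to its digest: the baseline."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p, algorithm)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Report files added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def verify_download(path, published_digest, algorithm="sha256"):
    """The download check: does the local file's digest equal the published one?"""
    return hmac.compare_digest(file_digest(path, algorithm), published_digest.lower())


def demo_integrity():
    """Baseline a constructed directory, tamper with it, rescan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/bash\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed placeholder\n")
        baseline = snapshot(root)
        # Simulated tampering: an extra UID-0 account and a new binary dropped in bin/.
        (root / "etc" / "passwd").write_bytes(
            b"root:x:0:0:root:/root:/bin/bash\nevil:x:0:0::/:/bin/sh\n")
        (root / "bin" / "nc").write_bytes(b"\x7fELF another placeholder\n")
        return compare(baseline, snapshot(root))


def demo_download():
    """Check a constructed download against the right and a wrong published digest."""
    # SHA-256 of the bytes b"abc" (standard test vector), standing in for a vendor's published value.
    published = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "tool.tar.gz"
        path.write_bytes(b"abc")  # constructed stand-in for the downloaded archive
        return verify_download(path, published), verify_download(path, "00" * 32)


if __name__ == "__main__":
    print(demo_integrity())
    print(demo_download())
```

Two caveats a practitioner should keep in mind: the baseline must itself be stored somewhere the monitored host cannot rewrite, or an intruder simply re-baselines after tampering; and a digest published on the same site as the download only proves the two were not altered independently, which is why distributors also sign the digest file.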
Functions of SSL
Secure Sockets Layer (SSL) is used to secure Web communications between clients and Web
servers. The SSL protocol provides communications privacy, authentication, and message integrity.
This protocol enables clients and servers to communicate in a manner that prevents eavesdropping
and tampering.
Internet Protocol Security (IPSec) is a standards-based protocol that provides the highest level of
VPN security. IPSec can encrypt virtually everything above the networking layer. It is used for VPN
connections that use the L2TP protocol. It secures both data and password. IPSec cannot be used
with Point-to-Point Tunneling Protocol (PPTP).
Which property ensures that a hash function will not produce the same hashed value for two
different messages?
A. Entropy
B. Key length
C. Bit strength
D. Collision resistance
answer: D
5. Q: You work as a Network Administrator for Tech Perfect Inc. The company has a
Linux-based network. You have configured a VPN server for remote users to connect
to the company's network. Which of the following encryption types will Linux use?
a. RC2
b. MSCHAP
c. CHAP
d. 3DES
Explanation: Answer option D is correct.
For VPN connections, Linux uses 3DES encryption.
8. Q: Andrew works as a Software Developer for Mansoft Inc. The company's network
has a Web server that hosts the company's Web site. Andrew wants to enhance the
security of the Web site by implementing Secure Sockets Layer (SSL). Which of the
following types of encryption does SSL use?
Each correct answer represents a complete solution. Choose two.
a. Secret
b. IPSec
c. Asymmetric
d. Symmetric
Explanation: Answer options C and D are correct.
SSL uses asymmetric and symmetric encryption to accomplish the task. Secure Sockets Layer
(SSL) is a protocol used to transmit private documents via the Internet. SSL uses a combination of
public key and symmetric encryption to provide communication privacy, authentication, and
message integrity.
Q: Which of the following encryption algorithms are based on stream ciphers?
Each correct answer represents a complete solution. Choose all that apply.
a. Blowfish
b. FISH
c. Twofish
d. RC4
Explanation: Answer options B and D are correct.
FISH and RC4 encryption algorithms are based on stream ciphers.
Q: Which of the following cryptographic algorithms is a hashing algorithm that is vulnerable
to collision and rainbow attacks?
a. MD5
b. RC5
c. AES
d. RSA
Explanation: Answer option A is correct.
Q: Which of the following cryptographic algorithms is easiest to crack?
a. AES
b. DES
c. SHA-1
d. RC5
Explanation: Answer option B is correct.
Each correct answer represents a complete solution. Choose all that apply.
a. RC4
b. MD5
c. SHA
d. AES
Explanation: Answer options B and C are correct.
MD5 and SHA are hashing algorithms.
Q: Which of the following protocols provides a framework for the negotiation and
management of security associations between peers and traverses the UDP/500 port?
a. ISAKMP
b. IKE
c. ESP
d. AH
Explanation: Answer option A is correct.
Q: Which of the following statements is true of digital signature?
a. Digital signature verifies the identity of the person who applies it to a document.
b. Digital signature is required for an e-mail message to get through a firewall.
c. Digital signature compresses the message to which it is applied.
d. Digital signature decrypts the contents of documents.
Explanation: Answer option A is correct.
Digital signature is a personal authentication method based on encryption and authorization
codes. It is used for signing electronic documents. Digital signature not only validates the sender's
identity, but also ensures that the document's content has not been altered.
20. Q: Mark is implementing security on his e-commerce site. He wants to ensure that a
customer sending a message is really the one he claims to be. Which of the following
techniques will he use to ensure this?
a. Digital signature
b. Authentication
c. Packet filtering
d. Firewall
Explanation: Answer option A is correct.
Q: In which of the following cryptographic attacking techniques does an attacker obtain
encrypted messages that have been encrypted using the same encryption algorithm?
a. Known plaintext attack
b. Ciphertext only attack
c. Chosen plaintext attack
d. Chosen ciphertext attack
Explanation: Answer option B is correct.
In a ciphertext only attack, the attacker obtains encrypted messages that have been encrypted using
the same encryption algorithm.
Known plaintext attack: In a known plaintext attack, the attacker should have both the plaintext
and ciphertext of one or more messages. These two items are used to extract the cryptographic
key and recover the encrypted text.
Ciphertext only attack: In this attack, the attacker obtains encrypted messages that have been
encrypted using the same encryption algorithm. For example, the original version of WEP used
RC4, and if sniffed long enough, the repetitions would allow a hacker to extract the WEP key.
Such types of attacks do not require the attacker to have the plaintext because the statistical
analysis of the sniffed log is enough.
Chosen plaintext attack: In a chosen plaintext attack, the attacker somehow picks up the
information to be encrypted and takes a copy of it with the encrypted data. This is used to find
patterns in the cryptographic output that might uncover vulnerability or reveal a cryptographic
key.
Chosen ciphertext attack: In this type of attack, the attacker can choose the ciphertext to be
decrypted and can then analyze the plaintext output of the event. The early versions of RSA
used in SSL were actually vulnerable to this attack.
2. Q: How is gray box testing different from black box testing?
a. In the white box testing, the tester has no knowledge of the target. He has been
given only the name of the company.
b. In the black box testing, the tester has complete knowledge of the internal company
network.
c. In the gray box testing, the tester has to try to gain access into a system using
commercially available tools only.
d. In the gray box testing, the attacker performs attacks with a normal user account to
see if he can escalate privileges.
Explanation: Answer option D is correct.
In the gray box testing, the attacker performs attacks with a normal user account to see if he can
escalate privileges.
Answer option A is incorrect. White box testing is a security testing method that can be used to
validate whether application implementation follows the intended design, to validate implemented
security functionality, and to uncover exploitable vulnerabilities.
Answer option B is incorrect. Black box testing assumes no prior knowledge of the infrastructure to
be tested. The testers must first determine the location and extent of the systems before
commencing their analysis.
Q: As a security consultant, you have been brought in to run vulnerability assessment on a
large entertainment organization. Company management wants to know how long it will take
before you can break into and get access to sensitive financial data. How would you respond
to them?
a. You would try your best, and should be able to get access within 2-3 weeks.
b. You politely point out to them that you are running a vulnerability assessment and
that does not involve pentesting, which includes getting access to sensitive data.
c. You let them know that it is directly dependent on the security posture of the
organization, and how well controls have been implemented.
d. You let them know that it depends on the contract on whether white-box testing is
allowed or black-box testing approach has to be taken.
Explanation: Answer option B is correct.
Q: What are some of the end goals of a successful pentesting effort?
a. Verifying whether in the event of hardware damage, certain data could be restored
with a regular backup
b. Generally examining the IT infrastructure in terms of its compliance, efficiency,
effectiveness, etc.
c. Identifying vulnerabilities and improving security of technical systems
d. Cataloging assets and resources in a system
Explanation: Answer option C is correct. For a successful penetration test that meets the client's
expectations, the clear definition of goals is absolutely essential. If goals cannot be attained or
cannot be achieved efficiently, the tester should notify the client in the preparation phase and
recommend alternative procedures such as an IT audit or IT security consulting services.
Q: Which of the following statements differentiates a penetration tester from an attacker?
a. A penetration tester uses various vulnerability assessment tools.
b. A penetration tester does not test the physical security.
c. A penetration tester does not perform a sniffing attack.
d. A penetration tester differs from an attacker by his intent and lack of malice.
Explanation: Answer option D is correct.
A penetration test is a method of evaluating the security of a computer system or network by
simulating an attack from a malicious source, known as a Black Hat Hacker or Cracker. The process
involves an active analysis of the system for any potential vulnerabilities that may result from poor or
improper system configuration, known and/or unknown hardware or software flaws, or operational
weaknesses in process or technical countermeasures.
7. Q: Which of the following principle steps of risk management includes identification
of vulnerabilities, assessment of losses caused by threats materialized, cost-benefit
examination of countermeasures, and assessment of attacks?
a. Risk assessment
b. Vulnerability management
c. Assessment, monitoring, and assurance
d. Adherence to security standards and policies for development and deployment
Explanation: Answer option A is correct.
Risk assessment includes identification of vulnerabilities, assessment of losses caused by threats
materialized, cost-benefit examination of countermeasures, and assessment of attacks.
9. Q: If you are trying to find the domain-name (DNS) records for a given organization, which
tool would you use first?
a. NSLookup
b. Nmap
c. Neotrace
d. Traceroute
Explanation: Answer option A is correct. NSLookup queries Internet domain name servers and displays
the DNS records (for example A, MX and NS records) that map the organization's host names and key
servers to IP addresses. Nmap, Neotrace and Traceroute work against IP addresses, so they come into
play only after the DNS records have given you addresses to probe.
10. Q: What command will you use to grab a password file through Netcat?
a. pwdump> file.txt.
b. nc -l -p <port number> -e cmd.exe -d
c. nc -l -u -p 1111 < /etc/passwd
d. nc <ip address><port number><passwd>
Explanation: Answer option C is correct. Netcat can ship a file across the network: nc -l -u -p 1111
< /etc/passwd starts a UDP listener on port 1111 with /etc/passwd redirected to its standard input,
so the file is sent to the client that connects; on the other side, netcat connects to that port and
its output is redirected into a local file. Netcat transfers the data in clear text. Option A is a
Windows hash-dumping command, not netcat, and option B turns a Windows host into a remote command
shell rather than serving a file.
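The two sides of that exchange, written out with Python sockets as an added example (this is not from the original guide; it uses TCP on localhost instead of the UDP of option C, and the passwd content is a constructed sample rather than the real /etc/passwd):

```python
import socket
import threading

# Constructed stand-in for /etc/passwd; the real file is never read.
SAMPLE_PASSWD = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"alice:x:1000:1000::/home/alice:/bin/sh\n"
)


def serve_file_once(data: bytes) -> int:
    """Listener side, the equivalent of `nc -l -p <port> < file` (TCP here).

    Binds an ephemeral port on localhost and, in a background thread, sends
    `data` to the first client that connects, then closes. Returns the port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(data)  # the stdin redirect: file bytes flow to the peer
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return port


def grab_file(host: str, port: int) -> bytes:
    """Connecting side, the equivalent of `nc <host> <port> > passwd.txt`.

    Connects and reads until the listener closes the connection (EOF).
    """
    chunks = []
    with socket.create_connection((host, port), timeout=5) as cli:
        while True:
            chunk = cli.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def demo() -> bytes:
    """Run both sides on localhost and return what the receiver collected."""
    port = serve_file_once(SAMPLE_PASSWD)
    return grab_file("127.0.0.1", port)


if __name__ == "__main__":
    print(demo().decode(), end="")
```

Note the direction of the data: the side with the file listens, and whoever connects receives it. Everything crosses the wire unencrypted, which is why such a transfer is trivial to spot with a network tap.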
Q: A fast food chain is planning to tighten the security posture of the IT infrastructure. For
the initial period, a lower security budget has been approved, and the company is planning to
run the tests via tools with an internal team in a concurrent fashion that will replicate the
attacks from external intruders. When an increased budget gets approved, the new
assessments will take into account other areas such as security architecture and policy.
What testing sequence should the company follow?
a. Black box testing followed by white box testing
b. Automated testing followed by manual testing
c. Grey box testing all through
d. Manual testing followed by automated testing
Explanation: Answer option B is correct.
Q: Mark, a malicious hacker, hides a hacking tool from a system administrator of his
company by using Alternate Data Streams (ADS). Which of the following statements is true in
this situation?
a. Mark is using the NTFS file system.
b. Mark is using the FAT file system.
c. Alternate Data Streams is a feature of the Linux operating system.
d. Mark's computer runs on the Microsoft Windows 98 operating system.
answer: A. Alternate Data Streams are a feature of the NTFS file system, so hiding a tool in an
ADS means the volume is NTFS; FAT has no stream support (and Windows 98 could not use NTFS), and
ADS is not a Linux feature. Note that an ADS is hidden only from tools that do not enumerate
streams; stream-aware tools such as dir /r will list it.
13. Q: Mark works as a backup administrator for uCertify Inc. He is responsible for taking
backups of important data, and so he is only authorized to access this data for backing it
up. However, sometimes users with different roles need to access the same resources. By
which of the following can this situation be handled?
a. Role-Based Access Control (RBAC)
b. Mandatory Access Control (MAC)
c. Discretionary Access Control (DAC)
d. Access Control List (ACL)
Explanation: Answer option A is correct. Role-based access control (RBAC) is an access control
model. In this model, a user can access resources according to his role in the organization. For
example, a backup administrator is responsible for taking backups of important data. Therefore, he
is only authorized to access this data for backing it up. However, sometimes users with different
roles need to access the same resources. This situation can also be handled using the RBAC
model.
Answer option B is incorrect. Mandatory Access Control (MAC) is a model that uses a predefined
set of access privileges for an object of the system. Access to an object is restricted on the basis of
the sensitivity of the object and granted through authorization. Sensitivity of an object is defined by
the label assigned to it. For example, if a user receives a copy of an object that is marked as
"secret", he cannot grant permission to other users to see this object unless they have the
appropriate permission.
Answer option C is incorrect. Discretionary access control (DAC) is an access policy determined
by the owner of an object. The owner decides who is allowed to access the object and what
privileges they have. Two important concepts in DAC are as follows:
14. Q: You are a malicious hacker and want to run a port scan on a system to investigate
open ports and other valuable information. You are using the nmap command for this
purpose. As you are concerned that someone running PortSentry could block your scans,
you decide to slow the scans so that no one can detect them. Which nmap command will
you use to accomplish the task?
a. nmap -sS -PT -PI -O -T1 <ip address>
b. nmap -sO -PT -O -C5 <ip address>
c. nmap -sF -P0 -O <ip address>
d. nmap -sF -PT -PI -O <ip address>
Explanation: Answer option A is correct. -T1 ("sneaky") is nmap's second-slowest timing template; it
spaces the probes out in time so that rate-based port-scan detectors such as PortSentry are less
likely to trigger. -sS requests a SYN (half-open) scan, -O requests OS fingerprinting, and -PT and
-PI are the legacy host-discovery options (TCP ping and ICMP echo ping) of older nmap versions.
-C5 in option B is not an nmap option, and options C and D specify no timing template at all, so
they run at the default speed.
Q: You work as a security administrator for uCertify Inc. Mark, a manager of the sales
department, is currently away from the office on urgent business. He has asked you to send him
some very sensitive data on a USB flash drive. You are concerned about the security of the data.
You initially think of encrypting the files, but decide against it out of fear that the encryption
keys could eventually be broken. Which software application will you use to hide the data on the
USB flash drive?
a. Snow
b. EFS
c. File Sniff
d. File Sneaker
Explanation: Answer option A is correct. Snow is a steganography tool: it hides data in the
trailing whitespace (spaces and tabs) at the ends of lines of a text file, so the carrier still
looks like an ordinary text file rather than ciphertext, and it can optionally encrypt the hidden
data as well. EFS encrypts files rather than hiding them, and the remaining options do not meet
the requirement.
Q: You work as a security administrator for uCertify Inc. While monitoring your IDS you discover
a large number of ICMP Echo Reply packets arriving on the external gateway interface. On further
investigation, you notice that the Echo Replies are coming from the Internet without any
corresponding Echo Request from an internal host. Which of the following attacks explains this
traffic?
a. Smurf attack
b. Land attack
c. DoS attack
d. Fraggle attack
Explanation: Answer option A is correct. In a Smurf attack the attacker sends ICMP Echo Requests to
the broadcast address of one or more networks with the victim's address forged as the source, so
every host on those networks replies to the victim, which receives a flood of Echo Replies it never
requested. A Fraggle attack is the same technique using UDP instead of ICMP, and a Land attack
sends a packet whose source and destination addresses are both the victim's.
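Detection logic for exactly this symptom, as an added example (not from the original guide): it replays constructed IDS packet summaries, matches inbound Echo Replies against outbound Echo Requests by (peer, ICMP id, sequence), and flags a flood of unsolicited replies from many distinct reflectors aimed at one victim. The packet records and addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed packet summaries, as an IDS might log them:
# (direction, src, dst, icmp_type, icmp_id, icmp_seq). Documentation-range addresses.
SAMPLE_PACKETS = [
    ("out", "203.0.113.10", "198.51.100.1", "echo-request", 0x1234, 1),
    ("in",  "198.51.100.1", "203.0.113.10", "echo-reply",   0x1234, 1),  # legitimate reply
    ("in",  "192.0.2.7",    "203.0.113.10", "echo-reply",   0x0042, 9),  # reflectors echoing
    ("in",  "192.0.2.8",    "203.0.113.10", "echo-reply",   0x0042, 9),  # a request we never
    ("in",  "192.0.2.9",    "203.0.113.10", "echo-reply",   0x0042, 9),  # sent: same id/seq,
    ("in",  "192.0.2.10",   "203.0.113.10", "echo-reply",   0x0042, 9),  # many sources
    ("in",  "192.0.2.99",   "203.0.113.10", "echo-reply",   0x0777, 3),  # one stray reply: noise
]


def find_unsolicited_replies(packets):
    """Return inbound Echo Replies for which no matching outbound request was seen."""
    outstanding = set()   # (peer, id, seq) of requests we sent and have not seen answered
    unsolicited = []
    for direction, src, dst, icmp_type, ident, seq in packets:
        if direction == "out" and icmp_type == "echo-request":
            outstanding.add((dst, ident, seq))
        elif direction == "in" and icmp_type == "echo-reply":
            key = (src, ident, seq)
            if key in outstanding:
                outstanding.discard(key)          # answers something we asked
            else:
                unsolicited.append((src, dst, ident, seq))
    return unsolicited


def smurf_indicators(packets, min_reflectors=3):
    """Group unsolicited replies by (victim, id, seq).

    A Smurf flood shows up as many distinct reflector sources all echoing the
    same spoofed request to the same victim; a single stray reply does not.
    """
    reflectors = defaultdict(set)
    for src, dst, ident, seq in find_unsolicited_replies(packets):
        reflectors[(dst, ident, seq)].add(src)
    return {k: sorted(v) for k, v in reflectors.items() if len(v) >= min_reflectors}


if __name__ == "__main__":
    for (victim, ident, seq), sources in smurf_indicators(SAMPLE_PACKETS).items():
        print(f"possible Smurf: {len(sources)} reflectors -> {victim} "
              f"(id={ident:#x} seq={seq})")
```

In production the same grouping would run over a sliding time window with a rate threshold, since a real flood may rotate the ICMP id and sequence; the matching rule (reply with no request) is what separates the attack from normal ping traffic.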
Q: Which of the following are the effects of a DoS attack?
Each correct answer represents a complete solution. Choose all that apply.
a. Saturates network resources
b. Helps services to a specific computer
c. Causes failure to access a Web site
d. Results in an increase in the amount of spam
Explanation: Answer options A, C, and D are correct.
Q: You work as a professional ethical hacker. You have been assigned the project of testing
the security of www.ucertify.com. You want to perform a stealth scan to discover open ports
and applications running on the uCertify server. For this purpose, you want to initiate
scanning with the IP address of any third party. Which of the following scanning techniques
will you use to accomplish the task?
a. IDLE
b. RPC
c. UDP
d. TCP SYN/ACK
Explanation: Answer option A is correct.
The idle scan is carried out through a third-party "zombie" host: the tester spoofs the zombie's IP
address on the SYN probes sent to the target and infers whether each port is open from changes in
the zombie's IP ID counter. Because the target only ever sees packets from the zombie, its logs do
not record the tester's address, which is what makes the scan stealthy. It requires a zombie whose
IP ID increments predictably and which is otherwise idle; a busy zombie makes the result unreliable.
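A simulation of the idle scan's three-step inference, added here as an example (it is not from the original guide and does not send real packets): toy hosts with a global, incrementing IP ID counter stand in for the zombie and the target, and the scan function reads the zombie's IP ID before and after a spoofed SYN. The addresses, port sets and starting IP ID are constructed.

```python
from dataclasses import dataclass

ATTACKER = "192.0.2.66"   # constructed; this address never reaches the target


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str            # "SYN", "SYN/ACK" or "RST"


class Host:
    """Toy TCP/IP stack with one global IP ID counter that goes up by one for
    every packet the host sends; that predictability makes it usable as a zombie."""

    def __init__(self, ip, open_ports=(), filtered_ports=(), ipid=1000):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)
        self.ipid = ipid
        self.net = None

    def send(self, pkt):
        self.ipid += 1                        # each emitted packet consumes one IP ID
        return self.net.deliver(pkt, self.ipid)

    def receive(self, pkt):
        """Handle an inbound packet; returns the IP ID of any reply sent."""
        if pkt.dport in self.filtered_ports:
            return None                       # a firewall drops it silently
        if pkt.flags == "SYN":
            reply = "SYN/ACK" if pkt.dport in self.open_ports else "RST"
            return self.send(Packet(self.ip, pkt.src, 0, reply))
        if pkt.flags == "SYN/ACK":            # unsolicited SYN/ACK: answer with RST
            return self.send(Packet(self.ip, pkt.src, 0, "RST"))
        return None                           # an unsolicited RST is ignored


class Network:
    def __init__(self):
        self.hosts = {}

    def add(self, host):
        self.hosts[host.ip] = host
        host.net = self

    def deliver(self, pkt, ipid):
        """Hand pkt to its destination; return its IP ID, which is what the
        attacker reads off the wire when the zombie answers a probe."""
        dst = self.hosts.get(pkt.dst)
        if dst is not None:
            dst.receive(pkt)
        return ipid


def idle_scan(zombie, target, port, zombie_background_packets=0):
    """Three-step idle scan. Only the zombie ever sees packets from ATTACKER."""
    before = zombie.receive(Packet(ATTACKER, zombie.ip, 0, "SYN/ACK"))   # 1. read zombie IP ID
    target.receive(Packet(zombie.ip, target.ip, port, "SYN"))           # 2. SYN spoofed as zombie
    for _ in range(zombie_background_packets):                          # (a non-idle zombie
        zombie.send(Packet(zombie.ip, "198.51.100.99", 0, "RST"))       #  talking to others)
    after = zombie.receive(Packet(ATTACKER, zombie.ip, 0, "SYN/ACK"))    # 3. read it again
    delta = after - before
    if delta == 2:
        return "open"               # target's SYN/ACK made the zombie emit a RST
    if delta == 1:
        return "closed|filtered"    # zombie sent nothing in between
    return "unreliable"             # zombie was busy: its counter moved for other reasons


def build_lab():
    net = Network()
    zombie = Host("198.51.100.20")
    target = Host("203.0.113.80", open_ports={22, 80}, filtered_ports={3389})
    net.add(zombie)
    net.add(target)
    return zombie, target


if __name__ == "__main__":
    z, t = build_lab()
    for p in (22, 23, 80, 3389):
        print(p, idle_scan(z, t, p))
```

The delta of 2 versus 1 is the entire side channel; note that closed and filtered ports are indistinguishable, and that any other traffic from the zombie between the two probes (the `zombie_background_packets` case) destroys the inference, which is why nmap probes the zombie first to check that its IP ID really is sequential and quiet.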
Q: Mark works as a security administrator for uCertify Inc. He wants to perform an active
session hijack against Secure Inc. He has found a target that allows a Telnet session, and thanks
to the high level of traffic on the network he has also located an active session. What should
be Mark's next step?
a. Guess the sequence numbers.
b. Use Brutus to crack the telnet password.
c. Use a sniffer to listen to the network traffic.
d. Use macof to change the MAC address.
Explanation: Answer option A is correct. To take over an established TCP session, Mark must
predict the sequence and acknowledgement numbers the server expects next so that the packets he
injects are accepted as part of the session. Sniffing has already served its purpose in locating
the session, and cracking the password or changing MAC addresses is not part of hijacking it.
Q: Your client has given you permission to execute exploit code on the corporate network to
test whether the IDS/IPS is able to identify and prevent the attacks. What mechanism can you
employ to bypass the network's security mechanisms?
a. Payload
b. Meterpreter
c. Exploit
d. Encoder
Explanation: Answer option D is correct.
An encoder scrambles the payload so that its bytes no longer match the signatures the IDS/IPS
looks for. Most encoders transform the payload with a reversible algorithm (for example XOR
against a key) and prepend a small decoder stub; when the payload reaches its target, the stub runs
first, restores the original bytes in memory and then hands control to them. This defeats static
byte-pattern matching only: engines that emulate or inspect the decoder stub itself can still
catch the exploit.
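A minimal encoder of the kind just described, added as an example (it is not from the original guide and is not a real shellcode encoder; the "payload" is a constructed byte string that merely contains the signature a naive IDS rule would match, and the decoder stub is a Python function rather than machine code). It shows the two things a real encoder must do: make the signature disappear from the bytes on the wire, and pick a key that keeps the encoded bytes free of "bad characters" the delivery channel would mangle.

```python
import os

SIGNATURE = b"/bin/sh"   # the byte string a naive IDS signature keys on
# Constructed stand-in for a payload: plain bytes containing the signature, not shellcode.
PAYLOAD = b"\x90\x90exec " + SIGNATURE + b" -c id\x00"
BAD_CHARS = b"\x00"      # e.g. a NUL would terminate the string the payload rides in


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Rolling XOR of data against a repeating multi-byte key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_decode(data: bytes, key: bytes) -> bytes:
    """The decoder stub's job: XOR is its own inverse, so decoding is the same step."""
    return xor_encode(data, key)


def pick_key(payload: bytes, bad_chars: bytes = BAD_CHARS, key_len: int = 4,
             attempts: int = 1000):
    """Search for a random key such that neither the key nor the encoded payload
    contains a bad character; real encoders perform this search. Returns (key, encoded)."""
    for _ in range(attempts):
        key = os.urandom(key_len)
        if any(k in bad_chars for k in key):
            continue
        encoded = xor_encode(payload, key)
        if not any(b in bad_chars for b in encoded):
            return key, encoded
    raise ValueError("no key avoids the bad characters; try a longer key")


def signature_visible(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """What a byte-matching IDS rule does: look for the literal signature."""
    return signature in blob


def demo() -> dict:
    key, encoded = pick_key(PAYLOAD)
    # What crosses the wire is decoder stub + key + encoded bytes. The signature
    # only reappears in memory after the stub runs, so a static rule never sees it.
    return {
        "key": key,
        "visible_before": signature_visible(PAYLOAD),
        "visible_after": signature_visible(encoded),
        "roundtrip_ok": xor_decode(encoded, key) == PAYLOAD,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Each run draws a fresh key, so the encoded bytes differ from run to run; that is the polymorphism that makes signatures on the encoded form useless, and it is why detection has to target the (unchanging) decoder stub or the decoded payload at execution time instead.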
13. Q: When users access a certain popular news site, they are being redirected to a similar
looking site that contains malicious software. You suspect that your router has been
attacked. What kind of attack has the hacker launched?
a. Route table poisoning
b. Black hole attack
c. Hit and Run Attacks
d. Persistent Attacks
Explanation: Answer option A is correct.
Routing table poisoning means inserting unauthorized or false entries into a router's routing
table, so that traffic for a legitimate destination (here the news site) is forwarded to an address
the attacker controls. It is one of the most effective attacks on a router because a single
poisoned entry redirects every user whose traffic passes through that router.
Q: As a new pentester, you are developing your arsenal of tools. Name a bootable open
source live-CD Linux distribution with a huge variety of Security and Forensics tools that is a
must have in your toolkit.
a. BackTrack (now Kali)
b. Bidiblah
c. VMware
d. botnets
Explanation: Answer option A is correct.
Which protocol and port number is needed to allow log messages through a firewall?
a. SNMP - 161
b. SMTP - 25
c. Syslog - 514
d. POP3 - 110
answer: C (syslog traditionally uses UDP port 514; TCP 514 and TLS-wrapped syslog on TCP 6514
are also in use, so open whichever transport your log sources actually send)
In PGP what is used to encrypt a message before it is sent?
a. receiver's private key
b. senders private key
c. receiver's public key
d. sender's public key
answer: C (PGP uses hybrid encryption: the message itself is encrypted with a freshly generated
symmetric session key, and that session key is encrypted with the receiver's public key so that
only the receiver's private key can recover it; the sender's private key is used only for signing)
Which of the following is a preventative control?
a. audits
b. smart cards
c. disaster recovery plan
d. digital signatures
answer: b
The main difference between symmetric and asymmetric encryption is that symmetric
encryption...
a. uses multiple keys to encrypt and decrypt data
b. uses session keys generated from each party's private key
c. uses the same key to encrypt and decrypt data
d. creates a one-way hash that cannot be reversed
answer: c
As the Sec Engineer you have been tasked with creating a secure remote access solution
that minimizes the chance for a MiTM attack, what should you use?
a. SSL
b. IPSec
c. TLS
d. HTTP over DNS
answer: B
If after applying all of your security controls you still have not eliminated all risk what now?
a. cancel the project (go in a different direction)
b. deny to management that there is remaining risk
c. accept the risk if it is low enough (to management)
d. continue to apply additional controls until all risk is eliminated
answer: c
Information gathered from social networking websites such as Facebook, Twitter and
LinkedIn can be used to launch which of the following types of attacks? (Choose two.)
A. Distributed denial of service attack
B. MiTM attack
C. Teardrop attack
D. SQL injection attack
E. Phishing attack
F. Social engineering attack
answer: E and F
Which of the following is true about proxy firewalls?
A. Proxy firewalls block network packets from passing to and from a protected network.
B. Proxy firewalls increase the speed and functionality of a network.
C. Systems establish a connection with the proxy firewall, which then creates a new network
connection to the destination on that system's behalf.
D. Firewall proxy servers decentralize all activity for an application.
answer: C
Which of the following provides for protection against brute force attacks by using 160-bit
hash?
a. PGP
b. MD5
c. SHA-1
d. RSA
answer: C (SHA-1 produces a 160-bit digest, which is the property the question refers to; note
that practical collisions against SHA-1 have since been demonstrated, so it should not be relied
on for collision resistance in new designs, where SHA-2 or SHA-3 is preferred)
A security administrator has decided to use multiple layers of anti-virus defense, such as end
user desktop anti-virus and E-mail gateway. This will mitigate which kind of attack?
A. Scanning attack
B. Social engineering attack
C. ARP spoofing attack
D. Forensic attack
answer: B
Which would be most effective in determining whether additional end user training is
needed?
a. sql injection
b. social engineering
c. vulnerability scanning
d. application hardening
answer: B
Which type of access control is used on firewalls and routers?
a. mandatory
b. rule-based
c. discretionary
d. role-based
answer: B
Which type of detection system can monitor, log and alert but will not stop an attack?
a. active
b. passive
c. reactive
d. detective
answer: D
How can we defeat rainbow tables?
a. salt
b. pepper
c. cinnamon
d. juju beans
answer: A (a rainbow table is a precomputation over the plain password space; a random per-user
salt mixed into the hash means the table would have to be rebuilt for every salt value, which
removes the attacker's ability to amortize the work across users)
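A worked illustration of why the salt works, added here as an example (not from the original guide): an attacker's precomputed table cracks an unsalted SHA-256 hash instantly, fails against a salted PBKDF2 record, and is reduced to redoing the full work factor per guess for each user's salt. The word list and passwords are constructed, and the iteration count is kept low to run quickly.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the input to the attacker's precomputed table.
WORDLIST = [b"password", b"letmein", b"123456", b"qwerty", b"summer2013"]
ITERATIONS = 50_000   # PBKDF2 work factor; kept low here, raise it in production


def unsalted_hash(password: bytes) -> str:
    """The weak scheme: a bare hash of the password, identical for every user."""
    return hashlib.sha256(password).hexdigest()


def build_table(words):
    """Attacker precomputation: hash each candidate once, reuse against every stolen hash.
    (A real rainbow table compresses this with hash chains; the effect is the same.)"""
    return {unsalted_hash(w): w for w in words}


def lookup(stored_hash: str, table: dict):
    """Cracking an unsalted hash is a single dictionary lookup."""
    return table.get(stored_hash)


def salted_hash(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def make_record(password: bytes):
    """Store (salt, digest). The salt is random per user and need not be secret."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: bytes, record) -> bool:
    salt, digest = record
    return hmac.compare_digest(salted_hash(password, salt), digest)


def crack_with_table(record, table: dict):
    """The precomputed table never saw this salt, so the lookup finds nothing."""
    _salt, digest = record
    return table.get(digest.hex())


def crack_per_salt(record, words):
    """What the attacker is forced into: hash every guess under this user's salt at the
    full work factor, and start again from scratch for the next user."""
    salt, digest = record
    for w in words:
        if hmac.compare_digest(salted_hash(w, salt), digest):
            return w
    return None


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted:", lookup(unsalted_hash(b"letmein"), table))
    rec = make_record(b"letmein")
    print("salted, via table:", crack_with_table(rec, table))
    print("salted, per-salt brute force:", crack_per_salt(rec, WORDLIST))
```

The salt does not make a weak password strong, as `crack_per_salt` shows; it only forces the attacker to pay the full cost per user, which is why the salt must be combined with a slow, iterated hash such as PBKDF2 rather than a single SHA-256.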
How often does the PCI-DSS require an organization to perform an external pentest?
a. once a quarter
b. once a year
c. every two years
d. at least once a year and after a major change or update
answer: D
Which of the following is used to ensure that policy, configuration and procedural
modifications are made in a controlled and documented manner?
a. peer review
b. compliance
c. change management
d. vulnerability scanning
answer: C
What is the name of the international standard for the functionality of IT systems?
a. ISO 18011
b. Orange Book
c. Common Criteria
d. ITSec
answer: C (the Common Criteria for Information Technology Security Evaluation, published as
ISO/IEC 15408; the Orange Book and ITSEC are its US and European predecessors)
What should an ethical hacker first get before starting a pentest?
a. report on findings
b. nmap scan
c. social engineering
d. get a signed document from senior management
answer: D (written, signed authorization from senior management, together with the agreed scope
and rules of engagement, is what separates an ethical hacker's test from an intrusion)