Vendor: GIAC. Exam Code: GPEN. Exam Name: GIAC Certified Penetration Tester. Version: Demo


QUESTION 1
You execute the following netcat command:
c:\target\nc -l -p 53 -d -e cmd.exe
What action do you want to perform by issuing the above command?
A. Capture data on port 53 and performing banner grabbing.
B. Listen the incoming traffic on port 53 and execute the remote shell.
C. Listen the incoming data and performing port scanning.
D. Capture data on port 53 and delete the remote shell.

QUESTION 2
TCP FIN scanning is a type of stealth scanning through which the attacker sends a FIN packet to the target port. If the port is closed, the victim assumes that this packet was sent mistakenly by the attacker and sends the RST packet to the attacker. If the port is open, the FIN packet will be ignored and the port will drop the packet. Which of the following operating systems can be easily identified with the help of TCP FIN scanning?
A. Solaris
B. Red Hat
C. Windows
D. Knoppix

QUESTION 3
You work as a professional Ethical Hacker. You are assigned a project to perform blackhat testing on You visit the office of we-are-secure.com as an air-condition mechanic. You claim that someone from the office called you saying that there is some fault in the air-conditioner of the server room. After some inquiries/arguments, the Security Administrator allows you to repair the air-conditioner of the server room. When you get into the room, you found the server is Linux-based. You press the reboot button of the server after inserting Knoppix Live CD in the CD drive of the server. Now, the server promptly boots back up into Knoppix. You mount the root partition of the server after replacing the root password in the /etc/shadow file with a known password hash and salt. Further, you copy the netcat tool on the server and install its startup files to create a reverse tunnel and move a shell to a remote server whenever the server is restarted. You simply restart the server, pull out the Knoppix Live CD from the server, and inform that the air-conditioner is working properly. After completing this attack process, you create a security auditing report in which you mention various threats such as social engineering threat, boot from Live CD, etc. and suggest the countermeasures to stop booting from the external media and retrieving sensitive data. Which of the following steps have you suggested to stop booting from the external media and retrieving sensitive data with regard to the above scenario? Each correct answer represents a complete solution. Choose two.
A. Encrypting disk partitions
B. Using password protected hard drives
C. Placing BIOS password
D. Setting only the root level access for sensitive data
B

QUESTION 4
Which of the following statements are true about KisMAC?

A. Data generated by KisMAC can also be saved in pcap format.
B. It cracks WEP and WPA keys by Rainbow attack or by dictionary attack.
C. It scans for networks passively on supported cards.
D. It is a wireless network discovery tool for Mac OS X.
CD

QUESTION 5
A Web developer with your company wants to have wireless access for contractors that come in to work on various projects. The process of getting this approved takes time. So rather than wait, he has put his own wireless router attached to one of the network ports in his department. What security risk does this present?
A. An unauthorized WAP is one way for hackers to get into a network.
B. It is likely to increase network traffic and slow down network performance.
C. This circumvents network intrusion detection.
D. None, adding a wireless access point is a common task and not a security risk.

QUESTION 6
Which of the following attacks allows an attacker to sniff data frames on a local area network (LAN) or stop the traffic altogether?
A. Man-in-the-middle
B. ARP spoofing
C. Port scanning
D. Session hijacking

QUESTION 7
Which of the following statements are true about SSIDs? Each correct answer represents a complete solution. Choose all that apply.
A. SSIDs are case insensitive text strings and have a maximum length of 64 characters.
B. Configuring the same SSID as that of the other Wireless Access Points (WAPs) of other networks will create a conflict.
C. SSID is used to identify a wireless network.
D. All wireless devices on a wireless network must have the same SSID in order to communicate with each other.
CD

QUESTION 8
Adam works on a Linux system. He is using Sendmail as the primary application to transmit e-mails. Linux uses Syslog to maintain logs of what has occurred on the system. Which of the following log files contains information such as source and destination IP addresses, date and time stamps etc?
A. /log/var/logd
B. /var/log/logmail
C. /log/var/mailog
D. /var/log/mailog

QUESTION 9

You have inserted a Trojan on your friend's computer and you want to put it in the startup so that whenever the computer reboots the Trojan will start to run on the startup. Which of the following registry entries will you edit to accomplish the task?
A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Start
B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Auto
C. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Startup
D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

QUESTION 10
Which of the following are the scanning methods used in penetration testing? Each correct answer represents a complete solution. Choose all that apply.
A. Vulnerability
B. Port
C. Network
D. Services
BC

QUESTION 11
An executive in your company reports odd behavior on her PDA. After investigation you discover that a trusted device is actually copying data off the PDA. The executive tells you that the behavior started shortly after accepting an e-business card from an unknown person. What type of attack is this?
A. Session Hijacking
B. PDA Hijacking
C. Privilege Escalation
D. Bluesnarfing

QUESTION 12
John works as a professional Ethical Hacker. He has been assigned a project to test the security of He copies the whole structure of the We-are-secure Web site to the local disk and obtains all the files on the Web site. Which of the following techniques is he using to accomplish his task?
A. TCP FTP proxy scanning
B. Eavesdropping
C. Web ripping
D. Fingerprinting

QUESTION 13
Which of the following statements is true about the Digest Authentication scheme?
A. In this authentication scheme, the username and password are passed with every request, not just when the user first types them.
B. A valid response from the client contains a checksum of the username, the password, the given random value, the HTTP method, and the requested URL.
C. The password is sent over the network in clear text format.
D. It uses the base64 encoding encryption scheme.

QUESTION 14
Which of the following tools is used to verify the network structure packets and confirm that the packets are constructed according to specification?
A. EtherApe
B. Snort decoder
C. AirSnort
D. snort_inline

QUESTION 15
Which of the following is NOT an example of passive footprinting?
A. Scanning ports.
B. Analyzing job requirements.
C. Performing the whois query.
D. Querying the search engine.

QUESTION 16
You work as a Network Administrator for Infosec Inc. Nowadays, you are facing an unauthorized access in your Wi-Fi network. Therefore, you analyze a log that has been recorded by your favorite sniffer, Ethereal. You are able to discover the cause of the unauthorized access after noticing the following string in the log file:
(Wlan.fc.type_subtype eq 32 and llc.oui eq 0x00601d and llc.pid eq 0x0001)
When you find All your b are belong to us as the payload string, you are convinced about which tool is being used for the unauthorized access. Which of the following tools have you ascertained?
A. AirSnort
B. Kismet
C. AiroPeek
D. NetStumbler

QUESTION 17
Which of the following options holds the strongest password?
A. california
B. $#164aviD^%
C. Admin1234
D. Joe12is23good

QUESTION 18
Which of the following encryption modes are possible in WEP? Each correct answer represents a complete solution. Choose all that apply.
A. No encryption
B. 256 bit encryption
C. 128 bit encryption
D. 40 bit encryption

CD

QUESTION 19
Which of the following tools can be used to perform brute force attack on a remote database? Each correct answer represents a complete solution. Choose all that apply.
A. FindSA
B. SQLDict
C. nmap
D. SQLBF
BD

QUESTION 20
Which of the following statements are true about WPA? Each correct answer represents a complete solution. Choose all that apply.
A. WPA-PSK converts the passphrase into a 256-bit key.
B. WPA provides better security than WEP.
C. WPA-PSK requires a user to enter an 8-character to 63-character passphrase into a wireless client.
D. Shared-key WPA is vulnerable to password cracking attacks if a weak passphrase is used.
BCD

QUESTION 21
Which of the following are the limitations for the cross site request forgery (CSRF) attack? Each correct answer represents a complete solution. Choose all that apply.
A. The target site should have limited lifetime authentication cookies.
B. The attacker must target a site that doesn't check the referrer header.
C. The target site should authenticate in GET and POST parameters, not only cookies.
D. The attacker must determine the right values for all the form inputs.
D

QUESTION 22
You want to integrate the Nikto tool with nessus vulnerability scanner. Which of the following steps will you take to accomplish the task? Each correct answer represents a complete solution. Choose two.
A. Restart nessusd service.
B. Place nikto.pl file in the /var/www directory.
C. Place nikto.pl file in the /etc/nessus directory.
D. Place the directory containing nikto.pl in root's PATH environment variable.
D

QUESTION 23
Which of the following tools can be used to read NetStumbler's collected data files and present street maps showing the logged WAPs as icons, whose color and shape indicates WEP mode and signal strength?
A. NetStumbler
B. StumbVerter
C. WEPcrack

D. Kismet

QUESTION 24
Which of the following types of cyber stalking damage the reputation of their victim and turn other people against them by setting up their own Websites, blogs or user pages for this purpose?
A. Encouraging others to harass the victim
B. False accusations
C. Attempts to gather information about the victim
D. False victimization

QUESTION 25
Which of the following statements are true about MS-CHAPv2? Each correct answer represents a complete solution. Choose all that apply.
A. It is a connectionless protocol.
B. It can be replaced with EAP-TLS as the authentication mechanism for PPTP.
C. It provides an authenticator-controlled password change mechanism.
D. It is subject to offline dictionary attacks.
CD

QUESTION 26
You work as a Network Administrator for Net World International. The company has a Windows Active Directory-based single domain single forest network. The functional level of the forest is Windows Server There are ten Sales Managers in the company. The company has recently provided laptops to all its Sales Managers. All the laptops run Windows XP Professional. These laptops will be connected to the company's network through wireless connections. The company's management wants to implement Shared Key authentication for these laptops. When you try to configure the network interface card of one of the laptops for Shared Key authentication, you find no such option. What will you do to enable Shared Key authentication?
A. Install PEAP-MS-CHAP v2
B. Install Service Pack 1
C. Enable WEP
D. Install EAP-TLS

QUESTION 27
Which of the following ports will you scan to search for SNMP enabled devices in the network?
A. 163
B. 123
C. 151
D. 161

QUESTION 28
Which of the following attacks is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker?

A. DoS
B. Sniffing
C. Man-in-the-middle
D. Brute force

QUESTION 29
In which of the following scanning techniques does a scanner connect to an FTP server and request that server to start data transfer to the third system?
A. Bounce attack scanning
B. Xmas Tree scanning
C. TCP FIN scanning
D. TCP SYN scanning

QUESTION 30
Which of the following enables an inventor to legally enforce his right to exclude others from using his invention?
A. Patent
B. Spam
C. Phishing
D. Artistic license

QUESTION 31
When you conduct the XMAS scanning using Nmap, you find that most of the ports scanned do not give a response. What can be the state of these ports?
A. Closed
B. Open
C. Filtered

QUESTION 32
You work as a Desktop Technician in we-are-secure.com Inc. Due to some misunderstanding you are terminated from the company. You feel that you were wrongly terminated. Due to this, you want to revenge of your wrong termination by hacking into the we-are-secure network. Since you worked as a Desktop Technician, you remember all the server names. You try to run the axfr and ixfr commands on these servers using the DIG tool. What attack do you want to perform?
A. Sniffing attack
B. Password cracking attack
C. DNS zone transfer
D. Replay attack

QUESTION 33
Which of the following can be the countermeasures to prevent NetBIOS NULL session enumeration in Windows 2000 operating systems? Each correct answer represents a complete solution. Choose all that apply.

A. Disabling SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface
B. Denying all unauthorized inbound connections to TCP port 53
C. Disabling TCP port 139/445
D. Editing the registry key HKLM\SYSTEM\CurrentControlSet\LSA and adding the value RestrictAnonymous
CD

QUESTION 34
Which TCP and UDP ports can be used to start a NULL session attack in NT and 2000 operating systems?
A. 139 and 445
B. 149 and 133
C. 203 and 333
D. 198 and 173

QUESTION 35
John works as a professional Ethical Hacker. He is assigned a project to test the security of aresecure.com. You have searched all open ports of the we-are-secure server. Now, you want to perform the next information-gathering step, i.e., passive OS fingerprinting. Which of the following tools can you use to accomplish the task?
A. Superscan
B. Nmap
C. P0f
D. NBTscan

QUESTION 36
Which of the following tools can be used for cracking the password of Server Message Block (SMB)? Each correct answer represents a complete solution. Choose all that apply.
A. Pwddump2
B. SMBRelay
C. KrbCrack
D. L0phtCrack
D

QUESTION 37
The employees of CCN Inc. require remote access to the company's proxy servers. In order to provide solid wireless security, the company uses LEAP as the authentication protocol. Which of the following is supported by the LEAP protocol? Each correct answer represents a complete solution. Choose all that apply.
A. Password hash for client authentication
B. Strongest security level
C. Dynamic key encryption
D. Public key certificate for server authentication
C

QUESTION 38

Which of the following TCP flags shows that the system is forwarding the buffered data?
A. URG
B. RST
C. PSH
D. FIN

QUESTION 39
Which of the following functions can be used as a countermeasure to a Shell Injection attack? Each correct answer represents a complete solution. Choose all that apply.
A. regenerateid()
B. escapeshellarg()
C. escapeshellcmd()
D. mysql_real_escape_string()
C

QUESTION 40
You want to obtain the Information of a Web server, whose IP address range comes in the IP address range used in Brazil. Which of the following registries can be used to get information about the Web server administers IP addresses, reverse DNS, etc?
A. ARIN
B. LACNIC
C. APNIC
D. RIPE NCC

QUESTION 41
Which of the following tools is used to make fake authentication certificates?
A. Brutus
B. WinSSLMiM
C. Obiwan
D. Netcat

QUESTION 42
Which of the following functions can you use to mitigate a command injection attack? Each correct answer represents a complete solution. Choose all that apply.
A. htmlentities()
B. strip_tags()
C. escapeshellarg()
D. escapeshellcmd()
D

QUESTION 43
Which of the following programming languages are NOT vulnerable to buffer overflow attacks? Each correct answer represents a complete solution. Choose two.
A. Perl

B. C++
C. Java
D. C
C

QUESTION 44
You work as a Computer Hacking Forensic Investigator for SecureNet Inc. You want to investigate Cross-Site Scripting attack on your company's Website. Which of the following methods of investigation can you use to accomplish the task? Each correct answer represents a complete solution. Choose all that apply.
A. Review the source of any HTML-formatted messages for embedded scripts or links in the URL to the company's site.
B. Look at the Web servers logs and normal traffic logging.
C. Use a Web proxy to view the Web server transactions in real time and investigate any communication with outside servers.
D. Use Wireshark to capture traffic going to the server and then searching for the requests going to the input page, which may give log of the malicious traffic and the IP address of the source.
BC

QUESTION 45
You want that some of your Web pages should not be crawled. Which one of the following options will you use to accomplish the task?
A. Use HTML NO Crawl tag in the Web page not to be crawled
B. Enable the SSL
C. Place the name of restricted Web pages in the robots.txt file
D. Place the name of restricted Web pages in the private.txt file

QUESTION 46
Which of the following attacks allows the bypassing of access control lists on servers or routers, and helps an attacker to hide? Each correct answer represents a complete solution. Choose two.
A. IP spoofing attack
B. DNS cache poisoning
C. DDoS attack
D. MAC spoofing
D

QUESTION 47
What is the maximum limit of the file size that a user can upload according to the code snippet given below?
<form enctype="multipart/form-data" action="index.php" method="post">
<input type="hidden" name="max_file_size" value="5000" />
<input name="filedata" type="file" />
<input type="submit" value="send file" />
</form>
A. 5,000 Kilobytes
B. 5,000 Megabytes
C. 5,000 bytes
D. 5,000 bits

QUESTION 48
Which of the following tools uses exploits to break into remote operating systems?
A. Nmap
B. John the Ripper
C. Metasploit framework
D. Nessus

QUESTION 49
In which of the following scanning methods does an attacker send the spoofed IP address to send a SYN packet to the target?
A. IDLE
B. TCP FIN
C. NULL
D. XMAS

QUESTION 50
You work as a Network Administrator for Tech Perfect Inc. The company requires a secure wireless network. To provide security, you are configuring ISA Server 2006 as a firewall. While configuring ISA Server 2006, which of the following is NOT necessary?
A. Defining ISA Server network configuration
B. Configuration of VPN access
C. Defining how ISA Server would cache Web contents
D. Setting up of monitoring on ISA Server

QUESTION 51
John works as a contract Ethical Hacker. He has recently got a project to do security checking for He wants to find out the operating system of the we-are-secure server in the information gathering step. Which of the following commands will he use to accomplish the task? Each correct answer represents a complete solution. Choose two.
A. nc
B. nmap -v -O
C. nc -v -n
D. nmap -v -O
D

QUESTION 52
You enter the following URL on your Web browser:
af../windows/system32/cmd.exe?/c+dir+c:\
What kind of attack are you performing?
A. Session hijacking
B. Replay
C. URL obfuscating
D. Directory traversal

QUESTION 53
Which of the following is a valid google searching operator that is used to search a specified file type?
A. inurl
B. filetype
C. intitle
D. file type

QUESTION 54
Which of the following can be used to mitigate the evil twin phishing attack?
A. SARA
B. Obiwan
C. Magic Lantern
D. IPSec VPN

QUESTION 55
TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote operating system (OS fingerprinting), or incorporated into a device fingerprint. Which of the following Nmap switches can be used to perform TCP/IP stack fingerprinting?
A. nmap -ss
B. nmap -st
C. nmap -su -p
D. nmap -O -p

QUESTION 56
Which of the following protocols is the mandatory part of the WPA2 standard in the wireless networking?
A. TKIP
B. ARP
C. CCMP
D. WEP

QUESTION 57
You want to get the Windows administrator account even when it is renamed. Which of the following tools will you use?
A. Ntop
B. Brutus
C. Sniffer
D. Sid2user

QUESTION 58

Which of the following can be used to perform session hijacking? Each correct answer represents a complete solution. Choose all that apply.
A. Cross-site scripting
B. ARP spoofing
C. Session sidejacking
D. Session fixation
CD

QUESTION 59
You work as a Network Administrator for Tech Perfect Inc. The company has a Windows Active Directory-based single domain single forest network. The functional level of the forest is Windows Server The company has recently provided fifty laptops to its sales team members. You are required to configure an wireless network for the laptops. The sales team members must be able to use their data placed at a server in a cabled network. The planned network should be able to handle the threat of unauthorized access and data interception by an unauthorized user. You are also required to prevent the sales team members from communicating directly to one another. Which of the following actions will you take to accomplish the task? Each correct answer represents a complete solution. Choose all that apply.
A. Implement the open system authentication for the wireless network.
B. Configure the wireless network to use WEP encryption for the data transmitted over a wireless network.
C. Using group policies, configure the network to allow the wireless computers to connect to the ad hoc networks only.
D. Using group policies, configure the network to allow the wireless computers to connect to the infrastructure networks only.
E. Implement the IEEE 802.1X authentication for the wireless network.
DE

QUESTION 60
Which of the following can be used as a countermeasure to the rainbow password attack?
A. Using salt in the password
B. Using alphanumeric characters
C. Using hashed password
D. Using 8 character password

QUESTION 61
Which of the following encryption encoding techniques is used in the basic authentication method?
A. Base64
B. DES (ECB mode)
C. HMAC_MD5
D. Md5

QUESTION 62
Which of the following password cracking attacks is based on a pre-calculated hash table to retrieve plain text passwords?
A. Rainbow attack

B. Brute Force attack
C. Hybrid attack
D. Dictionary attack

QUESTION 63
John works as a professional Ethical Hacker. He has been assigned the project of testing the security of He finds that the We-are-secure server is vulnerable to attacks. As a countermeasure, he suggests that the Network Administrator should remove the IPP printing capability from the server. He is suggesting this as a countermeasure against.
A. SNMP enumeration
B. NetBIOS NULL session
C. DNS zone transfer
D. IIS buffer overflow

QUESTION 64
Which of the following tools is used for the HTTP, HTTPS based MITM attacks?
A. Ettercap
B. dsniff
C. AirJack
D. wsniff

QUESTION 65
You have just installed a Windows 2003 server. What action should you take regarding the default administrator and guest accounts for securing a computer?
A. Disable both and create new accounts with different names for those functions.
B. Disable the administrator account but keep the guest account.
C. Leave them as they are, since they are needed for Windows Server Operation.
D. Disable the guest account but keep the administrator account.

QUESTION 66
Which of the following are the two different file formats in which Microsoft Outlook saves messages based on system configuration? Each correct answer represents a complete solution. Choose two.
A. .xst
B. .ost
C. .pst
D. .txt
C

QUESTION 67
Which of the following statutes is enacted in the U.S., which prohibits creditors from collecting data from applicants, such as national origin, caste, religion etc?
A. The Electronic Communications Privacy Act
B. The Equal Credit Opportunity Act (ECOA)

C. The Fair Credit Reporting Act (FCRA)
D. The Privacy Act

QUESTION 68
John works as a professional Ethical Hacker. He is assigned a project to test the security of aresecure.com. John has gained the access to the network of the organization and placed a backdoor in the network. Now, he wants to clear all event logs related to previous hacking attempts. Which of the following tools can John use if we-are-secure.com is using the Windows 2000 server? Each correct answer represents a complete solution. Choose two.
A. AuditPol
B. Blindside
C. elsave.exe
D. WinZapper
D

QUESTION 69
Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice dutifully provides (possibly after some transformation like a hash function); meanwhile, Eve is eavesdropping the conversation and keeps the password. After the interchange is over, Eve connects to Bob posing as Alice; when asked for a proof of identity, Eve sends Alice's password read from the last session, which Bob accepts. Which of the following attacks is being used by Eve?
A. Session fixation
B. Cross site scripting
C. Firewalking
D. Replay

QUESTION 70
A war dialer is a tool that is used to scan thousands of telephone numbers to detect vulnerable modems. It provides an attacker unauthorized access to a computer. Which of the following tools can an attacker use to perform war dialing? Each correct answer represents a complete solution. Choose all that apply.
A. THC-Scan
B. NetStumbler
C. ToneLoc
D. Wingate
C

QUESTION 71
Mark works as a Network Administrator for Infonet Inc. The company has a Windows 2000 Active Directory domain-based network. The domain contains one hundred Windows XP Professional client computers. Mark is deploying an wireless LAN on the network. The wireless LAN will use Wired Equivalent Privacy (WEP) for all the connections. According to the company's security policy, the client computers must be able to automatically connect to the wireless LAN. However, the unauthorized computers must not be allowed to connect to the wireless LAN and view the wireless network. Mark wants to configure all the wireless access points and client computers to act in accordance with the company's security policy. What will he do to accomplish this? Each correct answer represents a part of the solution. Choose three.
A. Configure the authentication type for the wireless LAN to Open system.
B. Broadcast SSID to connect to the access point (AP).

C. Disable SSID Broadcast and enable MAC address filtering on all wireless access points.
D. Install a firewall software on each wireless access point.
E. Configure the authentication type for the wireless LAN to Shared Key.
F. On each client computer, add the SSID for the wireless LAN as the preferred network.
EF

QUESTION 72
John works as a Network Security Professional. He is assigned a project to test the security of He establishes a connection to a target host running a Web service with netcat and sends a bad html request in order to retrieve information about the service on the host. Which of the following attacks is John using?
A. Banner grabbing
B. War driving
C. Eavesdropping
D. Sniffing

QUESTION 73
John works as a professional Ethical Hacker. He has been assigned the project of testing the security of He has successfully completed the following steps of the preattack phase:
Information gathering
Determining network range
Identifying active machines
Finding open ports and applications
OS fingerprinting
Fingerprinting services
Now John wants to perform network mapping of the We-are-secure network. Which of the following tools can he use to accomplish his task? Each correct answer represents a complete solution. Choose all that apply.
A. Traceroute
B. NeoTrace
C. Cheops
D. Ettercap
BC

QUESTION 74
You work as a Network Administrator for McNeil Inc. The company has a Windows Active Directory-based single domain single forest network. The functional level of the forest is Windows Server The company's management has decided to provide laptops to its sales team members. These laptops are equipped with smart card readers. The laptops will be configured as wireless network clients. You are required to accomplish the following tasks:
The wireless network communication should be secured.
The laptop users should be able to use smart cards for getting authenticated.
In order to accomplish the tasks, you take the following steps:
Configure 802.1x and WEP for the wireless connections.
Configure the PEAP-MS-CHAP v2 protocol for authentication.
What will happen after you have taken these steps?
A. The wireless network communication will be secured.
B. The laptop users will be able to use smart cards for getting authenticated.
C. Both tasks will be accomplished.
D. None of the tasks will be accomplished

QUESTION 75
You want to perform passive footprinting against we-are-secure Inc. Web server. Which of the following tools will you use?
A. Ettercap
B. Nmap
C. Netcraft
D. Ethereal

QUESTION 76
You see the career section of a company's Web site and analyze the job profile requirements. You conclude that the company wants professionals who have a sharp knowledge of Windows Server 2003 and Windows Active Directory installation and placement. Which of the following steps are you using to perform hacking?
A. Scanning
B. Gaining access
C. Reconnaissance
D. Covering tracks

QUESTION 77
John works as a professional Ethical Hacker. He has been assigned the project of testing the security of He performs a Teardrop attack on the we-are-secure server and observes that the server crashes. Which of the following is the most likely cause of the server crash?
A. The ICMP packet is larger than 65,536 bytes.
B. Ping requests at the server are too high.
C. The spoofed TCP SYN packet containing the IP address of the target is filled in both the source and destination fields.
D. The we-are-secure server cannot handle the overlapping data fragments.

QUESTION 78
The 3-way handshake method is used by the TCP protocol to establish a connection between a client and the server. It involves three steps:
1. In the first step, a SYN message is sent from a client to the server.
2. In the second step, a SYN/ACK message is sent from the server to the client.
3. In the third step, an ACK (usually called SYN-ACK-ACK) message is sent from the client to the server. At this point, both the client and the server have received acknowledgements of the TCP connection.
If the Initial Sequence Numbers of the client and server were and respectively at the time when the client was sending the SYN message in the first step of the TCP 3-way handshake method, what will be the value of the acknowledgement number field of the server's packet when the server was sending the SYN/ACK message to the client in the second step of the TCP 3-way handshake method?
A B C D

QUESTION 79
Which of the following tools crashes computers running Windows 2000/XP/NT by sending crafted SMB requests?
A. NBTdeputy
B. SMBGrind
C. SMBDie
D. Samdump

QUESTION 80
Which of the following penetration testing phases involves gathering data from whois, DNS, and network scanning, which helps in mapping a target network and provides valuable information regarding the operating system and applications running on the systems?
A. Post-attack phase
B. On-attack phase
C. Attack phase
D. Pre-attack phase

QUESTION 81
You work as a Network Administrator in the SecureTech Inc. The SecureTech Inc. is using Linux-based server. Recently, you have updated the password policy of the company in which the server will disable passwords after four trials. What type of attack do you want to stop by enabling this policy?
A. Cookie poisoning
B. XSS
C. Brute force
D. Replay

QUESTION 82
Which of the following is the correct sequence of packets to perform the 3-way handshake method?

A. SYN, ACK, SYN/ACK
B. SYN, SYN/ACK, ACK
C. SYN, SYN, ACK
D. SYN, ACK, ACK

QUESTION 83
John is a black hat hacker. The FBI arrested him while he was performing some scams. Under which of the following US laws will John be charged?
A. 18 U.S.C
B. 18 U.S.C
C. 18 U.S.C
D. 18 U.S.C

QUESTION 84
Which of the following is a person-to-person attack in which an attacker convinces the target that he or she has a problem or might have a certain problem in the future and that he, the attacker, is ready to help solve the problem?
A. Dumpster diving
B. Social engineering
C. Vulnerability scanning
D. Reverse social engineering

QUESTION 85
As a professional hacker, you want to crack the security of secureserver.com. For this, in the information gathering step, you performed scanning with the help of the nmap utility to retrieve as many different protocols as possible being used by secureserver.com so that you could get accurate knowledge about what services were being used by secureserver.com. Which of the following nmap switches have you used to accomplish the task?
A. nmap -sT
B. nmap -sS
C. nmap -vO
D. nmap -sO

QUESTION 86
Which of the following tools is a Windows-based commercial wireless LAN analyzer for IEEE 802.11b and supports all high level protocols such as TCP/IP, NetBEUI, and IPX?
A. Sam Spade
B. Cheops-ng
C. AiroPeek
D. John the Ripper

QUESTION 87
Which of the following tools will you use to prevent session hijacking? Each correct answer

represents a complete solution. Choose all that apply.
A. Telnet
B. OpenSSH
C. SSL
D. Rlogin
C

QUESTION 88
Which of the following tools can be used to assign, display, or modify ACLs (access control lists) to files or folders and could also be used within batch files in Windows NT/2000/XP operating system?
A. netstat
B. ipconfig.exe
C. cacls.exe
D. tracert

QUESTION 89
John works as a professional Ethical Hacker. He has been assigned the project of testing the security of He wants to use Kismet as a wireless sniffer to sniff the We-are-secure network. Which of the following IEEE-based traffic can be sniffed with Kismet? Each correct answer represents a complete solution. Choose all that apply.
A n
B b
C a
D g
BCD

QUESTION 90
Which of the following are countermeasures to prevent unauthorized database access attacks? Each correct answer represents a complete solution. Choose all that apply.
A. Removing all stored procedures
B. Input sanitization
C. Applying strong firewall rules
D. Session encryption
BCD

QUESTION 91
You work as an IT Technician for PassGuide Inc. You have to take security measures for the wireless network of the company. You want to prevent other computers from accessing the company's wireless network. On the basis of the hardware address, which of the following will you use as the best possible method to accomplish the task?
A. WEP
B. MAC Filtering
C. RAS
D. SSID

QUESTION 92

Which of the following wireless security features provides the best wireless security mechanism?
A. WEP
B. WPA
C. WPA with Pre Shared Key
D. WPA with 802.1X authentication

QUESTION 93
Wired Equivalent Privacy (WEP) is a security protocol for wireless local area networks (WLANs). It has two components, authentication and encryption. It provides security equivalent to wired networks for wireless networks. WEP encrypts data on a wireless network by using a fixed secret key. Which of the following statements are true about WEP? Each correct answer represents a complete solution. Choose all that apply.
A. The Initialization Vector (IV) field of WEP is only 24 bits long.
B. It provides better security than the Wi-Fi Protected Access protocol.
C. WEP uses the RC4 encryption algorithm.
D. Automated tools such as AirSnort are available for discovering WEP keys.
CD

QUESTION 94
You want to search Microsoft Outlook Web Access Default Portal using Google search on the Internet so that you can perform the brute force attack and get unauthorized access. What search string will you use to accomplish the task?
A. intitle:"index Of" -inurl:maillog maillog size
B. intext:"outlook.asp"
C. intitle:index.of inbox dbx
D. allinurl:"exchange/logon.asp"

QUESTION 95
Mark works as a Network Administrator for NetTech Inc. Several employees of the company work from the remote locations. The company provides a dial-up connection to employees to connect to the company's network using remote access service. Mark wants to implement call back feature for the employees who are dialing for long distance. Which of the following protocols will he use for remote access services to accomplish the task?
A. PPP
B. WEP
C. UDP
D. SLIP

QUESTION 96
You want to connect to your friend's computer and run a Trojan on it. Which of the following tools will you use to accomplish the task?
A. PSExec
B. Hk.exe
C. Remoxec
D. GetAdmin.exe

QUESTION 97
Which of the following protocols uses a combination of public key and symmetric encryption to provide communication privacy, authentication, and message integrity for secure browsing on the Internet?
A. MS-CHAP v2
B. WEP
C. SSL
D. EFS

QUESTION 98
Which of the following wireless security standards supported by Windows Vista provides the highest level of security?
A. WPA2
B. WPA-PSK
C. WPA-EAP
D. WEP

QUESTION 99
John visits an online shop that stores the IDs and prices of the items to buy in a cookie. After selecting the items that he wants to buy, the attacker changes the price of the item to 1.
Original cookie values: ItemID1=2 ItemPrice1=900 ItemID2=1 ItemPrice2=200
Modified cookie values: ItemID1=2 ItemPrice1=1 ItemID2=1 ItemPrice2=1
Now, he clicks the Buy button, and the prices are sent to the server that calculates the total price. Which of the following hacking techniques is John performing?
A. Cross site scripting
B. Computer-based social engineering
C. Man-in-the-middle attack
D. Cookie poisoning

QUESTION 100
Every network device contains a unique built in Media Access Control (MAC) address, which is used to identify the authentic device to limit the network access. Which of the following addresses is a valid MAC address?
A. A3-07-B9-E3-BC-F9
B. F936.28A1.5BCD.DEFA
C

D

QUESTION 101
Which of the following attacks can be overcome by applying cryptography?
A. Web ripping
B. DoS
C. Sniffing
D. Buffer overflow

QUESTION 102
Network mapping provides a security testing team with a blueprint of the organization. Which of the following steps is NOT a part of manual network mapping?
A. Collecting employees information
B. Gathering private and public IP addresses
C. Performing Neotracerouting
D. Banner grabbing

QUESTION 103
You are auditing the security of a client company. You find that their password policy only requires a minimum of 5 characters with letters and numbers. What, if anything, is wrong with this policy?
A. The password policy is too weak for multiple reasons.
B. Nothing, this is a strong password policy.
C. The only flaw is that the password policy should require a minimum of 6 characters.
D. The only flaw is that the password policy should require symbols as well.

QUESTION 104
In which of the following security tests does the security testing team simulate as an employee or other person with an authorized connection to the organization's network?
A. Remote dial-up network
B. Stolen equipment
C. Remote network
D. Local network

QUESTION 105
You have detected what appears to be an unauthorized wireless access point on your network. However, this access point has the same MAC address as one of your real access points and is broadcasting with a stronger signal. What is this called?
A. DOS
B. Bluesnarfing
C. The evil twin attack
D. WAP cloning

QUESTION 106
In which of the following scanning methods do Windows operating systems send only RST packets irrespective of whether the port is open or closed?
A. TCP FIN
B. TCP SYN
C. FTP bounce
D. XMAS

QUESTION 107
In which of the following IDS evasion techniques does an attacker deliver data in multiple small sized packets, which makes it very difficult for an IDS to detect the attack signatures of such attacks?
A. Insertion
B. Fragmentation overlap
C. Fragmentation overwrite
D. Session splicing

QUESTION 108
You work as a Network Administrator in the Secure Inc. You often need to send PDF documents that contain secret information, such as client passwords, their credit card details, etc. through to your customers. However, although you are making the PDFs password protected, you are getting complaints from customers that their secret information is being misused. When you analyze this complaint, you find that although you are applying passwords to the PDFs, they are not providing the maximum protection. What may be the cause of this security hole?
A. PDFs can be read easily in the plain-text form by applying a sniffer.
B. PDFs are sent in the plain-text form.
C. PDF passwords can easily be cracked by brute force attacks.
D. You are applying easily guessed passwords.

QUESTION 109
Which of the following tasks can be performed by using netcat utility? Each correct answer represents a complete solution. Choose all that apply.
A. Firewall testing
B. Creating a Backdoor
C. Port scanning and service identification
D. Checking file integrity
BC

QUESTION 110
You work as a Network Penetration tester in the Secure Inc. Your company takes the projects to test the security of various companies. Recently, Secure Inc. has assigned you a project to test the security of the Bluehill Inc. For this, you start monitoring the network traffic of the Bluehill Inc. In this process, you find that there are too many FTP packets traveling in the Bluehill Inc. network. Now, you want to sniff the traffic and extract usernames and passwords of the FTP server. Which of the following tools will you use to accomplish the task?
A. Ettercap
B. L0phtcrack

C. NetStumbler
D. SARA

QUESTION 111
Peter, a malicious hacker, obtains addresses by harvesting them from postings, blogs, DNS listings, and Web pages. He then sends a large number of unsolicited commercial (UCE) messages on these addresses. Which of the following crimes is Peter committing?
A. spoofing
B. Spam
C. bombing
D. Storm

QUESTION 112
John works as a professional Ethical Hacker. He has been assigned the project of testing the security of He has successfully performed the following steps of the pre-attack phase to check the security of the We-are-secure network:
- Gathering information
- Determining the network range
- Identifying active systems
Now, he wants to find the open ports and applications running on the network. Which of the following tools will he use to accomplish his task?
A. APNIC
B. SuperScan
C. RIPE
D. ARIN

QUESTION 113
Which of the following is the most common method for an attacker to spoof ?
A. Back door
B. Replay attack
C. Man in the middle attack
D. Open relay

QUESTION 114
You work as a Penetration Tester for the Infosec Inc. Your company takes the projects of security auditing. Recently, your company has assigned you a project to test the security of the we-are-secure.com Web site. For this, you want to perform the idle scan so that you can get the ports open in the we-are-secure.com server. You are using Hping tool to perform the idle scan by using a zombie computer. While scanning, you notice that every IPID is being incremented on every query, regardless of whether the ports are open or closed. Sometimes, IPID is being incremented by more than one value. What may be the reason?
A. The zombie computer is not connected to the we-are-secure.com Web server.
B. The zombie computer is the system interacting with some other system besides your computer.
C. Hping does not perform idle scanning.
D. The firewall is blocking the scanning process.

QUESTION 115
Joseph works as a Network Administrator for WebTech Inc. He has to set up a centralized area on the network so that each employee can share resources and documents with one another. Which of the following will he configure to accomplish the task?
A. WEP
B. VPN
C. Intranet
D. Extranet

QUESTION 116
Adam works as a professional Computer Hacking Forensic Investigator. He works with the local police. A project has been assigned to him to investigate an iPod, which was seized from a student of the high school. It is suspected that the explicit child pornography contents are stored in the iPod. Adam wants to investigate the iPod extensively. Which of the following operating systems will Adam use to carry out his investigations in a more extensive and elaborate manner?
A. Windows XP
B. Mac OS
C. MINIX 3
D. Linux

QUESTION 117
Which of the following tools is an automated tool that is used to implement SQL injections and to retrieve data from Web server databases?
A. Fragroute
B. Absinthe
C. Stick
D. ADMutate

QUESTION 118
Which of the following methods will free up bandwidth in a Wireless LAN (WLAN)?
A. Implement WEP.
B. Disabling SSID broadcast.
C. Change hub with switch.
D. Deploying a powerful antenna.

QUESTION 119
Which of the following is a passive information gathering tool?
A. Whois
B. Snort
C. Ettercap
D. Nmap

QUESTION 120
Mark works as a Network Administrator for NetTech Inc. The company has a Windows 2003 Active Directory domain-based network. The domain consists of a domain controller, two Windows 2003 member servers, and one hundred client computers. The company employees use laptops with Windows XP Professional. These laptops are equipped with wireless network cards that are used to connect to access points located in the Marketing department of the company. The company employees log on to the domain by using a user name and password combination. The wireless network has been configured with WEP in addition to 802.1x. Mark wants to provide the best level of security for the kind of authentication used by the company. What will Mark do to accomplish the task?
A. Use EAP-TLS
B. Use MD5
C. Use PEAP
D. Use IPSec

QUESTION 121
You work as a professional Ethical Hacker. You are assigned a project to perform blackhat testing on You visit the office of we-are-secure.com as an air-condition mechanic. You claim that someone from the office called you saying that there is some fault in the air-conditioner of the server room. After some inquiries/arguments, the Security Administrator allows you to repair the air-conditioner of the server room. When you get into the room, you find that the server is Linux-based. You press the reboot button of the server after inserting a Knoppix Live CD in the CD drive of the server. Now, the server promptly boots back up into Knoppix. You mount the root partition of the server after replacing the root password in the /etc/shadow file with a known password hash and salt. Further, you copy the netcat tool on the server and install its startup files to create a reverse tunnel and move a shell to a remote server whenever the server is restarted. You simply restart the server, pull out the Knoppix Live CD from the server, and inform that the air-conditioner is working properly. After completing this attack process, you create a security auditing report in which you mention various threats such as social engineering threat, boot from Live CD, etc. and suggest the countermeasures to stop booting from the external media and retrieving sensitive data. Which of the following steps have you suggested to stop booting from the external media and retrieving sensitive data with regard to the above scenario? Each correct answer represents a complete solution. Choose two.
A. Setting only the root level access for sensitive data.
B. Encrypting disk partitions.
C. Placing BIOS password.
D. Using password protected hard drives.
D

QUESTION 122
What happens when you scan a broadcast IP address of a network? Each correct answer represents a complete solution. Choose all that apply.
A. It may show smurf DoS attack in the network IDS of the victim.
B. It leads to scanning of all the IP addresses on that subnet at the same time.
C. It will show an error in the scanning process.
D. Scanning of the broadcast IP address cannot be performed.
B

QUESTION 123
Which of the following tools can be used to perform Windows password cracking, Windows enumeration, and VoIP session sniffing?

A. Cain
B. L0phtcrack
C. Pass-the-hash toolkit
D. John the Ripper

QUESTION 124
John works as a Professional Penetration Tester. He has been assigned a project to test the Website security of Inc. On the We-are-secure Website login page, he enters ='or''=' as a username and successfully logs on to the user page of the Web site. Now, John asks the we-are-secure Inc. to improve the login page PHP script. Which of the following suggestions can John give to improve the security of the we-are-secure Website login page from the SQL injection attack?
A. Use the session_regenerate_id() function
B. Use the escapeshellcmd() function
C. Use the mysql_real_escape_string() function for escaping input
D. Use the escapeshellarg() function

QUESTION 125
Which of the following attacks can be overcome by applying cryptography?
A. Buffer overflow
B. Web ripping
C. DoS
D. Sniffing

QUESTION 126
Which of the following tools uses exploits to break into remote operating systems?
A. Nessus
B. Metasploit framework
C. Nmap
D. John the Ripper

QUESTION 127
Which of the following penetration testing phases involves gathering data from whois, DNS, and network scanning, which helps in mapping a target network and provides valuable information regarding the operating system and applications running on the systems?
A. Post-attack phase
B. Attack phase
C. Pre-attack phase
D. On-attack phase

QUESTION 128
John works as a Penetration Tester in a security service providing firm named you-are-secure Inc. Recently, John's company has got a project to test the security of a promotional Website and assigned the pen-testing work to John. When John is performing penetration testing, he inserts the following script in the search box at the company home page:

<script>alert('hi, John')</script>
After pressing the search button, a pop-up box appears on his screen with the text - "Hi, John." Which of the following attacks can be performed on the Web site tested by John while considering the above scenario?
A. Replay attack
B. Buffer overflow attack
C. CSRF attack
D. XSS attack

QUESTION 129
Which of the following is a Windows-based tool that is used for the detection of wireless LANs using the IEEE a, b, and g standards and also detects wireless networks marking their relative position with a GPS?
A. NetStumbler
B. Tcpdump
C. Kismet
D. Ettercap

QUESTION 130
Which of the following tools is used for vulnerability scanning and calls Hydra to launch a dictionary attack?
A. Whisker
B. Nmap
C. Nessus
D. SARA

QUESTION 131
Which of the following attacks allows an attacker to sniff data frames on a local area network (LAN) or stop the traffic altogether?
A. Man-in-the-middle
B. ARP spoofing
C. Port scanning
D. Session hijacking

QUESTION 132
You work as a Penetration Tester for the Infosec Inc. Your company takes the projects of security auditing. Recently, your company has assigned you a project to test the security of the we-are-secure.com Web site. For this, you want to perform the idle scan so that you can get the ports open in the we-are-secure.com server. You are using Hping tool to perform the idle scan by using a zombie computer. While scanning, you notice that every IPID is being incremented on every query, regardless of whether the ports are open or closed. Sometimes, IPID is being incremented by more than one value. What may be the reason?
A. The zombie computer is the system interacting with some other system besides your computer.

B. The firewall is blocking the scanning process.
C. The zombie computer is not connected to the we-are-secure.com Web server.
D. Hping does not perform idle scanning.

QUESTION 133
You execute the following netcat command:
c:\target\nc -l -p 53 -d -e cmd.exe
What action do you want to perform by issuing the above command?
A. Capture data on port 53 and performing banner grabbing.
B. Capture data on port 53 and delete the remote shell.
C. Listen the incoming traffic on port 53 and execute the remote shell.
D. Listen the incoming data and performing port scanning.

QUESTION 134
You work as a Penetration Tester for the Infosec Inc. Your company takes the projects of security auditing. Recently, your company has assigned you a project to test the security of the we-are-secure.com Website. The we-are-secure.com Web server is using Linux operating system. When you port scanned the we-are-secure.com Web server, you found that TCP ports 23, 25, and 53 are open. When you tried to telnet to port 23, you got a blank screen in response. When you tried to type the dir, copy, date, del, etc. commands, you got only blank spaces or underscore symbols on the screen. What may be the reason for such an unwanted situation?
A. The we-are-secure.com server is using honeypot.
B. The we-are-secure.com server is using a TCP wrapper.
C. The telnet service of we-are-secure.com has corrupted.
D. The telnet session is being affected by the stateful inspection firewall.

QUESTION 135
Which of the following tools is used to verify the network structure packets and confirm that the packets are constructed according to specification?
A. snort_inline
B. EtherApe
C. Snort decoder
D. AirSnort

QUESTION 136
You have just set up a wireless network for customers at a coffee shop. Which of the following are good security measures to implement? Each correct answer represents a complete solution. Choose two.
A. MAC filtering the router
B. Using WPA encryption
C. Using WEP encryption
D. Not broadcasting SSID
C

QUESTION 137
You work as an Administrator for Bluesky Inc. The company has 145 Windows XP Professional client computers and eighty Windows 2003 Server computers. You want to install a security layer of WAP specifically designed for a wireless environment. You also want to ensure that the security layer provides privacy, data integrity, and authentication for client-server communications over a wireless network. Moreover, you want a client and server to be authenticated so that wireless transactions remain secure and the connection is encrypted. Which of the following options will you use to accomplish the task?
A. Wired Equivalent Privacy (WEP)
B. Virtual Private Network (VPN)
C. Wireless Transport Layer Security (WTLS)
D. Recovery Console

QUESTION 138
You run the following PHP script:
<?php
$name = mysql_real_escape_string($_POST["name"]);
$password = mysql_real_escape_string($_POST["password"]);
?>
What is the use of the mysql_real_escape_string() function in the above script? Each correct answer represents a complete solution. Choose all that apply.
A. It escapes all special characters from strings $_POST["name"] and $_POST["password"].
B. It escapes all special characters from strings $_POST["name"] and $_POST["password"] except ' and ".
C. It can be used to mitigate a cross site scripting attack.
D. It can be used as a countermeasure against a SQL injection attack.
D

QUESTION 139
You run the following bash script in Linux:
for i in `cat hostlist.txt`; do
nc -q 2 -v $i 80 < request.txt
done
where, hostlist.txt file contains the list of IP addresses and request.txt is the output file. Which of the following tasks do you want to perform by running this script?
A. You want to perform port scanning to the hosts given in the IP address list.
B. You want to transfer file hostlist.txt to the hosts given in the IP address list.
C. You want to perform banner grabbing to the hosts given in the IP address list.
D. You want to put nmap in the listen mode to the hosts given in the IP address list.

QUESTION 140
You want to perform an active session hijack against Secure Inc. You have found a target that allows Telnet session. You have also searched an active session due to the high level of traffic on the network. What should you do next?
A. Use a sniffer to listen network traffic.
B. Use macoff to change MAC address.
C. Guess the sequence numbers.
D. Use brutus to crack telnet password.

QUESTION 141
Which of the following statements are true about firewalking? Each correct answer represents a complete solution. Choose all that apply.
A. To use firewalking, the attacker needs the IP address of the last known gateway before the firewall and the IP address of a host located behind the firewall.
B. Firewalking works on the UDP packets.
C. In this technique, an attacker sends a crafted packet with a TTL value that is set to expire one hop past the firewall.
D. A malicious attacker can use firewalking to determine the types of ports/protocols that can bypass the firewall.
CD

QUESTION 142
Which of the following Web attacks is performed by manipulating codes of programming languages such as SQL, Perl, Java present in the Web pages?
A. Command injection attack
B. Cross-Site Scripting attack
C. Cross-Site Request Forgery
D. Code injection attack

QUESTION 143
John works as a professional Ethical Hacker. He has been assigned the project of testing the security of He is using a tool to crack the wireless encryption keys. The description of the tool is as follows: Which of the following tools is John using to crack the wireless encryption keys?
A. AirSnort
B. PsPasswd
C. Cain
D. Kismet

QUESTION 144
What happens when you scan a broadcast IP address of a network? Each correct answer represents a complete solution. Choose all that apply.
A. It will show an error in the scanning process.
B. Scanning of the broadcast IP address cannot be performed.
C. It may show smurf DoS attack in the network IDS of the victim.
D. It leads to scanning of all the IP addresses on that subnet at the same time.
D

QUESTION 145
You have forgotten your password of an online shop. The web application of that online shop asks you to enter your so that they can send you a new password. You enter your you@gmail.com' and press the submit button. The Web application displays the server error. What can be the reason of the error?

A. The remote server is down.
B. You have entered any special character in .
C. Your internet connection is slow.
D. entered is not valid.

QUESTION 146
You want to run the nmap command that includes the host specification of *. How many hosts will you scan?
A. 512
B. 64
C
D. 256

QUESTION 147
John works as a professional Ethical Hacker. He has been assigned a project to test the security of He enters the following command on the Linux terminal:
chmod 741 secure.c
Considering the above scenario, which of the following statements are true? Each correct answer represents a complete solution. Choose all that apply.
A. John is restricting a guest to only write or execute the secure.c file.
B. John is providing all rights to the owner of the file.
C. By the octal representation of the file access permission, John is restricting the group members to only read the secure.c file.
D. The textual representation of the file access permission of 741 will be -rwxr--rw-.
C

QUESTION 148
John works as a Professional Penetration Tester. He has been assigned a project to test the Website security of Inc. On the We-are-secure Website login page, he enters ='or''=' as a username and successfully logs on to the user page of the Web site. Now, John asks the we-are-secure Inc. to improve the login page PHP script. Which of the following suggestions can John give to improve the security of the we-are-secure Website login page from the SQL injection attack?
A. Use the escapeshellarg() function
B. Use the session_regenerate_id() function
C. Use the mysql_real_escape_string() function for escaping input
D. Use the escapeshellcmd() function

QUESTION 149
Which of the following Web authentication techniques uses a single sign-on scheme?
A. NTLM authentication
B. Microsoft Passport authentication
C. Basic authentication
D. Digest authentication

QUESTION 150
Which of the following tools is spyware that makes Windows clients send their passwords as clear text?
A. Pwddump2
B. SMBRelay
C. KrbCrack
D. C2MYAZZ

QUESTION 151
Which of the following tools allow you to perform HTTP tunneling? Each correct answer represents a complete solution. Choose all that apply.
A. BackStealth
B. Tunneled
C. Nikto
D. HTTPort
BD

QUESTION 152
You want to create a binary log file using tcpdump. Which of the following commands will you use?
A. tcpdump -B
B. tcpdump -dd
C. tcpdump -w
D. tcpdump -d

QUESTION 153
Which of the following standards is used in wireless local area networks (WLANs)?
A. IEEE
B. IEEE
C. IEEE b
D. IEEE

QUESTION 154
Anonymizers are the services that help make a user's own Web surfing anonymous. An anonymizer removes all the identifying information from a user's computer while the user surfs the Internet. It ensures the privacy of the user in this manner. After the user anonymizes a Web access with an anonymizer prefix, every subsequent link selected is also automatically accessed anonymously. Which of the following are limitations of anonymizers? Each correct answer represents a complete solution. Choose all that apply.
A. Java applications
B. Secure protocols
C. ActiveX controls
D. JavaScript
E. Plugins

BCDE

QUESTION 155
You configure a wireless router at your home. To secure your home Wireless LAN (WLAN), you implement WEP. Now you want to connect your client computer to the WLAN. Which of the following is the required information that you will need to configure the client computer? Each correct answer represents a part of the solution. Choose two.
A. WEP key
B. MAC address of the router
C. IP address of the router
D. SSID of the WLAN
D

QUESTION 156
Which of the following vulnerability scanner scans from CGI, IDA, Unicode, and Nimda vulnerabilities?
A. Hackbot
B. SARA
C. Nessus
D. Cgichk

QUESTION 157
You want to scan your network quickly to detect live hosts by using ICMP ECHO Requests. What type of scanning will you perform to accomplish the task?
A. Idle scan
B. TCP SYN scan
C. Ping sweep scan
D. XMAS scan

QUESTION 158
In the DNS Zone transfer enumeration, an attacker attempts to retrieve a copy of the entire zone file for a domain from a DNS server. The information provided by the DNS zone can help an attacker gather user names, passwords, and other valuable information. To attempt a zone transfer, an attacker must be connected to a DNS server that is the authoritative server for that zone. Besides this, an attacker can launch a Denial of Service attack against the zone's DNS servers by flooding them with a lot of requests. Which of the following tools can an attacker use to perform a DNS zone transfer? Each correct answer represents a complete solution. Choose all that apply.
A. NSLookup
B. Host
C. DSniff
D. Dig
BD

QUESTION 159
This is a Windows-based tool that is used for the detection of wireless LANs using the IEEE a, b, and g standards. The main features of these tools are as follows: It displays the signal strength of a wireless network, MAC address, SSID, channel details, etc. It is commonly used for the following purposes:
A. War driving

B. Detecting unauthorized access points
C. Detecting causes of interference on a WLAN
D. WEP ICV error tracking
E. Making Graphs and Alarms on Data, including Signal Strength
This tool is known as.
F. Absinthe
G. THC-Scan
H. NetStumbler
I. Kismet

QUESTION 160
John works as a professional Ethical Hacker. He has been assigned the project of testing the security of He has successfully completed the following pre-attack phases while testing the security of the server:
- Footprinting
- Scanning
Now he wants to conduct the enumeration phase. Which of the following tools can John use to conduct it? Each correct answer represents a complete solution. Choose all that apply.
A. PsFile
B. PsPasswd
C. UserInfo
D. WinSSLMiM
BC

QUESTION 161
You want to search the Apache Web server having version 2.0 using google hacking. Which of the following search queries will you use?
A. intitle:"test Page for Apache Installation" "You are free"
B. intitle:"test Page for Apache Installation" "It worked!"
C. intitle:test.page "Hey, it worked!" "SSl/TLS aware"
D. intitle:sample.page.for.apache Apache.Hook.Function

QUESTION 162
The employees of EWS Inc. require remote access to the company's Web servers. In order to provide solid wireless security, the company uses EAP-TLS as the authentication protocol. Which of the following statements are true about EAP-TLS? Each correct answer represents a complete solution. Choose all that apply.
A. It provides a moderate level of security.
B. It uses password hash for client authentication.
C. It uses a public key certificate for server authentication.
D. It is supported by all manufacturers of wireless LAN hardware and software.
D

QUESTION 163
Which of the following tools can be used as a Linux vulnerability scanner that is capable of identifying operating systems and network services? Each correct answer represents a complete solution. Choose all that apply.
A. Cheops
B. Fport

38 C. Elsave D. Cheops-ng D QUESTION 164 In which of the following attacks does an attacker use packet sniffing to read network traffic between two parties to steal the session cookie? A. Cross-site scripting B. Session fixation C. Session sidejacking D. ARP spoofing QUESTION 165 Which of the following Nmap commands is used to perform a UDP port scan? A. nmap -ss B. nmap -sy C. nmap -sn D. nmap su QUESTION 166 John works as an Ethical Hacker for ucertify Inc. He wants to find out the ports that are open in ucertify's server using a port scanner. However, he does not want to establish a full TCP connection. Which of the following scanning techniques will he use to accomplish this task? A. TCP FIN B. Xmas tree C. TCP SYN/ACK D. TCP SYN QUESTION 167 Which of following tasks can be performed when Nikto Web scanner is using a mutation technique? Each correct answer represents a complete solution. Choose all that apply. A. Guessing for password file names. B. Sending mutation payload for Trojan attack. C. Testing all files with all root directories. D. Enumerating user names via Apache. CD QUESTION 168 You are sending a file to an FTP server. The file will be broken into several pieces of information packets (segments) and will be sent to the server. The file will again be reassembled and reconstructed once the packets reach the FTP server. Which of the following information should be used to maintain the correct order of information packets during the reconstruction of the file? A. Acknowledge number B. TTL C. Checksum

39 D. Sequence number QUESTION 169 Which of the following is the frequency range to tune IEEE a network? A GHz B GHz C GHz D GHz QUESTION 170 Which of the following tools monitors the radio spectrum for the presence of unauthorized, rogue access points and the use of wireless attack tools? A. IDS B. Firewall C. Snort D. WIPS QUESTION 171 Adam works as a professional Computer Hacking Forensic Investigator. He wants to investigate a suspicious that is sent using a Microsoft Exchange server. Which of the following files will he review to accomplish the task? Each correct answer represents a part of the solution. Choose all that apply. A. Checkpoint files B. cookie files C. Temporary files D. EDB and STM database files CD QUESTION 172 You work as a Web developer in the IBM Inc. Your area of proficiency is PHP. Since you have proper knowledge of security, you have bewared from rainbow attack. For mitigating this attack, you design the PHP code based on the following algorithm: key = hash(password + salt) for 1 to do key = hash(key + salt) Which of the following techniques are you implementing in the above algorithm? A. Key strengthening B. Hashing C. Sniffing D. Salting QUESTION 173 You are concerned about war driving bringing hackers attention to your wireless network. What is the most basic step you can take to mitigate this risk? A. Implement WEP

40 B. Implement MAC filtering C. Don't broadcast SSID D. Implement WPA QUESTION 174 John works as a professional Ethical Hacker. He has been assigned the project of testing the security of He is using the Linux operating system. He wants to use a wireless sniffer to sniff the We-are-secure network. Which of the following tools will he use to accomplish his task? A. NetStumbler B. Snadboy's Revelation C. WEPCrack D. Kismet QUESTION 175 You work as a Network Penetration tester in the Secure Inc. Your company takes the projects to test the security of various companies. Recently, Secure Inc. has assigned you a project to test the security of a Web site. You go to the Web site login page and you run the following SQL query: SELECT , passwd, login_id, full_name FROM members WHERE = 'attacker@somehwere.com'; DROP TABLE members; --' What task will the above SQL query perform? A. Performs the XSS attacks. B. Deletes the entire members table. C. Deletes the rows of members table where id is 'attacker@somehwere.com' given. D. Deletes the database in which members table resides. QUESTION 176 John works as a professional Ethical Hacker. He has been assigned a project to test the security of He performs Web vulnerability scanning on the We-are-secure server. The output of the scanning test is as follows: C:\whisker.pl -h target_ip_address -- whisker / v1.4.0 / rain forest puppy / -- = - = - = - = - = = Host: target_ip_address = Server: Apache/ (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/ OK: HEAD /cgi-bin/printenv John recognizes /cgi-bin/printenv vulnerability ('Printenv' vulnerability) in the We_are_secure server. Which of the following statements about 'Printenv' vulnerability are true? Each correct answer represents a complete solution. Choose all that apply. A. 'Printenv' vulnerability maintains a log file of user activities on the Website, which may be useful for the attacker. B. The countermeasure to 'printenv' vulnerability is to remove the CGI script. 
C. This vulnerability helps in a cross site scripting attack. D. With the help of 'printenv' vulnerability, an attacker can input specially crafted links and/or other malicious scripts. CD


More information

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last revised 1-11-17 KonBoot Get into any account without the password Works on Windows and Linux No longer free Link Ch 5r From the

More information

ECCouncil EC Ethical Hacking and Countermeasures V7. Download Full Version :

ECCouncil EC Ethical Hacking and Countermeasures V7. Download Full Version : ECCouncil EC1-350 Ethical Hacking and Countermeasures V7 Download Full Version : https://killexams.com/pass4sure/exam-detail/ec1-350 QUESTION: 250 The traditional traceroute sends out ICMP ECHO packets

More information

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link. Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:

More information

Post Connection Attacks

Post Connection Attacks Post Connection Attacks All the attacks we carried out in the previous sections can be done without knowing the key to the AP, ie: without connecting to the target network. We saw how we can control all

More information

Vendor: Microsoft. Exam Code: Exam Name: MTA Security Fundamentals Practice Test. Version: Demo

Vendor: Microsoft. Exam Code: Exam Name: MTA Security Fundamentals Practice Test. Version: Demo Vendor: Microsoft Exam Code: 98-367 Exam Name: MTA Security Fundamentals Practice Test Version: Demo DEMO QUESTION 1 To prevent users from copying data to removable media, you should: A. Lock the computer

More information

Exam Questions v8

Exam Questions v8 Exam Questions 412-79v8 EC-Council Certified Security Analyst https://www.2passeasy.com/dumps/412-79v8/ 1.Which of the following password cracking techniques is used when the attacker has some information

More information

5. Execute the attack and obtain unauthorized access to the system.

5. Execute the attack and obtain unauthorized access to the system. Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security. Before discussing the preventive, detective, and

More information

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work? Lab1 Definition of Sniffing: A program or device that captures vital information from the network traffic specific to a particular network. Passive Sniffing: It is called passive because it is difficult

More information

Endpoint Security - what-if analysis 1

Endpoint Security - what-if analysis 1 Endpoint Security - what-if analysis 1 07/23/2017 Threat Model Threats Threat Source Risk Status Date Created File Manipulation File System Medium Accessing, Modifying or Executing Executable Files File

More information

CHCSS. Certified Hands-on Cyber Security Specialist (510)

CHCSS. Certified Hands-on Cyber Security Specialist (510) CHCSS Certified Hands-on Cyber Security Specialist () SYLLABUS 2018 Certified Hands-on Cyber Security Specialist () 2 Course Description Entry level cyber security course intended for an audience looking

More information

McAfee Certified Assessment Specialist Network

McAfee Certified Assessment Specialist Network McAfee MA0-150 McAfee Certified Assessment Specialist Network Version: 4.0 Topic 1, Volume A QUESTION NO: 1 An attacker has compromised a Linux/Unix host and discovers a suspicious file called "password"

More information

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED 01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments

More information

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Exam4Tests.   Latest exam questions & answers help you to pass IT exam test easily Exam4Tests http://www.exam4tests.com Latest exam questions & answers help you to pass IT exam test easily Exam : CEH-001 Title : Certified Ethical Hacker (CEH) Vendor : GAQM Version : DEMO 1 / 9 Get Latest

More information

jk0-022 Exam Questions Demo CompTIA Exam Questions jk0-022

jk0-022 Exam Questions Demo   CompTIA Exam Questions jk0-022 CompTIA Exam Questions jk0-022 CompTIA Academic/E2C Security+ Certification Exam Voucher Only Version:Demo 1.An attacker used an undocumented and unknown application exploit to gain access to a file server.

More information

Man in the middle. Bởi: Hung Tran

Man in the middle. Bởi: Hung Tran Man in the middle Bởi: Hung Tran INTRODUCTION In today society people rely a lot on the Internet for studying, doing research and doing business. Internet becomes an integral part of modern life and many

More information

Chapter Three test. CompTIA Security+ SYO-401: Read each question carefully and select the best answer by circling it.

Chapter Three test. CompTIA Security+ SYO-401: Read each question carefully and select the best answer by circling it. Chapter Three test Name: Period: CompTIA Security+ SYO-401: Read each question carefully and select the best answer by circling it. 1. What protocol does IPv6 use for hardware address resolution? A. ARP

More information

دوره تست نفوذ. Ver.1.2 شما میتوانید آنلاین در این دوره ثبت نام بلافاصله از آن استفاده کنید. Information Gathering. Bash scripting

دوره تست نفوذ. Ver.1.2 شما میتوانید آنلاین در این دوره ثبت نام بلافاصله از آن استفاده کنید. Information Gathering. Bash scripting Ver.1.2 Information Gathering Bash scripting Information gathering (passive) شما میتوانید آنلاین در این دوره ثبت نام کنید و بلافاصله از آن استفاده کنید. دیدن نمونه آموزش هاي دوره تست نفوذ Google operators

More information

The following chart provides the breakdown of exam as to the weight of each section of the exam.

The following chart provides the breakdown of exam as to the weight of each section of the exam. Introduction The CWSP-205 exam, covering the 2015 objectives, will certify that the successful candidate understands the security weaknesses inherent in WLANs, the solutions available to address those

More information

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Exam : Title : Security Solutions for Systems Engineers. Version : Demo Exam : 642-566 Title : Security Solutions for Systems Engineers Version : Demo 1. Which one of the following elements is essential to perform events analysis and correlation? A. implementation of a centralized

More information

CompTIA Security+ Certification

CompTIA Security+ Certification CompTIA Security+ Certification Course Number: SY0-301 Length: 5 Days Certification Exam This course is preparation for the CompTIA Security+ Certification exam. Course Overview This course will prepare

More information

Pearson: Certified Ethical Hacker Version 9. Course Outline. Pearson: Certified Ethical Hacker Version 9.

Pearson: Certified Ethical Hacker Version 9. Course Outline. Pearson: Certified Ethical Hacker Version 9. Course Outline Pearson: Certified Ethical Hacker Version 9 29 Sep 2018 Contents 1. Course Objective 2. Expert Instructor-Led Training 3. ADA Compliant & JAWS Compatible Platform 4. State of the Art Educator

More information

Ethical Hacking. Content Outline: Session 1

Ethical Hacking. Content Outline: Session 1 Ethical Hacking Content Outline: Session 1 Ethics & Hacking Hacking history : How it all begin - Why is security needed? - What is ethical hacking? - Ethical Hacker Vs Malicious hacker - Types of Hackers

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate

More information

GISF. GIAC Information Security Fundamentals.

GISF. GIAC Information Security Fundamentals. GIAC GISF GIAC Information Security Fundamentals TYPE: DEMO http://www.examskey.com/gisf.html Examskey GIAC GISF exam demo product is here for you to test the quality of the product. This GIAC GISF demo

More information