
Practicing CEH v9: EC-Council Certified Ethical Hacker Exam: 312-50

NO.1 You have gained physical access to a Windows 2008 R2 server which has an accessible disc
drive.
When you attempt to boot the server and log in, you are unable to guess the password.
In your toolkit, you have an Ubuntu 9.10 Linux LiveCD.
Which Linux-based tool can change any user's password or activate disabled Windows accounts?
(A) John the Ripper
(B) SET
(C) CHNTPW
(D) Cain & Abel
Answer : C
NO.2 Bob, your senior colleague, has sent you a mail regarding a deal with one of the clients.
You are requested to accept the offer and you oblige.
After 2 days, Bob denies that he had ever sent a mail.
What do you want to "know" to prove to yourself that it was Bob who had sent the mail?
(A) Confidentiality
(B) Integrity
(C) Non-Repudiation
(D) Authentication
Answer : C
NO.3 When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations
to perform external and internal penetration testing?
(A) At least twice a year or after any significant upgrade or modification
(B) At least once a year and after any significant upgrade or modification
(C) At least once every two years and after any significant upgrade or modification
(D) At least once every three years or after any significant upgrade or modification
Answer : B
NO.4 An attacker scans a host with the below command. Which three flags are set? (Choose three.)
#nmap -sX host.domain.com
(A) This is ACK scan. ACK flag is set
(B) This is Xmas scan. SYN and ACK flags are set
(C) This is Xmas scan. URG, PUSH and FIN are set
(D) This is SYN scan. SYN flag is set
Answer : C
NO.5 Which of the following types of jailbreaking allows user-level access but does not allow iBoot-level
access?
(A) Bootrom Exploit
(B) iBoot Exploit
(C) Sandbox Exploit
(D) Userland Exploit
Answer : D
NO.6 You have successfully compromised a server having an IP address of 10.10.0.5. You would like to
enumerate all machines in the same network quickly.
What is the best nmap command you will use?
(A) nmap -T4 -q 10.10.0.0/24
(B) nmap -T4 -F 10.10.0.0/24
(C) nmap -T4 -r 10.10.1.0/24
(D) nmap -T4 -O 10.10.0.0/24
Answer : B
NO.7 You need a tool that can do network intrusion prevention and intrusion detection, function as
a network sniffer, and record network activity. What tool would you most likely select?
(A) Snort
(B) Nmap
(C) Cain & Abel
(D) Nessus
Answer : A
NO.8 If a tester is attempting to ping a target that exists but receives no response or a response that
states the destination is unreachable, ICMP may be disabled and the network may be using TCP.
Which tool could the tester use to get a response from a host using TCP?
(A) Traceroute
(B) Hping
(C) TCP ping
(D) Broadcast ping
Answer : B
NO.9 You are a security officer of a company. You had an alert from IDS that indicates that one PC on
your Intranet is connected to a blacklisted IP address (C2 Server) on the Internet.
The IP address was blacklisted just before the alert. You are starting an investigation to roughly
analyze the severity of the situation. Which of the following is appropriate to analyze?
(A) Event logs on the PC
(B) Internet Firewall/Proxy log
(C) IDS log
(D) Event logs on domain controller
Answer : B
NO.10 You are working as a Security Analyst in a company XYZ that owns the whole subnet range of
23.0.0.0/8 and 192.168.0.0/8.
While monitoring the data, you find a high number of outbound connections. You see that IPs owned
by XYZ (Internal) and private IPs are communicating with a single Public IP.
Therefore, the Internal IPs are sending data to the Public IP.
After further analysis, you find out that this Public IP is a blacklisted IP, and the internal
communicating devices are compromised.
What kind of attack does the above scenario depict?
(A) Botnet Attack
(B) Spear Phishing Attack
(C) Advanced Persistent Threats
(D) Rootkit Attack
Answer : A
NO.11 Bob, a network administrator at BigUniversity, realized that some students are connecting
their notebooks to the wired network to have Internet access. In the university campus, there are
many Ethernet ports available for professors and authorized visitors but not for students.
He identified this when the IDS alerted for malware activities in the network.
What should Bob do to avoid this problem?
(A) Disable unused ports in the switches
(B) Separate students in a different VLAN
(C) Use the 802.1x protocol
(D) Ask students to use the wireless network
Answer : C
NO.12 During the process of encryption and decryption, what keys are shared?
(A) Private keys
(B) User passwords
(C) Public keys
(D) Public and private keys
Answer : C
NO.13 An Internet Service Provider (ISP) has a need to authenticate users connecting via analog
modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN)
over a Frame Relay network.
Which AAA protocol is the most likely able to handle this requirement?
(A) DIAMETER
(B) RADIUS
(C) TACACS+
(D) Kerberos
Answer : B
NO.14 Code injection is a form of attack in which a malicious user:

(A) Inserts text into a data field that gets interpreted as code
(B) Gets the server to execute arbitrary code using a buffer overflow
(C) Inserts additional code into the JavaScript running in the browser
(D) Gains access to the codebase on the server and inserts new code
Answer : A
NO.15 It has been reported to you that someone has caused an information spillage on their
computer. You go to the computer, disconnect it from the network, remove the keyboard and
mouse, and power it down. What step in incident handling did you just complete?
(A) Discovery
(B) Recovery
(C) Containment
(D) Eradication
Answer : C
NO.16 DNS cache snooping is a process of determining if the specified resource address is present in
the DNS cache records. It may be useful during the examination of the network to determine what
software update resources are used, thus discovering what software is installed.
What command is used to determine if the entry is present in DNS cache?
(A) nslookup -fullrecursive update.antivirus.com
(B) dnsnooping -rt update.antivirus.com
(C) nslookup -norecursive update.antivirus.com
(D) dns --snoop update.antivirus.com
Answer : C
NO.17 What is the purpose of a demilitarized zone on a network?
(A) To scan all traffic coming through the DMZ to the internal network
(B) To only provide direct access to the nodes within the DMZ and protect the network behind it
(C) To provide a place to put the honeypot
(D) To contain the network devices you wish to protect
Answer : B
NO.18 When tuning security alerts, what is the best approach?
(A) Tune to avoid False positives and False Negatives
(B) Raise False positives and raise False Negatives
(C) Decrease the false positives
(D) Decrease False negatives
Answer : A
NO.19 Why should the security analyst disable/remove unnecessary ISAPI filters?
(A) To defend against social engineering attacks
(B) To defend against webserver attacks
(C) To defend against jailbreaking
(D) To defend against wireless attacks
Answer : B
NO.20 Which of the following acts requires employers' standard national numbers to identify them
on standard transactions?
(A) SOX
(B) HIPAA
(C) DMCA
(D) PCI-DSS
Answer : B
NO.21 To determine if a software program properly handles a wide range of invalid input, a form of
automated testing can be used to randomly generate invalid input in an attempt to crash the
program.
What term is commonly used when referring to this type of testing?
(A) Fuzzing
(B) Mutating
(C) Randomizing
(D) Bounding
Answer : A
NO.22 Which of the following scanning methods splits the TCP header into several packets and makes
it difficult for packet filters to detect the purpose of the packet?
(A) ICMP Echo scanning
(B) SYN/FIN scanning using IP fragments
(C) ACK flag probe scanning
(D) IPID scanning
Answer : B
NO.23 Which Intrusion Detection System is best applicable for large environments where critical
assets on the network need extra security, and is ideal for observing sensitive network segments?
(A) Honeypots
(B) Firewalls
(C) Network-based intrusion detection system (NIDS)
(D) Host-based intrusion detection system (HIDS)
Answer : C
NO.24 How does the Address Resolution Protocol (ARP) work?
(A) It sends a request packet to all the network elements, asking for the domain name from a specific IP.
(B) It sends a request packet to all the network elements, asking for the MAC address from a specific IP.
(C) It sends a reply packet to all the network elements, asking for the MAC address from a specific IP.
(D) It sends a reply packet for a specific IP, asking for the MAC address.
Answer : B
NO.25 You are doing an internal security audit and intend to find out what ports are open on all the
servers. What is the best way to find out?
(A) Scan servers with Nmap
(B) Scan servers with MBSA
(C) Telnet to every port on each server
(D) Physically go to each server
Answer : A
NO.26 Which of the following is a low-tech way of gaining unauthorized access to systems?
(A) Scanning
(B) Sniffing
(C) Social Engineering
(D) Enumeration
Answer : C
NO.27 During a recent security assessment, you discover the organization has one Domain Name
Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network.
What is this type of DNS configuration commonly called?
(A) DynDNS
(B) DNS Scheme
(C) DNSSEC
(D) Split DNS
Answer : D
NO.28 What is the most common method to exploit the "Bash Bug" or "ShellShock" vulnerability?
(A) Manipulate format strings in text fields
(B) SSH
(C) SYN Flood
(D) Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment variable to a vulnerable Web server
Answer : D
NO.29 You need to deploy a new web-based software package for your organization. The package
requires three separate servers and needs to be available on the Internet. What is the recommended
architecture in terms of server placement?
(A) All three servers need to be placed internally
(B) A web server facing the Internet, an application server on the internal network, a database server on the internal network
(C) A web server and the database server facing the Internet, an application server on the internal network
(D) All three servers need to face the Internet so that they can communicate between themselves
Answer : B
NO.30 What is the least important information when you analyze a public IP address in a security
alert?
(A) ARP
(B) Whois
(C) DNS
(D) Geolocation
Answer : A
NO.31 Sam is working as a pen-tester in an organization in Houston. He performs penetration testing
on IDS in order to find the different ways an attacker uses to evade the IDS. Sam sends a large
amount of packets to the target IDS that generate alerts, which enable Sam to hide the real traffic.
What type of method is Sam using to evade IDS?
(A) Denial-of-Service
(B) False Positive Generation
(C) Insertion Attack
(D) Obfuscating
Answer : B
NO.32 Which of the following security policies defines the use of VPN for gaining access to an
internal corporate network?
(A) Network security policy
(B) Information protection policy
(C) Access control policy
(D) Remote access policy
Answer : D
NO.33 Which of the following attacks exploits web page vulnerabilities that allow an attacker to force
an unsuspecting user's browser to send malicious requests they did not intend?
(A) Command Injection Attacks
(B) File Injection Attack
(C) Cross-Site Request Forgery (CSRF)
(D) Hidden Field Manipulation Attack
Answer : C
NO.34 Which of the following is an adaptive SQL Injection testing technique used to discover coding
errors by inputting massive amounts of random data and observing the changes in the output?
(A) Function Testing
(B) Dynamic Testing
(C) Static Testing
(D) Fuzzing Testing
Answer : D
NO.35 Which Nmap option would you use if you were not concerned about being detected and
wanted to perform a very fast scan?
(A) -O
(B) -A
(C) -T0
(D) -T5
Answer : D
NO.36 Which Nmap option would you use if you were not concerned about being detected and
wanted to perform a very fast scan?
(A) -T0
(B) -T5
(C) -O
(D) -A
Answer : B
NO.37 An attacker has installed a RAT on a host. The attacker wants to ensure that when a user
attempts to go to "www.MyPersonalBank.com", that the user is directed to a phishing site.
Which file does the attacker need to modify?
(A) Boot.ini
(B) Sudoers
(C) Networks
(D) Hosts
Answer : D
NO.38 A hacker has managed to gain access to a Linux host and stolen the password file from
/etc/passwd. How can he use it?
(A) The file reveals the passwords to the root user only.
(B) The password file does not contain the passwords themselves.
(C) He cannot read it because it is encrypted.
(D) He can open it and read the user ids and corresponding passwords.
Answer : B
NO.39 The "white box testing" methodology enforces what kind of restriction?
(A) Only the internal operation of a system is known to the tester.
(B) The internal operation of a system is completely known to the tester.
(C) The internal operation of a system is only partly accessible to the tester.
(D) Only the external operation of a system is accessible to the tester.
Answer : B
NO.40 You are logged in as a local admin on a Windows 7 system and you need to launch the
Computer Management Console from command line.
Which command would you use?
(A) c:\gpedit
(B) c:\compmgmt.msc
(C) c:\ncpa.cp
(D) c:\services.msc
Answer : B
NO.41 Which of the following Secure Hashing Algorithms (SHA) produces a 160-bit digest from a
message with a maximum length of (2^64 - 1) bits and resembles the MD5 algorithm?
(A) SHA-2
(B) SHA-3
(C) SHA-1
(D) SHA-0
Answer : C
NO.42 Due to a slowdown of normal network operations, the IT department decided to monitor
internet traffic for all of the employees. From a legal standpoint, what would be troublesome about taking
this kind of measure?
(A) All of the employees would stop normal work activities
(B) IT department would be telling employees who the boss is
(C) Not informing the employees that they are going to be monitored could be an invasion of privacy.
(D) The network could still experience traffic slow down.
Answer : C
NO.43 What type of analysis is performed when an attacker has partial knowledge of the inner workings
of the application?
(A) Black-box
(B) Announced
(C) White-box
(D) Grey-box
Answer : D
NO.44 An unauthorized individual enters a building following an employee through the employee
entrance after the lunch rush. What type of breach has the individual just performed?
(A) Reverse Social Engineering
(B) Tailgating
(C) Piggybacking
(D) Announced
Answer : B
NO.45 To determine if a software program properly handles a wide range of invalid input, a form of
automated testing can be used to randomly generate invalid input in an attempt to crash the
program.
What term is commonly used when referring to this type of testing?
(A) Randomizing
(B) Bounding
(C) Mutating
(D) Fuzzing
Answer : D
NO.46 You are the Network Admin, and you get a complaint that some of the websites are no longer
accessible. You try to ping the servers and find them to be reachable. Then you type the IP address
in the browser and find the site to be accessible. But the sites are not accessible when you
try using the URL.
What may be the problem?
(A) Traffic is Blocked on UDP Port 53
(B) Traffic is Blocked on UDP Port 80
(C) Traffic is Blocked on UDP Port 54
(D) Traffic is Blocked on UDP Port 80
Answer : A
NO.47 The establishment of a TCP connection involves a negotiation called three-way handshake.
What type of message does the client send to the server in order to begin this negotiation?
(A) ACK
(B) SYN
(C) RST
(D) SYN-ACK
Answer : B
NO.48 A hacker named Jack is trying to compromise a bank's computer system. He needs to know
the operating system of that computer to launch further attacks.
What process would help him?
(A) Banner Grabbing
(B) IDLE/IPID Scanning
(C) SSDP Scanning
(D) UDP Scanning
Answer : A
NO.49 Which component of IPsec performs protocol-level functions that are required to encrypt and
decrypt the packets?
(A) Internet Key Exchange (IKE)
(B) Oakley
(C) IPsec Policy Agent
(D) IPsec driver
Answer : A
NO.50 What type of analysis is performed when an attacker has partial knowledge of the inner workings
of the application?
(A) Black-box
(B) Announced
(C) White-box
(D) Grey-box
Answer : D
NO.51 Which of the following programs infects the system boot sector and the executable files at the
same time?
(A) Stealth virus
(B) Polymorphic virus
(C) Macro virus
(D) Multipartite Virus
Answer : D
NO.52 Which of the following is considered as one of the most reliable forms of TCP scanning?
(A) TCP Connect/Full Open Scan
(B) Half-open Scan
(C) NULL Scan
(D) Xmas Scan
Answer : A
NO.53 What is not a PCI compliance recommendation?
(A) Use a firewall between the public network and the payment card data.
(B) Use encryption to protect all transmission of card holder data over any public network.
(C) Rotate employees handling credit card transactions on a yearly basis to different departments.
(D) Limit access to card holder data to as few individuals as possible.
Answer : C
NO.54 This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once
enough data packets have been captured. It implements the standard FMS attack along with some
optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster
compared to other WEP cracking tools.
Which of the following tools is being described?
(A) wificracker
(B) Airguard
(C) WLAN-crack
(D) Aircrack-ng
Answer : D
NO.55 Which of the following statements is TRUE?
(A) Sniffers operate on Layer 2 of the OSI model
(B) Sniffers operate on Layer 3 of the OSI model
(C) Sniffers operate on both Layer 2 & Layer 3 of the OSI model.
(D) Sniffers operate on the Layer 1 of the OSI model.
Answer : A
NO.56 Which of the following will perform an Xmas scan using NMAP?
(A) nmap -sA 192.168.1.254
(B) nmap -sP 192.168.1.254
(C) nmap -sX 192.168.1.254
(D) nmap -sV 192.168.1.254
Answer : C
NO.57 Which tool allows analysts and pen testers to examine links between data using graphs and
link analysis?
(A) Metasploit
(B) Cain & Abel
(C) Maltego
(D) Wireshark
Answer : C
NO.58 Alice encrypts her data using her public key PK and stores the encrypted data in the cloud.
Which of the following attack scenarios will compromise the privacy of her data?
(A) None of these scenarios compromise the privacy of Alice's data
(B) Agent Andrew subpoenas Alice, forcing her to reveal her private key. However, the cloud server successfully resists Andrew's attempt to access the stored data
(C) Hacker Harry breaks into the cloud server and steals the encrypted data
(D) Alice also stores her private key in the cloud, and Harry breaks into the cloud server as before
Answer : D
NO.59 Which of the following is a serious vulnerability in the popular OpenSSL cryptographic
software library? This weakness allows stealing the information protected, under normal conditions,
by the SSL/TLS encryption used to secure the Internet.

(A) SSL/TLS Renegotiation Vulnerability
(B) Shellshock
(C) Heartbleed Bug
(D) POODLE
Answer : C
NO.60 From the following table, identify the wrong answer in terms of Range (ft).

(A) 802.11b
(B) 802.11g
(C) 802.16(WiMax)
(D) 802.11a
Answer : D
NO.61 Which is the first step followed by Vulnerability Scanners for scanning a network?
(A) TCP/UDP Port scanning
(B) Firewall detection
(C) OS Detection
(D) Checking if the remote host is alive
Answer : D
NO.62 Which of the following is the best countermeasure to encrypting ransomware?
(A) Use multiple antivirus softwares
(B) Keep some generation of off-line backup
(C) Analyze the ransomware to get decryption key of encrypted data
(D) Pay a ransom
Answer : B
NO.63 Your company performs penetration tests and security assessments for small and medium-sized
businesses in the local area. During a routine security assessment, you discover information that
suggests your client is involved with human trafficking.
What should you do?
(A) Confront the client in a respectful manner and ask her about the data.
(B) Copy the data to removable media and keep it in case you need it.
(C) Ignore the data and continue the assessment until completed as agreed.
(D) Immediately stop work and contact the proper legal authorities.
Answer : D
NO.64 Which of the following Bluetooth hacking techniques does an attacker use to send messages
to users without the recipient's consent, similar to email spamming?
(A) Bluesmacking
(B) Bluesniffing
(C) Bluesnarfing
(D) Bluejacking
Answer : D
NO.65 The collection of potentially actionable, overt, and publicly available information is known as

(A) Open-source intelligence
(B) Human intelligence
(C) Social intelligence
(D) Real intelligence
Answer : A
NO.66 In Wireshark, the packet bytes pane shows the data of the current packet in which format?
(A) Decimal
(B) ASCII only
(C) Binary
(D) Hexadecimal
Answer : D
NO.67 In cryptanalysis and computer security, 'pass the hash' is a hacking technique that allows an
attacker to authenticate to a remote server/service by using the underlying NTLM and/or LanMan
hash of a user's password, instead of requiring the associated plaintext password as is normally the
case.
Metasploit Framework has a module for this technique: psexec. The psexec module is often used by
penetration testers to obtain access to a given system whose credentials are known. It was written by
sysinternals and has been integrated within the framework. The penetration testers successfully gain
access to a system through some exploit, use meterpreter to grab the passwords or other methods
like fgdump, pwdump, or cachedump and then utilize rainbowtables to crack those hash values.
Which of the following is the correct hash type and sort order that is used in the psexec module's
'smbpass' option?
(A) LM:NT
(B) NTLM:LM
(C) NT:LM
(D) LM:NTLM
Answer : A
NO.68 Shellshock allowed an unauthorized user to gain access to a server. It affected many Internet-facing
services. Which OS did it not directly affect?
(A) Linux
(B) Unix
(C) OS X
(D) Windows
Answer : D
NO.69 Identify the UDP port that Network Time Protocol (NTP) uses as its primary means of
communication?
(A) 123
(B) 161
(C) 69
(D) 113
Answer : A
NO.70 A technician is resolving an issue where a computer is unable to connect to the Internet using
a wireless access point. The computer is able to transfer files locally to other machines, but cannot
successfully reach the Internet. When the technician examines the IP address and default gateway,
they are both on the 192.168.1.0/24 network. Which of the following has occurred?
(A) The computer is not using a private IP address.
(B) The gateway is not routing to a public IP address.
(C) The gateway and the computer are not on the same network.
(D) The computer is using an invalid IP address.
Answer : B
NO.71 Bob, a system administrator at TPNQM SA, concluded one day that a DMZ is not needed if he
properly configures the firewall to allow access just to servers/ports, which can have direct internet
access, and block the access to workstations.
Bob also concluded that DMZ makes sense just when a stateful firewall is available, which is not the
case of TPNQM SA.
In this context, what can you say?
(A) Bob can be right since DMZ does not make sense when combined with stateless firewalls
(B) Bob is partially right. He does not need to separate networks if he can create rules by destination IPs, one by one
(C) Bob is totally wrong. DMZ is always relevant when the company has internet servers and workstations
(D) Bob is partially right. DMZ does not make sense when a stateless firewall is available
Answer : C
NO.72 ........is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one
offered on the premises, but actually has been set up to eavesdrop on wireless communications. It is
the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or
mobile phone to a tainted hotspot by posing as a legitimate provider. This type of attack may be used
to steal the passwords of unsuspecting users by either snooping the communication link or by
phishing, which involves setting up a fraudulent web site and luring people there.
Fill in the blank with appropriate choice.

(A) Evil Twin Attack
(B) Sinkhole Attack
(C) Collision Attack
(D) Signal Jamming Attack
Answer : A
NO.73 Firewalls are software or hardware systems that are able to control and monitor the
traffic coming in and out of the target network based on a pre-defined set of rules.
Which of the following types of firewalls can protect against SQL injection attacks?
(A) Data-driven firewall
(B) Stateful firewall
(C) Packet firewall
(D) Web application firewall
Answer : D
NO.74 An attacker, using a rogue wireless AP, performed an MITM attack and injected HTML
code to embed a malicious applet in all HTTP connections.
When users accessed any page, the applet ran and exploited many machines.
Which one of the following tools did the hacker probably use to inject the HTML code?
(A) Wireshark
(B) Ettercap
(C) Aircrack-ng
(D) Tcpdump
Answer : B
NO.75 Which is the first step followed by Vulnerability Scanners for scanning a network?
(A) Checking if the remote host is alive
(B) TCP/UDP Port scanning
(C) Firewall detection
(D) OS Detection
Answer : A
NO.76 You are attempting to run an Nmap port scan on a web server. Which of the following
commands would result in a scan of common ports with the least amount of noise in order to evade
IDS?
(A) nmap -A -Pn
(B) nmap -sP -p-65535 -T5
(C) nmap -sT -O -T0
(D) nmap -A --host-timeout 99 -T1
Answer : C
NO.77 Websites and web portals that provide web services commonly use the Simple Object Access
Protocol (SOAP). Which of the following is an incorrect definition or characteristic of the protocol?
(A) Based on XML
(B) Only compatible with the application protocol HTTP
(C) Exchanges data between web services
(D) Provides a structured model for messaging
Answer : B
NO.78 Which protocol is used for setting up secure channels between two devices, typically in
VPNs?
(A) PPP
(B) IPSEC
(C) PEM
(D) SET
Answer : B
NO.79 Based on the below log, which of the following sentences are true?
Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip
(A) SSH communications are encrypted; it's impossible to know who is the client or the server
(B) Application is FTP and 10.240.250.23 is the client and 10.249.253.15 is the server
(C) Application is SSH and 10.240.250.23 is the client and 10.249.253.15 is the server
(D) Application is SSH and 10.240.250.23 is the server and 10.249.253.15 is the server
Answer : C
NO.80 What term describes the amount of risk that remains after the vulnerabilities are classified
and the countermeasures have been deployed?
(A) Deferred risk
(B) Impact risk
(C) Inherent risk
(D) Residual risk
Answer : D
NO.81 Sophia travels a lot and worries that her laptop containing confidential documents might be
stolen. What is the best protection that will work for her?
(A) Disk encryption
(B) BIOS password
(C) Hidden folders
(D) Password protected files
Answer : A
NO.82 In which of the following cryptography attack methods does the attacker make a series of
interactive queries, choosing subsequent plaintexts based on the information from the previous
encryptions?
(A) Chosen-plaintext attack
(B) Ciphertext-only attack
(C) Adaptive chosen-plaintext attack
(D) Known-plaintext attack
Answer : A
NO.83 When conducting a penetration test, it is crucial to use all means to get all available
information about the target network. One of the ways to do that is by sniffing the network.
Which of the following cannot be performed by passive network sniffing?
(A) Identifying operating systems, services, protocols and devices
(B) Modifying and replaying captured network traffic
(C) Collecting unencrypted information about usernames and passwords
(D) Capturing network traffic for further analysis
Answer : B
NO.84 You perform a scan of your company's network and discover that TCP port 123 is open.
What services by default run on TCP port 123?
(A) Telnet
(B) POP3
(C) Network Time Protocol
(D) DNS
Answer : C
NO.85 Insecure direct object reference is a type of vulnerability where the application does not
verify if the user is authorized to access the internal object via its name or key.
Suppose a malicious user Rob tries to get access to the account of a benign user Ned.
Which of the following requests best illustrates an attempt to exploit an insecure direct object
reference vulnerability?
(A) "GET/restricted/goldtransfer?to=Rob&from=1 or 1=1' HTTP/1.1Host: westbank.com"
(B) "GET/restricted/accounts/?name=Ned HTTP/1.1 Host: westbank.com"
(C) "GET/restricted/bank.getaccount('Ned') HTTP/1.1 Host: westbank.com"
(D) "GET/restricted/\r\n\%00account%00Ned%00access HTTP/1.1 Host: westbank.com"
Answer : B
NO.86 You are looking for a SQL injection vulnerability by sending a special character to web
applications. Which of the following is the most useful for quick validation?
(A) Double quotation
(B) Backslash
(C) Semicolon
(D) Single quotation
Answer : D
NO.87 PGP, SSL, and IKE are all examples of which type of cryptography?
(A) Hash Algorithm
(B) Digest
(C) Secret Key
(D) Public Key
Answer : D
NO.88 Which method of password cracking takes the most time and effort?
(A) Shoulder surfing
(B) Brute force
(C) Dictionary attack
(D) Rainbow tables
Answer : B
NO.89 Which of the following options represents a conceptual characteristic of an anomaly-based
IDS over a signature-based IDS?
(A) Produces fewer false positives
(B) Can identify unknown attacks
(C) Requires vendor updates for a new threat
(D) Cannot deal with encrypted network traffic
Answer : B
NO.90 Which of the following cryptography attacks is an understatement for the extraction of
cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture?
(A) Chosen-Cipher text Attack
(B) Ciphertext-only Attack
(C) Timing Attack
(D) Rubber Hose Attack
Answer : D
NO.91 In which of the following password protection techniques are random strings of characters
added to the password before calculating their hashes?
(A) Keyed Hashing
(B) Key Stretching
(C) Salting
(D) Double Hashing
Answer : C
NO.92 Which of these is capable of searching for and locating rogue access points?
(A) HIDS
(B) NIDS
(C) WISS
(D) WIPS
Answer : D
NO.93 Some clients of TPNQM SA were redirected to a malicious site when they tried to access the
TPNQM main site. Bob, a system administrator at TPNQM SA, found that they were victims of DNS
Cache Poisoning.
What should Bob recommend to deal with such a threat?
(A) The use of security agents in clients' computers
(B) The use of DNSSEC
(C) The use of double-factor authentication
(D) Client awareness
Answer : B
NO.94 Cross-site request forgery involves:

(A) A request sent by a malicious user from a browser to a server
(B) Modification of a request by a proxy between client and server
(C) A browser making a request to a server without the user's knowledge
(D) A server making a request to another server without the user's knowledge
Answer : C
NO.95 Which of the following is the BEST way to defend against network sniffing?
(A) Restrict Physical Access to Server Rooms hosting Critical Servers
(B) Use Static IP Address
(C) Using encryption protocols to secure network communications
(D) Register all machines MAC Address in a Centralized Database
Answer : C
NO.96 What would you enter, if you wanted to perform a stealth scan using Nmap?
(A) nmap -sU
(B) nmap -sS
(C) nmap -sM
(D) nmap -sT
Answer : B
NO.97 You are a Penetration Tester and are assigned to scan a server. You need to use a scanning
technique wherein the TCP Header is split into many packets so that it becomes difficult to detect
what the packets are meant for.
Which of the below scanning techniques will you use?
(A) ACK flag scanning
(B) TCP Scanning
(C) IP Fragment Scanning
(D) Inverse TCP flag scanning
Answer : C
NO.98 You have successfully gained access to a Linux server and would like to ensure that the
succeeding outgoing traffic from this server will not be caught by Network-Based Intrusion Detection
Systems (NIDS).
What is the best way to evade the NIDS?
(A) Out of band signaling
(B) Protocol Isolation
(C) Encryption
(D) Alternate Data Streams
Answer : C
NO.99 Bob finished a C programming course and created a small C application to monitor the
network traffic and produce alerts when any origin sends "many" IP packets, based on the average
number of packets sent by all origins and using some thresholds.
In concept, the solution developed by Bob is actually:

(A) Just a network monitoring tool
(B) A signature-based IDS
(C) A hybrid IDS
(D) A behavior-based IDS
Answer : A
NO.100 In an internal security audit, the white hat hacker gains control over a user account and
attempts to acquire access to another account's confidential files and information. How can he
achieve this?
(A) Privilege Escalation
(B) Shoulder-Surfing
(C) Hacking Active Directory
(D) Port Scanning
Answer : A
NO.101 Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within the
suite provides different functionality. Collectively, IPSec does everything except:

(A) Work at the Data Link Layer
(B) Protect the payload and the headers
(C) Encrypt
(D) Authenticate
Answer : A
NO.102 A hacker is an intelligent individual with excellent computer skills and the ability to explore a
computer's software and hardware without the owner's permission. Their intention can either be to
simply gain knowledge or to illegally make changes.
Which of the following classes of hacker refers to an individual who works both offensively and
defensively at various times?
(A) White Hat
(B) Suicide Hacker
(C) Gray Hat
(D) Black Hat
Answer : C
NO.103 The security administrator of ABC needs to permit Internet traffic to the host 10.0.0.2 and
UDP traffic to the host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and
deny all other traffic. After he applied his ACL configuration in the router, nobody can access
FTP, and the permitted hosts cannot access the Internet.
According to the following configuration, what is happening in the network?
(A) The ACL 104 needs to be first because it is UDP
(B) The ACL 110 needs to be changed to port 80
(C) The ACL for FTP must be before the ACL 110
(D) The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
Answer : D
NO.104 What two conditions must a digital signature meet?
(A) Has to be legible and neat.
(B) Has to be unforgeable, and has to be authentic.
(C) Must be unique and have special characters.
(D) Has to be the same number of characters as a physical signature and must be unique.
Answer : B
NO.105 In Risk Management, how is the term "likelihood" related to the concept of "threat?"

(A) Likelihood is the likely source of a threat that could exploit a vulnerability.
(B) Likelihood is the probability that a threat-source will exploit a vulnerability.
(C) Likelihood is a possible threat-source that may exploit a vulnerability.
(D) Likelihood is the probability that a vulnerability is a threat-source.
Answer : B
NO.106 What network security concept requires multiple layers of security controls to be placed
throughout an IT infrastructure, which improves the security posture of an organization to defend
against malicious attacks or potential vulnerabilities?
(A) Host-Based Intrusion Detection System
(B) Security through obscurity
(C) Defense in depth
(D) Network-Based Intrusion Detection System
Answer : C
NO.107 A virus that attempts to install itself inside the file it is infecting is called?
(A) Tunneling virus
(B) Cavity virus
(C) Polymorphic virus
(D) Stealth virus
Answer : B
NO.108 Security Policy is a definition of what it means to be secure for a system, organization or
other entity. For Information Technologies, there are sub-policies like Computer Security Policy,
Information Protection Policy, Information Security Policy, network Security Policy, Physical Security
Policy, Remote Access Policy, and User Account Policy.
What is the main theme of the sub-policies for Information Technologies?
(A) Availability, Non-repudiation, Confidentiality
(B) Authenticity, Integrity, Non-repudiation
(C) Confidentiality, Integrity, Availability
(D) Authenticity, Confidentiality, Integrity
Answer : C
NO.109 _________ is a set of extensions to DNS that provide to DNS clients (resolvers) origin
authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack
types.

(A) DNSSEC
(B) Resource records
(C) Resource transfer
(D) Zone transfer
Answer : A
NO.110 Steve, a scientist who works in a governmental security agency, developed a technological
solution to identify people based on walking patterns and implemented this approach in a physical
access control.
A camera captures people walking and identifies the individuals using Steve's approach.
After that, people must present their RFID badges. Both identifications are required to open
the door.
In this case, we can say:

(A) Although the approach has two phases, it actually implements just one authentication factor
(B) The solution implements the two authentication factors: physical object and physical characteristic
(C) The solution will have a high level of false positives
(D) Biological motion cannot be used to identify people
Answer : B
NO.111 On performing a risk assessment, you need to determine the potential impacts when some
of the critical business processes of the company interrupt their service. What is the name of the process
by which you can determine those critical business processes?
(A) Risk Mitigation
(B) Emergency Plan Response (EPR)
(C) Disaster Recovery Planning (DRP)
(D) Business Impact Analysis (BIA)
Answer : D
NO.112 This asymmetric cipher is based on factoring the product of two large prime numbers.
What cipher is described above?
(A) SHA
(B) RSA
(C) MD5
(D) RC5
Answer : B
NO.113 Chandler works as a pen-tester in an IT-firm in New York. As a part of detecting viruses in
the systems, he uses a detection method where the anti-virus executes the malicious codes on a
virtual machine to simulate CPU and memory activities.
Which type of virus detection method did Chandler use in this context?
(A) Heuristic Analysis
(B) Code Emulation
(C) Integrity checking
(D) Scanning
Answer : B
NO.114 You are monitoring the network of your organizations. You notice that:
Which of the following solutions will you suggest?
(A) Block the blacklisted IPs at the Firewall
(B) Update the Latest Signatures on your IDS/IPS
(C) Clean the Malware which is trying to Communicate with the External Blacklisted IPs
(D) Both B and C
Answer : D
NO.115 What type of vulnerability/attack is it when the malicious person forces the user's browser
to send an authenticated request to a server?
(A) Cross-site request forgery
(B) Cross-site scripting
(C) Session hijacking
(D) Server side request forgery
Answer : A
NO.116 If you want to scan only fewer ports than the default scan using the Nmap tool, which option
would you use?
(A) -sP
(B) -P
(C) -r
(D) -F
Answer : B
NO.117 A company's Web development team has become aware of a certain type of security
vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited,
the team wants to modify the software requirements to disallow users from entering HTML as input
into their Web application.
What kind of Web application vulnerability likely exists in their software?
(A) Cross-site scripting vulnerability
(B) Web site defacement vulnerability
(C) SQL injection vulnerability
(D) Cross-site Request Forgery vulnerability
Answer : A
NO.118 Which of the following antennas is commonly used in communications for a frequency band
of 10 MHz to VHF and UHF?
(A) Omnidirectional antenna
(B) Dipole antenna
(C) Yagi antenna
(D) Parabolic grid antenna
Answer : C
NO.119 What is attempting an injection attack on a web server based on responses to True/False
questions called?
(A) DMS-specific SQLi
(B) Compound SQLi
(C) Blind SQLi
(D) Classic SQLi
Answer : C
NO.120 The following is part of a log file taken from the machine on the network with the IP address
of 192.168.0.110:
What type of activity has been logged?
(A) Teardrop attack targeting 192.168.0.110
(B) Denial of service attack targeting 192.168.0.105
(C) Port scan targeting 192.168.0.110
(D) Port scan targeting 192.168.0.105
Answer : C
NO.121 Which regulation defines security and privacy controls for Federal information systems and
organizations?
(A) HIPAA
(B) EU Safe Harbor
(C) PCI-DSS
(D) NIST-800-53
Answer : D
NO.122 Which one of the following Google advanced search operators allows an attacker to restrict
the results to those websites in the given domain?
(A) [cache:]
(B) [site:]
(C) [inurl:]
(D) [link:]
Answer : B
NO.123 If an attacker uses the command SELECT * FROM user WHERE name = 'x' AND userid IS NULL;
--'; which type of SQL injection attack is the attacker performing?
(A) End of Line Comment
(B) UNION SQL Injection
(C) Illegal/Logically Incorrect Query
(D) Tautology
Answer : D
NO.124 An IT employee got a call from one of our best customers. The caller wanted to know about
the company's network infrastructure, systems, and team. New opportunities of integration are in
sight for both company and customer. What should this employee do?

(A) The employees cannot provide any information; but, anyway, he/she will provide the name of the person in charge.
(B) Since the company's policy is all about Customer Service, he/she will provide information.
(C) Disregarding the call, the employee should hang up.
(D) The employee should not provide any information without previous management authorization.
Answer : D
NO.125 Assume a business-crucial web-site of some company that is used to sell handsets to the
customers worldwide. All the developed components are reviewed by the security team on a
monthly basis. In order to drive business further, the web-site developers decided to add some 3rd
party marketing tools on it. The tools are written in JavaScript and can track the customer's activity
on the site. These tools are located on the servers of the marketing company.
What is the main security risk associated with this scenario?
(A) External script contents could be maliciously modified without the security team knowledge
(B) External scripts have direct access to the company servers and can steal the data from there
(C) There is no risk at all as the marketing services are trustworthy
(D) External scripts increase the outbound company data traffic, which leads to greater financial losses
Answer : A
NO.126 Which of the following provides a security professional with the most information about the
system's security posture?
(A) Wardriving, warchalking, social engineering
(B) Social engineering, company site browsing, tailgating
(C) Phishing, spamming, sending trojans
(D) Port scanning, banner grabbing, service identification
Answer : D
NO.127
ping -* 6 192.168.0.101
output
Pinging 192.168.0.101:bytes=32 times<1ms TTL=128
Pinging 192.168.0.101:bytes=32 times<1ms TTL=128
Pinging 192.168.0.101:bytes=32 times<1ms TTL=128
Pinging 192.168.0.101:bytes=32 times<1ms TTL=128
Pinging 192.168.0.101:bytes=32 times<1ms TTL=128
Pinging 192.168.0.101:bytes=32 times<1ms TTL=128
Ping statistics for 192.168.0.101:
Packets: Sent=6, Received=6, Lost=0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum=0ms, Maximum=0ms, Average=0ms
What does the option * indicate?
(A) s
(B) t
(C) n
(D) a
Answer : C
NO.128 Which mode of IPSec should you use to assure security and confidentiality of data within
the same LAN?
(A) AH promiscuous
(B) ESP confidential
(C) AH Tunnel mode
(D) ESP transport mode
Answer : D
NO.129 Which regulation defines security and privacy controls for Federal information systems and
organizations?
(A) HIPAA
(B) EU Safe Harbor
(C) PCI-DSS
(D) NIST-800-53
Answer : D
NO.130 Identify the web application attack where the attackers exploit vulnerabilities in dynamically
generated web pages to inject client-side script into web pages viewed by other users.

(A) SQL injection attack
(B) Cross-Site Scripting (XSS)
(C) LDAP Injection attack
(D) Cross-Site Request Forgery (CSRF)
Answer : B
NO.131 Which property or concept ensures that a hash function will not produce the same hashed value for two different messages?
(A) Key strength
(B) Bit length
(C) Entropy
(D) Collision resistance
Answer : D
NO.132 Secure Hashing Algorithm (SHA) is an algorithm for generating a cryptographically secure one-way hash, published by the National Institute of Standards and Technology as a U.S. Federal Information Processing Standard. What is the block (word) size used by the SHA-512 algorithm?
(A) 32-bit
(B) 64-bit
(C) 128-bit
(D) 256-bit
Answer : B
NO.133 This phase will increase the odds of success in later phases of the penetration test. It is also the very first step in Information Gathering, and it will tell you what the "landscape" looks like. What is the most important phase of ethical hacking in which you need to spend a considerable amount of time?
(A) Gaining access
(B) Escalating privileges
(C) Network mapping
(D) Footprinting
Answer : D
NO.134 What's stack smashing?
(A) It's when code is executed from a default heap.
(B) It's when an attacker gets to a stack after they're done with the pumpkins.
(C) A buffer overflow that overwrites the return address
(D) The input of No Operation instruction code in a string
Answer : C
NO.135 Which of the following is the least-likely physical characteristic to be used in biometric control that supports a large company?
(A) Fingerprints
(B) Height and Weight
(C) Iris patterns
(D) Voice
Answer : B
NO.136 Wireless antenna is an electrical device which converts electric currents into radio waves, and vice versa.
Which of the following antennas is used in wireless base stations and provides a 360 degree horizontal radiation pattern?
(A) Omnidirectional antenna
(B) Parabolic grid antenna
(C) Yagi antenna
(D) Dipole antenna
Answer : A
NO.137 Which of these attacks does bounds checking prevent:
(A) SQL injection
(B) DoS
(C) Buffer overflow
(D) Memory overflow
Answer : C
NO.138 More sophisticated IDSs look for common shellcode signatures. But even these systems can be bypassed, by using polymorphic shellcode.
This is a technique common among virus writers. It basically hides the true nature of the shellcode in different disguises.
How does a polymorphic shellcode work?
(A) They encrypt the shellcode by XORing values over the shellcode, using loader code to decrypt the shellcode, and then executing the decrypted shellcode
(B) They convert the shellcode into Unicode, using loader to convert back to machine code then executing them
(C) They reverse the working instructions into opposite order by masking the IDS signatures
(D) They compress shellcode into normal instructions, uncompress the shellcode using loader code and then execute the shellcode
Answer : A
NO.139 Which of these is used during steganography to withstand statistical steganalysis?
(A) Stream-based cryptography process
(B) Data whitening process
(C) Data encoding process
(D) All of these
Answer : D
NO.140 An intrusion detection system (IDS) gathers and analyzes information from within a computer or a network, to identify the possible violations of security policy, including unauthorized access, as well as misuse.
Which of the following IDS detection techniques detects the intrusion based on the fixed behavioral characteristics of the users and components in a computer system?
(A) Signature recognition
(B) Anomaly detection
(C) Protocol anomaly detection
(D) All of the above
Answer : B
NO.141 The security concept of "separation of duties" is most similar to the operation of which type of security device?
(A) Bastion host
(B) Honeypot
(C) Firewall
(D) Intrusion Detection System
Answer : A
NO.142 Which of the following is a hashing algorithm?
(A) DES
(B) ROT13
(C) MD5
(D) PGP
Answer : C
NO.143 Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data.
Which of the following steganography techniques embeds a secret message in the frequency domain of a signal?
(A) Substitution techniques
(B) Transform domain techniques
(C) Spread spectrum techniques
(D) Domain distortion techniques
(E) Cover generation techniques
Answer : B
NO.144 Which of the following programming languages is not susceptible to a stack-based buffer overflow attack?
(A) C++
(B) C
(C) Assembler
(D) Java
Answer : D
NO.145 It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles any electronic medical data.
These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing, and sharing any electronic medical data to keep patient data secure.
Which of the following regulations best matches the description?
(A) ISO/IEC 27002
(B) HIPAA
(C) FISMA
(D) COBIT
Answer : B
NO.146 From a security perspective, there is no problem in using the '>>' operator.
(A) True
(B) False
(C)
(D)
Answer : B
NO.147 Which tool queries publicly available databases that contain domain name registration contact information?
(A) netstat
(B) ifconfig
(C) WHOIS
(D) nslookup
Answer : C
NO.148 Which of the following problems can be solved by using Wireshark?
(A) Resetting the administrator password on multiple systems
(B) Troubleshooting communication resets between two systems
(C) Tracking version changes of source code
(D) Checking creation dates on all webpages on a server
Answer : B
NO.149 Which of the following activities is not considered to be anti-forensics?
(A) Data sanitizing
(B) Trail obfuscation
(C) Artifact wiping
(D) Data hiding
Answer : A
NO.150 A jailbroken iOS device is usually less secure than an unjailbroken iOS device. True or false?
(A) True
(B) False
(C)
(D)
Answer : A
NO.151 Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met.
Identify the virus that modifies the directory table entries so that directory entries point to the virus code instead of the actual program.

(A) Macro Viruses
(B) Cluster Viruses
(C) Encryption Viruses
(D) Boot Sector Viruses
Answer : B
NO.152 Which of the following tools is used to analyze the files produced by several packet-capture programs such as tcpdump, WinDump, Wireshark, and EtherPeek?
(A) tcptrace
(B) Tcptraceroute
(C) OpenVAS
(D) Nessus
Answer : A
NO.153 Identify the denial-of-service attack that is carried out using a method known as "bricking a system."
Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware.

(A) ICMP Flood Attack
(B) Application Level Flood Attacks
(C) Phlashing
(D) Bandwidth Attacks
Answer : C
NO.154 What is a "Collision attack" in cryptography?
(A) Collision attacks try to get the public key
(B) Collision attacks try to find two inputs producing the same hash.
(C) Collision attacks try to break the hash into two parts, with the same bytes in each part to get the private key.
(D) Collision attacks try to break the hash into three parts to get the plaintext value.
Answer : B
NO.155 OS fingerprinting is the method used to determine the operating system running on a remote target system. It is an important scanning method, as the attacker will have a greater probability of success if he/she knows the OS. Active stack fingerprinting is one of the types of OS fingerprinting.
Which of the following is true about active stack fingerprinting?
(A) Uses password crackers to escalate system privileges
(B) Is based on the fact that various vendors of OS implement the TCP stack differently
(C) TCP connect scan
(D) Uses sniffing techniques instead of the scanning techniques
(E) Is based on the differential implementation of the stack and the various ways an OS responds to it
Answer : B
NO.156 Buffer Overflow occurs when an application writes more data to a block of memory, or buffer, than the buffer is allocated to hold. Buffer overflow attacks allow an attacker to modify the ___________ in order to control the process execution, crash the process and modify internal variables.
(A) Target process's address space
(B) Target remote access
(C) Target rainbow table
(D) Target SAM file
Answer : A
NO.157 During a routine assessment you discover information that suggests the customer is involved in human trafficking.
(A) Copy the data to a thumb drive and keep it as leverage.
(B) Immediately stop work and contact the proper legal authorities
(C) Ignore the data, complete the job, collect a check. Keep it moving!
(D) Confront the client in a respectful manner and ask about the data
Answer : B
NO.158 As a countermeasure to buffer overflows, bounds checking should be performed.
(A) True
(B) False
(C)
(D)
Answer : A
NO.159 A regional bank hires your company to perform a security assessment on their network after a recent data breach.
The attacker was able to steal financial data from the bank by compromising only a single server.
Based on this information, what should be one of your key recommendations to the bank?
(A) Require all employees to change their anti-virus program with a new one
(B) Move the financial data to another server on the same IP subnet
(C) Issue new certificates to the web servers from the root certificate authority
(D) Place a front-end web server in a demilitarized zone that only handles external web traffic
Answer : D
NO.160 You've just been hired to perform a pen test on an organization that has been subjected to a large-scale attack.
The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate risk. What is one of the first things you should do when given the job?
(A) Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable levels.
(B) Interview all employees in the company to rule out possible insider threats
(C) Establish attribution to suspected attackers
(D) Start the Wireshark application to start sniffing network traffic.
Answer : A
NO.161 You have compromised a server and successfully gained root access.
You want to pivot and pass traffic undetected over the network and evade any possible Intrusion Detection System.
What is the best approach?
(A) Install and use Telnet to encrypt all outgoing traffic from this server.
(B) Use Alternate Data Streams to hide the outgoing packets from this server.
(C) Install Cryptcat and encrypt outgoing packets from this server.
(D) Use HTTP so that all traffic can be routed via a browser, thus evading the internal Intrusion Detection Systems.
Answer : C
NO.161 True or false? Steganography's niche in security of information is to replace cryptography?
(A) True
(B) False
(C)
(D)
Answer : B
NO.162 LSB insertion can serve as a steganographic technique to hide messages in audio files.
(A) True
(B) False
(C)
(D)
Answer : A
NO.163 Rootkits are harder to detect than other malware.
(A) True
(B) False
(C)
(D)
Answer : A
NO.164 During a routine assessment you discover information that suggests the customer is involved in human trafficking.
(A) Ignore the data, complete the job, collect a check. Keep it moving!
(B) Immediately stop work and contact the proper legal authorities
(C) Copy the data to a thumb drive and keep it as leverage.
(D) Confront the client in a respectful manner and ask about the data
Answer : B
NO.165 A sniffer turns the NIC of a system to the promiscuous mode so that it listens to all the data transmitted on its segment. It can constantly read all information entering the computer through the NIC by decoding the information encapsulated in the data packet. Passive sniffing is one of the types of sniffing. Passive sniffing refers to:
(A) Sniffing through a hub
(B) Sniffing through a router
(C) Sniffing through a switch
(D) Sniffing through a bridge
Answer : A
NO.166 What's stack smashing?
(A) The input of No Operation instruction code in a string
(B) A buffer overflow that overwrites the return address
(C) It's when code is executed from a default heap.
(D) It's when an attacker gets to a stack after they're done with the pumpkins.
Answer : B
NO.167 What is the best way a designer can mitigate buffer overflow from occurring in their code? Choose all that apply.
(A) Write code using boundary checks within the code.
(B) Write code without boundary scans.
(C) Write code that uses C++ and everything will be great, no worries.
(D) Use a protocol robustness test to verify the code meets qualifications for proper boundary and common key stroke entries.
Answer : A;D
NO.168 The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the central processing unit (CPU), rather than passing only the frames that the controller is intended to receive.
Which of the following is being described?
(A) Port forwarding
(B) Multi-cast mode
(C) WEP
(D) promiscuous mode
Answer : D
NO.169 How do you defend against Privilege Escalation? (4 answers)
(A) Use encryption to protect sensitive data
(B) Restrict the interactive logon privileges
(C) Run services as unprivileged accounts
(D) Allow security settings of IE to zero or Low
(E) Run users and applications on the least privileges
Answer : A;B;C;E
NO.170 You work as a Security Analyst for a retail organization. In securing the company's network, you set up a firewall and an IDS. However, hackers are able to attack the network.
After investigating, you discover that your IDS is not configured properly and therefore is unable to trigger alarms when needed.
What type of alert is the IDS giving?
(A) True Positive
(B) True Negative
(C) False Negative
(D) False Positive
Answer : C
NO.171 Which of the following Wi-Fi chalking methods refers to drawing symbols in public places to advertise open Wi-Fi networks?
(A) WarWalking
(B) WarFlying
(C) WarChalking
(D) WarDriving
Answer : C
NO.172 RSA is a public-key cryptosystem developed by MIT professors Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman in 1977 in an effort to help ensure Internet security. RSA uses modular arithmetic and elementary number theory to do computations using two very large prime numbers. Identify the statement which is true for RC6 algorithm:
(A) Is a variable key-size stream cipher with byte-oriented operations and is based on the use of a random permutation
(B) Includes integer multiplication and the use of four 4-bit working registers
(C) Is a parameterized algorithm with a variable block size, key size, and a variable number of rounds
(D) Is a 64 bit block cipher that uses a key length that can vary between 32 and 448 bits
Answer : B
NO.173 It is possible to hide a text message in _.
(A) All of these
(B) A graphic file
(C) An audio file
(D) Another message
Answer : A
NO.174 Which property or concept ensures that a hash function will not produce the same hashed value for two different messages?
(A) Key strength
(B) Entropy
(C) Bit length
(D) Collision resistance
Answer : D
NO.175 Which of the following describes the characteristics of a Boot Sector Virus?
(A) Overwrites the original MBR and only executes the new virus code
(B) Modifies directory table entries so that directory entries point to the virus code instead of the actual program
(C) Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
(D) Moves the MBR to another location on the RAM and copies itself to the original location of the MBR
Answer : C
NO.176 You have several plain-text firewall logs that you must review to evaluate network traffic.
You know that in order to do fast, efficient searches of the logs you must use regular expressions.
Which command-line utility are you most likely to use?
(A) Grep
(B) Relational Database
(C) Notepad
(D) MS Excel
Answer : A
NO.177 The tool 'snow' is a _________ steganography tool.
(A) whitespace
(B) blackspace
(C) deep
(D) deadspace
Answer : A
NO.178 What is the main use of digital watermarks and digital fingerprinting today?
(A) Track copyright issues
(B) To develop covert communications
(C) To monitor patent applications
(D) To enhance duplication
Answer : A
NO.179 An attacker gains access to a Web server's database and displays the contents of the table that holds all of the names, passwords, and other user information. The attacker did this by entering information into the Web site's user login page that the software's designers did not expect to be entered. This is an example of what kind of software design problem/issue?
(A) Insufficient firewall rules
(B) Insufficient input validation
(C) Insufficient exception handling
(D) Insufficient anti-virus detection
Answer : B
NO.180 You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords.
You find a hidden folder that has the administrator's bank account password and login information for the administrator's bitcoin account.
What should you do?
(A) Transfer money from the administrator's account to another account
(B) Do not report it and continue the penetration test
(C) Report immediately to the administrator
(D) Do not transfer the money but steal the bitcoins
Answer : C
NO.181 It is a kind of malware (malicious software) that criminals install on your computer so they can lock it from a remote location.
This malware generates a pop-up window, webpage, or email warning from what looks like an official authority.
It explains that your computer has been locked because of possible illegal activities on it and demands payment before you can access your files and programs again.
Which of the following terms best matches the definition?
(A) Ransomware
(B) Spyware
(C) Riskware
(D) Adware
Answer : A
NO.182 Which layered approach to security hides data in ICMP traffic?
(A) Hiding directories
(B) Encryption
(C) Covert channels
(D) Unique
Answer : C
NO.183 Which of the following is an example of the principle of least privilege as a system security control?
(A) User should have limited access to the information regardless of its purpose
(B) User must be able to access only the information and resources that are necessary for legitimate purpose
(C) User should access all the information stored in the business to best execute their functions
(D) Companies should have only a few employees
Answer : B
NO.184 An individual who aims to bring down critical infrastructure for a "cause" and is not worried about facing 30 years in jail for their action.
(A) Black Hat
(B) Suicide Hacker
(C) Gray Hat
(D) White Hat
Answer : B
NO.185 Which solution can be used to emulate real services such as ftp, mail, etc. and capture login attempts and related information? They're often used to study hackers' activities.
(A) Layer 4 switch
(B) Core server
(C) Honeypot
(D) Firewall
Answer : C
NO.186 What should you do if a friend asks you to perform a penetration test as a favor outside your normal job of being a pen tester for a consulting company?
(A) Start the test immediately
(B) Start foot printing the friend’s network
(C) Start social engineering the friend's company
(D) Ask your employer for permission to perform the test outside of your normal work
Answer : D
NO.187 It is an entity or event with the potential to adversely impact a system through unauthorized access, destruction, disclosure, denial of service or modification of data.
Which of the following terms best matches the definition?
(A) Threat
(B) Attack
(C) Vulnerability
(D) Risk
Answer : A
NO.188 Which device in a wireless local area network (WLAN) determines the next network point to which a packet should be forwarded toward its destination?
(A) Wireless modem
(B) Antenna
(C) Wireless router
(D) Mobile station
Answer : C
NO.189 A hacker is a person who illegally breaks into a system or network without any authorization to destroy or steal sensitive data or to perform other malicious attacks.
Black hat hackers are:
(A) Individuals with extraordinary computing skills, resorting to malicious or destructive activities and are also known as crackers
(B) Individuals professing hacker skills and using them for defensive purposes and are also known as security analysts
(C) Individuals who aim to bring down critical infrastructure for a "cause" and are not worried about facing 30 years in jail for their actions
(D) Individuals who work both offensively and defensively at various times
Answer : A
NO.190 True or false. The robustness of spread spectrum steganography against active attacks comes at the cost of low embedding capacity.
(A) True
(B) False
Answer : A
NO.191 What are noisy areas in the steganography realm?
(A) Grayscale color area
(B) Black areas
(C) Areas with a great deal of natural color variation
(D) Areas with little color variation
Answer : C
NO.192 After trying multiple exploits, you've gained root access to a Centos 6 server. To ensure you maintain access, what would you do first?
(A) Disable Key Services
(B) Create User Account
(C) Disable IPTables
(D) Download and Install Netcat
Answer : D
NO.193 In Risk Management, how is the term "likelihood" related to the concept of "threat?"
(A) Likelihood is a possible threat-source that may exploit a vulnerability.
(B) Likelihood is the likely source of a threat that could exploit a vulnerability.
(C) Likelihood is the probability that a vulnerability is a threat-source.
(D) Likelihood is the probability that a threat-source will exploit a vulnerability.
Answer : D
NO.194 Secret communication where the existence of the message is hidden is known as ______.
(A) Concealment Cipher
(B) Image Processing
(C) Running Cipher
(D) Steganography
Answer : D
NO.195 When you return to your desk after a lunch break, you notice a strange email in your inbox.
The sender is someone you did business with recently, but the subject line has strange characters in it.
What should you do?
(A) Delete the email and pretend nothing happened.
(B) Reply to the sender and ask them for more information about the message contents.
(C) Forward the message to your company’s security response team and permanently delete the message from your computer.
(D) Forward the message to your supervisor and ask for her opinion on how to handle the situation.
Answer : C
NO.196 What technique is used to ensure a buffer overflow will successfully execute the desired code by creating a padding in memory?
(A) NOP sled
(B) Heap spray
(C) Heap sled
(D)
Answer : A
NO.197 StackGuard can use the value of "0" as the canary value even though it is easily guessed by the attacker.
(A) True
(B) False
Answer : A
NO.198 Which type of steganography includes the replication of an image, text, or logo, so that the source of the document can be partially authenticated?
(A) Date stamping
(B) JPEG tagging
(C) Digital watermarking
(D) Time stamping
Answer : C
NO.199 Which of the following is designed to identify malicious attempts to penetrate systems?
(A) Intrusion Detection System
(B) Router
(C) Proxy
(D) Firewall
Answer : A
NO.200 Which method is used where a stego message is sent as information embedded within normal traffic?
(A) Covert channels
(B) Encryption
(C) Hidden directory
(D) Cipher text
Answer : A
NO.201 Which of the following cryptographic attacks refers to the extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture?
(A) Ciphertext-only Attack
(B) Chosen-ciphertext Attack
(C) Adaptive Chosen-plaintext Attack
(D) Rubber Hose Attack
Answer : D
NO.202 In the case of C and C++ languages, there are no automatic bounds checks on buffers.
(A) True
(B) False
Answer : A
NO.203 An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com", that the user is directed to a phishing site.
Which file does the attacker need to modify?
(A) Hosts
(B) Sudoers
(C) Boot.ini
(D) Networks
Answer : A
NO.204 This IDS-defeating technique works by splitting a datagram (or packet) into multiple fragments so that the IDS will not spot the true nature of the fully assembled datagram.
The datagram is not reassembled until it reaches its final destination.
It would be a processor-intensive task for the IDS to reassemble all fragments itself, and on a busy system the packet will slip through the IDS onto the network.
What is this technique called?
(A) IP Routing or Packet Dropping
(B) IDS Spoofing or Session Assembly
(C) IP Fragmentation or Session Splicing
(D) IP Splicing or Packet Reassembly
Answer : C
NO.205 Splint is a source code analyzer that is capable of detecting a ______
(A) XSRF
(B) XSS
(C) Buffer overflow
(D) SQL injection
Answer : C
NO.206 Which of the following languages are the primary targets of cross-site scripting? (Choose two.)
(A) HTML
(B) SQL
(C) XSLT
(D) JavaScript
Answer : A;D
NO.207 Under the "Post-attack Phase and Activities," it is the responsibility of the tester to restore the systems to a pre-test state.
Which of the following activities should not be included in this phase?
I. Removing all files uploaded on the system
II. Cleaning all registry entries
III. Removing all tools and maintaining backdoor for reporting
IV. Mapping of network state
(A) III
(B) III and IV
(C) IV
(D) All should be included
Answer : A
NO.208 The CAM table in a switch stores information such as the MAC addresses available on physical ports with their associated VLAN parameters.
What happens when the CAM table is full?
(A) Additional ARP request traffic will not be forwarded to any port on the switch
(B) The switch will stop functioning and get disconnected from network
(C) Additional ARP request traffic will flood every port on the switch
(D) It does not affect the switch functioning
Answer : C
NO.209 An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ.
The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?
(A) Protocol analyzer
(B) Network sniffer
(C) Intrusion Prevention System (IPS)
(D) Vulnerability scanner
Answer : C
NO.210 You are the Systems Administrator for a large corporate organization. You need to monitor all network traffic on your local network for suspicious activities and receive notifications when an attack is occurring. Which tool would allow you to accomplish this goal?
(A) Firewall
(B) Proxy
(C) Network-based IDS
(D) Host-based IDS
Answer : C
NO.211 Which of the following is a component of a risk assessment?
(A) Administrative safeguards
(B) Logical interface
(C) DMZ
(D) Physical security
Answer : D
NO.212 The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE's Common Vulnerabilities and Exposures (CVE) as CVE-2014-0160.
This bug affects the OpenSSL implementation of the transport layer security (TLS) protocols defined in RFC6520.
What type of key does this bug leave exposed to the Internet making exploitation of any compromised system very easy?
(A) Root
(B) Private
(C) Public
(D) Shared
Answer : B
NO.213 During a security audit of IT processes, an IS auditor found that there were no documented security procedures. What should the IS auditor do?
(A) Terminate the audit
(B) Identify and evaluate existing practices
(C) Create a procedures document
(D) Conduct compliance testing
Answer : B
NO.214 To maintain compliance with regulatory requirements, a security audit of the systems on a network must be performed to determine their compliance with security policies.
Which one of the following tools would most likely be used in such an audit?
(A) Intrusion Detection System
(B) Protocol analyzer
(C) Vulnerability scanner
(D) Port scanner
Answer : C
NO.215 Which of the following bit size images provides the most hiding space for information?
(A) Single bit
(B) 16-bit
(C) 24-bit
(D) 8-bit
Answer : C
NO.216 Steganography can be used for legitimate purposes.
(A) True
(B) False
Answer : A
NO.217 Network Time Protocol (NTP) is designed to synchronize clocks of networked computers.
Which of the following ports does NTP use as its primary means of communication?
(A) UDP port 123
(B) UDP port 113
(C) UDP port 161
(D) UDP port 320
Answer : A
NO.218 As a system administrator, you are responsible for maintaining the website of your company, which deals in online recharge of mobile phone cards. One day, to your surprise, you find the home page of your company's website defaced. What is the reason for the webpage defacement?
(A) Denial of Service attack
(B) Session Hijacking
(C) DNS attack through cache poisoning
(D) Buffer overflow
Answer : C
NO.219 env x=`(){ :;};echo exploit` bash -c 'cat /etc/passwd'
What is the Shellshock bash vulnerability attempting to do on a vulnerable Linux host?
(A) Display passwd content to prompt
(B) Changes all passwords in passwd
(C) Add new user to the passwd file
(D) Removes the passwd file
Answer : A
NO.220 When setting up a wireless network, an administrator enters a pre-shared key for security. Which of the following is true?
(A) The key entered is a symmetric key used to encrypt the wireless data.
(B) The key entered is a hash that is used to prove the integrity of the wireless data.
(C) The key entered is based on the Diffie-Hellman method.
(D) The key is an RSA key used to encrypt the wireless data.
Answer : A
NO.221 Which of the following is considered the best way to protect Personally Identifiable Information (PII) from Web application vulnerabilities?
(A) Use a security token to log into all Web applications that use PII
(B) Use full disk encryption on all hard drives to protect PII
(C) Use encrypted communications protocols to transmit PII
(D) Store all PII in encrypted format
Answer : C
NO.222 Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system.
Which of the following commands can be used in a UNIX environment to enumerate the shared directories on a machine?
(A) showmount
(B) finger
(C) rpcinfo
(D) rpcclient
Answer : A
NO.223 Denial of Service (DoS) is an attack on a computer or network that prevents legitimate use of its resources. In a DoS attack, attackers flood a victim system with non-legitimate service requests or traffic to overload its resources, which prevents it from performing intended tasks.
Which of the following is a symptom of a DoS attack?
(A) Unavailability of a particular website
(B) Decrease in the amount of spam emails received
(C) Automatic increase in network bandwidth
(D) Automatic increase in network performance
Answer : A
NO.224 Password cracking is a technique used to extract a user's password for an application or file without the knowledge of the legitimate user. Which of the password cracking techniques will the attacker use if he/she gets some information about the password to crack?
(A) Denial of Service Attack
(B) Syllable Attack
(C) Rule-based Attack
(D) Distributed Network Attack (DNA)
Answer : C
NO.225 Jesse receives an email with an attachment labeled "Court_Notice_21206.zip". Inside the zip file is a file named "Court_Notice_21206.docx.exe" disguised as a Word document.
Upon execution, a window appears stating, "This word document is corrupt." In the background, the file copies itself to Jesse's APPDATA\local directory and begins to beacon to a C2 server to download additional malicious binaries.
What type of malware has Jesse encountered?
(A) Macro Virus
(B) Trojan
(C) Key-Logger
(D) Worm
Answer : B
NO.226 Using Windows CMD, how would an attacker list all the shares to which the current user context has access?
(A) NET FILE
(B) NET USE
(C) NET VIEW
(D) NET CONFIG
Answer : C
NO.227 Which wireless standard has bandwidth up to 54 Mbps and signals in a regulated frequency spectrum around 5 GHz?
(A) 802.11a
(B) 802.11b
(C) 802.11g
(D) 802.11i
Answer : A
NO.228 Which solution can be used to emulate real services such as ftp, mail, etc., and capture login attempts and related information? They're often used to study hackers' activities.
(A) Honeypot
(B) Layer 4 switch
(C) Core server
(D) Firewall
Answer : A
NO.229 Which of these is present in BOTH Windows and Linux:
(A) Program code
(B) All of these
(C) Stack segment
(D) Heap address space
Answer : B
NO.230 Port scanning can be used as part of a technical assessment to determine network vulnerabilities.
The TCP XMAS scan is used to identify listening ports on the targeted system.
If a scanned port is open, what happens?
(A) The port will ignore the packets
(B) The port will send an RST
(C) The port will send a SYN
(D) The port will send an ACK
Answer : C
NO.231 The color of every 50th pixel in a video file corresponds to a letter in the alphabet. This is an example of steganography.
(A) True
(B) False
Answer : A
NO.232 You have successfully gained access to your client's internal network and successfully compromised a Linux server which is part of the internal IP network.
You want to know which Microsoft Windows workstations have file sharing enabled.
Which port would you see listening on these Windows machines in the network?
(A) 1433
(B) 161
(C) 3389
(D) 445
Answer : D
NO.233 What software can be used to alter an image in steganography?
(A) Photoshop
(B) Firefox
(C) Explorer
(D) S-Tools
Answer : A
NO.234 Identify the web application attack where attackers exploit webpage vulnerabilities to force an unsuspecting user's browser to send malicious requests they did not intend.
The victim holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session, compromising its integrity.
(A) Cross-Site Scripting (XSS)
(B) Cross-Site Request Forgery (CSRF)
(C) LDAP Injection attack
(D) SQL injection attack
Answer : B
NO.235 Steganography noticeably changes the carrier file.
(A) True
(B) False
Answer : B
NO.236 Which of the following defines the role of a root Certificate Authority (CA) in a Public Key Infrastructure (PKI)?
(A) The root CA is the recovery agent used to encrypt data when a user's certificate is lost.
(B) The root CA stores the user's hash value for safekeeping.
(C) The CA is the trusted root that issues certificates.
(D) The root CA is used to encrypt email messages to prevent unintended disclosure of data.
Answer : C
NO.237 Which port scanning technique splits the TCP header into several packets so that packet filters are not able to detect what the packets intend to do?
(A) UDP Scanning
(B) IP Fragment Scanning
(C) Inverse TCP flag scanning
(D) ACK flag scanning
Answer : B
NO.238 Which of the following is the successor of SSL?
(A) IPSec
(B) TLS
(C) GRE
(D) RSA
Answer : B
NO.239 A virus is a self-replicating program that produces its own code by attaching copies of it into other executable codes.
Which of the following viruses evades anti-virus software by intercepting its requests to the operating system?
(A) Stealth/Tunneling virus
(B) Cluster virus
(C) Macro virus
(D) System or boot sector virus
Answer : A
NO.240 The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software.
What item is the primary concern on OWASP's Top Ten Project Most Critical Web Application Security Risks?
(A) Cross Site Scripting
(B) Cross Site Request Forgery
(C) Injection
(D) Path disclosure
Answer : C
NO.241 Nation-state threat actors often discover vulnerabilities and hold on to them until they want to launch a sophisticated attack. Stuxnet attack was an unprecedented style of attack because it used four types of this vulnerability. What is this style of attack called?
(A) zero-sum
(B) zero-day
(C) no-day
(D) zero-hour
Answer : B
NO.242 Consider the attack scenario given below:
Step 1: User browses a web page
Step 2: Web server replies with the requested page and sets a cookie on the user's browser
Step 3: Attacker steals cookie (Sniffing, XSS, phishing attack)
Step 4: Attacker orders a product using the modified cookie
Step 5: Product is delivered to the attacker's address
Identify the web application attack.
(A) Session fixation attack
(B) Unvalidated redirects attack
(C) Cookie poisoning attack
(D) Denial-of-Service (DoS) attack
Answer : C
NO.243 IP spoofing refers to the procedure of an attacker changing his or her IP address so that he or she appears to be someone else.
Which of the following IP spoofing detection techniques succeeds only when the attacker is in a different subnet?
(A) Direct TTL probes technique
(B) IP identification number technique
(C) TCP flow control method
(D) UDP flow control method
Answer : A
NO.244 Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a physical machine address that is recognized in the local network. ARP spoofing involves constructing a large number of forged ARP request and reply packets to overload the:
(A) Switch
(B) Router
(C) Hub
(D) Bridge
Answer : A
NO.245 This kind of malware is installed by criminals on your computer so they can lock it from a remote location. This malware generates a popup window, webpage, or email warning from what looks like an official authority such as the FBI. It explains your computer has been locked because of possible illegal activities and demands payment before you can access your files and programs again. Which term best matches this definition?
(A) Ransomware
(B) Adware
(C) Riskware
(D) Spyware
Answer : A
NO.246 Which of these is a potential carrier file?
(A) All of these
(B) Executable file
(C) Audio file
(D) Image file
Answer : A
NO.247 How does the Address Resolution Protocol (ARP) work?
(A) It sends a request packet to all the network elements, asking for the domain name from a specific IP.
(B) It sends a request packet to all the network elements, asking for the MAC address from a specific IP.
(C) It sends a reply packet for a specific IP, asking for the MAC address.
(D) It sends a reply packet to all the network elements, asking for the MAC address from a specific IP.
Answer : B
NO.248 You need to monitor all traffic on your local network for suspicious activity and receive notifications when an attack is occurring. Which tool would allow you to accomplish this goal?
(A) Host based IDS
(B) Proxy
(C) Network based IDS
(D) Firewall
Answer : C
NO.249 Firewall implementation and design for an enterprise can be a daunting task. Choices made early in the design process can have far-reaching security implications for years to come. Which of the following firewall architecture is designed to host servers that offer public services?
(A) Bastion Host
(B) Screened subnet
(C) Screened host
(D) Screened
Answer : B
NO.250 The program snow is used for:
(A) Password attacks
(B) Spyware
(C) Steganography
(D) Sniffing
Answer : C
NO.251 It is a vulnerability in GNU's bash shell, discovered in September 2014, that gives attackers the ability to run remote commands on a vulnerable system.
The malicious software can take control of an infected machine, launch denial-of-service attacks to disrupt websites, and scan for other vulnerable devices (including routers).
Which of the following vulnerabilities is being described?
(A) Shellbash
(B) Rootshock
(C) Shellshock
(D) Rootshell
Answer : C
NO.252 It is common for buffer overflows to occur in the heap memory space.
An application dynamically allocates heap memory as needed through a function.
This function is called what?
(A) strncopy()
(B) strprint()
(C) strcopy()
(D) malloc()
Answer : D
NO.253 You have successfully compromised a machine on the network and found a server that is alive on the same network.
You tried to ping it but you didn't get any response back. What is happening?
(A) The ARP is disabled on the target server.
(B) ICMP could be disabled on the target server.
(C) TCP/IP doesn't support ICMP.
(D) You need to run the ping command with root privileges.
Answer : B
NO.254 Which of the following programming languages are less vulnerable to buffer overflow attacks? (select 3)
(A) Ruby
(B) C
(C) C++
(D) Assembly
(E) Java
(F) Python
Answer : A;E;F
NO.255 Your computer is infected by an E-mail tracking and spying Trojan. This Trojan infects the computer with a single file - emos.sys
Which step would you perform to detect this type of Trojan?
(A) Scan for suspicious startup programs using msconfig
(B) Scan for suspicious network activities using Wireshark
(C) Scan for suspicious device drivers in c:\windows\system32\drivers
(D) Scan for suspicious open ports using netstat
Answer : C
NO.256 This attack uses social engineering techniques to trick users into accessing a fake Web site and divulging personal information.
Attackers send a legitimate-looking e-mail asking users to update their information on the company's Web site, but the URLs in the e-mail actually point to a false Web site.
(A) Wiresharp attack
(B) Switch and bait attack
(C) Phishing attack
(D) Man-in-the-Middle attack
Answer : C
NO.257 A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much information can be obtained from the firm's public facing web servers.
The engineer decides to start by using netcat to connect to port 80.
The engineer receives this output:

HTTP/1.1 200 OK
Server: Microsoft-IIS/6
Expires: Tue, 17 Jan 2011 01:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369

Which of the following is an example of what the engineer performed?
(A) Cross-site scripting
(B) Banner grabbing
(C) SQL injection
(D) Whois database query
Answer : B
NO.258 Which of the following programs is usually targeted at Microsoft Office products?
(A) Polymorphic virus
(B) Multipart virus
(C) Macro virus
(D) Stealth virus
Answer : C
NO.259 A security analyst is performing an audit on the network to determine if there are any deviations from the security policies in place.
The analyst discovers that a user from the IT department had a dial-out modem installed.
Which security policy must the security analyst check to see if dial-out modems are allowed?
(A) Firewall-management policy
(B) Acceptable-use policy
(C) Remote-access policy
(D) Permissive policy
Answer : C
NO.260 Which statement is TRUE regarding network firewalls preventing Web Application attacks?
(A) Network firewalls can prevent attacks because they can detect malicious HTTP traffic.
(B) Network firewalls cannot prevent attacks because ports 80 and 443 must be opened.
(C) Network firewalls can prevent attacks if they are properly configured.
(D) Network firewalls cannot prevent attacks because they are too complex to configure.
Answer : B
NO.261 A tester is attempting to capture and analyze the traffic on a given network and realizes that the network has several switches.
What could be used to successfully sniff the traffic on this switched network?
(Choose three answers)
(A) ARP spoofing
(B) MAC duplication
(C) MAC flooding
(D) SYN flood
(E) Reverse smurf attack
(F) ARP broadcasting
Answer : A;B;C
NO.262 What type of port scan is represented here?
(A) Stealth Scan
(B) Full Scan
(C) XMAS Scan
(D) FIN Scan
Answer : A
NO.263 Which of the following parameters enables NMAP's operating system detection feature?
(A) NMAP -sV
(B) NMAP -oS
(C) NMAP -sR
(D) NMAP -O
Answer : D
NO.264 There is a WEP encrypted wireless access point (AP) with no clients connected.
In order to crack the WEP key, a fake authentication needs to be performed.
What information is needed when performing fake authentication to an AP?

Choose two answers.
(A) The IP address of the AP
(B) The MAC address of the AP
(C) The SSID of the wireless network
(D) A failed authentication packet
Answer : B;C
NO.265 This tool is widely used for ARP Poisoning attack. Name the tool.
(A) Cain and Able
(B) Beat Infector
(C) Poison Ivy
(D) Webarp Infector
Answer : A
NO.266 What port number is used by LDAP protocol?
(A) 110
(B) 389
(C) 464
(D) 445
Answer : B
NO.267 Which Open Web Application Security Project (OWASP) implements a web application full of known vulnerabilities?
(A) WebBugs
(B) WebGoat
(C) VULN_HTML
(D) WebScarab
Answer : B
NO.268 How can telnet be used to fingerprint a web server?
(A) telnet webserverAddress 80 HEAD / HTTP/1.0
(B) telnet webserverAddress 80 PUT / HTTP/1.0
(C) telnet webserverAddress 80 HEAD / HTTP/2.0
(D) telnet webserverAddress 80 PUT / HTTP/2.0
Answer : A
NO.269 When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing?
(A) At least once a year and after any significant upgrade or modification
(B) At least once every three years or after any significant upgrade or modification
(C) At least twice a year or after any significant upgrade or modification
(D) At least once every two years and after any significant upgrade or modification
Answer : A
NO.270 Which type of scan measures a person's external features through a digital video camera?
(A) Iris scan
(B) Retinal scan
(C) Facial recognition scan
(D) Signature kinetics scan
Answer : C
NO.271 Lee is using Wireshark to log traffic on his network. He notices a number of packets being directed to an internal IP from an outside IP, where the packets are ICMP and their size is around 65,536 bytes.
What is Lee seeing here?
(A) Lee is seeing activity indicative of a Smurf attack.
(B) Most likely, the ICMP packets are being sent in this manner to attempt IP spoofing.
(C) Lee is seeing a Ping of death attack.
(D) This is not unusual traffic, ICMP packets can be of any size.
Answer : C
NO.272 A botnet can be managed through which of the following?
(A) IRC
(B) E-Mail
(C) Linkedin and Facebook
(D) A vulnerable FTP server
Answer : A
NO.273 Charlie is the network administrator for his company. Charlie just received a new Cisco router and wants to test its capabilities out and to see if it might be susceptible to a DoS attack resulting in its locking up.
The IP address of the Cisco switch is 172.16.0.45.
What command can Charlie use to attempt this task?
(A) Charlie can use the command: ping -l 56550 172.16.0.45 -t
(B) Charlie can try using the command: ping 56550 172.16.0.45
(C) By using the command ping 172.16.0.45 Charlie would be able to lock up the router
(D) He could use the command: ping -4 56550 172.16.0.45
Answer : A
NO.274 In the context of password security: a simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is. The brute force method is the most inclusive, though slow. Usually, it tries every possible letter and number combination in its automated exploration. If you were to use both brute force and dictionary methods combined together to have variations of words, what would you call such an attack?
(A) Full Blown Attack
(B) Thorough Attack
(C) Hybrid Attack
(D) BruteDict Attack
Answer : C
NO.275 Which of the following algorithms provides better protection against brute force attacks by using a 160-bit message digest?
(A) MD5
(B) SHA-1
(C) RC4
(D) MD4
Answer : B
NO.276 You are the security administrator of Jaco Banking Systems located in Boston. You are setting up the e-banking website (http://www.ejacobank.com) authentication system. Instead of issuing banking customers a single password, you give them a printed list of 100 unique passwords. Each time the customer needs to log into the e-banking system website, the customer enters the next password on the list. If someone sees them type the password using shoulder surfing, MiTM or keyloggers, then no damage is done because the password will not be accepted a second time. Once the list of 100 passwords is almost finished, the system automatically sends out a new password list by encrypted e-mail to the customer.
You are confident that this security implementation will protect the customer from password abuse.
Two months later, a group of hackers called "HackJihad" found a way to access the one-time password list issued to customers of Jaco Banking Systems. The hackers set up a fake website (http://www.e-jacobank.com) and used phishing attacks to direct ignorant customers to it. The fake website asked users for their e-banking username and password, and the next unused entry from their one-time password sheet. The hackers collected 200 customers' username/passwords this way. They transferred money from the customers' bank accounts to various offshore accounts.
Your decision of password policy implementation has cost the bank USD 925,000 to hackers. You immediately shut down the e-banking website while figuring out the next best security solution.
What effective security solution will you recommend in this case?
(A) Implement a Biometrics based password authentication system. Record the customer's face image to the authentication database
(B) Configure your firewall to block logon attempts of more than three wrong tries
(C) Enable a complex password policy of 20 characters and ask the user to change the password immediately after they logon and do not store password histories
(D) Implement RSA SecureID based authentication system
Answer : D
NO.277 Buffer X in an Accounting application module for Brownies Inc. can contain 200 characters.
The programmer makes an assumption that 200 characters are more than enough.
Because no proper boundary checks were being conducted, Bob decided to insert 400 characters into the 200-character buffer (overflowing the buffer).

Below is the code snippet:

How can you protect/fix the problem of your application as shown above?
(select 2 answers)
(A) Because the counter starts with 0, we would stop when the counter is equal to 200
(B) Because the counter starts with 0, we would stop when the counter is more than 200
(C) Add a separate statement to signify that if we have written less than 200 characters to the buffer, the stack should stop because it cannot hold any more data
(D) Add a separate statement to signify that if we have written 200 characters to the buffer, the stack should stop because it cannot hold any more data
Answer : A;D
NO.278 Bank of Timbuktu is a medium-sized, regional financial institution in Timbuktu.
The bank has deployed a new Internet-accessible Web application recently.
Customers can access their account balances, transfer money between accounts, pay bills and conduct online financial business using a Web browser.
John Stevens is in charge of information security at Bank of Timbuktu.
After one month in production, several customers have complained about the Internet enabled banking application.
Strangely, the account balances of many of the bank's customers had been changed! However, money hadn't been removed from the bank; instead, money was transferred between accounts.
Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries:

What kind of attack did the Hacker attempt to carry out at the bank?
(A) Brute force attack in which the Hacker attempted guessing login ID and password from password cracking tools.
(B) The Hacker attempted Session hijacking, in which the Hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session.
(C) The Hacker used a generator module to pass results to the Web server and exploited Web application CGI vulnerability.
(D) The Hacker first attempted logins with suspected user names, then used SQL Injection to gain access to valid bank login IDs.
Answer : D
NO.279 You have chosen a 22 character word from the dictionary as your password. How long will it take to crack the password by an attacker?
(A) 16 million years
(B) 5 minutes
(C) 23 days
(D) 200 years
Answer : B
NO.280 A security analyst in an insurance company is assigned to test a new web application that will be used by clients to help them choose and apply for an insurance plan.
The analyst discovers that the application is developed in ASP scripting language and it uses MSSQL as a database backend.
The analyst locates the application's search form and introduces the following code in the search input field:

<IMG SRC=vbscript:msgbox("Vulnerable");>

When the analyst submits the form, the browser returns a pop-up window that says "Vulnerable".
Which web applications vulnerability did the analyst discover?
(A) Cross-site request forgery
(B) Command injection
(C) Cross-site scripting
(D) SQL injection
Answer : C
NO.281 How can rainbow tables be defeated?
(A) Password salting
(B) Use of non-dictionary words
(C) All uppercase character passwords
(D) Lockout accounts under brute force password cracking attempts
Answer : A
NO.282 Hampton is the senior security analyst for the city of Columbus in Ohio. His primary responsibility is to ensure that all physical and logical aspects of the city's computer network are secure from all angles. Bill is an IT technician who works with Hampton in the same IT department. Bill's primary responsibility is to keep PCs and servers up to date and to keep track of all the agency laptops that the company owns and lends out to its employees. After Bill set up a wireless network for the agency, Hampton made sure that everything was secure. He instituted encryption, rotating keys, turned off SSID broadcasting, and enabled MAC filtering. According to agency policy, only company laptops are allowed to use the wireless network, so Hampton entered all the MAC addresses for those laptops into the wireless security utility so that only those laptops should be able to access the wireless network.
Hampton does not keep track of all the laptops, but he is pretty certain that the agency only purchases Dell laptops. Hampton is curious about this because he notices Bill working on a Toshiba laptop one day and saw that he was on the Internet. Instead of jumping to conclusions, Hampton decides to talk to Bill's boss and see if they had purchased a Toshiba laptop instead of the usual Dell. Bill's boss said no, so now Hampton is very curious to see how Bill is accessing the Internet. Hampton does site surveys every couple of days, and has yet to see any outside wireless network signals inside the company's building.
How was Bill able to get Internet access without using an agency laptop?
(A) Bill spoofed the MAC address of Dell laptop
(B) Bill connected to a Rogue access point
(C) Toshiba and Dell laptops share the same hardware address
(D) Bill brute forced the Mac address ACLs
Answer : A
NO.283 Employees in a company are no longer able to access Internet web sites on their computers.
The network administrator is able to successfully ping IP address of web servers on the Internet and is able to open web sites by using an IP address in place of the URL.
The administrator runs the nslookup command for www.eccouncil.org and receives an error message stating there is no response from the server.
What should the administrator do next?
(A) Configure the firewall to allow traffic on TCP port 53 and UDP port 53.
(B) Configure the firewall to allow traffic on TCP port 80 and UDP port 443.
(C) Configure the firewall to allow traffic on TCP port 53.
(D) Configure the firewall to allow traffic on TCP port 8080.
Answer : A
NO.284 What type of session hijacking attack is shown in the exhibit?
(A) Session Sniffing Attack
(B) Cross-site scripting Attack
(C) SQL Injection Attack
(D) Token sniffing Attack
Answer : A
NO.285 International Organization for Standardization (ISO) standard 27002 provides guidance for compliance by outlining
(A) guidelines and practices for security controls.
(B) financial soundness and business viability metrics.
(C) standard best practice for configuration management.
(D) contract agreement writing standards.
Answer : A
NO.286 How do employers protect assets with security policies pertaining to employee surveillance activities?
(A) Employers promote monitoring activities of employees as long as the employees demonstrate trustworthiness.
(B) Employers use informal verbal communication channels to explain employee monitoring activities to employees.
(C) Employers use network surveillance to monitor employee email traffic, network access, and to record employee keystrokes.
(D) Employers provide employees written statements that clearly discuss the boundaries of monitoring activities and consequences.
Answer : D
NO.287 One of the most common and best ways of cracking RSA encryption is to derive the two prime numbers that are used in the RSA PKI mathematical process.
If the two numbers p and q are discovered through a _____________ process, then the private key can be derived.
(A) Factorization
(B) Prime Detection
(C) Hashing
(D) Brute-forcing
Answer : A
NO.288 A TCP SYN Flood attack abuses the three-way handshake mechanism.
1. An attacker at system A sends a SYN packet to the victim at system B
2. System B sends a SYN/ACK packet back to system A
3. In a normal three-way handshake, system A should now send an ACK packet to system B; however, system A never sends the ACK packet. System B is left waiting for an ACK packet from system A
This status of system B is called _________________
(A) "half-closed"
(B) "half open"
(C) "full-open"
(D) "xmas-open"
Answer : B
NO.289 You are programming a buffer overflow exploit and you want to create a NOP sled of 200 bytes in the program exploit.c
What is the hexadecimal value of NOP instruction?
(A) 0x60
(B) 0x80
(C) 0x70
(D) 0x90
Answer : D
NO.290 Which type of hacker represents the highest risk to your network?
(A) black hat hackers
(B) grey hat hackers
(C) disgruntled employees
(D) script kiddies
Answer : C
NO.291 An attacker has captured a target file that is encrypted with public key cryptography.
Which of the attacks below is likely to be used to crack the target file?
(A) Timing attack
(B) Replay attack
(C) Memory trade-off attack
(D) Chosen plain-text attack
Answer : D
NO.292 Which NMAP command combination would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection?
(A) NMAP -PN -A -O -sS 192.168.2.0/24
(B) NMAP -P0 -A -O -p1-65535 192.168.0/24
(C) NMAP -P0 -A -sT -p0-65535 192.168.0/16
(D) NMAP -PN -O -sS -p 1-1024 192.168.0/8
Answer : B
NO.293 This type of port scanning technique splits the TCP header across several packets so that packet filters are not able to detect what the packets intend to do.
(A) UDP Scanning
(B) IP Fragment Scanning
(C) Inverse TCP flag scanning
(D) ACK flag scanning
Answer : B
NO.294 Dan is conducting penetration testing and has found a vulnerability in a Web Application which gave him the sessionID token via a cross site scripting vulnerability. Dan wants to replay this token. However, the session ID manager (on the server) checks the originating IP address as well. Dan decides to spoof his IP address in order to replay the session ID.

Why do you think Dan might not be able to get an interactive session?
(A) Dan cannot spoof his IP address over TCP network
(B) The scenario is incorrect as Dan can spoof his IP and get responses
(C) The server will send replies back to the spoofed IP address
(D) Dan can establish an interactive session only if he uses a NAT
Answer : C
NO.295 The SYN flood attack sends TCP connection requests faster than a machine can process them.
- Attacker creates a random source address for each packet
- SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP address
- Victim responds to spoofed IP address, then waits for confirmation that never arrives (timeout wait is about 3 minutes)
- Victim's connection table fills up waiting for replies and ignores new connections
- Legitimate users are ignored and will not be able to access the server

How do you protect your network against SYN Flood attacks?

(A) SYN cookies. Instead of allocating a record, send a SYN-ACK with a carefully constructed sequence number generated as a hash of the client's IP address, port number, and other information. When the client responds with a normal ACK, that special sequence number will be included, which the server then verifies. Thus, the server first allocates memory on the third packet of the handshake, not the first.
(B) RST cookies - The server sends a wrong SYN/ACK back to the client. The client should then generate a RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally
(C) Check the incoming packet's IP address with the SPAM database on the Internet and enable the filter using ACLs at the Firewall
(D) Stack Tweaking. TCP stacks can be tweaked in order to reduce the effect of SYN floods. Reduce the timeout before a stack frees up the memory allocated for a connection
(E) Micro Blocks. Instead of allocating a complete connection, simply allocate a micro record of 16 bytes for the incoming SYN object
Answer : A;B;D;E
NO.296 A circuit level gateway works at which of the following layers of the OSI Model?
(A) Layer 5 - Application
(B) Layer 4 - TCP
(C) Layer 3 - Internet protocol
(D) Layer 2 - Data link
Answer : B
NO.297 When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge).
The destination host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established.
This is referred to as the "TCP three-way handshake."
While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed.
This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK.

How would an attacker exploit this design by launching a TCP SYN attack?
(A) Attacker generates TCP SYN packets with random destination addresses towards a victim host
(B) Attacker floods TCP SYN packets with random source addresses towards a victim host
(C) Attacker generates TCP ACK packets with random source addresses towards a victim host
(D) Attacker generates TCP RST packets with random source addresses towards a victim host
Answer : B
NO.298 Which of the following is used to indicate a single-line comment in structured query language (SQL)?
(A) --
(B) ||
(C) %%
(D) ''
Answer : A
NO.299 What is the best defense against privilege escalation vulnerability?
(A) Patch systems regularly and upgrade interactive login privileges at the system administrator level.
(B) Run administrator and applications on least privileges and use a content registry for tracking.
(C) Run services with least privileged accounts and implement multi-factor authentication and authorization.
(D) Review user roles and administrator privileges for maximum utilization of automation services.
Answer : C
NO.300 An IT security engineer notices that the company's web server is currently being hacked.
What should the engineer do next?
(A) Unplug the network connection on the company's web server.
(B) Determine the origin of the attack and launch a counterattack.
(C) Record as much information as possible from the attack.
(D) Perform a system restart on the company's web server.
Answer : C
NO.301 Consider the following code:

URL: http://www.certified.com/search.pl?text=<script>alert(document.cookie)</script>

If an attacker can trick a victim user into clicking a link like this, and the Web application does not validate input, then the victim's browser will pop up an alert showing the user's current set of cookies. An attacker can do much more damage, including stealing passwords, resetting the user's home page, or redirecting the user to another Web site.

What is the countermeasure against XSS scripting?
(A) Create an IP access list and restrict connections based on port number
(B) Replace "<" and ">" characters with "&lt;" and "&gt;" using server scripts
(C) Disable Javascript in IE and Firefox browsers
(D) Connect to the server using HTTPS protocol instead of HTTP
Answer : B
NO.302 Jimmy, an attacker, knows that he can take advantage of poorly designed input validation routines to create or alter SQL commands to gain access to private data or execute commands in the database.
What technique does Jimmy use to compromise a database?
(A) Jimmy can submit user input that executes an operating system command to compromise a target system
(B) Jimmy can gain control of system to flood the target system with requests, preventing legitimate users from gaining access
(C) Jimmy can utilize an incorrect configuration that leads to access with higher-than expected privilege of the database
(D) Jimmy can utilize this particular database threat that is an SQL injection technique to penetrate a target system
Answer : D
NO.303 Some passwords are stored using specialized encryption algorithms known as hashes.
Why is this an appropriate method?
(A) It is impossible to crack hashed user passwords unless the key used to encrypt them is obtained.
(B) If a user forgets the password, it can be easily retrieved using the hash key stored by administrators.
(C) Hashing is faster compared to more traditional encryption algorithms.
(D) Passwords stored using hashes are non-reversible, making finding the password much more difficult.
Answer : D
NO.304 Which of the following is a detective control?
(A) Smart card authentication
(B) Security policy
(C) Audit trail
(D) Continuity of operations plan
Answer : C
NO.305 If an attacker's computer sends an IPID of 24333 to a zombie (Idle Scanning) computer on a closed port, what will be the response?
(A) The zombie computer will respond with an IPID of 24334.
(B) The zombie computer will respond with an IPID of 24333.
(C) The zombie computer will not send a response.
(D) The zombie computer will respond with an IPID of 24335.
Answer : A
NO.306 Leesa is the senior security analyst for a publicly traded company. The IT department recently rolled out an intranet for company use only with information ranging from training, to holiday schedules, to human resources data. Leesa wants to make sure the site is not accessible from outside and she also wants to ensure the site is Sarbanes-Oxley (SOX) compliant. Leesa goes to a public library as she wants to do some Google searching to verify whether the company's intranet is accessible from outside and has been indexed by Google. Leesa wants to search for a website title of "intranet" with part of the URL containing the word "intranet" and the words "human resources" somewhere in the webpage. What Google search will accomplish this?
(A) related:intranet allinurl:intranet:"human resources"
(B) cache:"human resources" inurl:intranet(SharePoint)
(C) intitle:intranet inurl:intranet+intext:"human resources"
(D) site:"human resources"+intext:intranet intitle:intranet
Answer : C
NO.307 During a penetration test, a tester finds a target that is running MS SQL 2000 with default credentials.
The tester assumes that the service is running with Local System account.
How can this weakness be exploited to access the system?
(A) Using the Metasploit psexec module setting the SA / Admin credential
(B) Invoking the stored procedure xp_shell to spawn a Windows command shell
(C) Invoking the stored procedure cmd_shell to spawn a Windows command shell
(D) Invoking the stored procedure xp_cmdshell to spawn a Windows command shell
Answer : D
NO.308 Joel and her team have been going through tons of garbage, recycled paper, and other rubbish in order to find some information about the target they are attempting to penetrate.
What would you call this type of activity?
(A) Dumpster Diving
(B) Scanning
(C) CI Gathering
(D) Garbage Scooping
Answer : A
NO.309 Stephanie works as senior security analyst for a manufacturing company in Detroit. Stephanie manages network security throughout the organization.
Her colleague Jason told her in confidence that he was able to see confidential corporate information posted on the external website http://www.jeansclothesman.com.
He tries random URLs on the company's website and finds confidential information leaked over the web.
Jason says this happened about a month ago. Stephanie visits the said URLs, but she finds nothing. She is very concerned about this, since someone should be held accountable if there was sensitive information posted on the website.
Where can Stephanie go to see past versions and pages of a website?
(A) She should go to the web page Samspade.org to see web pages that might no longer be on the website
(B) If Stephanie navigates to Search.com; she will see old versions of the company website
(C) Stephanie can go to Archive.org to see past versions of the company website
(D) AddressPast.com would have any web pages that are no longer hosted on the company's website
Answer : C
NO.310 "Testing the network using the same methodologies and tools employed by attackers"

Identify the correct terminology that defines the above statement.
(A) Vulnerability Scanning
(B) Penetration Testing
(C) Security Policy Implementation
(D) Designing Network Security
Answer : B
NO.311 If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization.
How would you prevent such type of attacks?
(A) It is impossible to block these attacks
(B) Hire the people through third-party job agencies who will vet them for you
(C) Conduct thorough background checks before you engage them
(D) Investigate their social networking profiles
Answer : C
NO.312 John is using a special tool on his Linux platform that has a database containing signatures to be able to detect hundreds of vulnerabilities in UNIX, Windows, and commonly used web CGI/ASPX scripts.
Moreover, the database detects DDoS zombies and Trojans as well. What would be the name of this tool?
(A) hping2
(B) nessus
(C) nmap
(D) make
Answer : B
NO.313 You run an nmap port scan on 10.0.0.5 and attempt to gain banner/server information from services running on ports 21, 110 and 123.
Here is the output of your scan results:
Which of the following nmap commands did you run?
(A) nmap -A -sV -p21, 110, 123 10.0.0.5
(B) nmap -F -sV -p21, 110, 123 10.0.0.5
(C) nmap -O -sV -p21, 110, 123 10.0.0.5
(D) nmap -T -sV -p21, 110, 123 10.0.0.5
Answer : C
NO.314 Which of the following can take an arbitrary length of input and produce a message digest output of 160 bit?
(A) SHA-1
(B) MD5
(C) HAVAL
(D) MD4
Answer : A
NO.315 Jason works in the sales and marketing department for a very large advertising agency located in Atlanta. Jason is working on a very important marketing campaign for his company's largest client. Before the project could be completed and implemented, a competing advertising company comes out with the exact same marketing materials and advertising, thus rendering all the work done for Jason's client unusable. Jason is questioned about this and says he has no idea how all the material ended up in the hands of a competitor.
Without any proof, Jason's company cannot do anything except move on. After working on another high profile client for about a month, all the marketing and sales material again ends up in the hands of another competitor and is released to the public before Jason's company can finish the project. Once again, Jason says that he had nothing to do with it and does not know how this could have happened. Jason is given leave with pay until they can figure out what is going on.
Jason's supervisor decides to go through his email and finds a number of emails that were sent to the competitors that ended up with the marketing material. The only items in the emails were attached jpg files, but nothing else. Jason's supervisor opens the picture files, but cannot find anything out of the ordinary with them.
What technique has Jason most likely used?
(A) Stealth Rootkit Technique
(B) ADS Streams Technique
(C) Snow Hiding Technique
(D) Image Steganography Technique
Answer : D
NO.316 Which vital role does the U.S. Computer Security Incident Response Team (CSIRT) provide?
(A) Incident response services to any user, company, government agency, or organization in partnership with the Department of Homeland Security
(B) Maintenance of the nation's Internet infrastructure, builds out new Internet infrastructure, and decommissions old Internet infrastructure
(C) Registration of critical penetration testing for the Department of Homeland Security and public and private sectors
(D) Measurement of key vulnerability assessments on behalf of the Department of Defense (DOD) and State Department, as well as private sectors
Answer : A
NO.317 What command would you type to OS fingerprint a server using the command line?
(A) Option A
(B) Option B
(C) Option C
(D) Option D
Answer : C
NO.318 Which of the following steganography utilities exploits the nature of white space and allows the user to conceal information in these white spaces?
(A) Image Hide
(B) Snow
(C) Gif-It-Up
(D) NiceText
Answer : B
NO.319 What is the IV key size used in WPA2?
(A) 32
(B) 24
(C) 16
(D) 48
(E) 128
Answer : D
NO.320 Which of the following statements correctly define an ICMP Flood Attack? (Select 2 answers)
(A) Bogus ECHO reply packets are flooded on the network spoofing the IP and MAC address
(B) The ICMP packets signal the victim system to reply and the combination of traffic saturates the bandwidth of the victim's network
(C) ECHO packets are flooded on the network saturating the bandwidth of the subnet causing denial of service
(D) A DDoS ICMP flood attack occurs when the zombies send large volumes of ICMP_ECHO_REPLY packets to the victim system.
Answer : B;D
NO.321 What is the correct PCAP filter to capture all TCP traffic going to or from host 192.168.0.125 on port 25?
(A) tcp.src == 25 and ip.host == 192.168.0.125
(B) host 192.168.0.125:25
(C) port 25 and host 192.168.0.125
(D) tcp.port == 25 and ip.host == 192.168.0.125
Answer : D
NO.322 What are the limitations of Vulnerability scanners? (Select 2 answers)
(A) They are often better at detecting well-known vulnerabilities than more esoteric ones
(B) The scanning speed of these scanners is extremely high
(C) It is impossible for any one scanning product to incorporate all known vulnerabilities in a timely manner
(D) The more vulnerabilities detected, the more tests required
(E) They are highly expensive and require per host scan license
Answer : A;C
NO.323 Bob has set up three web servers on Windows Server 2008 IIS 7.0. Bob has followed all the recommendations for securing the operating system and IIS. These servers are going to run numerous e-commerce websites that are projected to bring in thousands of dollars a day. Bob is still concerned about the security of these servers because of the potential for financial loss. Bob has asked his company's firewall administrator to set the firewall to inspect all incoming traffic on ports 80 and 443 to ensure that no malicious data is getting into the network.
Why will this not be possible?
(A) Firewalls cannot inspect traffic coming through port 443
(B) Firewalls can only inspect outbound traffic
(C) Firewalls cannot inspect traffic at all, they can only block or allow certain ports
(D) Firewalls cannot inspect traffic coming through port 80
Answer : C
NO.324 An NMAP scan of a server shows port 69 is open.
What risk could this pose?
(A) Unauthenticated access
(B) Weak SSL version
(C) Cleartext login
(D) Web portal data leak
Answer : A
NO.325 Which of the following does proper basic configuration of snort as a network intrusion detection system require?
(A) Limit the packets captured to the snort configuration file.
(B) Capture every packet on the network segment.
(C) Limit the packets captured to a single segment.
(D) Limit the packets captured to the /var/log/snort directory.
Answer : A
NO.326 In which step of the CEH System Hacking Cycle (SHC) does steganography fit?
(A) Step 1: Enumerate users
(B) Step 2: Crack the password
(C) Step 3: Escalate privileges
(D) Step 4: Execute applications
(E) Step 5: Hide files
(F) Step 6: Cover your tracks
Answer : E
NO.327 Fred is the network administrator for his company. Fred is testing an internal switch.
From an external IP address, Fred wants to try and trick this switch into thinking it already has established a session with his computer.
How can Fred accomplish this?
(A) Fred can accomplish this by sending an IP packet with the RST/SYN bit and the source address of his computer.
(B) He can send an IP packet with the SYN bit and the source address of his computer.
(C) Fred can send an IP packet with the ACK bit set to zero and the source address of the switch.
(D) Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.
Answer : D
NO.328 A majority of attacks come from insiders, people who have direct access to a company's computer system as part of their job function or a business relationship.
Who is considered an insider?
(A) A competitor to the company because they can directly benefit from the publicity generated by making such an attack
(B) Disgruntled employee, customers, suppliers, vendors, business partners, contractors, temps, and consultants
(C) The CEO of the company because he has access to all of the computer systems
(D) A government agency since they know the company's computer system strengths and weaknesses
Answer : B
NO.329 ICMP ping and ping sweeps are used to check for active systems and to check
(A) if ICMP ping traverses a firewall.
(B) the route that the ICMP ping took.
(C) the location of the switchport in relation to the ICMP ping.
(D) the number of hops an ICMP ping takes to reach a destination.
Answer : A
NO.330 What techniques would you use to evade IDS during a Port Scan? (Select 4 answers)
(A) Use fragmented IP packets
(B) Spoof your IP address when launching attacks and sniff responses from the server
(C) Overload the IDS with Junk traffic to mask your scan
(D) Use source routing (if possible)
(E) Connect to proxy servers or compromised Trojaned machines to launch attacks
Answer : A;B;D;E
NO.331 What do you call a pre-computed hash?
(A) Sun tables
(B) Apple tables
(C) Rainbow tables
(D) Moon tables
Answer : C
NO.332 TCP/IP Session Hijacking is carried out in which OSI layer?
(A) Datalink layer
(B) Transport layer
(C) Network layer
(D) Physical layer
Answer : B
NO.333 Hayden is the network security administrator for her company, a large finance firm based in Miami.
Hayden just returned from a security conference in Las Vegas where they talked about all kinds of old and new security threats, many of which she did not know of.
Hayden is worried about the current security state of her company's network, so she decides to start scanning the network from an external IP address.
To see how some of the hosts on her network react, she sends out SYN packets to an IP range.
A number of IPs respond with a SYN/ACK response.
Before the connection is established she sends RST packets to those hosts to stop the session.
She does this to see how her intrusion detection system will log the traffic.
What type of scan is Hayden attempting here?
(A) Hayden is attempting to find live hosts on her company's network by using an XMAS scan
(B) She is utilizing a SYN scan to find live hosts that are listening on her network
(C) The type of scan, she is using is called a NULL scan
(D) Hayden is using a half-open scan to find live hosts on her network
Answer : D
NO.334 When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following?
(A) Drops the packet and moves on to the next one
(B) Continues to evaluate the packet until all rules are checked
(C) Stops checking rules, sends an alert, and lets the packet continue
(D) Blocks the connection with the source IP address in the packet
Answer : B
NO.335 Ursula is a college student at a University in Amsterdam. Ursula originally went to college to study engineering but later changed to marine biology after spending a month at sea with her friends. These friends frequently go out to sea to follow and harass fishing fleets that illegally fish in foreign waters. Ursula eventually wants to put companies practicing illegal fishing out of business. Ursula decides to hack into the parent company's computers and destroy critical data knowing fully well that, if caught, she probably would be sent to jail for a very long time. What would Ursula be considered?
(A) Ursula would be considered a gray hat since she is performing an act against illegal activities.
(B) She would be considered a suicide hacker.
(C) She would be called a cracker.
(D) Ursula would be considered a black hat.
Answer : B
NO.336 John is the network administrator of XSECURITY systems.
His network was recently compromised.
He analyzes the log files to investigate the attack.
Take a look at the following Linux log file snippet.
The hacker compromised and "owned" a Linux machine.
What is the hacker trying to accomplish here?
(A) The hacker is attempting to compromise more machines on the network
(B) The hacker is planting a rootkit
(C) The hacker is running a buffer overflow exploit to lock down the system
(D) The hacker is trying to cover his tracks
Answer : D
NO.337 Bob was frustrated with his competitor, Brownies Inc., and decided to launch an attack that would result in serious financial losses.
He planned the attack carefully and carried out the attack at the appropriate moment.
Meanwhile, Trent, an administrator at Brownies Inc., realized that their main financial transaction server had been attacked.
As a result of the attack, the server crashed and Trent needed to reboot the system, as no one was able to access the resources of the company.
This process involves human interaction to fix it.
What kind of Denial of Service attack was best illustrated in the scenario above?
(A) Simple DDoS attack
(B) DoS attacks that involve flooding a network or system
(C) DoS attacks that involve crashing a network or system
(D) DoS attacks that are done accidentally or deliberately
Answer : C
NO.338 How do you defend against Privilege Escalation?
(A) Use encryption to protect sensitive data
(B) Restrict the interactive logon privileges
(C) Run services as unprivileged accounts
(D) Allow security settings of IE to zero or Low
(E) Run users and applications on the least privileges
Answer : A;B;C;E
NO.339 Which of the following open source tools would be the best choice to scan a network for potential targets?
(A) NMAP
(B) NIKTO
(C) CAIN
(D) John the Ripper
Answer : A
NO.340 In TCP communications there are 8 flags; FIN, SYN, RST, PSH, ACK, URG, ECE, CWR. These flags have decimal numbers assigned to them:
FIN = 1
SYN = 2
RST = 4
PSH = 8
ACK = 16
URG = 32
ECE = 64
CWR = 128

Jason is the security administrator of ASPEN Communications. He analyzes some traffic using Wireshark and has enabled the following filters.
What is Jason trying to accomplish here?
(A) SYN, FIN, URG and PSH
(B) SYN, SYN/ACK, ACK
(C) RST, PSH/URG, FIN
(D) ACK, ACK, SYN, URG
Answer : B
NO.341 An attacker uses a communication channel within an operating system that is neither designed nor intended to transfer information.
What is the name of the communications channel?
(A) Classified
(B) Overt
(C) Encrypted
(D) Covert
Answer : D
NO.342 While checking the settings on the internet browser, a technician finds that the proxy server settings have been checked and a computer is trying to use itself as a proxy server.
What specific octet within the subnet does the technician see?
(A) 10.10.10.10
(B) 127.0.0.1
(C) 192.168.1.1
(D) 192.168.168.168
Answer : B
NO.343 Syslog is a standard for logging program messages. It separates the software that generates messages from the system that stores them and from the software that reports on and analyzes them. It also gives devices that would otherwise be unable to communicate a means to notify administrators of problems or performance.
What default port does the Syslog daemon listen on?
(A) 242
(B) 312
(C) 416
(D) 514
Answer : D
NO.344 While performing a ping sweep of a local subnet you receive an ICMP reply of Type 3/Code 13 (communication administratively prohibited) for all the pings you have sent out. What is the most likely cause of this?
(A) The firewall is dropping the packets
(B) An in-line IDS is dropping the packets
(C) A router is blocking ICMP
(D) The host does not respond to ICMP packets
Answer : C
NO.345 A company has publicly hosted web applications and an internal Intranet protected by a firewall.
Which technique will help protect against enumeration?
(A) Reject all invalid email received via SMTP.
(B) Allow full DNS zone transfers.
(C) Remove A records for internal hosts.
(D) Enable null session pipes.
Answer : C
NO.346 What type of Virus is shown here?
(A) Macro Virus
(B) Cavity Virus
(C) Boot Sector Virus
(D) Metamorphic Virus
(E) Sparse Infector Virus
Answer : B
NO.347 Which of the following is a protocol that is prone to a man-in-the-middle (MITM) attack and maps a 32-bit address to a 48-bit address?
(A) ICPM
(B) ARP
(C) RARP
(D) ICMP
Answer : B
NO.348 What type of Trojan is this?
(A) RAT Trojan
(B) E-Mail Trojan
(C) Defacement Trojan
(D) Destructing Trojan
(E) Denial of Service Trojan
Answer : C
NO.349 SOAP services use which technology to format information?
(A) SATA
(B) PCI
(C) XML
(D) ISDN
Answer : C
NO.350 Which of the following is a component of a risk assessment?
(A) Physical security
(B) Administrative safeguards
(C) DMZ
(D) Logical interface
Answer : B
NO.351 An attacker has been successfully modifying the purchase price of items purchased on the company's web site.
The security administrators verify that the web server and Oracle database have not been compromised directly.
They have also checked the Intrusion Detection System (IDS) logs and found no attacks that could have caused this.
What is the most likely way the attacker has been able to modify the purchase price?
(A) By using SQL injection
(B) By changing hidden form values
(C) By using cross site scripting
(D) By utilizing a buffer overflow attack
Answer : B
NO.352 You ping a target IP to check if the host is up.
You do not get a response.
You suspect ICMP is blocked at the firewall.
Next you use hping2 tool to ping the target host and you get a response.
Why does the host respond to hping2 and not ping packet?
(A) Ping packets cannot bypass firewalls
(B) You must use ping 10.2.3.4 switch
(C) Hping2 uses stealth TCP packets to connect
(D) Hping2 uses TCP instead of ICMP by default
Answer : D
NO.353 What statement is true regarding LM hashes?
(A) LM hashes consist in 48 hexadecimal characters.
(B) LM hashes are based on AES128 cryptographic standard.
(C) Uppercase characters in the password are converted to lowercase.
(D) LM hashes are not generated when the password length exceeds 15 characters.
Answer : D
NO.354 An organization hires a tester to do a wireless penetration test.
Previous reports indicate that the last test did not contain management or control packets in the submitted traces.
Which of the following is the most likely reason for lack of management or control packets?
(A) The wireless card was not turned on.
(B) The wrong network card drivers were in use by Wireshark.
(C) On Linux and Mac OS X, only 802.11 headers are received in promiscuous mode.
(D) Certain operating systems and adapters do not collect the management or control packets.
Answer : D
NO.355 On a Linux device, which of the following commands will start the Nessus client in the background so that the Nessus server can be configured?
(A) nessus +
(B) nessus *s
(C) nessus &
(D) nessus -d
Answer : C
NO.356 A security engineer is attempting to map a company's internal network. The engineer enters in the following NMAP command.

NMAP -n -sS -P0 -p 80 ***.***.**.**

What type of scan is this?
(A) Quick scan
(B) Intense scan
(C) Stealth scan
(D) Comprehensive scan
Answer : C
NO.357 Which Steganography technique uses Whitespace to hide secret messages?
(A) snow
(B) beetle
(C) magnet
(D) cat
Answer : A
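Added worked example for NO.357, not part of the exam dump and not the snow tool's own format: a minimal whitespace steganography scheme. Each secret byte is appended to one line of cover text as eight trailing characters, a space for a 0 bit and a tab for a 1 bit, so the visible text is unchanged. The cover text, the secret and the crude detector are constructed for illustration.

```python
# Added example (not from the exam dump, not snow's format): whitespace
# steganography in the spirit of NO.357. One secret byte per line, encoded as
# eight trailing space/tab characters (space = 0, tab = 1).

def hide(cover, secret):
    """Return cover text with `secret` encoded in the trailing whitespace of its lines."""
    payload = secret.encode("utf-8")
    lines = cover.split("\n")
    if len(payload) > len(lines):
        raise ValueError("cover text needs at least %d lines" % len(payload))
    out = []
    for i, line in enumerate(lines):
        line = line.rstrip(" \t")            # drop any existing trailing whitespace
        if i < len(payload):
            bits = format(payload[i], "08b")
            line += "".join("\t" if b == "1" else " " for b in bits)
        out.append(line)
    return "\n".join(out)


def _trailer(line):
    """The run of trailing spaces/tabs on a line (empty if none)."""
    return line[len(line.rstrip(" \t")):]


def reveal(stego):
    """Recover the secret: every line with an 8-character trailer carries one byte."""
    data = bytearray()
    for line in stego.split("\n"):
        t = _trailer(line)
        if len(t) == 8:
            data.append(int("".join("1" if c == "\t" else "0" for c in t), 2))
    return data.decode("utf-8")


def suspicious_lines(text):
    """Crude detector: lines whose trailing whitespace run is exactly 8 characters."""
    return sum(1 for line in text.split("\n") if len(_trailer(line)) == 8)


# Constructed cover text; any multi-line text with enough lines would do.
COVER = "Meeting notes\nAgenda item one\nAgenda item two\nAgenda item three\nAction items"

if __name__ == "__main__":
    stego = hide(COVER, "hi!")
    print(repr(stego))
    print(reveal(stego), suspicious_lines(stego))
```

The detector is deliberately naive: any editor that strips trailing whitespace destroys the payload, and a line that legitimately ends in exactly eight spaces or tabs would be misread as a data byte, which is why real tools add framing and checksums around the bits.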
NO.358 Harold just got home from working at Henderson LLC where he works as an IT technician.
He was able to get off early because they were not too busy.
When he walks into his home office, he notices his teenage daughter on the computer, apparently chatting with someone online.
As soon as she hears Harold enter the room, she closes all her windows and tries to act like she was playing a game.
When Harold asks her what she was doing, she acts very nervous and does not give him a straight answer.
Harold is very concerned because he does not want his daughter to fall victim to online predators and the sort.
Harold doesn't necessarily want to install any programs that will restrict the sites his daughter goes to, because he doesn't want to alert her to his trying to figure out what she is doing.
Harold wants to use some kind of program that will track her activities online, and send Harold an email of her activity once a day so he can see what she has been up to.
What kind of software could Harold use to accomplish this?
(A) Install hardware Keylogger on her computer
(B) Install screen capturing Spyware on her computer
(C) Enable Remote Desktop on her computer
(D) Install VNC on her computer
Answer : B
NO.359 Which of the following represent weak password?
(Select 2 answers)
(A) Passwords that contain letters, special characters, and numbers. Example: ap1$%##f@52
(B) Passwords that contain only numbers. Example: 23698217
(C) Passwords that contain only special characters. Example: &*#@!(%)
(D) Passwords that contain letters and numbers. Example: meerdfget123
(E) Passwords that contain only letters. Example: QWERTYKLRTY
(F) Passwords that contain only special characters and numbers. Example: 123@$45
(G) Passwords that contain only letters and special characters. Example: bob@&ba
Answer : B;E
NO.360 A hacker, who posed as a heating and air conditioning specialist, was able to install a sniffer program in a switched environment network.
Which attack could the hacker use to sniff all of the packets in the network?
(A) Fraggle
(B) MAC Flood
(C) Smurf
(D) Tear Drop
Answer : B
NO.361 When writing shellcodes, you must avoid ____________ because these will end the string.
(A) Root bytes
(B) Null bytes
(C) Char bytes
(D) Unicode bytes
Answer : B
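Added worked example for NO.361, not part of the exam dump: the check a practitioner runs on shellcode before delivering it through a C string copy, which stops at the first 0x00. The two x86 opcode sequences are standard encodings of the same operation; the single-byte XOR encoder is a simplified version of the technique real encoders use to remove bad characters (the runtime decoder stub that would prefix the encoded payload is not shown).

```python
# Added example (not from the exam dump): the null-byte check behind NO.361 and
# a simplified single-byte XOR encoder for removing bad characters.

BAD_CHARS = b"\x00"                         # extend as needed, e.g. b"\x00\x0a\x0d"

# Two ways to zero EAX on x86: the immediate form carries four null bytes,
# the register form carries none. Both are standard, well-known encodings.
MOV_EAX_0 = bytes.fromhex("b800000000")     # mov eax, 0
XOR_EAX_EAX = bytes.fromhex("31c0")         # xor eax, eax


def find_bad_chars(code, bad=BAD_CHARS):
    """Offsets in `code` where a forbidden byte occurs (empty list = clean)."""
    return [i for i, b in enumerate(code) if b in bad]


def pick_xor_key(code, bad=BAD_CHARS):
    """Single-byte key such that neither the key nor any encoded byte is bad.

    Returns None when no such key exists (e.g. the code already contains every
    byte value, so some byte always XORs to zero).
    """
    for key in range(1, 256):
        if key in bad:
            continue
        if all((b ^ key) not in bad for b in code):
            return key
    return None


def xor_encode(code, key):
    """Symmetric: applying it twice with the same key restores the original."""
    return bytes(b ^ key for b in code)


if __name__ == "__main__":
    print("mov eax,0 bad offsets:", find_bad_chars(MOV_EAX_0))
    print("xor eax,eax bad offsets:", find_bad_chars(XOR_EAX_EAX))
    key = pick_xor_key(MOV_EAX_0)
    print("key 0x%02x ->" % key, xor_encode(MOV_EAX_0, key).hex())
```

The preferred fix is always the first one shown, rewriting the instruction so the encoding is null-free; encoding is the fallback when the bytes cannot be changed, and it costs a decoder stub that itself must be free of the same bad characters.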
NO.362 How do you defend against MAC attacks on a switch?
(A) Disable SPAN port on the switch
(B) Enable SNMP Trap on the switch
(C) Configure IP security on the switch
(D) Enable Port Security on the switch
Answer : D
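Added worked example for NO.360 and NO.362, not part of the exam dump: a toy learning switch with a bounded CAM table. It shows why the MAC flooding attack of NO.360 lets a sniffer on a switched network receive other hosts' unicast traffic, and how the per-port MAC limit of NO.362 (port security) stops it. Port numbers, MAC addresses and table sizes are constructed; the eviction rule is a simplification of how a real CAM table behaves under pressure.

```python
# Added example (not from the exam dump): CAM table overflow (NO.360) and the
# port-security defence (NO.362) on a simulated learning switch.
from collections import OrderedDict


class Switch:
    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_size = cam_size                     # CAM table capacity (entries)
        self.cam = OrderedDict()                     # MAC -> port, oldest entry first
        self.max_macs = max_macs_per_port            # port security limit, None = off
        self.seen = {p: set() for p in self.ports}   # distinct source MACs per port
        self.err_disabled = set()                    # ports shut down by port security

    def forward(self, in_port, src, dst):
        """Process one frame; return the list of ports it is delivered to."""
        if in_port in self.err_disabled:
            return []
        # Port security: too many distinct source MACs on one port -> err-disable it.
        if self.max_macs is not None:
            self.seen[in_port].add(src)
            if len(self.seen[in_port]) > self.max_macs:
                self.err_disabled.add(in_port)
                return []
        # Learn the source address. When the table is full the oldest entry is
        # dropped, so a flood of bogus sources pushes the real hosts out.
        if src in self.cam:
            self.cam.move_to_end(src)
        self.cam[src] = in_port
        if len(self.cam) > self.cam_size:
            self.cam.popitem(last=False)
        # Known destination -> that port only; unknown -> flood every other port.
        out = self.cam.get(dst)
        if out is None or out == in_port:
            return [p for p in self.ports if p != in_port]
        return [out]


def attacker_sees_unicast(port_security_limit=None, flood_frames=50):
    """Host A (port 1) talks to host B (port 2); an attacker sniffs on port 3.

    Returns True if A's unicast frame to B ends up delivered to port 3.
    """
    sw = Switch(ports=[1, 2, 3], cam_size=8, max_macs_per_port=port_security_limit)
    sw.forward(1, "00:0a:00:00:00:01", "00:0b:00:00:00:02")    # A -> B
    sw.forward(2, "00:0b:00:00:00:02", "00:0a:00:00:00:01")    # B -> A
    # macof-style flood: every frame carries a fresh, bogus source MAC.
    for i in range(flood_frames):
        bogus = "de:ad:be:ef:%02x:%02x" % (i // 256, i % 256)
        sw.forward(3, bogus, "ff:ff:ff:ff:ff:ff")
    return 3 in sw.forward(1, "00:0a:00:00:00:01", "00:0b:00:00:00:02")


if __name__ == "__main__":
    print("no flood:          ", attacker_sees_unicast(flood_frames=0))
    print("flood, no defence: ", attacker_sees_unicast())
    print("flood, port-sec=1: ", attacker_sees_unicast(port_security_limit=1))
```

Once the real hosts have been evicted, every frame to them is unknown-unicast and gets flooded to all ports, which is what turns the switch into a hub for the attacker. With a limit of one MAC per access port the second bogus source trips the violation and the attacker's port is shut down before the table fills.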
NO.363 What is a successful method for protecting a router from potential smurf attacks?
(A) Placing the router in broadcast mode
(B) Enabling port forwarding on the router
(C) Installing the router outside of the network's firewall
(D) Disabling the router from accepting broadcast ping messages
Answer : D
NO.364 What sequence of packets is sent during the initial TCP three-way handshake?
(A) SYN, SYN-ACK, ACK
(B) SYN, URG, ACK
(C) SYN, ACK, SYN-ACK
(D) FIN, FIN-ACK, ACK
Answer : A
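Added worked example, not part of the exam dump, tying together the flag values of NO.340, the handshake of NO.364 and the Xmas flag combination from NO.4: it builds and decodes the numeric TCP flags field, produces the matching Wireshark display filter, names an nmap probe type from its flags, and recognises a three-way handshake in a constructed packet list. The sample capture and addresses are constructed.

```python
# Added example (not from the exam dump): TCP flag arithmetic using the decimal
# values of NO.340, the SYN / SYN-ACK / ACK handshake of NO.364 and the flag
# combinations that identify common nmap probes.

# Bit value of each flag in the TCP header's flags field (same table as NO.340).
TCP_FLAGS = {
    "FIN": 1, "SYN": 2, "RST": 4, "PSH": 8,
    "ACK": 16, "URG": 32, "ECE": 64, "CWR": 128,
}

# Flag combinations that identify common probe types.
PROBE_TYPES = {
    0: "Null scan",
    TCP_FLAGS["FIN"]: "FIN scan",
    TCP_FLAGS["SYN"]: "SYN scan",
    TCP_FLAGS["ACK"]: "ACK scan",
    TCP_FLAGS["FIN"] | TCP_FLAGS["PSH"] | TCP_FLAGS["URG"]: "Xmas scan",
}


def flags_to_int(names):
    """OR the listed flag names together into the numeric flags field."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name.upper()]
    return value


def int_to_flags(value):
    """Decode a flags field into the names of the set bits, lowest bit first."""
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def wireshark_filter(names):
    """Display filter matching packets with exactly this flag combination."""
    return "tcp.flags == 0x%03x" % flags_to_int(names)


def classify_probe(value):
    """Name the scan type a single probe packet belongs to, by its flag bits."""
    return PROBE_TYPES.get(value, "other")


def is_three_way_handshake(packets):
    """packets: sequence of (src, dst, flags) tuples in capture order.

    True when the first three are SYN (A->B), SYN/ACK (B->A), ACK (A->B).
    """
    if len(packets) < 3:
        return False
    (s1, d1, f1), (s2, d2, f2), (s3, d3, f3) = packets[:3]
    same_pair = (s1, d1) == (s3, d3) and (s2, d2) == (d1, s1)
    return (same_pair
            and f1 == flags_to_int(["SYN"])
            and f2 == flags_to_int(["SYN", "ACK"])
            and f3 == flags_to_int(["ACK"]))


# Constructed sample capture: a normal handshake followed by an Xmas probe.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.9", 2),     # SYN
    ("10.0.0.9", "10.0.0.5", 18),    # SYN/ACK  (2 + 16)
    ("10.0.0.5", "10.0.0.9", 16),    # ACK
    ("10.0.0.7", "10.0.0.9", 41),    # URG + PSH + FIN (32 + 8 + 1) = Xmas probe
]

if __name__ == "__main__":
    print("handshake:", is_three_way_handshake(SAMPLE_PACKETS))
    for _, _, f in SAMPLE_PACKETS:
        print(f, int_to_flags(f), classify_probe(f))
    print(wireshark_filter(["SYN", "ACK"]))
```

Because the flags field is a bitmask, a filter such as `tcp.flags == 0x012` matches SYN/ACK exactly, while `tcp.flags.syn == 1 && tcp.flags.ack == 0` matches the first packet of any handshake regardless of the other bits.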
NO.365 Identify SQL injection attack from the HTTP requests shown below:
(A) http://www.myserver.c0m/search.asp?lname=smith%27%3bupdate%20usertable%20set%20passwd%3d%27hAx0r%27%3b--%00
(B) http://www.myserver.c0m/script.php?mydata=%3cscript%20src=%22http%3a%2f%2fwww.yourserver.c0m%2fbadscript.js%22%3e%3c%2fscript%3e
(C) http://www.victim.com/example accountnumber=67891&creditamount=999999999
Answer : A
NO.366 Which of the following is a symmetric cryptographic standard?
(A) DSA
(B) PKI
(C) RSA
(D) 3DES
Answer : D
NO.367 When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is
(A) OWASP is for web applications and OSSTMM does not include web applications.
(B) OSSTMM is gray box testing and OWASP is black box testing.
(C) OWASP addresses controls and OSSTMM does not.
(D) OSSTMM addresses controls and OWASP does not.
Answer : D
NO.368 Which of the following programming languages is most vulnerable to buffer overflow attacks?
(A) Perl
(B) C++
(C) Python
(D) Java
Answer : B
NO.369 Pentest results indicate that voice over IP traffic is traversing a network.
Which of the following tools will decode a packet capture and extract the voice conversations?
(A) Cain
(B) John the Ripper
(C) Nikto
(D) Hping
Answer : A
NO.370 Which United States legislation mandates that the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) must sign statements verifying the completeness and accuracy of financial reports?
(A) Sarbanes-Oxley Act (SOX)
(B) Gramm-Leach-Bliley Act (GLBA)
(C) Fair and Accurate Credit Transactions Act (FACTA)
(D) Federal Information Security Management Act (FISMA)
Answer : A
NO.371 Steven the hacker realizes the network administrator of Acme Corporation is using Syskey in Windows 2008 Server to protect his resources in the organization. Syskey independently encrypts the hashes so that physical access to the server, tapes, or ERDs is only the first step to cracking the passwords. Steven must break through the encryption used by Syskey before he can attempt to use brute force or dictionary attacks on the hashes. Steven runs a program called "SysCracker" targeting the Windows 2008 Server machine in an attempt to crack the hash used by Syskey. He needs to configure the encryption level before he can launch the attack. How many bits does Syskey use for encryption?
(A) 40-bit encryption
(B) 128-bit encryption
(C) 256-bit encryption
(D) 64-bit encryption
Answer : B
NO.372 While performing data validation of web content, a security technician is required to restrict malicious input.
Which of the following processes is an efficient way of restricting malicious input?
(A) Validate web content input for query strings.
(B) Validate web content input with scanning tools.
(C) Validate web content input for type, length, and range.
(D) Validate web content input for extraneous queries.
Answer : C
NO.373 The intrusion detection system at a software development company suddenly generates multiple alerts regarding attacks against the company's external webserver, VPN concentrator, and DNS servers.
What should the security team do to determine which alerts to check first?
(A) Investigate based on the maintenance schedule of the affected systems.
(B) Investigate based on the service level agreements of the systems.
(C) Investigate based on the potential effect of the incident.
(D) Investigate based on the order that the alerts arrived in.
Answer : C
NO.374 What type of port scan is shown below?
(A) Idle Scan
(B) FIN Scan
(C) XMAS Scan
(D) Windows Scan
Answer : B
NO.375 Least privilege is a security concept that requires that a user is
(A) limited to those functions required to do the job.
(B) given root or administrative privileges.
(C) trusted to keep all data and access to that data under their sole control.
(D) given privileges equal to everyone else in the department.
Answer : A
NO.376 Which type of scan does NOT open a full TCP connection?
(A) Stealth Scan
(B) XMAS Scan
(C) Null Scan
(D) FIN Scan
Answer : A
NO.377 Anonymizer sites access the Internet on your behalf, protecting your personal information from disclosure.
An anonymizer protects all of your computer's identifying information while it surfs for you, enabling you to remain at least one step removed from the sites you visit.
You can visit Web sites without allowing anyone to gather information on sites visited by you. Services that provide anonymity disable pop-up windows and cookies, and conceal visitor's IP address.
These services typically use a proxy server to process each HTTP request. When the user requests a Web page by clicking a hyperlink or typing a URL into their browser, the service retrieves and displays the information using its own server.
The remote server (where the requested Web page resides) receives information on the anonymous Web surfing service in place of your information.
In which situations would you want to use anonymizer? (Select 3 answers)
(A) Increase your Web browsing bandwidth speed by using Anonymizer
(B) To protect your privacy and Identity on the Internet
(C) To bypass blocking applications that would prevent access to Web sites or parts of sites that you want to visit.
(D) Post negative entries in blogs without revealing your IP identity
Answer : B;C;D
NO.378 Peter extracts the SID list from Windows 2008 Server machine using the hacking tool "SIDExtracter". Here is the output of the SIDs.
From the extracted list identify the user account with System Administrator privileges.
(A) John
(B) Rebecca
(C) Sheela
(D) Shawn
(E) Somia
(F) Chang
(G) Micah
Answer : F
NO.379 A company has five different subnets: 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and 192.168.5.0.
How can NMAP be used to scan these adjacent Class C networks?
(A) NMAP -P 192.168.1-5.
(B) NMAP -P 192.168.0.0/16
(C) NMAP -P 192.168.1.0, 2.0, 3.0, 4.0, 5.0
(D) NMAP -P 192.168.1/17
Answer : A
NO.380 Defense-in-depth is a security strategy in which several protection layers are placed throughout an information system.
It helps to prevent direct attacks against an information system and data because a break in one layer only leads the attacker to the next layer.

(A) True
(B) False
Answer : A
NO.381 Which of the following is the successor of SSL?
(A) GRE
(B) IPSec
(C) RSA
(D) TLS
Answer : D
NO.382 Which of the following programs is usually targeted at Microsoft Office products?
(A) Polymorphic virus
(B) Multipart virus
(C) Macro virus
(D) Stealth virus
Answer : C
NO.383 A hacker is a person who illegally breaks into a system or network without any authorization to destroy or steal sensitive data or to perform other malicious attacks. Black hat hackers are:
(A) Individuals with extraordinary computing skills, resorting to malicious or destructive activities and are also known as crackers
(B) Individuals professing hacker skills and using them for defensive purposes and are also known as security analysts
(C) Individuals who aim to bring down critical infrastructure for a 'cause' and are not worried about facing 30 years in jail for their actions
(D) Individuals who work both offensively and defensively at various times
Answer : A
NO.384 Which of the following Wi-Fi chalking methods refers to drawing symbols in public places to advertise open Wi-Fi networks?
(A) WarWalking
(B) WarFlying
(C) WarChalking
(D) WarDriving
Answer : C
NO.385 In which of the following password protection techniques are random strings of characters added to the password before its hash is calculated?
(A) Keyed Hashing
(B) Key Stretching
(C) Salting
(D) Double Hashing
Answer : C
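Added worked example for NO.385, not part of the exam dump: salting and key stretching with the Python standard library. A random per-record salt makes equal passwords hash differently, which defeats precomputed (rainbow) tables, and PBKDF2's iteration count is the key stretching that slows down every guess. The iteration count is an assumed tunable; the passwords used in the demo are the weak examples from NO.359.

```python
# Added example (not from the exam dump): salted, stretched password hashing as
# described in NO.385, next to the unsalted baseline it replaces.
import hashlib
import hmac
import os

ITERATIONS = 600_000      # assumed default; raise it as hardware gets faster


def unsalted_hash(password):
    """The weak baseline: the same password gives the same digest for every user,
    so one precomputed table cracks all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(16)                       # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: %s" % algo)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    pw = "QWERTYKLRTY"
    print("unsalted, twice :", unsalted_hash(pw) == unsalted_hash(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("salted, twice   :", a == b)
    print("verify          :", verify_password(a, pw), verify_password(a, pw.lower()))
```

Storing the salt and iteration count alongside the digest is what lets the count be raised later: old records keep verifying with the parameters they were created with and can be rehashed at the user's next successful login.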
NO.386 The purpose of a _______is to deny network access to local area networks and other information assets by unauthorized wireless devices.

(A) Wireless Analyzer
(B) Wireless Jammer
(C) Wireless Access Point
(D) Wireless Access Control List
Answer : D
NO.387 When you are collecting information to perform a data analysis, Google commands are very useful to find sensitive information and files.
These files may contain information about passwords, system functions, or documentation.
What command will help you to search files using Google as a search engine?
(A) site:target.com filetype:xls username password email
(B) domain:target.com archieve:xls username password email
(C) inurl:target.com filename:xls username password email
(D) site:target.com file:xls username password email
Answer : A
NO.388 PGP, SSL, and IKE are all examples of which type of cryptography?
(A) Hash Algorithm
(B) Digest
(C) Secret Key
(D) Public Key
Answer : D
NO.389 RSA is a public-key cryptosystem developed by MIT professors Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman in 1977 in an effort to help ensure Internet security.
RSA uses modular arithmetic and elementary number theory to do computations using two very large prime numbers.
Identify the statement which is true for the RC6 algorithm:
(A) Is a variable key-size stream cipher with byte-oriented operations and is based on the use of a random permutation
(B) Includes integer multiplication and the use of four w-bit working registers
(C) Is a parameterized algorithm with a variable block size, key size, and a variable number of rounds
(D) Is a 64-bit block cipher that uses a key length that can vary between 32 and 448 bits
Answer : B
NO.390 An unauthorized individual enters a building following an employee through the employee entrance after the lunch rush.
What type of breach has the individual just performed?
(A) Reverse Social Engineering
(B) Tailgating
(C) Piggybacking
(D) Announced
Answer : B
NO.391 In an internal security audit, the white hat hacker gains control over a user account and attempts to acquire access to another account's confidential files and information. How can he achieve this?
(A) Privilege Escalation
(B) Shoulder-Surfing
(C) Hacking Active Directory
(D) Port Scanning
Answer : A
NO.392 Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system.
Which of the following enumeration techniques does an attacker use to obtain a list of the computers that belong to a domain?
(A) NTP enumeration
(B) SNMP enumeration
(C) NetBIOS enumeration
(D) SMTP enumeration
Answer : C
NO.393 Nmap is a free open source utility, which is designed to rapidly scan large networks.
Identify the Nmap Scan method that is often referred to as half open scan because it does not open a full TCP connection.

(A) ACK Scan
(B) SYN Stealth
(C) Half open
(D) Windows Scan
Answer : B
NO.394 Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a physical machine address that is recognized in the local network.
ARP Spoofing involves constructing a large number of forged ARP request and reply packets to overload:
(A) Switch
(B) Router
(C) Hub
(D) Bridge
Answer : A
NO.395 Jesse receives an email with an attachment labeled "Court_Notice_21206.zip".
Inside the zip file is a file named "Court_Notice_21206.docx.exe", disguised as a Word document.
Upon execution, a window appears stating, "This word document is corrupt".
In the background, the file copies itself to Jesse's APPDATA\local directory and begins to beacon to a C2 server to download additional malicious binaries.
What type of malware has Jesse encountered?
(A) Worm
(B) Macro Virus
(C) Key-Logger
(D) Trojan
Answer : D
NO.396 To browse the Internet anonymously, which of the following is the best choice?
(A) Use SSL sites when entering personal information
(B) Use Tor network with multi-node
(C) Use shared WiFi
(D) Use public VPN
Answer : B
NO.397 In IPv6 what is the major difference concerning application layer vulnerabilities compared to IPv4?
(A) Implementing IPv4 security in a dual-stack network offers protection from IPv6 attacks too.
(B) Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation techniques are almost identical.
(C) Due to the extensive security measures built into IPv6, application layer vulnerabilities need not be addressed.
(D) Vulnerabilities in the application layer are greatly different from IPv4.
Answer : B
NO.398 A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment.
It can constantly read all information entering the computer through the NIC by decoding the information encapsulated in the data packets.
Passive sniffing is one of the types of sniffing.
Passive sniffing refers to:
(A) Sniffing through a switch
(B) Sniffing through a router
(C) Sniffing through a hub
(D) Sniffing through a bridge
Answer : C
NO.399 Which of the following security policies defines the use of VPN for gaining access to an internal corporate network?
(A) Network security policy
(B) Information protection policy
(C) Access control policy
(D) Remote access policy
Answer : D
NO.400 Which of the following antennas is commonly used in communications for a frequency band of 10 MHz to VHF and UHF?
(A) Omnidirectional antenna
(B) Dipole antenna
(C) Yagi antenna
(D) Parabolic grid antenna
Answer : C
NO.401 Denial of Service (DoS) is an attack on a computer or network that prevents legitimate use of its resources.
In a DoS attack, attackers flood a victim system with non-legitimate service requests or traffic to overload its resources, which prevents it from performing intended tasks.
Which of the following is a symptom of a DoS attack?
(A) Automatic increase in network performance
(B) Decrease in the amount of spam emails received
(C) Automatic increase in network bandwidth
(D) Unavailability of a particular website
Answer : D
NO.402 You need a tool that can do network intrusion prevention and intrusion detection, function as a network sniffer, and record network activity.
What tool would you most likely select?
(A) Snort
(B) Nmap
(C) Cain & Abel
(D) Nessus
Answer : A
NO.403 A hacker named Jack is trying to compromise a bank’s computer system.
He needs to know the operating system of that computer to launch further attacks.
What process would help him?
(A) Banner Grabbing
(B) IDLE/IPID Scanning
(C) SSDP Scanning
(D) UDP Scanning
Answer : A
NO.404 A company's Web development team has become aware of a certain type of security vulnerability in their Web software.
To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application.
What kind of Web application vulnerability likely exists in their software?
(A) Cross-site scripting vulnerability
(B) Session management vulnerability 
(C) SQL injection vulnerability
(D) Cross-site Request Forgery vulnerability
Answer : A
NO.405 Which of the following can the administrator do to verify that a tape backup can be recovered in its entirety?
(A) Read the first 512 bytes of the tape
(B) Perform a full restore
(C) Read the last 512 bytes of the tape
(D) Restore a random file
Answer : B
NO.406 Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system.
Which of the following commands can be used in a UNIX environment to enumerate the shared directories on a machine?
(A) showmount
(B) finger
(C) rpcinfo
(D) rpcclient
Answer : A
NO.407 What two conditions must a digital signature meet?
(A) Has to be legible and neat.
(B) Has to be unforgeable, and has to be authentic.
(C) Must be unique and have special characters.
(D) Has to be the same number of characters as a physical signature and must be unique.
Answer : B
NO.408 You are analyzing traffic on the network with Wireshark.
You want to routinely run a cron job which will run the capture against a specific set of IPs: 192.168.8.0/24.
What command would you use?
(A) tshark -net 192.255.255.255 mask 192.168.8.0
(B) wireshark -capture -local -masked 192.168.8.0 -range 24
(C) sudo tshark -f "net 192.168.8.0/24"
(D) wireshark -fetch "192.168.8/*"
Answer : C
NO.409 Jason, a penetration tester, is testing a web application that he knows is vulnerable to SQL injection, but the results of the injection are not visible to him.
He tried the waitfor delay command to check the SQL execution status, which confirmed the presence of the SQL injection vulnerability.
Which type of SQL injection is Jason attempting on the web application?
(A) Simple SQL Injection
(B) Error-based SQL injection
(C) UNION SQL Injection
(D) Blind SQL injection
Answer : D
NO.410 As a system administrator, you are responsible for maintaining the website of your company which deals in online recharge of mobile phone cards.
One day to your surprise, you find the home page of your company's website defaced.
What is the reason for webpage defacement?
(A) Denial of Service attack
(B) Session Hijacking
(C) DNS attack through cache poisoning
(D) Buffer overflow
Answer : C
NO.411 During a black-box pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host.
The traffic gets blocked; however, outbound HTTP traffic is unimpeded.
What type of firewall is inspecting outbound traffic?
(A) Circuit
(B) Stateful
(C) Application
(D) Packet Filtering
Answer : C
NO.412 Lawful intercept is a process that enables a Law Enforcement Agency (LEA) to perform electronic surveillance on a target as authorized by a judicial or administrative order.
Which of the following statements is true for lawful intercept?
(A) Affects the subscriber's services on the router
(B) Hides information about lawful intercepts from all but the most privileged users
(C) Does not allow multiple LEAs to run a lawful intercept on the same target without each other's knowledge
(D) Allows wiretaps only for outgoing communication
(E) Alters the traffic
Answer : B
NO.413 Which command can be used to show the current TCP/IP connections?
(A) Netsh
(B) Net use connection
(C) Netstat
(D) Net use
Answer : C
NO.414 A company’s security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating.
What sort of security breach is this policy attempting to mitigate?
(A) Attempts by attackers to access the user and password information stored in the company’s SQL database.
(B) Attempts by attackers to access Web sites that trust the Web browser user by stealing the user’s authentication credentials.
(C) Attempts by attackers to access password stored on the user’s computer without the user’s knowledge.
(D) Attempts by attackers to determine the user’s Web browser usage patterns, including when sites were visited and for how long.
Answer : B
NO.415 The following is part of a log file taken from the machine on the network with the IP address of 192.168.0.110.

What type of activity has been logged?
(A) Teardrop attack targeting 192.168.0.110
(B) Denial of service attack targeting 192.168.0.105
(C) Port scan targeting 192.168.0.110
(D) Port scan targeting 192.168.0.105
Answer : C
NO.416 You are the network admin, and you get a complaint that some websites are no longer accessible.
You ping the servers and find them reachable.
You then enter a server's IP address in the browser and find the site accessible.
But the sites are not accessible when you use their URLs.
What may be the problem?
(A) Traffic is Blocked on TCP Port 53
(B) Traffic is Blocked on TCP Port 80
(C) Traffic is Blocked on UDP Port 54
(D) Traffic is Blocked on UDP Port 80
Answer : A
NO.417 While using your bank's online service you notice the following string in the URL bar: "http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980&Camount=21"
You observe that if you modify the Damount and Camount values and submit the request, the data on the web page reflects the changes.

Which type of vulnerability is present on this site?
(A) Cookie Tampering
(B) SQL Injection
(C) Web Parameter Tampering
(D) XSS Reflection
Answer : C
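Added worked example for NO.351 and NO.417, not part of the exam dump: the price-tampering pattern in code. `order_total_vulnerable` trusts a hidden form field the browser sends back; `order_total_safe` looks the price up server-side and only accepts the quantity. For values that genuinely must round-trip through the client, `sign_field`/`verify_field` bind them with an HMAC so any edit to the Damount-style parameter is detected. The catalogue, key and form values are constructed.

```python
# Added example (not from the exam dump): hidden-field / parameter tampering
# (NO.351, NO.417), the server-side lookup that removes it, and HMAC-bound
# fields for values that must travel through the client.
import hashlib
import hmac

CATALOG = {"sku-100": 1099, "sku-200": 4999}   # price in cents, server-side truth


def order_total_vulnerable(form):
    """The bug: uses the price the browser sent back in a hidden field."""
    return int(form["price"]) * int(form["qty"])


def order_total_safe(form):
    """Ignores any client-supplied price; only the quantity comes from the form."""
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("quantity must be positive")
    return CATALOG[form["sku"]] * qty


def sign_field(key, name, value):
    """Tag that binds `name=value` to this server's secret key."""
    msg = ("%s=%s" % (name, value)).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_field(key, name, value, tag):
    """Constant-time check that the client returned the value the server issued."""
    return hmac.compare_digest(sign_field(key, name, value), tag)


if __name__ == "__main__":
    # Constructed request: the client has edited the hidden price down to 1 cent.
    form = {"sku": "sku-100", "price": "1", "qty": "3"}
    print("vulnerable total:", order_total_vulnerable(form))
    print("safe total      :", order_total_safe(form))

    key = b"constructed-server-secret"
    tag = sign_field(key, "Damount", "10980")
    print("intact  :", verify_field(key, "Damount", "10980", tag))
    print("tampered:", verify_field(key, "Damount", "99999", tag))
```

Signing a field detects tampering but does not hide the value and does not stop replay of an old signed value; where the value is authoritative, the server-side lookup is the right fix and the signature is only for state that cannot live on the server.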
NO.418 You are a security officer of a company.
You receive an alert from the IDS indicating that one PC on your intranet is connected to a blacklisted IP address (a C2 server) on the Internet.
The IP address was blacklisted just before the alert.
You are starting an investigation to roughly analyze the severity of the situation.
Which of the following is appropriate to analyze?
(A) Event logs on the PC
(B) Internet Firewall/Proxy log
(C) IDS log
(D) Event logs on domain controller
Answer : B
NO.419 Which of the following programs infects the system boot sector and the executable files at the same time?
(A) Stealth virus
(B) Polymorphic virus
(C) Macro virus
(D) Multipartite Virus
Answer : D
NO.420 Firewalls are software or hardware systems that control and monitor the traffic coming into and out of the target network based on a pre-defined set of rules.
Which of the following types of firewalls can protect against SQL injection attacks?
(A) Data-driven firewall
(B) Stateful firewall
(C) Packet firewall
(D) Web application firewall
Answer : D
NO.421 It is an entity or event with the potential to adversely impact a system through unauthorized access, destruction, disclosure, denial of service or modification of data.
Which of the following terms best matches the definition?
(A) Attack
(B) Vulnerability
(C) Threat
(D) Risk
Answer : C
NO.422 You are looking for SQL injection vulnerability by sending a special character to web applications.
Which of the following is the most useful for quick validation?
(A) Double quotation
(B) Backslash
(C) Semicolon
(D) Single quotation
Answer : D
NO.423 A penetration test was done at a company.
After the test, a report was written and given to the company’s IT authorities.
A section from the report is shown below:

- Access lists should be written between VLANs.
- Port security should be enabled for the intranet.
- A security solution which filters data packets should be set between the intranet (LAN) and DMZ.
- A WAF should be used in front of the web applications.

According to the section from the report, which of the following choice is true?
(A) A stateful firewall can be used between intranet (LAN) and DMZ.
(B) There is access control policy between VLANs.
(C) MAC Spoof attacks cannot be performed.
(D) Possibility of SQL Injection attack is eliminated.
Answer : A
NO.424 When you return to your desk after a lunch break, you notice a strange email in your inbox.
The sender is someone you did business with recently, but the subject line has strange characters in it.
What should you do?
(A) Forward the message to your company’s security response team and permanently delete the message from your computer.
(B) Reply to the sender and ask them for more information about the message contents.
(C) Delete the email and pretend nothing happened.
(D) Forward the message to your supervisor and ask for her opinion on how to handle the situation.
Answer : A
NO.425 Wi-Fi Protected Access (WPA) is a data encryption method for WLANs based on 802.11 standards.
It improves on the authentication and encryption features of WEP (Wired Equivalent Privacy).
Temporal Key Integrity Protocol (TKIP) enhances WEP by adding a rekeying mechanism to provide fresh encryption and integrity keys.
Temporal keys are changed for every ___________.

(A) 1,000 packets
(B) 5,000 packets
(C) 10,000 packets
(D) 15,000 packets
Answer : C
NO.426 You have successfully comprised a server having an IP address of 10.10.0.5.
You would like to enumerate all machines in the same network quickly.
What is the best nmap command you will use?
(A) nmap -T4 -q 10.10.0.0/24
(B) nmap -T4 -F 10.10.0.0/24
(C) nmap -T4 -r 10.10.1.0/24
(D) nmap -T4 -O 10.10.0.0/24
Answer : B
NO.427 Which of the following is a component of a risk assessment?
(A) Administrative safeguards
(B) Physical security
(C) Logical interface
(D) DMZ
Answer : A
NO.428 Which of the following scans only works if the operating system's TCP/IP implementation is based on RFC 793?
(A) NULL scan
(B) IDLE scan
(C) TCP connect scan
(D) Maintaining Access
(E) FTP bounce scan
Answer : A
NO.429 You have invested millions of dollars for protecting your corporate network.
You have the best IDS, firewall with strict rules and routers with no configuration errors.
Which of the following techniques practiced by an attacker exploits human behavior to make your network vulnerable to attacks?
(A) Denial of Service
(B) Buffer overflow
(C) Social Engineering
(D) SQL injection
Answer : C
NO.430 Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met.
Identify the virus that modifies the directory table entries so that directory entries point to the virus code instead of the actual program.

(A) Macro Viruses
(B) Cluster Viruses
(C) Encryption Viruses
(D) Boot Sector Viruses
Answer : B
NO.431 Which utility will tell you in real time which ports are listening or in another state?
(A) Netview
(B) Loki
(C) Nmap
(D) TCPView
Answer : D
NO.432 An LDAP directory can be used to store information similar to a SQL database.
LDAP uses a ____ database structure instead of SQL’s ______ structure.
Because of this, LDAP has difficulty representing many-to-one relationships.

(A) Strict, Abstract
(B) Simple, Complex
(C) Relational, Hierarchical
(D) Hierarchical, Relational
Answer : D
NO.433 IP spoofing refers to the procedure of an attacker changing his or her IP address so that he or she appears to be someone else.
Which of the following IP spoofing detection techniques succeeds only when the attacker is in a different subnet?
(A) Direct TTL probes technique
(B) IP identification number technique
(C) TCP flow control method
(D) UDP flow control method
Answer : A
NO.434 Bob, your senior colleague, has sent you a mail regarding a deal with one of the clients.
You are requested to accept the offer and you oblige.
After 2 days, Bob denies that he had ever sent a mail.
What do you want to “know” to prove to yourself that it was Bob who had sent the mail?
(A) Confidentiality
(B) Integrity
(C) Non-Repudiation
(D) Authentication
Answer : C
NO.435 Attackers craft malicious probe packets and scan for services such as HTTP over SSL (HTTPS), SMTP over SSL (SMTPS) and IMAP over SSL (IMAPS) to detect honeypots in a network.
Which of the following conditions shows the presence of a honeypot?
(A) Ports show a particular service running but deny a three-way handshake connection
(B) Ports show a particular service running and allow a three-way handshake connection
(C) Ports do not show any particular service running
(D) Scan shows that no scanned port is live on the network
Answer : A
NO.436 Risks=Threats x Vulnerabilities is referred to as the:
(A) BIA equation
(B) Disaster recovery formula
(C) Risk equation
(D) Threat assessment
Answer : C
NO.437 Buffer Overflow occurs when an application writes more data to a block of memory, or buffer, than the buffer is allocated to hold.
Buffer overflow attacks allow an attacker to modify the ___________ in order to control the process execution, crash the process and modify internal variables.

(A) Target process's address space
(B) Target remote access
(C) Target rainbow table
(D) Target SAM file
Answer : A
NO.438 Security Policy is a definition of what it means to be secure for a system, organization or other entity.
For Information Technologies, there are sub-policies like Computer Security Policy, Information Protection Policy, Information Security Policy, Network Security Policy, Physical Security Policy, Remote Access Policy, and User Account Policy.
What is the main theme of the sub-policies for Information Technologies?
(A) Confidentiality, Integrity, Availability
(B) Availability, Non-repudiation, Confidentiality
(C) Authenticity, Integrity, Non-repudiation
(D) Authenticity, Confidentiality, Integrity
Answer : A
NO.439 A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks.
A firewall examines all traffic routed between the two networks to see if it meets certain criteria.
Packet filter is one of the categories of firewall.
Packet filtering firewall works at which of these layers of the OSI model?
(A) Network layer
(B) Physical layer
(C) Session layer
(D) Application layer
Answer : A
NO.440 The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192.
In the network the servers are in the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124.
An attacker is trying to find those servers but he cannot see them in his scanning.
The command he is using is: nmap 192.168.1.64/28

Why he cannot see the servers?
(A) He needs to change the address to 192.168.1.0 with the same mask
(B) He needs to add the command "ip address" just before the IP address.
(C) He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that range.
(D) The network must be down and the nmap command and IP address are ok
Answer : C
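The arithmetic behind NO.440, worked through with Python's standard ipaddress module. This is an added example, not part of the original question set; the addresses are the ones quoted in the question, and the functions (block_range, hosts_in_scope, cidr_from_mask) are names chosen here. The /28 block the attacker typed spans 192.168.1.64 to 192.168.1.79 (16 addresses), while the /26 that matches the mask 255.255.255.192 spans .64 to .127 and contains all three servers.

```python
import ipaddress

# Addresses taken from the question; the in-scope results below are computed, not observed.
SERVERS = ["192.168.1.122", "192.168.1.123", "192.168.1.124"]


def block_range(cidr: str):
    """First address, last address and size of the block that a CIDR target expands to."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def hosts_in_scope(cidr: str, addresses):
    """Which of `addresses` fall inside the block a scan of `cidr` would probe."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [a for a in addresses if ipaddress.ip_address(a) in net]


def cidr_from_mask(address: str, netmask: str) -> str:
    """Turn an address plus dotted-decimal mask into the CIDR the scan should have used."""
    return str(ipaddress.ip_network(f"{address}/{netmask}", strict=False))


if __name__ == "__main__":
    wrong = "192.168.1.64/28"
    right = cidr_from_mask("192.168.1.64", "255.255.255.192")
    for cidr in (wrong, right):
        first, last, size = block_range(cidr)
        print(f"{cidr}: {first} .. {last} ({size} addresses); "
              f"servers in scope: {hosts_in_scope(cidr, SERVERS)}")
```

Before scanning, derive the CIDR from the mask the target network actually uses rather than guessing a prefix length; a wrong prefix silently shrinks or widens the scope of the engagement.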
NO.441 Bob finished a C programming course and created a small C application to monitor the network traffic and produce alerts when any origin sends “many” IP packets, based on the average number of packets sent by all origins and using some thresholds.
In concept, the solution developed by Bob is actually:
(A) Just a network monitoring tool
(B) A signature-based IDS
(C) A hybrid IDS
(D) A behavior-based IDS
Answer : A
NO.442 Which of the following is the structure designed to verify and authenticate the identity of individuals within the enterprise taking part in a data exchange?
(A) PKI
(B) SOA
(C) biometrics
(D) single sign on
Answer : A
NO.443 Which of the following scanning methods splits the TCP header into several packets and makes it difficult for packet filters to detect the purpose of the packet?
(A) ICMP Echo scanning
(B) SYN/FIN scanning using IP fragments
(C) ACK flag probe scanning
(D) IPID scanning
Answer : B
NO.444 Session Hijacking refers to the exploitation of a valid computer session where an attacker takes over a session between two computers.
Which of the following factors contributes to a successful session hijacking attack?
(A) Account lockout for invalid session IDs
(B) Definite session expiration time
(C) Weak session ID generation algorithm
(D) No clear text transmission
Answer : C
NO.445 The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software.
What item is the primary concern on OWASP’s Top Ten Project Most Critical Web Application Security Risks?
(A) Cross Site Scripting
(B) Injection
(C) Path disclosure
(D) Cross Site Request Forgery
Answer : B
NO.446 Wired Equivalent Privacy (WEP) is an IEEE 802.11 wireless protocol which provides security algorithms for data confidentiality during wireless transmissions.
WEP uses stream cipher RC4 for confidentiality, and the CRC-32 checksum for integrity of wireless transmission.
What is the size of WEP initialization vector (IV)?
(A) 8-bit
(B) 16-bit
(C) 24-bit
(D) 32-bit
Answer : C
NO.447 What is the most secure way to mitigate the theft of corporate information from a laptop that was left in a hotel room?
(A) Set a BIOS password
(B) Encrypt the data on the hard drive.
(C) Use a strong logon password to the operating system.
(D) Back up everything on the laptop and store the backup in a safe place.
Answer : B
NO.448 As an Ethical Hacker you are capturing traffic from your customer network with Wireshark and you need to find and verify just SMTP traffic.
What command in Wireshark will help you to find this kind of traffic?
(A) request smtp 25
(B) tcp.port eq 25
(C) smtp port
(D) tcp.contains port 25
Answer : B
NO.449 Which of the following is assured by the use of a hash?
(A) Authentication
(B) Confidentiality
(C) Availability
(D) Integrity
Answer : D
NO.450 What is a “Collision attack” in cryptography?
(A) Collision attacks try to get the public key
(B) Collision attacks try to break the hash into three parts to get the plaintext value
(C) Collision attacks try to break the hash into two parts, with the same bytes in each part to get the private key
(D) Collision attacks try to find two inputs producing the same hash
Answer : D
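A worked illustration of NO.449 and NO.450: why "two inputs producing the same hash" is the right definition, and why a collision is far cheaper to find than a second preimage for a fixed message. This is an added example, not part of the original page; it truncates SHA-256 to a small number of bits (a toy target chosen here so the searches finish in seconds) and the function names and message formats are assumptions of the example.

```python
import hashlib
import math
from typing import Tuple


def truncated_hash(data: bytes, n_bits: int) -> int:
    """SHA-256 cut down to its leading n_bits so that the searches below finish quickly.
    Against the full 256-bit digest the same loops would never terminate."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def find_collision(n_bits: int) -> Tuple[bytes, bytes, int]:
    """Birthday search: hash distinct messages until any two share a digest.
    Returns the two colliding messages and the number of hashes computed."""
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        h = truncated_hash(msg, n_bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


def find_second_preimage(target: bytes, n_bits: int) -> Tuple[bytes, int]:
    """Different goal: match the digest of one fixed message. No birthday shortcut applies."""
    want = truncated_hash(target, n_bits)
    i = 0
    while True:
        msg = b"alt-%d" % i
        if msg != target and truncated_hash(msg, n_bits) == want:
            return msg, i + 1
        i += 1


def expected_collision_work(n_bits: int) -> float:
    """Mean number of hashes before a birthday collision: about sqrt(pi/2 * 2^n)."""
    return math.sqrt(math.pi / 2 * 2 ** n_bits)


def expected_second_preimage_work(n_bits: int) -> float:
    """Mean number of hashes to hit one specific digest: 2^n."""
    return float(2 ** n_bits)


if __name__ == "__main__":
    bits = 24
    m1, m2, work = find_collision(bits)
    print(f"{bits}-bit collision after {work} hashes "
          f"(expected ~{expected_collision_work(bits):.0f}): {m1!r} / {m2!r}")
    alt, work = find_second_preimage(b"invoice-42", 16)
    print(f"16-bit second preimage after {work} hashes "
          f"(expected ~{expected_second_preimage_work(16):.0f}): {alt!r}")
```

The integrity guarantee of NO.449 only holds while neither search is practical: a collision on a 128-bit hash costs about 2^64 work, which is why MD5 is no longer acceptable for signatures, while a second preimage still costs 2^128.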
NO.451 This phase will increase the odds of success in later phases of the penetration test.
It is also the very first step in Information Gathering and it will tell you what the “landscape” looks like.
What is the most important phase of ethical hacking in which you need to spend a considerable amount of time?
(A) network mapping
(B) footprinting
(C) escalating privileges
(D) gaining access
Answer : B
NO.452 Which of the following describes the characteristics of a Boot Sector Virus?
(A) Modifies directory table entries so that directory entries point to the virus code instead of the actual program.
(B) Moves the MBR to another location on the RAM and copies itself to the original location of the MBR.
(C) Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.
(D) Overwrites the original MBR and only executes the new virus code.
Answer : C
NO.453 Which Nmap option would you use if you were not concerned about being detected and wanted to perform a very fast scan?
(A) -T0
(B) -T5
(C) -O
(D) -A
Answer : B
NO.454 An attacker attaches a rogue router in a network.
He wants to redirect traffic to a LAN attached to his router as part of a man-in-the-middle attack.
What measure on behalf of the legitimate admin can mitigate this attack?
(A) Make sure that legitimate network routers are configured to run routing protocols with authentication.
(B) Disable all routing protocols and only use static routes
(C) Only using OSPFv3 will mitigate this risk.
(D) Redirection of the traffic cannot happen unless the admin allows it explicitly.
Answer : A
NO.455 What is the purpose of a demilitarized zone on a network?
(A) To scan all traffic coming through the DMZ to the internal network
(B) To only provide direct access to the nodes within the DMZ and protect the network behind it
(C) To provide a place to put the honeypot
(D) To contain the network devices you wish to protect
Answer : B
NO.456 In order to compromise or to hack a system or network the hackers go through various phases of the hacking.
What is the first hacking phase that hackers perform to gather information about a target prior to launching an attack?
(A) Reconnaissance
(B) Scanning
(C) Gaining Access
(D) Maintaining Access
(E) Clearing Track
Answer : A
NO.457 Internet Protocol Security IPSec is actually a suite of protocols.
Each protocol within the suite provides different functionality.
Collectively, IPSec does everything except:

(A) Work at the Data Link Layer
(B) Protect the payload and the headers
(C) Encrypt
(D) Authenticate
Answer : A
NO.458 Identify the denial-of-service attack that is carried out using a method known as bricking a system.
Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware.

(A) ICMP Flood Attack
(B) Application Level Flood Attacks
(C) Phlashing
(D) Bandwidth Attacks
Answer : C
NO.459 Based on the below log, which of the following sentences are true?

Mar 1, 2016, 7:33:28 AM 10.240.250.23 – 54373 10.249.253.15 – 22 tcp_ip
(A) SSH communications are encrypted; it’s impossible to know who is the client or the server
(B) Application is FTP and 10.240.250.23 is the client and 10.249.253.15 is the server
(C) Application is SSH and 10.240.250.23 is the client and 10.249.253.15 is the server
(D) Application is SSH and 10.240.250.23 is the server and 10.249.253.15 is the server
Answer : C
NO.460 Which of the following areas is considered a strength of symmetric key cryptography when compared with asymmetric algorithms?
(A) Scalability
(B) Speed
(C) Key distribution
(D) Security
Answer : B
NO.461 An enterprise recently moved to a new office and the new neighborhood is a little risky.
The CEO wants to monitor the physical perimeter and the entrance doors 24 hours.
What is the best option to do this job?
(A) Use fences in the entrance doors.
(B) Install a CCTV with cameras pointing to the entrance doors and the street.
(C) Use an IDS in the entrance doors and install some of them near the corners.
(D) Use lights in all the entrance doors and along the company's perimeter.
Answer : B
NO.462 You have successfully gained access to a Linux server and would like to ensure that the subsequent outgoing traffic from this server will not be caught by Network-Based Intrusion Detection Systems (NIDS).
What is the best way to evade the NIDS?
(A) Out of band signaling
(B) Protocol Isolation
(C) Encryption
(D) Alternate Data Streams
Answer : C
NO.463 A regional bank hires your company to perform a security assessment on their network after a recent data breach.
The attacker was able to steal financial data from the bank by compromising only a single server.
Based on this information, what should be one of your key recommendations to the bank?
(A) Place a front-end web server in a demilitarized zone that only handles external web traffic
(B) Require all employees to change their passwords immediately
(C) Move the financial data to another server on the same IP subnet
(D) Issue new certificates to the web servers from the root certificate authority
Answer : A
NO.464 An IT employee got a call from one of our best customers.
The caller wanted to know about the company's network infrastructure, systems, and team.
New opportunities of integration are in sight for both company and customer.
What should this employee do?
(A) The employees cannot provide any information; but, anyway, he/she will provide the name of the person in charge.
(B) Since the company's policy is all about Customer Service, he/she will provide information.
(C) Disregarding the call, the employee should hang up.
(D) The employee should not provide any information without previous management authorization.
Answer : D
NO.465 An intrusion detection system (IDS) gathers and analyzes information from within a computer or a network, to identify the possible violations of security policy, including unauthorized access, as well as misuse.
Which of the following IDS detection techniques detects the intrusion based on the fixed behavioral characteristics of the users and components in a computer system?
(A) Signature recognition
(B) Anomaly detection
(C) Protocol anomaly detection
(D) All of the above
Answer : B
NO.466 Port scanning can be used as part of a technical assessment to determine network vulnerabilities.
The TCP XMAS scan is used to identify listening ports on the targeted system.
If a scanned port is open, what happens?
(A) The port will ignore the packets.
(B) The port will send an RST.
(C) The port will send an ACK.
(D) The port will send a SYN.
Answer : A
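NO.428 and NO.466 both rest on the same rule from RFC 793: a listening port silently drops a segment that carries none of SYN, ACK or RST, while a closed port answers anything without RST with an RST. The model below encodes that rule beside the behaviour of stacks that ignore it (Windows and a number of embedded stacks answer every out-of-state probe with RST), and derives nmap's verdict for the NULL, FIN, Xmas, SYN and ACK probes. This is an added example, not part of the original page; the function and probe names are assumptions of the example, and it simulates the stacks rather than sending packets.

```python
from typing import FrozenSet, Optional

SYN, ACK, FIN, RST, PSH, URG = "SYN", "ACK", "FIN", "RST", "PSH", "URG"

# Flag sets of the nmap probe types discussed here (-sN, -sF, -sX, -sS, -sA).
PROBES = {
    "NULL": frozenset(),
    "FIN": frozenset({FIN}),
    "XMAS": frozenset({FIN, PSH, URG}),
    "SYN": frozenset({SYN}),
    "ACK": frozenset({ACK}),
}


def rfc793_reply(flags: FrozenSet[str], port_open: bool) -> Optional[str]:
    """Reply of a stack that follows the SEGMENT ARRIVES rules of RFC 793 section 3.9.

    CLOSED port: any segment without RST is answered with RST.
    LISTEN (open) port: RST is ignored, ACK gets RST, SYN gets SYN/ACK,
    and a segment with none of SYN/ACK/RST is dropped without a reply."""
    if RST in flags:
        return None
    if not port_open:
        return "RST"
    if ACK in flags:
        return "RST"
    if SYN in flags:
        return "SYN/ACK"
    return None


def rst_happy_reply(flags: FrozenSet[str], port_open: bool) -> Optional[str]:
    """Stacks that do not follow the RFC here (Windows, many Cisco devices, some
    printers): every out-of-state probe is answered with RST, open or not."""
    if RST in flags:
        return None
    if port_open and SYN in flags and ACK not in flags:
        return "SYN/ACK"
    return "RST"


def nmap_verdict(probe: str, reply: Optional[str]) -> str:
    """How nmap labels the port from the reply to each probe type."""
    if probe in ("NULL", "FIN", "XMAS"):
        return "closed" if reply == "RST" else "open|filtered"
    if probe == "SYN":
        return "open" if reply == "SYN/ACK" else "closed"
    if probe == "ACK":
        return "unfiltered" if reply == "RST" else "filtered"
    raise ValueError(probe)


def scan_port(probe: str, port_open: bool, stack=rfc793_reply) -> str:
    return nmap_verdict(probe, stack(PROBES[probe], port_open))


if __name__ == "__main__":
    for probe in PROBES:
        for stack in (rfc793_reply, rst_happy_reply):
            print(f"{probe:4s} {stack.__name__:16s} open -> {scan_port(probe, True, stack):14s} "
                  f"closed -> {scan_port(probe, False, stack)}")
```

The practical consequence: against a non-RFC stack the inverse scans report every port as closed, so a NULL or Xmas scan that shows nothing open says nothing until a SYN scan of the same host is compared with it. Note also that "no reply" is the same evidence as a firewall dropping the probe, which is why nmap reports open|filtered rather than open.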
NO.467 A large mobile telephony and data network operator has a data center that houses network elements.
These are essentially large computers running on Linux.
The perimeter of the data center is secured with firewalls and IPS systems.
What is the best security policy concerning this setup?
(A) Network elements must be hardened with user ids and strong passwords. Regular security tests and audits should be performed.
(B) As long as the physical access to the network elements is restricted, there is no need for additional measures.
(C) There is no need for specific security measures on the network elements as long as firewalls and IPS systems exist.
(D) The operator knows that attacks and down time are inevitable and should have a backup site.
Answer : A
NO.468 OS fingerprinting is the method used to determine the operating system running on a remote target system.
It is an important scanning method, as the attacker will have a greater probability of success if he/she knows the OS.
Active stack fingerprinting is one of the types of OS fingerprinting.
Which of the following is true about active stack fingerprinting?
(A) Uses password crackers to escalate system privileges
(B) Is based on the fact that various vendors of OS implement the TCP stack differently
(C) TCP connect scan
(D) Uses sniffing techniques instead of the scanning techniques
(E) Is based on the differential implementation of the stack and the various ways an OS responds to it
Answer : B
NO.469 Which wireless standard has bandwidth up to 54 Mbps and signals in a regulated frequency spectrum around 5 GHz?
(A) 802.11a
(B) 802.11b
(C) 802.11g
(D) 802.11i
Answer : A
NO.470 Which of the following protocols are susceptible to sniffing?
(A) SNMP
(B) FTP
(C) NNTP
(D) Telnet
Answer : D
NO.471 What is the least important information when you analyze a public IP address in a security alert?
(A) ARP
(B) Whois
(C) DNS
(D) Geolocation
Answer : A
NO.472 When performing a risk assessment, you need to determine the potential impact when some of the company's critical business processes have their service interrupted.
What is the name of the process by which you can determine those critical business processes?
(A) Risk Mitigation
(B) Emergency Plan Response (EPR)
(C) Disaster Recovery Planning (DRP)
(D) Business Impact Analysis (BIA)
Answer : D
NO.473 You are tasked to perform a penetration test.
While you are performing information gathering, you find an employee list in Google.
You find the receptionist’s email, and you send her an email changing the source email to her boss’s email (boss@company).
In this email, you ask for a pdf with information.
She reads your email and sends back a pdf with links.
You exchange the pdf links with your malicious links (these links contain malware) and send back the modified pdf, saying that the links don’t work.
She reads your email, opens the links, and her machine gets infected.
You now have access to the company network.
What testing method did you use?
(A) Social engineering
(B) Piggybacking
(C) Tailgating
(D) Eavesdropping
Answer : A
NO.474 This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured.
It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools.
Which of the following tools is being described?
(A) wificracker
(B) Airguard
(C) WLAN-crack
(D) Aircrack-ng
Answer : D
NO.475 To maintain compliance with regulatory requirements, a security audit of the systems on a network must be performed to determine their compliance with security policies.
Which one of the following tools would most likely be used in such an audit?
(A) Protocol analyzer 
(B) Intrusion Detection System
(C) Port scanner
(D) Vulnerability scanner
Answer : D
NO.476 Which security strategy requires using several, varying methods to protect IT systems against attacks?
(A) Defense in depth
(B) Covert channels
(C) Exponential backoff algorithm
(D) Three-way handshake
Answer : A
NO.477 Websites and web portals that provide web services commonly use the Simple Object Access Protocol (SOAP).
Which of the following is an incorrect definition or characteristics of the protocol?
(A) Based on XML
(B) Only compatible with the application protocol HTTP
(C) Exchanges data between web services
(D) Provides a structured model for messaging
Answer : B
NO.478 Firewall implementation and design for an enterprise can be a daunting task.
Choices made early in the design process can have far-reaching security implications for years to come.
Which of the following firewall architecture is designed to host servers that offer public services?
(A) Bastion Host
(B) Screened subnet
(C) Screened host
(D) Screened
Answer : B
NO.479 A virus is a self-replicating program that produces its own code by attaching copies of it into other executable codes.
Which of the following viruses evades the anti-virus software by intercepting its requests to the operating system?
(A) Macro virus
(B) Cluster virus
(C) Stealth/Tunneling virus
(D) System or boot sector virus
Answer : C
NO.480 A new wireless client is configured to join an 802.11 network.
This client uses the same hardware and software as many of the other clients on the network.
The client can see the network, but cannot connect.
A wireless packet sniffer shows that the Wireless Access Point (WAP) is not responding to the association requests being sent by the wireless client.
What is a possible source of this problem?
(A) The WAP does not recognize the client’s MAC address
(B) The client cannot see the SSID of the wireless network
(C) Client is configured for the wrong channel
(D) The wireless client is not configured to use DHCP
Answer : A
NO.481 Chandler works as a pen-tester in an IT-firm in New York.
As a part of detecting viruses in the systems, he uses a detection method where the anti-virus executes the malicious codes on a virtual machine to simulate CPU and memory activities.
Which type of virus detection method did Chandler use in this context?
(A) Heuristic Analysis
(B) Code Emulation
(C) Integrity checking
(D) Scanning
Answer : B
NO.482 What type of vulnerability/attack is it when the malicious person forces the user’s browser to send an authenticated request to a server?
(A) Cross-site request forgery
(B) Cross-site scripting
(C) Session hijacking
(D) Server side request forgery
Answer : A
NO.483 Consider the attack scenario given below:

Step 1: User browses a web page
Step 2: Web server replies with requested page and sets a cookie on the user's browser
Step 3: Attacker steals cookie (Sniffing, XSS, phishing attack)
Step 4: Attacker orders for product using modified cookie
Step 5: Product is delivered to attacker's address

Identify the web application attack.

(A) Session fixation attack
(B) Unvalidated redirects attack
(C) Cookie poisoning attack
(D) Denial-of-Service (DoS) attack
Answer : C
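The scenario in NO.483 works because the server trusts whatever comes back in the cookie, and NO.444 names the companion weakness, a guessable session identifier. The example below shows both sides: a cookie that carries the order state in the clear and can be rewritten in step 4, a cookie whose state is bound to an HMAC-SHA256 tag under a server-side key so that any rewrite is rejected, and a predictable session ID beside one drawn from the OS CSPRNG. This is an added example, not code from the original page; the cookie layout, the field names and the helper names are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Per-process key for the example; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)

ORDER_STATE = {"user": "bob", "ship_to": "12 Bob Street"}   # constructed sample state


def _encode(state: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode()).decode()


def _decode(payload: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(payload))


# Vulnerable: the cookie *is* the state, so the client can rewrite it (step 4 of the scenario).
def make_plain_cookie(state: dict) -> str:
    return _encode(state)


def read_plain_cookie(cookie: str) -> dict:
    return _decode(cookie)


# Hardened: state plus an HMAC tag under a key the client never sees.
def make_signed_cookie(state: dict, key: bytes = None) -> str:
    payload = _encode(state)
    tag = hmac.new(key or SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_signed_cookie(cookie: str, key: bytes = None):
    """Return the state, or None if the tag does not match (tampered, or signed under another key)."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(key or SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _decode(payload)


def poison(cookie: str, **changes) -> str:
    """What the attacker does: decode the payload, change fields, re-encode, keep any tag that was there."""
    payload, dot, tag = cookie.partition(".")
    state = _decode(payload)
    state.update(changes)
    return _encode(state) + dot + tag


def weak_session_id(user: str) -> str:
    """Predictable: whoever knows the user name and the approximate login time can enumerate it."""
    return hashlib.sha256(f"{user}:{int(time.time())}".encode()).hexdigest()[:16]


def strong_session_id() -> str:
    """Opaque, 256 bits from the OS CSPRNG; the server keeps the state server-side keyed by this."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    plain = make_plain_cookie(ORDER_STATE)
    print("plain cookie, poisoned:", read_plain_cookie(poison(plain, ship_to="attacker's address")))
    signed = make_signed_cookie(ORDER_STATE)
    print("signed cookie, poisoned:", read_signed_cookie(poison(signed, ship_to="attacker's address")))
```

Signing stops the rewrite but not the theft in step 3: a stolen signed cookie still replays. Keep the shipping address and price server-side, reference them through an opaque session ID, set the cookie Secure and HttpOnly, and expire it, which is the combination the other options in NO.444 describe.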
NO.484 Some clients of TPNQM SA were redirected to a malicious site when they tried to access the TPNQM main site.
Bob, a system administrator at TPNQM SA, found that they were victims of DNS Cache Poisoning.
What should Bob recommend to deal with such a threat?
(A) The use of security agents in clients’ computers
(B) The use of DNSSEC
(C) The use of double-factor authentication
(D) Client awareness
Answer : B
NO.485 Which Intrusion Detection System is the best applicable for large environments where critical assets on the network need extra security and is ideal for observing sensitive network segments?
(A) Honeypots
(B) Firewalls
(C) Network-based intrusion detection system (NIDS)
(D) Host-based intrusion detection system (HIDS)
Answer : C
NO.486 Which of the following is a mutation technique used for writing buffer overflow exploits in order to avoid IDS and other filtering mechanisms?
(A) Assuming that a string function is exploited, send a long string as the input
(B) Randomly replace the NOPs with functionally equivalent segments of the code (e.g., x++; x--; → NOP NOP)
(C) Pad the beginning of the intended buffer overflow with a long run of NOP instructions (a NOP slide or sled) so the CPU will do nothing until it gets to the “main event”
(D) makes a buffer to overflow on the lower part of heap, overwriting other dynamic variables, which can have unexpected and unwanted effects
Answer : B
NO.487 What does a firewall check to prevent particular ports and applications from getting packets into an organization?
(A) Transport layer port numbers and application layer headers
(B) Presentation layer headers and the session layer port numbers
(C) Network layer headers and the session layer port numbers
(D) Application layer port numbers and the transport layer headers
Answer : A
NO.488 Wireless antenna is an electrical device which converts electric currents into radio waves, and vice versa.
Which of the following antennas is used in wireless base stations and provides a 360 degree horizontal radiation pattern?
(A) Omnidirectional antenna
(B) Parabolic grid antenna
(C) Yagi antenna
(D) Dipole antenna
Answer : A
NO.489 Which device in a wireless local area network (WLAN) determines the next network point to which a packet should be forwarded toward its destination?
(A) Wireless modem
(B) Antenna
(C) Wireless router
(D) Mobile station
Answer : C
NO.490 Bluetooth hacking refers to exploitation of Bluetooth stack implementation vulnerabilities to compromise sensitive data in Bluetooth-enabled devices and networks.
Which of the following Bluetooth attacks refers to sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as PDAs and mobile phones?
(A) Bluesmacking
(B) Bluejacking
(C) Blue Snarfing
(D) BlueSniff
Answer : B
NO.491 It has been reported to you that someone has caused an information spillage on their computer.
You go to the computer, disconnect it from the network, remove the keyboard and mouse, and power it down.
What step in incident handling did you just complete?
(A) Discovery
(B) Recovery
(C) Containment
(D) Eradication
Answer : C
NO.492 What does the -oX flag do in an Nmap scan?
(A) Perform an Xmas scan
(B) Perform an eXpress scan
(C) Output the results in truncated format to the screen
(D) Output the results in XML format to a file
Answer : D
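The reason to prefer -oX over screen output is that the XML is meant to be consumed by tools. As an added example (not part of the original page, and not the output of a real scan), the block below parses a constructed excerpt laid out the way nmap writes its XML (nmaprun/host/status, address, ports/port/state, service) with the standard library and answers the questions a tester actually asks of it: which hosts are up, which ports are open per host, and which hosts run a given service. The function names are assumptions of the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed excerpt in the layout that nmap -oX writes; values are invented.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -F -oX scan.xml 10.10.0.0/24" start="1456818808">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.10.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="closed" reason="reset"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.10.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.10.0.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text: str) -> List[Dict]:
    """Flatten every <host> into {addr, up, ports:[{port, proto, state, service}]}."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        entry = {
            "addr": addr.get("addr") if addr is not None else None,
            "up": status is not None and status.get("state") == "up",
            "ports": [],
        }
        for port in host.findall("./ports/port"):
            state = port.find("state")
            service = port.find("service")
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": service.get("name") if service is not None else "",
            })
        hosts.append(entry)
    return hosts


def open_ports_by_host(xml_text: str) -> Dict[str, List[int]]:
    """Only hosts that are up, only ports nmap reported as open."""
    return {h["addr"]: [p["port"] for p in h["ports"] if p["state"] == "open"]
            for h in parse_hosts(xml_text) if h["up"]}


def hosts_running(xml_text: str, service: str) -> List[str]:
    return [h["addr"] for h in parse_hosts(xml_text)
            if any(p["service"] == service and p["state"] == "open" for p in h["ports"])]


if __name__ == "__main__":
    print(open_ports_by_host(SAMPLE_XML))
    print("telnet exposed on:", hosts_running(SAMPLE_XML, "telnet"))
```

Treat scan files received from others as untrusted input: parse them with defusedxml rather than the stdlib parser, since a crafted XML file can carry entity-expansion payloads.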
NO.493 You have several plain-text firewall logs that you must review to evaluate network traffic.
You know that in order to do fast, efficient searches of the logs you must use regular expressions.
Which command-line utility are you most likely to use?
(A) Relational Database
(B) MS Excel
(C) Notepad
(D) Grep
Answer : D
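NO.493 asks for the tool; the log line in NO.459 shows what the regular expressions have to match. The block below does both with Python's re module: a grep-style filter over the lines, a parser for the timestamp/source/port/destination/port/protocol layout of that line, and the client-versus-server rule used in the NO.459 answer (the side on the well-known port is the server, whichever direction the line was logged in). This is an added example, not from the original page; the log lines are constructed in that layout and are not captured traffic, and the function names are assumptions of the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed lines in the layout of the log quoted in NO.459 (not captured traffic).
SAMPLE_LOG = """\
Mar 1, 2016, 7:33:28 AM 10.240.250.23 – 54373 10.249.253.15 – 22 tcp_ip
Mar 1, 2016, 7:33:29 AM 10.240.250.23 – 54374 10.249.253.15 – 22 tcp_ip
Mar 1, 2016, 7:35:02 AM 10.240.250.77 – 49211 10.249.253.20 – 21 tcp_ip
Mar 1, 2016, 7:36:10 AM 10.249.253.15 – 22 10.240.250.23 – 54373 tcp_ip
Mar 1, 2016, 7:40:00 AM 10.240.250.23 – 61000 10.249.253.30 – 25 tcp_ip
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# The separator is an en dash in the quoted line; accept a plain hyphen too.
LINE_RE = re.compile(
    rf"^(?P<ts>\w{{3}} \d{{1,2}}, \d{{4}}, [\d:]+ [AP]M) "
    rf"(?P<src>{IPV4}) [-–] (?P<sport>\d+) "
    rf"(?P<dst>{IPV4}) [-–] (?P<dport>\d+) (?P<proto>\S+)\s*$"
)

WELL_KNOWN = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 80: "HTTP", 443: "HTTPS"}


def grep(pattern: str, text: str) -> List[str]:
    """The grep step: keep only the lines that match a regular expression."""
    rx = re.compile(pattern)
    return [line for line in text.splitlines() if rx.search(line)]


def parse_line(line: str) -> Optional[Dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def identify(rec: Dict) -> Dict:
    """Name the application and decide which side is client and which is server.

    The server side is the one on the well-known port; the other side uses an
    ephemeral port, so the direction the line was logged in does not matter."""
    if rec["dport"] in WELL_KNOWN and rec["sport"] not in WELL_KNOWN:
        app, client, server = WELL_KNOWN[rec["dport"]], rec["src"], rec["dst"]
    elif rec["sport"] in WELL_KNOWN:
        app, client, server = WELL_KNOWN[rec["sport"]], rec["dst"], rec["src"]
    else:
        app, client, server = "unknown", rec["src"], rec["dst"]
    return {"app": app, "client": client, "server": server}


def count_by_app(text: str) -> Dict[str, int]:
    recs = (parse_line(line) for line in text.splitlines())
    return dict(Counter(identify(r)["app"] for r in recs if r))


if __name__ == "__main__":
    for line in grep(r"[-–] 22 tcp_ip$", SAMPLE_LOG):
        print(identify(parse_line(line)))
    print(count_by_app(SAMPLE_LOG))
```

Port-based identification is a heuristic, as option A of NO.459 hints: the payload is encrypted, so the port number is all the log gives you, and a service deliberately run on a non-standard port will be mislabelled. Anchor the pattern to the line layout (as LINE_RE does) rather than searching for the bare number, or "22" will also match inside other ports and addresses.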
NO.494 Network Time Protocol (NTP) is designed to synchronize clocks of networked computers.
Which of the following ports does NTP use as its primary means of communication?
(A) UDP port 123
(B) UDP port 113
(C) UDP port 161
(D) UDP port 320
Answer : A
NO.495 Identify the UDP port that Network Time Protocol (NTP) uses as its primary means of communication?
(A) 123
(B) 161
(C) 69
(D) 113
Answer : A
NO.496 _________ is a set of extensions to DNS that provide to DNS clients (resolvers) the origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar types of attacks.

(A) DNSSEC
(B) Resource records
(C) Resource transfer
(D) Zone transfer
Answer : A
NO.497 Which of the following is an adaptive SQL Injection testing technique used to discover coding errors by inputting massive amounts of random data and observing the changes in the output?
(A) Function Testing
(B) Dynamic Testing
(C) Static Testing
(D) Fuzzing Testing
Answer : D
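What "inputting massive amounts of random data and observing the changes in the output" looks like in practice for NO.497, as an added example that is not part of the original page. A lookup that splices user input into the SQL text is fuzzed beside its parameterised version; the parameterised query doubles as the oracle, since the only correct answer to a name lookup is an exact match. Inputs that raise a database error or return a different row set than the oracle are the coding errors the question refers to. The table, the seed strings and the helper names are constructed for the example; it uses the sqlite3 module from the standard library.

```python
import random
import sqlite3
import string
from typing import Callable, Dict


def make_db() -> sqlite3.Connection:
    """Constructed sample table; nothing here comes from a real application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str):
    # The coding error the fuzzer is meant to find: user input spliced into the SQL text.
    return conn.execute(f"SELECT id, name, role FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str):
    # Bound parameter: the input can never change the structure of the query.
    return conn.execute("SELECT id, name, role FROM users WHERE name = ?", (name,)).fetchall()


SEEDS = ["bob", "bob'", "' OR '1'='1", "bob' --", "bob'; DROP TABLE users; --", "x\"y", "\\", "%"]
ALPHABET = string.ascii_letters + string.digits + "'\";-()=/*\\%_ #"


def mutate(s: str, rng: random.Random) -> str:
    """Cheap mutations: append, prepend, insert a metacharacter, duplicate, truncate."""
    ops = (
        lambda s: s + rng.choice(ALPHABET),
        lambda s: rng.choice(ALPHABET) + s,
        lambda s: s[: rng.randrange(len(s) + 1)] + rng.choice(ALPHABET) + s[rng.randrange(len(s) + 1):],
        lambda s: s * 2,
        lambda s: s[len(s) // 2:],
    )
    return rng.choice(ops)(s)[:200]


def fuzz(lookup: Callable, rounds: int = 500, seed: int = 1) -> Dict:
    """Feed the seeds plus `rounds` random mutations to `lookup`; flag SQL errors and
    any result that differs from the parameterised oracle."""
    rng = random.Random(seed)
    conn = make_db()
    corpus = list(SEEDS)
    report = {"tested": 0, "errors": 0, "mismatches": 0, "examples": []}
    for inp in list(SEEDS) + [None] * rounds:
        if inp is None:
            inp = mutate(rng.choice(corpus), rng)
            corpus.append(inp)
        report["tested"] += 1
        expected = lookup_safe(conn, inp)
        try:
            got = lookup(conn, inp)
        except (sqlite3.Error, sqlite3.Warning) as exc:
            report["errors"] += 1
            report["examples"].append((inp, f"error: {exc}"))
            continue
        if got != expected:
            report["mismatches"] += 1
            report["examples"].append((inp, f"returned {len(got)} rows, expected {len(expected)}"))
    report["examples"] = report["examples"][:5]
    return report


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_safe):
        r = fuzz(fn)
        print(f"{fn.__name__}: {r['tested']} inputs, {r['errors']} errors, {r['mismatches']} mismatches")
        for inp, what in r["examples"]:
            print(f"   {inp!r}: {what}")
```

The two signals are the ones a black-box tester also gets from a web application: database errors surfacing in responses, and answers that change in ways the input should not have caused (the classic ' OR '1'='1 returning every row). Against the parameterised version the same corpus produces neither, which is the check to run after the fix.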
NO.499 The "white box testing" methodology enforces what kind of restriction?
(A) Only the internal operation of a system is known to the tester.
(B) The internal operation of a system is completely known to the tester.
(C) The internal operation of a system is only partly accessible to the tester.
(D) Only the external operation of a system is accessible to the tester.
Answer : B
NO.500 An IT employee got a call from one of our best customers.
The caller wanted to know about the company’s network infrastructure, systems, and team.
New opportunities of integration are in sight for both company and customer.
What should this employee do?
(A) The employee cannot provide any information; but, anyway, he/she will provide the name of the person in charge
(B) Since the company’s policy is all about Customer Service, he/she will provide information
(C) The employee should not provide any information without previous management authorization
(D) Disregarding the call, the employee should hang up
Answer : C
NO.501 Your team has won a contract to infiltrate an organization.
The company wants to have the attack be as realistic as possible; therefore, they did not provide any information besides the company name.
What should be the first step in security testing the client?
(A) Reconnaissance
(B) Escalation
(C) Scanning
(D) Enumeration
Answer : A
NO.502 Why should the security analyst disable/remove unnecessary ISAPI filters?
(A) To defend against social engineering attacks
(B) To defend against webserver attacks
(C) To defend against jailbreaking
(D) To defend against wireless attacks
Answer : B
NO.503 Ricardo wants to send secret messages to a competitor company.
To secure these messages, he uses a technique of hiding a secret message within an ordinary message.
The technique provides ‘security through obscurity’.
What technique is Ricardo using?
(A) Encryption
(B) Steganography
(C) RSA algorithm
(D) Public-key cryptography
Answer : B
NO.504 Bob learned that his username and password for a popular game have been compromised.
He contacts the company and resets all the information.
The company suggests he use two-factor authentication; which option below offers that?
(A) A fingerprint scanner and his username and password
(B) His username and a stronger password
(C) A new username and password
(D) Disable his username and use just a fingerprint scanner
Answer : A