A WHERE clause in SQL specifies that a SQL Data Manipulation Language (DML) statement should only affect rows that meet specified criteria. The criteria are expressed in the form of predicates. WHERE clauses are not mandatory clauses of SQL DML statements, but can be used to limit the number of rows affected by a SQL DML statement or returned by a query.
A pen tester is trying to gain access to a database by injecting crafted query statements that use a WHERE clause. The pen tester wants to retrieve all the entries from a particular table (e.g. StudentTable) using the WHERE clause.
What query does he need to write to retrieve the information?
- A . EXTRACT * FROM StudentTable WHERE roll_number = 1 order by 1000
- B . DUMP * FROM StudentTable WHERE roll_number = 1 AND 1=1--
- C . SELECT * FROM StudentTable WHERE roll_number = '' or '1' = '1'
- D . RETRIVE * FROM StudentTable WHERE roll_number = 1'#
Which of the following has an offset field that specifies the length of the header and data?
- A . IP Header
- B . UDP Header
- C . ICMP Header
- D . TCP Header
War Driving is the act of moving around a specific area, mapping the population of wireless access points for statistical purposes. These statistics are then used to raise awareness of the security problems associated with these types of networks.
Which one of the following is a Linux-based program that exploits the weak IV (Initialization Vector) problem documented with static WEP?
- A . Airsnort
- B . Aircrack
- C . WEPCrack
- D . Airpwn
Which one of the following tools of the trade is an automated, comprehensive penetration testing product for assessing the specific information security threats to an organization?
- A . Sunbelt Network Security Inspector (SNSI)
- B . CORE Impact
- C . Canvas
- D . Microsoft Baseline Security Analyzer (MBSA)
Which of the following methods is used to perform server discovery?
- A . Banner Grabbing
- B . Whois Lookup
- C . SQL Injection
- D . Session Hijacking
A penetration test will show you the vulnerabilities in the target system and the risks associated with them. An educated evaluation of the risk will be performed so that the vulnerabilities can be reported as High/Medium/Low risk issues.
What are the two types of ‘white-box’ penetration testing?
- A . Announced testing and blind testing
- B . Blind testing and double blind testing
- C . Blind testing and unannounced testing
- D . Announced testing and unannounced testing
The objective of social engineering pen testing is to test the strength of human factors in a security chain within the organization. It is often used to raise the level of security awareness among employees.
The tester should demonstrate extreme care and professionalism during a social engineering pen test as it might involve legal issues such as violation of privacy and may result in an embarrassing situation for the organization.
Which of the following methods of attempting social engineering is associated with bribing, handing out gifts, and becoming involved in a personal relationship to befriend someone inside the company?
- A . Accomplice social engineering technique
- B . Identity theft
- C . Dumpster diving
- D . Phishing social engineering technique
What are placeholders (or markers) in an HTML document that the web server will dynamically replace with data just before sending the requested documents to a browser?
- A . Server Side Includes
- B . Sort Server Includes
- C . Server Sort Includes
- D . Slide Server Includes
During the process of fingerprinting a web application environment, what do you need to do in order to analyze HTTP and HTTPS request headers and the HTML source code?
- A . Examine Source of the Available Pages
- B . Perform Web Spidering
- C . Perform Banner Grabbing
- D . Check the HTTP and HTML Processing by the Browser
After passively scanning the network of Department of Defense (DoD), you switch over to active scanning to identify live hosts on their network. DoD is a large organization and should respond to any number of scans. You start an ICMP ping sweep by sending an IP packet to the broadcast address.
Only five hosts respond to your ICMP pings, definitely not the number of hosts you were expecting.
Why did this ping sweep only produce a few responses?
- A . A switched network will not respond to packets sent to the broadcast address
- B . Only IBM AS/400 will reply to this scan
- C . Only Unix and Unix-like systems will reply to this scan
- D . Only Windows systems will reply to this scan
Which of the following pen testing reports provides detailed information about all the tasks performed during penetration testing?
- A . Client-Side Test Report
- B . Activity Report
- C . Host Report
- D . Vulnerability Report
The IP protocol was designed for use on a wide variety of transmission links. Although the maximum length of an IP datagram is 64K, most transmission links enforce a smaller maximum packet length limit, called an MTU.
The value of the MTU depends on the type of the transmission link. The design of IP accommodates MTU differences by allowing routers to fragment IP datagrams as necessary. The receiving station is responsible for reassembling the fragments back into the original full size IP datagram.
IP fragmentation involves breaking a datagram into a number of pieces that can be reassembled later. The IP source, destination, identification, total length, and fragment offset fields in the IP header are used for IP fragmentation and reassembly.
The fragment offset is 13 bits and indicates where a fragment belongs in the original IP datagram.
This value is a:
- A . Multiple of four bytes
- B . Multiple of two bytes
- C . Multiple of eight bytes
- D . Multiple of six bytes
The Web parameter tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc.
Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control. This attack takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations.
Attackers can easily modify these parameters to bypass the security mechanisms that rely on them.
What is the best way to protect web applications from parameter tampering attacks?
- A . Validating some parameters of the web application
- B . Minimizing the allowable length of parameters
- C . Using an easily guessable hashing algorithm
- D . Applying effective input field filtering parameters
Which one of the following scans starts, but does not complete, the TCP handshake sequence for each port selected, works well for direct scanning, and often works well through firewalls?
- A . SYN Scan
- B . Connect() scan
- C . XMAS Scan
- D . Null Scan
The first and foremost step in a penetration test is information gathering. The main objective of this step is to gather information about the target system that could be used in a malicious manner to gain access to the target systems.
Which of the following information gathering terminologies refers to gathering information through social engineering on-site visits, face-to-face interviews, and direct questionnaires?
- A . Active Information Gathering
- B . Pseudonymous Information Gathering
- C . Anonymous Information Gathering
- D . Open Source or Passive Information Gathering
You are running known exploits against your network to test for possible vulnerabilities. To test the strength of your antivirus software, you set up a test network to mimic your production network. Your software successfully blocks some simple macro and encrypted viruses.
You decide to really test the software by using virus code where the code rewrites itself entirely and the signatures change from child to child, but the functionality stays the same.
What type of virus is this that you are testing?
- A . Metamorphic
- B . Oligomorphic
- C . Polymorphic
- D . Transmorphic
Which of the following statements is true about Multi-Layer Intrusion Detection Systems (mIDSs)?
- A . Decreases consumed employee time and increases system uptime
- B . Increases detection and reaction time
- C . Increases response time
- D . Both Decreases consumed employee time and increases system uptime and Increases response time
Paulette works for an IT security consulting company that is currently performing an audit for the firm ACE Unlimited. Paulette’s duties include logging on to all the company’s network equipment to ensure IOS versions are up-to-date and all the other security settings are as stringent as possible.
Paulette presents the following screenshot to her boss so he can inform the client about the necessary changes that need to be made. From the screenshot, what changes should the client company make?
Exhibit:
- A . The banner should not state "only authorized IT personnel may proceed"
- B . Remove any identifying numbers, names, or version information
- C . The banner should include the Cisco tech support contact information as well
- D . The banner should have more detail on the version numbers for the network equipment
Which of the following statements is true about the LM hash?
- A . Disabled in Windows Vista and 7 OSs
- B . Separated into two 8-character strings
- C . Letters are converted to the lowercase
- D . Padded with NULL to 16 characters
Which of the following is NOT related to the Internal Security Assessment penetration testing strategy?
- A . Testing to provide a more complete view of site security
- B . Testing focused on the servers, infrastructure, and the underlying software, including the target
- C . Testing including tiers and DMZs within the environment, the corporate network, or partner company connections
- D . Testing performed from a number of network access points representing each logical and physical segment
A framework for security analysis is composed of a set of instructions, assumptions, and limitations used to analyze and solve security concerns and develop threat-free applications.
Which of the following frameworks helps an organization evaluate its information security against industry standards?
- A . Microsoft Internet Security Framework
- B . Information System Security Assessment Framework
- C . The IBM Security Framework
- D . Nortel's Unified Security Framework
A framework is a fundamental structure used to support and resolve complex issues.
The framework that delivers an efficient set of technologies for developing applications that are more secure when using the Internet and intranets is:
- A . Microsoft Internet Security Framework
- B . Information System Security Assessment Framework (ISSAF)
- C . Bell Labs Network Security Framework
- D . The IBM Security Framework
Identify the framework that comprises five levels to guide agencies in assessing their security programs and assist in prioritizing efforts for improvement:
- A . Information System Security Assessment Framework (ISSAF)
- B . Microsoft Internet Security Framework
- C . Nortel's Unified Security Framework
- D . Federal Information Technology Security Assessment Framework
The NTP protocol is used to synchronize the system clocks of computers with a remote time server or time source over a network.
Which one of the following ports does NTP use at the transport layer?
- A . TCP port 152
- B . UDP port 177
- C . UDP port 123
- D . TCP port 113
In the context of penetration testing, what does blue teaming mean?
- A . A penetration test performed with the knowledge and consent of the organization’s IT staff
- B . It is the most expensive and most widely used
- C . It may be conducted with or without warning
- D . A penetration test performed without the knowledge of the organization’s IT staff but with permission from upper management
Vulnerability assessment is an examination of the ability of a system or application, including current security procedures and controls, to withstand assault. It recognizes, measures, and classifies security vulnerabilities in a computer system, network, and communication channels.
A vulnerability assessment is used to identify weaknesses that could be exploited and predict the effectiveness of additional security measures in protecting information resources from attack.
Which of the following vulnerability assessment techniques is used to test the web server infrastructure for any misconfiguration and outdated content?
- A . Passive Assessment
- B . Host-based Assessment
- C . External Assessment
- D . Application Assessment
You work as an IT security auditor hired by a law firm in Boston. You have been assigned the responsibility to audit the client for security risks.
When assessing the risk to the client's network, what step should you take first?
- A . Analyzing, categorizing and prioritizing resources
- B . Evaluating the existing perimeter and internal security
- C . Checking for a written security policy
- D . Analyzing the use of existing management and control architecture
A firewall is an IP packet filter that enforces filtering and security policies on the network traffic flowing through it. Using firewalls in IPv6 is still the best way to protect against low-level attacks at the network and transport layers.
Which one of the following cannot handle routing protocols properly?
- A . “Internet-router-firewall-net architecture”
- B . “Internet-firewall-router-net architecture”
- C . “Internet-firewall/router(edge device)-net architecture”
- D . “Internet-firewall -net architecture”
You are assisting a Department of Defense contract company to become compliant with the stringent security policies set by the DoD. One such strict rule is that firewalls must only allow incoming connections that were first initiated by internal computers.
What type of firewall must you implement to abide by this policy?
- A . Circuit-level proxy firewall
- B . Packet filtering firewall
- C . Application-level proxy firewall
- D . Stateful firewall
George is a senior security analyst working for a state agency in Florida. His state’s congress just passed a bill mandating every state agency to undergo a security audit annually. After learning what will be required, George needs to implement an IDS as soon as possible before the first audit occurs.
The state bill requires that an IDS with a "time-based induction machine" be used.
What IDS feature must George implement to meet this requirement?
- A . Pattern matching
- B . Statistical-based anomaly detection
- C . Real-time anomaly detection
- D . Signature-based anomaly detection
Frank is working on a vulnerability assessment for a company on the West coast. The company hired Frank to assess its network security through scanning, pen tests, and vulnerability assessments. After discovering numerous known vulnerabilities detected by a temporary IDS he set up, he notices a number of items that show up as unknown but questionable in the logs.
He looks up the behavior on the Internet, but cannot find anything related.
What organization should Frank submit the log to find out if it is a new vulnerability or not?
- A . CVE
- B . IANA
- C . RIPE
- D . APIPA
What is a difference between host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS)?
- A . NIDS are usually a more expensive solution to implement compared to HIDS.
- B . Attempts to install Trojans or backdoors cannot be monitored by a HIDS whereas NIDS can monitor and stop such intrusion events.
- C . NIDS are standalone hardware appliances that include network intrusion detection capabilities whereas HIDS consist of software agents installed on individual computers within the system.
- D . HIDS requires less administration and training compared to NIDS.
A chipset is a group of integrated circuits that are designed to work together and are usually marketed as a single product. It generally refers to the motherboard chips or the chips used on an expansion card.
Which one of the following is well supported in most wireless applications?
- A . Orinoco chipsets
- B . Prism II chipsets
- C . Atheros Chipset
- D . Cisco chipset
In the process of hacking a web application, attackers manipulate the HTTP requests to subvert the application authorization schemes by modifying input fields that relate to the user ID, username, access group, cost, file names, file identifiers, etc.
They first access the web application using a low privileged account and then escalate privileges to access protected resources.
What attack has been carried out?
- A . XPath Injection Attack
- B . Authorization Attack
- C . Authentication Attack
- D . Frame Injection Attack
In which of the following IDS evasion techniques does the IDS reject packets that the end system accepts?
- A . IPS evasion technique
- B . IDS evasion technique
- C . UDP evasion technique
- D . TTL evasion technique
Besides the policy implications of chat rooms, Internet Relay Chat (IRC) is frequented by attackers and used as a command and control mechanism.
IRC normally uses which one of the following TCP ports?
- A . 6566 TCP port
- B . 6771 TCP port
- C . 6667 TCP port
- D . 6257 TCP port
Internet Control Message Protocol (ICMP) messages occur in many situations, such as whenever a datagram cannot reach the destination or the gateway does not have the buffering capacity to forward a datagram.
Each ICMP message contains three fields: type, code, and checksum. The different types of ICMP messages are identified by the TYPE field.
If the destination is not reachable, which one of the following is generated?
- A . Type 8 ICMP codes
- B . Type 12 ICMP codes
- C . Type 3 ICMP codes
- D . Type 7 ICMP codes
John and Hillary work in the same department of the company. John wants to find out Hillary's network password so he can take a look at her documents on the file server. He puts the L0phtCrack program into sniffing mode. John sends Hillary an email with a link.
What information will he be able to gather from this?
- A . The SID of Hillary’s network account
- B . The network shares that Hillary has permissions
- C . The SAM file from Hillary’s computer
- D . Hillary’s network username and password hash
Harold is a security analyst who has just run the rdisk /s command to grab the backup SAM file on a computer.
Where should Harold navigate on the computer to find the file?
- A . %systemroot%\LSA
- B . %systemroot%\repair
- C . %systemroot%\system32\drivers\etc
- D . %systemroot%\system32\LSA
Which one of the following log analysis tools is a Cisco Router Log Format log analyzer that parses logs, imports them into a SQL database (or its own built-in database), aggregates them, and generates dynamically filtered reports, all through a web interface?
- A . Event Log Tracker
- B . Sawmill
- C . Syslog Manager
- D . Event Log Explorer
Identify the policy that defines the standards for the organizational network connectivity and security standards for computers that are connected in the organizational network.
- A . Information-Protection Policy
- B . Special-Access Policy
- C . Remote-Access Policy
- D . Acceptable-Use Policy
By default, the TFTP server listens on UDP port 69.
Which of the following utilities reports the port status of target TCP and UDP ports on a local or remote computer and is used to troubleshoot TCP/IP connectivity issues?
- A . PortQry
- B . Netstat
- C . Telnet
- D . Tracert
Traffic on which port is unusual for both the TCP and UDP ports?
- A . Port 81
- B . Port 443
- C . Port 0
- D . Port 21
Identify the type of testing that is carried out without giving any information to the employees or administrative head of the organization.
- A . Unannounced Testing
- B . Double Blind Testing
- C . Announced Testing
- D . Blind Testing
Identify the person who will lead the penetration-testing project and be the client point of contact.
- A . Database Penetration Tester
- B . Policy Penetration Tester
- C . Chief Penetration Tester
- D . Application Penetration Tester
ARP spoofing is a technique whereby an attacker sends fake ("spoofed") Address Resolution Protocol (ARP) messages onto a Local Area Network. Generally, the aim is to associate the attacker’s MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.
An ARP spoofing attack is often used as an opening for other attacks.
What type of attack would you launch after successfully deploying ARP spoofing?
- A . Parameter Filtering
- B . Social Engineering
- C . Input Validation
- D . Session Hijacking
Which of the following password hashing algorithms is used in the NTLMv2 authentication mechanism?
- A . AES
- B . DES (ECB mode)
- C . MD5
- D . RC5
Which of the following will not handle routing protocols properly?
- A . “Internet-router-firewall-net architecture”
- B . “Internet-firewall-router-net architecture”
- C . “Internet-firewall -net architecture”
- D . “Internet-firewall/router(edge device)-net architecture”
TCP/IP provides a broad range of communication protocols for the various applications on the network. The TCP/IP model has four layers with major protocols included within each layer.
Which one of the following protocols is used to collect information from all the network devices?
- A . Simple Network Management Protocol (SNMP)
- B . Network File System (NFS)
- C . Internet Control Message Protocol (ICMP)
- D . Transmission Control Protocol (TCP)
The term social engineering is used to describe the various tricks used to fool people (employees, business partners, or customers) into voluntarily giving away information that would not normally be known to the general public.
What is the criminal practice of social engineering where an attacker uses the telephone system in an attempt to scam the user into surrendering private information?
- A . Phishing
- B . Spoofing
- C . Tapping
- D . Vishing
What is the maximum value of a “tinyint” field in most database systems?
- A . 222
- B . 224 or more
- C . 240 or less
- D . 225 or more
After passing her CEH exam, Carol wants to ensure that her network is completely secure. She implements a DMZ, a stateful firewall, NAT, IPSEC, and a packet filtering firewall. Since all security measures were taken, none of the hosts on her network can reach the Internet.
Why is that?
- A . IPSEC does not work with packet filtering firewalls
- B . NAT does not work with IPSEC
- C . NAT does not work with stateful firewalls
- D . Stateful firewalls do not work with packet filtering firewalls
What are the 6 core concepts in IT security?
- A . Server management, website domains, firewalls, IDS, IPS, and auditing
- B . Authentication, authorization, confidentiality, integrity, availability, and non-repudiation
- C . Passwords, logins, access controls, restricted domains, configurations, and tunnels
- D . Biometrics, cloud security, social engineering, DoS attack, viruses, and Trojans
What are the scanning techniques that are used to bypass firewall rules and logging mechanisms and disguise themselves as usual network traffic?
- A . Connect Scanning Techniques
- B . SYN Scanning Techniques
- C . Stealth Scanning Techniques
- D . Port Scanning Techniques
What is the difference between penetration testing and vulnerability testing?
- A . Penetration testing goes one step further than vulnerability testing; while vulnerability tests check for known vulnerabilities, penetration testing adopts the concept of ‘in-depth ethical hacking’
- B . Penetration testing is based on purely online vulnerability analysis while vulnerability testing engages ethical hackers to find vulnerabilities
- C . Vulnerability testing is more expensive than penetration testing
- D . Penetration testing is conducted purely for meeting compliance standards while vulnerability testing is focused on online scans
Which of the following defines the details of services to be provided for the client’s organization and the list of services required for performing the test in the organization?
- A . Draft
- B . Report
- C . Requirement list
- D . Quotation
You are the security analyst working for a private company out of France. Your current assignment is to obtain credit card information from a Swiss bank owned by that company. After initial reconnaissance, you discover that the bank security defenses are very strong and would take too long to penetrate. You decide to get the information by monitoring the traffic between the bank and one of its subsidiaries in London.
After monitoring some of the traffic, you see a lot of FTP packets traveling back and forth. You want to sniff the traffic and extract usernames and passwords.
What tool could you use to get this information?
- A . RaidSniff
- B . Snort
- C . Ettercap
- D . Airsnort
Which of the following attributes has an LM and NTLMv1 value of 64 bits + 64 bits + 64 bits and an NTLMv2 value of 128 bits?
- A . Hash Key Length
- B . C/R Value Length
- C . C/R Key Length
- D . Hash Value Length
When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?
- A . Passive IDS
- B . Active IDS
- C . Progressive IDS
- D . NIPS
Which one of the following acts makes reputational risk of poor security a reality because it requires public disclosure of any security breach that involves personal information if it is unencrypted or if it is reasonably believed that the information has been acquired by an unauthorized person?
- A . California SB 1386
- B . Sarbanes-Oxley 2002
- C . Gramm-Leach-Bliley Act (GLBA)
- D . USA Patriot Act 2001