EXAMTOPICS CEH QUESTIONS WITH
COMPLETE SOLUTIONS
Which of the following is a hardware requirement that either an IDS/IPS system or a
proxy server must have in order to properly function?
A. Fast processor to help with network traffic analysis
B. They must be dual-homed
C. Similar RAM requirements
D. Fast network interface cards - Correct Answers -B. They must be dual-homed
Which of the following is an application that requires a host application for replication?
A. Micro
B. Worm
C. Trojan
D. Virus - Correct Answers -D. Virus
A large company intends to use Blackberry for corporate mobile phones and a security
analyst is assigned to evaluate the possible threats. The analyst will use the
Blackjacking attack method to demonstrate how an attacker could circumvent perimeter
defenses and gain access to the corporate network. What tool should the analyst use to
perform a Blackjacking attack?
A. Paros Proxy
B. BBProxy
C. BBCrack
D. Blooover - Correct Answers -B. BBProxy
Which of the following can the administrator do to verify that a tape backup can be
recovered in its entirety?
A. Restore a random file.
B. Perform a full restore.
C. Read the first 512 bytes of the tape.
D. Read the last 512 bytes of the tape. - Correct Answers -B. Perform a full restore.
Which of the following describes the characteristics of a Boot Sector Virus?
,A. Moves the MBR to another location on the RAM and copies itself to the original
location of the MBR
B. Moves the MBR to another location on the hard disk and copies itself to the original
location of the MBR
C. Modifies directory table entries so that directory entries point to the virus code
instead of the actual program
D. Overwrites the original MBR and only executes the new virus code - Correct Answers
-B. Moves the MBR to another location on the hard disk and copies itself to the original
location of the MBR
Which statement is TRUE regarding network firewalls preventing Web Application
attacks?
A. Network firewalls can prevent attacks because they can detect malicious HTTP
traffic.
B. Network firewalls cannot prevent attacks because ports 80 and 443 must be opened.
C. Network firewalls can prevent attacks if they are properly configured.
D. Network firewalls cannot prevent attacks because they are too complex to configure.
- Correct Answers -B. Network firewalls cannot prevent attacks because ports 80 and
443 must be opened.
Which of the following programs is usually targeted at Microsoft Office products?
A. Polymorphic virus
B. Multipart virus
C. Macro virus
D. Stealth virus - Correct Answers -C. Macro virus
Bluetooth uses which digital modulation technique to exchange information between
paired devices?
A. PSK (phase-shift keying)
B. FSK (frequency-shift keying)
C. ASK (amplitude-shift keying)
D. QAM (quadrature amplitude modulation) - Correct Answers -A. PSK (phase-shift
keying)
In order to show improvement of security over time, what must be developed?
A. Reports
,B. Testing tools
C. Metrics
D. Taxonomy of vulnerabilities - Correct Answers -C. Metrics
Passive reconnaissance involves collecting information through which of the following?
A. Social engineering
B. Network traffic sniffing
C. Man in the middle attacks
D. Publicly accessible sources - Correct Answers -D. Publicly accessible sources
How can rainbow tables be defeated?
A. Password salting
B. Use of non-dictionary words
C. All uppercase character passwords
D. Lockout accounts under brute force password cracking attempts - Correct Answers -
A. Password salting
The following is a sample of output from a penetration tester's machine targeting a
machine with the IP address of 192.168.1.106:What is most likely taking place?
[ATTEMPT] target 192.168.1.106 - login "root" - pass "a" 1 of 20
[ATTEMPT] target 192.168.1.106 - login "root" - pass "123" 2 of 20
[ATTEMPT] target 192.168.1.106 - login "testuser" - pass "a" 1 of 20
[ATTEMPT] target 192.168.1.106 - login "testuser" - pass "123" 3 of 20
A. Ping sweep of the 192.168.1.106 network
B. Remote service brute force attempt
C. Port scan of 192.168.1.106
D. Denial of service attack on 192.168.1.106 - Correct Answers -B. Remote service
brute force attempt
An NMAP scan of a server shows port 25 is open. What risk could this pose?
A. Open printer sharing
B. Web portal data leak
C. Clear text authentication
D. Active mail relay - Correct Answers -D. Active mail relay
A penetration tester is conducting a port scan on a specific host. The tester found
several ports opened that were confusing in concluding the Operating System(OS)
version installed. Considering the NMAP result below, which of the following is likely to
be installed on the target machine by the OS?
starting nmap 5.21 at 2011-03-15 11:6
, nmap scan report for 172.16.40.65
Host is up (1.00s latency)
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
515/tcp open
613/tcp open ipp
9100/tcp open
MAC address 00:00:48:0D:EE:89
A. The host is likely a Windows machine.
B. The host is likely a Linux machine.
C. The host is likely a router.
D. The host is likely a printer. - Correct Answers -D. The host is likely a printer.
What type of OS fingerprinting technique sends specially crafted packets to the remote
OS and analyzes the received response?
A. Passive
B. Reflective
C. Active
D. Distributive
Reveal Solution - Correct Answers -C. Active
Which of the following lists are valid data-gathering activities associated with a risk
assessment?
A. Threat identification, vulnerability identification, control analysis
B. Threat identification, response identification, mitigation identification
C. Attack profile, defense profile, loss profile
D. System profile, vulnerability identification, security determination - Correct Answers -
A. Threat identification, vulnerability identification, control analysis
A penetration tester is hired to do a risk assessment of a company's DMZ. The rules of
engagement states that the penetration test be done from an external IP address with
no prior knowledge of the internal IT systems. What kind of test is being performed?
A. white box
B. grey box
C. red box
D. black box - Correct Answers -D. black box
COMPLETE SOLUTIONS
Which of the following is a hardware requirement that either an IDS/IPS system or a
proxy server must have in order to properly function?
A. Fast processor to help with network traffic analysis
B. They must be dual-homed
C. Similar RAM requirements
D. Fast network interface cards - Correct Answers -B. They must be dual-homed
Which of the following is an application that requires a host application for replication?
A. Micro
B. Worm
C. Trojan
D. Virus - Correct Answers -D. Virus
A large company intends to use Blackberry for corporate mobile phones and a security
analyst is assigned to evaluate the possible threats. The analyst will use the
Blackjacking attack method to demonstrate how an attacker could circumvent perimeter
defenses and gain access to the corporate network. What tool should the analyst use to
perform a Blackjacking attack?
A. Paros Proxy
B. BBProxy
C. BBCrack
D. Blooover - Correct Answers -B. BBProxy
Which of the following can the administrator do to verify that a tape backup can be
recovered in its entirety?
A. Restore a random file.
B. Perform a full restore.
C. Read the first 512 bytes of the tape.
D. Read the last 512 bytes of the tape. - Correct Answers -B. Perform a full restore.
Which of the following describes the characteristics of a Boot Sector Virus?
,A. Moves the MBR to another location on the RAM and copies itself to the original
location of the MBR
B. Moves the MBR to another location on the hard disk and copies itself to the original
location of the MBR
C. Modifies directory table entries so that directory entries point to the virus code
instead of the actual program
D. Overwrites the original MBR and only executes the new virus code - Correct Answers
-B. Moves the MBR to another location on the hard disk and copies itself to the original
location of the MBR
Which statement is TRUE regarding network firewalls preventing Web Application
attacks?
A. Network firewalls can prevent attacks because they can detect malicious HTTP
traffic.
B. Network firewalls cannot prevent attacks because ports 80 and 443 must be opened.
C. Network firewalls can prevent attacks if they are properly configured.
D. Network firewalls cannot prevent attacks because they are too complex to configure.
- Correct Answers -B. Network firewalls cannot prevent attacks because ports 80 and
443 must be opened.
Which of the following programs is usually targeted at Microsoft Office products?
A. Polymorphic virus
B. Multipart virus
C. Macro virus
D. Stealth virus - Correct Answers -C. Macro virus
Bluetooth uses which digital modulation technique to exchange information between
paired devices?
A. PSK (phase-shift keying)
B. FSK (frequency-shift keying)
C. ASK (amplitude-shift keying)
D. QAM (quadrature amplitude modulation) - Correct Answers -A. PSK (phase-shift
keying)
In order to show improvement of security over time, what must be developed?
A. Reports
,B. Testing tools
C. Metrics
D. Taxonomy of vulnerabilities - Correct Answers -C. Metrics
Passive reconnaissance involves collecting information through which of the following?
A. Social engineering
B. Network traffic sniffing
C. Man in the middle attacks
D. Publicly accessible sources - Correct Answers -D. Publicly accessible sources
How can rainbow tables be defeated?
A. Password salting
B. Use of non-dictionary words
C. All uppercase character passwords
D. Lockout accounts under brute force password cracking attempts - Correct Answers -
A. Password salting
The following is a sample of output from a penetration tester's machine targeting a
machine with the IP address of 192.168.1.106:What is most likely taking place?
[ATTEMPT] target 192.168.1.106 - login "root" - pass "a" 1 of 20
[ATTEMPT] target 192.168.1.106 - login "root" - pass "123" 2 of 20
[ATTEMPT] target 192.168.1.106 - login "testuser" - pass "a" 1 of 20
[ATTEMPT] target 192.168.1.106 - login "testuser" - pass "123" 3 of 20
A. Ping sweep of the 192.168.1.106 network
B. Remote service brute force attempt
C. Port scan of 192.168.1.106
D. Denial of service attack on 192.168.1.106 - Correct Answers -B. Remote service
brute force attempt
An NMAP scan of a server shows port 25 is open. What risk could this pose?
A. Open printer sharing
B. Web portal data leak
C. Clear text authentication
D. Active mail relay - Correct Answers -D. Active mail relay
A penetration tester is conducting a port scan on a specific host. The tester found
several ports opened that were confusing in concluding the Operating System(OS)
version installed. Considering the NMAP result below, which of the following is likely to
be installed on the target machine by the OS?
starting nmap 5.21 at 2011-03-15 11:6
, nmap scan report for 172.16.40.65
Host is up (1.00s latency)
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
515/tcp open
613/tcp open ipp
9100/tcp open
MAC address 00:00:48:0D:EE:89
A. The host is likely a Windows machine.
B. The host is likely a Linux machine.
C. The host is likely a router.
D. The host is likely a printer. - Correct Answers -D. The host is likely a printer.
What type of OS fingerprinting technique sends specially crafted packets to the remote
OS and analyzes the received response?
A. Passive
B. Reflective
C. Active
D. Distributive
Reveal Solution - Correct Answers -C. Active
Which of the following lists are valid data-gathering activities associated with a risk
assessment?
A. Threat identification, vulnerability identification, control analysis
B. Threat identification, response identification, mitigation identification
C. Attack profile, defense profile, loss profile
D. System profile, vulnerability identification, security determination - Correct Answers -
A. Threat identification, vulnerability identification, control analysis
A penetration tester is hired to do a risk assessment of a company's DMZ. The rules of
engagement states that the penetration test be done from an external IP address with
no prior knowledge of the internal IT systems. What kind of test is being performed?
A. white box
B. grey box
C. red box
D. black box - Correct Answers -D. black box
