Q241. Which of the following is the primary objective of a rootkit? 

A. It opens a port to provide an unauthorized service 

B. It creates a buffer overflow 

C. It replaces legitimate programs 

D. It provides an undocumented opening in a program 

Answer: C

Explanation: Actually the objective of the rootkit is more to hide the fact that a system has been compromised and the normal way to do this is by exchanging, for example, ls to a version that doesn’t show the files and process implanted by the attacker. 

Q242. Jeffery works at a large financial firm in Dallas, Texas as a securities analyst. Last week, the IT department of his company installed a wireless network throughout the building. The problem is, is that they are only going to make it available to upper management and the IT department. 

Most employees don't have a problem with this since they have no need for wireless networking, but Jeffery would really like to use wireless since he has a personal laptop that he works from as much as he can. Jeffery asks the IT manager if he could be allowed to use the wireless network but he is turned down. Jeffery is not satisfied, so he brings his laptop in to work late one night and tries to get access to the network. Jeffery uses the wireless utility on his laptop, but cannot see any wireless networks available. After about an hour of trying to figure it out, Jeffery cannot get on the company's wireless network. Discouraged, Jeffery leaves the office and goes home. 

The next day, Jeffery calls his friend who works with computers. His friend suggests that his IT department might have turned off SSID broadcasting, and that is why he could not see any wireless networks. How would Jeffrey access the wireless network? 

A. Run WEPCrack tool and brute force the SSID hashes 

B. Jam the wireless signal by launching denial of service attack 

C. Sniff the wireless network and capture the SSID that is transmitted over the wire in plaintext 

D. Attempt to connect using wireless device default SSIDs 

Answer: C

Q243. Which of the following activities will NOT be considered as passive footprinting? 

A. Go through the rubbish to find out any information that might have been discarded. 

B. Search on financial site such as Yahoo Financial to identify assets. 

C. Scan the range of IP address found in the target DNS database. 

D. Perform multiples queries using a search engine. 

Answer: C

Explanation: Passive footprinting is a method in which the attacker never makes contact with the target systems. Scanning the range of IP addresses found in the target DNS is considered making contact to the systems behind the IP addresses that is targeted by the scan. 

Q244. You want to capture Facebook website traffic in Wireshark. What display filter should you use that shows all TCP packets that contain the word 'facebook'? 

A. display==facebook 

B. traffic.content==facebook 

C. tcp contains facebook 

D. list.display.facebook 

Answer: C

Q245. You have initiated an active operating system fingerprinting attempt with nmap against a target system: 

[root@ceh NG]# /usr/local/bin/nmap -sT -O 

Starting nmap 3.28 ( www.insecure.org/nmap/) at 2003-06-18 19:14 IDT Interesting ports on (The 1628 ports scanned but not shown below are in state: closed) Port State Service 21/tcp filtered ftp 22/tcp filtered ssh 25/tcp open smtp 80/tcp open http 135/tcp open loc-srv 139/tcp open netbios-ssn 389/tcp open LDAP 443/tcp open https 465/tcp open smtps 1029/tcp open ms-lsa 1433/tcp open ms-sql-s 2301/tcp open compaqdiag 5555/tcp open freeciv 

5800/tcp open vnc-http 

5900/tcp open vnc 

6000/tcp filtered X11 

Remote operating system guess: Windows XP, Windows 2000, NT4 or 95/98/98SE Nmap run completed -- 1 IP address (1 host up) scanned in 3.334 seconds 

Using its fingerprinting tests nmap is unable to distinguish between different groups of Microsoft based operating systems - Windows XP, Windows 2000, NT4 or 95/98/98SE. 

What operating system is the target host running based on the open ports shown above? 

A. Windows XP 

B. Windows 98 SE 

C. Windows NT4 Server 

D. Windows 2000 Server 


Explanation: The system is reachable as an active directory domain controller (port 389, LDAP) 

Q246. Jack Hacker wants to break into company’s computers and obtain their secret double fudge cookie recipe. Jacks calls Jane, an accountant at company pretending to be an administrator from company. Jack tells Jane that there has been a problem with some accounts and asks her to verify her password with him “just to double check our records”. Jane does not suspect anything amiss, and parts with her password. Jack can now access company’s computers with a valid user name and password, to steal the cookie recipe. 

What kind of attack is being illustrated here? (Choose the best answer) 

A. Reverse Psychology 

B. Reverse Engineering 

C. Social Engineering 

D. Spoofing Identity 

E. Faking Identity 

Answer: C

Explanation: This is a typical case of pretexting. Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone. 

Q247. Leesa is the senior security analyst for a publicly traded company. The IT department recently rolled out an intranet for company use only with information ranging from training, to holiday schedules, to human resources data. Leesa wants to make sure the site is not accessible from outside and she also wants to ensure the site is Sarbanes-Oxley (SOX) compliant. Leesa goes to a public library as she wants to do some Google searching to verify whether the company's intranet is accessible from outside and has been indexed by Google. Leesa wants to search for a website title of "intranet" with part of the URL containing the word "intranet" and the words "human resources" somewhere in the webpage. 

What Google search will accomplish this? 

A. related:intranet allinurl:intranet:"human resources" 

B. cache:"human resources" inurl:intranet(SharePoint) 

C. intitle:intranet inurl:intranet+intext:"human resources" 

D. site:"human resources"+intext:intranet intitle:intranet 

Answer: C

Q248. Fake Anti-Virus, is one of the most frequently encountered and persistent threats on the web. This malware uses social engineering to lure users into infected websites with a technique called Search Engine Optimization. 

Once the Fake AV is downloaded into the user's computer, the software will scare them into believing their system is infected with threats that do not really exist, and then push users to purchase services to clean up the non-existent threats. 

The Fake AntiVirus will continue to send these annoying and intrusive alerts until a payment is made. 

What is the risk of installing Fake AntiVirus? 

A. Victim's Operating System versions, services running and applications installed will be published on Blogs and Forums 

B. Victim's personally identifiable information such as billing address and credit card details, may be extracted and exploited by the attacker 

C. Once infected, the computer will be unable to boot and the Trojan will attempt to format the hard disk 

D. Denial of Service attack will be launched against the infected computer crashing other machines on the connected network 

Answer: B

Q249. On a default installation of Microsoft IIS web server, under which privilege does the web server software execute? 

A. Everyone 

B. Guest 

C. System 

D. Administrator 

Answer: C

Explanation: If not changed during the installation, IIS will execute as Local System with way to high privileges. 

Q250. You are writing security policy that hardens and prevents Footprinting attempt by Hackers. Which of the following countermeasures will NOT be effective against this attack? 

A. Configure routers to restrict the responses to Footprinting requests 

B. Configure Web Servers to avoid information leakage and disable unwanted protocols 

C. Lock the ports with suitable Firewall configuration 

D. Use an IDS that can be configured to refuse suspicious traffic and pick up Footprinting patterns 

E. Evaluate the information before publishing it on the Website/Intranet 

F. Monitor every employee computer with Spy cameras, keyloggers and spy on them 

G. Perform Footprinting techniques and remove any sensitive information found on DMZ sites 

H. Prevent search engines from caching a Webpage and use anonymous registration services 

I. Disable directory and use split-DNS 

Answer: F