312-50 : CEH Certified Ethical Hacker (312-50v9) : Part 14

312-50 : CEH Certified Ethical Hacker (312-50v9) : Part 14

1. A regional bank hires your company to perform a security assessment on their network after a recent data breach. The attacker was able to steal financial data from the bank by compromising only a single server.

   Based on this information, what should be one of your key recommendations to the bank?

   • Place a front-end web server in a demilitarized zone that only handles external web traffic
   • Require all employees to change their passwords immediately
   • Move the financial data to another server on the same IP subnet
   • Issue new certificates to the web servers from the root certificate authority
   Explanation:
   A DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN); an external network node only has direct access to equipment in the DMZ, rather than any other part of the network.

2. Port scanning can be used as part of a technical assessment to determine network vulnerabilities. The TCP XMAS scan is used to identify listening ports on the targeted system.

   If a scanned port is open, what happens?

   • The port will ignore the packets.
   • The port will send an RST.
   • The port will send an ACK.
   • The port will send a SYN.
   Explanation:
   An attacker uses a TCP XMAS scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with the all flags sent in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets.

3. During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network.

   What is this type of DNS configuration commonly called?

   • Split DNS
   • DNSSEC
   • DynDNS
   • DNS Scheme
   Explanation:
   In a split DNS infrastructure, you create two zones for the same domain, one to be used by the internal network, the other used by the external network. Split DNS directs internal hosts to an internal domain name server for name resolution and external hosts are directed to an external domain name server for name resolution.

4. This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools.

   Which of the following tools is being described?

   • Aircrack-ng
   • Airguard
   • WLAN-crack
   • wificracker
   Explanation:
   Aircrack-ng is a complete suite of tools to assess WiFi network security.
   The default cracking method of Aircrack-ng is PTW, but Aircrack-ng can also use the FMS/KoreK method, which incorporates various statistical attacks to discover the WEP key and uses these in combination with brute forcing.

5. The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE’s Common Vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the OpenSSL implementation of the transport layer security (TLS) protocols defined in RFC6520.

   What type of key does this bug leave exposed to the Internet making exploitation of any compromised system very easy?

   • Private
   • Public
   • Shared
   • Root
   Explanation:
   The data obtained by a Heartbleed attack may include unencrypted exchanges between TLS parties likely to be confidential, including any form post data in users’ requests. Moreover, the confidential data exposed could include authentication secrets such as session cookies and passwords, which might allow attackers to impersonate a user of the service.
   An attack may also reveal private keys of compromised parties.

6. In 2007, this wireless security algorithm was rendered useless by capturing packets and discovering the passkey in a matter of seconds. This security flaw led to a network invasion of TJ Maxx and data theft through a technique known as wardriving.

   Which Algorithm is this referring to?

   • Wired Equivalent Privacy (WEP)
   • Wi-Fi Protected Access (WPA)
   • Wi-Fi Protected Access 2 (WPA2)
   • Temporal Key Integrity Protocol (TKIP)
   Explanation:
   WEP is the currently most used protocol for securing 802.11 networks, also called wireless lans or wlans. In 2007, a new attack on WEP, the PTW attack, was discovered, which allows an attacker to recover the secret key in less than 60 seconds in some cases.

   Note: Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA).

7. This international organization regulates billions of transactions daily and provides security guidelines to protect personally identifiable information (PII). These security controls provide a baseline and prevent low-level hackers sometimes known as script kiddies from causing a data breach.

   Which of the following organizations is being described?

   • Payment Card Industry (PCI)
   • Center for Disease Control (CDC)
   • Institute of Electrical and Electronics Engineers (IEEE)
   • International Security Industry Organization (ISIO)
   Explanation:
   The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB. The PCI DSS standards are very explicit about the requirements for the back end storage and access of PII (personally identifiable information).

8. Your company performs penetration tests and security assessments for small and medium-sized business in the local area. During a routine security assessment, you discover information that suggests your client is involved with human trafficking.

   What should you do?

   • Immediately stop work and contact the proper legal authorities.
   • Copy the data to removable media and keep it in case you need it.
   • Confront the client in a respectful manner and ask her about the data.
   • Ignore the data and continue the assessment until completed as agreed.

9. Jesse receives an email with an attachment labeled “Court_Notice_21206.zip”. Inside the zip file is a file named “Court_Notice_21206.docx.exe” disguised as a word document. Upon execution, a window appears stating, “This word document is corrupt.” In the background, the file copies itself to Jesse APPDATA\local directory and begins to beacon to a C2 server to download additional malicious binaries.

   What type of malware has Jesse encountered?

   • Trojan
   • Worm
   • Macro Virus
   • Key-Logger
   Explanation:
   In computing, Trojan horse, or Trojan, is any malicious computer program which is used to hack into a computer by misleading users of its true intent. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller which can then have unauthorized access to the affected computer.

10. Which tool allows analysts and pen testers to examine links between data using graphs and link analysis?

    • Maltego
    • Cain & Abel
    • Metasploit
    • Wireshark
    Explanation:
    Maltego is proprietary software used for open-source intelligence and forensics, developed by Paterva. Maltego focuses on providing a library of transforms for discovery of data from open sources, and visualizing that information in a graph format, suitable for link analysis and data mining.

11. While using your bank’s online servicing you notice the following string in the URL bar: “http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980&Camount=21”

    You observe that if you modify the Damount & Camount values and submit the request, that data on the web page reflect the changes.

    Which type of vulnerability is present on this site?

    • Web Parameter Tampering
    • Cookie Tampering
    • XSS Reflection
    • SQL injection
    Explanation:
    The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control.

12. Perspective clients want to see sample reports from previous penetration tests.

    What should you do next?

    • Decline but, provide references.
    • Share full reports, not redacted.
    • Share full reports with redactions.
    • Share reports, after NDA is signed.
    Explanation:
    Penetration tests data should not be disclosed to third parties.

13. During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded.

    What type of firewall is inspecting outbound traffic?

    • Application
    • Circuit
    • Stateful
    • Packet Filtering
    Explanation:
    An application firewall is an enhanced firewall that limits access by applications to the operating system (OS) of a computer. Conventional firewalls merely control the flow of data to and from the central processing unit (CPU), examining each packet and determining whether or not to forward it toward a particular destination. An application firewall offers additional protection by controlling the execution of files or the handling of data by specific applications.

14. Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close.

    What just happened?

    • Piggybacking
    • Masqurading
    • Phishing
    • Whaling
    Explanation:
    In security, piggybacking refers to when a person tags along with another person who is authorized to gain entry into a restricted area, or pass a certain checkpoint.

15. You’ve gained physical access to a Windows 2008 R2 server which has an accessible disc drive. When you attempt to boot the server and log in, you are unable to guess the password. In your tool kit you have an Ubuntu 9.10 Linux LiveCD. Which Linux based tool has the ability to change any user’s password or to activate disabled Windows accounts?

    • CHNTPW
    • Cain & Abel
    • SET
    • John the Ripper
    Explanation:
    chntpw is a software utility for resetting or blanking local passwords used by Windows NT, 2000, XP, Vista, 7, 8 and 8.1. It does this by editing the SAM database where Windows stores password hashes.

16. An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to “www.MyPersonalBank.com”, that the user is directed to a phishing site.

    Which file does the attacker need to modify?

    • Hosts
    • Sudoers
    • Boot.ini
    • Networks
    Explanation:
    The hosts file is a computer file used by an operating system to map hostnames to IP addresses. The hosts file contains lines of text consisting of an IP address in the first text field followed by one or more host names.

17. After trying multiple exploits, you’ve gained root access to a Centos 6 server. To ensure you maintain access, what would you do first?

    • Create User Account
    • Disable Key Services
    • Disable IPTables
    • Download and Install Netcat

18. env x=`(){ :;};echo exploit` bash -c ‘cat /etc/passwd’

    What is the Shellshock bash vulnerability attempting to do on an vulnerable Linux host?

    • Display passwd content to prompt
    • Removes the passwd file
    • Changes all passwords in passwd
    • Add new user to the passwd file
    Explanation:
    To extract private information, attackers are using a couple of techniques. The simplest extraction attacks are in the form:
    () {:;}; /bin/cat /etc/passwd
    That reads the password file /etc/passwd, and adds it to the response from the web server. So an attacker injecting this code through the Shellshock vulnerability would see the password file dumped out onto their screen as part of the web page returned.

19. Using Windows CMD, how would an attacker list all the shares to which the current user context has access?

    • NET USE
    • NET CONFIG
    • NET FILE
    • NET VIEW
    Explanation:
    Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections.

20. A common cryptographical tool is the use of XOR. XOR the following binary values:

    10110001

    00111010

    • 10001011
    • 11011000
    • 10011101
    • 10111100
    Explanation:
    The XOR gate is a digital logic gate that implements an exclusive or; that is, a true output (1/HIGH) results if one, and only one, of the inputs to the gate is true. If both inputs are false (0/LOW) or both are true, a false output results. XOR represents the inequality function, i.e., the output is true if the inputs are not alike otherwise the output is false. A way to remember XOR is “one or the other but not both”.