CEH v9: Certified Ethical Hacker Version 9 Practice Tests
Ebook, 358 pages, 2 hours

About this ebook

Master CEH v9 and identify your weak spots

CEH: Certified Ethical Hacker Version 9 Practice Tests are the ideal preparation for this high-stakes exam. Five complete, unique practice tests are designed to help you identify weak spots in your understanding, so you can direct your preparation efforts efficiently and gain the confidence—and skills—you need to pass. These tests cover all five sections of the exam, allowing you to test your knowledge of Assessment; Security; Tools and Systems; Procedures and Methodology; and Regulation, Policy, and Ethics. Coverage aligns with CEH version 9, including material on cloud, tablet, and mobile phone security and attacks, as well as the latest vulnerabilities including Heartbleed, Shellshock, and POODLE. The exams are designed to familiarize CEH candidates with the test format, allowing them to become more comfortable reading a Wireshark .pcap file or viewing visual depictions of network attacks. The ideal companion for the Sybex CEH v9 Study Guide, this book is an invaluable tool for anyone aspiring to this highly regarded certification.

Offered by the International Council of Electronic Commerce Consultants, the Certified Ethical Hacker certification is unique in the penetration testing sphere, and requires preparation specific to the CEH exam more than general IT security knowledge. This book of practice tests helps you steer your study where it needs to go by giving you a glimpse of exam day while there's still time to prepare.

  • Practice all five sections of the CEH v9 exam
  • Test your knowledge of security, tools, procedures, and regulations
  • Gauge your understanding of new vulnerabilities and threats
  • Master the material well in advance of exam day

By getting inside the mind of a hacker, you gain a one-of-a-kind perspective that dramatically boosts your marketability and advancement potential. If you're ready to attempt this unique certification, the CEH: Certified Ethical Hacker Version 9 Practice Tests are the major preparation tool you should not be without.

Language: English
Publisher: Wiley
Release date: Apr 19, 2016
ISBN: 9781119252160

    Book preview

    CEH v9 - Raymond Blockmon

    Introduction

    This exam book is designed to give the CEH candidate a realistic idea of what the CEH exam will look like. As a candidate, you should be familiar with Wireshark, Nmap, and other tools. To get the most out of these exams, you should consider constructing a virtual lab and practicing with the tools to become familiar with viewing the logs that are generated. In preparing for the CEH exam, you will benefit greatly by using YouTube. YouTube is a goldmine of information—and it’s free. It is also recommended that you keep up with the latest malware and cybersecurity news provided online. Most cybersecurity-related websites provide insight on the latest vulnerabilities and exploits that are in the wild. Keeping up to date with this information will only add value to your CEH knowledge and will help solidify your understanding even more.

    Finally, this exam book should not be the only resource you use to prepare. You should use other exam books and study guides as well. The more diverse the exposure in terms of reading and preparation material, the better. Take your time studying; invest at least one hour per day prior to your exam date.

    If you have not already read CEHv9: Certified Ethical Hacker Version 9 Study Guide by Sean-Philip Oriyano (Sybex, 2016) and you’re not seeing passing grades on these practice tests, you should invest in the Study Guide since it is an excellent resource to master any of the CEH topics that may be causing you problems.

    CHAPTER 1

    Practice Test 1

    1. Which of the following is considered a passive reconnaissance action?

    Searching through the local paper

    Calling Human Resources

    Using the nmap -sT command

    Conducting a man-in-the-middle attack

    Setting up a rogue hot spot

    2. Which encryption was selected by NIST as the principal method for providing confidentiality after the DES algorithm?

    3DES

    Twofish

    RC4

    AES

    3. What tool is able to conduct a man-in-the-middle attack on an 802.3 environment?

    Ettercap

    Cain & Abel

    Wireshark

    Nmap

    4. What is the difference between a traditional firewall and an IPS?

    Firewalls do not generate logs.

    IPS cannot drop packets.

    IPS does not follow rules.

    IPS can dissect packets.

    5. Why is it important to scan your target network slowly?

    To avoid alerting the IDS

    It is not necessary to scan the network slowly.

    To evade the firewall

    Services may not have started, so starting slowly ensures that you capture services that started late.

    6. You are the senior manager in the IT department for your company. What is the most cost-effective way to prevent social engineering attacks?

    Install HIDS.

    Ensure that all patches are up-to-date.

    Monitor and control all email activity.

    Implement user awareness training.

    7. In which phase within the ethical hacking framework do you alter or delete log information?

    Scanning and enumeration

    Gaining access

    Reconnaissance

    Covering tracks

    8. A hacker is conducting the following on the target workstation: nmap -sT 192.33.10.5. The attacker is in which phase?

    Covering tracks

    Enumeration

    Scanning and enumeration

    Gaining access

    9. Which encryption algorithm is a symmetric stream cipher?

    AES

    ECC

    RC4

    PGP

    10. What is the most important aspect when conducting a penetration test?

    Receiving a formal written agreement

    Documenting all actions and activities

    Remediating serious threats immediately

    Maintaining proper handoff with the information assurance team

    11. You are a CISO for a giant tech company. You are charged with implementing an encryption cipher for your new mobile devices that will be introduced in 2017. What encryption standard will you most likely choose?

    RC4

    MD5

    ECC

    Skipjack

    12. What does a SYN scan accomplish?

    It establishes a full TCP connection.

    It establishes only a half open connection.

    It opens an ACK connection with the target.

    It detects all closed ports on a target system.

    13. What is the major vulnerability for an ARP request?

    It sends out an address request to all the hosts on the LAN.

    The address is returned with a username and password in cleartext.

    The address request can cause a DoS.

    The address request can be spoofed with the attacker’s MAC address.

    14. You are the CISO for a popular social website. You recently learned that your web servers have been compromised with the SSL Heartbleed zero-day exploit. What will be your most likely first course of action to defend against it?

    Patch all systems.

    Establish new cryptographic keys.

    Shut down Internet-facing web services.

    Restrict access to sensitive information.

    15. In what phase is an attacker who is currently conducting a successful man-in-the-middle attack?

    Gaining access

    Maintaining access

    Reconnaissance

    Covering tracks

    16. What method of exploitation allows the adversary to test for SQL queries within the URL?

    SQL injection

    XSS

    Spear phishing

    Ruby on Rails injection method

    17. What is the default TTL value for the Microsoft Windows 7 OS?

    64

    128

    255

    256

    18. Which input value would you utilize in order to evaluate and test for SQL injection vulnerabilities?

    SQL test

    admin and password

    || or |!

    1'or'1'='1

    19. What is the downside of using SSH with Telnet when it comes to security?

    SSH encrypts the traffic and credentials.

    You cannot see what the adversary is doing.

    Data is sent in the clear.

    You do not know what keys you are using.

    20. What year did the Ping of Death first appear?

    1992

    1989

    1990

    1996

    21. Which of the following viruses was the most infectious?

    The Melissa virus

    I Love You Virus

    Blue Cross virus punter

    Stuxnet

    22. You are part of the help desk team. You receive a ticket from one of your users that their computer is periodically slow. The user also states that from time to time, documents have either disappeared or have been moved from their original location to another. You remote desktop to the user’s computer and investigate. Where is the most likely place to see if any new processes have started?

    The Processes tab in Task Manager

    C:\Temp

    The Logs tab in Task Manager

    C:\Windows\System32\User

    23. As a network engineer, you received the task of bridging two corporate facilities by way of wireless communication. These facilities are more than 20 miles apart, contain more than 400 employees at each site, and have a $20,000 budget. Each site has a single-mode fiber connection. Which antenna would you use to bridge the gap?

    Multimode fiber

    Very small aperture terminal (VSAT)

    Omnidirectional antenna

    Directional antenna

    24. What does a checksum indicate?

    That the data has made it to its destination

    That the three-way TCP/IP handshake finished

    That there were changes to the data during transit or at rest

    The size of the data after storage

    25. Out of the following, which is one of RSA’s registered key strengths?

    1,024 bits

    256 bits

    128 bits

    512 bits

    26. To provide nonrepudiation for email, which algorithm would you choose to implement?

    AES

    DSA

    3DES

    Skipjack

    27. Which of the following describes a race condition?

    Where two conditions occur at the same time and there is a chance that arbitrary commands can be executed with a user’s elevated permissions, which can then be used by the adversary

    Where two conditions cancel one another out and arbitrary commands can be used based on the user privilege level

    Where two conditions are executed under the same user account

    Where two conditions are executed simultaneously with elevated user privileges

    28. Your end clients report that they cannot reach any website on the external network. As the network administrator, you decide to conduct some fact finding. Upon your investigation, you determine that you are able to ping outside of the LAN to external websites using their IP address. Pinging websites with their domain name resolution does not work. What is most likely causing the issue?

    The firewall is blocking DNS resolution.

    The DNS server is not functioning correctly.

    The external websites are not responding.

    HTTP GET request is being dropped at the firewall from going out.

    29. You are the security administrator for your local city. You just installed a new IPS. Other than plugging it in and applying some basic IPS rules, no other configuration has been made. You come in the next morning and you discover that there was so much activity generated by the IPS in the logs that it is too time-consuming to view. What most likely caused the huge influx of logs from the IPS?

    The clipping level was established.

    There was a DoS attack on the network.

    The LAN experienced a switching loop.

    There was no baseline established.

    30. Which method would be considered a client-side attack?

    Cross-site scripting (XSS)

    Man-in-the-middle attack

    Watering hole attack

    Denial of service (DoS)

    31. As a penetration tester, only you and a few key selected individuals from the company will know of the targeted network that will be tested. You also have zero knowledge of your target other than the name and location of the company. What type of assessment is this called?

    Gray box testing

    White box testing

    Black box testing

    Blue box testing

    32. As an attacker, you found your target. You spend the next two weeks observing and watching personnel move in and move out of the facility. You also observe how the front desk handles large packages that are delivered as well as people who do not have access badges. You finally come up with a solid schedule of security patrols that you see being conducted. What is it that you are doing?

    Casing the target

    Gaining access

    Maintaining access

    Reconnaissance

    33. Which scanning tool is more likely to yield accurate results for the hacker?

    Ncat

    Nmap

    Ping

    Nslookup

    34. Why would an attacker conduct an open TCP connection scan using Ncat?

    The attacker does not want to attack the system.

    The attacker made a mistake using the nmap function.

    The attacker is trying to connect to network services.

    The attacker is trying to see what ports are open for connection.

    35. Why would an attacker want to avoid tapping into a fiber-optic line?

    It costs a lot of money to tap into a fiber line.

    If done wrong, it could cause the entire connection signal to drop, therefore bringing unwanted attention from the targeted organization.

    The network traffic would slow down significantly.

    Tapping the line could alert an IPS/IDS.

    36. You are an attacker who has successfully infiltrated your target’s web server. You performed a web defacement on the targeted organization’s website, and you were able to create your own credential with administrative privileges. Before conducting data exfiltration, what is the next move?

    Log in to the new user account that you created.

    Go back and delete or edit the logs.

    Ensure that you log out of the session.

    Ensure that you migrate to a different session and log out.

    37. What is the main drawback to using Kerberos?

    Symmetric keys can be compromised if not secured.

    Kerberos uses weak cryptography and keys can be easily cracked.

    Kerberos uses asymmetric cryptography and can be easily exploited.

    The adversary can replay the ticket-granting ticket to gain access to a system or service.

    38. Where is the password file located on a Windows system?

    C:\Windows\temp

    C:\Win\system\config

    C:\Windows\accounts\config

    C:\Windows\system32\config

    39. Which response would the adversary receive on closed ports if they conducted an XMAS scan?

    RST

    RST/ACK

    No Response

    FIN/ACK

    40. Why would the adversary encode their payload before sending it to the target victim?

    Encoding the payload will not provide any additional benefit.

    By encoding the payload, the adversary actually encrypts the payload.

    The encoded payload can bypass the firewall because there is no port associated with the payload.

    Encoding the payload can bypass IPS/IDS detection because it changes the signature.

    41. Which password is more secure?

    !9Apple

    pass123!!

    P@$$w0rD

    keepyourpasswordsecuretoyourself

    42. Which of the following best describes DNS poisoning?

    The adversary intercepts and replaces the victim’s MAC address with their own.

    The adversary replaces their malicious IP address with the victim’s IP address for the domain name.

    The adversary replaces the legitimate domain name with the malicious domain name.

    The adversary replaces the legitimate IP address that is mapped to the domain name with the malicious IP address.

    43. Which of the following allows the adversary to forge certificates for authentication?

    Wireshark

    Ettercap

    Cain & Abel

    Ncat

    44. Which encryption standard is used in WEP?

    AES

    RC5

    MD5

    RC4

    45. You are sitting inside of your office and you notice a strange person in the parking lot with what appears to be a tall antenna connected to a laptop. What is the stranger most likely doing?

    Brute-forcing their personal electronic device

    Wardriving

    Warflying

    Bluesnarfing

    46. As a network administrator, you see a familiar IP address pinging the broadcast address. What do you believe is happening?

    Smurf attack

    DNS poisoning

    Man-in-the-middle attack

    Trojan virus infecting the gateway

    47. Which best describes a denial of service (DoS)?

    Victim’s computer is infected with a virus.

    A misconfigured switch is in a switching loop.

    An adversary is forging a certificate.

    An adversary is
