
A-Faire-QCM 1 2 3


QCM 1: Essential Knowledge

In this test you will

- Identify components of TCP/IP computer networking
- Understand basic elements of information security
- Understand incident management steps
- Identify fundamentals of security policies
- Identify essential terminology associated with ethical hacking
- Define ethical hacker and classifications of hackers
- Describe the five stages of ethical hacking
- Define the types of system attacks

Questions
1. Elements of security include confidentiality, integrity, and availability. Which technique provides for
integrity?
A. Encryption
B. Uninterruptible power supply
C. Hash
D. Passwords

2. A hacker grows frustrated in his attempts against a network server and performs a successful
denial-of-service attack. Which security element is being compromised?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication

3. As security in the enterprise increases,
A. ease of use increases and functionality decreases.
B. functionality increases and ease of use decreases.
C. ease of use decreases and functionality increases.
D. functionality decreases and ease of use decreases.

4. An ethical hacker is hired to test the security of a business network. The CEH is given no prior
knowledge of the network and has a specific framework in which to work, defining boundaries,
nondisclosure agreements, and the completion date. Which of the following is a true statement?
A. A white hat is attempting a black-box test.
B. A white hat is attempting a white-box test.
C. A black hat is attempting a black-box test.
D. A black hat is attempting a gray-box test.

5. When an attack by a hacker is politically motivated, the hacker is said to be participating in
A. black-hat hacking.
B. gray-box attacks.
C. gray-hat attacks.
D. hacktivism.

6. Two hackers attempt to crack a company's network resource security. One is considered an ethical
hacker, whereas the other is not. What distinguishes the ethical hacker from the "cracker"?
A. The cracker always attempts white-box testing.
B. The ethical hacker always attempts black-box testing.
C. The cracker posts results to the Internet.
D. The ethical hacker always obtains written permission before testing.

7. In which stage of an ethical hack would the attacker actively apply tools and techniques to gather more
in-depth information on the targets?
A. Active reconnaissance
B. Scanning and enumeration
C. Gaining access
D. Passive reconnaissance

8. Which type of attack is generally conducted as an inside attacker with elevated privileges on the
resources?
A. Gray box
B. White box
C. Black box
D. Active reconnaissance

9. Which attacks take advantage of the built-in code and scripts most off-the-shelf applications come
with?
A. OS attacks
B. Bit flipping
C. Misconfiguration
D. Shrink-wrap

10. Your company has a document that spells out exactly what employees are allowed to do on their
computer systems. It also defines what is prohibited and what consequences await those who break the
rules. A copy of this document is signed by all employees prior to their network access. Which of the
following best describes this policy?

A. Information Security Policy
B. Special Access Policy
C. Information Audit Policy
D. Network Connection Policy

11. Sally is a member of a pen test team newly hired to test a bank's security. She begins searching for
IP addresses the bank may own by searching public records on the Internet. She also looks up news
articles and job postings to discover information that may be valuable. What phase of the pen test is
Sally working?
A. Preparation
B. Assessment
C. Conclusion
D. Reconnaissance

12. Joe is a security engineer for a firm. His company downsizes, and Joe discovers he will be laid off
within a short amount of time. Joe plants viruses and sets about destroying data and settings throughout
the network, with no regard to being caught. Which type of hacker is Joe considered to be?
A. Hacktivist
B. Suicide hacker
C. Black hat
D. Script kiddie

13. Which of the following is a preventive control?
A. Good security policy
B. Audit trails
C. Good continuity of operations plans
D. Smartcard authentication measures
E. Alarm bells

QCM 2: Reconnaissance: Information Gathering for the Ethical Hacker

In this test you will

- Define active and passive footprinting
- Identify methods and procedures in information gathering
- Understand the use of whois, ARIN, and nslookup
- Describe DNS record types
- Define and describe Google hacking
- Use Google hacking in footprinting

1. You've been hired to test security for a business headquartered in Chile. Which regional registry would
be the best place to go for network range determination?
A. APNIC B. RIPE C. ARISK D. LACNIC

2. While footprinting a network, you successfully perform a zone transfer. Which DNS record in the zone
transfer indicates the company's e-mail server?
A. MX B. EM C. SOA D. PTR

3. Which of the following best describes the role that the U.S. Computer Security Incident Response
Team (CSIRT) provides?
A. Vulnerability measurement and assessments for the U.S. Department of Defense
B. A reliable and consistent point of contact for all incident response services for associates of the
Department of Homeland Security
C. Incident response services for all Internet providers
D. Pen test registration for public and private sector

4. An SOA record gathered from a zone transfer is shown here:

    @ IN SOA DNSRV1.anycomp.com. postmaster.anycomp.com. (
        4      ; serial number
        3600   ; refresh [1h]
        600    ; retry [10m]
        86400  ; expire [1d]
        3600 ) ; min TTL [1h]

What is the name of the authoritative DNS server for the domain, and how often will secondary servers
check in for updates?
A. DNSRV1.anycomp.com, 3,600 seconds
B. DNSRV1.anycomp.com, 600 seconds
C. DNSRV1.anycomp.com, 4 seconds
D. postmaster.anycomp.com, 600 seconds

5. A security peer is confused about a recent incident. An attacker successfully accessed a machine in
the organization and made off with some sensitive data. A full vulnerability scan was run immediately
following the theft, and nothing was discovered. Which of the following best describes what may have
happened?
A. The attacker took advantage of a zero-day vulnerability on the machine.
B. The attacker performed a full rebuild of the machine after he was done.
C. The attacker performed a denial-of-service attack.
D. Security measures on the device were completely disabled before the attack began.

6. Which footprinting tool or technique can be used to find the names and addresses of employees or
technical points of contact?
A. whois B. nslookup C. dig D. traceroute

7. Which Google hack would display all pages that have the words SQL and Version in their titles?
A. inurl:SQL inurl:version
B. allinurl:SQL version
C. intitle:SQL inurl:version
D. allintitle:SQL version

8. Which of the following is a passive footprinting method? (Choose all that apply.)
A. Checking DNS replies for network mapping purposes
B. Collecting information through publicly accessible sources
C. Performing a ping sweep against the network range
D. Sniffing network traffic through a network tap

9. Which DNS record type maps an IP address to a hostname and is used most often for DNS lookups?
A. NS B. MX C. A D. SOA

10. You have an FTP service and an HTTP site on a single server. Which DNS record allows you to alias
both services to the same record (IP address)?
A. NS B. SOA C. CNAME D. PTR

11. As a pen test team member, you begin searching for IP ranges owned by the target organization and
discover their network range. You also read job postings and news articles and visit the organization's
website. Throughout the first week of the test, you also observe when employees come to and leave work
and rummage through the trash outside the building for useful information. Which type of footprinting are
you accomplishing?
A. Active B. Passive C. Reconnaissance D. None of the above

QCM 3: Scanning and Enumeration

In this test you will

- Describe scan types and the objectives of scanning
- Understand the use of various scanning and enumeration tools
- Describe TCP communication (three-way handshake and flag types)
- Understand OS fingerprinting through banner grabbing
- Understand enumeration and its techniques
- Describe NULL sessions and their countermeasures
- Describe SNMP enumeration and its countermeasures
- Describe the steps involved in performing enumeration

1. Which of the following is not part of EC-Council's CEH scanning methodology?
A. Perform banner grabbing.
B. Draw network diagrams.
C. Check for live systems.
D. Prepare proxies.
E. Scan for vulnerabilities.
F. Try social engineering.

2. You want to perform banner grabbing against a machine (168.15.22.4) you suspect as being a web
server. Assuming you have the correct tools installed, which of the following command-line entries will
successfully perform a banner grab? (Choose all that apply.)
A. telnet 168.15.22.4 80
B. telnet 80 168.15.22.4
C. nc -v -n 168.15.22.4 80
D. nc -v -n 80 168.15.22.4

3. You've decided to begin scanning against a target organization but want to keep your efforts as quiet
as possible. Which IDS evasion technique splits the TCP header among multiple packets?
A. Fragmenting
B. Null session
C. Proxy scanning
D. Half-open scanning

4. You're using Nmap to run port scans. What syntax will attempt a half-open scan as stealthily as
possible?
A. nmap -sT 192.168.1.0/24 -T0
B. nmap -sX 192.168.1.0/24 -T0
C. nmap -sO 192.168.1.0/24 -T0
D. nmap -sS 192.168.1.0/24 -T0

5. What flag or flags are sent in the segment during the second step of the TCP three-way handshake?
A. SYN
B. ACK
C. SYN/ACK
D. ACK/FIN

6. You are port scanning a system and begin sending TCP packets with the FIN flag set. A response
from the host on a particular port comes back as RST/ACK. Which of the following is a true statement
regarding the response?
A. The response indicates an open port.
B. The response indicates a closed port.
C. The response doesn't provide enough information to determine port status.
D. FIN probe packets do not generate this type of response.

7. An ethical hacker is ACK scanning against a network segment he knows is sitting behind a stateful
firewall. If a scan packet receives no response, what does that indicate?
A. The port is filtered at the firewall.
B. The port is not filtered at the firewall.
C. The firewall allows the packet, but the device has the port closed.
D. It is impossible to determine any port status from this response.

8. Which flag forces a termination of communications in both directions?
A. RST
B. FIN
C. ACK
D. PSH

9. You are examining the output of a recent SYN scan. You see a port from one machine has returned an
RST/ACK. What is the state of the port?
A. Open
B. Closed
C. Filtered
D. Unknown

10. What is the term used to describe searching for open modems on a target?
A. Port scanning
B. Vulnerability scanning
C. War driving
D. War dialing

11. Which of the following methods of concealment involves a hacker spoofing an IP address to have
packets returned directly to him regardless of the routers between sender and receiver?
A. Proxy server
B. Anonymizer
C. Filtering
D. Source routing

12. You're running an IDLE scan and send the first packet to the target machine.
Next, the SYN/ACK packet is sent to the zombie. The IPID on the return packet from the zombie is
36754. If the starting IPID was 36753, in what state is the port on the target machine?
A. Open
B. Closed
C. Unknown
D. None of the above

13. Which of the following best describes the term fingerprinting?
A. Efforts to discover a target's operating system
B. Efforts to discover a target's system name
C. Identifying live targets on a network segment
D. None of the above

14. An ethical hacker is sending TCP packets to a machine with the SYN flag set.
None of the SYN/ACK responses on open ports is being answered. Which type of port scan is this?
A. Ping sweep
B. XMAS
C. Half-open
D. Full
