EC-Council CEH Exam Questions
Page 6 of 65
101.
How can attackers prevent system administrators from detecting unauthorized changes?
- By clearing or modifying system logs
- By scanning for open ports
- By using encrypted communication
- By deploying a keylogger
Correct answer: By clearing or modifying system logs
Clearing or modifying system logs can erase traces of unauthorized activities, preventing system administrators from detecting changes or intrusions.
While port scanning, encrypted communication, and deploying keyloggers serve various purposes in the hacking process, only the direct manipulation of logs effectively hides unauthorized changes in the system logs.
102.
What do "Blue Teams" primarily focus on in cybersecurity exercises?
- Defending and securing IT systems
- Attacking and exploiting vulnerabilities
- Analyzing malware and its origin
- Training employees on cybersecurity practices
Correct answer: Defending and securing IT systems
Blue Teams are oriented toward defense, with a primary focus on securing systems and thwarting attacks. Most organizations are more likely to have an internal security team performing Blue Team activities than an offensive security team (sometimes referred to as a Red Team).
The other options, while part of the broader cybersecurity landscape, don't define a Blue Team's core mission.
103.
Which tool can aid in determining weak or default credentials on a large number of devices within an organization's network?
- Hydra
- Nbtscan
- Armitage
- Tcpdump
Correct answer: Hydra
Hydra is known as a versatile password-cracking tool that can be used against various protocols. It can aid in determining weak or default credentials easily within an organization's network.
Nbtscan is used for scanning IP networks for NetBIOS name information. Armitage is a graphical cyber attack management tool for Metasploit, and Tcpdump is a packet analyzer.
104.
What is the primary aim of impersonation attacks on social media platforms?
- To deceive individuals by posing as someone they trust
- To increase followers on a fake profile
- To engage in social media advertising
- To participate in online debates
Correct answer: To deceive individuals by posing as someone they trust
Impersonation attacks on social media platforms primarily aim to deceive individuals by posing as someone they trust or know. This guise can be used for a variety of malicious activities such as phishing, spreading disinformation, or other deceptive tactics.
While increasing followers might be a side effect of a successful impersonation, it's not the primary aim. Engaging in advertising or online debates does not inherently involve impersonation.
105.
Which of the following is not a function of the tool MegaPing?
- Password cracking
- IP scanning
- Port scanning
- Ping sweeps
Correct answer: Password cracking
The tool MegaPing does not contain any password-cracking functionality.
MegaPing is a GUI-based tool that runs on Windows. MegaPing has multiple functions in regard to network troubleshooting. MegaPing can be used to perform a ping sweep as an IP scanner and as a port scanner.
106.
To provide a robust security network framework, which encryption protocol would be most suitable for corporate environments due to its support for server-based authentication?
- WPA Enterprise
- WPA Personal
- WPA2 Personal
- WEP
Correct answer: WPA Enterprise
WPA Enterprise is designed for use in enterprise environments because it supports server-based authentication, typically using a RADIUS server.
WPA Enterprise is more secure than WPA Personal and WPA2 Personal, which use a Pre-Shared Key (PSK) and are intended for home and small office networks. WEP is an older and less secure encryption standard and is not suitable for a robust security framework.
107.
When analyzing network traffic, what might indicate a honeypot if it exists in higher than typical amounts?
- Tarpit connections
- DNS requests
- SSL/TLS handshakes
- ICMP redirects
Correct answer: Tarpit connections
Tarpit connections, where connections are intentionally delayed to frustrate or monitor attackers, can indicate the presence of a honeypot.
While excessive DNS requests, SSL/TLS handshakes, or ICMP redirects can be suspicious, they aren't direct indicators of a honeypot.
108.
How many possible TCP ports exist?
- 65,536
- 1,024
- 48,127
- 16,383
Correct answer: 65,536
Since the transport protocols use 2 bytes for the port numbers in their headers, this means there are 65,536 possible ports. The possible ports are 0-65535. Although the value 0 is reserved and implies an unspecified source or destination, it still technically exists.
Out of the 65,536 ports that exist, 1,024 of these ports (ports 0-1023) are considered to be well-known ports and include ports like 22 for SSH and 80 for HTTP. The 48,127 port numbers from 1024 to 49151 are referred to as registered ports, while the remaining 16,383 port numbers are considered dynamic, private, and ephemeral.
109.
Which vulnerability assessment type is focused on identifying vulnerabilities within an organization's internal network?
- Internal assessment
- External assessment
- Database assessment
- Passive assessment
Correct answer: Internal assessment
Internal assessments are focused on identifying vulnerabilities within an organization's internal network. During an internal assessment, scans are done against the internal infrastructure to discover vulnerabilities and possible exploits.
External assessments target vulnerabilities that are visible from the public internet. Passive assessments monitor network traffic without actively sending packets, and database assessments specifically evaluate databases.
110.
What type of cloud computing threat is primarily involved in intercepting and redirecting users to malicious sites or services?
- DNS poisoning
- API vulnerability exploitation
- Credential cracking
- Insecure interfaces
Correct answer: DNS poisoning
DNS poisoning, also known as DNS spoofing, is a threat where the attacker intercepts and redirects users to malicious sites or services by corrupting (or poisoning) the DNS resolution process.
API vulnerability exploitation involves attacking the Application Programming Interfaces (APIs) directly, not redirecting traffic. Insecure interfaces can lead to unauthorized access but are not specifically about traffic redirection. Credential cracking refers to obtaining unauthorized access by breaking password security, not redirecting users.
111.
What is an in-band SQL injection attack?
- An attack exploiting the same communication channel to launch the attack and gather results
- A legitimate process of database mirroring and replication
- A technique for database administrators to manage SQL transactions
- A method where error messages are used to optimize database performance
Correct answer: An attack exploiting the same communication channel to launch the attack and gather results
In-band SQL injection is a type of SQL injection attack that uses the same communication channel to both launch the attack and gather results, typically through visible error messages or direct database query outputs. The key characteristic of in-band SQL injection is its reliance on a single channel for both attack delivery and data extraction, making it one of the simpler forms of SQL injection to execute and detect.
In-band SQL injection is not a method for database performance optimization, a technique for managing transactions, or a legitimate database process like mirroring or replication.
112.
Which cloud threat could involve the unintentional exposure of cloud storage data due to misconfigured security settings?
- Improper access management
- Data remanence
- Advanced Persistent Threat (APT)
- Insecure Direct Object References (IDOR)
Correct answer: Improper access management
Improper access management often leads to the unintentional exposure of cloud storage data due to misconfigured security settings such as permissions or access controls.
An Advanced Persistent Threat (APT) is a prolonged and targeted cyberattack where an unauthorized user gains access to a network and remains undetected for an extended period. Insecure Direct Object References (IDOR) involve the exposure of internal implementation objects, like files and database keys. Data remanence refers to the residual representation of data that has been nominally erased or removed, not to misconfigurations leading to data exposure.
113.
Which technique is used by attackers to manipulate users into revealing confidential information often by posing as a trusted entity?
- Phishing
- Port scanning
- Buffer overflow
- Traffic analysis
Correct answer: Phishing
Phishing is a method where attackers deceive users into disclosing confidential data often by pretending to be a trusted source. Phishing is typically done via email, but SMS phishing and voice phishing over the phone are becoming increasingly popular.
Port scanning detects open ports on a system. Buffer overflow exploits vulnerabilities in software by overwriting memory. Traffic analysis involves studying patterns of network traffic.
114.
In the context of vulnerability assessments, what do false positives refer to?
- Incorrectly identified vulnerabilities that don't exist
- Genuine vulnerabilities that can be safely ignored
- Accurate results that directly lead to a breach
- Vulnerabilities found outside the assessment scope
Correct answer: Incorrectly identified vulnerabilities that don't exist
In vulnerability assessments, false positives refer to incorrectly identified vulnerabilities that don't actually exist in the assessed system. They represent errors in the assessment process. The four categories of vulnerabilities include false positives, false negatives, true positives, and true negatives.
Accurate results that directly lead to a breach would be considered a true positive. The other options do not accurately define any of the vulnerability categories.
115.
Which wireless packet sniffer is particularly useful for its open-source nature and ability to work with a variety of wireless cards, making it flexible for different testing environments?
- Kismet
- CommView for WiFi
- SteelCentral Packet Analyzer
- OmniPeek Network Protocol Analyzer
Correct answer: Kismet
Kismet is a widely-used, open-source wireless network detector, sniffer, and intrusion detection system. It supports many wireless cards and is flexible for use in various testing scenarios. It is highly customizable due to its open-source nature.
CommView for WiFi is commercial and not open-source. SteelCentral focuses on network performance, and OmniPeek is known for protocol analysis.
116.
What could be a consequence of a successful directory traversal attack?
- The attacker could gain unauthorized read and/or execute access to system files
- The attacker could delete the server's directory structure
- The attacker could increase the storage space used by the server
- The attacker could install new operating systems on the server
Correct answer: The attacker could gain unauthorized read and/or execute access to system files
The consequence of a successful directory traversal attack is that the attacker could potentially gain unauthorized read and execute access to system files, which can lead to data theft, server compromise, or further exploitation.
Deleting directories, increasing storage space, or installing new operating systems are not direct consequences of directory traversal.
117.
How can network segmentation act as a malware countermeasure?
- By limiting the spread of malware across different network segments
- By accelerating network traffic
- By updating software automatically
- By generating fake traffic to confuse attackers
Correct answer: By limiting the spread of malware across different network segments
Network segmentation divides a network into multiple segments or subnets. If malware infects one segment, the segmentation can help limit its spread to other parts of the network, containing the threat.
Accelerating network traffic, auto-updating software, and generating fake traffic are not primary functions or benefits of network segmentation.
118.
When performing an SQL injection attack, what is the significance of the following symbol ('--')?
- It signifies the end of an SQL command to the database parser
- It is used to encrypt the remainder of the SQL query
- It allows the attacker to temporarily disable parts of the SQL query for testing
- It is used to add a comment to the SQL code for clarity
Correct answer: It signifies the end of an SQL command to the database parser
In the context of an SQL injection attack, the comment symbol ('--') is used to signify the end of the SQL command to the database parser. This can effectively hide the remainder of the query, which may include malicious SQL code, from being processed by security filters or logs.
The comment ('--') symbol is not used for encrypting, disabling parts of the query, or adding clarity to the code from an attacker's perspective.
119.
When deploying MDM, what is a common security measure to prevent unauthorized access if a device is compromised?
- Implementing strong device encryption
- Disabling camera function
- Restricting access to gaming websites
- Limiting screen timeout settings
Correct answer: Implementing strong device encryption
A common security measure when deploying MDM is to implement strong device encryption, which protects the data on the device if it is lost or stolen.
Disabling the camera, restricting access to certain websites, and limiting screen timeout are security measures but are not as critical as encryption for preventing data access.
120.
Hoang noticed the line Received: from mailserver1.company.com ([192.168.0.10]) in an email header. What can this information be used for in email footprinting?
- It identifies an internal mail server of the sender's organization
- It provides the public IP address of the sender
- It reveals the content of the email
- It specifies the email's encryption method
Correct answer: It identifies an internal mail server of the sender's organization
The line Received: from mailserver1.company.com ([192.168.0.10]) gives details about an internal mail server that processed the email. It would tell Hoang that the internal mail server is mailserver1.company.com.
The IP address displayed is a private IP address, not the public IP address of the sender. The line does not provide information about the contents of the email or the encryption method in use.