Page 1: ECSA.v2011-05-17 pdf

EC Council Security Analyst/LPT

Number: 79 -412
Passing Score: 800
Time Limit: 120 min
File Version: 1.0

Exam A

QUESTION 1
Heather is a licensed penetration tester working on contract for the city of Miami for 6 months. Heather has performed a number of tests against their network and now is reviewing their IT policies and procedures. Heather has commended them for their procedures when it comes to logging and backing up their log files. She has noticed that they have automatic processes that back up their SQL databases and transaction log files on a production server and restore them onto a standby server. What is this process called?

A. Log parsing is what this process is called

B. This procedure when carried out in this manner is called backlogging

C. This process is called transact-restore

D. Backing up SQL databases and log files and restoring them to a standby server is called log shipping

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 2
Gerald is a pen tester working on contract to audit and test the network of the New York Lottery. Under new state laws, the lottery must undergo an external audit at least once a year. According to the lottery, the most important function they carry out is the nightly drawing of numbers for all their games. This process must measure up to the most stringent set of guidelines and rules; otherwise all players would lose faith in the lottery itself. One way the lottery accomplishes this is with the use of MD5 checksums. Reports are printed out before each drawing to ensure that all numbers balance. On these pre-draw reports there is a checksum number. This checksum must exactly match the checksum on the report that is run after the drawing to ensure that nothing was tampered with or changed. What principle is being used here by the lottery to ensure reliability?

A. The authorization of those with access to the reports is being verified by using MD5 checksums before and after the drawings

B. The principle of integrity is being used here, verifying that no data has been changed

C. Since the drawings are such a vital function to the lottery, they must ensure the availability of the reports by using the checksums

D. The MD5 checksums ensure the confidentiality of the data being used

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 3
Why is it essential that security analysts know Cisco routers inside and out?

A. 25% of Internet core routers are Cisco

B. 75% of Enterprise routers are Cisco

C. 99% of Enterprise routers are Cisco

D. 90% of Internet core routers are Cisco

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 4
John and Hillary work in the same department in the company. John wants to find out Hillary’s network password so he can take a look at her documents on the file server. He sets the L0phtCrack program to sniffing mode. John sends Hillary an email with a link to \\FileServer1\sales.xls
What information will he be able to gather from this?

A. The SAM file from Hillary’s computer

B. The SID of Hillary’s network account

C. Hillary’s network username and password hash

D. The network shares that Hillary has permissions

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 5
Blake is a licensed penetration tester working as the chief information officer for the California Lottery. Blake has been asked to set up an internal IIS web server on a Windows 2003 Server machine to host an Intranet for the agency. When Blake sets up IIS with the default configuration, where will the log files be sent to for the web service?

A. As with all events on Windows 2003 server, the log files will be sent to C:\Windows\system32\inetsrv\W3SVC1

B. C:\Windows\system32\LogFiles\W3SVC1 is the default logging directory for IIS

C. Blake will need to look for the IIS log files in C:\Programfiles\inetsrv\LogFiles\W3SVC1 since that is the default

D. The log files will be saved to C:\Windows\inetsrv\LogFiles\W3SVC1 which is the default for IIS

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 6
Henry is a network administrator for Teryson Incorporated, a shipping company based out of Chicago. Henry is preparing his network for an external audit that will take place in one month. Henry’s company uses VoIP phones throughout the office which are very feature-rich, but pose a security threat if not protected. Henry decides to shut off all ports from his internal subnet to another subnet that contains his servers, except for the standard SIP ports. After doing this, all the IP phones are not able to download the custom configuration that was set up and available on the VoIP server. Henry checks his firewall logs and sees that the phones are trying to connect to the VoIP server using TFTP to get the configurations. What must Henry do to allow traffic to pass between the subnets so that the phones can download the necessary configuration files?

A. Henry must open UDP port 69 on his firewall in order for the phones to get the configuration files

B. He needs to disable NAT on the border firewall so the subnets can talk to each other

C. UDP port 21 needs to be open on the firewall so the configuration files can get to the phones

D. An IPSEC tunnel using UDP port 23 needs to be created

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 7
George is a senior security analyst working for a state agency in Florida. His state’s congress just passed a bill mandating every state agency to undergo a security audit annually. After learning what will be required, George needs to implement an IDS as soon as possible before the first audit occurs. The state bill requires that an IDS with a "time-based induction machine" be used. What IDS feature must George implement to meet this requirement?

A. Real-time anomaly detection

B. Statistical-based anomaly detection

C. Pattern matching

D. Signature-based anomaly detection

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 8
Lyle is a licensed penetration tester working as a network administrator for Jacobson & Associates. Lyle has been asked by his supervisor to audit the network of a partner company on the other side of town. Through some Nessus scans, Lyle is able to see that the company is running an FTP, web, and email server on a publicly accessible IP subnet. Through vulnerabilities on the web server, Lyle is able to execute some arbitrary code and gain administrative access on the server. Lyle then tries to find other workstations or servers on the same subnet, but the scans do not turn up any results. What scheme has the partner company implemented to separate the FTP, web, and email servers?

A. The partner company has implemented a DMZ which separates the public facing computers from the internal ones

B. An RRAS solution was used to route the networks separately to keep the internal IPs hidden

C. An implementation of NAT was used to hide internal IPs and separate the public facing computers

D. The scheme used by the partner company was to implement PAT to hide internal IPs and separate the public facing computers

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 9
Tyler is a licensed penetration tester helping a company write signatures for a Snort node they placed internally that captures all mirrored traffic from their border firewall. From the following signature, what will Snort look for in the payload of the suspected packets?
alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "BACKDOOR SIG - SubSseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;)

A. From this snort signature, packets with HOME_NET 27374 in the payload will be flagged

B. The payload of 485 is what this Snort signature will look for

C. Packets that contain the payload of BACKDOOR SIG - SubSseven 22 will be flagged

D. Snort will look for 0d0a5b52504c5d3030320d0a in the payload

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 10
Victor is a licensed penetration tester working on contract for a large financial institution in Miami. After signing the legal agreements for the testing he will perform, Victor examines the security policies that are currently in place at the company. To his surprise, the company actually has an Internet and remote users policy, but it is the most lax he has ever seen. The policy states that there are no restrictions on Internet usage and that anyone in the company can gain remote access. What is this type of policy called?

A. Many smaller companies without the financial resources choose to use this type of policy; a prudent policy

B. This type of policy is called an all-inclusive policy

C. A permissive policy, as seen here, is essentially wide open

D. This is called a promiscuous policy since it is essentially wide open

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 11
Rita is a licensed penetration tester working as the senior security analyst for Mytime Incorporated, an ISP based out of Seattle. Rita has been asked to travel to one of the company’s branch offices to perform a network security audit. Rita takes her laptop and plugs it into a port inside the office. Right away she is able to get an IP address apparently from the office’s DHCP server. Rita starts up Wireshark and is immediately able to sniff large amounts of traffic. Rita stops the capture, examines the logs, and is able to see numerous packets being sent around to the MAC address 01:00:0C:CC:CC:CC. What can she deduce from this MAC address?

A. If network equipment such as routers and switches are seen sending out packets with the source MAC address as seen here, they are susceptible to ARP cache poisoning

B. From this specific MAC address, Rita can deduce that they are using Juniper routers

C. She can tell that they are using Cisco routers

D. Routers running in hub mode normally use this specific MAC address

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 12
What is the following command trying to accomplish?
C:\> nmap -sU -p445 192.168.0.0/24

A. Verify that NETBIOS is running on 192.168.0.0 network

B. Verify that UDP port 445 is open on 192.168.0.0 network

C. Verify that TCP port 445 is open on 192.168.0.0 network

D. Verify that UDP port 445 is closed on 192.168.0.0 network

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 13
Bill is a licensed penetration tester working as the chief security analyst for On The Move Incorporated, a car rental company based out of Kansas City. Bill is currently performing an audit on all company networks in each office throughout the United States. Bill did not let any of the Network Administrators of the offices know that this audit was occurring so he could get a better measure of their network’s security. Bill begins scanning what appears to be a DMZ of the office in Kansas City. From the scan, Bill can see ports listening for SFTP, web, and email traffic which is normal. But Bill also finds another machine listening on port 3389, which infuriates him since he has told all the Network Administrators that this port is not allowed to be open. Why would Bill be angry about finding out this information?

A. Windows Messaging runs on port 3389, which transfers data in clear text

B. Bill is angry because RDP runs on port 3389 and it is not secure to have that open in a DMZ

C. Port 3389 is used by SNMP which is inherently insecure, especially when used in a DMZ

D. Bill is most likely angry because TFTP runs on port 3389

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 14
You work as an IT security auditor hired by a law firm in Boston to test whether you can gain access to sensitive information about the company’s clients. You have rummaged through their trash and found very little information. You do not want to set off any alarms on their network, so you plan on performing passive footprinting against their Web servers. What tool should you use?

A. Dig

B. Nmap

C. Netcraft

D. Ping sweep

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 15
After undergoing an external IT audit, George realizes his network is vulnerable to DDoS attacks. What countermeasures could he take to prevent DDoS attacks?

A. Enable BGP

B. Disable BGP

C. Disable direct broadcasts

D. Enable direct broadcasts

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 16
Tyler is a licensed penetration tester who just signed a contract with Anytime Productions, an entertainment company based out of Hollywood. Tyler has been asked by the company to perform security audits at all of their 15 offices spread throughout the United States. Tyler has no prior knowledge about any of the company’s networks. What type of penetration testing is Tyler going to perform?

A. Since Tyler has no information about the company’s systems, this would be called a white-box test

B. When a penetration tester is not informed or told about a network that will be tested, that test is called a grey-box test

C. Tyler is going to perform a black-box test since he does not know anything about the networks

D. This method of penetration testing is referred to as an orange-book test since Tyler does not know anything about the networks

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 17
Travis is the chief security analyst for a large construction company in Memphis. After undergoing a recent IT security audit, Travis’ company was told to implement more security measures if they wanted to become ISO certified. Travis was told that he needed a network-based IPS to monitor and block traffic if needed. Travis does not have money in his budget for any commercial products, so he decides to use Snort. What Snort mode should Travis run to block traffic coming into his network?

A. Travis would have to run Snort in core-wall mode

B. Travis should run Snort in inline mode to block traffic coming into his network

C. If Travis wants to block traffic and he wants Snort to be network based, he should run Snort in NIDS mode

D. Snort’s pass-through mode would be able to accomplish what Travis needs

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 18
Simon is studying for his ECSA/LPT test and is having difficulty with certain topics. Simon is a network administrator at his job and thus does not have to write or program at all. The ECSA/LPT section on exploits has a large amount of coding and scripting languages, so Simon is struggling. Simon cannot figure out or understand why it repeatedly states that Linux is easier to write exploits for than Windows. Why is it easier to write exploits for Linux?

A. Shellcode for Windows is only written in a proprietary Microsoft language, thus making it harder to exploit than Linux

B. Since the shellcode for Linux is only written in C++, it is easier to exploit

C. It is easier to write exploits for Linux because the shellcode for Linux can be as small as 24 bytes

D. The larger the shellcode, the easier an operating system is to exploit. Since Linux shellcode can be as large as 800 bytes, it is easier to exploit than Windows

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 19
Lori is a pen tester working for Yertas Associates, an IT consulting firm out of Austin, Texas. Lori is currently working on contract at a manufacturing company in Dallas, ensuring that they are compliant with all necessary regulations and standards. The first step that Lori carries out in a pen test is to ensure the company has all the processes in place that properly recognize the identity of an individual when he or she attempts to gain access to any systems. What is this first process that Lori checks on?

A. The first process that Lori checks is the authentication of individuals before access to systems is granted

B. She checks to make sure that the users are authorized to gain access to the company’s systems

C. Lori checks the confidentiality of the users’ IDs to ensure that sensitive information is not leaked

D. The availability of a user’s account, whether it is active or locked

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 20
Jason has set up a honeypot environment by creating a DMZ that has no physical or logical access to his production network. In this honeypot, he has placed a server running Windows Active Directory. He has also placed a Web server in the DMZ that services a number of web pages that offer visitors a chance to download sensitive information by clicking on a button. A week later, Jason finds in his network logs how an intruder accessed the honeypot and downloaded sensitive information. Jason uses the logs to try and prosecute the intruder for stealing sensitive corporate information. Why will this not be viable?

A. Intruding into a honeypot is not illegal

B. Enticement

C. Entrapment

D. Intruding into a DMZ is not illegal

Answer: B
Section: (none)

Explanation/Reference:

Exam B

QUESTION 1
You are running through a series of tests on your network to check for security vulnerabilities. After normal working hours, you initiate a DoS attack against your external firewall. The firewall quickly freezes up and becomes unusable. You then initiate an FTP connection from an external IP into your internal network. The connection is successful even though you have blocked FTP at the external firewall. What has happened?

A. The firewall failed-bypass

B. The firewall’s ACL has been purged

C. The firewall failed-open

D. The firewall failed-closed

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 2
George passed his ECSA/LPT exam about 6 months ago and now is about to start his first external penetration test for a company. Before any testing can begin, the company has asked George to sign an agreement that outlines the framework for his external and internal testing. This agreement ensures that there is a common understanding of the limitations, constraints, liabilities, and indemnification considerations prior to the tests. What has the company asked George to sign?

A. The company has asked George to sign the rules of behavior

B. George has to sign a non-disclosure clause, which creates the common understanding of limitations, constraints, and liabilities between George and the company

C. George has been asked by the company to sign a mea culpa clause, outlining the limitations, constraints, and liabilities of the test

D. The ISO 27002 title clause is what the company has asked George to sign, outlining all restrictions to the test

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 3
After passing her CEH exam, Carol wants to ensure that her network is completely secure. She implements a DMZ, stateful firewall, NAT, IPSEC, and a packet filtering firewall. Since all security measures were taken, none of the hosts on her network can reach the Internet. Why is that?

A. Stateful firewalls do not work with packet filtering firewalls

B. IPSEC does not work with packet filtering firewalls

C. NAT does not work with IPSEC

D. NAT does not work with stateful firewalls

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 4
You are an IT security consultant attempting to gain access to State of New Hampshire’s network. After trying numerous routes of attack, you are still unsuccessful. You decide to perform a Google search for ftp.nh.st.us to check if the New Hampshire’s network utilized an FTP site. You find information about their FTP site, and from there you are able to perform a thorough scan of their network. What type of scan have you just performed?

A. RPC scan

B. FTP backdoor scan

C. FTP bounce scan

D. SYN scan

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 5
Kyle is the chief network security analyst for Yertas Shipping, a logistics company based out of San Francisco. Kyle is also a licensed penetration tester. Kyle is working from a laptop at a WiFi hotspot performing Nessus scans against his company’s network trying to see where any weaknesses might be. Kyle finds that the built-in tests are not enough, so he wants to create his own custom security tests with Nessus. What can Kyle use to create his own custom tests for Nessus?

A. Nessus-Perl is a scripting language that can be used to create custom Nessus scripts

B. Kyle can use NASL, the scripting language built into Nessus, to create his own custom scripts

C. There is a built-in Nessus scripting language called STAR that will allow Kyle to create his own custom scripts

D. Kyle should use the scripting language NSPT, which is a built-in native language for Nessus

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 6
James is testing the ability of his routers to withstand DoS attacks. James sends ICMP ECHO requests to the broadcast address of his network. What type of DoS attack is James testing against his network?

A. Trinoo

B. Fraggle

C. Smurf

D. SYN flood

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 7
Your company’s network just finished going through a SAS 70 audit. This audit reported that overall, your network is secure, but there are some areas that need improvement. The major area was SNMP security. The audit company recommended turning off SNMP, but that is not an option since you have so many remote nodes to keep track of. What step could you take to help secure SNMP on your network?

A. Block access to UDP port 171

B. Change the default community string names

C. Block all internal MAC addresses from using SNMP

D. Block access to TCP port 171

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 8
Meyer Electronics Systems just recently had a number of laptops stolen out of their office. These laptops contained sensitive corporate information regarding patents and company strategies. A month after the laptops were stolen, a competing company was found to have just developed products that almost exactly duplicated products that Meyer produces. What could have prevented this information from being stolen from the laptops?

A. SDW Encryption

B. EFS Encryption

C. IPS Encryption

D. DFS Encryption

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 9
At which layer of the OSI model does a screened router function?

A. Physical layer

B. Data link layer

C. Session layer

D. Network layer

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 10
After undergoing a security audit, it was suggested that a hardened computer be placed in the DMZ to run firewall software. What is this hardened computer called?

A. Bastion firewall

B. Perimeter firewall

C. Perimeter host

D. Bastion host

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 11
George is the network administrator of a large Internet company on the west coast. Per corporate policy, none of the employees in the company are allowed to use FTP or SFTP programs without obtaining approval from the IT department. A few managers are using an SFTP program on their computers. Before talking to his boss, George wants to have some proof of their activity. George wants to use Ethereal to monitor network traffic, but only SFTP traffic to and from his network. What filter should George use in Ethereal?

A. net port 22

B. udp port 22 and host 172.16.28.1/24

C. src port 23 and dst port 23

D. src port 22 and dst port 22

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 12
Cylie is a licensed penetration tester currently working on contract for Greyson Team Builders, a building contractor company based out of Dallas. Cylie has set up a network probe on the network perimeter to analyze traffic coming into and going out of their network. Cylie looks at the log files and notices an enormous amount of ICMP traffic with the type field of 8. What does this ICMP type field indicate?

A. The type 8 field means the ICMP packet is performing an echo request

B. The type 8 field in the ICMP packet means that the host is saying whether it is open or closed

C. From this type field, Cylie can infer that the Ping packet is performing an echo reply

D. It indicates that the host keep-alive message is being sent

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 13
Sally is a licensed penetration tester that is about to begin auditing the network security for a bank in central Michigan. Sally has to make a presentation to the Executives explaining what tasks will be carried out and why. Sally also shows them the risk involved when referring to information and assets. The formula she shows them is:
R = A x T x V
In this formula, what does the “T” stand for?

A. A company or organization’s information assets

B. Perceived targets is represented by the “T” when calculating risk

C. The vulnerable time span of an information asset in regards to risk

D. The “T” stands for perceived threat

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 14
You are working on a thesis for your doctorate degree in Computer Science. Your thesis is based on HTML, DHTML, and other web-based languages and how they have evolved over the years. You navigate to archive.org and view the HTML code of news.com. You then navigate to the current news.com website and copy over the source code. While searching through the code, you come across something abnormal:
<img src=http://coolwebsearch.com/ads/pixel.news.com width=1 height=1 border=0>
What have you found?

A. Web bug

B. Blind bug

C. Trojan.downloader

D. CGI code

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 15
On Linux/Unix based web servers, what privilege should the daemon service be run under?

A. Root

B. Guest

C. Something other than root

D. You cannot determine what privilege runs the daemon service

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 16
Zane is a licensed penetration tester working as a network administrator for a large car rental company in Miami. Zane is currently performing his annual security audit against the company’s entire network. Zane is plugged into a port inside his company and is using Macof to flood the ARP cache of a network switch. If this MAC flooding technique works, what will happen to that network switch?

A. Depending on the switch manufacturer, the device will either delete every entry in its ARP cache or reroute packets to the nearest switch

B. If the ARP cache is flooded the switch will drop into pix mode making it less susceptible to attacks

C. The switch will drop into hub mode if the ARP cache of the switch is successfully flooded

D. Zane should never perform this type of attack on a production switch since it would turn the switch off completely, disrupting network traffic

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 17
Sharon is about to begin penetration tests against a manufacturing company’s network that hired her on for a one year contract. Throughout each step of her test, she must document meticulously what actions she takes. Sharon attempts to break into some of the network’s devices using an SNMP hack. In her documentation, what TCP/IP layer should she write down as being attacked by this SNMP hack?

A. SNMP normally uses the application layer, but SNMP hacks must occur on the Internet layer

B. Sharon should document that this attack occurs on the application layer

C. SNMP exists on the transport layer, so that is the layer she should write down the attack as occurring

D. She should write that the attack occurs on the network access layer

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 18
Madison is the IT director for Lincoln Financial, an investment company based out of Seattle. Madison’s company just underwent an external information systems audit and they passed every test with flying colors. Since she has proven herself to the executives, she wants to convince them to allow her to implement wireless throughout the office. Their main concern is that the wireless network would be too slow to run all the network-based applications they run. Madison assures the executives that if they use 802.11n, there will be plenty of bandwidth. What is the maximum raw data rate available in 802.11n?

A. If they choose to use 802.11n, the maximum data rate available is 54 Mbps

B. The maximum data rate available in 802.11n is 600 Mbps

C. 100 Mbps is the maximum data rate available when using the wireless standard 802.11n

D. Since the maximum data rate available in 802.11n is only 2.4 Mbps, Madison should recommend this as a solution

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 19
You are a security analyst performing a penetration test for a company in the Midwest. After some initial reconnaissance, you discover the IP addresses of some Cisco routers used by the company. You type in the following URL that includes the IP address of one of the routers:
http://172.168.4.131/level/99/exec/show/config
After typing in this URL, you are presented with the configuration file for that router. What have you discovered?

A. Cisco IOS Arbitrary Administrative Access Online Vulnerability

B. URL Obfuscation Arbitrary Administrative Access Vulnerability

C. HTTP Configuration Arbitrary Administrative Access Vulnerability

D. HTML Configuration Arbitrary Administrative Access Vulnerability

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 20
Simon is a licensed penetration tester working under contract for the state of Oregon. He has been hired on to perform network audits for every state agency. Through some social engineering, Simon was able to discover that the Oregon department of transportation uses a Citrix server to connect remote users to their main office. If Simon wanted to scan the agency’s network for servers using Citrix, how could he accomplish that?

A. Simon needs to search for port 5900 to find servers running Citrix

B. Simon can tell which servers are running Citrix if he can successfully connect to their IPs on port 6250

C. Since Citrix runs on TCP port 389, Simon would need to scan the servers for that port to see which ones are running that service

D. To scan the agency’s network for Citrix servers, Simon needs to search for port 2598

Answer: D
Section: (none)

Explanation/Reference:

Exam C

QUESTION 1
When setting up a wireless network with multiple access points, why is it important to set each access point on a different channel?

A. Multiple access points can be set up on the same channel without any issues

B. Avoid over-saturation of wireless signals

C. Avoid cross talk

D. So that the access points will work on different frequencies

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 2
Xavier is a licensed penetration tester who works for Getright Technologies, an IT security consulting firm based out of Boston. Xavier and a team of consultants have flown to St. Louis to perform a complete external audit on a company. This company, before any testing can begin, asks that Xavier and his team sign a legal document that prevents them from talking about any sensitive information they might find in the testing process. What has the company asked Xavier and his team to sign?

A. A FERPA document, otherwise known as a closed-lip agreement, was what the company asked Xavier and his team to sign

B. Xavier has been asked by the company to sign a Habeas corpus document, specifying how Xavier and his team cannot release the sensitive information found in the test

C. The company has asked Xavier and his team to sign an NDA document

D. In order to proceed with the tests, Xavier and his team were asked to sign an ascension clause

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 3

Cindy is an IT consultant currently working on-site at Hesterman & Associates, a large law firm in Dallas. Hesterman & Associates has hired Cindy to perform an external IT audit so that they can become ISO 27001 certified. After performing some footprinting and passive scanning steps, she is able to log on to one of the company’s servers to find out some more information. What should Cindy do to find out all the ports the server is listening on?

A. She should open a command window and type in: finger -an

B. On the company’s servers, Cindy needs to type in CMD at the Run line and type in: tracert -r

C. Cindy should open a command window and type in: netstat -an

D. Cindy needs to open a telnet session and type in: netcat -an

Answer: C

Section: (none)

Explanation/Reference:

QUESTION 4

Thompson is a licensed penetration tester working on a two-month contract for Tyler Associates, a marketing firm based out of Dallas. Thompson was asked to first examine and audit the company’s website to see how secure it is. Thompson performs searches and research on the Internet for records referring to the company. Thompson was able to find an article on a national news website that pointed back to the company’s site. From the article’s title, it appeared that there was a data leak at the company a couple of months ago that led to customer information being stolen. When Thompson clicked on the link, it said that the page could not be found. Where can Thompson go that might have an old record of what the company’s website used to look like?

A. Whois.com is a very useful website when looking for past versions of a website

B. Thompson can perform the following search on Google: rewind.org:“name of company’s website” to see past versions of the website

C. If Thompson wants to see past versions of the website, he can go to the Library of Congress since they archive websites as well as books

D. Thompson can go to archive.org to see past versions of the website

Answer: D

Section: (none)

Explanation/Reference:

QUESTION 5

Travis is the owner of an IT security company and is also a licensed penetration tester. Travis’ company has been contracted by the city of Cleveland to audit the networks of every school in the city’s district. Travis and his company usually base their testing on the different regulations that a hiring company falls under. What regulatory act should Travis’ company use to measure the schools against?

A. Since Travis’ company will be testing schools, the SOX act is the primary regulation that they should be measured against

B. Travis’ company needs to use the Gramm-Leach-Bliley act to measure the schools against

C. The HIPPA act, which regulates education and educational institutions, should be followed when testing the schools

D. If Travis’ company wants to base their testing on the specific regulation that applies to this school district, they should use the FERPA act

Answer: D

Section: (none)

Explanation/Reference:


QUESTION 6

Michael is a certified penetration tester working on contract with the US Department of Defense. Michael has been hired on to test all the internal and external websites that the department hosts. Michael performs a number of Google searches against their sites. When Michael tries to navigate to the specific pages he finds, he keeps getting an HTTP/1.1 error page with message code of 407. What does this specific error message mean?

A. Michael can see from the error message that the website cannot be found

B. This means that proxy authentication is required

C. This error means that the page requires a client certificate

D. This tells Michael that the page must be displayed with a high-security web browser

Answer: B

Section: (none)

Explanation/Reference:

QUESTION 7

Jayson is the chief network security analyst for Simonton Incorporated, a large investment firm with offices all over the world. Jayson is using a tool that simulates an attack against his company’s website. Jayson runs Wireshark to capture and display the traffic to and from the website. If Jayson wants to display just HTTP request packets, what filter should he use in Wireshark?

A. There is no specific filter in Wireshark that will only display HTTP request packets. He must sort those packets out by hand.

B. The filter in Wireshark that will display HTTP request packets is the get.request filter

C. Jayson should use the http.request filter to see HTTP request packets

D. The tshark.timerequest filter is the correct filter to use if he wants to display HTTP request packets

Answer: C

Section: (none)

Explanation/Reference:

QUESTION 8

Jacob is the network administrator for his company, a large investment firm based out of Miami. Jacob wants to ensure that his company is as secure as possible, so he decides to hire an outside IT consulting firm to perform some penetration tests next month. Before that company performs their tests, Jacob wants to secure the network as much as possible, according to industry standards. What standard for information security management could Jacob follow to help prepare for the upcoming penetration test?

A. There is no de facto standard for information management security, so he should rely entirely on the external company

B. The ISO 27000 regulation is what Jacob needs to adhere to in order to prepare for the tests

C. If Jacob wants to prepare his company, he should purchase the ISO 9000 standard which is the blanket standard for all information systems

D. Jacob should read and follow the ISO 27002 standard for information management to prepare for the upcoming penetration test

Answer: D

Section: (none)

Explanation/Reference:

QUESTION 9

You are performing a security analysis of a company’s website, running on IIS 6.0, which contains over 200 web pages. You use HTTrack to pull all the pages and files to your local computer for examination. After examining all the images and JavaScript files, you pore through the HTML code on each and every page. On a contact page, you find the following code that you believe should not be there:

<a href="shell:cache\..\..\Local Settings\temp\install.exe">

What is the purpose of this code?

A. Copy install.exe from the company’s web server to the local user that clicks on the link

B. This code will do nothing since IIS 6.0 will stop this from executing

C. Execute install.exe in the profile of any user that clicks on the link

D. Open up a command shell that allows install.exe to run from the web server

Answer: C

Section: (none)

Explanation/Reference:

QUESTION 10

Why are Linux/Unix based computers better to use than Windows computers for idle scanning?

A. Linux/Unix computers are constantly talking

B. Windows computers are constantly talking

C. Linux/Unix computers are easier to compromise

D. Windows computers will not respond to idle scans

Answer: B

Section: (none)

Explanation/Reference:


QUESTION 11

At what layer of the OSI model do routers function?

A. 3

B. 4

C. 5

D. 1

Answer: A

Section: (none)

QUESTION 12

An "idle" system is also referred to as what?

A. Zombie

B. PC not being used

C. Bot

D. PC not connected to the Internet

Answer: A

Section: (none)

QUESTION 13

What operating system would respond to the following command?

A. Mac OS X

B. Windows XP

C. Windows 95

D. FreeBSD

Answer: D

Section: (none)

Explanation/Reference:

QUESTION 14

How many bits is the Source Port Number in the TCP header?

A. 48

B. 32

C. 64

D. 16

Answer: D

Section: (none)


Explanation/Reference:

QUESTION 15

Simon is a former employee of Trinitron XML Inc. He feels he was wrongly terminated and wants to hack into his former company's network. Since Simon remembers some of the server names, he attempts to run the axfr and ixfr commands using DIG. What is Simon trying to accomplish here?

A. Enumerate all the users in the domain

B. Perform DNS poisoning

C. Send DOS commands to crash the DNS servers

D. Perform a zone transfer

Answer: D

Section: (none)

Explanation/Reference:

QUESTION 16

You are carrying out the last round of testing for your new website before it goes live. The website has many dynamic pages and connects to a SQL backend that accesses your product inventory in a database. You come across a web security site that recommends inputting the following code into a search field on web pages to check for vulnerabilities:

<script>alert("This is a test.")</script>

When you type this and click on search, you receive a pop-up window that says:

"This is a test."

What is the result of this test?

A. Your website is vulnerable to web bugs

B. Your website is vulnerable to CSS

C. Your website is not vulnerable

D. Your website is vulnerable to SQL injection

Answer: B

Section: (none)

Explanation/Reference:

QUESTION 17

After attending a CEH security seminar, you make a list of changes you would like to perform on your network to increase its security. One of the first things you change is to switch the RestrictAnonymous setting from 0 to 1 on your servers. This, as you were told, would prevent anonymous users from establishing a null session on the server. Using the Userinfo tool mentioned at the seminar, you succeed in establishing a null session with one of the servers. Why is that?

A. RestrictAnonymous must be set to "2" for complete security


B. RestrictAnonymous must be set to "3" for complete security

C. There is no way to always prevent an anonymous null session from establishing

D. RestrictAnonymous must be set to "10" for complete security

Answer: A

Section: (none)

Explanation/Reference:

QUESTION 18

What will the following command accomplish?

A. Test ability of a router to handle over-sized packets

B. Test the ability of a router to handle fragmented packets

C. Test the ability of a WLAN to handle fragmented packets

D. Test the ability of a router to handle under-sized packets

Answer: A

Section: (none)

Explanation/Reference:

QUESTION 19

What are the security risks of running a "repair" installation for Windows XP?

A. There are no security risks when running the "repair" installation for Windows XP

B. Pressing Shift+F1 gives the user administrative rights

C. Pressing Ctrl+F10 gives the user administrative rights

D. Pressing Shift+F10 gives the user administrative rights

Answer: D

Section: (none)

Explanation/Reference:

QUESTION 20

You are the security analyst working for a private company out of France. Your current assignment is to obtain credit card information from a Swiss bank owned by that company. After initial reconnaissance, you discover that the bank security defenses are very strong and would take too long to penetrate. You decide to get the information by monitoring the traffic between the bank and one of its subsidiaries in London. After monitoring some of the traffic, you see a lot of FTP packets traveling back and forth. You want to sniff the traffic and extract usernames and passwords. What tool could you use to get this information?

A. RaidSniff

B. Snort

C. Ettercap


D. Airsnort

Answer: C

Section: (none)

Explanation/Reference:


Exam D

QUESTION 1

You are assisting a Department of Defense contract company to become compliant with the stringent security policies set by the DoD. One such strict rule is that firewalls must only allow incoming connections that were first initiated by internal computers. What type of firewall must you implement to abide by this policy?

A. Circuit-level proxy firewall

B. Packet filtering firewall

C. Application-level proxy firewall

D. Stateful firewall

Answer: D

Section: (none)

Explanation/Reference:

QUESTION 2

You are running known exploits against your network to test for possible vulnerabilities. To test the strength of your virus software, you load a test network to mimic your production network. Your software successfully blocks some simple macro and encrypted viruses. You decide to really test the software by using virus code where the code rewrites itself entirely and the signatures change from child to child, but the functionality stays the same. What type of virus is this that you are testing?

A. Metamorphic

B. Oligomorphic

C. Polymorphic

D. Transmorphic

Answer: A

Section: (none)

QUESTION 3

In a virtual test environment, Michael is testing the strength and security of BGP using multiple routers to mimic the backbone of the Internet. This project will help him write his doctoral thesis on "bringing down the Internet". Without sniffing the traffic between the routers, Michael sends millions of RESET packets to the routers in an attempt to shut one or all of them down. After a few hours, one of the routers finally shuts itself down. What will the other routers communicate between themselves?

A. More RESET packets to the affected router to get it to power back up

B. RESTART packets to the affected router to get it to power back up

C. The change in the routing fabric to bypass the affected router

D. STOP packets to all other routers warning of where the attack originated

Answer: C

Section: (none)


QUESTION 4

Your company uses Cisco routers exclusively throughout the network. After securing the routers to the best of your knowledge, an outside security firm is brought in to assess the network security. Although they found very few issues, they were able to enumerate the model, OS version, and capabilities for all your Cisco routers with very little effort. Which feature will you disable to eliminate the ability to enumerate this information on your Cisco routers?

A. Simple Network Management Protocol

B. Broadcast System Protocol

C. Cisco Discovery Protocol

D. Border Gateway Protocol

Answer: C

Section: (none)

Explanation/Reference:

QUESTION 5

George is performing security analysis for Hammond and Sons LLC. He is testing security vulnerabilities of their wireless network. He plans on remaining as "stealthy" as possible during the scan. Why would a scanner like Nessus not be recommended in this situation?

A. Nessus is too loud

B. There are no ways of performing a "stealthy" wireless scan

C. Nessus cannot perform wireless testing

D. Nessus is not a network scanner

Answer: A

Section: (none)

QUESTION 6

Jim performed a vulnerability analysis on his network and found no potential problems. He runs another utility that executes exploits against his system to verify the results of the vulnerability test. The second utility executes five known exploits against his network that the vulnerability analysis said were not exploitable. What kind of results did Jim receive from his vulnerability analysis?

A. True negatives

B. False negatives

C. False positives

D. True positives

Answer: B

Section: (none)

Explanation/Reference:


QUESTION 7

You work as a penetration tester for Hammond Security Consultants. You are currently working on a contract for the state government of California. Your next step is to initiate a DoS attack on their network. Why would you want to initiate a DoS attack on a system you are testing?

A. Use attack as a launching point to penetrate deeper into the network

B. Demonstrate that no system can be protected against DoS attacks

C. List weak points on their network

D. Show outdated equipment so it can be replaced

Answer: C

Section: (none)

Explanation/Reference:

QUESTION 8

To test your website for vulnerabilities, you type in a quotation mark for the username field. After you click Ok, you receive the following error message window:

What can you infer from this error window?

Exhibit:

A. SQL injection is not possible

B. SQL injection is possible

C. The user for line 3306 in the SQL database has a weak password

D. The quotation mark is a valid username

Answer: B

Section: (none)

Explanation/Reference:

QUESTION 9

Harold is a web designer who has completed a website for ghttech.net. As part of the maintenance agreement he signed with the client, Harold is performing research online and seeing how much exposure the site has received so far. Harold navigates to google.com and types in the following search.

link:www.ghttech.net

What will this search produce?


A. All sites that link to ghttech.net

B. Sites that contain the code: link:www.ghttech.net

C. All sites that ghttech.net links to

D. All search engines that link to .net domains

Answer: A

Section: (none)

Explanation/Reference:

QUESTION 10

Jessica works as systems administrator for a large electronics firm. She wants to scan her network quickly to detect live hosts by using ICMP ECHO Requests. What type of scan is Jessica going to perform?

A. Smurf scan

B. Tracert

C. Ping trace

D. ICMP ping sweep

Answer: D

Section: (none)

Explanation/Reference:

QUESTION 11

Harold wants to set up a firewall on his network but is not sure which one would be the most appropriate. He knows he needs to allow FTP traffic to one of the servers on his network, but he wants to only allow FTP-PUT. Which firewall would be most appropriate for Harold's needs?

A. Application-level proxy firewall

B. Data link layer firewall

C. Packet filtering firewall

D. Circuit-level proxy firewall

Answer: A

Section: (none)

Explanation/Reference:

QUESTION 12

Jonathan is a network administrator who is currently testing the internal security of his network. He is attempting to hijack a session, using Ettercap, of a user connected to his Web server. Why will Jonathan not succeed?

A. Only an HTTPS session can be hijacked

B. Only DNS traffic can be hijacked

C. Only FTP traffic can be hijacked


D. HTTP protocol does not maintain session

Answer: D

Section: (none)

QUESTION 13

What is a good security method to prevent unauthorized users from "tailgating"?

A. Electronic key systems

B. Man trap

C. Pick-resistant locks

D. Electronic combination locks

Answer: B

Section: (none)

Explanation/Reference:

QUESTION 14

If an attacker's computer sends an IPID of 31400 to a zombie computer on an open port in IDLE scanning, what will be the response?

A. 31401

B. The zombie will not send a response

C. 31402

D. 31399

Answer: A

Section: (none)

Explanation/Reference:

QUESTION 15

What will the following URL produce in an unpatched IIS Web Server?

http://www.thetargetsite.com/scripts/..%co%af../..%co%af../windows/system32/cmd.exe?/c+dir+c:\

A. Execute a buffer flow in the C: drive of the web server

B. Insert a Trojan horse into the C: drive of the web server

C. Directory listing of the C:\windows\system32 folder on the web server

D. Directory listing of C: drive on the web server

Answer: D

Section: (none)

QUESTION 16

A packet is sent to a router that does not have the packet destination address in its route table. How will the packet get to its proper destination?

A. Root Internet servers

B. Border Gateway Protocol

C. Gateway of last resort

D. Reverse DNS

Answer: C

Section: (none)

QUESTION 17

Larry is an IT consultant who works for corporations and government agencies. Larry plans on shutting down the city's network using BGP devices and zombies. What type of Penetration Testing is Larry planning to carry out?

A. Internal Penetration Testing

B. Firewall Penetration Testing

C. DoS Penetration Testing

D. Router Penetration Testing

Answer: C

Section: (none)

QUESTION 18

You are a security analyst performing reconnaissance on a company you will be carrying out a penetration test for. You conduct a search for IT jobs on Dice.com and find the following information for an open position:

7+ years experience in Windows Server environment
5+ years experience in Exchange 2000/2003 environment
Experience with Cisco Pix Firewall, Linksys 1376 router, Oracle 11i and MYOB v3.4 Accounting software are required
MCSA desired, MCSE, CEH preferred
No Unix/Linux Experience needed

What is this information posted on the job website considered?

A. Information vulnerability

B. Social engineering exploit

C. Trade secret

D. Competitive exploit

Answer: A

Section: (none)

Explanation/Reference:


QUESTION 19

Michael works for Kimball Construction Company as senior security analyst. As part of the yearly security audit, Michael scans his network for vulnerabilities. Using Nmap, Michael conducts an XMAS scan and most of the ports scanned do not give a response. In what state are these ports?

A. Filtered

B. Stealth

C. Closed

D. Open

Answer: D

Section: (none)

QUESTION 20

Terri works for a security consulting firm that is currently performing a penetration test on First National Bank in Tokyo. Terri's duties include bypassing firewalls and switches to gain access to the network. Terri sends an IP packet to one of the company's switches with ACK bit and the source address of her machine set. What is Terri trying to accomplish by sending this IP packet?

A. Poison the switch's MAC address table by flooding it with ACK bits

B. Enable tunneling feature on the switch

C. Trick the switch into thinking it already has a session with Terri's computer

D. Crash the switch with a DoS attack since switches cannot send ACK bits

Answer: C

Section: (none)

Explanation/Reference:


Exam E

QUESTION 1

Tyler is setting up a wireless network for his business that he runs out of his home. He has followed all the directions from the ISP as well as the wireless router manual. He does not have any encryption set and the SSID is being broadcast. On his laptop, he can pick up the wireless signal for short periods of time, but then the connection drops and the signal goes away. Eventually the wireless signal shows back up, but drops intermittently. What could be Tyler's issue with his home wireless network?

A. 2.4Ghz Cordless phones

B. Satellite television

C. CB radio

D. Computers on his wired network

Answer: A

Section: (none)

QUESTION 2

You have compromised a lower-level administrator account on an Active Directory network of a small company in Dallas, Texas. You discover Domain Controllers through enumeration. You connect to one of the Domain Controllers on port 389 using ldp.exe. What are you trying to accomplish here?

A. Enumerate domain user accounts and built-in groups

B. Establish a remote connection to the Domain Controller

C. Poison the DNS records with false records

D. Enumerate MX and A records from DNS

Answer: A

Section: (none)

Explanation/Reference:

QUESTION 3

Why is it a good idea to perform a penetration test from the inside?

A. It is easier to hack from the inside

B. It is never a good idea to perform a penetration test from the inside

C. To attack a network from a hacker's perspective

D. Because 70% of attacks are from inside the organization

Answer: D

Section: (none)

QUESTION 4

Click on the Exhibit Button

Paulette works for an IT security consulting company that is currently performing an audit for the firm ACE Unlimited. Paulette's duties include logging on to all the company's network equipment to ensure IOS versions are up-to-date and all the other security settings are as stringent as possible. Paulette presents the following screenshot to her boss so he can inform the client about the necessary changes that need to be made. From the screenshot, what changes should the client company make?

Exhibit:

A. The banner should not state "only authorized IT personnel may proceed"

B. Remove any identifying numbers, names, or version information

C. The banner should include the Cisco tech support contact information as well

D. The banner should have more detail on the version numbers for the network equipment

Answer: B

Section: (none)

Explanation/Reference:

QUESTION 5

You are trying to locate Microsoft Outlook Web Access Default Portal using Google search on the Internet. What search string will you use to locate them?

A. intitle:"exchange server"

B. outlook:"search"

C. locate:"logon page"

D. allinurl:"exchange/logon.asp"

Answer: D

Section: (none)

Explanation/Reference:

QUESTION 6

Kyle is performing the final testing of an application he developed for the accounting department. His last round of testing is to ensure that the program is as secure as possible. Kyle runs the following command. What is he testing at this point?

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[10];
    if (argc < 2)
    {
        fprintf(stderr, "USAGE: %s string\n", argv[0]);
        return 1;
    }
    strcpy(buffer, argv[1]);
    return 0;
}

A. Buffer overflow

B. Format string bug

C. Kernel injection

D. SQL injection

Answer: A

Section: (none)

Explanation/Reference:

QUESTION 7

Frank is working on a vulnerability assessment for a company on the West coast. The company hired Frank to assess its network security through scanning, pen tests, and vulnerability assessments. After discovering numerous known vulnerabilities detected by a temporary IDS he set up, he notices a number of items that show up as unknown but questionable in the logs. He looks up the behavior on the Internet, but cannot find anything related. To what organization should Frank submit the log to find out if it is a new vulnerability or not?

A. CVE

B. IANA

C. RIPE

D. APIPA

Answer: A

Section: (none)

QUESTION 8

Software firewalls work at which layer of the OSI model?

A. Data Link

B. Network

C. Transport

D. Application


Answer: A

Section: (none)

Explanation/Reference:

QUESTION 9

The objective of this act was to protect consumers' personal financial information held by financial institutions and their service providers.

A. HIPAA

B. Sarbanes-Oxley 2002

C. Gramm-Leach-Bliley Act

D. California SB 1386

Answer: C

Section: (none)

QUESTION 10

What does ICMP Type 3/Code 13 mean?

A. Host Unreachable

B. Port Unreachable

C. Protocol Unreachable

D. Administratively Blocked

Answer: D

Section: (none)

Explanation/Reference:

QUESTION 11

After passively scanning the network of the Department of Defense (DoD), you switch over to active scanning to identify live hosts on their network. DoD is a large organization and should respond to any number of scans. You start an ICMP ping sweep by sending an IP packet to the broadcast address. Only five hosts respond to your ICMP pings; definitely not the number of hosts you were expecting. Why did this ping sweep only produce a few responses?

A. A switched network will not respond to packets sent to the broadcast address

B. Only IBM AS/400 will reply to this scan

C. Only Unix and Unix-like systems will reply to this scan

D. Only Windows systems will reply to this scan

Answer: C

Section: (none)

Explanation/Reference:


QUESTION 12

How many possible sequence number combinations are there in TCP/IP protocol?

A. 320 billion

B. 32 million

C. 4 billion

D. 1 billion

Answer: C

Section: (none)

Explanation/Reference:

QUESTION 13

Julia is a senior security analyst for Berber Consulting group. She is currently working on a contract for a small accounting firm in Florida. They have given her permission to perform social engineering attacks on the company to see if their in-house training did any good. Julia calls the main number for the accounting firm and talks to the receptionist. Julia says that she is an IT technician from the company's main office in Iowa. She states that she needs the receptionist's network username and password to troubleshoot a problem they are having. Julia says that Bill Hammond, the CEO of the company, requested this information. After hearing the name of the CEO, the receptionist gave Julia all the information she asked for. What principle of social engineering did Julia use?

A. Reciprocation

B. Friendship/Liking

C. Social Validation

D. Scarcity

Answer: A

Section: (none)

Explanation/Reference:

QUESTION 14

John is using Firewalk to test the security of his Cisco PIX firewall. He is also utilizing a sniffer located on a subnet that resides deep inside his network. After analyzing the sniffer log files, he does not see any of the traffic produced by Firewalk. Why is that?

A. Firewalk sets all packets with a TTL of zero

B. Firewalk cannot pass through Cisco firewalls

C. Firewalk sets all packets with a TTL of one

D. Firewalk cannot be detected by network sniffers

Answer: C

Section: (none)


QUESTION 15

When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?

A. NIPS

B. Passive IDS

C. Progressive IDS

D. Active IDS

Answer: D

Section: (none)

Explanation/Reference:

QUESTION 16

As a security analyst you set up a false survey website that will require users to create a username and a strong password. You send the link to all the employees of the company. What information will you be able to gather?

A. The employees' network usernames and passwords

B. The MAC address of the employees' computers

C. The IP address of the employees' computers

D. Bank account numbers and the corresponding routing numbers

Answer: A

Section: (none)

Explanation/Reference:

QUESTION 17

Kimberly is studying to be an IT security analyst at a vocational school in her town. The school offers many different programming as well as networking languages. What networking protocol language should she learn that routers utilize?

A. OSPF

B. BPG

C. ATM

D. UDP

Answer: A

Section: (none)

QUESTION 18

Paul's company is in the process of undergoing a complete security audit including logical and physical security testing. After all logical tests were performed, it is now time for the physical round to begin. None of the employees are made aware of this round of testing. The security-auditing firm sends in a technician dressed as an electrician. He waits outside in the lobby for some employees to get to work and follows behind them when they access the restricted areas. After entering the main office, he is able to get into the server room telling the IT manager that there is a problem with the outlets in that room. What type of attack has the technician performed?

A. Fuzzing

B. Tailgating

C. Man trap attack

D. Backtrapping

Answer: B

Section: (none)

Explanation/Reference:

QUESTION 19

Harold is a security analyst who has just run the rdisk /s command to grab the backup SAM file on a computer. Where should Harold navigate on the computer to find the file?

A. %systemroot%\LSA

B. %systemroot%\repair

C. %systemroot%\system32\drivers\etc

D. %systemroot%\system32\LSA

Answer: B

Section: (none)

QUESTION 20

What is kept in the following directory?

HKLM\SECURITY\Policy\Secrets

A. Service account passwords in plain text

B. Cached password hashes for the past 20 users

C. IAS account names and passwords

D. Local store PKI Kerberos certificates

Answer: A

Section: (none)

Explanation/Reference:


Exam F

QUESTION 1

You just passed your ECSA exam and are about to start your first consulting job running security audits for a financial institution in Los Angeles. The IT manager of the company you will be working for tries to see if you remember your ECSA class. He asks about the methodology you will be using to test the company's network. How would you answer?

A. IBM Methodology

B. LPT Methodology

C. Google Methodology

D. Microsoft Methodology

Answer: B

Section: (none)

QUESTION 2

You set up SNMP in multiple offices of your company. Your SNMP software manager is not receiving data from other offices like it is for your main office. You suspect that firewall changes are to blame. What ports should you open for SNMP to work through firewalls? (Select 2)

A. 162

B. 160

C. 161

D. 163

Answer: AC
Section: (none)

Explanation/Reference:

QUESTION 3
What will the following command produce on a website login page?

SELECT email, passwd, login_id, full_name FROM members WHERE email = '[email protected]'; DROP TABLE members; --'

A. Inserts the email address into the members table

B. Retrieves the password for the first user in the members table

C. Deletes the entire members table

D. This command will not produce anything since the syntax is incorrect

Answer: C
Section: (none)

QUESTION 4
Bill is the accounting manager for Grummon and Sons LLC in Chicago. On a regular basis, he needs to send PDF documents containing sensitive information through E-mail to his customers. Bill protects the PDF documents with a password and sends them to their intended recipients. Why do PDF passwords not offer maximum protection?

A. PDF passwords can easily be cracked by software brute force tools

B. PDF passwords are not considered safe by Sarbanes-Oxley

C. PDF passwords are converted to clear text when sent through E-mail

D. When sent through E-mail, PDF passwords are stripped from the document completely

Answer: A
Section: (none)

QUESTION 5
You are the network administrator for a small bank in Dallas, Texas. To ensure network security, you enact a security policy that requires all users to have 14 character passwords. After giving your users 2 weeks notice, you change the Group Policy to force 14 character passwords. A week later you dump the SAM database from the standalone server and run a password-cracking tool against it. Over 99% of the passwords are broken within an hour. Why were these passwords cracked so quickly?

A. Networks using Active Directory never use SAM databases so the SAM database pulled was empty

B. Passwords of 14 characters or less are broken up into two 7-character hashes

C. The passwords that were cracked are local accounts on the Domain Controller

D. A password Group Policy change takes at least 3 weeks to completely replicate throughout a network

Answer: B
Section: (none)

QUESTION 6
In Linux, what is the smallest possible shellcode?

A. 800 bytes

B. 8 bytes

C. 80 bytes

D. 24 bytes

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 7
What is the target host IP in the following command? c:\>firewalk -f 80 10.10.150.1 172.16.28.95 -p

A. Firewalk does not scan target hosts

B. 172.16.28.95

C. This command is using FIN packets, which cannot scan target hosts

D. 10.10.150.1

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 8
The four typical network security policies can be classified as prudent, permissive, promiscuous and:

A. Prominent

B. Pervasive

C. Paranoid

D. Pre-emptive

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 9
What is the definition of a grey hat?

A. Reformed Black Hat

B. A former network administrator

C. A white hat who at certain times breaks ethics for his/her own agenda

D. A person who tries to exploit weaknesses in systems who is not technically sophisticated

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 10
An attacker's methods are designed to impact confidentiality, availability, integrity, and which of the following?

A. file rights

B. verification of data

C. use control

D. privacy

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 11
When performing a penetration test which of the following is the most important action to take as you gather data?

A. inform system administrators as soon as a vulnerability is found

B. make note of the amount of time spent on each action

C. create a log of all actions, results, and findings you have collected

D. avoid interaction with any employees associated to the client you are testing

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 12
When doing a penetration test what is the definition of a race condition?

A. a deadline imposed for penetration testing to be completed by

B. discovering, documenting, informing, and patching a vulnerability in the most efficient and quickest time possible to avoid exploitation

C. when an exploit has to beat a currently running process or soon to be running process to the creation or modification of a file

D. discovering vulnerabilities before system administrators patch them

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 13
Larry is an IT consultant who works for corporations and governments. He is currently working for the city of Denver, Colorado. Larry plans on shutting down the city's network using a number of BGP routers and zombies he has taken control of over the last few months. What type of attack is Larry planning to carry out?

A. DRDoS

B. DDoS

C. DoS

D. Smurf

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 14
Jennifer works at a small law firm in Chicago. Jennifer's work duties take up about three hours of her day, so the rest of the day she spends on the Internet. One of Jennifer's favorite sites is Myspace. One day, Jennifer comes into work and tries to access the Myspace page but is met with a "This site has been restricted" message. Jennifer is upset because she really wants to keep using Myspace to stay in touch with her friends. What service could Jennifer possibly use to get around the block on Myspace at her company?

A. FTP proxy

B. Anonymizer

C. Hping2

D. HTTrack

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 15
As part of the reconnaissance you are performing on a network, you use dnstracer to find valuable information. You type in the following command:
What information will this return?

A. The A record(s) for 164.58.245.134

B. The in-addr.arpa record(s) for 164.58.245.134

C. The PTR record(s) for 164.58.245.134

D. The host file record for 164.58.245.134

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 16
Larry is the network administrator of a Windows environment. Larry uses a sniffing tool called WinDump to monitor traffic on his network. Larry's friend, who works as a network administrator for another company, saw Larry use WinDump one day and really liked its functionality. The only problem is that Larry's friend administrates a Linux network environment. What equivalent tool could Larry's friend use to monitor network traffic?

A. Tcpdump

B. Pwdump

C. Xdump

D. Httport

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 17
Tom is a systems administrator for a Unix network. He needs to run some brute force attacks on the passwords of his users to ensure that they are abiding by the corporate password policy. Where can Tom find these passwords?

A. /etc/passwd

B. /drivers/etc/shadow

C. /root/hidden

D. /etc/pwd

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 18
What is the smallest possible Windows shellcode?

A. 600 bytes

B. 100 bytes

C. 1000 bytes

D. 800 bytes

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 19
Where would you find a list of well known ports on your Windows Server 2003?

A. %systemroot%\system32\drivers\etc\services

B. %systemroot%\system32\services

C. %systemroot%\system32\WBEM\services

D. %systemroot%\drivers\etc\services

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 20
Harold is the senior security analyst for a law firm on the East coast. He wants to test the security of his company's web pages, so he decides to use Form Scalpel from an outside connection through a proxy server over HTTPS. What will be the results from Harold's test?

A. He will be able to extract all the forms from the pages

B. Form Scalpel will not work over an HTTPS connection

C. Form Scalpel will extract all javascript and perl code

D. Form Scalpel will not work through a proxy server connection

Answer: A
Section: (none)

Explanation/Reference:

Exam G

QUESTION 1
If an attacker's computer sends an IPID of 31400 to a zombie computer on a closed port, what will be the response?

A. 31402

B. The zombie computer will not send a response

C. 31400

D. 31401

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 2
You are monitoring your internal network while a security consulting firm attempts various means of network intrusion from the outside. Using ethereal, you notice a large amount of traffic on TCP ports 16660 and 65000. What tool is the consulting firm attempting to use?

A. Beast

B. TFN 2K

C. Trinoo

D. Stacheldraht

Answer: D
Section: (none)

Explanation/Reference:

QUESTION 3
You are testing to see if your network is susceptible to ARP poisoning. You set this up by redirecting packets between two hosts to travel through your computer. You set up the packets to use your MAC address. After a short time, both hosts become unresponsive and freeze up completely. What do you need to do to prevent this?

A. You must force the packets to transmit to the hosts' MAC addresses

B. You must retransmit the packets to their intended destinations

C. You must force the packets to send to your IP address first, then to the hosts' IP addresses

D. You must retransmit the packets through the broadcast address of your computer first

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 4
Victor, who owns a large ISP in Texas, wants to make sure that his company's infrastructure is as secure as possible. He hires an outside security consulting firm that performs tests on his routers. The first test they perform is an attempted DoS attack against his routers' BGP implementation. Fortunately, the DoS attack is not successful. What attempted attack did the consulting company perform?

A. Ruffing

B. Smurfing

C. Fuzzing

D. Blurring

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 5
What technology changes all source IP addresses of every packet with its own address before sending out?

A. MAC filtering

B. NAT

C. AMT

D. Anonymizer

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 6
Why is a static packet filter firewall not as secure as other types of firewalls?

A. They cannot restrict IP packets based on their destination

B. They cannot look into the packet at all

C. They do not look into the packet past the header information

D. They cannot restrict IP packets based on their source

Answer: C
Section: (none)

Explanation/Reference:

QUESTION 7
After attending a security class, William decides to set up a dual-homed proxy for the network of his small business. He installs an extra network card on his computer, creates ACL rules, and enables packet forwarding. William also turns on a sniffer to monitor traffic on his new proxy. He quickly notices that source IPs he added to his ACL are still able to send to his network and through his proxy. Why is William seeing this result?

A. Packet forwarding should be disabled

B. ACL rules should not be used with a proxy

C. Only one network card should be used for a dual-homed proxy

D. Dual-homed proxies need at least three network cards, two for functionality and one for monitoring

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 8
For security reasons and to conserve the number of public IP addresses owned by his company, Jason uses NAT to translate the private IPs on his internal network to a private IP. Jason decides to use 192.169.0.0 through 192.169.255.255 for his internal IPs. Jason's company decides to pay for a security audit. Why would the security audit company recommend that Jason change his internal IP address scheme?

A. His IP scheme does not fall under RFC 1918

B. His IP scheme does not fall under RFC 19872

C. His IP scheme includes too many class B networks

D. His IP scheme includes too many Class C networks

Answer: A
Section: (none)

Explanation/Reference:

QUESTION 9
For security reasons and to conserve the number of public IP addresses owned by his company, Jason uses NAT to translate the private IPs on his internal network to a private IP. Jason decides to use 192.169.0.0 through 192.169.255.255 for his internal IPs. Jason's company decides to pay for a security audit. Why would the security audit company recommend that Jason change his internal IP address scheme?

A. His IP scheme includes too many class B networks

B. His IP scheme does not fall under RFC 1918

C. His IP scheme includes too many Class C networks

D. His IP scheme does not fall under RFC 19872

Answer: B
Section: (none)

Explanation/Reference:

QUESTION 10
Why is it important to mention ROI when presenting executive report findings of a security analysis?

A. ROI has nothing to do with a thorough security analysis report

B. Executives will not spend money unless there is a return on their investment

C. There is no need to mention ROI in an executive report since that should be reserved for a financial report

D. There is no need to mention ROI in an executive report since that should be reserved for a technical report

Answer: B
Section: (none)

Explanation/Reference: