Certified Ethical Hacker v 12 Exam
Questions and Answers
What type of rootkit loads itself underneath the computer's operating system and can
intercept hardware calls made by the original operating system? - Answer -Kernel Mode
Rootkit
The kernel is the core of the operating system. Kernel-level rootkits are created by adding
code to, or replacing portions of, the core operating system, typically through malicious
device drivers (Windows) or Loadable Kernel Modules (Linux). Kernel-level rootkits can
seriously affect the stability of the system if the kit's code contains bugs. They are difficult
to detect because they run with the same privileges as the operating system itself and can
therefore intercept or subvert system calls, filter the results of file and process listings, and
hide from user-mode anti-malware. Note that the wording "underneath the operating
system ... intercept hardware calls" is also the textbook description of a hypervisor-level
rootkit, which uses hardware virtualization (Intel VT-x or AMD-V) to run below the kernel
and host the original OS as a guest; read the answer choices carefully, since both types
appear on the exam. Detecting either usually requires a view from outside the compromised
kernel, for example by comparing the live system with an offline disk image or a memory
dump analyzed with a tool such as Volatility.
Subnets communicate with each other through a gateway protected by a firewall. What
is the name of the external subnet? - Answer -Demilitarized Zone
A DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened
subnet) is a physical or logical subnetwork that contains and exposes an organization's
external-facing services (web, mail, DNS) to an untrusted, usually larger, network such as
the Internet. The purpose of a DMZ is to add an additional layer of security to an
organization's local area network (LAN): an external node can reach only what is exposed
in the DMZ, while the rest of the organization's network stays behind the firewall. The DMZ
functions as a small, isolated network positioned between the Internet and the private
network. Because DMZ hosts are the expected first point of compromise, the firewall should
also restrict connections initiated from the DMZ toward the internal network to the specific
flows those hosts need (for example a web server reaching a database on one port), so that
a compromised DMZ host cannot be used as a pivot.
The name comes from the military term demilitarized zone, an area between states in
which military operations are not permitted.
What is a vulnerability in modern processors such as Intel, AMD and ARM using
speculative execution? - Answer -Spectre and Meltdown
Meltdown and Spectre exploit vulnerabilities in modern processors. These hardware
vulnerabilities allow a program to read data that is currently being processed on the
computer. Programs are normally not permitted to read memory belonging to other
programs or to the kernel, but a malicious program can exploit Meltdown and Spectre to
obtain secrets stored in the memory of other running programs. This might include
passwords stored in a password manager or browser, personal photos, emails, instant
messages and even business-critical documents.
Meltdown (CVE-2017-5754) breaks the isolation between user applications and the
operating system and mainly affected Intel processors; its software mitigation is kernel
page-table isolation (KPTI). Spectre (CVE-2017-5753 and CVE-2017-5715) tricks the
branch predictor into speculatively executing code that leaks data through the cache and
affects Intel, AMD and ARM designs; mitigations include retpolines, microcode updates
and speculation barriers in sensitive code. Neither attack leaves a trace in system logs,
because the data is leaked through a cache timing side channel rather than a fault.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud.
Depending on the cloud provider's infrastructure, it might be possible to steal data from
other customers sharing the same physical host.
What is the detection method where the anti-virus executes the malicious code in a
virtual machine to simulate CPU and memory activity? - Answer -Code Emulation
Code emulation is an extremely powerful virus detection technique. The scanner implements
a virtual machine that simulates the CPU and memory management and mimics the
execution of the suspect code inside it. Malicious code therefore runs only in the scanner's
emulated machine and is never executed by the real processor. This is what allows a
scanner to let packed, encrypted or polymorphic malware decode itself before applying
signature matching. Its limitation is that malware can detect the emulator (timing checks,
unimplemented instructions, missing operating-system artifacts) and stay dormant until it
believes it is running on real hardware.
What is the scanning tool that looks for common misconfigurations and outdated
software versions? - Answer -Nikto
Nikto is a free, command-line web server vulnerability scanner that scans web servers for
dangerous files and CGIs, outdated server software and other problems. It performs
generic checks as well as checks specific to the server type it fingerprints, and it captures
and prints any cookies received. The basic invocation is nikto -h followed by the target host
or URL. Nikto is not stealthy: it sends thousands of requests, many for files that do not exist,
so it is easily spotted in web server logs and by an IDS. The Nikto code itself is free
software, but the data files it uses to drive the program are not.
What Linux command will you use to resolve a domain name into an IP address? -
Answer -host -t a resolveddomain.com
The -t a option asks for the A (IPv4 address) record only; host -t aaaa returns IPv6
addresses. Equivalent checks are dig +short resolveddomain.com and nslookup
resolveddomain.com. To see what the local system's own resolver returns, including entries
from /etc/hosts, use getent hosts resolveddomain.com.
What is an access control mechanism that allows multiple systems to use a central
authentication server (CAS) that permits users to authenticate once and gain access to
multiple systems? - Answer -Single sign-on
Single sign-on (SSO) is an authentication scheme that allows a user to log in with a
single ID and password to any of several related, yet independent, software systems.
True single sign-on allows the user to log in once and access services without re-entering
authentication factors. SSO also concentrates risk: whoever holds the SSO credential or a
valid session token can reach every connected application, so it should be combined with
multi-factor authentication and short session lifetimes.
IPsec is a suite of protocols developed to ensure the integrity, confidentiality, and
authentication of data communications over an IP network. Which protocol is NOT
included in the IPsec suite? - Answer -Media Access Control (MAC)
The following make up the IPsec suite:
· Authentication Header (AH, IP protocol 51)
AH ensures that packets come from the expected peer and have not been modified in
transit, like a tamper-evident seal on a consumer product: it carries an integrity check
value computed over the payload and the immutable fields of the IP header. AH provides no
encryption and does nothing to conceal the data from an observer. Because its integrity
check covers the IP header, AH breaks when a NAT device rewrites addresses, which is one
reason ESP is used far more often in practice.
· Encapsulating Security Payload (ESP, IP protocol 50)
ESP encrypts and, optionally, authenticates the packet. In tunnel mode the entire original IP
packet, header and payload, is encrypted and a new outer IP header is added; in transport
mode only the payload is encrypted and the original IP header stays in the clear. ESP adds
its own header (SPI and sequence number) before the data and a trailer (padding, pad
length, next header) followed by an integrity check value after it. The sequence number
feeds an anti-replay window at the receiver so that a captured packet cannot simply be
resent.
· Security Associations (SA) and Internet Key Exchange (IKE)
An SA is not itself a protocol but the negotiated state for one direction of traffic: the
algorithms, keys, SPI and lifetime that both peers have agreed to use. IKE (IKEv1 or IKEv2,
over UDP ports 500 and 4500) is the protocol that authenticates the peers and negotiates
those SAs.
Finally, while the Internet Protocol (IP) is not part of the IPsec suite, IPsec runs directly
on top of IP. MAC addressing is a layer 2 function and plays no role in IPsec.
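To make the ESP header/trailer layout and the anti-replay check concrete, here is an added example (not from the original study page) that builds and parses an ESP packet using NULL encryption (RFC 2410) with an HMAC-SHA256-128 integrity check value, and implements the RFC 4303 sliding anti-replay window. The key, SPI and payload are constructed test values, and the helper names are this example's own; real ESP would also encrypt the payload and trailer.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # HMAC-SHA256-128 truncates the MAC to 128 bits (RFC 4868)


def build_esp_null(spi, seq, next_header, payload, auth_key):
    """Build one ESP packet (RFC 4303) with NULL encryption (RFC 2410)
    and an HMAC-SHA256-128 integrity check value over header, payload and trailer."""
    header = struct.pack("!II", spi, seq)                # ESP header: SPI + sequence number
    pad_len = (-(len(payload) + 2)) % 4                  # pad so payload + trailer aligns to 4 bytes
    padding = bytes(range(1, pad_len + 1))               # default padding pattern 1,2,3,...
    trailer = padding + bytes([pad_len, next_header])    # ESP trailer: padding, pad length, next header
    authenticated = header + payload + trailer           # everything the ICV covers
    icv = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def parse_esp_null(packet, auth_key):
    """Verify the ICV first, then strip header and trailer. Raises ValueError on any failure."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short to be ESP")
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):           # constant-time comparison
        raise ValueError("ICV mismatch: packet modified or keyed under a different SA")
    spi, seq = struct.unpack("!II", authenticated[:8])
    pad_len, next_header = authenticated[-2], authenticated[-1]
    payload_end = len(authenticated) - 2 - pad_len
    if payload_end < 8:
        raise ValueError("pad length exceeds packet")
    return spi, seq, next_header, authenticated[8:payload_end]


class ReplayWindow:
    """Sliding anti-replay window from RFC 4303 appendix A (bit 0 = highest sequence seen)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) already received

    def check_and_update(self, seq):
        if seq == 0:
            return False                       # ESP sequence numbers start at 1
        if seq > self.top:                     # new high-water mark: slide the window right
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                       # older than the window: drop
        if self.bitmap & (1 << diff):
            return False                       # already seen: replay
        self.bitmap |= 1 << diff
        return True


def demo():
    """Round-trip a packet, then replay it and tamper with it. Key and data are constructed."""
    key = bytes(range(32))                     # constructed SA authentication key, not a real one
    window = ReplayWindow()
    results = {}
    pkt = build_esp_null(0x1000, 1, 17, b"hello", key)   # next header 17 = UDP
    spi, seq, nh, payload = parse_esp_null(pkt, key)
    results["payload"] = payload
    results["first_accept"] = window.check_and_update(seq)
    results["replay_accept"] = window.check_and_update(seq)   # same seq again: rejected
    tampered = bytearray(pkt)
    tampered[10] ^= 0x01                        # flip one bit inside the payload
    try:
        parse_esp_null(bytes(tampered), key)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The order of operations in parse_esp_null is the important part: the ICV is checked before any field is trusted, and the replay window is consulted only on packets that passed that check, so an attacker who cannot forge the ICV cannot use replayed or garbage packets to move the window.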
What is an entity in a PKI that will vouch for the identity of an individual or company? -
Answer -Certificate Authority (CA)
A certificate authority or certification authority (CA) is an entity that issues digital
certificates. A digital certificate certifies the ownership of a public key by the named
subject of the certificate. This allows others (relying parties) to rely upon signatures or
on assertions made using the private key that corresponds to the certified public key. A
CA acts as a trusted third party, trusted both by the subject (owner) of the certificate
and by the party relying upon the certificate. The format of these certificates is specified
by the X.509 standard (web and enterprise PKI) or the EMV standard (payment cards).
One particularly common use for certificate authorities is to sign certificates used in
HTTPS, the secure browsing protocol for the World Wide Web. Another common use is
in issuing identity cards by national governments for use in electronically signing
documents.
How can an organization resist an attack using rainbow tables? - Answer -Use
password salting.
A salt is random data used as an additional input to the one-way function that hashes a
password or passphrase; it is stored alongside the resulting hash. A rainbow table is a
precomputed, space-optimized mapping from hash values back to passwords, and it only
works when the same password always produces the same hash. With a unique salt per
user, the attacker would need a separate table for every salt value, which defeats the
precomputation entirely. Historically a password was stored in plaintext on a system, but
over time additional safeguards were developed to protect a user's password against
being read from the system; salting is one of those methods. Salting alone does not make
hashing slow, so current practice combines a random salt with a deliberately slow
algorithm such as bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count.
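An added example (not from the original study page) showing why salting breaks a precomputed table: the same password hashed for two users yields two different strings, and a table built from unsalted hashes no longer matches. The "rainbow table" is stood in for by a constructed dict of unsalted SHA-1 hashes, the usernames and passwords are constructed, and PBKDF2-HMAC-SHA256 is used as the slow salted hash; the helper names are this example's own.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # OWASP's recommended order of magnitude for PBKDF2-HMAC-SHA256
SALT_LEN = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' using a fresh random salt."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_sha1(password):
    """The legacy scheme a rainbow table targets: one fixed hash per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def rainbow_lookup(table, hash_value):
    """Reverse lookup: the attacker precomputed hash -> password once and reuses it forever."""
    return table.get(hash_value)


def demo(iterations=20_000):
    """Constructed users and a constructed 'rainbow table' (a dict standing in for the real thing).
    The iteration count is lowered here only so the demo runs quickly."""
    common = ["password", "123456", "qwerty", "letmein", "Summer2024"]
    table = {unsalted_sha1(p): p for p in common}   # attacker's precomputed table
    results = {}
    # Legacy storage: identical passwords give identical hashes, so the table cracks them instantly.
    results["legacy_cracked"] = rainbow_lookup(table, unsalted_sha1("letmein"))
    # Salted storage: the same password yields different strings for two users ...
    alice = hash_password("letmein", iterations=iterations)
    bob = hash_password("letmein", iterations=iterations)
    results["salted_hashes_differ"] = alice != bob
    # ... and the attacker's table, built without the salts, cannot match either of them.
    results["salted_cracked"] = rainbow_lookup(table, alice.split("$")[-1])
    results["alice_verifies"] = verify_password("letmein", alice)
    results["wrong_password_rejected"] = not verify_password("letmein!", alice)
    return results


if __name__ == "__main__":
    print(demo())
```

The stored string carries the algorithm, iteration count and salt, so the verifier needs nothing else to recompute the hash, and the iteration count can be raised later without breaking existing records.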
When getting information about the web server, you should be familiar with the methods
GET, POST, HEAD, PUT, DELETE and TRACE. Two of them are particularly dangerous if
enabled: PUT (upload a file to the server) and DELETE (delete a file from the server). TRACE
also matters because it can enable cross-site tracing (XST). Nmap can detect which of these
methods a server accepts. Which of the following nmap scripts will help you detect these
methods? - Answer -http-methods
The script sends an OPTIONS request and reports the methods listed in the Allow header;
with the script argument http-methods.test-all=1 it also tries each method individually,
which matters because many servers do not advertise everything they accept. A method
that answers 405 or 501 is refused; a 2xx answer to PUT or DELETE is a finding.
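The manual check behind the script, as an added example that is not part of the original page: it starts a throwaway local web server (Python's stock file server, used here only as a constructed target) and probes each method the way http-methods does, recording the status code and any Allow header, then flags dangerous methods that were accepted or advertised. Against a real host you would run nmap -p 80,443 --script http-methods --script-args http-methods.test-all=1 followed by the target; the function names below are this example's own.

```python
import http.client
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

PROBE_METHODS = ("OPTIONS", "GET", "HEAD", "PUT", "DELETE", "TRACE")
DANGEROUS = {"PUT", "DELETE", "TRACE"}


class QuietHandler(SimpleHTTPRequestHandler):
    """Stock Python file server used as a constructed target; it implements only GET and HEAD
    and answers 501 to anything else."""

    def log_message(self, fmt, *args):   # keep the example output clean
        pass


def start_target():
    """Start a throwaway web server on 127.0.0.1 (random port) serving an empty temp directory."""
    docroot = tempfile.mkdtemp()
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=docroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_methods(host, port, methods=PROBE_METHODS):
    """Send one request per method and record the status code and any Allow header."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        path = "/probe.txt" if method in ("PUT", "DELETE") else "/"   # harmless target path
        body = b"probe" if method == "PUT" else None
        conn.request(method, path, body=body)
        resp = conn.getresponse()
        resp.read()
        results[method] = {"status": resp.status, "allow": resp.getheader("Allow")}
        conn.close()
    return results


def risky_methods(results):
    """Flag dangerous methods the server accepted (2xx) or advertised in an Allow header."""
    advertised = set()
    for info in results.values():
        if info["allow"]:
            advertised.update(m.strip().upper() for m in info["allow"].split(","))
    accepted = {m for m, info in results.items() if 200 <= info["status"] < 300}
    return sorted((accepted | advertised) & DANGEROUS)


if __name__ == "__main__":
    target = start_target()
    host, port = target.server_address
    found = probe_methods(host, port)
    for method, info in found.items():
        print(f"{method:8} -> {info['status']}  Allow: {info['allow']}")
    print("risky methods:", risky_methods(found) or "none")
    target.shutdown()
```

The probe sends a real PUT rather than trusting OPTIONS alone, which is the same reason http-methods offers test-all: an Allow header is whatever the server chooses to say, while a 201 Created is proof.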
What is the type of message that the client sends to the server to begin the 3-way
handshake when establishing a TCP connection? - Answer -SYN
To establish a connection, TCP uses a three-way handshake. Before a client attempts
to connect with a server, the server must first bind to and listen on a port to open it up for
connections: this is called a passive open. Once the passive open is established, a
client may initiate an active open. To establish a connection, the three-way (or 3-step)
handshake occurs:
SYN: The active open is performed by the client sending a SYN to the server. The
client sets the segment's sequence number to a random value A.
SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgement
number is set to one more than the received sequence number, i.e. A+1, and the
sequence number the server chooses for the segment is another random number, B.
ACK: Finally, the client sends an ACK back to the server. The sequence number is set
to the received acknowledgement value, i.e. A+1, and the acknowledgement number is
set to one more than the received sequence number, i.e. B+1.
Two security points follow from this exchange. The initial sequence numbers must be
unpredictable: an attacker who can guess B can complete a handshake from a spoofed
address without ever seeing the SYN-ACK. And the server allocates state when it sends the
SYN-ACK, which is what a SYN flood abuses by never sending the final ACK; SYN cookies
encode that state in B instead of storing it.
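An added example (not from the original page) that models both endpoints of the handshake as small state machines, carrying the A, A+1, B, B+1 arithmetic from the text and the checks a real stack applies to each segment. It then shows why a blind spoofer who never saw the SYN-ACK cannot complete the handshake without guessing B. The endpoint names, the Segment and Endpoint classes and the 12345 sequence number used by the spoofer are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF   # sequence numbers wrap at 2**32


@dataclass
class Segment:
    """The handshake-relevant fields of a TCP segment."""
    src: str
    dst: str
    seq: int
    ack: int
    flags: frozenset


@dataclass
class Endpoint:
    name: str
    state: str = "CLOSED"
    isn: int = 0        # own initial sequence number (A for the client, B for the server)
    peer_seq: int = 0   # next sequence number expected from the peer
    log: list = field(default_factory=list)

    def listen(self):
        self.state = "LISTEN"                                  # passive open

    def connect(self, peer):
        """Active open: send SYN with a random ISN A."""
        self.isn = secrets.randbelow(2**32)
        self.state = "SYN_SENT"
        return Segment(self.name, peer, self.isn, 0, frozenset({"SYN"}))

    def receive(self, seg):
        """Process one segment; return the reply segment, or None if nothing is sent."""
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            self.peer_seq = (seg.seq + 1) & MASK32             # acknowledge A+1
            self.isn = secrets.randbelow(2**32)                # choose random B
            self.state = "SYN_RECEIVED"                        # half-open state (SYN flood target)
            return Segment(self.name, seg.src, self.isn, self.peer_seq, frozenset({"SYN", "ACK"}))
        if self.state == "SYN_SENT" and seg.flags == {"SYN", "ACK"}:
            if seg.ack != (self.isn + 1) & MASK32:             # must acknowledge our A+1
                self.log.append("dropped SYN-ACK with wrong ack")
                return None
            self.peer_seq = (seg.seq + 1) & MASK32             # acknowledge B+1
            self.state = "ESTABLISHED"
            return Segment(self.name, seg.src, seg.ack, self.peer_seq, frozenset({"ACK"}))
        if self.state == "SYN_RECEIVED" and seg.flags == {"ACK"}:
            if seg.ack != (self.isn + 1) & MASK32 or seg.seq != self.peer_seq:
                self.log.append("dropped ACK with wrong ack/seq")   # blind spoofer guessed B wrong
                return None
            self.state = "ESTABLISHED"
            return None
        self.log.append(f"dropped {sorted(seg.flags)} in state {self.state}")
        return None


def handshake(client, server):
    """Run the three-way handshake and return the three segments in order."""
    server.listen()
    syn = client.connect(server.name)
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    return syn, syn_ack, ack


def spoofed_ack_accepted(server, victim_name, guessed_b):
    """Blind spoofing attempt: the attacker sends a SYN as the victim, never sees the
    SYN-ACK (it goes to the victim), and must guess B to forge the final ACK."""
    server.listen()
    syn = Segment(victim_name, server.name, 12345, 0, frozenset({"SYN"}))
    server.receive(syn)
    forged = Segment(victim_name, server.name, 12346, (guessed_b + 1) & MASK32, frozenset({"ACK"}))
    server.receive(forged)
    return server.state == "ESTABLISHED"


if __name__ == "__main__":
    c, s = Endpoint("client"), Endpoint("server")
    for seg in handshake(c, s):
        print(f"{seg.src} -> {seg.dst}: {sorted(seg.flags)} seq={seg.seq} ack={seg.ack}")
    print("blind spoof established:", spoofed_ack_accepted(Endpoint("server"), "victim", 0))
```

With 32-bit random ISNs the spoofer's guess succeeds with probability 2^-32 per attempt; the historical attacks against predictable (incrementing) ISNs are exactly what this check is protecting against.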