Certified Ethical Hacker. Test 1. - Results
Question 1: Correct
Which type of viruses tries to hide from antivirus programs by actively changing and corrupting the chosen
service call interruptions when they are being run?
● Stealth/Tunneling virus
(Correct)
● Cavity virus
● Tunneling virus
● Polymorphic virus
Explanation
Tunneling Virus: This virus attempts to bypass detection by antivirus scanner by installing itself in the interrupt
handler chain. Interception programs, which remain in the background of an operating system and catch
viruses, become disabled during the course of a tunneling virus. Similar viruses install themselves in device
drivers.
Stealth Virus: It is a very tricky virus as it changes the code that can be used to detect it. Hence, the detection
of the virus becomes very difficult. For example, it can change the read system call such that whenever the
user asks to read a code modified by a virus, the original form of code is shown rather than infected code.
NOTE: I don't know why EC-Council decided to combine 2 types of viruses into one. Nevertheless, on their
exam, the Stealth/ tunneling virus (as in the book) is encountered on the exam, but I think the Tunneling virus
is fine too.
Incorrect answers:
Cavity virus
To avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on
the DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected
by the virus. This approach does not fool antivirus software, however, especially those which maintain and date
cyclic redundancy checks on file changes. Some viruses can infect files without increasing their sizes or
damaging the files. They accomplish this by overwriting unused areas of executable files. These are called
cavity viruses.
Polymorphic virus https://en.wikipedia.org/wiki/Polymorphic_code
Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular
encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a
decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on
each infection. A well-written polymorphic virus therefore has no parts which remain identical between
infections, making it very difficult to detect directly using "signatures". Antivirus software can detect it by
decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body.
,Question 2: Correct
Your company has a risk assessment, and according to its results, the risk of a breach in the main company
application is 40%. Your cybersecurity department has made changes to the application and requested a
re-assessment of the risks. The assessment showed that the risk fell to 12%, with a risk threshold of 20%.
Which of the following options would be the best from a business point of view?
● Accept the risk.
(Correct)
● Introduce more controls to bring risk to 0%.
● Avoid the risk.
● Limit the risk.
Explanation
Risk Mitigation
Risk mitigation can be defined as taking steps to reduce adverse effects. There are four types of risk mitigation
strategies that hold unique to Business Continuity and Disaster Recovery. When mitigating risk, it’s important to
develop a strategy that closely relates to and matches your company’s profile.
Risk Acceptance
Risk acceptance does not reduce any effects; however, it is still considered a strategy. This strategy is a
common option when the cost of other risk management options such as avoidance or limitation may outweigh
the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not
have a high possibility of occurring will use the risk acceptance strategy.
Risk Avoidance
Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk
whatsoever. It’s important to note that risk avoidance is usually the most expensive of all risk mitigation options.
Risk Limitation
Risk limitation is the most common risk management strategy used by businesses. This strategy limits a
company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance and a bit of risk
avoidance or an average of both. An example of risk limitation would be a company accepting that a disk drive
may fail and avoiding a long period of failure by having backups.
Risk Transference
Risk transference is the involvement of handing risk off to a willing third party. For example, numerous
companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial
for a company if a transferred risk is not a core competency of that company. It can also be used so a company
can focus more on its core competencies.
,NOTE: On my own, I would like to add. It is possible to create absolute protection (0% risk), but with an
increase in protection, the system's complexity also grows (and monetary costs, of course). At some point, you
can get a complete absence of risks and clients. So you have to compromise and take some risks. This is a
profound and interesting topic.
Question 3: Correct
Alex, a cybersecurity specialist, received a task from the head to scan open ports. One of the main conditions
was to use the most reliable type of TCP scanning. Which of the following types of scanning should Alex use?
● NULL Scan.
● Xmas Scan.
● TCP Connect/Full Open Scan.
(Correct)
● Half-open Scan.
Explanation
TCP Connect/Full Open Scan is one of the most reliable forms of TCP scanning. In TCP Connect scanning,
the OS’s TCP connect() system call tries to open a connection to every port of interest on the target machine. If
the port is listening, the connect() call will result in a successful connection with the host on that particular port;
otherwise, it will return an error message stating that the port is not reachable.
TCP Connect scan completes a three-way handshake with the target machine. In the TCP three-way
handshake, the client sends an SYN packet, which the recipient acknowledges with an SYN+ACK packet.
Then, the client acknowledges the SYN+ACK packet with an ACK packet to complete the connection. Once
the handshake is completed, the scanner sends an RST packet to end the connection.
Incorrect answers:
NULL Scan
The Null Scan is a type of TCP scan that hackers — both ethical and malicious — use to identify listening TCP
ports. In the right hands, a Null Scan can help identify potential holes for server hardening, but in the wrong
hands, it is a reconnaissance tool. It is a pre-attack probe.
Xmas scan
Nmap Xmas scan was considered a stealthy scan which analyzes responses to Xmas packets to determine
the nature of the replying device. Each operating system or network device responds in a different way to
Xmas packets revealing local information such as OS (Operating System), port state and more.
Half-open scan
The TCP half-open port scan sometimes referred to as an SYN scan it’s a fast and sneaky scan that tries to
find potential open ports on the target computer.
,SYN packets request a response from a computer, and an ACK packet is a response. In a typical TCP
transaction, there is an SYN, an ACK from the service, and a third ACK confirming the message received.
This scan is fast and hard to detect because it never completes the full TCP 3 way-handshake. The scanner
sends an SYN message and just notes the SYN-ACK responses. The scanner doesn’t complete the
connection by sending the final ACK: it leaves the target hanging.
Any SYN-ACK responses are possibly open ports. An RST (reset) response means the port is closed, but
there is a live computer here. No responses indicate SYN is filtered on the network. An ICMP (or ping) no
response also counts as a filtered response.
TCP half-open scans are the default scan in NMAP.
Question 4: Correct
Which of the following characteristics is not true about the Simple Object Access Protocol?
● Allows for any programming model.
● Exchanges data between web services.
● Only compatible with the application protocol HTTP.
(Correct)
● Using Extensible Markup Language.
Explanation
https://en.wikipedia.org/wiki/SOAP
SOAP can be used with any application-level protocol: SMTP, FTP, HTTP, HTTPS, etc. However, its interaction
with each of these protocols has its own characteristics, which must be defined separately. Most often SOAP is
used over HTTP.
SOAP (formerly an acronym for Simple Object Access Protocol) is a messaging protocol specification for
exchanging structured information in the implementation of web services in computer networks. Its purpose is
to provide extensibility, neutrality, verbosity and independence. It uses XML Information Set for its message
format, and relies on application layer protocols, most often Hypertext Transfer Protocol (HTTP), although
some legacy systems communicate over Simple Mail Transfer Protocol (SMTP), for message negotiation and
transmission.
SOAP allows developers to invoke processes running on disparate operating systems (such as Windows,
macOS, and Linux) to authenticate, authorize, and communicate using Extensible Markup Language (XML).
Since Web protocols like HTTP are installed and running on all operating systems, SOAP allows clients to
invoke web services and receive responses independent of language and platforms.
SOAP provides the Messaging Protocol layer of a web services protocol stack for web services. It is an
XML-based protocol consisting of three parts:
· an envelope, which defines the message structure and how to process it
· a set of encoding rules for expressing instances of application-defined datatypes
· a convention for representing procedure calls and responses
SOAP has three major characteristics:
,extensibility (security and WS-Addressing are among the extensions under development)
neutrality (SOAP can operate over any protocol such as HTTP, SMTP, TCP, UDP)
independence (SOAP allows for any programming model)
As an example of what SOAP procedures can do, an application can send a SOAP request to a server that
has web services enabled—such as a real-estate price database—with the parameters for a search. The
server then returns a SOAP response (an XML-formatted document with the resulting data), e.g., prices,
location, features. Since the generated data comes in a standardized machine-parsable format, the requesting
application can then integrate it directly.
Question 5: Correct
Rajesh, a network administrator found several unknown files in the root directory of his FTP server. He was
very interested in a binary file named "mfs". Rajesh decided to check the FTP server logs and found that the
anonymous user account logged in to the server, uploaded the files and ran the script using a function provided
by the FTP server's software. Also, he found that "mfs" file is running as a process and it listening to a network
port. What kind of vulnerability must exist to make this attack possible?
● Brute force login.
● Directory traversal.
● File system permissions.
(Correct)
● Privilege escalation.
Explanation
File system permissions
Processes may automatically execute specific binaries as part of their functionality or to perform other actions.
If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are
improperly set, then the target binary may be overwritten with another binary using user-level permissions and
executed by the original process. If the original process and thread are running under a higher permissions
level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing
code at a higher permissions level. If the executing process is set to run at a specific time or during a certain
event (e.g., system bootup) then this technique can also be used for persistence.
Incorrect answers:
Privilege escalation https://en.wikipedia.org/wiki/Privilege_escalation
Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system
or network. Adversaries can often enter and explore a network with unprivileged access but require elevated
,permissions to follow through on their objectives. Common approaches are to take advantage of system
weaknesses, misconfigurations, and vulnerabilities.
Directory traversal https://en.wikipedia.org/wiki/Directory_traversal_attack
A path traversal attack (also known as directory traversal) aims to access files and directories stored outside
the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its
variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the
file system, including application source code or configuration and critical system files. It should be noted that
access to files is limited by system operational access control (such as in the case of locked or in-use files on
the Microsoft Windows operating system).
This attack is also known as “dot-dot-slash,” “directory traversal,” “directory climbing,” and “backtracking.”
Brute force login https://en.wikipedia.org/wiki/Brute-force_attack
A brute force attack uses trial-and-error to guess login info, encryption keys, or find a hidden web page.
Hackers work through all possible combinations hoping to guess correctly.
These attacks are made by ‘brute force,’ meaning they use excessive forceful attempts to try and ‘force’ their
way into your private account(s). This is an old attack method, but it's still effective and popular with hackers.
Because depending on the password's length and complexity, cracking it can take anywhere from a few
seconds to many years.
Question 6: Correct
Which of the following is the type of violation when an unauthorized individual enters a building following an
employee through the employee entrance?
● Announced.
● Tailgating.
(Correct)
● Pretexting.
● Reverse Social Engineering.
Explanation
The tailgating attack, also known as “piggybacking,” involves an attacker seeking entry to a restricted area that
lacks the proper authentication.
The attacker can simply walk in behind a person who is authorized to access the area. In a typical attack
scenario, a person impersonates a delivery driver loaded down with packages and waits until an employee
opens their door. The attacker asks that the employee hold the door, bypassing the security measures in place
(e.g., electronic access control).
Incorrect answers:
Pretexting
,The term pretexting indicates the practice of presenting oneself as someone else to obtain private information.
Usually, attackers create a fake identity and use it to manipulate the receipt of information.
Attackers leveraging this specific social engineering technique adopt several identities they have created. This
bad habit could expose their operations to the investigations conducted by security experts and law
enforcement.
Reverse Social Engineering
A reverse social engineering attack is a person-to-person attack in which an attacker convinces the target that
he or she has a problem or might have a certain problem in the future and that he, the attacker, is ready to help
solve the problem.
Question 7: Correct
John, a pentester, received an order to conduct an internal audit in the company. One of its tasks is to search
for open ports on servers. Which of the following methods is the best solution for this task?
● Scan servers with MBSA.
● Scan servers with Nmap.
(Correct)
● Manual scan on each server.
● Telnet to every port on each server.
Explanation
https://nmap.org/book/port-scanning-tutorial.html
The correct answer is “Scan servers with Nmap” because Nmap combines high speed of work and keeps the
most common usage simple while retaining the flexibility for custom and advanced scans which accomplished
with the command-line interface by offering dozens of options, but choosing sane defaults when they are not
specified.
Question 8: Correct
Which of the following UDP ports is usually used by Network Time Protocol (NTP)?
● 161
● 19
● 177
● 123
(Correct)
Explanation
https://en.wikipedia.org/wiki/Network_Time_Protocol
,The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer
systems over packet-switched, variable-latency data networks.
NTP is intended to synchronize all participating computers within a few milliseconds of Coordinated Universal
Time (UTC). It uses the intersection algorithm, a modified version of Marzullo's algorithm, to select accurate
time servers and is designed to mitigate variable network latency effects. NTP can usually maintain time to
within tens of milliseconds over the public Internet and achieve better than one millisecond accuracy in local
area networks. Asymmetric routes and network congestion can cause errors of 100 ms or more.
The protocol is usually described in terms of a client-server model but can easily be used in peer-to-peer
relationships where both peers consider the other to be a potential time source. Implementations send and
receive timestamps using the User Datagram Protocol (UDP) on port number 123.
Incorrect answers: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
19 - Character Generator Protocol (CHARGEN)
177 - X Display Manager Control Protocol (XDMCP)
161 - Simple Network Management Protocol (SNMP)
Question 9: Correct
Ivan, a black hat hacker, sends partial HTTP requests to the target webserver to exhaust the target server’s
maximum concurrent connection pool. He wants to ensure that all additional connection attempts are rejected.
What type of attack does Ivan implement?
● Fragmentation
● Spoofed Session Flood
● HTTP GET/POST
● Slowloris
(Correct)
Explanation
https://en.wikipedia.org/wiki/Slowloris_(computer_security)
Slowloris is a type of denial of service attack tool which allows a single machine to take down another
machine's web server with minimal bandwidth and side effects on unrelated services and ports.
Slowloris tries to keep many connections to the target web server open and hold them open as long as
possible. It accomplishes this by opening connections to the target web server and sending a partial request.
Periodically, it will send subsequent HTTP headers, adding to, but never completed, the request. Affected
servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying
additional connection attempts from clients.
The program was named after Slow lorises, a group of primates that are known for their slow movement.
,Incorrect answers:
HTTP GET/POST (HTTP Flood) https://en.wikipedia.org/wiki/HTTP_Flood
HTTP Flood is a type of Distributed Denial of Service (DDoS) attack in which the attacker manipulates HTTP
and POST unwanted requests in order to attack a web server or application. These attacks often use
interconnected computers that have been taken over with the aid of malware such as Trojan Horses. Instead of
using malformed packets, spoofing and reflection techniques, HTTP floods require less bandwidth to attack the
targeted sites or servers.
Spoofed Session Flood
Fake Session attacks try to bypass security under the disguise of a valid TCP session by carrying an SYN,
multiple ACK and one or more RST or FIN packets.
This attack can bypass defence mechanisms that are only monitoring incoming traffic on the network. These
DDoS attacks can also exhaust the target’s resources and result in a complete system shutdown or
unacceptable system performance.
Fragmentation https://en.wikipedia.org/wiki/IP_fragmentation_attack
IP fragmentation attacks are a kind of computer security attack based on how the Internet Protocol (IP)
requires data to be transmitted and processed. Specifically, it invokes IP fragmentation, a process used to
partition messages (the service data unit (SDU); typically a packet) from one layer of a network into multiple
smaller payloads that can fit within the lower layer's protocol data unit (PDU). Every network link has a
maximum size of messages that may be transmitted, called the maximum transmission unit (MTU). If the SDU
plus metadata added at the link-layer exceeds the MTU, the SDU must be fragmented. IP fragmentation
attacks exploit this process as an attack vector.
Part of the TCP/IP suite is the Internet Protocol (IP) which resides at the Internet Layer of this model. IP is
responsible for the transmission of packets between network endpoints. IP includes some features which
provide basic measures of fault-tolerance (time to live, checksum), traffic prioritization (a type of service) and
support for the fragmentation of larger packets into multiple smaller packets (ID field, fragment offset). The
support for fragmentation of larger packets provides a protocol allowing routers to fragment a packet into
smaller packets when the original packet is too large for the supporting datalink frames. IP fragmentation
exploits (attacks) use the fragmentation protocol within IP as an attack vector.
Question 10: Correct
Wireshark is one of the most important tools for a cybersecurity specialist. It is used for network
troubleshooting, analysis, software, etc. And you often have to work with a packet bytes pane. In what format is
the data presented in this pane?
● Binary
● Hexadecimal
(Correct)
● Decimal
● ASCII only
Explanation
https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketBytesPaneSection.html
, The packet bytes pane shows the data of the current packet in a hexdump style.
hexdump is a hexadecimal view (on screen or paper) of computer data, from RAM or from a computer file or
storage device.
Question 11: Correct
Determine what of the list below is the type of honeypots that simulates the real production network of the
target organization?
● High-interaction Honeypots.
● Pure Honeypots.
(Correct)
● Low-interaction Honeypots.
● Research honeypots.
Explanation
https://en.wikipedia.org/wiki/Honeypot_(computing)
Pure honeypots are full-fledged production systems. The attacker's activities are monitored by using a bug tap
installed on the honeypot's link to the network. No other software needs to be installed. Even though a pure
honeypot is useful, a more controlled mechanism stealthiness of the defense mechanisms can be ensured.
Incorrect answers:
Low-interaction Honeypots
A low interaction honeypot will only give an attacker minimal access to the operating system. ‘Low interaction’
means precisely that the adversary will not be able to interact with your decoy system in any depth, as it is a
much more static environment. A low interaction honeypot will usually emulate a small number of internet
protocols and network services, just enough to deceive the attacker and no more. In general, most businesses
simulate TCP and IP protocols, which allows the attacker to think they are connecting to a real system and not
a honeypot environment.
A low interaction honeypot is simple to deploy, does not give access to a real root shell, and does not use
significant resources to maintain. However, a low interaction honeypot may not be effective enough, as it is
only the basic simulation of a machine. It may not fool attackers into engaging, and it’s certainly not in-depth
enough to capture complex threats such as zero-day exploits.
High interaction honeypots
A high interaction honeypot emulates certain protocols or services. The attacker is provided with real systems
to attack, making it far less likely they will guess they are being diverted or observed. As the systems are only
present as a decoy, any traffic that is found is by its very existence malicious, making it easy to spot threats
and track and trace an attacker's behavior. Using a high interaction honeypot, researchers can learn the tools
an attacker uses to escalate privileges or the lateral movements they make to attempt to uncover sensitive
data.
