Ethical Hacking and Countermeasures
Question No: 141 – (Topic 4)
Which of the following represents the initial two commands that an IRC client sends to join an IRC network?
Explanation: A "PASS" command is not required for either a client or a server connection to be registered, but if used it must precede the SERVER message, or the latter of the NICK/USER combination. (RFC 1459)
Question No: 142 – (Topic 4)
Sara is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records (delegation for child Domains), zone serial number, TimeToLive (TTL) records, etc) for a Domain. What do you think Sara is trying to accomplish? Select the best answer.
A zone harvesting
A zone transfer
A zone update
A zone estimate
Explanation: A zone transfer is the method a secondary DNS server uses to update its information from the primary DNS server. DNS servers within a domain are organized using a master-slave method, where the slaves get updated DNS information from the master DNS server. One should configure the master DNS server to allow zone transfers only from the secondary (slave) DNS servers, but this is often not implemented. By connecting to a specific DNS server and successfully issuing the command ls -d domain-name > file-name you have initiated a zone transfer.
Question No: 143 – (Topic 4)
Which of the following tools are used for enumeration? (Choose three.)
Explanation: USER2SID, SID2USER, and DumpSec are three of the tools used for system enumeration. Others are tools such as NAT and Enum. Knowing which tools are used in each step of the hacking methodology is an important goal of the CEH exam. You should spend a portion of your time preparing for the test practicing with the tools and learning to understand their output.
Question No: 144 – (Topic 4)
Under what conditions does a secondary name server request a zone transfer from a primary name server?
When a primary SOA is higher than a secondary SOA
When a secondary SOA is higher than a primary SOA
When a primary name server has had its service restarted
When a secondary name server has had its service restarted
When the TTL falls to zero
Explanation: Understanding DNS is critical to meeting the requirements of the CEH. When the serial number within the SOA record of the primary server is higher than the serial number within the SOA record of the secondary DNS server, a zone transfer will take place.
Question No: 145 – (Topic 4)
Bob is acknowledged as a hacker of repute and is popular among visitors of “underground” sites. Bob is willing to share his knowledge with those who are willing to learn, and many have expressed their interest in learning from him.
However, this knowledge has a risk associated with it, as it can be used for malevolent attacks as well.
In this context, what would be the most effective method to bridge the knowledge gap between the "black" hats or crackers and the "white" hats or computer security professionals? (Choose the best answer)
Educate everyone with books, articles and training on risk analysis, vulnerabilities and safeguards.
Hire more computer security monitoring personnel to monitor computer systems and networks.
Make obtaining either a computer security certification or accreditation easier to achieve so more individuals feel that they are a part of something larger than life.
Train more National Guard and reservists in the art of computer security to help out in times of emergency or crisis.
Answer: A
Explanation: Bridging the gap would consist of educating the white hats and the black hats equally so that their knowledge is relatively the same. Using books, articles, the internet, and professional training seminars is a way of completing this goal.
Question No: 146 – (Topic 4)
Joseph was the Web site administrator for Mason Insurance in New York, whose main Web site was located at www.masonins.com. Joseph uses his laptop computer regularly to administer the Web site. One night, Joseph received an urgent phone call from his friend, Smith. According to Smith, the main Mason Insurance web site had been vandalized! All of its normal content was removed and replaced with an attacker's message: "Hacker Message: You are dead! Freaks!"
From his office, which was directly connected to Mason Insurance's internal network, Joseph surfed to the Web site using his laptop. In his browser, the Web site looked completely intact. No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the problem. The Web site appeared defaced when his friend visited using his DSL connection. So, while Smith and his friend could see the defaced page, Joseph saw the intact Mason Insurance web site. To help make sense of this problem, Joseph decided to access the Web site using his dial-up ISP. He disconnected his laptop from the corporate internal network and used his modem to dial up the same ISP used by Smith. After his modem connected, he quickly typed www.masonins.com in his browser to reveal the following web page:
Y0u @re De@d! Fre@ks!
After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the entire Web site, and determined that every system file and all the Web content on the server were intact.
How did the attacker accomplish this hack?
Routing table injection
Explanation: External requests for the Web site have been redirected to another server by a successful DNS poisoning.
Question No: 147 – (Topic 4)
Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing "server publishing"?
Overloading Port Address Translation
Dynamic Port Address Translation
Dynamic Network Address Translation
Static Network Address Translation
Explanation: Static NAT maps an unregistered (private) IP address to a registered (public) IP address on a one-to-one basis. It is particularly useful when a device needs to be accessible from outside the network.
Question No: 148 – (Topic 4)
Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool “SIDExtractor”. Here is the output of the SIDs:
s-1-5-21-1125394485-807628933-54978560-999 Shawn
s-1-5-21-1125394485-807628933-54978560-777 Somia
s-1-5-21-1125394485-807628933-54978560-500 chang
s-1-5-21-1125394485-807628933-54978560-555 Micah
From the above list identify the user account with System Administrator privileges.
Explanation: The SID of the built-in Administrator account always ends in the relative identifier (RID) 500, following this pattern: S-1-5-<domain>-500
Question No: 149 – (Topic 4)
One of your team members has asked you to analyze the following SOA record.
What is the TTL?
Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400)
Explanation: The SOA record includes a timeout value. This value can tell an attacker how long any DNS "poisoning" would last. It is the last number in the record.
Question No: 150 – (Topic 4)
Null sessions are unauthenticated connections (not using a username or password) to an NT or 2000 system. Which TCP and UDP ports must you filter to check null sessions on your network?
A. 137 and 139
B. 137 and 443
C. 139 and 443
D. 139 and 445
Explanation: NULL sessions take advantage of "features" in the SMB (Server Message Block) protocol that exist primarily for trust relationships. You can establish a NULL session with a Windows host by logging on with a NULL user name and password. Primarily the following ports are vulnerable if they are accessible:
NETBIOS Session Service
NETBIOS Session Service 445