Ethical Hacking and Countermeasures
Question No: 61 – (Topic 3)
Which of the following is a patch management utility that scans one or more computers on your network and alerts you if important Microsoft security patches are missing? It then provides links that enable those missing patches to be downloaded and installed.
Explanation: The Microsoft Baseline Security Analyzer (MBSA) is a tool put out by Microsoft to help analyze security problems in Microsoft Windows. It does this by scanning the system for security problems in Windows, Windows components such as the IIS web server application, Microsoft SQL Server, and Microsoft Office. One example of an issue might be that permissions for one of the directories in the wwwroot folder of IIS could be set at too low a level, allowing unwanted modification of files from outsiders.
Question No: 62 – (Topic 3)
War dialing is a very old attack and is depicted in movies that were made years ago. Why would a modern security tester consider using such an old technique?
It is cool, and if it works in the movies it must work in real life.
It allows circumvention of protection mechanisms by being on the internal network.
It allows circumvention of the company PBX.
A good security tester would not use such a derelict technique.
Explanation: If you are lucky and find a modem that answers and is connected to the target network, it usually is less protected (as only employees are supposed to know of its existence) and once connected you don’t need to take evasive actions towards any firewalls or IDS.
Question No: 63 – (Topic 3)
What are the default passwords used by SNMP? (Choose two.)
Explanation: Besides the fact that it passes information in clear text, SNMP also uses well-known passwords. Public and private are the default passwords used by SNMP.
Question No: 64 – (Topic 3)
Doug is conducting a port scan of a target network. He knows that his client target network has a web server and that there is a mail server also which is up and running. Doug has been sweeping the network but has not been able to elicit any response from the remote target. Which of the following could be the most likely cause behind this lack of response? Select 4.
UDP is filtered by a gateway
The packet TTL value is too low and cannot reach the target
The host might be down
The destination network might be down
The TCP window size does not match
ICMP is filtered by a gateway
Explanation: If the destination host or the destination network is down there is no way to get an answer, and if the TTL (Time To Live) is set too low the UDP packets will "die" before reaching the host because of too many hops between the scanning computer and the target. The TCP receive window size is the amount of received data (in bytes) that can be buffered during a connection; the sending host can send only that amount of data before it must wait for an acknowledgment and window update from the receiving host. ICMP is mainly used for echo requests and not in port scans.
Question No: 65 – (Topic 3)
War dialing is one of the oldest methods of gaining unauthorized access to target systems, and it is one of the dangers most commonly forgotten by network engineers and system administrators. A hacker can sneak past all the expensive firewalls and IDS and connect easily into the network. Through war dialing an attacker searches for the devices located in the target network infrastructure that are also accessible through the telephone line.
'Dial backup' in routers is most frequently found in networks where redundancy is required. Dial-on-demand routing (DDR) is commonly used to establish connectivity as a backup.
As a security tester, how would you discover what telephone numbers to dial in to the router?
Search the Internet for leakage for target company’s telephone number to dial-in
Run a war-dialing tool with range of phone numbers and look for CONNECT Response
Connect using ISP’s remote-dial in number since the company’s router has a leased line connection established with them
Brute force the company’s PABX system to retrieve the range of telephone numbers to dial-in
Explanation: Use a program like Toneloc to scan the company’s range of phone numbers.
Question No: 66 – (Topic 3)
Study the log below and identify the scan type.
tcpdump -vv host 192.168.1.10
17:34:45.802163 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 36166)
17:34:45.802216 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 33796)
17:34:45.802266 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 47066)
17:34:46.111982 eth0 < 192.168.1.1 > victim: ip-proto-74 0 (ttl 48, id 35585)
17:34:46.112039 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 32834)
17:34:46.112092 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 26292)
17:34:46.112143 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 51058)
tcpdump -vv -x host 192.168.1.10
17:35:06.731739 eth0 < 192.168.1.10 > victim: ip-proto-130 0 (ttl 59, id 42060) 4500
0014 a44c 0000 3b82 57b8 c0a8 010a c0a8 0109 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000
A. nmap -sR 192.168.1.10
B. nmap -sS 192.168.1.10
C. nmap -sV 192.168.1.10
D. nmap -sO -T 192.168.1.10
Question No: 67 – (Topic 3)
Which of the following Nmap commands would be used to perform a UDP scan of the lower 1024 ports?
Nmap -h -U
Nmap -hU <host(s)>
Nmap -sU -p 1-1024 <host(s)>
Nmap -u -v -w2 <host> 1-1024
Nmap -sS -O target/1024
Explanation: Nmap -sU -p 1-1024 <host(s)> is the proper syntax. Learning Nmap and its switches is critical for successful completion of the CEH exam.
Question No: 68 – (Topic 3)
You have initiated an active operating system fingerprinting attempt with nmap against a target system:
[root@ceh NG]# /usr/local/bin/nmap -sT -O 10.0.0.1
Starting nmap 3.28 ( www.insecure.org/nmap/) at 2003-06-18 19:14 IDT
Interesting ports on 10.0.0.1:
(The 1628 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp filtered ftp
22/tcp filtered ssh
25/tcp open smtp
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
389/tcp open LDAP
443/tcp open https
465/tcp open smtps
1029/tcp open ms-lsa
1433/tcp open ms-sql-s
2301/tcp open compaqdiag
5555/tcp open freeciv
5800/tcp open vnc-http
5900/tcp open vnc
6000/tcp filtered X11
Remote operating system guess: Windows XP, Windows 2000, NT4 or 95/98/98SE
Nmap run completed – 1 IP address (1 host up) scanned in 3.334 seconds
Using its fingerprinting tests, nmap is unable to distinguish between different groups of Microsoft-based operating systems: Windows XP, Windows 2000, NT4 or 95/98/98SE.
What operating system is the target host running based on the open ports shown above?
Windows 98 SE
Windows NT4 Server
Windows 2000 Server
Explanation: The system is reachable as an Active Directory domain controller (port 389, LDAP).
Question No: 69 – (Topic 3)
What are the four steps used by nmap scanning?
Reverse DNS lookup
TCP three way handshake
The Actual nmap scan
Explanation: Nmap performs four steps during a normal device scan. Some of these steps can be modified or disabled using options on the nmap command line.
->If a hostname is used as a remote device specification, nmap will perform a DNS
lookup prior to the scan.
->Nmap pings the remote device. This refers to the nmap "ping" process, not (necessarily) a traditional ICMP echo request.
->If an IP address is specified as the remote device, nmap will perform a reverse DNS lookup in an effort to identify a name that might be associated with the IP address. This is the opposite process of what happens in step 1, where an IP address is found from a hostname specification.
->Nmap executes the scan. Once the scan is over, this four-step process is completed. Except for the actual scan process in step four, each of these steps can be disabled or prevented using different IP addressing or nmap options. The nmap process can be as "quiet" or as "loud" as necessary!
Question No: 70 – (Topic 3)
Steve scans the network for SNMP enabled devices. Which port number Steve should scan?
A. 69
B. 150
C. 161
D. 169
Explanation: The SNMP default port is 161. Port 69 is used for tftp, 150 is for SQL-NET and 169 is for SEND.