GAQM CPEH-001 Exam Practice Test Instant Access

Question 1

The following exploit code is extracted from what kind of attack?

ARemote password cracking attack

BSQL Injection

CDistributed Denial of Service

DCross Site Scripting

EBuffer Overflow

Answer : E

This is a buffer overflow with it's payload in hex format.

Question 2

There are two types of honeypots- high and low interaction. Which of these describes a low interaction honeypot? Select the best answers.

AEmulators of vulnerable programs

BMore likely to be penetrated

CEasier to deploy and maintain

DTend to be used for production

EMore detectable

FTend to be used for research
Explanations:
A low interaction honeypot would have emulators of vulnerable programs, not the real programs.
A high interaction honeypot is more likely to be penetrated as it is running the real program and is more vulnerable than an emulator.
Low interaction honeypots are easier to deploy and maintain. Usually you would just use a program that is already available for download and install it. Hackers don't usually crash or destroy these types of programs and it would require little maintenance.
A low interaction honeypot tends to be used for production.
Low interaction honeypots are more detectable because you are using emulators of the real programs. Many hackers will see this and realize that they are in a honeypot.
A low interaction honeypot tends to be used for production. A high interaction honeypot tends to be used for research.

Answer : A, C, D, E

Question 3

Exhibit:

Given the following extract from the snort log on a honeypot, what service is being exploited? :

AFTP

BSSH

CTelnet

DSMTP

Answer : A

The connection is done to 172.16.1.104:21.

Question 4

Eric notices repeated probes to port 1080. He learns that the protocol being used is designed to allow a host outside of a firewall to connect transparently and securely through the firewall. He wonders if his firewall has been breached. What would be your inference?

AEric network has been penetrated by a firewall breach

BThe attacker is using the ICMP protocol to have a covert channel

CEric has a Wingate package providing FTP redirection on his network

DSomebody is using SOCKS on the network to communicate through the firewall

Answer : D

Port Description:

SOCKS. SOCKS port, used to support outbound tcp services (FTP, HTTP, etc). Vulnerable similar to FTP Bounce, in that attacker can connect to this port and \bounce\ out to another internal host. Done to either reach a protected internal host or mask true source of attack. Listen for connection attempts to this port -- good sign of port scans, SOCKS-probes, or bounce attacks. Also a means to access restricted resources. Example: Bouncing off a MILNET gateway SOCKS port allows attacker to access web sites, etc. that were restricted only to.mil domain hosts.

Question 5

Neil is closely monitoring his firewall rules and logs on a regular basis. Some of the users have complained to Neil that there are a few employees who are visiting offensive web site during work hours, without any consideration for others. Neil knows that he has an up-to-date content filtering system and such access should not be authorized. What type of technique might be used by these offenders to access the Internet without restriction?

AThey are using UDP that is always authorized at the firewall

BThey are using an older version of Internet Explorer that allow them to bypass the proxy server

CThey have been able to compromise the firewall, modify the rules, and give themselves proper access

DThey are using tunneling software that allows them to communicate with protocols in a way it was not intended

Answer : D

This can be accomplished by, for example, tunneling the http traffic over SSH if you have a SSH server answering to your connection, you enable dynamic forwarding in the ssh client and configure Internet Explorer to use a SOCKS Proxy for network traffic.

Question 6

You have performed the traceroute below and notice that hops 19 and 20 both show the same IP address. What can be inferred from this output?

AAn application proxy firewall

BA stateful inspection firewall

CA host based IDS

DA Honeypot

Answer : B

Question 7

What is the tool Firewalk used for?

ATo test the IDS for proper operation

BTo test a firewall for proper operation

CTo determine what rules are in place for a firewall

DTo test the webserver configuration

EFirewalk is a firewall auto configuration tool

Answer : C

Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device 'firewall' will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets and no response will be returned.

GAQM CPEH-001 Certified Professional Ethical Hacker (CPEH) Exam Practice Test