http://www.scribd.

com/doc/34499066/Cehv6-Study-Guide

CEH V6 Study Guide

------------------
1. Jason is the network security administrator for Gunderson International, a gl obal shipping company based
out of New York City. Jason’s company utilizes many layers of security throughout its network such as network
firewalls, applicatio n firewalls, vlans, operating system hardening, and so on. One thing in particu lar the
company is concerned with is the trustworthiness of data and resources i n terms of preventing improper and
unauthorized changes. Since the company is g lobal, information is sent constantly back and forth to all its
employees all ov er the world. What in particular is Jason’s company concerned about?
A. Jason’s company is particularly concerned about data integrity. *
B. Authenticity is what the company is most concerned about.
C. The confidentiality of the company’s data is the most important concern for G
underson International.
D. The availability of the data is paramount to any other concern of the company

2. Yancey is a network security administrator for a large electric company. Thi

s company provides power for over 100,000 people in Las Vegas. Yancey has worke d for his company for
over 15 years and has become very successful. One day, Ya ncey comes in to work and finds out that the
company will be downsizing and he w ill be out of a job in two weeks. Yancey is very angry and decides to
place log ic bombs, viruses, Trojans, and backdoors all over the network to take down the company once he
has left. Yancey does not care if his actions land him in jail for 30 or more years, he just wants the company to
pay for what they are doing t o him. What would Yancey be considered?
A. Yancey would be considered a Suicide Hacker. *
B. Since he does not care about going to jail, he would be considered a Black Ha
t.
C. Because Yancey works for the company currently; he would be a White Hat.
D. Yancey is a Hacktivist Hacker since he is standing up to a company that is do
wnsizing.
3. Heather is a hacktivist working for Green Peace International. She has broke n into numerous oil and energy
companies and exposed their confidential data to the public. Normally, Heather uses a combination of social
engineering and DoS techniques to gain access to the companies’ networks. Heather has made over 50 fake
ID cards and access badges to gain unauthorized access to companies to gain information as well. If Heather
is caught by the federal government, what US l aw could she be prosecuted under?
A. She could be prosecuted under US law 18 U.S.C § 1029 if caught. *
B. Heather would be charged under 18 U.S.C § 2510, which entails the use of more
than 15 counterfeit items.
C. 18 U.S.C § 9914 is the US law that Heather would be prosecuted under since sh
e used false pretenses to gain unauthorized access.
D. Heather would serve prison time for her actions if prosecuted under US law 18
U.S.C § 2929.
http://www.scribd.com/doc/34499066/Cehv6-Study-Guide

4. Stephanie is the senior security analyst for her company, a manufacturing com pany in Detroit. Stephanie is
in charge of maintaining network security through out the entire company. A colleague of hers recently told her
in confidence tha t he was able to see confidential corporate information on Stephanie’s external website. He
was typing in URLs randomly on the company website and he found inf ormation that should not be public. Her
friend said this happened about a month ago. Stephanie goes to the addresses he said the pages were at, but
snothing. She is very concerned about this, since someone should be held account able if there really was
sensitive information posted on the website. Where can Stephanie go to see past versions and pages of a
website?
A. Stephanie can go to Archive.org to see past versions of the company website.
*B. She should go to the web page Samspade.org to see web pages that might no lon
ger be on the website.
C. If Stephanie navigates to Search.com; she will see old versions of the compan
y website.
D. AddressPast.com would have any web pages that are no longer hosted on the com
pany’s website.
5. You are the chief information officer for your company, a shipping company ba sed out of Oklahoma City.
You are responsible for network security throughout t he home office and all branch offices. You have
implemented numerous layers of security from logical to physical. As part of your procedures, you perform a ye
arly network assessment which includes vulnerability analysis, internal network scanning, and external
penetration tests. Your main concern currently is the se rver in the DMZ which hosts a number of company
websites. To see how the server appears to external users, you log onto a laptop at a Wi-Fi hotspot. Since you
already know the IP address of the web server, you create a telnet session to t hat server and type in the
command:
HEAD /HTTP/1.0
After typing in this command, you are presented with the following screen:

he finds

What are you trying to do here?

A. You are trying to grab the banner of the web server. *
B. You are attempting to send an html file over port 25 to the web server.
C. You are trying to open a remote shell to the web server.
D. By typing in the HEAD command, you are attempting to create a buffer overflow
on the web server.
6. Kyle is a security consultant currently working under contract for a large fi nancial firm based in San
Francisco. Kyle has been asked by the company to perf orm any and all tests necessary to ensure that every
point of the network is sec ure. Kyle first performs some passive footprinting. He finds the company’s web site
which he checks out thoroughly for information. Kyle sets up an account wi th the company and logs on to their
website with his information.
Kyle changes the URL to:
This address produces a Page Cannot be Displayed error. Kyle then types in anot
her URL:
What is Kyle attempting here?
A. Kyle is trying incremental substitution to navigate to other pages not normal
ly available. *

B. Kyle is using extension walking to gain access to other web pages.

C. He is using error walking to see what software is being used to host the fina
 http://www.scribd.com/doc/34499066/Cehv6-Study-Guide

ncial institution’s website.

D. By changing the address manually, Kyle is attempting ASP poisoning.
7. George is the senior security analyst for Tyler Manufacturing, a motorcycle m anufacturing company in
Seattle. George has been tasked by the president of the company to perform a complete network security
audit. The president is most co ncerned about crackers breaking in through the company’s web server. This
web s erver is vital to the company’s business since over one million dollars of produ ct is sold online every
year. The company’s web address is at: www.customchopp ers.com. George decides to hire an external
security auditor to try and break i nto the network through the web server. This external auditor types in the foll
owing Google search attempting to glean information from the web server:
What is the auditor trying to accomplish here?
A. He is trying to search for all web pages on the customchoppers site without e
xtensions of html and htm. *
B. The auditor is having Google retrieve all web pages on the Tyler Manufacturin
g website that either have the extension of html or htm.
C. He is attempting to retrieve all web pages the might have a login page to the
company’s backend database.
D. The auditor that George has hired is trying to find pages with the extension
of html or htm that link directly to customchoppers.com.

8. Jonathan is an IT security consultant working for Innovative Security, an IT auditing company in Houston.
Jonathan has just been hired on to audit the netwo rk of a large law firm in downtown Houston. Jonathan starts
his work by perform ing some initial passive scans and social engineering. He then uses Angry IP to scan for
live hosts on the firm’s network. After finding some live IP addresse s, he attempts some firewalking techniques
to bypass the firewall using ICMP but the firewall blocks this traffic. Jonathan decides to use HPING2 to
hopefully bypass the firewall this time. He types in the following command:
What is Jonathan trying to accomplish by using HPING2?
A. Jonathan is attempting to send spoofed SYN packets to the target via a truste
d third party to port 81. *
B. He is using HPING2 to send FIN packets to 10.0.1.24 over port 81.
C. By using this command for HPING2, Jonathan is attempting to connect to the ho
st at 10.0.1.24 through an SSH shell.
D. This HPING2 command that Jonathan is using will attempt to connect to the 10.
0.1.24 host over HTTP by tunneling through port 81.
9. Hayden is the network security administrator for her company, a large marking firm based in Miami. Hayden
just got back from a security conference in Las Ve gas where they talked about all kinds of old and new
security threats; many of w hich she did not know of. Hayden is worried about the current security state of her
company’s network so she decides to start scanning the network from an exte rnal IP address. To see how
some of the hosts on her network react, she sends o ut SYN packets to an IP range. A number of IPs responds
with a SYN/ACK response . Before the connection is established she sends RST packets to those hosts to stop
the session. She has done this to see how her intrusion detection system w ill log the traffic. What type of scan
is Hayden attempting here?
A. Hayden is using a half-open scan to find live hosts on her network. *

B. Hayden is attempting to find live hosts on her company’s network by using an

XMAS scan.
C. She is utilizing a SYN scan to find live hosts that are listening on her netw
http://www.scribd.com/doc/34499066/Cehv6-Study-Guide

ork.
D. This type of scan she is using is called a NULL scan.
10. Paul is the systems administrator for One-Time International, a computer man ufacturing company. Paul is
in charge of the company’s older PBX system as well as its workstations and servers. The company’s internal
network is connected t o the PBX phone system so that customized software applications used by employee s
can use the PBX to dial out to customers. Paul is concerned about crackers br eaking into his network by way
of the PBX. He is particularly worried about war dialing software that might try all of the company’s numbers to
find a way in. What software utility can Paul use to notify him if any war dialing attempts ar e made on his PBX?
A. Paul can use SandTrap which would notify him if anyone tries to break into th
e PBX.*
B. If Paul uses ToneLoc, he will be notified by the software when and if anyone
tries to crack into the PBX system.
C. THC Scan would be the best software program for Paul to use if he wants to be
notified of war dialer attacks.
D. Paul needs to use Roadkil’s Detector software to tell if a hacker is trying t
o break into his phone system
11. You are the chief security information analyst for your company Utilize Inco rporated. You are currently
preparing for a future security audit that will be performed by a consulting company. This security audit is
required by company p olicy. To prepare, you are performing vulnerability analysis, scanning, brute f orce, and
many other techniques. Your network is comprised of Windows as well a s Linux servers. From one of the
client computers running Linux, you open a com mand shell and type in the following command:
What are you trying to accomplish?
A. You are attempting to establish a null session on the 192.168.2.121 host. *
B. You are trying to connect to this host at the IPC share using the currently l
ogged on user’s credentials.
C. By typing in this command, you are attempting to connect to the SMB share on
the host using an Anonymous connection.
D. You are trying to connect to the localhost share of the client computer.
12. Lauren is a network security officer for her agency, a large state-run agenc y in California. Lauren has been
asked by the IT manager of another state agenc y to perform a security audit on their network. This audit she
has been asked t o perform will be an external audit. The IT manager thought that Lauren would b e a great
candidate for this task since she does not work for the other agency b ut is an accomplished IT auditor. The
first task that she has been asked to per form is to attempt to crack user passwords. Since Lauren knows that
all state a gency passwords must abide by the same password policy, she believes she can fin ish this
particular task quickly. What would be the best password attack method for Lauren to use in this situation?
A. Lauren should use a rule-based attack on the agency’s user passwords. *
B. Lauren can produce the best and fastest results if she uses a dictionary atta
ck.
C. A hyberfil-based password attack would be the best method of password crackin
g in this scenario.

D. She should utilize the reverse-encryption password cracking technique since

she knows the password policy.
13. Simon is the network administrator for his company. Simon is also an IT sec urity expert with over 10
security-related certifications. Simon has been asked by the company CIO to perform a comprehensive security
audit of the entire netw ork. After auditing the network at the home office without finding any issues, he travels
to one of the company’s branch offices in New Orleans. The first tas k that Simon carries out is to set up traffic
 http://www.scribd.com/doc/34499066/Cehv6-Study-Guide

mirroring on the internal-facing p ort of that office’s firewall. On this port, he uses Wireshark to capture traff ic.
Alarmingly, he finds a huge number of UDP packets going both directions on ports 2140 and 3150. What is
most likely occurring here?
A. A client inside the network has been infected with the Deep Throat Trojan. *
B. This type of traffic is indicative of the Netbus Trojan.
C. Most likely, a computer inside the network is infected with the SQL Slammer w
orm.
D. Seeing traffic on UDP ports 2140 and 3150 means that a computer is infected w
ith the Bobax Trojan
14. Tyler is the senior security officer for WayUP Enterprises, an online retail company based out of Los Angeles.
Tyler is currently performing a network secu rity audit for the entire company. After seeing some odd traffic on
the firewal l going outbound to an IP address found to be in North Korea, Tyler decides to l ook further. Tyler
traces the traffic back to the originating IP inside the net work; which he finds to be a client running Windows
XP. Tyler logs onto this cl ient computer and types in the following command:

What is Tyler trying to accomplish by using this command?

A. Tyler is trying to find out all the ports that are listening on this computer
. *
B. Tyler is using this command to find all the host records that are stored on t
he local client computer.
C. By using this command, Tyler is closing all open TCP and UDP sessions on the
computer.
D. This command will show Tyler if there are any Trojan programs installed on th
is computer.
15. Lyle is a systems security analyst for Gusteffson & Sons, a large law firm i
n Beverly Hills. Lyle’s responsibilities include network vulnerability scans, A
ntivirus monitoring, and IDS monitoring. Lyle receives a help desk call from a
user in the Accounting department. This user reports that his computer is runni
ng very slow all day long and it sometimes gives him an error message that the h
ard drive is almost full. Lyle runs a scan on the computer with the company ant
ivirus software and finds nothing. Lyle downloads another free antivirus applic
ation and scans the computer again. This time a virus is found on the computer.
The infected files appear to be Microsoft Office files since they are in the s
ame directory as that software. Lyle does some research and finds that this vir
us disguises itself as a genuine application on a computer to hide from antiviru
s software. What type of virus has Lyle found on this computer?
A. Lyle has discovered a camouflage virus on the computer. *
B. By using the free antivirus software, Lyle has found a tunneling virus on the
computer.
C. This type of virus that Lyle has found is called a cavity virus.
D16. Miles is a network administrator working for the University of Central Oklah oma. Miles’ responsibilities
include monitoring all network traffic inside the network and traffic coming into the network. On the university’s
IDS, Miles not ices some odd traffic originating from some client computers inside the network.
Miles decides to use Tcpdump to take a further look.
What is Miles going to accomplish by running this command?
A. Miles is trying to capture all UDP traffic from client1 and the LAN except fo
r traffic to client29. *
http://www.scribd.com/doc/34499066/Cehv6-Study-Guide

B. He is trying to see all UDP traffic between client1 and client29 only.
C. This command will capture all traffic on the internal network except for traf
fic originating from client1 and client29.
D. Miles will be able to capture all traffic on the network originating from cli
ent1 and client29 except UDP traffic.
17. Neil is an IT security consultant working on contract for Davidson Avionics.
Neil has been hired to audit the network of Davidson Avionics. He has been gi
ven permission to perform any tests necessary. Neil has created a fake company
ID badge and uniform. Neil waits by one of the company’s entrance doors and fol
lows an employee into the office after they use their valid access card to gain
entrance. What type of social engineering attack has Neil employed here?
A. Neil has used a tailgating social engineering attack to gain access to the of
fices. *
B. He has used a piggybacking technique to gain unauthorized access.
C. This type of social engineering attack is called man trapping.
D. Neil is using the technique of reverse social engineering to gain access to t
he offices of Davidson Avionics

. Lyle has found a polymorphic virus on this computer.

18. Xavier is a network security specialist working for a federal agency in Wash ington DC. Xavier is
responsible for maintaining agency security policies, teac hing security awareness classes, and monitoring the
overall health of the networ k. One of Xavier’s coworkers receives a help desk call from a user who is havin g
issues navigating to certain sites on the Internet. Xavier’s coworker cannot figure out the issue so he hands it
off to Xavier. He logs on to the user’s com puter and goes to a couple of websites the user said were having
issues. When X avier types in www.Google.com, it takes him to Boogle.com instead. When Xavier types in
Yahoo.com, it takes him to Yahooo.com instead. Xavier checks all the I P settings on the computer which are
static and they appear to be correct. Xavi er checks the local DNS settings as well as the DNS settings on the
server and t hey are correct. Xavier opens a command window and types in: ipconfig /flushdn s. When he
navigates to the previous sites, he is still directed to the wrong o nes. What issue is Xavier seeing here on the
client computer?
A. This client computer has had the hosts file poisoned. *
B. From this behavior, it is evident that the client computer’s DNS cache has be
en poisoned.
C. Xavier is seeing a computer that has been infected with an IRC bot Trojan.
D. This computer has obviously been hit by a Smurf attack.
19. Javier is a network security consultant working on contract for a state agen cy in Texas. Javier has been
asked to test the agency’s network security from e very possible aspect. Javier decides to use the Reaper
Exploit virus to see if he can exploit any weaknesses in the company’s email. He infects a couple of co mputers
with the virus and waits for the users of those machines to use their em ail client. After a short amount of time,
he receives numerous emails that were
http://www.scribd.com/doc/34499066/Cehv6-Study-Guide