GAQM CPEH-001 Exam Practice Test Instant Access

Question 1

What is SYSKEY # of bits used for encryption?

A40

B64

C128

D256

Answer : C

System Key hotfix is an optional feature which allows stronger encryption of SAM. Strong encryption protects private account information by encrypting the password data using a 128-bit cryptographically random key, known as a password encryption key.

Question 2

What is the advantage in encrypting the communication between the agent and the monitor in an Intrusion Detection System?

AEncryption of agent communications will conceal the presence of the agents

BThe monitor will know if counterfeit messages are being generated because they will not be encrypted

CAlerts are sent to the monitor when a potential intrusion is detected

DAn intruder could intercept and delete data or alerts and the intrusion can go undetected

Answer : B

Question 3

An Evil Cracker is attempting to penetrate your private network security. To do this, he must not be seen by your IDS, as it may take action to stop him. What tool might he use to bypass the IDS?

Select the best answer.

AFirewalk

BManhunt

CFragrouter

DFragids
Explanations:
Firewalking is a way to disguise a portscan. Thus, firewalking is not a tool, but a method of conducting a port scan in which it can be hidden from some firewalls. Synamtec Man-Hunt is an IDS, not a tool to evade an IDS.
Fragrouter is a tool that can take IP traffic and fragment it into multiple pieces. There is a legitimate reason that fragmentation is done, but it is also a technique that can help an attacker to evade detection while Fragids is a made-up tool and does not exist.

Answer : C

Question 4

Most NIDS systems operate in layer 2 of the OSI model. These systems feed raw traffic into a detection engine and rely on the pattern matching and/or statistical analysis to determine what is malicious. Packets are not processed by the host's TCP/IP stack allowing the NIDS to analyze traffic the host would otherwise discard. Which of the following tools allows an attacker to intentionally craft packets to confuse pattern-matching NIDS systems, while still being correctly assembled by the host TCP/IP stack to render the attack payload?

ADefrag

BTcpfrag

CTcpdump

DFragroute

Answer : D

fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks 'Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection' paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour. This tool was written in good faith to aid in the testing of network intrusion detection systems, firewalls, and basic TCP/IP stack behaviour.

Question 5

During the intelligence gathering phase of a penetration test, you come across a press release by a security products vendor stating that they have signed a multi-million dollar agreement with the company you are targeting. The contract was for vulnerability assessment tools and network based IDS systems. While researching on that particular brand of IDS you notice that its default installation allows it to perform sniffing and attack analysis on one NIC and caters to its management and reporting on another NIC. The sniffing interface is completely unbound from the TCP/IP stack by default. Assuming the defaults were used, how can you detect these sniffing interfaces?

AUse a ping flood against the IP of the sniffing NIC and look for latency in the responses.

BSend your attack traffic and look for it to be dropped by the IDS.

CSet your IP to that of the IDS and look for it as it attempts to knock your computer off the network.

DThe sniffing interface cannot be detected.

Answer : D

When a Nic is set to Promiscuous mode it just blindly takes whatever comes through to it network interface and sends it to the Application layer. This is why they are so hard to detect. Actually you could use ARP requests and Send them to every pc and the one which responds to all the requests can be identified as a NIC on Promiscuous mode and there are some very special programs that can do this for you. But considering the alternatives in the question the right answer has to be that the interface cannot be detected.

Question 6

If you come across a sheepdip machine at your client's site, what should you do?

AA sheepdip computer is used only for virus-checking.

BA sheepdip computer is another name for a honeypot

CA sheepdip coordinates several honeypots.

DA sheepdip computers defers a denial of service attack.

Answer : A

Also known as a footbath, a sheepdip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheepdips use at least two different antivirus programs in order to increase effectiveness.

Question 7

What is a sheepdip?

AIt is another name for Honeynet

BIt is a machine used to coordinate honeynets

CIt is the process of checking physical media for virus before they are used in a computer

DNone of the above

Answer : C

GAQM CPEH-001 Certified Professional Ethical Hacker (CPEH) Exam Practice Test