Free Practice Questions for GAQM CEH-001 Exam

Understanding DNS is critical to meeting the requirements of the CEH. When the serial number that is within the SOA record of the primary server is higher than the Serial number within the SOA record of the secondary DNS server, a zone transfer will take place.

The zone file typically contains the following records:

SOA – Start Of Authority

NS – Name Server record

MX – Mail eXchange record

A – Address record

Explanations:

John the Ripper can be used to crack a variety of passwords, but one limitation is that the output doesn't show if the password is upper or lower case. John the Ripper is a very effective password cracker. It can crack passwords for many different types of operating systems. However, one limitation is that the output doesn't show if the password is upper or lower case. BY using NTLMV1, you have implemented an effective countermeasure to password cracking. NTLM Version 2 (NTLMV2) is a good countermeasure to LM password cracking (and therefore a correct answer). To do this, set Windows 9x and NT systems to "send NTLMv2 responses only". SYSKEY is an effective countermeasure. It uses 128 bit encryption on the local copy of the Windows SAM. If a Windows LM password is 7 characters or less, the has will be passed with the following characters:

0xAAD3B435B51404EE

Enforcing Windows complex passwords is an effective countermeasure to password cracking. Complex passwords are- greater than 6 characters and have any 3 of the following 4 items: upper case, lower case, special characters, and numbers.

A man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised.

A NULL scan will have no response if the port is open.

When a cracker knows what OS and Services you use he also knows which exploits might work on your system. If he would have to try all possible exploits for all possible Operating Systems and Services it would take too long time and the possibility of being detected increases.

When looking at an extracted LM hash, you will sometimes observe that the right most portion is always the same. This is padding that has been added to a password that is less than 8 characters long.

To compromise the data, the attack would need to be executed before the encryption takes place at either end of the tunnel. Trojan Horse and Back Orifice attacks both allow for potential data manipulation on host computers. In both cases, the data would be compromised either before encryption or after decryption, so IPsec is not preventing the attack.

As the hardware keylogger never interacts with the Operating System it is undetectable by anti-virus or anti-spyware products.

Explanations:

By using port security on his switches, the switches will only allow the first MAC address that is connected to the switch to use that port, thus preventing ARP spoofing.ARPWatch is a tool that monitors for strange ARP activity. This may help identify ARP spoofing when it happens. Using firewalls between all LAN segments is possible and may help, but is usually pretty unrealistic. On a very small network, static ARP entries are a possibility. However, on a large network, this is not an realistic option. ARP spoofing doesn't have anything to do with static or dynamic IP addresses. Thus, this option won't help you.

Eve tries to get a successful login using the username Administrator and passwords from the file hackfile.txt.

The “Get /msadc/……/……/……/winnt/system32/cmd.exe?” shows that a Unicode Directory Traversal Attack has been performed.

Kerberos, Smart cards and Stanford SRP are techniques where the password never leaves the computer.

Explanations: %windir%\\system32\\drivers\\etc\\services is the correct place to look for this information.

Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.

Ethereal is used for sniffing traffic. It will return the best results when used on an unswitched (i.e. hub. network.

The numbers represents the following values:

200302028; se = serial number

3600; ref = refresh = 1h

3600; ret = update retry = 1h

604800; ex = expiry = 1w

3600; min = minimum TTL = 1h

The LM hash is computed as follows.

1. The user’s password as an OEM string is converted to uppercase.

2. This password is either null-padded or truncated to 14 bytes.

3. The “fixed-length” password is split into two 7-byte halves.

4. These values are used to create two DES keys, one from each 7-byte half.

5. Each of these keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values.

6. These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.

The hashes them self are sent in clear text over the network instead of sending the password in clear text.

In computing, GINA refers to the graphical identification and authentication library, a component of some Microsoft Windows operating systems that provides secure authentication and interactive logon services.