Review Questions
1. What port number does FTP use?
A. 21
B. 25
C. 23
D. 80
2. What port number does HTTPS use?
A. 443
B. 80
C. 53
D. 21
3. What is war dialing used for?
A. Testing firewall security
B. Testing remote access system security
C. Configuring a proxy filtering gateway
D. Configuring a firewall
4. Banner grabbing is an example of what?
A. Passive operating system fingerprinting
B. Active operating system fingerprinting
C. Footprinting
D. Application analysis
5. What are the three types of scanning?
A. Port, network, and vulnerability
B. Port, network, and services
C. Grey, black, and white hat
D. Server, client, and network
6. What is the main problem with using only ICMP queries for scanning?
A. The port is not always available.
B. The protocol is unreliable.
C. Systems may not respond because of a firewall.
D. Systems may not have the service running.
7. What does the TCP RST command do?
A. Starts a TCP connection
B. Restores the connection to a previous state
C. Finishes a TCP connection
D. Resets the TCP connection
8. What is the proper sequence of a TCP connection?
A. SYN-SYN-ACK-ACK
B. SYN-ACK-FIN
C. SYN-SYNACK-ACK
D. SYN-PSH-ACK
9. A packet with all flags set is which type of scan?
A. Full Open
B. Syn scan
C. XMAS
D. TCP connect
10. What is the proper command to perform an nmap SYN scan every 5 minutes?
A. nmap -ss - paranoid
B. nmap -sS -paranoid
C. nmap -sS -fast
D. namp -sS -sneaky
11. To prevent a hacker from using SMB session hijacking, which TCP and UDP ports would you block at the firewall?
A. 167 and 137
B. 80 and 23
C. 139 and 445
D. 1277 and 1270
12. Why would an attacker want to perform a scan on port 137?
A. To locate the FTP service on the target host
B. To check for file and print sharing on Windows systems
C. To discover proxy servers on a network
D. To discover a target system with the NetBIOS null session vulnerability
13. SNMP is a protocol used to manage network infrastructure devices. What is the SNMP read/write community name used for?
A. Viewing the configuration information
B. Changing the configuration information
C. Monitoring the device for errors
D. Controlling the SNMP management station
14. Why would the network security team be concerned about ports 135–139 being open on a system?
A. SMB is enabled, and the system is susceptible to null sessions.
B. SMB is not enabled, and the system is susceptible to null sessions.
C. Windows RPC is enabled, and the system is susceptible to Windows DCOM remote sessions.
D. Windows RPC is not enabled, and the system is susceptible to Windows DCOM remote sessions.
15. Which step comes after enumerating users in the CEH hacking cycle?
A. Crack password
B. Escalate privileges
C. Scan
D. Cover tracks
16. What is enumeration?
A. Identifying active systems on the network
B. Cracking passwords
C. Identifying users and machine names
D. Identifying routers and firewalls
17. What is a command-line tool used to look up a username from a SID?
A. UsertoSID
B. Userenum
C. SID2User
D. GetAcct
18. Which tool can be used to perform a DNS zone transfer on Windows?
A. NSlookup
B. DNSlookup
C. Whois
D. IPconfig
19. What is a null session?
A. Connecting to a system with the administrator username and password
B. Connecting to a system with the admin username and password
C. Connecting to a system with a random username and password
D. Connecting to a system with no username and password
20. What is a countermeasure for SNMP enumeration?
A. Remove the SNMP agent from the device.
B. Shut down ports 135 and 139 at the firewall.
C. Shut down ports 80 and 443 at the firewall.
D. Enable SNMP read-only security on the agent device.
Answers to Review Questions
1. A. FTP uses TCP port 21. This is a well-known port number and can be found in the Windows Services file.
2. A. HTTPS uses TCP port 443. This is a well-known port number and can be found in the Windows Services file.
3. B. War dialing involves placing calls to a series of numbers in hopes that a modem will answer the call. It can be used to test the security of a remote-access system.
4. A. Banner grabbing is not detectable; therefore it is considered passive OS fingerprinting.
5. A. Port, network, and vulnerability are the three types of scanning.
6. C. Systems may not respond to ICMP because they have firewall software installed that blocks the responses.
7. D. The TCP RST command resets the TCP connection.
8. A. A SYN packet is followed by a SYN-ACK packet. Then, an ACK finishes a successful TCP connection.
9. C. An XMAS scan has all flags set.
10. B. The command nmap -sS -paranoid performs a SYN scan every 300 seconds, or 5 minutes.
11. C. Block the ports used by NetBIOS null sessions. These are 139 and 445.
12. D. Port 137 is used for NetBIOS null sessions.
13. B. The SNMP read/write community name is the password used to make changes to the device configuration.
14. A. Ports in the 135 to 139 range indicate the system has SMB services running and is susceptible to null sessions.
15. A. Password cracking is the next step in the CEH hacking cycle after enumerating users.
16. C. Enumeration is the process of finding usernames, machine names, network shares, and services on the network.
17. C. SID2User is a command-line tool that is used to find a username from a SID.
18. A. NSlookup is a Windows tool that can be used to initiate a DNS zone transfer that sends all the DNS records to a hacker’s system.
19. D. A null session involves connecting to a system with no username and password.
20. A. The best countermeasure to SNMP enumeration is to remove the SNMP agent from the device. Doing so prevents it from responding to SNMP requests.