Quiz-summary
0 of 10 questions completed
Questions:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
Information
Certified Ethical Hacker Exam Practice Questions
You have already completed the quiz before. Hence you can not start it again.
Quiz is loading...
You must sign in or sign up to start the quiz.
You have to finish following quiz, to start this quiz:
Results
0 of 10 questions answered correctly
Your time:
Time has elapsed
You have reached 0 of 0 points, (0)
Categories
- Not categorized 0%
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- Answered
- Review
-
Question 1 of 10
1. Question
Several techniques can be used to conduct a website attack; one of the most effective techniques is the watering hole attack. Which of the following statements is true about the watering hole attack?
Correct
The watering hole attack refers to initiating an attack against targeted businesses and organizations. It is the method of gaining access to a website that a lot of people visit and introduce infected software to it.
Incorrect
The watering hole attack refers to initiating an attack against targeted businesses and organizations. It is the method of gaining access to a website that a lot of people visit and introduce infected software to it.
-
Question 2 of 10
2. Question
Even though Bluetooth technology provides a lot of advantages, its security level is considerably low since it uses radio frequencies to transmit data. Hackers can easily acquire personal information by conducting a Bluetooth attack. Some of these attacks are bluejacking, bluesnarfing, and blue bugging. Which of the following sentences defines bluejacking?
Correct
Bluejacking involves an attacker sending data to a Bluetooth-enabled device without having to get through the pairing process, or perhaps the pairing happened without the receiver knowing about it. You could use a bluejacking attack to send an unsolicited message to a victim. This could be a spoof attack, where you send a message that appears to be from someone else to get the recipient to do something. This attack uses the Object Exchange (OBEX) protocol to move the message or picture from one device to another.
Incorrect
Bluejacking involves an attacker sending data to a Bluetooth-enabled device without having to get through the pairing process, or perhaps the pairing happened without the receiver knowing about it. You could use a bluejacking attack to send an unsolicited message to a victim. This could be a spoof attack, where you send a message that appears to be from someone else to get the recipient to do something. This attack uses the Object Exchange (OBEX) protocol to move the message or picture from one device to another.
-
Question 3 of 10
3. Question
Websites depend on databases to deliver the required information to visitors. If a web application is not secure, then your entire database of sensitive information is at serious risk of a web application attack. One of the most common web application attacks is the command injection attack. Which of the following statements best defines the command injection attack?
Correct
The command injection attack is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.
Incorrect
The command injection attack is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.
-
Question 4 of 10
4. Question
Application exploitation is commonly done with invalid input being sent into the application, and the application doesn’t validate the input. One of the ways to change the flow of execution of a program is by conducting the heap spraying attack. Which of the following statements is true about the heap spraying attack?
Correct
Heap spraying is a technique used to aid the exploitation of vulnerabilities in computer systems. It is called “spraying the heap” because it involves writing a series of bytes at various places in the heap. The goal of the attack is to ensure that the bytes can be accessed later as the vector of a separate attack. Heap spraying attacks are demonstrated using JavaScript, VBScript, and HTML5.
Incorrect
Heap spraying is a technique used to aid the exploitation of vulnerabilities in computer systems. It is called “spraying the heap” because it involves writing a series of bytes at various places in the heap. The goal of the attack is to ensure that the bytes can be accessed later as the vector of a separate attack. Heap spraying attacks are demonstrated using JavaScript, VBScript, and HTML5.
-
Question 5 of 10
5. Question
The attack life cycle helps businesses to detect and respond to threats early on to protect a network from large-scale impact. The earlier an attack is detected and mitigated, the less the ultimate cost to the business will be. Which of the following sentences describes the internal reconnaissance phase in the attack life cycle?
Correct
The internal reconnaissance phase is the fifth phase of the attack life cycle. In this phase, the attacker will get the lay of the land and identify other systems that they may be able to compromise.
Incorrect
The internal reconnaissance phase is the fifth phase of the attack life cycle. In this phase, the attacker will get the lay of the land and identify other systems that they may be able to compromise.
-
Question 6 of 10
6. Question
A block cipher is a symmetric cryptographic algorithm that operates on a fixed-size block of data using a shared, secret key. Plaintext is used during the encryption, and the resulting encrypted text is called a ciphertext. An example of a block cipher that uses a symmetric key is the Data Encryption Standard (DES). Which of the following statements is true about DES?
Correct
The Data Encryption Standard (DES) was approved in the 1970s based on a cipher named Lucifer from IBM. One of the problems with DES is that it only uses a 56-bit key. The block size used for DES was 64 bits, though the key is only 56 bits. That’s because 8 bits of the key are used for parity.
Incorrect
The Data Encryption Standard (DES) was approved in the 1970s based on a cipher named Lucifer from IBM. One of the problems with DES is that it only uses a 56-bit key. The block size used for DES was 64 bits, though the key is only 56 bits. That’s because 8 bits of the key are used for parity.
-
Question 7 of 10
7. Question
Asymmetric key cryptography uses two keys for encryption and decryption, one key is the public key and the other is the private key. The public key is used to encrypt messages that only the private key can decrypt. One common algorithm that uses the public key cryptography is the Rivest-Shamir-Adleman (RSA) algorithm. Which of the following sentences is true about RSA?
Correct
The Rivest-Shamir-Adleman (RSA) algorithm is an algorithm that uses a key based on a pair of very large prime numbers. The key sizes used by RSA are 1024 bits, 2048 bits, and 4096 bits.
Incorrect
The Rivest-Shamir-Adleman (RSA) algorithm is an algorithm that uses a key based on a pair of very large prime numbers. The key sizes used by RSA are 1024 bits, 2048 bits, and 4096 bits.
-
Question 8 of 10
8. Question
Public key encryption uses the public key to encrypt messages that only the private key can decrypt. The private key is the only key that needs to be protected in this scheme, which is fine because it is only needed to decrypt messages that have been sent using the corresponding public key. One approach that uses public-key cryptography is the Elliptic Curve Cryptography (ECC). Which of the following sentences best describes ECC?
Correct
Elliptic Curve Cryptography (ECC) generates security between pairs for public-key encryption by using the mathematics of elliptic curves. It has a smaller key size and has the ability to maintain security. ECC based its approach to public-key cryptographic systems on how elliptic curves are structured algebraically over finite fields. It is also considered to be the next-generation implementation of public-key cryptography and more secure than RSA.
Incorrect
Elliptic Curve Cryptography (ECC) generates security between pairs for public-key encryption by using the mathematics of elliptic curves. It has a smaller key size and has the ability to maintain security. ECC based its approach to public-key cryptographic systems on how elliptic curves are structured algebraically over finite fields. It is also considered to be the next-generation implementation of public-key cryptography and more secure than RSA.
-
Question 9 of 10
9. Question
Keys make cryptography work. It needs to be protected but doesn’t need to be stored beyond the sessions for which they are needed. It can be stored inside a data structure called a certificate. Which of the following statements best defines the certificate authority?
Correct
The certificate authority is a repository of certificates. It issues certificates to users, which means it collects information from the user and then generates the key to provide to the user. The certificate is stored in the authority and also provided to the user.
Incorrect
The certificate authority is a repository of certificates. It issues certificates to users, which means it collects information from the user and then generates the key to provide to the user. The certificate is stored in the authority and also provided to the user.
-
Question 10 of 10
10. Question
The certificate authority can revoke certificates due to various reasons, one of which is if a user is no longer associated with the organization that manages the authority. Revoked certificates are managed through the use of the Online Certificate Status Protocol (OCSP). Which of the following sentences best describes OCSP?
Correct
The Online Certificate Status Protocol (OCSP) was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in public key infrastructure (PKI). It is an internet protocol used for obtaining the revocation status of an X.509 digital certificate and is described in RFC 6960.
Incorrect
The Online Certificate Status Protocol (OCSP) was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in public key infrastructure (PKI). It is an internet protocol used for obtaining the revocation status of an X.509 digital certificate and is described in RFC 6960.