PART 1

Question 1:
If you have been contracted to perform an attack against a target system, you
are what type of hacker?
a- Gray hat
b- Black hat
c- Red hat
d- White hat

Explanation: A white hat hacker always has permission to perform pen testing against
a target system.

Question 2:
Which of the following best describes what a hacktivist does?
a- Defaces websites
b- Performs social engineering
c- Hacks with basic skills
d- Hacks for political reasons

Explanation: A hacktivist engages in mischief for political reasons.

Question 3:
Which of the following describes an attacker who goes after a target to draw
attention to a cause?
a- Hacktivist
b- Script Kiddie
c- Terrorist
d- Criminal

Explanation: A hacktivist is an individual or group that performs hacking and other
disruptive activities with the intention of drawing attention to a particular cause or
message.

Question 4:
What does TOE stand for?
a- Target of evaluation
b- Time of evaluation
c- Term of evaluation
d- Type of evaluation

Explanation: TOE stands for target of evaluation and represents the target (the
product or system) being tested.

Question 5:
Which of the following best describes a vulnerability?
a- A rootkit
b- A weakness
c- A worm
d- A virus

Explanation: A vulnerability is a weakness. Worms, viruses, and rootkits are forms of
malware.

Question 6:
What level of knowledge about hacking does a script kiddie have?
a- Low
b- High
c- Medium
d- Advanced

Explanation: Script kiddies have low or no knowledge of the hacking process but
should still be treated as dangerous.

Question 7:
Which of the following does an ethical hacker require to start evaluating a
system?
a- Permission
b- Nothing
c- Planning
d- Training

Explanation: An ethical hacker never performs their services against a target without
explicit permission of the owner of that system.

Question 8:
What separates a suicide hacker from other attackers?
a- A desire to be helpful
b- The intent to reform
c- A lack of fear of being caught
d- A disregard for the law

Explanation: Much like suicide bombers in the real world, suicide hackers do not worry
about getting caught; they are only concerned with their mission.

Question 9:
Companies may require a penetration test for which of the following reasons?
a- Legal reasons
b- To perform an audit
c- Regulatory reasons
d- All the above

Explanation: Penetration testing, also called pen testing or ethical hacking, is the
practice of testing a computer system, network or web application to find security
vulnerabilities that an attacker could exploit. It could be for any reason, such as
regulatory reasons, legal reasons, or a regular audit.

Question 10:
How is black-box testing performed?
a- With full knowledge
b- With no knowledge
c- By a black hat
d- With partial knowledge

Explanation: Black-box testing, also known as behavioral testing, is a software
testing method in which the internal structure/design/implementation of the item being
tested is not known to the tester.

PART 2

Question 1:
What device acts as an intermediary between an internal client and a web
resource?
a- Proxy
b- VTC
c- PBX
d- Router

Explanation: A proxy server is a dedicated computer or a software system running on
a computer that acts as an intermediary between an endpoint device, such as a
computer, and another server from which a user or client is requesting a service.

Question 2:
Which of the below kinds of machines do security teams often use for attracting
potential intruders?
a- Files pot
b- Honeypot
c- Data pot
d- Bastion host

Explanation: A honeypot is a machine/computer that can be used to draw in potential
intruders or attackers. A honeypot has intentionally low security permissions and is
useful in collecting intelligence about attackers and their tactics.

Question 3:
Which of the below utilities is a protocol analyzer with the ability to capture
packet traffic as it comes into the network (“in real time”)?
a- Wireshark
b- Netresident
c- Snort
d- NetWitness

Explanation: Wireshark is a protocol analyzer with the ability to capture packet traffic
as it comes into the network (“in real time”). It is free and open source, and will act as a
packet sniffer, capturing network traffic for purposes of troubleshooting, development
of software/communications protocols, analysis, and as a teaching tool. It was originally
called Ethereal. Wireshark will work on Windows, Mac, Linux, or Unix machines.

Question 4:
What is the proper sequence of the TCP three-way-handshake?
a- SYN-ACK.ACK.ACK
b- SYN-SYN,SYN-ACK,SYN
c- SYN,SYN-ACK,ACK
d- ACK,SYN-ACK,SYN

Explanation: Remember this three-way handshake sequence; you will see it quite a bit
in packet captures when sniffing the network. Being able to identify the handshake
process allows you to quickly find the beginning of a data transfer.

Question 5:
You want to access and pull password files from various websites. These
passwords are stored within the index directory of a website’s server. What
could you use from the below options that would allow you to do this?
a- Google
b- Whois
c- Nmap
d- Sam Spade

Explanation: Google hacking is a way to find and retrieve password files (which have
been indexed within a web server's directory) from specified websites. Search queries
on Google will potentially discover information from a web server's index directory.

Question 6:
In order to determine the end-time for DNS cache poisoning, which of the below
DNS records should you examine?
a- PTR
b- NS
c- SOA
d- MX

Explanation: A start of authority (SOA) record contains information about the DNS
zone on which it is stored and about other DNS records. A DNS zone is the area of a
domain that is within the responsibility of a specific DNS server. There is only one SOA
record for each DNS.

Question 7:
What port range is an obscure third-party application most likely to use?
a- 1 to 1024
b- 1025 to 32767
c- 32768 to 49151
d- 49152 to 65535

Explanation: Ports 49152 to 65535 are known as the dynamic ports and are used by
applications that are neither well known nor registered. The dynamic range is
essentially reserved for those applications that are not what we would consider
mainstream. Although obscure in terms of port usage, repeated showings of the same
obscure port during pen testing or assessment may be indicative of something strange
going on.

Question 8:
Phil needs to procure information related to a server with an IP address range
that is within the IP address range that is used in Brazil. There are many
registries available online for discovering the details of web server IP addresses,
or reverse Domain Name Service (DNS) lookup. Which of the below registries
will be most useful to him?
a- RIPE NCC
b- ARIN
c- APNIC
d- LACNIC

Explanation: Phil needs to obtain information about a web server situated in Brazil.
Registries are available throughout the world, most often broken up into geographic
locations. So the Latin American and Caribbean Internet Addresses Registry, or
LACNIC, is the Regional Internet Registry for the Latin American and Caribbean
regions and is therefore the best registry for doing a DNS lookup. LACNIC is one of
five (5) regional Internet registries available worldwide. Its chief purpose is to assign
and administer IP addresses for the region of Latin America and parts of the
Caribbean. The Réseaux IP Européens Network Coordination Centre, or RIPE NCC, is
the Regional Internet Registry (RIR) for Europe, the Middle East, and certain parts of
Central Asia. The Asia Pacific Network Information Centre (APNIC), the Regional Internet
Registry for the Asia Pacific region, assigns and administers numerical resource
allocation as well as registration services to support the global operation of the Internet.
The American Registry for Internet Numbers (ARIN) is the Regional Internet Registry
(RIR) for Canada, parts of the Caribbean, some North Atlantic islands, and the United
States.

Question 9:
Which attacks take advantage of the built-in code and scripts most off-the-shelf
applications come with?
a- Misconfiguration
b- OS attacks
c- Shrink-wrap
d- Bit-flipping

Explanation: Most software inevitably comes with built-in code and script
vulnerabilities, and attacks taking advantage of this are known as shrink-wrap attacks.

Question 10:
You have selected the option in your IDS to notify you via email if it senses any
network irregularities. Checking the logs, you notice a few incidents but you
didn’t receive any alerts. What protocol needs to be configured on the IDS?
a- NTP
b- SNMP
c- SMTP
d- POP3

Explanation: Simple Mail Transfer Protocol (SMTP) operates on port 25 and is used
for outgoing mail traffic. In this scenario, the IDS SMTP configuration needs to be
updated.

Question 11:
Wireshark will excel in which one of the below situations you might face as an
Ethical Hacker?
a- If you need to target networks utilizing repeaters/hubs
b- If your target is a Windows-based network
c- If your target is a Linux-based network
d- If you need to target networks using switches or so-called “full-duplex”
hubs (which are actually switches)

Explanation: When a device is a hub, it is convenient for capturing through Wireshark.
A hub based on switches will only transmit 'clean' packets, whereas a real hub will
simply act as a repeater with no verification of packets. Network hubs do not manage
network traffic. Therefore, each packet that enters a port is repeated on every other
port. A switch learns and maintains a table of MAC addresses. A switch does not
simply forward all packets to all other ports, but rather uses a bridge to determine
which packets are forwarded to which ports.

Question 12:
While running an nmap scan for filtered ports, you send an ACK flag and receive
a RST packet for open and closed ports. What kind of nmap scan did you run?
a- XMAS Scan -sX
b- TCP ACK scan -sA
c- Null Scan -sN
d- Fin Scan -sF

Explanation: The TCP ACK Scan will not discover open and closed ports; it will
determine whether or not a port is filtered or unfiltered. When an ACK flag is sent,
open/closed ports will return RST. Any ports that do not respond are considered
filtered. Conversely, with a NULL Scan, no flags are set on a packet. The target must
follow RFC 793, a TCP specification. If the port is open or filtered, it will receive no
response. If the port is closed, it will receive RST. In a FIN Scan, a FIN flag is set on a
packet. Again, the target must follow RFC 793. If a port is open or filtered, it will
receive no response; yet it will receive RST if a port is actually closed. In an XMAS Scan,
the FIN, URG, and PSH flags are set on a packet. The target must still follow RFC
793. It will receive no response if a port is open or filtered and will receive RST if a port
is closed.

Question 13:
If a device is using node MAC addresses to funnel traffic, what layer of the OSI
model is this device working in?
a- Layer 2
b- Layer 4
c- Layer 3
d- Layer 1

Explanation: A network device that uses MAC addresses for directing traffic resides on
Layer 2 of the OSI model. Devices that direct traffic via IP addresses, such as routers,
work at Layer 3.

Question 14:
Choosing a protective network appliance, you want a device that will inspect
packets at the most granular level possible while providing improved traffic
efficiency. What appliance would satisfy these requirements?
a- NAT-enabled router
b- Proxy firewall
c- Layer 3 switch
d- Application firewall

Explanation: A packet-filtering firewall operates at Layer 7 (and all layers) of the OSI
model and thus filters traffic at a highly granular level.

Question 15:
Which technology allows the use of a single public address to support many
internal clients while also preventing exposure of internal IP addresses to the
outside world?
a- NAT
b- Tunneling
c- VPN
d- NTP

Explanation: Network Address Translation (NAT) is a technology that funnels all
internal traffic through a single public connection. NAT is implemented for both cost
savings and network security.

Question 16:
Which nmap switch would you use to retrieve as many different protocols as
possible that are being used by a remote host?
a- nmap -sT
b- nmap -sO
c- nmap -vO
d- nmap -sS

Explanation: The nmap -sO switch is used to scan IPs. To search additional IP
protocols, you can utilize the IP protocol scan. Such protocols include ICMP, TCP, and
UDP. This scan will unearth uncommon IP protocols that could be active on a system.
Nmap will not allow you to combine the verbose and OS scanning options. It will
display the below error message: Invalid argument to -v: "O". The nmap -sT switch
performs a TCP full scan. The nmap -sS switch performs a TCP half scan. Here an attacker
will send a SYN packet to a target port.

Question 17:
Which port uses SSL to secure web traffic?
a- 25
b- 80
c- 23
d- 443

Explanation: Port 443 is used for HTTPS traffic, which is secured by SSL.

Question 18:
Based on the above information, which of the below tools is Luke using?
a- Sniffer
b- Nessus
c- Kismet
d- Nmap

Explanation: Nmap is an active data collection tool. The port-scanning ability of the
nmap utility can be used to identify the open ports on a Linux machine. Administrators
can employ this tool to discover which services are accessible to external users.

Question 19:
When a match for an alert rule is found in Snort, the intrusion detection system
carries out which of the below actions?
a- Continues to analyze the packet until each rule has been checked
b- Blocks a connection with the source IP address in the packet
c- Halts rule query, sends a network alert, and freezes the packet
d- Drops the packet and selects the next packet detection option

Explanation: Anonymizers are used to mask a user's web surfing. Anonymizers work
by removing all identifying information from a computer throughout the time the user is
surfing online. Internet users seeking privacy will use an anonymizer. Once they have
enabled online access anonymization, each link they open for the remainder of the
session will also be accessed anonymously, with no extra actions on the part of the
user. However, anonymizers do have limitations.

Question 20:
At which layer of the OSI model does a proxy operate?
a- Data Link
b- Application
c- Physical
d- Network

Explanation: Proxies operate at Layer 7, the Application layer of the OSI model.
Proxies are capable of filtering network traffic based on content such as keywords and
phrases. Because of this, a proxy digs down farther than a packet’s header and
reviews the data within the packet as well.

PART 3

Question 1:
What item is also referred to as a logical address to a computer system?
a- MAC address
b- IPX address
c- IP address
d- SMAC address

Explanation: An IP address is a logical address assigned at Layer 3 and can be
assigned to an IP-based system. The same IP address can be assigned to different
systems, albeit at different times, unlike MAC addresses.

Question 2:
A message digest is a product of which kind of algorithm?
a- Asymmetric
b- Hashing
c- Symmetric
d- Steganography

Explanation: A message digest is a product of a hashing algorithm, which may also be
called a message digest function.

Question 3:
What kind of physical access device restricts access to a single individual at
any one time?
a- Checkpoint
b- Security zones
c- Mantrap
d- Perimeter security

Explanation: Mantraps are phone booth–sized devices designed to prevent activities
such as piggybacking and tailgating.

Question 4:
Which of the following is commonly used to create thumbprints for digital
certificates?
a- SHA8
b- SHA12
c- MD7
d- MD5

Explanation: MD5 is a hashing algorithm that creates a fixed-length output, referred to
as a hash or message digest. In the PKI world, SHA and MD5 are the most popular
mechanisms for creating thumbprints for digital certificates.

Question 5:
You want to establish a network connection between two LANs using the
Internet. Which technology would best accomplish that for you?
a- L2TP
b- SLIP
c- IPSec
d- PPP

Explanation: Layer 2 Tunneling Protocol (L2TP) is a VPN technology used to establish
secure connections over an insecure medium such as the Internet.

Question 6:
In the key recovery process, which key must be recoverable?
a- Previous key
b- Secret Key
c- Rollover key
d- Escrow Key

Explanation: The escrow key is a key held by a third party used to perform
cryptographic operations.

Question 7:
IPsec uses which two modes?
a- EH/ASP
b- AES/ESP
c- AH/ESP
d- AES/DES

Explanation: IPsec uses two modes: Authentication Header (AH) and Encapsulating
Security Payload (ESP). Both modes offer protection to data but do so in different
ways.

Question 8:
Which of the following would provide additional security to an Internet web
server?
a- Changing the default port for traffic to 161
b- Changing the default port for traffic to 1019
c- Changing the default port for traffic to 443
d- Changing the default port for traffic to 80

Explanation: Changing the default port for web server traffic to 443 would mean that all
traffic to and from the web server would be encrypted using SSL.

Question 9:
What is the focus of a security audit or vulnerability assessment?
a- Enacting threats
b- Locating threats
c- Locating vulnerabilities
d- Exploiting vulnerabilities

Explanation: A vulnerability assessment is focused on uncovering vulnerabilities or
weaknesses in an environment but by definition does not exploit those vulnerabilities.

Question 10:
Which of the following manages digital certificates?
a- Hub
b- Public Key
c- Certificate authority
d- Key

Explanation: A certificate authority is responsible for issuing and managing digital
certificates as well as keys.

Question 11:
An individual presents herself at your office claiming to be a service technician.
She is attempting to discuss technical details of your environment such as
applications, hardware, and personnel used to manage it. This may be an
example of what type of attack?
a- Social engineering
b- Access control
c- Perimeter screening
d- Behavioral engineering

Explanation: In a case like this, an individual showing up and asking to discuss
intimate details of an environment may be attempting to obtain information for an
attack.

Question 12:
In IPsec, what does Encapsulating Security Payload (ESP) provide?
a- Header security
b- Integrity
c- Authentication services
d- Data security

Explanation: Data security services are provided by ESP.

Question 13:
At what point can SSL be used to protect data?
a- On a hard drive
b- During transmission
c- On Bluetooth
d- On a flash drive

Explanation: Data can be protected using SSL during transmission. If data is being
stored on a hard drive or flash drive, SSL is not effective at providing cryptographic
services.

Question 14:
Which of the following best describes hashing?
a- Cipher
b- Nonreversible
c- A cryptosystem
d- An algorithm

Explanation: Hashing is referred to as a cipher or algorithm or even a cryptosystem,
but it can be uniquely referred to as a nonreversible mechanism for verifying the
integrity of data. Remember that hashing doesn’t enforce confidentiality.

Question 15:
Who first developed SSL?
a- Sun
b- Netscape
c- Oracle
d- Microsoft

Explanation: Netscape originally developed SSL, but since its introduction the
technology has spread to become a standard supported by many clients such as
email, web browsers, VPNs, and other systems.

Question 16:
Symmetric cryptography is also known as __________.
a- Shared key cryptography
b- Hashing
c- Steganography
d- Public key cryptography

Explanation: Symmetric cryptography is also known as shared key cryptography.

Question 17:
Asymmetric encryption is also referred to as which of the following?
a- Shared key
b- Public Key
c- Hashing
d- Block

Explanation: Asymmetric encryption uses two separate keys and is referred to as
public key cryptography. Symmetric algorithms use only one key that is used by both
the sender and receiver.

Question 18:
How many bits are in an IPv6 address?
a- 256
b- 32
c- 64
d- 128

Explanation: An IPv6 address has 128 bits as opposed to IPv4, which has only 32 bits.
This increased number of bits allows for the generation of many more IP addresses
than is possible with IPv4.

Question 19:
Which of the following does IPsec use?
a- PKI
b- DES
c- AES
d- SSL

Explanation: PKI is used with IPsec to allow it to function in environments of any size.
IPsec is also capable of using Preshared Key if desired by the system owner.

Question 20:
A user has just reported that he downloaded a file from a prospective client
using IM. The user indicates that the file was called account.doc. The system has
been behaving unusually since he downloaded the file. What is the most likely
event that occurred?
a- The system is unstable due to the use of IM
b- Your user may have downloaded a rootkit
c- Your user may have accidentally changed a setting on the system
d- Your user inadvertently downloaded a macro virus using IM

Explanation: The file is a Microsoft Word file and as such can have VBA macros
embedded into it that can be used to deliver macro viruses.
