CEH Interview Questions and Answers
Ques 1. What is phishing?
Phishing is the practice of sending email messages to a group of recipients that are crafted to look as if they come from a legitimate sender. The message usually contains a link or an attachment, and the goal is to trick the recipient into believing the message is something they want so that they click the link, open the attachment, or enter their credentials on a page the attacker controls.
Ques 2. Which attack method can be used to compromise the system in a way to allow later remote access?
Backdoors. A backdoor is planted on a compromised system so that the attacker can regain remote access later without repeating the original exploit or passing through normal authentication.
Ques 3. What is a captcha?
A captcha (CAPTCHA) is a challenge used on websites to determine whether the user is a human rather than an automated script. The protection works by forcing the user to complete a task that is easy for a person and hard for a bot, such as typing the letters or numbers shown in a distorted picture or spoken in an audio clip.
Ques 4. What is the purpose of a Denial of Service attack?
The purpose of a Denial of Service (DoS) attack is to make a system or service unavailable to its legitimate users, typically by overloading it with more traffic or requests than it can handle so that it is no longer operational.
Ques 5. Which key is used to decrypt the message in PKI?
A public key infrastructure (PKI) uses key pairs: a message encrypted with the recipient's public key can only be decrypted with the matching private key, which only the recipient holds. For digital signatures the roles are reversed: the sender signs with the private key and anyone can verify the signature with the public key.
Ques 6. What is PGP used for?
Pretty Good Privacy (PGP) is used to sign, encrypt and decrypt email messages and files. It provides confidentiality (encryption), sender authentication and message integrity (digital signatures), increasing the security of email communications. The OpenPGP standard it defined is implemented by tools such as GnuPG.
Ques 7. What are the types of hackers based on their motive and legality of actions?
There are 3 types of hackers based on their motive and the legality of their actions:
White Hat hackers are also known as ethical hackers and never intend to harm the system. They have permission to perform hacking and never share information about a client with anyone other than that client.
Black Hat hackers carry out malicious activities, and their actions typically fall outside the law.
Grey Hat hackers are a blend of both white hat and black hat, so they cross into both offensive and defensive actions at different times, often without authorization.
Ques 8. What are the types of scanning?
Scanning is a critical component of information gathering. It allows the attacker to build a profile of the target organization's systems and the services they expose. Types of scanning include:
Port scanning
Vulnerability scanning
Network scanning
Ques 9. Explain MAC address spoofing?
MAC address spoofing is a technique in which an attacker changes their MAC address to that of a machine that is already on the network. It is typically used to bypass port security on switches or MAC-address filtering, where the network administrator has allowed only specific MAC addresses on a port.
Ques 10. Explain what is brute force attack and which tool can be used for this attack?
Brute force is a password-cracking technique that involves systematically guessing usernames and passwords until a valid combination grants unauthorized access to a system. Hydra (THC-Hydra) is a tool commonly used for online brute-force attacks: it quickly runs through a large number of username/password combinations against network services such as SSH, FTP or web login forms. Account lockout, rate limiting, strong password policies and multi-factor authentication are the usual countermeasures.
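To make concrete what "running through a large number of password combinations" costs, here is an added example that is not part of the original page and not Hydra's code: an offline brute-force search over a small character set against an unsalted SHA-256 password hash, plus the keyspace calculation that decides how long such an attack takes. The victim password, charset and wordlist are constructed for the demonstration. Hydra does the same enumeration online against a network service, where every guess costs a round trip and can be rate-limited or locked out.

```python
import hashlib
import itertools
import string


def sha256_hex(text):
    """Unsalted SHA-256 of a password: the weak storage format this demo attacks."""
    return hashlib.sha256(text.encode()).hexdigest()


def keyspace(charset_size, max_len):
    """Number of candidate passwords of length 1..max_len over a charset."""
    return sum(charset_size ** length for length in range(1, max_len + 1))


def brute_force(target_hash, charset, max_len):
    """Enumerate every string of length 1..max_len over charset and hash it.

    Returns (password, attempts) on success or (None, attempts) when the
    keyspace is exhausted. The attempt count is what a defender compares
    against lockout thresholds and per-guess hashing cost.
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            guess = "".join(combo)
            if sha256_hex(guess) == target_hash:
                return guess, attempts
    return None, attempts


def dictionary_attack(target_hash, wordlist):
    """Try candidates from a wordlist first; far cheaper than brute force when
    the password is a common word or a simple variation of one."""
    for attempts, word in enumerate(wordlist, start=1):
        if sha256_hex(word) == target_hash:
            return word, attempts
    return None, len(wordlist)


if __name__ == "__main__":
    charset = string.ascii_lowercase + string.digits   # 36 symbols
    target = sha256_hex("ab7")                          # constructed victim password
    print("keyspace up to 3 chars:", keyspace(len(charset), 3))
    print("brute force:", brute_force(target, charset, 3))
    print("dictionary:", dictionary_attack(target, ["password", "letmein", "ab7"]))
```

Each extra character multiplies the keyspace by the charset size, which is why length matters more than complexity rules, and why a slow, salted password hash (bcrypt, scrypt, Argon2) rather than plain SHA-256 is what makes this enumeration impractical offline.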
Ques 11. What is the most common form of DoS attack?
Denial of service (DoS) is an attack that aims to prevent normal communication with a resource, either by disabling the resource itself or by disabling the device that provides connectivity to it. The most common form is a flood: the attacker sends so much traffic that the victim's resources (bandwidth, connection tables, CPU) are overwhelmed and it can no longer handle legitimate requests. When the flood comes from many sources at once it is a distributed DoS (DDoS).
Ques 12. How you can prevent against Cross Site Request Forgery (CSRF) attack?
Cross-site request forgery is an attack that entices a victim's browser into submitting a request chosen by the attacker (for example a funds transfer or a password change) to a site where the victim is already authenticated, so the site performs the action as that user. To prevent CSRF, include an unpredictable anti-CSRF token in every state-changing request and bind it to the user's session; the server rejects any request whose token does not match. The token must be generated with a cryptographically secure random generator so it cannot be guessed or derived from a predictable pattern. Setting the SameSite attribute on the session cookie and checking the Origin/Referer header are common additional defences.
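The synchronizer-token defence described above, as an added example that is not part of the original page and not any framework's code: a session store, form rendering and a request handler are stripped down to plain functions (the in-memory SESSIONS dictionary and the /transfer form are constructed for the demo). The point it shows is why the token works: the browser attaches the session cookie to a forged request automatically, but the attacker's page can never read the token out of the victim's form.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for a real server-side store.
SESSIONS = {}


def new_session():
    """Create a logged-in session and bind a fresh, unpredictable CSRF token to it."""
    session_id = secrets.token_urlsafe(32)          # CSPRNG, 256 bits of entropy
    SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
    return session_id


def csrf_token_for(session_id):
    """The token the server embeds in forms rendered for this session."""
    return SESSIONS[session_id]["csrf_token"]


def render_transfer_form(session_id):
    """The token rides in the page body, which a cross-site page cannot read
    (same-origin policy), unlike the session cookie that the browser attaches
    to any request on its own."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{csrf_token_for(session_id)}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(session_cookie, form):
    """Server side: refuse any state-changing POST whose token does not match
    the one bound to the session. Returns (status, message)."""
    session = SESSIONS.get(session_cookie)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte
    # from response timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form.get('amount', '0')}"


if __name__ == "__main__":
    sid = new_session()
    print(render_transfer_form(sid))
    # Legitimate submission from the rendered form.
    print(handle_transfer(sid, {"csrf_token": csrf_token_for(sid), "amount": "10"}))
    # Forged request from an attacker's page: the browser attaches the cookie,
    # but the attacker never saw the token, so the request is refused.
    print(handle_transfer(sid, {"amount": "10000"}))
```

A token from a different session is also rejected, which is what binding the token to the session buys: a token the attacker obtained from their own account is useless against the victim.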
Ques 13. What is IPsec and why is it used for?
Internet Protocol Security (IPsec) is a suite of protocols (chiefly AH and ESP, with IKE for key exchange) designed to protect the integrity, authenticity and confidentiality of data sent over an Internet Protocol network. These protocols operate at the Network layer (layer 3) of the Open Systems Interconnection model (OSI model) and process packets according to a predefined security policy, so applications need no changes. IPsec is widely used to build virtual private networks (VPNs), both site-to-site and remote access.
Ques 14. How to avoid Man-in-the-middle attacks?
The main defence against Man-in-the-middle attacks is to use SSL/TLS (HTTPS) and to verify the server certificate: the client checks that the certificate chains to a trusted certificate authority and matches the host name, which is what stops an interposed attacker from impersonating the server. TLS relies on the PKI framework for this, so it only helps if certificate validation is not disabled and the trust store has not been tampered with; certificate pinning and HSTS add further protection. On the local network, dynamic ARP inspection, DHCP snooping or static ARP entries counter the ARP spoofing that attackers commonly use to place themselves in the middle.
Ques 15. Define ransomware and explain countermeasure for protection?
Ransomware is malware designed to encrypt files on a target system. Once it runs it locates the victim's data files, encrypts them and demands a payment (usually in cryptocurrency) in exchange for the decryption key. Keeping offline, regularly tested backups of data is the best countermeasure, together with patching, least privilege and email filtering to block the initial infection.
Ques 16. According to OWASP top 10 security risks what is the most dangerous web vulnerability?
The OWASP Top 10 application security risks list of 2017 puts Injection (SQL, LDAP, NoSQL, OS command) in first place. In the 2021 edition Broken Access Control moved to first place and Injection dropped to third, but it remains one of the most dangerous web vulnerabilities because a single injection can give an attacker full read and write access to the back-end data store.
Ques 17. What is footprinting?
Footprinting is the first phase of the ethical hacking process. In this phase the main goal is to collect as much information as possible about the target organization and its network (domain names, IP ranges, employees, email formats, technologies in use), mostly from public sources, before any active probing begins.
Ques 18. What is a sniffing attack?
Sniffing is a process used by attackers to monitor and capture network packets with sniffing tools such as Wireshark or tcpdump. It can be performed at the network level (on a mirrored switch port, or after ARP spoofing on a switched LAN) or on a host, so any packet carrying information in plain text can be intercepted and read. That information may include usernames, passwords, session cookies or other secrets, which is why encrypted protocols (TLS, SSH) are the main countermeasure.
Ques 19. What is the difference between passive and active reconnaissance?
Passive reconnaissance is a method of gaining information about the targeted networks and hosts without actively interacting with their systems (public records, search engines, DNS and WHOIS data, social media). Because the target receives no traffic from the attacker, detection is avoided.
In active reconnaissance, on the other hand, the attacker interacts directly with the target systems, typically running port scans to find open ports and services, which can be logged and detected.
Ques 20. What is enumeration?
Enumeration is the process of extracting information from a target system to determine more details about it, such as usernames, computer names, shared files, running services and their versions. In this phase the attacker initiates active connections to the target (for example SMB, SNMP, LDAP or NetBIOS queries) to gather this information, so the chances of getting caught are much greater than during reconnaissance.
Ques 21. What is the difference between asymmetric and symmetric encryption?
Asymmetric encryption uses a key pair: a public key for encryption and a matching private key for decryption (or the private key to sign and the public key to verify). Symmetric encryption uses the same secret key for both encryption and decryption.
Asymmetric encryption is much slower and handles only small messages, but it solves key distribution because the public key can be shared openly. Symmetric encryption is much faster, but both parties must already share the secret key, which has to be exchanged over a secure channel. In practice the two are combined (hybrid encryption, as in TLS and PGP): asymmetric cryptography protects the exchange of a session key, and symmetric encryption protects the bulk data.
Ques 22. What is a firewall?
Generally, a firewall is a network security device (or software) that allows or blocks traffic according to a predefined set of rules. Its main purpose is to filter traffic between two networks, establishing a barrier between a secured, controlled internal network that can be trusted and untrusted outside networks such as the Internet. Modern firewalls are stateful (they track connections rather than judging each packet alone) and may also inspect application-layer content.
Ques 23. What is the difference between worm and virus?
A worm is a type of malicious program that replicates functional copies of itself and does not require a host program or human help to propagate.
A virus is a type of malicious program that spreads by copying itself into other programs or parts of the operating system and runs when the infected host program runs.
The difference between computer viruses and worms is therefore that a virus needs an active host program (or the operating system) to be executed in order to run and spread, whereas a worm is a stand-alone program that replicates and propagates across computer networks on its own, typically by exploiting a vulnerability in a network service.
Ques 24. What is Keylogger and Keylogger Trojan?
A keylogger is a hardware device or a piece of software that records what is entered via the keyboard. A keylogger Trojan is malware that captures the keystrokes, logs them to a file and sends them off to a remote attacker, typically to harvest passwords and other credentials.
Ques 25. What is NULL Scan?
A Null Scan is a type of TCP scan used to identify listening TCP ports. The attacker sends TCP segments to the target with no flags set. The target's response depends on whether the port is open or closed:
• The result of a Null Scan on an open port is no response (an RFC 793-compliant stack silently drops the segment)
• The target sends an RST packet in response if the port is closed
Ques 26. Explain Black box testing?
In Black box testing the pen tester has little or no knowledge of the target. This simulates the situation of an actual attacker, who starts with an extremely low level of knowledge of the target and no knowledge of its internal workings.
Ques 27. What is TCP SYN message in three-way handshake?
TCP SYN is the first message of the three-way handshake: the client sends a segment with the SYN flag set (carrying its initial sequence number) to begin TCP connection establishment and negotiation. The server replies with SYN-ACK, and the client completes the handshake with ACK; only then is the connection established.
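The flag combinations behind Ques 25 and Ques 27, worked through in code as an added example that is not part of the original page and not nmap's or Snort's code: a minimal TCP header builder and parser, a classifier that labels a probe the way a scan detector would, and a model of how an RFC 793-compliant stack answers each probe for an open and a closed port. The probes are constructed in memory; nothing is sent on the wire.

```python
import struct

# TCP flag bits, the low six bits of the flags field (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def build_tcp_segment(src_port, dst_port, flags, seq=0, ack=0):
    """Construct a minimal 20-byte TCP header with no options. Checksum is left
    0 (a real stack fills it in); data offset 5 means five 32-bit words."""
    offset_and_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, 65535, 0, 0)


def parse_tcp_header(segment):
    """Return (src_port, dst_port, flags) from the fixed part of a TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src_port, dst_port, _seq, _ack, offset_and_flags = struct.unpack("!HHIIH", segment[:14])
    return src_port, dst_port, offset_and_flags & 0x3F


def flag_string(flags):
    return "|".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"


def classify_probe(flags):
    """Label a segment by its flag combination, as a scan detector would."""
    if flags == 0:
        return "NULL scan"
    if flags == FIN:
        return "FIN scan"
    if flags == FIN | PSH | URG:
        return "Xmas scan"
    if flags == SYN:
        return "SYN (handshake step 1 / half-open scan)"
    if flags == SYN | ACK:
        return "SYN-ACK (handshake step 2)"
    if flags & RST:
        return "RST"
    return "other"


def rfc793_response(probe_flags, port_open):
    """Flags an RFC 793-compliant stack sends back to a probe, or None for
    silence. This asymmetry is what NULL/FIN/Xmas scans exploit: closed ports
    answer RST, open ports say nothing."""
    if probe_flags & RST:
        return None                             # RST segments are never answered
    if probe_flags == SYN:
        return SYN | ACK if port_open else RST | ACK
    if probe_flags & ACK:
        return RST                              # unsolicited ACK: RST in both states
    # No SYN, ACK or RST (NULL, FIN, Xmas): dropped if open, RST if closed.
    return None if port_open else RST | ACK


if __name__ == "__main__":
    # Constructed probes: a NULL scan of an open and a closed port, a SYN to port 22.
    for segment, is_open in ((build_tcp_segment(40000, 80, 0), True),
                             (build_tcp_segment(40000, 81, 0), False),
                             (build_tcp_segment(40001, 22, SYN), True)):
        src, dst, flags = parse_tcp_header(segment)
        reply = rfc793_response(flags, is_open)
        print(f"{src}->{dst} [{flag_string(flags)}] {classify_probe(flags)}: "
              f"reply {flag_string(reply) if reply is not None else 'none'}")
```

The model is the RFC behaviour; Windows and some other stacks reply RST to a NULL probe regardless of port state, so a NULL scan against them reports every port as closed, while a firewall that silently drops probes makes open and filtered ports indistinguishable.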
Ques 28. What is Open-source intelligence (OSINT)?
Open-source intelligence (OSINT) is a vital part of the intelligence-gathering process: the collection and analysis of information gathered from publicly available sources (websites, social media, DNS and WHOIS records, public documents, job postings, code repositories). It is cheap and passive, so it does not alert the target; the drawback is that the information may be incomplete or somewhat out of date.
Ques 29. What is Maltego?
Maltego is a tool that allows analysts and pen testers to visualize information. Free and paid versions are available at www.paterva.com, and it runs on Windows, Mac OS and Linux. Maltego shows the relationships between pieces of data (domains, IP addresses, people, email addresses) as linked graphs, using link analysis to reveal connections that are hard to see in raw lists.
Ques 30. What is Snort?
Snort is an open source tool that can perform network intrusion detection and intrusion prevention. It does real-time protocol analysis and content matching against a rule set and can be used to detect a variety of attacks and probes, such as port scans and buffer overflow attempts. It runs on Windows and Linux.
Ques 31. What is the difference between hashing and encryption?
There are two main differences between hashing and encryption:
The first is that encryption is a reversible process (a two-way function: anyone with the key can recover the plaintext), while hashing is irreversible (a one-way function that produces a fixed-length digest from which the input cannot be recovered).
The second is that encryption ensures the confidentiality of the encrypted data, while hashing ensures the integrity of the hashed data (and, combined with a salt and a deliberately slow algorithm, is used to store passwords).
Ques 32. Explain the cyber kill chain process?
The cyber kill chain (a model published by Lockheed Martin) describes an intrusion as a series of steps, from the early reconnaissance stage to the exfiltration of data. It can also be used as a management tool to improve network defence, since breaking any single step stops the attack. Each step corresponds to a certain type of activity:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control
- Actions on Objective
Ques 33. Explain DNS spoofing?
DNS spoofing, or DNS cache poisoning, is a technique in which forged DNS records are inserted into a resolver's cache (or DNS responses are forged on the network) so that a legitimate host name resolves to an attacker-controlled IP address. Users who type the legitimate name are redirected to a fraudulent website that resembles the intended destination, where credentials can be harvested or malware served. DNSSEC, and resolvers that randomize source ports and transaction IDs, are the main countermeasures.
Ques 34. What is hash collision attack in cryptography?
A hash collision attack is a technique in which an attacker finds two different inputs to a hash function that produce the same hash value. A hash function accepts inputs of arbitrary length but produces an output of fixed length, so by the pigeonhole principle collisions must exist; a secure hash makes them infeasible to find (the birthday bound means roughly 2^(n/2) work for an n-bit output), whereas a broken one such as MD5 or SHA-1 lets attackers construct them deliberately. A collision can then be exploited in any software that treats equal hashes as proof that two files, certificates or messages are the same.
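The birthday search and the kind of check it defeats, as an added example that is not part of the original page: SHA-256 is truncated to a short output to stand in for a weak or short hash (truncation is a common real-world mistake), a birthday attack finds two inputs with the same truncated digest in roughly 2^(bits/2) hashes instead of 2^bits, and a deduplication check that trusts the short hash as identity (the same_document function, constructed for the demo) is shown being fooled. All inputs are generated in memory.

```python
import hashlib


def truncated_hash(data, bits):
    """SHA-256 truncated to `bits` bits, returned as an int. The truncation stands
    in for any hash whose output is too short to resist a birthday search."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits, prefix=b"msg-"):
    """Birthday attack: hash distinct inputs and remember every digest until one
    repeats. Expected work is about 2**(bits/2) hashes, not 2**bits.
    Returns (input_a, input_b, hashes_computed)."""
    seen = {}
    counter = 0
    while True:
        candidate = prefix + str(counter).encode()
        h = truncated_hash(candidate, bits)
        counter += 1
        if h in seen:
            return seen[h], candidate, counter
        seen[h] = candidate


def same_document(a, b, bits=32):
    """A flawed deduplication check that trusts a short hash as identity.
    Two colliding inputs make it report unrelated content as identical."""
    return truncated_hash(a, bits) == truncated_hash(b, bits)


if __name__ == "__main__":
    bits = 32
    a, b, work = find_collision(bits)
    print(f"{bits}-bit collision after {work} hashes (birthday bound ~{2 ** (bits // 2)}):")
    print(a, b, hex(truncated_hash(a, bits)), hex(truncated_hash(b, bits)))
    print("full SHA-256 differs:", hashlib.sha256(a).digest() != hashlib.sha256(b).digest())
    print("same_document fooled:", same_document(a, b, bits))
```

Doubling the output length squares the attacker's work: 32 bits fall in well under a second, while the full 256-bit digest would need on the order of 2^128 hashes, which is why truncating a hash to "save space" silently removes its collision resistance.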
Ques 35. What are WPA and WPA2?
Wi-Fi Protected Access (WPA) is a security protocol for wireless networks that uses the Temporal Key Integrity Protocol (TKIP), a stop-gap built on the same RC4 cipher as the broken WEP it replaced.
WPA2 is the successor to WPA and was intended to address the weaknesses of WPA and TKIP. It is much stronger and uses AES encryption in CCMP mode. Both are superseded by WPA3, but WPA2 with a strong passphrase (or 802.1X/EAP in enterprise mode) is still the common baseline.
Ques 36. What is Kismet?
Kismet is a popular wireless sniffing and detection tool designed primarily for the Linux operating system. It is available at www.kismetwireless.net and works as a network detector, packet sniffer and intrusion detection system for 802.11 wireless LANs, passively discovering networks (including hidden SSIDs) without associating to them.
Ques 37. Write an OpenSSL command that will check the TLS/SSL configuration of the website www.test.com
openssl s_client -connect www.test.com:443
This opens a TLS connection and prints the server certificate chain, the negotiated protocol version and cipher suite, and the certificate verification result. Add -servername www.test.com so the server presents the right certificate when it hosts several names (SNI), and -showcerts to print the full chain.
Ques 38. Explain buffer overflow?
A buffer overflow is a flaw in a program's code: while writing data to a buffer, the program overruns the buffer's boundary and overwrites adjacent memory locations. Once that happens, further input written past the buffer can corrupt neighbouring variables, saved return addresses or heap metadata, with consequences ranging from crashes (a denial of service) to arbitrary code execution.
Exploiting a buffer overflow means sending crafted input that overflows the buffer and overwrites control data such as a saved return address, so that execution is redirected to attacker-supplied shellcode or to existing code of the attacker's choosing. Bounds checking, safe string functions, stack canaries, DEP/NX and ASLR are the standard mitigations.
Ques 39. How many antivirus programs should be installed on a single system at the same time?
Only one antivirus program should be installed on a single system at the same time. Two or more antivirus products slow the computer down, and it is also possible that they identify each other's components as malware or compete for the same file-system hooks. This leads to conflicts and errors that make the antivirus protection less effective.
Ques 40. User wants to send secret message by hiding it within jpeg image. What technique is used in this scenario?
Steganography is the practice of concealing information inside other information, making its very existence difficult to detect. In this scenario the message is embedded in the JPEG image, for example by altering the least significant bits of the image data so the picture looks unchanged to a viewer.
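The least-significant-bit embedding just described, as an added example that is not part of the original page and not any steganography tool's code: a message is hidden in the lowest bit of successive bytes of a carrier, with a 4-byte length header so the extractor knows where the message ends. The carrier is a constructed byte string standing in for the raw 8-bit pixel samples of an uncompressed image; for a real JPEG, tools embed in the DCT coefficients instead, because recompression would destroy pixel-level LSB changes.

```python
def _to_bits(data):
    """Most-significant bit first, one int per bit."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def embed_lsb(carrier, message):
    """Hide message bytes in the least-significant bit of successive carrier bytes.
    A 4-byte big-endian length header lets the extractor know where to stop."""
    payload = len(message).to_bytes(4, "big") + message
    bits = _to_bits(payload)
    if len(bits) > len(carrier):
        raise ValueError(f"carrier holds {len(carrier) // 8} bytes, need {len(payload)}")
    stego = bytearray(carrier)
    for index, bit in enumerate(bits):
        stego[index] = (stego[index] & 0xFE) | bit   # replace only the lowest bit
    return bytes(stego)


def extract_lsb(stego):
    """Recover the hidden message: read LSBs, rebuild the length, then the bytes."""
    def read_bytes(bit_offset, count):
        out = bytearray()
        for byte_index in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[bit_offset + byte_index * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_byte_change(original, modified):
    """How visible is the change? LSB embedding alters each sample by at most 1."""
    return max(abs(a - b) for a, b in zip(original, modified))


if __name__ == "__main__":
    # Constructed carrier: a gradient standing in for 1024 8-bit pixel samples.
    carrier = bytes(i % 256 for i in range(1024))
    stego = embed_lsb(carrier, b"meet at 09:00")
    print(extract_lsb(stego))
    print("max per-sample change:", max_byte_change(carrier, stego))
    print("samples altered:", sum(a != b for a, b in zip(carrier, stego)))
```

A change of at most 1 in 256 per sample is invisible to the eye, but it is not undetectable: the LSB plane of natural images has statistical structure that embedding destroys, which is what steganalysis tools look for, and any lossy recompression of the carrier erases the message.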
Ques 41. Hacker sends a legitimate looking email message asking users to update their information on the company’s website. URL in the email point to a false website. What technique is used in this scenario?
This is a phishing attack: the process of sending email messages to a group of email addresses and making the message look legitimate. In this scenario the attacker uses email messages containing a URL link to a false website that imitates the company's site and captures whatever the users enter there.
Ques 42. Assume that website testwebsite.com may contain sensitive information about username and passwords in pdf files. What query input will help you to search that files using Google as a search engine?
site:testwebsite.com filetype:pdf username password
site:site_name restricts the search results to the site or domain you specify; filetype:suffix restricts the results to documents whose names end in that suffix; the remaining words are searched inside the document content. This technique is known as Google hacking or Google dorking.
Ques 43. What is the purpose of a DMZ on a network?
A DMZ (demilitarized zone) is a network zone between the public network and the internal network that is used to host services a company wishes to make publicly available (web, mail, DNS) without allowing direct access to its internal network. Hosts in the DMZ have only limited, explicitly allowed connectivity to the internal network, because systems exposed to the Internet are more likely to be compromised and must not become a stepping stone inside.
Ques 44. User with computer IP address 10.10.10.10 fails to access web server at IP address 10.10.10.100. You decide to run wireshark in client computer to check if the messages are going to the web server. What wireshark filter will show the connections from the client computer to web server?
The filter needs to match packets whose destination is the web server's IP address and whose destination port is the HTTP port (80):
tcp.dstport==80 && ip.dst==10.10.10.100
If the client's SYN packets appear but no SYN-ACK ever comes back, widen the filter to both directions with ip.addr==10.10.10.100 && tcp.port==80 to confirm whether the server (or a firewall in between) is answering.
Ques 45. An administrator needs to permit HTTP traffic for the host 10.100.0.2 and UDP traffic for the host 10.100.0.3. He also needs to permit all HTTPS traffic to the rest of the network and deny all other traffic. What should be changed in the following configuration in order to achieve this?
access-list 102 deny tcp any any
access-list 105 permit udp host 10.100.0.3 any
access-list 120 permit tcp host 10.100.0.2 eq http any
access-list 108 permit tcp any eq 443 any
The entries of an access list are evaluated top-down and the first match wins, so the rule access-list 102 deny tcp any any matches every TCP packet before any permit is reached and blocks all TCP traffic. The deny statement must come last (or be removed altogether, since every Cisco ACL ends with an implicit deny), with the permit statements placed above it. Note also that the entries above use four different list numbers, so as written they are four separate ACLs; to act as one policy they must share a single number and that ACL must be applied to the interface. Finally, for traffic going to a host or to port 443 the port qualifier belongs on the destination side, e.g. permit tcp any host 10.100.0.2 eq 80 and permit tcp any any eq 443.
Ques 46. Explain SQL injection attack and which method can be used to reduce the risk of falling victim to a SQL injection attack?
A SQL injection attack makes it possible to execute malicious SQL statements on the database server behind a web application. The attacker supplies input (a form field, URL parameter, cookie or header) that the application concatenates into a SQL query without proper handling, so the input is interpreted as SQL code rather than as data. Depending on the database account's privileges the attacker can then read, add, modify or delete records, bypass authentication and, with some databases, read files or execute commands on the server.
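The mechanism described above, together with the escaping and parameterized-query defences, as an added example that is not part of the original page: a login check written three ways against a constructed in-memory SQLite users table (Python's bundled sqlite3 module, so it runs offline). Two classic payloads, a tautology in the password field and a comment that truncates the WHERE clause, bypass the concatenated query, while the parameterized version treats the same text as plain data.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """Builds the statement by string concatenation: whatever the user typed
    becomes part of the SQL text, so quotes and comments change its meaning."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone()[0] > 0


def login_escaped(db, username, password):
    """Escaping quotes blocks the payloads below but is a fragile fallback: it
    must be applied to every input, for every SQL context, for every DBMS."""
    return login_vulnerable(db, username.replace("'", "''"), password.replace("'", "''"))


def login_safe(db, username, password):
    """Parameterized query: SQL text and values travel separately, so the
    values can never be parsed as SQL. This is the primary defence."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    attempts = (("alice", "correct-horse"),    # legitimate login
                ("alice", "' OR '1'='1"),      # tautology makes the WHERE clause always true
                ("alice' --", "wrong"))        # comment discards the password check
    for user, pw in attempts:
        print(repr((user, pw)),
              "vulnerable:", login_vulnerable(db, user, pw),
              "escaped:", login_escaped(db, user, pw),
              "safe:", login_safe(db, user, pw))
```

The comparison is the lesson: the parameterized function needs no knowledge of which characters are dangerous, while the escaping function is only as good as the next context someone forgets (numeric fields, LIKE patterns, identifiers), which is why OWASP lists prepared statements first and escaping last.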
SQL injection attacks may be classified as:
- Error-based SQL injection (the database's error messages leak data or structure)
- Blind SQL injection (no data is returned; the attacker infers it from true/false differences in the response)
- Time-based SQL injection (a form of blind injection that infers data from deliberate delays)
The most effective defence is to never build queries by string concatenation: use parameterized queries (prepared statements) or a safe ORM API so that user input is always passed as data, never as SQL. Escaping characters that have a special meaning in SQL is a weaker, error-prone fallback. Input validation, least-privilege database accounts and suppressing detailed database errors reduce the impact further.
Ques 47. A network administrator realized that some users are connecting their notebooks to the wired network to get Internet access. What should be done in order to prevent unauthorized access to the wired network?
To restrict access to the wired network, use the IEEE 802.1X port-based authentication protocol.
802.1X authentication involves three parties: a supplicant, an authenticator and an authentication server. The supplicant is the client computer that wishes to connect to the wired network. The authenticator is the network device that provides the data link between the client and the network, such as an Ethernet switch; it keeps the port closed to everything except authentication traffic until the client is verified. The authentication server, typically a trusted RADIUS server, receives and responds to requests for network access and tells the authenticator whether the connection is to be allowed (and, optionally, which VLAN to assign).
Ques 48. Which nmap scan does not completely open a TCP connection?
The SYN stealth scan (nmap -sS), also known as half-open scanning, does not complete a full TCP connection: nmap sends a SYN, and if the target answers SYN-ACK the port is reported open, but nmap replies with RST instead of ACK, so the handshake is never completed and the application never sees (or logs) a connection. A RST in reply to the SYN means the port is closed; no reply means it is filtered.
Ques 49. Explain nmap -T0 option and when you would use it?
The nmap -T option is a timing option that selects a timing template, from -T0 (paranoid, very slow) to -T5 (insane, extremely aggressive); -T3 is the default. nmap -T0 sends one probe at a time with long waits between probes, generating the least amount of noise, and is used to evade IDS/IPS that alert on scan rate. The trade-off is that a scan of a large network can take many hours or days.
Ques 50. Write nmap command that will execute http and https port scan for all hosts that belong network 10.2.3.0/24 except host 10.2.3.20?
nmap -p 80,443 10.2.3.0/24 --exclude 10.2.3.20