Deck 2: Information Gathering

A) Using inurl: is like a logical OR and using allinurl: is like a logical AND
B) There is no difference, the allinurl is not listed on the help page because it has been discontinued
C) With inurl: only the first keyword must be in the URL and additional keywords can be anywhere on the page. The allinurl: operator means all of the keywords must be in the URL.
D) With inurl: only the first keyword must be in the URL and additional keywords can be anywhere on the page. The allinurl: operator means any of the keywords must be in the URL.

A) Filetype: looks for executables where ext: looks for data files
B) They are synomyms of each other, but the ext: is intended more for negation
C) There is no such thing as a filetype: operator
D) There is no such thing as an. ext: operator

A) Nothing as the (hash0 character comments out the remaining string
B) Library files from Visual Studio
C) Source code for scripts written in "C"
D) A well known vulnerability in the IIS ISAPI for IPP (Internet Printing Protocol)

A) Broken links produce these errors and indicate a malfunctioning server that is exposing weaknesses
B) Server errors that provide valuable information about what went wrong with the script
C) 404 errors produce pages that include these phrases as a common matter, the search doesn't really tell the attacker anything
D) The first phrase produced too many results. The second phrase was added to refine the search

A) Since Google hacking is anonymous; Chuck should start hacking away at the Ibiblio site. Who knows what this thing is, but it looks fun to attack.
B) Ibiblio is a popular host for downloads, they present a directory listing routinely and this target is not something Chuck should bother with because directory listing are not always a problem
C) Chuck should look further into the results or perhaps add the site: operator to his search
D) Stupid Google is only showing useless results that aren't even web pages. The hacker book must have had a typo as usual and Chuck should just move on to something else.

A) Use Google to locate Matt's script archive, guess on a popular script like formmail.pl, and use Google to look for vulnerabilities. Pop a code string into Google again and try to find vulnerable sites.
B) Use Google to search for webhosts that use these scripts and sign up for a free account. Download the scripts and analyze them for vulnerabilities.
C) These scripts are old and outdated. No one uses stuff like this anymore so Janet should ignore the article and move on.
D) Webhosts would not release vulnerable code, particularly the free services. They recognize their responsibility and invest a lot of money in ensuring the safety of their products. Janet has no angle here and should move on.

A) Name of the physical file on the webserver
B) <head><title>This is the title</title></head>
C) Mapped in a configuration file on the webserver
D) In the status bar of the web browser

A) Bing
B) GoogleGet
C) AutoGoo
D) Goolag Scanner

A) Articles full of keywords but with dubious content value
B) Splurging on a burst of advertising on high cost, high impact traffic sites
C) Posting comments on trendy, spur of the moment type blog articles that have timely and up to the minute reporting
D) A network of connected sites that promote high click through actions. Example" "Click here" results in a sentence or two of promotion copy only to require yet another click to hopefully one day view some content.

A) Run a series of "Make money online" workshops and tell people to do what he is doing look for things to sell online
B) "Scrape" information from other information sources and add his own insightful commentary
C) Steal other web pages, place them under his own domains, place Google adsense onto those pages, and rake in the money when the keywords cause search hits
D) Purchase domains that have recently expired, then sell them to their previous owners for a profit, even if he had no intent of ever using those domains for anything

A) All indexed pages on the example.com site including for those with extensions html, htm, asp, and Php
B) All non-indexed pages on the example.com site expect for those with extensions html, htm, asp, and Php
C) All html, htm, asp, and php pages on every site other than example.com
D) All indexed pages on the example.com site other than those with extensions html, htm, asp, and php

A) GoogleGather
B) GScanPlus
C) GooApp
D) Gooscan

A) Good old fashioned competition
B) Impression Fraud
C) Click fraud
D) Can't be done

A) It is a Slashdot hoax
B) Legal issues brought on my privacy concerns in Germany
C) A project that is meant to demonstrate "The spirit of the times"
D) A conspiracy of Google to own all of the world's information

A) Google Earth
B) My IP Suite
C) Neotrace
D) Sam Spade

A) Nikto
B) Wikto
C) Dogpile
D) Web Ferret

A) nslookup; server ns1.example.dom; ls -d example.dom
B) dig @ns1.example.dom - -zone-transfer
C) host -t ZONE example.dom ns1.example.dom
D) dig @ns1.example.dom example.dom IXFR

A) LACNIC, LAPNIC, AFLAC
B) ARIN, LAPNIC, RIPE NCC
C) ARIN, APNIC, LAPNIC
D) ARIN, LACNIC, AfriNIC

A) He was given bad advice. Incorrect information is a violation of the IEEE and IETF terms of service.
B) He was given bad advice. Incorrect information is a violation of the ICANN terms of service.
C) He was given good advice. Domain poachers use the contact information to steal domains all the time.
D) He was given good advice. You never want to put a personal address in the whois and proxy services that will hide the information are outrageously expensive.

A) This cannot be determined remotely
B) BidiBlah Suite
C) http://uptime.netcraft.com/up/graph
D) www.archive.org

A) It was a common virus scan
B) Directory traversal
C) Verify the accounts on a mail server
D) Zone transfer

A) 2 Hours
B) 60 Minutes
C) 14 Days
D) 1 Week

A) Web the Ripper
B) Black Widow
C) The Wayback Machine
D) HTTrack website copier

A) Send an email to a domain that will bounce back and analyze the headers
B) Telnet into port 25 and issue the VRFY command on names collected from the company directory
C) Embed a "web bug" in the HTML email and spam it out to everyone
D) All of the above

A) Pinpoint targets for a Denial of Service attack
B) Assemble competitive intelligence
C) Find press releases or negative stories
D) Find the names of company officers

A) The Edgar database
B) Findlaw.com
C) cnbc.com
D) Finance.yahoo.com

A) There is a cluster or load balancer on that segment
B) There is an SPI firewall at the gateway
C) One of the two hosts is a honeypot
D) Gregory needs to try a Layer 4 traceroute since this result is impossible

A) Map the network, discover live hosts, discovery open ports, discover services
B) Discover live hosts, discover open ports, discover services, map the network
C) Find the network block, traceroute to the webserver, scan all hops looking for segments
D) Call the front desk and ask to talk to the network administrator. Tell him that network topologies must be a matter of public record for investors and you want a copy mailed right away.

A) Call the front desk and ask them to ping you, since traffic coming from them will be successful
B) Telnet to various ports and run a packet sniffer to watch the backscatter
C) "lft" is an advanced traceroute tool that can incorporate various Layer 4 techniques and it might work instead
D) Post a message on the nmap hackers mailing list and ask someone else to try it from their address

A) The network segment is down
B) ICMP Type 3 messages are being filtered on the way back
C) She is only scanning UDP ports that are open, like 53
D) The filter is blocking all UDP traffic
E) The SYN flags are filtered by the stateful firewall

A) Ryan is inverse scanning a Windows host
B) Ryan is inverse scanning a Linux host
C) The filter is returning the RST flags to discourage the scan
D) The HTTP server always responds with a RST if the browser agent is not Mozilla or IE

A) Seems like Larry is taking a reasonable approach. He expects the scan to take awhile, and he can do other things while he waits.
B) 192.168.0.0/16 is an RFC 1918 compliant range, but this scan will attempt to reach over 65000 hosts and there are better ways of doing this.
C) RFC 1918 specifies 192.16.1.0/24 as a private range, and Larry is trying a class B mask. Larry is wasting his time
D) He should get the network block from ARIN and scan from the outside if he wants to make sure he sees every inside host.

A) An open port
B) Specific services like HTTP on the target since OS detection is basically a banner grab
C) A packet filtering firewall between the scanner and the target
D) One open port and one closed port

A) Cheops
B) Queso
C) NMap
D) p0f

A) Timestamp requests
B) Administratively prohibited
C) Destination unreachable, the network is down
D) Time to live has expired

A) nc -u -v -w3 [target ip] 1-100
B) hping3 -8 -S -p 1-100 [target ip]
C) nmap -sU -v -v [target ip] 1-100
D) uscan -p 1-100 [target ip]

A) SYN; SYN/ACK; ACK; RST
B) SYN; SYN/ACK; RST
C) SYN; SYN/ACK; FIN
D) SYN; SYN/ACK

A) He is watching normal traffic
B) Someone is scanning for subseven
C) This is a harmless UDP scan
D) Someone is scanning for back orifice

A) War dialing with Ettercap
B) War dialing with THC-Scan
C) Dialing for Dollars with Cold-Call Pro DX
D) Robo-dialing with DialDick.exe

A) The setting of the DF bit
B) Window size
C) IPID incrementing
D) ToS bits
E) Initial NACK field
F) Datagram size

A) Half-open
B) Listening
C) Filtered
D) Established

A) SAINT only runs on UNIX
B) Frank's boss needed SATAN, he bought the wrong product
C) SAINT only scans wireless networks
D) Vulnerability scans only tell the attackers where the weaknesses are

A) nmap -sT -v -T5 [Target IP]
B) nmap -sT -v -T0 [Target IP]
C) nmap -sV -v -T0 [Target IP]
D) nmap -sT -v --slow [Target IP]

A) Depends on the speed of the link
B) 53
C) 65535
D) 1500

A) net use \\IPC$ \[target ip] "" / user : ""
B) net use \\[target ip]\IPC$ "" / user : ""
C) net use \\[target ip]\IPC$ '' / user : ''
D) net use \\[target ip]\NULL$ "" / user : ""

A) netstat, pstools, nbtstat, procmon
B) top, netstat, lsof, ps
C) ps, top, nbstat, net use
D) rpcinfo, ldap, nbstat, ps

A) chmod 764 foo.sh
B) chmod 664 foo.sh
C) cacls u+rwx g+rx o+r
D) calcs ./foo.sh /G owner:RWX /G group:rx /G world:R

A) S-1-5-7-341656734543-512
B) S-1-5-7-545632867586-1001
C) AD3424FDA31404EE
D) 1.2.1.1.1.2.1.3.1.4.6

A) On a Linux system they are responsible for logins, much like PAM is for Windows
B) On a Windows system they manage SIDs and user account databases
C) On a Linux system they govern access to TCP based services along with Inetd and TCPWrappers
D) On a Windows host they comprise part of the authentication subsystem

A) The octal equivalent is of these permissions is 755 + SUID
B) The answer to the command was "yes" and the file requested does exist
C) The octal equivalent is of these permissions is 4755
D) The SGID bit is set and the file "yes" is executable with the root UID

A) netstats -an
B) netstat /an
C) nbtstat -an
D) nmap -sT -P0 -v [target ip]

A) Windows doesn't have a scanner that will help with discovery
B) He needs to install a tool first
C) He could use "net view" with no arguments
D) He could use the nbstat tool with the -r or -c or -n options to at least see names of machines he might have discovered via natural protocol behaviors

A) netstat /an
B) nbtstat -A
C) net view \ \[servername]
D) nbstat -shares [target ip]

A) smbclient -L [target ip]
B) nbtstat -L [target ip]
C) net view \ \[domain]
D) Linux doesn't support Windows file sharing, so Chris is wasting his time

A) smbclient \\\ \[target ip]\\c$ -U administrator
B) nbtstat \\[target ip]\c$ -u administrator
C) net view \\\\[target ip]\\ipc$ "" user : ""
D) Kempton cannot have a credential yet. He needs to read the system hacking chapter in the CEH courseware and try some of those techniques first.

A) Fred
B) Paul
C) Steve
D) Liz

A) An account with no user name or password
B) A user that has been disabled
C) The system user of the "NULL" service
D) An internal "loopback" user

A) She should scan 1-1023
B) She should scan 0-63535 just to be sure
C) She should scan 1-49151
D) She should consult the network documentation and avoid the scan altogether.

A) The -sS scan looks for "Services" and this is not compatible with the -P0 (Do not ping first) option
B) He shouldn't run a dangerous scan like this as root, otherwise its OK
C) He is being thorough just as his boss asked him to. This range will be sure to notice everything.
D) He tried to scan 65536 ports on about 16 Million addresses. This is excessive traffic and is not a good approach.

A) Telnet to the open port an grab a banner
B) Use a browser to view the web page
C) Use an FTP client to connect to port 80 and observe the error messages
D) View the source code of the index.html page

A) Telnet to the open port an grab a banner
B) Use a browser to view the web page
C) Use an FTP client to connect to port 80 and observe the error messages
D) View the source code of the index.html page

A) 82, 42, 139, 135, 445
B) 88, 445, 42, 445, 139
C) 42, 88, 135, 139, 445
D) 88, 42, 135, 139, 445

A) Zone harvest
B) Zone Poison
C) Zone transfer
D) Zone estimate

A) \\server\share
B) UNC : / / server.com / share
C) file:\\unc.server.com\share
D) UNC shares can only be accessed via drive mapping, not addresses.