Question: 1
What is the name of the software tool used to crack a single account on Netware Servers using a dictionary attack?
A. NPWCrack
B. NWPCrack
C. NovCrack
D. CrackNov
E. GetCrack
Answer: B
Explanation:
NWPCrack is the software tool used to crack single accounts on Netware servers.
Question: 2
How can you determine if an LM hash you extracted contains a password that is less than 8 characters long?
A. There is no way to tell because a hash cannot be reversed
B. The right most portion of the hash is always the same
C. The hash always starts with AB923D
D. The left most portion of the hash is always the same
E. A portion of the hash will be all 0's
Answer: B
Explanation:
When loosheets at an extracted LM hash, you will sometimes observe that the right most portion is always the same. This is padding that has been added to a password that is less than 8 characters long.
Question: 3
Several of your co-workers are having a discussion over the etc/passwd file. They are at odds over what types of encryption are used to secure Linux passwords.(Choose all that apply).
A. Linux passwords can be encrypted with MD5
B. Linux passwords can be encrypted with SHA
C. Linux passwords can be encrypted with DES
D. Linux passwords can be encrypted with Blowfish
E. Linux passwords are encrypted with asymmetric algrothims
Answer: A, C D
Explanation:
Linux passwords can be encrypted with several types of hashing algorithms. These include SHQ,
MD5, and Blowfish.
Question: 4
What are the two basic types of attacks?(Choose two.
A. DoS
B. Passive
C. Sniffing
D. Active
Exam Name: Certified Ethical Hacker
Exam Type: EC-Council
Exam Code: 312-50 Total Questions: 255
Page 2 of 77
E. Cracsheets
Answer: B, D
Explanation:
Passive and active attacks are the two basic types of attacks.
Question: 5
Sniffing is considered an active attack.
A. True
B. False
Answer: B
Explanation:
Sniffing is considered a passive attack.
Question: 6
When discussing passwords, what is considered a brute force attack?
A. You attempt every single possibility until you exhaust all possible combinations or discover the password B. You threaten to use the rubber hose on someone unless they reveal their password
C. You load a dictionary of words into your cracsheets program
D. You create hashes of a large number of words and compare it with the encrypted passwords
E. You wait until the password expires
Answer: A
Explanation:
Brute force cracsheets is a time consuming process where you try every possible combination of letters, numbers, and characters until you discover a match.
Question: 7
Which of the following are well know password-cracsheets programs?(Choose all that apply.
A. L0phtcrack
B. NetCat
C. Jack the Ripper
D. Netbus
E. John the Ripper
Answer: A, E
Explanation:
L0phtcrack and John the Ripper are two well know password-cracsheets programs. Netcat is considered the Swiss-army knife of hacsheets tools, but is not used for password cracsheets
Question: 8
Password cracsheets programs reverse the hashing process to recover passwords.(True/False.
A. True
B. False
Exam Name: Certified Ethical Hacker
Exam Type: EC-Council
Exam Code: 312-50 Total Questions: 255
Page 3 of 77
Answer: B
Explanation:
Password cracsheets programs do not reverse the hashing process. Hashing is a one-way process. What these programs can do is to encrypt words, phrases, and characters using the same encryption process and compare them to the original password. A hashed match reveals the true password. Question: 9
What does the following command achieve?
Telnet
HEAD /HTTP/1.0

A. This command returns the home page for the IP address specified
B. This command opens a backdoor Telnet session to the IP address specified
C. This command returns the banner of the website specified by IP address
D. This command allows a hacker to determine the sites security
E. This command is bogus and will accomplish nothing
Answer: C
Explanation:
This command is used for banner grabbing. Banner grabbing helps identify the service and version of web server running.
Question: 10
Your lab partner is trying to find out more information about a competitors web site. The site has a
.com extension. She has decided to use some online whois tools and look in one of the regional
Internet registrys.
Which one would you suggest she looks in first?
A. LACNIC
B. ARIN
C. APNIC
D. RIPE
E. AfriNIC
Answer: B
Explanation:
Regional registries maintain records from the areas from which they govern. ARIN is responsible for domains served within North and South America and therefore, would be a good starting point for a .com domain.
Question: 11
Which of the following tools are used for footprinting?(Choose four.
A. Sam Spade
B. NSLookup
Exam Name: Certified Ethical Hacker
Exam Type: EC-Council
Exam Code: 312-50 Total Questions: 255
Page 4 of 77
C. Traceroute
D. Neotrace
E. Cheops
Answer: A, B, C, D
Explanation:
All of the tools listed are used for footprinting except Cheops.
Question: 12
According to the CEH methodology, what is the next step to be performed after footprinting?
A. Enumeration
B. Scanning
C. System Hacsheets
D. Social Engineering
E. Expanding Influence
Answer: B
Explanation:
Once footprinting has been completed, scanning should be attempted next. Scanning should take lace on two distinct levels: network and host.
Question: 13
NSLookup is a good tool to use to gain additional information about a target network. What does the following command accomplish? nslookup > server
> set type =any
> ls -d
A. Enables DNS spoofing
B. Loads bogus entries into the DNS table
C. Verifies zone security
D. Performs a zone transfer
E. Resets the DNS cache
Answer: D
Explanation:
If DNS has not been properly secured, the command sequence displayed above will perform a zone transfer.
Question: 14
While footprinting a network, what port/service should you look for to attempt a zone transfer?
A. 53 UDP
B. 53 TCP
C. 25 UDP
D. 25 TCP
E. 161 UDP
F. 22 TCP
G. 60 TCP
Exam Name: Certified Ethical Hacker
Exam Type: EC-Council
Exam Code: 312-50 Total Questions: 255
Page 5 of 77
Answer: B
Explanation:
IF TCP port 53 is detected, the opportunity to attempt a zone transfer is there.
Question: 15
Which of the following statements about a zone transfer correct?(Choose three.
A. A zone transfer is accomplished with the DNS
B. A zone transfer is accomplished with the nslookup service
C. A zone transfer passes all zone information that a DNS server maintains
D. A zone transfer passes all zone information that a nslookup server maintains
E. A zone transfer can be prevented by blocsheets all inbound TCP port 53 connections
F. Zone transfers cannot occur on the Internet
Answer: A, C, E
Explanation:
Securing DNS servers should be a priority of the organization. Hackers obtaining DNS information can discover a wealth of information about an organization. This information can be used to further exploit the network.
Question: 16
What did the following commands determine?
C: user2sid \earth guest
S-1-5-21-343818398-789336058-1343024091-501
C:sid2user 5 21 343818398 789336058 1343024091 500
Name is Joe
Domain is EARTH
A. That the Joe account has a SID of 500
B. These commands demonstrate that the guest account has NOT been disabled
C. These commands demonstrate that the guest account has been disabled
D. That the true administrator is Joe
E. Issued alone, these commands prove nothing
Answer: D
Explanation:
One important goal of enumeration is to determine who the true administrator is. In the example above, the true administrator is Joe.
Question: 17
Which of the following tools are used for enumeration?(Choose three.
A. SolarWinds
B. USER2SID
C. Cheops
D. SID2USER
E. DumpSec
Answer: B, D, E
Explanation:
Exam Name: Certified Ethical Hacker
Exam Type: EC-Council
Exam Code: 312-50 Total Questions: 255
Page 6 of 77
USER2SID, SID2USER, and DumpSec are three of the tools used for system enumeration.
Others are tools such as NAT and Enum. Knowing which tools are used in each step of the hacsheets methodology is an important goal of the CEH exam. You should spend a portion of your time preparing for the exam practicing with the tools and learning to understand their output.
Question: 18
When worsheets with Windows systems, what is the RID of the true administrator account?
A. 500
B. 501
C. 1000
D. 1001
E. 1024
F. 512
Answer: A
Explanation:
Because of the way in which Windows functions, the true administrator account always has a RID of 500.
Question: 19
Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Exam for?
A. To determine who is the holder of the root account
B. To perform a DoS
C. To create needless SPAM
D. To illicit a response back that will reveal information about email servers and how they treat undeliverable mail
E. To exam for virus protection
Answer: D
Explanation:
Sending a bogus email is one way to find out more about internal servers. Also, to gather additional IP addresses and learn how they treat mail.
Question: 20
The follows is an email header. What address is that of the true originator of the message?
Return-Path:
Received: from smtp.com (fw.emumail.com [215.52.220.122]. by raq-221-181.ev1.net (8.10.2/8.10.2. with ESMTP id h78NIn404807 for ; Sat, 9 Aug 2003 18:18:50 -0500
Received: (qmail 12685 invoked from network.; 8 Aug 2003 23:25:25 -0000
Received: from ([19.25.19.10]. by smtp.com with SMTP
Received: from unknown (HELO CHRISLAPTOP. (168.150.84.123. by localhost with SMTP; 8 Aug 2003 23:25:01 -0000
From: "Bill Gates"
To: "mikeg"
Subject: We need your help!
Date: Fri, 8 Aug 2003 19:12:28 -0400
Message-ID:
MIME-Version: 1.0
Exam Name: Certified Ethical Hacker
Exam Type: EC-Council
Exam Code: 312-50 Total Questions: 255
Page 7 of 77
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0052_01C35DE1.03202950" X-Priority: 3 (Normal.
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
A. 19.25.19.10
B. 51.32.123.21
C. 168.150.84.123
D. 215.52.220.122
E. 8.10.2/8.10.2
Answer: C
Explanation:
Spoofing can be easily achieved by manipulating the "from" name field, however, it is much more difficult to hide the true source address. The "received from" IP address 168.150.84.123 is the true source of the
Question: 21
What is the tool Firewalk used for?
A. To exam the IDS for proper operation
B. To exam a firewall for proper operation
C. To determine what rules are in place for a firewall
D. To exam the webserver configuration
E. Firewalk is a firewall auto configuration tool
Answer: C
Explanation:
Firewalk is an active reconnaissance network security tool that attempts to determine what layer
4 protocols a given IP forwarding device "firewall" will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an
ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets and no response will be returned.
Question: 22
Which of the following Nmap commands would be used to perform a UDP scan of the lower 1024 ports? A. Nmap -h -U
B. Nmap -hU
C. Nmap -sU -p 1-1024
D. Nmap -u -v -w2 1-1024
E. Nmap -sS -O target/1024
Answer: C
Explanation:
Nmap -sU -p 1-1024 is the proper syntax. Learning Nmap and its switches are critical for successful completion of the CEH exam.
Exam Name: Certified Ethical Hacker
Exam Type: EC-Council
Exam Code: 312-50 Total Questions: 255
Page 8 of 77
Question: 23
Which of the following Netcat commands would be used to perform a UDP scan of the lower 1024 ports? A. Netcat -h -U
B. Netcat -hU
C. Netcat -sU -p 1-1024
D. Netcat -u -v -w2 1-1024
E. Netcat -sS -O target/1024
Answer: D
Explanation:
The proper syntax for a UDP scan using Netcat is "Netcat -u -v -w2 1-1024". Netcat is considered the Swiss-army knife of hacsheets tools because it is so versatile.
Question: 24
What are two things that are possible when scanning UDP ports?(Choose two.
A. A reset will be returned
B. An ICMP message will be returned
C. The four-way handshake will not be completed
D. An RFC 1294 message will be returned
E. Nothing
Answer: B, E
Explanation:
Closed UDP ports can return an ICMP type 3 code 3 message. No response can mean the port is open or the packet was silently dropped.
Question: 25
Which of the following ICMP message types are used for destinations unreachables?
A. 0
B. 3
C. 11
D. 13
E. 17
Answer: B
Explanation:
Type 3 messages are used for unreachable messages. 0 is Echo Reply, 8 is Echo request, 11 is time exceeded, 13 is timestamp and 17 is subnet mask request. Learning these would be advisable for the exam.
Question: 26
What does a type 3 code 13 represent?(Choose two.
A. Echo request
B. Destination unreachable
C. Network unreachable
D. Administratively prohibited
Exam Name: Certified Ethical Hacker
Exam Type: EC-Council
Exam Code: 312-50 Total Questions: 255
Page 9 of 77
E. Port unreachable
F. Time exceeded
Answer: B, D
Explanation:
Type 3 code 13 is destination unreachable administratively prohibited. This type of message is typically returned from a device blocsheets a port.
Question: 27
Destination unreachable administratively prohibited messages can inform the hacker to what?
A. That a circuit level proxy has been installed and is filtering traffic
B. That his/her scans are being blocked by a honeypot or jail
C. That the packets are being malformed by the scanning software
D. That a router or other packet-filtering device is blocsheets traffic
E. That the network is functioning normally
Answer: D
Explanation:
Destination unreachable administratively prohibited messages are a good way to discover that a router or other low-level packet device is filtering traffic. Analysis of the ICMP message will reveal the IP address of the blocsheets device and the filtered port. This further adds the to the network map and information being discovered about the network and hosts.
Question: 28
Which of the following Nmap commands would be used to perform a stack fingerprinting?
A. Nmap -O -p80
B. Nmap -hU -Q
C. Nmap -sT -p
D. Nmap -u -o -w2
E. Nmap -sS -0p target
Answer: A
Explanation:
This option activates remote host identification via TCP/IP fingerprinting. In other words, it uses a bunch of techniques to detect subtlety in the underlying operating system network stack of the computers you are scanning. It uses this information to create a "fingerprint" which it compares with its database of known OS fingerprints (the nmap-os-fingerprints file. to decide what type of system you are scanning.
Question: 29
Name two software tools used for OS guessing.(Choose two.
A. Nmap
B. Snadboy
C. Queso
D. UserInfo
E. NetBus
Answer: A, C
Exam Name: Certified Ethical Hacker
Exam Type: EC-Council
Exam Code: 312-50 Total Questions: 255
Page 10 of 77
Explanation:
Nmap and Queso are the two best-known OS guessing programs. OS guessing software has the ability to look at peculiarities in the way that each vendor implements the RFC's. These differences are compared with its database of known OS fingerprints. Then a best guess of the
OS is provided to the user.
Question: 30
What are the six types of social engineering?(Choose six.
A. Spoofing
B. Reciprocation
C. Social Validation
D. Commitment
E. Friendship
F. Scarcity
G. Authority
H. Accountability
Answer: B, C, D, E, F, G
Explanation:
All social engineering is performed by tasheets advantage of human nature. For in-depth information on the subject review, read Robert Cialdini's book, Influence: Science and Practice.
Question: 31
Which of the following is an automated vulnerability assessment tool.
A. Whack a Mole
B. Nmap
C. Nessus
D. Kismet
E. Jill32
Answer: C
Explanation:
Nessus is a vulnerability assessment tool.
Question: 32
If you send a SYN to an open port, what is the correct response?(Choose all correct answers.
A. SYN
B. ACK
C. FIN
D. PSH
Answer: A, B
Explanation:
The proper response is a SYN / ACK. This technique is also known as half-open scanning.
Question: 33
What is the proper response for a FIN scan if the port is closed?
A. SYN