EH-Net
May 25, 2013, 06:30:00 AM
  Show Posts
1  Ethical Hacking Discussions and Related Certifications / General Certification / Re: CEH exam simulation on: April 25, 2013, 06:38:16 AM
I bought the CEH ExSim from Boson in 2007 (paid $49.95, I see that it's now $99) and I found it to be OK; never tried Ucertify though. But that was many years ago and I don't know how good the exam simulator is now. I did the CEH via self study and the exam simulator was just a tool to reinforce what I had learnt, and I never used it that much; I think I only tried the exam simulation twice. I agree with Hayabusa: if you have studied for the OSCP and have CEH material and know the CEH material, you shouldn't have a problem with the exam.

After all, you have a 25% chance of passing the multiple guess exam.
2  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: CEH application fee? on: February 23, 2013, 05:47:40 PM
Hmm, a new requirement: $100. I never had to pay anything years ago, just fill out the form and email it to ECC. I guess it might be a way for ECC to generate some money if you take the self study route.
The following page has information and a contact, might be worth getting in touch and asking for more info: https://cert.eccouncil.org/certified-member/faq/examination
3  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: AIO master Master Exam (Learnkey) test questions help. on: February 23, 2013, 05:26:55 PM
I don't agree with some of the answers; I'm also guessing that the test is somewhat outdated. I also think that an additional study resource would benefit you. I've answered most of the questions below as best as I can.

This did not seem to post, so if it shows up more than once, I apologize.


I have been going through and vetting all the test questions and have come across several that are either wrong, or I do not understand.  Can anyone please help me with the ones I do not understand?

Q1. You are reviewing log files and results from a day of pen testing. The following command appears in one of the logs:
    nc -l -u -p 55555 < /etc/passwd
What was the ethical hacker attempting to do?

They say the answer is "Take a copy of the /etc/passwd file when connected to 55555." I guess I am not understanding the work flow here. Can someone explain this to me? It is missing an IP and I guess that is what is throwing me off.

You're thinking in terms of using netcat to connect to a system, the example above shows that netcat is running on the local machine (listen mode) with the following options:

-l Listen
-u UDP protocol
-p port (55555)
< defines what should happen when a connection is made, in this case the /etc/passwd file should be sent to the connecting machine.

To grab the /etc/passwd file from an attacking machine, you would type:
nc -u <ip address> 55555
for example: nc -u 192.168.1.34 55555
Since the connection is over UDP, you'll just see an open connection, but if you press enter twice you'll see the passwd file contents displayed on the screen.


Q2. You are running a FIN scan. What response would you expect from a closed port?

They say nothing, but in my tests I always get a RST packet, regardless of OS. (Windows 2003, Linux Metasploitable)

Q3. You are running a FIN scan. What would you expect from an open port?

They say RST, I say you can't tell without knowing the OS. Windows gives a RST, but Metasploitable returned nothing.

You're right in that different Operating Systems will reply differently to a FIN. Linux returns a FIN ACK if the port is open. I've seen Windows send a RST in reply to a FIN (does not shut the connection down gracefully). Linux replies with a RST ACK to a FIN scan if the port is closed.

Q4. What port does Tini use?

They say 777, but Symantec and other sites say 7777. I am guessing it is a typo on their part?

Port 7777 is the correct port for Tini, reference here: http://www.ntsecurity.nu/toolbox/tini/


Q5. How is a session key created in SSL?

They say The client creates it after verifying the server's identity.

Several sites say they both do. It is based on the random string of the server and the premaster secret from the client. Who is right?

http://www.tech-faq.com/ssl-secure-sockets-layer.html

"The client next generates a premaster secret. This is a different random string which will in turn be utilized to generate the session key for the SSL session."


Q6. Your network administrator wants to prevent NetBIOS traffic into a segment. Which ports should be blocked on the firewall? (Choose all that apply)

They say 135, 139 and 445.

445? I thought that used to be NetBIOS over TCP, but that is no longer true. What is the best answer for the CEH exam?

Port 445 is SMB over TCP. It seems that they are confusing NetBIOS with SMB when they mention port 445. They're asking you about NetBIOS to see if you know which ports NetBIOS uses. Take a look at the following links:
http://technet.microsoft.com/en-us/library/cc940063.aspx
http://www.petri.co.il/what_is_port_445_in_w2kxp.htm
http://quizlet.com/18203329/ceh-ports-flash-cards/


Q7. You are asked to compile a program in Linux. Which commands will you need? (Choose all that apply)

They say ./configure, make, make install

I say ./configure and make.
My understanding is that make install installs the compiled code. Who is correct?

make install will install the compiled code on the system. If the question was worded differently and mentioned what commands you would need to compile AND install the program, then I would agree with all three.


Q8. How does traceroute work?

They say It manipulates the TTL (hop count) within packets TO ELICIT AN ERROR MESSAGE AT EACH HOP.

I say take out the error part and you are good to go. Right?

Traceroute works by sending ICMP packets (echo requests), I guess the error message they are referring to is the ICMP Time Exceeded.

Q9. An attacker hopes to capture data from a target Bluetooth device. Which Bluetooth attack will be performed?

They say BlueSniffing
I say Bluesnarfing.

My understanding is Bluesnarfing is the actual theft of data, where Bluesniffing is like using Wireshark. While you could steal data that way, it would seem that Bluesnarfing is a better answer. What do you all say?

Q10. At what layer does SSL operate?

They say Layer 4 (Transport)

I find answers that say layer 7 and layer 5 and have been told that encryption happens at layer 6 (What I was taught in Net+)

What is the correct answer for the CEH test?

Q11. You run a null scan against a target, which returns all ports open. Which of the following statements is true?
* all ports are open
* system is most likely a web server
* The system is a Windows machine <-- their answer
* The system is behind a firewall.

I have done this many times, and always Windows shows all ports are closed. I do not have access to Windows 2000 or NT.

I ran an NMAP Null scan against a Windows XP SP3 system and no replies were sent by the Windows machine (no ACK, no RST ... nothing).

From the NMAP guide: not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. This scan does work against most Unix-based systems though. Another downside of these scans is that they can't distinguish open ports from certain filtered ones, leaving you with the response open|filtered.

Windows hosts do not comply with RFC 793. Subsequently, you cannot use a NULL scan against a Windows machine to determine which ports are active. When a Microsoft operating system receives a packet that has no flags set, it sends an RST packet in response, regardless of whether the port is open. With all NULL packets receiving an RST packet in response, you cannot differentiate open and closed ports.

UNIX-based systems do comply with RFC 793; therefore, they send RST packets back when the port is closed and no packet when the port is open.


Can someone please give me the correct answer and also explain this to me?

Q12. Your team has a pretty good idea of likely usernames and passwords (based on policy and previous testing). Which of the following tests would be the best choice for the quickest results?
* brute force
* Dictionary
* Encryption
* Hybrid <-- their answer

I say Dictionary. No mention of complex passwords... just the fastest attack. Am I not right?

I agree with Hybrid.
Dictionary attacks are technically the fastest, BUT the word list must contain the exact password. With a hybrid attack, dictionary words are used with combinations of numbers, special characters etc., giving you more options for any variations of the possible password used.


Out of 300 questions, to only not understand these... I do not feel I am doing too bad. But I would like to understand them all! So any help would be most appreciated!

Thank you,

Dalobo
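
As an added example (not code from the original thread), here is a small parser for the kind of netcat line in Q1, meant for decoding such entries while reviewing logs: it pulls out listen mode, protocol, port and any file redirected into netcat, and raises an alert when a listener serves a sensitive file. The list of sensitive files and the function names are assumptions.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow"}   # assumed list worth alerting on

@dataclass
class NcCommand:
    listen: bool = False              # -l: listen mode
    udp: bool = False                 # -u: UDP instead of TCP
    port: Optional[int] = None        # -p <port> when listening, trailing arg otherwise
    host: Optional[str] = None        # peer address in client mode
    stdin_file: Optional[str] = None  # "< file": file contents go to whoever connects

def parse_nc(line: str) -> Optional[NcCommand]:
    """Parse one logged shell line; None if it is not a netcat invocation."""
    argv = shlex.split(line.replace("<", " < "))  # "</etc/passwd" splits like "< /etc/passwd"
    if not argv or argv[0] not in ("nc", "netcat"):
        return None
    cmd, positional, i = NcCommand(), [], 1
    while i < len(argv):
        tok = argv[i]
        if tok == "<":                            # "< file": the file is fed to the peer
            i += 1
            cmd.stdin_file = argv[i]
        elif tok.startswith("-"):
            for j, flag in enumerate(tok[1:]):    # handles combined flags such as -lup
                if flag == "l":
                    cmd.listen = True
                elif flag == "u":
                    cmd.udp = True
                elif flag == "p":                 # port is the rest of this token or the next one
                    cmd.port = int(tok[j + 2:] or argv[(i := i + 1)])
                    break
        else:
            positional.append(tok)
        i += 1
    if not cmd.listen and positional:             # client mode: nc [-u] host port
        cmd.host = positional[0]
        if len(positional) > 1:
            cmd.port = int(positional[1])
    return cmd

def explain(cmd: NcCommand) -> str:
    """One-line reading of the command, with an alert when a sensitive file is served."""
    proto = "UDP" if cmd.udp else "TCP"
    if cmd.listen:
        text = f"listens on {proto}/{cmd.port}" + (f" and sends {cmd.stdin_file} to whoever connects" if cmd.stdin_file else "")
    else:
        text = f"connects to {cmd.host}:{cmd.port} over {proto}"
    return text + (" [ALERT: sensitive file exposed]" if cmd.stdin_file in SENSITIVE_FILES else "")
```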

4  EH-Net / News Items and General Discussion About EH-Net / Re: [Article]-May 2012 Free Giveaway Winner of iSWAT Training by FishNet Security on: October 17, 2012, 06:23:51 AM
Congrats on passing the exam. Did you enjoy the pain? Did you use the full 6 hours?

I attended the iSWAT training a few weeks ago and took the CISSP course.  This morning, I took the exam and passed. 

I don't have an endorser so it may be a couple of months before I'm an actual CISSP, but I'm very happy to have the exam behind me.

Don: Thanks again.


5  Resources / Links to cool sites. / Re: Cybergeddon on: October 01, 2012, 08:26:00 AM
I watched this series last week and I was going to post about it here on EHN but you beat me to it.

I watched them all and it isn't too bad. I almost stopped watching it after the 1st episode when I saw this:

They could at least have used a real IP Address that is fully routable like 127.0.0.1 .... right?

[I know the reason why they used the address above, similar to the 555 phone numbers, just found it amusing]
6  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Is ENSA mandatory to take CEH? on: September 27, 2012, 05:05:23 AM
I would recommend to contact EC Council directly and ask them about exam eligibility: http://www.eccouncil.org/contact_us.aspx

When I did the CEH exam I went the self-study route and had to submit a request for an eligibility code to book the exam. If you have attended some other security training, EC-Council might take this into account and waive the work experience.

11. Can I pursue self-study and attempt the exam instead of attending formal training?

The answer is yes. You must show 2 years of work experience in security related field. You must also submit CEH exam eligibility application and obtain authorization from EC-Council before you can attempt the exam. Please visit http://www.eccouncil.org/certification/exam_information/take_exam.aspx for more details.
7  Columns / Andress / Re: [Article]-Spooky Warfare Hacking Contest on: September 21, 2012, 01:51:28 PM
Jason, here's something for you: http://www.youtube.com/watch?v=1XZGHOxnCto

8  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: OSCP exam question on: July 09, 2012, 10:14:17 AM
Thanks for answer!

If I run a remote exploit on a server and by mistake that service crashes, then what? For example, I can see there is an exploit for port 80, but if I run some script which crashes the service, how do I get in to port 80 now? In the exam, can I revert the machine back to its original state?

You can revert the machines during the exam (just like the lab) and if you have any problems with any of the machines you can also get hold of one of the admins via chat and they can reset the machine if required.
9  Ethical Hacking Discussions and Related Certifications / Social Engineering / Re: SET Error on port 80 on: June 25, 2012, 04:42:34 AM
If you're using Backtrack, you probably have apache set to start automatically, which is probably where the conflict is.

netstat -antp will tell you what the problem is.


I'm using backtrack 5r2, a netstat -antp reveals this:

root@bt:~# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1127/apache2
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      786/postgres
tcp6       0      0 ::1:5432                :::*                    LISTEN      786/postgres

Apache is running (I highlighted it in bold), that's why SET doesn't load.
Try stopping Apache and see if that helps: "apache2 stop" or "/etc/init.d/apache2 stop"
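
As an added example (not code from the original thread), the same port-conflict check done programmatically: parse the netstat -antp output quoted in the post above and report which PID/program holds a given listening port, so a tool that needs port 80 can tell what it is colliding with. The sample output is a constructed copy of the lines quoted above; the function names are assumptions.

```python
from typing import Dict, List, Optional

# Constructed copy of the netstat -antp output quoted in the post above (three listeners).
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1127/apache2
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      786/postgres
tcp6       0      0 ::1:5432                :::*                    LISTEN      786/postgres
"""

def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Turn netstat -antp lines into records; the two header lines are skipped."""
    records = []
    for line in text.splitlines():
        cols = line.split(None, 6)          # PID/Program name may itself contain spaces
        if len(cols) < 6 or cols[0] not in ("tcp", "tcp6"):
            continue
        addr, _, port = cols[3].rpartition(":")   # rpartition copes with IPv6 such as ::1:5432
        records.append({
            "proto": cols[0], "addr": addr, "port": port,
            "state": cols[5], "owner": cols[6] if len(cols) > 6 else "-",
        })
    return records

def who_listens_on(text: str, port: int) -> Optional[str]:
    """Return the 'PID/program' holding the given TCP port in LISTEN state, or None."""
    for rec in parse_netstat(text):
        if rec["state"] == "LISTEN" and rec["port"] == str(port):
            return rec["owner"]
    return None
```

Run against live output with `who_listens_on(subprocess.check_output(["netstat", "-antp"], text=True), 80)` (needs root to see PID/program names).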
10  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Burn Note on: June 23, 2012, 09:35:02 AM
If you had a packet capture running when you got the thing, you might be able to carve out the data.

The site uses SSL/HTTPS.
11  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Burn Note on: June 23, 2012, 09:32:30 AM
I don't think you can retrieve the burned note once the timer expires since it's done on the back end. Not sure if the note is actually deleted/purged from the system or just the link to the note is removed/expired
12  EH-Net / Greetings / Re: Hey guys (again) on: June 11, 2012, 07:37:34 AM
Well done!
13  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: So you scanned a host, and found open ports!! on: May 30, 2012, 10:30:35 AM
I already scanned my public IP. On my workstation I've got 15 open ports, but when I scanned the public IP it only showed two open ports, so it seems there is some firewall configuration.

You should be able to match the open ports with the internal machines (assuming NAT/PAT is configured), if you access the router have a look at which services are forwarded internally. It is also possible that the router is blocking everything inbound and the 2 open ports are management services for the router, for example: HTTP and Telnet.
How about a verbose scan of those 2 open ports, what information can you gather?

14  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: vulnerability :SSL Medium Strength Cipher Suites Supported on: May 30, 2012, 04:49:00 AM
You should have a list of ciphers reported as having a key length of 56 bits or 112 bits or less from the Nessus scan, and you could focus on addressing just those ciphers. The following Microsoft KB article describes how to disable the various weak ciphers: http://support.microsoft.com/kb/245030
There are many other references to disabling weak cipher keys on IIS 6, for example: http://www.waynezim.com/2011/03/how-to-disable-weak-ssl-protocols-and-ciphers-in-iis/ which also describes using a tool called SSLScan to test the ciphers easily.

HTH
15  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: vulnerability :SSL Medium Strength Cipher Suites Supported on: May 29, 2012, 03:34:08 PM
What webservers are running on the other hosts that are reported as vulnerable, are the results for webservers or other devices?
Are all the webservers running IIS?
Are you saying that after following the suggestions on the website above, the servers are still being reported as vulnerable?
What details are reported for the vulnerability in Nessus, is the following message the same: http://www.nessus.org/plugins/index.php?view=single&id=42873 ?