
AIO master Master Exam (Learnkey) test questions help.


Dalobo

Newbie

Posts: 27

Joined: Wed Jan 23, 2013 7:49 pm

Post Sat Feb 23, 2013 12:34 pm

AIO master Master Exam (Learnkey) test questions help.

This did not seem to post, so if it shows up more than once, I apologize.


I have been going through and vetting all the test questions and have come across several that are either wrong, or I do not understand. Can anyone please help me with the ones I do not understand?

Q1. You are reviewing log files and results from a day of pen testing. The following command appears in one of the logs:
    nc -l -u -p 55555 < /etc/passwd
What was the ethical hacker attempting to do?

They say the answer is Take a copy of the /etc/passwd file when connected to 55555. - I guess I am not understanding the work flow here. Can someone explain this to me? It is missing an IP and I guess that is what is throwing me off.

Q2. You are running a FIN scan. What response would you expect from a closed port?

They say nothing, but in my tests I always get a RST packet, regardless of OS. (Windows 2003, Linux Metasploitable)

Q3. You are running a FIN scan. What would you expect from an open port?

They say RST, I say you can't tell without knowing the OS. Windows gives a RST, but Metasploitable returned nothing.

Q4. What port does Tini use?

They say 777, but Symantec and other sites say 7777. I am guessing it is a typo on their part?

Q5. How is a session key created in SSL?

They say The client creates it after verifying the server's identity.

Several sites say they both do. It is based on the random string of the server and the premaster secret from the client. Who is right?

Q6. Your network administrator wants to prevent NetBIOS traffic into a segment. Which ports should be blocked on the firewall? (Choose all that apply)

They say 135, 139 and 445.

445? I thought that used to be NetBIOS over TCP, but that is no longer true. What is the best answer for the CEH exam?

Q7. You are asked to compile a program in Linux. Which commands will you need? (Choose all that apply)

They say ./configure, make, make install

I say ./configure and make.
My understanding is that make install installs the compiled code. Who is correct?

Q8. How does traceroute work?

They say It manipulates the TTL (hop count) within packets TO ELICIT AN ERROR MESSAGE AT EACH HOP.

I say take out the error part and you are good to go. Right?

Q9. An attacker hopes to capture data from a target Bluetooth device. Which Bluetooth attack will be performed?

They say BlueSniffing
I say Bluesnarfing.

My understanding is Bluesnarfing is the actual theft of data, where Bluesniffing is like using Wireshark. While you could steal data that way, it would seem that Bluesnarfing is a better answer. What do you all say?

Q10. At what layer does SSL operate?

They say Layer 4 (Transport)

I find answers that say layer 7 and layer 5 and have been told that encryption happens at layer 6 (What I was taught in Net+)

What is the correct answer for the CEH test?

Q11. You run a null scan against a target, which returns all ports open. Which of the following statements is true?
* all ports are open
* system is most likely a web server
* The system is a Windows machine <-- their answer
* The system is behind a firewall.

I have done this many times, and always Windows shows all ports are closed. I do not have access to Windows 2000 or NT.

Can someone please give me the correct answer and also explain this to me?

Q12. Your team has a pretty good idea of likely usernames and passwords (based on policy and previous testing). Which of the following tests would be the best choice for the quickest results?
* brute force
* Dictionary
* Encryption
* Hybrid <-- their answer

I say Dictionary. No mention of complex passwords... just the fastest attack. Am I not right?

Out of 300 questions, to only not understand these... I do not feel I am doing too bad. But I would like to understand them all! :) So any help would be most appreciated!

Thank you,

Dalobo
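Q1 is really a log-review question, so here is an added example (my own, not from the thread or the exam) of what a reviewer would automate: scanning a command-audit log for netcat started in listen mode with a sensitive file redirected into it. The log format, host names, user names and the list of sensitive paths are constructed assumptions; the -l, -u and -p options are the ones from the question.

```python
import os
import re
import shlex

# Constructed sample of a command-audit log (not taken from the thread).
# Format assumed here: <timestamp> <host> user=<name> cmd=<command line>
SAMPLE_LOG = """\
2013-02-22T09:14:03 host1 user=alice cmd=ls -la /var/www
2013-02-22T09:15:41 host1 user=alice cmd=nc -l -u -p 55555 < /etc/passwd
2013-02-22T09:16:02 host2 user=bob cmd=nc -zv 192.168.1.10 80
2013-02-22T09:17:55 host1 user=alice cmd=nc -lvvp 55555 < /etc/shadow
2013-02-22T09:18:10 host2 user=bob cmd=cat /etc/passwd
2013-02-22T09:19:27 host1 user=alice cmd=nc -l -p 4444
"""

NETCAT_NAMES = {"nc", "netcat", "ncat"}
SENSITIVE_PATHS = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/sudoers"}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


def analyze_command(cmd):
    """Describe a netcat invocation: listening or not, UDP or not, which port,
    and whether stdin is redirected from a file. Returns None for other commands."""
    redirected = None
    if "<" in cmd:
        cmd, _, rest = cmd.partition("<")      # the word after '<' is the input file
        rest = rest.split()
        redirected = rest[0] if rest else None
    argv = shlex.split(cmd)
    if not argv or os.path.basename(argv[0]) not in NETCAT_NAMES:
        return None
    info = {"listening": False, "udp": False, "port": None, "file": redirected}
    positionals = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("-") and not arg.startswith("--") and len(arg) > 1:
            flags = arg[1:]                      # bundled flags such as -lvvp
            info["listening"] |= "l" in flags
            info["udp"] |= "u" in flags
            if flags.endswith("p") and i + 1 < len(argv):
                info["port"] = argv[i + 1]       # -p <port> or -lvvp <port>
                i += 1
        elif arg == "--udp":
            info["udp"] = True
        else:
            positionals.append(arg)
        i += 1
    # ncat / OpenBSD style "nc -l 55555": the port is the last positional argument
    if info["port"] is None and info["listening"] and positionals and positionals[-1].isdigit():
        info["port"] = positionals[-1]
    return info


def find_file_serving_listeners(log_text):
    """One finding per logged command that starts a netcat listener with stdin
    redirected from a sensitive file (the pattern in Q1)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        info = analyze_command(m.group("cmd"))
        if info and info["listening"] and info["file"] in SENSITIVE_PATHS:
            findings.append({"ts": m.group("ts"), "host": m.group("host"),
                             "user": m.group("user"), **info})
    return findings


if __name__ == "__main__":
    for f in find_file_serving_listeners(SAMPLE_LOG):
        proto = "udp" if f["udp"] else "tcp"
        print(f"{f['ts']} {f['host']} {f['user']}: listener on {proto}/{f['port']} serving {f['file']}")
```

The two hits on the sample log are the UDP listener from the question and a TCP one with the same shape; the plain `nc -l -p 4444` listener and the `nc -zv` client connection are left alone, which is the distinction a reviewer wants the tool to make.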

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sat Feb 23, 2013 4:23 pm

Re: AIO master Master Exam (Learnkey) test questions help.

1. That binds to port 55555. As soon as you netcat to it (on whatever IP the system has), the passwd file will be dumped. You would supply an IP if you wanted it to establish a connection to a remote listener. Try it both ways.

2/3. The RFC states you should get a RST for a closed port and nothing for an open port, but MS never replies regardless of the port state. It sounds like you're experiencing different behavior (maybe a host-based firewall?); I don't receive any responses from my Windows systems. 

4. Looks like a typo.

5. Looks like the client initiates, but it's mutually agreed-upon: http://en.wikipedia.org/wiki/Secure_Soc ... _in_detail

6. NetBIOS over TCP/IP is 445/TCP.

7. Semantics. You're both right depending on the perspective. You would usually install it in practice, but you can argue it's technically compiled after make.

8. ICMP Time Exceeded (error) messages are generated and returned when the TTL expires, so this answer is correct. Do a packet capture.

9. I'd go with sniffing based on the way the question was worded since it specifies "capturing." It seems like the alternative requires accessing the device, which would be more active of an attack than capturing. I don't do much with bluetooth though, so take that with a grain of salt.

10. I've seen people argue over whether it should be OSI five or six, but six seems to be the most commonly used.

11. Again, firewall? I see all as being open|filtered due to no responses. Run nmap with --reason for more info.

12. Again, semantics. While you may be technically correct since that will take the shortest amount of time to run through, hybrid would likely be much more effective in practice. Unfortunately, there's not much consistency in terms of whether the questions are referring to technicalities or real-world situations. It seems like you're on track, so don't worry too much about missing a few garbage questions like this.
The day you stop learning is the day you start becoming obsolete.
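As an added illustration (mine, not part of dynamik's reply) of the RFC 793 behaviour he describes in 2/3 and 11, the model below compares what a FIN or null scanner concludes against a compliant stack versus a stack that answers every out-of-state probe with a RST. That difference is why the same scan shows everything open|filtered on one host and everything closed on another. The port list is constructed, and the two stack models are simplifications of the state machine, not a packet-level emulation; `probe_kind` is the defender-side counterpart, the flag-set check an IDS rule uses to name such probes.

```python
NO_REPLY = None
RST = "RST"
SYN_ACK = "SYN/ACK"


def rfc793_response(flags, port_open):
    """Reply of an RFC 793 compliant stack (most Unix systems) to a segment that
    matches no existing connection.  CLOSED: anything but a RST gets a RST.
    LISTEN: a RST is ignored, an ACK gets a RST, a SYN gets SYN/ACK, and any
    other segment (FIN, null, Xmas) is silently dropped."""
    if "RST" in flags:
        return NO_REPLY
    if not port_open:
        return RST
    if "ACK" in flags:
        return RST
    if "SYN" in flags:
        return SYN_ACK
    return NO_REPLY


def windows_like_response(flags, port_open):
    """Behaviour the nmap guide attributes to Windows, many Cisco devices, BSDI
    and OS/400: a RST to every out-of-state probe whether the port listens or
    not; only a real SYN to a listening port is handled normally."""
    if "RST" in flags:
        return NO_REPLY
    if flags == {"SYN"} and port_open:
        return SYN_ACK
    return RST


def classify(reply):
    """How a FIN/null/Xmas scanner labels a port from what came back."""
    if reply == RST:
        return "closed"
    if reply is NO_REPLY:
        return "open|filtered"   # dropped by the stack or by a filter: indistinguishable
    return "open"


def scan(stack, probe_flags, ports):
    """ports maps port number -> True if a service is listening."""
    return {p: classify(stack(probe_flags, listening)) for p, listening in ports.items()}


def probe_kind(flags):
    """Defender side: name the scan type a segment's flag set indicates, or
    None for flag combinations that occur in normal traffic (e.g. FIN+ACK)."""
    flags = frozenset(flags)
    if not flags:
        return "null"
    if flags == {"FIN"}:
        return "fin"
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"
    return None


# Constructed target (not from the thread): two listening ports, two closed.
HOST = {22: True, 80: True, 443: False, 8080: False}
NULL_PROBE = frozenset()
FIN_PROBE = frozenset({"FIN"})

if __name__ == "__main__":
    for name, stack in (("RFC 793 stack", rfc793_response),
                        ("Windows-like stack", windows_like_response)):
        print(name, "null scan:", scan(stack, NULL_PROBE, HOST))
        print(name, "FIN scan: ", scan(stack, FIN_PROBE, HOST))
```

Run it and the RFC 793 host reports 22 and 80 as open|filtered and 443 and 8080 as closed, while the Windows-like host reports all four as closed; a host-based or network firewall that drops the probes would turn every port into open|filtered on either stack, which is the ambiguity nmap's --reason output helps you see.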

Dalobo

Newbie

Posts: 27

Joined: Wed Jan 23, 2013 7:49 pm

Post Sat Feb 23, 2013 5:51 pm

Re: AIO master Master Exam (Learnkey) test questions help.

#1 - Thank you. I did try it and it did not work for me. I have been having issues with getting nc to work right.

#2 - I do not have a host based firewall on these machines. I can send a packet capture for you to look at if you want. I have several websites that back what I am seeing, including a Cisco page. I can dig that url up if you want.

#3 - Again, no firewall, see #2

#4 - I figured as much.

#5 - Are you referring to this line?
The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from now on will be authenticated (and encrypted if encryption parameters were present in the server certificate)." The ChangeCipherSpec is itself a record-level protocol with content type of 20.

I had a better one than this example at the time, but see this site and steps 7-9. It is slightly different, but seems to match what I had found earlier.

http://support.microsoft.com/kb/257591


#6 - So you are saying that 445 is a NetBIOS port?

#7 - I will go with the make install if asked.

#8 - OK, that was just dumb of me. I did not test it in a packet capture like I did the other stuff... "I used logic" It does have an error at each hop. But why? If the TTL is 20 and I am on hop 1... how has the TTL been exceeded??? <-- my logic made me think this was correct.

#9 - I will see if anyone else chimes in on this one. But I can see your point.

#10 - This is still a toss up. Anyone???

#11 - Again, no firewall!! I will see if I can dig up an older version of Windows to try it on that. I have been told that some of this stuff applies to NT4 and 2000 more than 2003 on.

#12 - Yeah, I hate poorly asked (vague) questions.

Thank you for your help. It is always nice to have someone else look over stuff that is confusing you. It gives you a different perspective and can really help out! Again, thanks!!

Dalobo

Data_Raid

Full Member

Posts: 165

Joined: Fri Nov 09, 2007 5:55 am

Post Sat Feb 23, 2013 6:26 pm

Re: AIO master Master Exam (Learnkey) test questions help.

I don't agree with some of the answers, I'm also guessing that the test is somewhat outdated. I also think that an additional study resource would also benefit you. I've answered most of the questions below as best as I can.

Dalobo wrote:This did not seem to post, so if it shows up more than once, I apologize.


I have been going through and vetting all the test questions and have come across several that are either wrong, or I do not understand. Can anyone please help me with the ones I do not understand?

Q1. You are reviewing log files and results from a day of pen testing. The following command appears in one of the logs:
    nc -l -u -p 55555 < /etc/passwd
What was the ethical hacker attempting to do?

They say the answer is Take a copy of the /etc/passwd file when connected to 55555. - I guess I am not understanding the work flow here. Can someone explain this to me? It is missing an IP and I guess that is what is throwing me off.

You're thinking in terms of using netcat to connect to a system; the example above shows that netcat is running on the local machine (listen mode) with the following options:

-l Listen
-u UDP protocol
-p port (55555)
< defines what should happen when a connection is made, in this case the /etc/passwd file should be sent to the connecting machine.

To grab the /etc/passwd file from an attacking machine, you would type:
nc -u <ip address> 55555
for example: nc -u 192.168.1.34 55555
Since the connection is over UDP, you'll just see an open connection, but if you press enter twice you'll see the passwd file contents displayed on the screen.


Q2. You are running a FIN scan. What response would you expect from a closed port?

They say nothing, but in my tests I always get a RST packet, regardless of OS. (Windows 2003, Linux Metasploitable)

Q3. You are running a FIN scan. What would you expect from an open port?

They say RST, I say you can't tell without knowing the OS. Windows gives a RST, but Metasploitable returned nothing.

You're right in that different Operating Systems will reply differently to a FIN. Linux returns a FIN ACK if the port is open. I've seen Windows send a RST in reply to a FIN (does not shut the connection down gracefully). Linux replies with a RST ACK to a FIN scan if the port is closed.

Q4. What port does Tini use?

They say 777, but Symantec and other sites say 7777. I am guessing it is a typo on their part?

Port 7777 is the correct port for Tini, reference here: http://www.ntsecurity.nu/toolbox/tini/


Q5. How is a session key created in SSL?

They say The client creates it after verifying the server's identity.

Several sites say they both do. It is based on the random string of the server and the premaster secret from the client. Who is right?

http://www.tech-faq.com/ssl-secure-sockets-layer.html

"The client next generates a premaster secret. This is a different random string which will in turn be utilized to generate the session key for the SSL session."


Q6. Your network administrator wants to prevent NetBIOS traffic into a segment. Which ports should be blocked on the firewall? (Choose all that apply)

They say 135, 139 and 445.

445? I thought that used to be NetBIOS over TCP, but that is no longer true. What is the best answer for the CEH exam?

Port 445 is SMB over TCP. It seems that they are confusing NetBIOS with SMB when they mention port 445. They're asking you about NetBIOS to see if you know which ports NetBIOS uses. Take a look at the following links:
http://technet.microsoft.com/en-us/libr ... 40063.aspx
http://www.petri.co.il/what_is_port_445_in_w2kxp.htm
and http://quizlet.com/18203329/ceh-ports-flash-cards/


Q7. You are asked to compile a program in Linux. Which commands will you need? (Choose all that apply)

They say ./configure, make, make install

I say ./configure and make.
My understanding is that make install installs the compiled code. Who is correct?

Make install will install the compiled code on the system. If the question was worded differently and mentioned what commands you would need to compile AND install the program, then I would agree with all three.


Q8. How does traceroute work?

They say It manipulates the TTL (hop count) within packets TO ELICIT AN ERROR MESSAGE AT EACH HOP.

I say take out the error part and you are good to go. Right?

Traceroute works by sending ICMP packets (echo requests), I guess the error message they are referring to is the ICMP Time Exceeded.

Q9. An attacker hopes to capture data from a target Bluetooth device. Which Bluetooth attack will be performed?

They say BlueSniffing
I say Bluesnarfing.

My understanding is Bluesnarfing is the actual theft of data, where Bluesniffing is like using Wireshark. While you could steal data that way, it would seem that Bluesnarfing is a better answer. What do you all say?

Q10. At what layer does SSL operate?

They say Layer 4 (Transport)

I find answers that say layer 7 and layer 5 and have been told that encryption happens at layer 6 (What I was taught in Net+)

What is the correct answer for the CEH test?

Q11. You run a null scan against a target, which returns all ports open. Which of the following statements is true?
* all ports are open
* system is most likely a web server
* The system is a Windows machine <-- their answer
* The system is behind a firewall.

I have done this many times, and always Windows shows all ports are closed. I do not have access to Windows 2000 or NT.

I ran an NMAP Null scan against a Windows XP SP3 system and no replies were sent by the Windows machine (no ACK, no RST ... nothing).

From the NMAP guide: not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. This scan does work against most Unix-based systems though. Another downside of these scans is that they can't distinguish open ports from certain filtered ones, leaving you with the response open|filtered.

Windows hosts do not comply with RFC 793. Subsequently, you cannot use a NULL scan against a Windows machine to determine which ports are active. When a Microsoft operating system receives a packet that has no flags set, it sends an RST packet in response, regardless of whether the port is open. With all NULL packets receiving an RST packet in response, you cannot differentiate open and closed ports.

UNIX-based systems do comply with RFC 793; therefore, they send RST packets back when the port is closed and no packet when the port is open.


Can someone please give me the correct answer and also explain this to me?

Q12. Your team has a pretty good idea of likely usernames and passwords (based on policy and previous testing). Which of the following tests would be the best choice for the quickest results?
* brute force
* Dictionary
* Encryption
* Hybrid <-- their answer

I say Dictionary. No mention of complex passwords... just the fastest attack. Am I not right?

I agree with Hybrid.
Dictionary attacks are technically the fastest, BUT the word list must contain the exact password. With a hybrid attack, dictionary words are used with combinations of numbers, special characters, etc., giving you more options for any variations of the possible password used.


Out of 300 questions, to only not understand these... I do not feel I am doing too bad. But I would like to understand them all! :) So any help would be most appreciated!

Thank you,

Dalobo

All men by nature desire knowledge.

Aristotle
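Since both replies to Q8 come down to the ICMP Time Exceeded message, here is an added simulation (my own, not from the thread) of the TTL mechanism: each probe starts at TTL 1 and the value is raised by one per round, so it is the probe's deliberately small TTL, not the 20 in Dalobo's follow-up, that expires at each successive hop. The router addresses are constructed from the documentation ranges; the silent-router option models the `* * *` lines real traceroute prints when a hop drops the probe without answering.

```python
TIME_EXCEEDED = "ICMP Time Exceeded (TTL expired in transit)"
ECHO_REPLY = "ICMP Echo Reply"
NO_REPLY = "no reply (printed as *)"

# Constructed path (not from the thread): three routers in front of the target.
PATH = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
TARGET = "203.0.113.80"


def forward(ttl, path=PATH, target=TARGET, silent=frozenset()):
    """Send one probe with the given TTL along the path.  Every router
    decrements the TTL before forwarding; the router that takes it to 0
    discards the probe and, unless it is configured to stay silent, answers
    with ICMP Time Exceeded (RFC 792).  Returns (responder, message)."""
    for router in path:
        ttl -= 1
        if ttl == 0:
            if router in silent:
                return None, NO_REPLY
            return router, TIME_EXCEEDED
    return target, ECHO_REPLY        # TTL survived every hop: the target itself replies


def traceroute(path=PATH, target=TARGET, silent=frozenset(), max_hops=30):
    """Start at TTL 1 and raise it by one per round until the target answers
    or max_hops is reached.  Returns [(ttl, responder, message), ...]."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, message = forward(ttl, path, target, silent)
        hops.append((ttl, responder, message))
        if responder == target:
            break
    return hops


if __name__ == "__main__":
    for ttl, who, msg in traceroute(silent={"198.51.100.1"}):
        print(f"{ttl:2d}  {who or '*':<14} {msg}")
    # A single probe sent with a large TTL reaches the target without any hop expiring:
    print(forward(20))
```

The error at every hop is the whole point: the router that zeroes the TTL is the one that sends Time Exceeded, and its source address is what traceroute prints for that line. A packet capture during a real traceroute shows exactly this sequence, which is what dynamik suggested checking.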

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sat Feb 23, 2013 6:41 pm

Re: AIO master Master Exam (Learnkey) test questions help.

Dalobo wrote:#1 - Thank you. I did try it and it did not work for me. I have been having issues with getting nc to work right.

#2 - I do not have a host based firewall on these machines. I can send a packet capture for you to look at if you want. I have several websites that back what I am seeing, including a Cisco page. I can dig that url up if you want.

#3 - Again, no firewall, see #2

#4 - I figured as much.

#5 - Are you referring to this line?
The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from now on will be authenticated (and encrypted if encryption parameters were present in the server certificate)." The ChangeCipherSpec is itself a record-level protocol with content type of 20.

I had a better one than this example at the time, but see this site and steps 7-9. It is slightly different, but seems to match what I had found earlier.

http://support.microsoft.com/kb/257591


#6 - So you are saying that 445 is a NetBIOS port?

#7 - I will go with the make install if asked.

#8 - OK, that was just dumb of me. I did not test it in a packet capture like I did the other stuff... "I used logic" It does have an error at each hop. But why? If the TTL is 20 and I am on hop 1... how has the TTL been exceeded??? <-- my logic made me think this was correct.

#9 - I will see if anyone else chimes in on this one. But I can see your point.

#10 - This is still a toss up. Anyone???

#11 - Again, no firewall!! I will see if I can dig up an older version of Windows to try it on that. I have been told that some of this stuff applies to NT4 and 2000 more than 2003 on.

#12 - Yeah, I hate poorly asked (vague) questions.

Thank you for your help. It is always nice to have someone else look over stuff that is confusing you. It gives you a different perspective and can really help out! Again, thanks!!

Dalobo
1. What problems are you having here? It's simple and can be tested on a single host

# nc -lvvp 55555 < /etc/passwd
Listening on [0.0.0.0] (family 0, port 55555)
Connection from [127.0.0.1] port 55555 [tcp/*] accepted (family 2, sport 42529)

$ nc localhost 55555
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
...snip...

2/3/11. I'm not sure what's going on with your null/FIN scans. I'm testing against Windows 8 with the Kaspersky firewall active. *shrug* These scans are finicky and results can vary a lot based on what you're scanning.

5. No, the pre-master secret and master secret portions, just like in the MSKB article.

6. NetBIOS on 445: http://technet.microsoft.com/en-us/libr ... 40063.aspx

8. You should review how traceroute works. It starts with a TTL of one and then increments by one each iteration. It's able to identify the interim hosts by the ICMP error responses they send.
Last edited by dynamik on Sat Feb 23, 2013 6:43 pm, edited 1 time in total.
The day you stop learning is the day you start becoming obsolete.
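For item 5, the added example below (mine, not from the thread or the MSKB article) carries the derivation through in code using the TLS 1.2 PRF from RFC 5246; SSLv3 and TLS 1.0 use different hash constructions but the same inputs, so the point carries over. It shows why "both" is the honest answer: the client alone generates the pre-master secret, but the master secret and every session key are functions of that value together with ClientHello.random and ServerHello.random, and either side can compute them. The pre-master secret and the two randoms are constructed test values, not real handshake data.

```python
import hashlib
import hmac


def p_sha256(secret, seed, length):
    """P_SHA256 from RFC 5246 section 5: an HMAC chain expanded to `length` bytes."""
    out = b""
    a = seed                                              # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master_secret, client_random, server_random):
    """RFC 5246 section 8.1: the 48-byte master secret is derived from the
    client's pre-master secret and both hello randoms (client random first)."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def expand_keys(master, client_random, server_random, mac_len=20, key_len=16, iv_len=16):
    """RFC 5246 section 6.3 key expansion, defaults sized for AES_128_CBC_SHA.
    Note the randoms are concatenated server-first for this step."""
    need = 2 * (mac_len + key_len + iv_len)
    block = prf(master, b"key expansion", server_random + client_random, need)
    names = ["client_write_MAC_key", "server_write_MAC_key", "client_write_key",
             "server_write_key", "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


# Constructed handshake values (not from the thread).  With RSA key exchange the
# 48-byte pre-master secret is {client_version, 46 random bytes} chosen by the
# client; the two 32-byte randoms come from ClientHello and ServerHello.
PRE_MASTER = bytes([0x03, 0x03]) + bytes(range(46))
CLIENT_RANDOM = bytes([0x11] * 32)
SERVER_RANDOM = bytes([0x22] * 32)

if __name__ == "__main__":
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master secret:", ms.hex())
    # Same pre-master secret, different ServerHello.random -> different keys:
    other = master_secret(PRE_MASTER, CLIENT_RANDOM, bytes([0x23] * 32))
    print("server random changes the result:", ms != other)
    for name, value in expand_keys(ms, CLIENT_RANDOM, SERVER_RANDOM).items():
        print(f"{name:22s} {value.hex()}")
```

Changing a single byte of either random, or of the pre-master secret, yields an unrelated master secret and key block, which is what the exam's "created after verifying the server's identity" glosses over: the client generates and encrypts the pre-master secret to the server's certificate, but the session keys only exist once both sides have mixed in their randoms.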

Dalobo

Newbie

Posts: 27

Joined: Wed Jan 23, 2013 7:49 pm

Post Sun Feb 24, 2013 2:54 pm

Re: AIO master Master Exam (Learnkey) test questions help.

#1 I am not sure what I am doing wrong I just get a blank screen. I am going to try this on a different Linux VM and see if that changes things.

#2/3/11 I am going to load up Windows 2000 and give it a try against it. I am doing these on VMs in an ESX environment, but I would not think that would cause any issues. I am guessing it will work on 2000 or NT 4.

#5 Still has me a bit lost. I guess I am not grasping it. I will re-read the article.

#6 I read that article, but it talks about Windows 2000 which is a very old OS. It does not mention 445, hence the reason I said 445 is not a NetBIOS port. Does the CEH say otherwise?????

#8 I have that one figured out now. It was just a stupid mistake on my part.

Thanks for all the help!!

Dalobo
Last edited by Dalobo on Sun Feb 24, 2013 2:56 pm, edited 1 time in total.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Feb 25, 2013 9:21 am

Re: AIO master Master Exam (Learnkey) test questions help.

Dalobo wrote:#6 I read that article, but it talks about Windows 2000 which is a very old OS. It does not mention 445, hence the reason I said 445 is not a NetBIOS port. Does the CEH say otherwise?????


It mentions 445 twice. Here's another article that says NetBIOS over TCP/IP is enabled in newer OSes: https://isc.sans.edu/diary/Is+it+time+t ... S%3F/12454 Or you could do a packet capture and see for yourself. Why do you think this is no longer the case?
The day you stop learning is the day you start becoming obsolete.

Dalobo

Newbie

Posts: 27

Joined: Wed Jan 23, 2013 7:49 pm

Post Thu Feb 28, 2013 2:12 pm

Re: AIO master Master Exam (Learnkey) test questions help.

#1 Good question. I will be doing more testing this weekend. I think it might be the VM I am using so I am going to try it on a different VM.

#6 I have done a packet capture and I get this:

192.168.1.10 -> 192.168.1.15 TCP MICROSOFT-DS
See attached.

Microsoft-DS is a port used ever since Windows 2000 was introduced. It is used for file sharing. Before Windows 2000, SMB used ports 137-139. Windows 2000 added the possibility to use SMB directly over TCP/IP on port 445. If this port is opened, it is used instead of the NBT ports. See Microsoft article: http://support.microsoft.com/support/kb ... 4/2/79.ASP. See also: http://ntsecurity.nu/papers/port445/.


I guess the way I looked at it was it was not NetBIOS, but a new way of doing SMB traffic. Everyone here is saying it is still NetBIOS, just on a different port.

Thank you,

Dalobo

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Feb 28, 2013 5:55 pm

Re: AIO master Master Exam (Learnkey) test questions help.

Microsoft is notorious for having multiple services on a single port, which may be the cause of some of your confusion.
The day you stop learning is the day you start becoming obsolete.
