GCIH Exam Questions
829 real GCIH exam questions with expert-verified answers and explanations. Page 7 of 17.
- Question #311Reconnaissance, Scanning, and Enumeration
You work as a Security Administrator for Net Perfect Inc. The company has a Windows-based network. You want to use a scanning technique which works as a reconnaissance attack. The...
IDLE scanstealth scanningport scanningreconnaissance - Question #312Vulnerability Exploitation & Privilege Escalation
Which of the following actions is performed by the netcat command given below? nc 55555 < /etc/passwd
netcat/etc/passwd exfiltrationpost-exploitationfile transfer - Question #313Reconnaissance, Scanning, and Enumeration
Which of the following programs can be used to detect stealth port scans performed by a malicious hacker? Each correct answer represents a complete solution. Choose all that apply.
scanlogdportsentryscan detectionstealth port scan - Question #314Incident Response & Cyber Kill Chain
Which of the following attacks saturates network resources and disrupts services to a specific computer?
denial of servicenetwork saturationDoS attack types - Question #315Incident Response & Cyber Kill Chain
based network. All client computers run the Windows XP operating system. The employees of the company complain that suddenly all of the client computers have started working slowly...
denial of servicenetwork floodingDoS detection - Question #316Web Application Attacks & Post-Exploitation
John works as a professional Ethical Hacker. He is assigned a project to test the security of are-secure Web site and receives the following error message: Microsoft OLE DB Provide...
SQL injectionOLE DB error messageerror-based SQLiweb vulnerability identification - Question #317Incident Response & Cyber Kill Chain
John is a malicious attacker. He illegally accesses the server of We-are-secure Inc. He then places a backdoor in the We-are-secure server and alters its log files. Which of the fo...
covering trackslog alterationattack phasescyber kill chain - Question #318Incident Response & Cyber Kill Chain
Which of the following would allow you to automatically close connections or restart a server or service when a DoS attack is detected?
active IDSautomated responseDoS mitigationintrusion detection - Question #319Malware Analysis & Advanced Persistent Threats
Which of the following virus is a script that attaches itself to a file or template?
macro virusvirus typesfile template infection - Question #320Reconnaissance, Scanning, and Enumeration
Which of the following tools is described in the statement given below? "It has a database containing signatures to be able to detect hundreds of vulnerabilities in UNIX, Windows,...
Nessusvulnerability scannersignature databaseCGI vulnerability detection - Question #321Reconnaissance, Scanning, and Enumeration
John works as a professional Ethical Hacker. He has been assigned the project of testing the and applications running on the We-are-secure server. For this purpose, he wants to ini...
IDLE scanzombie scanIP spoofingstealth scanning - Question #322Vulnerability Exploitation & Privilege Escalation
John works as a C programmer. He develops the following C program: #include <stdlib.h> #include <stdio.h> #include <string.h> int buffer(char *str) { char buffer1[10]; strcpy(buffe...
buffer overflowstrcpystack smashingmemory corruption - Question #323Reconnaissance, Scanning, and Enumeration
Which of the following is used to determine the operating system on the remote computer in a network environment?
OS fingerprintingpassive reconnaissanceTTL analysis - Question #324Web Application Attacks & Post-Exploitation
Which of the following are the limitations for the cross site request forgery (CSRF) attack? Each correct answer represents a complete solution. Choose all that apply.
CSRFreferrer headerauthentication cookiesform input validation - Question #325Incident Response & Cyber Kill Chain
Which of the following wireless network security solutions refers to an authentication process in which a user can connect wireless access points to a centralized server to ensure...
RADIUSwireless authenticationcentralized auth802.1x - Question #326Incident Response & Cyber Kill Chain
Which of the following controls is described in the statement given below? "It ensures that the enforcement of organizational security policy does not rely on voluntary web applica...
mandatory access controlsensitivity labelssecurity policy enforcementaccess control models - Question #327Reconnaissance, Scanning, and Enumeration
Which of the following refers to a condition in which a hacker sends a bunch of packets that leave TCP ports half open?
SYN floodhalf-open connectionTCP handshakeDoS - Question #328Incident Response & Cyber Kill Chain
Adam works as a Security Administrator for Umbrella Technology Inc. He reported a breach in security to his senior members, stating that "security defenses has been breached and ex...
VPN securitytrojan incident responseremote access controlsbreach remediation - Question #329Incident Response & Cyber Kill Chain
Logs show that a malicious host has remotely accessed the file 'Documents and Settings:logs'. At what step of the attack process is the attacker most likely operating in?
covering trackslog tamperingcyber kill chainpost-exploitation - Question #330Reconnaissance, Scanning, and Enumeration
A search using the term inurl: 'ViewerFrame?Mode=' is looking for what?
Google dorkingOSINTnetwork camera discoverypassive reconnaissance - Question #331Malware Analysis & Advanced Persistent Threats
Which of the following is the most helpful way to protect a host against application level backdoor trojans from infecting a system?
backdoor trojanantivirushost defenseapplication-level malware - Question #332Incident Response & Cyber Kill Chain
Which control could help detect insider abuse of an organization's intellectual property?
insider threatDLPdata exfiltration detectionaccess monitoring - Question #333Incident Response & Cyber Kill Chain
You are an incident handler from a Fortune 500 oil and gas company. While reviewing the Data Loss Prevention (DLP) email software alerts, you find an email with Personally Identifi...
insider threatPII exfiltrationDLP alert triageincident classification - Question #334Malware Analysis & Advanced Persistent Threats
A host has been compromised with a rootkit through Internet activity. The analyst wishes to reconstruct the binary file used to infect the host. Which of the following sources of e...
rootkit forensicsbinary reconstructionpacket capturenetwork evidence - Question #335Web Application Attacks & Post-Exploitation
How does an attacker try to trick a database into revealing information that can help with an attack?
SQL injectioncrafted queriesquote charactersdatabase attack - Question #336Reconnaissance, Scanning, and Enumeration
Identify the nature of the traffic shown below:
ping broadcastICMPtraffic analysisnetwork reconnaissance - Question #337Web Application Attacks & Post-Exploitation
Which special character or character sequence is often used in SQL injection attacks because it acts as a SQL comment delimiter?
SQL injectioncomment delimitersingle quoteinjection syntax - Question #338Malware Analysis & Advanced Persistent Threats
How would an attacker prevent another system user from viewing malicious files added to an existing Linux directory?
covering tracksls replacementanti-forensicsrootkit technique - Question #339Incident Response & Cyber Kill Chain
What are the differences between patents, copyrights, and trademarks?
intellectual propertypatentscopyrightstrademarks - Question #340Malware Analysis & Advanced Persistent Threats
A workstation with an IP address of 10.10.20.115/24 is suspected of being compromised. Which of the following is supported by the information in the process table?
process table analysistrojan detectionIOC analysishost forensics - Question #341Incident Response & Cyber Kill Chain
What is the first step that a containment team should take?
incident containmentfirst responsescene documentationincident handling - Question #342Reconnaissance, Scanning, and Enumeration
dns.victim.com DNS server using the Kaminsky method of DNS cache poisoning. Of the following choices, which would be an example of an effective query sent by the attacker?
DNS cache poisoningKaminsky attackDNS spoofingDNS query - Question #343Reconnaissance, Scanning, and Enumeration
An organization is moving away from legacy network management tools like telnet. What would be a fast way of ensuring that telnet is not being used on the network?
version scanningservice detectiontelnetnetwork scanning - Question #344Malware Analysis & Advanced Persistent Threats
Which of the following is one of the fields that Covert TCP uses to transmit data?
covert channelTCP headerIP Optionsdata exfiltration - Question #345Web Application Attacks & Post-Exploitation
Which symbol is used to properly terminate a SQL query?
SQL injectionquery syntaxstatement terminationsemicolon - Question #346Reconnaissance, Scanning, and Enumeration
There are six control bits to describe a packet's role in a Transmission Control Protocol (TCP) connection. Which of the following control bits initiates a graceful end to a connec...
TCP flagsFIN flagTCP connection teardownnetwork fundamentals - Question #347Malware Analysis & Advanced Persistent Threats
Covert_TCP will use which of the following byte offsets on the TCP header to carry ASCII data?
Covert_TCPTCP header offsetscovert channeldata exfiltration - Question #348Incident Response & Cyber Kill Chain
You are the leader of an incident handling team for a mid-size manufacturer in the United States. Several of your company's products are patented and several processes used in the...
TTL analysisincident triageHIDSfirewall log analysis - Question #349Incident Response & Cyber Kill Chain
Your company's web server administrator reports that the Apache servers are running slowly, but the IIS servers are not. Based on this report, which of the following pieces of info...
incident classificationweb server attacktraffic logsevent correlation - Question #350Reconnaissance, Scanning, and Enumeration
An analyst notices ICMP Timestamp replies sent from multiple IP addresses on a client LAN to a single IP address on another network segment within a short period of time. What is l...
ICMP timestampnetwork mappinghost discoverytraffic analysis - Question #351Reconnaissance, Scanning, and Enumeration
What is a DNS zone transfer?
DNS zone transferDNS enumerationDNS recordsinformation disclosure - Question #352Incident Response & Cyber Kill Chain
Which of the following is a primary outcome of an effective Incident Handling program?
incident handling programMTTRsecurity metricsprogram outcomes - Question #353Malware Analysis & Advanced Persistent Threats
Which remote control program can be used as an application-level backdoor and typically listens for connections on port 5900?
backdoorVNCport 5900remote access trojan - Question #354Malware Analysis & Advanced Persistent Threats
What would be the classification of a worm with the following characteristics?
worm classificationmulti-exploitmalware typesworm behavior - Question #355Vulnerability Exploitation & Privilege Escalation
What is the value of salting password hashes?
password saltingrainbow tablescredential attackspassword hashing - Question #356Incident Response & Cyber Kill Chain
Prior to restoring clean data from backups, what are the recommended activities for bringing a server's operating system and applications back online following a buffer overflow ex...
buffer overflow recoverysystem rebuildincident recoverypost-exploitation remediation - Question #357Reconnaissance, Scanning, and Enumeration
In the network logs there are ACK/FIN/PSH/URG packets from a host going to a closed port, and SYN/FIN/URG/PSH packets going to open ports. What is the host likely doing?
TCP flag scanninghost discoveryabnormal flag combinationsport scanning - Question #358Incident Response & Cyber Kill Chain
When containing an incident, who makes the final decision on whether a box should be taken offline?
incident authoritycontainment decisionorganizational rolesincident management - Question #359Web Application Attacks & Post-Exploitation
Suppose a web application builds the SQL command "select PhoneNumber from contacts where Company = '[value]';". What would the result likely be if an attacker submitted the value "...
SQL injectionDROP TABLEdestructive SQLquery manipulation - Question #360Incident Response & Cyber Kill Chain
What is one of the functions CyberCPR performs?
CyberCPRincident management toolsNIDSincident response