Practice CEH Advanced Topics: Wireless, Cloud, IoT, Cryptography questions with full explanations on every answer.
Start practicing
Advanced Topics: Wireless, Cloud, IoT, Cryptography — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A security analyst captures a large number of unique initialization vectors (IVs) from a wireless network using airodump-ng. Which attack are they MOST likely preparing to execute?
2During a penetration test, an analyst runs the following command: 'reaver -i wlan0mon -b 00:11:22:33:44:55 -vv'. What is the PRIMARY purpose of this command?
3A cloud security engineer discovers that an S3 bucket named 'acme-backups' is accessible to anyone with the bucket URL. The bucket contains sensitive customer data. Which AWS shared responsibility model component does this misconfiguration primarily violate?
4An IoT device uses the MQTT protocol without any authentication or encryption. An attacker on the same network subscribes to all topics on the MQTT broker. Which of the following is the MOST effective immediate countermeasure?
5Which cryptographic algorithm is classified as symmetric and uses a block cipher with a fixed block size of 128 bits, supporting key sizes of 128, 192, and 256 bits?
6A security analyst observes the following log entry on a web server: 'GET /?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1'. This request appears to originate from a compromised web application. Which cloud attack technique is being attempted?
7Which of the following tools is specifically designed for assessing the security of AWS environments by checking for misconfigurations in services like S3, IAM, and EC2?
8During a penetration test, a tester captures a WPA2 4-way handshake. Which of the following is the NEXT step to attempt to recover the Wi-Fi passphrase?
9A security analyst discovers that a containerized application running in a cloud environment can access the host's file system by mounting /var/run/docker.sock inside the container. Which type of attack does this configuration enable?
10Which of the following is the PRIMARY reason that MD5 is no longer recommended for use in digital signatures?
11An attacker intercepts a TLS-encrypted session and attempts to force the client and server to use a weaker cipher suite. Which type of attack is being performed?
12A penetration tester uses the tool 'Pacu' during an assessment. Which of the following actions is Pacu designed to perform?
13Which TWO of the following are common attack vectors against IoT devices? (Select TWO.)
14Which THREE of the following are effective countermeasures against evil twin attacks in wireless networks? (Select THREE.)
15Which TWO of the following are symmetric encryption algorithms? (Select TWO.)
16A security analyst captures network traffic and sees multiple ARP packets with the same source MAC address but different IP addresses. Which attack is MOST likely occurring?
17During a wireless penetration test, a tester captures the 4-way handshake between a client and WPA2-PSK access point. Which tool would the tester MOST likely use to attempt to recover the pre-shared key?
18A cloud security engineer notices that an S3 bucket named 'company-backup' is configured to allow 's3:GetObject' access to 'Principal: *'. Which attack is this misconfiguration MOST likely to enable?
19An IoT device uses the MQTT protocol without TLS. A security tester connects to the broker and subscribes to all topics using '#'. What is the tester MOST likely able to accomplish?
20Which of the following cryptographic algorithms is classified as asymmetric?
21A penetration tester executes the following command: 'reaver -i wlan0mon -b 00:11:22:33:44:55 -vv'. Which attack is being performed?
22A security analyst observes an SSL/TLS handshake where the client and server negotiate TLS 1.0 instead of TLS 1.2, despite the server supporting TLS 1.2. Which attack BEST describes the manipulation of the handshake to force weaker encryption?
23An attacker gains access to a cloud environment and attempts to move laterally by assuming an IAM role with higher privileges. Which cloud attack vector is the attacker exploiting?
24Which cloud security assessment tool is specifically designed to audit AWS environments for misconfigurations and provides a detailed report of findings?
25A security team finds that a web application accepts a user-supplied URL and fetches it server-side without validation. The application runs on AWS EC2 with a metadata endpoint at 169.254.169.254. Which attack is MOST likely to succeed?
26Which of the following is a recommended countermeasure against WPA2 KRACK attacks?
27A forensic analyst examines a firmware image extracted from an IoT thermostat and finds hardcoded credentials for a cloud backend. Which phase of the IoT attack lifecycle does this represent?
28Which TWO of the following are valid attacks against wireless networks? (Choose two.)
29Which THREE of the following are cryptanalysis attacks that target hash functions? (Choose three.)
30Which TWO of the following are asymmetric encryption algorithms? (Choose two.)
31A security analyst captures WPA2 handshake packets using airodump-ng and then runs aircrack-ng with a wordlist. After several minutes, aircrack-ng reports 'KEY FOUND!' followed by a hex string. Which attack was successfully performed?
32During a cloud penetration test, a tester discovers an AWS S3 bucket that allows public 's3:PutObject' access. The tester uploads a file containing JavaScript that steals cookies. Which type of attack is this an example of?
33An IoT device uses MQTT protocol with default credentials 'admin/admin' and no TLS encryption. An attacker on the same network captures MQTT packets and extracts sensor data. Which two vulnerabilities are being exploited? (Choose the best combination)
34Which tool is specifically designed to assess the security configuration of AWS, Azure, and GCP cloud environments by scanning for misconfigurations in services like S3, IAM, and EC2?
35A security analyst notices that after a user connects to a corporate Wi-Fi network, all HTTP traffic is redirected to a fake login page that captures credentials. The analyst suspects a rogue access point. Which attack is most likely being used to force client connections to the rogue AP?
36In a cloud environment, an attacker exploits a vulnerability in a web application to make the server send requests to internal metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/). This yields IAM temporary credentials. Which attack is this?
37Which wireless security standard introduced in 2018 uses Simultaneous Authentication of Equals (SAE) to replace the pre-shared key exchange in WPA2, providing forward secrecy and resistance to offline dictionary attacks?
38A penetration tester uses the tool 'Pacu' during an AWS security assessment. Which phase of testing is Pacu most commonly associated with?
39A security engineer observes the following log event: 'Certificate for www.example.com was issued by an intermediate CA that chains to a root CA not in the trusted store.' Which type of attack might this indicate?
40In an IoT environment, a researcher finds that the firmware of a smart lock can be extracted via UART and reversed to reveal hardcoded encryption keys. Which type of vulnerability is this?
41Which asymmetric encryption algorithm is based on the algebraic structure of elliptic curves over finite fields and provides equivalent security to RSA with smaller key sizes?
42During a cloud security audit, a tool reports that an AWS IAM role has a policy allowing 'ec2:RunInstances' with a condition 'aws:SourceIp': '0.0.0.0/0'. What is the most immediate risk?
43Which TWO of the following are valid cryptanalytic attacks?
44Which THREE of the following are common attack vectors against IoT devices?
45Which TWO of the following correctly describe aspects of the shared responsibility model in cloud computing?
46A security analyst captures a large number of initialization vectors (IVs) on a WEP-protected network. Which tool is most commonly used to crack the WEP key using IVs?
47What is the primary purpose of the 4-way handshake in WPA/WPA2-Personal?
48During a penetration test, a tester captures the WPA2 4-way handshake with airodump-ng and then uses aircrack-ng with a wordlist. However, the PSK is not found. Which of the following is the MOST likely reason?
49An attacker sets up a rogue access point with the same SSID as a legitimate corporate network and broadcasts a stronger signal. Clients connect to the rogue AP. What type of attack is this?
50In the cloud shared responsibility model, which of the following is typically the responsibility of the customer when using AWS EC2 (IaaS)?
51A security team discovers that an S3 bucket configured for static website hosting is exposing sensitive documents. The bucket policy allows public read access. Which AWS misconfiguration is MOST likely present?
52Which cloud security assessment tool is specifically designed to audit AWS environments against best practices and CIS benchmarks?
53An IoT device uses the MQTT protocol without TLS. An attacker on the same network subscribes to all topics and captures messages. What is the MOST significant security risk?
54A penetration tester performs a container escape by exploiting a misconfigured capability and mounts the host filesystem. Which cloud service model is MOST directly affected?
55Which cryptographic algorithm is vulnerable to a birthday attack on its hash output size of 128 bits, reducing the effective security to 64 bits against collision resistance?
56In PKI, what is the primary role of a Certificate Authority (CA)?
57An analyst sees the following in a log: Client sends a request to https://victim.com/api?url=http://169.254.169.254/latest/meta-data/. This is MOST indicative of which attack?
58Which TWO of the following are common defense measures against wireless de-authentication attacks? (Select 2)
59Which THREE of the following are valid methods for exploiting cloud misconfigurations? (Select 3)
60Which TWO of the following are examples of asymmetric cryptography? (Select 2)
61A security analyst captures a WPA2 4-way handshake using airodump-ng. To crack the PSK, which tool would they MOST likely use next?
62During a cloud penetration test, you discover an S3 bucket that allows listing objects. You find a file named 'config.json' that contains an IAM access key and secret key. Which of the following is the BEST next step?
63Which of the following attacks is characterized by an attacker placing a fake wireless access point with the same SSID as a legitimate network to capture client credentials?
64In the shared responsibility model for cloud computing, which of the following is typically the responsibility of the customer?
65A security analyst observes that a server running an IoT device management platform is sending MQTT traffic to an unexpected IP address. The analyst also notes that the device's firmware contains hardcoded credentials. Which attack vector is MOST likely being exploited?
66Which of the following is a symmetric encryption algorithm that uses a block cipher with a fixed block size of 128 bits and key sizes of 128, 192, or 256 bits?
67A penetration tester uses the following command to attack a WPS-enabled AP: 'reaver -i mon0 -b 00:11:22:33:44:55 -vv'. What is the primary goal of this attack?
68An analyst notices that a cloud application is vulnerable to Server-Side Request Forgery (SSRF). Which of the following is the MOST effective mitigation against SSRF attacks in a cloud environment?
69A company wants to ensure that data in transit between its IoT devices and the cloud server is encrypted. Which protocol combination is BEST suited for this purpose?
70Which of the following is a hashing algorithm that produces a 160-bit (20-byte) hash value?
71A security team discovers that an attacker has been intercepting and modifying traffic between a client and server by impersonating both endpoints. Which type of cryptographic attack is this?
72A security analyst runs the following command: 'wget http://example.com/bucket?list-type=2' and receives a listing of objects. Which cloud misconfiguration is this MOST likely exploiting?
73Which TWO tools are specifically designed for cloud security auditing and exploitation? (Choose two.)
74Which THREE of the following are common attack vectors against IoT devices? (Choose three.)
75An organization is using a cloud IAM policy that allows all actions on all resources. Which TWO security issues are MOST directly related to this configuration? (Choose two.)
76A security analyst captures a WPA2 4-way handshake using airodump-ng. Which tool would they most likely use next to attempt to crack the PSK using a wordlist?
77During a wireless penetration test, the tester runs `airodump-ng wlan0mon` and sees numerous beacon frames from a network. The tester then sends deauthentication packets using `aireplay-ng -0 5 -a <BSSID> wlan0mon`. What is the PRIMARY purpose of this deauthentication attack?
78A penetration tester is assessing an AWS environment and discovers an S3 bucket with the following bucket policy: `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/*"}]}`. Which of the following is the MOST likely security issue?
79An IoT device uses MQTT for communication. An attacker intercepts MQTT packets and observes that the publish messages are not encrypted and contain plaintext sensor data. Which of the following is the BEST recommendation to secure MQTT traffic?
80Which of the following cryptographic algorithms is classified as asymmetric?
81An attacker performs a downgrade attack on a TLS connection, forcing the client and server to negotiate a weaker cipher suite. This attack exploits which of the following?
82During a cloud penetration test, a tester discovers that an AWS IAM role has the following policy: `{"Effect":"Allow","Action":"*","Resource":"*"}`. This policy is attached to an EC2 instance. Which of the following attacks is the tester MOST likely to perform next?
83A security team is evaluating wireless security for a corporate network. They want to implement the strongest current encryption standard for Wi-Fi. Which of the following should they choose?
84Which of the following tools is specifically designed for auditing cloud environments (AWS, Azure, GCP) for security misconfigurations?
85An analyst captures the following output from a wireless adapter: `[00:1A:2B:3C:4D:5E] 54 Mbps WPA2 CCMP PSK`. The analyst suspects a malicious rogue AP is impersonating a legitimate network. Which of the following indicators would MOST strongly confirm a rogue AP?
86An attacker uses Reaver against a Wi-Fi network. What vulnerability is the attacker primarily exploiting?
87Which of the following is a well-known attack against the MD5 hash function that allows two different inputs to produce the same hash value?
88A penetration tester is assessing the security of a cloud application and discovers that it is vulnerable to Server-Side Request Forgery (SSRF). Which TWO of the following are potential impacts of this vulnerability?
89A security analyst is investigating a potential container escape in a Kubernetes cluster. Which THREE of the following are common indicators of a container escape?
90Which TWO of the following are common weaknesses in IoT devices that are often exploited by attackers?
91A security analyst captures a large number of weak initialization vectors (IVs) using airodump-ng. Which attack does this preparation indicate?
92During a penetration test, an ethical hacker runs the following command: aireplay-ng -0 5 -a 00:11:22:33:44:55 -c 66:77:88:99:AA:BB wlan0mon. What is the immediate effect of this command?
93A security engineer analyzes a cloud environment and finds that an S3 bucket named 'company-backups' is configured with a bucket policy that allows 'Principal': '*' and 'Action': 's3:GetObject'. Which of the following is the MOST likely risk?
94A penetration tester uses the tool 'ScoutSuite' against an AWS target. Which of the following BEST describes the purpose of this tool?
95An IoT device uses the MQTT protocol without TLS. An attacker on the same network captures messages and publishes a fake temperature reading. Which attack is being executed?
96Which of the following cryptographic algorithms is classified as asymmetric?
97A security analyst notices that a web application's SSL/TLS certificate is issued by a CA that is not trusted by modern browsers. Which type of attack could this enable?
98Which of the following tools is specifically designed to exploit WPS vulnerabilities on wireless networks?
99In the shared responsibility model for cloud computing, which of the following is typically the customer's responsibility?
100A penetration tester discovers that a cloud application is vulnerable to Server-Side Request Forgery (SSRF). Which of the following is a potential impact of this vulnerability?
101Which of the following is a cryptographic attack that exploits collisions in hash functions?
102A security engineer wants to ensure that a wireless network uses the most secure encryption available. Which of the following should be configured on the access point?
103Which TWO of the following are common attack vectors for IoT devices? (Select two)
104Which THREE of the following are valid defenses against WPA2 attacks? (Select three)
105Which TWO of the following are characteristics of symmetric encryption? (Select two)
106A security analyst captures a WPA2 4-way handshake using airodump-ng. Which tool would they use to perform a dictionary attack on the captured handshake to recover the PSK?
107During a cloud penetration test, a tester discovers an S3 bucket that allows public listing and write access. Which of the following is the MOST likely misconfiguration?
108Which of the following cryptographic hash functions is known to be vulnerable to collision attacks and should be avoided for security applications?
109An attacker sets up a fake access point with the same SSID as a legitimate corporate network. Clients connecting to this AP are prompted to enter their network credentials. Which type of attack is this?
110A penetration tester uses the tool Reaver to target a Wi-Fi network. What vulnerability is the tester attempting to exploit?
111In a cloud environment, which of the following is an example of a Server-Side Request Forgery (SSRF) attack?
112A security analyst observes repeated de-authentication packets targeting clients on a corporate Wi-Fi network. What is the MOST likely goal of the attacker?
113Which cryptographic algorithm is classified as symmetric and uses a block cipher with key sizes of 128, 192, or 256 bits?
114During an IoT assessment, a tester examines a smart thermostat that uses the MQTT protocol. The tester finds that the device connects to a broker without any authentication. Which of the following attacks is MOST likely to succeed?
115A security team uses ScoutSuite to assess their AWS environment. The tool reports that an S3 bucket policy allows access from any IP address. What is the MOST likely misconfiguration?
116A penetration tester performs a container escape from a Docker container running in a cloud environment. Which of the following is the MOST likely cause?
117A security analyst captures network traffic and sees the following: Client sends a SYN, server responds with SYN-ACK, then client sends ACK. Immediately after, the client sends an encrypted payload. This traffic is consistent with which phase of a WPA2 attack?
118Which TWO of the following are symmetric encryption algorithms? (Select 2)
119Which TWO of the following are common attack vectors against IoT devices? (Select 2)
120Which THREE of the following are valid methods to prevent a downgrade attack on TLS? (Select 3)
121During a penetration test, you capture the following 4-way handshake using airodump-ng. Which tool would you use to attempt a dictionary attack to recover the WPA2 passphrase?
122Which TWO of the following are cloud-specific security threats?
123Which THREE of the following are characteristics of asymmetric encryption?
124Which TWO of the following attacks are specifically associated with wireless networks?
125Which THREE of the following are common IoT attack vectors?
126Which TWO of the following tools are used for cloud security auditing or exploitation?
127Which THREE of the following attacks target cryptographic weaknesses?
128Which TWO of the following are symmetric encryption algorithms?
129Which THREE of the following are components of PKI (Public Key Infrastructure)?
The Advanced Topics: Wireless, Cloud, IoT, Cryptography domain covers the key concepts tested in this area of the CEH exam blueprint published by EC-Council. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CEH domains — no account required.
The Courseiva CEH question bank contains 129 questions in the Advanced Topics: Wireless, Cloud, IoT, Cryptography domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Advanced Topics: Wireless, Cloud, IoT, Cryptography domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included