Certified Ethical Hacker CEH (CEH) — Questions 175

1010 questions total · 14pages · All types, answers revealed

Page 1 of 14

Page 2
1
MCQhard

A security engineer needs to configure a web server to support Perfect Forward Secrecy (PFS) for HTTPS connections. Which of the following key exchange methods should be prioritized?

A.Diffie-Hellman (DH) key exchange
B.Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
C.Pre-Shared Key (PSK)
D.RSA key exchange
AnswerB

ECDHE generates ephemeral keys for each session, ensuring that compromise of long-term keys does not compromise past sessions.

Why this answer

ECDHE is prioritized for Perfect Forward Secrecy because it generates a unique, ephemeral session key for each TLS handshake using elliptic curve cryptography, ensuring that if the server's long-term private key is compromised, past session keys remain secure. Unlike static Diffie-Hellman, ECDHE does not reuse key material, and it offers stronger security per bit compared to traditional DH, making it the recommended choice for PFS in modern HTTPS configurations.

Exam trap

EC-Council often tests the misconception that any Diffie-Hellman variant automatically provides PFS, but candidates must remember that only ephemeral modes (DHE or ECDHE) guarantee forward secrecy, while static DH does not.

How to eliminate wrong answers

Option A is wrong because standard Diffie-Hellman (DH) key exchange can be used in ephemeral mode (DHE) to provide PFS, but the question asks for the method to be 'prioritized'; ECDHE is preferred over DH due to its smaller key sizes, faster computation, and equivalent security strength, so DH is not the top priority. Option C is wrong because Pre-Shared Key (PSK) is a symmetric key method that does not provide forward secrecy—if the PSK is compromised, all past sessions using that key are exposed. Option D is wrong because RSA key exchange is static; the client encrypts the pre-master secret with the server's RSA public key, so if the server's private key is later compromised, all recorded sessions can be decrypted, violating PFS.

2
MCQeasy

Which of the following cryptographic algorithms is classified as asymmetric?

A.RSA
B.3DES
C.SHA-256
D.AES
AnswerA

RSA is an asymmetric cryptosystem using public/private key pairs.

Why this answer

RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem that uses a pair of keys (public and private) for encryption and digital signatures, making it an asymmetric algorithm. Unlike symmetric ciphers, RSA relies on the mathematical difficulty of factoring large prime numbers to secure communications.

Exam trap

The trap here is that candidates confuse 'asymmetric' with 'symmetric' algorithms or mistakenly classify hash functions (like SHA-256) as encryption, when in fact asymmetric algorithms always involve a key pair (public/private) and RSA is the classic example tested on the CEH exam.

How to eliminate wrong answers

Option B (3DES) is wrong because it is a symmetric block cipher that uses the same key for both encryption and decryption, operating on 64-bit blocks with a key size of 168 bits (effective). Option C (SHA-256) is wrong because it is a cryptographic hash function, not an encryption algorithm; it produces a fixed 256-bit digest and is used for integrity verification, not confidentiality. Option D (AES) is wrong because it is a symmetric encryption algorithm standardized by NIST, using the same secret key for both encryption and decryption, with block sizes of 128 bits and key sizes of 128, 192, or 256 bits.

3
MCQhard

During a vulnerability scan using Nessus, a security analyst discovers that the target host shows a 'High' severity vulnerability for 'SSL/TLS Renegotiation DoS'. What does this vulnerability indicate?

A.The server does not validate SSL certificates
B.The server supports SSLv2
C.The server allows weak cipher suites
D.An attacker can force the server to renegotiate TLS handshakes repeatedly, causing resource exhaustion
AnswerD

This is the definition of the SSL/TLS Renegotiation DoS vulnerability.

Why this answer

Option D is correct because the SSL/TLS Renegotiation DoS vulnerability (CVE-2011-1473) occurs when a server supports TLS renegotiation without proper rate limiting. An attacker can open multiple connections and repeatedly request renegotiation, causing the server to consume excessive CPU resources for cryptographic handshake calculations, effectively leading to a denial of service. Nessus flags this as 'High' severity because it can exhaust server resources even with a single attacker.

Exam trap

The trap here is that candidates often confuse this DoS vulnerability with weak cipher suites or protocol version issues, but the core distinction is that renegotiation DoS is about resource exhaustion from repeated handshakes, not about encryption strength or certificate trust.

How to eliminate wrong answers

Option A is wrong because the vulnerability is about renegotiation resource exhaustion, not certificate validation; certificate validation issues are typically flagged as 'SSL Certificate Cannot Be Trusted' or 'Self-Signed Certificate' vulnerabilities. Option B is wrong because SSLv2 support is a separate vulnerability (e.g., 'SSLv2 Protocol Detection') related to weak protocol versions, not renegotiation attacks; SSLv2 was deprecated due to cipher suite weaknesses, not renegotiation DoS. Option C is wrong because weak cipher suites (e.g., RC4, DES, or export-grade ciphers) are flagged under 'SSL Weak Cipher Suites' vulnerabilities, which concern encryption strength, not the renegotiation handshake process that causes CPU exhaustion.

4
MCQmedium

During a penetration test, the tester uses a tool that queries search engines with specific operators to find sensitive information such as login pages, exposed directories, and file types. Which tool or technique is being used?

A.Shodan
B.theHarvester
C.Google dorking
D.DNS zone transfer
AnswerC

Google dorking uses operators like site:, filetype:, intitle: to find sensitive data.

Why this answer

Google dorking (also known as Google hacking) uses advanced search operators (e.g., intitle:, filetype:, inurl:) to uncover sensitive information indexed by search engines, such as login pages, exposed directories, and specific file types. This technique directly matches the description of querying search engines with operators to find hidden or sensitive data.

Exam trap

The trap here is that candidates often confuse Google dorking with Shodan, because both involve search engines, but Shodan searches for devices and services (e.g., open ports, banners) rather than web content indexed by Google's crawlers.

How to eliminate wrong answers

Option A is wrong because Shodan is a search engine for internet-connected devices (e.g., IoT, servers, webcams) and does not use search engine operators to find login pages or file types within web content. Option B is wrong because theHarvester is a tool for gathering email addresses, subdomains, and names from public sources (e.g., search engines, PGP key servers), but it does not focus on querying with operators to find login pages or exposed directories. Option D is wrong because DNS zone transfer is a technique to request all DNS records from a nameserver (using AXFR/IXFR queries), not a search engine query method for sensitive web content.

5
MCQhard

You are performing a web application security assessment and discover that the application uses a hidden form field named 'price' to store the product price. The price is submitted with the form and used to process payments. Which attack would allow you to purchase an item for a lower price?

A.Directory traversal
B.Parameter tampering
C.Cross-Site Scripting (XSS)
D.Cross-Site Request Forgery (CSRF)
AnswerB

Parameter tampering modifies hidden fields or URL parameters.

Why this answer

Parameter tampering is the correct answer because the 'price' field is stored in a hidden form field, which is client-side data that can be modified before submission. By intercepting the HTTP request (e.g., using a proxy like Burp Suite) and changing the 'price' value to a lower amount, the attacker can purchase the item at a reduced cost. This exploits the lack of server-side validation of the price parameter.

Exam trap

The trap here is that candidates often confuse parameter tampering with CSRF, but CSRF does not allow modifying the request body; it only reuses existing parameters from a forged request, whereas parameter tampering directly alters the parameter value.

How to eliminate wrong answers

Option A is wrong because directory traversal targets file system paths (e.g., ../../../etc/passwd) to access unauthorized files, not form field values. Option C is wrong because Cross-Site Scripting (XSS) injects malicious scripts into web pages to steal cookies or execute client-side code, not to modify form data during submission. Option D is wrong because Cross-Site Request Forgery (CSRF) forces a user to perform unintended actions on a trusted site using their session, but it does not allow the attacker to directly alter the price value in the request; it only replays existing parameters.

6
Multi-Selectmedium

Which THREE of the following are common IoT attack vectors?

Select 3 answers
A.Default credentials
B.SQL injection
C.Insecure protocols (MQTT, CoAP)
D.Firmware reversing
E.ARP spoofing
AnswersA, C, D

Many IoT devices use default usernames/passwords.

Why this answer

Default credentials, insecure protocols, and firmware reversing are common IoT attack vectors.

7
Matchingmedium

Match each footprinting technique to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Query domain registration details

Gathering DNS records and subdomains

Using advanced search operators to find sensitive info

Manipulating people to reveal information

Search engine for internet-connected devices

Why these pairings

These techniques are used in the reconnaissance phase of ethical hacking.

8
MCQmedium

Which DDoS attack type exploits a small query to a vulnerable service that generates a large response directed at the victim?

A.Amplification attack
B.HTTP flood
C.SYN flood
D.ICMP flood
AnswerA

Amplification uses reflectors to multiply traffic.

Why this answer

Amplification attacks (e.g., DNS, NTP, SNMP) send small queries with spoofed source IP to servers that reply with large responses to the victim.

9
MCQmedium

A network administrator notices that the ARP cache on several workstations contains entries mapping the default gateway IP to an unknown MAC address. Users report intermittent connectivity issues. Which tool is MOST likely being used to perform this attack?

A.Ettercap
B.Nmap
C.tcpdump
D.Wireshark
AnswerA

Ettercap is specifically designed for ARP poisoning and MITM attacks.

Why this answer

Ettercap is a comprehensive MITM tool that performs ARP poisoning. The symptom of incorrect ARP entries for the gateway is classic ARP cache poisoning.

10
MCQeasy

Which of the following techniques involves sending crafted packets to a target to elicit responses that reveal the operating system?

A.Passive OS fingerprinting
B.Banner grabbing
C.DNS enumeration
D.Active OS fingerprinting
AnswerD

Active fingerprinting sends probes to infer the OS.

Why this answer

Active OS fingerprinting involves sending crafted packets (e.g., TCP SYN, FIN, or ICMP probes) to a target and analyzing the responses to deduce the operating system. Unlike passive methods, it actively interacts with the target, leveraging subtle differences in how various OSes implement TCP/IP stack behaviors (e.g., initial TTL values, window sizes, or TCP option ordering). This technique is commonly used by tools like Nmap with its `-O` flag.

Exam trap

The trap here is that candidates often confuse 'active OS fingerprinting' with 'banner grabbing' because both involve sending packets, but banner grabbing targets application-layer banners (e.g., HTTP, FTP) and not the OS-level TCP/IP stack responses that fingerprinting analyzes.

How to eliminate wrong answers

Option A is wrong because passive OS fingerprinting does not send any packets; it only sniffs network traffic to infer the OS from observed packet characteristics (e.g., TTL, DF flag), avoiding direct interaction. Option B is wrong because banner grabbing retrieves application-layer service banners (e.g., HTTP Server header) to identify software versions, not the underlying OS, and it relies on application responses rather than network stack behavior. Option C is wrong because DNS enumeration queries DNS servers for records (e.g., A, MX, NS) to map a domain's infrastructure, not to determine the operating system of a host.

11
MCQeasy

An ethical hacker wants to discover subdomains of a target domain using only public information. Which of the following techniques is MOST effective?

A.Run a traceroute to the main domain
B.Check the WHOIS record for the domain
C.Use the site: operator in search engines
D.Perform a reverse DNS lookup on the target IP range
AnswerC

Search engines index subdomains.

Why this answer

The `site:` operator in search engines (e.g., Google) allows an ethical hacker to enumerate publicly indexed subdomains of a target domain by querying `site:*.targetdomain.com`. This technique leverages the search engine's crawl data to discover subdomains that are publicly accessible but may not be linked from the main site, making it the most effective method for passive, public-information-only reconnaissance.

Exam trap

EC-Council often tests the misconception that WHOIS records contain subdomain information, but WHOIS only holds domain registration data, not DNS resource records like A or CNAME entries for subdomains.

How to eliminate wrong answers

Option A is wrong because traceroute (using ICMP or UDP probes) reveals the network path and intermediate routers, not subdomains; it operates at Layer 3 and does not query DNS records or web indexes. Option B is wrong because WHOIS records contain registration details (registrant, name servers, dates) but do not list subdomains; they are used for domain ownership and administrative information, not DNS enumeration. Option D is wrong because reverse DNS lookup (PTR records) maps IP addresses to hostnames, but it requires knowing the target IP range and only reveals hostnames that have PTR records configured, which is not a reliable method for discovering all subdomains from public information alone.

12
MCQeasy

An attacker crafts a link that, when clicked by an authenticated user, performs an unintended action on a web application where the user is logged in, such as changing their email address. The application uses a session cookie for authentication but does not include any anti-forgery tokens in forms. Which attack is this?

A.Cross-Site Request Forgery (CSRF)
B.Cross-Site Scripting (XSS)
C.Clickjacking
D.Server-Side Request Forgery (SSRF)
AnswerA

CSRF exploits the user's authenticated session to perform unauthorized actions.

Why this answer

The description matches Cross-Site Request Forgery (CSRF), where a malicious link triggers actions on a site where the victim is authenticated.

13
Multi-Selectmedium

Which TWO of the following are examples of application-layer DDoS attacks? (Select 2)

Select 2 answers
A.UDP flood
B.HTTP flood
C.Slowloris
D.ICMP flood
E.SYN flood
AnswersB, C

Correct. HTTP flood sends many HTTP requests at the application layer.

Why this answer

Slowloris holds connections open, and HTTP floods send many HTTP requests. SYN flood and ICMP flood are network-layer attacks.

14
MCQhard

A SOC analyst observes a high number of incomplete TCP connections with the SYN flag set but no corresponding ACK from the target. The source IPs are spoofed and the connections are targeting port 80 on a web server. Which DDoS mitigation technique would be MOST effective in this scenario?

A.SYN cookies
B.Rate limiting
C.Anycast distribution
D.Ingress filtering
AnswerA

SYN cookies encode connection state in the SYN-ACK, allowing the server to avoid resource allocation until the handshake completes.

Why this answer

SYN flood attacks exploit the TCP three-way handshake by sending many SYN packets without completing the handshake. SYN cookies allow the server to avoid storing half-open connections, effectively mitigating SYN floods.

15
MCQmedium

A security analyst is conducting a vulnerability scan on a web server using Nessus. After the scan, they notice that the server's performance has degraded significantly, and some services have become unresponsive. Which of the following actions could have prevented this issue?

A.Increase the scan intensity to complete faster and reduce the load
B.Configure Nessus to use a 'safe' scan policy that disables disruptive plugins
C.Use a different scanner like OpenVAS which is less intrusive
D.Run the scan during peak hours to blend in with normal traffic
AnswerB

Safe checks in Nessus avoid plugins known to cause denial of service or system crashes.

Why this answer

Option B is correct because Nessus 'safe' scan policies disable plugins known to cause service disruption, such as those performing denial-of-service tests or exploiting vulnerabilities that may crash services. By using a safe policy, the analyst avoids aggressive checks that can degrade server performance or cause unresponsiveness, which is a common risk during vulnerability scanning.

Exam trap

The trap here is that candidates may think using a different scanner (Option C) or adjusting timing (Option D) solves the problem, but the core issue is the use of disruptive plugins, which is directly controlled by the scan policy, not the scanner brand or schedule.

How to eliminate wrong answers

Option A is wrong because increasing scan intensity (e.g., using more concurrent threads or faster timing) actually increases the load on the target, worsening performance degradation and service unresponsiveness. Option C is wrong because OpenVAS is not inherently less intrusive; it also includes aggressive plugins that can disrupt services, and the issue is about scan policy, not the scanner brand. Option D is wrong because running the scan during peak hours increases the risk of impacting production traffic and does not prevent disruptive plugins from causing service issues; it may even amplify the impact on users.

16
Multi-Selectmedium

Which TWO of the following are characteristics of a polymorphic virus? (Select 2)

Select 2 answers
A.It spreads without user interaction.
B.It attaches to a host file and does not change.
C.It changes its code signature on each infection.
D.It uses encryption to hide its payload.
E.It only infects the boot sector.
AnswersC, D

Correct. Polymorphic viruses mutate their code.

Why this answer

Polymorphic viruses change their code signature each time they replicate, making detection difficult. They often use encryption to hide malicious code.

17
MCQmedium

During an SMTP enumeration, a penetration tester connects to the mail server on port 25 and issues the commands 'VRFY root', 'EXPN admin', and 'RCPT TO:unknown@domain.com'. The server responds with '252' for VRFY, '250' for EXPN, and '550' for RCPT TO. What does this indicate?

A.The root user exists but is disabled, the admin mailing list exists, and unknown@domain.com does not exist
B.The server has open relay enabled
C.The server is vulnerable to SMTP injection
D.The server is not running SMTP
AnswerA

VRFY 252 indicates existence but disabled, EXPN 250 indicates existence, RCPT TO 550 indicates non-existence.

Why this answer

VRFY returns 252 if the user exists but is disabled (or ambiguous), EXPN returns 250 if the mailing list/alias exists, RCPT TO returns 550 if the mailbox does not exist. This allows enumerating valid users on the server.

18
MCQmedium

During a password cracking session, a pentester uses a wordlist combined with rules to generate variations of each word. This approach is called a hybrid attack. Which tool, when used with a rule file, can perform such an attack?

A.RainbowCrack
B.Ophcrack
C.Hydra
D.Hashcat
AnswerD

Hashcat's -a 6 (hybrid wordlist + mask) and -a 7 (hybrid mask + wordlist) perform hybrid attacks. Rule-based attacks are also supported with -r.

Why this answer

Hashcat supports multiple attack modes, including a hybrid attack (mode 6 and 7) that combines a dictionary with rules or masks. John the Ripper also supports rules, but Hashcat is explicitly known for hybrid attacks.

19
Multi-Selecthard

Which THREE of the following are valid defenses against WPA2 attacks? (Select three)

Select 3 answers
A.Disable WPS
B.Implement 802.1X/EAP with RADIUS
C.Use WEP instead of WPA2
D.Enable WPA2-Mixed mode
E.Use a strong, complex pre-shared key
AnswersA, B, E

WPS PIN brute-force is a common attack vector; disabling it removes that risk.

Why this answer

Using a strong passphrase makes dictionary attacks harder. 802.1X/EAP provides enterprise authentication. Disabling WPS removes PIN brute-force vector. WPA2-Mixed mode still allows TKIP clients, reducing security.

20
MCQmedium

A penetration tester identifies a web page that reflects user input in the response without proper encoding. The input is submitted via a GET parameter. Which type of cross-site scripting (XSS) is MOST likely present?

A.Blind XSS
B.Reflected XSS
C.DOM-based XSS
D.Stored XSS
AnswerB

The input is reflected immediately in the response, characteristic of reflected XSS.

Why this answer

Reflected XSS occurs when user input is immediately returned by the server in the response without proper sanitization, typically via GET parameters.

21
MCQhard

Refer to the exhibit. A security analyst notices multiple ESTABLISHED connections on port 443 from different external IPs to the same process ID. What type of attack is most likely occurring?

A.Distributed denial-of-service (DDoS) attack
B.SSL/TLS renegotiation DoS
C.Slowloris attack
D.Man-in-the-middle attack
AnswerA

Multiple external IPs establishing connections to the same server process on port 443 indicates a volumetric DDoS attack, especially if the server is overwhelmed.

22
Multi-Selecthard

Which THREE of the following are techniques used in session hijacking?

Select 3 answers
A.DNS cache poisoning
B.Man-in-the-middle (MITM) interception
C.MAC flooding
D.Cookie theft and replay
E.TCP sequence number prediction
AnswersB, D, E

MITM attacks allow the attacker to intercept and manipulate session data.

Why this answer

Man-in-the-middle (MITM) interception is a core session hijacking technique where the attacker positions themselves between the client and server to intercept and manipulate traffic. By capturing session tokens or credentials in transit, the attacker can impersonate the legitimate user without needing to predict sequence numbers or steal cookies directly.

Exam trap

EC-Council often tests the distinction between attacks that enable session hijacking (like MITM) versus attacks that are merely precursors or different categories (like DNS poisoning or MAC flooding), so candidates mistakenly select options that facilitate but do not directly perform session hijacking.

23
MCQhard

An IDS alerts on a large number of outbound DNS queries from an internal host to a suspicious domain. The queries have random subdomains and the response size is large. Which attack is MOST likely in progress?

A.Slowloris attack
B.UDP flood
C.DNS amplification attack
D.DNS tunneling
AnswerC

Correct. The large responses and random subdomains indicate an amplification attack.

Why this answer

A DNS amplification attack uses open DNS resolvers to send large responses to a spoofed victim IP. The random subdomains are used to generate large responses, and the outbound queries are from the internal host acting as reflector.

24
MCQmedium

A security analyst runs the following command: hping3 -S -p 80 -c 1 192.168.1.1. The response received is an RST/ACK packet. What does this indicate about port 80 on the target?

A.The port is open and listening
B.The port is filtered by a firewall
C.The port is closed
D.The port is in a TIME_WAIT state
AnswerC

RST/ACK indicates the port is closed.

Why this answer

Option C is correct because when hping3 sends a SYN packet to a closed port, the target responds with an RST/ACK packet per TCP RFC 793. This indicates that the port is reachable but no service is listening on it, hence the immediate reset.

Exam trap

The trap here is that candidates often confuse a RST/ACK response with a filtered port or assume it indicates a firewall blocking the port, but in TCP, a closed port actively sends RST/ACK, whereas a firewall typically drops the packet silently.

How to eliminate wrong answers

Option A is wrong because an open port would respond with a SYN/ACK, not an RST/ACK. Option B is wrong because a filtered port would typically drop the packet silently or respond with an ICMP unreachable message, not a TCP RST/ACK. Option D is wrong because TIME_WAIT is a local TCP state on the client side after a connection closes, not a response from a remote port to a SYN probe.

25
Multi-Selectmedium

Which TWO of the following are effective mitigation techniques against DDoS attacks? (Select two)

Select 2 answers
A.Port knocking
B.ARP poisoning
C.Rate limiting
D.Scrubbing centers
E.MAC filtering
AnswersC, D

Rate limiting restricts the number of requests from a source, mitigating DDoS.

Why this answer

Rate limiting limits traffic per source, and scrubbing centers filter malicious traffic. Anycast distributes traffic, and blackholing drops traffic, but rate limiting and scrubbing are direct mitigations.

26
Multi-Selecthard

Which THREE of the following are valid Nmap flags that can be used to evade detection by an IDS? (Select exactly 3.)

Select 3 answers
A.-O
B.-D
C.-f
D.-sS
E.--data-length
AnswersB, C, E

Decoy scan hides the real source among multiple IPs.

Why this answer

Option B (-D) is correct because the decoy scan flag allows you to spoof multiple source IP addresses, making it difficult for an IDS to distinguish the real scanning host from the decoys. This technique floods the target with scan traffic from many IPs, obscuring the true origin and evading detection.

Exam trap

EC-Council often tests the misconception that -sS is an evasion technique, but it is actually a stealth scan that reduces connection logging, not IDS evasion; the real evasion flags are those that alter packet structure or source identity.

27
MCQmedium

A penetration tester discovers that an Nmap SYN scan against a target host returns no open ports, but a TCP connect scan reveals port 443 open. Which of the following is the most likely reason for this discrepancy?

A.The target host has a host-based firewall that drops SYN packets but allows full connections.
B.A network firewall is performing stateful inspection and dropping unsolicited SYN packets while allowing established connections.
C.The target host has ICMP filtering enabled, preventing Nmap from identifying it as online.
D.Nmap's SYN scan requires root privileges, and the tester ran it without sudo.
AnswerB

Stateful firewalls track connections; a SYN scan sends unsolicited SYN packets that may be dropped, while a connect scan completes the handshake and appears as a normal connection.

Why this answer

The discrepancy occurs because a network firewall is performing stateful inspection. It drops unsolicited SYN packets (the first step of a SYN scan) but allows full TCP connections (SYN, SYN-ACK, ACK) to complete, as the connect scan establishes a full three-way handshake. This behavior is typical of stateful firewalls that track connection state and only permit packets belonging to established sessions.

Exam trap

The trap here is that candidates often assume a host-based firewall is the cause, but stateful network firewalls specifically differentiate between incomplete SYN probes and full TCP handshakes, making option B the correct answer.

How to eliminate wrong answers

Option A is wrong because a host-based firewall would typically block both SYN packets and full connection attempts consistently, not selectively allow full connections while dropping SYNs. Option C is wrong because ICMP filtering affects host discovery (ping sweeps), not port scan results; Nmap can still perform port scans without ICMP echo replies. Option D is wrong because while SYN scan requires root privileges, running without sudo would cause an error or fallback to connect scan, not produce a discrepancy between two scans—both would fail or both would show open ports.

28
MCQeasy

Refer to the exhibit. An attacker gains access to the user's workstation and wants to find a file containing passwords. Which file is most likely to contain credentials?

A.User profile (C:\Users\jdoe)
B.Home directory on \\fileserver\home\jdoe
C.logon.bat script
D.Active Directory database (NTDS.dit)
AnswerC

Logon scripts may contain credentials for network resources.

Why this answer

Option C is correct because logon.bat scripts are commonly used in Windows environments to map network drives or perform startup tasks, and administrators often embed plaintext credentials in such scripts for automation. An attacker who compromises the workstation can read this batch file to extract stored passwords, making it a high-value target for credential theft.

Exam trap

EC-Council often tests the misconception that credentials are always stored in system databases like NTDS.dit or SAM, but the trap here is that attackers target easily accessible, plaintext files like logon scripts that users or administrators create for convenience.

How to eliminate wrong answers

Option A is wrong because the user profile (C:\Users\jdoe) contains personal files and settings but not typically stored credentials in plaintext; passwords are usually hashed and stored in the SAM hive, not in profile folders. Option B is wrong because the home directory on \\fileserver\home\jdoe is a network share that may contain user data but is not a default location for credential files; accessing it requires network authentication, and it is less likely to contain plaintext passwords than a local script. Option D is wrong because the Active Directory database (NTDS.dit) contains domain credential hashes, but it resides on a domain controller, not on the user's workstation, and an attacker with only local workstation access cannot directly read it without privilege escalation or network traversal.

29
MCQhard

Refer to the exhibit. An attacker wants to exploit a known vulnerability. Which service is most likely vulnerable to CVE-2019-0215?

A.OpenSSH 7.2p2
B.Linux kernel
C.Squid http proxy 3.5.12
D.Apache httpd 2.4.18
AnswerD

Apache 2.4.18 is vulnerable to CVE-2019-0215.

Why this answer

CVE-2019-0215 affects Apache HTTP Server versions 2.4.17 to 2.4.38. The exhibit shows Apache 2.4.18, which is within the vulnerable range.

30
MCQmedium

After successfully exploiting a system, an attacker uses the command 'wevtutil cl system' on a Windows target. What is the MOST likely purpose of this command?

A.To export event logs to a file
B.To disable Windows event logging
C.To clear the system event log
D.To create a new event log entry
AnswerC

wevtutil cl system clears the system log.

Why this answer

The command 'wevtutil cl system' is used to clear the System event log on a Windows system. After successfully exploiting a target, an attacker would use this command to erase traces of their activities, such as log entries generated by their tools or actions, thereby hindering forensic analysis. The 'cl' parameter stands for 'clear log', and 'system' specifies the System log.

Exam trap

The trap here is that candidates may confuse 'wevtutil cl' with exporting or disabling logs, but the 'cl' parameter specifically means 'clear', and the command is a common post-exploitation anti-forensics technique tested in CEH.

How to eliminate wrong answers

Option A is wrong because 'wevtutil cl system' clears the log, not exports it; exporting logs would use 'wevtutil epl' or 'wevtutil export-log'. Option B is wrong because disabling Windows event logging would require stopping the Event Log service (e.g., 'net stop EventLog') or modifying registry settings, not clearing a log. Option D is wrong because creating a new event log entry is done with 'EventCreate' or 'wevtutil' with the 'epl' parameter, not the 'cl' parameter.

31
Multi-Selectmedium

During a penetration test, a tester finds a web application that reflects user input in the page without sanitization. Which TWO types of XSS are potentially exploitable in this scenario?

Select 2 answers
A.DOM-based XSS
B.Blind XSS
C.Self-XSS
D.Stored (persistent) XSS
E.Reflected XSS
AnswersA, E

DOM-based XSS occurs if client-side JavaScript processes the input unsafely.

Why this answer

Reflected XSS occurs when input is immediately returned in the response. DOM-based XSS occurs when client-side scripts process input unsafely. Stored XSS requires persistence on the server, which is not indicated.

32
MCQhard

Refer to the exhibit. An analyst runs netstat on a Windows server and observes multiple established connections to port 3389 from internal IPs. Which attack is most likely occurring?

A.SMB relay attack
B.DDoS attack
C.RDP brute-force attack
D.Man-in-the-middle attack
AnswerC

Multiple established connections to RDP port 3389 from different IPs indicate successful brute-force attempts.

Why this answer

Multiple established RDP connections from different internal IPs suggest a brute-force or password-spraying attack against RDP. The established connections indicate successful authentication attempts.

33
MCQhard

A penetration tester uses the following Google dork: intitle:"index of" "backup" site:example.com. What is the MOST likely goal of this search?

A.Locate open directories that might contain sensitive files
B.Discover email addresses associated with the domain
C.Find login pages of the target domain
D.Identify subdomains of example.com
AnswerA

The dork targets directory listings (index of) with backup files, a common source of sensitive information.

Why this answer

The Google dork `intitle:"index of" "backup" site:example.com` targets web servers that have directory listing enabled (indicated by the page title containing 'index of') and that contain a folder or file named 'backup'. This is a classic reconnaissance technique to find open directories where backup files (e.g., database dumps, configuration files) may be inadvertently exposed, potentially containing sensitive data such as credentials or proprietary information.

Exam trap

The trap here is that candidates often confuse the purpose of Google dorks, thinking 'index of' always reveals login pages or subdomains, when in fact it specifically identifies directories with listing enabled, and the 'backup' keyword pinpoints potentially sensitive data exposure.

How to eliminate wrong answers

Option B is wrong because discovering email addresses typically uses dorks like `intext:"@example.com"` or `site:example.com intitle:"contact"`, not directory listing indicators. Option C is wrong because finding login pages usually involves dorks such as `inurl:login` or `inurl:admin`, not the 'index of' and 'backup' keywords. Option D is wrong because identifying subdomains is better achieved with dorks like `site:*.example.com` or tools like Sublist3r, not by searching for directory listings containing 'backup'.

34
MCQmedium

A penetration tester wants to enumerate user accounts on a Linux system running SMTP service. Which commands are commonly used for this purpose?

A.USER, PASS, QUIT
B.VRFY, EXPN, RCPT TO
C.AUTH LOGIN, STARTTLS, EHLO
D.HELO, MAIL FROM, DATA
AnswerB

Why this answer

The VRFY command verifies whether a user mailbox exists on the SMTP server, EXPN expands a mailing list or alias to reveal individual member addresses, and RCPT TO specifies the recipient for a mail message and can be used to validate addresses during the SMTP conversation. These three commands are the standard SMTP enumeration techniques for discovering valid user accounts on a Linux system running an SMTP service.

Exam trap

The trap here is that candidates often confuse SMTP enumeration commands (VRFY, EXPN, RCPT TO) with SMTP session commands (HELO, MAIL FROM, DATA) or with authentication commands (AUTH LOGIN, STARTTLS), leading them to select options that are valid SMTP commands but not designed for user enumeration.

How to eliminate wrong answers

Option A is wrong because USER, PASS, and QUIT are POP3 commands used for mailbox access and authentication, not for SMTP user enumeration. Option C is wrong because AUTH LOGIN, STARTTLS, and EHLO are SMTP commands used for authentication negotiation and secure connection initiation, not for enumerating user accounts. Option D is wrong because HELO, MAIL FROM, and DATA are SMTP commands used to initiate a session, specify the sender, and begin message content transfer, respectively; they do not directly reveal user account existence.

35
MCQmedium

During a penetration test, you find a web application that includes files using a parameter like /index.php?page=about. When you change the parameter to /etc/passwd, the application returns the contents of the password file. Which vulnerability is present?

A.Local File Inclusion (LFI)
B.Remote File Inclusion (RFI)
C.Command Injection
D.Directory Traversal
AnswerA

The application includes a local file based on user input.

Why this answer

Local File Inclusion (LFI) allows an attacker to include local files on the server through path traversal or direct inclusion.

36
MCQhard

An attacker gains access to a Linux web server as the 'www-data' user. They run `find / -perm -4000 -type f 2>/dev/null` and see that `/usr/bin/passwd` has the SUID bit set. Which privilege escalation technique is this command checking for?

A.SUID abuse
B.Password cracking
C.Kernel exploit
D.Token impersonation
AnswerA

SUID bit abuse allows running a binary with elevated privileges, potential for escalation.

Why this answer

The find command searches for files with SUID bit set (4000). SUID binaries run with the file owner's privileges, often root. Checking for SUID files is a common technique to find potential privilege escalation vectors, e.g., exploiting a vulnerable SUID binary.

37
Multi-Selectmedium

An attacker is attempting to perform an Insecure Direct Object Reference (IDOR) attack on a web application. Which TWO conditions are necessary for this attack to succeed?

Select 2 answers
A.The application uses indirect object references (e.g., random tokens)
B.The application exposes direct references to internal objects (e.g., user IDs in URLs)
C.The application fails to validate the user's authorization for the requested object
D.The application has a CSRF vulnerability
E.The application implements strong access controls on every object
AnswersB, C

Direct references are necessary for IDOR.

Why this answer

IDOR exploits direct references to objects without proper authorization checks. The application must expose direct references (e.g., IDs in URLs) and fail to verify the user's permission to access the object.

38
Multi-Selectmedium

Which TWO of the following are examples of privilege escalation on Linux? (Select 2)

Select 2 answers
A.Pass-the-Hash
B.Token impersonation
C.SUID bit abuse
D.Exploiting a local vulnerability in a setuid binary
E.DLL hijacking
AnswersC, D

SUID programs run with the file owner's privileges.

Why this answer

SUID bit abuse (C) is a privilege escalation technique because when the SUID (Set User ID) bit is set on an executable, it runs with the permissions of the file owner (often root), regardless of the user who executes it. An attacker can exploit misconfigured SUID binaries to execute commands with elevated privileges, gaining root access.

Exam trap

EC-Council often tests the distinction between Windows and Linux privilege escalation techniques, and the trap here is that candidates confuse cross-platform attacks like token impersonation or DLL hijacking as applicable to Linux, when they are strictly Windows-based.

39
MCQmedium

An analyst runs the following command: dnsenum --enum example.com. Which of the following actions is dnsenum performing?

A.Attempts a zone transfer and brute-forces subdomains
B.Scans for open ports on the DNS server
C.Queries the DNS server for its version information
D.Performs a reverse DNS lookup to find PTR records for the IP range
AnswerA

dnsenum's --enum option attempts a zone transfer and then brute-forces subdomains using a wordlist.

Why this answer

The `dnsenum` tool is designed for DNS enumeration, and its `--enum` flag performs a comprehensive scan that includes attempting a zone transfer (AXFR query) to retrieve all DNS records from the nameserver, and if that fails, it brute-forces subdomains using a wordlist. This matches option A exactly.

Exam trap

The trap here is that candidates confuse `dnsenum` with other DNS tools like `nslookup` or `dig`, assuming it only performs simple queries, when in fact its `--enum` mode specifically targets zone transfers and subdomain brute-forcing.

How to eliminate wrong answers

Option B is wrong because `dnsenum` does not perform port scanning; that is the role of tools like Nmap or Masscan. Option C is wrong because querying the DNS server for its version information is typically done with `dig chaos TXT VERSION.BIND` or `fpdns`, not `dnsenum`. Option D is wrong because reverse DNS lookups for PTR records are not a primary function of `dnsenum`; that is better suited for tools like `dnsrecon` with specific flags or `nslookup` in reverse mode.

40
MCQmedium

A security team is evaluating wireless security for a corporate network. They want to implement the strongest current encryption standard for Wi-Fi. Which of the following should they choose?

A.WEP with 128-bit key
B.WPA2 with CCMP
C.802.1X with EAP-TLS
D.WPA3 with SAE
AnswerD

Correct: WPA3 is the most secure Wi-Fi standard.

Why this answer

WPA3 is the latest Wi-Fi security standard, offering stronger encryption with SAE (Simultaneous Authentication of Equals) and replacing WPA2.

41
MCQeasy

Which of the following is a tool commonly used for MAC flooding attacks to force a switch into fail-open mode, allowing sniffing of all traffic on the network?

A.Ettercap
B.macof
C.Nmap
D.Wireshark
AnswerB

macof is specifically designed for MAC flooding.

Why this answer

macof (part of the dsniff suite) floods a switch with many fake MAC addresses, exhausting the CAM table and causing the switch to flood traffic out all ports.

42
Multi-Selecthard

A penetration tester obtains password hashes from a Windows system. Which TWO methods would be most efficient for cracking NTLM hashes offline? (Choose two.)

Select 2 answers
A.Using RainbowCrack with precomputed rainbow tables for NTLM
B.Performing an online brute-force against the SAM database
C.Using Ophcrack with rainbow tables for NTLM
D.Using Hashcat with a brute-force attack on GPU
E.Using John the Ripper with a dictionary and rules
AnswersD, E

Hashcat leverages GPU for high-speed cracking of NTLM hashes.

Why this answer

Option D is correct because Hashcat, when used with a GPU, can perform massively parallel brute-force attacks against NTLM hashes, achieving billions of hash calculations per second. This makes it one of the most efficient tools for offline password cracking of NTLM hashes, especially when the password is not in a dictionary.

Exam trap

EC-Council often tests the distinction between tools optimized for LM vs. NTLM hashes, and candidates mistakenly choose Ophcrack (option C) because they confuse its LM rainbow table capability with NTLM support.

43
MCQeasy

Which of the following tools is specifically designed to search the internet for exposed devices and services, such as industrial control systems and webcams, using banners and metadata?

A.Maltego
B.Nmap
C.Shodan
D.Google
AnswerC

Shodan is specifically designed to search for internet-connected devices and services by their banners.

Why this answer

Shodan is a search engine specifically designed to scan the internet for exposed devices and services by collecting banners and metadata from protocols such as HTTP, SSH, FTP, and SNMP. Unlike general-purpose search engines, Shodan indexes device-specific information, making it ideal for discovering industrial control systems (ICS), webcams, and other IoT devices that respond to network probes.

Exam trap

The trap here is that candidates confuse Shodan with a general-purpose search engine like Google or a network mapping tool like Nmap, failing to recognize that Shodan is purpose-built for indexing device banners and metadata from internet-connected systems.

How to eliminate wrong answers

Option A is wrong because Maltego is a graphical link analysis tool used for open-source intelligence (OSINT) and relationship mapping, not for scanning the internet for exposed devices via banners. Option B is wrong because Nmap is a network scanning tool used to discover hosts and services on a local or remote network, but it does not maintain a global searchable index of internet-connected devices. Option D is wrong because Google is a general-purpose web search engine that indexes web pages and content, not device banners or metadata from non-HTTP services like industrial control protocols.

44
MCQhard

A penetration tester uses `smbclient -L //192.168.1.30 -N` and receives a list of shares including a hidden administrative share (C$) and a user share named "Backup". What is the most immediate security concern?

A.The Backup share may contain sensitive data
B.SMB signing is not enabled
C.Null session enumeration is possible, allowing information gathering
D.The C$ share is a default administrative share
AnswerC

Why this answer

The `-N` flag in the `smbclient` command suppresses password prompts, enabling a null session connection. The fact that the command successfully lists shares without authentication indicates that null session enumeration is permitted, which is a critical security flaw. This allows an attacker to gather sensitive information (share names, user lists, etc.) without any credentials, often serving as the first step in a targeted attack.

Exam trap

The trap here is that candidates focus on the existence of the C$ administrative share or the Backup share's name, rather than recognizing that the ability to enumerate any shares without authentication (null session) is the most critical and immediate vulnerability.

How to eliminate wrong answers

Option A is wrong because while the Backup share might contain sensitive data, the most immediate security concern is the ability to enumerate shares at all without authentication, not the content of a specific share. Option B is wrong because SMB signing is a separate security feature that prevents man-in-the-middle attacks; its absence is a concern but not directly indicated by the successful null session enumeration shown in the command output. Option D is wrong because the C$ share being a default administrative share is a known fact, but its presence alone is not the immediate security issue—the ability to list it via a null session is the real problem.

45
MCQmedium

A security analyst receives an alert that an external IP address is sending fragmented packets to the company's web server on port 80. The analyst suspects the attacker is using Nmap with fragmentation. Which Nmap flag is being used to fragment the probe packets?

A.-sI
B.-D
C.--mtu
D.-f
AnswerD

-f is the fragmentation flag.

Why this answer

The -f flag in Nmap instructs the tool to fragment the probe packets into 8-byte or smaller fragments, making it harder for packet filters and intrusion detection systems to detect the scan. This matches the scenario where fragmented packets are sent to the web server on port 80, confirming that -f is the correct flag.

Exam trap

EC-Council often tests the distinction between -f (fragmentation) and --mtu (custom MTU size), leading candidates to mistakenly choose --mtu because they associate it with packet size changes, but only -f triggers fragmentation by default.

How to eliminate wrong answers

Option A is wrong because -sI is the Nmap flag for an Idle (zombie) scan, which spoofs the source IP address using a zombie host, not fragmenting packets. Option B is wrong because -D is used for decoy scans, which sends packets from multiple spoofed IP addresses to obscure the real source, not fragmenting the packets. Option C is wrong because --mtu sets a custom Maximum Transmission Unit size for packets, but it does not inherently fragment packets; fragmentation is achieved with -f, and --mtu is used to specify a different fragment size when combined with -f.

46
MCQmedium

An IoT device uses MQTT protocol with default credentials 'admin/admin' and no TLS encryption. An attacker on the same network captures MQTT packets and extracts sensor data. Which two vulnerabilities are being exploited? (Choose the best combination)

A.Buffer overflow and command injection
B.Default credentials and cleartext communication
C.Insecure firmware and hardcoded backdoor
D.Weak encryption and replay attack
AnswerB

Default credentials allow easy access, and no TLS means traffic is sent in cleartext, enabling packet capture and data extraction.

Why this answer

The use of default credentials and lack of encryption (no TLS) are the vulnerabilities. MQTT itself is not insecure when properly configured; the issues are weak authentication and cleartext communication.

47
Matchingmedium

Match each cloud security concept to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Infrastructure as a Service - virtualized computing resources

Platform as a Service - development and deployment platform

Software as a Service - ready-to-use applications

Security duties split between provider and customer

Cloud Access Security Broker - policy enforcement between users and cloud

Why these pairings

Cloud security is a growing domain in CEH.

48
MCQmedium

A security engineer wants to ensure that a wireless network uses the most secure encryption available. Which of the following should be configured on the access point?

A.WEP
B.WPA3
C.WPA2 with TKIP
D.WPA2 with AES
AnswerB

WPA3 is the current strongest standard.

Why this answer

WPA3 is the latest Wi-Fi security standard, providing stronger encryption (GCMP-256) and protection against dictionary attacks via SAE.

49
MCQeasy

Which of the following is an example of passive OS fingerprinting?

A.Performing a TCP SYN scan
B.Nmap -O scan
C.Sending ICMP echo requests
D.Analyzing TTL values from captured packets
AnswerD

TTL can indicate OS type passively.

Why this answer

Passive OS fingerprinting involves analyzing captured network traffic without sending any packets to the target. Examining TTL (Time to Live) values from captured packets is a classic passive technique because different operating systems use default initial TTL values (e.g., Windows uses 128, Linux uses 64, Cisco IOS uses 255), and by observing the TTL in a received packet, you can infer the OS without actively probing the host.

Exam trap

EC-Council often tests the distinction between active and passive techniques, and the trap here is that candidates confuse 'analyzing captured data' (passive) with 'sending probes and analyzing responses' (active), leading them to pick options like Nmap -O scan or TCP SYN scan.

How to eliminate wrong answers

Option A is wrong because a TCP SYN scan actively sends SYN packets to the target and analyzes responses, which is an active fingerprinting technique. Option B is wrong because Nmap -O scan actively sends a series of crafted probes (e.g., TCP, UDP, ICMP) and analyzes responses to determine the OS, making it an active method. Option C is wrong because sending ICMP echo requests actively probes the target and analyzes replies (e.g., TTL, DF bit, ICMP error handling), which is active fingerprinting, not passive.

50
MCQeasy

A security analyst notices that an internal server is sending a high volume of DNS queries to external servers for non-existent domains. Which type of malware behavior is MOST likely being observed?

A.Spyware exfiltrating data
B.A keylogger capturing keystrokes
C.A worm spreading across the network
D.Ransomware encrypting files
AnswerC

Worms often generate network traffic, including DNS queries, as they attempt to find and infect new hosts.

Why this answer

A worm self-replicates across the network, often generating unusual DNS queries as it spreads.

51
MCQeasy

A penetration tester receives an email that appears to be from the company's CEO, urgently requesting that the tester click a link to review a document. The email contains several grammatical errors and the sender's address is slightly misspelled. Which type of social engineering attack is this MOST likely?

A.Whaling
B.Baiting
C.Vishing
D.Spear phishing
AnswerA

Whaling is a form of spear phishing that targets senior executives, often with urgent requests.

Why this answer

Whaling targets high-level executives (like the CEO) with personalized phishing emails. The urgency and impersonation of a CEO are classic whaling indicators.

52
MCQeasy

Which tool is specifically designed to perform SNMP enumeration by walking the MIB tree using a known community string?

A.enum4linux
B.SNMPwalk
C.nbtstat
D.smbclient
AnswerB

SNMPwalk walks the MIB tree.

Why this answer

SNMPwalk is the correct tool because it is specifically designed to perform SNMP enumeration by walking the Management Information Base (MIB) tree using a known community string (e.g., 'public' or 'private'). It sends successive GETNEXT requests to retrieve all OID values from the SNMP agent, effectively dumping the entire MIB tree for reconnaissance.

Exam trap

The trap here is that candidates often confuse SNMPwalk with enum4linux because both are enumeration tools, but enum4linux targets SMB/NetBIOS, not SNMP, and the question specifically requires walking the MIB tree with a community string.

How to eliminate wrong answers

Option A is wrong because enum4linux is a tool for enumerating information from Windows and Samba systems via SMB, RPC, and NetBIOS, not SNMP. Option C is wrong because nbtstat is a Windows command-line tool that displays NetBIOS over TCP/IP statistics and name tables, not SNMP MIB walking. Option D is wrong because smbclient is an FTP-like client for accessing SMB/CIFS shares on Windows systems, not for SNMP enumeration.

53
MCQmedium

During an internal penetration test, you run 'smbclient -L //192.168.1.100 -N' and get an empty response. Which of the following is the MOST likely reason?

A.The target is not running SMB
B.Null sessions are disabled on the target
C.The target requires NTLM authentication
D.The target is a Linux server
AnswerB

Windows disables null sessions by default since XP SP2, causing smbclient -N to fail.

Why this answer

The `-N` flag in smbclient suppresses password prompts, attempting a null session. An empty response (no error, no output) typically indicates the SMB service is running but null sessions are explicitly disabled, often via the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous` set to 1 or 2. This prevents anonymous enumeration of shares and users, which is a common security hardening measure on Windows systems.

Exam trap

The trap here is that candidates assume an empty response means the service is down or not SMB, but CEH expects you to recognize that a silent empty output from `smbclient -L -N` is a classic indicator of null session restrictions being enabled.

How to eliminate wrong answers

Option A is wrong because if the target were not running SMB, smbclient would return a connection error (e.g., 'Connection refused' or 'NT_STATUS_CONNECTION_REFUSED'), not an empty response. Option C is wrong because NTLM authentication is the default for SMB on Windows; the `-N` flag attempts a null session without credentials, and if NTLM were required but null sessions disabled, the tool would still prompt for credentials or return an access denied error, not an empty response. Option D is wrong because a Linux server running Samba would typically respond to a null session attempt with either a share list or an explicit 'NT_STATUS_ACCESS_DENIED' error, not a completely empty response; the empty response is characteristic of a Windows target with RestrictAnonymous enforced.

54
MCQeasy

An attacker discovers that a web application's login form allows unlimited login attempts. The attacker uses a list of usernames and passwords obtained from a previous breach to gain access. This attack is known as:

A.Password spraying
B.Brute force attack
C.Dictionary attack
D.Credential stuffing
AnswerD

Using breached credentials to gain access.

Why this answer

Credential stuffing (option D) is correct because the attacker uses a list of known username/password pairs from a previous breach to automate login attempts against the web application. This attack exploits password reuse across services, not the weakness of the passwords themselves, and relies on the application's lack of rate limiting or account lockout mechanisms.

Exam trap

The trap here is that candidates confuse credential stuffing with a dictionary attack, but credential stuffing specifically uses known username-password pairs from a prior breach, not a generic wordlist of passwords.

How to eliminate wrong answers

Option A is wrong because password spraying involves trying a single common password (e.g., 'Password123') against many usernames, not using a list of known credential pairs. Option B is wrong because a brute force attack systematically tries all possible password combinations for a single username, which is computationally expensive and not based on a pre-compromised list. Option C is wrong because a dictionary attack uses a wordlist of potential passwords against a single username, but does not pair specific usernames with their previously compromised passwords.

55
MCQhard

A security analyst detects an ongoing DDoS attack where the attacker sends a large number of ICMP echo request packets with spoofed source IP addresses to a network's broadcast address. The attack overwhelms the target with responses from all hosts on the network. Which attack type is this?

A.UDP flood
B.SYN flood
C.Smurf attack
D.Ping of Death
AnswerC

Smurf uses ICMP echo requests to broadcast address with spoofed source, causing amplification.

Why this answer

A Smurf attack sends ICMP echo requests to the network broadcast address with the victim's spoofed source IP, causing all hosts to reply to the victim, amplifying traffic.

56
MCQeasy

Which tool is commonly used for ARP spoofing attacks to perform man-in-the-middle (MITM) attacks on a local network?

A.Nmap
B.Ettercap
C.Wireshark
D.Metasploit
AnswerB

Ettercap supports ARP poisoning, DNS spoofing, and other MITM techniques.

Why this answer

Ettercap is a well-known suite for ARP poisoning, enabling MITM attacks. It can intercept traffic between hosts on a switched network.

57
MCQmedium

A web application allows users to access files using parameters like 'file=report.pdf'. A tester changes the parameter to '../../etc/passwd' and retrieves the system password file. This is an example of which attack?

A.Local file inclusion (LFI)
B.Remote file inclusion (RFI)
C.Command injection
D.Directory traversal
AnswerD

The use of '../' to escape the intended directory and read arbitrary files is classic directory traversal.

Why this answer

Directory traversal attacks exploit insufficient input validation to access files outside the intended directory by using '../' sequences.

58
Multi-Selecthard

Which TWO of the following are effective physical security controls to prevent tailgating?

Select 2 answers
A.Biometric door lock
B.Mantrap
C.CCTV cameras
D.Security guard
E.Turnstile with one-way access
AnswersB, E

Mantrap requires one person to pass through and door to close before next opens, preventing tailgating.

Why this answer

A mantrap is a physical security control consisting of two interlocking doors that create a small vestibule. Only one door can be opened at a time, and the system verifies that only one person enters before allowing the second door to open. This design directly prevents tailgating by trapping unauthorized individuals who attempt to follow an authorized person through the first door.

Exam trap

The trap here is that candidates often confuse 'preventive' controls (like mantrap and turnstile) with 'detective' controls (like CCTV) or 'deterrent' controls (like security guards), leading them to select CCTV or guards as effective tailgating prevention measures.

59
Multi-Selectmedium

Which TWO of the following are effective defenses against CSRF attacks? (Choose 2.)

Select 2 answers
A.Setting the Secure flag on cookies
B.Using input validation to block special characters
C.Using anti-CSRF tokens that are validated on the server
D.Implementing SameSite cookie attribute (Lax or Strict)
E.Enabling the HttpOnly flag on session cookies
AnswersC, D

CSRF tokens are unique per request and verified by the server, ensuring the request originated from the legitimate site.

Why this answer

CSRF tokens and SameSite cookies both prevent cross-site request forgery. Double Submit Cookie is also a method but not listed. Custom headers are not a standard defense; the primary ones are CSRF tokens and SameSite cookies.

60
MCQmedium

A web server is found to have directory listing enabled for the /uploads folder. An attacker discovers a shell.php file uploaded earlier. Which attack is the attacker MOST likely to perform next?

A.File inclusion
B.Cross-site scripting
C.Remote code execution via uploaded shell
D.SQL injection
AnswerC

The attacker can locate the shell via directory listing and then access it to execute commands.

Why this answer

With directory listing, the attacker can find the path to the uploaded shell and then access it to execute commands on the server.

61
MCQmedium

An application is vulnerable to server-side request forgery (SSRF). An attacker exploits this to access internal services. Which of the following is a common indicator of SSRF?

A.The application uses user input in file inclusion functions like include()
B.The application includes a parameter like 'url=' that fetches remote resources
C.The application reflects user input in HTTP headers
D.The application stores user input in a database without sanitization
AnswerB

A 'url=' parameter that the server fetches is a classic SSRF vector.

Why this answer

SSRF vulnerabilities often appear where the application fetches URLs based on user input, such as 'url=' parameters, allowing the attacker to make the server request internal resources.

62
MCQhard

An attacker uses an idle scan with Nmap to probe a target. This technique relies on a third-party host with a predictable IP ID sequence to infer port states. Which Nmap flag enables an idle scan?

A.-sS
B.-sI
C.-sA
D.-sT
AnswerB

-sI specifies an idle scan using a zombie host.

Why this answer

The idle scan (-sI) leverages a third-party host (zombie) with a predictable IP ID sequence to indirectly probe a target's ports. By spoofing the zombie's IP and observing changes in its IP ID counter, Nmap can infer whether a port is open, closed, or filtered without sending packets directly from the attacker's IP.

Exam trap

The trap here is that candidates often confuse -sI with -sS (SYN scan) because both are stealthy, but -sI specifically requires a zombie host and IP ID manipulation, not just half-open connections.

How to eliminate wrong answers

Option A (-sS) is wrong because it performs a TCP SYN stealth scan, which sends SYN packets directly from the attacker's IP and does not involve a zombie host or IP ID manipulation. Option C (-sA) is wrong because it performs a TCP ACK scan, which sends ACK packets to map firewall rules, not to conduct idle scanning. Option D (-sT) is wrong because it performs a TCP connect scan, which completes the full three-way handshake and is detectable, not an idle scan.

63
Multi-Selecteasy

Which TWO of the following are common tools used for web application security testing? (Choose 2)

Select 2 answers
A.Burp Suite
B.Wireshark
C.Nessus
D.OWASP ZAP
E.Metasploit
AnswersA, D

Burp Suite is a comprehensive platform for web application security testing.

Why this answer

Burp Suite and OWASP ZAP are both widely used web application security testing tools.

64
Multi-Selecthard

Which THREE of the following are valid Nmap NSE scripts that could be used for service version detection or vulnerability scanning? (Choose THREE.)

Select 3 answers
A.dns-zone-transfer
B.smb-os-discovery
C.ssl-heartbleed
D.banner
E.http-sql-injection
AnswersC, D, E

Checks for the Heartbleed vulnerability.

Why this answer

Option C is correct because the ssl-heartbleed NSE script (ssl-heartbleed.nse) specifically checks for the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL implementations. It sends a malformed TLS heartbeat request and inspects the response for leaked memory contents, making it a direct vulnerability scanning script. This script is part of Nmap's NSE library and is widely used for identifying vulnerable SSL/TLS services.

Exam trap

The trap here is that candidates may confuse 'service version detection' with 'OS detection' (e.g., smb-os-discovery) or 'information gathering' (e.g., dns-zone-transfer), failing to distinguish between scripts that directly identify service versions or vulnerabilities versus those that perform other reconnaissance tasks.

65
MCQeasy

A security analyst captures a WPA2 4-way handshake using airodump-ng. Which tool would they use to perform a dictionary attack on the captured handshake to recover the PSK?

A.Reaver
B.aircrack-ng
C.Hydra
D.John the Ripper
AnswerB

aircrack-ng is designed to crack WEP and WPA/WPA2 PSK from captured handshake files.

Why this answer

The correct answer is aircrack-ng, which is the standard tool for cracking WPA2 PSK from a captured handshake using a dictionary file.

66
MCQmedium

You need to perform a fast scan of all 65535 TCP ports on a target IP address. Which tool is specifically designed for high-speed scanning and can surpass Nmap's speed on large-scale networks?

A.Netcat
B.hping3
C.Nmap with -T5
D.Masscan
AnswerD

Masscan is a high-speed port scanner.

Why this answer

Masscan is the correct answer because it is specifically engineered for high-speed asynchronous scanning, capable of transmitting packets at rates exceeding 10 million packets per second, which allows it to scan all 65535 TCP ports on a target significantly faster than Nmap, even with the -T5 timing template. Unlike Nmap's synchronous or adaptive scanning, Masscan uses a custom TCP/IP stack and raw sockets to maximize throughput, making it the optimal tool for large-scale network reconnaissance.

Exam trap

The trap here is that candidates assume Nmap's -T5 timing template is the fastest possible scan, but they overlook that Masscan's asynchronous architecture is fundamentally different and designed for orders-of-magnitude higher throughput on large-scale networks.

How to eliminate wrong answers

Option A is wrong because Netcat is a general-purpose networking utility for reading/writing data across network connections, not a port scanner; it lacks the asynchronous, high-speed scanning engine required to efficiently scan all 65535 ports. Option B is wrong because hping3 is a packet crafting and testing tool that can perform port scanning, but it operates with a slower, more manual approach and is not designed for high-speed scanning of all ports on a large network. Option C is wrong because Nmap with -T5 uses the 'insane' timing template, which increases parallelism and reduces timeout intervals, but Nmap's architecture is still fundamentally synchronous and cannot match Masscan's raw packet rate for scanning all 65535 ports on a large-scale network.

67
Multi-Selectmedium

Which TWO of the following are examples of passive footprinting techniques? (Select exactly 2.)

Select 2 answers
A.Performing a ping sweep on the target network
B.Conducting a port scan with Nmap
C.Using Google dorking to find exposed documents
D.Examining job postings for technology clues
E.Brute forcing subdomains via DNS queries
AnswersC, D

Uses search engine index, passive.

Why this answer

Option C is correct because Google dorking involves using advanced search operators (e.g., filetype:, intitle:) to discover publicly accessible information without directly interacting with the target's systems. This is a passive footprinting technique as it relies on publicly indexed data from search engines, not on sending packets to the target's network.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance, and the trap here is that candidates may mistakenly classify DNS-based enumeration (Option E) as passive, when in fact any technique that sends packets to the target's systems (including DNS queries) is considered active.

68
MCQhard

A penetration tester finds that a web application allows uploading a file with the name '../../var/www/html/shell.php'. The file is successfully written to the server. Which combination of vulnerabilities does this exploit?

A.Cross-Site Scripting (XSS) and CSRF
B.Local File Inclusion (LFI) and Remote File Inclusion (RFI)
C.Directory traversal and unrestricted file upload
D.SQL injection and command injection
AnswerC

The traversal path in the filename exploits directory traversal, and the ability to upload a PHP file indicates unrestricted file upload.

Why this answer

Directory traversal allows moving up directories, and unrestricted file upload allows writing a PHP shell, leading to remote code execution.

69
MCQmedium

During a web application penetration test, a security analyst intercepts a request using Burp Suite and notices the following parameter in the URL: /profile?user_id=123. By changing the user_id to 124, the analyst is able to view another user's profile. Which vulnerability is being exploited?

A.SQL Injection
B.Cross-Site Scripting (XSS)
C.Insecure Direct Object Reference (IDOR)
D.Cross-Site Request Forgery (CSRF)
AnswerC

The user_id parameter is manipulated to access another user's profile without authorization.

Why this answer

IDOR occurs when an application exposes a direct reference to an internal object (like a user ID) without proper authorization checks, allowing unauthorized access.

70
MCQmedium

A security analyst notices that a web server is experiencing slow response times, and the connection logs show many incomplete HTTP requests from various IP addresses, each keeping connections open for long periods. Which attack is MOST likely occurring?

A.HTTP flood
B.Slowloris attack
C.SYN flood
D.UDP flood
AnswerB

Slowloris partially sends HTTP headers and keeps connections open.

Why this answer

Slowloris is a low-bandwidth application-layer DoS attack that keeps many connections open by sending partial HTTP requests, exhausting server resources.

71
MCQeasy

Which type of malware is designed to replicate itself across networks without requiring a host file, often exploiting vulnerabilities to spread?

A.Trojan
B.Ransomware
C.Worm
D.Virus
AnswerC

Worms self-replicate without host files.

Why this answer

Worms are standalone malware that self-replicate and spread over networks.

72
MCQmedium

During a penetration test, an attacker gains access to a system and wants to maintain persistent remote control. Which type of Trojan is specifically designed for this purpose?

A.Ransomware
B.Backdoor
C.Keylogger
D.Downloader
AnswerB

Correct. A backdoor Trojan provides unauthorized remote access to the system.

Why this answer

A Remote Access Trojan (RAT) provides the attacker with remote control over the victim machine, often with features for persistence and stealth.

73
MCQmedium

A security analyst discovers that a web application's search box reflects user input without proper sanitization. However, the attacker must trick a victim into clicking a crafted link containing the malicious script. This vulnerability is classified as which type?

A.Blind XSS
B.Stored XSS
C.DOM-based XSS
D.Reflected XSS
AnswerD

Reflected XSS is non-persistent and requires the victim to click a crafted link containing the payload.

Why this answer

Reflected XSS requires user interaction (clicking a link) to execute the script in the victim's browser. The payload is not stored on the server, distinguishing it from stored XSS. DOM-based XSS does not involve server reflection.

74
MCQeasy

An attacker exploits an application by uploading a file that contains server-side script code, leading to arbitrary command execution on the web server. Which best describes this attack?

A.File inclusion (LFI)
B.Command injection
C.XSS
D.Directory traversal
AnswerB

Command injection occurs when an attacker can execute arbitrary commands on the server, often through file uploads that are executed.

Why this answer

File upload vulnerability allowing arbitrary code execution is a form of command injection or remote code execution (RCE).

75
Multi-Selecteasy

Which TWO of the following Nmap scan types are typically used to evade firewalls and IDS systems by sending fragmented packets?

Select 2 answers
A.Fragment scan (-f)
B.SYN scan (-sS)
C.ACK scan (-sA)
D.Idle scan (-sI)
E.Xmas scan (-sX)
AnswersA, D

Correct: Fragments packets to bypass firewalls.

Why this answer

The Fragment scan (-f) is correct because it splits TCP headers into multiple small IP fragments, making it harder for firewalls and IDS systems to reassemble and inspect the full packet. This evasion technique exploits the fact that many filtering devices only check the first fragment and pass subsequent fragments without scrutiny, allowing the scan to bypass detection.

Exam trap

The trap here is that candidates often confuse the Fragment scan (-f) with the Idle scan (-sI) because both are evasion techniques, but the Idle scan uses a zombie host to spoof the source IP, not fragmentation, to evade detection.

Page 1 of 14

Page 2