Certified Ethical Hacker CEH (CEH) — Questions 676750

1010 questions total · 14pages · All types, answers revealed

Page 9

Page 10 of 14

Page 11
676
MCQhard

During a penetration test, you enumerate a Linux NFS server and discover that the /export directory is mounted with 'no_root_squash' and 'world_readable' permissions. Which of the following actions would allow you to escalate to root access on the NFS client?

A.Create a symbolic link to /etc/shadow on the server from the client
B.Use 'showmount -e' to list exports and then mount the share with 'mount -t nfs -o vers=3'
C.Mount the share, create a setuid binary owned by root, then execute it on the client
D.Run 'sudo nmap --script nfs-ls' to list files on the export
AnswerC

Since no_root_squash is disabled, files created as root on the client retain root ownership on the server. A setuid binary executes with root privileges.

Why this answer

Option D is correct. With 'no_root_squash', a root user on the client can create files owned by root on the server. By mounting the share and creating a setuid binary owned by root, any local user on the client can execute it with root privileges.

677
MCQhard

A penetration tester wants to perform a stealth scan without completing the TCP three-way handshake. The target is a web server on port 80. The tester uses Nmap with the -sS flag. What is the expected behavior if the port is open?

A.The tester receives a SYN/ACK and sends an RST to tear down the connection.
B.The tester receives an RST, indicating the port is closed.
C.The tester receives no response, indicating a filtered port.
D.The tester receives a SYN/ACK and sends an ACK to establish the connection.
AnswerA

This is the standard behavior for a SYN scan: after receiving SYN/ACK, the tester sends RST to avoid completing the handshake.

Why this answer

A SYN scan sends a SYN packet; if the port is open, the target responds with SYN/ACK, and the tester sends an RST to tear down the connection without completing the handshake.

678
Multi-Selectmedium

Which TWO of the following are valid methods for enumerating SMB shares on a target system? (Select 2)

Select 2 answers
A.smbclient -L //target -U ''
B.snmpwalk -v2c -c public target
C.nmap -sU -p 445 target
D.nbtstat -A target
E.enum4linux -a target
AnswersA, E

smbclient -L lists available shares.

Why this answer

Option A is correct because `smbclient -L //target -U ''` attempts to list SMB shares on the target by connecting with a null session (empty username). This is a classic enumeration technique that exploits default or weak SMB configurations, allowing an attacker to retrieve share names without authentication.

Exam trap

The trap here is that candidates often confuse NetBIOS enumeration (using `nbtstat`) with SMB share enumeration, or they mistakenly think UDP scans on port 445 (which is TCP-only) are valid for SMB discovery.

679
MCQeasy

Which of the following tools is specifically designed to automate the detection and exploitation of SQL injection vulnerabilities in web applications?

A.Burp Suite
B.Nikto
C.Metasploit
D.SQLMap
AnswerD

SQLMap is dedicated to automating SQL injection detection and exploitation.

Why this answer

SQLMap is a well-known open-source tool that automates the process of detecting and exploiting SQL injection vulnerabilities. Burp Suite is a web proxy and scanner, Nikto is a web server scanner, and Metasploit is a penetration testing framework with broader capabilities.

680
MCQmedium

A penetration tester uses the SMTP commands VRFY and EXPN on a mail server. What is the tester MOST likely trying to accomplish?

A.To enumerate valid email addresses and distribution lists
B.To extract email content from the server
C.To perform a mail relay attack
D.To test for open relay
AnswerA

VRFY and EXPN reveal valid users and lists.

Why this answer

The VRFY command asks the mail server to verify whether a given email address exists, while EXPN requests the members of a mailing list or alias. By issuing these commands, the tester can enumerate valid user accounts and distribution lists on the server, which is a key step in building a target list for further attacks such as password guessing or phishing.

Exam trap

The trap here is that candidates confuse VRFY/EXPN with open relay testing, but open relay is verified using the RCPT TO command with an external domain, not address verification or list expansion.

How to eliminate wrong answers

Option B is wrong because VRFY and EXPN only return address existence or list membership, not the content of stored emails; extracting email content would require protocols like IMAP or POP3 with valid credentials. Option C is wrong because a mail relay attack involves using the server to send unauthorized email to external domains, which is tested with the SMTP 'RCPT TO' command, not VRFY or EXPN. Option D is wrong because testing for open relay is done by sending a test email with a RCPT TO pointing to an external domain and observing if the server accepts it without authentication; VRFY and EXPN do not test relay behavior.

681
MCQhard

After gaining initial access to a Windows server, a penetration tester wants to escalate privileges. The tester finds that the current user has the 'SeImpersonatePrivilege' enabled. Which attack technique could the tester use to abuse this privilege?

A.SUID bit abuse
B.Pass-the-Hash attack
C.Token impersonation via Juicy Potato
D.Log manipulation to hide tracks
AnswerC

Juicy Potato abuses SeImpersonatePrivilege to impersonate SYSTEM tokens.

Why this answer

The SeImpersonatePrivilege allows a process to impersonate a user after obtaining a token. Juicy Potato (and its variants like RoguePotato) exploits this by coercing the SYSTEM account to connect to a malicious named pipe, capturing its token, and using it to spawn a process with SYSTEM privileges. This is a well-known privilege escalation technique on Windows systems where the user has the SeImpersonatePrivilege.

Exam trap

The trap here is that candidates confuse SeImpersonatePrivilege with other Windows privileges (like SeDebugPrivilege) or mistakenly associate it with Linux-based SUID attacks, leading them to choose option A or B.

How to eliminate wrong answers

Option A is wrong because SUID bit abuse is a Linux/Unix privilege escalation technique that relies on the set-user-ID permission bit, which has no equivalent on Windows. Option B is wrong because Pass-the-Hash is a lateral movement or credential reuse attack that uses NTLM hashes to authenticate, not a technique to abuse the SeImpersonatePrivilege for local privilege escalation. Option D is wrong because log manipulation is a post-exploitation stealth technique to cover tracks, not a method to escalate privileges using a specific user right.

682
MCQhard

A penetration tester uses SQLMap with the option '--technique=T --dbms=MySQL --level=5 --risk=3' against a login form. The tool returns results after a delay of several seconds per request. Which SQL injection technique is being used?

A.Out-of-band SQL injection
B.Time-based blind SQL injection
C.Error-based SQL injection
D.Boolean-based blind SQL injection
AnswerB

The technique flag 'T' indicates time-based blind injection, which relies on response time delays.

Why this answer

The 'T' in --technique stands for Time-based blind SQL injection. The delay indicates time-based injection where the database sleeps to cause a response delay.

683
MCQmedium

A security analyst observes repeated log entries showing `EXPN` commands from an external IP address to the company's mail server. What is the MOST likely objective of this activity?

A.Testing SMTP authentication mechanisms
B.Attempting to perform a denial-of-service attack
C.Enumerating valid email addresses and mailing list members
D.Delivering spam emails through open relay
AnswerC

EXPN reveals list members.

Why this answer

EXPN expands mailing lists, revealing member email addresses. This aids in social engineering or further attacks.

684
Drag & Dropmedium

Drag and drop the steps to perform a TCP three-way handshake into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

The TCP three-way handshake establishes a connection: SYN, SYN-ACK, ACK, then data transfer.

685
MCQeasy

A security analyst wants to gather information about a target domain without sending any packets to the target. Which technique should the analyst use?

A.Ping sweep
B.WHOIS lookup
C.Netcat banner grab
D.Nmap SYN scan
AnswerB

WHOIS queries public databases without contacting the target directly.

Why this answer

WHOIS lookup is a passive reconnaissance technique that queries public databases (e.g., RDAP or WHOIS servers) for domain registration details such as registrar, creation date, and administrative contacts. It requires no packets to be sent to the target domain's infrastructure, making it ideal for information gathering without direct interaction.

Exam trap

The trap here is that candidates confuse passive reconnaissance (no packets to the target) with active scanning techniques like ping sweeps or port scans, assuming any information gathering requires direct interaction.

How to eliminate wrong answers

Option A is wrong because a ping sweep sends ICMP Echo Request packets to multiple hosts, actively probing the target network. Option C is wrong because Netcat banner grabbing requires establishing a TCP connection to a target service (e.g., HTTP, FTP) to retrieve its banner, which involves sending packets. Option D is wrong because an Nmap SYN scan sends crafted TCP SYN packets to target ports to determine their state, actively interacting with the target.

686
MCQhard

A forensic analyst discovers that an attacker used a rootkit to hide malicious processes and files on a compromised Linux system. The rootkit also intercepts system calls to `open()` and `stat()` to return clean results. Which of the following techniques is the rootkit using to cover its tracks?

A.Steganography to conceal malicious files in image metadata
B.Token impersonation to gain administrator privileges
C.Syscall hooking to modify the return values of userland commands
D.Log manipulation by clearing entries in /var/log
AnswerC

Syscall hooking intercepts system calls like open() and stat() and returns fake data, hiding the rootkit's presence.

Why this answer

The rootkit intercepts system calls like `open()` and `stat()` to return clean results, which is a classic example of syscall hooking. By hooking these kernel-level functions, the rootkit can filter out any information about its own malicious files and processes, making them invisible to userland commands such as `ls`, `ps`, or `cat`. This technique operates at the kernel level, not in user space, allowing it to control what data is returned to any process that makes those syscalls.

Exam trap

The trap here is that candidates may confuse syscall hooking with log manipulation or steganography, not realizing that the question specifically describes intercepting system calls to return clean results, which is the hallmark of kernel-level rootkit hiding, not file-level or log-level concealment.

How to eliminate wrong answers

Option A is wrong because steganography hides data within other files (e.g., image metadata) but does not intercept system calls or hide running processes; it is a data concealment technique, not a rootkit hiding mechanism. Option B is wrong because token impersonation is a Windows-specific privilege escalation technique that involves duplicating access tokens, not a Linux rootkit method for hiding files or processes via syscall interception. Option D is wrong because log manipulation (clearing /var/log entries) removes evidence from log files but does not intercept system calls or hide active processes and files from commands like `ps` or `ls`; it is a post-exploitation cleanup step, not the core hiding technique described.

687
MCQmedium

Which DoS attack exploits the HTTP protocol by sending partial HTTP requests to keep connections open, exhausting server resources?

A.SYN flood
B.Slowloris
C.Ping of Death
D.UDP flood
AnswerB

Slowloris keeps HTTP connections open.

Why this answer

Slowloris sends partial HTTP headers to keep many connections open, consuming server threads.

688
MCQmedium

During a penetration test, a security analyst discovers that a web application uses sequential numeric identifiers in URLs (e.g., /profile?id=100). By modifying the id parameter, the analyst can access another user's profile data without authorization. Which vulnerability is being exploited?

A.SQL injection
B.Insecure Direct Object Reference (IDOR)
C.Server-Side Request Forgery (SSRF)
D.Cross-Site Request Forgery (CSRF)
AnswerB

The ability to change a parameter like 'id' to access another user's data is a classic IDOR vulnerability.

Why this answer

IDOR (Insecure Direct Object Reference) occurs when an application exposes internal object references (e.g., database keys) and fails to enforce proper access controls, allowing users to manipulate them to access unauthorized data.

689
MCQmedium

A security analyst is reviewing HTTP response headers and notices the following: Set-Cookie: sessionId=abc123; SameSite=Lax. What is the primary purpose of the SameSite attribute?

A.To enforce HTTPS for cookie transmission
B.To prevent the cookie from being accessed by JavaScript
C.To mitigate cross-site request forgery (CSRF) attacks
D.To ensure the cookie is only sent over HTTP and not FTP
AnswerC

SameSite restricts cookie sending to same-site requests, reducing CSRF risk.

Why this answer

SameSite=Lax prevents the browser from sending the cookie in cross-site requests initiated by third-party websites, mitigating CSRF attacks.

690
MCQhard

A penetration tester captures the following output from a command: 'smb: \> ls \\192.168.1.20\C$'. The tester is able to list the contents of the C$ share without providing credentials. Which of the following is the MOST likely reason for this access?

A.The C$ share is intentionally shared with Everyone
B.The target is running a Samba server with weak permissions
C.The target has a null session vulnerability that allows access to admin shares
D.The tester is using a pass-the-hash attack
AnswerC

Older Windows versions or misconfigured systems allow null sessions to admin shares.

Why this answer

The output shows the tester successfully listing the C$ share (a default administrative share) without providing credentials. This is a classic indicator of a null session vulnerability, where Windows allows unauthenticated access to IPC$ and, in some configurations, admin shares via SMB. The tester is leveraging the default null session to enumerate or access these shares, which is a well-known weakness in older Windows systems or misconfigured Samba servers.

Exam trap

The trap here is that candidates often confuse null session access with pass-the-hash or weak permissions, but the key clue is the absence of any credential usage in the command, which directly points to the null session vulnerability.

How to eliminate wrong answers

Option A is wrong because the C$ share is a hidden administrative share that is not shared with Everyone by default; it is only accessible to members of the Administrators group. Option B is wrong because while a Samba server with weak permissions could allow unauthorized access, the specific command accessing C$ without credentials points to a null session vulnerability, not merely weak permissions. Option D is wrong because a pass-the-hash attack requires a captured NTLM hash and is used to authenticate as a specific user, not to gain unauthenticated access to admin shares; the tester did not provide any credentials or hashes.

691
MCQeasy

Which Burp Suite tool is specifically designed to automate customized attacks on web applications, such as brute-forcing login forms or fuzzing parameters?

A.Repeater
B.Proxy
C.Scanner
D.Intruder
AnswerD

Intruder is designed for automated customized attacks, supporting payloads and various attack types.

Why this answer

Burp Intruder is the tool for automating customized attacks like brute-forcing and fuzzing.

692
Multi-Selectmedium

Which TWO of the following are valid methods for enumerating users on a SMTP server? (Select 2)

Select 2 answers
A.EXPN
B.MAIL FROM
C.RCPT TO
D.VRFY
E.AUTH
AnswersA, D

EXPN expands mailing lists and can reveal valid addresses.

Why this answer

EXPN (Expand) and VRFY (Verify) are SMTP commands defined in RFC 821 that allow an attacker to enumerate valid email addresses and mailing list members on a mail server. EXPN reveals the members of a mailing list, while VRFY confirms whether a specific mailbox exists. Both commands are often disabled in production to prevent user enumeration.

Exam trap

The trap here is that candidates confuse RCPT TO (which can indirectly reveal user existence through response codes) with a dedicated enumeration command, but the CEH exam specifically expects VRFY and EXPN as the two valid SMTP enumeration methods.

693
Multi-Selectmedium

Which TWO of the following are valid attacks against wireless networks? (Choose two.)

Select 2 answers
A.De-authentication attack
B.SSRF
C.Dictionary attack
D.Evil twin
E.Replay attack
AnswersA, D

De-authentication attack disconnects clients from an AP, often to capture handshakes.

Why this answer

Evil twin involves a rogue AP, and de-authentication disconnects clients. Dictionary attacks are for cracking, not network attacks. SSRF is cloud-based.

Replay attacks are generic but not wireless-specific. The question asks for attacks against wireless networks, so evil twin and de-authentication are correct.

694
MCQhard

Based on the Nmap scan output, which service is most likely vulnerable to remote code execution?

A.MAC Address 00:1A:2B:3C:4D:5E
B.Apache httpd 2.4.18
C.OpenSSH 7.2p2
D.Apache Tomcat 8.5.5
AnswerD

Tomcat 8.5.5 is vulnerable to Ghostcat (CVE-2020-1938) which allows RCE.

Why this answer

Apache Tomcat 8.5.5 is known to be vulnerable to remote code execution (RCE) via the Ghostcat vulnerability (CVE-2020-1938), which exploits the AJP connector on port 8009. This allows an attacker to read or execute arbitrary files on the server, making it the most likely candidate for RCE among the listed services.

Exam trap

EC-Council often tests the misconception that a common service like Apache httpd or OpenSSH is the most vulnerable, but the trap here is that the AJP connector on Tomcat (port 8009) is frequently overlooked, yet it provides a direct path to RCE via Ghostcat.

How to eliminate wrong answers

Option A is wrong because a MAC address is a hardware identifier for the network interface, not a service, and thus cannot be vulnerable to remote code execution. Option B is wrong because Apache httpd 2.4.18, while having known vulnerabilities, is not typically associated with a direct remote code execution vector in standard Nmap scans; its primary risks are denial-of-service or information disclosure. Option C is wrong because OpenSSH 7.2p2, though it has vulnerabilities like CVE-2016-6210 (user enumeration), does not have a known remote code execution flaw that is commonly exploitable without authentication.

695
MCQmedium

An attacker uses the VRFY command on an SMTP server to check the existence of email addresses. The server responds with '250 OK' for 'admin@company.com' and '550 No such user' for 'fake@company.com'. Which SMTP enumeration technique is being used?

A.EXPN enumeration
B.SMTP banner grabbing
C.RCPT TO enumeration
D.VRFY enumeration
AnswerD

The VRFY command verifies whether a mailbox exists, and the response codes confirm this technique.

Why this answer

The VRFY command is an SMTP command defined in RFC 821 that asks the server to verify whether a given email address exists. When the server responds with '250 OK' for a valid address and '550 No such user' for an invalid one, the attacker is directly using the VRFY command to enumerate valid users. This is explicitly known as VRFY enumeration.

Exam trap

The trap here is that candidates confuse VRFY with RCPT TO, but the question explicitly states the VRFY command is used, making 'VRFY enumeration' the only correct answer.

How to eliminate wrong answers

Option A is wrong because EXPN (Expand) is used to list members of a mailing list or alias, not to verify individual email addresses. Option B is wrong because SMTP banner grabbing involves reading the server's initial greeting banner to identify software/version, not sending VRFY commands. Option C is wrong because RCPT TO enumeration uses the RCPT TO command during the mail transaction to verify recipients, not the standalone VRFY command.

696
Multi-Selecteasy

Which TWO of the following are password cracking techniques? (Select 2)

Select 2 answers
A.SQL injection
B.Rainbow table attack
C.Phishing
D.ARP spoofing
E.Dictionary attack
AnswersB, E

Uses precomputed hash tables.

Why this answer

Dictionary attack and rainbow table attack are both password cracking techniques. SQL injection is a web attack, not password cracking. Phishing is social engineering.

ARP spoofing is network attack.

697
MCQmedium

An attacker calls a company's help desk, pretending to be a new employee who forgot his username and password. The attacker provides some employee details gleaned from social media and convinces the help desk to reset the password. Which social engineering technique is being used?

A.Tailgating
B.Quid pro quo
C.Baiting
D.Pretexting
AnswerD

The attacker uses a fabricated pretext to gain trust.

Why this answer

Pretexting involves creating a fabricated scenario (pretext) to obtain information. The attacker invents a story (new employee) to manipulate the help desk.

698
MCQmedium

A web application allows users to submit feedback that is stored in a database and later displayed to administrators. An attacker submits feedback containing <script>alert('stored')</script>. When an admin views the feedback page, the script executes. Which type of XSS is this?

A.Blind XSS
B.Reflected XSS
C.Stored XSS
D.DOM-based XSS
AnswerC

The script is stored in the database and executed when loaded by an admin, classic stored XSS.

Why this answer

Stored (persistent) XSS occurs when the payload is stored on the server and served to other users later.

699
MCQmedium

A penetration tester discovers that a web application includes the following code: 'include($_GET['page'] . '.php');' and the application is running on a Linux server. The tester attempts to exploit this by accessing 'index.php?page=../../etc/passwd'. What type of attack is this, and will it succeed?

A.Directory traversal; it will succeed because '../' bypasses restrictions
B.Remote File Inclusion (RFI); it will succeed because the parameter is not filtered
C.Command injection; it will succeed if the server interprets PHP code
D.Local File Inclusion (LFI); it will not succeed because the '.php' extension is appended
AnswerD

LFI includes local files, but the appended '.php' extension prevents direct file reading unless a null byte or other technique is used.

Why this answer

This is a Local File Inclusion (LFI) vulnerability. The appended '.php' extension prevents reading '/etc/passwd' because the file would be interpreted as '/etc/passwd.php', which does not exist.

700
MCQmedium

During a penetration test, you run the following command: nmap -sV -p 80 --script http-title 192.168.1.10. The output shows that port 80 is open and the HTTP title is 'Login Portal'. Which phase of the penetration testing methodology does this activity represent?

A.Exploitation
B.Post-exploitation
C.Footprinting
D.Scanning and enumeration
AnswerD

Scanning involves actively probing systems to discover open ports, services, and other details. This aligns with the scanning and enumeration phase.

Why this answer

The nmap command with -sV (service version detection) and --script http-title performs service fingerprinting and banner grabbing on port 80, which is a core activity of the scanning and enumeration phase. This phase follows footprinting and involves actively probing target systems to discover open ports, running services, and application details like the HTTP title 'Login Portal'. It does not involve exploiting vulnerabilities (exploitation) or maintaining access (post-exploitation), nor is it passive information gathering (footprinting).

Exam trap

EC-Council often tests the distinction between footprinting and scanning/enumeration, where candidates mistakenly classify any information-gathering activity as footprinting, but the key differentiator is whether the activity involves direct interaction with the target system (scanning) versus passive collection (footprinting).

How to eliminate wrong answers

Option A is wrong because exploitation involves actively leveraging a vulnerability to gain unauthorized access, such as using a buffer overflow or SQL injection, whereas this command only gathers information about the service. Option B is wrong because post-exploitation occurs after successful exploitation and focuses on maintaining access, privilege escalation, or data exfiltration; scanning port 80 is a pre-exploitation reconnaissance step. Option C is wrong because footprinting is the initial passive or semi-passive information gathering phase (e.g., WHOIS, DNS lookups, social engineering), while this nmap command actively sends packets to the target to enumerate services, which is scanning and enumeration.

701
MCQhard

A forensic analyst examining a compromised Linux system finds the following entry in /var/log/auth.log: `Mar 15 10:23:45 server sshd[1234]: Accepted password for root from 10.0.0.5 port 54321 ssh2`. However, the analyst also notices that /var/log/auth.log has been truncated and the /etc/ssh/sshd_config file contains `LogLevel QUIET`. Which attack phase is most likely being obscured?

A.Privilege escalation
B.Executing applications
C.Spying
D.Erasing tracks
AnswerD

Truncating logs and reducing logging levels are classic techniques to cover tracks.

Why this answer

The presence of `LogLevel QUIET` in sshd_config suppresses all authentication log entries, and the truncation of /var/log/auth.log indicates an attempt to remove evidence of unauthorized access. Together, these actions are classic examples of erasing tracks, as the attacker is modifying logs and configuration to hide their activities from forensic analysis.

Exam trap

The trap here is that candidates may confuse log manipulation with privilege escalation or execution phases, but the CEH exam specifically tests the 'Erasing Tracks' phase (part of the System Hacking domain) where attackers modify or delete logs, alter timestamps, or disable auditing to avoid detection.

How to eliminate wrong answers

Option A is wrong because privilege escalation involves gaining higher-level permissions (e.g., via SUID exploits or kernel vulnerabilities), not manipulating SSH logging or truncating auth logs. Option B is wrong because executing applications refers to running malicious code or tools on the system, which is a separate phase after access is obtained. Option C is wrong because spying (or exfiltration) involves covertly monitoring or stealing data, whereas the evidence here points to covering up the intrusion itself, not ongoing surveillance.

702
MCQhard

During a penetration test, you capture the following output: 'HTTP/1.1 200 OK ... Set-Cookie: sessionid=abc123; path=/'. You then send a request with a modified cookie value 'sessionid=abc124' and receive a valid session. Which type of vulnerability has been exploited?

A.Cross-site scripting
B.SQL injection
C.Man-in-the-middle attack
D.Session hijacking via cookie prediction
AnswerD

Correct. The attacker predicted a valid session ID and used it to hijack the session.

Why this answer

Session hijacking via cookie theft/prediction. The attacker guessed or brute-forced a valid session ID (abc124) after seeing the pattern (abc123).

703
MCQmedium

Which of the following is the BEST defense against a TCP SYN flood attack?

A.Ingress filtering
B.Intrusion detection system
C.Rate limiting
D.SYN cookies
AnswerD

SYN cookies enable the server to handle half-open connections without resource exhaustion.

Why this answer

SYN cookies allow the server to avoid allocating resources until the handshake completes, mitigating SYN flood.

704
MCQmedium

An analyst notices that a web application's login page returns a generic 'Invalid credentials' message regardless of whether the username is valid. This is an example of which security control?

A.Anti-CSRF token
B.Account lockout policy
C.Generic error messages
D.Rate limiting
AnswerC

Using the same error message for both invalid username and invalid password prevents attackers from distinguishing valid users.

Why this answer

Providing generic error messages prevents attackers from enumerating valid usernames, which is a common mitigation against brute-force attacks.

705
MCQmedium

You are a penetration tester for a security firm. Your client, Acme Corp, has requested an external reconnaissance assessment. They have provided their primary domain 'acme.com'. You begin by performing passive footprinting using public sources. After gathering initial information, you want to identify their email servers, subdomains, and any exposed services. You also want to map their network infrastructure without directly interacting with their systems to avoid detection. Which course of action should you take next?

A.Call Acme Corp's IT help desk posing as an employee to ask about their email server configuration.
B.Use Shodan to search for Acme Corp's IP ranges and perform DNS enumeration to discover subdomains and mail servers.
C.Perform a traceroute to Acme Corp's web server to map the network path.
D.Run an Nmap scan against the entire IP range of Acme Corp to identify open ports and services.
AnswerB

Shodan provides passive information on exposed services, and DNS enumeration is passive.

Why this answer

Option B is correct because Shodan allows passive identification of exposed services, including email servers and subdomains, by querying its indexed data of internet-facing devices without sending any packets to Acme Corp's systems. DNS enumeration can then be performed passively using public DNS records (e.g., MX, NS, A records) to map subdomains and mail servers, fulfilling the requirement to avoid direct interaction and detection.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance, and the trap here is that candidates may confuse Shodan (passive) with Nmap (active), or think traceroute is passive because it's a common network diagnostic tool.

How to eliminate wrong answers

Option A is wrong because calling the help desk is active social engineering, not passive reconnaissance, and directly interacts with the client's personnel, which violates the requirement to avoid detection. Option C is wrong because traceroute sends ICMP or UDP packets that directly interact with Acme Corp's routers and firewalls, which is active probing and can be logged or trigger alerts. Option D is wrong because running an Nmap scan sends crafted packets to target systems, which is active scanning that directly interacts with Acme Corp's network and can be detected by intrusion detection systems.

706
MCQeasy

A security analyst discovers a file named invoice.exe in an email attachment. Static analysis with PEiD indicates the file is packed with UPX. What is the BEST next step in analyzing this malware?

A.Execute the packed file on a production server
B.Unpack the file with UPX and then perform static analysis
C.Submit the packed file directly to VirusTotal
D.Delete the file immediately
AnswerB

Unpacking reveals the original code for static analysis.

Why this answer

UPX packers require unpacking to reveal the original code. Dynamic analysis in a sandbox can observe behavior after unpacking.

707
MCQmedium

A security analyst runs 'strings malware.exe' and finds several URLs and IP addresses. The analyst then uploads the file to VirusTotal and gets a detection ratio of 5/70. What type of analysis has been performed?

A.Static analysis
B.Memory analysis
C.Reverse engineering
D.Dynamic analysis
AnswerA

Static analysis examines the code without execution; strings and VirusTotal are static techniques.

Why this answer

Using strings and VirusTotal are static analysis methods—examining the binary without execution.

708
Multi-Selecthard

During a penetration test, the tester successfully cracks a password hash using a hybrid attack. Which THREE characteristics describe a hybrid attack? (Select three.)

Select 3 answers
A.Applies mutations like appending numbers or symbols
B.Tries every possible combination of characters
C.Combines dictionary and brute-force mutations
D.Relies on precomputed hash chains
E.Uses a wordlist as a base
AnswersA, C, E

Why this answer

A hybrid attack combines a dictionary with mutations (e.g., appending numbers, prefixing symbols). It does not try all combinations (that's brute-force) and does not use precomputed tables (rainbow tables).

709
MCQmedium

A security analyst observes that a web application's login page responds with different HTTP status codes and response times for valid versus invalid usernames. This information leakage could be used to perform which type of authentication attack?

A.Username enumeration
B.Credential stuffing
C.Password spraying
D.Brute force attack
AnswerA

The behavior of differing responses for valid vs invalid usernames is classic username enumeration.

Why this answer

Username enumeration occurs when an application reveals whether a username exists, often through differing error messages or response times. This information can be leveraged for brute force or password spraying attacks by focusing on valid usernames.

710
Multi-Selecthard

Which THREE of the following are common indicators of a social engineering attack? (Choose three.)

Select 3 answers
A.The communication includes verifiable contact information
B.The sender uses a generic greeting like 'Dear Customer'
C.The communication creates a sense of urgency
D.The message contains spelling or grammatical errors
E.The request comes from someone claiming to be in authority
AnswersC, D, E

Attackers often pressure targets to act quickly.

Why this answer

Option C is correct because social engineers frequently fabricate a sense of urgency to bypass the victim's rational decision-making. By claiming an immediate deadline or threat (e.g., 'Your account will be locked in 24 hours'), the attacker pressures the target into acting without verifying the request, a tactic rooted in the psychological principle of scarcity.

Exam trap

The trap here is that candidates mistake generic greetings (Option B) as a definitive indicator, when in fact the CEH emphasizes that urgency, authority, and errors are the three most reliable technical indicators of a social engineering attempt.

711
MCQhard

Refer to the exhibit. A penetration tester executed the SQL injection payload and received the response shown. What is the most likely outcome of this attack?

A.The attacker extracted hashed passwords that can be cracked offline
B.The attacker successfully performed a blind SQL injection to enumerate the database structure
C.The attacker caused a denial of service by sending an invalid query
D.The attacker modified the database records to update user passwords
AnswerA

The response contains username:hash pairs; the hash appears to be MD5, which is crackable.

Why this answer

The response shows a successful SQL injection that returned password hashes (likely from the `password` column) in the output. This indicates the attacker exploited a vulnerable parameter to extract hashed credentials from the database, which can then be cracked offline using tools like Hashcat or John the Ripper. The presence of hash strings in the response confirms data extraction, not modification or denial of service.

Exam trap

EC-Council often tests the distinction between in-band (error-based/UNION) SQL injection, which returns data directly, and blind SQL injection, which does not return visible data; candidates mistakenly choose blind when the response clearly shows extracted values.

How to eliminate wrong answers

Option B is wrong because blind SQL injection does not return visible data in the response; it relies on true/false or time-based inferences, whereas the exhibit shows actual hash values. Option C is wrong because a denial of service would result in an error, timeout, or empty response, not a structured output containing hashes. Option D is wrong because modifying database records (e.g., UPDATE statements) would not return the existing password hashes in the response; the attacker would see confirmation of modification or no data at all.

712
Multi-Selecthard

Which THREE of the following are effective DDoS mitigation techniques?

Select 3 answers
A.IP blacklisting
B.Increasing server resources
C.Scrubbing centers
D.Rate limiting
E.Anycast routing
AnswersC, D, E

Specialized centers that clean traffic by removing malicious packets.

Why this answer

Rate limiting restricts traffic volume, scrubbing centers filter malicious traffic, and anycast distributes traffic across multiple servers to absorb attacks. IP blacklisting alone is insufficient for large-scale DDoS.

713
Multi-Selecthard

A security auditor runs SNMPwalk against a network device using the default community string 'public' and obtains extensive system information. Which THREE of the following are effective countermeasures to prevent unauthorized SNMP enumeration?

Select 3 answers
A.Disable SNMP entirely on all devices
B.Implement an access control list (ACL) limiting SNMP access to management hosts
C.Set the community string to 'private' for read-only access
D.Change the community string from 'public' to a complex string
E.Upgrade SNMP to version 3 with authentication and encryption
AnswersB, D, E

ACLs restrict which IPs can query SNMP, reducing exposure.

Why this answer

Options A, C, and D are correct. Changing default community strings is a basic step. Using SNMPv3 provides encryption and authentication.

Restricting SNMP access to specific IP addresses reduces exposure. B and E are incorrect as they increase risk or are unrelated.

714
MCQhard

An attacker has gained access to a Linux server and wants to cover their tracks. They edit the `.bash_history` file, modify system logs in `/var/log`, and install a kernel module that hides their processes. Which two steps of the system hacking methodology (CHPSET) are being performed?

A.Erasing tracks and Privilege escalation
B.Cracking passwords and Covering tracks
C.Erasing tracks and Spying
D.Executing applications and Spying
AnswerC

Cleaning logs and history is erasing tracks; installing a kernel module to hide processes is spying (maintaining access).

Why this answer

The attacker is performing 'Erasing tracks' by editing .bash_history and modifying logs in /var/log, and 'Spying' by installing a kernel module to hide processes, which allows continued covert monitoring. These correspond to the 'Erasing tracks' and 'Spying' steps in the CHPSET (Cracking, Hacking, Privilege escalation, Spying, Executing applications, Erasing tracks) methodology.

Exam trap

The trap here is confusing 'Erasing tracks' with 'Covering tracks' (they are the same step) and failing to recognize that installing a kernel module to hide processes is a spying/monitoring activity, not privilege escalation or executing applications.

How to eliminate wrong answers

Option A is wrong because privilege escalation involves gaining higher-level permissions (e.g., via SUID exploits or kernel vulnerabilities), not modifying logs or hiding processes. Option B is wrong because cracking passwords is a separate step involving tools like John the Ripper or hashcat, and while 'Covering tracks' is synonymous with 'Erasing tracks', the pair does not match the two actions described (spying is also performed). Option D is wrong because executing applications refers to running malware or payloads (e.g., backdoors), not hiding processes with a kernel module, and spying is only one of the two actions.

715
MCQmedium

A penetration tester uses a tool to intercept and modify HTTP/HTTPS requests in real-time between the browser and the web application. Which tool is being used?

A.SQLMap
B.Burp Suite Proxy
C.Nmap
D.Metasploit
AnswerB

Burp Suite Proxy is designed for intercepting and modifying web traffic.

Why this answer

Burp Suite's Proxy module allows interception and modification of HTTP/HTTPS traffic. Repeater is for resending requests, Intruder for automated attacks, Scanner for vulnerability scanning.

716
Multi-Selecthard

Which THREE of the following are types of SQL injection attacks? (Select 3)

Select 3 answers
A.DOM-based SQL injection
B.Stored SQL injection
C.Blind SQL injection (boolean-based, time-based)
D.In-band SQL injection (error-based, union-based)
E.Out-of-band SQL injection
AnswersC, D, E

Blind infers results without direct output.

Why this answer

Option C is correct because blind SQL injection is a recognized type of SQL injection attack where the attacker does not receive direct error messages or data from the database but instead infers information by observing the application's response (boolean-based) or by causing time delays (time-based). This technique is commonly used when the application is configured to suppress error output, forcing the attacker to rely on side-channel behaviors.

Exam trap

The trap here is that candidates often confuse 'DOM-based' (an XSS attack) with a SQL injection type, or mistakenly think 'Stored SQL injection' is a primary category, when the CEH exam strictly recognizes in-band, blind, and out-of-band as the three main types of SQL injection attacks.

717
MCQmedium

Which tool would a penetration tester MOST likely use to perform ARP poisoning and conduct a man-in-the-middle attack on a local network?

A.Wireshark
B.Nmap
C.tcpdump
D.Ettercap
AnswerD

Correct. Ettercap is specifically designed for MITM attacks using ARP poisoning.

Why this answer

Ettercap is a comprehensive suite for man-in-the-middle attacks, including ARP poisoning, DNS spoofing, and packet sniffing.

718
MCQeasy

A security administrator notices that the network switch is broadcasting traffic to all ports as if it were a hub. The switch logs show a sudden flood of packets with random MAC addresses. Which attack is MOST likely occurring?

A.SYN flood
B.MAC flooding
C.ARP poisoning
D.DNS amplification
AnswerB

MAC flooding overwhelms the switch's CAM table, causing it to operate in hub mode.

Why this answer

MAC flooding attacks send many frames with different source MAC addresses, overflowing the switch's CAM table. The switch then fails to learn MAC addresses and broadcasts frames to all ports.

719
Multi-Selectmedium

Which TWO of the following are common defense measures against wireless de-authentication attacks? (Select 2)

Select 2 answers
A.Changing the default SSID
B.Enabling 802.11w (Management Frame Protection)
C.Implementing MAC address filtering
D.Using WPA3 instead of WPA2
E.Disabling SSID broadcast
AnswersB, D

802.11w protects management frames including de-auth.

Why this answer

Using WPA3 (SAE) mitigates de-auth because management frame protection is mandatory. 802.11w (MFP) also protects de-auth frames. Changing default SSID and disabling SSID broadcast do not prevent de-auth.

720
MCQhard

A security analyst is analyzing a suspicious file and runs the command 'strings malware.exe | grep -i http'. The output shows several URLs ending with '.exe'. What does this indicate?

A.The malware may download additional payloads from remote servers
B.The malware has a keylogger component
C.The malware is a boot sector virus
D.The malware is a worm that spreads via email
AnswerA

HTTP URLs with .exe suggest remote file retrieval.

Why this answer

Strings extracts readable text; finding URLs that point to executable files suggests the malware may download additional payloads from those URLs.

721
MCQhard

During a penetration test, a tester uses SQLMap with the following command: 'sqlmap -u "http://target.com/page?id=1" --os-shell'. The target is a Linux server running MySQL. Which SQL injection technique will SQLMap likely attempt to use to achieve an OS shell?

A.Error-based injection
B.In-band (file write via INTO OUTFILE)
C.Blind boolean-based injection
D.Union-based injection
AnswerB

SQLMap uses the INTO OUTFILE clause to write a webshell to the filesystem, which is an in-band technique requiring file write privileges.

Why this answer

SQLMap's --os-shell option typically uses the 'INTO OUTFILE' clause to write a backdoor webshell onto the server, requiring file write privileges. This is an in-band technique.

722
MCQmedium

In an IoT environment, a researcher finds that the firmware of a smart lock can be extracted via UART and reversed to reveal hardcoded encryption keys. Which type of vulnerability is this?

A.Insecure firmware update mechanism
B.Insufficient entropy in random number generation
C.Use of deprecated cryptographic algorithm
D.Hardcoded backdoor credentials
AnswerD

Hardcoded encryption keys serve as a backdoor, allowing attackers to decrypt or spoof communications.

Why this answer

Hardcoded keys in firmware are a classic example of a backdoor or hardcoded credential vulnerability, allowing attackers to decrypt traffic or authenticate without proper authorization.

723
MCQhard

A penetration tester uses a tool to spoof ARP replies, redirecting traffic through the tester's machine. The tester then captures credentials from the redirected traffic. Which tool is BEST suited for this task?

A.Ettercap
B.Wireshark
C.Nmap
D.tcpdump
AnswerA

Ettercap supports ARP poisoning, traffic redirection, and sniffing.

Why this answer

Ettercap is a comprehensive suite for MITM attacks, including ARP poisoning and sniffing.

724
MCQmedium

A malware analyst wants to examine a suspicious executable without executing it. The goal is to extract strings, view the PE header, and check for known signatures. Which approach is the analyst using?

A.Static analysis
B.Dynamic analysis
C.Heuristic analysis
D.Reverse engineering
AnswerA

Static analysis examines the file without running it, using tools like strings, PEiD, and VirusTotal.

Why this answer

Static analysis involves examining the file without executing it. Techniques include string extraction, PE header analysis, and signature-based checks (e.g., VirusTotal).

725
MCQmedium

A penetration tester obtains a list of password hashes and uses RainbowCrack. Which statement BEST describes how RainbowCrack works?

A.It uses a dictionary attack with word mangling rules
B.It uses online password guessing against the target service
C.It uses a brute-force attack by trying all possible character combinations
D.It uses time-memory trade-off with precomputed hash chains
AnswerD

Rainbow tables are a time-memory trade-off technique.

Why this answer

RainbowCrack implements a time-memory trade-off attack by precomputing hash chains for a given set of passwords and storing them in rainbow tables. When a password hash is provided, the tool looks up the hash in these tables to reverse it, avoiding the need to recompute hashes for every possible password. This makes it far faster than brute-force for cracking hashes, provided the password is covered by the precomputed chains.

Exam trap

EC-Council often tests the distinction between offline hash-cracking tools (like RainbowCrack) and online password-guessing attacks, so the trap here is confusing a precomputed table attack (time-memory trade-off) with a brute-force or dictionary attack that computes hashes in real time.

How to eliminate wrong answers

Option A is wrong because a dictionary attack with word mangling rules (e.g., using John the Ripper or Hashcat with rules) does not rely on precomputed tables; it generates candidate passwords on the fly and hashes them. Option B is wrong because RainbowCrack works offline against captured hashes, not by guessing passwords against a live service (that would be an online brute-force or password spraying attack). Option C is wrong because a brute-force attack tries all possible character combinations sequentially, which is computationally expensive and does not use the time-memory trade-off or precomputed hash chains that define RainbowCrack.

726
Multi-Selectmedium

Which TWO of the following describe the state of a port when Nmap reports it as 'filtered'? (Select 2)

Select 2 answers
A.The port is closed and the target sends a RST packet
B.The port is open and a service is listening
C.A firewall is dropping the probe packets
D.A firewall is responding with ICMP unreachable errors
E.The port is open but no service is responding
AnswersC, D

If a firewall silently drops packets, Nmap sees no response and marks the port filtered.

Why this answer

Nmap reports a port as 'filtered' when it cannot determine whether the port is open or closed because probe packets are being dropped or blocked. Option C is correct because a firewall dropping probe packets (e.g., via a DROP rule in iptables or an ACL) prevents Nmap from receiving any response, leading to a 'filtered' state. Option D is correct because a firewall responding with ICMP unreachable errors (e.g., ICMP Type 3 Code 13, 'Communication Administratively Prohibited') also causes Nmap to classify the port as 'filtered', as the response indicates a filtering device is interfering.

Exam trap

The trap here is that candidates often confuse 'filtered' with 'closed' or 'open', not realizing that 'filtered' specifically indicates a firewall or filter is interfering with the probe, rather than the port's actual listening state.

727
MCQmedium

A security analyst runs the following command: 'smbclient -L //192.168.1.50 -N'. What is the purpose of this command?

A.Connect to the remote host's SMB share with a null password
B.Perform a dictionary attack on SMB passwords
C.Enumerate users via SMB
D.List available SMB shares on the remote host anonymously
AnswerD

-L lists shares, -N indicates anonymous access.

Why this answer

Option B is correct. smbclient -L lists shares on a remote SMB server, and -N uses a null session (no password).

728
MCQeasy

Which of the following is a common defense against clickjacking attacks?

A.CSRF tokens
B.Content Security Policy (CSP) with 'frame-ancestors' directive
C.SameSite cookies
D.Input validation
AnswerB

CSP 'frame-ancestors' is also effective, but the most common is X-Frame-Options.

Why this answer

The X-Frame-Options header (e.g., DENY or SAMEORIGIN) prevents the page from being displayed in a frame, mitigating clickjacking.

729
MCQmedium

A security analyst notices that a web application uses sequential numeric IDs for user accounts (e.g., /profile?id=1001). By changing the ID to 1002, the analyst can view another user's profile. Which vulnerability is present?

A.SQL injection
B.IDOR
C.Directory traversal
D.CSRF
AnswerB

IDOR occurs when an application exposes direct references to internal objects without proper access control.

Why this answer

This is an IDOR (Insecure Direct Object Reference) vulnerability, where direct access to objects is not properly restricted.

730
MCQmedium

An ethical hacker runs the command shown in the exhibit. Which of the following conclusions can be drawn from the output?

A.The domain has two mail exchange servers
B.The DNS server is configured to block zone transfers
C.Mail is automatically forwarded to a backup server
D.The domain has an SPF record configured
AnswerA

Two MX records indicate two servers.

Why this answer

The output shows two MX records for the domain, each with a preference value (10 and 20). MX records specify mail exchange servers, and the presence of two distinct entries indicates the domain has two mail exchange servers. The lower preference value (10) is the primary server, and the higher value (20) is a secondary or backup server.

Exam trap

The trap here is that candidates may assume multiple MX records imply automatic forwarding or failover, but in reality, the secondary server only receives mail if the primary is unreachable, and forwarding is a separate server-side configuration.

How to eliminate wrong answers

Option B is wrong because the output does not show any attempt to perform a zone transfer (e.g., using `dig axfr` or `nslookup -type=axfr`), nor does it include an error message or response indicating a zone transfer block; it only displays MX records. Option C is wrong because mail forwarding to a backup server is not automatically determined by the presence of multiple MX records; the backup server is explicitly configured with a higher preference value, and forwarding behavior depends on the mail server configuration, not the DNS records alone. Option D is wrong because the output shows only MX records, not TXT records; SPF records are stored in TXT records (or SPF RR type, though deprecated), and no TXT record is displayed in the output.

731
MCQhard

During a penetration test, you discover that the target organization uses a cloud-based email service. Which technique would allow you to gather employee email addresses and potentially infer internal organizational structure?

A.Perform a WHOIS lookup on the domain
B.Attempt a DNS zone transfer
C.Run an nmap scan against the mail server
D.Use Google dorking to find publicly exposed email lists
AnswerD

Google dorks can locate files containing email addresses.

Why this answer

Google dorking (advanced search operators) can uncover publicly exposed documents, such as PDFs or spreadsheets, that contain employee email addresses. These documents are often indexed by search engines and can reveal email patterns (e.g., first.last@company.com) and departmental groupings, allowing inference of the internal organizational structure without interacting directly with the target's infrastructure.

Exam trap

The trap here is that candidates often confuse active reconnaissance techniques (like DNS zone transfer or nmap scanning) with passive information gathering, assuming they are the primary way to collect email addresses, when in fact publicly indexed documents via Google dorking are a simpler and more effective passive method.

How to eliminate wrong answers

Option A is wrong because WHOIS lookup returns domain registration details (registrant, admin contact, name servers) but not employee email addresses or organizational structure. Option B is wrong because DNS zone transfer (AXFR request) is typically disabled on modern DNS servers; even if successful, it reveals hostnames and IP addresses, not employee email addresses. Option C is wrong because an nmap scan against the mail server identifies open ports and services (e.g., SMTP, IMAP) but does not extract email addresses or organizational hierarchy.

732
MCQeasy

Which of the following is a common indicator of a stored (persistent) Cross-Site Scripting (XSS) attack?

A.A script executes in the victim's browser without any server interaction
B.A script is permanently stored on the server and executed when users view a page
C.A script is executed when a user submits a form with malicious input
D.A script executes only after clicking a manipulated URL
AnswerB

Stored XSS persists on the server and affects all users viewing the content.

Why this answer

Option B is correct because stored (persistent) XSS occurs when malicious script is permanently stored on the server (e.g., in a database, comment field, or forum post) and is served to every user who views the affected page. The script executes in the victim's browser without requiring any additional interaction, as it is part of the page's HTML response from the server.

Exam trap

The trap here is that candidates confuse stored XSS with reflected XSS, mistakenly thinking that any script execution without user interaction (Option A) is stored XSS, when in fact stored XSS specifically requires the payload to be persisted on the server and served to multiple users.

How to eliminate wrong answers

Option A is wrong because it describes reflected XSS or DOM-based XSS, where the script executes without server interaction (e.g., via client-side JavaScript manipulation), but stored XSS requires the server to serve the stored payload. Option C is wrong because it describes a reflected XSS scenario where the script executes immediately upon form submission, not after being stored and later retrieved. Option D is wrong because it describes reflected XSS where the payload is in a manipulated URL and executes only after the victim clicks that link, not a persistent server-side storage.

733
MCQmedium

A security analyst runs `nbtstat -A 192.168.1.50` from a Windows command prompt and receives output showing a table with names like 'WORKGROUP<00>', 'PC01<20>', and 'USER<03>'. What is the MOST likely purpose of this command?

A.Perform a reverse DNS lookup
B.Display the NetBIOS name table of the remote host
C.Test connectivity to the remote host using ICMP
D.Enumerate DNS records for the domain
AnswerB

The -A option queries the remote host's NetBIOS name table by IP address.

Why this answer

The `nbtstat -A` command performs a NetBIOS name table lookup against a remote host using its IP address. The output shows NetBIOS names and their associated suffixes (e.g., <00> for Workstation service, <20> for File Server service, <03> for Messenger service), which are used for NetBIOS over TCP/IP (NBT) name resolution and service discovery. This is the correct purpose because the command specifically queries the remote host's NetBIOS name table, not DNS or ICMP.

Exam trap

The trap here is that candidates confuse `nbtstat -A` with DNS-related commands or ICMP-based tools, because they see an IP address in the command and assume it is performing a reverse lookup or connectivity test, rather than recognizing it as a NetBIOS-specific enumeration technique.

How to eliminate wrong answers

Option A is wrong because `nbtstat -A` does not perform a reverse DNS lookup; reverse DNS lookups are done with `nslookup` or `dig -x` and query PTR records in DNS, not NetBIOS names. Option C is wrong because testing connectivity using ICMP is the function of the `ping` command, not `nbtstat`, which operates at the NetBIOS session layer over TCP/UDP ports 137-139. Option D is wrong because enumerating DNS records for a domain is performed with tools like `nslookup`, `dig`, or `dnsrecon`, not with `nbtstat`, which only deals with NetBIOS names and their associated IP addresses on a local network segment.

734
MCQhard

A security analyst detects a file named 'invoice.pdf.exe' in an email attachment. When the file is submitted to VirusTotal, multiple engines detect it as a Trojan. The analyst wants to perform dynamic analysis to observe its behavior. Which approach is BEST?

A.Disassemble the file using IDA Pro to understand its code
B.Run 'strings' on the file and analyze the output
C.Execute the file in a sandboxed environment and monitor system calls
D.Submit the file again to VirusTotal for a second opinion
AnswerC

Dynamic analysis involves executing the malware and observing its behavior in a sandbox.

Why this answer

Dynamic analysis involves executing the malware in a controlled environment (sandbox) and monitoring its actions. Static analysis (strings, PEiD) examines the binary without execution. Submitting to VirusTotal is static, and disassembly is also static.

735
MCQmedium

A security analyst notices a high volume of ICMP Echo Reply packets on the network. The source IPs are varied, but the destination IP is the same. Which type of attack is MOST likely occurring?

A.UDP flood
B.Ping of Death
C.Smurf attack
D.ICMP flood
AnswerC

Correct. The large number of ICMP Echo Replies from multiple sources to a single target is characteristic of a Smurf attack.

Why this answer

A Smurf attack sends ICMP Echo Request packets to a network broadcast address with a spoofed source IP (the target). All hosts on the network reply to the target, flooding it with ICMP Echo Replies.

736
MCQeasy

Which cloud security assessment tool is specifically designed to audit AWS environments for misconfigurations and provides a detailed report of findings?

A.ScoutSuite
B.Pacu
C.Metasploit
D.Nmap
AnswerA

ScoutSuite audits cloud configurations and reports vulnerabilities.

Why this answer

ScoutSuite is an open-source tool that audits cloud environments (AWS, Azure, GCP) for security misconfigurations. It generates a comprehensive HTML report. Pacu is an exploitation framework, not an audit tool.

737
MCQeasy

During a vulnerability assessment, which of the following tools is a comprehensive vulnerability scanner that uses a plugin architecture to detect thousands of vulnerabilities?

A.Nessus
B.Wireshark
C.OpenVAS
D.Nmap
AnswerA

Nessus is a proprietary vulnerability scanner with a large plugin database.

Why this answer

Nessus is a comprehensive vulnerability scanner that uses a plugin-based architecture to detect thousands of vulnerabilities across a wide range of systems and services. Each plugin corresponds to a specific vulnerability check, and the Nessus engine executes them in sequence or in parallel against the target, making it highly extensible and up-to-date with the latest CVEs.

Exam trap

The trap here is that candidates confuse OpenVAS (an open-source alternative) with Nessus, but the CEH exam expects Nessus as the answer because it is the proprietary, commercial tool that originally defined the plugin-based vulnerability scanning paradigm and is widely referenced in official courseware.

How to eliminate wrong answers

Option B (Wireshark) is wrong because it is a network protocol analyzer that captures and inspects packets in real time, not a vulnerability scanner; it lacks a plugin architecture for vulnerability detection. Option C (OpenVAS) is wrong because while it is also a vulnerability scanner using a plugin-like feed (NVTs), the question asks for the tool that is 'comprehensive' and uses a 'plugin architecture' — Nessus is the industry-standard commercial tool that pioneered this model, and OpenVAS is its open-source fork, but the CEH exam specifically recognizes Nessus as the correct answer for this description. Option D (Nmap) is wrong because it is primarily a port scanner and network mapper that uses scripts (NSE) for limited vulnerability detection, not a comprehensive vulnerability scanner with a dedicated plugin architecture for thousands of vulnerabilities.

738
Multi-Selectmedium

Which TWO of the following are effective countermeasures against SNMP enumeration attacks? (Select 2)

Select 2 answers
A.Restrict SNMP access to trusted IP addresses using ACLs
B.Disable SNMP on all devices
C.Change default community strings to strong, unique values
D.Enable SNMPv3 with default passwords
E.Use SNMPv1 with community string 'private'
AnswersA, C

ACLs limit which hosts can query SNMP agents.

Why this answer

Restricting SNMP access to trusted IP addresses using ACLs is effective because it limits the attack surface by allowing only authorized management stations to query SNMP agents. This prevents unauthorized hosts from performing SNMP enumeration, even if they know the community string or exploit default configurations.

Exam trap

The trap here is that candidates may think disabling SNMP is always the best countermeasure, but the CEH exam expects you to recognize that practical environments need SNMP for monitoring, so ACLs and strong community strings are the realistic, effective countermeasures.

739
Multi-Selectmedium

Which TWO of the following are valid enumeration techniques used to identify user accounts on a system? (Select 2)

Select 2 answers
A.Port scanning with nmap
B.DNS zone transfer
C.SMTP VRFY command
D.SNMPwalk of the entire MIB
E.SMB enumeration using enum4linux
AnswersC, E

VRFY checks whether a user mailbox exists on the SMTP server.

Why this answer

SMTP VRFY (verifies user existence) and SMB enumeration (via tools like enum4linux) can both reveal user accounts. SNMPwalk retrieves system information but not directly usernames; DNS and port scanning do not enumerate users.

740
MCQhard

A penetration tester finds that a Linux binary has the SUID bit set and is owned by root. Which of the following does this indicate?

A.The binary is immutable and cannot be deleted
B.The binary can be executed only by the root user
C.The binary is a symbolic link to a root-owned file
D.The binary will run with root privileges when executed by any user
AnswerD

SUID bit causes the program to run with the file owner's permissions.

Why this answer

When the SUID (Set User ID) bit is set on a binary owned by root, the binary executes with the effective user ID of the file owner (root), regardless of which user runs it. This allows any user to run the binary with root privileges, which is why option D is correct. The SUID bit is represented by an 's' in the owner's execute position (e.g., -rwsr-xr-x).

Exam trap

The trap here is that candidates often confuse the SUID bit with execution restrictions (option B) or file immutability (option A), but the SUID bit specifically grants privilege escalation, not access control or file protection.

How to eliminate wrong answers

Option A is wrong because the SUID bit does not make a file immutable; immutability is controlled by the 'chattr +i' command, which sets the immutable attribute (i flag) on a Linux filesystem. Option B is wrong because the SUID bit allows any user to execute the binary, not just root; execution restrictions are enforced by file permissions (e.g., 700 for owner-only execute). Option C is wrong because the SUID bit is a permission attribute on the binary itself, not a property of symbolic links; symbolic links inherit the permissions of the target file, but the SUID bit is set on the binary, not the link.

741
MCQeasy

Which of the following is the BEST defense against Cross-Site Request Forgery (CSRF) attacks?

A.SameSite cookies
B.Input validation
C.Output encoding
D.CSRF tokens
AnswerD

CSRF tokens are the standard, most effective defense.

Why this answer

CSRF tokens are unique, unpredictable tokens that validate that requests originate from the legitimate site, effectively mitigating CSRF.

742
MCQmedium

A security team observes that a switch's MAC address table is full, and the switch has started flooding unicast traffic to all ports. Which attack has MOST likely been performed?

A.MAC flooding
B.ARP poisoning
C.MAC spoofing
D.DHCP starvation
AnswerA

MAC flooding uses many fake MAC addresses to overflow the CAM table, forcing the switch to flood traffic.

Why this answer

MAC flooding attacks fill the switch's CAM table, causing it to fail open and flood frames, enabling sniffing. MAC spoofing is about impersonating, ARP poisoning manipulates ARP caches, and DHCP starvation exhausts IP addresses.

743
MCQmedium

A security analyst detects multiple failed authentication attempts on a cloud-based SSH server from a single IP address. The analyst implements a rule to block that IP. However, the attacks continue from different IPs. Which additional control should be implemented to reduce the attack surface?

A.Disable password authentication and use SSH key-based authentication.
B.Install fail2ban to automatically block IPs after failures.
C.Implement rate-limiting on SSH connections per IP.
D.Change the SSH port to a non-standard port.
AnswerA

Keys are resistant to brute-force.

Why this answer

Disabling password authentication and enforcing SSH key-based authentication eliminates the attack vector of brute-forcing passwords entirely. Since the attacker is using multiple IPs to perform credential stuffing, blocking individual IPs (as done initially) or using tools like fail2ban only treats the symptom, not the root cause. Key-based authentication uses asymmetric cryptography (RSA/ECDSA/Ed25519) and is not susceptible to online guessing attacks, thus permanently reducing the attack surface.

Exam trap

The trap here is that candidates focus on reactive IP-blocking solutions (fail2ban, rate-limiting) or obscurity (port changing) instead of recognizing that the fundamental vulnerability is the use of passwords, which must be eliminated at the protocol level.

How to eliminate wrong answers

Option B (fail2ban) is wrong because it only blocks IPs after repeated failures, but the attacker is rotating through many IPs, so each new IP can still attempt logins before being blocked. Option C (rate-limiting per IP) is wrong because it similarly assumes a single source; with distributed IPs, each IP stays under the rate limit, allowing the attack to continue. Option D (changing the SSH port) is wrong because it only obscures the service via security through obscurity; an attacker scanning all ports will quickly discover the new port, and the password-based authentication remains vulnerable.

744
MCQmedium

Which of the following is a form of social engineering where an attacker physically follows an authorized person into a restricted area without proper authentication?

A.Pretexting
B.Baiting
C.Tailgating
D.Quid pro quo
AnswerC

Tailgating is physically following someone into a restricted area.

Why this answer

Tailgating (also known as piggybacking) is a physical social engineering attack where an unauthorized person follows an authorized individual into a restricted area, bypassing authentication mechanisms such as badge readers, PIN pads, or biometric scanners. The attacker exploits the natural courtesy of the authorized person holding the door open, thereby gaining physical access without any credential validation.

Exam trap

EC-Council often tests tailgating by contrasting it with pretexting or baiting, so the trap is confusing physical access attacks (tailgating) with psychological manipulation attacks (pretexting, baiting, quid pro quo) that do not require physical proximity.

How to eliminate wrong answers

Option A is wrong because pretexting involves fabricating a scenario or identity (e.g., impersonating IT support) to trick a target into divulging information, not physically following someone into a restricted area. Option B is wrong because baiting relies on offering something enticing (e.g., a malware-infected USB drive left in a parking lot) to lure a victim into performing an action, not physical proximity or door access. Option D is wrong because quid pro quo involves an attacker offering a service or benefit (e.g., 'free tech support') in exchange for sensitive information or access, not physically trailing an authorized person.

745
MCQhard

During a penetration test, you run the tool 'macof' against a switch. After a few seconds, the switch starts flooding frames out all ports. Which attack have you successfully executed, and what is the primary goal of this technique?

A.MAC flooding; to cause a switch to fail-open and act like a hub for sniffing
B.VLAN hopping; to gain access to a different VLAN
C.STP manipulation; to create a loop and cause a DoS
D.ARP poisoning; to intercept traffic between two hosts
AnswerA

macof floods with random MACs to exhaust CAM table, enabling sniffing.

Why this answer

MAC flooding sends many fake MAC addresses to overflow the switch's CAM table, forcing it into hub mode so the attacker can sniff traffic. The other options describe different attacks.

746
Multi-Selecteasy

Which TWO of the following are examples of session hijacking attacks? (Select 2)

Select 2 answers
A.DNS spoofing
B.Cookie theft
C.MAC flooding
D.TCP sequence prediction
E.ARP poisoning
AnswersB, D

Stealing session cookies allows an attacker to impersonate a user.

Why this answer

TCP sequence prediction and cookie theft are methods to hijack a session.

747
MCQmedium

Which tool can be used to perform ARP poisoning to intercept traffic between a victim and the default gateway?

A.Wireshark
B.Ettercap
C.tcpdump
D.Nmap
AnswerB

Ettercap supports ARP poisoning for MITM attacks.

Why this answer

Ettercap is a well-known tool for man-in-the-middle attacks, including ARP poisoning.

748
MCQmedium

A penetration tester finds that a web application includes files based on user input without proper validation. The tester supplies 'http://attacker.com/malicious.txt' and the application includes its content. Which vulnerability is this?

A.Directory traversal
B.Remote File Inclusion (RFI)
C.Local File Inclusion (LFI)
D.Server-Side Request Forgery (SSRF)
AnswerB

The application includes a remote file via HTTP, which is RFI.

Why this answer

Including a remote file from an attacker-controlled server is Remote File Inclusion (RFI).

749
MCQmedium

During a cloud security audit, a tool reports that an AWS IAM role has a policy allowing 'ec2:RunInstances' with a condition 'aws:SourceIp': '0.0.0.0/0'. What is the most immediate risk?

A.An attacker can delete all EC2 instances
B.An attacker can launch expensive EC2 instances from any IP
C.An attacker can modify VPC security groups
D.An attacker can read data from any S3 bucket
AnswerB

With unrestricted source IP, any authenticated user can launch instances, leading to resource abuse and cost.

Why this answer

The condition allows all IP addresses (0.0.0.0/0) to launch EC2 instances, meaning any user who can assume this role can create instances from anywhere, potentially for cryptocurrency mining or other malicious purposes.

750
Multi-Selectmedium

Which TWO tools are commonly used for enumerating NFS exports on a target system? (Select 2 correct answers)

Select 2 answers
A.enum4linux
B.nmap (with script nfs-ls)
C.smbclient
D.showmount
E.ldapsearch
AnswersB, D

nmap's nfs-ls script can list NFS exports.

Why this answer

B is correct because nmap's nfs-ls script is specifically designed to enumerate NFS exports by querying the NFS service (port 2049) and listing the available shares. It works by sending MOUNT protocol requests to the target, which reveals the exported file systems and their access permissions, making it a standard tool for NFS enumeration in penetration testing.

Exam trap

The trap here is that candidates often confuse SMB enumeration tools (like enum4linux or smbclient) with NFS enumeration tools, because both involve file sharing, but they operate on entirely different protocols (SMB vs. NFS/RPC) and require distinct command sets.

Page 9

Page 10 of 14

Page 11