Certified Ethical Hacker CEH (CEH) — Questions 751825

1010 questions total · 14pages · All types, answers revealed

Page 10

Page 11 of 14

Page 12
751
MCQmedium

You are an ethical hacker hired to assess the security of a mid-sized company's internal network. The company has three departments: Sales, Engineering, and HR, each on separate VLANs. The network uses a single firewall with default-deny rules, but inter-VLAN routing is allowed for specific ports (e.g., HR needs to access Sales database on TCP 1433). During reconnaissance, you discover that the Engineering VLAN has a web server running on port 80 that is accessible from all VLANs. You also find that the Sales VLAN has a file share (SMB) on port 445 that is accessible only from HR. The firewall logs show numerous failed SSH attempts from an external IP to the Engineering web server. Which action should you recommend as the most effective immediate step to reduce the attack surface?

A.Implement a password policy requiring complex passwords for all users.
B.Enable two-factor authentication on the web server.
C.Apply the latest security patches to the web server.
D.Restrict access to the Engineering web server to only the Engineering VLAN.
AnswerD

This immediately reduces the attack surface by limiting unnecessary access.

Why this answer

Option D is correct because the Engineering web server is unnecessarily exposed to all VLANs, including potentially compromised segments. By restricting access to only the Engineering VLAN, you eliminate the attack surface from the Sales and HR VLANs, which is the most immediate and effective reduction in exposure. This aligns with the principle of least privilege and network segmentation, directly mitigating the risk of lateral movement from other VLANs.

Exam trap

The trap here is that candidates focus on the external SSH attacks (which are irrelevant to internal VLAN exposure) and choose patching or authentication improvements, missing that the core issue is unnecessary network-level access from other internal segments.

How to eliminate wrong answers

Option A is wrong because implementing a complex password policy does not address the immediate risk of the web server being accessible from all VLANs; it is a general security hygiene measure that does not reduce the current attack surface. Option B is wrong because enabling two-factor authentication on the web server would protect authentication but does not prevent unauthorized network-level access from other VLANs; the server remains reachable and could still be targeted by exploits or reconnaissance. Option C is wrong because applying the latest security patches, while important, does not reduce the attack surface; the server remains exposed to all VLANs, and a zero-day or unpatched vulnerability could still be exploited from any segment.

752
MCQeasy

Which tool would an ethical hacker use to automatically generate a malicious USB drive that, when plugged in, executes a payload and connects back to the attacker?

A.Wireshark
B.Ettercap
C.USB Rubber Ducky
D.Metasploit
AnswerC

The USB Rubber Ducky is a keystroke injection tool that can be used for USB-based attacks.

Why this answer

The USB Rubber Ducky is a device that acts as a keyboard and can execute keystroke injection attacks. The other tools are not specifically designed for this purpose.

753
Multi-Selectmedium

Which TWO of the following are common weaknesses in IoT devices that are often exploited by attackers?

Select 2 answers
A.Use of hardware security modules (HSM)
B.Implementation of secure boot
C.Use of default or hard-coded credentials
D.Use of insecure protocols such as MQTT without TLS
E.Firmware update mechanism with signed updates
AnswersC, D

Correct: Many IoT devices ship with default usernames/passwords that are not changed.

Why this answer

Option C is correct because many IoT devices ship with default usernames and passwords (e.g., 'admin/admin') or hard-coded credentials embedded in firmware. Attackers can easily discover these through simple web searches or Shodan scans, then gain unauthorized access to the device and potentially the entire network.

Exam trap

EC-Council often tests the distinction between security controls (HSM, secure boot, signed updates) and actual vulnerabilities (default credentials, cleartext protocols), so candidates mistakenly select secure features as weaknesses.

754
MCQeasy

Which of the following is a type of malware that spreads by replicating itself across a network without requiring a host file?

A.Worm
B.Trojan
C.Ransomware
D.Virus
AnswerA

Worms are self-replicating and do not need a host file.

Why this answer

A worm is a standalone malware that replicates itself to spread to other computers, often via network vulnerabilities.

755
Multi-Selecthard

A pentester uses Burp Suite's Intruder to perform a brute-force attack on a login form. Which THREE of the following Intruder attack types would be appropriate for testing different payload combinations?

Select 3 answers
A.Pitchfork
B.Sniper
C.Direct
D.Cluster bomb
E.Battering ram
AnswersB, D, E

Sniper is used for single payload set, iterating over positions.

Why this answer

Sniper uses one payload set and iterates over positions sequentially. Battering ram uses one payload set for all positions simultaneously. Pitchfork uses multiple payload sets in parallel but each set must have the same number of payloads.

Cluster bomb uses multiple payload sets and tries all combinations.

756
MCQhard

During a security assessment, a tester runs hping3 with the command: hping3 -S -p 80 -c 5 10.0.0.1. The response shows that packets with the SYN flag set receive SYN-ACK replies. Which of the following conclusions is MOST accurate?

A.Port 80 is open on 10.0.0.1
B.A firewall is blocking the scan
C.Port 80 is closed on 10.0.0.1
D.The target is using a stateful firewall that allows the connection
AnswerA

A SYN-ACK response to a SYN packet indicates an open TCP port.

Why this answer

The hping3 command with the -S flag sends TCP SYN packets to port 80 on 10.0.0.1. Receiving SYN-ACK replies indicates that the target responded with the second step of the TCP three-way handshake, which only occurs when the port is open and listening. This confirms that port 80 is open on the target host.

Exam trap

The trap here is that candidates may confuse the SYN-ACK response with firewall behavior or closed port responses, but the correct interpretation is that a SYN-ACK directly indicates an open port per TCP specification.

How to eliminate wrong answers

Option B is wrong because a firewall blocking the scan would typically drop the packets or send ICMP unreachable messages, not respond with SYN-ACKs. Option C is wrong because a closed port would respond with RST packets, not SYN-ACKs, per RFC 793. Option D is wrong because while a stateful firewall might allow the connection, the SYN-ACK response itself is direct evidence that the port is open on the target host, not just a firewall behavior.

757
MCQmedium

A security analyst reviews logs and notices that an attacker crafted a packet with a source IP address matching the target's IP address, and sent it to a network's broadcast address. Which type of attack does this describe?

A.UDP flood
B.Ping of Death
C.Smurf attack
D.SYN flood
AnswerC

The Smurf attack uses a spoofed source IP (victim) and sends an ICMP echo request to the broadcast address, causing all devices to reply to the victim.

Why this answer

A Smurf attack sends a spoofed ICMP echo request to the broadcast address with the victim's IP as the source, causing all hosts to reply to the victim. The other options do not fit this description.

758
Multi-Selectmedium

During a web application penetration test, a tester discovers a file inclusion vulnerability. Which THREE of the following are potential impacts or exploitation scenarios? (Choose THREE.)

Select 3 answers
A.Disclosure of sensitive files like /etc/passwd
B.Remote code execution via log poisoning
C.Port scanning of internal network hosts
D.Denial of service by including large files
E.Session hijacking by including session files
AnswersA, B, E

LFI allows reading arbitrary files on the server.

Why this answer

LFI can lead to remote code execution (via log poisoning), local file disclosure (e.g., /etc/passwd), and session hijacking (by including session files). Port scanning is not a direct impact of file inclusion.

759
MCQmedium

A web developer wants to mitigate CSRF attacks. Which of the following configurations for cookies is most effective when combined with CSRF tokens?

A.HttpOnly flag
B.SameSite=Strict
C.Domain attribute
D.Secure flag
AnswerB

SameSite=Strict blocks cookies on cross-site requests, mitigating CSRF.

Why this answer

SameSite=Strict prevents the browser from sending cookies for cross-site requests, which blocks CSRF attacks.

760
Matchingmedium

Match each CEH phase to its key activity.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Gathering information about the target

Identifying live hosts, open ports, and services

Exploiting vulnerabilities to enter the system

Installing backdoors for persistent access

Clearing logs and hiding evidence

Why these pairings

These are the five phases of ethical hacking as per EC-Council.

761
Multi-Selecteasy

Which TWO of the following correctly describe aspects of the shared responsibility model in cloud computing?

Select 2 answers
A.The cloud provider is responsible for managing customer application encryption keys
B.The customer is responsible for network firewall configuration in PaaS
C.The customer is responsible for securing data stored in the cloud
D.The cloud provider is responsible for patching the guest operating system in IaaS
E.The cloud provider is responsible for physical security of data centers
AnswersC, E

Customers must protect their data through encryption, access controls, etc.

Why this answer

The customer is responsible for securing data and application configurations (security IN the cloud). The provider is responsible for the physical infrastructure (security OF the cloud). Option B is incorrect because customers are responsible for OS patching in IaaS.

Option E is wrong because providers do not manage customer-applied encryption.

762
MCQmedium

Which of the following is the most effective defense against Cross-Site Request Forgery (CSRF) attacks?

A.Content Security Policy (CSP)
B.CSRF tokens
C.Rate limiting
D.Input validation
AnswerB

CSRF tokens are the primary defense against CSRF attacks.

Why this answer

CSRF tokens are the most effective defense because they are unique, unpredictable values embedded in each form or request that the server validates. Without a valid token, the server rejects the request, preventing an attacker from forging a legitimate user's action even if the victim is authenticated.

Exam trap

EC-Council often tests the misconception that input validation or CSP can prevent CSRF, when in fact CSRF exploits the browser's automatic inclusion of credentials (cookies) and requires a server-side token or SameSite cookie attribute to verify request intent.

How to eliminate wrong answers

Option A is wrong because Content Security Policy (CSP) is primarily designed to mitigate XSS and data injection attacks by controlling resource loading, not to validate the origin or authenticity of state-changing requests. Option C is wrong because rate limiting only reduces the speed of repeated attacks but does not prevent a single forged request from being executed. Option D is wrong because input validation (e.g., sanitizing or escaping user input) addresses injection attacks like SQLi or XSS, not the lack of origin verification that CSRF exploits.

763
MCQmedium

An employee receives an email that appears to be from the CEO, asking the employee to urgently wire funds to a vendor. The email address is slightly misspelled. What type of social engineering attack is this?

A.Pharming
B.Spear phishing
C.Whaling
D.Vishing
AnswerC

Whaling targets senior executives or impersonates them.

Why this answer

This is a whaling attack because it specifically targets a high-profile individual (the CEO) to deceive another employee into performing a financial action. The slight misspelling of the email address is a classic whaling technique, as the attacker impersonates a senior executive to exploit authority and urgency. Unlike generic phishing, whaling focuses on C-level executives or decision-makers.

Exam trap

EC-Council often tests the distinction between spear phishing and whaling by emphasizing that whaling specifically targets senior executives, while spear phishing can target any individual or role within an organization.

How to eliminate wrong answers

Option A is wrong because pharming redirects users from legitimate websites to fraudulent ones by manipulating DNS or host files, not by sending deceptive emails. Option B is wrong because spear phishing targets a specific individual or organization but does not necessarily involve impersonating a senior executive; the key differentiator here is the impersonation of the CEO, which is the hallmark of whaling. Option D is wrong because vishing (voice phishing) uses phone calls or voice messages, not email, to trick victims.

764
MCQmedium

During a penetration test, you run `smtp-user-enum -M VRFY -U users.txt -t 10.0.0.10` and receive responses '252 2.5.2 User <username>' for some users and '550 5.1.1 User unknown' for others. What does this indicate?

A.The SMTP server is using EXPN instead of VRFY
B.The SMTP server is revealing valid usernames via the VRFY command
C.The SMTP server is vulnerable to command injection
D.The SMTP server is properly configured to prevent enumeration
AnswerB

The differing responses allow an attacker to identify valid users, which is a security issue.

Why this answer

The VRFY command in SMTP (RFC 821) asks the server to verify whether a mailbox exists. A response starting with '252' indicates the user is valid, while '550 5.1.1' means the user does not exist. By comparing these responses, the attacker can enumerate valid usernames on the mail server, which is exactly what the output shows.

Exam trap

EC-Council often tests the distinction between VRFY and EXPN, where candidates mistakenly think EXPN is being used when the output clearly shows VRFY responses, or they assume any non-250 response means the server is secure.

How to eliminate wrong answers

Option A is wrong because EXPN (expand) returns mailing list members, not individual user verification, and the tool explicitly used the VRFY command, not EXPN. Option C is wrong because command injection would require the server to execute arbitrary commands from the input, which is not indicated by standard VRFY responses. Option D is wrong because a properly configured server to prevent enumeration would either disable VRFY entirely or return a generic response (e.g., '252' for all users) to avoid revealing which users exist.

765
MCQmedium

An ethical hacker is testing a web application that uses cookies for session management. The tester notices that the session cookie does not have the HttpOnly or Secure flags set. Which attack is most likely to succeed due to this misconfiguration?

A.SQL injection
B.Cross-site request forgery (CSRF)
C.Session hijacking via cross-site scripting (XSS)
D.Clickjacking
AnswerC

XSS can steal cookies if HttpOnly is not set.

Why this answer

Option C is correct because the absence of the HttpOnly flag allows JavaScript to access the session cookie via `document.cookie`. An attacker can exploit a cross-site scripting (XSS) vulnerability to steal the cookie and perform session hijacking. The missing Secure flag further exposes the cookie to interception over unencrypted HTTP connections, making the attack easier to execute.

Exam trap

The trap here is that candidates often confuse CSRF with session hijacking, but CSRF does not require reading the cookie—it only requires the browser to automatically include it in requests, whereas XSS-based session hijacking directly steals the cookie value.

How to eliminate wrong answers

Option A is wrong because SQL injection exploits database query vulnerabilities, not cookie flag misconfigurations; it does not rely on cookie attributes. Option B is wrong because CSRF exploits the trust a site has in a user's browser, typically using forged requests, and does not require reading cookies; missing HttpOnly/Secure flags do not directly enable CSRF. Option D is wrong because clickjacking uses transparent overlays to trick users into clicking UI elements, and it does not involve stealing or accessing session cookies.

766
MCQmedium

During a penetration test, you run the following command: hping3 -S -p 80 --flood 192.168.1.100. What is the PRIMARY purpose of this command?

A.Banner grab the HTTP service on port 80
B.Fingerprint the operating system of the target
C.Perform a TCP connect scan to identify open ports
D.Execute a denial-of-service (DoS) attack against the target's web server
AnswerD

--flood sends packets rapidly, and -S sets SYN flag, causing a SYN flood DoS attack.

Why this answer

The command `hping3 -S -p 80 --flood 192.168.1.100` sends a high volume of TCP SYN packets to port 80 of the target without completing the three-way handshake. The `--flood` flag disables packet rate limiting, causing a rapid stream of SYN packets that exhausts the target's connection queue, effectively performing a SYN flood denial-of-service (DoS) attack against the web server.

Exam trap

The trap here is that candidates confuse a SYN flood DoS attack with a SYN scan (port scanning), but the `--flood` flag explicitly indicates a denial-of-service intent, not reconnaissance.

How to eliminate wrong answers

Option A is wrong because banner grabbing requires receiving and analyzing a service response, but `--flood` sends packets as fast as possible without waiting for replies, making banner capture impossible. Option B is wrong because OS fingerprinting relies on analyzing subtle differences in TCP/IP stack responses (e.g., TTL, window size), but the `--flood` mode overwhelms the target and does not collect or analyze response packets for fingerprinting. Option C is wrong because a TCP connect scan completes the three-way handshake (SYN, SYN-ACK, ACK), whereas this command only sends SYN packets and never completes the handshake, so it cannot identify open ports reliably.

767
Multi-Selectmedium

Which THREE of the following are valid methods for DDoS mitigation?

Select 3 answers
A.Rate limiting
B.Increasing server timeout values
C.Scrubbing centers
D.Disabling SYN cookies
E.Anycast routing
AnswersA, C, E

Rate limiting restricts the number of requests from a source, reducing attack impact.

Why this answer

DDoS mitigation strategies include rate limiting, using scrubbing centers, and anycast routing to distribute traffic.

768
MCQeasy

A penetration tester obtains a hash dump from a compromised Windows system and wants to crack LM and NTLM hashes quickly using precomputed tables. Which tool would be most efficient for this task?

A.Hashcat
B.John the Ripper
C.Ophcrack
D.RainbowCrack
AnswerC

Ophcrack uses rainbow tables to crack LM/NTLM hashes efficiently.

Why this answer

Option A is correct. Ophcrack is specifically designed to crack LM and NTLM hashes using rainbow tables. John the Ripper and Hashcat are also good but Ophcrack is optimized for Windows hashes and precomputed tables.

769
MCQeasy

A security analyst notices repeated failed login attempts from a single external IP address targeting the company's webmail portal. The attempts use common usernames like 'admin', 'user', and 'test'. Which type of social engineering attack is MOST likely being attempted?

A.Tailgating
B.Baiting
C.Pretexting
D.Phishing
AnswerC

Pretexting involves fabricating a scenario to trick the victim, which could include impersonating an IT admin to obtain credentials.

Why this answer

Pretexting involves creating a fabricated scenario to obtain information or access. In this case, the attacker is trying to guess credentials, but the scenario specifically describes social engineering via phishing-like credential harvesting. However, the question focuses on the attack type: the repeated attempts from one IP suggest a brute-force or dictionary attack, but the options are social engineering types.

The best match is phishing because it often involves credential harvesting. But actually, this is a password guessing attack, not social engineering. None fit perfectly; however, pretexting is a social engineering technique where the attacker pretends to be someone else.

The question might be flawed. I'll adjust the stem to better fit.

770
MCQmedium

A user reports that their system has become sluggish and they see pop-up advertisements even when no browser is open. Additionally, unknown processes are running in Task Manager. Which type of malware is most likely responsible?

A.Worm
B.Adware
C.Ransomware
D.Spyware
AnswerB

Adware is known for displaying unwanted advertisements and degrading system performance.

Why this answer

Adware displays unwanted advertisements and often comes bundled with other software, causing system slowdowns and pop-ups. Spyware may also cause ads but focuses on data theft. Ransomware encrypts files, and a worm spreads without user interaction.

771
Multi-Selectmedium

A penetration tester is enumerating services on a target Windows server. Which TWO tools are specifically designed for SMB enumeration? (Select two.)

Select 2 answers
A.John the Ripper
B.SNMPwalk
C.Nmap
D.enum4linux
E.smbclient
AnswersD, E

Why this answer

enum4linux and smbclient are tools that interact with SMB/CIFS services to enumerate shares, users, and other information. John the Ripper is a password cracker, Nmap is a port scanner (can perform SMB enumeration via scripts but is not specifically designed for it), and SNMPwalk is for SNMP.

772
MCQmedium

An attacker gains physical access to a restricted area by following an authorized employee through a secured door without swiping a badge. This technique is known as:

A.Tailgating
B.Pretexting
C.Quid pro quo
D.Baiting
AnswerA

Tailgating is following an authorized person through a secure entry.

Why this answer

Tailgating (or piggybacking) is when an unauthorized person follows an authorized person into a restricted area without proper authentication.

773
Multi-Selecthard

Which THREE of the following are indicators of a slowloris DDoS attack?

Select 3 answers
A.ICMP echo replies from random IPs
B.Normal traffic volume but connections remain open for a long time
C.Many half-open HTTP connections
D.Server logs showing incomplete HTTP requests
E.High volume of UDP packets
AnswersB, C, D

Slowloris maintains open connections for extended periods without completing the request.

Why this answer

B is correct because a Slowloris DDoS attack works by opening many connections to a target web server and keeping them open for as long as possible, sending partial HTTP requests to tie up server resources. This results in normal traffic volume but with connections that remain open for extended periods, preventing legitimate users from connecting.

Exam trap

The trap here is that candidates often associate DDoS attacks with high traffic volume, but Slowloris is a low-and-slow attack that uses normal traffic volume with persistent, incomplete connections, so they may incorrectly select high-volume options like A or E.

774
MCQmedium

A penetration tester is attempting to enumerate user accounts on a mail server. They connect to port 25 and issue the commands `VRFY root` and `EXPN support`. Which protocol is being targeted?

A.LDAP
B.SMTP
C.SMB
D.SNMP
AnswerB

Correct. VRFY and EXPN are SMTP commands used for user enumeration.

Why this answer

The commands VRFY and EXPN are SMTP (Simple Mail Transfer Protocol) commands defined in RFC 821 and RFC 5321. VRFY is used to verify whether a mailbox exists on the server, while EXPN expands a mailing list alias to reveal its members. Since the tester connected to port 25 (the default SMTP port) and issued these commands, SMTP is the protocol being targeted.

Exam trap

The trap here is that candidates may confuse SMTP commands with other protocol operations, such as associating VRFY with LDAP directory lookups or EXPN with SNMP expansion, because they focus on the word 'enumerate' rather than the specific port and command syntax.

How to eliminate wrong answers

Option A is wrong because LDAP (Lightweight Directory Access Protocol) uses port 389 or 636 for directory queries, not port 25, and its commands are based on LDAP operations like bind, search, and compare, not SMTP commands like VRFY or EXPN. Option C is wrong because SMB (Server Message Block) uses ports 139 and 445 for file and printer sharing, and its enumeration involves commands like net use or smbclient, not SMTP mail commands. Option D is wrong because SNMP (Simple Network Management Protocol) uses ports 161 and 162 for network device management via GET, SET, and TRAP operations, not SMTP commands on port 25.

775
MCQeasy

Which tool is specifically designed to crack Windows LAN Manager (LM) and NTLM hashes using rainbow tables?

A.John the Ripper
B.RainbowCrack
C.Hashcat
D.Ophcrack
AnswerD

Why this answer

Ophcrack is specifically designed to crack Windows LM and NTLM hashes using precomputed rainbow tables. It relies on the time-memory trade-off technique, where rainbow tables allow rapid reversal of hashes without brute-forcing each password individually. This makes it the correct choice for the scenario described.

Exam trap

The trap here is that candidates confuse 'rainbow table' tools with general hash crackers like Hashcat or John the Ripper, but the question specifically asks for a tool designed for Windows LM/NTLM hashes using rainbow tables, which is Ophcrack's unique niche.

How to eliminate wrong answers

Option A is wrong because John the Ripper is a general-purpose password cracker that supports many hash types and modes (dictionary, brute-force, incremental), but it does not natively use rainbow tables as its primary attack vector. Option B is wrong because RainbowCrack is a tool that generates and uses rainbow tables for hash cracking, but it is not specifically designed for Windows LM/NTLM hashes; it supports multiple hash algorithms (e.g., MD5, SHA1) and requires separate table generation. Option C is wrong because Hashcat is a high-speed GPU-accelerated password recovery tool that supports many hash modes (including NTLM), but it relies on dictionary, brute-force, or rule-based attacks, not precomputed rainbow tables.

776
Drag & Dropmedium

Drag and drop the steps to configure a firewall rule in iptables to block incoming SSH traffic into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First check rules, add drop rule, verify, save, then test.

777
Multi-Selecthard

A penetration tester is performing a check for HTTP response splitting. Which THREE of the following conditions must be present for this attack to succeed?

Select 3 answers
A.The application reflects user input in the HTTP response headers
B.The application reflects user input in the HTTP response body
C.The application uses HTTPS exclusively
D.The attacker can inject multiple header lines to create a second HTTP response
E.The application does not sanitize or encode CRLF sequences (%0d%0a)
AnswersA, D, E

Input must be placed in headers for CRLF injection.

Why this answer

HTTP response splitting requires that attacker input is reflected in the response headers (e.g., via CRLF injection). The application must not sanitize CRLF sequences. The attacker can then inject headers to separate the response into two HTTP responses, enabling cache poisoning or XSS.

778
MCQeasy

An employee receives an SMS message that claims to be from the IT department, asking the employee to click a link to verify their email account. Which social engineering attack is this?

A.Vishing
B.Phishing
C.SMiShing
D.Whaling
AnswerC

SMiShing is SMS phishing.

Why this answer

SMiShing is phishing via SMS text messages.

779
Multi-Selectmedium

Which THREE of the following are common techniques used in the 'Cracking passwords' phase of system hacking? (Select 3)

Select 3 answers
A.Brute force attack
B.Rainbow table attack
C.Keylogging
D.Social engineering
E.Dictionary attack
AnswersA, B, E

Brute force tries all possible character combinations.

Why this answer

A brute force attack systematically tries every possible combination of characters until the correct password is found. This is a fundamental technique in the password cracking phase, often used when no prior knowledge of the password exists. It is computationally expensive but guaranteed to succeed given enough time.

Exam trap

The trap here is confusing password capturing techniques (like keylogging or social engineering) with password cracking techniques that operate on captured hashes or encrypted passwords.

780
MCQmedium

During a penetration test, you gain access to a Linux server as a low-privileged user. Which of the following is an effective technique to escalate privileges by exploiting misconfigured file permissions?

A.Pass-the-hash
B.Token impersonation
C.SUID/GUID abuse
D.Kerberoasting
AnswerC

SUID/GUID binaries can allow privilege escalation if misconfigured.

Why this answer

SUID (Set User ID) and GUID (Group ID) bits allow a binary to execute with the privileges of the file owner (often root) rather than the calling user. If a low-privileged user can run a binary with the SUID bit set that performs unsafe operations (e.g., spawning a shell, reading arbitrary files, or executing commands), they can leverage it to gain root-level access. This is a classic privilege escalation vector on Linux systems when file permissions are misconfigured.

Exam trap

The trap here is that candidates may confuse SUID/GUID abuse with Windows-specific techniques like token impersonation or pass-the-hash, because the CEH exam often intermixes cross-platform attack vectors to test your ability to match the technique to the correct operating system.

How to eliminate wrong answers

Option A is wrong because pass-the-hash is a Windows-based attack that reuses NTLM hashes to authenticate to remote systems; it does not apply to Linux file permission misconfigurations. Option B is wrong because token impersonation is a Windows privilege escalation technique that manipulates access tokens (e.g., SeImpersonatePrivilege) to assume another user's identity; it is not relevant to Linux SUID/GUID abuse. Option D is wrong because Kerberoasting is an Active Directory attack that requests Kerberos service tickets to crack service account passwords; it targets Windows domain environments, not local Linux file permissions.

781
MCQhard

A penetration tester runs the following command: `macof -i eth0 -s 192.168.1.100 -d 10.0.0.1`. Which attack is being performed?

A.DNS spoofing
B.ARP poisoning
C.MAC flooding
D.DHCP starvation
AnswerC

macof is specifically designed for MAC flooding attacks.

Why this answer

Macof is a tool used for MAC flooding, which fills the switch's CAM table with fake MAC addresses, causing it to fail open and broadcast traffic to all ports.

782
MCQmedium

A penetration tester uses the tool 'Pacu' during an AWS security assessment. Which phase of testing is Pacu most commonly associated with?

A.Reporting and documentation
B.Vulnerability scanning
C.Exploitation and post-exploitation
D.Reconnaissance
AnswerC

Pacu provides modules for privilege escalation, backdooring, and lateral movement in AWS environments.

Why this answer

Pacu is an exploitation framework for AWS, used after initial access to escalate privileges, pivot, and maintain access. It is not typically used for initial reconnaissance (Nmap, ScoutSuite) or reporting.

783
MCQeasy

Which of the following is the PRIMARY purpose of banner grabbing during the reconnaissance phase?

A.To determine the version of a running service
B.To discover open ports
C.To identify the operating system
D.To map the network topology
AnswerA

Banners often include version strings, allowing identification of specific service versions.

Why this answer

Banner grabbing is a technique used to extract service banners that often include software name and version details. The primary purpose is to determine the version of a running service, as this information allows an attacker to identify known vulnerabilities specific to that version for further exploitation.

Exam trap

The trap here is that candidates confuse banner grabbing with OS fingerprinting or port scanning, but the CEH exam specifically tests that banner grabbing's primary goal is service version identification, not OS detection or port discovery.

How to eliminate wrong answers

Option B is wrong because discovering open ports is accomplished through port scanning (e.g., SYN scan, TCP connect scan), not banner grabbing, which occurs after a port is already known to be open. Option C is wrong because while banner information can sometimes hint at the OS, the primary and direct purpose of banner grabbing is to identify the service version, not the OS; OS detection is typically done via TCP/IP stack fingerprinting (e.g., nmap -O). Option D is wrong because mapping network topology involves techniques like traceroute, SNMP sweeps, or analyzing routing tables, not banner grabbing, which only interacts with a single service on a single host.

784
Multi-Selectmedium

Which TWO of the following are effective defenses against SQL injection attacks?

Select 2 answers
A.Implementing stored procedures with dynamic SQL
B.Disabling error messages
C.Using an ORM that generates parameterized queries
D.Using prepared statements with parameterized queries
E.Escaping user input with addslashes()
AnswersC, D

ORMs often use parameterization, providing defense.

Why this answer

Prepared statements (parameterized queries) and stored procedures (if properly parameterized) prevent SQL injection by separating data from code.

785
MCQmedium

An attacker uses the Social Engineering Toolkit (SET) to send a malicious email to employees of a company, claiming to be from IT support and urging them to click a link to reset their password. Which social engineering attack is being performed?

A.Vishing
B.Phishing
C.Baiting
D.SMiShing
AnswerB

Correct. This is a classic phishing attack via email.

Why this answer

Phishing is the broad category of sending fraudulent emails to trick recipients. Using SET for email campaigns is a common phishing technique.

786
Multi-Selectmedium

Which THREE of the following are types of cryptanalytic attacks? (Choose three.)

Select 3 answers
A.Differential cryptanalysis
B.Rainbow table attack
C.Linear cryptanalysis
D.Brute-force attack
E.Replay attack
AnswersA, C, D

Analyzes how differences in plaintext affect differences in ciphertext.

Why this answer

Differential cryptanalysis is a chosen-plaintext attack that analyzes how differences in plaintext pairs affect the resulting ciphertext differences, exploiting statistical biases to recover the encryption key. It is a fundamental cryptanalytic technique, particularly effective against block ciphers like DES.

Exam trap

EC-Council often tests the distinction between cryptanalytic attacks (which target the cipher's mathematical structure) and other attack types like hash precomputation or protocol-level attacks, so candidates mistakenly classify rainbow table or replay attacks as cryptanalytic.

787
MCQhard

You are a security consultant hired by a mid-sized company with 500 employees. The company has a central office with a lobby, reception, and two secure areas: the server room (requires keycard and PIN) and the executive floor (requires keycard only). Recently, employees have reported seeing unfamiliar people in restricted areas. Security logs show keycard access for the server room only during business hours, but no anomalies. However, the executive floor logs show multiple entries by a single employee, John from Sales, at odd hours. John claims he was working late. The company has a policy that all employees must wear ID badges visibly. You observe that employees often hold doors open for colleagues, and the receptionist does not verify visitor badges. Which of the following actions should you recommend FIRST to address the most likely attack vector?

A.Investigate John's activities and consider disciplinary action
B.Upgrade keycard readers to biometric scanners
C.Implement mantraps and enforce a policy of one person per keycard entry
D.Install additional CCTV cameras in hallways
AnswerC

Mantraps physically prevent tailgating, addressing the most likely attack vector.

Why this answer

The most likely attack vector is tailgating (piggybacking), where unauthorized individuals gain physical access by following an authorized employee through a secured door without using their own credentials. Option C directly addresses this by implementing mantraps (a small room with two interlocking doors that only allows one person to pass at a time) and enforcing a strict one-person-per-keycard-entry policy, which physically prevents tailgating. This is the first and most effective control because it mitigates the root cause—social engineering exploiting human courtesy—rather than focusing on symptoms like John's after-hours access or adding surveillance that doesn't prevent the act.

Exam trap

EC-Council often tests the distinction between authentication (e.g., biometrics) and access control (e.g., mantraps), and the trap here is that candidates confuse improving credential verification with preventing the social engineering technique of tailgating, leading them to choose a more expensive but ineffective solution like biometric readers.

How to eliminate wrong answers

Option A is wrong because investigating John's activities focuses on a single employee's behavior (which may be legitimate) rather than addressing the systemic vulnerability of tailgating that allows unfamiliar people into restricted areas. Option B is wrong because upgrading to biometric scanners improves authentication but does not prevent tailgating; an unauthorized person can still follow an authenticated employee through the door after the biometric scan. Option D is wrong because installing additional CCTV cameras only provides passive monitoring and evidence collection after an incident, not active prevention of the tailgating attack vector.

788
MCQmedium

A penetration tester attempts a SQL injection on a login form and receives no error messages, but notices a delay in the server response when injecting ' OR SLEEP(5)--. Which type of SQL injection is this?

A.Union-based SQL injection
B.Boolean-based blind SQL injection
C.Time-based blind SQL injection
D.Error-based SQL injection
AnswerC

The SLEEP function causes a delay, confirming time-based injection.

Why this answer

Time-based blind SQL injection relies on inducing a time delay to infer the truth of a condition, as no error or data is returned.

789
MCQmedium

A security analyst runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?

A.Perform an aggressive scan of all open ports and enumerate SMB shares
B.Perform a TCP SYN scan on four ports, detect service versions, and attempt OS fingerprinting
C.Perform a UDP scan on the four specified ports and identify running services
D.Perform a full TCP connect scan with UDP service detection on all ports
AnswerB

-sS = SYN/stealth scan, -sV = version detection, -O = OS fingerprinting, -p 22,80,443,3389 = scan only these four ports. This is a targeted reconnaissance scan.

Why this answer

Option B is correct because the command `nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24` performs a TCP SYN scan (`-sS`) on only the four specified ports, enables service version detection (`-sV`), and attempts OS fingerprinting (`-O`). This is a stealthy half-open scan that does not complete the TCP three-way handshake, combined with banner grabbing and OS detection, limited to the given port list.

Exam trap

The trap here is that candidates confuse `-sS` (SYN scan) with a full connect scan or UDP scan, or assume that specifying `-p` implies scanning all ports, when in fact it limits the scan to only the listed ports.

How to eliminate wrong answers

Option A is wrong because the command does not include `-A` (aggressive scan) nor any SMB enumeration flags like `--script smb-enum-shares`; it only scans four specific ports, not all open ports. Option C is wrong because `-sS` specifies a TCP SYN scan, not a UDP scan; a UDP scan would require `-sU`. Option D is wrong because `-sS` is a half-open SYN scan, not a full TCP connect scan (which uses `-sT`), and the command does not include UDP service detection or scan all ports.

790
MCQmedium

An employee receives an email that appears to be from the CEO, requesting an urgent wire transfer. The email address is slightly misspelled (e.g., ceo@cornpany.com instead of ceo@company.com). This is an example of which type of attack?

A.Whaling
B.Phishing
C.Pretexting
D.Spear phishing
AnswerD

Spear phishing is a targeted attack using personalized information.

Why this answer

Spear phishing targets a specific individual with a tailored message, often impersonating a trusted figure. Whaling targets high-profile individuals but is a subset of spear phishing. Pretexting involves creating a fabricated scenario, but here the impersonation is through email.

The attack is spear phishing because it targets a specific employee with a custom lure.

791
MCQmedium

Which of the following best describes a Server-Side Request Forgery (SSRF) attack?

A.An attacker tricks the server into making requests to internal or external resources
B.An attacker sends a malicious script that executes in a user's browser
C.An attacker forges HTTP requests to perform actions on behalf of an authenticated user
D.An attacker injects SQL commands into a database query
AnswerA

SSRF involves the server making requests on behalf of the attacker, often to internal systems.

Why this answer

A Server-Side Request Forgery (SSRF) attack occurs when an attacker manipulates a vulnerable server into making HTTP requests to arbitrary destinations, often bypassing network segmentation to access internal resources (e.g., 127.0.0.1, RFC 1918 addresses) or external services. The server acts as a proxy, allowing the attacker to interact with systems that are not directly reachable, such as cloud metadata endpoints (e.g., AWS http://169.254.169.254/latest/meta-data/) or internal databases.

Exam trap

The trap here is that candidates often confuse SSRF with CSRF (Option C) because both involve forged requests, but SSRF targets the server's ability to make requests to internal resources, while CSRF targets the user's browser to perform actions on their behalf.

How to eliminate wrong answers

Option B is wrong because it describes Cross-Site Scripting (XSS), where malicious scripts execute in a user's browser, not server-side requests. Option C is wrong because it describes Cross-Site Request Forgery (CSRF), where an attacker forges requests to perform actions on behalf of an authenticated user, but the server is tricked into sending requests to internal resources, not the user's browser. Option D is wrong because it describes SQL injection, where malicious SQL commands are injected into a database query, not HTTP requests made by the server.

792
MCQmedium

During a penetration test, a tester captures network traffic and notices a large number of ARP replies claiming that 192.168.1.1 is at MAC address 00:11:22:33:44:55, which is different from the legitimate gateway MAC. Which attack is likely in progress?

A.Session hijacking
B.ARP poisoning
C.MAC flooding
D.DNS spoofing
AnswerB

Forged ARP replies bind the attacker's MAC to the gateway IP, allowing interception of traffic.

Why this answer

ARP spoofing (or ARP poisoning) involves sending forged ARP replies to associate the attacker's MAC with the IP of a legitimate host (here, the gateway). This enables MITM attacks.

793
Drag & Dropmedium

Drag and drop the steps to recover a forgotten Windows administrator password using a bootable Linux USB into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Boot, mount, navigate, replace file, reboot to exploit.

794
Multi-Selectmedium

A security analyst is planning a reconnaissance activity that must remain undetected. Which TWO of the following techniques should they choose?

Select 2 answers
A.Engage in social engineering to extract network diagrams from employees
B.Gather information from public OSINT sources like Shodan and social media
C.Conduct a passive reconnaissance by analyzing DNS records without querying the target's DNS servers directly
D.Use Nmap with default scripts to enumerate services
E.Perform a full TCP connect scan on all ports
AnswersB, C

OSINT uses publicly available data without contacting the target, making it undetectable.

Why this answer

Option B is correct because OSINT sources like Shodan and social media provide publicly available information without interacting with the target's systems, keeping the reconnaissance passive and undetected. Option C is correct because passive reconnaissance via DNS records (e.g., using cached or third-party DNS databases) avoids querying the target's authoritative DNS servers, thus not generating logs or alerts on the target's infrastructure.

Exam trap

The trap here is that candidates often confuse 'passive reconnaissance' with 'stealth scanning,' assuming that techniques like SYN scan or Nmap's default scripts are undetected, when in fact any direct packet transmission to the target is active and detectable.

795
MCQeasy

Which OWASP Top 10 (2021) category describes the vulnerability where an application allows an attacker to include a remote file from an external server, leading to code execution or data disclosure?

A.Security Misconfiguration (A05:2021)
B.Injection (A03:2021)
C.Broken Access Control (A01:2021)
D.Cryptographic Failures (A02:2021)
AnswerB

Injection includes SQL, OS, and LDAP injection, as well as file inclusion vulnerabilities like RFI.

Why this answer

Injection (A03:2021) covers various injection flaws, including Remote File Inclusion (RFI). RFI is a type of injection where user input is used to include a remote file, leading to code execution.

796
MCQmedium

A penetration tester is assessing an organization's physical security. The tester wants to gain unauthorized access to a secured server room that uses a biometric fingerprint scanner. Which of the following techniques would be MOST effective for bypassing the biometric scanner?

A.Shoulder surfing the authorized user's fingerprint pattern
B.Picking the lock on the server room door
C.Using a gelatin mold of an authorized user's fingerprint
D.Tailgating behind an authorized employee
AnswerC

Gelatin molds can create replicas of fingerprints that may be accepted by some scanners.

Why this answer

Option C is correct because gelatin molds can replicate the exact ridge and valley patterns of a fingerprint, which many capacitive and optical fingerprint scanners read. This bypasses the biometric authentication without requiring the user's cooperation, making it the most direct method to defeat the scanner itself.

Exam trap

The trap here is that candidates often choose tailgating (Option D) as the easiest social engineering method, but the question specifically asks for bypassing the biometric scanner, not the door lock or human controls.

How to eliminate wrong answers

Option A is wrong because shoulder surfing captures only a visual pattern, not the three-dimensional ridge details or capacitance differences needed to spoof a fingerprint scanner. Option B is wrong because picking the lock bypasses the door lock but does not address the biometric scanner, which would still need to be defeated to gain access. Option D is wrong because tailgating relies on following an authorized person through the door, but it does not bypass the biometric scanner itself and may be prevented by mantraps or security awareness.

797
MCQmedium

During a wireless penetration test, the tester runs `airodump-ng wlan0mon` and sees numerous beacon frames from a network. The tester then sends deauthentication packets using `aireplay-ng -0 5 -a <BSSID> wlan0mon`. What is the PRIMARY purpose of this deauthentication attack?

A.To crash the access point and cause a denial of service
B.To force a client to reconnect and capture the WPA/WPA2 handshake
C.To obtain the WPS PIN of the access point
D.To perform a rogue AP attack by spoofing the BSSID
AnswerB

Correct: The attack forces reauthentication, enabling capture of the 4-way handshake for cracking.

Why this answer

Deauthentication attacks force clients to reconnect, allowing capture of the WPA/WPA2 4-way handshake during reconnection, which is needed for offline cracking.

798
MCQmedium

A network administrator notices that the switch's CAM table is full, causing the switch to flood all incoming traffic out of all ports. Which attack is MOST likely occurring?

A.ARP poisoning
B.DHCP starvation
C.DNS spoofing
D.MAC flooding
AnswerD

Correct. MAC flooding fills the CAM table, causing flooding.

Why this answer

MAC flooding sends many Ethernet frames with different source MAC addresses to fill the switch's CAM table, forcing it into hub mode (flooding all traffic).

799
MCQhard

A security auditor is assessing the physical security of a corporate office building that houses a data center. The building has a single main entrance with a reception desk staffed during business hours (8 AM to 6 PM). After hours, employees use a keycard reader to access the building. The data center itself requires a separate keycard and a 6-digit PIN. The auditor notices that during lunch hours (12-1 PM), the reception desk is often unattended, and employees frequently hold the door for others to avoid using their keycard. Additionally, a recent social engineering test revealed that an attacker was able to call the help desk, claim to be a new employee, and request a password reset, which was granted without proper verification. Based on this scenario, which of the following is the MOST effective combination of controls to mitigate both the physical and social engineering weaknesses?

A.Install a mantrap at the main entrance and require two-factor authentication for the data center door.
B.Install a mantrap at the main entrance and require multi-factor authentication (MFA) for all password reset requests.
C.Deploy security guards at the entrance 24/7 and implement a policy that all visitors must be escorted.
D.Implement a callback verification process for all password reset requests and require a manager approval.
AnswerB

Mantrap prevents physical tailgating; MFA on password resets mitigates social engineering.

Why this answer

Option B is correct because it addresses both weaknesses: a mantrap prevents tailgating at the main entrance (physical security), and requiring MFA for password reset requests mitigates the social engineering attack by adding an authentication factor beyond just a phone call. This combination directly counters the observed vulnerabilities—unattended reception and weak identity verification—without over-engineering or leaving gaps.

Exam trap

The trap here is that candidates focus on the most obvious single weakness (e.g., tailgating or password reset) and choose a control that only fixes that one, missing the requirement for a combination that addresses both physical and social engineering flaws simultaneously.

How to eliminate wrong answers

Option A is wrong because while a mantrap stops tailgating, requiring two-factor authentication only for the data center door does nothing to prevent the social engineering attack on the help desk (password reset). Option C is wrong because deploying 24/7 guards and an escort policy is costly and does not address the social engineering weakness; the attacker called the help desk, not the physical entrance. Option D is wrong because a callback verification process and manager approval only address the social engineering vector, leaving the physical tailgating problem during lunch hours completely unmitigated.

800
MCQmedium

A penetration tester uses SQLMap with the following command: sqlmap -u 'http://target.com/page?id=1' --batch --dbs. Which of the following best describes what this command will do?

A.Enumerate all database names in non-interactive mode
B.Dump the entire contents of the current database
C.Perform a time-based blind SQL injection to extract data
D.Enumerate all tables in all databases
AnswerA

--dbs tells SQLMap to list the available databases, and --batch runs automatically without manual prompts.

Why this answer

--dbs enumerates database names; --batch uses default options without interactive input.

801
Multi-Selecthard

Which THREE of the following are effective DDoS mitigation techniques? (Select 3)

Select 3 answers
A.Rate limiting
B.Scrubbing centers
C.Blackholing all traffic to the target
D.IP spoofing
E.Anycast network distribution
AnswersA, B, E

Correct. Rate limiting can throttle attack traffic.

Why this answer

Scrubbing centers filter malicious traffic, rate limiting reduces impact, and anycast distribution spreads traffic across multiple servers. Blackholing drops all traffic (including legitimate), and IP spoofing is an attack technique.

802
MCQmedium

A security engineer is concerned about DNS zone transfer attacks. Which of the following countermeasures would be MOST effective in preventing unauthorized zone transfers?

A.Restrict zone transfers to authorized IP addresses only
B.Use DNSSEC to sign the zone
C.Change the default port of 53 to a non-standard port
D.Disable DNS recursion on the server
AnswerA

This limits zone transfer requests to trusted secondary servers, preventing unauthorized parties from obtaining the zone data.

Why this answer

Restricting zone transfers to authorized IP addresses only is the most effective countermeasure because it directly controls which DNS servers are allowed to request a full copy of the zone data. By configuring an allow-transfer list (e.g., using the 'allow-transfer { trusted_servers; };' directive in BIND), the primary DNS server will reject zone transfer requests from any unauthorized IP, preventing attackers from enumerating all DNS records.

Exam trap

The trap here is that candidates often confuse DNSSEC (which protects data integrity) with access control mechanisms, or they mistakenly think disabling recursion or changing ports will prevent zone transfers, when in fact zone transfers are controlled by explicit authorization settings on the authoritative server.

How to eliminate wrong answers

Option B is wrong because DNSSEC (DNS Security Extensions) provides data integrity and authentication through digital signatures, but it does not control or restrict the ability to perform a zone transfer; it only ensures that the zone data has not been tampered with. Option C is wrong because changing the default port of 53 to a non-standard port is not a viable countermeasure; DNS clients and servers expect port 53, and changing it would break normal DNS resolution, while an attacker can easily scan for the new port. Option D is wrong because disabling DNS recursion prevents the server from resolving queries for external domains on behalf of clients, but it does not affect the server's ability to perform or allow zone transfers, which are a separate function of authoritative DNS servers.

803
MCQeasy

Which Burp Suite tool is specifically designed to intercept and modify HTTP(S) traffic between the browser and the target web application?

A.Intruder
B.Scanner
C.Repeater
D.Proxy
AnswerD

Burp Proxy captures and allows modification of HTTP/HTTPS traffic in real-time.

Why this answer

Burp Proxy is the component that intercepts and allows modification of requests/responses in transit.

804
Multi-Selectmedium

During a penetration test, an analyst detects that an SNMP agent on a network device is using the default community string 'public'. Which TWO actions can the analyst perform using this information? (Choose TWO.)

Select 2 answers
A.Enumerate user accounts and system details
B.Extract encrypted passwords from the device
C.Write new configuration to the device
D.Perform SNMPwalk to enumerate the MIB tree
E.Disable the SNMP agent remotely
AnswersA, D

MIB values often contain system info and user list.

Why this answer

With 'public' (read-only) access, the analyst can read MIB values (SNMPwalk) and enumerate system information using tools like snmpcheck. Writing is not possible with read-only community.

805
Multi-Selectmedium

A penetration tester is assessing the security of a cloud application and discovers that it is vulnerable to Server-Side Request Forgery (SSRF). Which TWO of the following are potential impacts of this vulnerability?

Select 2 answers
A.Ability to perform a man-in-the-middle attack on the user's browser
B.Access to cloud instance metadata (e.g., AWS IMDS)
C.Direct modification of DNS records
D.Remote code execution on internal servers
E.Direct access to the database without authentication
AnswersB, D

Correct: SSRF can query internal metadata services to retrieve credentials.

Why this answer

SSRF can allow access to internal services (like metadata endpoints) and potentially lead to remote code execution if internal services are compromised.

806
MCQeasy

A security analyst wants to gather information about a target domain using public records without directly interacting with the target's systems. Which technique is the analyst employing?

A.Vulnerability scanning
B.OSINT using WHOIS queries
C.Active reconnaissance
D.Social engineering
AnswerB

WHOIS is a passive OSINT technique that retrieves domain registration details without contacting the target servers.

Why this answer

OSINT (Open Source Intelligence) using WHOIS queries is a passive reconnaissance technique that gathers domain registration details from public WHOIS databases without interacting with the target's systems. This aligns with the requirement to use public records and avoid direct contact, making it the correct choice for footprinting.

Exam trap

EC-Council often tests the distinction between active and passive reconnaissance, and the trap here is that candidates confuse WHOIS queries with active techniques because they involve sending a query, but since the query goes to a public third-party database (not the target's systems), it remains passive.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning actively sends probes and packets to the target's systems to identify weaknesses, which directly interacts with the target and is not passive. Option C is wrong because active reconnaissance involves direct interaction with the target's systems (e.g., port scanning, ping sweeps), which violates the 'without directly interacting' condition. Option D is wrong because social engineering involves manipulating human targets through direct or indirect communication (e.g., phishing calls), which is an active technique and not based on public records.

807
MCQhard

A security analyst is tasked with performing passive reconnaissance on a target organization. Which of the following is the BEST approach to gather information about the target's technology stack without directly interacting with the target's systems?

A.Engage in social engineering via phone calls
B.Use Shodan to search for target infrastructure
C.Initiate a DNS zone transfer request
D.Perform a port scan with Nmap
AnswerB

Shodan indexes public data passively.

Why this answer

Shodan is a search engine that indexes banners from internet-connected devices, allowing an analyst to discover a target's exposed services, open ports, and technology stack (e.g., web servers, SSH versions, IoT devices) without sending any packets to the target's systems. This makes it a purely passive reconnaissance technique, as it relies on Shodan's pre-collected data rather than direct interaction.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance, and the trap here is that candidates confuse Shodan (a passive, third-party data source) with active tools like Nmap or DNS zone transfers, which require direct interaction with the target's systems.

How to eliminate wrong answers

Option A is wrong because social engineering via phone calls involves direct interaction with the target's employees, which is an active technique and risks alerting the target. Option C is wrong because initiating a DNS zone transfer request sends a query to the target's DNS server, which is an active interaction that can be logged and often fails due to RFC 1035 restrictions (zone transfers are typically disabled). Option D is wrong because performing a port scan with Nmap sends packets directly to the target's IP addresses, making it an active reconnaissance method that can be detected by intrusion detection systems.

808
MCQhard

During a penetration test, the tester runs `ldapsearch -x -H ldap://192.168.1.20 -b 'dc=domain,dc=com' '(objectclass=*)'`. The output reveals user objects with 'userPassword' attributes in clear text. Which type of enumeration is being performed, and what is the security implication?

A.NFS enumeration; it indicates that NFS shares are world-readable
B.LDAP enumeration; it indicates that the LDAP server stores passwords in plaintext, posing a credential theft risk
C.SNMP enumeration; it indicates that the community string is weak
D.SMTP enumeration; it indicates that the mail server is misconfigured
AnswerB

Correct identification and implication.

Why this answer

The `ldapsearch` command is used to query an LDAP directory service. The option `-x` specifies simple authentication, and the filter `(objectclass=*)` retrieves all entries. The output revealing `userPassword` attributes in clear text indicates that the LDAP server is storing passwords in plaintext, which is a severe security risk because an attacker can directly harvest credentials for lateral movement or privilege escalation.

Exam trap

The trap here is that candidates may confuse the `ldapsearch` command with other enumeration tools (like `snmpwalk` or `smtp-user-enum`) and fail to recognize that the specific command and output directly indicate LDAP enumeration with plaintext password exposure.

How to eliminate wrong answers

Option A is wrong because NFS enumeration uses commands like `showmount -e` or `rpcinfo`, not `ldapsearch`, and the output would show exported shares, not user objects with passwords. Option C is wrong because SNMP enumeration uses tools like `snmpwalk` with community strings, and the output would contain OIDs and MIB values, not LDAP directory entries. Option D is wrong because SMTP enumeration uses commands like `VRFY` or `EXPN` to verify email addresses, and the output would be SMTP response codes, not LDAP attributes.

809
Multi-Selectmedium

Which TWO of the following are enumeration techniques used to gather information from Windows systems? (Select 2)

Select 2 answers
A.SMB enumeration using enum4linux
B.SMTP enumeration using VRFY
C.LDAP enumeration using ldapsearch
D.NFS enumeration using showmount
E.NetBIOS enumeration using nbtstat
AnswersA, E

SMB is primarily Windows file sharing.

Why this answer

NetBIOS enumeration (nbtstat) and SMB enumeration (enum4linux, smbclient) are both Windows-oriented. LDAP enumeration is for directory services, not exclusively Windows; SMTP is mail; NFS is Unix/Linux.

810
MCQeasy

A security analyst captures a large number of unique initialization vectors (IVs) from a wireless network using airodump-ng. Which attack are they MOST likely preparing to execute?

A.WPS PIN brute-force attack
B.Evil twin AP deployment
C.WEP key recovery using aircrack-ng
D.WPA handshake capture
AnswerC

Correct. WEP cracking relies on collecting many unique IVs to exploit statistical weaknesses in the RC4 algorithm.

Why this answer

WEP encryption is vulnerable to statistical attacks that require capturing many unique IVs to recover the WEP key. The large number of unique IVs indicates preparation for a WEP cracking attack using a tool like aircrack-ng.

811
MCQhard

During a penetration test, you discover a Windows service running with SYSTEM privileges that has a weak file permission allowing the 'Everyone' group to modify its executable. Which privilege escalation technique is MOST directly applicable here?

A.Token impersonation
B.Weak service binary permissions
C.DLL hijacking
D.Unquoted service path
AnswerB

Modifiable service binary allows privilege escalation by replacing the executable.

Why this answer

Option B is correct because the scenario describes a Windows service executable with weak file permissions that allow the 'Everyone' group to modify it. This directly enables an attacker to replace the legitimate executable with a malicious one, which will then be executed with SYSTEM privileges when the service starts. This is the classic 'weak service binary permissions' privilege escalation vector, often exploited using tools like `icacls` or `accesschk` to identify the vulnerability.

Exam trap

EC-Council often tests the distinction between modifying the service binary itself (weak binary permissions) versus exploiting path parsing (unquoted service path) or dependency loading (DLL hijacking), so candidates must focus on the specific permission weakness described.

How to eliminate wrong answers

Option A is wrong because token impersonation typically requires an existing token (e.g., from a named pipe or RPC) to steal or duplicate, not a writable service binary. Option C is wrong because DLL hijacking involves placing a malicious DLL in a path where the service searches for missing DLLs, not modifying the service's primary executable. Option D is wrong because an unquoted service path exploits spaces in the service binary path to execute an unintended executable, not the modification of the existing binary itself.

812
MCQhard

A penetration tester uses the following Nmap command: nmap -sS -O -p 1-1000 10.0.0.1. The output shows port 22 as open, and OS detection suggests 'Linux 2.6.x'. The tester then runs: nmap -sV -p 22 10.0.0.1. What additional information does the second scan provide?

A.It confirms the OS is Linux 2.6.x
B.It checks if the port is filtered by a firewall
C.It identifies the version of the SSH service running
D.It performs a UDP scan on port 22
AnswerC

-sV performs version detection on the specified port.

Why this answer

The second scan uses the `-sV` flag, which enables version detection. Nmap probes the open port 22 (SSH) to determine the exact service version (e.g., OpenSSH 5.3p1). This is distinct from OS detection (`-O`), which guesses the operating system based on TCP/IP stack fingerprinting.

The `-sV` scan provides granular service version information, not OS confirmation or firewall status.

Exam trap

The trap here is confusing OS detection (`-O`) with service version detection (`-sV`), leading candidates to think `-sV` confirms the OS when it actually identifies the application version running on the port.

How to eliminate wrong answers

Option A is wrong because `-sV` does not confirm the OS; OS detection is performed by the `-O` flag in the first scan, and version detection only identifies the application version, not the underlying OS. Option B is wrong because checking if a port is filtered by a firewall requires a different scan type, such as a SYN scan (`-sS`) with firewall evasion techniques or a scan that analyzes RST responses; `-sV` assumes the port is open and attempts a full connection to grab the service banner. Option D is wrong because `-sV` performs TCP version detection on the specified port (22), not a UDP scan; a UDP scan requires the `-sU` flag.

813
MCQhard

A penetration tester uses the following command to scan a target: nmap -sU -sV -p 53,161,162 10.0.0.1. Which of the following BEST describes what this scan will accomplish?

A.Full port scan of all 65535 UDP ports
B.Ping sweep and OS detection on the target
C.UDP scan on three ports with service version detection
D.TCP SYN scan on ports 53, 161, 162 with version detection
AnswerC

-sU = UDP scan, -sV = version detection, -p specifies the ports.

Why this answer

-sU performs a UDP scan, -sV attempts service version detection on the specified UDP ports (53=DNS, 161=SNMP, 162=SNMP trap).

814
MCQhard

A security analyst observes an SSL/TLS handshake where the client and server negotiate TLS 1.0 instead of TLS 1.2, despite the server supporting TLS 1.2. Which attack BEST describes the manipulation of the handshake to force weaker encryption?

A.Man-in-the-middle attack
B.Replay attack
C.Downgrade attack
D.Birthday attack
AnswerC

A downgrade attack forces the protocol to use an older, weaker version (e.g., TLS 1.0) by interfering with the handshake.

Why this answer

A downgrade attack occurs when an attacker forces the client and server to negotiate a lower, less secure version of a protocol (e.g., from TLS 1.2 to TLS 1.0) to exploit vulnerabilities in the older version.

815
Multi-Selecthard

An organization is investigating a potential malware infection. The security analyst observes unusual outbound connections to a known malicious IP address and finds a suspicious process running under a user's session. The analyst decides to perform memory analysis using Volatility. Which TWO commands would be most useful to identify the malicious process and its network connections?

Select 2 answers
A.volatility -f memory.dmp netscan
B.volatility -f memory.dmp pslist
C.volatility -f memory.dmp procdump
D.volatility -f memory.dmp svcscan
E.volatility -f memory.dmp malfind
AnswersA, B

Shows network connections; confirms outbound to malicious IP.

Why this answer

The `netscan` plugin in Volatility scans the memory dump for network connections and sockets, including TCP and UDP endpoints, which directly reveals outbound connections to the malicious IP. The `pslist` plugin lists all running processes by walking the process list in the kernel, allowing the analyst to identify the suspicious process by name or PID. Together, these two commands provide the process identity and its network activity, which is exactly what the scenario requires.

Exam trap

The trap here is that candidates may choose `malfind` (option E) because it sounds malware-specific, but it does not list all processes or network connections, whereas `pslist` and `netscan` directly answer the question of identifying the process and its outbound connections.

816
MCQhard

Refer to the exhibit. A security analyst reviews the firewall log and notices that user jdoe accessed a file server via SMB (port 445) from an internal IP (10.0.0.45) that is not the usual file server subnet. Which type of social engineering attack is most likely being attempted?

A.Phishing
B.Vishing
C.Tailgating
D.Baiting
AnswerC

Tailgating allows an attacker to physically enter a secured area and connect to the internal network from an unauthorized IP.

Why this answer

The firewall log shows user jdoe accessing a file server via SMB (port 445) from an internal IP (10.0.0.45) that is not on the usual file server subnet. This indicates the attacker has physically entered the building or restricted area by following an authorized person (tailgating) and then connected a rogue device to the internal network to perform lateral movement. Tailgating is the social engineering attack that relies on gaining physical access by exploiting trust or courtesy, which aligns with the unauthorized internal IP and SMB activity.

Exam trap

The trap here is that candidates see SMB and internal IP and immediately think of a technical attack like phishing or baiting, but the key clue is the physical access implied by the unusual subnet, which points to tailgating as the social engineering vector.

How to eliminate wrong answers

Option A is wrong because phishing involves sending deceptive emails or messages to trick users into revealing credentials or installing malware, not physically accessing a network and using SMB from an unusual internal IP. Option B is wrong because vishing (voice phishing) uses phone calls to extract sensitive information, not physical intrusion or network-level SMB connections. Option D is wrong because baiting involves offering something enticing (e.g., infected USB drives) to lure victims, not directly following someone into a restricted area to gain network access.

817
MCQmedium

An attacker modifies system logs to remove entries related to their activities. Which technique is being used to cover tracks?

A.Token impersonation
B.Steganography
C.Log manipulation
D.Rootkit installation
AnswerC

Why this answer

Log manipulation is the act of altering or deleting log entries to hide evidence of an intrusion. This is part of the covering tracks phase.

818
Multi-Selecthard

Which TWO of the following attacks are specifically associated with wireless networks?

Select 2 answers
A.Man-in-the-middle attack
B.De-authentication attack
C.Evil twin attack
D.Replay attack
E.Birthday attack
AnswersB, C

De-auth attacks disconnect clients from a WLAN.

Why this answer

A de-authentication attack targets the management frames in IEEE 802.11 wireless networks. An attacker sends forged de-authentication frames to disconnect a client from an access point, often as a precursor to capturing the WPA handshake or launching an evil twin attack. This is a wireless-specific attack because it exploits the unencrypted nature of 802.11 management frames.

Exam trap

EC-Council often tests the distinction between attacks that are 'specific to wireless' versus those that are 'general network attacks' — the trap is that candidates confuse a common attack vector (like man-in-the-middle) with a protocol-specific vulnerability unique to 802.11.

819
MCQmedium

During a penetration test, you successfully execute a privilege escalation attack by abusing a service running with SYSTEM privileges on a Windows machine. Which of the following techniques is MOST likely being used?

A.Pass-the-hash
B.SUID abuse
C.Token impersonation
D.DLL hijacking
AnswerC

Token impersonation allows a process to assume the security context of another user, such as SYSTEM, enabling privilege escalation.

Why this answer

Token impersonation is the correct technique because it allows an attacker to steal or duplicate an access token from a process running with SYSTEM privileges. Once the attacker has a token with SYSTEM integrity level, they can use Windows API calls such as ImpersonateLoggedOnUser or DuplicateTokenEx to execute code in the security context of that token, effectively escalating privileges to SYSTEM.

Exam trap

EC-Council often tests the distinction between local privilege escalation techniques (token impersonation) and lateral movement or persistence techniques (pass-the-hash, DLL hijacking), so candidates mistakenly choose DLL hijacking because it is a common Windows attack, but it does not directly provide SYSTEM privileges without the target process already running as SYSTEM.

How to eliminate wrong answers

Option A is wrong because pass-the-hash is a lateral movement technique that reuses NTLM hashes to authenticate to remote systems, not a local privilege escalation method to gain SYSTEM from a lower-privileged process. Option B is wrong because SUID abuse is a Unix/Linux privilege escalation technique involving the setuid bit on executables; Windows does not have a SUID mechanism. Option D is wrong because DLL hijacking exploits the search order of DLLs to load a malicious DLL into a process, which can achieve code execution but does not inherently grant SYSTEM privileges unless the target process already runs as SYSTEM.

820
MCQmedium

A penetration tester uses the Social Engineering Toolkit (SET) to create a malicious USB drive that autoruns when inserted. Which social engineering technique is being employed?

A.Tailgating
B.Baiting
C.Pretexting
D.Phishing
AnswerB

Correct. Baiting uses physical media to entice victims.

Why this answer

Baiting involves leaving a physical device (e.g., USB drive) in a location where the victim will find and use it, often with enticing labels.

821
MCQmedium

A security engineer runs SNMPwalk on a network device and receives community strings as 'public' and 'private'. What is the PRIMARY concern?

A.The device is vulnerable to buffer overflow attacks
B.The device is infected with malware
C.The device may be exposing sensitive configuration information
D.The device is using outdated encryption protocols
AnswerC

Default community strings enable information leakage.

Why this answer

The SNMP community strings 'public' and 'private' are default read-only and read-write credentials defined in SNMPv1 and SNMPv2c. An attacker who can SNMPwalk the device with these strings can enumerate the entire MIB tree, including system configuration, routing tables, interface details, and user accounts. This directly exposes sensitive configuration information, making C the primary concern.

Exam trap

EC-Council often tests the distinction between 'default credentials' and 'exploitation vectors'—candidates mistakenly associate 'public/private' with encryption or malware, when the real risk is unauthorized information disclosure via SNMP enumeration.

How to eliminate wrong answers

Option A is wrong because SNMP community strings are authentication credentials, not a vector for buffer overflow attacks; buffer overflows exploit memory corruption in protocol parsing or application code, not weak default strings. Option B is wrong because the presence of default community strings indicates poor security configuration, not malware infection; malware would require evidence of malicious processes or network behavior. Option D is wrong because SNMPv1 and SNMPv2c do not use encryption at all—they transmit community strings in cleartext; the issue is lack of encryption, not outdated encryption protocols.

822
MCQmedium

During a penetration test, you notice that a web application accepts user input and displays it directly in the browser without sanitization. Which attack is most likely to succeed?

A.SQL Injection
B.Cross-Site Request Forgery (CSRF)
C.Cross-Site Scripting (XSS)
D.Command Injection
AnswerC

Reflected XSS is the direct result of unsanitized input displayed in the browser.

Why this answer

Option C is correct because the scenario describes a classic reflected Cross-Site Scripting (XSS) vulnerability. The application accepts user input and displays it directly in the browser without sanitization, allowing an attacker to inject malicious JavaScript that executes in the victim's browser. This is the defining characteristic of XSS, not SQL injection or command injection, which target server-side interpreters.

Exam trap

EC-Council often tests the distinction between reflected XSS and stored XSS; the trap here is that candidates may assume any unsanitized input is SQL injection, but the key clue is direct display in the browser without server-side processing like database queries or command execution.

How to eliminate wrong answers

Option A is wrong because SQL Injection requires the user input to be included in a database query, not simply displayed in the browser; the scenario does not mention any database interaction. Option B is wrong because Cross-Site Request Forgery (CSRF) exploits the trust a site has in a user's browser to perform unauthorized actions, but it does not involve displaying unsanitized user input directly; it requires a forged request, not reflected output. Option D is wrong because Command Injection requires the input to be passed to a system shell or command interpreter, not merely rendered in HTML; the scenario lacks any indication of server-side command execution.

823
Multi-Selecthard

Which THREE of the following are components of the CHPSET system hacking methodology? (Select three.)

Select 3 answers
A.Sniffing network traffic
B.Hiding files
C.Cracking passwords
D.Scanning ports
E.Executing applications
AnswersB, C, E

H is for Hiding.

Why this answer

B is correct because 'Hiding files' is a key phase in the CHPSET (Cracking, Hiding, Privilege Escalation, Sniffing, Executing, Targeting) system hacking methodology. After gaining access and escalating privileges, the attacker must hide malicious files, processes, or evidence to avoid detection by security tools or administrators. This step often involves techniques like file attribute manipulation, rootkits, or steganography to conceal the presence of the attacker on the compromised system.

Exam trap

EC-Council often tests the distinction between pre-exploitation phases (scanning, sniffing) and the actual system hacking methodology (CHPSET), so candidates mistakenly select 'Sniffing network traffic' or 'Scanning ports' because they associate them with hacking, but they are not part of the CHPSET steps.

824
MCQeasy

Which malware type is characterized by self-replication across networks without needing a host file?

A.Worm
B.Trojan
C.Rootkit
D.Ransomware
AnswerA

Worms spread automatically over networks.

Why this answer

Worms are standalone malware that replicate across networks autonomously, unlike viruses that require a host file.

825
MCQhard

In a cloud environment, an attacker exploits a vulnerability in a web application to make the server send requests to internal metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/). This yields IAM temporary credentials. Which attack is this?

A.Server-Side Request Forgery (SSRF) targeting cloud metadata
B.XML External Entity (XXE) injection
C.Insecure Direct Object Reference (IDOR) on metadata
D.Cross-Site Request Forgery (CSRF) targeting cloud APIs
AnswerA

SSRF allows the attacker to make the server request internal resources like the metadata service, leaking credentials.

Why this answer

SSRF occurs when an application fetches user-controlled URLs without proper validation. The attacker used it to access cloud metadata endpoints (like AWS IMDS) to retrieve temporary credentials.

Page 10

Page 11 of 14

Page 12