Certified Ethical Hacker (CEH) — Questions 976–1010

1010 questions total · 14 pages · All types, answers revealed

Page 14 of 14

976 · MCQ · easy

Which of the following tools is specifically designed to automate the process of detecting and exploiting SQL injection vulnerabilities in web applications?

A. Burp Suite
B. Metasploit
C. SQLMap
D. Nmap
Answer: C

SQLMap is the standard tool for automated SQL injection detection and exploitation.

Why this answer

SQLMap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws. It supports a wide range of database backends and injection techniques, making it the go-to tool for this specific task.

Exam trap

EC-Council often tests the distinction between general-purpose security tools (like Burp Suite or Metasploit) and specialized automation tools (like SQLMap), leading candidates to choose a tool they recognize for web testing rather than the one specifically designed for SQL injection automation.

How to eliminate wrong answers

Option A is wrong because Burp Suite is an intercepting proxy and web application security testing platform that requires manual configuration or extensions to automate SQL injection exploitation; it is not purpose-built for automated SQL injection detection and exploitation. Option B is wrong because Metasploit is a framework for developing and executing exploit code against remote targets, but it does not natively automate the detection and exploitation of SQL injection vulnerabilities in web applications without additional modules or manual scripting. Option D is wrong because Nmap is a network scanning tool used for host discovery, port scanning, and service enumeration, and it lacks any capability to detect or exploit SQL injection vulnerabilities.

977 · MCQ · hard

A penetration tester performs a container escape by exploiting a misconfigured capability and mounts the host filesystem. Which cloud service model is MOST directly affected?

A. Platform as a Service (PaaS)
B. Software as a Service (SaaS)
C. Function as a Service (FaaS)
D. Infrastructure as a Service (IaaS)
Answer: D

IaaS gives users control over containers, and escape impacts the host.

Why this answer

Container escape compromises the host, affecting the underlying infrastructure in IaaS. In PaaS/SaaS, the provider may manage containers differently.

978 · Multi-Select · medium

Which THREE Nmap options are commonly used to evade firewall detection during a scan? (Choose three.)

Select 3 answers
A. -f (fragment packets)
B. -T0 (paranoid timing)
C. -D (decoy)
D. -sT (TCP connect scan)
E. -sV (version detection)
Answers: A, B, C

Fragmentation splits packet headers to evade simple packet filters.

Why this answer

Option A is correct because the -f flag fragments the IP packets into smaller pieces (typically 8-byte fragments) to bypass simple packet-filtering firewalls and intrusion detection systems that do not reassemble fragmented packets before applying filtering rules. This technique exploits the fact that many stateless firewalls only inspect the first fragment and allow subsequent fragments through unchecked, enabling the scan to reach the target.

Exam trap

The trap here is that candidates often mistake -sT (TCP connect scan) as a stealthy option because it is the default scan type, but it actually completes the full handshake and is highly detectable, whereas the correct evasion options focus on fragmentation, timing, and decoys.

979 · Multi-Select · medium

Which TWO of the following are examples of application-layer DDoS attacks? (Select 2)

Select 2 answers
A. Slowloris
B. SYN flood
C. Smurf attack
D. UDP flood
E. HTTP flood
Answers: A, E

Slowloris keeps many connections open slowly to exhaust server resources.

Why this answer

Slowloris and HTTP flood are application-layer attacks targeting web servers.

980 · MCQ · easy

Which password cracking method uses a precomputed table of hash chains to reverse password hashes quickly?

A. Hybrid attack
B. Rainbow table attack
C. Dictionary attack
D. Brute-force attack
Answer: B

Rainbow tables are precomputed tables of hash chains.

Why this answer

Rainbow tables are precomputed tables of hash chains that allow fast lookup to reverse a hash into a plaintext password.

981 · MCQ · medium

An organization deploys a fleet of IoT cameras that communicate with a central server over the internet. The cameras use HTTP to send video streams. What is the most critical security improvement to protect the video data in transit?

A. Require strong passwords on the camera web interface.
B. Use a site-to-site VPN between the cameras and the server.
C. Use certificate pinning to prevent man-in-the-middle attacks.
D. Implement TLS/SSL encryption for all camera communications.
Answer: D

TLS encrypts the video streams in transit.

Why this answer

The most critical security improvement is to implement TLS/SSL encryption (HTTPS) for all camera communications. HTTP transmits video data in plaintext, allowing any attacker on the network path to capture and view the video stream. TLS/SSL provides encryption, integrity, and authentication, directly protecting the confidentiality of the video data in transit.

Exam trap

EC-Council often tests the distinction between authentication/access controls (passwords, certificate pinning) and encryption (TLS/SSL), leading candidates to choose a security measure that does not actually protect data in transit.

How to eliminate wrong answers

Option A is wrong because strong passwords protect only the authentication to the camera's web interface, not the video data itself during transmission; an attacker can still intercept unencrypted HTTP streams. Option B is wrong because a site-to-site VPN would encrypt traffic between two network gateways, but if the cameras connect directly over the internet without a VPN client, the traffic remains unencrypted; VPNs also add complexity and latency not required for this specific threat. Option C is wrong because certificate pinning is a defense against man-in-the-middle attacks that validates a specific certificate, but it does not encrypt the data; without TLS/SSL, the video stream is still sent in plaintext and can be intercepted regardless of pinning.

982 · MCQ · hard

An attacker wants to perform a man-in-the-middle attack on a local network. Which pair of tools would be most effective? (Select the best answer.)

A. Nmap and Metasploit
B. Aircrack-ng and Wireshark
C. Ettercap and Nmap
D. Ettercap and Wireshark
Answer: D

Ettercap performs ARP poisoning for MITM, and Wireshark can capture the intercepted traffic.

983 · MCQ · easy

A security analyst wants to perform passive reconnaissance on a target organization without generating any traffic to the target's network. Which of the following techniques would be MOST appropriate?

A. Running Nmap SYN scan
B. Executing hping3 to probe ports
C. Using Netcat to connect to a service
D. Performing a WHOIS lookup
Answer: D

WHOIS lookups query public databases and do not contact the target's servers, making them passive.

Why this answer

WHOIS lookup is a passive reconnaissance technique that queries public databases (e.g., whois.arin.net) for domain registration details without sending any packets to the target's network. It relies on external, publicly available data, thus generating zero traffic to the target organization's infrastructure.

Exam trap

The trap here is that candidates confuse active scanning tools (Nmap, hping3, Netcat) with passive information gathering, failing to recognize that any direct packet transmission to the target constitutes active reconnaissance.

How to eliminate wrong answers

Option A is wrong because Nmap SYN scan sends crafted TCP SYN packets directly to the target's IP addresses, generating detectable network traffic. Option B is wrong because hping3 actively sends custom packets (e.g., TCP, UDP, ICMP) to probe ports and services, which creates traffic to the target. Option C is wrong because Netcat establishes a TCP or UDP connection to a target service, actively interacting with the target's network and generating traffic.

984 · MCQ · hard

A penetration tester performs a container escape from a Docker container running in a cloud environment. Which of the following is the MOST likely cause?

A. The container uses default credentials for SSH
B. The container image has a known vulnerability in the MQTT library
C. The host OS is running an outdated kernel version
D. The container is running with the --privileged flag
Answer: D

Privileged mode gives the container access to host devices and kernel, enabling escape.

Why this answer

Container escape often occurs when the container is run with the --privileged flag, granting elevated capabilities that allow access to the host kernel.

985 · MCQ · medium

During a penetration test, you identify a parameter in a web application that appears to fetch a file from the server. You modify the parameter to '../../../etc/passwd' and see the contents of the passwd file. Which type of vulnerability is this?

A. Remote File Inclusion (RFI)
B. Directory traversal
C. Server-Side Request Forgery (SSRF)
D. Local File Inclusion (LFI)
Answer: B

The attacker is traversing directories to read arbitrary files, which is directory traversal.

Why this answer

The use of '../' sequences to traverse directories and access files outside the web root is classic directory traversal.

986 · Multi-Select · hard

Which THREE of the following are valid defenses against CSRF attacks? (Select 3)

Select 3 answers
A. Custom request headers (e.g., X-Requested-With)
B. SameSite cookies set to Lax or Strict
C. CSRF tokens
D. Input validation
E. Output encoding
Answers: A, B, C

Custom headers can be used to verify origin, because a cross-site request cannot carry custom headers without triggering a CORS preflight (they are not permitted on simple requests).

Why this answer

CSRF tokens, SameSite cookies (Lax or Strict), and custom headers (e.g., X-Requested-With with XMLHttpRequest) are all effective CSRF defenses.

987 · MCQ · hard

During a penetration test, a tester gains access to a Linux system and needs to escalate privileges. The tester finds that the user has sudo privileges to run /usr/bin/less as root without a password. Which technique should the tester use to escalate privileges?

A. Exploit a kernel vulnerability using a local exploit
B. Run /usr/bin/less with sudo, then type !/bin/bash to spawn a root shell
C. Use the find command with -exec to execute a shell
D. Check for world-writable scripts in cron jobs
Answer: B

less allows command execution via ! when run with elevated privileges.

Why this answer

Option B is correct because when a user has sudo privileges to run /usr/bin/less as root without a password, the tester can leverage the fact that less can execute shell commands from within its interface. By running 'sudo /usr/bin/less' and then typing '!/bin/bash', the tester spawns a root shell, effectively escalating privileges to root.

Exam trap

The trap here is that candidates may overlook the command execution capability of less and instead focus on kernel exploits or cron jobs, missing the direct and simplest path to root via the sudo misconfiguration.

How to eliminate wrong answers

Option A is wrong because exploiting a kernel vulnerability is unnecessary when a simpler, authorized sudo misconfiguration exists; this option distracts from the direct privilege escalation path. Option C is wrong because the find command with -exec is a technique for executing commands on files, but it does not inherently provide privilege escalation unless combined with a setuid binary or specific permissions, and the user does not have sudo rights to find. Option D is wrong because checking for world-writable scripts in cron jobs is a valid enumeration step but is not the immediate technique to exploit the given sudo privilege; it is a slower, indirect method that may not yield root access.

988 · MCQ · hard

A security engineer is configuring DDoS protection for a web server. The goal is to mitigate a Slowloris attack. Which mitigation technique is MOST effective?

A. Use anycast routing
B. Implement rate limiting and connection timeout
C. Increase the maximum number of simultaneous connections
D. Enable SYN cookies
Answer: B

Slowloris relies on keeping connections open; setting a timeout for idle connections and rate limiting helps.

Why this answer

Slowloris sends partial HTTP requests to keep many connections open. Raising the maximum number of connections per IP may buy time, but rate limiting and connection timeouts are more effective. The most direct mitigation is to limit how long an idle or incomplete connection may remain open, i.e., reducing the request and connection timeouts.

Limiting concurrent connections per client, for example at a reverse proxy, complements these controls.

989 · MCQ · medium

Which phase of the system hacking methodology (CHPSET) involves hiding files from the operating system using techniques such as rootkits or steganography?

A. Cracking passwords
B. Erasing tracks
C. Executing applications
D. Hiding files
Answer: D

Hiding files involves concealing malicious files.

Why this answer

The 'Hiding files' phase of the CHPSET (Cracking passwords, Hacking, Privilege escalation, Spying, Erasing tracks, Executing applications, Hiding files) methodology involves concealing malicious files from the operating system and security tools. Techniques such as rootkits (which hook system calls like NtQueryDirectoryFile to hide files from directory listings) and steganography (embedding data within innocent files like images or audio) are used to avoid detection. This phase directly follows 'Executing applications' and ensures the attacker's payload remains persistent and covert.

Exam trap

The trap here is that candidates confuse 'Erasing tracks' (clearing logs) with 'Hiding files' (concealing the files themselves), but the CEH CHPSET model separates these as distinct phases—'Hiding files' specifically refers to techniques like rootkits and steganography that hide the file from the OS, not just removing evidence of its execution.

How to eliminate wrong answers

Option A is wrong because 'Cracking passwords' is the initial phase of CHPSET, focused on gaining access through password attacks (e.g., brute force, rainbow tables), not hiding files. Option B is wrong because 'Erasing tracks' involves clearing logs (e.g., clearing Event Logs or using tools like `wevtutil`) to cover the attacker's footprint, not hiding files from the OS. Option C is wrong because 'Executing applications' refers to running the malicious payload (e.g., backdoor or keylogger) after privilege escalation, not the act of concealing files.

990 · MCQ · easy

Which asymmetric encryption algorithm is based on the algebraic structure of elliptic curves over finite fields and provides equivalent security to RSA with smaller key sizes?

A. SHA-256
B. Diffie-Hellman (DH)
C. Triple DES (3DES)
D. Elliptic Curve Cryptography (ECC)
Answer: D

ECC is an asymmetric encryption algorithm using elliptic curves, offering smaller key sizes than RSA for equivalent security.

Why this answer

ECC (Elliptic Curve Cryptography) offers strong security with smaller keys compared to RSA. Diffie-Hellman is a key exchange protocol, 3DES is symmetric, and SHA-256 is a hash function.

991 · MCQ · medium

A network switch starts behaving like a hub, broadcasting all traffic to all ports. The security team suspects an attack that floods the switch with fake MAC addresses. Which attack is this?

A. MAC flooding
B. ARP poisoning
C. STP attack
D. DNS spoofing
Answer: A

MAC flooding fills the CAM table with fake MACs.

Why this answer

MAC flooding exploits the limited size of a switch's Content Addressable Memory (CAM) table. By sending thousands of packets with unique, fake source MAC addresses, the attacker fills the CAM table, forcing the switch to fail open and broadcast all incoming frames to every port, effectively behaving like a hub. This allows the attacker to capture traffic not originally destined for their port.

Exam trap

EC-Council often tests the distinction between MAC flooding (layer 2 CAM table exhaustion) and ARP poisoning (layer 2/3 cache manipulation); candidates mistakenly choose ARP poisoning because both involve MAC addresses, but only MAC flooding causes the switch to broadcast traffic like a hub.

How to eliminate wrong answers

Option B (ARP poisoning) is wrong because it manipulates the ARP cache of hosts to associate the attacker's MAC address with the IP address of a legitimate device, enabling man-in-the-middle attacks; it does not flood the switch's CAM table. Option C (STP attack) is wrong because it targets the Spanning Tree Protocol by sending forged Bridge Protocol Data Units (BPDUs) to cause topology changes or denial of service, not by exhausting CAM table entries. Option D (DNS spoofing) is wrong because it corrupts DNS resolver caches to redirect domain name lookups to malicious IP addresses, which is a layer-7 attack unrelated to switch MAC address tables.

992 · Multi-Select · hard

Which THREE of the following are effective mitigation techniques against Cross-Site Scripting (XSS) attacks?

Select 3 answers
A. Output encoding
B. Implementing Content Security Policy (CSP)
C. Disabling JavaScript in the client browser
D. Using HTTPS for all communications
E. Input validation
Answers: A, B, E

Encoding output ensures that user input is treated as data, not executable code.

Why this answer

Input validation ensures malicious characters are rejected. Output encoding converts special characters to safe HTML entities. Content Security Policy (CSP) restricts script sources.

Disabling JavaScript is not practical. Using HTTPS protects data in transit but not against XSS.

993 · MCQ · medium

A penetration tester discovers that a web application's login page does not enforce rate limiting and several usernames are known from a prior data breach. The tester wants to try a few common passwords across many accounts to avoid account lockouts. Which attack technique is being used?

A. Password spraying
B. Credential stuffing
C. Brute force attack
D. Dictionary attack
Answer: A

Password spraying uses a few passwords across many accounts to avoid lockouts.

Why this answer

Password spraying involves trying a small number of common passwords against many user accounts to avoid account lockout. This contrasts with credential stuffing (using many passwords per account) and brute force (many passwords per user).

994 · MCQ · easy

Which tool is specifically designed to crack Windows LM and NTLM hashes using precomputed tables?

A. Ophcrack
B. John the Ripper
C. Cain & Abel
D. Hashcat
Answer: A

Ophcrack specializes in cracking Windows hashes using rainbow tables.

Why this answer

Ophcrack is a free password cracker that uses rainbow tables to crack Windows hashes.

995 · MCQ · easy

A security analyst receives an email from what appears to be the company's CEO requesting an urgent wire transfer. The email address is slightly misspelled (e.g., ce0@company.com instead of ceo@company.com). Which type of social engineering attack is this?

A. Vishing
B. Phishing
C. Whaling
D. Spear phishing
Answer: C

Whaling is a spear-phishing attack specifically targeting senior executives or high-value targets.

Why this answer

Whaling specifically targets high-profile individuals like executives. The spoofed email address and urgent request for a wire transfer are classic indicators of a whaling attack.

996 · Multi-Select · medium

Which TWO of the following are characteristics of a polymorphic virus? (Choose two.)

Select 2 answers
A. It requires user interaction to activate
B. It uses encryption to hide its payload
C. It infects only the boot sector
D. It spreads via email attachments only
E. It changes its code signature each time it replicates
Answers: B, E

Polymorphic viruses often encrypt their payload and change the decryption routine.

Why this answer

Polymorphic viruses mutate their code to evade signature detection while retaining functionality.

997 · MCQ · medium

A security team observes repeated Nmap scans from an external IP address. The scans show fragmented IP packets. Which evasion technique is the attacker using?

A. Fragmentation
B. Decoy scan
C. ACK scan
D. Idle scan
Answer: A

Fragmentation splits packets to evade detection.

Why this answer

The attacker is using fragmentation to evade detection by splitting the Nmap probe packets into smaller fragments. This technique bypasses simple packet filters and intrusion detection systems (IDS) that lack IP fragment reassembly capabilities, as the fragments are typically allowed through individually. Nmap's `-f` flag or `--mtu` option is used to send fragmented IP packets, making the scan less conspicuous.

Exam trap

EC-Council often tests the distinction between fragmentation and decoy scans, as candidates may confuse 'splitting packets' with 'spoofing IPs' due to both being evasion techniques.

How to eliminate wrong answers

Option B (Decoy scan) is wrong because it involves spoofing multiple source IP addresses to hide the attacker's real IP, not fragmenting packets. Option C (ACK scan) is wrong because it sends TCP ACK packets to determine firewall rules, not fragmented packets. Option D (Idle scan) is wrong because it uses a zombie host to bounce packets and obscure the attacker's IP, not fragmentation.

998 · MCQ · hard

After a security incident, an analyst retrieves a suspicious file. To determine if it is malicious without executing it, the analyst runs the 'strings' command and uploads the file to VirusTotal. Which type of malware analysis is being performed?

A. Static analysis
B. Behavioral analysis
C. Code analysis
D. Dynamic analysis
Answer: A

Static analysis reviews code/strings without execution; VirusTotal uses static signatures.

Why this answer

Static analysis involves examining the malware without executing it, using techniques like strings extraction and hash lookup on services like VirusTotal. Dynamic analysis would require executing the file in a sandbox.

999 · MCQ · medium

A security analyst notices that the web application returns different response times when querying user IDs. For example, a valid user ID returns the page in 2 seconds, while an invalid ID returns in 0.5 seconds. The analyst suspects a blind SQL injection vulnerability. Which SQL injection technique is MOST likely being used?

A. Error-based SQL injection
B. Union-based SQL injection
C. Time-based blind SQL injection
D. Out-of-band SQL injection
Answer: C

Time-based blind injection uses conditional delays to infer Boolean results; the difference in response times is the key indicator.

Why this answer

Time-based blind SQL injection relies on causing a time delay (e.g., via SLEEP or WAITFOR DELAY) to infer the truth of conditions. The varying response times (2s vs 0.5s) indicate a time-based attack.

1000 · MCQ · medium

A penetration tester receives the following output from a tool: 'Starting dnsrecon.py -d example.com -t axfr' and then a list of all DNS records. Which of the following BEST describes what occurred?

A. A DNSSEC validation check was completed
B. A successful DNS zone transfer was performed, revealing all DNS records for the domain
C. A DNS cache snooping attack was executed
D. A reverse DNS lookup was performed to find domain names from IP addresses
Answer: B

AXFR is the zone transfer request. If the server is misconfigured, it returns all records. The output shows the result of a successful transfer.

Why this answer

The output shows the dnsrecon tool being run with the '-t axfr' option, which specifically requests a DNS zone transfer (AXFR). A zone transfer is a mechanism for replicating DNS databases across DNS servers, and if misconfigured, it allows an attacker to retrieve all DNS records for a domain. The successful listing of all DNS records confirms that the zone transfer was permitted by the target's DNS server, revealing the entire DNS zone.

Exam trap

The trap here is that candidates may confuse the '-t axfr' zone transfer flag with other DNS reconnaissance techniques like cache snooping or DNSSEC validation, but the key indicator is the explicit request for a full zone transfer and the resulting complete list of DNS records.

How to eliminate wrong answers

Option A is wrong because DNSSEC validation checks use cryptographic signatures (RRSIG, DNSKEY records) to verify data integrity, not a zone transfer command like '-t axfr'. Option C is wrong because DNS cache snooping involves querying a recursive resolver to determine if a specific record is cached, not performing a full zone transfer to list all records. Option D is wrong because a reverse DNS lookup uses PTR records to map IP addresses to domain names, whereas the output explicitly shows a zone transfer of all DNS records for a domain, not a reverse lookup.

1001 · MCQ · hard

An ethical hacker is analyzing a suspicious file using static analysis. Which of the following actions is part of static malware analysis?

A. Running the file in a sandboxed environment and monitoring its behavior
B. Uploading the file to VirusTotal for scanning
C. Examining the file's strings and metadata without executing it
D. Using Wireshark to capture packets sent by the file
Answer: C

Static analysis examines the file's binary, strings, and metadata without execution.

Why this answer

Static analysis involves examining the file without executing it, including checking strings, file properties, and metadata. Dynamic analysis involves running the file in a sandbox.

1002 · Multi-Select · hard

Which THREE of the following Nmap options can be used to evade detection by IDS/IPS? (Select three)

Select 3 answers
A. -sV (version detection)
B. -f (fragment packets)
C. -sI (idle scan)
D. -D (decoy scan)
E. -O (OS detection)
Answers: B, C, D

Fragmentation evades packet inspection.

Why this answer

Option B is correct because the -f flag fragments the crafted packets into smaller pieces, typically 8-byte fragments, which can bypass simple IDS/IPS signatures that expect full unfragmented packets. This technique exploits the fact that many intrusion detection systems struggle to reassemble fragmented packets in real time, allowing the scan to evade detection.

Exam trap

The trap here is that candidates often think version detection (-sV) or OS detection (-O) are stealthy because they provide detailed information, but they actually generate more traffic and distinctive patterns that IDS/IPS easily flag.

1003 · MCQ · medium

A penetration tester wants to enumerate users and groups from a Windows domain controller via LDAP without logging in. Which of the following tools is MOST appropriate for anonymous LDAP enumeration?

A. smbclient
B. ldapsearch
C. snmpwalk
D. enum4linux
Answer: B

ldapsearch can perform anonymous or authenticated LDAP queries to enumerate directory objects.

Why this answer

LDAP enumeration can be performed anonymously if the server allows. Tools like `ldapsearch` or `adfind` can query LDAP. Among the options, `ldapsearch` is the standard tool.

1004 · Multi-Select · easy

Which TWO of the following are common methods used to hide files on a compromised system? (Select two.)

Select 2 answers
A. Rootkits
B. Token impersonation
C. NTFS Alternate Data Streams
D. Log manipulation
E. Steganography
Answers: C, E

Why this answer

NTFS Alternate Data Streams (ADS) can hide data within files, and steganography embeds data inside other files (e.g., images). Rootkits conceal processes as well as files, so they are a broader technique than file hiding alone. Token impersonation is a privilege escalation technique.

Log manipulation covers tracks but does not hide files.

1005 · MCQ · medium

A security analyst is investigating a suspicious file and wants to quickly determine whether it is known malware without executing it. Which approach should the analyst use FIRST?

A. Disassemble the file with IDA Pro
B. Check for strings in the binary
C. Run the file in a sandbox environment
D. Submit the file to VirusTotal for hash lookup
Answer: D

VirusTotal checks signatures from multiple AV engines; safe and quick.

Why this answer

Static analysis via VirusTotal checks file hashes against known malware databases without execution. This is the fastest, safest first step.

1006 · MCQ · hard

During a security assessment, a tester discovers an endpoint that reflects the 'User-Agent' header in the response without sanitization. The tester wants to confirm a reflected XSS vulnerability. Which of the following payloads would be MOST effective to demonstrate the issue in a single request?

A. Set the User-Agent to: <img src=x onerror=alert(1)>
B. Set the User-Agent to: ' OR '1'='1
C. Set the User-Agent to: <script>alert('XSS')</script>
D. Set the User-Agent to: ../../../../etc/passwd
Answer: C

This payload will execute JavaScript if the User-Agent is reflected unsanitized, proving the vulnerability.

Why this answer

Using a simple script alert like <script>alert(1)</script> is a standard proof-of-concept for reflected XSS. The exact payload may vary, but it must execute JavaScript. The simplest is an alert.

1007 · Multi-Select · hard

Which TWO types of information can be obtained through SNMP enumeration on a target device if the community string is 'public'? (Choose two.)

Select 2 answers
A. List of running processes
B. Captured network packets
C. User account passwords
D. Modify network interface settings
E. Routing table entries
Answers: A, E

SNMP can retrieve hrSWRunTable which lists running processes.

Why this answer

SNMP enumeration with the default 'public' community string (read-only access) allows querying MIB objects that expose system information. The 'hostResources' MIB (RFC 2790) includes the 'hrSWRunTable', which lists running processes, and the 'ipRouteTable' (RFC 1213) provides routing table entries. These are standard read-only OIDs accessible without authentication.

Exam trap

The trap here is that candidates confuse the 'public' community string with full administrative access, assuming it can modify settings or retrieve sensitive data like passwords, when in fact it only provides read-only access to non-sensitive MIB objects.

1008 · MCQ · medium

You are a penetration tester hired by a medium-sized financial company. The company has a network consisting of 50 Windows workstations (Windows 10 Pro) and 5 Windows Server 2019 servers (domain controller, file server, web server, database server, and mail server). The network is segmented into three VLANs: User VLAN (192.168.1.0/24), Server VLAN (192.168.2.0/24), and DMZ (192.168.3.0/24). The web server is in the DMZ and hosts a public-facing e-commerce application built on ASP.NET with a SQL Server backend. The database server is in the Server VLAN and is not directly accessible from the internet. You are given a standard user account on a workstation in the User VLAN. After initial reconnaissance, you discover that the web server is running an outdated version of IIS (7.5) and is vulnerable to a known privilege escalation vulnerability (CVE-2020-0613) that allows local privilege escalation if an attacker has already gained initial access. You also find that the web application has a SQL injection vulnerability in the login page. You successfully exploit the SQL injection to extract the password hash of the web application's service account, which is 'web_svc'. You crack the hash offline and obtain the plaintext password. The 'web_svc' account has local administrative privileges on the web server. Using these credentials, you authenticate to the web server via RDP. From there, you want to pivot to the database server to extract credit card information stored in the database. The database server only allows connections from the web server on port 1433 (SQL Server). Using the 'web_svc' account, you are able to connect to the database server using SQL Server Management Studio. However, you find that the 'web_svc' account has only 'public' and 'guest' database roles, which do not allow reading any sensitive tables. You need to escalate privileges on the database server. What is the most effective next step?

A. Use the web_svc account to create a new SQL Server login with sysadmin privileges via the SQL Server Management Studio
B. Exploit the privilege escalation vulnerability on the web server to gain SYSTEM access, then dump the SQL Server service account credentials (e.g., from the SQL Server error logs or registry) and use them to log into the database server with sysadmin privileges
C. Perform a brute-force attack against the 'sa' account on the database server using a wordlist
D. Try to use the web_svc account to directly query the credit card table using a SQL injection payload on the web application
Answer: B

This leverages the local escalation to obtain higher database privileges.

Why this answer

Option B is correct because the web_svc account lacks sufficient database privileges, but by exploiting the privilege escalation vulnerability (CVE-2020-0613) on the web server to gain SYSTEM access, you can extract the SQL Server service account credentials (e.g., from SQL Server error logs or registry). The SQL Server service account typically runs with sysadmin privileges, allowing you to connect to the database server with full administrative rights and access the credit card data.

Exam trap

The trap here is that candidates assume the web_svc account's local admin rights on the web server translate to database privileges, but SQL Server role-based access control is separate, so they must escalate locally first to capture the higher-privileged service account credentials.

How to eliminate wrong answers

Option A is wrong because the web_svc account has only 'public' and 'guest' database roles, which do not grant permission to create new logins or assign sysadmin privileges; SQL Server enforces role-based access control, and such an operation requires ALTER ANY LOGIN or sysadmin rights. Option C is wrong because brute-forcing the 'sa' account is noisy, time-consuming, and likely to trigger account lockout policies or intrusion detection systems; moreover, you already have a more reliable privilege escalation path. Option D is wrong because the SQL injection vulnerability was already exploited on the web application's login page to extract the web_svc password hash; using the same injection to query the credit card table directly would still be limited by the web application's database connection permissions (the web_svc account's limited roles), and the database server only accepts connections from the web server on port 1433, not from the web application's SQL queries.

1009
Matching (medium)

Match each encryption algorithm to its type.

Concepts
Matches

Symmetric encryption

Asymmetric encryption

Hash function (broken)

Hash function (secure)

Symmetric encryption (deprecated)

Why these pairings

These are common cryptographic algorithms tested in CEH.

1010
MCQ (easy)

A security analyst is configuring a web application firewall (WAF) to protect against SQL injection. Which HTTP parameter location should the analyst focus on to block malicious SQL queries?

A. Query string parameters
B. Request body (POST data)
C. Cookie headers
D. User-Agent header
Answer: A

Query string parameters are a common vector for SQL injection.

Why this answer

SQL injection attacks commonly target query string parameters because user input in URLs is often directly concatenated into SQL queries without proper sanitization. A WAF configured to inspect and filter query string parameters can block malicious SQL payloads before they reach the database server, as these parameters are the most frequent vector for such attacks.

Exam trap

The trap here is that candidates may think POST data is the only vector for SQL injection, but the CEH exam emphasizes that query string parameters are the most common and should be the first focus for WAF configuration.

How to eliminate wrong answers

Option B is wrong because while POST data can also carry SQL injection payloads, the question asks for the primary focus, and query strings are the most common and easily exploitable vector. Option C is wrong because cookie headers are less frequently used for SQL injection, as they are typically not parsed into SQL queries unless the application explicitly reads them. Option D is wrong because the User-Agent header is rarely incorporated into SQL queries and is more commonly associated with other attack types like log injection or client-side attacks.