Certified Ethical Hacker CEH (CEH) — Questions 151225

1010 questions total · 14pages · All types, answers revealed

Page 2

Page 3 of 14

Page 4
151
MCQeasy

Which type of malware spreads by replicating itself across a network without requiring a host file to attach to?

A.Trojan
B.Ransomware
C.Worm
D.Virus
AnswerC

Worms self-propagate across networks independently.

Why this answer

Worms are standalone malware that self-replicate and spread across networks. Viruses require a host file, Trojans disguise as legitimate software, and ransomware focuses on encryption.

152
MCQeasy

Which of the following tools is commonly used for dynamic malware analysis by executing the malware in an isolated environment and monitoring system changes?

A.Strings
B.PEiD
C.VirusTotal
D.Cuckoo Sandbox
AnswerD

Cuckoo Sandbox is a dynamic analysis tool that executes malware in a sandbox and monitors behavior.

Why this answer

Cuckoo Sandbox is a popular open-source automated malware analysis system that runs samples in an isolated environment and reports behavior.

153
MCQeasy

Refer to the exhibit. A security analyst runs netstat on a compromised Windows machine. Based on the output, which process is most likely associated with the malicious activity?

A.The process with PID 1234 is not identified
B.explorer.exe (PID 1234)
C.svchost.exe (PID 5678)
D.The process with PID 5678 is not identified
AnswerB

Explorer.exe is making connections to a suspicious IP on port 4444, which is abnormal.

Why this answer

Option B is correct because netstat output showing a suspicious external connection (e.g., to an unknown IP on port 4444) associated with PID 1234, which is identified as explorer.exe, indicates that the Windows shell process has been hijacked or injected with malicious code. Explorer.exe is not a typical network-listening process; its involvement in outbound connections to a non-standard port strongly suggests malware has injected a reverse shell or beacon into this legitimate system process to evade detection.

Exam trap

EC-Council often tests the misconception that svchost.exe is always the malicious process because it hosts many services, but the trap here is that explorer.exe can be hijacked for persistence and network communication, and candidates fail to recognize that a legitimate-looking process name does not guarantee it is benign.

How to eliminate wrong answers

Option A is wrong because the process with PID 1234 is identified as explorer.exe in the netstat output (the exhibit would show the process name), so claiming it is 'not identified' ignores the explicit mapping provided. Option C is wrong because svchost.exe (PID 5678) is a generic host process for Windows services; while it can be abused, the exhibit specifically ties the suspicious connection to PID 1234, not PID 5678. Option D is wrong because the process with PID 5678 is identified as svchost.exe in the output, so stating it is 'not identified' is factually incorrect and misreads the netstat -b or -o display.

154
Multi-Selecthard

A penetration tester is conducting reconnaissance and wants to identify live hosts in a range without being detected. Which TWO techniques would be MOST appropriate? (Choose two.)

Select 2 answers
A.Ping sweep
B.ARP scan
C.DNS query for reverse lookup
D.Passive OS fingerprinting
E.TCP SYN scan
AnswersC, D

DNS queries are generally allowed and less suspicious.

Why this answer

A DNS query for reverse lookup (PTR record) is a passive reconnaissance technique that queries DNS servers for hostnames associated with IP addresses. It does not send packets directly to the target hosts, making it difficult for intrusion detection systems (IDS) or firewalls to detect the probing activity. This aligns with the goal of identifying live hosts without generating network traffic that would alert defensive measures.

Exam trap

The trap here is that candidates often confuse passive OS fingerprinting (which analyzes network traffic patterns without sending probes) with active fingerprinting techniques, or they assume that any DNS query is inherently passive, overlooking that DNS queries themselves generate traffic that may be logged by DNS servers.

155
MCQeasy

Which of the following tools is commonly used to automate the detection and exploitation of SQL injection vulnerabilities?

A.SQLMap
B.Metasploit
C.Nmap
D.Burp Suite
AnswerA

SQLMap is designed to automate SQL injection detection and exploitation.

Why this answer

SQLMap is a widely used open-source tool that automates the process of detecting and exploiting SQL injection flaws in web applications.

156
MCQhard

A penetration tester runs `nmap -sI 192.168.1.10 -p 80 10.0.0.1` and receives output indicating port 80 is open. The scan uses a zombie host. Which type of scan is this?

A.Idle scan
B.SYN scan
C.Decoy scan
D.Fragmentation scan
AnswerA

-sI is the idle scan flag.

Why this answer

The `-sI` flag in Nmap specifies an idle scan, which uses a zombie host (192.168.1.10) to probe the target (10.0.0.1). By observing changes in the zombie's IP ID sequence, the attacker can infer whether a port on the target is open or closed without revealing their own IP address. The output indicating port 80 is open confirms the scan type as an idle scan.

Exam trap

The trap here is that candidates confuse the `-sI` flag with decoy scans (`-D`) because both involve spoofing, but idle scans uniquely require a zombie host and IP ID analysis, not just multiple decoy IPs.

How to eliminate wrong answers

Option B is wrong because a SYN scan uses the `-sS` flag, not `-sI`, and does not involve a zombie host; it sends raw SYN packets directly from the attacker's IP. Option C is wrong because a decoy scan uses the `-D` flag to spoof multiple source IPs to obscure the real scanner, but it does not rely on a zombie host's IP ID sequence. Option D is wrong because a fragmentation scan uses the `-f` flag to split packets into smaller fragments to evade detection, not to leverage a zombie host for stealth.

157
MCQeasy

What is the primary purpose of the 4-way handshake in WPA/WPA2-Personal?

A.To establish encryption keys without transmitting the pre-shared key
B.To authenticate the user with a username and password
C.To synchronize the beacon intervals between client and AP
D.To exchange digital certificates between client and AP
AnswerA

The handshake derives keys from the PSK without sending the PSK itself.

Why this answer

The 4-way handshake confirms that both client and AP possess the pre-shared key (PSK) without exposing it, and generates temporal keys for encryption.

158
MCQmedium

A web application uses a URL parameter to fetch a file from the server, e.g., 'download.php?file=report.pdf'. An attacker changes the parameter to '../../etc/passwd' and retrieves the password file. This attack is known as:

A.Command injection
B.Local File Inclusion (LFI)
C.Directory traversal
D.Server-Side Request Forgery (SSRF)
AnswerC

The use of '../' to navigate directories is characteristic of directory traversal.

Why this answer

Directory traversal (also known as path traversal) allows an attacker to access files outside the intended directory by using '../' sequences.

159
MCQhard

After gaining initial access, an attacker attempts to escalate privileges by exploiting a misconfigured service running as SYSTEM. They find that the service's binary path is writable by the Everyone group. Which privilege escalation technique is the attacker MOST likely using?

A.SUID/GUID abuse
B.Unquoted service path
C.Weak service permissions
D.Token impersonation
AnswerC

Writable service binary is a weak permission vulnerability.

Why this answer

A writable service binary allows an attacker to replace the executable with a malicious one, which will run with the service's privileges (SYSTEM).

160
Multi-Selectmedium

Which TWO of the following are common attack vectors against IoT devices? (Select TWO.)

Select 2 answers
A.Default credentials left unchanged
B.Regular firmware updates
C.Insecure protocols such as plaintext MQTT
D.Use of strong encryption protocols
E.Use of certificate-based authentication
AnswersA, C

Many IoT devices ship with default usernames/passwords that users fail to change.

Why this answer

IoT devices often have default credentials that are not changed, and they use insecure protocols like MQTT without encryption. These are common entry points for attackers.

161
MCQeasy

Which type of malware encrypts the victim's files and demands payment for the decryption key?

A.Keylogger
B.Spyware
C.Adware
D.Ransomware
AnswerD

Correct. Ransomware encrypts files and demands ransom.

Why this answer

Ransomware is designed to encrypt files and demand ransom for the decryption key.

162
Matchingmedium

Match each IDS/IPS term to its meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Alert on benign activity

Failing to detect an actual attack

Detects known attack patterns

Detects deviations from normal behavior

Decoy system to attract attackers

Why these pairings

These concepts are essential for understanding intrusion detection and prevention.

163
Multi-Selectmedium

An application uses the SameSite cookie attribute. Which TWO of the following are valid values for this attribute and their purposes? (Select two)

Select 2 answers
A.Lax - Cookie is sent for top-level navigations with safe methods
B.None - Cookie is sent on all cross-site requests
C.Secure - Cookie is sent only over HTTPS
D.HttpOnly - Cookie is inaccessible to JavaScript
E.Strict - Cookie is sent only for same-site requests
AnswersA, E

Lax allows cookies for top-level GET requests from other sites.

Why this answer

SameSite can be set to 'Lax' (default) which allows cookies for top-level navigations, or 'Strict' which prevents cookies on cross-site requests. 'None' requires Secure flag but is used for cross-site.

164
MCQmedium

A penetration tester is enumerating an SMTP server on port 25. They issue the command `VRFY root` and receive a 250 response, then `VRFY admin` also returns 250. What does this indicate about the SMTP server?

A.Both root and admin are valid email accounts on the server
B.The SMTP server supports password authentication
C.The command failed due to syntax errors
D.The SMTP server has disabled user verification
AnswerA

250 means the user exists. Thus both root and admin are valid.

Why this answer

The VRFY command verifies if a user exists. A 250 response indicates the user exists. This allows an attacker to enumerate valid usernames on the system.

165
MCQmedium

During a penetration test, you discover a process named 'svch0st.exe' running on a Windows server with high CPU usage. The file is not digitally signed. Which type of malware is MOST likely present?

A.Polymorphic virus
B.Ransomware
C.Trojan
D.Worm
AnswerC

The process masquerades as a legitimate service (svchost.exe) to avoid detection, typical of a Trojan or backdoor.

Why this answer

The name 'svch0st.exe' mimics 'svchost.exe', a legitimate Windows process. Such masquerading is common with Trojans and backdoors. The absence of a digital signature and high CPU usage suggests malicious activity.

A Trojan or backdoor is most likely.

166
Multi-Selecthard

Which THREE of the following are password cracking techniques that can be used with Hashcat? (Select 3)

Select 3 answers
A.Token impersonation
B.Brute-force attack
C.Rainbow table attack
D.Dictionary attack
E.Hybrid attack
AnswersB, D, E

Hashcat can perform brute-force attacks by iterating through all possible character combinations.

Why this answer

Hashcat is a GPU-accelerated password recovery tool that supports multiple attack modes. A brute-force attack (option B) systematically tries every possible combination of characters from a defined keyspace until the correct password is found. Hashcat implements this via its '?a' mask or direct brute-force mode, making it a core technique for cracking hashes when no prior knowledge of the password exists.

Exam trap

EC-Council often tests the misconception that rainbow table attacks are a core Hashcat feature, but Hashcat does not implement rainbow tables; it uses GPU-accelerated brute-force, dictionary, and hybrid modes instead.

167
MCQmedium

Which of the following tools is specifically designed to perform password cracking using rainbow tables?

A.John the Ripper
B.Ophcrack
C.RainbowCrack
D.Hashcat
AnswerC

RainbowCrack is specifically designed to perform password cracking using rainbow tables.

Why this answer

RainbowCrack is specifically designed to perform password cracking using precomputed rainbow tables, which are time-memory trade-off structures that allow hashes to be reversed quickly without brute-forcing each password. Unlike other tools that rely on brute force, dictionary attacks, or hybrid methods, RainbowCrack's core functionality is built around generating and using rainbow tables to crack LM, NTLM, MD5, SHA1, and other hash types.

Exam trap

EC-Council often tests the distinction between tools that use rainbow tables (RainbowCrack) versus tools that use brute-force or dictionary methods (John the Ripper, Hashcat), and candidates mistakenly associate Ophcrack with general rainbow table cracking when it is actually limited to LM hashes.

How to eliminate wrong answers

Option A is wrong because John the Ripper is a password cracking tool that primarily uses dictionary, brute-force, and incremental modes, not rainbow tables. Option B is wrong because Ophcrack is a Windows password cracker that uses LM hash rainbow tables but is limited to Windows LAN Manager hashes and is not a general-purpose rainbow table tool like RainbowCrack. Option D is wrong because Hashcat is a high-speed password cracker that uses GPU acceleration for brute-force, dictionary, and rule-based attacks, but it does not natively use rainbow tables for cracking.

168
Multi-Selectmedium

Which TWO of the following attacks can be prevented by properly validating and sanitizing user input? (Select 2)

Select 2 answers
A.Cross-Site Request Forgery (CSRF)
B.SQL injection
C.Man-in-the-Middle (MitM) attack
D.Clickjacking
E.Cross-Site Scripting (XSS)
AnswersB, E

Input validation/sanitization can prevent SQL injection (e.g., parameterized queries).

Why this answer

SQL injection and XSS are both injection attacks that can be prevented by input validation and sanitization. CSRF requires tokens, and clickjacking requires frame-busting headers.

169
MCQeasy

Which of the following commands is used to enumerate SNMP information from a network device using a specific community string?

A.ldapsearch -x -h 192.168.1.1 -b dc=domain,dc=com
B.enum4linux -a 192.168.1.1
C.snmpwalk -c public -v 2c 192.168.1.1
D.nbtstat -a 192.168.1.1
AnswerC

This command walks the MIB tree using the 'public' community string on SNMPv2c.

Why this answer

Option C is correct because `snmpwalk` is the standard command-line tool for enumerating SNMP (Simple Network Management Protocol) information from a network device. By specifying the community string (`-c public`) and SNMP version (`-v 2c`), it retrieves the entire Management Information Base (MIB) tree from the target IP address, allowing an attacker to discover system details, running processes, and network interfaces.

Exam trap

The trap here is that candidates confuse SNMP enumeration tools with other network enumeration tools (like LDAP, SMB, or NetBIOS), leading them to pick a command that targets a different protocol entirely.

How to eliminate wrong answers

Option A is wrong because `ldapsearch` is used for querying LDAP directories (port 389), not for SNMP enumeration; it requires a base DN and is unrelated to community strings. Option B is wrong because `enum4linux` is a tool for enumerating SMB/CIFS shares, users, and policies from Windows systems (port 445), not for SNMP queries. Option D is wrong because `nbtstat` is a Windows utility for NetBIOS over TCP/IP name resolution and cache management (port 137), not for SNMP enumeration.

170
MCQeasy

Refer to the exhibit. A security analyst reviews a CloudTrail log entry. What is the primary security concern indicated by this log?

A.The action was performed by the AWS root account, which should be avoided for routine tasks.
B.The AMI ID (ami-0abcdef1234567890) is from a trusted source.
C.The source IP address (203.0.113.5) is suspicious.
D.The instance type is t2.micro, which may be vulnerable.
AnswerA

Root should only be used for specific tasks.

Why this answer

The log entry shows that the action was performed by the AWS root account (userIdentity.type: Root). AWS best practices mandate that the root account be used only for tasks that require it, such as changing account settings or closing the account. Routine operations like launching an EC2 instance should be performed using IAM roles or users with least-privilege permissions.

Using the root account for everyday actions increases the risk of credential compromise and violates the principle of least privilege.

Exam trap

EC-Council often tests the concept that the root account should never be used for routine tasks, and candidates may mistakenly focus on the AMI ID, source IP, or instance type as potential threats, overlooking the critical security violation of root account usage.

How to eliminate wrong answers

Option B is wrong because the AMI ID (ami-0abcdef1234567890) being from a trusted source does not indicate a security concern; the log entry does not provide any evidence of compromise or malicious activity related to the AMI. Option C is wrong because the source IP address (203.0.113.5) is a public IP from a TEST-NET-3 range (RFC 5737), which is reserved for documentation and not a real, routable IP, so it cannot be considered suspicious in a real-world context. Option D is wrong because the instance type t2.micro is a standard, low-cost instance type and is not inherently vulnerable; security vulnerabilities depend on the OS, applications, and configurations, not the instance type itself.

171
MCQmedium

A penetration tester wants to crack Windows NTLM hashes using rainbow tables. Which tool is specifically designed for this purpose?

A.Hashcat
B.John the Ripper
C.RainbowCrack
D.Ophcrack
AnswerC

RainbowCrack is a tool that uses rainbow tables for hash cracking.

Why this answer

Option A is correct. RainbowCrack uses rainbow tables to crack hashes, including NTLM.

172
MCQhard

An analyst notices that a cloud application is vulnerable to Server-Side Request Forgery (SSRF). Which of the following is the MOST effective mitigation against SSRF attacks in a cloud environment?

A.Implement strict input validation on all user-supplied URLs
B.Block outbound traffic to internal IP ranges except through a configured forward proxy
C.Disable the use of external URLs in application features
D.Use a web application firewall (WAF) with SSRF signatures
AnswerB

This prevents the application from reaching internal services like the metadata endpoint, directly mitigating SSRF.

Why this answer

Restricting the application from making requests to internal IP ranges (e.g., 169.254.169.254 is the AWS metadata endpoint) is a key defense against SSRF.

173
MCQmedium

Which of the following commands would a tester use to enumerate NetBIOS names and their associated IP addresses on a local subnet?

A.nbtstat -n
B.nbtstat -c
C.nbtstat -a 192.168.1.10
D.nbtstat -A 192.168.1.10
AnswerD

Correct. nbtstat -A <IP> displays the NetBIOS name table for that IP.

Why this answer

Option D is correct because the `nbtstat -A` command (with a capital 'A') performs a NetBIOS name table lookup against a remote IP address, listing the NetBIOS names registered by that host along with their associated IP addresses. This is the standard method for enumerating NetBIOS names on a specific target within a local subnet, as it queries the NetBIOS name service (UDP port 137) directly.

Exam trap

The trap here is that candidates often confuse the lowercase `-a` (which expects a hostname) with the uppercase `-A` (which expects an IP address), leading them to incorrectly select option C when the question specifies an IP address.

How to eliminate wrong answers

Option A is wrong because `nbtstat -n` displays only the local NetBIOS names registered on the tester's own machine, not names from other hosts on the subnet. Option B is wrong because `nbtstat -c` shows the local NetBIOS name cache, which contains recently resolved names and their IP addresses, but does not actively enumerate all hosts on the subnet. Option C is wrong because `nbtstat -a` (lowercase 'a') performs a NetBIOS name table lookup using a hostname, not an IP address, so it would fail or produce incorrect results when given an IP address.

174
MCQmedium

A security analyst observes repeated de-authentication packets targeting clients on a corporate Wi-Fi network. What is the MOST likely goal of the attacker?

A.To perform a denial-of-service attack and disrupt all wireless connectivity
B.To capture the WPA2 4-way handshake for offline password cracking
C.To install malware on the client devices
D.To exploit a vulnerability in the RADIUS server
AnswerB

De-auth forces reconnection, enabling capture of the handshake if the attacker is running airodump-ng.

Why this answer

De-authentication attacks force clients to reconnect, allowing the attacker to capture the 4-way handshake for offline cracking of the PSK.

175
Multi-Selectmedium

Which TWO of the following are effective mitigations against Clickjacking attacks? (Choose 2)

Select 2 answers
A.Enable HTTP Strict-Transport-Security (HSTS)
B.Set Content-Security-Policy: frame-ancestors 'none'
C.Use CSRF tokens
D.Set X-Frame-Options: DENY
E.Set SameSite cookies to Strict
AnswersB, D

CSP frame-ancestors controls which domains can embed the page.

Why this answer

X-Frame-Options header and Content-Security-Policy frame-ancestors directive are both effective against clickjacking.

176
MCQeasy

During a passive reconnaissance phase, a penetration tester uses a tool to gather email addresses, subdomains, and employee names associated with a target domain without directly interacting with the target's systems. Which tool is BEST suited for this purpose?

A.theHarvester
B.Nmap
C.Netcat
D.Wireshark
AnswerA

theHarvester is a passive OSINT tool that collects emails, subdomains, IPs, and names from public sources like Google, Bing, and LinkedIn.

Why this answer

theHarvester is specifically designed for passive reconnaissance by querying public sources such as search engines (Google, Bing), PGP key servers, and the Shodan API to collect email addresses, subdomains, and employee names without sending any packets directly to the target's infrastructure. This aligns perfectly with the requirement of gathering OSINT data without direct interaction.

Exam trap

The trap here is that candidates often confuse passive reconnaissance with tools that can be used passively in some contexts (like Wireshark for sniffing), but the question specifically requires gathering email addresses, subdomains, and employee names from public sources, which only theHarvester is designed to do.

How to eliminate wrong answers

Option B (Nmap) is wrong because it actively sends crafted packets to target hosts to discover open ports and services, which constitutes active reconnaissance and would generate logs on the target's systems. Option C (Netcat) is wrong because it is a network utility for reading/writing data across TCP/UDP connections, used for banner grabbing or port scanning, both of which involve direct interaction with the target. Option D (Wireshark) is wrong because it is a packet analyzer that captures and inspects network traffic already on the wire, requiring either existing traffic from the target or active sniffing, and does not perform passive OSINT collection from public sources.

177
MCQhard

A security analyst runs `snmpwalk -v2c -c public 192.168.1.1` and receives extensive output about the device's configuration. Which of the following is the MOST effective countermeasure against this enumeration?

A.Disable SNMP entirely
B.Use SNMPv3 with encryption
C.Change the default community string and restrict SNMP access to specific IPs
D.Block ICMP echo requests
AnswerC

Correct. Changing community strings from defaults and using ACLs prevents unauthorized enumeration.

Why this answer

Option C is correct because the most effective countermeasure against SNMP enumeration via a default community string is to change the default 'public' (or 'private') string to a strong, non-guessable value and restrict SNMP access to trusted management IPs using an access control list (ACL). This prevents unauthorized querying of the MIB tree while still allowing legitimate SNMP monitoring.

Exam trap

The trap here is that candidates often choose SNMPv3 with encryption (Option B) because it sounds more secure, but the question specifically targets the misconfiguration of using the default 'public' community string on SNMPv2c, which is best remedied by changing the community string and restricting access, not by upgrading the protocol version alone.

How to eliminate wrong answers

Option A is wrong because disabling SNMP entirely may break legitimate network monitoring and management functions, making it an overly drastic and often impractical solution. Option B is wrong because while SNMPv3 with encryption provides authentication and privacy, the question specifies the attacker is using SNMPv2c with the 'public' community string; switching to SNMPv3 does not directly address the misconfiguration of using a default community string on v2c devices, and the question asks for the most effective countermeasure against this specific enumeration. Option D is wrong because blocking ICMP echo requests (ping) only prevents network discovery via ICMP, not SNMP enumeration over UDP port 161.

178
Multi-Selecteasy

Which TWO of the following are common types of SQL injection attacks?

Select 2 answers
A.Blind SQL injection (boolean-based)
B.Out-of-band SQL injection
C.In-band SQL injection (union-based)
D.Heap-based SQL injection
E.NoSQL injection
AnswersA, C

Blind SQL injection does not return data directly; it infers information from server responses.

Why this answer

In-band SQLi (union-based) uses the same channel to inject and retrieve data. Blind SQLi (boolean-based or time-based) does not return data directly but infers information from behavior. NoSQL injection is a separate category.

Heap-based is not a recognized SQLi type. Out-of-band is a third type but not listed among the options; the question asks for common types.

179
MCQeasy

Which of the following tools is PRIMARILY used for passive OSINT gathering and can query multiple search engines, social media platforms, and public databases to collect information about a target?

A.Nmap
B.Wireshark
C.Maltego
D.theHarvester
AnswerC

Maltego is designed for passive reconnaissance and aggregates data from multiple sources.

Why this answer

Maltego is primarily used for passive OSINT gathering because it leverages open-source intelligence feeds, search engines, social media platforms, and public databases to collect and correlate information about a target without directly interacting with the target's systems. Its transform-based architecture allows it to query multiple data sources simultaneously, making it the correct choice for passive reconnaissance.

Exam trap

The trap here is that candidates often confuse theHarvester with Maltego because both are OSINT tools, but theHarvester is more specialized for email and subdomain harvesting, while Maltego is the broader platform for multi-source passive intelligence gathering and visualization.

How to eliminate wrong answers

Option A is wrong because Nmap is an active reconnaissance tool that sends crafted packets to target hosts to discover open ports, services, and operating systems, which generates network traffic and can be detected. Option B is wrong because Wireshark is a network protocol analyzer used for capturing and inspecting live or recorded traffic, not for querying search engines or public databases for OSINT. Option D is wrong because theHarvester is indeed an OSINT tool, but it is primarily focused on email addresses, subdomains, and names from search engines and PGP key servers, not the broad multi-source correlation and visualization that Maltego provides for passive OSINT gathering.

180
MCQeasy

During a penetration test, you need to identify all live hosts on a target network without being detected by intrusion detection systems. Which Nmap flag would BEST achieve this?

A.-O (OS fingerprinting)
B.-sn (ping sweep)
C.-sS (SYN scan)
D.-sV (version detection)
AnswerB

Ping sweep only checks host availability, generating minimal traffic and avoiding full port scans.

Why this answer

The -sn flag (ping sweep) sends ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default to determine if a host is alive. This is the best choice for stealthy host discovery because it does not complete a full TCP handshake or send application-layer probes, minimizing the chance of triggering IDS signatures that look for port scans or OS fingerprinting.

Exam trap

The trap here is that candidates often confuse -sn (ping sweep) with -sS (SYN scan) because both involve TCP packets, but -sn is purely for host discovery without port scanning, whereas -sS is a port scanning technique that is much more intrusive and detectable.

How to eliminate wrong answers

Option A is wrong because -O (OS fingerprinting) sends a series of crafted TCP packets to analyze responses for OS detection, which is highly detectable by IDS due to the unusual packet combinations and is not designed for simple host discovery. Option C is wrong because -sS (SYN scan) sends TCP SYN packets to specific ports to identify open ports, which is a port scanning technique that can trigger IDS alerts for half-open connections and is not optimized for stealthy live host detection. Option D is wrong because -sV (version detection) initiates full TCP connections and sends probe strings to identify service versions, which is noisy and easily detected by IDS, and is intended for service enumeration, not host discovery.

181
MCQeasy

Which of the following is a symptom of a successful command injection attack?

A.The server returns a 404 error
B.The output of the 'id' command appears in the response
C.The HTTP response header contains 'Server: Apache'
D.The page loads slower than usual
AnswerB

If the command executes, its output may be reflected.

Why this answer

Command injection allows execution of system commands; using 'id' is a common test to confirm.

182
Multi-Selecteasy

Which TWO of the following are cloud-specific security threats?

Select 2 answers
A.SQL injection
B.De-authentication attack
C.ARP spoofing
D.S3 bucket misconfiguration
E.SSRF in cloud
AnswersD, E

Misconfigured S3 buckets can expose data publicly.

Why this answer

S3 bucket misconfiguration is a cloud-specific threat because it involves improper access control settings on Amazon S3 storage, such as public read/write permissions, which can lead to data exposure or unauthorized access. This threat is unique to cloud environments where object storage is managed via APIs and IAM policies, unlike traditional on-premises storage.

Exam trap

EC-Council often tests the distinction between general web/network attacks and those that exploit cloud-specific features like metadata services or object storage permissions, leading candidates to mistakenly classify SQL injection or ARP spoofing as cloud threats.

183
Multi-Selectmedium

Which THREE of the following are best practices for securing IoT devices in a home automation network?

Select 3 answers
A.Enable Universal Plug and Play (UPnP) for easy integration.
B.Segment IoT devices on a separate VLAN or subnet.
C.Change default usernames and passwords.
D.Disable unnecessary features and services.
E.Ensure all devices are connected directly to the internet for remote access.
AnswersB, C, D

Limits lateral movement.

Why this answer

Segmenting IoT devices on a separate VLAN or subnet (Option B) is a best practice because it isolates potentially insecure IoT devices from the main trusted network. If an IoT device is compromised, the attacker cannot easily pivot to other devices on the primary LAN. This leverages Layer 2 or Layer 3 segmentation to enforce network access controls, reducing the attack surface in a home automation environment.

Exam trap

EC-Council often tests the misconception that UPnP simplifies integration and is safe, when in fact it is a well-known security risk due to its lack of authentication and automatic port forwarding.

184
MCQmedium

A security analyst uses a tool to capture packets in promiscuous mode on a network segment. The analyst notices that only traffic to and from the analyst's machine is captured, not all traffic on the segment. What is the most likely reason?

A.The network is using a switch instead of a hub
B.The switch is preventing sniffing due to port security
C.The analyst is not using the correct filter in Wireshark
D.The network interface is not in promiscuous mode
AnswerA

Switches send frames only to the specific port, making sniffing difficult without additional techniques.

Why this answer

A switch only forwards traffic to the port where the destination MAC resides; promiscuous mode only affects the local NIC, not switch behavior.

185
MCQmedium

A cloud security engineer notices that an S3 bucket containing sensitive customer data is configured with a bucket policy that allows 'Principal': '*' and 'Action': 's3:GetObject'. The bucket is not publicly accessible via the AWS Management Console, but the engineer is concerned about data exposure. What is the most likely risk?

A.Anyone on the internet can read objects in the bucket if they know the object URL.
B.The data is encrypted at rest, so no exposure risk exists.
C.The bucket policy is misconfigured but only affects objects with server-side encryption.
D.Only authenticated AWS users can access the bucket, so the risk is limited.
AnswerA

Public read access is granted to all objects.

Why this answer

The bucket policy allows 'Principal': '*' with 'Action': 's3:GetObject', which grants anonymous read access to any object in the bucket. Even if the bucket is not publicly listed in the AWS Management Console, anyone on the internet who knows or guesses the object URL can retrieve the object directly via HTTP/HTTPS. This is a classic data exposure risk because the policy overrides any console-level restrictions.

Exam trap

The trap here is that candidates confuse 'not publicly accessible via the AWS Management Console' with 'not publicly accessible via direct object URLs,' but S3 bucket policies control access at the API level, not just the console UI.

How to eliminate wrong answers

Option B is wrong because encryption at rest protects data only if it is accessed without proper decryption keys, but the policy allows direct object retrieval without authentication, so encryption does not prevent exposure. Option C is wrong because the bucket policy applies to all objects regardless of server-side encryption status; the misconfiguration affects all objects, not just encrypted ones. Option D is wrong because 'Principal': '*' means any unauthenticated user (not just authenticated AWS users) can access the bucket; the policy does not require AWS authentication.

186
MCQeasy

A security analyst wants to enumerate users and groups from a Windows domain controller using LDAP. Which of the following queries would return all objects of class 'user' from the domain 'example.com'?

A.ldapsearch -x -b "dc=example,dc=com" "(cn=*)"
B.ldapsearch -x -b "dc=example,dc=com" "(objectClass=user)"
C.ldapsearch -x -b "dc=example,dc=com" "(objectClass=person)"
D.ldapsearch -x -b "dc=example,dc=com" "(&(objectClass=user)(objectCategory=person))"
AnswerB

Correct query to list all user objects in the domain.

Why this answer

Option B is correct. The LDAP query '(&(objectClass=user))' filters for user objects. The base DN 'dc=example,dc=com' specifies the domain.

Options A, C, and D use incorrect syntax or filters.

187
MCQmedium

A penetration tester is using SQLMap to automate exploitation of a SQL injection vulnerability found in a login form. The tester wants to retrieve the names of all databases on the backend MySQL server. Which SQLMap flag should be used?

A.--dbs
B.--current-db
C.--schema
D.--tables
AnswerA

--dbs lists all databases on the server.

Why this answer

The --dbs flag in SQLMap enumerates all databases on the database server.

188
Multi-Selectmedium

Which TWO of the following are examples of protocol-based DoS attacks? (Choose two.)

Select 2 answers
A.Smurf attack
B.SYN flood
C.HTTP flood
D.Slowloris
E.UDP flood
AnswersA, B

Smurf attack uses ICMP echo requests with spoofed source IP.

Why this answer

SYN flood and Smurf attack exploit TCP/IP protocol weaknesses.

189
MCQeasy

A security analyst captures a WPA2 4-way handshake using airodump-ng. Which tool would they most likely use next to attempt to crack the PSK using a wordlist?

A.John the Ripper
B.ScoutSuite
C.Aircrack-ng
D.Reaver
AnswerC

Correct tool for dictionary-based cracking of WPA2 handshakes.

Why this answer

Aircrack-ng is the standard tool for cracking WEP/WPA keys from captured packets, including WPA2 handshakes using a dictionary attack.

190
MCQmedium

An employee receives a text message claiming to be from the company's IT department, stating that their account will be suspended unless they click a link to verify their credentials. Which type of social engineering attack is this?

A.Vishing
B.Phishing
C.Baiting
D.SMiShing
AnswerD

SMiShing is phishing via SMS.

Why this answer

SMiShing (SMS phishing) is a phishing attack conducted via SMS text messages. The message uses urgency to trick the recipient into revealing credentials.

191
MCQhard

An attacker intercepts a request and notices that the server reflects the value of the 'User-Agent' header in the response without sanitization. The attacker crafts a payload that triggers an alert box. This is an example of:

A.HTTP header injection
B.DOM-based XSS
C.Stored XSS
D.Reflected XSS
AnswerD

The server reflects the header value unsanitized, leading to reflected XSS.

Why this answer

Reflected XSS occurs when the application immediately returns the user input in the response; here, the User-Agent header is reflected.

192
MCQhard

Refer to the exhibit. A penetration tester sends a SOAP request and receives multiple user records. Which vulnerability is present?

A.SQL injection in SOAP service
B.XML External Entity (XXE) injection
C.Cross-site scripting (XSS)
D.Command injection
AnswerA

The userId parameter contains '1 OR 1=1', which results in returning all users, indicating SQL injection.

193
MCQmedium

During a web application penetration test, a tester uses Burp Suite's Intruder tool to automate a series of login attempts using a list of common passwords. Which attack type is being performed?

A.Credential stuffing
B.Brute force attack
C.Dictionary attack
D.Password spraying
AnswerA

Credential stuffing involves using lists of known passwords (often from data breaches) to gain unauthorized access.

Why this answer

Credential stuffing uses a list of known passwords, while password spraying uses a few passwords against many accounts. Brute force is typically many passwords per account. The description best matches credential stuffing.

194
Multi-Selecthard

Which TWO of the following are valid techniques for password cracking?

Select 2 answers
A.Brute-force attack
B.Phishing
C.Man-in-the-middle attack
D.Rainbow table attack
E.Keylogging
AnswersA, D

Tries all possible passwords until correct.

Why this answer

A brute-force attack is a valid password cracking technique that systematically tries every possible combination of characters until the correct password is found. It is computationally intensive but guaranteed to succeed given enough time, making it a fundamental method in password auditing and recovery.

Exam trap

The trap here is that candidates often confuse passive or indirect credential theft methods (phishing, keylogging, MITM) with active password cracking techniques that directly derive plaintext from hashes or encrypted data.

195
MCQhard

A security analyst runs the Nmap command: nmap -sI 192.168.1.50 -p 80 10.0.0.1. The scan completes, but the target shows no open ports. What is the MOST likely explanation?

A.The analyst used the wrong port number
B.The target has a firewall blocking the decoy packets
C.The target host is offline
D.The zombie host is not truly idle, causing false results
AnswerD

Idle scan relies on the zombie's IP ID being predictable; if the zombie is active, the IP ID increments unpredictably, leading to false negatives.

Why this answer

The -sI flag in Nmap performs an idle scan, which relies on a zombie host (192.168.1.50) with a globally predictable IP ID sequence to probe the target. If the zombie host is not truly idle—meaning it is sending or receiving other traffic during the scan—its IP ID values will increment unpredictably, corrupting the side-channel analysis and causing Nmap to report all ports as filtered or closed. This is the most likely reason for the false 'no open ports' result.

Exam trap

The trap here is that candidates often assume a firewall or offline target is the cause, but the idle scan's success hinges entirely on the zombie's idle state, not on target-side filtering or host availability.

How to eliminate wrong answers

Option A is wrong because the -p 80 flag explicitly targets port 80, and the scan completed without error, so the port number is not the issue. Option B is wrong because a firewall blocking decoy packets would not affect an idle scan; idle scans use the zombie's IP, not decoys, and firewall rules on the target would block the zombie's packets, not the analyst's. Option C is wrong because if the target host were offline, Nmap would typically report 'Host seems down' or time out, not complete the scan and show 'no open ports'.

196
MCQhard

A penetration tester observes that an Nmap SYN scan shows all 1000 TCP ports as open. The tester suspects the target is using a security appliance that responds with SYN-ACK to all connection attempts, regardless of the actual port state. Which type of Nmap scan would be MOST effective in determining the true state of the ports?

A.UDP scan (-sU)
B.Ping sweep (-sn)
C.TCP connect scan (-sT)
D.Idle scan (-sI)
AnswerC

-sT completes the handshake; if the port is closed, a RST is received after the ACK, revealing the true state even if SYN-ACKs are spoofed.

Why this answer

Option C is correct because a TCP connect scan (-sT) completes the full three-way handshake, which forces the target to respond with a RST if the port is actually closed, even if a security appliance initially sends SYN-ACK to all ports. This distinguishes between ports that are truly open (where the handshake completes) and those that are falsely reported as open by the appliance (where the handshake fails or a RST is received).

Exam trap

The trap here is that candidates assume a SYN scan (-sS) is always superior due to stealth, but they overlook that a security appliance can spoof SYN-ACKs, making the full handshake of -sT necessary to bypass the deception.

How to eliminate wrong answers

Option A is wrong because a UDP scan (-sU) targets UDP ports, not TCP ports, and cannot determine the true state of TCP ports; it also suffers from false positives due to ICMP unreachable responses. Option B is wrong because a ping sweep (-sn) only checks host availability via ICMP or TCP pings and does not perform any port-level scanning to determine port states. Option D is wrong because an idle scan (-sI) relies on a zombie host with predictable IP IDs and is designed for stealth, not for bypassing SYN-ACK spoofing; it would still receive SYN-ACKs from the appliance and cannot differentiate real open ports from spoofed responses.

197
MCQeasy

Which type of malware is designed to encrypt files on a victim's system and demand payment for the decryption key?

A.Ransomware
B.Trojan
C.Spyware
D.Adware
AnswerA

Ransomware encrypts files and demands payment for decryption.

Why this answer

Ransomware is specifically designed to encrypt files and demand ransom. The other options do not typically encrypt files for ransom.

198
MCQhard

A penetration tester is attempting to evade an IDS/IPS while performing a port scan. They use the Nmap command: nmap -sS -f --data-length 20 -D RND:10 10.0.0.1. Which techniques are being employed to evade detection?

A.Idle scan, fragmentation, and MAC address spoofing
B.Packet timing manipulation, decoy, and avoiding DNS resolution
C.Fragmentation, decoy, and using a random source IP
D.Fragmentation, decoy, and source port spoofing
AnswerC

-f fragments IP packets, --data-length adds random data, and -D RND:10 generates random decoy IPs. The source IP is not random; decoys are additional spoofed sources.

Why this answer

Option C is correct because the Nmap command `-sS -f --data-length 20 -D RND:10` employs three evasion techniques: fragmentation (the `-f` flag splits the TCP SYN packet into smaller fragments to bypass simple packet inspection), decoy scanning (`-D RND:10` generates 10 random decoy source IP addresses to obscure the real scanning host), and using a random source IP (the `RND:10` mechanism effectively randomizes the source IP of the probes, making it harder for the IDS/IPS to attribute the scan to a single attacker).

Exam trap

The trap here is that candidates often confuse the `-D RND:10` decoy option with source IP spoofing or idle scanning, but the command does not include the `-sI` flag for idle scanning or `--source-port` for port spoofing, and the `RND:10` specifically randomizes decoy IPs, not the source IP of the attacker's machine.

How to eliminate wrong answers

Option A is wrong because an idle scan requires the `-sI` flag and a zombie host IP, which is not present; MAC address spoofing is not used in this command. Option B is wrong because packet timing manipulation (e.g., `-T` or `--scan-delay`) and avoiding DNS resolution (`-n`) are not specified in the given Nmap command. Option D is wrong because source port spoofing would require the `--source-port` or `-g` flag, which is not included in the command.

199
MCQeasy

Which of the following tools is specifically designed to automate the detection and exploitation of SQL injection vulnerabilities?

A.Metasploit
B.Nmap
C.SQLMap
D.Burp Suite
AnswerC

SQLMap is the standard tool for automated SQL injection detection and exploitation.

Why this answer

SQLMap is a well-known open-source tool that automates the process of detecting and exploiting SQL injection flaws.

200
MCQmedium

A security analyst notices that after a user connects to a corporate Wi-Fi network, all HTTP traffic is redirected to a fake login page that captures credentials. The analyst suspects a rogue access point. Which attack is most likely being used to force client connections to the rogue AP?

A.Evil twin attack using a stronger signal
B.WPA2 dictionary attack on the handshake
C.WPS PIN brute-force attack
D.De-authentication attack followed by evil twin
AnswerD

De-auth packets disconnect clients; they then connect to the rogue AP (evil twin) which serves a fake login page.

Why this answer

De-authentication packets force clients to disconnect from the legitimate AP, after which they may automatically reconnect to a rogue AP with the same SSID. Evil twin is the fake AP, but the mechanism to disconnect clients is de-authentication.

201
MCQmedium

An ethical hacker is assessing a Linux web server running Apache. The server is suspected to have a remote file inclusion (RFI) vulnerability. Which testing approach is most appropriate to confirm the vulnerability without causing damage?

A.Craft a request with a local file inclusion parameter pointing to /etc/passwd
B.Use SQLMap to test for SQL injection
C.Scan the server with Nikto to detect known RFI signatures
D.Attempt to include a remote URL containing a web shell
AnswerA

This safely confirms RFI by reading a local file, proving the vulnerability.

Why this answer

Option A is correct because it uses a local file inclusion (LFI) parameter to test for file inclusion without causing damage. By attempting to include /etc/passwd, the tester can verify if the server processes user-supplied input to include files, which is a direct indicator of an RFI vulnerability if the server returns the file contents. This approach is safe and non-destructive, as it only reads a standard system file.

Exam trap

The trap here is that candidates may confuse RFI with LFI or think that using a web shell is acceptable for confirmation, but the CEH exam emphasizes non-destructive testing and ethical boundaries, making a local file inclusion test the correct first step.

How to eliminate wrong answers

Option B is wrong because SQLMap is designed to test for SQL injection vulnerabilities, not remote file inclusion; using it would not confirm an RFI vulnerability and could cause unintended database damage. Option C is wrong because Nikto is a vulnerability scanner that detects known signatures, but it may produce false positives or miss custom RFI vectors; it is not a direct confirmation method and could trigger alerts or cause unintended behavior. Option D is wrong because attempting to include a remote URL containing a web shell is destructive and unethical; it would actively exploit the vulnerability, potentially compromising the server, which violates the principle of non-destructive testing in ethical hacking.

202
MCQeasy

Which tool is specifically designed to create and manage phishing campaigns for security awareness testing?

A.Metasploit
B.Nmap
C.Wireshark
D.SET
AnswerD

SET is the Social Engineering Toolkit.

Why this answer

The Social Engineering Toolkit (SET) is a framework for social engineering attacks, including phishing.

203
MCQeasy

A security analyst receives an alert about a suspicious file hash. The analyst wants to check if the file is known malware by querying an online database of malware signatures. Which tool should the analyst use?

A.Nmap
B.John the Ripper
C.VirusTotal
D.Wireshark
AnswerC

VirusTotal accepts file hashes and returns detection results from many AV engines.

Why this answer

VirusTotal is a free online service that aggregates multiple antivirus engines and malware detection tools, allowing users to upload files or query file hashes against a vast database of known malware signatures. This directly matches the requirement to check if a file is known malware by querying an online database.

Exam trap

The trap here is that candidates may confuse tools like Nmap or Wireshark for malware analysis because they are commonly used in security investigations, but they lack the specific function of querying an online malware signature database.

How to eliminate wrong answers

Option A is wrong because Nmap is a network scanning tool used for discovering hosts and services on a network, not for querying malware signature databases. Option B is wrong because John the Ripper is a password cracking tool that performs brute-force or dictionary attacks on password hashes, not a malware signature lookup service. Option D is wrong because Wireshark is a network protocol analyzer used for capturing and inspecting network traffic packets, not for checking file hashes against malware databases.

204
MCQeasy

Which of the following is a passive OS fingerprinting technique that does NOT send any packets to the target?

A.Sending TCP SYN packets and analyzing responses
B.Analyzing TTL and window size from captured packets
C.Performing a NULL scan
D.Using Nmap -O flag
AnswerB

This is passive fingerprinting; it uses existing traffic.

Why this answer

Passive OS fingerprinting involves observing network traffic without sending any packets to the target. Analyzing the Time-to-Live (TTL) and TCP window size from captured packets is a classic passive technique because these values are OS-specific defaults (e.g., Linux often uses TTL 64 and window size 5840, while Windows uses TTL 128 and window size 65535). Since no packets are sent to the target, this method is entirely passive and undetectable.

Exam trap

The trap here is that candidates often confuse passive fingerprinting with active techniques like banner grabbing or Nmap scans, assuming that any packet capture analysis is passive, but the key distinction is whether any packets are sent to the target.

How to eliminate wrong answers

Option A is wrong because sending TCP SYN packets and analyzing responses is an active fingerprinting technique, as it involves transmitting packets to the target. Option C is wrong because performing a NULL scan sends TCP packets with no flags set to the target, making it an active reconnaissance method. Option D is wrong because using Nmap with the -O flag sends a series of probes (e.g., TCP SYN, ICMP) to the target to determine the OS, which is an active fingerprinting approach.

205
MCQmedium

An analyst observes repeated failed login attempts to a Windows server from an internal IP, followed by a successful login using the account 'admin' from the same IP. The analyst checks the Security log and finds Event ID 4624 with Logon Type 3. What type of attack is MOST likely occurring?

A.SMB relay attack
B.Kerberos golden ticket attack
C.Pass-the-hash attack
D.Dictionary attack on the admin account
AnswerD

Multiple failed attempts suggest a dictionary/brute-force attack; success indicates correct password found.

Why this answer

Event ID 4624 with Logon Type 3 indicates a network logon (typically SMB or other network resource access). The sequence of repeated failed attempts followed by a successful login from the same internal IP strongly suggests a dictionary (brute-force) attack against the 'admin' account. The attacker systematically tried passwords until one succeeded, which is the hallmark of a dictionary attack.

Exam trap

The trap here is that candidates see 'successful login' and 'Event ID 4624' and incorrectly assume a pass-the-hash or relay attack, but the presence of repeated failed attempts before success is the key indicator of a dictionary attack, not a credential theft technique.

How to eliminate wrong answers

Option A is wrong because an SMB relay attack intercepts and relays authentication traffic to impersonate a user, not by trying multiple passwords from a single IP; it would not produce repeated failed logins followed by a success from the same IP. Option B is wrong because a Kerberos golden ticket attack forges a Ticket Granting Ticket (TGT) using the KRBTGT hash, allowing domain-wide access without any failed login attempts; it would not generate Event ID 4624 with Logon Type 3 from a single IP. Option C is wrong because a pass-the-hash attack uses a stolen NTLM hash to authenticate without knowing the plaintext password, so it would not cause multiple failed login attempts; it typically succeeds on the first try if the hash is valid.

206
Multi-Selectmedium

Which TWO of the following are common security risks associated with bring-your-own-device (BYOD) policies in a corporate environment?

Select 2 answers
A.Lack of visibility into device security posture
B.Data leakage through personal apps
C.Enhanced network segmentation
D.Stronger encryption of corporate data
E.Increased control over device configurations
AnswersA, B

IT may not know if devices are compromised.

Why this answer

Option A is correct because BYOD devices are personally owned and not under direct corporate management, leading to a lack of visibility into their security posture. Without a Mobile Device Management (MDM) or Unified Endpoint Management (UEM) solution, the organization cannot assess patch levels, antivirus status, or jailbreak/root status, leaving the network exposed to compromised devices.

Exam trap

EC-Council often tests the distinction between risks and controls; the trap here is that candidates confuse security mitigations (like segmentation or encryption) with inherent risks, leading them to select options C, D, or E instead of recognizing them as countermeasures.

207
MCQeasy

Which tool is specifically designed to assess the security configuration of AWS, Azure, and GCP cloud environments by scanning for misconfigurations in services like S3, IAM, and EC2?

A.ScoutSuite
B.Pacu
C.Reaver
D.Aircrack-ng
AnswerA

ScoutSuite scans cloud infrastructure for security misconfigurations across AWS, Azure, and GCP.

Why this answer

ScoutSuite is an open-source multi-cloud security auditing tool that checks for misconfigurations across AWS, Azure, and GCP. Pacu is an AWS exploitation framework; Aircrack-ng is for wireless; Reaver is for WPS.

208
MCQeasy

An attacker sends an email that appears to come from the CEO, requesting that the recipient urgently transfer funds to a specified account. Which type of social engineering attack is this?

A.Spear phishing
B.Whaling
C.Baiting
D.Phishing
AnswerB

Whaling targets high-profile executives like the CFO, often with CEO impersonation.

Why this answer

Whaling targets high-profile individuals like executives. Spear phishing targets specific individuals, but whaling is specifically aimed at whales (big fish). The email from the CEO targeting an employee would be spear phishing, but the term 'whaling' is used when the target is a high-level executive.

However, the email is from the CEO, so the attacker is impersonating a whale. Actually, whaling is when the target is a whale. Here the target is not necessarily a whale.

The best answer is 'Spear phishing' because it's targeted. But the question says 'appears to come from the CEO' – that's impersonation. 'Pretexting' involves fabricating a scenario. 'Phishing' is generic. 'Spear phishing' is targeted. I'll go with 'Spear phishing' as the most accurate.

I'll correct scenario: An attacker sends an email to a CFO appearing to be from the CEO. That's whaling. Let me adjust the stem to make it clear: 'An attacker sends an email to the company CFO that appears to come from the CEO, requesting an urgent wire transfer.

Which type of social engineering attack is this?' Then the answer is 'Whaling'.

209
MCQeasy

In PKI, what is the primary role of a Certificate Authority (CA)?

A.To issue and digitally sign certificates
B.To revoke user passwords
C.To generate random session keys
D.To encrypt data between client and server
AnswerA

This is the core function of a CA.

Why this answer

A CA issues and signs digital certificates, validating the identity of certificate requestors.

210
MCQhard

A network administrator notices an unusual amount of traffic on port 389 from an internal server to multiple external IP addresses. Which type of malware might be present?

A.Adware
B.Worm
C.Trojan backdoor
D.Ransomware
AnswerC

A backdoor Trojan may use LDAP for covert communication.

Why this answer

Port 389 is used by LDAP. Outbound traffic to multiple external IPs could indicate LDAP query-based command and control or data exfiltration, but more commonly, port 389 is associated with directory services. However, in malware context, it could be a sign of a backdoor or RAT using LDAP for C2.

The most likely is that the malware is using LDAP for communication, but given options, a Trojan backdoor is plausible.

211
Matchingmedium

Match each type of attack to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Social engineering via deceptive emails

Intercepting communication between two parties

Inserting malicious SQL queries into input fields

Overwhelming a system to make it unavailable

Associating attacker's MAC with victim's IP

Why these pairings

These attacks are covered in CEH domain on system hacking and network attacks.

212
Multi-Selecteasy

Which TWO of the following are common indicators of a command injection vulnerability? (Select 2)

Select 2 answers
A.The application allows input of shell metacharacters like ;, &&, or |
B.The application reflects user input in the page without encoding
C.The application returns database error messages
D.The application uses parameterized queries for database access
E.The application executes system commands and returns output
AnswersA, E

These metacharacters can be used to chain commands.

Why this answer

Command injection typically involves injecting shell metacharacters (;, &&, |) and can be confirmed by observing time delays with sleep commands.

213
MCQmedium

During a penetration test, you are tasked with performing footprinting on a target organization. You have identified the target's IP range 192.168.1.0/24. Which of the following techniques would provide the most comprehensive information about the target's network topology and potential entry points?

A.Conduct social engineering to gather information from employees about internal network structure.
B.Use traceroute to map the network path and identify intermediate routers and firewalls.
C.Perform a WHOIS lookup to obtain domain registration details including administrative contacts.
D.Perform DNS enumeration to find all subdomains and associated IP addresses.
AnswerB

Traceroute shows the route packets take, revealing network topology and potential entry points.

Why this answer

Traceroute (using ICMP, UDP, or TCP probes with incrementing TTL values) reveals the Layer 3 path from the tester to the target, identifying each hop (router, firewall, or other gateway) along the route. This directly maps the network topology and can expose intermediate security devices, ACLs, and potential choke points, which is the most comprehensive technique for understanding the target's network layout and entry points from the given options.

Exam trap

The trap here is that candidates confuse footprinting techniques that gather passive information (WHOIS, DNS) with active network path mapping (traceroute), assuming WHOIS or DNS enumeration will reveal network topology when they only reveal domain or host metadata.

How to eliminate wrong answers

Option A is wrong because social engineering gathers subjective, often incomplete information from employees and does not directly reveal the actual network topology or technical entry points; it is a separate reconnaissance vector, not a footprinting technique for mapping network paths. Option C is wrong because WHOIS lookup provides domain registration details (registrant, admin contacts, name servers) but reveals nothing about the internal network topology, routers, or firewalls. Option D is wrong because DNS enumeration discovers subdomains and their associated IP addresses, which helps identify public-facing hosts but does not map the network path, intermediate routers, or firewalls.

214
Multi-Selectmedium

Which TWO types of malware typically require user interaction (e.g., opening a file or clicking a link) to activate? (Select two.)

Select 2 answers
A.Ransomware
B.Macro virus
C.Polymorphic virus
D.Worm
E.Trojan horse
AnswersA, E

Often delivered via phishing links or attachments requiring user interaction.

Why this answer

Trojans typically require user interaction to execute, and ransomware often requires user action (clicking a link or opening an attachment) to trigger. Worms and polymorphic viruses can spread without user interaction, though viruses generally need a host file.

215
Multi-Selecthard

During a penetration test, you need to enumerate all DNS records for example.com using a zone transfer. Which TWO tools can be used to attempt this?

Select 2 answers
A.dnsenum
B.dig
C.dnsrecon
D.theHarvester
E.nslookup
AnswersA, C

dnsenum can attempt AXFR zone transfers and enumerate DNS records.

Why this answer

A is correct because dnsenum is a specialized tool designed to enumerate DNS information, including attempting a zone transfer (AXFR query) to retrieve all DNS records for a domain. It automates the process of querying the DNS server for a full zone transfer, which is the primary method to enumerate all records if the server is misconfigured to allow it.

Exam trap

The trap here is that candidates confuse tools that can manually perform a zone transfer (like dig or nslookup) with dedicated enumeration tools that automate the process across multiple nameservers, leading them to select dig or nslookup instead of dnsenum and dnsrecon.

216
MCQhard

During a security assessment, you find a Linux binary with the SUID bit set and owned by root. You execute it and obtain a root shell. This is an example of which privilege escalation technique?

A.DLL hijacking
B.Kernel exploit
C.Token impersonation
D.SUID abuse
AnswerD

Correct. SUID bit abuse allows executing a binary with the owner's (root) privileges.

Why this answer

Option D is correct because the SUID (Set User ID) bit on a binary owned by root allows it to execute with root privileges regardless of the user running it. When you execute such a binary and it spawns a shell, that shell inherits the elevated privileges, effectively granting you a root shell. This is a classic example of SUID abuse, a common privilege escalation technique on Linux systems.

Exam trap

The trap here is that candidates may confuse SUID abuse with a kernel exploit, thinking any root shell from a binary must involve a kernel vulnerability, but SUID abuse is a misconfiguration-based technique that does not require exploiting kernel code.

How to eliminate wrong answers

Option A is wrong because DLL hijacking is a Windows-specific technique that exploits the search order for Dynamic Link Libraries to load a malicious DLL, which is not applicable to Linux binaries. Option B is wrong because a kernel exploit targets vulnerabilities in the operating system kernel to gain elevated privileges, whereas this scenario involves a legitimate SUID binary, not a kernel flaw. Option C is wrong because token impersonation is a Windows privilege escalation method that manipulates access tokens (e.g., using SeImpersonatePrivilege), which does not apply to Linux's SUID mechanism.

217
MCQeasy

Which wireless security standard introduced in 2018 uses Simultaneous Authentication of Equals (SAE) to replace the pre-shared key exchange in WPA2, providing forward secrecy and resistance to offline dictionary attacks?

A.WPA3
B.802.1X/EAP
C.WEP
D.WPA2
AnswerA

WPA3 introduces SAE (Simultaneous Authentication of Equals), providing forward secrecy and resistance to offline dictionary attacks.

Why this answer

WPA3 uses SAE (Dragonfly handshake) to provide forward secrecy and protect against offline dictionary attacks. WPA2 used PSK which is vulnerable to dictionary attacks. WEP and 802.1X are older or different.

218
MCQeasy

Which of the following cryptographic algorithms is classified as asymmetric?

A.RC4
B.3DES
C.AES
D.RSA
AnswerD

Correct: RSA is asymmetric, using public and private keys.

Why this answer

RSA is an asymmetric algorithm using a public/private key pair. AES, 3DES, and RC4 are symmetric algorithms.

219
MCQeasy

A security analyst discovers that an IoT device in a smart building is periodically sending small DNS queries to an external domain known for command-and-control activity. Which security control should be implemented to detect and block such traffic without disrupting legitimate operations?

A.Install a host-based firewall on the IoT device to restrict outbound traffic.
B.Deploy an intrusion detection system (IDS) on the network to alert on suspicious DNS queries.
C.Configure egress filtering on the firewall to block outbound connections to known malicious domains.
D.Disable DNS resolution on the IoT device to prevent any external communication.
AnswerC

Egress filtering prevents malicious outbound traffic.

Why this answer

Option C is correct because egress filtering on the firewall can block outbound DNS queries to known malicious domains by using a blocklist or threat intelligence feed, preventing command-and-control (C2) communication without affecting legitimate traffic to other domains. This control operates at the network perimeter, inspecting DNS requests against a reputation database and dropping matches, which is the most effective way to stop C2 traffic while allowing normal operations.

Exam trap

The trap here is that candidates confuse detection (IDS) with prevention (firewall filtering), assuming an alert is sufficient to stop the threat, but CEH emphasizes that blocking at the perimeter is required for active defense against C2 traffic.

How to eliminate wrong answers

Option A is wrong because host-based firewalls on IoT devices are often impractical due to resource constraints, lack of centralized management, and the device's limited ability to maintain dynamic blocklists; they also cannot block DNS queries if the device itself is compromised. Option B is wrong because an IDS only alerts on suspicious traffic but does not block it, so the C2 communication would still succeed, leaving the network exposed until manual intervention occurs. Option D is wrong because disabling DNS resolution entirely would break all legitimate external communications (e.g., firmware updates, time synchronization), causing operational disruption and potentially rendering the IoT device non-functional.

220
MCQmedium

Which Burp Suite tool is most appropriate for modifying and re-sending a single HTTP request multiple times with different payloads to test for SQL injection?

A.Repeater
B.Intruder
C.Proxy
D.Scanner
AnswerB

Intruder allows sending multiple requests with different payloads to test for vulnerabilities like SQL injection.

Why this answer

Burp Intruder is designed for automated customized attacks, allowing you to send many requests with varying payloads to a single target endpoint.

221
MCQhard

You are performing a penetration test and need to quickly scan a large IP range (e.g., 10.0.0.0/8) for open ports 80 and 443. Which tool is BEST suited for this high-speed scanning task?

A.OpenVAS
B.hping3
C.Nmap
D.Masscan
AnswerD

Masscan is optimized for high-speed port scanning over large address spaces.

Why this answer

Masscan is the best tool for this task because it is designed specifically for high-speed port scanning, capable of transmitting packets at rates exceeding 10 million packets per second, which is necessary to scan a /8 subnet (over 16 million IPs) for ports 80 and 443 in a reasonable timeframe. Unlike Nmap, which optimizes for accuracy and service detection, Masscan uses asynchronous raw socket transmission and can be tuned with the --rate parameter to maximize throughput, making it ideal for large-scale reconnaissance.

Exam trap

The trap here is that candidates often choose Nmap because it is the most familiar and versatile scanning tool, but the question specifically emphasizes 'high-speed' scanning of a massive IP range, which is Masscan's unique strength due to its asynchronous raw packet design and ability to achieve millions of packets per second.

How to eliminate wrong answers

Option A is wrong because OpenVAS is a vulnerability scanner that performs deep, slow assessments with authenticated checks and plugin-based testing, not a high-speed port scanner, and would take an impractical amount of time on a /8 range. Option B is wrong because hping3 is a packet crafting tool used for custom TCP/IP testing, firewall auditing, and DoS simulation, but it lacks the asynchronous scanning engine and rate optimization needed to scan millions of IPs quickly. Option C is wrong because while Nmap can scan large ranges with its -T5 timing template, its synchronous scanning model and service/version detection overhead make it significantly slower than Masscan for pure port discovery at scale, and it is not optimized for the extreme packet rates required for a /8 subnet.

222
Multi-Selectmedium

Which TWO tools are specifically designed for cloud security auditing and exploitation? (Choose two.)

Select 2 answers
A.ScoutSuite
B.Nessus
C.Aircrack-ng
D.Nmap
E.Pacu
AnswersA, E

ScoutSuite is a multi-cloud security auditing tool.

Why this answer

ScoutSuite is an open-source multi-cloud security-auditing tool that assesses the security posture of AWS, Azure, and GCP environments by checking for misconfigurations, excessive permissions, and compliance violations. Pacu is an AWS exploitation framework designed for offensive security testing, allowing penetration testers to enumerate resources, escalate privileges, and execute post-exploitation modules against cloud accounts. Both tools are purpose-built for cloud security auditing and exploitation, making them the correct choices.

Exam trap

EC-Council often tests the distinction between general-purpose security tools (Nessus, Nmap) and cloud-specific frameworks (ScoutSuite, Pacu), expecting candidates to recognize that tools like Aircrack-ng are strictly for wireless, not cloud, environments.

223
MCQmedium

You are a security analyst for a financial institution. The company has deployed a network of 500 Windows 10 workstations and 50 servers running Windows Server 2019. All systems are protected by a next-generation firewall and an endpoint detection and response (EDR) solution. Recently, several employees reported that their workstations are running slowly and exhibiting unusual pop-up messages demanding a ransom note in Bitcoin. The EDR alerts show that a file named 'invoice.docm' was downloaded from an email attachment and executed on multiple workstations. The EDR also indicates that the file dropped a PowerShell script that connected to an external IP address and downloaded additional payloads. After the initial infection, the EDR detected that the ransomware binary 'encryptor.exe' was executed, which began encrypting files. However, the encryption process was stopped by the EDR before all files were encrypted. The incident response team needs to determine the source of the infection and prevent future occurrences. Which of the following is the most effective first step to identify the initial infection vector?

A.Reimage all affected workstations to remove the ransomware and then review email logs for the original phishing email.
B.Block the external IP address at the firewall to prevent further communication with the C2 server.
C.Enable macro security settings in Microsoft Office to block macros from running without explicit user consent, and enforce via Group Policy.
D.Disable PowerShell across all workstations via Group Policy to prevent script execution.
AnswerC

This directly addresses the initial infection vector by preventing macros from executing.

Why this answer

Option C is correct because enabling macro security settings in Microsoft Office and enforcing them via Group Policy directly addresses the initial infection vector: the 'invoice.docm' file, which is a macro-enabled document. Macros are the most common mechanism for delivering initial payloads in phishing attacks, and blocking them from running without explicit consent prevents the PowerShell script from being executed, stopping the attack chain at its source.

Exam trap

EC-Council often tests the distinction between containment/remediation steps and forensic identification steps; the trap here is that candidates choose a reactive measure like blocking IPs or disabling PowerShell instead of identifying the root cause (the macro-enabled document) as the first step in the incident response process.

How to eliminate wrong answers

Option A is wrong because reimaging workstations removes the ransomware but does not identify the initial infection vector; reviewing email logs is a secondary step that can be done without reimaging. Option B is wrong because blocking the external IP address at the firewall prevents further C2 communication but does not identify how the infection started; it is a containment measure, not a forensic step. Option D is wrong because disabling PowerShell across all workstations via Group Policy is overly broad and would break legitimate administrative scripts and automation; it does not address the macro-enabled document that triggered the PowerShell execution.

224
Multi-Selecthard

Which THREE of the following are indicators that a system may be infected with a backdoor Trojan? (Select three)

Select 3 answers
A.Unexpected network traffic on ports typically used for remote administration
B.Persistent high CPU usage by a single process
C.Unauthorized processes running in the background
D.Increased number of DNS queries to known legitimate sites
E.Unusual outbound connections to unknown IP addresses
AnswersA, C, E

Backdoors often use ports like 4444, 1337 for communication.

Why this answer

Backdoor Trojans often cause unusual network connections to unknown IPs, unexpected outbound traffic, and unauthorized processes running. High CPU usage alone could be other malware, but combined with network activity it's indicative.

225
MCQmedium

A security analyst notices that an attacker has gained SYSTEM privileges on a Windows server after compromising a service running as LOCAL SYSTEM. The attacker then uses `whoami /priv` and finds the SeTcbPrivilege (Act as part of the operating system) is enabled. Which privilege escalation technique might the attacker use next?

A.Sticky keys exploit
B.Token impersonation
C.DLL injection
D.Pass-the-hash
AnswerB

SeTcbPrivilege enables token impersonation attacks.

Why this answer

SeTcbPrivilege allows impersonating any user, including SYSTEM. It can be used to execute processes under arbitrary identities, enabling further privilege escalation.

Page 2

Page 3 of 14

Page 4