Certified Ethical Hacker CEH (CEH) — Questions 226300

1010 questions total · 14 pages · All types, answers revealed

Page 4 of 14
226 · MCQ · hard

A security analyst captures network traffic and sees the following: Client sends a SYN, server responds with SYN-ACK, then client sends ACK. Immediately after, the client sends an encrypted payload. This traffic is consistent with which phase of a WPA2 attack?

A. De-authentication attack
B. WPA2 4-way handshake exchange
C. WPS PIN exchange
D. WEP initialization vector capture
Answer: B

The sequence matches the 4-way handshake: the first two messages carry the nonces, the third carries the encrypted GTK, and the fourth is the ACK.

Why this answer

The TCP handshake shown maps onto the 4-way handshake messages: the first two (AP nonce and supplicant nonce) are exchanged, then the third message carries the encrypted GTK, followed by the ACK. The encrypted payload that follows indicates the handshake is complete.

227 · MCQ · medium

In the cloud shared responsibility model, which of the following is typically the responsibility of the customer when using AWS EC2 (IaaS)?

A. Configuring security groups and firewall rules
B. Patching the hypervisor
C. Network infrastructure redundancy
D. Physical security of data centers
Answer: A

Security groups are a customer-configurable virtual firewall.

Why this answer

AWS is responsible for the physical host and network infrastructure; the customer manages the guest OS, applications, and security groups.

228 · Multi-Select · hard

A security analyst is conducting passive reconnaissance on a target organization. Which THREE of the following are examples of passive reconnaissance techniques? (Select 3)

Select 3 answers
A. Performing a WHOIS lookup on the target's domain
B. Querying a public DNS resolver cache for the target's mail server records
C. Running an Nmap SYN scan against the target's web server
D. Banner grabbing with Netcat on port 80
E. Using Google dork queries to find exposed documents
Answers: A, B, E

WHOIS queries use public databases and involve no direct interaction with the target.

Why this answer

WHOIS queries are a classic passive reconnaissance technique because they retrieve publicly registered domain ownership data from WHOIS databases (e.g., registrar, creation date, name servers) without sending any packets directly to the target's infrastructure. This information is stored by third-party registries and is accessible via standard WHOIS protocol (RFC 3912) or web-based lookup tools, making it completely non-intrusive.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance by including techniques that appear passive (like banner grabbing) but actually involve direct interaction with the target's services, leading candidates to mistakenly classify them as passive.

229 · Multi-Select · hard

Which TWO of the following tools are specifically designed for footprinting and reconnaissance tasks? (Select two.)

Select 2 answers
A. Shodan
B. Nmap
C. Maltego
D. Metasploit
E. John the Ripper
Answers: A, C

Shodan is a search engine for internet-connected devices, used for reconnaissance.

Why this answer

Shodan is a search engine specifically designed for footprinting and reconnaissance by scanning and indexing internet-connected devices, such as IoT devices, servers, and industrial control systems. It allows attackers to gather information about open ports, services, and banners without direct interaction with the target, making it a primary tool for passive reconnaissance in the CEH context.

Exam trap

EC-Council often tests the distinction between active and passive reconnaissance tools, and the trap here is that candidates confuse Nmap (active scanning) with footprinting tools, or think Metasploit's auxiliary modules qualify as reconnaissance, when the exam specifically classifies Shodan and Maltego as dedicated footprinting tools.

230 · Multi-Select · hard

Which THREE of the following are common attack vectors against IoT devices? (Choose three.)

Select 3 answers
A. Firmware reversing
B. Container escape
C. SQL injection
D. Default credentials
E. Insecure protocols (e.g., MQTT, CoAP)
Answers: A, D, E

Reverse engineering firmware can reveal vulnerabilities and backdoors.

Why this answer

Default credentials, insecure protocols like MQTT, and firmware reversing are all common IoT attack vectors. SQL injection is more typical for web applications.

231 · Multi-Select · medium

Which TWO of the following are effective mitigations against Cross-Site Request Forgery (CSRF) attacks? (Select 2)

Select 2 answers
A. Setting SameSite cookies to Lax or Strict
B. Input validation
C. Implementing CSRF tokens in forms
D. Using CAPTCHA
E. Using HTTPS only
Answers: A, C

SameSite cookies restrict when cookies are sent with cross-site requests, mitigating CSRF.

Why this answer

CSRF tokens ensure the request originates from the legitimate site; SameSite cookies prevent the browser from sending cookies on cross-site requests.

232 · Multi-Select · hard

Which THREE of the following are techniques used in static malware analysis? (Select 3)

Select 3 answers
A. Inspecting file metadata and properties
B. Capturing network traffic in a sandbox
C. Searching for suspicious strings in the binary
D. Analyzing the file's structure using PEiD
E. Monitoring registry changes during execution
Answers: A, C, D

Inspecting file metadata and properties does not require running the sample, so it is static analysis.

Why this answer

Static analysis examines the binary without executing it. Inspecting file metadata, searching for suspicious strings, and analyzing the file's structure (e.g., using PEiD) are static techniques. Monitoring registry changes and network connections requires execution, which makes them dynamic analysis.

233 · Multi-Select · easy

Which TWO of the following are examples of active reconnaissance? (Select 2)

Select 2 answers
A. Performing a WHOIS lookup
B. Analyzing public social media profiles for employee information
C. Conducting an Nmap SYN scan on the target network
D. Running a Google dork search for sensitive files
E. Using netcat to retrieve a banner from a web server
Answers: C, E

Nmap sends packets directly to the target, making it active.

Why this answer

Option C is correct because an Nmap SYN scan sends raw SYN packets to target ports and analyzes the responses (SYN-ACK for open, RST for closed). This actively probes the target network, generating traffic that can be detected by intrusion detection systems, which is the defining characteristic of active reconnaissance.

Exam trap

The trap here is that candidates often confuse 'publicly available information' (passive) with 'direct interaction' (active), leading them to incorrectly select WHOIS lookups or Google dork searches as active reconnaissance.

234 · Multi-Select · hard

Which THREE of the following are effective DDoS mitigation techniques? (Choose 3)

Select 3 answers
A. MAC address filtering
B. Scrubbing centers
C. Anycast routing
D. Rate limiting
E. Disabling DHCP
Answers: B, C, D

Dedicated infrastructure filters out attack traffic.

Why this answer

Rate limiting restricts traffic per source, scrubbing centers filter malicious traffic, and anycast disperses traffic across multiple nodes to absorb attacks.

235 · Multi-Select · medium

Which THREE of the following are valid techniques in the system hacking methodology (CHPSET)? (Choose three.)

Select 3 answers
A. Privilege escalation
B. Social engineering
C. Erasing tracks
D. Network sniffing
E. Cracking passwords
Answers: A, C, E

Why this answer

Privilege escalation is a core phase in the CEH system hacking methodology (CHPSET), which stands for Cracking, Hacking, Privilege Escalation, System Hacking, Erasing Tracks, and Tunneling. After initial access is gained, an attacker must escalate privileges (e.g., from a standard user to root or SYSTEM) to gain full control over the target system. This is achieved through techniques like exploiting kernel vulnerabilities, token manipulation, or using tools such as Metasploit's getsystem.

Exam trap

The trap here is that candidates often confuse the CHPSET system hacking methodology with the broader ethical hacking phases (reconnaissance, scanning, gaining access, etc.), leading them to incorrectly select social engineering or network sniffing as valid CHPSET steps.

236 · MCQ · easy

Which tool is specifically designed to crack Windows LM and NTLM password hashes using rainbow tables?

A. Hashcat
B. RainbowCrack
C. Ophcrack
D. John the Ripper
Answer: C

Correct. Ophcrack is widely used for cracking Windows hashes with rainbow tables.

Why this answer

Ophcrack is specifically designed to crack Windows LM and NTLM password hashes using precomputed rainbow tables. It leverages the time-memory trade-off technique to rapidly reverse these hashes without brute-forcing each password individually, making it the correct choice for this targeted task.

Exam trap

EC-Council often tests the distinction between tools that use rainbow tables (Ophcrack) versus those that use brute-force or dictionary attacks (Hashcat, John the Ripper), leading candidates to mistakenly choose a general-purpose cracker for a rainbow-table-specific question.

How to eliminate wrong answers

Option A is wrong because Hashcat is a general-purpose password cracker that supports many hash types (including LM/NTLM) but relies on GPU-accelerated brute-force or dictionary attacks, not rainbow tables. Option B is wrong because RainbowCrack is a tool that generates and uses rainbow tables for various hash types, but it is not specifically designed for Windows LM/NTLM hashes; it requires separate table generation or download for those formats. Option D is wrong because John the Ripper is a versatile password cracking tool that uses dictionary, brute-force, and incremental modes, but it does not natively use rainbow tables for LM/NTLM cracking.

237 · MCQ · easy

During a security assessment, a tester uses Maltego to gather information about a target organization. Which type of reconnaissance is being performed?

A. Passive reconnaissance
B. Active reconnaissance
C. Vulnerability scanning
D. Social engineering
Answer: A

Maltego gathers data from public sources (DNS, social media, etc.) without contacting the target, making it passive.

Why this answer

Maltego is a tool that collects publicly available information from sources like DNS records, WHOIS databases, and social media without directly interacting with the target's systems. This aligns with passive reconnaissance, which relies on open-source intelligence (OSINT) and does not send any packets to the target's network. The CEH defines passive reconnaissance as gathering information without engaging the target, making option A correct.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance by presenting tools like Maltego or theHarvester as passive, while candidates mistakenly classify them as active due to the tool's interactive GUI or data aggregation features.

How to eliminate wrong answers

Option B is wrong because active reconnaissance involves direct interaction with the target's systems (e.g., sending probes, port scans, or vulnerability scans), which Maltego does not do by default. Option C is wrong because vulnerability scanning is a form of active reconnaissance that uses tools like Nessus or OpenVAS to identify weaknesses by sending malicious payloads, not OSINT gathering. Option D is wrong because social engineering involves manipulating people to divulge confidential information (e.g., phishing calls or pretexting), which is a separate attack vector not performed by Maltego's automated data mining.

238 · MCQ · easy

Which of the following cryptographic algorithms is classified as asymmetric?

A. RC4
B. 3DES
C. RSA
D. AES
Answer: C

RSA is asymmetric, using public/private key pairs.

Why this answer

Asymmetric cryptography uses key pairs (public and private). RSA is a well-known asymmetric algorithm. AES, 3DES, and RC4 are symmetric algorithms.

239 · MCQ · hard

You are a penetration tester hired to perform a security assessment for a medium-sized e-commerce company, "ShopSmart". The company hosts its website on a shared hosting environment and uses a third-party payment gateway. Your goal is to gather as much information as possible without triggering any alarms. During the initial footprinting, you discover that the company's domain "shopsmart.com" was registered five years ago and the WHOIS record shows the registrant's name, address, phone number, and email. The email address is "admin@shopsmart.com". You also find a job posting on LinkedIn that mentions they are looking for a "Senior PHP Developer with experience in Laravel and MySQL". Additionally, by using the Wayback Machine, you find an old version of the site that includes a comment in the HTML source: "<!-- TODO: Remove debug page before launch: /dev/test.php -->". You attempt to access /dev/test.php but receive a 404 error. What should you do NEXT to maximize information gain while remaining passive?

A. Use Google dorking with site:shopsmart.com and filetype:php to find cached or indexed pages
B. Run a whois lookup on the IP address of the shared host
C. Try common file extensions for the debug page: test.asp, test.aspx, test.jsp
D. Perform a DNS brute force to find subdomains
Answer: A

A search-engine query is passive: it reaches only the search engine's index, not the target.

Why this answer

Option A is correct because Google dorking with `site:shopsmart.com filetype:php` is a passive reconnaissance technique that leverages cached or indexed pages in Google’s search engine. This can reveal the old `/dev/test.php` page or other PHP files that may still be accessible via cached content, even if the live server returns a 404. It maximizes information gain without sending any direct traffic to the target, thus avoiding alarms.

Exam trap

EC-Council often tests the distinction between passive and active reconnaissance; the trap here is that candidates may choose an active option like DNS brute force or file extension guessing because it seems more direct, but the question explicitly requires remaining passive to avoid triggering alarms.

How to eliminate wrong answers

Option B is wrong because running a whois lookup on the IP address of the shared host will only reveal the hosting provider’s information, not the target company’s specific details, and it does not help locate the debug page or other hidden resources. Option C is wrong because trying common file extensions (test.asp, test.aspx, test.jsp) is an active probing technique that sends requests to the server, potentially triggering alarms, and it assumes the debug page uses a different technology stack than the PHP/Laravel environment indicated by the job posting. Option D is wrong because performing a DNS brute force to find subdomains is an active reconnaissance method that generates DNS queries, which can be logged by the target’s DNS server or security monitoring tools, and it does not directly help recover the specific `/dev/test.php` page.

240 · MCQ · medium

During a system hacking phase, a tester successfully gains access to a Windows machine and wants to hide a malicious executable. Which of the following techniques is MOST effective for hiding files from standard directory listings without using third-party tools?

A. Use the `attrib +h +s` command to set hidden and system attributes
B. Rename the file to a system filename like svchost.exe and place it in C:\Windows\System32
C. Encrypt the file using EFS
D. Store the executable in an Alternate Data Stream (ADS)
Answer: A

This hides the file from `dir` unless the `/a` switch is used, making it effectively invisible to most users.

Why this answer

The `attrib +h +s` command sets both the hidden and system file attributes, which by default causes Windows Explorer and standard `dir` commands to omit the file from directory listings. This is a built-in, native technique that requires no third-party tools and is effective for basic concealment from casual inspection.

Exam trap

The trap here is that candidates may overthink and choose ADS (Option D) as a more 'advanced' hiding technique, but the question explicitly requires no third-party tools and ADS creation typically requires additional commands or tools, whereas `attrib` is a simple, built-in command that directly achieves the goal.

How to eliminate wrong answers

Option B is wrong because simply renaming a file to svchost.exe and placing it in C:\Windows\System32 does not hide it from directory listings; it remains visible unless its attributes are changed, and it may be flagged by security tools due to behavioral anomalies. Option C is wrong because Encrypting File System (EFS) encrypts the file content but does not hide the file from directory listings; the filename remains visible. Option D is wrong because while Alternate Data Streams (ADS) can hide data within a file, they require third-party tools or specific commands (e.g., `type` with redirection) to create and access, and the host file itself is still visible in directory listings.

241 · MCQ · medium

A security administrator notices repeated failed login attempts from a single IP address targeting the SSH service. The attempts use common usernames (root, admin, test) and a list of passwords from a dictionary. What type of password attack is being conducted?

A. Rainbow table attack
B. Dictionary attack
C. Hybrid attack
D. Brute-force attack
Answer: B

Using a list of common passwords against usernames is a dictionary attack.

Why this answer

This is a dictionary attack because the attacker uses a predefined list of common usernames and passwords (a dictionary) against the SSH service. Unlike a brute-force attack that tries all possible combinations, a dictionary attack only tests likely entries from a wordlist, making it faster but limited to the dictionary's contents.

Exam trap

The trap here is confusing a dictionary attack with a brute-force attack; CEH emphasizes that a dictionary attack uses a wordlist of likely passwords, while a brute-force attack exhaustively tries all possible character combinations, regardless of likelihood.

How to eliminate wrong answers

Option A is wrong because a rainbow table attack uses precomputed hash chains to reverse hashes, not live login attempts with plaintext passwords. Option C is wrong because a hybrid attack combines dictionary words with modifications (e.g., appending numbers or symbols), but the scenario describes only a static list of passwords without any mutation. Option D is wrong because a brute-force attack systematically tries every possible character combination (e.g., aaa, aab, aac), which is far more exhaustive and computationally expensive than using a predefined wordlist.

242 · MCQ · medium

During a penetration test, a tester captures the WPA2 4-way handshake with airodump-ng and then uses aircrack-ng with a wordlist. However, the PSK is not found. Which of the following is the MOST likely reason?

A. Aircrack-ng does not support WPA2 cracking
B. The handshake was not captured correctly
C. The wordlist does not contain the PSK
D. The network uses WPA3 instead of WPA2
Answer: C

Dictionary attacks only succeed if the password is in the wordlist.

Why this answer

If the PSK is not in the wordlist, the dictionary attack will fail. The other steps (handshake capture, running the cracker) were performed correctly.

243 · MCQ · medium

A security analyst observes a sudden flood of ICMP echo request packets from multiple external IPs to a single internal server. The packets have varying sizes and spoofed source addresses. Which type of attack is MOST likely occurring?

A. Ping of Death
B. ICMP flood
C. Smurf attack
D. SYN flood
Answer: B

Multiple sources sending ICMP echo requests with spoofed IPs is a classic ICMP flood, a volumetric DoS.

Why this answer

A distributed ICMP flood (ping flood) uses multiple sources to overwhelm a target with ICMP echo requests. Spoofed source addresses and varying packet sizes are common characteristics.

244 · MCQ · easy

You are a security analyst for a medium-sized e-commerce company. The company hosts its web application on a single server running Apache on Ubuntu. Recently, the operations team noticed that the server's CPU usage spikes to 100% every few minutes, causing the website to become unresponsive. They have ruled out hardware issues. The web server logs show repeated requests to the same URL with varying parameters, such as /product?id=1, /product?id=2, etc., all originating from a single IP address. Each request returns a 200 OK response, but the server takes several seconds to generate the page. The application uses a relational database backend with an ORM. You suspect an attack is occurring. What is the most likely attack and the best immediate course of action?

A. Implement rate limiting on the /product endpoint
B. Block the IP address of the attacker at the firewall
C. Install a web application firewall (WAF) to detect and block malicious requests
D. Apply input validation to ensure product IDs are positive integers
Answer: B

Blocking the single source IP immediately stops the attack; further analysis can be done later.

Why this answer

The attack is a resource exhaustion or application-layer DoS attack, where repeated requests to a database-backed endpoint (e.g., /product?id=1, /product?id=2) cause high CPU usage due to expensive ORM queries. The immediate best course is to block the single attacking IP at the firewall, as it stops the malicious traffic at the network perimeter with minimal overhead, preserving server resources for legitimate users.

Exam trap

EC-Council often tests the distinction between immediate containment (blocking the IP) and long-term hardening (WAF, rate limiting, input validation), and the trap here is that candidates choose a more 'secure' but slower solution like a WAF or input validation, missing the urgency of stopping the active attack first.

How to eliminate wrong answers

Option A is wrong because rate limiting on the /product endpoint would still allow the attacker to consume resources before being throttled, and it does not address the immediate CPU spike; it is a longer-term mitigation. Option C is wrong because installing a WAF is a proactive measure that requires configuration and tuning, not an immediate action to stop an ongoing attack; it also may not block a simple repeated-request pattern without specific rules. Option D is wrong because input validation to ensure product IDs are positive integers would not prevent the attack—the requests already use valid positive integers (1, 2, etc.)—and the issue is the volume of requests, not the parameter values.

245 · MCQ · medium

Refer to the exhibit. An Nmap scan shows that port 80 is 'filtered' while ports 22 and 443 are 'open'. What does the 'filtered' state indicate?

A. The port is closed and the target sent a RST packet.
B. The port is open but the service is not responding to the scan.
C. The port is open but Nmap cannot determine the service.
D. A firewall, router rule, or host-based firewall is blocking the probes.
Answer: D

Filtered indicates that probes are being dropped or blocked.

Why this answer

When Nmap reports a port as 'filtered', it means that the scan probes (e.g., SYN packets) were dropped or blocked before reaching the target service, typically by a firewall, router ACL, or host-based firewall. Unlike 'open' (which receives a SYN/ACK) or 'closed' (which receives a RST), 'filtered' indicates no response or an ICMP unreachable message, so Nmap cannot confirm whether the port is actually open or closed.

Exam trap

The trap here is that candidates often confuse 'filtered' with 'closed' or 'open', not realizing that 'filtered' specifically indicates a firewall or ACL is interfering with the probe, not the state of the service itself.

How to eliminate wrong answers

Option A is wrong because a closed port sends a RST packet in response to a SYN scan, which Nmap reports as 'closed', not 'filtered'. Option B is wrong because if a port is open but the service is not responding, Nmap would still receive a SYN/ACK from the TCP stack (since the OS handles the handshake), and the port would be reported as 'open' unless a firewall interferes. Option C is wrong because Nmap can determine the service on an open port via service version detection (-sV); 'filtered' does not relate to service identification failure.

246 · MCQ · medium

A security team detects a large number of UDP packets from multiple sources directed at a single server's DNS port (53). The packets appear to have a spoofed source IP of the target. Which type of DDoS attack is being observed?

A. DNS amplification
B. UDP flood
C. SYN flood
D. ICMP flood
Answer: A

Attackers send small queries with spoofed source IP to open DNS resolvers, which reply with large responses to the victim.

Why this answer

A DNS amplification attack uses open DNS resolvers to send large responses to a spoofed victim IP, amplifying traffic. The characteristics include UDP, port 53, spoofed source, and many sources (amplifiers).

247 · Multi-Select · easy

Which TWO of the following are asymmetric encryption algorithms? (Choose two.)

Select 2 answers
A. 3DES
B. ECC
C. SHA-256
D. RSA
E. AES
Answers: B, D

ECC (Elliptic Curve Cryptography) is asymmetric.

Why this answer

RSA and ECC are asymmetric algorithms. AES and 3DES are symmetric. SHA-256 is a hash function.

248 · Matching · medium

Match each wireless attack to its description.

Matches

Exploiting weak encryption in older Wi-Fi

Rogue access point mimicking a legitimate one

Forcing clients to disconnect from AP

Intercepting the 4-way handshake for cracking

Unauthorized access to Bluetooth devices

Why these pairings

These attacks target wireless networks and devices.

249 · MCQ · medium

Which tool would an analyst use to capture packets from a network interface and later analyze the pcap file for signs of an attack?

A. Ettercap
B. tcpdump
C. Wireshark
D. Nmap
Answer: C

Wireshark captures and analyzes packets.

Why this answer

Wireshark is the standard tool for capturing and analyzing network packets in pcap format.

250 · MCQ · easy

During a penetration test, you receive a list of password hashes from a Windows server. Which of the following tools would be BEST suited to perform a dictionary attack against these hashes?

A. Nmap
B. John the Ripper
C. Wireshark
D. Metasploit
Answer: B

John the Ripper is designed for password cracking.

Why this answer

John the Ripper is a dedicated password cracking tool that supports dictionary attacks against various hash types, including Windows NTLM hashes. It takes the list of hashes and compares them against a wordlist of candidate passwords, making it the best choice for this task.

Exam trap

EC-Council often tests the distinction between tools that capture hashes (like Metasploit's hashdump) versus tools that crack them (like John the Ripper), leading candidates to mistakenly choose Metasploit for the cracking phase.

How to eliminate wrong answers

Option A is wrong because Nmap is a network scanning tool used for port discovery and service enumeration, not for cracking password hashes. Option C is wrong because Wireshark is a packet analyzer used for network traffic inspection, not for offline hash cracking. Option D is wrong because Metasploit is an exploitation framework; while it can capture hashes via modules like psexec or hashdump, it is not designed for performing dictionary attacks against already-obtained hashes.

251 · MCQ · hard

A Linux system has a script named 'backup' owned by root with the SUID bit set and world-executable permissions. A standard user executes the script and discovers it runs a command that reads /etc/shadow and writes output to a world-readable file. What is the most likely intended exploitation path?

A. GUID abuse
B. LD_PRELOAD injection
C. SUID abuse to read sensitive files
D. Token impersonation
Answer: C

The SUID bit makes the script run as root, so it can read /etc/shadow; a standard user can abuse this to obtain the password hashes.

Why this answer

Option C is correct because the SUID bit on the 'backup' script, owned by root and world-executable, allows any user to execute it with root privileges. If the script reads /etc/shadow (which is normally root-only) and writes the output to a world-readable file, an attacker can exploit this to exfiltrate password hashes. This is a classic SUID abuse scenario where a privileged binary or script is used to access sensitive files.

Exam trap

The trap here is that candidates may confuse SUID with SGID or think LD_PRELOAD works on scripts, but the key is recognizing that SUID on a root-owned executable enables privilege escalation to read /etc/shadow, while LD_PRELOAD only applies to dynamically linked binaries, not scripts.

How to eliminate wrong answers

Option A is wrong because GUID (Group ID) abuse would involve the SGID bit, which grants group-level privileges, not root-level access to /etc/shadow; the question specifies the SUID bit, not SGID. Option B is wrong because LD_PRELOAD injection requires the attacker to control environment variables and the target binary to be dynamically linked, but a script (not a compiled binary) does not honor LD_PRELOAD; it runs via an interpreter like bash, which ignores such environment overrides. Option D is wrong because token impersonation is a Windows-specific attack involving access tokens (e.g., SeImpersonatePrivilege), not applicable to Linux systems.

252 · MCQ · medium

A penetration tester runs the following command against a target Linux server: `smbclient -L 192.168.1.10 -N`. The output lists several shares including 'Admin$', 'C$', and 'IPC$'. Which of the following is the MOST likely next step for further enumeration?

A. Use enum4linux -a 192.168.1.10 to enumerate users and policies
B. Attempt to crack the administrator password using a dictionary attack
C. Perform a port scan to check for open ports
D. Run snmpwalk to retrieve SNMP community strings
Answer: A

enum4linux is a tool for SMB enumeration; -a runs all enumeration options, which is appropriate after discovering shares.

Why this answer

The `smbclient -L` command with the `-N` flag (null session) successfully lists SMB shares on the target, including administrative shares like `Admin$`, `C$`, and `IPC$`. This indicates that null session authentication is enabled, which is a classic entry point for SMB enumeration. The most logical next step is to use `enum4linux -a` to extract detailed information such as user lists, group policies, and share permissions, leveraging the same null session to deepen the enumeration without yet attempting password attacks.

Exam trap

The trap here is that candidates often jump to password cracking (Option B) or port scanning (Option C) because they assume administrative shares require credentials, but the question tests the understanding that null sessions allow further enumeration without authentication, making `enum4linux` the correct next step.

How to eliminate wrong answers

Option B is wrong because attempting a dictionary attack on the administrator password is premature at this stage; the penetration tester has not yet identified valid usernames or password policies, and null session enumeration should be exhausted first. Option C is wrong because a port scan was already implicitly performed (the tester knew to target SMB on port 445/139), and further port scanning would not leverage the null session access already obtained. Option D is wrong because `snmpwalk` is used to query SNMP MIB data, which requires SNMP community strings and is unrelated to SMB null session enumeration; it would be a separate reconnaissance step, not the immediate next step.

253 · Multi-Select · medium

Which TWO of the following tools are used for password cracking?

Select 2 answers
A. Wireshark
B. Hashcat
C. John the Ripper
D. Snmpwalk
E. Nmap
Answers: B, C

Hashcat is a GPU-accelerated password cracker.

Why this answer

Options B and C are correct. Hashcat and John the Ripper are well-known password cracking tools.

254 · MCQ · hard

You are the lead security engineer for a financial technology company that hosts a critical web application on three load-balanced servers behind a reverse proxy. The application uses a REST API to process transactions. Recently, the company has experienced intermittent service outages during peak hours. Upon reviewing logs, you find that the reverse proxy is returning HTTP 503 errors for legitimate API requests, and the application servers show high CPU usage but normal memory. The network team reports no bandwidth issues. The application team claims no code changes were made. You suspect a specific type of attack is causing the outages. Which action should you take first to confirm the attack type?

A.Configure the firewall to block all incoming traffic from the IPs that appear most frequently in logs.
B.Analyze the incoming request patterns in the reverse proxy logs to identify if there is a high volume of requests to a specific API endpoint.
C.Increase the number of application servers to handle the load.
D.Run a SQL injection scanner on the application.
AnswerB

This can confirm a Layer 7 DDoS attack targeting a specific endpoint.

Why this answer

Option B is correct because the symptoms (HTTP 503 errors, high CPU usage on the application servers, normal memory, and no bandwidth issues) strongly suggest a Layer 7 DDoS attack, specifically an HTTP flood targeting a resource-intensive API endpoint. By analyzing the reverse proxy logs for a high volume of requests to a specific endpoint, you can confirm the attack type (e.g., a Slowloris or GET flood) before taking mitigation steps. This aligns with the CEH methodology of first identifying the attack vector through log analysis.

Exam trap

The trap here is that candidates often jump to blocking IPs (Option A) or scaling horizontally (Option C) as immediate fixes, but the CEH exam emphasizes first confirming the attack vector through log analysis rather than taking reactive or misdirected actions.

How to eliminate wrong answers

Option A is wrong because blocking IPs from logs without analyzing request patterns may block legitimate users behind NAT or proxies, and it does not confirm the attack type; it is a reactive measure that could worsen the outages. Option C is wrong because adding servers treats the symptom (high CPU) without confirming the attack; it may be ineffective if the attack is a slow-rate DDoS or an application-layer flaw, and it does not help identify the root cause. Option D is wrong because SQL injection scanners test for injection vulnerabilities, but the symptoms (503 errors, high CPU, no code changes) point to a volumetric or resource-exhaustion attack, not a database injection.

255
MCQ · medium

An ethical hacker is analyzing a piece of malware that uses a custom encryption algorithm. The malware sample contains a hardcoded key that is 16 bytes long. The analyst observes that the encrypted data is the same length as the plaintext. Which encryption mode is most likely being used?

A. GCM
B. CFB
C. ECB
D. CBC
Answer: C

ECB encrypts each block independently; no IV, no expansion beyond padding.

Why this answer

ECB (Electronic Codebook) mode encrypts each block of plaintext independently using the same key, so the ciphertext length equals the plaintext length (assuming the plaintext is an exact multiple of the block size, so no padding is needed). The hardcoded 16-byte key and identical input/output lengths strongly suggest ECB, as the other modes typically add an IV or an authentication tag, altering the output length.

Exam trap

The trap here is that candidates often forget that ECB does not use an IV or authentication tag, so they incorrectly assume all block cipher modes add overhead, leading them to choose CBC or GCM despite the length constraint.

How to eliminate wrong answers

Option A (GCM) is wrong because GCM produces an authentication tag (usually 16 bytes) in addition to ciphertext, making the output longer than the plaintext. Option B (CFB) is wrong because CFB is a stream cipher mode that requires an IV (initialization vector), which would add extra bytes to the output or be transmitted separately, contradicting the identical length observation. Option D (CBC) is wrong because CBC requires an IV (typically 16 bytes for AES) that must be included with the ciphertext, increasing the total output length beyond the plaintext length.

256
Multi-Select · medium

A penetration tester uses Burp Suite to intercept and modify web traffic. Which TWO features in Burp Suite would be MOST useful for performing a brute-force attack on a login form? (Choose TWO.)

Select 2 answers
A. Burp Scanner
B. Burp Proxy
C. Burp Decoder
D. Burp Intruder
E. Burp Repeater
Answers: B, D

Proxy captures the login request, which can then be sent to Intruder.

Why this answer

Intruder is designed for automated brute-forcing with payloads. Proxy allows interception and manipulation of requests before sending to Intruder. Repeater is for manual requests, not automated attacks.

Scanner is for vulnerability scanning, not brute-forcing.

257
MCQ · medium

Which of the following attacks is characterized by an attacker placing a fake wireless access point with the same SSID as a legitimate network to capture client credentials?

A. De-authentication attack
B. Evil twin attack
C. WPS PIN brute force attack
D. Replay attack
Answer: B

An evil twin is a rogue AP that mimics a legitimate one to trick users into connecting.

Why this answer

An evil twin attack involves setting up a rogue access point that mimics a legitimate SSID to intercept traffic and capture credentials.

258
Multi-Select · medium

Which TWO of the following are valid enumeration techniques? (Select 2)

Select 2 answers
A. LDAP enumeration
B. NetBIOS enumeration using nbtstat
C. ARP poisoning
D. DNS cache poisoning
E. ICMP flooding
Answers: A, B

LDAP enumeration queries directory services.

Why this answer

LDAP enumeration is a valid enumeration technique because it involves querying a Lightweight Directory Access Protocol (LDAP) service to extract information about users, groups, computers, and other objects from a directory service such as Microsoft Active Directory. Attackers use tools such as ldapsearch or ADExplorer to browse the directory tree, either anonymously or with valid credentials, revealing usernames, group memberships, and organizational units, which are critical for planning further attacks.

Exam trap

EC-Council often tests the distinction between active reconnaissance techniques (like enumeration) and attack techniques (like ARP poisoning or DoS), so candidates mistakenly select options that are network attacks rather than information-gathering methods.

259
MCQ · medium

An attacker uses Reaver against a Wi-Fi network. What vulnerability is the attacker primarily exploiting?

A. Weak WPA2 passphrase
B. WPS PIN vulnerability
C. Deauthentication attack
D. IV weakness in WEP
Answer: B

Correct: Reaver attacks the WPS PIN to crack the network.

Why this answer

Reaver is designed to exploit the WPS PIN brute-force vulnerability, where an attacker can recover the WPS PIN and then derive the WPA/WPA2 PSK.

260
MCQ · easy

Which type of malware is designed to encrypt files on a victim's system and demand payment for the decryption key?

A. Spyware
B. Adware
C. Keylogger
D. Ransomware
Answer: D

Ransomware encrypts files and demands ransom.

Why this answer

Ransomware encrypts files and demands ransom, typically in cryptocurrency.

261
Multi-Select · medium

Which TWO of the following are techniques used in session hijacking attacks? (Choose two.)

Select 2 answers
A. TCP sequence prediction
B. MAC flooding
C. Cookie theft
D. DNS spoofing
E. ARP poisoning
Answers: A, C

Attackers can predict sequence numbers to hijack a TCP session.

Why this answer

TCP sequence prediction is a core technique in session hijacking where an attacker predicts or sniffs the TCP sequence numbers used by the client and server to inject forged packets and take over an established TCP session. By correctly guessing the next sequence number, the attacker can spoof the client's IP address and send malicious commands that the server accepts as legitimate traffic.

Exam trap

The trap here is confusing network-level attacks like ARP poisoning or DNS spoofing with session hijacking, which specifically requires taking over an authenticated session by manipulating TCP sequence numbers or stealing session tokens.

262
Multi-Select · hard

Which THREE of the following are characteristics of a DNS amplification DDoS attack? (Select three.)

Select 3 answers
A. Spoofs the source IP address of the victim
B. Amplifies traffic by sending small queries that generate large responses
C. Uses open DNS resolvers
D. Exploits the TCP handshake process
E. Floods the target with small ICMP packets
Answers: A, B, C

Queries are sent with the victim's IP as source so responses go to victim.

Why this answer

DNS amplification uses open DNS resolvers, spoofs the victim's IP, and exploits small queries to generate large responses, thereby amplifying traffic.

263
Multi-Select · medium

During a web application test, the tester finds that the application includes user-supplied file names in include() statements. Which TWO of the following are indicators of a Remote File Inclusion (RFI) vulnerability? (Choose TWO.)

Select 2 answers
A. The application includes files from http://attacker.com/shell.txt
B. The application includes files with '..' and '/' sequences
C. The application includes /etc/passwd in the response
D. The application includes files with .inc extension
E. The application allows inclusion of files from external FTP servers
Answers: A, E

Inclusion of a remote URL indicates RFI.

Why this answer

RFI allows inclusion of remote files via HTTP/HTTPS URLs. Directory traversal with ../ is more typical of LFI. Inclusion of local files like /etc/passwd indicates LFI, not RFI.

264
MCQ · medium

An incident responder notices unusual outbound traffic from a host that is communicating with an external IP on port 4444. The traffic appears to be encrypted. Which tool could be used to initiate a connection to that external IP to gather a banner for service identification?

A. traceroute
B. nslookup
C. Telnet
D. ping
Answer: C

Telnet can connect to a TCP port and often receives a banner.

Why this answer

Telnet can be used to connect to any TCP port, including port 4444, to manually interact with a service and retrieve its banner. Banners often reveal the service name, version, and other identifying information, which is critical for footprinting and reconnaissance. Even though the traffic is encrypted, the initial banner may be sent in cleartext before encryption begins, or the connection attempt itself can reveal the service type.

Exam trap

EC-Council often tests the misconception that Telnet is only for remote terminal access on port 23, but the exam expects you to know Telnet can connect to any TCP port for banner grabbing.

How to eliminate wrong answers

Option A is wrong because traceroute is used to map the network path to a destination by manipulating TTL values, not to connect to a specific port or retrieve a banner. Option B is wrong because nslookup is a DNS query tool used to resolve domain names to IP addresses or query DNS records; it cannot establish a TCP connection to a port. Option D is wrong because ping uses ICMP Echo Request/Reply messages and operates at the network layer; it cannot connect to a TCP port or retrieve application-layer banners.

265
MCQ · easy

Which type of malware is characterized by being able to change its code signature each time it replicates to evade signature-based detection?

A. Boot sector virus
B. Polymorphic virus
C. Macro virus
D. Worm
Answer: B

Polymorphic viruses change their code to evade signature detection.

Why this answer

Polymorphic viruses change their code signature (using mutation engines) each replication to avoid detection.

266
Multi-Select · hard

Which THREE of the following are cryptanalysis attacks that target hash functions? (Choose three.)

Select 3 answers
A. Man-in-the-middle attack
B. Preimage attack
C. Collision attack
D. Birthday attack
E. Dictionary attack
Answers: B, C, D

Preimage attack finds an input that hashes to a specific hash value.

Why this answer

A birthday attack exploits hash collisions, a preimage attack finds an input that hashes to a given output, and a collision attack finds two inputs with the same hash. Man-in-the-middle is not specific to hash functions, and a dictionary attack is a password cracking technique, not pure cryptanalysis.

267
MCQ · medium

During a penetration test, you execute `theHarvester -d example.com -b google,linkedin`. What type of data is this tool primarily designed to collect?

A. Password hashes and user credentials from compromised databases
B. Email addresses, subdomains, and employee names from public sources
C. DNS zone transfer information and TXT records
D. Vulnerability scan results from Nessus and OpenVAS
Answer: B

theHarvester uses search engines and social networks to find email addresses, subdomains, and other OSINT data.

Why this answer

theHarvester is an open-source intelligence (OSINT) tool designed to gather publicly available information from search engines, PGP key servers, and social platforms. The command `-d example.com -b google,linkedin` instructs it to scrape Google and LinkedIn for email addresses, subdomains, and employee names associated with the target domain, which are classic footprinting data used in reconnaissance.

Exam trap

The trap here is that candidates confuse theHarvester's passive OSINT collection with active reconnaissance tools like `dnsrecon` (for zone transfers) or `nmap` (for vulnerability scanning), leading them to select options C or D.

How to eliminate wrong answers

Option A is wrong because theHarvester does not query compromised databases or extract password hashes; that is the domain of tools like Have I Been Pwned or hashcat. Option C is wrong because DNS zone transfer information and TXT records are obtained via `dig` or `nslookup` with specific query types (AXFR, TXT), not through search engine scraping. Option D is wrong because vulnerability scan results from Nessus and OpenVAS are generated by active scanning tools, not by passive OSINT collection performed by theHarvester.

268
MCQ · easy

In the shared responsibility model for cloud computing, which of the following is typically the customer's responsibility?

A. Physical security of data centers
B. Hypervisor security
C. Network infrastructure security
D. Configuration of IAM roles and permissions
Answer: D

Customers manage their own IAM settings.

Why this answer

The customer is responsible for security IN the cloud, including configuring IAM policies, encryption, and access controls.

269
MCQ · medium

A web application allows users to upload profile pictures. An attacker uploads a file named "profile.php" containing malicious PHP code. When the attacker visits the uploaded file's URL, the code executes. Which vulnerability is being exploited?

A. Directory traversal
B. Command injection
C. File upload vulnerability
D. Stored XSS
Answer: C

The attacker uploaded a malicious PHP file that executes, indicating a file upload vulnerability.

Why this answer

The application fails to validate the file type or restrict execution, allowing a malicious PHP file to be uploaded and executed on the server, which is a classic file upload vulnerability leading to remote code execution.

270
MCQ · medium

A security analyst is performing reconnaissance on a target domain and wants to discover all subdomains using DNS enumeration. Which of the following commands would be MOST effective for performing a DNS zone transfer attempt?

A. `dig example.com ANY`
B. `nslookup -type=ns example.com`
C. `theHarvester -d example.com -l 500 -b google`
D. `dnsrecon -d example.com -t axfr`
Answer: D

`dnsrecon` with `-t axfr` specifically attempts a zone transfer. `dig` is also commonly used for this, but among the listed options only the dnsrecon command actually requests a zone transfer.

Why this answer

Option D is correct because the `-t axfr` flag in `dnsrecon` specifically attempts a DNS zone transfer (AXFR query) against the target domain's authoritative nameservers. A successful zone transfer returns all DNS records, including all subdomains, making it the most direct and effective method for subdomain enumeration via DNS zone transfer.

Exam trap

The trap here is that candidates often confuse general DNS queries (like `dig ANY` or `nslookup -type=ns`) with the specific zone transfer request (AXFR), assuming any DNS enumeration command can retrieve the full zone file.

How to eliminate wrong answers

Option A is wrong because `dig example.com ANY` queries for all record types but does not attempt a zone transfer; it only returns cached or non-authoritative data, not the full zone. Option B is wrong because `nslookup -type=ns example.com` only retrieves the nameserver records for the domain, not the entire zone file; it does not perform a zone transfer. Option C is wrong because `theHarvester -d example.com -l 500 -b google` uses search engines (Google) to gather subdomains via public sources, not DNS zone transfer; it relies on passive reconnaissance rather than direct DNS enumeration.

271
MCQ · medium

A penetration tester runs the following Nmap command: `nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24`. Which of the following BEST describes what this scan will accomplish?

A. Perform a UDP scan on the four specified ports and identify running services
B. Perform an aggressive scan of all open ports and enumerate SMB shares
C. Perform a TCP SYN scan on four ports, detect service versions, and attempt OS fingerprinting
D. Perform a full TCP connect scan with UDP service detection on all ports
Answer: C

-sS = SYN/stealth scan, -sV = version detection, -O = OS fingerprinting, -p 22,80,443,3389 = scan only these four ports. This is a targeted reconnaissance scan.

Why this answer

Option C is correct because the command uses the -sS flag for a TCP SYN scan (stealth scan), -sV for service version detection, and -O for OS fingerprinting, targeting only the four specified ports (22, 80, 443, 3389) across the 192.168.1.0/24 subnet. This combination performs a half-open TCP scan on those ports, probes open ports to identify service versions, and attempts to determine the operating system based on TCP/IP stack responses.

Exam trap

The trap here is that candidates often confuse -sS (SYN scan) with -sT (TCP connect scan) or -sU (UDP scan), and they may incorrectly assume that -sV and -O automatically scan all ports or perform additional enumeration such as SMB share enumeration, when in fact the port range is explicitly limited by the -p option.

How to eliminate wrong answers

Option A is wrong because -sS specifies a TCP SYN scan, not a UDP scan; a UDP scan would use -sU, and the command does not include that flag. Option B is wrong because while -sV and -O make the scan somewhat aggressive, the command does not enumerate SMB shares (which would require scripts like smb-enum-shares via -sC or --script), and it only scans four specific ports, not all open ports. Option D is wrong because -sS is a SYN scan, not a full TCP connect scan (which would use -sT), and there is no UDP service detection (which would require -sU); also, the scan is limited to four ports, not all ports.

272
MCQ · medium

During footprinting, a tester finds that the target's DNS server allows recursive queries from the internet. What is the MOST significant security implication of this finding?

A. Unauthorized zone transfers are possible
B. The DNS server can be used for denial of service (amplification)
C. The DNS cache can be poisoned easily
D. The DNS server can be used for denial of service
Answer: D

Open recursion enables amplification DDoS.

Why this answer

Option D is correct because a DNS server that allows recursive queries from the internet can be exploited in a DNS amplification attack, a type of denial-of-service (DoS) attack. The attacker sends a small query with a spoofed source IP (the victim's IP) to the open recursive resolver, which responds with a much larger response (e.g., using the ANY record type), amplifying traffic up to 50-100 times. This floods the victim's network, making the DNS server an unwitting participant in the attack.

Exam trap

The trap here is that candidates confuse 'recursive queries' with 'zone transfers' or 'cache poisoning,' but the CEH exam specifically tests that open recursive resolvers are most critically used for DNS amplification DoS attacks, not for other DNS misconfigurations.

How to eliminate wrong answers

Option A is wrong because unauthorized zone transfers are a risk of misconfigured zone transfer permissions (e.g., allowing AXFR from any host), not directly caused by allowing recursive queries; recursive queries and zone transfers are separate DNS operations. Option B is wrong because it is essentially the same as option D but less precise: the specific attack is a DNS amplification DoS, not just any DoS, and the term 'denial of service (amplification)' is redundant and not the standard CEH phrasing; the correct answer is simply 'denial of service' as per CEH terminology. Option C is wrong because DNS cache poisoning (e.g., via the Kaminsky attack) exploits vulnerabilities in query ID prediction or the lack of DNSSEC, not the mere allowance of recursive queries; recursive resolution is a prerequisite for cache poisoning but not the most significant implication, since amplification is more directly impactful and more commonly tested.

273
MCQ · medium

An attacker attempts to enumerate valid email users by connecting to an SMTP server and issuing the following commands: `EHLO example.com`, `VRFY root`, `VRFY admin`, `VRFY user1`. Which SMTP enumeration technique is being used?

A. RCPT TO
B. MAIL FROM
C. EXPN
D. VRFY
Answer: D

VRFY asks the server to verify a mailbox name.

Why this answer

Option D is correct because the VRFY command is specifically designed to verify whether a mailbox exists on an SMTP server. By issuing VRFY followed by usernames (root, admin, user1), the attacker can enumerate valid email users based on the server's responses (e.g., 250 or 251 for valid, 550 for invalid). This is a classic SMTP user enumeration technique.

Exam trap

The trap here is that candidates confuse VRFY with EXPN, thinking both verify users, but EXPN expands aliases/groups while VRFY checks individual mailboxes.

How to eliminate wrong answers

Option A is wrong because RCPT TO is used to specify a recipient for a mail message during the SMTP DATA phase, not to verify user existence in isolation; it can be used for enumeration but requires a MAIL FROM first and is not the command shown. Option B is wrong because MAIL FROM identifies the sender of an email, not the recipient, and does not directly enumerate users. Option C is wrong because EXPN expands a mailing list or alias, returning membership details, not verifying individual user accounts like VRFY does.

274
Multi-Select · medium

Which TWO of the following are common attack vectors for IoT devices? (Select two)

Select 2 answers
A. SQL injection
B. Default credentials
C. Insecure protocols (e.g., plain MQTT)
D. Side-channel attacks
E. ARP spoofing
Answers: B, C

Many IoT devices ship with hardcoded or weak default passwords.

Why this answer

Default credentials (e.g., admin/admin) and insecure protocols (e.g., MQTT without TLS) are frequently exploited in IoT.

275
MCQ · hard

An analyst captures the following output from a wireless adapter: `[00:1A:2B:3C:4D:5E] 54 Mbps WPA2 CCMP PSK`. The analyst suspects a malicious rogue AP is impersonating a legitimate network. Which of the following indicators would MOST strongly confirm a rogue AP?

A. The channel number is different from the legitimate AP
B. The SSID is broadcasted with the same name as the corporate network
C. The BSSID matches a known manufacturer, but the signal strength is unusually high
D. The encryption type is WPA2 with CCMP
Answer: C

Correct: A high signal strength combined with a BSSID that might be spoofed suggests a rogue AP placed nearby.

Why this answer

A rogue AP often has a higher signal strength than expected, especially if it's placed closer to users. Additionally, a mismatch between the BSSID and the known legitimate AP can indicate spoofing.

276
MCQ · easy

Which of the following is a well-known attack against the MD5 hash function that allows two different inputs to produce the same hash value?

A. Birthday attack
B. Replay attack
C. Downgrade attack
D. Dictionary attack
Answer: A

Correct: The birthday attack exploits the birthday paradox to find collisions in hash functions like MD5.

Why this answer

The birthday attack exploits the birthday paradox in probability theory to find two different inputs that produce the same MD5 hash value (a collision) with significantly less effort than a brute-force preimage attack. For an n-bit hash, the birthday attack requires only about 2^(n/2) operations, making MD5's 128-bit output vulnerable to collisions in roughly 2^64 attempts, which is computationally feasible today.

Exam trap

The trap here is that candidates often confuse the birthday attack with a dictionary attack because both involve generating many inputs, but the birthday attack specifically targets collision resistance (two different inputs, same hash) while a dictionary attack targets preimage resistance (finding an input that matches a given hash).

How to eliminate wrong answers

Option B is wrong because a replay attack involves intercepting and retransmitting valid data transmissions (e.g., captured authentication tokens) to impersonate a user, not finding hash collisions. Option C is wrong because a downgrade attack forces a system to fall back to a weaker, less secure protocol or cipher (e.g., SSL stripping to HTTP), not exploiting hash function weaknesses. Option D is wrong because a dictionary attack uses a precomputed list of likely passwords or phrases to guess a password or find a preimage, but it does not find collisions between two arbitrary inputs.

277
MCQ · medium

A security analyst is investigating a potential SMB-based attack. They notice unusual traffic on port 445 from a host running `enum4linux`. Which of the following enumeration actions could `enum4linux` perform that would generate such traffic?

A. Scanning for open ports on the target system
B. Enumerating SMB shares and user accounts
C. Performing a DNS zone transfer
D. Querying SNMP MIB values using community strings
Answer: B

enum4linux specifically enumerates SMB shares, users, groups, and other information via SMB (port 445).

Why this answer

enum4linux uses SMB and RPC calls to enumerate shares, users, groups, and other information. It can enumerate SMB shares via smbclient or rpcclient.

278
Multi-Select · medium

Which TWO of the following are examples of amplification attacks used in DDoS?

Select 2 answers
A. DNS amplification
B. NTP amplification
C. Slowloris
D. SYN flood
E. Ping of Death
Answers: A, B

DNS amplification uses small queries to generate large responses.

Why this answer

Amplification attacks exploit protocols that respond with larger payloads than the request, magnifying traffic. NTP and DNS are common examples.

279
MCQ · easy

Which of the following malware types is characterized by self-replication without requiring a host file or program, and spreading across networks automatically?

A. Worm
B. Trojan horse
C. Virus
D. Ransomware
Answer: A

Worms are self-replicating and spread automatically.

Why this answer

Worms are standalone self-replicating malware that spread across networks without needing to attach to host files.

280
MCQ · hard

A web server is configured with WebDAV and allows PUT requests. An attacker uploads a .asp file and accesses it to execute code. Which tool or method is most directly associated with exploiting this misconfiguration?

A. SQL injection
B. File upload vulnerability
C. Directory brute forcing
D. Cross-site scripting (XSS)
Answer: B

The ability to upload and execute arbitrary files via WebDAV PUT is a file upload vulnerability.

Why this answer

WebDAV with PUT enabled allows attackers to upload arbitrary files, including web shells, leading to remote code execution.

281
MCQ · medium

During a penetration test, you need to enumerate all users and groups from a Windows domain controller. Which tool is BEST suited for this task?

A. ldapsearch
B. nbtstat
C. smbclient
D. snmpwalk
Answer: A

Correct. ldapsearch is a command-line tool for LDAP directory queries, ideal for enumerating AD users and groups.

Why this answer

ldapsearch is the best tool for enumerating users and groups from a Windows domain controller because it directly queries the Active Directory LDAP directory service (port 389 or 636 for LDAPS) using standard LDAP search filters. This allows retrieval of all user and group objects, including their attributes, without relying on NetBIOS or SMB file sharing. It is the most efficient and comprehensive method for structured directory enumeration in a domain environment.

Exam trap

The trap here is that candidates often confuse nbtstat or smbclient as tools for user enumeration because they associate them with Windows networking, but neither can query Active Directory's LDAP directory for user and group objects.

How to eliminate wrong answers

Option B (nbtstat) is wrong because it only resolves NetBIOS names to IP addresses and displays local NetBIOS name tables; it cannot enumerate users or groups from a domain controller. Option C (smbclient) is wrong because it is a file-sharing client for SMB/CIFS protocol, used to access shared files and printers, not to query directory services for user and group objects. Option D (snmpwalk) is wrong because it retrieves SNMP MIB data from network devices, which does not include Active Directory user or group information unless specifically configured with custom MIBs, which is not standard for domain controllers.

282
MCQ · medium

A web application allows users to upload profile pictures. The application uses the filename provided by the user to save the file on the server. An attacker uploads a file named 'malicious.php%00.png' and the server saves it as 'malicious.php'. Which vulnerability is being exploited?

A. Directory traversal
B. Command injection
C. Null byte injection
D. Cross-Site Scripting (XSS)
Answer: C

Null byte injection exploits the null byte character to truncate strings, bypassing file extension filters.

Why this answer

This is a null byte injection attack, where the %00 (null byte) terminates the string, bypassing extension checks to upload a PHP file.

283
MCQ · hard

A web application has an endpoint that takes a URL parameter and fetches content from that URL, returning it to the user. An attacker supplies 'file:///etc/passwd' and reads the server's passwd file. Which vulnerability is this?

A. Command injection
B. Remote File Inclusion (RFI)
C. Server-Side Request Forgery (SSRF)
D. Directory traversal
Answer: C

The server is tricked into making requests to internal resources via file:// protocol.

Why this answer

This is SSRF because the server is making requests to internal resources based on user input; file:// is a protocol that can be used for local file access.

284
MCQ · medium

A penetration tester runs the following Nmap command: `nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24`. Which of the following BEST describes what this scan will accomplish?

A. Perform a TCP SYN scan on four ports, detect service versions, and attempt OS fingerprinting
B. Perform a full TCP connect scan with UDP service detection on all ports
C. Perform an aggressive scan of all open ports and enumerate SMB shares
D. Perform a UDP scan on the four specified ports and identify running services
Answer: A

-sS = SYN/stealth scan, -sV = version detection, -O = OS fingerprinting, -p 22,80,443,3389 = scan only these four ports. This is a targeted reconnaissance scan.

Why this answer

Option A is correct. The -sS flag performs a TCP SYN (stealth) scan, -sV detects service versions, -O attempts OS fingerprinting, and -p restricts scanning to ports 22, 80, 443, and 3389. This combination identifies open ports, service versions, and the OS on the target subnet.

285
MCQ · easy

You are a security consultant for a mid-sized company that recently migrated its customer relationship management (CRM) system to a public cloud provider (AWS). The CRM is a web application behind an Application Load Balancer (ALB) with WAF enabled. The application stores sensitive customer data in an RDS MySQL database. The security team has configured security groups to allow only HTTPS (443) from the internet to the ALB, and from the ALB to the application servers on port 8080. The application servers can connect to the database on port 3306. During a routine vulnerability scan, you discover that the database is publicly accessible from the internet on port 3306, which contradicts the intended design. You verify that the security group for the database allows inbound traffic from 0.0.0.0/0 on port 3306. The database contains unencrypted personal identifiable information (PII). What is the most effective immediate action to remediate this vulnerability?

A. Modify the database security group to remove the 0.0.0.0/0 inbound rule and add a rule allowing only the application servers' security group on port 3306.
B. Enable RDS Enhanced Monitoring and log all connections to the database for forensic analysis.
C. Enable deletion protection on the RDS instance to prevent accidental removal.
D. Enable encryption at rest for the RDS instance using AWS KMS.
Answer: A

This restricts access to only authorized sources, closing the exposure.

Why this answer

The most effective immediate action is to restrict the database security group to allow inbound traffic only from the application servers' security group on port 3306. This directly removes the public exposure (0.0.0.0/0) and enforces the principle of least privilege, ensuring only the intended application tier can communicate with the database. Since the database contains unencrypted PII, closing the public access is the highest priority remediation to prevent data exfiltration.

Exam trap

The trap here is that candidates may focus on encryption or logging as a quick fix, but the most critical and immediate action is to close the direct public network access to the database, as encryption and logging do not prevent an active attacker from connecting and stealing data.

How to eliminate wrong answers

Option B is wrong because enabling Enhanced Monitoring and logging does not remediate the public exposure; it only provides visibility into connections, which is a detective control, not a preventive one. Option C is wrong because enabling deletion protection prevents accidental deletion of the RDS instance but does not address the inbound security group rule allowing public access on port 3306. Option D is wrong because enabling encryption at rest protects data stored on disk but does not prevent an attacker from connecting to the database over the network and exfiltrating unencrypted data in transit.

286
MCQeasy

Which of the following tools is specifically designed for auditing cloud environments (AWS, Azure, GCP) for security misconfigurations?

A.John the Ripper
B.ScoutSuite
C.Aircrack-ng
D.Reaver
AnswerB

Correct: ScoutSuite audits cloud environments.

Why this answer

ScoutSuite is an open-source multi-cloud security auditing tool that checks for common misconfigurations.

287
MCQhard

A penetration tester finds that a web application accepts XML input and returns the parsed data in the response. The tester submits the following payload: <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>. The server returns the contents of /etc/passwd. Which vulnerability is being exploited?

A.SSRF
B.Command injection
C.XXE injection
D.XPath injection
AnswerC

The payload uses an external entity to read a file, which is XXE.

Why this answer

The payload defines an external entity (XXE) that reads a local file, indicating an XML External Entity (XXE) injection vulnerability.

288
MCQmedium

A security analyst runs the following Nmap command: nmap -sS -sV -O -p 22,80,443,3389 192.168.1.0/24. Which of the following BEST describes what this scan will accomplish?

A.Perform a full TCP connect scan with UDP service detection on all ports
B.Perform a TCP SYN scan on four ports, detect service versions, and attempt OS fingerprinting
C.Perform an aggressive scan of all open ports and enumerate SMB shares
D.Perform a UDP scan on the four specified ports and identify running services
AnswerB

-sS = SYN/stealth scan, -sV = version detection, -O = OS fingerprinting, -p 22,80,443,3389 = scan only these four ports. This is a targeted reconnaissance scan.

Why this answer

Option B is correct because the `-sS` flag initiates a TCP SYN stealth scan, `-sV` enables service version detection, and `-O` attempts OS fingerprinting. The `-p 22,80,443,3389` limits the scan to those four ports, and the target `192.168.1.0/24` scans the entire Class C subnet. This combination performs a half-open scan on the specified ports, probes for application versions, and tries to identify the operating system of each live host.

Exam trap

The trap here is that candidates confuse `-sS` (SYN scan) with a full connect scan (`-sT`) or mistakenly think `-sV` and `-O` imply an aggressive scan (`-A`), which also includes default scripts and traceroute.

How to eliminate wrong answers

Option A is wrong because `-sS` performs a TCP SYN scan (half-open), not a full TCP connect scan (`-sT`), and the command does not include UDP scanning (`-sU`) or scan all ports (only four are specified). Option C is wrong because the command does not use the `-A` flag (aggressive scan) and does not include any SMB enumeration flags like `--script smb-enum-shares`. Option D is wrong because `-sS` is a TCP SYN scan, not a UDP scan (`-sU`), and while `-sV` identifies services, it does so over TCP, not UDP.

289
Drag & Dropmedium

Drag and drop the steps to configure a wireless network with WPA2-Enterprise authentication on a Cisco AP into the correct order.


Why this order

Set up RADIUS, create WLAN, configure AP to use RADIUS, enable, test.

290
MCQeasy

Which of the following tools is specifically designed to perform fast internet-wide scanning, often used in the reconnaissance phase to discover open ports across large IP ranges?

A.hping3
B.OpenVAS
C.Masscan
D.Nmap
AnswerC

Masscan is designed for high-speed scanning of large address spaces.

Why this answer

Masscan is specifically designed for high-speed, asynchronous scanning of large IP ranges, capable of transmitting packets at rates exceeding 10 million packets per second. This makes it the optimal tool for internet-wide reconnaissance to discover open ports across vast address spaces, a task for which Nmap is too slow and hping3 is too manual.

Exam trap

The trap here is that candidates often choose Nmap because it is the most famous scanning tool, but the question specifically asks for a tool designed for 'fast internet-wide scanning,' which is Masscan's unique selling point over Nmap's slower, more thorough approach.

How to eliminate wrong answers

Option A is wrong because hping3 is a packet crafting and manipulation tool used for custom TCP/IP testing and firewall auditing, not for high-speed internet-wide scanning. Option B is wrong because OpenVAS is a vulnerability scanner that performs deep analysis on a targeted set of hosts, not a tool designed for rapid, large-scale port discovery. Option D is wrong because while Nmap is a powerful and versatile scanner, its synchronous scanning engine is too slow for scanning the entire internet; Masscan was explicitly created to fill this performance gap.

291
MCQmedium

A security analyst runs the following command: 'wget http://example.com/bucket?list-type=2' and receives a listing of objects. Which cloud misconfiguration is this MOST likely exploiting?

A.SSRF vulnerability in the cloud application
B.Container escape vulnerability
C.Misconfigured IAM roles allowing privilege escalation
D.Publicly accessible S3 bucket with list permissions enabled
AnswerD

The command uses HTTP to list bucket objects, indicating public list access.

Why this answer

An S3 bucket with public listing enabled allows anyone to list objects via HTTP GET requests.

292
MCQhard

An analyst observes that a web server is receiving many HTTP GET requests with random parameter values, each request taking a long time to complete. The server's connection pool is exhausted, and legitimate users cannot access the site. Which attack is MOST likely occurring?

A.UDP flood
B.SYN flood
C.Slowloris
D.HTTP flood
AnswerC

Slowloris sends incomplete HTTP requests to keep connections open, exhausting the server's connection pool.

Why this answer

Slowloris sends partial HTTP requests to keep connections open, exhausting the server's connection pool.

293
MCQmedium

In the context of privilege escalation on Windows, what is token impersonation, and which tool is commonly used to exploit it?

A.A technique to dump hashes; Hashcat
B.A technique to assume another user's security context; Incognito
C.A technique to steal session cookies; Mimikatz
D.A technique to bypass UAC; Metasploit
AnswerB

Why this answer

Token impersonation allows a process to assume the security context of another user. Tools like `incognito` can list available tokens and impersonate them, often to gain administrator privileges.

294
Multi-Selecteasy

Which TWO of the following are considered passive reconnaissance techniques? (Choose TWO.)

Select 2 answers
A.Ping sweep
B.WHOIS lookup
C.Banner grabbing with Telnet
D.Port scanning
E.Google dorking
AnswersB, E

WHOIS queries public registration databases, with no direct interaction with the target.

Why this answer

WHOIS lookup is a passive reconnaissance technique because it queries public domain registration databases (via WHOIS protocol, RFC 3912) to obtain information such as registrar, registrant contact details, name servers, and expiration dates. This process does not send any packets directly to the target's infrastructure; instead, it relies on third-party data sources, making it undetectable by the target.

Exam trap

The trap here is that candidates often confuse 'passive' with 'low-noise' techniques, mistakenly thinking a ping sweep or banner grabbing is passive because it doesn't exploit vulnerabilities, but any technique that sends packets to the target's systems is active by definition.

295
MCQhard

Based on the exhibit, what type of attack is being attempted?

A.Directory Traversal
B.Command Injection
C.SQL Injection
D.Cross-Site Scripting
AnswerA

The encoded path attempts to access /etc/passwd via traversal.

Why this answer

The exhibit shows a URL parameter (e.g., `?file=../../etc/passwd`) that uses `../` sequences to traverse outside the web root directory. This is the classic signature of a directory traversal attack, which attempts to access restricted files like `/etc/passwd` by manipulating file path references. The attack exploits insufficient input validation in the application's file retrieval logic.

Exam trap

The trap here is that candidates often confuse directory traversal with command injection because both involve manipulating input to access system resources, but directory traversal uses path sequences (`../`) while command injection uses shell metacharacters (`;`, `|`, `&`).

How to eliminate wrong answers

Option B is wrong because command injection requires the injection of OS commands (e.g., `; ls` or `| cat /etc/passwd`) into a parameter that is passed to a system shell, not path traversal sequences. Option C is wrong because SQL injection involves injecting SQL syntax (e.g., `' OR 1=1 --`) into database queries, not file path manipulation. Option D is wrong because cross-site scripting (XSS) injects client-side scripts (e.g., `<script>alert(1)</script>`) into web pages, not directory path patterns.

296
MCQmedium

An organization wants to mitigate the impact of a DDoS attack by distributing incoming traffic across multiple servers in different geographic locations. Which technique is BEST suited?

A.Anycast
B.Scrubbing center
C.Rate limiting
D.Load balancing
AnswerA

Anycast distributes traffic across multiple nodes based on routing protocols.

Why this answer

Anycast routing allows traffic to be directed to the nearest or best-performing server among multiple locations, helping absorb DDoS traffic.

297
MCQhard

You are investigating a suspected data exfiltration. Network logs show an internal host performing numerous DNS queries to a domain that does not exist in any organization records. The queries use various subdomains. Which technique is the attacker MOST likely using?

A.DNS amplification attack
B.DNS cache poisoning
C.DNS zone transfer
D.DNS tunneling
AnswerD

DNS tunneling uses DNS queries to exfiltrate data.

Why this answer

The attacker is most likely using DNS tunneling, which encodes exfiltrated data into DNS queries and responses. By making numerous DNS queries to a domain they control, with data encoded in the subdomain labels, the attacker can bypass network security controls that do not inspect DNS traffic deeply. The fact that the domain does not appear in organization records and that the queries use many different subdomains is a classic indicator of DNS tunneling.

Exam trap

The trap here is that candidates confuse DNS tunneling with DNS amplification attacks because both involve many DNS queries, but amplification is a DDoS technique focused on volume, not covert data exfiltration via subdomain encoding.

How to eliminate wrong answers

Option A is wrong because a DNS amplification attack is a volumetric DDoS technique that uses open resolvers to flood a victim with large DNS responses, not to exfiltrate data via subdomain queries. Option B is wrong because DNS cache poisoning corrupts a resolver's cache with forged records to redirect traffic, not to exfiltrate data through numerous subdomain queries. Option C is wrong because a DNS zone transfer is a legitimate mechanism to replicate DNS records between authoritative servers, typically using TCP port 53 and the AXFR query type, not a method for data exfiltration via subdomain queries.

298
MCQeasy

What is the PRIMARY purpose of performing a DNS zone transfer?

A.To cache DNS queries locally
B.To obtain all DNS records for a domain from an authoritative server
C.To resolve IP addresses to hostnames
D.To verify the DNS server's response time
AnswerB

Zone transfer provides a complete list of DNS records, which is valuable for mapping a network.

Why this answer

DNS zone transfer (AXFR) is a mechanism defined in RFC 1034 and 1035 that allows a secondary DNS server to replicate the entire zone file from a primary authoritative server. The primary purpose is to obtain all DNS records for a domain, which is critical for reconnaissance during the footprinting phase, as it reveals subdomains, mail servers, and other infrastructure without brute-forcing.

Exam trap

EC-Council often tests the distinction between a zone transfer (full record replication) and a standard DNS query (single record lookup); candidates mistakenly choose option C because they confuse a reverse lookup with the bulk data retrieval of AXFR.

How to eliminate wrong answers

Option A is wrong because caching DNS queries locally is the function of a DNS resolver or caching server, not the purpose of a zone transfer; zone transfers replicate authoritative records, not cached queries. Option C is wrong because resolving IP addresses to hostnames is a reverse DNS lookup (PTR record query), which is a separate operation from a zone transfer that copies the entire forward zone. Option D is wrong because verifying the DNS server's response time is a performance check (e.g., using dig +stats), not a function of zone transfers, which are about data replication.

299
MCQmedium

An organization wants to protect against DNS spoofing attacks. Which security measure is MOST effective in preventing an attacker from poisoning DNS cache entries?

A.Use IPsec
B.Implement DNSSEC
C.Use a firewall
D.Disable DNS recursion
AnswerB

DNSSEC validates DNS responses.

Why this answer

DNSSEC adds cryptographic signatures to DNS data, preventing spoofed responses.

300
MCQeasy

A company uses a cloud-based identity provider (IdP) for single sign-on (SSO). Which security control is most effective in preventing account takeover due to credential stuffing?

A.Enforce complex password policies.
B.Enable multi-factor authentication (MFA) for all users.
C.Implement CAPTCHA on the login page.
D.Enable account lockout after 3 failed attempts.
AnswerB

MFA prevents credential stuffing.

Why this answer

Multi-factor authentication (MFA) is the most effective control against credential stuffing because it requires an additional verification factor beyond the password. Even if an attacker obtains valid credentials through a previous breach, they cannot complete authentication without the second factor (e.g., a one-time passcode from an authenticator app or a hardware token). This directly neutralizes the core attack vector of credential stuffing, which relies solely on reused passwords.

Exam trap

The trap here is that candidates often choose account lockout (Option D) thinking it stops brute-force attacks, but credential stuffing uses valid passwords from breaches, so lockout is ineffective and can be easily evaded with distributed IPs.

How to eliminate wrong answers

Option A is wrong because complex password policies do not prevent credential stuffing; they only make it harder to guess or crack a single password, but attackers use already compromised credentials from other breaches, not brute force. Option C is wrong because CAPTCHA only slows down automated login attempts but does not stop an attacker who has valid credentials from manually logging in or using sophisticated bots that can solve CAPTCHAs. Option D is wrong because account lockout after 3 failed attempts can be bypassed by attackers using distributed credential stuffing attacks from many different IP addresses, and it also creates a denial-of-service risk for legitimate users.
