' and the…","url":"https://courseiva.com/questions/ec-council/ec-ceh/during-a-web-application-penetration-test-a-tester-submits-ugc94"},{"@type":"ListItem","position":350,"name":"An attacker uses the following URL pattern to access files: http://example.com/../../etc/passwd. Which attack is being a…","url":"https://courseiva.com/questions/ec-council/ec-ceh/an-attacker-uses-the-following-url-pattern-to-access-files-a4r3c"},{"@type":"ListItem","position":351,"name":"Which TWO of the following are examples of passive OS fingerprinting techniques? (Select 2)","url":"https://courseiva.com/questions/ec-council/ec-ceh/which-two-of-the-following-are-examples-of-passive-os-finger-onr3q"},{"@type":"ListItem","position":352,"name":"Which THREE of the following are valid methods to prevent a downgrade attack on TLS? (Select 3)","url":"https://courseiva.com/questions/ec-council/ec-ceh/which-three-of-the-following-are-valid-methods-to-prevent-a-py91u"},{"@type":"ListItem","position":353,"name":"Refer to the exhibit. An ethical hacker runs the shown Nmap scan against a target. Which port state indicates that the p…","url":"https://courseiva.com/questions/ec-council/ec-ceh/refer-to-the-exhibit-an-ethical-hacker-runs-the-shown-nmap-etlqk"},{"@type":"ListItem","position":354,"name":"Which password cracking technique involves trying every possible combination of characters until the correct password is…","url":"https://courseiva.com/questions/ec-council/ec-ceh/which-password-cracking-technique-involves-trying-every-poss-51cgo"},{"@type":"ListItem","position":355,"name":"Which cryptographic algorithm is vulnerable to a birthday attack on its hash output size of 128 bits, reducing the effec…","url":"https://courseiva.com/questions/ec-council/ec-ceh/which-cryptographic-algorithm-is-vulnerable-to-a-birthday-at-bsu7u"},{"@type":"ListItem","position":356,"name":"An application allows users to upload XML files for processing. A tester uploads the following payload:

Certified Ethical Hacker CEH (CEH) — Questions 301375

1010 questions total · 14pages · All types, answers revealed

Page 4

Page 5 of 14

Page 6
301
Multi-Selecthard

Which THREE of the following are common countermeasures to prevent DNS zone transfers from being abused? (Choose THREE.)

Select 3 answers
A.Enable DNS recursion on the name server
B.Restrict zone transfers to only specific authorized secondary name servers
C.Implement split DNS (internal vs external views)
D.Use Transaction Signatures (TSIG) to authenticate zone transfer requests
E.Configure the name server to allow zone transfers from any host
AnswersB, C, D

Limits who can request a zone transfer.

Why this answer

Option B is correct because restricting zone transfers to only specific authorized secondary name servers prevents unauthorized hosts from requesting a full copy of the DNS zone data. This is a fundamental access control measure that limits the AXFR query to trusted IP addresses, thereby mitigating information leakage during reconnaissance.

Exam trap

The trap here is that candidates often confuse enabling recursion (Option A) with a security measure, when in fact recursion is unrelated to zone transfer control and can introduce other vulnerabilities.

302
MCQeasy

Which Nmap flag is used to perform a TCP SYN scan without completing the three-way handshake?

A.-sS
B.-sT
C.-sU
D.-sA
AnswerA

-sS is the SYN stealth scan.

Why this answer

The -sS flag instructs Nmap to perform a TCP SYN scan, which sends a SYN packet to the target port and, upon receiving a SYN/ACK response, sends an RST packet instead of completing the three-way handshake with an ACK. This allows the scanner to determine port states without establishing a full TCP connection, making it faster and less detectable than a full connect scan.

Exam trap

The trap here is that candidates often confuse -sS (SYN scan) with -sT (TCP connect scan), mistakenly thinking that -sT also avoids completing the handshake, when in fact -sT completes the full three-way handshake and is logged by the target system.

How to eliminate wrong answers

Option B (-sT) is wrong because it performs a full TCP connect scan, which completes the three-way handshake by sending the final ACK, making it more detectable and slower. Option C (-sU) is wrong because it performs a UDP scan, which sends UDP packets and does not involve the TCP three-way handshake at all. Option D (-sA) is wrong because it performs a TCP ACK scan, which sends packets with the ACK flag set to map firewall rules, not to determine open ports via SYN responses.

303
MCQmedium

A network administrator needs to identify all devices on a large corporate network that are running a specific vulnerable version of OpenSSH. The administrator has network access and can use scanning tools. However, scanning the entire network might disrupt operations. Which approach minimizes disruption while accurately identifying the vulnerable hosts?

A.Conduct a full TCP port scan of the entire network using SYN scan.
B.Run a TCP SYN scan on port 22 only, with version detection enabled, across the target IP range.
C.Use a ping sweep to identify live hosts, then perform a version scan on each.
D.Perform an ARP scan of the entire subnet and then check each host manually.
AnswerB

Scanning only the relevant port with version detection minimizes traffic and focuses on the vulnerable service.

Why this answer

Option B is correct because it targets only TCP port 22 (the default SSH port) with a SYN scan, which is stealthier and faster than a full connect scan, and enables version detection to identify the specific vulnerable OpenSSH version. This minimizes disruption by avoiding scanning unnecessary ports and reduces network load, while accurately pinpointing vulnerable hosts.

Exam trap

The trap here is that candidates often choose a ping sweep (Option C) thinking it reduces disruption, but they overlook that ICMP may be blocked, and the subsequent version scan on each host still requires port-level scanning, making Option B more efficient and accurate.

How to eliminate wrong answers

Option A is wrong because a full TCP port scan of the entire network would generate excessive traffic, potentially disrupting operations, and is unnecessary when only port 22 is relevant. Option C is wrong because a ping sweep may miss hosts that block ICMP (e.g., firewalls), leading to incomplete identification, and then performing a version scan on each live host still requires scanning all ports on those hosts, which is less efficient than targeting port 22 directly. Option D is wrong because an ARP scan only works within the local subnet (Layer 2) and does not scale to a large corporate network across multiple subnets; manual checking is impractical and error-prone.

304
MCQeasy

A security analyst runs the command `nbtstat -A 192.168.1.50` in a Windows environment. What information is the analyst attempting to retrieve?

A.The current routing table on the host
B.Active network connections and listening ports
C.DNS records for the host
D.NetBIOS names and services of the remote system
AnswerD

The -A flag lists the NetBIOS name table for the specified IP address, including MAC addresses and registered names.

Why this answer

`nbtstat -A` with a target IP address displays the NetBIOS name table for that remote system, revealing computer names, logged-in users, and domain/workgroup membership.

305
MCQeasy

Which of the following is a method of hiding files on a system using steganography?

A.Encrypting a file with AES
B.Renaming a file to a system filename
C.Embedding a secret message in an image file
D.Using a rootkit to hide processes
AnswerC

Steganography hides data within cover media.

Why this answer

Option A is correct. Steganography hides data within other media like images, audio, or video.

306
MCQmedium

Which of the following is the PRIMARY reason that MD5 is no longer recommended for use in digital signatures?

A.MD5 is a symmetric algorithm, not a hash function
B.MD5 is computationally too slow for large data
C.MD5 produces a 128-bit hash, which is too short for modern security
D.MD5 is vulnerable to collision attacks
AnswerD

Correct. Practical collision attacks against MD5 have been demonstrated, making it unsuitable for digital signatures.

Why this answer

MD5 is vulnerable to collision attacks, where two different inputs produce the same hash. This undermines the integrity and non-repudiation properties required for digital signatures.

307
MCQmedium

A penetration tester is performing reconnaissance and wants to identify email addresses associated with a target domain. Which tool is specifically designed for this purpose?

A.Nmap
B.theHarvester
C.Shodan
D.Maltego
AnswerB

theHarvester is designed to harvest emails and other data from public sources.

Why this answer

TheHarvester is specifically designed for passive reconnaissance to gather email addresses, subdomains, and other open-source intelligence (OSINT) from public sources like search engines, PGP key servers, and the SHODAN database. It directly queries these sources to extract email addresses associated with a target domain, making it the correct tool for this task.

Exam trap

The trap here is that candidates often confuse Shodan (a device search engine) with a tool for email harvesting, or they assume Maltego's broad OSINT capabilities make it the best choice, but theHarvester is the only option specifically designed for automated email address extraction from public sources.

How to eliminate wrong answers

Option A is wrong because Nmap is a network scanning tool used for port scanning, service detection, and OS fingerprinting, not for harvesting email addresses from public sources. Option C is wrong because Shodan is a search engine for internet-connected devices and services, not a tool for extracting email addresses from a target domain. Option D is wrong because Maltego is a graphical link analysis tool for relationship mapping and OSINT, but it is not specifically designed for automated email harvesting; it requires manual configuration and transforms, whereas theHarvester is purpose-built for this task.

308
Multi-Selectmedium

Which THREE of the following are common types of SQL injection attacks? (Select three)

Select 3 answers
A.Reflected SQL injection
B.Stored SQL injection
C.Out-of-band SQL injection
D.Blind SQL injection
E.In-band SQL injection
AnswersC, D, E

Out-of-band uses a different channel (e.g., DNS) to exfiltrate data.

Why this answer

In-band SQL injection (including error-based and union-based) are classic types. Blind SQL injection (boolean-based and time-based) are also common. Out-of-band is less common but still a type.

309
MCQmedium

An attacker performs a downgrade attack on a TLS connection, forcing the client and server to negotiate a weaker cipher suite. This attack exploits which of the following?

A.A vulnerability in the TLS 1.3 handshake
B.A known weakness in the Diffie-Hellman key exchange
C.The fallback mechanism in SSL/TLS implementations
D.The ability to modify the ClientHello message
AnswerC

Correct: Attackers exploit the fallback to force weaker security.

Why this answer

Downgrade attacks exploit the fallback mechanism in TLS where, if a handshake fails, the client retries with a lower version or weaker suite. The attacker forces failure to degrade security.

310
MCQhard

A security analyst examines a compromised Linux server and finds a hidden directory `/usr/share/.syslog` containing a modified version of `sshd` and a log cleaner script. This is indicative of which technique used to erase tracks?

A.Token impersonation
B.DLL injection
C.Rootkit installation
D.Steganography
AnswerC

Correct. Rootkits replace system files to hide presence and log cleaners erase evidence.

Why this answer

The presence of a hidden directory containing a modified `sshd` binary and a log cleaner script is a classic sign of a rootkit installation. Rootkits replace core system binaries (like `sshd`) to maintain backdoor access and use log cleaners to erase evidence of their activity, directly aligning with the technique of erasing tracks.

Exam trap

EC-Council often tests the distinction between platform-specific techniques, and the trap here is that candidates may confuse rootkit installation with steganography because both involve 'hiding,' but steganography hides data, not system binaries or logs.

How to eliminate wrong answers

Option A is wrong because token impersonation is a Windows-specific privilege escalation technique that involves duplicating access tokens, not hiding files or modifying binaries on a Linux server. Option B is wrong because DLL injection is a Windows technique for injecting code into running processes via dynamic-link libraries, which does not apply to Linux systems that use shared objects (.so) and have no concept of DLLs. Option D is wrong because steganography hides data within other data (e.g., images or audio) and is not used to replace system binaries or clean logs to erase tracks.

311
MCQhard

During a security assessment, you execute: dnsenum --enum example.com. The tool returns results including the nameservers (NS), mail servers (MX), and performs a zone transfer attempt. The zone transfer fails. What is the MOST likely reason for the failure?

A.The DNS server is not running
B.The zone transfer requires TCP port 443
C.The DNS server is configured to deny zone transfers from unauthorized hosts
D.The domain does not exist
AnswerC

This is the standard security configuration for DNS servers.

Why this answer

Option C is correct because DNS zone transfers (AXFR) are typically restricted by default on authoritative DNS servers to prevent unauthorized disclosure of the entire zone file. The `dnsenum` tool attempts an AXFR query over TCP port 53, and the failure indicates the server explicitly denied the request, which is a standard security configuration per RFC 5936.

Exam trap

The trap here is that candidates may confuse the port used for zone transfers (TCP 53) with the standard DNS query port (UDP 53) or mistakenly think a failed zone transfer implies the server is down or the domain is invalid, rather than recognizing it as a deliberate security control.

How to eliminate wrong answers

Option A is wrong because if the DNS server were not running, the tool would not have returned NS and MX records; a non-responsive server would cause a timeout or connection error, not a specific zone transfer failure. Option B is wrong because zone transfers use TCP port 53, not TCP port 443 (which is used for HTTPS). Option D is wrong because the tool successfully resolved the domain (returning NS and MX records), proving the domain exists and is properly configured.

312
Multi-Selectmedium

A penetration tester wants to perform DNS zone transfer enumeration. Which TWO of the following tools can be used for this purpose? (Select exactly 2.)

Select 2 answers
A.Shodan
B.Maltego
C.theHarvester
D.dnsrecon
E.dnsenum
AnswersD, E

dnsrecon can perform zone transfers as part of its enumeration.

Why this answer

Dnsrecon is a dedicated DNS enumeration tool that supports zone transfer requests (AXFR queries) to retrieve all DNS records from a nameserver if it is misconfigured to allow transfers from any host. It can also perform other DNS reconnaissance tasks such as SRV record enumeration and subdomain brute-forcing, making it a direct choice for zone transfer enumeration.

Exam trap

EC-Council often tests the distinction between passive reconnaissance tools (theHarvester, Maltego) and active DNS enumeration tools (dnsrecon, dnsenum) that directly query DNS servers for zone transfers, leading candidates to select tools that gather DNS data indirectly rather than performing the actual AXFR request.

313
MCQeasy

A company deploys IoT sensors in a remote facility with limited bandwidth. The sensors send small data packets every few seconds. Which wireless technology is most appropriate for this application?

A.4G LTE
B.Wi-Fi 6
C.Bluetooth 5
D.LoRaWAN
AnswerD

Optimized for low-power, long-range IoT.

Why this answer

LoRaWAN is designed for low-power, long-range communication with small data payloads, making it ideal for IoT sensors in remote facilities with limited bandwidth. It operates in sub-GHz ISM bands (e.g., 868 MHz or 915 MHz) and supports data rates from 0.3 kbps to 50 kbps, perfectly matching the requirement of sending small packets every few seconds over kilometers.

Exam trap

The trap here is that candidates often confuse 'low power' and 'short range' technologies like Bluetooth 5 with the specific requirements of remote, long-range IoT, failing to recognize that LoRaWAN is the only option explicitly designed for low-power wide-area networks (LPWAN) with kilometer-scale range.

How to eliminate wrong answers

Option A is wrong because 4G LTE is a cellular technology optimized for high-bandwidth, low-latency applications (e.g., video streaming) and consumes significantly more power, making it unsuitable for battery-powered IoT sensors in remote areas with limited bandwidth. Option B is wrong because Wi-Fi 6 (802.11ax) is designed for high-density, high-throughput local area networks with a typical range of tens of meters, not for long-range, low-power IoT deployments in remote facilities. Option C is wrong because Bluetooth 5, while offering low power and mesh capabilities, has a maximum range of approximately 200-400 meters in ideal conditions, which is insufficient for remote facilities spanning kilometers, and its data rate (up to 2 Mbps) is overkill for small packets sent every few seconds.

314
MCQhard

You are conducting a security assessment for a company that hosts a web application on AWS. The application consists of a public-facing load balancer, an EC2 instance running a Linux web server, and an RDS MySQL database in a private subnet. The web server is configured to allow SSH access only from the company's internal IP range (203.0.113.0/24). During initial reconnaissance, you discover that the load balancer's security group allows inbound HTTP/HTTPS from anywhere. You attempt an Nmap SYN scan against the EC2 instance's public IP but receive no response (host appears down). Using a TCP connect scan, you find that ports 80 and 443 are open on the EC2 instance's public IP, but port 22 is filtered. You then launch an EC2 instance in the same region and run a scan from that internal AWS IP, and you find that port 22 is open on the target EC2 instance's private IP. Which of the following is the most likely reason for the initial scan failure and the filtered SSH port?

A.The EC2 instance is behind a NAT gateway that only allows outbound traffic. The load balancer is in a public subnet, but the instance is in a private subnet and cannot be reached from the internet directly.
B.The VPC's network ACL is blocking inbound SYN packets to the EC2 instance's public IP, while allowing established connections. The TCP connect scan sends ACK packets, which bypass the ACL.
C.The EC2 instance's security group only allows HTTP/HTTPS traffic from the load balancer's security group and SSH from the internal IP range. The load balancer's security group allows internet traffic to the load balancer, but the EC2 instance's security group does not allow direct internet traffic to the instance.
D.The EC2 instance does not have a public IP assigned; the load balancer performs destination NAT. The initial scan targeted the load balancer's IP, not the instance's IP.
AnswerC

Why this answer

Option C is correct because the EC2 instance's security group is configured to allow HTTP/HTTPS only from the load balancer's security group (not from the internet directly) and SSH only from the internal IP range (203.0.113.0/24). The initial Nmap SYN scan against the EC2 instance's public IP failed because the instance's security group drops all inbound traffic not explicitly allowed, including SYN packets to port 22 from external IPs, making the host appear down. The TCP connect scan revealed ports 80 and 443 open because the load balancer forwards traffic to those ports on the instance, but the security group still blocks direct internet access to the instance's public IP for SSH, resulting in a filtered state.

The internal scan from another EC2 instance in the same VPC succeeded because the security group allows SSH from the internal IP range, and the private IP is reachable within the VPC.

Exam trap

The trap here is that candidates confuse the behavior of security groups (stateful, instance-level) with network ACLs (stateless, subnet-level) and incorrectly assume that a filtered port or unresponsive host must be due to a NACL blocking SYN packets, rather than recognizing that the security group's explicit deny of direct internet traffic to the instance's public IP causes the scan to fail.

How to eliminate wrong answers

Option A is wrong because a NAT gateway only handles outbound traffic from private instances to the internet; it does not block inbound traffic to an instance that has a public IP assigned, and the scenario confirms the EC2 instance has a public IP (since scans against it returned results). Option B is wrong because network ACLs are stateless and block or allow traffic based on rules, but they do not distinguish between SYN and ACK packets in a way that would allow a TCP connect scan (which uses SYN packets, not ACK) to bypass; additionally, the VPC's default NACL allows all inbound/outbound traffic, and custom NACLs would need explicit rules to block SYN packets, which is not indicated. Option D is wrong because the load balancer does perform destination NAT, but the initial scan targeted the EC2 instance's public IP (as stated in the scenario), not the load balancer's IP; the instance does have a public IP assigned, as evidenced by the successful TCP connect scan to ports 80 and 443 on that IP.

315
MCQeasy

Which of the following is a primary defense mechanism against Cross-Site Request Forgery (CSRF) attacks?

A.Input validation and output encoding
B.Enforcing CAPTCHA on all forms
C.Using SameSite cookies
D.Implementing CSRF tokens
AnswerD

CSRF tokens are the most common and effective defense against CSRF attacks.

Why this answer

CSRF tokens are unique, unpredictable values included in requests that the server validates to ensure the request is intentional. SameSite cookies help but are not the primary defense; CAPTCHA and input validation are not standard CSRF mitigations.

316
Multi-Selecthard

Which THREE of the following are valid DNS record types that an attacker might query during reconnaissance to gather information about a target domain? (Select 3)

Select 3 answers
A.FTP (file transfer)
B.A (IPv4 address)
C.NS (name server)
D.HTTP (hypertext transfer)
E.MX (mail exchange)
AnswersB, C, E

A records map hostnames to IP addresses, revealing the target's IP.

Why this answer

The A record maps a domain name to an IPv4 address, which is fundamental for locating a target server. During reconnaissance, querying A records reveals the IP address of the target domain, enabling further scanning and attack planning. This is a standard DNS query type defined in RFC 1035.

Exam trap

EC-Council often tests the distinction between DNS record types and application-layer protocols, so candidates mistakenly select FTP or HTTP because they are common network services, but they are not valid DNS resource records.

317
Multi-Selectmedium

Which THREE of the following are examples of OSINT techniques? (Choose 3)

Select 3 answers
A.Nmap version detection
B.Shodan search
C.Maltego graph analysis
D.Nessus vulnerability scan
E.Google dorking
AnswersB, C, E

Shodan is an OSINT search engine for devices.

Why this answer

Shodan is a search engine for internet-connected devices, allowing users to discover open ports, services, and banners without directly interacting with the target. This is a classic OSINT technique because it gathers publicly available information from external sources, not from active scanning of the target's own infrastructure.

Exam trap

EC-Council often tests the distinction between active and passive reconnaissance, and the trap here is that candidates confuse tools that can be used for both (like Nmap) with OSINT, forgetting that OSINT specifically excludes any direct interaction with the target system.

318
MCQmedium

A penetration tester uses the tool 'Pacu' during an assessment. Which of the following actions is Pacu designed to perform?

A.Exploit vulnerabilities in Azure cloud infrastructure
B.Automate penetration testing tasks in AWS environments
C.Perform network scanning and service enumeration
D.Crack WPA2 handshakes using dictionary attacks
AnswerB

Correct. Pacu is an AWS exploitation framework for testing and exploitation.

Why this answer

Pacu is an open-source AWS exploitation framework that allows security professionals to test the security of AWS environments. It can perform various attacks, such as IAM privilege escalation, S3 bucket enumeration, and metadata service exploitation.

319
Multi-Selecthard

Which THREE of the following are effective DDoS mitigation techniques? (Select 3)

Select 3 answers
A.Disabling TCP SYN cookies
B.Anycast network distribution
C.Scrubbing centers
D.Rate limiting
E.Using a single server with high bandwidth
AnswersB, C, D

Why this answer

Rate limiting restricts traffic volume, scrubbing centers filter malicious traffic, and anycast distributes traffic across multiple servers.

320
MCQmedium

A network administrator wants to prevent an attacker from using a network sniffer to capture traffic between a client and a web server. Which protocol should be enforced to encrypt all communication?

A.SNMP
B.FTP
C.HTTPS
D.HTTP
AnswerC

HTTPS encrypts data with TLS.

Why this answer

HTTPS (HTTP over TLS, RFC 2818) encrypts all communication between a client and a web server using TLS/SSL, preventing a network sniffer from capturing plaintext data such as cookies, URLs, or form submissions. This ensures confidentiality and integrity of the web traffic, directly countering passive eavesdropping attacks.

Exam trap

The trap here is that candidates often confuse encryption with authentication or assume that any protocol with 'secure' in its name (like SNMPv3) is suitable for web traffic, when the question specifically requires a protocol that encrypts client-to-web-server communication — only HTTPS directly fulfills that role.

How to eliminate wrong answers

Option A is wrong because SNMP (Simple Network Management Protocol) is used for managing and monitoring network devices, not for encrypting web traffic; its default versions (v1/v2c) send community strings in plaintext, and even SNMPv3 with encryption is irrelevant to client-server web communication. Option B is wrong because FTP (File Transfer Protocol) transmits data and credentials in cleartext, making it vulnerable to sniffing; it does not encrypt web traffic and is designed for file transfers, not web browsing. Option D is wrong because HTTP transmits data in plaintext, allowing any network sniffer to capture the entire request/response payload, including sensitive information like passwords and session tokens.

321
MCQhard

A web application uses an XML parser to process user-supplied XML documents. An attacker submits the following payload: <?xml version='1.0'?><!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]><root>&xxe;</root>. Which vulnerability is being exploited?

A.Server-Side Request Forgery (SSRF)
B.XPath injection
C.XML External Entity (XXE) injection
D.SQL injection
AnswerC

The attacker defines an external entity to read a local file, which is XXE.

Why this answer

The payload defines an external entity that reads a local file, which is classic XXE (XML External Entity) injection.

322
MCQmedium

A company's security team wants to deploy a DDoS mitigation technique that distributes incoming traffic across multiple servers in different geographic locations, making it harder for an attacker to overwhelm a single target. Which technique BEST fits this description?

A.Anycast network
B.Rate limiting
C.Load balancer
D.Scrubbing center
AnswerA

Anycast distributes traffic to multiple locations, mitigating volumetric attacks.

Why this answer

Anycast routing allows multiple servers to share the same IP address; traffic flows to the nearest server, distributing the load and absorbing DDoS attacks.

323
MCQhard

During a forensic investigation, an analyst finds that a malware sample uses a technique to detect if it is running in a sandbox by checking the number of CPU cores. The malware terminates execution if the core count is less than 2. Which anti-analysis technique is this?

A.Code obfuscation
B.Anti-debugging
C.Anti-VM / sandbox evasion
D.Packing
AnswerC

Checking for low resource counts is a common sandbox evasion technique.

Why this answer

Option C is correct because checking the number of CPU cores is a classic anti-VM/sandbox evasion technique. Virtual machines and sandboxes often allocate minimal resources (e.g., a single core) to remain lightweight, so malware uses this check to detect an analysis environment and terminate execution to avoid detection.

Exam trap

EC-Council often tests the distinction between anti-debugging and anti-VM techniques; the trap here is that candidates confuse resource-based checks (like CPU cores) with debugger detection, but anti-debugging specifically targets debugger artifacts, not hardware resource enumeration.

How to eliminate wrong answers

Option A is wrong because code obfuscation involves transforming code to make it harder to read or reverse-engineer (e.g., using junk code or control flow flattening), not checking hardware resources like CPU cores. Option B is wrong because anti-debugging techniques target debuggers (e.g., checking for IsDebuggerPresent or NtGlobalFlag), not the number of CPU cores. Option D is wrong because packing compresses or encrypts the executable to hide its original code, but does not involve runtime checks of system resources.

324
MCQmedium

During a web application penetration test, a tester uses Burp Suite's Repeater tool to manually manipulate a request and observe the response. After sending the same request multiple times, the application returns a 302 redirect pointing to a login page. What is the MOST likely cause?

A.The server is rate-limiting the requests
B.A cross-site request forgery (CSRF) token mismatch occurred
C.The session token has expired and the user must re-authenticate
D.The server detected the use of a proxy and blocked the request
AnswerC

After repeated requests without refreshing the session, the token may expire, causing a redirect to the login page.

Why this answer

A 302 redirect to a login page typically indicates that the session has expired or the tester's session is no longer valid. The application is redirecting to enforce authentication.

325
Multi-Selectmedium

Which TWO of the following are effective methods to prevent dumpster diving attacks? (Choose two.)

Select 2 answers
A.Storing all data on encrypted digital media only
B.Shredding sensitive documents before disposal
C.Using locked bins for discarded materials
D.Placing documents in recycling bins
E.Burning all discarded paper documents
AnswersB, C

Shredding renders documents unreadable.

Why this answer

Shredding sensitive documents before disposal (Option B) is effective because it physically destroys the information, making it impossible to reconstruct from discarded paper. This directly counters dumpster diving, where attackers retrieve documents to extract confidential data like passwords or network diagrams.

Exam trap

EC-Council often tests the misconception that any form of destruction (like burning) is equally acceptable, but the CEH exam emphasizes shredding and locked bins as the standard, practical controls, while burning is considered excessive and not a recommended baseline security practice.

326
MCQhard

An attacker gains physical access to a building by following an authorized employee through a secure door without using a badge. Which social engineering technique is being used?

A.Pretexting
B.Tailgating
C.Baiting
D.Quid pro quo
AnswerB

Tailgating is physically following someone through a secure entrance.

Why this answer

Tailgating is when an unauthorized person follows an authorized individual into a restricted area without consent. It is a physical security breach.

327
MCQmedium

A security analyst runs `nmap -sU -p 161,162 10.0.0.1` and receives output showing port 161/udp is open. Which service is MOST likely running on this port?

A.DHCP
B.SNMP
C.TFTP
D.DNS
AnswerB

SNMP uses UDP ports 161 (agent) and 162 (manager).

Why this answer

Port 161/udp is the default port for SNMP (Simple Network Management Protocol) used by SNMP agents to receive management queries (GET, SET) from SNMP managers. The `-sU` flag performs a UDP scan, and the open result on 161/udp strongly indicates an SNMP service is listening, as defined in RFC 1157.

Exam trap

The trap here is that candidates often confuse SNMP's port 161 with SNMP trap port 162 or misattribute it to other UDP-based services like DHCP or TFTP, but the scan specifically targets 161, which is exclusively SNMP.

How to eliminate wrong answers

Option A is wrong because DHCP uses ports 67/udp (server) and 68/udp (client), not 161 or 162. Option C is wrong because TFTP uses port 69/udp, not 161 or 162. Option D is wrong because DNS uses port 53/udp (and tcp), not 161 or 162.

328
MCQeasy

Which type of malware is characterized by encrypting a victim's files and demanding a ransom payment for the decryption key?

A.Spyware
B.Adware
C.Keylogger
D.Ransomware
AnswerD

Ransomware encrypts files and demands ransom.

Why this answer

Ransomware encrypts files and demands payment for decryption. Examples include CryptoLocker, WannaCry, and Locky.

329
Multi-Selecthard

Which THREE of the following are common attack vectors against IoT devices?

Select 3 answers
A.Container escape
B.Insecure protocols (e.g., MQTT, CoAP without encryption)
C.Firmware reversing and extraction of hardcoded secrets
D.TLS stripping attack
E.Default credentials
AnswersB, C, E

Insecure protocols allow eavesdropping and manipulation of communications.

Why this answer

Default credentials, insecure protocols (e.g., MQTT without TLS), and firmware reversing (to find hardcoded secrets) are common IoT attack vectors. TLS stripping is a network attack, and container escape is a cloud/container attack.

330
MCQmedium

Which of the following commands would a penetration tester use to enumerate SMB shares on a target Windows machine from a Linux system?

A.ldapsearch -x -h <IP>
B.smbclient -L //<IP> -N
C.snmpwalk -v2c -c public <IP>
D.nbtstat -A <IP>
AnswerB

-L lists shares, -N uses null session.

Why this answer

smbclient -L lists SMB shares on a remote server. It is a standard SMB enumeration tool.

331
MCQeasy

You are conducting a security assessment and need to map the network topology and identify routers, firewalls, and other network devices. Which technique is specifically designed to discover the path packets take to reach a destination and can reveal intermediate devices?

A.Traceroute
B.Banner grabbing
C.DNS enumeration
D.SNMP walk
AnswerA

Traceroute increments TTL to get ICMP time-exceeded messages from routers, revealing the path.

Why this answer

Traceroute is the correct technique because it is specifically designed to map the path packets take from a source to a destination by manipulating the Time-to-Live (TTL) field in IP headers. As each hop decrements the TTL, routers along the path send ICMP Time Exceeded messages (or UDP responses in some implementations), revealing their IP addresses and thus identifying intermediate devices like routers and firewalls.

Exam trap

The trap here is that candidates often confuse traceroute with ping (which only tests reachability and RTT, not hop-by-hop path discovery) or assume banner grabbing can reveal network topology, but only traceroute systematically identifies each intermediate device along the route.

How to eliminate wrong answers

Option B is wrong because banner grabbing is used to retrieve service banners (e.g., HTTP Server header, SSH version) from open ports to identify running services and versions, not to discover network path or intermediate devices. Option C is wrong because DNS enumeration is a technique to gather DNS records (e.g., A, MX, NS) and subdomains from a DNS server to map domain infrastructure, not to trace packet routes. Option D is wrong because an SNMP walk retrieves the entire Management Information Base (MIB) tree from an SNMP-enabled device to read configuration and performance data, not to discover the path packets take through the network.

332
MCQmedium

A security team wants to test their web application for vulnerabilities. Which Burp Suite tool is BEST suited for automating attacks like brute-force or fuzzing?

A.Proxy
B.Repeater
C.Intruder
D.Scanner
AnswerC

Intruder automates payload delivery for brute-force, fuzzing, etc.

Why this answer

Intruder is designed for automated customized attacks including brute-force, fuzzing, and credential stuffing.

333
MCQeasy

Which command-line tool is specifically designed to extract email addresses, subdomains, and other information from public sources (e.g., search engines, social media) for a given domain?

A.Metasploit
B.Nmap
C.theHarvester
D.Wireshark
AnswerC

theHarvester is designed for passive information gathering from public sources.

Why this answer

theHarvester is a dedicated open-source intelligence (OSINT) tool designed to gather emails, subdomains, IPs, and employee names from public sources such as Google, Bing, LinkedIn, and PGP key servers. It specifically targets a given domain and queries search engines and social media APIs to extract this reconnaissance data, making it the correct choice for this task.

Exam trap

The trap here is that candidates may confuse theHarvester with Nmap or Metasploit because all three are used in reconnaissance, but only theHarvester specializes in passive OSINT gathering from public sources rather than active scanning or exploitation.

How to eliminate wrong answers

Option A is wrong because Metasploit is a penetration testing framework focused on exploit development and payload delivery, not passive information gathering from public sources. Option B is wrong because Nmap is a network scanning tool that discovers live hosts and open ports via raw packet probes, not designed to extract email addresses or subdomains from search engines. Option D is wrong because Wireshark is a packet analyzer that captures and inspects network traffic at the data-link layer, not a tool for querying public sources for domain-related information.

334
Multi-Selectmedium

Which TWO of the following are valid techniques used in password spraying attacks? (Choose 2.)

Select 2 answers
A.Using previously compromised username/password pairs from a breach
B.Capturing keystrokes to obtain a user's password
C.Trying every possible password from a dictionary against a single username
D.Using a list of common passwords (e.g., 'Password123', 'Welcome1') against a large set of usernames
E.Attempting a single common password across multiple users, then trying the next common password
AnswersD, E

This is the essence of password spraying: try a few weak passwords on many accounts to avoid lockout.

Why this answer

Password spraying uses a few common passwords against many accounts to avoid lockouts. Credential stuffing uses known username/password pairs from breaches. Dictionary attack uses a list of words.

Brute force tries many passwords on one account. Keylogging is passive.

335
MCQhard

A security analyst is investigating a compromised Linux system. The /var/log/auth.log file appears to be truncated, and the timestamps on several binaries in /bin/ have been modified. Which of the following tools or techniques is the attacker MOST likely using to cover tracks?

A.Timestamp manipulation tool
B.Rootkit
C.Steganography
D.Log cleaner script
AnswerB

Rootkits replace system binaries and manipulate logs to hide the attacker's presence.

Why this answer

The attacker is most likely using a rootkit to cover tracks because rootkits are designed to hide malicious activity by intercepting system calls (e.g., via LD_PRELOAD or kernel modules) to hide processes, files, and network connections. The truncated auth.log and modified timestamps on binaries in /bin/ indicate the rootkit is actively tampering with system logs and file metadata to evade detection, which aligns with rootkit behavior rather than simpler tools.

Exam trap

The trap here is that candidates often confuse a simple log cleaner script (Option D) with the full capability of a rootkit, failing to recognize that only a rootkit can simultaneously hide processes, modify binary timestamps, and intercept log writes at the system call level.

How to eliminate wrong answers

Option A is wrong because timestamp manipulation tools (e.g., touch -t) can modify file timestamps but do not truncate logs or hide ongoing malicious activity; they are a one-off action, not a persistent concealment technique. Option C is wrong because steganography hides data within other files (e.g., images) and is unrelated to log truncation or binary timestamp modification; it is a data exfiltration or covert communication method, not a track-covering mechanism. Option D is wrong because a log cleaner script (e.g., logrotate abuse or sed on auth.log) can delete or truncate logs but cannot modify timestamps on system binaries or hide processes; it is a simpler tool that lacks the system-level interception capabilities of a rootkit.

336
MCQmedium

A penetration tester runs the following command: masscan 10.0.0.0/24 -p80,443,8080 --rate=10000. Compared to Nmap, what is the PRIMARY advantage of using Masscan for this scan?

A.Masscan can scan a large number of hosts and ports at very high speed
B.Masscan provides more detailed service version detection than Nmap
C.Masscan is stealthier than Nmap and less likely to be detected
D.Masscan can scan all 65535 ports faster than Nmap
AnswerA

Masscan's main advantage is its speed. It can scan large ranges quickly, as indicated by the high rate.

Why this answer

Masscan is designed for asynchronous, high-speed scanning, capable of transmitting packets at rates exceeding 10 million packets per second. In this command, the `--rate=10000` parameter sets a transmission rate of 10,000 packets per second, allowing it to scan the entire 10.0.0.0/24 subnet (256 hosts) for three ports in a fraction of the time Nmap would require. Nmap, while feature-rich, operates synchronously by default and cannot match Masscan's raw packet throughput for large-scale port scanning.

Exam trap

EC-Council often tests the misconception that Masscan is stealthier than Nmap, but in reality, its high packet rate makes it more detectable, and the trap here is that candidates confuse speed with stealth.

How to eliminate wrong answers

Option B is wrong because Masscan does not perform service version detection; it is a raw port scanner that only identifies open ports, whereas Nmap's `-sV` flag provides detailed service and version fingerprinting. Option C is wrong because Masscan is not inherently stealthier; its high-speed, asynchronous scanning often generates more conspicuous traffic patterns and can trigger IDS/IPS alerts more easily than Nmap's slower, more deliberate scans. Option D is wrong because while Masscan can scan all 65535 ports faster than Nmap, the question specifically asks about the PRIMARY advantage for the given command (which targets only three ports), and the core advantage is its high-speed scanning capability across many hosts, not just port range coverage.

337
MCQhard

During a penetration test, the tester finds that the Apache server is configured with directory listing enabled on the /uploads directory. The tester navigates to http://example.com/uploads/ and sees a list of files. Which of the following is the MOST immediate security concern?

A.Sensitive files may be exposed to unauthorized users
B.The server is running an outdated version of Apache
C.The server is vulnerable to cross-site scripting (XSS) attacks
D.An attacker can upload malicious files to the directory
AnswerA

Directory listing can expose file names and allow access to sensitive files if they are not protected.

Why this answer

Directory listing exposes file names that may reveal sensitive information (e.g., backup files, config files). Attackers can then attempt to access these files directly, potentially leading to data disclosure.

338
MCQmedium

An attacker has gained access to a system and wants to erase evidence of their activities. Which of the following actions is MOST effective for covering tracks on a Windows system?

A.Disabling the Windows Firewall
B.Installing a rootkit
C.Clearing the Security event log
D.Changing the administrator password
AnswerC

Event logs contain evidence of logins and activities.

Why this answer

Clearing the Security event log (C) is the most effective action for covering tracks on a Windows system because it removes all logged security events, such as logon attempts, privilege use, and audit failures, which are the primary records that would reveal an attacker's activities. The Security log is maintained by the Windows Event Log service and is the default location for audit records under the Local Security Policy; deleting it eliminates forensic evidence of unauthorized access or changes.

Exam trap

EC-Council often tests the distinction between covering tracks (erasing evidence) and maintaining access or evading detection; the trap here is that candidates confuse installing a rootkit (which hides ongoing activity) with clearing logs (which removes past evidence), leading them to choose B instead of C.

How to eliminate wrong answers

Option A is wrong because disabling the Windows Firewall does not erase existing evidence of an attack; it only removes a network defense layer, which may actually draw attention by breaking connectivity or triggering alerts. Option B is wrong because installing a rootkit is a method for maintaining persistent access and hiding files/processes, not for erasing existing logs or evidence; it does not clear the Security event log and may itself be detected by advanced anti-rootkit tools. Option D is wrong because changing the administrator password does not delete any logged events; it only prevents the original administrator from logging in, but the Security log still contains records of the attacker's previous actions.

339
MCQhard

A security analyst observes the following in a packet capture: a single source IP sends a large number of ICMP echo request packets to the broadcast address of a subnet, with the source IP spoofed to be the target victim. Which type of attack is being executed?

A.Smurf attack
B.SYN flood
C.Ping of Death
D.ICMP flood
AnswerA

Correct. Smurf uses broadcast amplification and spoofed source IP to flood the victim.

Why this answer

A Smurf attack sends ICMP echo requests to a broadcast address with the victim's spoofed source IP, causing all hosts on the subnet to reply to the victim, overwhelming it.

340
Multi-Selecthard

Which THREE of the following are common indicators of a Server-Side Request Forgery (SSRF) vulnerability? (Select 3)

Select 3 answers
A.The server returns data from internal services like http://localhost/ or http://192.168.x.x/
B.The application supports file:// or dict:// URL schemes in user input
C.The application reflects user input in the page source without encoding
D.The application accepts a URL parameter that is fetched by the server
E.The server responds with a different delay when a URL is provided versus a non-URL input
AnswersA, B, D

Responses containing data from internal IPs indicate the server made requests to internal resources.

Why this answer

SSRF often involves requests to internal IPs or services, use of URL schemas like file://, and responses including internal data.

341
MCQhard

During a penetration test, you gain initial access to a Linux server as a low-privileged user. The target runs a vulnerable SUID binary owned by root. Which of the following is the MOST effective method to escalate privileges?

A.Perform an SMTP VRFY attack to enumerate users
B.Exploit the SUID binary to execute commands as root
C.Use enum4linux to enumerate SMB shares
D.Run 'sudo -l' to list sudo privileges
AnswerB

Exploiting a vulnerable SUID binary is a direct privilege escalation vector.

Why this answer

Option C is correct. Exploiting a vulnerable SUID binary is a classic privilege escalation technique that allows a low-privileged user to run the binary with root privileges.

342
MCQmedium

A penetration tester discovers a Linux server with the SUID bit set on the 'find' command. How could this be exploited for privilege escalation?

A.By using 'find' to delete log files
B.By using 'find' to search for files owned by root
C.By using 'find' to mount a remote share
D.By running 'find / -exec /bin/sh \;' to spawn a root shell
AnswerD

If find has SUID root, the -exec option runs commands with root privileges, spawning a root shell.

Why this answer

When the SUID bit is set on the 'find' command, it executes with the privileges of the file owner (typically root). The '-exec' option allows arbitrary command execution. Running 'find / -exec /bin/sh \;' spawns a shell with root privileges, enabling full system compromise.

Exam trap

The trap here is that candidates may think SUID only applies to obvious binaries like 'passwd' or 'sudo', but CEH tests the lesser-known fact that any binary with SUID and command execution capability (like 'find' with '-exec') can be exploited for privilege escalation.

How to eliminate wrong answers

Option A is wrong because deleting log files does not leverage the SUID bit for privilege escalation; it only removes audit trails and does not grant elevated privileges. Option B is wrong because searching for files owned by root is a normal operation that does not exploit the SUID bit to gain a root shell. Option C is wrong because 'find' does not have built-in functionality to mount remote shares; mounting requires the 'mount' command or similar utilities, and the SUID bit on 'find' does not enable network filesystem mounting.

343
MCQhard

During a penetration test, an analyst uses enum4linux with the -a flag against a target. Which of the following is the MOST comprehensive set of information that can be obtained?

A.Only the domain admins and local admins
B.User list, share list, OS information, password policy, and group memberships
C.Only the SMB shares and open sessions
D.Only the NetBIOS name table
AnswerB

-a performs all enumeration functions.

Why this answer

enum4linux with the -a flag performs a comprehensive enumeration against a target, leveraging SMB, RPC, and NetBIOS over TCP/IP. It retrieves user lists, share lists, OS information, password policy details, and group memberships by querying the remote Windows system via SMB RPC calls (e.g., SAMR, LSA, SRVSVC). This makes it the most complete set of information obtainable from a single command, as the -a flag essentially runs all available enumeration modules.

Exam trap

The trap here is that candidates often assume enum4linux -a only retrieves shares or NetBIOS data, underestimating its full scope of SMB/RPC-based enumeration that includes users, groups, OS details, and password policy.

How to eliminate wrong answers

Option A is wrong because enum4linux -a retrieves far more than just domain admins and local admins; it enumerates all users, groups, shares, OS details, and password policy, not just administrative accounts. Option C is wrong because enum4linux -a does not limit itself to SMB shares and open sessions; it also retrieves user lists, OS information, password policy, and group memberships, making this option incomplete. Option D is wrong because enum4linux -a goes well beyond the NetBIOS name table; it performs deep SMB and RPC enumeration, including user and share enumeration, which is not captured by NetBIOS alone.

344
MCQhard

During an internal penetration test, you are tasked with enumerating services on a target server. You run a full TCP port scan and find that ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open. You then perform version detection on these ports. Which additional enumeration step would provide the most valuable information for identifying potential vulnerabilities?

A.Perform banner grabbing on port 22 to identify the SSH version.
B.Perform SNMP enumeration to gather system information.
C.Attempt a DNS zone transfer from the server.
D.Enumerate NetBIOS names using `nbtstat`.
AnswerA

SSH version information can reveal outdated versions with known exploits.

Why this answer

Banner grabbing on port 22 (SSH) is the most valuable next step because it directly identifies the SSH server version (e.g., OpenSSH 7.4). Knowing the exact version allows you to cross-reference known vulnerabilities (CVEs) for that specific SSH implementation, which is a common high-risk attack vector during internal penetration tests. While version detection already identified the service, banner grabbing can reveal additional details like patch levels or configuration quirks that version detection might miss.

Exam trap

EC-Council often tests the misconception that SNMP, DNS zone transfers, or NetBIOS enumeration are universally applicable, but the trap here is that these techniques only work when the corresponding services are actually running and accessible — the question explicitly limits open ports to 22, 80, and 443, so only banner grabbing on those ports is directly actionable.

How to eliminate wrong answers

Option B is wrong because SNMP enumeration requires SNMP (UDP ports 161/162) to be open, and the scan only found TCP ports 22, 80, and 443 — no SNMP service was detected, so this step would fail or provide no useful data. Option C is wrong because DNS zone transfer requires a DNS server (typically port 53) to be present and configured to allow transfers; the target server does not have DNS open, so this attempt would be irrelevant. Option D is wrong because NetBIOS enumeration (using nbtstat) relies on NetBIOS over TCP/IP (ports 137-139, 445), which are not open on the target; this technique is only applicable to Windows systems with NetBIOS enabled, not to a server with only SSH, HTTP, and HTTPS.

345
MCQeasy

Which of the following tools is specifically designed to automate the exploitation of SQL injection vulnerabilities and retrieve data from databases?

A.Metasploit
B.Nmap
C.Burp Suite
D.SQLMap
AnswerD

SQLMap is the industry-standard tool for automated SQL injection.

Why this answer

SQLMap is an open-source tool that automates detection and exploitation of SQL injection flaws.

346
MCQmedium

A security analyst observes a web application returning database error messages containing table names and column names in the HTTP response. Which type of SQL injection is MOST likely being exploited?

A.Blind SQL injection (boolean-based)
B.Union-based SQL injection
C.Error-based SQL injection
D.Out-of-band SQL injection
AnswerC

Error-based SQL injection uses database error messages to extract information.

Why this answer

Error-based SQL injection (in-band) relies on error messages from the database to extract information. The presence of database details in errors indicates error-based injection.

347
Multi-Selectmedium

Which TWO of the following are effective defenses against Cross-Site Request Forgery (CSRF) attacks? (Select 2)

Select 2 answers
A.Using anti-CSRF tokens
B.Setting the SameSite attribute on cookies
C.Enabling HTTP Strict Transport Security (HSTS)
D.Implementing input validation on all user inputs
E.Using Content Security Policy (CSP) headers
AnswersA, B

Tokens are a primary defense.

Why this answer

CSRF tokens are unique per request and validated server-side. SameSite cookies restrict cookie sending to same-site requests.

348
MCQmedium

Refer to the exhibit. A web server log shows requests from a single IP. Which vulnerability is being exploited?

A.Directory traversal
B.Cross-site scripting (XSS)
C.Remote file inclusion (RFI)
D.SQL injection
AnswerA

The requests use '../' to traverse directories and access files like /etc/passwd and SAM, which is classic directory traversal.

349
MCQmedium

During a web application penetration test, a tester submits a comment containing '<script>alert("XSS")</script>' and the script executes for all users who view the comment. Which type of cross-site scripting (XSS) vulnerability is present?

A.Blind XSS
B.Reflected XSS
C.DOM-based XSS
D.Stored (persistent) XSS
AnswerD

The script is stored and executed for all users, indicating stored XSS.

Why this answer

Stored (persistent) XSS occurs when the injected script is permanently stored on the server (e.g., in a database) and executed for every user who accesses that content.

350
MCQmedium

An attacker uses the following URL pattern to access files: http://example.com/../../etc/passwd. Which attack is being attempted?

A.Command injection
B.Local file inclusion (LFI)
C.Directory traversal
D.Remote file inclusion (RFI)
AnswerC

The use of ../ is characteristic of directory traversal attacks.

Why this answer

Directory traversal (path traversal) uses ../ sequences to access files outside the web root.

351
Multi-Selectmedium

Which TWO of the following are examples of passive OS fingerprinting techniques? (Select 2)

Select 2 answers
A.Performing a SYN scan on the target
B.Analyzing the initial TTL value of received IP packets
C.Sending a series of TCP packets with different flags and analyzing responses
D.Inspecting the TCP window size in SYN packets
E.Using the telnet command to connect to port 80
AnswersB, D

Different OSes use default TTL values; observing this helps identify the OS passively.

Why this answer

Option B is correct because passive OS fingerprinting involves observing network traffic without sending any packets to the target. Analyzing the initial TTL value of received IP packets is a classic passive technique: different operating systems set specific default TTL values (e.g., Windows uses 128, Linux uses 64, Cisco IOS uses 255), allowing an attacker to infer the OS without direct interaction.

Exam trap

The trap here is that candidates confuse passive fingerprinting (observing existing traffic) with active fingerprinting (sending crafted packets), leading them to select options like SYN scans or flag-based probes as passive techniques.

352
Multi-Selecthard

Which THREE of the following are valid methods to prevent a downgrade attack on TLS? (Select 3)

Select 3 answers
A.Disable TLS 1.0 and 1.1 on the server
B.Use the TLS_FALLBACK_SCSV cipher suite
C.Use self-signed certificates to avoid CA trust issues
D.Enforce a minimum TLS version of 1.2 in server configuration
E.Disable all cipher suites except those using RC4
AnswersA, B, D

Prevents downgrade to vulnerable versions.

Why this answer

Disabling older TLS versions, enforcing TLS 1.2+, and using TLS_FALLBACK_SCSV prevent downgrade; disabling cipher suites does not prevent downgrade directly; using self-signed certificates increases risk.

353
MCQhard

Refer to the exhibit. An ethical hacker runs the shown Nmap scan against a target. Which port state indicates that the port is reachable but no service is listening?

A.open
B.closed
C.filtered
D.unfiltered
AnswerB

Closed means reachable but no service listening.

Why this answer

Option B is correct because a 'closed' port in Nmap indicates that the target host responded with a TCP RST (Reset) packet, meaning the port is reachable and the host is alive, but no application is listening on that port. This state confirms the port is accessible (not filtered by a firewall) yet no service is bound to it.

Exam trap

The trap here is that candidates often confuse 'closed' with 'filtered' or 'unfiltered', not realizing that a closed port specifically means the host responded with a TCP RST, proving reachability without a listening service.

How to eliminate wrong answers

Option A is wrong because an 'open' port means a service is actively listening and has responded with a SYN-ACK, not that no service is listening. Option C is wrong because 'filtered' means Nmap cannot determine if the port is open or closed due to packet filtering (e.g., firewall dropping probes), so the port may or may not be reachable. Option D is wrong because 'unfiltered' means the port is reachable but Nmap cannot determine its open/closed state (e.g., from an ACK scan), not that no service is listening.

354
MCQeasy

Which password cracking technique involves trying every possible combination of characters until the correct password is found?

A.Rainbow table attack
B.Dictionary attack
C.Brute force attack
D.Hybrid attack
AnswerC

Correct. Brute force tries all possible combinations.

Why this answer

A brute force attack systematically tries every possible combination of characters from a defined character set (e.g., lowercase, uppercase, digits, special symbols) until the correct password is found. This method guarantees eventual success but is computationally expensive and time-consuming, especially for long or complex passwords. It is the most exhaustive form of password cracking, as it does not rely on any precomputed data or wordlists.

Exam trap

The trap here is that candidates often confuse 'brute force' with 'dictionary attack' because both involve guessing passwords, but the key distinction is that brute force exhaustively tries all combinations while dictionary attacks rely on a precompiled list of likely passwords.

How to eliminate wrong answers

Option A is wrong because a rainbow table attack uses precomputed hash chains to reverse cryptographic hash functions, not by trying every possible character combination. Option B is wrong because a dictionary attack uses a predefined list of likely passwords (e.g., common words, leaked passwords) rather than exhaustive character-by-character guessing. Option D is wrong because a hybrid attack combines dictionary words with common mutations (e.g., appending numbers or symbols) but does not attempt every possible combination of characters.

355
MCQhard

Which cryptographic algorithm is vulnerable to a birthday attack on its hash output size of 128 bits, reducing the effective security to 64 bits against collision resistance?

A.SHA-256
B.SHA-1
C.MD5
D.RC4
AnswerC

MD5 output is 128 bits, birthday attack complexity ~2^64.

Why this answer

MD5 produces 128-bit hashes. Birthday attack complexity for collision is 2^(n/2) = 2^64 for n=128. SHA-1 is 160-bit, SHA-256 is 256-bit, RC4 is a stream cipher not a hash.

356
MCQhard

An application allows users to upload XML files for processing. A tester uploads the following payload: <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>. The server returns the contents of /etc/passwd. Which attack is being performed?

A.XML External Entity (XXE) injection
B.SQL injection
C.Cross-Site Scripting (XSS)
D.Server-Side Request Forgery (SSRF)
AnswerA

The DOCTYPE and entity declaration are classic XXE, and the file read confirms it.

Why this answer

This is an XML External Entity (XXE) injection attack, where an external entity is defined to read a local file. The server's XML parser processes the entity and reflects the file content, confirming the vulnerability.

357
Multi-Selecthard

Which THREE of the following Nmap flags are commonly used for evasion techniques? (Select 3)

Select 3 answers
A.-f
B.-D
C.--mtu
D.-O
E.-sV
AnswersA, B, C

Fragmenting packets can help evade simple IDS/firewall rules.

Why this answer

The -f flag fragments the probe packets into smaller 8-byte fragments (or less, depending on the MTU). This helps evade simple packet-filtering firewalls and intrusion detection systems that do not reassemble fragments before applying rules, as the fragmented headers may bypass signature-based detection.

Exam trap

EC-Council often tests the distinction between scanning techniques (like -O and -sV) and evasion techniques (like -f, -D, --mtu), so candidates mistakenly select -O or -sV because they are common Nmap flags, even though they serve reconnaissance, not evasion.

358
MCQmedium

An employee receives an email that appears to be from the company's CEO, requesting an urgent wire transfer to a vendor. The email address is slightly different from the CEO's actual address. Which type of social engineering attack is this?

A.Phishing
B.Vishing
C.Whaling
D.Spear phishing
AnswerC

Whaling targets senior executives with personalized attacks.

Why this answer

Whaling is a spear-phishing attack targeting senior executives, often with requests for wire transfers or sensitive information.

359
MCQmedium

Which of the following Nmap flags would an attacker use to evade IDS by sending fragmented IP packets?

A.-D
B.-g
C.-sS
D.-f
AnswerD

-f causes packet fragmentation to evade detection.

Why this answer

The -f flag in Nmap instructs the tool to fragment the transmitted packets into smaller pieces (typically 8-byte fragments). This fragmentation is used to evade Intrusion Detection Systems (IDS) that rely on signature matching against complete, unfragmented packets, as the IDS may not reassemble the fragments before inspection or may fail to detect the malicious payload when spread across multiple fragments.

Exam trap

The trap here is that candidates often confuse the -f flag with the -D (decoy) flag, thinking both are used for evasion, but -f specifically targets packet fragmentation to bypass IDS, while -D hides the source IP.

How to eliminate wrong answers

Option A (-D) is wrong because the -D flag is used for decoy scanning, which spoofs multiple source IP addresses to hide the attacker's real IP, not to fragment packets. Option B (-g) is wrong because the -g flag sets a custom source port number for the scan, often to bypass firewall rules that allow traffic from specific ports (e.g., port 53 for DNS), and has nothing to do with fragmentation. Option C (-sS) is wrong because -sS performs a TCP SYN stealth scan, which sends SYN packets without completing the handshake to avoid connection logging, but it does not involve IP fragmentation.

360
MCQhard

An analyst detects an SMB enumeration attempt in network logs. Which of the following tools would MOST likely generate such traffic?

A.nmap -sT 192.168.1.1
B.enum4linux 192.168.1.1
C.snmpwalk -v 2c 192.168.1.1
D.ldapsearch -h 192.168.1.1
AnswerB

enum4linux performs extensive SMB enumeration.

Why this answer

Option B is correct. enum4linux is a tool specifically designed for SMB enumeration on Linux systems, often used to enumerate shares, users, and OS information.

361
MCQhard

Refer to the exhibit. A security analyst checks for missing patches. Which vulnerability is this system likely exposed to?

A.EternalBlue (MS17-010)
B.BlueKeep (CVE-2019-0708)
C.ZeroLogon (CVE-2020-1472)
D.PrintNightmare (CVE-2021-34527)
AnswerD

Not patched as of the exhibited patch dates (2020).

Why this answer

The system is Windows 10 build 19041 (2004) with patches up to 9/17/2020. EternalBlue (MS17-010) was patched in 2017, so it is likely patched. However, BlueKeep (CVE-2019-0708) affects older systems (Windows 7/2008 R2), not Windows 10.

ZeroLogon (CVE-2020-1472) was patched in August 2020; the system has KB4577586 from 9/8/2020 which includes the fix. PrintNightmare (CVE-2021-34527) was disclosed in 2021, after the patch dates shown, so the system is likely vulnerable to PrintNightmare.

362
MCQmedium

During a web application test, a penetration tester intercepts a request using Burp Suite Proxy, modifies the 'Referer' header, and resends the request. The application processes the request despite the modified header. Which attack is the tester attempting to validate?

A.Server-Side Request Forgery (SSRF)
B.Cross-Site Scripting (XSS)
C.Cross-Site Request Forgery (CSRF)
D.SQL injection
AnswerC

CSRF defenses sometimes check the Referer header; modifying it tests this defense.

Why this answer

CSRF (Cross-Site Request Forgery) attacks often rely on the Referer header for validation. By modifying it, the tester checks if the application validates the header. If the request is processed, the application is vulnerable to CSRF.

363
MCQhard

During a cloud penetration test, you discover an S3 bucket that allows listing objects. You find a file named 'config.json' that contains an IAM access key and secret key. Which of the following is the BEST next step?

A.Delete the bucket to prevent further data exposure
B.Use the keys to call sts:GetCallerIdentity and then enumerate permissions via IAM
C.Download all objects from the bucket and exfiltrate them
D.Immediately rotate the keys in the AWS console
AnswerB

This validates the keys and determines what actions they allow, a standard post-exploitation step.

Why this answer

The correct action is to use the discovered credentials to enumerate permissions via the AWS CLI, as they may grant further access.

364
MCQmedium

A security analyst receives an alert about a scan originating from an IP address that appears to be using a 'sIdle scan' technique. Which of the following characteristics would confirm this?

A.The scan uses fragmented packets and decoy IP addresses
B.The scan uses FTP bounce to hide the true source IP
C.The scan sends SYN packets with the zombie host's IP address as the source and monitors IPID changes on the zombie to determine open ports
D.The scan shows a SYN packet with the attacker's real IP but uses a zombie host to relay replies
AnswerC

This correctly describes the idle scan technique: spoofing the zombie's IP and observing IPID increments to infer port states.

Why this answer

Option C is correct because an idle scan (also known as a zombie scan) relies on sending SYN packets to the target with the spoofed source IP address of a zombie host, then monitoring the IPID sequence on that zombie to infer whether the target port is open, closed, or filtered. The key characteristic is the use of the zombie's IP as the source and the observation of IPID changes on the zombie, which is exactly what option C describes.

Exam trap

The trap here is that candidates often confuse the idle scan with other spoofing or relay techniques like FTP bounce or decoy scans, but the idle scan is uniquely defined by the use of a zombie host's IPID changes to infer port states, not by hiding the attacker's IP via relays or multiple decoys.

How to eliminate wrong answers

Option A is wrong because fragmented packets and decoy IP addresses are features of a fragmented scan or a decoy scan, not an idle scan; idle scan does not use fragmentation or multiple decoy IPs. Option B is wrong because FTP bounce is a separate technique that uses an FTP server to relay traffic and hide the true source, but it does not involve monitoring IPID changes on a zombie host. Option D is wrong because an idle scan does not send SYN packets with the attacker's real IP; the attacker's IP is never used in the probe packets—the zombie's IP is used as the source, and the zombie does not relay replies; instead, the attacker monitors the zombie's IPID to infer port states.

365
MCQeasy

Which of the following tools is specifically designed for high-speed port scanning across large address spaces?

A.Masscan
B.Zenmap
C.hping3
D.Nmap
AnswerA

Masscan is designed for high-speed scanning, capable of millions of packets per second.

Why this answer

Masscan is specifically designed for high-speed port scanning across large address spaces, capable of transmitting packets at rates exceeding 10 million packets per second. It achieves this by using asynchronous transmission and a custom TCP/IP stack, making it ideal for scanning the entire IPv4 internet or massive subnets in minutes, unlike general-purpose scanners that prioritize accuracy over raw speed.

Exam trap

The trap here is that candidates often assume Nmap is the fastest scanning tool because of its popularity and extensive feature set, but Masscan is explicitly engineered for raw speed at the cost of some accuracy, which is the key differentiator tested in this question.

How to eliminate wrong answers

Option B (Zenmap) is wrong because it is merely a graphical front-end for Nmap, not a standalone high-speed scanner; it inherits Nmap's slower, more thorough scanning approach. Option C (hping3) is wrong because it is a packet crafting and testing tool focused on custom packet generation and firewall testing, not optimized for high-speed port scanning across large address spaces. Option D (Nmap) is wrong because while it is a powerful and versatile scanner, it is designed for detailed, reliable scans with features like service detection and OS fingerprinting, and its default scanning methods are significantly slower than Masscan's asynchronous approach.

366
MCQeasy

In the context of system hacking methodology (CHPSET), which phase involves removing evidence of the attacker's activities from logs and system files?

A.Spying
B.Privilege escalation
C.Erasing tracks
D.Cracking passwords
AnswerC

Erasing tracks covers evidence.

Why this answer

Erasing tracks is the final phase where attackers cover their tracks by manipulating logs, deleting files, or using rootkits.

367
MCQeasy

A system administrator wants to enumerate all users in an Active Directory domain. Which protocol and query technique should they use?

A.SNMP with public community string
B.SMB null session
C.SMTP VRFY
D.LDAP anonymous query
AnswerD

LDAP can query directory services like AD; anonymous queries may reveal basic user info if not restricted.

Why this answer

Option D is correct because LDAP anonymous queries allow unauthenticated users to query an Active Directory domain for directory information, including user enumeration. By default, AD permits anonymous LDAP binds to retrieve attributes like sAMAccountName, userPrincipalName, and group memberships, making it a standard technique for enumerating users without credentials.

Exam trap

The trap here is that candidates often confuse SMB null sessions (a deprecated attack) with LDAP anonymous queries (a current, often-valid technique), or they mistakenly think SMTP VRFY is relevant to domain user enumeration instead of email address verification.

How to eliminate wrong answers

Option A is wrong because SNMP with a public community string is used for reading device configuration and statistics, not for enumerating Active Directory users; it targets network devices, not domain user objects. Option B is wrong because SMB null sessions were a legacy Windows vulnerability that allowed unauthenticated access to shares and user lists, but this has been disabled by default since Windows 2003 SP1 and is not a reliable modern enumeration technique. Option C is wrong because SMTP VRFY is used to verify email addresses on a mail server, not to enumerate Active Directory users; it operates at the application layer for email routing, not directory services.

368
MCQeasy

A security team is implementing measures to prevent cross-site request forgery (CSRF) attacks. Which of the following is the most effective mitigation technique?

A.Enabling SSL/TLS
B.Using HTTP GET for all form submissions
C.Implementing CSRF tokens
D.Using input validation
AnswerC

CSRF tokens are the standard defense against CSRF attacks.

Why this answer

CSRF tokens are unique, unpredictable values that must be included in state-changing requests, ensuring the request originated from the legitimate site.

369
MCQeasy

An attacker attempts to log into a web application by trying many common passwords for a list of known usernames. Which type of authentication attack is this?

A.Dictionary attack
B.Credential stuffing
C.Password spraying
D.Brute force attack
AnswerC

Password spraying uses a few common passwords across many accounts.

Why this answer

Password spraying involves using a few common passwords against many usernames to avoid account lockouts, as opposed to brute force (many passwords on one account) or credential stuffing (using known username/password pairs).

370
MCQhard

A security team finds that a web application accepts a user-supplied URL and fetches it server-side without validation. The application runs on AWS EC2 with a metadata endpoint at 169.254.169.254. Which attack is MOST likely to succeed?

A.SQL injection
B.Server-Side Request Forgery (SSRF)
C.Remote file inclusion (RFI)
D.Cross-site scripting (XSS)
AnswerB

SSRF allows the attacker to make the server request internal resources like the metadata endpoint.

Why this answer

SSRF (Server-Side Request Forgery) occurs when an application fetches a user-controlled URL. By supplying the metadata endpoint, an attacker can retrieve IAM credentials, making this the most likely attack.

371
Multi-Selecteasy

Which TWO of the following are characteristics of symmetric encryption? (Select two)

Select 2 answers
A.Uses a single shared key for encryption and decryption
B.Faster than asymmetric encryption
C.Slower than asymmetric encryption
D.Provides non-repudiation
E.Uses a pair of public and private keys
AnswersA, B

The same key is used by both parties.

Why this answer

Symmetric encryption uses a single shared key for both encryption and decryption, and is generally faster than asymmetric.

372
MCQhard

A security analyst discovers that a containerized application running in a cloud environment can access the host's file system by mounting /var/run/docker.sock inside the container. Which type of attack does this configuration enable?

A.Server-Side Request Forgery (SSRF)
B.Privilege escalation within the container only
C.Container escape to the host
D.Denial-of-Service (DoS) attack against the container runtime
AnswerC

Correct. Access to the Docker socket allows full control over the host's Docker daemon, enabling container escape.

Why this answer

Mounting the Docker socket inside a container allows the container to communicate with the Docker daemon on the host, potentially allowing the attacker to create new containers, escape the container, and execute commands on the host.

373
MCQmedium

A security analyst notices that the ARP cache on a workstation contains multiple entries for the same IP address with different MAC addresses. Which attack is likely occurring?

A.ARP poisoning
B.Session hijacking
C.DNS spoofing
D.MAC flooding
AnswerA

ARP poisoning causes multiple MAC entries for one IP due to forged ARP replies.

Why this answer

Multiple MAC addresses for one IP in the ARP cache is a sign of ARP spoofing/poisoning, where an attacker sends forged ARP replies to associate their MAC with the victim's IP.

374
MCQmedium

A security team discovers a file named 'svchost.exe' in a user's Temp folder. The file is signed by 'Microsoft Corporation' but the digital signature validation fails. Which analysis method should be used FIRST to determine if it's malicious?

A.Upload to VirusTotal
B.Dynamic analysis in a sandbox
C.Static analysis using strings and PEiD
D.Run the file on a production system to observe behavior
AnswerC

Correct. Static analysis can reveal suspicious strings, packed executables, or invalid signatures without execution.

Why this answer

Static analysis (e.g., examining strings, digital signatures, PE headers) is the first step because it is safe and can quickly identify suspicious indicators without executing the file.

375
MCQhard

During an assessment, a tester discovers that the web application accepts XML input and returns the parsed data. The tester submits the following payload: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>. The response contains the contents of /etc/passwd. This vulnerability is known as:

A.Local File Inclusion (LFI)
B.Server-Side Request Forgery (SSRF)
C.XML External Entity (XXE) Injection
D.SQL injection
AnswerC

XXE exploits XML parsers to read files or perform SSRF.

Why this answer

The payload defines an external entity that reads a local file, a classic XXE (XML External Entity) injection.

Page 4

Page 5 of 14

Page 6