' and the…","url":"https://courseiva.com/questions/ec-council/ec-ceh/during-a-web-application-penetration-test-a-tester-submits-ugc94"},{"@type":"ListItem","position":350,"name":"An attacker uses the following URL pattern to access files: http://example.com/../../etc/passwd. Which attack is being a…","url":"https://courseiva.com/questions/ec-council/ec-ceh/an-attacker-uses-the-following-url-pattern-to-access-files-a4r3c"},{"@type":"ListItem","position":351,"name":"Which TWO of the following are examples of passive OS fingerprinting techniques? (Select 2)","url":"https://courseiva.com/questions/ec-council/ec-ceh/which-two-of-the-following-are-examples-of-passive-os-finger-onr3q"},{"@type":"ListItem","position":352,"name":"Which THREE of the following are valid methods to prevent a downgrade attack on TLS? (Select 3)","url":"https://courseiva.com/questions/ec-council/ec-ceh/which-three-of-the-following-are-valid-methods-to-prevent-a-py91u"},{"@type":"ListItem","position":353,"name":"Refer to the exhibit. An ethical hacker runs the shown Nmap scan against a target. Which port state indicates that the p…","url":"https://courseiva.com/questions/ec-council/ec-ceh/refer-to-the-exhibit-an-ethical-hacker-runs-the-shown-nmap-etlqk"},{"@type":"ListItem","position":354,"name":"Which password cracking technique involves trying every possible combination of characters until the correct password is…","url":"https://courseiva.com/questions/ec-council/ec-ceh/which-password-cracking-technique-involves-trying-every-poss-51cgo"},{"@type":"ListItem","position":355,"name":"Which cryptographic algorithm is vulnerable to a birthday attack on its hash output size of 128 bits, reducing the effec…","url":"https://courseiva.com/questions/ec-council/ec-ceh/which-cryptographic-algorithm-is-vulnerable-to-a-birthday-at-bsu7u"},{"@type":"ListItem","position":356,"name":"An application allows users to upload XML files for processing. A tester uploads the following payload:
Which THREE of the following are common countermeasures to prevent DNS zone transfers from being abused? (Choose THREE.)
Select 3 answers
A.Enable DNS recursion on the name server
B.Restrict zone transfers to only specific authorized secondary name servers
C.Implement split DNS (internal vs external views)
D.Use Transaction Signatures (TSIG) to authenticate zone transfer requests
E.Configure the name server to allow zone transfers from any host
AnswersB, C, D
Limits who can request a zone transfer.
Why this answer
Option B is correct because restricting zone transfers to only specific authorized secondary name servers prevents unauthorized hosts from requesting a full copy of the DNS zone data. This is a fundamental access control measure that limits the AXFR query to trusted IP addresses, thereby mitigating information leakage during reconnaissance.
Exam trap
The trap here is that candidates often confuse enabling recursion (Option A) with a security measure, when in fact recursion is unrelated to zone transfer control and can introduce other vulnerabilities.
Which Nmap flag is used to perform a TCP SYN scan without completing the three-way handshake?
A.-sS
B.-sT
C.-sU
D.-sA
AnswerA
-sS is the SYN stealth scan.
Why this answer
The -sS flag instructs Nmap to perform a TCP SYN scan, which sends a SYN packet to the target port and, upon receiving a SYN/ACK response, sends an RST packet instead of completing the three-way handshake with an ACK. This allows the scanner to determine port states without establishing a full TCP connection, making it faster and less detectable than a full connect scan.
Exam trap
The trap here is that candidates often confuse -sS (SYN scan) with -sT (TCP connect scan), mistakenly thinking that -sT also avoids completing the handshake, when in fact -sT completes the full three-way handshake and is logged by the target system.
How to eliminate wrong answers
Option B (-sT) is wrong because it performs a full TCP connect scan, which completes the three-way handshake by sending the final ACK, making it more detectable and slower. Option C (-sU) is wrong because it performs a UDP scan, which sends UDP packets and does not involve the TCP three-way handshake at all. Option D (-sA) is wrong because it performs a TCP ACK scan, which sends packets with the ACK flag set to map firewall rules, not to determine open ports via SYN responses.
A network administrator needs to identify all devices on a large corporate network that are running a specific vulnerable version of OpenSSH. The administrator has network access and can use scanning tools. However, scanning the entire network might disrupt operations. Which approach minimizes disruption while accurately identifying the vulnerable hosts?
A.Conduct a full TCP port scan of the entire network using SYN scan.
B.Run a TCP SYN scan on port 22 only, with version detection enabled, across the target IP range.
C.Use a ping sweep to identify live hosts, then perform a version scan on each.
D.Perform an ARP scan of the entire subnet and then check each host manually.
AnswerB
Scanning only the relevant port with version detection minimizes traffic and focuses on the vulnerable service.
Why this answer
Option B is correct because it targets only TCP port 22 (the default SSH port) with a SYN scan, which is stealthier and faster than a full connect scan, and enables version detection to identify the specific vulnerable OpenSSH version. This minimizes disruption by avoiding scanning unnecessary ports and reduces network load, while accurately pinpointing vulnerable hosts.
Exam trap
The trap here is that candidates often choose a ping sweep (Option C) thinking it reduces disruption, but they overlook that ICMP may be blocked, and the subsequent version scan on each host still requires port-level scanning, making Option B more efficient and accurate.
How to eliminate wrong answers
Option A is wrong because a full TCP port scan of the entire network would generate excessive traffic, potentially disrupting operations, and is unnecessary when only port 22 is relevant. Option C is wrong because a ping sweep may miss hosts that block ICMP (e.g., firewalls), leading to incomplete identification, and then performing a version scan on each live host still requires scanning all ports on those hosts, which is less efficient than targeting port 22 directly. Option D is wrong because an ARP scan only works within the local subnet (Layer 2) and does not scale to a large corporate network across multiple subnets; manual checking is impractical and error-prone.
A security analyst runs the command `nbtstat -A 192.168.1.50` in a Windows environment. What information is the analyst attempting to retrieve?
A.The current routing table on the host
B.Active network connections and listening ports
C.DNS records for the host
D.NetBIOS names and services of the remote system
AnswerD
The -A flag lists the NetBIOS name table for the specified IP address, including MAC addresses and registered names.
Why this answer
`nbtstat -A` with a target IP address displays the NetBIOS name table for that remote system, revealing computer names, logged-in users, and domain/workgroup membership.
Which of the following is the PRIMARY reason that MD5 is no longer recommended for use in digital signatures?
A.MD5 is a symmetric algorithm, not a hash function
B.MD5 is computationally too slow for large data
C.MD5 produces a 128-bit hash, which is too short for modern security
D.MD5 is vulnerable to collision attacks
AnswerD
Correct. Practical collision attacks against MD5 have been demonstrated, making it unsuitable for digital signatures.
Why this answer
MD5 is vulnerable to collision attacks, where two different inputs produce the same hash. This undermines the integrity and non-repudiation properties required for digital signatures.
A penetration tester is performing reconnaissance and wants to identify email addresses associated with a target domain. Which tool is specifically designed for this purpose?
A.Nmap
B.theHarvester
C.Shodan
D.Maltego
AnswerB
theHarvester is designed to harvest emails and other data from public sources.
Why this answer
TheHarvester is specifically designed for passive reconnaissance to gather email addresses, subdomains, and other open-source intelligence (OSINT) from public sources like search engines, PGP key servers, and the SHODAN database. It directly queries these sources to extract email addresses associated with a target domain, making it the correct tool for this task.
Exam trap
The trap here is that candidates often confuse Shodan (a device search engine) with a tool for email harvesting, or they assume Maltego's broad OSINT capabilities make it the best choice, but theHarvester is the only option specifically designed for automated email address extraction from public sources.
How to eliminate wrong answers
Option A is wrong because Nmap is a network scanning tool used for port scanning, service detection, and OS fingerprinting, not for harvesting email addresses from public sources. Option C is wrong because Shodan is a search engine for internet-connected devices and services, not a tool for extracting email addresses from a target domain. Option D is wrong because Maltego is a graphical link analysis tool for relationship mapping and OSINT, but it is not specifically designed for automated email harvesting; it requires manual configuration and transforms, whereas theHarvester is purpose-built for this task.
Which THREE of the following are common types of SQL injection attacks? (Select three)
Select 3 answers
A.Reflected SQL injection
B.Stored SQL injection
C.Out-of-band SQL injection
D.Blind SQL injection
E.In-band SQL injection
AnswersC, D, E
Out-of-band uses a different channel (e.g., DNS) to exfiltrate data.
Why this answer
In-band SQL injection (including error-based and union-based) are classic types. Blind SQL injection (boolean-based and time-based) are also common. Out-of-band is less common but still a type.
An attacker performs a downgrade attack on a TLS connection, forcing the client and server to negotiate a weaker cipher suite. This attack exploits which of the following?
A.A vulnerability in the TLS 1.3 handshake
B.A known weakness in the Diffie-Hellman key exchange
C.The fallback mechanism in SSL/TLS implementations
D.The ability to modify the ClientHello message
AnswerC
Correct: Attackers exploit the fallback to force weaker security.
Why this answer
Downgrade attacks exploit the fallback mechanism in TLS where, if a handshake fails, the client retries with a lower version or weaker suite. The attacker forces failure to degrade security.
A security analyst examines a compromised Linux server and finds a hidden directory `/usr/share/.syslog` containing a modified version of `sshd` and a log cleaner script. This is indicative of which technique used to erase tracks?
A.Token impersonation
B.DLL injection
C.Rootkit installation
D.Steganography
AnswerC
Correct. Rootkits replace system files to hide presence and log cleaners erase evidence.
Why this answer
The presence of a hidden directory containing a modified `sshd` binary and a log cleaner script is a classic sign of a rootkit installation. Rootkits replace core system binaries (like `sshd`) to maintain backdoor access and use log cleaners to erase evidence of their activity, directly aligning with the technique of erasing tracks.
Exam trap
EC-Council often tests the distinction between platform-specific techniques, and the trap here is that candidates may confuse rootkit installation with steganography because both involve 'hiding,' but steganography hides data, not system binaries or logs.
How to eliminate wrong answers
Option A is wrong because token impersonation is a Windows-specific privilege escalation technique that involves duplicating access tokens, not hiding files or modifying binaries on a Linux server. Option B is wrong because DLL injection is a Windows technique for injecting code into running processes via dynamic-link libraries, which does not apply to Linux systems that use shared objects (.so) and have no concept of DLLs. Option D is wrong because steganography hides data within other data (e.g., images or audio) and is not used to replace system binaries or clean logs to erase tracks.
During a security assessment, you execute: dnsenum --enum example.com. The tool returns results including the nameservers (NS), mail servers (MX), and performs a zone transfer attempt. The zone transfer fails. What is the MOST likely reason for the failure?
A.The DNS server is not running
B.The zone transfer requires TCP port 443
C.The DNS server is configured to deny zone transfers from unauthorized hosts
D.The domain does not exist
AnswerC
This is the standard security configuration for DNS servers.
Why this answer
Option C is correct because DNS zone transfers (AXFR) are typically restricted by default on authoritative DNS servers to prevent unauthorized disclosure of the entire zone file. The `dnsenum` tool attempts an AXFR query over TCP port 53, and the failure indicates the server explicitly denied the request, which is a standard security configuration per RFC 5936.
Exam trap
The trap here is that candidates may confuse the port used for zone transfers (TCP 53) with the standard DNS query port (UDP 53) or mistakenly think a failed zone transfer implies the server is down or the domain is invalid, rather than recognizing it as a deliberate security control.
How to eliminate wrong answers
Option A is wrong because if the DNS server were not running, the tool would not have returned NS and MX records; a non-responsive server would cause a timeout or connection error, not a specific zone transfer failure. Option B is wrong because zone transfers use TCP port 53, not TCP port 443 (which is used for HTTPS). Option D is wrong because the tool successfully resolved the domain (returning NS and MX records), proving the domain exists and is properly configured.
A penetration tester wants to perform DNS zone transfer enumeration. Which TWO of the following tools can be used for this purpose? (Select exactly 2.)
Select 2 answers
A.Shodan
B.Maltego
C.theHarvester
D.dnsrecon
E.dnsenum
AnswersD, E
dnsrecon can perform zone transfers as part of its enumeration.
Why this answer
Dnsrecon is a dedicated DNS enumeration tool that supports zone transfer requests (AXFR queries) to retrieve all DNS records from a nameserver if it is misconfigured to allow transfers from any host. It can also perform other DNS reconnaissance tasks such as SRV record enumeration and subdomain brute-forcing, making it a direct choice for zone transfer enumeration.
Exam trap
EC-Council often tests the distinction between passive reconnaissance tools (theHarvester, Maltego) and active DNS enumeration tools (dnsrecon, dnsenum) that directly query DNS servers for zone transfers, leading candidates to select tools that gather DNS data indirectly rather than performing the actual AXFR request.
A company deploys IoT sensors in a remote facility with limited bandwidth. The sensors send small data packets every few seconds. Which wireless technology is most appropriate for this application?
A.4G LTE
B.Wi-Fi 6
C.Bluetooth 5
D.LoRaWAN
AnswerD
Optimized for low-power, long-range IoT.
Why this answer
LoRaWAN is designed for low-power, long-range communication with small data payloads, making it ideal for IoT sensors in remote facilities with limited bandwidth. It operates in sub-GHz ISM bands (e.g., 868 MHz or 915 MHz) and supports data rates from 0.3 kbps to 50 kbps, perfectly matching the requirement of sending small packets every few seconds over kilometers.
Exam trap
The trap here is that candidates often confuse 'low power' and 'short range' technologies like Bluetooth 5 with the specific requirements of remote, long-range IoT, failing to recognize that LoRaWAN is the only option explicitly designed for low-power wide-area networks (LPWAN) with kilometer-scale range.
How to eliminate wrong answers
Option A is wrong because 4G LTE is a cellular technology optimized for high-bandwidth, low-latency applications (e.g., video streaming) and consumes significantly more power, making it unsuitable for battery-powered IoT sensors in remote areas with limited bandwidth. Option B is wrong because Wi-Fi 6 (802.11ax) is designed for high-density, high-throughput local area networks with a typical range of tens of meters, not for long-range, low-power IoT deployments in remote facilities. Option C is wrong because Bluetooth 5, while offering low power and mesh capabilities, has a maximum range of approximately 200-400 meters in ideal conditions, which is insufficient for remote facilities spanning kilometers, and its data rate (up to 2 Mbps) is overkill for small packets sent every few seconds.
You are conducting a security assessment for a company that hosts a web application on AWS. The application consists of a public-facing load balancer, an EC2 instance running a Linux web server, and an RDS MySQL database in a private subnet. The web server is configured to allow SSH access only from the company's internal IP range (203.0.113.0/24). During initial reconnaissance, you discover that the load balancer's security group allows inbound HTTP/HTTPS from anywhere. You attempt an Nmap SYN scan against the EC2 instance's public IP but receive no response (host appears down). Using a TCP connect scan, you find that ports 80 and 443 are open on the EC2 instance's public IP, but port 22 is filtered. You then launch an EC2 instance in the same region and run a scan from that internal AWS IP, and you find that port 22 is open on the target EC2 instance's private IP. Which of the following is the most likely reason for the initial scan failure and the filtered SSH port?
A.The EC2 instance is behind a NAT gateway that only allows outbound traffic. The load balancer is in a public subnet, but the instance is in a private subnet and cannot be reached from the internet directly.
B.The VPC's network ACL is blocking inbound SYN packets to the EC2 instance's public IP, while allowing established connections. The TCP connect scan sends ACK packets, which bypass the ACL.
C.The EC2 instance's security group only allows HTTP/HTTPS traffic from the load balancer's security group and SSH from the internal IP range. The load balancer's security group allows internet traffic to the load balancer, but the EC2 instance's security group does not allow direct internet traffic to the instance.
D.The EC2 instance does not have a public IP assigned; the load balancer performs destination NAT. The initial scan targeted the load balancer's IP, not the instance's IP.
AnswerC
Why this answer
Option C is correct because the EC2 instance's security group is configured to allow HTTP/HTTPS only from the load balancer's security group (not from the internet directly) and SSH only from the internal IP range (203.0.113.0/24). The initial Nmap SYN scan against the EC2 instance's public IP failed because the instance's security group drops all inbound traffic not explicitly allowed, including SYN packets to port 22 from external IPs, making the host appear down. The TCP connect scan revealed ports 80 and 443 open because the load balancer forwards traffic to those ports on the instance, but the security group still blocks direct internet access to the instance's public IP for SSH, resulting in a filtered state.
The internal scan from another EC2 instance in the same VPC succeeded because the security group allows SSH from the internal IP range, and the private IP is reachable within the VPC.
Exam trap
The trap here is that candidates confuse the behavior of security groups (stateful, instance-level) with network ACLs (stateless, subnet-level) and incorrectly assume that a filtered port or unresponsive host must be due to a NACL blocking SYN packets, rather than recognizing that the security group's explicit deny of direct internet traffic to the instance's public IP causes the scan to fail.
How to eliminate wrong answers
Option A is wrong because a NATgateway only handles outbound traffic from private instances to the internet; it does not block inbound traffic to an instance that has a public IP assigned, and the scenario confirms the EC2 instance has a public IP (since scans against it returned results). Option B is wrong because network ACLs are stateless and block or allow traffic based on rules, but they do not distinguish between SYN and ACK packets in a way that would allow a TCP connect scan (which uses SYN packets, not ACK) to bypass; additionally, the VPC's default NACL allows all inbound/outbound traffic, and custom NACLs would need explicit rules to block SYN packets, which is not indicated. Option D is wrong because the load balancer does perform destination NAT, but the initial scan targeted the EC2 instance's public IP (as stated in the scenario), not the load balancer's IP; the instance does have a public IP assigned, as evidenced by the successful TCP connect scan to ports 80 and 443 on that IP.
Which of the following is a primary defense mechanism against Cross-Site Request Forgery (CSRF) attacks?
A.Input validation and output encoding
B.Enforcing CAPTCHA on all forms
C.Using SameSite cookies
D.Implementing CSRF tokens
AnswerD
CSRF tokens are the most common and effective defense against CSRF attacks.
Why this answer
CSRF tokens are unique, unpredictable values included in requests that the server validates to ensure the request is intentional. SameSite cookies help but are not the primary defense; CAPTCHA and input validation are not standard CSRF mitigations.
Which THREE of the following are valid DNS record types that an attacker might query during reconnaissance to gather information about a target domain? (Select 3)
Select 3 answers
A.FTP (file transfer)
B.A (IPv4 address)
C.NS (name server)
D.HTTP (hypertext transfer)
E.MX (mail exchange)
AnswersB, C, E
A records map hostnames to IP addresses, revealing the target's IP.
Why this answer
The A record maps a domain name to an IPv4 address, which is fundamental for locating a target server. During reconnaissance, querying A records reveals the IP address of the target domain, enabling further scanning and attack planning. This is a standard DNS query type defined in RFC 1035.
Exam trap
EC-Council often tests the distinction between DNS record types and application-layer protocols, so candidates mistakenly select FTP or HTTP because they are common network services, but they are not valid DNS resource records.
Which THREE of the following are examples of OSINT techniques? (Choose 3)
Select 3 answers
A.Nmap version detection
B.Shodan search
C.Maltego graph analysis
D.Nessus vulnerability scan
E.Google dorking
AnswersB, C, E
Shodan is an OSINT search engine for devices.
Why this answer
Shodan is a search engine for internet-connected devices, allowing users to discover open ports, services, and banners without directly interacting with the target. This is a classic OSINT technique because it gathers publicly available information from external sources, not from active scanning of the target's own infrastructure.
Exam trap
EC-Council often tests the distinction between active and passive reconnaissance, and the trap here is that candidates confuse tools that can be used for both (like Nmap) with OSINT, forgetting that OSINT specifically excludes any direct interaction with the target system.
A penetration tester uses the tool 'Pacu' during an assessment. Which of the following actions is Pacu designed to perform?
A.Exploit vulnerabilities in Azure cloud infrastructure
B.Automate penetration testing tasks in AWS environments
C.Perform network scanning and service enumeration
D.Crack WPA2 handshakes using dictionary attacks
AnswerB
Correct. Pacu is an AWS exploitation framework for testing and exploitation.
Why this answer
Pacu is an open-source AWS exploitation framework that allows security professionals to test the security of AWS environments. It can perform various attacks, such as IAM privilege escalation, S3 bucket enumeration, and metadata service exploitation.
A network administrator wants to prevent an attacker from using a network sniffer to capture traffic between a client and a web server. Which protocol should be enforced to encrypt all communication?
A.SNMP
B.FTP
C.HTTPS
D.HTTP
AnswerC
HTTPS encrypts data with TLS.
Why this answer
HTTPS (HTTP over TLS, RFC 2818) encrypts all communication between a client and a web server using TLS/SSL, preventing a network sniffer from capturing plaintext data such as cookies, URLs, or form submissions. This ensures confidentiality and integrity of the web traffic, directly countering passive eavesdropping attacks.
Exam trap
The trap here is that candidates often confuse encryption with authentication or assume that any protocol with 'secure' in its name (like SNMPv3) is suitable for web traffic, when the question specifically requires a protocol that encrypts client-to-web-server communication — only HTTPS directly fulfills that role.
How to eliminate wrong answers
Option A is wrong because SNMP (Simple Network Management Protocol) is used for managing and monitoring network devices, not for encrypting web traffic; its default versions (v1/v2c) send community strings in plaintext, and even SNMPv3 with encryption is irrelevant to client-server web communication. Option B is wrong because FTP (File Transfer Protocol) transmits data and credentials in cleartext, making it vulnerable to sniffing; it does not encrypt web traffic and is designed for file transfers, not web browsing. Option D is wrong because HTTP transmits data in plaintext, allowing any network sniffer to capture the entire request/response payload, including sensitive information like passwords and session tokens.
A web application uses an XML parser to process user-supplied XML documents. An attacker submits the following payload: <?xml version='1.0'?><!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]><root>&xxe;</root>. Which vulnerability is being exploited?
A.Server-Side Request Forgery (SSRF)
B.XPath injection
C.XML External Entity (XXE) injection
D.SQL injection
AnswerC
The attacker defines an external entity to read a local file, which is XXE.
Why this answer
The payload defines an external entity that reads a local file, which is classic XXE (XML External Entity) injection.
A company's security team wants to deploy a DDoS mitigation technique that distributes incoming traffic across multiple servers in different geographic locations, making it harder for an attacker to overwhelm a single target. Which technique BEST fits this description?
A.Anycast network
B.Rate limiting
C.Load balancer
D.Scrubbing center
AnswerA
Anycast distributes traffic to multiple locations, mitigating volumetric attacks.
Why this answer
Anycast routing allows multiple servers to share the same IP address; traffic flows to the nearest server, distributing the load and absorbing DDoS attacks.
During a forensic investigation, an analyst finds that a malware sample uses a technique to detect if it is running in a sandbox by checking the number of CPU cores. The malware terminates execution if the core count is less than 2. Which anti-analysis technique is this?
A.Code obfuscation
B.Anti-debugging
C.Anti-VM / sandbox evasion
D.Packing
AnswerC
Checking for low resource counts is a common sandbox evasion technique.
Why this answer
Option C is correct because checking the number of CPU cores is a classic anti-VM/sandbox evasion technique. Virtual machines and sandboxes often allocate minimal resources (e.g., a single core) to remain lightweight, so malware uses this check to detect an analysis environment and terminate execution to avoid detection.
Exam trap
EC-Council often tests the distinction between anti-debugging and anti-VM techniques; the trap here is that candidates confuse resource-based checks (like CPU cores) with debugger detection, but anti-debugging specifically targets debugger artifacts, not hardware resource enumeration.
How to eliminate wrong answers
Option A is wrong because code obfuscation involves transforming code to make it harder to read or reverse-engineer (e.g., using junk code or control flow flattening), not checking hardware resources like CPU cores. Option B is wrong because anti-debugging techniques target debuggers (e.g., checking for IsDebuggerPresent or NtGlobalFlag), not the number of CPU cores. Option D is wrong because packing compresses or encrypts the executable to hide its original code, but does not involve runtime checks of system resources.
During a web application penetration test, a tester uses Burp Suite's Repeater tool to manually manipulate a request and observe the response. After sending the same request multiple times, the application returns a 302 redirect pointing to a login page. What is the MOST likely cause?
C.The session token has expired and the user must re-authenticate
D.The server detected the use of a proxy and blocked the request
AnswerC
After repeated requests without refreshing the session, the token may expire, causing a redirect to the login page.
Why this answer
A 302 redirect to a login page typically indicates that the session has expired or the tester's session is no longer valid. The application is redirecting to enforce authentication.
Which TWO of the following are effective methods to prevent dumpster diving attacks? (Choose two.)
Select 2 answers
A.Storing all data on encrypted digital media only
B.Shredding sensitive documents before disposal
C.Using locked bins for discarded materials
D.Placing documents in recycling bins
E.Burning all discarded paper documents
AnswersB, C
Shredding renders documents unreadable.
Why this answer
Shredding sensitive documents before disposal (Option B) is effective because it physically destroys the information, making it impossible to reconstruct from discarded paper. This directly counters dumpster diving, where attackers retrieve documents to extract confidential data like passwords or network diagrams.
Exam trap
EC-Council often tests the misconception that any form of destruction (like burning) is equally acceptable, but the CEH exam emphasizes shredding and locked bins as the standard, practical controls, while burning is considered excessive and not a recommended baseline security practice.
An attacker gains physical access to a building by following an authorized employee through a secure door without using a badge. Which social engineering technique is being used?
A.Pretexting
B.Tailgating
C.Baiting
D.Quid pro quo
AnswerB
Tailgating is physically following someone through a secure entrance.
Why this answer
Tailgating is when an unauthorized person follows an authorized individual into a restricted area without consent. It is a physical security breach.
A security analyst runs `nmap -sU -p 161,162 10.0.0.1` and receives output showing port 161/udp is open. Which service is MOST likely running on this port?
A.DHCP
B.SNMP
C.TFTP
D.DNS
AnswerB
SNMP uses UDP ports 161 (agent) and 162 (manager).
Why this answer
Port 161/udp is the default port for SNMP (Simple Network Management Protocol) used by SNMP agents to receive management queries (GET, SET) from SNMP managers. The `-sU` flag performs a UDP scan, and the open result on 161/udp strongly indicates an SNMP service is listening, as defined in RFC 1157.
Exam trap
The trap here is that candidates often confuse SNMP's port 161 with SNMP trap port 162 or misattribute it to other UDP-based services like DHCP or TFTP, but the scan specifically targets 161, which is exclusively SNMP.
How to eliminate wrong answers
Option A is wrong because DHCP uses ports 67/udp (server) and 68/udp (client), not 161 or 162. Option C is wrong because TFTP uses port 69/udp, not 161 or 162. Option D is wrong because DNS uses port 53/udp (and tcp), not 161 or 162.
Which THREE of the following are common attack vectors against IoT devices?
Select 3 answers
A.Container escape
B.Insecure protocols (e.g., MQTT, CoAP without encryption)
C.Firmware reversing and extraction of hardcoded secrets
D.TLS stripping attack
E.Default credentials
AnswersB, C, E
Insecure protocols allow eavesdropping and manipulation of communications.
Why this answer
Default credentials, insecure protocols (e.g., MQTT without TLS), and firmware reversing (to find hardcoded secrets) are common IoT attack vectors. TLS stripping is a network attack, and container escape is a cloud/container attack.
You are conducting a security assessment and need to map the network topology and identify routers, firewalls, and other network devices. Which technique is specifically designed to discover the path packets take to reach a destination and can reveal intermediate devices?
A.Traceroute
B.Banner grabbing
C.DNS enumeration
D.SNMP walk
AnswerA
Traceroute increments TTL to get ICMP time-exceeded messages from routers, revealing the path.
Why this answer
Traceroute is the correct technique because it is specifically designed to map the path packets take from a source to a destination by manipulating the Time-to-Live (TTL) field in IP headers. As each hop decrements the TTL, routers along the path send ICMP Time Exceeded messages (or UDP responses in some implementations), revealing their IP addresses and thus identifying intermediate devices like routers and firewalls.
Exam trap
The trap here is that candidates often confuse traceroute with ping (which only tests reachability and RTT, not hop-by-hop path discovery) or assume banner grabbing can reveal network topology, but only traceroute systematically identifies each intermediate device along the route.
How to eliminate wrong answers
Option B is wrong because banner grabbing is used to retrieve service banners (e.g., HTTP Server header, SSH version) from open ports to identify running services and versions, not to discover network path or intermediate devices. Option C is wrong because DNS enumeration is a technique to gather DNS records (e.g., A, MX, NS) and subdomains from a DNS server to map domain infrastructure, not to trace packet routes. Option D is wrong because an SNMP walk retrieves the entire Management Information Base (MIB) tree from an SNMP-enabled device to read configuration and performance data, not to discover the path packets take through the network.
A security team wants to test their web application for vulnerabilities. Which Burp Suite tool is BEST suited for automating attacks like brute-force or fuzzing?
A.Proxy
B.Repeater
C.Intruder
D.Scanner
AnswerC
Intruder automates payload delivery for brute-force, fuzzing, etc.
Why this answer
Intruder is designed for automated customized attacks including brute-force, fuzzing, and credential stuffing.
Which command-line tool is specifically designed to extract email addresses, subdomains, and other information from public sources (e.g., search engines, social media) for a given domain?
A.Metasploit
B.Nmap
C.theHarvester
D.Wireshark
AnswerC
theHarvester is designed for passive information gathering from public sources.
Why this answer
theHarvester is a dedicated open-source intelligence (OSINT) tool designed to gather emails, subdomains, IPs, and employee names from public sources such as Google, Bing, LinkedIn, and PGP key servers. It specifically targets a given domain and queries search engines and social media APIs to extract this reconnaissance data, making it the correct choice for this task.
Exam trap
The trap here is that candidates may confuse theHarvester with Nmap or Metasploit because all three are used in reconnaissance, but only theHarvester specializes in passive OSINT gathering from public sources rather than active scanning or exploitation.
How to eliminate wrong answers
Option A is wrong because Metasploit is a penetration testing framework focused on exploit development and payload delivery, not passive information gathering from public sources. Option B is wrong because Nmap is a network scanning tool that discovers live hosts and open ports via raw packet probes, not designed to extract email addresses or subdomains from search engines. Option D is wrong because Wireshark is a packet analyzer that captures and inspects network traffic at the data-link layer, not a tool for querying public sources for domain-related information.
Which TWO of the following are valid techniques used in password spraying attacks? (Choose 2.)
Select 2 answers
A.Using previously compromised username/password pairs from a breach
B.Capturing keystrokes to obtain a user's password
C.Trying every possible password from a dictionary against a single username
D.Using a list of common passwords (e.g., 'Password123', 'Welcome1') against a large set of usernames
E.Attempting a single common password across multiple users, then trying the next common password
AnswersD, E
This is the essence of password spraying: try a few weak passwords on many accounts to avoid lockout.
Why this answer
Password spraying uses a few common passwords against many accounts to avoid lockouts. Credential stuffing uses known username/password pairs from breaches. Dictionary attack uses a list of words.
Brute force tries many passwords on one account. Keylogging is passive.
A security analyst is investigating a compromised Linux system. The /var/log/auth.log file appears to be truncated, and the timestamps on several binaries in /bin/ have been modified. Which of the following tools or techniques is the attacker MOST likely using to cover tracks?
A.Timestamp manipulation tool
B.Rootkit
C.Steganography
D.Log cleaner script
AnswerB
Rootkits replace system binaries and manipulate logs to hide the attacker's presence.
Why this answer
The attacker is most likely using a rootkit to cover tracks because rootkits are designed to hide malicious activity by intercepting system calls (e.g., via LD_PRELOAD or kernel modules) to hide processes, files, and network connections. The truncated auth.log and modified timestamps on binaries in /bin/ indicate the rootkit is actively tampering with system logs and file metadata to evade detection, which aligns with rootkit behavior rather than simpler tools.
Exam trap
The trap here is that candidates often confuse a simple log cleaner script (Option D) with the full capability of a rootkit, failing to recognize that only a rootkit can simultaneously hide processes, modify binary timestamps, and intercept log writes at the system call level.
How to eliminate wrong answers
Option A is wrong because timestamp manipulation tools (e.g., touch -t) can modify file timestamps but do not truncate logs or hide ongoing malicious activity; they are a one-off action, not a persistent concealment technique. Option C is wrong because steganography hides data within other files (e.g., images) and is unrelated to log truncation or binary timestamp modification; it is a data exfiltration or covert communication method, not a track-covering mechanism. Option D is wrong because a log cleaner script (e.g., logrotate abuse or sed on auth.log) can delete or truncate logs but cannot modify timestamps on system binaries or hide processes; it is a simpler tool that lacks the system-level interception capabilities of a rootkit.
A penetration tester runs the following command: masscan 10.0.0.0/24 -p80,443,8080 --rate=10000. Compared to Nmap, what is the PRIMARY advantage of using Masscan for this scan?
A.Masscan can scan a large number of hosts and ports at very high speed
B.Masscan provides more detailed service version detection than Nmap
C.Masscan is stealthier than Nmap and less likely to be detected
D.Masscan can scan all 65535 ports faster than Nmap
AnswerA
Masscan's main advantage is its speed. It can scan large ranges quickly, as indicated by the high rate.
Why this answer
Masscan is designed for asynchronous, high-speed scanning, capable of transmitting packets at rates exceeding 10 million packets per second. In this command, the `--rate=10000` parameter sets a transmission rate of 10,000 packets per second, allowing it to scan the entire 10.0.0.0/24 subnet (256 hosts) for three ports in a fraction of the time Nmap would require. Nmap, while feature-rich, operates synchronously by default and cannot match Masscan's raw packet throughput for large-scale port scanning.
Exam trap
EC-Council often tests the misconception that Masscan is stealthier than Nmap, but in reality, its high packet rate makes it more detectable, and the trap here is that candidates confuse speed with stealth.
How to eliminate wrong answers
Option B is wrong because Masscan does not perform service version detection; it is a raw port scanner that only identifies open ports, whereas Nmap's `-sV` flag provides detailed service and version fingerprinting. Option C is wrong because Masscan is not inherently stealthier; its high-speed, asynchronous scanning often generates more conspicuous traffic patterns and can trigger IDS/IPS alerts more easily than Nmap's slower, more deliberate scans. Option D is wrong because while Masscan can scan all 65535 ports faster than Nmap, the question specifically asks about the PRIMARY advantage for the given command (which targets only three ports), and the core advantage is its high-speed scanning capability across many hosts, not just port range coverage.
During a penetration test, the tester finds that the Apache server is configured with directory listing enabled on the /uploads directory. The tester navigates to http://example.com/uploads/ and sees a list of files. Which of the following is the MOST immediate security concern?
A.Sensitive files may be exposed to unauthorized users
B.The server is running an outdated version of Apache
C.The server is vulnerable to cross-site scripting (XSS) attacks
D.An attacker can upload malicious files to the directory
AnswerA
Directory listing can expose file names and allow access to sensitive files if they are not protected.
Why this answer
Directory listing exposes file names that may reveal sensitive information (e.g., backup files, config files). Attackers can then attempt to access these files directly, potentially leading to data disclosure.
An attacker has gained access to a system and wants to erase evidence of their activities. Which of the following actions is MOST effective for covering tracks on a Windows system?
A.Disabling the Windows Firewall
B.Installing a rootkit
C.Clearing the Security event log
D.Changing the administrator password
AnswerC
Event logs contain evidence of logins and activities.
Why this answer
Clearing the Security event log (C) is the most effective action for covering tracks on a Windows system because it removes all logged security events, such as logon attempts, privilege use, and audit failures, which are the primary records that would reveal an attacker's activities. The Security log is maintained by the Windows Event Log service and is the default location for audit records under the Local Security Policy; deleting it eliminates forensic evidence of unauthorized access or changes.
Exam trap
EC-Council often tests the distinction between covering tracks (erasing evidence) and maintaining access or evading detection; the trap here is that candidates confuse installing a rootkit (which hides ongoing activity) with clearing logs (which removes past evidence), leading them to choose B instead of C.
How to eliminate wrong answers
Option A is wrong because disabling the Windows Firewall does not erase existing evidence of an attack; it only removes a network defense layer, which may actually draw attention by breaking connectivity or triggering alerts. Option B is wrong because installing a rootkit is a method for maintaining persistent access and hiding files/processes, not for erasing existing logs or evidence; it does not clear the Security event log and may itself be detected by advanced anti-rootkit tools. Option D is wrong because changing the administrator password does not delete any logged events; it only prevents the original administrator from logging in, but the Security log still contains records of the attacker's previous actions.
A security analyst observes the following in a packet capture: a single source IP sends a large number of ICMP echo request packets to the broadcast address of a subnet, with the source IP spoofed to be the target victim. Which type of attack is being executed?
A.Smurf attack
B.SYN flood
C.Ping of Death
D.ICMP flood
AnswerA
Correct. Smurf uses broadcast amplification and spoofed source IP to flood the victim.
Why this answer
A Smurf attack sends ICMP echo requests to a broadcast address with the victim's spoofed source IP, causing all hosts on the subnet to reply to the victim, overwhelming it.
During a penetration test, you gain initial access to a Linux server as a low-privileged user. The target runs a vulnerable SUID binary owned by root. Which of the following is the MOST effective method to escalate privileges?
A.Perform an SMTP VRFY attack to enumerate users
B.Exploit the SUID binary to execute commands as root
C.Use enum4linux to enumerate SMB shares
D.Run 'sudo -l' to list sudo privileges
AnswerB
Exploiting a vulnerable SUID binary is a direct privilege escalation vector.
Why this answer
Option C is correct. Exploiting a vulnerable SUID binary is a classic privilege escalation technique that allows a low-privileged user to run the binary with root privileges.
A penetration tester discovers a Linux server with the SUID bit set on the 'find' command. How could this be exploited for privilege escalation?
A.By using 'find' to delete log files
B.By using 'find' to search for files owned by root
C.By using 'find' to mount a remote share
D.By running 'find / -exec /bin/sh \;' to spawn a root shell
AnswerD
If find has SUID root, the -exec option runs commands with root privileges, spawning a root shell.
Why this answer
When the SUID bit is set on the 'find' command, it executes with the privileges of the file owner (typically root). The '-exec' option allows arbitrary command execution. Running 'find / -exec /bin/sh \;' spawns a shell with root privileges, enabling full system compromise.
Exam trap
The trap here is that candidates may think SUID only applies to obvious binaries like 'passwd' or 'sudo', but CEH tests the lesser-known fact that any binary with SUID and command execution capability (like 'find' with '-exec') can be exploited for privilege escalation.
How to eliminate wrong answers
Option A is wrong because deleting log files does not leverage the SUID bit for privilege escalation; it only removes audit trails and does not grant elevated privileges. Option B is wrong because searching for files owned by root is a normal operation that does not exploit the SUID bit to gain a root shell. Option C is wrong because 'find' does not have built-in functionality to mount remote shares; mounting requires the 'mount' command or similar utilities, and the SUID bit on 'find' does not enable network filesystem mounting.
During a penetration test, an analyst uses enum4linux with the -a flag against a target. Which of the following is the MOST comprehensive set of information that can be obtained?
A.Only the domain admins and local admins
B.User list, share list, OS information, password policy, and group memberships
C.Only the SMB shares and open sessions
D.Only the NetBIOS name table
AnswerB
-a performs all enumeration functions.
Why this answer
enum4linux with the -a flag performs a comprehensive enumeration against a target, leveraging SMB, RPC, and NetBIOS over TCP/IP. It retrieves user lists, share lists, OS information, password policy details, and group memberships by querying the remote Windows system via SMB RPC calls (e.g., SAMR, LSA, SRVSVC). This makes it the most complete set of information obtainable from a single command, as the -a flag essentially runs all available enumeration modules.
Exam trap
The trap here is that candidates often assume enum4linux -a only retrieves shares or NetBIOS data, underestimating its full scope of SMB/RPC-based enumeration that includes users, groups, OS details, and password policy.
How to eliminate wrong answers
Option A is wrong because enum4linux -a retrieves far more than just domain admins and local admins; it enumerates all users, groups, shares, OS details, and password policy, not just administrative accounts. Option C is wrong because enum4linux -a does not limit itself to SMB shares and open sessions; it also retrieves user lists, OS information, password policy, and group memberships, making this option incomplete. Option D is wrong because enum4linux -a goes well beyond the NetBIOS name table; it performs deep SMB and RPC enumeration, including user and share enumeration, which is not captured by NetBIOS alone.
During an internal penetration test, you are tasked with enumerating services on a target server. You run a full TCP port scan and find that ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open. You then perform version detection on these ports. Which additional enumeration step would provide the most valuable information for identifying potential vulnerabilities?
A.Perform banner grabbing on port 22 to identify the SSH version.
B.Perform SNMP enumeration to gather system information.
C.Attempt a DNS zone transfer from the server.
D.Enumerate NetBIOS names using `nbtstat`.
AnswerA
SSH version information can reveal outdated versions with known exploits.
Why this answer
Banner grabbing on port 22 (SSH) is the most valuable next step because it directly identifies the SSH server version (e.g., OpenSSH 7.4). Knowing the exact version allows you to cross-reference known vulnerabilities (CVEs) for that specific SSH implementation, which is a common high-risk attack vector during internal penetration tests. While version detection already identified the service, banner grabbing can reveal additional details like patch levels or configuration quirks that version detection might miss.
Exam trap
EC-Council often tests the misconception that SNMP, DNS zone transfers, or NetBIOS enumeration are universally applicable, but the trap here is that these techniques only work when the corresponding services are actually running and accessible — the question explicitly limits open ports to 22, 80, and 443, so only banner grabbing on those ports is directly actionable.
How to eliminate wrong answers
Option B is wrong because SNMP enumeration requires SNMP (UDP ports 161/162) to be open, and the scan only found TCP ports 22, 80, and 443 — no SNMP service was detected, so this step would fail or provide no useful data. Option C is wrong because DNS zone transfer requires a DNS server (typically port 53) to be present and configured to allow transfers; the target server does not have DNS open, so this attempt would be irrelevant. Option D is wrong because NetBIOS enumeration (using nbtstat) relies on NetBIOS over TCP/IP (ports 137-139, 445), which are not open on the target; this technique is only applicable to Windows systems with NetBIOS enabled, not to a server with only SSH, HTTP, and HTTPS.
A security analyst observes a web application returning database error messages containing table names and column names in the HTTP response. Which type of SQL injection is MOST likely being exploited?
A.Blind SQL injection (boolean-based)
B.Union-based SQL injection
C.Error-based SQL injection
D.Out-of-band SQL injection
AnswerC
Error-based SQL injection uses database error messages to extract information.
Why this answer
Error-based SQL injection (in-band) relies on error messages from the database to extract information. The presence of database details in errors indicates error-based injection.
During a web application penetration test, a tester submits a comment containing '<script>alert("XSS")</script>' and the script executes for all users who view the comment. Which type of cross-site scripting (XSS) vulnerability is present?
A.Blind XSS
B.Reflected XSS
C.DOM-based XSS
D.Stored (persistent) XSS
AnswerD
The script is stored and executed for all users, indicating stored XSS.
Why this answer
Stored (persistent) XSS occurs when the injected script is permanently stored on the server (e.g., in a database) and executed for every user who accesses that content.
Which TWO of the following are examples of passive OS fingerprinting techniques? (Select 2)
Select 2 answers
A.Performing a SYN scan on the target
B.Analyzing the initial TTL value of received IP packets
C.Sending a series of TCP packets with different flags and analyzing responses
D.Inspecting the TCP window size in SYN packets
E.Using the telnet command to connect to port 80
AnswersB, D
Different OSes use default TTL values; observing this helps identify the OS passively.
Why this answer
Option B is correct because passive OS fingerprinting involves observing network traffic without sending any packets to the target. Analyzing the initial TTL value of received IP packets is a classic passive technique: different operating systems set specific default TTL values (e.g., Windows uses 128, Linux uses 64, Cisco IOS uses 255), allowing an attacker to infer the OS without direct interaction.
Exam trap
The trap here is that candidates confuse passive fingerprinting (observing existing traffic) with active fingerprinting (sending crafted packets), leading them to select options like SYN scans or flag-based probes as passive techniques.
Which THREE of the following are valid methods to prevent a downgrade attack on TLS? (Select 3)
Select 3 answers
A.Disable TLS 1.0 and 1.1 on the server
B.Use the TLS_FALLBACK_SCSV cipher suite
C.Use self-signed certificates to avoid CA trust issues
D.Enforce a minimum TLS version of 1.2 in server configuration
E.Disable all cipher suites except those using RC4
AnswersA, B, D
Prevents downgrade to vulnerable versions.
Why this answer
Disabling older TLS versions, enforcing TLS 1.2+, and using TLS_FALLBACK_SCSV prevent downgrade; disabling cipher suites does not prevent downgrade directly; using self-signed certificates increases risk.
Refer to the exhibit. An ethical hacker runs the shown Nmap scan against a target. Which port state indicates that the port is reachable but no service is listening?
A.open
B.closed
C.filtered
D.unfiltered
AnswerB
Closed means reachable but no service listening.
Why this answer
Option B is correct because a 'closed' port in Nmap indicates that the target host responded with a TCP RST (Reset) packet, meaning the port is reachable and the host is alive, but no application is listening on that port. This state confirms the port is accessible (not filtered by a firewall) yet no service is bound to it.
Exam trap
The trap here is that candidates often confuse 'closed' with 'filtered' or 'unfiltered', not realizing that a closed port specifically means the host responded with a TCP RST, proving reachability without a listening service.
How to eliminate wrong answers
Option A is wrong because an 'open' port means a service is actively listening and has responded with a SYN-ACK, not that no service is listening. Option C is wrong because 'filtered' means Nmap cannot determine if the port is open or closed due to packet filtering (e.g., firewall dropping probes), so the port may or may not be reachable. Option D is wrong because 'unfiltered' means the port is reachable but Nmap cannot determine its open/closed state (e.g., from an ACK scan), not that no service is listening.
Which password cracking technique involves trying every possible combination of characters until the correct password is found?
A.Rainbow table attack
B.Dictionary attack
C.Brute force attack
D.Hybrid attack
AnswerC
Correct. Brute force tries all possible combinations.
Why this answer
A brute force attack systematically tries every possible combination of characters from a defined character set (e.g., lowercase, uppercase, digits, special symbols) until the correct password is found. This method guarantees eventual success but is computationally expensive and time-consuming, especially for long or complex passwords. It is the most exhaustive form of password cracking, as it does not rely on any precomputed data or wordlists.
Exam trap
The trap here is that candidates often confuse 'brute force' with 'dictionary attack' because both involve guessing passwords, but the key distinction is that brute force exhaustively tries all combinations while dictionary attacks rely on a precompiled list of likely passwords.
How to eliminate wrong answers
Option A is wrong because a rainbow table attack uses precomputed hash chains to reverse cryptographic hash functions, not by trying every possible character combination. Option B is wrong because a dictionary attack uses a predefined list of likely passwords (e.g., common words, leaked passwords) rather than exhaustive character-by-character guessing. Option D is wrong because a hybrid attack combines dictionary words with common mutations (e.g., appending numbers or symbols) but does not attempt every possible combination of characters.
Which cryptographic algorithm is vulnerable to a birthday attack on its hash output size of 128 bits, reducing the effective security to 64 bits against collision resistance?
A.SHA-256
B.SHA-1
C.MD5
D.RC4
AnswerC
MD5 output is 128 bits, birthday attack complexity ~2^64.
Why this answer
MD5 produces 128-bit hashes. Birthday attack complexity for collision is 2^(n/2) = 2^64 for n=128. SHA-1 is 160-bit, SHA-256 is 256-bit, RC4 is a stream cipher not a hash.
An application allows users to upload XML files for processing. A tester uploads the following payload: <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>. The server returns the contents of /etc/passwd. Which attack is being performed?
A.XML External Entity (XXE) injection
B.SQL injection
C.Cross-Site Scripting (XSS)
D.Server-Side Request Forgery (SSRF)
AnswerA
The DOCTYPE and entity declaration are classic XXE, and the file read confirms it.
Why this answer
This is an XML External Entity (XXE) injection attack, where an external entity is defined to read a local file. The server's XML parser processes the entity and reflects the file content, confirming the vulnerability.
Which THREE of the following Nmap flags are commonly used for evasion techniques? (Select 3)
Select 3 answers
A.-f
B.-D
C.--mtu
D.-O
E.-sV
AnswersA, B, C
Fragmenting packets can help evade simple IDS/firewall rules.
Why this answer
The -f flag fragments the probe packets into smaller 8-byte fragments (or less, depending on the MTU). This helps evade simple packet-filtering firewalls and intrusion detection systems that do not reassemble fragments before applying rules, as the fragmented headers may bypass signature-based detection.
Exam trap
EC-Council often tests the distinction between scanning techniques (like -O and -sV) and evasion techniques (like -f, -D, --mtu), so candidates mistakenly select -O or -sV because they are common Nmap flags, even though they serve reconnaissance, not evasion.
An employee receives an email that appears to be from the company's CEO, requesting an urgent wire transfer to a vendor. The email address is slightly different from the CEO's actual address. Which type of social engineering attack is this?
A.Phishing
B.Vishing
C.Whaling
D.Spear phishing
AnswerC
Whaling targets senior executives with personalized attacks.
Why this answer
Whaling is a spear-phishing attack targeting senior executives, often with requests for wire transfers or sensitive information.
Which of the following Nmap flags would an attacker use to evade IDS by sending fragmented IP packets?
A.-D
B.-g
C.-sS
D.-f
AnswerD
-f causes packet fragmentation to evade detection.
Why this answer
The -f flag in Nmap instructs the tool to fragment the transmitted packets into smaller pieces (typically 8-byte fragments). This fragmentation is used to evade Intrusion Detection Systems (IDS) that rely on signature matching against complete, unfragmented packets, as the IDS may not reassemble the fragments before inspection or may fail to detect the malicious payload when spread across multiple fragments.
Exam trap
The trap here is that candidates often confuse the -f flag with the -D (decoy) flag, thinking both are used for evasion, but -f specifically targets packet fragmentation to bypass IDS, while -D hides the source IP.
How to eliminate wrong answers
Option A (-D) is wrong because the -D flag is used for decoy scanning, which spoofs multiple source IP addresses to hide the attacker's real IP, not to fragment packets. Option B (-g) is wrong because the -g flag sets a custom source port number for the scan, often to bypass firewall rules that allow traffic from specific ports (e.g., port 53 for DNS), and has nothing to do with fragmentation. Option C (-sS) is wrong because -sS performs a TCP SYN stealth scan, which sends SYN packets without completing the handshake to avoid connection logging, but it does not involve IP fragmentation.
An analyst detects an SMB enumeration attempt in network logs. Which of the following tools would MOST likely generate such traffic?
A.nmap -sT 192.168.1.1
B.enum4linux 192.168.1.1
C.snmpwalk -v 2c 192.168.1.1
D.ldapsearch -h 192.168.1.1
AnswerB
enum4linux performs extensive SMB enumeration.
Why this answer
Option B is correct. enum4linux is a tool specifically designed for SMB enumeration on Linux systems, often used to enumerate shares, users, and OS information.
Refer to the exhibit. A security analyst checks for missing patches. Which vulnerability is this system likely exposed to?
A.EternalBlue (MS17-010)
B.BlueKeep (CVE-2019-0708)
C.ZeroLogon (CVE-2020-1472)
D.PrintNightmare (CVE-2021-34527)
AnswerD
Not patched as of the exhibited patch dates (2020).
Why this answer
The system is Windows 10 build 19041 (2004) with patches up to 9/17/2020. EternalBlue (MS17-010) was patched in 2017, so it is likely patched. However, BlueKeep (CVE-2019-0708) affects older systems (Windows 7/2008 R2), not Windows 10.
ZeroLogon (CVE-2020-1472) was patched in August 2020; the system has KB4577586 from 9/8/2020 which includes the fix. PrintNightmare (CVE-2021-34527) was disclosed in 2021, after the patch dates shown, so the system is likely vulnerable to PrintNightmare.
During a web application test, a penetration tester intercepts a request using Burp Suite Proxy, modifies the 'Referer' header, and resends the request. The application processes the request despite the modified header. Which attack is the tester attempting to validate?
A.Server-Side Request Forgery (SSRF)
B.Cross-Site Scripting (XSS)
C.Cross-Site Request Forgery (CSRF)
D.SQL injection
AnswerC
CSRF defenses sometimes check the Referer header; modifying it tests this defense.
Why this answer
CSRF (Cross-Site Request Forgery) attacks often rely on the Referer header for validation. By modifying it, the tester checks if the application validates the header. If the request is processed, the application is vulnerable to CSRF.
During a cloud penetration test, you discover an S3 bucket that allows listing objects. You find a file named 'config.json' that contains an IAM access key and secret key. Which of the following is the BEST next step?
A.Delete the bucket to prevent further data exposure
B.Use the keys to call sts:GetCallerIdentity and then enumerate permissions via IAM
C.Download all objects from the bucket and exfiltrate them
D.Immediately rotate the keys in the AWS console
AnswerB
This validates the keys and determines what actions they allow, a standard post-exploitation step.
Why this answer
The correct action is to use the discovered credentials to enumerate permissions via the AWS CLI, as they may grant further access.
A security analyst receives an alert about a scan originating from an IP address that appears to be using a 'sIdle scan' technique. Which of the following characteristics would confirm this?
A.The scan uses fragmented packets and decoy IP addresses
B.The scan uses FTP bounce to hide the true source IP
C.The scan sends SYN packets with the zombie host's IP address as the source and monitors IPID changes on the zombie to determine open ports
D.The scan shows a SYN packet with the attacker's real IP but uses a zombie host to relay replies
AnswerC
This correctly describes the idle scan technique: spoofing the zombie's IP and observing IPID increments to infer port states.
Why this answer
Option C is correct because an idle scan (also known as a zombie scan) relies on sending SYN packets to the target with the spoofed source IP address of a zombie host, then monitoring the IPID sequence on that zombie to infer whether the target port is open, closed, or filtered. The key characteristic is the use of the zombie's IP as the source and the observation of IPID changes on the zombie, which is exactly what option C describes.
Exam trap
The trap here is that candidates often confuse the idle scan with other spoofing or relay techniques like FTP bounce or decoy scans, but the idle scan is uniquely defined by the use of a zombie host's IPID changes to infer port states, not by hiding the attacker's IP via relays or multiple decoys.
How to eliminate wrong answers
Option A is wrong because fragmented packets and decoy IP addresses are features of a fragmented scan or a decoy scan, not an idle scan; idle scan does not use fragmentation or multiple decoy IPs. Option B is wrong because FTP bounce is a separate technique that uses an FTP server to relay traffic and hide the true source, but it does not involve monitoring IPID changes on a zombie host. Option D is wrong because an idle scan does not send SYN packets with the attacker's real IP; the attacker's IP is never used in the probe packets—the zombie's IP is used as the source, and the zombie does not relay replies; instead, the attacker monitors the zombie's IPID to infer port states.
Which of the following tools is specifically designed for high-speed port scanning across large address spaces?
A.Masscan
B.Zenmap
C.hping3
D.Nmap
AnswerA
Masscan is designed for high-speed scanning, capable of millions of packets per second.
Why this answer
Masscan is specifically designed for high-speed port scanning across large address spaces, capable of transmitting packets at rates exceeding 10 million packets per second. It achieves this by using asynchronous transmission and a custom TCP/IP stack, making it ideal for scanning the entire IPv4 internet or massive subnets in minutes, unlike general-purpose scanners that prioritize accuracy over raw speed.
Exam trap
The trap here is that candidates often assume Nmap is the fastest scanning tool because of its popularity and extensive feature set, but Masscan is explicitly engineered for raw speed at the cost of some accuracy, which is the key differentiator tested in this question.
How to eliminate wrong answers
Option B (Zenmap) is wrong because it is merely a graphical front-end for Nmap, not a standalone high-speed scanner; it inherits Nmap's slower, more thorough scanning approach. Option C (hping3) is wrong because it is a packet crafting and testing tool focused on custom packet generation and firewall testing, not optimized for high-speed port scanning across large address spaces. Option D (Nmap) is wrong because while it is a powerful and versatile scanner, it is designed for detailed, reliable scans with features like service detection and OS fingerprinting, and its default scanning methods are significantly slower than Masscan's asynchronous approach.
A system administrator wants to enumerate all users in an Active Directory domain. Which protocol and query technique should they use?
A.SNMP with public community string
B.SMB null session
C.SMTP VRFY
D.LDAP anonymous query
AnswerD
LDAP can query directory services like AD; anonymous queries may reveal basic user info if not restricted.
Why this answer
Option D is correct because LDAP anonymous queries allow unauthenticated users to query an Active Directory domain for directory information, including user enumeration. By default, AD permits anonymous LDAP binds to retrieve attributes like sAMAccountName, userPrincipalName, and group memberships, making it a standard technique for enumerating users without credentials.
Exam trap
The trap here is that candidates often confuse SMB null sessions (a deprecated attack) with LDAP anonymous queries (a current, often-valid technique), or they mistakenly think SMTP VRFY is relevant to domain user enumeration instead of email address verification.
How to eliminate wrong answers
Option A is wrong because SNMP with a public community string is used for reading device configuration and statistics, not for enumerating Active Directory users; it targets network devices, not domain user objects. Option B is wrong because SMB null sessions were a legacy Windows vulnerability that allowed unauthenticated access to shares and user lists, but this has been disabled by default since Windows 2003 SP1 and is not a reliable modern enumeration technique. Option C is wrong because SMTP VRFY is used to verify email addresses on a mail server, not to enumerate Active Directory users; it operates at the application layer for email routing, not directory services.
A security team is implementing measures to prevent cross-site request forgery (CSRF) attacks. Which of the following is the most effective mitigation technique?
A.Enabling SSL/TLS
B.Using HTTP GET for all form submissions
C.Implementing CSRF tokens
D.Using input validation
AnswerC
CSRF tokens are the standard defense against CSRF attacks.
Why this answer
CSRF tokens are unique, unpredictable values that must be included in state-changing requests, ensuring the request originated from the legitimate site.
An attacker attempts to log into a web application by trying many common passwords for a list of known usernames. Which type of authentication attack is this?
A.Dictionary attack
B.Credential stuffing
C.Password spraying
D.Brute force attack
AnswerC
Password spraying uses a few common passwords across many accounts.
Why this answer
Password spraying involves using a few common passwords against many usernames to avoid account lockouts, as opposed to brute force (many passwords on one account) or credential stuffing (using known username/password pairs).
A security team finds that a web application accepts a user-supplied URL and fetches it server-side without validation. The application runs on AWS EC2 with a metadata endpoint at 169.254.169.254. Which attack is MOST likely to succeed?
A.SQL injection
B.Server-Side Request Forgery (SSRF)
C.Remote file inclusion (RFI)
D.Cross-site scripting (XSS)
AnswerB
SSRF allows the attacker to make the server request internal resources like the metadata endpoint.
Why this answer
SSRF (Server-Side Request Forgery) occurs when an application fetches a user-controlled URL. By supplying the metadata endpoint, an attacker can retrieve IAM credentials, making this the most likely attack.
A security analyst discovers that a containerized application running in a cloud environment can access the host's file system by mounting /var/run/docker.sock inside the container. Which type of attack does this configuration enable?
A.Server-Side Request Forgery (SSRF)
B.Privilege escalation within the container only
C.Container escape to the host
D.Denial-of-Service (DoS) attack against the container runtime
AnswerC
Correct. Access to the Docker socket allows full control over the host's Docker daemon, enabling container escape.
Why this answer
Mounting the Docker socket inside a container allows the container to communicate with the Docker daemon on the host, potentially allowing the attacker to create new containers, escape the container, and execute commands on the host.
A security analyst notices that the ARP cache on a workstation contains multiple entries for the same IP address with different MAC addresses. Which attack is likely occurring?
A.ARP poisoning
B.Session hijacking
C.DNS spoofing
D.MAC flooding
AnswerA
ARP poisoning causes multiple MAC entries for one IP due to forged ARP replies.
Why this answer
Multiple MAC addresses for one IP in the ARP cache is a sign of ARP spoofing/poisoning, where an attacker sends forged ARP replies to associate their MAC with the victim's IP.
A security team discovers a file named 'svchost.exe' in a user's Temp folder. The file is signed by 'Microsoft Corporation' but the digital signature validation fails. Which analysis method should be used FIRST to determine if it's malicious?
A.Upload to VirusTotal
B.Dynamic analysis in a sandbox
C.Static analysis using strings and PEiD
D.Run the file on a production system to observe behavior
AnswerC
Correct. Static analysis can reveal suspicious strings, packed executables, or invalid signatures without execution.
Why this answer
Static analysis (e.g., examining strings, digital signatures, PE headers) is the first step because it is safe and can quickly identify suspicious indicators without executing the file.
During an assessment, a tester discovers that the web application accepts XML input and returns the parsed data. The tester submits the following payload: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>. The response contains the contents of /etc/passwd. This vulnerability is known as:
A.Local File Inclusion (LFI)
B.Server-Side Request Forgery (SSRF)
C.XML External Entity (XXE) Injection
D.SQL injection
AnswerC
XXE exploits XML parsers to read files or perform SSRF.
Why this answer
The payload defines an external entity that reads a local file, a classic XXE (XML External Entity) injection.