Certified Ethical Hacker CEH (CEH) — Questions 376450

1010 questions total · 14pages · All types, answers revealed

Page 5

Page 6 of 14

Page 7
376
MCQeasy

Which HTTP method is commonly used by WebDAV to upload files to a web server, and if misconfigured, could allow an attacker to upload malicious scripts?

A.DELETE
B.GET
C.POST
D.PUT
AnswerD

PUT is the HTTP method used to upload files in WebDAV.

Why this answer

The PUT method allows uploading resources to the server, and if enabled without proper controls, can be exploited to upload malicious files.

377
MCQmedium

A security analyst wants to perform banner grabbing on a web server without establishing a full TCP connection. Which tool would be MOST appropriate?

A.Telnet
B.Wireshark
C.Nmap with -sT
D.Netcat
AnswerD

Netcat can open a TCP connection and receive the banner, though it completes the handshake.

Why this answer

Netcat (option D) is the most appropriate tool for banner grabbing without establishing a full TCP connection because it can send a raw TCP SYN packet and then immediately read the server's response banner without completing the three-way handshake. By using the `-z` flag for zero I/O mode, Netcat performs a simple port probe that captures the initial banner data, which is often sent by services like HTTP or FTP before the handshake finishes. This avoids the overhead of a full connection and minimizes the footprint on the target.

Exam trap

The trap here is that candidates often confuse Netcat with Telnet or assume that any Nmap scan type (like -sT) is suitable for banner grabbing, but the question specifically requires avoiding a full TCP connection, which only a tool capable of half-open scanning (like Netcat with -z) can achieve.

How to eliminate wrong answers

Option A (Telnet) is wrong because Telnet establishes a full TCP connection via a three-way handshake and then waits for user input, which defeats the purpose of avoiding a full connection; it also cannot perform banner grabbing without completing the handshake. Option B (Wireshark) is wrong because it is a passive packet capture and analysis tool that cannot initiate connections or perform banner grabbing; it can only observe traffic that is already flowing. Option C (Nmap with -sT) is wrong because the -sT flag performs a full TCP connect scan, which completes the three-way handshake, exactly what the analyst wants to avoid; a stealth SYN scan (-sS) would be more appropriate for banner grabbing without a full connection.

378
MCQmedium

A security team deployed a web application firewall (WAF) that blocks requests containing SQL keywords like 'SELECT', 'UNION', and 'DROP'. An attacker bypasses the WAF by encoding the payload in base64 and using a SQL injection tool that decodes it server-side. Which mitigation would be MOST effective against this?

A.Increase WAF sensitivity to block base64-encoded strings
B.Implement prepared statements with parameterized queries
C.Disable error messages to hide database errors
D.Use a more restrictive input validation regex
AnswerB

Prepared statements eliminate SQL injection by using placeholders for user input.

Why this answer

Prepared statements (parameterized queries) prevent SQL injection by separating query structure from data, regardless of encoding. WAF bypasses are mitigated by using proper coding practices.

379
MCQhard

During a penetration test, a tester uses Nmap with the command: nmap -sS -D RND:10 192.168.1.100. After the scan, the IDS logs show multiple SYN packets from different source IPs hitting the target. However, the tester's true IP is not among them. Which of the following techniques is being used?

A.Idle scan
B.SYN flood
C.Decoy scan
D.Fragmentation attack
AnswerC

The -D flag specifies decoy IPs. RND:10 generates random decoys. This hides the real source by making it appear from multiple IPs.

Why this answer

The command `nmap -sS -D RND:10` performs a SYN stealth scan with 10 randomly generated decoy IP addresses. The IDS logs show multiple SYN packets from different source IPs, but the tester's true IP is not among them because Nmap sends the decoy packets with spoofed source addresses while the real scan packet is interleaved among them. This is the definition of a decoy scan, which aims to obscure the attacker's true origin by blending it with fake sources.

Exam trap

The trap here is confusing decoy scans with idle scans, as both involve spoofed IPs, but idle scans require a zombie host and IPID manipulation, while decoy scans simply flood the target with fake sources to hide the real one.

How to eliminate wrong answers

Option A is wrong because an idle scan (nmap -sI) uses a zombie host to bounce scan traffic off, relying on IPID sequence analysis, not multiple random source IPs. Option B is wrong because a SYN flood is a denial-of-service attack that sends a high volume of SYN packets to overwhelm the target, not a stealth scanning technique to hide the tester's IP. Option D is wrong because a fragmentation attack (nmap -f) splits packets into smaller fragments to evade IDS/IPS signature detection, but does not spoof source IPs or use decoys.

380
MCQhard

An attacker has compromised a Linux machine and wants to hide a rootkit by replacing system binaries with trojaned versions. Which technique is being used to maintain persistent access while evading detection?

A.Log manipulation
B.Token impersonation
C.Steganography
D.Rootkit installation via binary replacement
AnswerD

Rootkits often replace system binaries to hide malicious activity.

Why this answer

Replacing system binaries (e.g., ls, ps, netstat) with trojaned versions that hide the attacker's processes is a classic rootkit technique to cover tracks.

381
MCQmedium

During a penetration test, an analyst obtains a dump of password hashes from a Windows server. The hashes are in LM:NT format. The analyst wants to crack the NT portion using a brute-force attack on 8-character alphanumeric passwords. Which tool is BEST suited for this task?

A.Hashcat
B.John the Ripper
C.RainbowCrack
D.Ophcrack
AnswerA

Hashcat supports GPU brute-force on NTLM.

Why this answer

Hashcat is a high-performance password cracker that supports GPU-accelerated brute-force attacks on NTLM hashes.

382
MCQhard

A web server running IIS 8.5 is found to have WebDAV enabled with write permissions. Which attack is MOST likely to be successful against this configuration?

A.Cross-Site Request Forgery (CSRF)
B.SQL injection
C.File upload leading to remote code execution
D.Directory traversal
AnswerC

WebDAV write permissions enable uploading executable files.

Why this answer

WebDAV with write permissions allows attackers to upload files (e.g., web shells) to the server, leading to remote code execution.

383
MCQhard

A security analyst notices that their Nmap scan results show all ports as 'filtered' despite the target host being alive and responsive to ping. Which of the following is the MOST likely cause?

A.The analyst's machine has a misconfigured routing table
B.The target has a host-based firewall that drops all incoming traffic silently
C.The target is running a honeypot that mimics multiple services
D.The target is an idle host that does not respond to any traffic
AnswerB

A stateful firewall dropping packets without sending RST or ICMP unreachable leads to filtered port status.

Why this answer

When an Nmap scan shows all ports as 'filtered', it indicates that the target is reachable (since ping succeeds) but the probe packets (e.g., SYN, ACK) are being dropped without any response. A host-based firewall configured to silently drop all incoming traffic is the most likely cause, as it prevents Nmap from receiving RST or SYN/ACK replies, leading to the 'filtered' state for every port.

Exam trap

The trap here is that candidates often confuse 'filtered' with 'closed' or 'open', or assume a host that responds to ping must have open ports, but a firewall can silently drop all inbound TCP/UDP probes while still allowing ICMP echo requests.

How to eliminate wrong answers

Option A is wrong because a misconfigured routing table on the analyst's machine would likely cause no response at all (including ping failure) or asymmetric routing issues, not a consistent 'filtered' state on all ports while ping succeeds. Option C is wrong because a honeypot mimicking multiple services would typically respond to probes (e.g., with SYN/ACK or banners) to attract attackers, resulting in 'open' or 'closed' port states, not 'filtered'. Option D is wrong because an idle host that does not respond to any traffic would not respond to ping either, contradicting the scenario where the target is alive and responsive to ping.

384
MCQeasy

Which of the following is a primary purpose of the SameSite cookie attribute in mitigating CSRF attacks?

A.To limit the cookie to a specific path
B.To encrypt the cookie value
C.To prevent the cookie from being sent in cross-origin requests, mitigating CSRF
D.To restrict the cookie to HTTPS connections only (Secure flag)
AnswerC

SameSite prevents cookies from being sent in cross-site requests, which is a key defense against CSRF.

Why this answer

SameSite cookie attribute (Strict, Lax, or None) controls when cookies are sent in cross-site requests. Setting SameSite to Lax or Strict prevents the browser from sending cookies on cross-site POST requests, thus mitigating CSRF.

385
MCQeasy

Which of the following tools is used to crack Windows LAN Manager (LM) and NTLM password hashes using rainbow tables?

A.RainbowCrack
B.Hashcat
C.John the Ripper
D.Hydra
AnswerA

RainbowCrack specifically uses rainbow tables for cracking.

Why this answer

RainbowCrack is a tool that uses rainbow tables (precomputed hash chains) to crack password hashes, including LM and NTLM. Ophcrack also uses rainbow tables but is specifically for LM hashes; RainbowCrack is more general.

386
Multi-Selectmedium

Which TWO techniques are considered active reconnaissance? (Choose TWO.)

Select 2 answers
A.Using Google dorking to find exposed files
B.Querying Shodan for exposed devices
C.Port scanning with Nmap
D.Banner grabbing with Netcat
E.Performing a WHOIS lookup
AnswersC, D

Port scanning sends probes to the target, making it active.

Why this answer

Port scanning with Nmap (Option C) is active reconnaissance because it sends crafted packets (e.g., TCP SYN, UDP probes) directly to target systems and analyzes the responses to determine open ports, running services, and operating system details. Banner grabbing with Netcat (Option D) is also active reconnaissance as it establishes a TCP connection to a target service (e.g., HTTP, FTP) and reads the service banner, which involves direct interaction with the target. Both techniques generate detectable network traffic and can be logged by intrusion detection systems.

Exam trap

The trap here is that candidates confuse 'using a tool that sometimes performs active scanning' (like Shodan, which actively scans on its own) with the user's action being active; the key distinction is whether the user's query directly interacts with the target system.

387
Multi-Selecteasy

Which TWO of the following are types of malware analysis? (Select two.)

Select 2 answers
A.Static analysis
B.Memory analysis
C.Signature analysis
D.Dynamic analysis
E.Heuristic analysis
AnswersA, D

Correct. Static analysis reviews code and structure without execution.

Why this answer

Static analysis examines the file without executing it (e.g., examining strings, headers). Dynamic analysis executes the malware in a controlled environment (sandbox) to observe behavior.

388
MCQmedium

An organization wants to mitigate the impact of a DDoS attack that uses large volumes of UDP traffic to exhaust bandwidth. Which of the following techniques would be MOST effective?

A.Rate limiting on all ports
B.Deploying a scrubbing center
C.Blocking all UDP traffic
D.Implementing SYN cookies
AnswerB

Scrubbing centers can analyze and filter out malicious UDP traffic while allowing legitimate traffic.

Why this answer

Scrubbing centers filter malicious traffic from legitimate traffic, effectively mitigating volumetric DDoS attacks.

389
MCQhard

During a penetration test, a tester discovers that the target switch's MAC address table is full, causing it to flood traffic out all ports. The tester then captures network traffic using Wireshark on the same segment. Which attack was the tester performing?

A.DNS spoofing
B.MAC flooding
C.Session hijacking
D.ARP poisoning
AnswerB

MAC flooding fills the switch's MAC address table, causing it to broadcast frames.

Why this answer

MAC flooding attacks send many fake MAC addresses to overflow the switch's MAC table, forcing it into hub mode and allowing traffic sniffing.

390
Multi-Selectmedium

Which TWO tools are commonly used for ARP poisoning attacks?

Select 2 answers
A.Wireshark
B.Cain & Abel
C.tcpdump
D.Ettercap
E.Nmap
AnswersB, D

Cain & Abel is a Windows tool that includes ARP poisoning capabilities.

Why this answer

Ettercap and Cain & Abel are well-known tools for ARP poisoning, allowing attackers to intercept traffic on a LAN.

391
MCQeasy

A security analyst wants to identify all live hosts on a network without generating excessive traffic. Which of the following techniques is MOST appropriate for this purpose?

A.Banner grabbing with Netcat
B.Full TCP connect scan on all ports
C.UDP scan on common ports
D.Ping sweep using ICMP echo requests
AnswerD

Ping sweep sends ICMP echo requests to multiple IPs; replies indicate live hosts. It is efficient and low-traffic.

Why this answer

A ping sweep using ICMP Echo Requests (Type 8) is the most efficient method to identify live hosts on a network because it sends a single packet per target and listens for ICMP Echo Replies (Type 0). This generates minimal traffic compared to full port scans, making it ideal for initial reconnaissance without overwhelming the network or triggering intrusion detection systems.

Exam trap

The trap here is that candidates often confuse host discovery with service discovery, choosing a port-based scan (like TCP connect or UDP) because they think 'scanning' always involves ports, but the question explicitly asks for identifying live hosts with minimal traffic, which is the textbook purpose of a ping sweep.

How to eliminate wrong answers

Option A is wrong because banner grabbing with Netcat requires an active TCP connection to a specific port on a host, which is a post-discovery technique used to identify services, not to find live hosts, and it generates more traffic per host than a simple ping. Option B is wrong because a full TCP connect scan on all 65,535 ports per host would generate massive traffic (thousands of packets per host), defeating the goal of minimizing network load and being easily detected. Option C is wrong because a UDP scan on common ports sends datagrams that often receive no response (due to stateless nature or firewalls), making it unreliable for host discovery and still generating more traffic than a single ICMP packet per host.

392
Multi-Selecteasy

Which TWO of the following are commonly used to mitigate SQL injection vulnerabilities? (Select 2)

Select 2 answers
A.Stored procedures
B.Output encoding
C.Input validation
D.Parameterized queries
E.HTTPS encryption
AnswersA, D

Stored procedures can be safe if parameterized correctly.

Why this answer

Parameterized queries and stored procedures (when used correctly) prevent SQL injection by separating SQL logic from data.

393
MCQeasy

You are a penetration tester hired by a financial services company to assess the security of their external web application. The application is a customer portal hosted on a Linux server with Apache 2.4.6 and PHP 7.2. During reconnaissance, you discover that the server responds to HTTP OPTIONS requests and the Allow header includes PUT and DELETE methods. The application uses a MySQL database backend. You also find a file upload feature in the profile section that accepts JPEG images. While testing, you notice that uploading a file with a .php extension returns a '403 Forbidden' error, but uploading a file with .php5 or .phtml extension succeeds. The uploaded files are stored in /uploads/ directory. What should be your next step to escalate the attack?

A.Use the PUT method to upload a malicious file directly to the web root.
B.Upload a PHP web shell with .phtml extension and access it via the /uploads/ directory to execute commands.
C.Exploit the IIS WebDAV vulnerability to execute commands.
D.Attempt SQL injection in the login form to extract database credentials.
AnswerB

This leverages the upload bypass to achieve code execution.

Why this answer

Option B is correct because the server allows file uploads with .phtml extension, which Apache processes as PHP due to its configuration. Uploading a PHP web shell with .phtml extension to the /uploads/ directory and accessing it directly allows command execution, escalating the attack. This bypasses the 403 Forbidden restriction on .php files while leveraging the existing upload functionality.

Exam trap

The trap here is that candidates may assume PUT method (Option A) is the primary escalation path because it is listed in the Allow header, but they overlook that the file upload feature with .phtml extension is a confirmed, working vector that directly leads to code execution.

How to eliminate wrong answers

Option A is wrong because the PUT method, while listed in the Allow header, typically requires WebDAV to be enabled on Apache, and direct PUT to web root is often restricted by server configuration or requires authentication; it is not a reliable escalation path without further evidence. Option C is wrong because IIS WebDAV vulnerability is specific to Microsoft IIS servers, not Apache on Linux; the server is running Apache 2.4.6 on Linux, so this option is irrelevant. Option D is wrong because SQL injection in the login form is a separate attack vector that may be possible but is not the immediate next step given the confirmed file upload vulnerability with .phtml extension; the question asks for escalation based on the discovered upload flaw.

394
Multi-Selecthard

Which THREE of the following are common indicators of a man-in-the-middle attack using ARP spoofing? (Choose three.)

Select 3 answers
A.Multiple MAC addresses associated with the same IP in the ARP cache
B.Duplicate IP addresses in the ARP table
C.A sudden spike in DNS traffic
D.Unusual ARP replies without corresponding requests
E.Increased network latency on the victim's connection
AnswersB, D, E

ARP spoofing assigns the same IP to multiple MAC addresses, causing duplicates.

Why this answer

ARP spoofing often causes duplicate IP addresses in ARP tables, unusual ARP traffic, and increased latency due to packet interception. A sudden spike in DNS traffic is not directly related to ARP spoofing.

395
MCQmedium

A security analyst notices that users receive emails from a known vendor requesting urgent payment to a new bank account. The email domain is misspelled (e.g., vvendorfake.com). Which type of social engineering is this?

A.Spear phishing
B.Whaling
C.Phishing
D.Vishing
AnswerA

Targeted emails with personalized context and spoofed domain indicate spear phishing.

Why this answer

Spear phishing targets specific individuals or organizations with personalized content. The misspelled domain and urgency are classic spear phishing indicators.

396
MCQhard

A security analyst observes that an Nmap SYN scan against a target network returns all ports as 'filtered'. The analyst suspects an IDS/IPS is dropping inbound SYN packets. Which Nmap technique would MOST likely bypass this detection while still identifying open ports?

A.Enable IP fragmentation with the -f flag
B.Use the -sU flag for UDP scanning
C.Use the -sT flag for a TCP connect scan
D.Increase scanning speed with -T5
AnswerA

Fragmentation can help evade detection by splitting the SYN packet across multiple fragments.

Why this answer

When an IDS/IPS drops inbound SYN packets, a standard SYN scan (-sS) is detected because the probe packets are easily recognized. Enabling IP fragmentation with the -f flag splits the TCP header across multiple fragments, making it harder for the IDS/IPS to reassemble and inspect the full packet, thus potentially bypassing the filter while still allowing Nmap to determine open ports based on responses.

Exam trap

The trap here is that candidates often think increasing speed (-T5) or using a full connect scan (-sT) makes scanning stealthier, when in fact fragmentation (-f) is the classic evasion technique for bypassing packet filters and IDS/IPS that inspect full packets.

How to eliminate wrong answers

Option B is wrong because UDP scanning (-sU) sends UDP datagrams, not SYN packets, and would not bypass a filter that drops inbound SYN packets; it also does not help identify open TCP ports. Option C is wrong because a TCP connect scan (-sT) completes the full three-way handshake, which still uses SYN packets and is even more detectable than a SYN scan, not less. Option D is wrong because increasing scanning speed with -T5 makes the scan more aggressive and noisy, which is more likely to trigger IDS/IPS alerts rather than bypass them.

397
MCQhard

An attacker intercepts a TLS-encrypted session and attempts to force the client and server to use a weaker cipher suite. Which type of attack is being performed?

A.Man-in-the-middle (MITM) attack
B.Birthday attack
C.Replay attack
D.Downgrade attack
AnswerD

Correct. The attacker forces the use of weaker encryption by interfering with the handshake.

Why this answer

A downgrade attack tricks the communicating parties into negotiating a less secure version of TLS or a weaker cipher suite, making it easier for the attacker to break the encryption.

398
MCQhard

A web application takes a URL from user input and fetches the content to display on the page. An attacker submits a URL pointing to an internal service like http://localhost:8080/admin. The server retrieves the internal resource and returns it. What is this attack?

A.Cross-Site Scripting (XSS)
B.Server-Side Request Forgery (SSRF)
C.Directory Traversal
D.Remote File Inclusion (RFI)
AnswerB

The server is tricked into making a request to an internal resource.

Why this answer

Server-Side Request Forgery (SSRF) occurs when a server makes requests to internal resources based on user-supplied URLs.

399
MCQmedium

During a security assessment, a tester uses Netcat to connect to a target's SMTP port and receive the service banner. Which command would achieve this?

A.nc -z <target> 25
B.nc -l -p 25
C.nc -u <target> 25
D.nc -v <target> 25
AnswerD

This connects to the target on port 25 and displays the banner.

Why this answer

Option D is correct because the `-v` (verbose) flag in Netcat causes it to display connection details, including the service banner received from the target. When connecting to SMTP port 25, the server typically sends a banner (e.g., "220 smtp.example.com ESMTP") immediately upon TCP connection establishment, and `nc -v <target> 25` prints that banner to stdout, allowing the tester to read it.

Exam trap

The trap here is that candidates often confuse the `-v` flag with `-z` or `-u`, mistakenly thinking that a simple connection (without verbose) or a UDP scan would reveal the banner, but only `-v` ensures the received data is printed to the terminal.

How to eliminate wrong answers

Option A is wrong because `nc -z` performs a zero-I/O scan (port scanning without sending data) and does not read or display any banner; it only reports whether the port is open. Option B is wrong because `nc -l -p 25` puts Netcat in listening mode on port 25, which would make the tester's machine act as an SMTP server, not connect to a target's SMTP port. Option C is wrong because `-u` specifies UDP mode, but SMTP operates over TCP (RFC 5321), so a UDP connection to port 25 would not establish a valid SMTP session or receive a banner.

400
MCQmedium

During a penetration test, a tester runs 'dnsrecon -d example.com -t axfr' and receives a full list of DNS records. What does this indicate about the target's DNS configuration?

A.The DNS server has DNSSEC enabled
B.The DNS server allows recursive queries
C.The DNS server allows zone transfers from any host
D.The DNS server is authoritative for the domain
AnswerC

A successful axfr means the server is configured to allow zone transfers to unauthorized hosts.

Why this answer

The 'dnsrecon -d example.com -t axfr' command performs a DNS zone transfer (AXFR) request. Receiving a full list of DNS records indicates that the target DNS server is misconfigured to allow zone transfers from any host, which exposes the entire DNS zone data (including internal hostnames and IP addresses) to unauthorized parties. This is a critical information disclosure vulnerability.

Exam trap

The trap here is that candidates confuse 'authoritative' with 'vulnerable' — being authoritative is normal, but allowing unrestricted zone transfers is the misconfiguration; EC-Council often tests this by making option D sound correct because the server is authoritative, but the real issue is the lack of access control on the AXFR query.

How to eliminate wrong answers

Option A is wrong because DNSSEC (DNS Security Extensions) provides data integrity and authentication via digital signatures, but it does not control or prevent zone transfers; a server can have DNSSEC enabled and still allow unauthorized AXFR. Option B is wrong because recursive queries allow the DNS server to resolve queries for external domains on behalf of clients, which is a separate setting (often controlled by 'allow-recursion') and not directly related to zone transfer permissions. Option D is wrong because being authoritative for a domain means the server holds the official zone data for that domain, which is normal and expected; the security issue is not that it is authoritative, but that it allows zone transfers from any host without restriction.

401
MCQmedium

Which type of malware is characterized by modifying its own code to evade signature-based detection, often changing its appearance each time it replicates?

A.Polymorphic virus
B.Trojan horse
C.Macro virus
D.Boot sector virus
AnswerA

Polymorphic viruses change their code on each infection.

Why this answer

Polymorphic malware changes its code (but retains functionality) to avoid detection by signature-based antivirus.

402
MCQmedium

An organization receives an email that appears to be from the CEO, urgently requesting that the recipient wire funds to a new vendor. The email contains the CEO's name and title but the sender address is slightly misspelled. Which type of social engineering attack is this?

A.Pretexting
B.Whaling
C.Vishing
D.Spear phishing
AnswerB

Whaling targets senior executives with personalized scams.

Why this answer

Whaling targets senior executives (like the CEO) with personalized phishing emails, often involving financial fraud.

403
MCQeasy

Which Google dork would a penetration tester use to find login pages of websites that have 'admin' in the URL?

A.site:admin login
B.filetype:pdf admin login
C.intitle:"login" inurl:admin
D.inurl:"admin" inurl:"login"
AnswerD

inurl:admin finds URLs containing 'admin', and inurl:login finds URLs containing 'login'. Combined, they find login pages with 'admin' in the URL.

Why this answer

Option D is correct because the Google dork `inurl:"admin" inurl:"login"` specifically searches for pages where both 'admin' and 'login' appear in the URL. This is a precise way to find login pages on administrative interfaces, as it targets URLs containing both terms, which is a common pattern for admin login portals.

Exam trap

The trap here is that candidates often choose `intitle:"login" inurl:admin` (Option C) thinking it's more comprehensive, but they overlook that many admin login pages do not have 'login' in the HTML title tag, making the `intitle:` operator too restrictive for this specific goal.

How to eliminate wrong answers

Option A is wrong because `site:admin login` is not a valid Google dork; `site:` requires a domain name, not a keyword, and 'admin login' as a search phrase would just match pages containing those words anywhere, not specifically in the URL. Option B is wrong because `filetype:pdf admin login` restricts results to PDF files, which is irrelevant for finding login pages (typically HTML/ASPX/PHP), and the terms 'admin' and 'login' are searched in the page content, not the URL. Option C is wrong because `intitle:"login" inurl:admin` searches for pages with 'login' in the title and 'admin' in the URL, but this misses pages where 'login' is only in the URL (not the title), which is common for many admin login pages.

404
Drag & Dropmedium

Drag and drop the steps to set up a reverse shell using Netcat into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Listener first, then victim connects, shell access, execute, cleanup.

405
Multi-Selectmedium

Which TWO of the following are examples of static malware analysis techniques? (Select two.)

Select 2 answers
A.Running the malware in a sandbox
B.Capturing network traffic during execution
C.Monitoring process behavior with Process Monitor
D.Checking file hash on VirusTotal
E.Examining strings in the binary
AnswersD, E

VirusTotal uses static signatures.

Why this answer

Static analysis examines the malware without executing it. String analysis looks for embedded strings, and VirusTotal checks hashes against known signatures. Sandboxing and process monitoring are dynamic analysis.

406
MCQeasy

A security analyst receives an alert indicating that a workstation is sending outbound connections to a known malicious IP address. The analyst suspects a Trojan. Which tool is BEST for performing dynamic analysis of the suspicious binary?

A.VirusTotal
B.Sandbox
C.String analysis
D.PEiD
AnswerB

A sandbox runs the binary in a controlled environment to monitor its actions.

Why this answer

Sandbox environments safely execute malware to observe behavior, making them ideal for dynamic analysis.

407
Multi-Selectmedium

Which THREE of the following are common indicators of an ongoing brute-force attack against a web application?

Select 3 answers
A.A single user account being locked out repeatedly
B.Login requests arriving at an unusually high frequency
C.Many different usernames being targeted from the same IP
D.Successful logins from unusual geographic locations
E.A high number of failed login attempts from a single IP address
AnswersB, C, E

High frequency suggests automated tool.

Why this answer

Multiple failed logins from the same IP, high frequency of login requests, and many different usernames tried from one source are typical signs of brute-force.

408
Multi-Selectmedium

Which TWO of the following are examples of application-layer DDoS attacks? (Choose two.)

Select 2 answers
A.UDP flood
B.Slowloris
C.HTTP flood
D.SYN flood
E.Smurf attack
AnswersB, C

Slowloris is an application-layer attack that consumes server resources by keeping many connections open.

Why this answer

Slowloris and HTTP flood are application-layer attacks. SYN flood is a protocol attack, UDP flood is volumetric, and Smurf is also a protocol attack.

409
MCQhard

A forensic analyst examines a system infected with malware that displays ransomware notes and encrypts files. The analyst uses a sandbox to observe behavior. During analysis, the malware contacts a C2 server and downloads additional payloads. Which type of malware analysis is being performed?

A.Dynamic analysis
B.Static analysis
C.Network analysis
D.Code analysis
AnswerA

The sandbox execution and behavioral observation is dynamic analysis.

Why this answer

Dynamic analysis involves executing malware in a controlled environment to observe behavior.

410
MCQeasy

Which of the following tools is specifically designed to crack Windows LAN Manager (LM) and NTLM hashes using rainbow tables?

A.Hashcat
B.RainbowCrack
C.John the Ripper
D.Ophcrack
AnswerD

Ophcrack uses rainbow tables to crack LM and NTLM hashes efficiently.

Why this answer

Ophcrack is specifically designed to crack Windows LM and NTLM hashes using precomputed rainbow tables. It leverages the time-memory trade-off technique to rapidly reverse these hashes without brute-forcing, making it the correct choice for this targeted task.

Exam trap

The trap here is that candidates often confuse RainbowCrack (a generic rainbow table tool) with Ophcrack (which is specifically designed for Windows LM/NTLM hashes), leading them to select RainbowCrack despite Ophcrack being the correct answer due to its Windows-specific focus.

How to eliminate wrong answers

Option A is wrong because Hashcat is a general-purpose password recovery tool that uses GPU acceleration and supports many hash types, but it is not specifically designed for rainbow table attacks; it primarily uses brute-force, dictionary, and rule-based attacks. Option B is wrong because RainbowCrack is a generic rainbow table implementation that can crack various hash types, but it is not specifically tailored to Windows LM/NTLM hashes and lacks the integrated Windows-focused features of Ophcrack. Option C is wrong because John the Ripper is a versatile password cracking tool that supports many hash formats, but it does not natively use rainbow tables; its primary methods are dictionary and brute-force attacks.

411
MCQmedium

A penetration tester uses the tool 'ScoutSuite' against an AWS target. Which of the following BEST describes the purpose of this tool?

A.Enumerate IAM users and roles for privilege escalation
B.Perform automated penetration testing of web applications
C.Exploit vulnerabilities in cloud services
D.Audit cloud infrastructure for misconfigurations and compliance
AnswerD

ScoutSuite identifies security issues like open S3 buckets, weak IAM policies, etc.

Why this answer

ScoutSuite is an open-source multi-cloud security auditing tool that assesses cloud environments (AWS, Azure, GCP) by scanning for misconfigurations and compliance violations. It does not perform exploitation or penetration testing; instead, it checks for issues like overly permissive security groups, unencrypted S3 buckets, or unused IAM roles, aligning with option D's description of auditing cloud infrastructure for misconfigurations and compliance.

Exam trap

EC-Council often tests the distinction between auditing and exploitation, so the trap here is that candidates confuse 'auditing for misconfigurations' with 'exploiting vulnerabilities,' leading them to choose option C, even though ScoutSuite is purely a read-only assessment tool.

How to eliminate wrong answers

Option A is wrong because ScoutSuite does not specifically enumerate IAM users and roles for privilege escalation; it audits all cloud resources for misconfigurations, and while it may report IAM issues, its primary purpose is not targeted enumeration for privilege escalation. Option B is wrong because ScoutSuite is not a web application penetration testing tool; it focuses on cloud infrastructure configuration, not web application vulnerabilities like SQL injection or XSS. Option C is wrong because ScoutSuite does not exploit vulnerabilities; it is a read-only auditing tool that identifies misconfigurations without performing any exploitation actions.

412
Multi-Selectmedium

Which TWO techniques are commonly used for privilege escalation on Linux systems? (Select two.)

Select 2 answers
A.Kernel exploits
B.SUID/GUID abuse
C.Token impersonation
D.DLL hijacking
E.Pass-the-hash
AnswersA, B

Exploiting kernel vulnerabilities to gain root.

Why this answer

Kernel exploits (A) are a common privilege escalation technique on Linux because they target vulnerabilities in the kernel itself, allowing an attacker to execute arbitrary code with root privileges. By exploiting flaws such as buffer overflows or race conditions in kernel modules, an attacker can elevate from a low-privileged user to full root access. This is a classic method because the kernel runs with the highest system privileges, and a successful exploit bypasses all user-level security controls.

Exam trap

EC-Council often tests the distinction between Windows-specific and Linux-specific privilege escalation techniques, and the trap here is that candidates may confuse token impersonation or pass-the-hash as cross-platform methods, when they are strictly tied to Windows authentication and security models.

413
Multi-Selecteasy

Which THREE of the following are password cracking techniques? (Select 3)

Select 3 answers
A.Dictionary attack
B.Brute-force attack
C.Phishing
D.Steganography
E.Rainbow table attack
AnswersA, B, E

Uses a wordlist to guess passwords.

Why this answer

A dictionary attack is a password cracking technique where an attacker uses a precompiled list of likely passwords (a dictionary file) to attempt authentication against a target system. It relies on the fact that many users choose common words or phrases as passwords, making it effective against weak passwords but ineffective against strong, random ones.

Exam trap

The trap here is that candidates may confuse password cracking techniques with broader attack categories like social engineering (phishing) or data hiding (steganography), which are distinct concepts in the CEH exam's enumeration and system hacking domain.

414
Multi-Selecthard

Which THREE of the following are effective countermeasures against evil twin attacks in wireless networks? (Select THREE.)

Select 3 answers
A.Implementing client-side certificate validation for network authentication
B.Using WPA3-Enterprise with 802.1X authentication
C.Enabling MAC address filtering on the AP
D.Disabling SSID broadcast on the legitimate AP
E.Using a VPN over the wireless connection
AnswersA, B, E

Client-side certificates ensure the client verifies the AP's identity, preventing connection to rogue APs.

Why this answer

Evil twin attacks involve a rogue AP impersonating a legitimate one. Countermeasures include using WPA3-Enterprise with 802.1X for mutual authentication, implementing client-side certificate validation, and using VPNs to encrypt traffic even over rogue APs.

415
MCQmedium

An organization experiences a DDoS attack where the attacker sends a flood of UDP packets to a server, causing it to become unresponsive. The packets appear to come from many different source IP addresses and are directed to random high-numbered ports. Which type of DDoS attack is this?

A.ICMP flood
B.UDP flood
C.SYN flood
D.Smurf attack
AnswerB

UDP flood sends a high volume of UDP datagrams to random ports, exhausting server resources.

Why this answer

A UDP flood is a volumetric attack that sends many UDP packets to random ports, overwhelming the target's ability to process them.

416
MCQhard

An attacker successfully escalates privileges on a Windows server using a known vulnerability in the Print Spooler service (PrintNightmare). Which type of privilege escalation does this represent?

A.Local exploit in a service
B.DLL hijacking
C.SUID abuse
D.Token impersonation
AnswerA

PrintNightmare is a local exploit in the Print Spooler service.

Why this answer

PrintNightmare is a local exploit that allows an unprivileged user to gain SYSTEM privileges. It is a classic local privilege escalation vulnerability.

417
MCQhard

A tester sends the following payload to a web application: %3Cscript%3Ealert('XSS')%3C/script%3E. The application echoes back the decoded payload in the response without sanitization. This behavior is typical of which type of vulnerability?

A.HTTP Response Splitting
B.DOM-based XSS
C.Stored XSS
D.Reflected XSS
AnswerD

The input is reflected in the response unsanitized.

Why this answer

The payload is URL-encoded HTML and is decoded and reflected, indicating reflected XSS.

418
MCQmedium

During a reconnaissance phase, a tester uses `dnsrecon -d example.com -t axfr`. What specific DNS query is being attempted?

A.A subdomain brute-force
B.A zone transfer request
C.A reverse DNS lookup
D.A SRV record enumeration
AnswerB

-t axfr specifies a zone transfer attempt.

Why this answer

The `-t axfr` flag in `dnsrecon` specifies a zone transfer request (AXFR). This query attempts to retrieve the entire DNS zone file from a nameserver, which can reveal all DNS records for the domain. A successful zone transfer is a critical misconfiguration because it exposes internal network topology and hostnames.

Exam trap

The trap here is that candidates may confuse `-t axfr` with other reconnaissance techniques like brute-forcing or record enumeration, but the CEH exam specifically tests the exact command flag for zone transfers.

How to eliminate wrong answers

Option A is wrong because a subdomain brute-force uses a wordlist to guess subdomains, not the AXFR query type. Option C is wrong because a reverse DNS lookup queries an IP address for a PTR record, not a domain for a zone transfer. Option D is wrong because SRV record enumeration uses the `-t srv` flag or similar, not `-t axfr`, which is specific to zone transfers.

419
MCQmedium

A security team wants to mitigate a DNS amplification DDoS attack. Which of the following techniques would be MOST effective in preventing the attack from leveraging open DNS resolvers?

A.Deploy a web application firewall
B.Disable recursion on DNS servers for external queries
C.Use anycast routing for DNS servers
D.Implement rate limiting on DNS responses
AnswerB

Correct. Disabling recursion for external clients prevents the server from being used in amplification attacks.

Why this answer

DNS amplification relies on open resolvers that respond to queries from any source. Restricting recursive queries to trusted clients eliminates the amplification vector.

420
MCQmedium

A security analyst notices that the web application returns different response times when a valid username is submitted versus an invalid one during login. Which type of vulnerability is likely being exploited?

A.Time-based SQL injection
B.Reflected XSS
C.Blind boolean-based SQL injection
D.CSRF
AnswerA

Time-based SQL injection uses database delay functions (e.g., SLEEP()) to infer information based on response times.

Why this answer

Time-based SQL injection involves injecting SQL code that causes the database to pause if a condition is true, allowing an attacker to infer information based on response times. The observed difference in response times for valid vs. invalid usernames is characteristic of this technique.

421
MCQmedium

An ethical hacker needs to crack a set of NTLM hashes obtained from a Windows system. Which tool would be MOST efficient for performing a dictionary attack with hybrid rules?

A.John the Ripper
B.Hashcat
C.Ophcrack
D.RainbowCrack
AnswerB

Hashcat supports GPU acceleration, hybrid attacks, and is optimized for speed.

Why this answer

Hashcat is the most efficient tool for performing a dictionary attack with hybrid rules because it is GPU-accelerated, supports the NTLM hash mode (1000), and allows the application of rule-based mutations (e.g., appending digits or special characters) directly to dictionary words. Its speed and flexibility in handling large wordlists with complex rule sets make it superior for cracking NTLM hashes in a professional penetration test.

Exam trap

EC-Council often tests the misconception that John the Ripper is the best all-around password cracker, but for GPU-accelerated hybrid dictionary attacks on NTLM hashes, Hashcat is the industry standard due to its speed and rule engine.

How to eliminate wrong answers

Option A is wrong because John the Ripper, while capable of dictionary and hybrid attacks, is primarily CPU-based and significantly slower than Hashcat for large-scale NTLM cracking, making it less efficient for this specific task. Option C is wrong because Ophcrack is designed specifically for LM and NTLM hashes using rainbow tables, not for dictionary attacks with hybrid rules; it lacks rule-based mutation capabilities. Option D is wrong because RainbowCrack is a tool for precomputed rainbow table attacks, not for dictionary attacks with hybrid rules; it requires tables to be generated beforehand and cannot apply real-time rule mutations.

422
MCQhard

An attacker wants to perform a CSRF attack against a banking application. The application uses SameSite cookies set to 'Strict'. The attacker hosts a malicious page on their own domain. When the victim visits the malicious page, which of the following statements is TRUE regarding the CSRF attack?

A.The attack will succeed because cookies are sent regardless of SameSite settings.
B.The attack will succeed because the attacker can bypass SameSite using GET requests.
C.The attack will fail because CSRF requires POST requests and the malicious page only uses GET.
D.The attack will fail because the browser will not include the session cookie with the cross-origin request.
AnswerD

SameSite=Strict prevents cookie inclusion on cross-origin requests, defeating CSRF.

Why this answer

SameSite=Strict prevents cookies from being sent on cross-site requests, effectively blocking CSRF attacks if the attacker cannot control the origin.

423
MCQeasy

A user reports that their system has become very slow and numerous pop-up ads appear even when browsing is not active. Which type of malware is MOST likely installed?

A.Adware
B.Ransomware
C.Keylogger
D.Spyware
AnswerA

Adware is known for displaying pop-up advertisements and degrading performance.

Why this answer

Adware displays unwanted advertisements and can cause system slowdowns.

424
MCQhard

During a cloud penetration test, a tester discovers an AWS S3 bucket that allows public 's3:PutObject' access. The tester uploads a file containing JavaScript that steals cookies. Which type of attack is this an example of?

A.Cross-Site Scripting (XSS) via uploaded file
B.Server-Side Request Forgery (SSRF)
C.Insecure Direct Object Reference (IDOR)
D.S3 bucket privilege escalation
AnswerA

The tester uploaded JavaScript to a public S3 bucket. When users browse the bucket or link to the file, the script executes in their browser, stealing cookies.

Why this answer

Uploading malicious content to an S3 bucket with public write access enables storage of attacker-controlled files. When users access these files, a client-side attack (like XSS) can occur. This is a classic example of a storage-based attack via misconfigured S3 bucket.

425
MCQhard

A penetration tester uses a tool to perform a MAC flooding attack. What is the intended result of this attack?

A.Read all network traffic by turning the switch into a hub
B.Modify the MAC address of the attacker's NIC
C.Cause a denial of service on the switch
D.Poison the ARP cache of the target hosts
AnswerA

MAC flooding makes the switch act like a hub, forwarding all frames to all ports.

Why this answer

MAC flooding overwhelms a switch's CAM table, causing it to enter fail-open mode and broadcast all frames, allowing the attacker to sniff traffic.

426
MCQmedium

Which Google dork query would an attacker most likely use to find login pages on a web server?

A.inurl:admin
B.intitle:login
C.site:example.com filetype:pdf
D.link:example.com
AnswerB

This directly finds pages with 'login' in the title.

Why this answer

Option B is correct because the Google dork 'intitle:login' specifically searches for web pages where the word 'login' appears in the HTML title tag. Attackers use this to quickly discover login portals, as many web applications include 'login' in the page title, making it a reliable footprinting technique for identifying authentication interfaces.

Exam trap

The trap here is that candidates often confuse 'inurl:admin' with login page discovery, but 'admin' in the URL typically points to administrative backends rather than user login portals, which are more commonly identified by the title tag containing 'login'.

How to eliminate wrong answers

Option A is wrong because 'inurl:admin' searches for URLs containing 'admin', which may return admin panels or directories but is less specific to login pages and often yields broader results like admin dashboards or configuration pages. Option C is wrong because 'site:example.com filetype:pdf' restricts results to PDF files on a specific domain, which is useful for document discovery but not for finding login pages. Option D is wrong because 'link:example.com' is a deprecated Google operator that lists pages linking to a given URL, not a method for locating login pages on the target server.

427
MCQmedium

A security analyst runs 'nbtstat -A 192.168.1.105' and sees a table with the computer name 'FILESERVER' and a logged-in user 'admin'. Which of the following BEST describes the purpose of this command?

A.Perform an SNMP walk to enumerate the remote host's MIB
B.Execute a dictionary attack against the remote host's passwords
C.Enumerate all SMB shares on the remote host
D.Perform a NetBIOS name table lookup of the remote host
AnswerD

nbtstat -A displays the NetBIOS name table of the remote host, including computer and user names.

Why this answer

Option A is correct. nbtstat -A performs a NetBIOS name table lookup of a remote machine using its IP address, revealing computer names, logged-in users, and services.

428
MCQmedium

A penetration tester successfully predicts the TCP sequence numbers of a target and sends crafted packets to impersonate a trusted host. Which type of attack is this?

A.ARP poisoning
B.TCP sequence prediction attack
C.TCP session hijacking
D.DNS spoofing
AnswerC

Session hijacking uses sequence prediction to take over a TCP session.

Why this answer

TCP session hijacking involves predicting sequence numbers to inject packets and take over a session. It allows the attacker to impersonate one of the communicating parties.

429
MCQmedium

During a penetration test, you execute a DNS zone transfer request against a target domain and succeed. Which type of DNS record would you expect to reveal the mail servers for the domain?

A.CNAME record
B.MX record
C.A record
D.NS record
AnswerB

MX records direct email to the correct mail servers.

Why this answer

An MX (Mail Exchange) record is the DNS record type that specifies the mail servers responsible for accepting email messages on behalf of a domain. During a successful DNS zone transfer, the full zone file is retrieved, and MX records are included, directly revealing the domain's mail server hostnames and priority values.

Exam trap

EC-Council often tests the distinction between record types by making candidates confuse the purpose of an MX record with an A record or CNAME, especially when the question involves identifying services rather than simple hostname resolution.

How to eliminate wrong answers

Option A is wrong because a CNAME (Canonical Name) record is an alias that maps one domain name to another, not a record that directly identifies mail servers. Option C is wrong because an A (Address) record maps a hostname to an IPv4 address; while it could resolve a mail server's hostname to an IP, it does not itself designate which servers handle mail for the domain. Option D is wrong because an NS (Name Server) record delegates a zone to authoritative name servers, not mail servers.

430
Multi-Selecthard

Which THREE of the following are effective techniques to prevent ARP poisoning attacks? (Choose three.)

Select 3 answers
A.Enabling DHCP snooping
B.Configuring port security on switches
C.Using static ARP entries
D.Disabling STP on all ports
E.Implementing Dynamic ARP Inspection (DAI)
AnswersB, C, E

Port security limits MAC addresses per port, reducing spoofing.

Why this answer

Static ARP entries, dynamic ARP inspection, and port security help prevent ARP poisoning.

431
MCQmedium

During a social engineering engagement, an attacker calls an employee pretending to be from IT support and asks for their password to perform a system update. Which social engineering technique is being employed?

A.Phishing
B.Pretexting
C.Quid pro quo
D.Vishing
AnswerB

Pretexting is creating a fabricated scenario to trick the target into revealing information.

Why this answer

Pretexting involves fabricating a scenario (pretext) to obtain information, such as pretending to be from IT support. The other choices refer to different techniques.

432
MCQmedium

During a penetration test, a tester uses a tool to perform ARP spoofing to intercept traffic between two hosts on the same subnet. Which tool is most commonly associated with this technique?

A.Wireshark
B.Ettercap
C.Metasploit
D.Nmap
AnswerB

Ettercap specializes in ARP spoofing and MITM attacks.

Why this answer

Ettercap is a well-known tool for ARP poisoning (spoofing) to perform man-in-the-middle attacks. It is specifically designed for this purpose.

433
Multi-Selectmedium

Which TWO of the following are valid techniques for session hijacking? (Select 2)

Select 2 answers
A.DNS spoofing
B.MAC flooding
C.TCP sequence prediction
D.Cookie theft
E.ARP poisoning
AnswersC, D

Predicting sequence numbers allows an attacker to inject packets into a TCP session.

Why this answer

Session hijacking can involve predicting TCP sequence numbers or stealing session cookies. ARP poisoning is a method to enable MITM but not direct session hijacking; DNS spoofing redirects traffic but not session hijacking per se.

434
MCQeasy

A security analyst captures network traffic and sees multiple ARP packets with the same source MAC address but different IP addresses. Which attack is MOST likely occurring?

A.WPS PIN attack
B.De-authentication attack
C.Evil twin attack
D.ARP spoofing attack
AnswerD

The attacker sends forged ARP replies, linking their MAC to multiple IPs to intercept traffic.

Why this answer

An evil twin attack involves a rogue AP impersonating a legitimate one, but it does not typically cause ARP packets with varied IPs. ARP spoofing involves an attacker sending forged ARP replies to associate their MAC with another IP, causing traffic to be misdirected. The described behavior matches ARP spoofing, where the attacker's MAC appears with multiple IPs.

435
MCQmedium

A penetration tester is performing a session hijacking attack. After capturing packets, the tester successfully predicts the TCP sequence numbers and injects packets to take over the session. Which type of attack is this?

A.MAC flooding
B.Cookie theft
C.TCP session hijacking
D.ARP poisoning
AnswerC

Predicting TCP sequence numbers allows an attacker to hijack a TCP session.

Why this answer

TCP sequence prediction is a classic method for session hijacking, where the attacker guesses the sequence numbers to spoof the server's IP and inject packets. ARP poisoning and MAC flooding are local network attacks, and cookie theft is application-level.

436
MCQhard

An attacker intercepts a TCP session between a client and a server. By analyzing sequence numbers, the attacker successfully predicts the next sequence number and injects malicious packets. Which attack is being performed?

A.DNS spoofing
B.ARP poisoning
C.Man-in-the-middle
D.Session hijacking
AnswerD

Session hijacking involves taking over a TCP session by predicting sequence numbers.

Why this answer

TCP session hijacking relies on predicting or obtaining valid sequence numbers to impersonate one party in a TCP connection.

437
MCQmedium

A penetration tester needs to perform ARP poisoning to intercept traffic between two hosts on the same subnet. Which tool would be the most appropriate choice for this task?

A.tcpdump
B.Ettercap
C.Nmap
D.Wireshark
AnswerB

Correct. Ettercap is designed for ARP poisoning and man-in-the-middle attacks.

Why this answer

Ettercap is a comprehensive suite for man-in-the-middle attacks on LAN, including ARP poisoning. It provides packet sniffing, interception, and injection capabilities.

438
MCQeasy

Which of the following is the BEST defense against tailgating attacks in a secure facility?

A.Hiring security guards
B.Reviewing keycard access logs
C.Installing CCTV cameras
D.Implementing a mantrap at the entrance
AnswerD

Mantraps physically enforce one-person entry, preventing tailgating.

Why this answer

A mantrap is a physical security access control system consisting of two interlocking doors that create a small vestibule. Only one door can be opened at a time, and authentication (e.g., keycard + biometric) is required to pass through both. This design physically prevents an unauthorized person from following an authorized person into the facility, directly mitigating tailgating attacks by enforcing strict one-person-per-authentication entry.

Exam trap

EC-Council often tests the distinction between preventive, detective, and corrective controls; the trap here is that candidates mistake surveillance (CCTV) or logging (access logs) for active prevention, when only a mantrap provides a physical barrier that stops tailgating in real time.

How to eliminate wrong answers

Option A is wrong because hiring security guards relies on human vigilance, which is fallible and can be bypassed through distraction or social engineering, and does not provide a mechanical barrier against tailgating. Option B is wrong because reviewing keycard access logs is a detective control that identifies tailgating incidents after they occur, not a preventive defense that stops the attack in real time. Option C is wrong because installing CCTV cameras provides surveillance and evidence but does not physically prevent an unauthorized person from entering behind an authorized person; it is a passive monitoring control, not an active access control.

439
MCQhard

After compromising a Windows system, an attacker wants to cover tracks by deleting event logs. Which command would achieve this?

A.wevtutil cl Security
B.del *.log
C.rm -rf /var/log/*
D.clear-eventlog -Log Security
AnswerA

wevtutil cl clears the specified event log.

Why this answer

The wevtutil cl Security command clears the Windows Security event log, which is a standard method for an attacker to cover tracks by removing evidence of their activities. This command is built into Windows and can be executed from the command line with administrative privileges, making it a direct and effective way to delete event logs without relying on external tools.

Exam trap

The trap here is that candidates may confuse the Windows command wevtutil with the Linux command rm -rf or the PowerShell cmdlet Clear-EventLog, assuming any log-clearing command works across platforms, but the CEH exam tests knowledge of OS-specific utilities.

How to eliminate wrong answers

Option B (del *.log) is wrong because it attempts to delete files with a .log extension, but Windows event logs are stored in a proprietary format (Evtx files) in the C:\Windows\System32\winevt\Logs directory, not as simple .log files; this command would not target the correct files and would likely fail due to permissions. Option C (rm -rf /var/log/*) is wrong because it is a Linux/Unix command for removing logs from /var/log, which does not exist on a Windows system; this reflects a confusion between operating systems. Option D (clear-eventlog -Log Security) is wrong because it is a PowerShell cmdlet, not a native command-line tool, and while it can clear logs, the question asks for a command that would achieve this, and wevtutil is the more direct and commonly used utility in CEH contexts; however, the primary reason it is incorrect here is that the correct answer is A, and D is not the standard command for this purpose in exam scenarios.

440
MCQhard

A forensic analyst finds a system where the user's password hash was obtained and cracked offline. The attacker then used stolen credentials to log in and run `wevtutil cl system`. What is the purpose of this command?

A.Remove scheduled tasks
B.Delete the SAM database
C.Disable Windows Defender
D.Clear the System event log
AnswerD

Why this answer

`wevtutil cl system` clears the System event log on Windows. This is a common technique to erase evidence of the attacker's activities.

441
Multi-Selectmedium

Which THREE of the following are essential phases in the ethical hacking methodology as defined by EC-Council?

Select 3 answers
A.Maintaining Access
B.Scanning
C.Enumeration
D.Reconnaissance
E.Social Engineering
AnswersA, B, D

Maintaining Access is a phase after gaining initial entry.

Why this answer

Maintaining Access is a core phase in the EC-Council ethical hacking methodology because after gaining initial access, the attacker must ensure persistent control over the target system. This involves installing backdoors, rootkits, or creating privileged user accounts to bypass re-authentication. Without this phase, the penetration test would not simulate a real-world advanced persistent threat (APT) scenario.

Exam trap

The trap here is that candidates confuse enumeration as a distinct phase when it is actually a sub-component of the Scanning phase, and they mistake social engineering for a phase rather than recognizing it as a technique that can be used within Reconnaissance or Gaining Access.

442
MCQhard

During a ransomware incident response, a forensic analyst recovers a suspicious file that appears to be a PE executable. The analyst wants to quickly check if the file is known malware without executing it. Which of the following is the BEST first step?

A.Disassemble the file using IDA Pro
B.Submit the file hash to VirusTotal
C.Perform static analysis using PEiD to identify compiler and packer
D.Run the file in a sandbox and observe its behavior
AnswerB

Correct. VirusTotal provides a quick check against multiple AV engines and threat intelligence feeds.

Why this answer

VirusTotal aggregates many antivirus engines and provides a quick reputation check. Submitting the file hash (or the file itself) is non-invasive and immediately reveals known malicious indicators.

443
Multi-Selectmedium

Which TWO tools are commonly used for password cracking against hashed passwords? (Select two.)

Select 2 answers
A.Wireshark
B.John the Ripper
C.Nmap
D.Hashcat
E.Metasploit
AnswersB, D

John is a classic password cracker.

Why this answer

John the Ripper and Hashcat are both widely used password cracking tools.

444
MCQmedium

A security analyst suspects an attacker has replaced system binaries with a rootkit to hide malicious processes. Which covering tracks technique is the attacker using?

A.Timestomping
B.Steganography
C.Rootkit installation
D.Log manipulation
AnswerC

Rootkits often replace system binaries to conceal their presence.

Why this answer

The attacker is using rootkit installation to replace system binaries (e.g., ps, ls, netstat) with trojaned versions that filter out malicious processes from system calls like readdir() or /proc listings. This is a classic covering tracks technique because the rootkit hides evidence of compromise by intercepting and modifying kernel or user-space output, making the attacker's activities invisible to standard monitoring tools.

Exam trap

EC-Council often tests the distinction between 'rootkit installation' as a covering tracks technique and 'log manipulation' as a separate method, trapping candidates who confuse hiding processes (rootkit) with hiding log entries (log manipulation).

How to eliminate wrong answers

Option A is wrong because timestomping is a technique to alter file timestamps (e.g., using touch -t or SetFileTime) to hide when files were created or modified, not to replace binaries or hide processes. Option B is wrong because steganography hides data within other media (e.g., images, audio) for covert communication, not for replacing system binaries to conceal processes. Option D is wrong because log manipulation involves deleting, modifying, or clearing log entries (e.g., using /var/log/messages or event log clearing) to remove evidence of intrusion, but it does not involve replacing system binaries to hide running processes.

445
Multi-Selecthard

Which THREE of the following are valid pieces of information that can be gathered from a properly configured Netcraft site report? (Select exactly 3.)

Select 3 answers
A.Internal IP addresses of the servers
B.Hosting provider and country
C.Site's first seen date and uptime history
D.Web server software and version
E.Employee email addresses
AnswersB, C, D

Netcraft shows hosting location.

Why this answer

Netcraft site reports are derived from external, public-facing data sources, including DNS records, HTTP response headers, and historical crawl data. The hosting provider and country are identified by mapping the site's public IP address to WHOIS and BGP routing information, which is a standard part of Netcraft's passive reconnaissance.

Exam trap

EC-Council often tests the distinction between passive reconnaissance (which yields only public information) and active reconnaissance (which might reveal internal details), leading candidates to mistakenly assume that internal IPs or employee emails are obtainable from a public site report.

446
MCQmedium

A security analyst notices an unusual spike in outbound traffic on UDP port 53 from a single internal host. The host is not a DNS server. Which type of malware is MOST likely responsible?

A.A worm that spreads via email attachments
B.A polymorphic virus
C.A DNS tunneling tool used for data exfiltration
D.A keylogger that sends captured keystrokes via HTTP
AnswerC

DNS tunneling encodes data in DNS queries/responses, causing increased UDP 53 traffic.

Why this answer

A DNS tunneling tool uses DNS queries to exfiltrate data, which would cause an increase in UDP port 53 traffic. The other options are less likely to generate such traffic.

447
MCQeasy

A security analyst suspects that a user's machine is infected with a keylogger. Which of the following is the most effective method to detect a hardware keylogger?

A.Check running processes for suspicious entries
B.Physically inspect the connection between the keyboard and the computer
C.Review USB device history in Event Viewer
D.Run an antivirus scan
AnswerB

Hardware keyloggers are physical devices inserted inline.

Why this answer

A hardware keylogger is a physical device inserted between the keyboard and the computer, typically at the PS/2 or USB connector. Unlike software-based keyloggers, it operates independently of the operating system, so it cannot be detected by process lists, event logs, or antivirus scans. The only reliable detection method is a physical inspection of the keyboard cable and connection point for any unusual inline devices.

Exam trap

The trap here is that candidates assume all keyloggers are software-based and can be detected by OS-level tools, but CEH specifically tests the distinction between hardware and software keyloggers, where physical inspection is the only definitive method for hardware variants.

How to eliminate wrong answers

Option A is wrong because checking running processes detects software keyloggers, not hardware keyloggers, which have no process or driver footprint in the OS. Option C is wrong because reviewing USB device history in Event Viewer may show connected devices but cannot identify a passive inline hardware keylogger that does not register as a new USB device. Option D is wrong because an antivirus scan relies on signature or behavioral analysis of executable code, and a hardware keylogger has no software component to scan.

448
Multi-Selecthard

A security team is investigating a compromised Linux server. They suspect the attacker used privilege escalation via SUID binaries. Which THREE techniques should the team check as potential attack vectors? (Choose THREE.)

Select 3 answers
A.Injecting a malicious shared library via LD_PRELOAD into a SUID binary
B.Using token impersonation with SeDebugPrivilege
C.Leveraging a SUID shell script that calls a user-controlled command
D.Performing a DDoS attack on the server
E.Exploiting a vulnerable SUID binary such as 'nmap' or 'find'
AnswersA, C, E

LD_PRELOAD can load arbitrary libraries if the binary runs with elevated privs.

Why this answer

Common SUID escalation vectors include exploiting known vulnerable SUID binaries, using shared library injection, and abusing SUID shell scripts that call unsafe commands.

449
MCQmedium

While performing reconnaissance, a tester uses a Google dork to find login pages exposed on the internet. Which of the following is an example of a Google dork that could be used for this purpose?

A.inurl:login.php
B.site:example.com -www
C.filetype:pdf
D.link:example.com
AnswerA

This dork finds URLs containing 'login.php'.

Why this answer

Option A is correct because the Google dork 'inurl:login.php' instructs Google to return only URLs that contain the string 'login.php' in the URL path. This is a classic reconnaissance technique to discover exposed login pages, as many web applications use 'login.php' as the default authentication endpoint. The 'inurl:' operator filters search results based on the literal text in the URL, making it ideal for footprinting specific web resources.

Exam trap

EC-Council often tests the distinction between operators that search URL content ('inurl:') versus page content ('intitle:') or file types ('filetype:'), leading candidates to confuse 'filetype:pdf' as a valid dork for finding login pages when it actually targets document files.

How to eliminate wrong answers

Option B is wrong because 'site:example.com -www' restricts results to the domain 'example.com' while excluding subdomains containing 'www', which is useful for narrowing scope but does not specifically target login pages. Option C is wrong because 'filetype:pdf' limits results to PDF files, which are documents, not interactive login pages; it is used for finding documents, not web application endpoints. Option D is wrong because 'link:example.com' is a deprecated Google operator that used to find pages linking to a specific URL; it does not search for login pages and is no longer supported by Google.

450
MCQmedium

Which of the following is a recommended defense against Cross-Site Request Forgery (CSRF) attacks?

A.Enabling directory listing on the web server
B.Implementing CSRF tokens in forms
C.Using a same-origin policy with CORS headers
D.Setting the HttpOnly flag on cookies
AnswerB

CSRF tokens prevent forged requests.

Why this answer

CSRF tokens are unique per request and verified by the server, making forged requests invalid without the token.

Page 5

Page 6 of 14

Page 7